CIH file-infecting virus detection and removal program (assembly source code)

; This program is compiled by TASM
; CIH file-type virus detection and elimination program
Gofirst MACRO
; Rewind the file whose handle is in BX to offset 0 (INT 21h/4200h,
; CX:DX = 32-bit offset from the start of the file).
; Clobbers AX, CX, DX and flags. Not invoked anywhere in this listing.
MOV ax,4200h
XOR CX,CX
MOV DX,CX; CX:DX = 0
INT 21H; file pointer to top of file
Endm
Alterline MACRO
; Write CR then LF to standard output with INT 21h/02h (DL = character).
; Clobbers AX and DX.
MOV ah,02h
MOV DL,0DH
INT 21H; carriage return
MOV ah,02h
MOV dl,0ah
INT 21H; line feed
Endm
Copyhandle MACRO
; Duplicate the open handle in BX and immediately close the duplicate.
; In DOS this dup+close sequence flushes the file's buffers and updates its
; directory entry while the original handle stays open (used after the
; cleaning writes in Clea_virus). BX is preserved; clobbers AX and flags.
PUSH BX
MOV ah,45h
INT 21H; INT 21h/45h: duplicate handle BX -> AX
MOV Bx,ax
MOV Ah,3eh
INT 21H; INT 21h/3Eh: close the duplicate only
POP BX
Endm
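Data SEGMENT PARA Public ' data '
; ---------------------------------------------------------------------
; Strings printed with INT 21h/09h end in 24h ('$'); names handed to DOS
; end in 00h.  Several repeat counts were lost when this listing was
; transcribed; they are marked TODO(transcription) and must be restored
; before the file assembles.
; ---------------------------------------------------------------------
Exefile DB '*.EXE',00; INT 21h/4Eh pattern used by Clea_virus (the transcribed ' *. EXE ' had stray spaces and would not match)
Dirfile DB '*.*',00; INT 21h/4Eh pattern used by Cle_sdir (stray spaces removed as above)
Filebz DB 00; file flags (com:00; EXE:FF); only 0FFh is ever stored and nothing reads it in this listing
DISKSGN DB 00; drive to scan: 1 = A:, 2 = B:, 3 = C:, 0 = current drive
Currdisk DB 00; drive current at start-up (0-based, INT 21h/19h), restored before exit
Diskcha DB 00,3ah,24h; drive letter + ':' as a '$'-terminated string for display
DAT DB 256 DUP (24H); Disk Transfer Area (DTA): +15h attribute, +16h time, +18h date, +1Eh name
Overmsg DB ' All cih viruses have been cleared!!! ', 0dh,0ah,24h
Filesuf DB DUP (0); file header buffer -- TODO(transcription): repeat count lost; Clea_virus reads 200h bytes into it and clears 600h bytes starting here
Pe_head DB 4 DUP (0); e_lfanew: file offset of the PE header
Virsuf DB 1024 DUP (0); bytes read from around the entry point (block-pointer table + first virus block)
Virpoint DB 4 DUP (0); file offset of the block-pointer table = entry RVA - (NumberOfSections+1)*8
Secnum DB 00,00; Number of FILE SECTIONS (stored, never read in this listing)
T_entry DB 4 DUP (0); True Entry RVA recovered from the virus block
Filemsg DB ' (CIH virus) ', 24H
Cleamsg DB ' killed!! ', 0dh,0ah,24h
Cl_zero DB 1024 DUP (0); source of zeros for the INT 21h/40h that wipes the first virus block
HZSM DB ' is scanning: ', 24H
BLANK DB DUP (20H), 24H; spaces used to blank the status line -- TODO(transcription): repeat count lost
Initdir DB "", DUP (0); start-up directory -- TODO(transcription): initial string and count lost; INT 21h/47h fills it from +1 and INT 21h/3Bh later takes the whole buffer, so byte 0 is expected to be '\'
Currdir DB "PE", 00,63 DUP (24H); current directory path; KILLCIH chdirs here first and Currdir+1 = 0 means "at root", so byte 0 is expected to be '\' -- the transcribed "PE" looks wrong, verify against the original
Updir DB "..", 00; parent directory, for INT 21h/3Bh
Dirsuff DB 4096 DUP (0); stack of saved DTA find-states (15h bytes per directory level); no overflow check
DIRSUFP DB 00,00; byte offset of the next free slot in Dirsuff
Dirnum DB 01,00; number of directories on the disk (16-bit; starts at 1, presumably for the root)
Exenum DB 00,00; number of EXE files on the disk (16-bit)
Virexe DB 00,00; number of infected EXE files (16-bit)
Dirmsg DB "subdirectory number:", 24H
Exemsg DB "*. EXE numbers: ", 24H
ErrMsg DB "; Which affected: ", 24H
Decsuf DB One DUP (0); Btod output buffer -- TODO(transcription): repeat count lost ("One"); Btod keeps a word pointer at +10h and the '$' at +0Bh, so at least 12h bytes
Titl DB "CIH clean ASM sourcecode testing", 0dh,0ah
DB "Kuibing kuibing@163.com", 0dh,0ah,0dh,0ah
DB "The virus is a parastic virus which infects Windows 95/98. EXE files ", 0DH, 0AH
DB 0dh,0ah,0dh,0ah,24h
Begin DB 07h,07h, "Press any key to start detection/removal of virus!!", 0dh,0ah,24h; two BEL characters then a prompt (not referenced in this listing)
DATA ENDS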
Code SEGMENT PARA Public ' code '
; DS and ES are loaded with the data segment in KILLCIH and stay there for
; the whole program; SS refers to the stack segment at the end of the file.
Assume Cs:code,ds:data,es:data,ss:stack
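KILLCIH PROC FAR
;-----------------------------------------------------------------------
; Program entry point (EXE).   Usage:  KILLCIH [d]   d = A, B or C
; Reads the command tail in the PSP to pick the drive, selects it, clears
; the screen, scans *.EXE in the root directory (Clea_virus) and in every
; subdirectory (Cle_sdir), restores the start-up directory and drive and
; prints the counters.  Exits with INT 21h/4Ch.
; The nested procedures Clea_virus, Cle_sdir and Btod follow this body;
; KILLCIH ENDP comes after them.
; Entry registers: DS = ES = PSP.  DL receives PSP:82h (the character after
; the space in the command tail), BL receives PSP:81h (0Dh when no argument).
;-----------------------------------------------------------------------
MOV di,0082h
MOV Dl,[di]; DS = PSP here: first character of the argument
Dec di
MOV Bl,[di]; 0Dh (CR) when the command tail is empty
PUSH DS
XOR Ax,ax
PUSH AX; PSP:0000 far-return frame (unused: the program exits via 4Ch)
PUSH DS; no matching POP in this listing
MOV Ax,data
MOV Ds,ax
MOV Es,ax
MOV Ax,stack
MOV Ss,ax; SP is left as set by the EXE loader
; Determine the drive to scan: Disksgn/Diskcha = 1/'A', 2/'B', 3/'C';
; any other argument keeps Disksgn = 0 (current drive)
CMP BL,0DH
JZ Disk2; no argument given
and DL,05FH; fold the letter to upper case
CMP dl,41h
JNZ DISK1
MOV BYTE ptr[disksgn],01h
MOV BYTE ptr[diskcha],41h
JMP DISK2
DISK1:CMP dl,42h
JNZ DISK3
MOV BYTE ptr[disksgn],02h
MOV BYTE ptr[diskcha],42h
JMP DISK2
DISK3:CMP dl,43h
JNZ DISK2
MOV BYTE ptr[disksgn],03h
MOV BYTE ptr[diskcha],43h
Disk2:mov ah,19h
INT 21H; Take the current disk number (AL, 0 = A:)
MOV BYTE ptr[currdisk],al; Save Current disk number (restored before exit)
;
CMP BYTE ptr[disksgn],00h
JNZ DISK4
ADD al,41h
MOV BYTE Ptr[diskcha],al; no drive given: show the letter of the current drive
JMP DISK5
;
Disk4:mov Dl,byte PTR[DISKSGN]
DEC DL
MOV Ah,0eh
INT 21H; select disk drive (DL is 0-based); the result is not checked
;
Disk5:push ES
MOV ax,0040h
MOV Es,ax
MOV di,0087h
MOV Al,es:[di]; BIOS data area 0040:0087 (EGA info byte)
POP ES
CMP al,00h
JZ CGA; zero: no EGA/VGA, fall back to CGA mode 6
MOV ax,0003h; otherwise 80x25 colour text
JMP CLS
Cga:mov ax,0006h
Cls:int 10H; set video mode, which clears the screen
MOV ah,09h
MOV Dx,offset titl
INT 21H; banner
MOV dx,offset DAT; disk transfer first address->DX
MOV Ah,1ah
INT 21H; set DTA = DAT: find results and file date/time/attributes land there
MOV ah,47h
MOV Dl,byte PTR[DISKSGN]; 0 = default drive, else 1-based drive number
MOV Si,offset initdir+1
INT 21H; Save initial directory name (47h stores it without a leading '\', hence +1)
MOV AH,3BH
MOV Dx,offset Currdir
INT 21H; chdir to Currdir, expected to be "\" (root); CF not checked
MOV BYTE ptr[filebz],0ffh; EXE file flag
MOV Dx,offset Exefile; search pattern expected by Clea_virus in DX
;
Call Clea_virus; check and clear CIH in the root directory
Call Cle_sdir; detect and clean EXE files in every subdirectory
;
MOV AH,3BH
MOV Dx,offset Initdir
INT 21H; Recovery initial Directory
MOV Dl,byte Ptr[currdisk]
MOV Ah,0eh
INT 21H; select the start-up drive again
Done:alterline
MOV Dx,offset overmsg
MOV ah,09h
INT 21H
MOV Dx,offset dirmsg
MOV ah,09h
INT 21H
MOV Di,offset Dirnum
Call Btod; display number of directories
Alterline
MOV Dx,offset exemsg
MOV ah,09h
INT 21H
MOV Di,offset Exenum
Call Btod; display number of EXE files
MOV Dx,offset errmsg
MOV ah,09h
INT 21H
MOV Di,offset Virexe
Call Btod; display number of infected EXE files
Alterline
MOV cx,0200h
MOV ah,01h
INT 10H; restore cursor shape (CH:CL = start/end scan line)
MOV ah,4ch
INT 21H; End Program return DOS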
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;; Key programm;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
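Clea_virus PROC NEAR; search for EXE files in the current directory, detect CIH and clean it
;-----------------------------------------------------------------------
; In:   DX = offset of the '*.EXE' search pattern; DS = ES = data; DTA = DAT
; Out:  Exenum incremented per file found, Virexe per file cleaned;
;       infected files are patched in place (no backup is taken)
; Uses: all general registers; BX = handle of the file being examined
;
; Detection, per file:
;  1. e_lfanew (MZ+3Ch) -> Pe_head; 200h bytes are read from Pe_head-1 into
;     Filesuf, so Filesuf+1 = 'PE' signature and Filesuf+N+1 = PE header byte N.
;  2. The byte just before 'PE' (Filesuf+0) is this tool's infection marker:
;     zero => treated as clean.
;  3. AddressOfEntryPoint (PE+28h) must be below SizeOfHeaders (PE+54h),
;     i.e. the entry lies inside the header area, where an RVA equals its
;     file offset (so the code seeks by RVA).
;  4. 100h bytes are read from entry - (NumberOfSections+1)*8 into Virsuf
;     and two signature words at entry+36h and entry+4Bh are compared.
; Cleaning: the first virus block and the block-pointer table in front of the
; entry are overwritten with zeros and the true entry RVA stored by the virus
; at entry+5Eh is written back to PE+28h.  Only the first block is zeroed
; ("Clear other block" is omitted), so fragments may remain in the file's
; slack space; rescanning with a full scanner afterwards is advisable.
;-----------------------------------------------------------------------
MOV cx,027h; attribute mask: read-only, hidden, system, archive
MOV Ah,4eh
INT 21H; Search for first match file (result in the DTA)
JNC look
JMP EXIT; not found,->exit.
Look:inc WORD Ptr[exenum]; Exenum is a 2-byte counter read as a word by Btod (a byte INC wrapped at 255)
MOV Dx,offset HZSM
MOV ah,09h
INT 21H
MOV Dx,offset Diskcha
MOV ah,09h
INT 21H
MOV Dx,offset Currdir
MOV ah,09h
INT 21H; Display current directory path
MOV Di,offset currdir+1
CMP BYTE ptr[di],00h
JZ ZJS1; at the root the path already ends in '\'
MOV ah,02h
MOV dl,5ch
INT 21H; separator between directory and file name
Zjs1:mov Dx,offset DAT
ADD dx,1eh; DX: matching filename First address (DTA+1Eh)
PUSH DX
PUSH DX
POP DI
Bz5:inc DI
CMP BYTE ptr[di],00h
JNZ BZ5
INC DI
MOV BYTE ptr[di],24h; '$' one byte past the NUL so the name prints with 09h (the NUL is sent too)
POP DX
MOV ah,09h
INT 21H; display file name
MOV Dx,offset DAT
ADD Dx,1eh
MOV ax,3d02h
INT 21H; open matching file for read/write
JNB CL0
JMP Nextfile; open failed; BX still holds the previous handle, the close at Nextfile is harmless
;;;;;;;;;;;;;
Cl0:mov Bx,ax; BX = handle for the rest of this iteration
MOV ax,4200h
MOV cx,00h
MOV dx,3ch
INT 21H; seek to MZ header offset 3Ch (e_lfanew)
MOV dx,offset Filesuf; file buffer first address->DX
MOV cx,04h
MOV AH,3FH
INT 21H; Read 4 bytes (File address of new EXE header)
JNB CL1
JMP Nextfile
Cl1:mov ax,4200h
MOV Cx,word Ptr[filesuf+2]
MOV Dx,word Ptr[filesuf]
MOV WORD ptr[pe_head],dx; save PE FILE head pointer
MOV WORD PTR[PE_HEAD+2],CX
DEC DX; no borrow into CX: assumes the low word of e_lfanew is non-zero
INT 21H; file pointer moved to new EXE HEADER-1
MOV dx,offset Filesuf; file buffer first address->DX
MOV cx,0200h
MOV AH,3FH
INT 21H; Read 512 bytes: Filesuf+0 = byte before 'PE', Filesuf+1 = PE signature
JNB CL2
JMP Nextfile
CL2:CMP WORD ptr[filesuf+1],04550h; 'PE' little-endian: is this a PE file?
JZ CL21
JMP Nextfile
CL21:CMP BYTE ptr[filesuf],00h
JNZ CL3; byte before 'PE' is non-zero: infection marker, examine further
JMP Nextfile; Not BEEN infected CIH VIRUS
Cl3:mov Cx,word ptr[filesuf+07h]; Get number of Sections (PE+6)
MOV WORD PTR[SECNUM],CX
INC CX
SHL cx,1
SHL cx,1
SHL cx,1
PUSH CX;(section number +1) *8 = virus block pointer area size
POP DI; DI keeps that size for the rest of this iteration
; get PE FILE Entry RVA
MOV Cx,word PTR[FILESUF+2BH];
MOV Dx,word ptr[filesuf+29h]; [Filesuf+29,2a,2b,2ch]=entry RVA (PE+28h) in CX:DX
CMP Cx,word ptr[filesuf+57h]; [Filesuf+55,56,57,58h]=file Header Size (PE+54h, SizeOfHeaders)
JE CL4
JB CL5; entry RVA below SizeOfHeaders: entry inside the header area, maybe CIH
JMP Nextfile
CL4:CMP Dx,word ptr[filesuf+55h]
JB CL5; Maybe has CIH virus
JMP Nextfile
Cl5:sub Dx,di; block-pointer table = entry - DI (no SBB into CX: assumes DX >= DI)
MOV WORD PTR[VIRPOINT],DX
MOV WORD ptr[virpoint+2h],cx; Save table position for the zeroing write below
MOV ax,4200h
INT 21H; seek there; within the header area an RVA is also the file offset
MOV dx,offset Virsuf; virus buffer first address->DX
MOV cx,100h
MOV AH,3FH
INT 21H; Read 100H bytes; NOTE(review): with NumberOfSections >= 19 the offsets DI+5Eh..DI+61h lie past the bytes read
JNB CL6
JMP Nextfile
CL6:CMP WORD PTR[VIRSUF+DI+36H],056CCH; Virsuf+DI = the entry point itself; first signature word
JZ CL7; May CIH virus
JMP Nextfile
CL7:CMP WORD PTR[VIRSUF+DI+4BH],0FBCCH; second signature word
JZ CL8; Sure CIH virus
JMP Nextfile
Cl8:mov Dx,offset filemsg
MOV ah,09h
INT 21H; shows a virus
MOV ax,4301h
MOV cx,0020h
MOV Dx,offset DAT
ADD Dx,1eh
INT 21H; Set attribute to archive only (clears read-only so the writes below succeed)
;
; Save true Entry RVA (kept by the virus at entry+5Eh)
MOV Ax,word Ptr[virsuf+di+5eh]
MOV WORD Ptr[t_entry],ax
MOV Ax,word ptr[virsuf+di+60h]
MOV WORD Ptr[t_entry+2h],ax
;
MOV Dx,word Ptr[virpoint]
MOV Cx,word PTR[VIRPOINT+2H]; Get table position
MOV ax,4200h
INT 21H; file pointer moved to the file Entry address-virus block pointer area size
;
MOV Cx,word ptr[virsuf+di-04h]; Take the length of the first block of CIH virus (word before the entry)
Add Cx,di; plus CIH virus linked list pointer block area size
MOV Dx,offset Cl_zero
MOV ah,40h
INT 21H; zero first block + table; NOTE(review): Cl_zero is 400h bytes and CX is unbounded, a longer block writes the data that follows Cl_zero
;
;;;;;;;;;;;;;;;;;;;;;;
; Clear Other block viurs
; Omitted -- later blocks are left in place
;;;;;;;;;;;;;;;;;;;;;;
;
; Restore True Entry RVA (address to Entry Point)
MOV ax,4200h
MOV Cx,word Ptr[pe_head+2]
MOV Dx,word Ptr[pe_head]
ADD dx,28h
ADC cx,0
INT 21H; The file pointer moves to AddressOfEntryPoint (PE+28h)
MOV dx,offset Filesuf; file buffer first address->DX
; MOV cx,4h
; MOV AH,3FH
; INT 21H; reading into entry point
; JNB CL11
; JMP Nextfile
Cl11:mov Cx,word Ptr[t_entry]
MOV WORD PTR[FILESUF],CX
MOV Cx,word Ptr[t_entry+2]
MOV WORD PTR[FILESUF+2],CX
MOV cx,4h; AddressOfEntryPoint is a DWORD: write all 4 saved bytes (was 2, which left the high word as the virus set it)
MOV ah,40h
INT 21H; writes the normal entry parameter back
JB Nextfile
Copyhandle; dup+close to commit the writes
MOV Cl,byte Ptr[dat+15h]; original attribute byte from the DTA; CH is still 0 from the write above
MOV ax,4301h
MOV Dx,offset DAT
ADD Dx,1eh
INT 21H; Recovery File original property
JB Nextfile
MOV Cx,word Ptr[dat+16h]; original file time from the DTA
MOV Dx,word Ptr[dat+18h]; original file date from the DTA
MOV ax,5701h
INT 21H; Recovery file original date/time (BX = handle)
MOV Dx,offset cleamsg
MOV ah,09h
INT 21H
INC WORD Ptr[virexe]; 2-byte counter, as Exenum
Nextfile:mov Ah,3eh
INT 21H; close BX
CLD
MOV Di,offset DAT
ADD Di,1eh
MOV Cx,0eh
MOV al,24h
RepZ STOSB; overwrite the name field of the DTA with '$'
MOV Di,offset Filesuf
MOV cx,600h
MOV al,00
RepZ STOSB; Clear File buffer (Filesuf, Pe_head and the start of Virsuf)
MOV CX,0FFFFH
Bz6:loop BZ6; four busy-wait loops so the status line stays readable
MOV CX,0FFFFH
Bz7:loop BZ7
MOV CX,0FFFFH
Bz8:loop BZ8
MOV CX,0FFFFH
Bz9:loop BZ9
MOV DL,0DH
MOV ah,02h
INT 21H; carriage return only: redraw the status line in place
MOV Dx,offset HZSM
MOV ah,09h
INT 21H
MOV Dx,offset Diskcha
MOV ah,09h
INT 21H
MOV Dx,offset BLANK
MOV ah,09h
INT 21H
MOV DL,0DH
MOV ah,02h
INT 21H; carriage return
MOV AH,4FH
INT 21H; find next match
JC EXIT
JMP look
Exit:ret
Clea_virus ENDP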
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
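Cle_sdir PROC NEAR; search subdirectories for EXE files, detect CIH and clean
;-----------------------------------------------------------------------
; Depth-first walk of the directory tree below the current directory.
; Before descending, the DTA find-state (first 15h bytes of DAT) is pushed
; onto Dirsuff at [Dirsufp]; on the way back it is popped so INT 21h/4Fh
; can resume the parent's search.  Currdir holds the path of the directory
; being scanned (Currdir+1 = 0 means root).
; In:   DS = ES = data segment; DTA = DAT
; Out:  Dirnum incremented per subdirectory; Clea_virus run in each one
; Uses: AX, BX, CX, DX, SI, DI, flags
; Limits visible here: Dirsuff (4096 bytes, 15h per level) is not
; bounds-checked, Currdir is not bounds-checked when a name is appended,
; and the CF of the chdir at Lp2 is not tested (a failed chdir rescans the
; same directory).
;-----------------------------------------------------------------------
Cl_subd:mov Dx,offset Dirfile
MOV cx,0010h; attribute: directories
MOV Ah,4eh
INT 21H; Search for first match file
JNC LOOKS
JMP EXITS; not found,->exits.
Looks:mov Si,offset DAT
ADD si,15h
CMP BYTE ptr[si],10h; DTA+15h attribute must be exactly "directory"
JZ NEXT1
JMP nextsub
Next1:mov Bx,offset DAT
ADD Bx,1eh; BX: matching filename First address
CMP BYTE Ptr[bx],2eh; skip the "." and ".." entries
JNZ SUB1
JMP nextsub
Sub1:inc WORD ptr[dirnum]; subdirectory number plus 1 (2-byte counter read as a word by Btod)
CLD
MOV Si,offset DAT
MOV Di,offset Dirsuff
ADD Di,word PTR[DIRSUFP]
MOV cx,0015h
RepZ MOVSB; Save the current find-state
ADD WORD ptr[dirsufp],0015h; Table of contents parameter pointer +15h
MOV Di,offset currdir+1
CMP BYTE ptr[di],00h
JZ LP2; at the root: append right after the '\'
Lp1:inc DI
CMP BYTE ptr[di],00h
JNZ LP1; Find the end of the current subdirectory name path
MOV BYTE ptr[di],5ch; replace the NUL with '\' ...
INC DI; ... and append the name after it
Lp2:mov SI,BX
MOV CX,0DH
RepZ MOVSB; copy the 13-byte name including its NUL
MOV Dx,offset Currdir
MOV AH,3BH
INT 21H; Go to the next level subdirectory (CF not checked)
CLD
MOV Di,offset currdir+1
MOV CX,003FH
MOV al,24h
RepZ STOSB; refill with '$' so INT 21h/09h stops right after the path that 47h stores
MOV ah,47h
MOV Dl,byte PTR[DISKSGN]
MOV Si,offset currdir+1
INT 21H; fetch the current subdirectory path (without leading '\')
MOV BYTE ptr[filebz],0ffh; EXE file flag
MOV Dx,offset Exefile
Call Clea_virus; check and clear CIH VIRUS in this directory
JMP cl_subd; Find the next level of directory and EXE files in the current subdirectory
Exits:mov Bx,offset currdir+1
CMP BYTE ptr[bx],00; is the current directory the root?
JNZ SUB2
JMP overs; The current directory is the root directory->overs
Sub2:mov AH,3BH
MOV Dx,offset Updir
INT 21H; back to previous subdirectory
MOV ah,47h
MOV Dl,byte PTR[DISKSGN]
MOV Si,offset currdir+1
INT 21H; fetching current subdirectory
STD
MOV Si,offset dirsuff-1h
ADD Si,word PTR[DIRSUFP]
MOV Di,offset dat+14h
MOV cx,0015h
RepZ MOVSB; copy backwards from the last byte of the saved record into the DTA
CLD; do not leave DF set for the callers and DOS calls that follow
Sub WORD ptr[dirsufp],0015h; restore current subdirectory parameters and pointers
Nextsub:mov AH,4FH
INT 21H
JC EXITS
JMP LOOKS
Overs:ret
Cle_sdir ENDP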
;
;
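Btod PROC NEAR; display the 16-bit unsigned number at [DI] in decimal
;-----------------------------------------------------------------------
; In:   DI = address of a 16-bit counter (DS-relative)
; Out:  the number is written as ASCII into Decsuf and printed with INT 21h/09h
; Uses: AX, CX, DX, SI, DI (DI is clobbered), flags; BX and BP are saved
; Method: DX:AX (high word 0) is converted to packed BCD by 32 shift-and-DAA
; steps (DI:SI is the binary source; BP, BX and AL collect the digits), then
; the digits are emitted most significant first: one from AL, four from BX,
; four from BP -- 9 characters, enough for values below 10^9.
; Leading zeros: CL = 10h while suppressing, so a zero digit becomes
; 30h-10h = 20h (space); CH counts down from 18h and forces the flag off on
; the 9th digit, so the last digit is always printed.
; Decsuf+10h holds the output cursor; the '$' terminator goes to Decsuf+0Bh.
; BTOD3, BTOD7 and BTOD2 are nested and fall into each other: BTOD3 prints
; the two bytes of AX, BTOD7 the two nibbles of DL, BTOD2 one nibble.
;-----------------------------------------------------------------------
MOV WORD Ptr[decsuf+10h],offset Decsuf; output cursor -> start of Decsuf
MOV dx,0000h
MOV Ax,[di]
; DX:AX = 32-bit value to convert (high word always 0 here)
PUSH AX
POP SI
PUSH DX
POP DI; DI:SI = binary source
PUSH BP
PUSH BX
XOR Ax,ax
MOV Bx,ax
MOV Bp,ax; BCD accumulators cleared
MOV cx,0020h; 32 bits
BTOD1:SHL si,1
RCL di,1; top bit of DI:SI -> CF
Xchg Bp,ax
ADC Al,al
DAA
Xchg Ah,al
ADC Al,al
DAA
Xchg Ah,al
Xchg Bp,ax; BP = four least significant BCD digits
Xchg Bx,ax
ADC Al,al
DAA
Xchg Ah,al
ADC Al,al
DAA
Xchg Ah,al
Xchg Bx,ax; BX = next four digits
ADC al,00; AL = any carry beyond eight digits
LOOP BTOD1
MOV cx,1810h; CH = 18h position counter, CL = 10h leading-zero flag
Xchg Dx,ax
Call BTOD2; top digit (low nibble of DL)
Xchg Bx,ax
Call BTOD3; next four digits
MOV AX,BP
Call BTOD3; last four digits
MOV BYTE ptr[decsuf+0bh],24h; terminator (positions 9 and 10 keep whatever Decsuf held)
MOV ah,09h
MOV Dx,offset Decsuf
INT 21H
JMP BTOD6
BTOD3 PROC NEAR; print AH then AL, two BCD digits each
PUSH AX
MOV Dl,ah
Call BTOD7
POP DX; DL = saved AL, then fall into BTOD7
BTOD7 PROC NEAR; print the two BCD nibbles of DL
MOV DH,DL
SHR dl,1
SHR dl,1
SHR dl,1
SHR dl,1
Call BTOD2; high nibble
MOV DL,DH; low nibble, then fall into BTOD2
BTOD2 PROC NEAR; print the low nibble of DL as one character at the output cursor
and DL,0FH
JZ BTOD8
MOV cl,00; first non-zero digit: stop suppressing zeros
Btod8:dec CH
and Cl,ch; on the 9th digit CH = 0Fh clears the flag, so the last digit always prints
OR dl,30h
SUB DL,CL; '0'..'9', or a space while suppressing
PUSH DI
MOV Di,word ptr[decsuf+10h]
MOV [DI],DL
INC DI
MOV WORD Ptr[decsuf+10h],di; advance the output cursor
POP DI
Ret
BTOD2 ENDP
BTOD7 ENDP
BTOD3 ENDP
Btod6:pop BX
POP BP
Ret
Btod ENDP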
;
;
KILLCIH ENDP
;
CODE ENDS
Stack SEGMENT PARA stack ' stack '
; 256-byte program stack; the EXE loader points SS:SP at its top.
DW 128 DUP (?)
STACK ENDS
End KILLCIH; entry point
