MalwareSourceCode/MSDOS/I-Index/Virus.MSDOS.Unknown.irm_kill.asm

296 lines
14 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
; Binary Obsession Cleaner
; - By Ratman -
data_18e equ 9CDh ;*
data_19e equ 4F43h ;*
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
irm_kill proc far
start:
mov ah,9
mov dx,offset data_1 ; ('IR Multi-Partite Virus K')
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
;====( Here is the program's self-check routine )==============================;
cmp word ptr ds:data_18e,3E8h
jne loc_1
; jmp short loc_1 ; 'Crack it'
; If you want it 'cracked', exchange the jne loc_1 to "jmp short loc_1" and
; voila!.. Program run like it wasn't modified.. All trivia really, and
; very usuful if one want a trojanized version of this program :).
mov ah,9
mov dx,offset data_6 ; ('Scanner fails Self-Check')
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
int 20h ; DOS program terminate
loc_1:
mov ax,201h
mov bx,offset data_15
mov cx,1
mov dx,80h
int 13h ; Disk dl=drive 0 ah=func 02h
; read sectors to memory es:bx
; al=#,ch=cyl,cl=sectr,dh=head
cmp data_15,3E8h
jne loc_2 ; Jump if not equal
mov ah,9
mov dx,offset data_2 ; ('Warning!: IR MultiPartit')
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ah,0
int 16h ; Keyboard i/o ah=function 00h
; get keybd char in al, ah=scan
cmp ah,15h
jne loc_2 ; Jump if not equal
mov ax,201h
mov bx,offset data_15
mov cx,2
mov dx,80h
int 13h ; Disk dl=drive 0 ah=func 02h
; read sectors to memory es:bx
; al=#,ch=cyl,cl=sectr,dh=head
mov ax,301h
mov bx,offset data_15
mov cx,1
mov dx,80h
int 13h ; Disk dl=drive 0 ah=func 03h
; write sectors from mem es:bx
; al=#,ch=cyl,cl=sectr,dh=head
mov ah,9
mov dx,offset data_4 ; ('Drive C: MBR is now Clea')
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
loc_2:
mov ah,9
mov dx,offset data_5 ; ('Scanning the files in th')
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ah,2Fh
int 21h ; DOS Services ah=function 2Fh
; get DTA ptr into es:bx
mov ah,4Eh
mov cx,7
mov dx,586h
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_4 ; Jump if carry Set
loc_3:
call sub_1
mov ah,4Fh
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jnc loc_3 ; Jump if carry=0
loc_4:
jmp short $+3 ; delay for I/O
nop
int 20h ; DOS program terminate
irm_kill endp
sub_1 proc near
push ax
push bx
push cx
push dx
push di
push si
push es
push es
pop ds
push cs
pop es
mov si,bx
add si,1Eh
mov di,58Ch
mov cx,0Fh
push cx
push di
rep movsb
pop di
pop cx
xor al,al
cld
repne scasb
mov al,20h
rep stosb
mov byte ptr es:[di],24h ; '$'
pop es
push cs
pop ds
mov ah,9
mov dx,58Ch
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ax,3D02h
mov dx,bx
add dx,1Eh
push es
pop ds
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
mov ax,4202h
xor cx,cx ; Zero register
xor dx,dx ; Zero register
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
xor cx,cx ; Zero register
mov dx,ax
sub dx,1B9h ; EOF-441
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov ah,3Fh
mov cx,1B9h ; 441 bytes
mov dx,offset data_15
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
cmp data_15,3E8h
jne loc_5 ; Jump if not equal
mov ah,9
mov dx,offset data_9 ; ('is infected by IR MultiP')
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ah,0
int 16h ; Keyboard i/o ah=function 00h
; get keybd char in al, ah=scan
cmp ah,15h
je loc_7 ; Jump if equal
mov ah,9
mov dx,offset data_11 ; (' - No')
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
jmp short loc_6
db 90h
loc_5:
mov ah,9
mov dx,offset data_8 ; ('is clean...')
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
loc_6:
mov ah,3Eh
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
mov data_15,0
pop si
pop si
pop dx
pop cx
pop bx
pop ax
retn
loc_7:
mov ah,9
mov dx,offset data_10 ; (' - Yes')
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get file date+time, bx=handle
; returns cx=time, dx=time
push cx
push dx
xor cx,cx ; Zero register
xor dx,dx ; Zero register
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov ah,40h ; '@'
mov cx,3
mov dx,offset data_17
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
mov ax,4202h
xor cx,cx ; Zero register
xor dx,dx ; Zero register
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
xor cx,cx ; Zero register
mov dx,ax
sub dx,1B9h
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov ah,40h ; '@'
mov cx,0
mov dx,offset data_15
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
pop dx
pop cx
mov ax,5701h
int 21h ; DOS Services ah=function 57h
; set file date+time, bx=handle
; cx=time, dx=time
jmp short loc_6
sub_1 endp
data_1 db 'IR Multi-Partite Virus Killer by'
db ' -+ RatMan +-', 0Ah, 0Dh
copyright db '(C) 1994 RatMan - This program i'
db 's free of charge for all use'
db 'rs.', 0Ah, 0Dh, 'DISCLAIMER: Thi'
db 's software is provided "AS IS" '
db 'without warranty of any kind,', 0Ah
db 0Dh, 'either expressed or implied'
db ', including but not limmited to '
db 'the fitness for', 0Ah, 0Dh, 'any'
db ' particular purpose. The entire '
db 'risk as to its quality or perfor'
db 'mance', 0Ah, 0Dh, 'is assumed by'
db ' the user.', 0Ah, 0Dh, 0Ah, 0Dh, '$'
data_2 db 'Warning!: IR MultiPartite Virus '
db 'found in MBR of Drive C: - Clean'
db ' (Y/N)', 0Ah, 0Dh, ' (I'
db 'f the System was booted from Dri'
db 've C: you should reboot', 0Ah, 0Dh
db ' from a clean floppy b'
db 'efore trying to clean your syste'
db 'm.....)', 7, 0Ah, 0Dh, 0Ah, 0Dh, '$'
data_4 db 'Drive C: MBR is now Clean......', 0Ah
db 0Dh, 0Ah, 0Dh, '$'
data_5 db 'Scanning the files in the Curren'
db 't Directory.....', 0Ah, 0Dh, 0Ah
db 0Dh, '$'
data_6 db 'Scanner fails Self-Check.....', 7
db 0Ah, 0Dh, '$'
data_8 db 'is clean...', 0Dh, 0Ah, '$'
data_9 db 'is infected by IR MultiPartite V'
db 'irus - Clean ? (Y/N)', 7, '$'
data_10 db ' - Yes', 0Ah, 0Dh, '$'
data_11 db ' - No', 0Ah, 0Dh, '$'
db 0, 0
data_12 db 2Ah
db 2Eh, 43h, 4Fh, 4Dh, 00h
data_13 db 1
db 63 dup (1)
data_15 dw 0
db 0
data_17 db 0
db 1021 dup (0)
seg_a ends
end start